Conficker.C and DNS

We have been working on tracking Conficker.C's DNS queries in order to identify machines and networks infected with Conficker.C. Tracking roughly 50K domain names per day, with 500+ queries from each infected host, is a bit troublesome when you have to record all DNS queries (about 200M records a day) and compare them against the day's 50K Conficker.C domain names. :) The main idea behind this work is that an infected machine can be identified from the queries Conficker.C makes while trying to contact its C&C. Below is one result from our tracking of Conficker.C DNS queries to the .MY domains in the hitlist:
Conficker's DNS Queries to .MY

Another one:
Another Conficker's DNS Queries to .MY

Looking at the trends in both pictures, the queries are coming from the same source (see the geomap overlay). Why? :)

The tracker is basically Ruby code built on the dnsruby and ruby-pcap libraries: it captures packets and processes only the DNS packets. So far the tracker is working fine, except when it receives malformed DNS traffic, which it normally discards.
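As an added example of the matching approach described above (this is not the original tracker's code, which used dnsruby and ruby-pcap; it uses only the Ruby standard library so it runs offline), the script below parses the question section of raw DNS messages, drops malformed ones the way the tracker does, lower-cases the queried name, and checks it against the day's hitlist held in a Set so that each of the roughly 200M daily lookups costs constant time. The hitlist names, source IPs and packets are constructed sample data, not real Conficker.C domains or captures.

```ruby
require 'set'

# Constructed stand-in for one day's Conficker.C domain hitlist (the real list
# has roughly 50K names per day); names are stored lower-cased for exact match.
HITLIST = Set.new(%w[example-hit.my another-hit.com.my]).freeze

# Build a minimal DNS message (header + one A/IN question) for the sample data.
def build_dns_message(id, flags, name)
  qname = name.split('.').map { |l| [l.bytesize].pack('C') + l.b }.join + "\x00".b
  [id, flags, 1, 0, 0, 0].pack('n6') + qname + [1, 1].pack('nn')
end

# Parse the header and first question of a raw DNS message.
# Returns { name:, qtype:, response: } or nil if the message is malformed
# (truncated, empty name, oversized label, or a compression pointer in a query).
def parse_dns_question(bytes)
  return nil if bytes.bytesize < 12
  _id, flags, qdcount = bytes.unpack('nnn')
  return nil if qdcount < 1
  labels = []
  pos = 12
  loop do
    return nil if pos >= bytes.bytesize
    len = bytes.getbyte(pos)
    pos += 1
    break if len.zero?
    # Labels are at most 63 bytes; anything larger (including 0xC0 pointers,
    # which never appear in a plain query name) is treated as malformed.
    return nil if len > 63 || pos + len > bytes.bytesize
    labels << bytes.byteslice(pos, len)
    pos += len
  end
  return nil if labels.empty? || pos + 4 > bytes.bytesize
  qtype, _qclass = bytes.byteslice(pos, 4).unpack('nn')
  { name: labels.join('.').downcase, qtype: qtype, response: (flags & 0x8000) != 0 }
end

# Run the hitlist comparison over [src_ip, dns_payload] records.
# Returns [hits, discarded]: hits maps a source IP to the set of hitlist names
# it queried; discarded counts malformed messages that were dropped.
def track_conficker_queries(records, hitlist = HITLIST)
  hits = Hash.new { |h, k| h[k] = Set.new }
  discarded = 0
  records.each do |src, payload|
    q = parse_dns_question(payload)
    if q.nil?
      discarded += 1
      next
    end
    next if q[:response] # only client queries identify the infected host
    hits[src] << q[:name] if hitlist.include?(q[:name])
  end
  [hits, discarded]
end

# Constructed sample traffic: two hits (one mixed-case), one legitimate query,
# one response (ignored), and one truncated message (discarded as malformed).
SAMPLE_RECORDS = [
  ['10.0.0.5', build_dns_message(1, 0x0100, 'example-hit.my')],
  ['10.0.0.5', build_dns_message(2, 0x0100, 'www.legit.my')],
  ['10.0.0.7', build_dns_message(3, 0x0100, 'Another-Hit.COM.MY')],
  ['10.0.0.7', build_dns_message(4, 0x8180, 'example-hit.my')],
  ['10.0.0.9', "\x00\x05\x01".b]
].freeze

if __FILE__ == $PROGRAM_NAME
  hits, discarded = track_conficker_queries(SAMPLE_RECORDS)
  hits.each { |src, names| puts "#{src} queried #{names.to_a.sort.join(', ')}" }
  puts "discarded #{discarded} malformed message(s)"
end
```

In a live deployment the payload fed to track_conficker_queries would be the UDP payload of captured port 53 packets, and HITLIST would be rebuilt each day from that day's generated domain list; matching is exact on the lower-cased QNAME, which is what Conficker.C queries.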

4 thoughts on “Conficker.C and DNS”

  1. t0ny says:

    nice visualization

  2. vanhero says:

    how to get the visualization like that?

  3. Balu says:

    Hmmm.. nice one… any way of getting conficker.c??? 😛

  4. mahmud says:

    @balu: you can find it here: http://www.offensivecomputing.net. Search for conficker.C (requires registration, though).
