Is anyone aware of any network-based signatures that could be used to
identify and tag IP traffic, for dropping at the ingress/egress points?
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Has Snort sigs for .A and .B variants .. haven't seen one for .C yet,
but there is a tool on that same site called 'downatool2' to enumerate
the domain list (to run through a parallel DNS tool, etc. and then check
netflow and such).
I did this just now for the .C variant (using 'wine downatool2_01.exe
-c' and then piping results through 'adnshost -a -f -Fi' after a little
cleanup) .. results?
Of the 50,000 DNS names generated for today ..
32,947 don't resolve.
For the remainder .. if I sort the list .. I get
107 unique /16s
308 unique /24s
11777 unique hosts (mostly sequential within a /24 or shorter mask).
Here's the top 10 /16s with counts:
149.93/16 -- 8500
38.229/16 -- 2737
192.174/16 -- 404
148.81/16 -- 20
97.74/16 -- 13
75.125/16 -- 9
60.29/16 -- 7
221.130/16 -- 7
124.42/16 -- 7
118.102/16 -- 7
If anyone wants to save themselves the trouble and wants today's list of
IPs (which could change quickly .. I didn't query SOA info) .. ping me
off-list.
Regards,
Michael Holstein
Cleveland State University
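The aggregation step described above (resolved names -> unique hosts, /24s, /16s, top-N /16s), as an added example that is not part of the original post; it also collapses the sequential hosts into the smallest CIDR set, which is what you would actually feed an ingress/egress filter. Domain names and addresses below are constructed (RFC 5737 documentation ranges), and the input shape of (name, resolved IP or None) is an assumption standing in for the cleaned resolver output.

```python
import ipaddress
from collections import Counter

# Constructed sample: (generated domain, resolved IPv4, or None on NXDOMAIN).
# Names and addresses are made up; real input is the cleaned resolver output.
SAMPLE = [
    ("abcd.org", "198.51.100.10"),
    ("efgh.net", "198.51.100.11"),
    ("ijkl.com", "198.51.100.12"),
    ("mnop.org", "198.51.100.10"),   # second name pointing at the same host
    ("qrst.info", "198.51.101.7"),
    ("uvwx.biz", "203.0.113.5"),
    ("yzab.ws", None),
    ("cdef.cc", None),
]


def summarize(results, top=10):
    """Aggregate (name, ip) pairs into the counts reported in the post."""
    unresolved = sum(1 for _, ip in results if ip is None)
    # Deduplicate: several generated names often resolve to one host.
    hosts = {ipaddress.ip_address(ip) for _, ip in results if ip}
    net16 = Counter(str(ipaddress.ip_network(f"{h}/16", strict=False))
                    for h in hosts)
    net24 = Counter(str(ipaddress.ip_network(f"{h}/24", strict=False))
                    for h in hosts)
    # Sequential hosts collapse into a few prefixes: candidate ACL entries
    # (hypothetical use; re-run daily since the domain set changes).
    blocks = [str(n) for n in ipaddress.collapse_addresses(hosts)]
    return {
        "generated": len(results),
        "unresolved": unresolved,
        "unique_hosts": len(hosts),
        "unique_16": len(net16),
        "unique_24": len(net24),
        "top_16": net16.most_common(top),
        "blocks": blocks,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```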