Monday, March 30, 2009

Conficker: The other not so famous Variant A


There is a lot more discussion going on about Conficker variant C (ConfickerC) because of 1 April. Why 1 April? That is the day ConfickerC is due to call home for updates. The domain name generation algorithm used by ConfickerC makes blocking or detecting live ConfickerC update servers much harder, because it searches through about 50,000 candidate domain names. Please refer to SRI's excellent write-up for more information about ConfickerC here. The MyCERT advisory about ConfickerC is here.

I can't say much about the current situation, but based on the DNS traffic we have, we only observed a low volume of traffic contacting ConfickerC domain names hosted under .my. Maybe it isn't time yet (my observation timeframe was 27-29 March 2009).

In comparison, for ConfickerA (variant A) I observed more traffic looking for the domain name trafficconverter.biz. trafficconverter.biz is the server contacted by ConfickerA; take a look at a ConfickerA file sample and you will see the domain name in it. It is very disturbing to notice that variant A is still out there screaming for its C&C server while most of the discussion has switched to ConfickerC.

....................SNIP ...............SNIP....................
....................SNIP ...............SNIP....................
Sat Mar 28 17:29:00 +0800 2009 - 202.XXX.YY.132 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 16:32:07 +0800 2009 - XXX.60.YY.229 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:29:41 +0800 2009 - 203.XXX.YY.85 is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:46:26 +0800 2009 - 202.YY.56.XXX is looking for trafficconverter.biz.XXX.my
Sat Mar 28 15:15:55 +0800 2009 - 202.XX.XX.229 is looking for trafficconverter.biz.XXX.XXX.my
....................SNIP ...............SNIP....................
....................SNIP ...............SNIP....................

During that timeframe (27-29 March 2009) there were about 1,167+ DNS queries looking for trafficconverter.biz, which is still a sizeable infection judging from DNS query traffic alone. The trailing .XXX.my labels in the log above are most likely the clients' own DNS search suffix, appended by the resolver after the lookup for the bare name fails, which is why these queries are visible to .my name servers at all. Luckily trafficconverter.biz is no longer running, but the infected machines still need to be cleaned up.
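As an added example (not code from the original post), here is a small Python script that applies the same idea to a query log in the format shown above: it flags lookups for trafficconverter.biz, including the search-suffix-appended form, and counts them per source address. The log lines and addresses embedded in it are constructed for the example (RFC 5737 documentation ranges), not the observations from this post.

```python
"""Flag Conficker.A call-home lookups in a DNS query log.

Constructed example: the log lines below imitate the format shown in the
post; the addresses are RFC 5737 documentation ranges, not real observations.
"""
from collections import Counter
from datetime import datetime
import re

# Conficker.A hard-coded its update host. Variant C uses a generated name
# list, which this exact-label check deliberately does not try to cover.
CONFICKER_A_LABELS = ("trafficconverter", "biz")

# "<day> <mon> <dd> <HH:MM:SS> <+zzzz> <yyyy> - <src> is looking for <qname>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} [+-]\d{4} \d{4}) - "
    r"(?P<src>\S+) is looking for (?P<qname>\S+)$"
)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
Sat Mar 28 17:29:00 +0800 2009 - 192.0.2.132 is looking for trafficconverter.biz.corp.example.my
Sat Mar 28 16:32:07 +0800 2009 - 198.51.100.229 is looking for trafficconverter.biz
Sat Mar 28 15:29:41 +0800 2009 - 192.0.2.85 is looking for www.trafficconverter.biz.
Sat Mar 28 15:46:26 +0800 2009 - 192.0.2.132 is looking for trafficconverter.biz.corp.example.my
Sat Mar 28 15:15:55 +0800 2009 - 203.0.113.7 is looking for nottrafficconverter.biz
Sat Mar 28 15:10:02 +0800 2009 - 203.0.113.9 is looking for update.microsoft.com
garbage line that does not parse
"""


def normalize_labels(qname):
    """Lower-case a query name, drop the trailing root dot, split into labels."""
    return qname.lower().rstrip(".").split(".")


def is_conficker_a_lookup(qname):
    """True if 'trafficconverter.biz' appears as consecutive labels in qname.

    Matching whole labels (not substrings) catches the bare name, subdomains
    of it, and the client's search-suffix-appended form
    (trafficconverter.biz.<local suffix>) while rejecting look-alikes such
    as nottrafficconverter.biz.
    """
    labels = normalize_labels(qname)
    n = len(CONFICKER_A_LABELS)
    return any(tuple(labels[i:i + n]) == CONFICKER_A_LABELS
               for i in range(len(labels) - n + 1))


def summarize(log_text):
    """Count Conficker.A lookups per source address over a query log.

    Returns a dict with the matching query count, a Counter of source ->
    hits, the first/last timestamps seen, and the lines the parser skipped,
    so the caller can both size the infection and see what was ignored.
    """
    per_source = Counter()
    skipped = []
    first_seen = last_seen = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                skipped.append(line)
            continue
        if not is_conficker_a_lookup(m["qname"]):
            continue
        per_source[m["src"]] += 1
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %z %Y")
        first_seen = ts if first_seen is None else min(first_seen, ts)
        last_seen = ts if last_seen is None else max(last_seen, ts)
    return {"queries": sum(per_source.values()), "per_source": per_source,
            "first_seen": first_seen, "last_seen": last_seen,
            "skipped": skipped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['queries']} Conficker.A lookups from "
          f"{len(report['per_source'])} hosts between "
          f"{report['first_seen']} and {report['last_seen']}")
    for src, hits in report["per_source"].most_common():
        print(f"  {src}: {hits} queries")
```

Matching on whole labels rather than a substring is what keeps nottrafficconverter.biz out while still catching trafficconverter.biz.<suffix>. The same function can be pointed at another hard-coded domain by changing the label tuple, but it does nothing for ConfickerC's generated names, which need the generator itself.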

MyCERT has already released an advisory for ConfickerA, which also mentions the tools that can be used to remove it. The advisory is here. If you haven't patched MS08-067 yet, please do so.
