
SANS ISC InfoSec Handlers Diary Blog



Investigating and Verifying domains to block (Conficker.B/Downadup.B)

Published: 2009-01-17
Last Updated: 2009-01-17 05:00:46 UTC
by Andre Ludwig (Version: 1)
0 comment(s)

As most of us know, investigation and verification of data plays a critical role in protecting our assets. Blind faith in what others say or do may, of course, lead to a call from a C-level executive asking why his VP of sales can't get to his favorite vacation blog. Today's diary (and the updates that will follow) will share some of the process and findings of my investigation into the wonderful list of domains produced by F-Secure that we have previously mentioned.

First things first, the list of domains!
http://f-secure.com/weblog/archives/downadup_domain_blocklist_13_16.txt

Browsing this list, I was immediately struck by one thought: which of these domains were actually registered by the "bad guys"? Which were registered by "researchers"? Which were owned by "domainers"? To get that information I obviously had to do some legwork.

Process used (this will change with time):

1. Get the list.

2. Code horrible code to do my bidding for me.

3. The code first does a whois lookup against each domain in the list.

4. Capture the results and parse them for the details we want (the registrar).

5. Print domain/registrar to a text file.


Results of the first run against the data:


As of today, 23:15 UTC, the above F-Secure list contained the following registered domains.

50 domains registered in total out of 1000

Registrars used (and number of domains at each)

What is left to do:

Add DNS resolution

Begin poking at the IPs and the infrastructure surrounding them.

Try and discern between the different categories of actors we are looking for (researchers, "bad guys", domainers)

Share results (and possibly code, if it isn't too embarrassing)

Things to note:

If you are blocking any of these domains based on resolution, you may want to know that some ccTLDs use wildcards. I found out while writing some Python to perform DNS resolution that the .ws ccTLD does just this. So please be aware that .ws uses such a setup, and it will always resolve any .ws domain, registered or not.

Example:
host asdioaisu123duaisdas.ws
asdioaisuduaisdas.ws has address 64.70.19.33
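An added example of steps 3 to 5 of the process above, together with a check for the wildcard TLD behaviour just described. This is my code, not the diary author's script; the whois responses are constructed sample data and the `resolve` parameter (so the check can be run against a fake resolver) is an assumption.

```python
"""Added example, not the diary's own code: pull the registrar out of
whois output and detect wildcard TLDs before trusting DNS resolution."""
import re
import secrets
import socket

# Constructed sample whois responses, one per domain (not real data).
SAMPLE_WHOIS = {
    "example-a.com": "Domain Name: EXAMPLE-A.COM\n   Registrar: GODADDY.COM, INC.\n   Status: ok\n",
    "example-b.net": "Domain Name: EXAMPLE-B.NET\nRegistrar: ENOM, INC.\n",
    "example-c.biz": 'No match for "EXAMPLE-C.BIZ".\n',
}

# Whois formats vary by registry; this matches the common "Registrar: X" line.
REGISTRAR_RE = re.compile(r"^\s*Registrar:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_registrar(whois_text):
    """Return the registrar named in a whois response, or None if the
    domain is unregistered or the response has no Registrar line."""
    m = REGISTRAR_RE.search(whois_text)
    return m.group(1) if m else None


def registrar_counts(whois_by_domain):
    """Steps 4-5: map registrar -> number of listed domains at it,
    skipping domains that are not registered at all."""
    counts = {}
    for domain, text in whois_by_domain.items():
        reg = parse_registrar(text)
        if reg:
            counts[reg] = counts.get(reg, 0) + 1
    return counts


def tld_is_wildcarded(tld, resolve=socket.gethostbyname, attempts=2):
    """Resolve random labels that are almost certainly unregistered under
    `tld`. If every one of them gets an address, the TLD answers for any
    name (as .ws does), so "it resolves" says nothing about a domain
    on the blocklist actually being live."""
    for _ in range(attempts):
        label = secrets.token_hex(12)  # random 24-char label (assumed unregistered)
        try:
            resolve(f"{label}.{tld}")
        except OSError:  # socket.gaierror / NXDOMAIN: a normal TLD lands here
            return False
    return True
```

Running `tld_is_wildcarded("ws")` with the default resolver needs network access; the fake resolvers in the comments show both outcomes offline.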


List of TLDs with wildcards
(probably not the best idea to block these IPs, but an educated decision should always be made)
http://www.generic-nic.net/sheets/facts/tld-wildcards-print-en

Explanation of what DNS Wildcards do

http://en.wikipedia.org/wiki/Wildcard_DNS_record
