Wednesday, July 15, 2009

Conficker.C and DNS

I have been working to track conficker's dns queries in order to  identify infected machines/network with conficker.c. Tracking a 50K DNS names and 500++ queries from each conficker is a bit troublesome when u have to record all the DNS queries (200M records/day) and compare it with 50K/day conficker.c domain names.:).

The main idea of why we're working on this so that the infected machine can be identify based on queries made by conficker.c to contact to the conficker.c's c&c.  Below is one of the result from our tracking on conficker.c dns query to .MY domains in the hitlist :

Another result for the tracker.

Looking at the trends from both pictures, its coming from the same source (see over geomap). Why?..:)

The tracker is basically is a ruby code build over dnsruby's and ruby-pcap library for collecting packets and processing the dns packets only. So far, the  tracker is working fine except if it receive malformed dns traffic which normally will be discarded by the tracker

No comments: