Home / Industry

What Are the Internet Domains Connected to the Conficker Botnet?

Conficker gained prominence back in 2008, when it was then considered possibly the most widespread worm affecting millions of Windows computers worldwide. For several years, the worm, also known as “Downup,” “Downadup,” “Downad,” or “Kido,” was the top malware infector.

These days, while Conficker is no longer among the world’s top threats, users of older Windows operating systems (OSs) or so-called “legacy systems” may still be vulnerable to the threat. Examples of industries that may have such systems in their networks include banks, industrial control systems (ICS) operators, and utility companies.

This post sought to look at known Conficker indicators of compromise (IoCs) and find out if any of them remain online.

Data Set

Chart 1: Sample historical reverse WHOIS search result for a known Conficker registrant email address

WhoisXML API DNS security researcher Dancho Danchev shared a list of 993 known email addresses with connections to Conficker domain registrations. These were run through Maltego using the WhoisXML API Historical Reverse WHOIS Search transform and providing us with 10,607 connected domains.

Here’s an example Maltego historical reverse WHOIS search result:

Analysis and Findings

Subjecting the 10,607 domains to a bulk WHOIS lookup to find out when each of them was registered revealed that:

  • Only 12% of the domains registered using Conficker-related email addresses had 2021 creation dates on their WHOIS records.
  • 14% were registered in 2020.
  • 5% were registered in 2019.
  • Around 25% them were registered between 1987 and 2018.
  • 43% of the domains didn’t have accessible WHOIS records.
Chart 2: Domain registration volume by creation date based on WHOIS records

More than a fifth of the total number of domains were recently updated (meaning within 2021). Less than 10% were updated in 2020 and more than a fourth didn’t have update dates.

Chart 3: Domain registration volume by update date based on WHOIS records

The findings from the bulk WHOIS lookup indicate that more than 40% of the domains are probably no longer in service, as evidenced by the lack of accessible WHOIS records for 4,614 of them. It’s interesting to note that the WHOIS records of more than a third of the data set have been updated.

Users should, however, be wary still, as malware database checks via Threat Intelligence Platform (TIP) showed that 3% of them are categorized as “malicious” on blocklists that include Bambenek Consulting OSINT Data Feeds, VirusTotal, Google Safe Browsing, Stop Forum Spam, and Yandex Safe Browsing.

A majority of the domains dubbed “malicious” were listed on VirusTotal (57%), closely followed by Bambenek Consulting OSINT Data Feeds (41%). The remaining 2% were distributed across Google Safe Browsing, Stop Forum Spam, and Yandex Safe Browsing.

Chart 4: Malicious domain distribution by blocklist

Screenshot lookups for the malicious domains showed that:

  • 6% were still live and hosted content (though one showed a blank page).
  • A majority (66%) are currently for sale.
  • 1% were parked.
  • 2% pointed to error pages.
  • 24% were unreachable.
Chart 5: Malicious domain distribution by hosted website’s status

We can’t definitely conclude if the domains that remain up and running are connected to Conficker without more in-depth malware analysis. Yet since they were registered by users with the same email addresses related to the threat, it might be safer to steer clear of them and their registered web properties.

If you wish to access a copy of the complete list of domains (malicious or otherwise) registered by users of confirmed Conficker-related email addresses or to discuss potential security research collaborations, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – 

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

 Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

Brand Protection

Sponsored byAppdetex

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API