Conficker gained prominence back in 2008, when it was then considered possibly the most widespread worm affecting millions of Windows computers worldwide. For several years, the worm, also known as “Downup,” “Downadup,” “Downad,” or “Kido,” was the top malware infector.

These days, while Conficker is no longer among the world’s top threats, users of older Windows operating systems (OSs) or so-called “legacy systems” may still be vulnerable to the threat. Examples of industries that may have such systems in their networks include banks, industrial control systems (ICS) operators, and utility companies.

This post sought to look at known Conficker indicators of compromise (IoCs) and find out if any of them remain online.

Data Set

WhoisXML API DNS security researcher Dancho Danchev shared a list of 993 known email addresses with connections to Conficker domain registrations. These were run through Maltego using the WhoisXML API Historical Reverse WHOIS Search transform and providing us with 10,607 connected domains.

Here’s an example Maltego historical reverse WHOIS search result:

Analysis and Findings

Subjecting the 10,607 domains to a bulk WHOIS lookup to find out when each of them was registered revealed that:

• Only 12% of the domains registered using Conficker-related email addresses had 2021 creation dates on their WHOIS records.
• 14% were registered in 2020.
• 5% were registered in 2019.
• Around 25% them were registered between 1987 and 2018.
• 43% of the domains didn’t have accessible WHOIS records.

More than a fifth of the total number of domains were recently updated (meaning within 2021). Less than 10% were updated in 2020 and more than a fourth didn’t have update dates.

The findings from the bulk WHOIS lookup indicate that more than 40% of the domains are probably no longer in service, as evidenced by the lack of accessible WHOIS records for 4,614 of them. It’s interesting to note that the WHOIS records of more than a third of the data set have been updated.

Users should, however, be wary still, as malware database checks via Threat Intelligence Platform (TIP) showed that 3% of them are categorized as “malicious” on blocklists that include Bambenek Consulting OSINT Data Feeds, VirusTotal, Google Safe Browsing, Stop Forum Spam, and Yandex Safe Browsing.

A majority of the domains dubbed “malicious” were listed on VirusTotal (57%), closely followed by Bambenek Consulting OSINT Data Feeds (41%). The remaining 2% were distributed across Google Safe Browsing, Stop Forum Spam, and Yandex Safe Browsing.

Screenshot lookups for the malicious domains showed that:

• 6% were still live and hosted content (though one showed a blank page).
• A majority (66%) are currently for sale.
• 1% were parked.
• 2% pointed to error pages.
• 24% were unreachable.

We can’t definitely conclude if the domains that remain up and running are connected to Conficker without more in-depth malware analysis. Yet since they were registered by users with the same email addresses related to the threat, it might be safer to steer clear of them and their registered web properties.

If you wish to access a copy of the complete list of domains (malicious or otherwise) registered by users of confirmed Conficker-related email addresses or to discuss potential security research collaborations, please don’t hesitate to contact us.