Conficker gained prominence back in 2008, when it was considered possibly the most widespread worm of its time, affecting millions of Windows computers worldwide. For several years, the worm, also known as “Downup,” “Downadup,” “Downad,” or “Kido,” was the top malware infector.
These days, while Conficker is no longer among the world’s top threats, users of older Windows operating systems (OSs) or so-called “legacy systems” may still be vulnerable to the threat. Examples of industries that may have such systems in their networks include banks, industrial control systems (ICS) operators, and utility companies.
This post sought to look at known Conficker indicators of compromise (IoCs) and find out if any of them remain online.
WhoisXML API DNS security researcher Dancho Danchev shared a list of 993 known email addresses with connections to Conficker domain registrations. These were run through Maltego using the WhoisXML API Historical Reverse WHOIS Search transform, which provided us with 10,607 connected domains.
Here’s an example Maltego historical reverse WHOIS search result:
Subjecting the 10,607 domains to a bulk WHOIS lookup to find out when each of them was registered revealed that:
More than a fifth of the total number of domains were recently updated (meaning within 2021). Less than 10% were updated in 2020 and more than a fourth didn’t have update dates.
The findings from the bulk WHOIS lookup indicate that more than 40% of the domains are probably no longer in service, as evidenced by the lack of accessible WHOIS records for 4,614 of them. It’s interesting to note that the WHOIS records of more than a third of the data set have been updated.
Users should, however, be wary still, as malware database checks via Threat Intelligence Platform (TIP) showed that 3% of them are categorized as “malicious” on blocklists that include Bambenek Consulting OSINT Data Feeds, VirusTotal, Google Safe Browsing, Stop Forum Spam, and Yandex Safe Browsing.
A majority of the domains dubbed “malicious” were listed on VirusTotal (57%), closely followed by Bambenek Consulting OSINT Data Feeds (41%). The remaining 2% were distributed across Google Safe Browsing, Stop Forum Spam, and Yandex Safe Browsing.
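The pivot described above (registrant emails to domains via historical WHOIS, then aging each domain by its WHOIS update date and checking blocklist hits) can be reproduced on any exported record set. The script below is an added example, not code from this post or from WhoisXML API, and it runs on constructed sample records; the email addresses, domain names and lookup results are placeholders standing in for real API output.

```python
from collections import Counter
from datetime import date

# Constructed stand-ins for the Conficker-linked registrant emails (not real data).
SEED_EMAILS = {"registrant-a@example.invalid", "registrant-b@example.invalid"}

# Constructed historical WHOIS export: (domain, registrant_email).
HISTORICAL_WHOIS = [
    ("alpha.example", "registrant-a@example.invalid"),
    ("beta.example", "registrant-a@example.invalid"),
    ("gamma.example", "registrant-b@example.invalid"),
    ("delta.example", "unrelated@example.invalid"),       # not linked; must be ignored
    ("epsilon.example", "Registrant-B@example.invalid"),  # same email, different case
]

# Constructed bulk WHOIS result: domain -> updated date, or None when the record
# carries no update date. A domain absent from the dict had no accessible record.
CURRENT_WHOIS = {
    "alpha.example": date(2021, 3, 4),
    "beta.example": None,
    "gamma.example": date(2020, 7, 1),
}

# Constructed blocklist lookups: domain -> sources that flag it as malicious.
BLOCKLIST_HITS = {
    "alpha.example": ["VirusTotal", "Bambenek Consulting OSINT Data Feeds"],
    "gamma.example": ["VirusTotal"],
}


def reverse_whois(seed_emails, records):
    """Return every domain whose registrant email is in the seed set (case-insensitive)."""
    seeds = {e.lower() for e in seed_emails}
    return {domain for domain, email in records if email.lower() in seeds}


def age_domains(domains, current_whois):
    """Bucket domains by WHOIS update year; 'no_record' if the lookup returned nothing,
    'no_update_date' if a record exists but lacks an update timestamp."""
    buckets = Counter()
    for domain in domains:
        if domain not in current_whois:
            buckets["no_record"] += 1
        elif current_whois[domain] is None:
            buckets["no_update_date"] += 1
        else:
            buckets[str(current_whois[domain].year)] += 1
    return buckets


def blocklist_summary(domains, hits):
    """Return (number of flagged domains, Counter of hits per blocklist source)."""
    flagged = [d for d in domains if hits.get(d)]
    return len(flagged), Counter(src for d in flagged for src in hits[d])
```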
Screenshot lookups for the malicious domains showed that:
We can’t definitively conclude whether the domains that remain up and running are connected to Conficker without more in-depth malware analysis. Yet since they were registered by users with the same email addresses related to the threat, it might be safer to steer clear of them and their registered web properties.
If you wish to access a copy of the complete list of domains (malicious or otherwise) registered by users of confirmed Conficker-related email addresses or to discuss potential security research collaborations, please don’t hesitate to contact us.