What's the virus doing with all of those domain names?
Domain names are enumerated at random (based on date) as a way around hard-coding an IP/domain that could be easily taken down. The domain names are used for the command & control of the worm, and presumably at least one of them will be registered at some point (if not already) by the worm authors. Read up on the specifics at one of the (many) sites where research is being done on it: http://www.dshield.org/conficker

~Mike.
On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein <michael.holstein@csuohio.edu> wrote:
Of the 50,000 DNS names generated for today ..
Additional info ..
Top 10 ASN by number/name :
5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc.
2820 -- 1668 AOL-ATDN - AOL Transit Data Network
2737 -- 23028 TEAM-CYMRU - Team Cymru Inc.
404 -- 760 University of Vienna, Austria
20 -- 1887 NASK-ACADEMIC NASK
10 -- 4134 CHINANET-BACKBONE No.31,Jin-rong Street
7 -- 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
5 -- 8560 ONEANDONE-AS 1&1 Internet AG
4 -- 12306 PLUSLINE Plus.Line AG IP-Services
3 -- 26496 PAH-INC - GoDaddy.com, Inc.

So you can tell the "good guys" are still at it pre-registering the bulk of the Conficker-related domain names.
Cheers,
Michael Holstein
Cleveland State University