Thursday, April 2, 2009

conficker.c - ccTLD attractor

This is my smart analysis about the first 20days of April 2009 ccTLD (country code top level domain) generated by the algorithm used by worm for pseudo random domain name generation. The data used for this report are taken from

The following table show the frequency for each ccTLD. As you can see there is a sort of attractor for some ccTLD such as AG, BO, LC, HN,PE, and TW. A singular point is for DJ ccTLD domain

Some note about this results: I have used only ccTLD. So in certain cases like "" i have decide to count ".bo" as usefull data. Since I saw that if we think in terms of " is different from .bo" we have a uniform distribution that is not so usefull for generate a signature or a evidence parameter for my goals.

I have decide to call the green cell "not so well come ccTLD" and for the orange cells the term "well come ccTLD".
As the final result I decide to generate the following graph view :

"it's like a virus"

Why this chart may be so usefull ? Immagine you as a DNS server admin and you have need for a smart trigger that show you an indicator of possible conficker.c propagation inside your corporate or company network. During your investigations may use your data (dns queries for example) and check matches with this graph. Obviously this is only a possible additional parameter for evaluate a possible conficker.c activity. Countermeasures to this approach ? occlusion attack.

Thanks to 0xff for the following
signature based on regular expression for ISS SiteProtector that has generated for him some great evidence of conficker.c spreading inside his corporate network:

RegEX DNS_Query_Conficker.C_TopTLD_attractor

Some note: In some case is better don't evaluate .tw ccTLD for false positive and other side effects

Feedback are welcome.


  1. Usefull for detecting Conficker.C spreading in your country or corporate.

    Obviously NOT in Hungary, Argentina, PerĂ¹, etc..

    Have fun

  2. Hi anonymous,
    I know the problem, but if you have access or availability of large DNS queries you can apply this method for show up some evidence about conficker activity.

    Thank you very much for your comment.