[Emerging-Sigs] conficker domain rules

Jack Pepper pepperjack at afferentsecurity.com
Tue Jan 20 09:13:14 EST 2009

Quoting RPG <inittab at jtan.com>:

> I just cycled through each one looking for A records but none are alive.
>    Does anyone know of a quick or bulk method of checking the whois on
> each of these?  Any method I have is very clunky.  TIA

Each domain is only going to show up for 24 hours, then it's gone. I
am working on a way to make the list "roll along" day to day with the
active domain list. If I can get it down to 1000 domains in a rolling
window, that would be good.

The current ruleset is based on the generated names from Jan 17th - Jan 31st.



Framework?  I don't need no stinking framework!

@fferent Security Labs:  Isolate/Insulate/Innovate  
