Tuesday, January 6, 2009

MS08-067 Worms Posted by Mikko @ 18:15 GMT

Over the last few days, we've received reports of corporate networks being infected with various MS08-067 worms, mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of the Active Directory domain: the worm attempts to guess account passwords using a built-in dictionary, and the repeated failed attempts cause those accounts to be locked.
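The lockout symptom described above can be separated from ordinary mistyped passwords by looking at who caused the lockouts: one machine locking out many different accounts within a few minutes is the dictionary-attack pattern, while a user locking out their own account is not. The following is an added example (not F-Secure's tool or code) that runs that check over constructed sample records reduced to the fields of a Windows account-lockout event (timestamp, locked-out account, caller computer); the record format, the workstation names and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per account lockout, reduced to the three
# fields needed here: timestamp, locked-out account, caller computer name
# (the machine that submitted the bad passwords). Format is an assumption.
SAMPLE_EVENTS = """\
2009-01-06T17:58:02Z,jsmith,WS-HELPDESK
2009-01-06T18:01:10Z,alice,WS-041
2009-01-06T18:01:12Z,bob,WS-041
2009-01-06T18:01:13Z,carol,WS-041
2009-01-06T18:01:15Z,dave,WS-041
2009-01-06T18:01:16Z,erin,WS-041
2009-01-06T18:01:18Z,frank,WS-041
2009-01-06T18:30:00Z,jsmith,WS-HELPDESK
"""

def parse_events(text):
    """Parse the constructed records into (timestamp, account, caller) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, caller = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, caller))
    return events

def find_lockout_bursts(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {caller: set(accounts)} for every caller computer that locked out
    at least `min_accounts` distinct accounts within some `window`-long span.
    A user mistyping a password locks out one account; a worm working through
    a built-in dictionary locks out many accounts from the same machine."""
    by_caller = defaultdict(list)
    for ts, account, caller in sorted(events):
        by_caller[caller].append((ts, account))
    suspects = {}
    for caller, hits in by_caller.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                suspects[caller] = suspects.get(caller, set()) | accounts
    return suspects

if __name__ == "__main__":
    for caller, accounts in find_lockout_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{caller}: locked out {len(accounts)} accounts: {sorted(accounts)}")
```

In the sample, WS-041 locks out six accounts in eight seconds and is flagged, while the helpdesk user who locks out the same account twice half an hour apart is not.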

We have detailed information about the malware functionality in our Downadup.AL description.

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend that system administrators block access to the web sites used by the worm. The sites keep changing, but the current domains to block are:


We'll update this list as needed.

Update: Additional details can be found here.
