3 years ago
How is it that Conficker can register 50,000 domains a day?
Obviously it's automated, but it would seem like they would have to interface with lots of different domain name registrars, since they use ~110 top-level domains? And how do they do it without paying? Or am I missing the point and they steal them somehow?
1 Answer
Conficker is not actually registering any domains. It randomly generates domains, then tries to reconcile them to an actual IP address. It then looks for executable files on the domain to continue to the next stage of its malicious programming...
"...will compute and attempt to contact the same set of domains. When contacting a domain for which a valid IP address has been registered, Conficker clients send a URL request to TCP port 80 of the target IP, and if a Windows binary is returned, it will be validated via a locally stored public key, stored on the victim host, and executed. If the computer is not connected to the Internet, then the malicious code will check for connectivity every 60 seconds. When the computer is connected, Conficker A will execute the domain name generation subroutine, contacting every registered domain in the current 250-name set to inquire if an executable is available for download. "
Conficker B is similar.
The article referenced above is actually a breakdown of the entire process the Conficker Worms go through...
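The mechanism the answer describes is a domain generation algorithm (DGA): every infected host derives the same fixed-size list of candidate names from the current date, the operator registers only one or a few of them, and the hosts try the whole list until one resolves. The following is an added example written for this page; it is not Conficker's actual generator, nor code from the answer or from the analysis it quotes. The seed derivation (SHA-256 over the ISO date plus a counter), the 8-to-11 letter labels, the five-TLD list and the DNS log line format are all assumptions chosen to mirror the described behaviour; the 250-name set size comes from the quoted text, and the same function with a larger count and TLD list covers the scale the question asks about. The second half shows the defender's side of the same determinism: because the list depends only on the date, an analyst with the algorithm can precompute today's and neighbouring days' names and flag DNS queries for them.

```python
import datetime
import hashlib

# Assumed parameters (not Conficker's real values): the TLDs the generator
# spreads names over and the size of the daily set. The quoted analysis
# mentions a 250-name set for Conficker A; the question's 50,000 names over
# ~110 TLDs is the same idea with larger parameters.
TLDS = ("com", "net", "org", "info", "biz")
SET_SIZE = 250


def generate_domains(day, count=SET_SIZE, tlds=TLDS):
    """Return the list of `count` candidate rendezvous domains for `day`.

    The only input is the date, so every infected host, the botnet operator
    and any analyst who has the algorithm compute the same list. Nothing
    here is registered: these are just names to try.
    """
    seed = day.isoformat().encode()
    names, seen, counter = [], set(), 0
    while len(names) < count:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        length = 8 + digest[0] % 4                       # 8..11 letters
        label = "".join(chr(97 + b % 26) for b in digest[1:1 + length])
        domain = f"{label}.{tlds[digest[15] % len(tlds)]}"
        if domain not in seen:                           # skip the rare repeat
            seen.add(domain)
            names.append(domain)
    return names


def find_rendezvous(domains, resolve):
    """Simulate the victim side: try every name, keep the ones that resolve.

    `resolve` stands in for a DNS lookup (returns an IP string or None). The
    operator only has to register one name in the set for this loop to find it.
    """
    found = []
    for domain in domains:
        ip = resolve(domain)
        if ip:
            found.append((domain, ip))
    return found


def dga_watchlist(day, window=1):
    """Names an infected host would try on `day` and `window` days either side."""
    watch = set()
    for delta in range(-window, window + 1):
        watch.update(generate_domains(day + datetime.timedelta(days=delta)))
    return watch


def scan_dns_log(lines, day):
    """Return (client, qname) pairs whose query name is in the DGA watchlist.

    Assumed (constructed) line format: '<timestamp> <client-ip> <qtype> <qname>'.
    """
    watch = dga_watchlist(day)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, _, qname = parts
        if qname.lower().rstrip(".") in watch:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = datetime.date(2009, 1, 15)
    todays_set = generate_domains(today)
    print(len(todays_set), "candidates, e.g.", todays_set[:3])

    # The operator registers exactly one of them (constructed entry, not real).
    registered = {todays_set[7]: "203.0.113.5"}
    print("rendezvous:", find_rendezvous(todays_set, registered.get))

    # Constructed DNS log: one benign query, one query for a generated name.
    log = [
        "2009-01-15T10:02:11 192.0.2.10 A www.example.com",
        f"2009-01-15T10:02:12 192.0.2.10 A {todays_set[3]}",
    ]
    print("DGA lookups:", scan_dns_log(log, today))
```

Two practical points follow from the code: the operator never has to register 250 (or 50,000) names, only enough of them to stay ahead of defenders, which is why the question's figure is a count of names tried rather than names bought; and since the list is reproducible from the date alone, a defender who recovers the algorithm can register or sinkhole the names in advance, or simply alert on any host that queries one of them, which is what the watchlist function does.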