NEWS FROM THE LAB - Tuesday, March 31, 2009

Conficker's Domain Routine has Already Started Posted by Patrik @ 19:08 GMT

Mikko posted earlier about how the domain generation algorithm in Conficker works. Just to make it clear to everyone – this has now started.

Infected computers use the local time as the trigger to start generating the list of 50,000 domains, so in places where the local time is already April 1st, these computers are now actively polling for domains.

And, until the GMT date is April 1st they are in fact polling for domains for 31st March. So far there hasn't been any updates available on those sites.

In summary: Conficker has activated. So far nothing has actually happened.

Conficker.C polling for domains