honeyblog

Waledac Infection Check

Tuesday, March 2. 2010

Ben Stock has implemented a web service to check a given IP address for infection with Waledac, similar to the Conficker Eye Chart. The idea is that we are currently tracking Waledac as part of the take-down effort and thus we have a pretty good overview of the individual bots within the botnet. Therefore we are in a position to determine if we have seen a given IP address in the recent past as a bot, which indicates that this IP address might be related to a Waledac infection. Of course, effects like NAT or DHCP need to be taken into account: if an IP address is not listed, this does not necessarily mean that you are not infected.

The check is available at http://mwanalysis.org/waledac/, feedback is welcome!

Posted by Thorsten Holz in admin, malware at 22:29 | Comment (1) | Trackbacks (0)

About

This weblog deals with IT-security related stuff and honeypots / honeynets in particular. In addition, the main focus is on malware and bots / botnets.

The blog is maintained by Thorsten Holz (Twitter: @thorstenholz). I work as an assistant professor at Ruhr-University Bochum and am also affiliated with the International Secure Systems Lab. I am one of the founders of the German Honeynet Project and obtained a doctorate from the Laboratory for Dependable Distributed Systems (University of Mannheim) in May 2009. You can reach me at thorsten.holz [at] gmail.com

Together with Niels Provos, I wrote a book on honeypots:

Calendar