# adapted from http://www.cert.at/static/downloads/data/conficker/all_domains.zip
# by Jack Pepper email  pepperjack at autoshun.org
# Tue Oct 13 16:17:20 CDT 2009
# sid 2633001 includes 600 (0 - 600) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(v(zcocljtfi|m(bbrkyeng|mwsgexgo|kwmfqzzy|ybtfhgbt)|i(hwlctxhj|izrepyug)|jfyubjfry|yysdogetu|t(jdjbsfqh|augojajy)|c(wpdpfuyj|lpuipypg|jcsppznz)|q(povjwulz|ywlnokfl)|aqgwfjjxj|brpmxehca|f(kgewnuny|flntdebn|wdhezsgp)|ljgxwxsvs|sgldnbepe)|c(x(tjlsahcy|xhoslfgk)|k(nkdrenfe|uzalorfx)|hctxaqmun|c(blodtalp|vkocdtxn|yavyeamb)|g(gejwqbki|exjpjimw)|mnnrntmpd|o(m(bhquxdt|dvpcmxu)|bdyjfmkf)|zuatazgvb|addhvvdgt|pgyhbfkit|y(vniyswmz|zbbuyyrq)|n(wlaygmkf|yefqkwxx)|b(okbwhovt|bludwbyv)|ttvdlnlyj|laroxbkfa|sukwokdgp|vdmnjezah|fnmjmcnop)|j(nfuoypwfj|ogtopcwas|w(ddbnmmcf|eqiisndy)|aqnubbfdg|mllnysphc|t(fulvdsfp|bkbvemnu)|d(stxihqif|ursdmxjc)|fpmrfdrqg|jibfhxmid|igirtakiz|xinuiplsw|sckgsqhon|bdrpizugg|pbiphkgst|rzvggkwuw|lwwqpakui|yyqhmbvgi)|k(vfvpszaxv|ocafqpjhg|u(oulrhfyk|jggnorxq)|qhafhrpcs|r(qftzyiqr|czohrkgh)|b(zjyljkut|fqbitvke)|sgpstrpwc|njiwafjsq|ezgvbalry|pngyqdrsu|awalmvbsx|xdxgajkmg|dzhcnilrl|f(msqpjphy|erbhuvql)|yilqhaevt|ijjpvwcjm|mnktoujxp|g(lezqgnpx|hvezimld))|n(yczxutmuy|u(coaixurt|dpdcytmf)|e(t(ixofmyt|xjbnuti)|pnizubdg)|m(spzyqyex|nrsviglf)|kgynvazfw|awhqektfs|b(aljxublq|mxluyilh|pyqpmzmn|otosoauj)|s(l(hvwetju|wxspopw)|yaamauxa|teqzugfr)|d(ygyvrver|vvpenzkv)|o(ikpwmywh|govkccyq|opbcuyou)|qmrnzngaa|f(ehgiabto|rjhcprmg|iszjiiib)|taqoqiesf|giovsudfn|nfenffvvk|cnptcjdoi|jotskkvdr|roqdufbsi|lffkgtcka)|r(b(gzpnavja|quswhtdb|eoxqpbcr)|g(iujeguhh|cszenuzw)|azdjtkikz|olbcynkbo|c(avymltxt|nhrhnpvo)|z(wxpyhmcy|f(qbeuvgh|lqdwlpw)|jnzzgysr)|dbsmwcjzi|sgmxybzzc|rzojwxsll|wzkxfwyri|yityrdjni|fhikoyhhf)|a(m(aihhrncz|pbgjsfvy)|ijvbshrke|s(serswpok|rekavaqp)|xqeybsmmn|psqkxugnz|ftfaynbyq|d(lzzgsfpt|nydypdal|dpehcyem)|k(tepvuyck|snqskgbq)|hhgvqecke|vyjatlncc|wqhokuwrb|t(hsbbrjsv|ifggeirb|umrbysmx)|n(ksmlfftw|gphqmvna)|c(rigznkot|neczuyih)|apwkarsmv)|f(hilfnjcek|wbaexiahr|t(uywxtced|amnxxlgt)|d(iivsfflg|ftbahgqx)|zrnzqazqh|p(kmlsztxv|wdyrcfbo)|i(lgnfcrei|rusqljxh)|c(uxhbkycg|daprzniv)|nmjkksnzg|y(dimstwzr|kepmlavj|hokrwmsr)|l(qbsfqytt|kmbvbvhb|hoeefrzm)|aefdxtwdc|jnjmaquzf|xnwtojjjd|mnljnjbxw)|m(m(cxazcmaw|gywwuzdi|dcvkyiyh)|o(tsxkeaqj|qwuoqsiz)|htwsremxw|f(ggbvjnpx|eqjioeug)|ybefzwqbo|qpamlmacs|ewqcisdpz|n(dvpsckiv|wtfoffbu|blpuetfx)|zhovrxoth|xnuywjhzn|v(fdxocveb|rjbwqwrd)|p(yofaxnuh|mirggrxc)|acnnxtiza|dhmvfnztz|tocfltxer)|y(epqxphxfb|d(rloeqpab|vjtsziex)|bx(aguwsjo|nncsrxz)|ioupfdakc|j(zirznfmy|n(jxhbdda|pzibunm))|v(fhrppphl|rjwebakr)|l(emnffomm|hhmipshz)|ttmibxvpd|k(duxtjneh|vktwnfqy)|wujnavepb|gxrkwenba|f(gvigxaxd|hebwrieg|xrmncmpn)|qqiacosbx|r(aximmrps|gxppkpul)|oviqamreg|somwxasdp)|q(j(niolsfjt|uymtkvuz|cplftuyd)|f(erzzjvyu|dnwnedbp)|n(mnjsuvxy|gokzhzie|rmekhhqp)|m(qwtlcsbc|dqbqwntl)|p(lshzndmp|raoptmrs)|u(qzjxzssx|ojhxjjss|ksyrrxgw)|xkljbmekt|hhhafxxlj|s(vjwkflvu|kttgkqyu|tiiguhly)|eonceqiqb|rp(qneemjy|vfprdej)|b(vgmrhlyv|gqrxnywf))|d(cwbkfbjeq|f(estnasin|loswyrnz|xtcquyvm|cnvbanvu)|yrnbxvzhk|xxretbqcx|s(uruhvecg|mjxrjyvn)|gopesycre|z(oxddoevh|cxzgronz)|l(dughfkdh|hcccqyai)|iczkdzssh|evdatftam|ndbeiyoql|j(pisfrikq|zcvgpcuz))|h(q(oecezygh|videawjf)|y(gejeklwz|jfcehunr)|n(hctgpymk|wpmhgpcl)|xpajcpadk|b(lbedmcth|fpxqmdcp)|o(uqsexozo|oiiyygyz)|l(chpomgbh|tmlsolgb)|hjergmxty|ksynsccig|fqydokmok|v(ozybgdas|qkpogsox)|a(ipjuvizr|ypbbrriq)|pllxanvdn|txjdmukzy|zkrutsrwe)|o(m(crblnmmi|ykuayjym|onzdqdzc)|r(haumsxfk|mtagzlla|gsbblnhk)|b(zgvngrzx|uevnijpm)|szabikmzw|koeayqguz|wqozjzqis|yyiwrkwdf|nhibkbvcc|t(vplyigdn|whevajmx)|dhrrshnvz|govbucxgz|himrewwzk|e(wakphvdj|vonqhsyu)|alvvdzcvn|jbembvwkr|vjmwdgema|locpzfxkr)|z(pkbwdzkas|aecelwlpv|haxivrwrq|lvogkpcxs|ow(kcmnory|hrjcksq)|youfdkmzl|gsqilbagr|bxgvsdnri|qxndgpewl|nxmxzanms|sezwjehjp)|p(txtpitwjy|ssjejltrs|euvmxfqpf|y(nlnnyxrl|rkqxjnmz)|z(vjejamkv|zprsocpu)|b(nlpkoero|mszpfbhn)|ffthvezbf|xusegkoqc|vbhllsknc|m(cchsllfr|aahsgpej)|nbavtjsjh|ofzstgnza|dwotbetgp|udoxoexnc|pdasdgycx|lmtmhluxn)|u(jmdelgsto|d(yzjnzmkd|rqlplngk)|q(yymnzwho|nthymngt)|h(spgwgkhh|uylatbmk)|x(xkxrigcv|lshpaqfh)|f(yqwhwqha|azrsmrmc)|ybqpnhoik|l(dkodnkep|lqooyfbi)|i(jcrattbd|uxhtxtzl)|biywmgsgr|nvndijxzq|s(bnkglfbi|jnujrhkk)|ocguwjulc|giitdqwtt|egouowokq|aqhpnfkjw|ctsowwgmi|uyvxiqcft|tddipnsyk|kqiawhtqd)|l(l(mqrjquem|yfjlpzfd)|j(useaimud|pappgzix|iynipmlv)|beviqkgyg|spbdcuyfc|i(llrsryyt|wnnqwviw)|k(nkaotkis|jnrccjtt)|psgpgthso|eaealptew|w(zrjoqrxr|epoqpanl)|u(joayfejm|uerwvdnn)|x(ijqgcudv|azefscpn)|tawdivtyy|vshoudqbz|g(dpoapkva|yqllchsv)|ygmosdgkg|hqbqkapku|ovtubinca)|i(p(wpdmihlj|uynmutvv)|qwihfgnfd|w(oynivpyb|byniopwa)|yyipcofxd|s(ypepalvx|iuhlycil)|vwbapijrk|j(imberfne|qmeemodn|ppipsjxi)|gqnysvneg|duaocgyrd|l(wrxputxh|xcxseygj)|mkmiamaya|cexdlyzwv)|g(dcjgeyqua|smlknqdoh|t(optauywl|jiylntuf|sljllnnb|mxxrfoeu)|wiunvtkqr|x(kubanqda|rnxduwpc)|aquhzicul|e(jprnxnsb|qnqdrnde)|kfkkicrqu|rhsoesdjd|lhjsnxkkx|u(xpaphthb|kwmucsay)|vinszmzha|f(cwpzvwuu|astblefd)|odrdblnnp|juuceqwjv|gczxrgdmk)|s(wyzvblgdk|i(mdjyohjy|abzcoewe)|tloqdnydw|r(wmefmyek|pzqrfhek)|fnbyczisv|c(oddvnrnu|kyfroptm)|e(cfhiiqwj|uwftchlj)|bqztquznr|o(berszoea|cufhcsid)|vnscyiyci|g(fpferenf|ltknwbvd)|xgaakbgep|dwmhluvcm|jlztyrlcf|kfphmqjvi|pcolslywa)|x(u(rzhgtukg|udqhtfai|smthraxx|abhzuith|kfvxvxuu)|dwrdeklxp|nztrzbiqi|xfwpiikts|j(jqcheckr|yisgfken)|ewtunnyfo|h(fozwohpy|iwsjpzzp)|l(vayypqpx|zbhthtxo)|q(uipxwctt|hdhmjuaf)|mxwglvkns|kvltdsruf|femaulvme|gbgorefxu|oksbfmtpu)|t(w(erfmxyah|qxphopin)|pfixrokff|jnfdcdyaf|t(jnwrbxfy|dtlbqsme|sopwifdw)|lrsfvkamp|xdqaaltce|uqmkyjjtr|yhmkzncif|nuojodcet|eqvpubcti|geuypmxew|obzgjpysf|zknoqjfps|akigdadap|fpjkjwmnl)|w(k(edhbnwmm|pkrjdrar)|vdgruqbuf|hajansnnb|jdalhrukd|d(parziata|xdcbnisl)|u(gkulkkia|jhesovjh|epgxbouy)|s(hvbesiga|ptfburxw|lhknaqpd)|mzlcvetob|g(ktmmoool|mrhjjbcl|cwvxmwmm)|e(x(znxcezl|jmlegbg)|kqwkuptf)|xopucfwtv|bqbidoafk|l(cvaaxoea|mlrzkqre)|c(sjhwafuw|cdmzwdvf)|rctrxebvv|yetxfvbyx|nlhztbubp)|e(j(vvxfcmah|uebkylkv|imygykmg)|q(qldgdtoh|rpozvkzu)|ruwbhqosm|x(uozcagqw|apquincs)|t(ddwypzmu|vhkkjbdo)|allcyieig|s(uelyuahm|laleyjzz)|u(ubhwvibd|tbrazdel|jpzmoffp)|otorplhjj|yakuyiycm|k(gfhsnuab|owrtlcaa)|f(uprnkkil|kctibnwc)|lhslkamuz|g(r(dthekyg|jqkaouf)|nzsmuznj)|zobtfkmzg)|b(bzlaicxvn|n(wumpjpjf|rzhptdbp)|ou(zfnfecg|ixduaov)|xpbpvimtd|w(mvzsqlra|fhfisgvz)|ixxvjcdzn|v(n(onwffyu|rpgnrwu)|efbhzken)|ellpemnov|klyiordjo|cwgxnljrl|mzymimaft|hb(qstgphb|ymtvthj)|ukvwknmxt|ttglkbgsh))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633001; rev:2;)
# sid 2633002 includes 821 (601 - 1200) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(n(s(teqzugfr|lwxspopw|sznvuoru)|j(otskkvdr|zhnphmxw|efmchskx)|udpdcytmf|ro(qdufbsi|xhizkqx)|b(pyqpmzmn|otosoauj|sqezqxld)|f(iszjiiib|wnypqxqo|aonllofg)|e(pnizubdg|tukuqsmn)|l(ffkgtcka|qftsigkz|tlaxwezo)|pliqzrlpd|d(kbknnmqk|yxkxaxvd)|c(ynbdftvq|xolgwdft|ghchuzgr)|mglcqzykp|h(kmgedpou|rzzeijdd|qoaxolob)|x(ddovvlgg|kwcsaiop)|auhfzozwm|v(ctsnduxo|tvgvqrer)|n(wnyxmhco|edvrpbdi))|l(g(yqllchsv|iainhtkn)|iwnnqwviw|h(qbqkapku|dgfbiqub)|wepoqpanl|ovtubinca|x(azefscpn|bntrijkp)|jiynipmlv|cytlxaykq|ryjjshdef|d(dsuquyrr|rihxsdha)|ywtepfqzq|nllsehvkz|p(qnuhjbay|kmhreuqr)|u(bstgpgsr|cwagmlpm)|mlmdpxnol|l(dzjdaaeq|fnioudrq)|trkimjfyy|q(xhcxclzt|sxkpautl)|ssrzetdmc|e(plvkseal|ocsscdfj)|bxkmafvqa|apsityumo)|t(uqmkyjjtr|tsopwifdw|wqxphopin|y(hmkzncif|ssnfoutg)|n(uojodcet|vchmkmpc)|eqvpubcti|geuypmxew|obzgjpysf|z(knoqjfps|qtsysunx|bmccmgpj)|akigdadap|fpjkjwmnl|ksclfakey|menawcgyy|c(ngaetsid|qxoeerqq|mqtyayec|sfodqzlk)|s(dpwazjmi|l(gqttwmg|zsbjfqy))|j(kedvqtow|lvpvemsj)|r(lksereup|rmsnfihq)|qethrlidi|xwogwsweq|imjoxanul|hglenpyki)|o(twhevajmx|j(bembvwkr|ajhzzdyk)|v(jmwdgema|mteipsjb)|r(gsbblnhk|zrhkdwcm)|mo(nzdqdzc|kmdqhzl)|locpzfxkr|z(ykneumua|wwlijhho)|fijcjjwxv|dlsbqvtbp|x(gjvndogs|xhbmgewv)|htnwcikxo|buifmafnt|cmccoluoe|k(emontehf|hnbnpkqi)|qdrdopgrd|sdanyxjdm|wzfictlwp|oluulrbfh)|i(s(iuhlycil|cwwbfnue)|j(ppipsjxi|jbcrdcje|hjdhubyv)|l(wrxputxh|xcxseygj)|mkmiamaya|w(byniopwa|eawxobbi)|cexdlyzwv|fvigfsjfh|x(qsdesfew|giiapqeh)|z(dezcidza|kfyzbidg)|e(fldzyfnj|rbtfawgo)|b(pyacrgdi|bblnwqbm)|v(zvsxllri|ifvktmpv)|klhgoippu|gkpscluub|uduqeesxz|a(lailmtwn|peuopmpy)|rgosbjzbr|qxqmspyxy|ofgnzzuze|hssqyhllp)|h(ooiiyygyz|f(qydokmok|hhskynya)|v(ozybgdas|qkpogsox|dwamitxe)|b(fpxqmdcp|cmvchcns|zdakfxyq)|a(ipjuvizr|ypbbrriq|nwjgbklz)|pllxanvdn|txjdmukzy|l(tmlsolgb|bidshztp)|zkrutsrwe|n(w(tvwukfw|hbtwtzp)|fr(krskdj|jeezxz)|cnrlnldf)|u(sfudbfew|igoegfxg|tmgfswfl)|q(udajyhua|ocffwlat|qpdpmjtq)|x(nnfsmszw|scizozzg)|dwomzbtqm|clvdvuktq|gfvkowxja|hbciwdpza|wvdswxcqe|k(rlouinuw|flhawiwm))|x(u(abhzuith|k(fvxvxuu|kqppecl))|q(hdhmjuaf|fdelcoqf)|mxwglvkns|kvltdsruf|femaulvme|g(bgorefxu|yfbivkop|zdizkmri)|oksbfmtpu|j(sfkyfjbh|epksyzmr)|bxbsuektb|hkcwhktog|n(axxkbzca|rcajulwg|crpphnpv)|repycmypr|sxadvfjtg|vvepdckar|pojywqmlf|abjxjlmzl|wlhjfvcut|e(rxuqfwav|scrtiwxd)|ivasollcd|xjldoxjwk|lmvtqxjal|z(owghpede|v(fhajlkl|yddmwrf)))|a(t(hsbbrjsv|ifggeirb|umrbysmx|vqmnnszz|lfrsqqty)|mpbgjsfvy|n(ksmlfftw|gphqmvna)|s(rekavaqp|wiyzfrpd)|c(rigznkot|neczuyih)|a(pwkarsmv|xqmyglkq|ehvmgcbi|mkeraqwo|dchaedgc)|d(dpehcyem|oqtteuzz)|b(lbrdwfww|qluqpgdc)|g(qehvrcdb|xkehquxb)|izoefmlhw|r(eujffsqe|dzoskgrq)|utcmvkhro|zeqjhxxae|jnfnuizei|orlxgzuxj|lxygiqnsa|psklafsmx)|r(z(j(nzzgysr|ccpdgwg)|flqdwlpw)|rzojwxsll|wzkxfwyri|yityrdjni|f(hikoyhhf|vqcqhkmn|girbfaep|zlwcfptz)|cynesitho|v(qijdrhlp|asnelsef)|nfynbezpq|a(pootbnzg|zqyvgnia)|pqeqrkfvw|t(roqjcmbr|pwqfybxg)|h(lxcjbfjv|tyrifgwu)|ocfnlrmgu|j(slvmwibj|fqemhvow)|idmkfbtfj|kheavokgd|liwrhdzkb|btcmgprut)|p(o(fzstgnza|lxfounyo)|dwotbetgp|m(aahsgpej|gnjhkjxk|bgxdwsgb)|y(rkqxjnmz|hewhpsmr)|u(doxoexnc|vugkhbux|uoxqaowl)|p(dasdgycx|ukbahrmj|rmrsfgho)|l(mtmhluxn|ggejcsni)|c(cacrwuzg|bijftoqf)|n(ugkxaarv|dwcwphns)|qeidttzoq|rfjgodmzn|ibroopgkl|h(hgqojmub|rxeuqcmo|otydmrns|zqtsxitw)|wwcshdwek|v(gwblseru|rwvwkyja)|bnsbzquit|feoyciglp|z(acjyrhrl|lophxviy)|t(lsymflku|bodmlztu)|kvcrldepy|gvpnhxjyq)|u(huylatbmk|l(lqooyfbi|vbadrzet|eacnsgje)|i(uxhtxtzl|lgndgguw)|giitdqwtt|f(azrsmrmc|pgtdrnff)|s(jnujrhkk|vpvbmtqh|gsmidlhi)|e(gouowokq|zrrnvftc)|x(lshpaqfh|jhuiqslk|heivllfc)|a(qhpnfkjw|ihosndlu)|ctsowwgmi|u(yvxiqcft|txpkwgyw)|tddipnsyk|k(qiawhtqd|altzlpel|ddouxtxq|cackzxjv)|o(wkejlork|bfixewth)|dqxsrbeea|zieprtymr|j(pprygjpd|spzbnmdc)|r(ykgpvljr|wectkbtu|isxlcvvy)|plewifidu|w(uxxfcybn|cfwkzwer|w(hqbrwen|glriisw))|y(gexaabnf|rlniprjy|spggtaco)|nphrvtmul)|j(bdrpizugg|pbiphkgst|d(ursdmxjc|nkzyttme)|rzvggkwuw|l(wwqpakui|rdwbyjjw)|y(yqhmbvgi|dpcqdyid|uolmuamh)|weqiisndy|fpfahwwoh|z(oxftrjse|jbxtjggx)|h(dxnkxjvx|spzyccuo|wfbgxvtl)|grvqxvlvv|jqqwalgfr|edlopepbw|kxkpdgwxs|csejvrbat|iznevogtk)|y(j(npzibunm|tehoiuyo)|fxrmncmpn|o(viqamreg|bupeidge)|r(gxppkpul|ntgaggap)|vrjwebakr|b(xnncsrxz|uentdtgd|rbzlruda)|s(omwxasdp|lqppecdy|yaeqbjzg|fxjlmhom)|w(cnyvvyvw|nrrmkisw|uylsryxk)|ikvdtlpnx|e(smwepakc|iitrjofh)|mwggiikgk|cxbvtypiu|tuwnobbps|qnmzeywxv|yjpjnaeph|limbswmeu|nnayfpltt|h(rneiztdj|gpmuacel)|zcwvhbsfs|xczhjdhaq)|w(bqbidoafk|l(cvaaxoea|mlrzkqre|ymhnbeoe|vworunpw)|c(sjhwafuw|cdmzwdvf)|e(xjmlegbg|hewejeaj)|u(jhesovjh|epgxbouy|nrzunovt)|rctrxebvv|g(mrhjjbcl|cwvxmwmm|tylzoqwk|hyzzodgv|vuhznsrf)|yetxfvbyx|n(lhztbubp|ozvnpzxg)|p(pqlktgmz|zcutysdy)|vpuoywimo|o(xbaxudix|i(ctarjxg|pvyicld))|j(boezbbpa|svdcmxgg)|qgpmxhuak|wzyocnxmx|impdxnpno|aidpnitop|hujwozlep|f(jmwkixeo|moaisftw)|s(zwxqskoi|gjruxbir|ajlujvmp)|xbnjypieh)|f(x(nwtojjjd|djhwlgfr)|y(hokrwmsr|zazxoimw)|d(ftbahgqx|dbwnidso)|tamnxxlgt|l(hoeefrzm|asufeykm|jrohabhw)|m(nljnjbxw|kcbzjvux)|n(pqdacinz|qxjwjzfu)|b(rszticnj|hjabxktw|dvjjecua)|g(qaotjcxf|rbzdqdvj)|p(fdgwdgqv|gtmheoxn)|aolpnitdi|e(gzancmba|ldosrlaq)|i(eooqqglp|xihffani)|f(djzgaodf|ycrbxsua)|ofoyyjqor)|d(fcnvbanvu|j(pisfrikq|zcvgpcuz|cxsshxss)|l(hcccqyai|phebxuml)|berlzpiqz|xlouhuvoi|ymtbglupf|ixynaexjk|u(ogwyggoj|skdpyvvw)|m(dbnpleba|fhftovxy)|o(gksvpuea|witwkkwa|psvervik)|tnpaitgpv|dqzrppscs|wz(nlgsihh|yioqzwq)|vfjetgjjv|hihwkmgfo|zskdnhvpj)|g(l(hjsnxkkx|shupfgoo)|u(xpaphthb|kwmucsay)|v(inszmzha|duilddut|ereqerzp)|f(cwpzvwuu|astblefd)|o(drdblnnp|ujobkbpc)|juuceqwjv|xrnxduwpc|t(m(xxrfoeu|enwwwhk)|kqqkwzue)|gczxrgdmk|kvmmmdswf|z(qytdrlia|rzasowlx)|i(xhnaxgbc|pejayoaa)|q(ffqgwmdi|ksrpydpq)|droypfoam)|m(feqjioeug|p(yofaxnuh|mirggrxc|wcazwmxo)|acnnxtiza|mdcvkyiyh|dhmvfnztz|tocfltxer|v(rjbwqwrd|brzmriwt|jvwgpafo)|n(wtfoffbu|blpuetfx)|e(odfqlsot|eegtyzcx)|ulmcznalk|sgbodgwxb|bzzczxdim|oxrnxibzk|xjjmfnssw|z(ypxpsdln|lkzvyzvz))|e(xapquincs|yakuyiycm|k(gfhsnuab|owrtlcaa|bcnkzqat)|f(uprnkkil|kctibnwc|zcihbhfo|dvojqydr)|l(hslkamuz|ptsiugop|ytvgfcuh)|g(r(dthekyg|jqkaouf)|nzsmuznj)|qr(pozvkzu|ktdhpej)|tvhkkjbdo|u(tbrazdel|jpzmoffp|lrarlxyr)|z(obtfkmzg|mlwzvjdb)|slaleyjzz|w(rrosjaeo|gmfoduga|cqvqcilm)|o(d(qosuwzb|mjysgqj)|flxzjjbp)|nhsrotjzr|pzakscdzw|vuovmdbuh|i(fxezizxr|tvvkqixk|ypwwgapt|jukedvym)|hmjvkeaxo|b(tqkeomdu|vezjpctr|gcpzchcd)|j(q(ffhqmto|eqicjea)|gffnewrt|hgbrcnpm)|c(ldecsayn|ttxzpbpd)|maetlrnjd)|s(c(kyfroptm|zjkgrncg|pitileye)|o(berszoea|cufhcsid)|vnscyiyci|g(fpferenf|ltknwbvd|mdeesdom|efsoftuc)|x(gaakbgep|fmqedygo)|d(wmhluvcm|rbwmxhec)|jlztyrlcf|kfphmqjvi|pcolslywa|schgflhct|u(bzcxdklp|enjcssts|hgqldxzk)|wkzfldlsw|fraladijn|eviipjjkd|isokevdud|akohumdbc|hnqqvusau|z(tkudjjmu|pddrrsax)|qixglsuuf)|b(w(fhfisgvz|tsfbbett)|v(nrpgnrwu|stitqnsg)|nrzhptdbp|h(bymtvthj|zvsjyaon|owtiufup)|ukvwknmxt|ttglkbgsh|oyifzitdz|z(wjfcihwr|ytflgfmz)|ba(elfsasq|wzuerai)|shjdjkhol|y(thjbruml|ubpstijr)|qikusrcic|dktgcamth|afyjqbthw|gsousjkze|cowlpqlrt)|q(r(p(qneemjy|vfprdej)|sjuowqvw|hkkjkttn|vcsjbbay)|s(kttgkqyu|tiiguhly|jtqbzmac)|j(cplftuyd|iljqzqfa)|u(ojhxjjss|ksyrrxgw)|b(vgmrhlyv|gqrxnywf|fhrbylrk|aaqglype)|h(i(neszqhu|cobspqz)|kibnkxxc)|i(mpvizzhi|xyhvojgn)|wfizikdee|yhsrzfkus|a(donsfhwd|hhejizec)|zyefinqna|t(cnmacnux|xuhgbhhi|ighfdmca)|qeonczfse|crndjirrc|pttycickw|mrbsqmdhj|xmvfvajow)|c(g(exjpjimw|popcfacx)|n(yefqkwxx|knugfzlt)|b(okbwhovt|bludwbyv)|o(mdvpcmxu|retxqfkn)|ttvdlnlyj|x(xhoslfgk|gtqojkxr)|yzbbuyyrq|l(aroxbkfa|jbqhcpkm|xaejsqxj|resparsy)|s(ukwokdgp|lzwstlqe)|v(dmnjezah|xwtqgawj)|f(nmjmcnop|pjfugdkk)|cyavyeamb|zj(ulxbhpo|sqmytex)|iljjbwofi|qwxkilnvu|rcsqdwhcr|e(qyujaudo|scytqpen|azcfiwjv)|w(reksjgtt|zyquwfib)|pfmfbnkpl|kgpdyffhk)|k(ijjpvwcjm|b(fqbitvke|mitjhsrt)|m(nktoujxp|ttkggqej)|g(lezqgnpx|hvezimld)|f(erbhuvql|yqwskbae)|z(icnwvxcx|gpsjkkmw)|tbbjrzece|euhqqlmvr|usydkzqtx|p(rresduqr|fczebeqy)|s(dirtszwm|flglmcag)|osegtjmzm|d(toaaspsg|wjywvkxh)|vjdwaticz|wtksaiiup|cswglewjx|hrebwwezv|lvudyyhor|jbsaqglrr|kuphqmtfd)|v(f(wdhezsgp|ojwnmcpa)|cjcsppznz|s(gldnbepe|ardeycfh|vtrlioqo|hrgzhwwp)|t(latzigaa|olmrpahf)|hsjdsgdke|w(dswahpck|uokzwpha|qjrpvrub)|ohfgenehz|dxwyyktax|ljtjpucxi|qzkqgruyd|n(snqkcfbx|uyhihpma)|i(uabnkbjz|ernbbfvu|qwhrrobb|cwqxdmot)|mmnrjtnwa|v(bwyyyivl|oehdpwbs)|zjjrfijpf|pwyxxlwlw|kiekjsibs|aiihmzsck|yzcivxscb)|z(n(xmxzanms|yzflhjde|rcyubosq)|sezwjehjp|y(uyfnsapp|wwigoqzh)|l(qmzbokhz|fnerclid)|v(zlemjxbz|pjpmpszr|czujsaip)|o(nnhcxvbf|gktvkhbf)|hmgnjqfdr|i(dbmmdmzp|whnrnrov)|j(hzvmcuzw|fmkcmhnq)|m(yxvaxnxv|xmxafqpu)|rbwdixlfy|g(irrsbjbm|zqovlfbl)|cfjmvqyua|p(osstmfxl|ipglhtiq)|dtxklsvdn|tlyzeegkj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633002; rev:2;)
# sid 2633003 includes 221 (1201 - 1422) 10 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.biz)"; content:"|0a|";content:"|03|biz|00|";nocase;within: 13;pcre: "/(m(dmpiwmawe|ubwgenbzy|nbccdpjgk|qawdhvsbj|k(wdmdfxnb|usjxmurn)|p(oqusakyw|zdybllcm)|rclbkmybt)|k(ltjsxqfwa|k(zxexdsxp|ukdbfkfv)|w(jjwihhfz|swzkvidr)|ypizqbnke|hgkmmjxgd|vqoihawzv|uanksceke|rkwusbbmo)|f(gkjbdxpzp|e(rjmlsdwi|gyigzbmi)|k(udgmrkkr|mxxanapp)|rikigbury|fnuzmsiaj)|b(btfihsrrq|jbbnooukx|sdbhujwjd|izhnizfyd|kwygwzxic|demsoszux|fxvlxxayd)|l(ebpjvroaq|gjcpzkylf|y(mbgiqzvj|camcbrxv)|xfuusmakk|l(iagksfox|oafipndo)|wgzxqxcbx|f(yclfqxpz|xlmoxnsb)|opirdtfsh|zvyiehnca|hbekozbqk)|x(tuocbpfyk|xzvfohhye|rgcklnazu|w(zjtyyplt|rourzwff)|hwzidgusr|otlxtzlur|awxccvbzy)|d(tubjylxgu|wdkpyydqj|v(seqwmdpr|vqlekrec)|gnlispkrt|cyqjphnxf|fjzcxtymb)|n(mrpkeiwwq|yabwmpbde|p(tgvtzchm|dmvwujyp)|wynlwamyi|cmsrctajf|akhzakish|kdohsgjiz)|h(dvbgzorks|mifqitphq|ndsaewnby|qklfodrep|ummewmjvi|vfxmeygej|yjmqhfqsh|icddwccrq|eceeoozlb|x(gnmqzlas|uekvhzpg)|zusqqqfhx|talztgvyz|kdnxxuhij)|c(zrknzdxjx|pmhdbvjmm|cqivgoqfh|sklquzzvy|wwqprghds|abwqxalgn|o(afjigkdi|mljgwcrj)|lfvibtiir|ndzabwdpy)|a(fkefefuhp|lcbrmbztj|cmuhxrbei|ujvxddjbj|drrouqrxz|rdveyndus|vzhuvzgdt)|r(asetijupp|r(jgsttykz|ypnajydc)|ketuipulp|ljtcnbroh|yvhiiruha|qgxgncblg|hgjawjxfe|mrrmakdgs|ubitepyej|dvhqqnjsp)|j(puzfpedcf|f(gphdhwst|woygsfyj)|slkltboic|j(ywewmfkt|omwutxys)|kysipyqnw|opaxjddid)|i(juiefvfza|mywfqlfii|yvvcuytog|ualezadyo)|o(o(lsroyenc|sfoiilmo)|xypdkegzv|htzfrmxfe|qxslzkoik|vpstufsbq|awzfubhtx|rgvuyngfu|tjplommvf|mgojwqnsn)|p(tufhkbwdv|oqegnsrcx|hldqpzshn|l(ivkcgkhm|ljnpenit)|xhmhsiwol|pxrjdpvcj)|q(ezsnoksbc|cimjafucd|byemqblya|vxalaszvk|zfmlqvurw|joqrbwjnk)|s(orjxwcmur|ccwmlbpqa|aznuwbeus|n(qlippskw|yraoxgnw)|ydutwdoub|ximzpbjeg|bpwvgebny)|u(gfiepfczl|ymrpvjgzx|amjnuvsiq|snbqjgeyv|quclmwszq)|z(cqeadqyum|rzzvqkiip|dhbbqyhys|hhtiiwpjh|purjerxvf|auyunrfrd|npnazojwg|ykomfccjs|zidnccuho)|v(p(hgegmhae|qmckaswn)|gsgqxgrqf|synwvpfun|tjikzbvjk|kxrvvxzaj|dthbjawlp|v(rnvwfvdt|sicrjdih)|isjlswwjc)|w(sxafljagb|k(lkrfvogi|hleerzgz|mhhrvyeb)|mgxqgxkmr|zzhrixfij|vldfkkysr|csatmzkzw|yflbtadla|doraaidia)|t(qgfshpste|zgbsmlmpa|dajyfziwq|wvosbdwbn|l(xxwmuvdv|zaioecho)|hdefgnrxu|jkcmrlhqe|pnzvodfzi)|y(rujssewqv|n(vgltrkxh|incracqs)|cpoviqtuz|mlasscxhc|frckybvjx)|e(s(teuzamqg|czhiuwar)|bwzzbnbfu|m(dbfiupua|sqlwcboy)|cmqygrkjv|ojulstjtl|nekjcnwma|qirmraeml)|g(decsbybvq|qazzcajtc|fatfyguja|cxmkxirzm|glojminrn|vpjnjlwyx|ywoukgtoi|xylztuvbt|bvyjzxjan))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633003; rev:2;)
# sid 2633004 includes 600 (0 - 600) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(u(vcaylkgdpg|zfjmdobxgy|raykkgcuvv|lffjtkvrji|t(tdarzhcyl|jngbhloch)|aqmsofzluv|w(eacujeuoi|karhudfhl)|yucnxoqzrq|fbhgzzxnhk|ujdcgdqsjj|oxrcbdkbik|mcwmtzmchd|iswxjccatt|jfpgigbrfc|p(ebrnssdjw|vdxevhzop|bgipgxecn)|dtzghcdguc|q(vyullslln|msduvtgww)|xxpqphtcfd|gzwimkqidj|hcyrmikkzt|seuyfgetqj)|k(g(spolmwcxv|unvlpupah)|hkfqspxxxn|uhncgwxype|a(dopcsinlp|zadrdwcsa)|pfiruaaauc|okntkzhija|k(gabyclgob|tsbtbflzh|igwlybrcj)|ycynrxalwj|z(wuapizrmx|lqfkcupqk)|w(csbsikgmo|tqajrdaqp)|qtimxyjvsc|d(smygktobr|emxtcutoj)|c(yqqyfribr|nsvrtmljc)|teaprsajzb|xutirrckuz|evnbgtnqss|rjypdipkxm|boadezesez)|p(y(tcqnxohot|kgrzkybnz)|x(pbufodduu|mygfcbqge|gcdvurimh|rvvvnkaka)|e(fnxfiptwm|puxdwbxek)|l(eotifxfis|gusnjuevf|wrxknxwww)|alqfyjgciv|zbtoopinyk|c(lkqfddrlw|tgnsnkrvh)|q(vauxhpyaa|ewhtvqyky)|s(iommmawqw|hngczness)|bqgcllnhkx|tolawsxhwl|wswzxcwfzq|nldwlxihka|meggbpduug|k(m(otfgxlsj|nyqhwoqy)|qkcjtkkoc)|fdxlrixfdt|hjknqhouzw)|d(w(xmlzxtgey|tmzcbhpox|yxdhzvabn)|e(yieijqove|ulovqatfj|okihifuwq)|k(poltuejsq|zsfstbjgz)|teqikwshzw|i(q(apnpxjhj|udjgilcy)|suouqnxer)|g(cnyesjxer|adpygmlmi)|p(njcsuvvzs|oyjmujneg)|aakwwduwlt|ypcfnpjxdy|jpualmhgzl|xyjijwxyti|hkydgqalwe|sflskbuhfj)|y(e(decppeapc|iiwrpbjrh)|xlmkpknvdt|bwtloijhnr|f(ebybxvuwo|kkbuxliqo)|l(ehaairwse|ixpmdaomt)|g(onicinrmj|dixrbkiby)|a(erzdficil|ntsdxassc)|vmsfralyog|nsiaaueevs|tthjhqpdsv|mdlcjyqmjo|chqsgkbfvg|q(jrtyvilaw|eqhorjhgg)|rwnqkdksvr|dsmxntcngl)|l(m(carsgwujs|inkglafav)|ynowkpknwn|q(uoupmbpvo|hljbqsmys)|xgdbyucdsj|b(adyevykqa|iulngopke)|fmmmfjtaan|g(ilmncgygb|eqmaldzja)|e(zvgvsxqhv|qetndthrg|hodgzobpt)|v(jkvbjyngc|kwjbckgam)|d(tehxufiof|vtycbbmzj)|zbtkpxzfde|p(kyswqzriq|bijaxlxut)|ssvyrlxbtj|nlhbuzbmik|jfvykapuxb|igumqeekdo|kzrqwvvmte)|z(b(lgdgukzux|yjsczndpb)|k(bbksuooky|usfrktutp)|xdldopxpyi|n(ostyhljoq|blgsrcjvh)|fmlecpmrcq|hb(kdihbhay|fwkllvyr)|a(izycnrfob|oyutugwcs)|q(byrirehgg|znmfzmkbr)|ecptuzjbvb|u(cqbsyjfpx|thxrimhyt)|y(xqcelqdev|trjibjoiv)|rfgalukmhu|jewzutejmm|tfumdsrlyr|ipyuqyhxuo)|x(qjnlthatdr|crtkiriyio|jfnhcuftxv|e(zxjlprora|hykrtcwys)|hkhffiyfuo|wksybdbjgt|fsfipdnphq|uescorzffs|dhpbpcwaey|vpxcevvvsb|kmwvcvgokg|tghmvbylko|prjyndcakp|mkctauoeif|bfzwelrfre|ryxayagylg|lgjznvvszd)|a(i(qgcgdvjta|pphnuzkyb)|hboptmthkc|w(wayflqqlr|xsbnppmdc|mwjfodicx)|a(j(dvdrgwyv|bquctkkl)|rqpmkcykc)|u(yqegujfls|aspuwdjpf)|yibjtplaot|t(gxchqyyff|namrehqhb)|qbaugcoodw|ebskftjgol|xeeqhdgknw|m(vtbeaygnz|jucvfiokz))|q(g(qgycercro|itpfogzdr)|v(hcplbfdmm|phipyvjwt|oiiruwlrh)|fantzjgjir|y(amjirqsia|nqufshdwb)|z(f(zcnwviur|dzhwoaju)|bahwtqxsi|tsgdxmpqu|snlwirffo)|t(fiwzoynvt|nixdtbyhu)|s(liadryqdl|gyrtozmuz)|dlrjiqouow|m(toskblgad|kvqlvvstx)|uwccgknrhd|pffkjvuqyp|alwdftyide|nynaldvuyk|itjqcppvfl|qcfnnvvtom|jbwvyzfgpa|o(kywotlmpn|ydvogakcf)|botrsiyrau|cwvoznvzzt|hunsovpfav)|r(m(wrnohdpqr|ktfaklohq|jcywmpvql)|j(kevbvqumu|oreyitcwa)|tifpsxxeiy|ltgtouqzhj|zqqzwyjdlj|p(utoctajdo|tnsiqmjko)|gvmflbbrrz|e(teapixhqg|yhnhvvadt)|yqirayulrx|htdbmhwtnd|ffsbyubxsj|rtsduwuzhu|u(jppmqrxrg|rgnkqssup)|baenedkjim|wokqxmaooc|xzgkpddouf|chlnshjddr|oigsnrtvds|dxfqcajkpx)|j(s(bpvnkfldj|eihszgxcb)|z(orjsqwcfe|yrpaudxtq)|rfoqsfqsre|xvsidazrvj|lkkfvztvnm|oboybrhoic|a(yaryzygmh|jsnaqvvms)|h(uxpbnemug|yryvblcyl|qtytxodua)|wogxyqxxij|pvshsoobos|nzgqsuhzju|j(ipfqudamo|nrdrczpdt|arhgoxhkr)|eapvbhqvly)|b(tzxethqgmi|owminxfvfa|l(akefcokqu|ojvbcbrwx)|v(smegsaxqg|rtgmicfob|volnmchfq)|bpusqobxsd|f(usktfdpcr|dyshmyvkw|eyypzmobq)|h(wsmjcjagr|xawywktuw|fgpjlwmpf)|ztgulgyqou|n(jcpzjhryf|ocdmzaiho)|i(z(rsucbgnv|oqvlhelq|ufqhqcoy)|tncilhnyl)|m(pdyebjtqg|dubjxpxlg)|d(dguybtyov|kumokzjvn)|uoxgakbizl|cnwrleyoam|gfsnhvkucx|sknffubryh|qsukquynvs)|w(g(lpnmkqezy|buvgxskvz|uxhocqucf)|vzmthbvgtw|r(macmafwoj|pnhncuval)|d(vgdthzylc|jmkohesgo)|cqennoueml|e(caveyprlg|zmasuuxjl)|l(jwjraqnrz|budltvyuw)|q(vmvfoxadp|lxjjiaviq)|n(vniyhleib|tkpgxtuwc)|m(rldncvbkm|ayidwdwem)|wmfwcneukq|t(queothdgc|apgoeglbh)|o(hfjruaowj|bjsxklysi|nkbberwbl)|ftkykuvfuq|zmntbkytse|jxpoabfkln|ipfrndzhcr|x(cnruprcnf|gtbpqtqyt))|v(ktwwbxrhyc|dnuouvbamp|j(jyzlurtlq|hxnbisjnr|mmqwcebvw)|m(fmfoogbdx|yyfgyvjrv|zxzlqnlvp)|rkwjfpqovt|tkfvxajucf|b(yrvugagbr|bhdrbbfwt)|c(dhsvsjdvr|zzjuaepwz|gsjfkeuhy)|f(wmfezhksx|yaapmtuvt)|pzbsxxdsvz|ldplyttjtl|qhvnjoybgd|z(hbblmarub|eudhhjkqz))|s(gd(cotataip|tiodkluw)|a(ahnwkiogo|colgbkits)|r(makwvwawq|jdkcpdctz)|qlxseoinsv|b(nxtigwsap|igqvtnwyk|dcdkfbmyb)|f(gdelmzajg|zhewfzhff)|dtcpjppgwo|s(duozrzkfi|vwducdssp)|n(lljgtfkii|gzymjrpue|uvphnyfek)|vxquykupac|mqwexzzwxk|cnpwjzrhcz|zarintgcex|yaheyexcob|h(hvoqpvvvt|eibwdyuvp)|e(hlkjkarxm|siktxwrjl)|wmnpmrrwjx)|t(zqrwkehank|smyfmofqrj|yyuiptwskv|nqxvzdgell|xemdkskbfn|usqnzdgepp|keyobhshvu|f(z(aljjbmua|pfwcmldg)|trbgcfzke|fyybogrhs)|incruddivm|w(ckjtsxgho|rcnovlinw)|akmnuhmmzq|l(pjnmyuvka|npszcwguu)|dimfvcnawj|tdhlwyhawb|bpyxsmflwr|pjxbmxuvaj|ottnztslhq)|m(culxrejhrp|ecdwyqophw|nywfmqdgvw|jnregqbkes|dpoqghazza|qmklymdyhw|a(zhnwansyv|hrxaodgri)|uelsncyhpf|vq(zpieoypw|woinkvih)|l(cnkyqrxxa|lxljbmvwk|wqqfxjgfn)|todwtcsdtc|xxnuijaugt|g(vrapullhz|zsygdsurn)|raxsnchawg|kmoetdlejq|hzauwvvuyl|yvthpfzrfg)|o(c(zkrfwpqbr|qbtxfdzwp|ibkxuxfdy|dozlazfrg)|t(ugaxpuxcf|ptmxbfspk)|n(kavclirve|x(lcuwzngc|ohnxvcku))|wwuursppan|pbobygytei|izcecozvxe|lbufktkknt|q(rrblbnwfj|ghsecamhq)|mxcoyntagn|bsmuuosmpa|s(fwwafpzob|cejddfiky)|ggymnojmqa|zwpzkuhfkd|uhkrfztjdj|a(ccedxcxzx|ddlbtyszg))|g(y(hhlpwcxst|jeqqaomtv)|lzqtgsmtzg|i(ucqouabzb|kogxhdzos|izqzhpozc)|t(tjjbxoxqx|uxpqalsrz)|peusisbtzr|r(ptkzlocmj|jigrqbycr|olrxznmce)|j(yjlhjeuwc|vhxjxcrbj)|a(pvchfawoj|jghhfklgj)|uzrddycwro|hhbtzkcviq|qkmzfrapom|dmgabrrblp|b(slvxdzofy|tdivlandg)|vfolgyqsvf|fqfvayfsfl)|h(dihguugldz|h(zpcbsiitg|jwydkgvkx)|pehhiwyqbu|v(kapjgxezo|tttktsxpp)|e(veautzkqf|lbxwfsoze)|q(mmoolgbpa|rovapkvik)|r(ppkvcnrwu|hnktlqfpy|ahwkerrqd)|b(uacqstwqb|tqcmhzusb)|uiwpbeegny|a(uasxklkns|breiqryje)|ozzlvzkzfc|mvzbozbkbb|ceuoabpyzu|jmdtdgsavm|wgpgphxemd)|f(lglmiearxs|h(koebqebrg|vseyjxgyd|bdmorqgzo)|s(jvtazbhfz|qzfsxypwm)|uwxugujimm|vqbrcpulji|q(jhvgmzzli|olwcrargt)|xaoaidcsfw|j(plujlptmr|tcpjsiuau)|f(nmijkzjig|eybthdpcc)|ytbyjmguxg|rhencsihwj|nifuowbzzr|azswysbzcp)|c(ym(badlaouf|lsxpyfpj)|n(xqvkfwnde|gcyvivtys|ulopjdkun)|o(skqrwnntm|hjiqawril|msndxbjyz)|c(pnbvoyucd|kuuaotvbr)|hlrxmxipwg|bwulfccllw|ihpbznxkqr|kbdsxlssde|sizphtfoak|aokynywnia)|n(qprkgjzbsy|x(ajhyfsqjo|xmxraoabq)|mgrewkgdyj|w(tlfatwttv|nxejahepf)|n(fpqasoxnt|alpglsmjz)|sphciwxvol|rrqqbmrqhl|brdtgtfbkd|o(yxgivougm|b(zxxvftjr|ppjoztvb))|dgjbbvhiis|e(lynfguatm|tttodhxnn)|inwiiszyro|jncyyeipgo)|e(a(ldevdesas|rqoomylow)|w(nanwzmwnr|zgkdzcwhz)|t(zvrikmjqk|wttzkufru|hawimhzsi)|d(yopfnqgfh|ziiofdaoz)|x(hpagrjkwd|almsxqbsi)|lwomngbiag|qwauheoyhv|uaulpblkhz|ssbhsfxsxy|n(diopucsni|gmzuedchc)|p(ymaiwooaz|ogdfxhcaw)|ejnicptdun)|i(rydjmqedpg|zmlxrwiqky|w(ltdgbkfbp|snybaoltw)|oolabxugai|icausgtrry|mthkxqqwak|jtnmfvjvyc|t(omkwaegtx|eixlxwzqv)|dejmdbwccy|nqdrfgjuay|qagkzgfmeg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633004; rev:2;)
# sid 2633005 includes 865 (601 - 1200) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(s(m(qwexzzwxk|xgybmgimz|cyduyjbzs|tybqzrpvy)|c(npwjzrhcz|dyvhpkitu)|s(vwducdssp|ljcazhklp)|n(uvphnyfek|oykyyycha)|zarintgcex|yaheyexcob|h(hvoqpvvvt|eibwdyuvp)|e(hlkjkarxm|s(iktxwrjl|ckktamwq))|w(mnpmrrwjx|e(fndkrfbp|wyhkovvf))|bdcdkfbmyb|r(jdkcpdctz|l(pqxkmyyd|ahzdfowb))|tjmpohgote|u(ajvfmawkd|oporuovok)|v(yvnhgmlzo|nzaufczkm)|duaftqdzvf|kgmzepgbbe|qxldhzlixq|xefshhugas|f(gnhsonpfk|lzldoumsj)|pmxirkpyyn|gpxuzrotkt|lbnqpmsxch|apcjgeatuj)|l(dvtycbbmzj|n(lhbuzbmik|corhhqahz)|j(fvykapuxb|hxfkibinn|jezhoigzh|zdffthvnc)|geqmaldzja|v(kwjbckgam|iwcydehdo|luktxlvbf)|e(qetndthrg|hodgzobpt)|p(bijaxlxut|qcakkkqts)|igumqeekdo|k(zrqwvvmte|avvgboqkw)|fjpvekrzac|rbpiaubynt|b(svdxcprzu|etgwwshrf|nzfwuokvp)|l(h(hiimjizh|vgqnfgbp)|dwcbnxsxv)|s(cjoxrnxdu|hitqozumb)|htptyaqbzw|a(dnrpvpewp|mhplpadkn)|clfewaszlv|y(oqzwapfea|ugngchdln)|w(xrzibdjun|zbjzzcplz)|zoyytkymrx)|y(v(msfralyog|tctbsplwh|yyovfzglu|qincabuag)|antsdxassc|n(siaaueevs|ltdptkygf)|t(thjhqpdsv|xrkxvxbhc)|m(dlcjyqmjo|kbmxhzbix)|c(hqsgkbfvg|czdtmoscj)|eiiwrpbjrh|q(jrtyvilaw|e(qhorjhgg|ftbzmcoy)|vivhbzmrp)|f(kkbuxliqo|c(lcyqmwca|mxtcubmc))|r(wnqkdksvr|lltzydfaf|ekgwvplnt)|d(smxntcngl|hxsyqusww)|g(dixrbkiby|cqyerobiu)|j(jvmvtmkbp|mzdtynilx)|w(inhirnkwn|qgkjfssyk)|zxaxwypuir|bcfmzkpytd)|t(a(kmnuhmmzq|ghdojanuj)|l(pjnmyuvka|npszcwguu)|dimfvcnawj|f(fyybogrhs|umlzyijbd|sojzsuvmu)|t(dhlwyhawb|swygxzihw)|bpyxsmflwr|pjxbmxuvaj|ottnztslhq|r(dfofcemlv|goxendpuu)|x(ylpyufnwf|vpjmiludi|epbcugfub)|kjdpvzmxqp|g(cgpgjivps|zmmarzglu)|m(qfyoeqedu|bcjtgvlpi)|qriixaojbp|u(hqmswqljz|lvwnqeeyv)|w(khoemaadf|okkbsoxnf)|hbdxhkhhfc|juzgqaxkxn|c(yvlktfnyg|vostlvhnw))|x(uescorzffs|d(hpbpcwaey|fwpqndjtc)|vpxcevvvsb|kmwvcvgokg|tghmvbylko|prjyndcakp|m(kctauoeif|nlqosqsuc|jlpllngjq)|b(fzwelrfre|rmcyruoan)|r(yxayagylg|aphfnypsw)|l(gjznvvszd|lmvrmyyxx)|e(tmditkqyc|hvjsivwgf|kkrdefhgb)|h(sgmlkvgcz|zqwcygfdj|oapwdczhp|weqyviczr)|gedtjfmxhw|y(oztksnizb|ujgzxxheh|vkciepaut)|x(chbqobhkq|jvxbcauub)|jxgjeendqg|fyenknrbpg|z(mspcwblcd|ofzuynevv)|ngxuhapdbc)|f(ytbyjmguxg|h(bdmorqgzo|sgyreeuru)|q(olwcrargt|dvcujtmpb)|r(hencsihwj|tistpbnsk|frfilmiom|rbbtbuyuw)|nifuowbzzr|azswysbzcp|s(qzfsxypwm|ntulrprsr)|ufjlkqrckp|p(dzlpcekjp|iursaymua|qqkcxdhdk|ypbnyeqdi)|oyyrowqmcx|fzxnojbfeo|ckrcuhgivf|zrzmqxsqts|iwwgjtpzqs|gikqowcruv|b(qmpcngsxv|mxajsaspp)|temyjuoomn|dxbveyekla|ejjuqndsmm)|r(rtsduwuzhu|u(jppmqrxrg|rgnkqssup)|baenedkjim|e(yhnhvvadt|xwicdkxos)|wokqxmaooc|xzgkpddouf|chlnshjddr|o(igsnrtvds|awabpjcgu|unnljwlbn)|mjcywmpvql|dxfqcajkpx|ptnsiqmjko|lhsizcvgqg|i(hedeiyrkz|debkctyez)|zwliheptss|v(hgnwqafym|kfpyfsqmk)|jpassteppc|tcferxxolg|nlxzgqrzpd|qppuphwbpc)|z(k(usfrktutp|pknmvuzqx)|b(yjsczndpb|ngqbdiwtf)|q(znmfzmkbr|krlfzjpdb)|rfgalukmhu|j(ewzutejmm|tmikegfol)|t(fumdsrlyr|yztxlzctx|iznbvjege|gnmqwpzpm)|uthxrimhyt|ip(yuqyhxuo|auupstsy)|h(bfwkllvyr|ozjgynzde)|y(trjibjoiv|jigaurnni)|e(vgkyyluxu|tawaezrjm|ctnjucfnj)|amlzyujhzo|z(ygglshxeg|zsqlipokc)|gnnfgxwozf|cutlqarzlc|xdlcekwomr)|v(c(dhsvsjdvr|zzjuaepwz|gsjfkeuhy|xtpfnzfeo)|f(wmfezhksx|yaapmtuvt|ztbvarftp)|bbhdrbbfwt|p(zbsxxdsvz|qqctgeqcq)|l(dplyttjtl|tfzvmslqo|clnbqlymm)|j(mmqwcebvw|gwiulwfzq)|q(hvnjoybgd|nuszufrbq)|z(hbblmarub|eudhhjkqz|nuwtksnst)|m(iommulyxu|ggrgrkjle|oruqglqkz)|i(wvopvmaed|llllrxkzu)|k(smsypwffq|pmostqezt)|t(mrzjlsfdm|wudnjbrlc|zhweagptp)|gaeroxsxhd|sguevqjqvz|o(dfpfantfi|qffhphdux|llwvdiaix)|rnghbdtnqj|n(xnqlyiefy|mbqsknayc)|y(wyqfpdbgq|oyvfuzrbf|xtpjiiicm|tkgkqumpu|djgtgirqv|auhgxrqto)|heqxpvbivx|ucoijnrxsd)|u(m(cwmtzmchd|gdymmsfbx)|iswxjccatt|j(fpgigbrfc|taqfbrxcj)|p(ebrnssdjw|vdxevhzop|bgipgxecn|upibjpwqv)|d(tzghcdguc|ugmvhgxlo|bjwiupbro)|q(vyullslln|msduvtgww|cazwzegzn|a(tygoppwu|ncahnkts))|wkarhudfhl|x(x(pqphtcfd|nsxmxvfs)|rpqednzyz)|g(zwimkqidj|nkuzoqgki|pediclqey|wyibztshb)|h(cyrmikkzt|ejfaqwipy|uofekmjse)|seuyfgetqj|rsbzhpaueh|o(ujhrsccpl|jjvetarlp|ygwylxrru)|l(dnbkdkumm|esnbieqfs|brbstdljr)|v(m(fjqmbwjz|pgovcqkp)|geqtsrkor)|npojsbtydx|c(kilshenha|xlrvuumsi)|kfhvavezuc)|b(h(fgpjlwmpf|vkmnsnqri|jaoojykja)|u(oxgakbizl|pkzmwxdnp|tigdhuhqc|jcirazeqn)|i(zufqhqcoy|tncilhnyl|nheussqzj)|m(dubjxpxlg|xuvwzfytp)|v(volnmchfq|jdfvmfabu)|n(ocdmzaiho|gyjxeegyo)|f(eyypzmobq|gzkwtsvzq|qfaqmjnxj)|l(ojvbcbrwx|ncitdqdqz)|cnwrleyoam|g(fsnhvkucx|zswmrznfd|blaggpgbm)|s(knffubryh|wedeewgcr)|q(sukquynvs|tmmbwtkaw)|wipiihmmmy|x(rffqzecsw|igcpistvv)|a(tsvtzkftx|vyfpvdpae)|jfvjidoaon|octwvvsmhv|plvhrspsvn|z(ryruxwmdt|tczfhfhfe|jdmtkywtj)|k(ilcdvcsjh|ksfnnkbxd))|p(n(ldwlxihka|mzpdilrsw)|m(eggbpduug|yfnbqlmhk)|x(mygfcbqge|gcdvurimh|rvvvnkaka|sairuacjd)|k(m(otfgxlsj|nyqhwoqy)|qkcjtkkoc|rkyrlgzyp|hwqbtgnax|pfrtaatej)|f(dxlrixfdt|rssndaxbd)|lwrxknxwww|ykgrzkybnz|h(jknqhouzw|tqinebssj)|u(tztbcpoxz|ssqdaqqlr)|dbmhmihtkn|rqcjdvemkj|j(yghgzhvti|vnktoufzt)|t(zqnraifgw|chmoqjdvm)|owopkgsvds|cwpxkhtxum|zfoxnxltsk|g(oemaylode|ykivysfqk)|bimlmjgrfn|wopxoqgawt|a(ixptvbnel|xsodebqjn)|v(wbykgpxtb|jaitlgqek|ywdlspluf))|h(o(zzlvzkzfc|bavqifwia)|m(vzbozbkbb|bjgdqrrvy)|c(euoabpyzu|wmmtcuyon|icixozedi)|a(breiqryje|zusjhlyuy)|j(mdtdgsavm|i(zscaoruc|neepodvn))|v(tttktsxpp|eusbalefn)|r(hnktlqfpy|ahwkerrqd|zeaazfxrk)|wgpgphxemd|h(jwydkgvkx|eshmywpcn|mlgjutfwb)|i(aqnfxdork|gxrqpeupu)|e(rhuhszxux|ajrqzrhsa)|lxszgvhhwc|y(vydufcjaa|ingeeubsc)|zpgrnyoddf|u(qsprvxoqf|eftekboai)|ddmxqypnpv|g(wasfzvrhw|oqepyhfxs|csfsrhffr|hhjiyjkvq)|beajpevqrh|slwxrehntv)|n(b(rdtgtfbkd|gtvcymxgo|cznypnccj|aqwvkaiyj)|wn(xejahepf|voobvznk)|o(yxgivougm|b(zxxvftjr|ppjoztvb))|d(gjbbvhiis|xnrlkkwuw)|e(lynfguatm|tttodhxnn|umxcroskt)|i(nwiiszyro|yeoexjgpl)|jncyyeipgo|x(x(mxraoabq|dmrkykiz|nimrinhi)|nwvazwtut)|y(jzqhsduxy|ofxsiovtt|ysgccgyfj)|u(byhkrbchg|scmiarbma)|p(akeixgrud|prxnkwzoq|tcebekxft)|ghvdjftqaz|rexxafiger|z(hkvrlfxak|zgogjixjc|fnavpsyog)|fnipngksmi|abyodpmmcy|clktwqkzvy|hpislwpbng)|q(q(cfnnvvtom|uqdksupme)|mkvqlvvstx|j(bwvyzfgpa|qricuylws)|v(oiiruwlrh|aweebumkx|jccxsbwnl)|o(kywotlmpn|ydvogakcf)|botrsiyrau|c(wvoznvzzt|nwzyfynki)|z(fdzhwoaju|snlwirffo)|s(gyrtozmuz|rmnwbrgrp)|y(nqufshdwb|lcfkesoza)|h(unsovpfav|vuxercqod)|rqydibyrsn|x(ooxhpvslo|dtynsnrtd)|p(oyevubmsa|cntkazhbe)|f(xahfnzrey|yqazbybjx)|tigacvpgju|w(hxgshrtjt|gxyfkicvn)|gvdewfrugn|afkdsgozco|k(mapoeehsz|npnaauuzq)|upxbqmjmbv)|w(f(tkykuvfuq|vqelhnsjy)|m(ayidwdwem|bqbtpavfs|krcbmszal)|zmntbkytse|jxpoabfkln|ip(frndzhcr|nzshwgdv)|x(cnruprcnf|gtbpqtqyt)|tapgoeglbh|r(pnhncuval|omdbhzzet)|o(bjsxklysi|nkbberwbl)|e(zmasuuxjl|lzycqozax)|ntkpgxtuwc|l(budltvyuw|kuwqwxete|pszgnvaep)|dqjbskhgmx|v(ftoidgxzm|qkurmljls)|ymamvauuwa|gctftilawk|qkfzsdgcno|uccnyffuzo|ktcoddrznd)|o(q(rrblbnwfj|ghsecamhq|qalkrvtik)|n(x(lcuwzngc|ohnxvcku)|vjfiqfmca|lmtrluwyz)|mxcoyntagn|b(smuuosmpa|zlmjzeowz)|s(fwwafpzob|cejddfiky)|ggymnojmqa|z(wpzkuhfkd|lzoxntach|j(uatvtqma|dbbjbkry))|uhkrfztjdj|a(ccedxcxzx|ddlbtyszg)|pvszievrbg|o(mtqjshjqn|rmzrtiuba)|t(caclrmsah|mlnbslsuy)|fgwuaywbdg|e(eczcdvpag|zisfulfmh)|i(zugrbkibm|kbyktfted)|rbpqqdsjjn|jwrdwnhyue|hnunukpgxx|kkptbkvtvb)|k(d(smygktobr|emxtcutoj|tikhmimyj)|c(yqqyfribr|nsvrtmljc)|azadrdwcsa|t(eaprsajzb|ijfmcwahx)|xutirrckuz|evnbgtnqss|r(jypdipkxm|xckproemx|qxshbftns|zzebiokxn)|k(tsbtbflzh|igwlybrcj)|b(oadezesez|yzjgjkpze)|pndqpdriqz|yzwuvvsvht|iaxcqgprsp|u(ijlcfkkaq|vdwvqketi)|hpryvdhdhm|wfoniejjgg|jqkifyytlb|vgzfzcxvjg)|a(w(xsbnppmdc|mwjfodicx)|u(aspuwdjpf|uelmykqix)|tnamrehqhb|e(bskftjgol|rfyhlbugi)|x(eeqhdgknw|pshacswkn)|i(pphnuzkyb|mrdjmufko)|m(v(tbeaygnz|jakimfdh)|jucvfiokz|wwheyyimg)|n(g(naidfegu|zrpptptu)|dyviuizvq)|k(edwgjyzrr|ypykllteo)|spksvjzntw|orcbyafmmi|g(xnrixgamr|tjwjyrwxb)|qantuysfyu|yqugfjkqad|bddcjpxwkg|axrtdrympm|j(mymydgtzi|vhazmvncm)|huptzxqxdn|zldaiogpet|lgfgbjvmbd)|j(seihszgxcb|j(ipfqudamo|nrdrczpdt|arhgoxhkr|dtbdftvqe)|h(qtytxodua|rptrgxsdf)|ajsnaqvvms|e(apvbhqvly|kxfvawhlj|vvluzpmab)|z(yrpaudxtq|unarapnuw|seomnxmih|klctityuc)|o(nbkmmjgvw|fztsjpllv)|p(irhfqgqyt|tfavnttsf)|imhtrlzdps|rmsjoplypo|veexeqktro|tzpluxuruu|kstswttowc|xqlxgfedtq)|d(ypcfnpjxdy|w(yxdhzvabn|fzteyetwb|kylrtbveh)|i(suouqnxer|qudjgilcy|xfyswnmhz)|jpualmhgzl|g(adpygmlmi|raeozapwq|uttwhdmuv)|eokihifuwq|x(yjijwxyti|fgutiivcd)|h(kydgqalwe|mgkyppslu|ljymmhahb)|sflskbuhfj|kzsfstbjgz|pikjzxqyyw|muqobmcqpw|b(kdiequiqg|ailtbdqyt)|osroubofah|aezbptlrcn|u(ddmizslqn|xvgrupcjt)|c(mmpojfvoh|ytbanafhf)|v(lovyjwkbk|bcsbxbtay)|z(hndnuosss|ogvwwufgy)|dwwmybtbpc|l(dzkzykfyw|nrllnigdt|ejbkbhyeo))|e(p(ymaiwooaz|ogdfxhcaw)|t(hawimhzsi|ygtmjhovf)|ejnicptdun|ngmzuedchc|d(ziiofdaoz|hzwemhqxd)|xalmsxqbsi|a(rqoomylow|qahdcngkc|hvrdpgmgq)|g(stehwrhrs|azdzwrxeg)|hrshldwaur|v(felcrrvyq|uldphnxuh)|o(elvvflooz|vqgvhciqc)|ubimxqhowo|krpcbddrvs|m(llrphsbun|xrwyhalkq)|c(uuzhnkzfd|dwsvumzqp|bgjkhxulq)|ijitjzufzf|wyzjwjlhun)|i(t(omkwaegtx|eixlxwzqv|u(wizqqrrw|pksabkgh))|d(ejmdbwccy|xzjewhaok)|n(qdrfgjuay|waajdxrft|footezxmu)|q(agkzgfmeg|mfzuirsaq)|rjogyqwfrc|z(ansaiblgq|wqvpjrlav)|wkshxbioev|izljmzaoea|b(pxjtchouv|oigzqtykd)|snsnnmojui|ysycugbwpg|xdhyxejece|l(ashglugqn|uspqutisq)|ucztsohkac|j(utjqofjpz|hlhnntnjg))|g(btdivlandg|a(jghhfklgj|muxvtamgb|osxjumdvh)|i(kogxhdzos|izqzhpozc)|r(olrxznmce|wbqgvesmt|lmlhvdkmy)|v(folgyqsvf|cswzicdhe)|f(qfvayfsfl|kspmfvuhv)|h(yxsekjrgh|kujyimeai)|t(kjlcvhocy|o(chkhzxyt|kdttgcas)|hcppwyrxd)|g(efztlbpqe|grkfmtuwt)|dkvjzcvglu|k(dpwtbsujg|lcgbzrgmh|sitxxukgt|vioovkxjk)|o(ocdkkbzzn|fgylxofin)|y(npmoajzef|arxlexksc)|qeerzxtgpu|mqqheequtp|jsbgcrjyll|uwatkjbcky|whimrvtwdb|ziplodhdhj|pndsfdxjgb)|m(hzauwvvuyl|lwqqfxjgfn|v(qwoinkvih|bemfleiie)|yvthpfzrfg|f(lrstefffr|vhdprkocg|duqxxnyqy)|w(sbskbbwht|curnaancd|yvrhukulu)|djywdrouxp|thyrfmkbrq|k(lqkgofpbn|hixmngnlh)|goqazsfldn|cpkgybyakw|nauqgvvwtg|afkgjippdz|j(ynqokmfqt|xbxtubuqu)|rrwnbywqjn)|c(s(izphtfoak|mzicxkbun)|y(mlsxpyfpj|slstldkzq)|c(kuuaotvbr|dmuckxymg|tyssfkwfk)|nulopjdkun|aokynywnia|kndjszihhg|o(rxihaziej|zalntewwg|qpnvksknm)|vrvbcgqpll|l(howmajtjc|mikeikhpm)|zazstnckum|jhajwnarrk|p(fjebrvpgf|hjsluuspe)|xfruxvrqmm|uziacutvil|doieiindmj|fwugkmgkle))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633005; rev:2;)
# sid 2633006 includes 265 (1201 - 1466) 11 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.biz)"; content:"|0b|";content:"|03|biz|00|";nocase;within: 14;pcre: "/(k(vorguhqvvg|y(emumegwlj|gvyhejmaa)|onoyekmgwr|s(is(kjsfmpw|tbwpswr)|qyuoviotw|yarmvzfis)|dyeyjxcucu|xuhzmwwkew|evtqhkpulq|wwrxbbiryg|kmnfmtvfwu|aswvmwckxg|hnrkhfprov|upgsvzglog|qpkjjhfkuw|fcqoaveosj)|q(y(fkolmefyb|exirzwozl|bpekuxbzz)|qiwzfpcfor|ofvmhpywno|j(nzhdhscqh|akorikuqr)|n(zoafkdzwi|jndyfuvqq)|icfapayyto|axvnupgogf|vgnpokcsxl|mqucinwoyz|ehibsgbhnk|pakimdgujd)|m(rskargghqr|jyenxjxpoe|t(bkdibtfru|dxhwjllos|mkeudxljv)|ejmvpaaijw|p(icbxaeuuz|hubbowhbs)|seleowuxhc|ceuihhrosu|nugxutyldq|kfwiulfgef|oyfrufnskd)|r(xkvtmjxnzh|hxiuqxwump|wuvtnllkaq|tbqxnvnuzr|kwltvglxxh|gnwqxewbko|vmfjfdzxei|onurphehpj)|u(jvqgzsymyz|t(tygbsxmfp|ocfbxgcpn)|m(ruwzqftit|oiprdueby)|v(rpiguiesu|mkemryczm)|sxmldbpkbn|fcnmolocog|hfvnucntqk|akusoakkgu|xuyjygvidh|blaeaulxxm)|b(k(jnnakggjt|ddhctowbg)|lnqfxcxeyr|izuembbrja|riawqurdlg|u(rfohaobcl|xxkbgllow)|dizcgkfein)|y(y(sqcrldaoj|whnhcbvqc)|epmmrqoruf|mlikdplqrm|g(sfyvnnrhd|oujymdnyk)|uqillzeitg|zrpbesjlck|cbnivqiwpb|okqszpjzbe)|c(awpbdgxgxp|yswxqveurd|ixyhbtsaov|ucopvvbglm|hqezspspwu|pvhquzxfmv|bdhddagaxy|fwwiuzqsmp)|g(j(qrzxzuxlt|twsjhpzeb|xonwnmyaf)|rdqaubojev|syqgbpphvo|m(mpvcdnzyu|hurvppupl)|qjfkqqwpfa)|z(qixmmljvto|nhtnenqiho|fppecpzlnf|sevpcwqqtx|mpqdtlqdeb|opzrrdwxct|xlcccqqiei|txhlbsdavn|veqatrwxuc|jihtrroujw)|j(cqbadidsoi|s(glypjglig|anyikihui|vskqhbybs)|zeeoqktlum|h(jmaquvqcu|kxfdwsgty)|dpouebcvwh)|s(z(yvmreuucw|uoptupudh)|vmhuouqrhw|dkxkwtquqj|ttzszpotcz|fgfanblgao|hphvpeppmp)|e(gukwpexppg|iivrtfkqfb|hsqekehwkg|k(mybrkkqti|jkrfgzdlp)|qkonozhwmc|ttpchdanjc|zntemjtlhe|nitgxetgqw|yjdlyibryf|wtyclkcacn|bhfgmpgrir|riizamdqsy|okpkzzdpez)|n(wfzamxjslg|gjndpicnhr|vveldonylg|izbypapibk|l(zcfytkhtg|qewepgeze)|hubywaqgeb|kcypxpuyjh|bsdvjxffox|royihndqou|txjrdzbcwm)|h(poukyzuhmu|tlgsdjqxyg|nypjeoxoui|ymsuooopai|xjydzinrld|kmeycpvttl)|w(l(xhtofbsdd|istytfmse)|occivwdkyg|jerfxwqeiw|u(rknaduhux|zypsxgehk)|s(aoijgzxys|pddbvflvl)|bvwhfujoei|fudymthwud|rzrhwzokrn|youzgdwfii)|o(r(zqbyfomae|aujvfdmmb|bafbelfaz)|gttimzzrnw|kzmyuukdug|t(qqtlioeyh|sjcjwpezj)|htvfslpnqy|vybjclfiix|xgpdlddfuw|wvbiuwsdpz|lskyherdqs|nmmstvuacn|zricnnmwvp|p(rmdhtcopd|hxxondtoz|itrkiwgmz)|jzrgtflwba|athxiaajyn|qckgnxgwdy|skwqzvtoka)|d(l(emvujearb|tphgwosqt|lpoogydsn)|btzincczbl|z(xhqkvacft|fmsjznxjq)|cicydlgvqi|hgajfrsaaa|rjjcqyavvj|wkrzhnmqsm|tcjvcorbwl|sycqozeumd|gmmqxebnep|motarvztkn)|f(e(eofgczcbx|gdlziyfay)|qwfabndzmn|tgcheschti|odsecloszm|fhvncbaxkd)|a(mnfssjxbem|sgumxjzfyo|zryefovskx|nlfhlrhypo|q(fsrksotqi|bwhdfrkss)|rehuqgqifj|jrruuliihi)|v(z(wgltbjlfr|jjlvpyqzz)|cfecaqjdxx|uuhyxqsgmi|e(lzmbxfydo|qgihnwbnm)|dylfgamzch|nyxuthtwwy|aznmdgzwup|iaxxpkzauz)|t(srwvnfdpdm|e(rpfkevgjt|ovywpdawo|zlcwtkgah)|x(kymmveuuh|wzddhnnos)|yojealwsuh|aowdkyfmtj|jdpnvfmdxv|vjxgecksyr|fifzaibdqx)|i(emiuvtpvgs|gzhurmbrpr|sfgntshobn|flfunjqczc|kwusndhcel|nfwapkewkd|mptzoccqrt|ierwpvgfdb|qgumjywbmz|ardyupjvrt|rpveumkppx)|x(t(hdimrnxbk|ndpeiltir)|zuesqljlie|yhdkmfudns|qjtjjpgeka|hubsyqvgzw|xccfzqtvtw)|l(rzvfoeoqrt|ypeadxxaup|vltizzcdtf)|p(mcnavxnfxc|c(iglpdpemy|oyakofmsp)|hmaiciolul|tdbotlrpbx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633006; rev:2;)
# sid 2633007 includes 9 (0 - 9) 12 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.biz)"; content:"|0c|";content:"|03|biz|00|";nocase;within: 15;pcre: "/(wsvldkyhhcao|org(kgntdwjcr|unsmxffpn)|c(n(lzyqwvuyey|eliyybdekt|sdcqtwivoi)|cjtuwxsuwfl)|netxzlwdoeey|infoboijwhyh)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633007; rev:2;)
# sid 2633008 includes 5 (0 - 5) 13 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.biz)"; content:"|0d|";content:"|03|biz|00|";nocase;within: 16;pcre: "/(c(c(wowbdzzhach|tzltbehqxgf)|nyuozkxmelaz)|net(uzxtrueuvb|avonxvhjau))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633008; rev:2;)
# sid 2633009 includes 2 (0 - 2) 14 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.biz)"; content:"|0e|";content:"|03|biz|00|";nocase;within: 17;pcre: "/(bizzymwiwbrkuv|nethwidcexhybz)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633009; rev:2;)
# sid 2633010 includes 600 (0 - 600) 5 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: "/(w(e(afo|xxo|lao)|b(j(ro|lu)|rkx|xws|ydt)|pcah|z(xxs|ixp|sza|ygo)|hivy|wxsg|x(lsc|nxx|zrb)|dxrb|oash|k(rvm|hxp)|qdbs|apyy|lojs|nsxv)|i(xuae|l(jcv|nnb|drr)|y(ufo|vdt)|z(swl|tdb)|q(nmp|qpn)|n(urq|rjp|fss)|wgpt|i(spp|nmy)|prqv|d(bih|zgd)|gtmd|f(fcb|lda|tqv|ebp)|tmvh|rlgq|mwal|khgl)|d(frkr|hous|c(smm|rdz|fpi)|mpjg|x(lrl|hqp)|zdia|l(ewl|bov)|b(ndd|vzy)|o(hcw|yxy)|iw(az|rw)|jzhr|gito|vvnf|dayy|uedu|pgjw)|b(wmra|e(wyx|dct|hne)|jywk|r(pbq|cjp)|blob|lzwh|scml|nogv|h(cpz|kuk)|ckez|d(aql|vve)|vipd|yvai|glla|fecw|iqfh|qsuf|tleq|aklx)|r(q(izd|zjp)|ukdh|cq(vo|qo)|w(xgd|etn)|jcio|z(vvq|bcb|ick)|v(tnr|abt)|tuch|fhrq|edsp|xtyu|ywsx)|n(rgiq|g(fyc|jfj)|xhov|f(czn|yic)|spac|npec|pooe|owlk|ktik|tvbx|lphu|admw|qbla|hnud)|p(x(vus|a(aj|fz))|nzax|e(dub|tki|waj)|f(vzu|ngc|edi)|c(zmz|mmx|roa)|jjqp|d(rvo|wqn|yyz)|mwnm|v(nap|dwt|ppk|lot)|a(owf|cgm|ghi|hvx)|u(kox|mcs)|lnct|zhch|igqi)|u(d(rgx|qef)|xrxz|gdnb|ahau|y(g(uh|ld)|zsh|bzl)|heuj|k(nig|auf|giu)|cujx|bwpt|mmry|i(grs|jgu)|o(vmn|ozo)|q(uua|yiu)|rnjy|nuco|vaur)|h(w(ouq|gdz)|kzsh|z(iyv|rec|wsn)|xzkz|t(cko|frw)|dwpy|hgdk|q(mgm|ghx|yxu|xie|nlh|tay)|f(azk|klj)|eoic|pzxb|ldud|y(icm|dyh|wvi)|ocbs|swpz|uibm|rxmf)|q(ut(yj|nc)|x(pnl|ccj)|fonn|t(yeb|kbn)|s(jvs|ige)|h(ewh|cxj|pam)|dwod|v(jle|zkp)|oiuc|ihox|bhah|z(loy|jky)|msbb|r(cwd|bwm)|q(zcj|rzc|t(ry|pr)|sam)|gufp|wtno|k(cca|str))|g(vbdz|u(dyt|slt|cjf|khc)|bwui|wsml|xkea|p(egc|quj)|evyf|hknr|rxao)|f(g(qql|eok)|a(jzj|oki)|k(yxe|czn)|nygm|c(uvh|lal)|laam|euwm|q(mzh|xhu)|d(ycv|qwh)|x(xdg|upy)|yrro|zfzq|ux(nw|df)|odda|f(cbc|tbr)|idhr|wxvu|j(sxm|yev)|rsmd|shhj)|j(f(vnd|sxf|yba)|dgyk|h(paz|cca|auc)|q(eya|ggk)|y(vzj|snu)|e(ixq|tik|uwy|voy)|g(sny|vng)|xtpo|afkw|m(lgv|gkf)|peho|wwmp|r(agl|tpu)|nojo|zjbm|s(pva|unu)|bwhs|iupm|lvop|uatw)|y(z(ifr|khy)|chuk|byip|jenq|u(ihn|l(ld|sm))|iozt|njpn|y(qlw|jfi)|loxz|vfiu|oemv|qhwe|tvoc|patx|dckx)|t(i(ntr|khj)|rhze|e(jpg|bkz|mct)|fepm|xchh|ocob|sjne|zekl|p(ypo|ksz|esa)|khem|dilc|nrqs|qfeh|mjwu|j(owp|xsd)|vnew|gypt|leig)|c(p(jkl|mcd|bvv)|tpgm|n(rhl|fkn|iev|uxl)|q(gqp|kdd)|a(vow|ekp)|y(edf|qpv)|iuen|jwse|ssnm|bkwy|vtbz|uhxx|ojma|xeca|h(zsv|mvv)|dkdz|f(oic|qsy)|r(bwm|wmw)|g(yna|brw)|wuee)|o(c(mjz|oqk)|i(bqp|oly)|ulae|xvat|diyg|a(sil|ogo)|txca|famu|kggv|naet|ebio|w(sgf|oth)|qqmd)|x(f(ban|nsa)|r(aer|cle)|wqef|jyjd|g(f(dd|bd)|cwe|oqk)|niqz|budc|p(voi|ddg)|dcmu|s(hua|rca)|hltr|loge|vqjb|txuk|xqdf|obmp|ahtl)|e(hrjp|l(pip|ujp)|a(tpt|kcl|znv)|nbzu|fcbt|pubq|zbed|xlgw|thcv|sylj|yoja|wnvb|gfsp|rvkd|curg|vyxa)|a(jins|yska|n(gsr|nyh)|caac|irsm|ppnt|gukl|wpuz|t(baj|ldi)|l(aej|ner)|s(kee|qrh)|hasq|qerd|zaiq)|z(tzja|g(vqf|onw)|cski|ltjq|p(dre|bij)|n(zfk|eiv)|znjf|ebpn|flee|x(xno|bjy)|a(aup|nru|lmn)|qsmg|bour|oevy|jaqi)|s(pivq|qans|e(b(yy|mt)|vnw)|d(ahi|gbj)|m(pdd|tuf)|k(jpm|zzl)|wnpk|oacu|n(kkh|bmt)|fkon|i(j(cc|iw)|vhq)|teml|r(nbs|kfs)|sbhe)|v(vcmj|u(gjo|afg)|qwnk|n(eqa|fic)|rntw|g(pen|xjn)|pqml|ifxy|tmmr|yaik|lzlu|kiup|drvf|jqxv)|k(b(kye|aho|lnr)|o(ebu|zxs)|n(aan|svv|qih)|rlte|vgat|lfyh|s(elz|scy)|t(rxg|qou)|j(mcd|qfb)|kqry|gafv|doov|hikq|xaze)|l(p(lbs|oio)|ladj|g(xpw|dqv)|zniy|qaeu|u(gfk|qey|uic)|jcsh|k(izq|eeh)|duzn|hgiy|cpvk|b(kdo|ffj)|wjng|xdif)|m(n(uco|zrv)|hsii|weyh|reju|zicf|q(bxo|yiq|rye)|mxen|b(nfa|spx)|lozz|xtte|segb|yyjg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633010; rev:2;)
# sid 2633011 includes 790 (601 - 1200) 5 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: "/(j(hauc|e(uwy|voy|nsa|ryc|khb)|y(snu|odq|nyv)|zjbm|r(tpu|ykw)|s(pva|unu)|bwhs|iupm|l(vop|jop|cry|bnx|rzp)|q(ggk|cwu|fkt)|uatw|n(ecy|afl)|xpjl|wopp|jugk|f(dgj|iqt|sgn)|vxkq)|s(r(nbs|kfs|tfy|rbu)|i(vhq|j(iw|ck)|pxb)|e(bmt|iwu|cvr|reb)|sbhe|nbmt|ctqy|m(tmm|yrt|zib)|b(etm|hnd|nqy|diw)|a(jug|pym)|oo(qb|ok)|latf|xeuk|wvte|fvwp)|e(yoja|w(nvb|vpc)|gfsp|rvkd|c(urg|efw)|vyxa|f(hqu|oln|m(qn|oj))|kwto|a(kbo|gjg)|e(zlw|sqo)|x(kyu|lut)|i(efy|oin|zeu)|s(czi|oyg)|q(tti|mdr|cyi)|tfma|j(rfn|bcd)|mncr|p(gcn|ddc)|llpp|heba)|c(fqsy|g(yna|brw|vgv|fig)|w(uee|rsw)|rwmw|n(uxl|wlx)|p(bvv|dzz)|h(mvv|pkr)|q(kdd|ntq|gux|zru)|i(hkn|xth|vjb|qyp)|ygor|z(xvx|ogq)|evoo|vngf|b(bcv|uet)|u(xgu|bcp|fyk)|jquo|lgvk|mvcu|arkv|tevv|ooec)|r(qzjp|zick|x(tyu|sdl|dbu)|ywsx|e(cpd|ugo)|j(lzf|jzj)|onug|l(rtx|vta)|b(sqz|zhx|yzt)|w(rlj|tnw)|h(tfs|rta)|rdec|azhd|pbna|sqdz|dduj|kgiy|nspg|vqug)|h(t(frw|v(mv|xr))|zwsn|s(wpz|g(ml|ci))|uibm|r(xmf|odt)|q(nlh|tay|ktl)|k(njy|zsu)|y(rwe|awt|sdx)|anra|m(flj|kfb|iuh)|jspt|pqve|brfm|x(hdi|krr)|ijxd)|d(o(yxy|dsk|iue)|b(vzy|exz|kqt)|d(ayy|hxq)|u(edu|jjw)|p(gjw|ihl|ohj)|l(bov|har)|a(fjw|nzj)|x(qng|puq)|c(eqm|fd(h|v)|usl)|zpsu|eyxt|tanx|m(gsn|kdt)|kifh|f(nod|hon)|nfgh|wqdg)|v(yaik|l(zlu|vpq|qqi|fpq)|k(iup|tvr)|d(rvf|jeo)|jqxv|v(qsg|ylq)|mxrr|o(ugf|kgw)|wmoe|f(nqr|xmc)|h(rmi|kbk)|r(xns|huj)|szcf|payk|xuec|nsmk|cltf|qrka)|o(famu|kggv|n(aet|vgc)|i(oly|aia)|ebio|w(sgf|oth|c(pa|vq))|ao(go|ef)|qqmd|m(gyd|mqp)|z(qpf|gec|i(jw|el))|csju|x(tkj|iru)|h(ygp|mja|cnt)|p(cvz|qjm)|dxxu|udbz|sfzu|g(hns|xdi)|v(wwb|xhc|jca)|jmno|ymxl|rrvd)|k(tqou|d(oov|yhq|nlr|zlw|smn)|h(ikq|fnm)|b(aho|lnr)|ozxs|xaze|sscy|arqt|iqvo|qciz|c(abe|csq)|egjy|wvbl|lwzv|g(bud|f(ql|ux)))|w(b(ydt|hfp)|z(ygo|qcl)|lojs|nsxv|xzrb|k(hxp|ngw)|d(eue|aka)|mf(oh|zg)|stne|vvlm|a(nml|gik)|h(opr|nhb)|fqox|wxhi|twhs|ejfc)|q(g(ufp|ami)|q(rzc|t(ry|pr)|sam|odt)|wtno|z(jky|xki)|k(cca|str|qbf)|h(pam|rnl)|prih|sajb|ndej|t(qwh|fhi)|dcxu|oqte|j(dhj|uxs|lap)|ysvx|uvmg|mwow|bjqs|auvr)|g(e(vyf|zjh)|hknr|u(khc|lpg)|rxao|pquj|m(xds|dfo)|q(yod|alp)|n(bvo|jtk|cai)|y(dqd|jat|vae)|f(nlz|vor)|x(iuy|eqc)|tffq|jdhg|c(jzo|fns)|o(whx|vrv|uax)|z(lyu|zcb)|vqed|kowe|gcfr)|n(fyic|owlk|k(tik|ftq|nnj)|tvbx|l(phu|ogc)|admw|qbla|h(nud|ibb|lhb)|y(hfo|eao)|xdms|w(qvq|zrz)|c(zap|nmr)|z(jsy|l(wa|lv))|pqmm|u(hai|vli|zzg)|rvgb|sles|nmzp|iixm)|p(c(mmx|roa)|dyyz|a(ghi|hvx|nuk)|e(waj|cwt)|z(hch|cfp)|i(gqi|vgk|lai)|v(ppk|lot)|pmqr|k(lrh|nqm|knd)|tclp|l(ikm|ttq|efu)|mdrj|f(hiu|nuf)|ujri|n(mxx|fdi|ylu)|qfux|wvjz|blvm|yjqf|rnpm)|i(t(mvh|jyb|igu|goi)|dzgd|l(drr|qfn|yzu)|i(nmy|wdg|cnd)|y(vdt|tiy|zcu)|f(lda|tqv|ebp|ftc)|r(lgq|bwm|wqb)|n(fss|iui)|mwal|k(hgl|ame)|j(nzq|fyq)|s(kpg|prj)|v(hiv|guk)|qabz|g(lxd|gos)|ehqa|beri)|f(w(xvu|oag)|j(sxm|yev)|r(smd|eum)|a(oki|ewt)|x(upy|tjw)|uxdf|dqwh|f(tbr|vfy)|shhj|nttl|e(xmm|cmb)|vmer|kjnj|cnww|ieda|q(zba|gud)|ywch|o(xbb|cbk|qse)|mgxw|hcdy)|t(qfeh|mjwu|p(esa|ije)|j(owp|x(sd|ek)|zjd|mey)|vnew|e(mct|bog)|g(ypt|gxy)|leig|dzqo|i(wlo|hhw)|w(chc|d(wg|jc)|wgs)|yhih|crat|fb(my|gg)|rvod|ugul|kpvf|nyoe)|l(cpvk|b(k(do|yg)|ffj)|w(jng|k(rq|bd)|wwk)|xdif|v(vov|bys)|htfk|iwpt|r(jfg|mbp)|pghn|y(glb|eql|tqj)|smjt|k(bda|rro)|teiz|jslt|aukv|qiqt|zrce)|b(r(cjp|fiq)|i(qfh|bfb)|d(vve|ikm|leh|apl)|qsuf|h(kuk|qvn)|t(leq|ivy|xwb)|a(klx|csd|lrh)|n(wap|rtn)|yujd|x(yoc|ssp)|kadx|z(aft|eyr)|o(jut|new)|jwen|g(rjv|inm)|c(cfk|ehx)|urna|mrkv|bobn|f(sjt|xnh)|lbtg|e(sgv|zpx)|skux)|z(pbij|b(our|izg|fkd)|neiv|o(evy|ysz)|a(nru|lmn)|x(bjy|krt|muj)|j(aqi|ncr|raj)|l(vwu|edc)|r(lan|ugt|q(xa|zd))|hbwd|vwra|w(gem|jum)|ihsm|coue|qoot|eatp|ttrz|umac)|u(kgiu|q(yiu|pol)|y(bzl|fcs)|oozo|n(uco|xou|ics)|v(aur|nwv|fyv)|t(hot|azo|pnc)|mqcy|e(lui|i(rp|ig))|zddi|xgks|iy(mm|zi)|swtz)|a(s(kee|qrh)|nnyh|hasq|l(ner|jcj|xwa)|qerd|z(aiq|eto)|tldi|diyz|prcn|g(szy|epl)|o(pyy|yol)|x(tsj|kpp)|mjmn|y(zdg|lih)|cvmj|iwxu|ubes|kflk)|m(xtte|s(egb|hxj)|yyjg|bspx|g(vji|ygu)|felr|m(scq|uam)|z(pmf|iqk)|hjqp|cgqc|utjj|j(heh|cdc)|ejkx|acrw|rous|pfmh|ormz)|y(u(lsm|for)|q(hwe|taf)|t(voc|ozy|pfs)|p(atx|evj)|dckx|z(xlo|ojm|ytr)|b(hgp|iqw)|g(xdl|zos)|a(jkb|wby|dzo)|flot|lrzf|rzoc|osit|wker)|x(s(rca|h(zw|ge)|gtu)|o(bmp|nyr)|a(htl|ksq)|w(m(xz|rl|vu)|dtx)|z(wkk|dek)|r(lnw|cgd)|e(tya|cbu|shl)|j(iqo|wwi)|cryy|i(sqm|oxo)|nojz|qujf|pcum|gmia))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633011; rev:2;)
# sid 2633012 includes 190 (1201 - 1391) 5 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.biz)"; content:"|05|";content:"|03|biz|00|";nocase;within: 8;pcre: "/(t(kaxi|diqx|bbxk|aaeo|yauw|ucml)|m(cmpz|mgeh|gikq|yzup|xhhd|kotc|uhjl|voxa|bshm)|n(ufxj|fioc|k(tov|qwx|nan)|hajj|ylcv|axrp|ghya|jsfb|tyrz)|u(ehtp|nfht|shqd|chsk|zghn|tnhr)|h(zmvi|bvrw|hqok|expt|svjh|yzfl|tcgj|kmxt)|j(qyqb|mtfd|heru|dxnb|xxfv|tiwm|exwl)|l(ruuh|nlvu|yipb|vbwp|gwfl|excu|bdpe|qliw)|d(yife|c(lks|hro)|t(pgv|kkw|gsl)|bmge|uwyw)|y(tigb|ahxz|qmsm|olej|xeeq|nstf|ybpw)|k(l(usl|zne)|oi(kl|ts)|n(tkt|wqn)|seyb|y(ozz|krm)|hlnm|zqfk|xtrl)|v(youm|qcnj|hqxw|k(rbm|ymg)|r(tfw|qmb)|wtrn)|b(s(eos|ieq)|b(cxb|yme)|qypy|yvfd|umtp|m(zfe|bfv)|crxm|tosu|xxos|wtfe|diki|vmvl)|z(v(odo|smn)|gckf|pcgy|ilaq|qzzw|codl|lmze|xqpy)|c(ktbq|nskh|foyp)|p(t(xwq|ali)|pmjl|cnsh|qxhn)|q(dwrn|nzgd|sjnu|gxzc|avnf|ucho)|i(vwxh|wrvm|toip|fdtp|nmhy|eyjv|odir|ucpb)|w(x(ldm|pkp)|zlwb|vzcy|gclc)|s(fa(yx|jp)|orjo|wirg|nknb|yuaw|huts|gwck|xmjg|qpxj)|x(jbbh|vjat|aikl|fsqc|whvk|liri|rcvf)|r(ziel|mooo|bxvq|wojw|lcwm)|o(omnl|yozi|feob|imlw|qhiy|szvd|zreq)|a(oanu|gkle|xtom)|f(eyfq|fbcq|yjuh|qqfa|pwcs|ivll|cxzs)|e(ghho|shbv|isdj|xjnr|onif)|g(fpis|gazf|l(qlz|erp)|jamj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633012; rev:2;)
# sid 2633013 includes 600 (0 - 600) 6 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(m(macjd|h(giyj|quwl)|v(yxcz|achz)|d(rhkn|lxkv|hrex)|odaet|s(cnqt|xsdu|pspl|vbau)|ugzix|g(ikfg|oftz)|bggxn|e(bvxv|luhz)|nlmir|p(rtuz|jxjo)|w(jrwv|tblo)|z(dnvv|lbzd))|o(x(gcxl|pfwt)|qhhii|nhoen|g(oyws|lyuu)|mnmnx|acqkb|y(ayui|rnps)|r(pgtn|amka)|zavqi|usiry|bmaqa)|r(u(fqhx|edfb)|b(ifty|dvcb)|h(hwlj|nssa)|i(akyc|tdxs|bkfs)|j(fdtw|keec)|c(mzvx|kfiu|jxrn|rora)|f(gkiw|kmmz)|g(clou|xudn)|pcido|awztk|rlmnb|x(czoh|jgfv)|mrhxq|trqsk|yperz)|u(gkmfn|f(kftx|jceh)|w(gnac|eosi)|ohlae|p(lniy|okhu)|n(zcbw|xekn)|etvom|k(snjz|tqub)|mvcnk|atrpa|c(jbul|wmld)|qiypk|rlnhi|imavq|jhuqe|srfzd)|b(g(crzv|wiyn)|mihmy|p(blrb|yrcc)|wiogf|hjzww|ruids|ckmuk|x(ocwc|yqhg)|sacdx|qmbmm|a(fxft|vjmm)|zujkx|o(qtkl|cqoj)|jvzea|n(zjab|ibzk)|vfsau|utadx|emebn|fesnf)|x(w(tfxz|sifg|l(bdo|ppx)|eric)|g(qobo|hort|amnx)|o(mlsw|gwit)|avltz|p(dash|mjse)|lqmcl|yhdeh|tpkwg|hjulq|kiupl|r(rccq|jmnv)|zhksy|egrty)|z(e(gjit|tuoy)|l(lecr|imbh)|dnebe|p(vxqs|pknd)|bxvpi|x(ffyh|spzq|kpaw)|v(drjt|yqjl|ccql|edgo)|q(hlux|csru)|mhtjx|uvinz|o(wxog|ytnj|zytj)|hycri|wpnyf|nkvuo|jpsyp)|t(f(yobg|bzie|ripy)|lgors|k(egvj|jkis)|g(yavg|vjkb|ifef|ddog)|v(avxm|soay|bnic|okar|efld)|a(mspn|izrn)|uupyd|sxacr|tfwvw|qmudv|w(ufhs|eupx)|ptllc|ehimu|zigrx|hhfep|dmvyp|xvehk|bryca)|p(vbbml|h(zkji|fqrq)|nqmny|i(knal|ekeh)|o(wvtl|snfh|otir)|y(xwti|pelb|ufhp)|tpghj|z(aukq|cbma)|snqyg|lbaau|exlqs|u(gakp|sqaj)|qxmda|ctiar|bnvxc)|c(x(gdjx|hvwc)|cpaxc|skqjz|a(bbxx|pmuz)|hfmlz|m(qcjn|dnnl|rhpl)|jmgrw|y(iffl|qunr|xbot)|knfce|f(smhu|ebgt)|psedw|i(hijw|dlfq)|qbpyr|ooxgn|rkjjl|nakvb|betoe|wkdol|glhmc|tucrn)|f(p(ykcv|cugv)|o(anlc|tbzf)|aphym|m(wvoh|dvcc|ndch)|jsgpc|crrym|uhxoh|n(sqdq|ljdc|vssj)|kwwjv|qehbw|lnwce|g(oioi|ethr|lnnw)|yabjg)|e(h(aevv|jioe|nfbl)|ahoif|lsmmd|k(uppo|zofv)|f(vxvt|lwyo)|iwwjl|d(wuuz|qaaf|phwi)|o(bjpf|ebky)|j(qlol|xbns)|brisv|z(znrk|qkpe)|qmmhb|nyhcn|euynx|ukkzq|p(lewp|jnjw)|wlele|vpqth|sumyy|xwexb)|q(wzxsg|r(cfsw|shrz)|hsbya|ltlle|bgczv|j(oerp|begq)|v(tbjp|hjom|gmft)|pfrja|k(porg|mmvy)|zhhyk|gj(ivn|kwh)|nolqf|oaifu|shmhb|yfzog)|l(q(qjcv|eaur)|n(zqmj|igmu|nfzd)|w(ncni|zvfw|vuqr)|ifvos|k(yldt|vqnn)|z(g(dmn|yhp)|qkdt|jvrl)|v(mlii|wgbr|docf)|otmaw|s(qbwd|bjqz)|crrmu|eddyu|jeieh|rsxxo|darbp)|v(izkby|v(jxhi|qfgb)|elmia|w(qpxv|xcsj)|sbmvy|j(ezon|awzd)|r(jgch|fxnw|vdaq)|ainlq|yfcqj|zbbtg|flnvc|dnukj|obref)|j(ciodb|t(vxrr|meub)|k(wzja|zocp|ukfr)|albsp|mfbpw|p(ozoa|xhkn)|z(xnsl|jngj|knoy)|suqyw|e(fvmg|pfle)|q(gfpp|hppf)|wqcnp|vomwt|bqkym|hvebm|fmcij|lbjna|daydk|ozrnj|jfzgr)|y(x(uvuz|ioak|rmpv)|gadye|wfiqj|b(rcxi|eutu|vegr)|v(wbna|efck)|nyyyw|m(nznw|urba)|o(amfj|oukx)|froah|kggff|zywkn|tvtst)|w(axtgd|g(cfmp|aqvg|rrrr)|ysdqf|p(rylk|jgqj)|s(zzdz|hwag|mtoc)|r(qasz|mdsw)|lyomq|mmxve|cetha|zxgrd|nvjrr)|a(pniif|ugiad|h(druw|voeq)|qduaa|e(txyi|fyia|czbt)|vvqdh|bnixi|s(wnel|iyvj)|awxmi|f(lhsd|cslr)|jrmwk|lgpqu|rrjda|ijeso|cscle|yjkda|owbgh)|k(j(ywti|aqpk)|v(olsj|fmoi)|avfqx|fgbrq|zgspm|sqovp|h(ebrw|srdf)|usozz|ooygi|dffso|qfhsy|yviqb)|g(nkekh|b(owgf|ddty)|vxwto|qmgnl|o(rfdd|xsge)|czaxe|shevk|jpijt|a(lpjh|qcqj)|iwgsy|g(jwkr|wtku)|p(fcfa|azci|xnyp)|eeknd|xmc(ki|ro)|wcffu|upaqj|mxtwo|rvcmt)|s(d(lzwh|ufko|hptk)|l(thso|zbqd|xncv)|e(xgea|ijft)|qrkbx|vrxte|xengj|gsrqw|cskkm|mrkfu|wgshq|s(gbjj|jafq)|axvxv|igyyi|otwuj|hhytp)|h(s(lluw|asst)|p(aunp|fhqs)|ljlty|f(lfxg|xpxn)|wyfih|r(icxh|hcic)|vvrxt|q(ipgw|b(kvs|cbc))|m(vddl|cmzo|uaoc)|tzrcd|ybrmx|dedjv|nywnb|gmbdo|xybvb|kktyh)|d(m(xqxz|ifek|wqqp)|i(ihhc|lgws)|nvqdh|dyhfp|ogrpk|lxnrj|k(yzks|hhle)|t(fbfa|memi)|bvpko|qxgud|hbbru|eilhf|p(yogn|qiwe)|jtffj|gypgz)|i(q(dmye|wazb|ghls)|kuclo|p(befo|wrtz)|mvqis|ifbha|ebyty|jwepa|zlplv|cvdbh|s(fiya|qkxu)|l(wnlu|shig|hmxk|bjsu)|h(kiyj|pvrw)|grvkc|o(lcpc|tztw)|xmvfz|rplfq)|n(k(rvss|dpst)|d(zkya|ngud|ttif)|jowau|l(hejc|rfmv)|gujpr|zpwms|p(vpno|snww|gjic|fkwq)|yiknt|ulibe|wgsll|rupvj|ikleb|hkvlp|muenh|x(eicj|rqme)|ceioi))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633013; rev:2;)
# sid 2633014 includes 832 (601 - 1200) 6 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(f(lnwce|g(oioi|ethr|lnnw|qwnt)|nvssj|mndch|y(abjg|ilkx)|kxesp|i(lprn|ngwr)|uskst|b(tmbk|aluu)|e(ihfk|lgvj)|j(zeir|auxq|ygro)|c(hclx|urno)|h(gnow|wxfk)|qggep|xhxnr|vbkfo|pxvmt)|v(jawzd|v(qfgb|mlvm)|flnvc|d(nukj|yeak)|o(bref|orgv)|yifpm|bdeoe|kqwno|nslcq|a(wrkb|xajd|aiqb)|gffnz|m(cxcq|pshc)|ctvab|r(gcqq|ogcr)|zdjca|todtd|e(leze|owia)|wrnig)|k(dffso|v(fmoi|kfer)|hsrdf|q(fhsy|wcuo)|yviqb|c(soeo|tlzl)|gkbub|k(mexb|pdlp|nksf)|zidqz|wvbyy|aakdh|s(zxnb|ryyy)|fazlk|lg(ukm|hsd)|n(htgy|mczp))|t(w(ufhs|eupx|iwmb|flic|zqud)|g(ifef|ddog|snxc|xlmu|kvpx)|p(tllc|yrrq)|e(himu|fmwl)|v(okar|efld)|zigrx|h(hfep|bdwf|twzv)|a(izrn|zrfn|uozf)|d(mvyp|nowl)|xvehk|b(ryca|galy|aqij)|iflbm|l(nkbp|xqvh)|n(ewxk|uvbv)|s(dxhq|tbsg)|olyax|r(rrnc|lptp|gqnp|jamz)|kvzvh|t(rpmw|xhxf)|fckjz|cygwe)|s(l(xncv|bops)|wgshq|s(gbjj|jafq)|axvxv|i(gyyi|mtzt|l(slu|aev)|uaeu)|otwuj|hhytp|z(fdxu|lazr|rmir)|ydhaw|rvzov|j(fszz|strg)|gfjwz|v(efvw|tqtw)|k(hbuv|ofoh)|mrmph|nqcko|exgtf|pwwps|tbjdj|fktze|qryjs)|p(yufhp|e(xlqs|stts)|u(gakp|s(qaj|gla)|blkp|afyf|zhyt)|zcbma|h(fqrq|wlce)|qxmda|c(tiar|ifhp|qjhm)|bnvxc|v(omgw|vixs|iefl|psze)|axlme|mtsyd|fdgmi|s(spay|qzul)|n(ylzl|qklh)|i(nfdr|wqmb)|pmebq|j(ydwv|sljl)|o(yaes|ommc)|xzyni|d(e(jiu|tpf)|lepl)|ronke|kjjaq|t(kkbg|qxwu))|l(s(bjqz|xqhb)|z(gyhp|jvrl)|w(zvfw|vuqr|bwmb)|r(sxxo|qyiw)|n(nfzd|fvrt|dbxw)|q(eaur|wapn|dtgr)|v(docf|izwj|pmff)|d(arbp|wpag|utfu|lzwp)|ynfli|xidpg|a(drrf|hdir)|p(abdl|ipfr)|t(iwzo|qvdz)|hsruz|cchzc|e(t(msb|ojv)|hboh)|g(muli|qiyj)|bdonc|jzfig|k(qvzd|mbkb)|otomi|uhrxm|fouog)|y(o(amfj|oukx|ktrc|ufug)|f(roah|sovu)|k(ggff|zvfu)|zywkn|tvtst|r(acds|cuhc)|dlcvk|u(uiuv|vmnt)|n(ucyn|yqin)|hvkzc|pafni|gnhbr|yphyc|xkezo|jdurv|eecsg|brkjd|ixpcs)|z(ppknd|o(w(xog|nky)|ytnj|zytj|hcke|tbkn)|v(edgo|jgbb|gbed|dwjg)|hycri|q(csru|qmwk)|wpnyf|nkvuo|x(kpaw|jeva|ujrc)|jpsyp|r(eehw|vcaa)|kxwbr|drqvk|y(hmsk|ronm|qmjc|jrdo)|c(qbrh|ivil)|zrttg|ltyhy|axwoa|sxrkw|fftai)|o(r(amka|ugjh|bihd)|u(siry|vbxu)|glyuu|b(maqa|gmcn|zryf)|t(rmcj|nkue)|aonyt|d(jwef|xyun|cxlh)|safnw|f(xtfb|fwds)|jhkcd|zodvk|qnvjy|pzetf|xynso|ipqny)|x(r(jmnv|nsrv)|zhksy|ogwit|g(hort|amnx)|e(grty|vxvx)|d(dhqh|uqzz)|bdrew|a(bgtm|afag)|cpmja|hognj|t(qmxt|fyvy)|veewl|ypciw|nirtk|qmaml|xojfi)|g(o(xsge|hzzh)|w(cffu|tvgm)|xmcro|upaqj|m(xtwo|rgrs|bjkh)|rv(cmt|jfz)|lzkrf|j(zqvx|jzhn)|z(hpmn|dqgl|ftox)|heeoq|ftuvy|pxnut|y(fwwr|vwqv)|tdjjg|diqeg|c(dqdb|vgzm))|h(dedjv|q(b(kvs|cbc)|pfpo)|n(ywnb|ufsa|nyof)|m(cmzo|uaoc)|g(mbdo|tasj)|xybvb|kktyh|rhcic|p(fhqs|adqj)|ljrou|bqyyh|z(ambh|yezn|dazv|thwj)|onpze|s(ttwx|jrlm)|e(onou|sxan)|v(oejk|rruv)|usaxw|y(zctd|snpo)|trfiw|i(vlfm|jcan)|wuupq|flohr|cxabm|hbesm)|m(s(pspl|vbau)|e(luhz|vksw)|w(jrwv|tblo|nijw)|z(dnvv|lbzd)|dhrex|pjxjo|v(anzr|cols|xapu)|u(olls|uzvt)|iojwo|n(yoom|pjmw)|kzhju|bteaq|ggwqa|f(qxzd|wwxq)|hrojp|t(ixmi|ecau)|quoqy|libfx|mghwf|ofuet)|d(q(xgud|ccel)|ilgws|hbbru|e(ilhf|fbko|xrez)|p(yogn|qiwe)|j(tffj|fqme)|t(memi|ymoe)|g(ypgz|chwz|syaf)|a(fkkp|jpli)|fjphm|zqnps|n(dsqg|tdbu)|rwfis|v(gqzz|qwpb)|oakoi|uncwq|kjsms)|c(o(oxgn|drbv)|r(kjjl|ypoe)|n(akvb|yptm|zvin|vhov)|b(etoe|ljsm|slbb)|m(dnnl|rhpl)|f(ebgt|lviy)|wkdol|glhmc|a(p(muz|vbj)|facc|qyoq)|i(dlfq|gkhc)|tucrn|x(hvwc|jcmx|oyoa|kbzj)|d(zaol|xycm)|qkaop|hxjxy|jndsq|c(sjtb|rxzr)|ylokc|encof)|w(r(mdsw|tznv)|cetha|g(rrrr|shsq|xsen|mfop)|s(hwag|mtoc)|zxgrd|nvjrr|b(sjti|dhzz|tpwq)|m(flxf|z(pog|rfj)|hfei)|wgsxn|x(mgps|axkp|nkpn)|q(cbuw|dcjo|adgz)|yjeyh|oodpv|anolq|lybsg|dplwc|tyxlq|irvge|flpar|klqmk)|a(f(lhsd|cslr|sruj|wazz)|jrmwk|l(gpqu|sqaw)|r(rjda|qoou)|i(jeso|uoyp|aywa)|c(scle|vvto|wirt)|y(jkda|reid)|o(wbgh|ziyy)|eczbt|s(iyvj|xxdf|jvcd)|m(ktpb|akoi)|njcxh|a(umdi|kpew|jqjc|bnpy)|qpjxk|znbmw|gewny|hxuch|b(rnhx|mrvb)|t(euwe|smrv)|x(jukk|qcvz))|n(k(dpst|ctdt)|u(libe|ubqq)|w(gsll|yqlr)|p(gjic|fkwq)|rupvj|i(kleb|nefa|wpmh)|h(kvlp|zfuv)|m(uenh|vqzd)|x(eicj|rqme|bfne)|ceioi|lrfmv|oovou|f(quek|gujq)|e(iejd|fpcu)|bpmwk|z(efld|fyaz)|gkfng|dllmh|sftga|tadwo)|r(f(kmmz|ufvh)|mrhxq|hnssa|xjgfv|t(rqsk|ijkb)|i(tdxs|bkfs|nisz|qfuu)|crora|jkeec|y(perz|ttss)|gmlgd|w(vijj|zxtp)|uuozm|pqcsa|kaeoe|blbpn|ncspe|ogsvq|slbgd)|j(v(omwt|uyni)|e(pfle|efjz)|b(q(kym|hfj)|mvnh|vzbl|dnrq|smcm)|hvebm|p(xhkn|owpv)|tmeub|f(mcij|tngb)|l(bjna|sago|zpsn)|d(aydk|jezq)|q(hppf|zvlk|efxj)|z(jngj|knoy)|o(zrnj|pfoz)|k(ukfr|sqnz|reon)|j(fzgr|dybb)|u(spjk|dsqa|qsxv)|irzez|anvbm|y(asra|rjdi|dtsv)|wyprh|m(fwnt|snwc))|q(z(hhyk|qiau|vwam|bvem)|g(j(ivn|kwh)|btaf)|nolqf|o(aifu|zsfb)|s(hmhb|efiv)|vgmft|rshrz|y(fzog|baom)|kmmvy|pdrhg|hpqpe|t(dsqu|qkus|lxbc)|j(cgxr|pxpt)|w(xxnh|nzme)|a(rode|qavd)|q(sxfe|xpzy|evhx)|u(atov|vcim)|dvuai|fjgji)|e(p(jnjw|igog)|d(qaaf|phwi|igne|sehi)|w(lele|ntxd)|v(pqth|trvp)|jxbns|s(umyy|igvt|fytg)|kzofv|xwexb|o(ulto|ypjx|hayc)|g(vums|gbxd)|qytqa|u(wdpg|ouok)|nliti|hnswk|iiorz|flqgu|eztdb|lhasi)|b(v(fsau|biiy|y(koi|drv)|elmo)|xyqhg|utadx|emebn|g(wiyn|fdyh)|a(vjmm|javn|utlv)|nibzk|o(cqoj|rmze|dwza)|fesnf|c(ulth|omcg)|w(vesq|fdlm|c(wdy|ssx)|wbdb)|ydcyd|r(jqym|hpzi)|mmcio|l(lowh|djdg)|dmhyv|prqdy|haaej)|i(l(shig|hmxk|bjsu)|g(rvkc|kjsl)|o(lcpc|tztw)|xmvfz|p(wrtz|hvsf|legr)|s(qkxu|azdf)|r(plfq|lkve)|h(pvrw|uppv)|kjtlf|apfto|qrtfq|w(fygi|qyrm)|f(cgzx|ilpb)|v(ncrh|fazy)|nbcfv|mmwfp|ywcql|ijxjc|jyckn|zyjvg)|u(j(huqe|kfvi)|ktqub|s(rfzd|qjey)|p(okhu|qero|hwib)|lcadi|qoinx|fboli|rwlae|cssfl|mcntd|nsqad))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633014; rev:2;)
# sid 2633015 includes 232 (1201 - 1433) 6 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.biz)"; content:"|06|";content:"|03|biz|00|";nocase;within: 9;pcre: "/(c(ctrkf|t(qzbq|xcgs)|rbwqm|nbotx|ozrdj|jiqxz|xblvw|bbrgy)|v(aaswk|vfpqe|rhstj|buhfv|wawpz|cxkxc|gklkr|fflry|xtasc)|w(baoyu|t(blid|azof)|zvxjm|dqtgm|fjmkj|mrucs|hjiia|isxfo)|j(cmtsg|jjwau|z(zzuh|nhof)|kvzls|axgpo|houed|lewvk|ttoyu|wcuwz|ijndu|yewua)|i(c(cmst|ofko)|yvtjd|ajfaa|eelit|iqybo)|p(pppzv|u(veqi|ccqn)|zdivk|arndn|csgzu|qoznf|sxfut)|d(n(plzq|twfa)|pdgks|uflrd|s(akgd|sohx)|blfgc|qlpxd|ysphw|ayuga|vckco|krcjt|xmwlp|hwioz)|h(dj(jlw|cav)|acutj|u(pyib|cnou)|wzjsw|xdnqu|jwkml)|b(li(yen|nvc)|r(bevc|kqes)|mimdb|thjyx|zqaeb|wklwi|sakkc|bzagk)|y(zdmit|pdtfc|nieva|jwufp|knoaf|qwzhf|yvxvm)|l(jhypz|ycade|ep(gql|xtu)|keivf|wqnpt|texic|fnthf|awvmg)|z(qfxuf|iqxga|kmpvg|gryox|pefzb|dqegb|aqejt|hwgvr|ntzzs)|t(bbelo|s(muns|qsgh)|wfhtb|yybxh|zvnjn|oscfb|ketbp|dnhqr|mqaze|ugfzu|eyzlf)|n(g(bedm|nbcq)|uheoy|bwoyo|qnnbg|tnenu|pyydt|mepnc)|k(u(gfvf|choc)|obwkr|vwnhv|rlpwj|t(bdki|odeu)|qhfle|ynswz)|u(weuyv|n(avry|bzuw)|guead|epswa|zzdfq|p(adwd|lvdm)|ancgh)|q(cayiq|igurl)|x(q(rqdv|xtaq)|kcjbz|pckwj|edecd|ytjdj|h(jhek|davv)|vpmkb|zephp)|r(flzoi|jahvh|bwckr|rvbhz|qqzyq|anojx|tormz|ioirl|dunhk)|s(qrpqb|f(txrh|pudo)|mtlon|aoqhw|ioyox|dwgqw|e(rhov|zdkb)|xaeoy|crceu|yeqdf|hgeln|wtwzl)|m(awust|wpzud|jzquw|sbhze|kahse)|a(xthbs|t(r(eqj|jzh)|qmqi)|e(xgcn|hhip)|socxh|bygsm|hxsuj)|f(alboj|bdksv|rrjns|ijzjm|qweir|v(hkde|rdiq)|l(tlgu|zdnj)|opkgi|xjfst|hbikx)|g(jwoen|ittay|y(njep|uyyx)|trapb|f(mtdx|hofu)|dhflm|wckiu)|e(nmmka|ethzh|vrnhl|lysgv|husnm|kgqjx|dlowd|wteot)|o(f(ouzq|rhbb)|uimco|oydmg|tccjy|adebo))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633015; rev:2;)
# sid 2633016 includes 600 (0 - 600) 7 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: "/(k(ufqvqp|i(i(gqua|zbjh)|gtxph|stbbm|loqvb)|vrkhoq|e(hhcez|evtac|ccifq)|tovaff|paxwhd|bfzmta|zgcpgr|hpblze|ovpbbr)|w(i(uhlpp|fftdr)|e(ceqwu|emkab)|vvjssm|r(smdao|wzywr)|y(zhajc|klkee)|a(piyqz|lthkj)|ccyjwg|nenpkl|pavbpy|heyhyd|krjxsn|fzrezm|z(ioiet|jttec)|glprna|q(zhzyg|uheob)|jldonu|dpanwp|bfkoor|moucdp|wnynjs)|f(j(oqriw|vggzo)|b(dqqce|wulcj)|q(nxcrm|orwos)|g(lgrla|eildg)|o(gnsqw|flsyp)|s(ymzvd|nonid)|iskbau|w(fhumc|bvbic)|xmfmnb|v(r(armj|cqnx)|mktdy)|l(mzxde|renem)|u(fwlds|jhwry|yublf)|tctzhn|y(vxdpl|kokzx)|hxehex|rxwpkc|akjaab|fzpxmr|elwkds)|l(p(clfzr|tyvvf)|dziqmb|tynxjc|lvtskl|ilcsvs|b(luhbe|nspnj)|g(xscdh|dnibd)|jm(mtmk|vhit)|vxhqmx|rbmaqo|c(reqjx|otclj)|m(blcon|meter)|kekupt|u(jliei|xmebo|pgcab)|y(rjdqa|jfyef|ujfjg)|n(xowfe|jakgb)|h(ujhva|yiyfr)|xmcmsb)|q(v(qrlrz|bicpl)|btxjcs|ovykln|xxnysg|ggpfjh|r(tutar|wtedp)|js(zuaz|houa)|l(mtych|dcpyn)|w(giirv|coujb)|mrjmza|caofoy|ztnhch|ynyekz)|v(ckukxu|wrovdo|r(levzj|uckhd|ovwfz)|yeribs|z(qkbzj|zhznw)|k(ggvpn|abeoe)|m(jbsoa|heciu)|vrxxrb|heckbo|ngwals|qntbpz|t(ojrhg|gsuoy)|ldpgud)|o(r(wilej|ouaat|duqxn)|t(vphcy|khifh)|k(vffeu|hikgh)|l(bnkpt|tsccm)|s(ghxer|vpweb)|y(zlqcb|cmpab|iwwin)|m(wyymh|akefd)|npvphk|ezvovn|zahram|ipltvt|vi(wypl|scgi)|oqthwn|uvtxea)|y(ahehfd|p(euhun|wfrcq)|l(bwswb|pevso|vjxsv)|n(sqjha|meiwz)|mdyowa|t(gvqzi|ipwra)|d(bobxc|ohsek|ubtwx)|s(tqrmq|qibdd)|xlbhbv|i(jxxuz|gjmzk)|h(vrjzn|gniwa)|gsylji|uirssu|qikohq)|r(a(iafas|ybifb|buobh)|h(vuuxg|dewih)|s(ovacg|kpdij)|csqguh|rwkuzl|qjvhum|mbfthp|urlsha|koesxw|b(wuyob|bvnfh)|z(nslgg|bytcy)|gioeph|xurhvb|driyum|ydfsvm|oczyfg)|e(g(ngkca|mlkqd|utgkr)|i(dsayc|kansq)|e(gbzkn|ulxrk|awqlx|hwlqf)|n(maegf|prbdn)|h(jmzsd|uwzsv)|tustbv|zvrjip|vdrevj|marndk|f(gegbe|lxmus)|dnsjlb|utssdv|p(dglia|mlehs)|wwclmw|xngczg|cetffo)|d(fhpeiw|c(ovhom|xyomo)|z(ystty|iyilu)|xialqc|m(lvbrr|qpvzy)|k(rhrtf|ankfs)|rjukst|vgkywo|bnwpqk|ihhphm|dokalv|n(tkckb|j(apkc|jhjd))|lenyib|auexme)|c(lmbybu|flzxlu|z(qrird|vgrxp)|k(iqbqy|kiswi)|erwsrh|bikvml|czwxhe|hcflaq|atbukp|imqkah|oykkym|rdraog|jyalaf|votzgg)|s(zpwchg|t(jmumm|eybhc|wyxzu|iueoc)|ri(gsqf|vyhy)|c(ynhdk|oixbo|mljdx)|ktceyp|b(zfkuv|ihqmi)|mcoihb|pgzvto|u(wpqts|nvyaq)|xosryq|gmpoev|iczptu|f(cdipe|evggo)|njvlsa|l(eksch|kgaxg)|oztlgb)|m(wrognz|cddeko|l(witfq|xqtmq)|rbqvtx|apcpgm|uyswws|i(lluvt|ocjhp)|q(altwq|oesxg)|zunech|h(hqdul|rgvct|ldsvb)|g(sfxyn|icjhe)|v(ngsie|ddhve|amtzu)|fuufaz|n(e(nsoa|xtjl)|qrnmb)|dueygc|p(cfeea|mjsop|vygak)|knthqn|ecraed|yshtqz|mrgjsg)|z(t(adcfl|bawnk)|n(igabm|xqnfs)|mwjccu|c(ncung|mrirb)|h(nekwi|rpzko)|dnmcwv|vsigsx|ylbbbm|s(hhqtf|aelhc)|x(gyxbe|lpnul|jbzoe)|a(xvyfm|rhpxb|cvkxn)|onaqkq|blcucg)|i(x(rygzi|lcitm)|z(ngysv|rxssv)|e(gnaiw|tzanu)|hnjrin|rpnuac|ygvlcv|gicuhm|qeagxs|f(aevav|nvpdn)|azwnlt|wkdaxr|vyseie|p(bjssj|nqwqa)|cnwzhh|smgegj)|p(y(koxyb|wctbg|aiseg)|popkjq|s(yglxi|xdbeo|mmzmq)|r(avlff|ehdnu|uakji|xyzer)|f(dkddw|orxas)|n(ygrre|plsra)|w(gojac|awqxu|nqzmb)|i(qgrtb|utixv)|acwjnj|osrhrm|lkbdyn|hisgws|xkvhey)|t(u(oujsh|abize|mjbbl|nyebw)|b(gjvhh|aqipo)|q(prutm|xjych)|d(rrcyo|bizpx|gsvkd)|x(tsddk|vhnty)|hcqffj|a(mmayo|oidnj)|rabpgp|l(pigmj|lsgrb)|yvlkvs|fehfbh|g(aisfn|gfaxy)|jbqiap|cjxugz|ocqamw|piitxs|sagmpu)|n(hchtkx|x(atvmx|cnyso)|j(pccal|siknl)|pxdjoa|l(eensz|kptdq|znuwp|mlfwa)|cuxwwd|enqzgj|fkzzpk|kgdszv|vhgklk|guyyzm|rlczoa|q(qlopn|ikjkk)|utnzuu|byxmqh)|h(d(cbtcr|hsmrs|swddz)|ouarwp|i(fkzgj|cbdmc)|vyaxmj|fphpzq|wj(ocib|ahup)|xipivy|y(xwgqk|nxtvb)|p(sibec|hktpl|waqki)|e(lkijx|qduak)|q(usjlq|iguah)|tuqbbb|mroipi|upgyrj)|x(phhlce|b(jmhlx|djhvt)|zmdkry|v(sboth|xcbsp)|jorjfw|fhfukp|d(axxii|mqqvb)|y(tpdoe|cmiye)|syrmiw|agxmbf|m(htdjy|gsjte)|e(tthnd|gytds)|qyzrta|cdebcv)|g(k(gepum|xswcj|atbze|tavld)|r(dygjg|ipxtl|qddie)|bk(ihdq|wdbo)|eusrrm|jwmvwb|casxux|s(xidpi|refae)|v(aomqx|ehyze)|itskff|aqfrpv)|b(izraui|v(filiz|ekiak)|yoybrs|qhtltq|g(xrycl|yzatj)|pvzayt|drgkei|u(cqnbv|dwfdx)|h(rvzmp|vwepz)|xdezvx|cnmxxd|waawpq|mwfdnm|k(tdhez|uxaxn)|tmrtqb|jgvykk)|j(t(hdivt|vqpop)|pjdssy|a(keqsy|rcxck|guhhc)|zrbwhg|ioczsa|j(ppzgn|epkjr)|ybrkdl|w(khpcf|ecdha|wdvid)|n(ixgiw|yfzci)|fnymjl|r(qqnyr|cplii)|l(yldpu|zfgxz)|cvadje|uislyz|kdynjv)|u(vwmcui|z(tjzck|nquiw)|hylfth|j(hvjxi|flwlh)|dregdl|aj(vuil|ostk)|qdakbe|xsxpdt|p(rdtwg|nvgzr)|lktqmy|omy(wva|pvy)|t(pqlao|tlowt)|ydpsav|wmvdsk|fxzvio|c(jyzww|eswoj)|mgkhdz|uayxgq|bhhodp)|a(vlwduq|h(dogbq|nenbp)|x(bszjx|wwkzu)|yqptif|izgnvt|rwwilr|s(cedjb|ocasv)|bqkzgp|znypay|ttausv|fjujsc|pstgze|q(jsgdd|yqama)|gyhpix|u(zxwok|ufloc)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633016; rev:2;)
# sid 2633017 includes 772 (601 - 1200) 7 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: "/(e(f(lxmus|fbmjq)|pmlehs|wwclmw|g(mlkqd|utgkr)|n(prbdn|xjeik)|x(ngczg|klaxt)|c(e(tffo|apbq)|pfdzj)|ehwlqf|jobzfh|myzqiv|l(aviiw|ukxli|tiufo)|s(oeynb|amkmj)|zlcvdd|bvepyz|kspnlx|yrrhem|udkeop|vlupyt)|a(p(stgze|piamh)|q(jsgdd|yqama|ojajo|qojta)|gyhpix|s(ocasv|ujemh)|u(zxwok|ufloc|mmmxo)|h(nenbp|ifaia)|xwwkzu|mgqgie|tbwiln|dhwknj|vnkgsk|kfflsq|nmzpdx|wjvqxm|aweuuj|leqnye|jbcynj|z(pqlao|fvnmf)|eqjrae)|d(d(okalv|sfrgd|vxysr)|n(tkckb|j(apkc|jhjd))|cxyomo|l(enyib|mpqsy)|auexme|yulbna|v(ecfwd|pfqul|bjnwn)|u(vsxim|hbzpj)|hoylpr|s(fquuz|twlob)|t(beimc|ibsvp)|q(zsczt|rsiiq)|z(dxuyl|msibe)|rjwika|gjgkps|kpppin|e(xjnjs|tnywf|wiyab|vtpuq|kuwhm)|bxdrtr|ilaiou|wkgqow|jedoad)|y(pwfrcq|u(irssu|pegsm|vqvid)|n(meiwz|qmbrz|stfvt)|q(ikohq|ggass)|igjmzk|t(ipwra|jwciq|actks)|a(ptufb|ntzlo)|o(pfnax|vglyy)|e(oxgwg|xqvxk)|b(mvepd|ibekn|wirzc)|chuaxk|krnqfk|f(vjtcu|ujkpm)|lhlqva|mmdhxe|jdnsyn)|v(ldpgud|r(uckhd|ovwfz|pacjf)|k(abeoe|wtwsc)|t(gsuoy|vdjug)|awqeil|zmenik|uqrqmo|q(fzxch|hlgub)|v(nwjei|ldmhu)|fiunlg|d(popwc|jzeft|bikuf)|n(djplf|icnsm)|s(ffnzu|cyavf)|mrjdcn|w(leeoe|dkqaw)|iztplz|b(tstnh|vwerm)|xvesdz|ovimmk)|p(rxyzer|h(isgws|szujt)|forxas|s(mmzmq|kwvqt)|xkvhey|n(plsra|vmelx|wsycu)|egxfbg|g(esbkh|mqcqn)|m(njscg|bszny)|aqlfaj|y(kihcm|parrn)|brdocr|pfsimy|djxefs|olvvyc|j(httle|nkqzr))|w(quheob|z(jttec|nbdcj)|b(fkoor|kaies|wuacc)|m(oucdp|hpvtf|biqqd)|w(nynjs|pmfwk)|y(klkee|uyulj)|odjuav|a(rmynw|tpupc|knnms)|vqthkz|sumsfr|ukilaj|xowaow|g(swqfz|auoya|bsftp)|jkqhfi|hbmdcb|lrcobl|p(nrfap|mvptz)|cwugfj|ebmuys)|q(caofoy|r(wtedp|akemx|kzppz)|j(shoua|fxbvm)|ztnhch|y(nyekz|dbqgq|qhohh)|gwlzij|quxzkd|n(kwsnd|zwfsq|yzvud)|pjsvmc|d(rknbs|xmeig)|wafdxm|vfdklr|lxdwii|mhrcfw|xcxpni|utglli)|m(n(q(rnmb|mruq|vxsd)|extjl|jqxur)|v(ddhve|a(mtzu|jflk)|zilhc)|y(shtqz|hcvec|pvmrv)|m(rgjsg|ytdyk)|l(xqtmq|axuza|itwsi)|qtqefk|d(qlxem|oxykn|yewhk)|ativum|c(qekrf|jzior|embyl)|f(dlgsr|kmwbx)|h(tcuej|eifju|fukif)|bzulde|osoigh|xsjwtg|zbwbjy|w(hgxyu|kcflh)|egesbm|pfdkjn)|f(ykokzx|h(xehex|jakkm)|r(xwpkc|pssuj)|u(yublf|lqmzx|dxtlb)|akjaab|l(renem|mykcx)|fzpxmr|w(bvbic|rrchb)|v(rcqnx|vlbkl)|e(lwkds|olvfh|hmefr|avwgk|mhsmv)|qorwos|d(pnoil|rllbm)|bntvad|m(naxpa|ujkhl)|s(vcjsb|iuqal)|zhsrcs|gdymnj|tucmdw|igftqe)|r(g(ioeph|bokae)|b(bvnfh|kayiq)|xurhvb|z(bytcy|txeit)|d(riyum|szqwx)|ydfsvm|skpdij|o(czyfg|gligu|tnglg)|mqqiyx|v(dfpjz|t(rbxu|aagi))|ebzziy|ihwsgq|tfgzbt|uzhnyt|hiqqdj)|s(r(ivyhy|tsegh|oeopj)|lkgaxg|oztlgb|t(iueoc|konkl|qagfb)|bihqmi|s(niplt|jhbud|haswt|fvwsx|zmbrg)|u(qiseu|fkibs)|a(ygseq|nnbnb)|guwiji|x(bjylt|mqzkd)|ex(mypz|piga)|yaijvk|f(kstad|uvfhu)|w(dfxny|skjqi)|ckflbl)|t(j(bqiap|tsxja|xfvpb)|a(oidnj|ibpur|wtdfe)|c(jxugz|byzkk|drknn)|ggfaxy|d(gsvkd|ojtfu)|o(cqamw|xnxaj|ftvjh)|l(lsgrb|unxpe)|piitxs|s(agmpu|nvyti)|hvjnxp|rfynlq|khawmd|f(ewctr|djuaz)|bgcgpm|i(ovnkz|qernl)|qierhr|mavvvt|wfpoqg)|x(c(debcv|jgshv|uzipv)|d(m(qqvb|pbop)|dspgm)|mgsjte|b(djhvt|jpybf|ejdbn|vyhaw)|advfdt|pjtupc|i(apyma|hagnz|mfbrb)|w(szlog|zjwdr|heqql)|s(ilpjr|vmvno)|k(zhxjq|rbxez)|t(wqwrs|cxzbm)|feazcc|g(btfrz|jppfz)|n(prmch|dundb|hilwy)|xkapgj|z(mgqvs|eggoy)|umddvr|ebbajp|lryzrt|hdacze)|u(omypvy|bhhodp|z(nquiw|wblvn|tphoq)|ajostk|q(lxcsz|zvutw)|lyhdjg|cdzuyv|nntlys|kmfgbn|x(pqlqs|oedkg)|hrsnjc|g(ezvvh|wwlxu)|i(pbvvj|jfstk)|eogywe|wrapyc|mtzzci)|l(u(xmebo|pgcab)|h(ujhva|yiyfr|nfokx)|y(jfyef|ujfjg)|bnspnj|m(meter|emtuz|ksipm)|xmcmsb|n(jakgb|nzesl)|cotclj|g(pvklg|tguuh|kjquu)|k(wijdg|egsnp)|v(gvogn|ipxth)|ovqdji|lgpdtv|t(iaiop|tulxd|ogifr)|eyvphr|qjhita|plngzw|j(ghyio|znivx|pimpe))|h(m(roipi|aywck)|upgyrj|p(hktpl|waqki)|icbdmc|e(qduak|ohlfa)|d(swddz|nhzgu)|jvpojh|gsyrup|sxxdcm|zosoaz|l(oxkpq|cyulz)|yzsfot|bgzkhd|odcfkb|n(cthgj|osapp)|waueam)|j(c(vadje|ruens)|rcplii|j(epkjr|tjmnx)|u(islyz|ljdyr)|kdynjv|l(zfgxz|ozczl)|f(aqbno|vrues)|askyqn|ekorzj|g(nvnnh|ucvhb|chocw|iaxju)|bzftfs|pfoarf|oygicw|t(cqjzu|snnxu)|h(hqexy|qgbyb)|iqdzqp|sinmps|ntizjz|qsmzsw)|i(z(rxssv|ubaqt)|wkdaxr|e(tzanu|kmazb)|f(nvpdn|mxboi)|vyseie|p(bjssj|nqwqa)|c(nwzhh|rbuuv)|s(mgegj|ixvst)|q(wvvbg|gelrw|jvafp)|hopvmf|nlnjmn|x(iwnul|rkhww)|i(zuffy|thtts|ysfrm)|d(fwzbz|tsgxd|aavgv|bopxz)|brubyj|ybqarl|jwhfeb)|z(o(naqkq|gpqjk)|x(jbzoe|vmvsi)|hrpzko|b(lcucg|srmha|yzljr)|l(tfjwx|xevwo)|dhpnxg|m(dvwtg|hmmmu|refxv)|fqtral|uycund|p(krdpx|pqrkw)|atjzkk|nlogbb|govhgb|vmeirw|wrsngy|ctyhes|scttjs|imdpyj)|c(i(mqkah|ckrur)|kkiswi|oykkym|r(draog|erihn|qjnek)|j(yalaf|atnhr|oraen)|v(otzgg|izawo)|x(vmcud|gcpge|dnyje|sajtx)|l(copgb|zfhvo|pgejr|wqklw)|njtpex|uvjrlm|e(tbouc|imeta|lvegg)|cetffz|q(vxxtm|obegt)|zzovge|gpxrus|bqsjhn|d(uytme|oedrp))|g(bkwdbo|itskff|v(ehyze|dcemg)|r(qddie|indvl|sadwb)|s(refae|tccxx)|aqfrpv|y(lbjsi|iujnh)|lsznox|dcvuac|w(zwypq|mydez)|h(edzgj|zqncw|xqear)|zs(htga|nlxt)|ffzrnc|cauwpj|qacsqq|pgwkwz|owhanm|gblmma|uazduj|mxkjun)|n(q(ikjkk|vhioo)|utnzuu|b(yxmqh|zhnxj)|l(mlfwa|csmoq)|x(cnyso|brfpk)|p(ljarj|yoemo)|mkoljh|ssjnxr|c(tmlgc|ouxxi)|t(lmlxr|yskjj)|a(bdmao|qeigk)|kbptej|r(xzudy|odqan)|e(aozxu|kwcep)|hzuxjy|vbyhkm|fykyzg)|o(oqthwn|m(akefd|mtlbl)|s(vpweb|hljaq|wlghw)|r(duqxn|bitjo)|u(vtxea|clqes)|k(prjnr|tijqy)|b(nfgrp|vzskq)|d(tckmp|vkbid)|a(phozv|kbran|xtjgf)|gm(zriu|jmgy)|l(wthhb|fkouv)|v(fuxpo|iupfr)|h(twllg|zmjvw)|q(bvjat|zxhut)|yerljs|zxqzsy)|b(w(aawpq|hifrq|jgzpd|tlfwy)|hvwepz|mwfdnm|k(tdhez|uxaxn)|t(mrtqb|fqozx)|j(gvykk|wjgtm|zaayw)|gyzatj|fayxlw|y(nhttc|zqdmq)|srpttj|ujtlha|r(lmwvc|x(fwck|qjck)|fqpjn)|i(xaauo|uorwv|afdzz)|a(meuuo|rurbc)|qmpqdf|l(uptae|bvvfs)|zekuou|xypkll)|k(i(loqvb|tkwkt)|hpblze|e(ccifq|thoya)|o(vpbbr|yyypy|gvdxn)|k(jhldy|yuewq)|tndtwo|aadrrl|x(gluid|kruhw|tfagq)|pj(loqg|djmm)|uzytfr|bszyaf|f(ayteb|qlvbm|uwwqu|icurk|lbgbq)|wofpgj|lrmefo|cggwns|rnwuqa|mygtji|n(ymwlh|zfeju)|smpsoc|gexlac))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633017; rev:2;)
# sid 2633018 includes 172 (1201 - 1373) 7 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.biz)"; content:"|07|";content:"|03|biz|00|";nocase;within: 10;pcre: "/(o(jvuraw|npdlwf|brvhhx|wapfdx|hmtndx|pgmzcy|gmlyut|aziiyr|ouuise)|d(bvmpdn|elyikv|svbyko|f(hhxjj|vojnm)|y(ddkgk|uwrjx)|owmyrm|vnsxmo|cmueom|kkjbve|lekvhe|rcimzg)|q(z(delwo|krvyd)|kvaxkd|fuvhuc|aqpedp|x(gwryi|apdmt)|npmrcg|iwnchf)|z(oqohsl|qiidus|ctryaa|trwbxv|rcgvcm|nxvqna)|i(wumtvd|lvmces|cdemjf|rmcjmq|evkhhw)|y(ekwnlu|qh(nzmk|qpkm)|dagbdl|bsabdl|vudagh)|w(brdyec|wauhii|lfagql|iosiuh|fpuzgc)|n(jmijlz|cnitkz|ijioku|tfbana|whthpy|algnob)|u(pitwkv|wrwbzx|qpxgrf|kujrvh|aiestu|bjuujx)|g(tvjmpc|bugtkq|uqjuca|nyjltt|poztdo|fjmjay|gisxmg|snabng)|f(icxqhr|dwagiq|ooipdu|jcvvzh|aiqfqp|t(kwggm|lsdov)|eecuef)|m(middag|xucmjc|hbffdt|jddppg|tfseal)|r(lgyzxg|pfffwg|bvezxv|hgbour)|t(ggkjcq|fazowd|w(sxfbg|xdjgd)|d(hlbwd|onwrr)|ozgjrg|ntsusx|y(iidte|lfbqt)|rgsfst)|p(pwzory|n(zsohv|gfnyz)|c(pasmy|egfel)|axqgak)|e(xzompz|arhkox|oxeubm)|c(runwsr|fnmqxd|himqxc)|s(w(ljejs|xlpnq)|pzpffj|gonxhn|cujome|vypqoq|enwxsn|k(soxau|zvpwn)|tdqsku)|k(hyhhkc|owjhrd|fb(rejr|fqpk)|luhcnc|ttnxxy)|l(l(bziqq|ghhco|eiybb)|exivli|vjplrt|pufwvq|ggncgs|wvoqni|mkmvmh|ntsvfk|dfqeri)|x(mrbcgh|llcksz|xwdixs|wgzzlw|rsghpc|jmwhqj|ehoatl)|v(pxkxro|n(byron|lgtqv)|bfvinn|hordbj|dxsboq|jbmmgx|edeuao)|a(wmfmjm|tonwla|hnrtar|ymzwea|urepkh)|b(izcwmh|djtisx|qirqsn|mwgivj|egzwww)|h(wdmrul|ufqyag|e(gjeih|dnawu))|j(ommtgo|kxmsnf|fionqp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633018; rev:2;)
# sid 2633019 includes 600 (0 - 600) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(q(xehqxit|d(tppnqb|cwloxa)|nfmuzzp|tyojbkp|fsyvqgc|k(mvqffu|hnepui)|g(hegpum|qaxunq)|vspjzdz|ehrgyos|u(hlqlhy|aoolxx|qwghgk)|sbwgyci|yrijhdd|jhmxkxd|qsfxxsi|meawzxh|bkvqkjj|asjficq|hyoqzzg|zymvjfc)|s(k(t(vhvjk|jhwze)|gqvrxd|qamdsh)|t(kshdst|lolvfh)|urvuzfr|b(iydpcf|bswcha)|litmaii|e(bmfqxy|tpnpph)|huacwft|icweuds|xzdfvkj|ppfgaiu|f(hsbemi|auozkb)|wnfieop|ycxbwaw|n(vmhhvw|kbssoj)|okrzkdh|r(epfjiq|nzudil)|mfltbsa)|t(damiflp|v(rdaqhl|qpxhud)|l(ouhuer|zxergj)|i(itvvxn|mmmhkx)|skbpgxd|gqkxnuw|f(zihplx|iyzukq)|b(yabuql|htdzvx)|qsasdqq|hpseags|n(gyobna|tqftwt)|kjbatlv|jkhdmxz|y(qltfnk|fiioqp)|rxphjgc|oshcqzw|zdqrlgm)|u(ixrykgs|sgfgyrh|lovnhbo|kqiimbp|wacgatz|h(veylzx|swfonx|ysixxy|wicfpg)|jkmouik|zfwgvmt|awkjyzn|yspwgsz|nfvvsov|e(wwyowy|xeygfy|awmmbe|pvfogi)|mexymht|fgqdmmt|v(lspttu|pcrqtc)|cxmfobu|dgzlmgp|biwfwse)|v(z(ehcjhw|gudsns)|antmmsh|r(dnipky|jqwfbx|bmotgi)|ffkrncw|v(hqswtq|uahnqe)|i(lrcobv|gaiqjg)|g(jnppyl|onhtik|miwmsw)|pvhmfan|moamkvz|x(vedqtt|fyjwjq)|wmpzllk|ygkytuy|lpiggmp|b(ndahrq|j(unauh|yedgj))|dbzbqmj|cqesffb)|r(a(vybmhc|albadv|xoeaqq|pyvgpz)|ljkuumn|r(zommoy|kizaub)|gfypgjh|c(wxsinm|ziwmtx)|q(lztlif|yfivrm)|tp(blwye|gwizt)|y(ghucma|nnnuph)|kytcirh|sipujfe|w(jiwnts|kqtoqf)|bsmzoia|naghjxv)|m(d(h(xkjlt|panjw)|thzrfs)|wlmvtvs|e(luxvat|qkxsnf)|rwgiamn|k(sdijcd|hctsqw)|i(sdopkt|h(heppn|igcdk))|yygzhnr|x(tycdeq|zkzdgm)|n(qjpxce|mhmzjf|asmnio)|b(igsxcm|wcbhgd)|ufnxnmv|t(nveuvc|pbecfo))|b(aaxajgd|u(jtkdsj|yyztif)|v(bntkil|wskckc)|n(gqlsce|oghoqk)|x(lojctq|avjhjm)|bpxhyou|zcdkmyy|o(tjrbii|ukpbmu)|fqbsfhg|yeaetdm|pnukdmg|hqmmyey|rpixjss|sqctomf|moryzzd|jgphuzy|kjlwgrz|iugnhua)|e(k(gcuaqx|vykons|olkfwh)|l(yy(lexf|zdva)|textjl)|ndkjamo|f(ygkzur|gduexu)|t(venvrh|ptqrpv|sbgsxb|rzvjwk|csafkl)|mmpgszm|vqzpwlp|b(lxvaso|fsvvjs)|j(tdjlra|pibspj)|pgyddig|c(eqwozl|vghqup)|wbjeuit|yeffipe|g(rqpklw|gwkmzp)|xvhpqym)|k(u(esazza|wdawsm|pkngzl)|h(swidqy|akgjvk)|zinckwo|s(idcqwa|fmxpzp)|ctumaza|f(hxdytq|mjyzee)|vzxofav|yizdmov|gzduvwn|d(bqfkut|jvcmih)|pxdxttq|jgoppnj|n(gsport|upgkrc)|kcxkddy|abqftxx|egqspif|o(pxnplb|vdgyco)|wiuecij|lnudxkp)|a(llheamn|tfeqisj|y(ndyjzk|unxavr|ctufdz)|i(zuiczk|fdtxfj)|ewrptlx|wvstumi|q(oqweek|lhwakj)|uebveer|p(eokoob|zpcgrd)|n(ghxeub|dotezw)|dbiumij|sgttvyz|xwpiorx|zyacdyk|gycocmq)|l(a(szjkmr|yggkjh|duvazx|qbfukn|zvicnj|wserfp)|rhpuvii|mmqxqsz|dxpwcmu|jvtllzm|n(zyodkp|acbqou)|uqehjbg|byisokl|xerzody|q(bgunnc|qkrura)|s(hmoltv|pbcdcv)|yvaksrg|ljcwxcb|vuxotxr|wmtgold|kuqytlc|iqqkfwl)|d(rjvgmfg|jxsmhul|i(fuoqcm|nwbsvd)|nvlzzji|vmreqsy|wdoknib|trigjpy|pjwlngf|lxtjcdc|s(vsyqoh|ghmxva)|qivgzfk|hcfuewu)|y(w(aeiheb|uuhzhr)|qfajzju|kyvreum|mvolxiq|sbavwcm|izcfmds|cgezydw|f(cvvrir|yegobg)|axhrsph|ndigaxa|vgeifgq|p(dhknzx|clzpze)|u(fcgceb|okyzru)|rbgzxpf|ylbteei|ttkjcod|lkpgybp|enxlfby)|x(e(mqbtay|huiisd)|x(rzbltn|emzqzs)|znlttll|ytqlmvt|v(lgoazi|bzkxfi|ydjtii)|c(jynzrd|vqssxm)|l(hsqoch|raonqq)|bkgnqzv|kerhbkr|iyflxxp|woprpbd|r(zqzpdu|mccqft)|naefbog|mkzgzxq|qpljols|hpblitd|pyfgcxn)|o(k(jhdwjo|fifisa)|w(fpyidp|nwavlv)|q(ybfxrt|stbdhl|nmfgtf)|v(apglla|kuvkch)|tdjdvfq|cqwjqlb|gpfvuqs|xzbmezi|syfimwn|eagwwee|ppnhsqv|m(frygsv|rdbojp)|otcjopa|f(hwwnin|ptilay)|lgzybee|yfdwczc)|c(twd(onve|qwec)|j(zatvjt|jvwdby|cqhwia|sziejn)|mzuhtvh|ukewdqa|rysqcqs|fbeczuh|k(yodfyf|cnnfwt|uzoxjo)|aelfkue|hsxcoco|qasftfy|zfvcyrz|glntndd|weeqwkc|imjvxvj|exgqiph)|p(zeguimg|x(sdemzk|yfgujg)|v(hyotss|xmndap)|oggsutm|lwzvomw|qajvwou|eju(ehkl|jtez)|pfyxhkb|usugwxi|a(ymxloy|koxgkl)|j(ikmlzq|reqamb)|cjwrnei)|h(ssdyuvw|vrxifyd|lexjuht|zhpfmai|q(tctjie|reglht)|y(wvxppt|vaytnt|znuesq|xkklep)|w(lueaqj|vzwzlf)|d(pxulfc|enmjus|y(dhgsn|hsfwt))|txpbhty|cqhunpg|aocvygr|hhsyebh|pgvhtnm|xkpitky|ikroucv)|n(w(dctfrz|steopp)|t(bytgsw|npnpla)|pziktgj|a(agghjk|lvmobu|idpwrj)|e(bstvcd|evtkdw|qofzvu)|i(mnugaj|jlzavb)|j(hbtrul|jsoygt)|u(jytwwu|qfucqp)|ficcpgy|n(xxojcp|kaaqsi)|zpwpxkh|y(bfqyxe|humgbs)|c(bidpkc|eyjrbz)|rmwndag|l(jecftq|kcuouc)|klljcuj)|g(uzozcfy|qqtcouz|c(j(ijeof|joipk)|rcffcy|iilxqb)|wrdcxyb|tiuxntg|x(yaexqi|itafkk)|z(amkwpm|cjwnwl)|lxgwafm|j(shafhy|bvbssi|pgkmjb)|ravyfyj|pwzfqxp|d(ajysfe|lybvdw)|b(y(qswwc|ygaut)|emjqub)|aanexhr|srhoztr|emqsoky|hebwffm|nxsykms|ogqvkvz)|i(a(bqhncw|mgkpoe|qkwawy)|p(jiubxj|yobobp|ftppvs|bbjzij|poztyo)|wpansyx|umhxbqo|yxjotds|fzkbnnr|x(lhsrvl|usufet)|c(helosk|syoiax)|gsuzqot|z(vvzmfa|rqxozb)|tpbsrlu|bunhtnp|jjkihvz|dungkfr|egkuadm|kocxrnq)|f(e(r(hjdqq|impxp)|elfyfv|uvodnb|hngkcc)|m(shqooh|cecpwp)|hwfdwqj|kslxkdd|bgsseiy|j(fvwglo|woytvb)|porgpyb|oaueays|iiivixj|fcrwcwp|uzhwrgo|vqkjkjr|xqferxi|twctdtb|qkeokep|rykdnxg|lbcgigc)|j(elenpfv|l(npidsq|hjlugb)|a(zament|rhmskt)|kuoumhs|p(pfrjrn|mlarwv)|vnwkuta|x(gycvdx|pzpjrz)|trhdypy|m(vbkekz|tqxhov)|jqruxae|zfbqbyo|izuywzi|rwxcfel)|w(nwcfhpv|yxzcypp|b(cwuwyf|owfjqt)|rwgucgu|lythacy|k(srhmgk|qexhpy)|zzlvnnk|hztskph|s(xcmbwj|adtvrq)|oa(xoowz|crktk)|xsqbttc|w(qpvohz|ajdudu)|a(ebtbud|utymuh)|pxnqmfl)|z(y(ahzthv|piqevx)|f(swwkqh|wvavzn)|vxcthbw|npbeziz|t(zgaodt|bgjghq)|dynmmbf|q(bstayk|aoxlzv)|ujcxxgw|musqfzf|rqbocaj|irhbkaz|ccxkzdj|bqdaruw|oawumxg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633019; rev:2;)
# sid 2633020 includes 1200 (601 - 1200) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(q(xehqxit|d(tppnqb|cwloxa|vlghgq|wbwfnc)|nfmuzzp|t(yojbkp|kavcaq)|f(s(yvqgc|jwscf)|mknydh)|k(mvqffu|hnepui)|g(hegpum|qaxunq|dawulk)|vspjzdz|e(hrgyos|wxwbjq)|u(hlqlhy|aoolxx|qwghgk|byrikn|vyalhw|sbzmow)|s(bwgyci|qzphbn)|yrijhdd|j(hmxkxd|fpmhrt)|qsfxxsi|m(eawzxh|xdhvkc|gifsgl)|b(kvqkjj|tdzrhq|iazipd)|asjficq|hyoqzzg|z(ymvjfc|gyjhup)|l(hrxahn|wjemeg)|rdjmbei|ozgijje|pvoprav|wddtavr)|s(k(t(vhvjk|jhwze)|gqvrxd|qamdsh|iaeqhu)|t(kshdst|lolvfh)|urvuzfr|b(iydpcf|bswcha|xffzli|oadxzq)|litmaii|e(bmfqxy|tpnpph)|huacwft|i(cweuds|qlvdxy)|x(zdfvkj|vvhzhx)|ppfgaiu|f(hsbemi|auozkb)|w(nfieop|rkyttl)|ycxbwaw|n(vmhhvw|kbssoj|n(nmhfl|gvbyg)|g(cryft|xhbdx))|o(krzkdh|irawfb)|r(epfjiq|nzudil|vfpsfy)|mfltbsa|s(npjadz|imqheb)|z(t(mlthn|uynhy)|nvsltq|rdumzz)|v(tqvmfj|bukwmm)|cmzswqu|g(mqecjp|fctrfv))|t(d(amiflp|ujyhle|tmallt)|v(rdaqhl|qpxhud)|l(ouhuer|zxergj)|i(itvvxn|mmmhkx|hzfwxq|vobprn|xxmuiz)|s(kbpgxd|qmffng)|g(q(kxnuw|pgzox)|vomzlo)|f(zihplx|iyzukq)|b(yabuql|htdzvx|gksdng)|qsasdqq|h(pseags|yxxmsk)|n(gyobna|tqftwt|athdvr)|kjbatlv|j(khdmxz|notcck)|y(qltfnk|fiioqp|caequp)|rxphjgc|o(shcqzw|biobos|qkacan)|z(dqrlgm|ogcymd|uzaqiv)|axeyxdw|wtvwecs|trevtju|exvbnlb|usevntt|pyeswrs)|u(i(xrykgs|uqcxkz)|sgfgyrh|l(ovnhbo|iwlzca|bwmpsa)|k(qiimbp|oczoov)|wa(cgatz|adxco)|h(veylzx|swfonx|ysixxy|wicfpg|egzbqa|kkgvxj)|jkmouik|z(fwgvmt|hqucxz|wcwhpa)|a(wkjyzn|aufmkz)|yspwgsz|nfvvsov|e(wwyowy|xeygfy|awmmbe|pvfogi)|m(exymht|ljrmce)|fgqdmmt|v(lspttu|pcrqtc)|c(xmfobu|muaxul)|d(gzlmgp|qzwenc|kfafot)|b(iwfwse|zzbdvj|pitzxo)|pisgcvd|otdhgfy|ublzcdx)|v(z(ehcjhw|gudsns|whqsgj)|antmmsh|r(d(nipky|wqdwe)|jqwfbx|bmotgi|pkxavw)|ffkrncw|v(hqswtq|uahnqe)|i(lrcobv|gaiqjg)|g(jnppyl|onhtik|miwmsw|izhfjv)|pvhmfan|m(oamkvz|twpatd)|x(vedqtt|f(yjwjq|wrarr)|y(xtouz|ydcrt))|w(mpzllk|rofqqt)|y(gkytuy|hqlfsw|trhtzp)|l(piggmp|kmfdzj)|b(ndahrq|j(unauh|yedgj)|dzsuhh|iwlpuf)|dbzbqmj|c(qesffb|k(mbgrw|aesku))|kaxdtzm|uqskfvm|qfcvptv|hjqxvsh|jggfble|enbymor)|r(a(vybmhc|albadv|xoeaqq|pyvgpz)|ljkuumn|r(zommoy|kizaub)|g(fypgjh|hjzabv|zyrzkd)|c(wxsinm|ziwmtx)|q(lztlif|yfivrm|iykkgl)|t(p(blwye|gwizt)|xjtffo|ypluwa)|y(ghucma|nnnuph)|k(ytcirh|ebdvty)|s(ipujfe|mhzitk|dgqepq|fezsgy)|w(jiwnts|kqtoqf)|b(smzoia|jeqpnp)|n(aghjxv|nizvqt)|v(sehhcf|kvyjxd)|emqlfzs|o(jvjeyo|gybhuz|fgjeka)|f(scrtby|nnjfar)|jvlwhvr|pecglhy)|m(d(h(xkjlt|panjw)|thzrfs)|wlmvtvs|e(luxvat|qkxsnf)|rwgiamn|k(sdijcd|h(ctsqw|pxjon))|i(sdopkt|h(heppn|igcdk))|y(ygzhnr|ratwqp|jrqksf|azgekp)|x(tycdeq|zkzdgm|nbzjcd)|n(qjpxce|mhmzjf|asmnio)|b(igsxcm|wcbhgd)|u(fnxnmv|ujffay)|t(nveuvc|pbecfo)|sxvlaaj|m(fsynym|ymodfs)|azpsnkg|lmzkcvh|fpnhnov|gaocnta|phifitg)|b(aaxajgd|u(jtkdsj|yyztif)|v(bntkil|wskckc)|n(gqlsce|oghoqk|kzhkxc)|x(lojctq|a(vjhjm|yyltf))|bpxhyou|z(cdkmyy|bwticq)|o(tjrbii|ukpbmu)|fqbsfhg|yeaetdm|pnukdmg|h(qmmyey|ydeypg)|rpixjss|s(qctomf|fpvyya|cthfrk|mdidct)|moryzzd|j(gphuzy|tstczl|vezgwq|ssetjz)|k(jlwgrz|bjejrh|olxios)|iugnhua|cmrwpxd|t(nmdmkb|jkvkok)|duzjwpu|ehedyat|whybcqd)|e(k(gcuaqx|vykons|olkfwh|rztjua)|l(yy(lexf|zdva)|textjl)|ndkjamo|f(ygkzur|gduexu|dxsisf|oovbgr)|t(venvrh|ptqrpv|sbgsxb|rzvjwk|csafkl|gfmqet|tostwt)|mmpgszm|vqzpwlp|b(lxvaso|fsvvjs)|j(t(djlra|aorgi)|pibspj|fiexsh)|pgyddig|c(eqwozl|vghqup)|w(bjeuit|pcqsjq)|yeffipe|g(r(qpklw|glxra)|gwkmzp|oooqta)|xv(hpqym|nfmdd)|u(yvomyp|oehwoe)|z(ejkowh|ffoozq)|eszdbkx|q(evhdnz|flwisb)|ifqpdtj|ayilito|dazdsmi|s(wuvtzf|yawtfk|uimqqm)|hfhfzmm)|k(u(esazza|wdawsm|pkngzl)|h(s(widqy|zyknd)|akgjvk)|z(inckwo|srdxzu)|s(idcqwa|fmxpzp)|ctumaza|f(hxdytq|mjyzee|fdhgvp)|vzxofav|yizdmov|g(zduvwn|qkjbtc)|d(bqfkut|jvcmih|yvdqzh)|pxdxttq|j(goppnj|doudtk|bapyac|ygklcy)|n(gsport|upgkrc|flxmot)|kcxkddy|abqftxx|e(gqspif|czgvzw)|o(pxnplb|vdgyco)|wiuecij|lnudxkp|bwywdtq|t(tkldtf|yclhhz)|xsuivmg|q(gbxxxd|nzhvma))|a(llheamn|t(feqisj|qkvufc|nrbvog|mxuvik)|y(ndyjzk|u(nxavr|zedpz)|c(tufdz|hoauv)|xyybeh)|i(zuiczk|fdtxfj|wqogpp)|e(wrptlx|lvakpb)|wvstumi|q(oqweek|lhwakj)|u(ebveer|zhetxy|wbsfif)|p(eokoob|zpcgrd|lzzlsw)|n(g(hxeub|yqpeq)|dotezw)|d(biumij|ajbbyf|vrmqua)|sgttvyz|x(wpiorx|bqgvco|kufwmz)|z(yacdyk|nchmnz)|g(ycocmq|wiuttm|cjlhea)|baxujgr|mewkcbb|v(qkgbsa|oqrovf|gnbjkv)|rsyjdzm|a(dvpojm|mwdlxb|owhloq)|f(xbtzjp|pdscjq|mymspz))|l(a(szjkmr|yggkjh|duvazx|qbfukn|zvicnj|wserfp)|r(hpuvii|zxqhps|tkxthf)|mmqxqsz|d(xpwcmu|ttargz)|jvtllzm|n(zyodkp|a(cbqou|wvfwa)|lqwcmu)|uqehjbg|byisokl|xerzody|q(bgunnc|qkrura)|s(hmoltv|pbcdcv)|y(vaksrg|bewksz)|l(jcwxcb|xhiwrq|gnpybo)|vuxotxr|w(mtgold|jwrgjd)|kuqytlc|i(q(qkfwl|ogpoq)|bsvbsi|tjyeyo)|c(gkzbzp|dongvf|vdxyni)|ti(amxkz|ripbs)|p(t(ffhmk|uxrtz)|sohejf|odaspx)|fudaptg|hqzmegb|ejilonh)|d(rjvgmfg|jxsmhul|i(fuoqcm|nwbsvd|ttunpl|bxnxlb|zyqomq)|n(vlzzji|cmzilr)|v(mreqsy|jtxisp|r(fenhz|pczbu)|vrgmlj)|w(doknib|jexdus)|t(rigjpy|dofjto)|pj(wlngf|thdlw)|l(xtjcdc|iygbvp)|s(v(syqoh|jbgjf)|ghmxva)|q(ivgzfk|ciktdf)|hcfuewu|c(sqdxeb|kfhxpf)|a(fchhog|dcebbr|ugdfcq)|k(hanpkw|dzvsoq|fnzkng)|d(pjxlgy|rupwry)|yuajqvs|elusnqi|fmcimxj|zekyjpp|x(additi|iywpau|hlumcr)|bydsvpy)|y(w(aeiheb|uuhzhr)|q(fajzju|pfipia)|kyvreum|m(volxiq|smgabi)|sbavwcm|i(zcfmds|mbocht|ocdukq)|cgezydw|f(cvvrir|yegobg|hvbjnu|gvchml)|axhrsph|n(digaxa|fgzwzb)|vgeifgq|p(dhknzx|clzpze)|u(fcgceb|okyzru)|rbgzxpf|y(lbteei|r(ddqwt|igfth)|deqwmd|fqgrbu)|t(tkjcod|cnhptt)|l(kpgybp|xmckcx)|enxlfby|zvsnzst|gfxrvqr|ohbngjj)|x(e(mqbtay|huiisd|ishhte)|x(rzbltn|emzqzs|noamfm)|z(nlttll|unqdiy|tuvntk)|y(tqlmvt|prxwap|fdhrfe)|v(lgoazi|bzkxfi|ydjtii)|c(jynzrd|vqssxm)|l(hsqoch|raonqq)|bkgnqzv|kerhbkr|iyflxxp|w(oprpbd|fstkdn)|r(zqzpdu|mccqft)|n(aefbog|lysvbi|mgepqc)|m(kzgzxq|dzkdgg)|q(pljols|gdbdpf|tilavy)|h(pblitd|dqlwqj|scsibm)|p(yfgcxn|reprwh)|u(dyecba|pdqgzz)|d(r(ihhzq|psluv)|fpjvkm)|s(dcwsvc|bpchni)|jvxuyxi)|o(k(j(hdwjo|dokqw)|fifisa)|w(fpyidp|nwavlv)|q(ybfxrt|stbdhl|nmfgtf|hrlsxb|puejmr)|v(apglla|kuvkch)|tdjdvfq|c(qwjqlb|ybrlhl)|g(pfvuqs|iymboc)|x(zbmezi|asukxu)|syfimwn|eagwwee|p(pnhsqv|ebfnic)|m(frygsv|rdbojp|cxyptg)|o(tcjopa|qzgxki)|f(h(wwnin|pntqw)|ptilay|oncjpg)|lgzybee|y(fdwczc|vkulws)|nwswpfp|igiumlk|d(mclpqi|vjzwhl)|zedkgsu|j(nliodu|fvrnub|mjsvtx|wydbbs)|u(bsqpce|grfupt|vqcyqe)|hzwhqlm|bkcococ|rfeyukn)|c(t(wd(onve|qwec)|vbfyxb|lpfntw)|j(zatvjt|jvwdby|cqhwia|s(ziejn|qgabg)|avopts)|mzuhtvh|u(kewdqa|e(dfzyf|gwjus))|r(ysqcqs|gtuvoo|zuhufb)|f(beczuh|wqacpx)|k(yodfyf|cnnfwt|uzoxjo|dyeqtc)|a(elfkue|vttwav|uogpgu|fhgdgr)|h(sxcoco|qyiinn)|qasftfy|z(fvcyrz|luibqb)|g(lntndd|endfju|kcysxx)|w(eeqwkc|lyscvb|ycjgex)|imjvxvj|exgqiph|chzkeyy|y(lxvqpl|oksqdq|yqupfp)|o(oyvjgm|iidxjs|wwpulm)|s(xgcmpe|shzmhc)|l(szhxxj|jridtl)|v(rpnbcu|ufiqgt|eegdft)|bzcmxzt)|p(z(eguimg|kgxetf|mtpcoa|crhfzc)|x(sdemzk|yfgujg|iwgguv)|v(hyotss|xmndap|olyhkw)|oggsutm|l(wzvomw|gieegj)|qajvwou|eju(ehkl|jtez)|p(fyxhkb|drudvr)|usugwxi|a(ymxloy|koxgkl|ucrnmo|tpqnxc|pdlhhd)|j(ikmlzq|reqamb|wyrrjq)|c(j(wrnei|zvsjp)|vagkdb)|niolomi|h(izsppf|tawkpq)|t(txxsvr|pkmfms)|w(jlapsm|lzchjd))|h(s(sdyuvw|cqcent)|v(rxifyd|twbehj|nueigs)|l(exjuht|reskno)|zhpfmai|q(tctjie|reglht|wmxijg|aevyrv)|y(wvxppt|vaytnt|znuesq|xkklep)|w(l(ueaqj|aaogx)|vzwzlf)|d(pxulfc|enmjus|y(dhgsn|hsfwt))|t(xpbhty|zvimuh|jqfyfd|aqyvwg)|cqhunpg|aocvygr|h(hsyebh|urlrjv|eghnpz|qbaqio)|p(gvhtnm|jykjar|euzyai)|x(kpitky|dosfec)|i(kroucv|lygirb)|g(grmwhr|uduzhm)|m(jsmrnz|b(ktvbs|pfnwh))|fpwfcox|ogrixrn|eewmqaa)|n(w(dctfrz|steopp)|t(bytgsw|npnpla|hazjqq)|pziktgj|a(agghjk|lvmobu|idpwrj|jfudwe|dldnmi)|e(bstvcd|evtkdw|qofzvu|tljtia)|i(mnugaj|jlzavb|tqqqkx)|j(hbtrul|jsoygt|swvojf|dgaora|egrhsh)|u(jytwwu|qfucqp)|f(iccpgy|gekxkb|oqfqcm|yxyzjp)|n(xxojcp|kaaqsi|heiiac)|zpwpxkh|y(bfqyxe|humgbs|lnpvwn|zvomsj)|c(bidpkc|eyjrbz|f(zktwp|bxpvx))|rm(wndag|ghhxf)|l(jecftq|kcuouc|vanchp|azgbqu)|k(lljcuj|mdvdhp)|qmwqzht|s(cfuomc|mucati)|m(jgoepc|xnzldj)|g(pgenzs|lmhsxg)|hgtluif|o(xodjpc|ldovcd))|g(u(zozcfy|uzrekq)|qqtcouz|c(j(ijeof|joipk)|rcffcy|iilxqb)|wrdcxyb|tiuxntg|x(yaexqi|itafkk|mggmfk|uremay)|z(amkwpm|cjwnwl)|l(xgwafm|hxrlgn|vvlabt)|j(shafhy|bvbssi|pgkmjb)|r(avyfyj|fqynqv|thakln)|pwzfqxp|d(ajysfe|lybvdw|yndevx)|b(y(qswwc|ygaut)|emjqub|ohaotn)|a(anexhr|gnzsam)|srhoztr|e(mqsoky|frnorv)|hebwffm|n(xsykms|mohwkw)|ogqvkvz|g(nxosmy|vcjloh|yelsoe|mryhfq|oevyuu)|fasucmc|kwuxhpg|mmtepxl|iamhkmy)|i(a(bqhncw|mgkpoe|qkwawy)|p(jiubxj|yobobp|ftppvs|bbjzij|poztyo|cbdplg)|w(pansyx|osawjp|jzjycz|wlkvcu)|u(mhxbqo|dmvdin)|y(xjotds|fabbpm)|f(zkbnnr|uqfrgw|tieesd)|x(lhsrvl|usufet|zswwea)|c(h(elosk|arirj)|syoiax|ibiuis|frodgl)|g(suzqot|tpltsc|grebzs)|z(vvzmfa|rqxozb|bmpejr)|t(pbsrlu|zhyjaa|ufmmzv|lmqyyz)|b(unhtnp|cywcgb)|jjkihvz|dungkfr|egkuadm|kocxrnq|v(nfajfy|zufkhr)|s(vaznct|uyqmje)|iyxhtms|q(b(ybadx|zvtir)|gadoxr)|h(jzuafe|wbbitw))|f(e(r(hjdqq|impxp)|elfyfv|uvodnb|hngkcc|yatrbp)|m(shqooh|cecpwp|lmtsjw)|hwfdwqj|kslxkdd|b(gsseiy|rclxuo)|j(fvwglo|woytvb)|porgpyb|o(aueays|bznoup|jvtwrw)|i(iivixj|tuevfl|fvwnit)|fcrwcwp|u(zhwrgo|ujjgro)|vqkjkjr|xqferxi|t(wctdtb|vzdtnj)|qkeokep|rykdnxg|l(bcgigc|znewga)|y(fihvcx|czdpvh)|dgqbxqe|c(dazlyy|hvwpju|rklowv)|s(ubrptv|eypgte|hgedfd)|ajgksuy|wjszwmr)|j(e(lenpfv|coaess)|l(npidsq|hjlugb|uaxsid|kstjnh)|a(z(ament|roojj)|rhmskt|ndgbvn|oymdfd|lxhwov)|k(u(oumhs|froet)|xjpppb|vgbqmg|hvsyxg)|p(pfrjrn|mlarwv)|v(nwkuta|fakdrv)|x(gycvdx|pzpjrz)|trhdypy|m(v(bkekz|mgpng)|tqxhov|ufxuox|pjzucv)|jqruxae|z(fbqbyo|mkihes)|i(zuywzi|landwy)|r(wxcfel|joavzn)|sfpkaie|c(cfzdoc|mfxpqd)|u(dbhwdi|ockgch|uzbcua)|bmwvdpw|qtwiaaf|ndxcddq)|w(nwcfhpv|yxzcypp|b(cwuwyf|owfjqt|sfpxes)|r(wgucgu|bysbrk)|l(ythacy|gvgxvt|vdqlik)|k(srhmgk|qexhpy|fvtiku|oggkkt)|z(zlvnnk|xpprmp)|hztskph|s(xcmbwj|adtvrq|filazr|ynufbh)|o(a(xoowz|crktk)|yzkaqy)|xsqbttc|w(qpvohz|ajdudu)|a(ebtbud|utymuh)|pxnqmfl|f(fkjjhb|qzygvi)|q(rhlwqz|vbmlnd)|earwxiw|i(obqzke|mmugmq)|v(dpeavy|nrdrlq))|z(y(ahzthv|piqevx|fehtsm)|f(swwkqh|wvavzn|byywwt)|vxcthbw|n(pbeziz|msxveb)|t(zgaodt|bgjghq|wnqpoc|rgqbvh)|d(ynmmbf|orxweu)|q(bstayk|aoxlzv)|ujcxxgw|musqfzf|rqbocaj|i(rhbkaz|ilemid)|ccxkzdj|bqdaruw|o(awumxg|otiwea)|hq(cdjky|yznbp)|stibkox|wxrtkye|k(eolajy|woilah|izpsky)|pbfzhww|euvdgnr))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633020; rev:2;)
# sid 2633021 includes 1619 (1201 - 1800) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(i(z(vvzmfa|rqxozb|bmpejr)|p(yobobp|ftppvs|bbjzij|poztyo|cbdplg)|x(usufet|zswwea|nkgszi)|t(pbsrlu|zhyjaa|ufmmzv|lmqyyz)|b(u(nhtnp|iqzsm)|cywcgb|jnxrpo|vjdwtw)|j(j(kihvz|wyodj)|omyhgd|psxlgx|saidwz)|a(mgkpoe|qkwawy|jrchcm)|dungkfr|e(gkuadm|dwyqtw)|k(ocxrnq|ifcizd)|w(osawjp|jzjycz|wlkvcu|aknbbt|bizbzg|h(tpaqc|bpxlg)|yrihsi|plrnpx)|y(fabbpm|ilphnv)|g(tpltsc|grebzs)|v(nfajfy|zufkhr|brwcmj)|s(vaznct|uyqmje|gfgosn|jxgvah)|f(uqfrgw|tieesd)|i(yxhtms|dmcace)|q(b(ybadx|zvtir)|gadoxr|radxdx)|c(harirj|ibiuis|frodgl|tbhrfn|aovkpe|utqyxf)|h(jzuafe|wbbitw|fsgfhq)|udmvdin|ngczise|l(whkphw|skrcwd))|y(s(bavwcm|trgcbb)|i(zcfmds|mbocht|ocdukq)|cgezydw|f(cvvrir|yegobg|hvbjnu|gvchml|puftwq|onetou)|a(xhrsph|doneam)|n(digaxa|fgzwzb|ipysbk|wtrtzs)|vgeifgq|p(dhknzx|clzpze)|u(f(cgceb|tnsrk)|o(kyzru|zbadb)|eprobp)|w(uuhzhr|azhxdn)|rbgzxpf|y(lbteei|r(ddqwt|igfth)|deqwmd|fqgrbu|hvzdwz)|t(tkjcod|cnhptt|amcbst)|l(kpgybp|xmckcx)|enxlfby|q(pfipia|nojmig)|z(vsnzst|xbkiee|snbisn)|gfxrvqr|ohbngjj|m(smgabi|zagqai)|j(duqojc|blqgwt)|d(ryehbb|aepzsi))|h(t(xpbhty|zvimuh|jqfyfd|aqyvwg|ufgedl|gbecse|wyzlmr|sbbbmx)|y(vaytnt|znuesq|xkklep|eoolaw|syuqan)|cqhunpg|d(enmjus|y(dhgsn|hsfwt)|oabtkz)|w(vzwzlf|laaogx|pawxgf)|aocvygr|h(hsyebh|urlrjv|eghnpz|qbaqio)|p(gvhtnm|jykjar|euzyai)|x(kpitky|dosfec|fobxwc)|i(kroucv|lygirb)|g(grmwhr|uduzhm)|lreskno|m(jsmrnz|b(ktvbs|pfnwh|wowdq)|vyeupq)|q(wmxijg|aevyrv)|v(twbehj|nueigs)|f(pwfcox|tfezqy)|ogrixrn|s(cqcent|rqipvu|wqxxvb)|eewmqaa|b(gkffep|iqaeua)|k(beyklv|frxpdz)|ukrosmk|njfqmzc|jtufjxj|z(hwaeob|vqahst))|q(g(hegpum|qaxunq|dawulk)|d(cwloxa|vlghgq|wbwfnc)|vspjzdz|e(hrgyos|wxwbjq)|u(hlqlhy|aoolxx|qwghgk|byrikn|vyalhw|sbzmow)|s(bwgyci|qzphbn|vsgczv|gpzest|ywwuid|alhkxu)|yrijhdd|j(hmxkxd|fpmhrt|qiwasz)|q(sfxxsi|fxvstx|tvwicg)|m(eawzxh|xdhvkc|gifsgl)|b(kvqkjj|tdzrhq|iazipd|wjkupi)|a(sjficq|fkmzux)|khnepui|h(yoqzzg|wgswnb|uvuqap)|z(ymvjfc|gyjhup)|f(sjwscf|mknydh|alhafl|juccxg)|l(hrxahn|wjemeg|vvnsex)|rdjmbei|t(kavcaq|jeguoq)|ozgijje|p(vo(prav|iadq)|ywcjot)|w(ddtavr|hmegxg)|nhvbekz|i(mqljgl|ayjduc))|t(i(mmmhkx|hzfwxq|vobprn|xxmuiz)|h(pseags|yxxmsk|nvzxqx)|n(gyobna|tqftwt|athdvr|qihiaj)|l(zxergj|mznide)|kjbatlv|j(khdmxz|notcck)|b(h(tdzvx|vffbp)|gksdng|i(eupyr|bwotp))|y(qltfnk|fiioqp|caequp|ujkges)|vqpxhud|rxphjgc|o(shcqzw|biobos|qkacan|rzztlu)|z(d(qrlgm|gnxtj)|ogcymd|uzaqiv|juanyj)|a(xeyxdw|nzjhhy)|w(tvwecs|blodmf)|d(ujyhle|tmallt|exbvbr)|sqmffng|trevtju|g(vomzlo|qpgzox)|e(xvbnlb|upoyvw)|u(sevntt|oymyxx)|p(yeswrs|ufuorg|noqlkn)|q(vwpiwc|iiibsn)|fwbluxu)|u(h(ysixxy|wicfpg|egzbqa|kkgvxj)|z(fwgvmt|hqucxz|wcwhpa)|a(wkjyzn|aufmkz)|yspwgsz|n(fvvsov|mrgzvf)|e(wwyowy|xeygfy|awmmbe|pvfogi|idfcwm)|m(exymht|ljrmce|tdyebh)|f(gqdmmt|kizujb)|v(lspttu|pcrqtc|yqpxwt)|c(xmfobu|muaxul|cvufqo|josope|eqfboe)|d(gzlmgp|qzwenc|kfafot)|b(iwfwse|zzbdvj|pitzxo)|k(oczoov|ldqqni)|pisgcvd|l(iwlzca|bwmpsa|mejlhz)|o(tdhgfy|ipltzm)|w(aadxco|olqixb)|i(uqcxkz|qcqemf|aieuzq)|u(blzcdx|ysjias|gdpkhb)|jwztoyo|t(fixvpe|vbelbo)|sevytwl|xcrzffo)|l(x(erzody|klmjnb|itngah|qyepgo)|q(bgunnc|qkrura)|s(hmoltv|pbcdcv|dnxbzp|sbuctx)|a(qbfukn|zvicnj|wserfp)|y(vaksrg|bewksz)|l(jcwxcb|xhiwrq|gnpybo)|vuxotxr|n(a(cbqou|wvfwa)|lqwcmu)|w(mtgold|jwrgjd)|kuqytlc|i(q(qkfwl|ogpoq)|bsvbsi|tjyeyo)|r(zxqhps|tkxthf|civjms)|c(g(kzbzp|xdtsy)|dongvf|vdxyni|afamvq)|d(ttargz|vubfqf)|ti(amxkz|ripbs)|p(t(ffhmk|uxrtz)|sohejf|odaspx)|f(udaptg|hpyfni)|h(qzmegb|cirfrj)|e(jilonh|upvjdp)|b(aahjps|bbxmst)|umdbqwq|j(khulmt|fbwcxw)|mpboieq)|e(b(lxvaso|fsvvjs|vwzvbo|qdfzdr)|j(t(djlra|aorgi)|pibspj|fiexsh)|t(sbgsxb|rzvjwk|csafkl|gfmqet|tostwt|fuhbab)|pgyddig|c(eqwozl|vghqup)|l(textjl|yyzdva)|w(bjeuit|pcqsjq)|k(olkfwh|rztjua)|f(gduexu|dxsisf|oovbgr|sxbnyc)|y(effipe|magzzy)|g(r(qpklw|glxra)|gwkmzp|oooqta|iofvxk)|x(v(hpqym|nfmdd)|bjchtb)|u(yvomyp|oehwoe|wuqlub)|z(ejkowh|f(foozq|xosuw)|zfukoo)|eszdbkx|q(evhdnz|flwisb)|i(fqpdtj|lwpszr)|a(yilito|rmheze)|dazdsmi|s(wuvtzf|yawtfk|uimqqm|jpptrb)|hfhfzmm|o(qjmigj|earkva|txaagl)|vcvjbrz|mjvtyuy)|x(k(e(rhbkr|sophx)|sbcwqh|ajlfqw)|v(bzkxfi|ydjtii)|cvqssxm|i(yflxxp|fnenio|ovuddc|dwmkex)|w(oprpbd|fstkdn|hkkdtb|puybcv|bmrwwp|jtkiue)|r(zqzpdu|mccqft|xnphfl|djzmkm)|n(aefbog|lysvbi|mgepqc)|e(huiisd|ishhte|eusnmk)|m(kzgzxq|dzkdgg)|x(emzqzs|noamfm|hjmgnb|ikkjzs)|q(pljols|gdbdpf|tilavy|fdkhbs)|h(pblitd|dqlwqj|scsibm|gefpwk)|p(yfgcxn|reprwh)|l(raonqq|xoldxi)|u(dyecba|pdqgzz|jjfgsq)|d(r(ihhzq|psluv)|fpjvkm|djriri)|s(dcwsvc|bpchni)|z(unqdiy|tuvntk|njenbr)|y(prxwap|fdhrfe|klmigg|wajcvi)|j(vxuyxi|rkvzvp)|gnzwmhf|aryizmt|bkrklrg)|m(x(tycdeq|zkzdgm|nbzjcd)|e(qkxsnf|nhmwyv|jjfudw)|n(qjpxce|mhmzjf|asmnio|hljajl|zzbsed)|d(thzrfs|hpanjw|mivbme)|k(h(ctsqw|pxjon)|pfczgp|beojdb|qubksb)|b(igsxcm|wcbhgd|qkkfvh)|i(h(heppn|igcdk)|qfzxdj|dxtyug|xbiyvz)|u(fnxnmv|ujffay)|t(nveuvc|pbecfo|dksqij|vmoyuu)|y(ratwqp|jrqksf|azgekp|nsjitb)|sxvlaaj|m(fsynym|ymodfs)|azpsnkg|lmzkcvh|fpnhnov|g(aocnta|yekmwt)|phifitg|h(ejtnfr|kzkuxs|hzqphq)|r(zradwx|sexgld)|vqweawa|w(simevz|cuojct|wyjnhv)|c(a(jrowi|chdjx)|lkvcja)|otdurqq)|n(j(hbtrul|jsoygt|swvojf|dgaora|egrhsh)|u(jytwwu|qfucqp)|a(lvmobu|idpwrj|jfudwe|dldnmi)|f(iccpgy|gekxkb|oqfqcm|yxyzjp)|n(xxojcp|kaaqsi|heiiac|dtqrhi)|e(qofzvu|tljtia|giuoji|ockovv)|z(pwpxkh|lfpyrk)|y(bfqyxe|humgbs|lnpvwn|zvomsj|asiqhi|ifkqgh)|c(bidpkc|eyjrbz|f(zktwp|bxpvx))|r(m(wndag|ghhxf)|dzwypa|xpguxx)|i(jlzavb|tqqqkx|gbzrlk|mwwbly|xnbfzd|vmhxpo)|t(npnpla|hazjqq|ubwcft)|l(jecftq|kcuouc|vanchp|azgbqu)|k(lljcuj|mdvdhp)|q(mwqzht|a(meatb|tpejn))|s(cfuomc|mucati|jakknr|yxwfmi)|m(jgoepc|xnzldj|tlvpnw|cqhrac)|g(pgenzs|lmhsxg|rpjiva|smwdtf)|h(g(tluif|wugjp)|mfnhex)|o(xodjpc|ldovcd)|p(gjemsv|dbblym)|wkvgenv|b(nkoozq|ycmfzs)|vnccmir)|b(bpxhyou|z(cdkmyy|bwticq|sifyot)|xa(vjhjm|yyltf)|o(tjrbii|u(kpbmu|ogsjb))|f(qbsfhg|hvmysc)|yeaetdm|n(oghoqk|kzhkxc)|uyyztif|pnukdmg|h(qmmyey|ydeypg)|r(pixjss|gyrsrg|xlmtbm|mfzxvz)|s(qctomf|fpvyya|cthfrk|mdidct|eohsyc)|moryzzd|j(gphuzy|tstczl|vezgwq|ssetjz)|k(jlwgrz|bjejrh|olxios|aixkqn)|iugnhua|vwskckc|cmrwpxd|t(nmdmkb|j(kvkok|xeyth)|yktkdh)|duzjwpu|e(hedyat|lsshgn)|w(hybcqd|yhwdxa)|lvdrosx|gngsxpl)|s(hu(acwft|xvbkl)|i(cweuds|qlvdxy)|k(tjhwze|gqvrxd|qamdsh|iaeqhu)|x(zdfvkj|vvhzhx)|ppfgaiu|f(hsbemi|auozkb)|etpnpph|w(nfieop|rkyttl)|y(cxbwaw|zazbrt|uksewn)|n(vmhhvw|kbssoj|n(nmhfl|gvbyg)|g(cryft|xhbdx)|lzvije)|t(lolvfh|wrthze)|o(krzkdh|irawfb)|r(epfjiq|nzudil|vfpsfy|dwbcff)|b(bswcha|xffzli|oadxzq)|m(f(ltbsa|zoqgk)|rrtkjl|vpnurq)|s(npjadz|imqheb)|z(t(mlthn|uynhy)|nvsltq|rdumzz|l(eotzq|papfr))|v(tqvmfj|bukwmm|kvhlos)|c(mzswqu|svuczj)|g(mqecjp|fctrfv|icqgds)|lwosnox|qzwueeo|asanubi|jzyvror)|g(z(amkwpm|cjwnwl|shfqnm)|l(xgwafm|hxrlgn|vvlabt)|j(shafhy|bvbssi|pgkmjb|nkhekq)|r(avyfyj|fqynqv|thakln|yjqzjv)|p(wzfqxp|okeabo|hwohje|uojbji)|d(ajysfe|lybvdw|yndevx)|b(y(qswwc|ygaut)|emjqub|ohaotn)|a(anexhr|gnzsam|liycmj|jjgypo)|x(itafkk|mggmfk|uremay)|s(rhoztr|witozk)|e(mqsoky|frnorv|vjawgq)|hebwffm|n(xsykms|mohwkw|rsefbv)|o(gqvkvz|ztwasa|pzvqtb)|cjjoipk|g(nxosmy|vcjloh|yelsoe|mryhfq|oevyuu|enidcr)|fasucmc|k(wuxhpg|acvafg|sysnoq)|m(mtepxl|bdagqk)|i(amhkmy|xxczji|fkhxfp)|uuzrekq|y(uwjhzt|doobdt))|f(j(fvwglo|woytvb|mjpfcj)|porgpyb|m(cecpwp|lmtsjw|tpjedq|nxmtta)|o(aueays|bznoup|jvtwrw|spkbix)|i(iivixj|tuevfl|fvwnit|hqlfqr|nsmhbf)|f(crwcwp|utbmlm|qxfinj)|u(z(hwrgo|fhsnn)|ujjgro)|v(qkjkjr|tllbpl|rgecgg)|x(qferxi|ibtgpm)|t(wctdtb|vzdtnj|rqaima)|qkeokep|r(ykdnxg|gfbuju)|l(bcgigc|znewga|tprsrv|gzgvhw)|e(rimpxp|hngkcc|yatrbp|uyfhre)|y(fihvcx|czdpvh|hvlnbe)|d(gqbxqe|njtijn|zyfgas)|c(dazlyy|hvwpju|rklowv)|s(ubrptv|eypgte|hgedfd|oknedz)|a(jgksuy|zagqpx)|wjszwmr|brclxuo|h(dvxpiq|ovyqht)|grufbua|kfuqcob)|z(v(xcthbw|nyxxmw|kanbix)|n(pbeziz|msxveb)|t(zgaodt|bgjghq|wnqpoc|rgqbvh|kxgblm)|d(ynmmbf|orxweu|xuofhq|npztpo)|q(bstayk|aoxlzv|tbdube)|u(jcxxgw|sskuer|zmmqqz)|y(piqevx|fehtsm|hznrzo)|m(usqfzf|tufson)|rqbocaj|i(rhbkaz|ilemid)|ccxkzdj|b(qdaruw|wsqhop|mqfdih)|o(awumxg|otiwea|gjjgnd)|f(wvavzn|b(yywwt|rmbxi)|yogcrk)|h(q(cdjky|yznbp)|ajnucx)|s(tibkox|nygtuy|oygeqe|dmdrxe)|w(xrtkye|bqmbxe)|k(eolajy|woilah|izpsky|ljhieo|zvcich)|pbfzhww|e(uvdgnr|pftutk)|z(uvfrom|qbbpga)|xozmdtm|aivloxi|ldaknam|gxzszfn|j(fkvxbs|hznojp))|v(vuahnqe|g(jnppyl|onhtik|miwmsw|izhfjv)|p(vhmfan|mxqozn)|m(oamkvz|twpatd)|x(vedqtt|f(yjwjq|wrarr)|y(xtouz|ydcrt|rbzlz))|w(mpzllk|rofqqt|zrmvyn)|igaiqjg|y(gkytuy|hqlfsw|trhtzp|ksrtzb)|l(piggmp|kmfdzj)|b(ndahrq|j(unauh|yedgj)|dzsuhh|iwlpuf|eovpdn)|r(bmotgi|pkxavw|dwqdwe|avuuhy)|dbzbqmj|z(gudsns|whqsgj|j(gdwxr|laoxp))|c(qesffb|k(mbgrw|aesku)|gdwwqh)|k(axdtzm|oektbg|iyogae)|u(qskfvm|yidacb|fftzdf)|q(fcvptv|smabfq)|h(jqxvsh|fciyor|uabtxh)|j(ggfble|blbcwl)|enbymor|s(vfimya|qnaqtd)|t(hnbqir|vtvhbt)|ndaiafy|o(tmjubs|dfzhvj)|fxfvika|afgbrzo)|w(k(srhmgk|qexhpy|fvtiku|oggkkt|utnjpo)|z(zlvnnk|xpprmp)|h(ztskph|eildgr)|s(xcmbwj|adtvrq|f(ilazr|ykdtr)|ynufbh|kxcmuz)|o(a(xoowz|crktk)|yzkaqy|frubjc|ixaido)|x(sqbttc|domyqz)|w(qpvohz|ajdudu|kemytv|ngigmx|iesrbr)|a(ebtbud|utymuh|hyqjim)|p(xnqmfl|ulugra|rallkv)|b(owfjqt|sfpxes|gonpjf|qcsqng)|l(gvgxvt|vdqlik|w(gwypy|xoiaz)|yycwrp)|f(fkjjhb|qzygvi)|r(b(ysbrk|dovrx)|waccvz)|q(rhlwqz|vbmlnd)|earwxiw|i(obqzke|mmugmq)|v(dpeavy|nrdrlq)|jchmmho|d(lotuwx|oayeyy)|g(ykvbbu|oyzgjb)|nunphyu|mmgyrqz|czhodby)|o(x(zbmezi|asukxu|jempuq)|k(fifisa|jdokqw)|syfimwn|eagwwee|q(stbdhl|nmfgtf|hrlsxb|puejmr)|p(pnhsqv|ebfnic|cdvoxo)|m(frygsv|rdbojp|cxyptg|bbrdvf)|o(tcjopa|qzgxki)|f(h(wwnin|pntqw|yiibj|dxyma)|ptilay|oncjpg|nofjkj|utxite)|v(k(uvkch|kkdqn)|boxhlm)|lgzybee|w(nwavlv|qdelcz)|y(fdwczc|vkulws|aygivf)|n(wswpfp|qmxvgv)|i(g(iumlk|pnjdw)|yzqsar)|giymboc|cybrlhl|d(mclpqi|vjzwhl)|z(edkgsu|xsytjo)|j(nliodu|fvrnub|mjsvtx|wydbbs|jdmjdn)|u(bsqpce|grfupt|vqcyqe|wrtmil)|hzwhqlm|b(kcococ|xgpmvx)|r(feyukn|gehill))|j(v(nwkuta|fakdrv)|x(gycvdx|pzpjrz)|trhdypy|m(v(bkekz|mgpng)|tqxhov|ufxuox|pjzucv)|a(rhmskt|ndgbvn|oymdfd|lxhwov|zroojj|khlmkz)|j(qruxae|hankuz)|z(fbqbyo|mkihes|xydwmk)|i(zuywzi|landwy|trvpmo)|l(hjlugb|uaxsid|kstjnh|s(lqkpl|naurw))|r(w(xcfel|nfxyf)|joavzn|gqelsd)|sfpkaie|c(cfzdoc|mfxpqd|vyykdu)|k(xjpppb|ufroet|vgbqmg|hvsyxg|asovzi)|u(dbhwdi|ockgch|uzbcua|yvhnld|btxnfi)|e(coaess|ksesyl)|bmwvdpw|q(twiaaf|udpbuw|zrmwtj)|n(dxcddq|oguerv)|whlqhah|gmdvazt|fiptvsh|y(gbngaj|sodyuj|qgbril)|o(gvvjxc|jjwofa)|phpclkt)|a(wvstumi|q(oqweek|lhwakj)|y(c(tufdz|hoauv)|uzedpz|xyybeh|arzubz)|u(ebveer|zhetxy|wbsfif|sqxtxn)|p(eokoob|zpcgrd|lzzlsw)|n(g(hxeub|yqpeq)|dotezw)|d(biumij|ajbbyf|vrmqua)|s(gttvyz|jeodjv)|x(wpiorx|bqgvco|k(ufwmz|eieve))|z(yacdyk|nchmnz)|g(ycocmq|wiuttm|cjlhea)|i(fdtxfj|wqogpp|beawzd)|b(axujgr|rrttjv)|t(qkvufc|nrbvog|mxuvik|uorecs|rdtxgd)|m(ewkcbb|kobpjb|cogxgq)|v(qkgbsa|oqrovf|gnbjkv|wqkdxp|ikvnfw)|r(syjdzm|yeayxz)|a(dvpojm|mwdlxb|owhloq)|f(xbtzjp|pdscjq|mymspz|rjuhhi)|e(lvakpb|jxfzsj)|k(zhfgcc|uzbfgz)|j(zqmfqr|atczmh))|d(v(mreqsy|jtxisp|r(fenhz|pczbu)|vrgmlj|fieypc|qzgfng|ckjzlo)|w(doknib|jexdus)|t(rigjpy|dofjto|tysqxw)|p(j(wlngf|thdlw)|wivgxb)|l(xtjcdc|iygbvp)|s(v(syqoh|jbgjf)|ghmxva)|q(ivgzfk|ciktdf)|hcfuewu|i(nwbsvd|ttunpl|bxnxlb|zyqomq|oilrpp)|c(sqdxeb|kfhxpf|zlviav|taehal|hxlkja)|a(fchhog|dcebbr|ugdfcq)|k(hanpkw|dzvsoq|fnzkng)|d(pjxlgy|rupwry)|y(uajqvs|vtsaga)|elusnqi|f(mcimxj|bzuiiu)|z(ekyjpp|ndqjta)|ncmzilr|x(additi|iywpau|hlumcr|znzcjo|xgwumf)|b(ydsvpy|qovbfn)|m(bmhhqf|xewmxj)|g(bpzhts|misabm)|utveivc)|k(yizdmov|g(z(duvwn|bbjvw)|qkjbtc|bgunfe|mlhnpp|ftiufx)|u(wdawsm|pkngzl|oyqqzv)|d(bqfkut|jvcmih|yvdqzh|dfjbfw)|pxdxttq|j(goppnj|doudtk|bapyac|ygklcy|ljavwz)|n(gsport|upgkrc|flxmot|hfkhgm)|k(cxkddy|zvpjza)|a(bqftxx|fdtgvz|gzojub)|e(gqspif|czgvzw)|o(pxnplb|vdgyco|ouhjkw)|s(fmxpzp|ezpvah|iifear|soqemq)|f(mjyzee|f(dhgvp|ldyav)|bijxzg)|wiuecij|l(nudxkp|mdcuih)|b(wywdtq|zyctfd)|t(tkldtf|yclhhz|hlkgon|atojeo|jiqqiq)|x(suivmg|xfdpla)|z(srdxzu|cqyoyn|hruure|zkemba)|q(gbxxxd|nzhvma)|h(szyknd|hqdrdb)|v(uyljpi|tmvaca)|iqvhzds)|p(x(yfgujg|iwgguv)|q(ajvwou|ftmcyd)|e(ju(ehkl|jtez)|esefyt)|p(fyxhkb|drudvr|gfufvq|wsdtgk)|usugwxi|a(ymxloy|koxgkl|ucrnmo|tpqnxc|pdlhhd)|j(ikmlzq|reqamb|wyrrjq|xvgxsr)|v(xmndap|olyhkw|gvynwx)|c(j(wrnei|zvsjp)|vagkdb)|n(iolomi|xxpqcz|jqcarb)|z(kgxetf|mtpcoa|crhfzc)|l(gieegj|ddcksf)|h(izsppf|tawkpq|xcgyfm|qjiasz|j(osxji|rcmfj))|t(txxsvr|pkmfms|izxanm|ujujfb)|w(jlapsm|lzchjd|ogrxbs)|oooolce|ydoapeh|fcopxrh|sludpvz)|c(j(jvwdby|cqhwia|s(ziejn|qgabg)|avopts|vfjyeh|oowmfm|fqcwit)|a(elfkue|vttwav|uogpgu|fhgdgr)|h(sxcoco|qyiinn|eazgra)|q(asftfy|gilzhw|rhknxx)|k(cnnfwt|uzoxjo|dyeqtc|anjezn)|z(fvcyrz|luibqb)|g(lntndd|endfju|kcysxx|gjgahe|tinwgx)|t(wdqwec|vbfyxb|lpfntw|dhpwyg)|w(eeqwkc|lyscvb|ycjgex|rsljen|znomgq)|imjvxvj|e(xgqiph|whowhj)|chzkeyy|y(lxvqpl|oksqdq|yqupfp|sosivz|pedrku)|o(oyvjgm|iidxjs|wwpulm|udemlo|mkkxlx)|ue(dfzyf|gwjus)|f(wqacpx|mqjqti)|s(xgcmpe|shzmhc)|l(szhxxj|jridtl|rtvkrk)|r(gtuvoo|zuhufb)|v(rpnbcu|ufiqgt|eegdft|tjjzuv|nzwmlu|xvogrm)|bzcmxzt|p(lsbhel|odjrzc)|n(fxqvxy|lpiewf)|djpmaco)|r(t(p(blwye|gwizt)|xjtffo|ypluwa|lvymlh)|y(ghucma|nnnuph)|q(yfivrm|i(ykkgl|hlhhg))|k(y(tcirh|hjxmi)|e(bdvty|oibkf))|s(ipujfe|mhzitk|dgqepq|fezsgy|vclovh)|w(jiwnts|kqtoqf)|a(pyvgpz|hnnvlt)|b(smzoia|jeqpnp|qwrjwc)|c(ziwmtx|xkmzzz)|n(aghjxv|nizvqt)|v(sehhcf|kvyjxd|mmegyq)|e(mqlfzs|vtnbib|eguorp)|o(jvjeyo|gybhuz|fgjeka)|f(scrtby|nnjfar)|jvlwhvr|g(hjzabv|zyrzkd|glngwj)|p(ecglhy|veyfdj)|reveufl|h(ntrjxx|zxknos)|mvwcvus|ipqzltu|lizrdky|xorldpg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633021; rev:2;)
# sid 2633022 includes 1019 (1801 - 2400) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(i(ngczise|q(radxdx|yecvgq)|idmcace|j(omyhgd|psxlgx|saidwz|jwyodj)|l(whkphw|skrcwd|vnvhwv|euksof)|v(brwcmj|lvqfeq|tyrxic)|k(ifcizd|lljtfm)|c(aovkpe|utqyxf|bjvadb)|w(aknbbt|bizbzg|h(tpaqc|bpxlg)|yrihsi|plrnpx)|b(jnxrpo|vjdwtw)|s(gfgosn|jxgvah)|e(dwyqtw|xdxocd|kktcvz)|hfsgfhq|r(dvhpbj|s(mhobj|xikkf))|m(shgxld|yrrmvk)|d(xzowmo|zsbggi)|u(cjuvau|wvrlct|nggiij)|zwauopk|p(bhenoz|sgnlcv))|n(z(lfpyrk|pehwez)|r(dzwypa|xpguxx|idceht|nqbzdb)|i(xnbfzd|vmhxpo)|e(ockovv|hcxxtk|bztzvq)|b(nkoozq|ycmfzs)|v(nccmir|ylnzfi)|qa(meatb|tpejn)|h(gwugjp|mfnhex|kzvkzz)|s(y(xwfmi|zssbj)|watxww)|mcqhrac|gsmwdtf|y(asiqhi|ifkqgh|cdcjkl)|tubwcft|n(dtqrhi|lpljhd)|whpngnh|knvgcxo|ulodhkc|jajfslh)|s(y(zazbrt|uksewn|ekwiip|jnzgtl|szllyh)|l(wosnox|eqpeqz|puatcu)|q(zwueeo|tbisyu)|asanubi|gicqgds|j(zyvror|lkruqq)|z(l(eotzq|papfr)|nmzvtn)|mvpnurq|twrthze|r(dwbcff|hfqice)|c(svuczj|ipxpjm)|nlzvije|h(uxvbkl|mvimbc)|e(mhjuuv|quipux)|v(yvskar|omxgsm|jcnupj)|b(sfjqva|wljkdh)|w(dchxgn|gptkdz)|prbacep|s(agvwqc|joujyv)|foakcit)|g(i(fkhxfp|pujejl|blefqr)|a(jjgypo|dvbgxf)|g(enidcr|s(trbjd|egovq))|m(bdagqk|nzxonb)|k(sysnoq|jckxcn)|y(uwjhzt|doobdt)|switozk|o(z(twasa|ozvfu)|pzvqtb)|puojbji|ryjqzjv|z(shfqnm|viqywz)|n(rsefbv|neuerw|lxtdms)|j(nkhekq|pqyyom|bhtbew)|t(wofcdw|fhpzky)|f(t(etumb|axvug)|gigmit|upsqaa)|w(opshvt|irehvd)|c(brzhil|rwcbui|zpysrl)|b(ejstey|illbxd)|xvksymb)|w(l(wxoiaz|yycwrp|pqoktb|gexrkh)|ahyqjim|w(ngigmx|iesrbr|ftszvr)|k(utnjpo|figddb)|r(waccvz|gpxcgv)|n(unphyu|yxautw)|mmgyrqz|b(qcsqng|bacoxq)|czhodby|p(ulugra|rallkv|gyrtww|fugtqb)|oixaido|d(oayeyy|teqiob)|s(kxcmuz|ncqjbk)|g(oyzgjb|aeaxoi)|y(kolqdq|vrnvgx)|qzjoylh|j(bghjbf|tqbfkn|wgtfht)|fubxhuk|xqggjhq|i(lstbtm|bgooqz|vgwlsw|kbwfqm))|l(j(fbwcxw|lmukux)|s(sbuctx|tjwgwn|qefcqt)|d(vubfqf|kxciqi|hrlnla|mrquwi)|b(bbxmst|lxtmwz)|c(gxdtsy|afamvq|xtmenf|lsbier)|x(itngah|qyepgo|yafyer)|m(pboieq|xyspyi)|e(upvjdp|zftefv)|f(hpyfni|ihvpgf)|r(civjms|jljdyu|xteefn)|gnmznzf|ujxycbo|q(fhtgxj|ibatfv)|y(jnzvue|dzninx)|amxiswm|w(ktihsz|ujmkcv|jyiyov)|znzknvc|iympnrv|hdghlad)|r(bqwrjwc|h(ntrjxx|zxknos)|v(mmegyq|djdnet)|keoibkf|s(vclovh|hplixa|kzlmyn)|m(vwcvus|ogmfga)|e(vtnbib|eguorp|oekjrk|fgyrrm)|ipqzltu|l(izrdky|lolcer|fgtrrc)|p(veyfdj|pexhnl)|t(lvymlh|roktve)|q(ihlhhg|mhhvyz|guexfe)|xorldpg|ahnnvlt|cauvwqu|z(eprgyc|fbabio)|dqoqjvk|wftrvzu|nmlogbe|y(stprnu|fkahko)|ovfexox)|f(e(uyfhre|z(xdgrr|lzoco))|jmjpfcj|t(rqaima|efdali|yvpqyb|udrbcs)|fqxfinj|m(nxmtta|lktmwx)|i(hqlfqr|nsmhbf|waoora)|l(tprsrv|gzgvhw|luwwhb|iykkar)|h(dvxpiq|ovyqht|licmtr)|v(tllbpl|rgecgg|mctmjc|pitofx|vcrjnt)|soknedz|x(ibtgpm|npkusl|fkprev)|azagqpx|grufbua|d(zyfgas|rivnny)|r(gfbuju|zeqino)|k(fuqcob|rlofia|bagdzn|nyxudn)|qb(xegim|lweyl)|uaurnjr|w(hwxafa|msdskg)|bgpvmny|cstmlmk|zorwpwz|y(rifhjg|nyrppg))|h(njfqmzc|jtufjxj|z(hwaeob|vqahst|mjwmtb)|swqxxvb|k(frxpdz|iietfg)|ysyuqan|doabtkz|t(gbecse|wyzlmr|sbbbmx|fwkoqk)|mvyeupq|w(pawxgf|ucjmym)|b(iqaeua|gjksen)|o(dxtevk|kcitvw)|cbsrppw|gqwbfel|upckkxe|a(xutbsw|myuhvv)|vqdsmdy|qcauvqr|xjlzumq|pzzezly|fqxwuol|emrdakd|rscxzsk)|d(ioilrpp|x(znzcjo|xgwumf|gddtlm)|m(xewmxj|mjavhh)|z(ndqjta|oftdgj)|p(wivgxb|dqwylb|vgefth)|yvtsaga|g(bpzhts|misabm|obrfgw)|c(taehal|hxlkja)|fbzuiiu|b(qovbfn|njsctj)|v(ckjzlo|vumlrj)|t(tysqxw|yrnxux|ihkbsm)|u(tveivc|xhhcfs)|k(iasoks|ljmicz)|j(qcrdue|gpxypb|wehpfo)|s(ljqioo|mhmbna)|ntqiylp|ojxgenh|aqwwqlw|edanuef)|v(ravuuhy|ndaiafy|z(j(gdwxr|laoxp)|dzklym|larxmx)|jblbcwl|o(tmjubs|dfzhvj|hqhgtm)|tvtvhbt|u(yidacb|fftzdf|ibligt|pqmmvt)|h(uabtxh|efrtba)|fxfvika|b(eovpdn|jstafi|arieek)|a(fgbrzo|rpjkxv|jnmqpw)|k(oektbg|iyogae|thcuas|wypzre|mmiooa)|wzrmvyn|yksrtzb|pmxqozn|sqnaqtd|x(gfjaqq|nqhwlf|wmrrsf|hiwlsp|iezlji)|v(nnaldt|fjvnjb)|gnskqkz|lsjvkrg|d(xwqyxf|udupow)|q(xichco|ndctrw)|mewftyb|e(wbqzwf|ffahzb))|t(nqihiaj|eupoyvw|q(iiibsn|dpmtew)|p(ufuorg|noqlkn)|f(wbluxu|rrhqve|dizebh|yrslof)|yujkges|anzjhhy|hnvzxqx|d(exbvbr|vkzdbq)|z(juanyj|clmzea)|w(blodmf|rjfvrd)|u(jjsueg|tcpswp)|ggzpqcn|ttlweny|o(srmvet|qfylee)|kfqfeif|ltyaykf|vrzwwgo)|k(s(iifear|soqemq|lyqhld|bibuht)|z(hruure|zkemba|dzxztl)|t(atojeo|jiqqiq)|o(ouhjkw|ehxhlo|gykcmp|ylllnu)|f(fldyav|bijxzg)|g(mlhnpp|zbbjvw|ftiufx|prymvn)|i(qvhzds|rjavlj|yowldg)|a(fdtgvz|gzojub|jwhtbh)|b(zyctfd|gbreob|tzxbml)|uoyqqzv|hhqdrdb|nhfkhgm|k(zvpjza|poofbw)|v(tmvaca|yszaky|mqwizq|nvwkah)|ehtbwrb|qzuklgm|mzaiqyg|x(qrlcgz|lvlhtx)|d(anmgsc|dsdfdx)|w(txvzas|qiypox)|c(fbbcnt|rcptmp)|jtbetns)|z(x(ozmdtm|xefdye|jiavqw)|wbqmbxe|aivloxi|f(yogcrk|brmbxi|usjrhh|cxvqlr|eowhhy)|d(xuofhq|npztpo|lussqt)|v(kanbix|qghbah|ozubyu)|k(ljhieo|zvcich|kclntq|qezltm)|q(tbdube|rqzyib)|b(mqfdih|izdhfd|puxfgd)|u(zmmqqz|sazvxn|oxrpbt)|ldaknam|s(oygeqe|dmdrxe)|gxzszfn|h(a(jnucx|quggb)|zqylgv)|t(kxgblm|ugvfsw)|j(fkvxbs|hznojp)|mtufson|ohdxbar|c(yelxgo|pcfmwc)|e(rmlvby|qleold|xizkdj|jbozki|herorl|shgjze)|yatqjno)|c(q(gilzhw|r(hknxx|qjqwh))|n(fxqvxy|l(piewf|wjagf)|tjydxw|vhkquz)|j(oowmfm|fqcwit)|e(whowhj|mufvub)|v(tjjzuv|nzwmlu|xvogrm)|o(udemlo|mkkxlx|pgycvx)|p(odjrzc|lkvsys|ealcdr)|gtinwgx|lrtvkrk|f(mqjqti|pkczzu|r(ybmzp|blogp)|uibvyq|sxszwk)|ypedrku|t(dhpwyg|yzozdu)|w(rsljen|znomgq|sckjyl)|d(jpmaco|gsmqvd)|cfsctjz|rbhmzxq|s(bpehua|tjhavg)|ktpogjj|mkcvwsp)|a(m(kobpjb|cogxgq)|v(wqkdxp|ikvnfw)|sjeodjv|yarzubz|k(uzbfgz|mdbaty)|xkeieve|b(rrttjv|enbchw|gyfpot)|i(mdyxxe|ckibdm)|e(jiazyu|vpwowh)|r(mkxttx|etvnuq)|g(poavzb|bwulvj)|cicuqfj|j(tgdbjn|nphrai)|d(jgmlre|mxpbbw)|qxwbxja|wwiovwo|ovohfpx|tnnkixe|lnrqhhj)|o(bxgpmvx|igpnjdw|v(kkkdqn|boxhlm)|xjempuq|zxsytjo|r(gehill|fqzbqg)|f(nofjkj|utxite|hdxyma|azgbtt)|p(cdvoxo|bfxbjw)|k(hhjprb|jwclcm)|whvfqgu|envexjw|n(zkxeau|pjdjen|rdmqdy)|gwkoyvw|j(heazcg|jcvqvn)|sqdnept|ljhvvgr|opumbzb|y(fjibdx|elxryx)|qlkxeya|mkmozti|aswybqj|tsahtvt)|m(n(hljajl|zzbsed|dkiauz|tvcljm)|e(jjfudw|ftxkrf)|r(zradwx|sexgld|rdijvr)|vqweawa|w(simevz|cuojct|wyjnhv)|d(mivbme|kefsyv|naiktv)|h(kzkuxs|hzqphq|vbdtwk)|tvmoyuu|i(dxtyug|xbiyvz|tpxxky)|c(a(jrowi|chdjx)|lkvcja|tceglt|srekxb)|o(tdurqq|jpgkug)|g(yekmwt|imyrrq)|y(nsjitb|trtesq)|x(vwcild|otboot)|j(fnjqkl|xchlxa)|zwubboj|smnyiho|uokobdr|pfpmrfq|f(ubqhsb|fhdxtc)|m(hpojaw|pnlpju)|agknyiq|lfnuvjv)|b(l(vdrosx|mcmlfi|wzeayg)|s(eohsyc|swruyg|btjjnt|rbzgiv)|zsifyot|elsshgn|r(gyrsrg|xlmtbm|mfzxvz)|g(ngsxpl|rxallj)|t(jxeyth|yktkdh)|wyhwdxa|f(hvmysc|lvxibs)|k(tzqvoy|yeexrt)|a(ohpyvb|iahgrb)|xougrub|j(buriuq|psfgow)|cfkmtip|p(xqvqvd|oautxb|foqpoz)|housxjl|mwlhuot|dcksudd|il(bnptq|subpy))|p(y(doapeh|yteqcf)|t(ujujfb|gtwtro|kbxffq)|jxvgxsr|h(qjiasz|j(osxji|rcmfj)|osgtfx)|lddcksf|pw(sdtgk|xwizg)|f(copxrh|lvmpbe)|v(gvynwx|tjamdp)|w(ogrxbs|xortmj)|q(ftmcyd|rhwren|sunoqb)|e(esefyt|wvotqv|tupeih)|sludpvz|acpmmsl|rahqggv|m(vcjmcw|ihwjqh|ubdsab)|xaqyvsn|cr(ppfey|dqkvw))|j(n(oguerv|vvkrpc)|y(gbngaj|sodyuj|qgbril)|itrvpmo|u(btxnfi|emsshv)|zxydwmk|o(gvvjxc|jjwofa|tqhuls)|akhlmkz|l(snaurw|ezikoe|lzkfdb)|j(hankuz|spvtbh)|q(zrmwtj|lgsekt|qvqerl)|r(wnfxyf|gqelsd)|kasovzi|p(hpclkt|ujmluf)|hjhkogc|dmpphgx|mclmwfm|fslzvcm|vlxinzm|seqiipo)|e(o(e(arkva|nhyym)|txaagl)|s(jpptrb|rqlwat)|tfuhbab|vcvjbrz|zfxosuw|uwuqlub|bqdfzdr|m(jvtyuy|cilggd)|y(magzzy|dfnude|loygox)|ikjdouq|f(pniuup|dbpxws|lciymh|ndnxip)|awdhush|p(pczgcs|esvxxr)|h(frhtcf|eqefix)|eohbzph|n(ofavep|hiqqba)|khdgvqq|jncgkfl|cgpgkxo|x(xyiddp|vksnsc)|wvmwojg|qhcjuvm)|x(h(gefpwk|sfhmhc)|znjenbr|idwmkex|w(puybcv|bmrwwp|jtkiue|gnylej)|k(esophx|sbcwqh|ajlfqw)|u(j(jfgsq|vyisj)|rxenys)|bkrklrg|ywajcvi|qfdkhbs|l(xoldxi|wprvwv|asfohi)|j(rkvzvp|bodaps|ujcesa)|r(xnphfl|djzmkm)|xikkjzs|g(bwwatb|dawwcp)|exqxgzt|ozvbjln|compdbu|mpnfcmi|prmguru|adxjmoz|tounkcj|fwdjrtr)|q(i(mqljgl|ayjduc|hllrqn)|s(gpzest|ywwuid|alhkxu|batxth|kkozic)|qtvwicg|t(jeguoq|irjxtc|qzuaoe)|jqiwasz|f(alhafl|juccxg)|h(uvuqap|vzxmtr|qoitag)|a(fkmzux|akkfdj)|p(voiadq|frxiwb)|r(jsmnew|hmtwth|pztlxk)|w(u(pklfs|cxwyp)|bnnord)|k(klrwed|trekyg|muohug)|mfsxnll|ubvgudy|y(lxxeqg|nhqqxr)|v(wrqryy|xtyuvl|hxrcip)|dltlfat|bsvnyll)|y(z(xbkiee|snbisn)|wazhxdn|d(ryehbb|aepzsi|frylgu)|adoneam|f(puftwq|onetou)|jblqgwt|n(ipysbk|wtrtzs|pptszt|ctcxgm)|m(zagqai|hrxbrc)|uftnsrk|p(xviatq|rlclpr)|gtvvefc|t(gghgdr|ynxqfc|psnpxs|ijjjgy|occgaa)|l(ncuwyr|gdbucx|iicqds)|iaiiuml|r(mviuco|gzzysq)|ckuwldd|vihzvdq)|u(m(tdyebh|ejrkya)|n(mrgzvf|yibxhy|cibjec)|ugdpkhb|i(qcqemf|aieuzq)|c(cvufqo|josope|eqfboe|fxejzx|sutmxw)|t(fixvpe|vbelbo|ltpmus|bhciyg)|kldqqni|o(ipltzm|vjtziu)|s(evytwl|cwohrv)|v(yqpxwt|xkzegx|jyrcwh)|x(crzffo|treuew|fazsji)|z(phakco|ejxuoz|fgrrqr)|a(xjvwhj|uvlktv|cyxceb)|f(malwbs|lgqsit)|h(dyafhi|fruqnz)|yummkad|jgrynec|dascwcj|grzkkho))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633022; rev:2;)
# sid 2633023 includes 419 (2401 - 2820) 8 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.biz)"; content:"|08|";content:"|03|biz|00|";nocase;within: 11;pcre: "/(o(fcsydai|jzuomtd|c(wwhsfd|goeufn)|nwkyhvs|u(ckggph|seawjh)|q(zxjfrz|mpxcgu|bujqbp)|thfsdzj|vgdwbil|wtqjtez|ennqkzi|mvqqqrn|xchzgtq|stobdyr)|m(ftjigif|nauonyi|tvxfdha|kwkfrvd|odihbys|aggogkq|myndgax|qwqxjlt|y(fvkhxu|yupqxc)|i(waqfte|xoeoyi)|dmizsbi|vnvirag|bbacigt|sjfdprf|zybapcg|uorbtcu|xenhdnl|enpyhku)|x(r(kwgfev|uuczrx|bhzwhp)|s(hneybd|qmrlrf)|f(odkdgt|hmslza)|cfvoihr|d(znelwz|owcslr)|iwzpexx|zzpgmld|e(wglfxe|nunodx)|nusltqj|yrzgpri|o(u(xgwqk|wtmkj)|dkpqii)|viagdkp|ubfkwqp|kjyzvhy|lswnfsf)|z(pdfrfof|aoycymp|csdxtov|h(redgcb|yebuto)|f(jhjzmf|lkksni)|uqlgvyu|l(fzulum|yxxmib)|gtmfogt|mlegxya|ycjaeyj|d(axajwp|xncuhk)|v(jrvter|qkwnmj)|x(pavbgl|ypfiyi)|ntcunns|jisjvjy|eurgizf)|l(l(ekrxmp|fxfyru)|fkepgxl|bnlddfe|k(mibqpc|xlbumd)|e(kbgnio|syktld)|gclftuo|cpqzfij|znhvtzu|jxusgyi|r(gfrxjb|hbbadc)|xmdvrwf|tdrltln|dzsutax|uotdlgn|hivcsdp)|g(whyuyws|zqaxjrh|v(yqsqra|wwerdr)|cyeqzxw|aajldhw|uepafna|kb(kjvuj|zxofy)|mgpubsg|qedzjxi|ftepyxk)|v(s(gqkpts|mnbbmr)|f(guvpbt|rqecbi|wqnxyh)|jyucnmj|t(ysheke|x(oairh|dgkgk))|dfslqza|e(udsqsw|bchizp)|grmrgdc|lcgozmg|rwyuagi|nuwutrn)|i(u(zhgtkw|iojftp)|m(zwbwfn|giwpxg)|jyanydw|cvuxdgw|y(kuwocz|amopjm)|nyxdcae|vntxjnf|gycsasz|qpmtpfr)|b(l(nijvew|tikffu)|s(tdedfj|sbcsyw)|wwpbsra|i(qrsqva|rpufms)|cvykqwj|uebxfni|a(mbnduv|ttsjzo)|d(rrqhxt|cncpao)|barnpze|mmqiqal)|t(g(ebxytw|tooudu|cnmgdd)|kfeqqyd|cjwnjse|t(fhekds|npkksp)|xlsgnew|byzfqgi|vbijviv|jmqnclp|wcgynvp|i(vbyfvt|dwzmld)|uwaxalx|djxofhu|aafqpzb)|d(plbrjzf|vwdypxp|kzveufm|d(hgczmh|uovssc)|xutbtcg|udvdcru|f(ublguj|yytcnq)|rdewuxk|q(zqszxd|pnguzm)|czngcma|o(vuawdi|zwwwyb|wrfzrs)|lvkcjtv|ngdyyhe|gbuzlmh|jjsyeoc)|n(s(hrbhct|nsitjn)|ympbkml|q(wdmkml|nhgkxp)|omuszby|m(emmdre|mygond|fqbjoc|rjnxdg)|heccida|kermbwo|jayyhtn|aufandq|c(mnntsc|ogilfh)|ruwhaft|ggxrvma|wtuehar|bwvshsi)|e(l(igidtg|cibigh)|dixhkxt|bhadifb|i(odypup|yuegnm)|tqrtifr|hxbwyug|jrvobkt|vsudvob|rtempap|cmywalz|yohubaa|evedfgy|zgqmvxj|kuheqrh)|h(cqqambc|z(nadkfm|esbuan|caebqi)|egabdjs|l(bpsqkv|wditcg)|qsbtixy|k(nyrmji|bfkgpt|chdhec)|gbfyedn|b(jsfzao|zekbwm)|ftrcmhf)|k(c(hmgwkr|xxddmd)|v(c(rvtze|ksfpk)|hiojro)|lkubijx|yezldne|o(zceevb|bjkeeu|kenbab)|ecvidiz|gvqzzsy|p(wutkht|qulgzq)|zjvkocm|jveramh)|q(t(rwjfyz|wwkocb)|o(rtqatt|nksnqm)|sbpfzsz|a(zptyvo|pzskeg)|qvgkqge|brccrfz|ywvawwi|gapyyzi|julydli)|u(ukimdpt|tuvcuth|v(bkoojx|dqauqr)|l(zctzgx|qwahzk)|zxdmzla|bqyrvlz|mzhxizc|s(atdmge|qpepyy)|kfgbxkl|egxxigg|hauuguo|iucdlyi|ospckux|pbdcffr)|w(lodmlzb|m(iykfch|qpnujh)|n(samyug|kzvnqb)|apkenul|ximhgrb|iyvikqa|gfctzdk|s(hjouci|kpthza)|u(qngglv|ezzcxh)|homwpra|kcpewqd|ohqnjis|rzxfcww|ehqcxaf|fnvcmrc|zdhwquf|tdwhipw|cgnrvhg|qeqzbkm|dmxfgvc|jfzeszq)|y(c(piggjs|yvpiqe)|j(vqqlcq|qwesou)|lxqqnlr|yupqutt|k(qlzdqg|rraako)|qdzzlbq|mmodnko|sgxpqbp|eyzloez|vgthdjn|xsdxzbl|rmbujyt)|j(azkquon|ejoucys|ntuuuug|sxheboj|wfltbkv|o(kyvmar|r(qvzdy|xtrus))|uizagpl|buamcpd|zvmrhfv|tmsdpti|gdevabl)|f(krpcmpw|zpemixv|qjysdce|rioqooj|poeucyy|nkotwnv|e(ufmdaf|ksczms)|acujdoe|otgeqlt|ykhtwye)|a(pivcohi|tzbgqhd|mptvxye|kaujbge|gmqhigw|d(ioghjw|xgpxdp)|aoczdsx|i(whhaol|rqztcx)|cyqffnx|fzsmzzf|rjwghri|zvbnxev)|c(xuiprdi|l(qgccql|zhwqsi)|asqgczz|hzgpodx|ngsjxpr|bbszlqv|tcvwaqp|pcdgkxz|rr(fjejn|eewsv)|icecygr|ktqiozr)|s(s(pzprus|kopjox)|clmkngj|p(uxqizd|gqmhyq)|gufeuww|r(hfehfe|tjrcvw)|haqdnjj|ejkyrxr|osatjxh|mgbcddg|akasvch|tlobhxx|qjunjtq|bejhpph)|p(zgdhvws|mmtqnuc|wcsaeav|qoyhesk|a(dlcjru|bkynwf)|tlabfuz|sggzijo|n(miiqmf|wiaxxf))|r(r(vgxfua|hkhwur)|a(swnadm|kismve)|ujurrkz|fcpyhqd|ksimvqz|trwfcix|cpjdopc|h(zoivdw|eouqcf)|imsxazt|xivriqc))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633023; rev:2;)
# sid 2633024 includes 600 (0 - 600) 9 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(c(hzpfuvow|s(dclnchm|itmosoh)|b(nnbahoj|csfkani)|qemdnvau|pqlxtrfk|r(kjlficd|mqrqbhv)|x(opytmdq|yvuyido|ewncdbl|koeluvc)|vuwzqyqy|a(kiawrwn|yixzcjt|lixylqr)|eeiibqtp|c(gfyflns|espxnzi|pegjaii)|w(akyznea|pjmqmgq|iyvmpvp)|ityvlwsm|tebrfqoa|kaxezeqq|nrxvphmx|lhjnvjjn|jvniygcf|dsjbjchv)|l(r(taekxfj|gmfxjtc)|f(bhhsmfb|udkptzg)|nkndjeda|p(dtkguqc|ozrhsok)|o(eojhagw|bqljifi)|bxxncoun|icvefkyv|dkadsdgs|yrgukfxv|jcsurjzy|zpmgerla|eczherjl|mjsospem|a(yuwxvzj|skfieia)|qsjxphxf|ltgvngye|vepwucsv|wdrptzzl)|f(bhqyjtvj|q(dhoxtkc|yuzbxgu)|xfqjrhzf|hateoyok|w(knzmzpa|fplnsgx)|rucgskld|vfvmilmy|kkebgban|esvpcdpf|j(iwdhkca|sqldrjw)|afqeqsra|lptiazra|tgykwkqc|p(ejqlsdq|hlqcxoo)|s(xvycrqn|lsqcrnv)|nxpjolgg)|z(n(h(feykqx|rwiixt)|cnlnsun)|ljobqjun|qoldhzbs|mepvfrbt|y(ogoskcp|tciwzcv)|ezktmrub|rtlhrzwt|a(gyhzqkq|hqcgizo)|i(wrjrhhq|oeqhbhh)|gxkallyx|jauqhpcq|xtoekowd|csgcuoso|fyihnrwg|zmvfpsjv|pyvnysin)|g(b(ngnospc|oimcwpa)|u(aadtsrb|sqkplxp|hobilmw)|ffjrejfi|w(sepdpez|eoqecdq)|yzvhrrhp|l(oebahum|rsbfzkq)|gmmwrdsx|pngieoww|t(lstiqny|hjylwyj)|h(h(bkrwvf|grqnnv)|kmhsdrg)|vcxqkmtw|jkcmczhb|k(grdyoej|kgyfbny)|obxqbaxc)|t(cydddqur|l(pembqny|lnnjoge|uskfbbk)|z(ehqzfcm|fxyfgnk)|v(cnwleda|bupcuop)|t(biwvlia|uagxrlj|tsyhlnn|jbdxfom)|grdodcyl|berqlgcz|mchcdeww|wfmrqntp|ixjlknal|a(sbnahbw|enfffck)|uowxwgnk|petvbvfv)|n(kfsmuiek|z(inyakva|bjuxamh|ufcalwy|mglfzml)|a(bquzler|yshsvnz)|f(vrhoina|qptcqdw)|vkfpqkid|p(brmjykj|wiybrso)|yllivohi|lvrabory|o(e(bbbvmg|rhjhkb)|ojlmdiz)|thbpfzru|mhnncwln|wczlyiia|ebtljwgz|ghqjclpl|xayazlvd|hwwyorgz)|q(macgpsbo|g(nwzynxq|uknknjt|pjozyuo)|d(dngxnvl|lcodleb)|q(mqbkyqr|qngquif)|v(yovetzu|vnpjnov)|t(vhfmlkg|yjuxwng)|cpnfhmsj|floorxaz|o(rkyhmpu|ioxgwwl)|s(ebfkrly|sxelpaj)|hqepceyd)|e(wevmzlvg|o(jdinaem|dorwydm|yzcvpal)|f(zkzwyjo|dcbasqr)|g(orirsvc|qvpumxv)|xqcnqjur|l(lxseuio|xklnsys)|p(tnpocgj|ybcunwu)|ebwbbedw|yhebwlwr|jdudjsif|koftbidz|zxrkmqtf|tbnjkyol|usyqshoq|ddbuvxjv|bmmwkelg)|o(w(mbmjxjs|ofilbdw)|i(sqjwkpv|logchzb)|sfivzscc|lcuckkgo|ukryckic|xkopkcnb|cjfulyvz|o(dccehpq|txslxhe|wksijhx)|m(tmyudjs|atrgczi|qlmpcvo)|j(yipwadk|ctgetaa)|ythxusoa|defuaknx|vjrhyoac|nsarobkf|giymdyks|elqaxpsj)|b(iz(jivupq|qmvzhs|nrncyy)|k(itfjbnb|omrqrwl)|w(zfantzc|bxgrxke)|f(kinxgwi|mfzszuk)|rhgfrcne|uavtxqcj|y(tntxfsf|knnqxsk)|e(vhyhpll|ceuimuh)|hdtkfnsh|l(iluohjm|pktctoy)|j(wvzehzc|syopirz|lrdxdhl)|xjizzvxd|nmsfelvz|s(crtjqgk|yhwyrrm)|g(isrpovs|hkeoiui)|djhfmare|bmyrvksn|afdecpih)|j(a(iphilth|dltgjpx|kzxotih|xqknvud)|j(mszvifn|teatfjc)|iccbjalj|ktagtawp|yhnwbxfd|z(gbiwqrg|sscmysg)|mw(msizje|jeipff)|v(dlxbvzd|wpoxdxo)|lxkxseqd|pyagsafi|x(frhgvvm|ubouoqx)|rpkvmjjj|o(ujcvjwc|giqmcxv)|fplbyviw|hernkrvl|ckijgffc|ukfejpmf)|p(gwmiotcb|ex(euladg|axvega)|rniqnhof|wgalfvyr|imgmhtly|xyqtfdqi|b(bzlpgpv|vxecxob|txpohol)|p(qtyltsu|umnywhh)|f(novlbga|grmqddp)|miycnsti|yuyqzafq|l(kgwqyxq|pomgqzt)|j(hvsqsvr|nnbarhz)|ohgaqklz)|w(e(mumumwi|wzcreey)|z(zrocdto|vpuhmjg)|w(sxlytbv|lcowdrm)|c(dtdkeaq|ovbhcay)|txrphhwb|dc(zlkowt|ngrzts)|m(gvejbbj|szlxcfi)|ffdwuanc|a(atnyibc|zeuavxk)|g(dbsprmo|vfkydxg)|l(fygsdpn|nluztyz)|p(yiveozy|ugnzubo)|qgomdlwy|kluxsjoz|u(djmewet|yyergxy)|baarciru|sezmeqqa|nizxmlhw|hkwdbtil|oidzqtyf)|u(u(fwkqzdp|rrhifel|ddbzhpo)|g(xnwwovm|ucpjrve|gckeakt)|rtsefwkz|zdcqddlv|c(nehfovw|rartmnt)|d(onqbdfs|sknigjr)|nmotduck|w(abdzgll|stxysir)|kuflaprf|o(cxrpyxi|vpetznu)|m(ahlqhtd|bkxwcns)|ydgrgund|lgfprulq|xzjhuowp)|a(gierrjlk|ozxzontj|sqtypbnx|q(vzwtpqt|ciescpo|zbcwlid)|jliaqiyv|focmnuct|ewfohkxk|cwrrrtwb|i(marjuqf|hvadggp)|lizrqugz|xjjqwnea|uvejsbbc|thutxfzj)|r(afqnhbkl|ezwajzwy|nekbkykt|q(b(sifnft|vxgifd)|yqoyosi)|cesapzdr|psvjybmi|hvvuugqg|o(rwsiitg|jfzrtwj)|k(wcahjwh|huwssqn)|bivapgoy|f(uwbtpao|tgdqnaf)|lsakhpwp|sxnpbosc|i(xvvxayj|kpeygsh))|s(douwnadt|bsanhoep|zexkztpk|k(fmzlacb|yizhghm|jfysods)|y(tttjhvb|gdjnuzh)|uiueufur|w(pcaftms|bshwcwn)|s(ysdvlqe|bhdwerm|nevjxoq)|c(wynjweb|rrcipyh|xheecvj)|xcwceemx|e(whbstza|uxukkbe)|haomhihf|gtmqogob|lszoxyog|miovjglw|i(jpicbtx|csbglsu)|p(ehpftun|jqnogmp)|jgufwgve)|k(bjrlzuic|gxofkwww|ppacvfuh|y(iyfagnz|yelmsji|xszupcy)|tmifnqbd|e(ixsnefm|htqtkcu|gdjzupr)|czhoqtji|h(cfcxdun|enuottb)|m(symgfjt|mynovlf)|uvoxepyb|f(dbwlqhs|rolelto)|jaebrflv|kkajudtd|r(zzecaqk|ueqpdgy)|qompwybx|iiagstbd|wcqvdyug|dafsilnf)|i(t(rilarqh|hqfebah)|hrwkuubg|n(cpwazue|foeyhkf|nmkrbrn|bnrcsbm)|s(xvacwbu|hqjsxij)|lvxuocnu|uysnhyqr|xdxnyehv|z(jsghqcg|bjirbsq)|rwkxjwxh|d(bgdopqz|xymzpwf)|bbivsfpz|kbcaxlvh|yxwkqrxb|jgdjptbj|qiinulci|gthbbmni|ewtizauq)|h(fhlrxijp|s(ymcayle|ikglmoh)|gmlsfuxn|qziuyxkh|b(iibxyct|jnyxvyj)|m(gnkqlgo|bqpqgoo)|xwwfmeib|adfrrwnv|dwazdilc|w(fjwcvve|lxwzbxr)|isiqbauo|kucmfaev|vewckcxj|tpwfptbu|unofknay)|m(g(mounaoe|jybjerk|ylumwcw)|m(nqdcjsg|kanrjua|j(uyfmwm|ssijmx)|arsqfot)|nxhahdff|qs(rtbqef|zuzfcf)|h(lpvsfdp|nrabffw)|f(zixrawq|fxqohyt)|obgjffaz|w(bghvsyw|pxxbfuf)|u(zrviqkm|wjftbwn)|pyjrlrzw|vkwgflnr|xzmcjvtl|abrnrrcq)|y(lhxxracg|saskaxdj|dwzrshzm|v(jcakojf|uwfnoip)|mwekewuo|c(evyefwa|qhamrhm)|xewbgsmc|aqgiuqsx|tvfbkmju|oygepkfm|imbhngqu|bcafhtvm|zbhrntae|geefchck|jqvpjcdx|hioqreyi)|d(fhvkmcue|mvhjuzyl|kpznzzgr|u(mdajapu|wqqtagv|kobhvtj)|d(jraycqw|phytane)|b(hotnfkj|iezpwip)|ngpqqxeb|r(zckhfkn|sfhaldq)|ykwdgoou|iwrdjjaa|e(fsqyntg|bjdmkdx|roygyux)|p(nhgawdc|reaxgrv)|qyjfwjay|zurmodov|ogsmbakn)|v(k(ljoqwgg|atfwckm)|q(neewdcs|hjvfjaa|ozqpxir|kaqblqx)|b(w(hwcazl|kqfsgi)|iwdfgjd)|ozivkjis|m(cpputut|gngocfy|aucofol)|nalvizli|wnewdcdb|h(mdtkcxj|asqxmxj)|s(wedxwnj|midbelr)|p(iikfqom|roxxqld)|erdgxydi)|x(rqxctfen|xsorvesk|c(bsbkafp|dxrxfcc)|q(qqnzgwe|xgrmrey)|a(syvkfam|jdrnytl)|haluhkpj|ypzxzilf|w(bkkxxwh|ccthszf)|lodhgceg|kkrefwxf|iiguwiji|v(fvseegd|azkmxab)|jwnyxplz|twmrzmfh|ppxlqznp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633024; rev:2;)
# sid 2633025 includes 861 (601 - 1200) 9 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(l(e(czherjl|sxnjput)|rgmfxjtc|m(jsospem|ofaqgek)|a(yuwxvzj|skfieia)|qsjxphxf|ltgvngye|v(epwucsv|hhihpzv)|wdrptzzl|zjhiexlt|x(vulvmvk|toihiqr)|i(uetwqwr|nispggr)|ytzmlnpk|d(ztmuabi|okufvcj)|fmfzhhrg|khgdmlwj|p(mxgnskd|xstfwnu)|stfmyoge|gjhdallu)|c(r(mqrqbhv|j(tsqsez|drobhn)|iltlcrd)|sitmosoh|c(espxnzi|pegjaii|onkfggh|wcunbnm|jqnbwwb)|k(axezeqq|jzznltk)|w(iyvmpvp|xpboaxv)|x(yvuyido|ewncdbl|koeluvc)|nr(xvphmx|qvrqkc)|lhjnvjjn|jvniygcf|alixylqr|d(sjbjchv|grnncpn|uyhmsdx)|ukilyjgb|i(ososkmj|ufikqdw|xaditon)|plufuhdm|g(jscomdr|hceavls)|fecjunhz|q(bdajfgf|kigkfcp)|v(lrtedrr|atbffpq)|y(zltustw|ecuboew|yjxxude|uoujscm|iitdkoo)|hmvuwgaj|zouxxxdz|o(sxdasjm|mrzuomf))|d(p(nhgawdc|reaxgrv)|q(y(jfwjay|dsotsr)|xsrbmnt)|z(urmodov|beikjrv|xdapxim)|o(gsmbakn|h(obppom|hlcxbo))|biezpwip|e(bjdmkdx|roygyux|vqdisgu|idlndus)|rsfhaldq|u(wqqtagv|kobhvtj|jafnyxs)|d(phytane|igtjobr)|fwpinyqk|tkjfwylh|yekghskj|hqamrxyh|mjywevtf|c(tmunzbl|xjmovzh)|vfyghwyq|ioteuton|grizsxwt)|n(mhnncwln|wczlyiia|ebtljwgz|o(erhjhkb|ojlmdiz|pwkpslg|lyervrt|gtgwupz)|ayshsvnz|z(mglfzml|fzrzkmx)|ghqjclpl|xayazlvd|h(wwyorgz|elfxhey)|p(kxjniwu|cuylong)|k(mphzedh|awlaedh)|q(skgmzke|ppecnnj)|nlzvmxye|b(dgfquis|kavwmge)|ibcpwyfa|tjiimjmd|chlnrlhc|vnpllhhw|dfgpogwz|fbfbnrgr|ucrzaloj)|g(thjylwyj|w(eoqecdq|jxrmmoj)|u(hobilmw|jzdokhd|lhafoup)|h(hgrqnnv|fwuzwgz)|b(oimcwpa|agivkqp|gmbjeat)|jkcmczhb|k(grdyoej|kgyfbny)|obxqbaxc|m(gpkielv|nskzhzt)|llzwfloc|znkasvfs|nsqobqbe|qjxwjgal|gdmmxtzu|rgageyfd|cepgqdgb|vwyhcwfk|dulsromz)|h(wlxwzbxr|v(ewckcxj|sfpusiq)|mbqpqgoo|sikglmoh|t(pwfptbu|ixmbuhr|mnunrxk)|u(nofknay|jhfcfdr)|b(jnyxvyj|praxojo)|zcxrrprf|p(vhwkoys|c(krvzvn|vkybex)|asljaey)|c(hohaxdt|amlaeej|cweercg)|i(nvhajey|zdvfjbr)|avodlmfa|lmcolhud|hcbjaadf|nualgciu|ogltwrro|dhvxrasf|fesgyvnf|jzxstjae|xpqnblig)|j(x(frhgvvm|ubouoqx|aoshawp)|r(pkvmjjj|kvmmijy)|o(ujcvjwc|giqmcxv|kznalbi|yqfalat)|fplbyviw|v(wpoxdxo|pglhckf)|z(sscmysg|fqfbufx|weganaq)|jteatfjc|h(ernkrvl|qikqwld)|ckijgffc|u(kfejpmf|eexhmtz)|g(wfuzuns|agnafpr|ppfaevb|hfydanl|ixdalqq)|a(gxewlxq|fnklrqf)|waqzkksn|qxznfnjr|t(w(lokkpx|xkkjha)|qjesobe)|sbdxdpgn|bngupyhq|y(ypwjpas|mbttmsa|kjivhxc)|mkymveli|dtxjcwmb)|e(o(dorwydm|yzcvpal)|koftbidz|pybcunwu|z(xrkmqtf|onwqwto|gvqdlmg)|t(bnjkyol|rwdicws)|usyqshoq|ddbuvxjv|bmmwkelg|w(fgonmuo|isbrgbz|ynwabpy)|grrbgebr|ysuhwgfp|x(wkoslfv|csnepne)|eiuafwtw|aonkgvjy|istooouj|r(evvpble|zztzlqs)|ljnrvvkn|h(rohfvyi|ejikell|adpuilp|lvmrqzi)|vpiejftn|jnxlcmch|codygdzf)|x(k(krefwxf|agxnpsh)|i(iguwiji|xdwweqn)|v(fvseegd|azkmxab|pfsqjaf)|jwnyxplz|w(ccthszf|hwxvjht)|twmrzmfh|p(pxlqznp|oectxrc)|a(jdrnytl|ailaych)|bylmnzex|xfixxpco|dymtjvlb|z(gpowskz|vnwqqsn)|qmepgbmh|r(btcmxqv|ddaftqn|vorlkip)|h(owjqyld|ejfkfit)|ffieknyr|l(shfauhg|xucqllc|noiqkbs)|gvinyqtg|yplnzmfl|m(jnobwyv|kvtitvg)|nqpusyre|egfxtcaa|ohzhqfnm)|p(y(uyqzafq|elgcire)|e(xaxvega|ktirobg|pzjuzvj)|pumnywhh|f(grmqddp|xdjtggk|bhhpono|kdejzmb)|l(kgwqyxq|pomgqzt)|j(hvsqsvr|nnbarhz|vbeuiqu|qofhyjx)|btxpohol|ohgaqklz|rnmvposa|cmoqgkdm|n(vbgebda|chshzba)|wi(cfsmgn|juxlge)|q(tptscbi|vzfdzrx|oqynyjc)|kbyjonzl|unohygqy|hqhkayxt|zbtwhrky|mkklvvdh)|z(xtoekowd|a(hqcgizo|bkibkim)|ioeqhbhh|c(sgcuoso|iyzjjja)|fyihnrwg|z(mvfpsjv|jdsjijv)|p(yvnysin|dfvzfun)|nhrwiixt|y(qcvyvzl|rtqpsre)|g(zgrhypk|czqnyoo)|m(pkoycko|ejqjndr)|u(ffdmduf|icxswnu)|h(mzmvgnh|cmmsuwq|knxapcr)|b(uabheez|xsalzxo)|ebonmohv|rffbtaci|o(zeefsmd|xkimqtt)|sxharbqo|kbqqpann)|o(j(yipwadk|c(tgetaa|rakrhw)|f(yzxalj|isqbdi))|ythxusoa|o(txslxhe|wksijhx|rasctnj)|m(atrgczi|qlmpcvo|uslwqix|ozvekpi)|defuaknx|v(jrhyoac|tlkbtas|mstyige)|nsarobkf|g(iymdyks|dnmzmzr)|ilogchzb|e(lqaxpsj|yagzttl|oetlvwh)|r(g(ttaddy|uodynl|inizsq)|xxuegoe)|alvcjzfw|qvcumjfr|p(rqhvvyz|dorjogh)|lcozjjce|cjnhunpd|zntknueo|srsnzjul)|b(lpktctoy|djhfmare|yknnqxsk|b(myrvksn|w(uiycwr|syxhsf)|iysitvt)|i(znrncyy|mmwexze|ucxjeab)|a(fdecpih|mkbonwb)|w(bxgrxke|icfjuhh)|ghkeoiui|syhwyrrm|ugmvhxfu|c(osxwkrp|zblrabe)|npxbhlop|jmakogzu|mnqvuoma|rsbacohx|peufwkor|qgkritan|famxgdvb)|s(l(szoxyog|nwuyapg)|wbshwcwn|miovjglw|e(uxukkbe|sgwiclm)|k(yizhghm|jfysods)|i(jpicbtx|csbglsu)|c(rrcipyh|xheecvj)|s(nevjxoq|boybrby)|ygdjnuzh|p(ehpftun|jqnogmp|rinpoln)|j(gufwgve|fwubcvl)|oxfqphld|g(hghpylc|uxtdqqx|dzpfrro)|r(wurdmia|onnqvge)|bxvpreql|qnumlqlo|dvtukmej)|w(qgomdlwy|gvfkydxg|kluxsjoz|u(djmewet|yyergxy)|baarciru|s(ezmeqqa|nyjhbwe)|zvpuhmjg|a(zeuavxk|bmakwpg|ysukazh|sgwipwz)|nizxmlhw|pugnzubo|lnluztyz|h(kwdbtil|coadyly)|oidzqtyf|fkhzvbms|e(mipffns|tbivkha)|r(dejnqts|fqyyrki|ndjltvs)|iwgfpmmt|wexelsul|xidrcxjh|cavnpoqt|j(iigihbx|sgbffop)|vnkzscbo)|a(q(zbcwlid|itnzinb)|i(hvadggp|rbkienk)|lizrqugz|xjjqwnea|uvejsbbc|t(h(utxfzj|sbpije)|axkinbx)|n(mcwrztn|figjoew)|g(rcfyglc|dpuinuh)|yyjtvzhe|v(cgxtztp|qlxdzwa)|e(qshrzxg|vwwkbta)|jviqwmmr|krzlfimz|d(dcieqmk|fqrhcmz)|zvlexmtz|rrfmngcr)|t(i(xjlknal|ayjivcl|tnayekp|ywzihxq)|a(sbnahbw|enfffck|jokvlti)|uowxwgnk|l(lnnjoge|uskfbbk|zepuwbv)|z(fxyfgnk|xpnrwnk|hvilarm)|petvbvfv|vbupcuop|o(nfeotmy|hhklgwv)|dixrvhsh|kpsegwxi|hcrvzeyw|gyreoyti|nx(epheow|xscvgk)|ypeugsdf|mljulvux|fioqmjkm)|v(w(newdcdb|hmdprbn|cygtjan)|h(mdtkcxj|asqxmxj|bdqmlsx)|s(wedxwnj|midbelr)|m(gngocfy|aucofol|xbpigde|tyuupmq)|biwdfgjd|p(i(ikfqom|cypxjk)|r(oxxqld|aybbgo))|erdgxydi|jcaftqai|k(nstvdvl|hacpfad)|g(peopijm|ulbiddw|hqxhmdu)|y(ppdulej|zibgawv)|f(d(wxaxtp|zpurop)|tyqbgxt)|z(nmfnbnl|ckzetey)|oickiquv|nwgtobex|r(qshblbg|eqvsftb)|uftdylpq|djslktls|xdkwzrcz|lnmzysux|ixzunpju)|q(ssxelpaj|hqepceyd|vvnpjnov|gpjozyuo|dlcodleb|t(y(juxwng|hunfkm)|trfkfec)|p(ewaswyc|noscjxx)|c(jrcgijy|tfimqki)|rtddxtkt|m(bnjvfts|hvrnurk|agykpik)|l(huddlrp|ogqutck)|baygwhhd|z(ecrtozr|vwnnije)|u(hkpkirs|sqrbghn)|w(zmlpsxl|agvbrxk)|eefgvjkd|khfdhsje|iphdblaa|jandrajq|qxpgfzyv|ynuxztoo)|k(mmynovlf|i(iagstbd|tfmfqlp|ucfsplb)|w(cqvdyug|shmflkb|pthkwfb)|e(htqtkcu|gdjzupr|ntzjdxm)|rueqpdgy|h(enuottb|prwkmli)|f(rolelto|sbaxsjz)|d(afsilnf|nbbrkul|snfeatz|meovvge)|uuxjswgj|lavpsbhi|p(ezzxukl|dfmtxrq)|xyiwcixk|arvreekj|k(cbsvaep|nllrper|ktrpnel|sffqymp|dqgxgwo)|nvuqwyqq|vamsxksb|cejecgvu|beaeclyj)|i(b(bivsfpz|arffaai)|k(bcaxlvh|uclaloo)|yxwkqrxb|jgdjptbj|q(iinulci|dpqfkxn)|g(thbbmni|hhcbrji)|z(bjirbsq|xpwdkob|nkadyto)|e(wtizauq|f(kljxai|flqkly)|icorlid)|s(hqjsxij|kdjvklk|qbzgzjn)|xwtzqrqt|l(hspyjcl|nacsgnn)|o(zzhlhhj|yabspba)|r(micrxdv|hdaarmp)|i(gloiqoc|ewzliib|scuokkk)|nwbowzds|wexpcsum|uvaifwea|atujbbxz|mhkudzyb)|u(x(zjhuowp|uqlwffo)|m(bkxwcns|ofzcbfg)|ovpetznu|u(rrhifel|ddbzhpo)|wstxysir|d(sknigjr|vddawlm|jphxosc|fawfvow)|g(gckeakt|wspgomi)|q(zgcmhkz|qcyufuz)|s(szqbnqg|tqwueow)|r(fufiewv|phlrpth)|hmnmxddk|k(sqtnxtb|f(mefpkg|dbzucx))|yrfqpyku|emksvcdg|tjydgzad|zg(fzvors|jmehbq)|f(bjwqlwy|rtceurd)|b(sovnqdv|rzfsyxs|ztwazdp)|jbknrmxb|pbgmgqoa|afqnxnne)|m(o(bgjffaz|lyifjjy|vziokfc)|w(bghvsyw|pxxbfuf)|m(arsqfot|jssijmx|cvcmfhx)|u(zrviqkm|wjftbwn|mbunnbt)|pyjrlrzw|q(szuzfcf|kimxutc|tcgehhc)|ffxqohyt|v(kwgflnr|bhlowhs)|h(nrabffw|miiyamn)|x(zmcjvtl|qbnivbn|ihlhplz)|a(brnrrcq|gzzuuwg|fnogupc|avsfugy)|gdtpzfij|jxffsooe|cyzrkjqg|n(ywyjpcs|swlnllr|fotnxxl)|r(qesikrq|alxlvrg|xrscegw)|ypdsnhxn|bethbltw)|y(a(qgiuqsx|pynfztf)|t(vfbkmju|jtxerwl|zhuocpu|swofcjx|fzqilyi)|o(ygepkfm|rqaygbr)|i(mbhngqu|fubtihk)|vuwfnoip|b(cafhtvm|qtrkxde)|z(bhrntae|qcwahih|xbncvlk)|g(eefchck|wwtuptf|ivxtbtc)|j(qvpjcdx|apznbzf)|c(qhamrhm|phujbnd)|hioqreyi|e(uuzaslr|ncnevyf|ocryijq)|naflyhnq|m(nggolae|ahqowmm)|xiwdrzmc|p(ajnaqjo|oighgnd)|kcwtokyq|qawfjriu|w(amftmxf|zqtbnxg)|lxikmhkt|rucppqkj)|r(p(svjybmi|ullpnvt|mjilaak)|h(vvuugqg|m(lokkox|rtlmcp)|fxxkrjp)|o(rwsiitg|jfzrtwj)|k(wcahjwh|huwssqn|jxypzej|akmtrle)|b(ivapgoy|zcikvmd)|f(uwbtpao|tgdqnaf)|lsakhpwp|s(xnpbosc|rwalfer|yzyumhu)|i(xvvxayj|kpeygsh|vbscfks)|m(hzjbpky|bojgpsd)|wzhxqwaj|d(hensexz|mqhzesq|pgdwswy|olodbgm)|jqhoquwp|nqvrbudc|xccdgnfp|e(xvxscvw|rqntbta|mvmuwcz)|vxrjzcbw)|f(nxpjolgg|slsqcrnv|qyuzbxgu|ph(lqcxoo|cobmdq)|j(sqldrjw|vimukcj|cvmpgan)|w(zmagcqg|xxiehtc)|x(ymuxyhb|cgrauos)|m(mesiifg|bswpbqe)|o(fqqnktt|uhfnuol)|yvjsklfn|e(plgopvj|fqhypxp)|l(uenpsif|wxdkkfa)|tkaamfug|gckjllge|iecrwmfm|cynlquli|uiqsfchy|vctnnkxv|zocghfml|bdgetomo))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633025; rev:2;)
# sid 2633026 includes 261 (1201 - 1462) 9 character domains in the ".biz" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.biz)"; content:"|09|";content:"|03|biz|00|";nocase;within: 12;pcre: "/(w(v(awuqwoh|rcluzvc)|jisehphd|zzygbgjp|ollefknb|eztccgdl|ajdyyorn)|o(sfabfiyy|gszrhelk|oswmbswi|ikohjxqo|yqonbkko|t(xlvyrlk|jadynea)|zkuioexr|ulwqrnrc)|l(qkwpnfxu|fp(ktvayc|imqkey)|z(bvvdact|eoticcm)|eklkkuee|jzukbatu|xonhuonf|h(vrkkjut|unmvpqc)|g(cbrhsfj|sthespm)|wiqshbhi|acxfbqcs)|h(maddkzed|jhqkoair|cmzftuec|sotxvvlx|qgorpyyg|idfqtgyq|xrjvrebo|fndrxsww|tkeptpos|opgqbtlr)|y(i(lhckpbj|mfpyvqj)|ghvqlmvj|thwzwdhr|p(oeycmoz|bofalcd)|nqpzptpl|srevezpq|bctxjnhu|httvqqyo|kmmyumbt)|z(qfimtsbx|e(ykjhdqi|ghzvdah|lkxeoas|ewkwjge)|a(dnmxwtw|yunrplt)|sfkvzsfo|bpnflole|l(qmywaap|sozjlzu)|huqjkeqn|nkbyidpz|wvgnjkwy|dgdyuboa|ooctjoxb|ibjtxwcg)|q(hkfvsjrb|qrnitfsf|u(chqdmci|kwrxexh)|cwodkqov|plszkmhy|fvdbzmdu|d(txzpomw|vjvhatv)|xmeizgcp|mbgqdztf|ksozemwe|rqwqxagk)|v(xqziwkjz|kwlcvkaw|pgnqbsub|bdjjmahk|eiujiogd|uukeqtvj|iymmzijq|q(hjzyqmx|mcltvxd)|hbvowuwe|dhtmxjer|fkdcfowg|tumsgghx|nulodmxl)|t(krfbtuuy|nrxwphkv|xywuduqv|t(ucaftai|powvqzp)|sxxsaxgm|jbbaphhh|hepeqrrr|valjnbxa|u(exauogz|wmpbgwi)|mzqiyhrr|fpxbtbta|efjltqdj|ycvzwnid)|x(uvdpssux|lnouzabw|mpmtgjlb|ivzwkrml|d(zzatlaj|mhpfuoj|iihzcxj)|tcinqfvk|nrppvnyg|phnfsnrj|s(ykxxhta|txydkns)|wcrehzcw)|e(wpbixexk|altgeynq|bxzpsljg)|c(hwkrjtat|xkuhrmvq|mrujqhab|bfnfodhy|omwjsyhs|f(cmcnkrx|nwavyud)|nqsnvnik|vvyuljyd|kfzyaqfr|jonokomd)|u(z(fiipxti|oosadkl)|niksmhvs|pmutypmz|xovcvcnu|kipjzwwz|hzvyplst)|i(z(qhcazpw|iwgoabt)|qpbbsaoh|usygciun|jtflliou|dehhyjwe|vlpzotax|ohyqlsdh|pcgtsodo)|j(gakfdaja|l(ukamkck|mwmiwfo|fsnodvt)|owxmaxnw|cztnteti|qpnmcdif|njklpywe|jolbhldg|eefbsonv)|f(mikpgctf|t(qlhpdkl|zzvksjj)|juvtamsr|nihjhubj|wwltymzh|sjrozqaf)|g(t(dyjykle|eaykqvh)|cvwknnxz|futlztcs|hmciurnw|gmhxgqoz)|m(w(vuqdams|svwcqgd)|x(ywwjxpm|cuvfrez|bjpwgwt)|efxudulh|ljkqwkfp|nuvohpvh|zpfllrwx|gdmdfrhf|pjdqcaze)|p(e(mxowdte|ncgdwax)|ktzbzeeq|fizggyjd|wimezxzo|iblrlpjz|qosuazqn|mhxhokud|rygirmsz)|d(e(ibqudfb|eqsriup)|yjqtsijl|fkitdmet|pclheygs|agbaclbt|bdjnzzvx|wzjagmes|mysyoepd)|a(iidiucwj|jpwbzkjv|kudgrcmc|riajvcrc|fgkrwsva|ncnrvobx)|b(toqgirfk|rliuvesq|hkfhpesq|mfooftiv|pnebhrpx)|r(h(nknmkdm|pvwhqwl)|zxwefjeq|wsmzysro|mfwvzbnp|n(rqnemii|qsfbevx)|g(lryrkwd|jjqqiio)|eouydwdm|a(wivzzca|xiqaqgz|yamnstl)|s(whsdotz|ywdcdck)|cjszktus|vkuzyzis|ybjlufnk|fdbvjdcp)|n(n(glxmkqr|fpsixfl)|gofdtuhd|bvmvhxco|xsxrnrzw|lzsavgaj)|k(rmpbtcye|lekhylxe|pgencvkh|ywffubqa|ersldaap|xfghhgis|njaelhtk|kzttcusp|iqljzsoc)|s(cxwazvdx|ynmryxvj|riipkocx|p(mgrkbkk|oyxnnqs)|mfxorkhf|gxmgyaig|u(zbarxzx|ncmnvmv)|hhekszzq|zjxiptwl))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633026; rev:2;)
# sid 2633027 includes 600 (0 - 600) 10 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: "/(e(w(zbufbdlk|ktbjkmty)|y(csgkzkcs|hmwfefma|ygivwsbn)|m(fiknljko|qkuqpbte|lfdsbdci)|hxjcvfidv|u(pftwzopg|eplgbysr|qsznarlf)|bbpmgllgv|flwnofsct|c(tmjaylqk|llitxpzv)|r(rhubuwax|gphekebo|sbgkldab)|artlsihbo|zwfuphqcs|okzmrisbw|nfkbyfvjw)|c(bixreeefq|uqgplbmyu|xiyawitfc|q(sdhazptp|gmjsajep|ppzwneqc)|rfhdyvfqf|pcfnvjlwb|k(gtmpchrp|zhfauzib|mfiqszpy)|om(famdqft|wpqvuxe)|t(fcaigxnl|czkzrepw)|d(qyouvxwt|xvfrgsyg)|sxlqlpvfo|w(myreidxs|ytfhenjk|tmahkvly)|epxvnludt|alhyhfpni|m(jhsptbjz|fuzivjey))|y(gkrvovicw|e(bupkfjoy|hdffqlit|lwgykqtm)|heyuhoups|y(esnuxjqd|bgsnfain)|a(oxiweqsp|kmrujudw)|vtnxqwzoq|phcgyfyrh|dtdmjungm|qludnjnkg|t(xlvhzauw|kkqzyjdr)|rtjwzkbot|nsfydlhtw|smfbzdqge|blxjxstrh)|u(x(tvptlmkk|jzuewlki)|rcxgfksbo|qwpcoraqs|g(vnaxoozs|ymzwabmt|xtvqvxwc)|z(xydatyyf|dxldwbnh)|yhvkfjpch|f(zhzybnvh|rfjqgcds)|k(nicdquen|pbsuughp)|i(dfhlwmvo|ccnajuhz)|wmirnyesm|pquoduvof|odgtnwqie|a(ozilqsei|qxlnygsl))|g(lnjccmlql|hgecgtsmq|xwilrnawi|qufqielhf|b(hoglunnq|rwmztdfz)|o(foojrfhj|qlxmisdh)|azqsxrynw|krrornolh|f(lluryypk|bjqcajun)|jnxmdmvlw|ykgggxzwp|cvtbhckkx|syrudjcbn|dgogsmyub|zxqldxbnx)|s(x(tpninvky|hgmnqfai)|n(dqibmkel|yxthoajv)|h(xencmkkj|pafxldiw|lrbkgbds)|kmaojfdda|vtrlorskq|cemhnnkwe|t(ohrnjklq|gmivpnjj)|lhokauerk|btsuvtlrz|o(levrpjay|ndhbdqiq)|w(ugstwxqi|dakjxwba)|saptekdfb|uxypxylkt|praxobpfj)|v(d(ahomfvfe|ugcjnghc)|e(ugzvevos|kmlqwsni)|i(gqlmbhmy|eeraiaps)|x(ewwxobcv|pkkwjlgw)|m(gyxalmmd|ogfykpep|yhaizppc)|jtvcxhzxi|cweltkljb|oyuxujeqa|tmuvhwrci|q(b(btypsld|xdrufwm)|rtsjzijo)|n(nhvrvsxq|vnjdtryp)|geoxonwvd|k(uhchvjju|tdtlxmwv)|bnhkjwmxb|ylljnjjan|aisifrccd|hkqcwyvwo|rkntptzrh)|n(xxhkgbbdf|e(inidmrrx|tnukmrji)|fhlolxpts|afnpdnasc|oquuwbelh|sewojdbzk|k(eazvqboy|fdodnjiy)|i(rkdwrvma|mecubxay)|gekhjdppb|h(zebcbvaw|hbwsoppo)|j(accaekcq|qejzvjyt)|r(cnapsfqa|mjimxlfj)|w(wsdaidvh|xnubaets)|trjibjhjn|m(kltrswvq|zedasigl)|ccjotfkcs|poouagxys|y(drpjxrsp|nqiqjelp)|dhdqghcva)|d(n(pjgeearm|cpvwcgni)|mglyaiaub|t(pncvzygj|eiyfdrjp)|j(hxxwzxbi|rtzocjqu|kfldkmiy|qfbhbfqs|gjeybdon)|k(njdefnmi|gfinbuld)|ut(ezxjdbu|dmtchlg)|e(ypumoxob|fximkdvi)|vcroojoki|g(tnpmwrzl|nxrebnol|khcmueoe)|liopvufbb|phrcrbmiy|w(lclmsjpz|zwjbpfha)|hlownviww|iephmnqtu|f(pumgiccz|mupaaazd)|begcluaxp|zoafyuyij|qzplsqcwt)|r(s(azathuel|icoyanop|lpeeosna)|dkpuncoqo|y(qxqxkasp|tivptlkp|cftlywht)|xvaomglvm|vdgkfacdw|n(xisauetx|dneinyva)|w(nmllvdhq|gqfulfrn)|k(yypdpjaa|cgxatolk)|cqeadwkis|ibznibcki|h(gyydcyyo|uckqhvfw)|mfzmddqld|fjtumjili|lnwgtmweo|qvqurvnov|omcuriafc|gmddyuxgx)|f(salbmcoiz|h(yznaaeow|zxpwnikr|xkcbtvdq)|qlazvnymw|ggtxshfqt|nkfvnlaoa|ijwjoieul|b(zzpykrtk|riratboj|vzksgzdk)|kkfsnbeav|vvvsijgll|xanutzimw|y(twtfbiwq|fltpmdwa)|elgttnezd|l(styeqiuj|qgayuepf)|tnydzokfo|rllpxmfit|cctwxciqn)|l(cihavfsts|f(iunvvjzi|vmuxowzf|urrznwvf)|g(mokvpayj|rzxbtkdz)|x(csnwjswb|anbngfba)|l(ioamsxln|euquiojy)|t(xrjgvapq|nblkfczd)|a(vfiqnxqg|qunmyczc)|haeplxqva|oahqcrvck|qsjpusivz|e(ovzfoili|mlmdqsfk)|zybfydmoa|d(tkrhvasb|gjnzwupg)|bjvjnckry|waeuuvymi)|z(ncojpkkvg|qaymvznoq|y(vjfhobjf|ldeotaaf)|mtgoqnoag|g(njadvlli|mljacbbg)|t(cjpeynok|bsxoqxaa|aoghqsbs)|x(uzuwzffb|vpcvmuyt|cnuwhbxv)|vnnxfcleu|dbymluumq|b(onrguscj|nkhqrscr)|a(konslsrw|jpnbbvrm|rsdoplkv)|pgzvtkvww|wexxjkwlo|imlnwsylv|jaktbankp)|x(i(rkowrzod|fqmmgtsy)|o(wfytszvx|sqlkmxev|rfzfvcwc)|n(nwtwmqzy|dlnriddu)|avvpwowxh|c(xyprezao|jdmtsyby)|w(vlbnrcpl|rjevnicp)|u(axzpvyar|neecqpzj)|h(dlzmersi|lmkufkvp)|qyveabzfl|t(vcusrmjv|gflsjefa)|r(eelxjnjb|vsjapulz)|krasytzmo|masazmvzf|fghwqbgob|bhvwxbntr)|t(j(r(jtpdchb|stryvga)|yijmqhoc)|m(qlxablus|rylzrnnd)|p(fbmrjstu|rlajddlr)|zulnjsnrd|tinbvwgfa|d(ohniokig|iuqgzcvy)|houtzxtdj|snrfrmhkk|b(rmctcalv|fbffrrnx|jylngpay)|lkafdlkcn|noyhrxhfi|xldbzwwdd|aofvqerxa|e(fkzgxpuh|szpprwtd)|ojnusafif|ivehywqzi|wdgfggocy|qqixaqtlq|rtguviyhv)|p(gluncawyw|zxqqydsfd|v(ufwiphwp|mhqcxxur)|c(vrfugcsf|nnetzrlh)|xqdfmmbsr|p(txfadoqz|vvfabivi)|l(dpzxyyfe|lfahvdca)|a(rctzctkj|cqaiwrbh|lgabibeb)|rptpxgwxs|w(cbruqubt|nlbosqqz)|fnaxrwevv|mulwmzcew|dyrefutwn|hmayhlkds|snfafutuh|bgzwnvnzb)|k(clapfenkv|w(misvfghr|qjacldtk|batkjzjy|zspahcrj|dqbmcamf)|iarjgoqru|k(ppczeoho|zhkyqbsa)|n(amfdfrmk|enbfmknz)|t(rtulsfke|jwnmwfxn|txjvovjb)|ypjuqrhlz|qrixhsjmc|xssmyfmib|udlmpwsaf|hdkbwwmte|fthavdmot|oxpitbdgk|bmcsspigt)|o(n(rvnfwoeq|qmogukaz)|dkhgyrnfa|z(ooedmgui|eyqcufii)|t(hilhhptg|jlwdsblx)|baauqgmkp|i(enoqcvtw|vyfnkqub|xfacevdo)|oeszoohgf|qurpucmfv|vdsnyflab|whhonaplm|jwplmgkwz|yrtmhwuke|ubigmsbry|xzzjijmwm)|m(n(ilcjliwz|ahqpbkgj|vcgzptys)|i(wisjizjj|iccrenyj)|xussdjldq|ziqbrqdjy|e(jokxeeoz|kbbtgkek)|h(ewevmjji|lwfnhlno)|l(cbsgsgol|mijdkoud)|osnvtuuni|dxfczhaut|m(ffybtyiu|ptfzsvfh)|ujuxgtsfu|b(drtxnpre|rdugynio)|srvpbpchw|kmpgvzdzq|r(hhghnpds|pojwbgnt)|q(jodsaajn|pioejlsm)|ccrtbmabm)|q(edbrmkkmw|f(zadvnwsm|rgjrnfms|fbusbcql)|d(sotuttzo|kdoxtgpj|yrtotsgu)|y(xzkseepj|hxxbrmrc|ojqkdzow|kgpyunvs)|qdvytaoew|jepfedcul|wfciucwvi|zejdgtkwb|vjbkbolha|cwsglaqik|olpyxysad|b(jcqwbhzb|orkhjidb)|u(blluljjm|nqhuvhhy)|lnwpetqnf|iyyfhspax|tsasjxbfc|mbbgtmpex|x(rnsmfaef|viwabwiq))|a(grgwrrqag|fixgqjqeb|wfgpbyjtb|resneorwu|aeouvcifn|hsshdmeop|jupspbpnb|b(hpxnxial|zpniawsn)|xsqiwsquw|o(nqsxbxqf|oksoxaft)|qpuocfxei|t(luwjymnc|vhgcrhbn)|cjgqtcblv)|w(k(nqojrisb|knlqtwam)|uqabxlmdm|j(vgfdjwim|awfdujlq|jjusszvb)|lcwfbkmrz|htfovsygn|cmuglipyf|zygwmrikb|elqiultoq|n(pvgqmhjr|mugcodxm)|pwppvalct|m(fkzwuiol|rblepbpa|jjfigagq)|fxjyatwin|rvregfnfh)|h(v(qctalykf|zgszerqn)|gsoajcwoy|y(inwqnacg|mvskjruy)|r(iacglnvj|zfpfivqn)|nrfpudgkh|b(pntufqdc|illebife)|k(rjrszada|yqjyjont|clkaoqxu)|crwqwffsh|wf(ziktmrt|sbvsuai)|z(bspcoyku|pjxbvzty)|qmrdxdezp|x(twbyugzj|plfesfmc)|meywgojlm|o(arylnuew|plwfvibt|rixohmqt)|umlsocvua|lpmehilkz|aqlixgmch|tebqvlujs)|b(o(tsdiaemc|rbscatjg)|dvxlvlznp|qxbibmwpc|zmnyqnpua|tdpdmeafv|iiknjgakj|fgphvsrxf|c(nxgsvgks|lklmbwfi)|ezhvpeims|n(rbqoekyi|awjndror)|g(wosbyhgd|piietnns)|hqembllnu|ajnplfztb|xudyagghb|rqhabybsa)|j(xenvbxdiz|luaimbxim|vbhkhwpwr|awinosojh|jmvqjmmjm|idbgwnkqj|muypdyyco|z(utzlfyhf|spiyzxyk)|r(lodqjvqi|hfhbhpfr)|gpmiptomh|hbtbojpwj|njagvbusq|c(dequdjrq|gffdsdfa)|kirihsxxn)|i(w(z(pnwbdww|faiieuz)|ernulnbj)|y(gcklazvi|dydvddoj)|u(jtxswozh|namkwydo)|g(esmhbppg|qssnzlme)|o(fttkmflm|wfpogmje|qeliooeo)|vxwbhjfso|r(smeolxfc|auzsvtab)|hrranruoz|knfrqhqaj|etpvweynq|bwwpnumdm|sfiscbghg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633027; rev:2;)
# sid 2633028 includes 887 (601 - 1200) 10 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: "/(y(q(ludnjnkg|zgsiofnt)|t(xlvhzauw|kkqzyjdr)|rtjwzkbot|nsfydlhtw|elwgykqtm|a(kmrujudw|seideevw|wwmsxpql)|s(mfbzdqge|rrkndklk)|b(lxjxstrh|znsifeac)|uxsbdebxj|k(xnqcibqu|lhgjlooh)|gysdugrzm|yjbeywcfn|vddauepgm|z(z(bxdnflq|gmzrklh)|lidlnbkv|wtrpybcp)|ovsotmyec|imihfwotu|f(crcrcfgy|eefzghrh)|xvjovnptv|maakphxrs|jfaegzwrr)|h(x(twbyugzj|plfesfmc|hdwizdne)|meywgojlm|wfsbvsuai|rzfpfivqn|o(arylnuew|plwfvibt|rixohmqt|iniynjkw)|umlsocvua|l(pmehilkz|yyfmctij|iusgdekm|vbygssbv)|a(qlixgmch|cxalsbno|hybhynio)|z(pjxbvzty|qattuldb)|k(yqjyjont|clkaoqxu)|tebqvlujs|y(mvskjruy|tydhqpcu|waguvfog)|billebife|h(kalbozcb|scaxciro)|g(svrrdjhj|ncoyhyoe)|i(zeuvgrpz|xpdvaisp|fanoqofz)|dumfdnczo|q(jnujbrjq|gpwnmdyu)|vcmunpjfu|n(ziwtibym|ckmfzovo)|fvlqfmolh|connoiylg)|p(wnlbosqqz|m(ulwmzcew|p(hqjisvd|wvcroew))|vmhqcxxur|p(vvfabivi|cjosyjzd|oosnzawk)|dyrefutwn|a(lgabibeb|uzimaara|zebiceon)|h(mayhlkds|ywlvvnvn)|snfafutuh|bg(zwnvnzb|yfcitka)|q(jktfrrci|pqsnjjpr)|u(w(tmgdpnp|glhcaln)|tukisvhm|hnsvuyrh)|j(kgsnbizd|ieuxdmnu|wgznpcjn|yugshvrh)|f(krdbsmjz|bjqttqci|jmgilepb)|r(jacuwexy|ekbokkhn)|g(fmhdyccu|e(msrsxfg|alwsuil))|t(tesdsywv|vqnjyjhu)|leicphsrz|zlmvkykrg)|f(v(vvsijgll|phbzooab)|xanutzimw|y(twtfbiwq|fltpmdwa|peipadhf)|e(lgttnezd|agexlsrs)|l(styeqiuj|qgayuepf|jvqktycb)|b(riratboj|vzksgzdk|uipoymtl)|t(nydzokfo|milvvcyy|ohnlarjs)|rllpxmfit|c(ctwxciqn|xyreqamy)|h(vewqyowc|cvvcoslr|lcwnxekd)|aezuisajd|s(pkaqjkdu|btiinqvy)|q(pncteaqd|djwbghqv)|m(qisuotss|jmuarzku)|kfktkglzn)|k(n(amfdfrmk|enbfmknz)|t(rtulsfke|jwnmwfxn|txjvovjb)|w(dqbmcamf|zylccejo|xvaxowap)|ypjuqrhlz|q(rixhsjmc|mjkgcemp)|xssmyfmib|u(dlmpwsaf|bpsiabus)|hdkbwwmte|fthavdmot|o(xpitbdgk|gziujjao)|b(mcsspigt|xdiiofdz|kqejzegj|uklihcji)|kzhkyqbsa|g(teuptkgn|ztwfbwna|rlhunjov)|i(rqwsyuoi|tnsphsem|nbecboyh|bzrdqbgg)|sungbibkd|p(qxnmwqri|n(gsyrdym|qtbqllg))|d(kmrerlrk|uqluvvzq)|cwzldrikf|vicxewblw)|n(poouagxys|m(zedasigl|ldgsacox)|y(drpjxrsp|nqiqjelp|fxdezpez)|d(hdqghcva|rtdvkevc)|imecubxay|w(xnubaets|zmrnrumx)|jqejzvjyt|rmjimxlfj|c(j(xuiltfq|ganguzw)|ggdhctro|zznsqime)|l(wkywpcxg|gzvwmerx)|hzggmipma|as(qyghbtd|vryyfou)|f(dgzmsvpz|hqlvgkwb)|v(xsesxqfl|nxmxxmzs|dawnyrkm)|g(cofciunr|utkwxtha|nsfotwjw|xdawuhmd)|knhdotxhj|sgfnxtbpw)|e(w(ktbjkmty|unbboqjs)|uqsznarlf|cllitxpzv|z(wfuphqcs|zkmgsmxu)|okzmrisbw|r(sbgkldab|kuqanjae)|nfkbyfvjw|yygivwsbn|m(oizgervj|pvjvoyao|sfoxhhdt)|i(fqqfgqol|pxfojtwe)|k(lnuktusz|ocpfstso|yfiqvsch)|x(buitrndx|jxjryqcj)|snnqyildz|e(roofpetp|cwbvbtji)|lfatveugc|p(kshlwekl|afdehcjb)|tncdpysax|ackwkqpxx|jjkvmqqgu)|x(t(vcusrmjv|gflsjefa|iblawfhg)|r(eelxjnjb|vsjapulz|zrafikkg|yzbbnvct)|k(rasytzmo|meibwsrl)|o(sqlkmxev|rfzfvcwc|fyfjwtgo)|masazmvzf|w(rjevnicp|uroasdsi)|f(ghwqbgob|idlawwvk)|bhvwxbntr|u(neecqpzj|gtrobqyv|tnvltabv|jmvqyudk)|i(tpdsyyhb|hwhtgcwz)|d(wiormamp|afdjtqpp)|ycnqujbuh|cevaxdyls|z(zfxtmnpz|sizhizrb)|vuutwwjjp|ad(jcwgmyu|rycykta)|qxdxgyctp|piixfmfuy|snwoagraf)|q(u(blluljjm|nqhuvhhy)|d(kdoxtgpj|yrtotsgu|bzgzrlsh)|f(fbusbcql|bozqyjlb|tnxssxvl)|l(nwpetqnf|davwckos)|b(orkhjidb|eukihnim|xspodhqu)|i(yyfhspax|xjqofpto)|tsasjxbfc|mbbgtmpex|x(rnsmfaef|viwabwiq)|ktverjzvc|qudmlshhu|w(lspvcvjk|eibbtggu)|rzirsgwvh|a(ymkxpfub|dgtwfqhj|zbegaubf)|jmokzhkje|hrtqufcby|p(qwopnxdr|ndnawrui)|gdqzyylpz|opwuuexkz|z(fijpmrfi|egrppmdv)|nsgioggke)|t(iv(ehywqzi|ftzsxby)|j(yijmqhoc|fjcaiqmq|oydrddtk|csvbhqgi|ejwxmeoz)|w(dgfggocy|ezyyjnxf|uceanpvu)|mrylzrnnd|e(szpprwtd|zlutwlfs)|b(j(ylngpay|jawrxyi)|ekfazhby)|qqixaqtlq|diuqgzcvy|r(tguviyhv|figeyabx)|p(rlajddlr|utpzgcrc)|hicvhtxcd|gvzzasucl|kstyuvhjk|vouadryzl|zvgvrjsqk|fwswztstn|ujajbkwwn|sqpmkeeck)|m(n(vcgzptys|bffvxcce)|b(drtxnpre|rdugynio)|srvpbpchw|kmpgvzdzq|r(hhghnpds|pojwbgnt|euiuozww|q(mmlbyio|uhetqex))|q(jodsaajn|pioejlsm|fylpsuks)|e(kbbtgkek|dvkhbvcx)|iiccrenyj|m(ptfzsvfh|ufdqyklr)|h(lwfnhlno|tfdgztpq|wqjrnvwq)|ccrtbmabm|g(olbviwwm|ykohoudk|xmgqeziy)|l(ypidzmmp|onfiujbp)|t(bbiuqwyf|rfjctqdp)|zjwwayhss|a(ajmwdqnn|wvjzmvxa)|omisnkipr|yqzxltzxh)|d(efximkdvi|liopvufbb|p(hrcrbmiy|czutpbay)|w(lclmsjpz|zwjbpfha|qyhdejuk)|t(eiyfdrjp|bmodjzhu)|j(gjeybdon|uhayorma)|h(lownviww|fxzitetc)|iephmnqtu|g(khcmueoe|yvmgbtah)|f(pumgiccz|mupaaazd|afdauhhz|wmbdpnrf|shywgepc|eiwlunpp|nkeenqyy)|kgfinbuld|b(egcluaxp|chzyunoa)|zoafyuyij|q(zplsqcwt|bclaytlp|mfewejxo)|o(ijbkfuqu|lxzcdnbe)|djmlvxsuu|usydhbdvi|c(msvilymn|sejokibt)|skqkewplj|y(mqcddcox|ojxiexdp))|b(t(dpdmeafv|pezemyir)|i(iknjgakj|zfpwfadz)|fgphvsrxf|c(nxgsvgks|lklmbwfi)|o(rbscatjg|uqoslqgp|dyknytbf)|ezhvpeims|n(rbqoekyi|awjndror|fhiadhlr)|g(wosbyhgd|piietnns)|h(qembllnu|ayixjtko|sthnnesg)|ajnplfztb|xudyagghb|rqhabybsa|ptyrsvgld|l(oallqrlz|susmncgj|duydlubx|qjvdmjax)|vxqnvyafx|uyttrqind|w(rtvmzskw|brwhogdt)|satowwgjr)|j(muypdyyco|z(utzlfyhf|spiyzxyk)|r(lodqjvqi|hfhbhpfr|xpxknbjp)|g(pmiptomh|ihvtdrdo|lglaroqh)|h(btbojpwj|auzqdfgj)|njagvbusq|c(dequdjrq|gffdsdfa|yywkdqux)|k(irihsxxn|kvjxhzxa)|l(m(wbgcqmm|yjdrqzd)|jzjbjcsa|ybqaidke)|q(ylzsheej|avkuoiku)|x(xeuuvayv|ybohcmko|gveyderd)|fucwcnooo|urcblgypn|bfhyozdba|ijdlwbnzd|ppvoaigdi|tncnolnqd)|u(wmirnyesm|k(pbsuughp|joosvdfa)|frfjqgcds|p(quoduvof|tdzjccuf)|odgtnwqie|g(xtvqvxwc|tmlldjtm|pcyefljz)|iccnajuhz|z(dxldwbnh|uiksettk)|a(ozilqsei|qxlnygsl|zbosldjj)|s(bamprovl|diicfnbj)|l(umwxynxu|krjdkelp)|eq(zrnvafw|adcfwng)|dzlheclvn|q(plozshkm|yalpdrhb|loayagrz)|hdldiqdmj|nwlgyoprl|r(szbhgeyl|ywnrldiy)|ydpyxxznr|umbcqaekc|mribgwbtv)|i(u(namkwydo|hrfipzny)|v(xwbhjfso|fxecaduv)|r(smeolxfc|auzsvtab)|g(qssnzlme|snxavlug|nsnxhdmc)|o(wfpogmje|q(eliooeo|pqpgfbi))|h(rranruoz|wyqvhizz)|k(nfrqhqaj|eyjbgaco)|y(dydvddoj|iiggoyug)|e(tpvweynq|aponeala|xueorxzq)|b(wwpnumdm|meimmbur)|sfiscbghg|j(dcxconfu|hjwmagye)|a(kmxdtkjh|zamxcjkd)|pvevrptll|wblqafbdy|tsuxznqcx|inxfdwsvz)|v(b(nhkjwmxb|ebcjhpsr)|ylljnjjan|n(vnjdtryp|iaofwknh|cyyptbjk)|q(rtsjzijo|bxdrufwm|yyhktivr)|aisifrccd|hkqcwyvwo|r(kntptzrh|gwxqjnuj|xsmubzuu)|i(eeraiaps|apjtgrtb|xmovovtv)|m(yhaizppc|rqcvpsmf)|k(t(dtlxmwv|vzszyjl)|wbadmnhe)|g(myitegkp|ggxseofs)|ebmtruhab|luaegzikv|pzfmvitdn|v(jsoqxwnh|espxigdy|qsinntzi)|d(guolvyad|vzfyhsdk)|cvdqjaahc|f(dvfskwza|jaxmxjks))|a(jupspbpnb|b(hpxnxial|zpniawsn)|x(s(qiwsquw|eaizjhg)|vtneavgl)|o(nqsxbxqf|oksoxaft|ujwownwf|p(drwplnd|mjpzmyh))|qpuocfxei|t(luwjymnc|vhgcrhbn)|cjgqtcblv|s(bkugdxgd|lvekswli|qkyhbkpu)|zoqklfahe|l(smqnfryj|lyilktvv)|fzyhwogzu|w(fxoaquav|hvrpufxd)|iyhgiiigm|nqimaavow)|z(taoghqsbs|a(jpnbbvrm|rsdoplkv|lcseezpr|bycbbwpm)|gmljacbbg|p(gzvtkvww|rsirsswk|figumfrx)|w(exxjkwlo|tgmzrwma)|imlnwsylv|x(cnuwhbxv|yzubkzkq)|j(aktbankp|yuootfcg)|z(qfzelnkh|imdbqocv)|hcofszbdg|s(tposwgkh|glaihvpb)|uomdzgyrv|fhjrrvptm|cygewnfdr|d(azqvhocb|qpktnoyx)|lebtqroqb)|l(q(sjpusivz|qyrlmdkt)|e(ovzfoili|mlmdqsfk)|a(qunmyczc|notoojzm)|furrznwvf|zybfydmoa|d(tkrhvasb|gjnzwupg|bvaqbtlf)|b(jvjnckry|pfdxijiu)|t(nblkfczd|biavwrdy|mdslpyqj)|l(euquiojy|sxkpkgxi)|w(aeuuvymi|soeulkaw)|v(tchvqynq|nkktxpia)|y(iwufvimn|sjzdzeij|edqacpfn|pqovngyv)|c(tjdbgtpy|ulssgjvg)|kebcvggcs|opmtzpcrc|nvjafwrnm|hrnnfwgam|gpnquembj|rtctznkud)|g(cvtbhckkx|syrudjcbn|f(bjqcajun|dkihmmox|kkggjxde)|b(rwmztdfz|winaztuq|stdkfbll)|d(gogsmyub|odpwhgji)|o(qlxmisdh|caueaqof)|z(xqldxbnx|etmmyssy)|j(mtujgiyt|xlupsvso)|rwxzrwawk|t(xovrxwwa|rxpwcdxl)|u(dfxbzweq|oygpihob|nrpfzawl)|m(ftzmrlfk|adkauebo)|kajtclhxp|eyjkzzxlx|hqxpztblw|wfczuwwwp|xxbtdcmtz|axyujvgwy|p(zwniyukc|fhrjrkul)|nafdrliii)|s(o(ndhbdqiq|kwgiqpuu)|w(ugstwxqi|dakjxwba)|saptekdfb|u(xypxylkt|jofaaews|egbgpfgi|shnfbxpq)|praxobpfj|d(dwgehpoa|oaiwlwjp)|jsnmoljwo|acngefrua|z(fyosybgn|xvdjuxth|gukvzcnn)|ngmascdvz|q(ffnyjazi|ugqgojdd)|ilavynown|x(buuclvrn|jalrscng)|vflmxdjjg|lndwskzyg|b(xeiuiwqp|squeshyb|wugtyzpb)|hixsbxhjm|c(rnbzxqhj|jmdvgmrk)|kjtitcktx|gqkaokeoq)|c(wtmahkvly|q(gmjsajep|ppzwneqc|hqlcoqsm)|e(px(vnludt|pctejf)|vtpdmpze)|d(xvfrgsyg|rudoughx|uwccteoa)|k(zhfauzib|mfiqszpy)|alhyhfpni|omwpqvuxe|m(jhsptbjz|fuzivjey|halcrtgj|kqxepyxt)|t(czkzrepw|nvisyiad|ukmewyvg|hgtqdjha)|suzculezz|c(dxlzcdhm|pjzcwyxl|axlokfyi)|p(gwwibleg|wqgtohlk|ygluvvtt)|z(teansjuw|rvqsdeks)|redkufjbz|g(wlpvonlf|ipblduem)|najcuituc|y(oxyqvskm|zknvqklw|eeqwggvb|uceflbhv|bdlcruab)|uygbgagbl)|w(m(jjfigagq|lrauxzow)|f(xjyatwin|zxtggzjn)|r(vregfnfh|mrvrxfow|ysrmgnra)|nmugcodxm|k(knlqtwam|mglwsqzw)|o(zwyzwrho|ftnocuee)|z(qkvvreyr|sneavugx|xnykcexr)|payohsuzs|v(cftgeycc|afelgwfu)|q(xhafciyd|iyorhipt)|t(xcpbzqqo|hlscddgp)|hbynglewh|j(bpezxaoi|qbogswat)|aayjxorpb|yrhpvukhk|ikrxuietr|envbdbdmg|dbglrgfdw)|r(m(fzmddqld|srdaslnn)|ycftlywht|n(dneinyva|hqbrglce)|fjtumjili|l(nwgtmweo|zpasahen|olfluitl|xmwssgtu)|q(vqurvnov|sdfoevhe|tkrounke)|o(mcuriafc|xvikwlfc|vrsngbwp)|s(icoyanop|lpeeosna|hfghvrfp)|k(cgxatolk|qxpdkxhl|tixoybst)|w(gqfulfrn|cizzteze)|gm(ddyuxgx|mqethme)|h(uckqhvfw|loihrkyd)|eribphxxi|b(zcpnbbyz|bekpbdfa)|c(gssvpkqn|fzovliub|ubzeiype|qeqekjeu|vyhcpowl)|ppqdyrgdb|dcjshzivx|i(qtoxdbqa|yryksbpr)|xpytlkkii|ttjfackjt|vzwspqtex|jvkbwkikw|uredqdeqy)|o(zeyqcufii|vdsnyflab|t(jlwdsblx|aqiitcdh)|i(xfacevdo|elmwwbbt)|w(hhonaplm|jiatlqwz|fduenfzg)|j(wplmgkwz|bylngwye|qymivszr)|y(rtmhwuke|qdfnwamh|ctfyqdbu)|n(qmogukaz|ohdgcwif)|ubigmsbry|xzzjijmwm|fkydnbrii|m(awawnzmy|mzyaqxne)|pfbtyjgca|gzrvpfloe|d(ruotvwwk|vegampcp|pdqroawc)|kuouiwdun|b(woklsrjt|cfvsyuib)|eomsuurff|s(xaoaafmv|nnqazqfh|kggydzpr)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633028; rev:2;)
# sid 2633029 includes 287 (1201 - 1488) 10 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.cc)"; content:"|0a|";content:"|02|cc|00|";nocase;within: 13;pcre: "/(n(cwrwifjxz|uljackryx|suokrauoi|wmyheezuv|kyiftunjf|y(ivbzuemg|geqcmulq)|dgrslhlev|j(qvhjvgia|ixttnhub|suzusodc)|venucggqn|fzympnbmx)|k(d(iuebqacv|amgnnpla)|ujcbtstwi|h(jngshgdc|bseifftj)|s(gxkikvsy|ffhlflyu)|acimefxnx|pakqajvlk|wtrdixehs|gmykveiks|okvelniqi|ttkdashoq|jnlcovswd)|q(ioowrdofa|tasozeikv|kdfysvjob|m(qnxdmnec|mrrpsgfh)|zyrvndwoc|cpkvdlglt)|y(rkivkdnsy|kkpjcfsaj|twtzlykhd|pzfefohnd|ymlcgezkb|i(xbesfnhr|tlidiiex)|b(glcwudrd|afezgumb)|dzqfsiijt|ehjgjogiq|zzdnsjanf|qhvsfwnwg|aiqvwlgfg)|l(eboeuszir|vjwjsldbz|faixsxsca|jdlpnmqsw|o(xfemiuxs|axrfriwd)|idojxwgvj|a(oqxkihfd|zurlnsag)|pmofnmbio)|t(uthnzgkyx|eypztydyi|gymktxowl|nnimzxtly|x(hnpfcrsr|defjjcrc)|oflhgnhsb|armvkztpu|fklfncwfi|lacargdul|jadeftuwu|ydbxlbmai)|z(pzrcokjfa|qzgvpynnc|f(ndkykiob|byfdlkij)|bldbgyalk|tmoiqwxnn|yszdkbpdi|e(alfsmxss|pkpbfvel)|huelazwaw)|r(q(ueunqelq|lhypmfge)|gqrrwfeoa|k(bqytwqds|xbazacnn)|m(zoyhtovz|ilzjoxwy)|by(jczbwjf|uhtamof)|vsuskthcj|dgixigydn|cqypadwzu|hccztruwv|i(flhopdoa|hkypgyva)|nfqcgfreg|jikmmuxai)|f(a(fawkzoei|buticpla)|rpzhbnoje|xblcasepx|igqijlmdv|nvoqtping|hbgwnjzsb|cojgrhmse|pmmiqmmpd|y(ucwspitj|bglepmuw)|ufbmokdwt|f(ymvturwl|nywzktyo))|h(edclxrguw|s(byefscjo|ahshkmwt)|l(mdclmkyp|bguxfejc)|k(koczgrne|xbyttmpr)|uiarblgma|q(deadrmtt|huswzzpi)|jsuqohnzf|wmfvliaxe|g(qqrwwinb|olawpxgu))|a(n(hqryaozm|wekildcr|mzssifvm)|hqcmzwjgg|f(jimispaz|molpiykd)|donidqbni|ssislzyeb|weikwzslx|bimirupga)|j(npvadbkns|o(fldfwigs|rrvqjqom)|kudwtejcv|gqzmubuij|mnvjcagth|i(cywnsvno|zdgoodxw)|axqsemmiu|fckjromqn|ezetukpwo)|s(dklozbkqa|snhicgcgh|usaodlavq|bmyaiiwyy|ewtosharp|m(zxqivitt|upocvect)|ciplcgjcr|gqwjqxart|ieguqpqcn|xbgybximq)|c(gpqfzvrxv|dvptbrezk|c(sxvqdldn|lzlszsnr)|v(zlavptpn|lxjozksr)|lwoqyqpaq|nuwmvoigr|hbotwzdqm|udpmpjpbd)|d(ffxsxdybp|qrfsslchj|cuuucymgv|j(nrbudfii|xuapzvcq|gwachctf)|ehqstoeye|ihbnisnam|uzsenczeh|llpgyrqys|wbxzofoao|s(gefpxxgk|yywzmezm|vnvdlboc)|dxghuhslc|xrhfdlbph|noicxnmtm)|m(ncoksdofb|helqxecwa|toqyxzhoq|poelsozbk|b(nepibsvm|cldbhkrk)|o(dprezfqo|nqhaketr)|lxlydxrlk|ekivuxkhx|zuhyuvmqo|xnjldiyna)|w(nreurumhj|xfxbemspn|i(anauvshq|lsfykwnh)|kvbczdzsj|c(xuknizhy|jhahytak)|g(dvwhcefu|ojppldrm)|m(nmfsqtol|jiharzst)|lgswxruvy|a(meuaqwuj|havuaelm)|yzenifxxc)|g(thusxbenb|olurwtfzu|uhikiqdav|qjgktxdwy|fkzvtrdrt|ekuyrvelm|gqdlblphp)|p(ezjvibaeb|o(brousxgx|wtrfqkfu)|avppfblhc|sqqgaklko|mtsosahql|i(icabrypu|yhrxdiue)|ttdwfaqng|ppsfiduym|lditgaihb)|e(hpitdvipv|x(azyynnqj|tnmnlwpn)|aqizfplmd|ldmsowwho|jmnbnkwfe|wutmntssm|khnkbmema)|i(r(dkbfjbhp|phzqjvgy)|qqjullxoh|j(cvgpvxvk|bkerzekc)|hpmpftazm|o(mahmurma|wykqgfzk)|gcvqbzabj|njisltynd|vrjwthwhz|ywsofymwf)|u(bvwvihxep|rcitcfjrw|sopxmhvow|geflvltyv|c(uzrpgnfp|euilfsfh)|uddkrabvy|ytickqqmm)|o(mhxascaeg|t(xjrliuni|eqdladbh)|v(kiacvaai|buzgvjkl|cznngvxj)|dgtqotlvv|idmzhgziy|rwidpvpeo|glujswpoj)|b(mtexdxlfg|axfqbjivr|pnlotlwth|ypsktstqt|eghvslkiz|x(otywkglj|jggaehlz))|v(gzyjbsdox|aamlwrtdx|cyhknfdgb|ipynuzcwv|njkndqzxh|dxmbcutyd|hldoysutu|fupofgdqf|mknzyelwx)|x(okwyrxvwm|xrjfjxjtz|fntfhjslx|mcyqwarcj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633029; rev:2;)
# sid 2633030 includes 600 (0 - 600) 11 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: "/(y(lktrupygmp|h(bysxjcdee|vhcxepyrq)|j(rmpakseil|umzkjmhba|pevxcfsnd)|f(pykpoznsv|ybkbrfdyh)|s(iyrtgjnum|pvsbznejc|xinuguggt)|d(nggxlgddt|vjdsqehgo|eucdujjnq)|q(yzxqnttlc|phviamzxc)|i(ljdibxgau|joxruqedr)|amkzfyvpyz|v(kaopopmwt|fletgacxj)|ythkyqgdrf|w(xuskutxig|nhkpcpgee)|tepowpmpxb|ohgqpygdjw|umisdyjbrx|gdeujeqxva|rrenejizmx)|k(c(hlauqwizo|eokxnrxub)|n(gskmdzvbp|hvxbdgwjx)|kggjaslnqk|mpdibuhnwf|xuquhqfmsi|d(okvcagxqy|jqqiwyejr|zlirmvudv)|ujqhvkgebw|jjlvobdywj|hnsuljevzz|rlivxsseno|zgrhxgwiep|tjyinwrvxc)|q(l(izrrpggsq|gebwqvemm|tyhsetzqh)|c(moncvmvhy|umgsozckv)|rbvhwxxpxz|uyolbfkvjj|yluujkviui|i(yujusdxdq|obourwhod|beimmwlhb)|wetgpitcyt|jfdpfcwrxe|vvdpahrjoh|z(hqrvsuvrw|bkacopeun)|b(smhlpcghj|ptkbnrglb)|g(mczslkxxz|xtsymmvrj|jehugurxv)|tmeqjfycvb|q(ekvirhebe|wyncsugom)|nbqydvrgwf|dwfxtfssnp|mqczczemae)|l(byhzszzdde|kagyesmorz|aiswlpmnps|z(iarqulced|wrgxycvnv)|m(ydudzipgk|fwkrkfkmj|dxyqjklje)|opeltrmnbh|n(grrvgzzkw|fuqjzqmkv|epxryhqms)|s(fchomfcre|lbddjcyhy)|i(oeeooxolh|ntyudbrzi)|j(cauuwzvzy|orohoinaf|dlillajnu|ygliatrjc)|xhipmxyoeh|pwuyafpgtr|ulyfdxqrzr|refrlvekeq|flftrnyyjp|veuevupdtq|qjofntbgtn|tlhqngwief)|g(m(higexiarb|gojhlnqhs|kbjuolaxl)|x(oejqlripr|umjmnjgey)|i(jkvtkspmd|brfgbjdrk)|s(dbfopxkmr|akennmbkk)|kemuvnwhaz|q(orybfoyvf|nqagxaqyy)|jvvimzppxb|c(nluprxahg|uanrvbafp)|d(kjtenxxwu|nspwtxaxs)|l(yocvygsyn|qdtiwrxsh)|rmahenrmgs|uoxsxrolht|ekeosqkxhf|oxygbiocpe|nsslceotzp|hznmsptdss|zszgubicti)|h(nolgwbancf|kaldepdwut|fwoqynjdss|icqkwsfgtn|d(cjfghlkjp|oulwprgtf)|wleikymxdh|c(fjwodbxtm|xngykxtac)|zjstdrtmbo|b(aodyfgotn|vrqjlhrji)|p(xoxcxadmq|nujgimvys|gnapkajtm|fglenjgma)|e(cxrusmjvi|wykckjsgg|ihyqfzsdh)|u(vdusltmbz|epsbsjjzc)|h(zwgimtrba|ictrumpys)|svoxztemat|anjehsltfv|xcmauwtjsq)|t(q(zjmvlyeeb|dngquseeo|bgmcplnls|kbphpdsui)|l(ofeghxxhv|xybersvfx)|aguwvcbcxq|y(gluwssatx|qmlnghahe|vionoixuv|wuudyniqb)|n(xwskjutlt|zfyibhbtw)|fgmbcfgfdh|tzdmasoznn|x(aahdqmhsw|bvhyaxsmp)|uzrhwevdnh|rl(whvaktht|vwluyjtu)|b(pttujamcz|g(akozgsnu|jjvygbry))|jwdqoeamkf|hfishwpkgg|glxyyeguxw|obrywwdshm|zcydedglfu)|e(o(ixsjeihsm|tyyiddfrx)|u(idtldtncd|pzctfayuk|rrjppicmv|fmjqnmkjt)|s(udlhcfoar|wtjfrqiih)|llvccimjba|p(kxwpzznki|rhyrdaijv|bsnshpuaa)|e(inoqmpbil|byiaonwwk|uvpjyfugq)|doucaxispy|rufuzhwjtj|mtxpyrbqyu|btqzwpsfli|adsydfeyyo|idzsazomog|nbjfkkbyxt)|a(p(royakgkxa|cfiftrbmw)|zdcyggaxhq|d(fvnztxjhg|rvexjmlho)|o(coacnaime|eteumgbam)|ttvfkuyeei|fcjtxksilz|b(ifofmpohc|l(rvgwbhtz|jtigeatf))|q(ywislhxml|vozyicqvv|ckttkczrn|xdbpbuosz)|hakwoqkzvm|j(tizlnnqjh|szzvpbqws)|gpmazqvzrm|a(ipvopuszp|apxllriqg)|kvzudglonq|sfpoileuok)|u(k(kfihqqddz|mrthbiinf)|ynbrymwazc|uejqbkrptc|b(wzxcaswoz|gqhviieje)|grdruhmjrc|n(zlishpcjt|pfsbximha)|lrdaszaafr|zifvbnxgcc|o(cueiiftal|usfjvpyez)|ddgabutnpi|hpeivzyvvg|t(zjiyreahh|chiwwpied)|r(vfijsgeeb|dxoudvzmn)|ivjqfnulmh|fsweulzhpy)|j(atpfywsmuy|ldjxmjjuvk|jqwxwscmhh|n(pcnwzvsas|uionrxmis|lrpeymfcz)|mqikgpoqus|xuwdnzqnno|s(tiokqvbim|bphbdrzkh)|bbdclrbiog|ofrqljzwmd|hjngojrxsm|zzllenuray|iqxsrmxnwm)|r(obcgwxhrog|b(qakonmadb|jruikzcdc)|e(rwhicfwei|obqwkilit)|z(wuoueuptl|yfeskaxip)|suirarudsf|l(qzufdvobv|jywbigaxh)|qtxeepuevt|ufgmxroapy|rqysfmtioe|djkpoivxog|wzfqunjgqn|atkwaasqkp|vkfopfhtoh|cuykdgpoid|gjfdilqotf|ivvkrcowlr|nicrrhyrus)|b(frlopxjgab|m(tzidykayz|nxqxyinle|hdoghnhmj)|ymsaulhdcz|i(zeldemukl|kmbtdtsyp)|pwjnrmefot|ttwotierbs|g(obpseuqhn|fcfvfuanx|elookgoiq)|v(mclyrmkbm|qcrgzjjts|xjphiakcc)|u(wvmsgbews|jxkgoskcy)|jwaixbuhxv|lhwjlkvtgn|eq(gcdnheui|uskoeoud)|qsmexrullx|rcaccfjqbc|kicgofxkhy)|p(e(nmgmzyump|rtuygemeg)|mvcruwpsfs|njydbzjbcj|idujjzytjn|dkorqdtxow|am(yfcdjozl|zlrcgdff)|bvinedeuyk|w(oknbzydpd|lmzgrvhky)|khaantroir|t(usuvrvssr|vcwzricww)|fkzaivimmh|xujokkregk|lbdwipvxmu|hwbilggwju)|f(m(uqahsuoak|xvsrkghou)|clrvtzsrxm|tylmqymymo|uteqccnejf|oidcrnrkks|i(twghtohos|sguuklocc|unzkztzuv)|fvmhpsptrz|zrxkgutdzx|l(knizlombq|jwlygreij)|xnanksxqud|hjctbipltu|kuudsmpawc|pkmkbhqkeq|velgjxmuzm|b(vfqmmocqg|sqbinmcef)|reclnigdtp|wbjmtzunty|evfjnzgefs)|s(x(rgpaxhhjj|lrsbrwvce)|t(wmtpzrovk|gknfznqzf|aajqhqups)|flwgpwofdn|qhuqrobnaq|c(pdukklsij|czbqcmabz)|k(yoctsppdu|kubqieuwg|fjzdsqgvb)|vdboylpdrs|mygmtzyvxd|d(mlxxinwwe|imclnikex|gnxykkpcm)|h(shofrfzhf|bphmcvxsm)|janwbgxzmu|irhsknqokh|n(nrcfgzurv|aagvfdlpv)|ujczrpzsqv|szuybxrytg)|o(ggjijrsnao|e(cvkhklvqy|wcnacpnig|dunyrouek)|j(ygeujbbmk|nzagowqiy)|ffgvtenzcn|c(v(gfyvtlup|bahbwsbq)|anjvojvmm)|dxekgyafvk|h(konhdahnj|vntutbzmu)|k(mipvksywb|ahjrrxsfx)|vikcojqwzo|z(ptmhjzurx|mvhshpiup)|s(qheycnyuc|odnirltlm)|l(vzzgubcrf|hhoojannq)|m(pcxyzdxfa|fxgherhig)|yeeqvehjgc|ighckurcdl|xzfithomfa)|c(y(whpooijuu|mqeumdqcg|rmnjvdcgh)|sfnzsnijgg|o(cgxlqajcl|mrdjctqxy)|qqjpxgfzpr|mntgkychuu|nnsxmuruip|vcbokhqxhm|k(rmsfmcugs|yzwljzima)|z(ruzllmssg|xpghaajgc)|cuyqhiptvn|lghnxeuayg|w(hvrzwhdkw|fpglwrtwy))|i(ogduzdxmnl|elgppqzzgu|fybasnfucz|z(rldwfuxwx|vurscrqph|egcfcipku)|kagylezdbj|asnswapwzc|uqyeiwpwvj|cmgvbdgoyv|iispwqvhza|xkbbqlqlqc|scdfuyrnrz)|m(pchfrsikgp|bijtolhyhv|r(wtkcsdkbi|vtjgmtkdr)|a(eykbvqdnz|xzpifgdmr)|k(adxgvglvu|c(jmeroqas|qbuflglr)|sqrvkbcua)|zdgnwskgfy|gimrjbjhqk|hqxmwqdjlt|y(zhrrjijzc|bhaarllmf|xnenczneh)|e(ycjaikdjz|oadbteyup)|lmrmktbmyx|nkwmuihmtx|u(hsfrgfvgp|ttizzoiye|byeytzvqb)|vnhshvfnez|wzjjwutapm|jyyuhljsay)|w(cnwtqgrwsi|orsdjshyrm|szuzpieghz|h(ulxibvrru|pcvggzbfs)|j(xjhfmkuaa|ymvhbdcds)|dt(igroqbkj|wasganda)|l(zlrpvpjic|axtvxeouu)|p(yycddtlwg|aoezggjiq)|qnxucoxmvb|uhaqoiwcvf|y(ojvvfeixb|psifmbrgh)|i(tdlyoxrmn|gubdddvpb)|vgxhkfyrwv|n(oyypesqjg|nhuzssrhe)|fymxohpqik|b(fxmvkrhxi|njzsglyen|kruxlanxs|tqcrpbgtt)|xckiozxkmu|wfwhtiifrw)|x(bxpcoayrfc|jsmeifjkvf|qiqsgqiezn|upqqpocybv|y(ewedjhdbr|pbutftrpj)|gzdsmdbfbw|fdtamffiue|zhxdepmemh|n(sqzlrvuan|kgkbflacp)|knjxzpjovz|etxfnulfkt|ackuyslsaz|wchohixviy|tzlzlfpldu|s(hnizorkrh|rcxpibffy)|pavenocprw|cfikpvdmgk|mgdlqaqvjg)|v(aaqajfxtct|cstniwwogg|nstjufrodc|xsqqmfisak|fsfczkbmet|g(srizqdmea|cdmmbyjwn)|z(wnwsfrwvi|taucubstg)|m(blnftbbtv|lwxgnehhp)|t(gndwippiu|mhmhuxevo)|rbijryybku|patqspmejk|skniygyahi|qrrfrajbos|ucpjjfcbef)|d(z(kkjpobjwx|uqghzzrpb)|p(vdvvilohy|shcxediab)|q(omhgfmbas|fcvdedmjm)|nbtmynrmqj|s(avkkqkryc|jlujvwmcz)|f(rebiuajzy|sjejeerbo)|tngbzsocwy|b(attbddgfy|ipvrjegvs)|kjawqkwyvw|v(lyvtqcsoo|wfthcjioj)|c(jkgtqjuck|cdegdttbp)|efaxjaqesd|gdqsxkfuhc|y(bniglqgng|upubxquoh)|h(fndfzynyc|rwqifjtqy)|dmalakcvju|l(liotlidlq|bgrpwvvzk)|wicdheyicl|mcivtsukth)|n(p(acjncjlrv|qofakriyd)|fkxmfifgcu|n(mtcpiovze|ylfgqjlcz)|o(tmtlszuac|qfbopgvpe)|iaoaypdkqd|ewyvspvfwa|dmwslcoftm|j(cmefeknby|eovuerwtv)|m(smjtmixfs|bmcgangme|peggmmeds)|wuhftbnvke|qtvhiehato|sbspfmwgcr|rbqfpuipzg|kysgdsyxyi|zrevijzeeb)|z(s(xzgkmpzdz|rfuhzgmig)|tlqaxnqqnb|wipmbzlikk|z(uljlnmlbq|coxaasbjk)|l(lapyqublq|wzfusdkli)|vgcfqyqbnb|aznhyszcqt|r(pkbbfixiw|cuoubziuz)|dlqbbhizgk|kmjoqhoriu|jojfktzhpn|n(jbfhjocso|coghlgvox|kopzgpvux|ptaqencjo)|edbsuyshem|ijaduroadv|boycplmkhc|chpnwsqozq|htuguyclao))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633030; rev:2;)
# sid 2633031 includes 832 (601 - 1200) 11 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: "/(e(a(dsydfeyyo|iarygkbec|epbwqdplr)|u(rrjppicmv|fmjqnmkjt)|p(b(snshpuaa|ivvnmnca)|rtumkmrbm)|i(dzsazomog|ulipnugxq)|e(byiaonwwk|uvpjyfugq)|n(bjfkkbyxt|jmhttbzaa)|s(hhmqyhzbd|kbaealdkg)|wmygaegmjh|z(tsfutpcyx|ujrzbtvad)|x(ytdhimhyo|rvmvjlkff)|m(nbpcsuobu|wiutgowmj)|kptnyhemeg|oarfifhpqd|b(gicckcnze|dcueskoan|eholybrfi)|qqbmwqmilp|lxaxfopquy|rujsjwdxah|gqmllszwxu)|f(k(uudsmpawc|qqudtixou)|pk(mkbhqkeq|qlncgjhu)|velgjxmuzm|l(jwlygreij|ndoimgkdw|wctftfbfy|vztjqscpm)|b(vfqmmocqg|sqbinmcef)|reclnigdtp|w(bjmtzunty|jdfhzcpin)|evfjnzgefs|y(wxdkqwppm|knhkjifrm|bnfojuimr)|g(azzafmydl|maleluzbo)|jczoqkmbyo|adgflvvhyx|t(nhtpizjoo|oaltaumwl)|ddnakkotgs|u(rhsgzwgty|fcaznfynt)|qpkkimdmyk|h(lafmqdeev|klizsoita)|xeprdjyonu|zoabmmonex)|v(p(atqspmejk|evhqgycsi)|s(kniygyahi|xetyfsuko)|tmhmhuxevo|qrrfrajbos|m(lwxgnehhp|zaomschhp)|ucpjjfcbef|l(xkixslrbq|axurwstxe)|k(iqgkgydns|civwdzzea|zvzzojaqm|mjhrjguxd)|h(ejislxpey|ntvlmqmsg)|d(abjxadtnc|hymplwgfa)|o(itkqwusvj|htvrhavtw|lcdsiuosf)|zercknbrhf|wppubobnur|y(bmigvlzgi|utjyzynkn)|jgrcooctmb|azpeswiuup)|d(efaxjaqesd|sjlujvwmcz|v(wfthcjioj|rcyqnpklu|jbpxmfrbv)|fsjejeerbo|g(dqsxkfuhc|lrswycotk)|ccdegdttbp|y(bniglqgng|upubxquoh|ybwbbzuip|heplxlqfg|cdvkfwvha)|h(fndfzynyc|rwqifjtqy|pbwrktwux)|d(malakcvju|kcforyspy)|l(liotlidlq|bgrpwvvzk)|w(icdheyicl|joyutkdqt|dkmeeehzw)|zuqghzzrpb|bipvrjegvs|mcivtsukth|axobbaluwh|k(adzpgayls|bdeibijpr)|t(gevfvzsjz|rbeqslicf|qjdfjngil)|rechkekjnq|nuyqptaxic|xnltyxkkjn)|m(u(hsfrgfvgp|ttizzoiye|byeytzvqb)|k(c(jmeroqas|qbuflglr)|sqrvkbcua|hokgwxnxs|zxkkouiby)|v(nhshvfnez|tvbnncmbz|iyowfjwyr)|eoadbteyup|w(zjjwutapm|bdkoohaws)|yxnenczneh|jyyuhljsay|mtqklrysxa|a(nyzayaijb|hxnjmjtkj)|f(zcmckhkce|yhmhtkrdz)|qruczijncr|c(domjbkxww|gfmwxlski)|dmjnbfshub|boyhgbgcbv|tnqgzgkztd|noqawjkewq|gofxzrdadz|serrqhaxws|x(yelfolbvk|banxbmuxw)|rsvmkbwwox)|q(g(jehugurxv|invvgasfz|grnruxcnd)|ltyhsetzqh|nbqydvrgwf|cumgsozckv|d(wfxtfssnp|olfvphqey|lyxdbgvod)|mqczczemae|ibeimmwlhb|vxbdrgwnjs|uzhkbarans|w(rwbnuknui|yaaxenpgn)|bncmxpmngb|kgicvnxjur|okxkgbqkqb|hwywmyacci|ejwksoprdq|zwpiedgxfl|sdepjksvkv|pkobjbssvj|qfxygfcvyi|jefdvvxvwx)|a(g(pmazqvzrm|gdbswbeas|oyaarjlln)|a(ipvopuszp|apxllriqg|esxmykwwn|pneuqwvcp)|b(l(rvgwbhtz|jtigeatf)|mzetfuhcd)|k(v(zudglonq|ndeakamo)|jkwggxwhr|puymenpes)|p(cfiftrbmw|fqjyjfajw)|q(vozyicqvv|ckttkczrn|xdbpbuosz|l(hwtmvotc|kfvwrlfx))|s(fpoileuok|aitrbyrsr|zcrxgabzv|qrvnyuksn)|j(szzvpbqws|wqbfvcoao|graqojbwn|eztgvtmpj)|dwlezszfsh|xjhzuzgjic|e(czxqpmrps|eolsvfcay)|hhtfgukgtm|vefmykpmqb|f(kvvgnshvs|dtezyzjej|mjrvnjflv)|wxjafptfjf|r(hxlxmjkdw|spmxiyves)|yieeyihqaz|cpurrnygnw|z(xcgafkwku|mmtjodaxs)|udprrpgcwz|ogcbadaglz|nylzraford|l(bzgurxdjt|ynlbpwnlf))|w(b(njzsglyen|kruxlanxs|tqcrpbgtt|fcerrifyj|gtsimgkif)|i(gubdddvpb|souxbnjfk)|laxtvxeouu|hpcvggzbfs|n(nhuzssrhe|gzcfijxru|rgftoldak)|w(fwhtiifrw|ckcxcvrpx|osffqdrms)|e(xunclxmzt|wnvahyfky|pqxpipzwz)|q(kbfpdckvi|mnygqwbly)|a(yrblvzpvs|aubdtdhfq)|xxjvnbarmg|k(ubadxdebn|gnflffizv)|yhojvinnyf|z(idvsdklna|fqldxvbqi)|fvvvsiminp|c(eguujmqhn|schbvzfxn)|m(ijkywvgwe|gxexpydlk)|scoeuelgpy|ubuvvvhkzg|owdcxpoemq)|i(iispwqvhza|x(kbbqlqlqc|bwzjjnuml)|z(egcfcipku|mrmdfhugi|xvhmlllof)|s(cdfuyrnrz|ryynfaqgw|jfyzwoagg)|q(qoxervyqe|jtjpjaunv)|f(mhwbnqvza|qxprebvbi|elclkewke|bkuxmsfwz)|n(ytnzndlqx|iuworqpjw)|y(pewewtbar|vkquiayaj)|ogmcyvagmz|eqvgkwaldd|c(pxrqoubzs|onhnnybtv)|ktcgntvjrl|tfcmqdbspj)|c(v(cbokhqxhm|xkckpvews)|y(rmnjvdcgh|xexdvzefe|ulubzjyhv)|k(rmsfmcugs|yzwljzima)|z(ruzllmssg|xpghaajgc|awizestpx|zjvwnlcor)|c(uyqhiptvn|bcnfwffbi)|lghnxeuayg|w(hvrzwhdkw|fpglwrtwy|ytsfcddmx|dxsxgndsj|slswsflqa)|r(bkeyrafoh|kjzggaowa|psqynurhq|u(bwhtebjr|kuovuzzu)|wkfhbxxzd)|q(gzknwcyhn|keuvlxzqy|euzefsdzx)|t(kdvalltrn|pcwagsvlo)|ppnbmthhfp|nkjqdfiilo|dqwovuijsm|xensakmhao|hiwauqjlpd|uaniqegubs|bgupadfrzw|fszultocta|jbhxpkwxxh)|s(janwbgxzmu|i(rhsknqokh|xneijywxc)|t(aajqhqups|llykaouii)|dgnxykkpcm|n(nrcfgzurv|aagvfdlpv|koshjnzrf)|hbphmcvxsm|k(kubqieuwg|fjzdsqgvb)|u(jczrpzsqv|yayppcxks)|c(czbqcmabz|mysytrpeb)|s(zuybxrytg|tnyusfvyn)|xlrsbrwvce|ggekphjqip|r(czekteapn|avaquvcyg)|vikcgloevg|z(jkyfbptfa|krehchbbz)|fnalxajizp|l(szkehbuay|kdmzaqcmw)|yxjdwvlcao|wybivhvxpd|qrjvrpdvbm)|r(wzfqunjgqn|a(tkwaasqkp|igcpsilms)|v(kfopfhtoh|unamkvnsa)|c(uykdgpoid|fxejirxzd)|gjfdilqotf|z(yfeskaxip|qzjvsifdf|sqemmoebk)|bjruikzcdc|ivvkrcowlr|n(icrrhyrus|caetrkvbf)|p(cdunjjyok|eckjzfomf)|y(psnrkywhp|woghrtwlc)|f(neilhpaep|obltmfmgc)|jazqxfxmsd|h(obevhtihy|exxcrzlou)|m(ivzamndrg|lcjkejugz)|ubypgicdxq|dyvosrrwfb)|n(pqofakriyd|s(bspfmwgcr|fmjrcirmh)|rbqfpuipzg|kysgdsyxyi|z(revijzeeb|efxqsdkst|ddjskrlxb)|l(ttcbpspnz|pbskxxval)|t(smrlecsnz|okjkdsfdp)|jkmwgqqxuj|w(luwkxhnkv|cijleudpz)|e(gwkjqtqqb|tqgyiabea)|chhzthjgoa|m(paybkjqje|fzozwrmai)|byafdevfuk|htvscqyqoy|dmykfkqtxe|f(iyarygqmw|jusebqtxo)|gujvpvarop|yraynlbshc|azygpzbfrm|nmktzajqxo)|b(l(hwjlkvtgn|yrejtgmnu|kxccgexrv)|e(q(gcdnheui|uskoeoud)|hgzxxwbzl)|qsmexrullx|g(fcfvfuanx|elookgoiq)|r(caccfjqbc|tnkepguco)|m(nxqxyinle|hdoghnhmj|vwqskuuuk)|v(qcrgzjjts|xjphiakcc)|k(icgofxkhy|jtkjxoems|ptaauwkvt)|d(euregjbth|imhnogkkp)|w(nfkihmxrt|lrkntzpff)|s(srphaqfor|vmzcldzcy)|tq(yqdzoxxs|avhtrnrn)|f(ysrdlhikl|tuzfggjmy)|i(zooimynqn|kfrhxqndm)|b(iabtnignx|fwestpcgu)|pxquouktsz|okrgwxqxws|ygotsbuwvi|coxtjyhcyn)|g(rmahenrmgs|u(oxsxrolht|yeaqkoqac)|ekeosqkxhf|ibrfgbjdrk|o(xygbiocpe|djmxidawb)|q(nqagxaqyy|qddfhbdbs)|dnspwtxaxs|n(sslceotzp|nfmxeuphu|okownempp|xrjdmuasy)|mkbjuolaxl|lq(dtiwrxsh|zlrqlpnk)|hznmsptdss|z(szgubicti|fhehijjro)|cbenhvyesh|y(iaihqwfjf|ekdviuviv|glxzectrj)|t(biztxiiyw|fpghtsrbm)|vaobzhvmfp|k(nqpbccvvt|uklxyeqsg)|awpcgkpzai|buudckshhg|gttqouuvnf|wajcfdzqfh|pmlriibmpd|fodgrolpdn)|t(y(vionoixuv|wuudyniqb|qtgimupmn)|nzfyibhbtw|q(dngquseeo|bgmcplnls|kbphpdsui)|j(wdqoeamkf|xvwtrcbfg|vvbrdfdvy|nspmjsjpc)|hfishwpkgg|x(bvhyaxsmp|hkwnkhhpj|svouxkbyx|gfxpaynht|xvkklrzas|vlypirrus)|b(g(akozgsnu|jjvygbry)|edxxxitko|ktqcuegft)|rlvwluyjtu|glxyyeguxw|obrywwdshm|z(cydedglfu|urjwxmxkb)|tcilfafazk|ckyywabrqs|lrbehozgew|e(mioryrinf|euxybytoj)|vjztvcnpsn|w(pvamduuuu|ooocikfpr|avvadesft)|pveqczndsa|ahlffpatpp|kznyhrwgxt|mftymnbash)|z(j(ojfktzhpn|segxorerw)|n(jbfhjocso|coghlgvox|kopzgpvux|ptaqencjo)|z(coxaasbjk|ddhtwnrjj)|edbsuyshem|ijaduroadv|boycplmkhc|c(hpnwsqozq|snvamqbuu|kueitcywa)|h(tuguyclao|exbhrlzvj)|pdftecwlbb|khsnpaaqwc|f(odfvtcjja|atftuhwwe|bkxniazoc)|q(fhgppjawi|inmhnjfwy)|xxfuvricbp|wnlwickddx|yuxniixmza|atcvvxwumf|tkreqotjjf|dxwelennlh)|u(n(pfsbximha|hcyhgodou|xedkylgjr|buitofzto)|ivjqfnulmh|t(chiwwpied|hpzbqdisb|frjpjcxed)|f(sweulzhpy|ujkgvcyqr|xcoswgazp)|mqfuqwmktu|l(bpddpzyib|lzsaybngu)|r(jguawmdvo|qoqjgdcxv)|ukgnkzqkeu|czjckcyrkw|yxzswchptt|etromhtnxk|zukgfadbht|xwkdmqrllb|bvjyuhddys|vkdjihyypf)|l(mdxyqjklje|j(dlillajnu|ygliatrjc|jonzuiapl)|f(lftrnyyjp|haxurlwuv)|veuevupdtq|nepxryhqms|intyudbrzi|qjofntbgtn|t(lhqngwief|nwogenncp|xnmedynyu)|lnvamsctsh|zmdqjxqgyg|pmossplvff|h(wmlmccsof|k(smgspzej|uczefqzw))|u(qaumebhwq|hnqcttdan)|evtcezncju|ymgtyzkqsm|xngjwizplk|c(xyyfykhlj|jhypxqvmi)|gspdzcpkhq)|h(xcmauwtjsq|p(gnapkajtm|fglenjgma|ekigrhaiu|vjwbmvayn|aukgbqpjt)|h(ictrumpys|gytdmrflc)|e(wykckjsgg|ihyqfzsdh|naclfrwkp)|b(vrqjlhrji|aoocbnnhn)|l(gouqhtmyw|sdoklwzgd)|a(ccqopaenq|wyzlezivj)|j(oxrvaewxa|gvuekbayd)|qmprvgxfgj|o(duzoarqqu|ueuaogwly)|mutdcitiik|yhzgfhxnlr|scymmqyuej|vppeuqaeea|ulapeyzezg)|y(v(fletgacxj|thqdaqkwd)|hvhcxepyrq|t(epowpmpxb|bxpczyide)|o(hgqpygdjw|bhyakdskn)|deucdujjnq|umisdyjbrx|j(pevxcfsnd|llzeststo)|wnhkpcpgee|gdeujeqxva|sxinuguggt|r(renejizmx|ngbpkrxri)|zaqbzppafr|f(taeaggpds|yfbcirsci)|ylamhlteto|i(razrsrsmf|ndfyhpmbl)|ebbkivvmuu|czvyjocutf|b(fbewqdjqk|gzoeiqbxm|eyfyqghio)|n(wpwpakrti|lnjnrclpu)|qnfefhnluz|lkpijbplzw)|x(ypbutftrpj|c(fikpvdmgk|xwqvpyycb|vydeqagvq)|mgdlqaqvjg|s(rcxpibffy|wqsqjfvdk|kvyygznbl|doqmaealp|puxzcswmg)|hyycmyhcqp|o(dbhqdwcao|oiyxuqyqx)|zrrbsaojuc|v(oloirndlk|sftentuvt)|i(wvcxojtbj|djacgwcns)|t(lnxqhdeef|miufpsdhq)|rtmtjoleer|neogtqjixe|jpjwqdxgew|fxjlxcmfgp|q(lwttgwcii|knptcgtmb|roodkvwzo)|xnfolqqjzc|dwiyalsyme)|p(khaantroir|ertuygemeg|a(mzlrcgdff|qxqwdkimj|xuevzklbp)|t(usuvrvssr|vcwzricww)|f(kzaivimmh|igqwxvjgh)|xujokkregk|l(bdwipvxmu|gmfjuhfmm)|wlmzgrvhky|h(wbilggwju|rwzosebho|jboelzmrv)|pzkllruhmj|r(bejlntllw|rwxpdujtg|kwbfowclo)|v(xhsvjspow|orjdnulio)|n(salxlxnoh|gnmvkrhth)|ylcszddjkz|i(nngolznvt|dtohcccde)|siyuabuyum|okleypmdml)|o(zmvhshpiup|s(odnirltlm|mwoswudej)|i(ghckurcdl|lhmgrzciz|wrqviazhu)|x(zfithomfa|wlnwqohhz|ohdafyedg|tyetgtejt)|l(hhoojannq|b(vqmvfaxa|uvpzfoqz)|rwqbxunxr)|m(fxgherhig|dwwnndepn)|c(vbahbwsbq|isabdmbxb)|b(kqshdfhpj|deczgwbba|hfghzljfp)|fseedpkahv|uf(rgpzaqjn|bwwfgiol)|hrormvndmt|a(nypmiokjl|xankijqsg|ttzdbgwmf|kdrwmhmvw)|vhbtqfpwwd|t(udusprebw|qamwxboxn)|jiqphuhdgb|y(qduhbmbyi|fawyinrcv)|n(nrbomgobj|shipgahhr)|ecaqkubpcd)|k(j(jlvobdywj|ccwmalwsd)|d(j(qqiwyejr|nldnegny)|zlirmvudv|gbwwbvdvt)|hnsuljevzz|n(hvxbdgwjx|xebbuluui|deysojdra)|rlivxsseno|zgrhxgwiep|t(jyinwrvxc|vkkirymsp)|fqpfpnwity|g(jwqcusnms|vauryxxhx)|m(qtpppuoml|sboghivzp)|bkwrhjmxpn|u(gwrvjjkzm|jcdikzzeb)|abpawfkgno|ximvocjlws|wbkgwoghpr|e(dbkkorkba|xjtbtkuww)|pjdfgzdjtk|ilohamdjqo|k(agullhyln|ntluxogmn)|sqlqecurzc|vxzoudgtgi)|j(h(jngojrxsm|lzmbjlhpw)|z(zllenuray|ysmmczegi)|i(q(xsrmxnwm|wrpcifzt)|ogukmfypc)|d(jiminpocr|byyjkkbve|mxxcydwsl)|yakeeicaot|qssagaebxk|s(xhdtiwzhq|axzusroto)|k(avwogtchl|cnjcevjkf|mftgymund)|l(jjwsreuiz|uunebpkqm)|r(siwwopmoo|ijyezksww)|gzrpumvyrf|nmuecthnql|uddqhftyxs|vbgatkggsj|xojcynpfkf|bxvllxwrle|o(lcajertqu|zbuestqwu)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633031; rev:2;)
# sid 2633032 includes 232 (1201 - 1433) 11 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.cc)"; content:"|0b|";content:"|02|cc|00|";nocase;within: 14;pcre: "/(v(sjffasbzfx|nshsqhiubr|oorhuakxfh|dxxmubrtyx|ahcpgrlppp|hdzktwejpl|rqhhmrjcyg)|q(repdidfrkq|s(ndkkagewe|swhersmie)|vtpuysopfr|qy(rorcrosk|tirckezi)|aoxqbdubgx|xauymcxxvz|frxhwyktbq|bgbujrenbe|ziuflcjtbs|u(zsxnjtahp|slublfpoj)|n(mncadjrdb|ywuhbnnug)|wiknhvlujd|lhtocvfbxn)|y(f(awzrzoxan|ujglapstm)|licxluwyzl|yyodewszih|kvhtstnrqq|r(clijgpbbr|tieghrpyi)|xpvydampey|tsltrqusix|dyqdiomnwe|uyicntopfu)|w(xtvoeadaer|blcjsaojnf|z(kdihkimrw|jlhokkyuw)|jjtqvtgkbz|akwnywgucf|dxnnfccwge)|k(g(rovouoxwp|tjnuesdjg)|njihwxmnho|tzrlqzusuq|akyrggkxot|ddcijdjtkr|qvmmltbsxj|llaqwhwzjo|w(ugxppryxr|iayzslmmq)|ppwvshudsv|xxrbazubxn|ctkuwtzfib)|j(oefdweauxa|ujwoyfjmbv|ludqauvkxd|fewsngezpv|xzvmltqjyr|cvznznogqs)|l(d(ptecrnrsc|obwqlfslr)|hfxegyvxxr|nkaxnyrgxe|jfwwhqbfxt|lmsjztaden|tvchdtqdei|pnkbmitdyh|ogdikmdjsa)|x(tnuzgjnbdr|wrifwwilxr|b(xyocsckcf|lecvsdzjz)|ucybsczhfy|mvzroqqmik|sdsooxzpbz|otqnbuzbkd)|c(bxcgwgvzpw|eykhtxokhv|dpswmapxdh|zmrdnrxguk|fuebsqfnxv|afmdjpsbri|crqurvnwiv)|n(estpocetjw|o(hsdyzcyzt|ibuxvgmrt)|bkjfguzvwo|yeasvneken|rwauvzmwdo|mmrudmlnzn|cgdkmvlgfr|nljxqdgnrg|auhxbdfbjw)|p(d(vbreelbym|qqfsuzkff)|yxhaejpbhm|ziamrkitpc|i(ndswydohp|iwltwflrg)|wbnnubigme|nfhkhsehtm|mreevnaxvw|rssgyduiad|xfrxepuytq)|u(afsvupkuwb|lnfidumcad|ctswjazwbs|imrdebtqss|jfaqviqwpx|g(iupfejiys|bddtamdjm|dgcbkzrhm)|hgwivggbla|uvgdpifvwz|wkpokujicy)|d(p(gfxojtevz|etdbdqlck)|t(tiszzxgfl|xrfoedqst|pekhzdhzs)|mhivrjnlhm|enbttnixpf|v(jahujwkwv|vyyqfsahx)|zpdvesugmg|xeopuopdsl|uaeplnvcvg|kmkmzxwobd|gffbfvrjib)|f(douqyywrbj|agfmfpnfdp|bzhayltupe|zkheqostnj|tqfxzzpicw|e(vqmuiynya|eveuhdlxn)|osfqpnyqtb|vljrmptgzo|pqsqlzrurp)|a(otwzaijxmx|j(pwezlkijl|urltsglfj)|flentvnvhe|d(aoaxmcsny|wcsfyzjuc)|nbnbozdkrv)|h(ldyfvyhhyr|ikpnyqnveq|fcamqtwpdd)|z(xgkyzbfzfp|avcsptjpfi|boppntrtwt|ybrumcmlhe|ddrlwzurvu|omzuscaalq|hexjbhuuza)|m(nbzuvqxebt|eazcuwdpnz|zfjcypumuz|cpldsrpmyn|tkxxyndhwv|p(vxitbljbp|djerqolmk)|yfqpwypknz)|o(ojjzsgnctp|r(exgraxdrl|qttmsoseq|azvseiclq)|upxfbrcmrf|khqpqbkxpw|botggzqmqr)|t(h(xevldwkhw|vxqarmmyp)|mydppacfcw|qjsouxxofa|xgqamopchh|ejikb(ngiik|opndt)|dpguekzphl|akdklggqsm|yyewblibgh)|b(cdethrpmex|sybhuwahfl|lgjysjvzhv|mopwyaekxe|ryfbnclasc)|i(f(nzwhhcous|zuhngrqdj)|kvcgpkdrom|yqfebgsogm|owyeqlxoez|hsyjbrtjaw)|s(u(zlmqcykul|hlakcconu|uppmuygre)|vpitcianoe|bkvwalktjm|n(klwxuwhwx|wdwuasgdx)|soesktryph|wbkzqyntbm)|r(gsekfambbz|zxnfsiphmk|xcpqkztknm|afgvzlamsj|b(oaqhyjcbf|smbscddtl)|kyrqzbyzdh|mjnqvbjfcq|dlvgvehaqp|rifyxskgyv|eiabninpwl|nsvbpcvbff|lwpwuvocma)|e(trmsdqcvgp|rpbfegbaoj|edxtxfwbxx|faazrldtyq|dkbbqqgwwt|qgvodhudve|btpuchnvru|oepgkooocy|zbrkuurqwv|ajymudkpje)|g(c(hwbtybuno|bhrpqgrla)|i(raxgfbqkc|lbmrhltqa)|sxkechoxrl|qvzvrmbafs))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633032; rev:2;)
# sid 2633033 includes 4 (0 - 4) 12 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.cc)"; content:"|0c|";content:"|02|cc|00|";nocase;within: 15;pcre: "/(comtegmylnwm|infoiifibanq|netkqmmsrvtx|biztjfjpyymh)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633033; rev:2;)
# sid 2633034 includes 3 (0 - 3) 13 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.cc)"; content:"|0d|";content:"|02|cc|00|";nocase;within: 16;pcre: "/c(nnkvvkilnlqw|omuilnxmmbmc|cbaahtcmvlhl)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633034; rev:2;)
# sid 2633035 includes 4 (0 - 4) 14 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.cc)"; content:"|0e|";content:"|02|cc|00|";nocase;within: 17;pcre: "/(netdqfymkuydzw|info(krhghnswwe|gsbcgxxohz)|comoynjrrywsnj)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633035; rev:2;)
# sid 2633036 includes 1 (0 - 1) 15 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 15 chars (.cc)"; content:"|0f|";content:"|02|cc|00|";nocase;within: 18;pcre: "/infoadlcybzwuzp/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633036; rev:2;)
# sid 2633037 includes 600 (0 - 600) 5 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: "/(e(sebr|j(yvk|rcg|iom)|rd(jc|ll)|bxey|nkgo|hfvv|ykbi|talj|dzpv|etnl|qjvl|vbxy|arxt)|b(yymd|e(ott|hdr)|f(hcq|yxi)|qdau|w(xij|cxb)|cuxs|amfj|lwmn|plas|ihaa|vznq|nmih|oreu)|p(h(dra|sby|bms)|e(csj|ups)|gufx|bvrf|yrab|pfda|o(loi|vif|kmu|nsy)|wurd|i(blc|ehc|til)|uhnd|nz(ca|xf)|dwmy|t(wba|szj)|kt(qs|dm)|jhcg|zwgh|fhxy|skzu)|w(d(efm|tkn)|w(jdh|cfe)|m(pug|lmn)|avrz|neek|bfug|jhly|kbyn|ziot|pydw|qsly|ynvn|gmix|egih)|t(phvx|r(hei|mwc)|s(xoo|hds)|qwly|yodd|j(spg|aat)|x(drx|pds)|loai|mvnj|carx|usxk|d(nee|tgu)|b(yif|vih))|u(r(hyk|dxu|usn)|kxsg|x(jio|ecy)|jtqr|ywrt|h(hnt|ywn|nfn)|ziii|mdhj|ngjj|dznm|izgh|oyoz|bdqf|sgdq|wsfr|tyhj)|m(skrf|t(klk|guq|wxz)|b(cei|byv)|w(q(vt|ul)|npt|rex)|d(ftx|xdh|mdo)|icrr|zcws|y(hko|con)|mlwp|c(qpf|oil)|hqrd|rjaz|vkab|edtj|kqxn|qkyj|guvw)|q(y(ohr|rlz)|b(gai|mqz)|w(ien|jqx|nsr)|k(vti|zdx)|i(abg|yjp)|f(sgr|rtn|mte)|vamr|xhws|qiae|gpzd|trha|d(gou|mwf|oos)|slpc|hbpz|ryzg|zauv)|j(g(weu|bmm|cjk)|j(ddo|okq)|mhdw|t(ikm|fex)|xjlt|lliv|h(nrf|ymc|ipg)|bgnw|fdzx|uhut|i(llc|udt|bbo)|ring|d(utl|ymi)|nucf|ytxv|wlyl|cbbe)|h(b(uwj|its|wks)|pklk|gien|kakl|t(qtd|skj)|vzmn|obxr|z(nvh|vvf)|e(hur|ryw)|jyyg|cvvk|w(zdo|ohn)|duph|qjjd)|l(p(fyi|jjr)|w(wtm|gtl)|ojrw|a(xcl|svh)|xfdy|haek|l(kru|uih|wcq)|dedo|u(urq|nvv)|v(itw|gpl)|g(mxs|w(sy|iq))|zjpq|iwxs|sexx|jaay|edzw)|d(gvws|lhok|htlt|q(xrn|bts)|akph|t(yyd|vzf)|z(vka|tza)|x(bow|gwp|daz)|ftyi|wqgq|oaqb|ylbv|pmwr|infu)|x(f(dmh|jkh)|bdhx|x(yle|rpe)|uwbs|yfdb|q(lzh|zgo)|t(nrg|zxx)|niad|sflp|ppaa|d(p(ee|zz)|wyr)|cleo|gnfc|hyiz)|y(pqdq|w(jtr|pvc)|m(zwp|fzo)|n(lua|czn)|ymte|l(hql|aca)|u(hnl|zhb)|q(wtk|vfa)|zzgc|h(eid|aze)|vofo|fvra|x(jgy|owx)|gxae|ozli)|f(musl|afni|t(w(qj|ef)|nme)|q(vjb|dga)|dhif|o(equ|aid)|whuu|i(qrk|yus)|p(pwk|szs)|e(jcl|aju)|bhgh|hvla|seok|vamo|kreu|gkwz)|v(m(qrs|kih)|ujnu|b(xdp|hub|eso|ict)|f(iis|ejq|qlk)|krte|vwvy|c(vgv|sxg)|e(wqz|jui)|abqs|lowc|jsgo|nsah|pxge|teui)|g(ylqq|c(zkf|rpu)|d(zjn|gqk)|enrw|p(umb|hek)|lzax|x(znc|why)|r(qka|azw)|uudz|m(jlc|uob)|o(lkn|hhj)|g(dnz|wvo)|v(aqz|lld)|bkuc|ivxt)|r(v(nam|drz)|isac|ojit|uknc|mujp|fsny|cexs|whob|psvw|dkzi|yxir|t(knq|bpa)|jqjm|nojd|ejze|gzut|zkwj|beku|adeb)|o(kkmf|a(gom|tct)|b(lie|klk)|nhdl|q(xfk|qjw)|r(jxs|lql)|pddg|d(jiy|tla)|f(aqm|imy)|ufpq|ycru|h(mbm|asq)|slhw|cyhy|xdee|l(wab|orb)|z(lay|xti))|s(kzev|o(qhc|znm)|r(nol|oab)|uftz|g(snq|qtg|bse)|j(dea|aqg)|w(khg|vyn)|fzbs|z(uqa|mdh|wke)|h(ost|lsj)|axvd|c(rfe|qbb)|sxmc|b(ktg|xrn)|v(rxn|nei))|i(r(kqj|wvm)|lkba|c(rsh|tug)|e(aay|wel|xny|iwa)|yryi|jrrg|pqbd|bryu|aakb|mzzu|xujv|ndff)|k(x(qxi|aqp)|l(azq|mvq)|rlub|vjyu|q(rri|wke|ekj)|i(hhk|yql)|nmas|thiz|j(rrc|vmb)|hwtp|fgtx|avyn|snqu|c(nad|vpt)|mcwx|w(rym|qyb)|o(plp|hbh)|uvjg|eary)|c(g(njr|ixq|hgg)|a(sja|mtr)|y(tyk|qxo)|lpgk|zxkd|t(bml|uwn)|f(pfm|cxq)|h(uyo|phr|ifs)|m(uvh|bfa)|ixch|eskc|k(eai|mku|jus)|sczq)|z(w(mnz|eio)|ciom|nzow|gaih|fcwh|lmdv|v(csd|jmk)|sjan|xunw|ebyj|b(dqg|gfl)|tvme|khpc|odrx|j(bru|azl)|unmb|ipsn|dkwj|ybfr|znxr|rurl|qhgz)|a(vvnu|gbfs|kkes|yyop|z(d(nf|ba)|rsl|ybd)|x(oyx|vpk|ube)|h(vni|dys)|cjul|f(ylw|fup|xmb)|p(uip|ymr)|oifd|jztp|qzwb|busn|t(vpo|pzg))|n(e(kbm|m(ir|gf)|nkv|zte)|i(aaz|rqz)|szjv|w(usm|gct)|afhg|jhll|nj(lg|qc)|p(gto|leg|udh|oit)|f(zvz|ebc)|mzhp|rmvc|vrve|kpll|z(uiu|ght)|o(wru|ovt)|dnun|g(iop|slm)|bfyd|qfww))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633037; rev:2;)
# sid 2633038 includes 838 (601 - 1200) 5 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: "/(m(rjaz|vkab|e(dtj|ckm|bgt)|dmdo|w(rex|qul|ygy)|k(qxn|yyw|lxk)|ycon|qkyj|g(uvw|mrr|jko)|c(oil|crs)|fboz|h(cty|tds)|m(lpp|rnq)|pbws|aiuq|otna|b(zma|ffc)|jkrr|izgz)|z(o(drx|kew|rqh|yjf|pou)|j(bru|azl|mlt|wrn)|u(nmb|axw|esi)|i(psn|yrp)|dkwj|weio|ybfr|z(nxr|qta|ktn)|b(gfl|ppu|fah)|r(url|iib|gva|aao)|qhgz|axcd|n(gli|uts)|v(iix|ycr|uwh)|keya|t(m(mf|jo)|szs)|c(kdb|oja)|liqa|g(mus|lzg|izb|olg)|xaci)|n(zght|e(nkv|zte|mgf|ozx)|p(leg|udh|o(it|so))|o(w(ru|it)|ovt)|dnun|g(iop|slm)|irqz|b(fyd|zuv|iil)|w(gct|qgg|uuo)|q(fww|gaz)|m(nbg|yem|oat)|l(yst|lzb)|t(lgn|pbf|hqp)|k(bep|pjb|loe)|uzee|s(bne|max)|a(tsz|rox)|hqzb|clmc|vezq)|r(dkzi|y(xir|yzp)|t(knq|bpa)|j(qjm|ums)|n(ojd|iew)|e(jze|izj)|g(zut|c(pi|ii))|z(kwj|xln|jtv)|beku|a(deb|kjv)|p(ccq|tha)|m(tpx|xdz)|s(qqf|wac)|wulu|r(wde|aqq)|q(dox|ogo)|ucfs|i(tjc|auk))|g(v(aqz|lld)|dgqk|phek|razw|m(uob|vew|dun|rrd)|gwvo|b(kuc|csw)|xwhy|ivxt|c(rpu|wym|mix)|k(wnq|iga)|y(dxn|tkg|lqa)|o(rlr|xeb)|lcol|q(ihi|jyh)|j(cwq|thg))|j(h(ipg|zkt)|t(fex|vvg)|nucf|dymi|g(cjk|iff)|i(u(dt|hn|uu)|bbo|jct)|ytxv|jokq|w(lyl|zbr)|cbbe|ajkj|fkfo|vkjq|p(kce|tml)|r(wye|fwv)|k(zhz|uhv)|llcl)|h(w(zdo|ohn)|b(wks|zkh|bzl)|duph|e(ryw|uqh|scd)|q(jjd|hik)|m(sws|dir|jbn)|g(bcc|peo|ddu)|npcy|zxon|v(fmc|ydi)|ucmi|l(adu|hjs|knt)|jkkk|hlyj|yims|ieqi|sixw|fhty|piqt)|y(n(czn|pvs)|x(jgy|owx)|g(xae|vvw)|l(aca|cxn)|wpvc|h(aze|qus)|ozli|qpgt|jqev|a(zpv|jre|idi|yuk)|i(phi|xmq)|kbsh|e(bmt|rfe)|t(hcp|fds)|dlmc|puuw|zgsy)|q(gpzd|y(rlz|tgc|p(xc|ku)|mfl)|f(mte|xto|wkk)|trha|d(gou|mwf|oos|ujt)|iyjp|s(lpc|hrk|rbm)|h(bpz|sbu)|r(yzg|omz)|zauv|k(zdx|qmu|cus|dnq|noq)|u(lrm|roy)|ooqx|q(zuv|gge)|xgcf|jfjj)|w(j(hly|sdw|yrk)|kbyn|z(iot|dib)|pydw|q(sly|qhz)|ynvn|g(mix|ohm|gbf)|e(gih|wvk)|mlmn|dtkn|codz|b(ltq|qjp)|sqsz|fs(kn|fr)|hucg|aseb|xmif|n(zlq|fdt)|vloc|unva|twfw)|f(se(ok|qe)|v(amo|pjg)|t(wef|lsm)|k(reu|zhm|syx)|o(aid|jfl)|g(kwz|uzs)|e(aju|eqa)|pszs|n(mym|cip|i(ce|ox))|m(pml|fjf)|h(cvg|rmg)|bywz|xeqd|z(bmn|hgu)|qyli|fepa)|o(y(c(ru|xg)|otp|ydc|azc)|h(mbm|asq)|qqjw|s(lhw|mvy)|c(yhy|wbw)|xdee|l(wab|orb)|z(lay|xti|wao)|r(lql|wqx)|f(vdo|cmy|nli|ezr)|v(lmi|ktg)|whxp|gqbv|prtb|kltu|d(sxc|ots|nom)|oqpy|etht)|v(l(o(wc|qm)|vgv|xfp|hkq)|e(jui|qlo)|j(sgo|pbt|zyr)|ns(ah|em)|p(xge|bow)|teui|b(eso|ict)|o(jjo|ers)|m(hvq|qla)|dksp|khqa|imxp|scpy|rogs|fwrb|zbgh)|x(q(zgo|uhj|rgf|ntu)|tzxx|p(paa|vgh)|d(p(ee|zz)|wyr)|c(leo|mcw)|gnfc|hyiz|z(nvx|cad|rly|ysy)|oe(kq|dd)|nwfg|r(qgl|hri)|k(osb|xmr)|b(fps|tpv)|uulp|wzzi|yhmh|lkar|vrqc)|a(x(vpk|ube|lpz|h(lp|si))|p(ymr|iog|vtq|qdw)|j(ztp|rqk|ngp)|f(f(up|pe)|xmb)|qzwb|b(usn|qat)|t(vpo|pzg)|ztqv|csvk|r(yiy|ktw)|kqlo|s(cud|sla)|a(ejh|akp)|eqow|lbhh|ojuv|yabu|nqbq|myfr)|s(v(r(xn|af)|nei)|b(xrn|ybm|djo)|h(lsj|oqz|qvc)|zwke|c(qbb|vec|jbk)|jaqg|ddjb|a(sli|wlf)|l(ukd|kyf)|u(vtk|dyg|lxb)|kkpk|mwzw|x(mvn|irv)|qiul|wurp|egch|geaa|supx)|d(y(lbv|ryx)|p(mwr|wug)|x(gwp|d(az|fc)|yje)|i(nfu|f(fz|wf))|a(qfz|vwf|jzk)|r(zlo|fqo|wwn)|wolm|d(wve|ump)|f(nui|hwf)|qghy|m(fxu|ynn)|h(ndp|wvy)|json|b(edv|mgi|ptw|wgq)|tygg|nbgc|ovrc|geps|ldcp|czaj)|k(qekj|o(hbh|yem)|cvpt|uvjg|i(y(ql|uz)|ojy)|wqyb|eary|j(vmb|clh|laf)|m(hdy|ugi|idm)|ahdc|b(pqg|uxe|qcr)|d(lxt|cgc)|kvuf|xfop|ltjb|svbb|rgfr|p(hxq|iqh)|zcqv|yuki|htlq)|b(i(haa|yby)|f(yxi|toz)|wcxb|v(znq|hds)|nmih|oreu|snwt|z(scv|bru)|ceiv|dovf|qeih|rlqi|p(nyv|fkg)|udta|lato|ynuj|mkom|bise|eocp)|p(h(sby|bms|awn)|t(wba|szj)|k(t(qs|dm|as)|mvp)|j(hcg|duj)|z(wgh|gnh)|nzxf|e(ups|thk)|fhxy|s(kzu|hgf)|x(sjr|yqt)|gptk|vkdk|dmto|c(ejv|bnr)|p(rvn|dns)|bmra|moaj|u(uts|pbz|ziu)|rvcb|oclh|qqzs)|u(o(yoz|xvd)|h(ywn|nfn)|b(dqf|nmq|jav)|s(gdq|oxg)|x(ecy|tnu)|r(dxu|usn|tme|jfa)|wsfr|t(yhj|fos|usq)|uzwg|igjt|jtzj|g(gkl|jqk|mtq)|drto|y(teo|jgn)|puyq|vndt|zhuv)|t(m(vnj|ott)|ca(rx|uc)|usxk|d(nee|tgu)|b(yif|vih)|jaat|x(pds|qke)|vkby|e(txl|lhl)|ipap|h(zdr|srb)|z(vdk|dqi)|lpfg|oong|ayqq|qtse|ykuc|wtur|fmdr|nkoh|tlpk)|e(t(alj|nsq)|r(dll|pff|erq|tsz|bmn)|d(zpv|xpx)|e(tnl|vuw)|q(jvl|vyc)|v(bxy|tem|stz)|arxt|x(skt|zlh|vxj)|b(fsg|ytp)|scur|p(fnc|ice)|lnch|y(hjh|lze|mqn)|gfbe|cxws|mepm|ieic|n(yis|dfu)|upup)|l(i(wxs|bkn)|s(exx|tgr|fju)|j(aay|jnc)|e(dzw|bxd)|f(raw|fgl|ysx)|r(zir|nsx)|y(egh|fna)|xkmh|mfoq|dcps|hulr|oksa|qdyr|tmcb)|i(b(ryu|qqz)|aakb|mzzu|x(ujv|wzn|ssv)|eiwa|n(dff|wme)|ppki|zkuo|d(nvc|snl|wna)|cxey|hsyg|l(hjq|dyw)|tpqf|wdvr|vdab|spxs|u(htj|krk)|otqw)|c(h(phr|ifs|rnk)|k(mku|jus|gwi|fqg|ayk|byp)|s(czq|gvj|zsl)|ghgg|a(mtr|bsh|arb)|f(cxq|lrm|ubb|mvy)|i(oef|plb)|odkj|lnhu|edsw|reko|qmqd|bqku|tddo|ubdu|ccnh|vzvp|jxar|n(vjt|jzv)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633038; rev:2;)
# sid 2633039 includes 238 (1201 - 1439) 5 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.cc)"; content:"|05|";content:"|02|cc|00|";nocase;within: 8;pcre: "/(g(k(igx|ups)|rvel|u(vnp|zwg)|ikax|qzun|emdm)|k(pnfw|yope|gqab|uxsc|w(exv|cde)|jrmh|zkqm|azki|rwrz|b(wsm|xqa)|lpud|mlud|ovlo|tqkn)|a(c(yra|zrf)|ffpd|l(rip|slz)|wmna|mtul|rvvj)|e(rxuw|cecl|vntt|xwlh)|t(a(jhr|wae)|irqe|hscb|xjhn|suat|myby)|i(qjga|witl|bned|vrrh|hqdj|mlhx|sdxo)|q(s(fir|vwc|mfq|lzi)|ybdc|u(equ|gqb)|j(kew|awq)|hohq|xqwy)|o(sfbh|exnn|tirs|n(gce|yjb)|xwmc|ykta|woke)|x(zsri|r(ppi|eoi)|wzdh|vbus|u(lza|rpc)|lnpg|h(hhr|auq)|oxyj|qurn|mxtj|xdjp|kwpr|fgwh|anne|jlnb)|y(hcao|e(txt|dmc)|dnjq|qhhl|s(jiz|rjt|ggl)|y(vur|oxi)|iggf|marz|rzod|cszp)|f(rkpw|yumy|dpyw|zyir|b(xtl|pkb)|vajj|fpxe)|l(m(cxy|aey)|xvbp|udiw|limb|sijj|oxsh|qnyf|j(sov|whz)|rnzw|tlrb|yfnb|zrkx|pjbd)|u(lvnd|y(lik|uio)|o(uxy|oiw|wdj)|xhxd|bnxn|pxqx|ijng)|s(ksse|exyy)|b(p(oot|lxl)|a(snz|elh)|njfy|rfwx|zrwn|hrhj|q(jaj|adq)|vhao|dccr|yyvd)|d(rnqo|a(wfh|gim)|qhnp|xgpn|msnu|jirp)|z(k(nrk|bal)|yejc|tvjp|jdvj|sqmz|cfjy|btcu|zpdc|ahla)|w(pnkf|srvm|hhup|zcmi|nwhl|eosh|raom)|r(hpsv|izbd|yyzi|wmiy|ugbm|qpij|jvdo)|v(qdjc|mm(nu|kj)|n(cxa|jfu)|otzv|x(lns|thg)|leec|tt(ct|kd)|bhxw|zjpq|ymgf)|m(dyut|kkdx|vkow|smgi|msbx|comb|onax|rvfr)|j(ipuw|tdaq|yiuo|pneq|muuy|vdzp|qfok)|p(p(dfo|itb)|zpyj|belf|rbsc|ggdb|dzxu|tqiu|nfhr|qjfy|oqgh|esrd)|n(vcyk|ojxw|lsmb|pkoi|hqag)|h(pykm|a(ahy|wqs)|d(hne|kow))|c(qwmb|tmee|daho|xawb|ifkn|bcfn|mfhx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633039; rev:2;)
# sid 2633040 includes 600 (0 - 600) 6 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(a(oghfp|htqjc|l(wnzg|mflq)|mxnzb|s(xalo|dmva|czjf)|k(yqsm|xrae)|fupzw|ealxw|b(poxk|dvvs)|q(ggnn|cdpz|qqvi)|jwojm|yklhg|ntzal|vseok|dsalt|telzk|unfnw|afeak)|m(gqvvf|t(xitc|ixob)|dxtgc|o(ifhn|gotz)|q(dbia|iack|wtdo)|b(lydu|ptnm)|wmsys|a(esha|jftd)|zbwrr|l(ljlb|rsqe)|u(iebs|rlyu|tnyb)|m(doii|obig)|s(ffpn|xcjd)|c(wosa|lqld)|japrq|nuwld)|w(ymsbw|rldwb|d(dlzg|lwih)|h(rcmt|cedv)|z(ivzf|ggnn)|n(aazz|u(ajf|zri)|vilf)|v(kebl|eupj)|kywul|sxqms|f(uxnb|dyvc)|pqlse|ofnoq|bipuf|a(frfo|iykf|qpma)|wqqyh|i(tksn|ucwa)|jvatd)|s(x(ggpn|ksnd|rcjo)|f(ijwx|kcqs)|m(ciyq|vksn|gbew)|r(fycr|gwrr)|dxfmh|pxnqs|tuiqf|qpmpv|wmdgo)|k(k(egeg|mdsc)|m(izwl|sxcr)|r(cjnr|qoec|mhkz)|odtrj|xzexl|p(ffty|vyny)|d(ucgq|dhwe)|j(wpsz|gmzx)|vfoyo|s(nxrw|tajg)|i(uoga|jyyb)|bebuj|f(mwdv|buik)|tszdq|udkmv|leeid|a(kvak|xzee)|hhgya|zelhh)|f(wgflj|ylphh|rnmaz|uytoc|vaunh|l(mfwy|sesv)|f(ungp|xvuq)|qberh|x(rclg|tkna|dpku)|e(kczc|ljnd|oevx)|mcfwo|jnqay|p(khtv|pxvx)|beivi)|x(t(vdqw|bcyo|fosu|ehzu)|w(goro|dfdx)|rb(soy|exl)|ardes|lgcoi|p(spzy|czzk)|dtrms|cw(jhd|vfr)|u(wocb|kzil|nzyj)|q(wgpj|jjsl)|n(xxom|jqtn|tkak)|ybbrk|mkmsr|f(uozi|kozd)|e(fvuh|kscs)|kq(oyw|izv)|btdze)|d(rfeed|d(zjdn|rxfc)|gy(vjm|osv)|x(dvlr|qnkg)|qstfp|ziiwu|eqgdd|afack|l(bksl|klrc|ryxi)|yx(jey|rzj)|j(ucnh|tima)|fuonl|sujds|mjpjx|tpsrb)|l(c(wjyy|bkqw)|u(fyuw|nqwb)|kmkxb|jjsay|p(cjmb|hpof|niev)|nzofp|qfdrb|z(epwi|oyis)|vjkge|b(caet|nsyt)|omkxq|d(wwkm|omyh)|yefnj|xoqnj|spvwe)|u(m(uqio|vvkf|skkh)|x(cwkt|wjbo)|uoutg|c(fjgz|vtfi|pkny|gabt)|pwsrq|i(fmzz|nlvu)|djyle|t(klni|wfkd)|gyaui|n(poyi|eacp|tdac)|y(fjfg|zcwa)|o(zrpn|vaeo)|ajnek|lfzet|b(igkw|rrtd)|wvbrg|qzpgt|ronaj)|z(wcznq|a(thky|lrhp)|m(egjj|iskz)|vfaus|qpupd|xkcax|rryso|y(hvbr|pudl)|janqq|uisou|d(jqga|eupj)|blmqh|sgjka|k(vury|kdht)|izobh)|e(x(melt|txjh|jhkg)|fxffz|p(f(xan|cza)|yhtm|gswl)|y(eyko|ciic)|ebidr|vowuh|inudx|gubir|b(vlss|erly|sbkt)|ssbaj|jetej|adrig|ribec|tqefs|znwbz|ozdio)|c(u(fukg|qzux)|l(nldb|qysz)|a(xzgf|hgmk)|g(axyw|fkca)|tzsku|h(rkjn|jfnv)|e(qgrs|ieyb)|jhios|d(pykj|gkba)|rjtqc|fgbjg|m(limm|viaa|qxfc)|c(vjes|ncmb)|neads|y(jxsc|dggz|tqck)|syvsi|vdzui)|j(s(wswc|aaxe|vili|ldvu)|b(lejs|oqpu)|azuve|p(dntk|kryp)|ghadd|o(ijjp|jtnw)|n(mckf|xmqo)|fjohd|y(ryak|hegb)|w(lzfn|nfvi)|u(hfaf|cwzb)|ddvlj|jkfag|hdogq|vwxmd|rgjbb|mkdiz)|b(s(vmfs|pgqg|jzwg)|h(qnsa|xxxa|orxw|klpt)|t(rmet|zasl|goyr)|wzfvi|c(oezk|syrx)|ziyhl|becwh|mwjog|g(ziop|pcgr)|kxuvf|vzfui|xfaxa|iqqun|qlsom|posfy)|i(jjfvn|y(qeln|usct|oprt)|ismwa|eensd|h(dvfq|nmxg)|a(mkej|shvz)|z(hfzm|gegy)|teimo|n(tvoz|jgpn)|cktew|bjyza|onbvw)|r(uuine|s(frsz|kqzn)|rhrvg|ytixg|j(umda|irnk)|t(evre|hcws)|f(wywk|pvkq)|b(zytu|fbde)|qanui|c(clfg|elnq)|a(xelu|cjpp)|gkxfb|hojpu|pxvni|mhhsd)|o(j(rmbu|ikla)|dhxiw|e(plit|keso)|c(cvst|fwxn)|mprfj|ycmas|qmlpm|vnvyu|ujtlm|teqyu|o(rffw|lfwe)|pkoyl|rmrtx|kedbo|wopyt)|g(lpaso|g(gjio|pgvk)|h(yhxs|jnoa|htyz)|vkkbp|moprw|t(bfqm|sbak)|nfztw|xxgcw|sulra|carzc|ihspw|jgnkc|wdgwu)|y(w(mcpm|avvr)|pyweq|uwvhi|i(wbbz|mium)|s(geih|ankf)|kecxk|c(gszr|jaxf)|rdviu|zjovp|o(xzai|ioec)|eqcoo)|p(s(amyp|bmqr)|ithse|ccjfb|b(wxyd|bwob|xxlz)|ncerv|ftuif|k(smgq|pkjr)|upcyz|e(s(oej|fnk)|zwyu)|veild|gomjc|x(eafa|zwfu)|qohvg|j(desf|tvtk)|tfehj|rycuo|zjlgd)|q(g(clbp|dvfp|apws|vtsz|sqyp)|w(ahzn|bfrw)|njtwt|f(ekpd|hbze)|xnuip|qydub|ikunu|tcrpr|lrbxv|ksxon|pgtgw|bw(ito|wzr)|u(bjct|gkkr)|vmkbg|cjxiq)|v(z(dkkn|newx)|g(gatx|ykur)|dsokx|iyjls|o(qqic|iucw|taff)|sb(esm|zfn)|wwzeh|md(rvv|bar)|axrlk|hzflz|bxlea|r(ypwv|ubjx|ikem)|vauov|xbhan|uehpq)|n(jcltj|tpusm|brpif|d(isvs|mscv)|nukkq|skdnf|enclz|wofac|u(bwum|pwyn)|x(ldpl|ydcc)|pkhyt|cxpng|yzysn|lplac|vtyfk)|h(p(uhhx|wzqw)|miylp|hzdvh|sbwqb|ufhwb|nyypl|f(rghb|mnth)|eidbo|z(muoh|epru)|vlebs|orwpn)|t(v(ysbw|qfca)|m(rsyc|jpst|doki)|tcdxk|fu(smf|okq)|g(nqng|eqzd)|pblmq|u(uigr|pmvv)|xzzhw|j(qfsi|fgnc|tets)|n(hzod|xvvx)|agcoi|ozwqb|exxox|hvjky|bvgiz|c(yazl|jfao)|kmkha))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633040; rev:2;)
# sid 2633041 includes 812 (601 - 1200) 6 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(o(vnvyu|ujtlm|teqyu|o(rffw|lfwe)|pkoyl|rmrtx|kedbo|cfwxn|w(opyt|kwpq)|e(jofw|pwns)|mukqz|n(rehh|oebe|nvmq|srup)|l(cofp|dgbs|knqh)|qnele|ascgl|fgbjf|dabfp|jhyyj|zyxtd|gxniu)|m(c(wosa|lqld|svxp|ciep)|m(obig|canq)|qwtdo|u(rlyu|tnyb)|sxcjd|j(aprq|bowx)|nuwld|y(sgxy|pffk|mncz)|znrse|r(bslc|atqc)|llhsd|ghvpi)|c(m(viaa|qxfc|xkls|jllt)|n(eads|aadi)|y(jxsc|dggz|tqck)|s(yvsi|tgpd|fllc)|h(jfnv|opzk)|e(ieyb|rpau|umgc)|v(dzui|pjoz)|c(ncmb|vxrc)|x(sgym|cxlm)|d(shhh|xtfd)|wkwvx|r(zqkp|fbll)|k(fagd|ascv)|bbabd|alatw|ovwxq|ljniq)|p(kpkjr|j(desf|t(vtk|lke))|b(bwob|xxlz|kpbj)|e(sfnk|mrrs|gbhk|wfbs)|tfehj|rycuo|xzwfu|z(jlgd|izrb|u(voz|wza)|flfp|ocxx)|maqba|qfvpt|s(qpkh|mtxu)|u(qqij|zfoc|eoul)|i(xmun|dbpg|oabq)|luwds|hdopt|oqskz|y(crcv|fuwi)|vxepp)|u(x(wjbo|bsgl)|ovaeo|w(vbrg|idex|kpgp)|i(nlvu|jqvn)|c(pkny|gabt|ffbd)|q(zpgt|uzon)|m(vvkf|skkh)|twfkd|r(onaj|fztv)|brrtd|ntdac|semkm|u(gaff|nsek)|faton|kjzkz|g(jnzl|sxxi|rkbx)|j(bkha|cvlh)|ybgsu|v(tstx|qotv)|hufzs)|w(i(ucwa|knal|jbkl)|a(iykf|qpma)|n(vilf|odyw)|j(vatd|wvvl|xtta)|h(cedv|apaq|kvhn)|v(eupj|soyc|ilry)|p(uzhz|frzz)|m(pjwl|iqlg)|k(cdfa|eznb)|qdbbw|eklur|o(eife|xdpo|vamx)|s(peni|jqxj)|z(fspb|kgqj)|l(tryw|qtgn|efgo)|bqmay|r(uumh|jard|dvxv)|ta(dnq|ofs)|yirhz|upfay)|k(leeid|a(kvak|xzee)|ijyyb|hhgya|z(elhh|zhls|unuz)|p(vyny|nxdn)|stajg|f(buik|ddjm)|u(jjtd|akoq)|yhmnv|w(nuxa|ueks)|r(ofzl|hitv)|c(djtl|mhnu)|jfeho|nozlx|vlzjm|q(owhj|vmbx)|mqccb|oaznx)|q(l(rbxv|wczf)|ksxon|g(vtsz|sqyp|pyxv)|p(gtgw|pbei)|b(w(ito|wzr)|rxng)|u(bjct|gkkr)|vmkbg|f(hbze|smnp)|w(bfrw|zaxs)|c(jxiq|bufx)|n(tayw|wase|njgj)|e(qooj|hdgu)|mxjpi|rbjxq|q(qgil|nacg)|xtvyu|jlkcl|dddgh|tprrt|zizcn|yqacx)|e(b(erly|sbkt|ylik)|p(gswl|wxsf)|x(jhkg|rcfo)|t(qefs|yhuu|kxqe|htws)|z(nwbz|zlrd)|ozdio|u(jgdu|igdk)|jaeqb|nrsmi|f(iwyb|uwtb|czmc|mfcv|wijn)|ldsbh|haeor|kgcnh|ceqio|e(joyp|bkkj)|iyhml|slyok|w(kphi|gdla)|rgrhn)|n(u(bwum|p(wyn|ydh))|x(ldpl|ydcc)|pkhyt|c(xpng|fedg)|y(zysn|hgqr|mkop)|dmscv|l(plac|gylu)|vtyfk|tgvvi|nkcvg|qabjm|b(pcjc|qiyj)|szlmt|aqkxk|zgjnq)|d(j(ucnh|tima)|y(xrzj|jhpn|wwmd|terd|snep)|g(yosv|xcpq)|l(r(yxi|dof)|buet)|f(uonl|srhc)|s(ujds|vmhh)|mjpjx|tpsrb|kxanj|a(wrue|lkhr|cywc)|wrydh|qzigi|n(zsej|gozg)|xslzo|drqmb|bauss|oluta)|f(p(khtv|pxvx)|e(ljnd|oevx|yxmm)|x(tkna|dpku)|lsesv|b(eivi|czjh)|fxvuq|j(dejy|ujca)|g(vmoc|perx|iacn|nvfc)|mrqbr|n(ylyd|xjhn)|zcbqf|y(xxnz|nqnx|vuxo)|v(jpnc|vbwf)|d(fkue|ysgf)|wg(cxw|eyp)|ugxnt|iyytn|heryb|q(mzbg|ezgq))|b(g(pcgr|rowz)|iqqun|qlsom|csyrx|t(goyr|deex|eiun)|p(osfy|pnri)|hklpt|m(aiiy|eaxe|jtjd)|xiupx|a(mafs|rgnx)|k(jadg|gjxz|nozh|ddfc)|l(wapy|hiqx)|n(yyfb|kfiy)|zebat|swusm|ezbax|vrhvy|j(dref|enjl)|dnjwj)|x(n(jqtn|tkak|ewld)|u(n(zyj|qzp)|svyi|rejm)|q(jjsl|acha)|t(fosu|ehzu)|e(fvuh|kscs|luvd|qpiz)|k(q(oyw|izv)|wtet|uahv)|b(tdze|rvxo|kbpe)|f(kozd|wewh)|z(bpyq|oyjr)|gjvxs|d(wqwv|gyzk)|lnrxj|ocgzi|cwfob|a(jsmh|yelx|lrtv|xcud)|x(woyb|oocy|hdjb)|hmwav|iobky|shmmn|rwlan|whflu)|j(hdogq|ucwzb|vwxmd|wnfvi|yhegb|r(gjbb|rvie|ifph)|o(jtnw|gdlk|eluq|rvlb)|nxmqo|m(kdiz|dplh|ffeu)|sldvu|pfxuz|i(tllq|mfmy)|x(rdxt|qudv)|bdzgc|a(yyxq|hkfs)|emebr|k(wcpm|dsqb|uvdp))|z(u(isou|dnfi)|d(jqga|eupj|zkzq|ppsn|stty)|blmqh|s(gjka|jijn)|y(pudl|yhya)|k(vury|kdht|awhu|exhv)|iz(obh|kqr)|n(veqe|msfa|ryvm|dtzt)|q(ibkk|rwti|pbzc)|tlxpe|a(sxwb|ytap)|fxflj|zqwyy|o(dvwg|pt(ys|bj))|hixmd|jiviv|xhbwu|l(lnrm|itno)|v(ksoc|hlyv)|wfbno|gnhzx)|v(r(ubjx|ikem)|v(a(uov|h(zv|ru)|bhi)|rqmf)|xbhan|g(ykur|zfcx|vnpq|uwfm)|u(ehpq|d(ypk|jej)|bptn)|n(dgnl|ggfk)|qczoc|bseqs|z(hxgk|jlek|vuig)|mlcxu|hhxzg|cmszj|absqc|tewdm|pyyzt|ldgha|d(sdzq|zxuo)|ixsdo)|h(e(idbo|wbyg)|z(muoh|epru|powx)|vlebs|orwpn|pwzqw|t(kmyh|saur)|ufbmb|smxur|h(nesi|pzhv)|x(anms|vryz)|a(gwoj|hxpk)|kkreo|cauvx|ghszs|flilb|y(miif|zsuo)|lsarw|w(pmku|fudn))|l(s(pvwe|xikj)|p(niev|fpkx)|x(ituo|qjuu|yjra)|y(xipa|zyyy)|c(hsen|lkxr)|hlemy|zsfil|j(osnp|cjkq)|micjs|wtjmw|qpsyw|n(xllh|dmwf)|kocav|gsxdq|ipowz|bukbh)|r(thcws|p(xvni|qfau)|a(cjpp|ozhg)|mhhsd|s(kqzn|rmmt)|bfbde|c(elnq|bakz|pabs)|j(irnk|oibj|pvol)|ebivo|k(f(qrd|jtj)|nuqv|ugoi)|h(cvhc|lulx|uxax)|lyvnx|gcebr|z(ecww|nqea)|d(ocxo|viln)|rvshf)|g(gp(gvk|wun)|ihspw|jgnkc|wdgwu|tsbak|y(csfg|qhni)|dw(yhd|wpl)|r(lqvg|zlxs|twbq|gfbc)|b(etnh|ffvt|iuig|rtkn)|qfhxo|l(vjmm|fluf)|o(wbmf|gxhy)|k(dxgh|raen)|e(gcaf|uhfn)|c(opre|gbjj)|zibpe|ptvql|mifok)|s(q(pmpv|riyg)|r(gwrr|eswn)|x(rcjo|tvrw)|w(mdgo|ijfy)|p(dptu|zyqc)|e(nxms|attc|ppds|xrfn)|hemhg|nxavl|gugvk|txmrg|auvux|sddni|m(blmu|cfdo)|iagoz|zyook|ymfnl|krnnq|lcrfs)|t(b(vgiz|beia)|c(yazl|jfao|zgzo|egtg)|j(tets|mhim)|kmkha|mdoki|fyhou|iftld|xpfjz|eophw|zmkgd|omzuw|hjcbb|gnban|v(hawv|gaau)|d(bcwu|z(nbu|dgj)|rxmw)|uwgbh|yklrg|pxgwr)|y(wavvr|z(jovp|zpqm|fdsv|ngcd|gogp)|o(xzai|ioec|bznj)|eqcoo|vpxfp|x(umnd|gske)|j(zzmm|knkl)|ioeyr|uucyp|t(znyd|jlen|lqgk)|shaza|ygppg|kbtth|mocts|gjrmx)|a(qqqvi|ntzal|s(czjf|uxgd)|v(seok|asui)|dsalt|telzk|lmflq|unfnw|afeak|m(p(bhf|avq)|rtjw)|rrhnk|p(qmjs|gt(ko|lt)|eaek)|e(ztam|mhqc)|z(zxug|uxjm|sauy|nkjy|drej)|i(noyy|vkwy)|gigix|bzwne|ouhvi)|i(bjyza|ashvz|z(gegy|trxw)|o(nbvw|pqsn)|njgpn|hnmxg|l(wzme|dhlh|gjfj|qrjc)|fayqp|ssjgh|p(zhko|byyd)|r(zijk|tuao)|tpnwx|w(xuxi|myil)|q(riuj|ohqf)|u(tjav|qcgz)|egfmw|ylwsu|mlswr))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633041; rev:2;)
# sid 2633042 includes 212 (1201 - 1413) 6 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.cc)"; content:"|06|";content:"|02|cc|00|";nocase;within: 9;pcre: "/(r(rawzl|lvhob|kgena|p(bhhx|wdee)|cntvy)|j(adsde|s(togh|fedb)|mnwfc|pvijg|iangm|bzchi|nfmcl)|f(rmslk|jnjgj|kcxcq|ssfik|liedy|xwxyc|qaccu|dxtzj|zjqkv)|n(w(avwa|ggej)|fjfoy|z(nezv|olbi|bnkd)|hdvaq|xkrnx|yiakn|kepsz|blbms|riutc|udelv|jiqbl|iobad)|p(j(mdtn|ujbe)|bdnkn|oitkk|pxczl|tpghq|sttvg|wlvil|dakmr)|a(r(qmhc|ytyo)|wxqqv|pfakx|ytyql)|i(x(gkxz|lhrb)|prijn|sbyzx|ihyxj|c(xgzm|iixz)|fygef|gjmrc|hlapi)|t(k(ixnu|gwpt)|orxtd|fbtbr|pjnim|xbjjb|tabzb|nrmpf|lhkhk)|u(bilsz|tzctx|ltvwx|vkvte|jheho|mbuuh|rzctp)|z(olfdc|dqify|bnsyp|gyzoi|sccui|lhqyy|eulqu|wvlje)|o(o(phxg|azzr|ltbx)|pbjjp|xilgx|rqwxy)|q(hqyic|m(dwhj|mhwy)|z(kaju|ejyy)|wmdpd|qwoun|xrlfx|nwsnn)|k(h(oabz|ycnr|ziza)|kcivo|p(hlwo|fgeh)|n(g(qrn|mbm)|ozgp)|jjkfl|vtapl|zausa|uppiz|aqdwx)|y(hivsd|jbryy|gnmnl|nnour|wblxn|mabij)|e(h(bvpz|wmdn)|vsaxe|yhxig|ehnsi|okeuu|pgpie|wypig|j(klbc|alqn)|qfibs|rstid)|d(r(yzpl|iihp)|pixbr|keafz|wnogo|avbxq|fooda|eqeqp|twror)|m(e(ljpw|wfqe|cbvh|ddsc)|girby|qnjzy|kijqw|pzbnb|xjwup|vqzhs|iqztd)|g(wvinz|d(qpnq|resw)|gikyl|bvruk|tbbfv)|x(gkowu|hmgpj|jyiyz|bfmmi|clbvj)|v(m(jnze|uifp)|x(rwbz|fcqj)|ztmcy|pwnko|gumzg)|h(n(hrov|vdqb)|bkjoq|thekn|jjjnb|rw(vxg|pau)|lkyug|fdiji|xczzz)|b(o(drub|fhuu)|zaxbn|h(mjos|bcul)|jtuqj|grevy|uevib|pnwzz)|c(btywb|rztht|prmgy|extyg|sjvvr|dkfyn)|w(dfczc|fplfb|geyen|xjgdi)|s(ffqco|ethbk|xioem|tznpe|huepq|whtcc)|l(t(ccio|tzdp)|cahgj|yhfdh|nofbw|pvvve))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633042; rev:2;)
# sid 2633043 includes 600 (0 - 600) 7 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(u(l(gqtgp|uzngd)|rgruxg|m(beows|vgzmn|qbmyb)|ivgxjc|djxskf|v(wjdzi|nawas|jylvg|rnkvr)|q(afvtq|nbnoj|rdwxr)|babctx|zicjjd|tguuxv|g(stnxk|xwgwr)|ojifub|p(cmzxc|eeygh)|wnybzn)|e(i(s(ilpv|buab)|onzux)|k(bzdup|hpvpk|mjbhe|pclsz|nhcde)|jgrluh|glphnh|vgtzwq|mbtdrh|hblqfl|b(iltsn|wxigf)|u(rceml|mmnxm)|tfuaws|r(vjwaa|exsfe|iboyj|pvdtj)|d(mthbn|axuqm|camzr)|z(qdypr|xbbez|lpizo|prmmp|udrnh)|lcctho|wpuhnh|cwamzg|asvmla)|p(c(zlmwy|oyixo)|m(kpzxp|opiel|ygine)|dbvdss|j(dohzx|waqyn)|i(rekic|ytbsq)|kpcwtt|z(uesit|kjiau)|twdrso|vbmkrl|ggveye|hvicsb|lwiqsl|quzwfq)|o(f(yxyxj|wfzjp)|r(rbtqg|nfhef)|g(jvhuz|yudsx|kgfbl)|ulzikr|z(efrse|trgec)|h(clcsm|oahan)|ygbfoh|s(fmbww|j(hsmy|gjkb)|gwzgn)|n(jnwtk|yhwqa)|o(iwfru|uaaxf)|t(rrepk|kyvqi|ybohr)|l(tyckq|jiaiz)|i(mwbqv|vslut)|brebxf|cfenps|xmeccr|phubui)|d(m(drosv|pmgoj)|xorgpk|wsbrvu|gexucn|ntmcli|a(berwj|mlhlb)|swkhca|tpydnu|ukfauy|brpioq|rptlcx|ztjxxz|h(dwpjf|qpibr)|jwwkca|ymemki|fyjfft)|y(s(boutz|cjbrw|yycba)|z(jfzps|wehez)|jyytmt|wlcxah|y(pspzv|vzbah|behto)|r(diizt|trtju)|l(ikyzf|zaxpb)|ixphqc|f(hudot|fawzn)|nhxswd|pphpvu|dwpdlq|hznnaj|cvgtrg|oiqtty|bivdtg|t(ozlsd|utzmi))|b(q(rfyhx|ttkgg|mfyqb)|g(bpxlg|vapde)|vctesn|w(cokrb|knbet)|x(imgpa|xnelw)|t(pclva|ytvhk)|pdkcqp|hupjtl|z(kpgts|vlskp)|s(exwkn|uyxnd)|onqqdv|y(wwhvw|xlhyf)|nejpap|rrgkfo|ubirqf|aftgpu)|a(dqaaea|y(fuqnz|urcyj)|i(efvpo|dktvn)|pwmwti|uxjgbh|lotnmw|e(wvidc|amybf)|f(zztum|swfqc)|n(favts|vemsy|mrmbl)|w(eqyfg|sfmwj)|vumhmj|m(yoenw|huttb)|aywuzh|hcskxu|goxlbg|sngnrp|tdkxws|rnqdil|jmvljf)|x(w(zrwiv|tzpkw)|ucnsdy|q(tnmye|jantd)|a(zmszv|yglaw)|fwczdx|losfht|nhfvui|xbnekk|rqddhe|g(rxgbh|tdlbd)|h(dzekz|ikioo)|oulrwb|efwcxr)|l(q(kcscn|evcdr|ufpfj|rrvec)|veyykg|wkhfql|j(bbtrq|ipkhj|jpeka)|gfqxup|d(eoxmn|uiuys|wbkwx)|r(tjkze|dvhfc)|b(ftwxy|xgyqw)|srjcla|osdrmi|hscgxy|ijalqz|p(hnxjq|vcrzd))|i(a(twwac|srlkn)|vhkudd|sjxssm|jbmgkn|i(ipoqk|gyvwa)|ubazut|fecfmh|pvvqlg|mvhgdr)|m(k(jfeyo|pjfwf)|t(mkcfb|lyxvw)|v(ncwro|grnxw)|q(vfbxq|rkndu|dwirh|lbuoz)|rvzqme|nxthiu|o(hevac|ihdac)|dlcmqd|lzhbet|uuvdss|zemcrj|gqtkaw|xfwwrp|ckscok|wikvzm)|j(jlbbjb|odlnpw|e(rguxd|zypdb)|y(kvzmw|vaipb|dcmsq)|l(wyssp|rjxlw|tqedb)|nlhbjz|m(tgteu|pucju)|declex|p(jjnqx|lelid)|w(sjuaz|frrlb)|iifzkh|h(vhgkb|gwugm)|vptkoa|tsjpkm|smiyvu|cwnwvx)|w(p(zofxo|wkbjr)|zgldft|amtaqq|cqvpjl|ouzxeg|k(cblzd|mgsao)|jdyhbe|qonnql|n(mdany|utgiw)|tfzqlz|djzigc|gwydca|xpestq|mkvfqk|rppmqy|wddtlo)|c(kpyztf|i(oazzb|cpaai|uhxxn|qr(bsv|akp))|l(mpewr|wfexr|ghvwi)|r(vajlu|zgqvx|xoyte)|j(fgkfg|hprmn)|gdauaj|bwvxih|yzbdsc|x(ywfen|ziupa)|ny(cwli|kthi)|z(avdbh|hkoze|lxwiw)|uaiqrb|tuchrk)|f(v(wcwpp|fmwaw)|o(almez|bdnre|jpmxu)|m(dhlmx|qvdhc)|nkfxkb|zavuzg|gortzi|d(rysgj|kbxgq|ezjld)|k(fbqqt|tvavb|hupkq)|swylsn|q(thapj|mmdja)|x(sisvb|ticdo)|pmvkgk|uvjdcp|ydphxi|ctsjhz)|t(o(tcxor|kydln)|wyrtye|z(kqswn|uuird|exiov)|h(njjww|cuopn)|yjsqco|i(nvxhf|afjud)|auyoqn|l(axvwr|yuwic)|n(d(ahyu|ggsr)|ctefo)|tdfrxa|uohjzc|kkgvht|mfnaqy|jcqvtc|c(garwt|jlubo)|quxwww|x(blfsk|rxgdb)|pjvgcb|vlcefe|rsiblb)|r(y(yintv|lcylm|gssav)|a(mufno|koyck)|l(eyacm|lozxn)|t(qdrrv|aqcew|zeznj)|guqjce|q(mocro|ktkya|lehpt)|u(eyptw|pyysd)|ekmvtq|ohxxpi|mfzekv|cxydmf|zdmqmz|vytvwb|fmnvdn|p(nnocm|dqeeg)|dtsate)|n(kqfhma|bckhzf|d(qfhuh|yegoq)|hfiatd|sjlmtx|a(nqygm|keyek)|piiyti|wazwto|vc(ouke|cckm)|oopqlw|g(ymuiw|gxmdt)|x(evnez|idlip)|t(huwip|njrjb)|m(jhkvk|mfhxe)|zpjuno|lgpmjz|ijandx)|s(l(zucvg|szffr|fmmha)|h(iofev|wojlx)|uuheei|t(edzze|f(qltd|kkzn))|o(numsb|unxxa|rmocl)|n(zbvds|hzguz)|b(dgpcw|ldkul)|w(iamie|ucktc)|zjgazg|yncmgv|vtritr|muxbnl|dlzpfk)|k(pmqvgi|k(wcbxb|aqkvo|sizly|nftkz|xgadv)|z(upiod|ecvfp)|o(mxdys|bxruk)|x(ponmc|uxfaf)|awimpq|fvhqsc|gxtlxv|rdbsou|daukiu|nirgjj|u(jsupk|xtxxb)|qdbgss|lyeull|ifinoc)|v(prizkn|t(aitqi|xjaai|ddotu)|d(njwvm|miieb)|m(phgbv|ohfyl)|v(wggir|uzvky)|lchfly|k(zhrzn|ruarp|etesy)|w(gdbmr|odqch)|uylzim|ejrhtq|xbarnb|bafnda|siampf|aciqom)|z(vcadab|as(xskm|acjr)|c(a(hatq|xiww)|lyiis)|r(fckrb|bxsoh)|l(zxjme|vrrki)|ucsyew|wyazgd|xzzhlm|mxrase|e(mrtlj|rdryh)|b(netwb|hpcfv)|nofwci|jyvnww|ynhivf|htneoc|grccnj)|q(aeprfd|cyacnx|h(jwjbl|qcpge|tcgrk)|m(fadrq|ntkou)|kuwnra|gnxrml|b(xnpxv|dngvw)|rujenq|nhycvc|uvpool|laiiee|olzlkj|v(mzqye|rdsll))|g(clkmce|i(zmgfr|kjztx)|x(ezbuo|rbotr)|hgwwgl|wtfsyu|gcguzg|argphx|kumbqq)|h(a(dcfcd|nfvsz)|rufygc|n(mqwui|vpklo)|y(znjli|sekbu)|q(xjdkt|adcvy)|z(mglyl|ryntc|gfedg)|tkwaeq|m(ygaka|wnzox)|dqwtcz|blfund|h(zpzmi|fxevk)|l(fmsqa|eofkl)|eqxzuv|gipmaa|xwqynx|fgliwa|pyugor))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633043; rev:2;)
# sid 2633044 includes 826 (601 - 1200) 7 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(e(z(qdypr|xbbez|lpizo|p(rmmp|ldqv)|udrnh)|lcctho|wpuhnh|knhcde|cwamzg|asvmla|r(iboyj|pvdtj)|u(mmnxm|quoel)|dcamzr|isbuab|vqlutz|o(hazvd|pjuto)|x(fmizb|ngapu)|q(hjctp|erhes)|gdrypp|njyuot|erzbqg|s(ktarm|ykjec)|ttjoem|plfaam)|n(akeyek|x(evnez|idlip|hffmn|unwzc)|d(yegoq|vozkx)|t(huwip|njrjb)|m(jhkvk|mfhxe)|zpjuno|ggxmdt|lgpmjz|i(jandx|rihsg|clqqa)|usjywd|eqpofb|wrebco|n(ffmuw|awkyx)|sayvlg|rvxblz|bqlqty|vuttbh|kwwcnj|jbemwg|orucdx)|r(a(koyck|cqcxx|lvmll)|upyysd|v(ytvwb|flufz)|f(mnvdn|tkobf)|p(nnocm|dqeeg|txjyd)|qlehpt|dtsate|ygssav|bbslvc|tslevj|xcaadi|z(itvfa|coeyx|gwvts)|c(eqpdq|srxkt|qnhwh)|rkahqb|lcotam|hvzzvz)|o(i(mwbqv|vslut)|brebxf|z(trgec|nvrnz)|cfenps|t(ybohr|aepln)|g(yudsx|kgfbl|sjanx)|l(jiaiz|sivxu)|x(meccr|syzly)|n(yhwqa|rqcmc|bbqej)|p(hubui|wwznj|baysr)|e(kdvsj|unrjh|dgvdk)|vpsimd|uvblnc|k(waptj|yexue)|fjkiui|rncsbe|o(miklx|bdhhl|gviiy)|q(ksnsw|alxnx|zmnkw)|sigljy|yvuskb|jrqlvo)|i(u(bazut|cnqzz)|f(ecfmh|jxxmi)|pvvqlg|asrlkn|m(vhgdr|lybwo|ebzva|qwlsq|zbbmg)|ynxfrj|jzdmgs|q(ohcgt|ruttl)|h(ignyt|bupxo|ftpfc)|k(weyxw|mmtzz)|ioivkj|loxuey|zddfxq|c(yoxto|hlvhk)|nyukue|dklfnj|wnptpw|obgbrb)|w(g(wydca|zawre)|xpestq|mkvfqk|rppmqy|w(ddtlo|vqccd|wygeu)|k(mgsao|jmyqq)|d(liisc|aaaom)|p(coztu|vuyvo|aeqoa)|yutliz|laconx|cvjoxo|jbaghe|ouhrkl|b(wvhyp|ionhq)|h(tqdsd|husld)|q(kmxhs|h(fxbw|evvv))|tabzyz|azbhje|emgjsc|sgxpah)|s(y(ncmgv|xkphb|tbvqf)|o(rmocl|ammfp)|v(tritr|sykvz)|m(uxbnl|pycqj)|w(ucktc|dpbje)|tf(qltd|kkzn)|dlzpfk|bldkul|nhzguz|r(fggls|pudqq)|a(qfvsl|fxjnn)|e(yrupz|lnrar)|karojt|qvmrrc|jpphpl|upurzw|c(devsv|wexgp|aroum)|znvddi|l(hbvcx|maoll)|f(amjyb|rasqf))|f(o(jpmxu|llypa)|dezjld|k(tvavb|hupkq|rumqq|ntxko|lhzju)|pmvkgk|x(ticdo|rnjmn)|uvjdcp|ydphxi|ctsjhz|tdupyu|i(rxxzu|nfvrb)|gchjut|m(pwuyq|bgdow)|v(dlfpt|kqump)|z(nvrmf|vbsaa)|bjjqgm|fkcdaa|rj(oyni|ygql)|eamozb|wcvjxi|qrgntn|j(faaiu|wxaxv)|adgktp|lsltym)|g(i(kjztx|hmmvv)|gcguzg|argphx|k(umbqq|ytjbp)|fomqqh|woqcbq|urdhvg|s(ruszl|xcseg)|dooeyn|p(ozlxr|wblbx)|l(ylmcj|cfzcw|hfiks)|qigzyp|bgwhff|tobkng|emqmea|z(vmkvw|zmanr|ownxh)|n(rfwkr|viovn)|m(jyqni|gbdit)|jlhphb|v(ljmzi|bbaga)|xlwqjq)|t(c(garwt|jlubo)|quxwww|x(b(lfsk|knnh)|rxgdb)|hcuopn|o(kydln|ulvpt)|z(exiov|qeiln|szjuk)|pjvgcb|vlcefe|r(siblb|adqwd|ninat)|abqzwa|dbhddt|fvcdkr|k(xkhyv|ubynh)|miflsf|gesnfs|lxaqrr|izadax|nrwfyg|bzlcsg)|c(j(hprmn|bxizv)|u(a(iqrb|yqea)|hgatq|dolgt)|l(wfexr|ghvwi|qcaxv|ehkqc)|r(zgqvx|xoyte)|z(hkoze|lxwiw)|xziupa|i(qr(bsv|akp)|pjkji)|n(ykthi|qwwrg)|t(uchrk|zdgzx)|o(zwoxq|urooe)|a(zrjiv|hxacr)|vdrygk|hchknz|c(ehgmm|fjpdm|sleio)|fgnycg|d(wjrkv|kubvi)|yrfsle|wgaepd|geltah|slscmy)|b(y(wwhvw|xlhyf|qapwb)|n(ejpap|dhboy)|rrgkfo|u(birqf|mqaaj)|t(ytvhk|tejjy|btvsb|uaeit)|qmfyqb|zvlskp|a(ftgpu|pxopy)|d(u(lpcs|pqfz)|kvmue)|fhozxf|v(tnaui|evhhf)|x(x(wyql|xvrm)|uqjow)|kjadmu|cjwrjt|scmvbr|i(irqjf|farvp)|buwrve)|h(z(ryntc|gfedg)|nvpklo|h(zpzmi|fxevk)|l(fmsqa|eofkl)|eqxzuv|g(ipmaa|lwcra)|ysekbu|x(wqynx|geohp|jqvre|rbknd)|fgliwa|mwnzox|p(yugor|iqtec|qxujp)|qadcvy|r(qxdjj|xwock)|svrfpq|o(cfxsd|ovpvm)|ipiiyx|a(shshl|acdax)|t(zjxmi|kcukq)|vdxbzm)|u(g(stnxk|xwgwr)|m(q(bmyb|rvib)|sexjk|zkyrh)|v(rnkvr|kuqdh)|o(jifub|mnfrn)|p(cmzxc|eeygh|rtlfl)|qrdwxr|wnybzn|y(ofoqs|lgyun)|herqmd|l(wubzf|xuvyj|ualiw|eytss)|rpimus|k(enzvy|yilsj)|dbvqhv|supqlt|akrfmk|f(zfekn|oqgwx))|v(x(barnb|cbpcx)|m(ohfyl|vetki|bgpoj)|bafnda|d(miieb|zgusw)|t(ddotu|jvwjm)|s(iampf|hhkqs)|a(ciqom|habsc)|wodqch|nxtdyx|psangz|v(qvpwj|gailf|ikfuu)|zfztdc|ygxucp|hvxfpo|elrwcm|lcevzc|ilpyux|cicmwx|r(iawhx|qamzc)|jfbdcv)|a(h(cskxu|mcnic|jxgdd|ezoxk)|g(o(xlbg|kgbi)|csbja)|s(ngnrp|tgvxd)|t(d(kxws|zlow)|tirdm|nvnjs)|r(nqdil|dtgth)|f(swfqc|jmrwl)|w(sfmwj|ytpoc|loroq)|j(mvljf|kgjdq|fooom|czjkn|wjdvs)|mhuttb|e(amybf|onxuh)|i(dktvn|msrlq|bmdzm)|kkfsoe|pvoxis|d(gqqld|mojqq)|zaucpu|yffbot|xuhqdf|cfkccg|b(vsvog|xakpu|wiupv)|qbqkzu|oexxgr)|j(m(pucju|vnvju)|p(lelid|omdad)|l(r(jxlw|mdmh)|tqedb|qqquu)|t(sjpkm|fiqsu|oanra|rwzrk|vasla)|smiyvu|h(gwugm|hcjpg)|ydcmsq|c(wnwvx|xzkjv)|jwejpe|x(pckts|cmyiq|ljdap)|k(wobbp|zxhpl)|f(kgkxz|ahqcp)|glokdi|n(whcox|imjns)|vmmzbm|i(olclb|zzhhw)|uiavcu|zlhboi)|m(z(emcrj|pxnpn)|g(qtkaw|erxnq)|x(fwwrp|atmuf)|v(grnxw|oibyz)|q(lbuoz|uyktp|hqmrw)|ck(scok|oznz)|w(ikvzm|eyjdi)|oihdac|p(jkbgg|mgwka)|y(fzuay|pcfuu)|ltenfq|u(pmqdw|uxnkn)|d(nwlwh|hbtxi)|kvmpwq|r(uurui|rgqwc)|e(bnhuk|wdkub)|s(ztqmh|nynxr)|tdntsg)|d(ztjxxz|h(dwpjf|qpibr|lvhfa)|jwwkca|amlhlb|y(memki|bwhmw|soqev|aafhm)|fyjfft|e(b(gbsk|lxae)|qpjwp)|w(cwwaj|sjcvu)|nbpszn|scvqgm|x(toxrm|fvins|dwbia)|ggyaei|vomliw|dangii|bnkksk|pfilaw|cbhify|lveymd)|l(j(jpeka|emgxd)|ijalqz|q(ufpfj|rrvec)|b(xgyqw|eiwcy)|d(wbkwx|yfacs)|p(hnxjq|vcrzd|bxroo|dzxln)|rettvo|uznvbe|klrpvh|ybgavh|vpgdme|w(mnhwt|vmumh)|e(pgqph|aspsx|oxspd)|gkjgew|clapso|owgqmi|zxvtii|xiwnek)|p(l(wiqsl|bpvwp|fpqxb|dzejq)|q(uzwfq|x(tcco|mlwr)|homof)|z(kjiau|mkgbq)|iytbsq|mdzied|r(opyko|frglb)|y(lkujx|jsltd)|k(rdsfv|xnlfu)|dqshse|p(n(rsor|twur)|yoerk)|aavqnd|tscxdb|u(ezcby|aacqe)|evgimp|wxwphm)|k(xuxfaf|d(aukiu|tjllw)|nirgjj|u(jsupk|xtxxb)|q(d(bgss|kqih)|emtcr)|zecvfp|lyeull|i(finoc|jecei)|to(spah|fdxm)|o(akbxn|ouuej)|h(ntobr|yinkl|ogaed|gtkee)|wovvub|cxoypo|kbmldr|r(cping|leeix)|egcanv|phghjg|jexzyc)|q(l(aiiee|nxrkq|ehfig|dphap)|bdngvw|olzlkj|h(tcgrk|wheem)|v(mzqye|rdsll)|zwujsg|a(lkrro|bktvp)|rhbkne|qatjwh|g(yxzht|bknur)|y(zpxdy|tghvz)|jdioqx|d(negoh|fiejz)|e(iatxj|ssjqe)|m(jiyxw|zpatu)|p(iqopa|xytbs)|tcpnzb|stvmix)|y(t(utzmi|okpli|nzvgy)|l(zaxpb|xilpw|anata)|ybehto|v(epqeg|lkxvd|boojs)|ihfvsk|x(somlg|ugkhl)|j(cknll|sqjlx)|dblzvq|otfndi|a(wbdnf|jmiqx)|n(mqgzx|jrtrl)|u(nanzx|edlfl|tuwxx)|qyqqlw|figdyi|pddydj|sjqxko)|z(b(netwb|hpcfv|mkelp|srdyy)|clyiis|n(ofwci|xifyf|lrjof)|j(yvnww|rcbpr)|y(nhivf|fyaqf)|h(tneoc|km(sdc|lwd))|g(rccnj|kpmqb|azgcb)|lvrrki|f(vigfc|gpodz)|kmfwle|t(pejvx|dsqvu|fxuvm)|uyiauv|aneenf|etcgst|znbedg|otyvjn|r(ybrqa|hoito)|iuiets|qbaefm)|x(h(dzekz|ikioo|enwpg|yuxrw)|gtdlbd|ou(lrwb|xjwq)|e(fwcxr|hsdhp|zuydq)|i(fmukt|oqdqr|sllfh|ppxoy)|r(wutif|htkav)|n(wfews|houae)|k(qldfa|daemf)|jhyxyc|l(mkjvf|yhrlu)|mbvphd|tswjzf|zlyjft|x(elspx|avvfj)|alfuzh|bmclli|pdjjer|fkegwu|syixkw|vfjmuc))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633044; rev:2;)
# sid 2633045 includes 226 (1201 - 1427) 7 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.cc)"; content:"|07|";content:"|02|cc|00|";nocase;within: 10;pcre: "/(n(ylsmpa|grahvp|huquoz|byikpg|qyudpv|esgpbr|otsjew|rfqarf|svswew|jtlmcr)|e(jdreeb|biwcwi|lnoilv|nxqepy|knlbtz|fwhbto|gmhrzw)|y(lbwvje|dqepuc|qyqndy|vmatfy|pnpgbx|cttyli|zedgga|y(dkpmw|cbqep)|baueut)|d(voysha|lgubds|edkthh|mbrymg|b(aldyy|inmrh)|azctiv|nhslmr|ygmjwn|fibsrx)|v(cmzgmv|zpyqbo|kywygg|phpjvw|wkgfkt|v(ghhhb|xsmsl|ebqnc)|airafp|mavoaa|edmefw)|k(lofotn|cnfufr|t(wnxgh|oubhj)|polexw|u(iizlk|xreff))|t(c(dmdyt|tjtfx)|medufw|plqggc|r(ygymz|xevti)|jsazhf|dqmxwj|f(dcsyf|kvfxc)|xsoxlo|gyqkck)|c(q(fyjgh|vevob)|attgga|vntqlv|pairsu|cfrzdh|wcxzww|utquii|fxadbd|zzqhew|lpatzp)|z(skbwzk|mrdomu|vtvzcm|o(tqmni|nekem)|qbuvpj|cydtfb|ddaohw|ehrvet|htrowl|bsajtx|y(gkoir|oitpa)|islbgw|npnxcy|ajcnsz|llrwvs|uopgei)|w(bmhbsj|znxhyk|j(uhelp|fpgvq)|vquppi|ylyccu|m(hhess|fjzwi)|dwxesq)|o(qhjyyz|gfyvpp|kvlels|tsqqht|f(zxwzs|projl)|nygpql)|j(rkoacm|zpkspg|clvepu|mfutfd|vetgnn|jwqmlf)|i(naoekt|ybjtww|cdvisk|sxmzgi|isxond|asgenx)|a(rjevms|fqzvnx|awyfby|k(bqjia|ebmss)|mpsunp|earnlw|camaxu|wlxkcq)|l(sxpgxg|iscslq|ukcjnn|vsdrvm|zwbnfj|kyfskx|dlmxts|pninet|qtqiqz)|r(j(djfxd|kzzyq)|lvtwga|uuoxlu|gjvksy|xsjiml|hvcgqo)|u(f(ldkje|kbghk)|dfgwwy|erzhln|b(nxxpm|qsxgw)|q(bqfht|peltx)|tnivzw|a(rlimn|ksoly)|kaurzc|hlzmnh|litnhw)|s(yvrvyp|s(usdic|hortj)|tncjog|gflley|pbgaos)|g(fmjfrs|tdejif|r(ysymd|ijlmd)|mzpvix|uumkgu|amkkdi|gpsygz|zumreg|lbdttz|vxckzv)|m(ilmjks|mhkepd|gxchph|zitamn|vfwzkj)|f(ytwtmh|iqcnnx|xfafzo|motuwf|lywbhq|ekovuc)|q(itrqbl|g(joigz|ooeoh)|taldgw|v(aykka|donsg)|mwjjtt|qkrxyk|pbrlpe|zrcgas|offhll)|b(yhlbig|ahvvxj|udpzuh|zcaqkr|xacqsl|bwcluj|fankmv|snpydk|qhuoyp|nfyhme)|p(sbkaam|krcpql|jejqik|wzsjdz)|x(tufkyo|rqkqxk|mlqhgy)|h(isewyb|w(givmp|ozhlb)|ozpleh|nbxqao|ralhhp|tlvcyf))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633045; rev:2;)
# sid 2633046 includes 600 (0 - 600) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(w(o(jpnhwk|ynhxdh)|zicgwzi|n(lpiiof|buaovr)|t(bzfuei|tldyly|vnkheo)|sw(jgraz|nahsk)|g(juxcdl|rkftaw)|hfajbly|lunvolv|qgariac|auwwpzb|r(fwfato|nhckbp)|wesfgjs|foreqsb)|c(c(pzbpdf|vlcdrt)|v(qedllb|lehouj)|k(caasms|fqmtra|zhegkn)|t(omdwyj|iyyxok)|m(utlsqv|mplyll)|znhaxkn|q(uaankz|g(xgjme|urmze)|zhhjpr)|pmcfgzh|jqlxvdz|ngtvfnu|bxvowpt|dfeflkb|hwduxfw|fydxgms|uigzihz)|o(j(jvyuff|vymxrz)|eeqotyt|k(ehblao|pbmgyr)|y(bgrjyy|eleaxp)|q(poonlm|chexbc)|d(msexmq|jzkmql)|l(klllrn|elivvl)|slllstv|umhljez|t(atebgi|tyvtzy|peuzoq)|osmaoed|icdqlus|n(eqwbur|vytrjv)|mvlafhx|bergrvx|rzgmioi|vvzshks)|v(fyhrywh|m(ibjlpz|wbxhnr|owulhu)|r(qyzcgt|axvxul|gofvhl|tjboue)|tniejyk|w(fkgcye|mxoqif)|v(lsesgw|xotpcl)|i(gyfvjv|wbyqes)|hymgusl|bcdksau|y(yzivgj|xejani)|l(fqjxag|cbziba)|gsokkwu|zqwskrd)|b(s(sdtlve|jlfrcz|kixsly)|g(scmgzs|vbalpn)|teatwju|d(nutdgv|oqfyyw)|zygobrt|b(exxkds|tycwxr)|k(crpecf|jqzhjg)|l(mncrai|iutoru)|e(fzhzka|hwtfif)|f(hjfwxh|ykjzyy|jnzzum)|nvathka|x(felduu|zjzmzv)|i(kbirkq|eiexxl|bcpivt)|rjfgfrq|htclixb)|x(i(jacexv|efnppb|rxawhz|twruku)|jlvdsol|f(ptcluo|eggdwb|gqwxdw)|leqvmyv|gfikakp|o(bpgugc|ykesku|mcqnqv|lvibpb)|d(hlbkpx|jjjqyp|ntgdup)|kovyoyv|npzqboh|x(hykrdy|etgnxi)|y(fknbdf|jtyzot)|vspuhqr|qpspmdo|mvyxlgk|rzxysln)|s(r(txytfi|mxxnfw)|p(ckfnid|fqtscx)|cwvoppk|agssywf|lzlpgpb|trrzyiq|d(ipywnh|kffcsn|g(saaxy|rzpre))|oefwhun|stvmghq|v(jfonmh|tcljcb)|m(hhpljv|czfnzv)|eoyadhv|x(wtsmlu|mxhskt|ddfoeg)|hbgsjeh|jzomguj|zdsgwhc|uwiokaz)|l(k(vfxxja|pjjvtm)|lzbvyrx|miemeoy|p(ipximo|jjdivq|eaxngw)|yfzydgp|dfuefjs|b(hcbgap|egilks|bduqcn|lnlnmp)|qczchku|n(jqcuch|aiwrwq)|xvlfdmo|zeedhiu|htgowuy|cvisotu)|f(p(mtybfm|azujpr)|ojhwxij|vabqncr|x(xrpasx|pwnphw|deudiz)|w(dpjugx|combqt)|cbvzlec|ftdzazo|l(uximsn|lznynl)|k(cqwicg|ozolxj|spcrqi)|richqtn|n(zucoxb|sbfdsu)|j(eqrflg|gqrmnv|okttfi)|ibjmddb|sintoat|egxywcp|uxwmrwa|mpcmhjk)|z(rdbhbdg|q(piwnpz|neaqso)|h(ansrnp|lhtuet)|o(tonlda|eeyutt)|ktezojs|sgaintm|ezylddd|njvvkpf|y(fidyvp|grxwct)|t(nzdwhj|ratyqh)|glskpai|mlvaiay|pantgqq|xrfuzgs|jknadup|z(xbdhyi|ldevax)|vtidkaw)|g(ni(pxewf|atims)|wupwhly|gufyszm|bofrpqx|xo(gltac|srnfk)|r(rpkgef|ytzskp)|h(qwxqba|uzavet)|muieauu|j(naaolj|delzcz)|puteuzi|otiixfr|akdport|klhkshv|uvsbark|cmyblpl|lwvlitt|fkiqnyj|y(sexwru|kaqxwa))|k(sqipcpj|zfydunl|labztjv|f(xhcefn|zjedoj)|g(wnrsxu|zhvssg)|cukvibn|n(dtcaqc|bqunfq)|y(lkzice|fftsec)|i(vxguke|ldmskz|k(kxdxf|mystp))|t(oyezlm|etadil)|htblqcn|khmmrut|q(zvsnti|vznkzk)|j(jmelsf|viaveh)|p(zgfzue|ijhsyf|tnjsre)|e(fdfggd|zcessl)|dlefchu|bmrkrqu|vnrzofj)|h(njlkhro|k(izieht|rueesi|lpchmi)|ahodtap|iccntkb|t(kkojbe|cswckj)|cifgrsm|eqbtnhf|z(orqdcw|qyydbl)|o(zqpmdz|mvxjtt)|mxiwguv|bbvruwu|prhnsbj|fntuvzj|urgwarg)|m(m(tgdfzb|lgykag)|t(olygqf|iamtkd)|nuixzhh|qpsmwck|ezuqgrj|p(mfdext|iuovrb)|bhntqex|s(qstlem|wzfgly)|cbntwyo|u(wmkfmb|fglvwo)|lmmafjh|o(njabdw|fdxqxy)|heiwhim|w(nzsszs|ksrsuz)|jrxxhqt|djnikvx|gvunwpg|fszssmq)|j(uciwcos|rkgqvaa|h(ncttjq|qqqynx)|w(zctbqu|fseand)|e(zmqypn|rzpqko)|fkdhaqi|g(qexchd|amnnhl|neslze)|yqapjsy|sykmtbe|ivqfioq|crggncr|mhbrtgg|vbggpns|naihkhk|putlnpg|kpyqajp|dtiysvl)|d(y(irbonl|qxmmlc)|hylbzsa|v(nggztj|cdybol)|c(kxnuod|mdkoly)|p(hxqnxl|phkfvt)|rwsarxh|w(oydzqc|rfnswh)|myeorwr|f(kvbmaf|hhiega|ovfhjz)|dlzntud|gkmvsmv|idrfdrm|sjjxvvz)|p(p(rtpqvv|afezam)|akpafkj|m(ltkfju|jxqqbg)|ebmojjc|krbtixj|s(xxyxvi|mgdeml)|vnzijkh|q(cawour|ujjjqz)|r(mmriho|stwolb)|deurvzx|hdqtsyl|owbqgux|g(vyswsq|ugyfbo)|tfkvhlg|y(bkkzku|wjchnx)|icaktyb)|i(z(lgyfyr|djkgsl)|dcwbngx|n(pgmedn|xybpqm|mckzpb)|hiblswt|pyrygzb|vavahfp|gxzpzwc|xnxdxyd)|a(n(mcuuyh|qwmmvm|jahzsz)|q(pwayvj|umqrmq)|jptkjrj|d(jdivfm|fjrlia)|cghygqi|hcfhlpc|otctxfl|u(aniomu|dfczwl)|aklpluc|fqxdhhf|w(svxxyt|fvouys)|kxzthho|mmmfwkc)|e(wzwhrzq|muphbht|sdvawey|isxdaln|pgwyubx|qcdtffc|gsrjfrd|xelkjns|ytwlexs|f(eqitdu|gfdlgr|ykzxzc)|jhisein|bnindny|djodkkl|r(rypste|hxabhl)|arlwwms)|q(zecythz|a(bugyic|jsqgwl)|x(lmqicb|aeusqb)|hkfbdda|i(evlxen|omoedh|t(hbtcw|prxtd))|fvdzhmn|w(wihckx|qrsfho)|rpbuvcl|o(f(bumzh|qrtmv)|hpadfd|nsfxge)|ccadxok|erdthli|bicxlrj|qxiqjmf|sdevuhx|kqrxltl|tbmjygk|yizrauh|mkjneni)|r(vgskzuw|rpclboi|kkdjcpw|lhqdnxz|z(xopnls|pdqopx)|qncerqa|wscoaav|e(gpdpui|vrzzal)|paznnpd|nm(ujzqj|hspwf)|xoarcdk|fhjfbse|gebqfky|tyvwmhk)|n(v(lxmquy|wxrkiw|urgfmi)|t(cveyhv|wmaapw|jqrsfl)|ivvrrno|faxdwjt|melfsto|pypykfk|qcahqdk|avshqxa|u(gzdzgp|lzmipa)|e(f(blflz|hnewo)|aiogfk)|ruhxydk|ddpbnrf|zqtcidt|kyamqwi)|y(x(rkghzg|xbtgrx)|htitsjp|jyzjdds|s(gqigtn|vkocly)|bpwystv|o(egvilh|tiliqd)|znhaszb|w(eykkqo|rwwntt)|q(bqzhuc|uecdjz)|auljcjn|cdfursl|gaqotaj|uebypth|dundtfn|puakqdb|rkybynn|f(bebkti|ekclhv)|lddoxgk|nglotot)|t(v(ivtyzl|s(fvlzx|duwtk))|j(o(vmmhf|zsjal)|ktrwac|bjpwuf|jcikcy)|frxefcs|u(kvpgdt|tvgfbo)|z(sxhmct|eiuqat|jfjzwk)|czwyrwg|k(qiydzv|jwczij)|l(cnyqml|jjqani|vtrwww)|r(dlhvkd|cjcegr)|e(bdnuay|kndzdx|lcchva)|sryowos|bytspor|d(btypmn|gdjpyg)|gzhmsde|m(rqbjfg|vhrtiu)|xmwirpw|wlnsgxc|isqmlsg)|u(s(mxgnnx|hlnpvb|xpitlh)|llmxwiu|x(hotutg|qistkj)|c(pkfydn|ngsmbb)|rddebkq|m(ynvivb|fjmvjo)|jbrkhpx|bnwzzze|g(aexgyb|lrapnh)|aqmpqst|zoyckmg|plljwbw))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633046; rev:2;)
# sid 2633047 includes 1200 (601 - 1200) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(w(o(jpnhwk|ynhxdh)|z(icgwzi|vfplas|mdclkw|axsdcp)|n(lpiiof|buaovr|prwber)|t(bzfuei|tldyly|vnkheo)|s(w(jgraz|nahsk|lgjio)|seumpa|bngqbs)|g(juxcdl|rkftaw)|h(fajbly|ogyfjw)|lunvolv|q(gariac|wkemjp)|a(uwwpzb|htmqdc)|r(fwfato|nhckbp|aewfbx)|w(esfgjs|phbcjn|nouhmu)|foreqsb|itqrmbr|btsqnpa|m(rfgjvi|thvhyq)|e(dniqem|hvytaq)|d(inogot|ddtclh)|cxountq|u(xzhywc|lckgst)|xdsadae)|c(c(pzbpdf|vlcdrt|blzlme)|v(qedllb|lehouj|izpgje|yrdetm)|k(caasms|fqmtra|zhegkn)|t(omdwyj|iyyxok)|m(utlsqv|m(plyll|qfgxw))|znhaxkn|q(uaankz|g(xgjme|urmze)|zhhjpr)|pmcfgzh|j(qlxvdz|rmdyfh)|n(gtvfnu|qdswvj)|bx(vowpt|coxgf)|d(feflkb|hofplu)|hwduxfw|f(ydxgms|pbbqfx|qtdtlm)|u(igzihz|gixhti)|y(nrkuao|ycdpmk)|a(sfziwy|brwadv)|o(kmmphd|jgbpfr)|lsifhrw|x(pgloar|mdaxjz)|razzyav|gjpqnix|ejzmzut)|o(j(jvyuff|vymxrz|tlfhvt)|e(eqotyt|pmoayf)|k(ehblao|pbmgyr)|y(bgrjyy|eleaxp|wylrkm)|q(poonlm|chexbc|hlxuzn|josrkb|xmzgiq)|d(msexmq|jzkmql|ehwjns|waqtvt)|l(klllrn|elivvl|anwhgd|nogryl)|s(lllstv|weonxa|pakvnj)|u(mhljez|sijvjs)|t(atebgi|tyvtzy|peuzoq|ebbgib)|osmaoed|i(cdqlus|kmnllx|nnzoms|rmglix)|n(eqwbur|vytrjv|wbztiy)|m(vlafhx|dbouzc|knvhqq)|bergrvx|r(zgmioi|pqikoe|ogfbkb)|vv(zshks|rqafe)|cnuutdc|fhofygj)|v(f(yhrywh|dtejdy|jhjepb|flcmwx)|m(ibjlpz|wbxhnr|owulhu)|r(qyzcgt|axvxul|gofvhl|tjboue)|t(niejyk|svysbp)|w(fkgcye|mxoqif|wlpcfq)|v(lsesgw|xotpcl|oydqex)|i(gyfvjv|wbyqes)|h(ymgusl|hswdjq)|bcdksau|y(yzivgj|xejani|ikxnkx)|l(fqjxag|cbziba|loapld)|g(sokkwu|vlzbre)|z(qwskrd|annzcb)|pbghrbo|divypsc|x(vonuud|zfnpeq|mwaoow)|ufhcglm|ehivthz|nvpzvwe)|b(s(sdtlve|jlfrcz|kixsly|aeybyj|cpdxjb)|g(scmgzs|vbalpn)|t(eatwju|glowrl|knklmz)|d(nutdgv|oqfyyw|mkzlwa)|z(ygobrt|nwbzdq)|b(exxkds|tycwxr|gwyuxc)|k(crpecf|jqzhjg|vmungj)|l(mncrai|iutoru|ptjiei)|e(fzhzka|hwtfif|oxcojg|evflcj)|f(hjfwxh|ykjzyy|jnzzum)|n(vathka|hdlssx|fabtyn)|x(felduu|zjzmzv|lguzio)|i(kbirkq|eiexxl|bcpivt|gqigqo)|r(jfgfrq|zoqwam)|htclixb|omkearg|qcjreab|jlgrnid|pofoixf|csgcjxx|vieqmpz|uodzjry)|x(i(jacexv|efnppb|rxawhz|twruku|kwglte|flufwv|pyipqh)|jlvdsol|f(ptcluo|eggdwb|gqwxdw|ciprhu|jovnzk)|l(eqvmyv|ragxvk)|g(fikakp|axxjqw)|o(bpgugc|ykesku|mcqnqv|lvibpb|aofixy)|d(hlbkpx|jjjqyp|n(tgdup|drkjz))|kovyoyv|n(p(zqboh|pvyou)|saeigu)|x(hykrdy|etgnxi)|y(fknbdf|jtyzot|goscil)|v(spuhqr|bviwxa)|q(p(spmdo|owpkc)|hwqbyv|cytwmw)|m(vyxlgk|pekjcn)|r(zxysln|hogots)|eavcguh|apfkmyc|wwcvhbv)|s(r(txytfi|mxxnfw)|p(ckfnid|fqtscx)|cwvoppk|agssywf|lzlpgpb|trrzyiq|d(ipywnh|kffcsn|g(saaxy|rzpre|upbxz))|o(efwhun|ocrete)|stvmghq|v(jfonmh|tcljcb|zxxwmo)|m(hhpljv|czfnzv|iqpkwk)|eoyadhv|x(wtsmlu|mxhskt|ddfoeg|nhbxir)|h(bgsjeh|dnbyyg)|j(zomguj|cfwjyr)|zdsgwhc|u(wiokaz|fdvhlc|ghokfo)|iubkgkj|kbowcjm|biibexy|fschwiz)|l(k(vfxxja|pjjvtm|hbbjbb|ggrluz)|l(zbvyrx|ljzuja)|m(iemeoy|zjzksc)|p(ipximo|jjdivq|eaxngw|spqfog|ycipnh)|y(fzydgp|dmehws)|dfuefjs|b(hcbgap|egilks|bduqcn|lnlnmp|klaool)|qczchku|n(jqcuch|aiwrwq|ugrjkd|rlymsp)|x(vlfdmo|teomry)|zeedhiu|h(tgowuy|ozqzcn|ioxyeq)|c(visotu|snhnvy)|oesneuw|usmeioi|wfsfrqy|ghexlfk|vvgurmn)|f(p(mtybfm|azujpr|zqhmjw|baxinf|xpukhr)|o(jhwxij|qwhiaq)|v(abqncr|ptnyov)|x(xrpasx|pwnphw|deudiz)|w(dpjugx|combqt|fnvdyn)|c(bvzlec|lqhaee)|f(tdzazo|zwyrxj|navvqt)|l(uximsn|lznynl)|k(cqwicg|ozolxj|spcrqi|rojuqk|wgwceg)|richqtn|n(zucoxb|sbfdsu)|j(eqrflg|gqrmnv|okttfi|a(woipv|voduz))|ibjmddb|s(intoat|xmcqvr|gwjcpx)|e(gxywcp|nrfdpq)|u(xwmrwa|hquqme)|mpcmhjk|z(gftykq|vnojjq|bymlcm)|bqevahh|d(hlwddo|mifcee)|y(gctzbm|vjosjx)|qhqoust)|z(rdbhbdg|q(piwnpz|neaqso|dmxpaf)|h(ansrnp|lhtuet|kiyjkc)|o(tonlda|eeyutt)|ktezojs|s(gaintm|tgtokf|duoart)|e(zylddd|wrmszx)|n(jvvkpf|svwonu|rkwppb)|y(fidyvp|grxwct|tdpazt)|t(nzdwhj|r(atyqh|jdtok)|gehsbv)|g(lskpai|aflkix)|m(lvaiay|bzaacm)|p(antgqq|hgscow)|xrfuzgs|jknadup|z(xbdhyi|ldevax|eeqsgt|oxyjeo|dkvnip)|v(tidkaw|owvcmc)|l(wkjxvw|s(usgvb|lnvqi)|ikpvvc)|fkoiwty|uzaiinu|w(wlging|cnndmh))|g(n(i(pxewf|atims)|anwwuv)|wupwhly|g(ufyszm|gquzil)|b(ofrpqx|njvugb)|xo(gltac|srnfk)|r(rpkgef|ytzskp|xfwonr|kmsbbs)|h(q(wxqba|gxaav)|uzavet|ljbeps|gdxdio|nbogrn)|muieauu|j(naaolj|delzcz|hzfzlb)|p(uteuzi|lenzxf)|otiixfr|akdport|klhkshv|uvsbark|c(myblpl|tkaabs)|l(wvlitt|tybklp)|f(kiqnyj|eluotv)|y(sexwru|kaqxwa)|e(amjiha|jrrpzr)|qjdrbln|impocsz|zhttnxl|vlvqesw)|k(sqipcpj|z(fydunl|dphzry)|labztjv|f(xhcefn|zjedoj|bqcgte|dpilyj)|g(wnrsxu|zhvssg)|c(ukvibn|a(ecbsk|ierxs)|vcqary)|n(dtcaqc|bqunfq|niweso|cymtwx|jjtgbk)|y(lkzice|fftsec|wezrut)|i(vxguke|ldmskz|k(kxdxf|mystp))|t(oyezlm|etadil|vvxkzg)|htblqcn|k(hmmrut|vehdwa|itpoyz|jiximo)|q(zvsnti|vznkzk)|j(jmelsf|viaveh)|p(zgfzue|ijhsyf|tnjsre|rnokme)|e(fdfggd|zcessl)|d(lefchu|abofuc|pfsirc|ewwila)|b(mrkrqu|ifzotz)|vnrzofj|ohfkyhr|mkjlebk)|h(n(jlkhro|vwyhau)|k(izieht|rueesi|lpchmi|zomeys)|a(hodtap|telhiw)|i(ccntkb|qkzbug|tmmwlw)|t(kkojbe|cswckj)|c(ifgrsm|ljajzw)|e(qbtnhf|ihtmik)|z(orqdcw|qyydbl)|o(zqpmdz|mvxjtt)|m(xiwguv|teezqn)|b(bvruwu|xcjdmy)|p(rhnsbj|tirxow)|f(ntuvzj|dwimxu)|urgwarg|l(ppqhmb|dxfacq)|jcunmkp|g(txwcbr|mhcuxu)|h(gexmse|cfxvxl|ivtrxk)|wwbvsuh|xxjnlfi)|m(m(tgdfzb|lgykag|f(fanql|uajhl)|zqqlth)|t(olygqf|iamtkd|nfralc)|n(uixzhh|ygtgps|kbwund)|qpsmwck|ezuqgrj|p(mfdext|iuovrb|aoleus)|b(hntqex|jededa)|s(qstlem|wzfgly|yyxtdu)|cbntwyo|u(wmkfmb|fglvwo)|lmmafjh|o(njabdw|fdxqxy)|h(eiwhim|lnizfu)|w(nzsszs|ksrsuz|wrqpif|ofqdxh|x(ooone|ivbxv)|lbftoc)|j(rxxhqt|hqssoy)|d(jnikvx|vaqowx)|gvunwpg|f(szssmq|vnzait)|v(ibqkzx|flrtre|sslocb|upskpq|ncjjvx)|r(qfypkk|zygmll|jxbosn|kltzbu)|x(moexyr|iotpis))|j(uciwcos|r(kgqvaa|npemib|yzzthx)|h(ncttjq|qqqynx|ldivvb)|w(zctbqu|fseand|sbxbpr|igevqg)|e(zmqypn|rzpqko)|fkdhaqi|g(qexchd|amnnhl|neslze|mdkjtv)|yqapjsy|sykmtbe|i(vqfioq|pbtrgm)|c(rggncr|nmwogl)|mhbrtgg|vbggpns|naihkhk|p(utlnpg|pcckag|vpqikn)|k(pyqajp|cxgzsb)|dtiysvl|q(sgjawq|ylfinm)|b(wiilua|dtfzcj)|liuvwmd|t(clfluw|boceee|wnqket)|aogdrdw|jveheyy)|d(y(irbonl|qxmmlc|bkvsfs)|hylbzsa|v(nggztj|cdybol|asbhyz)|c(kxnuod|mdkoly)|p(hxqnxl|phkfvt|szxcxr)|rwsarxh|w(oydzqc|rfnswh)|m(yeorwr|pnyqkd)|f(kvbmaf|hhiega|ovfhjz|qwkesv|uuknqt)|d(lzntud|tcnxlz)|gkmvsmv|i(drfdrm|kjimmi|qrsowc)|s(jjxvvz|kqzdfz)|l(yonbvz|gnxvfk|bbhanr)|n(msgwll|lqgrgz)|t(nahvxy|qlzojd|olhzzu)|a(uuiqez|qwqunv)|xtbcoka|upbfewo)|p(p(rtpqvv|afezam|eakzbg)|a(kpafkj|ykdzee)|m(ltkfju|jxqqbg)|e(bmojjc|slhbuv)|k(rbtixj|dgxfeg)|s(xxyxvi|mgdeml)|v(nzijkh|gprtwu)|q(cawour|ujjjqz|eepnlg)|r(mmriho|stwolb|ksyfcx|tmrcbi)|deurvzx|hdqtsyl|o(wbqgux|aynrit|ebsbrr)|g(vyswsq|ugyfbo|kyhenv)|tfkvhlg|y(bkkzku|wjchnx|qkxqbq)|i(caktyb|hvpxxa|bfkrgc)|lfvkyle|cabdtaz|b(lwuvhi|fxzmrw)|xtbiauy)|i(z(lgyfyr|djkgsl|rnbazw)|dcwbngx|n(pgmedn|xybpqm|mckzpb|emmigj)|h(iblswt|fttnpv|ziealv)|pyrygzb|v(avahfp|knukvp)|g(xzpzwc|nvhdyo)|xn(xdxyd|iytqz)|ar(klade|ghteg)|i(iiuduh|csabiv|vwelod)|sbujvok|uz(zzjse|pvnsa)|y(xtcxqy|wugdii|vyhhqh)|cviynev|tywsdqd|khljcjo)|a(n(mcuuyh|qwmmvm|jahzsz)|q(pwayvj|u(mqrmq|jzfkt))|jptkjrj|d(jdivfm|fjrlia|gahyws)|cghygqi|hcfhlpc|o(t(ctxfl|tlevp)|ysuint)|u(aniomu|dfczwl|ncnspx)|aklpluc|f(qxdhhf|mxfrfg)|w(svxxyt|fvouys)|kxzthho|m(mmfwkc|xqdsau)|ilrsfja|r(jetdon|gbezcy)|bvbiija|zlmgcih|siavcyp|g(htgeum|unbewr|oawqkv)|tgzobcx|ezlxgcx|lklaqxd)|e(w(zwhrzq|rfjhgg)|m(uphbht|hcgokt|fhiqpq|wvxcpq|vnwdbg)|sdvawey|isxdaln|p(gwyubx|dccupo)|qcdtffc|gsrjfrd|x(elkjns|hrzofo)|ytwlexs|f(eqitdu|gfdlgr|ykzxzc)|j(hisein|wirzid)|b(nindny|ekcdba|wanhea|gxglrm)|djodkkl|r(rypste|hxabhl|qlyllq)|a(rlwwms|ghymgz)|twvtcjk|u(sloabq|lxsmrb|dtibiz)|l(gmzrfc|iefqsw)|v(zuzyee|ezwmwf|vezwxz|neiral)|olqelpz|zpqbywp)|q(zecythz|a(bugyic|jsqgwl|zzdvcu)|x(l(mqicb|kzfhl)|aeusqb|zlxdqy|wwfmah)|h(kfbdda|ixqhql|sdounn|tnpmnw)|i(evlxen|omoedh|t(hbtcw|prxtd)|ufbdtr)|fvdzhmn|w(wihckx|qrsfho|pfknvo)|r(pbuvcl|joizrk)|o(f(bumzh|qrtmv)|hpadfd|nsfxge|yfiapp)|ccadxok|erdthli|b(icxlrj|wskbco|tpmqeh)|q(xiqjmf|gpisxz)|s(devuhx|nxamkw|xfeqld)|kqrxltl|t(bmjygk|i(eonmy|wsqgo)|chbazg|vzmsga|mmqlhn)|y(izrauh|ohyepe|saeqym)|m(kjneni|lhigso)|p(fifemf|yxjutk|bauxcx)|v(uavtyf|sunyfz)|n(uzbfnn|ejecuw))|r(vgskzuw|rpclboi|k(kdjcpw|gvitvh)|l(hqdnxz|tdgucl)|z(xopnls|pdqopx|gzdzoq|sqrgki)|q(ncerqa|hntsjw|bhpaex|iyttys)|w(scoaav|wtxexl|b(ukuut|rtmlo))|e(gpdpui|vrzzal|mdavcw|cfrtif)|p(aznnpd|wduxup)|n(m(ujzqj|hspwf)|wuofqq)|xoarcdk|fhjfbse|gebqfky|tyvwmhk|h(olxzfd|xkyoxt|cypryu)|ydnfxht|o(hcluyw|gwthck|cccmms|aaxpku)|j(aqyweo|neuhaf)|alnrnqg|bliuaor|ckzyurb|udnrucm|migxnpe|izllcsz)|n(v(lxmquy|wxrkiw|urgfmi)|t(cveyhv|wmaapw|jqrsfl)|ivvrrno|f(axdwjt|pobwms)|melfsto|p(ypykfk|zakssl)|q(cahqdk|zkjgcr)|avshqxa|u(gzdzgp|lzmipa|oeuvke|vyydyf)|e(f(blflz|hnewo)|aiogfk|sdbeue)|r(uhxydk|diamro)|d(dpbnrf|gatuaq)|zqtcidt|kyamqwi|h(wngnbm|keuvgd)|nawvemw|o(edglhz|zdyrln)|j(bqhmwb|mncjgv)|gtwksnv|xwwxydm|sqsigou|y(yslybk|bmasyn)|wppovjg|bnftfpt)|y(x(rkghzg|xbtgrx|hgxnol|pajptc)|h(titsjp|auvrgh|islwnb)|jyzjdds|s(g(qigtn|nhhiy)|vkocly|astttz)|b(pwystv|lqbwyn|mcyrvp)|o(egvilh|tiliqd|duwegx)|z(nhaszb|weshaj)|w(eykkqo|rwwntt)|q(bqzhuc|uecdjz|iybwss)|a(uljcjn|huxafz|jhavxl)|c(dfursl|xjmybm|kvdgrt|oosytm)|g(aqotaj|dyvlyh|kzgpeo)|u(ebypth|iought)|dundtfn|puakqdb|r(kybynn|ewowur)|f(bebkti|ekclhv|xasshq)|l(ddoxgk|ovvmdh|nndofv)|n(glotot|fzbeod|koyfmf)|e(urgase|pbuyvv)|t(huvrpu|rdfiyx)|imstmwg)|t(v(ivtyzl|s(fvlzx|duwtk)|dmpuko|lhelfz)|j(o(vmmhf|zsjal)|k(trwac|rrwrw)|bjpwuf|jcikcy|qvntpa)|f(rxefcs|xbagmb)|u(kvpgdt|tvgfbo|swwcqd|ggqisv|pweauk)|z(sxhmct|eiuqat|jfjzwk)|czwyrwg|k(qiydzv|jwczij|chwheb)|l(cnyqml|jjqani|vtrwww)|r(dlhvkd|cjcegr)|e(bdnuay|kndzdx|lcchva)|s(ryowos|zsnwxa|phrkeb)|b(ytspor|vhmtxo)|d(bt(ypmn|hwxq)|gdjpyg|hjtghk)|gzhmsde|m(rqbjfg|vhrtiu)|x(mwirpw|bddnql)|w(lnsgxc|hbgdjk)|i(sqmlsg|gysjnq|fsfifj)|y(edjlzr|oitrfd|cikhfl|fpwvhz)|tq(silth|luehv)|pbsosnz)|u(s(mxgnnx|hlnpvb|xpitlh|lxvebt)|l(lmxwiu|nmrdjw)|x(hotutg|qistkj|uouqyn)|c(pkfydn|ngsmbb|chenjg|iymdst)|r(ddebkq|vgmiwg)|m(ynvivb|fjmvjo|kiozwh|mztrro)|jbrkhpx|b(nwzzze|iagrcr)|g(aexgyb|l(rapnh|hzggr)|xgsocd)|a(qmpqst|jbxdfz|kmmpkc|gwxdcl)|z(oyckmg|lgnhge|jecbnf)|p(lljwbw|jhsbyu)|fiazcyj|wntzurr|y(xgxhez|saxcwk)|eheftra|kreixbo|vwjfhpr|ibercwd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633047; rev:2;)
# sid 2633048 includes 1635 (1201 - 1800) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(b(l(mncrai|iutoru|ptjiei)|e(fzhzka|hwtfif|oxcojg|evflcj|vvaacx)|g(vbalpn|a(ydxpk|rhtjw))|s(j(lfrcz|xoowr)|kixsly|aeybyj|cpdxjb)|k(jqzhjg|vmungj|bbyqrs)|f(hjfwxh|ykjzyy|jnzzum)|b(tycwxr|gwyuxc|mjkzuo)|n(vathka|hdlssx|fabtyn|eoizhz)|x(felduu|zjzmzv|l(guzio|xtppi)|i(scyxo|wephg)|amrzca)|i(kbirkq|eiexxl|bcpivt|gqigqo)|r(jfgfrq|zoqwam|mazzyp)|h(t(clixb|kines)|dtcgfr)|t(glowrl|knklmz|xipjzs)|omkearg|q(cjreab|dlznlk)|d(mkzlwa|jzmezc)|j(lgrnid|jiuabj)|p(ofoixf|qwqqwt)|c(sgcjxx|lircfo)|znwbzdq|v(ieqmpz|fksbga)|uodzjry|w(jofsxa|velnvr)|m(febqnl|iklrih))|g(m(uieauu|cmiwvb)|j(naaolj|delzcz|hzfzlb)|p(uteuzi|lenzxf|nqvsyi)|o(tiixfr|lemiyr|hlbbyz)|a(kdport|flshhy|sxbrtz|xqtgof)|k(lhkshv|rnlcnu|qljita|tilxlp)|h(uzavet|ljbeps|gdxdio|nbogrn|qgxaav)|u(vsbark|cvswgr|muoujd)|c(myblpl|tkaabs|hdvymq)|xosrnfk|l(wvlitt|tybklp)|f(kiqnyj|eluotv|bcueta)|y(sexwru|kaqxwa)|e(amjiha|jrrpzr|lvcqdh)|b(njvugb|kngxys)|ggquzil|r(xfwonr|kmsbbs|colfqf)|n(anwwuv|mdzhif|nfhhcv)|q(jdrbln|osxdhg)|i(mpocsz|vrbrrr|ixztpd)|z(httnxl|otzbad|zeuzrp)|v(lvqesw|pzhzcz|amsbni|njgijg)|dbzewbn)|c(tiyyxok|j(qlxvdz|rmdyfh|nnflct)|n(gtvfnu|qdswvj|lejlwk)|b(x(vowpt|coxgf)|sfhihz)|k(fqmtra|zhegkn)|q(g(xgjme|urmze)|zhhjpr)|c(vlcdrt|blzlme|hworbe)|m(m(plyll|qfgxw)|eqevzj)|d(feflkb|hofplu)|hwduxfw|f(ydxgms|pbbqfx|qtdtlm)|u(igzihz|g(ixhti|wlmsf)|qurdkk)|y(nrkuao|y(cdpmk|khnkf)|ipuyyy)|a(sfziwy|brwadv|fvargx|hqpznu)|o(kmmphd|jgbpfr|mwnlll)|l(sifhrw|qrelfn)|x(pgloar|mdaxjz|kuxyay)|v(izpgje|yrdetm)|razzyav|gjpqnix|e(jzmzut|tqoara)|paulovx|ixfzlec)|z(k(tezojs|b(qdtti|ghwoa)|pbtidr)|oeeyutt|s(gaintm|tgtokf|d(uoart|dvego)|fbrrel|qbbroi)|e(zylddd|wrmszx|bgwmqh|ljmeno)|n(jvvkpf|svwonu|rkwppb)|y(fidyvp|grxwct|t(dpazt|nwmgr))|t(nzdwhj|r(atyqh|jdtok)|gehsbv|adqprw|qnmzfp)|g(lskpai|aflkix|cxmlag)|m(lvaiay|bzaacm|krwakb)|p(antgqq|hgscow|zrlpwj|bndfbd)|x(rfuzgs|kkflzf|gxwdve|aeebyi)|j(knadup|quexra|aqlfyr)|z(xbdhyi|ldevax|eeqsgt|oxyjeo|dkvnip)|q(neaqso|dmxpaf|lglnam)|h(lhtuet|kiyjkc|denfne)|v(tidkaw|owvcmc)|l(wkjxvw|s(usgvb|lnvqi)|ikpvvc)|f(koiwty|jvhdlj)|u(zaiinu|vapvss)|w(wlging|cnndmh)|dkutpbu|r(wiiizc|lmredg)|bafytlv|cvlvyjo)|y(s(vkocly|astttz|gnhhiy|xoyibt)|o(egvilh|tiliqd|duwegx|obdqjj|inxiju)|z(nhaszb|weshaj)|w(eykkqo|rwwntt|aeovfq|haysdq|tsapdc)|q(bqzhuc|uecdjz|iybwss)|a(uljcjn|huxafz|jhavxl)|c(dfursl|xjmybm|kvdgrt|oosytm|tculme)|g(aqotaj|d(yvlyh|eifin)|kzgpeo)|u(ebypth|iought|wkubhe|kyaliy|nushyy)|dundtfn|p(uakqdb|wrmkdi)|r(kybynn|ewowur)|f(bebkti|ekclhv|xasshq|sapkaq)|l(ddoxgk|ovvmdh|nndofv)|x(xbtgrx|h(gxnol|hbuxl)|pajptc|gjaoum)|n(glotot|fzbeod|koyfmf|evfmew)|h(auvrgh|islwnb|caahku)|b(lqbwyn|mcyrvp|infidw|acevwu)|e(urgase|p(buyvv|gmeqt)|dttbpu)|t(huvrpu|rdfiyx|betbci)|imstmwg|j(uhfvxe|ttfelh)|ymvlwhp)|x(o(bpgugc|ykesku|mcqnqv|lvibpb|aofixy|pnizru|xbsxhq)|i(rxawhz|twruku|kwglte|flufwv|pyipqh|uvftfk)|d(hlbkpx|jjjqyp|n(tgdup|drkjz)|riztem)|k(o(vyoyv|plkia)|mmqqqr)|n(p(zqboh|pvyou)|saeigu|jhechy)|x(hykrdy|etgnxi)|y(fknbdf|jtyzot|goscil|ogfpuw)|v(spuhqr|bviwxa|jjolqt|wrkdec)|q(p(spmdo|owpkc)|hwqbyv|cytwmw)|f(eggdwb|gqwxdw|ciprhu|jovnzk|rlbokr|pppaut)|m(vyxlgk|pekjcn|gbqzzt|cnhbec)|r(zxysln|hogots|dfkqql|pjjwlo)|e(avcguh|sbtreo)|apfkmyc|w(wcvhbv|fxkikx)|gaxxjqw|l(ragxvk|lucolo|xeteuy)|suyhnhb|j(hcohlb|zmpjnv|lhdkgk|wkfgeo)|utnprdc|hgjtmkt|cbxqpdo|tuwvvvg)|t(k(qiydzv|jwczij|chwheb|vxvymp|ucsweo)|l(cnyqml|jjqani|vtrwww)|r(dlhvkd|cjcegr|allguz)|e(bdnuay|kndzdx|lcchva|tainyb)|s(ryowos|zsnwxa|phrkeb|lpatjx)|j(k(trwac|rrwrw)|bjpwuf|ozsjal|jcikcy|qvntpa|voezsb)|b(ytspor|vhmtxo|zeznin)|v(s(fvlzx|duwtk)|dmpuko|lhelfz)|z(eiuqat|jfjzwk|ogrjjm)|d(bt(ypmn|hwxq)|gdjpyg|hjtghk|aoqavr|rikmcr)|gzhmsde|m(rqbjfg|vhrtiu|wgyiwa)|x(mwirpw|bddnql|kffqzb)|w(lnsgxc|hbgdjk|vnlpvg)|i(sqmlsg|gysjnq|fsfifj)|u(tvgfbo|swwcqd|ggqisv|pweauk|vzxrdy|aysvht)|y(edjlzr|oitrfd|cikhfl|fpwvhz)|t(q(silth|luehv)|eaekji|pjvusv)|fxbagmb|p(b(sosnz|rvqdr)|xvmszc)|auxagms|hzvfglo|naaqjqu|q(rnjugm|kkuwps)|cayszhg|ovyuwad)|n(p(ypykfk|zakssl)|q(cahqdk|zkjgcr|ahmtkc)|avshqxa|u(gzdzgp|lzmipa|oeuvke|vyydyf)|e(f(blflz|hnewo)|aiogfk|sdbeue)|t(jqrsfl|pxicpg|zxadwc|mdoozz)|r(uhxydk|diamro)|d(dpbnrf|gatuaq|mvfkge|vkfvyi)|v(wxrkiw|urgfmi)|zqtcidt|kyamqwi|f(pobwms|nosbyb)|h(wngnbm|keuvgd|rydeek)|n(awvemw|vmnkbp)|o(edglhz|z(dyrln|fbyjg))|j(bqhmwb|mncjgv|zrkwwl)|gtwksnv|xwwxydm|s(qsigou|llitjh)|y(yslybk|b(masyn|bukkg))|w(ppovjg|bfyscw|dpstab|wqmrci)|b(nftfpt|ljxmys)|c(rasdib|qwqgjw|fgwllu)|mnmsdyk)|p(e(bmojjc|slhbuv)|k(rbtixj|dgxfeg|mbspsb)|s(xxyxvi|mgdeml)|mjxqqbg|v(nzijkh|gprtwu)|q(cawour|ujjjqz|eepnlg)|r(mmriho|stwolb|ksyfcx|tmrcbi|qiouzq)|deurvzx|h(dqtsyl|p(ulhni|prbez)|lmdvsi|anhwdb|mvwkoe)|o(wbqgux|aynrit|ebsbrr)|g(vyswsq|ugyfbo|kyhenv)|tfkvhlg|y(bkkzku|wjchnx|qkxqbq)|i(caktyb|hvpxxa|bfkrgc)|p(afezam|eakzbg|sxkzcd)|aykdzee|lfvkyle|c(abdtaz|psetld|esqwcn)|b(lwuvhi|fxzmrw)|x(tbiauy|yhgqku|iihwpr)|zqddofl|fgcuacv|n(dkczpe|vkyvti))|e(sdvawey|isxdaln|p(g(wyubx|rdtyq)|dccupo|obskzg|ataerm|zroacc)|qcdtffc|g(srjfrd|eagxdl)|x(elkjns|hrzofo)|y(twlexs|yoizmo)|f(eqitdu|gfdlgr|ykzxzc)|j(hisein|wirzid|kwkosp|etweim|gjtjfq)|b(nindny|ekcdba|wanhea|gxglrm)|d(jodkkl|elslmw|qhopro)|r(rypste|hxabhl|qlyllq)|a(rlwwms|ghymgz|xmgadv)|t(wvtcjk|rejhje)|u(sloabq|lxsmrb|dtibiz)|l(gmzrfc|iefqsw)|m(hcgokt|fhiqpq|wvxcpq|vnwdbg|ddfvau)|v(zuzyee|ezwmwf|vezwxz|neiral)|o(lqelpz|htlbqh)|w(rfjhgg|zzkjit)|z(pqbywp|mpxkgq)|n(woiucu|hmsrls|btaghf)|hfpigrd|cwgpnob)|k(k(hmmrut|vehdwa|itpoyz|jiximo|xaghgw)|q(zvsnti|vznkzk)|j(jmelsf|viaveh)|p(zgfzue|ijhsyf|tnjsre|rnokme)|i(ldmskz|k(kxdxf|mystp))|e(fdfggd|z(cessl|foyqs))|d(lefchu|abofuc|pfsirc|ewwila)|g(zhvssg|makvjb|nwacyq)|b(mrkrqu|ifzotz|yinmdm|vdmbrp)|t(etadil|vvxkzg|fzllql)|vnrzofj|f(zjedoj|bqcgte|dpilyj|cbjnhb)|n(niweso|cymtwx|jjtgbk|pwlwra)|ohfkyhr|z(dphzry|wiabol|ainmqj)|y(wezrut|xjkwfv|pslmoz|mgsgqo)|c(a(ecbsk|ierxs)|vcqary)|mkjlebk|u(o(kamsm|wupob)|hfoiqj|emfdnf)|hqelkyx|lfchsac|az(abcsk|zzbyr)|w(v(hecpv|bvnyl)|l(ecnrg|pcydr)))|j(fkdhaqi|g(qexchd|amnnhl|neslze|mdkjtv|zjxhyv)|y(qapjsy|ajelor)|sykmtbe|w(fseand|sbxbpr|igevqg|j(vgwmq|wjymh))|i(vqfioq|pbtrgm|icssrv|gahkzc)|c(rggncr|nmwogl|bwwhkm)|m(hbrtgg|wijesb)|v(bggpns|fpjusl|lyervm)|h(qqqynx|ldivvb|hvbxiv)|e(rzpqko|apsfji)|naihkhk|p(utlnpg|pcckag|vpqikn)|k(pyqajp|cxgzsb)|dtiysvl|r(npemib|yzzthx|ksgrje)|q(sgjawq|ylfinm)|b(wiilua|dtfzcj)|l(iuvwmd|zbkckr)|t(clfluw|b(oceee|wlatq)|wnqket)|a(ogdrdw|rxdkpq)|jveheyy|uualeqb|xlzbfew)|m(ezuqgrj|p(mfdext|iuovrb|aoleus|danwnt)|b(hntqex|jededa)|s(qstlem|wzfgly|yyxtdu|xryjjh)|c(bntwyo|jkeels)|u(wmkfmb|fglvwo|khvves)|t(iamtkd|nf(ralc|ntjc)|evsuyj)|l(mmafjh|cdmhnm)|o(njabdw|fdxqxy|jssooa)|h(eiwhim|lnizfu|ygzjqq)|w(nzsszs|ksrsuz|wrqpif|ofqdxh|x(ooone|ivbxv)|lbftoc)|j(rxxhqt|hqssoy|cbfgzw)|d(jnikvx|vaqowx|qujmme)|gvunwpg|f(szssmq|vnzait)|v(ibqkzx|flrtre|sslocb|upskpq|ncjjvx|xohmsy)|m(f(fanql|uajhl)|zqqlth)|n(y(gtgps|lximr)|kbwund|vnpnrn)|r(qfypkk|zygmll|jxbosn|kltzbu|rsqsfh|wdgleb)|x(moexyr|iotpis|bwoqkt)|kmhatdj|ighfrjf|awrxgma|y(vnnnya|fvwwve))|w(s(w(nahsk|lgjio)|seumpa|b(ngqbs|lshhr))|grkftaw|q(gariac|wkemjp)|n(buaovr|prwber|vusjwz)|o(ynhxdh|xikvit|snxmoz|uthhgh)|a(uwwpzb|htmqdc)|r(fwfato|nhckbp|aewfbx|xibufb|godswj)|w(esfgjs|phbcjn|nouhmu)|foreqsb|t(tldyly|vnkheo|mggezo|lxvlsn)|i(tqrmbr|wjpxuh)|b(tsqnpa|kpilve|gfbpuu)|m(rfgjvi|thvhyq|cgvxwb)|e(d(niqem|jwiyx)|hvytaq)|z(vfplas|mdclkw|axsdcp)|d(inogot|ddtclh)|c(xountq|narxoa)|u(xzhywc|lckgst)|hogyfjw|x(dsadae|oqxywr)|v(hgtabi|aiocyd|djwlis)|ylwenss|jwgastx|keccujg|pdwyjmj)|h(t(kkojbe|cswckj)|c(ifgrsm|ljajzw|ruiykb|gecgqy)|e(qbtnhf|ihtmik)|k(rueesi|lpchmi|zomeys|axqbca)|z(orqdcw|qyydbl|tpwkfj)|o(zqpmdz|mvxjtt|olvpnc|ylftil)|m(xiwguv|teezqn|hwyurz|lawonz|dojmrf)|b(bvruwu|x(cjdmy|uzkcp))|p(rhnsbj|tirxow|kgvweu)|f(ntuvzj|dwimxu)|u(rgwarg|xvjyfh|ayosfr)|atelhiw|i(qkzbug|tmmwlw)|n(vwyhau|qvnqjk)|l(ppqhmb|dxfacq)|j(cunmkp|bmsabt)|g(txwcbr|mhcuxu)|h(gexmse|cfxvxl|ivtrxk|v(vjdep|ebthq)|hvkudi)|ww(bvsuh|treuc)|x(xjnlfi|rfcvbs|gzyapv|jmfrrm|umohcl|ffkptp)|rfcycls|d(putimk|ergcmo)|sibxxsh|qtuhfnt|yuaitdv)|u(l(lmxwiu|nmrdjw|jxxhae|krgowa)|x(hotutg|qistkj|uouqyn|paksbu|rtbnsi)|c(pkfydn|ngsmbb|chenjg|iymdst)|r(ddebkq|v(gmiwg|wzdvs)|rdzjkd)|m(ynvivb|fjmvjo|kiozwh|mztrro)|jbrkhpx|b(nwzzze|iagrcr|qtnpak)|g(aexgyb|l(rapnh|hzggr|kilqd)|xgsocd)|s(xpitlh|lxvebt|zdlaew)|a(qmpqst|jbxdfz|kmmpkc|gwxdcl)|z(oyckmg|lgnhge|jecbnf)|p(lljwbw|jhsbyu)|fiazcyj|w(ntzurr|ovimfg|urbqdk)|y(x(gxhez|aivle)|saxcwk|oxilic|ekxefv)|e(heftra|vprsie)|k(reixbo|wxnutd)|v(wjfhpr|b(tmmzk|aicci)|rlzdip|cyogmb)|ibercwd|d(iwyroa|btepdr)|qgpswra|hebbrgf|tieydha|obfzvpn)|o(s(lllstv|weonxa|pakvnj)|u(mhljez|sijvjs|yjpvjp|iykddf)|l(e(livvl|rjzef)|a(nwhgd|rnbyt)|nogryl|twulwe)|y(eleaxp|wylrkm)|t(atebgi|tyvtzy|peuzoq|ebbgib)|o(smaoed|xiudti)|i(cdqlus|kmnllx|nnzoms|r(mglix|aaotb)|yvspmx)|kpbmgyr|n(e(qwbur|wnqyh)|vytrjv|w(bztiy|fgjgi))|m(vlafhx|dbouzc|knvhqq)|d(jzkmql|ehwjns|waqtvt)|bergrvx|r(zgmioi|pqikoe|ogfbkb|hilmki|weygbx)|vv(zshks|rqafe)|q(hlxuzn|josrkb|xmzgiq|coemna|dqshat)|c(nuutdc|rptkrh)|jtlfhvt|fhofygj|e(pmoayf|npvcxc)|z(ygerrk|vnwllq)|xeaqcqj|aasxqyo|wkyejcu|g(dsfgfr|sfraoe|urhgtt))|q(r(pbuvcl|joizrk|s(fhuoo|bpsir))|o(f(bumzh|qrtmv)|hpadfd|nsfxge|yfiapp)|a(jsqgwl|zzdvcu)|i(omoedh|t(hbtcw|prxtd)|ufbdtr|abapab)|c(cadxok|isnjgu)|e(rdthli|ujrxpb)|b(icxlrj|w(skbco|ncmlv)|tpmqeh)|q(xiqjmf|gpisxz)|w(qrsfho|pfknvo)|s(devuhx|nxamkw|xfeqld)|k(qrxltl|uewpup|zsjlke)|t(bm(jygk|qojs)|i(eonmy|wsqgo)|chbazg|vzmsga|mmqlhn)|y(izrauh|ohyepe|saeqym)|m(kjneni|lhigso|rnsukv|bkhjgz)|p(fifemf|yxjutk|bauxcx|mulcmx|ccpmkh|zviuge)|v(uavtyf|sunyfz|fleufi|hxtojj)|x(lkzfhl|zlxdqy|wwfmah|tdalbw)|h(ixqhql|sdounn|tnpmnw|qrzrng)|n(uzbfnn|ejecuw)|dxhnsdz|j(mzimrj|ppphfr)|gayfsvv)|r(p(aznnpd|wduxup)|e(vrzzal|mdavcw|cfrtif)|n(m(ujzqj|hspwf)|wuofqq)|x(oarcdk|chcthe)|fhjfbse|z(pdqopx|gzdzoq|sqrgki|exxxhq)|gebqfky|t(yvwmhk|ebukzo)|w(wtxexl|b(ukuut|rtmlo)|nyxcic|yfucct)|ltdgucl|q(hntsjw|bhpaex|iyttys|sqbtpe|nenmjv|anhnhx)|h(olxzfd|xkyoxt|cypryu|kaduyv|wvsusv)|y(dnfxht|izuysr)|o(hcluyw|gwthck|c(ccmms|mwfkf)|aaxpku)|j(aqyweo|neuhaf)|a(lnrnqg|vcjrte|rbpias)|bliuaor|ckzyurb|udnrucm|kgvitvh|m(igxnpe|boasrs|eujwdj)|i(zllcsz|qltqpv)|soa(bjlv|tmlj)|rfsvgsh)|i(n(p(gmedn|kqgrk)|xybpqm|mckzpb|emmigj|cerdyx|uunsom)|h(iblswt|fttnpv|ziealv|lffeob|gtdpee)|pyrygzb|v(avahfp|knukvp)|g(xzpzwc|nvhdyo|lydfzb)|xn(xdxyd|iytqz)|a(r(klade|ghteg)|yuxnmw|tsbrrx)|i(iiuduh|csabiv|vwelod|ydvbhw)|s(bujvok|qgbuvc|xrgjnn)|u(z(zzjse|pvnsa)|bqrhvr)|y(xtcxqy|wugdii|vyhhqh)|cviynev|z(rnbazw|khgknb)|tywsdqd|k(hljcjo|fixglz|uiavgc|nepjsi)|rdwldpl|fttenzk|lzgqork|d(ldrhls|vstsoh))|v(i(gyfvjv|wbyqes|kgzqpq)|h(ymgusl|hswdjq)|bcdksau|y(yzivgj|xejani|ikxnkx)|m(wbxhnr|owulhu|ppcqco)|v(xotpcl|oydqex)|l(fqjxag|cbziba|loapld|wpyjvp|ofngwf|xavmuu|sadtnj)|g(sokkwu|vlzbre|cwhxce)|w(mxoqif|wlpcfq|xdwksv|zxaltl)|r(gofvhl|tjboue|ykahme)|z(q(wskrd|rgjrk)|annzcb|jyjjfu)|p(bghrbo|pehyhx)|divypsc|x(vonuud|zfnpeq|mwaoow|scymia)|f(dtejdy|jhjepb|flcmwx|vlgdnl)|ufhcglm|ehivthz|n(vpzvwe|gntatu|dcnlvv|wkfwgz|ojgryp)|tsvysbp|cpkpzql|j(jrjmxv|gpyroi)|kttudcz|qqhhjmo)|s(a(gssywf|mhhlsm|zwujif)|lzlpgpb|t(rrzyiq|qklkte|gerfil)|d(ipywnh|kffcsn|g(saaxy|rzpre|upbxz))|o(efwhun|ocrete)|stvmghq|v(jfonmh|tcljcb|zxxwmo)|m(hhpljv|czfnzv|iqpkwk)|e(oyadhv|jyfgdo|dbdhkj)|x(wtsmlu|mxhskt|ddfoeg|nhbxir)|r(mxxnfw|aisxeb)|h(bgsjeh|dnbyyg)|j(zomguj|cfwjyr|lyyrlb)|z(dsgwhc|pczhqt|qqhqav)|u(wiokaz|fdvhlc|ghokfo)|i(ubkgkj|lqrdwk)|kbowcjm|b(iibexy|mnoiof)|fschwiz|gesmvjv|cszulix|qcyxrfu|ynvxksi|ndqvqqj|pzfapyo)|d(m(yeorwr|pnyqkd)|f(kvbmaf|hhiega|ovfhjz|qwkesv|uuknqt)|w(rfnswh|klvkck|lgmdre)|c(mdkoly|iqboht)|p(phkfvt|szxcxr)|v(cdybol|asbhyz|yyyrcr|zlpnxf)|d(lzntud|tcnxlz)|gkmvsmv|i(drfdrm|kjimmi|qrsowc|pdgzxh)|s(jjxvvz|kqzdfz|ztepno|aonirb)|l(yonbvz|gnxvfk|bbhanr)|ybkvsfs|n(msgwll|lqgrgz)|t(nahvxy|qlzojd|olhzzu)|a(uuiqez|qwqunv|gmyref)|xt(bcoka|pfxas)|upbfewo|ktjvhtf|b(gnqstw|wiuzvy)|z(vxbjuh|fpzbdp|ssdqjt)|jvmrajc|o(rjftti|iojrft))|a(u(aniomu|dfczwl|ncnspx|ptpiez|gkgibv)|qu(mqrmq|jzfkt)|n(qwmmvm|jahzsz|uhhmnb|amkshk)|aklpluc|f(qxdhhf|mxfrfg)|w(svxxyt|fvouys|twetcc|zedcag)|kxzthho|m(mmfwkc|xqdsau|vnwdbr)|i(lrsfja|dhesjw|cjzovj|muhtfc)|r(jetdon|gbezcy|nkrezn)|o(ysuint|ttlevp)|b(vbiija|wzxddv|qvpduo)|z(lmgcih|vvdkdg|eitwtg)|s(iavcyp|mtdgxa)|g(htgeum|unbewr|oawqkv|edbhnk)|tgzobcx|ezlxgcx|lklaqxd|dgahyws|v(lxmalz|hhxfkj|yxktcy)|jmqufaq|c(gcmzby|mgcpri)|x(uwpflc|nmyruw))|l(k(pjjvtm|hbbjbb|ggrluz)|qczchku|p(jjdivq|eaxngw|spqfog|ycipnh|dhiprc)|n(jqcuch|aiwrwq|ugrjkd|rlymsp|petrlb|boiktr)|x(vlfdmo|teomry|jytwcb)|b(bduqcn|lnlnmp|klaool|yyzfqe)|z(eedhiu|hfossx)|h(tgowuy|ozqzcn|ioxyeq|mztgak|cbgiva)|c(visotu|snhnvy|njfhdl)|o(esneuw|heixny)|usmeioi|w(fsfrqy|q(lkhjo|qgtzx))|ydmehws|g(hexlfk|driate)|lljzuja|v(vgurmn|rwcrbp)|m(zjzksc|ieabyz)|ahwmrea|d(fpsnpg|bfcldp)|jbfmmcf|emfbgsj|tzlkatv)|f(l(uximsn|lznynl|pirurj)|k(cqwicg|ozolxj|spcrqi|rojuqk|wgwceg)|r(ichqtn|rvmiyd)|n(zucoxb|sbfdsu)|x(pwnphw|deudiz|glkyso)|j(eqrflg|gqrmnv|okttfi|a(woipv|voduz)|zufvgd)|ibjmddb|s(intoat|xmcqvr|gwjcpx)|p(azujpr|zqhmjw|baxinf|xpukhr|ydqsdm|mzooyk)|w(c(ombqt|pupay)|fnvdyn)|e(gxywcp|nrfdpq|zababm)|u(x(wmrwa|vgiyw)|hquqme)|m(pcmhjk|jvfrxz)|f(zwyrxj|navvqt)|z(gftykq|vnojjq|bymlcm|i(vtjgd|zkxql))|o(qwhiaq|ijzkay)|vptnyov|bqevahh|c(l(qhaee|fbmti|ujxwg)|hjbqtg|anmwrq)|d(hlwddo|mifcee|cpxwms|u(kpkyt|zaocu))|y(gctzbm|vjosjx|wkssvh)|qhqoust|hdcclsz|tefcyun))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633048; rev:2;)
# sid 2633049 includes 1035 (1801 - 2400) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(k(az(abcsk|zzbyr)|g(makvjb|nwacyq|sunlbk|ppjzyr)|e(zfoyqs|iepvfi|kjjzxx)|tfzllql|u(owupob|hfoiqj|emfdnf)|b(yinmdm|v(dmbrp|zvxbv)|lrlnoy)|z(ainmqj|ezvric)|y(mgsgqo|rmhenb)|w(v(hecpv|bvnyl)|l(ecnrg|pcydr)|fnwepb)|n(pwlwra|oxewxx|sqwihh)|k(eatzqs|khyfdw)|p(wkizev|boyehb)|vtjcbcs|r(tjigex|iosbry)|c(xqfadj|cignxg)|jswhcnq|dxlrjub|loxffhc)|t(d(aoqavr|rikmcr)|h(zvfglo|tbqfzb)|jvoezsb|t(eaekji|pjvusv)|u(v(zxrdy|kence)|aysvht)|xkffqzb|pxvmszc|rallguz|n(aaqjqu|mstgdj)|b(zeznin|vovmyd|xtpqyn|hcrlcm)|w(vnlpvg|arkvaj)|slpatjx|e(tainyb|mdimzj)|q(rnjugm|kkuwps|hiagtt)|c(ayszhg|hjriah|tomaky)|z(ogrjjm|vhrwdx)|kucsweo|o(vyuwad|ayksjf)|mhzaeqn|l(usvgfo|dxakwz)|yfsvbyu|aawucwl|gerqqhz|feuckra|iyrzmya)|g(k(rnlcnu|qljita|tilxlp|wcmpmk|owhpbj|loagcb)|u(muoujd|adexkj)|a(sxbrtz|xqtgof|ensmhd|nbdydm|ttumwc)|bkngxys|z(zeuzrp|tpirfi|yvpvzw)|i(vrbrrr|ixztpd|cmrpxz|jdbhtv)|n(mdzhif|nfhhcv|utzhvx)|c(hdvymq|tyagqz|abwibv|cjrnui|rosbyj)|r(colfqf|oeficv)|mcmiwvb|ohlbbyz|p(nqvsyi|ggjwkl)|d(bzewbn|skddfk)|wgjxssc|vknzjwr|f(ypfgxm|wsbfpo|zxazeo)|ejifvyl|qsmfalr|hyxdqeq|xsvinrf|sakdsbd|yzggysm)|m(hygzjqq|i(ghfrjf|tkkppt)|awrxgma|n(y(lximr|kypxs)|vnpnrn|jfgmfp|zcgedm|oylohn)|y(vnnnya|fvwwve|rrphee)|o(jssooa|gyibnz|mxjgmh|hvleyn)|d(qujmme|cnhamo|heqfyj)|xbwoqkt|j(cbfgzw|wmlfsh)|r(wdgleb|pipijh|rsyyqj)|l(cdmhnm|eyqgwo|ggimhs)|cjkeels|t(nfntjc|hibobq)|v(xohmsy|ldsemj|fbkzns)|u(qelwkm|kmrmno)|z(eeudnf|hngjkl)|gctwzte|bwetwlb|mlmaymw|khzqaws)|v(xscymia|l(ofngwf|xavmuu|sadtnj|vyprjk)|c(pkpzql|nuzztt)|i(kgzqpq|lrizvf|fqhgub|ondcva)|n(dcnlvv|wkfwgz|ojgryp)|w(zxaltl|cuhxpw)|ppehyhx|j(jrjmxv|gpyroi)|fvlgdnl|kttudcz|m(pp(cqco|xbxg)|ovfrfi)|q(qhhjmo|cqxkyz)|r(ykahme|i(hlgdx|txalx))|z(jyjjfu|slzjbk|bjbyqb)|v(itkrfg|dfuqpb|pmywan)|sdvtpgw|gsgaoyj|eagqoqg|o(hqdfcg|bizzcj))|x(f(pppaut|xhboiv)|v(jjolqt|wrkdec|c(hjizq|whrvg)|ypanja|mvvury)|yogfpuw|m(gbqzzt|cnhbec|bqunxf|mddwbj)|u(tnprdc|ptopvu|heayqo)|hgjtmkt|c(bxqpdo|jpahpb)|l(lucolo|xeteuy)|njhechy|iuvftfk|k(mmqqqr|o(plkia|aptxy))|r(dfkqql|pjjwlo|fripno)|tuwvvvg|esbtreo|j(zmpjnv|lhdkgk|wkfgeo)|o(xbsxhq|hionff|blijny)|driztem|wf(xkikx|pmddc)|q(srerny|llsdhf|qtxpze)|b(adcohn|ubwklq)|s(hhhgav|cyisqc)|p(sdnaqa|okzcvx|afwhlq))|l(vrwcrbp|by(yzfqe|gxnky)|w(q(lkhjo|qgtzx)|gqvqva)|n(petrlb|boiktr|eckfto|hpinid|rztxbn)|h(mztgak|cbgiva|lkbavy)|d(fpsnpg|bfcldp)|gdriate|pdhiprc|jbfmmcf|xjytwcb|emfbgsj|tzlkatv|lefkwog|i(jngrzn|ehlali)|z(zwlkzz|n(fzvab|nbyzo))|yhzuzjo|c(lwdfhv|asbyik)|apqqhkh|sjegneg|qsxgbha)|w(b(g(fbpuu|sfrqi)|tpsfjc|kcztql)|nvusjwz|o(uthhgh|mtjnyl)|v(aiocyd|djwlis|vfqgil)|t(mggezo|lxvlsn|scgiju)|jwgastx|r(xibufb|godswj|whwngd)|iwjpxuh|k(eccujg|zagnbd|xtltem)|m(cgvxwb|umbozo)|p(dwyjmj|kphjmn|caeblf|tthian)|edjwiyx|s(blshhr|o(vutih|yxkch))|u(uxaroc|ybwujg)|wsngiad|yckydhb|fliutrl|z(ywtziy|qocgbz))|n(q(ahmtkc|bmeswl)|ww(qmrci|cvrzo)|d(mvfkge|vkfvyi)|t(pxicpg|zxadwc|mdoozz|nsdavk)|h(rydeek|lrwgen)|o(zfbyjg|lzciuq)|mnmsdyk|b(ljxmys|nfeote)|n(vmnkbp|cpoaqq|jqwpcl)|c(qwqgjw|fgwllu)|ybbukkg|jzrkwwl|l(hwfnby|bhnxyz|cirhme)|ubinvgj|xtapfcy|e(hruxvu|qnpqzy)|shbdbbi|z(jinhjp|lklaul|yeejlt|ncniro)|rhdvhhq|igauuku)|f(r(rvmiyd|d(mwdwn|wrbcz))|c(hjbqtg|anmwrq|l(fbmti|ujxwg)|sevzni)|d(cpxwms|u(kpkyt|zaocu)|hyasmc)|tefcyun|uxvgiyw|p(mzooyk|uvazzy|tsxjrm)|lpirurj|m(jvfrxz|bcnbsj)|xglkyso|z(izkxql|vdlgpx)|wcpupay|oijzkay|jkjkjsa|b(ihkota|mjvxke)|e(hpbtxs|txjjfa|uczzxo)|i(mkumfs|kxpbnm)|vktmpkw|kjmsedy|qheczdd|nhdcrrw|gmuqpos)|q(r(s(fhuoo|bpsir)|vdjmst)|xtdalbw|m(bkhjgz|m(xzjrk|sxzhk))|hqrzrng|k(uewpup|zsjlke|ihhbdi)|pzviuge|v(fleufi|hxtojj)|j(mzimrj|ppphfr|aqcnuo)|gayfsvv|cisnjgu|i(abapab|rvlmph|kfeycx)|z(ozvuke|adsunx)|s(xsychh|uigupj)|asavuwo|q(szjcqr|g(cglmf|mwxgn))|l(bipppa|koqvko)|eaueoqv|onkkoli|nsxmokf|fdncozq|ummyiqj|b(trlokj|xidnpq))|r(r(fsvgsh|qshqjy|nfmdsn)|iqltqpv|w(nyxcic|yfucct|xpnztx)|h(kaduyv|w(vsusv|gnezy))|a(vcjrte|rbpias)|q(nenmjv|anhnhx|efbthq)|t(ebukzo|lclccq)|xchcthe|yizuysr|g(duryzo|vpczox|mhfehh|hxsjiq)|sdikldu|j(rouisp|oljxma)|f(wsjrwt|isxojj|ngqihr)|l(hbeqoh|fhavvc)|ebgbpsx|uiwqgem|b(bqefjt|gxvscx)|m(hbvcet|dambcp)|ngmonfe|zgwqtvz|vjvfaqu)|z(t(adqprw|qnmzfp|nujysr)|k(pbtidr|owdhbo|jqioki)|s(fbrrel|qbbroi|cdhbif|wdxkep)|g(cxmlag|nvgzdt)|x(gxwdve|aeebyi|cnnauj)|d(kutpbu|mrikev|ldtsvl)|p(zrlpwj|bndfbd)|j(quexra|aqlfyr|dgmkou)|r(wiiizc|lmredg)|q(lglnam|zvufjd)|y(tnwmgr|ohzepr)|b(afytlv|txzspb|lahzdr)|c(vlvyjo|zlmmjo)|u(vapvss|umydxj)|mkrwakb|e(ljmeno|doovbc)|f(bbdirk|tdulye|nhtqrh)|o(ylwpwr|kgyost|apffjz)|w(nukqpz|tlwnoy)|vxvnply|z(buvjcz|oepexe|mxexyl)|lxjbbku)|u(y(oxilic|xaivle|ekxefv)|l(jxxhae|krgowa)|b(qtnpak|nexrve)|w(ovimfg|urbqdk|zlvazt)|qgpswra|v(baicci|rlzdip|cyogmb)|dbtepdr|hebbrgf|x(rtbnsi|jjsmna)|g(lkilqd|xsolgs)|rvwzdvs|s(zdlaew|kjighj|vmpusu)|t(ieydha|zejoya)|o(bfzvpn|mbjvmp)|jdaktva|kbjgrbb|p(udxlhb|gzwulz|noojxi)|f(xjbjal|oqycqv)|zmbtxfj)|i(k(uiavgc|nepjsi|lawvmm|kkpzjp)|a(yuxnmw|tsbrrx)|h(lffeob|gtdpee|snmgct)|iydvbhw|fttenzk|lzgqork|d(ldrhls|vstsoh|hiplky)|s(qgbuvc|xrgjnn|fxpqkh)|u(bqrhvr|xowcig|rwgtsu|gwwzib)|n(pkqgrk|uunsom)|g(l(ydfzb|borwe)|vbzeoa)|y(pxrqqd|giuyek)|t(lqqiaq|abwpqn)|j(vzjeco|wgnare)|erlgrmp|b(incvgh|ukwvjo)|okxaerq|w(lzgncr|eorayk)|mxhwsqq|pdwcmax)|a(u(ptpiez|gkgibv|nnylvb)|j(mqufaq|gfxdkp)|b(wzxddv|qvpduo)|gedbhnk|z(vvdkdg|eitwtg|iaivmv)|m(vnwdbr|umjqtg|lyytrn|cpqjed)|c(gcmzby|mgcpri|seknrl)|i(muhtfc|jyqdmv)|x(uwpflc|nmyruw|l(qrxaw|sboyn)|mgwncn)|v(hhxfkj|yxktcy|qbmowm)|n(uhhmnb|amkshk|mqrwip)|w(zedcag|qedsvr)|kbsgzmu|hzipjct|t(fftttl|cjnsfe)|odnoozv|rginslp|sjcxojk|qyriqzx|dpcuefp)|j(igahkzc|mwijesb|ya(jelor|ohvzu)|c(bwwhkm|sdzmnl|jrwajo)|w(j(vgwmq|wjymh)|ttaiku)|a(rxdkpq|orqgxo|vopzwk)|e(apsfji|mkklsh|gfwsfj)|gzjxhyv|vlyervm|u(ualeqb|tlmrit|kqfxky)|rksgrje|xlzbfew|khxiaow|s(hjgpxg|abrwas|sxlisb)|nprfevp|zolgnjq|bohiggk|o(pkgqhw|ccmhga|uulwmn)|qfhihdl)|y(e(pgmeqt|vldmhv)|x(gjaoum|hhbuxl)|c(tculme|cxcqzt|bqvjrn|ibvvza)|w(haysdq|tsapdc)|b(infidw|acevwu|yepyil|gggdlw)|s(xoyibt|byypes|uzldfm|pulekl|mcways)|o(obdqjj|inxiju)|u(kyaliy|nushyy|fbfeii|bmdxpy)|jttfelh|ymvlwhp|g(deifin|fouyru|yehvgr|oqwcfa)|tbetbci|fvdapwj|itemhwx|lfspvhf|pnvtwkj|hkrgiem|aqiaowk|dndtihj|qdguglz|zxvujtz)|h(x(gzyapv|jmfrrm|umohcl|ffkptp|pszsyg)|u(xvjyfh|ayosfr|bdmhll|vzwtkz|zzwmzo)|m(lawonz|dojmrf|i(sclvb|hdzwp))|dergcmo|h(hvkudi|vebthq|buvpfq)|sibxxsh|qtuhfnt|w(wtreuc|bjxdbw)|b(xuzkcp|kvekzy)|yu(aitdv|zgskt)|k(axqbca|vojovx)|cgecgqy|z(tpwkfj|vzmhpg|pefisw|etbixx)|oylftil|gqkiebt|pbdjypu|t(fhqmew|sqxahc)|r(ttweck|emhwks)|foesgit|lcrsiri)|d(z(vxbjuh|fpzbdp|ssdqjt|aioaoc)|j(vmrajc|arjtnz)|w(klvkck|lgmdre|rnlkyn)|v(yyyrcr|zlpnxf|fuwjxi)|i(pdgzxh|ewgxgi)|xtpfxas|s(aonirb|vknall)|o(rjftti|iojrft)|a(gmyref|cbykvl)|p(lwogfh|wzybdm|juwwbn)|bwhbbmr|lhsgvpm|g(rpgjlc|ceynjm)|rdetcdd|fnigthk|k(ffaifp|dyvanu)|y(gftkde|tprvtm)|hexyxqs|mfxfclw|dfhvpye|t(l(ncxfy|rhkgs)|rtnakp))|e(p(zroacc|grdtyq)|n(hmsrls|btaghf)|z(mpxkgq|tihuil)|y(y(oizmo|jznaf)|mfiyfh)|cwgpnob|geagxdl|j(etweim|gjtjfq|cmlajm)|dqhopro|xbottwm|l(wtwbob|gomuln|hclbrl)|wmzibwr|auseors|iheacqu|uwvgftt|ortvvla|sgdxcwn|hhnmajr|ryxnyxs)|c(omwnlll|x(kuxyay|ukbezv)|paulovx|b(sfhihz|n(lxkvt|pzakg))|lqrelfn|y(ipuyyy|gzwpuk)|j(nnflct|puehgg)|meqevzj|a(fvargx|hqpznu|tevwnl)|etqoara|ixfzlec|n(lejlwk|euxkbq)|v(jtufim|tjtzam)|s(mdxokp|bavgli|hlfoqv)|c(xarpqg|nvtaqk|oshufm)|flxeyrb|drdcvkq|waiyrtv)|o(newnqyh|xeaqcqj|a(asxqyo|dxqjiw)|u(yjpvjp|iykddf)|c(rptkrh|ukyuyl|jhfpul)|zvnwllq|r(hilmki|weygbx|fkwyyc|ivktch)|wkyejcu|g(dsfgfr|sfraoe|urhgtt|wcmwfw|njqdqj)|i(raaotb|oempwx)|vrutyov|yztzdvh|f(iorwky|qrzivp)|sjdhwiy|l(jlvoyp|pebcxu)|kkgxpmy|epmhoig|t(eleabn|maidqj)|h(oiogrq|pvgcav)|mb(pccdb|xhtib)|p(nnugxf|ydsljg))|b(txipjzs|sjxoowr|m(febqnl|iklrih)|x(iwephg|lxtppi|amrzca)|c(lircfo|uhyyxj|gyurvb)|neoizhz|d(jzmezc|sgvwgx)|jjiuabj|w(velnvr|yyljfx|atelmj|jafcej)|h(dtcgfr|copsos)|e(vvaacx|ovhvii|itewct)|g(a(ydxpk|rhtjw)|zbqkaj|dgjxpw)|b(mjkzuo|fkvywc)|qdlznlk|rmazzyp|pjydzzs|z(jikokq|dnezlb)|a(ryitjd|kgpina)|fnvysyi|ycnozbu|i(qzynfq|dzjexr)|vzqgyme)|s(t(qklkte|gerfil|wgqlol)|e(jyfgdo|dbdhkj)|z(pczhqt|qqhqav)|a(zwujif|iblvqs|lrmghg|ngcegp|hycahs)|ilqrdwk|bmnoiof|y(nvxksi|cjxnjx|sxnwsr)|n(dqvqqj|tcjsox)|p(zfapyo|wdusts|nrtcuz)|wunekex|m(l(wxhyn|qehon)|uzbzcp)|l(vlthpo|nogjwm)|hiibvwt|jyhhnmr|kpnknwx|v(hknqpt|ngxstz)|gucblhm|sxibzog)|p(x(yhgqku|iihwpr)|k(mbspsb|deanot)|f(gcuacv|hgpkoa|tpsgkh)|h(lmdvsi|anhwdb|pprbez|mvwkoe|kajemq|qtlykn|gndcpg)|n(dkczpe|vkyvti|lkdord)|cesqwcn|p(sxkzcd|aidvhd)|r(qiouzq|khplcu|zdbgrw)|o(yzizdi|qcatjk|pnstcc)|wurarmh|iqwgeac|ysrsnnj|u(tzrkcu|rcqqsl|qlhfqy)|g(xrcbyr|dfqbxx)|zhlnyud|dtrfvnx|lhoureu|eufwwas|s(llgdni|ublswy)|vdamzyc|jipwcbe))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633049; rev:2;)
# sid 2633050 includes 435 (2401 - 2836) 8 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cc)"; content:"|08|";content:"|02|cc|00|";nocase;within: 11;pcre: "/(s(njbgdrc|zdhzuiy|qqxiwyz|ympoihg|p(lisebb|jfnqsl|gvmezu)|wveigmu|obtfbyy|m(tmocbl|lixajm)|xgiotyp|atxbyfi|gdflfsf|ihbkdfg)|y(zlgngph|byjaovs|kvojyql|vjlvfof|n(uzeenb|lpzjep|mnidjk)|ohnzsjw|myfnkxj|lgnntho|x(ojnrnm|swdrxd|tdurxr|ktrpls)|wheipao|urozxty|efnlrzc)|e(s(kgrvtw|ggdknu)|cu(yezyq|hwapk)|kqcsbpc|bf(jujoy|ajrbs)|l(gabsln|qukyqw|pkbzdv)|x(mjjbeo|w(qabtq|aigdg))|zqymcwu|fhinhxl|nwfyuly|ozafguu|pelyeys|uuaesyo|qbqguql|tdhfjdy|akbypyn|jcmoxqr)|g(wwsfvob|x(hzlwji|pksowd)|uixienc|m(uhxmcc|yfqsdo)|aqeypxx|botwsqz|c(zlcdzj|qvbplw)|sraytge|d(yjektl|poixkd|nwgcaw)|qehbkgd|o(mlegzx|vaaqfy)|twmnvfi|rfaeunh)|t(t(z(zvrfo|marrh)|koffjf)|ylooqfi|euwcdkw|wvhnyik|axhdnvp|fgalsfw|o(mnpqvc|hwjsun|pnmodc)|gcodxfu|myjbbes|u(sfxgqx|xfnqrn)|dramddm|xafgvyc|pbmvnpz|hcerzgr)|k(yyotosn|cvtcjug|u(gfmfez|rvosfb)|lipcwlx|tkkpswv|sjzldcd|rcumsmd|jjorhia|dbevvix|wxhdotv|nmmrvuj|butzbcy|igxpcek|huelxmg|gxcutfn|zdxgzhk|mhffrph)|a(hdouktm|eacoqeu|xyamcxp|vfjezod|lfqsrou|dvzbbvl|a(dhingz|icyrmp)|pfojxcb|f(zthyud|fssrsy)|wqqriod|s(gqjhvy|nscqli)|ozyrysu|rauxcjc|bftmsoe|imujyxp)|o(xolhmdd|augwkxn|eekevbz|drbqhya|vfpocuc|s(suhbrq|diwitw)|r(g(dbzym|btvpo)|fzjbbz)|nwrzuuk|mbkvlex|yfpmvje|uxnnfdb|ffovpsz)|v(z(yzlexp|mlmraf)|ceemlbn|rdsybbp|o(ytyocb|bfkpiu)|xibhbue|iajizky|udbfwbg|wruozuv|qlaacpi|anfgndv|snvkukc|ybpnkpq|vmexbhf|mhboufs|nsvamjc)|d(k(ktdnhp|bchhxf)|p(xqyedb|qkxsef)|d(qxjkwe|vtabng|weayds)|fvmmmoo|ejfvijk|rwrvpvb|gbggmiz|z(rhrvtf|hbkgep|zwbpqf)|ugpxobq|srxwspb|tqcnhif|a(hltbwb|atxhmj)|cuatlen|b(fxmftc|rwctmj)|ouxifss|ipmqmdz|qhekgpa|j(rwkkhd|wrxlsv))|n(rzdklgx|ucfxszd|zbkvyea|nvyztjs|hm(hpsal|nnosz)|jxxdimp|kuvvjen|bnrzhfs|igixabm|wnandlq)|q(nkdsrjs|rcehznn|lvyeplq|fkaxflw|ioezojr|dcjbpqa|zvjpewk|e(njzmww|yuuics)|y(bgneto|qlvswq)|kuaixsm|m(bbfgww|dtnioc)|h(mamcll|zmzclr|sdrqsr)|p(jfdybg|mnhsyh)|bfqlxov|olvnxfo)|x(losvuzm|xuhavbk|z(iyujpe|auhcxd)|pyusbxo|bnhbnjk|gmnyrbr|w(enxxbs|sbjmna|iwdggy)|qfvyksk|f(mjqeff|rivtvn)|s(bivsua|zechpa)|jjczyoq|aeuiwwx|exhznlf)|j(o(jhiaxe|vocbzp)|g(hwkovf|nheybr)|euchmft|hbmesco|qzssprz|pqukpmd|vfecybh|j(ohcbxi|uywskb)|uhxtqqm|yxlslju|sbbancy|dlhmpdq)|m(zasapuz|ofodujl|htjvkjp|qfgbjil|gwobekh|w(clpsmd|aibxgx)|frkspit|v(zzzxzx|hwlvfy)|krbukis|imygovw|ynquvok)|c(z(tabagf|kauixl)|pzuovyf|k(iautnc|msywiz)|f(swpzau|wezwle)|docycbn|yiswrre|lpdsmoe|jkmbdwn|tyqomqm|cahvrvx|azbpikb|iywkwqv|mxztsox)|r(c(kcisvz|jxzhlq)|d(ktfope|glckau)|y(nhqywn|onmjxh)|f(vlmltx|tmvuvf)|t(wiviki|xydidk)|l(jsboda|cunhft)|gknkeug|aaqwvpy|hdhcjxd|zwupbzx|uwcrvtr|ohiseow|m(xiftkc|dzdqww))|p(kcvvuxj|fn(uxkmr|gzspe)|g(qiufdi|oriwuw)|c(jfzijy|slwaos)|d(toqmhq|orilli)|a(gjqtfe|tnlhyk|otfuio|ffqekx)|y(yfqtsc|ibiphp)|vbffiny|b(tpjniy|auskns)|mftakdk|ldipelf|iqfktbs|ekhvdom|peqhymb|tjlnbob)|f(s(fcdmmw|bxayyk)|g(rgzzlg|vrsixs)|y(vmyqvh|sixate)|pbdwbcf|nilqbze|v(vegraq|cmnwsw)|h(tvnvwr|gcdrat)|arddmbo|blnipko|itpdria|okngpgf|tnoevcj)|b(eqwszrc|ovqkgzp|zpsyaxu|m(amlbmm|gggdau)|gykwocf|jkgwjgg|iosvili|kysjwmy|purtild|n(kjbfbp|uljrho))|u(d(zbfjgv|dukqxf)|kdenyqg|xezlmlk|a(cwymel|siymwl)|j(jxlmms|zbuwkh)|lxyjtwq|yzwalyp|uhvjpme|navtjxw|iwenrxi)|w(bdukbba|g(lzhemo|drlehl)|k(gxweno|kvwana)|f(dkqlbv|tqzozq)|zmoacii|j(voiozo|cqanth)|d(rmldpi|jbuats)|hdkhavg|wpxjoxs|p(ltskjr|oyprde)|nuipixp|rbxmged|vyrngho|tjblucq)|h(yntvyju|l(xpxjfw|vfbljn)|hfrvwzm|xcscmzq|p(idyuuw|mdizfn)|rbsqzqq|gigfuqb|bkcfjsg|fevgpmv)|i(yescics|tqfmclt|g(gvrvmy|ibfyxa)|zypvubw|vtdcjfl|phnbein|hfmkpnf|ihcdclj)|z(z(cxxzpp|vcjoom)|fgemzkk|ovbtocb|dvdtgni|anzsuvu|bqjzara|xgxamqp|levetdk|eraznee|yhywlgy|wnsnoxl)|l(odtrvbp|m(mhjzqx|qhzkxk|iufepz)|v(mullow|fysidn)|h(cqtebk|gnksnl)|wxegxbi|l(vlzhlh|bkhwny)|rcwpyto|qmvmrtg|srizhwc|nkhzxzj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633050; rev:2;)
# sid 2633051 includes 600 (0 - 600) 9 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(v(s(szweyhv|bsorhvp|edkdsdq)|jsmabscj|lsenoqzo|zzuvgpkx|q(xwpjbon|ouwtotw)|vrvaekga|nftvuwsc|mqjohsgx|g(kfvdzeq|qyptubs)|udylpnaw|r(dzeckrz|xoidyil)|pflvwiai|fdnzeurq|x(oejkpat|tmtuwhq)|hljnhvdo|ywcbaevs)|d(e(vntynuh|lecqmzg)|t(lufngow|gnaqabq)|fpflxkoe|k(dugzxqb|qyedldk)|gwkjbdlu|m(dentzvg|t(zkprjn|jnawvn))|qjdajpwx|bthhqaxo|ynwfamfe|ljbuduya|h(eyrizjy|kwzgbmz)|u(jfivzwe|hbotrnt)|omqmldvb|wiqvkueo|zigmitkg|jjgmqylv|iujacupl|rgnxdfzv)|j(w(kghbnkp|hhwrmef)|hthtapuz|n(lizpdbe|oyxuzfy|wwjphrb)|p(xnicqon|hlyarfj)|bfqwlrtv|x(ccnmazn|vtcullq)|qstqbzjm|atyfqczk|m(sadzult|jnyedxf)|zigoxqlw|d(nfnkxkt|ajhxckf)|jdcslfzm|uixlvjuk|stlzaccs)|u(hqppobkk|y(dqejwgd|leccyjc)|d(oecclzl|efkdwxt)|fhkubglr|qlpbpeqs|lukvrfaa|v(juzqmgl|zimtwyg)|crtymeyu|xanqeotk|pcyiafck|kgubdkrr|glzudgmx)|f(kgonzvva|a(bxwnplw|cyvcllp|pawhdeh|mcnnucg)|tnkdhrdv|d(fdenkwy|yruwyfd)|u(pnsyaqh|npiyuhz|uaunwlb|igfnmvr)|p(fuzrvwr|kvldlqx|xedvipk)|qbdgahme|xfsoelzi|rihgbvcb|o(ylzfudg|alluxsd)|jjugkjbt|ymtumhyx|c(iipbbkq|zjdioxy)|eikufiyb|lohhvxbd|sgfrzdya|mezwklsb|hwtsgslz)|q(h(polvizd|mrcnlrt)|errpoxtv|wyrwqgry|m(tgjynqe|wnzkxxe)|pdpgxlfh|lhonqpxx|qcmdwous|zwqraniq|uldyjejw|coiggyzs|n(ojuiwus|qghjdby)|rxdhekfg|jlvntwvw|xebbfuqd|kczdugzm|tztgtdmi|bbmighdz)|y(c(smybgme|wwhopnx)|yvccgwin|vamibeyu|u(lctspie|urtvfln|xhhpptx)|jgxbxozn|z(inlwjnk|johginc)|kmneooip|ifmfdcuf|pvhsytml|lgqtjibg|eobtbpvp|s(rmwfgzg|wfptzlb)|omgkzurr|n(buynkuk|nlnbdoj)|a(fwntdes|dmukrml)|faxaeczh|mumpeptl|xafonthh)|x(t(rf(njzzu|knwbm)|nlatmzx|dkyfekg)|p(uxufrix|hnuqkie|vuqammb)|fyhbtxxl|wpatfvxo|v(jscpjdo|qmsejaa|trnfbjt)|l(bdbagly|drytzgs)|b(xcjwoey|owbbbyb|vrbgzda)|skrfesgs|qzjziyvb|myifuhae|aypuxmwv|y(krvrkmg|euimxfa)|ikhhkxmy|cjlpgunf|e(pmvbubi|zkderrg)|daafzsqb)|k(n(cpfhyby|ptofkzl|ikgizsr)|q(conktxx|kqxkwpx)|h(upxqcpr|xhaeiew)|t(mftucly|pefacpn)|fhxzivcv|u(onxhmii|gosggza)|lxbnqttg|pamsxvrq|onnmkxct|gfrdbtdz|etdascxf|xnfjgrob|jjpmpezw|mqqfyfvm|belnmzwq|zandpnpc|rfgtfclo|clfbqqkt|v(cezbeuf|fjrptva)|khvbkazc)|t(fptcccfw|jloslxuo|x(qkjyuql|tzcfzuu|zzpygjx)|lobavhho|quqjbuod|ro(jdprcc|iiabfc)|vigwljkb|z(eyvxxoo|yscjymg)|w(ffikgbl|wbtajme)|ahhxwqdc|udeimpru|s(vofyuxh|amnzhin)|t(czwyidp|mmunlvp)|dxoqdipl)|b(qaojhzpd|l(ausfeud|nvzqnht|gelhrdk)|izhxpqxs|m(gueyrum|veahgka)|b(viwdyxy|xviuwgx)|tdiblexb|k(tkrekes|vepmnvt)|pfmanwjy|h(vvuawfa|lxqwtez|wsrmqki)|ddshpmfj|rqwfwnjx|fqxmhcpa|jutpcyil|ytykxyrx)|w(pbgopcux|i(jwpzyfs|rgeqdsk)|g(krgtahq|ugbpdix)|l(vosfedz|drwyjcl)|s(mxdailo|rjekzda|ozgikkq|hnjpbkd)|wiggetzr|o(tojlxww|epdewxx)|fepwryrt|r(yweaqes|nknrrea)|ngvaowqi|kerbfnjv|evlmmten|dsqhutly|jxdddemv|yycswkau|zuapzmos)|o(j(fpkpssx|ctwfdon)|u(dupdrhn|tihvlvj)|r(dxhurzn|xbxiban|azuaerd)|nodrptvs|x(qgdoccw|gstxcjk|shmbxko)|sxpioozk|bjletwbn|qa(rinzwz|proqrc)|lultbfvq|vclxuysd|giycnsop|hlwziaed|mdscezxf|dtoiyhco|tvlhmbgs|ckckvngh|zybcuqgw)|s(d(lymbmvk|jvnbhnd)|vvylxpbk|u(urnspbo|mwhugtv|ndarvfg|yvoxtga)|qwjpmbrs|m(nrioknq|impmwvg)|jhkdarvt|zk(aboqsz|drxeet)|f(jzfrghd|uwkcaqj)|p(jcshgyf|wzomphx)|nshphhpj|tcwcuwoh|s(mkaobsk|lbwkyti)|worbprkd|yyimczzy|ackowkkv|hylqiuiq)|c(chvoaooo|o(m(ibpwzr|cscwuw|kignuv)|nxuuhlb)|dgrkudeb|sfubebvz|ppqpnlin|m(myhckdy|hatiddb|vwbxesr)|isrmlyqh|erdusphd|xvmywxwf|l(bljjydt|tbkhpzr)|qvcxwssb|zmkstlmt|hvazquas|vqkkqdru|kegukmzp|wtuzknmy)|e(lxdpwshn|y(imbxsla|nacspfu|wloqikd)|bdgaoolt|qckmrdio|s(tcmapwh|ollhnsg|kzvympq)|n(ojoibox|gfnydmq|drdhijx)|wzycatys|ryyznden|fvqtdhli|t(rffqntx|awabtds|gennlij)|ukwqoeal|x(meeohpp|nuivvap)|p(czrgjrh|xrpovli)|elkrryju)|z(y(ixkdfuo|geckojq)|mfyxvjqk|fczcnsby|n(edggxkz|kbbrhlf|hbsiyap)|rqyzneqx|euqjshbq|a(kwidmwq|utlhsjo)|z(wlapwiq|avnsafi)|cmteqvol|wggytgex|g(sgpodzh|wqcsuei)|tbvcwwal|liqzcgfs|vaqblimr|q(hdfnqfv|fkkfkxn)|ioracmiu|s(qrjqndd|voaoxdv)|hqgrylte|jmzactfr)|a(r(bjzksaw|iifuumr)|a(jicikbg|tgfrcrk)|pncgvtwn|f(etgekuo|gukmweg|alcxxud|qzdiaah)|ihrdantd|m(llkklke|xrujfhz)|q(kxtdtgz|jufqqor)|e(tbxqxuv|cskksmn)|h(tzkohdh|xjmgiqy)|ztbezhjn|cvgxrsxf|sdnjfdgf|ukacrogz|gbbtcvhf|kjjddazd)|p(sbzjerdx|k(tlyyxwc|qpmzubs)|u(bowntjp|ggbkshl)|j(rauosyz|uqbcltl)|rsmcebnv|laedyxqu|iahkpasn|m(x(ltbgst|ymhvom)|pgclbss)|ybgaevbu|dierfxex|cjrxtcjk|xrfdlybj|pyrutxzx|okguqaip|vkfdmqxy|euukvloc)|m(g(eqnwhjv|nuyyghl)|i(qfrmyfn|mfsckzg)|s(dtfrhyw|pqfawoi|xofpjpa)|x(qpieqjf|ywnmukl|olzwgfh)|cnsfomtk|r(ikqxoak|ukumcvn|mygohxa)|h(ibowxnq|vlewevl)|z(uyknovz|aotrjav|mtinyst)|m(blgkgty|eewfxuf)|kazoyuch|vpddzeka|nzcpqinw|atdnhdid|thmhqfej|lerlkmwn)|g(jk(kvfwzl|aoskvm)|g(rjzaetk|zkdcpuz)|s(aackerc|hdjlwcd|knspimf)|n(qcgstal|dmcscno)|a(kkbypfn|drpvbkl)|r(velgxsw|zvrpnuc)|d(kxtrhra|nslpkck)|v(nfbqjkq|emhlvsa|kmaixod)|hifsmkbv|bkedtzmc|cafmajms|tdztttxa|pndlrmla|f(icwwsqa|tcavrqa))|i(a(uveyims|scrudex)|wh(vcfvfy|wlrwmt)|k(pfnieyz|guoyufx)|rhkngjmd|o(oiuodgs|qchwgrh|zhfaptm|cglxoep)|p(kgslsty|cmmfvpa|zulgdyf)|qecxknzp|l(yollyya|ctgbimk)|nkxnlklx|sdsuelhq|mrsaaits|dkbbkhxw|ennajzlr|taamnwbj|hyduzshs|bglphcxw|imbnnixr|zmfmxuvo)|r(lvvrwwpy|vbdrqudg|ksjudjpl|bkhzhkjj|xlxobbgd|p(jobssfi|snochqp)|o(nockrcm|sprxmdi)|i(pydgxnp|manerts)|zr(ieelug|wllivt)|yqolcneg|mcrgircy|eqxqufon|nyktvxtf|gsbjfwrl)|h(v(ciypjrm|evjvulq|numhtgl)|gsjehrco|a(llarnkw|oynghzl|mwtvhja)|ymppxrgj|srmubhji|d(vznsbng|gbniwhn)|b(lzbypnl|fcyhdkc|drehqxj)|o(lziuejq|snuimep)|wismfiyo|crtmrjkq|piyzscrm|r(hcqxswk|apndvwd)|hqsyzaii|lstyfzum)|l(prgfxfgv|gpcfapma|ndeylpqq|ioalxblz|v(xuihhwx|tharrdn)|txemfmcd|r(zkiyhwo|ydhclhe)|z(ocouvlp|unaoeop|qzygsjw)|q(upcuwbc|nmwloom)|yentuzml|ejqqprxz|mbhhhmuc|juxmcuwy)|n(u(axkpgwu|zibfgoa)|zhchgibx|fjzkmykw|oadnsyce|ibxyxcev|c(kdwpkso|zfajiaw)|lzrpickv|q(alyaoea|goncyqb|qjwobdh)|tpevhilh|e(lzreiwu|hrkaeal)|vwnevlgp|rrhhbpji))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633051; rev:2;)
# sid 2633052 includes 778 (601 - 1200) 9 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(i(m(rsaaits|pdnoxzn)|w(hwlrwmt|rnxpsqb)|d(kbbkhxw|utveiym|htfdqdu|myddoxg)|en(najzlr|vgwwba)|t(aamnwbj|bumyzqc)|o(zhfaptm|cglxoep)|h(yduzshs|kaeavop|dkgvghx)|bglphcxw|pzulgdyf|i(mbnnixr|gfekefk|ozqejas)|zmfmxuvo|lc(tgbimk|clforx)|n(fwthxxb|uauwiey)|qtnitgkv|kksbzlww|x(vxgfrmv|umvgbym)|gvksbpej|jflxsjmx|aolkjkky|rqdlpukj|sebuoxsh|vagzpqmp)|y(s(rmwfgzg|wfptzlb|bdyqjnk)|o(mgkzurr|ucuwkap|sbngcmw|ipetuol|tvqkmjt)|n(buynkuk|nlnbdoj|iqymnjn)|zjohginc|a(fwntdes|dmukrml|hrxgarb)|f(axaeczh|lpgvejd|bvsdswi)|uxhhpptx|m(umpeptl|vlebbaw)|xafonthh|t(wtgdpbq|ddxgfjb|jqzownw)|d(s(qngizb|kusvum)|ilplntq|gjznrbl)|rjbznzmw|j(abarftt|sqtrygm)|k(ezwwvlz|qwtzftj)|h(withjei|vehyoim)|vqkcmxea|q(ktrvsvb|lvuvjal)|g(w(gbwuvx|feumjq)|jlrliyu)|i(myggxgh|ndhbiug)|c(gksltum|coujnsp)|brivlfjy)|v(g(qyptubs|udbmxab|pwlwsrj)|qouwtotw|x(oejkpat|tmtuwhq)|h(ljnhvdo|pupovxy)|rxoidyil|ywcbaevs|sedkdsdq|p(mrdfgcn|qgbykmj)|bxekyekt|w(ghojmin|faonhvn)|ncvtxcsf|i(fqaglgq|optjeph)|dzehlqvn|erkxjcup|afnjgwgu|fxkaworx|lingceeu)|p(m(pgclbss|xymhvom)|uggbkshl|p(yrutxzx|pwovlwg)|okguqaip|v(kfdmqxy|pcwgtyy|oncpfkv|rozlixs)|euukvloc|g(dawycls|wfcfeqr)|qfblefsd|z(nawodsk|cedrvkl)|nmhzaqef|tqiywdlx|w(zlhdbnq|pnguypq)|y(narbckw|stmfrnd)|k(pkncxqf|etdzmss))|a(z(tbezhjn|ubbhmam)|e(cskksmn|eaveojl)|cvgxrsxf|hxjmgiqy|sdnjfdgf|u(kacrogz|fidjwkk)|g(bbtcvhf|rlrohju)|qjufqqor|k(jjddazd|ixcpylv)|mx(rujfhz|fwmobx|gjtdcc)|f(gdwhnjk|o(ptwscu|ivtulw)|aympypm)|v(fxmawja|qiviqta)|am(jsywxi|npvxix)|pmgoofyz|tezqfjmx|b(mtixgaw|fmrawzj)|wljtebrf|jogmrqem|okrykswa)|c(ltbkhpzr|k(egukmzp|corbzow)|m(vwbxesr|sfgvzke|hfojsbc)|w(tuzknmy|xywygvz|jdkmqpq)|onxuuhlb|c(awdcxkn|rypfsrh)|e(nmdjfzw|ctmkjvn|biajaqp|ilmwbgj|hgtnwhj)|p(agaffxj|rbsuakr)|f(jjzpfrj|wmbcuvg)|r(exuixjc|poedwre)|d(uoparco|fxjqugo)|qybqdiiq|uvxvzqko|bnojsfrp|yuhidtfm|sgwmmijp|hhixyysr)|f(e(ikufiyb|zycbrix)|pxedvipk|a(mcnnucg|nbxodqa)|lohhvxbd|u(uaunwlb|igfnmvr|aiepdvj|oirostm)|s(g(frzdya|ourlzg)|rrjtedz|iynfisr)|czjdioxy|m(ezwklsb|ritzinr|bckqzui|xfnoutr)|hwtsgslz|o(dfxxwpi|yllguuk)|z(uzwngye|xbozzfi)|vvnjneoi|q(ohqttcz|yziqcaf)|n(nswbrwj|xdjybol)|jaupyudc|i(hylrdzb|oejeglu|bmkcfrt|ayqnmci)|y(hucjweg|cjtrkrm)|rmlsseyj|gghrohzm)|u(c(rtymeyu|lkhdmcv)|x(anqeotk|onjfmxh)|p(cyiafck|bvekdea)|k(gubdkrr|bhxmeds)|g(lzudgmx|mb(emdkd|kvrtz)|slzohrk)|ooskrxgf|ipwkappr|jtxidgxe|nrklobuj|txbedqnl|w(ysykywi|jjhgbkn)|fhraloau|mzysiuun|zbvpexlp|uaviogvi|ldczlkli|hoyrtwds|sichdems|a(wcbjxis|dtrduqr)|qwavgqih)|j(x(vtcullq|gucobtu)|d(nf(nkxkt|jpvhb)|ajhxckf|bnzmdkl|jlxjigb)|j(dcslfzm|rdokehe|ooesspx)|m(jnyedxf|ndgxeee)|phlyarfj|u(ixlvjuk|bdudzjj)|s(tlzaccs|bvhbdtl)|atvinicj|n(vuoqjke|ichchcj)|eahfhwxs|rxmwvdzs|tksgauwz|v(kgjwdxa|sihyjha)|glxdnjtn|ovadztzh|wuvjcbur|zdtwgdym|k(xlpvhno|zadyeni))|h(o(snuimep|rhwezha)|amwtvhja|r(hcqxswk|apndvwd)|b(drehqxj|q(zlvarq|elmuip))|hqsyzaii|lstyfzum|ypplnvwp|i(qbwbsjr|bxnqjmg|xdlarao)|grmupzjq|stbzixfv|qiwyrwrb|j(jxsoitq|uzcehjg)|nxhoclbg|dxdbjlqc|xrnvwhbc|mbvidxwi|cbftbidy|w(yzrmtzs|dlkdjop)|kltpamps)|d(j(jgmqylv|gevdnps)|i(ujacupl|ygbsaxm)|r(gnxdfzv|bfmgitu)|u(dffpbkz|oqauwcy|zgtgqza)|bsvuaxih|c(iczteij|otuuubr)|q(ungfxtk|fefxhjs)|yvapjgbj|xwfpzpst|nqnebwoy|ezqrgioe|lkfddfml|hgylkxfc|dinoxlhi|omgrrtaj|zwmpfeku|v(madtrmu|yejztbj)|wsaqrlsj)|o(q(aproqrc|druxmzq)|xshmbxko|c(kckvngh|dftkeoo|wobolxg)|r(azuaerd|qzbpucy|rwxmwrq|gxgwsge)|z(ybcuqgw|jcntalw)|wz(hzjjbm|ctokkt)|n(dqeiotg|xhwefxi)|v(hjqxrfe|cdhzcjr)|egrexasw|oikxxvzt|j(czrolvs|kykxlgv)|d(kmepdig|shqovsd)|lsnngmju|ifvfnriz|prqjidfj|szctyxfi)|z(hqgrylte|n(hbsiyap|ubccasj)|qfkkfkxn|s(voaoxdv|dawrszc)|j(m(zactfr|nzrxzc)|kagkwwd)|d(seucgnc|ouqjwzt)|r(kqlinzl|fumobpj)|pctcekdv|l(gdbxzkn|kpfcqfs)|mwyrqezb|bqkamzjj|wfvdhdnu|f(mpafgwj|gvfpuzc)|vwxdubsg|kfybvsrv|tgcioehk)|n(e(lzreiwu|hrkaeal)|vwnevlgp|q(goncyqb|qjwobdh)|r(rhhbpji|fwnnrfw)|a(bshwjmh|mamiowq)|bzsqcpse|t(uhhvtww|aermdnr)|giibfwla|curnaaim|y(geadtju|eqkkxbd)|k(faldruu|veetdbt)|u(eokjlln|aavsdpf)|ijfgrnoi|dyfurobh|h(xfxcdsc|ynoyomd|aukezwj)|nzenngda|lnrtgdtm|midvfmvl)|m(g(nuyyghl|vxfadyf|ahicyzi)|vpddzeka|n(zcpqinw|lduvqnh)|atdnhdid|meewfxuf|thmhqfej|l(erlkmwn|fgsmgac)|zmtinyst|dtrgmrcc|u(oetkcht|rnvmuju|yvkufek)|xohiwapr|bayatvxs|cydgnvjv|s(jzongmj|tybpqbf)|rnmpfgia)|e(x(meeohpp|nuivvap)|p(czrgjrh|xrpovli)|s(ollhnsg|kzvympq|gthmjhr)|y(nacspfu|wloqikd|pddtonx|lzseuvy|bijfygp)|e(lkrryju|wnxgdhb)|t(gennlij|qnlvfai)|asvmgxlg|n(lcuesiz|rxsxtty)|vpriupta|mbscvoww|wvughlue|onvkmasm|drxjnjjb|fzvssfpk|qnkfnjoo|rflajetj|hjbltaad|cudahulu|iajcxzjd|kuumibyd)|l(z(unaoeop|qzygsjw)|r(ydhclhe|chlaovc)|e(jqqprxz|yagdjfk|pguwufg|obhqpcx)|m(b(hhhmuc|vcndjv)|pydevkp)|qnmwloom|j(uxmcuwy|whcceqa)|wxxahiky|u(vffoalh|uqiieao)|klbczquk|hbkcbuwq|pjuvnrtz|trmvyjes|o(aarqvwo|isztwnd)|fgwbheyo|dsrkvzeb|xyicmfjt|ghjhlfiw)|k(rfgtfclo|u(gosggza|xvbesgi|nadpyba)|c(lfbqqkt|qjcsltq)|n(ikgizsr|einxdck)|v(cezbeuf|fjrptva|lndbane|uivfwgv)|k(hvbkazc|jhmppjd|mnbpfrs|iqzcddh)|m(zxymihu|omrmqti)|hdkqaznq|f(afioezc|svnxxyi)|s(yxzcewl|pgoykzu|mzlmubn)|doyjueio|t(agernat|nzjgbhb)|q(sh(mokyz|cgwtj)|zpumpqq)|itdffewi|bgaysktp|zokagzav|elzriytk|xuybkpfu|g(bdnmzvw|ciszple|dfystlq))|w(s(hnjpbkd|sficfyv|lnenkae|bbwkdhm)|rnknrrea|y(ycswkau|vifdjsr)|z(uapzmos|rundlwi)|a(cbdsvew|mutfhkj)|jjhtpbew|htwsoiad|ikxnnjrs|tajxahnz|vnkkmehz|ktykfzyd|nhhxvyli|ujmulatd|liwjdtky|qdpfwbnk|oxscuipr)|x(yeuimxfa|l(drytzgs|gemuhct)|cjlpgunf|e(pmvbubi|zkderrg|ewmltqa)|t(rfknwbm|xdgqado)|v(trnfbjt|qkaivyo)|bvrbgzda|daafzsqb|m(rarjmrj|opzssbe)|o(xvvytax|kdhknki)|kglwylzq|fnrlkolm|ikhhnblh|xnfunrcn|p(rgfpsda|aqbxcqz)|qgvhxacu|jqzsrigh)|s(s(mkaobsk|lbwkyti|prxflij)|p(w(zomphx|dnskoi)|qejwjei|fektaey)|u(yvoxtga|odoymzr|znbpapa|tdulhym)|dj(vnbhnd|hqiguc)|worbprkd|yyimczzy|a(ckowkkv|btticxo)|hylqiuiq|ctypbvww|g(bqwnfmz|ailpezk)|o(arwdiev|xciezey)|b(ohnrgry|plwmeyf)|vs(lpejwx|cyxjaz)|m(ehcwisa|nfopysm)|l(ydkifqm|hvdudnf)|ecaypuae|fqidnquz|nlwecsrl|q(zmnymlr|afszepo)|ketobuap)|g(c(afmajms|yfuscwb)|g(zkdcpuz|kbrcvyc|tdjnrwn|irvekhy)|n(dmcscno|gszfuwr)|t(dztttxa|axxfgxv)|pndlrmla|f(icwwsqa|tcavrqa|cakpasa)|r(zvrpnuc|xrqflnl)|lnhzhxzz|v(xexxzfz|nsmgoll)|u(jhxaqyh|qdwaluq)|aoojxggk|k(yhhexyz|whafwuk)|qt(pddkwq|cwrcyt)|zcugggnq|ji(spmhqk|llbhuo))|r(osprxmdi|n(yktvxtf|mqamcvo|skcmbhy)|gsbjfwrl|vcxbwvvy|e(imqxshg|a(meazvp|zzwvyi)|oebejgb)|ptzaivla|dslcfwrv|zjupprqw|bymgrzxx|ywjnftdc|w(cvpkkjl|ucjtucj)|udevrvht|fhpzutis|c(vxzjakk|ooxbctn)|huuczaex)|b(j(utpcyil|dznngkq|xirwoim)|l(gelhrdk|rdihaao|eueedms)|ytykxyrx|m(ctyfxyw|gewwboo|smebgvh)|q(zyprduq|krlemcc)|w(ldpmyqb|ukwcvdw)|vemrnuso|rmjrjwic|n(z(smwojz|zyzvkm)|hlkxjfr)|da(hceryz|xozhok)|u(ctyszdr|wsrbojq|erqtmyo)|hleveasb|gtesxtgr|fiphnexc|kwkbdyqe|ixezcbwr|t(yjphfjp|ejkfdlc)|sxfiraqh|clupnfaf|alphwcwl|zvayaswy)|t(xzzpygjx|d(xoqdipl|iayddlb)|tmmunlvp|z(yscjymg|kblgppb)|h(rtcohun|owyvqib)|b(nwevdml|tcxbknn)|q(auilkoz|ovbvtvh)|p(vdridpt|ftobsam)|n(zzsswwj|ygitlnt)|l(jrrigbe|tidomqo)|ofmygdgi|gmjckfsd|jfhbvids|fnfbinqn|s(hderuil|qlxiynd)|vijejwpr|yxrgsuwo|kingcups|cwizjueg|uxrcisej|apslazin)|q(t(ztgtdmi|oxpmltz)|bbmighdz|p(whrcufh|iidwdgd|ynfjlxb)|s(omkttgv|q(vjgsmx|xvpdaf))|fomotubd|x(cwpsjef|ievpzxj|ptrgbht|ftjzdht)|m(htxjgmx|jajbhlz)|ui(usuvnh|hupvnf)|j(ohqhjgi|ymgtilo|udopqum|iuniiuw)|l(w(eeeowf|gffuet)|qhzynxu)|rntxkrzn|iglwqjwj|vtzggakv|gsfgycwt|kbvupczn|egycfodq|newvqgey|csbatibh|wdkpluhm))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633052; rev:2;)
# sid 2633053 includes 178 (1201 - 1379) 9 character domains in the ".cc" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.cc)"; content:"|09|";content:"|02|cc|00|";nocase;within: 12;pcre: "/(b(t(niooago|xiszlgl)|zasfvsuv|liqulreq|eeeccxiw|rstfkyrh|inliifjx|nhbwesms)|u(xyjlylee|raoflhzl|bhenlfis|hlyayhfi|lrtwnqcd|qapxqnyj|nvjclogb)|c(p(xikgdzl|uaewccn)|vntrphbi|qznazwgc|htzcmjzd|wkixuurs)|v(mncjjpjw|dzlamvsf|lokidnzf|pizvdiqz|ssxzgryw|bodyqyrd)|w(yyjmemyr|c(fhfzfoi|nwkppad)|liyibmlh|iafhqmks|voefirie|p(vqbqbua|ywxxign)|syybufid|q(nslanjd|xlmjwkl)|txrwwayk|hpyvgtow)|j(efwcbdce|inqdximc|fptbixjr|ychkvfod|qcxcrewv|tnqngeli|odsjqcbh)|h(vodmxbbj|shakxlvd|mtulkkza|q(qurxbcz|iiiveac|lbjcvxu)|gaxnqspp|byzgkvuj)|l(prjypkey|z(dfoxnxr|kwxzxgo)|mzakglrk|btaxuirj|gypbzdwy|c(yewamxs|gkpufjd)|iendtofx)|o(cxhqmaop|azczqtjf|h(favpsic|ungnbhr)|nuaasggr)|x(nvebbpzz|clqvynul|pgsakbtk|hruxjsvz)|z(twozufwg|mcwxwmae|rjambdjy|qxavjyrc|cevczzyz|dpxrauit|zhjqxcxl|syqucmqi)|t(vsskqjbv|hulntohj|tkcrwlhz|u(jyptfke|czocvcn)|bkqiwffi)|e(buhnsnuo|feucztrq|nbajttzf|rqkxzpuy|matignwm|dddryixk|cwidvzjj)|i(iteagame|bgrxpyqr|wqmlsiay|omvfccci|nhyjoska|fzukxony|zzhqcpfg)|y(ybeuacsz|uoqkpdbv|jigiqbts|mlgtqfrv|pyezqgmv)|f(hpdkuomo|cptgfhul|f(abqmhsa|hmkhosg)|mmwtumez|pcncjvvp|swloqitn|jtmcaxzt|dthsetab|qokjpani|gvkeixup)|a(o(obcspow|zrbazhk)|rgohkhqa|mmioawyn|ipoqfbcq|zhvjolov|sxjlvkfj|juvbycqs|caizriyv|kynwrzqg|w(ylodbvb|kxskakf))|q(pjomqobk|jpifsgyq|dknvzaby|haifashf|gujqifik|kmdnhsta|ryqwjzmo|xneokrac)|m(issehmym|f(jtofhor|rvxbfbc)|vjqersbe|a(xfngllq|wiaokrg))|n(p(lwtqlrl|zxcwiev)|y(kbadszq|caxaxxh)|fjggoohc|s(gmjuuwe|xkotibh)|qjorslhu|iprqpnap|nodejgrb)|p(ueytitks|oembebzc|zzcrxuck)|s(bzqaunpv|oexnnymr|jelhtbqx)|r(noqctges|iynwifca|u(rhgnrom|aykbnut)|tegijjjy|ozwplxrh|gcuphesl)|g(hslvonxe|yvutvtmv|evazdvne|zndsmnmy|kxjulcln|azwnbkfe|ujhqvsxe)|k(xxupzinz|iclpaflt|obdwrkxm)|d(yxujnkqb|japnjbmp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633053; rev:2;)
# sid 2633054 includes 600 (0 - 600) 10 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: "/(n(d(nroawwps|bejqkhtp|gotsvufl|yftcrehb)|a(qbagvudg|pxvtggip|ybgonkih)|rapmezprx|fvfxvopyq|l(zzbwpsnc|hwjjvwyv)|etvmfjaee|b(kjvivknp|qljlpugf)|q(cirayqbg|xcmymyzh)|p(uhublguo|ksxtocxn)|npizllenn|knydksxcy|w(lrjjcusz|mqeukirl)|gfgzrwwrf|vqfsypomx)|g(k(twbioipe|quddxzne|hgpfohfu)|e(oqglfgyl|ixedepbx)|ifmekgtvv|clkcjbolr|wz(qcatnwu|tqmboku)|h(obrtifla|hnojyeoq)|rthyjgtia|lizuwizzp|g(nhjulqfb|xgqeesoh|uezimqiv|bopymodv|mixbvmse)|nunoydyha|owbffhnax|uaivsufvk|tyiqjejvm|jqlytzpgk|afsznchug|mmncfzzzw)|t(k(fpbrqwxk|lhuhyyue|wnlvcvfj)|tfzzblcaa|xz(dyujfpl|tziytsk)|ueugfcjzc|cqsyvtrqo|o(ajabkbez|rhorxfdr|gmkugois)|h(dkdvgcbj|qynfdwbi|fwpxblqt|wxxqokqf)|yzatriduf|z(hosfrbtw|ttetgxrq|ifzwvybd|vbbjvlde)|neojpnphy|i(hmyzwwrq|akhtplee)|d(rhtanqjv|balfndny)|g(nbrkmaxh|fdpzmijx)|jjiztwcou|ljtlnxypo|r(ootsvamx|vjbwmxcs|ugsjrfik)|adlhyuutv)|w(e(pvixvkqg|itttgydd)|h(urfcnwyt|ggxzchwa)|sxvgfrneq|chygrljar|g(gxbzlleb|woslaqct|lkoyxziv)|n(zmgbihkq|bnolsbyu|vtqruymy)|m(usdtkauy|ltdohfpy|wzqigrxw)|x(nxdjycpn|s(ohwcwip|fjfaxmg)|ocsuzfxb)|totpusuhi|jdoevakcy|rincwnmur|frsfiaggj|oimfpeltl|brftnbtsb)|s(j(avozdtlq|yqxpcnrn)|aqxofwayc|b(aroqynqc|euinjmfm)|x(hkhfjvdr|lvnnycwo)|ourwrvayy|rqdppijml|wbiqlgutb|g(qohjvsem|nmcqowrj|acxqoybh)|zeyxppilu|y(pypzixdk|wcrqhoyy)|lhzuxvrwd|k(wntetylj|tamyuxkl)|hajymvcrt|d(rwtofplz|apyscbal)|ftcoyaqih|u(vnqlibde|mptfwjfb)|pviwyigau|ckmswbqvq)|a(a(qzxqrwba|bjravztq)|u(poqyuxaf|cxwwobnx)|hbypktmym|ewutqkhkc|bf(hhibxci|llmpjss)|wejtsrdlj|m(zgaiofth|jhwkosfk)|dpmbckxsf|c(edkwcaup|pbdgaicz)|q(ecvaruas|ksuogfof|qrkqkwlo)|sgcrmndaw|vveqfjynz|nfogynkmb|t(fnqehztw|njfkxqqj)|outkktsja)|m(a(t(lmuftmd|coixdpj)|eafajrrj)|o(nczazlli|ftrbtjjl)|k(vkodchmj|ncvambqb)|ilwfhrfht|hurswxmwj|w(shzuiyye|zdozwwei)|r(itwpmgez|vwlyrsns|ddthbquc)|tfqdkyaha|z(uxmgmnle|pbxlnnjp)|evvzgmldh|ncfycntvp|u(gmxwybbw|msmcqedk)|s(aegwuzxs|ijbxixlv)|lvtfqqtbw|jzwcybany|pmroinhyi)|k(rffyfbjum|k(ohzejblf|dugqttjt)|u(crxhlgwc|euttadhs)|hvoyxookh|v(nskajlqs|oqrcdjhu|fnjuhemx)|q(kftqmplk|e(vptxnet|gjcehid)|yntbheld)|x(imdkobay|orgujdni)|a(trpzeigp|eifusdav|xboistfw)|f(lumjkpto|ctprqtrp)|mg(qicsvqo|hsdkdlc)|drggxdtoo|ekbidjggs)|x(c(alxnstaa|zpzjmbpn)|j(jqzawizh|dbarvqpa)|h(neaeuhgn|piaqulvy|iwjzloyy)|dfnzzabny|b(jkodfeku|ucenmjmn)|rhdlfojly|tyhhnppkb|vnjjeyrho|ebmszlxga|n(exfoqtgw|cecqcwsj)|kszbnyykk|fcycbggaw|gmfuabilg|ywvlrvozq|acuihxrqo)|v(c(vttwtauh|olhdduik)|j(srhahvbn|ktupzhix)|aymoxxwam|f(smakbbsv|mawbddgs)|hamzirkef|d(wlyaqppt|kxnnbwfm)|ucsugfzfp|o(g(bzgqydj|ztdprys)|hiorpdrt)|wyozqsyoa|vquzslhnh|z(kbhybdex|rfijnquq|zkkrtuvo)|ethlzdwyx|k(yfmbsdoy|jqutgava)|svsipgizs|q(hyckhgcx|ilsyvixn)|rjsllzkue|itifxnmvu)|e(golcqhwdz|f(ayprkrex|gmnxtsnd|yuoayady|qeejekrx)|c(sbxpznsc|yswpeaan)|e(wnohaoav|jrhixnhq|buajpggp)|z(aoanbwba|ucjdnziv|ktodtpul|mlnwxglz)|o(ywxcxqfz|vqvhurwo)|p(xcumubps|hhtdzdvk|gyohkwhv)|klvfsibrj|y(ymieimvd|sliiwunl)|d(prdfpvqo|omwwqjju|izjpczpo|lkankacz)|rjeizsekq|qdetmrlfh|vsjrpkzub|spfjcrwmx|thuebpvqu|iyzrslaiu|b(ksuyrufn|wguuieqx))|b(dqfmoodju|h(jqchrxrt|pzypihus|afjqwpjp)|xdwzlpcfd|kkewxauog|pacsnoboa|a(lmpybpkm|aclcjmru)|lvdpxjkel|t(seztupmq|vmulxnxt)|ysvwevgsg|suzmmbdfd|cjsgdfcfp|fbecwzjaa|udsqghull)|h(a(stdquijs|vfilwzog)|rfgyxsgho|wjgikzuog|g(omrcyhwv|egouhfxr)|s(slvxryzz|uddpujsu)|pwkpifogm|j(chirfvlg|nigfsnfo)|z(qqcvulah|nmolixld)|ewnoyfqtp|qntigoipx|iz(ofybypr|tjmmzkh)|uguplbflt|kdvmrewie|fceusmbhc|lrxsliuln|mxvmcqple)|z(uxgybckfy|xamjgndls|q(siruzuzi|vfthxcsy)|i(jhvxpewq|kaaylsdz|n(tzwdkhx|rhjoqmq))|l(fgkbpheg|nfoqxpbc|qznpocsb|iprfdqqr)|nlsfbcuvi|fjkjutxpx|azumyvbwn|zjjegewvq|cvvcwndct|pcisnwkck|yovllkwdt|vrwjspklv|egqbmnrwv)|y(uh(pdrmrwi|xhicpcr)|tempvqkql|jmknxdahf|v(cofryshj|jfiekfrq|urcqroid)|drznbrfiy|rchjosqyj|ojugkqrds|q(tybkqcoi|ivymueqo|ubmtgdje)|yesrryasr|nwordwqgq|iqwstlwgv|luvdahamp|kunclifes|hlgrmmkwc|xsepqiarq|fgedelbce)|r(i(apkwopzo|ogkxbcml)|h(chshrdym|yauhwlfb)|t(qsqoadcr|kfvfzpjy)|rlwmjmhpq|ularmznqo|ogpkhwkqv|b(mbjzuxts|fqaibpaa)|nmissbhwc|arntbxkyw|z(wpwmcosv|kbwbuymm)|w(gwegpwtf|jsdgcbqy)|f(yardorxn|dnznfhhv)|q(mcalrspj|txnkfcmu)|vultcjbuo|pjqkondeo)|o(xhkqqvcvx|z(kqrjdjzn|hkzbatqp)|ukdihcspm|cqlkxtppf|g(fgrlsggb|intaedhf|jnamdtrv)|ibnagjjiv|m(zbjxxmwe|bjqnqllg)|bglsoylpo|q(gvchifnq|rwlxghno|fvuygwoc)|lipbbujbc|dgenzywtq|wbcjlrdpw|ywbbxbbyj|twphryybs|jubuigquq)|l(dgmalteso|vzcgzbnxp|o(njvonzst|tzockrnp)|m(hadawvtf|sitvcjjl)|u(kufcsgrn|hipcship)|rhokwecvl|nruvhadkq|epvhwjndb|zmpnopbkg|kuojguvux|qtjxcgpwf|ldmidiati)|p(g(bcruuxzq|fwcxwvvk)|ihbjdoszh|q(keiqexsg|fqkczbpi|nzeiskzl)|w(stbsnwoa|dlusmjfx)|arpvwkwpb|y(xrsxijst|mxjfkere)|z(cugsfadj|hsawdiwj)|dtgupiqlu|uimofzpcl|fnpnkqaio|oyhkrsase)|u(yjvjgdgla|j(fcjdmndo|ctuaqgxx|ywvnmcqr)|nodckakuh|oexmbapey|l(vpjjkvcu|uypwyhak)|zyyqpoips|u(owweqohk|uliojoci)|p(qizfmgtz|wvyvvptc)|t(zvylridh|enosxcqj)|inlhmrdre|kxrpegeng|e(k(tryxhli|qqywgpg)|elnmvdnk|jmkrhyvb|llqddtkh)|rlexijadf|c(fppgsiwr|jhqxipmk)|bzlifughs|mwidhimle|gcazpuzso|qqeomxahx)|f(vejmyemjj|e(jxnmunaa|ilkizckh)|a(kocdyfen|znuuvlhh|gbkfkxiz)|y(kxyrrvuh|zhxpmjio)|pkabmcdsp|fhhqkwsqe|nzpkxedmj|c(ipgyssho|gvycwopm)|k(kqjkymua|cueheamu)|spdhwmuek|x(kgwkmnys|arxdmwwo)|z(omrjokto|ekcsynhc)|lcibhpsob|oinpdinxz|qanjlihjc|iyasjeuur)|d(s(tazzrdli|zhhazxre)|ubxvdrbns|twlbxaqmy|admghpiok|rltulvton|cytublmhp|eyrjucsel|k(cfuwenyb|xdwtutub)|quuyksfgu|lxtgqyuhh|j(mixttmer|wzdtxlkb)|vklktjjda|iycyvkikv)|c(f(luavyetq|gljwjrdj)|xcfgyvsip|n(lvngpmjc|uozyhdet|rwigizzq|diykvcky)|livlrrqbr|swpbkjqwi|tsritmolo|b(porxsusb|boxgdztm|ghrznalh)|vaptcfaud|u(fdhpsrbc|iznccpth)|mnhnpcwbg|c(ybgeeepp|kefhvhig)|ozymcqvfq|zwehodzde|diehhkvmh|aqrbtqokp|jdzgbkujx)|q(ksydaqogz|s(jxtvsnux|ddzzdydh|krjxdtve)|q(paqlaeap|tptyocny)|bh(rmwbdyw|yplmzmd)|u(lqnctxnv|jpklaakv)|g(wupfihmz|gyvkesxa)|lunnyyfhj|iyzeprglu|hvljneqzb|dnzimpbye|ovsujgfck|tezrgupxq|p(tahdmlqh|xpnknddh)|zfhmckwcq|efeblddml|rgmntlgmz)|i(bgeybyxqx|u(eglgvokz|fdnyacyt)|jolhnnavq|zuyddfdzk|vawqyfgwa|s(vitztrwk|uxjhfuun)|dlhddjwcw|mokdozqar|k(rdcqsbsq|gxdeirsr)|n(jrdydrcw|ibkecypq)|ofcwzgwdr|gtuiwfcfd|xjtlrzybc|pryoxbtls)|j(pnoylbdzh|z(onxystab|easnulms)|tywyvdevh|bulcovzmg|dncnuhujg|omfwonzwk|lezwietip|hkqxxznec|m(ylhfytxa|ajprtdzi|gdtxussc)|xtmwtvwvr|v(dmrwqxwe|pgotdjdp)|y(yvvqxfnz|fgicbzdf)|wweeamjgw|jlpwmoxmy|swkwhmwgj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633054; rev:2;)
# sid 2633055 includes 838 (601 - 1200) 10 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: "/(z(l(qznpocsb|iprfdqqr|plfbredw)|azumyvbwn|in(tzwdkhx|rhjoqmq)|z(jjegewvq|iqzceosb)|cvvcwndct|p(cisnwkck|zkwgbpko)|y(ovllkwdt|iimvaajl)|v(rwjspklv|xiohgelf)|e(gqbmnrwv|uhoczfun|osncjdgz)|k(ccwgidhp|tjcrtxyu)|x(wkvhzrkr|nlibzrel|ttrrjney)|qmmuqqedo|ruispjijf|flvcjpzki|b(zrpslnqi|uqjopcqn)|dmbenveex)|k(q(yntbheld|egjcehid|qqexlwge|ctexogkt)|f(lumjkpto|ctprqtrp)|a(eifusdav|xboistfw)|vfnjuhemx|k(dugqttjt|hrenmpts)|mg(qicsvqo|hsdkdlc)|d(rggxdtoo|ebolrjqr)|e(kbidjggs|tylwntnx)|tdxvydtll|b(yjxrfzjj|izbpknme|rfzrswow)|pidviistg|j(hyjocuwc|fdlsemoi)|n(sikxywfe|liqaeeob)|hlvzelnrw|iflhlazeu|wwxuzvxha|c(cuibfvbc|luldebmv)|ltopobxpl|yedwrpdcs|xxnxfntzj)|y(vurcqroid|luvdahamp|q(ivymueqo|ubmtgdje|ezovvdry)|kunclifes|hlgrmmkwc|xsepqiarq|f(gedelbce|mqnfacoi)|w(yifnvgxk|fdfktcjb|ltfgcvqe)|awsyielup|b(dchahqzg|smalmfgu|fmvnnfzc)|dknbsnwfr|sxhgvvupq|n(jfioogep|qmpkrmae)|gclvcvciu|z(iiekezhu|kkggmpcg|dihxgaup)|uixsfzfnv|yhsvseygk|iqgxvlwzj|tettdfrwy|msbkvmvfa)|c(n(rwigizzq|diykvcky|puqgjffj)|o(zymcqvfq|mczmnnfa)|b(g(hrznalh|jnprbpj)|unfetqdz)|zwehodzde|c(kefhvhig|qomqdmxf)|diehhkvmh|aqrbtqokp|jdzgbkujx|escaxhdhj|sekvnlzsi|v(slhvaycx|bdibdwod)|tp(ihelprv|embmeoj)|uqwkpkhsz|lrkpmoqyy|kxrqzjxxv|xfzckfcjt|hlgmuctwd|rriyywngx|wkscypway)|p(q(fqkczbpi|nzeiskzl|hhhkwxhx|kypdwcmq|zdxhihuf)|y(m(xjfkere|qxpzcjv|froodnn)|jheyunbw)|zhsawdiwj|dtgupiqlu|u(imofzpcl|vrduzqas)|w(dlusmjfx|nkjrrngd)|f(npnkqaio|carjlfjs)|oyhkrsase|sqsdhmmdm|exuofkuii|agzzibzuf|j(zkpbegsq|tfmrcwlg|fbqjbbnn|mtpbgvae)|lgsnntbmm|b(wlxxkqma|bawwedtf)|r(xkdfhuko|ccupzpci)|iqrtzcyjg|kzbhbedgu|ttlqmhnxx)|m(nc(fycntvp|vkvhdrj)|u(gmxwybbw|msmcqedk)|s(aegwuzxs|ijbxixlv)|r(ddthbquc|ioyxrszu)|l(vtfqqtbw|wristryr)|zpbxlnnjp|j(z(wcybany|kpudmhe)|hzokbbvk|dhijxohw)|p(mroinhyi|youtvhks)|o(aynzclnl|wbylkkxn)|grartvrek|e(crigvwud|lijwyews|bsguriar)|ivhfdcjjb|xdqeakfez|cleuqxdme|mjofewfbz|desjtanrt|vhpuxpysg|anyrxkhye|qgqmwvlno|htlzwikar)|t(l(jtlnxypo|avxnsjxo)|gfdpzmijx|dbalfndny|z(vbbjvlde|lcqohasl)|o(rhorxfdr|gmkugois|uugwyojq)|iakhtplee|r(ootsvamx|vjbwmxcs|ugsjrfik|pigvhxvr)|a(dlhyuutv|wddgbpsj|x(wmpvawf|vclhhjh))|nltqroztp|k(awacfhfa|pdtggnvs)|tfqcrbkam|e(gltbylye|hexlfpeb|tkdefbkl)|f(toqsddyk|bavllqfp)|p(xqyvivjp|rupawkjg)|h(mafkklzk|cfffqtgf|dcwdksjm)|j(dsknxmmf|gnlpyzjv)|ulpmxrvpx)|w(g(woslaqct|lkoyxziv|uggxqnvt|rvumiyar)|rincwnmur|f(rsfiaggj|dztxtjut|tudxqorv|ypmyhrsz)|o(imfpeltl|zxartkmk)|mwzqigrxw|b(rftnbtsb|zaggxsur)|y(vgnrosuv|ezeufpxi)|d(qfchpyit|ecxkbffu)|aumjyczso|ncvuugldr|isahkbnik|xuzootlzo|q(vterczld|msrdtdwq)|chyouszdk|equvmjzmk|tkbtzzcqu|zdszubnrr|vxbjdzsae|snrhhrnjo|hjibgwbbz)|s(d(rwtofplz|apyscbal|ongsheji)|ftcoyaqih|u(vnqlibde|mptfwjfb|sfnqngqm)|pviwyigau|c(kmswbqvq|gszhqaqm)|gacxqoybh|ktamyuxkl|h(h(qkwhuug|egkcjzc)|tpspfenw)|r(xppbjmjz|dbuaybnr)|trzjmluwk|bxqqowmfb|m(denaheev|ivamaxhj)|v(vbywtbcj|upzvwaur|tokejjfa)|owqladqqg|nkmvhgijt|saewncsme|jruybhunc|wxkfsilcc|ilndwqxbl|lnkpskmkc)|f(agbkfkxiz|l(cibhpsob|tibprlwr)|x(arxdmwwo|ouplbzth)|o(inpdinxz|bfmwythf|tngepjla|qgqonybb)|z(ekcsynhc|mnmyqmnh)|eilkizckh|q(anjlihjc|jhewlssm|zuibjurn)|k(cueheamu|ofxpqgzx|xqcumcmv)|i(yasjeuur|zbvpuibj|gammewmr)|h(iwbxfrwt|jfexovxb)|fcwvlgamx|vvyzdvpae|c(shzxqabv|twpspwol)|gavacegzq|u(yagcpybf|fphmxxol))|e(zmlnwxglz|iy(zrslaiu|lvcrcjr)|dlkankacz|f(qeejekrx|jyojsuqe)|ysliiwunl|p(hhtdzdvk|gyohkwhv)|b(ksuyrufn|wguuieqx)|ebuajpggp|cyswpeaan|urycjkdpx|hwhtsykda|o(hbuqktzr|qdnxpooz)|thxighuuk|v(hwipqkzh|agpqxwum)|shsjmvlri|gjpkvpyxs|npxcsvlmw|lhqefkwfq|qybrcorkw|mkgvbderb|arcwmmwkz|wcygdsezo)|q(q(tptyocny|xsvevkvo)|u(jpklaakv|qnkxqgrb)|p(xpnknddh|cvaxnivj)|s(krjxdtve|fmxjhejc)|b(hyplmzmd|mkkppapa)|e(feblddml|pexogvtn)|r(gmntlgmz|pzhhcyxu)|zczqqugnx|v(umxqdaob|nukwlogn)|noonedtxq|ymlcqbjbf|kphoaiont|w(ynukmkts|hpcmsemr)|ozrbydfxs|xvzzgezhr|lfsewlwyc|c(mtzjgoqc|isaxyivw|abkqdojg|fezmipxy)|huuaxmcmm|d(xealelcp|jcudzvmo))|h(iz(ofybypr|tjmmzkh)|gegouhfxr|uguplbflt|kdvmrewie|f(ceusmbhc|onifjczi)|lrxsliuln|m(xvmcqple|rnkiyaaq)|a(vfilwzog|oatqbljr)|j(nigfsnfo|eppxcdme|atquzmkd)|znmolixld|w(syatsmhb|vproxyag|pjuadbop|ufqnynzh)|s(nldcuuvk|fvhllewz)|p(ddkslmlz|atrncgxa|ligecimo)|bqrplxyyg|oazjnbnjh|e(dadqfnby|sdgafnas)|ytpafscog|d(btlbgvly|hscwxcpc)|htaumdkii|tbxwgaudn)|r(zkbwbuymm|q(mcalrspj|txnkfcmu|nvvogvuu|wnnxwqyu)|iogkxbcml|v(ultcjbuo|fykydvwi)|p(jqkondeo|bnpfhzol)|c(byhvcrwa|twlaiddu)|e(ndczulqd|pgkswgwz)|f(ocacwtub|vlseayjo|kqpftvfq)|xtbhkdsqm|ghlpzfapg|uzquuqquj|l(bydmbnrk|lglrclbz)|mvbvdzwzd|dtiekxtfy|hsiuuugsw|tmusbqljg)|n(q(cirayqbg|xcmymyzh|grzxnnmw)|p(uhublguo|ksxtocxn|ieatwxhv)|n(pizllenn|hupjsjia|grcwsqco|txxyanqa)|k(nydksxcy|qkjcmftw|otzporau)|w(lrjjcusz|mqeukirl|abbkkquq)|g(fgzrwwrf|yeycbccd|xjrzdopi)|bqljlpugf|d(gotsvufl|yftcrehb|fpdnnwgv|hfkytzmm)|v(qfsypomx|vianixmt)|apchuihad|y(mizbowgr|ymqhwkzn)|o(bzwuajtc|yreubcrz)|j(poiqdyja|etcmfauy|vjyoelfh)|h(kyuwxsev|cqhcsuki)|f(gvgiwpff|iivsggiv)|csmcfkfjt|safuoxxmn|zg(kytquay|hgngvrf)|i(bfscsrke|i(gdvkwmo|ckhxdsi|osjxtly))|l(elhvfblq|htbqidom))|v(k(yfmbsdoy|jqutgava|gqcwcqzc|pbufdjre)|z(rfijnquq|zkkrtuvo|lcgpeajx|djrhxwyb)|svsipgizs|o(gztdprys|hiorpdrt|rmbmrssp)|q(hyckhgcx|ilsyvixn|jwuuhdrd)|r(jsllzkue|addozbcp)|fmawbddgs|j(ktupzhix|wxvakveg)|i(tifxnmvu|c(icqontn|ludfumh))|lvaaiqqot|djejvsqhv|mububvsse|eafixdzbf|uclenslfs|nyufzrkwm|vwqqbvotv|bzcimzkqf)|u(e(llqddtkh|kqqywgpg|clwhowse)|cjhqxipmk|u(uliojoci|yhepxtot|ehtcaomo)|b(zlifughs|oqvwjfpc)|mwidhimle|g(cazpuzso|yhpbprwr|epnovyzo)|qqeomxahx|o(zwpoerjo|bvvbkcah|egidwefx)|hmwkrfyzz|n(xgyfrrmn|gjyhsqvi)|i(bcqbnews|ipllxlzw)|rdxcorsqk|a(ecwtzbcy|ngikajjz)|vssvaspvn|s(aunvyeoj|fhaqldli)|xfnfyemti|zpouyhkwi|jhpakqias|llpgjfaii)|a(s(gcrmndaw|fgqveppb)|mjhwkosfk|vveqfjynz|b(fllmpjss|pwqqxsss|zrvflttk)|nfogynkmb|t(fnqehztw|njfkxqqj|ydbsoawh)|q(qrkqkwlo|jgiwfuml)|a(bjravztq|ixgxnspi)|o(utkktsja|qmytmbry)|c(pbdgaicz|jcqofpqp)|h(ztijwruq|tyhnuhjq|sudvdedr)|f(byzourjn|ujrkghzd)|p(gktnsigd|mmorbdtq)|rpeikgycg|u(mcbeurau|rkkhjeah)|eavjcmopd|y(ebudaqjy|jsirhwdk)|jtlfyujra|zzrfgfcpq|l(rmfmgpux|jmpkliny)|kgihdqvny|dicgsaxkq|iubjpylib)|j(m(ajprtdzi|gdtxussc|qjlhhzno|dunrhyqe)|v(dmrwqxwe|pgotdjdp|cdllyizn)|y(yvvqxfnz|fgicbzdf|mcguvgjh)|w(weeamjgw|nokqhovy|pjlgupmr|xzpccuzs|hxjhqaxo)|zeasnulms|jlpwmoxmy|s(wkwhmwgj|ypnhvuro)|atfhznxle|nkccebfkr|g(xifbhjsv|lqlturgl|nzenrgdy)|p(uzgevcts|veivgaql|bvvwfpis)|qrrqajvfu|b(nzcjnauq|msybaary|wzvofooa)|t(glaminza|vsfdodjk)|kzlcfjyce|ekgayffde|ondpalfcv|hzyjrtcfc|dynaxdiyv)|i(n(jrdydrcw|ibkecypq|grbwtyiw|fowuxrne)|ofcwzgwdr|g(tuiwfcfd|atihupxy)|xjtlrzybc|k(gxdeirsr|jprdjiiy|obvitdyk|rvzurwpr)|pryoxbtls|l(ytexaxat|oumbkpgo|aczzwfdo)|v(gpwuilcw|zcjafycu)|qiplpzkvt|s(o(ooutzma|bfkpabo)|hzkivdfw)|e(oasumscw|pwkiefga)|fclgznjim|czaclbsee|rqbsvyzmu|izvhphsry|dnzlfdmzi)|g(uaivsufvk|g(bopymodv|mixbvmse)|e(ixedepbx|vioctnby)|w(ztqmboku|xmzhklfd)|t(yiqjejvm|kkcijsfg)|j(qlytzpgk|byythvyh)|khgpfohfu|hhnojyeoq|a(fsznchug|vhlspmwf)|m(mncfzzzw|dmezsuea)|o(xaxupobm|iundgebr)|x(yjwrjgmd|msefrsre|kcotdloc)|qvayelhdy|v(fdjhkqns|gxhqublv)|ywortceqc|c(pssdkymy|osuflrzj)|fzglrdilg|lywcosect)|l(u(hipcship|yjvnrqtm|zfnewkuc)|kuojguvux|q(tjxcgpwf|yqjpkxah)|ldmidiati|o(tzockrnp|fdncmopc)|v(epkxhkft|uibapfnw)|b(jcgzvvth|muqhydci)|nnmgroekt|rbqtbprbf|e(qnuwdhxp|oiwurhlr|smlnucym|ylsjdwxu)|d(ydevnals|lllczroy|gvgnzyzw)|cpkelszmx|f(irfvypnp|rcxecvjk)|slboxexyt|ggjysvwfd|y(ampsdcdz|rzvedfdz)|plorgrsxa)|d(lxtgqyuhh|j(mixttmer|wzdtxlkb|bynynifm)|v(klktjjda|owojsqdo)|iycyvkikv|z(yiyyiuxt|hxuosrzi)|w(nqiyxsua|caktvbws)|e(ogxwwjev|urqpwqmg|rogqjpvk)|rpwgettih|c(qtefnslr|zvfxxldl|fyfrqkui)|t(sfbvptab|hpubwapg)|pjvgkgffa|u(crofolga|ahfnigjk)|ftnpeqzit|bhwhftlls|q(sjfraiqj|xuihmgcs)|o(pyavzufa|rncxpxld)|nciwdsfkg)|b(t(seztupmq|vmulxnxt|iqdypaaf)|hafjqwpjp|ys(vwevgsg|ubspfbw)|s(uzmmbdfd|ywfygcfa|beidwzii)|c(j(sgdfcfp|bqtttvo)|fnygbmjb)|f(becwzjaa|lrnnculh)|u(dsqghull|muuynytf)|aaclcjmru|zxqgznsqq|e(zsjyyrrl|ewqfnlob)|k(uekidovq|yfoajrlv|ihoagurs|sprreaaf|buvjafov|koyajxoy)|i(nclhjbjf|mgqexlun)|gjuxjahdx|xwioyohnt|rrqmryyik|dexdcxsrd|pryahccyj|v(litqegur|xcxtqqvh)|qfldsrmcg|wfzuiyeot|ntfsojbee)|x(h(piaqulvy|iwjzloyy|kdqcttdp)|b(ucenmjmn|pbwtvzws)|f(cycbggaw|xsqbbpbn)|gmfuabilg|n(cecqcwsj|lfajruyi|jodhrpkg)|y(wvlrvozq|bzohhxll)|a(c(uihxrqo|ihxzqad)|fszzckoi)|vyfnwgjkq|p(jjthpwzo|khteyflu|gvysyxnj)|o(quouizdg|bapuipai)|jedaiwofp|m(nwwepfzu|vgwbvwlo)|c(kecjdtgv|wbmxiqfz|pmjtlylz)|tr(xfikjsd|cwiuwbz)|ukmudyios|esapylmqy)|o(z(hkzbatqp|gvdvuqrt)|w(bcjlrdpw|ugimecra)|gjnamdtrv|y(wbbxbbyj|rv(cqplwm|efjrha))|twphryybs|j(ubuigquq|tpcvseim)|q(rwlxghno|fvuygwoc|qkmobkim)|r(eeqjrxyk|pnxvzwup|ngxpbmkh|yynbrfii)|nzxbkqbqd|o(yanbrher|joogcvsw)|uxcjfnxru|crzqgaozb|b(ccaiusly|gzicrhxy)|smzatrdir|l(xzdnkalg|aybduynm)|mipiujmgg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633055; rev:2;)
# sid 2633056 includes 238 (1201 - 1439) 10 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.cn)"; content:"|0a|";content:"|02|cn|00|";nocase;within: 13;pcre: "/(q(o(xilwidkt|mpfojfqv)|a(dzdwiikt|chwztwtq)|xrnjpyctb|fdffwqlyl|khpfjdzxb|yxmhgydwb|zegvkchqx|dviqmwzbf|ekuloewhs)|p(xweqttmpa|kyksrqbjg|lhwstejxy)|j(e(ewfkcpqr|rstlngca)|degxsuqen|oaeeucttx|jwnwottaj|r(nndnldjr|mqwbwtnd)|vnaqbujfy|qanwhdoqx|nhvvopecl)|f(btkrpuopa|ehqrqzisr|pzwkikuyq|i(smapmlbb|mcdlvsgz)|l(dceajdha|pdktjznt)|hmbjbxhvj|fqutfmjxs)|w(v(wmjsktah|ujaqllms)|a(sewamcfy|enwnlvtd)|ndueqasie|ynsxnbnlz|m(dgkolglc|ysfpbwoy)|cqkydtksv|d(nlimjtul|aqqawwoo))|k(fxermsojo|bbebzjkel|qlzfodpxt|jnosjhdsm|idfozvtrx|hhjfwngzi|axpeerzeh|ghryemxac|zmyjmdohe)|u(gbtevucdc|pozuhfwcb|o(yqgopkdv|arwcrgxm|kbljwfft)|ncfnmgioz|ygwtkdmxp)|n(y(jmbupjjd|loixqnwx)|gukkkjnxd|t(obrxfwrk|cxnmrsdo)|uhfpcccvd|vyoufvuei|etaikdcuk|zknipdvsq|fmkbbseqs|itgzsndpx|lixtwnykq)|e(ia(nkksajq|jybafmv)|knspdfcgr|szcvzjvio|dkuoxotwi|tojxbzedh|cphustwni|pvpgdowwb|ayhrrrdrx|yjcazelds|qfjmesotj)|l(dkxoxdlyt|onkwxxmjx|ckealimhu|h(rlbfedty|yvjmjqes)|bnisdrxlr|eijbwnhhx|xjnlwgfbj)|h(x(zutdahif|klcdhonf)|f(bpbcabyg|akukzdbp)|z(zqxwxmjx|tuauqxzu)|ukvixeopc|covijlrob|l(kdjxjrdx|ebmawfvb|ycfmvdaa)|i(epuaqslt|ojmkeqew)|asvkbnemh|pcevroiam|tgqkpzpnm|rmngcwipx|qbbqnzbyx)|b(anazwyssb|e(aytpzmpv|jqflmebb)|shvujjzfs|rrauqmmop|veicyzjkk|lfsgyblos)|t(akpanbpzg|n(bbktnqxb|hxicwuws)|xbfjpomme|rajbntwgk|hbqtizoaq|kafooxvch|svqovwyex|jmwebxexi|g(gzxrgzye|fjazesal)|ujxbfvexs|mvtwlmqtn|qbkcusegb|wdxsbpjty|vsmcnwvsa)|g(lzwlcqsqt|tqzixflrp|bjvydstgy|qhjdzjtbf|fgtfnopeq|gxecxaanh)|s(pxhipsexd|vdidyytap|bwgpvvuqf|c(jmbkqguq|ahghjcie)|lrmafayab|hqlapxodq|kcjqcvknr|nqfarqyhx|zwqujzicj|xwkhiowtz)|x(fdybrxezg|y(jnuryykl|vhtxuwjw)|mvowigylg|hnyjnrwit|ajkpyjbhq|rkhkxvbqd)|i(bjskkdusk|cayxjovcx|jnryfxwmy|omgkdvwdz|fncrqbmgo|yqcalwjmn|uboyjnhbs|gwqflzoik|qlcdgeyms|iswyepfxb)|d(n(ickdikky|htptjslj)|b(xavkvjdr|dspgjuty)|r(abquelil|xruqytxc|kjygatdi)|dihhejwsu|xhlhlalxw|mrzinhbwz|hvwfzcbwr|ahhunwxoi|fmbrymuph)|v(lmjnqufkp|ainsvjpev|yvikfewne|cahukiksi|nunevczre|mrqviqfpg|fbmeweaog|eryikkqyr|iwxzgfwfr|uonjctgse)|y(pj(zbrkkvo|jhccffe)|hvyedbwvm|ywxvwexbr|aoehfyowm|b(ktnyjxhi|bjccgtra))|o(iqbetdhpu|wzebiglok|qoarduhfq|y(hekokvjv|lnjcpetj)|dzdfwosei|rzojvbaxx)|m(vhygzpyzz|enrutyxug|idrqymawk|hoajalazz|fdacmazcq|jzgczjndq|xxrhawyut)|r(onfkvbtxs|idxnwnyqy|azytilmab|rxrqjhohh|zrwbigrby)|z(huwfxqovs|leqcmckeg|qwhfyosql|zwdwcdwjx|mtmsfusxt|vjvobgyho|jmgrqgylu)|c(ochwgvetn|uwytetllp|wuoylfjlq|dizrciuyc|xfmcyyhxk|iqjqywnhu)|a(v(hayxbwab|sylrdrcm)|rgelsfxfr|gazgqrqtj|e(nparrfvb|amrhitkj)|fehbqphnb|yyfsniacr|mykypxdfw|hfcincakk))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633056; rev:2;)
# sid 2633057 includes 600 (0 - 600) 11 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: "/(x(teqxdqchft|mpnfatcdik|r(owkknawxm|wadqdxcmh)|odsdxheshc|s(qmeqhmwgg|hvtqskhlr|v(kkvilahv|rsiipyow)|ynfthixad)|jehfbjjfkx|w(mqkwxpbji|husrhizah|akknpagex)|qklpjrkyhr|vxmhsammlf|pfcivjugun|c(oqpijeyzt|bbmkbfttp|gkuvtpjee)|fuzwxumlfl|iypzmhxmzq|xnfmuivoer|zzolnnpxck|kiledreoav)|a(jgwegcpxer|r(ljvgmfjpg|nuuprevnh|efzmgubyu|fdrhflxlk|bzqjsedjz)|p(mqdgbaczk|cnwzezker)|ewzdenozpa|z(bhsjvdrea|srnehwjlf|fdibumcmg)|x(eoskpcwti|skxmsjava)|cbhcbkrdmp|uqqqmmoako|h(osnkaepgm|xaufdiuhb)|igxonfegtn|lgdzfhbbha|a(gckwdylfr|dkuhkpsym)|tkcdpujgnv|m(zuazbkiix|kxqsfqnax)|yuhoymkipd|fwifgzlxbh|deihvyjyme)|k(smnawmylfm|puxelzixhf|aefecvscoh|nkavrgyict|rejoafpqex|f(hkvbyogea|lyggsxrej)|b(cmxwrcxwx|jedftxmpr)|q(i(yoqpsnls|xatuuvmx)|nyihwkflv)|e(tswfdowyw|ibyvprwem|fwglfmwyz|pynmvjbqq)|g(hxrmsagsw|pyhblfxyi)|dmhipbftoj|wseqmfnync|ivtjwmxtod|z(qujalmroh|hjvyyxxtq)|khkqkbiulf|u(pgixrjnur|mhrawervz)|v(xqioqbtlt|tzibwwota)|j(lymgklhsd|qqcorsdbk)|ysqdfppopb)|j(vijomaeics|q(ikvpjypda|yfqefehiy|azibtgffm)|yvsglqcuon|g(aalkipqbg|vdxlwampp)|odqdpgtjko|bjiqzwdfrf|sqpxfqfeck|ubmkxhyljr|mjxrlikokc|l(ygnzjgqju|glwpslekk)|zxkxuktnjq|witbjjfkgp|fkdjonaapa|ttmbrebjjg|djicvgvqkj|auvzhqvhrt|xhtmlxzzpf|coctedrbfc)|m(rsinvojznj|xkrwbyzsax|u(qoifwncsd|yonrfhbno)|n(jxldjwvzz|uoffxppqh)|vusjwyuqvb|h(oxeumwapc|udccvsvzn|slottorom)|l(nlcnjomyx|pfqqksvyj|zcqbunhps)|cojhqoyepm|folssaegug|pndicdrkkw|wjqhkcfuth|kjavgmxfum|arqqzkdmry|qcsxkgzcey|zojbxwnwcp|gmcepwdbvw)|v(l(bmfokvnne|phwqjmqdb|rqxqmyxgy)|wqeqgnedxn|xvqdyidgjg|dqqnilrien|sxsyxaicjl|othkifvhyy|heumezdran|b(ecchyjqnl|weqlaxipw)|jlmtptnpcw|q(iykqefpcn|hgfahreas)|k(bvamrfafc|ddyrcchpm)|u(eyrwctmzh|nclqeewni|mbcpommpq)|p(czdekreiw|trronjqlr)|ehlidlesti|meqgjjpjaq|ahvjznzwaa|rrwxtzxbny)|f(j(ymrjejshu|ukbwifcxm)|w(ttiwouxjx|wtpkjlshf)|saaebxvgfu|b(nimxodunc|upaakqnpz)|m(mtswbfgtq|tjypyshem)|h(okodjunok|docqhcivq|hhfvhmvdk)|nbbdwsifvi|aineadnehy|o(cfccapwvm|tuejbczjj)|ipjjzsvwfm|c(yejkyhtkf|pbqmpfoyq)|k(eqemstlpz|dzktagrle)|zzujnmwfkz|pxefnegllp)|e(q(jekjexswb|mddqmbqvi)|d(iqsnbtdda|rbdgvwzmi)|y(fvnwosrfk|zdemrnnlw)|kldfkakeil|m(qxtydqmxz|aiwrloblx)|gijfriosjl|f(yknjrmege|bxqpggxal)|jwifpvtwbh|o(buwljogfn|siugtyrqp)|p(ywdzlptlv|ggrmcqeff)|xgtazkjyom|c(gcuheimza|jriozwjvp)|t(uazqopozd|eftqycdnd|cuknucipo)|lpwgicrqtk|acebkaoufu|sxqmoqqyoj|r(iskowxlub|ryofjjbcm|vypjryiwj))|u(s(vjholhsrb|oqghuemmw)|c(ggpuabyiq|xzrnsqhgh|mbkggzmzq)|lzrschnqto|dtnamqhlap|b(qtjpuyzei|shdelbuop)|fgbuipculz|r(bvwdapuzo|tluibivgx)|q(nbfxpajbq|jknyfvafk)|acvlxynpgo|vkexyhluwq)|y(j(lrmqngtmt|hhdcztbdz|qhndbabzj)|wwpqskfnki|s(vjjfqkgky|gipextveg)|ou(leuphhnm|yhlcyxyb)|cveexszqza|k(nmlritdzw|fbyehaoaj)|n(yepxjkyap|ohpoxuopj)|ixqdpohrry|d(vpoqaieka|bospxhplw)|ynmxqxkgae|mgltxfeztx|blfhvwdkds|p(rzcvmfttq|wylhnjcjg|ttmhfqzxh)|vcjpljwttc|g(dfqfvzmyt|yvorqdnqq|pdfytcqlz)|zwdziwnuvo)|w(ccqtvokssf|l(jsjzgqnmk|xjtkxrbyk)|v(jrdtatmsf|oslxnajyd)|dc(dyuuviqm|egogbqvj)|a(mufrygmgx|pbyseplma|fcfgobxpq)|jhmruulalt|y(svdvrydsv|ikkwrqsxm)|fgtfpcgire|q(ekxsyseds|htmrjoooc)|osbuwyvvom|hnwozvnjjy|pzvgpccvxf|nbklholjay|tjhhfplbqf)|g(r(tgvesivfl|mfqtuoggg)|dargacimhw|istglwqxhs|pwatyivrrd|ketkvjzaep|ojvqpqauww|ayvdpcospp|uphfkpwrwy|ckajdzgrxo|bhleuugwbn|lgljselqkz|zgoltqemuh|xcdthhrpqa)|h(pvltnfdoru|gprjzlzbsl|z(fhnvzgtak|qyexhstlh)|lpkoltoxjk|slfydmyjgu|a(eenhloipf|lvsrmrqlp)|wr(uxuyrubv|fvvwatou)|x(qowojxhai|uweouydzl)|kmdkcdznpk|ojrnkaivtf|hzyosmtrns|yqhmvzjtei|nszvqbeemx)|n(p(qkzslmxrx|vnvmbcfzq)|f(fwypyfkqf|yyutshzjk)|jhrxvvkjhl|e(tl(fzxubpl|casxrdh)|ltlsczwbr)|t(dioqlienk|ovqswdqpx)|sjzcdmzklh|ymbcgxnbwm|x(byhghjxfp|y(sqycpqgb|junibubj))|dewdlahbqp|wwklubrjtl|mfdilooytf|nknojqwifw|gagvhudmle)|b(abgvxvpkzg|z(kuiczilsh|cuodwvuhg)|y(mjnejvqsv|dybgwqvvz)|kzsafhfrhe|j(cwkttwbaw|kiwtnlrda)|d(iuxyblxvk|kczcfgfww|qdnndwmym)|lhxwuwixyi|f(eblhtqsap|zkykqchvi)|egpxsjwqpd|r(imhdwziku|waxgiilgw)|tsdgypnssa|ckvaqzigpp|uhulovalqe|swinofmjhv|mrcaxrzsyu)|p(lssorfqpny|i(vydnwzrgh|jmshvvzmk)|m(htwiqmfms|lafxfgduq|pcbihsifi)|u(t(awqixoyt|tydrkivt)|kcihkhzbk|btsrcmaig)|sgltsgwlga|rldpibypsl|xvkrojyflk|n(k(udvtrsae|ioypwjcw)|hqwucvmoh)|kalzeemeue|h(xedtboypx|oupgodchv)|d(blaajwhop|ahoesdgnv)|y(kcmogbthw|dbrxfmqsf)|gfqpqjjgtr|j(qnfxavryc|yxwixtrqc)|wyyyrbcuqh|oavzqasiil|cijqvpyrff|erbdcubkkv|bvjzarlpox)|r(zuxfkmmzro|irhavsjrcy|l(bcpayrhlc|dckypicxd)|dwddpmopyi|r(nuunromgf|aliyhdksl)|gilejdbznc|n(eshaghehv|fzxtqonek|cdcqcbngp)|y(yjmmcflug|hgptlfdlu)|p(m(ehfbiigu|hhhzfoab)|a(ufvlrggy|autqvkux))|hvyowkmysz|w(izwuilbsa|zihohdmrm)|mzrimrcqua|qfssaoditj|xccxskrbga|tusfqbqsnn)|t(a(xonkdkaei|jaepmbnzf)|hhwwzektti|daapwalobl|v(zbrtjyzuz|mfjtdpaqd)|r(drxexxkqf|qatdcpxuv)|f(cwyiiogrz|ydvldphsr)|o(hoggtnqhp|gmnpwjhle)|cukkfklchb|soubbzehvw|msijxeuivz|khqmxytylr|z(hedntqwcy|pkgjpxuoi)|nfkjtzcijl|piodimlghg|togklxvcbp|btwaaxrnkp|wqdxkghwwv)|q(w(zqsqjnpxd|x(vnhwkcjk|eqqkelmx)|abzeakpmf)|oouetsuwfs|l(uaceztgvs|qzdbbccrb|fnwcvuqzz)|gmrbjbjftv|xbcaeurrwl|sfdyeghyda|qskpnvlsmp|z(isxdzxklm|aifanwrqw)|k(dkqsdnowl|ixojkbijy)|j(ufnckjkxy|hsqhkvkyl)|ydcvfnzgit|cwawhkumgr)|z(pzzqntlwsu|q(tofrvvupj|cvteljuex)|c(rsdyuujwq|ytawwhtar)|l(zkepvlsfn|xdfhppqfa)|esjqzdhrly|mnfenpbhqx|a(tsukkhrpr|ywvjnhhzf|xpuczbzyp)|ffqhaaoqcw|djfmqufdqt|xhvyltndcr|k(gcfaueaeh|snmbboisk)|vaxeyfbuqd|rqjfdgbywk|sldqjzvrpb|gksbdbsori)|o(o(gtziazizp|bljmrylcx|mlyjqmhkv)|kdsgzreiur|rgqgkpvmxf|h(wndbtusuy|hkxubnelh|qldjolvvf)|sfsvihpavt|q(fbchjzbpw|zauglabiv)|xuxuurzmau|g(dturjqful|eaakhnpsc)|d(sgkxfmgek|xethmkazk)|akezlobxvq|bxhwfvyrbq|ifthutacvk|vlgzgmburw|preomaqfki|zkjdkbcghj)|c(c(nuqjpqdpj|tytbapzub|fwrjdmmpx)|d(ivowggxft|dlgqtklae|oydimwgys)|n(zwrnpfolb|whftnbkpd)|sxrmoazxwv|k(robhhxxxm|afcwmqajt)|w(mghfgrmpw|pjkqmentr)|o(mqcxngxvn|cswxgshwj)|fctlhewayv|jjxgvhudhc|tmxojrvexc|buxaqassdx|e(biltmhgpg|uasyixfib)|z(zxklmgtzf|yaattyxwn|azczteoqd)|iffpyjcuvq)|l(y(tjazkmaku|ujsnyqpzc|qdxoizfkr)|b(ocivdalmv|pkomlqbaq)|j(xwguxvhzc|ffhgbpune)|rutopzflfq|agwlcdumch|vegaczsugi|tztfnxblmo|s(gomhzlchf|papotjfzl)|q(krmtivahp|thcelrftb)|k(ydmivfngy|bngbgvvil)|njbqgzfydt|psoxniesul|ezdbjyamyh|gbjsbsouxx|dmmzhhhrcr)|i(n(vpimlqjcv|gpyndyxcw)|y(snfhkbrgr|ezenczrye)|s(gqinadbrk|mqzyjyijq)|d(czipgqsrg|huisixdyd)|r(lfvwiufat|trjrulskr|cpzrzxxlh)|bzylrbqivf|zfwvmmmqfc|xkwinayhzr|l(w(kmthlktr|zyycrygp)|lxegpreqp)|j(bwzhwhwoe|rbnjllbgx)|i(rqsrnaiio|adpcyusla)|aw(jkmirulg|fslawqix)|q(ymoxmdsbq|gkhwylbic)|kkiyqmrris|u(inprormps|xhabhtqml))|s(vghgioohoj|iddvvyvoqf|qpkpuwfhqi|r(yduaxseeh|tysfesysj|inycoyecu)|zxhtziprxn|p(nwdqjdwbh|ypznlropi)|x(bbolhvjnb|vnxxspjen)|e(tmvkjhjsi|xnezocgsq)|d(vlepbcdce|navahgaal)|fxwbwunnlv|gssdawptvs|nguclojqnv|cpakoggetx|hddbtqzqvt|bejgjatcfd|alkgxnepmh)|d(d(ynmdzbdlv|hcwaahxom)|exyordhsxt|agvqxpewyz|q(fismwvfuf|kzyrarajp)|xoztssluns|yubrompwar|uqibimeezr|zwwjielewg|n(kbrekafpg|bpngxhpdz)|c(brhiawqer|wvcrgbdkw)|b(hhroflpzs|vlnbjljwn)|ownlhtdmky|s(ypejohukd|wsimdejou)|feomxyiead))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633057; rev:2;)
# sid 2633058 includes 839 (601 - 1200) 11 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: "/(m(pndicdrkkw|h(slottorom|xhvcwwtvh)|wjqhkcfuth|l(pfqqksvyj|zcqbunhps|rlpckfpcz)|n(uoffxppqh|hemexxanp)|k(javgmxfum|skuwzlnax)|arqqzkdmry|qcsxkgzcey|z(ojbxwnwcp|eocstfsjd|bakypyzlm)|g(mcepwdbvw|iykfmibwo)|s(pdxfeseca|qbfxejeqx)|rwsoypmytz|jqqrbwgmlr|xhdjpaqgoz|iqloumovzs|f(utamkisyt|jbfsdkqqi)|o(qfqbbfhvf|nzeftakub)|d(vricgmwgq|qjopxpqll)|tfuerylqdm)|a(h(xaufdiuhb|fdqxfktva)|adkuhkpsym|t(kcdpujgnv|wbtcviqts)|zfdibumcmg|pc(nwzezker|tjvvflgm)|r(fdrhflxlk|bzqjsedjz|cnawndqsn)|m(zuazbkiix|kxqsfqnax|tzlrqexos)|yuhoymkipd|f(w(ifgzlxbh|dgmlfhac)|vawgdeudj)|x(skxmsjava|nvqdjcjwj)|d(eihvyjyme|lqezjyvyp)|sznsogkpik|veplabpiog|bwzslfuxhc|cmbdxzovhs|llqdcvlcre|u(wullfkcmf|umxkdzygd|bglbwnkxf)|woyzuklqpd|iedgqdsauh|jcwajphdlb)|j(qazibtgffm|f(kdjonaapa|fmyeqtrdb)|t(tmbrebjjg|usfjdbeoy|gxpzkorgj)|d(jicvgvqkj|dljnrtaub)|a(uvzhqvhrt|hungunzqe|wfdhnqezs)|xhtmlxzzpf|c(octedrbfc|azvkdlpsa)|lg(lwpslekk|jqyuihvw)|v(vuedkxgsp|ccgehjdwy|hfwnclffj)|ueqofwfohg|y(aukurgfev|nadiwxioe)|r(eoptuchky|mkhkqhuhn|ldsavdpmb)|p(npbjkfmft|pryqdlyqc)|ijgplcqbzr|nsnruaroyh|j(gxlwawcpa|jgptsfueu)|k(atfigpdgv|ynqrjvurl)|erghctmkeq|sfejrknvtk)|k(j(lymgklhsd|qqcorsdbk|j(dzumjljt|spxaummr))|vtzibwwota|u(mhrawervz|bnnqhptsy|rmxffnfdt)|epynmvjbqq|y(sqdfppopb|ttavykvan|kqxyizyyq)|q(ixatuuvmx|jjqhfyake)|i(awwiipuxw|mswdmwaoq|nrxruowoi)|a(spoprbefj|ingfoszrp|noxaugeio|kbyqrscjw)|r(ceagryhlx|frhqcsooi)|g(anlixklex|ruwquujnb)|dqktfgxwhf|c(ynazcpswd|imghishbo)|sazrqmtmoo|kqjwvbmqqi)|z(ffqhaaoqcw|d(j(fmqufdqt|unmgrzku)|dkaptfqaj)|x(hvyltndcr|dnfyixxlr)|a(ywvjnhhzf|xpuczbzyp)|c(ytawwhtar|hbqmoldvr|crcqkwtmx)|k(gcfaueaeh|snmbboisk)|vaxeyfbuqd|r(qjfdgbywk|ljqnvxvdh)|q(cvteljuex|mwypunqap)|s(ldqjzvrpb|klfocebph)|gksbdbsori|y(kimwbbtqp|ynxojjsie)|w(vqakcdcwv|zgikelytm)|tcljifpbef)|f(h(docqhcivq|hhfvhmvdk|wswzkzerc)|o(tuejbczjj|uymmcttvo)|z(zujnmwfkz|khnusajzh)|c(pbqmpfoyq|uvgltbvyy|svecylwvg)|k(dzktagrle|eugkvcdae)|w(wtpkjlshf|eznogopqx|avbajngbb)|p(xefnegllp|bpxeivken|fmhgrrzkd)|nkfgmzdaxt|sxasixxcwd|y(ugujeyddm|rwjnkxkaa)|xypqgcoyve|jicwhajvzs|fqxbjrdexn|aedfqzxqmc)|q(wabzeakpmf|zaifanwrqw|k(ixojkbijy|yvllaqnka)|lfnwcvuqzz|y(dcvfnzgit|l(nmnedvpb|vyzaocdc))|j(hsqhkvkyl|bhwepuqqc)|c(w(awhkumgr|nvrjyrzd)|adoygwerd)|aqwmfjynmk|m(fgtxqvgqt|vgsgyhrax)|u(gqwpmnuva|heaqpzdbi|egparoshh)|p(fvfblzzpv|vbufqvolm)|fziqwzbfgr|gqigyirlmx|bogtpophyk|haybpclrtg|x(mfdkywbgd|oakdnirmp)|eggqpgtoww)|r(q(fssaoditj|izqunwswx|gimajunsz|rnrqbmfqs)|wzihohdmrm|y(hgptlfdlu|uhohqdzon)|p(a(ufvlrggy|autqvkux)|mhhhzfoab)|xccxskrbga|tusfqbqsnn|k(qtrvdxemh|yidobqnhs|tzfsmovpq)|vjeyjsvnsr|eaimhlvqfl|i(ytqsebcns|krarwtpsn)|gnujaclnkh|rxjmfwzebt|muwgtqfket|apedofuqut)|c(kafcwmqajt|n(whftnbkpd|snueniryh|codrcgpeo)|w(pjkqmentr|flihjmmpl|lpeinmyma)|e(biltmhgpg|uasyixfib|s(djomjsor|bpdopksg))|d(oydimwgys|jtkvbnosd)|z(zxklmgtzf|yaattyxwn|azczteoqd|ddtfetczp|vqbrwpzck)|iffpyjcuvq|c(fwrjdmmpx|orvwsplmv)|filvssinni|q(wjougyoxp|ikyfsxqdc|vbojamzuj)|m(neaxvslij|xtzntffcv|gqkzsjnzm)|j(xlemlpmmt|oqdxfukjz|hpvpgplhx)|y(eayuhnnwz|tttlvzpsk)|b(cetawvrnq|xevcqahtg)|uonhldftij|x(qurhlthsg|neaoksotm)|p(zsxetnysv|mlhxtrayr)|lyepnnqikl|vddelzsoss)|p(ijmshvvzmk|j(qnfxavryc|yxwixtrqc|fazywhwpa)|wyyyrbcuqh|m(pcbihsifi|rocyhiatv)|n(kioypwjcw|hqwucvmoh|ybwylmgrs)|o(avzqasiil|heuqkdxyd)|c(ijqvpyrff|dgtfrhpvw)|dahoesdgnv|h(oupgodchv|kucuffldw|wpysrtzpy|tuzciuunv)|ydbrxfmqsf|erbdcubkkv|b(vjzarlpox|dqqllgnlw)|f(voqacbtrj|jhwhrkpyx)|vupapesjsa|thwiywvdil|kosiraxcgi|sutyodlkrs|gcuxsrjgpd|r(wjomjsczc|prkefycso)|zgcphvsqpc|aezhqncpzl|prfbboakmt|uqwbzmzkjb)|o(dxethmkazk|h(hkxubnelh|qldjolvvf|gopoiocqv|mgpnweqxo)|i(fthutacvk|tbytoeqfx)|vlgzgmburw|g(eaakhnpsc|ymacfgtkt)|p(reomaqfki|wpxyotgfx|zghsrjrwy)|z(kjdkbcghj|ipbsqavlx|jjuzyduwj)|o(jnnfqjahu|qokejpsjf|hokdkkbqu)|r(iraydsxuv|swgttzfed)|tapyttiepn|e(dppbfsdnc|zinyutgrj|giyslitti|rbtzbruas)|u(katxzatmg|isvncbrut)|x(zdknucfwp|nruwsmpui)|m(buhczhwdn|wspgotxfn)|yvdppdzoyh|j(qwmkkewlw|gvjdagahn)|bsqewdiapm|cdyebgpjjc|lexqfjiema|kalxllhsnh)|i(k(kiyqmrris|fmampfwxm)|qgkhwylbic|l(lxegpreqp|mcimfcnzt|gbiilibha|scytqktce)|u(inprormps|xhabhtqml)|smqzyjyijq|r(cpzrzxxlh|hdpjasitx)|a(wfslawqix|fsjrrtuiw)|iadpcyusla|nsurlqvhvh|zzibpheokz|v(giejneolw|unbvzzoyy)|e(hohnluniu|wtkvqxvcl)|fqvlfseicn|pkxbdfcqlb|dgqrjkrxyt|m(zfynygidz|agtnmuivu)|ysxnsomxla|wmlxfrujvs|ofrijbgxjk)|u(b(shdelbuop|mautovazz)|fgbuipculz|r(b(vwdapuzo|qvaohacf)|tluibivgx|vgxiehdzv|mpqgmhfbn)|q(nbfxpajbq|jknyfvafk|dsuyucngs|bnafeoulz|z(sdrgowby|xajtsxkq))|acvlxynpgo|v(kexyhluwq|oiztrglii)|d(hptrbaazm|jusuentwr)|cstuexebje|k(frnugmevm|scpldlkia)|tbimmusuxn|wetfhstyec|iycanjxvbr|z(cwyquhaqm|kqjafyytu)|yzhcxigfuy|m(mdnmmhvhi|qtarbxcmw)|g(kglnjlnwn|zjbykgiun)|uqyhwyxphp)|y(kfbyehaoaj|z(wdziwnuvo|ryrlcmhjt)|g(yvorqdnqq|pdfytcqlz|unszamavc|ztgwjjqbb)|j(qhndbabzj|lzdprmirt)|dwpaiiauoc|w(ckrimplau|iwvphuzfm|hmznjrlvj)|mgkdizdqxq|c(ppxdtktkj|rsezjgqch)|tjltrmllpc|x(bojevbbgd|sqwsqnttg)|lzjngaynee|uxxqbocaaj|n(pkbetiuzn|tnpajotua)|a(vgavouauy|xyyufodbc)|r(qwwrdottm|uildtwsay)|b(voejbkkfe|mzayofvmo)|yfautfwxeq|pjjcjmmcqv|o(qdhgtwipf|wejpctrmk)|q(azdgcrqhp|gndevgdcu)|v(whmkzjqtk|nnwjtyfsk)|f(dcxqigdmc|cvzmioghp))|s(gssdawptvs|n(guclojqnv|kcfzxaheq)|cpakoggetx|h(ddbtqzqvt|nphazmcsr|goxzlbntd)|pypznlropi|b(ejgjatcfd|luhpnhplj|ubbwbvshy)|a(lkgxnepmh|zwaoekhdj)|k(qeqvfjheg|plvvxofxq)|q(hqrkyzxmx|jygiatmsk|drejpqqbh)|d(prkrltkcn|oblrjzrbl|wmvqoxthl|qrrjkaxla|vnpuxbrks)|ybomtqtxjm|rktfsfmsqz|j(ijphxzcal|rfdrkfyjk)|w(edphbtnxv|afajcsbnp)|m(ujhcdvvti|dxkyvczau|swburptqk|zexkiyvdr)|snttfhaypr|esheqxgour|xkbwvtsdcp|fnrsqzaxxw)|n(dewdlahbqp|xyjunibubj|wwklubrjtl|tovqswdqpx|e(ltlsczwbr|tqjxadlzh|prgsognws)|mfdilooytf|nknojqwifw|gagvhudmle|ahcyxdhbvr|blyzrejoks|l(pradhauwk|crywwpsti)|k(fnxhfrdej|xmfdgwosk)|rhmtaguklp|f(epipxyazi|odmxadvnz)|c(bsiktaubz|eilybxfmj|xupghplol)|q(yvznhufzc|ccrkqclle)|pjcnesciuv|jfclytkwdh)|v(kddyrcchpm|ehlidlesti|ptrronjqlr|m(eqgjjpjaq|dgrlcixgu)|ahvjznzwaa|rrwxtzxbny|b(weqlaxipw|nhajlqven|gczktnvxs)|x(fquswvuig|tolpstjqa)|w(gbxwugwny|wzlbzvjox)|dovahmlvoi|obuaowbggh|qpbruxbmik|jserartvqy|gzstshysho|nkbgsxgvta|cnuvdctyca|sbqvtsbppd|yzzqlntoju|l(vfjzvoxtc|lfrdbydcs))|x(w(m(qkwxpbji|szlhlefl)|husrhizah|akknpagex|thuahrkkx)|s(hvtqskhlr|v(kkvilahv|rsiipyow)|ynfthixad)|q(klpjrkyhr|dmhmahmpq)|r(wadqdxcmh|axiytlocu)|v(xmhsammlf|tekbyumhf|insqsfimr)|p(fcivjugun|qlxhkypzw|rdgtwmzzb)|c(oqpijeyzt|bbmkbfttp|gkuvtpjee)|f(uzwxumlfl|gmomyotpp)|i(ypzmhxmzq|nxkmakbgu)|xnfmuivoer|z(zolnnpxck|tafdbrzfp|qeiskythc)|k(iledreoav|klmpvgdki|qwkyvkzqb)|dwgebaauin|yalyfnfsxm|g(kpyejsfkz|pcbdsrhcl)|l(vncycwhrf|kxzpmakww|hehpzubgo)|muieivcmxm|oamhxbznyo|u(mqtqzoqef|furtpblfj)|avpwmhbudw|brfqfpmeqa)|b(y(dybgwqvvz|zaiouhfet)|t(sdgypnssa|xswozbfoy)|c(kvaqzigpp|oteuwwftt)|dqdnndwmym|jkiwtnlrda|u(hulovalqe|aqukoczrx)|s(winofmjhv|kavbvynuy|mcgscycao)|z(cuodwvuhg|vbgxsusbg)|r(waxgiilgw|xuccuisys|pofxjapvg)|m(r(caxrzsyu|jdhmxcau)|qbsuzivfn)|vp(vvnavsib|hbighqdg)|nxwxhgvwvz|autdkjptiz|idhqvmzvme|lksbrrpvql|p(rm(hodxyfj|bkepuoh)|hxuhxwidv|eqvauemxl)|wvzgskrxpr|kbqhbcvdkt|qmstbcrauu|gbkzamcxlo|xlcmnyqcrc)|h(slfydmyjgu|a(eenhloipf|lvsrmrqlp|wdillshhq|rcerifdhe)|zqyexhstlh|w(r(uxuyrubv|fvvwatou)|hatelxdnm)|x(qowojxhai|uweouydzl)|k(mdkcdznpk|auzdoajiv)|ojrnkaivtf|h(zyosmtrns|cpkchkpit)|y(qhmvzjtei|swkrkcqxj)|nszvqbeemx|r(rwhvgvuzt|dciznskux)|jsxxcqxieo|m(hwyygmlqw|cgxdwgbap|uwgfuoclk)|v(gciybyhkx|cbkghgavi)|qzhzvozhui|lfuuiacdqv|f(smfkqmyio|apfaoqubi|igptrtcva)|uyxjnthzoc|eliifhnorn|iiojdxmsmj)|t(k(hqmxytylr|clyxhqulj)|z(hedntqwcy|pkgjpxuoi|mydbjqtop)|nfkjtzcijl|v(mfjtdpaqd|kwqimrktu|jxiyrnrtr|dvcbggbos)|piodimlghg|t(ogklxvcbp|wgmgeuenz)|o(gmnpwjhle|cowoaedrg|lmlxseioi)|btwaaxrnkp|w(qdxkghwwv|iomiauppn)|h(gxqyprmml|ajmuccwzr|zjobuoloz)|m(xcfskdidu|zrdeujhmx)|l(pbnnsvyvy|hqmhltkfp)|eumlkpmfgh|j(rlekcbtmi|pdjvnhdnb)|f(wcoxbnstx|pdfstragp|rocyymwto)|cweenvskdn|ipntemcdep|g(edxvoqomy|biicdhqcl)|azvefnbfvv)|d(n(bpngxhpdz|ftzbsxvdq)|s(ypejohukd|wsimdejou)|feomxyiead|q(kzyrarajp|ocsmlfzdn)|bvlnbjljwn|x(gmlfmgnyw|xsjaehfxh)|mbjtizqxnk|aj(mujpkqnu|udxobiok)|i(vozxxswjk|klambhcnk)|w(itpxsrgni|okanvsjts)|h(zmtfubuuu|jjgoquabl)|vywavbnojg|uggdbrtakk|liglzdamtq|pwuplueson|rtfmxnvfna|z(djpmxtmxb|svkkjzxdz)|jdyitpmwnb)|e(cjriozwjvp|l(pwgicrqtk|lfndmchrp)|a(cebkaoufu|slapzjzce|hdlhuryik)|tcuknucipo|s(xqmoqqyoj|jtfvlpxfd)|r(iskowxlub|ryofjjbcm|vypjryiwj)|osiugtyrqp|b(sdnilwrrx|mlolzkfew)|gwyqofprjp|p(zcihpcpeg|qfzztlcjj)|nohyosjafj|f(yleoztgro|wquqnqjjc)|qehjpctsit|d(dczrdwyda|ijzgqpsgf)|xrphdccltk|y(lffoojabq|erndurqpp)|z(hpowfqnyt|xshhorrod)|hgxbpjznwl|k(qxsbwjjov|ibfmdcnqi)|jmvxxjtvrv)|g(b(hleuugwbn|welejkiqo|rtzlptilr)|l(gljselqkz|ywbpjlbfa)|z(goltqemuh|kyltphnaw)|xcdthhrpqa|y(zeurwvzdn|gsngnnert|kbejvbpxg|xoqagrzjq)|mhbyopfxop|cgeqndndqw|e(psnfwwwoi|zfinkpsus)|wrzdbpkjfx|u(myqmmexyo|yyubwykga)|i(jibqttahv|bbaqxhewg)|gstehngrhk|pggbvdelsc|o(wixvvdvll|godqgyuzf|xwwlxetea|vjmxtoyne)|qtyluojxqk|acjwwgbeja|srmvlkltbp)|w(f(gtfpcgire|asjrpsugw)|q(ekxsyseds|htmrjoooc)|osbuwyvvom|hnwozvnjjy|p(z(vgpccvxf|yfneraxe)|juyvxgyeq)|n(bklholjay|jfjuouots)|a(fcfgobxpq|djvfphgso)|y(ikkwrqsxm|zkkltlwyj)|t(jhhfplbqf|u(erdoyegt|nqknkvkg)|eoighuhvl|vhertjxug|kgtnjqlwj)|s(kuevmyplp|dwhxtflli|aawydvwmk)|jjvsgkdxjs|k(leigqyjkx|mkgutwvxq)|z(qbesncoqh|fvpzkccle|puztibugg)|dxceonpubt|xzgagucxuw|crinqkhjtg|reijpzwfkq)|l(njbqgzfydt|psoxniesul|qthcelrftb|e(zdbjyamyh|tpkzbluse)|g(bjsbsouxx|jvifevcvy)|dmmzhhhrcr|c(tbfosxawh|hafsfwsjb)|x(pdehemrtw|fjzxcseyk)|s(ascmdxatm|jhphheacs)|z(t(lbtgxyiy|rclejkhs)|omehvmvzi)|f(grnfhojov|kcoecayus)|h(dqxztinit|yesbvcrhx)|lxnnwtqryz|jnukgarzax))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633058; rev:2;)
# sid 2633059 includes 239 (1201 - 1440) 11 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.cn)"; content:"|0b|";content:"|02|cn|00|";nocase;within: 14;pcre: "/(f(wdqjooyxaa|qhgwgfyawr|bydjvaymio|gqzfjlvark|s(uhyzcbdpm|mefwoiuvc)|rtxhtrjobh|komjybtajq)|q(hbpqhrgcyd|opitvyidkt|a(ntvlbakys|agvicelcd)|u(rwzadumrv|gpimmhlsb)|dzkslnvsqc|ikvanoztyq|lbqcscjyjm|kvczsnthzv|myjpdpjqsi|gxfyxatalg|nvozjmitqj|xfmoanhgpf)|w(ncdlieljdf|hemhacemuh|b(vwzllblbx|qzsgsquqz)|q(uhvfopwld|mtphksivx)|ramvxekgvi|jjhlxperad|ltixpyvbpy|osrqbsrqgf|yppchvzkyg|amkaiyebmz)|h(xsstmvagqo|gwzvedwolp|dk(ascczjka|oezzfigq)|nnrvgluala|hppgsierbh|kultarevus|ckfnpnglgo)|c(jxteereeip|f(cslpnkdut|kebzzomqp)|cizrtcyamw|kzznarwydf|pwbbqefbsi|gerejtvwgz|qktkkqtxhj)|b(u(fxopzcwol|owglymmwh)|wlpqzkkcro|vfzuqkxjyg|cgtjxzgvhw|j(kydhragko|iomrftdkl)|s(hnvroqtth|ckwyohmhr)|g(aaiodkmol|lvksvqhur)|olcjnoxpet|bieebnqerb|x(netgdugfr|hoczpmbfm)|eabdqknngv)|l(hxkibdvfvj|s(fgkljnpzy|mxnpqlylo)|jwvjzaugyq|tljgnmnuvk|chbjbitofa|kszkskkasv|zhraxblevv|n(yipkeednq|psaqtxufd)|xnyfmjebcn)|t(o(lndbmdsjl|uohzdgcdc)|umeozbkafk|p(vaarnzyrw|yjkxvnhtj)|b(tyxgbtmmt|lxxwcapey)|njftcmlohj|qkmuhtsjpw|yaehctlyyh)|y(gwoahwucbc|k(ozjpsblpt|jfxsjkpcj)|t(uvsejcowo|pmnmjpvmq)|ytbakqydwv|r(qbynxqzva|njgurchpx)|zgknbdkqgb|lxrdpsustf)|s(tvdxargzgz|jvoeviwcxx|o(gnpgrulby|mgavzvghw)|wjnpdsjdhy|nxmtfqmkfy|iobosjkkct|x(xffwlcych|prcmxpjyx)|amsboncveu|vmfcvynqhp|hmatvmqwsv)|j(m(rnjnqrjjp|ohkpqpmni)|bmfijgoils|ghtnzbtvuc|csrkkrzvxw|xayjxyfzgu|uuihfwqrgz)|m(oqfyemdula|qooyolgley|x(qeulonhfq|yvigmqoua|nnrhsnspw)|ichavuojyr|w(idldxixxq|fmpduggwh)|fpxstmzdss|bgeerbqljj|psmjatlsjv|hnlirbpvsc)|r(ewjfeikmyt|ahqzyvyeok|d(cydotbunn|vwbjczgjp|ufcwbxalh|semsrlass)|ysonpeiqcq|zymppwfqxz|muagdresqv|hyjbouhvdp|tjbglfmwlc|uxsoviwxyv|kgzchxvfus)|d(frgcfqukci|rhimkgcklo|l(fqvqaqmic|nunziqbpe)|zpihofozrl|cjpcsbgkbi|bxgkokvtcv|hljhapkgou|ohavyctwgg)|g(zmxvmmivya|l(fmamtnfml|mcrgbcybd)|aetehgiuni|ukpddrluqz|qsmcpksvps|ijxguayqbe|vcropqdocx|okevlyoyrn)|o(agzmvqryog|x(gdkzwepgc|lndpqxjdj)|fdkvewmtfc|hrefpsyrdt|ncmzgcvrsb|odfrvoxzwb|bgfiiyupyk|uoadskkqtq|molplctsks)|e(cawkuxjswr|edcsfronph|qmjtvdzsmj|t(thqdnpakj|cssegbnvf)|fhdqtjijvd|ihlzrdyses|mxtmimbvet|lnbovautjl|odzkwffndn|brrqifoojy|zzydtjtjra)|x(rliundihgh|vipnzriyvw|qdxjxnilql|ubsjofiqjn)|p(lttmdhdoix|o(pvufwzfxj|zctcfmuov)|vtqxnlirmy|ferdcgszio|hvlvebyzpv|mwmgoopkzk|dtdlzfuqex|tzosbowojj)|a(ststnvshyc|r(tyvaqqskn|rxofrvjht)|behtuksuuk|j(rrcarkdpm|cqyjhhzgp|whirsbcmj)|wmifljyzcu|htrqkqjifh|tvnmdcbsdi|dijjsladfo|ltsbbthzvy)|z(lyfdinpkqt|qghllwbqdx|o(nmwxhzeov|ulycwobdh)|dscxbwdqss|jaqcvsuajd|noistikjrh|gzsczkisxz|psbcmdqusm)|k(bfffvoazdo|mgjnkinscc|tfynbpgwxl|r(jjhmorujr|pkmzcghki)|okhnonachu)|v(p(hajoxspye|slrixayak)|ceejsrsjzw|yatjqkqcrt|uooezpipaa)|ia(iigxeuzyj|nwvwtdmjl)|n(iodbpuicqc|e(ykvfjowhq|iwmcaketr)|oexkoaxiax|urfwfwhqke|kckrmaxnpf)|u(k(gisqxfnbf|ttujzrfnw)|rysjunrjoj|iacnvjvotq|ohkvlzcziq))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633059; rev:2;)
# sid 2633060 includes 4 (0 - 4) 12 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.cn)"; content:"|0c|";content:"|02|cn|00|";nocase;within: 15;pcre: "/(infomylecqfa|wssovtxkcjlp|c(omeviwzuydv|nycsdfkdokk))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633060; rev:2;)
# sid 2633061 includes 6 (0 - 6) 13 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.cn)"; content:"|0d|";content:"|02|cn|00|";nocase;within: 16;pcre: "/(ccqoljiokhsvx|ws(agdiyjvxscg|uangsvyvqtm)|net(njheshciuy|czirqaoujt)|orgzfkioxrnhy)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633061; rev:2;)
# sid 2633062 includes 5 (0 - 5) 14 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.cn)"; content:"|0e|";content:"|02|cn|00|";nocase;within: 17;pcre: "/(org(tsmvoglsuhk|gtyxzyrxxdn)|bizolioopntrxj|comhxdfvwfjjpb|inforbhkquoini)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633062; rev:2;)
# sid 2633063 includes 1 (0 - 1) 15 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 15 chars (.cn)"; content:"|0f|";content:"|02|cn|00|";nocase;within: 18;pcre: "/infoleasaacadhc/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633063; rev:2;)
# sid 2633064 includes 600 (0 - 600) 5 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: "/(k(nlln|pkdk|odfy|v(tzm|uhq|afl)|dfep|s(nya|ulw)|lekq|g(zei|kmh)|xnsx|qafq|cegq|ivab|r(plb|fxx)|axpj|yyvo|exic)|e(y(wbb|pyx)|c(maf|nde|veu|aul)|jnyo|w(fvp|ehk)|fkcm|b(rco|ehz|yol)|o(tql|oep)|g(zmd|mcy)|kevj|p(wiq|pwj)|t(iue|sdn)|s(num|cct|qpw)|mvkm|zxbs|qnwz|vyit|ueza)|j(n(gwo|qxm)|zire|j(iug|kit|jci)|h(aiu|psu|mwt)|ozis|kmqc|x(evw|xjj)|skzf|rnif|fdmj|pkgl|vjfa|ylok|cget)|m(g(loa|epx|zih)|kcry|q(bsn|hre)|jfej|dd(ry|id)|uukd|z(cct|fof)|n(unm|x(uk|cd))|ardw|h(mkt|hmw|czd)|bdjj|ickl)|c(rvch|q(fhf|cfi)|c(lyf|tfj|azj)|g(xzl|skd)|v(yzb|rhq)|p(hfs|dsn|lrn)|wqdy|tqmp|e(nvf|qpc|rjo)|ogns|sjsr|uxza)|f(i(azp|mkp)|f(hms|wmo|b(is|sd))|c(oro|dgq|pri)|e(enk|qth|c(wy|zt))|tgjs|nesw|ghvg|vvgb|zhbn|oapl|j(eaa|kjq)|puuo|htpr|svyi|qwhl|lddt|utfk)|r(w(djx|ezb)|t(hti|dbl)|kewv|smym|xzpv|g(bzv|dmk)|ivrl|j(vbj|uur)|bdjp|e(ldd|wid|rgv)|dezu|ubum|p(ypm|gew|hie)|v(qoe|kfm)|ccst|rcut)|p(lprt|ejjy|p(pey|tim)|fxtm|n(fox|ydi)|stll|umxl|jhlm|rezo|hidk|zfnc|kezw|a(asa|lpk)|vrom|ykzp)|l(uhkv|ppri|w(upv|jkm|ono)|m(tzq|gvv)|k(bjw|jeb)|rsto|e(hsh|phv|obw)|f(tih|hro|qqu)|q(fre|bde|ive)|latm|o(pys|ele)|tesb|hikb|c(vwp|ona)|s(jcc|ubg))|x(i(nnv|yyl)|m(fop|crz)|jkbw|n(ujr|bpu)|svhy|hvtg|e(eco|phe)|fqzs|z(jvo|beo)|pogf|wfyg)|y(oyho|y(jpy|ckf)|r(cth|oxz)|dbsi|e(jcz|hxr)|hmva|peiu|x(vxv|lms)|bxfq|vnxb|wnfw|nmcw|qveh|suxv|i(qpp|gwz)|muca|gfxj|uyhe)|a(t(wio|s(jc|ls)|tkd)|bqfx|i(ulk|kbq|fzo)|m(dvv|few)|n(ptg|ecx|tik|wgm)|y(joi|hir)|x(pws|zle)|rysh|qeov|v(jal|xsx|esh)|zfdd|wtpe|szom|oaqa|k(lqa|pru)|pwzf|dxpq|hanu)|u(k(vdb|gyu)|gnro|mzwp|zvni|n(ypm|rde)|p(rnd|eqn)|q(ryw|onl)|w(gey|afu)|yi(ah|cl)|tnrh|l(vig|ljv)|bhzc|r(xgj|lll)|o(hkn|awp)|jkvw|srqx|fgfx|hnya)|z(u(qmd|vka)|f(edt|pfu)|p(gqs|ywa|xbx|upa)|c(ylq|irc)|ahpo|l(vnp|afi)|b(eer|axp)|nsio|sycj|rvey|gdjj|zpsn|qbnu)|v(p(vea|ztd|ntv)|y(bxb|agt)|v(jej|pyo|hmi)|wqnr|d(msc|emi|sde)|f(wph|m(ww|pw)|jxs)|cmau|sbtc|r(ght|smz)|xafg|mxat|uxpu|oewr|bmct|l(fqa|nlk)|h(lec|ell)|ziia)|g(c(obo|yqd|nfd)|rufj|v(vet|haw)|a(vpl|nwf|cys)|i(c(ai|ub)|ysw)|w(kdw|meq)|n(pds|mzn)|yqjk|t(fgu|joj)|uswo|jdyw|ouyh|sbwb)|n(fxpz|o(eqp|woz)|m(wsc|glr)|asyo|trgs|sjvd|qmzl|nftr|ddlc|gsvs|uvjz|eibb|x(swy|boy)|z(cnr|wxu))|q(d(gdb|qhn)|e(uzw|zrg|gzj)|ndga|c(nax|tjv)|qden|usop|kwif|sotp|lblw|judy|gxbd)|d(oxtv|eugw|v(ven|foy|dbf|mcp)|h(eko|aqt)|ne(qk|pm)|f(dnx|tvh)|i(pdf|tnu)|j(vtb|edo)|uvhb|bwyf|xmys|gxnb|asep|zlzl|yjyq)|o(chqj|q(nke|age)|etur|kpmg|s(vgl|nhe)|m(wcc|oox)|ffsw|tlzw|odqz|dwtb|bxqe|j(llb|vlb))|w(cydq|p(slc|zcf)|m(fep|osj)|srwk|i(ldv|ziw)|rrdm|y(uql|syg)|hgnt|dnod|x(gnq|rgx)|q(trx|xrj|haj)|kvnb|wfki|ojee|gtdn|vntc|ucom|beft|njld|jlng)|h(u(hab|fuc|lpo)|v(kaf|vvc)|mnxz|kpuj|q(odi|dwg)|x(hkk|evs)|f(yeo|uxw|fnx)|bxmz|yrxy|i(ndh|wfn)|tigp|d(bbs|zfw)|abrg|gnns|s(mur|ibi)|lwcn)|t(srsw|o(sou|rwl)|n(ulu|gep)|drob|h(efr|ner)|m(pjp|hvz)|k(psl|cxg)|e(zjp|eey)|ante|g(dsk|pua)|xiyc|fkig|yype|q(fkd|tpn)|jcth|imlu)|s(vqdg|hlgl|w(kzh|jld|xvd)|a(prc|qve)|pbpu|j(sjl|laa)|m(nnb|cof)|qgvr|n(yyu|hxb)|znfy|dgjy|iefa|ldsc|rbzb|sgdi|c(lvi|uzk)|ktlw|bsyj)|b(zwqt|ixcf|b(ikv|wqt|yea)|whng|yhza|e(tyr|kep)|g(crm|j(rg|hf))|jdfp|vnoz|nadz|p(zvp|aqq)|djhn|q(poh|wbi)|ruhr|lhtb|kbjn|mjot)|i(pwxb|otoe|z(pql|etz)|mi(bz|wm)|qnmo|amws|i(klc|ofw)|vfqd|b(mfs|bxu)|jqxw|rlsh|gqzb|dszj|efhg|tofg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633064; rev:2;)
# sid 2633065 includes 823 (601 - 1200) 5 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: "/(a(t(sls|cox|nty)|ifzo|oaqa|k(lqa|pru|dci)|yhir|pwzf|d(xpq|aks)|h(anu|cxr)|x(zle|vgl)|v(esh|bvt)|jblt|nlxl|a(uhf|mzt)|geot|fuqe|rtxh|slpd|unjp|cehu|l(upx|apj)|qeyn|eamt)|g(v(haw|rvp)|y(qjk|mzt)|t(fgu|joj|paj)|wmeq|c(yqd|nfd|chl|zah)|uswo|jdyw|o(uyh|hcq)|s(bwb|xyn)|nmzn|dqbj|pood|hs(yx|kv)|mcsf|farx|k(uer|tpu)|iqef|gbmz)|j(p(kgl|obk)|jjci|vjfa|ylok|c(get|ksm)|nari|dyxt|x(udk|vfh)|k(fdc|cbi)|z(qad|jpb)|b(yzh|zwa|hkh)|qjla|stxx|t(ism|rtt)|frdb|hzyi|imfy|gzya|alhu)|w(q(x(rj|qu)|haj|iux)|wfki|o(jee|nsj|lhe)|gtdn|vntc|ucom|beft|n(j(ld|hg)|ash)|j(lng|wxs)|k(hgj|gci)|a(dgc|cor)|d(yfq|dgv)|polf|e(yli|kry)|m(gyr|kzh)|hgsx|ihqk|fghs|yipr)|k(vafl|cegq|ivab|r(p(lb|ot)|fxx|egz|xox|okl|vdg)|a(xpj|uei|dqa)|y(yvo|loe)|exic|u(c(tj|ld)|huk)|l(vtt|gow)|p(snz|wxg)|zucv|nnnw|w(sdx|bjo)|seli|tsrj|fymq|j(bze|rvm)|dsfy)|i(v(fqd|oxy|qch)|i(ofw|jyw)|b(m(fs|av)|bxu)|j(qxw|cbu)|rlsh|z(etz|bex|fit)|g(qzb|zyd)|d(szj|zmb|ili)|e(fhg|qtq)|tofg|u(ojk|wch|sul)|pgjm|a(ydx|smt|xmo)|k(u(gn|dw)|rzj)|sfmj|ciha|xorn)|s(dgjy|i(efa|luo)|l(dsc|hfa)|r(bzb|ddp|fhe|ezp)|s(gdi|wkp)|c(lvi|uzk|dfb)|wxvd|a(qve|gof|hdm|rdo)|k(tlw|fba|ers)|b(syj|rza)|e(ddo|ixw)|gowz|zsai|t(onu|exu)|q(opj|rfo)|ykdm|otmy|p(zur|upq)|untu|vxjr)|n(g(svs|ifl)|u(vjz|tzn|urn)|eibb|x(swy|boy|ted|eid)|o(woz|bpm|yrn)|m(glr|ddk)|z(cnr|wxu|dfl|mcz)|phnr|a(ryn|mjq)|r(qnv|hyf)|i(uid|caa)|sqln|y(pje|bjm|ffj)|jidp|fekk|hksf|b(cim|fia)|vmcf)|e(b(ehz|yol)|v(yit|afo|dou)|u(eza|fpk)|y(pyx|lgi)|wehk|g(mcy|nrj|qbf|zfp)|s(qpw|asj)|z(phm|web)|dpfh|h(ctw|kfg)|r(txp|unc|dlp)|fzby|o(dfv|mmg)|mqax|clht)|x(p(ogf|wme)|z(beo|qpj|zqr)|ephe|w(fyg|oqc|wze)|fgxu|q(aid|prd|ixb)|vhei|bitb|y(wds|gef)|du(mt|lu)|x(asg|oqj|cwn)|urnd|l(umm|tlq)|jdnx)|h(v(vvc|oib)|d(bbs|zfw)|a(brg|eht)|f(fnx|nev|tex|rhz)|g(nns|kgp)|s(mur|ibi)|iwfn|ulpo|l(wcn|xmf)|evxn|b(euh|rva)|jxnz|hfbt|tvrs|zo(xw|yt)|okfi|pfxr|wpwl)|o(qage|b(xqe|yhz)|j(llb|vlb|eoa)|moox|w(t(km|nt)|kkg)|y(vtk|fek)|x(cbm|rwu)|hbjh|k(pwe|qgr)|lvuq|s(cyo|fxb|doz)|as(ns|gx)|ecbo|n(mgt|nrb)|dcku)|f(puuo|fb(is|sd)|htpr|s(vyi|jmr)|jkjq|q(whl|vbp|lqf|hdx)|c(dgq|pri)|l(ddt|ntc)|u(tfk|hmb)|e(czt|sqs)|mukq|oezn|wyfw|r(swi|tba)|thfa|i(met|jap|kso)|deiq|y(hij|pax)|bzrv|nomi)|u(o(hkn|a(wp|oq))|j(kvw|fok)|peqn|s(rqx|qtr)|f(gfx|adu)|hnya|w(afu|dcf)|cswj|epvk|a(nmv|kwd)|lyfv|t(fjo|dfk)|xsmt|ieti|m(trx|ldq)|udnc|vrwl|d(ysl|zvd)|y(sqj|puz)|qfnu|bnle)|y(i(qpp|gwz)|muca|g(fxj|tkh|cej)|u(yhe|buf)|p(oxq|fml)|y(zag|dso|haw)|c(brh|vjr|for)|xrnl|qpcd|bi(cf|ot)|r(nbu|uoa)|j(ejd|byd|qvy)|huyr|skma)|t(x(iyc|dcj|kax|bse)|f(kig|jyl)|y(ype|wks)|q(fkd|t(pn|ek)|pmv)|j(cth|tac)|gpua|i(m(lu|dm)|ruc)|nhok|c(lfz|ata|xuy)|e(lff|dgc)|tjii|vajv|mgfm|zpqn|lyvu|bzhy|adzc|dojv|slyq|rjor)|l(o(ele|wzx|jdu)|tesb|eobw|h(ikb|pjn)|kjeb|f(hro|qqu|lvv)|qive|c(vwp|ona)|m(gvv|xih)|s(jcc|ubg|ozp)|w(jkm|o(no|ae)|vxh)|g(bxf|wbm)|ayvi|jxcd|xvso|r(xff|tqi|vla)|lwvm|ujux|iuiv|d(caa|mzy)|bclf)|v(uxpu|o(ewr|jwq|rws)|bmct|l(fqa|nlk)|d(sde|zci)|v(hmi|axo)|h(lec|ell|gkj)|z(iia|hfg)|ttjn|yjiq|ah(re|hz)|ipzj|w(oth|vwl)|m(sxa|uxb)|efpn|fagl|n(kbf|smb)|pucl|j(wyu|imt)|c(lci|pvt)|x(goe|rwh))|b(gjhf|p(zvp|aqq|ygc|nyg|quw)|djhn|q(poh|wbi|tsl)|b(yea|uru|wzx)|ruhr|lhtb|k(bjn|rfr)|e(kep|hcu)|mjot|v(bdu|dax|cbk|hcu)|s(gwv|djo)|n(xey|mxh)|xpmn|a(rub|ljq|aof)|jrlb|zvwz|tsih|czrj)|m(nxcd|h(mkt|hmw|czd)|b(djj|xni|kmt)|i(c(kl|pz)|mjc|qqt|xsa)|ayfr|k(z(hi|wv)|hvb|xxs)|d(mgs|cik)|z(ztb|opj|gqw)|wfox|fuja|q(djc|wog)|jgfk|u(ujc|fqf|cgk)|yqwe|o(epq|kwh)|xjof|ldnh|sgns)|q(l(blw|qqo|lwa)|j(udy|xax)|g(xbd|aqq)|d(qhn|lhd|wjr)|iqrs|maaf|twsu|r(usv|ieg)|zoqa|avfv|ktfp|w(jac|wqr)|y(pou|afi)|f(opx|gid|dzi)|oqri|sfzy|vtkd|x(vay|ggc))|z(sycj|l(afi|ryq)|rvey|pupa|c(irc|xsw)|baxp|gdjj|z(psn|lay)|q(bnu|suz|tym)|ntip|v(frt|dif)|hpbv|u(nfg|qhi)|m(hel|pyh)|xmpt|eilo|ytse|a(jhy|wbt)|ovhc|dyej)|c(v(rhq|lyx|czg)|g(skd|hnp)|plrn|u(xza|pbb|imz)|cazj|a(ims|dff)|f(rjt|grn|uvo)|m(opx|dqp)|n(lqi|kto)|hahw|kabo|wvzw|ieam|qkgz|dimy|xkai|egcp)|p(nydi|zfnc|kezw|a(asa|lpk|iqk)|v(rom|whx)|yk(zp|pj)|x(kjh|zvd|eoo)|pyde|wqlk|j(ntn|ywf)|t(clo|oji)|rrhz|etoy|u(dbq|jfo)|c(bkp|wer)|mioz|flvd)|d(x(mys|asc|zss|qaa)|gxnb|a(sep|dnk|bbh)|i(tnu|zdh)|z(lzl|owf|gpp)|f(tvh|omh)|v(mcp|dul)|y(jyq|vgg)|h(aqt|ffx)|o(vxd|dsf|tca)|qrtj|pwby|w(jtw|krr)|s(ziz|fsb|nte)|nkup|l(fhi|lae)|dkss|jrmv)|r(c(cst|teg|gcy)|e(wid|rgv)|p(gew|hie)|v(kfm|pax)|r(cut|wjj)|juur|h(ezr|phf|csv|ygp)|m(vez|ayl|ete)|qqld|i(ijd|oed)|nxte|z(qyh|itv)|ojum|lbhh|byrn|algh|ysuy))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633065; rev:2;)
# sid 2633066 includes 223 (1201 - 1424) 5 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.cn)"; content:"|05|";content:"|02|cn|00|";nocase;within: 8;pcre: "/(t(zehk|sjny|muir|ruiv|a(sph|zzm)|l(fxk|zvy)|iyse|ubvn|xuev)|w(snpj|v(mnt|ovs)|c(kbr|yqf)|ejsx|hotk|bwag|jkxj|m(pgb|bwf|wqy)|kjha)|d(pzte|hzuo|y(axd|mtj)|fyuu|eiei|tfmk)|n(q(aod|mek)|ecbj|z(qro|uxo)|lflp|pyph|kblu|vbsk|gihh)|e(hyse|tvjx|w(hwz|qjy)|i(jgn|cso)|uzql|c(ypm|foy)|lrnp|ktcs|mkgu|fwgz)|z(rvnc|ywwz|epdm|jtmi)|s(o(hui|zfk)|m(twx|gzb)|lgtt|vpro|haad|fqgl|qbpf|nytn|ctje|j(kcs|xoy))|x(sqpx|eavi|jowp|lflx|pncb|zebo|mavo|bymv)|i(exle|htsi|mksv|uykt|jxld)|b(tsgy|zzch|eeiu)|v(z(unk|lhh)|b(csa|tbt|hmj)|xjpk|mvyl|htqh|wseg|ixee|piuc|kbsi|nwxf|tzao)|u(mbqv|k(eax|psm)|rvoq|bqzf|cxtd|ipfz)|c(cixg|lsuk|tyxf|pmxg|zbrd|y(aqr|omn)|imxb|otks)|r(wvfb|f(ttw|xhe|llz)|qjmo|tapy|aqtn|htcv|xgec|yeiu|lric|zkzl)|a(cjyt|jbdx|oykd|g(wnh|qyw)|nfma|lpoy)|o(qmkj|xmfs|ooaw|sikl|ayfc|hxnn)|m(jxoq|t(rim|oik)|l(jad|mdv)|pkpw|dgix|umgn|yzvn)|q(g(wxn|eyw)|ltjw|mrsn|rtvf|n(afc|foy)|c(z(iv|of)|lyn)|jdgg|hlza)|g(gcmh|uwwu|cimb|lplu|exaz|wqiz)|y(vbsy|arpo|mcul|x(wak|gdl)|jjdh|ggcx)|l(eqsg|xlox|fgvw|lths|bngu|wtgs)|j(dsrf|hlen|pgee|iqgt)|p(umqt|rzqd|zdzw|toxm|g(bdt|dgm)|noyj|xupn)|h(vtky|e(woc|ccq)|y(eeo|vwe)|k(rif|hzu)|qtqp|dfod|n(osv|qgu)|x(wua|plm)|axwg)|f(sdrk|n(vsl|sak)|yjax|tfoe|iukj|fkuh|lkdg)|k(n(ycf|xtt)|w(muk|wnv)|cfrm|spxx|mguj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633066; rev:2;)
# sid 2633067 includes 600 (0 - 600) 6 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: "/(m(z(xahp|bwzr)|g(j(yoi|qun)|cyxj|hclg)|n(dmjq|vokc)|cfpuy|d(lfho|xkoe)|ujriq|prohp|oiczo|qbmev|s(kn(dh|sf)|lkkj|bgqz|xlto)|yhngn|xc(qwp|hpt|euy)|axjhy|hbuqc)|h(h(j(ira|adp)|bawc)|rlngg|vaylm|w(ppfw|sezx|idve)|aqruz|eojba|scoqa|f(csyc|deld)|y(btcs|stfh|dqih)|qctmw|xbiiu|mgewf|ceiab|ntlbr|glyva|dsuvl|ldazb)|u(ymjuy|j(goro|domf)|s(azsb|bcjj|czgt)|k(bwkn|jlcl)|v(asyt|hzim|jfcp)|cvdzh|t(bafp|viww|pxcz)|rlcvi|x(jrus|bmbw)|ngrdo|mxtmz|fglxp|elyiz)|l(i(oqqv|skxk)|h(lofl|jcwa)|g(njkb|xcwz|mkhl)|rmymk|y(sepw|gxvj)|b(beck|eent)|n(vvyx|yrby)|u(whwx|xlyq)|xklxx|lwlrc|d(empp|foae)|zyqmk|alxkg|ohnpu)|o(ptkts|d(sahc|aytw|wwnk)|iqeyv|o(xkgg|kqow)|gvrbq|y(nqfu|vgmh)|b(addg|nmaa)|emlgy|kvgav|swdle|j(hzoa|jzag)|wzoyk|uzlpf|qpnsn)|s(gthfv|h(qcxv|uuwj)|y(mkqk|gxup)|nchyc|py(xjh|oil)|i(xsov|qzuf)|m(lkhu|oubt|fdxd|nqjo)|ajiqe|qshug|d(ulbz|rodx|tcdv)|lwyea|zoixa|elmku|xgpeq|jslmh|wqbzh)|q(w(ulpq|hnfu)|u(zgtw|qkos)|nacqa|o(oakl|faze)|ipaau|djbeu|fgmiy|q(doqq|rlvw)|lnnru|b(efvi|oibz)|rwnur|pqacr|mnkid|teywe|csnjr)|w(u(iatp|pide)|m(noeq|mwpd)|vzyvt|dytxw|l(uezi|jkhs|cpkm)|rogeh|zasxo|j(mtwr|rnlr)|xlfit|tdzay|s(byej|reln)|nvxte|qnlgr|kjjvi)|j(ltvge|v(izhr|rksu)|ufqmh|odyag|pcobl|yhvmu|m(ezra|wfmq)|gpcgw|ekbnd|jncnt|zxfzr|ayjav|bemrx|tihii|xnmdu|k(cfju|qoth)|rkkri)|c(lqbow|q(sgsu|ehic)|vqkhc|m(sazm|qpsg)|p(fvpf|xcyj)|rbwzd|thdkc|h(dhwc|icei)|a(yvfd|amsw)|nvuax|cvcjk|g(hglm|gyup)|oytsp|i(idqo|qqkl)|ewijt)|g(jqoir|w(vqbc|ymzw)|o(rkld|hprv|qobr)|srhis|zevou|y(qiuh|zsws)|npmzw|r(uucb|vhvk)|xkiev|u(zegd|iqyz)|henvp|iwnza|tribr|mxlbf|pfmjt|geggw|qmfcn|fdfqz|bkzjx)|k(q(nqmq|zsks)|gumuz|iabuu|h(ekue|pojv)|m(wfqr|hfbn)|pitbc|ctcae|d(mtor|tmnz)|j(ekqf|rvhq)|z(utvd|eqzt)|wnwwu|tjycm|vrghh|ebplh|kifqf|bqsht|atjqf|redlk)|x(nknyi|emavn|k(jqvu|rpon)|u(uatk|fytx)|thbej|dl(yhz|aph)|xrrmi|gfgkb|cdgsy|y(xbqh|jxin)|jboiw|ztdqi|sjcsl|ilwhz)|d(d(ntca|gizc)|zqtzj|c(iada|jgxa|o(amt|nam))|w(rdnt|upjw)|r(dxvl|hoza|ijhm|mfce|zwbp)|u(e(uap|lsc)|qbvk)|ijcie|ndsme|egdqq|m(pggo|cmen)|hrbqw|jhusl|spswv|y(dgtq|njmx))|a(v(juaw|rrut)|w(lxtt|ozyg)|d(lwmd|wtuh)|b(yfes|l(scu|tgf))|c(tjze|ifgb|wknq|hrhv)|y(bfsf|femx)|nvdqm|s(rdgy|dfsy|voha|lhcx)|a(omlh|pvry)|roqrr|tbllz|ockbt|qjnxy|ujxbf|hemeq|izkcu)|b(y(tfho|drzr)|urziy|k(wzdh|zvrz|umpb|klkq)|ppnnm|w(pbri|xhkj)|o(lgmw|pldm)|i(yqdi|vspu)|vnmmz|r(exjt|swcw)|cyava|gruvq|ajrox|lbrrm)|f(pxubo|lvkwp|t(isgl|myha)|y(waro|mgfn)|eq(ilt|lfa)|d(myik|plvo)|x(eksq|meiz)|wrmsc|m(xgue|wybv)|s(bmmk|zobp)|inifa|ccrjh|a(jgih|ouhq)|vfely|gjgtq|k(qptj|epfx|tkhd)|zpban|jwtwx)|n(o(cpbn|bqvq|zugq)|bqxiy|qctty|sanoz|nilwp|r(kuhf|jmuz|ahbj)|xipvs|cedjx|tpokd|h(mzpw|pkfp)|g(fdus|ogsz)|k(iduf|cmlp)|vtrzt)|r(h(tekn|qqqr)|e(fidq|ufpr|pyop|nvsh)|wdqkn|vhvbi|ssjum|ndsgh|rhwog|ieeoy|kiopu|axxix|qzwih|lgxqu|gbshk|tcqps|diknb|oyqhq)|y(crbfg|rgqpx|w(jepy|tosr)|p(gdkj|clxo)|lnqch|ohvew|t(pptn|rqgv)|mzdxu|q(kjdr|hnqf)|x(zxgx|wnwn)|n(pzdj|giil)|kinef|ykdkv|anint|j(ftej|jvkh))|p(w(ljsf|pcox)|b(ditd|blzm)|q(dlqd|xfwo)|r(kuuo|czqs|xwar)|nxidk|s(znoa|tkus)|tnjwp|favek|jneun|implz|hwpol)|i(ygzvl|q(itya|dute|uedy|ljre)|iwtmt|w(jeje|nqje)|hsuoh|j(jooj|udzy)|do(w(sj|gu)|hxr)|binyx|t(ntbe|rwxy)|xckxg|nnzpl|udxoc|l(xgkg|tnkk)|cwdhd|kadty|voslo)|v(b(ogut|gomm|iwhx)|a(wrml|hoqm)|pfsmw|n(bypm|taqm)|qw(zhm|pgh)|r(ypdm|cgas)|meldb|u(bcbe|qmyn|vssn|lzjd)|sgyeq|cdect|wjufa|yc(lvi|yop)|guuyr|ljrov|xlaal|tghkh|ovbbr|heuyj)|z(t(oviq|ihwc|pvhx)|rgmvp|matkj|x(srni|ypcc)|f(drpn|meye|zqlj|nhmu)|o(ukxq|quig)|zcbfl|njxfg|b(tccl|wtmv)|yeonc|vfjto|gymxn|k(hvdm|zoxh)|c(yuvm|htxr)|inavx|qeimk)|t(w(zzld|rhag|dnpk)|ihypt|vyfyi|ehnzc|xblbk|p(iolb|tjjc)|outpu|g(zunj|hitv)|mnhmh|yhjnl|funon|c(uwcf|cuqk)|rvwmq|qwomi|uwdzb|khdrx|lhnze|zbvfl)|e(dbfni|w(axrb|gksw)|j(ngdk|ejyz)|irbwc|h(jyia|hoxk)|ceqpp|e(faan|dyhj)|q(bexl|rbsf)|s(gxwl|iess)|bszmv|ydbbz|mtcqg|uupsm|pwcfq|kowlo|fzqkd|xfoxu|aepmh|gioil))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633067; rev:2;)
# sid 2633068 includes 791 (601 - 1200) 6 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: "/(d(w(upjw|grtr|zgpi)|m(pggo|cmen)|h(rbqw|gbyw)|jhusl|spswv|co(amt|nam)|r(zwbp|csuq)|y(dgtq|njmx|cloa|mtco|fkmt)|ixxph|lrhxg|g(lkav|diqv)|vnetz|bumen|k(yxou|jlkc)|d(wspk|bvod|cpac)|oyogi|e(xwuh|juiw)|xqrdy|zizlw|a(ymit|vrgl))|v(wjufa|y(c(lvi|yop)|dzhg)|guuyr|ljrov|x(laal|zvvt|opad)|t(g(hkh|mfy)|eqnx)|ovbbr|rcgas|u(qmyn|vssn|lzjd|noxb)|h(euyj|hfwy|qghp)|nrztj|p(tvff|glff|lzoc)|d(ikzl|tfjv)|fesgd|c(jpll|nrpx)|kwhdn|icmtc|mokdy|bimly|jplkq|vjrho|eabkr)|e(u(upsm|ldnj|bydf)|edyhj|p(wcfq|lqqt)|kowlo|f(zqkd|jqvl)|x(foxu|cfgv|wfem)|a(epmh|zzhc|oszo|bddn)|gioil|qrbsf|rtpou|honob|cnvov|i(ugbm|igct)|msqff|v(fnku|ddpm)|btbsl|yteji|niocf|dagts)|m(a(xjhy|ctjc|khop)|hbuqc|s(lkkj|bgqz|knsf|xlto|nixu)|dxkoe|zbwzr|xceuy|ghclg|yrngk|q(hxog|qghu|wodn)|n(nesx|ocuh|pvrh)|w(dwjn|ycms)|m(fplz|pmbe)|e(tqgu|xnww|zadt)|rfpor|kpwsm|jbhfp)|q(b(oibz|yyus)|r(wnur|rmdd)|pqacr|m(nkid|flha)|t(eywe|lbun)|c(snjr|wcuj)|y(vley|ryop)|n(qipx|jxok|ocwq|rfng)|jfior|gmzwp|h(yrnb|jdaw|uhmo)|aafip|q(oczf|wkok)|vcxyl|w(usil|rtub)|oavvv|lhwsc|e(iyle|fyyb)|sjbas|urerx)|c(mqpsg|aamsw|ggyup|i(idqo|qqkl|wffs)|ewijt|c(wrbf|vtiy)|vuqab|yjonv|k(wsfc|zqid)|t(lxkf|fpmg)|bsirt|pjabu|r(ektn|rhqr|zjxq)|dpbfs|zvhsj)|g(m(xlbf|rbji)|pfmjt|g(eggw|otev)|oqobr|q(mfcn|accn|zlwh)|fdfqz|bkzjx|rvhvk|u(iqyz|fjtg|bpsy|etca|vjiy)|z(tuht|qwjy|eifh|rdzy)|wfnni|sr(qsk|zir)|cgwgh|l(skeo|gqzt)|tkqtq|iwzux)|o(k(vgav|yetz)|bnmaa|s(wdle|qybp|lkdf)|j(hzoa|jzag|uggv)|w(zoyk|bpql|dbff)|o(kqow|gnbp)|u(zlpf|sgfz|fijd)|q(pnsn|xnta)|l(gbqz|cbxl|floj)|fpjhu|i(rrxu|ikmz|yevd)|n(nngh|xatx|ykmn)|zzgxu|cn(afg|mvn)|yvfzd|x(yerp|ukct)|pzrek|a(lwqc|fyws)|rymum|hhssc)|y(j(ftej|jvkh)|trqgv|q(hnqf|elaq|lvfg)|x(wnwn|nxwa)|wtosr|pclxo|h(mfsn|cuzg|puro)|r(vdzk|eyqw)|giznp|d(bwsj|tqcq)|oguwx|iznxv|kfmno|yuxrv|v(wtwt|reua))|n(k(cmlp|dgze)|g(ogsz|bpwz)|o(zugq|rfcn)|l(wqlq|tatq|ggvh|dtut)|q(zyoj|cuzs)|imfnr|jswvn|yywqa|f(ssok|gixc)|zdehf|uywfa|a(ywqf|iwxy)|m(zczn|wanb)|dkpzy|hkogb)|b(opldm|k(umpb|klkq)|lbrrm|rncan|qzedx|yqrjd|i(bkgk|odtl)|d(bupi|zlwx|gqfs|wwmz)|gjciq|tpqvr|wwfmt|mypvq|zfucl|uzbdb|hawlz)|s(m(nqjo|gngm|b(oab|drf)|xpga)|d(tcdv|kqmt|bcdh)|j(slmh|jntp)|w(q(bzh|wbu)|jhum)|pyoil|r(fabb|imax|uxue|mcys)|bvdhq|y(bjlf|egiu)|utiso|eytio|ngloh|a(gosv|jjcn|zwbn|ujqz|srrp)|q(nfjv|rsva)|tooxx|idnbr|c(dyme|wbpy|crec)|o(fwjt|qukx)|sganv|hakji)|t(khdrx|p(tjjc|bhht)|lhnze|w(dnpk|hsjk)|ccuqk|g(hitv|usoa)|z(bvfl|qfiz|meut)|oandh|dslmp|h(lxgr|mpxw)|u(jzrt|ttra)|mtrpg|ramqz|q(rjvz|pclq)|eqdpy|xxoeo|nmudu)|i(w(nqje|wiwa|akiw)|t(rwxy|eprr)|u(dxoc|fdpf)|do(wgu|hxr)|l(xgkg|tnkk)|c(wdhd|qyxo)|judzy|kadty|v(oslo|nvnx)|h(jgfe|ahmz)|nizyd|o(ewae|ntve)|yidvx|s(wuvo|dtcg)|gsmxl|anmsx|rhqgi|q(otix|yjui)|bzrlr)|w(u(pide|yrsz|qyzu|imai|ailh|vjwr)|n(vxte|yyey)|q(nlgr|ebcq)|j(rnlr|saee|wvle|ejuk)|sreln|lcpkm|kjjvi|oouty|x(cdra|szwg)|pcsov|eshzq|dkmmr|c(ovbb|wjsv)|waest|irkcm|b(wxwj|fdcg)|t(tygi|vlki)|mkozg|hqxqr)|a(u(jxbf|wyup|eedl|xvkd)|hemeq|slhcx|d(wtuh|sish|uvkb|ildc)|i(z(kcu|adp)|asln)|w(ozyg|mwyr)|r(bwas|kpcr)|o(eoth|fhfi)|gnzij|z(vfpb|gbyf)|m(nxjq|qcmq|j(sem|pwp))|aknze|v(sbqw|jctr)|y(kkid|nzdh)|qb(upu|iks)|c(ccbx|lmih)|ldcur|epwze)|f(mwybv|gjgtq|k(qptj|epfx|tkhd|nicv)|zpban|jwtwx|aouhq|f(e(ydd|lln)|vopj|oybh|aifa)|p(yqye|xinv|avqk)|n(yhap|muys)|o(armq|vtcl)|setje|ukhgk|lnwod|y(klqo|enjs)|cxwks|vjany|tnjcv)|u(tpxcz|x(bmbw|zavn)|vjfcp|h(gmgf|yjgd|hvrf)|b(brgo|zzyd)|p(hoix|lwsl)|z(ldur|wwpp)|khbwu|ojnip|wksxi|r(miip|vuim|sgzn)|cadhc|eeijj|jyrgp|qzvdg)|r(e(pyop|nvsh|dhgx)|a(xxix|aymp|qmrl)|qzwih|lg(xqu|ztu)|gbshk|tcqps|d(iknb|dbsf)|oyqhq|wwpey|ukoia|zqklw|i(ramn|jgxb)|yvnmg|vtzck|hwzlo|sxouc|jwfyu|r(gjfu|bexj)|fodsa|ctjqx|ncreh)|h(m(gewf|fpoj)|ceiab|n(tlbr|ixpe)|glyva|w(sezx|idve|npnx)|d(suvl|phsn)|l(dazb|hqbo|prnu)|y(d(qih|irf)|izzi|e(xkl|gnk)|sxmi|titt)|f(deld|ngtz)|h(bawc|gmlb)|klkvm|b(yppz|zwrk|spij)|e(afrw|hruy)|qrbft|xhkrn|plzos|ipxew|tqizw|uvkkk)|p(b(blzm|ginf)|t(njwp|cdam|umen)|favek|j(neun|iryx)|i(mplz|bdhl|xeal)|h(wpol|nelg|ipoq)|stkus|w(pcox|opeh)|q(xfwo|ltfk|umck|jjan)|rxwar|d(ecwm|zidf|jggo)|o(iswe|taoc)|c(azmk|tfhd)|kzqfx|v(xoxz|itfu)|nhnou|xmdui|mjgby|uswiq|gspmm|ahhfc)|x(d(laph|qlkh)|s(jcsl|hoij)|i(lwhz|hxpe|zpgl)|k(rpon|ykln)|m(oqik|kvwo)|t(csle|drju|pwqn|eawh)|edacu|vvndj|h(xuhk|wesh)|ocgah|j(hbqn|kynb)|n(wqfx|hyeh)|fiijl|yklud|xssvg)|l(alxkg|beent|nyrby|o(hnpu|yatw)|d(foae|zbwp|mxit|wwxx)|g(zsbt|tlvi|esxz)|h(ouzr|xtzh)|t(inof|dsuh)|jnltd|sgzdl|itulx|zsgxx|cy(ttw|shd)|qogdo)|z(chtxr|f(zqlj|nhmu|atht)|inavx|qeimk|v(xvej|gxaw)|dftde|bgbgw|gzfwj|r(zmqh|hyhv)|j(deiq|lwph)|k(ddjb|begp)|wjrkh|a(onep|fwzm)|mmtmo|yaytz|l(arpk|mdsh)|etaij|hfvlr|nivls|u(ngqn|llgs)|ovubq)|j(v(rksu|ahfa)|t(ihii|hjlj)|mwfmq|xnmdu|k(cfju|qoth|rqla)|r(kkri|vlho|flyp|ifuf|ypuu)|noino|c(dxev|ipou)|ufunn|qyflj|o(csuz|mqwn)|z(sabg|lchu)|p(dmpy|pavm)|ixxdj|h(mzvi|ztfm)|yqqsw|s(cgem|zpvi|jtas)|bslyy)|k(ebplh|kifqf|b(qsht|maae)|hpojv|a(tjqf|lrzi)|r(edlk|luhv)|slibo|u(cdge|jnwh|gblz)|ljuum|jtkzl|o(exab|zanx|dvkd)|puqia|fccpk|mykun|ckdfx|d(qsfp|gnzn|ffyy)|gopxj|nnvtw|ytelc|ivoty))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633068; rev:2;)
# sid 2633069 includes 191 (1201 - 1392) 6 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.cn)"; content:"|06|";content:"|02|cn|00|";nocase;within: 9;pcre: "/(p(t(scgk|pnaf|btkt)|wpyhs|h(ywtt|ihwz)|otzxw|u(nhno|klpq)|zazse|f(vtbc|sfgg)|yzkev|lubub|mdugb|xjzre)|b(uckhh|i(hqrg|zork|mfkf)|y(idgg|asom|fegq)|xibeo|laugn|fsxma|cbzvi|whacn)|g(pmgsi|lxktu|wysrr|iunsq|fxtqf|aedct)|o(uckrc|p(zgzp|gneb)|hvgfh|m(hzlh|xdwp)|s(skud|jmay)|lqffu|tlmjx)|h(ycprv|oguzn|k(qcst|zhxv)|sccmq|harqw|lkphk)|w(nryjm|uvlpb|yoeuh|twano)|y(j(xkus|wxdx)|nwtjs|dhtgm|f(mtzl|rpml)|vdyae|mezjd)|s(mbhth|ucskf|hjjrq|sidfn|eltpl|lwrqb)|z(rrfil|jerld|xahkz|nkupz|cuvqi)|x(totmq|onfvr|bffss|c(zemh|pjez)|ltetw|mzrvs|anuhr|jwxjw)|m(wzjek|yjzav|rvobx|daofu|vcqza|xbryz|jzwdq)|l(ycvjx|u(twbv|oacq)|mzngi|fzksb|lbtow|gosqk|nvsoh)|r(gmeso|jegng|ujwzd|dukoe|vjbtq|c(azgz|mvbc)|wgmzg|rftko)|d(rnbfx|shdqs|usxwt|lsoia|tarya|znyxg|wvjul|xneox|qlnci|vgnqv)|t(v(etgn|wltr)|gpsmz|tjuls|d(msec|gazl|lcwd)|bwocj|kfyjg|rqukb|oicac)|c(mz(prw|ojw)|zquky|n(jeoi|aquu)|xwlkd|grvuk|kpdre|ozxki)|n(dgyuw|isovg|j(boly|gjwd)|kwvtn|wcosq|uwobn)|i(zrbmp|kqjaf|mumry|nniqe|gfkhh|fqlds|aogop|ybkzn)|k(shrqh|a(wggq|mzoc)|hwcux|vdrfk)|u(fwwbc|agjvo|zxqwu|eqroj|ibndm)|q(h(zkzw|eabp)|x(ieba|ktld)|rilag|olbuo|yzweg|llxfn)|j(jsrxk|luqus|avwoa)|f(sfqvz|ctkuk|holuw|gvnfr)|a(mufmf|hjysp|ajqxl)|v(q(lzvp|zerb)|szsgc|zprtq|pngwk)|e(f(gtvx|auhm)|w(dbyb|vjae)|zqefj|rnbog))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633069; rev:2;)
# sid 2633070 includes 600 (0 - 600) 7 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: "/(p(u(ismaj|ghrni)|e(clhki|sdvwh|esycf)|a(jdhmm|mcmhe)|fffwiu|cmlqko|x(quqze|chdef|rdoib)|s(uglun|lhczy)|d(wvaaj|eifrv|jsbkh|mcgvo)|o(gqtrc|lzsey)|b(fwltj|ibnol)|r(gcejz|hgzps)|zbdvsa|iuighb|lvwyux)|d(k(kblaw|wophk)|a(zhwpw|vlmav)|z(nflju|kofrt)|gnbnjy|eahsvh|b(qyeqe|nlqhu)|mglpsf|r(ovztn|aitvi)|pntuwi|ukflch|yprifz|jyvzto|xupjvl|dligsl)|e(fenajn|b(olxlu|tmcgn|qcsry)|d(lgblf|ccqzm)|virmft|m(wxegr|threk|oigru)|gawszk|alffuc|k(rkcii|fbdeg)|hwllke|lfvwjg)|u(ldhoic|justzd|d(gzimy|zdybm)|y(gmqsa|lpzuh)|g(lalmt|odrhk)|mjidnu|a(iqsez|wmwxx)|pkfajn|q(erthl|wfbve)|vuxhtx|r(rglga|imcap)|zyjlax|uvratv|cltzqn)|t(p(kbumd|qkqff)|nfrbct|f(ievfe|whane)|zinajt|y(lrboz|wyyxl)|q(rauxu|xzpdw)|hpdjrb|jaaxav|k(lekgu|zaumi)|dkuwcc|szypsc|t(qjavd|bvhss)|i(tmqqy|upqkz)|xkuqlu)|h(dqrfbi|o(aggvh|hgizi|fheke)|w(dznil|mncrv|tygmb)|c(sakik|arjxl|klzal|ofzud)|g(joadh|fagsl|xjxsa|dlpbv)|ezyjll|apaymy|jx(knvg|fcxl)|n(esdmz|vcpkb)|bheesn|u(dzkza|lahho|wjlwr)|tkxyzc|kqyyzn|xsgwjz)|b(p(jdppq|gdtmw)|bmfvro|ibsyoe|hyfdgo|amzgpe|n(jxdbn|nbfha)|duyzmh|e(eifpm|imuua)|s(dqmgj|etton)|y(wcuie|yvmkd|idgrx)|v(oilqs|ufjpa)|cbeocx|xsmtmw|w(gmlby|xcwcx)|ofjeoe|q(vfhvj|yjchy))|s(ahjbzm|iqmhuk|jpapha|vfcmty|bmqggf|e(lyomk|igfxj|qnxpn)|rlqaih|l(nkeka|wbjrb)|kvpogu|d(vciiu|htnkm)|fwlfoa|gxykke|qzsuya|zjyafg|pcmapm|nemqok|s(rwzjd|hnzek)|umziiz)|i(o(ailvz|vekso)|q(y(fzel|iidz)|zufon|tssfo)|h(ovxai|gkqww)|l(ehydg|d(kvqb|lujr))|mlifeb|n(petsc|uytvu|qrokf)|sctxfo|kaqzch|r(dukyi|oknwv|acanm|ppsmc)|w(duocb|kxzqm)|y(zbldu|ndtrz)|comtsq|z(dtldj|svpin)|t(npqlo|mhrfm)|pooihf|astnaj)|m(ypfhaj|dxvjjh|a(payxy|kphyc)|j(fqwlv|cstit|ryjlr)|k(iopwb|utuvl)|z(mxpwe|cypzn)|eztazc|g(psvjy|bolfu)|fuqmye|s(mijsq|yogas)|beozcw|w(zlkre|lyxsc)|cjhifp|uyhtdr)|l(m(easls|sabeu)|kpbres|tmjdvx|yrfyod|hpvkei|o(nnyjm|zoaah|bgkvt)|a(cmnbt|grkir)|e(lpaqd|josjt|wocxz)|b(bkciz|gejcu)|jhtaqj|imvvft|lkcawb|fjjigr|waeddw|vbmuoh|zjdfwe|gwykwv|x(uzhhj|blkzo)|rymbcx|pcapca)|c(a(xaxdc|fbglu)|ojopun|d(bclxa|gjhna)|p(mwizb|isusi)|b(ijcfi|gufrn)|stjtpq|c(shavy|dicmb)|v(urdvs|fstix)|towdga|e(jpzrk|wisty)|xbgruf|qxhevn|zcutiy|nxyzkr)|g(s(dieje|oevzn)|mzmbdh|f(bomdl|zpfdx)|w(ivzva|aoohi)|c(okxul|azfwv|srkfz)|a(ooqjx|fovca)|tkaakd|e(ighhd|dabvz)|v(tklgm|ocbao|igpku)|gkqkoh|kbstol|utbluc|qohdjp|zreduo|lrodnm|yllqkr|rjpuqw)|j(n(odozf|wlxtx|gllno)|k(qcclz|bifxn)|olumcx|j(pebiv|yijje)|vucdyd|lpbico|i(lrgtx|fkmyi)|y(dcavq|xqkfi|fdzct|wintg)|wfvcfy|q(wyjgg|sorts)|xqvbxm|eadywp|b(igudi|fzmzm)|cygdmd|tcecjo|dhgzlz|szbxxw)|w(qlwmwq|j(ensyf|tuood|ivsvc)|lwpgmd|gtesvq|kvpgjp|umpxdj|c(eeudm|xylgc)|ydgyke|vrzsum|nxuyvv|zahedv|xcvjbk|midqpt|ojicju|hklupk|esccgb|frndsy|agfkwd|wmlntg|tkhbxg|sqwynd)|v(g(ugpua|pqala)|n(afygj|sqiiy|epvjw)|e(wbimi|zlftt|xdtva)|xgdfux|k(kdufa|wxiid|gulrd)|z(fvxgm|vjjaa|dgaqs)|uuwaya|p(fdypl|amuot)|l(oqeeb|irwcz)|ycojhh|c(v(ajch|lpub)|lnqqp|csuol)|fhpeho|v(fnhrx|lgrxj)|dpltlt|hicbee|mntkcz)|q(x(qdsou|imkvt)|lnffol|d(ofhtn|jnhgi)|vsmfnf|z(frait|gvarv)|tpnjym|ckyggm|s(oaeea|tcozn|mxqbi)|qnzdfz|u(brehx|tqfwg)|ectero|hkszit|ijbphy|yzuiiw)|o(qgcufp|stxsgm|ejxvvq|x(ocvwh|ipkkf)|banbca|i(npzms|pxlfk|sxvxp)|lepwdm|yhvcso|ddvlfu|vxdkpr|r(jbcgq|qgeoj)|m(pcnrg|zxydn|bgkmr)|tfnhdn)|a(y(azayv|xkjga|rndlj)|x(excen|ydzqk|lqggm)|g(gjcfj|yzryd)|w(rhsms|uyyra)|m(jufin|fbjot|qgorq)|kxvdsm|zzdglq|r(mjiii|bjlty)|cvinbx|f(wavwl|gercc|tnfqq)|l(ufjjv|cmsrh)|eiadzp|shsftr|vqdzen)|y(u(qntuy|rewvc|urxtl|jrzqg|pxrwi)|k(raiqb|xvavx)|i(srzfu|irpqv)|v(vaqah|tjrpj)|rwesqe|arutjy|ylsjrg|tiscqd|wwfzba|lhrfgv|zpnbxh|mgjiyq|g(ipbdl|jffuy)|qrerzp|naadej|jfoonn|ooutkb)|f(k(qxwjl|vmwdr)|vwbael|npmswv|y(kffki|odmte)|t(aqirn|fkoaz)|ayqnlq|e(tytcd|kgbvg|csidw)|wxecrd|lewwbb|izhqey|q(hchpj|ioair)|peyvbp|sjfoas|d(rhlcf|yoqme)|heriju|xauwsh|zxbjeq)|k(lldogi|dahxnf|ylgafk|x(yjmrx|kbxtg)|kjqjxx|hpdyus|m(apnuf|tbjuv)|v(qkhqp|zqusr)|zlbomf|uzldvb|bddgsu|obnpmk|rxffpa|qtheaa|nqfehe)|x(tgersw|g(vplwn|jjhno|wnaaj)|m(wnyso|rfdlj)|smzvwu|rjhkno|ixfzpe|ktlfsd|eeeute|djngyq|vavzvs|ueiqrw|loocbm|wczcuy|zwrtav|cawtpe|nhwwtp|acqwjg)|n(lgaqcc|bozzka|ynqptg|e(ysfgi|jqydp)|fkpdza|u(v(bohi|frwq)|unsqu)|ofawik|hnveje|mdlify|gwottm|i(geiqj|immmr|yxcug)|vvqyds|n(vmhfc|jocyf)|duresf|cryove|ttnzwl)|z(vxgcpo|h(vpkgk|ufhja)|jxbuif|t(vlxtc|dpzji|ybroy)|fdkklh|otrpzt|qvpent|aaspor|upyvpm|etmpqf|nirdem|zbhnkr|kiuzwm)|r(f(ylfrg|qzeke)|v(argcs|szbhr|bxjxs|hpbzl)|r(ivzwh|npvlv)|u(zbahr|vwirb)|w(hljrw|kletg|vbxqw)|gabuoa|imtnxo|mzegws|ltmoyp|tkbyqa|ordqrm|xxrors))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633070; rev:2;)
# sid 2633071 includes 865 (601 - 1200) 7 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: "/(r(fqzeke|o(rdqrm|uhcvi)|r(npvlv|pxbdz)|xxrors|vhpbzl|w(vbxqw|zkdus)|e(jkmeu|rezyk)|y(yaubl|hzxyw)|jvguop|ddijcw|hbtnyw|mampuk|l(pqhdp|qhllx)|s(areqy|nxwtl)|zyohnc|q(jzhmm|prpst)|togfcq|g(nvgbi|oucvf|vcuky))|f(qioair|p(eyvbp|ywmfx)|s(jfoas|oshbz)|d(rhlcf|yoqme)|heriju|yodmte|tfkoaz|xauwsh|e(csidw|k(tksw|ooso))|kvmwdr|z(xbjeq|vvwxb)|n(yaxdm|otgqh|gjkux)|g(pdqzg|gkajf)|l(zzuuf|lxxkj|rxzct|debht)|o(gaivo|anhyu)|wymlgl|c(voane|bgbju))|v(z(vjjaa|dgaqs|xxpwm|gptsh|llznw|uqako)|v(fnhrx|lgrxj|avhzc|pbvkv)|d(pltlt|tosqi)|hicbee|nepvjw|gpqala|c(csuol|vlpub)|k(gulrd|depom|kquxs)|e(zlftt|x(dtva|llwy))|mntkcz|l(irwcz|kbwre|ppijr|ofeok)|ighoua|s(tmdrr|xwgua|vabxk)|j(auftb|pdgko)|raisio|pabjts|uuvfom|quodux|xvtchr|wrgcly)|z(t(ybroy|xxnjh)|q(vpent|ajtej)|a(aspor|hwgrx)|u(pyvpm|exsxa|nuhlh|bdfuc)|e(tmpqf|skmoc|mczrj)|n(irdem|xgfpd)|zbhnkr|kiuzwm|v(odoxg|hjvep)|cqjntw|w(gcxqy|fxmwh)|r(qjufu|bdraf|pzxso)|s(gnmyd|jevzi)|biajjb|msbtcr|imtvyl)|b(v(oilqs|ufjpa|ierle|qlxjh|seycf)|y(yvmkd|idgrx|delsi)|cbeocx|e(imuua|ghatu)|xsmtmw|w(gmlby|xcwcx)|o(fjeoe|abqjf|uotld)|nnbfha|q(vfhvj|yjchy|zbyof|qdwpf)|s(e(tton|qjqw)|foure)|lbcslu|d(jppyb|zinhf|rijfx)|k(tkmil|ackhr)|h(fekvn|dafas)|t(kfxyk|eaecx)|uvykgq|i(pesxt|nqvje|odqqe)|rvaafa|zeyuvh)|h(c(ofzud|kfdya|gvagp)|bheesn|u(dzkza|lahho|wjlwr)|ofheke|tkxyzc|nvcpkb|w(mncrv|tygmb|fgfou)|j(xfcxl|qnzfc)|k(qyyzn|ddoff)|g(dlpbv|idfgi|hecna)|x(sgwjz|mlihv|jzfpo)|e(ygsbv|mcmdu|noynm|ubimx|gzarh)|v(hogcm|wthqm)|lolvwy|pirdpi|imndio|ywrjpr|qztbkv|ruwlyp)|g(c(azfwv|srkfz|fvdpl)|utbluc|e(dabvz|wysgu)|qohdjp|z(reduo|sqpwc)|v(igpku|eqkll|lfkug|kiywh)|l(rodnm|xmkim|zbmcr)|yllqkr|r(jpuqw|xrdms|ghako)|b(oypik|hnbsv)|whjsal|xamefr|p(qnpye|cshki|hzbbw)|tkahad|d(hdbkj|olwlv|vogbb)|hyedzz)|s(d(vciiu|htnkm)|fwlfoa|e(qnxpn|umppz)|g(xykke|cdowj)|q(zsuya|pftcg|wjbnm|jwhcl)|z(jyafg|wbtro|cekky|esytr)|p(cmapm|tpidg|kwlnu)|l(w(bjrb|qeat)|cpehx|phscd)|n(emqok|sxfmu|cwhoz)|s(rwzjd|hnzek|efopb)|umziiz|czrzlv|vxaehq|x(ioppl|vcvdu)|yuezbb|bfgwiq|iujnhy|w(wfxwi|qcjqr|lscxl|vdbjq)|tbcsoq|rxtxhs|kvatkn)|x(u(eiqrw|sqayr)|l(o(ocbm|bdpi)|iupuw|klaas)|wczcuy|zwrtav|c(awtpe|izngq)|n(hwwtp|gmlyz)|acqwjg|qpdqny|dxeqtz|mgarra|g(hrasm|mjmgt)|r(uveai|szbce)|f(sjdgl|naalb)|e(lmfci|ncbyi)|ivvzdf|jbilaa|vyrosd|htumky)|t(ywyyxl|j(aaxav|lgmow)|k(lekgu|zaumi|yyrud)|dkuwcc|s(zypsc|fwgfy)|t(qjavd|bvhss)|p(qkqff|gybpr|xfkgu)|qxzpdw|i(tmqqy|upqkz|ygfuq)|xkuqlu|fwhane|u(xmkwj|nxzwu)|m(tazbp|niorr)|rfztgi|zjlogq|w(sqrku|aajkj)|c(lfvhw|nvhat)|nmklhn|hkbhta|ghmpsa|a(pnnnf|dlemv)|oexyvl|bwqurl)|i(yndtrz|n(uytvu|qrokf|xfxdl)|ldlujr|r(acanm|ppsmc)|p(ooihf|zdves)|a(stnaj|pbozp)|q(yiidz|tssfo|gpyac|nkjsb)|o(vekso|yfzui)|w(kxzqm|dwsld|jnkxx)|tmhrfm|zsvpin|eavblo|illzni|x(ukjgc|yqeyu)|hbhzmy|jygsle|d(edpwz|yaegp)|ulgdev|maxukh|geaqjn|vvqiof|babwjh)|j(cygdmd|ifkmyi|ngllno|q(sorts|kqkyh)|tcecjo|y(wintg|kepum)|kbifxn|dhgzlz|b(fzmzm|yvknh|pheip|kdbqk)|szbxxw|xumciz|p(jgqwn|gwmkp|tkjsf)|w(ydsbd|djqnz)|z(zgfja|sybll)|gxsvlm|l(ldudc|ooaik)|f(oehxz|xxgwl)|r(rxtlm|bbhlq)|jarlmq)|q(h(kszit|qhetj)|s(tcozn|mxqbi|riift)|ijbphy|y(zuiiw|ujxpk|dgshb)|utqfwg|piulhi|xpgsgt|tblhgx|lwpnff|mahizy|aj(jonl|dbrh)|fdcoqq|orxcui|nrfhab|v(lsozq|zvchm)|kutpgy)|e(b(t(mcgn|pmkx)|qcsry|i(yrfm|eekl))|m(threk|oigru)|a(lffuc|gpbpw|hrham|qqotg)|k(rkcii|fbdeg|jvjtc)|h(wllke|ralfy)|l(fvwjg|nbumf|t(gmro|atgz))|tzkxiz|snwond|f(ssirc|twlcz)|n(wktnw|megzi)|dowqse|wvtlfr|czrtqr|qfloac|zabjyd|vkqphi|xgfmdp|o(idnww|jnyjl)|e(hvlth|bfnad)|p(czupv|yjftl)|rtrjfq|jugdji|iixppn)|d(p(n(tuwi|dxfy)|qicvx|ebxib)|r(aitvi|kvrjn)|ukflch|y(prifz|itgyw)|jyvzto|xupjvl|dligsl|s(jnlbz|audun)|g(oyxdu|uikfk)|e(cydnx|hgaso)|hfntrv|a(cvefw|ytmnr)|bpcbje|nkiwhp|meqlne|obosnn)|l(o(zoaah|bgkvt|qbbbr|lmrue)|l(kcawb|gkffu|fycee)|f(jjigr|poyuu|wbwaq)|waeddw|v(bmuoh|awhes)|z(jdfwe|ulhod)|gwykwv|x(uzhhj|blkzo|fcnhh|kmhpa)|r(ymbcx|symal|trktf|zdbdi)|pcapca|a(hetht|jorcw|ozeht)|k(mwnse|qvgcc)|y(rvfck|hsvhr|napam)|sxdnld|jzweii|qggiqh|hdtyww|tuoxij)|o(m(zxydn|bgkmr|mygyd)|t(fnhdn|v(ahew|lmpg)|yqlgj)|rqgeoj|q(ntkci|cpwmy|uhtrk|yglem|vlolv)|zlejgs|g(ltqho|bdepe)|e(agsmg|ysdlo)|c(sfrgo|ltcin)|a(ymyvf|rklkj|lzems)|bucoit|f(arqtf|lnsfd)|vscwmy|luijke|h(vdyis|uizib)|nheihj|wvaodl|dygidx|pcocjg|xexmwa|jcrlss)|u(q(erthl|wfbve)|v(uxhtx|mrrxo)|r(rglga|imcap|qvujb|epwba)|zyjlax|uvratv|y(lpzuh|dmvtj|pnsgg|wslko)|c(ltzqn|paqoa)|pwwzwq|mrsaay|bqolla|a(upupm|acyxh)|s(qrnri|stecd|kigdb)|h(znegj|pntcl)|j(xumho|exrye)|lsokxe)|y(w(wfzba|kdane)|lhrfgv|i(irpqv|pieph)|zpnbxh|m(gjiyq|tzfgy)|g(ipbdl|jffuy|nzxwm)|q(rerzp|owdgx)|v(tjrpj|rrsnd)|naadej|u(pxrwi|sdame|momnj)|j(foonn|kigqu|dihah)|o(outkb|qspfw|upirm)|p(vycpl|kxmvr|yalrw)|baoouf|caenkz|hfndzm|egyvwt|x(jjygn|nbunf))|c(x(bgruf|seboe|ozecv)|e(wisty|ifniu)|qxhevn|b(gufrn|atnbp|scfjz|phnba)|dgjhna|z(cutiy|peuij)|c(dicmb|oqkyt)|p(isusi|bntvv)|n(xyzkr|oeujv)|v(fstix|cyoww)|s(eclmn|pqidx|ztpee)|f(caldp|tnefh)|gavmzn|hfzxbi|lpunzv|rpgssq)|k(m(tbjuv|j(yakz|byfh)|ewmbp|gwstu)|v(qkhqp|zqusr)|z(lbomf|neihe)|u(zldvb|fqibm)|bddgsu|obnpmk|r(xffpa|bhwiy)|q(theaa|morgo)|n(qfehe|gzbob)|xovfnd|d(ajajx|jstbx)|a(hsvuz|uqqtv|biaib)|czguop|henbtj|jsmyly|kcltig|i(zsiha|njjzj)|s(kqtgp|mzoqd|tjpem)|fkirly)|w(c(xylgc|epnpf)|ojicju|hklupk|e(sccgb|dvxvy)|f(rndsy|hfdpf|onrbu)|a(gfkwd|yrode|qpdsf)|j(ivsvc|jzbku|ygsnq)|wmlntg|t(khbxg|uflho|mujam)|s(qwynd|gkjnz)|g(ntmnp|cqzae)|d(l(cphd|qqxs)|ecqga)|ugijzp|r(ntpej|xovtq)|m(exibg|dykao)|pvnzcc|zevvkw|qnoiju|i(xycby|kkwhu|nzhhi)|vqtpke|xzbnun|nsjnmo)|m(c(jhifp|ptbnc|xehtu|qzwla)|w(l(yxsc|huiv)|r(uzla|qsaw))|syogas|u(yhtdr|qsaaz|zsvrp)|jryjlr|gbolfu|k(utuvl|yoizq)|vbposr|ql(kfxl|mscz)|x(wduxt|swyjh)|o(evbfk|ywnxl)|y(qnngc|rncdc)|bvxvkm|rllufm|lpwttj|p(dgrej|hckzg)|eitvdl|hqlnbi)|p(d(eifrv|j(sbkh|vfef)|mcgvo|rsjtw|ugapy)|z(bdvsa|huwdq)|rhgzps|iuighb|olzsey|e(esycf|dnpre)|bibnol|lvwyux|x(rdoib|vkhdd)|kpazfc|a(vjzde|iitwk|ccvnj)|vdbpft|sbjbjm|f(nrpdu|azbdf)|pcysti|mrszdi)|a(e(iadzp|lrtvb)|mqgorq|s(hsftr|uzfcl)|lc(msrh|cjue)|xlqggm|vqdzen|f(gercc|tnfqq|rfxxt)|y(xkjga|rndlj)|gyzryd|dsbccs|u(s(enxg|xpxc)|qrbxj|rafwv)|i(jgxsm|nupzi)|tvfclc|p(kipib|fwzoe|bjtkc)|k(mvdsq|zszhh)|n(qkide|ibtph)|zcxxuu|j(jervc|vmogq|rzdmg))|n(u(vfrwq|unsqu|gaosz|mrmts)|n(vmhfc|jocyf)|duresf|i(immmr|yxcug|c(znzz|uemv))|c(ryove|gnpal)|ttnzwl|bkoubf|r(vudau|sdpjs)|frczpf|llhkpg|g(tzwwd|echjn)|kvgcua|svuedd|vohnhj|oc(asxn|knwn)|xlozno|wrfldb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633071; rev:2;)
# sid 2633072 includes 265 (1201 - 1466) 7 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.cn)"; content:"|07|";content:"|02|cn|00|";nocase;within: 10;pcre: "/(i(x(t(rpxd|oall)|qmuaa)|yricrx|moadox|qlzwsf|lhgyxy|bhzxfm)|d(lreogr|jwjzbl|bivuww|zapkmk|apqzae|fqmrgb)|p(o(ukhcw|ivvwg|ftryv)|fvfdge|nrhwkb|yrdkgx|kzyypi|mcjbko|plmwlm)|z(a(rozmg|dhvnt)|t(vpjuj|thogz)|n(efsik|zrzfu|hfcvk)|mhhojh|sfaloh|peoijm|elnszh|itmemj|vehnvk)|n(msfpoo|s(vrjnd|uvnjj)|itnwnt|h(kzdzh|olvxa)|kuxcme|lbrbcf|wlaafj)|g(g(unool|pzanz)|wpchir|cmptvz|tubkaf|y(wfsng|svoja)|n(bowhu|exwge)|rsgyka|vusvxs|mizlow|i(czbai|dwhjx))|w(lzslrk|r(namxm|yjrpy)|oplnrg|xxivtv|ncgjor|pyjzlh|cidxem|hdginm|e(ijkiy|feisi)|iqubsn|kvoocm|w(ekssk|thsyo)|jbwqhu|mrfyqp)|u(ckiwtd|mvczha|plogaw|vvbvsx|klyipm|fewctq|uqgoxl|hmvyng|ojmfda|bggbgg)|l(druajh|kdsiye|ujbgph|fugdrz|zxprlu|oxpwum|xuejeo|ridygx)|j(ckodsc|dbluea|jwlfeo|ohgkmk|tautqm|wmlawf|zxgbau|i(soumi|gfpid))|r(aerutv|p(vaxjn|tcnsz)|vsladk|njnoha|jwsrjv|cmkser|txpdqi|gbidxs|zuumnb)|o(occxvf|g(ipcwf|lhspi)|vqlxts|r(ehxgv|yuvgw|ifwyr)|skqned|zdmirq|joekcp)|s(kkanhe|afixbl|b(mqssg|ejszp)|rsbnmm|mnmndx|tcrwdt)|q(x(lluos|jtwuw)|btxjee|uufgff|g(hnope|bvpul)|mmobhc|ecadjf|iuurds|jekijl|p(ngatu|yiivm)|r(acijp|omizn))|b(vjhyif|udtmng|ivzxfs|eytjkm|a(mapka|wcdum|vnzof|tedyw)|r(qatgm|jdhle)|n(wpvzw|zkplv)|t(kdiib|agcwt)|chgpdo|oiapgp|lvpyed|mlpbsk|pkacnh|zztrgo|hebyys)|x(lsnthb|rpharx|n(htlsg|ychhh)|obvfwn|zutddb|aqcyqh|ddhkua|koxcgf)|m(w(ivhne|hnefm)|i(pxskl|qtfhx)|kjnslm|r(uvwtn|dfxth)|o(nzsez|xtidu)|y(sdast|xasxl)|e(yccgr|xbkdg)|spjicg|gcdpxz|tmkhpr)|h(voupem|r(symuo|cyftw)|zgdyaf|yekayw|sepkbc|eewsgc|lhxljk)|c(tpekly|pddfqo|rupkeh|mjhiou|kfyqou|c(bpfhy|eayuf)|awlfwv|volqpg|nlzuny)|k(hurbrb|w(p(smdz|oavz)|xaemu)|xovcct|m(arqak|uawka)|nefkti|okawrz|vpzxyd|jsscff)|t(fbihuw|gixcqj|bmasfe|xnafrb|mmripy|daheyv)|v(q(yjfmv|wnnus)|kvluvl|zuvmnh|jqvcwy|caxrdw|h(dqgkv|isqmc)|ijegnc)|y(rwamdb|slimov|wviube|pnysim|cjkcjl|qfczaq)|a(eqrlzc|pnyvag|f(tvorz|zswvr)|wvwqao|syoyef|aphbdd|xhzady)|e(w(bdzre|zxurw)|odypfa|s(knzrb|hankx))|f(ytytoy|bxaslc|vjybip|nvxfvi|demyvu|c(vuzej|dzxos)|w(twrgn|xkzoa)|fbjujx|svcsuy|iadfjt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633072; rev:2;)
# sid 2633073 includes 600 (0 - 600) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(d(mgetpyr|x(xtguww|fnbbxi|nwivoi)|y(uzcinc|fwyuwj)|hxzedxj|a(u(islxy|zwmaf)|osvezs|fzihlr)|seevvou|n(jekdee|xfyocz)|t(acnmal|mmfnnu)|c(pxfqro|lgcckr)|dbkfesl|fmrzjuu|oxsvhas|vfdjtcx)|p(m(bucpkh|lcsecq)|z(apasjt|etitkc|uqdkta)|ddfzxtw|gmrpgim|xidmaix|qunznoy|j(mggaxx|dszijs)|rxogbgs|b(xybadv|vrsgvc)|e(n(zmmdc|glcbz)|iwwlgv)|ajmotcp|lgttrmq|sdihajw|nwxtuwf|fegnhxt|vqjhddz)|o(fuvcfiw|ahimtog|hdbzhei|dwyntrw|g(mhqpvy|aqinlt)|t(jlmcyx|dussux|kqvutz|sstgmg)|iathugc|z(uaaxqw|gbxbkh)|rpohhou|mxlzsts|ubqyfvj|prgdnzs|vaewxtg|kafjojl|qoyswtg|lxjfxrj|nfqklud|xvaxjph)|a(i(mmuemd|fgctej)|u(dsroew|ftgnlo)|f(upngui|zalurf)|btwlxqc|ydbavox|v(bjukqu|kyvvbw)|e(dbxspe|vohrge)|p(eezqhw|rjsogi)|m(qbqnvi|uxuuum|ehmkfu)|h(liojtb|xmrbgl|cynhgv)|loufphl|j(cdpkzq|yybgco)|dxyhfxy|cczgwhc)|i(v(ghjuxg|vttqrp)|n(gtsaxy|qybmvi|prqaff|huvomh|wjotob)|y(qzhlwx|dqdujm|cybwev)|ztiwhgi|fglfyee|getobdp|mifkbbo|ichuwlo|uweaawi|pbxqjtw|l(paezjx|jtvchb)|ojdcflu|eqxisgy|spydjxc|rnfflmj|dxfcktl|weupfgv|qmxsjtx)|x(sdprttq|khdwdre|t(ueazmy|jsyqsm)|m(ttapnc|histgl|vxwubj)|f(nmdcnd|jfgfqs|ovzeyq)|x(tetxmw|oteymf)|earlqep|ljphjyb|zpcpocu|h(lncdtc|aoyqwe|ziieac|ctoxwy)|bdnljwb|d(jbjxfc|nzbknx)|oiciyjc|ikxwdyv|ndvtfnp|vuibltj|a(rnqxig|nbyrup))|w(w(felzbr|olfgmb|cenwfq)|jcetrkn|urygzdo|vghqkbl|i(cbjcqe|dvpvoo)|occhgga|r(acesap|sgkpxs)|mmrfiwr|k(hqmbff|vugorh)|cqgruev|p(cmbvjn|zgetkj)|htoggsn|q(ljfpcx|ziyzsy)|fdhhbjd|yvefxch|gnsaiqb|suonckk|namcejj|eaksbdp)|u(zv(nheey|dydfl)|kncjkvv|u(intokw|gtyimg|uhtsyt)|neytgoi|g(bicomg|omxnnx|hpvjfb)|aoqwtrc|qfzolyp|s(bxthxn|vxnoda)|o(ehhdtp|knqxxs)|rtgrvze|t(dtiwnq|luhzju)|d(szpflx|ptdnvb)|esztazk|vckgcij)|l(igztnjq|fclftwa|c(ruzmnj|omeexv|dfatqm)|r(yqecnk|cqflef)|qnokqvc|oawyhbv|ulqldge|bmlsjjw|nujrlol|kqceiab|dxsrges|mhdlvgn|ptzfueg|extijsb)|k(x(lucyhy|eyciqi)|gvhqygd|z(b(etzmm|shmhr)|rmwovf)|sfmmsfr|o(ivrupy|dgtjtn)|ladnquy|f(aibekt|cdpvex)|q(uxtgml|mjbrcv)|jiffwym|k(huxfts|zmowjt)|iozjvlx|ylykuhx)|j(q(vidhyk|upeebf)|y(ulznzl|gotrvf|cdtrox)|c(medvld|nvwepz)|d(pdtmkb|oweudv)|xcwqsuo|wkbhazx|zjnefrc|r(tlhiit|hnhitk)|gpbieiw|koxuexx|oatusxn|h(usbszc|omqqnl)|mzvgykb|alicbea)|v(qptlbhu|mwgjnlg|x(loifgw|wrceht|kvbedc)|novryzb|j(bpopwd|r(ailay|fowib))|r(cwpczr|nxwzaq|odeyke|docuqb)|tllgnmn|a(cwkyyf|saisyq)|gyccuqn|p(igiuzp|xzacqm)|sutiwkc|bmoekwu|i(iogfco|qggndx))|f(d(psyhvu|gxueoz)|a(qwlprx|xxwsvl)|j(asvhir|hsnhbl)|cwbyxdq|e(kbockr|vgivoz)|fhnifsb|hcumydt|imlnzpg|xxdzzto|m(y(bhxxm|hqmyx)|jpzsqk)|qfeqhgc|gejpjcq|nbyatet|kvhxpsr|zeaeqcx|rooyyud)|h(dvhknud|p(rglygo|ksuyvb|tdejhz|byhpej)|fiehwxj|yworvoj|vhgbmdd|b(junqvh|txgoia)|q(lawefp|axzitr)|j(dmrqcc|tuilmz)|c(wvfnvm|fnxyrt)|oabygnp|a(oooska|hkghrm)|mxvrakp|xdfcxfy|luxerik|ikgulqp|g(qludwl|tscigv)|wmbwoms|ssubyjv)|q(r(e(ywydd|qouxr)|fxuwtu)|s(uhnhre|jxpkaj)|h(ttnyfk|dhuadd)|z(gvyycc|uaccbn)|l(fgzeel|vxkkwc|yzdzys|zybaae)|k(azqxhc|njwjyr|xjomjs)|o(oawalq|cisbpy)|tokjpzs|pvqsllz|b(ujqrht|sfsara)|i(wbdurp|lzjwos)|f(dfxcpx|vcbtzi)|xmnkgph|autntgf|cfxtexb|ga(qljom|rcxmn)|mtpueij|vxcjheq)|m(xsfcewm|n(fjyzsd|julsmq)|f(zsghwf|rkqnex|ageecr)|zugumvr|alayffe|b(ebocqt|tjraal)|lhoniua|ulcgtwc|rjhheoj|ktyedgs|v(kqxdnx|diqumg)|qvhdxwz|d(ealdze|doxmbw)|oquzkex|ilkgwmo)|y(a(apblxo|uquhtn)|b(ttsrjy|zjhljr)|ixoawgu|s(pvepvf|gedhod)|rlxztki|liwkuyp|jlolhbd|fzzhome|z(leypgz|rsiymi)|kubrbkj|vasqlmc|cefhfqw|mezcrpz|xsipqqp)|s(wyalcdi|f(wwywhl|ukfvdm)|v(niewiv|semabr)|tagephu|pucplxb|m(paljvq|zpvklq|tdjpci)|zs(bgama|jxxxu)|qjfexox|nliwigv|dvwmjlm|gqbwyen|eyhingm|kyazwoe)|t(lqeitcz|b(uwdbbr|bpjvgk)|ptewbsb|jyajvju|iuavvhe|c(szdytx|zclsad)|d(vgojfy|dfynba)|g(mzbrfw|liyrjb)|otzurtf|qixjpoa|rwnsxbe)|e(l(feoglz|yzpsrn|roxbch)|o(dusmwm|ahiidc)|g(flajng|zyupcv)|ajyjixv|j(ftdiec|kqciao)|d(istcvd|snqvfb)|b(bxngmh|zvbqwf)|m(t(rlzew|vnots)|lindhz)|x(ivmiqa|dxeyje)|wdkvbog|y(hpdgpy|yepxyl)|sppshar|uxjmysh|q(xyzxvq|wnvnld|gvwrod)|v(wqgsqk|khdger)|ecbxqzl|zniodgg)|c(mawlmfn|t(cdtttm|rxjsks|hqylmw|qcqveu)|l(kggjln|fpwnvn)|ygktgqu|erkttjw|z(oxtwol|rphbug)|q(eorkqh|mekjoe)|n(zsnjkc|xexalc|pitkyk)|o(tbtfwu|ezkgpv)|syatnez|r(kuadzg|afmctv)|kgsnrfl|xqxojzn)|n(r(hunpdq|jsiqfj)|p(plgfpn|olfvfz|lgbfol)|f(fsewoq|druitp|btbpiy|j(iopxs|casbr)|pmleaq)|n(nyopdy|fchruo)|v(rtrjmj|yhrdaf)|i(qhzcqe|yqfyvz)|j(ihfcvg|ngkgmu)|mxgohns|e(ucuxzy|xaadna)|o(fmdayk|nfkueu)|wizdkiy|gxeqors)|b(yjhfxzp|x(hzzorv|ywulsh)|lqccmxk|gphbfbt|q(vkddgj|efthxn)|e(ydpdtm|xxcumj)|nzptaqa|zytiohp|m(cbsywf|tjoqkd)|u(fabctv|oiqrnp)|v(doulqy|pvqkzj)|f(wvpgln|vnggap)|sgxpskd|wpthejr|pqwqtcj|reijbip|twktebh|kvppmby)|g(ekvojca|l(pwjfjw|zxpmuv)|d(aqcfld|bmcdfj)|h(hwebop|fmljit)|n(knkwme|evkdwk)|s(sexhyo|khadnx)|kwfrlsx|v(bmnzjd|okpnif)|p(kbjnio|nmbluu)|ucrvxog|gtuavzk|tdnpqib|yjyvgep|ropthyw)|z(d(imjrck|fcrcgh|prqgjo)|a(syfjqw|gmrlxf|kyclpk)|wmlovmt|c(zeirxt|ceknlz|nypwxi)|hhfuqiz|toqjgvq|oegccqz|jnefqyx|ndkdmwm|rjtdwdr|eizlmnv|z(femcgp|ywhwmc)|fqroozr|sauggpl|umtuwaq|bbdaijh|ldbaitm)|r(pmtslck|x(czbmld|wejrpb)|anhtasi|o(dgmsdh|nqttrp)|vyyiihn|e(tljdzx|cxkhdg)|lusullf|ceujggy|u(kczmad|yuixrz)|b(aonhma|neidas)|ivtkrqy|ggofdke|kgqogrt|naiihvz|spqetbz))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633073; rev:2;)
# sid 2633074 includes 1200 (601 - 1200) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(d(m(getpyr|kqedir)|x(xtguww|fnbbxi|n(wivoi|zqgyp))|y(uzcinc|fwyuwj)|h(xzedxj|mfjper|gmyscd)|a(u(islxy|zwmaf)|osvezs|fzihlr|espfsz|rcgwlv)|s(eevvou|xvfijk)|n(jekdee|xfyocz|cccldx|nogckb)|t(acnmal|mmfnnu)|c(p(xfqro|ndqlg)|lgcckr|xuhcpe|uqfirf)|dbkfesl|fmrzjuu|oxsvhas|v(fdjtcx|ljnkcc|hldbgp)|uicabca|q(zhtwvb|aljllo)|inlfbhk|e(bstojl|tpqnoc)|zsspovc|wsoiixt|rikkevy)|p(m(bucpkh|lcsecq|odpsnn)|z(apasjt|etitkc|uqdkta|qzgzni)|d(dfzxtw|mywiyt)|gmrpgim|x(idmaix|lcouzu|uhawpc|kzwotq)|q(unznoy|qbeiai|cpiciu)|j(mggaxx|dszijs)|rxogbgs|b(xybadv|vrsgvc|bxidvf)|e(n(zmmdc|glcbz)|iwwlgv|butyve)|ajmotcp|lgttrmq|s(dihajw|scszrd)|nwxtuwf|fegnhxt|vqjhddz|p(fhygwe|prudht)|o(jhbuws|twtujb|wraacq)|csrijcs|waiqebw|uekplna)|o(f(uvcfiw|tzivzs)|a(himtog|vjbogq|xawhmc)|hdbzhei|dwyntrw|g(mhqpvy|aqinlt)|t(jlmcyx|dussux|kqvutz|sstgmg)|i(athugc|yklofb)|z(uaaxqw|gbxbkh|yfcxlp)|r(pohhou|nxechy|isshbi|fkxwmr)|m(xlzsts|eofvby|hrajjq|gzhckz)|u(bqyfvj|zvcplr|dreswu)|p(rgdnzs|dhusrg|spsjdt)|v(aewxtg|vccftt)|kafjojl|q(oyswtg|nwscir)|lxjfxrj|nfqklud|x(vaxjph|untjem)|c(tmrdmd|jjmjcm)|wmbzknp|ouranio)|a(i(mmuemd|fgctej|yfiiwr)|u(dsroew|ftgnlo)|f(upngui|zalurf|pauiiz)|b(twlxqc|aqdjks)|y(dbavox|jpsgvr|vstnwz)|v(bjukqu|kyvvbw)|e(dbxspe|vohrge|qnoycc)|p(eezqhw|rjsogi|lxzgif)|m(qbqnvi|uxuuum|ehmkfu|axntil|dvehdb)|h(liojtb|xmrbgl|cynhgv|zkdaah|ugwmaz)|l(oufphl|anncxq)|j(cdpkzq|yybgco|fldyuo)|d(xyhfxy|iqbmhc)|cczgwhc|k(hlcrif|sbotxx)|obsamla|w(ylodrj|vxsyux)|t(tudgig|ofkcxu)|aqzhkps|nxgixxv|qorvcfg)|i(v(g(hjuxg|ctiat)|vttqrp)|n(gtsaxy|qybmvi|prqaff|huvomh|wjotob)|y(qzhlwx|dqdujm|cybwev|rheokr)|ztiwhgi|f(glfyee|pwpjvs)|getobdp|mifkbbo|ichuwlo|u(weaawi|joavyb)|p(bxqjtw|kcqpis)|l(paezjx|jtvchb)|o(jdcflu|ltfgzi|mcoyas)|e(qxisgy|bsurhf|eebehz)|spydjxc|rnfflmj|dxfcktl|w(eupfgv|gtoykm)|qmxsjtx|k(sstvul|traijb)|aopwffb|t(ctlics|riqnhs)|b(jgkqwm|uspthj)|j(mtqdhu|stlftx))|x(sdprttq|k(hdwdre|tjlynf|jzyzop)|t(ueazmy|jsyqsm|cztopt)|m(ttapnc|histgl|vxwubj|gcbjed|yrncyf|llndae|qvvfhk)|f(nmdcnd|j(fgfqs|yeeco)|ovzeyq|gllgsz|qhwxdi)|x(tetxmw|oteymf)|e(arlqep|pfjzwc)|l(jphjyb|wfwsaj)|zpcpocu|h(lncdtc|aoyqwe|ziieac|ctoxwy)|bdnljwb|d(jbjxfc|nzbknx|uipqtt)|o(iciyjc|honoon|arioib)|ikxwdyv|n(dvtfnp|sodesm)|vuibltj|a(rnqxig|nbyrup|xgkenf)|rvpfdim|q(lwgjhf|dvmavs)|ugqdfyi|w(qqcncq|xsxwls)|g(eflxmn|lpmddq)|ykhzbhr)|w(w(felzbr|olfgmb|cenwfq|laoxtk)|j(cetrkn|zhzhdz)|u(rygzdo|vsndtj|ohafhy)|vghqkbl|i(cbjcqe|dvpvoo|gkkpbz|oyzkak|izrvhq)|o(cchgga|ygecqy|amvhby|lmtgqz)|r(acesap|sgkpxs|dbxtbc|ecujjv)|mmrfiwr|k(hqmbff|vugorh|zpznaj)|c(qgruev|lcusdc)|p(cmbvjn|z(getkj|zhiiu)|gbzrtt)|h(toggsn|bmawhm)|q(ljfpcx|ziyzsy|xftojw)|fdhhbjd|y(vefxch|hdtiaf|dmdgpx)|g(nsaiqb|pfsbbt|qopppb)|s(uonckk|oogetw|tpljqg)|n(amcejj|oraoep)|e(aksbdp|luamak|euexzh|zznznn)|aytjzjw|bwsoujj)|u(zv(nheey|dydfl)|kncjkvv|u(intokw|gtyimg|uhtsyt)|n(eytgoi|confps)|g(bicomg|omxnnx|hpvjfb)|a(oqwtrc|bunivo)|q(fzolyp|ponlvv)|s(bxthxn|vxnoda)|o(ehhdtp|knqxxs|n(ivlbm|zndbq))|r(tgrvze|afehcp)|t(dtiwnq|luhzju|rrzdbh)|d(szpflx|ptdnvb|lpiimb)|e(sztazk|qzyixq)|v(ckgcij|jdjbwl|tbukht)|fulgzjb|i(iylsta|jkldao)|mmshtwr|luljjjs|j(xeztgb|zuxsbf)|xlqmezp|wngymjj|hpbnqlc)|l(igztnjq|f(clftwa|yehmmq)|c(ruzmnj|omeexv|d(fatqm|zivxk)|zdrczm|srjgru)|r(yqecnk|cqflef|ozhoru|rfeazw)|qnokqvc|o(awyhbv|wvucnn|nptsrn)|ulqldge|b(mlsjjw|juztui)|n(ujrlol|efklad|mzcbrk)|kqceiab|dxsrges|mhdlvgn|p(tzfueg|inhoae)|extijsb|znkzaot|y(cgxlnv|vafhco)|ssulgcm|t(ulqkmk|gdjtnj)|a(peiccg|dholfq)|h(hpmikq|dugbdv)|g(atraje|pcpzux|rhkzke)|xtizcif)|k(x(lucyhy|eyciqi|nvgsmo|avzslw)|g(vhqygd|njzjar|fhiyvz)|z(b(etzmm|shmhr)|rmwovf|zernao|xdxuua)|s(fmmsfr|jrsqqo|ohutki)|o(ivrupy|dgtjtn|eeywrd|jgcdyw)|ladnquy|f(aibekt|cdpvex)|q(uxtgml|mjbrcv|aiwdxm)|j(iffwym|mrojuu)|k(huxfts|zmowjt)|i(ozjvlx|yanjwd)|y(lykuhx|muzqkr)|hqlgipy|paixqeq|w(wwqaxt|gveowq)|bbquvqt|ujkriln|nwhoivn|coamvlb|d(lengzy|tcdfym))|j(q(vidhyk|upeebf|jlmxon|pcfqnj|dcrkmy)|y(ulznzl|gotrvf|cdtrox)|c(medvld|nvwepz)|d(pdtmkb|oweudv|rmejyz)|x(cwqsuo|xkodoy|bxjpxu|urdtzx)|w(kbhazx|mwgryr|zbuixl)|zjnefrc|r(tlhiit|hnhitk)|gpbieiw|k(oxuexx|yjtugw|rpkwmo)|oatusxn|h(usbszc|omqqnl|ahkyes|bgnuor)|m(zvgykb|ijmijd)|a(licbea|itzdar)|t(gjibyi|cgiwfb)|nhmfbnv|utiihrj|ijfseeu)|v(q(ptlbhu|tukpuf)|mwgjnlg|x(loifgw|wrceht|kvbedc|cyglks|vtklfi)|n(ovryzb|hcgstv)|j(bpopwd|r(ailay|f(owib|wfeb)))|r(cwpczr|nxwzaq|odeyke|docuqb|ujytmt)|t(llgnmn|cmelyx)|a(cwkyyf|saisyq|wqtzsl)|g(y(ccuqn|zlrfm)|kejpqr|dfvogh)|p(igiuzp|xzacqm|plvcuh)|sutiwkc|bmoekwu|i(iogfco|qggndx)|z(aodbap|oqpjzw|fkhwde)|fvtvkep|hq(znxkx|blovk)|vjglulj|wqdegod|uumfxid|c(ywrndd|dxnfkw|rqcxtf)|dgofybp|lkhsahn|otqrkic)|f(d(psyhvu|gxueoz|wjeffs)|a(qwlprx|xxwsvl|nhbjzg)|j(asvhir|hsnhbl|usnlpq|kmgwdy|llhpty)|cwbyxdq|e(kbockr|vgivoz|pxqkfo)|fhnifsb|h(cumydt|jynlcq)|imlnzpg|xxdzzto|m(y(bhxxm|hqmyx)|jpzsqk)|qfeqhgc|g(ejpjcq|bqdibu|diupvv|mutzwl)|n(byatet|ouijoi|hrufhu)|k(vhxpsr|weuoxd|lbtung)|zeaeqcx|r(ooyyud|ytlegz)|b(dodxjm|wadpmv)|lnrzruu|uvdguzp|okkufif|wlzjays)|h(d(vhknud|hrakwv)|p(r(glygo|aoqpb)|ksuyvb|tdejhz|byhpej)|f(iehwxj|vqlfiv)|y(worvoj|qwdxsz|tkgpdf)|v(hgbmdd|mtttai)|b(junqvh|txgoia)|q(lawefp|axzitr|mpzzrs)|j(dmrqcc|tuilmz)|c(wvfnvm|fnxyrt|xmgqut)|oabygnp|a(oooska|h(kghrm|ngvqe)|ncfgic|vwnnde|dxmdxq)|mxvrakp|xdfcxfy|luxerik|ikgulqp|g(qludwl|tscigv|oliqrp|xuntua)|w(mbwoms|yfdvjj|sslhxt)|ssubyjv|e(afuhfg|deuuko|zmeimj)|t(zikemf|jkzkmg|dgytkr)|kuxhphf|hcxcqhw|zcuhlcq)|q(r(e(ywydd|qouxr)|fxuwtu|weyxte|hrmtcw)|s(uhnhre|jxpkaj|xolbia)|h(ttnyfk|d(huadd|ildeo)|jxufkm)|z(gvyycc|uaccbn)|l(fgzeel|vxkkwc|yzdzys|zybaae)|k(azqxhc|njwjyr|xjomjs|hzqstr|fpjyvg)|o(oawalq|cisbpy)|t(okjpzs|rkwpkl|mndeij)|pvqsllz|b(ujqrht|sfsara|xmrfbd)|i(wbdurp|lzjwos)|f(dfxcpx|vcbtzi)|x(mnkgph|unwpju|dqownd)|a(utntgf|ymlhjg)|c(fxtexb|jfpwki|zfljqr)|ga(qljom|rcxmn)|mtpueij|v(xcjheq|uakvdb)|j(hjdhlz|snxqdi)|d(conzar|kcflof)|eatwxvz|uqbzykv|njqirxt|wvicwtr)|m(x(sfcewm|kfcssh)|n(fjyzsd|julsmq|vpqwwv|ugclym)|f(zsghwf|rkqnex|ageecr|lytxzp)|z(ugumvr|cluwgf|yycmmy)|alayffe|b(ebocqt|tjraal|bqmiqv)|lhoniua|u(lcgtwc|jvbaqi|gvtoqv)|r(jhheoj|vqqusw)|ktyedgs|v(kqxdnx|diqumg|wffygc)|q(vhdxwz|jlxmdy|hmkxza)|d(ealdze|d(oxmbw|tvigt))|oquzkex|i(lkgwmo|feqasr|yejyjv)|s(jmhmnw|qkrrbl)|y(vveevq|kbnztd)|h(aqpdit|urfmrl)|c(cysvlc|pcewlj|bcalew)|g(fxxuqc|cxskqt)|m(gojmtw|eadelh|xazyte)|pncnxts)|y(a(apblxo|uquhtn)|b(ttsrjy|zjhljr|svjtoi|vqtvlk)|ixoawgu|s(pvepvf|gedhod)|rlxztki|l(iwkuyp|ddpeal|frajsj)|j(lolhbd|ywnjxa)|fzzhome|z(leypgz|rsiymi)|kubrbkj|v(asqlmc|jiungb)|cefhfqw|mezcrpz|xsipqqp|wdrwurh|plxdtbp|upxazps|gbynblj|o(ocyfmw|fvmnwc)|hqxmyho|ejxqfha|q(fugrea|udkxvj)|t(buupwh|ylhtiy)|d(lvkduy|bnpsit)|nnnbxbc)|s(wyalcdi|f(wwywhl|ukfvdm)|v(niewiv|semabr|orxhkm)|tagephu|p(ucplxb|ljppko)|m(paljvq|zpvklq|t(djpci|kxnry)|nnanvw|xsbjye)|zs(bgama|jxxxu)|q(jfexox|d(rchnw|zjgjp))|nliwigv|dvwmjlm|g(q(bwyen|dorpk)|gzycrv)|eyhingm|kyazwoe|j(ccjjeu|xmdyxq|vvbfad)|c(ibwprd|vprdwh)|bjclmsw|yzvpzrh|aldgfiy|hfiizhm|skxuabf)|t(l(q(eitcz|gbdzh)|knvhtg)|b(uwdbbr|b(pjvgk|asrwh)|fdjhwm)|ptewbsb|jyajvju|iuavvhe|c(szdytx|zclsad)|d(vgojfy|dfynba)|g(mzbrfw|liyrjb)|o(tzurtf|x(xfadd|bqzcn))|qixjpoa|r(wnsxbe|nxicif)|eynbgcq|xlzmyij|k(soltkf|qrwdwg)|ammmvbp|y(wkxfte|qgkkso)|mmmmgmg)|e(l(feoglz|yzpsrn|roxbch|lcdedi)|o(dusmwm|ahiidc|xekdpe|zdtcpq)|g(flajng|zyupcv|woeqdd)|a(jyjixv|xjxgxk|hbcqya)|j(ftdiec|kqciao|phigat|wxzebo)|d(istcvd|snqvfb)|b(bxngmh|zvbqwf|ntcgpr|ybskli)|m(t(rlzew|vnots)|lindhz|prngry|bwysey)|x(ivmiqa|dxeyje|kebigz)|w(dkvbog|svtatq)|y(hpdgpy|yepxyl)|s(ppshar|wmmntu)|uxjmysh|q(xyzxvq|wnvnld|gvwrod|aevbis)|v(wqgsqk|khdger)|ecbxqzl|z(niodgg|keeuqn|wssyhx|jzysbb)|hucscuv|cpsmjco|pwdaeht|f(mujwju|lcewpc))|c(m(awlmfn|rpqafu|jhtgco)|t(cdtttm|rxjsks|hqylmw|qcqveu|iiiior)|l(kggjln|fpwnvn)|ygktgqu|erkttjw|z(oxtwol|rphbug|xbszpe)|q(eorkqh|mekjoe|avymuz)|n(zsnjkc|xexalc|pitkyk)|o(tbtfwu|ezkgpv|mwhmdt)|syatnez|r(k(uadzg|njjsq)|afmctv)|k(gsnrfl|cqrrpx|hoapfc)|xqxojzn|f(aawsys|dvvspq)|v(lbcvjp|iuaxyv|tzsmyt|jreusq)|dlixnlg|p(kqlibo|sjzufe|bhmecu|vzbvbu)|j(johueb|qhvyyt)|cnqiknv|uvtdygj|bhftulr|wgsdjtk|izspkdy)|n(r(hunpdq|jsiqfj|nsgmhf)|p(plgfpn|olfvfz|lgbfol)|f(fsewoq|druitp|btbpiy|j(iopxs|casbr)|pmleaq)|n(nyopdy|fchruo|xtctzk)|v(rtrjmj|yhrdaf|acslxg|szbhst)|i(qhzcqe|yqfyvz)|j(ihfcvg|ngkgmu)|m(xgohns|raefka)|e(ucuxzy|xaadna)|o(fmdayk|nfkueu)|wizdkiy|gxeqors|x(myendd|smabcw|vsxdkd)|l(csksxb|rysoqe|klryrh)|ywbbxzg|s(jntpvj|swxruk)|zozfrxy|qrwyevy|cpylehq|tohmeax|hpytflz|ufdmtwx|a(zvfuhy|ilgyba))|b(y(jhfxzp|rzvtym|y(adqqm|rfzks))|x(hzzorv|ywulsh|fapqcx|wrvbsv)|lqccmxk|gphbfbt|q(vkddgj|efthxn|ygwicu)|e(ydpdtm|xxcumj)|n(zptaqa|chhrzm)|z(ytiohp|uvyrnd)|m(cbsywf|tjoqkd|kzbeky|mcwhar)|u(fabctv|oiqrnp)|v(doulqy|pvqkzj)|f(wvpgln|vnggap|q(ewbgh|wkxts))|sgxpskd|w(pthejr|uihkuu|lrlhlg|mlaget)|p(qwqtcj|eqzsnr)|reijbip|t(wktebh|mxtpjo)|k(vppmby|cyxqfw|lwosph|xposnh|gyarom)|dmzgpup|h(sugjpe|zekanx)|iipeosc)|g(e(kvojca|pzxfqj)|l(pwjfjw|zxpmuv)|d(aqcfld|bmcdfj)|h(hwebop|fmljit|kvvbeo)|n(knkwme|evkdwk|omeyzb)|s(s(exhyo|qpkid)|khadnx|pgdhog)|k(wfrlsx|dqylzi)|v(bmnzjd|okpnif|jikowf)|p(kbjnio|nmbluu|zztvit)|u(crvxog|nntcmj)|gt(uavzk|gcukv)|tdnpqib|y(jyvgep|dhtvge|kdlyid)|r(opthyw|ewmoyw|lvswij)|zxthmlz|ffgcnji|x(xcszve|pkotmx)|wvrvfig|bshgifz|qakykow|a(dlzeyl|cbdlej))|z(d(imjrck|fcrcgh|prqgjo|nbgfqk)|a(syfjqw|gmrlxf|kyclpk|zyydjw)|wmlovmt|c(zeirxt|ceknlz|nypwxi)|h(hfuqiz|qmrwyf)|toqjgvq|o(egccqz|fjhrvt)|jnefqyx|n(dkdmwm|kfnwxk)|rjtdwdr|eizlmnv|z(femcgp|ywhwmc|oxokzm|etwdns)|f(qroozr|vcrcjv)|sauggpl|u(mtuwaq|npeacp)|bbdaijh|l(d(baitm|kyafu)|vnvwje)|yehbdbh|v(asvstq|dothhw)|xducwxz|p(bvaeaa|hfzqis)|mqwzleg|k(cfdhah|eimlvo|yrhbqm))|r(p(mtslck|efyczc|biqzve)|x(czbmld|wejrpb|hknusr)|anhtasi|o(dgmsdh|nqttrp)|v(yyiihn|esfcxm|oimqcd)|e(tljdzx|cxkhdg)|lusullf|c(eujggy|fdliog|dfgnrc)|u(kczmad|yuixrz|adwaen|jjpoya|zpzfgp)|b(aonhma|neidas|wnzbmg)|ivtkrqy|ggofdke|kgqogrt|n(aiihvz|ksrsvn|lhzkfu)|spqetbz|z(fbebes|thrllu)|javlutq|r(hughaa|egkoiu)|mvltmut|tdvvvgi|qavcmfr))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633074; rev:2;)
# sid 2633075 includes 1665 (1201 - 1800) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(x(m(histgl|vxwubj|gcbjed|yrncyf|llndae|qvvfhk|wlgpnz)|e(a(rlqep|munuu)|pfjzwc|r(uqvog|oygnm)|icjmek)|l(jphjyb|w(fwsaj|zsmbh)|ukmvuu)|zpcpocu|h(lncdtc|aoyqwe|ziieac|ctoxwy)|b(dnljwb|qugvhx|bxnvxh)|f(j(fgfqs|yeeco)|ovzeyq|g(llgsz|jkbxv)|qhwxdi)|d(jbjxfc|nzbknx|uipqtt|ihjups|emtfqz)|o(iciyjc|honoon|arioib|ecpucb)|ikxwdyv|n(dvtfnp|sodesm)|t(jsyqsm|cztopt|visbod)|vuibltj|x(oteymf|hfulkw)|a(rnqxig|nbyrup|xgkenf|avkwym)|rvpfdim|q(lwgjhf|dvmavs)|ugqdfyi|w(qqcncq|xsxwls)|k(tjlynf|jzyzop)|g(eflxmn|lpmddq|gorldk|oobzhe)|y(k(hzbhr|tmjhf)|ijuyss)|c(evlbpy|uahbxf|nysuov)|s(xrxabi|pcwvxa)|jiusxai|plwwfnr)|w(o(cchgga|ygecqy|amvhby|lmtgqz)|r(acesap|sgkpxs|dbxtbc|ecujjv)|m(mrfiwr|spvhch)|k(hqmbff|vugorh|zpznaj|psgvqn|cbdspl)|c(qgruev|lcusdc)|p(cmbvjn|z(getkj|zhiiu)|gbzrtt|yllvth)|h(toggsn|bmawhm)|q(ljfpcx|ziyzsy|xftojw)|f(dhhbjd|ncmssg)|y(vefxch|hdtiaf|dmdgpx|uqjvqk)|g(nsaiqb|pfsbbt|qopppb)|w(o(lfgmb|gshhv)|cenwfq|laoxtk)|s(uonckk|oogetw|tpljqg)|n(amcejj|oraoep|mkwtnh)|e(aksbdp|luamak|e(uexzh|wugru)|zznznn)|i(dvpvoo|gkkpbz|oyzkak|izrvhq)|aytjzjw|j(zhzhdz|czmywj)|u(vsndtj|ohafhy|hfnyra)|b(wsoujj|ojyjxi)|z(paarcr|bygrlc)|l(tqaavq|jskata)|x(imqimj|bjlgdd))|b(x(hzzorv|ywulsh|fapqcx|wrvbsv)|lqccmxk|g(phbfbt|eljumu)|q(vkddgj|efthxn|y(gwicu|ffpbn))|e(ydpdtm|xxcumj)|n(zptaqa|chhrzm|pvipcs)|z(ytiohp|uvyrnd)|m(cbsywf|tjoqkd|kzbeky|mcwhar)|u(fabctv|oiqrnp)|v(doulqy|pvqkzj|xtkcvf)|f(wvpgln|vnggap|q(ewbgh|wkxts))|s(gxpskd|cvphmr)|w(pthejr|uihkuu|lrlhlg|mlaget|ycqsld)|p(q(wqtcj|byffh)|eqzsnr|bgpzul)|r(eijbip|zctfcv)|t(wktebh|mxtpjo)|k(vppmby|cyxqfw|lwosph|xposnh|gyarom|sxalas)|d(mzgpup|bpjukl)|h(sugjpe|zekanx|ilyxyr)|iipeosc|y(rzvtym|y(adqqm|rfzks)|zydxgu)|onzmupf|a(xrqlpm|htbnkh)|c(auwzms|emvoyn)|bezipyz)|q(i(wbdurp|l(zjwos|tmipi)|foziwp|qoonua)|k(njwjyr|xjomjs|hzqstr|fpjyvg)|s(jxpkaj|xolbia)|ocisbpy|f(dfxcpx|vcbtzi|mcvimq)|x(mnkgph|unwpju|dqownd)|a(utntgf|ymlhjg|opcbxb)|c(fxtexb|jfpwki|zfljqr)|b(sfsara|xmrfbd|fozygm)|g(a(qljom|rcxmn)|hqamwa|txjbbo|gkibkw)|m(tpueij|qkfquv)|r(fxuwtu|weyxte|hrmtcw)|z(uaccbn|fcypmf)|l(yzdzys|zybaae|pwryfw)|v(xcjheq|u(akvdb|qofsd)|dzfaho)|j(hjdhlz|snxqdi)|t(rkwpkl|mndeij|dpwbqe)|d(conzar|kcflof|linqkj)|e(atwxvz|nuyspz|bgsmtb|zlgrou)|uqbzykv|h(dildeo|jxufkm)|n(jqirxt|qjnoiu)|w(vicwtr|mjfyiq)|qlzbxdn)|i(n(prqaff|huvomh|wjotob|yqlxru)|f(glfyee|pwpjvs|ccxeef)|getobdp|m(ifkbbo|rebzhj)|i(chuwlo|pmmuoq)|u(weaawi|joavyb|a(gaeea|doucu)|siczmx|znruwg)|p(bxqjtw|kcqpis|dwfjcg)|v(vttqrp|gctiat)|l(paezjx|jtvchb)|o(jdcflu|ltfgzi|mcoyas|bccyqz)|e(qxisgy|bsurhf|eebehz)|s(pydjxc|qzsfaz|ykxqfu)|r(nfflmj|juclfc|upbnfl)|d(xfcktl|tgbwsj|nyefcd)|w(eupfgv|gtoykm|nuxess)|qmxsjtx|y(cybwev|rheokr|yayjsc)|k(sstvul|traijb)|a(opwffb|hifxoo)|t(ctlics|riqnhs)|b(jgkqwm|uspthj)|j(mtqdhu|stlftx)|z(zkymij|uceeno)|czxjalk)|c(e(rkttjw|qsbpua)|z(oxtwol|rphbug|xbszpe|pjliey)|q(eorkqh|mekjoe|avymuz)|n(zsnjkc|xexalc|pitkyk)|o(tbtfwu|e(zkgpv|bfhji)|mwhmdt)|syatnez|r(k(uadzg|njjsq)|afmctv|yynila|toaxmm)|l(fpwnvn|gyzawp)|k(gsnrfl|cqrrpx|hoapfc)|t(qcqveu|iiiior)|x(qxojzn|ocaofz|vohctc|biqnpp)|f(aawsys|dvvspq)|v(lbcvjp|iuaxyv|tzsmyt|jreusq|dvixng)|d(lixnlg|eutnnc)|p(kqlibo|sjzufe|bhmecu|vzbvbu|wnlvyh)|j(johueb|qhvyyt)|m(rpqafu|jhtgco)|c(nqiknv|dcsjgw|qwlrvb)|u(vtdygj|jyrcqa|kvjbun)|bhftulr|wgsdjtk|izspkdy|ategwit|ycohcop|grsmziy)|p(x(idmaix|lcouzu|uhawpc|kzwotq)|z(uqdkta|qzgzni|syrgab|vahavi)|m(lcsecq|odpsnn)|q(unznoy|qbeiai|cpiciu)|j(mggaxx|dszijs|uftgws|ejmuqu)|r(xogbgs|ebgjqn|juvzpe|ceynap|lqnlqn)|b(xybadv|vrsgvc|bxidvf)|e(n(zmmdc|glcbz)|iwwlgv|butyve|aypbsq|gvxnpp)|ajmotcp|l(gttrmq|xsbrky|ochsbe)|s(dihajw|scszrd|wnlfum)|n(wxtuwf|dtdker)|f(egnhxt|qihkct)|vqjhddz|p(fhygwe|prudht|voaifg|wjflun)|o(jhbuws|twtujb|wraacq|usjtvx)|c(srijcs|wtiaiw)|dmywiyt|w(aiqebw|umuoqa)|uekplna|y(rtdziw|nzuijc)|tjzxcwg|gupikjt|iwmdhtz|h(hpdqph|jwiqwe)|kwtxybn)|m(z(ugumvr|cluwgf|yycmmy)|alayffe|b(ebocqt|tjraal|bqmiqv|sawlnp)|lhoniua|u(lcgtwc|jvbaqi|gvtoqv)|r(jhheoj|vqqusw|ykgkhn)|n(julsmq|vpqwwv|ugclym)|ktyedgs|v(kqxdnx|diqumg|wffygc|ocqtcn|ruchbn|undenw|tkctzf)|q(v(hdxwz|kpoyb)|jlxmdy|hmkxza|ifujry)|d(ealdze|d(oxmbw|tvigt))|f(rkqnex|ageecr|lytxzp)|oquzkex|i(lkgwmo|feqasr|yejyjv|zmtdcs)|s(jmhmnw|qkrrbl)|y(vveevq|kbnztd|crmphb)|h(aqpdit|urfmrl)|c(c(ysvlc|niskk)|pcewlj|bcalew)|g(fxxuqc|cxskqt|wleflf|vrgkmz)|m(gojmtw|eadelh|xazyte)|x(kfcssh|y(mgdqc|gdkqg)|nmvdfe)|pncnxts|w(ziikqe|vyukdo)|trpcrju|j(jfqscf|bsfejo)|exhsvgr)|l(r(yqecnk|cqflef|ozhoru|rfeazw|dxzrkb)|q(nokqvc|bkhybw|acxgic)|o(awyhbv|wvucnn|nptsrn|yeepei)|c(omeexv|d(fatqm|zivxk)|zdrczm|srjgru)|u(lqldge|tkopkx)|b(ml(sjjw|xvwm)|juztui|trjrwl)|n(ujrlol|efklad|mzcbrk|fnmyre|kextld|xqatyb|blcmtd|ntrppw)|k(qceiab|gctlka)|dxsrges|mhdlvgn|p(tzfueg|inhoae|akgaph|dvbcnm)|e(xtijsb|ilbiao)|znkzaot|y(cgxlnv|vafhco|nppnel)|f(yehmmq|fjzxri)|ssulgcm|t(ulqkmk|gdjtnj|bnatvp|coqgmq)|a(peiccg|dholfq)|h(hpmikq|dugbdv)|g(atraje|pcpzux|rhkzke|yqoyif)|xt(izcif|kamnv)|j(m(jswdl|cgacj|btvou)|xjqxfl|nplvjw|bmsmwl)|i(t(nghrz|jptvl)|aznmkj|zguiip)|voefbgi)|y(f(zzhome|czlkol|fnrvnr|rxyjnm)|z(leypgz|rsiymi)|s(gedhod|cwcaqd)|b(zjhljr|svjtoi|vqtvlk)|k(ubrbkj|nmatdi)|v(asqlmc|jiungb)|cefhfqw|a(uquhtn|fclpya)|mezcrpz|xsipqqp|wdrwurh|p(lxdtbp|ntdwtl|wafwdj|xhlktw)|u(pxazps|srlhka)|g(bynblj|twdfhu|ddoeqs)|o(ocyfmw|fvmnwc)|h(qxmyho|auxbin)|e(jxqfha|dahlup)|q(fugrea|udkxvj|b(atgfm|twxcw)|qotbrs|zsjaed)|l(ddpeal|frajsj)|t(buupwh|ylhtiy|lykohe|cupbzd)|d(lvkduy|bnpsit)|j(ywnjxa|psptkw|jcflct)|nnnbxbc|y(lgjzxc|dmdsvt)|rkpuvgm)|k(s(fmmsfr|j(rsqqo|fzrwt)|ohutki)|o(ivrupy|dgtjtn|eeywrd|jgcdyw)|ladnquy|z(bshmhr|rmwovf|zernao|xdxuua)|f(aibekt|cdpvex)|q(uxtgml|mjbrcv|aiwdxm)|j(iffwym|mrojuu|ymlwbe|dnkuik)|k(huxfts|zmowjt)|i(ozjvlx|yanjwd|saftfq|fwljni)|y(lykuhx|muzqkr)|x(nvgsmo|avzslw|qpiycg|ueyctd)|hqlgipy|p(aixqeq|vbgjna|yhyzfx|ldwypf)|w(wwqaxt|gveowq|srgoee)|b(bquvqt|aojuzy)|ujkriln|g(njzjar|fhiyvz|mbofqe|airxhx)|nwhoivn|co(amvlb|hbajq)|d(lengzy|tcdfym|ujhaib)|vgfibjs|mbdrauq|ahcwqkx)|d(n(jekdee|xfyocz|cccldx|nogckb|qxfsxt|knwtcb)|t(acnmal|mmfnnu)|c(p(xfqro|ndqlg)|lgcckr|xuhcpe|uqfirf)|d(bkfesl|h(qzbtb|kpxkl)|pwicbi)|a(osvezs|uzwmaf|fzihlr|espfsz|rcgwlv|bahbze)|f(m(rzjuu|jdagt)|hjanic|aoinit)|oxsvhas|x(fnbbxi|n(wivoi|zqgyp)|uyttgz|zjeeed)|yfwyuwj|v(fdjtcx|ljnkcc|h(ldbgp|ygtvj))|u(icabca|gjzked)|q(zhtwvb|aljllo|ibgokq|osxcps)|h(mfjper|gmyscd)|m(kqedir|djkjlx)|inlfbhk|sx(vfijk|nqogh)|e(bstojl|tpqnoc|wuxwxc|msavzz)|z(sspovc|jpeles)|w(soiixt|kqklrc)|rikkevy|p(oaqway|rligpe)|g(cotqcg|dijhiu)|laghlrl|jttvplt)|a(e(dbxspe|vohrge|qnoycc|oboseg)|p(eezqhw|rjsogi|lxzgif|phcnbr)|m(qbqnvi|uxuuum|ehmkfu|axntil|dvehdb)|h(liojtb|xmrbgl|cynhgv|zkdaah|ugwmaz|tvwalj|asfujg)|l(oufphl|anncxq|woriim)|i(fgctej|yfiiwr|emmgnp|qmwrcc|apnxkt)|j(cdpkzq|yybgco|fldyuo|jnhfyv)|f(zalurf|pauiiz)|d(xyhfxy|iqbmhc)|c(czgwhc|yjozyb|maaefk|gynyte)|vkyvvbw|k(hlcrif|sbotxx)|y(jpsgvr|vstnwz|cjgvpa|arozbq)|o(bsamla|lecvyz|milvvf)|w(ylodrj|vxsyux)|t(tudgig|ofkcxu)|aqzhkps|n(xgixxv|fzspmm)|q(orvcfg|wskoqp)|b(aqdjks|mrjrwz|dxtlth)|x(nbaqeh|knfsqj|cikfow)|z(ynxrnk|isafps|pfiypz|kvmtfn)|g(i(qwzci|onvhx)|htlwwt|zxcwdw)|s(ivvmor|ucwrnu)|umqmohq)|j(d(pdtmkb|oweudv|rmejyz)|x(cwqsuo|xkodoy|bxjpxu|urdtzx|djlbwa)|w(kbhazx|mwgryr|zbuixl)|y(gotrvf|cdtrox)|zjnefrc|r(tlhiit|hnhitk|iqggkw|xplxhe)|gpbieiw|q(upeebf|jlmxon|pcfqnj|dcrkmy)|k(oxuexx|y(jtugw|wtutu)|rpkwmo|qglmak)|o(atusxn|dpgggf|cyanar)|h(usbszc|omqqnl|ahkyes|bgnuor)|m(zvgykb|ijmijd|lfyvdi)|a(licbea|itzdar)|cnvwepz|t(gjibyi|cgiwfb)|n(hmfbnv|odovxo)|u(tiihrj|nywbja|vyjiqa)|i(jfseeu|hmynnm|kubngr)|le(jakqh|lzttr)|s(qbuvln|mqppyl)|p(bvvafz|iffadl)|vchnifh)|z(o(egccqz|fjhrvt)|j(nefqyx|djjqnr)|d(fcrcgh|prqgjo|nbgfqk)|n(dkdmwm|kfnwxk|mbbkqb)|r(jtdwdr|irqxvc)|eizlmnv|z(femcgp|ywhwmc|oxokzm|etwdns|myaehd)|c(ceknlz|nypwxi|dzixtr|bsjuzm)|f(qroozr|vcrcjv)|sauggpl|u(mtuwaq|npeacp)|bbdaijh|a(gmrlxf|kyclpk|zyydjw)|l(d(baitm|kyafu)|vnvwje|aayong)|y(ehbdbh|xtnoyl)|v(asvstq|dothhw|jjmxud|wtpsnz)|xducwxz|p(bvaeaa|hfzqis|pyvhld)|mqwzleg|k(cfdhah|eimlvo|yrhbqm|hcufaq)|hqmrwyf|iwbsvwr|qjajtjy|tuelsbq|wsycpqf|gqekvtm)|f(e(kbockr|vgivoz|pxqkfo|jjwcqu|modffv|iuswij)|fhnifsb|h(cumydt|jynlcq|vmnhqh)|i(mlnzpg|ykadwc)|xxdzzto|a(xxwsvl|nhbjzg|rsferu)|j(hsnhbl|usnlpq|kmgwdy|llhpty)|m(y(bhxxm|hqmyx)|jpzsqk|atgosv)|q(feqhgc|kdmzik)|g(ejpjcq|bqdibu|diupvv|mutzwl|hwkddy)|n(byatet|ouijoi|hrufhu|ivykot)|k(vhxpsr|weuoxd|lbtung|nbonif|ibycze|rvcisq|bassfk)|z(eaeqcx|phvkuh)|r(ooyyud|ytlegz|mfmoba|wsesif)|b(dodxjm|wadpmv|gzugye)|d(wjeffs|rcfmmf)|l(nrzruu|fevokk)|uvdguzp|o(kkufif|ywwsia)|w(lzjays|fkxgio)|vtwfhrj|cibhqzd|pyoctzf)|u(a(oqwtrc|bunivo|itxomt)|g(omxnnx|hpvjfb|dkjpiy|koregg)|q(fzolyp|ponlvv|hllxpd)|s(bxthxn|vxnoda)|z(vdydfl|ksosux|eaaivi|iiaykb|ynuuph)|o(ehhdtp|knqxxs|n(ivlbm|zndbq))|r(tgrvze|afehcp)|t(dtiwnq|luhzju|rrzdbh|bqsdoz)|d(szpflx|ptdnvb|lpiimb)|u(g(tyimg|yytix)|uhtsyt|ithvny)|e(sztazk|qzyixq)|v(ckgcij|jdjbwl|tbukht|domihz|zikhcs)|fulgzjb|i(iylsta|jkldao)|m(mshtwr|wbwkdh)|luljjjs|j(xeztgb|zuxsbf|uioehh|gqhalp)|x(lqmezp|mzpkaj)|wngymjj|hpbnqlc|n(confps|wmrhpg)|bpqzxfw|pftkdbv|yykekqv)|o(g(m(hqpvy|rfmvr)|aqinlt|ukpfac)|t(jlmcyx|dussux|kqvutz|sstgmg|oextog)|i(athugc|yklofb|zfxbzc)|z(uaaxqw|gbxbkh|yfcxlp)|r(pohhou|nxechy|isshbi|fkxwmr|snjcdh|dkxiyw|clttuj)|m(xlzsts|eofvby|hrajjq|gzhckz)|u(bqyfvj|zvcplr|dreswu|koafhq)|p(rgdnzs|dhusrg|spsjdt|vxsqxc)|v(aewxtg|vccftt)|kafjojl|q(oyswtg|nwscir|skqudh)|l(xjfxrj|vzdzmc)|n(fqklud|zyvyzb)|x(vaxjph|untjem)|c(tmrdmd|jjmjcm)|w(mbzknp|fyrqgk)|f(tzivzs|ngkqqx)|a(vjbogq|xawhmc|avagca)|o(uranio|dvwqkq|jxabfn|rldnoi)|sbibvbf|d(j(nsxcp|shhhi)|elbsfr)|jzimrxe|hacavtm)|e(x(ivmiqa|dxeyje|kebigz)|o(a(hiidc|edyxv)|xekdpe|zdtcpq|innkgr)|m(lindhz|tvnots|prngry|bwysey|zkkohp)|g(zyupcv|woeqdd|gkjexv)|w(dkvbog|svtatq|tolcwe)|y(hpdgpy|yepxyl)|l(yzpsrn|ro(xbch|rdju)|lcdedi)|d(snqvfb|umoxtw|kuetvg)|s(ppshar|wmmntu)|ux(jmysh|khpcu)|j(kqciao|phigat|wxzebo|djogvc)|b(zvbqwf|ntcgpr|ybskli|elulfp)|q(xyzxvq|wnvnld|gvwrod|aevbis)|v(wqgsqk|khdger)|e(cbxqzl|rjoevx|wgtomx)|z(niodgg|keeuqn|wssyhx|jzysbb|owtdkl|tyoizv)|a(xjxgxk|hbcqya|iufqdl|wzzxbg)|hucscuv|cpsmjco|p(wdaeht|avsfct|nwrdxv)|f(mujwju|lcewpc|kzugmw)|tbvnodp|rmzbpgy)|h(y(worvoj|qwdxsz|tkgpdf|zdgxss|azwvvm)|v(hgbmdd|mtttai|fjyaux|nflqwr|kvqqry)|b(junqvh|txgoia|libxfw)|q(lawefp|axzitr|mpzzrs)|j(dmrqcc|tuilmz|fvatfe)|c(wvfnvm|fnxyrt|xmgqut|hjzsbx)|p(tdejhz|byhpej|raoqpb)|oabygnp|a(oooska|h(kghrm|ngvqe)|ncfgic|vwnnde|dxmdxq|ipekxi)|mxvrakp|x(dfcxfy|fdutvk|kepjfe)|luxerik|i(kgulqp|dbiqgc)|g(qludwl|tscigv|oliqrp|xuntua)|w(mbwoms|yfdvjj|sslhxt|eqgnsv)|s(subyjv|pdxmuz|udtwqs)|d(hrakwv|toglrz)|e(afuhfg|deuuko|zmeimj|sbqesv)|t(zikemf|jkzkmg|dgytkr|pqqhkq)|k(uxhphf|btmywl)|h(cxcqhw|ygebtt)|fvqlfiv|zcuhlcq|nwbkirb|uturvrs|rmqqaff)|v(r(cwpczr|nxwzaq|odeyke|docuqb|ujytmt|tdipjb)|x(wrceht|kvbedc|cyglks|vtklfi|xbophr)|t(llgnmn|cmelyx|pjfntl)|a(cwkyyf|saisyq|wqtzsl)|j(rf(owib|wfeb)|hwairw)|g(y(ccuqn|zlrfm)|kejpqr|dfvogh|cyhzoh)|p(igiuzp|xzacqm|plvcuh)|sutiwkc|bmoekwu|i(iogfco|qggndx)|z(aodbap|oqpjzw|fkhwde|hofneh)|f(vtvkep|fxdqru)|hq(znxkx|blovk)|vjglulj|wqdegod|n(hcgstv|koygpj)|qtukpuf|uumfxid|c(ywrndd|dxnfkw|rqcxtf|hcwhgz)|dgofybp|lkhsahn|otqrkic|e(ptyrav|vubwjf)|kszqxrh|msmvztj)|n(v(yhrdaf|acslxg|szbhst|q(drwej|xrqtl))|r(jsiqfj|nsgmhf)|i(qhzcqe|yqfyvz)|j(ihfcvg|ngkgmu|scrsgy)|p(o(lfvfz|dbqvo)|lgbfol)|m(xgohns|raefka|bntheq)|n(fchruo|x(tctzk|usvid))|f(druitp|btbpiy|j(iopxs|casbr)|p(mleaq|fpftb))|e(ucuxzy|xaadna|yfejyf|tcbbnq|buorar|loehgu)|o(fmdayk|n(fkueu|eklfh)|lyymfz)|w(izdkiy|qgsjov)|gxeqors|x(myendd|smabcw|vsxdkd)|l(csksxb|rysoqe|klryrh|ogiiss|ettlig|xykjyj|unsyer)|ywbbxzg|s(jntpvj|swxruk)|z(ozfrxy|dxztxc)|q(rwyevy|zybzsj|gazmhb)|c(pylehq|vsclmp)|tohmeax|hpytflz|u(fdmtwx|geqvcw)|a(zvfuhy|ilgyba)|dsvrnmo)|g(n(knkwme|evkdwk|omeyzb|rfughy|qtjvnz)|s(s(exhyo|qpkid)|khadnx|pgdhog)|d(bmcdfj|reyzet|ojpmmz)|k(wfrlsx|dqylzi|hyowpu)|v(bmnzjd|okpnif|jikowf)|p(kbjnio|n(mbluu|sjuzq)|zztvit|djmlsa)|u(crvxog|nntcmj|wktvpk)|l(zxpmuv|cjjmph)|gt(uavzk|gcukv)|h(fmljit|kvvbeo)|tdnpqib|y(jyvgep|dhtvge|kdlyid)|r(opthyw|ewmoyw|lvswij|vsnzzq)|zxthmlz|f(fgcnji|eoseli|tenpfl)|x(xcszve|pkotmx|sdacyz)|wvrvfig|b(shgifz|phtlwi)|e(pzxfqj|cnuawe)|qakykow|a(dlzeyl|cbdlej|tvotxm|mrwdsb|fbdzht)|j(lghqew|qvdxer|utugoq))|t(c(szdytx|zclsad)|b(b(pjvgk|asrwh)|fdjhwm)|d(vgojfy|dfynba)|g(mzbrfw|liyrjb)|o(tzurtf|x(xfadd|bqzcn)|krcwgv|wqaglo)|q(ixjpoa|ydshvj|sk(dsgp|zcke)|ekyyqt)|r(wnsxbe|nxicif|dypczy)|eynbgcq|xlzmyij|k(soltkf|qrwdwg)|ammmvbp|y(wkxfte|qgkkso|rbvryq)|l(knvhtg|qgbdzh|ogizjw|mpvaan)|mmmmgmg|i(vtqglv|nvgbwi)|n(vngqda|gcdcib)|zstfvxo|t(yolykv|wfeiop|ehlfsi)|ugldujx)|r(v(yyiihn|esfcxm|oimqcd|zvqbtu)|e(tljdzx|cxkhdg|skyymk|dswqsp|yljxkw)|lusullf|c(eujggy|fdliog|dfgnrc)|u(kczmad|yuixrz|adwaen|jjpoya|zpzfgp|lrnlqp|hnqphk)|b(aonhma|neidas|wnzbmg|snhzvh)|i(vtkrqy|adgznn)|ggofdke|o(nqttrp|ethttl|rhirqj)|x(wejrpb|hknusr)|k(gqogrt|qonnej)|n(aiihvz|ksrsvn|lhzkfu|rrfnpx|glsuaq|efnfgl)|s(pqetbz|fulycx|djwudm)|z(fbebes|thrllu)|p(efyczc|biqzve|kzpwvq|jszvum)|javlutq|r(hughaa|egkoiu|fxfyum|ykjpne)|m(vltmut|hgzuem|mpearm)|t(dvvvgi|xcbwkp)|q(avcmfr|qcjkmq|bbtzji)|h(tawqlc|byejcr)|wtukmwg|yrazjty|arqrepm|dlqexwu)|s(p(ucplxb|ljppko|fgkynh)|m(paljvq|zpvklq|t(djpci|kxnry)|nnanvw|xsbjye)|z(s(bgama|jxxxu)|fxtgqw)|q(jfexox|d(rchnw|zjgjp)|fgsbfc)|n(l(iwigv|emhec)|stxfkt)|f(ukfvdm|yugzyu)|dv(wmjlm|lfifv)|v(semabr|orxhkm|bkklrm)|g(q(bwyen|dorpk)|gzycrv)|eyhingm|k(yazwoe|qntosn)|j(ccjjeu|xmdyxq|vvbfad)|c(ibwprd|vprdwh|upehsr|xhpbke)|b(jclmsw|odvega)|yzvpzrh|aldgfiy|h(fiizhm|xzwbdg)|s(kxuabf|eoarqa)|o(sikibk|xdbjcx)|x(fcplen|vmjnju)|lwdammv|w(mcgary|dcbwkk)|txfylzj|u(utfynb|zvrsmq|rzapgr)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633075; rev:2;)
# sid 2633076 includes 1065 (1801 - 2400) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(g(j(lghqew|qvdxer|utugoq|rwwczj)|l(c(jjmph|fzumo)|oxrajb|qezlzo)|a(mrwdsb|fbdzht|ckhnaw)|k(h(yowpu|xjkbp)|odatij|phxjoa|jmvyra)|bphtlwi|n(rfughy|qtjvnz|b(oflxk|cwuye)|lswyuo|dfeblb)|p(nsjuzq|d(jmlsa|aevhe))|f(tenpfl|cnxavg|jmjdjs|hsnlop|nrmquw|izqoml)|rvsnzzq|ecnuawe|u(wktvpk|precbb|xvgmus|lgnrds)|m(bqzjwn|jxcvlf)|hgwpccb|iiyjahc|wd(qhncy|jbgfg)|s(suyyio|lsvage)|zudmncz|qkqpfjd|osmupdx)|d(prligpe|q(ibgokq|osxcps|w(ldfia|emfvl)|xqmekd)|g(cotqcg|dijhiu|yxrbee)|x(uyttgz|zjeeed)|w(kqklrc|tedsbi)|e(msavzz|skdkoo|vsjubk)|d(h(qzbtb|kpxkl)|pwicbi)|f(a(oinit|kqnid)|mjdagt)|l(aghlrl|rsiyzi)|j(ttvplt|kifnnh|pdrcze|ydnxqr)|ugjzked|mdjkjlx|zjpeles|s(xnqogh|odxgln)|n(knwtcb|zhqocz)|a(bahbze|j(ywhft|dycnc))|hhpkhaj|t(bipnno|meevyj|gzhbyt)|riinyzb|cpxgbjn|kkeizhf|vhwvwpl)|o(d(j(nsxcp|shhhi)|elbsfr)|i(zfxbzc|fzaydx)|g(ukpfac|mrfmvr|azywcf)|p(vxsqxc|nnumpd|asaqhj|khgpxw)|ukoafhq|rclttuj|j(zimrxe|mjfjyd)|o(dvwqkq|jxabfn|rldnoi)|h(acavtm|etniiy)|wfyrqgk|a(avagca|uhgxzd)|t(oextog|pedvqv)|n(zyvyzb|klgmvo|bzvgxz)|qskqudh|s(sqzjhg|xeygci)|z(ifryon|rrpjpw|abtmae|klvbxa)|yejpgao|e(ysrnzp|xwspmm|odffgk|riglnn)|majejfm|kecsjsj)|q(i(qoonua|ltmipi)|z(fcypmf|mfqbps)|g(hqamwa|txjbbo|gkibkw|zbblvj)|v(dzfaho|uqofsd|ffzhpb|eneegz)|t(dpwbqe|pboglb)|l(pwryfw|mkcleg|idtmah|olzgyx)|ezlgrou|d(linqkj|qvxqdr)|bfozygm|aopcbxb|q(lzbxdn|pnaajt)|m(qkfquv|mawvgz)|w(uwnvyx|hbqgzw)|xr(fzfgi|nmuit)|hwazqyr|k(jwfntq|hfwcbi)|y(ettybf|lslhes)|caievwh|jjrkniy|pvxbabo)|f(nivykot|r(mfmoba|wsesif)|v(twfhrj|bctjqw)|e(jjwcqu|modffv|iuswij|ubpsiu|hfchki)|arsferu|c(ibhqzd|rnciph)|k(ibycze|rvcisq|bassfk|fqufzl|nfxwzs)|q(kdmzik|uzyntd)|wfkxgio|h(vmnhqh|qkcnjv)|ghwkddy|b(gzugye|zzacue)|drcfmmf|pyoctzf|i(ykadwc|gwkfky)|zphvkuh|jlhhvik|tsepnad|lxqyclp|mrelwli|sdgqapg)|m(v(ocqtcn|ruchbn|undenw|tkctzf|ecskwl)|trpcrju|y(crmphb|muunbe)|j(jfqscf|bsfejo|dxfcwb)|bsawlnp|x(y(mgdqc|gdkqg)|nmvdfe)|q(ifujry|yknnol)|wvyukdo|i(zmtdcs|bmfnwy)|exhsvgr|g(wleflf|v(rgkmz|axtvq))|l(vbqpak|dllgof)|dnomtqy|riannln|ctzckqy|mvmlhmb|ztduajq|p(dqepdf|iwqubd)|ulzdasa|fshvsle)|p(t(jzxcwg|n(ldwav|cqjzy))|o(usjtvx|abeupi)|g(upikjt|xechvk|hmtbev)|zvahavi|r(ebgjqn|juvzpe|ceynap|lqnlqn|alfura)|iwmdhtz|l(ochsbe|umjkdt)|e(aypbsq|gvxnpp)|ynzuijc|swnlfum|c(wtiaiw|vzahjv)|h(hpdqph|jwiqwe|liorlr)|kw(txybn|qgyfq)|j(e(jmuqu|busno)|tdlzza)|f(qihkct|klilww|jfoxun|rvyulk)|p(rftbka|xkultw|attybb)|x(mjkpjp|dotudj)|u(yagmbk|uqwvxb)|aykxijd|m(cmqblm|jvgaoy)|n(hevutx|aodjvr)|bkcnrcn)|x(xhfulkw|e(amunuu|roygnm|icjmek)|m(wlgpnz|flfgat)|tvisbod|jiusxai|l(wzsmbh|ukmvuu|cfpmps)|s(pcwvxa|wqjgwi|yxpads|rdxcye|geqfti)|g(oobzhe|llasma)|o(ecpucb|kdyfov)|c(uahbxf|nysuov|xevcqs)|d(ihjups|emtfqz)|plwwfnr|aavkwym|fgjkbxv|z(rcunxr|cbamnp)|ijrivmj|hxthvhf|vxxekbz|u(yzhgcn|zdtkkv)|y(qobmgp|ehzoea))|a(z(ynxrnk|isafps|pfiypz|kvmtfn|dmgpyu)|g(i(qwzci|onvhx)|htlwwt|zxcwdw|bhqpqz|dtelll|kywhjh)|i(emmgnp|qmwrcc|apnxkt|ldqntf|ongpzf|gcvzwp)|x(knfsqj|cikfow|dsljug)|omilvvf|nfzspmm|b(d(xtlth|vseca)|fgvukj)|s(ivvmor|ucwrnu)|y(arozbq|fajhsn)|hasfujg|u(mqmohq|edkinz)|j(jnhfyv|mbduez|cqbazt)|l(woriim|rwsfad|hgixub|ztokjg)|pphcnbr|c(maaefk|gynyte|amodgw)|w(mgizdq|obrvft)|vrubttm|ezqeyjn|fjcaeje|qgccokv)|r(i(adgznn|epcflb)|b(snhzvh|rvdbzb)|o(e(thttl|stoew)|rhirqj|dgrmqc)|q(qcjkmq|bbtzji)|n(rrfnpx|glsuaq|efnfgl|tpuvpv)|h(byejcr|eyeioh|fkejzf)|s(fulycx|djwudm)|e(skyymk|dswqsp|yljxkw|prrrqq|hvfjii)|uhnqphk|k(q(onnej|sxkut)|yytled)|y(razjty|nutxci)|mmpearm|vzvqbtu|a(rqrepm|lhutpu|etrbim)|r(fxfyum|ykjpne|zspoaf|uhkynn)|d(lqexwu|igbfcg)|p(jszvum|wnggnm|iypwaz)|l(slxdey|zzvcov)|jifihbq|fwbevpa|zaastdf|gaqdnzn|wkfjoyo|xgqxzqf)|l(i(tjptvl|zguiip)|g(yqoyif|zffdul)|ynppnel|k(gctlka|cwvjhv|juujyp|npzqrb|ywfgdk)|f(fjzxri|waliky|qlrxpo)|j(xjqxfl|m(cgacj|btvou)|nplvjw|bmsmwl|erjtrl)|u(tkopkx|bijdsp)|v(oefbgi|axawms)|r(dxzrkb|prlykp)|t(coqgmq|bvigwu)|p(akgaph|dvbcnm|izewvq)|q(bkhybw|acxgic)|n(kextld|x(qatyb|wzaie)|blcmtd|ntrppw)|x(tkamnv|hyxujk)|e(ilbiao|hshfdn)|c(rqpkzv|ysaeov)|h(kefztu|jxgmwv)|sdiqwlp|d(ixhkar|jtodfv)|mfvfplh|z(lwgyrk|ieacbj))|j(smqppyl|p(bvvafz|iffadl)|v(chnifh|mraikk)|lelzttr|r(iqggkw|xplxhe|yzcuiw)|n(odovxo|knxdxa|ebuhti)|k(ywtutu|qglmak)|u(nywbja|vyjiqa|trnpkh|rozfsy)|m(lfyvdi|mkyxwl|djrifh)|o(dpgggf|cyanar)|x(fdvoxx|uinelm|kzjuxl|llpcgb)|yfidrws|t(xddbgk|nxstos)|c(fcvjdq|nfrgri)|b(vwyvub|zoihln)|idajtoy|qohidbt|jaokeau|hlxecjw|fujersu)|w(k(psgvqn|cbdspl)|l(tqaavq|jskata|kxnlrq)|bojyjxi|zbygrlc|x(imqimj|bjlgdd|fixyrp|nkwmpy|rnunad)|n(mkwtnh|zqsctn)|e(ewugru|wdlafs|pkwacs)|uhfnyra|pyllvth|yuqjvqk|w(ogshhv|siybrp)|fncmssg|qtokvty|hxasjmf|g(ythzbq|krgljc|mkfmbn)|c(ppkfuf|ttaiyr)|vguaehn|imlktxd|ofzebgw)|z(q(jajtjy|mbprar|zlxvzu)|tuelsbq|c(dzixtr|bsjuzm|iyretl|jyfigi)|v(wtpsnz|vwxovq)|w(sycpqf|ewvxoq)|p(pyvhld|ymmbpl)|laayong|gqekvtm|yxtnoyl|rirqxvc|n(mbbkqb|jziqkc|qsgaqs)|i(urjyuv|vpesis)|jkkwutp|z(sgbfem|ycqxtf)|u(sstpxl|ujatlt)|fododvo|oqfipct|edfvnxs|hfyhyrx)|s(n(stxfkt|lemhec)|w(mcgary|dcbwkk)|t(xfylzj|ydrzbi)|x(vmjnju|hnhhyp|zwngra)|bodvega|s(eoarqa|vovwye)|u(utfynb|zvrsmq|rzapgr)|p(fgkynh|snynxr)|h(xzwbdg|redzsb)|k(qntosn|pbeuwi)|q(fgsbfc|ipmcfs)|f(yugzyu|hmosij)|c(upehsr|xhpbke|lquudk)|z(fxtgqw|urnvot)|vbkklrm|gnsgxvr|m(gclxvj|eqytij|hqqiob)|d(vmfcgo|mzqgsx|xysffj)|a(wtgkhe|hnetey)|ixqflwl|ecegrev)|y(s(cwcaqd|pibdhr|tyrtaj|aajmhq)|j(jcflct|vnhuxg)|y(dmdsvt|gslkpo)|q(b(atgfm|twxcw)|qotbrs|zsjaed|sbmtyd)|u(srlhka|wjwtom)|f(czlkol|fnrvnr|rxyjnm|vhpnts)|p(wafwdj|xhlktw|izqoij)|r(kpuvgm|apizld)|edahlup|hauxbin|t(lykohe|cupbzd|nqqctz)|gddoeqs|xucefpc|c(uothoi|chwqtl)|msqexpx|v(escuia|fxdoic)|doubijo|ksfwlld|ncspjcb)|k(v(gfibjs|lrleog)|p(vbgjna|yhyzfx|ldwypf|jlnmcr)|j(dnkuik|wdykqn)|sjfzrwt|g(airxhx|lhfmov|mepfiz)|i(fwljni|nqmwni)|c(ohbajq|rfwhec)|x(qpiycg|ueyctd)|mbdrauq|a(hcwqkx|yobikd)|baojuzy|d(ujhaib|ptjjvz)|r(bvwdds|wjqbcz|ancbxh)|o(vgycfs|fopuqr)|w(owjwdk|haxbfj)|zasiqlx|u(iboxzp|bfpcri)|tzewdtw|lqecdng|f(vaageb|skvbab)|ebkcjvu|qblunjm|yvtazty|hkynvfn|nqyibst)|e(z(owtdkl|tyoizv)|mzkkohp|d(umoxtw|kuetvg|vxqdoi)|a(w(zzxbg|ubilw)|odlyhy)|j(djogvc|txtbfg)|g(gkjexv|fnrdlc|cveebj)|t(bvnodp|amushv)|oinnkgr|b(elulfp|zxfvqv)|uxkhpcu|rmzbpgy|ewgtomx|p(avsfct|nwrdxv|psisec|okrnuh)|w(tolcwe|skrgqr)|h(zdwpzr|jrtqza)|qbuzdnv|siltnoj|xltspji|c(z(gorwo|zvubc)|psxomb)|iucqtbg|nbihxmc|yfvyxtx)|i(c(zxjalk|fnnwgc)|s(qzsfaz|ykxqfu)|ipmmuoq|w(nuxess|mlctte|hblmdy)|o(bccyqz|tuuvwm)|ahifxoo|u(a(gaeea|doucu)|siczmx|znruwg|rronge)|rupbnfl|d(nyefcd|pfdsrr)|z(uceeno|qhdsbt|rvmunj)|pdwfjcg|bxlmorr|tzvegvu|yomneyn|gspopkd|qvtmjfv|laxsucj|f(vvassp|dylwrt)|kadftej|ekamarx|hkqkedu)|t(n(vngqda|gcdcib|uyewne|iacxph|fzqjzw)|l(ogizjw|mpvaan|prublc)|owqaglo|z(stfvxo|lxhoup|uvhyfm)|rdypczy|invgbwi|t(yolykv|wfeiop|e(hlfsi|vhlds)|hqklsv|o(emeeh|ixghy))|q(ekyyqt|skzcke|jeldvx)|u(gldujx|o(lwldt|mdahy))|jprlkjz|w(wnwpya|rhteiz|atfree)|c(ybetrp|aynbps|kckxmx)|h(xdquzq|zofjgp|tcyspf)|y(dzxulv|bcfgfa)|kpgweas|gtrbylj|bficyxp|vqnypko|e(bskqgc|tvtjry)|shoqadg|xphlbkz)|n(l(ogiiss|ettlig|xykjyj|u(nsyer|tjbrr)|dmmvwv|amcqtw)|w(qgsjov|uwcxfr|mzemwy)|v(q(drwej|xrqtl)|zrxzef|givkmj)|o(lyymfz|efynik)|q(zybzsj|gazmhb)|nxusvid|u(geqvcw|vaywfr|anslck)|cvsclmp|e(t(cbbnq|xdtkb)|buorar|loehgu)|f(pfpftb|xvtsyu)|p(odbqvo|ltckxz)|dsvrnmo|j(scrsgy|rngnqg)|s(ywkcss|jjewcu)|rrwzdlx|ynbwwnt|h(adajql|ypijou)|z(aqaxjs|xbhhyx)|bx(sgmrl|gmngk)|abncyuw)|h(n(wbkirb|mltrjp|rnceft|qyoyaz)|w(eqgnsv|znfens|akkxan)|esbqesv|k(btmywl|k(wwjyb|jfcpz))|s(pdxmuz|udtwqs)|j(fvatfe|zndosr)|tpqqhkq|aipekxi|y(zdgxss|azwvvm)|x(fdutvk|kepjfe)|v(fjyaux|n(flqwr|nsqfp)|kvqqry|gabpbx)|u(turvrs|orjzjy)|r(mqqaff|tkuwak|azlntf)|i(dbiqgc|iibkix)|c(hjzsbx|kkibuc)|pefheuf|gwpslcw|h(whkzpc|nddyjr)|dypvbfu|olpozgc|fqbxujt)|v(zhofneh|t(pjfntl|zdewec)|gcyhzoh|e(ptyrav|vubwjf|abhzyn)|n(koygpj|gyqedg)|k(szqxrh|ckwadd)|m(smvztj|gpcwde)|x(xbophr|mxfxlw)|jfnogqb|qdpfwzs|yemjjds|r(zigier|mnffqt)|fkkcgax|ua(qnosp|hniye)|wpvpwwt|dhwcaej|pxjbuwf|vjpckli)|b(o(nzmupf|kdviwn)|a(xrqlpm|htbnkh)|yzydxgu|c(auwzms|emvoyn)|p(bgpzul|qbyffh|nlymde)|r(zctfcv|husxnw)|vxtkcvf|q(yffpbn|tygxah)|g(eljumu|qagcft)|hilyxyr|b(ezipyz|wnabsz)|s(gjoqoh|klubfi|xcuhpq)|kjtajab|ekgisli|tshkzim|nnuqgvj|xwzwamu|ikirkud|w(tsmmor|biwdpk)|umwgqbr|zjmrcbx|jcmziji)|c(x(ocaofz|vohctc|biqnpp|wupsmm|mdysem)|pwnlvyh|eqsbpua|ategwit|c(dcsjgw|qwlrvb|ohoeye)|y(cohcop|actemw)|d(eutnnc|hxitmy)|lgyzawp|u(jyrcqa|kvjbun|raibps)|rt(oaxmm|cfxte)|g(rsmziy|ihjmrn)|kpduyfn|o(fasivg|bnlcev)|m(jqlvth|qadvam)|vjgkefr|j(xehyzh|wuueox)|q(naighp|dqhyct)|z(kcmzqo|ynsueb)|nrptgrl|f(hknbqp|mbovxo)|snnpmwb|bkdsnkp)|u(j(u(ioehh|zpohr)|gqhalp)|m(wbwkdh|odqpoe)|aitxomt|p(ftkdbv|jrjpqy|ddfhaa)|tbqsdoz|g(dkjpiy|koregg)|z(ksosux|eaaivi|iiaykb|ynuuph)|v(domihz|zikhcs|hxbpoe)|n(wmrhpg|vxzwjw|hrcopg)|y(y(kekqv|xzhfa)|vlnlpy)|xmzpkaj|qhllxpd|cnnloin|rubvzqd|i(xtubqi|oknbfl)|s(uuvpnq|vtahzt)|hrmzqek|obkcfdh|l(ostkws|bbpjmm)|b(isoovs|jodoye|fejqmy)|frxmlup|uvohhgy|edqgtfb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633076; rev:2;)
# sid 2633077 includes 465 (2401 - 2866) 8 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.cn)"; content:"|08|";content:"|02|cn|00|";nocase;within: 11;pcre: "/(d(n(loherd|tuubvv)|w(qlfuti|frppee)|gbvjqam|z(vtzeaf|okklkz)|uwxkcls|v(ikggki|fiygns|aqrikh)|h(qiemzo|iuqqyz)|f(kwsouw|dnvejh|znvkou|pstnop)|b(elmebz|wqfbcs)|i(psvupa|oremeb)|sndgmsb|cpksqow|t(qjrapb|epddzo)|xnkqlxy|ydvsied)|j(n(xozvsw|lreooe)|kc(imtbg|dpuse)|odfdake|g(anecxe|gsmvgm|xdkvzf)|ausbhtd|j(aqufet|joedro)|b(tdotcr|kzkyvn|pnffdk|durkfk)|plohtfz|t(sqqcsx|bwcfum)|wbuzzcn|l(uxuptk|oxnpwk)|fkjmmxn|eqvgqaj)|l(ohpcsec|ienkqht|a(zeabcs|uzdyxu|wjqtdd)|v(knkzxc|qlrwll|ykpxzt)|d(mhkuyi|fvnlxp)|zgmspqx|scpsnlm|gsvyzfl|wiewsdd|neujyzs|hqvdmzj|lpgranj|xuvoyef)|c(mnmegpx|lk(ddalr|hyeza)|ugquiwm|v(uptobp|z(jcwuh|utegn))|r(wtglcz|agxout|gtjhwu)|j(mkwopa|shjdzw|lfzmik)|y(jiauni|gwayvx)|hiutwck|sotuvef|c(tsgkxm|seqhlz)|owmvqru|tfbsqwm|brhyhmb|xonnjzd|kmwadxq|zccrail)|m(u(xerygy|frvcto|axmfjx)|p(ctodmr|zctgwc|xmjjpu)|m(wlweri|zlacti)|qvwqofw|s(ddsbll|bfslyp|ulzirg)|lvracay|zmlouwh|rxxclbw|outkwqc|jkxfdnq|cjtmzus|bznjxcd|winrniy|tnnltpj|kujlblk|iqzzijh)|u(whsqatp|g(lyiiwe|xtiosh)|xyrsygo|mymqrze|fovwlpx|sdolwcx|jcnutld|nkgwzuq)|o(duesejg|o(uydsvz|sfxrxi)|i(xsqubc|lbnmob)|s(fqjamq|grmcnv)|l(lxlypu|spdzzr)|zsjqasc|rtqjazw|cjzlfba|xbegrjt|bdondcl|v(twmkdw|cxckpt)|jkhcfcu|amwrvpk|ttmgtzc)|x(sdzjnsw|ryuhahp|o(fmnyhx|uzmkin)|k(jkeset|gxognf)|j(yykgqe|mogatn)|tytxpmi|nrhkaat|d(coomvh|qxdbam)|q(enrgtx|cgxftz)|iuerwhj|hiucgqq|ppcoivt|l(c(wajfm|mskwc)|dzecat)|vszhmdi|fbcidbh|xpkawvx)|p(x(plewfi|zrkohk)|qamlqkc|y(sktdfj|cygbqd)|ltnswps|pqwfcqp|s(iyptyy|vnyexm)|n(kngchj|uhtevp)|r(ywuotc|dopvqi|kkibmh)|krzahpm|t(clofwe|xceega)|m(zvubtu|nviqyi)|a(wxowfc|zcgxvz)|iefymnq)|h(ojixihw|blvuvqn|nmcjbdm|i(mhpzol|swjwwz)|anavezi|cshoray|tkayezq)|b(fdkzdxa|t(pfodrv|bwvwod)|eumcyjl|vsafnfb|bwhnjlz|shtgssv|nsqgbgq|cpecrqn|jncqloz|r(rahlqq|nrxvaw)|lkglfax|xtpmnam|zuajlir|qbalpzt)|s(aljrnzk|fihxrbx|ifzkkhy|g(uyjcdz|bretxz)|xnnzqzq|n(rehamj|owggsg)|o(zvwuqk|euwkuj)|bpfxhhi|hysaffi|cpdrmrn|qgkfvyk|tazkmaf)|f(siaphmr|itwvfih|y(pwllvl|elhbpx)|fvqawcg|qzbfotf|a(kswxgs|wfcpmt)|uibbnfl|mubhxts|vlobmyd|hehcnap|xoferfg)|r(l(tchfev|bzzfpe|fgtusg)|s(lkzmkw|coappq)|flzjrum|xqhqrbs|qxjzfto|d(eqcage|vuumqh)|rlqsnmi|cjflefj|zgefbpj|glqafnq|hubdjvm|blchmvi|ympaovt)|z(o(icgpoh|ledxqr|xwtoor)|evbjfol|zbwfzbx|w(ekxsnm|fnkoqt)|harbzer|cqrjjao|gcmbryd|bxbwcve|jlfmmer|djislhi|ridpnws|izswsov)|t(ok(jisqo|eguje)|b(ypmcih|lwehys)|emhfwjk|y(rqbirl|npezid)|q(sxishk|l(elpxx|gipui))|a(flrkgs|mgjyks)|vlifman|u(wmfcpi|hxnetz)|dfiruvr|idonmve|mrocstl|s(henxmm|igmuli)|ceqdkvj|fncfysa|hqhwnyq|zagzlas|ncsmcuq)|g(hdtlseo|oogogny|zg(hccbm|pnesl)|aemhegk|srlacgy|ctdhxvw|wczioww|d(necnhg|dtmahk|egecxm)|j(xtvqow|mqhpsj)|tptzeuo|b(fmevxn|hsrvmr)|kohayir|eydmmlg|qgmetge)|n(f(gnbull|iitsix)|i(lvnszf|wzgqil|usvygv)|s(vhhgiz|sqcoqj)|traxzxu|cfeyffz|nj(ofmgx|wnicp)|xtldena|v(rzempi|thhugl)|msybjya|dwgyybf|qxxjzsq|k(susrdn|udyffo)|hhohklw|ucmgxnf|o(zbubzr|ihybwi)|r(jusmql|viqfeb)|aerikru)|e(mwbosms|jovjffd|hqyfjwy|umatgin|l(ihtwff|ugljwh|priaqp)|eygsdtm|gwrkyrf|rxkosxi)|a(szmmlkx|n(cuisbb|kvfxhc)|ddcxyyr|hschttq|ipcauis|r(jgyktr|cqzlql)|l(axhskm|inpdfv)|pgfnbme|mgudjmu|wotahis)|q(b(unqtyr|ztngdb)|r(enkazs|zefntj)|sqjcvjg|uhpyfwf|t(opxxrv|javbhc)|ohzshqs|mq(cnyiu|qhfco)|ipujvhj|j(fjvyye|vdlatr)|zlelacf|kvybvug|nbdmwlh|amseinn)|w(zvafoby|r(hvqngb|kulpjf)|xugvouj|bkswmnt|k(yebwdr|sxbzde)|nbejfwh|lwalkpf|vylckwk|esxnwfb|ahbxxuj)|k(wonqtev|q(yuoffr|hcilix)|y(splots|hudmsl)|arqehnb|o(nowalc|waevih)|guegxic|pxeknnm|eucrjna|buegmtu|swykazq|ztolcqk|nktvxbb|johrnsw|xbehpas|l(wkmrgd|ecdycd)|mvwvlqb)|i(f(mziulk|pftvrm)|davlahk|qpsvmgo|n(iaqgoa|ookqpx)|cqbzamr|zadiskr|bxjfcjk|jjvaaga|gkjiutz|tzjldnz|wntlrxt|sriwzwf)|v(oytxkmz|c(jczwyy|wvhvpr)|vnpyaii|bzogtgd|ixvbaxb|jjxfoqr|w(cylhjx|xcrnuo)|nbqwrqq|a(delfwp|nedeij)|rszntnd|l(zclslu|gyrxsq)|tzzdpvo|hsggtsl|gyeteoj|ellalrr|zttntez)|y(tcagtse|zekqdhy|e(nrkesj|zyndil)|rgwcoie|argwzvy|k(kflume|fqfjky|exlqxn)|jobhfbd|mwoittu|cbiqtul|skoisil|hoszcak|xponxkv))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633077; rev:2;)
# sid 2633078 includes 600 (0 - 600) 9 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: "/(d(b(rrvepie|iwyuvoq)|on(beymzh|oigeol)|gqmsepsf|t(njwhxxk|ogebgwe|slapxya)|r(zrsszuo|vctawtk)|wwjtbglz|l(uwlitwl|ydyvrra)|p(gvqgnmi|lfeqzyp)|zqhhoprb|hgjmgtvh|fvwklvli|uenlkamm|merykway|d(rkwfcvl|xmqnzze)|jgihqgpw)|n(gzuuazhj|etyxltui|f(xrfbsmx|ktjomcz)|pqtjuqvb|lsxmkrwh|boegmfwt|szeqidjr|owxnqdzx|c(qeftgxq|ehhqell)|abnlyamb|zzyktpks|vzxndccv)|a(ikyjlcuf|j(rtspspa|inxonea|ocobwld)|zbtdcohu|hdukbkeb|uwszssvt|czexbeuy|q(gnkroyt|fstcmyf)|lcwdqvyf|ykciffyt)|x(y(auuzqqd|ciswoio|hmmhmpf|eincmza)|eembzial|pvbkgocw|u(kpwoerq|fcxirqc|buzbxib)|s(hpdpazo|uinzidb|nmmtnko)|grimxkbr|d(sukuwga|gkchaiv)|jienyyvu|w(zgalafg|oavxktg)|qdnulupi|n(hnahihc|rwfxgqh)|mspbsaxf|h(truowtc|qehensl)|bxuqtlgu|awhqwvcx)|g(c(wgoigyw|fjcetzt|qlmfhrh)|m(bhdjwdw|zxkuycj)|n(uoqkoda|drejyio)|o(jjjoorw|t(hmsvke|pusfxj))|p(wptituq|xnbygql|ykbxvji)|ddqpqfvd|jabziwgc|qlplidzp|z(amvpzgr|ohozbqv)|ussvnfob|w(wmnrbqx|vmzbact)|b(euhhtsb|obgenhs))|m(g(yeqxmja|wwjagyk|avwfpsw)|qw(jqqtfm|ddptbw)|s(jqseyzx|tioyqwr)|mwtsecck|zfkuoazl|hofzwquj|adkhgqkh|u(kisqdlz|qstkzyf|gopdbkz)|dibxrnuu|y(qwhdmny|clfxbcb)|nrfqlkbq|ibhgomcx|kytojpiv|pvviiewj|o(vklqzvh|fplbcjf))|u(j(rnewgru|sbchzpg)|g(ykffcff|wrazyhp)|cnsrqlhv|d(mjnurxu|borfgbg)|itrihnoh|w(cqrbnto|llrmovp)|l(ibgwkbd|jnumuet)|nnvmiyga|mglmzrrz|fsdjvoot|bhgfypid|abjfcecm|uduwtjxq|vrxxqewe|pbcfmmvn|h(wsvzztr|orvewhx)|smajgdat)|z(t(lnyqtsf|ydtbmhh|hzooymr)|nsrkzsbb|ubpdhyck|xcbkiise|p(qfmbbwz|oogbhst)|a(xuvfxxx|bqrgsct)|lourgpav|qlzdyyfh|k(jleadfu|ypylogx)|ehbikxrx|vzkccgce|d(apgmkwg|xdyyzpy|lvyvplh|tximlti)|sprprcdd|fhqeewva|wwqvfkoc|cmfmbdwu)|j(g(mblkrof|qfxihvd)|vcwxhnao|q(wohbstm|xrytgyf|vgfdbiw)|m(cvabbra|arvoubi)|eryegazt|bxmsyhka|r(lplcqsm|aqdfwvx|zfmyeda|chtmxbo)|lwbweavy|fagiwtuq|xigpfsxo|txujgkhp|ucgfdqfa|oxerpnnr|acdrsyqm|ifctzetg)|w(ke(lxumkt|yzwitm)|qlkhorps|r(tfibjtc|bjdjvjs)|fujkgkcd|vjzjjram|s(dxvgzqn|onviujx|fzcmqxx)|guasynbt|l(pgvwvnu|sxibrdd)|wpqaxxbg|te(tmaswz|xxtfpz)|mg(gwzond|fgjees)|ydoeylrn|asvvjonu|xtkindjb|pinfqwmo|igiirmdp|jearswlr|hzgkcndg|zbtmmieu)|s(e(kxuawtj|bapyzsg|jujdflo)|yhxdqfzu|pxkyjpsp|lmxxkfui|usifhwoj|ccgpjtdk|f(atlwkcd|ewlklal)|tcukeeoc|abiyhgdd|rasskuda|nhjgwops|shfkoahq|q(bymkdlu|fhtowtw)|imokolbp|v(knmwyie|elsaaol)|h(wojufmc|lbgfeot)|mnlgsjpu)|v(o(icwucqw|fmocmvw)|x(v(qumjoc|gecsyk)|dazahar|fbicssh)|u(rfjdowl|prnipfp|vzmvoej|bcclgjn)|q(vmyxqhb|asonext)|fdmqjamn|lptlradr|r(qqvthca|griuxmr|bshnsvi)|ghchcznc|i(zrmmimz|kejyiyo)|p(cleywua|hsmcipo)|mtbxgfdc|eegkjwch|ckqonpkp)|r(o(fsfqige|mkeunpx)|rxtwxnlp|fcofxerm|cujzkuvv|j(xwaaely|ngmbdfh)|eukphbux|y(hhkmtfo|pubgdyb)|w(zzuadwm|gbxkzsz)|v(vvaupin|xxomymj|yvbvakt)|tdqveaty|gynsxfif|sl(mvvkcj|wytqmf)|hlugzarx|pmegwzet|zeoqnhng|bdsifqqc|dqnkrkfu)|f(k(pogcymz|odeckrz)|z(fwtgfhb|egzxsxh)|wdnvirbk|s(icwouag|hzxiadw)|a(rnwmror|nwvjqcy)|gcjtwxkp|thufmacq|u(bobeevo|pavdvgx)|qkrzyxet|i(koeoqpb|oxgproy)|yikjxexk|prgkkyrw|dvlwxoan|oetulxfq|rbztwizz|vljfktjq)|p(wmxtlivp|dkzbsybi|z(dqpugjo|mflulss)|h(vjhrcli|olmdvfl)|o(hqshdxt|kdwlvcb|tylhdas)|e(yjaczww|wkijoth)|i(axrlmkl|trfrbmd|btjbfio)|j(feglpxp|atgxzbf)|u(ymgdgmg|jlojqfg|vjauzak|htbquve)|xyryzdjq|nqaliunq|gaavckpq|tkdrifdh|yprgjtsi|amaqlwau)|k(x(jtfvhrk|nnibkvn|wnbwdsu)|qwlypfnp|l(aiapxxu|yzdbfri)|a(u(gdiqve|bwyddt)|tucywny)|v(cvhtfvl|awgraeb)|fbprhnmd|j(gqnkwag|locomsg|yoqaedp|xxityrz)|embqthte|r(mnkkezo|exykzdj)|hdrcmnvq|t(bdtudcw|jtldqvd)|p(znavaza|emmtgtv)|wtqzoyzw|srxlvgne|omkfaetb|zrjcldrx|ykfupoyq|ketavccj)|h(hxtrzwsc|k(qngsrny|pimltdx)|btktjkhu|nhupmlwj|afupygmj|y(lfgibyl|enlzsrc)|g(lkkkfmt|yskmtrw)|xsnqgfyp|i(x(txdbom|xjtehr)|dbztgea)|m(nzeokjm|xqryfhm)|tdzmuroi|dgomvvqz|uzvjafae|lpymyjty|p(muzaypz|hoghscy)|vipngmmh|qrgjwwrl)|e(wlipsafk|f(uckxobm|karxqij)|h(kqapqrm|ozqfvvk)|lncpwxyy|bysdondr|iqdumgch|tfgnmnwn|pnyngrsd|mzwxomzj|rxcbngvc|s(rfiwfhl|heqktos)|cczvhowu|xgcjlaad|onpjvyul|jkcoxnhg)|l(vztwptgf|pqzlodna|xftgxdrk|krkqdtgi|u(aurfmus|eoiylhh)|hknzvfqc|ghreeeag|yglifdba|rdyvsgqw|wyhkpzgh|jwuzhpxv|fovoidhl|qxpwwoow|n(wyssdnk|vytcrhk)|cbtplnfl|bomxbsql|soxrcrys|tqbuefsc)|i(h(ervmuar|qibohkz)|k(duytnuu|askloah|cafsoel|idholhh|qwmcklu)|slulelhm|j(hmxbnjy|bzaasaf)|ecredgag|cwkyjebi|utsuicvl|b(zoerucq|krtzwad)|v(ycsjqri|rkrvwfq)|m(ogizlkh|jnstrpy|edlotaq)|ievmweww|nabgsfcx|xutcqcgx|pdrymmsx|yonywopc|gpqzpmbi|fyjbbuqo)|y(i(uhjheiy|veiqvun|pecutka)|yrbteztv|z(qlioxry|yqsdzuz|wfysdky)|u(sgncpgt|qioohyd)|eavzvvca|mdofhaza|j(uhfgkwt|sdqqcxd|rixwrym)|hwfcvhrw|fcmpwmlx|o(xnxymlv|owiwuwa)|sokkftlj|c(tokzhjx|nnvjqun)|vbuxpssc|tpzjpzeg|aedwfuvk|lpxljkjz|xxeofdqo)|b(n(peqxzty|kkgfznz|gpsvtqq|ipztzfx)|gbxzyxid|l(wcmcjem|l(bygfcj|vzwqru)|yvgtryj)|fzozqkvx|hnumtvmk|jakxuoss|x(mfwfmfc|pqqcgce)|tvyiixyv|p(pbkmpjo|rznhvio)|y(mluhkdt|lzpmszt)|rddnubaq|vyyqkyno|sqnnnxgp|ekraekte|cztjnhqn|wgguvwpc|uciscbyi|bzbbpdqi)|q(p(citbeof|ruwbida)|i(bbefkmb|tertbuw|kyuobyx|nuerjgx)|hwsrdedg|yayqslla|vfqelewy|a(oonzsky|zwpncts|vpmehqb)|wqytityz|mhmkmhdf|t(kucwdpa|crdejss)|ftkyqbon|cafxpfos|q(xbuschv|wwnxsbj)|kvyzxuol|n(esfwtwe|agnfnmk)|oiztsbfu|zxqjuylw|rhumffxi|urghokoe)|t(g(sxuhnzy|fnfjwha|tgspohd)|cwxltmde|a(sulwdmj|bvltoas|asjckju)|hteglcgc|t(ayfnqfm|jjyvxmh)|vvheukpa|dkhaqcrq|fmyxzfrq|x(euhdkzn|cvglalv)|j(wshxrfd|rkcxemm|uhepswp)|pezjnlbw|ebuiwmel|yfscmcpk|bzeuawtz|nagofimk)|o(z(ufxkfvy|kwzhgex|f(eiihlo|zumjzm))|obipxpoe|x(utzklqv|fgrqrdd)|swliigov|ppmnemqr|n(ndgupqi|rhmeluh)|iipelfuk|wmavtaeo|cfcvbnsf|koxrhopf|qrxiuxmy|hvwleijk|moimujhm|urdpyaoy)|c(w(othxefk|nwfnkwf|zrldteq|qjlwbsy)|n(svuxmkw|inwwdoi)|vgdxowoy|f(cobuyjq|eihtsgb)|b(cibecmt|koncvne)|misyuccx|qbcznpzl|i(dsdpuii|ynwtsvx)|tdarsfyl|omirkiak|lobmlgzy|pqetpquu|clobayng|rxzrwqsn|zlroestf|uvepbyaz))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633078; rev:2;)
# sid 2633079 includes 841 (601 - 1200) 9 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: "/(w(t(e(tmaswz|xxtfpz)|kcrzwcn|jobooih)|m(g(gwzond|fgjees)|kcopyel)|s(onviujx|fzcmqxx|jlnncqk)|y(doeylrn|gqdunjd)|asvvjonu|x(tkindjb|o(crtqiq|jasdtk))|lsxibrdd|keyzwitm|p(infqwmo|fzkcamt|cnxfowb|ydsjzyl)|rbjdjvjs|ig(iirmdp|udlmpr)|j(earswlr|ftzmxao)|hzgkcndg|zbtmmieu|ocethroi|uhkkvvdn|vfjxkzls|q(muzslec|pwraccf)|fyhohsfg|c(yargywk|qxhnahp)|bisqlkqi|wjptdtio|nsrqidko|gslpsagu)|o(wmavtaeo|c(fcvbnsf|ktwqhbt)|koxrhopf|qrxiuxmy|h(vwleijk|xlgywyr)|zf(eiihlo|zumjzm)|moimujhm|u(rdpyaoy|ttprbol|vaarcki)|nrhmeluh|xjbpxluu|f(dncwxbf|sbiqrdc|lamnsjl|upwdeoe)|i(l(ofxlwa|sdnfis)|xjuxchk)|yrkfkyzv|ae(ekbfed|wzxdxy)|gohgmxof|ofkzkfha)|v(u(vzmvoej|bcclgjn|etmssjp)|i(zrmmimz|kejyiyo)|r(griuxmr|bshnsvi|sumfcor|hwilsbb)|p(cleywua|hsmcipo|jfdhtch)|mtbxgfdc|eegkjwch|x(fbicssh|hregbql)|c(kqonpkp|bmhzorr|dvuqihi)|q(asonext|yainnoj)|a(qtbruqs|vguwqtc|zhiuxkv)|f(etzauby|lgnsnht)|nnbzhhgt|s(lomirtr|beangby)|v(mdnwowr|nnsliyz|usjrqdg)|kenxbzbo|w(ivooers|copmpft)|ttgtmvvj|zaeyznjb|dqtzagcw)|d(t(ogebgwe|slapxya|uvvezqk)|u(enlkamm|nyixacs|pslopgh)|merykway|d(rkwfcvl|xmqnzze|soffmbf|nrtqdci)|j(gihqgpw|z(qjlzaw|ulzibs)|vslerur)|r(zvwuxgk|sdasxou|okavnzy|chxogre)|p(baopiwy|xfbugox)|e(obuxdbx|qhibzax)|o(avthqge|zofjdok)|g(awamysp|fdexcab)|yxthquvp|wb(skvdps|iddzbh)|s(ykkdupv|hhomecr|zozhogy)|ckcvilkh|voilrzqk|q(nxltlia|zucsons)|ffifakvc|xgmzydoa)|k(jxxityrz|a(ubwyddt|tucywny)|v(awgraeb|nkcxqcn|xvprubc)|s(rxlvgne|usmkcon)|omkfaetb|x(wnbwdsu|qeavitq)|p(emmtgtv|iajdeig)|z(rjcldrx|eqbdkbm)|r(exykzdj|oekqrdo)|ykfupoyq|ketavccj|t(yepamzw|flwvkta|nfoepyp)|i(zufgjwr|yqzdliu|ekzvtdz)|n(zanhpxz|sjqzcwb)|fyqohwir|mlyuwvya|chnenfpw|wqpxgmig|q(zoxsfwm|dlndank))|f(p(rgkkyrw|ntjdojh)|shzxiadw|d(vlwxoan|qlnjwxv)|o(etulxfq|hjgjtkg)|k(odeckrz|lybagga)|a(nwvjqcy|exiaeou|kjwezhe)|z(egzxsxh|tvbsxqa|yzkbits)|upavdvgx|i(oxgproy|bdelhxw|mxnhrei)|r(bztwizz|sjjzahh|ggnhtuw|qawjlzx)|v(ljfktjq|ekknund|wgwxykt)|bggeffsm|h(rgxqjsu|grrcbbq)|edmuciwq|ffqpsreo|y(pwjekwr|bzywiep)|miltyuid|cjijencw)|t(x(euhdkzn|cvglalv|yeveope|ucmdkma)|j(wshxrfd|rkcxemm|uhepswp|jgeukio)|p(ezjnlbw|woovnvj)|a(asjckju|yvsoasl)|ebuiwmel|y(fscmcpk|oezwwdi)|gtgspohd|t(j(jyvxmh|yypsvh)|ddeeabk)|bzeuawtz|n(agofimk|rujiwcv)|f(ggixjrg|lizosnq|ncbjwdn|amikwxq)|m(jwwozhl|zaiszvb|lhmtual)|v(slkfuwe|mdicneu|igfolyq|nlhzdtq)|rpaawddc|orjuecir|l(lpnlagb|jvbktsq)|wkoukugi)|s(i(mokolbp|unyviul|djbmsja)|v(knmwyie|elsaaol)|h(wojufmc|lbgfeot|ojvsfyp|zanipmq)|ejujdflo|mnlgsjpu|q(fhtowtw|aketgpk)|c(rssvnlj|ldagfig|mbshsae)|jtnkgvsq|yzjnqadt|r(hecfvsr|pxuhwmj)|lgpdnhpq|u(wqwgodr|rldonyx)|sjqbgpfj|x(pbyucyr|csylgve|mrsyxzt)|frbwapgl|ancnhukf|k(mfcrbsz|uwarizc|vzuctwq)|zqktxinu|tqntmvcs|paenraje)|h(t(dzmuroi|yrgjmer)|dgomvvqz|u(z(vjafae|divbvj)|drwlqcj|pgvolqk|ekbbbac)|lpymyjty|p(muzaypz|hoghscy)|m(xqryfhm|ayaaacg|earnvsq)|i(x(xjtehr|zckhbu)|dbztgea)|v(ipngmmh|xcznkzn|ggzrrci|wnsbzxk)|q(rgjwwrl|hefsjtz)|e(fedbism|qsokxwg|vcegkyi)|o(idemjyn|ldqijla)|zqymjiyc|auyjdzdg|x(hlrvisy|lwyykns)|j(ounrtmq|dsoovbn)|hfufauvc|fauaroym)|a(l(cwdqvyf|rxjmxha)|q(fstcmyf|srxacgx)|j(ocobwld|nlvulor)|y(kciffyt|rwfwuoh)|pyzoxtwh|vsfwxwat|bmbzmurc|m(ckoeips|ejkpsvn)|hzxahmgy|kbxzykgk|zwwswcie|ozcxspxm|thspgsma|ayhmtblm|nhxtjewx|g(jjoyaax|ergjgle)|xwkffcio|wwsakzwh)|q(cafxpfos|q(xbuschv|wwnxsbj|leeiymb)|kvyzxuol|n(esfwtwe|agnfnmk)|o(i(ztsbfu|wxbfbz)|ljaggax)|zxqjuylw|i(nuerjgx|ulotxgo|txgnjms)|rhumffxi|avpmehqb|u(rghokoe|zrnkkha|uthbfar|trpgyzl|hadtzhf)|d(bnnkbhk|gvyvwtx|fgjdtuo)|h(qqrdkbw|k(gvamaj|jjtjko))|m(kmumdpp|vheqsdm|tgphhep)|y(xjghmam|gctdqpz|wkywicn)|llondknm)|r(v(xxomymj|yvbvakt|t(yvpsvj|amwuej)|ofjfkmp|siihpsd)|hlugzarx|pmegwzet|zeoqnhng|b(dsifqqc|eemfgpc|qxfevjd)|y(pubgdyb|odthedw|mycucpd)|d(qnkrkfu|rekayem|ncdpikc|cjivkcv)|slwytqmf|x(mzyfczp|zwlrudg)|k(tyxszdl|ujfddvb)|l(woeqyhu|ospndbx)|f(yirhgto|adlgkii)|npxnbfsq|u(mygeghb|kfgiefx)|tullvmqc|aopvgklu|gjfqxgxe|qyoacqvd)|y(c(nnvjqun|budocqr|pzgukzm)|vbuxpssc|z(yqsdzuz|wfysdky|gjwysdx|tlfuewz)|j(sdqqcxd|rixwrym)|t(pzjpzeg|nviongu)|a(edwfuvk|uxsrgik)|l(pxljkjz|adbfyrq)|ipecutka|uqioohyd|o(owiwuwa|knphmcb)|x(xeofdqo|ubsjtmf|rxlbbyc)|etuferpg|rtgxkafn|yajfcpyg|sfeyipxr|q(ivpgdud|yexlgpz)|bgqfkbku|wvxfcjli|fkmxrsfw|pqhgbcgn)|z(e(hbikxrx|utuhuiv)|k(ypylogx|ruagipd)|v(zkccgce|acauded)|d(apgmkwg|xdyyzpy|lvyvplh|tximlti)|sprprcdd|fhqeewva|wwqvfkoc|cmfmbdwu|h(dbowmwh|vvdhrgz|gedbdhc)|iccpfiye|pguryppi|bcbdcofr|z(pwpxudo|ywwitdj)|l(cylypmx|mgketmo)|xajzsixs|ghenofwj|meyvilsn|qdixxicp|omoxhgrr)|u(jsbchzpg|h(wsvzztr|orvewhx)|w(llrmovp|nbqpigq)|smajgdat|mhscbibi|b(iilidur|ljczcsb)|itecyjld|rncrjehs|v(zenlbyj|mriwmfd)|zesgstlk|lwezewnj|urxwoqzg|psjmozhl|cuagteqt|ayputfkl|ngddjtmq|y(tfdooqx|ckmhxxr|rplunkl)|k(kiwslwz|emdqdwo)|fmhykxnc)|x(n(rwfxgqh|zuqhiov|eopmxcj)|m(spbsaxf|zlerahd|atfbrks|wgqilvi)|u(buzbxib|haakiqt|aqxyger)|h(truowtc|qehensl|vpsuyyl)|b(xuqtlgu|wjuijhl)|awhqwvcx|yeincmza|z(rvhztqh|copukja)|tjnnivsf|wnoidbho|ropdipih|cqjnmbsw|dhqnedcg|j(osrgwng|xwgcavz)|swobdong|xmqfwdhj|fjpirvwv)|b(l(yvgtryj|lvzwqru|nyfmfbi|ktrhaya)|e(kraekte|mjvdazb)|n(kkgfznz|gpsvtqq|ipztzfx)|c(ztjnhqn|jlhmzxc)|w(gguvwpc|ruptpap)|u(ciscbyi|rtozrco|leeopne)|b(zbbpdqi|sgimlfx)|p(rznhvio|uzhsuva)|ylzpmszt|k(cntlnze|fhdosxa)|f(v(hfsnpe|gjzeuy)|dfoptbr)|g(zrzlpka|fartwhy)|v(zlbgbls|nhvsrso|fwghmwo|qqtprrz|ypuoeql)|rmoshxxr|dmqfhjuy|i(b(bntugn|yzzejv)|zouegyd)|q(harlxbi|ymzvkbb)|seigjtct|twtqrquh)|c(lobmlgzy|pqetpquu|c(lobayng|kkxviad|oluhhor)|w(zrldteq|qjlwbsy)|i(ynwtsvx|qagwoey|dbtqaqq)|r(xzrwqsn|uyrqkqo)|z(lroestf|qnbrckc|zflgwuz)|b(koncvne|yjmgbdz)|uvepbyaz|f(eihtsgb|owtolui)|obsfwmhh|glruiohx|s(ykxdjdh|ljqxlnm|qrqlhrt)|m(bujbrbt|xzcabxh)|h(ivgvkbq|wlwydyq)|qhppwevq|kmjgonaz|tztuiagj|nhvdnnae|avuslfnz|eblgtzbq|xiqyhvrk)|i(k(cafsoel|idholhh|qwmcklu|pnqmcca|ujhduzh)|j(bzaasaf|rfsaeed)|m(jnstrpy|edlotaq)|x(utcqcgx|dnfarqd|xvafuyl)|p(drymmsx|aaurhzv|vwikkkf)|y(onywopc|tywqosv)|g(pqzpmbi|jjzuesj)|fyjbbuqo|vfdlcsqe|cmgsiqbu|t(dhlwtke|mjtejsl)|w(bwlcspj|gaxdscz)|slaiwcow|i(slvzxhn|vuypcez)|z(bmvloft|gjurviu)|hfoykixm|uixlaomy|ohtposyx|r(tygwabw|acprjzt)|bdidrwfh)|p(o(kdwlvcb|tylhdas|yebxbap)|u(htbquve|ushnxbt|lgdxjrx|agihddh)|t(kdrifdh|xphpezq)|i(btjbfio|fofjcfi)|yprgjtsi|zmflulss|a(maqlwau|wrasjpi)|k(puawcer|yrvvlkh)|mfbipnyx|e(i(rgldzn|pbusyt)|wixjqpt)|xxytakkv|bibjpkbm|ggeavdcw|q(dwbthxd|ewifury)|hpfwnjoj|sekqvurd|pdwbosrt|reyrmuls|cwwcnxfl)|j(u(cgfdqfa|dkjynmv|rowvhya|pztkswf)|oxerpnnr|a(cdrsyqm|bnutnss)|q(vgfdbiw|xarjjhs)|ifctzetg|r(zfmyeda|chtmxbo|fbiyyjt|uaqmedm)|p(b(nzgviy|uzuywm)|ayuccor)|cwxobonv|wuhfztfn|dxxbmgum|vwxjyqap|llvxljij|k(gthnfsc|projadr)|fkrpymwr|sxpgidir|nqtyryxe|h(cjpjbhv|avrehwo)|zzgedntk|y(mdgsuez|ktnnavf)|ekpedcsu|gapnnlhd|bdegbeug|tzyxpzjy)|g(c(qlmfhrh|kkhsgji)|p(xnbygql|ykbxvji)|wvmzbact|bobgenhs|o(tpusfxj|efxuebv|gpastjz|fjtkbco)|j(desfwbq|kdiukup)|m(nyggzid|kmtkxsn)|zyvybbdn|r(boroxtu|whwowup)|idahbxtq|e(rqbfkjh|kwujssk)|y(mubwodt|drygpjf)|godivbam|vmfgxtnf|trjneqsv|hjtamljm|qmtohhup)|l(n(wyssdnk|vytcrhk)|u(eoiylhh|rjcsrwj|yfytecc|phuprxk)|c(btplnfl|iczldid)|b(omxbsql|wxrmrix)|s(oxrcrys|papiycu)|t(qbuefsc|bpiedxm)|o(btbijrk|grrpsqo|puhdaqa|qnytxqu)|i(vmsrpor|rjbhhzi)|r(zzuzhda|mvadlzz)|yaoqfflt|f(rnacnfm|dgicxna)|pezeuxui|lhxlofxe|m(vvxbwwi|pnmxmbc)|vrtvekwc|jwinmhhz|dnlnovmr)|m(ibhgomcx|qwddptbw|kytojpiv|pvviiewj|o(vklqzvh|fplbcjf)|y(clfxbcb|bgievrt)|u(gopdbkz|auliqon)|s(tioyqwr|fugitcv)|g(avwfpsw|owqmcov)|r(ygdnlqk|fscvwnc)|fgupkfyj|c(snptjhx|rhhrozb|kadscku|glybipu)|x(ushkcme|qcwqjgf|dtizbgk)|h(xrvfwkz|buknepi)|jhkmsero|mbttqhew|djiyhdvj)|n(v(zxndccv|qbmacsq)|qnvpatbr|c(xkjhnob|pikaupk)|kcdsfqux|e(zuryiok|aakgtwp)|iagepuzp|xoucmehu|m(rrpyngs|zfrsiys)|bjofcoap|prhnglfj|s(mjpopir|excoaud)|jsixglcc|uxpvjhsm)|e(cczvhowu|x(gcjlaad|jwwcmnv|rvgmyvi)|o(npjvyul|mzbborr|xyamhln)|j(kcoxnhg|hmircva)|pxkssarq|t(yqweids|dwrgeqv)|uuwbhohl|ncvvmaqa|axbognai|fggmmkad|emkbeyqt|lyihcnsr|wukluubr|qlkzptyh|vlkzsbcd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633079; rev:2;)
# sid 2633080 includes 241 (1201 - 1442) 9 character domains in the ".cn" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.cn)"; content:"|09|";content:"|02|cn|00|";nocase;within: 12;pcre: "/(u(xypfousp|lnnhvqka|ho(ugmtis|krecym)|ifccsxmy|fftzfcsh|yhcqqiug)|s(trosdiiw|hkghwcjb|yjstcvtt|eumqibwj|whbgkrqa|ckefkkeo)|w(ivxrsrbq|zibcktqg|rrzifvor|fyflrlaz|n(ndkuech|fkkrybs)|uaokbcpe|b(grjdpbe|zcfbycj)|syrvheth)|y(cqfztvjc|tmtdrvzu|iyrxdaay|zvxvzktb|h(iwwjnfb|nvhjewv)|uaevfrjo|datuzghd|vgffopmk|xixxtzlk|ggdcsrvf|rvtjhwpu|ywsiajjf|wusbjsqu)|a(uqijpzec|xriqfoap|bulfqxdx|p(rhlfybx|czroavi|lazczsj)|abepihvt|vyjbspec|dtehvgul)|f(j(qbnovme|ljulvhz)|m(byeoweq|fcupfgo)|clzlhsay|thrhhldv|zbqbdgeh|x(dtfyvhs|vemkcvu|iknzzjl)|nnwpggfi|bvnsjmzu|lqhebgtm)|i(rduzovpl|m(sjvgntn|xfmcfka|ujmfltr)|hwapmtst|wlfpxthi|bwyghcuf|cmkvztvp|jztejiep|zkytbyzq|lmmabdtf|d(vsvzpgs|xqcdtyp)|vmxhoioh|ppvzytxp|qsbdmqww)|n(mxvxtjks|v(hkfqaet|ehzudlq)|urueairn|zrraljgq|xubebtsc|bpkiwsje|lrlersbj|qxyvnefb|knrtwqda|yjeeskpp|rbefzocm)|m(gwytnkpg|akesegtk|wwxideik|zjcjjcpw|tuuoegvy)|z(jancpfmn|rpimnpai|p(mszraeh|oyifyhr)|ydnvtxwh|zqbemvdi|aebemqqv|iwggjgxg)|l(ntvjypvv|kaekbtkp|fticskwz|erfqdpds|votulgoc|xvuczges|dibgteas|skotzzoc|ujugktxs|aujrcmle|wndmugnp)|k(iyxinpph|vewiojcs|abwrzijd|zfmxytgt|wsahltbr|pmebgdrl)|x(f(xpkwail|lunqmuc|vlpyvbj)|dgqpbgim)|o(mdstknhw|d(cdyxtgg|offidgv)|cnovcdcj|qkqzxnvh)|r(tpcxnokn|sjofajrl|dexbtmbl|qfoyamxm|i(ykwfjrk|chpmxwk)|lhfyufcj|bqeyruxb|rsdkbfam)|g(l(umtvyba|wxcypgw)|csivbjhr|qmutwgsb|ozuqcors|uotojjhc|h(bisgatz|upyevvu)|stjftjem|t(xvtgfba|rhyqbbo)|aaswpbvd)|p(hvdxfqjo|ohodfbmp|ukyoiemh|bwvqyhym|senkmrce|rldkvshr|aybebxmo|vvbseusa)|d(iwxdyvah|ckdihkic|mqnzowzn|hhxygqcy|ofladpyl|lvrnwjbd|yafftsaw|tdbsexab)|t(myioxhol|h(gjqfnzx|xmorjwb)|ovbtdytk|cnvrzsoa|qigeyopv|e(edbpapc|tvymfmr)|njxykvcx|vylshbwu)|h(m(xssvqth|zzplqca)|wajzxofa|qqrxsahy|gzupuzcr|tboibbyf|bfqkcvav)|j(dadbambi|nbashdbd|keayjkvf|wkzoouzo|vxurzrys|r(sdjrspa|egvzkah)|hxudgtrz|yqckvpce|szmwuysv)|v(csqnkewx|azzozceq|enomxidf|wcfpqfrp|bvitbmhj|qglwqhxb|yrdpkxdw|lglzmvzy|smhbxwsx|pupfwfmk|vtzlfhnr|flidjygs|dbnywvxm|iuqlgdkt)|q(bjmticet|h(vgmeqpr|tbsvyik)|sbqmahpf|uhegdsfm|rjmuecrh|yzvkyihx|jnpunowg)|b(ksvuabxv|m(sobnvbs|pixoyne)|xdegbpmw|tlzwmvhh|oxykfmos|agsaodfh|b(ywzxarj|ngawqzt)|qyyudofr)|e(d(dwqwqwg|myfzrmh)|jrdczcdk|qxwaasik|m(upuembs|xibkhtr)|i(crlhfpt|gptirte)|owqgjioe|aakqnaes|ejokoqeq)|c(vivriptz|ijzeqtqo|glmxnytd|n(omqrthn|jidtzmv)|esttveky|cgdbkzxk|kyrnlltb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633080; rev:2;)
# sid 2633081 includes 600 (0 - 600) 10 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: "/(o(v(dbkbanqw|zyblwvzu)|nkbmczckv|yggubqasc|e(quaoonss|dcrtgoox)|bcgrgazkk|ggpuxeuaj|rrzowsvqp|h(yezaobbu|i(dtymkyn|wcevdrg)|ggreqsly)|qnhyhxxho|w(adgmqojd|umdldueh|ownxumxk)|kwlyqatzk|dxekbohnv|iceryeyea|swblpfjbh|fcbzhgmmk)|p(z(zyxnzhuv|izvvfrok|aznhccwv)|gjknukenq|hveymfjym|p(rgolkdbs|hheamgbo)|q(jngnsbel|gbzoiiiv)|d(hktebvhy|zcugvdhs)|e(kpproksm|boykudxj|rnvpeubo)|o(lnhkgktp|rdtjaxob|xeaddsay)|b(cplwzisq|uustnags)|ymdpiqjfx|awdpzyxss|wwqwnnczz|lunhhbgqr|korzwiqsc)|a(y(rrajawlx|jcasjywv)|uazxosspu|ehlgprqjw|nzbfwdynp|r(invwzila|pxfaqanv)|jjzjxnuox|pibpbavkf|clsflfvww|dqpddbkzu|ldirpuwfr|g(lfpklboq|itllsvhk)|qshyoourn|otesshofc)|l(ofoagpxrg|velnxzbts|fbujarrjb|q(scspmfzu|yjipktvi)|cbhrimvzt|neiqlsasm|h(ewpdixzd|izjvwdrv|vfkjxycj)|wzqfyrlcc|ybarigref|z(khqnwqsw|uqkzfcxu|iygdyxlg)|sjwbozorn|b(iacffzyq|npylwiir)|ivsmwjoio|a(nxowfxnr|stzbejke)|tyacbkqso|dqdueejyw|mvupxhwje|kscliyyes)|t(y(bmxmebgc|gtbwppvt)|asograsgu|x(vjauhdpi|afmqvyws|wwukficq|gnzpsjkp)|c(akiwpexp|gvjypcey|evzrnoct)|rk(bvtaiss|mwpnxkd)|ponaceevy|i(mlpszfml|znitjqxg)|vkcnouqil|eczqikctz|zmamlgxay|fxjezhobs|bawzxjiuw|tjmfzgazw|segxszrdy|oourvdubh|k(srrfhqic|rwdwrtrf)|dfqvkrgqx)|y(o(ueojxlfs|fraowinr)|e(bmykujlp|yynjirdg)|svddoaqjz|tlaabbvua|fauzqzwga|i(nbdeirrv|pkvjmvri)|h(wxvlipse|vxzjerwn)|avrvrmcou|lxhoxokkz|zfnguwmtt|koisetbiy|bmsjjqwds|cizrxqjap|jwgaoxpix|rgqbfkwcs)|k(r(dvscmyrq|onzumfen|vqforlul|hzxdezpw)|g(omzdjpcp|dbqyivjq|atkvywpc)|t(adabcgvz|flsqaveh)|vtczcttcq|nirfwkcyk|ervuhfmwe|x(araewrxz|lrfkcbbm)|l(ckjsuvot|fgcfknnh)|ovrdxjeth|aylrrizzl|wrdqndouk|yevmncwbg|urpgctzwk|kvmqgzndt|bgccpelha|qqnquptch|zjxzqilmk|srsoyhalm|hjlzyxgcx)|h(l(mcbijktk|nisjbben)|iiunjaxwi|j(hfixzlou|uninikba)|m(mpzjjkgo|banogzpd)|b(gxrtnepn|hlaopuhs)|uhjktyzxq|vzjescdho|govxtukhi|ffitmvzgw|wojtvifhn|zlbqzeotz|crpwurnth|noqexinya|swelzzxdt|yzzogamlh)|r(dfarfyewl|ubakrlhjt|c(mgcfvvkz|rkteprhs)|v(miyrsaqg|ppzgujxz|kovijmkc)|yxsylvlpj|pybuzoriu|gtalqvdiq|mgqxrbyih)|j(ofgmkppnw|z(jqrkewes|gqmmhcjz)|jzfeqosqi|gselwboeg|nwrujrwjt|b(opginylf|eqqtzgwl)|v(c(fuhtqge|rjdirzf)|jezybyqq)|spgdqigvj|ycimwznbk|x(cgrdckcu|womarmdg)|ucqbyxtsu|dbdgnqaxs|awzbqdayn|rpfjcfalm|cohbhugmr|wzjpdzybm)|u(p(tiifohwz|jcspkige)|a(inuwyjfu|umovxgpi|earxyhci)|xpwokffox|s(lgnpouyv|mekbsxnf)|zlbopczyi|kawjzcupd|mikszednw|i(knneeauz|pbktpoky)|n(vpjbdyqi|ushoqlur)|r(ypzacugb|lwsnisgv)|tlgkgjyen|j(jpqaqgxu|xqsluegg|bmfurclu)|btnwvngdp|cjcpczygo|y(jdlpiunh|qxbukttm)|wztgzmubx|gzyvonhch|feqnbvcuq)|c(huhytigrt|uhdfxwnka|sozbudxtp|p(lqtlywip|ytkmhmxr|viobzfxw)|b(nvbiqyug|ummirbfd|mlrwhljt)|x(xwxhilkm|dezijzgm|ulobkeit)|j(whygmsty|tcbdegmn|bjvddacc)|t(rgcmkuiu|pakvlnsm|ilkgrmsb)|y(xfpqvzcq|wzufngfh)|kkgtfczla|m(wpysqjhy|gppjwkeb)|o(sbffhowh|unrczqkw)|emwdpyxaf|zvhsijays|lbokrccjc|dgpatgdzj|igfcixzeg)|i(x(tabspzby|egusrvpa)|q(plnyvpvq|kyqbscni|cbkcezvu|sdaxjskm)|g(zziwrshc|crfrqqud|kcemuzsl|helapcou)|nwdddufrs|vntyzuqnr|e(updxjuxi|ingfqkmo)|hk(dknfxxf|zhsbcav)|s(emevgkjs|wnhqckam)|f(cyywesqp|tcsxnvpu)|i(phefnefu|evubudwe|uncnfaxw)|k(hfxwdyuf|qupaxsjc|lbiplxvf)|c(tzskjcdt|ovzkxotn)|zgyopmusk|y(ivhwrqjk|koikpqxf)|urcoftzju|d(azwmqdfd|ichadqwj)|jv(idumzoa|fjyxmtl))|w(n(jhmyjhgb|anlxiakb)|hvkazjmli|c(gllrijxn|ifuedmmp|ufifwpgl)|d(bzsumsgx|mmfiujks|ufhxfuke)|zytuuwtpx|x(rxsiovwf|wemyyxdk|bengwvfp)|pflpqvbzz|ijyicesjj|m(xqdvtdsu|jiwnyevw)|y(wqsiczcj|xatifgas)|wlfqnytkk|svvuyqzwd|btdbabydy)|g(x(vhalimid|okxnjliw)|z(slzitroz|wrkmcxwi)|r(azxqyycf|mpjnggqg)|o(jkjqihzp|ukteuggk|aqvnumlg)|jinlljkbb|d(wrnrxkpz|kugcdwkm|esyqthfz)|u(urdkmyaw|hqdiivjb)|cnhbtentq|g(zxyiivcd|fjyqxcvr|obnqnhny)|y(mlazrlbk|aopsdndo)|bcxtjyxha|kaooizeej|wagzlkkqp)|q(e(rmmckdnm|xyisbtlj|bfcuihbe|wpwblqyp|qsydpsap)|algxgxllz|uzzvbzxjr|c(jzfglqwk|xfysecug)|lx(tlmquqp|dqpvpcd)|z(rggnrqst|wymnwlfq)|j(mfzqundc|bsxbqmeg)|t(ygzbkllw|zednzdpj)|xnfyvttcd|fyrlggeei|nozusdkjo|srbqqldgn|bjrvsfcav|gizkcyjfp|psblwpwww)|s(k(itrebbxc|rzdahhka)|hjxgnwqps|mlcantlnr|f(aytkyszf|pulswrra|yadpwcrj)|acfyagazq|w(pexexepi|nixkksxu|xfpgakgn)|jixpmmmdc|b(rqdyowtk|ilhpphnk)|oxcyoxjlt|g(yopqzipq|jznunyft)|vwxzmamgw|dnzejrarp|npminjjim|yvyvkthln|ptaheyzvf|tkougdgom|zqyagdzlt|rmbfkjcmn|sbonvmkjl|ukrkitalq)|e(e(xbwswtfj|qrmzfsgb|mlatvqjf|eecwqqir)|c(iirtzyru|tncqkiww)|tolzzzbtl|ufkfxcckk|nwznydaxv|s(slegoqsd|ofpjlqyl|qehowkal)|ajaztenhc|fkqpawrpy|d(ikktgffw|swskziww|manvhgum)|kircpbnlj|jjeretjii|rtbbjlbor|m(cjqebsqm|nnckadug)|iojteglzr|zdjyshzvr|vmbwtwsoy|qtyhwhbrk)|v(t(qsayantm|rfbfsmkp)|j(bpejqeum|hoatzxvv|owiauaxg)|euqlkomwl|w(ulbnrgku|syyxrbdd)|y(usgzyoen|bbyfndrf)|o(prjskkaq|azaxpjle|ucuyupfl|rxkfnkjy|ijgsklxv)|fzudkngym|b(tnkqxyxw|rweavhlf)|x(ajfjovji|dbsyembg)|h(foptcqyc|jtkyiuji)|n(jkyjjsjp|xbszjaqi)|v(eyjzawmv|fpofipyd)|pgbdnzctw|qytotijba|rdnijsjqs|zeokljpnr)|n(v(hutekouk|gwxifnsb)|coadkmcmj|f(bupqnetc|osylrppu)|k(csmjtwqy|mzwhfrcx)|e(wemwkafz|twmlowxb)|ncqysyepa|b(tgewdooo|xzglqffw)|wacxnhtjp|sbuabxjqc|ynkeeyyew|ttzgunacl|rgfbusrat|gnoumvclz|d(axbspquf|qyembfds|lbmeawxe))|d(zizyzmohp|kuyjavips|b(elugtnnf|hxdxefmy)|nipvewzoh|yprnbwnmw|q(qvzsqvot|pxzmctck|nwxiwvyh|sdzenljz)|pcuslcvds|wzilpnvdx|mpclcgjub|aqnajrolq|intigkyow|o(oacpxyrb|ritwbdhn)|exzjaxrvx|dqiqaetvo|clkeeeztn|hpvuakkih)|f(m(ambmyufd|jijsghsm|tgzcqpfo)|lbjsppmrd|wlthlbupc|jhoefrmdb|r(aoeuourm|grqpcptu|liyuxcej)|dopslagux|xgorcpafg|fyctqrjrq|ebrzbnvmz|tvpksyxbf|usmntsxjz|c(qzojnssf|drdbjbni)|hdvorcjcj|nofdijadj|ocdlapgxp|qymxnlacb)|z(eltfcskzj|w(vkcvmwjv|pcnuendz)|i(s(jbcbstm|uoidemw)|zhqhsmsc)|lamablafs|yqeqalrjd|d(sqfwznva|cvkpmfoj)|m(opsksajh|sdobwlay)|o(dysbatnb|agmstwyz)|z(fpkynaml|acyxdnqp)|g(swvspqqo|oaewagul)|a(xwljozsk|vrgmzgre)|tajzcyxnf|fzrrwmnuz|ryhebhnmb)|m(oiyvhyjmr|k(efldcvdy|gsgignht)|pvpjoxdox|s(rdyogbsk|aocxnrnf)|h(twrkeyft|fwvzeogq)|dakmjhfrj|abacgdzoa|naraevqmp|q(alahfczw|bgdufhki)|j(dcwdshop|sqidwjob)|guuyocgqu|zexmyxjvb)|b(f(mkknnlcg|khsbvscw)|g(bpcesftj|qjtpukru)|e(zacswoae|wqrurdvy|bzairrhn)|uqemfuyis|jctqybzpe|hkmnlooiy|ootzvkhes|qsjlqaeqg|yewwcnjxk|pphbfwyco|w(yakypjbi|lctnpvma)|z(cvkcteba|vijwfjzi)|bxwilkego|sbcfnetaj)|x(zyijkpxgw|uqcbpqhjk|g(zytbkenv|apsefakf|xbukvmls)|d(acupquqz|czdiheji)|f(azpohdqh|saeoktzh|wqnpjfzj)|i(xuqlwrex|ljlmdzoz|rccdtgfg)|l(jyonrvgy|nqpnxtfq)|abntimrwb|eujcndzqc|sfxxitlsr|cziddjoos|mzssuqhrt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633081; rev:2;)
# sid 2633082 includes 806 (601 - 1200) 10 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: "/(c(zvhsijays|mgppjwkeb|bmlrwhljt|o(unrczqkw|sogxqozm)|p(ytkmhmxr|viobzfxw)|l(bokrccjc|hlkatzol|dgjqjonm)|tilkgrmsb|d(gpatgdzj|otfmkicg|minkslaw)|igfcixzeg|v(icmeiaxi|envaowwu)|s(xvokvrwk|jkxujjdx)|n(llaudjsb|teytgcim)|elaxjrbht|g(ztcgxvta|raavdlyp)|k(nggkexuk|bpbhvzor|fwrpodze|ocomhlbr)|jsvtuhrgd|c(dunvfexy|yvrgahnu|n(odbawiu|ycxunyz))|r(kzogmbxz|ekyazhof)|qxxcpmkds|xmxvaljce|ysveexuqr|whnocayms)|p(zaznhccwv|buustnags|e(boykudxj|rnvpeubo|zzxftfnl)|oxeaddsay|l(unhhbgqr|ndjgpcqd|gfhjrqdp)|p(hheamgbo|ctgtwlcx|seogdywd|qubvkgte|mypedgpx)|q(gbzoiiiv|zdrkfxmj|csvgwkip)|d(zcugvdhs|phhrxlfd)|korzwiqsc|m(uqkraajj|ewxtyetz)|w(guvedihf|wiuzfmeo)|f(zrkcudbs|czfkqepe|hdfhhwnh)|i(nopuwdmm|iwkvpkfy)|u(cmfuotqn|imtlqhzd)|njvwtpbzz|xdndnygsn|ygkifuxue|clfhuehhd|amfhmexdo|hllrqeaad)|g(yaopsdndo|r(mpjnggqg|imnquvox)|k(aooizeej|hovsqsnv|xwztbtsg)|o(ukteuggk|aqvnumlg)|g(obnqnhny|hhnpzxac)|w(agzlkkqp|xyerzlne)|d(e(syqthfz|zvsllle)|jtmpozgp)|jjuvigsns|e(dtghgrip|styeoasv)|msvyyxnbx|p(tixgmvzy|usnmcfkl)|snptjdwme|vzfjilkcu|bsesofblg|zgmnfkzzd)|k(kvmqgzndt|bgccpelha|r(vqforlul|hzxdezpw)|q(qnquptch|jyswwgqr|ssgakkpa|lrdckgok)|l(fgcfknnh|sgwyuyni|atbhflcs|rbgjhwkj)|g(a(tkvywpc|gpjqiaa)|djtebrnx)|zjxzqilmk|s(rsoyhalm|sznzbhwu|owbjckqp)|h(jlzyxgcx|xduzsxqr)|djwuyeiut|udikptmxd|ijzjwixqj|f(vlqarjmq|cvhjixbi)|wnivrkcao|x(xrglwgsm|oqzpkzzd)|arzsjhuvn|mzyeodblb|oyuusloei|ynatouxfi|vrhwpcftf)|j(awzbqdayn|r(pfjcfalm|wrbmscnc)|x(womarmdg|zemlrfho|ulmjfxju|jvzievgb)|c(ohbhugmr|zchatoiy)|vjezybyqq|w(zjpdzybm|dwhzgcev)|u(jxgkwzbc|clsczjip)|y(qailmklt|jajzmcko)|pkrracnzw|sspfztnht|f(vscyklwj|ofqkitoa)|tgbzomvtd|iuuneepfo|borfvopyp|gylqwsvnd|nszzzydkb)|s(z(qyagdzlt|fgminpyb|u(cimzxlq|qskjizv))|krzdahhka|r(mbfkjcmn|gvorqcgh)|w(xfpgakgn|jqqmnlwy|gclwulnc)|f(yadpwcrj|bmrkxnun)|sbonvmkjl|ukrkitalq|j(ttstdmve|utzwqzpy|zqsplqez|luahoytl)|xjlhelnrp|g(fkuxdugj|uqbpbnlu|mocbsebd)|m(gopbueby|njbbqwua)|ofogptosp|vsiewihsg|n(mwlbywcp|pmrtmouu|emefpsrj)|e(tlazfjfi|goawysoy)|lumsvzgdt)|z(o(agmstwyz|jtqpekwf|ysrfzfmd|vneaflcj|kjxdagcp)|goaewagul|a(xwljozsk|vrgmzgre|smgdeddv)|d(cvkpmfoj|fdtjswzn|sjewxxgw)|t(a(jzcyxnf|gvceiuw)|shnvphfn|xslnpnpq)|f(zrrwmnuz|jrdkezar|cunjehel|izgbzysy)|i(suoidemw|mkuwxzqu)|r(yhebhnmb|vabaekbr)|zacyxdnqp|hrwbkhxum|s(jyzrdtbo|nzeazlzu|lvicbaes)|cybgmtogx|prwgnbiav|ufethiwkb)|f(rliyuxcej|fyctqrjrq|mtgzcqpfo|e(brzbnvmz|ncyejdgs)|t(vpksyxbf|dlespnuz|ixgaibii)|u(smntsxjz|vmausmzv)|c(qzojnssf|drdbjbni)|hd(vorcjcj|kojnpwd)|n(ofdijadj|qwwggaqv|pjemiykv|calaorot)|o(c(dlapgxp|yzjjajy)|lempkhkx)|q(ymxnlacb|farroudo)|kuwvqskxp|g(ozbpxfgj|ahzcfdsf|tfhjizvv)|y(vwsdpbpj|feghinom)|x(sdxssbmg|qvyuqnuh)|lvqcloofb|srcutozez|diqffdhni|vpbdmzoie|bdymcbzpl)|h(b(hlaopuhs|lvxlplrk)|c(rpwurnth|xtbedgvz|audrcdhs)|m(banogzpd|pnomzzvq)|n(oqexinya|xqqrdkhc)|s(welzzxdt|gakoqzco|mtyjelft)|y(zzogamlh|psnioluq|tkboqsbh)|j(xajhhwcg|camzoylz)|k(xchwktjj|owquuprv)|rjdbkraso|o(gbvfxfvc|trkrhqiy)|d(mlqlejnn|jhrzvpzi)|p(mrgjgqsn|nqjfmzyg)|a(exxeqcoq|coxuovrm|twbklylh)|inketrnso)|r(vkovijmkc|p(ybuzoriu|vwbpxgbd)|gtalqvdiq|mgqxrbyih|c(rkteprhs|yimutglo|paulqjjh)|f(lqrvdydx|axepebei|tvvxzuma)|l(fwtkpfei|lkpsrdzd|nghlpwya|ysjiruaq)|k(vtreqout|gvdsqhqz)|subvqjzou|h(wgewciqw|qjcwzxme)|jsnrqsvhv|y(krwgugpz|ovkznzxh)|e(jnvgjihq|oifotoqv|hkmzpzdb)|ahoxrmmwd|o(zdgjpkhg|lqdztggm)|wyycnijfn|ntfuatxxt|twwocqtho)|b(p(phbfwyco|vghildzw|scrshvjv)|e(bzairrhn|fitbioxj)|w(yakypjbi|lctnpvma)|z(cvkcteba|vijwfjzi|arubarky)|bxwilkego|sbcfnetaj|qvhcukihk|famqifcpn|iz(wycgrhk|oeuzyhf)|gbwtprimh|uhcxwnooq|tmtldorfa|n(fvwasuwt|rxvftdof)|dsaibhvfn|vxjdlykcr|ckyynffmq|j(clvpdkvx|mkcxrxsm)|yhtaaomxn)|e(j(jeretjii|tgmpfyia)|s(ofpjlqyl|qehowkal|hdnfajbc)|r(tbbjlbor|gbusgnzz)|e(mlatvqjf|eecwqqir|dbuwjjcb|abegzrrv)|m(cjqebsqm|nnckadug)|iojteglzr|c(tncqkiww|kturxkqe|jnnwonrt|fycgmxar|uviwrfuv)|zdjyshzvr|v(mbwtwsoy|taypsnoy)|qtyhwhbrk|d(ghljswcg|amwuqklp|fckblhtk)|bppndxdss|oqkrtbkbi|adxufvikl|x(nwpuwvfk|wfrwvkaf|xdtwiips)|u(fwwvdqtv|vrubtlca|kyzdiqsu)|twoswjicx)|l(t(yacbkqso|flxetpkd)|z(uqkzfcxu|iygdyxlg|ddtxbzab)|astzbejke|b(npylwiir|kxgijhbt)|d(qdueejyw|hhxmyjow)|h(vfkjxycj|pkkykqpq)|mvupxhwje|k(scliyyes|iyghxlab)|etobpzzeu|x(vyizvsgz|wiskpnun)|jrbkqcrqi|fdethnurv|vxyhardtw|umpuhfnfu|n(timtmspd|mlxiqibw)|phyxehcyt|oecffvddt)|q(j(bsxbqmeg|cizgjeiz)|e(qsydpsap|dygyswwi)|bjrvsfcav|g(izkcyjfp|mfahzgbg|tudteztx)|l(xdqpvpcd|jgdvebqu|igmkchhc)|psblwpwww|w(rocvcxdj|vqrjhnbz)|q(fbclwcmc|yxwtboub|actcvomm|wkzcpsno|ducwsfuo)|k(gijkydyg|isagikpl)|ibutqkqkp|r(jesiarra|wlvhjrdm)|vsmrqmdrm|x(prmubwlh|d(tkailif|kkpacly)|akwwpnvg)|n(muxfagss|ymsptadb)|ccycfemyx|s(pxquvama|tjafioia|rargssfr)|oc(tmehqyz|hayinrp)|zxsmmypxz|a(rtvdixrt|inzgafzw)|mpoteqwwt)|a(l(dirpuwfr|xdlpabmk)|g(lfpklboq|itllsvhk|pmueqfdc)|qshyoourn|rpxfaqanv|o(tesshofc|hduzterh|jjsjohjk)|k(demewaha|svgclehi|fycdwkvm|rlkbkgni)|zejslyklk|axqgubgfm|vnefvdcwv|x(xkrpffbz|shpooexi)|inlkepnfg|m(diajaoqb|ugywcmxm|inufrktg)|j(dfjwvhxa|zsepbrvi|mptwbxxq)|cvkbvaqxw|duzcplrnh|trycpwzjt|p(rsrnyxky|zjthtgem|wujxhdon)|sfmdxrzev|fqzctkkmv|y(mkawjjwi|qdlnkscf)|bbzctrtoc|efnnqqixg)|i(ghelapcou|i(evubudwe|uncnfaxw)|d(a(zwmqdfd|rkgrzhm)|ichadqwj|snrxtont)|j(v(idumzoa|fjyxmtl)|cjriebie)|covzkxotn|k(lbiplxvf|kmgheuwe)|f(tcsxnvpu|wiqezvgb|iqnevpvk)|q(cbkcezvu|sdaxjskm)|ykoikpqxf|swnhqckam|bgrpnmgxy|v(mcoopwfn|efwxsort)|aanqrztww|e(gmqjagse|urijyybq|oetffwdg)|x(ukhcopiz|yrdopemq)|wtszjapvv|moifcehdu|lpnlwdlow|h(qrjgfqui|mlzcsjgf)|nkixixaij)|u(b(tnwvngdp|hdwniafe|qnrttyyo)|cjcpczygo|y(jdlpiunh|qxbukttm|bxdkdvak)|w(ztgzmubx|qdsnnzdz|coplvzzb)|gzyvonhch|r(lwsnisgv|rynkzekt)|feqnbvcuq|aearxyhci|ppdtucejy|u(dobpkzdj|wzxgbpqy|cukrlngn)|tgsbyoghv|x(bebkkqmk|hayeqpxq)|jkttvkqqs|ojrxrwjni|d(grwqiuen|kdexszxw|nmwbsctk)|mwebqgphv|vehavkbkl|i(ltymjbqx|scwssozm)|skzpollgq)|n(t(tzgunacl|gedbhitt)|vgwxifnsb|rgfbusrat|g(noumvclz|mgevttdg|ynejmroz)|b(xzglqffw|ttzzqwxe|blitekkn)|d(axbspquf|qyembfds|lbmeawxe)|fosylrppu|chkdgrcso|p(kwroypuw|cfwdyvvs)|agptokvmn|uxkievael|hyxvsewnw|sxknijhli|m(bbkkxlll|owtbkpjb)|kxqkfqqyx|xspqktyro|lifghkxvx|zdvcnxamb|nelstinsi|wtltwmcrh)|d(o(oacpxyrb|ritwbdhn)|e(xzjaxrvx|spphbned|awffqtjq|cmxgwovp)|d(qiqaetvo|e(imaxsky|sjwynxh))|clkeeeztn|hpvuakkih|v(rtfgspqe|uhexhnbm)|i(k(vlqgknf|jwkrnov)|msobzulu|hmyunxaz)|u(hfrrysnd|vmshhbxr)|affqyxruk|mpernavil|gjhsbqujc|qaylzgdef|zparllpgn|yjigdejco|r(tfocskxq|magrxolf)|w(zvtzaxsi|emdgmkxn)|nqcspwyns)|t(s(egxszrdy|ygzdmafq|tmsdqehb)|o(ourvdubh|vcmgmsjx|xsippxbi|kkljxdrm)|c(evzrnoct|airedfgy|wqljgnfz)|k(srrfhqic|rwdwrtrf)|xgnzpsjkp|dfqvkrgqx|g(giarzdow|jpuvfjwh|vbjlcfej)|liyfvmgtn|ppuhpbnfr|aliyodsor|ihlqoxcvb|nwgzesgbq|m(qejjwxxa|ccpmzhkf)|qxturzfvv|j(nhivdeeu|vvkijgga)|vglalhnfw|wnwlxhkia|uzztrdthd|yivyfwtaj|hfltbiwmo)|x(s(fxxitlsr|yqgqzbus)|cziddjoos|m(zssuqhrt|dvzgymuz|ctgjpflf|yblkhlkk)|lnqpnxtfq|gxbukvmls|u(xjufkvyr|rzwaroke)|xfbkmxtca|zymnpbywv|flnsdzbgl|v(uvpuuudv|igcshthi)|rkgvwifol|qoivqhjsp|dvwftalqz|hjtvdynfn|b(psrehkeb|jgyfirzb|wwyorqsv)|ylbswaddr|wbeljngcp)|v(b(rweavhlf|uufiqsaa)|v(eyjzawmv|fpofipyd|gpelylag)|pgbdnzctw|q(ytotijba|idpxenpn)|rdnijsjqs|t(r(fbfsmkp|zjbilcb)|wnjdvbob)|oijgsklxv|zeokljpnr|ijwhudzwe|xsnqnzhgl|h(cxmvevcc|tpiirddl)|cuiwjuxxs|k(qieqptln|wmjysckw|rbfftoru)|mnodbqzjy|egstbrqgl|snobqvvnw)|m(q(alahfczw|bgdufhki|srydbkrn|klzodtzq)|j(dcwdshop|sqidwjob)|h(fwvzeogq|iyluence|nmqcdybm|jujiurkk)|guu(yocgqu|rdduja)|z(exmyxjvb|gkkdwquc)|r(rvmbhfbs|tczavfuz|hbdolegq)|bnzawmwrt|elerqenkh|csnpliekv|l(uciuqhaz|dvrejhmx)|tcxavpqqu|wpurfiduj|m(gypffgzf|qzsiaptd)|dgcznumvc|pbupphvnw)|w(nanlxiakb|d(mmfiujks|ufhxfuke)|yxatifgas|svvuyqzwd|b(tdbabydy|rlfnuhef)|w(bcpxjmpy|uxgtqbcn)|vfuetusyx|k(qjhplbpf|aajfsczy)|iqndfnbki|pp(qucecck|uxlslmf)|j(mdhzwtqt|ovtdhxfn)|t(xgpjcbrv|lggzhrzu)|uqwnfqjez|en(unuhicq|ypcohab)|zcyekogun|o(bwaeopmy|edplqlaz)|czpuujoys|mygbhsrrm)|y(jwgaoxpix|rgqbfkwcs|adpqrarfz|uhzxdvbdv|q(gjyqurwc|qqcyhltb)|nkynctpkd|o(vrjkcfty|mvixobvr)|dsktpmayx|p(mkpfdlnn|xemijisi|ytwkvkim)|l(vpabwxcd|cifqglml|ebrpvnok)|gvkfwxfdl|yvwpapxgd|zjwlsqwbh|s(nqwbfklc|zcbuggid)|hsxantzrz|fqclmfjki|k(oygikvdi|ssxkrmxh)|bkvlkgggx|vpukrnsnt)|o(i(ceryeyea|dysqqpnk|jsjtwtyl)|v(zyblwvzu|kpphrmqa|ayhysxhx)|swblpfjbh|fcbzhgmmk|w(umdldueh|ownxumxk)|yxnonarjt|a(ucwsixar|xtymeoiq|qgyudxmn)|ngajamngf|rcjrppltv|e(hehjvdzu|lmmpkehp)|tzjzvzrka|qakqpkjst|d(jonptgqh|baxyqwvy|htvaylwe)|ujmhhkcge|llwnuxsbv|heinenayc))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633082; rev:2;)
# sid 2633083 includes 206 (1201 - 1407) 10 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.com)"; content:"|0a|";content:"|03|com|00|";nocase;within: 13;pcre: "/(f(i(nqhkgzmb|erqlmckb)|jjmnazdfk|l(utfpnrza|grqpeuca)|udoxpnbkd|ovwncqxsl|nnnfvivvp|awojmkfzx|wnlsqpcao)|y(a(qponewmh|mqvccvzg)|p(ogzlqhsz|ztveuhie)|tzlzyuwha|hysfirgij|uyyfrwwer|zvbzgtvwi|vgqhvdzfz|eqgtvrlmz|soctwvnob|mbnqpybpf|nzbbwryxd)|e(nfqfmoxnh|ydpepxlan|ljamtbzpv|ghnzkshoj|jvqqhweaf|pewudikhc|imtghylwq|ccxashxqp|qldihfhky)|j(bxgrjfovc|tmqpvhcqf|w(xhwosysu|kpynfzft|prxtmsfa|icskgemy)|ymxruhvkv|owsoopxlt)|d(uhotzmfay|jwdjorjfq|twstzkbrr|ohigobzpu|piqcbaizv|gqtxspcxz|wqagzulcg|hvtnzfivd)|w(lpidkggqm|o(aefbqzum|dvqtroff)|gnwptexth|bckmadyvm)|m(xdnomolzy|m(oczybprb|ehcbdwsq)|qyddozgmb|gxzmlwxdk|epfvmzwet|ljxeipjah|fnjbcoijy|holsakcaj|wkrfwoixe)|a(rziqpywwb|lkxvaptvs|ocorhondd|ftyhpdfsz|sifnbowop|bfixwxftu|j(aqmhfckl|yxnhnrmd)|ykbcmtasc)|x(xalpwjpxg|yvoeysqgx|mzrierdka|kosyosyrm|uadsorpxd|t(esoeeeye|jgypbdlm|zneqfagr|sehoaove)|riugzyivr|afbhiwxej)|g(umxvoesjg|m(zexsbcct|vamlphwf)|iqwyjtcdp|fgveugara|sfaklnlua|zvszwzicz)|c(xebstdkvn|fserftnou|hxmkzbjrv|svanztnfs|pnudemhzq|jntjherqg)|b(lzlbboqby|rxfbtwzxq|smrrrcrsb)|k(gjtrudpun|eoruionpb|onxzriqce|qyxudivsu|sleqnbgyl|nfngtmsbt|vozsowvnw)|s(n(rsdiqlwn|ablorgzp)|gvzaxubyb|ptrhoxqkt|hpykbdzfk)|n(b(ftpalrld|tkqypqai)|y(zbgewcmv|tzciqvgp)|sckyasuuo|emzoajtxw|tbshtkwgb|ncnptwaen|jawrandva)|u(pcmlutiiq|jejooundq|qjkdpadoz|ydkzzjmie|nrnkibwqq|h(ordgslwr|xwlkufqj)|cgokkzssa|vdmlotaiy)|r(zgffapkxq|yxnqgrfqd|tvapytiyl|dqowtnvcd|lddnspbds|xyguluvot|ozwjzyppe|mbmwxazwf)|i(vzgpxusxs|g(whixwuyf|yoppbxeg)|qtdcmgjne|aqljjahwy|hqhsazzai|ytfqeqzfp)|t(n(hqtzyqtp|ptkkdfxh)|flgxlfetk|vhdfvsyvs|svvvpaith|xpmchssyu|prdixvdqd|mvvbbiobf)|h(rlixipova|pjdkcbawe|fnyntcild|iagpzlyyb|zkpchkkhj|m(afenhagd|zduivdyp)|jeblbfpus|tkmgkpxwn)|l(o(staymbjj|zvgelaam)|c(dmedmiig|baksmoer)|qddvtkdvw|sfqlzhjtd|vbfebbvap|tzbaoqscv|pgjpeudho|msvoflgje|lgmujuonp|hkgsjnnht)|p(j(pdsjzgzz|eqnuihrd)|kadzkgiyq|lbfrxbdfy|znelrqung|medmnqneg)|q(uztkdmzmb|kwhzjnsgw|x(nmfdabdl|mdyxmman)|cocbooser|sbyqozbjr)|v(wmeynlrzd|uinozjcue|b(whhlfafi|tpsezsky)|cihmwjgfw|vawpcafno|xxeetfvwj|tetrajogp|rsunjwkzy|mxucogslf|kehsmcugs|yaobomwqh|ofcuveuzb)|z(ghhcxtywv|ieydvlfbw|ruovikvuv|nnygicsfa)|o(cskwxyvzj|nntqgkaks|ipkphnjwz|dwimfwvsa))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633083; rev:2;)
# sid 2633084 includes 600 (0 - 600) 11 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: "/(e(e(hjecijbcw|xagjppurs|mgjqecdyf)|p(szlboyjav|cbnlgnnzh|ncvgvcymq|pmrknypwn)|tntiojqfkm|m(alciiwslg|sv(bmghpgq|dsdrfht)|igffwsrrr)|vbaybefdyi|b(worpikrnk|hkphavwpj)|xaeiiadxsj|nl(cjfyhsof|rvokhilj)|o(tvrhyvpvy|hhoteahda)|cfikozltje|z(pmjbqsxyd|kqedqfztu)|iwbhczybyh|ssxihddrwp|hcjswlidev|g(idphohhsh|plzedleme)|wfzcbitplz|aqvtckjfbf)|z(j(jcnghtssj|ulwtotzkz)|w(bpqfzokhx|ayugpormq)|c(uvqlwffbk|krojhjnik|haownhyus)|g(pgpytdvbk|qokcfzlgu|tqsgngbug)|ohhxpuxvvb|kwtugxacpj|mhrlohgoup|eceibiznxb|qmabhxujbv|h(okrhayybm|svhztzpsb)|a(neuzadebb|whahbdlcx)|y(scnzfziwt|yshowrrjk)|xguntwxntz|natgkmxqvx|fngqczgzgy)|n(tl(ovbnjxmv|rhngsfbu)|m(kmhgrkddt|zbevbfsmd|xtrtmqytd)|l(idhvejugi|btawmrbge|ymhejtemn)|j(qplxomjid|vychptzgf)|fpckqeooto|iaryqetwbd|podydzincx|baysmqbxpq|ofwgltqlem|n(ufvzdmliq|zttmbsbdw)|hrcbfeariv|uwnclebnli)|q(j(ofdixzldq|bzrokbxjw)|zooymslxej|v(kscmdvrcg|oxepfyfur|nfaywhwhw)|c(ovgdpkpof|czqdwvbul)|xwtrgyngip|r(tvsltukyk|gwkxtrpyx)|igjmagmuoc|lpoqlbliuj|sayfwfvvrb|wnseonbpqg|yrtrpbpfkr|g(dbibgvtvx|kvxgwrqfb)|ksxmcecord|e(wwcdqykpp|fpkggiigl)|q(naurjqmmj|dxkwidofg)|oduztlllft|h(ioaiopooh|gsohmvdil))|h(qcenmglolb|y(hpgkquybw|uujlinnza)|uxuvcvprnb|v(whnogvlph|pxklxpqkv|tmtbebwzn)|svozcbknwn|z(vpraiwvsh|bvglzhrye)|emuteulhzm|dfdaqzfuug|grzqoiuhxo|l(bndiehelk|koezqxkrt|jwiwlhibx)|aopiokcujj|rbmpkvkasd|j(wfffidttz|suhmxerpx|uafelwaja)|c(duzoeqzar|ybdzbuyag)|iyqtjqffrn|byubmgmgok|kwrhqbfdeh)|x(izvsbwdslx|v(bdhhixpyw|pwszokmhl)|hm(ytzlxrvx|seehlnfj)|q(hvowqnieh|femrxcott|wvxgdetmq)|e(jbrwxvtuu|dlzojhkwe|ejrgowcyl|oimuuufuc)|y(e(sixpooor|lnwfrrxg)|xcsukifhh)|ljykmamzqj|jmsuawqqxr|uydvngktqp|dmdbstyqhy|mnceqsouiu)|p(y(bbdzvtkrb|ivnymymik|zqxphcqco)|rfqwjkvujj|tkbgzhoepi|jfjssaalvm|oeowtufpqu|m(yavedgkdw|qtpgruaxt)|a(zvhqurgtp|yiizpazkb|mmodalhvi)|u(otnqwxehl|cxxofxwpy)|itqdfmalct|g(nagheqauq|jvvhfilqd)|fyntmfjgwh|zitkhcewzb|cbdikkyzpc)|s(u(sfrpkmrzt|vagvtvgpm)|h(t(ljcojrwy|tnafuivg)|oiserbdcg|giqnoyrdy)|e(jqbfmfqqi|vpprzyvmu)|siyljaqkgb|p(ytawaenht|nvygspmcd)|bqowzydntu|ygjipyyozq|n(vklffpueg|txwdytxpx|rhzlsvzuh)|o(jtiyphkid|aflmpywku|emfnzound)|a(dhcncusxr|apuauggdv)|zanofgoacr|cksjcbmtbz|dmeidxcmlv|llhdmtubgb|t(ajbzmjxyt|zzlahkyhy)|qbbormwgaz)|v(ssysrvxbnx|ao(kvsvfjch|ghqxyybx)|bbwnnppezc|j(vahzrxfvy|sbdcdsllb)|x(ktprmuvqy|mploukihf)|dhcixylvws|c(qrcqquuvn|fsppatujq)|l(avkxblljl|wemujcvjz)|q(iwalemauc|ouxuylewm)|goozaigjup|typcmdkcqu|fznmwonnco)|y(c(waxmngnej|mtlqbpmlh|jzuscgpwd)|epdtgzuezz|j(pcexjxqug|thkkckwkx)|atjrfxouxi|xuchizbazl|l(ykfdtdbot|mqvzpdgyb)|w(stqpztdkj|oufuenvae|lvpxuzuvs|rcggcrhwt)|nbrcsthxfo|g(hbvjuaobd|yhewzubvl|rsvknwktb|ihtyaaiaz)|degjdlukco|k(ngviogcsh|sltojevwc|ywftwssjc)|mucxcpjxea|oxrxdejfoz|sbicpwdzdh|uytkpodguk|tlslhujbex|bihllfqqik|rebbormnoc)|g(r(doesavpcf|uovxgkbxm|ctmtbpxpe)|tpiiquxowt|zgtpxmgmbm|cnt(lbtqmwh|kesmnzu)|ocrjzqzxpj|glgmyssqls|dieefcxgfk|h(ewflhlbsp|ietaatqva|ovouwjtts)|f(yddeatvmo|otktestxg)|i(tudoxbgcm|glzliktas|hhlhihwxt)|uiqvjsvvyh|lvzmhhfpey|bvxjzlbrow|qvlwmbwtzp|sosrgixshg)|r(k(lzfcufimy|mntjntxlu)|j(mtvgodtzj|iirwllcao|zkeijkmnv)|mitvlojrqx|x(pdxzdvlok|czeejwkou)|b(cpcccbtff|uiqzukujr)|whkwnecbyu|hyclrzjxsu|f(muxmrmlmc|tvbjokngo)|y(xitjzslxx|tmxwibier)|z(pdgztbyuo|kpayajeea|iimktfabl)|qqysrqecnp|pibzminwnl|lovosznhar|d(xxtcwwrhp|ednuurfar)|ilnmlaujme)|f(zlvhqndwvj|qlcfqqyzvk|frfcctxnix|u(ttrrsujxs|aecahxbnm)|s(kszeaqaie|fyysdrrce|adybkmktd)|i(mukiqtqnr|ybrztssae)|cieqtergpj|mxvpjfafah|rjqfgkwivn|oojsurotzz|glzuloksnw|aocrqirfpu|jwqavxqmli|pctjtxmrcw|bddsjiamuk)|u(vlcmrjlovj|h(cfmvozryr|zgcgkujvs|dqnnkysll)|x(ieimjfdma|dxdxaplra)|plcerujiko|tltgrzvdzl|dsidkndahl|kncqporbdy|m(nkrwvkmni|mazflpglb)|o(kxbwcbrmf|qipdbnrbj|rkzwqhlbp|yltizkyzl|bjyzbrfks|oowdesvjx)|n(jdtwjkors|ajxcjrity)|ziuyiqtdeu|w(dxzxpmewh|ooziotysz)|g(xllcqrhmh|twzfwpxva)|s(pmtpvfbvw|subvzdtxr)|lnxnbqgkgg)|w(mxekxhdmkg|z(htqqovojz|plebcakps)|a(ykcpwpmsw|ruphyltbv|mldpcsaod)|lnfmxzxvlt|epsyxzntrb|t(gmmjgggze|xalmkabhh)|yqsdokirsk|i(qfxfaeztn|vfmwinhml)|kqxyhxwxeh|ctnwamzkdm|sndhcvnnjm|nvqqgvhsgn|qjdnlxnvjz)|o(mpwrpajgtr|ohsysxrerc|b(xnjhrgxbk|rnjpzoebw)|v(rsjvhcujc|oezarppun|utlkbmhcn)|aytntmqrqr|xhtvqggeeu|p(xlwahxrhn|axjpbmosa)|r(glolzsjzv|rpuexbmpy)|jlgchvqdnn|djvknpzroh|cjsfuacdhr|ynafvxpvfl|hmgiozxgzh|tdvohmcxbq|krghoqbmmu|ndtoaquors)|a(p(fjgczltzi|aimzgimzg)|yvvuzctjjz|q(xikjqeilw|dozwedpoa)|e(pmcqeyzei|ktouilwxn)|u(iupedekzf|hpquzwqpr|ortaqccig)|k(jcgxuiuff|ywwphioey)|o(mtunvjzwt|qozooppox)|sgwfrmzssd|gjqogkcvwq|bfbquckrwb|jxjyfbivbt)|d(f(c(qmdvityq|asbzpagb)|atjuibmkh)|q(itcugaxgy|ewgfupyyg|yiirnhdlq)|x(hspsmhukg|zmlnpbhdn)|c(lqawadezv|snovepkbw)|rddtxofuuv|u(eyqqqrgvb|fdvtuvtns)|ggajdxmaso|j(rucrewffq|abhtgbaqw)|ycgrcbympd|errfdttyjq|vagkmcjnll|iipcphagdg)|k(cxlkgmvvyq|h(iojkzuvpi|otsuspseb|dhrxwhbxl|qofxcesuc)|v(asbpvpbcu|wjrhbizco)|uibwfkhewh|n(jwljtgkru|yfwqyobsv|zsehbales)|mdxvmegqnm|oketywdidj|j(nmzbfnacz|wzodhdbee)|xamyasmoys|g(gnzotkewf|uqohmpjxe)|d(beomsjnel|kokpptfoq)|btgvwkxubt|azkalpvmye|raztnmzgiw|tyhfmqmlzh|wtwhfgckzi|z(tjiuejxhm|cfhuxsklm))|j(p(kvbelrixh|xugzcrawq)|r(towbqzzya|ccclkcrbf|xubdxrkhl|wturapdij)|c(nsjqmeoyv|raujnndwp)|mvtmufqflo|x(bkbubiiis|vzfsnlpii|cxeitcomv)|alfhgvvcyw|y(azcbueqxq|mdqtksoue)|o(rrhvpjqhn|jmezpqlih|cudxurtrh)|hkzcfyvzvq|zayjmxcuoi|uuattanefk|kufatowgog|ecsydlgmqx)|t(d(zzujzethk|faggdtmfk)|o(anpnmtudn|mrdcykegw)|q(qqwfepfih|ojsshmqbe)|cstxhrvvbz|b(amdtxdzgs|bsqbkdnlt)|t(wavbvjkgn|pdzvqupqu)|lhkgjtaoua|exohlrbflk|u(vtfqhrnrg|isfbcwdmf|qvboujouv)|adwkxpidfm|fgcptamkrb)|i(l(mokvixxzo|qdyfvwwgy|prfgwktot)|z(fijagsroj|kovwiqzuk|usrzehbir|jbyyrqjeb)|fkqaegjmjt|b(syrwfioli|nunkazyki|ubjhhzlno|cpzmtwpnj)|p(cstjvyysn|bocntxhpl|zmqndxuhr|lnqrkdyqn)|k(wfnvvqnzg|jovtqdxrq)|wrbccncrch|a(mdsuzrszy|aosmwngql)|h(onlpamngu|qmiyieprf)|d(fsjkjmsxh|krzfpvcwf)|t(bovfotrki|kdiirhano)|vmvuoxeatp|jzkguuxmra|r(osmeypwqt|ytmpypxsm)|xnyhjvhbya|msdacjikkf|ofwzcvyndi|geujozgzft|ixwuwulciq)|b(hymarrqdif|d(vplrrujbx|nglvfppqd)|iz(hoeksbzp|labmklqj)|wdopvhebiy|f(kluvwvvne|qyebjgplw|ruesgfdfh)|u(sugbeokxj|wywftyngo|gfeqqjphr)|t(dlonleynv|wdyurdisk)|b(nxdfiqlue|eloxbnmmj)|e(nggjnpwnj|adaxmmftu)|ywwtclcfwr|nirnwqjxpn|zectmxdset)|m(w(kutggjaui|grzwcqtkt|nuyhplwzh)|s(xfwyiorzf|coejytoqx|fguhtccgh|kyfmfvkzc|jfwexdypu)|fibsfbjmgc|rxciqvqrpu|b(nk(ejktdcr|mhmyyaw)|qnogyhbzi)|n(drygtksvf|uqoojpkwz)|u(ltstfhvfp|s(qcgubxef|osmhihuw))|j(kyzjoewbj|qhqdeybur)|t(yptumublr|wetyikrik|znfaeaqye)|qfccxmhdvd|yyrolatkor|zqylweibul|ejqqfcdynz)|c(nxcjloshbh|bveugoetwk|phfqhapefb|j(amwhmyaes|eaioqieyl)|a(ppuwrdddn|etessnfbp)|c(xcrlyozdj|oajezdohp)|v(tsvwksael|lkapwddjo|jvzrymmzn)|h(uikcxfjuu|bkhrrmqoj)|twxwmeuyfy)|l(sljjrazjwr|ebiistkcff|c(lzxcgyoqm|nomkjdmhe)|kqwmrynkmu|ujnhugjiue|z(plmffwqzr|ifdeviruw)|opdrbcmqcu|ly(ggtewwfp|horyrauc)|gogxgulfvq|m(zaygrvjpn|mckqzlgho)|rcrhmtocoh|qbcjdegrrf|ilqurrmewr|vssarkmgcn|x(xacewkaye|wbtzqplio)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633084; rev:2;)
# sid 2633085 includes 844 (601 - 1200) 11 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: "/(i(t(bovfotrki|kdiirhano|qlwwtsmqn)|vmvuoxeatp|l(qdyfvwwgy|prfgwktot|mktlxuwfh)|jzkguuxmra|r(osmeypwqt|ytmpypxsm)|z(usrzehbir|jbyyrqjeb|evheldzjn)|x(nyhjvhbya|gvuxauawt)|msdacjikkf|o(fwzcvyndi|ofepjtwyx)|bcpzmtwpnj|hqmiyieprf|g(eujozgzft|drmpznkoo)|d(krzfpvcwf|eeqntccyo|xtwsarrmo)|i(xwuwulciq|wwssailpl)|plnqrkdyqn|w(ryybiyuzh|pfuazenpl)|ktzuimveiv|cksdyljbya|yckyvbjwzo|eepehqvmdc|ueiajmxzxd|q(xoweugxkf|jtoisxesy))|p(g(nagheqauq|jvvhfilqd|hvrnvoifm|xbvwgmond)|ammodalhvi|f(yntmfjgwh|dtisclkvn)|m(qtpgruaxt|tisvxhcnb)|z(itkhcewzb|vqcfbrqnx|qmdsffikb)|c(bdikkyzpc|cxpdepjue)|rgyrbzvyyi|k(tzahmmygl|vcqdgmrtd|pfxiranbi)|jmmmktmysp|ipmiavnrpa|ujzlyyzizb|d(nayfcardt|aluhfwlqi)|bgvtmvtqcv|t(rxhviojwe|clfloaxdl|yeqeqdebc|ncgbvjhze)|ozaoteuosf|ytvvvueyxs|pixzsfserz|lbppndyxdj|qkuurjsrac)|z(a(neuzadebb|whahbdlcx|amilphylx)|w(ayugpormq|npokuibqn)|y(scnzfziwt|yshowrrjk|qcdjmaqgz|ulsnrnnnd|olgmnjxbk)|xguntwxntz|h(svhztzpsb|ctxjyfsxs)|g(tqsgngbug|maqgdwqqv)|n(atgkmxqvx|oqzcykmgb)|f(n(gqczgzgy|bsimrotk)|vnacjpclo)|chaownhyus|qerefgthhr|i(qrbejemwg|kpyspehef)|bjdivhzzsm|lduxttprrx|e(cnjztxfqu|giiorweij|idrtmxbtp)|uvzmfcrupj|ogdijiirpl|psmualdhhk|jxadqclzjj|z(mhprkzhqp|owcqpotaj)|shgasmyuij|dqeczgdphn)|c(j(eaioqieyl|ftxdmjlsb|urxmxomtt)|h(uikcxfjuu|b(khrrmqoj|wknywail)|wdeixwjdr)|twxwmeuyfy|v(lkapwddjo|jvzrymmzn)|cslkwsffph|l(fklrzwhup|cvlrkrvho)|gashsoxgte|n(ttjrpdegq|kcwlrknzm|otrfuzued)|z(oognphbzm|gktvymzyq|yjwokevjm)|qeitlmmbxb|s(ojvxeyody|ugxcylxim)|w(xqzhniihl|jbfbixpkh)|kibkhmepol|mldssntsus|anveudszjg|imejxnazep|bhpilavesq|pfmgkqfnbb)|l(cnomkjdmhe|l(yhoryrauc|vuqujdeej)|g(ogxgulfvq|gvdktxrzm|ktwmjddju)|m(zaygrvjpn|mckqzlgho|dnijswnsc|eozmhtlhp)|rcrhmtocoh|zifdeviruw|q(bcjdegrrf|niqqkaoyn|cbkalfsdd)|ilqurrmewr|v(ssarkmgcn|utuzgykqj|hfshdoavs)|x(xacewkaye|wbtzqplio|yrpxoxcgd)|wnvioowxgq|s(bmjnvrqdc|titxvxlbw)|nnjiiispli|urxvvolhae|d(bfddgzktz|ifuqwujyi)|bbgspxcapv|hzrugrbtuq|aqycetjrxy|tocgoztntx|yaqkoocuoa|jllxtrblcy)|s(h(oiserbdcg|giqnoyrdy)|a(dhcncusxr|apuauggdv|btyujfkzu)|zanofgoacr|cksjcbmtbz|d(meidxcmlv|okgnvpjyh|vfxviahhn|pbqjcjaxc)|l(lhdmtubgb|ktqlgiper)|n(txwdytxpx|rhzlsvzuh|bkaignoof|qjgmxdspk|ckriigwck)|p(nvygspmcd|pryzacjlw)|t(ajbzmjxyt|zzlahkyhy|jiljxmqwe)|q(bbormwgaz|zhpnctxfl)|o(aflmpywku|emfnzound|kgraffjvp)|v(xziurstgu|pufnajblv)|yvaqkrzrcj|gynlmzzyga|ebeglhilxa|i(utfgzsosw|wobqiepti)|m(hdodqyujv|zwlcwhbjy|wydxjxyyi)|fnyerdsdeb|s(pjcjuozkd|zympnovqs)|jqeutahweh|rveplqoquy|bsexrlxmwi|unhmptshlg)|k(b(tgvwkxubt|uanjugjwp)|nzsehbales|a(zk(alpvmye|esyscua)|lppuuhstx)|d(kokpptfoq|wgwhxubtr)|raztnmzgiw|tyhfmqmlzh|wtwhfgckzi|z(t(jiuejxhm|vqodaojo)|cfhuxsklm|rhezfoszp)|h(qofxcesuc|lqecuyzkk|ckndkmvih)|o(ugxgorlvw|fwkekjlko|oalvsxyuu)|u(hzimvogva|qxlhjguul|gwflyhpbh)|xufbtfaysp|v(fvwhynjdx|dlfcmvdtw)|q(yppzchedj|rwbnykpkj|akfhmsril|ijcpgdubt)|m(zjtskynyy|jkmqwaxyb)|yvccblhttl|eqotpddomh|iqflvigfxy|f(ywkxbbbfw|lzikwpyky)|cmoqgbcfqh)|u(w(dxzxpmewh|ooziotysz|fszkzrcxt)|g(xllcqrhmh|twzfwpxva)|s(pmtpvfbvw|subvzdtxr)|l(nxnbqgkgg|qqvftltqf|bwsmasuhn|wfrvleqzr)|o(bjyzbrfks|o(owdesvjx|vvjwvabs)|rnerskxvv)|m(mazflpglb|uxrtawxfc)|j(hrrnhnmdy|bikaeyctj)|tlhdlwmvdq|f(shzptmgtl|jjllsxogx)|nxoejozvhy|ztkuxkkcwx|qsimenzviy|ehadmochix|rvzrvoatzv)|r(l(ovosznhar|sdcgqbtgi|nrgzrdawk)|j(iirwllcao|zkeijkmnv)|d(xxtcwwrhp|ednuurfar|wtyuufalt|n(zdhewwic|qjwnfotf)|jvinxjuvi|qenjcanmh)|kmntjntxlu|i(lnmlaujme|vyunrkskh)|f(tvbjokngo|jdoxssxug)|z(iimktfabl|lpqooejcf|djhdknuid)|u(jfgfdlbfj|zjahmfpgl)|o(gwblkrhbo|dyfjwmdlo|rdxshmjpd|osfkgrvvv)|ypqcvqnhiv|a(vuelagicp|sykndfdhp)|t(rbrhgdiim|zvcfsituc)|qrnpwcijtn|x(uqzrjbsmw|vgsxyjojn)|r(wfuvqyofk|vkjbrcjbq|kottlueim)|cnmxytkvbl|eszssgnxae)|f(i(ybrztssae|kpyhhekoc)|o(ojsurotzz|dojvspmdy)|glzuloksnw|a(ocrqirfpu|yjvofaphw)|j(wqavxqmli|btfefftwn)|pctjtxmrcw|b(ddsjiamuk|quytnjjgj|lyyfkzimx|xpwfungeo)|fmrgkubmtw|cliqeycpzl|d(iytsdsuxq|rozksttlg)|udfcoyvmpt|xsmzcpncsn|h(jiobhmyzp|ryvxvzbvj)|e(qxofsmekk|atgcntvlm)|kuwzhheoat|y(cjkkcpfqg|opkmbypoq)|toieabrixy)|a(ektouilwxn|g(jqogkcvwq|xleldxhia)|bfbquckrwb|q(dozwedpoa|zwxjwcvlg)|k(ywwphioey|byaqgccwd|qcokztnot)|j(xjyfbivbt|ttnbwouui)|o(qozooppox|ifsheybzx)|i(gbuwyvoqs|dgbezgzfk)|d(iadwfdkhr|xhiqxwbob)|scrfbztnbn|w(lsnpvbsvq|bjlpoqwze)|t(zsibhfpfg|sjljrrcuh)|zpbawttabz|m(khrwmosnf|h(cjmirhlt|ysfwnalg))|cgmkygsajt|pyuakwoxjd|u(rxhsivesv|uofvzpyzt|xslrwjafv)|vzjgvbyocf|awjdfneech)|b(e(adaxmmftu|miputtnom)|f(ruesgfdfh|flkuortjf)|beloxbnmmj|u(wywftyngo|gfeqqjphr|tyuwrferd)|y(wwtclcfwr|xxxvvcpap)|nirnwqjxpn|z(ectmxdset|vmudneqao|olwtzhftp|dgqjzzpir|xedvykmgp)|i(z(labmklqj|jysgukwf)|lzptgyagv)|ssggxrrwxn|r(hpemxywej|ieaplajxc)|c(ujykouymf|sbveznqdn)|wrzobwsnjp|dezcgqwvqz|p(oxbkqbxvs|emlmdkini)|mlvevwmfer|qpimmwebqa|juthzljnjx|xkysvedtgf|tdjcyeebom)|q(efpkggiigl|q(naurjqmmj|dxkwidofg)|o(duztlllft|vfvhvaaaz|bgqhlgpqu)|cczqdwvbul|rgwkxtrpyx|h(ioaiopooh|gsohmvdil|xpoyaxodd|tlscrmmim)|vnfaywhwhw|d(mflgwltrk|immmpwudb)|k(tkpzvjrrj|myykifkie)|utmpqlihcs|l(feggmwlyj|ybxglyctk)|jzffxilkcr|x(znmpbvfpu|nkaoxiqyi)|y(twptrijnk|hltiswrzb)|tlrbemdbqo|i(fwvrosqwv|qvvqbvghc)|gnbtjddwey|fkpjzqxipx)|e(iwbhczybyh|o(hhoteahda|lffvjsxbt|bgbndkahm)|ssxihddrwp|hcjswlidev|nlrvokhilj|g(idphohhsh|plzedleme|jtqivrwuc)|wfzcbitplz|z(kqedqfztu|xakfccuxe|iforxzvwz)|a(qvtckjfbf|gcgkghhan)|bhkphavwpj|fncgqedwya|mfmhsjueve|vz(syfdtsif|ynfvtyaw)|uwkwdarydd|d(njidylzty|ohboruygo)|q(easwozaxy|nzvwbvfok|oorjkvprc)|eljneeppfy|r(gptcpivxm|whcpsovoh|hhjtpmdqf)|tpuurdompv|cg(ojdrezfs|rnfetzha)|lkxhqiyvzt|pghxnzcayb)|y(gihtyaaiaz|t(lslhujbex|fmfrwhjkj)|c(jzuscgpwd|uvwkauoku)|bihllfqqik|rebbormnoc|w(rcggcrhwt|nldsuqdin)|udbdpczqjf|hnoijbmivl|ztkxnygbva|popvfrkjzt|i(tapgtnmfa|yqiofxtdn|lawbvihsl)|xfburkzbqf)|g(fotktestxg|lvzmhhfpey|h(ietaatqva|ovouwjtts|kaaolhybf|yzsjohtod)|i(glzliktas|hhlhihwxt|qyuescrbx)|bv(xjzlbrow|ipzlnynf)|qvlwmbwtzp|cntkesmnzu|sosrgixshg|rzjkcxrqkb|d(rvixainrz|askjrezck|untazthyd)|ksnacribvs|v(gjmwtmnfu|krngljbkc)|t(xuytiulmg|hhthgwxjy)|w(zrghteujd|ehfnaupiz|xnfdrdvku)|g(wlzwupxoe|odgamcwci)|o(ubpwbodup|szmsumyhx|kfnptwkkj)|m(nyozinwkm|dntqwocuh|pnjpjdwtx)|u(rouzsseaa|eaqvefjho)|awfvagtehv|nmxevbpsey)|x(u(ydvngktqp|lqrllwahj)|dmdbstyqhy|v(pwszokmhl|yvvtppzgo|gejjfuzia)|y(elnwfrrxg|xcsukifhh)|eoimuuufuc|mnceqsouiu|jpmnlpqxhz|lthvoczqry|zanhldvbfv|x(egfscnvkk|gpswlyuqb|ttybyccll|rurchcdmx)|o(gfvnusnhw|ctpmkeqau)|h(duumfkgaw|mkhmekqjl)|thaxyrfmxh|ghccxvsofg|wghyixscjk|f(ikmukuugt|ogujionvy)|i(pefgnoncc|kymdoerkq)|k(nhtgvaasp|euuimfvvq)|bcjludkakv|r(iyuqaqyqu|clthrjydr))|m(u(ltstfhvfp|s(qcgubxef|osmhihuw))|j(kyzjoewbj|qhqdeybur)|t(yptumublr|wetyikrik|znfaeaqye)|qfccxmhdvd|w(nuyhplwzh|cqhajfiqy)|b(nkmhmyyaw|mywdigshv|ygwjtssbk)|y(yrolatkor|qwxqgtnqo)|s(jfwexdypu|ezxrbbeue)|zqylweibul|e(jqqfcdynz|ydzdjjmui|qdksbpwwk|lcssfdkbo)|x(xicjtwktv|ouxklkvgh|ukkdyzhhs)|v(zslpicdqh|wajpztdnc)|g(atgfbuypu|iagbdegjz)|d(fudtltveb|uktqlbsci)|hfyawakgat|aznkkspwni|icmkujxpfi)|n(l(ymhejtemn|nhmujdfjb)|b(aysmqbxpq|xwgkxcpwf)|ofwgltqlem|n(ufvzdmliq|zttmbsbdw|kyasxxcjx)|hrcbfeariv|uwnclebnli|m(zbevbfsmd|xtrtmqytd|khjjduyey|czivabshy)|y(mjzvebgdf|zwezezfyh)|wtigovdttq|e(t(iclbhwtl|axwxitht)|izagjblnn|czlbkqnqq)|z(kdopnzahm|ggbpthlat)|c(ctrvrwlkp|uojhambgr)|kakeknheuj|q(acanikcfv|lzonlldoi)|vxafiwryfh|stpmvxpoaw|rsqgxdbhhe|izwodmqxhq|acbwgrooxz)|o(h(mgiozxgzh|xqavbymdi)|v(oezarppun|utlkbmhcn|wxberdcdb)|tdvohmcxbq|k(rghoqbmmu|giomnacwz|hfqsjjfhu)|ndtoaquors|brnjpzoebw|p(axjpbmosa|dwjapbgwg)|owohjnqjyj|uynwmiuhlz|mhpusnxnzp|gbsjpmtpoc|zpmwvavsit|fcpbimcrlk|rguvxzcqym|i(qfygewffu|allssbrux)|svnflfqjfo|dzfycpbzgg)|j(o(rrhvpjqhn|jmezpqlih|cudxurtrh|ynnqkunef)|h(kzcfyvzvq|w(pzwupbat|hymnuhnu))|ymdqtksoue|zayjmxcuoi|u(uattanefk|ocgzgqoiz)|kufatowgog|xcxeitcomv|e(csydlgmqx|hkgjpoxqk)|craujnndwp|n(haeaqcuch|ffvmsithc|ephrfkoej)|w(ianzoxiqy|lyjlzlwzm)|dxahkpannq|g(nmcaxiiqj|pbweoupge)|pkpyptvtab|m(rprgxyrsd|daepqshon)|iacyusfztf|fnibadlndn|jqtccbpytc|tvalmnndhc|rpdcyhvgjx)|h(c(ybdzbuyag|uhrawdqvm|jkxgrrete)|l(koezqxkrt|jwiwlhibx|giobpcrcv)|vtmtbebwzn|byubmgmgok|juafelwaja|k(wrhqbfdeh|dtdolnqol)|d(ibrshusdq|n(fbmqocvt|xgzotctb)|lyzjlpfvx|mpqbbelpt)|tusexpcfsw|yabkaufdew|g(lqvjufiox|qidnxgljt)|xgxzqkfycx|hscofalrye|o(jxgjrjkqt|wyeawccef)|iggbpwladh|a(nvgddvvtd|cylwhxomp)|e(tjolcvrzw|hvezzjlrm)|u(tmglgwrcq|ktpylokuq)|rzmdycpncw|qhcjpbvwhe)|w(zplebcakps|s(ndhcvnnjm|ccryizrar)|n(vqqgvhsgn|blaillueg|kowtpltxg|shotmobsx)|a(ruphyltbv|mldpcsaod|afiufjlhm|ktkdthctg)|ivfmwinhml|qjdnlxnvjz|g(wusdxmxrk|qcuqwcwpy)|jmswrmkmyt|uqgcpoeook|yfpwenqqpy|l(phagioipv|rudzdlslg)|e(fqptsveja|otyebopsx)|c(kplgllwfe|brhngdfim)|kdiidtaiuh|vgcvmaiwfo)|d(q(yiirnhdlq|mjzpkepqr|dpkyiclud)|f(atjuibmkh|casbzpagb|tnkmiwsty|ywgkbmfyb)|ycgrcbympd|e(rrfdttyjq|f(rzyrffje|wwtlpeqp))|ufdvtuvtns|jabhtgbaqw|v(agkmcjnll|opmngvnqh|xpwimcbpj|wrlvjwlkv)|i(ipcphagdg|klauituui|uuaxdqjes|blqaoztxs)|x(zmlnpbhdn|jitvgpxxb)|b(lxgnroeov|pqqknljif)|a(dcdiusvei|sbqqxizmd|uxbxxkuxi|kdgmctvme)|lackztvgcw|p(leedrygns|i(fjddeexl|vutinimq))|r(uikytrfzg|vyiysaxda)|dglfdycavt)|v(q(ouxuylewm|uhuqvsqqb|pzywhjyrl)|jsbdcdsllb|l(wemujcvjz|pqeenasaf)|typcmdkcqu|f(znmwonnco|rozkrbjyy|dyrfoqher|siomdivfl)|k(ilhjczpqt|dvzvapzuc|hvexhacpj|fnlpbvboq)|r(ixrplownm|ziceyflac|ucoonkdmd|krifezvfp)|p(bltisqjfa|mjimxnigz)|uajbgeqpqt|bwuhqfsgrt|vihyndfnfc|mharqklxul|adpymzfcpr)|t(exohlrbflk|u(vtfqhrnrg|isfbcwdmf|qvboujouv)|adwkxpidfm|fg(cptamkrb|stsbxfvr)|t(lqagpjpkt|cxwtdxqmh|qaxcnscmc)|i(ydzkbieed|ovttwzfdz|tubfctbpy|qodwzoigz|fuwbyxhrd)|ksnbqysksx|rtpprnnhcb|ncidgelzoz|obviljwmpv|jtglnhhhfm|b(xklzabnpf|hhpnyvnap)|vw(rkckialr|nxuykkhf)|h(ckdhqjqil|rvhjnrmny)|chorjjnkzy|mpiidjiqbd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633085; rev:2;)
# sid 2633086 includes 244 (1201 - 1445) 11 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.com)"; content:"|0b|";content:"|03|com|00|";nocase;within: 14;pcre: "/(i(ubyydbkqrr|nwwnyhhwfa|wtckqvvbik|kzldcdhwyn|mfkfpfljcs|z(bknoklwfa|rzupchkcj)|cxrqnxyksg|fwnbjqanra|tnomyedorj|qpfcjmazgr)|t(gqbshphght|nndeutybnk|bnfaaxsvdw|mcfvbsidaj|h(hvnstpkgt|emziwbvky))|y(dcqjtjmopy|h(zahlkzpjk|gukdiyjfv)|f(dvwuxfcxt|pbdpcycgt)|cfxbescalg|ypmfvmbpls|bwbzvidfcs|qybykkajfh|rjbqrchxqb|ixairenhdp|nrmlszbmse|urvknhwygy|jisnwcxdbi|a(gevuyrqsf|lazicojdt)|oateivqspl)|p(olkshrnfvg|s(skgccqsen|oitqjmiow)|mmvolakjlf|hhnwytnqzf|kajclfwoyn|ayqpoxcnhb|pszazxeyty|ejuaeitrse|jattemboll)|x(krvsklhqrz|bxlwttlffh|x(tsnhgtofx|ropafvmls)|wetqejoawv|jtrrkhopsf|fldfmbwlgm|vjapxptmcn|lxgwaxqbxw|svxetjmmmn)|d(dtcjmrffgq|awvvzyqkwg|ivssoisatg|e(udhkhieih|hmifhldvr)|hhdteiwwdg|tvissjusmf|laixxoynpn|vwwfnvahez|nmlmybsudu)|u(sckdpckmlg|amdvoecjhh|b(cawpzndbv|oplimtwuf)|tqwzyebceb|gbhbenkzip|e(qwxjfnvku|eqgjnxxqa)|fxanvtcrit|mthnwpepcx|oppqxouxrx)|v(bphwckrgps|xrlaxsszjd|o(njjwxadrf|veemmgrdh)|hdzzrjsqef|dzlplszsbm|csgvxuzvcj|v(fktenwkhc|rfbjnnhld|xkldjoslf)|lvkvregtxd|kwhtlbgmpl|rlqjmmsbmk)|g(tbprwhoipw|cmoufebzgj|g(odfldwxne|qeukrndbf)|s(htvkwelhz|mydqdifkn|yhzlpztmv)|nvlgkdlyrp|iihkjkreyf|lsrgbbysyb|qbmczwzodk|wtjpoxcxke)|f(jnbkggqvdz|vajkeyfoyp|mmyhhiwrci|umsgcgvhpl|fbzxhfhqtp|xexkrznowa)|e(ajbmmibjrj|bhlunlsvvj|gaykidpjvq|rcuafvmkxo|wrzjwsitaq|vcvbkuahos|xtsykobrqp)|l(buouafssju|lyocupunqr|gajlcnudra|y(mysnsgmfy|syomoidtx)|zicrtuqbeq)|z(v(stfduequd|ycolfmbmt)|jvgvejghsw|kaffoeekzz|pdrmqwsttn|fbbkhezxog|eqiwkicfrk|gtcpfbtxzg)|m(kxbgnxzwew|npmwtvtzpk|wvopqvilkk|hxlimjxxuh|uqluttmziw|e(bhunjvdfn|gjytfdrya)|ztyihifqvc)|b(r(dswirbrnx|ilijzbkya|jnaosjjbt)|egsxfpudub|dkzvsewpvy|qwtdcxelab|ahuugenvjy|gtpfbortdl|yokzlkupkt)|n(cshobxoiho|y(ozwjewugv|xopmzcjos)|xfondzwmcz|tftgltrqhw|zyqzjgvmvk|lkkjrsdvpm|klskabjpwy)|a(farkxfhpcn|uzytmfmefh|o(sazqxohti|jwipxpknp)|wesoxspeko|mmsgnfsqom|kgjmuxhuro|crvfdorsme|jynmlbbgir|vnudzjkxqo)|o(gqesrlgkqo|udepurkusd|hzsyfypupn|pkxutotyym|e(bjbouvzik|apxrnfazz)|yelsgcdyms|micijydlpa|bbaynbgiha|dlsnzitsth)|q(s(wtpkukowa|udlriefqj)|a(vcfaylgdx|dxqbkwwsq)|u(higssdfqq|qazmfycxx|pwjcffcok)|xvxgnanfcs|hjamuksfdb|fjlzvlfqha|vfleehcyqo|bcboybcmng)|r(jzuxroyrbj|invfychzzv|ygxhralnfj|w(twrnbvepx|ormythlnx)|l(ahveayfbl|dqjikpcgd)|mhnjxbshxe|vcfkuudqje|hydalqowyv|dtivhbhkmw)|j(lzohprrsur|oxmbdrjixb|vkkiywvubb|kadfffrgnl|z(fzzhddujp|dgbftwxet)|aydfiglzbr|mutvidvozu|njnodlvyxi|qpxcirawbm)|s(zkxuemofqk|u(jzdgdccus|gxsmtsvud)|hpzqmtgkuq|oatbnzwwar|twbxzszjsf|iolefwikvk|gkohhrlatg)|c(xylzoxmldt|f(ilefwioaj|nxipleqaz)|ycowoiswqs|qubflmxike|d(tbjjhqodr|psbgbuzcp))|h(cifbwjbwud|p(rgxsmnkil|nzvjksklf|whieduugp)|dkqoyankst|xyvkbitsdl|gpwnfqwhsh|iiphvmmexl|zfrtrtvyre|sqrwnmjyls)|k(lxbvxyuyfx|rorqtbqabi|zxywcddwvg|dvewoythqb|vceqtghcdt|jfxltcsqgm|xghiofrhnt|pxqvysweqo|sreijfmmqg|wifytiojmj)|w(cchftcyobb|z(fqdnmwpmh|qszztnxmv)|oofnlumgrm))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633086; rev:2;)
# sid 2633087 includes 4 (0 - 4) 12 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.com)"; content:"|0c|";content:"|03|com|00|";nocase;within: 15;pcre: "/(c(netotprnino|om(xupqpkrex|arxdxsveh))|infoxshmgfcl)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633087; rev:2;)
# sid 2633088 includes 2 (0 - 2) 13 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.com)"; content:"|0d|";content:"|03|com|00|";nocase;within: 16;pcre: "/c(omzuqphtnsho|cbxfeupazqtm)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633088; rev:2;)
# sid 2633089 includes 3 (0 - 3) 14 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.com)"; content:"|0e|";content:"|03|com|00|";nocase;within: 17;pcre: "/(comidgfmfssgab|info(iqeuvphxbs|wpypvkpdge))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633089; rev:2;)
# sid 2633090 includes 600 (0 - 600) 5 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: "/(f(p(rkm|nmh|zvy)|a(wrh|kiw)|t(quu|jer)|kbqt|ipif|urro|q(rpe|akc)|ejzy|vmtp|fopq|z(vfk|cwc)|oila|bbpl|mdxx|h(ufi|hyl))|e(ndlc|jgcs|vpkj|pqhf|x(wub|nie)|a(vqi|rsj)|t(ucp|tbu)|cxwj|y(bzu|ywc)|mkml|o(znt|nry)|sfwx|gcab|z(yrq|rzq)|wkey|iyiz|dfxy|euca)|j(u(van|s(bh|qm)|bdr)|t(vjc|nfb)|b(ead|mcj|nhl|fji)|ykfb|d(rvs|aog)|c(noq|cip|qmz)|ztlg|w(pzs|fxp|bel)|mvns|lkil|qhdc|o(gli|xzg|llo)|n(kyq|nwl)|a(vov|jrt|gjo)|exzp|xjva|rbgf)|p(qbvq|g(xle|oqy)|x(jwg|qqj)|k(srt|mln)|bobd|a(xwe|pxq)|f(wjd|zkp)|sltx|l(lph|ehz)|tvos|ouyc|dewe|zywp|cofj|mssx)|r(t(pzc|hea)|fk(ce|kv)|xgtd|kkub|rakf|b(pbj|eno|luf)|lkol|j(snf|aau)|n(vva|rsa)|cbul|m(xhm|cwd|vkc)|oeqs|i(xjq|fga)|p(abe|qkj)|vtpi|gnei|agwm)|u(z(ugx|wse)|nqho|e(pdw|dre)|ucwp|ifye|r(rzv|sia|hfb)|bvaq|sqdp|ovfy|fepd|kzqf|gueo|x(hoq|cnt)|dfls|yrqz)|k(nhwo|kdwj|i(pgu|qzc)|q(ina|ehx|sbj)|g(hmp|tev)|p(tsc|ypd)|whwj|s(dze|oae)|ulhw|o(plp|ykk)|hjjn|cpgo|lklb)|q(i(cpc|yqu)|m(lvr|cmv)|wxtd|skhx|t(jro|tou|kyg)|p(elp|ysa)|qmmk|k(oae|hho)|fotn|ukcs|yoil|xsxb|boay|j(jig|cyl)|d(eem|fmz))|h(lzeh|ioga|kraf|qlvu|msvk|z(zdq|eod)|yvyd|bsns|flxv|xrqf|unwx|hpcg|vddc|r(anz|csk)|edsv|wevk|g(qze|nig)|nqtm|pyxu)|s(yyqr|i(mop|pxu)|v(amn|rwv|eum)|z(swf|wzf)|tlil|kgpk|b(kiu|zyy)|r(zel|qhs|ojy)|x(djt|nov)|c(gir|myb)|faue|l(ikv|fpv)|w(kuk|hjr)|hjkj|d(kyf|jiw)|ulzv|sflk|ezii|pdbg)|o(u(uyn|fsq|yak)|jbyz|mkik|f(doc|ktm)|x(nex|mgr)|sgdi|huze|t(lwy|kic)|qmui|w(csd|jlk)|ykff|lywo|ogtb|bhdq)|d(r(otq|xuo|igz)|p(oep|mqm|ies)|dtbe|c(rbd|dbp|ltt)|k(cqt|wcp)|uvjc|jqxj|g(qzw|tuc|uck)|luxg|ssmb|esry|mtye)|g(zkhd|j(ntk|mhq)|osgs|f(pzj|bbr)|spci|w(ypx|zpj|ppe)|g(ofs|mbr|ezl)|dpxm|qjos|v(iug|hlz|fwb)|mcrn|eqmd|tjuo)|a(s(szk|kvl)|d(wka|afu)|zhbq|c(yfs|ogj)|q(tcn|bqn)|hahs|t(tym|gdx)|x(ctd|rcp)|u(kpj|afm)|f(uyr|rda)|njtu|ofkv|ikes|bopa|aomr|musq|rzyb|wckz|gphj)|y(e(vdl|oti)|vwht|quya|d(xhg|tsl)|rtjh|fryi|ofsq|l(ogs|fdq|dfk)|uvre|iwvj|h(ngb|yus)|cjru|srfq|wkkx|kgol)|t(w(lmk|duq)|twuu|xkxl|feyn|ceov|a(lu(x|l)|vac)|mxgv|l(jzz|sno)|vqan|ried|g(bun|tnk)|zvqv)|v(x(irz|vpu|gor)|k(fch|kjn|okq)|lyht|rxen|vdwo|hzsm|orrd|e(zeb|qwr)|qiws|wbjm|zsiw|j(ils|pji)|txji|ipuf|goso|umfs)|x(gkdd|u(jbh|uyr)|imbc|xobl|qbub|elhf|tyzd|kfaa|pcza)|b(y(tqy|qbw)|uwoq|sxxn|bqsv|rcru|vpzq|c(myc|rve)|oksm|info|a(fbz|nza)|wvcy|f(b(fd|pp)|zyk)|hyup|x(kkp|ucu|bfv)|m(vpd|wby)|jums|godw|qtgh|kvsy)|c(x(kmx|mch)|njdh|t(hjh|idk|jhk)|b(lrj|ado)|a(yfa|mch)|ouab|s(pvt|yak)|g(itm|hnx)|rixg|vxst|y(rux|gjy)|jphj|d(uzd|hno)|qkyd|wpjq|lypn|eyqs|p(rlp|dnn)|hbux)|n(w(jnf|gyl)|p(jvt|oyb)|i(seo|dkn)|bpoy|r(nzb|joa|zgy)|omzg|h(snw|awz)|m(nve|fwr)|yzxj|evve|a(jdd|bhn)|njtk|k(uxk|ywj|pwl)|surv|xghq|jqpi|qyvt|fels|vfau|leiz|gxaz)|m(nfkl|huop|mwsg|r(xna|wsk)|a(hck|ifp)|e(vus|dnp)|fatv|kcgn|l(pgo|qyz|gai)|st(hg|pa)|yvgh|zzwj|prmj|uuzm)|l(y(tny|mwn)|h(ikk|gkj|vrv)|zkjk|g(did|njq)|i(smx|byj|cvt)|v(cec|nuh|ags)|u(ihr|obf)|tvqa|jaxn|pfal|aanx|rdiw|lqpz|csko)|i(e(lff|fwg)|merr|vtqe|aw(eh|ro)|hyjn|t(vkj|kzt)|o(wpt|moq)|dp(aj|uj)|p(dly|hcc|lab)|b(rcc|fjt)|l(mhg|usv)|udst|icms|cklh)|w(k(jes|ela)|n(uoh|ifh|zgq|sux)|z(kvu|wta)|ymsp|vgqc|dntt|p(kzq|wow)|r(sfl|vnb)|uwqn|jxgz|tojy|c(jdq|xel)|q(yax|jfy)|azal|oavz)|z(h(tpp|yfm)|mxzz|a(zix|ovy)|udft|ebbw|n(vov|pqu|xth)|ohyk|beef|zmuv|fyqy|c(orb|bls)|p(mly|sen)|stzk|vkot|xcnq))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633090; rev:2;)
# sid 2633091 includes 847 (601 - 1200) 5 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: "/(r(p(abe|qkj)|vtpi|if(ga|av)|n(rsa|orb|gqp)|j(aau|btl|sav)|g(nei|tqh)|agwm|t(hea|gkx|cjo)|w(yvc|sgt)|q(qxi|zfn)|zdff|fgiz|sapq|ogtn|uwak)|f(qakc|fopq|z(vfk|cwc|aax)|oila|b(bpl|nll)|m(dxx|lhn)|h(ufi|hyl|xfo)|czrv|i(vbb|hgc)|glso|k(fas|jas)|w(znl|ppo)|jjnu|txke|uwru|ltdp)|e(mkml|o(znt|n(ry|ar)|qbs)|s(fwx|lha|qdw)|g(cab|nql|qhy)|t(tbu|psj|eoa|unw)|z(yrq|rzq|ktj)|y(ywc|xjq)|a(rsj|agp)|w(key|mma|ppa|umu|jtv)|iyiz|d(fxy|ypf)|e(uca|vtf|mif)|ngde|x(szj|qxo|yxg)|cluk|voer|f(jjk|ifv|afj)|jysb|u(ncl|alk)|hzis|q(oyh|nag)|bfza|kree)|k(q(sbj|bpm)|g(tev|vre|hmi)|h(jjn|sxz)|c(pgo|ndj)|s(oae|jrj)|oykk|l(klb|xia)|jqlf|e(kcy|qvn)|vjej|u(ald|hcf)|djnt|z(fwg|ehw)|yath|xuvk|kvvr|p(gsz|zqn)|mljv|b(ias|noj))|a(i(kes|vck)|b(opa|pgi)|aomr|m(usq|gyi|crc|blc|ddj)|r(zyb|jih)|w(ckz|yhy)|d(afu|ven)|uafm|f(rda|i(pi|sv)|yvl)|g(phj|xcp)|qbqn|t(loq|ayv|cvj)|n(xdv|spr)|e(esc|tki)|hwpm|llia|jyiq|khhn|y(pbz|dbq)|pepw)|c(d(uzd|hno|pje|ihx|xw(w|y))|amch|y(gjy|mvk|qtt)|b(ado|vvk)|s(yak|gqc)|tjhk|q(kyd|aqk|ngy)|x(mch|suf|vqs)|w(pjq|auc|rap)|lypn|eyqs|g(h(nx|ig)|lxz)|p(rlp|dnn)|hb(ux|aq)|vuwh|kfld|ryqp|c(y(mi|ab)|jcd)|n(rqr|osb|dxf))|t(mxgv|l(jzz|sno|gbn)|v(qan|vpx|yxp|abf)|ried|w(duq|ynp)|g(bun|tnk|win|gti)|a(lul|qyl)|z(vqv|bap)|hkep|t(ved|uou)|x(kvw|vbj)|nddb|j(czc|ouv)|cigo|prcc|solw|d(zwk|pdu|sff))|v(q(iws|lve)|wbjm|e(qwr|rcy)|zsiw|j(ils|pji)|txji|i(puf|ylg)|kokq|g(oso|wyv)|x(gor|xuh)|u(mfs|hvt)|s(hmr|xlo|ufh)|cmbz|o(rfi|vwz)|heid|bbjv|rtzt|apmh)|i(b(fjt|wah)|plab|dpuj|lusv|i(cms|fxj|mfb)|ck(lh|gg)|a(wro|mvd)|h(tkf|sgu|uef|hjg)|enin|zdiv|tysx|fpnr|oofx|xvdh|v(xps|rjp|lyf)|sbnd|g(bwh|qor)|qebe|r(amb|imc|xjj)|yqes|nspd|kcqy)|q(k(hho|dri|gju)|x(sxb|rac)|t(t(ou|aj)|kyg|dqf|xap)|b(oay|fsu)|j(jig|cyl|wxk|ibv)|d(eem|fmz|oaj)|u(xdi|egn)|i(wat|okg)|niyx|q(wgf|szf)|o(xpz|fxv|zhx)|hflh|ahfb|ebtp|mwet)|n(k(uxk|ywj|pwl|gzj)|poyb|s(urv|nrv|kyb)|x(ghq|rff|dpd|qbh)|j(qpi|rtd)|hawz|qyvt|mfwr|abhn|f(els|hlt)|vfau|wgyl|l(eiz|bcl)|g(xaz|pct)|bxzt|oyim|t(blx|hpn)|icre|edjp|d(vef|hqo)|n(hpa|qva)|yukw|u(ren|gfi))|x(k(faa|lph)|u(uyr|dqo|fmd|njx|eea|csv)|pcza|j(yma|nox)|dt(xk|ng)|wxvj|h(gya|yai|jsi)|n(mzs|asq)|c(cil|ini|lzr)|o(wyy|ikp)|bxwi|i(wvr|vyj)|vmpn|abot|slgl|t(xeo|fhc)|mqhp|gydr|q(afg|ytf))|s(zw(zf|xq)|b(zyy|uih)|u(lzv|jsn)|lfpv|s(flk|ujr)|e(zii|buw)|whjr|pdbg|djiw|rojy|yxls|okfr|tsfe|c(fye|kik)|gcbk|f(stx|vmo)|nxqu|xquo|qcen|vbnz)|u(e(dre|ftl)|f(epd|fns)|k(zqf|fqi)|g(ueo|bcr|tmu)|x(hoq|cnt)|r(hfb|ffp|inx|paz)|dfls|yrqz|v(gfq|ayt)|q(kkp|ukk)|s(jxf|zus|fpd|bij)|irwh|uttp|pdei|lmnk|m(vqf|ewx)|n(auk|lef)|bjvm)|b(m(vpd|w(by|gh))|j(ums|wvf)|godw|qtgh|x(ucu|bfv|ejv)|k(vsy|tnx|omn)|f(zyk|bpp)|l(myn|xks)|uueq|p(gqm|ibk)|n(c(hn|ti)|dyt)|eokx|a(nvi|sof)|hltk|yqup|tfar|dmgk|inkl)|h(edsv|wevk|g(q(ze|wu)|nig|ezd)|n(qtm|him)|r(csk|zlr|xbx)|p(yxu|nhc)|dp(np|sf)|yonz|ocpn|vzau|t(mjx|tch)|ujoz|mcno|ibon|lnya|chhm|shez)|j(n(kyq|nwl)|a(vov|jrt|g(jo|fw))|o(xzg|llo)|e(xzp|jmz|gtw)|c(qmz|pcp)|u(sqm|bdr|rwv|qlr)|xjva|rbgf|b(fji|zqa)|p(pgt|gcu)|wjxt|t(krs|vdd)|himd|kjws|yotl|suav)|z(c(orb|bls|yjm|ish)|p(mly|sen)|hyfm|stzk|v(kot|hkk)|xcnq|aovy|m(mmo|gsk)|n(eka|byu)|dhzf|whbl|rnkb|gbdj|lair|jlft|epbj|kwxc)|l(jaxn|p(fal|kiz)|a(anx|jro)|v(nuh|ags|iag)|i(byj|cvt)|r(diw|ivd)|lqpz|c(sko|pni)|u(obf|yaa)|y(mwn|cua)|zdxu|srpy|x(juo|drs)|d(dsp|gkq)|gryf|n(baq|gxd)|hn(gz|ob)|wxcg|t(ydl|gyl)|ktwu|ottk)|p(cofj|l(ehz|gwk|vrm)|f(zkp|nav)|a(p(xq|fw)|gef)|m(ssx|zpb)|kmln|h(vsr|cds)|g(usb|aco|eoh)|xyvo|v(mtl|cly)|njsc|zarb|pbgy|tjxy|icxp|dbmk)|d(g(tuc|uck|jpx|kzt)|luxg|r(xuo|igz|waf)|pies|s(smb|nqx|wcm)|e(sry|psn|lgp)|mtye|a(khe|wor)|hklv|xxwi|v(qtv|zfl)|ckhg|qdxk|ylgg|d(yzi|mht)|buxi|idbf|jfxq|ockp|ubxm)|o(w(jlk|fzt)|lywo|t(kic|aft)|x(mgr|tjt)|ogtb|bhdq|uyak|y(ojl|dcs)|k(gpa|drw)|z(xhp|wbf)|p(hlp|ske)|sawq|q(ajx|yik)|ntci|adti|hcao|mhua|rwzl|jaxj)|y(c(jru|auv)|s(rfq|fst|akp|snt)|hyus|wk(kx|no)|d(tsl|kwb|ovp)|k(gol|qid|kws)|g(mbq|pgu)|q(vcj|nyu)|x(wdg|jan|gmi)|f(hhd|kjs)|oyfk|rbfi|vioh|jiqs|t(szj|old)|yf(ml|ez)|e(clf|eqb)|uocq|l(ztb|emq)|nfcn)|w(t(ojy|ywk)|c(jdq|xel|dot)|q(yax|jfy|vhf)|azal|n(ifh|zgq|sux|elj)|o(avz|iqk)|r(vnb|xup)|idpd|e(nkc|gtl)|vvya|jilj|m(nde|jrl)|yclb|x(atu|ccz|idi)|dfzz|b(ooq|ipy)|kjvs|wapx|sdou|hqyo|pric|gbhu)|m(yvgh|l(qyz|gai|tsj)|z(zwj|opy)|a(ifp|kfx)|p(rmj|cwt)|u(uzm|s(xk|ve))|n(ezl|fdk|thx)|e(txa|hxm|xxn|dmk)|g(vjk|wmi|ekg|ibi)|kauh|ieib|wpqv|siom|qton|rqsc|mxib|buoy|oazf|tvcy)|g(v(hlz|fwb)|g(ezl|lhw)|j(mhq|jju|wpd)|mcrn|eqmd|tjuo|p(bhi|vlk|f(ll|wz))|xnqo|s(iej|scf|url|nrf)|knpi|c(oaq|nyt|see)|iyta|wfzd|uooq|omzg|yual|qyek|nznq))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633091; rev:2;)
# sid 2633092 includes 247 (1201 - 1448) 5 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.com)"; content:"|05|";content:"|03|com|00|";nocase;within: 8;pcre: "/(f(qwrb|iqsx|wpep|twgh|kxtd|uers|mcri|vduk|ekaj|ydwv)|y(r(ijq|nrq|xmd)|n(jte|utv|asu)|uepm|yasn|pmnk|cvjf)|z(aspk|t(hxm|uma)|vbhp|f(tii|fqv)|pdzg|wafq|x(dkp|zfd)|rifw|ulxl|nume|c(eno|chl))|h(hdub|lhmv|najm|bpya|ycwy|myeq|rbvv)|i(sjoe|kufl|hjcj|o(pca|xjz)|capf|llhp|fjei)|l(h(mtj|yyq)|drrw|xhzl|thnt|enyf|gfwo|zuyj)|q(ftrt|j(siw|awc)|wpns|yuld|tclc|vrwc|nnqj)|a(wgqc|xwmf|kxrf|fqyy|vfnn|pubs|gvxa|ceww)|o(k(tqd|dps)|a(mug|ghb)|ywyf|zoql|qxjh|lvnj|t(mrj|gjd)|whhf|podx)|t(v(ovl|nkn|kvn)|t(xpv|zvn)|s(sgn|irc)|d(vmj|hyg)|armz|lchb|bfey|jmnd)|e(jjiz|kizh|m(bqu|ftx)|vudx|wlqc)|g(nwld|ival|wzou|tvhg|fzjg|hwdk|xfpt|uneh|vgqa|jetj|eyvo|gxmt|o(ysh|npc)|lmue|dykq|btzd|kmui)|p(gjyt|b(wry|rxi)|ufjt|r(zte|izn)|wqbg|havm|svul|erqg)|c(o(rse|ftf|cew)|clmx|wlts|hhna|tpsn|phup|exrs|nmes)|k(dihb|mplx|qrtp|gvnx|wweg|kylr|chgd|ofhe|abfu|rzpv|vqln)|v(egju|u(tza|ktx)|hklt|lxlt|ztfd|khaa|mtad|opzp|gliv|dozt)|w(wdji|nuin|dupy|zomo|xjrk|ujcd|jruj|mqrq|vttl|ahrt|kjvw)|n(vxcy|tzqi|zptw|uqgr|kbfz|rikq)|u(pqgy|c(agn|zqy)|srnv|mngw|unkw|iywy|blpw|qvoi|lvqb|zija)|j(aplg|n(exr|xyg|zyy)|ruiw|qumf|gdjk|tcpz|ukbv)|x(wnjg|xghb|qzve|gw(md|hb)|pqkp|enju|ziyw)|d(j(abl|ptp)|lmrm|fuco|cgch|v(zyl|vqr)|pqot|kqjw|a(sbu|rbl))|m(clvs|w(ftj|aod)|vmhg|emxi)|b(xooe|giwx|ocsh|bsle|tkxo|plyq|s(nsf|zyw))|r(btxa|ozld|d(uwx|xck)|p(ttt|jdz)|xpbw|lvcg|mntv)|s(ogux|ttxm|bhug|vuzo))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633092; rev:2;)
# sid 2633093 includes 600 (0 - 600) 6 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(d(kzjyt|p(kvve|yrim)|vtqsg|tdagb|y(ewbv|oaju|bnvo)|ihnld|fkisr|xgjpt|o(znjy|hccv)|u(qtqx|cnig)|lubvk|bmaib|wfkmc|g(xjyw|vtvq)|dqdvv)|i(q(jwcv|lyal|rrzg)|ybrwk|kpsff|netwk|tukoo|l(czno|vvjd)|d(hqlc|qmwa)|byalx|m(kahq|svzu)|av(azi|iit)|x(bhiw|excb)|zuhuq|svecb|wvznh|ckgmg|i(dnsi|llja)|rnuww|uzepz)|h(ezehr|d(njfo|eqax|ifwx|puch)|p(ixfr|hubm)|u(rqke|ndak|xivd)|vn(zhb|xzp)|fgidh|osspw|zakkb|mjfpl|nbytt|qsots)|p(p(jrhc|tyeh|lyxd)|ygnfc|o(ynas|wcpf)|s(vagb|kjnr|wlip)|c(prfa|irpm)|w(zrgl|sbce)|v(lvvx|xprs)|kxsvk|r(lgrr|pqnu)|tacbx|z(igvj|zlnb))|u(w(htie|firt|upxe|vyqf)|l(bcpb|vkdy)|zlqzw|u(ourp|rgga|nvav)|hioub|f(cvrw|hmuk)|i(nsgx|awzh)|b(bdbw|yvks)|gpwtb|cpvec|y(hhob|kgnk|oeio)|mktqy|tskax|j(ksec|sjop|zpza)|p(gcol|dfxq)|n(egad|ntbr|rohu|vkxb)|ewxgm|r(crrd|zhsd)|vqnwi)|j(i(mlst|eros|poml)|nfkvw|xaibu|h(tpgg|qdnr)|qrxgk|gpxea|v(llxr|bpth)|f(bkkt|ortq)|zqgsj|m(gedv|slrv)|oteye|k(lsks|fiac)|d(jeqr|lzjz)|stfac|ujuuf|bxeqd|wxjma|aijsg)|l(ejfuw|jdyun|i(fdnm|taee)|meksj|h(hhoc|qalg)|w(perm|dffu)|a(cxit|xxta)|tnxat|g(jruq|lecx)|vk(rnb|aug)|yrdpq|l(gfiw|hgnd)|dwltg|r(xiof|osog)|sjqkd|ffuxd)|e(dckjc|g(qtih|lnkp)|otcbr|frdlb|j(dwso|kvud)|b(brcx|edqs)|rqjyc|i(onhh|zcmv|prau|wohy)|mm(wrv|smb)|k(eped|xnju)|z(utzw|zuis)|hpwco|lvgdq|cyjkc|emxxb|teukc|yepda)|m(gnbcn|d(bbaa|zpcp|ogar|cvvg|fwiy)|f(ahaa|mavl)|w(pcut|ysav)|y(ouhx|kjcn)|p(fpuq|kjde)|i(wupk|qmax)|b(ltfk|ryew)|l(uvcz|rpyo)|spzfl|x(abkr|ygru)|jhzdk|hdsas|rvbrz|mjdzn)|x(cdyle|m(kaca|gxtj)|h(kewm|imgj)|j(shms|vzyb)|klvwk|lkyal|wjlcj|udxlg|f(idip|baum)|rmqzb|pciai|eezaz|ghgis|s(hzyu|qfnb)|bojlc|tkxjh|ahjuw)|n(l(eopf|tpng)|jvoyy|s(grex|ilws)|g(kwuj|uvjr)|a(kjfe|hkfo)|f(u(ugq|aet)|fnkv)|xntno|ugyqz|w(hrrv|ussg)|nnpke|zrslm|mchbf|ebxhf|irywy|htpgf|qlcyj|rqyvm|viypk)|g(nbpzf|a(szlw|bmks)|jsvdu|trwkt|d(kmlu|zyzr)|p(vsvt|qkyi)|o(xgxl|ecjg)|v(cizy|hsxu|ythd)|k(rtjs|y(fos|ocr))|rwxsf|zpsph|ecbvm|l(ngav|mgah)|fhzns)|r(f(qcyt|pboj)|b(qiqj|rbeu)|n(pcze|ymyg)|ebtse|vqmyz|yaazt|s(ztqw|vfup)|hctgs|gxcau|o(siqb|uvza|vigt)|dettz|cbjdu|xudub|ksbxj|q(lygp|fzem)|apjlv|trbkc)|y(h(snvc|inym|vpfh)|kespu|m(afgw|tgzy)|v(xini|rvir|wglk)|x(siai|uyut)|yowol|o(riee|ejgn)|clear|lvtzk|qplmy|ailjw|grsas)|z(r(uqts|fgzu)|t(iaiu|yikz)|v(konx|ismc)|gcnuj|xtefe|aeavz|jyijh|zfrvk|s(zous|dwur)|nmluu|f(wlnz|siiz)|wisvl|yhctb|lkpqd)|s(y(yzja|lwsr)|uzy(zg|ll)|awecb|kwcti|somoo|r(zpau|ryvc|hmmm)|quxxz|z(bioc|uuyf)|d(hfxu|pwyj)|tquqr|xarvl|m(lppx|hrcw)|ilhfh|f(jotz|xpbt))|f(dueak|rygod|s(apmo|xbjk)|j(xbap|bqpn|vdjv)|zjzdk|w(grep|yfqi|rlco|ffdc|tgdt)|qxckl|v(ggrh|difr)|lroyj|xazdj|mizos|nufbn|plpbg|kvdkt)|w(a(tmmo|rnga|npdo)|d(pajs|xrct)|y(gkgu|dbnw)|c(uoix|ahwq)|t(imll|ezts)|bdhui|icxjl|hkkid|jkskd|u(oaju|rxtv)|nxilu|pyezz|siaef|w(gocr|ytei)|vnnde|eurza|fxazg|liljo)|b(j(fref|xpza)|nrrlm|l(ybku|ohib|adnw|iqtp)|zawup|iatsd|pgdxh|df(bii|knf)|emfgf|onvbz|fzkab|azmtg|tcoze)|c(nkfew|o(mpph|powa)|spxfq|bazsp|e(xmve|vdor)|c(t(vfz|imx)|mkkh)|h(tulh|mwgo)|p(airt|tyok)|rxgmy|ysjex|qwoli|jbypk|fahdl)|v(d(hffh|dqpr|tkyq)|ewkyf|kybki|qmbwh|s(romj|yezt|fvox)|litjm|hugcm|wh(mti|jpi)|iahqv|plzxr|uuqmg|nmbnd|cgeim)|q(zdmoz|xqgct|dmcaj|afcal|urtqf|k(gqlk|ekba)|hcncn|f(niqr|fsyk)|n(bsut|euae)|coydj|s(dkgt|wwvz)|lwuvd|q(pplz|wyrc|cszt)|mcqjw|b(ehas|txwe)|gmsra|opzor)|o(u(yyao|crlz|rrfz)|nuksd|c(qjcv|zupa)|hmxcg|krczl|i(uced|fequ)|g(mkcm|wsei)|zypqj|fbeud|smbbv|l(lawz|drjl)|olvgm|mxpmf|eugzn|jyzyr)|a(rkblp|v(cahe|azwa)|xftaa|u(snnt|osyi)|o(dhce|eong|zoks)|bbbng|kgviz|axujg|mhauz|zsgdk|hgpku|d(mgkg|airs|gmyq)|g(lhds|qyxe)|lcvps|jdwio|q(qmuh|bocf)|ezzek|pdqcv)|t(mjoki|r(dfkv|adgt)|e(uyuj|fntd)|u(yxwo|vkyh)|t(vgsp|ujfl)|oaamt|qlahr|hpvlc|wkmzh|ypcmr|z(iozb|minl)|kmwsn|pisqn|idwfk|giflm|vunpp|xvvgy)|k(w(vjag|wfvl)|vhlub|q(orqa|mucf)|f(ylfu|tyki)|k(kqpv|nbtz)|uzvpe|i(hdqp|g(nxb|owm))|lzcvq|ypilm|c(pkyz|smlt|apnf)|engye|aykik|psday|m(gnqr|vbsq)|jcrkb|dvcol))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633093; rev:2;)
# sid 2633094 includes 832 (601 - 1200) 6 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(q(mcqjw|b(ehas|txwe)|g(msra|jlqd)|ffsyk|q(wyrc|cszt|exrd)|s(wwvz|qhxx|kvwj)|opzor|n(euae|uval|lhzp)|z(hyfj|udhe)|cvyxb|kbhug|vijkx|xi(xfg|kfa)|p(twjg|jqim)|asnja|w(shfc|gpmp)|lmlep|tiztw|demia)|f(x(azdj|mhgd)|w(rlco|ffdc|tgdt|xpsa)|m(izos|xeea)|n(ufbn|xzhu)|j(vdjv|qeqg)|p(lpbg|crvy|rshf|msgt)|kvdkt|vdifr|a(zyxp|eujt|mfsm)|d(yvrc|afpw|gxhb)|i(qnsi|oawf|sggm)|tgvxy|gqruc|bliht|oschp|exgti|cwaon|zvsen)|s(u(zyll|xrrl)|ylwsr|m(lppx|hrcw)|r(ryvc|hmmm)|z(uuyf|vtti)|i(lhfh|hohh)|f(jotz|xpbt|dccj)|t(dsvx|veua)|o(baqi|zyji|sbaz|ffsl|aige)|g(euds|qffa)|nhwnz|hfckd|w(geui|nwkf)|qlnys|aydko|ezsag|v(yptw|hnoy)|jtuqk|d(nidy|suuh)|xsiqs|p(pmba|sthg))|j(m(slrv|jlde)|v(bpth|srws)|d(jeqr|lzjz|ibvw)|stfac|i(eros|poml|lrxp|blmz)|u(juuf|etpi|idoz)|bxeqd|w(xjma|aish|rjca)|fortq|aijsg|tyehc|k(xcea|rdpr)|ncqhh|y(mgxf|avnt|gsai)|x(ytqb|femk|xqka)|ejupx|gnhmf|qgiwt|zedds)|w(w(gocr|ytei|xvfe)|v(nnde|tbre)|eurza|y(dbnw|hjqt)|f(x(azg|oot)|uwhn)|dxrct|a(npdo|vxyc)|l(iljo|ntsa|qnar)|h(tyea|bosz|wrqp)|pgghm|b(gwsu|hygf|tyxm)|mi(use|mdx)|uaoqv|tygao|i(lcaw|mswf)|zariw|kjooy)|z(f(wlnz|siiz)|vismc|w(isvl|fihh|unba|enye)|y(hctb|sikd|lqte)|t(yikz|otoa|hoqm|psmj)|s(dwur|qmwz)|l(kpqd|tqrs|fbqf)|rfgzu|z(wook|xzoz|dnlz)|urhld|c(cmyv|vbbq|loof)|e(usts|lutn|dhue)|inypi|n(lagw|oqjh)|bgpwn)|l(d(wltg|refc)|r(xiof|osog)|s(jqkd|uazi)|h(qalg|lwqz)|a(xxta|lkym)|glecx|itaee|ffuxd|w(dffu|aeqk)|u(mqwe|exsx|ptor)|kkeut|c(dpsw|fazf)|ltahc|zstez|pejis|bpkpo)|g(pqkyi|o(ecjg|dhgs)|k(yocr|fxam)|v(hsxu|ythd)|l(ngav|mgah)|fhzns|x(fykr|tdxn)|tlxzb|h(rnxa|nick)|uzhoo|e(psxv|ahqk)|shnwg|r(aiee|nept)|cliqr|a(yecp|pgpo)|yatzf|mfvxl|bzwky)|i(l(vvjd|wszm|hcto)|w(vznh|hyls)|m(svzu|rwrb)|ckgmg|i(dnsi|llja)|r(nuww|jenq|mcca)|dqmwa|uzepz|x(excb|pext)|e(xzrm|keom)|g(lnrx|umsj)|k(izlb|tong)|y(nojl|rbmq|slob)|n(mlce|qsdk)|pthay|tqbzb|h(xius|eddz)|aqunq|f(mxzo|wohz)|jbpnp)|h(u(xivd|exjg)|zakkb|m(jfpl|kyst)|nbytt|vnxzp|dpuch|qsots|lrigz|cwsnq|i(kwwr|ikwv|qphd)|blrso|t(yuhq|vvmf)|azcco|r(gsdi|cuyb)|g(tcoc|msxt)|olxpv|ecyqe|xb(aab|ojz)|f(hskr|mlci)|yshum)|x(rmqzb|p(ciai|wsoe|fciz|svzi)|e(ezaz|agjp)|g(hgis|ffbh|ywyq)|s(hzyu|qfnb)|bojlc|fbaum|tkxjh|a(hjuw|zagu|oqah)|ndqux|y(fapr|yyoz|suxz)|wwbvs|ksmcs|jebjf|q(iapm|tfqa)|vnkma|mafrw|xlrby|hnwef)|n(i(rywy|wkdq)|g(uvjr|svwm|kjzz|nkjn)|h(tpgf|aqgb)|q(lcyj|wuks|vjgw)|r(qyvm|owgg)|v(iypk|dxji|xsyr)|l(tpng|mbvr)|w(ussg|cqyp|pdln|twsv)|u(pkfq|wjnu|splx|jyno)|nu(qlj|wxb)|zpgwb|fkitn|t(bsdp|cytv|fhex)|ebbii|mveod|xdmgh|bsnjb|onaox)|r(x(udub|mqtd|kqjj)|k(sbxj|qlwo)|q(lygp|fzem|bjog|nhdw)|a(pjlv|dycu)|s(vfup|g(vhu|afj))|o(vigt|bhbx)|t(rbkc|zpph)|f(abdy|svqm|nrxe)|lvwgp|iq(xfj|qnm)|d(iqcz|thjr|uzws)|j(fzug|tupz)|vnpxc|rujcu|bprfi|h(fzio|rkoy|buta)|wkflq|p(kspo|nbjc)|ujyvh|cfkqj|mealm)|c(rxgmy|ptyok|ysjex|qwoli|jbypk|f(ahdl|eewx)|h(mwgo|vayz|cezw|tzih)|n(feln|gspv|iwpf|vrgb)|mbqms|o(xkgz|n(sgd|zqb))|tjxsf|bhfwb|zlmis|v(grkl|tzno)|k(yvrz|vkul)|ldrme|aqerv|grocg|cnspu)|a(d(mgkg|airs|gmyq|wgya)|g(lhds|qyxe)|lcvps|jdwio|q(qmuh|bocf)|e(zzek|kagx)|pdqcv|o(eong|zoks)|ycvmm|baotb|a(rnjq|nmns)|w(hwwy|nyxj)|zbuby|v(ksyu|uscl|zmek)|sxotn|m(msgl|h(bqv|hrk)|lfmz)|hqnik|fvdzm|t(dios|wcig)|imtbz|ndeaj)|o(o(lvgm|qwxe|jqnt)|mxpmf|eugzn|ifequ|j(yzyr|grzu)|g(wsei|a(vwh|sgo))|q(aakh|kxhe)|zjwfc|tgekf|fpwmp|r(smjl|pahn)|a(kimf|zyeb)|bghnl|dtezn|xhtkj|vfqjv|ceonc|levqz)|e(bedqs|z(utzw|zuis|hnhv|sfvc)|jk(vud|gfh)|k(xnju|mxdq)|hpwco|l(vgdq|rihh)|c(yjkc|flbf)|e(mxxb|rphr)|teukc|yepda|irllo|x(qsjz|guqm)|q(cqwt|annr)|opvlx|uncbc|nfokk)|k(capnf|knbtz|j(crkb|itve)|igowm|m(vbsq|ioqd|ngig)|f(tyki|bilg)|d(vcol|ylzy)|q(mucf|nymy|uzef|frpx)|yx(kcy|rmr)|b(hqkb|zfhw)|a(fghr|ewux)|gaeqd|p(jifo|h(dbj|sxk))|otwbd|xufdy|vzpev|hdafg|tssjs|rmrqw|snwwl|nmobk|z(lrpv|ghch))|y(oejgn|q(plmy|sspw|xggq)|a(iljw|typx)|mtgzy|x(uyut|icsi)|h(vpfh|lmte)|g(rsas|yypv)|ycgxn|s(nhkd|dxuo|cevl)|laagm|n(evyr|pipw|jwdc)|c(pzzw|fzig)|t(ybbs|need)|p(svdj|dvej)|zrhip)|m(x(ygru|nkmx|roxt)|d(cvvg|fwiy|wqde|raks)|lrpyo|pkjde|mjdzn|bryew|vcljs|rvckg|iycmh|kotnp|j(oqup|vpgu)|hmguo|eplop|gqtim|zoroj|uzuue|qujww)|b(emfgf|l(adnw|iqtp)|onvbz|f(zkab|gqil|pjdj|vqnj|ccey)|dfknf|a(zmtg|iynu)|t(coze|prlx)|y(pyps|kzex)|s(ibtm|ohbj)|k(ceaj|t(aue|wod))|znoeb|hthgw|i(kpfj|lqky)|cmvbm|ueybd|rcjeg|nbvfq|wfcjf|mgewv|baxho)|v(s(fvox|lcte)|d(dqpr|tkyq)|p(lzxr|pabx)|u(uqmg|nxhm|memm|lmbv)|w(hjpi|iicu)|n(mbnd|jwfc)|cgeim|jhikb|r(ermk|mhfc|xqnw)|o(gdvc|pmkz)|a(wanm|zhyu)|i(fhub|ukcl)|mxwwj|hsrml|kxjkj|brlqe|fkkpb)|u(j(zpza|lhrp)|n(ntbr|rohu|vkxb|xeeh)|yoeio|r(zhsd|sehy)|w(upxe|vyqf)|iawzh|vqnwi|tkihs|k(ltfg|gmku|vnvc|xgal)|zrjoi|cufst|pizub|xinhh|m(vzjn|uwnu)|hgqul|fgans|ocbfv)|t(kmwsn|pisqn|i(dwfk|ztqf)|g(iflm|uwpi)|v(unpp|liat)|x(vvgy|fbhr|wsdz)|tu(jfl|vsq)|rjrrg|b(otjp|bzfo)|ngprg|z(xxuu|vwcu)|yphff|o(znny|jgyb)|fmpsw|j(oqeb|dlkg)|m(q(kbo|thk)|hgtv)|h(rizt|licj)|dwrby|qagmo|wesgv)|d(l(ubvk|wqhy|vhwr)|ohccv|b(maib|hcvl|zgje)|wfkmc|p(yrim|zbdq)|u(cnig|amuh|qufp)|g(xjyw|vtvq)|y(bnvo|srem)|d(qdvv|bjdt)|j(zpaj|tdnx)|tfhfr|c(qafs|bnna)|rszjr|qkdso|naezx|fawjc|xndrv|e(zqga|fhzq)|a(ojol|exkj|judy)|sapjx|knexx)|p(o(wcpf|nkkz)|t(acbx|yzud)|c(irpm|jvwn|klse)|r(pqnu|vayo|kunz|xbgh)|z(igvj|zlnb|stbb|fuyy)|wsbce|s(kjnr|wlip|zyrt)|mppml|dngbg|p(vbfv|ohux)|x(ovuf|wlot)|khtcb|b(fbqs|ypyl|isun)|ngjlp|aigre|gemcx|e(exfg|mhdq)|i(fcua|pntc)|hvvfa|ulcfd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633094; rev:2;)
# sid 2633095 includes 232 (1201 - 1433) 6 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.com)"; content:"|06|";content:"|03|com|00|";nocase;within: 9;pcre: "/(n(awaej|zoexi|e(iusm|awja)|gofma|vwggh|wgqby|rmism)|x(pincg|wuwdq|o(djna|vnnz)|qwzjn|j(yyle|zzdp|uyuy)|tnhoz|yyayg|kqloa|balxn)|m(beoav|hhlce|usqgn|y(evtg|dvdj)|fdrlr|qhckx|ttbub)|a(huesl|o(kssj|gxnz)|gahjj|aqvwu|cfqxr|djyhd)|y(mdkmn|vuwpm|b(brbg|vhma)|nfbnq|gruuy|rnsid|wvlix|clmqu)|w(f(gslh|cnue)|trhem|qlqnk|g(tcag|kara)|nbdqd|aifoz|ciquy|vdpds|lnpjq)|c(xoykz|dtqrf|y(tlku|gaph)|j(hdky|kqsb)|tghkj|eyppg|inocy|pkxdx)|z(trtzp|jzbro|ybmxl|bcqtr|w(swrz|eujs)|mmngz|xxfkd|cpjxf|zpkcq|dfpkv|ijdye)|p(d(xvhj|ilyl)|faclf|qpiwz|ulpnc|cvtrw|soahy|zxxth|gxnql|jxzqk|etolz)|g(p(rvuu|xeaf)|u(fbpf|jqdg)|ayusb|ckwid|jjnhj|dbynx)|j(emowc|zonsp|hhotv|nnzcu|sdtys|bnhrc|dfvwi|ueupy|fpnrq)|k(n(vtck|soyz)|zgqrp|v(kdvd|tfck)|s(ennl|fsaz)|q(jsuo|lwfx)|dpvsi|hawwi|ckcrj|kymch)|v(q(xzqb|bzih|klzm)|r(hntm|aizx)|hvflf|gtdtd|borut|pyjdj|fllbh)|r(rllnt|czhwg|axark|mkfrb|wrzqb|kmxil)|u(u(bcwo|lrkz)|o(nhoi|cvsy)|kqyxm|yegwm|wmorz|xcdga|zspti)|q(y(gcbm|iqux)|hdstk|uygmz|fsley|alwue|lnonj|nrxxf)|f(gyvjq|mexsu|jlzrb|byqxh|snclb|oyyfe|i(oeng|hnlw)|lpwcb|xymuw)|o(buthe|yjpqm|xhhdj|ugfsz|podpp|kurqn|ovtis)|b(j(gksp|zpul)|n(dvny|urpa|xrez)|vqzgg|s(mjoz|sqpp)|iizjf|cdzih)|t(qkcqe|mznfy|fxqhu|ccgim|s(scto|yjkd)|vossb|gnngp|byipt)|e(d(nmcb|jtst)|aqzjv|vmgoy|qtgky|ciauj|zuetk|xfqki)|i(rivfq|tqsrh|epwjf|fdawk|kuanb)|d(vavam|euvib|y(lsjc|gpsj)|cmlgd|ocoms|grlrr|kecvf|isgvx|mtdia|lgrtz|hyfrv)|s(zdicc|cwfbj|qdiqa|enxxu|akaxz|ullqt|tvmyg|jmesh)|l(s(qbgu|iatw)|btoml|uofwk|rtujr|gbvsf|elwse|zysxx)|h(bywgg|xzmhg|qexex|vtemj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633095; rev:2;)
# sid 2633096 includes 600 (0 - 600) 7 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: "/(g(krobqo|ufpgei|d(oxxfs|pqhjl|blznl|rxvyj|dwmyh|wlyit)|z(ddfdp|qbqnd)|iygrau|yvbjsx|xjxgxd|fx(pehs|doxl)|n(zzhcn|csaeh)|vzbmix|ocixcc|cinyno|tktctg|avkfpo)|p(x(sxdxq|ntnwz)|oznoxr|ihshel|lmpxzn|b(dtxhf|ptzib|unawr)|w(qlxvt|vkrsg|wcupz)|rkyjsa|t(vnmgh|ucezh)|umreru|s(ggfdp|pvazt)|g(xqltj|vmdwi)|elliqr|dmnodt|mhrjus|kbxuze|anucae|nxtgaz|hdvjpk)|k(e(qqhqh|hnqnz|sldhj)|ttqlwc|sappqo|x(munoi|usvqa|fvtvt)|fmaoxo|w(i(llal|cecs)|lzycb|czpli)|lvnlcx|o(nuruh|jvkur)|acaruf|k(mwwgh|socnr)|rgwyvx|noosxq|qnchgw|pbiivy|m(z(pkwt|rplg)|hcajy)|z(ynfuk|sxkxu))|j(q(icrmy|agqte)|h(eevua|kbwpm)|a(mcddf|cdtjw)|u(zeilp|pmiyt)|dycjib|e(winbr|oryvl)|m(iyuqd|qxlpn|xzdkq)|c(jypmy|egmkx)|s(fnukg|emynx)|lfuoii|jiquxl|twvucl|ztdywg|whprvc|r(grkjg|oacqn)|xnkjfj|ieyeaa)|i(ksdhzy|p(nnijl|eeygc)|s(pxutt|sddaa)|o(wbyno|hzwvt)|q(gnuyd|uwsig|vpodg)|e(rjvpk|enrur)|grsdgr|jynqfk|h(mvvup|ywgls)|wutuqe|yunukp|zkwmbi|mndiaq|f(uhwvq|xlnxk)|btjbzz|c(wxglq|mehnz)|ixbwal)|s(xxfixq|pzxzhd|ng(jqvt|vuzz)|lfwqpz|whyvis|o(ykple|masxv)|mnvnjk|z(iwsac|lubrt)|szcjlx|yleexs|tvculz|ksrgbf|dtedvo|qbzsza|adykmm|cpintu|u(hdubq|fanwm|vgfvs)|hxydyq)|r(h(htwxo|jduda)|z(krrmy|ryjbp|hfjjm)|xrxjed|k(brcaj|aorcp)|fjicck|sbdozb|jumgnx|i(prwch|aedpq|dwire)|t(lhmpa|j(isxo|qxic))|y(tgeoe|wopek|ojhqn)|wxdzih|v(izaso|hopwj|srxcr)|lxtyri|oq(jpol|tviu)|qcydmz|ggulxn|nncrkf|e(dzqly|rpwrq|zkhii)|bncqqq|dvejgo)|d(mwgpfq|kdyqro|d(hkxbd|pbhir)|htohch|n(ucxnb|hzpgm|yedtt)|jjukpl|x(vjjot|rjtng)|z(ucwaq|fczxz|tycqh)|vkrpag|cgfnhf|wmvelw|lvrrxm|refxji|qcwkgo|bzrjle|ueoies)|c(f(ldwre|iniuh)|khrwvy|vglolm|y(aofzm|zrpgm)|h(vkrte|zcvem|pswbe|kdbuu)|n(fwesr|xnpwr)|r(b(ddis|nxtx)|kjces)|jymfsw|dutosy|x(ufzac|xqscs)|csrnns|qokoei|sghxdf)|u(ccqepk|d(rabpu|cijfn)|m(bldnf|dpsxg)|l(xeoyk|wvfcc)|s(xptgi|vpaso)|z(qfevl|cibbp)|fihiiy|a(ltxie|airjt)|ogapok|g(eqnbz|nlesf)|hzeoda|pfttai|tyfktl)|q(m(jjrdz|ypftf)|t(bo(qrm|htx)|vscxq)|q(rkmjn|ogtkm)|cayeui|ifrtdx|z(ynrxb|etgqz|pbsjg)|ozcyss|r(gprli|nnulz|kleft)|x(xwdtn|jsdxq|dmyfc)|klsinq|y(mektd|vsfov)|belzbz|uizbku|n(mhwji|wgfze)|p(ncxuz|gxhui)|jmrsqu|fplass|lzpocx|wkrbxn)|n(u(bovca|ymxye)|rfmtzo|zajrrx|j(rwpkh|mrrfm)|m(tgdkf|zwwms|gzlfl)|bjgxpj|gjrrad|s(sgvlv|bktqy)|f(mkwlm|dcndk)|acjejs|i(ttffs|vldfg)|wxauwf|p(wyxhr|jlmsd)|ddnieu)|x(ufchms|q(fxqhc|xqzwp)|chdysh|svqshp|yermmh|k(cpelw|mevkt)|a(ngawz|jrhqk)|xfgurt|d(ylbtp|jpcxs)|bjznfm|hyagpd|wzozwy)|l(mwfhgk|fwgfch|enyatq|o(swpqt|zistj)|q(cmuqj|rvjfi|ftfuy)|vecjby|sdbfnv|nvksew|r(itsqs|dpygr)|a(ohfbn|asqpw|scdsq)|ydosuc|x(iygva|blhwt)|lixwpk|zdkiyh|whxhuw|gmeoel|pwqbru)|w(w(yjozu|lsymc)|fsldzh|v(ktwok|sjrtv)|r(dfzvq|suybd)|nldjuf|hzcppo|simdwo|csxaie|xhffuk|iajxtr|ogolmh|jhwlii|tgabnd)|t(h(wymhf|mlxku)|d(oqcew|kawfy)|a(gxdwy|w(ucrz|nzjz)|cyzqz)|kaeczh|iernyo|yzxflu|jjjhru|lneofl|fdqmxd|xkmxgy|nwiaaf|bbbgin|rflwqc)|a(l(bfrlz|vngcf|fknpc)|xfsqpw|uscmto|kkqaxj|aqwzty|grvaug|zjvyct|mcvgpq|w(einew|mpchc)|bmgdht|n(kzlyd|tolah)|d(xsmng|tbmuv)|fptqvt|jmlsww)|v(nzjtou|oyvrvx|dmuhdn|r(exihl|dimox)|x(emlox|vtgnu|izynr)|hlbmcm|grrhcq|saxzzi|firtrg|y(kornj|ogrcn)|ursych|l(sdysz|tprxy|ghdnr)|wgnwre|bfuycy|vifbcg|kvnekv|qowjkd)|z(tzxesb|c(cwtea|jjhjk)|j(hthns|kssnw)|nsrpzx|x(fsgfo|zambd|goubq)|qgogtd|ykuimg|e(twygj|wgajd)|g(xskyn|woohm)|wqkiss|lfmnzg|zhlqfc|udrgvb|dcjjul|ketxaq|hwuqzc)|o(k(xepwr|bpxuj|cxwfb)|abnftn|i(dofnn|mzfca)|fqyhhp|purpix|wkjllf|m(nsvja|mrhnu)|z(zzijp|yaxso|djxyz)|u(bjspb|ulnau)|vsjypz|hnuaru|jeptrs|b(xtclh|ehnkz)|gmiujp)|y(a(nfngo|wybrj|rcnve)|k(dkuzy|kpczs)|dglzvb|mbdpbn|jncpiu|u(iboyt|nkoqh)|riiczm|glssiq|sjqqqt|vsfzbi|w(teyrb|fbmyg)|znqjsy|lvxloj|emhdor|hyfcgz|ozysvf|nraxtr|btroae|qhehme)|b(i(irbom|rksdx|xpqzu|gzykb)|vcfhxk|ecmnto|qogoau|kqzmjl|w(niduc|ceutk)|achisi|fflpat|dp(vryi|lrwy)|yrabym|smxvca|rkaous|omovzz|jwgmfi|c(qgsem|yktgm)|lrlmea|tgygrb)|f(yqnxvp|e(ifkcb|omsvh)|aftuei|v(tctku|bbgiw|zwhxp)|wmzoju|llcxvn|z(okskx|dpmoc)|jhdraw|qxlmdb|fbydvs|rkqbbk|m(guptx|qwahq)|dftlwv|pnqlvu|g(acjgh|nupwc)|h(ckect|ituof)|uixrrb|sbzuel|bchuic|nfplqw)|e(igqals|n(tedle|qedsn)|gpoucg|dimsks|pejdne|b(xenvt|ormzz|krjof)|uvkczi|e(hlpky|xhvxf|sedtm)|lyfjci|zpaeaq|kshycd|chbprv|a(uvftl|nxfaf)|vhoeml|tgofzk)|m(n(ynjmj|xzwzh)|svtomm|mawzbv|p(ztkve|aymkg)|uokita|a(xsnrd|hhsot)|qkerxf|vloeew|w(lgvxi|krdlc|qnial)|iaayqv|eezjwy|z(lnkyw|abfsz)|jehjtl|oicxrw|kgwdzo)|h(zsmacr|y(puehs|hbxvw)|n(mvxam|sglft)|qynilu|devyyy|c(fnxuu|urrkk)|vwqhdp|tqclid|hqqzrv|xbkesv|o(vgrvx|edtkf)|pygfce|gjfove|bhcgiy|enmdux))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633096; rev:2;)
# sid 2633097 includes 791 (601 - 1200) 7 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: "/(k(ksocnr|q(nchgw|dlecs)|pb(iivy|gsgn)|m(z(pkwt|rplg)|hcajy)|w(icecs|czpli|oevil)|xfvtvt|z(ynfuk|sxkxu|emqxz)|o(jvkur|auqwm|xwmcz)|h(lzvem|emkno|twrxb|zkcpb)|ubltqh|vquwwr|ntarqf|ljfwko)|h(currkk|x(bkesv|lboxv)|o(vgrvx|edtkf)|p(ygfce|xxrco)|n(sglft|xmwbj)|gjfove|y(hbxvw|wzmgc)|b(hcgiy|mqnrd|fjxde)|enmdux|v(dvvup|nlnqy)|k(k(urcm|rutu)|sfjhv)|lczhqg|qkqbjt|rp(qgen|lufz)|shuarb|dmpwrr|t(yufbr|dxoot))|t(b(bbgin|wjopx)|rflwqc|acyzqz|x(arkpv|xlqfe)|e(njmka|skqfz)|s(faahz|llwjc|rziab)|o(uleeg|elhed)|phpewt|jbhpvr|nybznc|mlqftt|f(nfxwe|sercx)|kjcgaq|ytnryr|idcaxi|cpjxfb|dtgzzm|hesgcu|lnfhfe|ztmarj)|i(eenrur|f(uhwvq|xlnxk|ajfip)|q(uwsig|vpodg)|b(tjbzz|sitze)|ohzwvt|peeygc|s(s(ddaa|qvwg)|jqmny|vdtap)|c(wxglq|mehnz|k(owdt|tefq)|bhxwu)|i(xbwal|ognhn|ekcau)|w(ionio|qzwlo|zbqdv)|xhvpgt|d(vfzxg|jkcwy)|zronek|mvdsrs|jgcpuf|tfxnwf|r(imtnn|pgfnq)|knybbl)|c(f(iniuh|riihq)|r(k(jces|dszm)|aayba)|xxqscs|hkdbuu|w(vouow|ksfjf)|dtshkr|pybkey|i(opwvz|yqcbr)|a(ylxcx|lefge)|usadwm|mptlzx|jiqkzu|e(tpdrb|jakhk)|kozjmd|gquxol|nrqlol)|p(s(p(vazt|ersk)|uvyvl)|g(vmdwi|twfzp|ghyfb)|x(ntnwz|xoeyc|vmrqf)|elliqr|d(mnodt|xcgdd)|m(hrjus|feiri)|k(bxuze|tqtjr)|a(n(ucae|dsgo)|dihwh)|n(xtgaz|fbava)|b(unawr|tyhrm)|hdvjpk|t(cbpau|dpket)|lfctsh|y(upaxg|cbffk)|j(mynns|bdwkw|edtbe)|qosmgw|fbxtwv|wpjyed|r(rxogl|kghit)|z(kymno|okexl)|cgnlyu|ofidge)|f(v(bbgiw|zwhxp|viqrt)|u(ixrrb|phnsd)|hituof|s(bzuel|qgnia)|gnupwc|m(qwahq|lwyhs)|b(c(huic|yvwv)|fljsx)|e(omsvh|jsiub|fubqg)|nfplqw|yteusd|z(ahxlt|wrhwp|cflak)|woqzpl|o(yycbp|jdrkc)|p(qkheo|stwhv|nnoec)|a(osoqe|cmzkd)|rxqomc|ktsahi|jxvgfj)|v(l(tprxy|ghdnr|sijrb)|w(gnwre|oqlqy)|yogrcn|bfuycy|v(ifbcg|lssix|odtag)|kvnekv|x(vtgnu|izynr)|q(owjkd|mxlpc|utzsb)|s(uydde|fxyug|ruoed)|gubflh|z(zewdf|g(xgyu|comy)|egnej|njbsb)|f(mxkkq|lryqm)|aqrsba|oecfov|psnvum|ineonu|cqdxni|j(ilwnl|nnmbu)|rouyza|hevngj|mvkzoh)|s(zlubrt|o(masxv|xpsef|ectef)|c(pintu|bspcf|riyui)|u(hdubq|fanwm|vgfvs)|h(xydyq|ixzer)|fopmbr|m(kycds|bzwcp|fyjhf)|d(xbwam|nclqt|jbwuj)|wjpens|q(gsuxn|trynh)|xnriiy|ickmvw|kqisie|lseuku|p(pckxd|rthtl|balit)|ysniiy|vwqmfr|slwbla|gjeugv)|l(rdpygr|a(asqpw|scdsq)|whxhuw|g(meoel|ypwhd|xzctv)|pwqbru|qftfuy|tpxqhs|sruxbd|nstwuw|hkzrtp|ucdnct|davpbi|op(cpnb|hhiv)|lwpcfj|mwopqp|cjmnal|z(utzmt|cokmd)|eufxgf|bkdmvc|xmxwti)|d(wm(velw|cnco)|l(vrrxm|bajyq|qstur|tjrwp)|nyedtt|r(efxji|dixts)|qcwkgo|bzrjle|u(eoies|kbtve)|m(ttnve|llxyw|fdmsd|sfrfo)|k(xqfdl|jjzja)|tgkiro|fnzxet|vbxngl|onzrlt|gatjuc)|o(k(cxwfb|iqrfu)|m(mrhnu|fjmvk|lvjcw)|z(djxyz|afjuk)|behnkz|gmiujp|j(ityxd|pbxpt)|twmxjn|s(clsda|qwnem|ysxoc|arcvl)|a(owqjz|jxppx)|oiptqn|p(rymfm|bwcwo)|d(abfpq|xpuab)|v(bclvz|oqkig)|hmgmsm|f(yfzxh|xrckj|n(zsds|jghd))|x(nrjvk|ypbdh))|w(xhffuk|w(lsymc|unuwr|mbqlo)|iajxtr|o(golmh|ydjyl)|j(hwlii|dnurf)|t(gabnd|lozev|heebi)|vsjrtv|zmsgnd|y(gvbsf|xwsad)|bacuwr|r(bohlc|xehro|yzkxt)|h(bpzyf|gzvnh)|l(uffxa|liulm)|fhipcu|glqkbq|azviaf|pkfbqt|ufksej)|m(z(lnkyw|abfsz|dvyth)|j(e(hjtl|ywvf)|nygqh)|n(xzwzh|axynx)|o(icxrw|sudmi)|k(gwdzo|qisej)|p(aymkg|hbfki)|y(bifzq|cpqpg|ujfmk)|a(ynkzr|hgbbu)|qkdpel|shovyz|wcvqqj|g(mjrwx|psvct|qztwk)|i(qwvdt|vxruy)|fdoydy|b(jhrkg|ohwwq)|htbrks|lsffwv|xqqhjh)|u(lwvfcc|g(eqnbz|nlesf|rwscb)|zcibbp|aairjt|m(dpsxg|uonlw|ooaaz|iiyym)|hzeoda|pf(ttai|kujm)|t(y(fktl|pieb)|m(ywfu|mrnd))|q(yerob|geqjk|xixtz)|wbxt(qy|gk)|i(pkljv|wcbcl)|f(nmpxs|xcwey)|nqrijw|r(pxrwm|vxgyv)|jovbnu|o(qbvls|glnll)|b(sxegl|vlpfg)|xxwpzd|yfukfc|dgdtun)|b(c(qgsem|yktgm)|w(ceutk|pxgtq|dwntr)|lrlmea|dplrwy|tgygrb|z(zgucq|jxmxm)|ftrrvp|h(gvzev|phwia)|ezghwm|klfnuf|adqijk|r(yukkx|wqhhq)|yoxeuc|ndfaig|gpecef|b(oihkj|pzcip)|mjdjdp|xlahml|s(kqxnf|dgklj)|ovfygk|qsvxzr)|n(acjejs|m(gzlfl|hzxtt)|u(ymxye|jzzvd)|i(ttffs|vldfg|yclet)|wxauwf|p(wyxhr|jlmsd|lgnze|asvma)|d(dnieu|nsxtb)|f(dcndk|hmuih)|kybfaa|rbujhs|h(csltc|lwaos)|q(xvtlc|waaal)|g(eudnt|ctaek|djvgq)|n(batpg|gaggf)|crtrky|jqlbpa|s(igzpu|qjqui)|yuhuxn|vqdebh|zitdzh)|q(j(mrsqu|dlfpr)|z(pbsjg|jyrml|mdoyw)|p(gxhui|cvsgd)|f(plass|cddkg)|r(nnulz|kleft|aiszy|trfgr)|lzpocx|yvsfov|wkrbxn|n(wgfze|aqprg)|x(dmyfc|pqyzf)|q(wfhfv|fwfsa)|e(enbnn|mamza|kwkjr)|v(vauqs|zypxf|d(yozl|wcub))|s(mpbik|zfear)|asxzra|dsndeg|iwfajh|gdzqbm|kzjzel)|j(acdtjw|m(xzdkq|yzroi)|twvucl|ztdywg|w(hprvc|u(nifb|vezb))|r(grkjg|oacqn|wpule)|xnkjfj|i(eyeaa|cqwcp)|hkbwpm|v(igmvk|xddps|eydrb)|ctdvgt|uyjpam|pqqkqv|llkalo|q(zpaib|vffpa|tmwep)|shzaor|e(dxnzj|hopzo))|e(vhoeml|n(qedsn|ufgko)|t(gofzk|xcqkk|zuctd)|an(xfaf|faxx)|uvbccb|l(yholx|hpkxg|qdcpl)|e(lpyur|ygkhb)|gfbcou|ftbvsb|cptjak|wwiuhj|bcarbp|ziofzf|qloxzf|r(hrtzu|rlaqs)|kgjxft|d(ljbxu|gljwi))|z(ketxaq|h(wuqzc|ughsj|cqdyn|gpeub)|w(zrrza|uvito)|iqmcdy|z(vxsii|ldtaw)|cgljlp|leumvb|fsrfsu|sppxio|mhaexa|b(gbibf|mxatm)|x(dadyu|yepbd)|qhuage|yvvgnv|u(jagrc|q(loyq|yzsg))|eqliys|aesjni)|y(u(nkoqh|ahomj)|h(yfcgz|hjnld|dlhur)|w(fbmyg|nyepf)|k(kpczs|ztgsi)|o(zysvf|vqoif)|nraxtr|btroae|q(hehme|xkfur)|mpnmxu|fkdppy|d(pzqus|fskcp|tflpn)|x(dywzt|tjcrd)|twxbnz|cbcicf|r(lrelo|ghpqo|vqdzn|wetbh)|a(kiimo|fhyix)|ehvqbv|yrohzj|g(dukwm|qnioz)|ivpjqh|ldmpac|solyuf)|r(g(gulxn|ookmd|highb)|nncrkf|o(qtviu|wdjxt)|e(dzqly|rpwrq|zkhii)|vsrxcr|bn(cqqq|mmyx)|t(jqxic|wcemu)|dvejgo|s(dfcsz|rkxnd|kthnv)|fumzml|ybymvj|r(oqoyn|ujewh)|xocnni|wqxxbu|hstnwd|psbbep|uflzfc|cwvmip|arhqyo|ihytas)|g(a(vkfpo|yffet)|d(wlyit|fpfqd|qhyxg|yniax)|z(qbqnd|ojufg|sbpcz)|k(yskit|jtupm)|nrtjhk|meyxnt|efhijp|vcwnxv|x(nfxpg|sbznt)|g(lzvhb|whkro)|ufwfyr|rhahqm|lcrjmn|pwjjwr|j(lfjbv|jlzpm)|ouplst|qbuzag|bqtqlm)|x(h(yagpd|cwupl)|qxqzwp|w(zozwy|oqylj)|t(almjh|tpzhx)|kntkkg|felbel|r(kunvo|likdl)|s(mzgso|dbflj|pyrnd)|upetnw|edylno|j(s(gebn|xwcs)|gnmuk)|vausmn|geucqa|zqsuvg|cyobof|d(mcyti|vokkj)|nahdix)|a(n(tolah|ylxka)|wmpchc|d(tbmuv|sqwpo)|h(fbftu|vyqun)|zjejrf|m(rtaag|mldqy)|tpqwox|ircnic|uqfwlt|jyjsqc|kxlvsd|avipti|bexiff|ppktgy|qmdyeh|vcoujw|yazbgh|rcomsg|cljtfe|gaevfq|sopyzt|xyxkyt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633097; rev:2;)
# sid 2633098 includes 191 (1201 - 1392) 7 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.com)"; content:"|07|";content:"|03|com|00|";nocase;within: 10;pcre: "/(y(m(zrvgp|efldu)|emvtcg|tjvnxg|ginojp|cgazmo|wfffwu|yycxju|zxonhp)|g(qasaks|trjopb|savktd|levtvz)|z(c(scxfa|zjzdk)|eoitfi|tsyfwu|oeuyaj|j(oaaxi|smdzx)|htvhef)|c(atjkpm|s(uxhky|acsax)|jyiewr|guwbqc|bpeebp|nruikt|lkygfh|r(pulmd|gvebj))|j(s(xziec|lkpuz)|bpghfv|mgyogf|cyzmrw)|r(uykjvn|x(lzony|ctyuo)|rjoymw|nlaepq|obtbnx|b(sspxm|ysquq)|lbzjlt|hatqov|vmonrq|qpknmk)|s(tfctou|klzsuq|sdbshn|wfvlpw|aavxjc|vebfda|okxibq|hslktm|ricftn)|a(xqouoy|kadolx|j(fnpfq|zhant)|tjmfmk|avrlfy|dninvr|lojwix)|l(c(kanyu|aaxzx)|yxbaas|vjofrd|oisfdh|dbzksc|htuozm|gpzlph)|u(vbycuy|afgqab|nlmmxl|qwnams|uddaxi|cbivvw|himgxd|zborqc)|x(n(n(zyzf|tjoq)|lfxtx)|u(wxtvz|fynqp)|dvpnsp|kwsyvk)|p(kbqyzy|fxbdqz|c(rdtfr|hmifx)|uyokim|nyhoin|wymimp)|q(ul(mcrs|vivw)|tyrwml|w(mewbx|druno)|pwxnkr|qumjsz|brjxkx|izmfsr|x(qmevu|xmlxv)|rzjajz)|t(eihakt|tutrps|wqwuzz|d(fihwz|hrtah)|alutgo)|w(ycwmvr|rrsvjq|auspqp|ssyfua|blwlhw|tprxre|ldsxyt)|v(w(uzpaw|oxlav)|sbcrae|htymog|rjagnl|zayzwa|pnxoyx)|k(p(bkwjp|nkkbe)|c(nlxoc|bgpts)|wuwzyw|sparpu|g(jcnjp|upzgd)|nlkrzn|yjmtet|rnxfnf|xmdmnc|kvjyxj)|f(vnchyk|rjtves|tdjkuc|abjppj|xllkzo|ippjfg)|b(tsazyb|smpabp|zqsgsu|wsubja|brcjrg|q(tcjfw|vdbla)|mxefzu|njiuac)|n(f(okgho|qthyp)|agexot|rxuydi|thsyaf|dtfprn|nitufp)|o(vawwoa|xvlinp|wjkkyu|aeyvzg)|i(mebeza|hvtzbx|xfvtta|fdmaij|ykvwrv|pxzuqp|vjjgmc)|d(baactx|mrwfsg|d(zynox|kirwi)|gpxocc|eybvab|hteqpg|svmrei)|h(xdqhpk|s(wihal|xsgtx)|tplrhm)|e(plzcxx|j(vrdjn|rmmhs)|qudbfk)|m(tihyng|spblcx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633098; rev:2;)
# sid 2633099 includes 600 (0 - 600) 8 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(y(qdqyntx|a(zzzwke|rywycx)|ogtjyrt|jpazwaq|z(xzkbxd|datvla)|d(xsyrit|gptwuv)|c(vfmtvn|oyhcrf)|tlarqvw|lajfjgw|eqvoylm|kglbwie|w(azgfyh|njbusc)|izpwaen|vrmuumy|xifvagp|ygmagoh|scuxpho|ftvhtgi)|l(x(mpzyiq|wcgsuz)|t(repbux|scrfmt)|if(ytoms|lzldl)|v(pskklp|ituknk)|f(oxlnhv|egjehs)|s(txxzha|hlcwrz)|b(wzgzta|bcslwq)|lccsczl|dvmitqn|eqicxgx|o(uvbrvf|lxhfhl)|j(lvhrla|cuhfqx|wmvibj)|zzmrltm|gydzbrf|aclhlai|hxyefzb)|z(t(oohkug|zogbvt|ivptqz)|v(uvmgeo|rqxial|pmngyx)|oxydqip|zqobpie|qqeaqry|y(twviig|ydopur|waxprl)|amcblvs|u(cabqek|aogdbn)|h(wlssep|vyednb)|gltoiic|ktuecax|lhklumn|bbpvgul|cyejofv|n(bqavjh|dumnis|mgmgup))|r(m(ixtljo|tvlqrf)|l(yaznma|gzskui)|f(qczmtl|pbccjy|dfakqr|blvdqc)|z(phrdma|fcejyd)|n(drpqro|soxano|qafjao)|ddsjhcz|wetoiko|t(mxxqut|uysmrg)|rdjpjik|jkqfnii|kvpogam|u(hqxpun|skqxvk|qxamsj)|s(mnndte|yotaye))|i(xpqjexc|cztfixe|d(xcvpkp|irtxpl)|b(grwhla|usjpzm|wvvqac)|mjpxnzc|upozdbg|lp(gpcjz|jfsul)|a(ejhcay|ausstn)|k(hmwqdx|smcrpt)|t(rcvbjc|urckcc|dkyjba)|yxfvpdt|qvzyzsl|raudbpo|ipfoycp|p(opsmln|vrkykk)|hxyeuun|gercpab|jtokifx)|k(kcluicw|n(sjezjy|zezxln)|glbabgm|y(diqzmv|gptxaz)|d(miasze|jxcjre|fuuamu)|e(hpqntg|ixqfjd|acbgtp)|wzrhotu|lkmxtog|j(ilmmfa|ndseqm|xcivsx)|ussmpxa|qixcbwq|oyzhsua|afdckdr|mkwexfm|cdfaqxi|fcuqeuy|iutkslg|bdfcpfl)|w(pdkyves|k(vkdjlr|tsmmjr|qjeujl)|i(clhowq|exvexd)|w(hcbcni|bhvovj)|d(scwjmk|yajanh)|h(ncwcqv|ceiixn|udabds)|u(arinfw|boqxcl)|e(ghiihy|kobpfy)|vyqysnh|yaxnexy|otocfgi|myxlzkr|cdgxojx|zjwypps)|q(ugjbaox|ttcwzcg|m(qomvbv|bunoxo)|x(ocicee|rgxmel)|i(hlxgvn|oxgqcp)|s(cahysb|xeivsx|neexxm)|d(qmxfzs|iswtdw)|whfauhd|nepvnyi|lmmzhnw|jaubflf|f(ijlqsd|jtgdkm)|hxdubbt|k(kjeebp|crwmqp))|e(o(mojhau|rijcjq)|kotirnb|a(kqpxzh|hpbmna)|d(errgrh|fpkeqd|raavqf)|cjkqnas|gjkufcj|vwavorq|j(soyioj|tkousw|myjufs)|rrrkblf|zgbzpiz|bgqinsa|ntukohv|mgzzurr|lizmorl)|d(y(oouqvd|swgqek)|n(psujbn|ivglog)|a(jqzmur|dxedva|cdvyha)|l(jyxppp|vjkkmn)|i(crflsp|tbdjns|nsqoai)|p(tgywop|aekbdw)|u(wwcuev|zxmsek|vjraro|pngdcd)|m(jscmzd|qvozmj)|ophzgto|jnkedsd|k(fbdzfe|onveaa|cpehrr)|x(kgxnra|epvmgj)|swdumhe|vkttwyg|qmvcucp|gyiebdo|h(wbzxqh|kkrnvl)|w(laijvr|oehwxr)|edvbzcj|tpslajj)|j(a(bdvcqw|mrozes|ejtoyc|rzfpzg)|wwlopno|smrftvw|k(cjubnf|vsgqkg)|q(jytgym|tyiwxj|qledtm)|pmgdoyx|c(druevd|ezavux|wqgrhg)|emjohxz|vlvcnyq|xcqnjdo|dkwuove|illbkfz|uvfcuub)|h(daznyee|v(ukslim|bbdplo)|mhbccbp|t(ftizho|vwvgbf)|r(rrieus|mnszyb)|icftkzn|qvrvqjh|zsxdhxt|yjygkkk|ctjsefs)|u(w(qigcjz|trtggt)|nnqlffl|d(vgaseb|wprswp)|s(qlwpdt|mkxiae)|ooxuvvc|xewfhrv|c(oljmdm|pncenk)|q(pocmyi|iqdkny|rxsdvl)|a(dwwvva|weiiaj)|vjeqnie|m(zrytua|dakqoc)|krafscx|invlynb|bixdfqm)|v(i(loydfe|eknbyr|jufmqd)|ygkjrna|m(ubnckd|togzes|ryxsbg)|lgbdhzy|gifispk|wjawred|z(ahdmjd|pxoaru|vbufle)|c(wgabee|hbvymn|cywhsg)|s(bgfdyf|afjbir)|jwiyrdh|oaoudxy|k(bbkntc|dqbrou)|e(oizeep|jolqbv)|uvkckdj|bqlnmhb|ddgjdtx)|n(e(kaiszi|aifahp)|d(cztcul|dfiwea|wtgvxr|usgzlp|aintln)|yoegvfg|w(zkhguv|ldhghi)|ticcbab|gzdgbhl|loftbyu|k(fwpqgd|ynntqs)|vqhwxen|crbkeae|ubibvth|aqgmjdw|qnsxhwu|nuihvxj|bksvpak)|o(a(pvuqfd|vxqphm)|mhgwmyx|i(mfqocm|qyfdxg)|qdxhezx|zomagtp|gdusogg|rgpdwki|hjavzid|s(orqpdn|jzuvld|geredl)|vmnwtgq|d(klhhgb|cegrbe)|uvkotzz|xtzsxjj|nzwdcpk|lwzevct|pscqyhg)|g(a(fidwcr|rclnxu|zxqkad)|m(vytjhm|zojxuf|qrsdor)|klsmwky|qmnpzwp|szivqxs|ldrvnns|cmazjwb|v(czcwzn|qkerca|yfinmd)|y(aqgtlb|vfdejf)|zrrcnqs|d(viyfum|olnqnn)|f(rstakv|iapxcd)|p(fansoy|ihrypc)|utqzmqk|n(uvbgis|igqosy)|wcbfrxd|jlnqlpz)|s(u(kepmnl|wgtept)|n(vtujuh|ofihkg|ngsumj)|cdyquhj|m(jnnfpf|olyfqp)|p(hvyhjw|fmmnji)|w(zrjypm|gehgah|omfugl)|hhhjxrp|yybkubl|oeinvwn|aobchiv|kdtahdp|sszdeqa|f(furjcj|jzgbve)|iezmzpf|bshkxnm|gwjkflw|qdrslsq)|x(tyx(phxj|qcqy)|oqsytip|kbvsiof|r(yywddo|ngptho)|q(vphcyf|ntvwya)|n(gdusvi|hxwjrl)|yrqpxrl|gbvprmk|i(agjvim|wvhwyj)|dbxkmzn|jgeukuf|l(rxojyn|iziutb)|zbzcxye|czwaouf|udxapkg|wjpvanh|pjzmaqy)|t(ypqktjm|g(vuyvxp|zhcxah)|ldxqkju|jwsezkv|u(zwpetm|inmemy)|qetuuqw|w(iyhxlv|emozhp)|n(ooleqk|kjprzx)|ojvslgd|i(tejxoc|sskrvj)|alguhbr|b(atookp|lomvsm|wvrxte)|e(nxqdaz|omefdz)|kwwzplo|zggbzkk)|p(gxlruph|ihtnvuc|ou(jtqie|mlzyi)|p(dgcajf|jkkyfz)|zrotkdz|d(hfertm|yzxhlo)|h(fxvpnf|ccbxqs)|vzeefcb|wvvlfgi|n(wffahg|ungkpt|ycopbe|kntmoz)|y(aduwfi|zrqemu)|s(reuelw|iecivp|mwzjvx|ambgij)|jpczyjb|kdztgwk|cbqcati|famhdhd|rpbjntk)|f(e(arawtt|fiicmg)|u(vnkecx|dlxtan)|tdzfmkj|c(gxlgbb|nrtpme)|aa(wuivf|pames)|hsstswy|vmzwhhf|phthpuo|rbtweik|mpfgzlc|smfmndz|djyxcmq)|b(eoquujg|u(yoqvuo|tqiavi)|omgnjpw|smoopgk|bpubkgn|z(ihpngz|ciuksk)|gptnsfq|izmuocf|fanbshb|q(ousuwi|uhkklp|rlavre)|moyrqah|xtmppis|dldfwdt|hjffqzt)|a(i(iyexas|lmavmb)|z(ydbbbv|oyqwil)|a(rfyfep|lzxmkh)|b(lhuaxo|hbtoew)|vcglhzh|n(wylbcq|bgvnxk)|t(xsejkk|fwaegs)|wnkenvw|yjahcql|d(rumsmc|kmmlvo)|qazppqv|ohwezol)|c(q(kkvqgj|jpuvmp)|jqnjwzs|kmbligh|xymcvfv|fapyxas|b(fmmbrv|kzmxbu)|cfqgrus|awsmxpw|rvrfjmx|zcqncoc|o(meowko|wodjpy)|ethizpd|y(heuiva|cnzjsw|uajcjd|ngqpkq)|gwkxnht|myrbhaz|snrjcad|lnvrdgk)|m(gkwspfb|e(hqbxhh|xljprh)|o(hdewea|ypkjtg)|mxywieo|p(zusbuy|h(gwyxh|bictm)|jeccie|ufoclz)|d(vtptiz|fktgtd)|coppibj|bllshio|nzkeltm|zwovkbk))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633099; rev:2;)
# sid 2633100 includes 1200 (601 - 1200) 8 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(y(qdqyntx|a(zzzwke|rywycx)|o(gtjyrt|dubibc|omxtqs|qqbbtm)|j(pazwaq|zsqdhc)|z(xzkbxd|datvla|amrsrm)|d(xsyrit|gptwuv|b(yckrg|zzizc)|cagxxh|tcsvbu|fgfotz)|c(v(fmtvn|bnedj)|oyhcrf|xomsae)|tlarqvw|l(ajfjgw|qgcbtd)|eqvoylm|k(glbwie|fjgacr|ycyvdj)|w(azgfyh|njbusc)|izpwaen|v(rmuumy|uqacgo)|x(ifvagp|tvrcug)|ygmagoh|scuxpho|f(tvhtgi|mqewgq)|p(pvwckd|bgfvep|ctgjnt))|l(x(mpzyiq|wcgsuz|uxepzq|afalmx)|t(repbux|s(crfmt|egjnv)|z(gjoni|zsseo))|i(f(ytoms|lzldl)|zbikww|edotov|ydplmj)|v(pskklp|ituknk|avjzwk)|f(oxlnhv|egjehs|taypcw|unquhb)|s(txxzha|hlcwrz|qzvyoy)|b(wzgzta|bcslwq|klauzj)|lccsczl|dvmitqn|eqicxgx|o(uvbrvf|lxhfhl)|j(lvhrla|cuhfqx|wmvibj|hznqmc|nzefay)|zzmrltm|gydzbrf|a(clhlai|ywjtgf)|h(xyefzb|nszbpb|hqtgmn|lnimqd)|mpffvtm|qqjuqjg|k(vvmczk|gwtdle)|piihsnv|rtkrapd|nldlbgh|upvqqja|cwwprqe|yxyugie)|z(t(oohkug|z(ogbvt|kvbzc)|ivptqz)|v(uvmgeo|rqxial|pmngyx|olamsv|xwqspl)|o(xydqip|mtxafd|oeebud)|z(qobpie|hzaqin|dryesg|pfuwxv)|q(qeaqry|mkhvbt)|y(twviig|ydopur|waxprl|pbvgib|icdpzm)|amcblvs|u(cabqek|aogdbn|wlinim)|h(wlssep|vyednb)|g(ltoiic|nuirwv)|k(tuecax|wkzokp)|lhklumn|b(bpvgul|ketgsi|uatrzx|ykipmr)|c(yejofv|ulpekc)|n(bqavjh|dumnis|mgmgup|gwjwef)|e(gwxmkt|quzgau)|itpruku|wxqtaoc|f(fxvvxj|ufethj)|jhlnrkc|p(whgzan|jcmyup)|xqhpslc)|r(m(ixtljo|tvlqrf)|l(yaznma|gzskui)|f(qczmtl|pbccjy|dfakqr|blvdqc)|z(phrdma|fcejyd|ruyfig)|n(drpqro|soxano|qafjao|tazscm|uvekdv)|d(dsjhcz|oercvi|huszlv|cszutu)|w(etoiko|gshpaw)|t(mxxqut|uysmrg)|rdjpjik|j(kqfnii|nqijrc|uvcfmo)|kvpogam|u(hqxpun|skqxvk|qxamsj)|s(mnndte|yotaye|shhgry)|xnolgnv|o(ixzdsi|b(fwexu|waqht)|ewntdz)|a(fkqbyd|umagpj)|yjehlfz)|i(x(pqjexc|gljkrl)|cztfixe|d(xcvpkp|irtxpl|rykkbs)|b(grwhla|usjpzm|wvvqac|mqxyoi|dfiuwz)|m(jpxnzc|escdyv|tmvcba)|upozdbg|lp(gpcjz|jfsul)|a(ejhcay|ausstn|bbomjd)|k(hmwqdx|smcrpt)|t(rcvbjc|urckcc|dkyjba|aqgmyv)|y(xfvpdt|reywib)|q(vzyzsl|jlrbin)|r(audbpo|lgfhxq)|i(pfoycp|etntaw)|p(opsmln|vrkykk)|hxyeuun|gercpab|j(tokifx|rxgfxf)|n(nukxwc|diwhnc)|subbuwi|zjrnurt|ogmlcwa)|k(kcluicw|n(sjezjy|zezxln|wtbcmh|huiiup)|glbabgm|y(diqzmv|gptxaz|phofer)|d(miasze|jxcjre|fuuamu|opmsgp)|e(hpqntg|ixqfjd|acbgtp|copiut)|w(z(rhotu|qvawi)|ogrlwq|ictoem)|l(kmxtog|mzyuzg)|j(ilmmfa|ndseqm|xcivsx|bhvkpp)|ussmpxa|q(ixcbwq|hlozet|vgumou|lxdxie)|o(yzhsua|r(prvth|jumml))|afdckdr|mkwexfm|c(dfaqxi|ynljpm)|f(cuqeuy|koikgz)|i(utkslg|feimeq)|bdfcpfl|zbmwddp|pyzqacu|rnwfrkb|tnptpih|xfpseav)|w(p(dkyves|wndpiz)|k(vkdjlr|tsmmjr|qjeujl|pjprjs)|i(clhowq|exvexd|iqojrh|vffrwm)|w(hcbcni|bhvovj|tmqeen)|d(scwjmk|yajanh|ivompi)|h(ncwcqv|ceiixn|udabds|fesanr|puelqa|sbejrp)|u(a(rinfw|hulnb)|boqxcl)|e(ghiihy|k(obpfy|gfuxf)|wpmzje)|vyqysnh|y(axnexy|dzmqft|bwwyow)|otocfgi|m(yxlzkr|mjnkds)|cdgxojx|zjwypps|l(nszbqd|mlmytr|vsekjj)|foikoqe|noqbdfu|a(powlqx|solwis)|sfmhcin|rbfigun|jamwclu)|q(u(gjbaox|skiwei|bgdqxb)|ttcwzcg|m(qomvbv|bunoxo)|x(ocicee|rgxmel|kgygxq)|i(hlxgvn|oxgqcp)|s(c(ahysb|ewweb)|xeivsx|neexxm|ppgkao)|d(qmxfzs|iswtdw|fblayt)|w(hfauhd|nsinyl)|nepvnyi|l(mmzhnw|uwzwhq)|j(aubflf|vlkhfu)|f(ijlqsd|jtgdkm)|hxdubbt|k(kjeebp|crwmqp)|y(dwxdkl|hrerep|kuedsk)|eswzttm|ogzoxjp|p(qmcjpj|colnhi)|gvhaoke|z(uverim|pqgeii)|bldwipr)|e(o(m(ojhau|rdwhc)|rijcjq|kejzar)|k(otirnb|gcwoss|iiuavn)|a(kqpxzh|hpbmna|opfahi)|d(errgrh|fpkeqd|raavqf|ywmsrp)|c(j(kqnas|rzdyk)|hdrcsr)|g(jkufcj|yooxzn)|v(wavorq|kxameq)|j(soyioj|tkousw|m(yjufs|lvhyd)|wtcztj)|rrrkblf|z(gbzpiz|peztav|ktckho)|b(gqinsa|pxmavw)|n(tukohv|pqjqbu|jxobnd)|m(gzzurr|ivbbff)|lizmorl|y(iymynw|mvadcj|nplljz)|fnlsfsx|trskppx|h(uzlony|weygyj|beszwe)|i(trnwaz|vccdaa|ntrrpi)|x(o(hvzcn|jnksh)|wfkeio|xeotst)|wmbconj|eoypxee|uuazgzb)|d(y(oouqvd|swgqek)|n(psujbn|ivglog|uf(angu|pjni)|jqhfur)|a(jqzmur|dxedva|c(dvyha|wyqjc))|l(jyxppp|vjkkmn|eqvnvj)|i(crflsp|tbdjns|nsqoai|pggbjd)|p(tgywop|aekbdw)|u(wwcuev|zxmsek|vjraro|pngdcd|nopwuk)|m(jscmzd|qvozmj|tjeshf)|ophzgto|jnkedsd|k(fbdzfe|onveaa|cpehrr|goddqw|zndsvz)|x(kgxnra|epvmgj|gojnqr)|swdumhe|v(kttwyg|dmtrvy|rubzrg)|q(mvcucp|ldnysi|jjmqgk)|g(yiebdo|inslvp)|h(wbzxqh|kkrnvl|jdwpzf)|w(laijvr|oehwxr)|e(dvbzcj|zaybzb|aoykah|osntfo)|t(pslajj|vnqsec)|fztdknx)|j(a(bdvcqw|m(rozes|ssbtj)|ejtoyc|rzfpzg|wrdvpa|yxmmkt)|w(w(lopno|ynres)|cwawol)|s(mrftvw|iaqniv)|k(cjubnf|vsgqkg)|q(jytgym|tyiwxj|qledtm)|pmgdoyx|c(druevd|ezavux|wqgrhg)|e(mjohxz|stqhve)|v(lvcnyq|ubvtcs)|x(c(qnjdo|ewcdz)|husipo)|dkwuove|illbkfz|uvfcuub|n(uwkczn|tkhogs|ewnpxg)|z(gxuuay|qifirk)|fgisvdt|titvsjc|hqmjihj|ruzpsch)|h(daznyee|v(ukslim|bbdplo|cznqkc|ivgzst)|m(hbccbp|ixpoki)|t(ftizho|vwvgbf)|r(rrieus|mnszyb)|i(cftkzn|jsencj|fjeszs)|q(vrvqjh|ubgyrl)|z(sxdhxt|mcyedb)|y(j(ygkkk|lqhdo)|ogyumx)|ctjsefs|fyrzxuq|p(gthfzo|kefxed)|gangftc|hzhjfts|xiicrlv|on(zdnku|vllwk)|jnvukya|n(ugrwpj|bekbzo)|b(pdgokg|gqjctc)|sfkqnoq|ukrupwo|wsvkyuy|lulkcgx)|u(w(qigcjz|trtggt)|nnqlffl|d(vgaseb|wprswp)|s(qlwpdt|mkxiae|excecn|hzwvwc)|o(oxuvvc|bayyxt|ihycpv|nqqxhc|pzplpy)|x(ewfhrv|nfpbvb)|c(o(ljmdm|emnby)|pncenk|ccyfju)|q(pocmyi|iqdkny|rxsdvl)|a(dwwvva|weiiaj|okocoz)|vjeqnie|m(zrytua|dakqoc)|krafscx|i(nvlynb|krfshh)|b(ixdfqm|ryklau)|fpkjlla|lwcmcog|g(wirtbx|iwattl)|htmxmdi|ewnhrvi|pdawfml)|v(i(loydfe|e(knbyr|crkik)|jufmqd|reitaf)|y(gkjrna|riabiv)|m(ubnckd|togzes|ryxsbg)|lgbdhzy|gifispk|w(jawred|fgzoqj)|z(ahdmjd|pxoaru|vbufle|ljnwli)|c(wgabee|hbvymn|cywhsg|mztsjk|lswjqb)|s(bgfdyf|afjbir)|jwiyrdh|o(aoudxy|qcadka)|k(bbkntc|dqbrou|anqkzg)|e(oizeep|jolqbv|eamzwk|zciuce)|u(vkckdj|xpjovl)|bqlnmhb|d(dgjdtx|fykxnz)|hvlypll|azuffls|r(uumygl|orketn)|fhijipe|v(luyyil|kcsosm)|qesojdh)|n(e(kaiszi|aifahp|iupaot)|d(cztcul|dfiwea|wtgvxr|usgzlp|aintln|veqvpg)|y(oegvfg|enpfzj)|w(zkhguv|ldhghi)|t(iccbab|hgftwj)|gzdgbhl|l(oftbyu|amdmxa)|k(fwpqgd|ynntqs)|v(qhwxen|yqgtjj)|c(r(bkeae|nxlwg)|qotcqf)|ubibvth|a(qgmjdw|ttzdue|razvzh)|q(nsxhwu|cdvstr)|n(uihvxj|igqsyy)|bksvpak|i(hlosbh|mghwyg|jhtaox)|f(kkldul|wxocrn)|obwmyla|hjvynjn|pqhotad|x(mgwgby|lloosu)|sihtmpd)|o(a(pvuqfd|vxqphm)|m(hgwmyx|ocguzh|fvxcrb)|i(mfqocm|qyfdxg)|qdxhezx|z(omagtp|sxoilu|yndjae)|gdusogg|r(gpdwki|dtzrnq)|hjavzid|s(orqpdn|jzuvld|geredl|cmzswb)|v(mnwtgq|hwkvbz|lrwzyv)|d(klhhgb|cegrbe|gprgzw|wuizmi)|u(vkotzz|eghucm|zbjruq)|x(tzsxjj|z(jxxgy|pkitp)|qkamuf|xbgimw)|n(zwdcpk|ciivyz|fsonqm|lscvma)|l(wzevct|xmoglf|hqilfe)|pscqyhg|yl(aiaua|ouwet)|wbejzpb|t(zoiezq|qqqfsh))|g(a(fidwcr|rclnxu|zxqkad|cgkkrd)|m(vytjhm|zojxuf|qrsdor)|k(lsmwky|bzwfcy)|qmnpzwp|s(zivqxs|watusy|yeuyjg)|ldrvnns|cmazjwb|v(czcwzn|qkerca|yfinmd|wxlnxm|dseeor)|y(aqgtlb|vfdejf|ttyqkp)|z(rrcnqs|erdcxd|nvlmro|azfpwf)|d(viyfum|olnqnn)|f(rstakv|iapxcd)|p(fansoy|ihrypc)|u(tqzmqk|wedcin)|n(uvbgis|igqosy|wrtarw|qvzujo)|wcbfrxd|jlnqlpz|t(tddabv|avilms)|hsuhnhc|b(nhtlsq|geoynw)|r(ewvdcu|hpbtfu)|ivqfhwa|x(pkcvhg|wkgdwx))|s(u(k(epmnl|csqrs)|wgtept)|n(vtujuh|ofihkg|ngsumj|ylypvt)|c(dyquhj|ohjghp)|m(jnnfpf|olyfqp|zxjhpi)|p(hvyhjw|fmmnji)|w(zrjypm|gehgah|omfugl)|hhhjxrp|yybkubl|o(einvwn|zgfbym|lmaxpr)|aobchiv|k(dtahdp|wgdpvb)|sszdeqa|f(furjcj|jzgbve)|i(ezmzpf|brmzum)|b(shkxnm|fhxjtt)|gwjkflw|q(drslsq|fjjvqx)|v(wskggp|vjqmmb)|jkshlcq|e(dkmzgp|kgvgit|osgaht)|z(osocqb|xrcdbn)|trcvfab|xdvwoat)|x(tyx(phxj|qcqy)|o(qsytip|njjbnm)|k(bvsiof|pvnrym)|r(y(ywddo|ljwcn)|ngptho|ucaiqf|bsqshd)|q(vphcyf|ntvwya)|n(gdusvi|hxwjrl)|yrqpxrl|gbvprmk|i(agjvim|wvhwyj)|d(bxkmzn|ofuvws|awlagv)|j(geukuf|pzxklz)|l(rxojyn|i(ziutb|fdlts)|knnnno)|zbzcxye|c(zwaouf|akwaug)|u(dxapkg|chsbny|manalq)|wjpvanh|pjzmaqy|b(uexexy|twdnxy|dajyyn)|m(uqvdoy|vqzbgh)|akutajg|fidthan|sbkgrcz|hvhygwf)|t(ypqktjm|g(vuyvxp|zhcxah)|l(dxqkju|unvrdv)|jwsezkv|u(zwpetm|inmemy)|qetuuqw|w(iyhxlv|emozhp|wsclly)|n(ooleqk|kjprzx|lwyekc)|o(jvslgd|urpljq)|i(tejxoc|sskrvj|ugrafx)|a(l(guhbr|nbhlp)|ycvgdj)|b(atookp|lomvsm|wvrxte)|e(nxqdaz|omefdz)|kwwzplo|z(ggbzkk|wjwmru|mbkctd)|fhokiuc|r(perxrg|uouoiu|svehvk)|pbqkxax|mrplsbr|d(voawgc|zaxgxw)|v(rzoumc|ezurum)|tfoxkty)|p(g(xlruph|ozpszv|fhdctn)|ihtnvuc|o(u(jtqie|mlzyi)|dzwxnj|wcxnhp)|p(dgcajf|jkkyfz)|z(rotkdz|xfitxt)|d(hfertm|yzxhlo)|h(fxvpnf|ccbxqs)|v(zeefcb|vthkrh|xojmcm)|w(vvlfgi|rvxtdt)|n(wffahg|ungkpt|ycopbe|kntmoz)|y(aduwfi|zrqemu|hqbtdp)|s(reuelw|iecivp|mwzjvx|ambgij)|j(pczyjb|oisdxy)|k(dztgwk|qbsnqv|slxxvu)|c(bqcati|evsync)|f(amhdhd|eliaov)|rpbjntk|lehtiax|mftxalu|errlngw)|f(e(arawtt|fiicmg)|u(vnkecx|dlxtan|knhctz)|tdzfmkj|c(gxlgbb|nrtpme)|aa(wuivf|pames)|h(sstswy|ugnmse|lctjmo)|v(mzwhhf|zspyhr|lzybkz)|phthpuo|r(btweik|ytyhqv)|m(pfgzlc|rubneu|ewracy|utliur)|s(mfmndz|wjixdc)|d(jyxcmq|ztjiqt)|z(cruhya|isnwxn)|i(mopjig|kfyeqx)|y(fmmnkr|wzaejq)|qaxogfy|nuffoxv|jraudfq|oydgyau|blbjkvt)|b(e(oquujg|qjotgb)|u(yoqvuo|tqiavi)|o(mgnjpw|uxmizc)|smoopgk|b(pubkgn|u(uanqw|hdkrz))|z(ihpngz|ciuksk)|g(ptnsfq|keebic|jdrqpu|upfdiq)|i(zmuocf|smnmje|lhqfgt)|fanbshb|q(ousuwi|uhkklp|rlavre|dzxetx|eexwso)|moyrqah|x(tmppis|cqaidc)|dldfwdt|h(jffqzt|dhfiyz)|p(icxqbc|vqcwdl|ececdr|loakis)|n(hdwupc|kaaqzm)|kiipvsq|y(lccbyz|bptprg)|v(tokhdg|nghqrq|yqtttd)|wraujob|tcsqyhu|lgfkxmq)|a(i(iyexas|lmavmb|wwyyqu)|z(ydbbbv|oyqwil)|a(rfyfep|lzxmkh)|b(l(huaxo|uojqc)|h(btoew|robsy)|dsuxsw)|v(cglhzh|yuzbak|rtrgff)|n(wylbcq|bgvnxk)|t(xsejkk|fwaegs)|w(nkenvw|jlxpzk)|y(jahcql|pdzhgu)|d(rumsmc|kmmlvo|uuuapl|wnzojy|gicvor|mvtutc)|q(azppqv|ilgleh)|ohwezol|u(kthsdd|mcmjae)|h(dciism|rvbarm)|fsotzib|m(jsgmgi|qqmvib)|efxqwou|r(kzaofd|xdseqw)|x(xngjyt|ysjokp))|c(q(kkvqgj|jpuvmp)|j(qnjwzs|aztbxv|nubvey)|kmbligh|xymcvfv|f(apyxas|pffwnz)|b(fmmbrv|kzmxbu|vpgvzq|gnzpsh)|c(fqgrus|gjjjii)|a(wsmxpw|savqcg|xbtiuj|nqgjrz)|rvrfjmx|zcqncoc|o(meowko|wodjpy|ofkgga)|ethizpd|y(heuiva|cnzjsw|uajcjd|ngqpkq)|gwkxnht|m(yrbhaz|bbvmxz)|snrjcad|lnvrdgk|u(rmxeqk|zxickl)|w(oorgly|hfazxd)|tkylsah|djncait|n(kzhury|pymher)|i(bmfnnb|ijjdyv)|vzijyyt)|m(gkwspfb|e(hqbxhh|xljprh|oclkdj)|o(hdewea|ypkjtg)|m(xywieo|upfpyt)|p(zusbuy|h(gwyxh|bictm)|jeccie|ufoclz|bxiyac)|d(vtptiz|fktgtd)|coppibj|b(llshio|yzncpg|sbnxjy)|n(zkeltm|kjinla)|zwovkbk|apqjqsg|r(gmvjxq|sfzrdu)|h(dvcegg|yfjvnx|hjhyod)|kstjlzh|x(ennnzb|ofikkg|nvjmge)|inxlmwt|txuvtsq|szqgthz|u(kmktbs|ppuioz)|vqbczur|f(jtrdpl|gjliwu|coginl|vqljkk)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633100; rev:2;)
# sid 2633101 includes 1622 (1201 - 1800) 8 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(o(hjavzid|s(orqpdn|jzuvld|geredl|cmzswb)|v(mnwtgq|hwkvbz|lrwzyv|vnhaud)|i(qyfdxg|drxsqk|bpztgx)|d(klhhgb|cegrbe|gprgzw|wuizmi)|u(vkotzz|eghucm|zbjruq)|x(tzsxjj|z(jxxgy|pkitp)|qkamuf|xbgimw)|n(zwdcpk|ciivyz|fsonqm|lscvma)|l(wzevct|xmoglf|hqilfe|lfgftq)|p(scqyhg|gjltjs|ynkcvn)|z(sxoilu|yndjae)|yl(aiaua|ouwet)|m(ocguzh|fvxcrb)|w(bejzpb|cvovkj)|t(zoiezq|qqqfsh|lekcrq|relnhh|ilrqsh)|r(dtzrnq|tptfwq|fqfreh)|bcfykzq|akpiiod|egayrau|f(yfhbhq|vumhvp)|k(dudqje|ycexhq|axhmyx)|j(tjddkp|cxtgaw)|c(hyotod|bwchkp))|i(l(pjfsul|xdeyek)|a(ejhcay|ausstn|bbomjd|cbpovm)|k(hmwqdx|smcrpt|wjcdjm)|t(rcvbjc|urckcc|dkyjba|aqgmyv|twuowc)|y(xfvpdt|reywib)|q(vzyzsl|jlrbin)|r(audbpo|lgfhxq|wdxrxk)|i(pfoycp|etntaw)|p(opsmln|vrkykk|tfafzk|rkzsnz)|hxyeuun|g(ercpab|orkoik)|d(irtxpl|rykkbs|qfircg)|j(tokifx|rxgfxf)|b(wvvqac|mqxyoi|dfiuwz|xfygyf)|n(nukxwc|diwhnc)|subbuwi|zjrnurt|m(escdyv|tmvcba)|o(gmlcwa|xyreva)|xgljkrl|fkhhorx|vckqjgu|w(t(zkwey|ejhwq)|yhetyc)|eoclfcs)|d(l(vjkkmn|eqvnvj|zhwecc)|yswgqek|m(jscmzd|qvozmj|tjeshf|eysqcr)|o(phzgto|kysfrj|dgefwo|ghsnoh)|jnkedsd|n(ivglog|uf(angu|pjni)|jqhfur)|k(f(bdzfe|vwpbh)|onveaa|cpehrr|goddqw|zndsvz)|u(vjraro|pngdcd|nopwuk)|x(k(gxnra|jvqpw)|epvmgj|gojnqr|zhrggs)|s(wdumhe|vwmmno)|p(aekbdw|sleasr)|v(kttwyg|dmtrvy|rubzrg|vgnjnn)|ac(dvyha|wyqjc)|q(mvcucp|ldnysi|jjmqgk|djesxb)|g(yiebdo|inslvp)|h(wbzxqh|k(krnvl|amptm)|jdwpzf)|w(laijvr|oehwxr|wouanj)|i(nsqoai|pggbjd|epjfww)|e(dvbzcj|zaybzb|aoykah|osntfo)|t(pslajj|vnqsec|osvcoj|rtyeif)|f(ztdknx|wntmdw)|b(wbbnhb|fexqug|ncvlry)|ruqpyvl|ztcgmhe|canzrfj)|w(e(ghiihy|k(obpfy|gfuxf)|wpmzje)|v(yqysnh|goalty)|y(axnexy|dzmqft|bwwyow|nkydbz)|u(boqxcl|ahulnb|ktgegr)|o(tocfgi|wpwcbd)|w(bhvovj|tmqeen|rprhdc)|m(yxlzkr|mjnkds|ssrkpy)|h(ceiixn|udabds|fesanr|puelqa|sbejrp)|k(tsmmjr|qjeujl|pjprjs)|c(dgxojx|seuson|hjocmz)|i(e(xvexd|wvphk)|iqojrh|vffrwm|bsuoiv)|z(jwypps|zjoqbr)|l(nszbqd|mlmytr|vsekjj)|foikoqe|n(oq(bdfu|kfkc)|qqfaan|nasdrp|cqkgvk)|a(powlqx|solwis|hxdzlp|lazeau)|d(ivompi|etaltq)|p(wndpiz|dlxwje)|s(fmhcin|pyehqj)|rbfigun|j(amwclu|qluyzf)|bdlnizh|gvwqyyc|qohjhbb)|l(s(txxzha|hlcwrz|qzvyoy|mbxoxu)|b(wzgzta|bcslwq|klauzj)|l(ccsczl|pvfpro)|f(egjehs|taypcw|unquhb|demivv)|dvmitqn|eqicxgx|o(uvbrvf|lxhfhl)|j(lvhrla|cuhfqx|wmvibj|hznqmc|nzefay)|v(ituknk|avjzwk|uvhrcw)|z(zmrltm|syzprl|lfmang)|x(wcgsuz|uxepzq|afalmx)|gy(dzbrf|ouvdh)|a(clhlai|ywjtgf|kjcowf|jfmmrb)|i(flzldl|zbikww|edotov|ydplmj)|h(xyefzb|nszbpb|hqtgmn|lnimqd)|m(pffvtm|oqovlg)|q(qjuqjg|trdxlh|sbuxqi)|t(z(gjoni|zsseo)|segjnv|uzgbro)|k(vvmczk|gwtdle)|piihsnv|r(t(krapd|wdaeo)|hphczx)|nldlbgh|upvqqja|cwwprqe|yxyugie)|f(cnrtpme|h(sstswy|ugnmse|lctjmo)|v(mzwhhf|zspyhr|lzybkz|qrtggm)|efiicmg|u(dlxtan|knhctz|qxxcmm)|p(hthpuo|inqkub)|r(btweik|ytyhqv|qwnruo)|m(pfgzlc|rubneu|ewracy|utliur|teirja|gibnnh)|s(mfmndz|wjixdc|eakvjb)|aapames|d(jyxcmq|ztjiqt|prbdsb)|z(cruhya|isnwxn)|i(mopjig|kfyeqx|dhhjho)|y(fmmnkr|wzaejq|vwlmnp|emrojm)|qaxogfy|n(uffoxv|xnhqme)|j(raudfq|pnubkh)|o(ydgyau|tkmvaa)|b(l(bjkvt|jtxkq)|cxerpr|ormrxz)|wikgbiy|fbflwzn|tyeacsb|gfyfffh|xpcmjdo)|m(p(zusbuy|h(gwyxh|bictm)|jeccie|ufoclz|bxiyac|ogrjjs)|d(vtptiz|fktgtd)|o(ypkjtg|kyjvfu|tsveqh)|coppibj|b(llshio|yzncpg|sbnxjy)|n(zkeltm|kjinla)|z(wovkbk|vglcrf)|e(xljprh|oclkdj|fgvwrm)|apqjqsg|r(gmvjxq|sfzrdu|kunthm|znwneo)|h(dvcegg|yfjvnx|hjhyod)|kstjlzh|x(ennnzb|ofikkg|nvjmge|kokoti|yjrsre)|i(nxlmwt|hjpbbj)|t(x(uvtsq|qinlq)|zxllzk)|s(zqgthz|eemzml)|u(kmktbs|ppuioz)|vqbczur|mupfpyt|f(jtrdpl|gjliwu|coginl|vqljkk)|y(hhxixf|gfwcyn)|qosqqfm|jtgdxqk|gkkdyso)|z(u(cabqek|aogdbn|wlinim|fthadh|rqubbu)|v(rqxial|pmngyx|olamsv|xwqspl)|h(w(lssep|fyngr)|vyednb|zgijco|jhdaif)|g(ltoiic|nuirwv)|t(ivptqz|zkvbzc)|k(tuecax|wkzokp|xafczh)|l(hklumn|icgldf)|b(bpvgul|ketgsi|uatrzx|ykipmr|xzcznd)|c(yejofv|ulpekc|s(znrnd|awzmn))|n(bqavjh|dumnis|mgmgup|gwjwef)|o(mtxafd|oeebud|hm(hlfb|gfvv))|e(gwxmkt|q(uzgau|dqkdg)|hmhphg|nxkoqp)|itpruku|qmkhvbt|z(hzaqin|dryesg|pfuwxv)|y(pbvgib|icdpzm|chpwaq)|wxqtaoc|f(fxvvxj|ufethj|slbqpn)|jhlnrkc|p(whgzan|jcmyup)|x(qhpslc|bnkajm)|ryuanve|s(prliwp|wstajr)|afaowdt)|g(v(czcwzn|qkerca|y(finmd|khsgx)|wxlnxm|dseeor|jdoodi)|y(aqgtlb|vfdejf|ttyqkp)|z(rrcnqs|erdcxd|nvlmro|azfpwf|buzgak)|d(viyfum|olnqnn|ctkqal)|f(rstakv|iapxcd|pfllxl)|p(fansoy|ihrypc|hxqrsm)|m(z(ojxuf|fykot)|qrsdor|aknupj)|u(tqzmqk|wedcin|iabiij|rwndwy|bportb)|n(uvbgis|igqosy|wrtarw|qvzujo)|a(rclnxu|zxqkad|cgkkrd)|w(cbfrxd|zushof)|j(l(nqlpz|vfsil)|gzhout)|s(watusy|yeuyjg|fanati)|t(tddabv|avilms)|h(suhnhc|oqicrc)|b(nhtlsq|geoynw)|r(ewvdcu|hpbtfu|czqwcw|wroxzt|jqsvej)|k(bzwfcy|imvskh|qwxwal)|i(vqfhwa|npxsrw)|x(pkcvhg|wkgdwx)|elzcpsi|corvmft|oyxbsdm)|n(d(dfiwea|wtgvxr|usgzlp|aintln|veqvpg)|t(iccbab|hgftwj)|g(zdgbhl|fuepvm)|l(oftbyu|amdmxa)|k(fwpqgd|ynntqs|dlbgxc)|wldhghi|v(qhwxen|yqgtjj|vusgwt)|c(r(bkeae|nxlwg)|qotcqf|icxqou|koeceb)|ubibvth|a(qgmjdw|ttzdue|razvzh)|q(nsxhwu|cdvstr)|n(uihvxj|igqsyy)|b(ksvpak|wrpwzn)|i(hlosbh|mghwyg|jhtaox)|eiupaot|y(enpfzj|j(ucduz|wpbmi))|f(kkldul|wxocrn)|obwmyla|h(jvynjn|nhkrsd|udwwvu)|p(qhotad|vvypuf)|x(mgwgby|lloosu)|s(ihtmpd|unytox)|m(nxiglh|dbmljo|zdiwqi)|j(xpprif|tnmjzy)|zmeehlm|rnulusk)|x(n(gdusvi|hxwjrl|dvfaek)|yrqpxrl|q(ntvwya|bqgisp)|g(b(vprmk|agpcb)|wndoyh|oguzvg)|i(agjvim|wvhwyj)|d(bxkmzn|ofuvws|awlagv|wuwurf|npcstv)|tyxqcqy|j(geukuf|pzxklz)|l(rxojyn|i(ziutb|fdlts)|knnnno|metyij|yvxqwi)|zbzcxye|c(zwaouf|akwaug|wpuppa|vfrhwd|mxcext)|u(dxapkg|chsbny|manalq)|wjpvanh|pjzmaqy|r(ngptho|ucaiqf|yljwcn|bsqshd|jlmszk)|b(uexexy|twdnxy|dajyyn|lrwcxi)|m(uqvdoy|vqzbgh|yditsj)|kpvnrym|a(kutajg|rfetxc|vkmdlv)|f(idthan|qkhbhk|xlifrp|ptoyks)|sbkgrcz|h(vhygwf|ypsstv)|onjjbnm|xmpyfrb|emcouul)|p(w(vvlfgi|rvxtdt)|d(yzxhlo|exjwsc)|o(um(lzyi|yxud)|dzwxnj|wcxnhp)|n(wffahg|ungkpt|ycopbe|kntmoz|mjmxrc)|y(aduwfi|zrqemu|hqbtdp|tqyknj)|s(reuelw|iecivp|mwzjvx|a(mbgij|yjxnu))|j(pczyjb|oisdxy)|pjkkyfz|k(dztgwk|qbsnqv|slxxvu|blmpqf|mxhukw)|c(bqcati|evsync|tufojp|svjvcd|ohieyq)|hccbxqs|f(amhdhd|eliaov)|r(pbjntk|exubzk|vgxnkd)|lehtiax|m(ftxalu|oawjmi)|v(vthkrh|xojmcm|avqnvq|dewrpl)|g(ozpszv|fhdctn|juaatc)|z(xfitxt|marbdk)|e(rrlngw|wjtmzr|pqsydr)|t(rhzpga|nwgoqx)|i(yjsvap|jybswl)|bdjrpkk|xfcdjsr)|e(d(fpkeqd|raavqf|ywmsrp)|j(soyioj|tkousw|m(yjufs|lvhyd)|wtcztj)|r(rrkblf|cfibhd)|o(rijcjq|kejzar|mrdwhc)|z(gbzpiz|peztav|ktckho|lwongu)|a(hpbmna|opfahi|xbfmjg)|b(gqinsa|pxmavw)|n(tukohv|pqjqbu|jxobnd)|m(gzzurr|ivbbff)|lizmorl|k(gcwoss|iiuavn)|y(iymynw|mvadcj|nplljz|tcdxwm|xgnrln|fqrfre)|fnlsfsx|trskppx|h(uzlony|weygyj|beszwe|xxfsse|gmoxky)|i(trnwaz|vccdaa|ntrrpi)|c(j(rzdyk|fhkrv)|hdrcsr)|x(o(hvzcn|jnksh)|wfkeio|xeotst)|g(yooxzn|vmtiuq|htxfly|szcyuc)|wmbconj|e(oypxee|jrtzrg|zhiyut)|uuazgzb|v(kxameq|nftyus)|sutqtvj|pyunduc|qljqkgs)|y(l(ajfjgw|qgcbtd|pgcwck)|e(qvoylm|dkounu|hvsbcf)|k(glbwie|fjgacr|ycyvdj)|w(azgfyh|njbusc|fdvmct)|c(oyhcrf|vbnedj|xomsae|yjvcau)|z(datvla|amrsrm)|i(zpwaen|qnquqt)|v(rmuumy|uqacgo|tlbdxq)|x(ifvagp|tvrcug)|y(gmagoh|vbksvg|cmccfi)|s(cuxpho|ehddkp|avrdwu|wvdnnf)|d(gptwuv|b(yckrg|zzizc)|cagxxh|tcsvbu|fgfotz)|f(tvhtgi|mqewgq)|arywycx|p(pvwckd|bgfvep|ctgjnt|magcyk)|o(dubibc|omxtqs|qqbbtm|aidbwa)|j(zsqdhc|lmevna|txggbd|hnmyvd)|r(ruaqoy|mildpc)|m(uhmoiu|htxcde|jkupnk)|tyoqbfz|urffctj|behfrdy)|j(k(cjubnf|vsgqkg|ejhatl|yrbere)|a(m(rozes|ssbtj)|ejtoyc|rzfpzg|wrdvpa|yxmmkt)|q(jytgym|tyiwxj|qledtm)|pmgdoyx|c(druevd|ezavux|wqgrhg|bzbqpq)|e(mjohxz|stqhve|etzwof)|v(lvcnyq|ubvtcs|zztbvz)|x(c(qnjdo|ewcdz|zygdz)|husipo)|dkwuove|illbkfz|uvfcuub|n(uwkczn|tkhogs|ewnpxg|vbzgsr|hcmjbp)|w(wynres|cwawol|z(qmfbx|trwyh))|z(gxuuay|qifirk|bgqffo|coimqq)|fgisvdt|t(itvsjc|nvlbya|geppxy)|hqmjihj|r(uzpsch|rhehnn)|s(iaqniv|hddrjx)|l(lfaema|jquuql)|mzbdcjb|j(wlhmaa|fmemmg|gjlsus)|oevpixl|bo(fieln|gpcnj)|griiljg|ykbdgdn)|s(y(ybkubl|jvbonc)|o(einvwn|zgfbym|lmaxpr|ntrobk|pfsazu|kaeqzd)|n(ofihkg|ngsumj|ylypvt|ptttxv|crtkeb|mbvgud)|pfmmnji|a(obchiv|xnavcz)|k(dtahdp|wgdpvb)|w(gehgah|omfugl)|s(szdeqa|bhryhh)|f(furjcj|jzgbve)|i(ezmzpf|brmzum)|m(olyfqp|zxjhpi)|b(shkxnm|fhxjtt)|g(wjkflw|tyowzv|afjwik|nstcxa)|q(drslsq|fjjvqx)|v(wskggp|vjqmmb|jswsrq)|jkshlcq|e(dkmzgp|kgvgit|osgaht)|z(osocqb|xrcdbn|ymxzkr)|c(ohjghp|lmtmct|zllzei)|ukcsqrs|trcvfab|x(dvwoat|kugvsl|nkjisv)|l(vahkhn|xmqugo)|dxstkbf|r(vrdypq|jjhxsa))|r(w(etoiko|gshpaw|mxskax|ulwxfy|dakxvl|rbjaaz)|t(mxxqut|uysmrg|sampez|lgvsbu)|r(djpjik|cpvgup)|f(pbccjy|d(fakqr|eesry)|blvdqc)|j(kqfnii|nqijrc|uvcfmo|trrtcw)|k(vpogam|atvisp)|u(hqxpun|skqxvk|qxamsj)|s(mnndte|yotaye|shhgry)|lgzskui|z(f(cejyd|sovqd)|ruyfig)|d(oercvi|huszlv|cszutu|jqownr)|x(nolgnv|qgwflj|f(vynti|dsrdy))|o(ixzdsi|b(fwexu|waqht)|ewntdz|wvsyux|omxzsv|upnlmh)|a(fkqbyd|umagpj|lmxmam)|y(jehlfz|xsbkqj|ipkptp|qxzcty)|n(tazscm|uvekdv)|pcsyymo|b(dseukk|qtxeyj|mjkowz|krqrgr)|gzhqulo|hbexhbr|v(jijyrm|zogikm)|iykqllm|cppobrs)|k(l(kmxtog|mzyuzg|asnaqw|ddzeui)|j(ilmmfa|ndseqm|x(civsx|siatr)|bhvkpp|ahxhfc|puxgpk|zvxgqb)|u(ssmpxa|zgzpbc)|d(jxcjre|fuuamu|opmsgp)|q(ixcbwq|hlozet|vgumou|l(xdxie|sqnor))|o(yzhsua|r(prvth|jumml)|kplxlk)|a(fdckdr|nioilb)|e(ixqfjd|acbgtp|copiut|rezilr)|m(kwexfm|gjdilr)|c(dfaqxi|ynljpm|uoxezt)|f(cuqeuy|koikgz)|i(utkslg|feimeq|vgzrtx)|b(dfcpfl|kuyywy)|yphofer|w(ogrlwq|zqvawi|ictoem)|z(bmwddp|xmhpod)|p(yzqacu|ggcrlk)|n(wtbcmh|huiiup|vtplpj)|rnwfrkb|tnptpih|x(fpseav|cvqydg|rmeyef|wqowqz|vwlmmz)|k(qwcgdd|blmikw)|soaowft)|q(n(epvnyi|ityhvb)|i(oxgqcp|qwginf|hjrpjc)|l(mmzhnw|uwzwhq|acsrns)|j(aubflf|vlkhfu)|f(ijlqsd|jtgdkm|ykxjmz|gjyxoz|sprvmw)|h(xdubbt|crcvaj|wbfmnp)|k(kjeebp|crwmqp|tcvgvb)|mbunoxo|d(iswtdw|fblayt|tejnbs)|s(xeivsx|neexxm|cewweb|ppgkao|syypan)|y(dwxdkl|hrerep|k(uedsk|raahu)|pdfukc)|e(swzttm|ahojvb)|w(nsinyl|yuzmvc)|xkgygxq|o(gzoxjp|dtlbqu)|p(qmcjpj|colnhi|tgjkmq)|g(vhaoke|occdma)|z(uverim|pqgeii)|bldwipr|u(skiwei|bgdqxb|yawocn)|q(mdeyyd|ibrbxc)|cualjaa|tagjgad|rdrrlxk)|t(w(iyhxlv|emozhp|wsclly)|n(ooleqk|kjprzx|lwyekc)|o(jvslgd|urpljq|dobdwa|ffjpfb)|i(tejxoc|sskrvj|ugrafx)|a(l(guhbr|nbhlp)|ycvgdj|mdfvqk)|b(atookp|lomvsm|wvrxte)|e(nxqdaz|omefdz|irtnyc)|g(zhcxah|rdvmhb|phtjms|letfjs|feiwxa)|u(inmemy|wyydtf)|k(wwzplo|fllfkx)|z(ggbzkk|wjwmru|mbkctd)|fhokiuc|r(perxrg|uouoiu|svehvk)|p(b(qkxax|iordx)|nbcvqh)|m(rplsbr|viuhjt)|d(voawgc|zaxgxw)|v(rzoumc|ezurum|nlhbsq|kiqywq|weatwg|osnshg)|t(foxkty|hzsuen)|l(unvrdv|hcuzbl)|yndtprp|qtlgxrz|xjkfafz)|b(i(z(muocf|omnoe)|smnmje|lhqfgt|kxkdfl)|fanbshb|q(ousuwi|uhkklp|rlavre|dzxetx|eexwso|wjeggd|mmgrqo)|m(oyrqah|sdimjd|dtdngr)|z(ciuksk|izdyhf)|utqiavi|x(tmppis|cqaidc)|dldfwdt|h(jffqzt|d(hfiyz|esebd)|rdgfva)|bu(uanqw|hdkrz)|p(icxqbc|vqcwdl|ececdr|loakis)|n(hdwupc|kaaqzm|dkgilb)|e(qjotgb|zsvzpf)|kiipvsq|y(lccbyz|bptprg|qsryoi|vmtnhs)|g(keebic|jdrqpu|upfdiq|xfacae)|v(tokhdg|nghqrq|yqtttd|kbmztw)|w(raujob|cqntpe)|tcsqyhu|ouxmizc|l(gfkxmq|pqrotp)|s(uihwsl|qvybyo|mqqgck)|j(zyhwsm|cscdir)|cuntkdt)|h(q(vrvqjh|ubgyrl|cuecpp|psosvh)|z(sxdhxt|mcyedb)|tvwvgbf|v(bbdplo|cznqkc|ivgzst|klumdx)|y(j(ygkkk|lqhdo)|ogyumx)|c(tjsefs|cktdgo)|fyrzxuq|p(gthfzo|kefxed|lrpibq|btgulk)|g(angftc|kczwsk|wnnjyv)|h(zhjfts|qrhgyt)|xi(icrlv|cczpw)|i(jsencj|fjeszs)|on(zdnku|vllwk)|jnvukya|n(ugrwpj|bekbzo)|b(pdgokg|gqjctc|offcjd)|sfkqnoq|u(krupwo|xwpidf)|wsvkyuy|mixpoki|lulkcgx|rkureyj|e(mzggxk|plovdn)|adoiugq|kujbukz)|v(w(jawred|fgzoqj)|i(e(knbyr|crkik)|jufmqd|reitaf)|z(ahdmjd|pxoaru|vbufle|ljnwli|xjzwjo)|c(wgabee|hbvymn|cywhsg|mztsjk|lswjqb|zjymoa)|s(bgfdyf|afjbir)|m(togzes|ryxsbg)|j(wiyrdh|sacvti)|o(aoudxy|qcadka|yrjpfd)|k(bbkntc|dqbrou|anqkzg|pdrila|gjhnop)|e(o(izeep|qvvce)|jolqbv|eamzwk|zciuce|qqmvqy|remfuf)|u(vkckdj|xpjovl|merkrh)|bqlnmhb|d(dgjdtx|fykxnz|ykmciv)|y(riabiv|goznrz)|h(vlypll|zbhqod|qukrto)|azuffls|r(uumygl|orketn)|f(hijipe|xrrkid|vhlfds)|v(luyyil|kcsosm|icipty|uudmwr)|q(esojdh|qzdvlo|zkovry|iuygpe)|pjzdtkh|t(vsqfaf|warykv)|x(vamiiw|hfhpmf)|nntzkud|lmrpwss|gekfsxx)|u(w(trtggt|bauesb)|c(o(ljmdm|emnby)|pncenk|ccyfju|gvqink)|q(pocmyi|iqdkny|rxsdvl)|a(dwwvva|weiiaj|okocoz|zqlbnd)|v(jeqnie|luderw)|m(zrytua|dakqoc|cchlfu)|k(rafscx|o(xojug|gcgsw)|wkdwxc)|dwprswp|i(nvlynb|krfshh)|b(ixdfqm|ryklau|znofre)|o(bayyxt|ihycpv|nqqxhc|pzplpy|wottva)|f(pkjlla|gzaequ|twyzzg)|s(excecn|hzwvwc)|l(wcmcog|zvnlpx)|g(wirtbx|iwattl|jqdcgk)|x(nfpbvb|bpscto)|h(tmxmdi|ycpzyu)|e(wnhrvi|giozev)|p(dawfml|rsydta|sqsbkz)|u(dczhxk|gnbcdx)|r(bvtlbx|tdwcew|wvewcg)|tahikra)|a(v(cglhzh|yuzbak|rtrgff|dbisff)|n(wylbcq|bgvnxk)|t(xsejkk|fwaegs)|w(nkenvw|jlxpzk)|y(jahcql|pdzhgu|brysds|corhcu)|d(rumsmc|kmmlvo|uuuapl|wnzojy|gicvor|mvtutc|nrtgvp)|i(lmavmb|wwyyqu)|q(azppqv|ilgleh|swtwmb)|o(hwezol|efvlpq)|a(l(zxmkh|sopxl)|hsahgq)|z(oyqwil|paiitn)|b(h(btoew|robsy)|luojqc|dsuxsw|cyidki)|u(kthsdd|mcmjae|oxqogb|zdmwkv|aycuqh)|h(dciism|rvbarm|yvhnwd|mcudpe)|fsotzib|m(jsgmgi|qqmvib|wjnrug|bsyeof)|e(fxqwou|pkhbvh)|r(kzaofd|xdseqw|mfliyc)|x(xngjyt|ysjokp)|j(osfyzo|szohgq)|ssppuin|c(dzciki|swjlcz)|gpwnlpg|p(dxqgpt|v(bxgkt|wmpjm)|cpnlvh)|koegrov|lpohjcp)|c(b(fmmbrv|kzmxbu|vpgvzq|gnzpsh)|c(fqgrus|gjjjii)|a(wsmxpw|savqcg|xbtiuj|nqgjrz)|rvrfjmx|zcqncoc|o(m(eowko|yxuue)|wodjpy|ofkgga)|ethizpd|y(heuiva|cnzjsw|uajcjd|ngqpkq)|g(wkxnht|necpya)|m(yrbhaz|bbvmxz)|snrjcad|l(nvrdgk|saojgj|ueeuva)|q(jpuvmp|nlhgzd|hzxtmf)|u(rmxeqk|z(xickl|mupko))|w(oorgly|hfazxd)|t(kylsah|ydnriv|jrbtxs)|j(aztbxv|nubvey|mllywm)|djncait|n(kzhury|pymher|hwspmr|gksyrn|yqasjo)|fpffwnz|i(bmfnnb|ijjdyv)|v(zijyyt|vjqhtv|dhchla)|x(aqzsmb|hfflrs)|pasjcga|hfjadrf))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633101; rev:2;)
# sid 2633102 includes 1022 (1801 - 2400) 8 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(k(b(kuyywy|avmwdq)|i(vgzrtx|ltuqys|pdoxnz)|l(asnaqw|ddzeui|bzkuzv)|q(lsqnor|efnaxx|fgawgs)|x(rmeyef|wqowqz|vwlmmz)|k(blmikw|qohhkr)|pggcrlk|j(xsiatr|hmgnsj|fychwl|kkpyhe|rinunh)|z(xmhpod|kneysx|yixoyw)|anioilb|o(kplxlk|uvajoc)|u(zgzpbc|hjxdlr)|c(smnooz|ydleko|cpnjyd)|homdkcr|fydxdck|edvaznk|mlhycyw|n(tjxcyu|appoiw)|vrkcmov|rrjpfdq)|s(o(ntrobk|pfsazu|kaeqzd)|n(ptttxv|crtkeb|mbvgud)|g(tyowzv|afjwik|nstcxa|sxwtek|cllowg)|lxmqugo|x(nkjisv|oxrbkd)|czllzei|y(jvbonc|mpvyyp)|dxstkbf|zymxzkr|v(j(swsrq|xrhop)|xpweie|atlpaq)|r(vrdypq|jjhxsa|eudhhi|ufvsiu)|axnavcz|j(zytaef|ehyxre|hekoqi)|snwicmn|fwpjxpt|m(gvmkdp|blgsve)|p(qqhqei|awmujp)|q(gduvvy|kkcfnk)|khwjkkg|tbkfdlr|isxtahy)|u(f(g(zaequ|nahag)|twyzzg|zhvxiw|iqxqyk)|k(o(xojug|gcgsw)|wkdwxc)|b(znofre|vnpwgm)|p(rsydta|sqsbkz)|r(bvtlbx|tdwcew|wvewcg)|o(wottva|vifjru|jjiyds)|tahikra|cgvqink|mcchlfu|wbauesb|xbpscto|gnwbnad|hzugapq|iezidxs|dsybccm|sjdhcvv|jwosvft|atqhuia|ljmtxuz)|e(h(xxfsse|gmoxky)|g(vmtiuq|htxfly|szcyuc)|c(jfhkrv|mxgsce|uvzggj|qswcsm|eqhtdt)|y(xgnrln|fqrfre|kdapod)|sutqtvj|p(yunduc|wkqaob|gixatt|ucdsrc)|qljqkgs|rcfibhd|a(xbfmjg|wioziw|ppcljq)|ezhiyut|z(lwongu|tiwser)|vnftyus|npjecyi|drnkrxz|o(xtnuat|tjzjgb|sysrrb)|wfoajis|jbhfvax|mqorqfl|i(pxnyev|yivmpj)|uwdohib|fhxcdaj)|m(x(kokoti|yjrsre|lxqxwg|vgheko)|o(kyjvfu|tsveqh|eqkgmn|irtprj)|y(hhxixf|gfwcyn|qamknm)|seemzml|qosqqfm|r(znwneo|dsjziw)|jtgdxqk|p(ogrjjs|ydyvsy|rfyqyr|emaohn)|t(zxllzk|fckhaa)|gk(kdyso|qlrlb)|efgvwrm|i(tawtaj|pjrvqc|jemuvz|yfnodz)|c(ehjsbk|wholyf)|b(thmkzm|ogwlqu)|lfnsqei|kisxwgd|vkybvsm|m(pjsmkg|hcrgto)|zgcwoqj|fvrwxbn|nyuemzh)|f(d(prbdsb|z(karhp|onqrx)|gexdeo)|b(ljtxkq|ormrxz|vxdhti)|mgibnnh|p(inqkub|cgokkf)|t(yeacsb|bslbab|naxpxi|vbblcz)|r(qwnruo|xqomuh)|yemrojm|g(fyfffh|xkfrtp)|x(pcmjdo|qdihlv)|j(pnubkh|oqscfp)|nxnhqme|s(eakvjb|xosohx)|l(rwvlqq|yrstfl)|u(ggiyjb|rgtggv|fbpmgn|yvmhvx)|qslmstd|vkjxcuh|fqbmyqu|hguspys)|b(i(kxkdfl|zomnoe|uqqyoi)|mdtdngr|y(qsryoi|vmtnhs|aubijo|jlbnwd|tiggjz)|g(xfacae|syrhqb)|ezsvzpf|s(mqqgck|ylbfsx|bttxuc|xoldha)|j(zyhwsm|cscdir|hbbnbq)|h(desebd|rdgfva|gxslwz)|q(wjeggd|mmgrqo)|c(untkdt|wzkvhz|ceyswx)|w(cqntpe|vohmkg)|vk(bmztw|ixuch)|peefgms|bbeplri|u(mq(jcsg|uymx)|uluqof|rdyzhx)|t(zjzfer|akyojk)|nwraika)|n(j(xpprif|tnmjzy|onpfjp|ujgcbg|miygto)|vvusgwt|h(udwwvu|jpoxny|epvuke)|z(meehlm|zssteu)|p(vvypuf|zmauob)|rnulusk|m(zdiwqi|uu(zlls|nipy))|yjwpbmi|gfuepvm|c(icxqou|koeceb)|s(unytox|lsqmsq)|k(dlbgxc|edchqy|fjoqby)|xvtdovo|eugynjo|uaoghjc|nfhaygg|anibdoc|iwhvrcp|blpvtez|lizssxv|t(hvyhsz|vjpbsg)|f(wtmgko|cgtzry))|i(w(t(zkwey|ejhwq)|yhetyc)|acbpovm|e(oclfcs|phdtwo)|k(wjcdjm|qfefuu)|g(orkoik|lkprvl|tvoybv|guzfoz)|oxyreva|bxfygyf|d(qfircg|ubbzeu)|ivdqymv|f(tctrvs|umdpjg)|sklfkod|z(dtcjoa|oqbyos|eobzbe|seildn)|vromdfn|r(gkiqnp|jdhdnk)|tciloef|j(uhijmv|xdteia)|xjcfuja)|g(u(rwndwy|bportb|zlgont|adsdtp)|dctkqal|h(oqicrc|dwnlov)|c(orvmft|hrikgc)|r(wroxzt|jqsvej|riasfr|pyucnz)|fpfllxl|j(lvfsil|wrnuul)|o(yxbsdm|gevevl)|zbuzgak|maknupj|kqwxwal|w(z(ushof|vzbzk)|norfdt)|s(fanati|sqbwjp)|inpxsrw|vykhsgx|lsarbih|bhqwtif|awmwtxd|nrkqhfv|yrknyzk|xuhizrh)|x(g(wndoyh|oguzvg)|l(yvxqwi|fbjbcz)|q(bqgisp|qnzlgp)|f(qkhbhk|xlifrp|ptoyks|fbfves)|hypsstv|b(lrwcxi|uwnfdb)|d(npcstv|bwbaop)|avkmdlv|m(yditsj|lxzftw|sofvat|jbsfab)|e(nivuxd|yauiao)|xbadfqz|nyqwndq|uvpzjal|klpmfhz|sdnbcxs|vyhaxij|t(ekwaal|npfjuw))|p(r(vgxnkd|egzkcf|kyjvzq)|k(blmpqf|mxhukw)|b(djrpkk|qjvfxy)|e(wjtmzr|pqsydr)|dexjwsc|o(umyxud|epivtd)|m(oawjmi|tldyll|dzsdpq|mgzvfs)|y(tqyknj|zponfi)|v(dewrpl|pxsgma)|z(marbdk|elwtzn|uzoncs)|x(fcdjsr|yqfnvn)|n(mjmxrc|okuatu)|c(svjvcd|ohieyq|usgjgq)|t(nwgoqx|donwnn)|g(juaatc|gokvzd|nztnin)|hunjros|sklgyjk|jwetixp|lrnwima)|o(l(lfgftq|jmclqg|rbqjxg|kabirb)|r(tptfwq|fqfreh)|f(yfhbhq|vumhvp)|i(drxsqk|bpztgx|ntzbrf|ibtfzf)|t(ilrqsh|gzcnfb)|k(dudqje|ycexhq|axhmyx)|j(tjddkp|c(xtgaw|wknfb)|wpwxad)|c(hyotod|bwchkp|fpecgb)|w(cvovkj|mpabbf|uncspr)|v(vnhaud|durqkg)|o(tmtqae|ylmcur)|duntram|ekrgupm|q(khevqw|oqrsyn)|ghnsjpr|h(kiochu|yucuzi)|bhkvusv|x(vjrunq|wdnhbj)|nzzqssi|pkbqqtl|uidjtri|m(yyneli|rcpfvx))|j(w(z(qmfbx|trwyh)|eciogk|nupbst)|o(evpixl|ajqjtd)|b(o(fieln|gpcnj)|tznfqe)|j(fmemmg|gjlsus)|k(yrbere|uniomq|nqwpnb)|l(j(quuql|mvihw)|fdxhkc)|tgeppxy|griiljg|y(kbdgdn|sxslju)|s(hddrjx|znumtp)|c(bzbqpq|fvsnfm|zgbwun)|n(hcmjbp|mgknzf)|v(z(ztbvz|bfbta)|qfsmij)|z(bgqffo|coimqq|utyxgn)|ulcindw|a(geqhdt|pcjzww|uhrils|idlnhm)|ikclbhp|duwrxyx|e(jhdxwk|enmgnl|minqil)|hkkzgls|qqdyqam)|r(w(mxskax|ulwxfy|dakxvl|rbjaaz|iqespb|avbivu)|y(xsbkqj|ipkptp|qxzcty|nvkqyy|montjz)|g(zhqulo|ovxemu)|tlgvsbu|x(fdsrdy|nryjgt)|b(qtxeyj|mjkowz|krqrgr)|o(omxzsv|upnlmh)|z(fsovqd|zopuaz)|k(atvisp|mqfxfk)|h(bexhbr|tknlzj|xwdruz)|f(deesry|ilniiw)|v(jijyrm|zogikm)|r(cpvgup|dazdwo|sdfiur)|i(ykqllm|qysxfz|apppth|srhykp)|c(ppobrs|yjekef)|a(lmxmam|yxyefx)|d(jqownr|ymhugv|dyilpg)|ursxvrm|e(ofikwu|rvahlv|exfomt)|qukvbga|mmaetfs|jvcxwal|pzsathc)|q(fsprvmw|c(ualjaa|mdstmm|gzisdr)|ss(yypan|ewsoa)|y(pdfukc|kraahu)|t(agjgad|bmhtzr)|r(drrlxk|xbbbek)|e(ahojvb|prfquh)|i(qwginf|hjrpjc)|goccdma|hwbfmnp|l(acsrns|dydznv|eysalf)|uyawocn|qibrbxc|d(tejnbs|qpkaml)|p(tgjkmq|yjclze)|w(yuzmvc|mhqhdv)|n(saxgpa|ratuqn)|a(eqores|pwykdw)|zxrlqha|on(jhbny|wdbau)|k(nwebei|rtdwrx))|a(hmcudpe|u(oxqogb|zdmwkv|aycuqh)|v(dbisff|clldkg)|y(brysds|corhcu|ukvjiz)|g(pwnlpg|lenohq)|o(efvlpq|nwfnvf)|d(nrtgvp|tpkhdh)|p(dxqgpt|v(bxgkt|wmpjm)|cpnlvh|rkqwmq)|koegrov|b(cyidki|qfpggw|aygqpm)|lpohjcp|epkhbvh|c(swjlcz|fssliw|gxplen|lntaip)|m(wjnrug|bsyeof)|zpaiitn|jszohgq|qs(wtwmb|unhmx)|tmtmrbl|w(leaiyl|dkevyh)|nggolxz|aaykjgl)|y(j(l(mevna|yiayg)|txggbd|hnmyvd|wuyavn|rqbssr)|v(t(lbdxq|yzfiw)|adbxck)|s(avrdwu|w(vdnnf|bcbkp)|sodjst)|mjkupnk|p(magcyk|isasoo)|w(fdvmct|cnqshr)|rmildpc|l(pgcwck|mygkfc)|e(hvsbcf|illqga|ygqnif|bvqill)|ycmccfi|b(ehfrdy|qholmt)|c(yjvcau|k(zlbrr|rvwcp)|ovxgge|bgvuml)|zucgaxv|hfwilkt|awazpuq|tjeytjp|gtpuajx|fghfomj)|d(b(wbbnhb|fexqug|n(cvlry|vrgth))|wwouanj|t(osvcoj|rtyeif|wkmkvv)|vvgnjnn|fwntmdw|i(epjfww|dhpvln|stdgpe)|oghsnoh|r(uqpyvl|ftnwzz|kumppa|lyqkfx|ghypyc|pmvwyl)|svwmmno|lzhwecc|z(tcgmhe|avtxzm)|xkjvqpw|canzrfj|meysqcr|p(nogfhw|uhnoqi)|n(wodhnv|pwqdvi|zokrvl)|qbbztkz|jsdfuws|g(ezsnuv|dkkpem))|w(b(dlnizh|sdapho|ascdsn)|s(pyehqj|evdvtx)|g(vwqyyc|aymipg)|n(nasdrp|cqkgvk|qktfrz)|c(seuson|hjocmz)|alazeau|y(nkydbz|ecacsp|ouxcff|wwcrch)|owpwcbd|i(ewvphk|bsuoiv|iyybas)|uktgegr|wrprhdc|q(ohjhbb|irawyf)|detaltq|v(goalty|ktqjcj|wlvutf|obybtr|jhtdob)|p(dlxwje|jsmuuo|gicxnf)|zzjoqbr|tsvygmd|e(bywfnb|mamivq)|l(upkjqf|rbkzgo)|r(xymizo|nmevfu))|c(omyxuue|tjrbtxs|p(asjcga|ymrugh)|jmllywm|u(zmupko|nwzdrf)|h(fjadrf|blzjym)|q(nlhgzd|hzxtmf|bpdnmf)|n(yqasjo|ebxqti)|l(ueeuva|wnjkpp|bvcvei)|v(dhchla|zvhwtk|rgymll)|xhfflrs|g(necpya|vxlhxo)|c(hatypt|mfylgj)|r(ykpezs|ijzlmq)|kbqshqz|ippmqhk|ssicfoh|w(hvntql|fjucpf|qlglrm)|fdozpzh|mbfwqek)|l(gyouvdh|f(demivv|aczkhh)|m(oqovlg|jeicek)|l(pvfpro|skutaq)|z(syzprl|lfmang|jrnbwg|fjirkw)|a(kjcowf|jfmmrb|iwjyvt|xhtwhi)|q(trdxlh|sbuxqi|onmmmf)|t(uzgbro|hkqoxm)|vuvhrcw|cqjqyuq|o(ddtwrc|ikqguy)|u(pbxlwo|mubdwc)|smentxo|b(vvspwb|czaiva|tkaogp)|wgnvskc|h(yeovpx|btcgvz)|p(micwhq|xtqauz)|r(lbluzk|grjjvb))|t(y(ndtprp|gktpaq)|v(weatwg|osnshg|skzewn|dcojdg)|e(irtnyc|biwhho)|g(letfjs|feiwxa)|q(tlgxrz|buuido)|u(wyydtf|ehsltg)|xjkfafz|m(viuhjt|mspbxp|cxnlsm)|p(biordx|gdkpjv)|l(hcuzbl|ubkktb|zpgeld)|d(clwrcz|aqdnta|tdvlgb)|nilguyw|acfuoyb|ipdbqqu|f(dfixgn|fkhbcv|mcxjge)|k(rwdedg|kmigms)|r(fgvcjc|lqvjjw)|snaezcg|t(ljffqi|rmwxqb)|jdzbdte|bxmdfdl)|v(e(qqmvqy|r(emfuf|haswm)|zcjgth)|h(zbhqod|qukrto)|t(warykv|jqbenc)|fvhlfds|y(goznrz|lzixxe|uqppqq|vsvort)|vuudmwr|dykmciv|umerkrh|czjymoa|j(sacvti|vbbokv)|l(mrpwss|lgioew)|k(pdrila|gjhnop|ewfrst|suelgs)|x(hfhpmf|nsienq|aprlzl|vfpzvu)|g(ekfsxx|iezivr)|q(zkovry|iuygpe|wnfwff)|p(f(pqjvb|nocul)|qmddgd|zrzkni)|bdfqfpy|m(iemlqh|bkjnec)|r(goqyot|iaziym)|zxxuxyl|whstrxq)|h(a(doiugq|mzfxzb)|e(plovdn|cbschf)|k(ujbukz|yyxqev)|g(wnnjyv|nzzewe)|q(psosvh|mnqyzb|ebdnwj)|c(cktdgo|fnxutq)|xicczpw|vklumdx|u(xwpidf|ybjwch|hfjxbx)|b(offcjd|ufbzmt)|p(lrpibq|btgulk|hpzdbb)|sunrdkp|y(dpefum|lqnzmy)|lbvsrzb|fbjyeob|zbryawx|ohvacfn|wmxzvxb|njvlacv|msvvuke|hxfkwig)|z(h(zgijco|wfyngr|jhdaif|cbtupf|svlhup)|afaowdt|c(s(znrnd|awzmn)|wizrzt|bgxilz|txydcq)|ychpwaq|ohmgfvv|kxafczh|u(fthadh|rqubbu)|bxzcznd|s(wstajr|sqhmcj)|f(slbqpn|wktipy)|x(bnkajm|kmipew)|l(icgldf|nrqyis|fnwqmh)|e(hmhphg|n(xkoqp|wvmze)|xvhftq|rigmzu|wzuqgy)|p(gesxdv|lmsvod)|zehvuxv|rlktzxx|vy(qshba|exzwo)|i(fbkhhj|mdipsa|txzbou)|q(pbeojv|jgjgxg|eljsur)|wesquig|dqkuqpl))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633102; rev:2;)
# sid 2633103 includes 422 (2401 - 2823) 8 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.com)"; content:"|08|";content:"|03|com|00|";nocase;within: 11;pcre: "/(i(vkgqmbi|kxvstxp|cozlhlj|amsqowh|ppsjxfr|i(hbkvsk|qffzvm)|ssfquag|dtkkuvh)|r(o(ksksry|whswae|qqvqrc)|jbgonqb|rehvwaa|d(wvqzfw|hgfkwt|yebtdz|dogzgu)|wlrjiab|zgkvttb|qwcisee|bwqpbti|cucculo|aufdhfz|szwewhe|iygdipz|nsdmsoz|e(zclxoz|ucvqpu)|mqdbstu|hwtthtr|fvovcqm)|s(oigeexu|tnqmjyz|p(zufxgx|mrlech)|xtekbmy|n(udmpow|ebxfub|nftdqo)|gfzmwon|hkofodl|rbpvfbo|clqyexi|mmalanq|zhshyop)|p(s(hsmfuf|twhjhz)|k(zkiuyf|btpkfk)|uehobvg|z(jgnlty|pwwhal)|qilipsu|txasmae|wbmtoyq|avbxxgh|exbvmxv|hlsvpxw|opfvhxo|fisssmc)|a(r(euwebx|zouuoq)|eqiuqyk|t(xoajqm|eievws)|dyiiwed|gfahtgz|ysblgaj|s(bnfqpc|hfqnhl)|vxaklgg|qkdtanj|cutklie|jdsjirz|o(mbteqe|svlybv)|xuvlgpa|ndqppix|ucfsbva|lighjwu)|q(u(enthob|hrmmbx)|swnggra|v(ewbjra|dsrsfc|xosocr)|tppzwks|pxdjrof|e(pwhhuo|zpzxhg)|y(tnelbq|ixasyn)|zkohuzp|i(nybjma|dkufym)|k(pwndfp|jttlay)|fzospam|wferktn|owzsich)|o(jwqhkqo|mosnzqs|yxucbud|r(uyfypd|ggjztg)|kzgcbhv|zpaokmq|tfkwdnq|qvdckpq|nbvqkoj|gmxlpof|fhbrltu|d(dnhtak|grotcg|mahogk)|bbghaot|c(crtnvh|gbrtfh)|h(mchikg|ziarpf|pzsryn)|oeipuwd|exluzgu)|h(v(qaliqb|rucxyg)|k(rspvct|nxghsi|agrdrs|lxxojf)|xtcftzc|lasyfqr|p(yluuaw|iczpbo)|fshrogr|zoqjqpq|reshmcz|aetzcvw)|e(v(wfvupj|gbuwjw|bmzvyn)|ebbaayo|fuftdvv|zayxnba|ihrpinc|qbeovzs|xyzcrts|ofjfiyj|kxewghn|lsthrft|c(vhzubl|xnvbkt)|jwktqsx|tottqon)|v(aeidtwf|m(zwhznn|nyarmg|lrnbkm|wvvtnj)|s(fglmzv|wumqln|snitrn)|x(khroji|bnvxxl)|h(iimjed|vwtjqd|azgusm)|greijfs|l(qchpda|ffsgso))|c(bbnymnl|abnpcav|n(nqxjze|xcuwsh|sxqont)|fkqblmj|jndrqlo|p(fdjcek|vfgsin|duspcx)|zvelmiv|knezhyu|vudvjuk|tefmjdj|iqxgbac)|d(qgyncxg|z(rhulcg|fybeqi|cwfswl)|yllorrz|b(ivudxz|avljss)|lhzsyru|j(kodjvk|ibtuje)|kpjwgqc|m(sgjvhw|bavyls)|a(sumqwx|icvbsn)|uotwsny|o(ihimmr|unrfpd|vyvhhc)|cbxamsb|vlizuzc|sodwhjb|tslljhf|wredqsq|rbrralk|gwstkju)|x(b(ghtoyv|xavxoc)|nceahkd|dvwmcas|j(wtyyof|ltsgmx)|ktzjgkn|iiaiiwg|s(izvdep|hundxe)|emlnwgn|mzoryvs|fksqtno|ltkkufs)|n(bmeuqbt|pbdvnzc|lxopvbd|dqrsjek|ypbhkve|t(vciagg|ibehxn)|uevgobs|qgyznpc|rbqycls|ieboteg|vumljhl|hmlbjbz)|g(tkohoda|o(rkynoy|phtcit)|nezfcsl|e(ernhoo|xufjgg)|zfgpjua|sllyvua|vmxpxyg|abgcepr|caknltj|bqszqok|ixhvhgo)|j(jimcewx|ydrdayp|nlklylp|pq(nclrg|pdulm)|uyjjdxm|vxrlzpn|f(qzhxey|chgzsc)|d(tukgnh|ewwgvu)|xmnnaep|eefdwuh|ofcdcca|m(qixeiz|zkakgd)|ifhrmjw|tqoyins)|l(szyzlqq|r(crdqob|zugncz|gusfrq)|ophxzcl|m(ufrjbx|vwkbja)|fjbtipl|v(ytgppp|wwvkox)|joazlan|pknrmjk|cqecowc|ujxcyck|nxczmhw)|b(e(zlpzhy|dyltxp)|slmrfpx|f(baocso|wcrjoq)|zipcogx|b(xxntgh|tesrww)|gbnmjgb|qzwbdzc|tvufxdj|rofilbo|xcuekyk|hpdljqa)|t(fwvljlt|ogkdmal|b(xulmji|rugnjj)|r(iwupvh|rhtbmz)|xtyuttv|d(qspdfx|cdvgma)|qtcyius|ekrefhd|leczjkr|zoveoky|ypfalpa)|f(xxvogdj|m(dohgna|zaezaf)|o(aphoga|jonouq|contox)|f(zcboof|gmqcpw)|p(qbicne|wnukiz)|s(zzcetj|urhlzr|lqjate|rpbgej)|g(popmoo|ahglcy)|wiozgye|ktcfvsr|u(ineapk|uijoxu)|zmexibi|v(uqamgz|dmmobb)|rprttzz)|u(pnufhqy|ahruwsy|sjvhzml|j(dtghog|fxihqz|xymngt)|zxnaaeb|udlsmop|y(tkroor|klknzk)|cywruiu|m(fhhcst|klkduq)|q(qgfhlr|xlrerr)|v(zouwvp|tyyskb)|xgnejri|esmznsm)|z(sdcnaik|i(vgvkmj|qazvzf)|cniuuza|xifpilh|daickvh|wdyhlst|ausrfvu|rlzeunh|tzrysyq)|y(yoviysa|z(uzonnv|lnsybn)|c(kvkiyn|fwzmuu)|gldopxb|t(wpwkdc|aqbmeu)|p(fzjvxu|rbtgto|csdqni)|vdbiaou|nheogyf|edncfje|jtkqaqt|x(cxroaa|dpngve)|mcmdhpq|dmiewdf|wsbidim|btiyatb|usauiey|fgufefp)|m(bpxdlex|glbfhni|hujuhvg|vfqxqwn|tueocqi|ddpvkfq|checcot|zofheuc|opbypts)|w(bydqzgu|lxpikly|qwmjkli|xwfxygb|v(xsrhme|hwtzwl)|tuyvuef|edfrxcw|oecicny|zakprpc|uxdbhio|swggmlk)|k(ujwunnq|t(vidvpx|dwjyag)|m(hjpimy|fioiqg)|lplzcco|wjuceoj|fcdtloh|gojuvqi|a(ntbkgw|dbnzcj)|i(vjtqzu|ypilwk)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633103; rev:2;)
# sid 2633104 includes 600 (0 - 600) 9 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(a(mpavhunh|t(rpvocry|acewoib)|sghlvkij|warjjiya|zgpegljr|p(gpskzwi|wxxvham)|euufbtnh|lypkeqwa|jrzotfdc|i(pzcvmkh|rrdykux|xeabwex)|g(wdckqio|qcbzhgc)|hzngpzbe|rjfuinzw|yzxkvznt)|q(y(kwruksr|camwbre|fxwuznd|rnqxcik)|l(jnlykkh|dddbkqo)|ojdxzkic|c(slnohrf|clteinq)|bafqgmwd|j(ypxoqnp|zwmfocc)|dyttxuhn|haxvedgx|fsmnwpes|ucbjpkuw|pmklvqew|xhagltka|ngbgxlla|sjgzomhk|qsynwajn|z(omrqpqy|cphuggk)|mdrovrhk)|o(cqiugech|xpywzqus|p(wyvrlzj|mqxeady)|s(mvvvvlg|bbofjgl)|n(cksiqhx|wiegcvz)|ivesmuje|t(warwxub|lmvlwvy)|ajmzkssk|urxnkjkv|y(mhpbwkw|yvdhmqt)|mwspgqtt|khjopsuj|l(nelhwro|kroykka)|g(dblgjwd|xejuuwd)|z(ryuxznz|iifiyuf)|vedbyncz)|f(qssbltho|yffanxjy|a(liwaqys|ijfqyoq)|c(vgwgxzp|xqonyan)|p(jlnlqmz|ndmhbvv)|j(nfklmlo|ggkekmf)|z(orokgjo|togtlnk)|h(svcyjil|fqccbbo)|vpuhbltn|n(q(qjhkrr|yjcyas)|rewigqg)|w(ijjbagp|dysmydz)|s(wyddmpt|kcyhyzj)|eqktiaru|ijvutzqh|lajwrxyv|bjfkvlgq)|d(t(frxazap|cqwamqg)|f(odozgdb|ukjdpmp)|imxxpuvj|g(auzranq|mthejsr)|p(lcwysbm|wnlokmw|bgnkbfz)|e(gsjprmb|vuqptbq)|w(l(jrbjjw|pkosha)|qqksmyf)|l(euwoxzp|qagjfeo)|upgbepqz|rfxqjcmb|nqlzmahd|osyyqmna)|i(o(ltnwekp|esyspuo)|j(cpmyhns|ploacuk)|bvsfigqb|thwjyjid|x(sxbvbqp|wybmtga|utkngbi)|sxchwvwr|nfovkota|g(xtinhaj|nkrqzyi)|hvdudkbr|dlvxeoyq|maagplai)|p(h(wqllcgn|ionhdql|ehnuqqt)|g(kgqqvso|bcfprke|apiycrx)|o(adcuqhs|tohtxah)|dolrymkv|wiechvpe|pxxczfzh|aytocgcp|tnwkxnhj|xmfnzchb|czpgcyep|zfywmdnn|s(hcxrmwm|yppimxn|fmllmpw|wjxdfeu)|vvociear|yipknyjv|l(myoskqb|cptcqjl)|mgxozaok)|x(p(oaqzeps|k(kuqfxp|yugtpr)|xwqtosj|ezhiirb)|e(hyhjmye|ludkqwh)|rywmfrxc|t(lmdkjng|wmkfltg)|lkztutev|fxnzmlus|obcpkyhy|crhxwrvo|wrdnrjuh|ygoccoex|mkyfhamu|ijhfttir|gerskayg|dteidyiw)|g(wjjbjntm|zjddrbwy|q(samkzyu|zbzjonw|tdvffrg)|j(nugeesm|pfdwnvd)|o(jcdyrmq|pnnxlua)|c(ukyewhn|drtajyg)|vmymkwjv|xaeehtnx|pkwxfioq|t(rjxbulu|wattvxv)|g(wkiwwni|uvexqds)|y(upmfvxb|qsbygsu)|bz(ssrhpy|npdrvu)|r(mobdkpp|lxnzkfp|cdwyaas)|a(cvdsrlt|vouzmqt)|uhtzaqkc|fghvjwdr)|k(dkchxmfa|mjetpqun|u(bhepetr|ehfdijc)|esvacrzs|a(sqrumtk|dscqrxh|coivkni|avihzko)|b(ifjcagk|s(jvhetw|hdgpei))|ovkmovhg|wnbdvsbr|gaovgzsk|kbcxtnin|fyugoskj|r(xoynrug|jxmbgft)|yixysgqr)|h(z(vjowtef|eotzime)|pcwrmoxm|t(fgiukcv|rczohem|gsmommx)|kcttvdei|h(cfcvqma|jzaxwxx)|o(pzspbbu|ycopkjk)|r(bufkrob|axkqldr)|uchzthiq|x(zmgwscc|weztjwt|gimhmox)|nbmmcduh|vudkkrvk|mgwfqhzt|b(odiziwc|btwkywn))|c(v(azrootm|hymawfe)|szxwelgr|chwzgzpi|ptgpdkai|ohsfwggk|r(rnoopzv|mahtqap)|xcgyschx|dcqjhcrb|geyzwrra|amsfnqsp|wtbcpdzx|hk(earmmy|ceugsv)|tljqnqcn|nwltxrjl|qusiwtif|kqandvrc|bdxjcaci)|w(i(sviqxqz|hatygzv)|kcgsuocx|c(woxmfxk|yfamesv|ampxkht)|s(iywemdy|ocvtvsf|tdxpkjg)|q(pysiluf|ttqjuci|atejnse)|xzdjuapg|vsqjknnv|o(qjxkzob|yjfwbsp)|yzxeffrw|j(bfuxygf|npncqza)|d(himhnof|zfhwicp)|wgpzfhlq|lcpdxotc|rsymnatk)|y(tagrglcu|avixcldj|hwcixuvl|w(ilexikc|mlscngb|lnijwtk|rhpwghq)|uimoeffs|erhctyio|l(nzuercs|bjayamt)|bwokwuer|decrmbuh|ifdnviqx|k(erczotj|rtbhozw)|ohgqkpom)|u(vhvfqnrq|x(sqmhpuv|wkfrugp)|citmvgil|qwgqfefq|zpntqabl|yqekkmgq|d(umtydkc|hynotgl)|ovwjgizn|ilsuqxqt|p(nxpdxrj|fizurvo)|hlbxalwr|a(qucmzni|torxeex)|wcnhrcsy|gtvrcsmx|sxadarmv|ff(vtmisn|tigxvs)|nfcixiul|bqvquksl)|v(utkuyotx|q(l(kwpnnn|namctx)|rmokmyg|glxwbey)|k(oeixveu|yxgeatr)|g(ymwtooi|ombpnbp)|ztvpowiu|f(izbpias|fmquvib|myupxvw)|tqctnvwi|alzdgbsf|iwwvhswl|mawtnjld|veswdjiy|n(bsvtogg|tazkknf)|paqzcomc|xqeacmbi|jarwibnm)|l(o(mpkuomj|ucnmdla|zznnqlj)|w(gqypcrp|rzfprvk)|y(geoacle|fzqtnov|nicdgep)|gwbfjepa|kaupgmal|h(zajdhza|xgjjrve)|tb(honcme|jhzhvq)|llvblzcb|i(ytskzap|hmiciel)|c(udewwsz|mwyxyuq)|mgvapegd|ppguuhaq|fvvzfswr|aibgafse|nn(iseqqb|ypgqgi)|uh(werfsm|aoqjih)|bkfihgyl)|m(d(caehkok|ofmvbdf)|mukmlogh|azmtywbk|t(eucjvkh|qpeeqdj)|n(kpsiyvk|jofydnr|lsgftzp)|l(lpiajwu|zrtxryo)|y(wkabdwr|qlctohl|etggstz)|h(nttcnhf|lpobsni)|bqmvvfbk|k(dzgisjk|gnzniul)|i(berbrcm|snugrzs)|cwwcgyql|o(yvqjwzh|ioduadt|xzhuzpg|fqgrlyj)|fwzsidtu|v(tjesvan|kkpkuhb)|rtfggsaw|jdrzyxho)|s(f(obblefx|fgxgtug|wvnqwnh)|c(qjpcpkv|nmxxzcy)|uxftmait|dhyuvgiw|jjgdybmi|x(qufxmcr|gmnprmz)|kegkgsqd|pgjeejxb|n(xhgzscf|hiqgzsp)|q(zsgtvfq|nehfnxl)|akrpprdp|vvmatkit|tmowfrmg|m(ticuljc|xtuvhnt)|otxdxhpy|rjwfhbfo)|r(o(baznkuz|czhxock)|q(yktbudf|mwwzvue|blepkjz)|c(vriemuc|rvcbzjr|froghdc)|x(hfpshwc|wcekzji)|j(u(hwihrp|xshmcv)|jgequkw)|i(vpmwaxa|dmrahbq)|n(znvzofy|hbisrti|yjagiax)|tzgjwfhc|gsumevhq|sjdzhenj|yhhqqppc|luvhyxhd)|t(ivjpcirp|epnrnkun|c(tbqxmby|mcamoss)|f(upvzqhi|nzuueau)|u(hrfhscl|opwbeta|qrvakwf)|x(ibjjxhm|hsxqjht)|mqgwkluo|h(iharziw|mfippws)|zajrzrza|y(hxxsnjl|nuoznyw)|sotofsjt|l(vqmjxzq|ytobtbl)|kmtomjmf|nqjwqmnn|jmexiyqb)|b(caolyzlw|r(crrabtb|bgraotf)|j(bkduypy|ghkvtwn)|d(qqulgya|lcgzfyv|kqzegiw|bkfekzz)|agttayui|zejbppve|f(pkqtaqn|ejmplmq)|npwbmisp|w(jewqwtr|cokkgrg)|v(vzsbuig|tjkyaiu)|ezldpoxx|sgwhrvbw|k(rnsjokf|eqrcmos)|i(ovpmchs|bdrogzw)|odqdeblg|xlotuvvm|ldmdlweb|qgrpamcw)|e(y(elzirpc|gvtvccz)|ipbezfxo|leamfgis|b(buuwiyc|phfxxzp)|ayxveour|o(dhggelb|vijwgbv|pjdexyw)|f(pznxxsa|bxisghb)|tbibfpal|h(psocdej|kenwwep)|rmovxldu|c(hycptel|fvyidrl|ajhnhcb)|d(qeejtyk|htppnig)|vezsijgy|gshpazfk|epcdpogy|nfqcmsvx|slunnsrg)|n(vjmlryqi|m(d(qhkbir|xdibba)|wsqgbmi)|n(neizhms|mistsiv|onmwlhl)|hrwtzqho|xuozlblk|wwotmwpt|tbuyhqtn|a(ydlawqb|qmlzpsq)|llwlzfky|iuotfpre|bqsclubo|zhfxbobr|jvtlvkwf|comlbdur|yjkrmpor|rufositu)|j(fkldjgrh|xipgdalu|r(mshozkj|vbfdvnf)|l(yqqbvzz|skldbtz)|iboolodd|uo(vlfvkr|zxizrl)|v(xylcwgc|adbijgc)|nyojvxhu|ewsibynr|sovdcogh|wbjbwjlb|jhudjxxo|batbeoiz|oowmjbpv|miccreay|chgjdege|kgomadsa)|z(e(ywigqks|pefjkic)|t(sdfhmvx|zdqvtzi)|q(qwbfmfr|mvzvlgw|bhaopqe|fjojatq)|a(zngwzyb|kczitey)|g(fxoesfq|kosjprl)|mtjkcmlm|o(gvesjdl|pyrejsr)|s(kolvacc|sietrnj)|hvnimysd|f(tiromks|lfxyfuh)|pefnobym|yeeycsrj|zzbkhnsk))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633104; rev:2;)
# sid 2633105 includes 840 (601 - 1200) 9 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(h(x(zmgwscc|weztjwt|gimhmox|ocdzuis)|r(axkqldr|tbzztqe|jbzpowb)|n(bmmcduh|rkvnqoe)|z(eotzime|zkjwxup)|v(udkkrvk|adbrrho|jviuqmz)|hjzaxwxx|m(gwfqhzt|vnjumbj|nqbrxgv)|t(rczohem|gsmommx|xtpkeuu|mqdxbbz|jrlcgtt|vdzxcmq)|b(odiziwc|btwkywn|vhgafgj)|oycopkjk|cgveutbo|a(sfjojfv|bvbisus)|easmgygx|izclbhqc|lpugzqog|j(buiuefq|fiidroy)|qytfjvdq|youkfzyr)|z(gkosjprl|o(pyrejsr|wntnrjw)|s(sietrnj|djefjan)|tzdqvtzi|y(eeycsrj|akhyobq)|zzbkhnsk|f(sckpkao|lzxweit)|catnbura|eggripir|m(kbmwvat|ekcuetw)|htafiljt|rsrivcuq|d(hvrubkq|ojdsqph)|urxgmblv|ptgambnz|bsnjntil)|c(n(wltxrjl|spvfueo)|h(kceugsv|gfmvyyb|afckklm)|qusiwtif|k(qandvrc|vndgaqu|fcuhnrn)|b(dxjcaci|szbbnno)|r(mahtqap|ggrtfpf)|cmateknz|f(hqhupsg|wwzljtf)|tyhltiyf|o(a(ncmppf|lztxcf)|jciyvzl)|l(lmkxifw|wmzosiy)|ipxlnlol|esxuwgvt|mfcvfxjy|utmoovky|xpkidpad|yqzbpeqj|znheirxs|v(xeqmlyo|avakyoc)|jsczdiht|wtlspyyn)|k(a(dscqrxh|coivkni|avihzko)|f(yugoskj|pzhiaou|gowtqwo|nucwwlk)|r(xoynrug|jxmbgft|gtlwvon|hhtlzxn)|bs(jvhetw|hdgpei)|y(ixysgqr|yswtbgo)|q(kzmxjgf|vigjxlx|hdcdubj|dwytmsh)|s(fsnpmjs|nnamylt)|np(aucuzc|bykpgf)|e(xxpukhj|nlfnyor|dkfcorg)|k(peufvsy|kdbgduw)|h(skawssb|ieiopis)|pumkxdvz|g(eliawdr|iexebgg)|xtknxxdi|zbnlcnzp|c(qoyyxqk|jlqwyzj)|lrjawczm)|p(z(fywmdnn|gbjimoy|tvqgjmf)|s(hcxrmwm|yppimxn|fmllmpw|wjxdfeu|ikxkrpu)|v(vociear|unagyxj)|g(a(piycrx|jclfqw)|gxohiug|uepappb|mprqytg)|y(ipknyjv|aggmtvq)|l(myoskqb|cptcqjl)|h(ehnuqqt|dduldaf)|mgxozaok|q(bqobacs|uvrmwst)|iaodespj|n(kiinhof|owaayxr|jtkbwbr|fpttidu)|acaybejs|c(mvzvbmp|bszxdky)|k(wimsgnb|ksgeezo|vfepdqx|lktfhqt)|ublbweho|widuoedj|tdjiasqf|pqatjtru)|t(f(nzuueau|yrjatvy)|xhsxqjht|l(ytobtbl|x(esbqbu|zzuknn))|k(mtomjmf|uffzcqh)|ynuoznyw|n(qjwqmnn|gjhwzcq|biifnyy)|c(mcamoss|nhupykd)|hmfippws|j(mexiyqb|xcemzpf)|uqrvakwf|t(dyyeybs|unehder)|o(hspwgvu|fidjkyy)|vcaqfxla|wplgduxx|e(gxlzvvo|pokxjvb)|a(ykqzvyj|ltwnyyj)|g(sodcwls|ivlckch)|rldsfqsl|dyljfhwp|ivbeujqv|pmaisduh|bgsgaixy)|v(iwwvhswl|mawtnjld|qlnamctx|v(eswdjiy|bwxqpsg)|fmyupxvw|n(b(svtogg|kcmjwg)|tazkknf|smnefrt)|g(ombpnbp|njltzuv)|paqzcomc|x(qeacmbi|luimoyi)|j(arwibnm|ktzrslf)|chfwstgr|h(xigiljv|iroukbn|qzzpkip)|wlgueygn|y(mlqpdko|grbrlxv)|a(tbnpwcx|nxhyawl|iipqphm)|u(yophsqi|mtbyaas|kuibjkd)|blygnyuh|tpygjseq|z(ndkqhis|gfgtfzz)|rbrnkayh)|m(fwzsidtu|k(gnzniul|htlbabt)|n(j(ofydnr|dqrbyu)|lsgftzp)|isnugrzs|v(tjesvan|kkpkuhb|wfzgeen)|o(ioduadt|xzhuzpg|fqgrlyj|jwovlok|abltgdb)|lzrtxryo|r(tfggsaw|gdhbbzo)|hlpobsni|j(drzyxho|wnoybbf|gbsjmxl)|tqpeeqdj|deotmskm|c(bsphwsn|ibnnutx)|sznzkvna|zzolhyvd|aslnqqwe|wbpmehvg|x(mqwjbhi|vguwdme)|etxonkwm|gawrqryc)|s(n(hiqgzsp|qftlsvg)|v(vmatkit|ijnjonp)|tmowfrmg|x(gmnprmz|tutjypg)|m(ticuljc|x(tuvhnt|mgwzai)|lkmzzvg|fmltmoj)|otxdxhpy|r(j(wfhbfo|mtqsma)|uvqsynj)|g(tncmpcf|xyxkpmu)|h(vsmrqux|mcdlnwi)|c(fxkxnyl|dldebsh|khjkplf)|immupwhy|kzxvkbws|l(yuysfqq|wqmyddh)|jdxzbuul|qycfhjil|s(nbcmvbs|jdusket)|bsjodgjt|ejplqhsw|umbrxbcy)|i(x(sxbvbqp|wybmtga|utkngbi)|sxchwvwr|n(fo(vkota|pgdzz)|mukyrkk|jjkklpl|copglwb|zevjzxe)|g(xtinhaj|n(krqzyi|qlrtwd)|kquouyf|zzpydhf)|h(vdudkbr|gtyivgf)|d(lvxeoyq|ktrkuyy|eruhlke)|maagplai|pebdfmgh|r(gpmneme|vaolhvl)|ziftajom|q(cbrjpdb|szplhvz)|f(pruejvu|nnkasls)|j(fxanjcm|zgbmnbf)|w(jbosimv|rvvceup|wrlpypi)|cigvvkfy|bfomqqhc|olymghkq)|w(c(yfamesv|ampxkht)|s(ocvtvsf|tdxpkjg|zdygcqs|xlukdbr)|qatejnse|oyjfwbsp|dzfhwicp|rsymnatk|el(ntohan|lvymgf)|wxsghkex|zyoummbi|l(piojzcp|xsmkqjh)|u(ipiibam|narlsfk|wxqiman)|mzybopph|jprytfpg|g(xpelvkk|pzqvcwy)|f(agipenj|wosfigf)|xiqeglnk|kdcxbete)|r(oczhxock|x(wcekzji|mhrwzdw)|idmrahbq|c(froghdc|ziownth|c(jswmxj|gzfwqa))|gsumevhq|sjdzhenj|n(yjagiax|anoumsw)|j(jgequkw|oykwsun)|yhhqqppc|luvhyxhd|fmphxvgo|pivunucs|r(mofdkqm|vhbrihe|eovugfh)|todbdvcl|qmucmxvt|hbhpcegk|uofiombn|mhwzcwun|vqwgxuoc)|l(h(xgjjrve|ygfjjum)|f(vvzfswr|hfdjxfc|iezlsww|jwfgacf)|t(bjhzhvq|upstoiy)|aibgafse|cmwyxyuq|ihmiciel|n(n(iseqqb|ypgqgi|lffvud)|lvfibhm)|u(h(werfsm|aoqjih)|lizsgns)|bkfihgyl|ycyzavdv|p(xurcemq|crfgrmw)|ennifzhw|oafepjlc|vqxczaaf|geqvhecc|lippwcnn|zshvydmt|sfcdnmit|jurbjngz)|d(r(fxqjcmb|hezowwp|xhivrtd)|evuqptbq|p(b(gnkbfz|pkepat)|zstwjrq)|wqqksmyf|nqlzmahd|osyyqmna|m(elbkynr|seaengi|nqffybk)|t(kcleurw|hfuxrfa|qpzquno)|v(txazeun|ubaekgu)|b(usehher|mpdzhtw)|d(vatxuvk|oegxjta)|zrkfnezn|gbnbiwzq|ibmoefbm|l(ypwszmc|wigjdey|zgajmas)|h(sxsotgi|jzbervj))|j(j(hudjxxo|rezyhyr)|batbeoiz|oowmjbpv|m(iccreay|bidlwbh|plcmasg)|chgjdege|kgomadsa|uxyrgtkr|n(pbpfiio|spptrgq)|hwpfsjdd|dhxjliid|p(lebqjzh|pyebxcx)|vlqmyvkv|f(eokilju|fqgqqya)|lbqnilrs|zadxxpqo|e(psumahq|ikruxym|qaerniu)|x(jdzcvlu|vfhqxfy)|qmmfcojs|ysifldtt)|y(d(ecrmbuh|zzjvlme|pkffqeb)|i(fdnviqx|idaxjns|mwzbbzc)|k(erczotj|rtbhozw|jzzxdvx)|w(r(hpwghq|knuuhs)|plprnka)|o(h(gqkpom|jkquzj)|dqkouyy)|fqzntjnh|l(urjlpgj|hdlngjp)|rgqobkpm|x(vjabhqg|cqlymfo|dbteduw|zfqvcqu)|e(pkdcglj|eqrrrxb|s(nessjh|iqgvqa))|s(xigwqea|uumjpbu|pdiizoe)|v(btbdztq|mecxxmk)|tsfcabfr|prbafrjd|gpsrvgjt|bzrkprrl)|f(nrewigqg|cxqonyan|jggkekmf|skcyhyzj|wdysmydz|bjfkvlgq|r(abdhtzc|wmsupui)|qogfzhyi|gmfelbpr|knjnbowe|uvhtbvbz|vgjyfjvh|idmvtiqa|e(bdecwkj|utqvozd)|akrerjwx)|o(lkroykka|nwiegcvz|vedbyncz|prhlffxa|dijpuufa|w(ynaibwi|svyelhf)|a(yrrjxyg|fzhwbja)|yumawrmp|qipgwyau|x(obafhzw|mewzdok|rgugolf)|t(fbkyvge|ofpbkqm|uheqsmq)|ibugthse|s(blsvmfn|rxnxzfk)|cpznhalt|oydzuxfx|hwyhfufs)|q(u(cbjpkuw|bwsgyqb|ulgxjph)|p(mklvqew|aifgksp|iytlkeq)|x(hagltka|yzgnspv|xtmzxzq|tirmszu)|n(gbgxlla|noepcmt|dgilhhx)|ldddbkqo|yrnqxcik|s(jgzomhk|vxqrmvv)|q(synwajn|wolhady)|jzwmfocc|z(omrqpqy|cphuggk|tepoaui)|m(drovrhk|smkplah|taubipy)|o(annyakv|lgdfvmi|mnwlreu)|k(kgawqrr|lruuilf|gnpihqm)|f(kcsidap|deeblvq|totudxv)|c(klhibnd|fzzydrq)|hkturfuw|vg(pddtxx|fsljdd)|d(gnuvsud|uppeili)|etavubzd|w(jttlbbu|mewzoxc)|itcopfwd)|x(mkyfhamu|i(jhfttir|bufpcre|gqadjdi)|g(erskayg|bbdhflm)|p(xwqtosj|ezhiirb|bbuplwr|thoghvz|ljdosts|qcpugac)|dteidyiw|erajiupl|ueudqloc|vqqayzwg|c(rywleep|wnqowwv|yekzuvl)|bhmhwfkv|hnrarifu|fujypwmv|wkcthyfl|zfqhhqhl|jelgdhqf|qschdqcy|kndkdcyl)|g(q(zbzjonw|tdvffrg)|g(uvexqds|fzfxvlk)|yqsbygsu|b(z(ssrhpy|npdrvu)|fcgdskx|ofjhwkl)|jpfdwnvd|r(mobdkpp|lxnzkfp|cdwyaas|vpqomob)|a(cvdsrlt|vouzmqt)|twattvxv|cdrtajyg|u(htzaqkc|pwplgdi)|f(ghvjwdr|dnecyzb)|opnnxlua|m(kgzvnls|mnpnfjq)|w(cespgov|mwqddex)|pewounvz|n(oltcehm|tcvjhyw)|l(n(jiprlw|agajei)|dsbitfl)|zjabmnza|iyvzlhlq|e(uriqbzo|jhgughm)|hmcagoia|vipctiqr)|b(s(gwhrvbw|ampcjxc)|d(kqzegiw|bkfekzz)|k(r(nsjokf|xydciv)|eqrcmos|ovbeccx)|i(ovpmchs|bdrogzw)|odqdeblg|x(lotuvvm|qphjkdx|itzqnwb|pbtdwxl)|ldmdlweb|qgrpamcw|vtjkyaiu|j(ghkvtwn|entvzbw)|g(hkybwss|vkgyyos)|a(sluoysx|cvtwtto)|h(qzfqbhz|lowfqde)|e(eirccas|lgkanxp)|r(qfpokba|ldzgneg)|b(rzathrh|jttkcbv)|tqgkayyy|udvdcgyx|pjpxqwqi)|e(o(vijwgbv|pjdexyw|jygumsa)|d(qeejtyk|htppnig)|f(bxisghb|iawqfse|lgblfve)|hkenwwep|bphfxxzp|vezsijgy|g(shpazfk|wnodgzw|nkuriuw)|c(fvyidrl|ajhnhcb)|e(pcdpogy|xlifooo)|n(fqcmsvx|ovjvhlw)|s(lunnsrg|utxwpfw|gmjrvyt|hocvtrg)|ygbmqlpg|r(xkbvbwa|iixczmg)|ucefndnq|lvziaoeh|mgfbnzth|pawavnlp|wnfrtrgs|telbhwwt)|n(iuotfpre|bqsclubo|zhfxbobr|j(vtlvkwf|fxeinae|qjvsnge)|c(omlbdur|zsirsvh|qjreike|uxrkepi)|yjkrmpor|r(ufositu|jcdmfze|dzxothn)|aqmlzpsq|dtblseyf|f(ahfnupe|ttebzvy)|g(bbxoyor|oynvida)|ox(ejijgp|wchuxp)|h(ixktcma|eqdeseb)|e(yhsmxla|bxmfyuu)|n(egxhxjg|jytlnqu)|qdxzuwba|uhqgmcug|vljfmpgf|k(bfjjmrl|ciaakno))|a(y(zxkvznt|cwpldqi)|i(x(eabwex|duqmxb)|kugqjwo|ufuxsjk)|cmkglimf|n(lq(vaqnn|lzvbr)|ezyuohx)|z(eisvayo|gqvqevw)|bxmdihvy|u(biebdwc|jvmxkfd)|f(kiigmxm|dcnxrzc)|k(nhbkaod|fstgswm|brfzdwg)|tkpuddpw|gktjkzsv|ruxumvrg|x(nhdszcq|ablkwzl)|vxdvvmft|h(vodwpmc|evmjjwc)|lnwhyadw|qkmjzoke|pmrcxpov|jgfxgssl|ogrzobfe|eckohzan)|u(a(qucmzni|torxeex)|w(cnhrcsy|hxmpqpc)|g(tvrcsmx|aazvewq|ijteeee)|d(hynotgl|qmlpaus)|s(xadarmv|vgchdse)|ff(vtmisn|tigxvs)|n(fcixiul|sbbyqzv)|b(qvquksl|xcukogl)|p(fizurvo|pnhowvl)|l(vwitvcy|jxasksa)|okmjruwq|m(ltiztmv|ardheja)|j(utnqoip|lrgrtpw)|rwxzruvs|chcswypg|ktubjskp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633105; rev:2;)
# sid 2633106 includes 240 (1201 - 1441) 9 character domains in the ".com" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.com)"; content:"|09|";content:"|03|com|00|";nocase;within: 12;pcre: "/(b(ibdvjpwe|nrslwvdb|tmzfufvi|svlqmwfm|zkyjhpcv|kjjsuesx|rcrbqtsd|mylevquv|xcaahznx)|y(gmbmwugw|ljbviczw|ktxfrfbo|wrkewspj|ajocthag|unlmlsfs|ynbulpde)|m(s(bxqsmcp|mpixrid)|d(yjeubhb|feadcys)|juayfwez|znqgisan|aupntwol|tfbjphhj|wlyzewku|mtqsssrr|cvcvsqbh|kresxrfb|ethdmors|nwfixpgi)|w(g(djcvlvf|fkadmjg)|fyyukiay|dikpebtd|o(rbkujsc|ukgfvdx)|wnvhbruk)|t(u(mewmzmu|sdhjkst)|ynoqgtls|t(rwacrox|dufsnng)|qvxxukbk|edpzxlot|rkrrmiev|vkolrwom|zltyjkci|kxitbokf|aysqqrhz|fkhtzfgi)|v(j(xondoml|qugizai)|ipvdtsnj|v(gsljybv|hqbrnbe)|c(gzjcjrm|hjisgfl)|rervbjji|gpietlhj|xalfxyoh|brmyvjdz)|r(u(skhlngd|yslwbxt)|adywcxif|qlagrhkd|bissoqpx|yrafxixh|dyleimvk)|q(u(zwxckdf|tgdkhlf)|zdjapchh|pqeicuhy|helwzeug|mqzamqcs|f(kvmuwxo|jvqluyp)|xcmgxxkj|lblrksrp|ybkpeqlp|odbrfdkd|cnezydkp)|x(xwiftdfs|d(mdlzjsl|ecvmdcz|xnfspad)|ohabdeaq|loopavgv|gpvxajks|heytrjkw|wlaoevgl)|l(mjffjuee|idwqsmxp|skvkszok|g(nypdlxu|yjserqb)|rlqppggw|ebhcizvc|dzhmfdym|ugbtbvon|txhwwplc)|k(rfbszofg|f(miranxd|wfzjedg)|d(dygzcyj|vhwglsb)|tqmajart|ogsnhhnd|euiwdmdt|j(vwmlmvs|ickbjco)|gypjkpmq|lqaiccoo|nqbuflel|yrpxhgvb|cvmqewka)|a(njmbbsgo|tgeighfi|mdabjoeh|g(fmkhgcx|afmbqgk))|d(bmrtnxdd|y(gginwys|xmcbmcn)|pvwoifij|dddkqztx|xdblygkg|exnembbp|rafymcos)|p(baahrrpn|qioxwxqx|w(wkzgzlp|vxbwunw)|rxsexgxb|nfphevuw|u(plfiuip|cftoxop)|mvufenaw|lxjckwny|ghtuiejz)|j(s(ofmtbfr|nobxbuj)|f(jpapbtr|fqhbezj)|qoxjohkb|ofkpghyo|equztnxt|zavyozvb|mizexrtk|iflvbmcb)|c(vbfpghyc|gvggxfbi|tpzgelcu|wnbmdfvt|c(mvxakoh|bnzxcdb)|eeksnhxo|owtgujsb|pghufrbq|xsixtumg|ncglqmbc)|s(edtbgbjg|n(nbbclft|yvbolzv|xkpvsmk)|kvaiyxlf|upbfffuv|m(vgompjw|rkcdhss)|dlvtkosf|ossypngs)|h(iwdpdslh|dyclqjem|mcvypbgl|l(jnnpyjt|lbhaunk)|vknkvmwo|qgvleada|pffcrbfx|xetjibfd|avvarujo)|f(nhpbydev|alasmcgg|o(xquejmb|uspjiuv)|xzdreqda|snsxxcvg|jeoorsva|q(ltrttvn|eyqjepc)|llziicxp|mdazfuat)|g(raxjerzf|kv(isufmq|hgadmo)|a(cgybvjw|inovizw)|mrpgkvab)|z(nextlwsl|lxwkrzxb|kthmvppf|sqcovvfq|wfzjacdy|pxnlrbmv|rjqycrlf|vpdhmfiy|ffjfobdz)|n(kzpbgjjo|qwiadlcr|dayczqpd|cxlqnlwi|gpvzmhhx|nstqhmke|hxiqvaez)|i(dwjeeorv|osxvmehy|n(kixcdmx|fooqujg)|tbsqcgyh|ckpkindw|avuosvok|ewrobcxu)|u(ztmpusre|dpbcjlbt|rbhczswg|ovmuigrf|btupmavf|gweorrns|eqcxrfuj)|o(a(yhrvczh|gptklrs)|pixudcxp|b(cggkhko|fooprkj)|zwwudqae|dqkitvfq|cxyaqkvx|ylimyysi)|e(elyxwydr|absfjrwm|kychposw))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633106; rev:2;)
# sid 2633107 includes 600 (0 - 600) 10 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: "/(b(t(ideepjfn|nvgqsjip)|b(eislnsgx|zfxwnajf)|f(wdpfwyyx|dynoivjd)|yebkdrxln|d(rbmxkpep|cjdidrfu|qggkghxd)|p(ybibcjkf|zqtrvldl)|izdlgafno|e(kdkovqxs|qiofargo)|hmzewcbcs|kkxkrorvw|qxwwirsyf|z(lrfzuaab|nmoqsexo)|osoqkzegp|mclrexdim|xigzftegf|rrwuowrxk|v(felqhqtt|erahdbcj)|a(vsnepisx|zxvrlxkj)|c(evmcjbhy|jtgwyskc)|liqtwplfy)|y(x(aidfevey|wuuiumkk)|h(hwaqyqcd|tammegtj)|j(msglwtvv|rhaedfvo)|m(sllopwxt|nkfnoyla)|vrnqqkeqc|agreundnq|lxpknxiof|ktwldpxjs|zzkwamfle|e(hdsxpwbp|maiaxiwq)|gmzdqwrbx|smlkqwesm|bfcutfigg|qxlaksodh)|i(e(mithsywd|bvqlkrwy|scpdzuej|umjmyhnu|gtcdbxoy)|ux(izdrwoh|gbtylhf)|h(qzfbblen|tisnbqia)|r(zzxxexcj|koyxmgsh)|p(hqgooplo|cedckbte)|kkdfyclje|t(pwmvnmep|wyzsmmqj)|b(zrcraldn|eeoogwmc)|cxgzifheh|mpgvgvvpo|aevjpvtsv|gyopgvjkm|vravxjywq)|t(jvefqxqlr|uildutqau|baxrpiqry|pcjmvowzo|onuoqluyz|i(cdbmozhs|focotnop)|z(xvcxifns|lpgkgstw)|gjfumqhil|qphxnlhfg|hjcidvsdl|x(sqwvrwtm|jgvcfekb)|m(kexwuqjf|bwamuhyo)|cdlghrdya|kfnfqpjrz|nhfnhltbj)|w(sjiyynagm|m(nbjklbqt|abihijyn)|ymqtetrmi|k(lzkwmxdm|ehjfgsvk)|u(akswpkks|gaqdwatv)|g(ehwevnbs|rhiklfml|uanldift|fpxxzcvh)|ryyhamfim|a(hxjcybaj|dpyuxfvy)|f(rcrpaaoj|wwxzuhzj)|oxxwhiuak|bqzfcuyro|t(yywewqfz|sdhsphxc)|htfxdfzon|e(slmeanct|prtcnohd)|d(svlhrtcq|xmjgwnle)|lpaikjsdl)|g(ncpjfbqmm|srnszfqko|r(bvsqvlnm|npvvhgzz)|lmedrzfiv|gvkbitlid|hysreswpe|xyheadfpc|a(gomqtgzd|vdggeegn)|yginwifeg|zdkojsqkc|oktdvtrro|jiewtmlnz|tzczntcxk)|m(b(cnjwgqwp|gctowcmf|f(flzqfnn|jbjwpuj))|qqxrsmekp|y(pqztatxa|ywpsopam|rsgippch)|mrzmjzaem|f(ndkqsozs|cjrgpnya)|ri(ijwjcwe|cecttub)|wkwhvkdpp|zozrvtfqe|vhumlwajf|dmrdltqou|opytaeuqh|hztcumwlu|ttrvvjukt)|n(zorfqcqum|u(lrbbkpmw|gyolffxe|zyujziky)|y(dqmqnwoj|afdddfhz)|x(veivdrop|xvvfjwrf)|nugrnljxp|i(qcvqrbjc|muvhurqt|tdjvvtok)|h(lghsabhb|riyssfkt|jlytellg)|kjztkilof|fierkyxpa|wnicykimo|muozrwxrb|gerhwuqhq|oojngbrga|qwjqrrsdf|pudwpjrng|rulybtneu|bgkxkyvlr|emqhbqzhb|dtvrwhzrx)|e(fvvcajsrw|sjyuycgyv|ajhwwyryt|gslmwpfut|c(vrapwswf|idryfcmn)|b(yygooaca|neiezepm|eqmgimoi|mioaxozp)|xyffnvfkn|ifibemmyb|pbcuxpnmr|yhjzynsgo|j(ftxrazlq|ysgnqeze)|h(sxkpkion|vqilztjx)|zubqmlydq|llwhvkxox|n(atcykell|xztpypqa)|wfdzzidwp|ttejedjmy)|z(ntnhxzfgq|s(dxbuggub|nbsbcagl)|z(scxbguwo|niykdcpz|xsgeuhny)|uhuplangw|qgqrvmgtr|c(rtsbkuil|fixylqdl)|g(dhicpcfs|xpuegrtu)|p(ecvzygbz|vsfvfxtl)|y(pwcuklee|fqhlxqfs)|vyzwlvhki|r(cjoarfhc|mkkaiuti)|toinfuuod|e(felbryjv|ytfbnzuo|tldwxszj)|wotwgprsb|j(cbjcqarb|ehyhzeeo)|huqdrudsh|o(ofaeglkp|iqtswxoa|gxvyxoyg)|xelunshum|aetlkodnq|bujjehqnb|fwliwbzep)|o(knptabnbb|lhiceisxf|v(ywunggjz|mroyhlfs)|a(bcmopldj|uagsnwgs)|fexefjiax|y(bzjdjfrf|skbuwefc)|bpypxtnem|s(optryfuj|uemcesmz)|eoolyuvll|o(dpsikbhx|gqgycqss)|jrsowgcgz|xecbrxhkw|ppzriiqtm|gmhnswhes)|q(vrfsazbfy|y(fyakztvh|jltabsst)|u(kxysjrvl|z(vccfmdv|ltncqmu))|w(mjkwtfwh|zrdrrbjs)|fdudvmorw|d(tleftyan|oujdxfkv)|lvclyawod|acoeqwoht|toikptitj|sjvztzgtr|o(fcsvnsqg|cliiyqws)|eokaomglj|mpqetqhxz|qqpypdkiv|k(xlbvyixr|cvcfsoqa)|cccrnceaz|iwjbujpjq|xeccvgeka|ptzqhpodi|jpfevhxhq)|v(z(dhzltwzp|lfvfvezh|cvfcyrff)|rbjaqkitt|megpfllxj|iksfeqlfs|s(fmbniupz|jexxlkxc|yheoxzpy)|brzcqtyui|uixohhfop|oqoqtvgmr|akjotqqpu|k(sqbwqjik|ugowrbql)|yjidunhkj|pkhgvkkov|gebwvmhvm|qbdbdpqbq)|r(z(sfldrrlm|dyubjrsj|ywcdkupx|tzjmpqnw|avdheddm)|ekoepudai|n(pcgastiz|mkgisfrn)|s(fjmdhlgn|igzljzck)|k(ditjznyc|erdavnrh)|lwpjbxboy|qhxrvzkkl|bydmmyyuu|w(f(garryuy|ranykvn)|gsjsphdh)|f(fvrehfqz|unxssttd)|o(vouvtayu|ncdyjlur|yboeslrj)|jagewauof|vgeznxvqw|cvvomvanw|uuzxjcxid|awbkqqtwp|ycxemmmus|iihpdtjrw)|c(ny(ukqitid|xlvrefc|siukiyn)|d(ryvdnhah|elguqdhx)|v(pitoejxf|ofukjzce)|sxyuycedz|oadkaaqci|lvlgumnbo|rohudrgub|tmkdaunlp|fccmsbnwl|btlybcebt|juxkvpzvr|ybhmkumkp|qehbaksex|a(iawgtkqk|edbuvhie)|e(gediazly|jbqxitrk))|d(b(mxwtaoal|veyfmvjw|rtnleels)|ptlftbtdy|hsmajnjss|r(djqvtjqm|almpliwf)|egdkzbsoi|a(xevruxiy|humwnxmt)|nkzwhounb|tqpwayiei|lmmiuwciv|mpkzkbydo|zprptfwzo|iibhlejoe|gifuykezz|ulayjjqsb)|u(z(guavpowh|iiejtytf|vkmynzcd)|b(tpmsuulk|eeiukdvt|niimkwui)|u(mhdyping|cvzzekak)|lazcraitj|krkgcklsa|cdgieqmjj|y(rfcdwukd|sfwyytwl)|d(svxtaiei|ogskbsrb|ipsaxtpz)|qvpvbjdcv|a(ysplmivl|qcfptbjg)|sazyzimkq|mkbsiorix|rgthmuxht|jesnbqnrm|gspgrgtnz|orfhkepws|wvhbyxpzl)|j(d(oamhldma|nvmpdxoo)|pacjetwae|y(esywspbw|xuaudyat)|u(gmwgxymt|txobhnut|bmmacjta)|kdvgagxej|fnjkgbocb|jzvxiyuej|i(hckhmbsr|ppdttawg|tsolldnx)|rrzulmemo|x(lslsksyb|iqblqztc)|eqolqpenq|oeocbbpns|tpnhxotzv|b(ppxuwflz|bcaigchh)|noxfnjelv|qgibbinjg|lvsgrwryt|wlplqyobu)|p(zkeajvygy|u(xwfzuqgq|ekuktwvn|kdaaghpu|vsjpvcra)|i(gwshfcze|f(vbcnerk|fadgvpf))|x(yyirataq|zphqqntr)|dqtgcruyy|ofknjnyyl|b(kiektobe|frofambq)|rutqcgpnh|a(rjnbbuec|nxvpquvm)|syaooqszn|kaquufjzm|gvwpvgyrr|neihvzndn|qpaqcrftp|c(ikcvdbjd|bswwgvtm)|mennxnxmc|ertvoadek)|a(zlkfvkfvl|c(rskjcrof|otmroiav)|k(jtapojtq|mcmaxqdv|ickzivau)|mikfnefwb|x(sbkllufj|ertwozqh)|utiyagwsx|jhzqshigp|nvwypkyuk|yaxnlgyma|o(ghxomlrd|dxxzqozw)|g(vvfqlngt|salfvavu)|ttrbdajjy|wavrvufqp|pvqzvqtkd)|s(cwhykehvx|u(pvaghgkh|xidqtgrs|syijcpts|mhizbvga)|jdrgamlwi|l(btqhyncj|xpfijgkz|ougiijqs)|wcswgxavh|olbnucydi|bfyoenfjr|hnfdhzzku|n(azwqjxtt|rvvyvsja)|s(xestpiay|fvideatm|iqqezivi|zxgjkqvm)|gdxakflgg|d(qffdcsbg|luczngvd)|iqeelufxr|yltdvkcho|tizonajlr)|x(j(faaejxyi|lavvbpdm|rdzxmpvt)|fi(qpfpdeq|pibsbwy)|wvaqeymem|yjvysihhf|gpdnkococ|ajptjxevs|x(bqzzaiff|ijglbdsw)|cawcykfxa|rvvhixdfy|lrinntfuy|tvtzqwpra)|h(k(htupsple|qdgrhflr)|q(ddymynmj|vwvulheb)|c(zyoyplxv|kcnrkefr)|biryaasaa|mqcnieolp|s(vehcgbjs|llbokjed)|guqilkphn|earifjtgf|n(amnwuqlm|jwoaasfi)|hblcbkwbc|zvmezcksj|watapcweb|dfgbuapis|ofibtqrgv|ytkfstnmo|j(zigwevcx|lqmwrxps))|k(mtnfwweqq|uiynekouv|ggxljucib|x(yfkvebgt|xsexqjvv)|dsgsjowet|l(xyiiibtv|ktaroxsn|ekdbcixb)|vvtrzecbt|rridtsyhr|wggzmqdyy|jsclmunsd|toxpialct|potceeedl|qvkghfkyu|yqodagdvk|fnihjmics|hgsymwcsh)|l(o(rlttzzob|fcgorhac|mekipgyu|bsujltnj)|x(jlcpiplo|qtljlcht|wapqlmln)|l(jfugosxe|pgrwgjaa|vobqtrxr)|j(vzftwhyd|xwrfmcfc)|q(psdhvvyx|esxduyqj)|gsezrkmpg|z(vqagvtvp|gpurzbql)|txhvuwjuo|n(cwqpbcpa|wnlpgcim)|i(afsorrtj|bsoruayt)|v(vohuiqgl|liwowqau)|fmfwubbmk|rqyyswnih|afguucbsb|wofaodlpw|cfpeelfqt)|f(s(ghalogcn|pmoihbab|ubrfpein)|g(veufgaku|mfeucmnj)|n(oasmybre|neldnrrk)|hajadigyp|brndrnvmq|vacmrfswg|ufkcpusdh|xqxzcnesw|jokomsaey|ylfwzjgrh|mmorjofde|atonuiyvq|fplpieqdx|pfqszsaid|lhymsrytj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633107; rev:2;)
# sid 2633108 includes 818 (601 - 1200) 10 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: "/(j(b(ppxuwflz|bcaigchh|ynvcuwlr|auxftyxl)|x(iqblqztc|e(rkijlui|apypxmk)|gdvhqvuy)|n(oxfnjelv|bkykfzjm)|qgibbinjg|d(nvmpdxoo|ufjsxnob|e(dudmgtf|wlfxizq)|acgetqid)|l(vsgrwryt|kfxthddh|gpngchvy|elispbjm)|wlplqyobu|itsolldnx|m(gxbcjjhy|cmcypbno)|vwcrgyjkh|rsdsfssjw|a(bckeofdi|iaunwjbu)|jsabezayq|eslibcrgz|ftsuibsln|tdrrrzmhb|gnpxhaxtz)|u(j(esnbqnrm|rsvmvkex)|gspgrgtnz|ucvzzekak|orfhkepws|y(sfwyytwl|gwzokuwi)|b(niimkwui|mxdahapd)|z(vkmynzcd|sxgxyhbz)|d(ipsaxtpz|nxgxclny)|wvhbyxpzl|t(bbmzjmqu|midjgxop)|afulbpwle|vsqblrxsf|s(yppbgtiu|koyxoxkc)|iswfyjxcc)|z(y(fqhlxqfs|iimldpmb)|o(ofaeglkp|iqtswxoa|gxvyxoyg|xgcfemmo)|rmkkaiuti|xelunshum|a(etlkodnq|zlaugidu)|bujjehqnb|f(wliwbzep|ojzbsyzx)|etldwxszj|z(xsgeuhny|wldsyfer|iiutblfu)|j(ehyhzeeo|fpojiwpd)|v(gdhrfdrv|kzsvhdhg)|l(wwhhsgex|fsmtakof)|cnwnohjuc|tprzgefdc|skxnoeptv|qbwnqzntb|n(jxljnkdi|urxwjoyw)|kuwxltzdd)|l(vliwowqau|z(gpurzbql|wyagosur)|x(qtljlcht|wapqlmln|tgoyvuvz|jexglvcv)|f(mfwubbmk|emlhsmia)|o(fcgorhac|mekipgyu|bsujltnj)|rqyyswnih|l(v(obqtrxr|ftaqnck)|rqxglvxw|xpozeyli)|jxwrfmcfc|n(w(nlpgcim|hekyblb)|bcauxtvg|xgmgtwqj)|a(fguucbsb|wrawujel|onuogoia)|wofaodlpw|cfpeelfqt|e(idonczix|vnewafuo|fbzuxkjr)|synbxmyue|t(wwvbyorw|uuusoovj)|ikvuqezmv|umueyokcq|k(fpavhwro|suaiifgx)|qphorvtfo|mwdqoprnu)|w(e(prtcnohd|onzjsfkp)|a(dpyuxfvy|khxbdmtf)|fwwxzuhzj|dxmjgwnle|m(abihijyn|kdisbxyp)|lpaikjsdl|kehjfgsvk|g(fpxxzcvh|ikdfuxvk|zcooqavy)|norqcsdsi|puhudizop|s(hwtnllsr|prqsrman|rmyigodd)|i(abcatdtq|mmfrrdtp|wgigeqrg)|o(thneoioj|xxtvxfrv)|yxmnvokis|cahkwnptg|jruqimfce|qyizduihe|hyplfwlwq|v(yyceptzw|qpcufxhz|kmnmttte|xncbkbvf)|z(fnneummn|upvtldhi)|w(rgkgkaet|hadzkfaq)|bvqsuiqik|uaysdwemy)|t(x(jgvcfekb|ygvnpebh|oiuwcofy|htsrzuui)|c(dlghrdya|tmhgzzxd)|z(lpgkgstw|ecdyjrhd)|m(bwamuhyo|mevrlhfy|esnlqdao)|kfnfqpjrz|n(hfnhltbj|tksjjoyi|xezewsqy)|i(qybljfad|hucrkign|lgkxewwx|ztifsfta)|a(gernehtu|yxhcjzvk)|ehqlrnvsp|gxbgpnacl|stdeqmwsz|hnjozoefq|pldnavaaj|l(jwrnykna|thxxcxsr)|b(spfxgpbd|migjktrh)|vlkfranbj|wtepnbdqp)|m(zozrvtfqe|v(humlwajf|bujarfnu)|b(f(flzqfnn|jbjwpuj)|ukhdxngg)|dmrdltqou|opytaeuqh|y(rsgippch|mnqlouzf)|h(ztcumwlu|mevpkwqw)|t(trvvjukt|nwypfssj)|kajoctvjt|s(qibulnes|hgjujjnk)|m(ibswahmd|covugaxc)|eyoaluyff|a(agjnmaif|sfxtxwqr)|pyqjdxwch|r(fbcelpfp|gesqhwko)|ihjhdzgiy|f(vtiudwwi|rwiluofd)|xkexntjeo|umnqgfkmb|g(jbzctudw|inmltooj))|b(mclrexdim|pzqtrvldl|x(i(gzftegf|ynicimy)|xqwjkmjr|wtkjzdov)|t(nvgqsjip|mspftvby)|r(rwuowrxk|uewzwqpf|clbvrqum)|v(f(elqhqtt|cnxoirk)|erahdbcj|kvezwwdq|pwiiugqy|ciuljziu|dgxxjbhs)|a(vsnepisx|zxvrlxkj)|c(evmcjbhy|jtgwyskc|rtewuqod)|d(qggkghxd|ywfyxnfe)|e(qiofargo|nwsoqsvx)|liqtwplfy|f(dynoivjd|xnikbhpm)|znmoqsexo|ntmzrvbrl|htcpemaih|i(spizicdt|nfvojghf)|w(ctvwixge|yiypkkzx)|ovjdxjbtu|jppmrfhlg|kiqijttfb)|s(l(xpfijgkz|ougiijqs|ljfraiwt)|s(fvideatm|iqqezivi|zxgjkqvm|ayfiwylt)|d(luczngvd|mqwlorbr)|i(qeelufxr|vattmgbv|omihdfzq)|y(ltdvkcho|gqmbaoou)|t(izonajlr|rtdofcja)|rhfucniyl|czvljqeet|p(frlroqnm|pxdumavx)|j(htlxxxrl|gvnbxcxo)|w(wdkdcsys|hkkahxea)|h(vvvmnawf|lamiwcon)|u(yldxujfm|xlyynehk)|n(plbwoqmq|mpzynutd)|evgyuudpn|qodsvbgrb|byppfkjvs)|f(nneldnrrk|m(morjofde|wgcymsog)|gmfeucmnj|atonuiyvq|fplpieqdx|s(ubrfpein|iatjxqrn)|pfqszsaid|lhymsrytj|u(bxgpvlxo|vsfzepom)|x(pickvrmo|omyugbpd)|zleuevgmb|yklcecgbd|q(sfzyxbsf|obbyazob)|d(dpbfxyye|zcbbjrne|ndasivwu)|w(uurlpcdo|nnloiqyy)|v(abrsynvh|pcbozhch|qobrieyy)|e(oihemkyt|paxjbgec)|o(qhoibane|sibqcgmd)|jshgnmnqv|tqzjqealg|byjvlwxyd|i(hxbilrtb|dsxujhgp)|h(ufnbaish|pppubzdm))|r(w(franykvn|gsjsphdh|zaaxcvue|dzfmwxlf)|uuzxjcxid|aw(bkqqtwp|vvswury)|nmkgisfrn|k(erdavnrh|bxpbkbqj|qsnhenaf)|f(unxssttd|dnhiflfu)|s(igzljzck|oaoinued|maxgxiuh)|ycxemmmus|iihpdtjrw|m(neplkjvo|kvdnmwvz)|zaikklxqq|h(pxcxdbng|rahyqpsw|suibwrtl)|powoiytzy|t(rukidgjt|phezyuta)|rzdtvwaaa|lbmiiektm|vpbknofad|djsqyemek|btecgfirq|oonpypuai)|x(a(jptjxevs|zakigvri|kpnkefho)|fipibsbwy|x(bqzzaiff|ijglbdsw|olvbvoll)|cawcykfxa|r(vvhixdfy|gamucyvg)|lrinntfuy|tvtzqwpra|j(rdzxmpvt|yzgbvhmp|lvwmvwlk|esasgjnk|uqplnpsm)|kzdqnkych|q(kkyjboqx|wurimlow)|b(prgwqbch|tedaqesx)|vidmjhjlh|gkezcnzht|hgotwlkkd|orwdkqvpw|uzscmthkb|pwbuvxypj|iparekzsg)|q(k(xlbvyixr|cvcfsoqa)|c(ccrnceaz|yeakynxc|tuusnoxz)|iwjbujpjq|y(jltabsst|asrgvaux)|x(eccvgeka|qbcfpbkf|ngjlgsqw)|u(zltncqmu|xftymdrs|weovvums)|o(cliiyqws|tivflyrz)|p(tzqhpodi|fcmxsiky)|jpfevhxhq|m(xgqzvpys|hwhudjqs)|axdbcfwtf|htkuqfmcg|nuftqgisr|qbthnhuic|tekgyoybo|r(lwqvyslg|ywsuvlgw|bzgtgvuo)|wbjptxqpx|gbqbypfem|bfscuobrl|euptomzbt)|a(g(vvfqlngt|salfvavu)|t(trbdajjy|svofiqif)|o(dxxzqozw|mfvikkak)|w(avrvufqp|zdgoscoj)|p(v(qzvqtkd|wrsgnqa)|tjvdwjss|wgrqgrwv)|k(mcmaxqdv|ickzivau|ugzhcjvi)|xertwozqh|l(gyxpptxg|rpjautbl)|z(zvanbege|b(sttrukt|qihrjtm))|vrvmtfqvx|s(nxgdajtc|tcfropbf|vrlsdoig)|j(ethtzvnn|usevkoxk)|rlnxppqqk|npjaxeufz|aqcdpqbfr|hgmmtvxmz|midrlefbw|uhjpdjhwn|bzmakwrpw)|n(o(ojngbrga|hsfaeilm)|u(gyolffxe|zyujziky|bekymmvw)|q(wjqrrsdf|rtbyxjsy)|p(u(dwpjrng|elamonq)|gzyeotls)|x(xvvfjwrf|vaitxlme)|r(ulybtneu|xgmavwoy)|bgkxkyvlr|em(qhbqzhb|bkovhuy)|dtvrwhzrx|i(ewfsmkvw|uvlfloxa)|nyojvzpwf|jmrhmihtv|m(rnkhwbrk|vuhrbppw)|yjvqmhkso|z(tgxqhmtj|gmjqxxiu)|woifxwxoe|k(rkskuepd|gcsppzop)|h(fgnwkhop|tukictjh)|auircutps)|v(z(cvfcyrff|flnelnbi)|y(jidunhkj|yynfqeei|siywpuue|vblnzdxc|pkiwbbvh)|p(khgvkkov|c(uepkoag|lsgrrja)|fiuwsgkl)|g(ebwvmhvm|wfsbygis)|qbdbdpqbq|k(ugowrbql|icfbelqa|stiaqzyb)|s(yheoxzpy|nxgaelfa)|rubpihsie|u(vsalmenb|rkrxeclu)|vnhnjnfxa|f(ikyujbpo|dvtpfmrt|eekqtvca|sthmgqrv)|i(ahwtlbdn|fqjcgrhn)|daeiyhlto|h(chyariuw|gyjvhupk)|mcerhrupp|aryxdxlcp|okhvizdxi|woqbpquvs|cpszndgka|x(xajviiqt|chdphnde)|nigvtnpkg)|y(x(wuuiumkk|zrcbcjvy)|g(mzdqwrbx|glgscasq)|s(mlkqwesm|haelqule)|jrhaedfvo|e(maiaxiwq|tbljnngx|yhaqhzir|fixkavsy)|bfcutfigg|q(xlaksodh|cxxjbpay)|t(orztremc|eduqttmi|wtqcszwg)|o(oaulnonk|uwjhmttn)|n(ifjlobsg|oxjgvrzh)|u(mhjdufns|feifeniy)|vgifgqvhm|hdcptopaf|mtrkwtiye|z(vntbqmsh|rifnmukv)|fssokfgez|lypwihyoy)|k(l(ktaroxsn|ekdbcixb|igedtedy)|toxpialct|p(otceeedl|jogatnoz)|q(vkghfkyu|igshunns)|y(qodagdvk|olqodzel|jmglnndl)|fnihjmics|xx(sexqjvv|cpfkvlv)|h(gsymwcsh|pgqkiwzs|ylhzsyac|cyrmzlao)|b(tgjmltdf|vvklskni)|sqbrpxocp|i(imcqohvc|n(tjeyyqt|yyuemtv))|c(vebjmeke|ofvujnsv)|ktoxdagsf)|d(zpr(ptfwzo|adovoc)|iibhlejoe|g(ifuykezz|uqrpjnqk)|u(layjjqsb|yommcmsn)|f(apfuxcmb|ybvyeyrr|mxjrkbfz|qyxztebc|xxqxitma)|k(uxvffppt|gluspjxy)|dzyflialg|evvmumayx|h(etwbovci|rszkzvip|xxstwqmk)|yfsrdbnop|pbmkrqyvk|t(epwrenmi|pjkxvkkn)|v(aliirwfd|duxkiwlu|nkcwgkms)|csxhjoizu|w(acbnvjhd|tsvekviy)|qgcshoocz)|h(w(atapcweb|undrcqvy)|df(gbuapis|uofkgkr)|o(fibtqrgv|gjltdsdt)|njwoaasfi|c(kcnrkefr|xctikjhd)|y(tkfstnmo|jgzvwzyl)|qvwvulheb|j(zigwevcx|lqmwrxps|twdzzbfe|afldkdyz)|a(gnjwohrl|sjvlvwir)|bbfskuszk|zmppeumrz|rbgmjpuuc|tfbkmhply|lnymfimtx|ucooassze)|o(ogqgycqss|v(mroyhlfs|busrilsp|gqisppec)|xecbrxhkw|p(pzriiqtm|andqsrpu|temrpgqu)|suemcesmz|g(mhnswhes|ztxojxdw)|y(skbuwefc|mazkpxts)|bpktdspky|ulbmdtpqn|w(kjmzhggt|hqsfajfz|ahwbbbws)|aaindvbqn|l(fdmbonnw|gksoigwh|hwhlbjgf)|rxylanzii|e(pibyanyg|memwrjxn|bzfxyzlp)|i(rkoctbrt|krpmhksl|j(idckxla|ynnvakx))|k(zfucipyr|ogifwgly)|ddtbmqurq|z(hnbyzqha|gfacbumg)|temlhwcdv|nssvguofo)|i(b(zrcraldn|eeoogwmc)|t(wyzsmmqj|jccutcuv)|c(xgzifheh|ujejwhts)|m(pgvgvvpo|zgslvkdw)|h(tisnbqia|obsljzpy|wedsgdoj|nbwvanyk)|aevjpvtsv|gyopgvjkm|v(ravxjywq|banolgev)|x(qzjtqbml|cvsixkbv)|kpknotslp|z(tcjhsjjm|pfwnjdrn|yyjrptfu|rsumnkim)|nkqzbhfio|ioyxynakn|r(mnarvmpi|qegpfvvj)|o(mtxtyfeu|noemgnut|yvwdjomh|dofhauwj)|eoffqovta|s(dmvlsuog|guwfukki)|utavgjtsu|pqrbsxmxq|jtcowozyf|wregmfzqw|djeikqmic)|c(a(iawgtkqk|edbuvhie|gindwldu)|e(gediazly|jbqxitrk)|d(e(lguqdhx|kozfjws)|jsilrnxn)|bbkuxnksc|x(ctkfpdpc|pwhootdd)|gvolwbzjl|ngjwianfg|p(jufevqtw|rfinbbeq)|c(ptwsroit|zsximrfm|mvbnynxi)|kfgifktik|t(bbqngppo|psrtzjlm)|w(uktzwmeb|hrqyryei)|hodfvhnnb|y(axowxhrs|qpgskypu)|ugxmvhbyy|liqfstvtl)|e(nxztpypqa|w(fdzzidwp|oqcclckx)|ttejedjmy|bmioaxozp|r(ecnsiwsv|mujhvqpk|wmfrjctx)|j(dkrsxdoa|vmdhtrdh)|fcpkxctjs|cmzpnzcmc|ezppbkcha|i(sdhlyihj|ldtvgwfi|ngwerfpl)|klbariwpr|y(dhiuqvjk|odumcnju)|d(ybgihdnu|fqfdjanc)|htctdzfcl|ofnjpfpgb|xchejogqk|mxponubzv|svhtlfhxv)|g(avdggeegn|oktdvtrro|j(iewtmlnz|fvdmyruv|uywzroot)|tzczntcxk|d(fzoxmazy|xgolkuig)|mehwjfpcm|n(psucjavz|yvdjjnac)|zxnwjvvrs|kbzkhwkgm|cmsgfjrts|botvssmdp|s(semrygzo|dtxjkrbg)|vdbbysuwg|l(siacbsgz|rtefpejg)|y(sxxlgqkj|gfuebqtg))|p(uvsjpvcra|ertvoadek|x(zphqqntr|fbtbcjhz)|i(ffadgvpf|uiqxnfuk)|zqosvvhwl|v(tovnwviy|sumfmnpi)|y(zmbnhzjw|uefnfkus)|rlvgxhtnv|gmbtbkxtk|otvbbfzxk|c(gqfzvqze|peqbitej|saqkitzk)|mzznlgwls))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633108; rev:2;)
# sid 2633109 includes 218 (1201 - 1419) 10 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.info)"; content:"|0a|";content:"|04|info|00|";nocase;within: 13;pcre: "/(w(l(aapkcwqn|tcwuhtdq)|s(pqzreunk|onoyeupp)|gvbcqgshn|tiyuwlerw|cdumbglmf|xyhwtkyej|wemvnlkoc|nxqjqualp|filuiiiwo|irjcwjlll|phxhnuykz|hjbilujcb|yxusbnyta|dblhdlrwt)|r(u(tsjqijog|zegzybxv)|z(mqfoxuki|pwgfhano)|jhbylyugq|mtmmjlfiw|dpbfwoszm|thddzviic|yafmedvyh)|i(nfo(lozyuj|ecxqtp)|c(ojroxnbk|zviloade)|xclkvcevp|sbzxvusnp|gniprujmq)|m(ffspkcnbi|sdkcamuod|amxjfemty|iozpyruqt|uxqnltxoc)|z(r(wqwxpanl|mtfcorxc|nvjketea|pafiwzfh)|ngzqitudz|ayycorotk|fdgjyqvms|xikfxhduk|dnsbaajpz|hwbxlxzkz|pgkhhblbp|ydhnukzhp)|n(suwcnjohl|vmnuphryj|hxvtleaye|k(ljxoccsx|fkxzuwsr)|copbswxtl|y(cnormzcj|scjhazkg)|borxodiwd|zrsqdouxa|aqpformju|r(jwgvwyrm|theynfvh))|k(iuksypuce|z(hfizmhit|ckrjolbv|dazljpkz)|gyjnowjge|dnzuuzege|a(nqsogtbd|bbwnecew)|nhzvwmjbc|fdkxmyftr|vwzmebfhf|krwuguaup)|f(hfnuqzgtm|muqeirjhv|cqsluyykc|bniydrsvp|rirordrke|wdlroatzr|gubnonrxu|lncllvjjn|jmsednnjr|tigowesgt)|s(dxaebwunv|iaaigfcvt|vfeyduzqo|ke(poxwdet|znkoyzk)|qrgpnpvkx|g(xmjxzywm|qdnbtcmb)|tikwcxeky|bbbjwffds|udcucjral|aidgookhs)|b(usvorvwro|j(yosvcsrj|mklginpg|oiznlfwx)|zzemeehot|loaggppwt|fmcyfyono|bmyrnvcbw|vlpazjfko)|a(ikjlectjc|zklltiowg|gjrwqocas|dwmgbjrpk|qbixvmkfd|moywhohkw|xokuhaaec|uqjuorcjl)|q(nrojogilh|bvegkwrrl|mmgmcxigs|tzkdupeka|husgtuaxb|xaulkqwis)|o(cbzrywrvv|mzugxshvl|leulicrtt|addkizynk|zzvuagcqx|xwhaabyqh|svmvnkgil|dfzzirfur|ixnipdyyo)|g(n(ghyiescw|pyilytew)|ycmwboehe|hgycmfiaf|dewgmzygq|qpdmsmxpl|cutncnrfu|wblheirjs)|h(nemezclxu|rmdvmlyra|cvogsuxgg|gsbcofvmm|mresvzfbe|juysdhewq|b(rkxynote|blopaxrv)|tvjtqslue)|j(vepsoqivk|gtvjywaxb|nsjsgpozh|lhvtjrqgh|f(vcnvfbxy|qudugbgc)|alrvgxbtg)|p(tpgteqrzl|v(tosqdklf|ogbbdvzs|vezknpnc)|jilzwowfx|rfoxffdjq|gxfexwjkc|pmvezklgi|omhgbgxuy|qiswqstcm)|u(ajnpswdqt|dbafpjpfj|hgiwulcve|pgjbzirjx|exsrbqgnd|ysdzjhfef|rgssyokch)|e(xkuqlvnvx|ojpsylnbl|c(rzfrhdcf|mnhpoobn)|v(uybuexuw|vfteyrxj)|yjzbycckm|pzngikzvb)|t(zrqhtmvbc|x(nuvzuhsp|yvdlgjot|apmtotnm)|cfgooeito|aiqlgcxbx|ngeehgeyj|uhsuxefzf|wpjmwcehs)|c(cilwajwud|yxqlqetkz|n(xavpbssh|jwmrlcqi)|zujqvywch|tvozppkkt|q(fhkmfamt|apnkvgke)|kjnihlgaf|wwcplvsjp|xmqeuzqqr)|l(lnhwntzaw|gqxorvaxd)|x(dqobcnjpq|jnfwexfnr)|v(offpdglxr|gpepkmfjq|msaztlqlo|zkibeauke|cnexffgyy|szeppccum|y(rsfczdiq|oqxpdqnt)|ujhmuukfx|tvjvvcheh)|d(nhyauirda|ilkfubivk|zaveewxmi|vzvvxfwqs|ypyvvbcqs)|y(akowcxlvk|iffiduxcy))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633109; rev:2;)
# sid 2633110 includes 600 (0 - 600) 11 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: "/(p(t(tryvuhfpl|fvjkjiija|emivcooxn|ajknqazsg)|m(dhgrvvlyg|nujwxfsbk)|z(idvuvupaq|ofwkhzcwd)|pmvlylmtin|hgpoqjshhq|s(hknojcgtr|bfytqhhyd)|vmnqmkjjst|bowobppwvu|g(mtbtvlslo|oibvixmfh|rpeihscrz)|qgfhivclwp|ytawqeqdsj|kjkotnwqwa|rzghaiurjw|xrwceuarza|ugtlizpukh)|q(s(phossoosm|xcmwzhazv)|pmgrpertkh|kwkisxjrda|v(ljowetguv|fgggsqtng)|oxpvfjcrgq|etlutxrcwd|whvjlpbnlc|fsyvhqjwws|j(cqlehpbne|vgxnqiyoz)|devixfjsua|llifqcvuwn|uobffowqol|cytforlzra|b(yjoivrgbn|ifafkchet)|ylgyaznttq)|d(blzkynqmcs|w(fvgosvjyc|gliprwims)|m(esxxyxzcp|qemsrtiox|woaavmedo)|urvytbeuio|g(gghembhqw|halehliru)|k(xfnerpndr|cnrgowbjc)|d(tihdplikl|mxaiacklg)|x(toyuwxycz|yuhemgzjm)|euosfmgiyd|feafeyeout|sxacdwcaec|q(wwtaywbhi|s(luvdllmx|wmgdwufh))|czxevayogn|trvexllthc|ylevjvasjl|psrznyryeu)|c(gpkjczbbzn|vovwpdhthw|fhrnshmczp|wbdnciqspp|hztpzteuam|j(pnjyiixlb|icfmbbiww|fylzoygas|heetmyqsx)|yyqoxqdsly|n(wykpwehjz|qfnqnynou)|zfxjnkgqbq|x(yokwjqzpv|mgjvekaeh)|cwdrmkrtcz|m(aribjamsg|vvqgfmbwh)|rmxturybhi)|o(x(twfxeeagm|wmiheknda)|g(rjsehpsec|zhplqcews|jmgpuftrx)|i(ncnqfnwgq|xtgyuercx)|lrutghdiaw|e(cqgqajxwg|qjryrotpl)|n(a(fneqnjik|pcsjyfqo)|epstzqzhl)|tshbcezbfw|bidhyeckde|rgggmrwcxz|zlnrmbweko|friobdpmwt|medtrumhux|vrxeqcjhal|puifiqlgaj|uugxhrjucn)|i(xalphnnvvp|k(tgoyciqyu|vbajbckss|nzfogvdaw)|zihlcwhjyt|j(kufzwelyb|ttplhlska|uriwpgufi)|mqoacxakkg|q(qxiymvtea|blwmxisys)|idqkqevxrs|h(dkdofigoq|jtmykysec)|wkqgeqrrzn|dfagudwixt|akverfupeb|ubafypfiet|bhjxrowauk|npweomgnxu)|v(ftvslhbknc|n(pfzcnhptv|vwemcjnme|fofosikdn|tgiwixxaz)|wrooxouznd|q(znjeponto|gzmgytznk)|dn(epfpwgek|wuheasda)|k(wdmbknxro|edhqwykzn|sihrxntut)|zxywwywyqj|gvnkmrgobm|o(bwxbshdpm|djnarnbse|uzxzthmac)|c(qcbvyivgy|zlzozxfot)|y(xgiumomvv|plikblxxc)|a(owycgitzk|qmfstrkkb)|vzcakxxint|ernayxicdx|l(ypmcfvyoj|baqfjzlfq)|jlgzxjsqmy|honnitumet|b(hdyjjpney|fkzqkejgb)|uraosyhqnk|s(ninnuuaac|gsbaivbsz)|rrwkskscbo)|u(goeqxaridr|y(furhlobao|degmklsui)|pczlmpvrkb|u(rcnwltksv|ndcpotyfw)|fgzljdbluy|qyvkaeobjb|stjjtqpqql|m(tqartswhc|yjzemyzoj)|dbljdxnmlz|ckgfftrwjj|z(nqdyrfxig|mquufojds)|x(rmhfgorzv|lojbuaxmy)|w(xwcplagxg|qqdgighxl)|o(vgjjwboue|mlpglvrru)|eefrnefotg|r(ldvpxhfal|ksolrnpen)|aneenztbom)|a(kyaxaclccy|jpyaezgjzl|f(cabkdwaza|buwnaivwq)|bwzlesmroe|c(quhlxesia|jpbkqtped|otaufmdis)|a(seluhipsd|dtfhsmoqk)|w(fvqrxbjmq|jplenvyvy)|iggtdxpxbk|o(iqzxltovf|kxgpjfbig)|v(cdsgokgau|tovjdqjba)|y(uufmoyhqo|wsxsnmobs)|rlzzjfacbn|h(mluldaxhd|kgiudelgk)|g(pdaqduxvz|aghilxmoe)|eaeazxqler|uwylfabkvh|dufvkiilav|lyrsvyywiy|pqciksvaah|zviteemmud)|z(y(mitaewcab|qstfzhvli|iohipakcn)|h(hdsjapjcq|ffquphntm|uaeykxylr)|gzexkknwze|j(xpwpgxkfq|shstqqkry|jxdtnujmh)|zexwjrozjz|n(dyxqmjcdv|ptintlhfo)|maxsmptqnb|eteatiufda|bnzhycivlr|p(kltchysba|q(hyrdgzvj|gcjkaiid))|irfkffthzc|lqotsmqaun|v(wilmbmxka|gxcjuucth)|uzuyrqpmxr|obvhhbrkar|cvukpodaqf)|r(oehdzdxvux|u(ldhmqxjcx|qxcyfklgq)|l(lfiuwtoqa|gaywlskcw)|db(bjdrptvd|cwsxashy)|eptfsnplpr|gdcynmhntg|ihpkmfzydg|vbslbhdvrf|blhfiqnsos|j(cpxecexej|bgdzkdaxa)|csctltgsra|ncmbpeafbp|tmejdcjmed)|s(wsprrgsatl|g(qsbheruog|ynnewkpeo)|i(tlpzoyqos|nrbycuuuy)|jreipgoejq|v(icrsylswu|nfsnanhrq)|p(gksmjbwnw|oweqtdhsi|cntlleqzd)|x(aztaibjmo|chtyubjmg)|kzveddlrem|nsjdzqyiij|tdvfnxhmka|s(kacaackhi|majedrwlz|wjnektcre)|ffdsreicnr|c(uyqbjzoio|rmohnhpjn|nryirucon)|lxilkjrkbb|qpahdpebmy|e(vxfplqfbt|njnupfkbb)|bakzupwmng)|n(g(pvathkrar|nnxyvdjri|rxweoguth)|hpyzizdzxd|dyyanzyzog|vfivgronkd|aspaggmfhk|njreprjxhw|e(cpzcjdbiy|t(mnsdukkp|vfmhqqyi)|wikozvcga)|k(famndbmmh|dggogqklz)|j(ngjjyplpl|ulanquouy|qazawkeon)|c(xghyjjkxs|jijkwovxk|towkcotkq)|fgjxdvpfqz|ldsyawwzxq|uospyqfxfe|qbwoextshp|yfujnycvjg|osrdtqrvfc|i(dlnyceyrl|llidjmpsv)|shhulpppxu|wioosszsyu|mltkkwjqbv|tupqpojiwc)|h(wxhqfondsy|dlvcmbayjm|v(jcgfnxipk|sawneollm|tajfzppzm)|abmpqnakfs|c(tjpyqzohs|ejttdqfgh)|m(bquyxwlqp|kgxkznkth)|ymrjtooboh|phbitwcjla|igfaasemul|urwccxephj|bbqovcneas|k(bcmurzaol|fnmaleqgx|itaqrvuqt)|sqpiumctyo|jasfwdilyq|qtsdgcgzab|r(afxuryjly|hkgnxngst)|euevhejwsf)|y(e(lnctioevs|cpyoxduds)|xtsvotjlpk|q(rnjvmlnlq|cwxablaqe)|u(fqprkpnsf|husaibchf|bogwnazqb|crmicnoxl)|n(rieelrgrx|tfgywwtwq)|f(gqozvpbwn|tgkxmkbdj)|jbiiwgntfb|yfrotyjeac|lqezcgzyiw|zmtqxrwzbb|tmaevsltxe|rdzehujrsg|cobgrjghnl)|w(nvfejngpbd|t(ecnxkekqf|fxtgmklct)|srplllbzbv|l(uhxldwarr|dclrtoebr)|wqefawpliw|d(prforcjwd|vnxjdcrpb)|xegyvicidd|ghuzwtgtio|rsoxapkwds|a(blbhuprtx|lxvmyfgru|fpwhkxcgr)|vaggkgjkgn|ipgfxrivoj|p(gtrvpydnx|mkzjweyji)|eucubiqfrg|bxdftlmmod|quzekrfebm|cylptitsml)|b(fmlzhwhhwl|k(isvyryjgs|mmuftupcw|xpmazqmbp)|q(vnsofpuoe|jxjrdjddj)|z(niatskfsd|kmklrxgki)|cyiftklqso|pmbbncfeef|r(spwmusqtq|ymzbopocm|tinvzhgzy)|enkklbiwjq|lqwszcbwvv|gowzvlvqej|ocemavckqb|aojmplcspb|hqlkelsoyq|vxhewtwcbr|wtqxqtnigq|d(ztngcczla|fxcusnrwz)|bmqoovpzzv)|g(k(exmglohhu|rmlnamdda)|m(iwdoelzvc|osyzfophu)|w(xbdpfrtre|ucoynichs)|ofbnaxhyap|xmsbfnbobf|d(bvqwwvhdu|psogumtwh)|qcexsctyxh|s(punjrmugy|slvmzojpu)|bwnjtmcoop|rtszhufumb|a(setdlbcgy|htqotdeqo)|zdxhbxgunz|gmsbelkmkx|ncqhtfwebs)|j(p(rlsobzkjv|ejodvundv)|o(ahwvelauq|vcnpgqddp|qrijrlgiq)|k(qmysmrwfi|vjgpevrvg|npirftjvq)|efoyvleelh|d(fvodlgwdm|zhpydjsss|rxunqqopo)|i(hjohensha|jedmzprtw|tbqwpgkdr)|nquhpazszc|xonwaxbvqo|t(yyydkiixt|uidccefeo|rejdmhjzw)|l(ezkwvhqgb|g(znyfooqk|hptyjovt))|m(tsxyxjhsn|svmtqamdy)|f(ykfrxlcyf|nxaeyftaj)|cgrajolrwu|rbxeuhquxa|jnbonpddws)|l(n(eeurrsljr|juhszrqbk|mkdfmsexs|qmugzmaoi)|l(ohbqfvjpb|scgowonxo)|didrmrtajg|ioqflvsfjk|uqxozhwqgd|r(yxtyriuhh|vfdnlmgtc)|a(rrpegmvjr|mfbwyelhn)|zgfllxlryn|xfzfqrjncc|szrqhpmnnt|oewtljhurw|qhxfbwqavx)|f(v(faqdwfkck|abohzyilh)|b(crvrlohie|jibogbbie|quvqhcpjp|riquoajzd|dezvsybla)|l(onhlfwwre|weuufwiqn)|f(wpiftkvbq|bvpuycimu)|cefroodahp|g(qstnrbjuk|rsxmbaopp)|pzygvnoumw|damtsxqjwb|xmvlypxydn|kkvhrogmpr|ml(dmklatgo|xpalkvoo)|nohebsguvq|q(wcvdvjyht|cvfgylaei)|imekqvybnq)|t(o(z(cetxsesd|axutsdzc)|orfvhozwp)|uhtxdoajob|ksleeuatrt|ernejxaejt|a(udlquphof|oqwinszny|cpgzyrufs)|b(xcfvmcary|yxipekeue)|n(yehhguabu|ueheokuqg)|ytxnwxclld|l(fyvvvaimp|knwgjshvg)|whtdotayak|pzdliqzmdz|tghoqrurws|ibnxnsdcfw|jkztwwxjia)|e(chvqmtclyd|hdtkqqobrs|so(kdqkjpws|gcmusyec)|xxnezamfwj|deosoifufq|gbirptoqai|l(znletviho|itgbmbtte)|r(lcjgrrcca|rndinjjgb)|mtuotrijvp|f(ipkgddtza|fhgyxvond)|yvxbcslrub|ahkxzmgxte|kznwdaurqx|jofcfddzmu)|x(vsbgfkoxmt|qrivxkwont|tjowgrocre|yuukvhbuuj|mzgblogtgh|wvmedjrjiz|xijwgsvdgu|z(hhdkfzilq|cvpzaabtr)|uoafolpqty|jjrzthnnte|ov(caaatabj|myobergh)|ffwdgjuyyr|bpbfjnnqqo|kecbmxspjf)|m(vnktupgjol|r(ggemyvvam|femtacfql)|u(dqmgeifqk|grklojbdd|ytngcimmz)|n(puoijqskq|ezbxdwdnk)|i(khlmxkedw|vsojpveoq|iclmavbiz)|zuzjxiuarp|xmqjzhyqdw|e(prpubmuld|mftllhxfo)|owrvquelga|kddasznchx|dqdnurkyyy|apwvuhxith|ywyxmmlugs|gfnmhzkoho)|k(tpgqyorcxw|l(mdgwbeezt|vjhlqdjnt)|aswgnzpsfj|m(lwkegalbi|hosozrrig|dlqvpgpbz)|rkyolxxori|h(jbamrldyc|mdfrboeax)|qmfzwsbcgm|yplctfpalm|fnfdxyguhs|bvonlzbsyb|uublktirye|oswfikhsoj|s(foymkcexl|bsloxpimu)|nfjhsstibw))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633110; rev:2;)
# sid 2633111 includes 731 (601 - 1200) 11 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: "/(e(y(vxbcslrub|nkavrunke)|a(hkxzmgxte|gftneiocr)|sogcmusyec|kznwdaurqx|jofcfddzmu|qksvewyrbf|i(kbamjvtby|xfgxkuupg)|g(mdooepikb|aafjbcdkv)|podgqcrmpt|tj(qfljhebd|xjcjemzl)|btjondleqw|h(yicrxerkx|rvbinvwmh)|xswnmjguox|dhcdexthxy|miowjqcoue|egesraqajb|lienfzzwgz|ch(egrhmlxm|jcuyyoxg)|zrrdpunvxg|uicyuebahm)|s(e(vxfplqfbt|njnupfkbb)|i(nrbycuuuy|vcplbnhre)|c(nryirucon|fcjiwzzcb|ehaflimae)|v(nfsnanhrq|keztpkdrf)|p(cntlleqzd|vshbdjnkm|ucqqthyia|sjhcjwful)|b(akzupwmng|wkrdefbxb)|s(m(ajedrwlz|fcaqxjux)|wj(nektcre|esjftaz)|yysilqyia|jneduniye)|d(dqcvwejja|bbcsouhsr)|z(nffbgybwn|wfilusnsk|lyxafoqvw|edbxnyckv)|k(werbzzrhv|zvepwjjth)|t(eipfivmsy|ctwbkskru)|gvbxyictci|f(phnvkrnox|aqgvlwavr)|jlsxsdoxcg|hsalbnlbeu|amgjhylbvv|w(dyhkqbohy|jvfqmljsn)|nmlnvxkmrq|qnylclutsq)|w(tfxtgmklct|e(ucubiqfrg|g(jtkhkmbe|qzwoksjc))|bxdftlmmod|quzekrfebm|c(ylptitsml|cmywltbsm)|a(fpwhkxcgr|bersqjbqm|a(uphavmkd|estmonve))|pmkzjweyji|rnrssnrwyg|i(hluwnjfoc|ctbhpvyjt)|y(hqevwpxgw|dgqhfvybs)|vuukttmnnk|lshfbhzvbk|o(ibfbltcao|swjyipsdx)|m(iqojwrjdz|qjnzmteak)|hhjumzfgap|kcwqiwfkes|ughtvyqaof)|c(r(mxturybhi|npxkrluuf|rrmomocxo)|i(ciylpcxlh|yeaxaaqcf)|qkzadvpbnf|ymkiquacje|jnhrjesthj|z(omvxtqrmw|ggjpwqbhr)|h(pafavmmnp|dqvunhxpd)|u(hdrbddkfn|sdblrmgrx|tiaettxgb)|dqtsfvppyr|awbntwvnin|truyrhqjun|e(ermjbpgkp|imtbroilf)|s(iytuwggmd|rbqxlxajj)|njnbuvvsre|liaqhtovaw|vlaizlrara|mrgjmrseyy|frlohfdani|grwnjgubeg|ojatzstqto|kvemntbnqa)|g(krmlnamdda|dpsogumtwh|w(ucoynichs|oypupwolv|ionmbmnbq)|g(msbelkmkx|wiwysdaxs|xbnqqabnn|ycgvibeef)|ncqhtfwebs|sslvmzojpu|f(gfsyqfbsc|flohsijaa)|r(rvockqnmb|tysdkcall)|ecbamzqbjf|iopnheodre|bmojsizmdb|tfrddadcqa|zbqtjdypmo|pooqvjzsuh|hivrbtdfvt|unnngxcbqu|xdqfgmnzpn|jzducxfbjt|mcqwiofond)|j(r(bxeuhquxa|pnqawrvpd)|d(r(xunqqopo|bmpnnuda)|pavxqijcv|aiwpvdclu)|oqrijrlgiq|p(ejodvundv|hnkymskid|lcwkalawv)|jnbonpddws|t(rejdmhjzw|svvfkbbqy|aqfvyqtvr)|m(wxtcbbxgh|egirfapzk)|vcncvfqxeb|u(ljakcpdju|ptbqudjet)|scajwrtgae|butqfviywm|hjqjocuufo|wcipeqevdo|lovoypgyqa|n(wfjvssokb|vrpsqglht)|qgwfrsiifg|znjpioqwcf|iqtlokvzuu|c(pebtbcbav|etpvuqefs)|fxztdapdak|arwoaciabz)|r(d(bcwsxashy|ddxpehdoz|vawqzqijj)|n(cmbpeafbp|relqbxzuk)|t(mejdcjmed|flhehcnwl)|j(rtdmedlns|liwefhnlu)|e(agasdzglt|gydktehlm|evpsclygp)|a(bzxjvykzy|ivuhrksjd)|iwpqytkaxx|czrfkfaspw|yryhdwiyob|p(hdsmrsnir|ietpkttly)|wktyumwezp|hbvsajqair|mndhqmcmbs|rxivxgilrf|fumpclzrxp|u(eezgzxpsn|fwivmuehq)|kvmpbxeqbo|ofcdomhban|xqgptkeysw)|o(f(riobdpmwt|bhgedrhlk|phqzyfego)|m(edtrumhux|pjxfgfqgu)|xwmiheknda|vrxeqcjhal|n(apcsjyfqo|iovrfbsrr)|p(uifiqlgaj|mvzvnazgt|oiruzurjz)|uugxhrjucn|rpwblbsekv|k(mvrzxpmcx|gipstntzm|wlwiivvsx|kdsvolpkq)|obkxlpnacu|eeyovwoepq|zacamewpaz|hncmoslqpx|tjpqntdwuq|d(roramzprf|ancepdqmd)|i(zqwyokdhd|vuvphomys|mwlsoguzk)|w(uiwvbxeyp|oprttstvm))|t(nueheokuqg|o(zaxutsdzc|cqfuvjoym)|l(k(nwgjshvg|amlgyjpy)|ruaowpnyv)|j(uecxwydfx|oyoqzqapq|wzznowwui)|e(mhbiknhrf|nhnmflaqx)|u(osfngbulg|wlxtbumee)|y(pwuqhaqol|ixijldtoa)|x(mslbbzpyd|kkujhzntw)|zvtjqlctdg|sixexvzoro|qtnrxkweyx|reltnkhpee|kfeyprfepj|fgqdogurse|bnwgzsulrl|tkkapsekpx|gkkirpbxjh|wobniplaxx|aofcnabwcp)|d(ghalehliru|q(swmgdwufh|xfgimcrbg)|mwoaavmedo|dmxaiacklg|ylevjvasjl|psrznyryeu|ihtfffeewv|hvqgrugxnv|onsqcuzxee|cfaabezjmd|ttsmlmrrhy|jtototycdx|bsmcqbcjtc|aqmazcfcqw|whtevxswst|uijsfrrhzl|xuwhpzekfn|s(fkheacauo|yuopccibp))|h(q(tsdgcgzab|jcqllpcji|krlmkddvq)|r(afxuryjly|hkgnxngst|sbeehvaux)|euevhejwsf|k(itaqrvuqt|ercxnlgrl)|b(rjhlfmicw|zryowngqp)|s(irhaeaxtr|pjgrygbjd|arwboewjs)|n(boxaxoush|gmpsshjja|evzffjaic)|ipuvpcsngt|piiqekmdrl|c(nkpwijvkr|rcxjrqxdd|ahmhzfpqh)|ycrejfwpxz|frnaeqcrbr|orphyegmwg|jlmnilayvj|tycivghhgb|aanbutwuar|hnytkzjkck|lwmbjaqtee|ussczqcslw)|n(w(ioosszsyu|fsdkvbgyg)|e(t(vfmhqqyi|dgiaptmj)|ywordsjab)|m(ltkkwjqbv|kepifteqg)|grxweoguth|jqazawkeon|t(upqpojiwc|jxesyrhsy|rieugsqmu)|c(towkcotkq|oowydqaqe|ndhzumtfp)|s(fvxhesbqb|urvksrtfp)|h(nsacnnwdw|arjwkkpvu|dwchcromd|teuyuoogk)|nyhurdkzmx|a(lnowiwvmn|sprbydngk|vjaihqslj)|lcamdrnyic|f(bzvmdpgaz|kpcjkblbh)|y(lagfffawc|nkhhgnfbn)|rgvqhrhlbo|uovhzlfxsd|khuqmjswfd|bvehbntjxm|zbvhhvybts)|p(k(jkotnwqwa|gcsyiculg)|r(zghaiurjw|mvfogivhr)|xr(wceuarza|ufhgqcpj)|ugtlizpukh|tajknqazsg|g(oibvixmfh|rpeihscrz)|s(bfytqhhyd|ykbrjgpeo)|z(deawwmnil|mpzacleab)|a(rmbclvske|kifwroxlg)|v(hjjgptslh|vqdodpaja|qewszgukj)|ynzrtythjw|q(dgoollthi|hpvnrvrnh)|w(ockkbzufb|dvibrhsef)|ovcsvezgvn|j(pzyaibcmu|yjjhfffeg)|fgwnyjrbuq|pmmsmgcsbr|dleoktbqju)|k(o(swfikhsoj|krebulfac)|m(dlqvpgpbz|omutzuvjy)|s(foymkcexl|bsloxpimu)|n(fjhsstibw|bfliekheh)|l(vjhlqdjnt|wippuwyww|faeqxqhvq)|b(uhzxgnapq|glqhndzbm|tfofbhtxp)|r(gwdownmgq|jzfswyvtl|ezaznsida)|u(gfdfbmovu|hgqakrcli|puaqtqmpo)|exlabitxnd|p(dipfhwuwa|rfpemitwd)|ytdsxzvufu|iojxtduwkx|j(cnsautsso|yjnbcxwjj)|hkxbemgffc|ffqiyleidb|zgavsjpyhd|tflmderxat|xxnersqsgn|vhowuxsrgv)|x(ffwdgjuyyr|b(pbfjnnqqo|gejjfmxud)|kecbmxspjf|o(vmyobergh|ivcgrryoj)|lothwcyhcn|j(mqjoriflk|jnzamcsso)|tsezznhtzz|r(dgkxnprqt|kigxavves)|djrsadjlvm|giwdsgcpyl|vpzukmgskx|wptpkqbolj|ydxjxvccap|ziykbwrwhs|hf(bxqvlhcz|esmybwna)|sqquxxkeiz|ijxfdeymoa)|b(d(ztngcczla|fxcusnrwz|yhxyqryrb)|rtinvzhgzy|z(kmklrxgki|ahmfoacaj)|b(mqoovpzzv|xqplnjhxa|etzyvzexa)|x(qsuddnqmk|wtfiaxrbo|sqfydhwya)|yemyblughh|heotsohvrn|i(rrecbmkda|hdoddqqyv|zxjhxbitm)|l(cmzwmupnp|en(auuhvqg|qfhwrqz)|fcjvoshgy)|g(lezunqqab|tfjuxtsub)|j(wtcybyspo|yfgkmligt)|ntvmyogoco|fuecvsmtut|aiwuiukyef)|f(nohebsguvq|q(wcvdvjyht|cvfgylaei|tqtesjczt)|b(dezvsybla|qyrjruwqh)|imekqvybnq|mj(seeaebra|kubykzog)|x(kcqknjbnb|thosbyriy)|g(blfmurwwz|jhindlccx)|zibdsbjkal|f(onhgnfftr|ezvfakoho)|a(lxhfcdths|qirsexids)|ysmohrffxz|prwsonuoog|oqzbhursmf|whscawhcvn|h(tqqhumcfa|pvdthullf)|lirbjlqate|vivdspzstm|sqtbfnkznm|rdbxtzqbyt)|z(p(q(hyrdgzvj|gcjkaiid)|lvwmajnuq)|obvhhbrkar|cvukpodaqf|h(uaeykxylr|jyjoofqlq)|y(iohipakcn|rdvwefyvh)|kqsikfxqwk|g(gltknyouj|uorhzygkw)|dtksfxchao|zdgdovrgds|ftkllwletn|xbxzqntcsw|tlwmkfvkjf|sonstovgzr|n(wfqaojhlf|deutcbokw)|u(mssmgxsdk|hwtztzshp)|ixqgasncce|mnpgmgmfmh)|y(tmaevsltxe|r(dzehujrsg|ibzqyrotj)|cobgrjghnl|u(crmicnoxl|hzjxjxfxa|txjhniefn)|yhwhmwbigz|f(nxhmbgvmy|r(nnxnprco|dkfgkrqo)|pisriuarw)|juroawfvvf|z(ljvznnbok|taauforxq)|prnvzlgesu|wgyvzmpgza|a(eoqybzehv|dwdzvbzvm|brwtnklez)|ntbztpgibv|dxxpnbreti|szatzhhfgv|k(buczvceqg|qymajkdrd)|oeitgxibcj|vrfejncmtq|lyhrkjcvtt|g(zlqgnrkob|khkiduene)|mygqdcexjg)|u(zmquufojds|r(ksolrnpen|lgaurdxdu)|y(degmklsui|xqmkweljz)|aneenztbom|o(fcfirbugs|wkfyafhmr)|e(azukjemwd|jdtqeqdlv)|v(gyexrvpfp|bmtogtqay|nymuqnvmf)|t(bakuniraf|lojstinfb)|bdhhfrlijv|uxbtwxznzy|q(brrsxisir|awfqychya|paeseqixp)|drzstrhydr|lmqholvvyp|fkmnxnmjmp|xgmzihhwkz|syqqkzgagx|jhobyvuvnr|hlpodylmpx|nkyrcwsoqr)|q(vfgggsqtng|s(xcmwzhazv|plfsgzxom)|y(lgyaznttq|jtpzrsnnq)|b(ifafkchet|jeznsdcwf)|o(njkbjhnqw|sbbjvoolo|liqshampv)|httgwjumgy|uhvhkimasb|g(axrgtwxby|nupeckdjq|stlnhumuq)|d(de(peefsct|iqylerk)|rgdgqddwg)|r(egabdxjwr|lbpsrtvlx)|k(qdpfbcbep|itegqlejn)|jwtxmivbpg|cxfwofuoxh|lnibygoxtt|inenxowbfq|tttusvgeik)|v(uraosyhqnk|k(sihrxntut|plxfsumcq|zqqachmno)|ouzxzthmac|c(zlzozxfot|senoyzutg)|s(ninnuuaac|gsbaivbsz|wfdzdmkfu)|y(plikblxxc|xabnfqjck)|r(rwkskscbo|nvykcqjfj)|a(bqcndatas|njnjrqmcu|folmsujao)|w(wqlgpnyna|dyipihcpl|qdigkbmwr)|dvhhsbzmsf|iaentnyddv|p(ubyuvrzna|fpjupyimx)|n(giyntrwwg|hbsxphqlc|pppfhmqag)|llwwamfjbx|f(ridwjmysw|odndqpqgi)|hhrqeoasak|x(esoxzetsh|vlpclpmux)|qjxnfzgwpf|gtwiwtdlil)|m(g(fnmhzkoho|nslenjfpf)|nezbxdwdnk|iiclmavbiz|e(ytojuhepb|qyxiumuku)|b(vpnivpipb|rrtweseyk)|qofgnjdjem|fqqrdrcdve|h(yxotowlvo|pdlmpivsz)|mtnjxxwxpc|cqgnxhgirz|wudvmltlrf|letozzcpnh|xzpvkedckg|zlstajrwgj)|l(rvfdnlmgtc|q(hxfbwqavx|twxlkfddt|ekufagfrh|xbjblzqkz)|l(scgowonxo|bzhowpqfu)|n(qmugzmaoi|clrcucang)|i(mvegfjtlq|bjmsyeeot)|xcnsnsntdt|g(hofwmtegv|pcijgdtqy|tyckgytay)|dp(lvlhqsqu|qeshtzlh)|jayrgfjgnm|fuqtzenuoo|bfpaelsczj|cvgsfbtvlg|yosgrojluf|agznrdrptp|zukpeyasmm|kcmwmripdn|h(pzkldbhut|rgbwohfnj))|a(p(qciksvaah|jbyaxzzit)|gaghilxmoe|z(viteemmud|kzhcuqtib)|c(otaufmdis|hnvakukla|mjzpyhewn|gmebtwmmp)|u(kgccslgkg|awcxqggxm)|a(mjvryvzcw|jilgqacgt)|l(mqztklnqa|hjhpbfota)|fmiuqufufb|iptvjuowqt|kkbnmghmgp|vtyolsfaqc|okpcrxaqmh|j(qmjgmfrce|sokebqxqx)|dmuylaptqo)|i(juriwpgufi|bymyytsrvi|s(rbtqhaldt|lkigkuzbt)|q(rjrpbhfsm|xknytknxo)|a(ilzcptooh|vajzthoki|ggjyophrn)|hhrchqvqyk|d(xbykxcjeg|ccjubarqe)|l(wdrpuktyx|awasdrqpx)|ensizflxcs|wvwbvjwuxf|cwfalqdycy|vnxkthokeo|ujzzaktaqp|yhtqcuucem))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633111; rev:2;)
# sid 2633112 includes 131 (1201 - 1332) 11 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.info)"; content:"|0b|";content:"|04|info|00|";nocase;within: 14;pcre: "/(c(m(fhllmdcdi|lswdymptu)|pvurxolxlt|w(ocfzrsbtq|caoaeqeik)|fldbbxmdem|egnfmcqkls)|l(bjxbwwlidk|gfdktbxkem|sjhlsayjgr|yxtpfipejb|lnuvdvcgfc|qkdufnrumm|uahpqcjjal)|i(usnyeauplr|egwegkwvxw|qzeexnzvhn|apxlonsbvv|yiwdxxrvpz|bfriethwlc|vznfzjcjhm|ioxmjsebwr)|n(tihzggfiak|vwvpwjunor|icehfoohjc|hhdpjjpgmj|oxfwijyeht|rucvzxgtnc|awbbxazppe|ctzcxkhtbx|jlskgoysil|exvkclgtot|xybzpknkpm)|b(lfdvnopxkx|c(yqicvzkcg|bnrovsclg)|xczgpfweqa)|s(qhcdwavxyq|tvlycaiqrf|jlzkegvzsr|xgjloenyze|anmpiugnek|dtddklomxn|vqiuzvugmu|iztoubkccj)|f(caoluqxmfa|ktvhmtypjr|nbhlsfhsyr|m(pogyzkxnr|lgmuzkixc)|ij(bgnrdmcq|plzyakmi)|jefiihrvyd)|r(dtwpnjrarl|vtacnkpsyu|lnzbhutbhr|kfuiwapawx|uxxdqozgue|zwztngwpzd)|z(rlrnpvfamt|funwuqxjqj|xrzlaumdff|scixmrbiwf|midpzejlal|ajtpikhpcf|umuhocvfjw)|p(eznrodzxmp|hqudqstnhy|bkvdojfxjx|ldwnsvznyq)|j(uetfpklfwh|hrrdjadexm|khuzdfnvsu|wgchmecnck|tqqushvebh|bmhbgdxevd)|y(a(mldknzlls|oejrpiwve)|ifkddtdyow|mjhdsxdmde)|e(lgxatxgcfv|tzkpubpoko)|q(vmwjdlekcr|ledxtjvqki|ctlbhaoyxb|p(uhckwwaes|ansysonvv)|gsdjgwwohp|jcchyfrdme|zlraogkaas|wnqgjioesm)|h(vfzgrxeiqc|rchqcgliap|tggmsuwssr|mcbbynhkju)|k(ihbovexfsp|divbnzjbkk|ggmpoqidnp|wbgveopiop)|d(oixbfgugol|zxoekyiasp|mfxrrwhmxh|eonzxanvbi)|a(whianpdjlx|eisaosezhi)|t(ruyikfgtrc|o(vqfhkbxvj|qdupaqtlh)|hhqfgicznd|xtawpbpgku)|m(bywvtbdcut|xyzmfeagjm|lgchmvrekm|nhbpxtomfj|jtqwkoxwvz)|w(qzkbwhvter|l(zesxvzcrx|dnryqcnne)|uuyrbvyvac)|v(eywwsrhhoe|ptjaqsyqyo|wpzntodvtr)|u(axtmfbknfm|fcevbvmhyt|opbyklpdup|gzyuqslmhu)|xtjpziiqykg|ggwarmmkmyc|o(daqjcqebom|omavujmvqo|wgsgxmlgdb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633112; rev:2;)
# sid 2633113 includes 5 (0 - 5) 12 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.info)"; content:"|0c|";content:"|04|info|00|";nocase;within: 15;pcre: "/(info(q(etepmzg|vdbwhdx)|hzocsutk)|net(jziblezwl|tysbrzdbo))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633113; rev:2;)
# sid 2633114 includes 6 (0 - 6) 13 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.info)"; content:"|0d|";content:"|04|info|00|";nocase;within: 16;pcre: "/(netqixujawswp|c(n(fmcdtrfgfxk|ljxaquugdgh)|cponujnkpgfq)|bizsopgkstzfd|orgrqaesmaqas)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633114; rev:2;)
# sid 2633115 includes 7 (0 - 7) 14 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.info)"; content:"|0e|";content:"|04|info|00|";nocase;within: 17;pcre: "/(bizicqclnndgcu|netv(kzmgljsbgx|ykvvknovbh)|orgtvxwoajfwad|comrmzxukvkkdu|info(kdrbgmtwuv|geulpssskk))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633115; rev:2;)
# sid 2633116 includes 2 (0 - 2) 15 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 15 chars (.info)"; content:"|0f|";content:"|04|info|00|";nocase;within: 18;pcre: "/info(gybvrmmyfwu|ahnvsljajhj)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633116; rev:2;)
# sid 2633117 includes 600 (0 - 600) 5 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: "/(z(s(exq|tdk)|w(vih|axx|pse|qcq)|hedy|fseg|t(ihe|mje)|o(gfp|ffw)|xgfj|i(pah|cbl|y(pp|wq))|n(oif|kwj)|r(csn|ysc|tlh)|cmsx|kzgs|pezf|a(lua|fxl)|eyqu|m(wai|fan)|gomq)|f(l(wks|fyt)|w(quo|esn|dnd)|jjnd|gkdp|t(ocf|ktr|vmq|qce)|n(esn|dsw)|iggq|z(kfm|cyl)|oxlf|rfgh|eyyf|fffy|b(rpp|vwq)|ywdx|vfhy|qfrf|kvsw|ukjr|samh|cfhj)|t(ipfu|s(lyj|uge)|oypa|ydzj|b(vef|qqd)|h(qrj|ndx)|uskr|cjmr|p(kne|jty)|gozr|xtbv|j(vnd|umd)|edmy|nuke|qqfw)|d(i(cio|h(ab|vk)|uuy|xyw)|wfdw|e(oui|zcs)|m(ira|ejl)|aoss|lsjk|x(rhr|olm)|qrpp|ktva|njjn|vhyh|y(khx|upf|mzh)|orux|fdnj)|s(w(por|yao|myg|aov)|qxdw|xczg|m(hyd|tll)|a(m(lk|bv)|ilj)|iytp|l(iqa|toa)|c(xal|gwh)|u(ign|jup)|e(dgo|hkj)|g(jme|arf)|rzzy|valx|z(nar|gfd)|n(mhw|zwv)|kfcg|tyjk|p(clc|ddl)|b(piz|tjn)|y(kmt|lzc))|v(v(ogv|vbk|yri)|n(wfa|lrd)|x(psy|czf)|sdxc|k(gtx|uvt)|w(kdj|mzj|fti)|g(ytw|ppo)|c(get|ojq|cgj|qro)|mobl|ppvm|qfrz|odxe|ltzb|dcnp)|m(z(zzk|wgv)|rcxl|hsis|d(ftm|xsk)|bgca|gwil|nkry|oobn|sqmo|yzdw|fufj|elmu|kndf|pwds|upml|amvs)|k(o(pmy|bsx)|j(p(iz|or)|fgi)|mj(pa|lz)|xifj|yqeh|qntp|c(gvi|kwq)|r(zdx|gcw)|gsbo|llpg|ipkr|bcxr|fzty|hzac|picu|atij|upgc|zbsl)|x(b(blb|pak|kzx)|rqzg|xgpn|wprv|y(d(hm|bl)|hgh)|q(rdj|och)|s(nnh|mzi)|e(rpr|uni)|kkry|jtjs|hecv|lxpu|pyhq|zbmk)|b(t(ztj|hms)|ctre|xvmb|z(zjf|pvt)|dyzj|ehkw|ouhr|nhxn|k(fum|rkd)|hpmk|w(cxq|ddw|seg)|q(ocb|nqf)|pagd|simv|ubma|llqo|mmjx)|w(ayyx|l(qpa|uyh)|d(yss|hgr)|x(tuc|ccu)|t(r(zc|ot)|pbz|vrg)|u(iuw|lrg)|wiih|yama|zyrh|fctx|j(wpo|swx)|rxks|b(ezz|lcx)|qdzq|kasy|pjlt|mncx)|r(eltw|obgl|ppnb|kzdx|loyv|v(max|uey)|w(gdz|ekt|qch)|htuk|faki|gzqp|xhmp|zdxr|surw|mnjr|dxxv)|l(p(iby|oqk|kmh)|z(bph|zyb)|tptp|ibau|v(hkg|vgg)|agrm|gpvw|udqo|k(jcm|icl|nfi)|n(mtg|lzr|dcp)|r(rpm|mfv)|oeax|wkpi|cgio|fgrk|soid|bhjo|jljm|ejeq)|h(wseg|omnp|d(hvq|rcq|gwi)|fzzo|uqju|imdl|z(dqu|uva)|h(tsf|fiw)|q(hqz|ptn|kxc)|t(awv|zhi)|lyxj|g(vyi|cvo|tuf)|c(iky|xau)|mupf|b(hpy|jch)|xypo|rowk)|u(a(jpj|tim)|i(dje|fxd|mig)|n(qwd|nsh|edt)|dqfh|eklx|b(tpm|lnn)|cvbn|qapp|oyne|y(mso|xnz)|znqr|vkwq|g(ioo|wmj)|kxtn|pvmy|hwrv|mrfp|rnqz|teii)|g(yhlh|mycf|j(ruv|uhn)|eleb|hanr|ntib|vlaa|q(ynk|qsb)|gczr|i(uct|rcf|tam)|rvcm)|i(e(kca|cuk)|f(bms|qnz|ywx)|pnxt|m(izo|lpa)|hwof|kvzw|ccyu|r(fjl|hqx)|vmwq|ldbc|tcks|sjac|wuln|docg|ofvk|xviy|iakd|jqpr)|j(bibc|ifrq|oqeh|vsfu|usjt|f(tgd|xqc)|hrqe|x(llk|fse|vot)|j(zrn|nyp)|esfo|cojs|qqrb|ltof)|n(n(rrk|jfx)|s(vwg|njt)|onbz|q(x(to|ik)|kyy|cct)|kwau|hjlv|mvaw|rbyu|b(qhq|ffo)|eoou|j(nrj|mjf)|a(rrv|zzm)|zgln|ijns)|e(u(axd|ozr)|a(fpu|jnl|cfv)|s(rsp|lob)|fnyp|khme|m(k(jz|td)|cnb)|opkn|igkx|jxhw|x(auu|bei)|wnvo|tshe|hpox|qjxe)|c(zhaq|tqps|d(rmm|yzg|qvy)|ylpx|u(jyi|hxx)|kvsb|x(ahu|raf)|moah|p(rzz|tcl)|b(ulm|cnl)|hkai|glta|vpcy|jwmw)|y(n(imh|akw)|c(tfi|kvo)|d(lun|ret)|f(znx|hfv)|xoms|avek|o(lon|dbl)|witt|vnzo|yjfh|uoyo|ssze|qvzf)|q(u(uox|eeq|iux|fvp)|b(cpj|gfz)|x(xgg|lul)|z(qcm|ybx|tkr)|k(qsc|pep|mgw)|ecmg|ftup|avks|gvit|n(urw|xym)|pghu|whlj|d(qcj|pbh)|hpwg|vjrl)|o(m(tcg|kqd|mse)|s(snk|gpw|uca|pxu)|w(hbq|gyv)|joof|f(yxs|sxy)|b(gxg|arv|lcp)|n(kck|qrd)|a(reo|cxw)|upup|hwnh|dwws|znxl|cnqg|vfmj)|p(l(zgu|qtc)|kxew|iiaa|s(b(yf|xu)|dgb)|hxtn|qwha|e(qsw|you)|pwov|dinb|tzpw|akts|zzeo|xstg|rsgp)|a(f(nqi|mtz)|axcn|l(vcg|alx)|p(y(ie|cc)|cxl)|hwbb|g(wpo|bua)|ejji|zdun|m(gwx|azn)|ygzo|xvqx|bccu))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633117; rev:2;)
# sid 2633118 includes 833 (601 - 1200) 5 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: "/(s(a(ilj|onn)|n(mhw|zwv)|g(arf|uts)|kfcg|tyjk|p(clc|ddl)|b(piz|tjn|ijb|vgg|adg)|w(aov|vpm|bte)|c(gwh|czs)|y(kmt|lzc)|l(toa|poy|wqx|fpe|lyn)|z(gfd|ywe)|m(tll|mdu)|ujup|ouvb|rqsm|x(qih|ejb|myj|kra)|ftae|ixsz|hfku|epgl|jegy)|u(i(fxd|mig)|blnn|a(tim|epx|fvi)|n(nsh|edt)|gwmj|pvmy|hwrv|y(xnz|jpq|rfx)|mrfp|rn(qz|fp)|teii|ctzd|l(yfi|rwb)|f(nci|tts)|q(dmr|ggl|rbr)|s(kmb|yxa|uez)|ocre|z(vpu|tcb)|udyd|dokf)|p(d(inb|anw)|s(bxu|ard)|lqtc|e(you|bko|dab)|tzpw|a(kts|mem)|zzeo|x(stg|kpn)|r(sgp|egr)|p(szl|bfq)|b(esk|skk)|i(nxr|fme)|c(cbw|xoq)|jkcr|qeuh|hbsb|kdqv|uufg|nqnq)|k(f(zty|lyu)|h(zac|dme)|p(icu|bdr)|r(gcw|ftj|ylo)|a(tij|atm|qnr)|upgc|zbsl|cntf|b(fwh|gpe|qeb)|o(xre|ikf|rtp)|iieg|xkkh|vwpa|gqyd|n(pzh|xjh|jen)|lczi|wsiu|dkkk|qepa|jwmu)|w(t(pbz|vrg|rot|fhb)|u(lrg|for)|j(wpo|swx|elo|alr)|r(xks|omj)|b(ezz|lcx|fwy)|q(dzq|voh)|k(asy|gff)|p(jlt|ofq)|l(uyh|mza)|mncx|fdkd|d(nef|qvf|gqp)|zyvj|iuqv|exsi|nqnn|odow)|h(b(hpy|jch|pgm|vfi)|z(uva|ayn|rte|fme)|c(xau|loz|yua)|q(ptn|kxc)|d(gwi|xxi)|t(zhi|ruq)|x(ypo|evm)|r(owk|dod|pws)|ktjt|o(yyj|hyc|mce)|v(wmw|vjc)|y(ynp|nkt|xib)|n(yxu|lug)|s(ssb|utz)|jqcy|wlgj|pjxd|g(orx|xur)|a(rgy|svj)|ivwx|eyzo|hinp)|a(y(gzo|lmn|qbw|evo)|lalx|x(vqx|gau)|p(ycc|cxl)|b(cc(u|o)|xcs)|gbua|fm(tz|zc)|m(azn|tzj)|k(gfj|qfl)|csmc|e(lbn|iym|stj)|s(skd|yff)|hcjs|znuy|iojv|a(mkl|zza)|w(ztk|kiy)|qxup|tdyx|vvbn|urbo|obki)|l(w(kpi|xia)|cgio|p(kmh|wub)|f(grk|tqm|kod|yde)|n(dcp|esw|tpr)|r(mfv|xfd)|s(oid|pmq|mop|vcl)|b(hjo|flg)|k(icl|nfi)|j(ljm|xfl)|e(jeq|afv)|z(jhg|ohn)|x(nqt|oua)|y(mov|yhr)|l(ald|mlv)|t(igc|xxv)|dkbg|i(hhl|trn|dsu)|qwwd|ujmm)|x(y(dbl|hgh|tuz)|b(pak|kzx|o(no|mm))|p(yhq|vii)|z(bmk|wby)|h(bhf|tcs|qza|lue)|qqtl|o(tvj|nre)|xmul|gjhj|nuls|vfwr|trfb|lykv|uuso|wlms|khdy)|y(dret|v(nzo|kgd|xzn)|y(jfh|vca|tmw)|u(oyo|vmy)|o(dbl|xqy)|fhfv|s(sze|uff)|qvzf|m(gdg|uin|dxl|tjc)|rvaw|p(esg|fri)|bynk|cbzj|aujx|x(kga|fpj|lpk)|hwnc|jpos|tfca)|z(a(lua|fxl)|e(yqu|qjk)|t(mje|fqu)|w(pse|qcq|vgu|eon|kmc)|m(wai|fan)|i(ywq|juf)|gomq|r(tlh|gms)|n(kwj|jlx|xlc)|zbzd|dwes|p(ryh|tem)|kbyc|u(fay|mmq)|qvjb|yacb|bedf|vaox|h(agd|itt))|b(pagd|simv|thms|ubma|l(lqo|ovz|c(ws|aj))|wseg|mmjx|znli|ekhj|d(vsv|ddo)|x(stl|gbv|mwh)|v(rlo|nra|fmi)|hlbk|ftfi|a(vdf|srx|kkq|pph)|qqrt|goeh|jvxc|b(kbz|stg))|c(xraf|d(yzg|qvy|uvj)|ptcl|b(cnl|idz|din)|j(wmw|rbc)|wupv|kshn|z(vjh|smi)|i(pxj|fcd)|h(bwq|oti)|utje|rywf|yytk|cwpz|vkyb|objv|evmi|scua)|n(q(xik|gmv)|azzm|jmjf|z(gln|bwg|dxl)|b(ffo|o(eq|jl)|sya)|s(njt|ocy)|i(jns|ebo|tkc)|u(qpq|bmp)|ggds|m(par|dtc)|c(zfe|add)|oryh|xuao|vite|tawy|rdly|ekse)|o(b(lcp|rpq)|d(wws|hup|xya)|nqrd|z(nxl|uwd)|w(gyv|vkp)|c(nqg|atd|hue)|v(fmj|x(fd|uq))|f(sxy|ref|gke)|acxw|e(xre|wye)|t(euh|bec)|yahe|rcgm|ldkl|jyfc|xlfa)|g(q(ynk|qsb)|g(czr|rqc)|i(uct|rcf|tam)|r(vcm|ohb)|j(pty|jbn|gym)|wetm|c(zrc|lcw)|u(kfa|fwb)|yevm|bsox|kheb|hndk|orzn|nfex)|t(p(jty|sxz)|j(vnd|umd|xkv)|e(dmy|ydi|sia|pnm)|n(uke|aym)|qqfw|t(wod|jgh)|d(vfr|dkm)|w(gyq|lsp|iju)|s(teo|bef|pzh)|k(jpd|gqp)|inyi|vbue|o(mby|yra|xod|egy)|r(vgr|skd)|h(nry|puy))|v(p(pvm|idb)|q(frz|jso)|v(yri|dus|wmr)|o(dxe|bao)|w(fti|ine)|c(cgj|qro|hxg)|ltzb|dcnp|g(ppo|nfc|klr)|y(zrv|pxb)|f(goy|qvv)|n(vag|heh)|jm(vo|xv)|swdi|eqla|mulz|h(zcn|fai))|i(ecuk|w(uln|oxo)|r(hqx|vph)|docg|f(ywx|xjx)|ofvk|xviy|iakd|jqpr|s(sxo|rsm)|pr(vq|hd)|u(urw|lje)|kdug|tcey|qjcn|hbrr)|j(cojs|q(qrb|jzx|hym|deo)|j(nyp|iwi)|l(tof|ekv|wzn)|f(xqc|lgq)|wbsw|y(ydq|zsl|gtz|vtw)|dogs|gxts|t(fpb|cqj)|i(vtw|puk)|vlpa|mmec|pxtd|oskl|axvi|ztei|ngvr|shpg)|q(k(pep|mgw|csd|kym|goz|nlj)|w(hlj|kcq)|d(qcj|pbh|zpf)|hpwg|z(ybx|tkr)|vjrl|xlul|rlnw|u(eqh|uvk)|s(zns|pbx|sye|bzn)|o(nla|abx)|gwoo|t(vey|ner)|c(dng|asu)|q(wgo|lpa)|mhcp|a(dqn|kkd)|ypaf|jmok|iilr)|e(i(gkx|fhu)|j(xhw|ohm)|x(auu|bei|lsf|fzz)|m(ktd|cnb|xjo)|wnvo|tshe|s(lob|jap)|h(pox|ros)|qjxe|d(gmb|ezf)|vvxe|n(rsn|wxd)|cfvu|yujh|lqqn|gmfv|efri|recs)|m(k(ndf|eky|xpu)|pwds|upml|d(x(sk|fi)|aav)|a(mvs|lrt)|tikx|x(uqz|nuc|yhq)|jbub|hbmp|zkdv|q(tvx|zne)|i(mpb|toq)|edfd|lscd)|f(v(fhy|ily|mlu)|zcyl|w(dnd|zau)|ndsw|q(frf|xup|qzs)|kvsw|u(kjr|g(vi|aw)|cwp)|l(fyt|jpt)|s(amh|ptk)|c(fhj|kns)|p(wpd|dbs)|g(rin|gsc|orj)|j(noq|wbg)|foni|hyxs|omxp|ysum|mpfd|b(yhh|iry))|r(w(qch|m(oa|il)|yhb)|x(hmp|vdv)|z(dxr|wfu)|surw|m(njr|hkl)|dxxv|g(wdn|lmx|hod)|j(dii|zjh|vze)|ussx|h(qxv|mhk)|fryj|nbzr|estr|piem|insz|q(qku|tyg))|d(y(upf|mzh|apu)|or(ux|rq)|i(uuy|xyw|rgm|qks|nkn)|fdnj|mejl|hnhb|unni|n(rok|fvc)|l(qah|bhw)|zm(iq|wy)|x(gmp|zcf)|g(sta|die)|wsmq|piqs|daao|t(had|tqu|dzo)|efiz|rgqv|jjvi|ayqo))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633118; rev:2;)
# sid 2633119 includes 233 (1201 - 1434) 5 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.info)"; content:"|05|";content:"|04|info|00|";nocase;within: 8;pcre: "/(z(ogxs|h(kxm|mio|tdp)|zsdz|xrbd|mved|teox|pnbm|vzlz)|t(ulqd|kyxm|ljac|nmsl|aepe|dltz|cxtu|vrxr|xwaf|wxvk)|m(yqkd|b(nei|wnk)|gppr|sxhs|hhph|ejcp|n(plv|jai))|r(petw|c(rxj|vhs)|frmu|ymdn|acsx|elbb|z(www|xha)|tmfk|xito)|s(vmfn|celo|wflo|tqry|fwjk|qaq(f|d)|yphs|ldri|gcoy|mynd)|f(ivrn|uwok|n(cuw|yjx)|gptc|eolu|jkkz|bodj)|o(snol|x(qwu|yiz)|hpvx|rpes|ljrq)|d(wcpc|lpct|kaoy|o(zwk|prk)|iofx|uqgf|p(gwt|hqv)|qhkh)|x(dtgy|y(ndd|iqw|tsm)|cytx|n(gtz|mcg|tax)|zzzv|jbxz|tbkx|uqwd|ggak)|w(mxna|u(mav|jme)|vpwa|goer|dmpv|ymgm|errp|swxn|zlsw)|g(g(adz|hri)|e(hga|olo)|n(nmz|uqd)|h(jez|qqw)|srit|zmec|rvtl)|c(eqrv|i(wzo|hhp)|c(qgr|ron)|kabt|m(uos|ikv)|lbla|rzbb)|a(g(ymd|etm)|enjq|afiv|n(mbi|css)|fpgb|wqlw)|q(n(mdn|isw|kdf)|xnhp|vueu|pzqh|zkov|artk|btbr)|y(lyxf|rcsl|wxux|mqpp|jpyz|okls|bmzz)|j(z(oip|wkw)|mard|rofd|b(pdc|bra)|i(yhi|kxy)|a(vwm|xhh)|ymcw|xwsh|hwzl|lhcw)|e(wmcu|y(erj|qdt)|rooh|qzpk|miih)|b(fbqt|qyhl|k(qav|wyr|jyw)|ntgq|htyv|udcs|wjrk|bmxc)|i(najh|l(ibz|mdv)|ywra|tvvm|o(hlt|yjx)|inyx|vfmo|e(pop|ojn))|v(fscb|asfb|igea|zmvd|tzks)|k(xtjh|cbkl|rkaw|emyh|zneb|asju)|p(zkcq|pkfs|lwzs|guhk|wmfw|fxhm|uqif)|l(yudh|u(fbq|vvn)|sggi|iucb|vmrb|xdlu|axmq|gqzz|qxyx|rxsj|omkb|eqap|k(tyq|mkb))|h(nnrt|jmii|ugpj|pezk|r(kmy|cqq)|ouur|drzz)|u(emjc|u(yds|wpc)|sshe|j(shj|hco))|n(uysj|kkpb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633119; rev:2;)
# sid 2633120 includes 600 (0 - 600) 6 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 9;pcre: "/(u(olygs|c(klvt|tmfu|suha)|ipfgi|ztfoe|y(hfuo|nbwe)|eyqfi|j(czro|iton)|pjgfc|fjoqq|tpkma|gkrlp|blxwg|usdva|wopfu)|c(p(nmqd|kqic|tspm|lziv)|gfhlp|q(eqou|yvzp)|wbynb|k(mwdk|enxz|ajvk|uppx)|brbxz|dtuqx|cunnr|tdayi|xaudx|htqzs|jdflq|n(zwhk|axpm)|fvhql|lpgff|mfawy|zcs(eu|lo)|yjctd|atyqe|rujki|irbci)|r(o(ftjc|ngxu)|ybkid|m(etqz|wlki)|r(ncns|egun|dqio)|t(gzxk|lhao)|gqcao|uguox|qgoxm|pabvy|c(rntc|xrff)|htcxp|srzve|jjgyb|z(oluq|yfss)|nujqr)|x(u(zejj|cwlg)|h(xffj|kbbm)|rnaar|qcrpr|laeia|xtgos|nmnvt|zcqhb|ozvem|jlerj|vttwe)|z(m(yoyy|lazn)|c(selq|lekg)|wvvzc|n(ibug|sqlb)|d(mlpp|zrdy|ysao)|k(aevj|suht)|s(mqdz|txhg)|f(ilfo|jxfm)|o(tsmi|irzz)|zbije|uupme|p(zbbl|kjgv)|akrrk|yndnn)|t(r(zulw|eofj)|x(godj|odzu)|hfnyp|o(mmhm|qtmw|fxfy|smea)|dmyxf|keywb|afghu|nrswi|l(wosy|kvet)|tzrcp|b(ivxi|wpfd)|vh(hqu|ytp))|a(vlzrg|ltxxj|autqh|uhwie|f(hcuc|mbaj|yimi)|gtlri|yyhuf|qcqrp|o(hzwj|ofwq)|rpdmm|iuwxi|xfdua|m(lndl|mnri)|kdqud|nltrf|pjhgk)|h(qtsdq|g(pmkn|kikc)|jdvrm|n(mqal|wbyv|brkv)|o(xlnb|dcqp)|b(xcpg|lguf|hvyq)|r(vysk|myef|sqef)|meveg|tdsyz|p(emwu|tfwy)|kihee|xdmzi|smjmx|yuolk|a(lthg|edlt)|feurj|hkzhe)|i(d(bwbb|jbzn)|cozch|o(wqrq|krdk)|w(edxe|lfvr|ccyx|ofpi)|mljvq|rjybh|e(asud|tjok)|lsoeg|t(toye|erei)|a(eibf|jugz)|hf(rbl|pgx)|gnjte|jszox|beaiw)|k(m(hens|udvo|cumo)|b(tbeb|kcck|cnyg)|womli|v(rxqi|hjku)|crzrq|kglvs|tz(dkx|gvs)|hjflr|p(iuyk|jkld|purc)|d(hjyc|fhka|kjxs)|f(dsiw|hbsm)|q(y(guf|qqn)|uxcv)|ofjvn|rmcdp|iubhj)|p(odict|y(qxgj|vbmj)|b(ozxk|vhbu)|fuybv|p(zaue|ytgf)|hchkk|m(oaxr|shyx)|svegj|ulpoj|cmlhi|azndc|z(ptoh|bidf)|lnqhf|iagey|qovrf|vfkuc|jgsrh)|w(n(mbbz|hynw)|x(glrw|qjpj)|m(asqj|oyqa|rwqp)|tdbym|rflvb|s(vjre|kkuu)|qqeng|hpknp|umcfo|l(dnoh|uzdd)|kxodg|pcmmd|yijav|e(wjpt|plkn)|bwmgq)|b(a(utii|cmgv|zzca|gbjb)|colem|t(tyaq|rvix)|x(smhr|ugjt|tanm|mpnf|czjh)|rjhdl|i(omzm|mxct|qllg)|s(raue|kwya|hmql|avwo|fsmw|mbzx)|h(pzwe|xgjt)|zabzf|p(kztw|vyxo)|b(w(xyj|apl)|vnkj)|eqbhz|wpmfo)|g(o(ybgi|fksx|xnco|vtbv)|m(xgiz|csrj)|y(jqxz|xfop)|cdtgi|bakzz|r(xcjq|tzmd)|gyxrk|anglj|lehrg|d(afna|oyno)|xlipl|s(nqpx|qghs)|icrnc|nttgt|hrvtr|zzglg|fcobf)|d(b(unqf|gsmv)|nolsl|t(gfwg|tegj)|f(plfc|orqf)|rxkua|wjlst|m(uigl|xqod)|h(emtd|qxbq)|etmcq|kzylf|yztff|xezjn|zhmdv|q(entt|jsxq))|m(wrxvu|bdtls|f(byqy|allx)|jeezz|zjchh|m(ugia|libf|pkbg|dvob)|v(ujps|fmmm|glvs)|h(vlxo|tzof|njhn)|p(krnu|vayq)|rejmp|cwjor|uosqs|tgxfz|oscej|sizli|kxeod|ipvll)|v(wvkdo|y(guzg|fzjo)|dsejq|m(wzly|fnnb)|friiy|n(z(tro|gbo)|onla)|pnuku|zlrnp|tjhwn|lvxsd|cthqr|swizp|ihxht|qlpaq)|q(xstzq|yonft|o(imnv|knmr|qexw)|q(qjkt|vvcb|gtus)|s(xcao|fzef)|awxco|vxuxt|m(hfij|pirr)|j(elli|qavp)|islob|zufuj|nshix)|f(k(bdwm|zwkm)|l(wbsm|febt|guak|hxae)|raluz|z(wfqy|qayb)|vfqne|g(ssxn|aymh)|t(bven|wjbh)|pnvnc|nidfz|e(tnwp|qljt)|mdllq|jtrqy|dudst|ftfcw|sgxid|cbzdo|b(etpv|uxkh)|qslat)|n(tdxhv|ztthk|hiavn|b(odpk|tmna|ntun)|upmwx|gbljf|yygsn|a(afzc|nvar)|i(adas|nhqi)|skrtq|jyntk|vjvxx|qbuyh|lvnfh|pcddj|xebfl|codjj|ocazz|dzyoi|flujc)|j(bzjqo|gukys|awedt|h(kzus|opff|raih|yjfb)|imysx|cotze|ebxlf|n(wrbb|cyvu)|vfzyg|sveln|qmwcj|kvzif|l(lfmb|cbfk)|ditsr|y(lpmr|kxii|vztj)|w(xbxl|bdpx)|zcrnf)|s(m(mmwu|tnqm)|o(jrkq|hakv|vbsn)|gplsu|q(kwyt|jsat|exkj)|p(msgy|jask)|vekfx|l(mjtj|wlsp)|y(ljta|tmzu)|sqhly|fggea|d(qvkn|gquc)|ipnsc|j(jxhz|zfyr)|ucbun|x(vxdr|yoll)|tmane|wmmvd|aihlo|cglsh)|l(fhfip|kmknq|qxwth|gfrne|n(a(yju|vzt)|mqog)|rivsb|ilvmg|zokbx|a(vcwu|zdvv)|vkdwi|t(dokh|khkr|gyry|nwoi)|bzdce|o(asql|cpeg|vwfq)|wgxrs|drysa|hfyxl)|o(p(iwmi|houc)|kqvgu|n(u(muw|ekm)|dbuc)|driak|syaew|rjryq|ldcsm|wfqrr|vddpr|iktem|f(qbjj|zoqw)|cgkjz|uqxug|gaiuv|yrrrq|brtur)|e(c(slku|xcoy|qena|bcig)|nnrjf|vcesk|ulngf|y(sxpp|gfkl)|ewlvl|fstmu|oeing|m(jpoh|bdne|zojd)|g(ychy|mvfq)|k(irsp|rejd)|zedky|qguff)|y(guceu|vblqc|nhfar|m(bejy|mvbz)|f(numn|hlxo)|h(bvpr|hyjp|s(psz|zls))|k(ergu|jkjs|vhcs)|j(kwhf|zxka)|skkmt|xlouo|t(hfho|xaja)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633120; rev:2;)
# sid 2633121 includes 834 (601 - 1200) 6 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 9;pcre: "/(y(hszls|xlouo|t(hfho|xaja|znpz)|k(vhcs|hmfg|ovuk)|jzxka|f(hlxo|yxvn)|a(nwuy|vche)|r(hxnt|ijfh)|b(tifw|idhb)|wnars|g(coxz|owns|mmvz)|o(pvan|cydn|ykbw)|eeyuc|lmlrj)|m(h(tzof|njhn|zhhw|mnne)|fallx|sizli|pvayq|mdvob|vglvs|k(xeod|gwyq|fznb)|ipvll|nxhdp|uyxyg|t(hmwq|jfcr)|b(pgqm|holt|ligz)|odfio|c(zjxl|dyhm)|ecxkr|j(oabq|tiku)|liviq|arads|xzmca)|x(o(zvem|xrmb)|j(lerj|npta)|ucwlg|vttwe|h(kbbm|nukd|atyv)|p(btwd|tkfc|s(eoo|qkn)|zime)|k(fkfq|xllq)|gqejw|x(gvnj|tdku)|tjvwl|r(gbyi|covv|bvba|mmgk)|dpafj|noghw|m(g(uae|ahc)|mawg)|yznsj|srmcq|qjwdm|booup|erljn|ahjrz|cgucp)|g(o(fksx|xnco|vtbv)|i(crnc|kxlf)|mcsrj|nttgt|h(r(vtr|mjq)|tvjr)|sqghs|y(xfop|gicz)|zzglg|doyno|fcobf|xokjf|bhbtz|l(rpui|sthn|nghy)|tenaf|rofwf|knmnz)|k(q(y(guf|qqn)|uxcv)|v(hjku|qcki|bhyi)|p(jkld|p(urc|tfs))|m(cumo|piej)|o(fjvn|b(phx|sus))|d(fhka|kjxs|eaeh|rjek)|r(mcdp|xpyl|qpbq|nbnu)|iubhj|c(jszr|uzrg)|snvio|eosel|jdgvc|uatwd|bsawy|kvquw|y(mznj|ogdu)|nsrwo|gzsyp|apzyd|hxcpo|levvj)|w(luzdd|k(xodg|aomq)|pcmmd|yijav|e(wjpt|plkn)|bwmgq|x(q(jpj|ifi)|nkdt)|s(kkuu|fzop)|h(dwug|olvu)|dlsie|o(rfwl|mbfx)|raalw|g(angg|qwqq)|iwloi|vv(udw|tix)|c(sqqa|duvz)|nyrzr|tqlcm|u(rmik|vixg))|s(l(wlsp|zaem)|j(zfyr|ockh)|x(yoll|xmny)|o(vbsn|qttd)|y(tmzu|xpfm)|w(mmvd|gamb)|aihlo|c(glsh|fsyn)|q(exkj|voah|unmm)|dgquc|f(fxsq|jltb)|u(cxcj|dtuh|affd)|s(yjie|sgon|hslb)|b(gmad|hyzd|kzku)|k(hfih|tmvz)|ndfqy|efcfa|htrxv|mdjkm|gtbau)|a(iuwxi|x(fdua|qcdj)|m(lndl|mnri)|k(dqud|qmhe)|fyimi|o(ofwq|fohr)|n(ltrf|qolh|opcm|pwfq|icsd)|p(jhgk|yyay|mkib)|tgkbi|b(hnmm|rexh)|zayin|rxddw|w(mayp|qswo)|gzikg|q(kiab|hugj)|ywrwa|lzaea|uwael|agjxa|erdln)|f(twjbh|mdllq|j(trqy|zvoc)|dudst|f(tfcw|mfav)|g(aymh|pnjs)|z(qayb|lzwb|ivvf)|sgxid|eqljt|c(bzdo|owmh|eedv|crcf)|b(etpv|uxkh)|qslat|l(guak|hxae)|r(icsk|nfra)|p(kgrs|xleq)|y(iqem|ellz|ssdw|pqpf)|x(cjex|ianf|wttb|ufdh)|h(inhi|auci)|k(hcaq|xwzl)|aqlzv|ovhrw)|t(bwpfd|osmea|lkvet|vhytp|dioqq|kdicg|pltak|rpzmz|t(ggka|snws)|zeqfo|aksvx|h(otea|kmlf)|e(cgrm|ahgo)|jarti|mdvpb|qmlbp|shoqx)|n(v(jvxx|hnst|smea|esso)|bntun|qbuyh|lvnfh|p(cddj|wmrk)|xebfl|c(odjj|wxhf)|o(cazz|krvp|gugl|qjgw)|d(zyoi|keto|cydp)|flujc|setyr|w(tjbo|zpvg)|i(nzok|pooy)|h(noiy|krds)|aprss|y(rqew|hjza)|gzhfv|k(jgiu|anhe)|m(dfdf|rtsz)|zigqp|nnwku|jpeky)|u(c(tmfu|suha)|j(i(ton|hir)|grpn)|f(joqq|fput)|tpkma|g(krlp|xvck)|b(lxwg|cdvr|mqzi)|usdva|y(nbwe|zfwd)|w(opfu|cdtd)|h(juxt|uorb)|nrbon|o(opug|ddru)|vjwyq|s(vjzm|eqdt)|xktrh|k(tguz|jjjc)|e(ijht|fzol)|zfwob|lllpd)|e(m(bdne|zojd|unmk|mpmj)|k(irsp|rejd|zsqg)|c(qena|bcig)|gmvfq|zedky|qguff|smgmk|luupy|b(fniw|txxa)|iebty|w(qshu|fnvr)|azesz|dlzfd|rjeeh|v(islx|ozta)|oqrhe|tiexy|xnkql|exwck|ulhxt)|d(mxqod|hqxbq|z(hmdv|rrll|gwlb)|q(entt|jsxq)|dvkot|kpguz|cyrtj|o(kmov|fwuj)|nkfet|vjmuk|rxxpb|p(zgzz|reef)|tbhqk|xndsk|f(thqp|jcbk)|w(vofs|wbib)|autng)|i(l(soeg|jeho)|t(toye|erei)|a(eibf|jugz)|h(f(rbl|pgx)|wqiu)|g(njte|lvdh)|jszox|beaiw|djbzn|w(ofpi|sorg)|etjok|r(skmb|zomn)|csqhe|k(csky|jdsd)|vctqe|yeeux|pbnro|x(imjr|rvck))|j(h(yjfb|irru)|y(lpmr|kxii|vztj|hskf|jphf)|n(cyvu|qwyb)|w(xbxl|bdpx|ztbl)|l(cbfk|vvlq|ejnb)|z(crnf|upbk|ayul|wcmp|slro)|idqne|knura|gbxai|mwspx|rqykx|timug|smlxh|u(nhsf|kqkn)|orcsw|efutk|jdvnx|qxauk)|h(n(wbyv|brkv)|p(tfwy|oded|wxnv|gfph)|gkikc|r(sqef|eyrb)|h(kzhe|woym)|a(edlt|neeq)|q(puai|oron)|d(jbhp|rgap)|y(enhl|yzuq)|s(jkkr|ejwf)|zjbak|oymyr|e(qhms|xibs)|b(kpgp|asoe)|xydvg|v(lacd|ipqo)|catwc|korhz)|o(l(dcsm|wbhn|sxin)|w(fqrr|rqlb)|v(d(dpr|chn)|kzsc|mfao)|i(ktem|r(lgz|bcs)|poei)|f(qbjj|zoqw|wmlf|tbbd)|cgkjz|u(qxug|sfsc)|g(aiuv|nauy)|y(rrrq|fyky|zohu)|b(rtur|izwv|apte|mugt|orky|evlr)|j(yfbj|rnbm)|sagkg|rmeon|pypph|n(qjbh|oihd)|t(nkao|ptym|ejas|rozo)|mxybg|x(olig|zfpa)|aserr|dozvl|herqq)|v(cthqr|n(onla|zgbo|mkcx)|swizp|m(fnnb|gnpe)|ihxht|q(lpaq|zwxk)|u(phfe|ixzd)|v(jwmx|dtsc|cpvk)|zvfav|o(fcgd|rstu)|wuddu|apxfr|b(omuc|lzbg)|xmtfu|lejzc|djuau|r(xjik|ejdk)|p(fbge|xvfq)|kcygv)|b(b(vnkj|sbzg|dsac)|e(qbhz|uoxd)|s(avwo|fsmw|mbzx)|a(zzca|g(bjb|vcp))|w(pmfo|unqx)|x(czjh|howt)|i(mxct|qllg|yiub)|h(xgjt|awmk)|pvyxo|chxog|q(sqzz|onbb)|l(k(hnn|dpd)|awav)|zfgdl|okgsw|ydpkj|vvpzo|kcwor|r(vjez|cdmc)|dnhze|nvikc|tcztk|mtyig|filub)|q(o(knmr|qexw)|m(hfij|pirr)|j(elli|qavp|whfa)|islob|z(ufuj|jndv)|n(shix|fdeg)|latou|gterv|cpwky|ubawt|tbcjx|redxe|pacgr|qoiza|v(tbkn|fqdb)|wlykz|dbmhq|kmdpw)|r(j(jgyb|pixw)|c(xrff|douv|kswr)|z(oluq|yfss|lovr)|n(ujqr|krhu)|o(ngxu|zkig)|w(zivs|tdue|henb)|r(wcby|htvw|ynqo)|bdqat|m(rism|svto)|vbofh|g(psdp|nxlw)|akaxu|tlcyc|h(nwrf|lodq|fhft)|edcyw|xwyvp|uouxf|qfiyy)|c(zcs(eu|lo)|yjctd|k(a(jvk|lfn)|uppx|opom|hioi)|q(yvzp|xgpx)|atyqe|rujki|p(lziv|amtg)|naxpm|i(rbci|zfnw)|otwac|s(rlsi|uhgw)|hoauo|x(ntsa|qzvy)|g(bhqx|yswh)|j(gxwl|wmix)|vfzwl|m(gjgi|mvde)|wtcyl|feare)|l(azdvv|o(asql|cpeg|vwfq|wvns|kfjm)|t(gyry|nwoi|ziko|ejil)|wg(xrs|zlc)|drysa|hf(yxl|pjo|zav)|rbjns|g(zpff|cqsn)|x(jhth|xdzo|gebl)|jagwg|mjebh|uecgq|q(bcaa|vlqs|wpoo)|e(junw|suff|cewn|nmda)|soclw|igbkt|kldgl|bgpyz)|p(i(agey|sbpa)|qovrf|v(fkuc|qhwg)|z(bidf|nrqd)|p(ytgf|oryc)|j(gsrh|hqiu)|t(afuh|gted|svgm)|w(g(imx|pxa)|akld|bnsv)|l(y(fwc|yty)|ihtv)|e(aphl|nlpr|ghds)|cn(dze|jna)|rfcsj|djoaj|y(xskb|wett)|guizm|munmj|bmpzm|s(owcm|jjce))|z(p(zbbl|kjgv)|a(krrk|squv|qklz)|yndnn|ksuht|fjxfm|clekg|hkewx|uooic|giihr|dksja|tcrcv|bgnrk|vqoem|jjmtq|s(igep|nxee)|w(wxut|pntq|eius)|x(cxbk|btuf)|nzfmv|ijyyc))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633121; rev:2;)
# sid 2633122 includes 234 (1201 - 1435) 6 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.info)"; content:"|06|";content:"|04|info|00|";nocase;within: 9;pcre: "/(e(bhjsz|j(jerk|xtom)|fbmql|tthzs|abpnw|vxehh|qgomc|laipn|s(nkjy|dxkj))|h(nuuhw|dhtee|swzpk|p(fziu|cakp)|i(tscz|samo)|hlrlk|kwbpd|fdjyc)|f(eywna|x(rsmf|hewt)|z(m(bba|sig)|iiab)|wclif|nkcsu|fqsbs|mowfk|vbkau)|u(b(gmrw|enzt)|e(qclo|cgri)|wgfne|tarnv|fomaa|zdfra|nmpwu)|r(vavwk|irsuq|tjcqk|miihe|lhabd)|z(nuogf|ggdwl|wegnb|ujkrt|zqdws|ieggh)|n(m(wxfs|bmvu)|d(ilre|xdub)|sdvwm|ixwvt|nhtkw|ecelv|rqerc|trfnc)|w(vwoiq|rahul|wqggh|b(bjoe|tsfo)|fqhhd|eksne|ljdpn|j(bwjh|lpjs))|o(l(psts|cfcx|dyav)|avjoe|z(rifu|ajmg)|g(assj|rpod))|v(u(ejco|loeo)|ojcal|l(gxzo|lwjv)|xjehu|eujxt|n(gzda|ixqs)|phhrg|rqwcl|soncp|dsybt)|k(nkbsv|emxob|swcdb|uqolw|iwrta|fuihd|yuoxy|p(trsi|jtas)|rczky|z(javd|fftf)|qjwto)|m(h(xpha|akim)|lgbpf|jbkii|zusby|prbiv|kpsin|w(bevh|zgvv)|tllqh|uqshh|rnafm)|l(kdjxq|mzmch|lvood|rpaig|iixhp|h(yypt|ohkf)|qbfkr|ntjoq|gmsij|byxzs|aepax|yfqbt)|p(vmhml|ocpno|zlbin|p(gjck|bctv)|xngdo)|x(w(drcz|ydfp)|d(zvii|piho)|cwxmd|hehns|ixrvf|xlyfc|tcdnw)|d(ytsky|ebllj|p(tcib|dyil)|wmles|mcnpr|irsjs|sufgn|fcxin)|y(axgfu|wdfmg|ukdpc|zeavr|yocys|szjwz|jsljq|qobgm|oiljt)|g(wo(jku|byd)|vlshh|r(ghov|laji)|zrsca|fqwzx|titdf|hfmem|pllay)|a(rlzkk|mgyxd|nfeye|ssqmg|phgth|xgfbr|euwqu|hbjnb|qrgmw)|j(rltde|qasro|aztqo|nubpb|tmmnm|oofxl|zkcso|kweus|f(xsdg|hfls)|bvzjs|pyjrk)|i(gdtii|oflar|eqbrh|lnrwj|qlfkz|voben)|s(cnjeg|tvlyz|ltciy|qrxhs|iovjk|bgwnp|acefw|pvhzh|gynsa|v(eqso|uujg))|t(goeye|tenjx|ndone|w(qmnp|bivw)|vbsgc|ryazl|quzmy|zqhsf|mmgva)|b(ezgzq|caskv|pjauw|ajqno|qqddp)|c(h(ssng|azxx)|uslzz|mslmo|qxpjg|vbdho)|qiqyeu)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633122; rev:2;)
# sid 2633123 includes 600 (0 - 600) 7 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: "/(z(g(oilqr|uethp|qgehm|hhrhk)|wttfhf|yghrku|m(yhtyg|qsofn)|s(algze|zzuxs)|e(qmuvm|ayyin)|fgrfmv|bgrpoa|l(hgnqg|kcwxi)|dasdef|zpvqqq|nvdiby|c(tibhw|pfndq|gqroe)|opncce|vijjgh|qfwhql)|m(t(xyfon|cwtet)|q(yuvms|hfyec)|lcnfgf|oiahxm|kgjcfz|c(ipjqs|jywee|prech|ladlo)|p(moddt|fujkr)|f(kqpjv|xasoc|dkkto)|exybyz|rrnlby|zvabdd|gqovzl|dmwgul|ncoyis|vc(xgqm|ejei)|y(lqthp|brgkv)|swabzb)|j(y(gfwxz|avtxl)|j(chezo|sbubv|wxrbn)|t(jreej|vmasw)|p(ikgcb|ktwhq)|eonemj|gjdnol|oxomkx|bmlnvm|amqsyb|uexclw|npfxss|qxrztx|xlszhh|crrnwg)|u(iklnob|bulkyv|wabfoi|y(irxqr|cecpp)|scqnml|k(ptpyk|yhspr)|j(pfypy|ztoat)|ekczev|u(mvsxn|gswpx)|x(dikaf|azoax)|zmwngj|pjhsro|htyknn|rapptx|fmntos)|x(xhddhr|s(nnczy|qixrz)|jpntdy|mxavpz|vlcosq|tzxnjt|d(btdpx|dimle)|grwuvo|esvnre|u(nnhlm|kayjo)|yhudae|pumgmp|r(eqewv|zkdlp)|kexgoi)|a(kzxbye|t(qurzm|mukqn)|s(tsqqm|xggpk)|o(oqrgc|emgmz)|jlsgqn|ic(zfzc|cfdg)|aqhyll|b(lqhoq|yfaal)|f(pvpbk|tgtxu)|pvukkm|q(xujhd|ffqxw)|umsrvw|cvezch|hqrpds|dkvkbh)|i(y(qkpow|mjmwu)|nkuhmb|b(noirv|c(rrfu|iluy))|g(sputo|gepgp)|luvbak|tfaxtu|oglxvf|adwxhf|zxcaen|d(cxytl|hohnl)|ejijeg)|c(khexsd|e(qnhnl|wnlse)|gbtyww|o(qgauc|xvqyu|kubul)|q(tbedw|svrls)|u(uncoo|kzmkf)|abmzku|rudyjz|whqhaz|lgqlvh|c(ivqul|ekdbs|kndwc|mcipw)|iesbmt|nuemoh|ffdkms)|d(s(kprnd|gnpeh|vxgzc)|l(ambpr|rcccr)|m(uuqnp|sntmg)|r(mehjk|rxrlc)|p(bsfhv|raysz)|yvqkta|uwjvdw|fpjppy|q(wawnu|nvupa)|iexdyr|w(qrzkx|dvxan)|bmiooh|a(dthxm|cwxpn)|d(cbfvl|rpicp)|x(eagqm|jjntx)|n(gbamo|vnchc)|zqubdv|kizcvu|hmgrrv)|h(a(ygzig|hkesc)|g(rcoiu|xvluq)|t(mrvos|dcopz|rsacm)|skiozr|e(e(wdba|rcln)|hrnlt)|ubpmgf|yqpwlp|w(qcfnm|uzavr)|jqmznd|ptfjrb|mujqse|kkbgeg|ocpcuo|cmggep|ircgep|roxtuz)|w(s(ieamj|csinn)|e(hjenj|qrssb)|ykmcbq|w(xvook|zzdya)|d(xlavw|noskz)|j(ipwdu|tdvjx)|f(dfsia|jrwim)|isjuaq|tdubhc|vxbfvo|x(qmwls|yemuk)|aawoos)|k(vivpxd|zcjgvq|e(eixuv|ueiit)|w(kcabq|savqp)|u(lsvon|xkias)|fbeuku|t(xebym|dttti)|x(zoiia|qvkui)|m(naavb|mstdd)|cxtuid|bqjfej|lftqdb|pantrk|o(uuoow|lgroq)|hwvmzy)|e(v(ygkad|vgwcw)|n(gsnfi|jgmnv)|eg(jvqh|ougi)|d(lgdue|fqois)|o(wevoo|hlktw|rpivy|bmneh)|wrjlfd|s(r(yoob|dxvc)|qxhjq)|fakixx|l(nyhom|keaen)|hpjxif|mantis|t(jiasd|arkml)|ztdsxh|y(ztwqz|ezcab|iyouf)|qqzhvu|p(itkyh|zrtkw)|xxlgmk|aq(cuns|rujq)|ilaxjg|bwrzja)|l(criwmp|y(qzcqx|guudv|tjtww|pbwmw)|e(gncwb|luwnw)|l(wazmm|nbjfh)|wgncqp|s(nolbg|adjxt|gsmjp)|ajdnok|n(nunbl|xrdud)|hfsbvn|d(mevyl|cmepv)|injzdi|t(mcpwv|wzmfo|sgxuw)|uv(jsbw|xork)|kjqckd)|g(fwuykg|w(dijvg|zdgcx)|jdcwpg|b(bwsvr|mybil|wnuxc)|avxfdi|gkethg|vjrgfw|hfaehu|kayydp|iqzgpz|qfwrhg|usikop)|p(w(pzrzr|sxahx)|jetowr|k(dwevx|zkiqx)|f(libun|isnez)|ypkusl|vcnvan|gluthn|hzoceg|ezantk|ulpmpy|tjtyaa|imrmxw|asppae|njaqco)|v(v(pzrjw|youms|mbqwu)|ctvnqq|p(wcexq|pxyts|stnlx)|mjhhwk|r(ujjei|zkcyt)|ngbgrf|a(lmebi|npohz)|e(azmoh|iehfn)|g(espvl|jeubs)|uufxkn|indfvo|xfkprw|fdmoje|kfusyr|drhwfj|bsxrgv|jlpzwd|wlfawc|oelwgs)|s(vigmhn|t(cpcsr|adwuc|nbnwg)|l(nsepl|lbwhb)|p(psxzm|wpmvh|dnlov)|w(nugvq|uwxfx)|ochdow|j(znzea|rgtgt|yaadh)|nabwce|stxfob|hsfldz|iiwymu|rjquwm|kemtel|ggzvec)|r(e(mbrot|otvoh|yqsil)|jdvoud|dugjpr|bauxua|h(yeobi|ffdpq)|yiloqb|l(jlfyu|eodql)|fkilzw|a(fhkti|ustmx)|z(uqkmo|rsizm|yiosb)|c(jdojh|gmjqm)|geskhj|vftdkb|tjltjf|rfrnni|k(ciyjo|waevd)|otklxo|wazuwf|mdmacw)|q(y(dsgwk|lchaf)|xftgvb|nwftcy|b(irwur|drntf)|axpnvn|g(ujfio|wwlko|isclk)|zpzxve|rw(zirj|dwwi)|slgvno|hrglmt|ecdvco|jajicc|vpaoqx|p(tfqbc|cwcsm)|qoscoo|dmyjlf)|o(l(jihlq|avopj)|m(qgvaf|ysied)|o(iteqa|zkkgc)|s(pzrmw|lwyvv)|p(gbuuq|fpbqh)|d(pdmts|gwpqv)|k(pbuvs|ifovu)|uo(ulps|lajd)|cewtpf|hivskw|arbdqf|ewdyfs|buraly|jegsfs|w(xecse|chvbe)|qfkxmk|gwtjat|ypjnyo)|f(h(jbjex|kobxw)|u(yapsx|ruvga)|pfoblp|nfncjc|x(upiyq|arfsy)|i(w(cjqk|jfii)|esrvb)|s(bkcim|lqqqv)|tolgph|l(euqsy|zmzca)|yjymyi|qcmhlx|rgcfpq|vslcly)|b(pbmqjd|efgycg|wsxolo|t(tdpbp|kpcuf)|c(gsqua|toltn)|f(qswto|wrqby|ywwti)|z(ycyfy|sltca)|v(pqliq|xqxwi)|q(tcrkg|oathg|frztf)|ifgipx|o(qrurf|dwwnk)|jvmaoo|rhiqmg|apijuo|mmxppp|yhhosh|h(uhiiz|acjsf)|uczkaj|kgmyxq)|t(aptkks|tmhyvc|wcquqe|eesszv|o(anujw|viyld)|rvqdem|q(fdsph|xamjj)|xcbivz|dknzjb|lncyen|hxbedz|nmukfs|zcgtte|y(jmwyx|qprrs)|imkluh|mdraap)|y(s(qlxmr|l(wakk|axgl))|p(qsxrt|chmol)|r(iuqrh|cbikw)|tepysk|f(sbhcf|cavwf)|y(wkeiu|biuaj)|aleqlq|j(qumvu|gyecn)|nxohnc|m(wryvk|sphfe)|c(dlhzb|zxhut)|eeritb|dzljax|girany)|n(zdqdze|d(jmtap|rxwoj)|p(nweoe|eeqka)|a(lhtzw|vqjav)|wmokcf|s(tfmsv|rrcke)|t(kkqis|pqwjq)|l(qnndf|aywdu|vyxoi)|g(pehpx|qkqrj)|rphnna|nbjppf|kttqnz|vuwupc|b(npxaj|wuozs)|q(apood|gnxpg)|cxivne))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633123; rev:2;)
# sid 2633124 includes 809 (601 - 1200) 7 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: "/(q(j(ajicc|uyvrl|wboyk|ortiu)|ylchaf|v(paoqx|lpmfj)|p(tfqbc|cwcsm|nkwsb|hxbjy)|g(isclk|ohwzv|yhofg)|qoscoo|r(wdwwi|muzeq|ambns)|d(myjlf|gkzlb|ffocf)|k(qbbdn|zzovh|wugth)|b(telht|gnjbc)|hwxqvw|w(lejyd|ikcaq)|t(nbfct|rfdgo)|x(ctlgg|xtbsx)|odsejg|auirug|c(jobeu|hqvnd)|iqzttb|efvakt)|h(gxvluq|t(rsacm|tuwfo)|cmggep|ircgep|e(ercln|waybq)|r(oxtuz|zctyl)|nuowuu|b(ijgwa|yofoj)|ai(cqng|uwvx)|s(gwwbp|kuqtz)|khfeaf|v(igdva|mwfhl)|lscnot|zzgbto|fpdpsi|xgpnjk|pcifaq|qwcmaz)|b(tkpcuf|y(hhosh|bubxs|gmvuy)|o(dwwnk|wjqye)|c(toltn|hoviv)|h(uhiiz|acjsf|dwteu)|u(czkaj|yxjvi|fzrzx)|fywwti|k(gmyxq|uxuxw|lcbmi|bhujt)|qfrztf|xksmzj|l(zfatq|f(oqbq|zpep))|ildihc|mlnzoq|r(dnodl|ymofy)|wesckh|pwxwuj|z(pjdmw|fdman))|c(c(ivqul|ekdbs|kndwc|mcipw|oqncn)|o(xvqyu|kubul|wkocx)|i(esbmt|nrlmq|kderh)|u(kzmkf|qtymd|ohifv)|nuemoh|f(fdkms|baxqs|hnzeq)|z(hzcie|djdhl)|e(cewnt|gfgfc)|gylguv|xxbhyf|ljpfhb|murdpr|vxippp|rxvrbe|w(qwzhi|auulz)|jadofz)|g(hf(aehu|snbh)|kayydp|b(wnuxc|gmlqi|powzh)|iqzgpz|q(fwrhg|nnefj|dcmkg|eulnz)|u(sikop|ppeqp)|tqkuqd|x(lxjxz|bjfhw|c(stwr|pcuk))|eerytc|v(kpftn|mrxug)|n(aoumo|tfsuo)|fjoaby|pw(gmjh|wkue)|mfgkgv|z(sigac|rxsdb)|obqorz|yvrfok|wutmqf)|m(d(mwgul|bcmzb|ndmze)|c(prech|ladlo|ftdle)|ncoyis|v(c(xgqm|ejei)|wlrfr|uthju)|qhfyec|y(lqthp|brgkv|shflc)|f(dkkto|esnkk)|s(wabzb|evhxq)|l(h(fxig|xvlq)|iwlvq)|m(cmgbd|rycpy)|kxqfdd|rmguaa|bvwtlv|w(jgkkk|soqwp)|j(mjnmt|rpgju)|aotxef|iakbjk|eqhslp|zefjac)|z(dasdef|zpvqqq|n(v(diby|yzos)|wdooh|iysfb)|c(tibhw|pfndq|gqroe|vpbwl|lryxi|hnsvj)|o(pncce|lsxis)|vi(jjgh|yvvu)|g(qgehm|hhrhk|dqctb|ligpo)|lkcwxi|eayyin|q(fwhql|taxae|pqmiu)|yetnkx|sqjtwo|agsplq|xdbxvv|kjalgv|f(fptqp|tiplw)|bxvski|tzhnxf|rjnqly)|n(c(xivne|byqpq)|b(wuozs|pybhz)|g(qkqrj|reios|djlzy)|qgnxpg|vsjuua|j(grdlp|trbvi|zcubx)|h(fzizs|qhmro)|wpmsgt|llvpai|k(kgkns|yqqdi)|okgrjm|uvpofr|z(znpge|xjyiw|opwyr)|mlexze|ywtojw|n(qpfrv|msnkz)|t(yzanw|bepnp))|u(x(dikaf|azoax|vreks)|z(mwngj|qpjbz)|k(yhspr|qwemk)|p(jhsro|ovicr|eyivg|zsvrx)|h(tyknn|kibyq)|r(apptx|lezkl|jmife|tzzpz)|u(gswpx|dqsdi)|y(cecpp|thfxs|yjzet|htuut)|f(mntos|qrokc)|w(wkyxg|gdzbx)|ifaknf|bsmnmf|lrgwow|jtxziv|qouaal|gaxlnb)|d(d(cbfvl|rpicp)|x(e(agqm|xrlw)|jjntx)|s(gnpeh|vxgzc|mzvrs)|n(gbamo|vnchc)|z(qubdv|ejifx)|wdvxan|kizcvu|msntmg|qnvupa|h(mgrrv|gtiwe)|t(u(puwa|tfnw)|knfpz)|u(vvghd|ifuxs)|oauwgl|r(orvsj|mxkfq|bijab)|ynbzzh|fvxojb|jvxqek|b(wykof|jujxf)|gqgwpl|pqrljs|ahksiy)|i(a(dwxhf|vqjoz|xiham)|zxcaen|d(cxytl|hohnl|iszlq)|ymjmwu|ejijeg|wmmdcm|oluktz|cerzgj|jqakit|lkhgdb|t(arszd|jbixh)|k(rpirf|qqrpr)|uuklxe|rlslko|pdxzdi|blekrl|fiqnqm|iklfxl)|e(s(rdxvc|jwojl)|qqzhvu|p(itkyh|zrtkw|dbzyl|llqlt)|y(ezcab|iyouf)|v(vgwcw|cfkvf)|x(xlgmk|nvenn|qozao|jerwi)|aq(cuns|rujq)|i(laxjg|afqum)|o(bmneh|airfe|ruaav)|b(wrzja|ftucr|pkieg)|d(mgotp|oxzny)|m(zifzw|yrgfh)|k(vdmaj|qikxb)|l(nzcun|thueh)|c(kpknc|dfupf)|wwtwem|nxxmfe|fduleg|uuravi|tdpevf|zhxnkh|gyslun)|l(s(gsmjp|sacfp)|l(nbjfh|xamzk)|t(mcpwv|wzmfo|sgxuw|bddax)|e(luwnw|eqbaq)|uv(jsbw|xork)|kjqckd|y(tjtww|pbwmw|qxnsl)|nxrdud|whmlje|j(zphpw|pdjvw|blloi)|q(qksbh|jcwny|pmoou)|f(cxxuz|aheyf)|c(njedg|eqbef|ipamv)|gfxnll|x(mlpub|nozhw)|mfdgdm|b(ccxtq|elhxn)|hzmorw)|x(r(eqewv|zkdlp|b(nnzd|zuyi))|ddimle|u(kayjo|xldhu)|k(exgoi|safhx)|a(udqyr|isedl)|s(rfeaj|cwpxz|lvtbl)|l(mgoqr|agnay|bzoeq)|o(szbii|nmilr)|thoovf|ywizas|f(ummtj|vjjlg)|qonkoj|xudnmu|wjazxo|vlvyik)|r(cgmjqm|o(tklxo|uoozk)|zyiosb|kwaevd|wazuwf|m(dmacw|epswy)|g(oicya|ywwtz)|q(mkdwt|zlxao)|xoiqhi|yhhsyd|elrzcn|dzpusr|u(gpnqj|bxumu)|rnfigg|b(izxae|csftz)|puiaea|i(bnhdd|xhvao)|vcvlsk|fkrcsj|swbpzk)|o(p(fpbqh|chcau|uiexp)|q(fkxmk|hivuv|edfns)|w(chvbe|ofpmz)|mysied|lavopj|gwtjat|y(pjnyo|xolir)|f(drkim|lzgai)|behqyl|e(r(vnds|qpjo)|cqdkc)|hfbedn|r(xretg|jesld)|a(fqokx|etjeb|zajsl)|z(mfyoe|fvrwb)|kyykgr|j(dljje|pxsaq|cnrpl)|ujkdud|tkdtch|octbgg|cmtmea|nisegx)|k(p(antrk|sjhxp|ueuzm)|mmstdd|o(uuoow|lgroq)|w(savqp|dolek)|hwvmzy|eueiit|x(qvkui|veejy)|k(jgwlh|cgbqp|nubef)|v(paxln|mjtti)|g(oqrtz|smlfd)|y(qsaev|gvvly)|j(qljga|yvzwn)|nsgnoq|bvnhaf|dvwebi|cbqdam|uzriek|s(bwzfi|ipfrn|tvcyt)|q(cgjod|ghhgm|vvxai)|akoitw|f(wrcyv|xnhjj)|izwdrx)|v(r(zkcyt|hgjrm|dcqnw)|f(dmoje|uqobn)|kfusyr|ps(tnlx|imax)|d(rhwfj|nxbag)|b(sxrgv|cobpn)|jlpzwd|w(lfawc|bvabm|gqwzg)|ei(ehfn|qlzc)|a(npohz|ztpsh|exmpw)|oelwgs|m(mrgos|tjiiv)|t(kioxl|yheah)|x(msqka|eaush)|g(zhigh|g(dfkg|nylv))|sumcpr|vvvlnv|hapmdr|yszfij|clykbn)|y(c(dlhzb|zxhut)|e(eritb|kwrtx|whhgn)|y(biuaj|hwtmp)|m(sphfe|zaxlo)|d(zljax|dcmpv|rgyfj)|g(irany|xxyug|ztcgn)|l(wqdun|ajlws)|q(xbzlp|ajeoi)|fnjyxe|z(vvukv|zykkw|dzvxe|xkcig)|p(amecn|qsgxz|wpggu)|w(srwqe|qwsfs|fznjf)|aqredc|isrfxd|ra(yghw|jsbc)|bjmorz|hmctpv|kjziuc)|j(uexclw|npfxss|qxrztx|y(avtxl|nmewa)|x(l(szhh|oyws)|vukfv)|jwxrbn|cr(rnwg|fkxk)|w(bfucl|tvryq)|i(erxfr|wuviw|nqjof|vygnm|lgdqy|arviu)|tpsrwi|f(desaw|yphgw)|de(jwba|zyvu)|oqxomi|bftysc|glsbox|ltfqao|pbnrwn|hotdkz)|t(l(ncyen|eunxz)|oviyld|hxbedz|nmukfs|zcgtte|y(jmwyx|qprrs)|i(mkluh|wxqkv|qeotl)|mdraap|bydtgx|k(puqjn|bwesz)|x(neomy|rptta)|rvolgc|jagajt|q(fhpzv|mayyh)|drwryn|epirsq|pbdpru|syapuy|tvvdoj|g(bnmej|dtceb))|f(slqqqv|yjymyi|l(zmzca|plepa)|qcmhlx|rgcfpq|vslcly|p(bgoef|ngyqo)|odtbrh|e(utqkz|melak)|d(mqqyq|ktprq|dxlqr)|fdzxze|i(taudy|indbq|dzbff)|alphgm|zdputw|cbosug)|s(jyaadh|llbwhb|rjquwm|p(wpmvh|dnlov|gsgej|jvoxw)|k(emtel|lznvo)|g(gzvec|jzldc)|wpwcqf|o(mhljq|hoxpb|ciihy)|s(ppqdv|mocyu)|e(lthuk|kbmab)|hvhjco|b(szfyj|afkqa)|d(dtkqj|cfhmi)|iswyys|ynbzqr|xvwyzq|vlfxvm|a(hgrqy|mgyqq)|cndezk)|p(ulpmpy|tjtyaa|imrmxw|asppae|n(jaqco|tcnsk|dwjcd)|l(ruaml|kggpg)|w(rdlvf|jirip)|etxjlz|d(hlpqn|c(wolc|yavr)|mwwsf)|bessdr|kexosx|pjypum)|a(dkvkbh|qffqxw|kzsnrj|y(ionuq|mxlwt)|mhvwaa|g(jyraf|pzsbg|whooj)|sobsts|c(fkmka|ypoal)|uhnzbf|t(rkpot|ulfbt)|nfbiiv|lhtkmz|zycorf|hixhck|epnuco)|w(x(qmwls|yemuk|thmfu|obicu|ietup)|a(awoos|jjxjk|wcqrh)|d(noskz|fxcyc)|eqrssb|npaofp|m(swgfs|vvwya)|c(xczjx|eyvvc|fqubc)|lnzdrx|rgvwms|obhuei|j(iagov|viwds)|gjjqvl|svictj|y(nezry|mjmnh)|ugptgk|zlwqxc|bkmvyz|wobfia))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633124; rev:2;)
# sid 2633125 includes 209 (1201 - 1410) 7 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.info)"; content:"|07|";content:"|04|info|00|";nocase;within: 10;pcre: "/(g(vqygpo|wqrenk|xv(jszv|shoj)|ryfuts|ourjkl|qbeefx|epfudu|cwmqje)|c(q(yuhwq|qcvyv|ixvut)|c(gbgec|artxu)|gvvqtj|sbuysa|lbqaxx|hujdzq)|p(lafeaw|qqmwds|grgtir|jossdq|erimth|rnqmah|mcoaxx|dfzpjn)|w(pjthnt|znvnnf|qqrzut|cueoqp|lnxlgr|y(isfxz|wahck)|vhbsrp|jlztre|detpjd)|f(szwptd|rfkvxm|c(omqxo|qlhnp)|egmhqh|kxlvmq|byoofi|yimlal|weuyvm|xquwuh)|n(ifhymv|g(rcixb|khinq)|u(acccx|joisw)|hjubkf|tncisz|kdvemh|yvovcc)|z(xipxlc|h(ywxbc|cnqrh|bmtko)|jadtcm|k(gvgfo|enrqh)|mwunhx|rohbsg|lqpayj)|r(awyqom|hprsql|eceevu|udupwu|jzibxx|lciaan)|q(euvimw|f(olxag|bfjbx)|osomsp|hrtdls|ryfexx|xrkvdw|z(bvzli|mvsuw)|qkjgfp|csdbsv)|u(u(jucqb|cuvbx)|c(aerif|dqutz)|dkbunx|prqafv)|j(g(lstma|odneq)|lqvzba|i(tejyp|iwril|bfxsa)|vitxel|aqxhzn)|h(o(cjppn|nvlud)|v(ufozi|yjzaj)|sjavzt|jqntjf|bvyldh|iyytei|qyliue|ykvxul)|t(zkjbzs|oyrodc|wsfeqy|yxshii|hgfcgn|fmakvn|xhijui)|l(ttwlzh|fyrgew|qndutk|abswbl|ieyskl|sbhjee|xhtypq|ovctsp)|s(nbhgwk|cfpqvx|mkdzas|qalakc|tfdjha|bzcphg|omvfyg|zgthmk|girjph)|x(y(dvokc|auaav)|xrdnwe|kepcuh|tsbacp|pdqjsy)|e(zgczjj|iqpzbl|vzvatf|rygfbp)|i(z(mpgrm|fxwow)|xdsgtb|lfjunj|i(opjpl|pkeme)|dzghqw|muujhw|glbtwp|eavrwp)|o(b(nippe|cfvhl)|gaolqw|amttrl|mtsoqm)|b(msgitm|z(s(jfjm|fcjw)|geyfw)|hzmavn|yjljwu|vguaug|ffauwo|jmeuzx|ncyzbd|kiyiwj|ahbbtb)|v(onacxl|jtapco|vwewib|aklhvl|lrgovi|zprwna|qlqtps|mbbjxa)|k(meypjz|jkrvol|g(sdndo|jcsqh)|siwhhu)|d(xltnnr|d(banfg|wtmgr)|yfkeyb|jeaxiq)|m(zfdvlq|owcfio|jqauax|wmedzx|aklpad)|y(xh(vtjk|tnbi)|p(wupzk|qjxps)|mkldtd|a(ceqhe|upzqg)|yuqcjg|cgteef|iwwblt)|a(i(yslvi|hwwsg)|vdursc|brzdjm|f(epken|ogxke)|rpfbqi|uuflkw|plppvp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633125; rev:2;)
# sid 2633126 includes 600 (0 - 600) 8 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: "/(g(j(drfnut|ccmicy)|ajiqopx|e(rregpp|ukbbru)|w(vflctn|cyobre)|trfoivl|qxlpjmb|rcvdfps|zi(zptpf|aivwd)|ddaybab|flyakzs|ikvjcdb|sblykfu|czivdqn|gqyqllk|xlqpqxc|pgupeaq|ntsslna)|a(v(vazijw|zplrbw)|whrgrrk|a(sjvths|cedthm)|f(gnqbjr|thxgra)|h(pfijej|wnxxeb)|civbrch|taayxbi|elmhqyp|n(egcngo|hanfef)|sjvrrze|qpcmghx|yncymzy|rredmkc|oogwvdx|kdxcbxr)|y(fzklaex|hlmxpvx|p(vxgkqe|iatmwu|cuvzuu)|r(pgqoqu|jdazis|lbvykw)|gxxzhem|e(iylxyb|civcsc|mvegyx)|cgvnybm|b(vqyihj|oqzivs)|q(fnggan|yogtdt|kakhmh|alaebi)|ihlstnn|t(jkhfkn|piyslk)|wrooaps|j(pdcrnv|xdfwpp|yqctsg)|y(zhxxbn|pqwepc)|swwvejq|oatppxv|lwxkuvr)|r(y(nvoara|issqfw)|u(umtptj|kzohie)|f(ruuvqu|ejugue)|hbgtmng|jdhnxhd|e(twdydj|jnbaqo)|bshzkvq|i(pgxuyk|uzgnby|h(brnoa|soglf))|kwfcyvt|rnwrraq|xvprxcl|wclzjqi|pkqkdvb|niousog|zddoshb|sadkgor|ddwrgxq)|b(g(gxcdbp|txavip|kkwkxz)|u(sfbeie|mhmrpj|unjvau)|s(i(fxqqy|mxgcf)|twjdkj)|r(zcmfkq|jdnyde)|j(ohnmoh|lunlcc|beotzq)|w(ollodb|pgoeem)|xnqgcpu|fyqjtny|v(p(dazfj|oomzq)|fmpsvc)|e(eidfvb|zkxunf|vtaxpw)|pngqqmg|dditarv|i(llqobk|yhgfop)|njkgyvt|hbtvtbx|lyrsatd|aliarft|txgxymk)|u(l(igasxj|ddhblz)|t(ykxyiq|sbkwvb|tztqqy|dqhiex)|k(vzboys|clohan)|u(oikjwm|cwicsw)|dntqzug|b(rcalzv|vqlkqv)|o(caclpl|nkkdjz)|z(gnmieo|juqtfe|yovgfm|dvbpzg)|j(udlomv|hjecml)|arqezzf|m(zrcypc|lujgvn)|y(aasgzt|z(vduuw|giiqg))|fphskek|evapdwm|sblxuiq)|z(vraliee|bnqobak|nibgzjx|jpexpop|azulayz|yulroxr|qciybcl|fogtlox|ervyoom|r(pdtrxn|oybnju)|l(ffjzog|ppnkvr)|wzklpyt|guwoesx|slrfceb|kagqaaa|dnguxvb|pqbrcxf)|f(wroyukm|f(qnoaiy|ielixr)|x(prmnqc|djhknj)|tupxbdb|d(ypdadp|xhfdat)|e(bpqwyh|jyvrhd|twezcp)|gpdwnys|v(yybasg|itgffe|foiwxi|tiibvf)|z(thlkgy|jnilsx)|b(zkireq|xfoqls)|qijwykt|uasbkmr|ksftlvj)|d(x(etrhty|hpfsyy)|q(nmaing|acuhri)|y(qvdtdc|szbywi)|f(iwoggd|spvhir)|r(bsjjjn|vtjtwg|jnrajn)|zxjiqkl|pgqiyfx|eqbkaoa|h(fnplyk|bzyxba|sibfat)|ijtfqxc|jsayhjv|tfdnrla|ujskwcn|dszbzed|mfuohht|gtzhynl|wuvprcw|viqpdtj|cvzfaov)|w(utvpykm|defbmte|e(enpbrg|sgfnul)|j(gtadsb|rivsnm)|affocvg|lfvvedh|rytxzzb|ypmejaq|hozgfgo|mayqvsb|o(zezolt|ynkuri)|grbsrsf|ctflrjo|k(ofnkta|euuvlx|cyegof)|p(lseaul|yrgvme|rtfnbr)|xleguzf|tlcpktb|qjxlqjc|wokizqc|zcauivd)|e(u(jnduki|axwgcz|xooeei)|lwozqks|nkucqzg|xdqagvo|yuqrqss|rpdmffu|bromyax|z(hkiypm|wlemoq)|jhtsjln|emborcu)|o(xjkjrsu|q(vzyiow|szjtwb)|a(ejwgqe|vcumce)|t(vcchgg|rvdioq|hcuepp)|fnyoyhh|hyorcrn|lvmjhie|gqsyffw|pyuakrs|ejayvfj|dhtwyzv|y(uzooai|anhrxu)|vifjush|mcuqlef|novywvu|otczfra)|x(xbslrtk|v(bwfvwb|zzazdi)|zhigmbv|ovgosjq|govojvv|ausihma|w(fxjmbo|irtfkw)|rkefzhu|c(afgogx|ywgaor|eppnxf)|mcnynur|ezxrykn|dguvinq|n(owpncy|bhjhfb))|m(f(qklacu|bngeww|mneuau|gjamlg)|a(fdwmqo|ajmigi)|h(hsxqwl|wdigaz|zzzcli)|c(rebmax|fbkpkf)|l(txkzdi|ppckrs)|s(btvnlm|lbuolv)|u(hfniru|npmvyk)|y(mxfnsr|oysupe)|x(hesxyi|nokwfy)|dysonfw|otohmmu|gfzdmbc|p(tcutzy|rzxjdf)|vngefsc|wacyvcf|i(zcblzc|oaryvr)|qemluiv|mtastug)|s(uqzbgbp|iyxcqpx|r(rjdvgp|vxkanx|wfuwbt)|xrubsqc|hqpmkhy|djtakpe|couobcl|p(etzhen|vcyvrf)|g(dnjnhn|kuryah)|qcmodoe|zhuqeoe|fozhwqu|slqeblo|vzuqsoc|tkwugtv|byzegrw|mabwjzu|ltkcgqe)|c(wfzrgcc|i(bompzx|fjbtke)|z(kujvck|bukpnc|njhbrp)|crtbdom|n(uzccgl|jdiwbh)|dcmtcxd|kf(kxkic|pgkna)|uazmjli|pnpiyis|acfznwo|m(jmboif|plsnpp)|y(ltcegr|cgihaj)|xpgoweg|gpguhwp|bmccyra|ljwglpf|tvsvbwx|sdtmgmj)|q(adqvvnj|llpfooy|i(ugdxej|rjevov|agpbpd)|gxnaglj|bajyape|xkvlqwi|muwgdth|wfcxgnc|okjsrql|vmrqlgc)|k(tmviuqm|l(brxmlm|jertpk|ebbyjt)|jscmged|wzlxpov|pqkmlfl|oeqnknf|y(ruhvxs|seiuyw)|quiqivq|szstdfv|djaodzt)|p(b(fcqxtr|elzomq|juojvx)|s(tdijpq|eukonv)|hhqibjf|pelunmd|emvarjc|n(vrldsh|cuctkn|plpblw)|akqpkws|lbayute|v(l(cabia|qaeqd)|ajxmbk)|ybsxwqz|zuoujfc|r(vthero|qgnwln)|d(owfcyb|trqtcp)|thtchzu|kgypelt)|t(pchzpvd|yjgmijc|rsajdfy|h(nkncll|bcqjhe)|femfvla|e(cdmnov|auevgg)|nbfzuvu|u(paoogp|zgyrcf)|g(pdjdlk|vchjox)|ldzvawl|mmqgrus|tajsayf|wkyxvyv|jamkwal|blxhwzj|cqjplmb|sefsvdk)|v(ingeald|udptlxr|j(txlmkq|qzwjqi)|pbyheny|o(nilcid|lkgrhn)|t(uadrbz|wfejgq|edqntl)|w(dnixgs|stiqlm|zzkrvl|epgubl)|b(mrhzok|epeqyr)|ewvbuxf|d(frcvct|aavfvo)|szbxajx|v(nemjke|tjzbml|biuypo)|fjwdfqg|mfcicqy|cvregyo|yrtsobn|qhqezko)|h(m(ikvocm|gxmbzp)|k(qvenzz|wtbhpg)|h(avzixs|mwizlj)|vfgfhmj|rylxuop|a(xzklma|pdllqy)|tyaulcw|iktisjf|ptzjtgw|fvzhsiv|etoxdau|uqsjyhk|n(thmhci|ulseht)|sihenbr|occxiiv|d(rrcxib|qufllv)|ymmvdli|bhsiccs)|n(ddfvcvz|u(lblbue|olmslb|pxoyxm)|zm(dcakz|kwobb)|qmcmcxf|k(typnsc|lnaqga|ckpseq)|hfsmreq|tyrmvae|c(efmsid|vqtgxr)|njhiuhy|p(hpyerq|zskrhx)|gpgdtak|xzoxddb|svbikyl|jyazidj)|i(l(hcsfma|qsfhic)|h(vvnwak|iyksus)|z(acudxm|xaeofw)|chrnjrf|gzrqavp|tfjtgot|soyrtoc|bekmnqk|m(rgsaxf|lprotn)|o(nhpanp|kakwcz|deqyej)|uttojkb|q(othcgp|byfbet)|vvujwky|f(wsbprp|mmwyxt)|w(dowsod|pnhwbu)|yonguda)|l(v(qplqqy|flkutp|obymsl)|zubkagr|kxeaofb|ltmvupq|iqtzhuq|rvjbepx|q(bkxkij|hlavrg|zewnte)|tmcwexm|grvjawb|n(tgxrau|yzxnau)|u(yjtllk|pwmnqm)|fwfldxm|m(nhbfxm|cxvfrl))|j(y(mfqiwf|fzrdnv|dzowwv)|f(pnuzlc|ydvlrq|ucxiuz)|n(hayeqx|ljaxjk)|vcbtmjc|dhwisfl|s(z(wjpjp|jnbgk)|efnwgy)|ightvsq|ltglwmm|klowabc|u(mkkgoj|tflivn|dtbjbp)|tydjmpz|h(wxuiwa|dbqpir)|goenrpi|paryijo|q(xdrqso|mcjlqn)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633126; rev:2;)
# sid 2633127 includes 1200 (601 - 1200) 8 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: "/(g(j(drfnut|ccmicy|nyjqtu)|ajiqopx|e(rregpp|ukbbru|tdkwxi)|w(vflctn|cyobre|xywjdz|fgztzg)|trfoivl|qxlpjmb|rcvdfps|zi(zptpf|aivwd)|d(daybab|ppqdcc|rpshft)|flyakzs|i(kvjcdb|ezrbxx)|sblykfu|c(zivdqn|hzilof)|g(qyqllk|ofaczv)|x(lqpqxc|sfgzbo)|p(g(upeaq|hrncv)|zmklha)|ntsslna|vy(ipcbe|kzztl)|hrpnuyr|uhqkojo|odhzoig|y(agluso|ypdgyi))|a(v(vazijw|zplrbw|gcnnac)|w(hrgrrk|l(ewjpe|sjwyh))|a(sjvths|cedthm)|f(gnqbjr|thxgra|myrvcv)|h(pfijej|wnxxeb)|c(ivbrch|hraaef)|taayxbi|e(lmhqyp|dzzlnc)|n(egcngo|hanfef|nwclyr)|s(jvrrze|xugjzm)|qpcmghx|y(ncymzy|cgslko)|r(redmkc|bwlnmm|qpwgbw)|oogwvdx|k(dxcbxr|pzangd)|lohyiky|u(ppfnbr|fqsivy)|izxnkcx|xlupvci|b(izlanw|cibegr)|phithhj|mlehntm)|y(fzklaex|hlmxpvx|p(vxgkqe|iatmwu|cuvzuu)|r(pgqoqu|jdazis|lbvykw|orejaw)|g(xxzhem|dapxsf|lzkfsa|oadfdp)|e(iylxyb|civcsc|mvegyx|ngsxvh|hfydfm)|c(gvnybm|lznkur)|b(vqyihj|oqzivs|skzzkp|p(galjp|xgpwf))|q(fnggan|yogtdt|kakhmh|alaebi|naokod)|ihlstnn|t(jkhfkn|piyslk|clwfda)|w(rooaps|trycel)|j(pdcrnv|xdfwpp|yqctsg|clmiyt)|y(zhxxbn|pqwepc|tciykx|durkhp)|swwvejq|o(atppxv|yebhhi)|lwxkuvr|z(udycfi|aaqjuy)|amfevyy|d(qkadzp|snskzu)|n(fhqipw|ifnulb)|musfrxa|vgyusaw)|r(y(nvoara|i(ssqfw|gtutp))|u(umtptj|kzohie|pdoalh)|f(ruuvqu|ejugue|pteboa)|h(bgtmng|zzigpa)|j(dhnxhd|blevno)|e(twdydj|jnbaqo)|bshzkvq|i(pgxuyk|uzgnby|h(brnoa|soglf))|k(wfcyvt|tjppma)|r(n(wrraq|agmjk)|idqxdv|onsmrh)|x(vprxcl|bjtagx)|w(clzjqi|xoqllp)|p(kqkdvb|jftphv)|n(iousog|yxwzdc)|zddoshb|sadkgor|d(dwrgxq|wuftol|lgcfca)|ctzootk|t(yjhmqp|pwdtrp)|q(axubzq|getapb)|gpoinkn|ahgyxzp|ofnozdy|vwtnnhj)|b(g(gxcdbp|txavip|kkwkxz)|u(sfbeie|mhmrpj|unjvau)|s(i(fxqqy|mxgcf)|twjdkj|pygvhh)|r(zcmfkq|jdnyde|fpybme)|j(ohnmoh|lunlcc|beotzq|mjwcnd)|w(ollodb|pgoeem)|xnqgcpu|fy(qjtny|vzavb)|v(p(dazfj|oomzq)|fmpsvc)|e(eidfvb|zkxunf|vtaxpw|gxkxcd)|p(ngqqmg|ayjpci)|dditarv|i(llqobk|yhgfop|hjaoce)|n(jkgyvt|sseoze)|hbtvtbx|lyrsatd|aliarft|txgxymk|m(bdvgbi|vicige)|ylwimrl|zqflhhf|cabatoa)|u(l(igasxj|d(dhblz|hmdyb)|fvmltj|ectvwy)|t(ykxyiq|sbkwvb|tztqqy|dqhiex)|k(vzboys|clohan|mpxytz)|u(oikjwm|cwicsw|kdhgef)|dntqzug|b(rcalzv|vqlkqv)|o(caclpl|nkkdjz|bezqzg)|z(gnmieo|juqtfe|yovgfm|dvbpzg|erkbkm)|j(udlomv|hjecml)|a(rqezzf|mktcfi)|m(zrcypc|lujgvn)|y(aasgzt|z(vduuw|giiqg)|mzmxpk)|f(phskek|jdeiei|rgwdah)|evapdwm|s(blxuiq|cjxlsp)|c(cbgvyz|iblmnb)|qowxjwq|x(vnmidw|spcbmj|rqjfrb)|p(dhdxbe|wiyquy)|rmllpyw)|z(vraliee|b(nqobak|wjkbnm)|n(ibgzjx|wrotop)|jpexpop|a(zulayz|ucsrds)|y(ulroxr|tmicqi)|q(ciybcl|ebtmsb)|fogtlox|e(rvyoom|zoxjdy)|r(pdtrxn|oybnju|jcjlea|nzutvk)|l(ffjzog|ppnkvr|ybizmk)|wzklpyt|g(u(woesx|umwdp)|rbdgbe|ztybfm)|s(lrfceb|uizxux)|k(agqaaa|xmafak|loiozn)|d(nguxvb|dekjxt)|p(qbrcxf|kqbjda)|xmhxhgz|m(bnpkjb|vybfjm)|uhlmllg|c(cjyfhb|flyzgm|ziyelj)|ilstppz)|f(w(royukm|svgjzh)|f(qnoaiy|ielixr)|x(prmnqc|d(jhknj|aiwyz)|wnvmbe)|t(upxbdb|avkujv)|d(ypdadp|xhfdat)|e(bpqwyh|jyvrhd|twezcp|dtxybi)|gpdwnys|v(yybasg|itgffe|foiwxi|tiibvf)|z(thlkgy|jnilsx)|b(zkireq|xfoqls|gzposb)|q(ijwykt|jkxsom)|u(asbkmr|thvzqi|hlqnft)|k(sftlvj|yqoebu)|h(liqiwl|ilzjbn|bfojeo)|ociyefv|aeygwvv)|d(x(etrhty|hpfsyy|nofutf)|q(nmaing|acuhri|tvuqeg)|y(qvdtdc|szbywi)|f(iwoggd|spvhir|kalehk)|r(bsjjjn|vtjtwg|jnrajn|kybitf)|zxjiqkl|p(gqiyfx|eufqyy|loqubg)|e(qbkaoa|kgijel)|h(fnplyk|bzyxba|sibfat)|i(jtfqxc|hgqopi)|jsayhjv|t(fdnrla|esfhkj)|ujskwcn|dszbzed|m(fuohht|so(lfrd|vhwt)|yoxhuj)|g(tzhynl|honuik|aairfy|zbkest|qwsmwx)|wuvprcw|v(iqpdtj|sircmv|aqkzfp|tvadme)|cvzfaov|n(jnljff|y(bisob|scxjv))|b(nyricu|hysrgf|eqxznx)|ogwyagj|a(lfozoq|ccintb)|kpqhnnd|l(nozqul|grxdmq))|w(u(tvpykm|qdjpnc|wsnwme)|defbmte|e(enpbrg|sgfnul)|j(g(tadsb|espuu)|r(ivsnm|xecpv)|zvlpbb)|a(ffocvg|eftnju)|l(fvvedh|vprffy)|rytxzzb|y(pmejaq|bmqfkm)|h(o(zgfgo|pjwmu)|yeyagr)|m(ayqvsb|rwivrp)|o(zezolt|ynkuri|eyjsvg)|g(rbsrsf|kgtqkj)|ctflrjo|k(o(fnkta|yxuru)|euuvlx|cyegof)|p(lseaul|yrgvme|rtfnbr)|xleguzf|t(lcpktb|czanfs)|q(jxlqjc|cclzfm)|wokizqc|zcauivd|nteeruz)|e(u(jnduki|axwgcz|xooeei)|l(wozqks|oqjqbr)|n(kucqzg|djpylk|lbalyp)|xdqagvo|y(uqrqss|egysvp)|rpdmffu|b(romyax|qrgukr|etsldu)|z(hkiypm|wlemoq)|j(htsjln|utoidi|oqsasv|bjnkbk)|e(mborcu|pdhfpw|ilmfbh)|a(vkcbnl|pkzcjx)|o(sxkdpw|zcuohn)|fzdsglp|d(inqbok|mkizhp|ahehvh)|gaypdgm|qelwkim|t(uasmoz|psivxa)|vgleflf|skryxfb|iubbvjv|m(ppjpzl|fifril)|wwgawnt)|o(x(jkjrsu|nilcli)|q(vzyiow|szjtwb)|a(ejwgqe|vcumce|oqjjgk)|t(vcchgg|rvdioq|hcuepp|uzfbzn)|fnyoyhh|h(yorcrn|lrheop|vzivko)|l(vmjhie|okvsxp)|gqsyffw|p(yuakrs|gqtvpu)|e(jayvfj|f(fcvbr|dwwuj))|dhtwyzv|y(uzooai|anhrxu|huecdr)|vifjush|m(cuqlef|kwxczd)|n(ovywvu|prfsql)|o(tczfra|xnypbs)|wduqlhy|jchbudk|iqtjjcc|ubjxrfp|rmghqwr|cqrcszy)|x(x(bslrtk|subpoi|achlxm)|v(bwfvwb|zzazdi)|zhigmbv|ovgosjq|g(ovojvv|kgystl|mmiceh)|a(usihma|efuqid)|w(fxjmbo|irtfkw|jzhtjp|yqwdft|updnzo)|rkefzhu|c(afgogx|ywgaor|eppnxf|mbkxdq)|mcnynur|e(zxrykn|c(gyadj|erqyq)|ynoedg)|d(guvinq|khfees|qzyayi|sqgdei)|n(owpncy|bhjhfb)|lptiqqw|u(qexdwi|wnqdmc)|k(piyptl|ovjlqz)|qonfpkv|j(rzrwib|godqzj)|skdppyq|itwrpxs|yyoczyy)|m(f(qklacu|bngeww|mneuau|gjamlg|zdhbtf)|a(fdwmqo|ajmigi|hluvmb)|h(hsxqwl|wdigaz|zzzcli)|c(rebmax|fbkpkf|qkxmot|wpxpdz|owxiyx)|l(txkzdi|ppckrs|yffffy)|s(btvnlm|lbuolv)|u(hfniru|npmvyk)|y(mxfnsr|oysupe)|x(hesxyi|nokwfy|ikrvxe)|d(ysonfw|c(urlya|zzpwh)|wxrdww|teqwzw)|o(tohmmu|ikcdyp)|gfzdmbc|p(tcutzy|rzxjdf)|v(ngefsc|wiepzm)|wacyvcf|i(zcblzc|oaryvr|hdtakc)|qemluiv|mtastug|e(azsrym|lokvud)|z(piwujd|vmcmtl|tebydx|jxzyvv)|j(ubxsto|qicajd)|r(p(flgas|xxhdv)|macfus)|toknyhe|kqiizri|bhsjnbr)|s(uqzbgbp|iyxcqpx|r(r(jdvgp|qivax)|vxkanx|wfuwbt)|xrubsqc|hqpmkhy|d(jtakpe|oojpmq)|c(ouobcl|zkghnw)|p(etzhen|vcyvrf)|g(dnjnhn|kuryah)|qcmodoe|zhuqeoe|fozhwqu|s(lqeblo|jpwwhj|pqouhv)|v(zuqsoc|tghmdf|vefxal)|t(kwugtv|mxnlyn|reteks)|byzegrw|m(abwjzu|bivvwu)|l(tkcgqe|rerolz)|ofthbbi|j(chzaoo|moxmdo|gdxlfx)|n(lckdxy|sahwec)|y(msdtlr|heaeeo)|k(feiwyv|yuboff)|wswecon|espxoht)|c(w(fzrgcc|zdvryc)|i(bompzx|fjbtke|rfgqjn|sehhbe|dyeceq)|z(kujvck|b(ukpnc|kahdo)|njhbrp|qxpugi)|c(rtbdom|ehawjd)|n(uzccgl|jdiwbh)|d(cmtcxd|bgkyzf)|kf(kxkic|pgkna)|u(azmjli|qhqkon)|p(npiyis|ouvsss)|acfznwo|m(jmboif|plsnpp)|y(ltcegr|cgihaj)|xpgoweg|g(pguhwp|ilyjva)|bmccyra|ljwglpf|t(vsvbwx|zvqfxa|herjoq)|s(dtmgmj|wuyixe)|v(tjmnal|mrsyzt)|q(sispiy|cxbdye)|j(uitcnd|igetyu|leiuyd)|eebrppg)|q(a(dqvvnj|zjgsqs)|l(lpfooy|vcrkbx)|i(ugdxej|rjevov|agpbpd)|g(xnaglj|vkemez)|b(ajyape|xizlua)|x(kvlqwi|tjbnjh)|m(uwgdth|rkyzeh)|w(fcxgnc|lluhed|orjney)|o(kjsrql|cheunm)|v(mrqlgc|ojvjws)|qntlbiz|j(vppimw|sditmf)|s(pnyhii|yrsyno|cooeov)|rsuqshl|p(yizxdd|frjwbc)|uddxmnj|ezkspsw)|k(t(mviuqm|zhuikh)|l(brxmlm|jertpk|ebbyjt)|j(scmged|nskzos)|wzlxpov|p(qkmlfl|okglnr)|oeqnknf|y(ruhvxs|seiuyw)|q(uiqivq|d(uqzhx|lpmhs))|s(zstdfv|oweuom|dwngsj|tzctgq)|d(jaodzt|mpygln)|ghudljm|rpucnkn|zydmdfz|chkghws|e(zfbvoj|yinjye|rytkhl)|veknlfq|b(gewbtp|mkidkj)|aqblcps|mjgbhxc|kyhuxsx)|p(b(fcqxtr|elzomq|juojvx|tsngfp)|s(tdijpq|eukonv)|h(hqibjf|vrqqla|quprbp|xciiam)|pelunmd|emvarjc|n(vrldsh|cuctkn|plpblw|xphiah)|a(kqpkws|rdqmaq|sxcmqy)|l(bayute|qqpbvk)|v(l(cabia|qaeqd)|ajxmbk|tucoea|yottmh)|ybsxwqz|z(uoujfc|szkeqw)|r(vthero|qgnwln|nylnjf|fgtmqf)|d(owfcyb|trqtcp|myvlbx|bcisip|wzzbio|kbmawa)|t(htchzu|ppxabb|bvtafu)|k(gypelt|tlslbk)|m(zhpyhf|ajrzxq)|w(tzulls|gqiecd)|u(sktsrz|ipwram|ligjyi)|fryzpmk|gkhvjkj|jxcdvbl)|t(pchzpvd|y(jgmijc|tvkkql)|r(s(ajdfy|bjvaj)|ckloqt)|h(nkncll|bcqjhe|hfjsif)|f(emfvla|cvbmab)|e(cdmnov|auevgg|fyuyjz)|nbfzuvu|u(paoogp|zgyrcf|exjota)|g(pdjdlk|vchjox|bhvkau)|ldzvawl|m(mqgrus|rjpics)|t(ajsayf|ywgwki)|w(kyxvyv|dpjzbj|tvljaj)|j(amkwal|znxaxt)|blxhwzj|c(qjplmb|gbxean)|s(efsvdk|wjeuwj|dponlp|kratll)|avjsaki|qemisuq|zmdmetd|vdnrfbq|ijbncgc|oawrgsi)|v(ingeald|u(dptlxr|vcddrp|rpyhet)|j(t(xlmkq|mjhla)|qzwjqi|uybspc)|pbyheny|o(nilcid|lkgrhn)|t(uadrbz|wfejgq|edqntl|sbcqfn)|w(dnixgs|stiqlm|zzkrvl|epgubl)|b(mrhzok|epeqyr|qundsb)|e(wvbuxf|ntqhby)|d(frcvct|aavfvo|kclqxt)|s(zbxajx|sderjg)|v(nemjke|tjzbml|biuypo|krvbqq|ilvmsc)|f(jwdfqg|zional)|m(fcicqy|nvucel|jolouh)|c(vregyo|yewgkh)|y(rtsobn|whxpng|nirwyn)|qhqezko|htheqkg|zezhsgd|nzspheh)|h(m(ikvocm|gxmbzp)|k(qvenzz|wtbhpg)|h(avzixs|mwizlj|uyrnvz)|vfgfhmj|r(ylxuop|zatdyv|wypfie)|a(xzklma|pdllqy|qsmtmt)|t(yaulcw|dawfsh)|i(ktisjf|jqpqfs|fjomkd)|p(tzjtgw|onbuek|xqypli)|fvzhsiv|e(toxdau|xtskqx)|uqsjyhk|n(thmhci|ulseht|rajnff)|s(ihenbr|evaygj)|o(ccxiiv|wfbayc)|d(rrcxib|qufllv|fixbdz|sxkoqh)|y(mmvdli|lrqrgz)|b(hsiccs|iqqtre|zhxeou|sggfyf)|j(yrxyvg|ulqziu)|g(vankbv|jzdvys|klrgct)|citmaje)|n(d(dfvcvz|inshlh|vwgbmx|cwfetp)|u(lblbue|olmslb|pxoyxm|vognta|gqngks|esjksh)|zm(dcakz|kwobb)|q(mcmcxf|dfwmhf|pkbutb)|k(typnsc|lnaqga|ckpseq|dwvixq|khqbbv|zlsppd)|h(fsmreq|dgfuok|vcmgib)|t(yrmvae|nfmdpr|dtzmio)|c(efmsid|vqtgxr|krtses)|n(jhiuhy|rtlkol)|p(hpyerq|zskrhx|suvipm)|g(pgdtak|knrlga)|xzoxddb|svbikyl|jyazidj|y(cipqvl|haecck|tppsnv)|a(sbcywc|umwogn|rbuhhe)|w(zvkocg|pnxmvy)|m(njmwgy|lgpmqn|oxtnto)|r(hdoexq|ujpihb)|lftjfrf|b(bwyggh|pvdelb)|ftblrzo|iwsdyti)|i(l(hcsfma|qsfhic)|h(vvnwak|iyksus|zfiyey|unkluk)|z(acudxm|xaeofw)|chrnjrf|g(zrqavp|cjmhzn)|t(fjtgot|sjcrij)|soyrtoc|b(ekmnqk|mrexxt)|m(rgsaxf|lprotn)|o(nhpanp|kakwcz|deqyej|mzikwy)|uttojkb|q(othcgp|byfbet|j(emleg|bvesw))|v(vujwky|fcsrcl)|f(wsbprp|mmwyxt|czrngv)|w(dowsod|pnhwbu|rqjwiu)|yonguda|rmalmvy|kegqpiv|nutacse|i(nvgqqg|cpszxm)|eosecex|pacxaxj|x(kzegws|adzwyp))|l(v(qplqqy|flkutp|obymsl|ljgcic|iceyhd)|z(ubkagr|ldgxru)|kxeaofb|l(tmvupq|svsenz|zeiptp)|i(qtzhuq|vndcid)|rv(jbepx|tsbgs)|q(bkxkij|hlavrg|zewnte|pafmih)|tm(cwexm|ewvkv)|g(rvjawb|x(cfcbd|aduup)|pxtthg|hdnwqy)|n(tgxrau|yzxnau)|u(yjtllk|pwmnqm)|f(wfldxm|cmunhw|vekvmp)|m(nhbfxm|cxvfrl|iucwzs)|wqypkhe|amaqlfg|bzhloql|sudpfiz|ypgdscf|jytzuup|emtargw)|j(y(mfqiwf|fzrdnv|dzowwv)|f(pnuzlc|ydvlrq|ucxiuz|wbjwsd)|n(hayeqx|ljaxjk)|vcbtmjc|d(hwisfl|wpwewx|qa(pdhh|dleu))|s(z(wjpjp|jnbgk)|efnwgy)|i(ghtvsq|hqhpao)|ltglwmm|k(lowabc|bkutcn|jickip)|u(mkkgoj|tflivn|dtbjbp|jvvgho|nhtpdz)|tydjmpz|h(wxuiwa|dbqpir)|g(oenrpi|wfopiu)|p(aryijo|myvycb)|q(xdrqso|mcjlqn)|a(fammld|aqpdhl)|m(sxcszq|zhftho)|ebkusqw|jspqwvn|zawablf|ovauard|rejwamw))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633127; rev:2;)
# sid 2633128 includes 1615 (1201 - 1800) 8 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: "/(p(a(kqpkws|r(dqmaq|zqony)|sxcmqy|fmvjow|wznrmg)|b(elzomq|juojvx|t(sngfp|ftdnk)|gtexui|dcvyis|ihpzdv)|s(eukonv|jmmomo)|n(cuctkn|plpblw|xphiah|mglysn|apxfkb)|l(bayute|qqpbvk|ptfxro|djsyda|kxhxgw)|v(l(cabia|qaeqd)|ajxmbk|tucoea|yottmh|fhguii)|ybsxwqz|z(uoujfc|szkeqw|tvygjl|kimhcb)|r(vthero|qgnwln|nylnjf|fgtmqf|cosbch|jxytaz)|d(owfcyb|trqtcp|myvlbx|bcisip|wzzbio|kbmawa|ralhrw)|t(htchzu|ppxabb|bvtafu)|k(gypelt|tlslbk|sqreym)|m(zhpyhf|ajrzxq)|w(tzulls|gqiecd)|u(sktsrz|ipwram|ligjyi)|fryzpmk|h(vrqqla|quprbp|xciiam|irrlvk)|g(khvjkj|fovnlt|srekjk)|j(xcdvbl|blznsg)|xtvergo|q(tzgcvu|rzroez)|o(qprkts|cnyolf|iuklft)|ehztjhd)|f(v(yybasg|itgffe|foiwxi|tiibvf|puqxjf)|z(thlkgy|jnilsx|mzatoz)|b(zkireq|xfoqls|gzposb|osumlp|bhdwpj)|q(ijwykt|jkxsom|sspuhp)|e(jyvrhd|twezcp|dtxybi|lyolco)|fielixr|x(d(jhknj|aiwyz|nsagd)|wnvmbe|miwaiq|auntul)|u(asbkmr|thvzqi|hlqnft)|k(sftlvj|yqoebu)|wsvgjzh|tavkujv|h(liqiwl|ilzjbn|bfojeo)|ociyefv|aeygwvv|p(soumzq|hfwath)|g(qfabpm|mobzwi)|syzgtrg|rysdhvk|cenrjqy)|r(e(twdydj|j(nbaqo|dynmm))|f(ejugue|pteboa)|bshzkvq|i(pgxuyk|uzgnby|h(brnoa|soglf)|kvjicz)|k(wfcyvt|tjppma)|r(n(wrraq|agmjk)|idqxdv|onsmrh|fihith)|x(vprxcl|bjtagx)|w(clzjqi|xoqllp|towqog)|p(kqkdvb|jftphv)|n(iousog|yxwzdc)|zddoshb|yi(ssqfw|gtutp)|sadkgor|d(dwrgxq|wuftol|lgcfca|ojwbzc)|ctzootk|t(yjhmqp|pwdtrp|notawt|booadj)|j(blevno|ffakxx)|q(axubzq|getapb|hftxrf)|h(zzigpa|iypwfx)|gpoinkn|a(hgyxzp|bcrhta|nispjk)|u(pdoalh|jhtlxx)|ofnozdy|v(wtnnhj|posscm|ddjjcn))|y(p(iatmwu|cuvzuu|fxnqww|yzqdcw)|q(fnggan|yogtdt|kakhmh|alaebi|naokod)|e(civcsc|mvegyx|ngsxvh|hfydfm)|ihlstnn|b(oqzivs|skzzkp|p(galjp|xgpwf)|rerqua)|r(lbvykw|orejaw)|t(jkhfkn|piyslk|clwfda)|w(rooaps|trycel|pkcowc)|j(pdcrnv|xdfwpp|yqctsg|clmiyt|mwwgar)|y(zhxxbn|pqwepc|tciykx|durkhp)|s(wwvejq|qqnrvv|fuiqst)|o(atppxv|yebhhi)|l(wxkuvr|a(ezftl|bdwhs))|z(udycfi|aaqjuy)|a(mfevyy|rppgcv|s(rnqie|fudrc))|d(qkadzp|snskzu)|c(lznkur|nbwzag)|n(fhqipw|ifnulb)|g(dapxsf|lzkfsa|oadfdp|ibaukb|vcusrl)|m(usfrxa|tmvfga|sxbzev)|vgyusaw|k(szupxd|fbhiox|khjcyh)|h(azrtrv|wpzdsj)|fbounrv)|v(w(stiqlm|zzkrvl|epgubl|qsxvdo)|s(zbxajx|sderjg|nkzydb)|v(nemjke|tjzbml|biuypo|krvbqq|ilvmsc|momvaf)|f(jwdfqg|zional|hwngqt)|m(fcicqy|nvucel|jolouh|rqewee)|j(qzwjqi|uybspc|tmjhla|c(cfjgb|syfyq)|jpnrhk)|c(vregyo|yewgkh)|y(rtsobn|whxpng|nirwyn)|d(aavfvo|kclqxt|uzvxet)|b(epeqyr|qundsb)|t(edqntl|sbcqfn|icvqxb)|qhqezko|h(theqkg|ootxnh|plvxru)|z(ezhsgd|kurzvx|qwwjdp)|u(vcddrp|rpyhet)|n(zspheh|dgcqrd|ovsiyi)|entqhby|i(ziumiv|jnytsf|ngltbm)|gembjfw|x(dkcwfe|wlqtrg|cflazl)|owphpox|kajzmnz)|u(t(tztqqy|dqhiex|u(nzvge|sosej))|jhjecml|m(zrcypc|lujgvn)|z(juqtfe|yovgfm|dvbpzg|erkbkm|flhfqo)|y(aasgzt|z(vduuw|giiqg)|mzmxpk)|o(nkkdjz|bezqzg)|k(clohan|mpxytz)|bvqlkqv|f(phskek|jdeiei|rgwdah|iaidgi)|u(cwicsw|kdhgef|qumbae|hjnfes|bsozdd)|e(vapdwm|uorjyn|puwpil|iwoajj)|l(d(dhblz|hmdyb)|fvmltj|ectvwy|zybxwd|wflcfj|xwnzli)|s(blxuiq|cjxlsp|ggsimd)|c(cbgvyz|iblmnb)|q(owxjwq|nfprai|cywowy|widnig)|a(mktcfi|vdsemr|jjlodh|yhiged)|x(vnmidw|spcbmj|rqjfrb|tjksje|uhtqre)|p(dhdxbe|wiyquy|ghkiye)|rmllpyw|gogiuay|v(ambabm|vaipuj|rfthae|hvuhyo)|h(matsgh|ebiryt|noifkb)|wgkmteb)|a(a(cedthm|phauic)|c(ivbrch|hraaef|pxpobj)|t(aayxbi|urrgcw)|e(lmhqyp|dzzlnc)|n(egcngo|hanfef|nwclyr)|s(jvrrze|xugjzm)|h(wnxxeb|juthbu)|f(t(hxgra|iumex)|myrvcv)|qpcmghx|y(ncymzy|cgslko)|v(zplrbw|gcnnac)|r(redmkc|bwlnmm|qpwgbw)|oogwvdx|k(dxcbxr|pzangd)|l(ohyiky|vjftba|ngsnhp)|u(ppfnbr|fqsivy)|wl(ewjpe|sjwyh)|i(zxnkcx|irjwvb)|x(lupvci|oyjvye|vmxkxw)|b(izlanw|cibegr|nbzffw)|phithhj|m(lehntm|ttzycx)|dmqwrfw|zucaapp)|l(t(m(cwexm|ewvkv)|nklxtk|jfifuo)|g(rvjawb|x(cfcbd|aduup)|pxtthg|hdnwqy)|n(tgxrau|yzxnau)|u(yjtllk|pwmnqm)|f(wfldxm|cmunhw|vekvmp|hqkwtd|lfcwth|eqrihd)|q(zewnte|pafmih)|v(obymsl|ljgcic|iceyhd)|m(nhbfxm|cxvfrl|iucwzs|fcjyxe)|zldgxru|wqypkhe|r(vtsbgs|cqnywq)|amaqlfg|l(svsenz|zeiptp)|bzhloql|i(vndcid|zumcwq|laqgzv)|s(udpfiz|npdvrq)|y(pgdscf|cdxqne)|jytzuup|e(mtargw|ascwcl|znjxyn)|p(qnchcf|nfudfy|ynvpvw)|oaevpqw|xfacgnj|cklxsne|kzxoegr)|h(a(xzklma|pdllqy|qsmtmt|olnoug)|h(mwizlj|uyrnvz)|t(yaulcw|dawfsh|vzfcjm|ufseho)|i(ktisjf|jqpqfs|fjomkd|nvlamb|govnkz|wodeow)|p(tzjtgw|onbuek|xqypli|jzzarr)|fvzhsiv|k(wtbhpg|nkblra)|e(toxdau|xtskqx)|u(qsjyhk|pzccwj)|n(thmhci|ulseht|rajnff|m(lakta|ybjkw)|qwjigm)|s(ihenbr|evaygj|tmeeit)|o(ccxiiv|wfbayc|uihyud)|d(rrcxib|qufllv|fixbdz|sxkoqh|txutua|gcqxcp)|y(mmvdli|lrqrgz|obwmgz)|m(gxmbzp|ipahyu)|b(hsiccs|iqqtre|zhxeou|sggfyf)|j(yrxyvg|ulqziu)|g(v(ankbv|zgnky)|jzdvys|klrgct)|r(zatdyv|wypfie|yojuaw)|citmaje|wlbplro|xeijlhs|v(c(apgnp|thxzw)|udoeue))|w(r(ytxzzb|xzkyfb)|y(pmejaq|bmqfkm)|e(sgfnul|zgsssd|rqeesi)|h(o(zgfgo|pjwmu)|yeyagr|rswgss)|m(ayqvsb|rwivrp)|j(r(ivsnm|xecpv)|zvlpbb|gespuu|y(xjpcg|bhhdd)|ibioek)|o(zezolt|ynkuri|eyjsvg|bpebjo)|g(rbsrsf|kgtqkj|mmrkoc)|ctflrjo|k(o(fnkta|yxuru)|euuvlx|cyegof|hwadhg|qlqbla|yrngpj)|p(lseaul|yrgvme|rtfnbr|uvkvua|qvrieo|nwowst)|xleguzf|t(lcpktb|czanfs)|q(jxlqjc|cclzfm|kivyhk|epvskg)|w(okizqc|hwrlfu|pabyef)|zcauivd|n(teeruz|limadl)|u(qdjpnc|wsnwme)|aeftnju|l(vprffy|ewmrqe)|fjsbzzw|dfybjwi|s(eifugh|kxlfrl)|vaniodf)|o(l(vmjhie|okvsxp)|t(rvdioq|hcuepp|uzfbzn|vpvyjn)|g(qsyffw|b(azqav|plcwx))|p(yuakrs|gqtvpu|lpdmei)|e(jayvfj|f(fcvbr|dwwuj)|wedldg)|dhtwyzv|y(uzooai|anhrxu|huecdr|vygeli)|vifjush|m(cuqlef|kwxczd)|n(ovywvu|prfsql)|o(tczfra|xnypbs|iopqoi|v(svacn|xjmxe))|w(duqlhy|qqzqmz)|h(lrheop|vzivko)|jchbudk|aoqjjgk|iqtjjcc|x(nilcli|klrrhn|shpfhj|ruxxvn|bserhk|zfodet)|u(bjxrfp|abvfna)|rmghqwr|cqrcszy|smlyoti|zqsfrhb|fgjfbrb)|t(g(pdjdlk|vchjox|bhvkau|quqkdu)|l(dzvawl|zsqpri)|m(mqgrus|rjpics|iftare)|e(auevgg|fyuyjz|ossnpc)|u(zgyrcf|exjota)|t(ajsayf|ywgwki|uvvjuy)|w(kyxvyv|dpjzbj|tvljaj|g(wehjx|lmvtk))|j(amkwal|znxaxt|jeimga)|b(lxhwzj|ikmtqa|zyfdip)|c(qjplmb|gbxean)|s(efsvdk|wjeuwj|dponlp|kratll)|r(sbjvaj|ckloqt|yfhkfn)|a(vjsaki|mpocez|wghkye)|y(tvkkql|resgto)|q(emisuq|ffzqzy)|z(mdmetd|gcifjx)|v(dnrfbq|savxgj|hwdstq)|i(jbncgc|hdxuyc)|hhfjsif|f(cvbmab|xzgmnl|zdwlda)|o(awrgsi|tcndcu)|p(csxuxo|frtfdr))|c(m(jmboif|plsnpp)|y(ltcegr|cgihaj)|z(njhbrp|bkahdo|qxpugi|iamuvz|lvkgql)|x(pgoweg|zgrffj)|g(pguhwp|ilyjva)|bmccyra|k(fpgkna|pdcaac|oazefa)|i(fjbtke|rfgqjn|sehhbe|dyeceq)|n(jdiwbh|lzpxfs|hiaqnb)|l(jwglpf|bzkmmn)|t(vsvbwx|zvqfxa|herjoq)|s(dtmgmj|wuyixe|lrwnkh)|v(tjmnal|mrsyzt|qekquu)|q(sispiy|cxbdye)|d(bgkyzf|ygdkva|feolim)|j(uitcnd|i(getyu|kjdtc)|leiuyd)|c(ehawjd|xwqtcc|pgrlef)|e(ebrppg|yztdgy)|uqhqkon|p(ouvsss|ftnavm)|wzdvryc|a(iaebkv|nwccty)|r(htrwfj|yopnds)|omoplfi)|m(o(tohmmu|ikcdyp|sgojsb|ohsqml)|c(fbkpkf|qkxmot|wpxpdz|owxiyx)|a(ajmigi|hluvmb|nmcfsa|ppwauq)|f(mneuau|gjamlg|zdhbtf)|g(fzdmbc|kfigxa|uhlxid)|p(tcutzy|rzxjdf|qjnuns)|l(ppckrs|yffffy|vzgnsq|kmrhle|losanz)|s(lbuolv|juwomp|xeexip)|v(ngefsc|wiepzm|optutj|udorom)|yoysupe|wacyvcf|i(zcblzc|oaryvr|hdtakc)|q(e(mluiv|csnti)|ozqzag)|x(nokwfy|ikrvxe)|u(npmvyk|aygkti|kssqsp|fiobcv|wanlrn)|hzzzcli|mtastug|d(c(urlya|zzpwh)|wxrdww|teqwzw|bkobgg|kizzpm)|e(azsrym|lokvud)|z(piwujd|vmcmtl|tebydx|jxzyvv|kzbjpx|udofbl|hmpmfp)|j(ubxsto|qicajd|modcpl)|r(p(flgas|xxhdv)|macfus|bdyfan)|t(oknyhe|slqbeq|xrhrxc)|k(qiizri|iqzaqv|udlwdp)|b(hsjnbr|soaozv)|nuytvqw)|q(b(ajyape|xizlua)|x(kvlqwi|tjbnjh|cwzaiq)|m(uwgdth|rkyzeh|difrpc)|i(agpbpd|e(mhukm|hsvlt))|w(fcxgnc|lluhed|orjney|hxuxja)|o(kjsrql|cheunm)|v(mrqlgc|ojvjws)|qntlbiz|j(vppimw|sditmf|ljlosq)|s(pnyhii|yrsyno|cooeov)|rsuqshl|p(yizxdd|frjwbc|xysphd)|a(zjgsqs|jpmpsp)|l(vcrkbx|kdbhpb)|u(ddxmnj|whdjti)|e(zkspsw|dluvze|awwojg)|gv(kemez|zcnio)|n(hhrkjv|fnespo)|ymxrmyz|ksanemv|fmlfgem|chchenz)|x(g(ovojvv|kgystl|mmiceh|ifzdsf)|a(usihma|efuqid|digenv|wgjwzt)|w(fxjmbo|irtfkw|jzhtjp|yqwdft|updnzo)|rkefzhu|c(afgogx|ywgaor|eppnxf|mbkxdq)|m(cnynur|uarbws)|e(zxrykn|c(gyadj|erqyq)|ynoedg)|d(guvinq|khfees|q(zyayi|ufheh)|sqgdei)|n(owpncy|bhjhfb|pdkqmr)|l(ptiqqw|olhszd|trywxl)|u(qexdwi|wnqdmc)|k(piyptl|ovjlqz|wxmklu|igsdir)|qonfpkv|j(rzrwib|godqzj|vzhicp)|s(kdppyq|obiahf|swlbci)|x(subpoi|achlxm)|itwrpxs|y(yoczyy|cdkzet|lmoifd)|t(uditbi|hpympd)|vwqxied|ftjigsv)|d(y(szbywi|qzyfei)|p(gqiyfx|eufqyy|loqubg)|e(qbkaoa|kgijel|vlnzit)|h(fnplyk|bzyxba|sibfat|lcuibk|dpxerk|xlfuil)|i(jtfqxc|hgqopi|eavbwt|nzfzjv)|f(spvhir|kalehk|vasnzg)|jsayhjv|t(fdnrla|esfhkj)|u(jskwcn|sahwcj)|d(szbzed|gsujde)|q(acuhri|tvuqeg)|r(vtjtwg|jnrajn|kybitf|qzkrzf)|m(fuohht|so(lfrd|vhwt)|yoxhuj|zblvib)|g(tzhynl|honuik|aairfy|zbkest|qwsmwx|ixiwoj)|x(hpfsyy|nofutf)|w(uvprcw|gjwtbs|edflmk)|v(iqpdtj|sircmv|aqkzfp|tvadme|ysrxdz)|cvzfaov|n(jnljff|y(bisob|scxjv))|b(nyricu|hysrgf|eqxznx)|o(gwyagj|oerkru)|a(lfozoq|ccintb|ezpdvk|jgnqqp)|k(pqhnnd|hdccmj)|l(nozqul|grxdmq|lhyxzz)|zzadxgr|s(onuguc|jwpddh))|z(a(zulayz|ucsrds|cgxgvg|ebefgc)|y(ulroxr|tmicqi|jzsxgk|mhizal)|q(ciybcl|ebtmsb|npzouw)|fogtlox|e(rvyoom|zoxjdy|lhzlbe)|r(pdtrxn|oybnju|jcjlea|nzutvk|qfffln|gozcxb)|l(ffjzog|ppnkvr|ybizmk|buqxyq)|w(zklpyt|ewajtb)|g(u(woesx|umwdp|ovisp)|rbdgbe|ztybfm|lxyjoh|wlgipm)|s(lrfceb|u(izxux|ngnie))|k(ag(qaaa|fbwc)|xmafak|loiozn)|d(nguxvb|d(ekjxt|zduoj)|vuhieu)|p(qbrcxf|kqbjda)|xm(hxhgz|vvzxo)|bwjkbnm|m(bnpkjb|vybfjm)|uhlmllg|n(wrotop|acfawq)|c(cjyfhb|flyzgm|ziyelj|xcvzql|isadis)|i(lstppz|busofn|hekxjr)|h(ifhebg|mojphx|kkgdkl))|g(trfoivl|qxlpjmb|r(cvdfps|glicrx)|z(i(zptpf|aivwd)|gygiup)|d(daybab|ppqdcc|rpshft|guwdqr)|f(lyakzs|xfaksk|mfbbrp|jhvdvp)|i(kvjcdb|ezrbxx|dtlois)|s(blykfu|iutqwi)|c(zivdqn|hzilof)|j(ccmicy|nyjqtu)|e(u(kbbru|hnher)|tdkwxi|sdbyri)|g(qyqllk|ofaczv)|w(cyobre|xywjdz|fgztzg)|x(lqpqxc|sfgzbo|rzpaik|gutnyf)|p(g(upeaq|hrncv)|zmklha)|n(tsslna|hdigfz|oxwkhk|lwlwzk)|v(y(ipcbe|kzztl)|xionig)|h(rp(nuyr|tvjb)|mjtekl)|u(hqkojo|ucqqqy)|odhzoig|y(agluso|ypdgyi|bvijfz|sscqoo)|a(dyacbk|lxysyg|harmvg|wlbadc)|bodlerw|ljruzty|kndwwpg)|b(e(e(idfvb|hihwo)|zkxunf|vtaxpw|gxkxcd|lzjvhz)|r(jdnyde|fpybme|hsldyf)|p(ngqqmg|ayjpci|kqzjfj)|wpgoeem|d(ditarv|uetqrk)|i(llqobk|yhgfop|hjaoce)|n(jkgyvt|sseoze|ffhzie)|h(btvtbx|mgmnzz|wuekcl)|lyrsatd|v(fmpsvc|poomzq)|j(lunlcc|beotzq|mjwcnd|pqgcyc)|aliarft|uunjvau|tx(gxymk|kablm)|g(kkwkxz|iczxao)|m(bdvgbi|vicige|teiwbj|dhebda)|y(lwimrl|nymmpx|yinhet)|zqflhhf|c(abatoa|qslndj|zuvvjs)|fyvzavb|s(pygvhh|aqhkzw|xikzzt)|btinarf|x(yjjezq|mrvdlq)|q(yatspv|cpdave))|n(k(typnsc|lnaqga|ckpseq|d(wvixq|pcozf)|khqbbv|zlsppd|bahwex)|zmkwobb|h(fsmreq|dgfuok|vcmgib)|t(yrmvae|nfmdpr|dtzmio|bqsldp)|c(efmsid|vqtgxr|krtses|yqnxuv)|n(jhiuhy|rtlkol)|u(pxoyxm|vognta|gqngks|esjksh)|p(hpyerq|zskrhx|suvipm|lhcsvq)|g(pgdtak|knrlga)|x(zoxddb|mezijg)|svbikyl|j(yazidj|xtacif)|y(c(ipqvl|fdqye)|haecck|tppsnv|xfpdsx)|d(inshlh|vwgbmx|cwfetp)|q(dfwmhf|pkbutb)|a(sbcywc|umwogn|rbuhhe)|w(zvkocg|pnxmvy|vustml)|m(njmwgy|lgpmqn|oxtnto|gegrlu)|r(hdoexq|ujpihb)|l(ftjfrf|mktvoc)|b(bwyggh|pvdelb|rfrdoo|qneusf)|f(tblrzo|gentmg|cxpoon)|iwsdyti|e(lrvdhn|zmfmol|rkvchn|xpmfqy)|vvqskhb)|j(f(ucxiuz|wbjwsd)|s(z(wjpjp|jnbgk)|efnwgy)|i(ghtvsq|hqhpao)|nljaxjk|y(fzrdnv|dzowwv)|ltglwmm|k(lowabc|bkutcn|jickip|twplsc)|u(mkkgoj|tflivn|d(tbjbp|ofqks)|jvvgho|nhtpdz)|t(ydjmpz|tbxxli)|h(wxuiwa|dbqpir)|g(oenrpi|wfopiu|pmywzy|yoojtr)|p(aryijo|myvycb)|q(xdrqso|mcjlqn|rtxwsr|sfxxle)|a(fammld|aqpdhl|qvpjdh)|m(sxcszq|zhftho|asohpe)|d(wpwewx|qa(pdhh|dleu)|sxpfdm)|e(bkusqw|pnmsku)|j(spqwvn|aifopl)|zawablf|o(vauard|uosslp|dxhybk)|r(ejwamw|hxnvof)|cwjuvcd|whprqhw)|s(hqpmkhy|d(jtakpe|oojpmq|mwupeh)|c(ouobcl|z(kghnw|wwxhl)|qmkfqy)|p(etzhen|vcyvrf)|g(dnjnhn|kuryah)|q(cmodoe|mmwziz)|z(huqeoe|r(kexnx|vsfuj|bjgci)|ebavvf)|f(ozhwqu|udknve|fsnidx)|s(lqeblo|jpwwhj|pqouhv)|v(zuqsoc|tghmdf|vefxal|ihsudy|aulkcn)|t(kwugtv|mxnlyn|reteks|ecwbyt)|r(vxkanx|wfuwbt|rqivax)|b(yzegrw|loyspb|xudkci)|m(abwjzu|bivvwu)|l(tkcgqe|rerolz)|o(fthbbi|ycjhps|cqynbh)|j(c(hzaoo|rkwmd)|moxmdo|gdxlfx|nrrqjc)|n(lckdxy|sahwec|edwnhl)|y(m(sdtlr|ksrwr)|heaeeo|sqmiky|eybbie)|k(feiwyv|yuboff)|w(swecon|bemops|zqfuax|ucjzif)|espxoht|iohmjah|umzplru|a(weywpr|ugkxgh))|i(s(oyrtoc|qpkuwt|ujurkb)|b(ekmnqk|mrexxt|aqupsm)|h(iyksus|zfiyey|unkluk)|m(rgsaxf|lprotn|sweida)|o(nhpanp|kakwcz|deqyej|mzikwy|inywgh)|u(ttojkb|xfpbsu)|q(othcgp|byfbet|j(emleg|bvesw)|uhqdtb|kiopzo|vqtbok)|lqsfhic|v(vujwky|fcsrcl|wcbugp)|f(w(sbprp|zgxqo)|mmwyxt|czrngv)|w(dowsod|pnhwbu|rqjwiu)|yonguda|r(malmvy|ouyezs)|kegqpiv|n(utacse|tvtllq)|gcjmhzn|i(nvgqqg|cpszxm|qtiwcn)|tsjcrij|eosecex|p(acxaxj|vlbyzf)|x(kzegws|adzwyp|islgua)|zcseear|d(kriaou|blbcud)|cuxpemf)|e(l(wozqks|oqjqbr)|n(kucqzg|djpylk|lbalyp)|x(dqagvo|uqrnur|cxaemp|aluomo)|y(uqrqss|egysvp|lqyxdz|cspxcx)|r(pdmffu|rtgsih|mpdkdp|tsvbjq)|b(romyax|qrgukr|etsldu)|u(a(xwgcz|pmpqr)|xooeei)|z(hkiypm|wlemoq)|j(htsjln|utoidi|oqsasv|bjnkbk)|e(mborcu|pdhfpw|ilmfbh|yssslc)|a(vkcbnl|pkzcjx)|o(sxkdpw|zcuohn|vjefib)|f(zdsglp|fccmsl)|d(inqbok|mkizhp|ahehvh)|gaypdgm|q(elwkim|fvpfnx|tlcugw)|t(uasmoz|psivxa|hpuppk)|v(gleflf|wdvdel)|skryxfb|iubbvjv|m(ppjpzl|fifril)|wwgawnt|pgrunju|klpdcco|c(wfaqsk|gqbsan))|k(q(uiqivq|d(uqzhx|lpmhs))|lebbyjt|yseiuyw|s(zs(tdfv|chkx)|oweuom|dwngsj|tzctgq|bhioyw|snjgml|inlpdq)|d(j(aodzt|tfokh)|mpygln)|g(hudljm|grdzyj|l(bvlpv|dhkgj))|r(pucnkn|qwhhxb)|z(ydmdfz|tunwzv|ncrxzm)|t(zhuikh|vwptfh|gojhnx)|c(hkghws|vsopfx)|e(zfbvoj|yinjye|rytkhl)|v(eknlfq|vbpebf|spvuig)|b(gewbtp|mkidkj)|aqblcps|m(jgbhxc|leiwml|gaevlr)|kyhuxsx|p(okglnr|bzpahx|pdjnpm)|j(nskzos|zbnnka)|oumagqa|i(d(niffp|djwwn)|jqmzad)|hymjgwg|xgauydj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633128; rev:2;)
# sid 2633129 includes 1015 (1801 - 2400) 8 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: "/(o(tvpvyjn|o(vxjmxe|fbodwc)|e(wedldg|sujwrw)|wqqzqmz|x(ruxxvn|bserhk|zfodet)|z(qsfrhb|evlllc)|gb(azqav|plcwx)|y(vygeli|dqcqjf)|fgjfbrb|d(thzntm|frbciv)|v(qlqkvn|edvirp)|u(ktvovl|vmexzb)|qvnrbpo|i(catdwi|flaahs)|ajyzeol|persayt|k(tvtsae|hpojjc)|nvzedkc)|w(q(kivyhk|epvskg)|k(qlqbla|yrngpj)|p(qvrieo|nwowst)|erqeesi|j(ibioek|ybhhdd|jgjenf)|w(hwrlfu|pabyef)|d(fybjwi|goowfs)|s(eifugh|kxlfrl|lzebcu|jzxclv|vhqque)|le(wmrqe|fgnxk)|h(rswgss|d(joldn|gfoej)|zcxmmn|ayavxf)|r(xzkyfb|aydgnz)|vaniodf|g(mmrkoc|xtiuzt)|obpebjo|x(ugzksr|fynfyt|nollmx|dopgln)|fmrvozr|ciefmel|ypcslhd|ujlbzsg)|a(c(p(xpobj|znjet)|eljhpb|cvwufl)|xvmxkxw|a(phauic|kvbotj)|f(tiumex|hakqvn)|zucaapp|iirjwvb|l(vjftba|ngsnhp)|t(urrgcw|excbjc)|u(egdwtn|pooobz)|dqisjqz|bkngxrd|j(jlocvh|tywlpb)|khpfzjw|g(qawznf|zeewwb)|wtsdyce|sttyppy|h(hpfniz|aceaie)|nplvwys)|v(ticvqxb|x(dkcwfe|wlqtrg|c(flazl|ezkaa)|svokud|tzythz)|n(dgcqrd|ovsiyi)|s(nkzydb|ubmsdr|ehtcfl)|h(ootxnh|plvxru)|o(wphpox|vpbhof)|j(c(cfjgb|syfyq)|jpnrhk|yctaoq)|kajzmnz|z(qwwjdp|yzblan|uzukjv)|i(jnytsf|ngltbm|tgblzt)|c(hmiydg|qztqbj|oibtri)|d(tmjhqy|fcyycx|qtafhd)|m(hkcoaa|qslaqx)|fnlogwt|uosmuzf|ymyskqy|lhvebir)|b(sxikzzt|nffhzie|e(lzjvhz|ehihwo|xmgekq)|m(teiwbj|dhebda|xcgssv|cidlmu)|y(nymmpx|yinhet|vghfoy|ijvqhi)|x(mrvdlq|uwvbes)|h(wuekcl|cdpxif|hpgmaw|mrhcuz)|czuvvjs|d(uetqrk|brrhfv)|g(iczxao|nbzzvs)|jpqgcyc|b(usxcgi|ktygdz)|f(ltphqd|clrjie|fytzod)|u(nnxawq|ddxhya)|lfstpwf|z(wcexey|ztsclm)|i(oulpql|ejwpju)|kczitab)|r(u(jhtlxx|afhrzv)|qhftxrf|tbooadj|d(ojwbzc|bauksv|gkgawo|jkakdx)|r(fihith|hovohs)|ejdynmm|a(nispjk|afqgnf|rqhaoy)|w(towqog|zrjolq|jwcnmd)|jffakxx|h(iypwfx|m(wbxhr|vqehe)|oowlqt|pbbjwv)|ocfvzvh|yawysyg|iqknkgj|z(c(vdzlr|gjgoh)|kkmllp)|f(wwsavo|hpolmi)|g(eszjgy|webxgf)|b(hnjrgx|yfptmo|ekhsjm)|p(e(uahgy|ychzz)|mcaqbq)|mpvverw)|c(r(htrwfj|yopnds|ppojct)|v(qekquu|rykzax|hohskc)|o(moplfi|gnqgky)|z(lvkgql|otvdbl)|lbzkmmn|xzgrffj|s(l(rwnkh|sjxzb)|ocfkyp)|koazefa|n(hiaqnb|tiyyep|bmglff)|d(ewvjxc|zieqxk|jfvcup)|f(fhwltn|kdumfr)|gp(hymbn|nuliu)|uroocng|tbjakbm|c(gbzwvs|degieg)|adfqoni|ywukmhg|msxumdz|pwboffa)|u(l(wflcfj|xwnzli|viagtn|ounhoi)|h(matsgh|ebiryt|noifkb)|w(g(kmteb|fxgzm)|efjzep)|ubsozdd|t(u(nzvge|sosej)|tyczjb)|v(vaipuj|rfthae|hvuhyo|qzoffx|eqjmip|bnyewl)|a(jjlodh|yhiged|uwjwea|r(lxxek|xdikg))|f(iaidgi|eosnbc)|e(uorjyn|puwpil|iwoajj)|q(widnig|edtsuf)|x(u(htqre|lkhuv)|orcffi)|pghkiye|c(tiztbk|rlkecu)|y(akhfzw|zlvwfb|nmuzue)|j(sksjkb|pthkga)|gryauzj|ktveypd|dsbkhgx|r(qozphp|abcjyt)|idekemz)|t(o(tcndcu|svfsdk)|aw(ghkye|eduqx)|m(iftare|qwovcf)|pfrtfdr|z(gcifjx|tovagh|jwvevq)|b(zyfdip|vegjsp)|yresgto|eossnpc|lzsqpri|v(savxgj|hwdstq|egagqd|bgeski|yivieo)|g(quqkdu|zbffwv)|r(yfhkfn|cdnsgq)|t(uvvjuy|reirsi|zbkngo)|wglmvtk|f(zdwlda|slhswi)|jjeimga|ihdxuyc|k(uzafrm|mddxpw|qltdyq)|dqmcfnv|sycqmvg|x(kzsoux|peitgj)|nuxckwi|u(lmofbe|dyrlwh))|h(o(uihyud|lfdrxf)|xeijlhs|i(govnkz|wodeow)|p(jzzarr|dvcuso|gqjbar)|gvzgnky|v(c(apgnp|thxzw)|udoeue)|stmeeit|yobwmgz|d(txutua|gcqxcp)|m(ipahyu|jkugrc)|knkblra|n(qwjigm|mybjkw|dpekir|yfukyd|rjqhqn)|j(izvftp|wdugss|oxvwgt)|e(pescyq|qcgvfj)|u(hlyhys|eucwzp)|leqacrb|zceihpt|fmnkonq|rinzyvw|a(yokglw|kmpcgj)|t(dpruqv|ellqpk)|haoftkk)|l(mfcjyxe|p(nfudfy|ynvpvw|ximunj)|t(nklxtk|jfifuo|wtssgo)|ilaqgzv|e(ascwcl|znjxyn|lwozlg|mvdunp)|r(cqnywq|jdgxhh|popiir)|xfacgnj|ycdxqne|cklxsne|k(zxoegr|umcmah)|f(cgodlx|ktluri)|u(qjcrue|rgynyc)|vzpviog|j(sdfemk|fkazyk)|d(skibqq|jadfao|rsuuoh|llbjbo)|q(olifyd|ahncvn)|svppptj|gxramcn|whryhqg|nwgowew|batgwuh|ocsodmy|avxwfnh)|f(s(yzgtrg|bdevqr)|zmzatoz|b(osumlp|bhdwpj)|e(lyolco|nlcvdu)|g(mobzwi|ainvci|jispkn)|ry(sdhvk|kwtod)|x(auntul|dnsagd)|q(sspuhp|usdgmg)|p(hfwath|xvmnwp)|c(enrjqy|vghgva)|thzugkt|mublxvq|fnuzbny|nhrmqez|hbasfvk)|g(dguwdqr|f(mfbbrp|jhvdvp)|a(dyacbk|lxysyg|harmvg|wlbadc|ekxjcz)|y(bvijfz|sscqoo|irecrt)|i(dtlois|ecqsng)|b(odlerw|bxeugf)|n(hdigfz|oxwkhk|lwlwzk|pdxadu)|vxionig|ljruzty|x(rzpaik|gutnyf|xjhgog)|zgygiup|e(sdbyri|fzrjbo)|r(glicrx|fjmicp)|k(ndwwpg|rjbxcz|zpkjfl)|mypaghe|gayinln|tqwaxtr|hkdqces|wvpifzq|owjnghk)|m(guhlxid|nuytvqw|k(iqzaqv|udlwdp)|d(bkobgg|kizzpm|jknysn)|u(kssqsp|fiobcv|wanlrn|uitnps|xkdepx)|l(kmrhle|losanz|tuxwcv|cskrkc|qrtrdn)|q(ecsnti|hbjqij)|s(juwomp|xeexip)|jmodcpl|t(xrhrxc|ihgatf)|rbdyfan|v(udorom|blnfna)|o(sgojsb|ohsqml)|pqjnuns|bsoaozv|a(nmcfsa|ppwauq)|csofwef|xsizrhx|hveeyzq|ytzttva|zrhqqti|f(sbfivs|uwyoig)|eiuedwf)|z(q(npzouw|julbsu)|rgozcxb|l(buqxyq|cmfvzj)|h(ifhebg|mojphx|kkgdkl|zzbhvq)|xmvvzxo|g(lxyjoh|wlgipm|tnatsv)|k(agfbwc|gcskeo)|d(dzduoj|vuhieu)|su(ngnie|izkpy)|c(isadis|zytyts)|w(e(wajtb|tqwix)|vahhry|xlthez)|y(mhizal|zzpooe)|ihekxjr|aebefgc|j(j(qdgbx|fwmrq)|aufiiw)|t(nlwoya|meexmr)|z(kvfvqt|ezogtd)|nlbkrkv|vlkxxiu|u(kbrrac|olksem)|fjfhavr|mbfyood|ptsldsu)|e(r(rtgsih|mpdkdp|tsvbjq)|y(lqyxdz|cspxcx|tqdpjj|ggkvgv)|p(grunju|mhljny)|x(cxaemp|aluomo)|q(tlcugw|gyrkdt)|u(apmpqr|xcrtzs)|k(lpdcco|xfmvyc|bzzrru)|ffccmsl|c(wfaqsk|gqbsan)|e(thvywb|joqoni)|b(gcscew|ixgncg|yyzrbb|djnllp)|soschoy|w(ubohgq|kcleko|tsdbzf)|twhuwzr|mtlqfkh|o(whvydl|cisfbb)|ijkcyyj|a(soykyo|zhuvfx|rlbtga|fwpiaw)|vzvvnug|gkgdgty)|n(f(gentmg|cxpoon|momlof)|y(xfpdsx|cfdqye|yrzzxd|rmjdox)|p(lhcsvq|qchicn)|cyqnxuv|vvqskhb|e(zmfmol|rkvchn|xpmfqy|owrmkc)|j(xtacif|ieqpfv|bupmrz|mpuoqo|zmuasy)|w(vustml|cesohi|xyjtqe|mvzhel)|bqneusf|k(dpcozf|exjwfd|kdufmw|zvnant)|tbqsldp|lmktvoc|d(gbengg|yjnjls)|iyzwqna|arvbjlb|u(meyjbw|nezdpi)|n(xzvblp|uqgpff)|h(kdrxgq|nuxion))|d(w(gjwtbs|edflmk)|h(lcuibk|dpxerk|xlfuil|uksfna)|a(ezpdvk|jgnqqp|xilsoo|owistm)|s(onuguc|jwpddh|iejgpa|nlpowv)|v(ysrxdz|sfugdn|oeeuex|mkrbzt)|mzblvib|fvasnzg|k(hdccmj|jgqtda)|l(lhyxzz|rbfrem)|y(qzyfei|sckmum|gsgcjj|xavjqy|wwltxa)|rqzkrzf|g(ixiwoj|dedndh)|o(oerkru|nxqoeu)|e(vlnzit|yqrkmx)|u(sahwcj|xnpeii)|dzhfdcw|cqgvhas|jcglrgm|tkomloa|presrfu|nzfnfaw)|s(w(zqfuax|ucjzif|yiyabn|ovczmi|vhvojt)|z(r(vsfuj|bjgci)|ebavvf)|qmmwziz|b(xudkci|iqjmgo)|ffsnidx|ocqynbh|dmwupeh|umzplru|t(ecwbyt|vetpbg|teppko)|a(weywpr|ugkxgh)|n(edwnhl|jdwywl)|y(mksrwr|itpfuz|u(njiyy|ylncw))|czwwxhl|m(bgqyhz|fuwbzf)|kggmcho|gntwzrr|jmzlphj|hvopgko|xxpmeqb|spzpagr|p(wlnpgl|nlthle)|vlkzjes)|x(y(lmoifd|jthbtb)|t(hpympd|cotjbb)|s(swlbci|yqifrx)|a(digenv|wgjwzt|ielowl|hfxgol)|l(olhszd|trywxl)|v(wqxied|dzixsk)|d(qufheh|plzuxi)|ftjigsv|k(wxmklu|igsdir|aufxuc)|muarbws|n(pdkqmr|vrkmku|mmqdld)|ovsqskr|pjnvrhr|idbuuwb|udfzpwi|rnhpfoh|ekapchv|jvuvadc|ggokevf|wacitwn)|q(e(dluvze|awwojg|kdrpuk)|ie(mhukm|hsvlt)|g(vzcnio|hgtgjd)|xcwzaiq|j(ljlosq|pearsx|jwfxfj)|l(kdbhpb|fdkrct|qrcznk)|p(xysphd|jzkvpp|venlhw)|ksanemv|u(whdjti|dnydrb|jonzbk)|m(difrpc|btlues)|a(jpmpsp|dvfprp)|nfnespo|f(mlfgem|poxtzl|aonora)|chchenz|s(kvhkkt|qmigpm|oveqsn)|o(cjbzqe|d(vzrgc|ltlxq)|jwiagp)|qzzoeqy|rievofz|dfyhwsj|hcvljvb|tlzxmch|bndlmms|yqzkzds)|i(s(qpkuwt|u(jurkb|gbjne|dbayt))|c(uxpemf|saexga)|o(inywgh|jccxep)|d(blbcud|guzmqh)|u(xfpbsu|mnudkq|lkzgme)|r(ouyezs|zyhxff)|q(kiopzo|vqtbok|yixaff|jckowd|oypxbb)|f(wzgxqo|rrehix|luqncs|ghnjan)|i(qtiwcn|pufixm)|n(tvtllq|xlkzor)|vwcbugp|xislgua|wugjybm|pzedbaw|lwutqgg|bixpoxd|y(cxnjyj|evqxqy)|z(ijxidn|gyopfe))|p(n(mglysn|apxfkb)|j(blznsg|vfwjvp)|r(cosbch|jxytaz)|b(tftdnk|dcvyis|ihpzdv)|l(djsyda|kxhxgw|lmqvmh|onuhoc|muzhea)|hirrlvk|a(wznrmg|nlmdcz|rdgcya)|x(tvergo|mwyhgs|viugbk|bbdcmk)|z(tvygjl|kimhcb|vewlmk)|q(tzgcvu|rzroez)|o(qprkts|cnyolf|iuklft)|gsrekjk|ehztjhd|ukckkdx|cfhjusp|twaebjr|p(jkrpun|pbioxl)|y(eicbea|vnhgio)|m(thckgp|gtxbnx|uukwpe)|knklzip)|j(epnmsku|w(hprqhw|fyifmy|x(swxbv|tknup)|c(zgzay|aynlg))|d(sxpfdm|rusomr)|t(tbxxli|xzwbnw|brcdiv)|q(rtxwsr|sfxxle|gcrbsy|ykdlse)|odxhybk|aqvpjdh|j(aifopl|gxsfhq)|r(hxnvof|viygzu)|k(twplsc|zmuzvq|ltoeid)|mfcjqbx|fndbvis|v(iwncif|umkrnl)|b(vdgsfy|ilqcln)|zxrpfmk|pwdkoct|ihegxev|xkbqwdt)|k(t(vwptfh|gojhnx|sfmsxj|uipkox)|p(pdjnpm|tlcinh)|i(jqmzad|zwucob|qfkfni)|j(zbnnka|yvccvw|issyuf)|s(bhioyw|snjgml|i(nlpdq|mxfwt)|zschkx|pqfedv)|z(tunwzv|n(crxzm|bxxjl)|fbxvtn)|c(vsopfx|powesu)|gl(bvlpv|dhkgj)|m(gaevlr|dupnha)|rqwhhxb|d(jtfokh|tvwpvv)|xgauydj|q(uuuxil|zvgagr)|fzbouuc|v(hrmsth|njxikm|rjjmmw)|youuzjw|kmgpknl|o(wcdyiq|mvnszr|vvmstg)|npamvdw|h(orwsmu|pwnyin)|lrwxlgg|evnbalc|wyptzul)|y(fbounrv|p(yzqdcw|zzpdxd)|s(qqnrvv|fuiqst)|labdwhs|g(ibaukb|vcusrl|tloqrc)|a(rppgcv|s(rnqie|fudrc))|m(tmvfga|sxbzev|qliuwv|lwifld|vgftbe)|cnbwzag|hwpzdsj|w(pkcowc|hvgtxg)|j(mwwgar|aifarh)|z(x(tdlms|urebu)|urqwlm)|b(emeaez|nbqgqe|foeohf|uwhzml)|rtodtis|tfzbnfb|d(erxcwo|uhsksi)|eoqkipi|o(uhvqpv|jfvtqy)|kzhlkfo|qcylkmc|iftaorz))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633129; rev:2;)
# sid 2633130 includes 415 (2401 - 2816) 8 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.info)"; content:"|08|";content:"|04|info|00|";nocase;within: 11;pcre: "/(b(q(izepby|jevomj|saxasb)|ijtplhk|j(egkpsl|wpypka|qfgwje|gxszwk|aepanq)|g(kqynqa|fscsax)|ywfiumo|ostohrk|lgdcpit|plmusag|tqwyxxe|s(lxzocu|tabyzs)|fejdsju|aimcpkl|cjwetjr|mpglmza)|m(i(pmdfol|kvayzt|edffzj)|o(mdcsio|zfxkfu)|pybxxtq|xxbclpy|tmuuepn|u(tmcwkb|pqjpmp)|cbeuzjt|vp(hnqkt|zmtzk)|g(osfmwx|wezyul)|yejeybh|aejhjbt|kzhbcqe|mjkhoyb|bkyeidf|dlmeenv|qysedvh)|r(kcmgaos|u(kfugqs|hjgbsz)|c(svbgdk|urtxbl)|h(tcncyy|rhwkli)|ylgtuli|qvdxwqu|gkdetel|zgbdrlv)|c(xslxeyi|jzsnnec|o(lvbomp|zthcth)|ytuiuyk|v(ittyhi|vrjwqp|pwrygp)|kkikkfr|rqsjxgf|lhkebzr|qfiidyl|uhpsqoz)|f(v(pcrsmf|ucjldx)|w(isafiu|krejbf|zzcpxl|xrieiy|nshmin)|e(cbhynd|nwchra)|mwcqsgs|l(oxrnoe|saxjtx|jvfduj)|ckgtoxz|ndwkutf|zflcttz|fjlhver|iwblrwx|o(ykytcg|pzlyix)|hvzdvae|akhmash|uiedruh|txgyhtp|ybodffp)|e(lsukrsi|sqeiwgq|e(dkuxst|wtmqoo)|hohufkp|rzblyot|v(hftmba|tbtnpl)|zczhdhj|cenhwvh|omyiaxn|m(zznpkt|hgucpm|ocbjjq)|xiennmc|befoqah)|p(k(hwkiwb|ehpnqd)|a(tucpls|bfdypv|ylubmi)|wogstkf|rjjtzvu|g(fcbljd|mmggum|hgqpfv)|f(wxadko|evoyml)|onusbcm|ndpfhor|uheexqm|ifjtacr|eitwuay|vackwyd|mrhdohl)|n(z(jhpdtk|tslzyb)|exgfvzs|i(jvlxsh|gilcqz)|vijxxvz|hoccpyh|rcvlsln|p(erwggf|wtjkvq)|x(orlyey|qwhkgs)|ofcohsc|yqeclmc|btnmetb)|j(uofpiox|i(ynfixt|ibupta)|qglnthd|nuvyslx|g(frxvqu|pdhyae)|czoqune|rzgotuo|wscgatk|mmkoyju|d(klxzmp|bygvxt)|lxolyqw|f(bcvwgu|njbwpo)|babtebn|vbywlwp)|z(m(lchgta|iwymbq|upggtd)|gggppln|v(pwgfxu|mffyow)|utmwypv|z(ripgiz|whrwzc)|slfjlpy|o(hceigt|szypwk)|hrmpipc)|l(isqdbpp|y(tzgtze|jjiybd|bdddqg)|evkkxfx|ctmqege|viwdxqx|d(liowdj|trbupp)|pzifkpp|guklryg|rdueltj|atcpdhi|skznarn)|x(z(ctegku|ugeioc|yscjcz)|gpzagyc|i(akcdjc|dlchfd)|ozsrvbm|entxdbi|hbtewba|f(itleuu|vxsjub)|syyadhp|vwptiqr|rxfjhtu|xnaiduq|njtnvpy)|v(g(lwbgkd|uealcc)|dxssrdc|m(vrcaue|fevvce)|sbvjkiq|q(jcmksv|ezqkln)|vcuouex|bwlahoi|efoykxm|huypwrz|tbrgyos)|h(z(crecio|zjehdn|erbchf)|lddvbxa|nrzfifq|atcdluh|ydgjsfe|drhfqmw|ouxrdmx|tgelzyq|qkbraqe|kvvqllb|cwnhqet|suorfxc)|i(srdvprl|b(udnqdy|mvebss)|galjjem|mpwbqby|qhlsxrl|r(jnzsvn|qfgivm)|a(hdfccr|fyxwfb|qpxzpq)|z(afmuhs|zinsnb)|c(g(ecctq|xvlml)|ftpmrx)|eugmhsp|xmhxkyh|j(vsaudt|hwvetn|rqtwzr)|obdywdg|iqnydiu|lyipkal)|k(fhthppe|zugkgfa|tllxtnj|rivmubx|l(mbyarf|qabrdl)|iuhtkah|yszftow|sogonyj|wiqybwj)|t(h(slqpqy|zmtwdu)|n(rolujd|lzdubw)|w(leuuyb|cusgjs)|f(ixdiwu|rmyjhx|wyiiwh)|pksdgdw|dglekmm|xrordgk|arybyak|ipktnwd|m(bwscgi|jfbcyp)|uappyvd|vkzgjjp|zgzzgwj)|g(mvpoolv|gzztiiy|t(xbsbic|temzhx)|ihtptwl|e(zmmjjk|gdqbwf|tdmkzk)|almlhdl|ktwndpi)|o(t(jlgayw|oycfbq|uireum)|rmmnmug|b(qcvphk|mwyypw)|dtysiek|vectqus|yltqxcb|ewaeiye|hsgyiwz|llazuei|kqmbjhk|zsqtjtm|nsunnnl)|u(i(hevqhm|zbliur|tbkblp)|dxuftrk|l(ujfrhu|xkoiad|gwjewk)|m(xldngu|jyjlmc)|q(yokkvi|oiirjr)|b(tvmbbf|nfuqzy)|oiwxdqw|eefctez|f(fjggoc|ybccml))|a(y(fctvit|kqvdax)|a(hpyhiz|bfssqe)|tefdtqm|ukzxgku|bylxvww|lypyjqk|jzgmqlq|vrzcfik|hwzpqmk|nsadhzr|kiypmyz|drnxcfm|sodiudw)|q(yuzhbax|v(owtrzl|ksnkcf)|o(qepkak|pfxkcc)|rqkqyix|p(bredrq|nuqoee)|eaufyrv|lpdcega|nsfkfiq|dgnnvys|wyivqqs|ksjbsxd|zvjmagf)|s(l(ucttzi|dtwnke)|gvbjsvq|tccjsxp|kcyikvd|prwsfrf|h(tzzfoo|gsokyj)|fnhqpnj|embtzmv|rschqtd)|y(ytlpyku|fvlbccw|aarmrlf|gncrxif|k(bjhipm|fuluns)|reesobz|mgodzhm|v(fvrkpt|xvpdfo)|edcuyap|zwnjovg|q(zegwno|xxuwwg)|c(iailsu|acedjt)|bmcowix|udpawwr)|d(qkqzlym|hzzecgl|thmfwhx|wiougbh|djonuzy|kexqvlo|o(qfakcr|cnvxyh)|nrqupuv|ivvdyji|sbonbpz)|w(nrjmodv|hdckitk|u(c(kveku|rkarz)|habfzo)|j(diaxer|fjaepe)|afruocb|y(wynpnr|ktxrdr)|mhrpezf|tftkekp|q(nquijq|unssrf|ebvjne)|x(tqfhor|masawq|gzrbpj)|oiwtjdm))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633130; rev:2;)
# sid 2633131 includes 600 (0 - 600) 9 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: "/(k(qrknnhrf|ewqenhzg|x(wutvzaj|hmuhbga|dsoeodg)|k(facmwsp|jivurwb)|rdodwyru|m(sfgmgpz|lsirzmi|nvnxtct)|osmcxaeu|l(dcygoqx|kkcpykx|mwkcuox)|g(gjewqen|bldmqpp|ogyffci)|ilpgqqiq|zmxkrchg|fagfjsnr|nztbxiek|sikxrlme|csnzghoa|hlyufvyv)|w(t(ouosaqc|piyyrpg)|q(mxcrfkx|unzbjor)|k(bvdauis|fhufybl)|g(wqgfaox|rriqhfk)|h(igezriq|rnjdgzl)|s(slxbzsg|clxcqum|otqwhdp)|p(fzyjdmp|qawqejr)|lpbuhonj|jebyrqld|c(emjvbqj|yrycwtv)|zmyiiahq|fdwiqptf|evxflwhu|imciawwe)|t(p(cppmxwv|btuepqp|uckasbv|otbxzpo|xccvvtu)|g(avnjqwu|vazyqvz|worwcmd)|w(gfainhc|ndwmgfa|ewmnscu)|qnaeermt|scbvuezb|x(bhanwri|kaxdgmu|nvsmvxt)|k(x(urynjl|bgonvl)|ezgtsdv)|napqeaja|be(rrujcs|sxrkpb)|d(ejbzkpz|rtbzwvm|cevhyhl)|osmlmyqw|ydokfamq|m(jzerujj|wrneezl)|txfrrjxh|e(ahzknxe|lcaefmb|ywgqikd)|iddfpaox|veuouefz|zrkfoegs)|z(x(vnvogvw|p(jkpeuy|twzwsv))|k(pmkvxhz|xhwjyet)|h(jkiryal|qemdjco)|c(ggochzr|adhxfcq|wezsslx|svimyqa)|fjpnymfb|dfhehdmn|mtmncilf|bu(goulmg|sqqdrv)|socvxsuh|oggefslf|zmxeytsr|tbvrycxt|ehismmqf|glrbkyht)|f(pkdzqdvp|iodbgccj|b(fqzqbie|vkbcrgv|mnlgoqz)|jzrlycax|qupxxrau|f(xtwoffs|tjfpdsx)|e(shsqumn|jtujnxx|brwxqtj)|v(dtlzada|zvtrjuo|hhqwkqz)|agdepeko|wokpclpq|l(lvogfrn|futaezu)|z(takxwbi|xrrlxuf)|kmkqgjtx|tuxqyznm|cyuvoiwm|opazqpxb)|u(h(ckidiwn|jzyfowa|rwpnnzz)|evishnyo|amuanpok|co(ljgdcf|tiqgpx)|vqehpwdq|zysjsjos|fltaavop|j(jtfqlrg|wismchl)|r(gxqzqmm|eciresk)|tdjmycdr|oobdfcbu|y(cqolbng|kponunm))|h(xtekvlzc|w(qmildox|xtdmsrj)|fmobovfd|k(dlfvtmm|kowxvfd)|e(zyxjctr|gygawvo)|yynsnnex|v(tuydqkq|rhakkcf)|a(or(thwdc|qacah)|nhbxhpd)|gwslnlmn|i(vpptzyr|jokpuyn|snugzny)|p(wetljlf|kquioul)|creqzgqs|oyeezmkl|qebonwhq)|i(j(hznlctn|dhvbmpu)|u(iwmyzfv|aealzvb)|dijnhkim|qlzyafam|esbztybk|tfufwhve|psisqayu|bnrpqkfo|kyalwgzx|i(puznpkd|mbgbiqj)|rhiobdjd|hkaztbci|lkngicss)|b(f(knaqcli|dkscesx)|yeqfekyr|x(anqoqhs|osdqtjl|vvdqmkx)|coihzusg|hhfkgkes|zlemiutu|pkkjwifa|d(tdnmnhr|ypqpsfe)|ahmiddwn|molhpfkc|qwqmosey|smjfgcav|rbuvbpin|gwykywkx|eegjhkhs)|e(eokupkkv|rqoshffp|z(e(dwvvgo|irgblm)|clviwmu)|b(ocpvzeh|sorklpi)|wxseakgw|hxgwlytz|vxlgihct|d(bjodlav|knlvuvw)|k(ieuijrg|kjrpxyn)|fdxkfhdg|m(wcilqen|fhcurlg)|qhqombyj|xgsdgpkl|jarzezhn|ycdtageo|ulaturbo|gcudvhgf|n(zrnecuf|prpytgf)|ilyfgubu|ogjiczcj|adzkkuih)|x(qjpofqnp|uzfnbbsw|t(wnkmbhs|bnbovhe)|x(cqcljuj|xgbpypt)|kmdhntdg|emahyhay|zxezjnlb|v(ndqobpx|ejrucut)|whgqmmxh|odzvjuem|ykmzewvv|jtnpsktt|acxkccqh|slpuyghw|pdzzyrbf|ghkitthm|bnogvgdr)|c(cwpvpxdj|d(wvyrdpq|sjjpegf|bykffvf)|s(akpbhpb|rlpmcgd|zuspqer)|axzmxaeg|plwyoidf|n(upoaxdx|wmnonpo)|o(nkzezgm|hhlfwjg)|e(vlzkvkq|urhexai)|w(uliqbui|venakhd)|u(vsgafme|kamhqoq)|gojpghnv|q(bbxpyia|tqaqrjy)|ighgplvv|betdhvcm)|s(vtpilerw|bphprknz|fssehqta|setffuvs|ibmkmmzu|q(ceifdwd|hxbddsh)|wfcssglq|dmkfiech|pqcmonka|c(ernydvx|jnnrkem)|mqjceidu|ksvhmrzf|uhyaqfyt|xsvbozqc|neatqrvb|ofguqubt|rvedgmnt)|a(t(nwefqti|vsrizwy|taxkmkk|durklkb)|r(gtrgdyr|tokqigv|zkpfrvc)|efkbyksr|zltuqpoi|uk(rsemje|neoren)|feiqkaop|j(cjqyevf|wtxscmy)|cochubba|pvbxhyit|inekcvtu|b(ckrywlp|ufdgobo)|qrwjpslh|vlondizw|aubjcfhf|mjpzsoth)|v(v(rdvcfoz|xrbnhob|wslrsme)|w(yiznouo|nnahgvr|iqndicg|rvpckzk)|c(ejmyyds|tfuwpev)|g(hqffqol|gcvrzqf)|d(cblmgec|ilgigff|yoafldj)|m(ybkasyr|mouyjaz)|esdritlx|r(qxogagn|zxzqkaz)|i(xrlspbm|rsjzhrd|bikzbkv)|pwpajhxn|szsbouah|f(ztdirun|qmuecai)|u(gisaktx|ildthqw)|n(aflsbux|rvouuji)|jnufxzzx|y(mavkyhw|fmbzioa))|g(p(twmoovk|wjoybdu)|viaopmkp|h(f(jjdqsb|sljwtt)|eyphmsz)|yamsxjql|nnotgsko|w(tbzbept|rgfkbsb)|mywcxlnd|qqiydctg|sbctvyft|t(xkxxozx|ntdfpac|ijfgwuf)|jxyixnrj|fwlgbbuc|i(xwhdwht|rnbeiny|wyilomr)|odhntgsp|cenzktmj|lwcyfphg|geonxyzj|bomleivr)|p(ttdgjzxa|uhidrtll|nxuyseil|wyjaxgoq|f(kjboieg|duciifu)|piohoagh|h(lcpcnab|zznrvar|uicfifq)|cbnuiptw|sbjqkaxs|iiblqanz|rmqmubap|j(wmuozlz|gxyzhyx)|omihzsck|ghydfugx|x(glpqesm|wuvrbeg)|ysinygkq|ejziqsck)|d(uzoqvccm|loqaokjl|gbtgqmuk|pvfkjzmj|apdmcqth|ztbfgpop|rgymnnca|vsnauhxw|x(hhvronu|mgpneya)|f(vldfbhd|giqagiz)|wnabrhzx|yqpwncym|cgyztsqq|i(ulkpswr|wqgnhte)|egapcsmn|qfynzwby)|l(sarmqndx|r(bhfycvy|jkgotmc)|e(fzbsnlj|jkjbchr)|aapttacc|z(atfxwhw|gyatzjr|orpynoc)|f(vurreyq|aiewolp)|y(fqiotwo|pomrnei)|iknmahfc|c(opwybgi|uenjrmq)|p(ixsedwh|wtdzbvm)|gpwfrtwg|dgfenbwt|mlzybhoq|jutddpeq)|o(q(txrspbq|odnnuux)|e(cabxuqc|yqflddm|zulzdzj)|n(ykoplvf|wviywfn)|b(vixzstt|smvedse)|o(pthrfri|dmkpdhi)|s(pujbskb|qqztzwd)|l(seamkpw|cwomfvs)|dtxkkaku|aiowkqip|idduljdt|uyulaywm|wbbdwdln|jzbuqneb|kqlehhvw|mzczzjqk|vkjacwij|rwtcyhte)|j(e(pkbtela|bvmmtlg|rtokttj)|pxooefgs|f(stgbqxk|wjinzvv|pfdinyq)|zotrrxvt|tcsiupbx|w(xqpzpsq|hjnlsmg)|gtabeiuz|l(aqbqsrm|glkcumj|rzxqzes)|binviyhw|krxrsyqd|josuahur|c(czgbhzc|obahmpb)|a(xlcrtrj|lrohucb)|s(xmdrkzg|njdewfv)|v(spjigwt|fgnejcl))|m(w(vfugyhl|jlpmnbn)|r(v(wayvvi|ozqjmc)|phljoic)|gzfsjvjw|avtnizhw|hbbblilk|ynqqpgdj|trjmmqja|uncubnuf|xvlvwpfz|n(uithols|ghdjese)|f(uvsyglt|aqwqrke)|lpymtukz|vwpmyhec|cdeqrkae|irokuzlr)|y(s(bgejdiq|odtafse|uryysqq)|cndxqzpm|jiouzaml|v(enemraj|c(usjrhm|qxnbig))|mhjyuzfq|rinxisdg|kzvpujnm|gzyaztcr|iisnausj|eitvanbh|xnqexetp|hzroxhdk|ujnjqjse|pfkpseno|wztksbpa|awwwsfkl|nhfgthiv|btmdbkru|dfbyeeay)|r(d(prelwvb|funxqma)|vm(uycyge|drswnf|peczrh)|adyqrunc|m(huhsula|qaqlakn)|f(qzfdjoa|svjbshe)|ugpyolul|wcthhgbv|olwnfrcr|cenfagbv|ylgrtkfh|pmnkfibg|evhxzlvq|kpyifwld|bzqesvzn|zzdlukto|xixiiuue)|q(ggntgugh|q(erdmipe|zfyhbvl|dhcbsrw|ulhbnqr|mgzkyah)|vapgmrtw|t(tfvkknw|cphodfs|hlqxqhm)|p(lyyglgd|qikwzdy|rwqjrvv)|ommluvzq|m(wxcyalq|oycybxz)|zlivatck|rtldpthy|d(cwohjil|tadvjoq)|bcduncmd|xenfobwl|eekjdsjr|fmwvhdax)|n(y(feqvhhq|gmcudew)|sokmlmxy|diwvlgre|nccxnamb|ohdybzjf|j(hjyfynp|noivszb)|pmutxixj|e(sohsudi|dqrdffd)|h(rjwaxnc|vsxbrvo)|aeepcovq|fzoyxdum|q(vcqtejz|ostedkn)|gstdojvi))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633131; rev:2;)
# sid 2633132 includes 830 (601 - 1200) 9 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: "/(r(v(m(drswnf|peczrh)|bfbogka)|y(lgrtkfh|zcuxsll)|pmnkfibg|mqaqlakn|evhxzlvq|k(pyifwld|bvqakhd)|bzqesvzn|zzdlukto|xixiiuue|q(lluoyuq|vijcinq|iiphvno|ynpssal)|l(lowzdeq|uewlpvb)|i(hajzxvu|r(adhleh|qijlsh))|n(nqgarwg|yqyytmi|pyuiawf)|wnzgimye|udicrufd|r(syjagjy|dhnqeug)|dtawhrwp|juuitcjd|tpuwlrll)|y(v(cqxnbig|oxatyem)|k(zvpujnm|nuxbqlf|ksmwzwv)|gzyaztcr|s(odtafse|uryysqq)|iisnausj|e(itvanbh|nhjhhdi)|x(nqexetp|mqplyne|llodjwz)|hzroxhdk|u(jnjqjse|yzsydnd)|p(fkpseno|nttkrum|kalhwex|iwaongd)|wztksbpa|a(wwwsfkl|mkrmwsi)|n(hfgthiv|doppjgu)|btmdbkru|d(fbyeeay|zpcttdy)|t(tllfiri|eqvfkez)|l(oozzwpo|toyvvvw|cdinztc)|q(hxacbhy|eiodgba)|o(odlzeqe|rvyywvz|zrxkoun|gmcojez|pelwmey)|c(jmnmovl|lbgiawz)|muouhdoi|j(ragdfsp|stcbsni)|yqbbpxeo)|a(b(ckrywlp|ufdgobo|nvuqrwi)|r(zkpfrvc|opaljyp)|qrwjpslh|vlondizw|a(ubjcfhf|cgjably|mqtsnho)|tdurklkb|m(jpzsoth|wexoxaf)|jwtxscmy|n(rnldnye|seukyfm)|ihhclefv|k(kqcxtfn|ppgraby|hsmvzms)|dy(eoqkgd|niuyla)|x(oazhptq|cxhfluj|ymtolox)|w(mnesrsm|f(pohuma|vfcvom))|yghgvssi|ctvubapl|zkvppmby|ehubxekr|l(bivbups|clvyyfq))|e(jarzezhn|ycdtageo|u(laturbo|ziulnsv|o(veglpk|xwjkwq)|jridlfi)|g(cudvhgf|dspjpfl)|n(zrnecuf|prpytgf)|ilyfgubu|ogjiczcj|adzkkuih|z(eirgblm|uwukpzj)|vingeohu|r(ydbzhud|aypwrof|hdulxib)|sszalreh|w(n(frxbtn|jhsfjk)|launwmb)|xhcrdben|bi(aaayld|timszv)|dqtbltiq|qilsdyhk)|f(lfutaezu|tuxqyznm|ebrwxqtj|b(vkbcrgv|mnlgoqz|htyisur)|cyuvoiwm|v(hhqwkqz|dxijsav|auttcyp)|o(pazqpxb|judikbo|ypqvqhj)|p(epqrrhl|zyvzpay|nxncual)|mjffyyib|uelpoqin|davtclea|i(ikoqlez|zrsyjqb)|z(mdtfzwe|gowydbk)|khicsslc|j(brakqcq|rpunztk)|h(xhiyjqu|keezvox)|afaxzqcz|gxbxbpml|ywpgbtpm|xcpskves)|l(c(uenjrmq|hqehwml)|g(pwfrtwg|eeogdrt|hpqiegb)|d(gfenbwt|rwzssxg)|faiewolp|mlzybhoq|r(jkgotmc|aimnezh)|j(utddpeq|gpflhyx|kubirhp|heuqvnm)|b(vtwmpnh|ogymnmf|imhweha)|slvhntsz|kcodvmvf|ilnwgajl|z(mfmajkg|kkwakxn)|twctoyhl|vlvtutfe|wxpnkbhk|uhiivbou|xgmpillc|ackwdrpv)|v(rzxzqkaz|s(zsbouah|xwlnpwi|faerwla|mekapiw|acmlzsp)|f(z(tdirun|pddifl)|qmuecai)|u(gisaktx|i(ldthqw|mbecos)|j(zxosen|yjleli)|mhumdbj)|vw(slrsme|gmswqr)|n(aflsbux|rvouuji)|w(iqndicg|rvpckzk|qegoafn)|g(gcvrzqf|ythydot|azgyfrq|bdyqcsa|lismoxf)|ib(ikzbkv|owvutm)|jnufxzzx|y(mavkyhw|fmbzioa|bvcuhnm)|ctfuwpev|eskaqkim|bqbrzvmo|mgpzcddq|d(xpqlwyh|nrumbwx)|h(blhqxqz|udjaknd))|o(e(yqflddm|zulzdzj)|n(wviywfn|fhxjgbs)|k(qlehhvw|wmyitpi)|l(cwomfvs|iqibfpk)|m(zczzjqk|mlyjgym)|v(kjacwij|tbwdwyi)|r(wtcyhte|pcicgsc)|x(qtdjmln|ucdsstx)|a(whbqtqt|npghncr)|p(sucwvkw|ixojwrc|gymrvvh|knzazps)|s(yhmaymk|mggcmzd)|tvycxsrx|cmidfurg|b(ybademb|osozwad)|dmzxonak|ozamywwi|flsafbic)|u(r(gxqzqmm|eciresk)|t(djmycdr|sclpbjn)|oobdfcbu|hrwpnnzz|y(cqolbng|kponunm|owxjnmv)|c(otiqgpx|ehjdqdo)|w(nyuztwx|swpfalb)|j(ogtuxcx|xueynnm|bgbstpe)|f(zqjjouo|uhuzcst)|g(eboqikd|wonlxmd)|kw(wurszq|vwfaiu)|ubjjpmxz|zdwlgqpl|p(wotnvkg|cthasiy)|bzjsdnme|njypashw|egibzwal)|w(fdwiqptf|evxflwhu|i(mciawwe|sqnexgs)|k(dgolasx|fgismph)|n(wubyryl|rdpdwwo)|luiwsbka|b(gvvhikv|rmqpswy|hlmxkvw)|chmdhmqv|ghqrarkj|uhnpzgtj|opusymfh|tnnkzqiw|x(vcznfok|ovgjrnj)|hkuxyzas|yutbvdva|vnotnjbc|q(xieiokx|tnfljpe))|p(o(mihzsck|chapdgr)|g(hydfugx|wrwoprx)|x(glpqesm|wuvrbeg|bjkhcgi|lcuzyeo)|ysinygkq|jgxyzhyx|h(uicfifq|zcjldny|timheqv)|e(jziqsck|buiugwk)|wwtbyjgc|dzggpwmt|n(utbjfem|kqrnvwb)|q(jn(scyhq|mxdig)|hsqgqce)|ifedkvwz|rnmxhtas|zkvdezow|attrksdm|s(ohuxtpr|tvdbotq)|tcixjlsa)|c(g(ojpghnv|zqdvlll)|q(bbxpyia|tqaqrjy|wglgkei)|w(venakhd|ytztvxx)|ighgplvv|b(etdhvcm|rawrqxr|ncdburz|smfmyeg)|nwmnonpo|dsegeedy|z(qgpjade|xzxjpra|ehckmoz)|c(kqnchhu|bzdhtkc)|mlgzybxb|vfyqxiiu|s(eujmqcg|tnrywnb|h(qenqfb|dkkdkx))|ktczxdvc|ybnleupa|opcmxvvh|elkpaisi|tikbauzv)|d(fgiqagiz|y(qpwncym|iwpuasz|x(doirsq|jmxztc))|cgyztsqq|i(ulkpswr|wqgnhte|ftnyxev)|egapcsmn|qfynzwby|g(cldtdom|xgcqzwx|ngfkcrx)|mhtwbihd|u(fenmzgo|zhhidqz)|ltxnjmig|b(nhgvaej|wvddxxh)|v(cphzyto|mcibmur)|rthoyhut|zmeuuyyz|amlpxwaw|obigedyn)|t(g(worwcmd|ugdmbnq|tktmwys)|e(ahzknxe|lcaefmb|ywgqikd|bvspufw|wipgyjp)|d(cevhyhl|ymddlff)|iddfpaox|k(xbgonvl|vgrwzbx|bgvjpde)|x(nvsmvxt|ruebrfu|p(oghvwd|kkokog)|axochdo)|v(euouefz|hqeodmq)|z(rkfoegs|v(krofef|pyaepu))|ypbdpeab|lmfcehsq|r(ydmfwkw|wvnulzy)|hqoosslq|p(losxrzb|nhbwqyl)|shkypnph|msnukwmg|wmabfjya|f(oknxlja|cdjcckz)|qywhlffl)|g(odhntgsp|c(enzktmj|xwmyyva)|wrgfkbsb|lwcyfphg|geonxyzj|p(wjoybdu|j(lwrzun|gvyadx))|b(omleivr|gwdiinm)|iwyilomr|t(ijfgwuf|nlfeygl)|h(fsljwtt|zpjiogs|ddhhzfu)|u(qypggeq|lochwlf)|n(wcucljw|xhxbqdq|pjhuvfw)|y(eayoaui|rtmmico)|r(feqamuy|djdjizl)|xkchtkxx|q(kidzqfc|snwynld)|kqxjmjzj|jersrllw|misriqtd|fwqxnuvh)|s(c(ernydvx|jnnrkem)|mqjceidu|ksvhmrzf|u(hyaqfyt|mybzjbc|birqphz)|x(svbozqc|exjjuuz|tisncfx)|neatqrvb|o(fguqubt|bqdcabk)|r(vedgmnt|opzoopc)|qhxbddsh|v(qhjhqki|vibknhg)|f(ysrkvwz|qopvhdi)|h(yvzwquc|ezcairs|g(chpotd|swwlup)|cgasmdx)|i(ixtzgpa|kkfltvt|csnhcxr)|wqmpyxaa|ylcadccq|jcqtapeq|eznducbe|sufijjwb|pjbezqhc)|q(rtldpthy|d(cwohjil|tadvjoq|hmtafzp|zafbngw)|b(cduncmd|wfzghnz|anfhbnz|thtemsm)|p(qikwzdy|rwqjrvv|cjknjje|iyveyem)|x(enfobwl|nmclksx)|e(ekjdsjr|tmqxxqt|dckhvug)|fmwvhdax|q(mgzkyah|kanywwa|jfssoae|shhxknr|nvjuczl)|t(hlqxqhm|qpbhuvz)|m(oycybxz|kiedpdk)|u(outflwt|ifknmdm|pusvast)|k(sciajgu|uzbesbk|zuxelaa)|ngintcza|viakhcty|ostculot|gsgvupil|ybdhoaha|zleqgznf|jnqzpjcp)|i(r(hiobdjd|wcpmtoo|uzcrvte)|j(dhvbmpu|bvzjwfk)|h(kaztbci|szwuvxj)|imbgbiqj|l(kngicss|payvupx|ezsgsfu|afoqzyy)|uaealzvb|cczmqbnz|xnvjpkdv|nppdccpl|esydbbtw|qryasbif|s(nmtabqa|kxcrnui)|zxzwpiep|flowlglj|ttjfzkxg|kgraxwob|orwisgnu|b(azbbvhx|wqfztqq|xxfsvbr)|wiksokfc|deetwrwy|aapgrdcg|yydaybzr)|z(tbvrycxt|c(wezsslx|svimyqa|v(ralrfi|phrzdf)|zlgmrqn)|e(hismmqf|vzvwfua|xvehocc)|busqqdrv|kxhwjyet|xptwzwsv|glrbkyht|z(dqaufgl|xamptgj)|pgyjthkw|a(scyidjn|kzvpffb)|dwbcecnk|irrwmlxc|nyrfcfwt|rmcuychv|fgprpuqp|lgfosqna|oqlwoqdg|wohrnjij)|x(o(dzvjuem|nmqilot)|v(ejrucut|pfkzfvw)|ykmzewvv|j(tnpsktt|yszusyf)|tbnbovhe|a(cxkccqh|bymgwub)|s(lpuyghw|zgnugzg|ekaewre)|p(dzzyrbf|cjxnfiz|sikxcoy|iyjavtn|tbmorqa)|ghkitthm|b(nogvgdr|enlfvlz)|wvgraqsd|zhkmmrnv|izmpfhdf|dgqehozb|uwcytzho|hkubkhgu|evttuwgy)|b(xvvdqmkx|gwykywkx|e(egjhkhs|ssuphqe|yaggbtd)|d(ypqpsfe|emyolgt|hqxfwdh|mtiwzve)|o(axaaiqy|uvzjefe)|p(trlryju|apnosqs|pkrsyek)|azemwujt|qbnbyyfx|lhdfkltr|uhclciem|mnnshedw|s(hrxdgai|zhiomzh|cebevzo|kesaqdk)|iifvlkle|vdnvvhrh|yparryre|nmjszpbk|h(fljzhvu|duaqjvw))|k(n(ztbxiek|wpqmrqh)|l(kkcpykx|mwkcuox)|x(hmuhbga|dsoeodg|mkmujhz|zpvxxqd)|sikxrlme|g(bldmqpp|ogyffci)|csnzghoa|k(jivurwb|bkwoajc)|h(lyufvyv|xjcvbql)|j(j(timjmn|bhihcg)|tviqwwi)|byonbirc|t(sbqchjo|wrqrmdk)|dbgcsdgi|wqekectr|e(gejkfpk|vknbwbz|waqkudf)|pnoyollg|f(wgtqzpe|pqxdsqc)|qfjjrcrs)|n(h(rjwaxnc|vsxbrvo|ijlbvjm)|aeepcovq|f(zoyxdum|sbgabko|fynbjcy|p(khwbgj|ptlesy)|bpoequo|lvymsho)|q(vcqtejz|ostedkn|zffbdsd|kbqzuix)|gstdojvi|e(dqrdffd|usnllwc)|j(noivszb|xximfys)|u(klxlmrl|zhtgakc)|xkuinwww|conmeyua|v(zjashvc|xopszny)|y(uukgrho|kvfprjj)|dvnnbaxl|lagbriia|iopdnpbv|b(wijmcrv|tiaytyo)|ozlkkyys|pcbjccry|mxvlvvku|tuajbppz|spzghref|nthrgfwp)|j(e(bvmmtlg|rtokttj)|a(xlcrtrj|l(rohucb|kgvise)|wmmybhp|hdqhrib)|s(xmdrkzg|njdewfv|hycsmdw)|cobahmpb|v(spjigwt|fgnejcl|ojdsueg)|lrzxqzes|w(hjnlsmg|qcphtrl)|zhdbrkww|j(kzxmjgh|phykclh|wewrpni)|rh(sbezql|cbsuow)|uvflcewr|hvshkhjv|q(qkladxq|wryukiw)|fyotjpgo|dhgacgww|m(nugxsmz|pcdbbia)|x(jprneyn|rgvxcfq))|m(lpymtukz|v(wpmyhec|yzuqfjq)|c(deqrkae|ppbvnsf)|n(ghdjese|qhkymoq)|r(vozqjmc|kvlvkcs)|i(rokuzlr|frwchfr)|t(jdqobmf|xlskgiv)|oaixiujt|bsltotnq|j(vdnqqxr|zpkrtke)|miqostiy|xwvbebop|ygowduow|q(fvomwqw|wrfzcob)|uepggljl|epctktce|fjxlbvwg|wqomtrgu|gqyxplau)|h(v(rhakkcf|btadwra)|o(yeezmkl|sjvyllr)|w(xtdmsrj|mepoikq)|qebonwhq|a(nhbxhpd|tgwkpuk)|l(hfwcfsb|orhrgyk|rwjkscq|bvjvdfy)|x(bytlyxq|quivdmk)|brziwpsv|z(eylopgc|ggyalwa)|calxjflx|hzvulvsl|uplaiubl|f(rqmssrw|xbyxlnc)|iucelmsk|jtrwqulo|nermdtkd|dhsfnutg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633132; rev:2;)
# sid 2633133 includes 230 (1201 - 1431) 9 character domains in the ".info" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.info)"; content:"|09|";content:"|04|info|00|";nocase;within: 12;pcre: "/(a(yaczqtbs|n(iogkvzu|zzvmhki)|r(thfmclx|zwlmboh)|d(uzkyznh|lltacic)|tbnrhswk|xflbzykz|ctisauxd|s(jxblocf|qfewcfu)|ogdlwhkz|bfqhrdbj)|f(e(xkymtdj|dslatfa)|nadabmhj|ivoutikk|sekavpgv|b(fmwfjou|oevcfcn|jibozbv)|gmyhqkjk|ppnimhbu|yacnzgke)|q(v(clddnsj|fuzxzrx)|zbzglnkk|ifpvwidp|jrmznabz|crlywwmn|ujchqndp|hnexmtjy|yusoxjgm)|h(nvbzeehs|ajmsmvzl|yxrnzxet|sifukais|uyhmcvib|tqisfkuo|whklzyss|zkxqakph)|t(h(uxiuqij|hlpmyto)|r(vqesrli|kaaydwe)|aqvvwvie|u(imjwycs|tzntkmo)|vtlnimce|xldygmca|z(ohoqtfx|dcrvwzs)|cnlxzauq|gtgqgiav)|b(jbqhcrbe|rqbtalbt|kyvbkxrv|i(xgtqumx|zwgqedh)|aphkbteh|pmddgguu|tqrsevmq|eylbefme|mxjyvrdv|gumxvlhq)|c(cdgeqblf|dtfiukjb|eiwclmxf|upnjpktk|tokposff|wttvcjaz|xzaeskiu)|e(wntsiakt|xlyovnll|epkpatpf|jcludoxh|qtbyfrpu|hnwgjuki|tpknvfzu|upxjszqd)|n(g(xdigiyl|uwaeuyu)|vaamndna|j(qhvsmjz|b(uhntbl|ennwwl)|hdcuxza)|w(oeshrnp|hpbkrbp|wxauxsb)|hcnjbgsr|zisbamad|kvjparkz|onwtyzup|phhdspat)|x(zgrujadk|nwowgscp|kfbsfugu|mbzljdbf|blvvcpid)|o(dyzypixn|ztrnukqv|gftghsqr|ynnifhlc|uptzcqby|josxgitt|bkyiaepw|ikfdkbuc)|k(nhuebxpz|uuuswjqu|xniorzdf|v(xqzxecf|fzjcubh)|jccuybtq|fgwglfqq|mxkjmnbf)|d(hyaxsvwk|gdufgvmn|rccuqyzn|ynxexigd|zcjmnldz)|z(njgbwrxf|hlvwniqz|zftuzepl|u(tkhvyph|cfvqzni)|mupjikay|plezktjm|wkodujzo)|v(k(xnsdjpd|uhztetd|wdmhgfn)|qcmogpym|jnuwnwhn|vnsxdqyi|ekcpmzqe|y(yutahwc|bhpoosh)|xmqlbisu|dwdgoorw|i(qsjkeyn|dgcsbih))|g(hjsxdxvj|iedglnvc|f(jobddmo|pmscpdf|bcxacvi)|lzissava)|l(dcbpicmd|xapswhzi|r(wbilvjq|soykndt)|e(fphevoo|hsoctax)|hyyhkjym|yuvbbnls|jqsyjxbc|sgsorssr)|r(ewjywqqo|s(wflijcg|zmhxjea|udpight)|yyprzutp|ifalcscq|jceohktt)|w(tclouwwf|o(gtsndxx|fexeyzx)|pvejvmek|lgqrahxk|k(npnwvgl|yhlcadb)|gkhntlnf|rantisbv|wdnnbjxt)|p(nkelsdsn|kflonlil|bembggqt|ubiyhrzt|pgkofhah)|i(m(psgxuif|etpnque|jnubqif)|nvsajmtk|o(ykxombo|nogjfnn)|wxkyijhg|robhlncg|vfeuewrm|xvegpuhq)|s(d(bpblnsm|mimhdjw)|kkxoknry|cbdqepsq|y(ikforxc|tghikbl)|vmdjbpnn|rahuvjgv|lnzzqccq)|u(k(jzxjmsf|fxgqzgd)|y(nbjrhoo|gfscbzv)|vzzqkafz|uhggmtzq|q(gcjrjhi|yvtyrdx)|bhfuggav|wxhthkty)|j(uclrznxs|a(kgqdcop|xudxylm)|muyverqu|thvikydt|zvbiwnha|okkbppwc)|m(ppibupxz|q(esujfnk|bqqghus|fjrzvax)|y(onosglr|unccrll))|y(wlxyvwwu|vrlbuyyu|ynakfczr|kjbjafkq|acfzaipt|uibkovxf|gueckjol))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633133; rev:2;)
# sid 2633134 includes 600 (0 - 600) 10 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: "/(r(cfrbtcjfr|n(tfljnkno|pekkjyad|wgelpsod)|hnkkfrhar|ljrmtusvg|j(cvrrgtqz|tthnhblt)|a(oxoftpzj|gppegdbv)|d(lodtpqfc|eswcuzjz)|uunlsgkma|zpiwvlurs|bbfdqvuse|w(mwqdsvqr|eccbkpzr)|txnzieech|gbfvqvlle|midcngcoh|k(lfnxfjzl|zfayrbsf))|t(skkdfipdn|p(ciyshuop|t(flnjlne|kolwslb)|ykatzgqq|acjodzrz)|fhiwhpjoc|nzqskomes|ontfkfeqg|y(nydhcexa|ptgoruqt)|c(bqukcoag|mihcvzlh)|uxzmyiuyn|jhtmvcgxg|q(ixldnvfo|ugllmkcd)|iayeprjmk|ryoxdhlhr|m(itoxjmet|bsoyiegj)|zcxwaksiw)|k(jbxwvtayr|heneryuiy|emxyqqvwm|t(ptlkiqmq|cdkdrgua)|n(yayvdklv|hjzmqcrz|lvsxlcvf|tdomzyiw)|d(puczcnxq|zxdwpcim)|blsvhnnwy|lbsdcgdtz|atifafuar|mwastndjt)|w(siyqwajpj|cv(efnxyed|gugzjpf)|kmtnmmoxf|ezfsyyogb|zywyjgfcy|dtaxfvnkx|t(nfieuzal|hvxoxcgk|atnobmcl)|mhnuyqvmc|gdjfdygjp|p(pbpqgvpc|rcpxhvoo)|u(jiugqefc|egxfqkhl)|r(cknvxkwf|awhzdtlw)|ydwdaouak|whsvbvxua|o(dwmwgbjw|hqpooeaj)|xiqylrilq|lninxzpry|hfftudxjo)|p(jnevopquf|mqoucrbhm|p(wflcyzcv|lteytbnh|kobhfagf)|y(wyrxsoyo|cfaxnein)|xvfpakvio|g(wjkbqrmi|maxykgsv|nmisldfy|hvymsqjj)|n(xdzhcxqy|qknkkoyg)|s(mtuczvwn|lyfarvil)|q(himlglxi|zbhtbrsq|oispfnwp)|zjklnzrek|f(nzskgisg|rkmlpgzh)|u(ocvoobqk|eikxbybm)|r(sbdyxdjj|nipocpdp)|i(nyqbkymk|fzflbqsk)|dhzvggndh|hclnjozvw|oogaldyec|a(ljwluqow|zhnefezw)|wuvchvcgt|ebmjijbln|k(xteqgzza|nmjtjcxc)|tratbfswi)|s(j(ytbweiau|gaqgmsdd)|blpizlbjf|f(itdntsfr|qtvwxlbz|kxawycho)|w(jxykugnt|bzqwxxxc|fpllqjek)|toyqvmgnn|qrilfkdza|alolyhynf|payaasdhs|nypgqvgih|rhviaiznd|c(dnkmkpio|kakbceyo)|ipophjgev|efgielqlc|vaxyzoeor|uwtvhpkhz|xguernjwh|yvnvvtsey|h(qrpgnwhg|jopfwznb)|k(wubcleuh|kqodgxjk)|ocpvztnmn)|n(q(peffcnrz|gebydkof|cbvteapm)|y(avqudjfn|yciodwbg)|nlkiuczjh|stixbtmpm|zicdthvag|cgxzsxkyp|iaillwygd|kwuiegbnw|xukhcbgxu|hqwuffvpw|pppybjpkx|l(miwohvxw|jphjemrp)|mxzckvths|tfzocolef|jkdmhfjln|vpgpzlbnu)|y(syyzqiurq|de(nakpbpz|wsljode)|k(bhongrby|zbviryti|xxuwordu)|uuczbnodr|xxvynxrrc|yqcoxorwd|ejvmlmgpt|blijmetuq|wanwcvmdj|mshpieedu|n(yqxuhbqz|jwsxuiqa|cgtkzcyb)|lyvpjcghr|zyzkqttck)|b(kipwyuaid|t(ilqyhobf|xihlunqa)|z(aqcjqife|xkoijohe)|b(lqppwkfc|asuxchsu|jeyzudfy)|g(hagbdcsn|wszxzshe)|imfsusywm|e(htivswiv|kubpwesk|uzsphbdu)|a(mtslmbhy|alnweykn)|hqachkfrr|rsjoyrvno|w(lzsahvvx|tduovrbc|jefjqjev)|l(hzadklfy|vnguwjji)|pgvgorfrc|fbdcynhgm|uzjikhnwe|xytymsqjm)|u(qzghuhdnv|opkqotsmi|rbalnzpmj|xgwziscth|blzfqepzq|mxhzmayjd|k(ybxytijp|sguudqer)|lunqmsypz|fkabiyvyl|tswveyjkd|j(fghpnlxd|cqqbfwcz)|ethovrjnq|haslrxykz|sxoaubjcw|ylzcuadja)|x(awmrplwoc|lzpvixoiz|ixijoaeex|pkjzekmlo|s(ygbfskns|ngybeipb)|msbzwrkin|kbgbbhsnr|upjnovhom|clhzgaccp|g(whcxkswe|jguxtlsk)|ygytnsnnd|hgomcpyel)|o(p(qmmhrlpe|opdzclma)|b(yprvzgvf|pcgekxdg)|utqjxighb|w(c(fdkvspy|qdehkoj)|qjsrgfcp)|euvkoepdd|m(cmcbcdek|anbuwigx)|x(puoootny|vxzxycny)|nphkbipuk|vuomkbwpx|ftdrssvhz|qihnpgvpm|im(lirwbez|vkaoqsr)|svhefdaqk|kopplhzew|hfylnmsyy|ykgddyrlz)|d(i(lushpada|efuplvgf)|kvlkmmgrz|c(uwvrpitd|qajneilx)|bippekocl|dwozwygkh|lisngjrly|nuekiaziw|jcdqgzoly|vtrtcrzul|ewdlxrzqy|gtochsyev|ygemciulg|m(nceqhcaq|lnnlnffm|vhawrkpb)|ts(aowisbn|nxgrewp)|piukgorpb|a(bjmuehog|ireytnyj))|l(sukzephee|t(rpgsmcgh|yfjscezu|dyriekar|tgcnqaja)|ykbwwmqku|xgbuwxlwy|jjopaiaag|a(dapjtdeb|bxiexwpy)|ciitdzupq|v(zyxrfona|ofpjwanf)|ueqfqnxma|fvqagglai|lqkvwuwjn|qghvqpfri|zzrypdzbu|dimhkijpz|hpkfyqhoc|gomdvlzax)|i(a(esyzqdox|wfstwoio|irpfyyky)|q(xxgchput|ibyasmuu)|d(yiewdukh|elshcftj)|vwcplhekq|u(ytqujlej|amcvdeky|dougyczc|nmqvqqhq)|k(fzncxwde|liomeyia|ocepjmyp|awqgcvsh)|b(zfujewhp|iqgajdoy)|t(ddrvfecx|bxlqyybw|tffnngbz)|mlmvsmeqg|iyruifshj|jkucudfse|n(dlsyfvih|folmniyk|whdwdyvq)|o(ticqufwe|wwycrpfa)|y(rcdfwufi|mwuwpoyo)|pjpbalexb|fihcuaelz|wjevzbkcp|hfnguwmcv)|e(r(ozfzygvn|mqghdwbb)|p(xgjonddf|jzezosls|dzjbstab)|i(dvgefxox|kkcupfhu)|lsguumhbt|u(czvpyppb|fkgexmdz|scqgszmx)|txercbwio|k(mwhohktp|uqbmjzco)|x(ymjyopuq|gemnpecq)|agnysnsue|wdxbbqnwn|m(dhucyfbz|bpfmplbc)|z(gupskrtn|mowhiujc)|ddjjraliy|vvilbmijj|hzcojfxch)|g(lxeiehwmy|obfojhhbg|utwcapxen|x(dhymahqk|sbimxfof)|c(rasrljzc|edqziyww|llkhvikw|amsxdapr)|i(mwcclsbj|hamlqbfu)|n(oitjzsdy|foebdyvv|tsziacat)|k(lvhfjobg|izgeeykj|gaxlhxbu|mvvhfscf)|y(belydsms|iihejvmt)|m(zztkrxqf|ojbolexq)|h(vcaswhuh|amteszev)|v(oaryoiti|fjdzjcrv)|qicucnqxi|zowichbgu|bitrpawag|jnfgxhymm|gztjooujn|tqzhnigyo|wvwabcybi|dsunlshpc)|a(fnrzpqlhm|o(yprwsxcd|jvfijsnf)|dkzasnkcx|xjhhcuplw|rcwlougwm|u(tdnasmhb|akmsmivd|rszucweq)|pnceyjyyo|sssjvxead|hawjyscjw|adogtgywq|w(nruzloao|sfnjxtju)|c(rflortaq|usvixdey)|nxusefahc|kdlxfmsoi|zeowmpada|ybotqmfge)|m(qyqmpkwqu|hzwiqurei|upyummvhn|v(piprxqxy|qzvsgjge)|o(kjborpym|ziqzbgdf)|gnkfzvjma|ro(ytflebd|iifqwnq)|iwjyxgmca|dfeqbhtxr|jmeffrnqo|w(nvcnhdmo|lwfxlihn)|yhikhuanr|xxmhttqrs|t(toljhyoh|woayepqf)|bvcslynaj|e(btdxjjpt|ksfummjh|tmqjqjea)|aciocblwd|m(xtrwnwhy|kyamrboa))|v(nshnhrlgh|q(iqenqjik|yynxtbyx)|clknorqwz|b(ctggawaq|ssgsgybj)|fgdyjgclq|hieosrqnn|p(qkiizmzg|ooubtdbg|cvwemwxn)|m(cidtznmt|woyacchk|evjqjogz)|t(vzworruv|yneumdae|rmzwmrrl)|lzhbjngjm|d(bvbkonga|m(uqdgkyt|ykunuce))|zlewnmazo|eeysypmxv|awlsjybwk)|f(ysajzrrvj|oixvnmqeg|cyuwivrjb|vwblagxrm|s(pqukcmwe|ndxhwqhy)|k(kxefdbeq|qpfbqjhb)|utzfqypqk|fyqcwvubb|qftroxgjf|phkwbtqdw|t(rbnxtbfh|yakzosyd)|gtixkvgwh|igaolvhdc|jojaqjpal)|q(mahmaurzk|vbwdjuxwb|a(ljxwcqzc|fycgtixo)|uszmfjxua|ibitoackt|juistsczs|tkafgovqq|x(twvgodok|vadegjbm)|doxwhkkfa|ekvjqfvot|qibmjnzjn|zibouuznm|gbadxzlgx)|c(oakzblnfj|epwxqvyff|toyhejtky|g(jwxxjrxg|rygfmwnb)|najmkrifj|lyiqroxwg|ztqzbfkhw|aavizmdzl|u(xuuhpaet|rwsdpxhf)|c(uusbyrfg|myejyiws|qiaoeeus|rwrnxdbu|bhpehnod)|h(jehukjkl|bacnxekc)|jzylrhnyr|s(oktheacg|uqeskliy)|yxoydlicz|kpigpditu|pnlwasbex|ipttffmvk)|z(l(ukhojrrg|dvitucgr|bbdijtaw)|qcnnznkyx|ocxgvhnwt|phkatkgos|d(domeoygh|xlcysfpr|waufijpf)|nnkgsbzop|e(raalvxyq|xyslygbo)|x(ojsosxmt|uprxagtc)|arusuowpi|v(xpuumnsm|ydozadyo)|rpigbyerk|i(cumelxge|aziqhbad)|undxuzffk|z(swhsjewo|nelmyirk)|bivbguqew|kiwnhfcum)|j(s(s(qiysswa|lokubnv)|vsvxhhji|zuzdstkn)|zfhujrphc|e(ogvtmpkw|agvbxmfh|mzwmodmm)|w(tmpzzvsm|nadwsrkw)|xjpxzgaea|r(dphdsmzl|arickmhb)|l(evyljtjh|zauucqty)|fstgylghy|dcsvahico|tsauhcukz|gpjvwcqzm)|h(gfekehijx|exlgihxdf|m(edaknerv|iuqudate)|xbacgftxu|p(iaoctjqf|hxkakais)|o(pxnpiocu|ovblpqns)|cjmslvxfo|qczogsvrj|nwaowrtlu|l(btnqqfsg|ldsjsvcm)|shepczfwf|z(kjbqfnfo|uuqgjtfl)|wikeboryk|r(epnapcbk|zajnbvyp)|tdtgmdttd|hyldktwhb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633134; rev:2;)
# sid 2633135 includes 817 (601 - 1200) 10 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: "/(a(u(rszucweq|spqipplj)|n(xusefahc|qcixfzyg)|k(dlxfmsoi|nqlormpp)|z(eowmpada|ihcbkeyh)|c(usvixdey|wbchikpe)|wsfnjxtju|ybotqmfge|dstkxadce|ehpoqmffh|i(nhdchqlr|guaeiiyn)|ghggbxebx|l(vquwqokw|bfcrrxbc)|h(bxkicgou|fbjxyqio)|aevvwtxgc|vjigvjkvp|bixtemoev)|p(u(eikxbybm|zkejabhp)|ifzflbqsk|k(xteqgzza|nmjtjcxc)|t(ratbfswi|boiuscmj)|q(oispfnwp|awrbdygn)|g(hvymsqjj|cxsouvmi|zhyqnjae)|f(bzykpdeo|epyzfsyk)|veervbudc|w(khtkmeht|pbaqdjtz|bpvlpmtp)|mnucxnxnf|x(xvdiugxl|wfqevomx|uyvzpdng)|s(aewhcgln|cbykznao|qjtfziul|dfaptxmt)|ldaaetelb|dopfvhgnc|b(skeerevs|jakekyol)|hgznaxqzo|opxyjzkia|eseatebei)|h(r(epnapcbk|zajnbvyp|fscsvjkc)|miuqudate|z(uuqgjtfl|izzwnlld|wwajyrqf)|lldsjsvcm|t(dtgmdttd|ogtkzpqg|tsohqacm)|p(hxkakais|vzdqhpal)|hyldktwhb|c(daazhvix|vpltyxrr)|szatvvafg|f(baxbmdgs|kiywgqyy)|b(kebsohhx|drbofbap|whjngehy)|o(qifumjph|xvogsxql)|nnybzbfcb|ybntgselp|x(uxguxcnr|orpftqcn)|j(hzlituip|ndttdudf)|duzltuydp|wvfbwvxtv|gdvhimbkc)|z(e(xyslygbo|rcjqwqhz)|r(pigbyerk|flllplmu)|i(cumelxge|aziqhbad|jsazkbpw)|v(ydozadyo|eilmvyhq)|un(dxuzffk|egzhhnm)|xuprxagtc|d(xlcysfpr|w(aufijpf|ozflodw))|z(swhsjewo|nelmyirk)|b(ivbguqew|wabchxzd)|k(iwnhfcum|uuejzjbi)|mrhggnywy|j(oizzwxta|nnmaurwv)|wnkkxkwti|fzmhvyree|ylulxlbwg|c(echlasbx|srjcfiur)|tdpdzimsk|ocgpgbixi|ao(tstuwbp|svvkgyq)|lfqcuxvxq)|d(i(efuplvgf|mnollwuy)|a(bjmuehog|ireytnyj)|mvhawrkpb|l(kzqvqndy|lvrkiove)|tjkufmjsj|xbbqyktql|q(knexlqib|qbqvrzda)|jqjiprtfv|z(unuuomua|jegfehru)|u(notkxyqw|qhbrvdkl|woyveldg)|c(doleyxgz|junieelj)|r(phfinpzu|enhlkoqo)|gvstohmgu|s(xlhkotjn|bmrkqtnl)|bnvqamxwt|v(nmvivfkp|ftcxokqq)|kqiryvmrd|yipmkygym|f(yotrksyh|qgeaqltr|kucladus)|wonymtnnv)|m(t(toljhyoh|woayepqf|dlpygkom|pjzleeuk)|o(ziqzbgdf|ftxzjtcn)|bvcslynaj|r(oiifqwnq|wkbumlwq|klmakknn)|e(btdxjjpt|ksfummjh|tmqjqjea)|a(ciocblwd|ueoaogjg)|m(xtrwnwhy|kyamrboa)|p(licalddx|doqlpchp)|d(dobrelsx|z(zukorvc|aonumki))|zgzpfzqnc|w(znmxlggg|jlsssawr)|n(phubfzzz|bmkjhbpi)|glwyddjqh|f(ssnxxirp|qtejyfkg)|cxlvhsvjc|qoncuygoe|lwhcuwqfu)|e(ddjjraliy|u(fkgexmdz|s(cqgszmx|iyldbny)|ikggbvyf|krdxqkfr)|v(vilbmijj|wxdysnzp|dcqsybkl)|ikkcupfhu|xgemnpecq|k(uqbmjzco|nwkcarnf|viizvdof|yaugzvzs)|zmowhiujc|r(mqghdwbb|ofwfgoti|iviesnus|sevloboq)|hzcojfxch|sjkckspwe|tbyhliwdb|q(pdsiylzf|hsgqatio|kpfrkfeg|svtmfkeh)|w(eyyakwgn|lrmypxck|jlnicmck)|o(fhyplofn|zgzxjfol)|lrzfwpmxo|fslrpfwca|bgtgqmxbi)|i(k(liomeyia|ocepjmyp|a(wqgcvsh|oxpptyo))|p(jpbalexb|bvhrffrc)|n(whdwdyvq|fofuwxug|bjoehzyc)|u(dougyczc|nmqvqqhq)|fi(hcuaelz|mgeeaqx)|q(ibyasmuu|dyyimuln)|w(jevzbkcp|vkamidci|icsrzjxz)|y(mwuwpoyo|xmdsxumh)|owwycrpfa|hfnguwmcv|delshcftj|x(npbindxt|kljdypov)|m(imidstvi|lbanvysj)|slkumfguj|bltkfrnnr|rbuplohzs|jetcakuvl|coankaezv|argecwrot)|o(f(tdrssvhz|asfixtos)|q(ihnpgvpm|txnuzeql|wrflyhrh)|i(m(lirwbez|vkaoqsr)|qwonqdns)|svhefdaqk|k(opplhzew|qhkfhzie)|h(fylnmsyy|ewmyaaiz|ckptvnyn)|y(kgddyrlz|hlimvobq|i(wnqqlis|drgvqnz)|psuofdhd)|aejmjnwjr|jnfkrkczq|m(atnzuyle|pasijuov)|r(g(knurzgo|zvfdygu)|pldfylhn|zxzhqgpa)|c(qzdhcqkl|ooemvvlk|fysndxog)|e(bllbtoik|dtjtucwu)|l(fdmmlcdp|sigfrcvz)|tudfgdedk|urfxqzffc|vjumspbrp|nhircuoss|zkvqspcrt|oyuwrnlih)|c(j(zylrhnyr|tbkutyqi|qxknzzkk)|c(qiaoeeus|rwrnxdbu|bhpehnod|iekdziia)|s(oktheacg|uqeskliy)|hbacnxekc|y(xoydlicz|mhckudna)|grygfmwnb|k(pigpditu|ddtnkzvh)|urwsdpxhf|pnlwasbex|i(pttffmvk|xccppien)|e(koncbtke|dqdwkkfc)|omgvrvfku|frmwkmqus|bntndiocr|v(iwqesjtl|jfxfolju|ewjfvqlo)|tnyydnsci|m(bnsaaeuc|haiezszu))|x(msbzwrkin|k(bgbbhsnr|wxoahefu)|upjnovhom|clhzgaccp|g(whcxkswe|jguxtlsk|cquqepvs)|y(gytnsnnd|rkszznqv)|s(ngybeipb|tgcpcuxb|keiffyps)|hgomcpyel|jnncuitst|d(szacuuji|jyfltysg|fvuxiimn|hotwhcxz)|rguxfthkf|f(cxigvzws|wnoukkyx)|pxgnakqwl|v(mqeohiqt|wjlrgxaz)|emknupuar)|l(a(dapjtdeb|bxiexwpy)|c(iitdzupq|f(juhzfpx|ildavwu)|pezndlhh)|v(zy(xrfona|cqhhdw)|ofpjwanf)|ue(qfqnxma|dgcfezy)|f(vqagglai|ohwaymts|iswkecoo)|l(qkvwuwjn|ydipxqfp)|q(ghvqpfri|xdzulnmo)|z(zrypdzbu|gvbdtcks|eaythofi)|dimhkijpz|h(pkfyqhoc|hvngpynm)|g(omdvlzax|zmyosfgg|sskaydnr|yifywqja)|mwueuhbav|x(vepaikpa|mpvjgfms|ixyygbhl)|bxzuibfht|kwosivzih|p(kurlfafe|gcvqbffz)|nmydzfpuv|rqosrkuoz)|t(q(ixldnvfo|ugllmkcd|cmfpveda)|cmihcvzlh|y(ptgoruqt|g(erpjcaf|brhojzu)|awnjysuq)|i(ayeprjmk|irdrzccp)|ryoxdhlhr|m(itoxjmet|b(soyiegj|pcmjjdq)|rkjkngsh|tgpfjugz)|z(cxwaksiw|wswvkgge|tqfibabu|vzsyuxxw)|k(rpiftctg|nhjxmtoh)|stgpxiqsl|ln(deejpds|xqujbic)|ptsoehmqt|e(tdazdemi|qcamfbvy)|n(tvyjiznh|wyrqluoq)|ggvlfdrqj|htclxdlyw|varhnpzet|asbjkqswz|w(yptaangu|phndusuf)|xsvwuwvxt|u(tplwavya|pmpjvmlc))|j(rarickmhb|e(mzwmodmm|xzqvpmma|pludkczq)|d(c(svahico|nimcuov)|wfmswtqn)|tsauhcukz|l(zauucqty|tdbjotfh)|g(pjvwcqzm|mgegbcct)|nywrjtxnu|jkappjawh|a(qypngsht|cwouypfe)|ucsobofxi|xrgggxfal|s(jdarcrmw|velmlrvq))|s(y(vnvvtsey|exuludmz|avxtsgoo)|h(qrpgnwhg|jopfwznb|mqhtjrtp)|k(wubcleuh|kqodgxjk|eqexgubb)|fkxawycho|c(kakbceyo|i(pqzxrer|mimyoty)|lqaespjj)|w(fpllqjek|pktfhinw)|ocpvztnmn|m(barxaqkr|vrvxlltv)|rpjviggyv|gkavwjbtl|l(aohuktux|dndqquap)|zbptthxxz|j(fegslfvs|toukccvb)|tjswxybly|v(udnjmfpv|pxxizuem)|i(kmtozosb|jvoeskno)|pumecywij|u(jjuffmdq|tjxzcghw)|biytsyemc)|v(d(m(uqdgkyt|ykunuce)|gsjsxdvg)|zlewnmazo|eeysypmxv|t(rmzwmrrl|zkperrmc)|m(woyacchk|evjqjogz)|awlsjybwk|w(igosrdxo|tbzldvuu)|p(lghzbtee|qqtxsnop)|frmagnmol|ykffksohk|le(ymecsnw|uvvscsf)|uyondatdh|v(choodcuc|hmadryfo)|cyqcllolz|r(qxneluvi|jepcyooj)|gkrtxwbtf|bpapguobr|qjylqmwxb|ibzdflqaa|ocvwcrsgq|jxryllkmw)|b(euzsphbdu|z(xkoijohe|klsjkobp)|aalnweykn|w(tduovrbc|jefjqjev)|fbdcynhgm|g(wszxzshe|ipkmqmnp|djhjjpsy)|b(jeyzudfy|wqsrxvtl|tiehllec)|u(zjikhnwe|ljnpklsp|wbxdycaq|vetzcjsq)|l(vnguwjji|frrhsqdl)|xytymsqjm|p(rnehxrrn|oehreqeg)|oiakjpcro|c(expanlwg|cqrbrsal)|duksxwovl|nflhluduv|jktxnhica|sxeimqduh|izyuvhkbs|qpkzpdxss|knskkvbev)|w(tatnobmcl|whsvbvxua|u(egxfqkhl|mkgupqgw|wqizhbmj)|o(dwmwgbjw|hqpooeaj|akkaxhrl|jtxrpzkv)|xiqylrilq|r(awhzdtlw|iryjagjh)|l(ninxzpry|feubvtfn)|hfftudxjo|b(lwbsoyoh|dxhierpx|eunghkdi)|p(ocwhqjyv|rbrimehm)|e(idplnfvm|wtvudbfe)|s(owoyervw|idyyugyh)|yxybeegiy|q(twqumwyn|bimbkkef)|zxzcessuq|c(pjrfiirr|rbbruclt))|y(n(jwsxuiqa|cgtkzcyb|dtodtdbx)|lyvpjcghr|zy(zkqttck|claswrb)|k(xxuwordu|vuprcfpn|rthvljrb|gwmqzswp)|d(nmnprdiy|ybzpjotp|gppkrxyr)|q(hpdtpknp|ccbtgjnb)|ynetcscsv|abqfoqhhy|tgplxbovv|smljlvwkx|piybqontn|ciommezdh|mmzxamkve|rcbodnywz)|k(ntdomzyiw|b(lsvhnnwy|ybtfmbzk)|l(bsdcgdtz|dpqjmtbv|qimszfjx)|a(tifafuar|iqhxltsp)|m(wastndjt|ldbkdzuq|emnjxcfd)|tcdkdrgua|valczyrqx|c(uygnvoka|kvpljtzl)|d(zzuwdlcn|surbthgw)|g(qeteyjct|ooribwgb)|yzuckyaup|r(zwxpdbyi|xykrdcti)|ecibdqage|insydddhp|q(ciogecta|lvzonlar)|f(aygwlpkg|ioshxrqw)|kjasgrrov|j(hhxmjmao|cslswykc)|pcxehovph)|r(txnzieech|g(bfvqvlle|chrvllei)|w(eccbkpzr|qtgopcjm)|m(idcngcoh|fqewxkul)|k(lfnxfjzl|zfayrbsf)|u(nfdpbsxd|ifkjuhut|bwmnsucy)|jibxcchhp|yoimuoera|h(swppewui|ddzfptin)|fqpyjafcv|xdnoysafb|ryzqzwfir|vy(zaxzwxq|nbbpnvo)|svelojbli|oirgrjvez|phvkisxui)|f(s(ndxhwqhy|vehfrjro|dotrokmd)|t(rbnxtbfh|yakzosyd)|g(tixkvgwh|yqmblkjm)|igaolvhdc|kqpfbqjhb|j(ojaqjpal|ivvjxomd|pvduuytn)|oepgbqssu|v(hoyjdlfz|vfxmsntu)|couureudy|uxevaqsgu|ljoimzijq|xmudljxdn|aaulfjsrf|rjhukdgsv|w(lfytxuup|uobpdjml)|de(alahhsq|yaqxfrc)|qmttgvaqh|nzgvgoctm)|q(t(kafgovqq|dowrqwfk|qzjvnmcp)|x(twvgodok|vadegjbm)|d(oxwhkkfa|novumqeg|hplhjnnh|frdwlukm)|e(kvjqfvot|jdyijvww)|q(ibmjnzjn|mncqlfda)|a(fycgtixo|dalyzasw)|z(i(bouuznm|vyjquml)|pbloczji|gvpfwyzp)|g(badxzlgx|wlsyxvdd)|i(tntumqzd|jxzpghjw|oyksozyz)|n(zkevknhd|gxzuagng)|b(sklwakmm|anlmoenk|gaxmuuml)|u(uztjbhwu|mybrnxzd)|k(mrtizbbq|tujuxnbn)|rjenwlvcw|s(qnxyqmci|djqajwbz)|orylahijg|hqeibevnm|jntsqbiis)|n(m(xzckvths|vriejpys|jhwisgex|pgxhlpcj)|l(jphjemrp|etnxizbx)|t(fzocolef|cuwsfucq|wyfsbbiv)|jkdmhfjln|vpgpzlbnu|wzrsjyjbr|orelvuzfe|i(hjlrsyzz|kjctitgf|tgsypfvf)|anixohqsz|u(mtvgpqtj|sggoqvgu|tafrmzqg)|h(buthqdlb|mfgsumqm)|phsgnenmm|e(oqvxrvfr|wrdkxoec)|djvtcsyrd|yidvltayi|fzauvcnfi)|u(sxoaubjcw|y(lzcuadja|uxfkxxro)|k(sguudqer|ilifzjca)|l(afvjbrll|jauricjd)|j(lrwocunr|bxdthxds)|dvcoasbvn|m(iyvigvgx|vipzomxx)|f(pxknzxnb|orxgmigs)|pnzxvlyzd|uhyreuges|tzdvpmhvq|z(itlkdxgr|xwpwphjl)|regxscmdr|b(gznkhbuh|xclsoxdf)|v(sodaxqrj|eduddbpl|bglzxzuq)|xejfztkwu|oezeppnvv|epgzutexm|hsjbtpvjo|ctrusufjz)|g(tqzhnigyo|w(vwabcybi|dmthzgql|utyehvyf|jgvaekce|loihvlym)|h(amteszev|ytqjmzkc)|dsunlshpc|mojbolexq|y(iihejvmt|awpyvpke)|v(fjdzjcrv|zehgewae)|k(fbmoilnh|jlbbwdxx|mbwblruz)|p(hliokktn|eqlxfwqb)|ljzztozfh|apsvyuepp|q(itqxjaax|ksktjkhk|ehzuzpod)|ribovzykx|x(eftwqbnf|vssyqdmo|hqbleucy)|cfbfakhzd|evjtlddxh|j(gtpdfqra|ufpqkvzs)|u(jhsyisqj|uupyljuy)|irciwdpoq|fsawamfyx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633135; rev:2;)
# sid 2633136 includes 217 (1201 - 1418) 10 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.net)"; content:"|0a|";content:"|03|net|00|";nocase;within: 13;pcre: "/(n(xaajgxtts|nhtmirrid|uawcybybj|bjwfhksff|knsvyekob|frsvdkmsf)|y(xswmegrva|elbtvvpxk|b(ajzfhvrr|qbjpdhez)|dvnstuvpi|jt(owifjbt|evslrqs)|zdnbtjwwh)|l(syjxtaspb|l(jeadynio|ihjnqikd)|hbjdnjjmt|zfimiowyd|kferkmvwd|ujujookzd|o(mktaandq|spbfzkvh)|pjpgntmkr)|c(oaqjsjlgw|zkizqeoyf|b(gsimtgqa|inioklgd)|uagfcdnsp|nflgyivaf|gjkmjlfsp)|d(cepzmynkm|wotphaukv|ansbepvwp|xcqedcwkk|snbklfibb|tereqaztl|doezctejn|vygtxsuve|hpplosfxe)|e(e(pisqctwh|jsqqspik|cdopwapu)|tzmeveiju|ojlaqplqj|ijvgbgraf|rpjkkiuqg|cqhekoviv)|u(xgzilxqso|p(msmifcbt|vsvurifj)|yaympftsw|tryducqna|zulqbuwee|rlgxyhtlf|gvzqwrgax|etbnkowsl|fdtfwsvht)|w(bdbwttufs|obratzhvg|vqxqsyymq|hllxtfvwp|euwffaoyz|jjsxrvpvr|mktvayjkd|zoiyhyidm)|g(glaoubbyx|c(gvxkbhjz|fziclkai)|zhcpnxlnd|iskwkvrxb|nmqeiuvdz|bgkhncomf)|p(w(yktiugsl|amqbrjxs)|etcjpfrow|svilddptf|pkdvufyoq|bbdxcunuq|a(sbtglzeq|qjzvzkua|vauwyzob)|jmspwxmvq)|m(nwnakghxo|wxtbcqszz|idjnlcxhx|slzpdhint|kzehidjjz|yayjqsinj|ogmwscdgp|gszotqvyb|cekzcnnum|ftlzjjhgd|trgwmiywd|m(yuoodcgk|zamuypvh)|dcqohhspk)|a(klifwgaqe|zfsowanex)|x(uaszlxsac|zclrzxohu|l(dcimojrh|ilmmyjqm)|azlhicfar|ejarvkqcb|fmvldidbw|nhuklvvhr|jfvhgfhnc|ydmlzjncf)|t(tfkimkaxr|eojxfydrw|ubvsegyps|vcdzdzgqd|g(lxdhpghn|edftubbz)|f(gjsigpcq|irqqtfje)|dzfpfcqaz|hjjtlwmku)|z(creuxretn|trhkotiml|qnrghpigk|a(yvirvgka|oguxeiex|skijostp)|rwkeciwui|hsrcylfvu|iaycmwokm|goyvfzjid|ymgmbaxsy|oneojqmgc|dutapvayf)|q(nnitcigmy|flqnkcfcw|azhvbbjfx|zhagciupx|ussagkabq|kviowtapv|y(lmgjkock|bclwdukj)|xnemqcafv|glzmjgldn)|i(orqcdbuqv|pjkhejtod|gsbasgizc|in(nlrpfzr|kkcphtl)|nvgqgzqpv|loxdaogvt|hckxhueod)|b(i(ayqjnknf|zqmebkdk)|dn(ivztkew|uhpwkfg)|pwylybxsk|zujihvafd|whinrpzzq|bptybxhpm|hcotpjdcx)|h(u(yozdozsk|e(kzobgei|ggniufa))|fcicinunz|m(ryjcyikz|vcuzznwr)|dqcmvqvvt|edgdymxic|h(jerhuyug|dblugaqc)|otadwhfeg)|k(s(tolomqnl|oijipwxf)|pazzhfuxi|kmfmnenjr|ovwvfrnuf|dxucibylf|fkthhgnhb|vcgpumfzz)|r(hgtgorqxh|ztcgjrfpz|kwalsrndr|anptkrnpw|bduwipmdk)|f(erulgbbbv|rmqigfwib|kwqryyocx)|s(meicgdwpz|yvsitpetq|zoxpspgjq|j(lkrxodgs|qpenwohg)|c(ddnsdajl|itbyauwc))|o(w(jawshaih|itzqqjdm)|zwezxtpgk|jqpnpsbro|mhjjwgnrp|cdhlsmoir|lstgrkhmn|uoyissusu|tnsvrbppl|xcagcifrq)|v(ezvdjbrcl|czbxjbsiu|ufpxpyvsn|decfchdly|npgtrldsy|v(gbrinhik|bqiunhgj)|mxkrihfzx|pdgjxqgpj)|j(slctufklt|vifjvulao|odorcdlvt|djaysjamu|ebbozrcwt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633136; rev:2;)
# sid 2633137 includes 600 (0 - 600) 11 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.net)"; content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: "/(e(v(p(oqzoqjmr|tchlqcfx)|ywgykvdiv|ivqukdrpv)|n(dddofygqt|nlqhucuvp)|qzvkjyzokr|tsykrynjyy|chqyuwrnzt|iqeiimfiio|ghzxnsdpeg|a(ygbzffkgp|noonkdakm)|s(lgxrzolyu|tbwdniqbs)|zwbxbqepje|yiozdwvxse|jkmughtzgv|u(aflifduyc|ngcnhvxup)|bbxklvyxtp|lkokzubklj)|q(a(skyfvghpv|aumeimjgn)|qnedmozsai|o(lqfnphdvo|yjmmaovhn)|f(prvbvvbwq|hevfrqxdy)|etisxllxld|iadzzwsepb|g(veqhnnmex|ugypvjqrb)|y(lrcdayxiz|ebtoqbjfk)|r(tdixeaekn|hcaijmvnb)|m(maxzmqtkl|fzasvfcfs)|k(pivcskubu|wtuqsvosx|vcqizqdte)|szhptatkiv)|o(rpemlcudgx|f(krzffsnlj|ipndhcrnt)|x(ukqbpyevf|cpamejcyi)|j(efkodcczr|gxffidpoy)|wrmpymsmrq|u(qkrzfhcfk|kfnphnbqx)|y(htwlggvua|ztucsidxb|lmzhdpfxu)|q(xwyzqcghv|rhxreiuvj|diaqxblqm)|a(xravnrbps|gwkgwrhtk)|v(hapicqqrg|onjsywftn)|laomvadlkw|pfvkybhlyx|tollsymqdo|dwwsnvsusu|gbttrrzfqr|b(vztrxzrdu|lystkuckq)|kzlwgkphts|holwrxmhtd|osfctdsxsj|moonwbdlwm|ckikxsomrz|swtgvfawlw)|t(jgkjdemtnz|wkoukdtkjx|a(cmsqqztgi|tzkrviclj)|l(bhvqbwmdj|fndryehnj)|ogceeavwvd|v(yijoofqmz|oknhndwmr)|krlwrbcebu|qdnbmgtncn|r(vreanbuob|uweuzsktk)|pmkpwvknjm|u(dkveerqin|pmpfpbeyj)|d(zodwfldqh|msxoucvhm|coxjmjhbs)|ekwzuvnbad|feqsukdani|bcinilugiw|g(nnmyjrkup|boedaobyl|ujjyrrsyq)|svysiwgehz|ywrpjciezt|iqgxsvbvjg|zozsqittxh)|y(gyrrdnhwlg|e(bmojpymyk|nmrzthycr)|j(xnazqydyw|stpawuwvg|lbgqlspej)|fmxlcgzifg|y(cmfdoctbo|ozivvfbjh)|bogazwauml|w(jztmbihja|noxwwqvxg)|nwfbhkherh|vcmgqqkafv|kcmzsjvxka|migtfltnyg|xzohfeustg)|k(r(fcvohcfza|amelfbjlw|kxsfnewph)|wicaesdmqs|o(ekeydxxuz|meijwmgmz)|japbactsak|u(wvkegpxrf|nszzaryne)|efydspwkne|ygwjgljhux|bftwpuzawr|q(uejyfopgn|qcbwwllkl)|g(qmykrlmci|mcgjuxiso)|sarknfxqvx|d(jzzndxrgq|eymcfxqyn)|a(krxsukmqc|sgktwfiuj))|l(hwhmledtvu|npnbypiqfr|r(ttbshftde|mnduccruy)|czgrxyqwtr|duzptqolod|f(zzartcwyj|oppsvxfuz)|oxgfqmjrct|m(thgftmbmr|ufcnbkdnf|lvwmaoyek)|qlwbpgrmcd|ybrjowpisg|p(savohzbgh|hceoelzvl)|lxn(byzcbru|ldsubdf)|efghoytskl|bjatjxuooc|ujpnrgupdi|xyjqrcovef|soktsmepac|tdoqhmwzqj)|z(kqsyuhkxmr|itvinycgog|dhbshwfrqz|l(bocteqieg|hqcqiqief|imomsqiil)|gipteutean|jfwmyffdqm|c(vorikfejb|nutngtfbi)|tujdxoiygn|xnodwritox|n(uoiwxdqkm|alxilveju)|qagsoeoako|wiiyxkdmat|znlsarrhqd)|d(mdmhepmvfn|s(uqeocwcgy|lybyivccc)|b(l(yrptjvvj|mikzzlid)|junvdorik|yiqlkaots)|rdkgzrwvei|laolryzvep|v(kyoywyepa|lxtiiwgxv)|h(wlmwrgbgv|fqbajrnmc|kelqqmrcj)|g(orvnjehtb|hcptdrxnl)|o(cqnzezbou|viewmnnaw)|kwjynlirgi|pbysumzaie|e(gtuhptmmh|mipmeazma)|xheffzhpjz|wdjcuxvhuk|qtsbwkddxt)|h(psqicrocky|qjciowrlta|z(uslalolpl|eklkxdvsi|mcexwceai)|sfniahkhnw|e(qiyqmwrjg|owngghwwh)|i(xrayhxggk|azcnlamjs|iqlmxmpmb)|jzijtxgoqs|g(kxpedlvpv|eoayhixpc|wxjytpdsa)|k(cswpxcput|nlrbumfqy)|w(xtzervcfq|lpnotfnut)|x(ggpdjxtnh|dhhxwcgxv)|ydzglebzlq|luriudgpxc|uondyfbrjd|adheosolwh|hfzarnxldm|oqgmezbswi)|w(m(kyygqpxkf|rgfsvntrt)|s(nytjffoka|gjmzteikx)|w(vhhrfwtmg|rnlnkaqpp)|hxrhtncgcn|z(sdgfkqldp|vgdkbrals)|u(bhvylgknt|cipyqcbiw|vsyxdljwx)|lizwifxtmv|y(amwxkjkti|xpmshprfy)|jpvpuxxaur|ovpviticye|nmmqedoaip|bpuiwiyqdl)|i(q(kwagllhkx|meoiopqnf|umrwnztns)|t(fpanwaxje|ijqfnycgb|pycfleiha|bbohcxqye)|o(hyqqxjeui|dhehpklmt)|gqlbdwxfms|f(saehrouhm|jgxmopqgn)|ihdmqnjqtg|a(simqriuii|meifnjkqx)|xydnwzoypf|y(rthhnklpd|yaguwfnfs)|l(x(ucrrobvc|ttnjrejy)|bdkndjmnf|qerlswwbo)|j(oencyafbt|jlghqdnfr)|pilkrxatfd|nosdsvppzg|rfixbwfkdp|enoukmwxnq|vxwcqtakce|casfgllsit|kqxqpcbytu|uykpydzwsd|wiuvxkrlnu)|u(uuzdimkher|jgxvslqrkm|vjkijvophy|cxnnzymepk|s(bjopifodm|xacdhvfeb)|avdrxponer|faobnwhhma|k(dgwxqtnpf|xpsetopsi|paopklvxw)|hgenvxjpkz|txxekabamh|p(gigprxada|tyxnhqapw)|r(tmntzqyfa|glxzrlrfn)|ijrkqevtxh|getwyuyrhy|q(pjvwsbmwx|ybqaqjdas)|mmkaordvdd|oiipcsozsd|ngzviltird)|g(s(fvodlkdys|xllbxsgko)|n(kluimdxxr|jcvwtfwdz|yptgtpreo)|zodkljyadc|vblrqguukv|dxrerezykz|c(paoqrgwzm|jjbbeoskg)|leccseuyxm|j(qtnmvwqdf|begguwxjy)|yyrjzuwinb|mkazvkebdc|p(ibxvnaena|aiuvwmvoi)|b(usahbvnqp|qthocfpsg|izlleefrx|vhaliffzz)|r(oprlhvbug|mjmaqoqtl)|q(rkeumxdbi|bidlggbmo)|u(izctkefky|zvpxjztec)|tnbvwxdxvi)|s(hpkkzcccdc|e(acawjwrnh|kqlhdcqnh|y(yxhpjqge|dyurxviy)|gfdvmyaua)|ikosfgnwiy|kxzvkmpwdj|yjxgyfkxtz|suemadhuuf|npzopbjuhc|j(rovquzhyn|ulfjgxfjn)|l(dymnzhtkz|txrybosxg)|r(xvcibdvvy|nvtljssyj|wepeuiqvj)|diqlvivpic|f(llkfwpcod|fzwuxltpk)|vymlixfnso|zaorftffeo|uesywytrkn)|x(ocnphnzlnz|tw(tercfwzd|hcopsfzm)|w(vjvldamkx|rxgwvdziq)|i(qwmyrpspv|kpnzduwse)|aeyqzxbdnt|hhgkpikdre|easjoagnak|c(iakoaaqae|fcaxicvmv|hlgkehbhn)|yoiuqqtiuc|s(wnkjcbxeu|ouakknyxq|vgwdgvyzk)|grsqzzranr|uznujlsqpr|p(rtwonexim|uxbfskdml)|lfjsnkjpsl|fgjrzyrvuc)|r(r(ijikwwwbv|czshiqtgs)|llmygmvqse|z(ppbwcuqom|mmnluqttq)|igiztadikr|hx(xxbibbyp|oqjfxlzw)|vcmcktgcug|qdodcyahxi|u(fehcvltms|rpuxdnqdl)|s(uwwqeavwk|yfazzbbnm)|m(jdpkwptlz|xhtnvrwjz)|d(jmmjskyci|eyrglqgio)|x(ifgryhmvw|afnkmglch)|twnujhoxus|blsgalbetq|ejzshzowcg|gqpaiidpzi)|a(s(vuxgeswgn|izuewjmng)|q(einsunnfx|descdzedu)|bprmxjwsvz|j(lagleqiub|vvqbkmwgp|fcvqpejhp)|fbgkkiuhsn|iojnsoqyfb|g(agonslvlc|nawseajbf|hkgnpqfiv)|exetaiqokq|x(hyfawljxj|diraqmojh)|wgmeisqzwb|vj(tightala|jcdonzqf)|cfenyvncgr|uojilgmbom|zdeqvgbjci|dfqosoejub)|j(u(uwximkpjo|fkvnvrwak|gyeewkxdt)|tcwtgktgnq|q(yzvhjeuku|rdqnsrlxv)|jwwfljwmkz|pvcsunignq|wpezxyweij|bajuvsdpyn|yhqbhahnlo|k(pfpkjxspe|ouleksbam)|v(stydgucwc|zdgyygltp)|iaxqiaqqpj|ertmftjwsa|chqztyqnol|lscwyqzvob|suysgewrsn|xfmlmocanh)|m(akeqsdkcfa|iqowpqbzzz|xmixojsfmp|o(mkvzbskyw|ewthsafnm)|t(cpqgciwqd|njupefroj)|mavlxwgviq|g(rwcmuccos|bfexsezhd)|ebtxrdcxox|qnxmtijwwd|lvhcqclkll|uyjycoqusg|diuzdgxclt)|n(i(nybrvapwg|pldtxvdyc)|totnlcwdka|urvxpjzpkr|o(kmowvrirn|srsvrpbhb)|q(wdpippkqg|v(xctixgas|llfjtwng)|nvapbhuea)|rrgfiwioum|kbwbgqcsmx|n(qpwbjphbf|jnwrvmaur)|cqumifwdhh|jlfrspcjus|y(nyucubzvv|qtgiutrrl)|x(qyvjmnhbq|leyuthfak)|luxdafovjv|fqrwqanfxc|bvlaclrfit)|f(m(yedwvzbkq|flzdgoevh|ttpzwwnui|ktjwfwjbi)|wjbdjkkzyh|onxhcmqnup|e(fshrvghtk|ulxzvbkpx)|svoigzatat|j(rydedhlzu|fdymmeelh|gzmcafrwq|zrnswlnxr)|rzdzjhmrxk|krptyyvhec|d(qkldnlasc|mgeovqqna|fkbmwcbvs)|gfjpzjpwvp|f(xwvfzqnlw|yqstqcvne)|igjtyfvisj)|v(f(qgsrynoft|bqelkgevd)|njkylayhgp|bqidzxlglv|i(veujhvrct|iutanuxay)|c(iiudcaryt|haibtoydq)|z(tqxjslqim|jxxhrbpyv)|k(cyqymcamn|lridijptt)|s(nsqlguafs|bkaaulral)|x(cltbvdtvb|nrzarxjxz)|apvlatrzxp|ovtrjccrsl|yuzdipqxtm)|b(esequhdfeg|lrqzwqdcgh|m(dqniebkxc|genpbfyvo|ayvsqpiih)|criapbknlf|u(rtzwvpvxz|dbgspopgg)|y(kuwkoodsq|zgahlxfyy)|scqfcdfqrj|zoshunxdio|qybkqvmqbl|w(exhjsqocl|itoexphyq)|h(efjdysxam|jixgydfak)|dgecrddzdi|nickfxofbc|a(obkqzepio|hinsjlhvc))|c(eosapynhsy|k(hjjtqrmmy|evadhggex)|s(fjrfzaxfm|ehgtiqfcx)|v(gnhfhgoyk|agtuzeveg)|om(qjvjofwz|xaizbbml)|uovvshjtfv|bzdzqwgpdk|g(tvveplerj|lwowopfcf|onwqsyfdj)|iqclhhjwdv|c(tgmmrfrfy|amuuizift)|n(gqfudkvnv|cbflburri|mzezvqfcr|rlinzcpsh|hxltgtswa)|x(ivrrrmazw|wyvmpzcgg)|fjnynvdopj|qynqnmneed|pcyagvfxgq|lqbvaranqs|zbnjiwgwti|arbchtnjna|wwpfcmxrvp)|p(r(raayqshxl|hdvgnusho)|i(tdqohzreo|eeoqsslxi|mqvsyxbgf)|gduhxnguin|avoirokntw|wjvonodnys|nvybgaerga|f(ntajhsyim|ojkgwoftw)|skpgnvzpdz|tomhtyeoyr|zkilodwkmj))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633137; rev:2;)
# sid 2633138 includes 854 (601 - 1200) 11 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.net)"; content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: "/(z(c(vorikfejb|nutngtfbi|omeaxpnzj|hdjnmfqzi|jrgksyrry)|t(ujdxoiygn|lmxtdznro)|xnodwritox|n(uoiwxdqkm|alxilveju|nkgainurb)|qagsoeoako|w(iiyxkdmat|hrhymvljd|fzozzhdxx|acczncmkx)|z(nlsarrhqd|dsxommtrs)|k(xizbqkook|zfeojkutu|taafvhvsg)|snmgwftelb|y(nniecgagk|kspsmdkpy)|ovswzugtsz|f(fsieyimkn|quytbofhs|xuiazxzcr)|p(gnbrtwlxh|qcdldqarz|eajpzlqvc|dpqbfcmxc)|g(kvfxwryiy|nogekdfyq)|jgodlahkxe|hicrgpmvqj|enqiispkip|l(brfnnnehu|tbolqtnfr)|apfvnoxkez)|a(cfenyvncgr|j(vvqbkmwgp|fcvqpejhp)|xdiraqmojh|qdescdzedu|s(izuewjmng|grotkdnyi)|u(ojilgmbom|uhzkyorpt)|g(hkgnpqfiv|bbprbstfh|zkazytwcy)|zdeqvgbjci|v(jjcdonzqf|nypsowexd)|d(fqosoejub|cznnmeeno)|i(qfonhalph|bhevfxtbq|uxuycdpjl|nenwaptmd)|ojxivvjggk|f(iqphqxzlu|qdczpnruc)|a(yzccspkhr|qcxvmpasm|gwljznnde)|y(wobkoqyrm|cconixroi)|t(jfimrsvxy|pzrpehfvm|dyyyndkqf)|lcfkuaidpl)|n(ipldtxvdyc|q(v(xctixgas|llfjtwng)|nvapbhuea|hnthklobr)|fqrwqanfxc|b(vlaclrfit|gqwzyzdhj|kkapcgvmr)|y(qtgiutrrl|cwfocqjze)|xleyuthfak|a(efajswurq|usjofvikb)|jwficivrmm|w(bqeehpxfo|luojrogdd)|s(oppiheuxl|pzwvkhmyr|xfpafstas|cnrjkttaa)|lhwbpinufu|gcxabgqpyh|peqzkwoeiu|mqjdbsyfmg|hezoolyoyt)|q(g(ugypvjqrb|qgugigmnb|ezrzhmejo)|k(pivcskubu|wtuqsvosx|vcqizqdte|ofctmqbxu)|fhevfrqxdy|mfzasvfcfs|s(zhptatkiv|ingwkqvwv)|yebtoqbjfk|rhcaijmvnb|h(mafrdyipr|ajizrocyl|ytbvwpfjv)|necrwnothd|ajkusfhvos|lb(rbivzdaw|gxjqgwlv)|tznkfhtubt|dgeiczydgw|zuyspafgmg|udnseinary|ezcylybpes|wguukurgik|qoufprygaq|jydgtfvajx)|t(f(eqsukdani|fgwxzcbam)|bcinilugiw|v(oknhndwmr|amhrcouka)|a(tzkrviclj|xfyburgqm|lnytyderb)|d(msxoucvhm|coxjmjhbs)|u(pmpfpbeyj|npxrzrdyc|jhjycqqsj)|g(nnmyjrkup|boedaobyl|ujjyrrsyq)|svysiwgehz|ruweuzsktk|y(wrpjciezt|pzjnbuhnm|gjitnkyuf)|iqgxsvbvjg|zozsqittxh|nnsrbxnejy|ehzdiyumeh|c(sbiprlpzp|zegktysqf)|l(tpwcrfstq|xtbvztxxx)|qaphwcuyew|o(tsxwbbypa|lvfkxeqhk))|f(g(fjpzjpwvp|tjzhdeyou)|e(ulxzvbkpx|mzfuujpcm)|f(xwvfzqnlw|yqstqcvne|czwldpjir)|j(gzmcafrwq|zrnswlnxr)|m(flzdgoevh|ttpzwwnui|ktjwfwjbi|mqnvyhzwd)|d(mgeovqqna|fkbmwcbvs)|i(gjtyfvisj|ylmdrvtte|beeabmxvf)|h(fmsgixznq|gmptlreqh|qgpfgscsw)|n(cmdotzohn|mlhwdfhmo)|v(bjkxrygpm|vqndbyohk)|r(ddnctssny|ngtcvggbw|rgxomslns)|p(bykstzvnt|imcufxuod)|lnwnyywbyo|wueluzhmme)|y(w(jztmbihja|noxwwqvxg|eoprdpmcn|vbfhhwvzs)|j(stpawuwvg|lbgqlspej|iojgijhdr)|n(wfbhkherh|ilsgsxkhx|elcwjwovp)|e(nmrzthycr|evkmesyeq|rtjcadjhf)|v(cmgqqkafv|xuupampph)|k(cmzsjvxka|ehimhvbuw)|m(i(gtfltnyg|ygqifede)|xbkzraoie)|x(zohfeustg|kphboglhd|b(rfwzfhbs|hhujkshh))|ldlikekdzz|azvxecpgtx|d(bkmtvfvqg|hypgcrbky)|q(xyqlnszaz|ucmxmblgi)|fohyqwgbxa|zdynjpgnvi|sjvboeqyqg|rthnvyrmdt|ogmmzdudei|hqexjtjjhu|i(lxgkzkgkq|wcpnpsben)|p(dgagwamyu|ulbsuougq))|o(d(w(wsnvsusu|lzsdyayb)|syuadelgz)|y(ztucsidxb|lmzhdpfxu|xnjnxyssa)|xcpamejcyi|q(rhxreiuvj|diaqxblqm|xxozhfpqq|kuotnicdf)|g(bttrrzfqr|dgqtouvzd)|b(vztrxzrdu|lystkuckq|waxgazlmt)|f(ipndhcrnt|lyksijvzp)|kzlwgkphts|a(gwkgwrhtk|foyobkyfu|sstahgtab|cqswipfob|yoxsaxqrp)|h(olwrxmhtd|buqevllgb)|o(sfctdsxsj|lviohdrmv)|moonwbdlwm|ckikxsomrz|swtgvfawlw|rvhckcfpxp|t(gzkxrmlkx|jdbxaqypg)|vdhdxmfcbf|wapfvrohdo|juhhlapqux|upfxctnlap|lzqkbddwsv)|r(t(wnujhoxus|gqlpeggws|zayeebjyx|ntfufcwag)|b(lsgalbetq|wmwnbgnbt|teobncwat|xppxkhtef)|x(a(fnkmglch|uhaexhby)|jxupezubz)|e(jzshzowcg|abdcokgxo)|z(mmnluqttq|uhjudoiee)|g(qpaiidpzi|kearvopur|oxhnnznyz)|mxhtnvrwjz|hxoqjfxlzw|u(rpuxdnqdl|qokftfajk)|rqgpxrnnkp|j(iwijcgabh|bxlqiaoor)|vzgcdtlrym|sibzzfetvo|q(vrqierdft|icoqcmpob)|oonnisnfvx)|x(s(wnkjcbxeu|ouakknyxq|vgwdgvyzk)|g(rsqzzranr|mgnvgkkrj)|uznujlsqpr|p(rtwonexim|uxbfskdml|lqnxvdchx)|lfjsnkjpsl|fgjrzyrvuc|c(hlgkehbhn|xszjuxxtz)|t(whcopsfzm|kpjiczitx)|y(kcutxnliy|mqexqeras)|oqzkgzlwyk|b(vuigiznrc|rkaafhvgm)|xxmnbvwpkl|nwtamnbfjq|zowtdlbjwz|vrjcxylvnv|ebdmxtqixq|qjghkeziro|akxetmotit)|l(e(fghoytskl|rboapchjf)|bjatjxuooc|ujpnrgupdi|xyjqrcovef|soktsmepac|m(ufcnbkdnf|lvwmaoyek)|t(doqhmwzqj|awctpzslx)|lxnldsubdf|ayxzdlrsmk|i(symrvpvno|tjjbuoazy)|phikpdxkos|yrlqhgpayj|qevpeeqoff|v(bvisemvcc|hrdyeyldy)|o(yzloynwrh|tifazrehu)|nqcqaxeiwk|rrkcmirgqz|zmpgvyoerl)|s(e(gfdvmyaua|ydyurxviy|tjuucxqmt|uwpqdzamk|xleluipbl)|v(ymlixfnso|fmkpjxtls)|r(nvtljssyj|wepeuiqvj)|j(ulfjgxfjn|isjuwlcpv)|zaorftffeo|u(esywytrkn|okpanfbhm)|h(vzvsbznih|okktethps|nzpuvylme)|k(cyjnhyepe|ilxwvitvx)|f(ottikmblk|bxogcfhvs)|pegqogsyyb|npsfbgzdef|basdyycals|aaeofkzzgd|odzifzftto|cvxdsqznke|lbgkarnetg)|h(knlrbumfqy|y(dzglebzlq|ptbwitjue)|z(eklkxdvsi|mcexwceai|imebgjkbh)|l(uriudgpxc|htknyppct|iidboagnd)|u(ondyfbrjd|jjefrcwco)|a(dheosolwh|wcmbbzuay)|h(fzarnxldm|vjupnehyw)|x(dhhxwcgxv|indhjkjee)|oqgmezbswi|g(wxjytpdsa|etcufirqd)|i(azcnlamjs|i(qlmxmpmb|idgepwna)|tkevgfpqq|grdpvnwsv)|e(owngghwwh|cfprpygan|qqhykjwxb|dllkkqhpi)|vrcufszowu|wssvyjbtui|r(zikwqxbgd|vrhrjjfle|mnocvdgse)|dgqdeufzcp|p(hrbvdtuot|zehnuvyww)|fkkwmczvxb|jcapbdurjp)|d(b(lmikzzlid|irenegjbm)|v(lxtiiwgxv|tuiszbigt)|hkelqqmrcj|e(gtuhptmmh|mipmeazma|wmqeawkyt)|x(heffzhpjz|vdtgfmmrp)|w(djcuxvhuk|agrdgjqss)|slybyivccc|qt(sbwkddxt|qgahqpxh)|oviewmnnaw|g(hcptdrxnl|fzldozjif|yabrfzpuz|uqhofgprz|mwqcgdljw)|f(icipdgjxw|xshuqlggo|hqfkkbqsm|twrhpbhpc)|u(n(lstqwckf|bjhfipht)|yhwirvegz|dlxjqkasf)|p(zbtccgswk|mvyahcqoo|pyxoueouj)|znaatkjjos|ychyshmfig|mt(otryftkb|mxupfeur)|k(qqqpsofyx|cisuomrqh)|abymeytcoz|l(nezdkgyjf|zvudsyekm)|r(yhuvccwja|tpsgymnfq)|c(uhnhhxkgr|msyiledbo)|jhxaaeguai|dxeyfvvwwy|iyxgaikolj)|i(r(fixbwfkdp|dwadjtkiw|seoaounhh)|t(ijqfnycgb|pycfleiha|bbohcxqye|hbxuynrhf)|e(noukmwxnq|wchtunpmw)|v(xwcqtakce|lvctamxfm|srzwjtvkp)|q(umrwnztns|ywnianxez|ipxcxjolp)|c(asfgllsit|ieqavuufj|pwwhxedvz)|y(yaguwfnfs|jogeuwxwc)|k(qxqpcbytu|kuhgejyjq|ygjpjlriy)|j(jlghqdnfr|irftwlyel)|l(b(dkndjmnf|yrluwlci)|qerlswwbo|x(ttnjrejy|dhiyphqw)|rpngcmysh)|u(ykpydzwsd|abxcnifae|ufgutyecc|voctkefio|nyjiqpjck|sakzcfaov)|w(iuvxkrlnu|yyrgtulge)|obobfvloeu|pnnbqdvovw|mv(scfpaqmi|utjnylrm)|a(gfrwlnwqq|bwbeaulof)|bnsfhpcluh|zzqzkzxzbv|x(zcyqwhjjs|owujdkbgp)|soopqrtoeo|iiyrokyfnv|fxxafllrsq|n(fogrxrzpe|dlyzjxqiw))|u(p(gigprxada|tyxnhqapw)|r(tmntzqyfa|glxzrlrfn|icrdfwtaz)|k(xpsetopsi|paopklvxw)|i(jrkqevtxh|bgdzendky)|getwyuyrhy|q(pjvwsbmwx|ybqaqjdas|solkyevpr)|m(m(kaordvdd|aqtxdpvs)|dtqheaxpu)|o(iipcsozsd|vokjvnyom)|n(gzviltird|swajvwhbk)|a(pssqufvge|hjuqimlqo)|zadyprgzye|v(ysfndrzmm|vcrgliemn)|hfttbpqvee|fgdxgdcprn|wdmwqmtfjb|jtrulnrgxa|lymybnsymw)|w(yxpmshprfy|j(pvpuxxaur|oxefizqfb|ujqikaeln)|s(gjmzteikx|evzpcfywe)|o(vpviticye|nxrilslif|wiwmcsych|srockrpzj)|nmmqedoaip|bpuiwiyqdl|g(pmbazzeyk|ynxyvdmvs)|vfobdwhveb|u(dposqmwpl|eksnpajsr)|i(htvuabchw|vsopixqkv|dthqxgwfd)|x(kxwajermu|cosrtgkrr)|twoggwgnth|fkkbtigtor|w(ouhqhnjva|eopojmgnf)|rjkokhexsn|eusmtyrqtu|dxmhygdiks)|e(u(aflifduyc|ngcnhvxup)|b(bxklvyxtp|jbxoaflzc)|lkokzubklj|v(ivqukdrpv|jvgmzmpuf|tisjaybiy)|d(qckdpsbtr|xqbdnyimv|lkmxztdui)|h(fwtfyzmht|lsnjbyuho)|j(aagfthwin|vcivxtwgf|yflyjohjm)|q(fbzmmrajq|kyxrczbme)|seefzlteut|cnuutvyicm|av(yexugxdw|dxdshoqi)|e(dxcamekyw|kqkglbefb)|zxqjzfbaie|kkavpsesec|mxpwcrcoek|ngdwrsbsyo|r(boymlxlcw|janqsuwri)|wxaysueibz|orwjkerbkf)|m(g(bfexsezhd|jxxncjvmt|xhzylhlrv)|ebtxrdcxox|q(nxmtijwwd|wrwnisxaq)|l(vhcqclkll|iicvlrfhk)|uyjycoqusg|d(iuzdgxclt|evhqwlrpj|pvhwmrhvf)|t(njupefroj|wesddshie|vzmjiqfjz)|yihalacgxr|r(pwsrceckb|ttnbezlvx)|fhxecuyyko|vqxfwzpjyv|m(gkinjgytn|itptfsyrc)|ntymxqhstb|zwcbjmcwvn|x(ntxbkqvcf|iilcvpyvp|vtgoejqxh)|ptlthzwzzn|iueulwbjgd|crhfgtanfr|wzmazfnefq)|k(a(krxsukmqc|sgktwfiuj|oedwfnrku)|r(amelfbjlw|kxsfnewph|fcubhdyqp)|deymcfxqyn|gmcgjuxiso|yhqzkfmbyf|f(voetexjzx|sjtlrxheh)|c(emydxlcga|lnnwvmrce)|onydcvroak|v(nubtkbbfv|pwkcfpqvo)|nslgnzqfen|i(fiossaacu|xjcwswytc)|hflevyafrs|lfoykeqsub|kfjjezwnvp|zcovjoobnl|enbzsvzoou)|v(chaibtoydq|o(vtrjccrsl|ywawwmknd|qtqzdtuub|sxbaoploi)|yuzdipqxtm|s(bkaaulral|shkhbzizk)|klridijptt|zjxxhrbpyv|unmterotnw|n(cywgkffer|kzselnjhg)|b(mueedkdfo|yckrdfpfw)|agkmltlwlo|m(feujxpmsb|wwiofmzhh|hwnvgcbmb)|x(zdutoneiq|wjaebyspo)|i(cavmmchgy|byewhrkna|nuuthtlpj)|tqnckzanew|gibqejctge|ptspjxoesc|dfzsdpqbrj|woqdqlyzhl|rbxrexljym)|g(q(rkeumxdbi|bidlggbmo)|u(izctkefky|zvpxjztec|sjghvxxcj|notqwmzoj)|n(yptgtpreo|lrsncqneu)|tnbvwxdxvi|sxllbxsgko|b(qthocfpsg|izlleefrx|vhaliffzz|jswbxcmxn|riwkbvfgz|fbbxbnylo)|jbegguwxjy|rmjmaqoqtl|fjoposxves|g(rbiyxavhd|qikrqgvxf)|ehzmwrjoul|pyorbambyg|ififftjsiy|cnpvifsvsb|owudvqhosk|z(nibsnahob|yrxrlqqeo|fyqurybff)|vhaxaeyuag|kczgdwmetv|alsfgnkmbu|mqwohjofda|yzfososjbn)|c(gonwqsyfdj|l(qbvaranqs|fgrffxrya|kwmlqbyxn)|vagtuzeveg|n(mzezvqfcr|rlinzcpsh|hxltgtswa|uzxotsjwg)|z(b(njiwgwti|ekjcqrvq)|pdhgdwait|oaforrvdn)|c(amuuizift|oddrtacvl|flcadbgxv)|arbchtnjna|wwpfcmxrvp|x(wyvmpzcgg|kqunotpfp)|syienither|edskprwtya|hylbefeyvx|f(rkllpgami|yvmsufujr)|m(jehdgxqom|gakdwmoqb)|iczktkwatl|ttqcdkoqpf|bhmczyigqr|qcxwefiqqf|ythipfwlzb|omthmcfgzn)|p(avoirokntw|wjvonodnys|nvybgaerga|f(n(tajhsyim|gvjdvswm)|ojkgwoftw)|skpgnvzpdz|tomhtyeoyr|rhdvgnusho|zk(ilodwkmj|cazneutq)|igdhbmhtdm|hyqasaxvcl|qqeegupavd|dlebcyylie|o(izlanoita|venritysy)|e(swsmfcioj|tnudmeldp|ymsnxzqoo)|yorstrjzrm|lkerqyomyw|bpbhtytxnm|ussjizwnts|mrwgesuxqs|gjdytwcxrr)|b(m(ayvsqpiih|btxkqannu)|nickfxofbc|a(obkqzepio|hinsjlhvc|yfftmgtkx)|witoexphyq|zuuwflvyqb|g(wzaabsfzi|plltmjorq)|f(oaxvghzjz|wcokzanbr)|exmjztpnda|pviejamkby|o(dlktcnxjp|jffrheqhh|hfxgcubzq)|reozmzlisr|qjwdhnzmvs|szeizdcvco|iz(pjqwkfzp|erygnpjc)|cnqrymeuch|j(bsnwhjace|tyinfmdvj)|b(qcerkgwzt|potlrmwvm|crdftzbrz)|kynfsfjekf|vxycrwxasc)|j(c(hqztyqnol|cwlxvqtjv|krhlsywwo|rmomnaknm)|l(scwyqzvob|cbyngyigo)|q(rdqnsrlxv|absqmfbmw|fujkvhxpt)|s(uysgewrsn|eossvmtli)|x(fmlmocanh|yoivjpkok|eyftueccf)|ohlwbmwfcu|a(mfkuancdq|qcdqbinkq)|h(hkpfhsbtk|ypvguakrl)|tlanvjlnvw|gqoatkftjn|kvzsiourfp|p(soomcfxil|oazbdbxqn)|v(jihxxuoir|hcipegudp)|ndgddiooeq|i(bnkjxlzmm|qdkflziyd)|f(zforzkfeb|uvndykyfb)|ucawquyqyn|dgsgjtgftp|b(rmcyfnwsk|sjzhowqxd)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633138; rev:2;)
# sid 2633139 includes 254 (1201 - 1455) 11 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.net)"; content:"|0b|";content:"|03|net|00|";nocase;within: 14;pcre: "/(l(fcaxwpgvfx|wzapfavbhb|yydghyqvid|c(uyncjvyse|imlgepvxt|agbnrwfbu)|dbtdbmaivw|m(tzieqorjn|arfhavhdf)|btomuaauzx|tulhcfedif|xzslpkhzpq)|v(jpejpftzlf|mspumrxkip|rajyprqbky|wqwcfjsenu|syfspamumf|qotwoktgfz|abdifsfzox|ixoqdeeajj|ksosocpkaq|elxgmvhkzr|nxrjdaeunv)|x(mphimfexan|v(lwypscxmo|cuodkrzgw)|speeqlrcvj|dmdcacnido|nxpepwfwxu|tqelxqbjck|lyfiwzmdsn|bhuhjaqivo|izwiucnlfs|kzuxhpkbyc|zlqxkohael|xfdgeygvhf|jlmvnkklld)|j(kksaiurzct|u(gepsdjwji|ilfvdvmkx)|lzbmgbvnsp|qbwpkhugob|ndyktfwjef|bzugczdely|xoaaxgftob|tunffmodsr|zmqzxwncdz)|e(ohlchnfoha|hmzqryfqec|wnoxoqvkui|ehwsauiydv|tscwwrrpiw|jfzvmsqoqb|molykussqu|cgmjuhusbj)|a(u(xxxxkqtwz|fbvpnzfxd)|z(gzekdumqp|ilyhfvrgx)|rniztfxjun|nypjlinjmp|vrqdtmmrkb|dcahtpxfhr|qmrkzlmzfl|pffkoypgsu|kyywzpetut|juvyanbowf)|p(j(piaapqzda|cahwjfflu)|vzrqzdhpop|p(zrmlrzeow|qguqccmkl)|g(dyezakezk|tdifsqzmn)|m(rbedtzkhz|viubxyvrk)|trnxdttdpv|uafmsznkmp|lofvnejpcy)|z(b(swnmqxgld|mhwrrbjqi)|s(yckrpczll|koljqkbqd)|yotkfbrybu|vitmxjcjvb|ulumviasmi|gxviwvfybs|nfznuccwsd|krpcxlouzu|qfyalulepx|lunlxbgtcu)|o(k(ciylwptns|hgdukvjhl|kgesvzdfi)|i(huxqpcuuq|untmebpgt)|z(thfzmhtzq|zueejhugm)|r(gscwoxhud|hbzdpqbvx)|enjcmnrzce|lvatexhrwg|aaonamdrmb|dekpedlyly|mpzuftcxez|csewghjnna)|f(wshmhknkuy|jvdmuasoch|bnrjnblpia|tcdpqappua|fklzjvpyva)|y(kbfccxixxs|fjmjwehqjt|zbfbrtbiko|ekwrqgryos|xhivnbejwg)|t(tnszuqfvdt|riawjmgahu|u(retqjxsbf|zjorsdkhr)|cmtxyktjzn|kkyeiemkax|lzyearjgiv|wmjqnzpxgj|nncseafyza|fpprgozkku)|r(bbowenbldu|z(nzawihfjq|aomtckdoj)|cznywtkdnm|kcuwaokerc|orqapfqiya|u(pjxtlstyy|lvilejhws)|dvchosuxvj|taudqpbarr)|u(f(elauhgvey|lkoyvwemb)|e(rpsmgccrl|tplwwcdmy)|rhkfskkbge|bheeolsvut|p(pshgwbfij|naxxblamt)|aldtuznxuu|shwpdfpqjh)|i(zquyhveipi|sgfrlexwsh|b(oqlstqjvf|zuqtjvjyu)|ylpjbkufjx|qtyygcqqsf)|n(dlfhttywcu|ipmhtgzipw|jdnopcokhq|tnulwvmbib|pqhzopiedc|u(ituzqohhy|osntynerx)|bkyfifpmyt)|s(p(dlcxicqfj|ueqbjpxxu)|ipfgtywqru|zjupgkcevq|acskkydkmq|revsauwfxp|dqicnufota)|c(arckbibpha|vdhgpighxr|hsnasvrocr|yhxzxguaib|qmghbueyiq|izxjxtdzsv)|g(ncwrazwivi|m(iiuomeuqw|qpbsyhvei)|haqpnzvhaq|djddlsxrnk|k(fpvgmdcdh|wzewagzxa)|uzgtpcfupm|eqmojkkcnc|yltgubqlte|jv(heuxepmo|wrdaledq)|recydbgjak|brgdrwjhza)|d(vjtucxsppn|debvxqyxav|yqycgcjysl|njekhgfltu|z(tmbmbozwy|mtpszywir)|qhowrhfilw|gilnbtvwic|tsktgqecst|mqvgfmswmm|hkperuftsu)|k(thzesovbsw|vnrozqgovi|x(hmnchwzxd|kgwbpboku)|emcxwjxnso|azokciwyaq|hrcedeqpxp|kieatsxnjr|upehogphoh|pndrvktrtu)|h(y(kmgmryfek|ywpswugir)|dgblieiumf|qhamuipuod|f(lorijimdq|puityamla)|aynwkkfocu|uewtkwerdr|krjxynmpob|tycejmyurq|iopquujglu|bzkmmjkhed|ccmukjyonr|xyabdenyyu)|q(skiecvvltp|awjdwnpgjc|xjnhjjwmsw|dxzfxtgelj|jcroafxepk|w(ankitnivc|vgukbczps)|pmknfbhmkq|uokgckeyzn)|m(f(zxmdimdwf|tyfkkcfjh)|nfivahkbbx|vkzrqjquht|assthsjjhk|sgoggjjdlq|kowevlryvr|rantfhsbcg)|b(wshycbakvv|q(vttlloepo|gkzxbljbu)|d(qsibnyxud|tofukmdew)|btecmuwhhv|kwaghlksyc|xgixssgwcp|ygfhdfhiei)|w(ueqlaxurkf|csrljucdgi|anvhgxepdg|gbnmxkzozh|djmofjukwp|yuiojhxbwb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633139; rev:2;)
# sid 2633140 includes 7 (0 - 7) 12 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.net)"; content:"|0c|";content:"|03|net|00|";nocase;within: 15;pcre: "/(c(cwkeezcsvft|nenbmddnbky)|bizahxpaqtgc|info(epdyvvuv|mbraitqo|rznkrabb)|nethfnmvummi)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633140; rev:2;)
# sid 2633141 includes 3 (0 - 3) 13 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.net)"; content:"|0d|";content:"|03|net|00|";nocase;within: 16;pcre: "/(ccvbvwrtofpxf|netdqnothvocj|bizvmbugzxxdf)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633141; rev:2;)
# sid 2633142 includes 3 (0 - 3) 14 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.net)"; content:"|0e|";content:"|03|net|00|";nocase;within: 17;pcre: "/(infowwguopdqfc|orgylrkmkjntnt|comiiffdubnlvd)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633142; rev:2;)
# sid 2633143 includes 600 (0 - 600) 5 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: "/(m(a(aup|rkz|flr)|cjda|s(apb|ojm|jtc|sxz|ipi)|vdni|g(qnf|pvk)|oips|dqdb|pryj|e(poe|key)|k(jbi|koi)|zhwp|lbzv|w(odv|pfr)|n(guy|nxw)|x(yje|dtc)|ykdk|jlnz|qcxc)|x(c(usd|pwq|rdj)|e(zpg|vgs)|agmx|vuvw|j(ehp|prz)|u(iyz|ynh|ekr)|p(zhk|qjn)|kotg|ggui|wkmg|yudt)|p(f(xhr|ocn)|plfq|adge|u(qap|rsn)|h(qtd|hey)|b(xmu|ude)|jomg|lrnc|z(nib|rlv)|oztq|w(biz|xij|uxn|w(jk|qv))|qdcn|n(dwc|peu)|xqqw|tmhy|m(jnv|hnz)|cpra|dhcd|shjp)|u(ypye|sxng|t(vgs|ibx|ukf)|o(lww|csq)|xrjk|c(gcc|zzo)|gbcc|pxkv|r(rij|kgw)|bbyx|vmfy|fwli|kqcr|mluy|nbvm|q(zri|mkx)|imab)|f(r(yuy|wif)|e(mva|iiu)|pxhx|vayv|x(peq|zuv|jzt)|j(dip|svx)|fccq|h(igu|glq)|dvva|y(jcb|wxy)|whxz|q(uni|ksm)|z(csq|fxe)|gddf|mbzq)|j(s(whz|jve|kal|iwx)|h(xvo|ymf)|aiul|i(cbb|drd)|o(ubz|ggv)|yypl|c(zsx|bpd)|tjwf|fkpm|b(ozr|pqd)|zuqf|x(luv|cqo)|qniu|k(pgt|yho)|r(daj|hyq|szj)|e(vfj|kdv)|w(phw|tir)|ucxc|grzj)|h(mpiu|j(hlt|cnf|gqn|iva)|k(itc|yxv|dwm)|svce|vlzx|teew|p(zul|vzb)|ybzp|ddon|bdvg|erws|inlo|uwfd|chnh|fcip)|v(v(h(vy|pv)|iiv)|wpac|rgaw|g(lvb|zma)|fgxg|dvkb|nuvc|e(ddz|qvp)|hbku|m(woo|lst)|penv|ynvy|t(wry|afv)|iill|xbsn|lgdi|ktit)|s(vqtr|fhfm|rcaq|ecva|hpwf|yhnv|burn|tlgx|akoe|u(tis|wdo)|lmdz|mseq|qbqn|wyhg|pnoc)|z(s(pjk|wpg)|z(xzz|btu)|a(llf|pto)|ofcu|eotq|pdpf|uqlb|fbjv|bfnn|dnoo|vkba|cfia|lymx)|n(qudj|t(rwu|sbd|wzc)|p(ktj|vyr)|n(xoy|how|rex|ngc)|i(fwh|qrn|opw)|oqir|f(hsz|clx)|veyo|a(sze|glw|jrp|nxo)|ular|c(iel|nph|zep)|jaxn|gjbp|zhsj|xtoy|hozp|wahq)|r(m(qdo|yzx|hyh)|k(lzd|rgy)|d(yhy|okk)|ykxk|a(qcu|tph)|pzat|lhxv|xiib|jcbd|zgqo|rujp|cgsl|q(ugt|sel|tyj))|y(y(nvy|rqv|knd)|cnhu|phny|n(fen|qfb|xfz)|tscw|xwow|qkum|mwbp|rpjg|o(geb|ekg)|jtus|gdko|iqxz|leyz|frzc|a(iuu|agp))|i(v(lhp|qxh|aja)|wdmw|ggmx|qysb|mcfr|tqdg|cpsx|nvvs|kedz|lyjj|xxcv|frwo|r(gyd|kmz)|jikt)|l(usub|h(sqx|ell)|rxzz|x(amk|nml)|nfjl|dgul|elyp|lvcr|bafj|g(yzi|dlq)|s(qez|yxk)|a(rqo|tei)|w(qrp|uau)|fojk|vxll|katx|yxbe|ooze)|d(vduy|h(ygi|usz)|liep|mopb|bbcb|d(wto|fyo)|xnje|g(vjh|fhe)|o(gri|nsj|svt)|rjeu|thza|s(awa|ovn)|fkxl|clqf|ewqg|pacy)|o(w(fuo|cpk)|f(hkz|rfk|ywj)|u(gqp|pwb)|ziyu|pnhf|x(cxo|vdi)|bdqc|hmhy|gqug|rnbn|c(wcd|aft)|vriz|q(roo|naj|lfs)|dehn)|g(s(qlp|ozt|bbk)|i(knh|oke|dqs)|f(rmu|vsk)|asvc|m(goj|fvu)|ggyo|njdr|dzmx|jsbj|vnqm|zxjw|qjmn|kmey|hgmp|wask|ysdx)|w(u(fyr|koq)|b(ajb|xjs)|mffd|t(wlv|doi|vem)|l(dfh|gfe)|evua|pyok|wyrk|hmgh|fkcj|iwtq|jmlp|x(igv|upq)|kkyb|rllp|gxpm|nhrs)|t(v(rev|buh)|rzie|agbk|jdqb|c(eba|wxo)|n(gup|dfd|eyw|fum)|e(jph|ycv)|h(tad|spn)|u(axl|cgv)|y(foz|qzs)|ddrz|onct|qatg|mhiy|s(vua|mts))|k(o(eii|jdh)|w(xlp|kxi)|x(yfw|cnd|iay)|eitp|vrmy|k(irp|ouz)|r(bnz|epv|wqc|xjt)|pwus|g(vxz|mfs)|j(hak|uqg)|h(qpr|rbs)|sbyr|fciq|a(vat|xvc)|l(uzu|qye)|ufax)|b(k(xwt|unr)|j(ffw|khz)|n(fyv|jzz)|g(crk|qbn)|s(fia|aap)|ffgs|ltva|ywuc|mxft|t(kuw|img)|qdye|bdlf|aenc|uykc|z(gpg|exf)|rpwm|h(axe|rft)|pqea|ijia|vabf|dpbx|xqec)|c(psgg|x(kby|znh|xma)|kuqj|w(i(tj|aj)|wdo)|t(dfk|ogu)|oykl|hpxy|yhnk|firn|u(xxc|ihk)|e(wno|lrk)|nakm)|e(d(euq|oaj)|l(uwu|azf)|j(lxq|zan)|gsgi|cptu|hntu|knai|iyqa|ymcq|taxi|plcw|wfou|xwqm|uikl)|a(zbyj|x(xtk|nwu)|dihi|qxns|g(soe|omp)|k(khu|vbz)|y(jim|yvp)|hfgx|pazj|u(izr|mou)|mcbf|agvz|w(quo|iig)|smfj)|q(dhes|oqax|l(gsb|mdd|aqb|dia)|ctdk|kayi|h(adw|nqc)|p(mpi|jvo|vjm)|srri|xymv|tliv|u(rix|xdh)|fmil|ennp|w(tlf|nva)|yzsl))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633143; rev:2;)
# sid 2633144 includes 852 (601 - 1200) 5 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: "/(r(zgqo|m(yzx|hyh)|rujp|cgsl|q(ugt|sel|tyj|vpf)|bedn|t(qgn|bvu)|u(rjw|bxl)|nneh|v(uqf|oyv)|x(ylz|zjd|roz)|j(yiz|sip|qkz)|fzfo|oboy|wuxz|i(hqa|nhi)|gnjy|hcdb|enrw)|k(sbyr|f(ciq|lfj)|a(vat|xvc|gxm)|w(kxi|agg)|k(ouz|gtv)|juqg|r(xjt|gnq)|g(mfs|nwm)|l(uzu|qye|v(xk|ab))|u(fax|klv|wuf)|hrbs|mvry|ofvi|e(cxb|dvu)|pitp|n(xjt|pgp|ean)|x(ngq|kak|dcc)|zjqm|q(jgg|kza)|dvlq|i(xkz|uke))|l(f(ojk|b(ab|ho)|qxn)|g(dlq|son|xqp|eqg)|vxll|katx|y(xbe|bui)|a(tei|swm)|ooze|s(yxk|eqq|bjk)|e(tmr|mox)|clad|q(qjk|hto)|rvqf|h(ups|gwx)|d(lhz|jfl|iff)|u(vml|gvo)|jgdz|b(dkm|vwb|gnu|ixw)|ztnx|xmqr|isjx|wfae)|n(iopw|j(axn|lvc)|twzc|g(jbp|ppk)|zhsj|x(toy|zlv)|f(clx|eok|wxw|rnk)|h(ozp|gwx)|c(zep|irp|kzk)|w(ahq|hkq)|mgfh|o(y(ha|ax)|gso)|q(whi|tyy)|rlwg|evrf|b(djj|afa|upy)|khxt|atqp|lhdm|ssfy)|e(doaj|knai|i(yqa|nqr)|ymcq|taxi|p(lcw|zgi)|wfou|x(wqm|hve)|u(ikl|uuf)|g(oql|niq)|h(ncq|tnw)|o(iep|mwm|ktb)|mfhs|f(uao|dzc)|bxrp|aebx|csnw|rbzx)|a(u(izr|mou)|k(v(bz|in)|ivx|hjs)|mcbf|y(yvp|nlh)|a(gvz|yyy)|w(quo|iig|ebs)|smfj|f(hbr|syn)|ntwo|hqex|posc|olil|dnrs|b(cka|htn)|gfgv|ittf)|t(nfum|y(qzs|ita|vbd)|ucgv|d(drz|yha)|onct|q(atg|cpu)|mhiy|s(vua|mts|wwt)|e(ycv|mqb)|w(xsf|tjw|zgm)|v(pom|dsy)|fifi|ivwm|lmpp|pyjz|gvxl|zatb|j(mbo|lhw))|j(q(niu|hnb)|k(pgt|yho|nxg|dqi|uzr|hhx)|r(daj|hyq|szj|vpl|ckq)|idrd|e(vfj|kdv|hjh|oio|sjy)|w(phw|tir|jfw)|s(iwx|wua)|ucxc|xcqo|g(rzj|inx|zmd|egl|voi)|h(ymf|rzw)|bpqd|j(ykc|eqo|x(ai|zx))|drqf|zqmf|tktu|cd(mh|bd)|lokq)|i(cpsx|nvvs|kedz|l(yjj|bqg)|x(xcv|krx|wls|fqf)|f(rwo|sgn)|r(gyd|kmz|uiw|lja)|j(ikt|qco|epn)|vaja|w(skh|eat|nwq)|t(tdg|yyb)|h(chg|ocb|k(rr|zc)|hao|vxa)|qv(tl|ma)|urjz|dkgk|b(gqr|rpa|ovd)|sokj|mesz|inwb|pkaa|eaay|zrxf|auks)|p(cpra|z(rlv|jtx)|mhnz|d(hcd|qcj)|shjp|fule|n(twu|igy)|r(emf|rza)|vgsd|jppt|o(zsk|alo)|xksn|lhgr|g(zez|ljp|fvb|nsp))|w(hmgh|u(koq|rua|yic)|fkcj|i(wtq|pbb|qtz)|jmlp|x(igv|upq)|kkyb|lgfe|t(v(em|tk)|mjm|gzf)|rllp|gxpm|nhrs|v(xow|apr)|a(nez|crq|wns)|phbw|m(xqb|ply|oog)|wsgc|z(gek|sgt))|u(f(wli|lqg)|kqcr|m(luy|ivj|zsd)|nbvm|q(zri|mkx)|r(kgw|epv)|imab|p(sgq|cyo|z(sy|no)|fkd)|z(ieu|vlv)|djxu|xmon|hqsp|y(yqi|n(su|rj))|b(czj|uuj)|s(udi|lkn)|wkph|o(xfi|tff|gmr)|elqp|uhro|aypu)|y(n(xfz|efq|fwf)|o(geb|ekg|suc|yzn)|j(tus|dqp)|y(knd|qwd|ivf)|g(dko|brj)|i(qxz|cam)|l(eyz|hbq)|f(rzc|jqp)|a(iuu|agp|rfq)|hvzd|p(lmk|kyi)|x(hxi|pzt)|w(wym|rzi)|vtue|eiig|rfly|qnlq|kbmq|dnex)|z(pdpf|u(qlb|wfb)|f(bjv|kls)|b(fnn|gwd)|dnoo|v(kba|wua)|c(fia|dyy)|a(pto|xgb)|l(ymx|gas)|swpg|r(upr|vqc|itl|qut)|g(fao|toa|rwh|kaw)|j(bdt|wwq|exa)|xdwf|m(dvj|cau|xvg)|q(uxe|otf)|ytkt)|b(u(ykc|njb)|z(gpg|exf)|r(pwm|msr)|t(i(mg|ak)|gsm)|h(axe|rft)|pqea|ijia|vabf|d(pbx|ajv|wsm)|x(qec|vlo|dyz|nbp|eyd)|n(pyx|zpo)|c(kwu|awo|qso)|lgpe|esqw|ocgc|sjow|btuu|jjrz|qgpo|wczx)|h(pvzb|e(rws|lsl)|inlo|uwfd|k(dwm|lxf)|ch(nh|uw)|fcip|nfpr|b(axx|qsb|leo)|o(yjo|inr)|acum|sryt|mmam|gpwm|z(eso|jbn|mev)|vcur|jvas|tbkt|dsmg|xhmx|wxct)|x(e(vgs|ogy)|u(ynh|ekr)|p(qjn|inn)|g(gui|vnv|kjk)|w(kmg|iho)|yudt|c(nnd|wmj)|z(nxh|tzt)|jxzd|s(dhq|xsu)|ibrx|rcen|o(dbb|sys)|kyof|vwla|hyrz)|v(y(nvy|zgy|isy)|t(wry|afv)|iill|viiv|xbsn|m(lst|tag|gvd)|lgdi|ktit|g(zma|fqs)|n(idl|uqq)|fkuz|o(xlq|abb)|asov|jkcl|dhwm|r(ucr|szh)|cyhj|u(ued|xed|pbe)|wwhx|zoho|pydm|sozk)|d(r(jeu|cai|mgi)|h(usz|fby)|thza|s(awa|ovn|iyv|tqo)|osvt|f(kxl|xoz)|clqf|ewqg|p(acy|qnv|ics)|dkss|b(zgu|uza)|g(zov|ovf|qut)|y(hjg|qrk|odo)|aaxl|iszl|xeof|w(egc|xyk))|m(l(b(zv|op)|qbk|jkr)|e(key|mhr|rhw)|w(odv|pfr|fly)|a(rkz|f(lr|qe)|cco|kbw)|kkoi|n(guy|nxw|uwn|arg)|x(yje|dtc|pry)|g(pvk|boj)|y(kdk|dvx)|j(lnz|tls)|sipi|q(cxc|bcl)|okob|mvgy|b(avp|hbv)|h(nrs|ids)|unqf|djsz|tdls|p(iuz|bss|fhd)|vfvj)|o(f(rfk|ywj)|c(wcd|aft)|v(riz|emo)|q(roo|naj|lfs|ioi|shl)|u(pwb|gki)|d(ehn|tio|ywk|bwh)|wcpk|l(map|ixa)|i(pmd|hvt)|j(afx|sou|lik)|k(jee|atg)|aifi|gufp|s(q(ya|ef)|unh)|b(yhy|ggh)|pegz)|g(h(gmp|ewv|hrv)|wask|i(oke|dqs|qqh)|sbbk|m(fvu|vdp)|fvsk|ysdx|cigj|d(ulg|nrb|qvk)|t(wth|qhh|mwe)|z(zrp|geg)|rlrk|p(gcp|zba|ehl)|khaj|qown|vnja|atlw|udvp|jlnm|epdx)|c(firn|u(xxc|ihk|wrw)|e(wno|lrk|obf)|wwdo|n(akm|zem)|x(xma|pdg)|q(egw|xib)|dwzt|lnqn|zafg|vtsq|rnng|pqqa|m(ifp|ndr)|k(tzq|vdu|zor)|gedl)|q(h(nqc|ytr)|ennp|l(aqb|dia)|uxdh|p(vjm|y(ru|xa)|hgg)|w(tlf|nva|ica)|yzsl|irif|khpb|z(lpm|tac|exy|aiy)|xupf|nere|vdxw|c(fdw|rwz)|fvyz|blfw|guxq)|f(rwif|z(csq|fxe)|g(ddf|cpc)|x(zuv|jzt|gtw)|hglq|q(ksm|efp)|eiiu|mbzq|u(qui|nue)|owbt|b(lqc|hgv)|p(fhe|oft)|w(fhu|anq|vao)|fxuf|slvq|yyun|nhxa|iu(lu|ea)|ahuo|juqu|vtpo)|s(wyhg|uwdo|pnoc|yrjb|zpeb|a(qfy|jgg)|tfwg|mcds|l(rhg|b(my|qf))|krln|hyvo|nkyx|qhos|iyqe|f(dfi|ytj|jzu)|stpu|jaqi))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633144; rev:2;)
# sid 2633145 includes 252 (1201 - 1453) 5 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.net)"; content:"|05|";content:"|03|net|00|";nocase;within: 8;pcre: "/(h(s(afp|lnx)|qoao|x(vfi|biv)|b(edh|ppf)|lfqu|fmgn|yvth)|r(oiea|nsbb|hbip|wtjt|gchd|qkjv|p(lzi|ytx)|dfhk|fnip)|e(cavh|agrq|lkfe|bmxx|wqkh|hcfb|dltu|maab|jwun|taom)|s(jaey|d(esd|pmk)|rbzj|fyei)|g(mbja|lauf|bbum|vgsj|eshd|pfbr|hmma)|o(cahr|b(qth|xqk)|u(gxb|bai)|iczf|rubg|fekq|pfcb|edgq|hbyd|zceg|omwr)|a(s(mgi|ndw)|qmbd|vnum|ekgq|b(zfm|qea)|zbde|x(wro|ryt)|cwxn)|b(hqhm|xjwt|ux(ux|nb)|zubk|vmqf|nsbx|cevm|mccm|lneu)|u(yzwc|a(agh|ewh)|rcve|kvpf|bhvt|gsce|uivo|vikj|erzt|lfbu|sboc|itzg)|k(mjyc|ygic|x(itw|hoi)|lqwh|aqpe|rhtb|slvk)|p(ifwa|zxvl|s(dse|ugi)|xkpf|v(vsw|cya)|hmmv|gd(gk|ho)|ffre|wzyo|ajyw)|y(zhbn|y(yld|gxi)|efud|rknf|gu(bg|xt)|k(zlt|evm)|dans|jefb|plup|sftb|nwqw|upoc|mxmh|bynt|ahwz|qewx)|t(j(grf|xzy)|x(xux|gxn)|v(mrm|qfc)|yizb|zfde|m(zkg|cuj)|bvog|hpdk|ucxd|fcgb)|w(cepq|auua|nuyn|fxad|s(lqg|ajx)|eguj|ycxq|qzgu|xrhg|vhqy|mkhd)|v(uqun|ppef|tczy|vpzz|nmrt)|l(wfky|jlod|lrfk|vhck|uhnz|d(zwq|ncz)|trtt|atxa|c(kpr|prp)|n(pmo|xza)|kmcr)|z(r(czd|mgk|rgc)|bxfy|wibq|qnum|yxpq|cloc|g(yzu|qcl)|nwak|przw)|q(irgo|z(anl|lfh)|nitq|f(adg|kez)|afgt|qctl)|j(xlkh|m(kxd|fcj)|dtzc|qhoo|uoso|hwwq|k(idp|bmn)|cqxi|pqsd)|i(dvnp|tkhv|noue|hvzx|lcvm|fvwk|oriw)|d(pnfe|dfgq|tmxt|mfbz|acwz|nzge)|m(pybt|r(kgs|tdo)|xufv|ubvs|htxf|yrtq|jhgk|kdtv)|x(o(yyl|tpv)|q(aqg|dft)|wzja|itom|uhxh)|n(w(bco|zgm|sum)|xxbk|ahma|clcv)|c(otdj|mvrd|tdzk)|f(bfjy|m(sja|ggf)|zyth|xtkk|cqya|emis|qqfv|tbvt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633145; rev:2;)
# sid 2633146 includes 600 (0 - 600) 6 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(d(gdehs|ylotp|r(hfpj|r(odm|urm)|gsuk)|j(f(eqf|flg)|okoj)|fmtyv|b(nqsz|hvld)|lcmdh|c(fgud|gxqw)|m(ulbn|gdsy)|wcmmu|dhsyy|iskjm|hljyp)|n(z(omay|kxds)|y(pvpm|ycku)|xvxkj|aqesx|ttkij|kirbh|u(fzgk|o(prb|yjx))|bajsf|rrdoz|mdhvb|ofbgh|p(wtvx|zqkj)|cjnwe|qbfag)|i(qlvjs|p(qshs|whqi|scec|oenb|frcm)|zuhpg|gqzjn|mbidc|o(ngwk|dbkq)|k(dnbp|pxza|zowg)|ynela|a(wenb|iekg)|ckhrn|bjnpo|f(lvdq|rsrw)|j(cudu|gspo)|irdjd|vtynh|ekpzt|uatsu|svqgb|lphku)|v(o(mzyf|bwsq)|x(erdo|ysts)|e(tviy|lbll|zihx)|s(xhes|fwyr)|u(sqxl|pcpf)|jcram|mqsof|f(fmwi|ucrw)|r(tfph|ydcx)|tgxbv|ldcqk|walgw|iuvjv|kngrc|n(kxic|ccge)|z(whif|vfnx)|psium|bmgcu)|u(xbgtx|l(mmdi|pfxj)|e(nwfb|zzcz)|awcpr|kkvfj|y(iatp|rdxn)|hepry|uazku|qw(diz|gkq)|ploow|r(fzza|wdrx)|jnpgc|vrsrr)|p(r(amlf|isrs|gckk)|dphce|u(ulur|lhxa)|zcrza|i(nvnf|mtkz|jsjj|zusm)|wdnum|l(mfzs|qvvw)|kkgmn|e(bmbx|qaoq)|q(tqhd|upvq)|pdpao|xnkhc|yzazw|bcync|nqgos|sjakv|vjwmu)|h(nnexg|umzpn|i(izpo|txqv)|m(bvcu|znkr)|gvydf|d(thpc|iyfp)|h(hajd|mqhl)|roqpa|awghu|sfyai|x(fcul|icbc)|q(ndoo|bxpl|ozfn)|e(ulka|bptv)|oydby|bwirx|jkdzc)|x(q(zvfb|jglk)|m(jnkg|nyma|bqvw)|u(qctb|jigb)|cdnjb|vxuhv|k(avss|bbmt)|ygtzg|j(dgoh|jyag)|i(upgu|ebty|junh)|r(gxmv|cszf|plgx)|pwzgx|eevhf|o(cfpw|wpwv)|dqyve|tbatv|fohjv|sayxr|b(einx|cdpr)|ztffv|aakqh)|k(yinqs|beyyh|zbbhy|m(kejz|myoi)|o(bjzr|gvvz|rbrc)|h(tphy|zubz|jzls)|xrohf|jaica|tfyid|i(vzha|nbgu|qqkk)|lfija|n(lrwj|bqaz)|k(thwx|pirh)|avpzh|c(yqfe|pfmx)|sgwjb|raoxs|dosqt)|m(qnsfe|xgasx|w(rvrh|iuel)|u(egns|tuuk)|y(qjrb|ddrh)|gbipb|lyeem|o(jgxg|zvwn)|tqzkl|iikvn|jiawe|hpfnk|mlzcd|pylwb)|f(o(hith|vncs)|mbhyc|w(cxea|gpcv)|r(uyax|rqcq|afkv)|s(fiyy|lwpe)|g(boqq|rpjo)|t(dlqh|oibq)|zqent|kyaso|b(ieqn|hnpb)|jaiam|uounp)|w(v(dlke|jkpv|cxce)|bfxpk|t(adye|ehpj)|ydrte|c(wcea|mkxz)|xtzvk|wedms|ghhnw|i(yspg|bsai|acmk)|jhaoa|osxau|hjqvi|l(xrcd|gyxm)|movfx)|l(n(qzgw|kevl|nffu)|q(ndcm|lxdu)|ha(qfr|zbt)|s(kfma|dwzv)|vihum|ojrez|m(cong|myyz)|y(ksjd|yjzk)|f(rtsy|yopp|eamd|kukg|paif)|x(dcre|jxps|nhzc)|jzsji|bdcgu|cmkva|k(vnnn|hfwc)|dqmxz|aopqf)|z(i(innt|qnyn)|cfzcz|k(pbdp|xxqu)|xkvsa|p(pobr|ldka|vedw)|tfruv|uhhbs|vxfgz|lsmrx|dnxbn|g(exiv|izve)|fvamr|wrhat|rjrom|scydl)|c(o(xgkh|ickq)|u(exld|hzcw|lysg)|p(rcdw|qtlc|yqlb)|mcppn|zonus|skeqe|l(oand|huso)|emfmk|jfokx|wkpgm|kfkza|dyfki)|q(c(mqdp|nmji)|m(luxj|wlmg)|rdzqi|nsfll|wqrpf|asxda|e(ommo|segz)|thmmw|yyxdr|lkhth|brtoc|itfyw|oeuqp)|a(zzfeb|gn(akx|gyc)|scxag|k(ylvk|casa)|brtxg|ybbsi|aggsp|j(kthc|unny)|cpayt|p(iglz|lmip)|d(b(vht|oov)|dpql)|twdyo|x(neob|ptzo)|l(ksvh|rllu)|u(fqex|yezy)|mpsiq|oqtvn|nsece|evqbn)|o(lcagc|d(vbff|hlai)|a(ohhx|hkdx)|gfrbd|zhkzh|v(sbgv|fxjd)|h(kkzw|prkz)|s(behv|grbt)|uobwh|yoars|cgnjq|rqiod|xiplo|jhlsq)|g(m(igzt|pcdo)|g(bjzk|eqmv)|u(f(trq|bnx)|lfxo|oyya)|yvdlq|jnqlh|zszzr|bkutb|kzvvl|qrymn|ahrxx|rmmbi|oixpg|dkxvf|howjr)|b(nrmbe|w(ijdj|ylbg)|b(iuyi|uexm|jybh|ocpc)|qkrta|ombzd|ueixr|yctaf|vzacj|x(gill|tdqu)|ccdfr)|s(wrgen|r(nfre|wsqd)|kbxiw|lhwbr|bfzur|z(spiu|aycf)|ifkff|h(vtzt|sicq)|jaygd|g(pidm|hghs)|e(fpos|xpgn|hflg)|ynhhy|meoju|t(dqtt|gfng)|ne(anq|rur)|sgkew|fwdoh)|y(arstx|n(webf|ktld)|h(mdup|cfhx|degp)|pjfrw|s(eyfv|iuki|vjqv)|fcpev|b(hwwi|rnmc)|iovbk|d(oyfg|hkwb|wcfs)|l(nzov|ptdh)|vekdc|wqeya|k(tttj|zbzn)|o(tcia|idry)|ynwvn|t(iwso|uwda)|cfynq|ecgaw|zhmhp)|e(nexpb|gokpl|ysexi|i(ymzp|wglt)|c(nfbm|dcut)|h(gheo|mspd|wkzh)|lbcqd|o(gnif|isdr)|xzroo|w(wtag|dijx)|tetfr|qnmoi|kwywn|pzamf|zdmbi|vmusa|bzoee)|r(vcfaj|qbcjy|zzvof|wyftt|x(oyzs|qiqj|hksq)|y(wyyc|cpez)|eqool|p(hfth|coud)|r(usyx|zrbo|dsch)|smfnt|fdece|n(oiyd|ijyg)|jpqhp|annzh|deoox|bloae|leroz|tkjbn|kvrus)|j(t(ijwi|ysbi)|kriep|zrixy|akcuf|mhhog|hcxjl|oixvi|jfvrz|l(xgct|hwrf|elmt)|wqups|x(efeo|midh)|uytuu|rzkfg|ygevg|crklo|pajbw|qmxop)|t(y(opww|iumi)|c(teqp|cxfv)|bqiyo|wjpma|q(xigj|hxzo)|l(vnnr|u(dfd|mzx))|f(vxhf|hzlr)|hssps|udkjn|o(vlck|mrsf)|n(nmym|rkso)|v(jbcw|hnsy)|evgdn|spnwc|ixekv|xkjro))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633146; rev:2;)
# sid 2633147 includes 829 (601 - 1200) 6 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(b(wylbg|x(tdqu|vpsr|ppyb)|ccdfr|bocpc|p(orcs|fvgv|vmqe|ktpl)|a(ftdn|lvny)|hjmia|yxgpx|l(volh|wcxl)|myhrg|f(fqvz|mryz)|gqhrd|nprht|r(tlpk|fcyf)|ktcut)|k(k(pirh|kufk)|c(yqfe|pfmx)|s(gwjb|dlwn)|hjzls|raoxs|i(nbgu|qqkk|mtsq)|d(osqt|ujel)|o(gvvz|rbrc)|n(b(qaz|fgv)|jbkx)|f(skqn|izah|ynks)|l(w(xfc|ghw)|ahek|plph)|qfmne|b(fgkd|aheo)|aryjd|towlb|jixbo|m(dmlc|udwd)|wccrh|yucsj|vfrhf|p(gnmr|ahgb))|z(d(nxbn|qrzs|drgn)|g(exiv|izve|bbnl)|f(vamr|rxsu)|pvedw|wrhat|r(jrom|hpzz)|s(cydl|rclr)|k(xxqu|bsqq)|e(ttum|pozj)|j(yewx|ngkz)|nmyia|az(iyc|jfc)|h(orlp|bbhh|ggcz|rpwl|azds)|ilghk|oydrs|uiwnt|tqsrv|mgysq)|o(yoars|s(grbt|ifia)|c(gnjq|anvx)|rqiod|xiplo|j(hlsq|turp)|u(acay|divv|ncje|mzpu)|i(vakt|ooyd|povf)|g(whaa|ydgj|gojd)|doajs|frahx|hflkm|e(ltcj|dvlq)|azsxd)|y(b(rnmc|dxdx)|s(iuki|vjqv|lmov|qxhm)|h(cfhx|degp)|t(iwso|uwda)|nktld|dwcfs|cfynq|kzbzn|ecgaw|z(hmhp|pubw)|l(ptdh|bytp|rtfh)|u(znfm|ndjj)|j(lwrn|fwnm)|fxhtk|p(mypp|dwzr|rdpy)|r(qlmf|gcmu)|yszee|o(gmnr|arqr))|i(jgspo|k(pxza|zowg)|o(dbkq|bboe|ybwx)|p(scec|oenb|frcm|xnat)|u(atsu|inpj|kbbm|oxtq)|frsrw|svqgb|l(phku|hvbs)|r(gcpm|finh)|z(svqg|gnlr|xtsh)|c(xvuo|fqrk)|wuevf|nkkmd|ickgy)|g(zszzr|bkutb|k(zvvl|tace|uqhb)|qrymn|a(hrxx|asqs)|rmmbi|oixpg|ufbnx|dkxvf|h(o(wjr|eku)|dkea)|xamol|eocps|c(ldgq|itto)|m(nqar|qdei)|n(lxrd|zebt)|g(cfkl|nkfm)|tdtmt|sbgvj)|p(pdpao|x(nkhc|pgjc|wtwl)|i(jsjj|zusm|lpnf)|y(zazw|iofq|rprh|ccxz|hdar)|b(cync|ahtt|ookk)|n(qgos|sozw|gdig|rtpu)|q(upvq|rkxw|hndy)|rgckk|ulhxa|sjakv|v(jwmu|zund)|m(hvpe|u(ivh|xdc)|pilz)|ayhls|t(rtik|xevt)|frivj|z(wfnx|pofq)|g(awcz|yijg)|dwkyy|jdygm|kxcot|hfskk)|f(ja(iam|cfh)|grpjo|b(hnpb|wgki)|s(lwpe|rbbl)|uounp|c(tvmw|panp)|m(ahno|lskz)|a(nqha|deie)|h(cluo|dfae)|z(pzrh|arop)|flowc|k(npaj|voqh)|d(amto|oapl)|vwpjc|e(hymu|ncob)|x(owba|nigd)|ozwbl)|a(x(neob|ptzo|aodp)|l(ksvh|rllu|lqec)|u(fqex|yezy|ushu)|m(psiq|nlet)|k(casa|hmcc)|oqtvn|n(sece|jqpe)|e(vqbn|hrbb)|hizxs|a(fdda|gofl)|c(pigw|xulb|njuh)|iatqi|w(ezob|trjv)|gjfig|t(kmqn|sxtf)|bujjz|dubpd|sbgdk)|r(pcoud|l(eroz|ntze)|n(ijyg|sjbc|tqau|xuae)|rdsch|tkjbn|kvrus|xhksq|q(qojx|ueih)|ajdwg|dyeoi|oyyei|u(xkvh|lfzk)|z(umwn|aejk)|v(znao|kwpd)|etqku|swsld|jvgfp)|x(ijunh|d(qyve|snwj)|rplgx|tbatv|fohjv|jjyag|s(ayxr|fxkf)|q(jglk|pnne)|b(einx|cdpr)|z(tffv|mihi|ohxf|ipkh)|a(akqh|brkh)|owpwv|ujigb|g(sxwn|wbws|vout)|m(lnih|bhlc)|pujwo|ykjgu|va(sux|ynh)|e(spbn|ycti|vfmz)|cidgt|hmfmm)|j(t(ysbi|ciqc|xuvh)|r(zkfg|iqqz)|y(gevg|jgga|qwrh)|x(midh|pkky)|l(hwrf|e(lmt|jsn)|gxyu)|c(rklo|mihq)|p(ajbw|hywh)|q(mxop|pmjn)|irjbw|dunoc|w(lupf|gffp|enxe)|f(nkun|auny)|u(lhwl|inck)|nvlkr|m(vaoo|yfmq)|slyvx|z(jxjy|avnm)|hmbtd|aznig|byney)|s(tgfng|n(erur|rwfw|czpi)|e(hflg|fbrm)|hsicq|wxvmy|d(cxfj|iidg)|jgmui|feocn|ryzoo|p(amoj|wwsc|zhxy)|yiqhl|l(ajml|nkiu)|o(u(wil|qoh)|ihwn)|xpwiz|b(zlef|ltau)|ugrnq|aqjny|gdzpl|vgohz|mlckn)|h(x(fcul|icbc)|q(ndoo|bxpl|ozfn)|e(ulka|bptv)|m(znkr|yrva)|o(ydby|xkfz|pdhv)|b(wirx|knke|lrcl)|j(kdzc|brlt)|i(txqv|gndi)|l(zkrb|vgqm)|wjzkf|ccqcs|noydi|rwrus|zglxr|tglqi|y(ozsj|iqej)|kuhsi)|e(w(dijx|cohe)|z(dmbi|emjk)|h(mspd|wkzh)|vmusa|oisdr|cdcut|b(zoee|yqoe)|pvfdj|u(wqah|ahey)|x(myng|eupi)|n(phlj|mjoo)|eprth|dnzzm|acegy|i(zmmc|rmqb)|mjmds|grbeu|foyta|k(drjq|hkyx)|s(qwls|xmqv))|n(u(o(prb|yjx)|zzcz)|y(ycku|nvbv)|p(wtvx|zqkj)|cjnwe|qbfag|s(vzvw|mgre)|r(khbf|opuj)|m(aure|heem)|o(gtab|cxmn|qgxp)|gzqzr|bnczz|jxsvs|t(fjfk|xczc)|k(htre|lefc)|fgejw)|q(lkhth|c(n(mji|pdp)|gmyj|pgjn)|brtoc|i(tfyw|mjqc|xiiu|fzxw)|o(euqp|lylh)|w(fmkv|roga)|m(xomo|lprd)|nmtyy|tomwj|z(gnxw|kcmo)|hcdco|a(ftkr|rxgt)|p(aonv|sqcb)|e(wlok|tjrf)|r(fokz|qysr)|g(kekm|hldw)|votqj|ubvqt|kvbwe|yytmx)|l(f(eamd|kukg|paif|fkkk)|bdcgu|c(mkva|hkdt|osaz)|k(vnnn|h(fwc|oxs)|nfnu|mugk)|m(myyz|xhqa)|d(qmxz|gosz)|aopqf|xn(hzc|dxc)|y(yjzk|wxdl)|s(dwzv|wedv)|t(tvzg|yhza)|i(hask|jwty|dmnd|ylpe|itva|gelr)|gbmnt|e(iadt|zayv)|oanwg|qxypf|ldcwu|z(jvpm|dagw|xuyn)|vfyjz|rfagv|ngcup)|w(l(xrcd|gyxm|ryve|jyza|qict|pfkg)|m(ovfx|vwji|cdgj)|i(bsai|acmk|fkqx)|v(jkpv|cxce)|tehpj|s(mttb|uket)|q(euwx|gcaa)|bugkj|a(zgsr|uexv|nbud|lwzm)|nmbfv|yeets|z(coag|kubg|ukyv)|wtjti|d(nzfc|euie)|ho(fhg|rok)|xwqsw|uevni)|m(ozvwn|jiawe|h(pfnk|dngy)|m(lzcd|zsee)|pylwb|teibs|w(ebdf|mfck|rirp)|ltqzt|z(voyp|zqga|xjqw)|c(oqid|rsal)|y(mral|uabp|bznf|dqne|neqr)|kr(sek|urt)|i(fxpm|vemt)|qulzc|gwxra|bnyzb|v(pejg|skvx)|a(hmcr|geeq)|r(fxov|ksqf)|nddjo|sexzr|eedxm)|d(m(gdsy|dhop|hjar|wcse)|r(rurm|gsuk)|i(skjm|mvgp)|bhvld|h(ljyp|akrg)|sbczo|exnxz|w(aqca|xxuc)|plpxw|gnjks|jyixz|tsszc|lbker|knpdf|cdpuq|qpoyq)|v(p(sium|igoy|gpun)|zvfnx|bmgcu|e(zihx|jwfa|vnsl)|n(ccge|qgih)|u(pcpf|huhm|ueau)|rydcx|oetip|imqwo|t(pfjh|buvu)|lieye|x(spyf|rqaa)|d(kqlp|diqr|aytw)|q(bjwq|vljq)|fjvxj|kkvqs|yzvxu|hyqwk|matyx|seozi)|t(lu(dfd|mzx)|o(vlck|mrsf|qrac)|n(nmym|rkso|lmtx)|v(jbcw|h(nsy|otv))|e(vgdn|tbkm)|spnwc|ixekv|f(hzlr|akcv)|q(hxzo|rbgf|ubtb)|x(kjro|nolh|huru)|c(cxfv|drma)|u(rjfk|tsye)|g(chlk|kzev)|aalzj|bwphq|tomnl|pqeki|jc(uit|gcp)|mgfqa|y(hfws|aeyf)|wyuqu|rsshp)|c(pyqlb|emfmk|u(lysg|ivth)|j(fokx|dscb)|lhuso|wkpgm|kfkza|d(yfki|gqcc|cagf)|b(aqcn|lase)|n(yomw|ktnv|obat)|flbzy|gc(vdb|dpi)|hoaqi|szvpu|oxkmr|at(wfg|yjc)|cjzhf|ifahn)|u(r(fzza|wdrx)|l(pfxj|hema|ocjx)|jnpgc|vrsrr|yrdxn|ezzcz|a(fobh|jgsb)|t(udru|pteg)|iwuin|zfvqa|m(jrct|hnes|ancy)|qnczs|p(uhwg|ycas|rebz)|kjklu|nnmuv|wenjd|hmcun|xzohv))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633147; rev:2;)
# sid 2633148 includes 229 (1201 - 1430) 6 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.net)"; content:"|06|";content:"|03|net|00|";nocase;within: 9;pcre: "/(r(zfknv|b(shea|lsgp)|k(ykur|n(hnu|xin))|jnuna|e(uocd|jqnr)|t(alyr|ewfs)|dzimy|ianoh|fbgdo|u(khlz|wqdw)|hupsu|mgljt|wbyyn|njnwu)|z(edrrg|uegcj|q(upvy|yubi)|vrrye|kxkqz|hlmts|wzwfb)|n(pjcog|uhuci|znqxf|myqyz|lhzrw|afvug|fwgpy|nbwhk)|f(oilhw|p(vmss|mwao)|u(odtd|vlcf)|glpeg|ccaai|zmiho|kycmb|fppiv|nekxe)|v(wtjmi|nkrav|cksbn|h(vqhm|ujjw))|u(yeeyq|pciuy|nbhkg|ecqce|gmnzx|csmum|kbnla)|e(ahmio|i(fmyr|rsod)|rncni|oxhuj|wfpzs|bvesk|kfmcr|pboxr)|i(l(vlxj|lcyy)|bsukh|dhbga|wrzho|seixx|xbosg)|g(hmawz|vrkul|zvqpb|mzqyz|wbtnv|feqlz)|a(wmtai|x(mlyi|njhx|ufwv)|ybwsv|vtfyf|qvdum|n(xmbw|mpem))|l(gasuv|quqgt|ajdot|kjhxi|tfbah|pahas|ecsuw)|y(igbqx|x(brec|tiia)|hogtt|qeouk|rzpmc|mxdpd|zbbeb|dkdar|laevi|vgfei|btqcb|agwlw)|b(dvjmr|klpbr|trnyj|zfoiu|mcemg|lzaes|jpwgy|ucflb)|o(jchbr|zeymm|kwjey|hsqgg|xznwk|cjdzv|vxntn|rywft)|x(spjsd|acpjm|gpzcn|qohil|jjhsq)|k(l(akhr|vjzj)|b(wojb|rfvx)|k(tfuo|utth)|tbjil|jzrly|mbvwi|wnkqr|u(pxwy|jpii)|zzcyf)|c(xblip|fgfzn|athwx|nndsn|bqgao)|w(i(fzoc|nkus|xcnf|sqab)|o(rtaf|omgu)|gnciq|caroe|arlua|pyvfq|rcavw|uopdw)|h(smtno|krbxq|hqnon|fmvkl|vefba|cucjz|mxblq|otomi|lfbut)|d(woarf|iqcvl|besqn|dwzlg|eoovr|pxudd|xekuw|gxukx)|s(h(zgjw|bzvv|teyi)|sipka|griac|nxtee|pqjbv|fdasf|llgzf|x(fjaa|qqjw)|rywwi)|j(gu(uwy|ziv)|b(lspx|adof)|agtgk|vjogv|crywe|rrmoy)|p(lxhkn|zigik|vrkuy|dgsqs|aoymz|iwxvf|gfnpn|nuddx|szhez)|m(r(xwok|hcut)|ogssh|j(tfem|qcjq)|smluh|eekvj|azzqc|y(kdtw|fhgy)|umsbu|bbbnn)|t(vgjnq|dsniu|sonfa|rbwhw|upbad)|q(nlszx|yowpo|gauys|mndws|lsveb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633148; rev:2;)
# sid 2633149 includes 600 (0 - 600) 7 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: "/(g(opfgie|gftslt|skkgml|m(kvyyu|ziwbg)|r(qtuge|rgxmu|msjmb)|wouymq|a(pzner|cbpih|mxkek)|j(qdlfx|yyvyo|ovkpp)|vxpvqx|h(swrxu|lflto)|lbmdcg|enkgqb|tjqgct)|t(c(gkchw|uqnvl)|x(keibn|qzidu)|ikjogd|fxmwmq|qjhjpk|g(tqgpy|povbt)|z(prbjc|qwvqc)|a(pivwe|fntxl)|lurtxl|ehfger|voriun|hushfr|rujwor|ojsstr)|x(c(amfhy|mivex)|grzzwq|ar(tyep|jtjb)|rubowe|xtemkd|u(cysxw|xebmg)|najeuq|qypnsz|e(fbees|btaci)|s(hcrgw|fgiyd|tzgka|wzkph)|ofomiu|mlpihy|d(ncbma|lyhdg)|fdlioy|lddhaq|jtedau|txrpmn|vocmvc|hugjzt)|v(ixgibf|q(chmzn|gztjf)|euqxjn|jkhxcm|r(jupkv|ixkxd|lrqeh)|c(nufkk|gslks)|lbkxkm|tmjuft|s(toddc|stzof)|olheso|b(ibykm|tajbl)|gzxugi|mltykx|ypbztw|kaessc)|b(gt(tqad|rnqy)|v(liqcm|uuopf)|kwsmhw|t(ftayy|eawey)|xihgba|y(jyewf|uerun)|h(hwtzy|tjbcg)|u(nwkrk|boydm)|nfpimc|pdblyp|ivdrns|lczlqr|a(dvqce|scehe)|d(rklkh|eehxc)|snpqgk|ezdwpa|mguffj|zsyejh)|e(e(uhcuf|qbwjz)|k(qavox|zvpue)|z(fcdrb|xaxag)|o(zzbhu|fojrd)|iugekj|gzvdrp|atkxkr|h(aqkbk|yrxqb)|rfkcqm|v(tchcl|nugkl)|tcthwm|yfepuy|bhkalk|xnitrv|snovtj|pdwdoa)|q(qtqshu|t(kykkz|esehg|szuef)|u(kmnvu|ijpkm)|mnmwcv|xzmecb|ggdzyn|pcngvz|d(nhugv|ldtbo)|zxydhk|ydkhnz|lyzgfm|ckntin|ehgwjk|hovnrb)|a(j(nfxqh|ztgpe)|z(sfdmg|lidwi)|iydfry|a(zidnc|wtipi)|hhxkrf|k(uljwn|eqqlk)|o(hqbth|kffne)|gspelb|dvaymg|qvqsnc|tvkmxj|ydrhsr|pngybe|m(tnmha|fqsco|kokyd)|v(jzdjh|larur)|wxeuba|szvoog)|u(ajjknu|vdyisx|fuzpmq|e(bagch|fmfqu)|dgeebu|jdqfpl|tgegue|sldikw|h(itdij|bxuyw)|u(brumm|voqvl)|cdghvu|nyauvn|x(lzgnr|hsxwy|fquhj)|gwecxo|zbvzyf|w(ylfyk|xdjze)|bpsqgh)|o(zlpmpx|s(reanl|ygjii|ihyxf)|n(gdqjm|baagi|ndqug)|d(zugbo|sknyr)|fvafnn|b(bowle|sylsd)|rmqkrz|vvdrcv|m(dwwvc|hgzqb)|ilagfw|lwewzl|gekeug)|c(twqutt|a(rjrwu|ghkqf|oarph|nanqh)|k(xkkug|pphkb)|z(uicff|pvcnd|srpjw)|g(leufa|oznmy)|d(zsnlx|iacoe)|m(loqru|jismw)|safrcl|p(cikwh|icwlf)|n(ewaqx|dyakc|qmvvm|laavy)|q(dkmar|cbnse)|f(yxkfz|iamwp)|bbpozk|lscylm|vfelcj|iqnhxh)|w(q(ftizd|tgpdq|cbkyp)|ve(pddq|hlsa)|t(n(hajl|nidk)|oxcwr)|h(yradc|bzalb|gpfjz)|k(dgqoi|mvern)|j(dfshq|lkfvy)|l(hnisp|mmahv)|x(kpxxz|sschf)|c(fzsfy|iaepc)|ycdisd|foggnz|ghdjik)|i(f(zeuhp|rahta|njekx)|eeysoi|p(ygmwg|mstjc|ridkd)|t(wcnwa|rwnab)|lmslht|q(vsjwo|kxvqb|wrhkf)|d(bvkyw|mwalu|cdccc)|cnayce|uw(fylx|yrdx)|o(znilv|amidq)|i(tadli|lrqrb)|wfyulb|b(romax|jmypm|vfvpb)|vqqsqr|jcutrh|awitna)|y(f(pvnoh|kcpov)|u(rhgtv|plelv|nobqn|okjyf)|nxftsv|akvdhk|x(mvqqz|bgnqe)|guiiiv|ejuaat|b(w(xhul|jxnt)|orelt)|s(vdrmk|jxkup|nxpdj)|ttlock|kbsduv|oqhmkt|wzlkcp|jjtrwv|i(ysjmz|rdsrk)|pkuhob)|n(u(mzvvb|dzcnt)|x(leidw|wbvuo)|o(vyqrh|iiipw|nycbk)|wphzuk|arcsca|z(bitij|kavqv)|q(bqfyy|tjnhe|vklbk)|s(gflbc|yzqbo|otxoi)|kelxhu|gzuxlr|rryegp|hhtwgx|jvgwdq|ehsuih|mciawk)|d(y(zpamo|fojdd)|bckxmx|dzfogg|fyiohq|v(tokuq|hfxbh|gdood)|tccpsp|rwhope|ngtzie|jimhlj|zklbrz|o(bsihv|fqdab)|phtylj|cckvvt|ugmuze|wdtakz|ebngeh)|h(f(otmcd|vxqen)|xeiofq|t(mguxc|jxmrq)|l(xypbt|fhgnq)|mujwnu|nxnekj|u(esjdt|uqfpm)|ouvfci|p(wtjbo|jdein)|i(aehds|fdffa|dyjov)|k(dhmcj|vtbsm|zmqof)|qanqyw|ypsklo|gwadrh|jxkmma)|k(srbbyi|c(cjfsl|fqgdj)|guabzu|pykprk|hjayyr|mq(gzqb|cqgf)|r(xzuqg|nmhnh)|u(ieovu|wepxz)|djpzvm|kzbwli|v(mwezt|ggeqs)|okyonq|qtfvat|ykabvi)|z(d(gasrg|fskvv)|c(wowju|jujyi)|jvnbxp|i(lbgoc|utmrw)|x(icnpa|vflac)|h(gxjue|owyss)|g(fmwop|ahkln)|fdhhgo|y(abtpv|pgaoc|eiqbk)|tztadf|u(pmdib|gsqsq)|eiwrsr|qkhsww|w(hlzwh|qabim)|o(pgwfv|mbcsq)|k(sfvnj|gizoq)|lvpgiy|sjtwzo|zcusyy)|f(e(pjkke|fayny|vkpop)|cbmrew|t(ttgyt|ninvs)|r(vjnzf|uktiz)|q(rhfag|czmfn)|vorxzy|p(kraxt|rpdmr)|lkikcd|mgjpar|s(josvh|pienu)|iproln|aacigd|fqmszt|ocybby|hkmicl|xqyygh|klggna)|s(kmpawu|d(hjqqo|tozlq)|pmkmss|obwjyd|zw(kspt|vizp)|bthvjb|m(qwnpt|iepwc)|jgeswc|fwhiqf|w(emcps|svbtl)|eczupt|n(ikvmv|bpskc)|cytmrd|sfmtbr|q(ehbdc|owzhm)|tfmctd|vsidym|hdniik|ahdcjy|lawhho)|l(o(sdrtl|jebfi)|x(ncsar|bdxza)|w(teqce|gpiza|upbyd)|sjarjt|lybsti|gasjdu|rgzqrf|h(vjhnr|zidbl)|z(fprnt|nshvh)|qjpxoa|jqlmzo|pfzpbs|cylwfq|mifrcw)|m(d(yrloe|zbidk)|c(rvdbn|jctzw)|hwvidm|rtjtvz|k(ydyza|hxzbp)|vuqizc|ng(vugv|xvko)|mwlrnb|t(fpitk|etfhb)|z(vourw|fpgsf)|o(iougr|qnrsu)|yxlbuu|fzqvmq|gappjh|ulqntt|wktszm)|r(h(ehnaj|orhfx|vaxhz|ztuit)|rnwevc|atvfza|thetwm|evevpi|p(yfqiv|xpopz|crdzd)|vxlczc|iynlba|syqpjo|c(cpkky|ivdhb)|zixkaz|y(beugm|umcrs)|uvhpym|jqhtak|k(jrlxa|funmd)|w(rxccv|duxvk|xdjol)|gcexps|f(gkrcr|lbxiq)|laynap|nqhpes|ogichb)|j(c(rkmpj|dlugw|utnre)|n(vdomb|uoyif)|zauysj|s(sjdob|grjgy)|mhwwhi|ispzeg|wtdtov|ydpgzs)|p(jfywue|q(nzoep|vabmm)|cfueaz|oovgae|bahdaz|dzpowk|annuqp|nsrozu|wfrkuu|pirffm|hskhyy|kfwywh))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633149; rev:2;)
# sid 2633150 includes 796 (601 - 1200) 7 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: "/(q(lyzgfm|c(kntin|lcldr)|ehgwjk|u(ijpkm|dcqpj|luaum)|hovnrb|rzyapu|zechhl|wo(rdyb|okkr)|o(smpaj|eqfwe)|jcidkh|kxktml|scevaz)|b(e(zdwpa|dftgk|ymusp)|a(scehe|buonw)|m(guffj|kzqgk)|z(syejh|cdonm)|v(uuopf|phuks|ltple)|i(iuavw|zgdxx)|b(hgbsq|ausxh)|g(qtymp|jjutp)|kemijb|chfvki|nfablw|jieowh|wvnogc|yvgtcx|r(ygmje|bgvkd|llilb)|fzihpa|xlkbzc|hfvovm|udtzql)|w(ciaepc|ycdisd|qcbkyp|hgpfjz|foggnz|xsschf|l(mmahv|beylg)|k(mvern|rgjhq)|ghdjik|v(wcyhi|ltdyt|iqpyp)|wrdxjp|touqas|pebcdx|eabons|scnhuf|ndyhpj|difalx)|t(a(fntxl|pznxw)|e(hfger|oumlt|q(jskv|drbk))|v(oriun|dyqmj)|hushfr|r(ujwor|qvbjr|hnyfr)|o(jsstr|nrqco)|zq(wvqc|lriu)|m(cnpss|pfjfb)|qrvcxo|j(zspgf|exnhr)|i(jnefv|atrgw)|nkxzxv|k(g(dnso|jqfh)|orwem)|l(dmmjh|imbuj)|gzlrjp|d(btstc|pvrib)|fgwddw)|o(n(baagi|ndqug)|m(hgzqb|dotny)|s(y(gjii|zzoh)|ihyxf|dsmww)|b(sylsd|gmsoq|hmpfi|qgolj)|gekeug|d(sknyr|erupw)|uerjxg|z(nmpem|suifg)|t(cyhpx|kvwyq)|qdnlrv|v(lnnan|thwzd|qzoht)|w(mfpfr|xahhc)|pjafoo|l(abaqa|wxlvr|qtzqy|cfcyr)|ehpysn|c(dpsey|relli)|rhahhn|aztenc|jhdvpl|k(kenme|pnqft)|xlvyfe|yhmhtj)|h(y(psklo|xxuxp)|g(wadrh|jvjyc|okylv)|uuqfpm|t(jxmrq|kbvyg)|i(fdffa|dyjov)|kzmqof|j(xkmma|zdwnh)|b(futds|qsish)|s(fohgq|kyfyt)|q(vxjtt|gunuq)|x(cxqmc|dkxcw)|o(eozoh|gwmpo)|dwgvxz|pocime|m(prhhw|dgwar|yzmzp|awfnz)|h(mqgba|kpxjv))|j(c(dlugw|utnre|isslu|gfvwo)|s(grjgy|jlmdw|oywfj)|n(uoyif|vdlwf|ldphz)|w(tdtov|isigt)|y(dpgzs|xwjne)|x(zadbc|ceebh)|f(qxnoq|vwzve)|ewjpmp|odrckn|kdzccs|r(wzizk|jsctz)|q(ohmoi|ptgol)|t(ylxsw|xekmg|rfhii)|btcwcz|l(vquhr|wtrip)|pqwjoz|i(yjebe|dkixp))|c(f(iamwp|xczmx)|n(qmvvm|laavy|brtkc)|b(bpozk|cuesr|jqhpx|nulxz)|z(pvcnd|srpjw|tuwdz|vqmuc)|l(scylm|zsuxp)|q(cbnse|jcrof)|ananqh|vfelcj|iqnhxh|hahjtx|xbhqxf|usswxh|ymfion|s(mstri|snxkj)|p(kbset|awukh|vvnco)|rurhxy|kzzihx|oolwbd|eqnixb)|l(q(jpxoa|ipohj)|o(jebfi|smakr)|z(nshvh|qatms)|j(qlmzo|hbcng|fbelq)|h(zidbl|vyjxr)|pfzpbs|cy(lwfq|ijjm)|m(ifrcw|wtstp)|dianje|rveyml|x(dlenc|hpxle)|ycigvi|b(qqxdi|sludf)|i(tchng|ypxpl)|uvmdqx|efvikh|nkfzyr|ffsayh|tewxkr|kyhyft)|i(vqqsqr|b(jmypm|vfvpb|folik)|j(cutrh|s(uvni|eohk))|awitna|p(ridkd|hhdos|kjinq)|q(wrhkf|icjqt)|i(lrqrb|otklq)|uwyrdx|c(uzjij|szfgu|xuhdf)|tyixmu|h(tudkk|bvilv)|wjtvok|x(vupnt|iooxw)|fhmtox|r(qcrig|wtvns)|d(xeeqn|uuslf)|kuanef|gsfkdr|ylmhgf|mpkdyv|sdjaao|ndildd)|g(m(ziwbg|txpul)|enkgqb|j(yyvyo|ovkpp|qwlre)|t(jqgct|qkwxf|zxjmi)|h(lflto|jdkrg|owmyz|ksbqm)|amxkek|r(msjmb|xsvrr|umbop)|qztrfz|byqgfr|nqzrns|oghtsf|v(gykfm|zzhqu)|cwsume|y(eaesg|kkcym)|s(tlvce|rsxga)|l(hufkb|xrjgn)|psdecg|kcfyqq|uelucu|xhsorb)|v(c(gslks|zaiay)|sstzof|rlrqeh|btajbl|ypbztw|kaessc|abnzgv|u(iekdx|wqotv)|dhlwie|e(vngpv|hvpxn)|q(oyjfj|ywotz)|w(wdzmq|khudb)|fhnyzy|m(vvfif|zolfz)|zrcqtz|ndddwn|oeiwaz|ppaglp|hqcxtc|vzrkde)|r(laynap|wxdjol|n(qhpes|rkbcl)|flbxiq|pcrdzd|h(vaxhz|ztuit|woync)|ogichb|kfunmd|r(sdvsj|wbbaj|zzspf)|v(wzpre|xrwoa|dmpwo)|i(limxl|pqkmy)|jrphqf|ykurwp|e(nxmbz|pjpop|fcasu)|azwrnx|gbagym|scstrg|utuobf|xtrxuf)|x(d(lyhdg|rhvoq)|s(wzkph|eqtiy)|t(xrpmn|uapuw|kcsml)|ebtaci|v(ocmvc|mjpwx)|h(ugjzt|msiyo)|j(paycn|rcogx)|b(cjicy|hdsfa|slcqg|gtctv)|pvxrtc|q(jdavs|yyoib|wsalg|voidv)|ytqwtj|ummjzd|z(hjtjp|l(qgjo|yfho)|ireoo)|wvaial|mdhehj|gfuzji|azgmcm|nvdjuw|k(htvww|lpxqb)|ovotam)|u(zbvzyf|w(ylfyk|xdjze|myxwm)|x(hsxwy|fquhj|ymnsa|tcqte)|b(psqgh|ytdwh)|e(fmfqu|sbgyz|daxue|plehd)|h(bxuyw|arrxc)|v(u(amyi|pzux)|qaasu|slvfs)|y(eyaru|sxblb|yghgb)|m(dnoct|qistn)|p(mulhd|aeifn|ifegh)|nncghr|q(zudxp|jkbrc)|rosavx|acjsec|tuwrhz|joiabe|ilhnax)|m(fzqvmq|tetfhb|ngxvko|zfpgsf|khxzbp|g(appjh|zopxc)|oqnrsu|ulqntt|w(k(tszm|eyme)|uzubd|nxtzt|mzpde)|d(halli|xkuiy|bhirv)|m(i(dwgs|gfvh)|ghogm|vlltb)|icdddg|jhfcoe|bqwubv|r(eomwm|cgikc|sqjhh)|vnmhvr|saobkf|yrpvua|euqpwc|xzzyks|cwbyfc)|n(onycbk|z(kavqv|ohxxt|ynezo)|u(dzcnt|ujnnj|aonxn)|g(zuxlr|crxsu)|r(ryegp|wsbri)|hhtwgx|s(otxoi|giksw)|jvgwdq|ehsuih|mciawk|d(hkgpq|dwllb)|i(rqhob|qwnte)|x(htnew|pbsuv)|l(wjtib|kbcot|nxnum)|a(mwphb|ernyn)|t(pmmnp|swequ)|ycoiyh|kdmmkz|bkvqnl|vmhtuj)|d(cc(kvvt|pnkm)|vgdood|ugmuze|w(dtakz|aqolq|zgjcj)|e(bngeh|cpcym|ldmll)|o(fqdab|ubrkh)|d(ghyim|srjid|bdaxz)|tzgcgw|lfavwt|qaeiza|xpzgls|zarqde)|z(y(pgaoc|eiqbk|g(ibeq|lpxs)|nmuzv)|dfskvv|sjtwzo|howyss|o(mbcsq|vlrzh)|z(cusyy|i(kyhl|glor)|scjdb)|kgizoq|c(jujyi|yisdy)|p(dmbly|zpbhv|yzqoo)|nikwuy|qbhgpy|v(rzuoz|iwdfp|yqrlq)|rnemjq|etbdfx|fbnjnm|mvmusb|ukwivh)|f(ocybby|spienu|evkpop|prpdmr|h(kmicl|lzqsu)|xqyygh|klggna|q(czmfn|xslwt)|r(uktiz|ozkbt)|laffzq|unmzna|a(nbofa|cldpg)|w(gcere|siqnw)|fwfrxb|ntiyki|mbatij|breoto|i(xpmor|pgawj)|zyobek)|p(qvabmm|a(nnuqp|lxgnu)|nsrozu|w(frkuu|cnewl|rvllw|sgghh|ljvsx)|p(irffm|kpjeu)|h(skhyy|aaidz)|kfwywh|gerwlz|j(kopqf|dicdh)|irifho|fjvyia|mecvyb|xqbstt|bslmzc|sfdqgd|yiryay|txwyge)|e(e(qbwjz|vzoao)|b(hkalk|lhpnc)|x(nitrv|zrpgz|upzmz)|snovtj|pdwdoa|zxaxag|k(zvpue|ftjag)|qsccue|y(ejnwr|qwsun)|w(cpvmq|nnhor)|upfgfw|nxycmb|icahom|fwttyd|jdxtsw|hrvzio|ggmtpz|c(wxvpq|sygww)|o(gvxkx|jopmy)|vhkjnk|lalbfy)|a(v(jzdjh|larur)|m(fqsco|kokyd|ibfgw)|w(x(euba|fvle)|orbcd)|a(wtipi|ogkfo)|szvoog|z(lidwi|vfdjz|evpgf|pgutr|brvjl|rlupa)|x(dsuwm|kuzwe)|r(rjlmo|amjxr)|tvbxdh|l(mgjev|fvidz)|pziuiu|hlrceu|g(acjzz|yzzru)|yztsrr|u(ryjmc|ydycn)|kmfidq|q(uvnbu|owcyb))|y(b(orelt|wjxnt|nsnxl)|jjtrwv|uokjyf|i(ysjmz|rdsrk|ipwng)|snxpdj|pk(uhob|jrtp)|qhzoky|wgwxsk|kmebpn|oxbvfu|t(uitgb|vgdhi)|dwklme|g(fgnsc|phbjr)|radbia|cjlqor|m(jeoos|whqvp|yrxka)|a(byurv|pcgni)|fdourt|eyrftf)|k(r(nmhnh|cyapm)|v(mwezt|ggeqs|qrumi)|u(wepxz|jzgvj|nxzcy)|okyonq|q(tfvat|dgwmq|cgiow)|m(qcqgf|fjgqv|eplgr)|ykabvi|p(dkubu|narxj)|ljvdfm|wvhezw|z(puuhy|amykj|yyjac)|xxlpgo|irukmr|a(ovxac|wxqqn|xptmy)|bnvnvx|g(ssnhi|euplz)|c(iaccx|oqaac)|kpahjb)|s(l(awhho|ssfkn)|q(owzhm|vslsu)|s(odtyh|mxjji)|d(vormr|xfhvb|cuigg|ljlbb)|ekyoch|uhxfnh|cyqbuv|r(q(uzaq|agcm)|hhzjj)|zyhgzf|p(jdikv|yszot|olucy)|wyvowx|jzbgxy|kxtyvq|x(igacb|smwao)|apxkdh|tzfkvb|hsskms|fqwixj|o(epchc|jfbsv)|ydkwfx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633150; rev:2;)
# sid 2633151 includes 196 (1201 - 1397) 7 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.net)"; content:"|07|";content:"|03|net|00|";nocase;within: 10;pcre: "/(w(nofsiy|wvyuoj|kaycla|zclxau|cgrvlc)|k(o(mhyky|owxxq)|wipmde|cpmune|vtzgou|przvum|j(koqxj|ugpfu)|dcgwmb)|g(ghhlde|ukjvhv|ljpkwy|q(zwbhh|aoary)|okycmh|mzcldg)|e(isrbhk|b(qnsce|shspr)|uqzgfm|gzylcu|lajqks|myarfl|silrlm|kmnuyf|vzibkt)|m(iojere|obumkj|jlwhjq|xweegr|zvkpsb)|i(zzfmhi|c(lknsd|amzuq|typjo)|phewwe|esccxr|gcsvvj|bvkefh|qhuiih)|f(wnwfqe|dbfatf|t(xghut|onrrv)|e(eyoqy|imjmm)|rupgwc|s(alylk|yvyrd)|zoapmp|uyqrrf|cqivka|ytbeny)|j(d(jpked|xslxr)|rjljcq|u(fqpda|padfm|qxzbq)|gpoang|tzlcch|vwxljv|j(nebby|zmyxc)|xqnwky|wofmfd)|v(yzhsea|jxxmcf|fqxpui|gehoqw|z(cyzny|klnwk)|cjemgy|wnpcqg)|a(e(yxcrd|qyaua)|ggdszx|tapwlw|w(rcegw|lenru)|lgiydv|ffxjne|supuea|hzmtwt|qilacm)|q(hbytkd|oovmtx|xpgkpm|q(quwhw|vzrfx)|cejnyj|ajrgnm|uncmsr|wchotz|znsbuv)|b(aonndj|urzlov|nnkrfq|blasxx|vmodth|pmicht|mwflkg|rprwbu)|l(e(uqnwd|ficll)|ruikvi|wfahvx|ihwxrb|hwrtme|dqudxr|m(wsoyf|jwrgt)|ktnsrz)|u(qjsqrh|ovzgmr|vmsmoi|tfqcju|psjfdh|dlxkex|ezccin|icmrtc|giydet)|y(fknqdt|aevxeg|boreoj|xtedxi|wixgru|nfeiku)|s(ptnbjh|feveyc|rxjzio|kuxulb)|x(wbdoja|guutqh|morhkd)|o(xtitny|zqobnw|pecgmh|bqcrru)|p(jvisit|xpqcas|cezpmk|l(dqlrf|xyuhp)|duteuv|btuitn|tvudsj)|h(ajmijj|fkxwrr|gjsecy|yxofwu|zhbcxy)|n(uawohb|pzsjrl|dllnbt|xjppvj|cctayo)|z(ijkewq|y(oqsox|kgpqr)|vdcybl|mdwqwz|arpczp|cnjpln|lqqhqh|zddkrq)|r(jpyibv|vctlfb|q(ujerm|qmwwg)|buxczj|cfipkm|hqrpyc)|d(h(ygdbp|knkkq)|zmgjbu|grxxfi|lywesh)|t(touzsa|cdncjr|rvzouv|izsviy|qwmpvz|jxwfia|vhuqpd)|c(d(scrvl|vgkim)|e(czftp|xmhri)|iogfin|kzvmtc))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633151; rev:2;)
# sid 2633152 includes 600 (0 - 600) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(h(u(nqbpya|yryedh)|s(iawmtm|jojwlx)|d(iavfwu|uohpet|lkvutl)|ncpnvgs|t(dgzhhz|tvjstv)|b(pdhnss|hozfzf|kvvpzo)|o(qrphlk|xrvlfn)|lsjkpgb|i(ggyyfi|uhcuis)|e(jmohwk|tkqezq)|rdxhgoh|v(ipzlxq|xrmeyi)|hfalkmj|f(dhvbhq|umdiux|ydxcsg)|ylcgzxa)|m(p(bwqncg|zlkpwe)|f(y(jeiqn|xrwkh)|maivwv)|xbutakq|h(qmwrwz|swloty|co(gshh|hnui))|n(uevsma|mdcrpr)|scxssjv|avfnsfy|jomxsgu|tphqurg)|w(t(osljvw|ljcuwc)|w(gbpxtc|krgukd)|hvvfmgk|k(btsutp|rzrmpd)|i(wqshcu|qzzxkp)|e(tnivrv|rrsnee)|c(sezfza|widsgf)|j(jtlkig|oxzdiz)|gbsupke|z(l(bibbc|whfrc)|omttrb)|rjwvdgl|xjfelfo|n(xkxzvc|dvxhvz|ujiqqh)|pomgpxp|bcvmspo|f(mphugn|jfgzcl)|shvqqwj)|l(r(rmirop|ebbebg)|w(wzxdkq|uldrah)|o(tiwmll|zeuelh|wxqziz|ysdjfv)|l(juaywj|zucpqx)|nznoplv|juidcsh|g(zyvuhz|godwpz)|fvpvhnn|q(hebflw|zpfebo)|ulrnrfo|kbyoast|e(zlpygg|glkqcd)|xp(acshl|zmnrf)|vcktjcv|ifdhyvd|haslwkh|yzeysqx|t(sczbcg|xxauye)|aofalry|ccdlrff|bvrhkdy)|t(z(gkntni|byvevw|zjftga)|drwontf|jbgoogb|b(scyysy|zisxhm|ytofps)|oxbbojr|sdpwfdz|e(eepqzb|jegdyf)|g(cgikjn|muuyll)|inftwsu|taazldd|n(atxtfc|gpfnsn|eoixev)|kkkolbq|rzjalce|vwwmpkc|pfjedlc)|r(xaiyurp|s(uxiisn|wbwhxe)|i(mjirrg|qzeaon)|oewuzng|y(hiyofj|iiguee|luvhzl)|twbxqlw|n(jvlxxw|vsguxe)|paxypmx|bxbqaey|ajopojj|ktkswgi|u(anecny|uhvtto)|d(nwujzc|mgslbc|sndznu)|ctndjlt|vciared|rsetwgu|qrxnjzs)|o(lpekqdd|nzhdfxl|ulvvxxn|osdeqgo|knetdeb|c(jrvkcu|loqgxd)|w(ubekur|qlnufs)|rqxdqlt|prdkxma|j(ygkzcj|rskrdo|lnpjqg)|soaabrv|ietdixk|exsfppc)|v(okrmste|pldhuci|f(mcqloy|hsybbn)|brxidmg|x(lvolpd|gxlram|pxsfoi)|c(hggipj|nhzbhr)|tqyodat|i(zwjjwl|cevtoi|lyezli|fiwswx)|u(rrlgwc|mwpvth)|zhwsori|drbvhko|k(uiqirp|ddydkj)|spxicyw|q(wuyprl|pazzpg)|j(bspppd|wzdwvf|kkafsa)|ehtsctf|n(otzzdt|zedzhb)|gblsufe|vqqrydz|rinqnrd|yzfahxs)|i(tqypogx|pgkhhgi|rkyelrn|a(ovwdhp|zsvkot|krpltz)|vnciydg|euwzexu|g(mprynx|s(vpqal|qnlqx)|zlcvki)|n(fzeztx|damduq|wmsefy|psggyi)|yjhoxjj|z(ifhukz|hqrqyw)|dddjnlg|q(qnmprh|zflnar)|fglnubt)|b(qwvxaes|fvmyjzl|keyycei|v(madwax|vumvlc)|dcgcedd|x(fbtaoe|ddpfet)|l(kwjskm|vyngsz)|o(njdqbi|mlmmmu)|hajeryw|mujxugs|zrfnowp|yicxqri|sjtaecl|jrqszkt)|p(a(nlxsvs|gzmuch|fdhvun)|p(vrppxv|rfyoqg)|h(dnvlvh|taotis)|w(kjeuwk|rhavpa)|mumsund|y(bbqgqr|mssfad)|ezwwmjh|idkgasw|szasugv|g(vytinv|wgwaam)|zuujikh|usnotkg|nxkoszn)|e(pwsbtes|a(lnulls|xmlayx)|djxyagu|x(khpeen|eefrho|yfskef)|rmftsbi|z(i(bttiy|gbckg)|shykrd)|jkvzysy|yofbcim|q(lhsblc|ezwtzc)|nsdsoua|gbaeyrr|ltzzass|imcckjs|headqli|crqzhdk|mnkxqvz)|j(s(hhubvb|lbukvv|dsktcv)|j(wzhqdu|ypgbzn)|ysbkzgp|h(tyznqc|uycmfu|wkxfto)|r(mkjcau|gfppzu)|f(nteskg|vopwmy)|o(liwwjm|nonzqx|jkqzqg)|cxgptyr|glfodpm|z(kffegl|sqzpis)|q(arwaum|untxcv)|tkefcyq|dhtfzhn|b(nyfxwl|hrezvw))|g(vnxbqxs|lcosium|tqddiow|eywmwyq|k(suklwa|ntittq)|w(lshxqb|pttkzw)|rxoiwkl|shufdnv|dnctwlr|j(jhppod|mkkxsu)|nwclrmp|yjfzvig|zueadad|xepjotr|hjcauha|ujplqye|colqzqz|fcwizbu)|a(v(yhidar|qppvvg)|boaipzt|x(fvjnvc|xxzdcs)|eievdkd|q(pdbzjj|dwljoz)|l(ohehyx|vfmtyl)|rxoldae|u(jmtjtv|mdwsia)|gbuwmbh|kutkctr|y(chrjrq|dkaudk)|pnmwgtk|cjnmspp|a(adokfn|ojlmra)|wikhfbs)|x(l(bzgqct|otxwlz)|ijszhxf|kxkgccp|neyfpbm|j(t(xfhey|ymoid)|zmtkpl)|tljqkbw|uhagghw|mjnaifd|azdifgj|yvdhjgh|vz(cnizr|zrbhq)|z(eewhbt|dcxhtc|nuhcmx)|c(lnkjyd|oqgrwc)|rqyplkr|wavdvqv)|q(kbbfmuh|uzlfcjt|wfgcrtl|ipvawiq|a(ojuyji|mvzkwi)|q(nyihof|gypbki)|s(ylvvzu|neskrg)|vxghyzh|nywyohh|jqrrafn|ojxzhej|t(akowmf|tytqtl)|bhbxedu|rccnylm|pfqogfd|l(pnraur|tdoysp))|d(o(mhrxuk|svjfde)|bpaepqr|d(auhxsg|lpeats)|x(anigrx|zaadeh)|j(dzokuo|rowudi)|tvdjsuy|sjgufhs|l(fllykz|ywtiqt)|ipbyfjx|neoliac|w(dedqhr|cnxzru)|ccnbfee|fjqkoxe)|k(x(lfzspi|ubuykg|pqbtte|fgjhbj)|y(faauln|zachak)|z(ocodus|xjtfpn)|adgkllw|m(heroju|osedju)|p(crshec|tidztb|qdbtnz|ydrnvs)|u(eosxtp|kbppzu)|jniifil|gkoibnw|wapdtjd|vcrjigh|nhhaefr|oahanny|lzphbep|i(vmrlgm|xkbdae)|swqaulu)|y(o(nigckc|qhpxfz)|x(vujzaj|ieocql|ljexvk|jffnbk)|y(knexev|uztgal)|zjwuetm|tnczgjd|s(jnkjvt|wowczq)|n(zjhrtr|yewrpa)|b(kusmdl|psbdzf)|m(unhhju|qopgwo|iurjcn)|uuesiyq|gcaonde|r(wckmdl|kzhlbl)|livwmib|vcnffqv|a(xnavzl|mydcaa)|pwdmaae|qfyfrwd|dofbgyx)|c(u(diwloo|xxyqjx)|f(y(xphyl|emffb)|kwvepm)|wpryxdp|olqjhwz|tmwyygc|x(vnbhqz|eqzfiu)|mhhrpyz|k(fljgzg|xilduc)|hkwqfgp|q(cnmoul|iqfeov)|bcjozby|jkhweir|nyakkbf|pbbnejd)|s(x(hwqzqh|fechbv)|tiwfykn|v(vfcxak|ynvrvs)|o(xgtyss|kxmagb)|uosysfr|l(ghzxjw|cbseyu)|n(fzhmej|voaxyq)|swrwwof|i(vwoyhq|uoyfyc|ftjqfc)|aivvray|bmowzee|kbzxkon|g(bexqab|cacfte)|q(tmhzkl|pvmcus)|zyfkkqu)|f(b(hamvkj|wnlmtk)|hwfoumb|t(hhntgk|tabede)|eadqmcj|nwtiigz|iggejvg|p(nzurdd|vfbqkx)|s(fpcmac|wobelu)|zcstkaf|awoasfx|oqosyeb|gsofngi|rfywzqo|m(erekew|mhlcnb|zzrqph)|vmpswaz|qbveufj)|u(rmzpfcs|yarokaf|o(tzjjnk|udjlcg|yxyqgm)|fgaumyj|c(rmncfb|pqrzit)|z(uosebt|gqwwes)|ximybdh|wuounkr|hekjqxi|asoncfj|j(xoacyd|yinqmf)|ibbwqmo|pmcooqa)|n(c(vnlhmo|phomty)|lctrcts|r(cgzfpu|d(clylj|nowvj))|n(zerqrc|gqeahv)|oxhklao|yajxlkb|q(lljklx|bczweu)|pddmsss|t(zrvwpz|acdspb|hdspiw)|ddnwpae|unrqtmq|winzhun|ahvxslj|sbisusc)|z(z(ubgfjx|bfmkfh|imgszj|eigkzd)|a(biaekt|tvtwot)|o(zhrlwi|beoosv)|qipkphv|mhqhmdz|gnswovg|lrobyyn|bbfyead|cqtxlgu|dpgsrid|ftmovsh|usdafqj|hgpioxg|ptyqqdq|yryjmqx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633152; rev:2;)
# sid 2633153 includes 1200 (601 - 1200) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(h(u(nqbpya|yryedh)|s(iawmtm|jojwlx)|d(iavfwu|uohpet|lkvutl|cgzxwj)|ncpnvgs|t(dgzhhz|tvjstv)|b(pdhnss|hozfzf|kvvpzo)|o(qrphlk|xrvlfn|kzoslm)|l(sjkpgb|xwdmui|wpgsuq)|i(ggyyfi|uhcuis)|e(jmohwk|tkqezq)|r(dxhgoh|pnwwmh|utvmhq)|v(ipzlxq|xrmeyi|jvdyce)|hfalkmj|f(dhvbhq|umdiux|ydxcsg)|y(lcgzxa|bpijfs)|kdgljpp|jshgnbk|x(rrqzjf|mpneqs)|a(lwmlpn|dxxxmu)|cediwuy|w(ylhjmw|smngnt)|gsjdpnq)|m(p(bwqncg|zlkpwe|fdnmoy)|f(y(jeiqn|xrwkh)|maivwv)|x(butakq|qiofjp)|h(qmwrwz|swloty|co(gshh|hnui)|dgmupo)|n(uevsma|mdcrpr)|s(cxssjv|tigjge)|a(vfnsfy|mdqbee|osjjuw)|j(omxsgu|rmpeov|aodukw|ysxhwn|plfhju)|tphqurg|qtwpshe|oihzpvd|ecwzeko|zujazzg|dxglslq|liyfumi|yzikwma|u(owrkoz|ikodgl)|irqnnwa|woxhecv)|w(t(osljvw|l(jcuwc|uybcz))|w(gbpxtc|krgukd|uuknst)|h(vvfmgk|uljplw|dterzv)|k(btsutp|rzrmpd)|i(wqshcu|qzzxkp)|e(tnivrv|rrsnee|wazvgx)|c(sezfza|widsgf|uwrwmn|lktomu)|j(jtlkig|oxzdiz|dtxcpl)|gbsupke|z(l(bibbc|whfrc)|omttrb)|rjwvdgl|x(jfelfo|lwqwsc)|n(xkxzvc|dvxhvz|ujiqqh|gwnnvb)|p(omgpxp|ksojab)|bcvmspo|f(mphugn|jfgzcl|navedn)|s(hvqqwj|cisdbl)|dafldaw|v(xqhiqv|lfgowf)|a(nvbatt|xzhscq))|l(r(rmirop|ebbebg)|w(wzxdkq|uldrah|ozqegc|bajilj|vjkvgm)|o(tiwmll|zeuelh|wxqziz|ysdjfv|sjzurq|pblzwz|mglubb|lobukw)|l(juaywj|zucpqx)|nznoplv|juidcsh|g(zyvuhz|godwpz|mslyud)|f(vpvhnn|asqjjs)|q(hebflw|zpfebo|pmeacq)|ulrnrfo|k(byoast|rccfyj|sapjro)|e(zlpygg|glkqcd)|xp(acshl|zmnrf)|vcktjcv|i(fdhyvd|jfymyw)|haslwkh|yzeysqx|t(s(czbcg|dfccj)|xxauye|yvqbyd|fbtprf)|aofalry|c(cdlrff|tygrix|wbppxn)|b(vrhkdy|fgtjyx)|dttpgbn|pbfhlro)|t(z(gkntni|byvevw|zjftga)|d(rwontf|xsumrn)|jbgoogb|b(scyysy|zisxhm|ytofps)|o(xbbojr|lkimwi|qzmlfy|bgvjtg|mgexjf)|sdpwfdz|e(eepqzb|jegdyf|zcldvg)|g(cgikjn|muuyll)|i(n(ftwsu|xvaqx)|qajxpe)|t(aazldd|rywrpo)|n(atxtfc|gpfnsn|eoixev)|kkkolbq|rzjalce|v(wwmpkc|c(vfdmp|onaku)|ofalpf)|p(fjedlc|g(vkryx|upmrs))|yjatrwh|aeahqgh|wrkhzqj|mnnelsz|f(zulmlx|yzcgua))|r(x(aiyurp|iqwaiz|thzloy|pmvvkt)|s(uxiisn|wbwhxe)|i(mjirrg|qzeaon)|oewuzng|y(hiyofj|iiguee|luvhzl|ouwvzs)|twbxqlw|n(jvlxxw|vsguxe|ynyuzg|noreoa)|p(axypmx|ffzvqb)|b(xbqaey|rckyxe)|a(jopojj|ucqhem)|k(t(kswgi|gbmry)|bczbbv|rfexzg|wottzs)|u(anecny|uhvtto|vgwxnt)|d(nwujzc|mgslbc|sndznu|jefcpq)|ctndjlt|v(ciared|sytrfy)|r(s(etwgu|rxtwp)|bligli|xjxmpi)|q(rxnjzs|fmdpoj|cfkurc)|w(iyqzly|sxgnzg)|g(eicmob|rpshxm)|h(pftaas|xdqezw)|mfpahnp)|o(l(pekqdd|kbszqb)|n(zhdfxl|mxiilv|juotrn)|ulvvxxn|o(sdeqgo|k(sgpco|ovwml)|rzetju)|knetdeb|c(jrvkcu|loqgxd|oktche)|w(ubekur|qlnufs|narlfw)|r(qxdqlt|g(efxeg|xeqwx))|prdkxma|j(ygkzcj|rskrdo|lnpjqg)|s(oaabrv|klmpfa)|i(etdixk|zbjtog)|e(xsfppc|tdqvpf|nwtwpc)|h(yfhamv|mxuwoe)|z(sijmxz|kahont)|m(dnzmih|iewxjo)|xotprvq|dnqedcg|q(oermix|tcncdn)|gviting)|v(o(krmste|sanctc|dnyycs)|pldhuci|f(mcqloy|hsybbn|cslccd)|brxidmg|x(lvolpd|gxlram|pxsfoi|ngjlsy)|c(h(ggipj|mcbuc)|nhzbhr|avwmbq)|t(qyodat|crudrh)|i(zwjjwl|cevtoi|lyezli|fiwswx)|u(rrlgwc|mwpvth)|z(h(wsori|uzbmr)|acmqio)|drbvhko|k(uiqirp|ddydkj)|s(pxicyw|zdkanx)|q(wuyprl|pazzpg)|j(bspppd|wzdwvf|kkafsa|ihzish)|ehtsctf|n(otzzdt|zedzhb)|gblsufe|vqqrydz|r(inqnrd|znjtvu)|yzfahxs|mdqwdle|hchfhlh|wufiayz)|i(tqypogx|pgkhhgi|r(kyelrn|mbyciw|sagsgb|oopjbg)|a(ovwdhp|zsvkot|krpltz|drrbbw)|v(nciydg|kudirs)|e(uwzexu|ovzhbk|vzkwlm)|g(mprynx|s(vpqal|qnlqx)|zlcvki|ieutnc)|n(fzeztx|damduq|wmsefy|psggyi|tecarz|ciecwk)|yjhoxjj|z(ifhukz|hqrqyw)|d(ddjnlg|pqyovu)|q(qnmprh|zflnar|phzoqu)|f(glnubt|lakwux|tmkmfh)|omolmeu|cuwgyae|h(vwgpvz|kvpfjr)|lj(aziyx|inqdd)|wfdncsc|m(raotfe|grwpep|brtmpx)|ioqyztv)|b(q(wvxaes|olnxhu|gugjdt|xinpmr)|fvmyjzl|k(eyycei|ndkxbe|rxhuhk)|v(madwax|vumvlc)|d(cgcedd|lzzvtp)|x(fbtaoe|ddpfet|cqmczr)|l(kwjskm|vyngsz)|o(njdqbi|mlmmmu|oshasy)|hajeryw|m(ujxugs|nhkrmc)|zrfnowp|y(icxqri|wesobw|qbatwl)|s(jtaecl|vdccdj)|j(rqszkt|gijllf)|gv(lmcge|tkbnx)|unqeqii|wbwyxsh|rnokewh|tliyqoh|ncmxtqp|aslenam)|p(a(nlxsvs|gzmuch|fdhvun)|p(vrppxv|rfyoqg)|h(dnvlvh|taotis|uzquro)|w(kjeuwk|rhavpa|xtkuyd)|m(umsund|r(iiidb|aalix)|kargsy)|y(b(bqgqr|dpnzm)|mssfad)|e(zwwmjh|lwhblw)|i(dkgasw|haoznp)|s(zasugv|wpmuvl|acalru)|g(vytinv|wgwaam|mlegga)|z(uujikh|cakalx|nkervt|tikhae|rahkhl)|u(snotkg|vusxjm)|nxkoszn|lexmvvd|tuhyvxr|q(agyqll|euujay)|juyepqu|vfcmtyv|b(hxkrrt|easihq)|o(anzsug|fqztpn)|fubkkrd)|e(p(wsbtes|dllnuk)|a(lnulls|xmlayx|uuqsyn)|djxyagu|x(khpeen|eefrho|yfskef)|rmftsbi|z(i(bttiy|gbckg)|shykrd)|j(kvzysy|f(qlaoh|pbzqz)|ytrsha)|y(ofbcim|gyeibe|nlvcgb)|q(lhsblc|ezwtzc|k(iolyd|edoup))|n(sdsoua|hitdnw)|g(baeyrr|rlrqtb|namzgl)|l(tzzass|djccca|hrbykm)|imcckjs|h(eadqli|moaink|swxpqe)|c(rqzhdk|uazogh)|mnkxqvz|tivjmpa|usaersx|k(vssfek|jnvxtf)|o(f(smuef|esbdj)|xbhefy|whdmio)|v(tacxxr|fqkxec)|fzuepzr|bfrflwm)|j(s(h(hubvb|ldbyk)|lbukvv|dsktcv|udsdqs|zbcsnw)|j(wzhqdu|ypgbzn)|ysbkzgp|h(tyznqc|uycmfu|wkxfto)|r(mkjcau|gfppzu|hpjwhm|euckhh|rqgozs)|f(nteskg|vopwmy|wadtdd)|o(liwwjm|nonzqx|jkqzqg|dckdxl)|c(xgptyr|zmthbe)|g(lfodpm|cmthmd|etzcxp)|z(kffegl|sqzpis|hquzlh)|q(arwaum|untxcv|fzesmg)|tkefcyq|d(htfzhn|vaugcs)|b(nyfxwl|hrezvw)|aeeaeqn|i(v(jilko|rtkfb|bzakn)|anvhcy|lzweug|uwedpn)|m(puwtjv|fjvmgk)|k(cobqvw|jeeifr)|n(k(privs|ojcfz)|fwdbkw)|x(cygkgn|iuqibc)|p(uaibbd|inkcsp)|v(tupoeg|zszwmt))|g(v(nxbqxs|bdriqe)|l(cosium|mnxyaa)|tqddiow|e(ywmwyq|kshxvw)|k(suklwa|ntittq|loeclu|irmmqe)|w(lshxqb|pttkzw|irblzg|byjocp)|rxoiwkl|shufdnv|dnctwlr|j(jhppod|mkkxsu|vrryck)|nwclrmp|y(jfzvig|dqbhki|zuqiqo)|z(ueadad|pbxtgb)|xepjotr|hjcauha|u(jplqye|nptmjt)|c(olqzqz|ztjfzw|bmdtjv|hhezpq|qtemxc|unzsuv)|fcwizbu|g(eagtaf|dmfeca)|mpeuntl|a(xwjqsv|ptntdv)|qproxnf)|a(v(yhidar|qppvvg|sfvhxe|cyqelj)|boaipzt|x(fvjnvc|xxzdcs|olurca)|e(ievdkd|ejhijq)|q(pdbzjj|dwljoz|tuvlpm)|l(ohehyx|vfmtyl)|r(xoldae|lvgalh)|u(j(mtjtv|ptcfb)|mdwsia|xisjua)|g(buwmbh|xteaqx)|kutkctr|y(chrjrq|dkaudk)|p(nmwgtk|qceaar)|cjnmspp|a(adokfn|ojlmra)|w(ikhfbs|frudpz)|opfsnth|j(ggckho|jjjbpv|lfiwam|oiuuza)|f(tjkdup|sgjzmj)|znyiqzh|dawsglt|hgbgypu|mjfzcsi|itheknn|slpqmvv)|x(l(bzgqct|otxwlz)|i(jszhxf|kgdupb|rihivv)|k(xkgccp|pvfief|hdzaxl)|neyfpbm|j(t(xfhey|ymoid)|zmtkpl|uyskkp)|t(ljqkbw|gaynbo|xvxjzr)|u(hagghw|aeibqs)|mjnaifd|a(zdifgj|hbxnfd|bmbeby)|yvdhjgh|v(z(cnizr|zrbhq)|cqjmuf)|z(eewhbt|dcxhtc|nuhcmx|txocoh)|c(lnkjyd|oqgrwc)|rqyplkr|w(a(vdvqv|etmja)|bcvrgw)|gfhymqw|sqropfu|d(hmwdao|qrujhz)|fgsoxnb|pwhwmze)|q(k(bbfmuh|gpaqlm)|uzlfcjt|wfgcrtl|i(pvawiq|gnmvwd|qfgamh)|a(ojuyji|mvzkwi)|q(nyihof|g(ypbki|hvdtw)|xxwmvc|scfmjb|aimebe)|s(ylvvzu|neskrg)|v(xghyzh|lxljwo)|n(ywyohh|z(utynw|newvy))|j(qrrafn|uyqtwu|llavtb)|o(j(xzhej|ilvqq)|ugevjc)|t(akowmf|tytqtl)|b(hbxedu|lrdybt|elbnyl)|rccnylm|p(fqogfd|vtpfvt)|l(pnraur|tdoysp)|f(yfgiob|mryjwv)|yqyotcl|g(ufkpuu|wegbtx)|x(uswrbu|o(nqsqm|xrhkq))|maxwhnt|hveonxz)|d(o(mhrxuk|svjfde|auifzx|rxyhcy)|bpaepqr|d(auhxsg|l(peats|hbkrs)|dztcip|hmliwj)|x(anigrx|zaadeh)|j(dzokuo|rowudi|nxhfvd)|tvdjsuy|s(jgufhs|veywic|flilie)|l(fllykz|ywtiqt|etwnau)|ipbyfjx|n(eoliac|hkriun|sjhwvn|pilydj)|w(dedqhr|cnxzru|ldemvk)|c(cnbfee|txcmwe)|f(jqkoxe|prtjwi)|g(ztpfmr|vlfkoh)|kxvwteb|uegeghk|r(rxlgue|wudhzi)|hujiyrn|ze(ihwux|exicf)|yksspwd)|k(x(lfzspi|ubuykg|pqbtte|fgjhbj)|y(faauln|zachak)|z(ocodus|x(jtfpn|lwxxd)|npfaks)|a(dgkllw|jnapsi)|m(heroju|osedju|tkpfrw)|p(crshec|tidztb|qdbtnz|ydrnvs)|u(eosxtp|kbppzu)|j(n(iifil|nbsgv)|pvmzdn)|g(koibnw|scpcyb)|wapdtjd|v(crjigh|dilbve|kdivws)|nhhaefr|o(ahanny|vdqfio|mxltoi|dxathd)|l(zphbep|jdmivs)|i(vmrlgm|xkbdae)|s(wqaulu|subqwi)|e(jplhuf|ptjijb)|r(acbnsp|bhmqtg)|ciaihgr|b(fdslxd|vngjgj)|dy(wjcvf|scxdx)|hffgnae)|y(o(nigckc|qhpxfz|xgpobh)|x(vujzaj|ieocql|ljexvk|jffnbk|nhzavx)|y(knexev|uztgal)|zjwuetm|t(nczgjd|hzisbn)|s(jnkjvt|wowczq|uozijj)|n(zjhrtr|yewrpa)|b(kusmdl|psbdzf|jtdvji|sotpft)|m(unhhju|qopgwo|iurjcn|t(vjedm|zvffs)|prsdln)|u(uesiyq|knrvqd|gbdznh)|gcaonde|r(wckmdl|kzhlbl|natldy)|l(ivwmib|pdgxxe)|vcnffqv|a(xnavzl|mydcaa)|p(wdmaae|pbzgwu)|q(fyfrwd|kncina)|dofbgyx|jlqmojd|hzjtvos|c(amjzsy|pzcarc))|c(u(diwloo|xxyqjx)|f(y(xphyl|emffb)|kwvepm)|w(pryxdp|hzmhwr|luqoid)|o(lqjhwz|paatwm|qbeycv)|t(mwyygc|qagupb|pckneb)|x(vnbhqz|eqzfiu|mffjvm)|m(hhrpyz|mavztp)|k(fljgzg|xilduc|ryfhmk)|h(kwqfgp|wsyxif)|q(cnmoul|iqfeov)|bcjozby|jkhweir|nyakkbf|p(bbnejd|kekzqz)|duazygk|yrmargt|c(eunqfk|rmzyal|ainjnt)|vpsbgdl|iopsesh|s(kwhuxa|qdzrjz|ufalgk)|aunuqep)|s(x(hwqzqh|fechbv)|t(iwfykn|sydsfc)|v(vfcxak|ynvrvs)|o(xgtyss|kxmagb|bfsjsx|wxfvwr)|u(o(sysfr|btimr)|gfqpaj|rsupxg|yklebw)|l(ghzxjw|cbseyu|dkmabn|exopdp)|n(fzhmej|voaxyq)|swrwwof|i(vwoyhq|uoyfyc|ftjqfc|bbmapr)|a(ivvray|vbdnim)|b(mowzee|vmcmqc)|kb(zxkon|rqznc)|g(bexqab|cacfte|jmfatm)|q(tmhzkl|pvmcus|bqwhii)|z(yfkkqu|qahmwh)|hyhbnkn|mmdcbfy|etebisf|d(kxdsuj|opphgs)|rudcwah|fuxpoff)|f(b(hamvkj|wnlmtk)|hwfoumb|t(hhntgk|tabede|qpztyr)|eadqmcj|nwtiigz|i(g(gejvg|ykuou)|pombcc)|p(nzurdd|vfbqkx|rywrrx)|s(fpcmac|wobelu|aaumrf|smqezs|ihbvzs)|z(cstkaf|fftkeu)|a(woasfx|xxucer)|oq(osyeb|ngvea)|gsofngi|r(fywzqo|jtctvq)|m(erekew|mhlcnb|zzrqph|kluvqk)|v(mpswaz|ducacq)|qb(veufj|ntlyy)|k(wjacib|skyuwk)|duixtao|u(jwnjem|daxpyz)|laglbob|c(m(satik|uuits)|nmpmxl)|jzjdjkh|fqabapf|xvgrkaw)|u(r(mzpfcs|wvsgzs)|y(arokaf|rbdolx|crqhfw)|o(tzjjnk|udjlcg|yxyqgm)|f(gaumyj|xncprr|wuomde)|c(rmncfb|pqrzit)|z(uosebt|gqwwes|njanps)|ximybdh|w(uounkr|yowzho)|hekjqxi|asoncfj|j(xoacyd|yinqmf)|ibbwqmo|pmcooqa|kpaprjb|q(oyilxy|ygxayu)|ggkfzqj|vsgkopk|murjpmb|dzglqnw|naazgmj|uvxlwta)|n(c(vnlhmo|phomty|ksiphc)|l(c(trcts|fjqhw)|doqnzd)|r(cgzfpu|d(clylj|nowvj))|n(z(erqrc|dodnw)|gqeahv|wshcqo|krzewi)|oxhklao|yajxlkb|q(lljklx|bczweu)|pddmsss|t(zrvwpz|acdspb|hdspiw|ozdzik)|ddnwpae|u(nrqtmq|gpzqjb|unxjee|ryaujl|buiggd)|winzhun|a(hvxslj|xxuarg)|s(bisusc|rozikc|ykixvj|nbptdp)|khmbkot|gprmgmf|mnkcorh|e(ukdqxy|moikql)|jjlkxnu|v(qbwjai|bmjxlt))|z(z(ubgfjx|bfmkfh|imgszj|e(igkzd|kocpp))|a(biaekt|tvtwot|plicub|vssrrk)|o(zhrlwi|beoosv|ffotqy)|q(ipkphv|vqalhm)|m(hqhmdz|dpamhg)|gnswovg|l(robyyn|nszpbh)|b(bfyead|fsfnxr)|c(qtxlgu|iwyvdh)|dpgsrid|f(tmovsh|covaqg)|u(sdafqj|phwmmm|xoeruz|yjgqwb|vpuhku)|hgpioxg|p(tyqqdq|dokdoh|oxrgzg)|yryjmqx|x(ocpuro|qqgwac)|r(rdiaqp|dnhvuv)|ktectbx|wozjevv|tspzmhh|j(xxeuhq|fasmjy)|nolanvy))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633153; rev:2;)
# sid 2633154 includes 1638 (1201 - 1800) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(a(u(j(mtjtv|ptcfb)|mdwsia|xisjua)|g(buwmbh|xteaqx)|k(utkctr|vriqhf)|x(x(xzdcs|pfjph)|olurca|cwkrdr)|y(chrjrq|dkaudk)|p(nmwgtk|qceaar|hgnrlk|aanuqe)|cj(nmspp|ovodi)|a(adokfn|ojlmra)|q(dwljoz|tuvlpm|hgpzio|uhbhvr)|v(qppvvg|sfvhxe|cyqelj|ipvqdd|kupwez)|w(ikhfbs|frudpz|ocooja|geeeuw)|o(pfsnth|adejzx|qiehgs)|j(ggckho|jjjbpv|lfiwam|oiuuza)|f(tjkdup|sgjzmj|ohwhhd)|znyiqzh|d(awsglt|qeczdq)|h(gbgypu|lxicrj)|m(jfzcsi|xbsyzg|kouivd)|i(theknn|czeewl|ojcnip|lzywmw)|rlvgalh|eejhijq|s(lpqmvv|gtynbr)|b(osqigu|nreugp|ujybcf)|nsjlufs)|w(z(l(bibbc|whfrc)|omttrb|hqmhhf|zslteh)|r(j(wvdgl|vnnkj)|pnrkig)|e(rrsnee|wazvgx|ktjsue)|w(krgukd|uuknst)|x(jfelfo|lwqwsc|hcfwwq)|n(xkxzvc|dvxhvz|ujiqqh|gwnnvb|hfurxd)|p(omgpxp|ksojab)|bcvmspo|f(m(phugn|iictn)|jfgzcl|navedn)|j(oxzdiz|dtxcpl|qjlbbq)|i(qzzxkp|kkhozg)|s(hvqqwj|cisdbl|lbfoqe|ttytlf|yxqbev)|c(uwrwmn|lktomu|cezfua|ejbrfi|iadkoq)|d(afldaw|tvclrs|bgtuwp)|h(uljplw|dterzv|crscii)|v(xqhiqv|lfgowf|uryunn)|tluybcz|a(nvbatt|xzhscq|mxqvmd)|m(qbzlnb|zrgxwp)|kjvqjqz|qgpxpgs|uoydlkq)|d(x(anigrx|zaadeh)|j(dzokuo|rowudi|nxhfvd|fghcjc|eerhbp)|t(vdjsuy|ypcent|zdsbzl)|s(jgufhs|veywic|flilie)|l(fllykz|ywtiqt|etwnau|ulittw)|ipbyfjx|n(eoliac|hkriun|sjhwvn|pilydj|cdzagm)|d(l(peats|hbkrs)|dztcip|hmliwj|cmimms)|o(svjfde|auifzx|rxyhcy|kotuii)|w(dedqhr|cnxzru|ldemvk|oveijd)|c(cnbfee|txcmwe|syyehh|klzqwe)|f(jqkoxe|prtjwi|gzihqt)|g(ztpfmr|vlfkoh|tuuyve)|k(xvwteb|rcowos|adhtzj)|u(e(geghk|lxcro)|yxmshs)|r(rxlgue|wudhzi|yvmnpj)|hujiyrn|ze(ihwux|exicf)|yksspwd|p(oqrusd|jkxnht|xboqkb|ioqdlv)|e(dodxnl|cpcodo|gvuhnt)|bjobjhe|quhvcaf|vhpxhlt|mlhjdkg)|i(g(m(prynx|ysska)|s(vpqal|qnlqx)|zlcvki|ieutnc)|n(fzeztx|damduq|wmsefy|psggyi|tecarz|ciecwk)|yjhoxjj|a(zsvkot|krpltz|drrbbw)|z(ifhukz|hqrqyw)|d(ddjnlg|pqyovu)|q(qnmprh|zflnar|phzoqu|nbjtwq)|f(glnubt|lakwux|tmkmfh)|o(molmeu|acgbdo|zexoty)|cuwgyae|h(vwgpvz|kvpfjr)|l(j(aziyx|inqdd)|hvpdma)|wfdncsc|e(ovzhbk|vzkwlm|lirxgq)|r(mbyciw|sagsgb|oopjbg)|vkudirs|m(raotfe|grwpep|brtmpx|skjhdk|fopvwy)|i(oqyztv|gnbhzr|queusn)|t(bxmkwg|qlguxt|ripdvx)|u(aztmft|sipghe)|jmztaif|bnznbjr|swbbipr)|h(d(lkvutl|cgzxwj)|o(qrphlk|xrvlfn|kzoslm)|l(sjkpgb|x(wdmui|rrtzc)|wpgsuq|hnskid|eibafm|klontb)|ttvjstv|i(ggyyfi|uhcuis)|e(jmohwk|tkqezq)|b(hozfzf|kvvpzo)|r(dxhgoh|pnwwmh|utvmhq)|s(jojwlx|fdkobm)|v(ipzlxq|xrmeyi|jvdyce|fyizio)|hfalkmj|f(dhvbhq|umdiux|ydxcsg)|y(lcgzxa|bpijfs)|k(dgljpp|yargvk)|jshgnbk|x(rrqzjf|mpneqs|d(tfseu|lxstz)|zlpqcz)|a(lwmlpn|dxxxmu|pmjdab|imbmnw)|c(ediwuy|rniekt|vkycts)|w(ylhjmw|smngnt|oosmwd)|gsjdpnq|nq(ovsbp|rqnhj)|z(lquujd|ulyaxo)|musbvdd)|k(z(x(jtfpn|lwxxd)|npfaks|ccgbcb)|w(apdtjd|rpfbsj)|v(crjigh|dilbve|kdivws|aanyug)|n(h(haefr|qunpg)|avxbdq)|m(osedju|tkpfrw|diztwv)|x(ubuykg|pqbtte|fgjhbj|nlmfdl)|p(tidztb|qdbtnz|ydrnvs|geiqav|rejxre)|y(zachak|xnhgoo)|o(ahanny|vdqfio|mxltoi|dxathd|cpvlcl)|l(zphbep|jdmivs|kqwmat|theqym)|ukbppzu|i(vmrlgm|xkbdae|fhhhxe)|s(wqaulu|subqwi|yhtylx|anazpw|xxllei)|e(jplhuf|ptjijb)|j(nnbsgv|pvmzdn|aiiokb)|r(acbnsp|bhmqtg)|ciaihgr|b(fdslxd|vngjgj|tuinxk)|a(jnapsi|ovkimt|urothl)|d(y(wjcvf|scxdx)|fauqwe)|g(scpcyb|gwcnob)|h(ffgnae|verjuf)|qdhpyda)|y(n(zjhrtr|yewrpa|lmftpt)|y(uztgal|xnfgbp|mvqria)|b(kusmdl|psbdzf|jtdvji|sotpft|tuwldi)|m(unhhju|qopgwo|iurjcn|t(vjedm|zvffs)|prsdln|vjkrrg)|x(ieocql|ljexvk|j(ffnbk|zsznx)|nhzavx|bzavjk)|u(uesiyq|knrvqd|gbdznh)|g(caonde|hynnwh)|r(wckmdl|kzhlbl|natldy|xeuukk)|l(ivwmib|pdgxxe)|s(w(owczq|htqep)|uozijj)|vcnffqv|a(xnavzl|mydcaa)|p(wdmaae|pbzgwu|hmjwkg)|q(fyfrwd|kncina|uqitso)|dofbgyx|o(qhpxfz|xgpobh)|j(lqmojd|igpbrk)|hzjtvos|c(amjzsy|pzcarc)|thzisbn|f(imnitq|zfjyvr|kvatlq)|zfphesd|kyhcelr|ifmfzmd|wgfttqa)|p(p(rfyoqg|qclkbk)|y(b(bqgqr|dpnzm|aqynn)|mssfad)|e(zwwmjh|lwhblw|fqfuiz)|i(dkgasw|haoznp)|h(taotis|uzquro|qrdfbj)|w(rhavpa|xtkuyd|ypzryr)|s(zasugv|wpmuvl|acalru)|g(vytinv|wgwaam|mlegga|tdrspi)|a(fdhvun|oeyoyj|bbmtzw|svrdou)|z(uujikh|cakalx|n(kervt|imxsz)|tikhae|rahkhl|saarjm)|u(snotkg|vusxjm|i(ukmmb|babki)|hmsjrg)|n(xkoszn|vekrsi|gnzdzb|otdoln)|l(exmvvd|ueddox)|m(r(iiidb|aalix)|kargsy)|t(uhyvxr|aikppr)|q(a(gyqll|roidl)|euujay)|j(uyepqu|jjamzy)|v(fcmtyv|ztawtv)|b(hxkrrt|e(asihq|hrrne)|uewtdb)|o(anzsug|fqztpn|dqiqmo)|f(ubkkrd|wturoi)|x(ftqeiu|aoyvvd)|c(bxsdjs|veomwt|fvzmnn)|k(ajarsg|edutyz)|d(wdqfzq|zverxx|xskauv|vjlwbe)|rccsirl)|x(lotxwlz|j(t(xfhey|ymoid)|zmtkpl|uyskkp)|t(ljqkbw|gaynbo|xvxjzr|vyomay)|u(hagghw|aeibqs)|m(jnaifd|gstrtk|wmrzdg)|a(zdifgj|hbxnfd|bmbeby)|y(v(dhjgh|ynguq)|bipdao|adhwwh)|v(z(cnizr|zrbhq)|cqjmuf)|z(e(ewhbt|izppp)|dcxhtc|nuhcmx|txocoh)|c(lnkjyd|oqgrwc)|rqyplkr|w(a(vdvqv|etmja)|bcvrgw)|k(pvfief|hdzaxl|ibnbyx|vbmzre)|g(f(hymqw|rdqez)|dtekmy)|sqropfu|i(kgdupb|rihivv)|d(hmwdao|qrujhz|ehjqhj|cxwqcz|azjkxg|yfumhv|nzjzuy)|f(gsoxnb|xgvaot)|p(whwmze|xmhezg)|q(scazit|bsbspc)|oyyoyga|hpjlyqj)|j(h(tyznqc|uycmfu|wkxfto|savhil|zislhh)|r(mkjcau|gfppzu|hpjwhm|euckhh|rqgozs)|f(nteskg|vopwmy|wadtdd|ujyadk)|o(liwwjm|nonzqx|jkqzqg|dckdxl|taipev)|c(xgptyr|zmthbe|hizxkp)|g(lfodpm|cmthmd|etzcxp|wrdhgc)|z(kffegl|sqzpis|hquzlh|bouvuv)|q(arwaum|untxcv|fzesmg)|j(ypgbzn|uyqkwu|cyjayd)|s(lbukvv|dsktcv|udsdqs|zbcsnw|hldbyk)|t(kefcyq|gxbsjb|yztjln)|d(htfzhn|vaugcs)|b(nyfxwl|h(rezvw|ksvmb)|yscmkg|drwrst)|a(eeaeqn|aeevyt|smftff|lluutg)|i(v(jilko|rtkfb|bzakn)|anvhcy|lzweug|uwedpn)|m(puwtjv|fjvmgk|uikjyq|zbsfdi)|k(cobqvw|jeeifr|gvogaz|vllxfd)|n(k(privs|ojcfz)|fwdbkw)|x(cygkgn|iuqibc|gvwdyo)|p(uaibbd|inkcsp|anhngc)|v(tupoeg|zszwmt|fkjvou)|utfjriv|e(jpwuqw|irnmkz)|wjtjisk|ymtwlar|lhunses)|q(s(ylvvzu|neskrg)|v(xghyzh|lxljwo|jmzona)|q(g(ypbki|hvdtw)|xxwmvc|scfmjb|aimebe)|n(ywyohh|z(utynw|newvy)|umdbgm)|a(mvzkwi|ionijl)|j(qrrafn|uyqtwu|llavtb)|o(j(xzhej|ilvqq)|ugevjc|rtwaop)|t(akowmf|tytqtl|qkzrdq)|b(hbxedu|lrdybt|elbnyl|kktawr|ytwkek|wiqaea)|r(ccnylm|jqocac|pinlyw)|p(fqogfd|vtpfvt)|l(pnraur|tdoysp|xculfg|cvlgrk|yomjmo)|f(yfgiob|mryjwv)|yqyotcl|g(ufkpuu|wegbtx)|x(uswrbu|o(nqsqm|xrhkq)|coxsya)|maxwhnt|i(gnmvwd|qfgamh)|k(gpaqlm|jeidwt)|h(veonxz|ejpyps)|z(asnxkm|sndtma)|darklos|eymylef)|e(x(khpeen|eefrho|yfskef|ujfedp|qnlece|ldmkll)|rmftsbi|z(i(bttiy|gbckg)|shykrd)|j(kvzysy|f(qlaoh|pbzqz)|ytrsha|caigpb|rpafnv)|y(ofbcim|gyeibe|nlvcgb)|q(l(hsblc|kknbi)|ezwtzc|k(iolyd|edoup)|icpkgi)|n(sdsoua|hitdnw)|g(baeyrr|rlrqtb|namzgl)|l(tzzass|djccca|hrbykm|rqhnjf|beutnj|aqyulg)|i(mcckjs|rrhwvt|vshxfc)|h(eadqli|moaink|swxpqe|raflds)|a(xmlayx|uuqsyn)|c(rqzhdk|uazogh|jzqlci)|m(nkxqvz|yxxvoa)|tivjmpa|u(saersx|towoln|jwqsdm)|k(vssfek|jnvxtf)|o(f(smuef|esbdj)|xbhefy|whdmio)|pdllnuk|v(tacxxr|fqkxec)|f(zuepzr|kconnl|ldelcn)|b(frflwm|apirvi)|d(emycgo|qzcmgf|pdwawu|wrrcrn)|exoojme)|f(s(fpcmac|wobelu|aaumrf|smqezs|ihbvzs|pwpgxz)|z(cstkaf|fftkeu|dcanne)|a(woasfx|xxucer|olyzph|gmdmrz)|oq(osyeb|ngvea)|gsofngi|r(fywzqo|jtctvq|eanpjb)|t(tabede|qpztyr)|b(wnlmtk|mqgdnt)|m(erekew|mhlcnb|zzrqph|kluvqk|aatygp|jmpppo)|v(mpswaz|ducacq)|p(vfbqkx|rywrrx)|q(b(veufj|ntlyy)|cvufak)|k(wjacib|skyuwk)|d(uixtao|gshzre|cthiiu)|i(pombcc|gykuou|yoktwu)|u(jwnjem|daxpyz|tsawjx)|l(aglbob|qrlgqm|yewxvj)|c(m(satik|uuits)|nmpmxl|hgooqi)|jzjdjkh|f(qabapf|yozqpe)|x(vgrkaw|njjuth|ozkkfx)|hdoowdk|nfrcgnu|ecasaqj|ynlzlhl|wchrujt)|l(g(zyvuhz|godwpz|mslyud)|f(vpvhnn|asqjjs)|q(hebflw|zpfebo|pmeacq|amsjdw)|ulrnrfo|k(byoast|rccfyj|sapjro)|e(zlpygg|g(lkqcd|phtsd))|o(zeuelh|wxqziz|ysdjfv|sjzurq|pblzwz|mglubb|lobukw)|xp(acshl|zmnrf)|v(cktjcv|fnergv)|i(fdhyvd|jfymyw)|haslwkh|rebbebg|y(zeysqx|cwbnyv|nmqsfa|afsxuo)|t(s(czbcg|dfccj)|xxauye|yvqbyd|fbtprf|mpkmdo)|a(ofalry|pzobto)|c(cdlrff|tygrix|wbppxn|gjbget)|b(vrhkdy|fgtjyx|sdttye|cdyiaf)|w(uldrah|ozqegc|bajilj|vjkvgm)|d(ttpgbn|pxwklq)|p(bfhlro|c(tgafw|jlpaa))|lbqhwaa|jrugjak|nuczlsc)|n(oxhklao|yajxlkb|q(lljklx|bczweu|gcwvyn)|pddmsss|t(zrvwpz|acdspb|hdspiw|ozdzik|yqtuif)|d(dnwpae|pxouvh|qfkdst)|n(gqeahv|wshcqo|zdodnw|krzewi|mkuzok|nhikjp)|u(nrqtmq|gpzqjb|unxjee|ryaujl|buiggd|wlvivr|msihaf)|r(d(clylj|nowvj)|ymqjhc|pavycy)|w(inzhun|metnxe|gnlsbc)|a(hvxslj|xxuarg)|s(bisusc|rozikc|ykixvj|nbptdp|olvoda)|cksiphc|k(hmbkot|wzirjd)|g(prmgmf|simprp)|mn(kcorh|uawpb)|l(cfjqhw|doqnzd|seqjbs)|e(ukdqxy|moikql|sxlvqz)|j(jlkxnu|yyedlp)|v(qbwjai|bmjxlt)|fvnkjfo|x(uutvst|mddaid)|bdannlx)|u(c(rmncfb|pqrzit|qrsken)|z(uosebt|gqwwes|njanps)|x(imybdh|tcptfj)|w(uounkr|yowzho|axtbnz)|oyxyqgm|hekjqxi|asoncfj|j(xoacyd|y(inqmf|qlcon))|i(bbwqmo|vuktaw)|p(mcooqa|yofryo)|f(xncprr|wuomde|gcoqrd)|kpaprjb|q(oyilxy|ygxayu)|rwvsgzs|g(gkfzqj|stpwbo)|y(rbdolx|crqhfw|jguldx)|vsgkopk|m(urjpmb|wjdmdy|jgkjar)|dzglqnw|naazgmj|u(vxlwta|kooeub|ldwmvm)|l(ppcisn|vlpxdw|zwyyqb)|t(lttynl|ajwtsr)|sfsqzhy)|v(d(rbvhko|tqdxpa)|i(cevtoi|lyezli|fiwswx)|x(gxlram|pxsfoi|ngjlsy)|k(uiqirp|ddydkj|rneuwd)|s(pxicyw|zdkanx|mbaoar|xhearf)|q(wuyprl|pazzpg|ohwpzo)|j(bspppd|wzdwvf|kkafsa|ihzish|tvwghv)|e(htsctf|zyyzme)|n(otzzdt|zedzhb|mddors)|g(blsufe|otzozg|jseljc)|vqqrydz|umwpvth|r(inqnrd|znjtvu|gqwhey|dfaqcm)|yz(fahxs|jbwft)|m(dqwdle|pvteqy)|c(hmcbuc|avwmbq|dbtdoi)|h(chfhlh|dcnbfr|wntpkk)|z(acmqio|huzbmr|qyontv)|o(sanctc|dnyycs)|w(ufiayz|iglhkq|ovoknr)|f(cslccd|giiyjg)|t(crudrh|uaadhk|gvfary)|p(rspdic|ybtivr)|l(ukfcsc|k(kvxun|cwmka)|njjdij|jeiknz)|bpeqzpt)|o(k(netdeb|fwfmeb|d(teecu|iarho))|c(jrvkcu|loqgxd|oktche)|w(ubekur|qlnufs|narlfw)|r(qxdqlt|g(efxeg|xeqwx)|ialemn)|p(rdkxma|keauqk)|j(ygkzcj|rskrdo|lnpjqg|sxenqi)|s(oaabrv|klmpfa|tbvyoc)|i(etdixk|zbjtog|mmnmlu)|e(xsfppc|tdqvpf|nwtwpc)|h(yfhamv|mxuwoe|iklhmi)|z(sijmxz|kahont)|m(dnzmih|iewxjo)|xo(tprvq|svlwm)|n(mxiilv|juotrn|tboptw)|dnqedcg|o(k(sgpco|ovwml)|rzetju|jvuyrc|enjbdp|toodem)|q(oermix|tcncdn)|gviting|lkbszqb|fhsquge|vukiktc|amuykfu|tscohjj|uuxmciw)|c(x(eqzfiu|mffjvm|lvdjdt)|m(hhrpyz|mavztp)|k(fljgzg|xilduc|ryfhmk)|h(kwqfgp|wsyxif|odcmit)|uxxyqjx|q(cnmoul|iqfeov)|f(kwvepm|pmwyxx)|bcjozby|j(khweir|cqfuev|idbzyz)|n(yakkbf|xpqatm)|p(bbnejd|kekzqz|ixynvq)|du(azygk|gpshx)|o(paatwm|qbeycv)|w(hzmhwr|luqoid)|yrmargt|c(eunqfk|rmzyal|ainjnt|zjqior|dtpjff)|v(psbgdl|tzgkzy)|t(qagupb|pckneb|nmnxus)|i(opsesh|blnmpp)|s(kwhuxa|qdzrjz|ufalgk|opwute)|a(unuqep|xblavq|vqhwzx|lyjkue)|e(prenug|kjopyt|ffpzjv)|gcsiyrr|zxnvmtr|ryntlvk|lfbyugy)|t(e(eepqzb|jegdyf|zcldvg)|g(cgikjn|muuyll|fssypv)|i(n(ftwsu|xvaqx)|qajxpe|fuumqw|mjifak)|t(aazldd|rywrpo|mlffxp)|n(atxtfc|gpfnsn|eoixev|botwlx)|z(byvevw|zjftga)|b(z(isxhm|fdgxk)|ytofps)|kkkolbq|rzjalce|v(wwmpkc|c(vfdmp|onaku)|ofalpf)|p(fjedlc|g(vkryx|upmrs))|d(x(sumrn|dunvz)|yrvlbj|wjeile)|o(lkimwi|qzmlfy|bgvjtg|mgexjf|ybuwwv)|y(j(atrwh|rmuev)|wjwwnh)|a(eahqgh|zjzzuf)|wrkhzqj|mnnelsz|f(zulmlx|yzcgua)|c(fkdjar|dscepg)|x(vuydmc|qjzqkt)|u(oedrfj|zmpghq)|l(xdsntl|aapvau|eaksql)|j(fnnrxl|weomle))|m(h(swloty|co(gshh|hnui)|dgmupo|qtofwt|jcdaif)|n(uevsma|mdcrpr|hylmcd)|s(cxssjv|tigjge)|a(vfnsfy|mdqbee|osjjuw|afmmgo)|j(omxsgu|rmpeov|aodukw|y(sxhwn|uhlba)|plfhju)|f(maivwv|zmrgpv)|t(phqurg|hsniyv)|p(zlkpwe|fdnmoy|tpfskt)|q(twpshe|yiqflx)|oihzpvd|e(cwzeko|absqgt|ghznjy)|zujazzg|dxglslq|l(i(yfumi|lkizb)|xqsuty)|y(zikwma|lcnbmw)|u(owrkoz|ikodgl|pzlzzl)|irqnnwa|xqiofjp|w(oxhecv|xudlzg)|gtzmtni|c(ewdlgw|rdjqoo)|kcojjzd|rbgfbip)|s(l(ghzxjw|cbseyu|dkmabn|exopdp|rtvoub)|n(fzhmej|voaxyq)|swrwwof|xfechbv|o(kxmagb|bfsjsx|w(xfvwr|zbpee))|i(vwoyhq|uoyfyc|ftjqfc|bbmapr|hxheok)|a(ivvray|vbdnim|gximjf)|b(mowzee|vmcmqc|ijxynu)|vynvrvs|k(b(zxkon|rqznc)|gmqkpg)|g(bexqab|cacfte|jmfatm)|q(tmhzkl|pvmcus|bqwhii|uswjfz|sykysx|meqetx)|z(yfkkqu|qahmwh|kxcfuo)|h(yhbnkn|mdzugg)|mmdcbfy|u(gfqpaj|obtimr|rsupxg|yklebw)|etebisf|d(kxdsuj|opphgs|ubjorn)|r(udcwah|dnvxos|bleybp|mjmyad)|t(s(ydsfc|auuwl)|gmnduz)|fuxpoff|p(jxnymr|mxdfjj)|c(mrpvlk|ooogvb)|y(wylzmr|mgojsh))|g(rxoiwkl|s(hufdnv|scwgqj)|dnctwlr|j(jhppod|m(kkxsu|uypyt)|vrryck)|nwclrmp|w(pttkzw|irblzg|byjocp)|y(jfzvig|dqbhki|zuqiqo|oyfrks)|z(ueadad|pbxtgb|ohczed)|xepjotr|k(ntittq|loeclu|irmmqe|tumdie)|h(jcauha|xucnmz)|u(jplqye|nptmjt|dvucrd)|c(olqzqz|ztjfzw|bmdtjv|hhezpq|qtemxc|unzsuv)|f(cwizbu|syemvc)|g(eagtaf|dmfeca|zsqwwg)|v(bdriqe|swcbbu|ohlrfd)|m(peuntl|urgrdz|jivbla)|a(xwjqsv|ptntdv|cczxcq)|e(kshxvw|qxzptt|vlvgay)|lmnxyaa|qproxnf|ilfvmzz)|z(z(bfmkfh|imgszj|e(igkzd|kocpp)|dadxkk)|gnswovg|o(beoosv|ffotqy)|l(robyyn|nszpbh)|b(bfyead|fsfnxr)|c(qtxlgu|iwyvdh)|dpgsrid|f(tmovsh|covaqg|xmxtam)|u(sdafqj|phwmmm|xoeruz|yjgqwb|vpuhku)|h(gpioxg|tmpvxj|ypfjwa|zejoil)|p(tyqqdq|dokdoh|oxrgzg|cckqsx)|a(tvtwot|plicub|vssrrk)|y(ryjmqx|naenjo)|x(ocpuro|qqgwac|twzwmb|euyjem|pkvpjh|waexvh)|r(rdiaqp|dnhvuv|bybxwx|zdclsg)|ktectbx|wozjevv|t(spzmhh|ahvksy)|j(xxeuhq|fasmjy|gbjrsn)|nolanvy|q(vqalhm|wyihfx)|mdpamhg|v(taozwc|kyurtz)|if(hjldn|cbanc))|b(x(fbtaoe|ddpfet|cqmczr)|l(kwjskm|vyngsz|gsfivx)|o(njdqbi|m(lmmmu|jfurf)|oshasy|rpbawx|ztjjso)|hajeryw|m(ujxugs|nhkrmc)|vvumvlc|zrfnowp|y(icxqri|wesobw|qbatwl)|s(jtaecl|vdccdj)|j(rqszkt|gijllf|pwbkup|dogpbw|vizzcf)|q(olnxhu|gugjdt|xinpmr|weluss|ysvmjo)|k(ndkxbe|rxhuhk|zsybut)|gv(lmcge|tkbnx)|u(nqeqii|rpqotr)|w(bwyxsh|usmjql)|r(nokewh|psrmgk)|t(liyqoh|oyimgx)|dlzzvtp|n(cmxtqp|pzhtyd)|aslenam|i(nuzsbw|knvbmr)|elqiupz|cutlezl|p(vqlqad|cnegqh))|r(n(vsguxe|ynyuzg|n(oreoa|gkkeo)|fjphym|qhgahs)|p(axypmx|ffzvqb|yfjuxl)|y(iiguee|luvhzl|ouwvzs)|b(xbqaey|rckyxe)|a(jopojj|ucqhem|wiihje|pcaegu)|k(t(kswgi|gbmry)|bczbbv|rfexzg|wottzs)|u(anecny|uhvtto|vgwxnt)|d(nwujzc|mgslbc|sndznu|jefcpq|ffpixm)|c(tndjlt|u(wtsvr|nwrmq))|v(ciared|sytrfy)|r(s(etwgu|rxtwp)|bligli|xjxmpi|uhyhch)|q(rxnjzs|fmdpoj|cfkurc)|x(iqwaiz|thzloy|pmvvkt)|w(iyqzly|sxgnzg)|g(eicmob|rpshxm|c(dwwaf|ggphy)|wpdjjq|qbzcuz)|h(pftaas|xdqezw)|mfpahnp|egwobsv|zusjmnn|sgmvdax))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633154; rev:2;)
# sid 2633155 includes 1038 (1801 - 2400) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(c(z(x(nvmtr|icjcv)|whxxhb|mvrsam)|nx(pqatm|dbruf)|j(cqfuev|idbzyz)|tnmnxus|d(ugpshx|blfgeo)|ryntlvk|l(fbyugy|ppayvt)|v(tzgkzy|qtdgis)|c(dtpjff|ancnxk)|fpmwyxx|a(vqhwzx|lyjkue)|sopwute|p(ixynvq|mqsbxp|feljhy|orbzaq)|i(blnmpp|pjcvus)|effpzjv|w(ocshpb|jvctwk)|meovnma|geigmgy|qkmhaqj|ozscdqh|uwswxqo)|h(a(pmjdab|imbmnw)|k(yargvk|dxcrfi|hftckw)|c(rniekt|vkycts)|l(eibafm|klontb|vvwnxg|zdugag)|x(zlpqcz|dlxstz|sucxia)|n(q(ovsbp|rqnhj)|jvgoxb)|z(lquujd|ulyaxo)|musbvdd|vfyizio|woosmwd|q(knrulx|dsteje|gjvied)|sralriw|bdpbiuu|plvjjgz|i(jzwrjh|lpdfbr)|u(ingpwt|bjbyhc)|jzisawd|tpqbvnv|rcpewtq|hlkgfyv|gxgwnlm|ettzgnz)|z(r(bybxwx|zdclsg|osufqr|xojdiv|jqpwch)|h(ypfjwa|z(ejoil|nqgbh)|xhblgq)|if(hjldn|cbanc)|x(euyjem|pkvpjh|waexvh|ixrpat)|q(wyihfx|cfhxwl|adhzal|ptjqmm|gvyqqe)|fxmxtam|v(kyurtz|wivfnm|rjjgbz)|jgbjrsn|tahvksy|e(ckdghc|figoxg)|l(iurmap|sagsex)|wmcycut|c(huygmr|tfejhu)|kx(nuvjo|zbfij)|brywqqi|dvmoxfv|m(hvyicc|nqgjhi|uyefkq|yghuar)|pyrfuwg|sbqprzy|napsfsn)|r(r(uhyhch|djhhfz)|apcaegu|d(ffpixm|epoggz|owcxif)|pyfjuxl|g(cggphy|qbzcuz|t(mhfun|uvnlg)|vvhnot)|egwobsv|cunwrmq|n(qhgahs|jjaxxk|mbkbyx)|zusjmnn|s(gmvdax|imrzqb)|xtaxrxu|ypajegw|bffakkz|lqzgufk|hrsncjh|vfpnvur|u(frjcwd|xchadb)|kakwdyv|fmgciuu)|y(zfphesd|x(bzavjk|jzsznx|zklmdk)|n(lmftpt|gtcacr)|btuwldi|phmjwkg|fkvatlq|g(hynnwh|noylrl)|y(xnfgbp|mvqria)|j(igpbrk|yadxrc|gvgygp|dtqbxm)|kyhcelr|quqitso|mvjkrrg|r(x(euukk|ocshg)|utmnlu|jfiuqj|lwkpck|ibkkqm)|i(fmfzmd|cuombw|vdntkc)|wgfttqa|s(whtqep|fuqsyh|nxnpml|tfglba)|emogwzg|t(m(qyhhv|rjfih)|rkwcbw)|o(ottffk|gmlsdm|uuzmum)|h(euceli|aumamk)|camhxqg|levixhy|uvglqpz)|v(wovoknr|r(dfaqcm|nlktla)|ezyyzme|h(dcnbfr|wntpkk)|k(rneuwd|lqfsex|jfpyxk)|p(ybtivr|kxjoog)|q(ohwpzo|naflpv|zhnzta|fcphxt|yfgjty)|t(uaadhk|gvfary)|c(dbtdoi|rmhaaq)|s(xhearf|ttnlzz|jnjjjo)|g(otzozg|jseljc|qpfdfd)|l(njjdij|jeiknz|vrrley)|m(pvteqy|vckthj|xkratk)|d(tqdxpa|jpnaat|ygyoqe)|fgiiyjg|n(mddors|gdvzbh)|y(zjbwft|mjhnqa)|i(yxehkc|bxeqtc)|j(eqkeer|skwkcw|btekul)|ahwfewr|bcttmyv|u(oxfqby|phtvlv))|p(u(i(ukmmb|babki)|hmsjrg|aahmua)|vztawtv|b(uewtdb|ehrrne|hmcxth)|j(jjamzy|xiglmb|avismb)|k(ajarsg|edutyz|zievpo)|lueddox|f(w(turoi|jooqu)|ubbewi|hozrzx)|a(bbmtzw|svrdou|pawcwd)|d(wdqfzq|zverxx|xskauv|vjlwbe)|efqfuiz|hqrdfbj|n(vekrsi|gnzdzb|otdoln)|c(veomwt|fvzmnn)|z(nimxsz|hkiuee)|wypzryr|xaoyvvd|o(dqiqmo|bmxbfg|hdetdh)|pqclkbk|r(ccsirl|zcgbut)|q(aroidl|zktupi)|gtdrspi|i(vhisyw|cmrotb)|skrtmcm)|n(x(uutvst|mddaid|ciojmp|iloonq|thtxul|aiqlaq)|s(olvoda|psfmty)|mnuawpb|r(ymqjhc|pavycy|svrclj|aqxfog)|g(simprp|tajqga)|dqfkdst|qgcwvyn|u(wlvivr|msihaf)|b(dannlx|iaeopq|frtkll)|w(gnlsbc|liehjw)|jyyedlp|n(mkuzok|nhikjp)|kwzirjd|cxcqgjz|o(mefzvl|yzyleq|amhkcp|tsvvze)|advxlhu|lygyqcr|hqeqcsu|pudwvqt)|q(b(ytwkek|wiqaea|upwqpp)|aionijl|tqkzrdq|k(jeidwt|qgwrns)|hejpyps|darklos|l(cvlgrk|yomjmo|vvjabk)|v(jmzona|wckjrf|shuczg|tpeyou)|z(sndtma|p(rzhql|visbi)|kqxeth)|eymylef|o(rtwaop|iwnsds)|x(coxsya|stvnsd)|n(kdzxlh|bnjsqq)|s(zdsach|hwpvun|qcdhrc)|jsadoxp|mbrfktt|r(qzxjxe|ucfhxd|sljkpb)|ukhahxf|icbvttj|y(d(jcchd|xyqko)|iqbcrw)|gfqyndu)|a(m(xbsyzg|kouivd|zrkcnt)|bujybcf|xcwkrdr|c(jovodi|lcwuqx)|i(czeewl|ojcnip|lzywmw|fxndrp)|p(hgnrlk|aanuqe)|w(ocooja|geeeuw)|v(ipvqdd|kupwez)|q(uhbhvr|zaqmlt|gnoxsh)|o(adejzx|qiehgs|egapno)|k(vriqhf|p(lykop|eyjly))|s(gtynbr|blhpnk)|h(l(xicrj|dwjfp)|qwsdqs)|n(sjlufs|kpfgpq)|f(ohwhhd|exfmno)|tgsenix|l(srmupn|jluexo|ipsxzn)|j(qbyjhi|laoaiu)|ghigkup|ewywucq|a(wdwnoi|peizyq)|zyqfcxn|upqqscd|rbdtxmb)|w(ikkhozg|j(qjlbbq|grxrkc|k(pluhj|friyc)|toivom|nfprqf)|c(cezfua|ejbrfi|iadkoq|rnxnaw)|kjvqjqz|rjvnnkj|s(lbfoqe|ttytlf|yxqbev)|z(zslteh|kjzhdp|yckxda|pdyywl)|e(ktjsue|ebaixn)|qgpxpgs|nhfurxd|m(zrgxwp|digylj)|d(tvclrs|bgtuwp|fmjhux)|amxqvmd|xhcfwwq|uoydlkq|f(kvsxro|luedra|iodfcn|seimts)|pldwagm|hliacfi|ttvilhn|gpuuyfs|vlaaraz|bopwypt)|s(y(wylzmr|mgojsh|qqbayh)|d(ubjorn|p(wykcn|mvvjq)|nnhsae)|i(hxheok|lkyryh)|c(ooogvb|dfpwon)|q(uswjfz|s(ykysx|uwizt)|meqetx|xnhnuq)|owzbpee|t(sa(uuwl|vght)|gmnduz|xxpnft|qaftan)|r(bleybp|mjmyad|pqziay)|p(mxdfjj|vuqcto)|lrtvoub|h(mdzugg|sytmfh)|agximjf|f(s(irhkb|rtjch|mgcyy)|rmcsue|lvslfv)|n(trgwmo|yuorph)|k(tzxtfm|kaabvs)|grsbbjp|vbfykne)|k(y(xnhgoo|rrdpor|nmzylx)|g(gwcnob|trohgr)|s(yhtylx|anazpw|xxllei)|btuinxk|d(fauqwe|wojboy)|n(hqunpg|avxbdq)|v(a(anyug|kncaw)|lzeqlf|zuukoq)|o(cpvlcl|dqmqop)|l(kqwmat|theqym)|i(fhhhxe|ruobec)|a(urothl|dfpcyx|juipna|idnrgq|zjxywt)|wrpfbsj|p(g(eiqav|gmezt)|rejxre|w(jobkc|kvugh)|mwxhik)|x(nlmfdl|qupgnt|xvhyde)|hverjuf|j(aiiokb|eicsvz|yzimyr)|k(yunwky|wyfsnm)|f(gxbbiw|shxwhm|ortedh)|q(hbjbsq|glwlyz)|cjjbwqr|zpcvwdj|rwdddpt)|d(okotuii|j(eerhbp|hovuxf|mhjkav)|quhvcaf|vhpxhlt|d(cmimms|jfuehb)|c(syyehh|klzqwe)|k(adhtzj|uximps)|t(ypcent|zdsbzl)|u(elxcro|yxmshs)|e(gvuhnt|tmbevh)|f(gzihqt|brxarx)|l(ulittw|bjmpdw|smvxql)|n(cdzagm|zyepvl)|p(jkxnht|xboqkb|ioqdlv|wiswmk)|m(lhjdkg|xsygon)|x(acxict|trarqy)|skdfebn|iboraym|zorxrep|gqtmjdx|hinopiv)|j(j(uyqkwu|cyjayd)|x(gvwdyo|tusckf)|u(tfjriv|kgznpk)|b(y(scmkg|rfyji)|hksvmb|drwrst)|e(jpwuqw|irnmkz|qrdwgk|gbevpk)|panhngc|zbouvuv|ch(izxkp|dqvrl)|k(gvogaz|vllxfd)|a(lluutg|kbejiy)|hzislhh|g(wrdhgc|rlsnee)|w(jtjisk|giymht)|vfkjvou|ym(twlar|xtadm)|f(ujyadk|fogsnp)|lhunses|otaipev|drzfihz|r(eagzpb|sjvysq)|s(dseuya|olozou)|n(rsnutt|fyulal)|qhyuyri|izoofep)|b(j(pwbkup|dogpbw|vizzcf|kycigl|mjhnnj)|e(lqiupz|ohwvmx|zgakve)|r(psrmgk|husyvk)|k(zsybut|abipgz|unwwgk)|c(utlezl|hsotsf)|p(vqlqad|cnegqh)|o(ztjjso|psxvuu)|n(pzhtyd|tzgqhw)|i(knvbmr|ojqucb|qzltmi)|ucyzlta|fvvintq|wxlldkp|q(clxpei|yikeor)|suedcjb|ynxspch|blabomo|m(mvqjki|akofdi)|goetdel)|o(k(diarho|cqmxta)|otoodem|a(muykfu|vaiiue|srevsk)|tscohjj|j(sxenqi|koffvv)|uuxmciw|immnmlu|xosvlwm|ntboptw|pkeauqk|hfxirfd|b(rwroqr|jicjln)|zctsuil|m(ynicll|evruso)|ysanwlb|sghtifx|gpebtri|vxffupv|w(rziwan|jnfqyy)|rgscfyu)|x(z(eizppp|ffdjqo|sudpzw)|q(scazit|bsbspc|ldmpsn)|y(adhwwh|vynguq)|tvyomay|k(ibnbyx|vbmzre|oxcycw|zblrnx)|d(yfumhv|nzjzuy)|o(yyoyga|cytmhb|adrkgs|pxgyyq)|f(xgvaot|cudsms)|m(wmrzdg|feehpo|mdloes)|p(xmhezg|oeirjp)|hpjlyqj|g(dtekmy|kpovkn)|a(tvrahj|gzonwq|m(hqlrc|cwrje))|lwycsrj|v(pqmsha|sbplno)|idsntyq|xmjpxuh|uynjmrr|ssqfolj|rbxmtdm)|m(g(tzmtni|dqpmyd)|c(ewdlgw|rdjqoo)|l(ilkizb|xqsuty)|hjcdaif|fzmrgpv|wxudlzg|thsniyv|p(tpfskt|xuswxj)|n(hylmcd|vcracw)|k(cojjzd|xaqgib|ywixdh|dfexek)|r(b(gfbip|vxxjl)|ufbecm|klyxyd)|q(yiqflx|bosmuf)|u(azhrki|vbayuw|lcdlcp|syxdis|kgyjmq)|mimsgge|albdjkx|y(otjlul|ajoeei)|v(vktfqh|ppzfsv)|xjsmpvk|dnsipaw|biywkrr|zvavqem|ofpjcqm)|i(g(mysska|ukqatn)|t(qlguxt|r(ipdvx|skbbq))|bnznbjr|qnbjtwq|s(w(bbipr|fegyp)|lvampb|cehram)|u(sipghe|ocahro)|e(lirxgq|yytpeu)|o(acgbdo|zexoty)|i(queusn|tfmedg|hhjcjz)|m(s(kjhdk|nquvl)|fopvwy|ylvwpr|zdoggd)|y(uqxgkp|celnel)|cjprufk|r(fwbowb|geelqy)|h(nnqdcl|wnylta|frugco)|z(kphqpt|jcxfea)|fkzkcav|vxwscvy|jibolvp|aqwymtx|kirtxuh)|e(q(icpkgi|lkknbi|hwjxhu)|myxxvoa|i(rrhwvt|vshxfc|wseqhp|yootyp)|e(xoojme|bshblx)|d(qzcmgf|pdwawu|wrrcrn|xbacod|afvpxo)|u(jwqsdm|ffkgvv)|x(qnlece|ldmkll|gjjqmt|nunfwv)|f(kconnl|ldelcn)|j(caigpb|rpafnv)|c(jzqlci|ccmmjf)|laqyulg|vzexjpa|s(vzwlks|xcbrbw)|h(jreuxk|bocepg)|y(cfjvua|remptj|zsysyv)|nrdvmji|aimrayi|weshklp|oixwdrf|tdqtnyr)|t(i(mjifak|ipllel|wxyxvv)|gfssypv|d(xdunvz|yrvlbj|wjeile|sbiaij)|y(jrmuev|wjwwnh)|l(xdsntl|aapvau|eaksql|bbalyz)|o(ybuwwv|vqwzmq|npusaf)|uzmpghq|x(qjzqkt|ijqntc|woxjng)|j(fnnrxl|weomle)|t(mlffxp|jclmac)|bzfdgxk|nbotwlx|azjzzuf|w(zlmhpf|qaliqt)|eymjvst|kjootue|zsunexg|c(fksmmd|ystevt)|hintlrs|fqlqano)|u(m(wjdmdy|jgkjar)|ivuktaw|f(gcoqrd|qcxdzm)|p(yofryo|klkgka|ltaymv|dmzolu|hinbjc)|c(qrsken|arnhfk)|u(kooeub|ldwmvm)|g(stpwbo|chtwka)|sfsqzhy|t(a(jwtsr|zbucy)|mzuttk)|l(vlpxdw|zwyyqb)|j(yqlcon|fprjhw)|r(wtcwnu|oegxgc)|k(rqiftx|wvrlvb)|y(xmoxyj|ymmsce)|ofdodcn|npqyjoe|b(wgwmwd|qqqkem|akopuw)|hbsrcqd|akvdewf|xgwfbba|dyswnhf|wiunsnv)|g(yoyfrks|e(vlvgay|tscgvf|yjaldx)|m(urgrdz|jivbla)|v(swcbbu|ohlrfd)|gzsqwwg|fsyemvc|j(muypyt|sheohr)|ilfvmzz|udvucrd|acczxcq|hxucnmz|ktumdie|qyfrhup|z(hgjbjf|xiksfx)|ollcnfo|t(dgssqc|txvtoh)|r(rvnywh|kuivyz|ufxasi)|natxxco)|l(j(rugjak|ncpckm)|pc(tgafw|jlpaa)|b(cdyiaf|rezwgj|nyylbj)|nuczlsc|d(pxwklq|ytrvvq|niapdc)|vfnergv|tmpkmdo|y(afsxuo|d(atpvm|jdghk)|roobam)|q(amsjdw|qoqrve)|z(gfdbvw|b(uhcqj|mkkip))|svfzqib|rzqkcuq|k(tvxuex|ihqasn)|w(avibwr|nqwtdi)|f(jovwvl|hivkmk|ysmeki))|f(ecasaqj|ynlzlhl|wchrujt|x(njjuth|ozkkfx|twknqe|yxijue)|a(gmdmrz|jdmpms|bzakwz|uzmpoh)|l(yewxvj|foultr)|iyoktwu|m(aatygp|jmpppo|oxlngk|ssddur)|f(yozqpe|mxjwxk)|b(mqgdnt|encbez)|d(cthiiu|bbsoaq|ghxpef)|qcvufak|c(hgooqi|awdqkm)|vtciusi|sdyefpi|u(uzsawg|skkfgi|hpgtxz)|g(xlrgim|dpkoei)|p(qpzgud|tukvlj)|o(afrwsh|xjsxpd|cnizdk)|khofydu|t(ltxacb|fpcivw)|juofiey))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633155; rev:2;)
# sid 2633156 includes 438 (2401 - 2839) 8 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.net)"; content:"|08|";content:"|03|net|00|";nocase;within: 11;pcre: "/(z(qlqjfdb|hzfkbnj|j(kplggn|sxewyj)|agawens|idlynxc|fruyavo|ydrsmpi|myuhhsu|zzmktrg|otqlkzq|ddfabkh)|o(l(lslryd|vnlqbh|jvakfj|ffzbuq)|pnjpltl|dpqgjlp|i(zjvuch|rjktte)|f(vchddy|anwupc|zmwdey)|v(b(ajkbg|jjvpc)|ousunt|vhwbkk)|s(zjpjsv|uwmnab)|myblwst|tbjrufg|gbnlgzu|jznxckb|o(kopsmp|zlufii)|kjjidxl|hxsrwbm)|m(stkqjnf|e(xiwgyu|dwqawh)|q(szuqut|wgsgwb)|t(ocfezi|yvernf)|r(zsuukx|miiltq)|w(icxitn|tmkada)|k(gwiwyi|oodvmd)|ozmersr|a(wosgwg|qgrqea)|unlwzpv|dplltqx)|d(s(shfabc|qqihce)|j(eirced|khlozh|hrvbjl)|osqbrvk|l(o(jzbkx|lcdry)|ketmfw)|x(mwhtjo|pivbpq)|e(oipcyt|czjnmd)|u(y(zssef|kwlzu)|wcxujb)|bnlmdjf|kphcqjt|h(rmzyhg|xwhwfl)|idhidit|agdusoe|qsnjzlz|pkzrmek|yqjcumm)|j(v(yjftku|xdbdmd)|gqygmgk|oupyvst|fgttknt|znyomcn|pfrxtmq|cdedpbd|ijbhkji|y(kqsfrt|rtcnlt)|wbitvmk)|n(w(igszep|bomflh)|plptpat|snlarfw|qjhourq|rasfihu|xlplidf|bpbdxda|y(mviygk|vcndas)|mdfzjdd|g(vmvaob|xsauyt)|zfstjab|eodvryc|anedglf|tnelcjr|nvsonzj)|k(valdfez|ffzybxx|wkmnaow|mkvufcx|u(cewheq|huuwlo)|ktcxlbj|egmfhil|a(vcghqa|lqxofp)|hhyythn|rcnqgqs|ncufxkr|xaqtxwy|bxlukbp|dsxigiw|jhpaepi)|s(jodxwbs|kaymges|s(dlifhj|vetaqc)|mwhsfgm|wcalyby|iyrbhap|poqaoow|c(mvtefg|unutfc)|vntolzc|lnparga|hrunody|gecbzwd)|h(kzgznyd|rdccygt|xjbzgaw|h(ybmbds|xbbzfc)|j(ocokau|mmeeao)|guovlse|chvqdcj|ikvgmvs|wtppsvz|aqgqexe|mycfswh)|u(k(vzkjus|dcnhbf|ardzcg|wxvqzw)|rmvizfk|l(zxcdcc|lhhvvq)|ecnghyx|gdohczw|tlannep|fvdztwr|diaeegh|c(lzqfrk|orhpzy)|ogztxiw|sslqrjb|bnwlonl|iloaxql)|i(qjjspsu|nhgckou|hlqbtqt|buftict|p(vtloyn|fkltpc)|w(sirysa|zlxxsa)|y(jlxqnd|tdfjpz|yhdeko)|xmrvpvj|d(agpjwi|dxbwwi)|frgnyue|v(witlrd|zbijev)|u(vhqnln|futtxn)|cmsmvwd|tqapjkl|mfhywsj|lkehoxe|jvkiiuo|z(xwuhwe|dyphlq))|f(e(tokbbc|ifknfb)|v(kgzdqo|eyehjx)|le(xmxci|ekrbw)|z(fbjynw|eehvvv|vehfmq)|izjnzvv|k(tdfozq|wjumiz)|dggrngx|alxjehy)|q(glqyqji|jqveiya|xlcewqe|so(qbhun|wxwkd)|p(jpqoee|ywffpk|hknyqs)|w(aynbeu|uufrxb)|b(knztep|xbluhj)|k(mwyocv|dwjbjx)|hiudwjv|ynyosfu|mjwoavl|vpuozgz|cwziplh|tbyfnby)|t(vfxmibs|z(warqjb|yvaxlv)|faxhdil|qnyqoku|gpkcrys|t(fbinpv|skwnzu)|h(yaomcc|oyshpz)|kxdtgmc|w(gajmhd|ulqmxm|fhvvyy|pxdlrv)|sgwwdzr|rpcxhbo|nxvybtm|bpoihil|apkojkm)|a(q(gwvklz|pfkbdq)|scwpiin|efobuzg|t(mhlkil|sfouse)|bzuaozg|ngzwlyk|i(knvvjl|wsxojd|ztaylh)|kqnvzdy|hcyggnx|ovfipdm)|v(a(ogjyxq|jjbazq|ainekr)|fjhftwm|qhszuix|vplzpwu|k(knytow|ybrzqc|mmrnhd)|befbwnk|drdpmwi|xwybvfc|n(hycohe|leofvn|ipmedu)|ozrgayy|wcgzbxw)|e(wdlnbdj|o(nemukg|lswlqx)|g(ydyrtp|htcqdj)|vswnwoa|lsxtxxl|u(xxgscy|jxaitp|ttcykn)|tfzzyss|dzingnm|ievquep)|x(ahfpsiv|gdiuctr|b(ncjvnw|elboqy)|nr(szeqg|yvuhg)|smiwiyi|rwdqyqb|u(oamxyx|swdmrh)|wyhadhz|ejczvhs|ynpdidc|qlbinvi|fxgaelk|plgumkk)|l(w(jdgerz|qkklkr)|y(hjaaei|pxshnh)|j(resfaz|iyjxei|frmbzi)|icderkz|t(ltrqrf|yjzzsw)|a(siuwbn|iwdhby)|kpqerow|eulcvlz|cuwndtz|xpomwwy|psrzpvq|bjellhy|vcbuvjp)|g(gsavpth|n(ggenjv|wqdqgx)|x(ivkfkh|gkaedg)|dpibwbg|lqsoaja|ahrcczt|ieuqtxw|b(umzobs|cnljxm)|olistyz|uetqhjg|zdzjgtx|cyvwgoi|snqnkwe)|p(xyrdkvh|tspjutu|keqkxrv|wbfrghl|cxiopez|rinzhiy|mghdtgm|eswjqgt|s(sajtod|juiewk)|p(bychrz|hqxboo|zcxgad)|hvbrria|d(pqfdfv|fzuxsj)|ysyqviv|bmqdqrn)|r(jbibbiz|sfiiand|r(jmfzxb|ubxajk)|cndpsse|u(lwkvyr|efkabp)|hqhxqcb|w(scirml|nbxtry)|babwtek|vbwjooz|anxhutk|zautuwx|euktpbe|gmminfj)|y(j(hzzqak|bqbnto|fvaauz)|tmhqrjm|b(cvorac|smxdte)|qbuybjp|shkolye|pvstczl|r(zzmaja|mzcqmz)|zzaaopb|gqnlxwd|dkfckdv|yvsfltm|fouzsnb|vghbdko|isjkggg|lqzvudy|xdeimfd)|c(zle(msca|wtlx)|ycrsaem|q(ruttyc|izftul)|gfrcrim|ageuteh|hsqzhor|idjjiig|mjmurbr|vefaycw|c(nnbnxf|mlkeea)|xlskrol)|b(mkaffyn|s(tyghgg|jltveb)|norwhes|zbucvnz|yehfrqb|kwofyhk|d(fdocpi|ykmzje)|hrxhymu|qagfqcx|vnkojtu|rfkwowa)|w(adtvwoh|pnxwxni|gsspbsi|cwdpqdw|ibcrvpx|j(tybnta|slapnr)|yrlxwgj|hfmzqyt|nekmqwy))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633156; rev:2;)
# sid 2633157 includes 600 (0 - 600) 9 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: "/(p(lrjgcjzf|dnrlvhla|sjlktkka|o(jglltun|fpqqwpc)|fadhsoxn|byvuxndv|u(fbvtctx|mjsmbkg|lakqkeh)|ewsrursb|w(mhulhrt|qicjwws)|xxaxmplc|juxownwc|gsxddpmv|n(seumlml|gknpaxh)|vokehqys|k(wqtbavo|xlotfah|ycswixi)|zkhsclhj|texdymge|cgjdvtom|atamlzwm|rxfkcxbe)|r(p(yaqstbi|nofjent)|emgkunrt|t(cjvzwpd|yemjbbi)|xigsycpb|kgygiuqa|yqkwctfe|r(vjinmvl|ewefjtj)|a(vkciwnj|gpgwpfa)|q(ewqdfag|g(hkolkb|tznkdo))|znjfazhg|dfxipfby|v(hlamzzs|lrwisyc)|mychzims|n(zdmfqzu|udbcygx)|oyvtamqn|b(efxoqgk|owagvxm))|a(jncmeuks|vjbunzot|f(nfbdoxa|tcugacc)|iusxhvoa|z(aguwbfc|whncvwo)|s(tuohxnu|azpbgac)|kolycdtz|pwljpodr|hwphhfor|tljbzsqv|rfmjqftu|otpszmbm|nckltuwm|unzltvui)|n(m(ymxvdoy|jpjvpah|gkmojzz)|z(blltyyv|peuqudl)|o(nwcgcno|swisjzs|otkljbn)|uogxxlre|e(ocbdlwp|t(cqpckz|vxonru))|hdjajobu|n(lmmbvmh|bsyyogm)|g(uwfvpzw|zqgqiae)|lknizuti|flzmxvqs|cqipwoxf|tadqgrbl|w(runarxn|wfzauox)|bfsdoemb|dhybaevh|xsoddwzr)|k(p(fgcpuey|pgqzrwe|ikwmsjn|jmjlhus)|e(rlfbujc|pgojljz|czvgsip)|tayiwhfm|voendzia|kmedfnpm|z(dlxbsvv|vfhlxkm)|gtvpjgrn|ysqbrmlv|bhfjkugg|flyzrhus|okvhncau|l(jiancah|yhwrdas)|ikxfqrcu)|x(b(unpivzp|nfiakqs)|wdaedmfo|a(ytnikzq|akkvfnt|myfuehc)|dhnjwwxv|p(felmxwc|abziehj|txsvdtq)|y(bljilrh|wsouuhr|iwghwbf)|q(hprnzly|yppogvu|chrjuyo)|xgurupno|okgcoufr|f(epghtmz|krhbjwo)|smtipisd|mczlpcqa|koyosnbj|ektjiktm|n(llrtdft|mktmsot)|iriatxsu|lrrngvgg|culjvujp)|f(dkzqshlc|t(jnxsnyf|eawcqph|geahzhn|fomdrti)|vanyauux|xeyaacqx|zugrftdv|wqfikori|pjoufraa|oucgeqmf|s(lmbpzom|kkcjmox)|bnbzvrmz|eliiqdfp|l(pxdmxwf|bhfkzep|jfxgasn)|rxigqfam|fcvhmebw|i(ioiltap|jpgmnqd)|qbkhqvjb|c(ixujlbw|onkpblu)|nptrkdff|kbsiwakt|yplaltzg)|i(r(sfwpqov|hmjgstp|evruupx|qgbulmp)|v(gpdikne|cmefsxs|elfczbk|uqirusy)|t(eznamdd|yosvsws|hsshlnp)|e(rcfhmur|spculby)|c(qyayiiw|nffsasl)|f(gjzzmri|hsbdblg)|adhlmflv|z(guttldu|dzidmxz)|npsmyxkz|gjcqphru|pubdskxe|klsgvggw|qfwkolnk|hwsfnktz|lwqrguwd|jaucivoj)|s(j(lmhjfqr|upvoufz)|qjrhvmmt|rawlsdjl|t(gyxmxhy|alvozaf|qliirqm)|y(x(fcmsde|vwfazm)|gtrfvas)|uoqfclmx|vbaletos|s(onamhbo|bcgshvb|vjerxuh|lizyfbc)|cb(oyrzjb|zfnzjb)|wybmbcle|zqsqzaqd|gsehctxx|omdtqqqx|l(xvvhnlx|roqsmte)|hqoomxfe|ksctfmxi|ncktoorc)|u(ggwotruw|nzigrpju|m(phwlpca|kviocow|xjkltfs|oprazrf)|wkeotylo|e(zkvxvmz|blcptwr|gtroytk)|vcwnulic|rzrnxavs|bcexxrsx|kzsmvekb|ajqjtsvn|cqutlvbs|q(xdowupi|guotigu)|fhtigddh)|c(l(kdmxuux|qfoyiqv|rznpktk)|xzpetfhk|ijgkoxcj|m(dwxoiwv|ufgjtfe)|q(cfwwwnt|ebnzyap|bowjcaq)|yhmzkcmi|g(kachpxq|dmqwzdt)|bieahfob|dmalqsnl|enjstoxd|p(spcjmbt|kewsidz)|j(txdxiap|ccmrlcw)|tiqnaump|axkoiihb|kfzucbjo|ngisxmtf)|g(anikcwqw|oajgfioq|g(jmuwxqx|symvrjn)|z(ncaqeec|fwlqija|qpqkdvg)|r(uwxxofx|vyyvqha)|ndiroska|emmluqng|f(hceduxb|syvrouw|lvgcfbn)|tmpxkwsh|yiyygutq|uyjxvtfk|h(gogoynw|isfqinn)|m(lioymbt|ektzqil)|l(kxmcqnl|tpfujkx)|qgifpsrz|iwiqkkbn|p(fmrdlzd|juarzbq)|debiuyde)|m(jcpkykqg|dwwuwshs|i(sahccdu|npviqqc|pvoqual)|mzwuhzjw|elpsjmmi|v(suqijme|qoorzvz)|tjyggrin|u(cspwtri|vhcbico)|a(lyvwxkj|royjabr)|nleshrnj|ywbeizev|xewbmrro|hnoqklkx|l(odhnsiz|mhpjxuo)|zsxwpfaj)|j(chkqmvhr|m(sdsiebc|kufkwuu|wrtvaib)|bnltlkke|z(vcofvgf|jtbsong|yrodsuo|hlmjxgn)|o(zdsgyeq|hltbzmv)|e(jkuadmx|ioptflu)|p(kvjzlmo|caessef)|gwfwlqtt|aazympnq|hrdjkiwi|tqzydnmp|dkowekuz|ritbrlzs|klvvpspo|wffhjaie|xxgbuywi)|t(b(toeiary|niaiska)|z(nwksgrp|iozpjkb)|jpjhgtfu|p(jpdnpar|vukfgcp)|vixjuebm|wl(jhvhyu|kxrxlu)|yznyuqrp|lpnkhkpl|hwlyfcmx|a(qophifa|cziiqlf)|qixftdpn|oczbvhzi|idzgqvae)|y(j(soqioww|xkjpwui|onouwid)|bfehgprv|gcfpuddb|owndkhxf|h(bxcjlzl|gdjcdbc)|d(drqyecr|rikrasp)|r(fkuaduf|scaudcs)|ltvuzcqg|cavrrtti|xfxyaadg|flmfshai|isydaevx|vnytyfiq|qvitznaz|uiclswko)|l(d(ucvjyvg|scpulpm)|l(buvaukf|cknbscx)|edlxvovb|zjfzrqyq|i(eeokmqi|rrpubmv|lfkmlqn|cizmxrq)|jfrrtivo|a(uwyhqpc|hrmiwhk)|y(efinnlu|fihmraj)|sqkxxcdn|mwijmdxa|pxnzwnos|b(vglhmnu|ydkzioc)|wrwyjusd|rygvngsc|fhjhjzpk)|q(ggtahdzy|dwlixxzz|xl(cmglys|xomnlo)|bzvsbgip|zdwirpcg|s(zzavmxj|ehohbft)|u(iarcmzv|upilgbg)|fkvifspb|p(djlrqny|ogfheec)|atnrvdom|q(nfvwram|wybvzph)|e(gdbjzjx|kjdygws)|rjoehdjn|iniemhzr|w(juegxqh|rmekaqb)|khzujhkp|nyuemroq|chtpirxn)|h(v(jtexxda|tvirivi|vhjtsed)|r(lgkltwn|fjvytca|ueeyodb)|j(vxpsjkq|abwmcnb)|d(nhepeon|qhlqitn)|osjsgxkb|nrrvispp|b(tzwsjgn|qumytfu)|isyrxosw|utjqjqic|lsymgmdi|aahxqclc|wlgcsopl|eliezhoj|satidqut)|o(w(oybwqba|wmxjrty|rzetzng)|nbfnujye|zjvqjiwq|gfsjpnpq|r(kjzzetp|gx(qykek|brkng))|f(kwmwbam|xpejlgo)|y(wvplwrh|xrhcuxy|paqlyqb)|c(hkteinl|bwwbujl)|j(mngvszq|osfeojq)|xbpqxbhg|p(flixzvc|mammynv)|uqhvghsf|h(qqghlqt|tmbxcaz)|qmxhwuco|iyohsekl|lbnmssvy)|v(p(dzfxxel|mbblbmp|wwldipn)|c(hmbilga|geiidlj)|s(cqcjqwl|dybsmkb)|fhzuejxf|gfqjwbrv|o(ktjflbv|gtvqbua)|ziamftkp|eymeswya|vvmedpvw|wqgaxtvt|hhxmpgbe|rwkjxsvc|d(fgyncav|ttdlrdh))|b(f(ptjpfpy|fymqqya)|z(ntycsyl|vqbssld)|loomwvks|qwltwcje|sacknjsy|d(cxydyfd|vxwgucq)|mxnceasl|yvpzwaxg|jiqmvaex|ivhjhkor|wiudnzfg|ufascfbt)|w(ppmtizvp|z(agaguya|tekinnk)|t(hvigxoq|tbmldpp)|kvnskuoq|f(pwpukkf|upgrnlv)|j(ikowtvt|ycnatae)|s(zocvnsm|vkhlkiy|grfetja)|yshhyyfs|efddjins|a(vkjbvss|qsvcsji)|n(atwwrkc|kubqodv)|qbjvpohm|oibhkmox|gaotavbl|urusizgr)|d(jrqbqpxr|v(efyoljh|mjuelyt)|ialrlmvz|yggsyuyj|rtvlpdud|kbmrtyik|lrdwivck|ayawdehq|nshxadot|xnzpvsow|pl(dorjxj|rhssog)|cppqbpit|hrqsdbdd|e(qhgrxge|fjyxede)|djvitijj|uhvqjkic)|z(c(zojvpmv|p(ocknzn|wxmtrr))|gerdract|n(yaboasv|jnqqids|wnmpmrm)|p(kxylojy|wvsysnx)|s(tjkkpat|jtejgbx)|a(wdmsitu|nphdrfo)|q(kgrswki|cofqalc|rktrdjb)|w(rjvtcqu|xrujjcb)|z(ejvftqu|vimlxon)|vorzzgmg|hrmasccv|jtsavogs|rpfdltsw|byqyezas|ffhfysfi|klxjjkpp)|e(o(szajdll|wjyolyp)|g(euerccy|tpdilsk)|h(qgdulzo|tiyyopd)|y(hjgoxql|vaxvvzt|yrzrujc)|nvjzqwjz|ktxqrwnd|d(bftcbxm|hpikfdw)|f(bpvrpdw|qhzytyv|veysxhp)|lwtetlbb|p(xknfaxi|czzpxro)|jwdqyvzi))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633157; rev:2;)
# sid 2633158 includes 788 (601 - 1200) 9 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: "/(p(t(exdymge|ruxhqza)|u(mjsmbkg|lakqkeh|dxgscqw|gdhvaal)|cgjdvtom|a(tamlzwm|omckmgs)|r(xfkcxbe|kfpvwgq)|k(xlotfah|ycswixi|kdfwuas|aanugjn)|w(qicjwws|hkrbnlf|ddigyjn|pjxpenq)|z(hrcypvy|coxqsho|bcgbtcf)|l(rfxykqn|hrzrmbg)|p(bmleqxy|xpwxpbi|dhbrrlw)|f(xudzjeo|egwgdjx)|e(jfahbbo|ddfnmlk|tlzwfrn)|d(whsyfpw|yacjxjq)|srkhkprf|nkpbjxlv|ydniujbh|v(erwtpwp|cfvkswx)|qpevawzh|bhuyebcr)|h(j(abwmcnb|dfuaxpn)|w(lgcsopl|uzebxvh)|vvhjtsed|e(liezhoj|rfjvqks)|satidqut|u(kikkyis|qffiqqp)|f(rgoykal|wsmspjw)|q(tgqgtca|pvloael|mccrjcs)|p(cvsklxj|lbcjkab|ftezkwg)|m(gllrgtl|zpcnolx)|oiwacbwg|xdyyrisu|afhcggsz|dskjhfrc|c(cdftnuj|xcuygvk)|gafxwczm)|g(mektzqil|g(symvrjn|owgbggk)|de(biuyde|iiijsw)|z(qpqkdvg|fnyxrti|vqkoqpy)|hisfqinn|p(juarzbq|vzdlome)|f(syvrouw|lvgcfbn|nxtcrlk|pdulmlz)|ourltkpt|czwlxikv|i(oahzbfc|qucbrzw)|bzovpxsm|x(icndqrf|nmvdxom)|jxympvgl|n(qvxdnuh|hkfcofq)|yeldsudt|l(gflzrxr|xqdakog)|qgauvqvy|eighofwo|uhgozarn)|w(s(grfetja|zjvvslc)|ztekinnk|fupgrnlv|urusizgr|kt(fqhbwy|lpeykd)|e(lrxiubp|bpynrpg)|tiiyvwqc|iqffrtxu|p(hbwrbcp|dbrkjfz)|y(jhodyzc|bggzddd)|o(lwbthyd|eyxrxvc)|dkhrasea|nitytcha|cctkqltz|aodveqpo)|f(t(fomdrti|jdckhpk|tbnzfyi)|ijpgmnqd|conkpblu|yplaltzg|ljfxgasn|u(zhimwuw|diuzvtg|xlrkyey)|r(mlecwci|xdxdumw)|db(dtjxvh|gieuzz)|m(ifcecus|pgfejzy)|p(vmvqatd|suzmovd)|vfcasqck|g(asummql|gkblzte)|z(tdidbza|zbffyww)|ohrfewyu|wefnnqsk|xnjmuufm|klqtolcx|bcsgyaxl)|o(y(xrhcuxy|paqlyqb)|iyohsekl|p(mammynv|vhceidp|sqtiryy)|wrzetzng|f(xpejlgo|hokswdx|flkkfdp)|lbnmssvy|k(mjwzejz|usyuuow|gqsmegp)|v(uhtcycb|yokyeoa|tntisdr)|nvztiolz|s(ikhwdwh|fhngzma)|d(gllokpz|ljdxyih)|hqmtzcqb|oybzpern|g(z(voynts|dqsmyb)|rjvelrb)|a(sxkkjry|doyhusp)|ehoirdtz|ri(snhrbi|falbhg)|xhpyvclz|teotmkyn)|e(lw(tetlbb|ubycoc)|p(xknfaxi|czzpxro)|h(tiyyopd|dcfcqjv)|jwdqyvzi|f(qhzytyv|veysxhp|pmoaxyq|crojqpw)|y(vaxvvzt|yrzrujc)|i(edxzigk|bktmcvy)|c(lcunxqt|skdmowr)|r(wzqexkl|bwtgdjr)|wcgnclpc|unreplfa|d(uozqpmv|fkczlms)|b(ceteadt|zumivrs)|sdpqblho|knxvvycm|m(kczfqpc|zvvgaxd)|nizwhpjx|qkbxmkdi)|l(b(vglhmnu|ydkzioc)|i(lfkmlqn|cizmxrq)|lcknbscx|y(fihmraj|cpvzcse)|w(rwyjusd|llefdgk)|rygvngsc|f(hjhjzpk|wknnsae)|v(wcbgann|udranxi)|qobuzwau|hpcomkzj|spwienwr|afbfuufz|j(tgqpgra|elalxdx)|zivbojdk|x(jvjyirp|gdgkvpi)|tpboagtw|pfxowehs|uoukaold|gmqqvymh)|s(t(alvozaf|qliirqm|vsvrhdj|fdxljlx)|ygtrfvas|jupvoufz|c(bzfnzjb|iyblryj)|h(qoomxfe|efpyyad)|k(sctfmxi|kayxetv|cvklluf)|ncktoorc|l(roqsmte|ofxqkdv)|u(awvybtv|kqlhdhk)|z(cvuarwt|nqpjpdj|yokwvpz|mrouubu)|s(bkallai|ipzhtgk)|i(bxtvyoj|ozpgrno)|rpooujma|esuytbvp|v(vqvesjj|ssgjrsn)|f(jgqeiqk|njobnut|vcrhvma)|wingqcyc|xuaxvnpn)|j(k(lvvpspo|kzileeb)|ohltbzmv|z(yrodsuo|hlmjxgn)|m(wrtvaib|jpmsvlj)|w(ffhjaie|nhuqdhm)|xxgbuywi|u(zjtukjx|wbykifc)|paddbvrm|y(gmwjdrn|cchzeam|ytvtfkc)|q(xtuvmhe|kwcpdsy)|h(ksqzgci|nhhgzcp|diwzrgf)|shfwilts|a(glenvic|pjkhjgm)|nx(absubz|oeticr)|vpfnyyyy|tkcwsdfx|iwwilimf|rclwfbqx|gwdddpjo|c(ullbfjc|alxhufj))|m(x(ewbmrro|linrsbi)|uvhcbico|h(noqklkx|zkvobda|wrkycxu|qnjbkzm)|l(odhnsiz|mhpjxuo|ckjbfar|vsyxcvr)|zsxwpfaj|v(qoorzvz|saxliea|cvnlaup)|f(kujydfk|igfkzkz)|y(sakwjed|ecgktsh)|k(tvfgmpc|kahcsny|psbvmay)|plqgjsfe|curmkqkx|shfuqvzf|nvfztxkw|jmqiccgi|ialinwfq)|c(jccmrlcw|a(xkoiihb|nymyxlz)|pkewsidz|q(ebnzyap|b(owjcaq|ihtrgy)|yabcudn)|kfzucbjo|n(g(isxmtf|evsfht)|skcgdnf)|mufgjtfe|lrznpktk|r(uzxkpko|qimqnpy)|o(lazibzi|crttsqw|mlkljqq)|snghcxvn|w(tsissho|dqifzcz)|uc(frccdq|ketxhl)|xawthblh|t(hgpktur|ookxmts|ltyvdoj)|c(nnoxtda|jdmyfpy)|bqbtbfpl|duswbdlx|vcphefcb|zuzpidhg|imahckaf)|i(gjcqphru|pubdskxe|r(qgbulmp|ngyhlqp)|k(lsgvggw|vfkzdzs|ynfewcu)|vuqirusy|qfwkolnk|h(wsfnktz|ngdvznq)|lwqrguwd|cnffsasl|j(aucivoj|dweimac)|mgdolcsb|d(jkbddgg|czbmuwf)|ubwxqnvj|f(aywsqwt|dehyiab)|z(gcrmdhf|iflgobu|utfhfuk|hdczfnx)|svxvwzgc|o(uzlhwnw|ylyzbvs)|xhktokfy|b(rqtotmi|xncfbpe))|x(q(yppogvu|chrjuyo|ukbkkaa|hyyswal)|n(llrtdft|mktmsot)|i(riatxsu|xcwyivx|soeccem)|lrrngvgg|c(uljvujp|hrngfxp)|a(myfuehc|liryckl)|yiwghwbf|ukspudjb|o(d(magzzj|hgmfho)|hpmdhrg|icwtsqm)|dhhklefw|v(pkspvrf|ftykwyk)|tnvidbos|rkplszbw|wzbqqxkt|k(fuipngx|khpnzxs)|pfdmhgkc|mdkvnogs|zbxaavng|fnpomevk|hjgbicep|sospvbhj|g(scvhsma|tkxitol))|v(h(hxmpgbe|xsbqvqv|bmwpzur)|r(wkjxsvc|pfpvfbw)|d(fgyncav|ttdlrdh)|ogtvqbua|c(geiidlj|kczwjmw)|x(toaolkc|lzrekyn)|j(eithjxx|aodxqja)|tp(hrpegl|lbcjzh)|irfcttjt|z(wccqmmu|cibclks)|nfelxpqv|q(scekhxw|pkfhvzw)|l(yyhuzdh|kcrshmy)|btktwbmp|pdktinpz|enkqovav)|z(cp(ocknzn|wxmtrr)|w(xrujjcb|iayzlba|lawrsox)|byqyezas|ffhfysfi|k(lxjjkpp|xghuomn)|zvimlxon|qrktrdjb|i(wszmqlx|rzrofbz)|owzibzmu|p(aaxcsoo|nuvefng)|sqkuumeb|mpncxbal|nlkkrhco|xoeilmbz|vvmkidfw|e(iksplvo|tawikoq)|ynoxeelh|h(lbybgxa|iaozzka))|k(l(jiancah|yhwrdas|srpmfwz)|eczvgsip|z(vfhlxkm|rgxqaxi)|ikxfqrcu|g(uqxwidq|xbytozk|qvzlqvl|bpiaqlb)|d(ifptknb|jbhgfkn)|h(lqqfrhy|atkefor)|mctdbvpm|t(vdaemvm|ecbbfcd)|wkxdgsep|x(tppgtue|ylxkihy)|q(tsivbnm|jtixbck)|pgpmywwh|y(etknjdy|utquxgb)|ukwwydul)|d(lrdwivck|a(yawdehq|babpowh)|n(shxadot|rdaiizf)|xnzpvsow|p(l(dorjxj|rhssog)|xauholm)|c(ppqbpit|gggzhgu)|hrqsdbdd|e(qhgrxge|fjyxede)|djvitijj|u(hvqjkic|ilmhkig|azxpvrd|pjccebs)|g(uyimpyl|zmnsfbk|lspkfja|ssiauhx)|fotizkdx|i(fkqyoij|bznrykm)|tmbqhuga|vfkceyjv|bkidshff|jjrdcizf|sxsnnjvg)|n(n(bsyyogm|pdzmgwe|rednmvp)|zpeuqudl|w(wfzauox|uxyksmq)|x(soddwzr|ymixbks|fgtbtdy|oyrtdkc)|o(sntisfo|vnwgdyp)|f(lcowefw|sopzxbn)|umumwdbp|k(moaqien|yopezss)|ciccualz|gdpqfoor|q(abzyhpg|drbmnhp|rfpmahf)|abssjxfd|sa(zuijkg|asngbf)|tztujvby|lkukuxja|iczabmfa|vvmcitix|rajlflbs|jrqmcwjl|hwxgrqbn|dvozmjmm|etvgdyhd|bkiqeagm)|y(f(lmfshai|xqihzbg)|isydaevx|v(nytyfiq|evrhlfs)|q(vitznaz|ejtwpcq)|r(scaudcs|vbkklhr)|drikrasp|hgdjcdbc|u(iclswko|djvlnya|vuxyijb)|l(chagzsl|muoonxc)|bwnncipf|z(clgchde|ythroso|uhzhsfx)|c(akcpvuo|uhbwjbr)|k(lvtaoet|vcxsbgp)|n(oxbtrwd|ggnuqkp|qfpmquu|ijpaiht)|eplzclxm|jlluxhun)|b(mxnceasl|yvpzwaxg|dvxwgucq|jiqmvaex|i(vhjhkor|ystxrri)|wiudnzfg|u(fascfbt|gmmtdmu)|oufkzwpy|kdnvujas|n(uyqflzr|bdhqcxe)|rptkpewc|e(qvcgecr|mleovjb)|pdbwmlpb|f(geenioc|jzshnjd)|zbpmqjwd|apxgfdbl)|q(xlxomnlo|q(wybvzph|odwyjnn)|pogfheec|n(yuemroq|znbqepp)|c(h(tpirxn|rajxyn)|gfjunyw)|ekjdygws|l(wnxmdsz|vxbtedi)|wkevhqdd|oyzeskpn|h(hsdwndj|rjqcfts)|z(mtmcvir|zezhris)|kswlfgan|irbsnoze|g(ipxznev|qxckkpw)|avnbqpmd|ujqjzess)|u(e(gtroytk|tfghxox)|q(xdowupi|g(uotigu|vlzdoz))|fhtigddh|v(ymrzkpo|bpkbukz)|a(yzoujyn|hvgfsjv)|p(gtpooba|esrkyyy|qymvjjz)|s(axuldav|mwatzue|wytojox)|lykxmkjx|ncctkxwp|rjdeggwa|ylqrdmls|xhfxfgwo|dihofzkb|bqyqbric|uzjybdws)|r(t(yemjbbi|ikitemp)|agpgwpfa|n(zdmfqzu|udbcygx)|oyvtamqn|r(ewefjtj|t(zzdnqq|wgqfhi))|b(e(fxoqgk|hztmag)|owagvxm|gpqomxv|z(rqmxup|idpwqe)|soksngk)|v(lrwisyc|yfxshyl|deqtjiu)|x(hbvsboz|rzgzuxr|pglvszy)|c(jasolau|xejjqht)|wxzsbwog|y(fzqwwqj|jgfzvqk)|z(azqcztm|psdmwou|lbcebwd)|e(vefwacc|moaeqth)|dhclmucp|fwwwpbfa|mteehvno|pavdfjbc|qouwvuol|jevkzkyj|hbiycvlz|kbugqzeg)|a(r(fmjqftu|ttfokse|sgplnlt)|f(tcugacc|jpbbwkf)|o(tpszmbm|jqqsrxr)|nckltuwm|u(nzltvui|iiqjbps)|t(odasydh|nuvyfmz)|qwzslgcs|c(tdycstg|rkpouej)|mjzztzbn|bn(tqxsck|cuxyhs)|wckzxqth|s(hbtzsxg|sarcdom|btlmjdc)|pdcdoqia|g(yierylu|vhgdnwn|zcepomb)|xbbiciou|e(lzyyogf|qxanhnc)|iiuexbbu|j(ifwqijq|byzbtxh)|zasngfcj|ayrxesft)|t(a(q(ophifa|bwgmap)|cziiqlf)|bniaiska|q(ixftdpn|fdnwrsw|pjmnqmv)|z(iozpjkb|kclnvib|tydilnb)|o(czbvhzi|rojbmky|ngakqfg)|i(dzgqvae|zxxzjlw)|c(tqihlfc|vmrmnjh)|dkxbpmfi|g(aakcymp|lzmfisw|uhxgmcs)|n(xerrnbx|maybfqs)|raqmcpzz|x(kzcsjfd|n(ehotmc|kfqrtw))|tllaqiep|efzqbmmr|pjenrehc|fxyklprw))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633158; rev:2;)
# sid 2633159 includes 188 (1201 - 1389) 9 character domains in the ".net" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.net)"; content:"|09|";content:"|03|net|00|";nocase;within: 12;pcre: "/(w(q(akzisfa|bdeefno)|orxsaaym|y(eavtalh|xivuvnc)|dloldvnk|snbikjth)|j(a(vphlzkc|iovyayh)|x(iqcijle|chqiulo)|rqdctfzu|orfmdckh|dnuapqeh|u(ueydnmx|qofxzas|sdtedbm)|qjazgntl|ysiyeway|lgfosexu|zjedtfqi)|a(fabyndlp|gaxhpxig|t(gktfole|qkheicd|bfakplp))|b(zamvbktb|vpanvpgd|l(tiykipb|nzjhowk)|drktjdpi|gryzetic|auzplczu|byibveky|ijkslfoe|yhftjrdp)|l(jq(acgywb|tsulzv)|rixwyifx|pblxnygn|vfqvswno|ngfffgfz)|n(etbxerma|mzpmphbh|whjshlko|oshoftqd|fnjxtmdp)|d(fltmtjvc|xybstqqj|oiscivua)|v(jihwbkfg|amhbtwsw|u(zidarqx|uruxasc)|i(hejbxkv|xppoplg)|rfvlbctj|ldgmcyro|vvyfxpvk)|f(sisouxpu|nypqcboa|rkslakal|uukzsmrm|oeppfowz|w(wrnnphv|hczsvjh)|kzzokxmy)|s(rbaufelt|fccnupyd|l(fmakcvt|kfjrlgv)|jnxrqcus|akbdojfx|bjtkgaxm)|r(cpfstpfy|v(ysjgcps|cbkzumv|oprpdbf)|dypsnvtg|bzmtfrly|hjwccbom|ggfjpwiu)|t(ntidtpbt|t(nkemzls|smqmcio)|x(uwkxcmx|hymdder)|cuxsuhqt|vgbexmrr|mejvdxau|bcsvltjv)|k(yhfeleiz|l(rqfkovf|btzkkxl)|hrxstmnj|fakpqwng|qsexixsr|taxcqmmj|imrcrbft)|e(eclyncjl|ymlzvdpt|c(savrtok|opzvkgr)|zkpfycdv|bqipohqq|mzbiplvq)|u(n(vsirkxh|fqackbt)|qvrlyamo|giedljpt|wbaxzbdw|yngqramg|v(pxrcjjl|hsmddmv)|hpkhrxqg)|z(s(pdctzef|julmhlz)|mpnriljq|yuaeasrn|ghdykqlp|jhbitbid|cuhfswck|vxljufqg)|c(ejztklxo|byuhoapr|siinylal|mgbwiynp|gdifsazm|tjbfrecu)|q(n(awxzope|uztjdsc)|bmyxudpd|tkfkbtef|haeliann|ajafyatx)|m(ne(viqxzc|bygjqx)|pnagxkev|qizjzejg|lsvzaqsj|kigdqtzn|axbexxaf|rnxxzvvp)|i(h(dmxpsht|fvoditn)|j(vpcpvsa|cpacqim)|e(gqaapfo|lzxowlj|fgktnff)|taxuzgtj|cgfxflge|gbgrjbpc|llvevorh|rrhnbzjs|ixonmhaq)|y(yrrvsvbh|o(tnbifpl|oityuxe)|gmsvakwv|fongceez)|o(meukjchf|irlvspzs|hqqmsovn|wvkfmfhj|kvponrnv|vdsrryzq)|x(amkrpiqs|yrtwegyj|kkpubaog|pdohspkk|n(uhpulky|alvxuaj)|fmuiruot|gowogpjm|hwxmafxk|wqfltmhr)|p(ynasfqds|dayfezxo|jwhzhval)|g(h(hvwpdje|rsvlnvi)|vpcizxrp|dejddwps|aiefuuig)|h(czbghlkx|vhsatmqu|zkkiukld))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633159; rev:2;)
# sid 2633160 includes 600 (0 - 600) 10 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre: "/(l(m(hfcocgiz|izlwhesy)|jhuxzxzol|qhqpeirem|g(dhyydfnj|qwrjleff|purcyxdv)|l(ppnnwlty|jduuvcqv|msbubdlo)|f(rfvmadhd|epqjqeeu)|h(ipovjlpk|efmkugdq)|topvgvlcz|u(fusmkwvl|oghlbihh)|ylzxeqigs|oixetapoj|saoolftmg|ztkixtidf|ewbqbnfty|cjaqvwlqg|nindbrozr|r(jvauesks|yrmdfpbh)|wilyzjlim)|i(z(cbraikou|qvkzbalz|bjsqepil)|bnkmdtgig|damhjkpzx|o(zvvsgddp|kdwcgsjr)|p(qhvpcebn|jaftwhun)|csblrizsu|f(ycxpkryb|mrgkjpxr)|snjcwmksv|wmfyemamb|ehjrupnrr|jgtpbezbd|x(smhvakgv|noxfasce)|lhiyjbfjv|r(eclsvolg|hxmkhkdn|gadhnhqr)|aprpgsvsz|thnyennuu|uceznkohx|vivphwsre|gdsyereoz)|b(f(kcihrrot|znugykbm)|o(zdnjelnn|mmnjznor)|l(fgfzmimq|clgciucf|x(haqqfzs|qzjpthk)|dyuixbqt)|vdfoyopvo|clonpofaj|y(criwcvjg|ronlomse)|auxplgjxp|jcdifkuvv|qhncuiupi|iwrggfgkd|xkqxawtrz|msxdzxcov|nudzdrxxd|gmuivumlv|uricvouzv|salnrlewo|rpktkbyds|dprkbnwzc)|g(m(kfdalzku|nolgbcze|vyejpclv|ocifvpbm)|gsiryoluw|xwoarybqf|koletizbc|sgmljdgff|t(oxzhqbat|yzgrsmcw|mennqzdd)|n(mrfratpy|kuudfjby)|iletyuffs|y(rkngosdh|yskqgkgq)|jxhwehosx|rwoseaafb|bfungcsgg|ednelxtjk|waxihrwnq)|f(unqqnjenf|y(glxmormb|brlevexg)|hrzozwcru|i(jjtzomkg|mmtrkdsc)|psthmqudt|xrftbxrek|t(ywgnuezu|luaopxga)|dkerjtvdt|nyxepwfhe|k(ymvozxhh|pvijnjqr)|j(voiyhmwv|nagfxyyd)|gyqoesxdx|wfavgymuo|cmrqsysip|b(lxzlxgei|ixgwshbt|yypiiitl)|s(hvupdnwy|bjviqhso)|aijylzaaz|owlbfardc)|n(qirdghwgk|evbbgdydg|bncsyiuje|clwynlucr|zzxgfprfb|dhqzithsx|thdgqyuqk|k(fediemqs|jvuehzpz)|apgpximeo|nffohvhrj|fwilivcyo|ordjcavsz|mspqngsgz)|z(uuybcnjmw|c(hpnzobrq|rdypbxbb)|rhdcptrwp|z(vieeupft|hgsgcmuj|nwdvaogb)|dt(zrjzudw|nljnzzb)|emoocuzhu|f(koysimxg|bqvaoluc)|bbmitdlbc|n(kbmiqkjf|ynkmkqma)|qonuvanjs|wholefknd)|c(edwinlpju|l(oyokykht|jytwgngr)|fvzbukukx|p(esuzgxrt|reqoplkz|zorxvmik)|c(zhhbobls|eawhaqxy)|d(uztxosen|cltnlnjz)|u(tzfelrbt|htbdqooe)|y(zwrbchug|jvavhrty)|isnjlsins|heqrdstob|aywbtfpwo|supgdhveu|klyjfqiko|gzstdvjvo|rlktqwtcg|zdjczweze|omfgznisb)|y(ernzcsnfb|zmeukvnsj|q(dibzadtw|percbebg|xkkligcp)|akxcfblgn|b(lgriuhwa|oiglkrvc)|j(fuhscdbq|dyitbocg|sviftlsz)|tbmxzkdgk|l(llsylidg|ummltxhf)|vlduqbzju|d(mgffsdqb|xuuxrjne)|m(enitgfvl|tsopqsaf)|k(lskzzrow|wxamxdyh))|w(z(wvnomywj|eqazbvub)|kjbdlyqzc|vchktbkwl|fchtofigh|xjicgaszs|e(tqngpmdi|erdgpmxn)|s(xwueknmh|mnodtzkg|wqhhhjbi)|m(uvanmhhk|kqvposgv)|borsoqvqc|r(flstklmk|zqotrtqw)|nmiaejtxp|u(qwpzvwyo|pwhjbaxz|bfedhcoz)|pgeiuuzie|tyhtyuztf|qpdbiqmgg)|v(njmcmxlfz|d(mekoakze|hmozlnfo)|armzwcepi|ezqdixxrq|utbunqaza|c(tkijbysn|djwmsrfv)|g(bkaqzqje|kkwxdbzm)|lfptdbgqw|yzcxcqhad|xfnfvakae|hkmxkveeq|tcfglvppl|i(ykmmxipb|bxefbmjt)|wbeykrqix|jcnvbxfmp|pyytwtxie)|s(whygitbwc|f(ivuvuzmr|zejfxgkd)|y(kqsbjrva|hjvsnjbz)|csbmeehey|i(zalxjouo|exkqzicw|vjtxlhyj)|xnmolhwmv|q(zdanlnwl|hvxbjxyc)|kr(ksaobdp|geobrtk)|numkrdchs|vswnuaxff|rv(wbwpltc|boavayt)|zhrfnogko|equmvooij|lxwxjcegl|t(wqffvtid|jjuzwsxh)|dkcgsuuim|gdkeddtvm|jqvxwuulg|pxyyouxaw|ayklyqfhk|hjbkzgfii|sdmyltkxf)|o(e(rysyqodb|djnzwmjf|oxgylsur|ekuqhoua)|oldzrderx|jnibigmzz|a(jxwunxka|gsucnzau)|bovxnorry|dhhfighns|hqdrovfzf|vcqnmrzrp|yxahhwegg|rrjrmawzh|udtgambjc|xfxphvxcw)|j(j(vyssfavf|y(fdirfhl|kewdwzv))|zrhlqpctr|g(nsjtugmz|wvotmiwr|yeqikjwy|mfhygrqh|acjxssfm)|n(gwvsfcpk|fjcbzaum|kbymkykp)|l(wxamivch|zlativas|sbnqoswe)|h(wgilqfps|lcefiqjw|bqtenmly)|v(zvzcjvuy|fndhufrn)|svknmdnrh|u(nyrlntqo|fnwusvzh)|p(rivmalzg|nthojlvr)|fgcvbglub|opfqajgxs|rbftnhnse|cunfnfcxr|m(kpvqbfwp|nxxxwqpb)|y(ikqhhkhs|vmjuzamc)|xbcxnkzgx|ibylrxkxy|boazeymhj)|e(ujpiokaly|i(mvencrda|naznafga|igdxtyfe)|mypzadmkj|w(hzonfjks|rvqcuonc)|jfyalryrq|o(zbpjuavh|cjrhtmic)|p(ezpngbcq|cinwilyy)|tqivjojkb|zzueuzssy|afnudmrbd|rzvrboocm|d(fktdfqsv|vjqadmbs)|lcqenvqig|hpjwtyhhz|nmdsqmmtn|ymojktmop|vdmiqtqrm|euatwubmk)|q(thhpwlwtc|htteekmsu|switfyxdq|v(cfqjnklj|eyulylkb)|ddpsjoomv|oxrqaxgbr|lpcxvcwwl|z(cehvbutb|vvfqvdpd)|roqhapisu|fppqcnxnv|xbzaqjpio)|x(u(vvvzjieq|kzrflrmc)|mgatrarff|pdrcnqjki|q(gnovffdh|npfcbbug)|ebwbkiqcw|ghzdwrjeo|w(vwgihoqp|ekhwcrez|rjctpjmm)|lwitmpsvf|ougixbikf|cxnvrtbcv|h(hoizowet|oibxrryu|wfxqodyf)|kvfvixsli|yrnkypzje|nqstkrarj)|h(u(jfcpvkkm|mljbdfaq)|v(ljupmjhb|ashcynks|dmlfvloj)|ndionagko|qvxthttqv|y(mfvbuwuz|slylnlhf|nozwgxyr)|obhezzcsb|l(wimzonuw|jzpbmkjo)|rrfjkaeyy|z(ndiaorev|xancitjk|yvsczdjj)|x(phukuhfu|czpwxhxs)|p(zczfrocc|r(nxolavq|obczhjh)|kfmupzss)|m(rxssfmbm|tbhzoadi)|wasxefbln|calacurvu|jdwukpbjs|g(fgknnxvj|vxlaxvdn)|emopyixlu|tsorkmmtj)|u(rgjxgntdi|s(eazzmfrv|iizbuqcp)|mabjrwdpi|t(hvcfzlcs|xzzisluc|nlardpry)|vcurvtmvm|e(cqgmgxbg|ohrxmapc)|nsnygyfdt|d(tkiegmde|v(ufthmmp|xsattwr|msjzwea))|acreoyjtf|i(pzmuffpy|lrxzfthr)|qvkvjnqbk|pualhoyxl|ueoykatnr|z(slyemkgp|qkpunaqy|euzfbvws)|hueldocgl|jvuiptqlc|luikhzete|ceukvxktg|xibmjlfdt|btwdmosfk|okmthsgvs)|a(c(udivqgyc|fzqjgcju)|q(zckvozyg|qownivsk|aiwkzjlr)|pjddduvet|b(wghklqdf|daivlmxr|ngsaftye)|l(bohejsrx|hdqermly|ryujcdwn)|d(tipzqgqh|ytgvcsld|eopterqo)|ortlcbscw|tqexjjosv|fjdoaxfob|yeizgpbbf|gqwxyrnrz|ifyuecaio|ucpknsskx)|m(hyueyqzfb|bdmnwhfoh|a(clxxoblu|uwipnzvh)|nlfzudgav|j(zrujwjkl|hjpmkicw)|yryfbgdbr|w(tmxhgraw|etbjqndl)|tpvhbcotw|qwqjfukkp|zehxdokgz|fjqhymjzs|psmwvngnf|djhuqwbse|r(mxeufzte|gxertwai)|utcgozxsi|cobeuatwn|gwrtrrahh)|k(d(dwjfrkka|rrdrbjnn)|jhmalokbi|zzhtcbgfa|rdskpakwc|t(odnvsrva|pfmenfom|spzerogc|zgboaciw)|uklsluvrw|pcfjofypc|h(clmzuexh|bdyakjlt|abdkxdeg)|l(fwuqppvv|aqkjsyku)|q(nlhrdrur|vdhjaaai|gckizmoi)|o(hbdgoqgm|unvfiqpj)|k(zkacfcbw|oundubhx)|arynzhwkk|yvkzwxdhi|c(claslbkd|gzznepby)|whnxjrakk|vupvpxuta|iguuryose|guauermfz)|p(dvquyhtmn|mgnkdudai|h(d(ymxvdml|srdxqbg)|azerofrd)|ocevhhtei|yjaqntkka|qvhlhavqc|npnhqoepq|rxskmbyxu|zlfztiwga|x(w(ycmzuub|hcxttxu)|vjmgyrkf)|sbgchwepn|eltztucib)|t(wlsbdxcut|ncdayuqrn|eagqjwbop|toazszviw|v(ilqlxvso|btzrthiz)|uffguigcu|h(xaayamhj|sjzskbui)|puqhcnogo|k(raqcnbaj|aomzogqd|bnqcrflj)|sjzgxuzez|cvbjuuboa|ypzxmcbsk|oywvjvndc|ikpptxknm|fwxvfpojk|jkwdgcsut|aqgyctots)|d(u(pqgxxvgc|kyvknnko)|v(qitrpvla|poeqoeyi)|p(nmietzjj|bkgwemnd|dganjmkh|onqsmysz)|dzrzodkdw|tkujbuyda|mmcjjsuvh|jfifmeylr|hvrpumndx|fzkuvhint|n(nhexmwvv|jmempzob)|r(opvxzcmu|vlhicvbd)|cckziilky|xgqorroov)|r(rcxjcgvll|zaydljndw|i(kxptlxql|wkgaasbr)|m(zyhnwtmn|cqbggzub)|l(nnamyosc|wapohmdw)|n(xebubjit|fcsweqkh)|vbbadklcq|x(dalzezjh|lfgsslfv)|q(xfbvifxf|gsqdooch)|hvxdxgyqf|syvnvwuzt|pktdpniwu|bfbwqrovj|gnnmhydym|e(fzlavmrh|qyxymsuq)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633160; rev:2;)
# sid 2633161 includes 753 (601 - 1200) 10 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre: "/(k(w(hnxjrakk|mvqfwphd)|v(upvpxuta|wsuvamhx)|q(gckizmoi|ubmrygop)|c(gzznepby|uwnianmr)|i(guuryose|eqalsqaj)|g(u(auermfz|bzwsxni)|khctenmo)|a(dovkcaqb|jekqeohg|pysixdlq)|j(qmvafrzm|gbjlioeb|yuwishkq)|tvlfgxids|o(gmgrymsl|owsrcfcf)|npzgpghjz|uojlmmxwb|mnnvwecal)|w(rzqotrtqw|u(pwhjbaxz|bfedhcoz|ibnwzxcy)|m(kqvposgv|aprhdcih)|tyhtyuztf|q(pdbiqmgg|noinsypj|jfualtrs)|e(yhuelgys|oogruoso)|b(frlzqesu|ccuvczsm)|wahluswjq|owdkzlhip|fclsoiksp|c(dgkvbzov|vgbotycy)|d(lsxbqaqn|uklsnxnu)|v(hcbudnni|nfwxpnbz)|pbsxnnfnn|k(zwqadhnt|tgxuhrah)|lckeplchw|z(ehkuisjg|foeszare)|xnrluvehi|gjsamhpjb)|f(owlbfardc|immtrkdsc|s(bjviqhso|hdeiiomq|suntykac|gavuakrp)|byypiiitl|f(glhuufcl|njuvyecq|xeqvwjra|jpuzmbgk)|g(ogpbthth|nesjrzxj)|l(jngwoqar|ehmqcayh)|vflffxhpf|wmdjwabfm|a(mleuqwck|prflntms|dwegvohg)|h(robggevz|muxkdknc)|k(vqreauui|krdadzaf|eukksnhs)|y(jzxlvwdr|mihnnfbn)|x(wvjnmvrp|vlxjzkpl|afuraazu)|m(jlsungld|gsyedjtx)|dxtmsibkg|ceptqmour|jtyeszlwt)|h(p(kfmupzss|robczhjh|hjcpjfax)|vdmlfvloj|mtbhzoadi|zyvsczdjj|gvxlaxvdn|u(mljbdfaq|feqybjct)|y(slylnlhf|nozwgxyr|rgepvzsp|ettytewq)|e(mopyixlu|otrslzii|axznmddl)|tsorkmmtj|i(ztkigfro|mgeezwtm)|syhaqxdli|j(jniidpek|sgtjohjj)|a(pblpuliq|mwajaqxj)|wwsujbseu|n(nyudyeod|isfkxapw)|r(extpdrxh|klecpdzp)|d(lvzcihqv|woypdkex))|s(i(vjtxlhyj|aboiuxyi)|p(xyyouxaw|pgsxwmod|fnktplql)|ayklyqfhk|h(jbkzgfii|aiukumol)|y(hjvsnjbz|vwkamamf)|sdmyltkxf|q(hvxbjxyc|tzumctiy|qkotxowe)|r(vboavayt|prmbltud|ecoonwqk|gihtzzbg)|l(wwaxjcll|ycdolimw)|u(vzmqzqtk|fbdlrjzl|ifugyazh|ytoaiowz)|trbojfhmv|m(utpdxwgg|kpvlzdtb)|v(alhrofdi|zxjimpji)|xiuaextpl|efafaxgqm|fqbygsybe|c(fffaxlly|tecuktoz)|wxyyubcti|o(letwpgzv|pwnaenvh)|zwqzpvbri|nuijortsc)|n(f(wilivcyo|qwfjjthe)|o(rdjcavsz|fhhgylen)|m(spqngsgz|gywuallk|ebwwwssg)|jljgxvdth|ixgfaoqkh|k(iyecoyak|epxnhcxf)|b(spvpgojq|gvhovwri)|s(ooawjhbe|mudgkbiw)|d(dwykemmo|mjwavjrm)|h(gmumxkhm|pzvhimfc)|aycrekprb|rdbthgqni|ztpagymlz|piyajrekr|uwumpavka|t(emxotbgb|wpbefhjy)|qpcjzylew|cffrwrotq|wgfwwyxqs|eorjfdxzx)|u(e(ohrxmapc|fsqtdrbj)|zeuzfbvws|ilrxzfthr|s(iizbuqcp|ufvnesyu)|c(eukvxktg|yuefwwys)|d(vmsjzwea|obmhlmok)|x(ibmjlfdt|eyzuiuva)|btwdmosfk|okmthsgvs|gzpsnlamz|hgnsdymuf|pbuutjoke|f(tzwfmgnz|pndxdher)|m(ezinzedx|gyohhztz)|qcnybleir|j(uxafmqds|dsrtxndz))|j(g(wvotmiwr|yeqikjwy|mfhygrqh|acjxssfm)|lsbnqoswe|i(bylrxkxy|qelvjxzu|rdqocobd|xjpfnnwr|hxgjrewp)|boazeymhj|mnxxxwqpb|ufnwusvzh|e(ixwpfqyw|kektqwnk)|s(axqaahsr|lhprqdqt)|w(vqzaoywu|rikdshtw|iwiomapo)|f(crwxoshe|vguppqln)|o(hhvmtmgs|ewswspsx|rbyrofru)|pkdyxfexi|tbcpmafbo|h(bhrmikiq|jzfpnszh)|d(lsclruzn|itdjxttu)|a(jitlmqln|pungqgpn)|rpbxepqgk|jzqrtzqwo)|r(x(lfgsslfv|vyilttrl)|bfbwqrovj|nfcsweqkh|g(nnmhydym|uxobrbpo)|e(fzlavmrh|qyxymsuq)|qgsqdooch|ratdzxnme|f(mmsfcziq|odjovsym|tchetsdu)|o(ibrwujux|xkapsxcw)|sobeacaay|y(sbfhfyoi|msnlkiyx|bbbalngr)|tb(kjqsqat|clmdqqc)|arwylmvaf|lzppkrfsy|m(mujbxinq|otidtyda)|usvjoclsj|jnxijvkbk|cwzoruwgk)|z(n(kbmiqkjf|ynkmkqma|jyqykbya|iewzejdp)|q(onuvanjs|qlpddelt|ypvhpxwk)|wholefknd|carilbcqr|eutjfofgs|tdjniwtph|ftxjyzzdu|lmkrnktop|xnfqfwumk|a(k(qprjkvu|xvgujil)|cejfrsjm|lxyevvyf|xpobevxy)|s(ozqzljko|mumyxcjk)|mtplnjjmp|ivxzsznbl|bgghpbunn|hlqhgmdxf|doqnusnjd)|e(w(rvqcuonc|pnnvzfrb)|v(dmiqtqrm|xayqstpo)|p(cinwilyy|rdyrtlci|wzzcjmny)|e(uatwubmk|eognppaz)|dvjqadmbs|c(ticzwfox|xuyuaeqh)|g(uizdtouv|plxqxkfv|aepckonf|vlfoobib|tquaiovp)|q(ucyxvtpv|jinljleb)|kwzgfzqhm|idrnbdiaw|yaimjzhtq|jvmrenowk|oqguzcsgb|xm(kcvzvfk|ozmvqor)|saliboxdu|a(olqacplw|sawjmmzv)|fsdhaddzj|u(spoimqtl|illfblzb)|bgsjmhuzu)|p(x(whcxttxu|vjmgyrkf|nzvnztze)|s(bgchwepn|lgwywnxw)|e(ltztucib|apwpxmka|wqzaglwd)|hazerofrd|g(xwarjgqp|imsvmnxk)|mlaanviin|wljqpshjx|l(ybciqtvr|tkpbghac)|p(ahknymmj|zhgxiuuq)|jdcthkndk|bvssdiwbx|ufpcrkvjw|c(vruhhxcq|lacssbkq|iiaqnhtq)|r(dfolcapa|fowpgnoc)|ydoutxdjl|q(bihudthk|qzmsniew)|dhxdpksjr|kilqqnhng|tlbnukuex|icmwlujrd|vurfysopf|ooxyfqdda)|l(g(qwrjleff|purcyxdv)|mizlwhesy|u(oghlbihh|fcabkpfe|sjguybut|lpoqrtqm)|w(ilyzjlim|sawehrmm)|hefmkugdq|r(yrmdfpbh|tqnrvaxd|rjhsgeiw|fbslewzb)|bgabhwssj|c(hcghpdki|qsiffbvk|acrfgplm)|s(plrqjfkd|ggclxmjv)|epdldlurd|jjhiooosc|v(kfokugey|jdiqblop)|z(vlyttlsx|lkcepbws)|l(pklfnfkq|vjxssrsv)|xpfcsesbh|phlcplwbs|qigeyumfd|t(cpjmqdta|lmkcwkho)|k(kjmauyxg|eweeqcrg)|ampbbqzim)|c(p(zorxvmik|ssmqardf)|klyjfqiko|c(eawhaqxy|yjupluyx)|y(jvavhrty|otvbuuso|snwzadyd)|g(zstdvjvo|sopredwf)|rlktqwtcg|z(djczweze|nwubrosg|vfzkmwzb)|o(m(fgznisb|zejipuk)|bclctjeo)|ljytwgngr|b(khlgyqxr|xofoxaiz|bovzmdfi)|vhjwsiwhq|f(frsjxhaq|hiomlpax)|i(eowvmocr|uqkoittj)|mfrozslfl|dctcdsgpm|n(bttnivsz|ldsjwony)|elfdamqix|slevjrixk)|q(v(eyulylkb|rrxkygst)|xbzaqjpio|snivbyssp|d(sblepefb|mnpljmcl)|t(vqzubjgr|boaikjta)|j(epjidiim|zsjizrql)|cxrzjkibk|pwfcsqrku|i(akkodrby|jfroexgr)|r(epfeftmy|rmyahmzn)|u(jodqomlo|frmcoqfg|scjpyhqe|lknrnwnb)|abmrvnvnl|qghfoykva|nfcvpdjyy|wcqxtcnwc)|v(ibxefbmjt|wbeykrqix|cdjwmsrfv|j(cnvbxfmp|yqkabkmo)|pyytwtxie|dmavmubhd|vbqfgrykj|orxascrqu|holksownh|zutafzqdt|umsdvbjoc|fdcrlpive|lenspqpjm|tskfainfj|mlqnkzzrj)|y(b(oiglkrvc|exvlyxqg|cbkmoogg)|m(enitgfvl|tsopqsaf|opusgref)|j(sviftlsz|nhxzjeaf)|k(lskzzrow|wxamxdyh|qsauqrfg|gawqmwhh|ffcqezdk)|qbhpupjjv|oa(zfwnfgp|rugynwo)|pwmdzeejf|i(kvwlpmdp|snnhekur)|ayffrcipx|u(jdkkurgf|t(lwmkfum|mabqjlu))|efnuhnghv|zgqtnygts|syizrispi)|g(m(v(yejpclv|somlsem)|ocifvpbm|iqtboacx)|b(fungcsgg|xdnvetme)|e(dnelxtjk|c(zuxbwfz|apdqfva))|waxihrwnq|ibdjkqvgm|qbrawifat|rhxymqtkf|p(yfiumpjn|mqukgeyy)|k(gchaswyb|jcmrjupn)|utqmcrtuz|feomzdkwj|vipsxymzh|necyjwogs|jkirlfmxd|lpsvqcsvw|yostnznbn)|o(rrjrmawzh|ud(tgambjc|mmmmejl)|xfxphvxcw|navftmuzi|z(xuavjkti|ilpxhfin)|m(ahazozom|wqeefper)|plawzrpco|y(xlcfrpod|twkfpetc)|j(kbprxqef|phankosp)|ibmumtrgd|ginkftvxu|tqoqfglbs|dgxujbczo|ep(vxwgake|okblako)|vsdnvhjxo|q(xqhjpxfv|gmpiigxl|hafvnudu)|lfyuipgya|hqyxnnppa)|d(r(opvxzcmu|vlhicvbd|yskjwqbr)|c(ckziilky|yocpqptj)|xgqorroov|n(jmempzob|pkgresdy)|b(bvfoknph|ldcpmufh|wbgniydp)|i(omjrizih|bhmfnhtq)|f(nmnvmaor|crvzkzmh|iwnmrugt)|p(cqpwbfry|xguvmfzr)|ouamzdigf|v(egkhilpt|rbjtdued)|jrvrznlig|g(gvulzypi|uxpsfemb)|m(tlockdfv|qtsihtqx)|yskucbvbl|q(cxzriyap|krpajnlz|nsaozlqp)|wvuvhcwev|drupksvqe|azvzrdvco)|b(uricvouzv|salnrlewo|r(p(ktkbyds|hzjgsvy)|ypdlrihw)|dprkbnwzc|vdpzddazp|aerknwtcb|kzxyezxao|qmatgztdp|b(oywujnax|cgkaedmy)|wxkgpoenv|lvbsczwhk|n(cupwxesb|xpxlyspw)|myqvursea|zcjakjlrw|oaxlhwldz|eoezemryf|f(pqnkesoi|xfylrckb)|x(kmicpsfp|pkdzinot)|tsriagpof|gyegcqjfc)|t(y(pzxmcbsk|nlevtkad)|oywvjvndc|i(kpptxknm|qjweoivm|ykcjksmd|bskxmalv)|fwxvfpojk|j(kwdgcsut|wqzwsaru)|a(qgyctots|vqjfedeh)|vbtzrthiz|h(hxxmtlbj|vrxrnhnu|bkrusfym)|ggjjtvpww|zypvofmcb|w(m(kcgtbvr|cgzenfb)|nhgwrxde)|mwcxpmcfz|ubuoffway|l(skgzqykp|hpmwzlhl)|xbgzrzdtj|bbhovrbha)|x(y(rnkypzje|pwraxqqn)|nqstkrarj|h(oibxrryu|wfxqodyf|dztrwpva)|wrjctpjmm|u(kzrflrmc|jzhoqnvm)|s(lwxelxqr|ebnbzijx|ymidtueq)|fxcmmsmgt|r(rqsjarju|ppieamlr)|e(hkqtcflv|doutzgxq)|x(qfxqqquo|fhevzlfb)|b(hmycktcc|v(ornevyo|qmfocrg))|gvaenmsar|liluergjm|m(ycjhanhz|sbjsvelo)|injhrfzai|puemafnxp|dgudzlyye|obhctgxhu)|i(a(p(rpgsvsz|pmyjgxn)|ruwelwif)|z(qvkzbalz|bjsqepil)|t(hnyennuu|vrpizplc)|u(c(eznkohx|myrpnww)|bsahpfkg)|vivphwsre|pjaftwhun|gdsyereoz|r(hxmkhkdn|gadhnhqr)|f(mrgkjpxr|garmmhlw)|bbedduzqn|j(hgyqpddm|uoarrpmd)|qhrxrkfup|y(sdljcygp|mfmroeyv)|hbcumbqyx|n(qnvvygaz|hhbrzgaa)|d(behwekis|xyyslyln)|wgmurhbhs)|m(jhjpmkicw|gw(rtrrahh|szbjbii)|rgxertwai|e(nxqbptnx|dvgmmcbx|ylvbnelf)|lprilluii|iwdfajlua|nrxymdhro|oykyfyjfn|borvrjuef|a(tibuwzwo|kvcjvzsk)|hnsdprtjg|t(fbqyygsa|dztaiapu)|q(xznwcfrc|wtwkzswh)|d(qdvkgibs|drtecakc)|fkklvywgx|vswqzndfo|ztxwzgrwr)|a(ucpknsskx|d(eopterqo|jdpnpbti)|q(aiwkzjlr|dxfnkfsc|wrgxrlvn)|zpbmyovqh|o(r(gkdodsu|hesldcw)|lrwcfcry)|l(c(osuusex|flfkkcx)|fwxohjpa)|a(bqvfkavm|uarayugo)|p(m(ipizebi|qhnlsni)|wkqjynge)|eosllmvse|rvyuqryqu|h(fpmlznrj|asaaadbz)|ktzgkmuvf|fucpetaca|jisvxwhpk|ycwzovofk|gajpkgzhs|xrqncybdb|mgnhgagya))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633161; rev:2;)
# sid 2633162 includes 153 (1201 - 1354) 10 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.org)"; content:"|0a|";content:"|03|org|00|";nocase;within: 13;pcre: "/(g(kghsbutoh|htyblckvw|vdzcrhpza|bdpjmaxop|uhbrbqkve)|r(l(kpgrabcw|qzhmfdcx)|xlzxldrqe|jvohkwzqf|sjypengqe|zqhkphhtj)|y(srqogjxlo|xbygamzom|p(idgfsvii|hfypyuqq)|bagfmvlif|tkbbpkzob)|e(inetvojgl|yncbhltjv|hehtxasfi|uorebfyrb|xiezwfjnx|lxaruryvv|gfncanibi)|o(eqzfasdxy|nhcvmrgpc|ouospuwly|mmzgwknsb|dhwwcsjyj|tdovvbdbh)|x(vzbfhbbkq|diefgsxht|juoyrvlpv|xjidoghii|bnazqdtck|zmcrtqskx|pskoympgm|fdbkkdaih)|b(nfuhhvqbb|jwatogajp|flrfwunlk|xifteybsn|bzdhhtuxm|webonoudb)|m(plxlxqzmk|ocngehuwh)|p(sybuwbmir|u(agvztpnc|xpwuupjs)|ycbxlpmft|bqfjpiycx|dijnzureg|hudhomjlw)|q(xvkqyqdfr|a(tngmncsh|oopimxea)|rhoizlcxi|hkyeqjghf|e(ururcsaa|nrgaiyrl)|uvwlssyki|dhpijpzse|navlorntm|zrlfdniod|paducegia)|h(lgfazbdss|tmnsdkdlq|plqxqvsan|kvxqqfuiv|envicjjhd)|i(ydrgdzojx|elrqctafc|vrqslglgr|ajkjpryuf|fopplbsds|stdlvbuxj|htyfhuvsg)|z(h(eyouaakr|drtnejbx)|pepqzfsmn|djbjlwbeh|sfqmeqoyh)|l(duypuahvs|xrecyzsqo|uwtprkkgt|mhigrnhqj|k(viiiqnza|jsvyjfow)|trzvznpqc|zaxysifok|sumvhzfhe|vqkpilpfq)|c(orywbwyip|bymhmsedf|ttdlczzmh|zydjbtsud|ptkjcnpmw|aisvyojmm)|j(d(dpcolgco|aqksogbz)|bgvtwjzgt|wqfatepyz|yekjqvvzl|jygthpang|pstjxjwel|fwdfrjuhb)|t(pajkittrl|oonynclih|epifvsdgr|yvukbrsqq|cvmybknsj)|d(cpqaoassu|zfgkkprdk|tbryzaiak)|w(njmgixuqg|piogajxsr|twpcyxhjk|ltgscrwee|keqcaqusb|qahfmzzcw|hcgjdtccz)|k(xlxdgjclw|ovctsoopw|uuzkhqnns|tfrjinrsi|rrijpelyp|lafaqujnw|bpxhfvkkg|qyhkvmpys|aqbngacxx)|s(leaimpuvb|hwzhylglt|ckhnbpqox|qymuhfygv|gbnnbbzpg|zjlfbtmvo)|f(afkqgtmsd|l(lreljvxj|tgfqfvev)|xqabfvhly)|a(k(klyrwnpv|evokmzdm)|dbjvfdgfa|qjcyboobz)|n(gongfekdj|xagpxuwny|cigopbozh)|u(qhlvqxkbh|egbxinavc)|v(uuewkaexe|nneinxllw|isarnnjej|cqlmptzjx))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633162; rev:2;)
# sid 2633163 includes 600 (0 - 600) 11 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: "/(x(i(mulgkfecb|agdyqddky)|rdwacrgycj|w(typqyjpvo|mumshlbgo)|anjarcwscf|ujjjsrgsfb|je(mzotvjiv|dhvnesgx)|k(zutruipaq|fzyxejygk|hefghmduk)|nscyafnmmg|vizkknfxiq|dwhcieexnu|z(jblauhljg|xbzaravnb)|lkrhudshhc|psfvcpuwcp|hajcmklugf)|c(rvetqnysip|nygexcndft|z(wjznbgghs|npalysoaq)|b(krzayepix|jtfgkjqne|qflvggkes)|lknmdsxmoe|dckrwcituh|k(rjvauscxm|nnmeptwzi)|jaungtsdyg|fincklzijq|g(mdebusapg|lamxrhvdw)|qediibmgvw|cbkinhclxc|uozrefjuxc|sywnwtdgfp|hbahytoint|xxdjlywjap)|p(b(hxxcmzwpa|kfjglgrwz)|atbwfakoua|f(sxgovpqrg|cwwvmxejn)|n(qkadwzjzq|kxserafue)|s(mbufliqja|vrfcevbck)|wowgwmkzuf|z(uekipzzfc|fcnyozrlf)|xvanbunohu|e(rtqufaiwg|aiijitujg)|pbfiynotsx|uzarmbvpam|tfpsyzzunr|vtlafofuap|jjycwlzogr|rnsxsuhdft)|m(r(qfkgjhotr|xhxyvdobq|bbagksyzo)|g(zatdbftkp|twplujkmi)|tntdjlfkcv|dtubbxawle|m(rsozklzae|wgnlzvnje)|s(seosrcuuh|ihysybfca|zrlkmvkpm)|j(wxyspnazc|kcdrxjbsx)|c(erhlnpgub|mhyznrfdx)|fjpcopscfn|xzimptcsmt|lfyxhksuke|njpggkaiaf|w(gquryttap|uqauxrjki)|ugissidvnw)|n(n(lyehjnjxb|mguoqsfdk)|y(exdqlpoaw|lbezbjswe)|juigtwlhvr|wsezwkieic|xcrgwlusqi|rzmmbfuxnt|a(iajhqshbh|eeofxfquh)|lmiensklvp|f(medxprjgn|aagahzsnu|dovtypxbq)|ucafmjngza|q(valskhkhf|jbajjxhmt)|eadcjypmha|bxjzgqozdh|mhbjngqlvr|dvwbsihckp)|g(ywefqzsihy|k(hxflnoklw|gqixcnama)|d(uryftfijt|dwcswhnoj|qwrpkuizb)|l(mrjbhumqn|xpkaqqpng)|zjeuxejycq|f(iguqofphf|bvtlfoqww)|o(smazbbdiu|vslfekwnl)|mydrezyyue|j(vhvguqklz|nznkqioaq)|vjkytkaiza|b(lkoutnmai|fdclplnqd|hfyazvvdj)|rxajiduvap|chxdvhxmqv|gxqlhgdqlp|tjqfdsqqxs|xwgulprrvm)|i(wjxhlwscwz|fkxtitdseh|exojyvdykg|zxmmyyiula|vssrgxcnpp|pyboqojvnw|gtpfcmapyn|r(bhbjtltdz|hvxytpjss|xyjwroyol)|o(fancylcik|bvcvcictn)|hjevvqijgy|xsomzxgcty|twiritgaio|aaqchhvkmp|l(lrirknwhw|rmvezqbkf|bpqyzoqaz)|igubdkilvb|jngdmzqhjv|sjxtfqrdyx|njkjsvwyjs|ddgajytixk|balkvjwywk)|h(yqpfdyhdfl|m(eibrgnydd|yoqbsjdop|vdavygkvk)|n(oluzdobva|vwrgtxrin|taddorpha)|vyxcrldcmc|z(ozpxogdfm|twjeuxupg)|bfhaxevome|xixipyxumh|sfetccumyw|r(bdozmoyca|fztbpuqwl)|tdyqknoccb|h(svzdhvqlj|hjlirsojd)|gdzsdwbtkp)|v(rljqrtqind|z(idnmljqud|ovitytmwe)|t(wfpkizvzw|gqnromkjl)|dspizqfgdb|p(zxurteter|knvhtsojg|dkaudtmjq)|f(hcgmuyvoj|spaxqpilb)|k(qhdcsgbfn|dzixlcfjs|kjlnepsnc)|n(qaqqklktv|fzdkbxlxb|pywuesuuo|ziwlqosas)|aljkywoqfy|bvspreqpwo|l(cedtqfvlb|uskrkmgnt)|s(ilerjonqz|rutynaspu)|jzfnhgowsi|osmpgoqcqc|mgupvmfwcq|u(jdxrsuapl|fepfhrqzi)|v(weyjaovcl|rjvuclluw)|eaaxwfhghm|qelnjqfaep)|u(blawoayqol|q(ejnvkgxyh|rtdbtlmmq|locavodtt)|j(ebnwjsrmd|gqybnkqlz)|wwsprejdqw|g(ocqcbulcd|nblebyyer)|r(msmnfvozo|ogwzkqroi)|vbdykchckv|tprwtpfvny|dcwfnylkap|z(yklfedapm|damavrmww)|exosycmvjp|m(kqpbmtfho|clezzxcop)|fpnybtjpww)|z(dpoegkuuxv|c(rorsmetip|tejvvolyn)|q(fjzcpjsjq|awkfefpqo)|y(mjjxlcwek|bupcjaztt)|j(cdnraaayu|pvwfelvxj|fmehjwbua)|z(usaliyoxq|lhgqsoesk)|w(phklgnqkq|wrkxozqff)|mxhlinoizf|ffwhkdiaxi|opjldrnebd|rdbrmwdwdg)|e(h(yvlqipnej|bxwzjmlms|onglnnlpx)|d(zsnhvseyz|pnffusbxa|orayqpcsx|tlavtgcux)|g(lketlbyqb|rzzlhdtog)|y(mzfpfkqqz|slzxhhfib)|jjpforpszo|opqrxbrvsy|t(detktoxgd|rkgjsfwnc)|pwttktvhjq|lkoqcavxol|qiiocnzkzk|m(dfkmvdqec|iiysfoaoe)|ecvzoomjsr|kqqxmkygwv)|o(b(iqmgrmvme|kwyfhmbum)|j(afhzpaduy|ilcglftdc|jgmefxkqf|hcwbrnbgr)|q(dtlbeafth|oycmxoizm)|s(klojzfimd|pjkxldzdf)|mwyprkcrjn|r(cbfkhgqre|vfdkcpwmm)|l(akvflyfej|pxajkntwz|nqfjwtgqj)|ebzfkloivr|xdskrdxajw|o(rvgrrvqel|uoolvywbp)|kcxilkognh|y(gncpfhrow|hcdgaisle)|wpqvhlujdd|gbhubmtiia|crnsmbhnez|haeqfoiicy|zmphghcqyt)|r(pcbcpsxseq|btsisdprgu|fpbckdopcq|o(ecdyksrlr|ktnyddeqb)|lzckyjwaos|dkrmsbvcdb|ihtrthwrye|qhtwvtqvwg|a(zzznksyoy|gqllhwjwz)|marjqrdlea|ncpdzrhfnb|wsojfclecc|s(igqtgpgnv|uhwreneam|weuelcyvl)|kvnnfzshaq)|q(d(jcudwouyo|kyjvhhlev|waasklpnz)|gsvhdhcuqz|kfsxmmhugr|a(uzorabyqd|htzsdsmyf)|b(ldiootrpm|kunglutio)|xcfqdwgukd|u(qgdstsjng|issvzqrmc)|ipnwcxojwj|m(htodvcznr|sorxxltei)|vyytmunclv|jjvhmipbnp|wsykfhuhbt|qrolxlwcrt|cqzijihrbi|hgmrsiophf)|b(d(vlvrqjykx|njacvkdtl)|u(rwygcovms|dmvpimrwu)|s(xzmbsovqr|ftwrapsuz)|z(viexquzdy|nldxxnhnz|pplaavlcd)|ti(ejdmclcv|rmdmkovv)|h(dvxggemkd|jrzotnczw|sfcayhquf|iyjilonsp)|n(tzxviimcy|ofdvlkxzf|qtgjxhlpa|hlsfdaxjp)|r(mvaxyqhtd|ombqgbdze|pdvkuxuxu)|fiocsntvte|khqhfbpfyo|etrmdqibjl|oupsnufyla|aegdiipzsz|wjkjzqdyik|v(mvoubuupx|xmxrofyep)|cqixfxlwrg)|w(x(chdilhmzg|xubgjiodc)|e(bkogoanym|wctuxgknu)|pvhzxvpdkt|yvlcfbmobx|kscpbljokr|l(pppzsqpum|jggzqsjfl)|hzuhcmbrns|gdukurarqn|j(zxehcafgc|ytyltfgpg)|n(bnjvibtwb|nuffscvvp)|idcivtbuka|rcmzvyjokz|w(qyxyjqidk|ymamntdua)|qbonsndxsw)|y(hovddutnkc|f(slqskuees|mylwuxeey)|x(rxtchwkjy|efiolapsa|nknyawaej)|p(kydoulewm|rtossnpcu|wmtelrlng)|gwcuvywixr|yvcpxkvvoa|zyxzaggyyk|s(itwrdtckk|tkcvuzowy)|ekaveiqdac|oiwquovlyv|ljtncwnoep|qofponyiyq|a(bvonhupib|ljizotchg)|k(ibzclztun|qjfzqvzxa)|b(miejdushz|wpofldyja)|cwgwdvanuo|dwwxkzgcts|mlkhoygjrf)|s(s(lacvtboio|piptbalhz)|r(q(wedwakjx|lcssbnyz)|onkazpwbs|gedjsjunq|dinemdxbm|liywwczii)|x(bnxahzdrg|lbymkxgmr|tbklciabb)|y(etbpuvocp|surgdeudc)|ixomuavsnm|fvssyifeul|lvkceeyfiz|ggjiezxiyv|dgoflevygd|ouoqshauyq|pxbcibycmm|cvtkwmjjkn)|k(j(isdtxuroa|d(xabewoow|dixiusgs)|bqqtloxkk)|hjnrvqnvqb|wvwfyngfab|v(vhvlhxkcy|kldylifcs|rqpdlfzjt)|bkpvfgtuoy|kmrrqcslyx|s(zjajilfjn|rozrticyx)|t(eruauvihb|khkuyuudl)|zlbkfqdyop|d(fekkhhsjh|mhwiuoolv)|udrceeivle|g(pupjsbdri|zbihaiecz)|pguhmybdiy|f(muqtxvzum|zrfqdsrto)|e(jhnnkornm|swxxaupim|mpjziietz)|npiainurih|rvudyaaldc)|l(nxudskarrq|ventbkvhgm|dqafxaepju|gkrstydiko|plixgsfegi|xtpxxspnrm|fopgqmwzkr|aunkrhciiz|hdsuptixyj|c(gxpjlemdg|bqaxsltcg)|bviyjpawyb|m(zmznbkdoh|nojxdmusq)|ufaxwgiefn|oyfgkazdee|z(mvyqcscar|zuzpkqdmf)|ewyrjijxmd|yjakicvbco)|a(p(peoqnhetb|gahwzyjpu|siaqbsbua|eoceeolbe)|gbporsaoyv|iinhadhseb|wgltdjkeac|zc(vujdbive|lepgtauh)|hyrykdwjru|nzqeamakcm|jcdzwpuafy|rtdmwaymdw|fqgmdglygr|ukigszxdkn)|f(z(jtwnesshd|xzemzqnya)|xehffbqgit|o(nicumbnhr|hkoytwxso)|hwryqqvcpq|vexsfaeqfg|w(bwfedstbd|ztgfswohk)|c(mmrnctdvr|nruizmtsv)|t(ygttnbnso|siipjzban|khswtelcu)|a(jusbdxazz|qjziakzxs|zxvwtstvq)|e(csplnlhoy|rejhzwcyz|vjzffaebu)|g(tvbsbopma|llfyzgwow)|pjlqrjsxlo|uzjkdrrsxu|roweibchwu|lagldwmzwp)|d(p(cnfgrwfai|dzbcrcxdb)|b(f(rgwfjpzl|lobcgnzc)|oecjicizf|ezmegoxkt)|noaanqdspd|savjiwfgld|z(lvelbzwja|vnmscgwhc|ghvujequg)|cmoxkqqnqv|agbmwatyxr|o(ibfujhgwu|sgpgidvfo)|lakzhphfes|ynssuupype|kxrqspgqpz|qfgbtdxopm|tt(wmumeyxd|cpxgpsdj)|e(pbqtvfgtb|mdmpofjlw)|mhcduscbgr|dnjwtgxiuj|ijcdvrueiw)|j(i(genlzdlct|akadmxgbt)|dzrtfzwbhr|q(woybaxnns|qynucyvgc)|mxooykqgjd|ftaujlhrdc|w(uublqgyfo|vujgnhbcq)|jprvdzmwhr|ewigifuhmn|tmtjtxztez|lctrdbavio|xyjbipynqw|gsvslwdhvm|cg(oenbnptw|rhutmmxz)|bluvzqedrt|vfjxvmpsxp|n(jwpwwcorp|ywxjeukdb)|aezjxivvyi|rtrhskwhxu)|t(g(jioxdbiav|dzedjwvjj)|f(jwqiksbna|kxpyhsiaz)|lmwibsrkck|n(yegbfrdoo|hpaeavybl)|k(zpqhtigte|xbmiuewbe)|v(xusgiuzdb|hxqamaupx)|bemtpxbdwo|q(dtcoqoglc|iinxjhfek|ylnzrcsbu)|i(cnhnrhwge|kaivggwrv)|m(nwyfxvlpy|o(dmqritjt|aditiqps))|w(ruappdufi|ltvrawrzu)|exufdlmdth|jotghxqnkr|hzenummiwa|ofvsfzxnuj|rgbxfsowzt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633163; rev:2;)
# sid 2633164 includes 804 (601 - 1200) 11 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: "/(r(w(sojfclecc|jwwxrsbpa)|s(igqtgpgnv|u(hwreneam|xyckbmmb)|weuelcyvl|njeuodcmg|eohptbart|goezhrstu)|k(vnnfzshaq|blgrwkybk)|o(ktnyddeqb|zbhhskcho)|agqllhwjwz|b(gnzzgqpux|mdwcmvvvq|svhoqgxqa)|qzlbmmztmd|z(dflcyawgt|ctjxneefq)|x(kbyhsqnqv|zibnvmlmt)|uhsadocewq|dughfztvmj|t(waityhogv|bhqrbktxy)|e(csknytmce|actnjzphd|lxjtzzrmt)|jlzukoanhx|cztwrqlrtx|fqoiezqhmj|igpgopnrzv|rwletpmevf|gpaejigwch|hmydsamhdo)|n(eadcjypmha|b(xjzgqozdh|zjiczilsi|fypshsamb)|a(eeofxfquh|qlkbpykyv)|f(aagahzsnu|dovtypxbq)|mh(bjngqlvr|pdqsdkxp)|d(vwbsihckp|mvltalzfz|npngylsfh|unzkgdxqo)|y(lbezbjswe|gdsyvykzv|nyxuvfqqh|qdtavaxiq)|znsgpzxfvb|g(ggtfgbtfp|pqvownzam|iredqlifv)|wxtbbchcrd|ifwgdfatxk|cnpypzrrfc|x(zwplqmkwy|nzceimhxf|kzwgzklsb)|jjjvfeceav|kpqzhedvmg|qbbcegwyjf|vysosueaad)|y(pwmtelrlng|b(miejdushz|wpofldyja|afsylrzkr|rjpycljgy)|a(ljizotchg|snohxwqay)|c(wgwdvanuo|ndudfbcoj)|dwwxkzgcts|f(mylwuxeey|efoxjmpfz)|stkcvuzowy|kqjfzqvzxa|m(lkhoygjrf|jylqikifw)|e(oyhtnvxsb|sqjpwpauu)|wybybhftqd|o(kvxwfdayh|dnvtkhvwz)|q(bqlensmsl|cyclityzg)|ubasiijgdf|txszuqwjbl)|d(o(sgpgidvfo|bflsfpjku)|m(hcduscbgr|ijmenscva)|d(njwtgxiuj|tpvkmixkh)|e(mdmpofjlw|eppzlsfwv)|ijcdvrueiw|t(tcpxgpsdj|wsurjadwt|hnvehmsnx)|b(e(zmegoxkt|ewcdrarj)|cbbnlihcp)|p(iceutjpmr|figluyaem|geabjgexv|vviewnezm)|sicsjhlvsl|hvculeximr|feiifgtbff|kxijysxqkv|y(blcmyngyz|czkmmcrbd)|niamfslijd|z(hcsfnxfgp|ffhgivyjw)|wngjpixjgs|lrazyiuzsd|gpaoxbvtcu|vargkevhfg)|j(v(fjxvmpsxp|mrbphcnca)|n(jwpwwcorp|y(wxjeukdb|ppwzncfd)|rosnbmfcb)|a(ezjxivvyi|fzwogueqw|ggtsgnhzt)|wvujgnhbcq|rtrhskwhxu|f(eidipjeyz|qunzbzwxi)|pbffuttgav|u(agrozbonh|muxpxdrck)|j(byqdsfuco|vkgovbgsd)|bfpoedwquy|ztyutelrgl|m(gjngszwmq|pdimgnjno)|kfypnhcdmv|iipwenkbou|xwrvoyhdmd|hkwsavpdke|d(torpodsmm|qrpbwstbj)|gyfxqzixft)|v(u(jdxrsuapl|fepfhrqzi)|v(weyjaovcl|rjvuclluw|qhpdzcwtw|muycezrxv)|e(aaxwfhghm|rabsrxsau)|srutynaspu|n(ziwlqosas|krmtxlveg)|qelnjqfaep|l(uskrkmgnt|irftbioot)|j(elqizzjzu|ittbtacds)|d(uarqptsry|rsfqpjuag|yyirmqmye)|b(eaivagled|kysikdiul)|h(mfvebikup|uuulcirjj|agirleesw)|r(spypjsspc|zcgvtngvv)|fdfbvkcvmm|clbdgbqpce|m(gllvqvsfe|rxshvcyoc)|osdozrxyxo|pluuyyusqq)|x(d(whcieexnu|qgmvlpfwj)|z(jblauhljg|xbzaravnb|zhfghienu)|k(hefghmduk|gxjdkuhfv)|lkrhudshhc|p(sfvcpuwcp|kqwwdppfl)|iagdyqddky|h(ajcmklugf|muyudecyx|vktaplmnt)|q(tvvebkcsb|aqlicnroe)|f(ccmxmjfzl|kkpvoswnc)|ymeiliwacw|rpasdyazpq|ehdrgrlttv|o(lwpsszxky|tuntfjanf)|a(twcdgxpdh|cwfstjlua)|wxgjwqkzxr|c(bzghmjzsn|tomqrufni|ccdpuxoeu)|xljbrfxfgp|t(ppnbnrdhn|fwyjqsjao)|smqgmamplk|vyizimkulv)|o(ouoolvywbp|lnqfjwtgqj|g(bhubmtiia|wvsrbctme)|q(oycmxoizm|gyxwzifau)|rvfdkcpwmm|spjkxldzdf|crnsmbhnez|y(hcdgaisle|pilgjzltq)|h(aeqfoiicy|yfvqhkydi)|j(jgmefxkqf|hcwbrnbgr)|z(mphghcqyt|wuqwloiff|lgtoougnc)|p(zxjyxldud|bwfynjbpf)|u(cqdxhmofs|eptxttbgu)|a(xxkjdgprm|rjuclorjx)|f(amgzckxzq|tvwztubql|jaddigfel)|mqboewoqac|wxrilzqhjz|n(nxzxwoped|tbzuscdkq)|iwcwkwtqup|buysiluopi|dqmocjlfxf)|h(r(bdozmoyca|fztbpuqwl|pjxhjcqoi|spqbsrmga)|m(yoqbsjdop|vdavygkvk)|t(dyqknoccb|mrmxyytxq|ejkqsimuo)|h(svzdhvqlj|hjlirsojd)|g(dzsdwbtkp|mumjidruh)|itqlmnlxic|e(xjpgsblzp|wrvrhzcld)|utaobcyebr|a(xojjlxkow|fdkxeecoy)|jybllvrmei|yvflbpbcgq|l(ltjxpnvfi|cspegecsq)|qyzbtdltwc|b(tkpndzelm|nglkjtoqd)|kqjruehfhs)|m(s(ihysybfca|zrlkmvkpm|ufnsyekhz)|lfyxhksuke|n(jpggkaiaf|exbpxtzpp)|w(g(quryttap|rguchkhy)|uqauxrjki)|j(kcdrxjbsx|iyjjgnirw)|u(gissidvnw|zfapqpxrc|lenaqpgln)|m(ouhfbijvt|ixsdewrbr|xtkhokeic)|d(zrfmwwtgs|hgdkebyii|tnyprhnsr)|ixkpozamhy|bjtjwcnakm|ozzhwrfrxm|r(dfwhdhobu|lozriacfy|zpsatsfxq)|vzzxxfnhqp|t(tushhixvy|ztldeqgod)|pvtanpunvq|epnaulaubt|hsohfzxlfu|z(mvlyvgamr|idwxxtwbi)|kzxodwgayq|xugigwokyz|gvmcxbozfk|quciycxbtq)|t(gdzedjwvjj|e(xufdlmdth|wwteffmwx|seucsjlcs)|jotghxqnkr|k(xbmiuewbe|haludtxub)|i(kaivggwrv|l(iewsdvbp|uusvmqjj))|qylnzrcsbu|m(o(dmqritjt|aditiqps)|xvhomxesz|euyssvoyg)|h(zenummiwa|bivogiqqd|ikdrncivu)|ofvsfzxnuj|r(gbxfsowzt|kctkzzbyn)|u(esexujtez|mukqbhggm|pdcadwuca)|fhahniljnd|bfsbbsbymm|y(iodttznoa|nnoevabkx)|puttfucxdw|xuhhkpoyvi|zyllmuucbk|d(iddxygmha|ahplkvmjf|hhfhzcive)|n(ggkljsgrp|dxgmcslpk)|atjmdkwvfy|snfkrikxvx|tkjgbgapic)|g(lxpkaqqpng|chxdvhxmqv|gxqlhgdqlp|tjqfdsqqxs|bhfyazvvdj|x(wgulprrvm|pxnyzgvqu|lfelghtbh)|fbvtlfoqww|jnznkqioaq|h(mkmndvdcr|pjiqauvab|ugpqichor|gfieamxug)|slmyuvffxl|i(vqxatgapc|hvwuexolc|flqyahunl|rlggtfman)|ynnlumvijd|m(llsujtcis|tpfxsotrl|fqqnhpymj)|d(ojbuelsoz|zegawened|vlxqicqvw)|k(jtlrruhbs|etqnrsfhg)|ehpdgkmqyg|praoaisjhe|wctopmqypx|zqvrswfizf)|p(tfpsyzzunr|eaiijitujg|z(fcnyozrlf|tjzmfjnbp)|v(tlafofuap|besuawkyb|uvuweibgn|sxobkkkow)|jjycwlzogr|r(nsxsuhdft|iyszeojsa|yoihxgkhy)|xj(fbuwofuk|kujgpcny)|a(yaixieorr|kqftgbdok)|k(vnhhuajbx|uuylexjev)|ymrakicrmi|p(ppiacekqc|tszhfrxmz|ohyedlcfi)|uzylshkvhz|n(nstlkkvbm|jqaxmvsyb)|f(bwalqwwdu|ugqitztjn)|w(qhdnqfsum|mftgxadkk|zizkosuxe)|chbuzvdcve|lieeeplilh|seojchtrrj)|i(aaqchhvkmp|l(lrirknwhw|rmvezqbkf|bpqyzoqaz|z(mqqxelih|brogffrl))|i(gubdkilvb|zlbatqvza)|jngdmzqhjv|s(jxtfqrdyx|gppywsnek|ytgdzfrxs)|n(jkjsvwyjs|qldozwpbu|felwaplef)|rxyjwroyol|ddgajytixk|o(bvcvcictn|dzfapcgll)|b(alkvjwywk|lrmdugnqn)|xqkqfflnxe|u(rpsqadvbs|odlyfomep)|hsptcevjvi|ggvakjjghp|z(qshvjkqts|krrtnarvg)|yfebcmfnyv|wzxlssbuza|vi(qjmfwmao|tcmodyim)|crngnaofjc|mleeixmmct|kleufcvaqq|fvwuhibudb)|c(jaungtsdyg|b(qflvggkes|uwbctknwn)|fincklzijq|g(mdebusapg|lamxrhvdw)|q(ediibmgvw|lkrryhrzy)|cbkinhclxc|u(ozrefjuxc|udvnbdnri)|sywnwtdgfp|hbahytoint|xxdjlywjap|z(npalysoaq|khpqjcurx|cyvrmiwlb)|lbavvbwmxi|o(zntclmobz|mrmvpmnuw|yecsjkfbf)|ifxcmeiuiu|a(lakeaalwq|unoupoppc)|ruyfoywyav|knbtdgnvsp|pgzbvjnrxc)|k(n(piainurih|ykcmzgtvi)|g(zbihaiecz|bqpxuhreu|pzzvgaglg)|e(swxxaupim|mpjziietz|cayvmzilz)|vrqpdlfzjt|r(vudyaaldc|fwdjmbzbv|cpupdhmms|qofgziwyw|komjnjvdm)|j(ddixiusgs|bqqtloxkk|pbgarczbt|aqynmpwqn)|srozrticyx|dmhwiuoolv|t(gccjmxxzo|nhnqgfzob|yyljxylls|hsoqtwvug)|f(sjqtsnyqz|mxpgjsnvc)|yrbscodbdo|lkfnnnudos|zvdwynhnto|pkqlvqluqb|cadcavcqhu|x(lfckkjvas|zkwjtbxej|wfzlmwydi))|b(tirmdmkovv|z(pplaavlcd|noewvzusl)|v(mvoubuupx|xmxrofyep)|r(pdvkuxuxu|znvieyiuv)|d(njacvkdtl|pxmtjyann|enazesyue)|cqixfxlwrg|nhlsfdaxjp|flsairnsyw|kzqdorawee|hlffyvfuko|gjldcsmyqz|s(hrjwamfxc|xqqzcznrq)|jsnsddbhph|qbwroojolx|bqefzpezah|lfhxgtilyt)|w(n(nuffscvvp|ixxgolswt|bkqzabksn|udfrhpwta)|w(q(yxyjqidk|ucjaludr)|ymamntdua)|q(bonsndxsw|odzkdmvda)|j(ytyltfgpg|kkmgplmmd)|d(wieqwzbwh|rozeroqxc)|s(ytulysict|uturjmqyi)|yibxkmmeba|e(gypvlmtcj|hvhdsxwhj)|t(yecihitsx|twebajspp)|hmmiirfhtt|xjvmmdiqyj|ogvyazbmms|blxfwnnqca|mbueescjll|fzwkxtytke|c(ficyxoovq|idiaczzlq)|gsqbvayjzo|p(gdlsxijlp|axtxhzykh)|u(exynuteqz|phsuhzcmo)|zpkxbdpyoc|kcvatvidqu)|e(d(orayqpcsx|tlavtgcux)|honglnnlpx|t(rkgjsfwnc|wgxnroxpa)|miiysfoaoe|ecvzoomjsr|k(qqxmkygwv|uetikeblh)|y(slzxhhfib|lebxfptef)|n(uzvpgibax|aqzrwphyg|lkufcctzm)|wcakaoglgj|v(lhpliqhon|coyntnxkx)|p(tqirmomnc|rtalvxpbs)|c(gxddxfmuu|rpmzoluxm|itsfwgowg)|l(lcxomgaes|cakhyyxgj)|jschnhioks|gtwcsfqkyw|imkueotamp|sfisqqnxny|ucbqyvzmhu|bfwitrdyvi)|s(ggjiezxiyv|d(goflevygd|lbbltvymz)|ouoqshauyq|spiptbalhz|p(xbcibycmm|bgaunobju)|c(vtkwmjjkn|qburkflvb|wpomkuqnq)|j(wekbovfba|qtmotzmvh|fekashupy)|k(rktlhnpwt|jkindyiyv)|u(axalyvgsq|tujqxmnez|koznzvfsq)|z(albhpubcl|bhzlmqxwk)|fqsiikmybf|ykvfydjzhw|h(zxhnufjhx|albymyekk)|lotxuycydy|ahwdoczucc)|u(e(xosycmvjp|tywzdneia)|m(kqpbmtfho|clezzxcop|utoqlrpwi)|f(pnybtjpww|hgsjdspxi)|g(nblebyyer|tahatfgsa)|h(zudlckvwq|nnpmlcnjw)|dqdymazjoa|y(huzybypmc|puvldslwq|eqrdvkgxs)|r(h(qbtajdht|zcvhmocg)|bkuixvamc)|svolhdpmlq|k(ucbbdresh|bsnuhkfnr)|wergodriol|aacdxyknan|xpgcbumwlg|jprrncwqlm|viiuouclyn)|q(c(qzijihrbi|pirvsjiec|rzxrreegd)|h(gmrsiophf|cwtcwomch|utpcmlfka)|n(zfetdgaeu|bqyzvgoqk|jbbapltnu)|bwfuaqkmcp|aagnamismo|d(tovuorzbl|ppmcvdzhv)|k(yovnxjooq|jguhtppij)|ovyjxraspg|epametgkik|vvkhdxhqde|ineorgdijh|tkpycrmcwk|wpesyonrmi|jluchalxca|ubapacguur|m(kwglwzvcd|xohvspabb|taewplqsa)|peqmiqgfkh|yqsovwurrs|fzxuutjkdx|ldicmvkgjs)|l(b(viyjpawyb|aczwopjaq)|m(zmznbkdoh|nojxdmusq|canfvtecm)|u(faxwgiefn|vihgaojia)|oyfgkazdee|z(mvyqcscar|zuzpkqdmf)|e(wyrjijxmd|tyebpghjp)|y(jakicvbco|ovrnavvol|rfrhbbxrs)|jqqjdreezl|hgkgglqlke|n(pddqnujkg|qmukmkdjv|hrljpwacl)|kgthytparf|qzjyqgadrr|t(exmwrwxvn|yqkznztkm)|a(woczoejbi|ehnnycrrp)|xympcybqoj|wdnfllvdvw|vjfxwkjtbk|f(tdocmsozm|dhchcggzp))|f(wztgfswohk|t(k(hswtelcu|mbfxiqen)|djhetnffh)|c(nruizmtsv|hsnrmrtwd|acliiivlk)|z(xzemzqnya|behcxgzlf)|o(hkoytwxso|edrxdtonu|cunmfsjmy|vzycwjdso)|a(zxvwtstvq|gyudrdseo)|g(llfyzgwow|nvazthnaa)|e(v(jzffaebu|odokpgqy)|csnfnufvj)|roweibchwu|l(agldwmzwp|whlwpuzst|fcgtbodvj)|pdywczbiey|k(ixsvcsekx|physbjius|eaycdfahk)|uatooueeol|slgnykozxv|qeomwxjlch|vobkwzgiwb|bsjilwmtny|m(wbvrsghre|brkwgvqwn)|femcjkldll|j(hmkkuwvpp|pmagslbqh)|yiyxhvahwc|iwzacojgtq)|a(p(siaqbsbua|eoceeolbe)|rtdmwaymdw|fqgmdglygr|ukigszxdkn|h(nijjzrtak|xfjjznrcu)|ecjtursuyo|kbjlmdauec|mohdhpesbw|d(arhjjekxu|wysbqbwal)|bdsngegxaq|j(wivvaitsc|slqhoduxr)|ofzhozvzhe|afzlecvyey|cxqbdjpcfo|vfclyietnm|g(iqubtsypw|mtctdmaqs)|ivqfzqrrdn|yegmwuelkc|wvbbmtzezk|l(yqnnkhbdu|fpmandeis)|xrgfqxmbca|qimezfhkup)|z(jfmehjwbua|opjldrnebd|zlhgqsoesk|rdbrmwdwdg|hqghdmxcfz|ylmjwvrsoh|ddlqaruaxc|knvtmxbkqy|uuhqndfmec|acmrunkdgy|sndgkqvvxd|tihbgpzraz|pdotqpexmn|iumtnedewr|fxsgzvwutq|mpkubypztp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633164; rev:2;)
# sid 2633165 includes 204 (1201 - 1405) 11 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.org)"; content:"|0b|";content:"|03|org|00|";nocase;within: 14;pcre: "/(s(egcqnxwxfu|cnjpiyrevk|v(jrcanmpvh|kkhfqegma)|hxjyehznod|ldrzqwudtb|mvbrguwgzk|pimfnybmue|fceoxonbzy|sfeluavzmc)|w(hxjnuzkrrj|fvybafvpdt|sylxshfmox|qtodkzrfnw|vaizvgofyf|uwxrcyrpiy|azmexcjycf|nxpasghnhy|inqywsvccn)|p(djzexzylce|t(iysgkhbxu|cgkpoedbs)|oszidauzky|gpmptzcvfr|h(azseacuht|upshyglei)|izkycrpewv|a(lsunxkdal|dvlqtevyf)|ypjgaorqmt)|k(cobcizolsb|hdyruhomcj|m(nnpdvvyxt|xrbkfanxi)|wwxiasuwvz|abgtbtxpyg|uuhtsxyqwy|xhxkqvzkpp|iwtgzuzqod)|g(lszdgqsnzl|wztzenznvu|j(hyygwffzq|okpsgnocm|scyealfrt)|mpydzpmsck|njovkokfke|utgjwyiimk|vfkwkjsssd|zzgahxdqma)|f(vnxaglhodg|sgdypaddkd|pfklycklqe|igkioycsto|lcbayhjssg|dabpanrodw|oneofwundb)|b(n(cblzxcjtg|iknelnlph)|gzqsmvoyim|xrtruyvxwz|t(bjsddmrnm|wgsvlxbfj)|qvgraffiax|aubwjvrqcn|o(yaekqhkza|vutnasbfi))|z(gfbmutccel|fndusbffzq|vbcoismipe|qgjdyabjrr|pkfwzufyny|dqpcgetqiz|lmbwijjzcc|ymulghreql|mekvcnmqvz|kewgtnkavb)|q(kgwyyoexwz|llxcvqejcv|gjymkdcxpy|mogiikeszd)|u(acagpvelso|wvljrwqbaj|elfcswsnmq|dzfduvmulu|rqowvzqygy|ziiqqolrxz|odezoirtcx)|a(p(lhbbxvzrv|brfihicqx)|kfimavncbv|mxlbobexte|fynfqgecsr|hmigzqbyer|tpnlfvyqls|zrmbcwmvuc|ewdkkjubyy)|v(nbtoclxoad|t(owyffnbfr|bsnwzeiuh|suokklnsh)|ydfnxrcwvx|iluzwyesmh|hrctvcjdxq|adclqxcosz|ojexqbjlin|gavqrfdhpe)|c(dorqadzgnj|r(iunhniuvg|lhmfrhdat)|omfbvlewil|gdvaimztho|bfqdknmuyu|vuoqfwqgyo|cbmgrhqcfr|ildfsbwlco|e(oandfcahu|wyzcohvto)|zysnvlkxnu)|o(jasayffnvz|h(kzoipeuzq|iezxusujw)|wtiwuziaku|uowibpyojx|kcgtpusbwq|yamlzndbmb|zxvrktksvj|ssbxmcawfe|ggjqqpkirb|qwrkymzbws)|j(ukvbhavjuj|jetmcxzjks|bivciqcrfo|eudnhwefry|d(rquqoyckv|imeaxlipq)|kkezzchqod|wijzcftyrl|gmhasbnqxk|rifrxodmgn)|d(uqxpupbvei|y(wamxqilwj|fkitlzyjy)|t(jxvhxnvxt|xlxkjdupj)|vfluzhjgyk|mapjvvtjpu)|e(gqirxsojcf|wkedkodepr|xzsxkhqoff|ztjmklghjl|qncuatcmpf|ojhnbxwtfw|cwvcvclhcs)|y(gmcrhkerkl|ltuoxqxauo|krtarzovuu|srfqtojtjp|hnshteugvf|pkrefszzkf|ufpidnifjt)|m(bzulgijjcb|ikzlbhirxd|taqtxbrivm|qklglciebo|osmyhfgeby|uruhklshgy)|h(ewsrdodlzg|d(awztgqyqc|zmfpxgzgc)|bvkufwttay|wrcbdacbrr|uhmrgnqumv|jbdzjamhxb|vpqacrasox)|n(d(zfkrxwrfx|trnteenaq)|nwkwjliqhc|googgcdheb)|l(cqricmzgbv|dluwaovgmk)|t(xveudvgzno|pndmozhjij|kdecjrgvmo|ngoovbmskv|adxkeugocw|wdcoxqwfad|zcwuajdhtf|jxfmzjknww)|i(kmersfeirp|buzzivauxn|rvrxzphkki|sfsgfnflhb|mczcxtwypw|wmugyumbqc|faolhrhsam)|r(ytwqkgdrjj|bqprmkjhfp|dyeugvtsff|vrzzjhqtyd)|x(t(okrwypavz|tzvadaijx)|drwwvlefln|e(tbklwfkwf|vamdlmdzj)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633165; rev:2;)
# sid 2633166 includes 3 (0 - 3) 12 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.org)"; content:"|0c|";content:"|03|org|00|";nocase;within: 15;pcre: "/(bizuvmcgjyow|cnqzdtvyxntu|wsgmnspdlzjs)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633166; rev:2;)
# sid 2633167 includes 8 (0 - 8) 13 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.org)"; content:"|0d|";content:"|03|org|00|";nocase;within: 16;pcre: "/(net(iglgbwoqkw|qhehfhftvl)|c(ommxwvjhvkaa|nyrvuiaoxoyg)|biz(yfybyseato|ixazkiqshw)|wsfnvyphovyam|orgmvixxwmoxz)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633167; rev:2;)
# sid 2633168 includes 3 (0 - 3) 14 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.org)"; content:"|0e|";content:"|03|org|00|";nocase;within: 17;pcre: "/(netuloioahjdji|biztoczrhjhxis|infoybvjyddsgq)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633168; rev:2;)
# sid 2633169 includes 1 (0 - 1) 15 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 15 chars (.org)"; content:"|0f|";content:"|03|org|00|";nocase;within: 18;pcre: "/infoooruewrmlpn/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633169; rev:2;)
# sid 2633170 includes 600 (0 - 600) 5 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: "/(s(hoxy|svxr|jhjl|obpy|f(fyl|snf|laa)|kamh|i(bjl|aoe)|vvjq|lses|pmpu|q(jma|isw|ydv)|yqtd|ebod|dxpg)|b(c(ipb|jmf|pap|spj)|f(wiy|fka|lny)|s(pdt|kzo)|nhge|p(zwe|vew|lua)|j(hvy|evy)|w(ewk|sej)|otpt|xzzy|ryie|ychx|ifzc|zsdi|qgju)|j(klxn|r(szn|nkc)|gx(mp|fu)|ncaf|d(qhc|cjk)|cjdp|y(grw|qtd)|e(gpd|zlh|yqq)|j(vjd|cew)|bpjl|plge|z(ljs|rnk|cbk)|uuwi|anpq|oabv|thos|mjce|hzgk)|q(w(i(nh|ks)|mob|pwe|coh|xeb)|o(fsl|xot)|nyxu|sqkl|f(fuu|lis|uun)|uwft|c(bvm|uqz)|rnas|g(onj|fcm)|xzci|binv|yvvp)|l(c(eya|nup|tqa)|pjks|l(xhc|ivp|gve)|j(vwe|xrm)|komb|ffaw|x(dul|rgs)|vxxi|hurg|q(mrb|pxk)|exkf)|d(qaep|t(jzo|pvw)|s(wsa|pbl)|v(ygt|uii)|ynvz|g(wts|pam)|evyy|x(bjo|cgv|fdr)|lrfg|av(us|vs)|wlpy|dsfk|n(iin|bdg)|usxu|phdv)|k(lchq|mbaw|v(sno|epo|cvw)|ttji|jqlu|xjuu|c(xai|ofw)|ealm|usfz|berm|rncv|q(wfn|oan)|iiku|zsup)|y(a(iub|obf)|p(jsf|brw)|sfec|q(xwn|mhr|cun)|k(lhq|ftg)|u(epl|bjk|czv)|trvs|d(jqk|qdr)|r(oii|tdb)|zohm|lcgw|bgoq|chuq|ndqi|y(gko|das|ymf)|fbgo)|m(vygc|m(qsv|ctr)|flib|l(bur|fto)|x(evw|gqm)|b(sej|hxx)|c(bzz|sqn)|dupm|zgsl|hjog|w(uoa|xus)|jeeq|r(nvg|hbs)|psfu|tcux|ntcj|eigl|gkgw)|i(o(h(tj|xy)|kdg)|s(wfi|rkn)|amhb|p(qqr|lsq)|n(mib|zrf)|f(pmd|btf)|kvcb|b(cjv|waf|lgw|iyw)|hwov|mgzy|ccvg|dmzh|i(vmt|ddw)|jgxj|rbew|xlbj|qcfv|zbzi)|h(qehr|nivu|l(mut|vio|zfw|rok)|u(lng|a(un|eb))|d(iqr|kmh)|aocy|w(ext|ydl|fbh)|zdbc|thnx|huqw|mseu)|o(zznq|r(ljb|jpw)|ovba|lcqb|vbgt|bjzw|ikzd|jarz|csbw|x(jot|ivc)|afqs|wzhm|uztj|nzum|drbt)|c(w(pur|wfe)|u(mpj|arg)|c(ida|nnv|qlg)|g(gjl|xel|hql)|bsbd|q(vlu|suq)|x(rzx|lzb)|s(evd|wem)|dcsc|ihnb|oimb|p(qxx|uvx)|rmqu|vdiq|lirv)|w(tcts|q(a(qw|uw)|ync)|c(ruf|erp)|g(kfo|pfg)|v(dej|nkd)|a(nvm|upg)|btxb|x(zsw|wqt|ese)|fteg|sqhu|iubs|jqwp|u(ong|cup)|wmkj|exhh|d(awe|gzr)|oljj)|x(k(qba|fix)|p(sev|yvu)|lyks|jzgp|i(ixf|scw)|yaup|akik|nezx|occy|c(yjw|zhd)|fizm|wbem|zasa|bqop|xevo|dptm|rugj)|p(pf(dv|gj)|urhq|ajsc|gkdx|l(opc|kbb)|fimj|vfwj|mcye|qksp|c(euo|swi|mve)|ysyp|brzw|jrts|trvb|dpcl|xmzl|n(njm|vyt)|oggu|zplb)|a(nlhe|l(ddz|apw|rwk)|w(lgj|dhk)|dndk|jmtc|efuy|h(kqu|ztf)|ttqz|r(jpm|kjp|bym)|keyp|srqd|ybyw|xjld|bqpw|ajgs|f(kpu|tte)|vnpc|zvyl|mpcb|pbpt|owve)|t(xssf|c(uwv|ynb|xge)|eihm|fery|bwnx|u(gtb|tca)|s(vno|hyi)|l(pbk|tdo)|k(zaa|ixx|bip)|nykk|qwpt|duiv|z(koi|avz|enr)|abuk|yxbe)|e(tccq|iapy|ylti|oskn|m(weh|zjt)|k(ebu|jwa|vzl)|gjnv|wwvz|ej(nt|kc)|pqzh|sqvv)|z(ybgh|a(fyq|xyf)|k(gmu|wop)|l(ihq|xug|kmy)|v(ppe|gju)|bwrf|tglj|s(hyh|kwb|jcn)|jfat)|v(v(xhm|qbv)|hvea|z(dta|kha)|p(ayq|psf|uct)|g(vsg|zne)|k(zie|iip|lbx)|tbtl|qsae|snkq|em(ax|tb)|bpbs|o(gok|ipc)|jxgu|lpaj|wwsw|mxzn|uvpm)|g(j(bkd|tfr)|snxx|z(rpr|jvq)|dvyr|gjzk|obgk|w(xak|ram)|ynks|v(bjp|xkl)|p(czg|ijs)|rxym|xbmh|kmxd|tpjj|ntxm|bamx|casy|mfdy|eike)|r(h(fuv|rgi)|njdr|mpjf|jkkv|w(csi|qff)|enxv|zgvn|xulu|kdqj|fpow|gpss|rdse|u(mwu|gyt|euz)|tkuq|ipbs|sadj)|u(afls|zipx|caww|jwwc|x(nfp|kez)|m(jdm|kax)|p(dsb|h(zv|tx))|i(ode|rwx|eyf)|y(kmf|wsm)|kbtk|vjli|bzku|gytb|h(fgo|piy)|nbey|s(eru|iqm)|djhp)|n(z(axl|egt)|pujf|oaww|h(kko|xwh|urt)|u(gru|ril)|d(dqp|bps)|i(qej|tks)|c(xas|qrk)|jhnu|v(pye|rbm)|s(ijl|rei)|gfey|mmza|qqse|tciq|kopz|f(wia|vkj)|b(hfv|auy)|ltdh|admm|xdqz|y(nes|fdn))|f(z(ipd|hko)|ftlu|hqth|mjch|e(wgc|pxr)|v(pxo|opq)|ovlb|x(ysn|hkk)|glge|d(rfa|fkr)|qips|s(bsj|alk)|n(osn|lmi)|imkq|yeat|lsal))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633170; rev:2;)
# sid 2633171 includes 772 (601 - 1200) 5 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: "/(v(wwsw|mxzn|e(mtb|ufo|thr|oqv)|uvpm|p(psf|uct)|vqbv|klbx|q(vxs|cgq)|r(gnb|epa)|swis|b(vvu|wpv|uql)|y(wyj|nvj|zqb)|n(afh|yrh)|hs(ka|om)|c(xbg|ntd)|g(zzf|emy)|j(lpx|zck)|thuj|itmy)|a(lrwk|a(jgs|kib)|f(kpu|tte)|vnpc|zvyl|mpcb|pbpt|owve|k(xno|zam|gha)|sxqx|r(yto|vdr)|u(vxm|klb)|qlwd|x(gxq|sxk)|gkva|eqia|nvbb|hnwn|bjva)|w(w(mkj|ulw)|x(ese|xmn)|gpfg|u(cup|kvc|ikp|bjs)|exhh|d(awe|gzr|wfb|k(oa|zn)|tuv)|aupg|o(ljj|xpz)|fdvx|c(mai|kfi|eze)|n(lpg|nhb|vyq)|q(vyk|qcg)|v(ziw|bsl)|hmzd|r(mdc|pci)|bwla|m(rtp|qgv)|iduk|lxtl)|y(lcgw|bgoq|ch(uq|bj)|a(obf|krz)|ndqi|u(bjk|czv|lkg)|rtdb|y(gko|das|ymf|xpw|ckb)|f(bgo|lmh)|d(qdr|fcg)|wemb|onvy|p(wcv|ibm)|g(qoa|yvx)|vzfi|m(mxl|tfa)|jqyk|qlge|kycx|tnlk)|g(n(txm|mbk)|b(amx|spx)|c(asy|vnw)|mfdy|v(xkl|czi|fzq)|j(tfr|ubv|sfe)|e(ike|l(he|zg))|p(ijs|npr|hfh|fwd)|z(cbr|ust)|w(lwn|pog|kua)|hlum|tnio|uwrr|opnx|f(aaw|kzp)|skff|yatv)|f(s(bsj|alk|eet)|epxr|n(osn|lmi|cqm|dmx)|i(mkq|pto)|y(eat|fmn)|l(sal|csn|ypa)|zhko|x(tus|jmx)|dzra|g(ecy|jla)|pjyq|qyoo|bvuh|ksar|trep)|t(zenr|utca|kb(ip|eb)|yxbe|c(xge|mwp)|h(nuw|evx)|tkaq|nqoe|m(mmk|wpx|jiz)|q(ibl|pvk)|vqce|whdu|a(kgf|rye|uud)|r(twn|jib)|gylx|x(fbo|rre)|ipkc|lmpi|estn)|x(b(qo(p|m)|vcp)|xevo|pyvu|czhd|d(ptm|lon|mzm)|r(ugj|cyj)|a(pzy|kys)|q(zlw|ler)|y(tbl|ahs|fte)|wtgr|u(evx|glo)|o(zjw|tqg)|j(odn|kcy|tqv)|e(vch|jlp)|gnzy|tqub|misv|lizx|h(mah|ncy|uvx)|svtw|valo|z(ygt|ubx)|nooq)|q(cuqz|g(onj|fcm)|x(zci|ciu|pvi)|fuun|b(inv|xxr)|y(vvp|uby)|whkz|u(uho|xhu|ksd)|o(gcv|fko)|jwlk|s(zvr|oad)|pufh|rsqg|ejrp|adja|zpiv|dwcu|hdsw)|o(afqs|w(zhm|ufe)|uztj|x(ivc|uav)|rj(pw|ao)|n(zum|gdt)|d(rbt|foo|wnm|zkf)|k(ikx|s(im|gm))|lwjb|qktw|z(blr|rnc|qmz)|byre|cwzi|gtdz|oeza|mbxp|fnpl|ekzb|tyxp)|e(p(qzh|lgu)|k(jwa|vzl)|s(qvv|hcr)|e(ndk|kfy)|a(lza|yqi)|o(gqo|shp)|f(qdv|vqe)|mzez|n(diu|eto|tlq)|ybsd|i(pnl|kuv)|t(kll|ikc)|gjau|vwxn|r(ywh|fsf)|hger|urqt|bkni)|p(c(mve|dce|fhf)|d(pcl|jkr|cih|uxg)|xmzl|n(njm|vyt|xri|moj)|oggu|z(plb|mzi)|lkbb|mykw|b(lhc|oeo)|inrc|kpxj)|u(n(bey|fmx|cjn)|s(eru|iqm|mgp)|i(eyf|ynn|pvy)|m(kax|vcu)|ph(zv|tx)|h(piy|muc|dyd|hnt)|d(jhp|gcr)|j(hwc|wlk)|wson|q(unf|hvz)|k(ziv|hji|lft)|z(nvd|mah|wuz)|o(hsq|dby)|ghzu|bviv|futn|liaq|tdji|yrxk)|z(s(jcn|rwf|xhp)|jfat|axyf|g(vzb|zmb|eax)|m(zhd|alx|rhn)|olnh|keil|cefs|bglm|inez|h(txp|fxw)|ufyk|fdge|yvdq)|r(i(pbs|qdj)|sadj|ueuz|a(hsh|mjr)|yuho|cbpl|gjzs|e(yml|sxb|inj)|z(txv|kex|jlt)|bfan|mofv|vmol|jvot|oery|nyro|rvkn|d(vvz|rmr)|xkes|txhf)|c(g(hql|joa)|r(mqu|vdz)|vdiq|lirv|cqlg|puvx|swem|m(cdi|kmr)|e(iaq|ejl)|qfvg|f(qav|swd)|a(edv|fqo)|z(xea|ivw)|hgle|bkqn|u(uuv|kuy)|x(qle|aej)|ixqv)|i(o(hxy|kdg|elp|xkr)|xlbj|b(iyw|dbu)|n(zrf|lvj|uhp)|q(cfv|fry|njd)|z(bzi|lzb)|hvni|e(fye|mdj|abr)|k(kvc|hcy)|ddet|jmyp|w(qsm|yel)|vj(lz|ss)|i(vcd|oeh)|gdwg|c(kvz|noe)|mzkk)|k(vcvw|r(ncv|ayv)|q(wfn|oan|duv|prp)|iiku|z(sup|rzi)|cgyi|b(ege|cal)|wkhy|nkli|a(mav|peo)|o(pgp|gpc)|e(qew|bwm)|l(odm|vpk)|tfab|mtan|fwmk|xoac|sluv|puco|duyc)|n(b(auy|sij)|ur(il|dh)|admm|xdqz|y(nes|fdn|vir|gzd|utr)|f(vkj|cbv)|d(vck|gbk)|r(ulj|dop)|wqab|z(knd|szf)|enyw|q(ymq|fld)|laum|k(syc|vpv)|v(ify|sfq)|jnmp|hzxj|gkut|owvt)|m(w(uoa|xus|sbw|pms)|jeeq|r(nvg|hbs)|psfu|tcux|c(sqn|lnm)|ntcj|eigl|g(kgw|slg|mie|qmm|nxc)|dzhr|uoyd|x(zbq|qbv)|ywss|a(xrx|lwz)|k(nut|hcx)|sfry|mxlb|q(jqg|zhe)|idph|o(zwu|gvz)|fpnn|hejc)|h(l(zfw|rok|bih)|w(ydl|fbh)|s(yxt|plw)|x(obp|srv|dzs)|pjzh|v(ysr|iix)|n(cyj|zpe|qta)|zkwb|uipo|estl|ilvs|m(tma|eke)|y(hpv|nsg)|r(yvg|o(uo|jk)|nzn)|djoz|coxq)|b(w(sej|xwx|zrj)|jevy|p(vew|lua)|qgju|v(zsk|ahp)|x(rxr|faq)|nr(ij|um)|unxx|h(ohw|lzd|bde|ejj)|k(vrl|wit)|tcwk|c(jrr|zpr)|dyhl|rdnt|zanw|lnot|brsl)|d(a(vvs|dfb)|nbdg|phdv|m(xex|env)|sqzj|k(hhp|cva|wof)|wntf|hyya|tqqd|dtcv|gfvk|jrdn|qozs|iqcl|vwmn|y(edi|oqq)|fytj|ervt)|l(j(xrm|org|zmy)|l(gve|mlr|qpz)|qpxk|x(rgs|tga)|e(xkf|npg)|ctqa|moeb|y(akh|qqf|eab|muw)|txgg|hkmk|udyd|agge|b(cwn|daf|gow)|pvik|sdbo|zwhj|dvvd)|j(rnkc|m(jce|wco)|z(rnk|cbk|eqn)|hzgk|y(qtd|fml|eoz|gga)|lejy|j(e(hn|qs)|psb)|xlom|ktwo|bisy|ulhv|c(rgd|gfa)|gwkr|tvgn|nnsw)|s(qydv|iaoe|k(m(nf|ts)|krz|fbi|ndv)|ypoq|bfnb|e(bxq|wrx|lxj|rrx)|n(vis|fga)|f(hhe|xuq|eza)|a(fwd|ggc|ndi)|v(kkw|lks)|jrhb|wzkl|uvph|tyov|xbxf|rjdc))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633171; rev:2;)
# sid 2633172 includes 172 (1201 - 1373) 5 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.org)"; content:"|05|";content:"|03|org|00|";nocase;within: 8;pcre: "/(z(cvmj|y(cji|dbl)|jdvb|lmwv|hkis|fjdp|xjhj|tgnf|ryzi|dmgi)|g(vgdo|qxyg|ucrn|akjk)|a(pjoz|nhxe|ryzy|kmve|yuia|dqok|csit)|i(p(wio|dqk)|lsba|g(piu|yll)|d(wrj|ikv)|khsy)|h(pfhq|v(sxo|klo)|m(scp|fwf)|rxdy|brtc|imro|oevw|lufi)|o(lbia|twxl|hdqz|gouz|rnxc|bsle|srek|olje)|s(trhy|oqzs|yxuh|faev|nrdh|jubj|izli)|u(c(fsd|jpt)|acwt|pdom|qqkv|h(gle|u(zi|ht))|npet)|d(bmad|qwdl|a(hel|bhl)|xyal|ildd|mwzt|rgnv|drff|vaxo|lhqt)|v(pbix|xysg|wnfb|ucmy|rbrl|twvg|mggl)|t(n(zkz|yxb)|epgn|q(uuj|mjh)|ubtq|yzzw|lvec)|b(tmhf|exdy)|w(jrhb|qdni|ypck|ukow|nthg|dfpp|ldat|kgbg|vfqt|xqem)|f(qyom|gdmj|auzm|y(pmk|ajg))|y(xveh|liiz|bqka|akvz)|e(fvqy|ooig|pecn|csiz|brjh|skho)|x(xypb|nfdj|owlq|jsev|fuvv|rqmc|aghl)|l(ltqc|dsek)|k(ksqa|s(trm|wrr)|faeh|cgzz|j(jde|gmc)|wkcx|qwod)|j(shft|eagg)|m(z(soh|ovf)|ganh|krlq|jbtr)|n(wtom|doyw|sfdv|gglh|ryaw|flzf|jemz)|p(szjm|uqsk|ncza|zpir|mboj|xgza|pxtm|vhkc|raat)|c(wmof|xmum|vndn)|q(g(thb|ehj|jlk)|wqzq|o(uxu|fvz)|hthr)|r(vrkr|hijm|eigq|rlvf))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633172; rev:2;)
# sid 2633173 includes 600 (0 - 600) 6 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: "/(c(ielcc|kmyxc|d(lqck|wgaq)|w(ffqm|lfws)|n(subb|hbwe)|uhecp|f(nwhj|btlr)|rfahx|a(yuas|dika)|lymvo|x(yqqs|vkkt)|heckf|em(lrd|ung)|gbgpz|m(iqpu|mfjv)|qgjix|o(mirs|zmpe))|t(bjwzo|gktoo|ignqk|l(htoi|wmzo)|yhxxp|x(rwaq|qynk)|c(tscp|uezs|xjvk)|a(wkte|bxuf)|w(tljd|qmhi)|p(bkpe|wiwr)|flltr|jxhcj|nxhdq|taqlm|uwyjn|rmpwc)|j(a(lkfk|xqvb|jhtt)|bhkow|hbuie|y(kzkb|sqpz)|soscb|u(nimr|yigg|ibzu)|opzog|xpime|elyup|jqwnt|irtmh|tvfvv|dsdbp|g(s(klx|trr)|goor)|fojag)|z(k(uvdy|frmv|iegb|tdgk)|jzqnb|a(hbfc|ngda)|u(zjke|cbqj|doco|ttvy)|lcpve|g(tysu|i(qtq|lac)|weik|ooyq)|htasm|o(nvom|kdnf)|rayca|f(bvsg|gwxa)|b(ynga|jmvb))|u(z(lezi|fiiv)|f(tzqa|fpne|imsm)|tpqpy|y(aazt|lsda|hrwm)|buwzq|cegdq|p(wsqv|nuvc)|apcqf|ulxoc|livdc|dlsms|shkyj|giyik|wrgpj|kcwxm|xrvve|qcbui)|v(r(djrf|wltd)|wqkjd|s(ssru|iejc)|lbmcc|c(elaa|ruxa)|o(usrt|cvca)|nvyvu|kwamo|jppdi|piylr|qgvox|mxtxr|fmwbn|uarhe|hnykt|ztspr|gzjuj|vyqon)|e(nrrqg|r(oobt|dbxn|ikhh)|pirbf|i(xgdb|bzfk)|a(ovhv|ldor)|mwfuz|b(vlui|cjlf)|k(tvdz|cpby)|hddzo|u(kywk|blcq)|twxzq|e(ejiw|kaxc)|zkqef)|d(q(o(cbh|vyv)|rawl)|pdmww|sqmtt|v(brww|eksn)|j(aqnp|rzsw)|tdhdj|mdmsd|nsapy|abjvm|ralgy|wnabp|z(qcog|mszr)|gghem|eligd|yhaji)|b(blfmk|l(ibdg|sico|jxps)|e(uyqq|qojs)|f(ruay|vjvy)|n(bwzk|qdwc|dghb)|z(slsw|tgjn)|y(yofp|qyse)|cymck|agukq|u(wmab|gghs)|rodbg)|l(zudtn|a(dzxr|fotz|kyxj)|c(hmqi|fgrc)|b(jecl|ovjx)|watqn|djwwm|k(prlw|kkyv)|tpysp|v(zvri|tbci)|ukjcl|i(stbl|nvfo)|q(dxdn|ljag)|e(vdit|txrp)|pyhvt|jdovk|rcgrd)|q(f(fuqg|merf)|urqcg|i(ruoe|eyca)|g(ocqd|pgyn|zylt|knqy|arwz)|o(fvmh|pjbt)|xsqdk|puiqg|cvpkh|lpfyp|eafgt|k(hqwu|aqbs)|sktaa|qbnjl|mrdyl|haqhe)|a(rdxgw|tfmab|hhxwz|l(vrki|hcit|pbuw)|n(xngj|gkrn)|qiapn|y(dxsg|sqpo)|bzkmp|mrarq|oyddg|iznqz|uufar)|k(ugdlv|l(xsgy|lhsn)|q(ztoz|blze|xmmf)|vmqlv|s(bmzn|svsk)|rfzgf|d(idhn|ljsx)|phfru|e(zeap|wgsd)|nkrws|f(eblv|jhtz)|maete|o(awnd|hjdc)|tktkw|y(azox|dmpa|kvbv)|wmekf|knvfi)|i(z(rmqb|cpgr)|ehbkb|n(cxcr|vllt)|a(jvmo|flcj)|s(uoix|tgwi|dksi)|uppig|hqift|dcequ|thdrm|czjii|vzicl|yvmua|xtoag|psxqj|gbwxr|fyetl)|m(exdms|itxki|x(unwj|dawp|zlch)|kscmn|mcfml|l(xvsf|byfb)|c(nrpq|arvh|szoq)|h(wcco|yogo)|a(vfhy|kxan)|t(vzik|feje)|w(hjtn|wwxn|knpn)|zrxyd|suevg|pfdcp)|g(wewjo|oqent|anvko|v(synh|lmlf)|geyhz|n(okmg|cjyr)|sfwrx|ptkll|b(xxgn|hcip)|ynqew|l(sxhx|xuax)|irgzx|qpcty|jrpjx|u(jxxv|hcfe)|eroko|rzrju)|r(tl(ayz|lxr)|w(rdoo|qzab|zhno|hjcd)|dyzlb|bcjkg|lruwg|z(cjjs|bnjk|wkgh|gmri)|qifsd|nkpgz|ukjho|k(gmyi|qorc|lupg)|a(cjzx|ipik)|hidie|p(pzay|xwvs|eemr)|c(lpcz|bjav)|gahqv|szzgz|jgwjb)|o(kukme|y(fxnj|vloz|oquq|acxv)|m(ckdd|baia)|b(iuhk|suwj)|h(ujnz|etsx)|lvwle|pzlpc|aymwv|q(bsfm|umrr)|gubnj|s(vfjp|zpum)|xzwsd|uqkjn|jeynb|csnvn|vlzoy|dlxgi|rrtjv)|n(l(wtsl|qejn|ypme)|tunqn|n(kwfv|lpbw)|gdpub|duzwd|sutmv|jkbls|ucztv|pyrri|ebdte|bhuvp|rvuxh|oyigg|igccr)|w(w(izod|wctl)|i(ezch|cmqg|gedb)|h(tbud|zbbu|fnds|cpdt)|vzpqx|c(y(kjl|jux)|wczi)|zufbp|p(sbxr|rcew)|e(fozh|pumk|vtrx)|a(vldc|krxp)|n(esxp|itfl)|to(myn|vad)|o(kyet|gimu)|r(kizr|yyvt)|jyrtm|x(izps|rmen)|dgabi|ywmto|qfgqg|klqjp|gejwv)|y(h(qjkk|wcoi|tdoq)|a(gmiz|ahsz)|k(s(pmq|khl)|xkfm)|jrqzi|mvyuv|cggrx|bzeeq|gkggb|sekzd|l(ppbe|hfhf)|qevqw|nczkf|rqhsg|t(sllz|ygax))|x(hiocj|nyxwq|r(hxep|pnpi)|ewyvt|wudnn|l(vkjb|wqav)|juxwl|p(rehe|b(smq|ywt))|fuxpk|osrye|yisfo|ugxrc)|p(balmb|a(wzxd|mdxw|jyma)|xxcqf|hpsqy|p(yrti|tzkk)|u(o(ypy|iam)|nqul|xzeu)|llnsj|vfycu|k(clud|wjvk)|rksha|wqpik|eujcl|crrby|tagzp|gydzm|fffxz)|s(g(wkrs|punv|nxuk)|fqfzy|b(maop|kwkq)|d(kyix|etlu|sbpp)|smgvc|q(ytdm|jemf)|jayxl|upfpr|txrmj|v(tdcx|oxoq)|nmyhs|hdstb|imupp|zsbll|apbya)|h(jyeuj|zblvp|pczqu|l(jugz|zzur)|nuity|vakiv|gammi|w(lv(zb|ce)|gzxk|nnjz)|u(vljt|gslk)|dkjdc|hgcav|k(mwff|qmup)|e(osbv|puia)|s(wwnu|nkue)|x(mbgj|ezby)|yhuhp|ajivs|ckshl)|f(g(eeta|assu)|uhfla|r(wbku|nvtl)|weers|k(enqa|dgpe|hnoc)|i(wxvx|ebco)|tvvqh|c(ifbj|mxze|padi)|yoifa|jidjj|hmofh|sdjnb|novtf|lxxjl))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633173; rev:2;)
# sid 2633174 includes 808 (601 - 1200) 6 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: "/(w(akrxp|evtrx|d(gabi|crii|qilo)|y(wmto|vgcq)|w(wctl|kymd)|tovad|qfgqg|cyjux|k(lqjp|daok)|ni(tfl|fad)|xrmen|g(ejwv|fvoh)|f(hpmp|upyx|rtgc)|lhwqf|v(hjew|jqbe)|sydna|icuel|htgwi)|q(qbnjl|fmerf|mr(dyl|msu)|k(aqbs|lkyl|hqya|oolk)|h(aqhe|oepj)|g(arwz|kfig)|pawss|ebwrg|xcbgb|wwycv|uvjtv|i(jmrs|dwxe)|jsnig|clxid|ytqcu)|f(iebco|c(ifbj|mxze|padi|xhvw)|y(oifa|tdsz)|jidjj|hmofh|k(hnoc|yxpm|rvkn)|sdjnb|n(ovtf|v(rxd|zsv)|gclh|kewa)|l(xxjl|dpxh|toao|aprw|nmxb|vjhc|golu)|thknx|f(rqtz|vgny)|pyrwq|vvttx|ojfrr|zviet|rivuq|a(wlpj|ynbw)|uehdh)|j(jqwnt|i(rtmh|btqx)|tvfvv|d(sdbp|kkne)|u(ibzu|vokw|crwu)|g(s(klx|trr)|goor|euwv)|f(ojag|bxma|uwum|eirp)|sxalb|k(iapn|cofe|hcib)|y(nujd|uzpg|pttt|fmur)|m(rkyq|ijab)|w(iopr|ccet|uejr|zpne|snqr|kcdx|djec)|eymal|n(oufq|nrbq|dtim|imax)|p(dmip|zlrr)|rzjfi|hatpv|xjkoz|lirti|vubzk|bmvdd|qglkm)|m(w(hjtn|wwxn|knpn)|x(dawp|zlch)|z(rxyd|zukq|ustn)|t(f(eje|gtv)|atju)|suevg|p(fdcp|rcsk)|c(szoq|mael)|a(kxan|bjdv|imll)|m(ucsu|bexh|mwml)|h(wuaz|ldjd)|qhyva|ghacd|kzwkh|r(jjsa|cqsl|eprq)|ytxrt|nfvha|uqgmo|fxjyu|dohqp|espfj|v(dgbb|egas)|bqxbl)|d(w(nabp|quks)|z(qcog|mszr)|g(ghem|pzbv)|eligd|y(haji|ezzo)|tignq|j(cztq|eibc)|l(ubhv|azyy|gpip)|p(yskl|xndc)|snucu|ktxuj|ourfa|vrymj|mpyye|dooyv|ryagb|idlqp|qxrqe)|k(f(jhtz|eold)|tktkw|y(azox|dmpa|kvbv)|qxmmf|ewgsd|o(hjdc|illd|zffx)|d(ljsx|edxa)|wmekf|k(nvfi|fqqb)|n(evpd|mwgf)|b(oval|hyju)|a(bwlu|vxsg)|i(oivj|fzfc)|jyged|phhge|c(kwpd|bjgo)|sezal|haukx|v(nlqt|pdal)|zxdxc|lahby|uflzw)|c(gbgpz|m(iqpu|mfjv)|qgjix|o(mirs|zmpe)|nhbwe|fbtlr|e(mung|llvp)|adika|bckei|k(bjtu|gxyl|aqdu)|h(d(zww|ccp)|xwoe)|uptzv|rmsww|plhel|jmiqx|iatjb|vcwnp)|n(b(huvp|ywnq)|rvuxh|o(yigg|ccgv|plxr)|igccr|qsaqf|x(ovgz|fjbe)|u(kiri|lyvs)|ddvjp|g(vmvl|wogs)|jidov|tsfmx|azwko|v(zmab|yoiw)|w(lzoj|clgz)|cymyw|l(ycyk|mknu|nyro)|zrhmm|nhjgo|e(upgf|hghp)|sjqgb)|a(m(r(arq|fbj)|anni|lgim)|l(pbuw|tbhb|ybnn|enhw)|n(gkrn|pkin)|o(yddg|puld)|i(znqz|kdgy)|u(ufar|hmtk|pird)|c(jgak|wfns|sgbo)|yesau|rvlpl|kebsl|emygt|h(lxja|brfk|opyv)|smpzo|wzxtr|bfdtw|pffke|tpsdz|xnfda|a(qvku|eiwc)|z(uirl|dtww))|u(s(hkyj|kjfx)|giyik|f(fpne|imsm|nakf)|w(rgpj|fsmg)|k(cwxm|dwus)|z(fiiv|bkmg)|pnuvc|yhrwm|xrvve|q(c(bui|njy)|pwnl)|i(murr|ilro)|a(dnrf|p(fqu|dmp))|lisof|evoeh|r(yxjd|fsvs)|httsh|u(veip|glkv|ihrr)|owkwz|bt(mxn|pub)|d(namt|yhlg)|npcuv)|h(l(zzur|jjco)|k(qmup|xqfs|mizv)|epuia|y(huhp|mddg)|s(nkue|hxre|ubex)|w(lvce|nnjz)|ajivs|ugslk|c(kshl|bqmj)|q(hrbj|xras)|i(jbvl|rmrh)|v(kchn|xrjd)|g(eaus|kwjv)|mzfuo|tsxox|xwpvr)|e(aldor|rikhh|z(kqef|mjjb|vntb)|ublcq|e(kaxc|vdbb)|l(ofbx|eamf|uvoa)|k(uohi|x(nyf|tzg)|frwy|jznb)|hjhpo|gyjty|joffk|nkfxj|q(gimg|dnvj)|bkpns|sxisn|v(pcox|nfjg)|wlxhc|faglo|x(kwtq|okzc)|tmeao|ojdte)|r(c(lpcz|bjav|czag)|w(zhno|hjcd)|gahqv|a(ipik|xaks)|z(gmri|xkkc|ysvn|vlbe)|peemr|szzgz|t(llxr|qtlu|vylp)|jgwjb|klupg|h(vtcb|teov)|yzcwe|e(eaji|mtlq|wjqg|cwnu|qyuj)|rarew|vhcoa|iweel|qkxmr|obaea)|i(czjii|s(dksi|ryng|zapn)|n(vllt|buhp|gvqu|husb)|v(zicl|yftb)|yvmua|a(flcj|lzpv)|x(toag|xrch)|psxqj|gbwxr|fyetl|ltgci|w(bgaq|jduf)|uylod|j(cknb|noiv|lrtq)|z(yesi|mjmg|vyof)|mfoay|bmhvm|hyhhg|ttnwq|qhvfz)|o(x(zwsd|dqzf)|uqkjn|jeynb|hetsx|csnvn|v(lzoy|vbhu|htxg|xnsc)|d(lxgi|hnvc|vicy)|r(rtjv|ufkm|sfbl)|zopqj|nxtph|kkvgj|b(fkaf|lbew)|t(pxdi|lbau)|qrppy|p(wasn|euwd)|oqorl|avscg|glfmp|euaat|mpkmo)|l(invfo|p(yhvt|unrf)|j(dovk|vttk)|c(fgrc|lfua)|etxrp|a(fotz|kyxj|hyhc)|qljag|r(cgrd|quan|wmzg|uhrk)|vlust|fwdjm|g(qrnv|wwme)|umcls|kdpsn|b(csry|pkwl)|sefcb|nswsn|mabgi)|y(r(qhsg|zmoq)|t(sllz|ygax)|ht(doq|cfx)|k(xkfm|skhl|n(ghc|ief)|fuiu|aici)|mmmmz|w(dfbq|rabf|bahe)|c(psuh|volw)|ng(uhc|ian)|i(tidw|eeig)|urhuo|l(mveg|zpdq|vcdv|huoa|xlyy)|bzuzo|x(zyoh|ufad)|suxhh|eakji|jstgj|v(lwju|mpux)|aajor)|p(uxzeu|eujcl|crrby|t(agzp|uzzy)|gydzm|f(ffxz|ajps)|j(gnxa|okfq|dsud)|o(u(uyf|wva)|jdpv|xuob)|i(gttc|xnvz|zhru|loiu)|vruja|rdmjc|whnqz|n(dxbh|mmmu|pdgo)|xgtru|mfsgy)|x(p(bywt|epbn)|y(isfo|oadl)|lwqav|u(gxrc|dbrg|pozr|rszx)|n(ljrf|wwxv|pjdw)|o(ixsh|jxiw|cqhc)|b(jezt|qvvv|kphp)|k(xnkk|tcas)|i(usku|ihdk)|e(wiwl|iger)|hpoou|xdqtm|msmie|qjiun|gvuel|jnnzu|tvhho|cvbdf)|b(u(wmab|gghs)|n(qdwc|dghb)|y(qyse|hipu)|rodbg|c(tdcx|rmaf|yfvk)|l(nama|bgfa|wfeu|jwxt)|qmrrb|v(cwev|gfma)|epwug|oxjec|bqjaw|fuvcj|kifhv|moiiv)|g(n(cjyr|eyva)|rzrju|b(hcip|aklu)|lx(uax|onw)|u(hcfe|zzjp|uazl)|anxii|e(extv|feak|cwpd)|t(rkxw|wtun)|g(oinq|malc)|zeygw|p(arru|ctdu)|c(lvfe|uckp)|mqbxh|x(idcb|ucih)|q(ffsa|cyxg)|kqlqs)|v(fmwbn|u(arhe|ogfm|tfpp)|ocvca|h(nykt|rqtd|zwro|murg)|cruxa|r(wltd|vebs)|z(tspr|zlvf|msev)|g(zjuj|ckor)|vyqon|anvts|kpujz|x(jloh|pulr|qsie)|dgiqo|q(vxvt|bamb)|bifkt|tzcxk|ijyqu)|z(k(tdgk|gacg)|b(ynga|jmvb|mqxa)|g(ooyq|ycdk)|f(gwxa|xuhw)|ojeum|w(mhky|irtk)|sdtuu|j(tlvq|adpz)|veyyv|r(nvre|lwfh)|c(bzmw|trfr|dvcg)|x(xkhh|jvmw)|doghn|namxa|uyviu)|t(cxjvk|t(aqlm|fgar|kpkd)|lwmzo|a(bxuf|ezva|icco)|u(wyjn|xqfm)|x(qynk|zggd)|w(qmhi|hqmt)|rmpwc|m(eofr|upof|npal|ivkr)|zrfrg|qsncl|ecgpg|oaszf|potnw|isktw|jccxd|glwsb|kfwwr)|s(q(jemf|uctj)|hdstb|voxoq|i(mupp|atnq)|z(sbll|bwpr)|apbya|d(sbpp|faaf)|gnxuk|l(uupi|zmvr|ijkm)|k(fbge|gpio|ecav)|xcebz|p(vxvz|wbaw|edry)|ejgau|y(tjys|sryw|jahs)|w(kpcv|xaur|tnsn)|tpsdk|snubw))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633174; rev:2;)
# sid 2633175 includes 208 (1201 - 1409) 6 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.org)"; content:"|06|";content:"|03|org|00|";nocase;within: 9;pcre: "/(w(ehisj|f(uonn|dcss)|tczdx|kbxbj|lixzt|ulnpp|hbphs|yfoeq)|g(l(irii|fgkm)|ehutw|t(enuk|arnc)|i(sdnp|hejd)|gyhih|vqdzv|fnjbg)|z(t(dwpg|uqdz)|rwfyt|acrhr)|b(qbbrz|edjch|rrfub|lgxyp|gjfwr|mahnm|ymqse|vjekb|dpdnw)|r(ddvgm|jwijl|gdpat|v(baso|mtap)|xwodh|zwtyf|pdbet)|y(bdosc|euape|uazdi|ylgyq|qijlu|dbsyf)|k(nieux|vpopy|lirrz|kucxt|rbruw|mvoto)|j(htcit|rxxvn|j(voik|ekbq)|f(vuts|zkxo)|ugfpy)|p(cojnc|gxkjk|z(oqop|ejkt)|qzcil|fduty|rodkj|togcj|kwgdp)|e(uvbtn|vyfxh|lfbtu|g(rdjp|dhed)|pgeid|thmdf|bvzxu|qbglk)|x(elnyn|jinen|uz(ttx|xop)|swyyy|okilb|ncekx|bgmud)|l(q(hhmh|khob)|yeldc|dmjgz)|q(byqcs|rsdxa|m(ztdl|hqsu)|pmruk|qjxgp|falvn|adclk|tfdla|yayhu|lmayg|cxndf)|i(e(cfoa|gsak)|iohbk|v(kigf|qqni)|shkak|n(konr|bhua))|c(hegtc|anbvg|wsqvo|yynvb|ocuwt|ftbqu|cfxgq|i(pkvg|ucdf))|a(vdcbw|uobjb|lycqq|qzupr|wtttc|xrlrf|sfgkh|kczjz|zphth)|v(g(ojan|coxu)|qklku|y(gskm|nctl)|misan|v(jzzb|hdte)|dfzgc|tqunf|rndzo|smaly)|f(f(oyuw|dmek)|zdbbo|hunta|bqqsf|pazde|c(vzro|ixld)|lidbo|dxbsa)|u(hvhhc|g(slne|krvy)|a(svug|hdsu)|ygbwp|usppi|tonzt|qbnww|lohle|ftcze|zyklp)|h(vdaly|snhfn|rghek|d(vndy|tpck)|jlfac|tkclv|e(ahkc|pkza)|kbabr|fbmay|lcxjz)|n(ojzic|ibnme|sluqx|dvtks)|o(jktsq|p(ctpk|fcja)|alsoa|ubgrx|iqbnf|tqpff|dpjgl)|d(vofzr|pnuqe|fwsnu|jueqa|hmgly|dzhqx)|t(khnlu|jyjjb|rdpau|hymxc|obeqb|blenh)|m(pqkhu|rksxe|zkayv|yrpbr)|s(frsar|dgtgy|mywvk|lrwjy|gjdxa|jyijj|nvbuv))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633175; rev:2;)
# sid 2633176 includes 600 (0 - 600) 7 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(y(nxfoon|xczwht|kwwduy|c(cavsu|kxhqx)|iiqlyx|mrthug|w(ueuha|ijydf|qhpsz)|sdpurj|otvyeh|e(thzks|kmyqc)|t(jsuqs|yifik)|dsxurg|ugvcgr|fukoxq)|e(slyuba|e(obslp|qyyoc|pasct|svhyb|wfrru)|u(wolur|hdcgq)|c(rzixt|owmbe)|i(tovls|eghsh|uhktk)|l(evpqo|npkix)|ndlanm|opwwzt|hbddlf|a(qwxjb|zgwit)|mfmlit|vqalrl|pvxojj|fktsig|weknyj|kgcfev|tqleul|jxezjn|xbxasy)|j(dxwmmv|w(toeyn|zzjjt|fvezb)|prwjqq|lpvexx|e(genfq|tbokj|h(cjdc|lser))|i(ihter|ljivn|oucou)|gmycew|cjjuhl|v(bxnkw|mjnvf)|tjzesc|u(pegms|wleca)|bvsslf|jbxgea|apelke|yhypna|q(voijh|onrfu)|hidtva|xvbicc)|g(b(ystci|uyjiw)|h(zv(nkx|wwr)|fmlgk|w(yuht|rjyf)|ksrxh)|otmquo|k(zkbun|wggqe)|lrfqur|v(oqabl|pfrrv|ltcfz)|wfdslc|xenvrr|anxrop|pkfqno|iknqtn|zf(pfkh|fdrv)|mnklvm|uzvxnl|nreurn|dqzagw|t(qbcwl|bvjyf)|jztmmr)|m(w(hhjeh|upuzn)|xdjkpz|y(bjbyx|efuqg)|azaeus|r(jrdpg|f(awmw|hrji))|pahddp|zkxera|n(pattp|kndrf)|t(vjlqb|cixvc)|q(eqdad|adgqq)|ouikjn|kzcxlu|i(yvskk|nhjrf)|d(poxjc|rpiaz|josxl)|joqskb|camqwi|fmdhly)|z(a(dritp|isowz)|y(rfxny|vrzlw|ybclt)|mocgis|i(xxhih|nlple)|vuauos|w(ayiqf|rohkl|hxmpx|pyrys)|k(dqgkh|qdplz)|pasiqp|jchlyi|rlpzqz|grgiwg|n(qzypl|wmlio|jrvyo)|smuexy|zqrriy|eqiibf|lfldss|qkxjnt|hribat)|v(n(dtdce|bdjqo)|j(iavhv|ejtfc)|abnjof|q(qhnfx|jmatp)|lryavo|kzhwwh|y(dizqq|ocrwt)|b(qokpt|jjtor)|zdgefb|ixyrhm|o(ptsdx|sefdv)|ggkljj|rvizbd|xxsnae|tmvfez|vhmsxb|s(lgqai|cgjgg)|ulinuu)|k(z(vweec|yoajv)|foabow|ehtssv|m(skatw|djscr)|t(ziaow|cxiwz)|qeitee|vnacra|iqbdtf|bczzcg|h(odoof|xrpzv)|rxucgd|clsipm|jckjir|yclfzk)|p(a(xtaar|wyukn|awhes)|f(dmpcn|rujyc)|uexoao|tcxmxu|i(iaajf|egqan)|mhrtxu|y(evutb|mwdoj)|ppkxgv|c(gvxar|rtscv)|e(fyiob|jexfp)|q(nanuc|knthu)|d(zntxx|gyeth)|wszhns|okdvos|htkpcx|lsuxln|s(lsdgy|ynqlj)|gnyyqy)|f(r(ogkzn|tfuzh)|w(pvhsh|nvlja)|mebnkz|o(tebjf|ojzio|hrehx)|cwhwnt|hrltfs|stcxsy|usdybs|a(nogrd|etcrx)|v(hpoxb|tshid)|qakfwt|jeqhxt|ezkztf|khsxgv)|b(f(rfstr|jklai|njqwg)|jptaeg|hxhhhl|yhlyre|k(stfnu|iskdw|ynhtk)|nkeabj|doxgca|whdlts|vhcils|o(hxqdv|yrqgr)|qvvsyc|mpeteh)|i(a(rvjib|vcigy|uqley)|c(bfvqu|cjqmb)|i(hikbl|cnevb)|bijvqq|rsfrmd|lcakml|m(fejav|tswgv|vqzoj)|u(etiwo|zubdl|jdrpz)|syfvkb|p(otjdv|hjhpl)|fkkwuh|z(yulqn|guwsl)|w(topuo|rysuj)|k(hfobd|fcpgw))|w(o(qaeau|xiair|eakuf|vzywn)|i(cqrvu|eswaj)|k(bzzie|wyrwk)|g(qzpqo|ndfaa)|uw(ssqh|uzgx)|y(zfkeb|xtzdg|psfiz)|raqgmx|j(dpsll|oygvd)|s(kdwyv|cevmt|pomoe)|ftbibm|nkoihl|l(jhqsf|aoevw)|xzyfkj|m(qpooo|zygyo|yebnj)|etviaj|chwdzv|tfiiva)|l(ojaeso|lbifif|j(c(vjxs|tffe)|f(kqga|njdc)|hzhqi|mkvym)|goimgt|x(idnjd|vhtde)|atlkyj|t(frxqm|nifqf)|k(xmita|kpsnl)|rnnuol|z(wbxzh|pujkd)|vazkrm|s(vrtgr|qojah)|fsdxkb|mjieku|ekbsmr|dzngke|byvnml|irriig)|x(gdryip|m(dswus|lvdnv|wvbkr)|l(jjguv|gvyzo)|jqfhui|ulyjgf|rkzzkr|paczwy|xltvee|y(hvlsg|fafkv)|wtddxh|nplspt|tyhoyi|zhbuek|f(lkbzr|hvuxn)|hkaokv)|h(e(lnjhx|ftuvr)|i(hqjul|nlckm|edscy)|myfidz|y(dhnrd|lynog)|huutpr|jypdun|pnyoub|ohvkrx|zeeifc|fbckxo|v(zlyoi|jmnpn)|uggzlg|nakoed|gutwea)|t(l(omaka|jncfr)|p(ztbok|jdckx)|t(zrzlw|hfscx)|i(ebagp|swbig)|x(becrw|xftqb)|whdrcg|f(mwtwh|jzitr)|n(mnfxn|farlw)|bowxpd|qembuq|ulcyej|gdyvna|zzledk|ayzuej|ekzyfm)|c(eqcoju|y(udlxg|iwgxs)|u(wdode|rzktd)|v(oeqgc|emaxu)|f(scdie|visii|dobdh)|s(lprnm|fbtpu)|w(ghudn|fzdrp)|m(mkcge|gwtuh)|pymkhr|kttlxl|zabhgf|b(ulgcn|whqnt|bczrg)|l(qtohh|ispno)|ndbxnn)|o(z(avyhc|jybaa)|ypulhr|bsddjq|n(luskd|eoenb)|v(wyahk|cojas|hkvyj)|kiatra|c(cnwlh|rysyl)|hnkkrl|puoyox|ispdva|auxpkv|grkion|rgqgdw)|q(h(oinnw|hjase)|ixxgie|l(fhbsh|rjhar)|ywgszx|g(yvbmd|lmkah)|v(nhbpk|pokzv)|wfcggm|jdldep|zyroky|cqtkmm|utjdbd|x(pqkee|uutqw|gdxzz)|d(fxtxw|afkwv)|okjyjx|ecsbxq)|r(w(eylrt|qitql)|ckkoki|x(pfvic|qlcdh)|iceqxp|nktkwo|f(eagku|cbgrd)|dovqis|l(xkkbx|kncsl)|pvxuxy)|s(eeclha|ohvmba|imqchl|u(sapve|pcuwu|vrchw)|z(idpqe|h(gcep|sqbg))|hbdxjc|nbfcfp|k(sgylg|kxnzr)|yiazrk|sipgty|rprhec|j(cspka|adcvl)|fhnfhx|pyvyjb|xsmcgr|mfvxkm|adnjun)|n(bukcgv|q(rrakb|yaxjx)|s(qxeju|abaid)|v(bmfwp|uqpcc)|c(wyday|bixct|cpwri|ljrxz)|mgthnw|e(xiiuu|wnxgp)|y(mcxov|imxzo)|ddtwve|agflac|nhrggd|fmwthh|uejxcd)|a(j(wegwm|dzlel)|bthamn|niypzl|q(uxkja|yxiss)|ewrmqu|z(lstgo|twlkf)|a(vbpco|yiniu|zdaiu)|r(xcsij|ooxte)|tibulf|plnfkw|w(lrwhk|dfazr)|uxaoth|mipddq|kzunlj)|d(u(ldoyu|uqdxt)|y(yblif|jyknf)|mlveon|l(kezqn|tvtym)|xjrhpg|erruyu|zmbtqd|pvrwgh|s(owhks|tnkgs)|bjpfxq|oddmzv|njkvza|h(hjere|vjhwq)|qzldob|wmxvpn|jjhypf)|u(zniito|l(teiga|qjxym)|g(owhfh|jkgvn|pqikg)|e(ynorg|tchdt)|hggacm|f(gqqpl|ubrcg)|nbfbay|pitsfs|wxmgzq|slihzc|rqsnjs|c(uiqyc|xwuci)|ibmgcg|miswuv|jahxsi))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633176; rev:2;)
# sid 2633177 includes 802 (601 - 1200) 7 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(s(x(smcgr|tehdm|fsgbn)|m(fvxkm|teske)|jadcvl|a(dnjun|vukuj|hdkue)|kkxnzr|z(ckwxv|pdejg|lrayy|qxyld)|wjkwef|v(xfmfn|sriun|ogdyr|phksf)|r(xbvdu|oyzrr|hdkez)|thxzle|gfknlg|yrfibu|q(gdkab|bqyji)|d(itiko|pepyq)|ukfbhs|iqnenu|nhqwru|ppltmz)|i(w(topuo|rysuj|gyofa)|k(hfobd|fcpgw)|u(zubdl|jdrpz|iqnow)|auqley|z(guwsl|pcjrd)|mvqzoj|dyxfzq|r(tykao|jtovl)|xdnrsu|gjwhzd|ylcrig|texqhz|l(xaoen|kwbhz)|j(diuqx|hegau)|phtbow|cqvgfh|sxadvt|fifovo|nreqaf|opmlon)|a(w(dfazr|npfbt)|m(ipddq|shtgq)|azdaiu|rooxte|z(twlkf|dhytl)|kzunlj|e(xdtxm|zrbmq)|b(nmvpa|rhbln)|l(yiuld|altwz)|gvqxmc|nqzxca|qaasrp|indyzr|h(gsnkw|udlgu)|j(xwphr|afrbq)|xklcxs|ummnic)|t(a(yzuej|uisko)|n(farlw|lznzx)|xxftqb|t(hfscx|ztycv)|e(kzyfm|zpjwd)|qcwkcw|y(etvir|atuqs)|gicpzm|h(sjpyk|deppe|zrkhr)|sdvtus|zh(mtmr|yadu)|wslidq|jiaxzs|plqnnq|f(sndtk|hsgbu|fmheo)|v(pnkfo|drsam)|mvilrn|lddalj)|j(i(oucou|dzqzg)|yhypna|q(voijh|onrfu|gexco|tmego)|vmjnvf|uwleca|hidtva|x(vbicc|fhjlq|xkvxr|ijfbw)|aaqtax|g(iytcv|rjnzm)|mbhmsh|tlgyno|wqrbcl|cbacmg|f(fdyuo|ribyb)|dwrnub|ssewpq|zcpiri|pfzwkb|bqylnj)|n(ewnxgp|nhrggd|yimxzo|c(cpwri|ljrxz|neuna)|f(mwthh|rwfqp)|ue(jxcd|zeix)|w(gilhs|mibqp)|z(yxbkg|gthcb|jsjso|xtyqw)|j(jwaui|xzgxo)|v(foggo|twhib)|k(vgazf|paqup)|s(wcamx|ochmk|ywdas)|rqizjv|x(rqfkt|izrzo)|pyzphm|i(mngju|znehi)|ovlecd|t(srams|wzulv)|l(bhqtm|downw)|gvgagr)|p(okdvos|i(egqan|piaji)|crtscv|a(awhes|qsafn)|h(tkpcx|intnj)|e(jexfp|cmpvl)|dgyeth|l(suxln|biloq|wcgfm)|s(lsdgy|ynqlj|qblkc)|gnyyqy|f(rujyc|xmhtl)|xcpfzh|b(sascv|eykih|bindj)|ptrnzk|m(dijha|fniew|cgrqt)|vhffiw|zdtvuz|uubmgt)|v(yocrwt|jejtfc|qjmatp|o(ptsdx|sefdv|uxdea|dlrqj|cdtqf)|g(gkljj|ohfmn|vjerl)|rvizbd|x(xsnae|rktbx)|tmvfez|v(hmsxb|gemfw|ziqau)|s(l(gqai|pmvn)|cgjgg)|u(linuu|badwy)|nqyair|draght|fvntun|hewhhk|m(atxco|jwkna)|k(btrsp|qpsot)|ihnnin|aleizg|zpjyit|lqdpxi|ppsgvf)|z(yybclt|w(rohkl|hxmpx|pyrys|ykzas)|e(qiibf|fxdid)|l(fldss|zjuoh)|njrvyo|q(kxjnt|ejpkv)|h(ribat|zewpi)|inlple|c(fpvti|yucto)|b(wukei|nkdtx|dsyvs)|uazedk|f(yfunk|scmeh)|xdsuep|ztnzhi|gxiral|rkojko)|q(d(fxtxw|afkwv)|g(lmkah|kuwmd)|h(hjase|kgvls)|vpokzv|okjyjx|x(uutqw|gdxzz|qjorw|hexkx)|ecsbxq|uyzwha|fiyrfw|wllort|acpccq|qjqgav|ckeynu|khbuqx|pl(sybs|jybk)|nmefqm|t(bcgdj|axqmw)|zekurq)|x(z(hbuek|ioqnj)|f(lkbzr|hvuxn)|y(fafkv|nwdyd|shedu)|h(kaokv|xsusj)|m(wvbkr|pdwtf)|l(g(vyzo|tkpy)|pucbv)|j(ymtew|hatoh)|ozbccv|c(iyube|aluar)|k(ohfhz|hztbj)|p(umaar|rlapb)|v(pxwrm|ynqbu)|d(dyrpo|mmcss)|a(vveut|cuneb)|uomcpq|qktirl|tchiay|ertzyd)|k(h(odoof|xrpzv)|rxucgd|clsipm|jckjir|y(clfzk|rbkme)|m(djscr|ollvg)|upgvqj|nitoef|b(hzzzj|bxwnb)|s(rtxnl|tmbdq)|ifumut|wwfivp|x(wsbgc|bnbpn)|tjtrhe|peuhkg|frdpfi)|e(p(vxojj|loowo)|f(ktsig|eflii)|i(eghsh|uhktk|bnrof)|weknyj|lnpkix|kgcfev|t(qleul|mrizs)|jxezjn|x(bxasy|xnnas|yhqbh)|hhzqjt|b(wtlku|ndnui)|mkmdax|egtyqt|okvssj|d(jbgcc|rnoov)|gyjqeg|nnswxy)|f(u(sdybs|gzzdn)|ohrehx|w(nvlja|syrar|brttk|okcyt)|a(nogrd|etcrx)|v(hpoxb|tshid|yjezl|xctmz)|q(akfwt|ffgxq)|jeqhxt|ezkztf|k(hsxgv|duasr|qxzjh)|h(rvfvi|dikst|qhezg)|z(nnrrc|rxbwb)|lsaegz|mozvag|s(lhlfz|ynjyw)|gjrsfw|c(yasnq|xttqg)|dtkgjk|nyjibj)|h(v(zlyoi|jmnpn)|u(ggzlg|rmtcv)|nakoed|i(nlckm|edscy|qnbav)|y(lynog|podfu|nntkt)|g(utwea|wduvw|btxme)|d(ibsww|tdlrf|zngim)|mcnddn|c(uvymr|diavm|ikkdk)|r(uhaps|okjnk|mbjab)|o(hnbkz|qaklw)|k(pjyjd|lggnb)|p(tqpth|rmiws|pgljs)|hvpugd|fzxgut|s(ekvvv|wxcyw)|l(wsuzx|okgub)|tkzuiy|xagjjv|bvhlbb|wpogrx|ekrmlg)|g(d(qzagw|mvgvz|zxoyj)|v(ltcfz|nroan)|t(qbcwl|bvjyf)|jztmmr|b(uyjiw|apvrs)|h(ksrxh|vpifl|qdijc)|s(iiief|lrrdn)|lemkau|ajuarq|yzhuam|ivhhzl|gzeobp|u(ikbvq|bqwdr)|fegbee|qdntzu|estdzl|z(hjypc|tzzrf)|w(gosif|vbxcw|yvpyw))|y(e(thzks|kmyqc)|t(jsuqs|yifik)|dsxurg|w(ijydf|qhpsz|giihi|avbya|hnmkc|ycvxu|dilqh|zfgpo)|ugvcgr|fukoxq|c(cakpt|bxbpj)|m(tciqk|kyzvi)|vdxsro|g(fpitd|nngav|owqea)|r(rutgq|qkdeb)|o(kcynn|xidxx)|q(cvnak|fiyga|skvle)|nuobsj|zjwgyh|knchkz|bnfxhs|a(iczku|jhgxj)|jwftps)|o(c(cnwlh|rysyl|ehfog)|hnkkrl|p(uoyox|wcpch|bxhke)|ispdva|auxpkv|neoenb|grkion|v(hkvyj|gcfuk)|rgqgdw|qddcnr|ezjrrp|l(upeta|mauuy)|usfvtg|t(hcqkh|lvrji)|x(jsvli|uotry)|dlbwnd|mrrcyg|ywkwyu)|w(m(qpooo|zygyo|yebnj|fmhtn)|g(ndfaa|ionhu)|laoevw|o(vzywn|dcvmd)|etviaj|s(pomoe|hefvk)|y(psfiz|rnmnt)|chwdzv|t(fiiva|ycftw)|umtknt|brhnlg|z(hthzr|leepj|mqcdy|bxihb)|p(rpojs|lnvpm|ugrmh)|qzczwu|k(mwreh|besnv|jfibs)|d(xbnvh|seuog)|iwiebs|hlqpii|j(jzeve|ckgem))|m(f(mdhly|wljhn)|r(f(awmw|hrji)|orjzt|acrxf|ikocz)|n(kndrf|xgoub)|d(josxl|t(jxje|tova))|inhjrf|yefuqg|pndzra|e(bbaaw|uvdsp)|vduufp|sxmwgb|amdrsk|tmupce|hhxrgr|xafjfu|zjgyyr|wskeye)|r(l(kncsl|eqlit)|xqlcdh|f(cbgrd|mbqbr)|zhucbd|wnmklp|r(fdivb|pdakk|dxfjj|axets)|mpezrx|cdeyka|o(ioden|njavz|ttsmb)|vgrcif|jfriss|i(jpyth|vrelp)|qhrfue|dgnsem|n(wmsmy|seeas)|bxvnrh|aaolfw|ssixnl|gygxzx|ytpdfq|utsugl|pmduus)|l(k(kpsnl|juszt|scwmd)|j(mkvym|nvkim|eyoqc)|t(nifqf|dcxou|gdjyy)|x(vhtde|pnong|qhkhz)|b(yvnml|qcxvl|eqvey)|i(rriig|zqodr|klpgq)|svgjfc|wrgasq|qoizxf|cwqenu|uulcsq|eamcwl|drbaru|fxpzdz|h(nfkig|sjdny)|gtcmsq|avvtyw)|c(l(qtohh|ispno|ytewz)|f(d(obdh|ucml)|ntgaj)|b(bczrg|fsucb)|s(fbtpu|wrhza)|vemaxu|ndbxnn|w(fzdrp|trhiq)|mwvgje|e(iedrc|vemqi)|cbbiew|giyhqv|xzlotj|renlsg|j(xryfw|qbxys|sqxli)|uzjtrn|incmot|yrvzql|zipgxg|paspyf|qrxuil|hgrbly)|u(ibmgcg|g(jkgvn|pqikg|safvw|xwnpq|kerzu)|miswuv|j(ahxsi|nczze|u(qxrj|ihmd))|f(yjmkg|bbdnd)|p(cakia|qjeux)|u(blxub|ygtbj|uodal)|zdxfyw|b(e(tzaf|zeei)|djifp)|d(yelli|wgiww|daiwd)|ahtgfg|tzyako|x(oiqrz|nwlqf)|s(ghnwl|mkwbv)|q(xbola|qaewy)|l(zmrhk|egmue)|eggzco|yvmwnq|wytocw)|d(s(tnkgs|yzalc)|jjhypf|hvjhwq|g(opmks|bseyx)|vqdofa|z(fjtbe|krvgr)|p(rvufc|kgnmu)|tdvvrg|lrijjy|klodek|bclyjb|e(zmfqf|smwlu)|qhmhfe|osejey|xjdskm|cmndaj)|b(o(hxqdv|yrqgr|pzono)|q(vvsyc|lyknw|ndmjk)|m(peteh|udbsg|lzatz)|kynhtk|fnjqwg|llohcg|a(oythx|auvmv)|h(isaye|lupub|xbcdq)|dtakgu|x(ahams|koywd)|z(jtwyn|nufny)|p(yqixh|cwxfq|hjahl)|cktgbd|thnccc|splqjz|b(glucr|pnypi)|y(rehht|pndut|mexlm|ogkea|xsqte)|jfbjvc|nzgzzt|imaino|vcrjan))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633177; rev:2;)
# sid 2633178 includes 202 (1201 - 1403) 7 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.org)"; content:"|07|";content:"|03|org|00|";nocase;within: 10;pcre: "/(s(releso|pdnfwn)|e(vztiyj|efbssa|orztvp|ftjbrl|nzhgtl|mbhltt|pprsbo|jzatka|amymhx)|a(fqxkio|v(rmbvo|czgxr)|zfexfn|m(ojfks|ypyel)|jcdjrv|eefynr)|w(n(uaqby|myshy)|k(uihll|wtmpc|zoand)|a(maiuz|fwcfk)|wkfvvr|ikmqpe|xyneis|ufkbxj|rflske)|q(srrprk|q(hdmvs|tygnz)|retgtm|j(amiiy|unebl)|hpphcc|vwialg|ltrcob)|d(eyrahe|qrbbbb|weaklt|rhvzsr|j(apyjj|qbcks)|nbkbyq|mqykqj)|f(akuqqd|c(vdlxd|ojimc)|nflbwl|tytkny|liwchz|uxryqh|kneuqc)|n(f(cnhej|wkdwo)|ndhbrx|tsxsrz|oflqke|cjktpp|k(udmho|wjtuq)|vbsgry|ajdjmu|w(lwagr|cgeox))|r(anpxbv|jnzgwe|cjcxnm|g(tvciq|ojdwg)|yxkbuu)|x(m(dktub|itnif)|w(vrhln|xakof)|koecbb|ohlxcv|rnlwwm|dupbvo|xjcxoj|uftkky|jtfvnu)|j(qfrigh|axlvad|towalr|yksqwj|wcmnxa|xpzmjr|zxnjyg|nfepvv)|m(z(tfeus|izggi)|ezwxwq|rbamyv|nuxbxm|xeyiuu|onokks|cywfaq)|h(xgymix|zqojoa|uhmiqj|mljksa|epekps|tulzzd)|i(nnpiyf|vvxfcc|srhcle|edctdd|ulsnml)|v(lekgdm|djysoo|pbdpza|twowoc)|b(sjtwlc|zbmpwh|oxtlmx|auukfw|vjnvrb|tslgwf|uglshi|qbxhkd)|u(vlybyh|ojhjpj|wygkzj|qtvuzv|yaibia|h(ccdst|occjn)|dxktlp|z(muvte|gvryi)|m(mvnyt|yumjf))|k(elcedp|befmlg|yeapfl|ulpzqr|q(rwmcy|zakdw)|avmmlp|jtjdtw)|p(vunxdr|bkvzbh|ekpvnr|lpubdb|plrxfn)|c(r(ddzms|uyijm|bfiae)|pleajh|hkkgbz|ubssuw|nzuvus)|l(xtlalz|a(kvwvx|yxipd|cqzlr)|bsbosn|lejqwj|vxikrg|wpnydm|gnynxv|m(hpxio|bwzby))|o(avpsdn|doazjp|o(zuzdm|xgjuz)|mbpxxs|zfjish|rcfpxc|ctnuua|ipruck|ljivjn)|g(idepvr|ciebsm|kplwom|vmjwez)|z(fovvfx|cfrgla|s(adyfw|wtbzh)|i(nmqpt|cohsh)|avrhzk)|t(hegzpz|dhgmto|fdjcuj|bxrdtg|gcqtda)|y(n(qgdqg|uaoxj)|jrmusa|afmonb|soldwy|zjgoom|wnjsrp|leamos|eoxvdb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633178; rev:2;)
# sid 2633179 includes 600 (0 - 600) 8 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(v(xmscyhd|utareci|cyocixh|zmtlqbp|jckubiu|wvckhcj|ikesnbz|ecjpvbk|aqptyno|bojlyfj|lobxano|v(tqctpg|du(effo|qouh)|nherdu)|telmeir|nbdzcqj|gwcjqka|y(xgrpsc|ucmnrs)|kacnume|pdbpife|dlnqxrp)|r(zefcqqi|y(fjtxlp|dqxhbj)|g(wgsxqi|delgid|tqzgbn)|n(hgpzrm|ceddsy)|x(ynyceq|dhcipe)|mweglrc|r(ikjktm|bmsmuw)|s(xrlqmo|cwmsyi)|c(opsjph|tdwuan)|wlhsrgd|t(emijlp|bttpra)|vr(abiav|ndosk)|h(bayopl|ymzhfh)|awqkhwj|djfptxk|idlhjxv)|u(c(emlxmi|vyjuid)|krwfqgd|piwkuuc|h(mrhwof|esmqtw)|n(ujcwhe|hioczx)|mqgajzn|adwnaao|qlnwpmc|jnyoppa|gsqbdcr|zhchvmv|wiojmic|otajacx|vwkjbrc|b(lqgjss|bckzcb|nqqdaf)|idwmgbx|t(guklug|eonscp)|ydjjnfd|xdvbhsd|r(u(xjjws|vnlek)|vbuylz)|e(iwubqr|toyfsf))|d(h(cyufyc|wvwdrs)|vmyaskb|zkaxchz|ykikdev|douvboz|xmhvguw|s(edlgie|nlrvcs)|lavpewq|wmqrroa|j(dxfofb|onxuax)|onjqjim|fcqmbtm|bswmklg|tcmkzhc|ipxapzd|pwhuvye)|l(z(igpmrd|trtxjc)|speupro|puosqen|x(zuikvt|dhlute)|kbjhfua|nwxrjmd|tmoelzm|dkthdgp|q(kiddkd|swhbjj)|ytaeqlc|uy(dcvwn|bglit)|a(bvjljy|pfhaip)|brnsswp|vwawuww|mwbvtqa|g(dfxrjl|zracea)|inbyowv|omvcndr|hbtybvu|j(hprzik|nrxxsu))|a(v(sqjxbm|qhwivj|bhkhom)|f(kzdxuo|opljyk|bnirqs)|k(ibkokx|fhqzbv|dmccfs)|tdhfezg|j(jzpgjp|sgtwbm|vkokfl)|x(klamex|ekxxio)|w(uxqrqz|swmwbc|xtejrr)|sghymit|aujoafv|y(xjfeel|dohjso|tqkpgf)|r(iujgtx|lyzhhh|ryviow)|iafmzva|p(rzsczy|cabiec)|gupsfxx|mqexjdr)|o(l(mkazop|nikuwd)|i(cbxskf|t(tqkdx|lqdiy))|vzmolkd|twluqhz|m(ajjnnn|ttkewv|zawmss)|kgmuvgp|diiqglf|rkezjfr|jfoxmpg|swiouzp|o(wofxmo|nnxlvq)|fhxpigu|w(ruhioy|hclnzg)|g(ayceei|hphlnx)|erxjqni|xnbkrrl|qryeprv)|w(i(fxeanv|zxvyel|abfgdf)|fjnmkcd|g(uzzbep|cdvtvl)|mtteaoy|vyedlzp|dwymins|ejlthtg|c(rlavof|etnxdl)|llntjmv|y(yjyegm|usgixv)|zzgnwmc|qa(zhhuu|yzrzp)|xmoodas|hsmzlho|pzvoxxr|bjgjpud|nlehetb)|x(t(g(qoftk|dvdyd)|ryimyj|apicge)|a(iusbzd|nlblmx)|hevptay|y(tthqkm|jrdxcv)|d(jcyoya|ufwxjn|tftbac)|mlmmrhb|pnzpnte|x(pwmptr|xseref|wlfwww|nnggob)|noaaqrh|jasgexk|ipfjsiw|bnvizfy|rfntvkg|zrigqou|khzosww)|h(sisohfh|pa(hugnc|ylfyw)|fuffreu|affdbjg|mecnnfw|e(jperlb|svldkr|xwxadk)|hobmlfp|lumxhtj|d(ywztzz|swpbnn)|nrlgamv|uuoxtob|z(ypfclx|lnnyzs)|gkfbuzf|rddmdfd|jlkgdxy)|m(c(kqbjmp|xschqt)|whwmbtl|i(lnrpnq|sxjmle)|n(llujfn|akoils|dhfusk)|x(gifliu|rqgnjr)|hewxhrm|tjvofnz|jdumiaa|fuvpzmq|r(mcpqov|edzrnm)|zfjywik|l(tihlbi|rlftap)|bxfxmdf)|z(i(pflqei|cnwfgs|gevbmy)|pflkzce|fizdcei|xelbxdn|l(hlxxlk|jgfwaw|zcucir|ldytkq)|u(deixyz|zeazip|btfglj|pumdpz)|y(jtorqw|tsuwsd|fqjcps)|eaczmyy|q(xsljuy|pzelsm)|k(ckqzwk|rfrwvq)|nydyqvf|b(xqzcry|m(yqxtq|tlmhq))|oanbxra|a(cpophm|zbmbmp)|dpswueo|gcmjtro|wezoxmp)|q(z(rmiktw|cjmuvg)|q(i(wzzcx|nflca)|qattxk)|nasxufz|c(gissvt|aiykjs)|a(ejsgnp|tzeohb)|pgjuprt|gsswjoo|w(shadkh|jyqgoy|fzlfyh)|u(bdizac|uzhwul|vlabjc)|s(jqetkz|eknsgo)|mbgxxrx|h(iifozk|nhyeny)|l(wplkus|dijajn)|rfffqke|tswkdyv)|g(hlkgdaw|d(t(xkmjz|tgpri)|kwgklf)|c(xiaajc|wjipwj)|ydlvbhj|bivgscd|z(hkydci|cjfsfc)|t(rdosfo|wkhpxr)|q(mnddfo|rmgkqo)|k(ctokae|jdhdoa)|l(mhhcrf|luqtqs)|nnzjybn|jmytpso|snyvjiz|rzwzemm|prjfsyz|abqlsal|ewjxioq|wtdqkkv|xplxmqe)|y(l(ddpwqb|abtsme)|b(uqhnyd|qcjxjq)|filycbr|zarftii|deswsrc|r(dtuwwq|twtebj)|yyqaqlm|qhuxdyg|uzxdnuv|nispaga|sidbmhi|ieaygjm)|b(i(hlhoaf|obdhgk)|d(vcywvf|mhpoji|kutdaj)|o(whrkvk|ohopmz)|vtjbltk|zazogdm|u(pdayht|brxmdp|oeekls|cenngw)|hrxenot|p(shtimw|rtskha|c(ceuef|rydcb))|e(badeof|hmddgo)|nwjfbwb|waavxci|kmiacam|t(idhxkq|yeajap)|ynnxzkh)|j(l(umgtab|mpkbjg|sbzvwe)|amxzgtx|d(tbfksr|uyjssm|pnsuqd|lgyytm)|mecybkp|q(lfdfut|eyatsg)|xaupbnu|kdqhcml|vwkpfds|jrgtpaz|t(arnosv|fwdpdf)|rrlhlpd|hgdanbf|zbtddyj|fimftya|eslzubp|brwfpfd|gsztanp|wqmiaja|yrzjsyu)|f(a(bjlbdy|ujhxag|zizdtz)|ucsonld|n(sdixku|rwxpzg)|gofoqxk|twzkzqf|eb(orned|uiiws)|bretjpc|qrjkxuj|dyhrogr)|t(e(kneeed|ekuwfk)|detblmw|oildqjp|c(llrhex|emduic|trfzyy)|k(dwyzke|btykjz)|vwqjjum|foaqero|j(dnuaql|jmxitv)|mxnrgqp|rjmuiaz)|e(n(uuchrd|wmeqqo|okkaem)|ke(qeiou|itsft)|j(ylrijl|gnqefj)|mjyzeyf|a(mgcsor|bduqbd|zcdspm)|e(tcimmg|cdpgsi)|c(xioenb|wrnspq)|h(ctybse|xlgrpp)|otbolvj|triyyys)|p(jtuuozc|oszuptz|gwhegso|y(thqoki|qhgksj)|u(bfjiel|crmlyq|zovcyq|ybrvyg|kcserm)|ldedxoi|e(smefvc|mqrnfb|qhvkmr)|wkpiwer|k(pyepby|nnzuge)|z(cpdwlo|zglvxp)|affnukz|beashoy|mluufth|fgcilfb|v(dtpgcr|rycpcv)|igmhukf|ttbkkau|clkrrqu|nfhqxks)|n(eeqifge|h(lkgfbc|xweltv)|z(tuvzff|qfkoky)|dafdguw|c(pbceft|utkftb)|x(rlokdl|wgxuhc)|ywhkrje|jxprugf|qqfldju|vwkfkjh|khhkaxh)|i(kodiznf|m(zwxhgm|ureews)|rqjhdeu|n(kpkjng|alrqgt)|uzywcej|xormwjz|jhmzqov|q(dkvlez|lrwatj|hksmqg)|fckqvbv|y(fghsue|yiyxsa)|znbjbrn|eldqjvb|wqqferk|doghnxh|iveggtd|oltsraj)|k(c(noeidj|dypnpk)|k(vnrpjz|gthoef)|q(roownd|ynclvi)|zpmshcd|tadanpc|g(deqafx|ugyayc)|eizybzt|s(covtzh|vghlzo)|prjejxm|r(xuokfu|hbyoer)|lzvldoo)|s(d(oheaie|vknarx)|pibaadh|chyrtuc|j(tvwcuo|xxkkpr|bnhnxm)|m(emeoya|kxpvak)|hlgltru|tpxpyvv|rcqmled|x(hqolox|xlwqck)|i(wrdhit|ymglrp)|bxlugqi|g(jxsbkj|zfudoj)|savyvpt|elffvfx)|c(o(vphiml|qpkvtp|jfucuq|iesusp|tcokaq)|kptbbpi|g(fsprzz|guxlnx)|uzvplbx|wwtiwrx|fbxyzka|qxzcysp|j(ogqzmt|zvrhni|fzvemd|lccdgt)|bnuqbmj|y(szluof|ybwxck)|e(dxwqkx|awizod)|anyqvkz|hlxzark|smykxvj|xnnltcq|mvrgxtk|inwylpt))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633179; rev:2;)
# sid 2633180 includes 1200 (601 - 1200) 8 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(v(xmscyhd|u(tareci|utqzck|oprhxd|adpxku)|cyocixh|zmtlqbp|j(ckubiu|vtqjyu)|wvckhcj|i(kesnbz|bctwmt)|e(cjpvbk|vwpxrj|addsyy)|a(qptyno|lzmtds)|bojlyfj|lobxano|v(tqctpg|du(effo|qouh)|nherdu|jczlmb)|telmeir|n(bdzcqj|rrmzat)|g(wcjqka|dfaouo)|y(xgrpsc|ucmnrs)|k(acnume|klzvdp|zhqupz|rdheup)|p(dbpife|tpthnk|uthwrg|inktfj)|d(lnqxrp|hfftop|gblwrr)|mhsmqsi|szesuop|febvhgx|ryfyejs|qwqouge)|r(z(efcqqi|wasqma)|y(fjtxlp|dqxhbj|bpsxgg)|g(wgsxqi|delgid|tqzgbn|oduoip|ajckou|sqhhxm)|n(hgpzrm|ceddsy|zfxqor|qzhbvt)|x(ynyceq|dhcipe)|m(weglrc|ghkoki|mzfqju)|r(ikjktm|bmsmuw|fsbmdg|tluccw)|s(xrlqmo|cwmsyi)|c(opsjph|t(dwuan|mseel))|w(lhsrgd|qusjev|aqempw)|t(emijlp|bttpra)|vr(abiav|ndosk)|h(bayopl|ymzhfh|lizcnl)|a(wqkhwj|uvupij)|d(jfptxk|uonxdz|svfrpz)|idlhjxv|beosoga|k(efhtft|wwzpnw)|j(aodcfu|nfsphl)|e(lywzxs|bhfppf)|qyreyig)|u(c(emlxmi|vyjuid|brwqly|kvpuyj)|k(rwfqgd|clglnx)|p(iwkuuc|datwvx)|h(mrhwof|esmqtw|lelivi)|n(ujcwhe|hioczx)|mqgajzn|adwnaao|q(lnwpmc|dirmfk|rnicrp)|jnyoppa|gsqbdcr|z(hchvmv|fvfkij|cmfayn)|wiojmic|o(tajacx|qnzpnj)|v(wkjbrc|ixxusd)|b(lqgjss|bckzcb|nqqdaf|kmiyex|goullf)|idwmgbx|t(guklug|eonscp|wssfgd|sxubsx)|y(djjnfd|zdzyyd)|xdvbhsd|r(u(xjjws|vnlek)|vbuylz|orhqid|wuvqqr)|e(iwubqr|toyfsf)|s(uixkbn|appgxo)|l(xugevb|iasqfl)|f(yefjzw|fwqvkh))|d(h(cyufyc|wvwdrs|thisab|rwopsf)|vmyaskb|z(kaxchz|rishqf|xjvqfd)|ykikdev|d(ouvboz|soznwj)|x(mhvguw|apyjnc|yiabws)|s(edlgie|nlrvcs)|lavpewq|w(mqrroa|ccoekc)|j(dxfofb|onxuax)|o(njqjim|kxlilf)|fcqmbtm|b(swmklg|pdwgcc)|t(cmkzhc|szasvw|zdxiym)|i(pxapzd|eiwurd)|p(whuvye|aezbzt)|g(zqucja|ptkppo)|mnlfgex|r(uaghpo|vkeclf|paznwp|dgompa)|nrrwkwb|uguyqiw|kiyhher)|l(z(igpmrd|trtxjc|ovincf|rhvcwe)|s(peupro|emnocc)|p(uosqen|wvgfod)|x(zuikvt|dhlute|optuik)|k(bjhfua|nnuxjq)|n(wxrjmd|dompee)|t(moelzm|ctylng|gpopom)|d(kthdgp|yaepjf)|q(kiddkd|swhbjj|rirmff)|ytaeqlc|u(y(dcvwn|bglit)|cffupc|nideta|erbbsz|tsbgvl)|a(bvjljy|pfhaip|nefxyg)|brnsswp|v(wawuww|oxuspz|drqzee)|mwbvtqa|g(dfxrjl|zracea)|i(nbyowv|vyvsqm|dobeik)|omvcndr|h(btybvu|uyqcsh)|j(hprzik|nrxxsu)|egpoayp|wdrbfzp|f(xoetpy|gtpffn)|c(botoag|qlbyxh))|a(v(sqjxbm|qhwivj|bhkhom)|f(kzdxuo|o(pljyk|sfnie)|bnirqs|daahxw|euizqd|xvhamh)|k(ibkokx|fhqzbv|dmccfs|vphuue)|t(dhfezg|ryzgny|vxchqq)|j(jzpgjp|sgtwbm|vkokfl|bgxyak|xjkfrj)|x(klamex|ekxxio|slznrf|cfxtxn|twpkrn|qahhgz|jgavkr)|w(uxqrqz|swmwbc|xtejrr|qqfkuk|rrlqog)|sghymit|a(ujoafv|gdebzj)|y(xjfeel|dohjso|tqkpgf)|r(iujgtx|lyzhhh|ryviow)|i(afmzva|tulbem)|p(rzsczy|cabiec)|gupsfxx|m(qexjdr|hdwnad)|zdijglo|c(bjggac|eqfppd|xnegug)|n(ittykp|pelrgr)|egdpijj)|o(l(mkazop|nikuwd|cfelwk)|i(cbxskf|t(tqkdx|lqdiy))|v(zmolkd|houfud)|tw(luqhz|bxzvz|klslk)|m(ajjnnn|ttkewv|zawmss|qkaten)|k(gmuvgp|nmecfp|sksofx|rymocc)|d(iiqglf|zchyti)|r(kezjfr|mdswmo)|jfoxmpg|swiouzp|o(wofxmo|nnxlvq|ctfdxo|hxqdgj)|f(hxpigu|lglxmm|fcfuyv)|w(ruhioy|hclnzg|qiwldc)|g(ayceei|hphlnx)|e(rxjqni|lbzbjx|odslcp)|xnbkrrl|q(ryeprv|deqlrv|irgqlb)|zdtjhjd|abtmbqo|b(oaioob|yhcylx)|u(schrlf|rpeatn|xnhzxw)|n(nzhwid|ibvtet)|pvdnyjp)|w(i(fxeanv|zxvyel|abfgdf)|fjnmkcd|g(uzzbep|cdvtvl|e(czpcs|bhbbg|htqdk))|mtteaoy|vyedlzp|d(wymins|hamqer|pucqvx)|ejlthtg|c(rlavof|etnxdl|wdvgma)|l(lntjmv|ocoiwo)|y(yjyegm|usgixv|nznuji|qivvcw)|zzgnwmc|qa(zhhuu|yzrzp)|x(moodas|nwvkhk)|hsmzlho|pzvoxxr|b(jgjpud|kwcfjq)|nlehetb|tvlkpun|r(pakacq|buzpjz)|akgigyn|ovwloml|saxnpfk)|x(t(g(qoftk|dvdyd)|ryimyj|apicge|btqpli)|a(iusbzd|nlblmx|tkbjay)|hevptay|y(t(thqkm|aytds)|jrdxcv)|d(jcyoya|ufwxjn|tftbac)|m(lmmrhb|orkbzf)|p(nzpnte|wuetdd)|x(pwmptr|xseref|wlfwww|nnggob|cboeac)|n(oaaqrh|haaicc|vfivzg)|jasgexk|i(pfjsiw|fcdzej)|bn(vizfy|zufvo)|rfntvkg|z(rigqou|ycslzp)|khzosww|g(ymvuqh|akyqlo)|uruloem|ekbiukm|ftpwood|cbeafxq|wlrfzaw|oqijino|q(rhgtfi|tgscqm))|h(s(isohfh|vgvbnt)|p(a(hugnc|ylfyw)|iajwec|wlfmgr)|f(uffreu|opfxik)|a(ffdbjg|ssbmmy|ewffhs)|mecnnfw|e(jperlb|svldkr|xwxadk)|h(obmlfp|fryhzr|gbrwap)|l(umxhtj|vxwxof|mochxq)|d(ywztzz|swpbnn)|n(rlgamv|vtpomz|zfjduq)|u(uoxtob|rttbhc)|z(ypfclx|lnnyzs|kbkjtw)|gk(fbuzf|muond)|r(ddmdfd|uoupqd)|j(lkgdxy|iugqxf)|q(gxafww|xczpsx)|t(oaoufl|clvmee)|xbtghau|yvdplmn|wjntyxe|veuhvbr)|m(c(kqbjmp|xschqt)|whwmbtl|i(l(nrpnq|wscdo)|sxjmle)|n(llujfn|akoils|dhfusk)|x(gifliu|rqgnjr|ulhsry)|hewxhrm|tjvofnz|jdumiaa|fuvpzmq|r(mcpqov|edzrnm|rzjnhi)|z(fjywik|ordemi|pjrdmx)|l(tihlbi|rlftap|ahgkqm|ywshos)|bxfxmdf|yubrvat|ewtsabe|g(hdgopo|wiwkkt)|ozasylc|pfuwbnk|molbhcr|uxbjuvu)|z(i(pflqei|cnwfgs|gevbmy|a(lvmww|evbtt)|igkqxd)|pflkzce|fizdcei|xelbxdn|l(hlxxlk|jgfwaw|zcucir|ldytkq|ifycgk)|u(deixyz|zeazip|btfglj|pumdpz)|y(jtorqw|t(suwsd|mlqbm)|fqjcps|cxyyog)|eaczmyy|q(xsljuy|pzelsm|dxzzes)|k(ckqzwk|rfrwvq|flbsab)|n(ydyqvf|skkyxd)|b(xqzcry|m(yqxtq|tlmhq)|nhrjoo)|oanbxra|a(cpophm|zbmbmp)|d(pswueo|seirju)|g(cmjtro|wealyh)|w(ezoxmp|gaosoc)|j(nccjub|wffnnv)|h(mlhxfr|wchtai|ostqvz)|rohbfsu|vtubiiy)|q(z(rmiktw|cjmuvg)|q(i(wzzcx|nflca)|qattxk)|n(asxufz|jhgeqo)|c(gissvt|aiykjs|ztdasv)|a(ejsgnp|tzeohb|ujyist)|pgjuprt|g(sswjoo|rwhckj|iqzqku)|w(shadkh|jyqgoy|fzlfyh|qkvsda|vocqmx)|u(bdizac|uzhwul|vlabjc)|s(jqetkz|eknsgo|i(zuevv|mwsmp))|mbgxxrx|h(iifozk|nhyeny)|l(wplkus|dijajn)|r(fffqke|vtujwv)|tswkdyv|k(aghedr|jjhgsw)|b(buibqs|edpgtp)|dbpluxd|v(nhuiud|vajpuq)|xmqdmbq|yjuqgyc|fjzwxlb|evrmiwt)|g(hl(kgdaw|fngbf)|d(t(xkmjz|tgpri)|kwgklf)|c(xiaajc|wjipwj|jmgmbn)|y(dlvbhj|ieyamp)|b(ivgscd|lxuhbv|kwsvsu)|z(hkydci|cjfsfc|zjcyii|yimbiq)|t(rdosfo|wkhpxr|prvqbn)|q(mnddfo|r(mgkqo|kqhgu))|k(ctokae|jdhdoa|kfojcc)|l(mhhcrf|luqtqs)|nnzjybn|j(mytpso|lebztu)|snyvjiz|r(zwzemm|whulbv|hqzjwj|yxzwjv)|p(rjfsyz|hakatp|lmdden)|a(b(qlsal|rxocz)|tjekdd|kjjhfs)|ewjxioq|w(tdqkkv|jlhirs)|x(plxmqe|hjnomk)|odpedae|gxwfnir|u(qikuxw|ujrvbs|wihjna)|vemxmph|injijlp)|y(l(ddpwqb|abtsme)|b(uqhnyd|qcjxjq)|filycbr|zarftii|deswsrc|r(dtuwwq|twtebj|wuwxwr)|y(yqaqlm|pjtwtz)|q(huxdyg|afxykp)|u(zxdnuv|hwsymk|ftyffp)|n(ispaga|lxsqjk)|s(idbmhi|xkmraj)|i(eaygjm|bzzwwp)|o(ffmoij|ytesnf|gbmkfm)|k(cisema|bccqkb)|g(lqofzi|csypjw)|a(ewlvpt|jwqakf)|vrlzijd)|b(i(hlhoaf|obdhgk)|d(vcywvf|mhpoji|kutdaj|exnccz)|o(w(hrkvk|wwclk)|ohopmz|iiemnb)|v(tjbltk|rvogcz|nxokcu)|z(azogdm|czcwby|vmtldv)|u(pdayht|brxmdp|oeekls|cenngw|ynhktg|nknmpu)|hrxenot|p(shtimw|rtskha|c(ceuef|rydcb)|bzkcaw)|e(badeof|hmddgo|tylahs|jgihox)|n(wjfbwb|qellpk)|w(aavxci|upomfa|wsfkws|svzbjb)|k(miacam|pgkurr)|t(idhxkq|yeajap|uneqmh)|y(nnxzkh|u(fjdbf|dndsh))|x(zxoohm|rupdad|xrmssw)|sexdxjr|g(idorze|shormp)|m(wwubpz|hfnrvl)|rwzscfs|j(fgyccr|pvojjn)|qrooijg|chpqobv)|j(l(umgtab|mpkbjg|sbzvwe|crvjux)|a(mxzgtx|qtqxjx)|d(tbfksr|uyjssm|pnsuqd|lgyytm)|m(ecybkp|yztuwg)|q(lfdfut|eyatsg|byinde|kbzmot)|xaupbnu|k(dqhcml|yduqjg)|vwkpfds|jrgtpaz|t(arnosv|fwdpdf)|r(rlhlpd|oopepx|arnfsa)|h(gdanbf|jnfztl)|z(btddyj|qweoox)|f(imftya|mfqzjm)|e(s(lzubp|ggbyb)|abrffv|erpszg|xjratx|bvhnew)|brwfpfd|gsztanp|wqmiaja|y(rzjsyu|mrwkqn)|nzfnzvs|ohohcff|sihhrpw|pqrqren)|f(a(bjlbdy|ujhxag|zizdtz)|u(csonld|ljcvdo)|n(sdixku|rwxpzg|bbmtwl)|gofoqxk|twzkzqf|e(b(orned|uiiws)|mxcsrh)|b(retjpc|pkaktq|xxdqlf|hwogsc)|q(rjkxuj|mouotc)|dy(hrogr|zbuaw)|f(suwybt|qethld)|hlzffcn|sbygkgj|c(aovekl|j(ndyxq|gphpm)|hhlvfj)|mbytcss|lshnsyb|kacjcoe|z(sviugy|nhhcpo)|wgrxcgc|xiakvtd|vzhhuil|jkgesyx)|t(e(kneeed|ekuwfk)|d(etblmw|tozvaw)|oildqjp|c(llrhex|emduic|trfzyy|obqrwk)|k(dwyzke|btykjz)|vw(qjjum|dijdp)|f(oaqero|adypix)|j(dnuaql|jmxitv|hzsqtw|ckkcss)|mxnrgqp|rjmuiaz|z(vvuwyf|ovqcxm)|b(ulhnhw|brfqxn)|p(knpgfp|qrswnn|mqijqp)|nc(jgdfs|dffpn)|sizhins|lvyrsdn|ttqfmeh|wylmvbn)|e(n(uuchrd|wmeqqo|okkaem|ftumqa)|k(e(qeiou|itsft)|jsofah)|j(ylrijl|gnqefj|dnhsiv)|mjyzeyf|a(mgcsor|bduqbd|zcdspm|hdbrih)|e(tcimmg|cdpgsi|fujedv)|c(xioenb|wrnspq)|h(ctybse|xlgrpp|rhqicy|tzpgpl)|otbolvj|t(riyyys|ttnfrv)|v(crzefd|slevii)|iswujyn|x(ffbisv|clnfcv|ekegjr)|dnzxjrv|y(buobke|srdzzg|tbinbx)|byckvvi|rzofmrh|uvpkuhz|wrdodmx)|p(jtuuozc|o(szuptz|kpzfvq)|gwhegso|y(thqoki|qhgksj|xjeyfn)|u(bfjiel|crmlyq|zovcyq|ybrvyg|kcserm)|ldedxoi|e(smefvc|mqrnfb|qhvkmr)|w(kpiwer|inhexq|nflyff|ealzjd)|k(pyepby|nnzuge|riouzd)|z(cpdwlo|zglvxp)|a(ffnukz|vdstwi)|beashoy|mluufth|fgcilfb|v(dtpgcr|rycpcv|nyyjez|acxvec|ugswkb)|i(gmhukf|cuaxyh|rgvdks)|t(tbkkau|yvhhmc)|clkrrqu|nfhqxks|r(uaoqjy|ghnfku)|h(ahxvik|sgreho|exsjwl)|p(gaiqbb|ysykgp)|sutaian|d(ghwodr|syqlif)|xsycgqf)|n(e(eqifge|tlcdaj)|h(lkgfbc|xweltv)|z(tuvzff|qfkoky|kmsmdx)|dafdguw|c(pbceft|utkftb)|x(rlokdl|wgxuhc)|y(whkrje|yyyuns)|jxprugf|qqfldju|vwkfkjh|k(hhkaxh|rfqito)|mcomnfw|ltglvcb|iqbrxsz|gnbucyk|pgpaqfb|w(odrika|yhrxzv)|auyrruv|r(zodnos|xfabbe)|nmdwfzz|uhnrlmg)|i(k(odiznf|mgsfpy)|m(zwxhgm|ureews|tshzsv)|rqjhdeu|n(kpkjng|alrqgt|puuyiv)|u(zywcej|jxhqpu)|x(ormwjz|qpsdpx)|jhmzqov|q(dkvlez|lrwatj|hksmqg)|f(ckqvbv|olpzfx)|y(fghsue|y(iyxsa|fghkn))|znbjbrn|eldqjvb|w(qqferk|hrhnoz)|doghnxh|i(veggtd|eipsow|txnpeg|bwjgsi)|oltsraj|p(cncjes|nfbemi|rufykt|laewbp)|saejpap|t(rfqfec|mctuhw)|bpksysj|hrhsacf|atcfjiu|gvjrmol|cibntay)|k(c(noeidj|dypnpk|vhtmqb)|k(vnrpjz|gthoef|ptmtkm)|q(roownd|ynclvi)|z(pmshcd|ieshid)|t(adanpc|ljjtwu|jetaba|safkah)|g(deqafx|ugyayc|ceomkp|emmusi)|eizybzt|s(covtzh|vghlzo|qibpxt)|p(rjejxm|g(bpamz|cmrmd)|cpcvnx)|r(xuokfu|hbyoer|dwimxz|peyhrj)|lzvldoo|n(fqusah|ddqjnn)|vozjfts|urvnmxg|d(zlkrdq|bfrzvt)|bpgneri|myhenas|h(rnwvic|zlbvsj)|wngbijh|flzehex|ozgcxfr)|s(d(oheaie|vknarx|hxoicb)|p(ibaadh|yfqaxp)|chyrtuc|j(tvwcuo|xxkkpr|bnhnxm|nfabzo)|m(emeoya|kxpvak)|h(l(gltru|bbdcl)|awclgg)|t(pxpyvv|mkgqnh)|rcqmled|x(hqolox|xlwqck|fmrcil)|i(wrdhit|ymglrp)|b(xlugqi|hediyr|ymaasv)|g(jxsbkj|zfudoj|gmclxt)|s(avyvpt|lhlmqz)|e(lffvfx|yntzbr)|qtnwbyn|f(oepank|wdnrbu|rdlkdn)|z(nezezl|cnbqzq|hqdhih|jnomcj)|a(ytphxc|xehyof)|wobbprj|u(plgjkq|dcbpdr|swujru|xswpbj)|okdyonl|y(nmurpw|rjjnio)|lbrqrnw)|c(o(vphiml|qpkvtp|jfucuq|iesusp|tcokaq)|k(ptbbpi|hollbn)|g(fsprzz|guxlnx)|u(zvplbx|ifljjx|vstcwt)|wwtiwrx|fbxyzka|q(x(zcysp|mewea)|pqxgpq)|j(ogqzmt|zvrhni|fzvemd|lccdgt|xzlnwq)|b(nuqbmj|mrvtea)|y(szluof|ybwxck|nqifvd|xhlsbp)|e(dxwqkx|awizod|vzjsjh)|anyqvkz|hlxzark|smykxvj|xnnltcq|m(vrgxtk|hjlimg)|i(nwylpt|aooydm)|liacyen|vxwiqbp))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633180; rev:2;)
# sid 2633181 includes 1585 (1201 - 1800) 8 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(w(zzgnwmc|qa(zhhuu|yzrzp|ckryi)|x(moodas|nwvkhk|rhjnel|pybjdf)|h(smzlho|wxnqww)|g(cdvtvl|e(czpcs|bhbbg|htqdk))|p(zvoxxr|wmaipe)|b(jgjpud|kwcfjq)|y(usgixv|nznuji|qivvcw)|i(zxvyel|abfgdf|ngctjo|kutxwt|cfttxy)|nlehetb|c(etnxdl|wdvgma|tizdwm)|t(vlkpun|zqngyv)|r(pakacq|buzpjz)|l(ocoiwo|tcukzp)|a(kgigyn|ckjpbp)|d(hamqer|pucqvx)|o(vwloml|retfpa)|s(axnpfk|goqgmf)|e(ahgeaf|jrxrqe)|mgydetx|jrcrfsp|kzsbsxx|fryrmuq)|j(v(wkpfds|rrtkix|iyjswu)|d(pnsuqd|lgyytm)|jrgtpaz|t(a(rnosv|qoviz)|fwdpdf)|r(rlhlpd|oopepx|arnfsa)|q(eyatsg|byinde|kbzmot|gbvlec)|h(gdanbf|jnfztl|lvnhij)|z(btddyj|qweoox)|f(imftya|mfqzjm)|e(s(lzubp|ggbyb)|abrffv|erpszg|xjratx|bvhnew)|brwfpfd|l(mpkbjg|sbzvwe|crvjux|tzoxlm)|gsztanp|wqmiaja|y(rzjsyu|mrwkqn|sdaidh)|nzfnzvs|kyduqjg|m(yztuwg|ubijdc)|o(hohcff|jceyti|gjiekt)|a(qtqxjx|syashp)|sihhrpw|p(qrqren|bwbuzq|xxjvih)|xencoek|iqidjur|u(xooebk|thlpsb)|ccmzeuj)|h(l(umxhtj|vxwxof|mochxq)|e(svldkr|xwxadk)|d(ywztzz|swpbnn|udipes)|n(rlgamv|vtpomz|zfjduq|xxykxo)|u(uoxtob|rttbhc)|z(ypfclx|lnnyzs|k(bkjtw|klubg)|iqvqct|oxqrcp|hwanfp)|gk(fbuzf|muond)|r(ddmdfd|uoupqd|ztbuzq|chwvnd)|j(lkgdxy|iugqxf|xejkmv)|q(gxafww|xczpsx|bojnid)|p(iajwec|wlfmgr|dktjzv)|t(oaoufl|clvmee)|fopfxik|x(btghau|qbgkyw)|a(ssbmmy|ewffhs|dxrzzw|vdggki|owpcwg|qmbrnr)|svgvbnt|y(vdplmn|elswhj)|wjntyxe|h(fryhzr|gbrwap)|v(euhvbr|dwqwei|olbcgz)|b(uozjkg|kelwmq)|ccecijq|kgsvpkd|omahfll|mnvvbsd|i(ntoyzc|yxgqoj))|s(p(ibaadh|yfqaxp|bqnbxf)|c(hyrtuc|erpspn)|j(tvwcuo|xxkkpr|bnhnxm|n(fabzo|vlmws))|m(emeoya|kxpvak)|h(l(gltru|bbdcl)|awclgg)|d(vknarx|hxoicb|avlnnh)|t(pxpyvv|mkgqnh|orucdx|gumwwj)|rcqmled|x(hqolox|xlwqck|fmrcil|odjqct|ekwmvt)|i(wrdhit|ymglrp|jlkjlr)|b(xlugqi|hediyr|ymaasv|umrojk)|g(jxsbkj|zfudoj|gmclxt)|s(avyvpt|lhlmqz)|e(lffvfx|yntzbr)|q(tnwbyn|jyunhz)|f(oepank|wdnrbu|rdlkdn|porckt)|z(nezezl|cnbqzq|hqdhih|jnomcj|zoxevd|fzqttm|yvtvmf|unrkun)|a(ytphxc|xehyof|vlwbdz|ajhprz|dhqvup)|wobbprj|u(plgjkq|dcbpdr|swujru|xswpbj)|o(kdyonl|favgiq)|y(nmurpw|rjjnio)|l(brqrnw|wrtyza)|vvdadxi)|l(q(swhbjj|rirmff)|a(bvjljy|pfhaip|nefxyg|ehjqjr)|b(rnsswp|ejwriw)|v(wawuww|oxuspz|drqzee)|u(ybglit|cffupc|nideta|erbbsz|tsbgvl|axalhp)|m(wbvtqa|kgcahx)|z(tr(txjc|mehp)|ovincf|rhvcwe|eegkes)|g(dfxrjl|zracea)|i(nbyowv|vyvsqm|dobeik|ypxpla)|o(mvcndr|yzjznx)|h(btybvu|uyqcsh)|j(hprzik|nrxxsu)|e(gpoayp|sfboby)|p(wvgfod|hbjiya|xrcxch)|wdrbfzp|knnuxjq|semnocc|d(yaepjf|malgfr|wqjppn)|f(xoetpy|gtpffn|jnfhvd)|n(dompee|nvipkh|lmboej)|c(botoag|qlbyxh)|t(ctylng|gpopom)|xoptuik|r(v(hditl|axiiy)|uwdqds|mmciju)|l(fauwen|uddrrq))|d(j(dxfofb|onxuax|aoczmm)|o(njqjim|kxlilf)|fcqmbtm|b(swmklg|pdwgcc)|t(cmkzhc|szasvw|zdxiym|wurfsx)|snlrvcs|i(pxapzd|eiwurd|fnnicm)|p(whuvye|aezbzt|ffzjge)|h(wvwdrs|t(hisab|obsyq)|rwopsf|eswwzt|diuyxb)|g(zqucja|ptkppo|qbfmqj)|z(rishqf|xjvqfd|gxrssz|qpsgrj)|w(ccoekc|wvjgnj)|x(apyjnc|yiabws)|mnlfgex|r(uaghpo|vkeclf|paznwp|dgompa)|nrrwkwb|uguyqiw|k(iyhher|yirszm)|dsoznwj|l(bhpmrz|dzytoi|fjazna)|vncopqn|q(khhelp|bmuauy)|egyrikg)|o(v(zmolkd|h(oufud|gqrys)|sishwl)|tw(luqhz|bxzvz|klslk)|m(ajjnnn|ttkewv|zawmss|qkaten)|k(gmuvgp|nmecfp|sksofx|rymocc|tfntfs)|d(iiqglf|zchyti)|r(kezjfr|mdswmo|zwuhic)|j(foxmpg|ridyoi)|swiouzp|o(wofxmo|nnxlvq|ctfdxo|hxqdgj|gdrxpp)|f(hxpigu|lglxmm|fcfuyv)|i(tlqdiy|mlxtxj)|w(ruhioy|hclnzg|q(iwldc|vkfuv)|bpyphc)|g(ayceei|hphlnx|fckibf)|e(rxjqni|lbzbjx|odslcp)|x(nbkrrl|ccgkcw)|q(ryeprv|deqlrv|irgqlb)|zdtjhjd|a(btmbqo|rpyqxb|osoomm)|b(oaioob|yhcylx)|u(schrlf|rpeatn|xnhzxw|dglpni)|n(nzhwid|ibvtet|fxixnl|wvzpuc)|lcfelwk|p(vdnyjp|rgsxit|hnhozx)|hwjoivy|yvxmpra|cltrgwv)|a(a(ujoafv|gdebzj)|f(o(pljyk|sfnie)|bnirqs|daahxw|euizqd|xvhamh|nuimpo)|y(xjfeel|dohjso|tqkpgf|nmbsyx|jygtrd|kqripy)|v(qhwivj|bhkhom)|r(iujgtx|lyzhhh|ryviow|pyuwch|kcetpc|azixud)|i(afmzva|tulbem)|p(rzsczy|cabiec|gxhyxs)|w(xtejrr|qqfkuk|rrlqog)|k(fhqzbv|dmccfs|vphuue|nrmzqe)|g(upsfxx|exkrse|nfnyfn)|j(sgtwbm|vkokfl|bgxyak|xjkfrj)|x(ekxxio|slznrf|cfxtxn|twpkrn|qahhgz|jgavkr)|m(qexjdr|hdwnad)|t(ryzgny|vxchqq|baxdhl)|z(dijglo|mflkik)|c(bjggac|eqfppd|xnegug|nrscxg)|n(ittykp|pelrgr)|e(gdpijj|nklyru)|dmorqgi|spdcnoz|bijzqcn|qedlvsx|u(ypphbs|pgdavo))|y(q(huxdyg|afxykp|ypokcs)|u(zxdnuv|hwsymk|ftyffp)|n(ispaga|lxsqjk)|labtsme|s(idbmhi|xkmraj)|r(twtebj|wuwxwr|cuyxns|eklovc|pgsfhg)|i(eaygjm|bzzwwp|dgnvjq)|bqcjxjq|o(ffmoij|ytesnf|gbmkfm)|k(cisema|bccqkb|kicqdp)|g(lqofzi|csypjw|vqlcnf|jtjnne)|ypjtwtz|a(ewlvpt|jwqakf|rdxbbb)|vrlzijd|xpcvjrt|h(ecnuec|wehfxf)|wvbjimf|zkcictj|chbtrny|pepyflv|etaasiy)|c(o(qpkvtp|jfucuq|iesusp|tcokaq|rfxaho)|j(ogqzmt|zvrhni|fzvemd|lccdgt|xzlnwq)|b(nuqbmj|m(rvtea|kuhzk)|i(qsyhl|dfzdh)|lrigjk)|y(szluof|ybwxck|nqifvd|xhlsbp|gtdows)|e(dxwqkx|awizod|v(zjsjh|wqirb)|bhdaap|uqsfal)|anyqvkz|h(lxzark|gubgfx)|s(mykxvj|aitvqr)|xn(nltcq|gtknz)|g(guxlnx|ofjpop)|m(vrgxtk|hjlimg|pxzyoe)|i(nwylpt|aooydm)|q(xmewea|pqxgpq)|u(ifljjx|vstcwt)|k(hollbn|zthglr)|l(iacyen|fqtdla)|vxwiqbp|f(idnqjf|hjtscu)|drlgwts|raddrou|trwzhrm)|t(c(emduic|trfzyy|obqrwk|nbrfyx)|vw(qjjum|dijdp)|f(oaqero|adypix|kdaxbq)|j(dnuaql|jmxitv|hzsqtw|ckkcss|bnbhoj)|m(xnrgqp|cvxgxt|keltxk)|k(btykjz|egzjao)|rjmuiaz|d(tozvaw|xjqvce)|z(vvuwyf|ovqcxm|ndyyrr)|b(ulhnhw|b(rfqxn|wxraz)|ssrrpq)|p(knpgfp|qrswnn|mqijqp|esieph|aejndw|zglmqf)|n(c(jgdfs|dffpn)|hvjece|kxqqtb)|sizhins|lvyrsdn|t(tqfmeh|lzubfi)|w(ylmvbn|widdkj|pdherv|uuaryq)|usoajio|e(hkvtha|relimq|aukzov)|a(gxmlmc|hvmjxt)|xczgtgs|ybupros|h(izucvx|myhiqk)|o(ebsubh|pgvzuy|mlxjoz)|gbzoeoe)|f(g(ofoqxk|vsxjde)|twzkzqf|e(b(orned|uiiws)|mxcsrh|lrvnxz)|b(retjpc|pkaktq|xxdqlf|hwogsc)|q(rjkxuj|mouotc|grcbtf)|d(y(hrogr|zbuaw)|fkbyrj|pmijtm)|a(ujhxag|zizdtz|eoadpx)|f(suwybt|qethld)|n(bbmtwl|lovulm)|h(lzffcn|fpwvxi)|s(bygkgj|azlnxo|cgrfuy|jomejl)|c(aovekl|j(ndyxq|gphpm)|h(hlvfj|kdgrd))|mbytcss|lshnsyb|k(a(cjcoe|qzzoo)|ldgoku)|z(sviugy|nhhcpo|fylgsw)|w(grxcgc|dgnlyt)|x(iakvtd|nnfafc|ptcdai)|v(zhhuil|mawful|kktccu)|uljcvdo|j(kgesyx|xczrjf)|y(tqewgq|gseffj)|r(kukdzq|fnwdjz)|p(fbtqye|jyhhfg|irgxzi)|ipvepnm)|x(x(wlfwww|nnggob|c(boeac|aaife)|vxzyco|anvwwn|kpkrzh)|jasgexk|i(pfjsiw|fcdzej)|t(ryimyj|apicge|gdvdyd|btqpli)|b(n(vizfy|zufvo)|hxdrrb|vodpet)|y(jrdxcv|taytds)|rfntvkg|z(rigqou|ycslzp|osozmr)|k(hzosww|wogtof)|dtftbac|a(nlblmx|tkbjay)|g(ymvuqh|akyqlo)|n(haaicc|vfivzg)|uruloem|m(orkbzf|bcpoyn)|ekbiukm|f(tp(wood|xade)|wqhcrx)|cbeafxq|wlrfzaw|o(qijino|bbemvq|eiksrq)|pwuetdd|q(rhgtfi|tgscqm)|lmkutzp)|e(k(eitsft|jsofah)|e(cdpgsi|fujedv)|a(bduqbd|zcdspm|hdbrih|ukopxl|srhbqj|ckfzlt)|h(ctybse|xlgrpp|rhqicy|tzpgpl|vhtbzg)|n(okkaem|ftumqa)|otbolvj|t(riyyys|ttnfrv|yuapnn)|c(wrnspq|eqdbqu)|v(crzefd|slevii)|iswujyn|x(ffbisv|clnfcv|ekegjr)|d(nzxjrv|rwanuh)|y(buobke|srdzzg|tbinbx)|byckvvi|r(zofmrh|gmlmas)|jdnhsiv|u(vpkuhz|scxadp)|w(rdodmx|yqzizc)|g(mabipk|fdfrhb)|l(qazlgb|dbiaqa|kdpwsr)|fqhaofk|q(kskyrd|aiafpv)|s(molnzo|hplxob)|z(oqierw|jyvyuu))|k(z(pmshcd|ieshid)|q(ynclvi|sscqvu)|t(adanpc|ljjtwu|jetaba|safkah)|g(deqafx|ugyayc|c(eomkp|vnkxy)|emmusi)|e(izybzt|fhtfpk)|s(covtzh|vghlzo|qibpxt)|p(rjejxm|g(bpamz|cmrmd)|cpcvnx|zgtnah)|r(xuokfu|hbyoer|dwimxz|peyhrj)|k(gthoef|ptmtkm|oiyebo|zjbyli)|c(dypnpk|vhtmqb|hoeddc|iehldt|nrlzqc)|l(zvldoo|ikdfvx)|n(fqusah|ddqjnn|wuviwt|gycsmi)|vozjfts|urvnmxg|d(zlkrdq|bfrzvt)|b(pgneri|ghbrcv|fbkpli)|myhenas|h(rnwvic|zlbvsj)|w(ngbijh|qzqptm)|flzehex|ozgcxfr|yottkkl|xjbvvon|jbrlcmx|a(nlwenh|wexhza))|r(g(tqzgbn|oduoip|ajckou|sqhhxm)|w(lhsrgd|q(usjev|lrlne)|aqempw|pbyvqz)|t(emijlp|bttpra)|v(r(abiav|ndosk)|nmonek|ttxxlw|bgztwv)|xdhcipe|n(ceddsy|zfxqor|qzhbvt)|scwmsyi|h(bayopl|ymzhfh|lizcnl|dxcdgp)|a(wqkhwj|uvupij|zrbado)|d(jfptxk|uonxdz|svfrpz)|idlhjxv|ct(dwuan|mseel)|b(eosoga|xuibiz|jiaazd|rceppf)|k(efhtft|wwzpnw|bvheva|jzosxp)|z(wasqma|nthcsx)|r(fsbmdg|tluccw)|j(aodcfu|nfsphl|lbvyru|cwhyic|wwqqba)|yb(psxgg|hypyv)|e(lywzxs|bhfppf|hwpagq)|m(ghkoki|mzfqju|pdtymk)|q(yreyig|bqagdi)|psccdgy|orwaeca|ltimrcp|ukxnlkn)|g(z(cjfsfc|zjcyii|yimbiq)|j(mytpso|lebztu|byopxz)|snyvjiz|t(wkhpxr|prvqbn|cjvkwz)|dttgpri|r(zwzemm|whulbv|hqzjwj|yxzwjv)|p(rjfsyz|hakatp|lmdden|vtcczo)|c(wjipwj|jmgmbn|vyubhb)|a(b(qlsal|rxocz)|tjekdd|kjjhfs)|e(wjxioq|kyeuml|pinpvd)|q(r(mgkqo|kqhgu)|palltc)|w(tdqkkv|jlhirs|lyypcu)|x(plxmqe|hjnomk|iyjerf|kmyhmn)|odpedae|b(lxuhbv|kwsvsu|dcvfjj)|gxwfnir|yieyamp|u(qikuxw|ujrvbs|wihjna|jmlffb)|h(lfngbf|ydggtg)|vemxmph|k(kfojcc|xlvplh|lbjdie)|injijlp|l(vpbedm|gctnlc|ulmahq)|f(basgmt|akcjbo)|m(tniocp|zspmwn))|p(e(smefvc|mqrnfb|qhvkmr|kqwfbx|xdmxkv)|w(kpiwer|inhexq|nflyff|ealzjd|vvbbue)|k(pyepby|nnzuge|riouzd|ibmhpw)|u(crmlyq|zovcyq|y(brvyg|ksres)|kcserm)|z(cpdwlo|zglvxp)|a(ffnukz|vdstwi|slqipo)|b(eashoy|riyyvx|favfnr|ghozdy)|mluufth|fgcilfb|v(dtpgcr|r(ycpcv|fdqbo)|nyyjez|acxvec|ugswkb|pcznta)|i(gmhukf|cuaxyh|rgvdks|ihctna)|t(tbkkau|yvhhmc|hqtacr)|cl(krrqu|uumje)|n(fhqxks|vtxihf|wuwazl)|r(uaoqjy|ghnfku)|h(ahxvik|sgreho|exsjwl|iukltt)|p(gaiqbb|ysykgp)|okpzfvq|s(utaian|oexlef|rlotqs)|y(xjeyfn|vcvdfq|ltnpln)|d(ghwodr|syqlif|yaryew)|x(sycgqf|vthsmh)|qpodqlg|g(uypefl|cbcjcm|wkepyb))|b(d(mhpoji|kutdaj|exnccz)|u(oeekls|c(enngw|yuscu)|ynhktg|nknmpu)|w(aavxci|upomfa|wsfkws|svzbjb)|k(miacam|pgkurr|bcsrtr)|p(crydcb|bzkcaw)|t(idhxkq|yeajap|uneqmh)|e(hmddgo|tylahs|jgihox|bcdvqm|xkekow)|y(n(nxzkh|pgjop)|u(fjdbf|dndsh)|hhhmtd)|iobdhgk|x(zxoohm|rupdad|xrmssw|wejlqx)|nqellpk|s(exdxjr|jhlsop)|g(idorze|shormp|mdcure|nnuuch)|o(wwwclk|iiemnb|kmcvzl)|z(czcwby|vmtldv|xlkudo|grcqld)|v(rvogcz|nxokcu)|m(wwubpz|hfnrvl|cljppo|gnjizw|eltxzm)|rwzscfs|j(fgyccr|pvojjn)|qrooijg|c(hpqobv|zdjbjc|wvzegi)|h(zchjzg|qvaoeu|hmsdho)|a(slanch|gkiezx))|z(i(gevbmy|a(lvmww|evbtt)|igkqxd|o(cjuld|vknbe)|nvhbth|lzkjwr)|q(xsljuy|pzelsm|dxzzes)|u(zeazip|btfglj|pumdpz|eqsgqs|upxrkx)|k(ckqzwk|rfrwvq|flbsab)|n(ydyqvf|skkyxd|zoxvir)|l(zcucir|ldytkq|ifycgk)|b(xqzcry|m(yqxtq|tlmhq)|nhrjoo|abtclz)|oanbxra|a(cpophm|zbmbmp|sksjph)|d(pswueo|seirju)|y(t(suwsd|mlqbm|ttwtq)|fqjcps|cxyyog)|g(cmjtro|wealyh)|w(ezoxmp|gaosoc)|j(nccjub|wffnnv|bltmce|suldml)|h(mlhxfr|wchtai|ostqvz)|rohbfsu|v(tubiiy|pdztin|kiwzxq)|fyzeuxc|srgwimc|x(m(gdxuf|ifcra)|wzpzwt|uulmbr)|cdonchw|zzooxxt|mkevahr|tbpzbia)|m(i(sxjmle|lwscdo)|h(ewxhrm|usxvpb)|t(jvofnz|mgyjef)|cxschqt|jdumiaa|fuvpzmq|r(mcpqov|edzrnm|rzjnhi)|z(fjywik|ordemi|pjrdmx|lakkqc)|l(t(ihlbi|mrgzr)|rlftap|ahgkqm|ywshos)|b(xfxmdf|nsvaip)|n(dhfusk|zfpims)|y(ubrvat|xwfnhd)|e(wtsabe|krnegq)|g(hdgopo|wiwkkt|gssvur|ctqqxx|zokdcw)|o(zasylc|qijeuu)|pfuwbnk|m(olbhcr|akegzw|mwaiac)|xulhsry|u(xbjuvu|kyytio|fansxj)|q(xlpwjp|aftuae)|siyaizs|v(ulsrzx|abywjv)|kk(perdb|zetqm)|wqolmki|dyxygdd)|v(e(cjpvbk|vwpxrj|addsyy|ejuorc|xubwum|rnbjbd)|a(qptyno|lzmtds)|b(ojlyfj|hnequp|bidaoz|x(oapfr|cdvcd))|lobxano|v(tqctpg|du(effo|qouh)|nherdu|jczlmb|fnsxzq)|t(elmeir|yfbrep)|n(bdzcqj|rrmzat|afrkag|yuwrbv)|g(wcjqka|dfaouo|ryyypd|jbbdvf)|y(xgrpsc|ucmnrs)|k(acnume|klzvdp|zhqupz|rdheup)|p(dbpife|tpthnk|uthwrg|inktfj|rfmsou|anxrcf)|d(lnqxrp|hfftop|gblwrr|mwpspy|ylfqxo|ptrxyt)|mh(smqsi|glgws)|ibctwmt|j(vtqjyu|ltlzgq|kfpelp|zxuega|jbbfae)|u(utqzck|oprhxd|adpxku|rjplxc)|szesuop|f(ebvhgx|txvzry|cjcnlp)|r(yfyejs|wyncbh)|qwqouge|w(afzxdn|qqsprc)|o(mbdkcm|agmvir)|xdneihg)|q(u(bdizac|uzhwul|v(labjc|iqmqr))|s(jqetkz|eknsgo|i(zuevv|mwsmp|kognd))|q(i(nflca|vcvdk)|qattxk)|m(bgxxrx|qoecjf|rvnpuu|alstzf)|h(iifozk|nhyeny)|z(cjmuvg|wcnzlq)|l(wplkus|dijajn)|a(tzeohb|ujyist|ystwcj)|w(fzlfyh|qkvsda|vocqmx|arpqcv)|c(aiykjs|ztdasv)|r(fffqke|vtujwv|sgjida|meftqs|rxaxln)|tswkdyv|k(aghedr|jjhgsw)|b(buibqs|edpgtp)|d(bpluxd|mjcpzq)|g(rwhckj|iqzqku)|v(nhuiud|vajpuq)|x(mqdmbq|rriark)|y(juqgyc|hnguqs|ampepf)|fjzwxlb|n(jhgeqo|fdtpkb|c(vxeks|zawcb))|e(vrmiwt|bmfiwf)|i(nwxfci|bwdeut|hxcrje)|jsphkmh|o(emrfeu|zxumsp)|pprlxyt)|i(q(dkvlez|lrwatj|hksmqg|cmydju)|f(ckqvbv|olpzfx|vknhxx)|n(alrqgt|puuyiv)|y(fghsue|y(iyxsa|fghkn|ssbhw)|ivqwvc)|z(nbjbrn|zeqnex|popvfu|caujqs)|e(ldqjvb|pajxyu)|w(qqferk|hrhnoz)|doghnxh|i(veggtd|eipsow|txnpeg|bwjgsi|jydray)|oltsraj|ujxhqpu|p(cncjes|nfbemi|rufykt|laewbp|ehlifj)|xqpsdpx|s(aejpap|hyxdbz|fybowb)|t(r(fqfec|kznds)|mctuhw|yjqxpj)|b(pksysj|naclfq)|h(rhsacf|ybirca|stuflx)|mtshzsv|atcfjiu|g(vjrmol|byflol)|kmgsfpy|c(ibntay|bxgpik)|l(qphzgy|bicvkp)|v(wuwoye|vedomf)|jvqfvrx|rspfgcu)|n(y(whkrje|yyyuns)|j(xprugf|ztobcs)|c(u(tkftb|yjicb)|aorxgs)|qqfldju|h(xweltv|iquwoe|q(vkjyn|usmeu))|z(qfkoky|kmsmdx)|x(wgxuhc|teagas|pufarx)|v(w(kfkjh|ywqhq)|mdxheu|lfuagq)|k(hhkaxh|rfqito)|mcomnfw|l(tglvcb|cbrkrq)|iqbrxsz|g(nbucyk|sdwtgt)|pgpaqfb|etlcdaj|w(odrika|yhrxzv)|auyrruv|r(zodnos|xfabbe|akuiwa)|n(mdwfzz|hccewb|z(xritg|ehwyy))|u(hnrlmg|ocxjrq)|ohspyuc|duhlywh|tjndsxf|bbztirn)|u(w(iojmic|jdsmxo|okwvwj)|o(tajacx|q(nzpnj|irqdp))|v(wkjbrc|ixxusd|rdiisb)|b(lqgjss|bckzcb|nqqdaf|kmiyex|goullf)|id(wmgbx|jzepf)|n(hioczx|imydkj)|t(g(uklug|xkfif)|e(onscp|zxmza)|wssfgd|sxubsx)|y(djjnfd|zdzyyd|athlou|faybmw)|x(dvbhsd|yrhnsy|ibvnfv)|r(u(xjjws|vnlek)|vbuylz|orhqid|w(uvqqr|edlxr)|xcrthr)|e(iwubqr|toyfsf)|pdatwvx|z(fvfkij|cmfayn)|s(uixkbn|appgxo|xsdstl)|l(xugevb|iasqfl)|f(yefjzw|fwqvkh)|q(dirmfk|rnicrp|ygdqrh|vbbkjt)|kclglnx|c(brwqly|kvpuyj|pomnqy|rstuzo)|hlelivi|uswctxi|aqvzuts|ginzibb|mknpytk))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633181; rev:2;)
# sid 2633182 includes 985 (1801 - 2400) 8 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(v(b(bidaoz|x(oapfr|cdvcd)|nocgpd|aaqvkz)|f(cjcnlp|rquabp)|v(fnsxzq|lpaust|ogepcx)|oagmvir|wqqsprc|p(rfmsou|anxrcf)|gjbbdvf|d(mwpspy|y(lfqxo|nwvmg)|ptrxyt|gmpysy)|e(rnbjbd|lnhfcn)|nyuwrbv|j(jbbfae|cffcfd)|r(qphgrv|fskcxc)|alwnqxv|x(dtbuhk|jmfvet|kdyzjs)|z(mvruvr|ecpsmf)|tasrdog|ibkywng|mjxqein)|e(a(srhbqj|ckfzlt|katosu)|q(aiafpv|dbyxak)|s(molnzo|hplxob|afcnwh)|z(oqierw|jyvyuu|wxqjmj)|u(scxadp|czsead)|r(gmlmas|fgxpty)|gfdfrhb|t(y(uapnn|nhxuw)|lplnje)|lkdpwsr|ceqdbqu|h(vhtbzg|nnkpno)|d(qwktbs|dfziny)|f(rblsfv|uecqxl)|n(bxuwxu|amsamc|nkjehp)|mspzich|vtotovw|p(vzdfwo|cxalbe)|k(mlnkrv|bvvuxc)|x(kwrddy|ganjex|yhvubr)|wrrzjhv|ifdyvqt)|h(pdktjzv|dudipes|o(mahfll|kvwsbo|twqbdx)|v(dwqwei|olbcgz)|m(nvvbsd|ctmcat|fdkgsd)|a(vdggki|owpcwg|qmbrnr|eicvee|dfcxnf)|bkelwmq|i(ntoyzc|yxgqoj|cqwyci)|r(z(tbuzq|gpoxa)|chwvnd)|yelswhj|z(hwanfp|abxqgy)|hjsbyxp|t(luryre|mwnkih|dizvdk)|e(kyueix|wvfbjg)|l(gfuakw|wjutyq)|upclvfu|n(ynelnl|obiqwj)|fkyvsmu)|z(x(m(gdxuf|ifcra)|wzpzwt|uulmbr|ewpvdg)|c(donchw|crufyj)|v(pdztin|k(iwzxq|xnnha))|j(suldml|kmsmka|fncebk)|b(abtclz|evmvzw)|i(nvhbth|lzkjwr|ovknbe|qcrbvs|eholnn)|zzooxxt|mkevahr|u(eqsgqs|upxrkx|svrrbm|ckimcl|kibums)|t(bpzbia|hsscau)|n(zoxvir|pxxxdd)|a(sksjph|asgclj)|o(byhrqn|mdflaq)|pseswtz|s(yxjrzv|abgxzy)|l(tbcljg|nrmomw)|rzhscaq|fdxwlxd|wrjwamz|hpgqxgu)|y(g(v(qlcnf|pcfgj)|jtjnne)|r(cuyxns|eklovc|pgsfhg)|zkcictj|c(hbtrny|bnkkeb)|p(epyflv|uogmqi)|hwehfxf|qypokcs|a(rdxbbb|wgdoxw)|e(taasiy|kjrvkv|ivlnln)|bieoiwv|y(bmetsq|hsihmb)|vplajsp|st(zsdat|mtpvx)|nyimqav|l(wmhpvk|qfdfde|prwqwr)|o(wkezhg|zgbhat)|j(anhgty|hjlrhz)|txpafyl|ddrtwmu|mllyutg|ifnoxaf|wbyzlrg)|w(tzqngyv|q(ackryi|orapdy|tutsaf|utsvpc)|c(tizdwm|itgimo)|i(kutxwt|cfttxy|fnrljd)|x(pybjdf|oqfhcv)|l(tcukzp|mktyfj)|m(gydetx|crjnbc|vzddfl|sftfdn)|a(ckjpbp|wfphao)|j(rcrfsp|dbjbes)|p(wmaipe|dwdrbn)|sgoqgmf|k(zsbsxx|hpstck)|o(retfpa|nnwerf)|f(ryrmuq|oejvts|crrgoy)|hwxnqww|dngonen|u(jposzt|rglrag)|z(qnsaox|hmwtuw)|b(hkjrxb|npfnzh|ubbycg|jfanfy)|vtoybpp|ecyygsb|nyoifrt)|r(k(bvheva|jzosxp)|w(pbyvqz|qlrlne|ohkrxk)|azrbado|znthcsx|psccdgy|h(dxcdgp|keoail)|y(bhypyv|tbmsfa|zndfgo)|orwaeca|l(timrcp|epsvwu|gwwlcd)|v(ttxxlw|bgztwv)|m(pdtymk|vmhluh)|e(hwpagq|fjubju)|u(kxnlkn|vqrban)|qbqagdi|b(rceppf|kapjeq|oewexx)|x(qwgzjg|rvhixv|ihiirm|oaylxl)|dwgblba|s(v(tyzqe|scgfw)|quddqx)|jnmcgex|chwwlcb)|l(luddrrq|i(ypxpla|hchvyt|jxqzyj)|oyzjznx|z(trmehp|eegkes)|d(malgfr|wqjppn)|fjnfhvd|e(sfboby|hxbvgs)|aehjqjr|r(uwdqds|mmciju|cnicni)|mkgcahx|n(lmboej|g(jqcff|rvapo))|u(axalhp|tnwnre)|tjlvuhh|wvphjia|sikfgdz|hyxnywc|qxegkqv|g(hbwlxn|avibws)|joxfrhp)|m(h(usxvpb|szocjy|rnywko)|n(zfpims|xatwdz|nmtgpu)|ekrnegq|kkzetqm|m(akegzw|mwaiac|vapxzg)|o(qijeuu|xgnqqr)|t(mgyjef|rlxdiz)|wqolmki|qaftuae|gzokdcw|v(abywjv|mzqwxy|nzdgpq)|d(yxygdd|roinxk)|u(fansxj|spqhpk)|a(zcjnbd|dknmhm|qvxseu)|jqeeswn|p(jiobmt|hgdeyy|kzjzyv)|fehmqqp|x(wvetzv|hmooso|mymhux|penwrp)|cq(ggtcn|sebxv)|i(pljbsj|yuxlkb)|bhkwrhw|spkeyfc)|t(o(ebsubh|pgvzuy|mlxjoz)|e(relimq|aukzov|nzdyal)|w(pdherv|uuaryq)|z(ndyyrr|ocdidb|jaesmf|uwpefu)|d(xjqvce|rktvcn)|p(a(ejndw|ihjwm)|zglmqf)|a(hvmjxt|sipifr)|mkeltxk|j(bnbhoj|cejgix)|b(bwxraz|ssrrpq|tzxhci)|g(bzoeoe|aubcoo)|f(kdaxbq|eugmcj)|kegzjao|hmyhiqk|c(ozraqy|fnxkkp|yjetsq|hhumad)|nlzyqtj|l(wizigi|hrtrwo))|d(h(diuyxb|tobsyq|znofsg)|q(khhelp|bmuauy|juhwku)|twurfsx|pffzjge|l(fjazna|nhakvd)|z(gxrssz|qpsgrj|snaqux)|e(gyrikg|oeaobs|axtqpc)|w(wvjgnj|iwvzvt)|g(qbfmqj|w(zwknk|lowoo))|i(fnnicm|ykntit|dqgmyi)|ailmlgq|v(fhqjph|dlqseu)|mhbuthp|f(fvxial|qdsekf|waafku|awgype)|rdliuse|spedxnb|x(drywni|aeurlg)|k(hkjpvu|wapeyh)|o(omgibi|bshhpv)|c(pgromo|dribjf)|u(cdbgqt|lelcet)|d(kezpnu|ljvuwv)|ylvelbp)|n(gsdwtgt|n(hccewb|z(xritg|ehwyy)|bkyegl)|c(uyjicb|a(orxgs|yokfd)|b(vyulo|pdlyc)|rlmiqw)|t(jndsxf|yibhoj|askvap)|x(pufarx|fwvhfk)|h(q(vkjyn|usmeu)|rthigm)|lcbrkrq|v(wywqhq|zfsmbd)|bbztirn|uocxjrq|r(akuiwa|ysqdik)|aibinjb|myiqmjl|skvwrnz|o(zlhswa|gbnjvt|iwufny)|ynzuomu)|p(v(pcznta|rfdqbo)|exdmxkv|g(uypefl|cbcjcm|wkepyb|rrewby|idyhtk)|t(hqtacr|sdldpy)|n(vtxihf|wuwazl|cywwpf|tudzla)|iihctna|d(yaryew|ihufnn|fkljkn)|b(favfnr|ghozdy)|hiukltt|uyksres|srlotqs|kibmhpw|c(rxoiqz|pwsikp|suhbgb)|rpipdrt|orpbhyh|pnsvbql|q(llrolt|usxwlx)|wallnfg|fjafejb|jdtemtm|anxhjhl|xqyofil)|o(k(tfntfs|ksfevz|lfqgcr)|g(fckibf|ikhugq|bfeski)|v(hgqrys|ihvtxm|eshwey)|ph(nhozx|mxqec)|ogdrxpp|a(rpyqxb|osoomm)|n(fxixnl|wvzpuc)|cltrgwv|j(ridyoi|erbagy|mivmiu|zwxutn|qvmqbx)|lagczyk|suyobhq|x(zbowad|wshhxt)|mkjznou|zydozsz|w(ngeety|mdgcni)|duvenyv|u(mktfct|dipbcc|ppkedy)|qhsgvvb|ydqifhg|taqtmcz)|u(x(yrhnsy|ibvnfv|ousgjz)|t(ezxmza|gxkfif)|r(wedlxr|xcrthr)|w(jdsmxo|okwvwj|tayowm)|idjzepf|ginzibb|m(knpytk|dzqaty)|s(xsdstl|kkvtpx)|oqirqdp|q(ygdqrh|vbbkjt|dhqlqa)|y(athlou|faybmw)|vrdiisb|j(admola|sttaev)|d(uhunpf|gwlxnc|xkzdvp)|nrwqmps|afhohwu|l(sxdlzn|obsdgf)|unckygx|czkttgs|hcpqeiw|fuecffa|k(qwlaop|pulakg))|g(m(tniocp|zspmwn)|x(iyjerf|kmyhmn|owbvco|zjbpxn)|fakcjbo|b(dcvfjj|ybxknh)|t(cjvkwz|iavxfz|rrisbx)|epinpvd|lulmahq|k(lbjdie|dwjwnr|rxsdgh)|rmdjyfj|s(lzfkmg|txeahb)|w(proxub|zzossc|miekae)|j(oxzotk|ynffox)|ofieqjj|pagbblf|ucayenz|d(lezhlj|jbjnea|gksgsq)|znteaoo)|b(m(gnjizw|eltxzm|wuimlq)|g(nnuuch|huxjkj|mnftjz)|a(slanch|gkiezx)|sjhlsop|o(kmcvzl|fxlzjw)|y(npgjop|hhhmtd)|h(qvaoeu|hmsdho)|k(bcsrtr|mxkfdj)|z(x(lkudo|rubuz)|g(rcqld|wxtow)|m(akcwg|nzmff)|efupad|byolpd)|c(wvzegi|fcbmfp|qxoqlw)|t(upppct|yprarb)|u(qcgqel|rjblbu|upatqu)|e(nocapz|fhjcwb|zipvpj)|rplnuqw|w(geerdr|ukeqvf)|p(vzkuxt|ntumqa)|nhpjsjy|ioeyciy|jdnzmqs|x(qxrztm|kqbbre)|ftwnnxi)|x(x(anvwwn|caaife|kpkrzh|zhjubn|tadnvj)|b(vodpet|ryjnjg)|k(wogtof|fhrzrf)|z(osozmr|jbwimn|gvkhsr)|m(bcpoyn|okrbue)|o(qktasb|uaccgo|mjzwxn|ajbszu)|judrlcu|wyqvddx|uklkiqd|e(snxqia|jjjvpr)|qfgqefg|dqvkaip|n(ywxrly|jjcvdi|ugogdw)|c(ynrxdv|rguxyc)|r(xhxejm|sasbif)|izeslea)|a(knrmzqe|s(pdcnoz|nwmbwv)|b(ijzqcn|hnsgaj)|zmflkik|fnuimpo|gnfnyfn|tbaxdhl|r(kcetpc|azixud|pyarih)|q(edlvsx|fovlzz)|p(gxhyxs|nvkwry)|u(y(pphbs|qjffd)|pgdavo|hqgxig|rdctty)|y(kqripy|dsvixj|geiavh|wribgr)|a(oczkhp|xnsekv)|nvfzfpt|hrvyxsn|vfcdocw)|c(b(idfzdh|mkuhzk|lhajyn)|drlgwts|e(uqsfal|vwqirb|mnjjhc)|kzthglr|r(addrou|uvmydl|tecpda)|gofjpop|x(ngtknz|btmsxo|rskobg)|y(gtdows|iiqgwg|lbvirf|rgzpfw)|trwzhrm|l(fqtdla|xbtnjh)|saitvqr|zhyreyn|u(hsxxlf|kzhtdf)|j(lkermz|hqmeby)|moloaog|oxivgqk|fdwycgp|cuylhfb|atdshbe|izkvjiv|qzipeaw|njuosnv)|i(y(ivqwvc|mibjwt|zhbyjo|ushrsq|crfjyr)|j(vqfvrx|gxkiwg|urocmm|qaiemo)|fv(knhxx|tepqy)|lbicvkp|q(cmydju|onltmb|ighftg)|rspfgcu|c(bxgpik|yvpduq)|t(yjqxpj|rkznds)|e(pajxyu|bqrdpc)|h(stuflx|vyydlx)|vvedomf|pehlifj|z(caujqs|l(vhbuh|ffezx))|ijydray|k(rpgipk|oisqcs)|s(g(ixqhw|zewde)|x(atbfm|oammz))|wynabdl)|k(ef(htfpk|dqkmb)|n(wuviwt|gycsmi|aptmlx|bnqnpv)|b(ghbrcv|fbkpli|mptbnx|kgdwqo)|kzjbyli|wqzqptm|j(brlcmx|ehxdgo|tngsau)|a(nlwenh|wexhza|yqkgqe)|c(nrlzqc|xggdcv)|qsscqvu|l(ikdfvx|thtown)|d(rjncqh|brchls)|vjzklqk|f(gifmqp|eybalw|vodwnh|kfhhil|b(hrwpe|akkgj))|i(xopjdr|myktfj)|u(ggvwrn|bunhgh|nolafg|jwbzkl)|t(qbdxbs|jjttyu)|rcvscuv|pxblyge)|q(n(fdtpkb|c(vxeks|zawcb)|bvnjyb)|s(ikognd|gaqyeh)|y(ampepf|xqcpqo)|qivcvdk|i(nwxfci|bwdeut|hxcrje|svbpws)|r(rxaxln|imqiuj)|j(sphkmh|xgtlag)|o(emrfeu|zxumsp)|uviqmqr|m(alstzf|uklifi|jzkqdn|gaxnvi)|pprlxyt|z(wcnzlq|idqufh|jnxopj)|dmjcpzq|e(bmfiwf|uludok)|b(p(tznlg|sazwl)|yaddzo|avbzev|zfigxm)|v(pvsnkx|n(splpw|uscua))|w(sxwsrg|kwekku|qvitoy)|a(skcppp|lazjor)|l(vprwht|nhezgq)|xxbohci|guslwnh|knqkivl)|f(kldgoku|d(fkbyrj|pmijtm)|v(mawful|kktccu|vzagtf|wgdlbo)|hfpwvxi|p(fbtqye|jyhhfg|irgxzi)|gvsxjde|a(eoadpx|qqurfu)|nlovulm|ipvepnm|e(lrvnxz|xhwxoj|ahuytd)|qgrcbtf|s(jomejl|lkjqeq)|y(gseffj|eathni|hmjvdv|lvfjac|jeoovv)|x(ptcdai|ablopt)|rfnwdjz|m(ctawpm|mcetgu)|jrjrrzm|b(hcksxc|cegbvz)|caiygeo|obddunn|fdvzinh)|s(lwrtyza|fporckt|a(vlwbdz|ajhprz|dhqvup|qjdjmy)|davlnnh|bumrojk|tgumwwj|x(ekwmvt|grmtbl)|jnvlmws|ofavgiq|v(vdadxi|egvprv|whhuya)|zunrkun|i(jlkjlr|qmnnth|xgxdki|ptnmew)|q(jyunhz|kbmbly)|paghsye|g(ipjdje|ffgrdf)|s(ctgghq|belxvr)|ywbvcaf|mkrzfsu)|j(p(bwbuzq|xxjvih|dinwwp)|mubijdc|u(xooebk|thlpsb)|ccmzeuj|l(tzoxlm|bhpumk)|o(jceyti|gjiekt|ttdzwi)|taqoviz|hlvnhij|w(tzclvu|mljqpe)|xdyunfi|n(eznehk|avibqs|qflwct)|k(uqwhnw|jvrgmy)|qwqlifv|e(gphgtv|lawzas)|bdhpyii|fvsxker|iiztfbv|jhmmekb))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633182; rev:2;)
# sid 2633183 includes 385 (2401 - 2786) 8 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 8 chars (.org)"; content:"|08|";content:"|03|org|00|";nocase;within: 11;pcre: "/(f(oqpfnco|lzjsbjp|cmaeuzn|d(idzimm|koknan)|wflfkwv|nqehikp|rcduhcs|jiykefj|tnkpldk|pbzasin|uzcxjvm)|l(s(wzpama|gcyhac)|gvhkspm|i(r(jflbf|ngbet)|vxbery)|xedycov|vflrxkw|c(xcttkh|mkghym)|qasprmm|blzjxen|tctbspb|uaaqohk|hniftha|ytqeiva|nzkbbwe)|h(kbzsmwo|i(lcfsru|mgwhog)|u(dfelts|jdxqss)|bufxnca|fkgqiyl|e(jrquow|bujuwy)|nhwfwgz|svsypnl|xxljwsz|w(vstvcj|tedsrm)|tlzyttm|zdsajoc|plyagsc|jrfxiym)|g(fmijeuo|dfnkiyb|qezypng|zvrqama|o(ssrrwm|jwfjsk)|e(psbwzn|nimxlc|houkmb)|l(ikudmo|xdfjfz)|awqepmu|itrsqzd|jqaqyjb|hrnhyhg|wlkruqm|tpojpch|g(ujshxd|siwtai)|ruugsrh)|u(vrgsujh|w(urtnrn|flzoum)|l(mtkvnw|angpnj)|tsfngvh|d(kjmmrv|tkklij)|pwygobh|jjccssz|xoemuer|yyjrlff)|z(zyzskvk|a(pbfvfd|udajbl|gfzwkw)|t(bxbxow|dsdqpb)|gdhjjcx|ujjtipl|v(geozqy|evlwky)|dcwpgsb|n(gpojmc|ttwdao)|lbjxtda|p(dyryra|wqtksi)|iyhdpdv|o(ifbogw|bwnedk|agtxfx)|ywfkxak)|y(zjwwddz|dtvdmyh|odkqfzs|wxweksv|mznqowv|itigwgb|bztnpum|svntnve|jbdokok|ffdvadu|cxffocp|ejkgwln)|e(sxqhnip|pzeaxjm|q(snygny|glvazk)|kxlfdwt|hrtyruv|lxpmemf|z(nfkijz|ciluux)|c(pgsxzi|oibnkb|qdkezz)|vprezzl|wcwcytr|xgarrzo)|v(v(elzlmn|pfkcth)|pygkqzm|ydhgpyq|z(zcncpy|giznlb)|mthiqtt|xqajywc|a(kehfzh|sgldmu)|wpflycu|lmiirqj|ehccqlj|gzwfcey)|b(g(gqggng|azjnuy)|uabkith|agingyu|xdfwvln|rwqstrm|zwjrixh|b(olrtqr|pllglm)|wgbjucw|vvjwfqy|hviwqod|p(pfqmmm|uqpman)|nvuzugo|m(ochnxl|xnshiw)|cbamdto)|s(guoadwx|mfkynoo|iuadyqg|wlzypou|hsmmxel|xilrxim|lkmpmnu|uczzpfz|zehzahz)|x(g(rrmpzs|aacioc)|l(eogihz|gxhcaj)|n(dacdvx|kusnld|zapkdu|ssshwm)|t(yrcwqs|kjplkn)|vajqakp|hveidpe|xqyezmr|fcplkpj)|w(s(ojagrd|nkcysg)|gjowoqo|cxrglsm|likakmy|kxngazk|dzxbgmg|muqirit|hortgnx|nzcenue|vvhhufz|fxtysfj|pjchclh|eystzun)|j(arbwvmk|wicnvqy|v(vuhwwv|omagje)|dcyrajj|p(ewmsae|atiztm)|lplqjho|ndemkrw|qntnvmn|brfmebc|tgaitqx|kfyjzbf)|k(u(nqhmzg|mioovp|evcxsh)|pygjybp|kczuibw|cldoucm|s(azjgqm|oknnqr)|h(svsjxa|zsojwb)|ibjapik|qcggors|dhslyos|o(qtskor|gxlxqy)|gmdtvll|moshqcv|aphobbz|ykgjhuw)|d(rehqdai|xsonsrl|p(qwcezs|mcbgoj)|daauwei|qvtjajj|y(ciltol|vklzix)|exdnisl|wpuxswr|glprhzt|hmknkrn|tsjbbwe|kdsqale|vddkdnh)|c(b(holakx|gthdxx|kmagvm)|rhncqfo|eynqxmf|cuckvor|djjbhsh|f(xgmgjx|czbsul)|x(diyjln|neljer)|g(j(oqnkq|wihht)|fyefvl)|oevcasi|qwguiwz|pyhnhms|v(ftqeel|zinuxp)|znyjvqq)|t(g(cktvnc|mlnmxk)|wknjktx|s(ofyfab|tfuhve)|kevwrno|uljbbvc|cpgguls|zhvoclt|p(wmwhjc|rqvqzj)|yxtofss|otbrokj|i(ishouc|rxetke))|p(rlakcyt|lelkjtv|mmkbess|tcvtxcw|seoqfsy|q(kpihnx|xhessu)|ckfaxhh|xgxfrin|wmgpbwq|vsrnnws|z(jhwoyl|agayoq)|ntlugxq|oh(ubzep|snccd)|gyivudu)|r(l(amigvx|fubbhp|nwjfuo|lnomfy)|m(jhnqac|ppcxsx)|qvjewrg|deneydt|zrubuki|j(bcjcgw|rrldbh)|adsylvg|k(hqrgeu|wkqzfo|jvkvui)|hkjrvjf|bzourfl|fyjfvqo|ymwlsda)|a(h(dhgsii|nxeotu)|p(htzqoj|qzfipr)|k(okofim|eijscj)|mkyptxc|r(rokuhn|vnvcmq)|qghwuzu|ybxcxqx)|i(ujlodgi|e(xqaqyw|uytoqi)|k(rnrrzk|tcepgc)|lfutigb|mmonthu|tchhzlr|bjjxcqv|pquvaaw)|o(mvngvzf|vyiuxrv|xwusgcd|zjhiqnb|rsbrsgo|hejnoll|yxrjfxs|l(qlnbna|nzaxvs|xbbgsz)|ilqkkbc)|n(xjjdbnb|p(trirrf|imovvv)|amvjnxy|tfcspgt|y(elzcrr|njvgwy|intbjs)|jolegbj|ihimhmv|dmegpwo|zaarvgy|fkefybl|rxkiyve|h(xcvthh|epscli)|qiffnqp)|q(r(xzcypw|jtmiuf)|c(mxoqmx|caougj)|biwvxca|ykfsqup|fymilfy|g(ivmhkn|ortnzr)|sqrmihv|unqbxoc|klgavwz|nacuwkb|zmwvodk|ajjamfl)|m(jlyfhzf|bmzepuu|aojrddl|frujdnc|yinmjvp|udpccmv|dmyekvs))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633183; rev:2;)
# sid 2633184 includes 600 (0 - 600) 9 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: "/(t(kggvtqvj|b(skpqrsn|aytqsde|orvyfmx)|t(thajxow|opshzsw)|ajyuxixk|e(jmtdjrb|hapoxux)|dgsgjwvt|y(mmlhtxv|ljzmxdh|zghhhct)|lpcfyace|hakiqang|sztrgyub|ixkezyrv|csdytlhs|r(uxilltq|qgyiyej)|pezddrpg|xfqwbbqu|gukiwepf)|f(fwimfkpg|q(nujxjqh|bfqjuqq)|l(zdkuifz|raydfid)|m(zrnkmyl|xifaedw)|nvjaysdq|d(zlgiifp|phveroa)|s(hjrcugf|ophdsnq|aciyxrv)|ahhkvysx|c(ekjvmjj|hmrpmkb)|p(hlxczil|ynfwrni)|xalldoun|v(zdeepxj|mrklowl)|ojfydyjk|kqdojpon|trvtmyqx|gwncxprf|yksiogfw|jbxlsrkw)|s(kajnbbdd|snudntfx|r(jinuyjx|giiaymo|omdqapm)|djxblvuv|z(koztkgu|cqflpre)|h(tfsfbrm|htciucd)|tlnbupfs|fniypwur|i(otywqkw|kjseldv)|jpiktffi|nqcgkumy|l(ovrklby|amuygnl)|mtkszdwg|vkwgbrua|pgddzneu)|y(b(chzycxo|mlcvrst)|f(grxvagt|nonantt)|svdpbomh|o(xijbvbm|gniaapj)|dsgpriku|k(icxulbs|bnieoct)|zueyliya|qcucrvyf|pkozyshk|gtgjsswc|ejcubbzu|xinwfswz|v(tqrhyig|vzgtpny|uhmafrk)|rxhwjlzg|wqzkqtcc|tdvsfuib|jopmlyqg|yiglvvpw)|k(v(aqcbhmq|svivpib|fleuioa|khdumol)|jiwzfkkk|c(klgmjor|yuyqstl)|ylolwnmj|k(xctnunn|gkbpzlm)|u(vzrejwt|bioudpi|fuliezc)|w(zrggkme|dlaahgw)|o(oktfpwb|flrayvm)|bc(hwfxxq|wvmygh)|aggmojmt|z(mlzvxif|xfgpizp)|d(krkfsgx|nkleqqd)|rewfarjy|p(pneqecl|cuzgrvc)|syzxxtiu|fusikhqs|hwnheomy|lebhjoww|qlgdsbus|gdjmmlcp)|g(pqlezebv|gyzwduhg|njzdlehj|u(exdvwul|udzptqz)|x(bjztonj|wylhfae|iuqigev|rjrxffi)|y(bbbbthy|ymffirk|ekamyan)|v(guxylhm|witqupn)|wjlgytku|r(larmtmo|ousgisi)|i(majjmbk|erchtqg)|fdpccelp|zkwcfcit|tfjplmok|edtrhsuo|klmsspls)|j(u(g(ncvhre|ybouzo|eejjqq)|eugedrj)|g(xomlvxw|mjzdjmw)|cijvpzrz|l(xirzcig|lorfput)|xcxyqwib|ddecengz|qqrspeyn|sgqyobxh|n(jivjonx|fkuaiaq)|pcihyuuk|rvwvkmzt|t(nknzewa|zpvjbyk|mqaauyt)|wucdbyfm|kfvujstz)|l(y(sztnvle|itovfft)|f(fxixest|sewgfdo)|q(xpslvqf|epcylyy)|e(glpyikh|tvsmocz)|a(oybycwy|ecciwjc)|b(wgtbohm|kjkxtzx)|dzviawsm|rwazawsw|m(rwycprt|upqtfzg|cumibbd)|oiznlkak|isdssyhj|l(nntsupx|vosncvp)|n(ygpmwyw|qmpgrkm)|wpqaozmx|cxczwjwg|zrulmajl|jwypklea|h(zhvksze|nibcffh)|uytbmwhy|gybffqch|vbylqtwg)|u(o(edrcatk|ygqmogu)|rzcjfupt|q(frdemqs|k(zyxlxn|tfzshy)|ltmbitc)|d(oygdjxr|wnkugkq)|w(zkutmsi|knzzjhw)|zxcnkmpl|kcdznpkg|m(yydvxiz|riiuuzr|mhiywxa)|fsvtbvmf|hadkctup|eaepnysb|imqjqlui|grudackb|n(sujwbcw|jjlzgun)|x(rpjafgj|fpmozxc)|uvduvqpd|alullevv)|x(bomknjrf|chjmugwm|xh(lujgrc|pitewu)|uthplbio|n(jirwocy|xyjdysq)|r(kdainrm|umaahgr)|mkzicnbw|tvjheujt|l(fcycbdy|jfqxrye)|qvpxhqvx|v(lhjdwgx|pehqmhy)|s(vekzxqe|djtuavq)|f(rzkthmb|dagbrgs)|ipsjmceg|hsxbbinx|a(ltmwhjo|vebfzcm)|widnbhsz|zvbrujbq)|w(n(iwjrwgi|qmoblth)|v(m(rrjeoe|iestnt)|lrdkxlc)|d(x(ebwwnw|sodlzu)|oukayrd|yzmmawe|jhjngff)|yotcipxz|kxwjqvnf|jkcdgflm|ljafqrig|x(mriulzq|zxrjxwa)|ruukgabi|wbfwtkfr|grekoxpg|inmvtwpa|shufrshl|ctoyfrze|zo(ztctfp|cuneyk)|bcssunxo)|m(p(vazwvgz|qrbpzzt)|a(aubycft|csiihna|vihsapw|swflvvo)|bfbmekvi|sntlirsh|x(m(cxkwlm|ntcubc|ucjexk)|fmpymco)|iyrsmxsw|zsitenra|wxacttxt|mintjotc|vsmedbou|k(nfsxzcb|kwlkphc)|dvvafyqu|c(ysvdydq|jayjvcr|zmfuucs)|hagnskau|y(wknthvs|xnvzrcu)|oiscwncf|qocorwce|fqvkedtl)|d(tgykwvsf|aiatqzgc|ehaogphg|hxggmkso|unlvvakr|s(zemnrid|eydwhhp)|qv(emmjsz|niigvw)|oldnvboj|xgsnrbui|j(pmymcos|cuxguxz)|pmodaoap|bhlxxwkf|lbxkfaxi|zdlugxjr|dvgesezf|ctfoegkd|ydltiaha|vgzlpfmh)|p(kokwmjza|vjwrlvfp|e(aasevaq|kctwtcg)|d(agotres|ugxdkse)|l(zujxxvr|idudzxw)|namqnvtl|szqucalu|b(rvwptav|keuyjlu|ylghvec)|qlmexpfy|rjxizmjl|i(vycqtsx|qzmdwgb)|gstkashn|u(dmrgapt|zcexuaq)|y(t(cahknw|mnppzc)|imztupr)|wwjpnopy|xapqsbol|tzdsbalt)|c(n(hvjpzyv|nkrveik|ykogxqe)|toghlmme|mlacfavx|yxmqaybo|dumzjlyk|ltaebwuk|pyoklbzy|i(vvcsmjd|oafiqxe)|k(pyggwkn|mxtgqij)|chisftzc|hqmqdzfo|omtuexqw|jmonaopy)|a(cuyaautb|vgvrpfjq|b(alcpzxx|uqwauvr|qlxeofj)|l(svbwetk|jampips)|j(eyelrbl|zlitquz)|ghvuktre|s(uwvdeus|kdhdihn)|o(grxqlbq|cufhvym)|f(eejonis|pvwhfmi)|tepeczwm|moengwrd|evtcpzrv|pazwrkzz|incbhoft|zdlbcdel)|n(uspwxrwj|lkwnntzw|evieaosg|x(zlknqkv|cidzprz)|dwihuifa|z(sdeoddq|d(yjjmus|mdbfax)|gdhvtsl)|g(mhofwvv|ppmzoau)|r(s(cjabug|ldpueo)|xkyrhwa)|k(r(gyalry|mcxpsh)|hmphbfq|vvxuedi|tshblig)|jurhdnup|o(skyytms|dewaexp)|ahwilade|wxvmaaib|tkeyxzwg)|b(u(zhjeqoa|amkjwch)|fvhkonpt|a(jpjygkv|crvyfje)|l(bqpzuva|hrzjcyp|ntpbbxa)|j(grwnlcz|tokfnlc)|n(rgezylk|gehhlkk)|blqjyjcz|srsngvxx|dhrdrunp|m(jncmfmn|mfqejib)|hikjyunn|rzialpln|tsrfxaxj|yhfbmwtm)|q(csznrjnd|epgmllwx|x(dgcxpny|seytvak|ijqnizj)|t(qdufsxl|uugidrs|myevqsl)|bkohdfjh|vovwdxdb|lfwwddfc|y(xazvspg|qdibluq)|igisbden|jufawxxe|qpkrqcna)|v(w(yeirmdr|zonlqff)|ukdkvpok|m(jmlprpc|wrerxmi)|fbokpnet|i(maaccjr|zkedigz)|npffxjam|zfzaxfga|q(dibnymk|xhbptch)|e(ddlqjch|heaysyn)|twhhdmde|asygtcuz|cjdwfyos|rpqcdkqr|soyilaqg|vcolnpwc)|o(ljmeyzjz|u(aegczsu|rzzqlcq)|nwseqkel|cbnmbnyu|erjwbmkq|tiztdcvi|w(ecadunh|vflmvnr)|hiuhnlvl|gwnugpzz|ruhkgwhp|afjjuxzm)|r(w(xmjsptq|ueynnuh|aahvavo)|v(hmpkrgk|tgswocp|eszslsy)|g(hpmcnwa|ngvsxgo|kdaskor)|cppnsmtt|d(lvwzlnj|fswbanm)|o(ddamtto|myidxgu)|udmrpsin|p(gpnrmbq|kzbsley)|xyugpxfx|a(sheyojv|ubskriq)|kchpegkd|f(xcehwtk|egrzobx)|itxqvnwl|tzileoyx|yvdsgvff|qdtvipsn)|e(t(eldpxce|nbbjbii)|o(sninmjb|rgnbugv|mtxazkc)|buooyyfj|f(erktphs|ofnjrkd)|i(daktjqn|hfuapss)|ey(hwkpqx|wvubhi)|y(gcrlffk|uigclmy)|s(pdvamhb|kvaskir)|n(aytnszx|ogzlzxd)|pdwuutvh|uysfdvxu|azdvueuq|jqcugzvn|dwimgdpz)|z(gpqbaxbz|x(lzfyhdu|m(ouoiom|ghltpn)|fvdoace)|s(nwakxik|yflhwwj|cgjfblg)|i(lnslamb|aq(kdoqc|cndsk))|lvnzamis|hmdutrew|d(nqmsqfs|ivodsty)|v(tbngeob|djttbzn)|q(verefdr|rtszzoq)|uzwdsdyc|p(kswfxkn|inlclbu)|kj(vgcree|blqate))|i(z(vohkopw|fdfjtsf)|mfmmupaq|kqtaccvj|j(gpossht|kjdzeue)|b(siwmjhs|qmyolnt)|gpciqyzc|n(pmqkivy|ksecdzs)|ajnypelw|flgutmon|rkuzmste|echainmm)|h(j(ykrmpzg|uanoksg|pyysgvl)|b(l(riesyx|oeqcxi)|xnklfhr)|gzrwuyxu|hyavnuge|qhplzbzz|yeamxhaa|phvsciit|eeeierug|kbnjjxml|oakhgyxh|xzfoxnch|zogupotd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633184; rev:2;)
# sid 2633185 includes 785 (601 - 1200) 9 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: "/(m(c(ysvdydq|jayjvcr|zmfuucs)|x(mucjexk|dusujsx)|h(agnskau|zeisxix)|y(wknthvs|xnvzrcu|ehpqoyv)|kkwlkphc|oiscwncf|a(swflvvo|ysxtttm|nixtttd|lywiafr)|qocorwce|f(qvkedtl|umpxqrv)|v(k(jcrbzm|hfljmy)|cafdxmb|dblavup)|ichyjfjw|nfmevwfg|lbyarvpy|w(tfdfxun|cpmwdjw|kokjgkw)|pkwuexge|t(uxxdkyp|igiaxql)|z(ehtsoup|hcsgxak)|u(krmtxhc|akcchgq)|ehlytfan|bavzzxyh)|k(w(dlaahgw|vjnnazb|hyldpic)|bcwvmygh|vkhdumol|lebhjoww|qlgdsbus|o(flrayvm|binjwit)|gdjmmlcp|ufuliezc|z(xfgpizp|zqdedpu)|f(xjkhfgx|awfrkil)|nbmmhzni|e(ncvbnxa|hlqekwm|ugrkbqp|ocpgchr)|jhyrnvdd|xakyjjxw|d(tkxqtva|ilwpjkl)|iqnaxgxm|r(qzazkyf|cekagxu)|ppsylghj|altiaoks)|u(x(rpjafgj|fpmozxc)|q(l(tmbitc|qbuprq)|wnxjfqx)|w(knzzjhw|jjxxhtd)|m(mhiywxa|dfekhkw)|uvduvqpd|a(lullevv|ighadot)|n(jjlzgun|ygxuyhy)|f(xkhbubv|bocgyml|hcihfqi)|c(oevffqe|kivrcsq)|hcapphst|yllumpdv|s(mskgrdu|kfjclcm)|edqgnlrb|koelyiyw|vlgprbom|tjyhgnue|jdjbsueb|brjnopoq|rzqdlmpf)|f(t(rvtmyqx|ljkwkds)|gwncxprf|m(xifaedw|hqpmrvj)|y(ksiogfw|bhugyvb)|jbxlsrkw|qbfqjuqq|d(phveroa|fplpala)|v(mrklowl|xiztcxo|niszqbw)|n(sslcisp|gpzildn)|b(ktbstcv|dqobtmh|npeermt)|ipckhwey|eamskduc|wpnaxcpk|rwtdqlat|x(fgaqsvr|szfjkpz)|cugbpxpt|hcmtilcz|oiiyhgby|zpxafyyf)|l(u(ytbmwhy|jkeoesu|fnsrqhi)|nqmpgrkm|bkjkxtzx|qepcylyy|m(cumibbd|uudcztn)|g(ybffqch|mcxqfuv|hoxhxgk)|vbylqtwg|lvosncvp|h(nibcffh|ckzqsav)|eefdyfny|tydelugm|duksvflf|yhemccye|f(sundiwj|ftabpdq)|wcawpqrj|krmhpxmg|r(dfvnvkj|uzslyzq)|anrbejdn|xgwnikql|sdxswgwj)|w(shufrshl|c(toyfrze|qvucgoc|kwcqdrz)|z(o(ztctfp|cuneyk)|gkflnub)|vlrdkxlc|xzxrjxwa|d(xsodlzu|jhjngff)|b(cssunxo|ksdpfof|obojduz)|ekqxbxfv|f(vfybrew|npoueou|zfoypzq)|w(sfdadqw|obbwukz)|kviimwbh|uuwwayit|l(jbxuekw|ikdyhob)|j(mzxolft|pfsmacv|sfsbvbl)|t(mautahl|pxbqkzs)|pgrdarwt|mchzdyxc|qbptpycf|n(qwtonwh|mdrozvn)|ibxhuusz|opywguym|rqkskuag)|p(w(wjpnopy|r(dzaveh|rsyucm)|vqtsfvd)|x(apqsbol|l(hpftut|fuqfsa))|b(ylghvec|vkatojh)|y(imztupr|tmnppzc|vvatcce|daajzty)|uzcexuaq|tzdsbalt|d(ugxdkse|mqkugky)|lwgozcav|fpjwlnnh|o(npsfhpg|qbxybyl)|n(ikhoqrt|obegyad|skuhlrr)|v(lsiqvmd|moswihh)|htaxlerm|inxgaydj|muudafit|qmuvvayh|eribyoav|rilwbzml|cdvivaju|gtophinv|phfwosqm)|t(yzghhhct|r(uxilltq|qgyiyej|tohbgls|emlxfrl)|pezddrpg|b(aytqsde|orvyfmx)|xfqwbbqu|g(ukiwepf|kglasxa)|vrvbjixh|emuajwmq|fkylzywd|jcresbpi|dyjzjazb|hqxlnuey|abunxrbr|qnpdutfn|uihflzbf|kyllqlbc|m(ecxbmlx|mhxquxd|wbgjmej)|nearhwsf|w(vajysjy|miygfzc)|cxkvsjou)|b(t(srfxaxj|hreyoxc|qsrqbyc)|lntpbbxa|m(mfqejib|bhswdmc)|y(hfbmwtm|xmsuqxe|ghdtyky)|j(tokfnlc|xckahlh|phczgfs|quxcfpm)|u(nqwbbkp|haysere)|bgwteqse|olqoruve|zmflbugu|d(dhbdpyl|mdryllo)|cabipxqb|g(gqcegoa|tjmtjzq)|altzvcnd|vqbzwrxw|siqdkvli|nolaptzp)|n(o(skyytms|dewaexp|yrtnbnv)|r(xkyrhwa|uitnwcb)|ahwilade|k(hmphbfq|rmcxpsh|vvxuedi|tshblig|shsunrw|wrjnaqh)|w(xvmaaib|fsfqxip|whlumcg)|zd(mdbfax|uhedcx)|tkeyxzwg|j(boszhvc|ejhyawk)|mbjfrltq|u(qifnrkj|getelcd)|n(evuuuaf|whweodd)|ceiaujvi|ywriaxbj|qnnknzbq|dcwvezmj|b(cgynyla|hjrmtrc)|vfenjciv|etzwuzul|lcjxekmp)|x(hsxbbinx|a(ltmwhjo|vebfzcm)|x(hpitewu|sgywroq)|w(idnbhsz|scxreap)|zvbrujbq|f(dagbrgs|nosbagw|yfqxitv)|r(mjucten|bdnffgj|phpuvpp)|ukbcfzfp|t(hetlpkz|wulsqtb)|sitlpdea|ixgahsme|msbemkun|d(llfhjlv|plripfj|heilgmk|vyqmnod)|ejlosheg|ykbkusmf|v(xudaivv|vkyvobo)|pquzlqiy|biazebof|gkjhfess|kidsxiec)|g(vwitqupn|e(dtrhsuo|msnghzb|skgjcmu|kzgdfzl)|i(erchtqg|yomkdrd)|x(rjrxffi|mcfdizs)|yekamyan|klmsspls|l(lwdsprk|jjbrref|vxzywyv)|s(kknoxac|oytbhle)|dkjmytzu|pchpeuhu|gwnarcef|ojrypiow|n(urxutsg|icdcuuk)|uhffsycc|tokvriqs)|h(b(x(nklfhr|hhugok)|loeqcxi)|k(bnjjxml|vmugrly|iehqpzm)|o(akhgyxh|fjxumug|tfkvccr|rhgejfk)|xzfoxnch|zogupotd|i(lavxcxl|ikmfrmj)|wxyginiy|m(lzifpyl|rmdszeq)|gcvspbci|cmimbacs|vlsfpycx|qviuhujd|y(gimiszf|juavxjv|yofkwdp)|abbcxioy|nxhlpcki|l(psajcic|hvrghkp)|t(sbhnfyj|eyguusc)|decqrmdv|p(qogrxal|ftysiqs|xiloyfj)|roknbcac)|q(t(myevqsl|odxsikl)|qpkrqcna|yq(dibluq|sfayrz)|n(qamaxip|mpwpvin|zkqywcl|srxrtrn|xmryrca)|hrmwlwwb|csfiofkz|w(zicmkwz|wkqggnx)|d(xcprrxs|mlcsooo)|f(tjaebkm|ifhgvzw|jiyobts)|o(lmgznml|icrcnes)|urfasapd|lofrbidb|ahoyehrk|sgwmpjta|monwnsou|issxjzez|etsloukp)|z(i(aqcndsk|ummsafu)|uzwdsdyc|p(kswfxkn|inlclbu|uvbqkpx|mtgfcvk|gjlbnwb)|kj(vgcree|blqate)|v(dj(ttbzn|qywcs)|teabedp|yltcfqh)|s(yflhwwj|cgjfblg|ltoxree)|zgnmsmkf|giwhpahk|b(oslpymq|vdphwns)|tuhjpfli|massrqmj|q(tbnpfrx|xnrnngu)|azzfetbc|dncigdbi)|j(t(nknzewa|zpvjbyk|mqaauyt)|w(ucdbyfm|jbaajac|ldsjmbn|ncuebgr)|k(fvujstz|upqwsjf)|g(m(jzdjmw|vrvjzy)|kqgzqen)|b(qbwisgh|uployot|olmodev|gwmuxyh)|dathxwug|e(mmtihtx|ykwpwwz|cvlgcmj)|nansjrys|aqxypjhv|q(jvwxeev|ryeykhc)|z(qkoexcv|ntxpfhg|bwvnlfj)|o(sevbyks|mccbvyb)|c(koicwza|ulrxxfw)|fpgzuwfz|larlgnsu|ioquimcg|xxeuqtbv|rvbwlohd)|d(z(dlugxjr|lvlxhvn|mzinkot)|d(vgesezf|ndronkl)|seydwhhp|ctfoegkd|ydltiaha|vgzlpfmh|th(lyzhgn|uzijsz)|rzhacdus|assglbbx|j(koxtkrc|asokyjs)|itfeferx|f(sboefkt|nhlqqcx)|xvortcau|mvutwxoh|w(dnfnxqz|fgyygdn)|k(bzxxanv|iwkooyo)|quvrqlst|p(dxajtzu|msjvagg)|nicfzulm)|r(v(eszslsy|zytwrfw)|f(egrzobx|jlapfeg)|w(aahvavo|vrrwent)|aubskriq|t(zileoyx|ddftlxg)|y(vdsgvff|wvborcy)|qdtvipsn|o(myidxgu|lbvtxcq|pjimjay)|gkdaskor|enxseptc|xizdqcir|zrxaceuj|bzylysnj|j(xpyxiqx|lptxlxq)|idnwoktq|ciqgqrew|mjjdaeuu)|c(k(pyggwkn|mxtgqij|qostzzm|udiiqyo)|chisftzc|h(qmqdzfo|xtwpxpr)|i(oafiqxe|xijlags)|o(mtuexqw|ucypgfa|tfvcimp|edpflfs|fevctgc)|j(monaopy|ktplmqi)|b(wooswhq|gkvpstr|evvveqe)|n(iwwyttu|jmauipg|puhgwpk|xzcdwvs|ssaulom|rucggii)|ldztrcgx|a(bcraxks|wznvmiq|yetvxnv)|p(mlsvowg|lxyclno)|r(nlyklmy|zwqatbf|rhgpskc)|qqvgeaxu|z(bfmsuqf|fkxcltr)|sptclwky|wmtkueht|uwuycpba|dmjtvuby|gkwzmwhp)|s(n(qcgkumy|nquiwym)|l(ovrklby|amuygnl)|m(t(kszdwg|iwdwpq)|btozguq)|vkwgbrua|h(htciucd|lqouayy)|p(gddzneu|nayasxg)|romdqapm|b(crwggjz|magnhmd)|usbdvwde|d(piukofb|vxtbcen)|sbheqhyy|wxuxkazp|q(hkyasdi|jdohpjh)|iehndgpd|tlficlly)|e(u(ysfdvxu|awwaoiy)|y(uigclmy|yinonsm|ggsfovi|zvkueeo)|fofnjrkd|omtxazkc|a(zdvueuq|cdagsrp)|j(qcugzvn|xdacsxc)|skvaskir|d(wimgdpz|nqzbwwx)|h(ybfmqoj|hwxvzdt|apncqka)|csfilonb|pxzvmayo|tpbnjhlf|gbqadtrv|q(gnpftwa|jbgwxah|thmqymc)|mxxernqw|w(tbxvbyu|ajztqle|zoyohnu)|zmfzmgyx|vusshgqk|xsaggghr|kqbjagll|rvihosij)|y(j(opmlyqg|ev(gjnxt|pndrb))|v(vzgtpny|uhmafrk|ypheopn)|yiglvvpw|k(zmkehhu|plbyhzv|xwvozbm)|bjlityrn|x(hpidsaq|xcigrnj)|w(cmywrfr|qvaeikd)|o(pjfahbe|orxztrf)|q(yynwbhh|tbedbhz|hceuuvo)|eyafxeuo|teqxgqhx|i(dsjsgeo|vhvooyh|nhfbjtt)|lyfurlou|sokpzxvk|phxewfep|fuemxyfl|hvwmdusm)|i(r(kuzmste|uqcswwq)|z(fdfjtsf|phgpiyb)|e(chainmm|gokylss|vvwjkjq)|n(ksecdzs|exgdbbk)|j(kjdzeue|axifjzj|imrnrgc)|g(qbrmhee|uwampzi|pcqfhgb)|wwdfhoov|qxzmdzrj|ctlcajxe|hlgsukob|ovdlupzz|fzqmnesr|liyilxgw|s(fobplzj|kizojdz)|v(objxbvk|fhicbys)|phrwieap|x(ydgcxbe|ivoxakg|uqhhxiw)|yrnhhjiz|tshkrzqv|kcjscuhs|mspjmcwb|doodunqs)|a(evtcpzrv|pazwrkzz|skdhdihn|f(pvwhfmi|slgeikq)|incbhoft|z(dlbcdel|ezknpnj)|gftniwhp|jgaseqfk|r(hyraznw|whexcsa)|ntbgzkfc|mozuexqz|b(hnrivbt|blpliuo|ntlvnyz)|cmgbewmg|y(fxntkav|hupggjx|kuigapx)|a(ryudaqq|jglgvgz)|hybtnmco|tlmslsqo|kyxqlqyg|q(ayztmva|lpxsjbi))|v(c(jdwfyos|irkxbqc)|e(heaysyn|jrcvkvi|ttdeyqe)|rpqcdkqr|soyilaqg|vcolnpwc|x(zkqcvtb|kjvpclj|vpzzchy)|t(quotfug|fgqhrra|vznrman)|fckpsclp|dewaxvqc|nserekxh|wflmgdgp|yxcxxnki|oogghxfd|pkflpuye|jkfhydie)|o(u(rzzqlcq|zryqoad)|ruhkgwhp|a(fjjuxzm|ozvnzbh)|e(mvkcctp|vboqzwg)|tqcfviol|ssakwgaf|olrryloe|m(snvpyms|ycgilre)|q(ujeeflj|pzqhbpv)|zhyrvxpd|gcwlnpvb|ioyinuue|lytivwev|kenmgzwr|yngykyop))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633185; rev:2;)
# sid 2633186 includes 185 (1201 - 1386) 9 character domains in the ".org" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 9 chars (.org)"; content:"|09|";content:"|03|org|00|";nocase;within: 12;pcre: "/(c(fszzvhjj|ralzvset|eixvwydn|qrjrovtl)|j(zbtqosvn|ovmmsmgs|c(papjfcy|emgfhzd)|uwjncipd|eeuhnjzu|ggqglufh)|g(hmapjqol|l(bsjmggc|hxwoviq)|osaiigzj|icrwlfvd|yzmzkziw|ttcnuijz)|d(gssmwcha|jxwaouwk|woaxgojl|rtomafei|tsusrfhz|l(ypofqne|vsgpxgt)|avocwqsv)|w(nirhgkmr|acwtjesl|zhzsgrom|ruwbeqnl|kxhiwyei|uhjztgxc|j(rqldwwf|lnxjvdk)|ybrmvuxn|sozpgtet)|z(nqujzgju|i(grdlvwv|znscasy)|bpmjwiwk|s(dsemitr|qqjluer)|jilhatzv|plglxgwt|lyojjztc)|m(svnivkvv|eknebefh|yfqgzrpa|quasqkgn|lagwekhh|paukpdqf)|h(qlqqmkvv|o(jlqgjxl|mxifzma)|rnkwgfhh|hjbjmvet|nmnsmidb|inohvmhe|lvadlpni|xeybheob)|f(nlmcphdq|rtkgkvez|f(nxtoagw|jleelpl)|e(ebaxtnr|lxbbmnb)|dgujaxqb|vukfatux|ilyvonur|lzhtrifb)|n(ugywrism|dhzwmotp|pyytnbjl|cqagbtfs|sjinjhzk|fmheuenu)|a(aciuookv|ioilximg|pklxfvti|swygluxo|ehyisnmi|dwcahwjl|upjqkqgd|ovqjktfb)|e(aaulhvva|xpxaxytk|yyaufzqm)|b(bafomtuu|d(yovhtkb|lkfgngi)|t(gqzyixy|cgegvtr|ozasmdg)|edzhkwzl|izduadlr|psnxtypf)|p(e(gqgierv|bmiyxwr)|p(vrwdwam|hqxihnn)|dnbamtcl|a(mnqtkao|qzxdgwe)|jduskhlp|wdqzsjtu|gvkdvlhk)|i(txgnjvru|i(rqaidgj|wvpjzbj)|zwhhmzqv|fnrteyml|ybkamxbm|xoinqgsu|nd(xnamgh|fphbau)|opkasvym)|k(utmutibf|lngcaxuq|gfpxwjrh|kjuhhang|b(zenvwnp|fmgqcfk)|z(hfmajat|pvuzkxk)|vsiqqhyq|roynlqyx|ivbzxweg)|u(yauphulr|ryenyrez|ip(wfwgdd|ytrgrv)|eonipkzb|wzjblmpr|vvkzqtxc)|t(vd(meyzld|sfcjzd)|rmewcvoq|jdyvinkh|yidenhwv|zaucinjp|oiibvizb)|l(oixmyacy|jlvneryh|djqcwbga|piexzxzl|flzgdbmx)|s(woymhrwa|jumpwcxg|zbxskmfy|vnryobdj|rxbmadhk|fwilghty|gicjkise)|x(m(chjejvt|bjblhhr)|drxahsht|pyqjnuns|zwdtxaod)|r(xyjjydeo|txalchys|nhrzheco|o(ctoiqjv|hfpgezn)|jiemhgoh|ffqkbjsa|lpetewwo)|v(t(odsgzlc|cwjvvxr)|s(jjkxxqa|siuknvx)|kgzdprpr)|o(ygmdntcp|opjhnkxw|xrkoerfl)|y(jxzutrwt|rndtkpxd|urqyfqag|aqkimphw)|q(qxduxujw|iskphrzh|xghvdtzr|w(mhvvkaj|znqwzcc)|flznbyum|swojwbvo))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633186; rev:2;)
# sid 2633187 includes 600 (0 - 600) 10 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/(f(e(bqgpoenz|gacdjvoa|parcpwod)|r(qjhnmnar|xqmpgjta|ytsyjdhi)|scscitybq|p(pbcxraem|hhjrvwih)|x(jnolxgyc|ovquxcux)|a(nxfbwndh|tjsjnejx)|m(u(yniriym|bizfiqs)|tkumtjxu)|ii(wmhsjsj|ksgcvng|udyuqvg)|zqynhkocv|fmbgealpq|wdynyldqa|olyelcudz|dqvbzqwfl|hs(xuvizbf|njpvpjv)|gclqlvkzn|qmqpcfslw|byifocpxw)|y(g(tmnxmxlz|dnfgljfx|ziqnplxa)|skbfwjoah|v(akjcuqwb|kjnmsfje|tthgfwoz)|w(tjgcptaj|bqhzfvhz|f(mqmqwnc|qquihbr))|n(atiusqav|dgyzsvhe|vnsomwcw|lpdylyvd)|f(nzrfkcxl|qcqycrvm)|c(zwodzdvb|ewbaccgj)|xqojurpod|b(xkudiovc|bhhcthix)|phkkfgpip|h(jamtfxif|otpzxfzf)|kmfbhcwig|anngqgwgu|lodmlzpuw|ejhbtpsfy|tqvefzgxa|uojeukqti|zzerluzfm)|w(b(dekpojmj|jmxomgpi|umhszwrz)|yzkiiizki|g(ipuvrken|lbkuabds)|cjoozaklb|fgtdndxhk|s(waxzaayw|zhsgblov)|n(vdndwolr|oqvnkrrc)|v(imjbsrfw|obvmkbog)|eytkasvjt|zktensdyh|wszhsjnqj|q(rloidejo|wrccrmbp|uswxldfe)|lzrkursrj|imjfptvys|pliibzolj|ooqbpfdlj)|a(bktvhxbmi|x(kulbdwhr|gixgdmgt)|ilikrqhhu|zbwdfxkrl|ltqlbsqui|ethpgixbc|kpaclzrbz|rrcqxzgri|gabublidz|u(nryfsuac|obuthewp)|mgeblcjqi|o(mwsxtwqs|ipjoswzv)|wrehupsud|s(jrnzkvnr|nzgtbunv))|p(yhzucosug|z(hgckgvbo|xhiwqrpe)|j(qnxehhqi|g(tigraul|uqbbdrh)|ljllsnkv|sedslkyy)|ctvovjzpr|w(fehmzerx|ozazmfam)|osnulzyau|nblolbzbj|kwdlspomi|rnlghowox|qbpctmeoz|sodjeqvpd|ulopbmpzu|p(kweflntu|xofpcwul|njydxzbk)|a(uyytfxlb|nxcuhder)|ibaxhdvhs|fumtonmbj|mcapighbx|xqakvyeif|tcplahgoq)|b(v(cryyvhlx|sjyumwkl)|r(bddunqxl|lizyzcno)|x(k(zfilxzv|vskogog)|dnwjiswa)|jwpkrpfjp|edywmvlwa|dgjbmrjht|zmegaffjt|wtdtswghv|hkeiqtnci|s(gkhsnwbs|ankjwqyg)|tpyzgmewl|cstmxznrd|nrouhabes|i(xxadyfxa|ikxmrwdw)|uaumwmmqm)|i(zjyjcxbda|vxwumsfbn|d(n(qsnjzyp|nocpnox)|qjnkrekd|azkbwxmh)|hfoybhrie|bisfjaatd|j(gltktlxm|ktoyaiku)|t(qberzpym|tmzzzjkf)|wnehmpyru|lv(betdklz|oiisbhy)|x(jzaoaauz|atapydyi)|ywgftwxos|m(txheijap|vwccuyck)|a(vetmkyur|fyoobokm)|g(bmmrhnbp|wzyaknpr)|ssxjdvdag|itaxvkgsc|qqfybiqjt|rledmjycg)|v(u(fkasqkni|qztzoukn)|z(sujbxlkw|zhqylafa)|d(kwsmtken|rahmlicu)|osvjldydl|p(xrpsbent|scrollpt)|eazwfljiv|k(yyfltlvw|mvgpleni)|y(nokihllo|ewbafufb)|wrsdmgktv|m(ikicmavx|xqpscllz)|x(qvstsvor|cffeqiuk)|jxecsptae|icmzjfukk|sodejsifz|tyixpugle|b(zmjtqpwp|oxusxrrs)|ljdjfwgex)|j(l(ukgazhos|igobnmds|gzjviagn)|d(xmxmcphc|clavusnq)|k(raoitycd|omfezlko)|g(yaioslcl|jdvynkyv)|bpqhalmkl|c(jhtmyjqt|vwivffli)|sfeupqbar|o(pqqrhcih|nonbehlw)|voyaktmgr|admjwxrvc|ymjodqdcy|n(dvcxpfub|vkikdzgk)|msxdscyfh|jcznnfwbm|w(rqcjghee|vatqqpaa)|ubsjfzlos|pqukpllbx|qfsumrruv)|q(q(bxazyjku|lkrtonoc)|hkipbqhex|f(rutmjjie|vzoiialp|fmlssift)|n(jpqtvhtw|hfoaizxx)|rvjagzpze|a(yvanuzpj|nbxqbmbx)|ksnsqyxob|pojrzqhbr|gifbgcehd|wpguhvlha|ikawpqiyd|bbbnwkpmy)|r(x(oimqadtr|vetbfpug|sciuzvhn)|e(p(xzlzqbw|jygyuhm)|bfockcth)|m(twxaynmh|ujeqtgyq)|kjziayiam|wvwbspamh|l(mhlvvhfu|bhphgdrl)|v(lyvziymk|zulkifru)|hopwhupmd|q(dtdrpyjc|sxtxiheu|kwzqlebo)|jgrwvkcom|bkvlhctzg|rxjxkuayx|oakvutbjl)|e(v(dqvaovhf|iicsvkqh|gtjqxetv|jkvcajob)|gnhcbctzy|jcztvrqad|ln(mxnpbll|qtublsl)|tigqohdwq|fglcyvggh|xwragscne|w(kdlavtpl|cqryisqm|hbugaimg|uykecxdg)|evvghizsc|unauwajer|hxizuarjh|nbpmfwcbs|yyggvrugi|cxiwtfpqg|qytrxdglz)|t(e(vkknivoo|hhvgamee|tcemgncx|zuysdhga)|a(zvlwwlqh|fcosuqre)|q(fbyrhnjt|dmmiipyp)|r(yjzbpabc|fkscjxrm|titvpsjl)|tobdzjemo|bhwdhlwyf|h(fkjhujfo|ndkgjmni)|iinkhzvtu|fctltvvrj|mhnlhbrzh|x(cnvrwozv|tqztkece)|nxthnxyft|zznrzdelw|c(zzdfovuq|btnaebej)|wasvrabva|vnmdaqbpv|jmdebotyf)|g(y(dxzwijmf|rabnsrmt|hpdkxuhs|mytokgoz)|dyhmdzwul|hyvxbefup|vccxjfvjp|uukyrmyjo|nnuuoilkz|efddvsdrw|s(iswljpum|rbwnvnmh)|i(fbubnzuk|dyvcqjyg)|gfvjmqscc|jryfzgzzw|wnawievze|blsgwebyy|rmygpubxi|zscgwanhw|tkejvgruu|oclbxsjjj|lfkeockex)|d(q(qhgtrtrl|tbmikckt)|l(jhcnuerb|cytpajjr)|i(slmtuwoc|owedklmh|vrqlpnxs)|t(vxtxpper|ixhczdaf)|ucefwkpci|apajyetpw|mvrjyyfmv|ktedomqej|shvdbtqor|n(wmhtfhfn|avgqapkg)|cogdgzutf|jatnlqvue)|z(pobdtjqaq|b(vctgjuaw|slidcvit)|hcrvqbjbd|w(pwvnzsnq|wgoqvhbh)|v(vorudvqy|ujsrwucg)|fkfmamarb|roeoyoujm|uyufickwr|yofcsreqy|niwkodrri|qixsgfifw|a(hpmbqvig|admjmpph)|lbcuusnox|xegbrziao)|s(d(yywknzoi|bocdcown|lnjwmnsv)|enyqtxrmb|z(pagsqahf|bcfffbiw)|a(xarggjaq|mvqnhrtw)|hgejdfjwa|q(mjaiycws|hpswotnk|rjyesmti)|vzvgzjbld|srasnvzyt|fitydzbzj|p(gznazzmz|zigaqycd)|i(jxxhuedj|tdocoxld)|yaqbyzmnf|lytoyqoqc|oufxrbhte|jgwynycsb|mvvtenhug|tibefazww|bztuqqsst)|o(r(ofonjkqs|rafuejon)|xlmyonmyi|fnzrvvsuy|tisriggjh|qwltxpztm|l(atxkygim|qtxhidqx)|m(bxezojws|urycnumd)|efxtwszrd|u(yxmpiqhc|rniaobds)|holbaunau|z(mqvzugre|axifbsst)|alwmnqflq|k(yrjijbad|qpiplbcj)|g(jrlaoiqy|qrgiehtm)|ixzhoxqmi|cdmwgodni|n(hoefdbnp|zbmvctsx)|pktgofpye)|x(u(daqzkjgh|pkcdruir)|q(wzjiabsj|rzeujskg)|oszbfbczn|l(dlcvptgb|ljhahgva|kwjufitn)|xklaziizc|aeaxmgogo|n(pgqysahx|djkxizcr)|jlagmuevf|pfwzbmhdq|fnqftkujj|gippqgelp|vvusfrnwi|yirgzdymr|mmeeqajpf)|c(y(eekyadys|zrhrrtvf)|n(efqpaviy|tmkewynh|rdklbypn|lwfznjwu)|mrpkceodv|g(ftgrmubw|qbhdrprl|pliypldx|okdfmjfa)|h(uebzkpaq|jyytwoov)|clbxfvdjg|o(badovqvw|hayfanxy)|vifzcegrl|iydoxyxth|ayerrkltk|bwsnvxgpe|efvdybsxf)|h(slicpnscw|papmhyjcv|tkkvwitcp|wrbmaeedk|ghyomspsl|q(flwqhraj|yloajqqu)|o(ygggvaha|kitqdugu)|c(tcdmhleg|fnkzxzus)|e(vkemkjzz|pnlspasp)|vhesijgjq|a(nnpzreli|tbahwxgo)|fqrutoeej|jlewamwkq|ncwcbvktk)|l(h(uqfbkjlm|ksnqntfi|ipeseblq)|y(xygcwqgh|slqgbpni|figfdycc)|g(yasiuoii|wtlswnaa)|s(esjtcyie|bulrekch)|dxstkcpcy|z(hzqemsfk|mxbbqrpf)|xveanqygv|qauehfvwf|mlpypvzdk|p(nqwbszxw|yurbfbrn)|cylfonuih|jogzlqnrn|bgtfluuiz|a(pkitauld|vxfkvrcf)|r(wneqsfxn|zsptsdaa)|i(picwsklx|kunipuvf)|exazgqmun|vaxyyprhy|uquzzymht)|k(cwykuihig|tusqznskx|i(hirnvlft|baxwycli)|q(cbtyoxtv|hfjxcaxb)|uknqpfikl|pvjlxoguz|l(fszxwaya|xntdeypf)|mclisymtu|vdodgzdpe|dizjskxdp|kbezhzewt|heyynesoe|oliuztguu|xazyzvxyq)|u(k(udadysii|bdfotqwf|yorkbcnf)|hpnlmusmg|ruaytgvfa|a(tntmziku|exvcnqbu)|usemlujqw|v(avjmkjqi|ftoutttu|rbogstdy)|bxylumarq|xxethppik|crejklwqj|qccvalosw|tkeajxfpd|eukrkxdsj|mgrzaybbf|nvaedphyy|pqtmlxgkk)|n(jpirusbju|b(adouyagn|efdslmjk)|fuamiswnf|n(jlyesazj|wqampusw)|w(yyucfjvl|jlrztoja)|ikucggdnt|udtwogxoi|o(sansxwye|mcfmwpvd)|djpjqehke|et(ujqrzjx|qbqmake)|kieqoufoh|rrzjzvnqw|hiprvnpcy|vzjmlxnrp)|m(dyngqjoam|v(aoffeoif|vlrafaec)|k(wjcqfunq|jzjiaaio)|gslbvnuer|h(utzylgxw|jfgifpfq)|b(ielanldm|vsbjhspt|jzuyelae)|a(pvmvwrlv|nduetgun)|ultamuxaw|jkaveetdf|tmhmzudml|wzbpmvtws|z(fpkqtnvy|tmgqomik)|segigansd|mbqdwiyxd|ltrcvfywq|qeppathua))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633187; rev:2;)
# sid 2633188 includes 818 (601 - 1200) 10 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/(r(b(kvlhctzg|rtcjaqfl)|r(xjxkuayx|nhwxlmve)|o(akvutbjl|qyclrpwy|emdpsfae)|m(ujeqtgyq|jhnypwxq|dkorkbxj|qfcajefq)|i(feyictlo|mhatzief)|q(lzkapkef|dftonkoo)|xidxxareo|elljbsumy|w(rltetmvh|asjcfsnz)|swvpltdey|t(fvjfbdcw|wbcivwby)|vphxijezg|ftdcdtrut|utjagiwmh|zukgwdnxa)|j(d(clavusnq|jpcgnuni)|c(vwivffli|ulclulzu)|k(omfezlko|iuuuzppa|fkflwayr|avtmzcgk)|ubsjfzlos|pqukpllbx|q(fsumrruv|yadxyhui|rrubugxm|uzranucb)|h(cpbwdmsx|hazknfvb)|gixvtjzik|boqgtixjt|xrgsagmrn|j(bqlbflth|dywojyrd)|w(fgvanurl|bwufiqov)|o(fghcxfrq|cgofoycp|qzgceiiq)|n(umcnlvyh|vjbtjdcl)|rixxvmrda|aymnvuwwa|m(lkvjzokl|rbjegujr)|z(hfndichi|ggqiqlas)|tpevllhvy|facasmiog)|w(s(zhsgblov|wulcqjje)|q(rloidejo|wrccrmbp|uswxldfe|sbkoocyg)|v(obvmkbog|aztdpbzm)|lzrkursrj|imjfptvys|p(liibzolj|gquxgnps|jetzdxra)|o(oqbpfdlj|ntulkwrk|teqrbxnh|bmkhydav)|wbxgidixj|m(fhqozqhq|gablqigk)|z(zcyekiho|igsllsub|hbkkejor)|josfsjydu|bdccpimau|nojfkngtv|rihfsmbzx|d(mniechgn|ddnheedl)|hygtvpjxb|kathmwqrl|xyepsznwx|ymwjtatts|gylroslhs)|v(x(qvstsvor|cffeqiuk)|drahmlicu|j(xecsptae|fhplthtq)|i(cmzjfukk|fgrfwikp)|yewbafufb|sodejsifz|tyixpugle|b(zmjtqpwp|oxusxrrs)|ljdjfwgex|u(qztzoukn|xppkrdpc)|kmvgpleni|zppjsatzw|ok(swbajrl|pdqyqsu)|w(ohurludk|bcrunegx|vjzhyctm)|vsjimpvsc|g(ytyzmoxw|rkcjpgme)|f(yybvrfcj|huexwyfp))|i(afyoobokm|d(qjnkrekd|azkbwxmh)|gwzyaknpr|itaxvkgsc|m(vwccuyck|kxqxcesq)|qqfybiqjt|rledmjycg|x(atapydyi|hoqzrgmx)|vfxugharq|ptfftzulg|wqbntvfys|uhieufgzh|l(zktugbhw|gypnectj|wyitkkyo)|o(pxymynwz|fvherevh)|tbcurbozg|zalqaemxa|cjoexbukp)|k(lxntdeypf|mclisymtu|vdodgzdpe|d(izjskxdp|ewoyagit)|kbezhzewt|h(e(yynesoe|viwqicp)|mtoredqo|inzgmhjc)|o(liuztguu|ucvpjxlk|eqswngam)|x(azyzvxyq|zqtuosru)|q(hfjxcaxb|qsqpzsrh)|nbmsxxoxz|rdpmunfqb|t(gzyentfd|mwfzxkly)|s(ammlqqvr|fiuyqmpp|gmegqtgu)|ivcrtzeji|e(uwuclbbs|euwhfgjf)|y(czugkvut|iirygwjh)|u(krqeomic|procobri)|frvxrygzj|wouiiaimu|jkhqecvke)|f(hs(xuvizbf|njpvpjv)|p(hhjrvwih|ugrfntny)|e(parcpwod|wnjronxd|axqlydwt)|iiudyuqvg|gclqlvkzn|r(ytsyjdhi|zebqdend)|m(ubizfiqs|tkumtjxu)|q(mqpcfslw|bhxlnmvw)|byifocpxw|njquzvltm|z(hsufbuoa|orfzubgs)|drracrwuz|ctdiqcgwb|llncorqim|xltqgfomk|woidohtii|fglrnntzc|ovkywaxoy)|p(p(kweflntu|xofpcwul|njydxzbk)|a(uyytfxlb|nxcuhder|zjnwcyih)|w(ozazmfam|biakugaz|hfedjzrt)|ibaxhdvhs|j(ljllsnkv|sedslkyy|wvwrkxds|otmhpjgo)|fumtonmbj|mcapighbx|xqakvyeif|tcplahgoq|kiltgxled|v(lqthwjpo|fpxgmylg)|ldtiazram|y(ymdfafgt|axjpppxj)|u(ulwabfqo|ivetwoix)|nuyeudjyl|cinxrnbcf|g(mkggsjdm|bnhsbfbn)|ouieaorii)|g(jryfzgzzw|w(nawievze|cqivzvel|gmufdmzh|rirkmvhg)|blsgwebyy|rmygpubxi|z(scgwanhw|nurprlvx)|t(kejvgruu|myzefnnl)|o(clbxsjjj|buuybqhz|pnqzjdrm)|srbwnvnmh|lfkeockex|datgocmhd|u(hrsfhwub|qrocqdmt)|x(tiotjvkd|fyehpmit)|i(zxeiexac|oqewcfoz)|mjixalpht|c(qfviaoxg|ohhfaodt|stprmzqd)|e(whqwgonw|mawmofei|vvmxwwqj)|ayprddqis|kktzbzmsw|h(ufuavlem|obaeljpt)|yvweqtogr|gnkqedczb|vpcqfuuss)|n(u(dtwogxoi|pwbkhkgj|maduaylj|fzrletsj|khgpfrjh)|o(sansxwye|mcfmwpvd|vfypdrwa)|d(jpjqehke|nnjzrgvp)|e(t(ujqrzjx|qbqmake)|wkxubakn)|k(ieqoufoh|xkbishum)|befdslmjk|w(jlrztoja|tzbjszut)|rrzjzvnqw|h(iprvnpcy|ekjjsoou)|v(zjmlxnrp|usunijyt|fcqotmbq)|ltjreyduo|nfxhakoze|m(rrxwjwcn|bhahdrpt)|sapjtpdai|c(dynjtati|xoexzsqs)|xpcnwbbfb|jmfutgbug|pdbpgcffg|aatfmznec|ivpsfqjzo|zcfwstfyv)|t(zznrzdelw|q(dmmiipyp|hekwnquk|gtdgdelc)|c(zzdfovuq|b(tnaebej|hglgadg))|wasvrabva|v(nmdaqbpv|ffaklenm|bdxhsxkj)|j(mdebotyf|uartwziu|sopgmeek|cvyswzrh)|e(tcemgncx|zuysdhga)|afcosuqre|xtqztkece|r(titvpsjl|eosjbmom)|s(bxbttbjq|cniegqnm)|n(ioearxxs|jzontgrb|hrsyajno)|y(wyyzrxcx|xywzcctk)|u(jzxpbbfm|nesedkmf)|inbqgbdxs|k(ytnbeycv|sribwlsc)|l(imqjnqyg|afrdtznt)|d(kjqzxeel|djryxial)|g(ebgkkyvy|wyiamvgd)|pffrwswky)|y(wf(mqmqwnc|qquihbr)|a(nngqgwgu|bxjqqaxb)|hotpzxfzf|l(odmlzpuw|sqvapnuo)|ejhbtpsfy|t(qvefzgxa|djvbmset|rlsnygbo)|g(ziqnplxa|tntpxswk)|u(ojeukqti|zwpemuhk|vsfajrpd)|zzerluzfm|vtthgfwoz|cewbaccgj|f(qcqycrvm|tktnuhhc)|ddtjgxzks|smxknpwmj|yrninvynq|kxcugmplr|jlqxzxdfn)|c(b(wsnvxgpe|xjbtzzil)|h(jyytwoov|wuqydyda)|n(rdklbypn|lwfznjwu)|e(fvdybsxf|drbouwgg)|o(nzezhcdz|whdrbvgm)|i(nzqssehn|h(qdhzskz|ocqbndf))|j(mivbqgmd|nsikblgs)|sdttxqojj|gvmrkrcej|yb(lkkcgvb|fpcmupj)|t(rcdpabdy|nqcgacbz|onxrokuf)|u(ppycvoga|diejicvg)|v(abyejshc|fxkpmnpd)|myyynoggo|kmotjavux|z(vfjznetb|ckbyjols)|qexqunccj)|m(t(m(hmzudml|wkoiarn)|jbllkedn)|w(zbpmvtws|eqzottxx)|z(fpkqtnvy|tmgqomik|ybxipsqe)|segigansd|m(bqdwiyxd|odvlnrrz)|ltrcvfywq|b(vsbjhspt|jzuyelae|kekbykth|wuwixrqb)|q(eppathua|xbcnibfn)|y(anampafu|hnvlbkfk|ziikduek)|jcbohrrfd|ixxublmwl|nnsfroxnb|ufboxojzr|r(shzmumeb|ghnhywyh)|katxqerzp|climtkndr|dvsdyhuzn|vulovzgip)|o(c(dmwgodni|zjwdlbsl)|n(hoefdbnp|zbmvctsx)|m(urycnumd|vlhsqonq|xspsptzb)|p(ktgofpye|qhvdpiiw|yfmfwkum)|z(axifbsst|qcobezvd|cqxleipa)|kqpiplbcj|g(qrgiehtm|nhlwdunw)|xaaxyjslt|bzcyaukmw|w(gksyjzwf|cfseyhkx)|u(xhehsttt|oqkxfumm)|s(bkwaogdy|uxnjyemm)|r(bvxovlsh|msmzspnw)|ywghkolfd|e(mqsublsw|nvdydspy)|fapqsegde|q(ikxjjzgq|wjtzyrfk)|lyyesgmgv|oudfwoalk|vnftszfup)|b(cstmxznrd|n(rouhabes|omkefeya|w(cpluyut|dedorpa)|mmzozpfv|lkxkprlo)|i(xxadyfxa|ikxmrwdw)|u(aumwmmqm|mjnhlktd)|r(zhvfclwu|ykgglteq)|d(psszzpav|jdvfqfib|ehdervqq|vysbcvjx)|ydmhnmdan|kcaafvanr|tfrpuextx|whrelxvia|ffsenxciu|xoudifvqf|hupswxugj|ellswvyxg|ocovcqkps|myxuslqaz|aurtkwhaa|bdkggjrzn)|u(v(ftoutttu|rbogstdy|kqnpxojd|imdsggey)|k(yorkbcnf|ijrrarci)|mgrzaybbf|n(vaedphyy|ftofjlgc|yuavmifs)|p(qtmlxgkk|stvcecfl|xdgzpmgv)|w(thsxxnpt|mbywopgx|lvejqqts|diagmick)|srgkpkpbm|e(bpnvqsly|dzrfnodt|zlxibohh)|xcwzwecdr|y(wynrwlzq|cophbuld)|i(apjzvbsz|xzrcnfhe)|b(rbkfsmrx|knrmhsoi)|tvbqhprqr|utxtihrfi|crpuentui|hfeiwpsct|znjxseepi|gngpcyspp)|q(n(hfoaizxx|opaqxzih)|b(bbnwkpmy|ewczygtl|mxhjwwkc|nulyxwsg)|qlkrtonoc|ffmlssift|c(jueamwna|sprmmink)|p(jwfgonjh|fltprtdi)|xjremcala|r(qwbdqrdt|cxsqfmjp|zfbkekao)|e(kvpzmtvp|micaskzr)|l(gaogsywo|rftmmkeb)|txzhzggfg|vvorsnrmx|jbgxfxoae|hfpttrrqo|k(kmvlbeju|u(ztzayyt|powhety)))|l(b(gtfluuiz|ofxxqoqe|jinaqfpi|uegdplnh)|a(pkitauld|vxfkvrcf|aejylpzt)|p(yurbfbrn|zdfdohgq)|r(wneqsfxn|zsptsdaa)|zmxbbqrpf|i(picwsklx|kunipuvf)|exazgqmun|v(axyyprhy|toygvoaw)|u(quzzymht|xnbwnyzi)|c(ndsnzpcp|dophsdsx|pzrchkjy)|ysrpvfewe|kbjjfpvmt|t(vqtrxyci|rvqxdsjq|fxclaloc)|gliwdgzhv|oyssbavip|s(iqldexwt|cgoscutt)|x(evnowwpz|aagzpcqi)|hfnmzyetl|m(wxyhccgb|kztozhrx)|d(splpbjej|csogvqbj)|wedvgbhff)|z(qixsgfifw|a(hpmbqvig|admjmpph)|l(bcuusnox|atgnnhqg|jpazudhf|kzmdezep)|xegbrziao|rnpbkkktk|c(fvtlsjvr|yhxtctju|avyqnqpl|beeywhjf)|f(dxofzgwo|mocyjbic)|k(zohfxaoz|bhbjjccd)|ycasuauoc|w(vumtgoal|uzudcujb|clbkmdfh|mflyygeq)|g(npunbxuu|yuocjrib|qwomusfv)|uaywsassa|jyqucwyez|inodsanhb|zutbcquwu)|a(uobuthewp|m(geblcjqi|ciolkklw)|o(mwsxtwqs|ipjoswzv)|wrehupsud|s(jrnzkvnr|nz(gtbunv|tgehdz)|oubvinex)|yqziriohs|xgcjvyiyo|t(jvdwaxty|mpdosygj)|l(zbyanrfc|bjcqgaiu)|h(fmzmjwvr|xzeyfdvm)|i(zqlowjbw|mjbnlxqp)|gofhchrpt|kfrvzdieh|c(whnjnekk|yxujflvk)|d(uifjvdmj|jkxrzdep|vtskgbdp)|f(aapcyaar|vofgzcfd)|qqnvxwonx|zvglmtuko)|s(zbcfffbiw|j(gwynycsb|rvlsyjum)|qrjyesmti|m(vvtenhug|x(hvxgsyo|bcjaqog))|p(zigaqycd|vrvakolj)|tibefazww|b(ztuqqsst|yruwboso|slpjvucq)|v(rvgkarmx|ktdckzwg)|w(depzveaj|vklobzks)|ckhoytntx|r(bndvhidr|oaftqrym)|gttfrpulh|i(hccemszx|oguggurg)|dguhygqlq|nsjowbqai|achmfoemv|ugkuipysv|k(ozaktams|cfiuqkhc)|sl(tognlcg|avowese)|lnocynxvy)|d(i(owedklmh|vrqlpnxs|bvxhzoyj)|lcytpajjr|navgqapkg|c(ogdgzutf|vdtyvmfz)|j(atnlqvue|jllqkpuj|cmwximms)|mjstnhrwi|y(cvvjsuul|pefwxyub|freqbvxc|yajuoypc)|kqmziujxd|z(cjfniusg|dsddukgc)|fdastaycg|emrbantvy|vtrpifdjs|p(crgbmfgy|jprhrnde)|hfaprjzhy|gujjwrxjc|rlporahsz)|e(hxizuarjh|nb(pmfwcbs|hkcqzsv)|w(hbugaimg|uykecxdg|qhfjxtjf)|y(yggvrugi|egmvjtxi)|cxiwtfpqg|q(ytrxdglz|mtunczgr)|v(gtjqxetv|jkvcajob|vjgqjkrf)|sjgxqfbqb|e(yogyoxwz|vwiammgo)|xxiyohtmz|ifvmpupbc|gzfxjjjtf|mp(qimqmnl|sdcyexs)|aweuzuyhh|o(tqeibvms|dwmqqmkg)|kxltmqrky|zltwyelou|t(uxtowrtb|pqprfjlu|wewiaafy))|h(f(qrutoeej|caywpcto)|o(kitqdugu|wxqkaqye|ovlklyxo)|a(tbahwxgo|vvytjyew)|e(pnlspasp|kgxxkmtu)|j(lewamwkq|pgduscxz)|n(cwcbvktk|dtpdoykh)|q(yloajqqu|kjltyxaq)|s(idehbrlw|dmuuptsl)|m(nrtubmnb|jctbvxvf)|twncxmuwx|v(raclalgc|vwakafbs)|ubovrbbpp|r(ijidvxhg|vvbaaxmx)|hosfggfzs|xedsjiwdg|pq(bzlkppu|lfjsyvz)|bqcpqjskv|ypcdwglqc|k(yrbvqekq|pmzwudcz)|wknrbcccq|cipmorspr)|x(fnqftkujj|g(ippqgelp|loihvich)|v(vusfrnwi|ckfxkfog|uafsqkmi)|yirgzdymr|lkwjufitn|m(meeqajpf|jlbryxqp)|q(rzeujskg|q(ezvahaq|jwthlcm)|ozuwlzxu|ckoflsqx)|xslgewjim|bspfmksdj|h(btvgbzqo|mnmpypcw|engxbrij)|updkzkoot|addjqvmqd|kwhlkazdl|s(zgmcabwi|ggrltnuw)|i(okaohuyt|xddhousd|ntyojthm)|jbbxzwvgn|zlrbvfsfe|dwhgzsxkh|ckvexkcdl))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633188; rev:2;)
# sid 2633189 includes 218 (1201 - 1419) 10 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 10 chars (.ws)"; content:"|0a|";content:"|02|ws|00|";nocase;within: 13;pcre: "/(x(ewlbghlpx|p(gfquvixk|kqgggjcj)|dxubqoyak|acxedvnnf)|q(b(thaorwbw|szpwkfqs)|ykamvjqdf|zvqbmbvww|fggpjuppz|eyggmjgay|cpdmqauqg|qkggofcei)|j(xklwfylki|bwrlddxcz|sgusuakng|y(iahiayyo|mrytnddx)|mykfmdbup|dsjytlnlj|ugfzrntgr|nqcyewgse)|p(q(mxdmadzi|ujzieqnn)|oseajzjmu|imydmhoqh|axmgpuygn|zenzrpnma|kjjhygxcl|uozoqwkwp|pzvdxswbs|faroidspo|hxoznhgxk|ljehcptqb)|a(mjdbqhzls|hgaszfqwk|vefjsvffk|dsanzktms|ighmpszvq|jitxvhpqv|ezrabtbvo|kyeqznric|rirepjtvu|nkbtqhuon)|r(wonktrrif|mjcgawmiv|sbnjjrkjk|pnphywahf|zuydogwdk|dxueyrfdf|ifawutwvo)|d(fvfumedmo|npgmjfafm|biziiqllc|zdmssnuih|vujhcpagv|kjevzvzpj|jqiopguqp|m(wznbpiug|gylfxdfq)|tgxfkonjj)|u(aadruqxgv|reoztztkx|xrtqpljlr|kktvpqrtj|e(cecwjxlr|bttjrsza)|nclgakibe|t(pyrfkquf|ifaiqxul)|inkoykovs|bggmjdvcl)|o(pgkytnbuv|aabefjdmp|jvupdtgll|vwatsrwda|fizwqidwr|zgxxmukzp|ooopgvlzp|sbsefbacp)|n(kbushpsnn|jsopdmyeb|l(vtefkatw|lclwvqtm)|xvzvollgo|z(soxfrexn|bjeubifr)|mmaytvebu|oigmjcnns)|b(vcokkwiqe|qlsuhrepe|wwwvzfaaq|aikpghmqn|ucdoyhmsz|lfikyfssi)|f(ukxribtwx|w(iekekwog|hnxaqyzf)|izwsxnoas|tgpdoiefm|edbrthsab|cmlsppryq|ybenhmyvq|xibwldaod|q(hltyxaii|zrqqmnct)|fnyabyzyp|kvvkgrmih|njoujnvce)|l(munnsgpnj|sxmtqleik|tllrwvlcl|c(ugqzqvtr|pcfsbyto|tbnwjkqg)|fesyparcv|xgwreggkr|epwzgcybg|ahmkheegj|gutykhdwi|ofcmjqodr|uotfaclrq)|c(qkamaptqn|nvklkeueq|c(vfnkalqh|ugcfakqm)|taoptgskl|pxtngmmjy|oqeebzqyu|gdgmfdeeh)|k(lrcizirdu|t(hyxbynvg|dfbhuhhr|sihbkjad)|gemiofslv|v(hmekevns|vzlxpbvl)|rplcwubnh)|e(wbuzpklod|zxusyrwdr|okxtkseke|xtgetetoc|r(numsnxke|zpootrwc)|qjxoqdxgy)|h(norcjipth|rgegshkpc|kogilqznh|tuflhzzrx)|y(z(vknycwvk|cyocrbbh)|k(hjvlxjuo|kyqsciwj)|a(unqaoqnz|gnogqsko)|yiouppvqb|swhublwft|bzabysayl|wxmzdelii|ewcjifczh)|v(q(fnoazqqy|clvctqet|hmwrhkdj)|rtqvqrumu|lwgazjwyi|fozehsddk|zbxlbvmzd|ilhxmtcrl|pamkgzfbi|e(ckgtulwg|kpmqnuze)|vjovfcudh)|z(damqiqzcg|e(fkvneyre|nmpzgbau|ixusmplv)|yhacgumoy|t(rokjhuge|docgfoxv)|svkwzafpb|jrqynyhzb|uwvzegzrz|fqxiupwbn|vfwjiveir)|m(nzixtblqj|eavdocxaa|w(tcqdgyel|wmxxfeif)|abcuaymwh|krvxijmui|vwqexnpmw|fcxfktafq|xmffkzsgh)|s(w(mdscxzld|wqzdfeps)|bdokpmwhx|cwcmeifwp|z(uwnnrucs|yspgjkgb)|ndaskgqlu)|g(llvpttzao|iujpzrgfg|khrqyxeto|dlfqpdeuf|tghxgsarb)|w(nqyeibrpg|qakbfhasg)|t(s(xpwswcep|rqdxgfst)|azersnpai|jobnjenfq|ebejacpow)|i(c(zdxvwxnd|rjtmjjwv)|p(lgxyvfpr|smlzhsmi)|sjlehtjpu|rsxpgribf))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633189; rev:2;)
# sid 2633190 includes 600 (0 - 600) 11 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/(f(rdyiaosiir|y(axyfcfwbt|cszfwzmit)|t(kvechjvnn|ndschzuyr)|bqybjhhggq|i(ignxyiqbq|fcfwwrzfd|xohlqjruv)|vnbniusaoo|kwouycyjbr|dzjwbhgxii|e(pyvqoxofc|xiwfdevhh)|c(hvxywfmnv|snnfvlwxt)|lntfhqakeo|m(wubebjapq|jnmvcgsme)|ovudytyxly|u(gsrdgbocc|mtxefncno))|o(g(kxwvhovbz|jrbrvicgo|cjhogrtog)|u(tttzrfovh|kvulmdvrf)|c(i(mwddcflg|lmpsmdjw)|yviinybpv)|wqnsjysoov|v(eqstqvzog|ikhlhkajh)|y(hyropeymr|gdhkhvppl)|l(yqktobnqz|avwiycbra)|e(hknxvkkuu|zenwblzxb)|p(hvslekqkr|pknctrddk)|fqzymikmvd|kvnaasenlf|dgemmyxktr|zlzhtgrfqt)|w(xukbbublku|c(b(thbsijso|jrxoausk)|axooomvqd|kigmtfemr)|kkfibccwuw|s(cjjczgccn|bytecikca|pobpkwlxg)|yvrfujoyia|a(aqbwfzdjp|yubcblrex)|whyyjxhdff|v(abewouytg|byyfkxlur)|i(qssljqvvx|dmxfbwldl)|tclcxtedtp|ze(dwviskgu|fdogdhap)|jscodzhqdk|fodxabpmbs|nhcvheosug|uqztdwclxa|pvsmpcglpj|o(awmyffnqs|uoryvodqv)|gzvzrrrllx|blkfcfmxiv)|s(wjshypxteq|kepknlsofi|fbzphgrswm|i(kvcrtxkdi|ubuuenaae)|cgtgtqcnbt|u(tthniewpl|cfjbkkxvh)|p(enpqlnxox|vzadxtlku)|yvpyhyvenz|j(oelvbxowd|ilerfjizi)|l(sqaegkmfz|olbtzyisj)|gotallxtvy|qjjmpzjzmk|nzntrvhdju|tznbxrebcg)|t(y(agcrwilkx|lkrbxwkfs)|clxretxibo|e(iymyddgli|trgdhycpd|gjjykwbok)|dtzqqopcee|odlpznltxs|ftuqinyyrc|wnpyrhgzyl|l(kkhonbhcj|hrbhjnbcm|pbuchtrnw)|muugayxuuu|sdlncoqoxw|qpjusihzdb|vcisplzjoi|zhdeqhvnkn|b(zyasabpwn|ckxadaeqx)|x(elcobmofy|ykjfxzrhj))|y(w(vjoqazmxu|yiqzymjej)|r(bnhkdlxzt|kzsfaumsp)|h(namutbuiq|qmbgjuozt)|u(jtpmtdwoj|falnaoohm)|erfjmeyqhf|j(hfguknneo|lptdzxpjz)|l(yjyesdhxh|bisefkrup|kzkkpbxxo)|sjoqfynutb|z(lgpqjiwdj|hgqpsuzfj)|y(bbettvqfp|uwfqmfvfu)|c(oudafaums|qqeavtibb)|ivtxuoierl|nanugtegss)|j(i(efexjqtuo|ntdffgvzb|xrfsoxkjh)|r(jhdqulvct|noygzhkix|urvavzpqp|htefebikg)|xvmfqxrbot|saoaeisgai|b(xcgyozsir|uyjndzvno|voctfoenx)|gduqkptwee|wrkvitotfe|hnrgmbjkvy|u(abhvqbmof|svcisgnlk)|n(umcniwiep|gnzsvuszg)|a(vowzaalsb|unwadqaic|gbadcvdzg)|j(ccgvaxgpj|htzuluvjg)|vtyqtsihuu)|z(sedvzuzpzk|cupeestfun|y(ptyaiqmfu|hxacfqwel)|z(dvuiskptu|tdlajugdk)|w(niblxlyhw|ayosoaire|syrzeyzpx)|n(swtrgjvmd|acfysdbcf)|e(adxgjinyh|uipvnzirc)|j(xvcrhdnzv|qfcftqiyp)|pprpzhuuoh|mshkisthaw|qsdourjkqa|txuxjuidej|lndfeqtldx|glcpnxttgj|fggklfummb|aozxcviavb|iqhwoozwqo|rugrejfdjc)|c(v(fpcoecmgw|dkxovkcqa|tyhevverw)|b(wudxvluvl|hvnrfdksc)|phkhonppac|o(dyhvqehwa|m(rffcdhzd|kudcrgdc)|ajuqgwuht)|goiwakqltd|w(jpnrjlccw|imdodelko)|y(bkiiquwgk|acsfprysy)|r(vlpabnjgm|dpqzmuzbm)|l(tjwfbifua|ezfkluheh)|stmspdfuqx|ulqybignmu|fdsnwbgyeu|nmfuoigriu)|i(pvekaknnmt|eausbqyxnu|n(fjxwhwfvj|oaprtpnjg)|b(qbgyrmrho|rlsvpmhzy)|k(ycnegpuev|hvuemadpi)|wyuxmzhdab|jwqmkdexqd|akmgdmrrwk|yftpakahvh|hyctuenzgk|snadifuref|uoxqdwsrwj|lckqxutnap|zyeuxcgbwk|mwxwoembgu|cmvcezwiwk|vzugnycsyj|ijvwxpgbvl|gboziciabd)|h(t(kcrbmyyyq|xnbkjyxgn)|r(zonyxgnsw|ufdvdmfot|tvjzqjcog|ylnrjcttn)|d(yqgjpxqyt|rvbbyotwi)|l(vkeiuvjdm|gkiyogcgs)|pfbuobaize|vskoquzhyy|wxsmvxtyfz|fieohgwect|o(dtcbhrrkv|rcotnpuka)|zytmabebbv|gweoimbalz|hyfmewxqwa|u(hiooynpdh|mavvbptqb)|bgnwaopech|mkbzguherk|i(qbzyfxugg|cureugxta|fhlchmkzj)|emxdpohhcv|sksywruwdk)|u(tcfazhhldk|x(ctazspxwt|dbwifkpgm)|veeocrezti|h(cjvckxzox|skmbpjvwt)|w(zjikctvpw|amjythaqk)|c(mpzrmamks|noutekuqi)|fczyuiphdq|b(ynpxrtyhx|awxhyrhqo)|ddcubbkqum|yfznqgmbsv|pzrtyiwwka|gzvvuxazwu|ilapoxeyfl)|e(m(nkbezpwua|stnnydlfn)|z(joxyggnkf|alxcjjexi)|g(gojuvfucj|zyvsjkqmt)|jdqnnagiao|t(mtuskmksi|fbwybvodb)|qgmdgjdltu|oadqkyojbg|nsurgwrfcj|i(uqjxpduzx|vrwuvwcnp)|ksgsrpbjkk|aevfmumnfr|fsffqkjebc|wncqlzpwff|rslkqpwono|ejrtiykyhs)|b(j(tvgqlkspb|anhbpqopc)|lizclgxjls|tuczmkrztm|i(dpegefakr|tgjzhuwir|zssieesxs)|vbyzsgzcdj|brgdejsvlz|ynaxzhycxd|pttfdrggqr|f(bbwzcqezm|fhfcegdtm)|xazvmoedcy|qniqjtyhjk|c(bbbswiibx|lebqewifn)|h(vugipkkns|rpldisxfd)|ogabpocmzv|dvesixbrqu)|v(o(cwakkxtzc|jzeuqoafm|spmilebak)|l(zhuuawlot|yecylrohs)|e(kaltsirhz|whofkycch)|n(qspafwhkg|gqmbqjfya|tnkethbms|ulaxluxdv)|d(zgrjwxqjp|hunylitji)|wailbvbiiy|phrfbewywp|r(vhwtwibfr|hgbyftkrb)|b(ghxspjjij|ogaocghjc)|s(uomjgyych|hbimzaswc)|yzmfwjzsrw|m(ezgiiqujq|pizlyauym)|x(mmhzkqyhi|kcdpzgize)|alqeokzwat|fkkggwkjoq|kulbyjwfys|zgupnrtrlm)|d(bxhdbhxgxs|e(bycigxeqv|mssceqzig|ongdwdzmp)|o(nzluuvtgt|lnblbxodh)|g(mfiolunrb|fqkfcakwq)|lupdbivzhf|ysozinfxsm|k(mwdevkchr|yxluuxiux|nqtujyxlj)|srkrtlkyld|q(agthsouwq|gyatkufcd|sljwhrpui|jzvximclt)|ipldvjqpsp|jzeyfwwvsw|tcqocjbmgi|a(whrnwgvtk|gvmdkkwxy)|d(hjdzmolbk|tjavgdxuo)|zddgniuxxk|hrzqajsvxh|ugdjqxrblj|vepkdckrio)|n(r(tyxnljhme|uswatjikq)|s(dbpavsags|rlxvespcm|gxgkqfqfi|utxpdytwf)|c(ysbsyikoo|tefvmbuyu)|n(igkkjywlt|culregrjt)|wdfezifiwn|k(qloscbgig|hhorpttsi)|hynshxjlkk|e(rzxzsabdl|tabcgzelc)|puutckkqft|udbjptnaov|ohhdnluqje|vrpkckwbgw|lccvstsqlb|fgfrehzkpj|geohonwnfy|aoojoovbnh)|g(awrtegxqcw|ltjpklykaq|iqlstvqreb|weiiveqtvu|n(oaetvabcb|fpnjsvbya)|tgcjifwbpb|hgvdafiwgz|rvysuzemfr|c(iugwghfpg|gqldgvdkp)|k(z(xfharfgd|vcxhdelj)|rpdbdisrp)|o(fdsatrary|uricwnkwj)|d(cwqcqdqse|aonybflce)|y(gbmfanpiv|sggdmbvjl)|eqaszpexkf|s(qouwfopol|twacasxug))|q(b(fymucoxgw|sbjadoccu)|ylszxeipfz|h(qkmeubmpu|wccipsltr|adbvoewux)|jcxgnndotw|k(tevuzhocb|xudutisaw|uuupjzxqj|icwpssyqq)|q(csxuaypjh|fgwsshifr)|v(yvzewbqkq|hilplhfqq)|lufftkcrid|mjbyddmxyz|tmaqunmmub)|m(iu(cqtsfshk|viwtsukt)|qfckmenudy|ohpbjtfypg|t(epcsksryg|lcduqyuah|idasbifte)|d(dcwvcfree|rymynflsw)|bqnxagxaln|u(kezlnrexv|hfalfkvjn)|n(ioqumvfzr|pugcosigp|orezwaabj)|z(omkigyrjf|lblklkodz)|vodnaodtfs|k(pyligqyry|zxslosvnc)|gqgzeibgmo|mnqdobnqce|rhdhxapmtz)|x(mavnqkojsf|u(pzlxfdnmv|ovpwskhwu)|fovddzhayg|k(apcamjwfg|matawaeyd)|sodjahtnnh|d(orgerfvvg|xyqtrugbl|czllzxrij)|l(kuacxbcvv|cmtkcmnjv)|hwquzwkyiv|oyybtykpyn|gqfoanabtb|tpucjrjsie|csnhfrnwiu|wnvxwtpknp|r(gifthjcst|ehdtlgpvf))|r(gpiblggyps|p(uaracywph|tuwjffjfi|rocrmzwtj|hsvemqujk)|a(rdqqbgwya|nxiaxzfqv)|m(glvergkca|fdfypvhaf|rgrkuiuov|ozelniypz)|k(qtqfjdkxr|rcqxrkhjp|pqmixezcd)|flqmnjsfnk|negzenaqdj|omcfvnmryd|wmlxtnetta|iasgohzrtz|e(hpfajinso|mmqqvvssn)|zywrbdlerd)|a(c(kkifosnpx|jwsiiruni)|b(gojrxjugw|omoxrtjeu)|lzfvuijkby|e(qmfkbyfet|rialtldgd|hhijybjgf)|i(becwevtri|nronbzggr)|k(vcmcujqyi|qwobmgrbz)|a(shwrzllgh|qoymagumw)|d(wkeaecjsb|clnodbymb)|pqxnqaymcu|h(d(reqaehae|iyzibscv)|ezclqkhgr)|odukngojel|vqvwgeuzit|monwkzrohk|g(btjrvqcjn|yzspemyec)|r(scxagawtq|ijiquhmai)|unwyogywbi|x(qlizzamfz|cpgsqmbmd)|tntvhwijlj)|k(e(ufepbysgz|kvqebezbf|syvwkpptp)|j(vznuwbcuf|mjgeyvsyc|trfttwtoe|ncxfgumah)|whjrdmsolg|toqpmypnft|kqohgwtfpi|ofbnjgurrt|flwlilqacz|r(dbqwkaolz|rtxntjrcu)|n(fsfzpqlnm|tyynwelpw|ohisbpyez)|a(idednpdjr|fnkklubik|pnpijiegh)|mgstyfatun|iodorozrdi|gviyscspwh|pysaepqyrj|sbnccakcbq)|l(w(tdoyvodbi|pacackvdb)|o(goyviedgz|uqazgbmxh|sunieqcah)|x(fhedjntby|rjqrhshsb|ndxdphikc)|yqwdfwconq|fyvieqiohy|rtougjvvpy|sadnkomxts|ubaebmhcbf|pdojfnznwv|dxogkswtmx|htlymngdrd)|p(p(asjpqltri|endscqtbs)|jmgdbqauam|r(omgghbnnw|aumhoxlft)|a(yylzjlbbz|jeiijrewj|lnpzmebul)|x(kiqxsmbmy|ziqlcmkpx)|q(gvdspdpdp|hqlhoqdlc)|slnbaqsrkv|buvkphlewk|wdredmvyur|yeemochipr|iutkwfzgbi|mmeqfozwaj|ftjiyeiavd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633190; rev:2;)
# sid 2633191 includes 876 (601 - 1200) 11 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/(u(b(ynpxrtyhx|awxhyrhqo|krzylmgsx|ojnoytcrh)|x(dbwifkpgm|vyuazpnek)|d(dcubbkqum|ztrcpohuy|hgauadmfe)|y(fznqgmbsv|nobabzpaf)|p(zrtyiwwka|ckorcklih)|c(noutekuqi|vstochhsf)|gzvvuxazwu|ilapoxeyfl|w(amjythaqk|yhsblfgjf)|m(grsgekfra|jdpnpbbhh)|a(ggdwnzeqt|unfrtqwab)|roanhravmx|klhgrqcsxc|ztheavytmi|fqkgbuijoz|qzkhdgcyho|tbiotqvxno)|h(mkbzguherk|drvbbyotwi|i(qbzyfxugg|cureugxta|fhlchmkzj|ingutdcwh)|u(mavvbptqb|lbwsrleje)|r(tvjzqjcog|ylnrjcttn|fvdlcabin)|orcotnpuka|t(xnbkjyxgn|deynrptbv|hlhgpuwsj|tporeljcg|uddvfxslu)|emxdpohhcv|sksywruwdk|l(gkiyogcgs|qtznvvaxr)|p(cpukpunsn|mcaqxgpdh)|ywyhvnicdy|ftchbolonw|jnupmodoyw|bssielgwan|gyasxjaetj|kwkdyciyvi|wunnztyoox|hjbqsjqdrp)|j(usvcisgnlk|r(htefebikg|csssmtnfo)|a(unwadqaic|gbadcvdzg|kldyltimp|qzzyozliq)|j(ccgvaxgpj|htzuluvjg)|b(voctfoenx|nonluxycl)|v(tyqtsihuu|dcxpierdc)|i(xrfsoxkjh|ipfdlimfg|zujppawme|lbdsocrkx)|ngnzsvuszg|c(ukiuvoidn|gpeswktsz|rvehkwkcd)|sezmssaekr|lypldtgniv|kjxigxktds|e(lbpznhhax|qbjwzxkrj)|o(oaevoibuu|xmkvgwxio)|tvfnuyytdy|zrtgjxjcoy|psxmzglyta|haxfihhppj)|s(y(vpyhyvenz|ayrwmlall|wenkkgnlo)|j(oelvbxowd|ilerfjizi)|l(sqaegkmfz|olbtzyisj|jrymbsbhv)|ucfjbkkxvh|g(o(tallxtvy|xbqexeqv)|edoroiadx)|p(vzadxtlku|yluyddcyp|ndotrpxex)|qjjmpzjzmk|n(z(ntrvhdju|dkbxznlr)|rmpiosrfn)|tznbxrebcg|h(hslnlhqic|iokbdcwsj)|v(hygkcvbzw|n(kgrckvax|miurdrku))|cckohzrpzu|i(gdfncszyf|vtyiggijt)|bevrijfwfj|d(yctkxxxki|jyfecsymb)|s(sqxvbhhim|giecqptwd)|ryawgmnngp|mjgemjhpbw)|n(hy(nshxjlkk|moknvley)|e(r(zxzsabdl|exsgxkli)|t(abcgzelc|tlaprvuf))|p(uutckkqft|v(eovamllx|bvemhfxm)|fejdgrfzr)|u(dbjptnaov|eescfnwmx|xwxydcdro)|c(tefvmbuyu|wrxodkywz)|ohhdnluqje|s(utxpdytwf|jjswpsgnk)|v(rpkckwbgw|fqlndwuao)|lccvstsqlb|f(gfrehzkpj|dvqntddou)|g(eohonwnfy|tuyqxkhhm)|k(hhorpttsi|oevycgefa)|a(oojoovbnh|jsnimnesq|ugwwpdljq|lutjyfwpu)|i(yqtrozcct|zqrgyragb)|j(ceemilqep|jjphdipqi)|wxsyzcxchl|ms(szurqpav|dcbowhsq)|d(opzavvlia|xtrahcadz|sfyxwkirm)|ydfomcyqfd|bpjlfmcqog)|o(d(gemmyxktr|erjhrrwhr)|z(lzhtgrfqt|whztmlyfk)|l(avwiycbra|cgrgnztxu|lkymaoghf)|p(pknctrddk|qemkohtsn)|g(cjhogrtog|bghjmgufv)|c(yviinybpv|ilmpsmdjw|apnbrdvij)|vikhlhkajh|bhyugymtym|ynzlqeetpe|i(iiatvhdla|malauqecq|pppcuoivl)|qxqimpylvy|t(qfefzbfqk|fjmvbpalc|dgsvoxhzj)|wkqnwdnuev|m(tgabobqhv|rjrguijyh)|o(akftvhqlv|wwxwvyzwj)|k(xlyazlfzp|zpnvipxky)|j(zcnkzvtna|turqsseqk)|ficokyatsz|e(irdellpbu|mmwhbdjub)|svmauzpmzg|unkzwcwkch)|m(uhfalfkvjn|v(odnaodtfs|vmsmbbggi|kuqbxcwad)|drymynflsw|k(p(yligqyry|ameppqns)|zxslosvnc)|n(orezwaabj|esapygema|xsstbikds)|tidasbifte|gq(gzeibgmo|tqjbsrgq)|mnqdobnqce|r(hdhxapmtz|myexymfho)|zlblklkodz|p(amdtuncoh|kuwtvsbri)|i(ecvcvpwtw|dvttnwkam)|e(chbblgiou|aertzavho)|y(qhorygjxq|eadgjwoqh)|a(gdezbqcxg|ijltrdonr)|s(nskoapoya|jsyhsjgfu)|b(vgewdvgdw|xsvqjujtp)|x(dphjofwym|jlugituug))|w(zefdogdhap|j(scodzhqdk|rxqlpmhkn|ormmgweaa|zipasjyor)|fodxabpmbs|n(hcvheosug|lasrcqdbb)|u(qztdwclxa|swkvdxdmb|xzwufyrkj)|p(vsmpcglpj|uqoxwummu)|s(pobpkwlxg|vliaafwow|yhjfomonr)|a(yubcblrex|mpyetrqwm|zmmxriymi)|o(awmyffnqs|uoryvodqv|qyjcdmsfk)|g(z(vzrrrllx|mffgqykr)|jwkdodthd)|ckigmtfemr|blkfcfmxiv|idmxfbwldl|vbyyfkxlur|l(svceqqajv|yzcsiqmqd|psjitbxkm)|x(kayzkwxid|ltmubuuvx)|w(sddegrxrh|fxqltgwwp|wlfgdnnof)|y(lbagtlltr|pxeqmfdbx)|tnulepzpwy|dunhzimvgp)|k(i(odorozrdi|xsllspigi)|n(tyynwelpw|ohisbpyez)|apnpijiegh|j(trfttwtoe|ncxfgumah)|gviyscspwh|rrtxntjrcu|esyvwkpptp|p(ysaepqyrj|qeicuegdj)|sbnccakcbq|c(sxafvnmni|ejgoyghzl|ouctkseaq)|y(mujfwaudx|edvvjovjh|xaynewvwf)|dvlzqdlfoy|mzhccicvhm|h(nzvpwacre|uxzgvehcf)|ffwcxyvekh|vejsuknboi|lfjweoxiyh|q(dxqoozork|tsfscgwhp)|uwzvynxglx)|a(e(rialtldgd|hhijybjgf|ljwatpmat)|h(ezclqkhgr|diyzibscv)|tntvhwijlj|r(i(jiquhmai|qqvsnsgy)|ykflqifbm|sczkhoezy)|a(qoymagumw|apcxqiqgg)|xcpgsqmbmd|i(nronbzggr|k(loiytwss|wllayxzz)|xwgucjsqi)|gyzspemyec|sfupylvsxm|k(qledpitgl|xbsksblvc)|zygetlvwml|dbtiruduxr|yhkveefehz|uqwxwgvsvv|mrsudgvwwm|crxqqpkavj|vvuvykmuyk)|q(v(yvzewbqkq|hilplhfqq)|h(wccipsltr|adbvoewux|coxstsdsb)|lufftkcrid|m(jbyddmxyz|vnyercvrb)|k(uuupjzxqj|icwpssyqq|fxgtkiaus)|t(maqunmmub|fkeqiqvph)|q(fgwsshifr|bxtdlyhhd|txlgnwwjx|sptxevpwd)|w(menrlwuso|oslnwwbbs)|d(lauaouiwt|wrgbdkitm|vjpqdbego)|imzephnitq|zeizvbhlfm|cggsceezne|oknzsjhbln|f(ymhtdcilp|awyonmfti)|ngdvuzdvpc|rqvxkijkro|bcsllrdysi|jjqviuxcph|xhmxsjdxyo|yewvzbxhmk)|d(q(gyatkufcd|sljwhrpui|jzvximclt|drcvxkgdk)|d(hjdzmolbk|tjavgdxuo|ewsuxwarm)|z(ddgniuxxk|srlcyziub)|e(mssceqzig|ongdwdzmp|biinevixp)|k(yxluuxiux|nqtujyxlj)|h(rzqajsvxh|sorjnfvfl)|a(gvmdkkwxy|k(kamjlnqx|swzoqqtf|fljgopmq)|xcbrldalb|cifjbqhyd|bsaqtsifs)|u(gdjqxrblj|dwolwxopr)|v(epkdckrio|vcyjavjmi)|m(bdkafxfgt|svfyxwvim)|orilizhriw|s(slesqpphg|ivctmjulc)|rnrxospixs|wedbzgkuov|xbslkhwpib|ynturlvuwd|fwkyxzvwbb)|v(m(pizlyauym|qbvzhvzrw|uznmtxtqf)|n(gqmbqjfya|tnkethbms|ulaxluxdv)|x(mmhzkqyhi|kcdpzgize|ubnayovrj)|d(hunylitji|ujtbfvcpe)|alqeokzwat|lyecylrohs|f(kkggwkjoq|citavqtzb)|bogaocghjc|kulbyjwfys|zgupnrtrlm|j(upizerifc|bsshlzmwi)|euigwkcqip|tjikqdvedt|gzuggjrucd|yrldkzwady|h(fhykkuxkr|nnyegcndf)|c(wljpqbpdo|ytssedley|mpwtqiwdr)|sawbinrwvy)|z(w(syrzeyzpx|yagplxjmp)|jqfcftqiyp|e(uipvnzirc|rzwmfzimo)|g(lcpnxttgj|wzponkxie|bfafdbule|kjygdxzbo)|fggklfummb|aozxcviavb|i(qhwoozwqo|glrbsfcje|yzegzkpsl)|rugrejfdjc|l(pwuciymbv|rszahniyn)|umumxerebj|czleeumcgf|ywcssgagox|h(yzvapzcjp|jiigeghhh)|n(amzjefiyz|mxgoqwoqa)|bztnwyamye|qlxephwtqm|xphjfwyexu|v(mzmezkwut|w(eyknvihg|yuwzttum)|citahvxxv)|zaojmeoujh|djhsapetjx)|r(p(tuwjffjfi|rocrmzwtj|h(svemqujk|wuarspha))|anxiaxzfqv|e(hpfajinso|mmqqvvssn|psjloqocs)|k(rcqxrkhjp|pqmixezcd)|zywrbdlerd|g(kfyxjttln|vknstjndy|mwssjwnvw)|w(jzfjpfqgf|ydrmamykp|bxnmvkjsc)|i(qbrpzyiyn|oepddxamj)|b(zjkswmaov|ewwjnzmbi|tvvoknbjn)|l(xbexxchjx|izqnyejnq)|ofhezrxdjg|n(zjfcdydvx|pqehnpjdo|ededucsdp)|mueqbknriq|tazfgzqvia|cysmwituxm|vtxrlzyjip|sxntfeicqz)|c(o(ajuqgwuht|m(kudcrgdc|frymsuuh|piwucikb))|vtyhevverw|u(lqybignmu|noypematm)|f(dsnwbgyeu|jcmpwwqob)|w(imdodelko|sxwvszaph)|yacsfprysy|b(hvnrfdksc|pmmnrwjsl)|nmfuoigriu|rdpqzmuzbm|g(vgfdpypmz|dwnemyvfr)|t(xbxcloaqd|gvvrwtsls)|apxsejhypi|mv(cieoekba|qqvpegel)|j(fifkhjfec|pgwvkyost|qbtpjquux)|hovcbvumqo|s(xmuppfjfq|vvzwnoipg)|qjgpkwrjwc|e(oqewsdlqd|trcypbywk)|zjisxmuhyd)|f(e(pyvqoxofc|xiwfdevhh|llqoyukdg)|c(hvxywfmnv|snnfvlwxt|dachwflzy)|l(ntfhqakeo|anytmkyok)|m(wubebjapq|jnmvcgsme|nehlergxv)|i(xohlqjruv|gkehhmwlm|uxbpxwddu|kgiwlxncs)|o(vudytyxly|fofuihonp)|u(gsrdgbocc|mtxefncno|dwnbobxgd)|gvybydxere|vcnboqtyjc|qlnzcpgddu|p(mvowcyydy|lhgliegpo)|t(eprdhswru|vmsbhngvz)|j(dhbqpugfj|beehamlkn)|s(owuecqvep|eipdcjnmr)|ymeelayvtt|b(qgvhogygn|ewzizyfgz)|afcmubnmpl|rvxosxumdi|nokkbvwznh|zulioabkgi|wdowxhnlcc)|b(c(bbbswiibx|lebqewifn)|j(anhbpqopc|kbnextbde)|h(vugipkkns|rpldisxfd|hmtqjorak)|i(z(ssieesxs|kbzxdxrz|wbkzytbf|tetwgzni)|xgjnhbjfx|hhrzsrbcu)|ogabpocmzv|dvesixbrqu|f(fhfcegdtm|lequgvypk|hxxsobnyr)|l(gwufgouxb|m(pmhyzdtr|rqibwkwz))|azlyrgakop|ercucrfbcd|v(exbluddnv|ibilbxtku|hyznxrvhy)|p(edygmscec|gyszwhwlm)|xcmqqyaceh|g(hliouhigp|osoznvmly|tcdbdinnh)|yqabhgxpzp|zdovreicnh|sagoouldnq|ujhhdjllxh|bsktpcnfes)|g(o(fdsatrary|uricwnkwj|evzlroqql|obszbtlqc)|d(cwqcqdqse|aonybflce|pojeocbmd)|y(gbmfanpiv|sggdmbvjl|nmtjsaggb|rmtfeiauk)|e(qaszpexkf|ibrcxajyj|eijnhxmoc)|k(rpdbdisrp|zvcxhdelj)|s(qouwfopol|twacasxug)|zycaeymtxp|m(igprbzhuf|uflwxnaqy|gphzzceuc)|ckxpsfkxed|n(bahiimzwc|elrboaymv)|p(fkhothoij|evdedyzcb)|hwefqyuvqv|j(ffowmmkyv|bhzgfriho)|aruncqpqtz|xpkodzdyes|ryuhlqvlki|vzjscsinog)|e(oadqkyojbg|n(surgwrfcj|fgfubcewb)|i(uqjxpduzx|vrwuvwcnp|nqpubrjmn|psudrqgtl|tecepyfsc)|ksgsrpbjkk|tfbwybvodb|a(evfmumnfr|ckjzdahxo)|f(s(ffqkjebc|ojsgexke)|teevzpfgb)|w(ncqlzpwff|qlqmaryai|hfqdryszx)|r(slkqpwono|yqugjxkmv)|e(jrtiykyhs|dmaieavct|txzmodvib)|ykhtnpsdka|z(gyokygcql|vpolyokhx|nwhofweev|oygwiwuxa)|pbnubgnutn|llatbyeuoq|bzqjhuylrn|uhzsifhgzq|x(lgjasgqye|cfwbxcxqc)|hmzwpvqoxt|smxskezgpm)|y(h(qmbgjuozt|ypectspyf)|rkzsfaumsp|c(oudafaums|qqeavtibb|trwkuwrdo)|w(yiqzymjej|bewcsgctd|wpykrwvgv)|z(hgqpsuzfj|nngzisqty|mbqaahwak)|yuwfqmfvfu|i(vtxuoierl|l(jcbnhdif|wcejiaqa))|u(falnaoohm|juyopltml|mnevhwdiz|dvzhupcww)|nanugtegss|lkzkkpbxxo|f(hnyctsngk|gcvibbeod)|x(petpqwrmi|vpevtjyld|trhtfaemf|mpkuckyiq)|s(qrrcrdfwm|ohqcitsoc|sbzrbgqhs)|klfcrkuuji|garvhnybsx|pwbcvbbbhg|dyeydlvqyl|oxknoxgibt|e(zaehwwaxh|iduescfsw)|bzwjmtznfw)|l(rtougjvvpy|o(uqazgbmxh|sunieqcah)|sadnkomxts|xndxdphikc|ubaebmhcbf|pdojfnznwv|d(xogkswtmx|gfgowjovw)|htlymngdrd|w(pacackvdb|rdihtfbcz|okwyaaisa|kapnkleyq)|k(llifvguvq|ynnqadrqx|sbarhymfn)|m(ivirulrzi|kxdiehzlx)|g(hsgwbznwh|bakbwlxog)|qgzofknnon|lmdjbbajjg|juanmbxsrs|b(umwsgbeou|hvkkdqoov)|tpasotqdwc|cjjnaxofbl)|t(l(hrbhjnbcm|pbuchtrnw)|b(zyasabpwn|ckxadaeqx)|x(elcobmofy|ykjfxzrhj)|cenptwgcwx|k(xcgxnpolp|zhjybppxa|jcgitlpzc)|q(jtsudyyrj|weeirukwr|redsnhjqj)|fpzvxxvsed|ifqdfwxmfv|s(hvbknsfsp|pvtecvwpw)|dclqrvyslh|jzcdducwpl|hhityvzlia|uukzkomruc|grmbeadctj|ppiyhdyxim|zxnmlgetry)|p(a(jeiijrewj|lnpzmebul|ifsjewbyr)|s(lnbaqsrkv|xxbmvgmcw)|b(uvkphlewk|rnfdmbfac)|w(dredmvyur|jbbnpulla|egevwyeke)|y(eemochipr|cibmnrguk)|iutkwfzgbi|m(meqfozwaj|o(oaxgnjto|wynfbsdi)|ljqybhkni)|q(hqlhoqdlc|rmtwarzgo)|f(tjiyeiavd|ljqbxrdim|useaiilqd)|t(cvfnceoum|dknugpdrm)|ravubzhpdj|jdgutbkbie|e(zyizikjuq|cwjjjuoqs)|xjupimbiwh|vdwksiunpq|zffoeqhbqo)|i(uoxqdwsrwj|brlsvpmhzy|l(ckqxutnap|pttebnupn|icgiyxhxe)|z(yeuxcgbwk|mqmkrueyn|hwuqvelyh)|n(oaprtpnjg|fogaktchr|uoywdrbig)|mwxwoembgu|c(mvcezwiwk|nmukbbqpo)|k(hvuemadpi|kuzjvnqzq)|vzugnycsyj|i(jvwxpgbvl|nqkqbkzur|mlnsggqlb)|gboziciabd|dkvlhovvnu|h(qmcbbuamj|ppohmgfod|gaflxnjwr|ufloojqhi)|pkgpuczrgw|w(ljwfcopdd|yjiswrgrn)|ylerxrwwrv|tkvczkylil|oepmlcynjv|egokwqlexa)|x(uovpwskhwu|tp(ucjrjsie|gyvardjb)|l(cmtkcmnjv|eveqtotfn)|c(snhfrnwiu|fhpgbvpau)|w(nvxwtpknp|rxzisyfql|eqpjlzcdv)|dczllzxrij|kmatawaeyd|r(gifthjcst|ehdtlgpvf|mujflezfj|nvsaowgym)|mswaxpskyd|ogvokloijt|aftcqfjbzs|ivjndcvujg|jcjqbxachx|execddwkun|qtjmwkqrsf|xwhvycvydq|vnniucrrdv|n(ljoeskvxb|dmxdtquuf)|sbqwrtxizl|g(vcjcvpxho|lnytmwnlt)|ztdinoumyy|pegzzzuwmx|h(xvsmnngna|zjonpceuz)|bwdhaqvtao))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633191; rev:2;)
# sid 2633192 includes 276 (1201 - 1477) 11 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 11 chars (.ws)"; content:"|0b|";content:"|02|ws|00|";nocase;within: 14;pcre: "/(v(d(utvnlucdx|dxnvzqjks)|thujmbhyyj|etlfsmovcq|qutikysvrn|vcssavvbmh|cswmqkhsew|m(d(oyrhjvid|inwuzdxl)|bmamagdrf)|a(radxmgfja|dionoplvy)|xpjbsacjeq|ugyusxsvdi|rdlihzrcwc|jemdrrnvcs)|j(efefibcdvi|x(jdmhwulcm|rdvurilzg)|zsgcxxzjzx|y(juxxyjpgb|zkgsxjegt)|km(wqywmikp|kixqqizb)|f(ctztlsbkr|zpgpmyjjc)|binwggpawj|duudtgtiaz|huphuvqwpf|ivykhuyqtf|jakeyhjywv|wtxejddyaf)|w(spewanwwiu|zisocfoefc|g(fcjadahlz|nwurpxcoc)|tbuctzsmwh|posvhfzjhe|nlwvywoycg|c(ixtwgezdc|mggjzugio|vvdqynvmp)|wdtuvjesap|bfzlbqulgr|qodadxelgk|d(bjetqiztt|tgbyipdqy)|hlmsyewtcp)|e(ndoysrdugm|y(cqwxhnbww|hqabiiril)|axwvftfyjx|cfyrqjjnug|hmkfjymjnd|zbfzyhvfpu|t(lwwekmmap|tizcalnyf)|sumugngzed|qxbvjsjmpa)|z(dkknzdojbz|fiygrrbjjp|vxlqagtbru|b(ldcjvbnha|iewrmmzep)|wxgnqdvwkv|mpysjqhryn|tstvjpvyjp)|g(zvlmcbaedz|vqsjrhzqeg|prfufxnlsa|xiuudqgksa|k(obijwqopl|rgzdplgcu|lvidocqyk)|uy(pfackvup|wiibcetg)|nqxmckidsi|enhqmbtjai|wqbmuwcrcw|oyyqyqhfou|fopjyavlqs|bdcmwkoegz|jfifyyfetl|rzbmetkuwt|suxkgtwjaz|mkbrzqxtax|dkjdhjhpzr)|a(czzxuixmwg|u(mpxljdtsk|jzfgzteln)|q(rctkrfdqe|bgokeqafm)|absylygion|sphrrzucpw|ozvtuqzoel|wrlvmmhndi|rxvwsfgzox|fviouqcnjl|xopazhymjm|dddtyqkaoc|yvfygrqjlk)|x(fnjlixgkzh|lhhrwsbooe|iwghvbrefp|mttddoxwhd|grbdjukcvb|kttulsegsy|uwcbxllkks)|p(g(tzriogejx|zjsgiirpg)|atecirlzjr|mbizvvxrdg|cbhkevecqk|zrazqeylzg|l(axammkhxy|czphflvlx)|skpfngiemd|iohrfywvjj|tvlvcmwxip)|r(a(tjbssjgbh|sxnhocxfu)|w(phreudvap|cdymqncta)|vfgmivkmnw|j(ebyllaium|kvvlwdzif)|uyouagiich|gbdnnjktth|dopannezle|xxvjeanxsg|spabhfqevn|rxybpeqnti)|i(v(vkerqquxs|upcnzmapi)|xzobdsxgoz|szgjjssevz|irybwhxqxy|eoxqljtpno|fuymwajrbw|ttccfteifd|ylaiekinli|widzapqpzu)|h(xfhgdjhwhi|k(wbgdgieet|umdwmezkq)|m(nfkgsvjuh|pusburuaf)|gbdpwawgem|ralxzedcyz|lnppuuslpu|hhbjeuccch|abxvxyrfst|eqalpwxmmi)|k(zzevvnpgao|lcakwhpbyf|jzujmpwxai|a(lewcfmnxe|uruzkfzdu)|wenwxayuhc|h(tyaiyafbu|kjupmluhl)|ktinjrwlfz|fxbblhwpcw|ikarrqcasn)|b(a(whbrutpqn|mkawhgjml)|ukapxqrcbc|gnagdeoroc|jwxxlvtmww|bhbscfkmpv|wiqltnzyuv|vmpzaghwad)|d(qejwyenlmm|nxjbsrytxa|ejhexyecrl|wctfjvwbfi|yuvhovvoay|psgpgugwni|fvgecoliap|hiimqxdwlh|detbvllhci)|l(r(gshwtryau|cekwimylk)|icdlulsdso|mjogibyqzv|xswwcxignx|ukphvvnxnw|zcfulquatc|sepqvhandf|gqlplmbpka|wcpkxolbbm|yglqlevsxm)|t(cnggiaajuv|vtqkggnkyf|hyqwwprmtt|xsqmzagssb|aldcomkxol|jpxumbnojr|kvupwfiqzj|sbanfeikau|yjacflgzui|ofsezkxprj)|s(a(tzwzyewju|odyhjybvn|vxvcfoxvs)|pjcrowlmzx|w(hoqbxrmza|yeewclmua)|bkssqdittq|cjxhbfkzmi)|m(i(vdyetgbsg|giintuydb|ecahnhloh)|zsqsmjptpb|uxkugksgqy|knbvehbyfa|abctqydone|hwnckcdtxv|eokbtfxpxx|reuorwzkom)|n(vvqoeeycdp|thhyjwvrwd|ohnetibkwk|wtsonnmvja|jreiyllvru|s(ivbmwltzk|tilvyjril)|howiioztto|dviyhuovxf|ftlfpfbxgh|rkkhzwsruz)|f(i(awcfzefml|bibkvrkei|gmrkhpfbs)|ezrcdkojxd|blwlgrnjjv|lszwmbisef|wbgiajugna|gatayuirsb|yajwimyfsl|p(ydphshjfb|zgaobpqds)|rbvyaitnlk)|q(hyltqtefjp|pdvhpxqpwb|qriucmecze|ufymnuvzzk|milftuepse|xoyadudtgz)|y(qkadszruks|ovzazboxva)|o(cahvzyccjm|lvmupdfopn|hmrkclzydd|dajeqtddjs|fitamlaefv|p(sjnsbvuli|qfzrkskkw)|xbxoyengzm|btfoshcnwy|jupsxmeger|wcgaolmcog|ildarsymst|ycjgipyutf)|u(vjgddghofd|jwuihpwyue|s(eorazlxag|rogqwjeke)|tozjlhuvrv|peamdggqys|wyzqtwyawl)|c(vlpbozmbxh|leegcpdqht|i(bmhgysaqf|jobyugoxv)|mklvnluoor))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633192; rev:2;)
# sid 2633193 includes 12 (0 - 12) 12 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 12 chars (.ws)"; content:"|0c|";content:"|02|ws|00|";nocase;within: 15;pcre: "/(biznkqwtvugp|c(c(xdqnaymwcg|ggwynimsai|btqjzzmqbd)|n(cqorgyxhic|absphsbqeu)|omnykqphkrl)|orghsfhbnevt|infof(fygcnwj|rvdbvca)|wsirsvtmmzzb|netplxnmaiqt)/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633193; rev:2;)
# sid 2633194 includes 7 (0 - 7) 13 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 13 chars (.ws)"; content:"|0d|";content:"|02|ws|00|";nocase;within: 16;pcre: "/(infoaivolrtgw|netabvkeehxte|biz(lvqvejiflj|hmsqoyrsst)|c(c(udkoifvufcw|oyebqcxjdni)|nuaufljmzbrf))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633194; rev:2;)
# sid 2633195 includes 1 (0 - 1) 14 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 14 chars (.ws)"; content:"|0e|";content:"|02|ws|00|";nocase;within: 17;pcre: "/comwulhfvenqbh/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633195; rev:2;)
# sid 2633196 includes 600 (0 - 600) 5 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.ws)"; content:"|05|";content:"|02|ws|00|";nocase;within: 8;pcre: "/(m(zrgz|w(dhu|gts)|o(gwn|abe)|urxe|kcvo|yvyp|mdui|d(mvw|glq)|c(rmr|krr)|toan|qbbt|f(edc|aun)|nssx|b(quk|vyz)|s(rit|vim)|hcaf|xfyq|vxow)|v(rqhb|u(jup|uwp)|w(vlm|edg)|jucb|i(fuy|rmb|nth|agb)|e(phi|dxe)|c(czr|uno)|n(nvv|qyh)|s(nkr|ydm)|y(noz|cyb)|ppaq|tsjt|dnej|hiov)|x(w(fxr|jsq)|r(vmv|flx)|z(jvm|ssp|tpl)|ukwf|cwjg|b(sye|cie|tym)|p(xqi|jbd|our)|a(ihj|xmb)|gmoj|s(prp|bnx)|xzbe|j(wyp|uxf)|vtgq|myiw|lagq|i(ykf|zeh)|fvcj|nxsb|edue|tryp)|e(pvpk|u(mso|yip)|d(wuz|ajn|rwr)|ypla|rmzx|akkb|q(pll|ugz)|ckjk|x(eea|jgr|sqm)|mqak|o(iut|yzi)|vygw|ecxb)|p(ndkr|lmbv|j(qid|yde)|y(kim|ysh)|oxen|h(pwn|hxy)|z(exr|wzy)|w(qau|jyb|ryr|sci)|u(dyq|bse)|avbh|qrtb|rtoo|gxao|e(ndk|esf)|ckdk|b(uyp|ovh)|t(eag|mmj|cpk)|vsmv)|b(z(gpn|nfn|yvr)|sj(ju|sl)|ccaw|j(v(qf|au)|zol)|q(njx|gyz)|yzbv|p(zzq|rrl)|fdvc|nugm|bafu|vkev|akri|djgc)|l(oomp|itss|akry|n(mjx|kyh)|ctjk|m(zcd|ucw)|pcws|bszk|jkxu|z(umk|atb)|gcqu)|s(x(sfa|eci)|q(jjg|nvy|kka)|a(a(qa|mp)|wnp)|t(pee|kso)|h(zpp|rtc)|g(xts|yqv)|wjwn|zeze|igdc|dbvb|biae|kmla|nwcx|llxt|varp|sujv)|j(m(nqu|lbb|ddm|zkj)|noxc|i(dho|sei)|c(ndh|kbd)|b(ivl|kcl)|ehqb|pdcc|vdnn|h(tpl|puq)|thht|s(kou|wze)|ogvw|xxji|gqpa|zfvl)|t(crqq|dyxa|vtsv|r(mgd|ldn|vxg)|kxrb|s(oaj|uqr)|mvaw|nwjw|o(lbe|kkt)|lmzk|g(ree|jfv)|pszx|jvvr)|d(n(jan|ejp|gcr|kwi)|teaq|svcb|x(dea|xue)|cabv|h(lzg|ayn)|m(esn|ayq)|k(uqe|gmw|lvi)|l(yib|wkk)|qqmm|gcwr|bvsc|eyba|zlyk|pmks|ysyk|dmkh)|h(llnm|e(bwt|fin)|y(fxx|opb)|p(moa|lqx|vcc)|rsxc|s(nmz|kje)|qmig|h(lbl|sut)|btvm|u(wab|aur)|x(ztm|woq)|i(owx|cgd)|vxkc|mlks|azsd|zidx|fykm|tcug|oehx)|c(q(quk|ugw|ndi|dpt)|ziui|t(jgs|vye)|nqjo|s(auv|vrw|fyj)|aojl|fphk|u(xle|sbs)|bkfo|c(mcw|xns)|htpj|gyyn|ljac|xstp|peue)|z(p(ktf|mob)|f(fru|awg)|izpp|vxzd|rjjr|ewgd|b(ecv|arl)|g(yjo|qrz)|cgkb|ywse|lyjz|u(psh|tjo)|sowq|nnlc)|a(g(mad|ktf|ufx|qcb)|d(eyh|hmt|svh)|zzbo|bbnc|k(vck|d(rg|le))|f(kcc|ubp|gkc)|t(rkc|qsd)|xffr|ibpq|rqof)|y(qhkf|h(log|kko|srt)|u(fsj|odp|qju)|ztgx|w(vse|mcb)|j(vit|jar)|ffve|xktb|p(tuq|jsq|hvv|map)|i(skl|daz)|gabw|r(hol|zyf)|bvxy|dfjm|llqi|c(ygs|rto|fey|hwn|ogy)|onxc|nkmm)|g(fyho|s(rov|leb)|z(nvo|qbh)|l(suu|xpx)|xfqr|t(qzd|jom|mkl)|u(why|uhk)|b(grd|xns)|v(kcp|wot)|rnbs|kulx|dmll)|n(b(fya|rzh)|ufml|stkn|culy|v(ixb|hsi)|hnbv|a(yoq|urc)|epze|z(esx|jma|bsd)|n(zoq|vub)|tpdd)|f(bqfv|w(osc|dkj)|q(tfy|fra)|v(hzu|wlp|jtj)|d(qik|fmv)|kgrv|yymi|iday|eeor|zeqv|plzp|tybm|j(uzn|jmh)|gawl)|w(kvxr|v(btq|x(mt|vx))|ynaw|i(x(wm|qs)|kay)|qziy|ohbv|blvr|wjnh|xfiq|znxl|ggil|d(dkf|boo)|nowb)|k(dayl|m(ree|son|w(jd|na))|vtrl|w(wct|lbm)|b(hgv|ksw)|rmhm|y(gae|nif)|neyu|jbbo|g(kla|vlr)|uqmv|fhsv|ikjj|k(wht|lcn)|a(sst|gao)|etuu|tiep|hwus|zscx)|q(gecd|rnfs|qjnh|nvnr|x(uxg|gcw)|o(whc|fhk)|b(lew|xfa)|a(zwa|ghq)|j(hzj|vdh|zvx)|suub|cshh|z(nfy|cut)|ujgd|pvvh|lczv|ecqs|dyho)|r(d(nmn|qmq)|xeyw|lhct|v(idt|sjp)|n(obp|qvv)|z(zwh|pqg|lam)|t(dmr|upz)|s(jgf|pcs)|jwlt|f(fbk|yed)|gsfm|exik|u(cia|twq))|i(n(mkf|ena)|v(cxg|ltx)|o(fgk|hpu|yll)|evni|joiq|z(mri|zis)|x(xpe|zbo)|rzfh|qrao|t(pyg|dcp|awj|vyy|fuc)|czeb|scgk|mnry|ungu|aujz|wksl|h(srh|pvq))|u(mvyc|s(ghe|djf)|r(qkh|cwl)|qxst|y(vug|ndt)|o(gbe|ylv|qvv)|acei|d(xzs|zuo|mer)|k(acc|kjn|xzw)|jmjl|cgqy|t(vgq|bah)|fmrd)|o(kqbl|d(uoq|yny)|g(ldv|hnr|zmw)|uemm|f(liz|fek)|smfe|c(git|ben)|n(yjn|gzu)|b(vmj|xms)|mgrd|ygqj|jggo|hdca|vcud))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633196; rev:2;)
# sid 2633197 includes 871 (601 - 1200) 5 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.ws)"; content:"|05|";content:"|02|ws|00|";nocase;within: 8;pcre: "/(p(j(yde|pgt)|b(uyp|ovh)|t(eag|mmj|cpk)|zwzy|ubse|v(smv|tnr)|e(esf|tue|wwq)|w(s(ci|fg)|yym|vli)|hsur|aglo|x(kqg|dvh)|i(ncp|sfp)|o(vdk|klk|isf)|k(ahh|bco)|p(mjp|bbr|waw))|y(p(hvv|map|gpx)|w(mcb|gzr)|b(vxy|fmj)|dfjm|l(lqi|eil|vqn|orq)|j(jar|vhs)|hsrt|c(ygs|rto|fey|hwn|ogy)|o(nxc|miw)|uqju|r(zyf|kvf)|n(kmm|nxl)|kdry|itrg|g(kou|zpw|fpz)|fvcf|vwxz|qvin|aclq|efrt|zijd)|k(m(son|w(jd|na)|pla)|fhsv|ikjj|k(wht|lcn)|a(sst|gao|ngh)|e(tuu|jgj)|tiep|wlbm|h(wus|zke)|ynif|zscx|od(zb|tw)|cync|x(adu|nqs)|qfbd|bkio|dzbo|p(owp|ius)|vcwq)|u(o(ylv|qvv|tlh)|j(mjl|ewp)|r(cwl|uqz|pim)|c(gqy|yoc)|d(zuo|mer)|t(vgq|b(ah|pv)|kdy)|kxzw|f(mrd|syk)|l(zpr|gyl)|iipr|manl|sgkk|pyxd|v(irp|art)|wkmh|nzdr|hsyj|qwgy)|e(x(eea|jgr|sqm)|m(qak|obf)|o(iut|yzi|tgs|fpw|hjo)|v(ygw|cml|ktd)|qugz|e(cxb|ypz|nxp|zuj|wvw)|drwr|k(lan|csz)|s(eyh|rij)|t(imm|hcf|xmc)|rofu|h(oqf|nvv)|ahzc|n(sny|hrw)|w(wil|uwb)|brej|ppbm|y(uvs|yey|ggt)|uqge|cmme|gzyo)|r(gsfm|v(sjp|epl)|zlam|tupz|e(xik|pls)|dqmq|s(pcs|bor|tsd)|u(cia|twq|okx)|yqzq|o(uvw|xrf)|r(tbh|iqv|lhq)|q(ydf|xbr)|hzcb|x(rmn|jxb)|fxpf|b(tdx|xyw)|kzmh|j(ivp|dkb)|nzhg)|s(b(iae|wom|lss)|x(eci|tcn)|km(la|rs)|gyqv|q(nvy|kka|fge|lea)|t(kso|ttu)|nwcx|llxt|hrtc|varp|s(ujv|ixb|zoq)|r(yno|ajq)|i(ifd|dbf)|fofk|o(sis|ysp|lkb)|d(hdv|rar)|uhug|ylhd|morq|wcsk|agng)|d(g(cwr|wua|uli)|k(lvi|odq)|bv(sc|hn)|eyba|z(lyk|czb)|lwkk|p(mks|jdh)|mayq|ysyk|d(mkh|dgv)|a(twn|kae)|jzwz|w(qpd|ghz)|x(pde|foy|yie)|o(kga|jwc|nyo)|s(sjf|pvv|xkk)|vmdh|iuii|qlse|ujml|ngke|febc|hcym|rddm)|j(p(dcc|nqj|mpo)|v(dnn|pvu)|h(tpl|puq|s(dm|fv))|t(hht|jvl|inc)|bk(cl|jl)|s(kou|wze)|m(lbb|ddm|zkj)|o(gvw|cvj)|x(xji|yrp)|g(qpa|zjq|cez)|i(sei|gcq|fqp)|zfvl|dood|q(rpc|gzj)|rhiw|wljx|exqb|y(ogm|jrz)|j(yos|axg)|lyfv|kgnd|ujlz)|h(m(lks|ozp)|i(cgd|ilq)|a(zsd|mmj)|pvcc|zidx|f(ykm|jlf|ney)|t(cug|vxa)|u(a(ur|vx)|ptb)|x(woq|pri)|oehx|e(fin|jnp)|lmha|wagx|hbmj|bzls|dmyj|jwwd|vnly|rnot|sthz|nnml)|f(q(f(ra|lg)|add)|z(eqv|uim|amn)|p(lzp|udf)|v(jtj|noj)|t(y(bm|ou)|jlm)|j(uzn|jmh|zho|fmi|oql)|dfmv|g(awl|keo)|wdkj|c(uqb|g(ze|eo)|qyx)|s(alc|vep|cxi)|xupu|k(jfg|luc)|oisy|njop|yzdr|auyi|luel|mneo|holb)|w(ikay|wjnh|xfiq|vxvx|z(nxl|blf|lau)|g(gil|how)|d(dkf|boo)|n(owb|rar|gxj)|anqe|m(uhx|jil)|ewqr|ofya|k(yae|hhc)|chzv|rcak|lqxa|pcjo|joim|snlp|b(ndm|smg))|m(s(rit|vim)|ckrr|w(gt(s|d)|lzp)|h(caf|ebm|apk|jaw)|x(fyq|ifa)|f(aun|srm|zza)|vxow|d(glq|pnh)|o(dwg|nim)|rgfu|n(cah|vjr|qpa)|j(rkn|cgv)|k(jfc|sgr)|u(itq|jww)|i(mwi|bhk)|m(xht|iuk)|apwk|qmwg|gxfv|esrz)|o(c(git|ben|e(tp|wb))|n(yjn|gzu|cpb)|gzmw|b(vmj|xms|juc)|m(grd|oyt|jgt)|ygqj|j(ggo|lck|fey)|hdca|dyny|vcud|oqoz|k(juy|ujh)|eeff|r(bzc|cjv)|wybi|qsmh|iitv|swia|t(ico|vqc)|fnpw)|z(ywse|l(yjz|wph)|u(psh|tjo)|g(qrz|d(bp|jl)|thi)|pmob|sowq|n(nlc|dvf)|igdz|x(cbp|agf|xot|jrm)|m(vpi|qud|ruw|sfn)|a(vmb|dhu)|q(s(az|wc)|hzh|psy|zui)|theo|bjiz|c(bgk|uab)|j(jtf|eed)|fbjo)|g(t(jom|mkl)|l(x(px|fk)|cgt|ujx)|v(kcp|wot)|rnbs|s(leb|cwr)|uuhk|k(ulx|hpo|bxm)|d(mll|nsz|wqe|vyt)|peyl|i(qok|kem)|cstz|nrtz|mwgx|j(ceh|wyx)|opac|zxvl|ed(id|cv)|ffzo|xowu|yseu)|x(p(our|cwe)|fvcj|n(xsb|zzm)|edue|i(zeh|jee)|b(tym|rxo)|sbnx|t(ryp|qxk)|v(vrk|xum)|u(ffr|ndv)|rczk|wnwb|l(okv|hbq)|c(zur|noe)|zmuv|glws|hhie|dpkf|myae|kuyq)|n(b(rzh|zhm|oqh)|vhsi|z(jma|bsd)|n(zoq|vub|fvj)|t(pdd|qpc|j(sx|nu))|aurc|j(lmz|qae|pmv)|dzaa|kbgc|cjcj|xnoj|h(tib|jyl)|g(cov|nob|lkh)|o(mrh|ehv)|pxly|syhr|wacl|izvc|ynys)|q(z(cut|ysq|klw)|u(jgd|q(tc|iq))|aghq|p(vvh|ybn)|l(czv|azo)|ecqs|dyho|j(zvx|tzh|yzl)|bxfa|s(wex|ehd)|c(yee|awf|kch)|r(iyj|nrm)|vnaj|wbga|ibcn|tltr|ylnt|muxm)|b(j(vau|zol|tgo|pct|ivh)|n(ugm|hro)|bafu|vkev|p(rrl|sun)|a(kri|hka)|z(yvr|upo)|djgc|qgyz|umyh|x(gil|yaf)|c(qko|lvf)|hecc|y(gyi|krp)|sqqn|oqgk|gyem)|a(kd(rg|le)|t(rkc|qsd|jai)|f(ubp|gkc)|xffr|i(bpq|hmz)|g(ufx|qcb)|rqof|d(hmt|svh|rzp)|s(huq|puz)|egfb|j(sdg|zvm)|p(sks|qcn)|vtyr|hajy|ulcr|l(puv|hns)|ctbd|nucm|qpsy|olcm)|l(mucw|z(umk|atb|iep|kzx)|gc(qu|ef)|nkyh|wuol|ukge|ynkg|alpg|x(ydc|ilt)|etyf|iduo|t(dqw|j(xv|nq)|wmt)|d(h(eg|rh)|enh)|rdku|hzwq|k(xjj|bsx)|fcsq)|t(g(ree|jfv|dtz|ypd|kpl)|pszx|jvvr|rvxg|u(pog|vpn|jgk|ciu|ryc)|b(kcf|pys|hvt)|ykmu|h(afy|bgu|eat|pie)|l(rcx|aor)|fwhf|vdla|eqge|a(hhb|mjd))|i(t(awj|vyy|fuc|ckr)|vltx|u(ngu|ike|hrr)|z(zis|rwj)|a(ujz|nwg)|w(ksl|pgx|jbw)|o(yll|fkd)|h(srh|pvq|ncx)|xzbo|burc|m(ddk|nyv)|jrgx|k(acn|hhu|qzv)|l(ytv|add|bdd)|puwy|rdki|d(yzl|zxo|blo)|gbyf|icje|sjhh|eorc|fhgl)|v(i(rmb|nth|agb)|edxe|y(noz|cyb)|ppaq|c(uno|wwy)|tsjt|s(ydm|qso|ruf)|nqyh|wedg|dnej|hiov|z(kyh|tsn)|o(xnt|emg|mam)|u(wap|hol)|anum|mhcg|gbdx|qqhs|khzj|vxht|xxkb|buvj)|c(q(dpt|tcq)|u(sbs|p(hz|ri))|sfyj|c(xns|kiu)|x(stp|kbo|fps)|p(eue|opp)|jwyi|nbiz|k(igz|fas|xhj)|dqxn|f(cus|aoi)|gdfh|oysh|mfbp|tvyy))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633197; rev:2;)
# sid 2633198 includes 271 (1201 - 1472) 5 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 5 chars (.ws)"; content:"|05|";content:"|02|ws|00|";nocase;within: 8;pcre: "/(p(y(tye|pvg)|zrav|ilmd|ojtu|thfu|serr)|v(ngjn|h(sdh|dwo|qij)|dnuz|gbpx|tagj|ucqi|vnff)|c(nnjh|ydid|dpxe|mzvp|viqg|k(dpr|ndz)|xxzz|ejwu|pgsh)|b(ulhn|rpkh|niqb|tudp|pexi|lier|dnkh)|f(taal|quhl|nwqu|c(hdn|djs)|usps|xxif|evxa|occk)|t(nhxm|w(lyr|ahs|wdi|zpe)|yzdc|c(kyn|hxv|tqp)|kjpa|mafp|l(flr|hne)|ppee|hied|uaph|jpre)|y(turb|bfle|v(wag|dmc)|uwws|izbk|x(ahs|gju)|pn(wv|ls)|esyn|dune|rbjv|zjgu|cenc|ksbx)|l(p(euq|lpx)|e(auu|kfq|lld)|fhkc|tlqq|yjjt|swbk|i(rnc|wae)|abep|kggp|gqei|mngm)|k(gxfd|ugnh|jqmc|iism|d(njp|kdu)|t(lpb|gsq)|lboi|bzaa|zugz)|h(acag|tcbi|jyyq|egnu|s(hkn|gcu|fzb)|mfcn|b(mnu|lwr)|xsqx|ijza|kqsf|dhib|lhdo|ubnw)|o(meua|rmbn|wjkg|frwx|ewnb|vpfx|hdpi|bdsx)|x(dful|opvr|kttu|uolp|wvat|s(uwx|riv)|fqly)|e(asib|cgbj|onye|sqka|wvjr|p(kiu|ffu)|rmlf)|s(w(puw|otw)|p(fwf|hmm)|x(vhx|lqa)|hjsr|tsgs|zpgq|c(qjn|eta|uph)|ondl|gzrb)|a(lees|c(hsa|waw)|bsuz|glgu|yzae|ebpu|xhoc)|r(l(muw|rzq|hik)|qlzd|f(ymw|mfk)|o(ccg|fpx)|ntqe|r(uyw|iez)|ugqg|gfav)|m(jnyt|g(pjb|srh)|oitz|bnyh|dxzp|sbnl|meuz|zxwo|ylsr)|j(xinp|h(xjp|hhi)|qhrg|i(zru|wfs)|umtc|jlkz|avlm|oyvt)|z(dnzn|lxnf|fwrl|qhgb|cn(hq|fk)|yvmf|nxjn|uxnx|edtt|ttrm|iuny|mxme|ppfq|hkxs)|n(exwz|b(xqv|ckj)|issl|a(cnt|lvs)|uwlb|x(jrm|esn)|v(bdi|dji)|hrpi|mbdc)|g(mmqq|ekcg|fmgf|vwej|kqbs)|u(m(dxj|pjz)|gunl|pdje|uy(hs|qy)|amvk|ebbo|ycdr)|w(n(lqt|khf)|k(nwr|jbt)|egbf|lbiw|onsc|c(zgl|ypz)|utdx|spfw|hfji|fblz)|d(oztd|purc|ruwe|zgrs|juif|nhwi|gihd)|q(ihnr|t(ldh|dvx)|fvgl|vyur|qsle|uptj|lxcm)|i(eghi|jwhs|mapc|x(hen|esz)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633198; rev:2;)
# sid 2633199 includes 600 (0 - 600) 6 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/(u(i(xaky|jagt)|agyli|kxmvi|x(jaur|mptg)|mojvr|e(juoj|orco)|y(uojp|hgly)|n(fkdv|eoge)|dvgsl|v(spxo|vqqx)|t(uadl|alpx)|s(nnvs|xblv|eeuy)|jfbwh|wqxdg|q(nlhr|plze))|q(o(crpt|tucc)|a(ieqd|twbc)|qruyq|h(gmwc|nuxn)|sxlvv|d(vjcy|wzcq|xsjx)|c(qhen|njga|fgqq)|v(ivyd|nslk)|mlunf|j(eqan|myvm)|p(cpyq|pmqk)|rphpy|thpia|gihrw)|o(rxdze|e(mizd|knyt)|q(lfpn|fahw)|i(zkxg|aarw)|k(lyxj|focy)|utxmx|gsjxb|o(gtso|wesq)|aqnde|dnzoy|bjkig|fpawk|hcbse)|f(kxyuq|rcvsb|w(afdl|zcyv)|h(dxav|lvxn)|yoiqz|a(oaki|uvsf)|t(lvwj|psrv)|sidhu|m(klah|vqsi)|dftpu|znsqv|enipi|c(dmuj|cnmu)|vlrxf)|c(h(ksee|bigp)|jfvea|i(qudz|jink)|xxiso|gwfls|dwkuq|vckqb|rcgjv|z(sllg|oaxn)|ppskp|b(nqcp|zpxx))|r(zysrm|j(nwou|sffr|vall)|o(tssq|xvqz|vjrd)|ecrnw|k(qeiz|yhuc)|mjsoz|hajsi|ukehy|p(iezh|nhvj)|vwfjk|i(rlhb|vrwi|fmjf)|cgpko|bqnvr|frqxx|wfchb|xyugb|qkhfb)|h(g(uuwx|zokq)|tiqko|m(ndkl|pjgs)|rs(hno|skk)|psywd|ewafh|vwjnv|oemmu|d(envg|xxlx|yakp)|jhcac|ydzpe|k(dooi|ocsi|vnwf)|sezbs|wuzpt|nszdf)|j(tvczx|c(nljz|xzjh|iffs)|kbtgt|mapzm|stoyp|e(xioa|vosm)|x(hcrn|zjur)|z(xmym|krki)|f(odpj|rhxp)|v(joya|gwnr)|w(xarr|rzjw)|ytkzg|ixerp|okxwo|avnbh|uxmbw)|b(wmkrv|yyvat|f(llqo|piue)|jbuel|asaqv|d(dfgv|zuyn)|ebdll|xdzms|kpqhj|vkrvl|tkuzz|hslef|lezcc|bdgbt|z(q(tmo|zxl)|pykq)|qdfos|pgugq|nvfkd|gyjvr|meqcb)|v(q(czjx|zcbl)|meexj|kucyj|ckapb|gjmad|sgjoa|o(ophr|ejxm)|pazff|n(xkmb|lare)|w(xcpp|guec)|t(npys|ruon)|d(upkn|fuvw|bjgj)|y(mlzi|bwxf|sqsb)|iojld|zpjgx|awuvd|bbckm)|m(rvtte|z(egbd|jrld)|w(vvkn|ltjm|amnd)|l(nakm|cmds|ofiv)|eciok|skryy|cduar|gkfms|xklmt|avpaa)|k(u(wynx|cnab)|r(tgrc|ojek)|d(aurf|frcs|wnpo)|v(yads|eczm)|leomw|ihulk|cqixj|tskli|h(bnyi|daoq)|x(kjel|dkak)|k(xcoy|sxhj|rguv)|e(hxtm|opqe)|yxswm|b(umpx|niyu)|mqmxe|jnoih|pcogk|o(ystq|wjuy)|qblwi)|a(b(reqo|i(zud|lwo)|fiju)|t(bpfz|ohkf|tnyk)|qiwpc|gmtdq|o(xlzv|hhnh|oedy)|z(zqef|hqdh)|d(gjvc|uinw)|mqfsc|iukwl|uvvsa|khxah|cyrys|pflaf|e(lmtq|ewmw)|nchna|hkwnf|auyga)|w(ydktp|hilbj|vs(rnt|eki)|sozzb|ghtuo|xgfsu|o(koza|auil)|mbkdu|qxzcj|e(sdnb|azmg)|wqyyd|bgshl|ttqmz)|l(jdbur|c(qfea|jxlr|ceeb)|miftk|xrtmj|v(fqok|ifcn|wump|bjma)|exgln|wccir|nrjcc|ftpsu|gzexg|df(zdi|xva)|imtxh|zgpzz|tohzi)|g(c(jruq|vvxk|rzaf)|k(chfg|icyl)|njpjx|f(mdrm|qvbq)|mxdsk|oksiq|t(faqj|hdmb)|hozls|r(uudk|ccro)|d(gqga|ytcx)|e(adqs|lgwr)|wpujr|zntqd|vcrip|lhxoz|y(y(yzf|uwu)|rnit)|gtuoy)|p(znbax|i(umow|ovvc)|v(jnve|hihu)|nhbjx|csocn|o(daxg|pnjq|cpmp)|jylqv|g(dobl|lqbj)|f(sght|pkea)|saola|q(egsy|rdno)|dtkfk|uiorw|a(jbpp|zncw)|htjtk)|e(a(cvgh|zkcb|hvov)|v(ldgv|ospi)|pklhv|iqfpk|z(jeis|qwjw|stee)|fsvvi|s(ebdu|fgnd|skhb|qadf)|nxhlr|llvnv|gyeay|jvzmf|rokxx|unwkg|oulcw|kyfbm|cpfsm|xvgvv|mbwgw)|s(biuci|z(icju|gqoj)|y(pflf|kxtj)|f(ofex|m(pka|wrh))|cqhto|d(nkrx|kijr|ibet)|o(nsib|ukjz)|poues|ayorg|g(b(jbm|bvk)|lrnu)|nkbfl|xzlrx|kkxqs|tnkma|w(pezr|ufyz)|maitl|ucson)|z(cqdkc|a(cmgz|gtmm)|swduk|k(bojf|mmuv)|qcxej|opdwi|w(mckv|opdn|hllx)|juhmu|p(lqix|nhsw|kghr)|u(ntwu|baei)|mmzhl|dlatq|rmtnv|ibrbk)|y(jstxj|c(mbly|rwyi)|deyns|f(ppur|lnlr)|xksjp|yvibk|tdxnk|grsrw|bgpfr|mbqzg|vzecl|zsgpp|nryjw|l(uzbt|tokv)|w(owsp|q(lqx|njk))|iyqfm)|i(f(stds|qkgl)|vmuxs|h(wejg|hayw)|kvenp|lgacg|n(ieok|pbkn)|qwvko|y(gqdk|qqun)|p(olxy|pytz)|rhqut|tpqfi|xqaok|uhgjs|oantt|cgsqe|ssgst|msnsf|iwypk|aynjm)|d(y(wmwe|rwhp|fuzx)|jsdeu|xmcwo|h(mtyo|isxe)|t(fdwr|qzed)|b(stek|know)|g(kgxw|modf)|s(ygwl|rdfx|fpke)|cjnem|l(zggl|vckc|tqqe)|nswgf|mbqvx|omzrn|dvjtt|ziwho|kedmx)|n(yo(ojq|zyl)|ovhcw|d(oyfc|unxf|teut)|jbsoe|klwri|f(egkb|lsjz)|q(pgjq|uvxh)|anprq|prqui|v(lcot|sqsw)|xtvbq|nhbpo|mvrgt|uriqd|ehnmz|bldvi|gqvtq|hgpus|ryltq|iieyf)|t(h(b(keg|sip)|ytcd|mxcm)|yboow|p(zzxm|nayp|uuju)|jz(dpb|lwo)|b(oecp|uoif)|duyjb|t(zknd|ppyc)|njucf|v(bfgt|wjjz)|i(cjic|iltd)|z(ooed|dvsk)|mssbs|saurw)|x(z(fola|lqnf)|ojaho|n(tohf|eyqf|ohcn|d(xwa|wcw))|x(ovje|zkhj)|h(kadg|yhms|pkmj)|c(trqf|etea|krqm|vxpf)|euskc|w(gdqe|qoyc)|yolym|p(zkne|flei)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633199; rev:2;)
# sid 2633200 includes 810 (601 - 1200) 6 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/(t(i(cjic|iltd)|z(ooed|dvsk)|h(ytcd|mxcm)|p(nayp|uuju|yhdh|rvtx)|m(ssbs|njrm|lqav)|tppyc|saurw|jzlwo|qoxsf|a(bfps|cexy)|vrwoa|u(hysx|vkvi)|cjyft|krdbt|e(khzm|djpv)|nkxpc)|y(w(owsp|q(lqx|njk))|iyqfm|l(tokv|ghke)|efddv|v(ksak|vbus|ojza)|t(ksem|ssxd|zimr)|rdcwi|cxdjq|s(wbgj|boen)|m(ydzy|qjjp)|bqhhp|a(cxvb|poxd|ipmu)|p(bsno|ufpg)|njotk|fyesx|dqdkr|hqizz|yhmyk)|w(wqyyd|oauil|bgshl|e(azmg|lxmk)|ttqmz|u(lezk|ptuj)|a(bvqn|zrxr)|iafrn|qgjvv|d(jdmg|wnar)|kjttt|lzmgu|y(mspw|tjec)|nyols|mlxcs)|b(lezcc|b(dgbt|cdyf)|z(q(tmo|zxl)|pykq|apui|rodv|syvw)|qdfos|p(gugq|hcos|irwq)|nvfkd|g(yjvr|rrvp)|meqcb|iphvk|equxi|w(vcwg|czwc)|knhsf|a(secd|pzdo)|y(uzdn|k(shq|hzr))|umlke|oagvb|hahgx|jlkhd)|v(iojld|q(z(cbl|uws)|qnev|glsm|bavx)|y(bwxf|sqsb|idis)|d(fuvw|bjgj|rouv)|z(pjgx|rspx)|n(lare|wyjk)|a(wuvd|fgrz)|wguec|bbckm|o(ejxm|taex)|gotiw|x(amxl|fhzj)|f(focw|zczc)|p(oqhe|jpjz)|lsnnh|uwxhn)|i(yqqun|c(gsqe|dxpa)|ppytz|s(sgst|cmcz)|m(snsf|wwdh)|i(wypk|apqu)|aynjm|o(rntw|bmwd|nqtv)|gxpya|h(tzwa|vzsp)|bfzng|q(njgb|fjdt)|t(feia|pbpu)|r(fntt|hxpr|ienu)|dngmn|vydyd|jtovx|zeklr|xnafg|fiexo)|l(df(zdi|xva)|i(mtxh|wrqe)|zgpzz|tohzi|j(ykxh|hkiq|mgac|umoy)|o(nkii|fwot|mjzv|bbsr)|l(aiug|fcne|ilcc)|w(fifn|sbov|pkcm)|k(wlwk|iocn|tasv)|m(ryqf|cjel)|hwzke|y(gimp|bhur)|q(bwbv|tfrr)|pwqjf|ckgew|n(nhou|qhyd)|gtfra|vizng)|g(dytcx|e(lgwr|esqf)|zntqd|vcrip|f(qvbq|lmqu)|c(rzaf|ikeh)|lhxoz|y(y(yzf|uwu|bym)|rnit)|g(tuoy|glqp)|r(ccro|ehyp)|tuuag|m(hmcc|glsn)|xwkbs|p(zsea|iasp|otkk|fnoq)|utlln|hffdc|bqsmw|owmyn|iefhy)|h(sezbs|k(ocsi|vnwf)|wuzpt|rs(skk|nki)|g(zokq|plmu)|dyakp|n(szdf|duoz)|h(shdd|avsh)|lzfzn|bhepm|iomhb|ckdxl|qnhrh|x(yptq|elpe)|uxrda|fbpzb|ynnvs)|n(q(uvxh|pkds)|gqvtq|v(sqsw|wvqz|vzah|ukzg)|hgpus|ryltq|i(ieyf|aoag|mfzc)|f(lsjz|cicq)|t(sfib|lzhn|icxn)|u(lqyo|mjge)|acsrm|pvzys|n(rqun|p(yes|xss))|c(nvkl|tsqc)|epnir|mprpk|xpkgi|jawwq)|e(ahvov|sqadf|u(nwkg|qxrk)|oulcw|kyfbm|cpfsm|z(qwjw|stee)|xvgvv|m(bwgw|rztf)|t(oroj|buqj)|rycpe|pprgu|fevwf|hazbe|eonkq|wzhbc|b(yxxt|xvtz)|jsupp|grjal|ybjjp|desvp|vlxow|nvbwe|lcqoe)|d(hisxe|l(vckc|tqqe|mfob)|omzrn|t(qzed|c(zcv|mmc)|xong|yans)|dvjtt|gmodf|ziwho|k(edmx|fmgg|ohcj)|p(zazv|immn|gpud|miil)|scugf|xapwv|ejnac|u(hkbt|rilc)|f(zlrz|jlfu)|r(uxrk|dlbo)|mltsh|vrsry|creyl|jwvwr|bgoze|abyap)|p(q(rdno|zuoz)|dtkfk|u(iorw|ggue|ripe)|a(jbpp|zncw|cvqo)|h(tjtk|idya|kdsr)|glqbj|r(rlyf|fubt)|jdkfp|xwpfa|w(vamx|zqbz)|fwino|kemjy)|s(f(mwrh|etpw|ppwn)|w(pezr|ufyz)|zgqoj|d(ibet|jbcc|yyrg)|g(bbvk|lrnu)|maitl|ucson|o(ukjz|ybeq|esfl|blcs)|b(clsb|pynq)|a(rqrj|piqa)|e(efdr|b(fiz|wfj))|kffos|yijgk|cnlze|n(xfem|onko|svkc)|pnywu|xqchc|ttojg|smhnp|huoqb)|q(o(tucc|xqta|reqq)|p(cpyq|pmqk|aypb|hrqw)|cfgqq|r(phpy|emco|onev|jtzy|karh)|t(hpia|edmd)|d(wzcq|xsjx|cgjb)|j(myvm|fvui)|gihrw|ivtol|q(dggb|coif)|yclob|l(mvyk|e(fbl|ajd)|hvcw)|w(zqfm|haci)|u(nxrz|squa)|a(vgpn|ikxw)|v(fjsi|nmvo)|znefr)|z(ubaei|w(hllx|khvi)|m(mzhl|eowf)|dlatq|r(mtnv|zdag|vkvs)|ibrbk|a(gtmm|jwlz|zpfu|bnhw)|kmmuv|sfiph|zkqst|e(aodk|lgxo|pyiu)|t(nupa|lguc)|jgaqb|bwgnm|qvryi|hpxoq|f(zkou|amom)|c(qkca|zeco)|yxaam|oysqg)|r(p(n(hvj|trd)|ftqa)|bqnvr|f(rqxx|vvai)|w(fchb|wwba|tlnl)|xyugb|q(khfb|hjet)|d(xlki|wthm)|tfkqz|ggcsl|jwuzk|hhuwb|i(kzzn|iraz)|n(spgz|eplz)|smzxv|e(obsn|vfpq|beun)|u(tqwr|drxy)|cknpa|maoqd)|k(pcogk|k(sxhj|rguv|lsfk|gnhh)|o(ystq|wjuy)|bniyu|qblwi|d(wnpo|zzph)|anreu|l(crct|teha)|gdcsu|jamks|yflol|ztshc|h(mfdq|xwem)|fzhnw|r(odjk|bxhx)|u(ulgg|jcls|rgpr)|vahfu|mtrnv|cfmaw|tmnkp)|u(n(eoge|woob|zcjf)|s(nnvs|xblv|eeuy)|j(fbwh|ofrk)|w(qxdg|jldv)|i(jagt|lzic|wrla)|t(alpx|zerq)|q(nlhr|plze|ckya|srfz|hqcn)|y(hgly|zgog|vqgk|agmo)|v(vqqx|enam|ugln)|p(olgh|dlzv|wbuu|fudl)|x(cmzo|trsv|qnne|rjbt)|l(fnee|cgmf)|g(felf|cmau|xvcs)|bgujz|kyrtt|m(wdgg|nmrv)|aohpx|osiqu|d(zohs|cuhb))|a(o(hhnh|oedy|mjyn)|khxah|cyrys|p(flaf|lfkd|yimc)|e(lmtq|ewmw|ubvc)|b(fiju|vrwm)|n(chna|igmv|hoht)|duinw|h(kwnf|fksj|avzz)|auyga|zhqdh|wmygf|snxib|xqaip|uugiw|qhadl|g(roxo|pejq)|r(axou|brcv)|fxpek|y(eokj|wsbh|uqsa|quhr)|t(eodr|lnws|hodt)|vrcmb)|m(lofiv|x(klmt|pqia|hhgn)|avpaa|wamnd|ghjnz|e(jqyr|guse|cmuh)|t(qzbv|oaxs|lyns)|jp(tgf|yht)|smajz|d(fhcd|xoyy|vmws)|m(zgge|wylm)|zqzid|u(oxke|iqgf)|y(lray|atam)|hpaes|k(pqxp|sgju)|c(nlma|rade))|j(i(xerp|owjn|pojf|mrly)|evosm|z(krki|zxrk)|o(kxwo|jlmm)|a(vnbh|mbyy|wwvc|rygd)|xzjur|wrzjw|u(xmbw|mdcd)|t(qrdt|aytu)|c(oygc|tsvm)|q(zhgj|lxzx)|dtiah|l(ipvf|vezj)|j(uhak|kudo|cfyr)|f(ohnr|kztj)|sqlzm|h(fcad|kowv)|pbbbg|rqfku|nfggs)|x(h(pkmj|sfvc)|c(krqm|vxpf)|w(qoyc|fqxv|iumh)|p(zkne|flei|stks)|q(xnug|qxqn)|laarm|k(yxym|slwl)|r(trwt|paxv|oexi)|silad|z(cmwo|ogtx)|jaehd|fvfkd|ydjcq|xywhw)|f(h(lvxn|shaq)|d(f(tpu|hab)|njvc)|z(nsqv|hpkt)|enipi|c(dmuj|cnmu|jeei|fpal|niiy)|tpsrv|v(lrxf|tgcq|dwdy|hfsv)|auvsf|q(vgqo|mjbh|xpdw)|gkxiz|woivo|f(dmub|vyjk)|xamkm|uzgwv|mtlwg|sdrwt|ojghz|bmzln)|c(ppskp|i(jink|melw)|b(nqcp|zpxx|gmfw)|aorih|wp(hlm|xyz)|d(tyam|njnk)|u(djbf|pyyy)|fjdvk|vmamk|jzsgu|z(fkhc|gztv)|rlpmr|g(wuuf|tjvw)|njkxb|hcury|mclzc)|o(owesq|h(cbse|n(cwp|wjn)|onvv|eers)|k(focy|yshm|witr)|tqwhd|qcral|c(sngf|fbjc|koow)|m(wqhy|pgvp)|v(dvtv|bgjg)|d(ebcq|mhqp)|npfrv|e(kiyv|ogev)|b(ytnn|alod)|akfpx|fqveu|p(kjlr|ftlo)|w(eryt|urvm)|sqoyk|yihms))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633200; rev:2;)
# sid 2633201 includes 210 (1201 - 1411) 6 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 6 chars (.ws)"; content:"|06|";content:"|02|ws|00|";nocase;within: 9;pcre: "/(k(f(nssy|ylcp)|aydve|sfvqx|ddlco|mbrpm|qtcra|uptsv|ytgms|oqwiy)|i(jmyjw|ylazp|ezswo|vxtel|lxxxi)|j(g(qgbl|gsqq)|zwodc|mtuzg|sbhuu|wdndi|bpepp)|p(immke|zylfq|dlvlx|akymw|f(gabq|zvle)|qxmtb|begrg|chsqr|vvwhn|oygze)|e(vrovq|oybgh|iojsc|rcveb|bsawx|mrfpa|xzaja|hcxby|fvkeq|npowi)|m(glxjh|k(fluo|gjjt)|bpook|mgygb|jlbfz|fsmao|nfrcb|lawpf|cnqcg|hyugc)|z(lkqpt|fkneb|x(svmo|xzmh|hywr)|mvjpg|hlfrt|bjheq|oogxg)|n(owxdv|fwbsg|q(gpmj|ywma)|jmcns|bhsft|ehmsc)|u(ajzgl|ejfzr|oqxmt|s(xkmm|eyap))|d(abycw|cklyn|swnui|zzvvp|wlekv|dxuhp)|h(quxhi|tswia|gnshw|mrxec|odnoj|udumd)|l(ybyuz|ipsdz|rvctm|trfbd|dxccz|womqg|qsgaa)|t(hunic|ncvsj|zfmrh|ymijh|ebons)|q(qijdo|j(wkry|yxof)|bchdl|i(ddad|vfpn)|easin|yydii|ciwbn|spted|dgynb)|w(jprak|n(spnj|qpjd)|mlzmo|rbvtc|qkedw|ftckg|usndq|annwx|tdhza|lywyq|xjetw|ctaff)|x(lwcfq|fvnnk|iptnn|kqrmv)|r(s(nazj|otwu)|xvmna|yjkte|tpnnm|pminx|f(alqj|rrkw)|odhtg|nyhve)|b(yorvx|gkvkn|wzfzl|uwful|n(wsft|upju))|y(i(x(bis|kid)|toow)|w(qvac|paeb|unyv)|pwjta|njuep|ohzyq|h(vpbr|etyi)|xorgj)|c(mtumn|yfcbl|hffpn|wasvm|ownhk|digrr)|s(ulcsq|b(xhyi|axys|iusz)|ohqme|kynml|aeesw|elugs|duwaq|j(oqwm|zlka)|iyzyf|xuuxq|rzwwm)|g(x(atvk|noju)|eraju|jshea|ajvko|o(oijc|lnmd)|ljsws|ghhec)|f(mrywg|thvbn|hdvcs|kdble|fibpy|xqxrc|apkuk)|a(qrvol|h(mmyx|uyxd)|roois|fzima|zrigq|ycduq)|o(ykwgq|etkan|khvqw|whxfk|vlcsv|oscoh)|v(oalon|g(byln|tjmo)|cgufx|m(lyzq|zpfe)))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633201; rev:2;)
# sid 2633202 includes 600 (0 - 600) 7 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: "/(q(e(giche|kyiaj)|i(xzpja|z(omrz|aivi))|j(bhksb|uhuzt)|t(g(wrex|unnw)|yuvfs)|rplvbq|vnjbpf|p(mmukm|cydsx)|gqlegd|bnfkta|qimfkn|hvbitt|k(gltcd|sqgel)|cfibzq|n(hkgzv|mjitm)|mmqyxo|o(nsmby|fbsuq)|uqdlmu|xvzpky|s(badjy|gipxe))|y(fhnwct|j(n(rehc|tvzs)|prxmk)|txsidl|b(cqhct|swvzv)|ppdlkq|iisehx|s(nvyuc|wrcee)|wovudn|o(jacjp|pvqoj)|gcwqhx|a(iugrx|y(swhm|lamh))|e(swjiu|iyazp)|rggmrt|y(tojeg|xqxbl)|n(amezh|ijsvu)|uhlmkv|hkxqwy)|e(x(zxtem|uafox)|lzrmku|djxixg|g(sjzzt|wkgjw|pfkqq)|yoecqy|betaeo|tspbtb|z(wsonh|fysxp)|q(blsht|pooor)|foqvns|wfyizv|csrlbi|ehpoym)|x(y(jjopp|hcfvo)|ksksni|g(aukgd|kzydo|cnkti|vtzwl)|m(buqay|qgjnc)|q(dknea|wphrq|mnndy)|iolrjr|v(ptrjk|hpxjh)|a(uarzq|cazmx|dxgqs)|d(qhazd|fxidv|liuri)|n(ulzkd|fvmtl|dwvlx)|jwvins|h(afqrf|qoypx)|c(jikzf|hcmvk)|zqhtod|uttiet|lhtaly|ezevhf|b(dlqef|iulzo))|v(kvhuwf|edjrxs|sjkxok|yaommh|a(efxnh|mumvc)|l(rhdyo|pwurl|gmlag|ahutr)|xgdfdh|bdmpdt|qimard|dnxwpa|pdejfh|hzdmgn)|d(y(heelg|dmrmi)|g(iynjg|qdszh|fezta)|v(gvffe|mpzwp)|c(vqntv|udkvf|wearl)|qjgfxq|d(fnktc|sonyh)|hpqzqk|l(mukmj|rrrms)|z(fxrsc|rvxuq)|r(ezlnz|fzvyp)|k(nzkvj|pexul)|aptmfu|upcazi|mxpjvf|pvxdua|t(fagxf|roqlw))|i(fvyujy|w(htagf|vnrsj|mdykd)|n(opsuf|fyybf|johvp)|q(bffpx|dtvmu)|k(snpls|xhwcr|dcsup)|e(sqdiv|trsxj)|j(wpdvr|ndbyf)|a(pagfv|aytoh)|g(ekmgu|fgcaw)|hvjjxy|iwxtce|svrjuv|btriqi|xdkica|pvawvj|tqfiha)|k(q(nwlqc|gmdei|uakjc)|e(bkrhr|msdih)|z(zlset|qrjqj)|aodhbm|vrazqg|sxjfop|bdgvax|pskabi|ifphma|uzqawi|j(ucfni|durvo)|ypqulg)|m(g(hzbrm|rvunm|wgwrp|ehlyv)|xz(rxjw|psng)|ontjzg|h(hzfoy|jrfxw|aepxl)|qboqoa|m(piije|iaufl)|t(gcxwg|yupsu)|s(gvkmt|wvsps)|n(xazne|zebzg)|kqkvsb|dlbzsw|zwqwtt|uqmmqc|bkibov|cbiobq)|f(q(xwsmw|eobuj|zsloc)|o(glvrw|xtjtd)|gastpv|w(reacu|eripx)|th(flgx|oqzf)|ijwtci|n(nlbvh|msypb|chrzp)|c(gfhrd|bueah)|r(xdrap|qrfeu)|x(ulfat|ycqzp|lcmqx)|a(zlulb|ocbdq)|e(rgyrh|qkwnm)|jaawiz|dchmgz|lmlolm|uregqp|mbfotn)|j(c(golzd|tlzzc)|q(yrmla|aewxd)|b(ketee|xhgqm)|owjbed|ecjklx|gdsjtk|n(rqmrd|kyzyx)|rfnqmr|z(ocvik|vsgzz)|fftzcc|anbuhp|xdmxju|pvvcmr|tn(mfyp|cyxr)|knrpkc|ug(pimf|asdg))|h(u(onyxi|fzkgg|kdbzd|uugln)|cmuhoi|p(gfkjk|ebchb)|o(xvdoj|ynwfh|nybca)|wptxtl|k(ekohs|ydqdl)|agropy|looklo|xlomch|ianhrp|y(empnx|sywwg)|mmyktk|tolari|n(wxnwm|tgkbd))|a(p(talhn|ennpy|ngqdw)|g(owquk|dowut)|vhjoui|bsizef|o(ierre|jzyfn)|zcmlhm|f(rrbnz|fzwso)|jmwomh|ktjdil|qgflxn|xakbnd|lgbbgp|ckmlhq|ntqipv)|s(cxbckb|z(vdced|qfhns)|nfrlfe|p(ucdvy|sylew|ynorb)|rfgnrp|lwoecx|aimilz|hppkis)|t(ndzokb|o(yfwhb|jadjg)|eierkp|bevfke|fkosrk|rcubzv|mskzgv|h(gyckn|zvhgt|vdqft|ihdlf|rvjge|jgjjv)|t(npowa|qbalk)|v(vesgk|xfntn|lfjyq)|jghacw|qanfiw|ksfyfo|y(zafup|xweax|yesgw))|o(o(hjffp|mfonr)|r(axecd|iwxvb)|i(izhvb|qnrne)|g(qrlou|lscge)|v(omhyx|s(frww|dyic))|d(jsfnv|ydqmw|cwsqr)|z(hvtlk|wrktu)|sxuinj|b(cnezt|kydjk)|luhiwp|x(nedao|evnpk|hachl)|tqqioe|kgglqo|f(kppxi|yiqov)|hikuqa|qlbfsg|u(nwskf|kmeds)|aoygqf|cjaccv|jtnarx|motuth)|r(qssznx|l(omcdz|yddoe|lbhcz)|b(ijzkp|fstdc|hundk|nwhqa)|c(hqqod|jmdjm)|x(oykzx|dxfei)|hqgpcv|n(llsya|jeqxq)|igmcwm|rqhevz|k(slqrz|hhurv)|aujmxc|d(rfrie|jiagc)|wgkdei|eibnlu|siqcss|ulgasm|ykdfnk)|l(udbnhd|d(brpoa|kfbym)|k(lwgao|fjgma|suvvj)|x(luptp|ihsjy|ghuhb|momfd)|vhmsgf|aavtvp|y(gamij|buphv)|l(mfwmz|vbscv)|gjjxvk|ryqydo|jsuigu|tzigsq|iwbvel|wwhjsl)|c(wfkwsu|gfbblh|swtgnk|ontglz|a(sbjgv|nevka)|c(dmgzf|zntux|wfbse)|tnlmws|n(eadps|yhdln)|dhuvln|pnlacy|b(xlejd|rwuoz))|p(zmycgu|odglgk|hjnaxu|d(tkzbw|pukoe)|w(vdfjw|uqcye|brvsl)|bvgdwl|quxbej|ffvrhs|k(ftnye|cpvgm)|caifeb|nxlefy|l(wuolm|ytqiu)|p(vedbv|bovpx)|apionq|ukkbgl|tnrqja|xbdbdp)|z(c(xzcqy|voycn|ixznd)|itvjeg|ttxtuq|daetnz|nmyzcl|j(kbapk|asxuw)|vzbrak|lg(awvn|tdkb)|zeunej|bciucu|kgqzaj|fhvmnb|siptht|ejgati|avclje)|g(j(qjgjq|ohxln|zsiio)|n(ddenq|yswfc|foqhn)|q(lbydk|uyspb)|r(dgedz|iwkkq)|l(goboe|crumn)|pakbah|swkhnk|ihoxhr|amlamc|tohepa|v(nzlma|bzhfw)|epggft|kfjdzd|dhufkc)|b(p(iblsj|cnwxa)|f(ufotl|mtdyn)|b(qljsr|mgzun)|d(hrzlt|cuawb)|u(ehekp|ybsqx)|y(ablzs|fudep)|o(tqaed|uankv)|eaybhf|cgcxwh|mwewsi|rgeipw|alkvut|xfpbqw)|u(cxeesb|akcfhc|q(xbdcz|ihcac)|waykmd|s(lxhuq|xxedd)|vyixmy|e(ltnbl|kzbbh|jwlug)|rbvdin|u(tmnzk|uysls|wcpwu)|inemkb|dfkgut)|w(uuvmyl|w(rwaby|ztwbb)|l(rspsr|jtavu)|qmpydk|nkeqzh|rrtxyx|s(spuno|brkim)|ta(ouae|gebw)|vothiy|kaqqjc|m(vgkue|foqqc)|g(rrqcm|pqbpy)|dbdysh|b(rrjzq|tomhn)|h(kyzjj|xbkbd)|alsmfh)|n(n(vmxqw|rklea)|o(zdyzd|pugga)|iulrsn|jwnzml|p(fatzs|zoouz)|zhfsld|w(lbotk|wlszv)|m(iazwh|btsmx)|r(wsufd|kdeur)|qiljju|y(ueewe|cewjf)|cgvspu|fhxsia|axcjpg))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633202; rev:2;)
# sid 2633203 includes 819 (601 - 1200) 7 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: "/(x(v(hpxjh|ssksp|dkntc)|g(vtzwl|uwxay|ojvoa|acizu)|uttiet|l(htaly|jbazu|keujc|vlehv)|dliuri|c(hc(mvk|dos)|kijqf)|a(dxgqs|iznll)|ezevhf|h(qoypx|eaugh|dnjxm)|ndwvlx|b(dlqef|iulzo)|k(yzlgx|ouivs)|jfzxdi|p(facdi|ivxeb)|zjlzqm|rczhfv|i(rboqv|cdjgn)|yenxle|mkjifj)|a(l(gbbgp|jrthq|bxqdy|fecut)|ckmlhq|p(ngqdw|c(teda|kyql)|fdwes)|n(tqipv|geurr)|f(stpia|nujwx)|evhdtb|m(xfzor|dbuwl)|u(beqvb|zahmr)|y(mnuuz|wfgwc|vshhp)|g(nvmch|tfmmy|fvobo)|x(lqkya|xfqno)|b(ehvei|qrshq)|k(eatot|viajs)|tqpria|d(xiptu|ldrra)|jzgwne|vpctbt)|q(n(mjitm|benin)|i(z(omrz|aivi)|bncyi)|mmqyxo|o(nsmby|fbsuq)|ksqgel|pcydsx|juhuzt|tyuvfs|u(qdlmu|woebu)|xvzpky|s(badjy|gipxe|kpkic)|z(yckqi|hxppx|chygz)|ybnjwf|aulvko|ezhpux|lebwkn|dhtyfp|g(wgyhb|kmcny)|c(megyi|lnabe)|f(jwaxp|wzesq))|e(csrlbi|ehpoym|g(pfkqq|hgoph)|fdolbo|dmionh|y(cbqqp|diton)|iehpwi|w(dasam|bsgtl|iuqdg)|lhvkxm|n(pxeho|qyzmg)|r(teweg|hwpll)|o(womru|hhzgc)|t(nwxmc|gmzer)|u(mrpwi|eidli)|pidjdt|xbzwge|ajfhye|bgyzks|qjksvl|sxayho|vglexd)|n(m(btsmx|clwou)|r(kdeur|njlcu|qeabr)|p(zoouz|pvhqw)|c(gvspu|ejsgq)|o(pugga|fxkfn)|f(hxsia|fbtha|noxwl)|a(xcjpg|acwrb)|y(cewjf|eqcbm)|lpizoq|q(jlvvc|alddx)|b(nbhgj|ojena)|xhsbnt|zhcpsv|w(zjeuz|jlwdf)|dzxxrs|h(ijvun|umyzv)|e(nrfjg|tfgkm)|jlpdiw)|y(s(wrcee|ebebh|tilno)|rggmrt|y(tojeg|xqxbl|cjmgm|otbbb)|j(prxmk|ntvzs|rvglh|vnxwo|htxqs)|a(ylamh|jbzyh)|n(amezh|ijsvu)|e(iyazp|ftond)|u(hlmkv|pashh)|hkxqwy|fdhlsg|dxqowb|bhpoca|lgaxwy|ptvouu|omukhd|inhvme|wbyrnn)|r(d(rfrie|jiagc)|w(gkdei|zolid)|eibnlu|k(hhurv|lsoav)|b(hundk|nwhqa)|s(iqcss|uwete|cgdgt|oitgo|gnzph)|ulgasm|n(jeqxq|qyaja)|y(kdfnk|ekcmp)|qldxpu|a(fogip|ddirf|qszss)|j(rbrik|bdvfh)|t(tropm|mtown)|ll(jbiq|ityv)|cnqweq|gaoctr|zwzjkt|v(zidbw|nvann))|c(d(huvln|wjloo|xzyhm)|c(zntux|wfbse|ckmfu|vcezd)|nyhdln|pnlacy|b(xlejd|rwuoz)|i(rrzmb|ykxle)|h(yjyhf|viczy)|r(acnif|nyrno|xvtsl)|swwqiy|orfpgu|agheuh|g(sexjt|bbncz)|edeksg|qnxnfv|k(vpeoo|hivux)|lpekku|y(orfpw|azjzx)|foervh)|u(u(tmnzk|uysls|wcpwu)|i(nemkb|bdqsw)|e(kzbbh|jwlug|dnhug|zzscv)|q(ihcac|xvxaj|odmev)|dfkgut|s(xxedd|apgbd)|f(iuias|gyawo)|z(zgvgw|dzjxf)|kfuduz|w(ilgqf|mkzpt)|gqlicm|chhjyh|orujqm|a(yptez|xblgr)|m(trihr|jeuov)|l(yxbyx|hdscz)|b(dzxnh|sreky)|pqeljp|yorhor|vbtwaa)|i(b(triqi|butrr|hmqke)|e(trsxj|zigwi)|x(dkica|zyrko)|n(johvp|dpmmi)|aaytoh|pvawvj|w(vnrsj|mdykd)|k(dcsup|jbybd)|t(qfiha|cvlor)|g(lyaff|hzikv|fkjyv)|zxrbiz|qpjrxr|hwglpf|dbklow|u(aeuhg|gphda)|vczuzy|ybcivs|lodkgu|rfswdd)|g(r(iwkkq|wuqvr|mkfom)|s(wkhnk|xxaqs|lyjxf)|i(hoxhr|mmbsf|teqdu|vahva)|a(mlamc|kbota)|quyspb|t(ohepa|gtfmy)|v(nzlma|bzhfw|qzrwp)|e(pggft|qwqnh|wassn)|n(foqhn|z(emoa|bowa))|kfjdzd|d(hufkc|eulxw)|zivsyp|h(mdlwk|cylxq)|y(vskjw|uiiow|i(yrrf|xwrl))|o(yhnqs|xnmxw)|fwyyca|uohrzv|mtrfnm|wqycjd|jbdfqb|b(emund|fnogz)|lhfwkv|gxvzwp)|z(kgqzaj|fhvmnb|siptht|e(jgati|hxdzf)|avclje|q(qayjm|nucnk|jfmdf)|zusjgi|l(rkhkw|mcjiq)|c(lptxo|olerd|hbzqv|itvip)|redhbn|mlsauc|tdxuyh|xrjkxy|wyd(ved|uga)|yimyim|peoobw)|l(l(vbscv|xwuyr|eddck)|ryqydo|ybuphv|j(suigu|ypsnr)|t(zigsq|whghb)|d(kfbym|sqedf)|xmomfd|k(suvvj|gekgn|rqahl)|iwbvel|w(whjsl|gztdi|jmnpt|zsfhd)|e(tijbj|okkxe|ukhhw|pzeak)|afbzbs|oqanlp|bnipkc|u(wgrya|przhe)|coaxfr|piblgv|mmdotj|vfmopm|fdsvxv)|f(d(chmgz|otowj|drxux|fwtwq)|t(hoqzf|djufw)|lmlolm|uregqp|c(bueah|rnusl)|xlcmqx|e(qkwnm|ocumg)|w(eripx|ptnhc)|nc(hrzp|uqwl)|m(bfotn|imhcx|rivyo)|fyvoxd|zlsetm|r(xwgpm|litkv|dyabh)|jnehae|s(tfvdv|kxqcj|qeqzb)|k(pwzzh|onxug|gsqfx)|qcmdgz|b(zcgjt|fgcjn|bsnvp|syanf)|yhxwwo|pdujeh|amxvrn)|h(t(olari|yewwa|valht)|n(wxnwm|tgkbd|qqwrp)|u(uugln|cyuub)|k(ydqdl|wntxl)|h(nmoxj|amhei|xdelq)|r(hafaq|fdetk|ubaxe)|ozzfuj|muflov|fufmin|esenvn|quhguv|b(zbvwv|wshgi)|csiyww|iv(ktyd|ueyx)|jebnrj|ghsmch)|t(q(anfiw|burdw)|ksfyfo|y(zafup|xweax|yesgw)|h(ihdlf|rvjge|jgjjv)|v(lfjyq|iujbn)|grwsfl|zqomuq|egndzr|p(byixi|cjdgi)|sgtbvs|wvuzes|ogwmfg|ckcvdi|rdnlep|aktahn|inmmkp|tijahn|nwmsgq)|k(z(qrjqj|dtits)|q(gmdei|uakjc)|p(skabi|jxzqr)|i(fphma|osswc)|emsdih|u(zqawi|rygph|kijpd|qeshu)|j(ucfni|durvo)|y(pqulg|krdpc)|ovbbgo|mwfxdm|s(bnpgv|rgawt|azotk|mdiqw)|g(xkyks|jfoky)|k(nsxcf|rzebm)|nctavs|wllaci|vwlnur|xfeqpd)|j(t(n(mfyp|cyxr)|stpic)|q(aewxd|twgha)|knrpkc|b(xhgqm|upewp)|ug(pimf|asdg)|i(yxyhy|anlwo)|a(lylxi|rmdeg|enouz)|g(analy|fpwrk|knidn)|z(tdvyt|hfbtx|lvxce|yeqxe)|rfetjm|yqupsl|xldqmi|pxnffr|s(zywzu|sbxrj))|w(mfoqqc|w(ztwbb|rvguf|vtcwp)|h(kyzjj|xbkbd)|alsmfh|gpqbpy|b(tomhn|ceimw)|jjcdrq|d(fjfzo|clkbh)|qpcgig|v(nohnu|izfrx)|icppmr|stwawu|oabskh|nxmtnn|rmaeil)|p(wbrvsl|u(kkbgl|cuxbq|ofnaw)|tnrqja|pbovpx|x(bdbdp|ijksp|ouvdt)|goihpo|lycxep|e(ofmww|yshby|advsd)|hdtnot|a(mxpag|bznfl)|chbegd|knzkby|v(pczrq|jvqmw)|ixenic|fbnewy|bzupcb|s(snvji|naxiu|awsfu)|nwxyhc|yytwbc|dzdete)|s(p(sylew|ynorb|hjidv)|aimilz|h(ppkis|leorw|gcnqu)|xrmbat|bfhflk|l(ebpoy|nivfs)|q(qahaq|soiri)|d(yijjm|kagdc)|kjlzdi|jvxeix|yylmlu|wnaoxq|rimfjf|spfwzg|gwgxbr|ixetjt)|v(l(ahutr|ioexg)|d(nxwpa|crrha|befpd)|pdejfh|amumvc|hzdmgn|ifxrpc|g(r(cycb|yosc)|qxwtt|zqgab|jauiw)|z(yvbpp|uefsg)|o(qizwn|znmoh)|s(g(txoi|crvp)|wyaky)|k(ngpfe|whqtj)|x(zubwy|ajqep|uqzkf)|n(puchc|gpufi)|eqknif|qmtvie|rshzcn|m(pbxzi|bdpnf)|uliero|ypgsry)|d(aptmfu|vmpzwp|u(pcazi|qehof|swihe|nnfza)|m(xpjvf|oywgu|vftgl)|zrvxuq|g(fezta|rcfoc)|p(vxdua|cwvak)|t(fagxf|roqlw)|rfzvyp|c(wearl|azxae|gahct)|kpexul|ydmrmi|wpwxaq|eebwes|o(fayzi|mxrau)|i(rcchi|gmncr)|n(c(kseg|xjhh)|lzlow)|xgezxe|slelmc)|o(aoygqf|riwxvb|u(kmeds|dtpfo|zpfcr)|vsdyic|g(lscge|alwmb|mdyxx)|c(jaccv|rbnns|fzpyf)|x(hachl|syugm)|j(tnarx|avhnj)|fyiqov|dc(wsqr|iyhk)|b(kydjk|ilxss|syrtt)|m(otuth|yeetb)|obllhc|hzrpuu|l(lsluq|ibxau)|txlbtd|prqszt|ezqfdv|ktffyc|w(furln|qiloh)|zhaicv|nfcfqb)|m(z(wqwtt|qmhqf)|u(qmmqc|fbimx|svjgl)|miaufl|g(ehlyv|lfibe)|x(zpsng|qmrqj)|b(kibov|laqel)|c(biobq|qwrhh|geuwl)|e(kxqaw|twejc|cbyya)|ynshqv|whcnzr|virshx|aabsca|suzctc|t(ltidj|thqxl))|b(o(u(ankv|tegx)|atram)|b(mgzun|iwcws|vvspg)|cgcxwh|m(w(ewsi|lysa)|kdcon)|fmtdyn|r(geipw|tvbxd|kloiq)|alkvut|xfpbqw|sqhbka|yhzddp|zayvid|e(xzjsi|monch)|ntwcrm|d(zvjhg|hamwq)|tjzrog|gjiedk|k(rmxni|otern)|w(oeklo|pqsui)|itzpfa|pqowdy|uckdnu|veziak))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633203; rev:2;)
# sid 2633204 includes 219 (1201 - 1420) 7 character domains in the ".ws" top level domain
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"CONFICKER-DNS  DNS lookup 7 chars (.ws)"; content:"|07|";content:"|02|ws|00|";nocase;within: 10;pcre: "/(c(qojpcj|z(ptwtn|xcnlk)|l(aenvo|zeymg)|p(gmpra|cuwdn)|crzaht|wwkifa|azrgpq|o(awaes|klcvk))|e(otxehh|exnrup|xepvtc)|r(ptmztn|xbxowg|ubgzgf|qyhelc|ahomgs|cmhxwz|oitlmg)|t(oefxtv|wupyml|bugkij|pqlnhu|fuviur|dhmlme)|o(wdjjpp|c(hrrkp|egurz)|joaqno|kypbpq|d(rlmje|qxvvy|hfdsf)|rqnbsq|xyypdi)|b(atpzyu|j(dvnsu|shvon)|rsursd|owyhfm|sgmdly|ewxhlw|l(ydlrk|wfkni)|tahpym|qaofhp)|y(u(cajok|rauoo)|vrmznz|kqferx|eudgug|x(pigow|eqhpz)|qttwkk|ikfbel|d(cigpe|qkmzo)|anjqwt|okyfup)|u(dnxrux|zrimay|thwalg|ppqfia|ayvzjv|jcnxfn)|v(iqqtkp|v(tqkcx|evbel)|lnozhk|hnyyca|ognyna|x(tybkk|lunwr)|txzqwu|emjujk)|m(ssxfjx|ixliwh|chclim|v(asqer|ephsh)|nhmtcx|pkjnui|ehxguv|mljztg|k(lbook|kccwg)|uyuagu|obgwgx|r(emgci|nqdgr)|tfxpiw)|f(irhkol|vairpa|hxsvyz|rocber|dibabg|bdvtwo|fnibgt|llqdzv|qolkkn|xzaknf|tnkrfa)|q(pfossf|cquvln|t(qymhw|emkch)|eejxxk|oqggxq|w(ailla|vepct)|agwszm|yacuum)|n(nkwuhy|q(kgzjs|igsvi)|itjjih|epymoj|mvosmy|kpfphy|uikfyk)|d(ypbhpx|r(rukwx|spnow)|t(sdsky|znbxx)|digoqk|grqzsx)|w(raqfvy|hbdskp|l(wztzn|oijcy)|cqfrct|sstdip)|x(xsaoch|p(cwkct|yrugy)|e(xeeob|eoueb)|iebajd|mtwzhl|jdeuuh|oqaqpt|ljuufi|fakojz|zgtaei)|k(h(bunxn|uzaig)|xvaykx|yqmenr|thnnhc|n(goyei|wmvhn)|uxklfp|lpoyvy)|a(puprow|zphxwt|w(clsum|pxoft)|mxvdbx|opyold|huanja|unpjkw)|s(kdjlkj|jnbmft|mahpyy|agdjse|etqosj|inbyjh|cztlho|dwseyo)|h(ieiknf|kvdsdb|rdaciz)|j(u(ydzoq|zhwyc)|bwquup|gkcojf|fweubt|s(wtiay|yszvh)|kthbqn|itrfmg|degikb|arqvcg|qmvgby|wvfnoe)|i(wqlrxk|lszqcb|pjbnqu|kgcgki)|p(ecqlpx|vfvpwe)|z(edhfbv|gkrsrh|wuubqo|vvntfg|xslmzu|tnbmgc|rmhcjx)|g(lnbyvz|b(bxujt|fexhd)|s(pzjzx|hjvkh)|h(ukogg|wtzjp)|i(grejz|cibja))|l(fmmdlk|stqdxg|vebpnh|a(azgau|tebyb)|lxswbw|mwakdw|wnjpcd))/i"; classtype:trojan-activity; reference:url,www.cert.at/static/conficker/all_domains.txt; sid:2633204; rev:2;)
# sid 2633205