EH-Net

Resources => News from the Outside World => Topic started by: BillV on March 27, 2009, 08:39:06 PM



Title: Conficker
Post by: BillV on March 27, 2009, 08:39:06 PM
I'm surprised there isn't a discussion on this yet (aside from the one there was a while ago) in light of the stuff about April 1.

Here are a few good links I saw come across the GIAC list that had some pretty good information:

Q&A: http://www.f-secure.com/weblog/archives/00001636.html

Detailed Analysis: http://mtc.sri.com/Conficker/addendumC/

Detection: http://blog.commandlinekungfu.com/2009/03/episode-16-got-that-patch.html

Everyone all patched up? Taking any other precautions? I might just unplug my network at home for the day just to stay on the safe side in case something crazy ends up happening, lol. Fortunately (or boringly? Is that a word?) in my current/new role for work, I don't really have much to do on this :-\

BillV


Title: Re: Conficker
Post by: dalepearson on March 30, 2009, 07:04:37 AM
Bill,

Good post, I had seen the others, but had not looked at Paul's Command Line Fu page.
That's probably a useful little command for the home user, who doesn't have enterprise management tooling.

I personally don't think much is going to happen. Obviously if you're infected and not patched already you're at the same risk level; if not, I can't see a mass infection spread happening.

Time will tell I guess, I am sure the media will provide some entertainment.


Title: Re: Conficker
Post by: hayabusa on March 30, 2009, 07:09:30 AM
Speaking of the media...  from last night's 60 minutes:

http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml


Title: Re: Conficker
Post by: dalepearson on March 30, 2009, 07:34:35 AM
I just found out Nessus and NMAP should have updated definitions to identify the Conficker signature to identify infected machines.

So I am going to set up a machine to do some scanning.

I have not had a proper look, but I assume it's going to be something like:



Title: Re: Conficker
Post by: crk on March 30, 2009, 10:51:02 AM
I really don't think it'll be a big deal at all. I think that at this point so many people have gone to such lengths to secure their networks that whatever's gonna happen won't even be worth mentioning.

However, just to be sure, my systems are fully patched ;D


Title: Re: Conficker
Post by: BillV on March 30, 2009, 12:17:50 PM
dale, I saw that too about nmap/nessus/et al.

Here's the link to some useful tools (http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/).

Hats off to the guys at The Honeynet Project! :)

BillV


Title: Re: Conficker
Post by: dalepearson on March 30, 2009, 01:59:28 PM
For those of you interested, Fyodor should be posting an NMAP update in the next few hours, so keep a look out: http://seclists.org/nmap-dev/2009/q1/index.html

If you want to do some manual tweaking, there is some availability here: http://www.skullsecurity.org/blog/?p=209


Title: Re: Conficker
Post by: dalepearson on March 31, 2009, 03:41:45 AM
Guys,

just so you know NMAP has been updated:

Nmap 4.85BETA5

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

http://nmap.org/download.html


Title: Re: Conficker
Post by: Jhaddix on March 31, 2009, 04:04:29 AM
I have these and a few others posted here on my site:

http://www.securityaegis.com/?p=262

Let's see what happens tomorrow :/


Title: Re: Conficker
Post by: dalepearson on March 31, 2009, 09:21:49 AM
Anyone know how to specify a txt file of IPs to work with this Simple Conficker Scanner?

I seem to get better results out of this than with NMAP, so wanted to do some validation, but obviously don't want to do a single IP at a time.


Title: Re: Conficker
Post by: dalepearson on March 31, 2009, 09:30:55 AM
Quote
Anyone know how to specify a txt file of IPs to work with this Simple Conficker Scanner?

I seem to get better results out of this than with NMAP, so wanted to do some validation, but obviously don't want to do a single IP at a time.

Using the scanner you can download from here, this is possible.
http://www.doxpara.com/scs2.zip

I have tested this and it seems to be running fine. Hope it helps someone.
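The two posts above ask how to feed a text file of IPs to a single-host scanner instead of running it one address at a time. For nmap itself this already exists (`-iL targets.txt`). For a scanner that only takes one IP per invocation, the POSIX sh wrapper below is an added example, written for this thread and not code from the Simple Conficker Scanner project or from anyone in the thread. It assumes a scanner command of the form `<command> <ip>` that prints its verdict on stdout; the function names `valid_ips`, `scan_list` and `count_matches`, and the sample stub scanner in the comments, are hypothetical. The wrapper validates each entry (so one typo in the list does not abort or skew the run), tags every output line with the host it came from, and counts distinct hosts whose output matches a pattern of your choice, since the exact "infected" wording depends on the scanner you drive.

```shell
#!/bin/sh
# Added example (not the thread's or the scanner project's code): drive a
# single-host scanner over a text file of IPs and collect the results.
#
# Assumed scanner contract: invoked as "<command> <ip>", verdict on stdout.

# valid_ips FILE
# Print the usable IPv4 addresses from FILE, one per line. Blank lines and
# '#' comments are ignored; anything that is not a dotted quad with octets
# in 0-255 is reported on stderr and skipped rather than aborting the run.
valid_ips() {
    awk '
        { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }   # strip comments/whitespace
        $0 == "" { next }                              # skip blank lines
        {
            n = split($0, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print $0
            else print "skipping invalid entry: " $0 > "/dev/stderr"
        }' "$1"
}

# scan_list FILE SCANNER [ARGS...]
# Run SCANNER once per valid IP in FILE and emit "<ip><TAB><output line>"
# for every line the scanner prints (stderr merged), so results for a whole
# subnet land in one stream. Returns non-zero only if FILE is unreadable.
scan_list() {
    file=$1; shift
    [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 1; }
    valid_ips "$file" | while IFS= read -r ip; do
        "$@" "$ip" 2>&1 | while IFS= read -r line; do
            printf '%s\t%s\n' "$ip" "$line"
        done
    done
}

# count_matches PATTERN
# Read scan_list output on stdin and print how many distinct hosts produced
# a line matching PATTERN (case-insensitive), e.g. the scanner's "infected"
# wording. Distinct hosts, not lines, so multi-line verdicts count once.
count_matches() {
    grep -i -- "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Usage (hypothetical scanner command; adjust to the tool you actually run):
#   scan_list hosts.txt python scs.py > results.tsv
#   count_matches infected < results.tsv
```

Because `scan_list` streams one tab-separated line per scanner output line, the combined log can be filtered with ordinary `grep`/`cut` afterwards, and `valid_ips` can be run on its own first to catch list errors before any packets are sent.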


Title: Re: Conficker
Post by: ethicalhack3r on March 31, 2009, 03:47:05 PM
What timezone is Conficker set to?


Title: Re: Conficker
Post by: BillV on March 31, 2009, 06:47:05 PM
Hmm, well I thought part of it syncs with UTC, which will be April 1 in about 15 minutes...

but this article makes it seem like it depends on the local system time:

Conficker worm wakes up overseas, but it's quiet (http://tech.yahoo.com/news/zd/20090331/tc_zd/238737).


Title: Re: Conficker
Post by: BillV on March 31, 2009, 06:49:01 PM
Also, ISC (http://isc.sans.org/) has some info up and seems to be following...

Quote
There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers.

Figured that was coming soon...


Title: Re: Conficker
Post by: Andrew Waite on April 01, 2009, 03:41:13 AM
All quiet from here, the intertubes are still working and the sky hasn't fallen.

Anyone seen anything or has it passed by as a non-event?


Title: Re: Conficker
Post by: dalepearson on April 01, 2009, 06:05:38 AM
As expected nothing going on today.
Still need to remain vigilant, but that's just normal operating for us paranoid InfoSec types :)


Title: Re: Conficker
Post by: dalepearson on April 01, 2009, 06:38:55 AM
Not had a proper look yet as I am off into a meeting, but BitDefender have released a couple of cleanup tools, one for standalone, and one for networks.

Might be of use to someone.

http://www.bdtools.net/


Title: Re: Conficker
Post by: BillV on April 01, 2009, 06:44:41 AM
Yeah, so far all is good. It will probably remain that way for the day too. They probably have something planned to attack on Friday the 3rd to throw us all off :D

I saw a comment somewhere saying how they thought it was a gov't conspiracy to create a super botnet.. could be.. lol


Title: Re: Conficker
Post by: Ketchup on April 01, 2009, 07:21:39 AM
I don't know about you guys, but I am definitely putting on my aluminum deflector beanie. 

Hmmm, I wonder if these would be useful as protection against social engineering.

http://zapatopi.net/afdb/


Title: Re: Conficker
Post by: jason on April 11, 2009, 10:05:44 PM
Quote
I don't know about you guys, but I am definitely putting on my aluminum deflector beanie.

Hmmm, I wonder if these would be useful as protection against social engineering.

Social engineering perhaps, social skills definitely.


Title: Re: Conficker
Post by: Blindeyed on April 12, 2009, 08:56:59 AM
Seems like someone was making an experiment with these Conficker worms. I mean that the analysis of Conficker C basically states there were numerous implications that were added, with "only as little as 15% of the original B code base untouched", so it seems to me like it was a modification from a different author who found/was infected by B and decided to use it for his/her/their own ends. Of course that's just a Blind assumption ;). It's kind of creepy how in the analysis report the researchers added "It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level."


Title: Re: Conficker
Post by: jason on April 12, 2009, 07:58:13 PM
I don't know about the means, but it sounded to me like someone else had taken it over as well. That was quite a bit of attack power to leave idle for that long.