Conficker

Viewing 21 reply threads
    • #3625
      BillV
      Participant

      I’m surprised there isn’t a discussion on this yet (aside from the one there was a while ago) in light of the stuff about April 1.

      Here are a few good links I saw come across the GIAC list that had some pretty good information:

      Q&A: http://www.f-secure.com/weblog/archives/00001636.html

      Detailed Analysis: http://mtc.sri.com/Conficker/addendumC/

      Detection: http://blog.commandlinekungfu.com/2009/03/episode-16-got-that-patch.html

      Everyone all patched up? Taking any other precautions? I might just un-plug my network at home for the day just to stay on the safe side in case something crazy ends up happening, lol. Fortunately (or boringly? Is that a word?) in my current/new role for work, I don’t really have much to do on this :-

      BillV

    • #23424
      dalepearson
      Participant

      Bill,

      good post, I had seen the others, but had not looked at Paul's command line Fu page.
      That's probably a useful little command for the home user, who doesn't have enterprise management tooling.

      I personally don't think much is going to happen. Obviously if you're infected and not patched already you're at the same risk level, if not I can't see a mass infection spread happening.

      Time will tell I guess, I am sure the media will provide some entertainment.

    • #23425
      hayabusa
      Participant

      Speaking of the media…  from last night’s 60 minutes:

      http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml

    • #23426
      dalepearson
      Participant

      I just found out Nessus and NMAP should have updated definitions to identify the Conficker signature to identify infected machines.

      So I am going to set up a machine to do some scanning.

      I have not had a proper look, but I assume it's going to be something like:

    • #23427
      crk
      Participant

      I really don’t think it’ll be a big deal at all. I think that at this point so many people have gone to such lengths to secure their networks that whatever’s gonna happen won’t even be worth mentioning.

      However, just to be sure, my systems are fully patched ;D

    • #23428
      BillV
      Participant

      dale, I saw that too about nmap/nessus/et al.

      Here’s the link to some useful tools.

      Hats off to the guys at The Honeynet Project! 🙂

      BillV

    • #23429
      dalepearson
      Participant

      For those of you interested, Fyodor should be posting an NMAP update in the next few hours so keep a look out http://seclists.org/nmap-dev/2009/q1/index.html

      If you want to do some manual tweaking, there is some availability here http://www.skullsecurity.org/blog/?p=209

    • #23430
      dalepearson
      Participant

      Guys,

      just so you know NMAP has been updated:

      Nmap 4.85BETA5

      o Ron (in just a few hours of furious coding) added remote detection
        of the Conficker worm to smb-check-vulns. It is based on new
        research by Tillmann Werner and Felix Leder.  You can scan your
        network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
        -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

      http://nmap.org/download.html

    • #23431
      Jhaddix
      Participant

      I have these and a few others posted here on my site:

      http://www.securityaegis.com/?p=262

      let's see what happens tomorrow :/

    • #23432
      dalepearson
      Participant

      Anyone know how to specify a txt file of IPs to work with this Simple Conficker Scanner?

      I seem to get better results out of this than with NMAP, so wanted to do some validation, but obviously don't want to do a single IP at a time.

    • #23433
      dalepearson
      Participant

      @dalepearson wrote:

      Anyone know how to specify a txt file of IPs to work with this Simple Conficker Scanner?

      I seem to get better results out of this than with NMAP, so wanted to do some validation, but obviously don't want to do a single IP at a time.

      Using the scanner you can download from here, this is possible.
      http://www.doxpara.com/scs2.zip

      I have tested this and it seems to be running fine. Hope it helps someone.
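      The two practical questions in this thread, running the Nmap 4.85BETA5 smb-check-vulns Conficker check quoted above (post #23430) and driving a scanner from a text file of IPs rather than one address at a time (posts #23432/#23433), can be handled together with a small wrapper. The script below is an added example, not code from the thread, from Nmap, or from the Simple Conficker Scanner. It assumes nmap's real `-iL` option for reading targets from a file, and it assumes the verdict wording of the smb-check-vulns script ("Conficker: Likely INFECTED" / "Likely CLEAN" / "UNKNOWN; ..."), which is taken from memory of that script's output rather than from this page. The sample nmap output and the TEST-NET addresses in it are constructed so the parser can be exercised offline.

```python
"""Constructed example: run the smb-check-vulns Conficker check from the Nmap
changelog quoted in the thread against a text file of targets, then parse
the result. Not code from the thread, from Nmap, or from the Simple
Conficker Scanner."""
import ipaddress
import re
import subprocess
from typing import Dict, List


def load_targets(text: str) -> List[str]:
    """Keep the valid IPs / CIDR ranges from a targets file, skipping blank
    lines, '#' comments and anything that does not parse as an address."""
    targets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # junk line; skip rather than feed it to the scanner
        targets.append(entry)
    return targets


def build_nmap_command(target_file: str, nmap_path: str = "nmap") -> List[str]:
    """Same options as the Nmap 4.85BETA5 changelog, with -iL (nmap's
    read-targets-from-file option) replacing the inline [targetnetworks]."""
    return [nmap_path, "-PN", "-T4", "-p139,445", "-n", "-v",
            "--script=smb-check-vulns", "--script-args", "safe=1",
            "-iL", target_file]


# Host header as printed by newer ("Nmap scan report for ...") and older
# ("Interesting ports on ...") nmap releases; the first IPv4 on the line wins.
HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on)\b.*?(\d{1,3}(?:\.\d{1,3}){3})")
# Verdict line of smb-check-vulns; wording is an assumption based on the
# script's output ("Likely INFECTED", "Likely CLEAN", "UNKNOWN; not Windows, ...").
VERDICT_RE = re.compile(r"Conficker:\s*(?:Likely\s+)?(INFECTED|CLEAN|UNKNOWN)")


def parse_conficker_results(nmap_output: str) -> Dict[str, str]:
    """Map each scanned IP to INFECTED / CLEAN / UNKNOWN."""
    results: Dict[str, str] = {}
    current = None
    for line in nmap_output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            continue
        verdict = VERDICT_RE.search(line)
        if verdict and current:
            results[current] = verdict.group(1)
    return results


def infected_hosts(results: Dict[str, str]) -> List[str]:
    """Sorted list of hosts the check flagged as likely infected."""
    return sorted(ip for ip, verdict in results.items() if verdict == "INFECTED")


def scan_targets_file(target_file: str, nmap_path: str = "nmap") -> Dict[str, str]:
    """Run the real scan (needs nmap installed and permission to scan the hosts)."""
    proc = subprocess.run(build_nmap_command(target_file, nmap_path),
                          capture_output=True, text=True, check=False)
    return parse_conficker_results(proc.stdout)


# Constructed nmap output using TEST-NET addresses (RFC 5737), not a real scan.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  |  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  |_ Conficker: Likely INFECTED

Nmap scan report for fileserver.example (192.0.2.11)
Host script results:
|  smb-check-vulns:
|  |_ Conficker: Likely CLEAN

Interesting ports on 192.0.2.12:
Host script results:
|  smb-check-vulns:
|  |_ Conficker: UNKNOWN; not Windows, or Windows with disabled browser service
"""

if __name__ == "__main__":
    verdicts = parse_conficker_results(SAMPLE_OUTPUT)
    print("Infected hosts:", infected_hosts(verdicts))
```

      To use it on a real network, put one IP or CIDR range per line in a text file, clean it with `load_targets` if it came from somewhere untidy, and call `scan_targets_file("targets.txt")`; UNKNOWN verdicts are hosts where the check could not run (non-Windows or browser service off), so they still need a look by other means.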

    • #23434
      ethicalhack3r
      Participant

      What timezone is Conficker set to?

    • #23435
      BillV
      Participant

      Hmm, well I thought part of it syncs with UTC, which will be April 1 in about 15 minutes…

      but this article makes it seem like it depends on the local system time:

      Conficker worm wakes up overseas, but it's quiet.

    • #23436
      BillV
      Participant

      Also, ISC has some info up and seems to be following…

      There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers.

      Figured that was coming soon…

    • #23437
      RoleReversal
      Participant

      All quiet from here, the intertubes are still working and the sky hasn’t fallen.

      Anyone seen anything or has it passed by as a non-event?

    • #23438
      dalepearson
      Participant

      As expected nothing going on today.
      Still need to remain vigilant, but that's just normal operating for us paranoid InfoSec types 🙂

    • #23439
      dalepearson
      Participant

      Not had a proper look yet as I am off into a meeting, but BitDefender have released a couple of cleanup tools, one for standalone, and one for networks.

      Might be of use to someone.

      http://www.bdtools.net/

    • #23440
      BillV
      Participant

      Yeah, so far all is good. It will probably remain that way for the day too. They probably have something planned to attack on Friday the 3rd to throw us all off 😀

      I saw a comment somewhere saying how they thought it was a gov’t conspiracy to create a super botnet.. could be.. lol

    • #23441
      Ketchup
      Participant

      I don’t know about you guys, but I am definitely putting on my aluminum deflector beanie. 

      Hmmm, I wonder if these would be useful as protection against social engineering.

      http://zapatopi.net/afdb/

    • #23442
      jason
      Participant

      @Ketchup wrote:

      I don’t know about you guys, but I am definitely putting on my aluminum deflector beanie. 

      Hmmm, I wonder if these would be useful as protection against social engineering.

      Social engineering perhaps, social skills definitely.

    • #23443
      Blindeyed
      Participant

      Seems like someone was making an experiment with these Conficker worms. I mean that analysis of Conficker C basically states there were numerous implications that were added that “only as little as 15% of the original B code base untouched” so it seems to me like it was a modification from a different author who found/was infected by B and decided to use it for his/her/their own ends. Of course that's just a Blind assumption ;). It's kind of creepy how in the Analysis report the researchers added “It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level.”

    • #23444
      jason
      Participant

      I don’t know about the means, but it sounded to me like someone else had taken it over as well. That was quite a bit of attack power to leave idle for that long.
