Conficker

<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Mar 27, 2009 8:39 pm

Conficker

I'm surprised there isn't a discussion on this yet (aside from the one there was a while ago) in light of the stuff about April 1.

Here are a few good links I saw come across the GIAC list that had some pretty good information:

Q&A: http://www.f-secure.com/weblog/archives/00001636.html

Detailed Analysis: http://mtc.sri.com/Conficker/addendumC/

Detection: http://blog.commandlinekungfu.com/2009/ ... patch.html

Everyone all patched up? Taking any other precautions? I might just un-plug my network at home for the day just to stay on the safe side in case some crazy ends up happening, lol. Fortunately (or boringly? Is that a word?) in my current/new role for work, I don't really have much to do on this :-\

BillV
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Mar 30, 2009 7:04 am

Re: Conficker

Bill,

good post, I had seen the others, but had not looked at Paul's command line Fu page.
That's probably a useful little command for the home user, who doesn't have enterprise management tooling.

I personally don't think much is going to happen. Obviously if you're infected and not patched already you're at the same risk level, if not I can't see a mass infection spread happening.

Time will tell I guess, I am sure the media will provide some entertainment.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 30, 2009 7:09 am

Re: Conficker

Speaking of the media...  from last night's 60 minutes:

http://www.cbsnews.com/stories/2009/03/ ... 7053.shtml
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Mar 30, 2009 7:34 am

Re: Conficker

I just found out Nessus and NMAP should have updated definitions to identify the Conficker signature to identify infected machines.

So I am going to set up a machine to do some scanning.

I have not had a proper look, but I assume it's going to be something like:
Last edited by dalepearson on Mon Mar 30, 2009 7:39 am, edited 1 time in total.
<<

crk

Newbie

Posts: 49

Joined: Mon Mar 23, 2009 9:32 pm

Post Mon Mar 30, 2009 10:51 am

Re: Conficker

I really don't think it'll be a big deal at all. I think that at this point so many people have gone to such lengths to secure their networks that whatever's gonna happen won't even be worth mentioning.

However, just to be sure, my systems are fully patched ;D
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Mon Mar 30, 2009 12:17 pm

Re: Conficker

dale, I saw that too about nmap/nessus/et al.

Here's the link to some useful tools.

Hats off to the guys at The Honeynet Project! :)

BillV
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Mar 30, 2009 1:59 pm

Re: Conficker

For those of you interested, Fyodor should be posting an NMAP update in the next few hours so keep a look out http://seclists.org/nmap-dev/2009/q1/index.html

If you want to do some manual tweaking, there is some availability here http://www.skullsecurity.org/blog/?p=209
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Mar 31, 2009 3:41 am

Re: Conficker

Guys,

just so you know NMAP has been updated:

Nmap 4.85BETA5

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

http://nmap.org/download.html
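A follow-on to the scan command quoted in the post above, as an added example that is not part of the original post or of Nmap: it sorts a saved scan report into per-host verdicts so that hosts whose check errored out or returned nothing are not mistaken for clean ones. The file names, the constructed sample report and the assumed wording of the report lines are illustrative.

```shell
#!/bin/sh
# Scan step (not run here). -iL reads targets from a text file, -oN saves the report;
# targets.txt and conficker-scan.txt are hypothetical file names:
#   nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns \
#        --script-args safe=1 -iL targets.txt -oN conficker-scan.txt

# Constructed sample report (documentation addresses, not real scan output).
sample_scan() {
cat <<'EOF'
Interesting ports on 192.0.2.10:
Host script results:
|  smb-check-vulns:
|_ Conficker: Likely INFECTED

Interesting ports on 192.0.2.11:
Host script results:
|  smb-check-vulns:
|_ Conficker: Likely CLEAN

Interesting ports on 192.0.2.12:
Host script results:
|  smb-check-vulns:
|_ Conficker: UNKNOWN; got error SMB: connection timed out

Interesting ports on 192.0.2.13:
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
EOF
}

# Print "<host> <status>" for every host in a saved report (file args or stdin).
# Assumed host headers: "Interesting ports on <host>:" or "Nmap scan report for <host>".
conficker_triage() {
    awk '
        function emit() { if (host != "") print host, (status == "" ? "NO_RESULT" : status) }
        /^Interesting ports on / { emit(); host = $4; sub(/:$/, "", host); status = ""; next }
        /^Nmap scan report for / { emit(); host = $5; status = ""; next }
        /Conficker:/ {
            if ($0 ~ /INFECTED/)   status = "INFECTED"
            else if ($0 ~ /CLEAN/) status = "CLEAN"
            else                   status = "UNKNOWN"   # check ran but gave no verdict
        }
        END { emit() }
    ' "$@"
}

# Hosts that are not confirmed clean and still need a rescan or manual check.
needs_followup() { conficker_triage "$@" | awk '$2 != "CLEAN" { print $1 }'; }

sample_scan | conficker_triage
```

Run `needs_followup conficker-scan.txt` against a real report to get the list of hosts to recheck.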
<<

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Mar 31, 2009 4:04 am

Re: Conficker

I have these and a few others posted here on my site:

http://www.securityaegis.com/?p=262

Let's see what happens tomorrow :/
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Mar 31, 2009 9:21 am

Re: Conficker

Anyone know how to specify a txt file of IPs to work with this Simple Conficker Scanner?

I seem to get better results out of this than with NMAP, so wanted to do some validation, but obviously don't want to do a single IP at a time.
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Mar 31, 2009 9:30 am

Re: Conficker

dalepearson wrote: Anyone know how to specify a txt file of IPs to work with this Simple Conficker Scanner?

I seem to get better results out of this than with NMAP, so wanted to do some validation, but obviously don't want to do a single IP at a time.


Using the scanner you can download from here, this is possible.
http://www.doxpara.com/scs2.zip

I have tested this and it seems to be running fine. Hope it helps someone.
<<

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Tue Mar 31, 2009 3:47 pm

Re: Conficker

What timezone is Conficker set to?
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 31, 2009 6:47 pm

Re: Conficker

Hmm, well I thought part of it syncs with UTC, which will be April 1 in about 15 minutes...

but this article makes it seem like it depends on the local system time:

Conficker worm wakes up overseas, but its quiet.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 31, 2009 6:49 pm

Re: Conficker

Also, ISC has some info up and seems to be following...

There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers.


Figured that was coming soon...
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Apr 01, 2009 3:41 am

Re: Conficker

All quiet from here, the intertubes are still working and the sky hasn't fallen.

Anyone seen anything or has it passed by as a non-event?