Fiber cut on Irish Sea

Ken, whose fiber on the ground was it after all?

Roderick Beck wrote:

Hi Isabel,

It hasn't been confirmed to me yet but some people have mentioned that
it is most likely to belong to Global Crossing.

Regards,

Ken

Anyone have a copy of this? Would like to analyze it and understand its
propagation.

Thanks
-Joe

Visit the authority: http://www.confickerworkinggroup.org/wiki/

SRI has a detailed analysis of Conficker at http://mtc.sri.com/Conficker/

Thanks, the only thing is that these websites, like most, are very vague
about the mechanics behind the infiltration. That is the reason why I asked
about finding some source code/example code.
It's pretty nice that these folks (Symantec/Trend) offer free help
regarding these items, but the facts (TCP/UDP ports, DNS poisoning methods)
are buried, which doesn't help much. Perhaps I am missing something though.

Regards

The most relevant section is the Conficker.C addendum -- this has been driving
the April 1st hype.

http://mtc.sri.com/Conficker/addendumC/index.html

FYI,

- - ferg

Joe said earlier today:

Thanks, the only thing is that these websites, like most, are very vague
about the mechanics behind the infiltration

  Joe, the SRI report would be right up your alley as it is the most
technical in its analysis of the variants A and B as well as an explanation
of the algorithm it uses to determine domain names for future use of some
kind.

http://mtc.sri.com/Conficker/

  Sincerely, Richard Golodner

Joe Blanchard wrote:

Anyone have a copy of this? Would like to analyze it and understand its
propagation.

Thanks
-Joe

I'm sure someone sent you a sample by now. As to the malware itself...

I haven't personally been following conficker as I've been busy with other issues (as much as possible, anyway, with all the hype it's hard to escape), but I've been asking questions. I can try and speak on the matter from what I've learned by asking.

Conficker is a real problem, but will the world end on April Fools?

The answer I gather to be the most accurate is:
"The conficker threat will be exactly the same as it is today, on April 1st."

Perhaps putting a date on the threat makes people feel more comfortable. What if something happens on April 3rd? Whether we would be warned or not, we'll all likely ignore it if April 1st comes and goes quietly.

As to the unknown, the author's mind, who can really tell what they will do come the 1st?

But some of the hype I've seen is truly ridiculous. I am sure some of the protected hosting companies sold quite a bit with their "we defend against conficker" products.

Is Conficker a problem? Yes. Can we potentially face hardship on the 1st? Yes. Is the rest complete bull? Yes.

  Gadi.

The two might be related since it was reported that both happened Sunday
morning.

Ken Gilmour wrote:

To the main stream media:

Please leave your tin foil hats at the door...

To my fellow NANOGers:

I look at this virus from two perspectives. First the home computers (and
small businesses without any real IT staff). And second the larger
organizations with dedicated IT staff.

Home Users: Many will agree that a large percent (>50%) of home computers
are infected with some sort of malware. Everything from tracking cookies,
to spam drones, to botnet clients. Home users are often too cheap/lazy to
get antivirus/firewall protections. And many are scared to get updates from
Microsoft because of some unrealized danger this might pose.

As I see it, the virus is adding at most 9(?) million to the probable 175
million (350/2
<http://en.wikipedia.org/wiki/List_of_countries_by_broadband_users> )
malware infested hosts out there. In fact, it will probably be much less
than that, as the people who are getting infected by this virus, are
probably already affected by other malware.

Everyone Else: If SQL Slammer has taught us anything, it is the importance
of patch management and firewalls. And the unending stream of new malware
has also taught us the importance of anti-virus software. With all the
media hype and removal tools being made, there is no good reason any IT shop
should be affected in any meaningful way. Invariably we will hear the
stories of places that do get affected, but I doubt it will be anything
overly large.

So from a network operational perspective, unless the virus author decides
to launch a DDOS on a single target (and one is either that network or its
upstream) I predict this will have little, if any, effect.

My $0.02,

Adam Stasiniewicz

Something folks might be interested in -- a way to detect
Conficker-infected hosts in your network:

https://www.honeynet.org/node/389

FYI,

- - ferg

Has anyone tried the Python scs Network Scanner script?
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

I have installed Impacket-0.9.6.0 library but it throws the following warning
"WARNING: Crypto package not found. Some features will fail."

Does anyone know if this affects the reliability of the scs script? I
have it scanning but I don't like that warning.

What other library is Impacket looking for to correct that warning?

Just FYI - I had a pretty high ratio of properly Conficker-infected
honeypots identified vs. false positives, using Nessus'
appropriate signature, whereas I could never get the py script to
properly run on my MacBook Pro ...

-- Stefan

Stasiniewicz, Adam wrote:

So from a network operational perspective, unless the virus author decides to launch a DDOS on a single target (and one is either that network or its upstream) I predict this will have little, if any, effect.

Agreed.

Although being ready to answer your abuse mail to null-route on your networks could be helpful to the community.

  Gadi.

You need to add python-crypto with whatever package manager your OS
uses; the yast line in SUSE:

│python-crypto │2.0.1 │2.0.1
│Collection of cryptographic algorithms and protocols, implemented
for use from Python

d

JoeSox <joesox@gmail.com> 31/03/09 8:46 am >>>

Has anyone tried the Python scs Network Scanner script?
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

I have installed Impacket-0.9.6.0 library but it throws the following
warning
"WARNING: Crypto package not found. Some features will fail."

Does anyone know if this affects the reliability of the scs script? I
have it scanning but I don't like that warning.

What other library is Impacket looking for to correct that warning?

Joe,

Here's the link for the Python Crypto toolkit:
http://www.amk.ca/python/code/crypto.html

I scanned our internal network and didn't find anything, so I can't really
vouch for its reliability though.

Anyone try the new nmap beta that includes the ability to detect it?
nmap-4.85BETA5?

I am looking for output from a scan on a known infected machine vs what I
believe is a clean machine I have.

Thanks,

Here is a pretty good recap of all options, including some useful comments:

http://it.slashdot.org/article.pl?sid=09/03/30/090224 (including the
specific one addressing the py script:
http://it.slashdot.org/comments.pl?sid=1180397&cid=27387085 )

Stefan

Also see
http://arstechnica.com/security/news/2009/03/new-method-for-detecting-conficker-discovered-debuted.ars