Re: The Confiker Virus.

2009-04-01 Thread Warren Kumari
On Apr 1, 2009, at 12:01 PM, Jason Iannone wrote: What's the virus doing with all of those domain names? http://lmgtfy.com/?q=conficker On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein wrote: Of the 50,000 DNS names generated for today .. Additional info .. Top 10 ASN by number/nam

Re: The Confiker Virus.

2009-04-01 Thread Michael Holstein
What's the virus doing with all of those domain names? Domain names are enumerated at random (based on date) as a way around hard-coding an IP/domain that could be easily taken down. The domain names are used for the command & control of the worm, and presumably at least one of them will
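The date-seeded scheme Michael describes above, as an added illustrative example (this is not code from the original thread and it is not Conficker's actual generator): a toy date-keyed domain generator, the defender's watchlist computed from the same algorithm for a window of days, and a check of constructed resolver log lines against that list. The TLD set, seed, per-day count and the three-field log format are assumptions made for the example.

```python
"""Date-seeded domain generation and watchlist-style detection (illustrative)."""
import datetime
import hashlib
from typing import Iterable, List, Set

# Hypothetical constants: the TLD set, per-day count and seed are made up for
# this example and are NOT the parameters of Conficker's real generator.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250
SEED = b"illustrative-dga-seed"


def daily_domains(day: datetime.date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Deterministically derive `count` domains from the calendar date.

    Because only the date feeds the generator, the bot and any defender who has
    reverse-engineered the algorithm compute the same list, so the defender can
    register or sinkhole the names in advance instead of chasing one hard-coded
    C2 host or IP.
    """
    day_key = hashlib.sha256(SEED + day.isoformat().encode()).digest()
    domains: List[str] = []
    for i in range(count):
        block = hashlib.sha256(day_key + i.to_bytes(4, "big")).digest()
        length = 5 + block[0] % 7                      # label length 5..11
        label = "".join(chr(ord("a") + b % 26) for b in block[1 : 1 + length])
        tld = TLDS[block[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def watchlist(center: datetime.date, skew_days: int = 1) -> Set[str]:
    """Union of the lists for center-skew .. center+skew, tolerating bot clock drift."""
    names: Set[str] = set()
    for offset in range(-skew_days, skew_days + 1):
        names.update(daily_domains(center + datetime.timedelta(days=offset)))
    return names


def flag_dga_queries(log_lines: Iterable[str], names: Set[str]) -> List[str]:
    """Return the client IPs that looked up a name on the watchlist.

    Expects the constructed log format '<timestamp> <client-ip> <qname>';
    a trailing dot and letter case in the qname are normalised away.
    """
    hits: List[str] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                   # skip malformed lines
        _ts, client, qname = parts
        if qname.rstrip(".").lower() in names:
            hits.append(client)
    return hits


if __name__ == "__main__":
    today = datetime.date(2009, 4, 1)
    names = watchlist(today)
    # Constructed resolver log: two benign lookups and one lookup of a generated name.
    sample_log = [
        "2009-04-01T08:38:01 10.1.2.3 www.nanog.org",
        f"2009-04-01T08:38:02 10.1.2.44 {daily_domains(today)[17]}",
        "2009-04-01T08:38:03 10.1.2.3 mtc.sri.com.",
    ]
    for client in flag_dga_queries(sample_log, names):
        print("host queried a generated C2 name:", client)
```

The widened window in `watchlist` matters in practice: an infected host with a wrong clock asks for yesterday's or tomorrow's names, and a list built for exactly one day misses it.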

Re: The Confiker Virus.

2009-04-01 Thread David W. Hankins
On Wed, Apr 01, 2009 at 10:01:29AM -0600, Jason Iannone wrote: > What's the virus doing with all of those domain names? Paul Vixie gave a presentation at the IEPG meeting before IETF 74. I don't think the IEPG meeting notes are up yet (they would be very informative if they were)...I don't preten

Re: The Confiker Virus.

2009-04-01 Thread Jason Iannone
What's the virus doing with all of those domain names? On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein wrote: > >> Of the 50,000 DNS names generated for today .. > > Additional info .. > > Top 10 ASN by number/name : > > 5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc.     2820 -- 1668

Re: The Confiker Virus.

2009-04-01 Thread Michael Holstein
Of the 50,000 DNS names generated for today .. Additional info .. Top 10 ASN by number/name : 5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc. 2820 -- 1668 AOL-ATDN - AOL Transit Data Network 2737 -- 23028 TEAM-CYMRU - Team Cymru Inc. 404 -- 760 University of Vienna, A

Re: The Confiker Virus.

2009-04-01 Thread Michael Holstein
Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points? http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ Has snort sigs for .A and .B variants .. haven't seen one for .C yet, but there i

Re: The Confiker Virus.

2009-03-31 Thread Dominic J. Eidson
See http://honeynet.org/node/388 for snort signatures for .a and .b variants. - d. On Tue, 31 Mar 2009, Steven Fischer wrote: Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points? On Tue, Mar 31, 2009

Re: The Confiker Virus.

2009-03-31 Thread Steven Fischer
Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points? On Tue, Mar 31, 2009 at 9:41 AM, JoeSox wrote: > I am uncertain also. I scan a subnet on my network with Axence > NetTools looking for 445 port and I rece

Re: The Confiker Virus.

2009-03-31 Thread JoeSox
I am uncertain also. I scan a subnet on my network with Axence NetTools looking for 445 port and I receive some hits. I perform a netstat -a some of those results but don't really see any 445 activity. The SCS script doesn't find anything either. The PCs are patched and virusscan updated. One PC

Re: The Confiker Virus.

2009-03-31 Thread Jason Biel
From what I can find with the nmap way, You don't want to see *Conficker: LIKELY INFECTED* or *Conficker: VULNERABLE*. 2009/3/31 JoeSox > I forgot to mention that I have had python-crypto already installed > before I posted. I was still getting the WARNING. > -- > Joe > > On Mon, Mar 30, 2009 a

Re: The Confiker Virus.

2009-03-31 Thread Wilkinson, Alex
On Tue, Mar 31, 2009 at 09:22:32AM -0400, Steven M. Bellovin wrote: Honeynet Project has released Know Your Enemy: Containing Conficker: Our "Know Your Enemy: Containing Conficker" whitepaper was released on March 30th as a PDF only. You can download the full paper from the link belo

Re: The Confiker Virus.

2009-03-31 Thread JoeSox
I forgot to mention that I have had python-crypto already installed before I posted. I was still getting the WARNING. -- Joe On Mon, Mar 30, 2009 at 11:10 PM, David Tebbutt wrote: > you need to add python-crypto with whatever package manager your OS > uses, > yast line in suse: > > │python-crypto

Re: The Confiker Virus.

2009-03-31 Thread Steven M. Bellovin
Also see http://arstechnica.com/security/news/2009/03/new-method-for-detecting-conficker-discovered-debuted.ars

Re: The Confiker Virus.

2009-03-31 Thread Stefan
ginal Message- > From: David Tebbutt [mailto:da...@sunshadeseyewear.com.au] > Sent: Tuesday, March 31, 2009 2:10 AM > To: Paul Ferguson; JoeSox > Cc: nanog@nanog.org > Subject: Re: The Confiker Virus. > > you need to add python-crypto with whatever package manager your O

Re: The Confiker Virus.

2009-03-31 Thread Jason Biel
sunshadeseyewear.com.au] > Sent: Tuesday, March 31, 2009 2:10 AM > To: Paul Ferguson; JoeSox > Cc: nanog@nanog.org > Subject: Re: The Confiker Virus. > > you need to add python-crypto with whatever package manager your OS uses, > yast line in suse: > > |python-crypto

RE: The Confiker Virus.

2009-03-31 Thread Eric Tykwinski
yewear.com.au] Sent: Tuesday, March 31, 2009 2:10 AM To: Paul Ferguson; JoeSox Cc: nanog@nanog.org Subject: Re: The Confiker Virus. you need to add python-crypto with whatever package manager your OS uses, yast line in suse: |python-crypto |2.0.1 |2.0.1 |Collect

Re: The Confiker Virus.

2009-03-30 Thread David Tebbutt
you need to add python-crypto with whatever package manager your OS uses, yast line in suse: │python-crypto │2.0.1 │2.0.1 │Collection of cryptographic algorithms and protocols, implemented for use from Python d >>> JoeSox 31/03/09 8:46 am >>> Has anyone tried th

Re: The Confiker Virus hype and measures

2009-03-30 Thread Gadi Evron
Stasiniewicz, Adam wrote: So from a network operational perspective, unless the virus author decides to launch a DDOS on a single target (and one is either that network or its upstream) I predict this will have little, if any, effect. Agreed. Although being ready to answer your abuse mail t

Re: The Confiker Virus.

2009-03-30 Thread Stefan
Just FYI - I had a pretty high ratio of properly conficker-infected honeypots identified vs. false positives ratio, using nessus' appropriate signature, whereas I could never get the py script to properly run on my macbook pro ... -- Stefan On 3/30/09, JoeSox wrote: > Has anyone tried the Python

Re: The Confiker Virus.

2009-03-30 Thread JoeSox
Has anyone tried the Python scs Network Scanner script? http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ I have installed Impacket-0.9.6.0 library but it throws the following warning "WARNING: Crypto package not found. Some features will fail." Does anyone know if this effects th

RE: The Confiker Virus hype and measures

2009-03-30 Thread Skywing
o manage things). The AV folk have done that for a long time and it's been reasonably well accepted. - S -Original Message- From: Stasiniewicz, Adam Sent: Monday, March 30, 2009 09:11 To: nanog@nanog.org ; 'Gadi Evron' ; 'Joe Blanchard' Subject: RE: The Confi

Re: The Confiker Virus.

2009-03-30 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, Mar 29, 2009 at 5:16 PM, Richard Golodner wrote: > >Joe said earlier today: >> Thanks, the only thing is that these, like most, websites are very vague > about the mechanics behind the infiltration > >Joe, the SRI report would

RE: The Confiker Virus hype and measures

2009-03-30 Thread Stasiniewicz, Adam
uxbox.org] Sent: Monday, March 30, 2009 7:44 AM To: Joe Blanchard Cc: nanog@nanog.org Subject: The Confiker Virus hype and measures Joe Blanchard wrote: > Anyone have a copy of this? Would like to analyze it and understand its > propagation. > > Thanks > -Joe I'm s

The Confiker Virus hype and measures

2009-03-30 Thread Gadi Evron
Joe Blanchard wrote: Anyone have a copy of this? Would like to analyze it and understand its propagation. Thanks -Joe I'm sure someone sent you a sample by now. As to the malware itself... I haven't personally been following conficker as I've been busy with other issues (as much as possible,

RE: The Confiker Virus.

2009-03-29 Thread Richard Golodner
Joe said earlier today: > Thanks, the only thing is that these, like most, websites are very vague about the mechanics behind the infiltration Joe, the SRI report would be right up your alley as it is the most technical in its analysis of the variants A and B as well as an

Re: The Confiker Virus.

2009-03-29 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, Mar 29, 2009 at 4:54 PM, Matthew Huff wrote: > SRI has a detailed analysis of Conficker at > http://mtc.sri.com/Conficker/ > The most relevant section is the Conficker.C addendum -- this has been driving the April 1st hype. http://mtc.sri.com

RE: The Confiker Virus.

2009-03-29 Thread Joe Blanchard
nog@nanog.org > Subject: RE: The Confiker Virus.

RE: The Confiker Virus.

2009-03-29 Thread Matthew Huff
[mailto:jbfixu...@gmail.com] Sent: Sunday, March 29, 2009 7:43 PM To: nanog@nanog.org Subject: The Confiker Virus. Anyone have a copy of this? Would like to analyze it and understand its propagation. Thanks -Joe

RE: The Confiker Virus.

2009-03-29 Thread Barry Raveendran Greene
Visit the authority: http://www.confickerworkinggroup.org/wiki/ > -Original Message- > From: Joe Blanchard [mailto:jbfixu...@gmail.com] > Sent: Sunday, March 29, 2009 4:43 PM > To: nanog@nanog.org > Subject: The Confiker Virus. > > > Anyone have a copy of thi

The Confiker Virus.

2009-03-29 Thread Joe Blanchard
Anyone have a copy of this? Would like to analyze it and understand its propagation. Thanks -Joe