On Apr 1, 2009, at 12:01 PM, Jason Iannone wrote:
What's the virus doing with all of those domain names?
http://lmgtfy.com/?q=conficker
On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein
wrote:
Of the 50,000 DNS names generated for today ..
Additional info ..
Top 10 ASN by number/nam
What's the virus doing with all of those domain names?
Domain names are enumerated at random (based on date) as a way around
hard-coding an IP/domain that could be easily taken down. The domain
names are used for the command & control of the worm, and presumably at
least one of them will
On Wed, Apr 01, 2009 at 10:01:29AM -0600, Jason Iannone wrote:
> What's the virus doing with all of those domain names?
Paul Vixie gave a presentation at the IEPG meeting before IETF 74. I
don't think the IEPG meeting notes are up yet (they would be very
informative if they were)...I don't preten
What's the virus doing with all of those domain names?
On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein
wrote:
>
>> Of the 50,000 DNS names generated for today ..
>
> Additional info ..
>
> Top 10 ASN by number/name :
>
> 5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc. 2820 -- 1668
Of the 50,000 DNS names generated for today ..
Additional info ..
Top 10 ASN by number/name :
5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc.
2820 -- 1668 AOL-ATDN - AOL Transit Data Network
2737 -- 23028 TEAM-CYMRU - Team Cymru Inc.
404 -- 760 University of Vienna, A
Is anyone aware of any network-based signatures that could be used to
identify and tag IP traffic, for dropping at the ingress/egress points?
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Has snort sigs for .A and .B variants .. haven't seen one for .C yet,
but there i
See http://honeynet.org/node/388 for snort signatures for .a and .b
variants.
- d.
On Tue, 31 Mar 2009, Steven Fischer wrote:
Is anyone aware of any network-based signatures that could be used to
identify and tag IP traffic, for dropping at the ingress/egress points?
On Tue, Mar 31, 2009
Is anyone aware of any network-based signatures that could be used to
identify and tag IP traffic, for dropping at the ingress/egress points?
On Tue, Mar 31, 2009 at 9:41 AM, JoeSox wrote:
> I am uncertain also. I scan a subnet on my network with Axence
> NetTools looking for 445 port and I rece
I am uncertain also. I scan a subnet on my network with Axence
NetTools looking for 445 port and I receive some hits. I perform a
netstat -a some of those results but don't really see any 445
activity. The SCS script doesn't find anything either. The PCs are
patched and virusscan updated. One PC
From what I can find with the nmap way, you don't want to see *Conficker:
LIKELY INFECTED* or *Conficker: VULNERABLE*.
2009/3/31 JoeSox
> I forgot to mention that I have had python-crypto already installed
> before I posted. I was still getting the WARNING.
> --
> Joe
>
> On Mon, Mar 30, 2009 a
On Tue, Mar 31, 2009 at 09:22:32AM -0400, Steven M. Bellovin wrote:
Honeynet Project has released Know Your Enemy: Containing Conficker:
Our "Know Your Enemy: Containing Conficker" whitepaper was released on March
30th as a PDF only. You can download the full paper from the link belo
I forgot to mention that I have had python-crypto already installed
before I posted. I was still getting the WARNING.
--
Joe
On Mon, Mar 30, 2009 at 11:10 PM, David Tebbutt
wrote:
> you need to add python-crypto with whatever package manager your OS
> uses,
> yast line in suse:
>
> │python-crypto
Also see
http://arstechnica.com/security/news/2009/03/new-method-for-detecting-conficker-discovered-debuted.ars
ginal Message-
> From: David Tebbutt [mailto:da...@sunshadeseyewear.com.au]
> Sent: Tuesday, March 31, 2009 2:10 AM
> To: Paul Ferguson; JoeSox
> Cc: nanog@nanog.org
> Subject: Re: The Confiker Virus.
>
> you need to add python-crypto with whatever package manager your O
sunshadeseyewear.com.au]
> Sent: Tuesday, March 31, 2009 2:10 AM
> To: Paul Ferguson; JoeSox
> Cc: nanog@nanog.org
> Subject: Re: The Confiker Virus.
>
> you need to add python-crypto with whatever package manager your OS uses,
> yast line in suse:
>
> |python-crypto
yewear.com.au]
Sent: Tuesday, March 31, 2009 2:10 AM
To: Paul Ferguson; JoeSox
Cc: nanog@nanog.org
Subject: Re: The Confiker Virus.
you need to add python-crypto with whatever package manager your OS uses,
yast line in suse:
|python-crypto |2.0.1 |2.0.1
|Collect
you need to add python-crypto with whatever package manager your OS
uses,
yast line in suse:
│python-crypto │2.0.1 │2.0.1
│Collection of cryptographic algorithms and protocols, implemented
for use from Python
d
>>> JoeSox 31/03/09 8:46 am >>>
Has anyone tried th
Stasiniewicz, Adam wrote:
So from a network operational perspective, unless the virus author
decides to launch a DDOS on a single target (and one is either that
network or its upstream) I predict this will have little, if any, effect.
Agreed.
Although being ready to answer your abuse mail t
Just FYI - I had a pretty high ratio of properly conficker-infected
honeypots identified vs. false positives ratio, using nessus'
appropriate signature, whereas I could never get the py script to
properly run on my macbook pro ...
-- Stefan
On 3/30/09, JoeSox wrote:
> Has anyone tried the Python
Has anyone tried the Python scs Network Scanner script?
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
I have installed Impacket-0.9.6.0 library but it throws the following warning
"WARNING: Crypto package not found. Some features will fail."
Does anyone know if this affects th
o manage things). The AV folk have done that for a long
time and it's been reasonably well accepted.
- S
-Original Message-
From: Stasiniewicz, Adam
Sent: Monday, March 30, 2009 09:11
To: nanog@nanog.org ; 'Gadi Evron' ; 'Joe
Blanchard'
Subject: RE: The Confi
On Sun, Mar 29, 2009 at 5:16 PM, Richard Golodner
wrote:
>
>Joe said earlier today:
>> Thanks, the only thing is that these, like most, websites are very vague
> about the mechanics behind the infiltration
>
>Joe, the SRI report would
uxbox.org]
Sent: Monday, March 30, 2009 7:44 AM
To: Joe Blanchard
Cc: nanog@nanog.org
Subject: The Confiker Virus hype and measures
Joe Blanchard wrote:
> Anyone have a copy of this? Would like to analyze it and understand its
> propagation.
>
> Thanks
> -Joe
I'm s
Joe Blanchard wrote:
Anyone have a copy of this? Would like to analyze it and understand its
propagation.
Thanks
-Joe
I'm sure someone sent you a sample by now. As to the malware itself...
I haven't personally been following conficker as I've been busy with
other issues (as much as possible,
Joe said earlier today:
> Thanks, the only thing is that these, like most, websites are very vague
about the mechanics behind the infiltration
Joe, the SRI report would be right up your alley as it is the most
technical in its analysis of the variants A and B as well as an
On Sun, Mar 29, 2009 at 4:54 PM, Matthew Huff wrote:
> SRI has a detailed analysis of Conficker at
> http://mtc.sri.com/Conficker/
>
The most relevant section is the Conficker.C addendum -- this has been driving
the April 1st hype.
http://mtc.sri.com
nog@nanog.org
> Subject: RE: The Confiker Virus.
[mailto:jbfixu...@gmail.com]
Sent: Sunday, March 29, 2009 7:43 PM
To: nanog@nanog.org
Subject: The Confiker Virus.
Anyone have a copy of this? Would like to analyze it and understand its
propagation.
Thanks
-Joe
Visit the authority: http://www.confickerworkinggroup.org/wiki/
> -Original Message-
> From: Joe Blanchard [mailto:jbfixu...@gmail.com]
> Sent: Sunday, March 29, 2009 4:43 PM
> To: nanog@nanog.org
> Subject: The Confiker Virus.
>
>
> Anyone have a copy of thi
Anyone have a copy of this? Would like to analyze it and understand its
propagation.
Thanks
-Joe