[AusNOG] Conficker virus variants and April 1st
Richard Billington
richard at auscert.org.au
Tue Mar 31 10:18:23 EST 2009
Hi Andrew and all,
Thought this may be of interest in relation to identification.
Researchers have found that Conficker leaves a fingerprint because of how
it changes the Windows network stack. This fingerprint can be checked for
with tools such as nmap.
Nmap has released a new (beta) release that enables detecting Conficker infections
just by scanning the network.
For more information (including commands for Conficker scanning) see:
http://insecure.org/
An original tool (before it was added into nmap) is also available:
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
And further info can be found at these sites:
http://www.honeynet.org/
(https://www.honeynet.org/node/389)
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Happy Scanning
Regards,
Richard
--
Security Analyst | Hotline: +61 7 3365 4417
AusCERT | Fax: +61 7 3365 7031
Australia's National CERT | WWW: www.auscert.org.au
Brisbane QLD Australia | Email: auscert at auscert.org.au
> Having noticed some of our guest users infected with the Conficker
> virus, I've been working on methods to block access and identify
> internal users of ours that are infected with the Conficker virus variants.
> Before anyone notes I should be managing these computers better with
> virus updates etc: Note that we [AccessPlus] provide transient user
> access.. hotspots and the like so *nyah!* :-)
>
> Has anyone else been looking at this in their own networks?
> If not, as it stands the current variant (Conficker.C) is poised to
> become active on April 1st, however we have no knowledge of exactly what
> the system will do when all computers come online.
>
> There's quite a bit of detail on the variants available online, including
> a pre-predicted list of 250 domains per day that variants A and B try to
> phone home to -
> http://blogs.technet.com/msrc/archive/2009/02/12/conficker-domain-information.aspx
>
> As for variant C, it generates a list of 50,000 domains each day and
> attempts to connect to 500 of those.
> Full info on variant C can be found -
> http://mtc.sri.com/Conficker/addendumC/index.html
>
> ---
> One of the most devious things I've discovered in my quest to block
> conficker for my users is the way the DNS system on Conficker.C works,
> dropping duplicated IPs (obvious spoofing from an ISP's side) or any
> IPs from an internal blacklist -
> http://mtc.sri.com/Conficker/addendumC/appendix2.html
> ---
>
> Regards,
> Andrew Cox
> AccessPlus HNA
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
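A defender-side complement to the nmap fingerprint check, added here as an example and not code from either message or from AusCERT: a small Python script that looks in a resolver log for the query pattern Andrew describes for Conficker.C (hundreds of connection attempts per day against freshly generated names, most of which never resolve) by flagging clients whose distinct queried names are mostly NXDOMAIN. The log format, client addresses and domain names are constructed (the names are not real Conficker domains), and the thresholds are placeholders to tune against the site's own baseline.

```python
import re
from collections import defaultdict

# Constructed resolver log lines in a BIND-style query-log format with an
# assumed trailing "rcode=" field added by the log pipeline; no real traffic.
DNS_LOG = """\
31-Mar-2009 09:00:01 client 10.1.5.20#1025: query: www.auscert.org.au IN A rcode=NOERROR
31-Mar-2009 09:00:02 client 10.1.5.20#1026: query: lists.ausnog.net IN A rcode=NOERROR
31-Mar-2009 09:00:03 client 10.1.5.20#1027: query: www.auscert.org.au IN A rcode=NOERROR
31-Mar-2009 09:00:04 client 10.1.5.77#1040: query: qhwtbmfr.info IN A rcode=NXDOMAIN
31-Mar-2009 09:00:05 client 10.1.5.77#1041: query: zvpkeyatl.com IN A rcode=NXDOMAIN
31-Mar-2009 09:00:06 client 10.1.5.77#1042: query: mbrqtzcw.net IN A rcode=NXDOMAIN
31-Mar-2009 09:00:07 client 10.1.5.77#1043: query: xoplwnqe.org IN A rcode=NXDOMAIN
31-Mar-2009 09:00:08 client 10.1.5.77#1044: query: www.google.com IN A rcode=NOERROR
31-Mar-2009 09:00:09 client 10.1.5.77#1045: query: ktsjvbyhd.biz IN A rcode=NXDOMAIN
"""

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN \w+ rcode=(?P<rcode>\w+)")

def parse_queries(log_text):
    """Yield (client_ip, qname, rcode) for each parseable query line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").lower(), m.group("rcode")

def summarise_clients(log_text):
    """Per client: total queries, distinct names, and distinct names that got NXDOMAIN."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "nx_names": set()})
    for client, qname, rcode in parse_queries(log_text):
        s = stats[client]
        s["total"] += 1
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nx_names"].add(qname)
    return stats

def flag_dga_suspects(log_text, min_distinct=5, min_nx_ratio=0.6):
    """Return sorted client IPs whose distinct-name count and NXDOMAIN share both
    reach the thresholds (placeholder values; tune to the resolver's baseline)."""
    suspects = []
    for client, s in summarise_clients(log_text).items():
        distinct = len(s["names"])
        nx_ratio = len(s["nx_names"]) / distinct if distinct else 0.0
        if distinct >= min_distinct and nx_ratio >= min_nx_ratio:
            suspects.append(client)
    return sorted(suspects)
```

Run over a full day's log the thresholds should be far higher than in the sample, since Andrew's figure of 500 attempts per day per host is the order of magnitude to look for.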