The Confiker Virus.

Dominic J. Eidson sauron at the-infinite.org
Tue Mar 31 15:43:19 CDT 2009


See http://honeynet.org/node/388 for snort signatures for .a and .b 
variants.


  - d.

On Tue, 31 Mar 2009, Steven Fischer wrote:

> Is anyone aware of any network-based signatures that could be used to
> identify and tag IP traffic, for dropping at the ingress/egress points?
>
> On Tue, Mar 31, 2009 at 9:41 AM, JoeSox <joesox at gmail.com> wrote:
>
>> I am uncertain also. I scan a subnet on my network with Axence
>> NetTools looking for 445 port and I receive some hits. I perform a
>> netstat -a some of those results but don't really see any 445
>> activity.  The SCS script doesn't find anything either.  The PCs are
>> patched and virusscan updated. One PC when I connected to it did not
>> navigate to Windowsupdate website. I scheduled a Full McAfee scan as
>> their documentation suggests
>> (
>> http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf
>> ),
>> and sometime through the scan I was able to reach windowsupdate. I
>> don't know if it was a coincidence or not that I was not able to reach
>> the website.  I haven't looked into the registry and any other places
>> for evidence of conficker. I will probably today but I am afraid it
>> maybe a waste of time since they are already patched and updated.
>> --
>> Joe
>>
>>
>>
>> On Tue, Mar 31, 2009 at 5:48 AM, Eric Tykwinski <eric-list at truenet.com>
>> wrote:
>> > Joe,
>>>
>>> Here's the link for the Python Crypto toolkit:
>>> http://www.amk.ca/python/code/crypto.html
>>>
>>> I scanned our internal network and didn't find anything, so I can't
>> really
>>> vouch for it's reliablity though.
>>
>>
>
>
>

-- 
Dominic J. Eidson
                                      "Baruk Khazad! Khazad ai-menu!" - Gimli
----------------------------------------------------------------------------
                                                http://www.dominiceidson.com/




More information about the NANOG mailing list