Educause Security Discussion mailing list archives
Re: Conflicker/NMAP
From: "Harry E Flowers (flowers)" <flowers () MEMPHIS EDU>
Date: Tue, 31 Mar 2009 10:50:56 -0500
I have to disagree with your parenthetical statement on #2... patching is necessary even if you can protect the boot image. Some attacks take place in memory and you'll boot a nice clean system only to have it become infected because it wasn't patched. Also, solutions that allow changes to the disk but revert them on reboot are susceptible to this for disk-based infections. Sure, you only have to reboot to get rid of it, but you're also still open to immediate re-infection until you unlock the image, patch it, and re-lock it (all of which needs to be done off the network once you've gotten behind on patching). Patching is not optional if the system is on a network or even has other media (like thumb drives or CD's) inserted occasionally, which is another way Conficker (see, I got back to something related to the subject line ;-)) spreads. -- Harry Flowers Manager, Systems Software Information Technology Division The University of Memphis From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Meharchand Sent: Tuesday, March 31, 2009 10:30 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Conflicker/NMAP Believing that Anti Virus/Endpoint Security Solutions can reliably detect known malware is itself a false positive. In a recent comprehensive test on known malware Symantec failed 17.6% of the time and McAfee 22.3% of the time - they failed to detect malware that they knew about. We can assume that they fail near 100% of the time on new unknown malware. Here's a revised mitigation list: 1. Lock it up (the boot image) to eliminate drive by attacks 2. Patch (not that necessary if 1. Is done but still a good thing) 3. Endpoint Software Solutions (mostly do nothing but makes folks feel good) - occasional full disk scan may have some benefit Dennis Meharchand CEO, Valt.X Technologies Inc. Cell: 416-618-4622 Tel: 1-800-361-0067, 416-746-6669 Fax: 416-746-2774 Email: dennis () valtx com Web: www.valtx.com From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jerry Sell Sent: March 31, 2009 10:50 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Conflicker/NMAP There are three things that mitigate the Confickr worm. 1. Up to date Virus protection. All of the major vendors and most of the small vendors have signatures that will detect and remove Confickr. 2. Up to date patches or blocking for port 445. 3. Having autorun disabled for USB devices. We have not detected anything so far using the scs scanner, but we have all three of these in place. Thank you, Jerry Sell, CISSP Security Analyst Brigham Young University (801)422-2730 Jerry_Sell () byu edu<mailto:Jerry_Sell () byu edu> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harris, Michael C. Sent: Tuesday, March 31, 2009 8:27 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Conflicker/NMAP Using both the Python scs scanner and the Nmap method we have had unbelievable results as well. Enough to make me question both scanning methods. I have not yet infected a machine in quarantine and scanned it to prove the false negative. if I can prove that either way I'll post again later today. Mike University of Missouri ________________________________ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D Sent: Tuesday, March 31, 2009 9:22 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Conflicker/NMAP I realize many folks may not want to answer this, but has anyone had many positives/infections with the released nmap scan for Conflicker? So far we seem to be coming up clean and many other folks I've talked to or emailed with have come up clean as well. I'm just concerned about the possibility of false negatives. Of course, the problem may not be particularly wide-spread except in the eyes of some media outlets. Thanks, Corbett Consolvo Texas State University
Current thread:
- Re: Conflicker/NMAP, (continued)
- Re: Conflicker/NMAP John Sawyer (Mar 31)
- Re: Conflicker/NMAP Jerry Sell (Mar 31)
- Re: Conflicker/NMAP Pete Hickey (Mar 31)
- Re: Conflicker/NMAP James R. Pardonek (Mar 31)
- Re: Conflicker/NMAP Stanclift, Michael (Mar 31)
- Re: Conflicker/NMAP Dennis Meharchand (Mar 31)
- Re: Conflicker/NMAP David Harley (Mar 31)
- Re: Conflicker/NMAP Basgen, Brian (Mar 31)
- Re: Conflicker/NMAP Stanclift, Michael (Mar 31)
- Re: Conflicker/NMAP Bradley, Stephen W. Mr. (Mar 31)
- Re: Conflicker/NMAP Harry E Flowers (flowers) (Mar 31)
- Re: Conflicker/NMAP David Gillett (Mar 31)
- Re: Conflicker/NMAP Dennis Meharchand (Mar 31)
- Re: Conflicker/NMAP Dexter Caldwell (Mar 31)
- Re: Conflicker/NMAP Mike Iglesias (Mar 31)
- Re: Conflicker/NMAP Scott Dier (Mar 31)
- Re: Conflicker/NMAP David Harley (Mar 31)
- Re: Conflicker/NMAP Rowe, Ken (Mar 31)
- Re: Conflicker/NMAP Emilio Valente (Mar 31)
- Re: Conflicker/NMAP David Harley (Mar 31)
- Re: Conflicker/NMAP Wyman Miles (Mar 31)
(Thread continues...)