Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: Emilio Valente <evalente () SDSC EDU>
Date: Tue, 31 Mar 2009 10:04:17 -0700

Do you have the source of those statistics?
I would like to see the procedure of the "comprehensive test".
Thanks.


Emilio Valente
Information System Security Officer
CCNP, GCFA, GCUX, GCIH gold, GREM, GSNA, GSPA,
GLDR, GHTQ, GWAS, SSP-MPA, GPCI, GCIA gold, GSEC gold
San Diego Supercomputer Center www.sdsc.edu
858.822-0928
858.534.5191





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis 
Meharchand
Sent: Tuesday, March 31, 2009 8:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Believing that Anti-Virus/Endpoint Security Solutions can reliably detect known malware is itself a false positive.
In a recent comprehensive test on known malware Symantec failed 17.6% of the time and McAfee 22.3% of the time - they
failed to detect malware that they knew about.

We can assume that they fail near 100% of the time on new unknown malware.

Here's a revised mitigation list:

1. Lock it up (the boot image) to eliminate drive-by attacks

2. Patch (not that necessary if 1. is done, but still a good thing)

3. Endpoint Software Solutions (mostly do nothing but make folks feel good) - an occasional full disk scan may have
some benefit

Dennis Meharchand
CEO, Valt.X Technologies Inc.
Cell: 416-618-4622
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jerry 
Sell
Sent: March 31, 2009 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

There are three things that mitigate the Conficker worm.

1. Up-to-date virus protection. All of the major vendors and most of the small vendors have signatures that will
detect and remove Conficker.

2. Up-to-date patches or blocking for port 445.

3. Having Autorun disabled for USB devices.

We have not detected anything so far using the scs scanner, but we have all three of these in place.

Thank you,

Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu<mailto:Jerry_Sell () byu edu>
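The three mitigations in the message above map to three host-level checks. The script below is an added example, not code from the thread or from any of the posters; it audits a single Windows host for all three and, with -Fix, applies the registry and firewall settings. Assumptions are labelled in the comments: MS08-067 is identified by its hotfix ID KB958644, the Autorun policy is the NoDriveTypeAutoRun value under the Explorer policy key (0xFF disables Autorun for every drive type; on XP/2003 KB967715 is needed for that value to be honoured reliably), and Windows Firewall is queried through netsh advfirewall, which requires Vista/2008 or later and PowerShell 2.0 or later for Get-HotFix. It does not replace a network scan; it answers the complementary question of whether a host that scanned clean is actually protected.

```powershell
# Added example (not part of the original thread): audit a Windows host for the
# three Conficker mitigations listed above, optionally fixing 2 and 3.
# Run from an elevated PowerShell prompt; -Fix changes registry and firewall state.
param(
    [switch]$Fix
)

$results = [ordered]@{}

# 1. Patch state. Assumption: MS08-067, the netapi32 RPC hole Conficker exploits over
#    TCP 445, ships as hotfix KB958644. Get-HotFix reads Win32_QuickFixEngineering.
$ms08067 = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object { $_.HotFixID -eq 'KB958644' }
$results['MS08-067 (KB958644) installed'] = [bool]$ms08067

# 2. Autorun. Assumption: NoDriveTypeAutoRun = 0xFF under the Explorer policy key
#    disables Autorun for all drive types; the machine key is checked first, then the
#    current user. Conficker spreads via autorun.inf on removable media.
$explorerPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorunOff = $false
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive $explorerPolicy
    $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($v -eq 0xFF) { $autorunOff = $true }
}
if (-not $autorunOff -and $Fix) {
    $key = Join-Path 'HKLM:' $explorerPolicy
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    $autorunOff = $true
}
$results['Autorun disabled (NoDriveTypeAutoRun=0xFF)'] = $autorunOff

# 3. Port 445. Two observations: is something listening on 445 at all, and is the
#    Windows Firewall on for the active profile so unsolicited inbound SMB is dropped
#    unless a rule allows it. With -Fix an explicit inbound block rule is added;
#    note that this also blocks legitimate file sharing to this host.
$listening = netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING' -Quiet
$results['TCP 445 listening'] = [bool]$listening

$fwState = netsh advfirewall show currentprofile state 2>$null
$fwOn = [bool]($fwState -match 'State\s+ON')
if (-not $fwOn -and $Fix) {
    netsh advfirewall set currentprofile state on | Out-Null
    $fwOn = $true
}
if ($Fix) {
    netsh advfirewall firewall add rule name="Block inbound SMB 445 (Conficker)" `
        dir=in action=block protocol=TCP localport=445 | Out-Null
}
$results['Windows Firewall on (current profile)'] = $fwOn

# Report: anything False (or 445 listening on an unfirewalled host) needs attention.
$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $_.Value
}
```

A host with the patch missing is exploitable regardless of the other two settings, so treat the first line of the report as the gating result; the firewall and Autorun checks cover the two remaining spread vectors (network and removable media) and are what keep an unpatched host from being reached in the first place.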


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harris, 
Michael C.
Sent: Tuesday, March 31, 2009 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Using both the Python scs scanner and the Nmap method we have had unbelievable results as well.  Enough to make me
question both scanning methods.  I have not yet infected a machine in quarantine and scanned it to prove the false
negative. If I can prove that either way I'll post again later today.

Mike
University of Missouri

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Consolvo, Corbett D
Sent: Tuesday, March 31, 2009 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Conflicker/NMAP
I realize many folks may not want to answer this, but has anyone had many positives/infections with the released nmap 
scan for Conflicker?  So far we seem to be coming up clean and many other folks I've talked to or emailed with have 
come up clean as well.  I'm just concerned about the possibility of false negatives.  Of course, the problem may not be 
particularly wide-spread except in the eyes of some media outlets.

Thanks,
Corbett Consolvo
Texas State University
