Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: Dennis Meharchand <dennis () VALTX COM>
Date: Tue, 31 Mar 2009 13:56:28 -0400

Acknowledged - should have said I am a hardware developer.
This past weekend is a turning point - the mainstream media refused to
accept the usual vendor lies - it's not flaming, it's simply the truth from
honest researchers.

Technically we may not be vendors because we have nothing to sell - we
developed the technology - the China Military implemented pretty much all
product we have so we have nothing to sell - if we get funded that could
change.

Dennis Meharchand
CEO, Valt.X Technologies Inc.
Cell: 416-618-4622
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stanclift, Michael
Sent: March 31, 2009 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Glad to see I was not the only one who thought that when I was reading.


Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 31, 2009 10:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Dennis,

 While critiquing software security solutions, you may want to point out
that your company sells hardware security solutions.

 I don't know how many other security vendors are on this list, but your
list item #3 is flame bait. Please refrain from doing that.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College




From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Meharchand
Sent: Tuesday, March 31, 2009 8:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Believing that Anti Virus/Endpoint Security Solutions can reliably detect
known malware is itself a false positive.
In a recent comprehensive test on known malware Symantec failed 17.6% of the
time and McAfee 22.3% of the time - they failed to detect malware that they
knew about.

We can assume that they fail near 100% of the time on new unknown malware.

Here's a revised mitigation list:
1. Lock it up (the boot image) to eliminate drive by attacks
2. Patch (not that necessary if 1. is done, but still a good thing)
3. Endpoint Software Solutions (mostly do nothing but make folks feel good)
- occasional full disk scan may have some benefit

Dennis Meharchand
CEO, Valt.X Technologies Inc.
Cell: 416-618-4622
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jerry Sell
Sent: March 31, 2009 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

There are three things that mitigate the Conficker worm.

1. Up to date virus protection. All of the major vendors and most of the
small vendors have signatures that will detect and remove Conficker.
2. Up to date patches or blocking for port 445.
3. Having autorun disabled for USB devices.

We have not detected anything so far using the scs scanner, but we have all
three of these in place.

Thank you,

Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harris, Michael C.
Sent: Tuesday, March 31, 2009 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP

Using both the Python scs scanner and the Nmap method we have had
unbelievable results as well. Enough to make me question both scanning
methods. I have not yet infected a machine in quarantine and scanned it to
prove the false negative. If I can prove that either way I'll post again
later today.

Mike
University of Missouri

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
Sent: Tuesday, March 31, 2009 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Conflicker/NMAP

I realize many folks may not want to answer this, but has anyone had many
positives/infections with the released nmap scan for Conficker? So far we
seem to be coming up clean and many other folks I've talked to or emailed
with have come up clean as well. I'm just concerned about the possibility
of false negatives. Of course, the problem may not be particularly
widespread except in the eyes of some media outlets.

Thanks,
Corbett Consolvo
Texas State University
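
Added example, not from this thread or from Nmap's own code: a Python triage of Nmap XML output (-oX) from the smb-check-vulns script that only counts a host as clean when the SMB probe actually ran and returned a CLEAN verdict, so a "we came up clean" sweep also states how many hosts were never tested. The script id is Nmap's; the verdict strings, addresses and scan output are assumed and constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) for four hosts scanned with the smb-check-vulns
# script; the "Conficker: Likely CLEAN/INFECTED/UNKNOWN" strings are assumed to
# match that script's wording of the time. Nothing here is from a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/>
<script id="smb-check-vulns" output="MS08-067: NOT VULNERABLE&#xa;Conficker: Likely CLEAN"/>
</port></ports></host>
<host><address addr="10.0.0.12" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/>
<script id="smb-check-vulns" output="MS08-067: VULNERABLE&#xa;Conficker: Likely INFECTED"/>
</port></ports></host>
<host><address addr="10.0.0.13" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
<host><address addr="10.0.0.14" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/>
<script id="smb-check-vulns" output="Conficker: UNKNOWN; not Windows"/>
</port></ports></host>
</nmaprun>"""

def classify_hosts(xml_text):
    """Return {address: 'infected' | 'clean' | 'inconclusive'}.
    Only an explicit CLEAN verdict from an open 445 counts as clean; a filtered
    or closed port, a missing script result or UNKNOWN means the probe never
    tested the host, and calling it clean would be a false negative."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        verdict = "inconclusive"
        for port in host.findall("ports/port[@portid='445']"):
            if port.find("state").get("state") != "open":
                continue  # no SMB conversation happened, so no evidence either way
            out = " ".join(s.get("output", "")
                           for s in port.findall("script[@id='smb-check-vulns']"))
            if "Conficker: Likely INFECTED" in out:
                verdict = "infected"
            elif "Conficker: Likely CLEAN" in out:
                verdict = "clean"
        results[addr] = verdict
    return results

def coverage(results):
    """Count verdicts so a report also states how many hosts were never tested."""
    return {k: sum(v == k for v in results.values())
            for k in ("infected", "clean", "inconclusive")}

if __name__ == "__main__":
    verdicts = classify_hosts(SAMPLE_NMAP_XML)
    print(verdicts, coverage(verdicts))
```

Hosts listed as inconclusive are the ones to re-check by another route (host-based scan or after opening 445 from the scanner) before the sweep is reported as clean.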
