Re: The Confiker Virus.

["Dominic J. Eidson" <sauron () the-infinite org>]

See http://honeynet.org/node/388 for snort signatures for .a and .b 
variants.


 - d.

On Tue, 31 Mar 2009, Steven Fischer wrote:

> Is anyone aware of any network-based signatures that could be used to
> identify and tag IP traffic, for dropping at the ingress/egress points?
>
> On Tue, Mar 31, 2009 at 9:41 AM, JoeSox <joesox () gmail com> wrote:
>
> > I am uncertain also. I scan a subnet on my network with Axence
> > NetTools looking for 445 port and I receive some hits. I perform a
> > netstat -a some of those results but don't really see any 445
> > activity.  The SCS script doesn't find anything either.  The PCs are
> > patched and virusscan updated. One PC when I connected to it did not
> > navigate to Windowsupdate website. I scheduled a Full McAfee scan as
> > their documentation suggests
> > (
> > http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf
> > ),
> > and sometime through the scan I was able to reach windowsupdate. I
> > don't know if it was a coincidence or not that I was not able to reach
> > the website.  I haven't looked into the registry and any other places
> > for evidence of conficker. I will probably today but I am afraid it
> > maybe a waste of time since they are already patched and updated.
> > --
> > Joe
> >
> >
> >
> > On Tue, Mar 31, 2009 at 5:48 AM, Eric Tykwinski <eric-list () truenet com>
> > wrote:
> > > Joe,
> > > Here's the link for the Python Crypto toolkit:
> > > http://www.amk.ca/python/code/crypto.html
> > >
> > > I scanned our internal network and didn't find anything, so I can't
> > really
> > > vouch for it's reliablity though.

--
Dominic J. Eidson
                                     "Baruk Khazad! Khazad ai-menu!" - Gimli
----------------------------------------------------------------------------
                                               http://www.dominiceidson.com/