Penetration Testing mailing list archives

[Suspected Spam] RE: Conficker - your opinion on how to determine the source of infection on a given network


From: Adrián Auguet <adrco () tutopia com>
Date: Mon, 17 Aug 2009 09:48:22 -0300

Hi Tiflin, I think you may try Contest from McAfee.

Regards.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Juan Luis Susillo
Sent: Sunday, 16 August 2009 13:07
To: Tiflin, Conrad (ZA - Cape Town)
Cc: pen-test () securityfocus com; madunix
Subject: Re: Conficker - your opinion on how to determine the source of
infection on a given network

Maybe you can sniff all traffic over the entire network using
Wireshark. If a computer is generating a lot of DNS requests (rare
domain names), surely the computer is infected by the Conficker worm.

Regards.

2009/8/15 Fabien Vincent <fabvincent () gmail com>:
Hi Tiflin Conrad,

You can check the working group website about Conficker. There's all
information you need about Conficker/Kido/Downadup.
http://www.confickerworkinggroup.org/wiki/

You should check first computers running an HTTP server on a non-reserved
port (as you said), and second, check SSDP announcements over UDP
multicast (a kind of HTTP protocol used by UPnP on port 1900).
Third, if you have captured network traffic, SMB connections containing
shellcode (with Snort rules on Conficker and ngrep you will find it in
your pcap files).

There's also an HTTP/1.1 GET made by Conficker to popular servers in
order to check Date/Time, but for this you have to view HTTP logs from a
proxy, for example.

You can find a pdf from Symantec about Downadup (Conficker on Symantec
AV), which explains new variants and more ...

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

./FV

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



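The DNS-volume heuristic from Juan Luis Susillo's reply above, worked through as an added example (not code from the list or from any of the posters): it counts, per client, the distinct queried domains that fall outside a baseline of expected names. The log format is constructed (three whitespace-separated columns) and the `KNOWN_DOMAINS` allowlist is a placeholder for a real organisation's baseline.

```python
"""Flag hosts that query many unfamiliar DNS names (added example).

Input is a constructed query log, one "<timestamp> <client-ip> <qname>"
per line; KNOWN_DOMAINS is a placeholder baseline, not real data.
"""
from collections import defaultdict

# Placeholder baseline of second-level domains this network normally queries.
KNOWN_DOMAINS = {"example.com", "example.net", "windowsupdate.com"}


def second_level(name: str) -> str:
    """Return the last two labels of a name, e.g. 'www.example.com.' -> 'example.com'."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def unfamiliar_domains_per_host(log_text: str) -> dict:
    """Map client IP -> set of distinct second-level domains not in the baseline."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        sld = second_level(qname)
        if sld not in KNOWN_DOMAINS:
            seen[client].add(sld)
    return dict(seen)


def suspicious_hosts(log_text: str, threshold: int = 5) -> list:
    """Clients whose count of distinct unfamiliar domains meets the threshold."""
    counts = unfamiliar_domains_per_host(log_text)
    return sorted(h for h, d in counts.items() if len(d) >= threshold)


# Constructed sample: 10.0.0.7 queries eight random-looking names,
# 10.0.0.12 only queries baseline domains.
SAMPLE_LOG = "\n".join(
    [f"2009-08-16T13:0{i} 10.0.0.7 qzxvlk{i}.info" for i in range(8)]
    + ["2009-08-16T13:09 10.0.0.12 www.example.com",
       "2009-08-16T13:09 10.0.0.12 updates.windowsupdate.com"]
)

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))  # ['10.0.0.7']
```

The threshold and the baseline are the knobs that decide the false-positive rate; a host that legitimately resolves many distinct names (a mail relay, a proxy) needs to be in the baseline or reviewed by hand.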