Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: Dennis Meharchand <dennis () VALTX COM>
Date: Tue, 31 Mar 2009 12:08:16 -0400

I agree - re: patching - I've just got stuck in my head that the purpose of
any real time executable is to become persistent by infecting the boot
image.

The link to the article I referred to re: stats on known malware tests is
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1280028,00.html

Registration is necessary to get access.



In Canada we also had a major story on the weekend regarding GhostNet:
targeted computers infected with spyware at embassies and NATO, with an
apparent link back to China. Apparently endpoint security was only able to
detect 11 of 100 vectors. Here is a link to the GhostNet story at the Globe
and Mail (it made the front page in Canada):
http://www.theglobeandmail.com/servlet/story/RTGAM.20090329.wcomputerspy0329/BNStory/Technology/home



CBS 60 Minutes also had a Conficker piece out on Sunday. Here is a link to
the 60 Minutes video (an ad by Symantec plays before the video starts):
http://www.cbsnews.com/video/watch/?id=4901282n



Dennis Meharchand
CEO, Valt.X Technologies Inc.
Cell: 416-618-4622
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harry E Flowers
(flowers)
Sent: March 31, 2009 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP



I have to disagree with your parenthetical statement on #2: patching is
necessary even if you can protect the boot image.  Some attacks take place
in memory and you'll boot a nice clean system only to have it become
infected because it wasn't patched.  Also, solutions that allow changes to
the disk but revert them on reboot are susceptible to this for disk-based
infections.  Sure, you only have to reboot to get rid of it, but you're also
still open to immediate re-infection until you unlock the image, patch it,
and re-lock it (all of which needs to be done off the network once you've
gotten behind on patching).  Patching is not optional if the system is on a
network or even has other media (like thumb drives or CDs) inserted
occasionally, which is another way Conficker (see, I got back to something
related to the subject line ;-)) spreads.

--
Harry Flowers
Manager, Systems Software
Information Technology Division
The University of Memphis





From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Meharchand
Sent: Tuesday, March 31, 2009 10:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP



Believing that Anti Virus/Endpoint Security Solutions can reliably detect
known malware is itself a false positive.

In a recent comprehensive test on known malware Symantec failed 17.6% of the
time and McAfee 22.3% of the time - they failed to detect malware that they
knew about.



We can assume that they fail near 100% of the time on new unknown malware.



Here's a revised mitigation list:

1. Lock it up (the boot image) to eliminate drive-by attacks
2. Patch (not that necessary if 1. is done but still a good thing)
3. Endpoint Software Solutions (mostly do nothing but make folks feel good); an occasional full disk scan may have some benefit



Dennis Meharchand
CEO, Valt.X Technologies Inc.
Cell: 416-618-4622
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jerry Sell
Sent: March 31, 2009 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP



There are three things that mitigate the Conficker worm.

1. Up-to-date virus protection. All of the major vendors and most of the small vendors have signatures that will detect and remove Conficker.
2. Up-to-date patches, or blocking for port 445.
3. Having autorun disabled for USB devices.



We have not detected anything so far using the scs scanner, but we have all
three of these in place.



Thank you,



Jerry Sell, CISSP
Security Analyst
Brigham Young University
(801)422-2730
Jerry_Sell () byu edu





From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harris, Michael C.
Sent: Tuesday, March 31, 2009 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Conflicker/NMAP



Using both the Python scs scanner and the Nmap method we have had
unbelievable results as well.  Enough to make me question both scanning
methods.  I have not yet infected a machine in quarantine and scanned it to
prove the false negative.  If I can prove that either way I'll post again
later today.



Mike

University of Missouri




From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
Sent: Tuesday, March 31, 2009 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Conflicker/NMAP

I realize many folks may not want to answer this, but has anyone had many
positives/infections with the released nmap scan for Conficker?  So far we
seem to be coming up clean and many other folks I've talked to or emailed
with have come up clean as well.  I'm just concerned about the possibility
of false negatives.  Of course, the problem may not be particularly
widespread except in the eyes of some media outlets.



Thanks,

Corbett Consolvo

Texas State University
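The false-negative worry raised in Corbett's question, and in Mike's note about the Python scs scanner and the Nmap method, usually comes down to one thing: a host that the scanner never actually tested gets counted as "clean". The nmap Conficker check (the `smb-check-vulns` script run against 139/445) can only produce a verdict when 445 is open and the SMB probe completes; hosts with 445 closed or filtered, and hosts where the script answers UNKNOWN, carry no evidence either way. The triage script below is an added example written for this archive; it is not from the thread, from the nmap project, or from the scs scanner. It parses nmap's normal (`-oN`) output and separates INFECTED, CLEAN, UNKNOWN and NOT_CHECKED hosts, and also flags hosts the script reports as MS08-067 VULNERABLE, since those are the unpatched machines Harry describes being reinfected after a clean reboot. The sample output embedded in the block is constructed; the host-header and script-result strings follow the nmap 4.85/5.x format as I recall it, and exact phrasing varies by nmap release, so adjust the regexes to what your own scan printed.

```python
"""Triage nmap Conficker scan output and surface hosts that were never really checked.

Typical scan (save normal output so this script can read it):
  nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oN scan.txt <targets>
"""
import re
import sys

# Constructed sample in the style of nmap normal output. Both the newer
# "Nmap scan report for" and the older "Interesting ports on" host headers
# are included so the parser copes with either nmap release.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT VULNERABLE

Nmap scan report for 10.0.0.6
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT VULNERABLE

Interesting ports on 10.0.0.7:
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 10.0.0.8
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|  Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
|_ regsvc DoS: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?\s*$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker):\s*(.+)$")


def parse_nmap_output(text):
    """Return {host: {"ports": {port: state}, "ms08_067": str|None, "conficker": str|None}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ports": {}, "ms08_067": None, "conficker": None}
            hosts[m.group(1)] = current
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"][int(m.group(1))] = m.group(2)
            continue
        m = SCRIPT_RE.match(line)
        if m:
            key = "ms08_067" if m.group(1) == "MS08-067" else "conficker"
            current[key] = m.group(2).strip()
    return hosts


def classify(entry):
    """Map a parsed host to INFECTED / CLEAN / UNKNOWN / NOT_CHECKED."""
    verdict = entry["conficker"]
    if verdict is None:
        # No Conficker line at all: 445 closed/filtered or the script never ran.
        # Absence of a verdict is not evidence of a clean host.
        return "NOT_CHECKED"
    if verdict.upper().startswith("UNKNOWN"):
        return "UNKNOWN"          # checked first: the UNKNOWN text mentions both CLEAN and INFECTED
    if "INFECTED" in verdict.upper():
        return "INFECTED"
    if "CLEAN" in verdict.upper():
        return "CLEAN"
    return "UNKNOWN"


def triage(text):
    """Bucket every host by verdict and list hosts still missing the MS08-067 patch."""
    summary = {"INFECTED": [], "CLEAN": [], "UNKNOWN": [], "NOT_CHECKED": [], "UNPATCHED": []}
    for host, entry in parse_nmap_output(text).items():
        summary[classify(entry)].append(host)
        if entry["ms08_067"] and entry["ms08_067"].upper().startswith("VULNERABLE"):
            summary["UNPATCHED"].append(host)
    return summary


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for bucket, hosts in triage(text).items():
        print(f"{bucket:12s} {len(hosts):4d}  {' '.join(hosts)}")
```

Run it against a real `-oN` file as `python triage.py scan.txt`. The number to watch is NOT_CHECKED plus UNKNOWN: if most of a subnet lands there because the Windows firewall or a router ACL filters 445 from the scanner's vantage point, a "clean" sweep says nothing, and those hosts need a scan from inside the segment or a host-based check instead. The UNPATCHED list is the set to patch (or keep 445 blocked to) before trusting a clean result, since an unpatched host is one reboot away from reinfection.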

