Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: David Harley <dharley () SMALLBLUE-GREENWORLD CO UK>
Date: Tue, 31 Mar 2009 18:30:15 +0100

http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1280028,00.html

I don't think the test supports Dennis's conclusions, but this may not be
the place for that discussion. I certainly don't want to get into a squabble
between vendors on-list: that would certainly be an argument for not
allowing access to non-academics.

--
David Harley BA CISSP FBCS CITP
ESET


________________________________

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Emilio Valente
        Sent: 31 March 2009 18:04
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Conflicker/NMAP
        
        

        Do you have the source of those statistics?

        I would like to see the procedure of the "comprehensive test".

        Thanks.

        Emilio Valente

        Information System Security Officer

        CCNP, GCFA, GCUX, GCIH gold, GREM, GSNA, GSPA,

        GLDR, GHTQ, GWAS, SSP-MPA, GPCI, GCIA gold, GSEC gold

        San Diego Supercomputer Center www.sdsc.edu

        858.822-0928

        858.534.5191

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Meharchand
        Sent: Tuesday, March 31, 2009 8:30 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Conflicker/NMAP

        

        Believing that Anti Virus/Endpoint Security Solutions can reliably
detect known malware is itself a false positive.

        In a recent comprehensive test on known malware Symantec failed
17.6% of the time and McAfee 22.3% of the time - they failed to detect
malware that they knew about.

        

        We can assume that they fail near 100% of the time on new unknown
malware.

        

        Here's a revised mitigation list:

        1. Lock it up (the boot image) to eliminate drive-by attacks

        2. Patch (not that necessary if 1. is done, but still a good
thing)

        3. Endpoint Software Solutions (mostly do nothing but make
folks feel good) - an occasional full disk scan may have some benefit

        

        Dennis Meharchand

        CEO, Valt.X Technologies Inc.

        Cell: 416-618-4622

        Tel: 1-800-361-0067, 416-746-6669

        Fax: 416-746-2774

        Email: dennis () valtx com

        Web: www.valtx.com

        

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jerry Sell
        Sent: March 31, 2009 10:50 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Conflicker/NMAP

        

        There are three things that mitigate the Conficker worm.

        

        1. Up to date virus protection. All of the major vendors and
most of the small vendors have signatures that will detect and remove
Conficker.

        2. Up to date patches or blocking for port 445.

        3. Having autorun disabled for USB devices.

        

        We have not detected anything so far using the scs scanner, but we
have all three of these in place.

        

        Thank you,

        

        Jerry Sell, CISSP

        Security Analyst

        Brigham Young University

        (801)422-2730

        Jerry_Sell () byu edu

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Harris, Michael C.
        Sent: Tuesday, March 31, 2009 8:27 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Conflicker/NMAP

        

        Using both the Python scs scanner and the Nmap method we have had
unbelievable results as well. Enough to make me question both scanning
methods. I have not yet infected a machine in quarantine and scanned it to
prove the false negative. If I can prove that either way I'll post again
later today.

        

        Mike

        University of Missouri

        

        ________________________________

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
        Sent: Tuesday, March 31, 2009 9:22 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Conflicker/NMAP

        I realize many folks may not want to answer this, but has anyone had
many positives/infections with the released nmap scan for Conflicker? So
far we seem to be coming up clean, and many other folks I've talked to or
emailed with have come up clean as well. I'm just concerned about the
possibility of false negatives. Of course, the problem may not be
particularly widespread except in the eyes of some media outlets.

        

        Thanks,

        Corbett Consolvo

        Texas State University



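The thread's worry is that "coming up clean" may only mean the check never ran (port 445 filtered, script skipped). The following is an added example, not part of any message in this thread, that triages Nmap output so hosts without a verdict are reported as unverified rather than clean. It assumes a host-script result line of the form `Conficker: ...`, modelled on the smb-check-vulns output of the time; the sample scan output is constructed.

```python
import re
from collections import Counter

# Constructed sample Nmap normal-format output; the "Conficker:" verdict line is
# modelled on the smb-check-vulns host-script result (an assumption, not a capture).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.11
445/tcp open  microsoft-ds
Host script results:
|_  Conficker: Likely INFECTED

Nmap scan report for 10.0.0.12
445/tcp open  microsoft-ds
Host script results:
|_  Conficker: Likely CLEAN

Nmap scan report for 10.0.0.13
445/tcp filtered microsoft-ds

Nmap scan report for 10.0.0.14
445/tcp open  microsoft-ds
Host script results:
|_  Conficker: UNKNOWN; not Windows, or browser service disabled (CLEAN)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
VERDICT_RE = re.compile(r"Conficker:\s*(.+)")

def classify(verdict):
    """Map one verdict string (None when the check never ran) to a bucket."""
    if verdict is None:
        return "unverified"   # 445 filtered / script did not run: no evidence
    if verdict.startswith("UNKNOWN"):
        return "unknown"
    if "INFECTED" in verdict:
        return "infected"
    return "clean" if "CLEAN" in verdict else "unknown"

def triage(nmap_text):
    """Return {host: bucket} for every 'Nmap scan report' block."""
    parts = HOST_RE.split(nmap_text)[1:]      # host, body, host, body, ...
    results = {}
    for host, body in zip(parts[::2], parts[1::2]):
        m = VERDICT_RE.search(body)
        results[host] = classify(m.group(1).strip() if m else None)
    return results

def summarize(results):
    """Bucket counts; anything not 'clean' or 'infected' needs follow-up."""
    return dict(Counter(results.values()))
```

Hosts in the "unverified" and "unknown" buckets are the ones a clean-looking scan silently hides; they need a second method (the scs scanner, an on-host check) before being counted as clean.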