Nmap Development mailing list archives

Re: Nmap 4.85BETA8 Released!


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 22 Apr 2009 20:10:58 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 22 Apr 2009 16:03:47 -0400
Ionreflex <ionreflex () gmail com> wrote:

...snip... 
> I had the impression all the "little" worm did on April Fools was the
> "ET phone home" subroutine and nobody answered the call; then again
> I've talked with two consultants who said they've had to deal with an
> outbreak... but was it really Conficker? Guess we'll never know!


The media always seems to make a big deal out of date triggers in
malware.  The only change between pre-April 1 and post-April 1 was that
the domain generation routine changed from 250 random domains per day
to 50,000.  People got excited/worried because it was easy to handle
250 a day but not 50k a day.

The Conficker authors have been using the P2P network to push updates
and they could have done this pre-April 1 because the P2P network was
running then too.

So updating via the random domains didn't have to happen *on* April 1
but any day then or after.  Updating via the P2P network can happen any
time.  The media thought there was going to be fireworks or something
and when nothing interesting happened on April 1 a lot of reporters and
casual followers felt let down or duped.

Conficker is still a big deal and people should make sure they don't
have any infections.  Thanks to Ron that's pretty easy to do.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)

iEYEARECAAYFAknveeQACgkQqaGPzAsl94Ko8ACgoearjNLxBkHf7IF9LAMuqWAZ
IBwAoJdBIGv2775wIDT+O7qxXSm1Pj+5
=tNl3
-----END PGP SIGNATURE-----
