Re: Conficker - your opion on how to determine the source of infection on a given network

["Tiflin, Conrad (ZA - Cape Town)" <ctiflin () deloitte co za>]

Quick Question to all.


I would like to identify the SOURCE computer where the "downadup.a" worm variant originated a given network which has 
been infected.

Minimal thinking tells me that I should search for the computer that's running an HTTP server between ports [1024 and 
10000] - the result may be the source.


Anyone else have better ideas to determine the source computer on a network from which conficker originated?


./CT

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of madunix
Sent: 23 February 2009 09:54 AM
To: pen-test () securityfocus com
Subject: Microsoft bounty for worm creator!

http://news.bbc.co.uk/2/hi/technology/7887577.stm
"A reward of $250,000 (£172,000) has been offered by Microsoft to find
who is behind the Downadup/Conficker virus."

--
THE MASTER



Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") 
that must be accessed and read by visiting our website and viewing the webpage at the following address: 
http://www.deloitte.com/za/disclaimer. The Disclaimer is deemed to form part of the content of this email in terms of 
Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, 
please obtain a copy thereof from us by sending an email to zaitservicedesk () deloitte co za.