Penetration Testing mailing list archives
Re: Conficker - your opion on how to determine the source of infection on a given network
From: Juan Luis Susillo <susillo () gmail com>
Date: Sun, 16 Aug 2009 18:07:23 +0200
Maybe you can sniff all traffic over the entire network using Wireshark. If a computer is generating a lot of DNS requests (rare domain names), surely the computer is infected by the Conficker worm.

Regards.

2009/8/15 Fabien Vincent <fabvincent () gmail com>:
Hi Tiflin Conrad,

You can check the working group website about Conficker. There's all the information you need about Conficker/Kido/Downadup. http://www.confickerworkinggroup.org/wiki/

You should check first computers running an HTTP server on a non-reserved port (as you said), and second, check SSDP announcements over UDP multicast (a kind of HTTP protocol used by UPnP on port 1900). Third, if you have captured network traffic, SMB connections containing shellcode (with Snort rules on Conficker and ngrep you will find it in your pcap files). There's also an HTTP/1.1 GET made by Conficker to popular servers in order to check date/time, but for this you have to view HTTP logs from a proxy, for example.

You can find a PDF from Symantec about Downadup (Conficker on Symantec AV), which explains new variants and more ... http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

./FV

------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
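The DNS signal Juan describes (one host generating many lookups for rare, random-looking domain names, most of which do not resolve) can be triaged without staring at a Wireshark capture. The script below is an added example, not code from this thread or from the Conficker Working Group: it reads DNS query records in a constructed, assumed format ("timestamp client-ip qname rcode", as you might export from a resolver log or from a tshark run), counts per client the distinct domains whose registrable label looks machine-generated (long consonant runs or very few vowels) and the NXDOMAIN answers, and flags clients over a threshold. The heuristic, the thresholds and the sample log lines are all assumptions made for illustration.

```python
"""Per-client DNS triage for worm-style domain generation (added example)."""
import re
from collections import defaultdict

# Assumed log format (constructed for this example): "<timestamp> <client-ip> <qname> <rcode>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)

VOWELS = set("aeiou")

# Constructed sample: 10.0.0.7 behaves like a DGA client, 10.0.0.12 like a normal workstation.
SAMPLE_LOG = """
2009-08-16T17:58:01 10.0.0.7 xqvzklwp.com NXDOMAIN
2009-08-16T17:58:02 10.0.0.7 bhtyfkqe.net NXDOMAIN
2009-08-16T17:58:02 10.0.0.7 pzmnlgaw.org NXDOMAIN
2009-08-16T17:58:03 10.0.0.7 ujkxvq.info NXDOMAIN
2009-08-16T17:58:03 10.0.0.7 rtnwsch.biz NXDOMAIN
2009-08-16T17:58:04 10.0.0.7 kwzdqnbv.ws NXDOMAIN
2009-08-16T17:58:05 10.0.0.12 www.google.com NOERROR
2009-08-16T17:58:06 10.0.0.12 www.microsoft.com NOERROR
2009-08-16T17:58:07 10.0.0.12 www.windowsupdate.com NOERROR
2009-08-16T17:58:08 10.0.0.12 www.symantec.com NOERROR
2009-08-16T17:58:09 10.0.0.12 mail.example.org NOERROR
2009-08-16T17:58:10 10.0.0.12 www.google.com NOERROR
2009-08-16T17:58:11 10.0.0.12 www.gooogle.com NXDOMAIN
this line is not in the expected format and is skipped
"""


def registrable_label(qname):
    """Return the label left of the TLD, e.g. 'example' for 'mail.example.org.'."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2]


def random_looking(label, min_len=6, max_vowel_ratio=0.2, max_consonant_run=4):
    """Heuristic (assumption): a long label with almost no vowels or a long consonant run."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < max_vowel_ratio or longest >= max_consonant_run


def triage(log_text):
    """Aggregate per-client counters: total queries, distinct labels, random-looking labels, NXDOMAINs."""
    stats = defaultdict(lambda: {"queries": 0, "distinct": set(), "random": set(), "nxdomain": 0})
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        s = stats[m["src"]]
        s["queries"] += 1
        label = registrable_label(m["qname"])
        if label is None:
            continue
        s["distinct"].add(label)
        if random_looking(label):
            s["random"].add(label)
        if m["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
    return {
        src: {"queries": v["queries"], "distinct": len(v["distinct"]),
              "random": len(v["random"]), "nxdomain": v["nxdomain"]}
        for src, v in stats.items()
    }


def flagged(log_text, min_random=5, min_nxdomain=5):
    """Clients whose random-looking-domain or NXDOMAIN count crosses the (assumed) thresholds."""
    report = triage(log_text)
    return sorted(src for src, v in report.items()
                  if v["random"] >= min_random or v["nxdomain"] >= min_nxdomain)


if __name__ == "__main__":
    for src, v in sorted(triage(SAMPLE_LOG).items()):
        print(src, v)
    print("flag for inspection:", flagged(SAMPLE_LOG))
```

The thresholds are deliberately low for the toy sample; on a real resolver log, tune them against a day of baseline traffic so that a typo-prone user (one or two NXDOMAINs) is not flagged while a host churning through hundreds of unregistered names is. Treat a hit as a lead to confirm on the host (a listening HTTP service on an odd port, the SMB shellcode signatures Fabien mentions), not as proof of infection by itself.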
Current thread:
- Re: Conficker - your opion on how to determine the source of infection on a given network Tiflin, Conrad (ZA - Cape Town) (Aug 15)
- Re: Conficker - your opion on how to determine the source of infection on a given network Guy (Aug 15)
- Message not available
- Re: Conficker - your opion on how to determine the source of infection on a given network Fabien Vincent (Aug 15)
- Re: Conficker - your opion on how to determine the source of infection on a given network Juan Luis Susillo (Aug 16)
- Re: Conficker - your opion on how to determine the source of infection on a given network 51l3n73y3s (Aug 16)
- Message not available
- Re: Conficker - your opion on how to determine the source of infection on a given network 51l3n73y3s (Aug 17)
- Re: Conficker - your opion on how to determine the source of infection on a given network Fabien Vincent (Aug 15)
- [Suspected Spam]RE: Conficker - your opion on how to determine the source of infection on a given network Adrián Auguet (Aug 17)
- [Tools update] The Security-Database Watch Newsletter -- v20090815 SD List (Aug 16)
- RE: Conficker - your opion on how to determine the source of infection on a given network Banks, Jason (R.J.) (Aug 27)