Re: Conficker - your opion on how to determine the source of infection on a given network

["51l3n73y3s" <51l3n7 () live in>]

As far as I think, that is not possible as it uses a random name for the dll 
(%System%\[RANDOM FILE NAME].dll )

-Sandeep Cheema
--------------------------------------------------
From: "Gareth Fletcher" <gareth.fletcher () gmail com>
Sent: Monday, August 17, 2009 4:50 AM
To: "51l3n73y3s" <51l3n7 () live in>
Cc: "Juan Luis Susillo" <susillo () gmail com>; "Tiflin, Conrad (ZA - Cape 
Town)" <ctiflin () deloitte co za>; <pen-test () securityfocus com>; "madunix" 
<madunix () gmail com>
Subject: Re: Conficker - your opion on how to determine the source of 
infection on a given network

> Thanks Sandeep, that's a good idea. Will keep it in mind if I ever  have 
> to deal with conficker or another such worm! Could there be a  particular 
> infected file the OP could check the modified timestamp  using a remote 
> wmi script against all his computers or something too  see which one was 
> infected first?
>
> Best regards
> Gareth
>
> On 17/08/2009, at 6:23 AM, "51l3n73y3s" <51l3n7 () live in> wrote:
>
> > The question is about how to detect the source of infection. There  are 
> > lot of ways in which you can find what all computer's are  infected 
> > including AV's, Specially scanners for conficker (Like  BKIS , eEye)
> >
> > This is what I can think of :
> >
> > 1) Collect the security log of the machines around(Not only the  infected 
> > one's)
> > 2) Compile them into one file.
> > 3) Look for the failure audits in a line. This is where the brute  force 
> > to guess the password happens before the account gets locked  out.
> > 4) Go to the first entry as per the date and time.
> > 5) Look for the source computer. The good chances are that this is  the 
> > ignition point.
> >
> > -Sandeep Cheema
> >
> > * The more you script the farther you get.
> > --------------------------------------------------
> > From: "Juan Luis Susillo" <susillo () gmail com>
> > Sent: Sunday, August 16, 2009 9:37 PM
> > To: "Tiflin, Conrad (ZA - Cape Town)" <ctiflin () deloitte co za>
> > Cc: <pen-test () securityfocus com>; "madunix" <madunix () gmail com>
> > Subject: Re: Conficker - your opion on how to determine the source  of 
> > infection on a given network
> >
> > > Maybe you can sniff all traffic over the entire network using
> > > Wireshark. If a computer is generating a lot of dns requests (rare
> > > domain names) surely the computer is infected by conficker worm.
> > >
> > > Regards.
> > >
> > > 2009/8/15 Fabien Vincent <fabvincent () gmail com>:
> > > > Hi Tiflin Conrad,
> > > >
> > > > You can check the working group website about Conficker. There's all
> > > > information you need about Conficker/Kido/Downadup.
> > > > http://www.confickerworkinggroup.org/wiki/
> > > >
> > > > You should check first computers running HTTP Server on non reserved
> > > > port (as you said), and second, check SSDP announces over UDP
> > > > Multicast (kind of HTTP protocol used by UPnP on port 1900).
> > > > Third, if you have captured network trafic, SMB Connections  containing
> > > > shellcode (with Snort Rules on Conficker and ngrep you will find  it in
> > > > your pcap files).
> > > >
> > > > There's also an HTTP/1.1 GET made by Conficker to popular servers in
> > > > order to check Date/Time, but for this you have to view HTTP logs  form
> > > > proxy, for example.
> > > >
> > > > You can find a pdf from Symantec about Downadup (Conficker on  Symantec
> > > > AV), which explains new variants and more ...
> > > > http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
> > > >
> > > > ./FV
> > > >
> > > > --- 
> > > > --- 
> > > > ------------------------------------------------------------------
> > > > This list is sponsored by: Information Assurance Certification  Review 
> > > > Board
> > > >
> > > > Prove to peers and potential employers without a doubt that you  can 
> > > > actually do a proper penetration test. IACRB CPT and CEPT  certs 
> > > > require a full practical examination in order to become  certified.
> > > >
> > > > http://www.iacertification.org
> > > > --- 
> > > > --- 
> > > > ------------------------------------------------------------------
> > >
> > > --- 
> > > ---------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification  Review 
> > > Board
> > >
> > > Prove to peers and potential employers without a doubt that you can 
> > > actually do a proper penetration test. IACRB CPT and CEPT certs  require 
> > > a full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > --- 
> > > ---------------------------------------------------------------------
> >
> > --- 
> > ---------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification  Review 
> > Board
> >
> > Prove to peers and potential employers without a doubt that you can 
> > actually do a proper penetration test. IACRB CPT and CEPT certs  require 
> > a full practical examination in order to become certified.
> > http://www.iacertification.org
> > --- 
> > ---------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------