Penetration Testing mailing list archives
Re: Conficker - your opion on how to determine the source of infection on a given network
From: "51l3n73y3s" <51l3n7 () live in>
Date: Mon, 17 Aug 2009 14:57:49 +0530
As far as I can tell, that is not possible, as it uses a random name for the DLL (%System%\[RANDOM FILE NAME].dll).
-Sandeep Cheema

--------------------------------------------------
From: "Gareth Fletcher" <gareth.fletcher () gmail com>
Sent: Monday, August 17, 2009 4:50 AM
To: "51l3n73y3s" <51l3n7 () live in>
Cc: "Juan Luis Susillo" <susillo () gmail com>; "Tiflin, Conrad (ZA - Cape Town)" <ctiflin () deloitte co za>; <pen-test () securityfocus com>; "madunix" <madunix () gmail com>
Subject: Re: Conficker - your opion on how to determine the source of infection on a given network

Thanks Sandeep, that's a good idea. Will keep it in mind if I ever have to deal with Conficker or another such worm!

Could there be a particular infected file whose modified timestamp the OP could check with a remote WMI script against all his computers, or something similar, to see which one was infected first?

Best regards,
Gareth

On 17/08/2009, at 6:23 AM, "51l3n73y3s" <51l3n7 () live in> wrote:

The question is about how to detect the source of infection. There are lots of ways in which you can find out which computers are infected, including AVs and special scanners for Conficker (like BKIS, eEye).

This is what I can think of:

1) Collect the security logs of the machines around (not only the infected ones).
2) Compile them into one file.
3) Look for the failure audits in a line. This is where the brute force to guess the password happens before the account gets locked out.
4) Go to the first entry as per the date and time.
5) Look for the source computer. There is a good chance that this is the ignition point.

-Sandeep Cheema
* The more you script, the farther you get.

--------------------------------------------------
From: "Juan Luis Susillo" <susillo () gmail com>
Sent: Sunday, August 16, 2009 9:37 PM
To: "Tiflin, Conrad (ZA - Cape Town)" <ctiflin () deloitte co za>
Cc: <pen-test () securityfocus com>; "madunix" <madunix () gmail com>
Subject: Re: Conficker - your opion on how to determine the source of infection on a given network

Maybe you can sniff all traffic over the entire network using Wireshark. If a computer is generating a lot of DNS requests (rare domain names), surely the computer is infected by the Conficker worm.

Regards.

2009/8/15 Fabien Vincent <fabvincent () gmail com>:

Hi Tiflin Conrad,

You can check the working group website about Conficker. There's all the information you need about Conficker/Kido/Downadup.
http://www.confickerworkinggroup.org/wiki/

You should check first computers running an HTTP server on a non-reserved port (as you said), and second, check SSDP announces over UDP multicast (a kind of HTTP protocol used by UPnP on port 1900). Third, if you have captured network traffic, SMB connections containing shellcode (with Snort rules on Conficker and ngrep you will find it in your pcap files). There's also an HTTP/1.1 GET made by Conficker to popular servers in order to check the date/time, but for this you have to view the HTTP logs from a proxy, for example.

You can find a PDF from Symantec about Downadup (Conficker on Symantec AV), which explains new variants and more...
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

./FV

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
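The five-step log correlation Sandeep describes in the thread above (collect every machine's Security log, merge them, pick out the failure audits, sort by date and time, read off the source computer), as an added example that is not part of the original thread. It assumes the logs were exported to a CSV with the columns in its header line (a hypothetical export format; the rows are constructed), and it adds one refinement a practitioner would want: a source only counts once it produces a burst of failures inside a short window, so a user who mistypes a password once is not mistaken for the ignition point.

```python
"""Merge exported Security logs and find the first password-guessing source.

Added example; not part of the original thread. It assumes each machine's
Security log was exported to CSV with the columns in the header line below
(a hypothetical export format); the sample rows are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Failure-audit logon events: 529 (Windows XP/2003) and 4625 (Vista and later).
LOGON_FAILURE_IDS = {529, 4625}

# Constructed sample: four machines' Security logs merged into one file.
# 'logged_on' is the machine whose log the row came from; 'source_workstation'
# is the client workstation name recorded in the failure audit.
SAMPLE_CSV = """\
logged_on,timestamp,event_id,target_user,source_workstation
RECEPTION-PC,2009-08-14 09:02:11,529,jsmith,RECEPTION-PC
FILESRV01,2009-08-14 22:41:07,529,Administrator,WKS-0042
FILESRV01,2009-08-14 22:41:08,529,Administrator,WKS-0042
FILESRV01,2009-08-14 22:41:09,529,Administrator,WKS-0042
FILESRV01,2009-08-14 22:41:10,529,Administrator,WKS-0042
HR-PC07,2009-08-14 22:43:55,529,Administrator,WKS-0042
HR-PC07,2009-08-14 22:43:56,529,Administrator,WKS-0042
HR-PC07,2009-08-14 22:43:57,529,Administrator,WKS-0042
FILESRV01,2009-08-15 01:12:30,529,Administrator,HR-PC07
FILESRV01,2009-08-15 01:12:31,529,Administrator,HR-PC07
FILESRV01,2009-08-15 01:12:32,529,Administrator,HR-PC07
DC01,2009-08-15 01:15:02,529,backup,HR-PC07
DC01,2009-08-15 01:15:03,529,backup,HR-PC07
DC01,2009-08-15 01:15:04,529,backup,HR-PC07
"""


def parse_logs(text):
    """Parse the merged CSV export into a list of event dicts (steps 1 and 2)."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "logged_on": row["logged_on"],
            "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "target_user": row["target_user"],
            "source": row["source_workstation"],
        })
    return events


def find_bursts(events, min_count=3, window_seconds=60):
    """Steps 3 and 4: one entry per source workstation that produced a burst
    of failure audits, i.e. at least min_count failures within window_seconds.
    A lone failed logon (someone mistyping a password) is not a burst.
    Entries are (first_failure_time, source, total_failures, targets),
    sorted so the earliest burst comes first."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] in LOGON_FAILURE_IDS:
            by_source[ev["source"]].append(ev)

    bursts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        for i in range(len(times) - min_count + 1):
            span = (times[i + min_count - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                targets = sorted({e["logged_on"] for e in evs})
                bursts.append((times[i], source, len(evs), targets))
                break
    bursts.sort(key=lambda b: b[0])
    return bursts


def first_source(events, **kw):
    """Step 5: the workstation whose burst appears earliest, or None."""
    bursts = find_bursts(events, **kw)
    return bursts[0][1] if bursts else None


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_CSV)
    for first, src, n, targets in find_bursts(evs):
        print(f"{first}  {src:<10} {n:>3} failures against {', '.join(targets)}")
    print("probable ignition point:", first_source(evs))
```

The merged ordering only means something if the machines' clocks agree, so check each exporting host's offset against the domain controller before trusting step 4. The source name in a 529/4625 audit is the workstation name the client supplied in its logon request; a worm has no reason to forge it, but a human attacker might.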
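Juan's suggestion in the thread above, as an added example that is not from the original thread: rank the hosts in a capture by how many domain names they query that nobody else on the network asks for. The input is the text that a tshark invocation like the one in the docstring prints (one query per line, tab-separated); the query lines, addresses and domain names are constructed.

```python
"""Rank hosts by how many rarely-seen domain names they query.

Added example; not from the original thread. Input is what a command such as

  tshark -r capture.pcap -Y "dns.flags.response == 0" \\
         -T fields -e frame.time_epoch -e ip.src -e dns.qry.name

prints: one DNS query per line, fields separated by tabs. The sample lines
below are constructed; the addresses and names are made up.
"""
from collections import defaultdict

SAMPLE_QUERIES = """\
1250305447.10\t10.0.5.7\twww.google.com
1250305447.90\t10.0.5.9\twww.google.com
1250305448.30\t10.0.5.7\tupdate.microsoft.com
1250305449.00\t10.0.5.9\tupdate.microsoft.com
1250305449.20\t10.0.5.9\tintranet.example.local
1250305450.00\t10.0.5.42\twww.google.com
1250305450.10\t10.0.5.42\tqzmvbxp.info
1250305450.20\t10.0.5.42\twkxoprt.cc
1250305450.30\t10.0.5.42\tbmnhtyu.ws
1250305450.40\t10.0.5.42\tlpqrsdt.cn
1250305450.50\t10.0.5.42\tfghyuo.biz
1250305450.60\t10.0.5.42\tkjhgfds.net
1250305450.70\t10.0.5.42\tzxcvbnm.org
1250305450.80\t10.0.5.42\tpoiuytr.info
1250305450.90\t10.0.5.42\tmnbvcxz.cc
1250305451.00\t10.0.5.42\tasdfghj.ws
1250305451.10\t10.0.5.42\tqwertyu.cn
1250305451.20\t10.0.5.42\tlkjhgfd.biz
1250305452.00\t10.0.5.42\tqzmvbxp.info
"""


def parse_queries(text):
    """Return (epoch, src_ip, qname) tuples; names are lower-cased and the
    trailing dot (if tshark prints one) is removed. Short lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2]:
            continue
        out.append((float(parts[0]), parts[1], parts[2].lower().rstrip(".")))
    return out


def score_hosts(queries):
    """Per source host: how many distinct names it queried, and how many of
    those were queried by no other host in the capture ('rare')."""
    names_by_host = defaultdict(set)
    hosts_by_name = defaultdict(set)
    for _, src, name in queries:
        names_by_host[src].add(name)
        hosts_by_name[name].add(src)
    scores = {}
    for src, names in names_by_host.items():
        rare = sum(1 for n in names if len(hosts_by_name[n]) == 1)
        scores[src] = {"distinct": len(names), "rare": rare}
    return scores


def suspicious_hosts(queries, min_rare=5):
    """Hosts whose rare-name count reaches min_rare, highest count first."""
    scores = score_hosts(queries)
    flagged = [s for s, v in scores.items() if v["rare"] >= min_rare]
    return sorted(flagged, key=lambda s: scores[s]["rare"], reverse=True)


if __name__ == "__main__":
    q = parse_queries(SAMPLE_QUERIES)
    for host, v in sorted(score_hosts(q).items(), key=lambda kv: -kv[1]["rare"]):
        print(f"{host:<12} distinct={v['distinct']:>3} rare={v['rare']:>3}")
    print("look at first:", suspicious_hosts(q))
```

A host that runs a recursive resolver, a mail relay or a busy web proxy will also query many names nobody else does, so treat the ranking as the list of machines to look at first, not as proof of infection.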
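Fabien's first check, a computer running an HTTP server on a non-reserved port, as an added example that is not from the original thread: a small TCP prober that sends a HEAD request to each port and reports those whose reply begins with an HTTP status line. The host and port list are whatever you pass in; nothing here is specific to the worm beyond the symptom Fabien names. The throwaway local server it starts under `__main__` exists only so the script can be run without a target.

```python
"""Find HTTP listeners on non-standard ports.

Added example; not from the original thread. The target host and the ports
to probe are whatever the caller passes in.
"""
import http.server
import socket
import threading

HEAD_REQUEST = b"HEAD / HTTP/1.0\r\nHost: probe\r\n\r\n"
# Ports where an HTTP answer is expected and therefore not interesting here.
USUAL_HTTP_PORTS = {80, 443, 8000, 8080, 8443}


def probe_http(host, port, timeout=1.0):
    """Return the status line if host:port answers like an HTTP server,
    otherwise None (connection refused, timeout, or a non-HTTP reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HEAD_REQUEST)
            data = b""
            while b"\r\n" not in data and len(data) < 512:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:          # refused, unreachable, or socket.timeout
        return None
    line = data.split(b"\r\n", 1)[0]
    if line.startswith(b"HTTP/1."):
        return line.decode("ascii", "replace")
    return None


def find_http_listeners(host, ports, timeout=1.0):
    """Map port -> status line for every probed port that speaks HTTP,
    skipping the usual web-server ports so only unusual listeners remain."""
    found = {}
    for port in ports:
        if port in USUAL_HTTP_PORTS:
            continue
        status = probe_http(host, port, timeout)
        if status is not None:
            found[port] = status
    return found


def start_local_http_server():
    """Start a throwaway HTTP server on a loopback ephemeral port so the
    prober has something to hit; returns (server, port). Stop it with
    server.shutdown()."""
    srv = http.server.HTTPServer(("127.0.0.1", 0),
                                 http.server.SimpleHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_silent_listener():
    """A TCP listener that accepts connections but never answers, to show
    that an open port alone is not reported; returns (socket, port)."""
    raw = socket.socket()
    raw.bind(("127.0.0.1", 0))
    raw.listen(1)
    return raw, raw.getsockname()[1]


if __name__ == "__main__":
    srv, http_port = start_local_http_server()
    raw, raw_port = start_silent_listener()
    print(find_http_listeners("127.0.0.1", [http_port, raw_port], timeout=1.0))
    srv.shutdown()
    raw.close()
```

Against real hosts, probe only the port ranges you have authority to touch, keep the timeout short, and remember that any HTTP listener you find still has to be identified on the box itself (which process owns the socket) before it is called an infection.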
Current thread:
- Re: Conficker - your opion on how to determine the source of infection on a given network Tiflin, Conrad (ZA - Cape Town) (Aug 15)
- Re: Conficker - your opion on how to determine the source of infection on a given network Guy (Aug 15)
- Message not available
- Re: Conficker - your opion on how to determine the source of infection on a given network Fabien Vincent (Aug 15)
- Re: Conficker - your opion on how to determine the source of infection on a given network Juan Luis Susillo (Aug 16)
- Re: Conficker - your opion on how to determine the source of infection on a given network 51l3n73y3s (Aug 16)
- Message not available
- Re: Conficker - your opion on how to determine the source of infection on a given network 51l3n73y3s (Aug 17)
- Re: Conficker - your opion on how to determine the source of infection on a given network Fabien Vincent (Aug 15)
- [Suspected Spam]RE: Conficker - your opion on how to determine the source of infection on a given network Adrián Auguet (Aug 17)
- [Tools update] The Security-Database Watch Newsletter -- v20090815 SD List (Aug 16)
- RE: Conficker - your opion on how to determine the source of infection on a given network Banks, Jason (R.J.) (Aug 27)