Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC InfoSec Handlers Diary Blog



Third party information on conficker

Published: 2009-02-13
Last Updated: 2009-04-11 18:15:39 UTC
by Andre Ludwig (Version: 9)
4 comment(s)

This diary will be updated as more information becomes public. Updates are highlighted in green. Please use the URL: "http://www.dshield.org/conficker" to link to this page.

In an effort to give YOU, the end-user, the ability to educate yourself on this threat, we will be posting as much information as possible, from as many sources as possible. This may lead to redundant, and sometimes fallible, data, but we hope it allows you to pick and choose the information, the removal tool, and, more importantly, your own path when mitigating Conficker. Be careful about help and removal tools offered from unknown sources.

Our own diaries on the topic can be found here: http://isc.sans.org/tag.html?tag=conficker

ALWAYS TEST IN A DEVELOPMENT OR TEST ENVIRONMENT BEFORE ROLLING OUT TO PRODUCTION!


Removal Instructions

Microsoft: http://support.microsoft.com/kb/962007
Kaspersky: http://support.kaspersky.com/faq/
BitDefender: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp

To be able to reach the anti-virus vendors, SANS, Microsoft and others from a machine infected with Conficker.C, TrendMicro suggests running "net stop dnscache" from the command line.
Sophos: http://www.sophos.com/support/knowledgebase/article/51416.html

Removal Tools

Microsoft MSRT: http://www.microsoft.com/security/malwareremove/default.mspx
F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
AhnLab: link no longer valid.
Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
McAfee: http://vil.nai.com/vil/conficker_stinger/S.T.I.N.G.E.R.exe
ESET: http://download.eset.com/special/EConfickerRemover.exe
BitDefender: http://www.bdtools.net/
Kaspersky: http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip
TrendMicro: http://www.trendmicro.com/download/dcs.asp
Sophos: https://secure.sophos.com/products/free-tools/conficker-removal-tool-network/download (registration required)
Sunbelt: http://www.sunbeltsecurity.com/DownLoads.aspx

Conficker Remote Scanners

nmap 4.85BETA5 now includes Conficker detection http://insecure.org/
nessus http://www.nessus.org/plugins/index.php?view=single&id=36036
McAfee http://www.mcafee.com/us/enterprise/confickertest.html
eEye http://www.eeye.com/html/downloads/other/ConfickerScanner.html

Conficker Working Group Information

Conficker Working Group

http://www.confickerworkinggroup.org

ShadowServer

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212 (very good explanation of the importance of this group)

Arbor networks http://asert.arbornetworks.com/2009/02/the-conficker-cabal-announced/
ICANN http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm
Symantec https://forums.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129

General Information

Microsoft End user/Consumer page
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
IT Security/Professional Page
http://technet.microsoft.com/en-us/security/dd452420.aspx
Centralized information about Conficker
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
SecureWorks http://www.secureworks.com/research/threats/downadup-removal/

Research (technical)

SRI

http://mtc.sri.com/Conficker
Scanner: http://mtc.sri.com/Conficker/contrib/scanner.html

MNIN Security Blog http://mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html
This is an awesome tool that generates the domains and IPs to scan, using the reverse-engineered algorithms from Conficker.
ThreatExpert Blog http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
CERT.at http://www.cert.at/static/conficker/TR_Conficker_Detection.pdf
Great paper that covers setting up your local DNS server to mitigate/alert on infections.
Sample zonefiles can be downloaded here: http://www.cert.at/english/downloads/downloads.html
CA Writeup dated 3/11/09
Screenshots of April 1st Trigger
Honeynet Project A useful analysis and supporting tools from the Honeynet project can be found at:
https://www.honeynet.org/files/KYE-Conficker.pdf and
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Canada Calling

Published: 2009-02-13
Last Updated: 2009-02-13 23:52:33 UTC
by Kevin Liston (Version: 1)
0 comment(s)

A reader wrote in to ask about the uptick in port 5060 activity (visible here: isc.sans.org/port.html?port=5060)

Looking at my own sensors, I saw the traffic yesterday for about an hour as an IP address out of Canada swept through my network with packets destined for UDP/5060.  These were SIP requests searching for an open VoIP system. 

UDP packets can be spoofed, but this appears to be scanning activity, and a scanner expects a reply, so I'm fairly confident that the source IP is legitimate. This activity is likely tied to recent criminal enterprises intent on compromising vulnerable VoIP systems that can later be used to distribute vishing messages or even host vishing sites.
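As an added example (not part of the diary), a small detector for the pattern described above: one source address sweeping many hosts on UDP/5060. It assumes iptables-style syslog lines; the sample lines and their RFC 5737 addresses are constructed, and the threshold of four distinct targets is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not real traffic): one source
# sweeps five hosts on UDP/5060, a second source talks to a single host only.
SAMPLE_LOG = """\
Feb 12 14:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Feb 12 14:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Feb 12 14:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Feb 12 14:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Feb 12 14:02:13 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Feb 12 14:05:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40231 DPT=5060 LEN=380
Feb 12 14:06:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40231 DPT=5060 LEN=380
Feb 12 14:07:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.15 PROTO=TCP SPT=44100 DPT=80 LEN=60
"""

# Tolerates the extra fields (LEN=, TTL=, ID=, ...) real iptables lines carry
# between DST= and PROTO=, and between PROTO= and DPT=.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def sip_sweeps(log_text, min_targets=4, port=5060):
    """Return {source_ip: sorted distinct destinations} for every source that
    probed at least min_targets distinct hosts on UDP/port, i.e. a horizontal
    sweep. Source addresses in UDP can be spoofed, so this is only evidence
    that the address was used; a scanner that wants replies has little reason
    to forge it, which is the reasoning in the diary."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) != port:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in sip_sweeps(SAMPLE_LOG).items():
        print(f"UDP/5060 sweep from {src}: {len(dsts)} hosts, e.g. {dsts[0]} .. {dsts[-1]}")
```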

Keywords: SIP

Paraskavedekatriaphobia and something I haven't found a word for

Published: 2009-02-13
Last Updated: 2009-02-13 23:46:41 UTC
by Kevin Liston (Version: 2)
1 comment(s)

Today is Friday the 13th, and also the day when we reach the symbolic 1234567890th second of Unix time. This will occur at 11:31:30pm UTC on Feb 13, 2009.

A quick note: to see when this time is going to occur in your localtime:

perl -e 'print scalar localtime(1234567890),"\n";'

UPDATE: thinkgeek also informed me that we pass the similarly interesting time of 1234554321 today as well. 
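As an added example (not from the diary), the mapping the perl one-liner performs, written out in plain integer arithmetic so the epoch-to-calendar step is visible, and applied to both values mentioned above. The fixed UTC offset of -5 hours for the "local" rendering is an assumption, chosen only for illustration.

```python
from datetime import datetime, timedelta, timezone


def epoch_to_utc(ts):
    """Unix seconds -> (year, month, day, hour, minute, second) in UTC using only
    integer arithmetic: the standard 'days to civil date' algorithm for the
    proleptic Gregorian calendar, working in 400-year cycles of 146097 days."""
    days, rem = divmod(ts, 86400)
    hour, rem = divmod(rem, 3600)
    minute, second = divmod(rem, 60)
    z = days + 719468                     # shift so day 0 is 0000-03-01
    era = z // 146097                     # which 400-year cycle
    doe = z - era * 146097                # day of era, 0..146096
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)  # day of (March-based) year
    mp = (5 * doy + 2) // 153             # month index, March = 0
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    year = yoe + era * 400 + (1 if month <= 2 else 0)
    return (year, month, day, hour, minute, second)


def epoch_in_zone(ts, utc_offset_hours):
    """The same instant as an ISO 8601 string in a fixed-offset zone, i.e. what
    `perl -e 'print scalar localtime(ts)'` shows on a machine in that zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz).isoformat()


# The two values from the diary: the sequential one and the palindromic one.
MILESTONES = {"1234567890 (sequential)": 1234567890, "1234554321 (palindrome)": 1234554321}

if __name__ == "__main__":
    for label, ts in MILESTONES.items():
        y, mo, d, h, mi, s = epoch_to_utc(ts)
        print(f"{label}: {y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d} UTC,"
              f" local (UTC-5, assumed): {epoch_in_zone(ts, -5)}")
```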


We want your logs, obfuscated even.

Published: 2009-02-13
Last Updated: 2009-02-13 03:06:14 UTC
by Joel Esler (Version: 2)
0 comment(s)

We always have a banner up on the webpage that says "We want your logs" or "How to submit your logs", however, I want to encourage you to do so.

We love firewall logs from cable modems and home users, because they cover more end IP addresses and add diversity, but we also want to call out for large submissions from corporations, small businesses, etc. We don't even mind if you obfuscate your logs (there is a feature in the DShield firewall log submitter to do this!).

If you can, automate your submissions: an automatic upload every 6 hours or so is ideal.

The more logs we get, the more we can correlate, the more visibility we have into the "Bad guys" and the more reactive research we can provide to the public as well.  

We at the Internet Storm Center are currently working on a couple of projects to not only react to "bad traffic" (of all kinds!) better, but to let you interact with the data so you can better protect your networks and react to threats emerging from your networks as well. To work effectively on this project we need more logs, and not only from firewalls: if you look at our "How to submit your logs" page, we want logs from things like Snort, LaBrea, and routers as well. Again, please feel free to obfuscate. We aren't interested in YOUR IPs. We are interested in the IPs attacking, and the ports being attacked.

Currently we process about 10-20 million log entries a day. I'd like to AT LEAST double it. Tripling or quadrupling it would be ideal.

Thanks!  Please submit your logs!  Click here to see how.

But first, please, make sure you are allowed to do so!

-- Joel Esler http://www.joelesler.net
