SANS ISC: Conficker Continues to Impact Networks SANS ISC InfoSec Forums

Conficker Continues to Impact Networks

It appears that Conficker is still alive and well. 

www.abc.net.au/news/stories/2009/09/23/2694401.htm

I heard about a local company today who on Monday of this week started having some pretty strange goings-on in their network and called in their consultants to try to figure out what was happening.  It turns out, after much time spent trying to determine what was going on, that it was "just another Conficker outbreak".   (Still working on it as a matter of fact.) They do have antivirus; however, the infection went undetected for quite some time.  Why?  Because Conficker did what Conficker does: it overrode the security software and antivirus software so it could do its dastardly deeds while remaining undetected.  This company has close to 100 computers and more than 50% of them have been infected, some for a while it seems.  Conficker has continued to grow its little botnet and the bot herder is still spreading their damage.  If you look at the "pictorial" representation of the spread in the US alone from January to July, it is pretty amazing.  

www.f-secure.com/weblog/archives/00001646.html

We also received an email today from a reader whose company was experiencing Conficker activity.  So perhaps a new wave of the bad guy is coming.  So, just as a reminder, a quick check:

www.confickerworkinggroup.org/infection_test/cfeyechart.html

If this Eye Chart doesn't display the logos for 6 of the top security sites in the world, you may be infected and will be the next to fall to the plight of the Conficker Worm.
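The Eye Chart works because Conficker blocks infected hosts from reaching security-vendor sites; a page that fails to load those vendors' logos while loading everything else is the tell. The script below is an added example, not code from the diary or from the Conficker Working Group. It performs the same comparison from the command line: it tries to resolve a set of security-vendor hostnames and a set of unrelated control hostnames, and it only calls a host suspicious when the controls resolve but the vendors do not. The six vendor names are my assumption (the page does not list which sites the chart loads); the control names are taken from links on this page.

```python
import socket
from typing import Callable, Dict, Iterable

# Assumed stand-ins for the six security-vendor sites the Eye Chart loads.
# The diary does not list them, so this is my choice, not the Working Group's.
SECURITY_SITES = (
    "www.f-secure.com", "www.symantec.com", "www.mcafee.com",
    "www.sophos.com", "www.kaspersky.com", "www.microsoft.com",
)
# Control sites, taken from links on this page, that Conficker does not block.
# They distinguish "no connectivity at all" from "vendors are being blocked".
CONTROL_SITES = ("www.abc.net.au", "isc.sans.edu")


def dns_resolves(hostname: str) -> bool:
    """Return True if the local resolver can turn hostname into an address."""
    try:
        socket.gethostbyname(hostname)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def run_eye_chart(resolve: Callable[[str], bool] = dns_resolves,
                  security: Iterable[str] = SECURITY_SITES,
                  controls: Iterable[str] = CONTROL_SITES) -> Dict[str, object]:
    """Classify this host by comparing vendor reachability against controls.

    `resolve` is injectable so the logic can be exercised without a network.
    """
    sec = {h: resolve(h) for h in security}
    ctl = {h: resolve(h) for h in controls}
    reachable = sum(1 for ok in sec.values() if ok)

    if not any(ctl.values()):
        verdict = "inconclusive"       # nothing resolves: no network, not malware
    elif reachable == len(sec):
        verdict = "clean"              # every vendor logo would have loaded
    elif reachable == 0:
        verdict = "likely-infected"    # controls fine, all vendors blocked
    else:
        verdict = "suspicious"         # partial blocking: investigate the host

    return {"verdict": verdict, "reachable": reachable,
            "security": sec, "control": ctl}


if __name__ == "__main__":
    report = run_eye_chart()
    print(f"verdict: {report['verdict']} "
          f"({report['reachable']}/{len(report['security'])} vendor sites resolved)")
    for host, ok in report["security"].items():
        print(f"  {'ok     ' if ok else 'BLOCKED'} {host}")
```

Run it on the workstation you are worried about, not from a clean admin box: the point is to observe that machine's own resolver. A "suspicious" or "likely-infected" verdict is a reason to pull the host off the network and run a proper scanner, not a diagnosis on its own, since local proxy or DNS filtering policies can block the same vendors for legitimate reasons.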

Deb Hale, Long Lines, LLC

Deborah (ISC Handler)
You can see the current infection tracking stats and charts as gathered by the Conficker Working Group on this page:
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

As of yesterday, there are still over 6 million unique IPs seen for the A+B+C variants.
Anonymous
The network that I manage got hit by the Conficker B/C variant this week. It seemed to start on 9/18. We run a mid-size network: 1000 workstations and about 80 servers. We recently merged with another company and were unifying our anti-virus servers. During this process some PCs did not have antivirus protection and went unnoticed. We currently do not utilize any NAC/NAP services but are now looking into this. One tool that helped me detect Conficker was Nmap. It supports scanning your network for likely infected hosts. However, it did seem to break network shares to some of our fileservers. On these systems, the browser and server service needed to be restarted. Does anyone have any tips and tricks for Conficker scanning using Nmap? What other tools, IDS/IPS do you guys and girls use to detect and prevent Conficker?
Anonymous
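The commenter above asks about scanning for Conficker with Nmap. Nmap ships an NSE script named `p2p-conficker` that probes the worm's peer-to-peer listener ports and reports INFECTED or CLEAN per check, so a sweep such as `nmap -p 445 --script p2p-conficker 10.0.0.0/24 -oN scan.txt` gives you a per-host verdict across a subnet. What the comment does not cover is turning a thousand-host scan into a worklist, so the following is an added example (mine, not the commenter's and not part of Nmap) that reads Nmap's normal output and pulls out the hosts flagged as infected. The sample output embedded in it is constructed to match the script's INFECTED/CLEAN markers as I remember them; treat the exact wording as an approximation rather than captured output.

```python
from typing import Dict, List

# Constructed sample of `nmap -oN` output with p2p-conficker results for three
# hosts: one flagged, one clean, one where the script produced no result.
# Addresses and wording are made up for this example.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 47321/tcp): INFECTED (Received valid data)
|   Check 2 (port 12345/udp): INFECTED (Received valid data)
|_  2/2 checks are positive: Host is likely INFECTED

Nmap scan report for 10.0.0.6
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 6200/tcp): CLEAN (Couldn't connect)
|_  0/2 checks are positive: Host is CLEAN or infected with a different version

Nmap scan report for 10.0.0.7
Host is up (0.0030s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""


def parse_conficker_report(text: str) -> Dict[str, str]:
    """Map each scanned host to 'likely-infected', 'clean' or 'unknown'."""
    results: Dict[str, str] = {}
    host = None
    in_script = False
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line[len("Nmap scan report for "):].strip()
            results[host] = "unknown"   # stays unknown if no script result follows
            in_script = False
            continue
        if host is None:
            continue
        if not line.startswith("|"):
            in_script = False           # left the NSE output block
            continue
        body = line.lstrip("|_ ")
        if body.startswith("p2p-conficker"):
            in_script = True
            continue
        if not in_script:
            continue
        # One INFECTED check is enough to flag the host. The match is
        # case-sensitive on purpose: the CLEAN summary line says "infected".
        if "INFECTED" in body:
            results[host] = "likely-infected"
        elif "CLEAN" in body and results[host] == "unknown":
            results[host] = "clean"
    return results


def likely_infected_hosts(text: str) -> List[str]:
    """Sorted list of hosts to isolate and clean first."""
    return sorted(h for h, s in parse_conficker_report(text).items()
                  if s == "likely-infected")


if __name__ == "__main__":
    for host, status in parse_conficker_report(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host:<12} {status}")
    print("isolate:", ", ".join(likely_infected_hosts(SAMPLE_NMAP_OUTPUT)))
```

Hosts that come back "unknown" (port 445 filtered, or the script produced nothing) deserve a second look rather than a pass, since a machine with no antivirus and a host firewall in the way is exactly what the commenter's merger left behind. On the broken shares the comment mentions: `p2p-conficker` only connects to the worm's own listener ports, whereas Nmap checks that exercise the MS08-067 SMB vulnerability itself can disrupt the Server service, so keep any SMB vulnerability checks in their safe mode when scanning production file servers.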
