[nsp-sec] Conficker Timecheck Daily Reports Data
Tim Wilde
twilde at cymru.com
Wed Apr 15 16:39:26 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Good afternoon everyone,
We're turning on the spigot of a new source of Conficker data today in
Daily Reports and I wanted to draw everyone's attention to it, as it has
a slightly higher than usual chance of false positives. As many of you
know, Conficker C variants use a list of ~140 public web sites to do an
Internet time check periodically throughout their execution. We have
partnered with several of these sites to get data on the systems that
are performing this time check, and starting tomorrow, that data will be
included in Daily Reports. It will be in the "bots" category along with
our normal Conficker data, but will have an "mwtype Conficker Timecheck"
indication instead of simply "mwtype Conficker".
We would appreciate it if anyone receiving and processing Daily Reports
would keep a particularly close eye on this new time check data. We
have of course taken measures to ensure that the data is as reliable and
free of false positives as possible, including using a number of filters
on the data both at the source side and upon importing it into our
database, but it is not likely to be perfect. We're always happy to
receive false positive reports for any of our data sources, but FP
reports for this data will be particularly helpful in ensuring that our
filters are sufficient. If it turns out that they are not, and we are
not able to correct them, we will shut off this source rather than
continue plaguing all of you with FPs.
Correct positive reports are helpful as well - if the IP is already
reported with "mwtype Conficker", it's not necessary to tell us that,
but if you find an IP that is only in "mwtype Conficker Timecheck" that
does in fact appear to be infected with Conficker, this will help to
validate our efforts, and we're always happy to hear about that as well! :)
If you have any questions, concerns, or false positives to report,
please send them as always to team-cymru at cymru.com. You may think you
"always" get a reply from me on this type of issue, but don't forget, I
do take time off every once in a while, so e-mailing the team ensures
that whoever is covering for me in those times can receive and respond
to your question as well. :)
Regards,
Tim Wilde
- --
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJ5kX+luRbRini9tgRAnuUAJ9BceBQl5JUT4fj7JytfAklWdYlXACfShJE
UI6JzzCi8AINqk3dmIi8Fs4=
=mpsi
-----END PGP SIGNATURE-----
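The triage step the message asks for (flag IPs that appear only under "mwtype Conficker Timecheck" and not under plain "mwtype Conficker", so they can be verified locally and confirmed or reported as false positives), as an added example that is not Team Cymru's code or part of the original post. The pipe-separated record layout, the "bots" category filter and the sample addresses are constructed assumptions; the actual Daily Reports format is not shown on this page.

```python
"""Triage Conficker vs. Conficker Timecheck entries in a bot feed.

Added example; the record layout is a hypothetical timestamp|ip|category|mwtype
text format assumed for illustration, not the real Daily Reports format.
"""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample feed (RFC 5737 documentation addresses, not real infections).
SAMPLE_REPORT = """\
# timestamp|ip|category|mwtype   (assumed layout)
2009-04-16 00:12:03|192.0.2.10|bots|Conficker
2009-04-16 00:15:41|192.0.2.10|bots|Conficker Timecheck
2009-04-16 01:02:17|192.0.2.25|bots|Conficker Timecheck
2009-04-16 01:09:55|198.51.100.7|bots|Conficker
2009-04-16 02:30:00|203.0.113.4|bots|Conficker Timecheck
2009-04-16 02:31:12|203.0.113.4|bots|Conficker Timecheck
2009-04-16 03:00:00|203.0.113.9|scanners|SSH brute
"""

MWTYPE_CONFICKER = "Conficker"
MWTYPE_TIMECHECK = "Conficker Timecheck"


def parse_report(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, ip, category, mwtype) tuples; skip comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 4:
            continue  # malformed record: ignore rather than crash the whole run
        ts, ip, category, mwtype = (p.strip() for p in parts)
        try:
            ip_address(ip)  # reject records whose IP field is not parseable
        except ValueError:
            continue
        yield ts, ip, category, mwtype


def mwtypes_by_ip(records, category: str = "bots") -> Dict[str, Set[str]]:
    """Collect the set of mwtype labels seen for each IP in the given category."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _ts, ip, cat, mwtype in records:
        if cat == category:
            seen[ip].add(mwtype)
    return dict(seen)


def triage(text: str) -> Dict[str, List[str]]:
    """Split IPs into three buckets:

    corroborated   - seen with both mwtype labels (no need to report)
    conficker_only - seen only with the established "Conficker" source
    timecheck_only - seen only via the new time-check source; verify locally,
                     then send either an FP report or a confirmation
    """
    buckets: Dict[str, List[str]] = {
        "corroborated": [], "conficker_only": [], "timecheck_only": []
    }
    by_ip = mwtypes_by_ip(parse_report(text))
    for ip in sorted(by_ip, key=ip_address):
        types = by_ip[ip]
        has_c = MWTYPE_CONFICKER in types
        has_t = MWTYPE_TIMECHECK in types
        if has_c and has_t:
            buckets["corroborated"].append(ip)
        elif has_t:
            buckets["timecheck_only"].append(ip)
        elif has_c:
            buckets["conficker_only"].append(ip)
        # IPs with neither label (other bot families) are left out on purpose
    return buckets


def needs_verification(text: str) -> List[str]:
    """IPs that only the time-check source reported: the set worth checking by hand."""
    return triage(text)["timecheck_only"]


if __name__ == "__main__":
    for name, ips in triage(SAMPLE_REPORT).items():
        print(f"{name:15s} {', '.join(ips) or '-'}")
```

Entries outside the "bots" category are dropped before classification, so an IP that also shows up in, say, a scanner feed does not get counted as corroborating evidence of Conficker; only the two mwtype labels named in the message are treated as evidence.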