[nsp-sec] Conficker Timecheck Daily Reports Data
Smith, Donald
Donald.Smith at qwest.com
Thu Apr 16 15:42:38 EDT 2009
Tim, I noticed that ips are NOT uniqued.
It appears the combination of ip and src port are unique.
I assume that was done on purpose. Do we know if each ip only reports to one sensor or do the individual ports represent different sensors or can we not imply anything about which sensor reported that ip/port?
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tim Wilde
> Sent: Wednesday, April 15, 2009 2:39 PM
> To: NSP-SEC List
> Subject: [nsp-sec] Conficker Timecheck Daily Reports Data
>
> ----------- nsp-security Confidential --------
>
> Good afternoon everyone,
>
> We're turning on the spigot of a new source of Conficker data today in
> Daily Reports and I wanted to draw everyone's attention to it, as it has
> a slightly higher than usual chance of false positives. As many of you
> know, Conficker C variants use a list of ~140 public web sites to do an
> Internet time check periodically throughout their execution. We have
> partnered with several of these sites to get data on the systems that
> are performing this time check, and starting tomorrow, that data will be
> included in Daily Reports. It will be in the "bots" category along with
> our normal Conficker data, but will have an "mwtype Conficker Timecheck"
> indication instead of simply "mwtype Conficker".
>
> We would appreciate it if anyone receiving and processing Daily Reports
> would keep a particularly close eye on this new time check data. We have
> of course taken measures to ensure that the data is as reliable and free
> of false positives as possible, including using a number of filters on
> the data both at the source side and upon importing it into our
> database, but it is not likely to be perfect. We're always happy to
> receive false positive reports for any of our data sources, but FP
> reports for this data will be particularly helpful in ensuring that our
> filters are sufficient. If it turns out that they are not, and we are
> not able to correct them, we will shut off this source rather than
> continue plaguing all of you with FPs.
>
> Correct positive reports are helpful as well - if the IP is already
> reported with "mwtype Conficker", it's not necessary to tell us that,
> but if you find an IP that is only in "mwtype Conficker Timecheck" that
> does in fact appear to be infected with Conficker, this will help to
> validate our efforts, and we're always happy to hear about that as
> well! :)
>
> If you have any questions, concerns, or false positives to report,
> please send them as always to team-cymru at cymru.com. You may think you
> "always" get a reply from me on this type of issue, but don't forget, I
> do take time off every once in a while, so e-mailing the team ensures
> that whoever is covering for me in those times can receive and respond
> to your question as well. :)
>
> Regards,
> Tim Wilde
>
> - --
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
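As an added example (not from this thread, and not Team Cymru's own tooling), a small triage script for the two points raised above: listing IPs that appear only as "mwtype Conficker Timecheck" (the ones Tim asks recipients to validate or report as false positives) and checking whether report rows are unique per IP or per (IP, source port), which is what Donald observed. The line layout and the sample rows are assumptions; the real Daily Reports format is not shown on this page.

```python
"""Triage of Conficker 'Timecheck' rows in a daily bot report.

Assumed, simplified line format (NOT the real Daily Reports layout):
    <timestamp> <ip> <src_port> <mwtype...>
where mwtype is "Conficker" or "Conficker Timecheck".
"""
from collections import defaultdict

# Constructed sample rows using documentation address ranges; not real data.
SAMPLE_REPORT = """\
2009-04-16T00:01:02 192.0.2.10 50321 Conficker
2009-04-16T00:01:09 192.0.2.10 50388 Conficker Timecheck
2009-04-16T00:03:44 198.51.100.7 41002 Conficker Timecheck
2009-04-16T00:03:50 198.51.100.7 41008 Conficker Timecheck
2009-04-16T00:04:01 203.0.113.5 1033 Conficker
"""

TIMECHECK = "Conficker Timecheck"


def parse_report(text):
    """Return a list of (ip, src_port, mwtype); mwtype may contain spaces."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, port, *mwtype = line.split()
        rows.append((ip, int(port), " ".join(mwtype)))
    return rows


def timecheck_only_ips(rows):
    """IPs seen solely via the time-check source: candidates to validate,
    since an IP already tagged plain 'Conficker' needs no confirmation."""
    types_by_ip = defaultdict(set)
    for ip, _port, mwtype in rows:
        types_by_ip[ip].add(mwtype)
    return sorted(ip for ip, kinds in types_by_ip.items() if kinds == {TIMECHECK})


def key_stats(rows):
    """Row count versus distinct IPs and distinct (ip, port) pairs; equal
    rows and (ip, port) counts mean rows are unique per port, not per IP."""
    return {
        "rows": len(rows),
        "distinct_ips": len({ip for ip, _p, _m in rows}),
        "distinct_ip_port": len({(ip, p) for ip, p, _m in rows}),
    }
```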