[nsp-sec] FW: [sec] Conficker Timecheck Daily Reports Data
Tim Wilde
twilde at cymru.com
Fri Apr 17 15:43:51 EDT 2009
Don,
Thanks for taking the time to look at this and attempt to validate it.
As far as the Conficker version goes, Conficker versions make my head
hurt. :) I know at least Conficker C is supposed to use the hosts we're
getting this data from, I'm not sure about other versions. Of the hosts
I've checked by hand against our sinkhole data, most (if not all) have
matched Conficker C sinkhole data (are those same hosts still being used
for D/E? I don't know...), while some others have ALSO matched
Conficker A/B sinkhole data we receive. At least some of these hosts
appear to be multiply infected, so I cannot say for certain which
Conficker infection is doing the time check.
Regards,
Tim
Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> I am trying to validate the conficker-time check data.
> Here is my process so far.
>
> Pull the IPs from the source, sort and uniq them, build a flow-nfilter ACL based on PART of that (I "sampled" the top 100 for my ACL).
> Find packets where the src and dst port are 2k or larger, print and sort the unique ports.
>
> Grep the top ports from the src file to see if it looks like conficker p2p (static high port to static high port).
> Check the ips to see if those ports match their conficker.c p2p ports.
> python ./get_ports.py ip_address.
> I got zero matches so far. I have only done 6 unique IPs but expected to see some p2p matches on the "correct" ports.
>
> What did I prove?
>
> I didn't prove that there is anything wrong with the conficker timecheck data. The traffic that I see looks similar to conficker p2p to me in that I am seeing static high port to static high port communications, but my conficker p2p port generation tool isn't giving me any matches.
>
> Do we know what version of conficker these should be? The tool I am using generates .C or .D p2p ports :(
> If the time-check data is just the newest version (E) then I may need to go find another p2p port generation tool.
>
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
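The validation workflow Don describes in the quoted message (dedupe the reported IPs, take the top 100 as an ACL, keep only flows where both ports are 2000 or higher, then look for a fixed high port talking to a fixed high port and compare it with the P2P ports expected for that host) can be scripted against flow exports. The block below is an added example written for this page, not a tool from the thread or from Team Cymru. The flow records and candidate IP list are constructed inline, and the expected-port table stands in for the output of the P2P port generation tool (the page does not give that algorithm, so it is not reproduced; `get_ports.py` is only referred to, not implemented).

```python
"""Cross-check reported Conficker time-check hosts against flow data.

Added example, not code from the nsp-security thread. Mirrors the steps:
  1. sort | uniq the reported IPs, keep the top N as an ACL
  2. keep flows from those hosts where src and dst port are both >= 2000
  3. find static high-port to high-port pairs (the P2P-looking pattern)
  4. compare the host's fixed source port with the ports a P2P port
     generator says that host should use (table supplied by the caller)
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: IPs as they might appear in a daily time-check report
# (duplicates are deliberate so the sort/uniq step has something to do).
CANDIDATE_IPS = """
10.0.0.5
10.0.0.5
10.0.0.9
192.0.2.7
"""

# Constructed flow export (one record per flow): src,sport,dst,dport,proto.
FLOWS_CSV = """src,sport,dst,dport,proto
10.0.0.5,41233,198.51.100.20,52112,tcp
10.0.0.5,41233,198.51.100.21,52112,tcp
10.0.0.5,41233,198.51.100.22,52112,tcp
10.0.0.5,80,198.51.100.30,443,tcp
10.0.0.9,1120,203.0.113.4,45000,tcp
192.0.2.7,33000,203.0.113.9,44444,udp
192.0.2.7,33000,203.0.113.10,44444,udp
"""

# Hypothetical expected P2P ports per host, as a port generator would emit
# them: {ip: {(port, proto), ...}}. Constructed for the example.
EXPECTED_P2P_PORTS = {
    "10.0.0.5": {(41233, "tcp"), (41233, "udp")},
    "192.0.2.7": {(61000, "udp")},
}


def top_unique_ips(text, top_n=100):
    """Equivalent of sort | uniq -c | sort -rn | head -n top_n."""
    counts = Counter(line.strip() for line in text.splitlines() if line.strip())
    return {ip for ip, _ in counts.most_common(top_n)}


def high_port_flows(csv_text, acl, min_port=2000):
    """Flows from ACL hosts where both src and dst port are >= min_port."""
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src"] not in acl:
            continue
        sport, dport = int(row["sport"]), int(row["dport"])
        if sport >= min_port and dport >= min_port:
            kept.append((row["src"], sport, dport, row["proto"]))
    return kept


def static_port_pairs(flows, min_repeats=2):
    """Per host, the (sport, dport, proto) triples seen at least min_repeats
    times: one fixed high port talking to one fixed high port across peers."""
    per_host = defaultdict(Counter)
    for src, sport, dport, proto in flows:
        per_host[src][(sport, dport, proto)] += 1
    return {
        src: {pair for pair, n in pairs.items() if n >= min_repeats}
        for src, pairs in per_host.items()
    }


def match_expected_ports(static_pairs, expected):
    """True for a host when its fixed source port/proto is one of the ports
    the generator predicts for it; False means 'looks like P2P, wrong port'."""
    return {
        ip: any((sport, proto) in expected.get(ip, set())
                for sport, _dport, proto in pairs)
        for ip, pairs in static_pairs.items()
    }


def validate(ip_text=CANDIDATE_IPS, flows_csv=FLOWS_CSV,
             expected=EXPECTED_P2P_PORTS, top_n=100):
    acl = top_unique_ips(ip_text, top_n)
    flows = high_port_flows(flows_csv, acl)
    static = static_port_pairs(flows)
    return match_expected_ports(static, expected)


if __name__ == "__main__":
    for ip, ok in sorted(validate().items()):
        print(f"{ip}: {'port matches generator' if ok else 'NO match'}")
```

In the constructed data 10.0.0.5 shows the pattern Don expected to see (a fixed source port that the generator table also predicts), while 192.0.2.7 reproduces his actual result: static high-port traffic that does not line up with the expected port, which is exactly the case that cannot distinguish a wrong generator version from a wrong host. Swap `EXPECTED_P2P_PORTS` for the output of the real port generation tool for the Conficker variant under test.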