[nsp-sec] [sec] Conficker Timecheck Daily Reports Data
Smith, Donald
Donald.Smith at qwest.com
Fri Apr 17 15:48:31 EDT 2009
I tried another approach: I looked for scanning for 445.
I searched my flow report for the 100 IPs and see 9 of them scanning for 445, so at least some of the identified systems are showing Conficker symptoms.
Has anyone else attempted to validate this data?
I know some of the IPs identified in the timecheck report showed up on other Conficker lists, but not all of the IPs identified did. I am a bit concerned about the possibility of FPs.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald [Donald.Smith at qwest.com]
Sent: Friday, April 17, 2009 1:17 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] FW: [sec] Conficker Timecheck Daily Reports Data
----------- nsp-security Confidential --------
I am trying to validate the conficker-time check data.
Here is my process so far.
Pull the IPs from the source, sort and uniq them, and build a flow-nfilter ACL based on PART of that (I "sampled" the top 100 for my ACL).
Find packets where the src and dst port are 2k or larger; print and sort the unique ports.
Grep the top ports from the src file to see if it looks like Conficker p2p (static high port to static high port).
Check the IPs to see if those ports match their Conficker.C p2p ports:
python ./get_ports.py ip_address.
I got zero matches so far. I have only done 6 unique IPs but expected to see some p2p matches on the "correct" ports.
What did I prove?
I didn't prove that there is anything wrong with the Conficker timecheck data. The traffic that I see looks similar to Conficker p2p to me, in that I am seeing static high port to static high port communications, but my Conficker p2p port generation tool isn't giving me any matches.
Do we know what version of Conficker these should be? The tool I am using generates .C or .D p2p ports :(
If the time-check data is just the newest version (E), then I may need to go find another p2p port generation tool.
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
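The two heuristics the thread works through (hosts sweeping TCP/445, and repeated static high port to static high port flows that look like Conficker p2p) can be expressed directly over flow records. The block below is an added example, not the author's flow-tools/flow-nfilter workflow and not any project's code: it runs the same checks over a small set of constructed flow tuples. The thresholds (20 distinct 445 targets, 3 repeats of a port pair, ports at or above 2000) are assumptions chosen for the sample, and the Conficker p2p port-generation algorithm is deliberately not implemented; instead the per-IP expected port sets produced by an external generator (such as the thread's get_ports.py) are taken as an assumed input and cross-checked against what was observed.

```python
"""Flow-record heuristics for the two Conficker checks discussed in the thread.

Added example: constructed sample data, assumed thresholds, no p2p port generator.
"""
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, src_port, dst_port, packets).
# Not captured data; built inline to exercise the heuristics below.
SAMPLE_FLOWS = [
    # 198.51.100.10 sweeps TCP/445 across 40 hosts with one packet per target
    *[("198.51.100.10", f"203.0.113.{i}", 1025 + i, 445, 1) for i in range(1, 41)],
    # 198.51.100.10 also talks static high port -> static high port, repeatedly
    *[("198.51.100.10", "192.0.2.77", 33129, 41762, 3) for _ in range(6)],
    *[("198.51.100.10", "192.0.2.78", 33129, 17455, 2) for _ in range(4)],
    # 198.51.100.20: ordinary client traffic, ephemeral source ports, well-known dst ports
    *[("198.51.100.20", "192.0.2.5", 49152 + i, 80, 12) for i in range(10)],
    ("198.51.100.20", "192.0.2.6", 49200, 445, 15),  # a single real SMB session, not a sweep
    # 198.51.100.30: high-to-high, but the source port changes on every flow (not static)
    *[("198.51.100.30", "192.0.2.9", 50000 + i, 6881, 40) for i in range(8)],
]


def scanners_445(flows, min_targets=20, max_packets=3):
    """Sources that touched at least min_targets distinct hosts on dport 445
    using tiny flows (a SYN or two), i.e. a scan rather than a real SMB session."""
    targets = defaultdict(set)
    for src, dst, _sport, dport, pkts in flows:
        if dport == 445 and pkts <= max_packets:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def static_high_port_pairs(flows, min_port=2000, min_flows=3):
    """Per source, (sport, dst, dport) tuples seen at least min_flows times with both
    ports >= min_port: the "static high port to static high port" pattern."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, sport, dport, _pkts in flows:
        if sport >= min_port and dport >= min_port:
            counts[src][(sport, dst, dport)] += 1
    return {
        src: {key: n for key, n in pairs.items() if n >= min_flows}
        for src, pairs in counts.items()
        if any(n >= min_flows for n in pairs.values())
    }


def match_expected_ports(pairs, expected):
    """Cross-check the static source ports observed per IP against the p2p port set
    an external generator produced for that IP. `expected` is an ASSUMED input of the
    form {ip: {port, ...}}; no Conficker port derivation is implemented here."""
    report = {}
    for src, observed in pairs.items():
        sports = {sport for (sport, _dst, _dport) in observed}
        report[src] = sorted(sports & expected.get(src, set()))
    return report


if __name__ == "__main__":
    print("445 scanners:", scanners_445(SAMPLE_FLOWS))
    pairs = static_high_port_pairs(SAMPLE_FLOWS)
    print("static high-port pairs:", pairs)
    # Hypothetical generator output for the sample IP, standing in for get_ports.py.
    assumed_expected = {"198.51.100.10": {33129, 40000}}
    print("port matches:", match_expected_ports(pairs, assumed_expected))
```

On the sample, only 198.51.100.10 trips both checks; 198.51.100.30 is high-to-high but its source port changes every flow, so it does not count as static, and 198.51.100.20's single 15-packet 445 flow is a session, not a sweep. The port cross-check is where the thread's open question lives: an empty match list for a host that otherwise shows the p2p pattern says nothing about the timecheck data until the generator is known to produce ports for the right variant.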