[nsp-sec] [sec] Conficker Timecheck Daily Reports Data

Yiming Gong yiming.gong at xo.com
Fri Apr 17 18:03:38 EDT 2009


For yesterday's data, of 76 XO IPs, 6 were correlated with my past two 
days' darknet data, and they show up scanning dark IPs on high 
ports.  No port 445 scan though.

ip              dport
++++++++++++++++++++++
140.239.131.37  13916
207.110.38.9    26716
216.3.178.67    37247
67.91.188.107   21729
67.91.202.14    40708
67.94.26.90     7871

Regards!

Yiming
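As an added example (not code from either poster, and not the list's own tooling), the following Python reproduces the validation steps discussed in this thread over constructed flow records: sort/uniq the candidate IP list, keep only flows from those IPs where both the source and destination port are 2000 or higher, count repeated static high-port pairs, and separately flag sources that touch many distinct hosts on TCP 445. The Conficker P2P port derivation itself is not reproduced here; the expected per-IP port sets are taken as input from whatever generator you trust (the thread's get_ports.py, for instance), so the `EXPECTED_P2P_PORTS` values, the IP addresses and the flow lines below are all constructed sample data, not real observations.

```python
"""Validate a suspected-Conficker IP list against flow records.

Added example. All IPs (documentation ranges), flow lines and the
EXPECTED_P2P_PORTS table are constructed sample data, not real
observations; the P2P port derivation is NOT implemented here.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated 'proto src sport dst dport' lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport = line.split()
        flows.append(Flow(proto, src, int(sport), dst, int(dport)))
    return flows


def unique_ips(text: str) -> List[str]:
    """Equivalent of sort | uniq over a raw one-IP-per-line list."""
    return sorted({l.strip() for l in text.splitlines() if l.strip()})


def high_port_pairs(flows: Iterable[Flow], ips: Iterable[str],
                    min_port: int = 2000) -> Counter:
    """Count (src, sport, dport) triples where both ports >= min_port.

    A triple that repeats is the 'static high port to static high port'
    pattern the thread describes; one-off pairs are ordinary ephemerals.
    """
    watched = set(ips)
    pairs: Counter = Counter()
    for f in flows:
        if f.src in watched and f.sport >= min_port and f.dport >= min_port:
            pairs[(f.src, f.sport, f.dport)] += 1
    return pairs


def port445_scanners(flows: Iterable[Flow], ips: Iterable[str],
                     min_targets: int = 5) -> Dict[str, int]:
    """Sources from the list hitting >= min_targets distinct hosts on TCP 445."""
    watched = set(ips)
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.src in watched and f.proto == "tcp" and f.dport == 445:
            targets[f.src].add(f.dst)
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}


def match_p2p_ports(pairs: Counter,
                    expected: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Which observed high source ports fall in the externally supplied
    expected P2P port set for that IP (expected comes from a generator
    such as the thread's get_ports.py; this code does not derive it)."""
    matched: Dict[str, Set[int]] = defaultdict(set)
    for (src, sport, _dport) in pairs:
        if sport in expected.get(src, set()):
            matched[src].add(sport)
    return dict(matched)


# Constructed sample data (documentation address ranges only).
SAMPLE_IP_LIST = "192.0.2.20\n192.0.2.10\n192.0.2.20\n\n"
SAMPLE_FLOWS = """\
# proto src         sport dst          dport
tcp   192.0.2.10  4711  198.51.100.1 445
tcp   192.0.2.10  4712  198.51.100.2 445
tcp   192.0.2.10  4713  198.51.100.3 445
tcp   192.0.2.10  4714  198.51.100.4 445
tcp   192.0.2.10  4715  198.51.100.5 445
tcp   192.0.2.10  4716  198.51.100.6 445
tcp   192.0.2.20  38213 198.51.100.7 61011
tcp   192.0.2.20  38213 198.51.100.7 61011
tcp   192.0.2.20  38213 198.51.100.8 61011
udp   192.0.2.20  38213 198.51.100.9 61011
tcp   192.0.2.20  50001 198.51.100.9 80
tcp   192.0.2.30  3301  198.51.100.1 445
tcp   192.0.2.30  3302  198.51.100.2 445
"""
# Hypothetical generator output; values are made up for the example.
EXPECTED_P2P_PORTS = {"192.0.2.20": {38213, 40000}, "192.0.2.10": {4711}}


def run_example() -> Tuple[Counter, Dict[str, int], Dict[str, Set[int]]]:
    ips = unique_ips(SAMPLE_IP_LIST)
    flows = parse_flows(SAMPLE_FLOWS)
    pairs = high_port_pairs(flows, ips)
    scanners = port445_scanners(flows, ips)
    matches = match_p2p_ports(pairs, EXPECTED_P2P_PORTS)
    return pairs, scanners, matches


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

Note that 192.0.2.30 scans port 445 but is ignored because it is not on the candidate list, and 192.0.2.10 never appears in the high-port check because every flow it sent had a low destination port; the two checks are independent evidence, which is why the thread treats a 445 hit and a P2P port match as separate validations.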

On 04/17/2009 02:48 PM, Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> I tried another approach. I looked for scanning for 445.
> Of the 100 ips I searched for in my flow report, I see 9 scanning for 445, so at least some of the identified systems are showing conficker symptoms.
> Has anyone else attempted to validate this data?
> I know some of the ips identified in the timecheck report showed up on other conficker lists but not all of the ips identified. But I am a bit concerned about the possibility of FPs.
>
>
> (coffee != sleep)&  (!coffee == sleep)
>   Donald.Smith at qwest.com gcia
> ________________________________
> From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald [Donald.Smith at qwest.com]
> Sent: Friday, April 17, 2009 1:17 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] FW: [sec] Conficker Timecheck Daily Reports Data
>
> ----------- nsp-security Confidential --------
>
> I am trying to validate the conficker-time check data.
> Here is my process so far.
>
> Pull the ips from the source, sort and uniq them, build a flow-nfilter acl based on PART of that (I "sampled" the top 100 for my acl).
> Find packets where the src and dst port are 2k or larger print and sort the unique ports.
>
> Grep the top ports from the src file to see if it looks like conficker p2p (static high port to static high port).
> Check the ips to see if those ports match their conficker.c p2p ports.
> python ./get_ports.py ip_address.
> I got zero matches so far. I have only done 6 unique IPs but expected to see some p2p matches on the "correct" ports.
>
> What did I prove?
>
> I didn't prove that there is anything wrong with the conficker timecheck data. The traffic that I see looks similar to conficker p2p to me in that I am seeing static high port to static high port communications, but my conficker p2p port generation tool isn't giving me any matches.
>
> Do we know what version of conficker these should be? The tool I am using generates .C or .D p2p ports :(
> If the time-check data is just the newest version (E) then I may need to go find another p2p port generation tool.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________