[nsp-sec] [sec] Conficker Timecheck Daily Reports Data

Smith, Donald Donald.Smith at qwest.com
Tue Apr 21 17:04:01 EDT 2009


Thanks Yiming. Yiming and I both see about 10% correlation. I hoped for a much higher correlation/validation %.
I don't expect 100%, but normally we get somewhere in the 50++ range.

Has anyone found any known false positives in this data set?

Tim and Team Cymru, I am not very comfortable with this data (yet); can we keep it off the main report and make it its own report until the data gets better validated?


TIA

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: Yiming Gong [mailto:yiming.gong at xo.com] 
> Sent: Friday, April 17, 2009 4:04 PM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] [sec] Conficker Timecheck Daily Reports Data
> 
> For yesterday's data, of 76 XO IPs, 6 were correlated with my past two
> days' darknet data, and they show up as scanning on dark IPs on high
> ports. No port 445 scan though.
> 
> ip              dport
> ++++++++++++++++
> 140.239.131.37  13916
> 207.110.38.9    26716
> 216.3.178.67    37247
> 67.91.188.107   21729
> 67.91.202.14    40708
> 67.94.26.90     7871
> 
> Regards!
> 
> Yiming
> 
> On 04/17/2009 02:48 PM, Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> >
> > I tried another approach. I looked for scanning for 445.
> > I see 9 IPs out of the 100 I searched for in my flow report scanning
> > for 445, so at least some of the identified systems are showing
> > Conficker symptoms.
> > Has anyone else attempted to validate this data?
> > I know some of the IPs identified in the timecheck report showed up
> > on other Conficker lists, but not all of the IPs identified. But I am
> > a bit concerned about the possibility of FPs.
> >
> >
> > (coffee != sleep)&  (!coffee == sleep)
> >   Donald.Smith at qwest.com gcia
> > ________________________________
> > From: nsp-security-bounces at puck.nether.net
> > [nsp-security-bounces at puck.nether.net] On Behalf Of Smith,
> > Donald [Donald.Smith at qwest.com]
> > Sent: Friday, April 17, 2009 1:17 PM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] FW: [sec] Conficker Timecheck Daily Reports Data
> >
> > ----------- nsp-security Confidential --------
> >
> > I am trying to validate the conficker-time check data.
> > Here is my process so far.
> >
> > Pull the IPs from the source, sort and uniq them, and build a
> > flow-nfilter ACL based on PART of that (I "sampled" the top 100 for
> > my ACL).
> > Find packets where the src and dst port are 2k or larger; print and
> > sort the unique ports.
> >
> > Grep the top ports from the src file to see if it looks like
> > Conficker p2p (static high port to static high port).
> > Check the IPs to see if those ports match their Conficker.C p2p
> > ports:
> > python ./get_ports.py ip_address
> > I got zero matches so far. I have only done 6 unique IPs, but I
> > expected to see some p2p matches on the "correct" ports.
> >
> > What did I prove?
> >
> > I didn't prove that there is anything wrong with the Conficker
> > timecheck data. The traffic that I see looks similar to Conficker
> > p2p to me, in that I am seeing static high port to static high port
> > communications, but my Conficker p2p port generation tool isn't
> > giving me any matches.
> >
> > Do we know what version of Conficker these should be? The tool I am
> > using generates .C or .D p2p ports :(
> > If the time-check data is just the newest version (E), then I may
> > need to go find another p2p port generation tool.
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________

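The validation process Donald walks through above (sort and uniq the suspect list, pull flows where both ports are 2k or larger, look for repeated static high-port to static high-port pairs, and separately look for 445 scanning) as an added worked example. This is not code from the thread, from flow-tools/flow-nfilter, or from any Conficker p2p port-generation tool; the flow record layout, the thresholds, and every address (RFC 5737 test ranges) are constructed assumptions. It reports the same kind of "N of M correlated" percentage the thread compares.

```python
"""Added example (not from the thread): correlate a suspect-IP list against
flow records and flag the two Conficker symptoms discussed above.
All addresses are RFC 5737 test ranges; the record layout is an assumption."""
from collections import defaultdict

HIGH_PORT = 2000  # the thread's "2k or larger" threshold for p2p-style ports

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets).
# Real flow-tools / nfdump output has more fields; this layout is hypothetical.
SAMPLE_FLOWS = (
    # 192.0.2.10: TCP/445 probes against six distinct hosts (scanning symptom)
    [("192.0.2.10", 3000 + i, f"198.51.100.{i}", 445, 1) for i in range(1, 7)]
    # 192.0.2.11: the same static high-port pair repeated (p2p-style symptom)
    + [("192.0.2.11", 41234, "203.0.113.5", 38222, 4)] * 3
    # 192.0.2.12: ordinary web traffic, destination port below the threshold
    + [("192.0.2.12", 51000, "203.0.113.80", 80, 12)]
    # 192.0.2.99: also scanning 445 but absent from the suspect list
    + [("192.0.2.99", 4000 + i, f"198.51.100.{i}", 445, 1) for i in range(1, 7)]
)

# Constructed "timecheck" list, with a duplicate to exercise sort-and-uniq
SUSPECT_IPS = ["192.0.2.13", "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.10"]


def scanning_445(flows, min_targets=5):
    """Sources that hit TCP/445 on at least min_targets distinct destinations."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, _pkts in flows:
        if dport == 445:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def static_high_port_pairs(flows, min_flows=3):
    """Per source, the (sport, dst, dport) tuples with both ports >= HIGH_PORT
    that recur at least min_flows times: the static-high-to-static-high pattern."""
    counts = defaultdict(int)
    for src, sport, dst, dport, _pkts in flows:
        if sport >= HIGH_PORT and dport >= HIGH_PORT:
            counts[(src, sport, dst, dport)] += 1
    pairs = defaultdict(list)
    for (src, sport, dst, dport), n in sorted(counts.items()):
        if n >= min_flows:
            pairs[src].append((sport, dst, dport))
    return dict(pairs)


def unique_high_ports(flows, src_ip):
    """Sorted unique ports seen in high-to-high flows from src_ip: the list one
    would hand to a p2p port-generation tool for that host."""
    ports = set()
    for src, sport, dst, dport, _pkts in flows:
        if src == src_ip and sport >= HIGH_PORT and dport >= HIGH_PORT:
            ports.update((sport, dport))
    return sorted(ports)


def correlate(suspects, flows):
    """Return (correlated IPs, percentage) in the sense used in the thread:
    a suspect counts as correlated if our own flows show either symptom."""
    uniq = sorted(set(suspects))  # "sort and uniq them"
    scanners = scanning_445(flows)
    p2p = static_high_port_pairs(flows)
    hits = {ip for ip in uniq if ip in scanners or ip in p2p}
    pct = 100.0 * len(hits) / len(uniq) if uniq else 0.0
    return hits, pct


if __name__ == "__main__":
    hits, pct = correlate(SUSPECT_IPS, SAMPLE_FLOWS)
    print(f"{len(hits)} of {len(set(SUSPECT_IPS))} suspects correlated ({pct:.0f}%)")
    for ip in sorted(hits):
        print(ip, "high ports:", unique_high_ports(SAMPLE_FLOWS, ip))
```

The two symptom checks are kept separate because the thread treats them separately: the darknet data showed high-port scanning with no 445 hits, while the flow search found 445 scanners. A suspect that matches neither check is not shown to be a false positive, only unconfirmed from this vantage point, which is the caveat behind the low correlation numbers above.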
