[nsp-sec] [sec] Conficker Timecheck Daily Reports Data
Tim Wilde
twilde at cymru.com
Tue Apr 21 17:35:55 EDT 2009
Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> Thanks Yiming. Yiming and I both see about 10% correlation. I hoped for a much higher correlation/validation %.
> I don't expect 100%, but normally we get somewhere in the 50++ range.
Don,
Are you saying you're only able to correlate 10% total from the
timecheck data? Or only 10% of the entries that do not already exist in
the normal "mwtype Conficker" data? Because my data indicated that ~86%
of the "mwtype Conficker-Timecheck" entries also had corresponding
"mwtype Conficker" entries, so if you're talking overall correlation,
you should really be seeing much higher numbers.
> Has anyone found any known false positives in this data set?
For what it's worth, we haven't received any reports of suspected or
confirmed false positives from this data set, even though we
specifically asked people to keep an eye on them. Absence of proof is
not proof of absence, though.
Has anyone out there actually done anything with the Conficker-Timecheck
entries? Bueller? :)
> Tim and Team Cymru, I am not very comfortable with this data (yet). Can we keep it off the main report and make it its own report until the data gets better validated?
It's differentiable within the bots category with the mwtype
Conficker-Timecheck; I don't really want to confuse things by making it
a whole different category, especially with the theory that it might
move back once people are more comfortable with it. If no one is using
it and everyone who is looking at it is too suspicious to use it, I'd
rather just kill it entirely. Anyone willing to speak up? I'm happy to
take private replies and summarize without attribution as well if you
don't want to admit to anything on-list. We're very interested in
hearing both positive and negative experiences with this data.
Thanks,
Tim
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/