[nsp-sec] [sec] Conficker Timecheck Daily Reports Data

Smith, Donald Donald.Smith at qwest.com
Tue Apr 21 18:02:17 EDT 2009



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: Tim Wilde [mailto:twilde at cymru.com] 
> Sent: Tuesday, April 21, 2009 3:36 PM
> To: Smith, Donald
> Cc: 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] [sec] Conficker Timecheck Daily Reports Data
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> > 
> > Thanks Yiming, Yiming and I both see about 10% correlation.
> > I hoped for a much higher correlation/validation %.
> > I don't expect 100% but normally we get somewhere in the 50++ range.
> 
> Don,
> 
> Are you saying you're only able to correlate 10% total from the
> timecheck data?  Or only 10% of the entries that do not already exist in
> the normal "mwtype Conficker" data?  Because my data indicated that ~86%
> of the "mwtype Conficker-Timecheck" entries also had corresponding
> "mwtype Conficker" entries, so if you're talking overall correlation,
> you should really be seeing much higher numbers.
In netflow I could only correlate about 10% of the sample IPs I pulled from the time-check report.
I didn't check the entire set but did check 100, so I would expect a higher rate of correlation.
I didn't check the mwtype Conficker vs mwtype Conficker-Timecheck correlation.

> 
> > Has anyone found any known false positives in this data set?
> 
> For what it's worth, we haven't received any reports of suspected or
> confirmed false positives from this data set, even though we
> specifically asked people to keep an eye on them.  Absence of proof is
> not proof of absence, though.
> 
> Has anyone out there actually done anything with the 
> Conficker-Timecheck
> entries?  Bueller? :)
> 
> > Tim and Team Cymru, I am not very comfortable with this data
> > (yet). Can we keep it off the main report and make it its own
> > report until the data gets better validated?
> 
> It's differentiable within the bots category with the mwtype
> Conficker-Timecheck, I don't really want to confuse things by making it
> a whole different category, especially with the theory that it might
> move back once people are more comfortable with it.  If no one is using
> it and everyone who is looking at it is too suspicious to use it, I'd
> rather just kill it entirely.
OK, that makes sense. I am not trying to cast doubts, but I need to feel the data is accurate before we use it to notify customers. Based on your 86% correlation between the two types I am feeling better about this data, but there is still a gap.

> Anyone willing to speak up?  I'm happy to
> take private replies and summarize without attribution as well if you
> don't want to admit to anything on-list.  We're very interested in
> hearing both positive and negative experiences with this data.
> 
> Thanks,
> Tim
> 
> - --
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFJ7jw7luRbRini9tgRApKtAJ937qXebP61vofFI2+jJ690lD4lsgCfahwu
> sCCvvW7WKDkg+k6auXAKQ9w=
> =DFSB
> -----END PGP SIGNATURE-----
> 
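The two correlation figures discussed in the thread (Tim's ~86% overlap between the Conficker-Timecheck and Conficker mwtypes, and Don's ~10% hit rate of sampled time-check IPs against netflow) measure different things. The script below, an added example rather than anything from the thread or from Team Cymru, computes both on constructed sample data; the `ip|mwtype` report layout and the `src,dst,port` netflow columns are hypothetical stand-ins for the real formats.

```python
import ipaddress
import random

# Constructed report sample (hypothetical layout, not the real report format):
# one entry per line, "ip|mwtype".
REPORT = """\
10.0.0.1|Conficker
10.0.0.1|Conficker-Timecheck
10.0.0.2|Conficker-Timecheck
10.0.0.3|Conficker
10.0.0.3|Conficker-Timecheck
10.0.0.4|Conficker-Timecheck
10.0.0.5|Conficker-Timecheck
"""

# Constructed netflow export (hypothetical columns): "src_ip,dst_ip,dst_port".
NETFLOW = """\
10.0.0.1,198.51.100.7,445
10.0.0.3,198.51.100.9,445
192.0.2.10,10.0.0.4,80
10.0.0.5,198.51.100.20,445
"""

def parse_report(text):
    """Return {mwtype: set of ip_address} from the report text."""
    by_type = {}
    for line in text.splitlines():
        if line.strip():
            ip, mwtype = line.split("|", 1)
            by_type.setdefault(mwtype.strip(), set()).add(ipaddress.ip_address(ip.strip()))
    return by_type

def netflow_sources(text):
    """Source IPs seen in netflow; only the src column counts, since an infected
    host shows up as the initiator of its scanning/timecheck traffic."""
    return {ipaddress.ip_address(l.split(",")[0]) for l in text.splitlines() if l.strip()}

def overall_correlation(by_type):
    """Tim's metric: share of Timecheck IPs that also carry a plain Conficker entry."""
    tc = by_type.get("Conficker-Timecheck", set())
    return len(tc & by_type.get("Conficker", set())) / len(tc) if tc else 0.0

def netflow_rate(ips, srcs, sample_size=None, seed=0):
    """Don's metric: share of the given IPs (optionally a fixed-seed random
    sample, as with his 100-address check) that appear as a netflow source."""
    pool = sorted(ips)
    if sample_size is not None and sample_size < len(pool):
        pool = random.Random(seed).sample(pool, sample_size)
    return sum(1 for ip in pool if ip in srcs) / len(pool) if pool else 0.0
```

Passing `tc - base` (Timecheck IPs with no plain Conficker entry) to `netflow_rate` isolates the "entries that do not already exist" case Tim asks about, which is where the extra validation value of the feed would lie.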

