[nsp-sec] Conficker reports from the field

Russell Fulton r.fulton at auckland.ac.nz
Fri Apr 24 17:14:57 EDT 2009


Snort?  ET sigs work well for the earlier versions.  There are also  
some rules in the VRT set but these are 'compiled' ones and I have  
not got them going yet.

I've got a similar problem with our residential network which is  
behind NAT.   I am using Argus (www.qosient.com) to match flow  
records across NAT but it is a PITA and I have yet to get it fully  
automated.

One thing I have observed is that during any particular day each  
conficker instance talks to a bunch of IPs all in the same /16.  The  
standard sessions are TCP to port 80 and consist of 5 packets in each  
direction with slightly less than 1100 bytes of data.  Last night (our  
time) using this info I was able to postulate that one IP was  
infected.  I'll have to wait for today's report to confirm this.

Russell

On 25/04/2009, at 3:08 AM, William Allen Simpson wrote:

> ----------- nsp-security Confidential --------
>
> One of the daily reports that I handle is for a former upstream, AS10700.
> They actively pursue the infections, and do a fair amount of customer
> hand holding, as a small regional ISP.
>
> All their Conficker reports lately are from a 500 bed county hospital that
> hides itself behind a NAT.  It's proving hard to purge them, as patients
> and visitors bring in laptops that infect the hospital machines.
>
> The hospital is finally allowing them to set up snooping inside the
> network.  Any suggestions for proactive detection that I could pass on?
>
> (Other than the EyeChart and nmap, which I've already mentioned.)
>
> ===
> So far, they report:
>
>   We are seeing a TON of Limewire (P2P) connections out of the network.
>
>   See a lot of traffic to this possible C&C - 83.68.16.30
>
>   See limewire connections to these IPs/networks:
>
>   68.142.118.111
>   70.37.129.*
> ===
>
> AS      | IP               | AS Name
> 3265    | 83.68.16.30      | XS4ALL-NL XS4ALL
>
> AS      | IP               | AS Name
> 22822   | 68.142.118.111   | LLNW - Limelight Networks, Inc.
>
> AS      | IP               | AS Name
> 8075    | 70.37.129.*      | MICROSOFT-CORP---MSN-AS-BLOCK - Microsoft Corp
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
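The flow-level heuristic described in the reply above (each infected host talking TCP/80 to a cluster of addresses in a single /16, about 5 packets each way, under 1100 bytes each way) can be turned into a first-pass filter over per-session flow records. This is an added example, not code from either poster; the record layout is a constructed, simplified CSV and not Argus's own output format, and the sample flows are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real Argus output), one TCP session per
# line: src,dst,dport,src_pkts,dst_pkts,src_bytes,dst_bytes
SAMPLE_FLOWS = """\
10.1.2.3,192.0.2.10,80,5,5,1040,1060
10.1.2.3,192.0.2.77,80,5,5,1052,1048
10.1.2.3,192.0.2.201,80,5,5,1033,1071
10.1.2.3,192.0.2.9,80,5,5,1049,1055
10.1.9.9,198.51.100.4,80,12,30,2500,44000
10.1.9.9,203.0.113.8,443,9,11,1800,7000
10.1.9.9,192.0.2.15,80,5,5,1040,1050
"""

def parse_flows(text):
    """Parse the constructed CSV layout into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, sp, dp, sb, db = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "src_pkts": int(sp), "dst_pkts": int(dp),
                      "src_bytes": int(sb), "dst_bytes": int(db)})
    return flows

def matches_profile(f, pkts=5, max_bytes=1100):
    """Session profile from the post: TCP/80, 5 packets each way, <1100 bytes each way."""
    return (f["dport"] == 80 and f["src_pkts"] == pkts and f["dst_pkts"] == pkts
            and f["src_bytes"] < max_bytes and f["dst_bytes"] < max_bytes)

def suspect_hosts(flows, min_sessions=3):
    """Internal hosts whose profile-matching sessions (>= min_sessions) all land
    in one destination /16; returns {src: "/16 network"}."""
    by_src = defaultdict(list)
    for f in flows:
        if matches_profile(f):
            by_src[f["src"]].append(f["dst"])
    suspects = {}
    for src, dsts in by_src.items():
        nets = {ipaddress.ip_network(f"{d}/16", strict=False) for d in dsts}
        if len(dsts) >= min_sessions and len(nets) == 1:
            suspects[src] = str(nets.pop())
    return suspects

if __name__ == "__main__":
    print(suspect_hosts(parse_flows(SAMPLE_FLOWS)))  # {'10.1.2.3': '192.0.0.0/16'}
```

As in the post, a hit is a candidate to confirm against the next day's report (short TCP/80 sessions to one /16 also describe some legitimate CDN traffic), so the day-over-day repetition is the stronger signal than any single day's cluster.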
