[nsp-sec] New conficker version?

Smith, Donald Donald.Smith at qwest.com
Mon Feb 2 13:11:38 EST 2009



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> SURFcert - Peter
> Sent: Monday, February 02, 2009 9:20 AM
> To: NSP-SEC List
> Subject: [nsp-sec] New conficker version?
> 
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> Conficker is known to try a list of hard coded accounts and 
> passwords to
> access network drives. 
conficker.al (which I have seen called .b) did that or something very similar:

http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml#details

Using the existing credentials of the infected user account; if this account does not have admin privileges on the target machine, this operation will not succeed. 

Acquiring the list of usernames from the targeted computer using NetUserEnum API, then attempting to log on to the targeted computer using the existing user accounts and one of the following passwords:  


> At the moment we seem to have found a new
> version. This one accesses Active Directory for a list of accounts and
> then uses these to try to access network drives. By brute 
> forcing these
> accounts users start to complain because their accounts get 
> locked out.
> That was the trigger that set us on a search for the infected system.
> 
> I am promised to get the binary some time tomorrow.
> 
> - --
> Peter Peters
> SURFcert Officer off Duty
> cert at surfnet.nl                            http://cert.surfnet.nl/
> office-hours: +31 302 305 305    emergency (24/7): +31 622 923 564
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFJhx03elLo80lrIdIRAriVAJwNeano75NdOa/dJn2tiy3TbmUyVQCcDJEj
> GUgUleFR3INPvMiIfollPLQ=
> =1aR1
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
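Added example, not from this thread, from Donald, Peter or F-Secure. Peter's symptom (users locked out, which is what started the hunt for the infected host) is also the cheapest detection handle: one machine failing logons against many different accounts in a short span, followed by 4740 lockouts naming that machine as the caller. The script below runs that logic over a constructed sample of Windows Security events in a simplified pipe-delimited form; the host names, accounts, timestamps, the 5-minute window and the 3-account threshold are all assumptions for illustration, and the mapping of the "source" field to Workstation Name (4625) and Caller Computer Name (4740) is how those events are laid out in the real Security log, which a parser for exported events would have to read from the event XML instead.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # An account failed to log on (logged on the DC for domain accounts)
ACCOUNT_LOCKED = 4740   # A user account was locked out; "Caller Computer Name" is the source host


@dataclass(frozen=True)
class Event:
    event_id: int
    account: str
    source: str       # 4625: Workstation Name, 4740: Caller Computer Name
    when: datetime


# Constructed sample data (invented hosts, accounts and times), one record per line:
# EventID|Account|SourceHost|Timestamp. WS-0042 plays the infected machine walking
# an enumerated account list; WS-0017 and WS-0099 are ordinary users mistyping.
SAMPLE_LOG = """
4625|alice|WS-0042|2009-02-02T08:59:01
4625|alice|WS-0042|2009-02-02T08:59:02
4625|alice|WS-0042|2009-02-02T08:59:03
4740|alice|WS-0042|2009-02-02T08:59:03
4625|bob|WS-0042|2009-02-02T08:59:05
4625|bob|WS-0042|2009-02-02T08:59:06
4625|bob|WS-0042|2009-02-02T08:59:07
4740|bob|WS-0042|2009-02-02T08:59:07
4625|carol|WS-0042|2009-02-02T08:59:09
4625|carol|WS-0042|2009-02-02T08:59:10
4625|dave|WS-0042|2009-02-02T08:59:12
4625|dave|WS-0042|2009-02-02T08:59:13
4625|carol|WS-0017|2009-02-02T09:02:40
4625|dave|WS-0099|2009-02-02T08:30:00
4625|dave|WS-0099|2009-02-02T09:10:00
"""


def parse_events(text):
    """Parse the simplified record format above into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        eid, account, source, ts = line.split("|")
        events.append(Event(int(eid), account, source, datetime.fromisoformat(ts)))
    return events


def max_distinct_accounts_in_window(failures, window):
    """Sliding window over time-sorted (when, account) failures from one source.
    Returns the largest number of distinct accounts tried within any span of
    length `window`; a spray of an enumerated user list scores high here, while
    one user retrying their own password scores 1 however often they fail."""
    failures = sorted(failures)
    counts = defaultdict(int)
    best = start = 0
    for t_end, acct in failures:
        counts[acct] += 1
        while t_end - failures[start][0] > window:
            old = failures[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def spray_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Group events by source host and flag hosts that failed logons against at
    least `min_accounts` distinct accounts inside one window, together with the
    accounts they locked out. Thresholds are assumed values, tune per site."""
    per_source = defaultdict(lambda: {"failures": [], "lockouts": set()})
    for e in events:
        if e.event_id == FAILED_LOGON:
            per_source[e.source]["failures"].append((e.when, e.account))
        elif e.event_id == ACCOUNT_LOCKED:
            per_source[e.source]["lockouts"].add(e.account)

    flagged = {}
    for source, data in per_source.items():
        distinct = max_distinct_accounts_in_window(data["failures"], window)
        if distinct >= min_accounts:
            flagged[source] = {
                "failed_logons": len(data["failures"]),
                "distinct_accounts": distinct,
                "locked_out": sorted(data["lockouts"]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in spray_sources(parse_events(SAMPLE_LOG)).items():
        print(host, info)
```

On the sample only WS-0042 is reported (10 failures, 4 distinct accounts, alice and bob locked out); the two ordinary users never exceed one account per window. Counting distinct accounts per source rather than raw failures is what separates this pattern from a forgotten password, and pivoting on the 4740 caller name gives the same answer even if the 4625 events were logged on a member server rather than the DC.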

