[nsp-sec] - Conficker worm
Vidar Østmo
vidar.ostmo at ventelo.no
Sun Jan 11 13:16:44 EST 2009
No Netflow sigs, but I found this at:
http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html
Seems like exploits utilizing MS08-067 are "popular" at the moment.
"Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to
canonicalize a path "\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" by calling the
vulnerable RPC request NetPathCanonicalize"
Med vennlig hilsen/Kind regards
Vidar Østmo
Engineering - Ventelo AS - asn 2116
On 1/11/09 6:39 PM, "Christoph Sprongl" <ch at it-austria.net> wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> If someone has patterns or detailed info (payload or netflow) about
> monitoring the Conficker worm for outbound traffic, I would be happy.
>
> Or if the Australian region sees specifics in Monday morning traffic about
> it, that would also be very interesting.
>
> http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
> http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
>
>
> cheers,
> christoph
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
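
A flow-level heuristic for the outbound monitoring asked about in this thread, added here as an example and not taken from either poster: because MS08-067 is reached through the Server service on TCP 139/445, it flags internal sources that contact many distinct destinations on those ports within one short window. The CSV layout, the window, the threshold and the sample flows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

SMB_PORTS = {139, 445}  # TCP ports on which SRVSVC (MS08-067) is reachable
TCP = 6                 # IP protocol number

# Constructed flow export (assumed layout): epoch_seconds,src,dst,proto,dport
SAMPLE_FLOWS = """\
1231700000,10.0.0.5,10.0.1.10,6,445
1231700004,10.0.0.5,10.0.1.11,6,445
1231700010,10.0.0.23,198.51.100.1,6,445
1231700011,10.0.0.23,198.51.100.2,6,445
1231700012,10.0.0.23,198.51.100.3,6,445
1231700013,10.0.0.23,198.51.100.4,6,445
1231700014,10.0.0.23,198.51.100.5,6,445
1231700015,10.0.0.23,198.51.100.6,6,445
1231700020,10.0.0.7,192.0.2.80,6,80
1231700021,10.0.0.7,192.0.2.81,6,80
1231700030,10.0.0.9,198.51.100.9,17,445
"""

def smb_fanout(flow_csv, window=60, threshold=5):
    """Return {(src, window_start): distinct_dst_count} for every source whose
    distinct TCP/139,445 destinations in one tumbling window reach threshold."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport = row
        if int(proto) != TCP or int(dport) not in SMB_PORTS:
            continue
        bucket = int(ts) - int(ts) % window  # start of the tumbling window
        seen[(src, bucket)].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (src, start), n in sorted(smb_fanout(SAMPLE_FLOWS).items()):
        print(f"{src} contacted {n} distinct hosts on TCP 139/445 "
              f"in the window starting at {start}")
```

The threshold has to be tuned against the normal SMB behaviour of the network; a client that mounts two file servers, like 10.0.0.5 in the sample, stays below it.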