[nsp-sec] conficker list ACK 8001
Smith, Donald
Donald.Smith at qwest.com
Thu Jan 15 11:37:54 EST 2009
I only processed 1 out of four lists.
2 were from the 12th and 2 from the 13th; total size was about 250MB for the 4 files.
I processed the largest one from the 12th.
I suspected there would be lots of duplicates in the other files, and it took nearly about 4 hours to process that one list.
I am debating processing the others (in my spare time) and providing another report later this week. Since others have validated the list, it is probably worth my time to do so.
This is a real bugger to remove.
MSRT was recently updated to remove it, but if a machine is infected, any domain with Microsoft in it will be blocked (such as microsoft.com) along with many other antivirus and security sites. F-Secure has a list of names that are blocked.
Also, if anyone has a copy of conficker.B, I would like a copy for testing.
TIA
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Ryan Pavely
> Sent: Thursday, January 15, 2009 7:28 AM
> To: 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] conficker list ACK 8001
>
> ----------- nsp-security Confidential --------
>
> Only one IP. My network feels so small lately. We haven't been part of
> any good worms..
>
> Wait.. that's a good thing!
>
>
> Ryan Pavely
> Director Research And Development
> Net Access Corporation
> http://www.nac.net/
>
>
>
> Smith, Donald wrote:
> > ----------- nsp-security Confidential --------
> >
> > A source that wishes to remain anonymous provided me apache logs for one of the systems conficker checks in with or downloads from. Beth Young at more.net also has a list and has offered to cross check these against her known infected systems.
> >
> >
> > Here are two links to the list. It contains over 700K unique IPs, so it was TOO large to upload via the cymru web gui in a single file; I had to split it.
> >
> > I only included the first time an IP checked in.
> > Timezone is GMT -8:00
> > link 1
> > https://asn.cymru.com/nsp-sec/upload/1231957075.whois.txt
> >
> > link 2
> > https://asn.cymru.com/nsp-sec/upload/1231958296.whois.txt
> >
> > Given the way I broke the list in half, there is a very good chance your ASN will appear on both lists.
> >
> > H8Hz
> > Donald.Smith at qwest.com gcia
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security counter-measures.
> > _______________________________________________
> >
>
>