[nsp-sec] Adding Destination Address to Conficker C Reports
Tim Wilde
twilde at cymru.com
Mon Jun 1 14:08:07 EDT 2009
Good afternoon everyone,
In response to concerns about difficulties tracking down Conficker
infected systems behind NATs and proxies, we have determined that we can
safely provide destination IP addresses for Conficker reports that were
generated by our Conficker C sinkhole. As such, we will be adding
another optional bit at the end of these reports. We will modify our
processing to include this data next Monday, June 8th, so you will begin
to see it in the reports generated on 2009-06-09 UTC. Please read
further for details of the new piece of information.
Currently, a Conficker C hit from our sinkhole will appear in your Daily
Reports like this:
<ASN> | <ip> | 2009-05-31 09:13:26 srcport 42560 mwtype Conficker | <AS Name>
The destination address will be added as another item in the field that
includes srcport and mwtype, labeled "destaddr", and looking like this:
<ASN> | <ip> | 2009-05-31 09:13:26 srcport 42560 mwtype Conficker destaddr 38.229.153.109 | <AS Name>
(I apologize for the wrapping by my mail client, these would be single
lines in the actual report file.) This row indicates that the <ip>
(redacted from the real report in question) communicated with
38.229.153.109 at the UTC timestamp indicated, with the source port
indicated, and was deemed to be a Conficker hit.
As it is visible within the global DNS, we do not consider our Conficker
sinkhole range to be covert or confidential information, and as such you
may include this data when passing along Daily Reports information to
customers, as long as all of our other sharing guidelines (particularly
no reference to Team Cymru as the source of the reports) are followed -
they may be able to determine that the Conficker data comes from us, but
that doesn't have to imply that all of it does. :)
We hope that this will help you (and your customers) in situations where
Conficker hits occur behind NATs and proxies. Please remember that this
data will be available only for Conficker C hits to our Conficker
sinkhole, and will not apply to Conficker data that we receive from
other sources.
If you have any questions, comments, concerns, etc., please don't
hesitate to let me know directly, or contact team-cymru at cymru.com.
Best regards,
Tim Wilde
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
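As an added example (not part of the original message or of Team Cymru's tooling), a small parser for the Daily Report row layout described above, handling rows both with and without the new optional "destaddr" item, plus a helper that extracts the (timestamp, ip, srcport, destaddr) tuple a recipient would match against NAT or proxy translation logs. The sample rows are constructed; ASN 64496, 192.0.2.10 and EXAMPLE-AS are documentation values standing in for the redacted <ASN>, <ip> and <AS Name> fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rows: one in the old format, one with the optional destaddr item.
SAMPLE_ROWS = [
    "64496 | 192.0.2.10 | 2009-05-31 09:13:26 srcport 42560 mwtype Conficker | EXAMPLE-AS",
    "64496 | 192.0.2.10 | 2009-06-09 01:02:03 srcport 51123 mwtype Conficker destaddr 38.229.153.109 | EXAMPLE-AS",
]

@dataclass
class ReportHit:
    asn: int
    ip: str
    timestamp: str           # UTC, exactly as printed in the report
    srcport: int
    mwtype: str
    destaddr: Optional[str]  # None for rows without the new item (older rows, other sources)
    as_name: str

# Row layout: <ASN> | <ip> | <timestamp> <key value ...> | <AS Name>
_ROW = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>\S+)\s*\|\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(?P<kv>[^|]*?)\s*\|\s*(?P<asname>.*?)\s*$"
)

def parse_row(line: str) -> ReportHit:
    """Parse one report row; raise ValueError on anything that does not fit the layout."""
    m = _ROW.match(line)
    if m is None:
        raise ValueError(f"unrecognised report row: {line!r}")
    tokens = m.group("kv").split()  # flat "key value" pairs: srcport, mwtype, destaddr
    if len(tokens) % 2:
        raise ValueError(f"odd key/value list in row: {line!r}")
    kv = dict(zip(tokens[0::2], tokens[1::2]))
    return ReportHit(asn=int(m.group("asn")), ip=m.group("ip"), timestamp=m.group("ts"),
                     srcport=int(kv["srcport"]), mwtype=kv["mwtype"],
                     destaddr=kv.get("destaddr"), as_name=m.group("asname"))

def nat_lookup_keys(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (timestamp, ip, srcport, destaddr) for every row that carries a destination;
    rows without destaddr are skipped because they cannot be matched to a translation entry."""
    keys = []
    for line in lines:
        hit = parse_row(line)
        if hit.destaddr is not None:
            keys.append((hit.timestamp, hit.ip, hit.srcport, hit.destaddr))
    return keys
```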