[nsp-sec] ACK 2914 Re: Conficker Data Timestamp Anomaly

Tino Steward tsteward at us.ntt.net
Tue Mar 10 07:32:52 EDT 2009


2914 ack'd.
thx Tim,
tino

On Mon, Mar 09, 2009 at 12:40:40PM -0400, Tim Wilde wrote:
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings Everyone,
> 
> It has come to our attention that one of our sources of Conficker data
> in the Daily Reports "bots" category, which was just brought online late
> last week, appears to have a ~10 minute offset in its timestamps.
> Unfortunately, there is no simple way to distinguish the data with
> incorrect timestamps in the reports that have been sent out.  If you
> encounter entries in the "bots" category with a "mwtype Conficker"
> indication that do not appear to match real traffic, the timestamps may
> be approximately 10 minutes behind the actual UTC time of the event.
> That is, if the timestamp indicated 19:13:42, the actual event may have
> been closer to 19:23 UTC.  We do not yet know the precise amount of the
> offset, so I apologize that we cannot be more specific.
> 
> Again, this affects only some of the Conficker reports in the bots
> category, and only beginning with reports sent 2009-03-07 through today,
> but unfortunately we cannot provide differentiating characteristics for
> this data.  We have suspended imports of this data source until we can
> get this timestamp issue corrected, and we sincerely apologize for the
> inconvenience.  We are also removing data that had already been imported
> from this source for sending tomorrow, so you should not see any of this
> data with incorrect timestamps after today.
> 
> Regards,
> Tim Wilde
> 
> - --
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-312-924-4033 | http://www.team-cymru.org/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFJtUaIluRbRini9tgRAvWVAKCE8pAklMYrv6XNk5GAONEykSqTHACfWcof
> WLOJQO575qBmI0Gjm6WmCIc=
> =pf/5
> -----END PGP SIGNATURE-----
> 
> 

-- 

Tino T. Steward SNA1 - Security & Abuse	                                     tsteward at us.ntt.net
NTT Communications Global IP Network Operations Center                       
214-853-7344 (Ph.)                                                           214.800.7771 (Fax) 

AUP online: http://www.nttamerica.com/legal/internet/acceptable_policy.html 
AUP online: http://www.ntt.net/library/pdf/AUP.pdf 

Check http://www.cert.org for some of the latest documented exploits and your OS manufacturer for the latest security patches.

Intruder detection: http://www.cert.org/tech_tips/intruder_detection_checklist.html

Latest viruses: http://www.cert.org

Recovering from a compromised host: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html 



