[nsp-sec] Conficker Remediation Effort (try this again)

Smith, Donald Donald.Smith at qwest.com
Sun Mar 29 10:27:05 EDT 2009


Everyone who hasn't read the ISP "conficker gopack" should do so asap.
There is a LOT of hype out there about April 1st. You want to be able to provide real answers to your management.
There are also some good tools and resources in there. If you're getting the cymru conficker feed you may also want to add Arbor's (atlas) feed. We are getting both and the atlas feed has more of our conficker infected customer IP addresses than the cymru list. I believe the shadowserver feed is also a bit more complete than the cymru. We will probably be adding that to our list of conficker feeds next week to increase our ability to notify customers.

The CWG is working on a way to identify conficker.c's p2p traffic via netflow.
Other tools are also being built to assist customers in identifying internal infected nodes.

4/1 should be a MAJOR non-event :) Let's make it conficker clean up day instead but without the hype.



Donald.Smith at qwest.com
Please cc the handlers to keep them all in the loop.
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Barry Greene [bgreene at juniper.net]
Sent: Friday, March 27, 2009 5:05 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Conficker Remediation Effort (try this again)

----------- nsp-security Confidential --------

[mailer strips out the PDF.]

Hi Team,

Jose, Don, and I are helping on the Conficker Working Group. As part of the
"fight" against Conficker, we are using some techniques that we all know. The
attached document lists out a brief description of what the Conficker Working
Group is trying to achieve along with offers to get ASN based reports on
Conficker infected machines.

I've uploaded the PDF to the NSP-Wiki:

https://puck.nether.net/nsp-security/wiki/images/0/06/Conficker_Information_Sheet_for_Network_Providers-20090327-03.pdf

You need your nsp-sec E-mail/password from the mailing list tool to access.

Please look through the resources from Arbor Networks, Shadowserver.org,
and Team CYMRU to ensure the ASN reports are working for you.

This document is not confidential, but as mentioned, clueing in the bad guys
would warrant discretion. The intent of the document is for it to be used
inside your organizations, so it is A-OK to pass to your team, your boss,
your boss's boss, etc.

If you have any questions, please ping Jose, Don, or me. We're on-line and on
the NSP-SEC sIRC channel.

Thanks,

Barry


Barry Raveendran Greene
Director, Juniper Security Incident Response Team (SIRT)

Tel (Office): +1 408 936-6887
Tel (Cell): +1 408 218-4669
E-mail: bgreene at juniper.net
Chat Locations:
AIM: Barry R Greene
MSN: BarryRGreene
Yahoo: BarryRGreene
Skype: barrygreene
Jabber: barryrgreene at jabber.tisf.net
MSN: BarryRGreene at hotmail.com

PGP: 0x16BF45F3



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________



