[nsp-sec] The DNS Changer Take Down - Please check your flows ....
Hank Nussbacher
hank at efes.iucc.ac.il
Thu Nov 10 01:55:05 EST 2011
At 19:23 09/11/2011 -0500, Tim Wilde wrote:
It would be useful to get one of those large reports sorted by ASN of all
infected systems so we can proxy it to those who don't have access to this
data.
Regards,
Hank
>----------- nsp-security Confidential --------
>
>On 11/9/2011 4:33 PM, Barry Greene wrote:
> > 1. Remediation. The industry is now working on remediation
> > (cleaning up the malware). We're asking everyone to work to clean
> > this malware from their customers and users.
> >
> > Logs from the clean DNS resolvers with the Source/Destination IP
> > address, ports, and time stamps are being fed to groups like
> > Shadowserver.org, Team CYMRU, and other groups. The list is fed
> > into an SIE incident channel (SIE = Security Information Exchange -
> > peering for security information).
>
>Thanks Barry! That's a little less for me to write in my e-mail. :)
>Team Cymru is including the DNS Changer log data in the "bots" daily
>reports category, with the mwtype "DNSChanger". This data started
>going out with today's Daily Reports run, and will continue as long as
>we have it. We have a writeup of this malware type on our bots report
>detail page:
>
> https://www.cymru.com/nsp-sec/dailyreports/bots.html
>
>On the next generation of that page, it will also provide a link to
>that FBI resource Barry mentioned, which contains a lot of useful
>information for your customers as you work to notify them.
>
>If you're not already subscribing to Daily Reports / ASN Alerts, you
>should be! :) They're totally free for anyone on NSP-SEC, absolutely
>nothing will be asked of you, we won't market to you, etc (I'd hope
>folks here wouldn't have to worry about that from us, but hey, you
>never know). Details can be found at the following URLs:
>
> https://www.cymru.com/nsp-sec/dailyreports/
> https://www.cymru.com/nsp-sec/ASN-Alert/
>
>(Daily Reports is what we call the data, ASN Alerts is what we call
>the e-mail alerts, it's a long legacy story, they're essentially the
>same thing. :)) Use your NSP-SEC subscription e-mail and password to
>get into the site; if you don't know them, puck can help you out:
>
> https://puck.nether.net/mailman/listinfo/nsp-security
>
>Note that if you change your password it may take up to an hour to get
>replicated into our systems.
>
>If anyone has any questions, feel free to ask them on or off-list as
>appropriate, we want to make sure this data gets out to as many folks
>as possible, as Barry said.
>
>Best regards,
>Tim
>
>- --
>Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
>twilde at cymru.com | +1-847-378-3333 | http://www.team-cymru.org/