RE: Conficker - your opinion on how to determine the source of infection on a given network




If you are using Cisco routers in the network and have IP cache flow turned on, use this command in enable mode: sh ip cache flow | i 01BD


SrcIf  SrcIPaddress  DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Fa0/0  x.x.x.x       Null   x.x.x.x       06  0A60  01BD  2

SrcP and DstP are the Source and Destination Ports. 01BD is 445 in hex.

If you see the same host continually scanning IPs on port 445 across many subnets, it's a pretty good indication that something is going on with that device, especially if the IPs are outside of your company's normal subnets. If you are doing any black-holing with your Cisco routers, you will see a lot of this type of traffic on the router if Conficker is present.


Jason Banks
Ford Network Operations
rbanks40@xxxxxxxx
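The check Jason describes (one host fanning out to many destinations on TCP/445, much of it to Null0) can be scripted against the flow table rather than eyeballed. The following is an added example, not code from the poster or from Cisco: it parses the eight-column `SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts` rows shown above (protocol and ports in hex, as in the output), skips the summary lines a real `show ip cache flow` prints before the table, and ranks sources by the number of distinct TCP/445 targets. The sample rows, the threshold of three targets and the function names are my assumptions.

```python
"""Added example (not from the original post): flag hosts that fan out to
many distinct destinations on TCP/445 in 'show ip cache flow' output.

Assumptions (mine, not the poster's): data rows have exactly the columns
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts, protocol and
ports are hexadecimal as in the post, and the sample lines are constructed."""
from collections import defaultdict

# Constructed sample of the router output, not a real capture.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.50       Null          10.9.0.1        06 0A60 01BD     2
Fa0/0         10.1.1.50       Null          10.9.0.2        06 0A61 01BD     2
Fa0/0         10.1.1.50       Null          172.20.5.7      06 0A62 01BD     2
Fa0/0         10.1.1.50       Fa0/1         10.1.2.15       06 0A63 01BD     3
Fa0/0         10.1.1.50       Null          198.51.100.9    06 0A64 01BD     2
Fa0/0         10.1.1.77       Fa0/1         10.1.2.20       06 C003 0050   120
Fa0/0         10.1.1.77       Fa0/1         10.1.2.15       06 C004 01BD    40
Fa0/0         10.1.1.50       Null          203.0.113.4     11 0089 0089     1
"""

SMB_PORT = 0x01BD   # 445 decimal, the port the poster greps for
TCP_HEX = "06"      # 'Pr' column value for TCP


def parse_flows(text):
    """Return one dict per data row; header, summary and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = parts
        rows.append({
            "src_if": src_if, "src_ip": src_ip, "dst_if": dst_if,
            "dst_ip": dst_ip, "proto": proto,
            "sport": int(sport, 16), "dport": int(dport, 16),
            "pkts": int(pkts),
            # DstIf 'Null' is the black-holed traffic the poster mentions
            "black_holed": dst_if == "Null",
        })
    return rows


def port445_fanout(rows):
    """Map each source IP to the set of distinct destinations it touched on TCP/445."""
    fanout = defaultdict(set)
    for r in rows:
        if r["proto"] == TCP_HEX and r["dport"] == SMB_PORT:
            fanout[r["src_ip"]].add(r["dst_ip"])
    return fanout


def suspected_scanners(rows, min_targets=3):
    """Source IPs contacting at least min_targets distinct hosts on TCP/445,
    most targets first. A busy but single-destination file-server session
    (10.1.1.77 above) does not qualify; a host walking subnets does."""
    fan = port445_fanout(rows)
    return sorted((ip for ip, targets in fan.items() if len(targets) >= min_targets),
                  key=lambda ip: -len(fan[ip]))


def black_holed_445_hits(rows, src_ip):
    """Count TCP/445 flows from src_ip whose destination interface is Null,
    i.e. attempts at addresses the router black-holes."""
    return sum(1 for r in rows
               if r["src_ip"] == src_ip and r["dport"] == SMB_PORT and r["black_holed"])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    fan = port445_fanout(flows)
    for ip in suspected_scanners(flows):
        print(f"{ip}: {len(fan[ip])} distinct TCP/445 targets, "
              f"{black_holed_445_hits(flows, ip)} of them black-holed")
```

On the constructed sample this reports only 10.1.1.50 (five distinct TCP/445 targets, four of them to Null), while 10.1.1.77, which talks to a single file server on 445 with many packets, is left alone. Pipe the real `show ip cache flow` output into `parse_flows` and raise `min_targets` to match how many hosts a legitimate machine on your network normally reaches on 445.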





-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Alexander Bas
Sent: Wednesday, August 26, 2009 5:07 AM
To: Tiflin, Conrad (ZA - Cape Town)
Cc: pen-test@xxxxxxxxxxxxxxxxx; madunix
Subject: Re: Conficker - your opinion on how to determine the source of infection on a given network

I agree...

For example, you may want to check the date and time your AV detected
the worm on a specific machine and check the username that has been
used (if available) at the time the worm was detected.

Thereafter, check the event viewer security logs and look for that
specific date and time. Check for failed or successful login audits.

If you have found the logs matching the date, time and username, check
the workstation name and the originating source address from those
logs.
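The correlation Alexander outlines (AV detection time and user name, then logon audits around that time, then the workstation name and source address in those records) is the kind of thing worth scripting once the security log has been exported. The block below is an added example, not code from the poster: it assumes the log was exported to CSV with the columns shown, uses the Windows logon-audit event IDs 4624/4625 (Vista/2008 and later; 528/540 and 529 on older systems) and logon type 3 for network logons, and the alert time, user and log rows are all constructed.

```python
"""Added example (not from the original post): correlate the AV detection
time and user name with security-log logon events and report the
workstation name and source network address recorded in them.

Assumptions (mine): the security log was exported to CSV with the columns
below; event IDs 4624 (successful logon) and 4625 (failed logon) are the
Vista/2008-era IDs, older systems use 528/540 and 529; logon type 3 is a
network logon, which is what remote SMB access produces. All sample data
is constructed."""
import csv
import io
from datetime import datetime, timedelta

SUCCESS_IDS = {4624, 528, 540}
FAILURE_IDS = {4625, 529}
NETWORK_LOGON = 3

# Constructed CSV export, not a real log.
SAMPLE_EVENTS = """\
TimeCreated,EventID,TargetUserName,WorkstationName,IpAddress,LogonType
2009-08-13 09:58:02,4625,svc_backup,WS-SALES-07,10.1.1.50,3
2009-08-13 09:58:03,4625,Administrator,WS-SALES-07,10.1.1.50,3
2009-08-13 09:58:04,4625,Administrator,WS-SALES-07,10.1.1.50,3
2009-08-13 09:58:05,4624,Administrator,WS-SALES-07,10.1.1.50,3
2009-08-13 10:02:44,4624,jsmith,WS-FIN-12,10.1.1.12,2
2009-08-13 14:30:00,4624,Administrator,DC01,-,2
"""

AV_DETECTION_TIME = datetime(2009, 8, 13, 9, 58, 30)  # constructed AV alert time
AV_USER = "Administrator"                             # user the AV product reported


def load_events(text):
    """Parse the CSV export into dicts with typed time, event ID and logon type."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["EventID"]),
            "user": row["TargetUserName"],
            "workstation": row["WorkstationName"],
            "source_ip": row["IpAddress"],
            "logon_type": int(row["LogonType"]),
        })
    return events


def logons_near(events, when, user=None, window_minutes=5):
    """Logon audits (success or failure) within +/- window of the AV alert,
    optionally restricted to the user name the AV product reported."""
    lo = when - timedelta(minutes=window_minutes)
    hi = when + timedelta(minutes=window_minutes)
    return [e for e in events
            if lo <= e["time"] <= hi
            and e["event_id"] in (SUCCESS_IDS | FAILURE_IDS)
            and (user is None or e["user"].lower() == user.lower())]


def candidate_sources(events, when, user=None, window_minutes=5):
    """Summarise network (type 3) logon attempts near the alert by origin:
    (workstation name, source address) -> failure and success counts.
    An origin with failures followed by a success is the first one to examine."""
    summary = {}
    for e in logons_near(events, when, user, window_minutes):
        if e["logon_type"] != NETWORK_LOGON:
            continue  # interactive logons at the console are not a remote source
        key = (e["workstation"], e["source_ip"])
        counts = summary.setdefault(key, {"failures": 0, "successes": 0})
        if e["event_id"] in FAILURE_IDS:
            counts["failures"] += 1
        else:
            counts["successes"] += 1
    return summary


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for (ws, ip), c in candidate_sources(evs, AV_DETECTION_TIME, AV_USER).items():
        print(f"{ws} ({ip}): {c['failures']} failed, {c['successes']} successful logon(s)")
```

With the constructed data the only network-logon origin within five minutes of the alert is WS-SALES-07 at 10.1.1.50, with two failures for the reported user and then a success; the console logons on WS-FIN-12 and DC01 are excluded. Widen `window_minutes` or drop the `user` filter when the AV product did not record which account was active.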

On Fri, Aug 14, 2009 at 1:55 AM, Tiflin, Conrad (ZA - Cape
Town)<ctiflin@xxxxxxxxxxxxxx> wrote:
Quick Question to all.


I would like to identify the SOURCE computer where the "downadup.a" worm variant originated on a given network which has been infected.

Minimal thinking tells me that I should search for the computer that's running an HTTP server between ports [1024 and 10000] - the result may be the source.


Anyone else have better ideas to determine the source computer on a network from which conficker originated?


./CT

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of madunix
Sent: 23 February 2009 09:54 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Microsoft bounty for worm creator!

http://news.bbc.co.uk/2/hi/technology/7887577.stm
"A reward of $250,000 (£172,000) has been offered by Microsoft to find
who is behind the Downadup/Conficker virus."

--
THE MASTER







------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



