[Dshield] Conficker

[Steve.Applegate at cityutilities.net]

I don't think this is "The Big One".  However, from 2.4M to 9+ in four 
days... that is worth looking at.

A few more important points:

The patch isn't included in automatic updates.

Replication via USB autorun is a feature.

The payload hasn't triggered yet, and we can only speculate what it could 
be.

I'm taking it seriously.  There is a symantec tool for removing it.  Also, 
snort rules can be found here:

     http://www.autoshun.com/downloads/conficker.rules

Steve Applegate




Johannes Ullrich <jullrich at euclidian.com> 
Sent by: list-bounces at lists.sans.org
01/21/2009 09:55 PM
Please respond to
General DShield Discussion List <list at lists.sans.org>


To
General DShield Discussion List <list at lists.sans.org>
cc

Subject
Re: [Dshield] Conficker






Based on what I have heard, the 9M infections are accurate (as
accurate as these numbers go). It is a pretty nasty piece of malware,
in some ways a perfect mix of social engineering and technical
ability.

On Wed, Jan 21, 2009 at 12:30 PM, Paul Marsh <pmarsh at nmefdn.org> wrote:
> Been a very long time.  Not sure if the list is even alive any longer?
>
> What's the word on Conficker/Downadup?
>
> The media has latched onto it.  Not sure if the 9M infections that
> F-Secure reports is accurate or not but I think it needs to be on our
> radar.
>
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see: 
https://lists.sans.org/mailman/listinfo/list
>
_______________________________________________
Dshield mailing list
Dshield at lists.sans.org
To change your subscription options (or unsubscribe), see: 
https://lists.sans.org/mailman/listinfo/list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sans.org/pipermail/list/attachments/20090122/26335371/attachment.htm