[Dshield] Conficker

Blake McNeill mcneillb at LinkLogger.com
Fri Jan 23 01:14:50 GMT 2009


I'm having a bit of a problem buying into this worm as being a 'biggie' as
well.  First I think you need to look at where a lot of the infected
machines are and why they are infected.  As to where, according to Symantec
(as much as you believe what any AV says), China has a 28% infection rate
(https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/228),
far larger than any other country.  As to why China has a
much higher infection rate than any other country, remember that little
event in October where Microsoft had all the pirated copies of Windows
display a black background?  Well, a lot of Chinese (likely most of the 82%
pirated software) turned off and stopped doing updates, hence China is now
ripe for the hacking and will likely be the site of more mass infection over
the near future at least, which no doubt the AV companies will hype as a
worldwide event.  Don't think it is important to patch?  Ask the Chinese.

 

Blake

http://www.LinkLogger.com

 

From: list-bounces at lists.sans.org [mailto:list-bounces at lists.sans.org] On
Behalf Of Steve.Applegate at cityutilities.net
Sent: January-22-09 8:04 AM
To: General DShield Discussion List
Cc: General DShield Discussion List; list-bounces at lists.sans.org
Subject: Re: [Dshield] Conficker

 


I don't think this is "The Big One".  However, from 2.4M to 9+ in four
days... that is worth looking at. 

A few more important points: 

The patch isn't included in automatic updates. 

Replication via USB autorun is a feature. 

The payload hasn't triggered yet, and we can only speculate what it could
be. 

I'm taking it seriously.  There is a Symantec tool for removing it.  Also,
Snort rules can be found here:

     http://www.autoshun.com/downloads/conficker.rules 

Steve Applegate 





Johannes Ullrich <jullrich at euclidian.com>
Sent by: list-bounces at lists.sans.org
01/21/2009 09:55 PM
Please respond to: General DShield Discussion List <list at lists.sans.org>
To: General DShield Discussion List <list at lists.sans.org>
cc:
Subject: Re: [Dshield] Conficker

Based on what I have heard, the 9M infections are accurate (as
accurate as these numbers go). It is a pretty nasty piece of malware,
in some ways a perfect mix of social engineering and technical
ability.

On Wed, Jan 21, 2009 at 12:30 PM, Paul Marsh <pmarsh at nmefdn.org> wrote:
> Been a very long time.  Not sure if the list is even alive any longer?
>
> What's the word on Conficker/Downadup?
>
> The media has latched onto it.  Not sure if the 9M infections that
> F-Secure reports is accurate or not but I think it needs to be on our
> radar.
>
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at lists.sans.org
> To change your subscription options (or unsubscribe), see:
> https://lists.sans.org/mailman/listinfo/list
>
