Ken, whose fiber on the ground was it after all? Roderick Beck wrote:
Probably Global Crossing.
A very strong wager.
-R. ------Original Message------ From: Ken Gilmour To: isabeldias1@yahoo.com Cc: nanog@nanog.org Subject: Re: Fiber cut on Irish Sea Sent: 29 Mar 2009 16:04
We received the report from Packet Exchange; however, they are not the owners of the cable. I assume they just rent spectrum.
2009/3/29 isabel dias <isabeldias1@yahoo.com>:
affecting whom? and whose network?
--- On Sun, 3/29/09, Ken Gilmour <ken.gilmour@gmail.com> wrote:
From: Ken Gilmour <ken.gilmour@gmail.com> Subject: Fiber cut on Irish Sea To: nanog@nanog.org Date: Sunday, March 29, 2009, 4:55 PM Hi There,
Since we use a vendor of "the vendor" of two Irish Sea submarine cables I am wondering if anyone has first-hand information on the fiber cut this morning? Does anyone have a status update on what is happening? I am getting some Chinese whispers going on here.
Thanks!
Ken
Sent wirelessly via BlackBerry from T-Mobile.
Hi Isabel,

It hasn't been confirmed to me yet but some people have mentioned that it is most likely to belong to Global Crossing.

Regards,
Ken

2009/3/29 isabel dias <isabeldias1@yahoo.com>:
Ken, whose fiber on the ground was it after all?
Anyone have a copy of this? Would like to analyze it and understand its propagation. Thanks -Joe
Visit the authority: http://www.confickerworkinggroup.org/wiki/
-----Original Message----- From: Joe Blanchard [mailto:jbfixurpc@gmail.com] Sent: Sunday, March 29, 2009 4:43 PM To: nanog@nanog.org Subject: The Confiker Virus.
Anyone have a copy of this? Would like to analyze it and understand its propagation.
Thanks -Joe
Thanks, the only thing is that these, like most, websites are very vague about the mechanics behind the infiltration. Thus the reason why I asked about finding some source code/example code. It's pretty nice that these folks (Symantec/Trend) offer free help regarding these items, but the facts (TCP/UDP ports, DNS poisoning methods) are buried, which doesn't help much. Perhaps I am missing something though. Regards
-----Original Message----- From: Barry Raveendran Greene [mailto:bgreene@senki.org] Sent: Sunday, March 29, 2009 7:48 PM To: 'Joe Blanchard'; nanog@nanog.org Subject: RE: The Confiker Virus.
Joe said earlier today:
Thanks, the only thing is that these, like most, websites are very vague about the mechanics behind the infiltration
Joe, the SRI report would be right up your alley as it is the most technical in its analysis of the variants A and B as well as an explanation of the algorithm it uses to determine domain names for future use of some kind. http://mtc.sri.com/Conficker/ Sincerely, Richard Golodner
On Sun, Mar 29, 2009 at 5:16 PM, Richard Golodner <rgolodner@infratection.com> wrote:
Joe said earlier today:
Thanks, the only thing is that these, like most, websites are very vague about the mechanics behind the infiltration
Joe, the SRI report would be right up your alley as it is the most technical in its analysis of the variants A and B as well as an explanation of the algorithm it uses to determine domain names for future use of some kind.
Something folks might be interested in -- a way to detect Conficker-infected hosts in your network: https://www.honeynet.org/node/389

FYI,

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Has anyone tried the Python scs Network Scanner script? http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ I have installed Impacket-0.9.6.0 library but it throws the following warning "WARNING: Crypto package not found. Some features will fail." Does anyone know if this affects the reliability of the scs script? I have it scanning but I don't like that warning. What other library is Impacket looking for to correct that warning? -- Thanks, Joe On Mon, Mar 30, 2009 at 10:27 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Something folks might be interested in -- a way to detect Conficker-infected hosts in your network:
https://www.honeynet.org/node/389
Just FYI - I had a pretty high ratio of properly conficker-infected honeypots identified vs. false positives ratio, using nessus' appropriate signature, whereas I could never get the py script to properly run on my macbook pro ... -- Stefan On 3/30/09, JoeSox <joesox@gmail.com> wrote:
Has anyone tried the Python scs Network Scanner script? http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
I have installed Impacket-0.9.6.0 library but it throws the following warning "WARNING: Crypto package not found. Some features will fail."
Does anyone know if this affects the reliability of the scs script? I have it scanning but I don't like that warning.
What other library is Impacket looking for to correct that warning?
-- Thanks, Joe
-- Sent from my mobile device ***Stefan http://twitter.com/netfortius
you need to add python-crypto with whatever package manager your OS uses, yast line in suse: │python-crypto │2.0.1 │2.0.1 │Collection of cryptographic algorithms and protocols, implemented for use from Python d
JoeSox <joesox@gmail.com> 31/03/09 8:46 am >>> Has anyone tried the Python scs Network Scanner script? http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
I have installed Impacket-0.9.6.0 library but it throws the following warning "WARNING: Crypto package not found. Some features will fail." Does anyone know if this affects the reliability of the scs script? I have it scanning but I don't like that warning. What other library is Impacket looking for to correct that warning? -- Thanks, Joe On Mon, Mar 30, 2009 at 10:27 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Joe,

Here's the link for the Python Crypto toolkit: http://www.amk.ca/python/code/crypto.html

I scanned our internal network and didn't find anything, so I can't really vouch for its reliability though.

-----Original Message----- From: David Tebbutt [mailto:David@sunshadeseyewear.com.au] Sent: Tuesday, March 31, 2009 2:10 AM To: Paul Ferguson; JoeSox Cc: nanog@nanog.org Subject: Re: The Confiker Virus.

you need to add python-crypto with whatever package manager your OS uses, yast line in suse: |python-crypto |2.0.1 |2.0.1 |Collection of cryptographic algorithms and protocols, implemented for use from Python d
Anyone try the new nmap beta that includes the ability to detect it? nmap-4.85BETA5? I am looking for output from a scan on a known infected machine vs what I believe is a clean machine I have. Thanks, On Tue, Mar 31, 2009 at 7:48 AM, Eric Tykwinski <eric-list@truenet.com> wrote:
Joe,
Here's the link for the Python Crypto toolkit: http://www.amk.ca/python/code/crypto.html
I scanned our internal network and didn't find anything, so I can't really vouch for its reliability though.
-- Jason Biel
Here is a pretty good recap of all options, including some useful comments: http://it.slashdot.org/article.pl?sid=09/03/30/090224 (including the specific one addressing the py script: http://it.slashdot.org/comments.pl?sid=1180397&cid=27387085) Stefan On Tue, Mar 31, 2009 at 7:48 AM, Eric Tykwinski <eric-list@truenet.com> wrote:
Joe,
Here's the link for the Python Crypto toolkit: http://www.amk.ca/python/code/crypto.html
I scanned our internal network and didn't find anything, so I can't really vouch for its reliability though.
-- ***Stefan http://twitter.com/netfortius
On Tue, Mar 31, 2009 at 09:22:32AM -0400, Steven M. Bellovin wrote:

Honeynet Project has released Know Your Enemy: Containing Conficker:

Our "Know Your Enemy: Containing Conficker" whitepaper was released on March 30th as a PDF only. You can download the full paper from the link below.

Paper Abstract

The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download including source code. In addition, as a result of this paper and the hard work of Dan Kaminsky, most vulnerability scanning tools (including Nmap) should now have a plugin or signatures that allow you to remotely detect infected Conficker systems on your networks. Finally, we would like to recognize and thank the tremendous help and input of the Conficker Working Group.

Paper last updated March 30th 2009, 23:00 GMT (rev1)
http://www.honeynet.org/files/KYE-Conficker.pdf

-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
I am uncertain also. I scan a subnet on my network with Axence NetTools looking for 445 port and I receive some hits. I perform a netstat -a on some of those results but don't really see any 445 activity. The SCS script doesn't find anything either. The PCs are patched and virusscan updated. One PC when I connected to it did not navigate to the Windowsupdate website. I scheduled a Full McAfee scan as their documentation suggests (http://download.nai.com/products/mcafee-avert/documents/combating_w32_confic...), and sometime through the scan I was able to reach windowsupdate. I don't know if it was a coincidence or not that I was not able to reach the website. I haven't looked into the registry and any other places for evidence of conficker. I will probably today but I am afraid it may be a waste of time since they are already patched and updated. -- Joe On Tue, Mar 31, 2009 at 5:48 AM, Eric Tykwinski <eric-list@truenet.com> wrote:
Joe,
Here's the link for the Python Crypto toolkit: http://www.amk.ca/python/code/crypto.html
I scanned our internal network and didn't find anything, so I can't really vouch for its reliability though.
Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points? On Tue, Mar 31, 2009 at 9:41 AM, JoeSox <joesox@gmail.com> wrote:
I am uncertain also. I scan a subnet on my network with Axence NetTools looking for 445 port and I receive some hits. I perform a netstat -a on some of those results but don't really see any 445 activity. The SCS script doesn't find anything either. The PCs are patched and virusscan updated. One PC when I connected to it did not navigate to the Windowsupdate website. I scheduled a Full McAfee scan as their documentation suggests ( http://download.nai.com/products/mcafee-avert/documents/combating_w32_confic... ), and sometime through the scan I was able to reach windowsupdate. I don't know if it was a coincidence or not that I was not able to reach the website. I haven't looked into the registry and any other places for evidence of conficker. I will probably today but I am afraid it may be a waste of time since they are already patched and updated. -- Joe
-- To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
See http://honeynet.org/node/388 for snort signatures for .a and .b variants. - d. On Tue, 31 Mar 2009, Steven Fischer wrote:
Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points?
-- Dominic J. Eidson "Baruk Khazad! Khazad ai-menu!" - Gimli ---------------------------------------------------------------------------- http://www.dominiceidson.com/
Is anyone aware of any network-based signatures that could be used to identify and tag IP traffic, for dropping at the ingress/egress points?
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Has snort sigs for .A and .B variants .. haven't seen one for .C yet, but there is a tool on that same site called 'downatool2' to enumerate the domain list (to run through a parallel DNS tool, etc. and then check netflow and such).

I did this just now for the .C variant (using 'wine downatool2_01.exe -c' and then piping results through 'adnshost -a -f -Fi' after a little cleanup) .. results?

Of the 50,000 DNS names generated for today .. 32,947 don't resolve. For the remainder .. if I sort the list .. I get

107 unique /16s
308 unique /24s
11777 unique hosts (mostly sequential within a /24 or shorter mask).

Here's the top 10 /16's with count :

149.93/16 -- 8500
38.229/16 -- 2737
192.174/16 -- 404
148.81/16 -- 20
97.74/16 -- 13
75.125/16 -- 9
60.29/16 -- 7
221.130/16 -- 7
124.42/16 -- 7
118.102/16 -- 7

If anyone wants to save themselves the trouble and wants today's list of IPs (which could change quickly .. I didn't query SOA info) .. ping me off-list.

Regards,

Michael Holstein
Cleveland State University
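The aggregation Michael describes above (resolve the generated names, then count the unresolved ones, the unique hosts, /24s and /16s, and rank the /16s), written out as an added Python example that is not part of the thread. The record format (one "<name> <answer>" per line, where the answer is an IPv4 literal or a status such as NXDOMAIN) and the sample records are constructed for this example; adnshost's real output looks different, so the parser has to be adapted to whatever resolver actually feeds it.

```python
"""Summarize resolver output for one day's worth of generated domain names.

Added example. The input format is an assumption: one "<name> <answer>"
record per line, where <answer> is an IPv4 literal or a status word such as
NXDOMAIN. It is not the actual output format of adnshost or downatool2.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample records. Names are made up under example.com/net/org and
# answers use the RFC 5737 documentation prefixes, so nothing here points at
# a real host. Two names resolve to the same address to show de-duplication.
SAMPLE_RESOLUTIONS = """\
qwuhsd.example.com NXDOMAIN
pvxtrm.example.org 192.0.2.5
hlkmsa.example.net 192.0.2.6
zzvbqe.example.com 192.0.2.6
ufokdn.example.org 192.0.2.77
wnrgbs.example.net 198.51.100.9
tqplxe.example.com 198.51.100.200
mzyrda.example.org NXDOMAIN
kdjwuy.example.net 203.0.113.1
xoerqw.example.com 203.0.113.2
bvtmlc.example.org SERVFAIL
"""


@dataclass
class Summary:
    unresolved: int               # names with no address (NXDOMAIN, SERVFAIL, ...)
    hosts: int                    # distinct IPv4 addresses
    slash24s: int                 # distinct covering /24 prefixes
    slash16s: int                 # distinct covering /16 prefixes
    top16: List[Tuple[str, int]]  # /16 prefixes ranked by number of hosts
    longest_run: int              # longest run of consecutive addresses


def parse_resolutions(lines: Iterable[str]) -> Tuple[int, List[ipaddress.IPv4Address]]:
    """Split records into an unresolved count and a sorted list of unique hosts."""
    unresolved = 0
    hosts = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # tolerate trailing comments
        if not line:
            continue
        _name, _, answer = line.partition(" ")
        try:
            hosts.add(ipaddress.IPv4Address(answer.strip()))
        except ipaddress.AddressValueError:
            unresolved += 1                   # anything that is not an IPv4 literal
    return unresolved, sorted(hosts)


def covering_prefix(addr: ipaddress.IPv4Address, prefixlen: int) -> str:
    """Network containing addr at the given prefix length, e.g. '192.0.0.0/16'."""
    return str(ipaddress.IPv4Network((int(addr), prefixlen), strict=False))


def longest_sequential_run(sorted_hosts: List[ipaddress.IPv4Address]) -> int:
    """Longest run of numerically consecutive addresses in an ascending list."""
    best = run = 0
    prev = None
    for host in sorted_hosts:
        run = run + 1 if prev is not None and int(host) == int(prev) + 1 else 1
        best = max(best, run)
        prev = host
    return best


def summarize(lines: Iterable[str], top: int = 10) -> Summary:
    """Produce the per-day counts Michael reports for the resolved name list."""
    unresolved, hosts = parse_resolutions(lines)
    by16 = Counter(covering_prefix(h, 16) for h in hosts)
    by24 = {covering_prefix(h, 24) for h in hosts}
    return Summary(
        unresolved=unresolved,
        hosts=len(hosts),
        slash24s=len(by24),
        slash16s=len(by16),
        top16=by16.most_common(top),
        longest_run=longest_sequential_run(hosts),
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_RESOLUTIONS.splitlines())
    print(f"{s.unresolved} names don't resolve; {s.hosts} unique hosts, "
          f"{s.slash24s} unique /24s, {s.slash16s} unique /16s, "
          f"longest consecutive run {s.longest_run}")
    for prefix, count in s.top16:
        print(f"{prefix} -- {count}")
```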
Of the 50,000 DNS names generated for today ..
Additional info ..

Top 10 ASN by number/name :

5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc.
2820 -- 1668 AOL-ATDN - AOL Transit Data Network
2737 -- 23028 TEAM-CYMRU - Team Cymru Inc.
404 -- 760 University of Vienna, Austria
20 -- 1887 NASK-ACADEMIC NASK
10 -- 4134 CHINANET-BACKBONE No.31,Jin-rong Street
7 -- 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
5 -- 8560 ONEANDONE-AS 1&1 Internet AG
4 -- 12306 PLUSLINE Plus.Line AG IP-Services
3 -- 26496 PAH-INC - GoDaddy.com, Inc.

So you can tell the "good guys" are still at it pre-registering the bulk of the Conficker-related domain names.

Cheers,

Michael Holstein
Cleveland State University
What's the virus doing with all of those domain names? On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein <michael.holstein@csuohio.edu> wrote:
Of the 50,000 DNS names generated for today ..
On Wed, Apr 01, 2009 at 10:01:29AM -0600, Jason Iannone wrote:
What's the virus doing with all of those domain names?
Paul Vixie gave a presentation at the IEPG meeting before IETF 74. I don't think the IEPG meeting notes are up yet (they would be very informative if they were)... I don't pretend to be an expert, but my understanding based on that presentation is that the DNS is used for C&C of the botnet. Its owner only needs one of those domain names to be registered to give out orders. If they only used one, it would be relatively easy to shut them down. They use so many so that, when the good guys bust in the door and shut down the C&C domain/hosting, they can just open up shop somewhere else like nothing happened. Not entirely unlike terrorist cells.

--
David W. Hankins, Software Engineer, Internet Systems Consortium, Inc.
"If you don't do it right the first time, you'll just have to do it again." -- Jack T. Hankins
What's the virus doing with all of those domain names?
Domain names are enumerated at random (based on date) as a way around hard-coding an IP/domain that could be easily taken down. The domain names are used for the command & control of the worm, and presumably at least one of them will be registered at some point (if not already) by the worm authors. Read up on the specifics at one of the (many) sites where research is being done on it : http://www.dshield.org/conficker ~Mike.
On Apr 1, 2009, at 12:01 PM, Jason Iannone wrote:
What's the virus doing with all of those domain names?
http://lmgtfy.com/?q=conficker
I forgot to mention that I have had python-crypto already installed before I posted. I was still getting the WARNING. -- Joe On Mon, Mar 30, 2009 at 11:10 PM, David Tebbutt <David@sunshadeseyewear.com.au> wrote:
you need to add python-crypto with whatever package manager your OS uses, yast line in suse:
│python-crypto │2.0.1 │2.0.1 │Collection of cryptographic algorithms and protocols, implemented for use from Python
d
From what I can find with the nmap way, you don't want to see *Conficker: LIKELY INFECTED* or *Conficker: VULNERABLE*.
2009/3/31 JoeSox <joesox@gmail.com>
I forgot to mention that I have had python-crypto already installed before I posted. I was still getting the WARNING. -- Joe
-- Jason Biel
SRI has a detailed analysis of Conficker at http://mtc.sri.com/Conficker/

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message----- From: Joe Blanchard [mailto:jbfixurpc@gmail.com] Sent: Sunday, March 29, 2009 7:43 PM To: nanog@nanog.org Subject: The Confiker Virus.

Anyone have a copy of this? Would like to analyze it and understand its propagation.

Thanks
-Joe
On Sun, Mar 29, 2009 at 4:54 PM, Matthew Huff <mhuff@ox.com> wrote:
SRI has a detailed analysis of Conficker at http://mtc.sri.com/Conficker/
The most relevant section is the Conficker.C addendum -- this has been driving the April 1st hype.

http://mtc.sri.com/Conficker/addendumC/index.html

FYI,

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Joe Blanchard wrote:
Anyone have a copy of this? Would like to analyze it and understand its propagation.
Thanks -Joe
I'm sure someone sent you a sample by now.

As to the malware itself... I haven't personally been following conficker as I've been busy with other issues (as much as possible, anyway, with all the hype it's hard to escape), but I've been asking questions. I can try and speak on the matter from what I've learned by asking.

Conficker is a real problem, but will the world end on April Fools? The answer I gather to be the most accurate is: "The conficker threat will be exactly the same as it is today, on April 1st."

Perhaps putting a date on the threat makes people feel more comfortable. What if something happens on April 3rd? Whether we would be warned or not, we'll all likely ignore it if April 1st comes and goes quietly.

As to the unknown, the author's mind, who can really tell what they will do come the 1st? But some of the hype I've seen is truly ridiculous. I am sure some of the protected hosting companies sold quite a bit with their "we defend against conficker" products.

Is conficker a problem? Yes. Can we potentially face hardship on the 1st? Yes. Is the rest complete bull? Yes.

Gadi.
To the mainstream media: Please leave your tin foil hats at the door...

To my fellow NANOGers: I look at this virus from two perspectives. First the home computers (and small businesses without any real IT staff). And second the larger organizations with dedicated IT staff.

Home Users: Many will agree that a large percent (>50%) of home computers are infected with some sort of malware. Everything from tracking cookies, to spam drones, to botnet clients. Home users are often too cheap/lazy to get antivirus/firewall protections. And many are scared to get updates from Microsoft because of some unrealized danger this might pose. As I see it, the virus is adding at most 9(?) million to the probable 175 million (350/2 <http://en.wikipedia.org/wiki/List_of_countries_by_broadband_users>) malware infested hosts out there. In fact, it will probably be much less than that, as the people who are getting infected by this virus are probably already affected by other malware.

Everyone Else: If SQL Slammer has taught us anything, it is the importance of patch management and firewalls. And the unending stream of new malware has also taught us the importance of anti-virus software. With all the media hype and removal tools being made, there is no good reason any IT shop should be affected in any meaningful way. Invariably we will hear the stories of places that do get affected, but I doubt it will be anything overly large.

So from a network operational perspective, unless the virus author decides to launch a DDOS on a single target (and one is either that network or its upstream) I predict this will have little, if any, effect.

My $0.02,
Adam Stasiniewicz

-----Original Message----- From: Gadi Evron [mailto:ge@linuxbox.org] Sent: Monday, March 30, 2009 7:44 AM To: Joe Blanchard Cc: nanog@nanog.org Subject: The Confiker Virus hype and measures

Joe Blanchard wrote:
Stasiniewicz, Adam wrote:
So from a network operational perspective, unless the virus author decides to launch a DDOS on a single target (and one is either that network or its upstream) I predict this will have little, if any, effect.
Agreed. Although being ready to answer your abuse mail to null-route on your networks could be helpful to the community. Gadi.
The two might be related since it was reported that both happened Sunday Morning. Ken Gilmour wrote:
Hi Isabel,
It hasn't been confirmed to me yet but some people have mentioned that it is most likely to belong to Global Crossing.
Regards,
Ken
participants (23)

- Barry Raveendran Greene
- David Tebbutt
- David W. Hankins
- Dominic J. Eidson
- Eric Tykwinski
- Gadi Evron
- isabel dias
- Jason Biel
- Jason Iannone
- Joe Blanchard
- JoeSox
- John Martinez
- Ken Gilmour
- Matthew Huff
- Michael Holstein
- Paul Ferguson
- Richard Golodner
- Stasiniewicz, Adam
- Stefan
- Steven Fischer
- Steven M. Bellovin
- Warren Kumari
- Wilkinson, Alex