April 1st coming up - conficker time

Charles Jones charles.jones at ciscolearning.org
Mon Mar 30 22:00:11 MST 2009


On April 1st the Conficker.C virus (probably the most virulent MSWin 
virus to date) is due to "activate". By activate I mean that thus far it 
has been just spreading itself, but once the host time reaches April 1, 
it will begin attempting to contact 50,000 randomly generated domain 
names per day, looking for a host to download an update from.  What this 
update will be, nobody knows. It could be anything from new improved 
code, to deleting the hard disk, to popping up a picture of a LOLcat and 
uninstalling itself.

Why would Linux folks care about a Windows virus? Because if you have 
any infected Windows machines on your network, this virus can cause 
excessive traffic as it tries to locate a payload update, not to mention 
the network scanning it does in attempts to infect other hosts.

Here is some information on this nasty bugger:

http://en.wikipedia.org/wiki/Conficker

Here you can find a Python script and also a version of nmap specially 
designed to locate infected machines: http://www.doxpara.com/?p=1294

Here is an excellent paper on Conficker: 
http://www.honeynet.org/papers/conficker/
Direct link to the PDF: http://www.honeynet.org/files/KYE-Conficker.pdf
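
A resolver-log check for the lookup pattern described in the message above, added here as an example (it is not from the original post or from the tools it links). The log format, addresses, names and thresholds are constructed assumptions, as is the premise that most generated names will not resolve.

```python
from collections import defaultdict

def parse(line):
    """Split '<date> <time> <client> <qname> <rcode>' (assumed format)."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip malformed lines instead of crashing
    _, _, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode.upper()

def suspicious_clients(lines, min_domains=25, min_nx_ratio=0.8):
    """Return {client: (distinct_names, nx_ratio)} for clients that look up
    many distinct names, most of which do not exist (thresholds are assumptions)."""
    names = defaultdict(set)  # client -> distinct names queried
    nx = defaultdict(set)     # client -> distinct names answered NXDOMAIN
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        names[client].add(qname)
        if rcode == "NXDOMAIN":
            nx[client].add(qname)
    flagged = {}
    for client, seen in names.items():
        ratio = len(nx[client]) / len(seen)
        if len(seen) >= min_domains and ratio >= min_nx_ratio:
            flagged[client] = (len(seen), round(ratio, 2))
    return flagged

def sample_log():
    """Constructed log: one ordinary desktop and one host cycling through names."""
    log = [
        "2009-04-01 09:00:01 192.168.1.20 www.example.org NOERROR",
        "2009-04-01 09:00:05 192.168.1.20 mail.example.org NOERROR",
        "2009-04-01 09:00:09 192.168.1.20 typo-name.example NXDOMAIN",
        "garbage line",
    ]
    for i in range(40):
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"
        log.append(f"2009-04-01 09:01:{i:02d} 192.168.1.66 "
                   f"qzx{i * 7919:x}kd.example {rcode}")
    return log

if __name__ == "__main__":
    for client, (count, ratio) in suspicious_clients(sample_log()).items():
        print(f"{client}: {count} distinct names, {ratio:.0%} NXDOMAIN")
```

Counting distinct names rather than raw queries keeps a client that retries one failing lookup from being flagged.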


