NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Pen-test> 2009-08

Re: Conficker - your opion on how to determine the source of infection on a given network

From: Alexander Bas (bas.alexandergmail.com)
Date: Wed Aug 26 2009 - 04:06:45 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I agree...

For example, you may want to check the date and time your AV detected
the worm on a specific machine and check the username that have been
used (if available) at the time the worm was detected.

Thereafter, check the event viewer security logs and look for that
specific date and time. Check for failures or success login audits.

If you have found the logs matching the date, time and username. Check
the worsktation name and the originating source address from that
logs.

On Fri, Aug 14, 2009 at 1:55 AM, Tiflin, Conrad (ZA - Cape
Town)<ctiflindeloitte.co.za> wrote:
> Quick Question to all.
>
>
> I would like to identify the SOURCE computer where the "downadup.a" worm variant originated a given network which has been infected.
>
> Minimal thinking tells me that I should search for the computer that's running an HTTP server between ports [1024 and 10000] - the result may be the source.
>
>
> Anyone else have better ideas to determine the source computer on a network from which conficker originated?
>
>
> ./CT
>
> -----Original Message-----
> From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com] On Behalf Of madunix
> Sent: 23 February 2009 09:54 AM
> To: pen-testsecurityfocus.com
> Subject: Microsoft bounty for worm creator!
>
> http://news.bbc.co.uk/2/hi/technology/7887577.stm
> "A reward of $250,000 (£172,000) has been offered by Microsoft to find
> who is behind the Downadup/Conficker virus."
>
> --
> THE MASTER
>
>
>
> Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by visiting our website and viewing the webpage at the following address: http://www.deloitte.com/za/disclaimer. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to zaitservicedeskdeloitte.co.za.
>
>
>

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]