Conficker worm aka skynet

Page 8

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Originally posted by: Blain
Originally posted by: Modelworks
Originally posted by: rasczak
Originally posted by: Modelworks
It worked as expected. It is trying to download from different sites. What it downloads nobody knows yet.

do you have a honeypot that you're monitoring atm? i'm actually curious enough to load it on my spare box.

Using nmap I'm watching an old p3-900 pc with winxp and no firewall or AV. Just to see what happens.
Is the XP "raw" or has it been updated since install?
MRT fixes lots of stuff.

No, the XP is SP1. Not patched. I wanted to give it every chance to show what it can do.
So far it has only contacted about 12 sites in about 3 hours of running. Conficker is small though, so it doesn't take much bandwidth to spread; it's only 87KB.


 

evident

Lifer
Apr 5, 2005
12,131
749
126
wow, this was the biggest crock of shit i've ever seen on the interwebs. my mom heard this crap on the news on her way to work, called my dad and told her to unplug the PC, so he comes in my room and wakes me up at like 5 in the morning. WTF :|
 

preslove

Lifer
Sep 10, 2003
16,754
64
91
Originally posted by: Modelworks
Originally posted by: Blain
Originally posted by: Modelworks
Originally posted by: rasczak
Originally posted by: Modelworks
It worked as expected. It is trying to download from different sites. What it downloads nobody knows yet.

do you have a honeypot that you're monitoring atm? i'm actually curious enough to load it on my spare box.

Using nmap I'm watching an old p3-900 pc with winxp and no firewall or AV. Just to see what happens.
Is the XP "raw" or has it been updated since install?
MRT fixes lots of stuff.

No, the XP is SP1. Not patched. I wanted to give it every chance to show what it can do.
So far it has only contacted about 12 sites in about 3 hours of running. Conficker is small though, so it doesn't take much bandwidth to spread; it's only 87KB.

How are you quarantining that box from the rest of your network? Isn't Conficker really, really contagious?
 

BassBomb

Diamond Member
Nov 25, 2005
8,390
1
81
Originally posted by: preslove
Originally posted by: Modelworks
Originally posted by: Blain
Originally posted by: Modelworks
Originally posted by: rasczak
Originally posted by: Modelworks
It worked as expected. It is trying to download from different sites. What it downloads nobody knows yet.

do you have a honeypot that you're monitoring atm? i'm actually curious enough to load it on my spare box.

Using nmap I'm watching an old p3-900 pc with winxp and no firewall or AV. Just to see what happens.
Is the XP "raw" or has it been updated since install?
MRT fixes lots of stuff.

No, the XP is SP1. Not patched. I wanted to give it every chance to show what it can do.
So far it has only contacted about 12 sites in about 3 hours of running. Conficker is small though, so it doesn't take much bandwidth to spread; it's only 87KB.

How are you quarantining that box from the rest of your network? Isn't Conficker really, really contagious?

Disconnect his main pc from LAN?
 

TruePaige

Diamond Member
Oct 22, 2006
9,874
2
0
Originally posted by: BassBomb
Originally posted by: preslove
Originally posted by: Modelworks
Originally posted by: Blain
Originally posted by: Modelworks
Originally posted by: rasczak
Originally posted by: Modelworks
It worked as expected. It is trying to download from different sites. What it downloads nobody knows yet.

do you have a honeypot that you're monitoring atm? i'm actually curious enough to load it on my spare box.

Using nmap I'm watching an old p3-900 pc with winxp and no firewall or AV. Just to see what happens.
Is the XP "raw" or has it been updated since install?
MRT fixes lots of stuff.

No, the XP is SP1. Not patched. I wanted to give it every chance to show what it can do.
So far it has only contacted about 12 sites in about 3 hours of running. Conficker is small though, so it doesn't take much bandwidth to spread; it's only 87KB.

How are you quarantining that box from the rest of your network? Isn't Conficker really, really contagious?

Disconnect his main pc from LAN?

Or just run properly patched systems on the rest of the LAN.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Originally posted by: TruePaige

Or just run properly patched systems on the rest of the LAN.


There is a box running Fedora and a few other things; it is my router, between it and the internet, so I can capture traffic and allow/disallow what it can/cannot do. Right now the infected box can't send or receive a packet without me seeing it.

 

KDOG

Diamond Member
Oct 9, 1999
5,525
14
81
Nothing here. My XP machine is fine. Of course it may not have actually "activated" yet... also it may just be waiting for us to become complacent and forget about it in a week or so, then SLAM!
 

James Bond

Diamond Member
Jan 21, 2005
6,023
0
0
Nothing reported on any of our customers' networks, yet. About 90% fully updated (with AV) - maybe a few hosts snuck by - still nothing though.
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Originally posted by: Insomniator
No issues at my work in the midst of migration from Symantec Antivirus to Endpoint 11.

lol...

*waits for SEP is **** thread*

<---MR4 and afraid to go to MR4a LOL
 

rasczak

Lifer
Jan 29, 2005
10,437
23
81
Originally posted by: Goosemaster
Originally posted by: Insomniator
No issues at my work in the midst of migration from Symantec Antivirus to Endpoint 11.

lol...

*waits for SEP is **** thread*

<---MR4 and afraid to go to MR4a LOL

SEP is shit.
 

sygyzy

Lifer
Oct 21, 2000
14,001
4
76
Can someone explain how Conficker registers domain names? Do registrars like GoDaddy and Namecheap have APIs that allow for bulk registration? How does Conficker "pay" for these domains? And even if they are able to register them, how will they know which ones work?

Conficker generates a series of domain names from which it tries to download updates

Conficker.C tries to evade this defensive approach by creating 50,000 domains per day, making pre-registration logistically challenging.

So first it registers a bunch of domain names (randomly) then it tries to contact them (again, randomly)? WTF? It might register aoepdp.cn successfully. What are the chances that when it generates a list of names to try to download from, it will hit on aoepdp.cn?

Also, registering a domain means nothing. Doesn't it also need hosting for the update files?

 

biggestmuff

Diamond Member
Mar 20, 2001
8,201
2
0
Originally posted by: sygyzy
Can someone explain how Conficker registers domain names? Do registrars like GoDaddy and Namecheap have APIs that allow for bulk registration? How does Conficker "pay" for these domains? And even if they are able to register them, how will they know which ones work?

Conficker generates a series of domain names from which it tries to download updates

Conficker.C tries to evade this defensive approach by creating 50,000 domains per day, making pre-registration logistically challenging.

So first it registers a bunch of domain names (randomly) then it tries to contact them (again, randomly)? WTF? It might register aoepdp.cn successfully. What are the chances that when it generates a list of names to try to download from, it will hit on aoepdp.cn?

Also, registering a domain means nothing. Doesn't it also need hosting for the update files?

The domains are from free dynamic DNS services such as dyndns.com. Namecheap.com has a free dynamic DNS.

Here's an in-depth analysis I posted in another thread.
 
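Two points in this thread fit together from a defender's side: Modelworks is watching every packet the infected box sends through a Fedora router, and sygyzy asks how a worm that generates tens of thousands of candidate domains per day (of which the operator registers only a few) could ever find the right one. The flip side of that design is a detection signal: an infected host walks through many distinct, never-seen-before names and almost all of them fail to resolve. The script below is an added example written for this page, not code from the thread or from Conficker itself. It parses a constructed resolver log (timestamp, client, query name, response code; every address and name is made up), counts NXDOMAIN responses and distinct failing domains per client, and flags clients above assumed thresholds. The "registered domain" helper just takes the last two labels, since no public-suffix list is used.

```python
"""Flag DNS clients whose lookup pattern resembles a domain-generation algorithm.

Added example for this thread, not Conficker's own code. The log format
(timestamp, client, query name, response code) and every address and name in
SAMPLE_LOG are constructed for illustration; the thresholds are assumptions.
"""
from collections import defaultdict

# Constructed resolver log: a client that only queries real names (plus one
# typo), and one that walks through generated names of which only one resolves.
SAMPLE_LOG = """\
2009-04-01T10:00:01 192.168.1.20 www.example.com NOERROR
2009-04-01T10:00:02 192.168.1.20 mail.example.com NOERROR
2009-04-01T10:00:03 192.168.1.20 wwww.example.com NXDOMAIN
2009-04-01T10:00:04 192.168.1.20 update.example.org NOERROR
2009-04-01T10:00:05 192.168.1.37 aoepdp.cn NXDOMAIN
2009-04-01T10:00:05 192.168.1.37 qzvtmk.biz NXDOMAIN
2009-04-01T10:00:06 192.168.1.37 hrlwpa.info NXDOMAIN
2009-04-01T10:00:06 192.168.1.37 xkmzdq.org NXDOMAIN
2009-04-01T10:00:07 192.168.1.37 plcvnu.net NXDOMAIN
this line is garbage and must be skipped
2009-04-01T10:00:07 192.168.1.37 tgbqwe.ws NOERROR
2009-04-01T10:00:08 192.168.1.37 bnmkio.cn NXDOMAIN
2009-04-01T10:00:08 192.168.1.37 zzqpld.com NXDOMAIN
"""


def parse_line(line):
    """Return (client, qname, rcode) for one well-formed log line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode.upper()


def registered_domain(qname):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_clients(log_text, nx_min=5, ratio_min=0.75):
    """Per client: total lookups, NXDOMAIN count, distinct failing domains, flag."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "failed_domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # tolerate malformed lines instead of aborting
            continue
        client, qname, rcode = rec
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["failed_domains"].add(registered_domain(qname))

    result = {}
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["total"]
        result[client] = {
            "total": s["total"],
            "nxdomain": s["nxdomain"],
            "distinct_failed": len(s["failed_domains"]),
            "nx_ratio": round(ratio, 3),
            # A DGA host burns through many distinct names and nearly all fail,
            # because the operator registers only a handful of the day's set.
            "flagged": s["nxdomain"] >= nx_min and ratio >= ratio_min,
        }
    return result


def flagged_clients(log_text, **kw):
    """Sorted list of client addresses that crossed both thresholds."""
    return sorted(c for c, r in score_clients(log_text, **kw).items() if r["flagged"])


if __name__ == "__main__":
    for client, r in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, r)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

On a real resolver log the same two counters (failure count and failure ratio per client per window) are what separate an infected host from a user mistyping a hostname; the thresholds here are deliberately low so the constructed sample trips them, and would be tuned upward against a baseline of normal NXDOMAIN noise.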

mrSHEiK124

Lifer
Mar 6, 2004
11,488
2
0
Originally posted by: Genx87
I thought Skynet was a counter to another virus? Meaning if this thing goes crazy the govt is supposed to unleash Skynet which then decides the best way to fix the problem is start a nuclear war.

If we're going by the lame T3 storyline, not entirely. Skynet itself was the virus that the government turned Skynet on to counter. It became aware way earlier and decided, "I want you guys to plug me in so I can fuck up your shit."
 

rasczak

Lifer
Jan 29, 2005
10,437
23
81
Originally posted by: Goosemaster
Originally posted by: NightDarker
symantec endpoint?

R O F L


Originally posted by: rasczak
Originally posted by: Goosemaster
Originally posted by: Insomniator
No issues at my work in the midst of migration from Symantec Antivirus to Endpoint 11.

lol...

*waits for SEP is **** thread*

<---MR4 and afraid to go to MR4a LOL

SEP is shit.

STFU :frown:

you started it. i was simply giving you what you wanted :)