> http://mtc.sri.com/Conficker/
Most interesting.
"First, it checks for the presence of a firewall. If a firewall exists,
the agent sends a UPNP message to open a local random high-order port
(i.e., it asks the firewall to open its backdoor port to the Internet).
Next, it opens the same high-order port on its local host: its binary
upload backdoor. This backdoor is used during propagation, to allow
newly infected victims to retrieve the Conficker binary."
There's nothing quite like a "pants down!" command to the
firewall...
Except maybe replicating via the older-than-dirt Windows Naughty Port,
TCP/445.
> http://mtc.sri.com:80/Conficker/addendumC/index.html
Oh look:
http://mtc.sri.com/Conficker/contrib/Conficker_C_P2P_Scanner.C
author: Vinod Yegneswaran
compiled and tested on - Gnu gcc ver 4.2.2, running Linux, little
endian only
Maybe I could find a copy. Don't forget to rename the extension
correctly (.c), else gcc will think it's the wrong type of source file,
since .C means something special.
./Conficker_C_P2P_Scanner -v 64.179.12.2 64.179.12.254
There don't seem to be any on my subnet at the moment:
Number of suspected Conficker hosts found: 0
Remote Penetration Call | Don't Count On Mitigation
The cloudlike distribution of possible update repositories seems new to
me, but I have been away for some number of years.
"FromTheRafters" <err...@nomail.afraid.org> wrote in message
news:gnn718$iv6$1...@reader.motzarella.org...
> http://mtc.sri.com/Conficker/
>
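The UPnP "pants down" the quoted SRI passage describes leaves a trace a defender can watch for on the LAN: an AddPortMapping request from a host to the gateway's WANIPConnection control URL. The following is an added example, not code from the SRI report or from the post, that parses such request bodies and flags mappings with the traits described above (a high-order external port, open to any remote host, permanent, with no description); the SOAP bodies and addresses are constructed.

```python
# Added example (not the SRI report's or the post's code); the SOAP bodies below are constructed.
import xml.etree.ElementTree as ET
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

def soap_body(ext_port, proto, client, desc, lease=0, remote=""):
    """Build a constructed AddPortMapping request body for the samples."""
    return (f'<?xml version="1.0"?><s:Envelope '
            f'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{WANIP_NS}">'
            f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{ext_port}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            f"<NewLeaseDuration>{lease}</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>")

def parse_add_port_mapping(body):
    """Return the AddPortMapping arguments as a dict, or None if the body has none."""
    for el in ET.fromstring(body).iter():
        if el.tag == f"{{{WANIP_NS}}}AddPortMapping":
            return {child.tag: (child.text or "").strip() for child in el}
    return None

def suspicious_reasons(m):
    """Traits of the hole the post describes: high port, any source, permanent, unlabelled."""
    reasons = []
    if int(m["NewExternalPort"]) >= 1024:
        reasons.append("high-order external port")
    if m["NewRemoteHost"] == "":
        reasons.append("open to any remote host")
    if m["NewLeaseDuration"] == "0":
        reasons.append("permanent lease")
    if m["NewPortMappingDescription"] == "":
        reasons.append("no description")
    return reasons

def scan(requests, min_reasons=3):
    """requests: (source_ip, soap_body) pairs. Returns (ip, port, reasons) for each hit."""
    flagged = []
    for src, body in requests:
        m = parse_add_port_mapping(body)
        if m is not None and len(reasons := suspicious_reasons(m)) >= min_reasons:
            flagged.append((src, int(m["NewExternalPort"]), reasons))
    return flagged

SAMPLE = [  # constructed: two unlabelled permanent high-port holes, one benign mapping
    ("192.168.1.23", soap_body(51234, "TCP", "192.168.1.23", "")),
    ("192.168.1.40", soap_body(5000, "UDP", "192.168.1.40", "media server", 3600)),
    ("192.168.1.7", soap_body(49873, "TCP", "192.168.1.7", "")),
]
```

Running `scan(SAMPLE)` flags the two hosts that asked the gateway for an unlabelled, permanent, Internet-facing high port, and passes the labelled, time-limited mapping.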