Conflicker IDP Signature

When browsing an IDP I have been monitoring I did see several occurences of conflicker.  All going out to an external address on port 80.  All the infections have been removed.  Does anyone have a sample of what the packet would look like.  I wanted to create some custom policies but I am not sure what else to look for.  If someone could provide more info on the signature I would greatly appreciate it.  
LVL 12
nsx106052Asked:
Who is Participating?
 
Mohamed OsamaConnect With a Mentor Senior IT ConsultantCommented:
This is the most extensive analysis I have seen of the Worm's behaviour
http://mtc.sri.com/Conficker/addendumC/
you will find samples of the network traffic as well as a semi complete reverse engineering write up on the malware.
0
 
Asta CuConnect With a Mentor Commented:
Variants, but his gives good overview http://en.wikipedia.org/wiki/Conficker
 
0
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
You can actually scan your lan for it: http://www.doxpara.com/?p=1285
Here are some snort conficker sig's: http://honeynet.org/node/388
-rich
0
 
Michael-BestCommented:
Got CONLICKER Worm?
If YOU cant go here:
http://onecare.live.com/site/en-US/center/cleanup.htm
And run scans
you Got Worm:Win32/Conficker.B
Microsoft is offering $250,000 to a (Worm:Win32/Conficker.B) FIX
Hope its ME
0
 
Michael-BestCommented:
Run the: "FULL SERVICE SCAN"
http://onecare.live.com/site/en-us/default.htm
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.