
Archive for June, 2010

JANET CSIRT Conference 2010

Tuesday, June 29th, 2010

JANET(UK), in conjunction with the JANET community, is currently planning the next JANET CSIRT Security Conference, to be held in the latter half of October 2010 on a date and at a venue to be confirmed.

As in previous years, there will be no charge for delegates to attend this event. This means that, while we will make best endeavours to ensure that as much of the community as possible has a chance to attend, there may have to be some restriction on the number of delegates per institute, depending on the response for places, which will be restricted to 100 initially.

We would appreciate hearing from members of the community with ideas for content or recommendations for speakers. We would also welcome volunteers from the community to present a security-based or security-topical talk/presentation to like-minded members of the JANET community. The conferences tend to be a fairly short day, to allow delegates to travel to and from the venue, as far as possible, on the same day. It is therefore usual to have a full program of short presentations with adequate breaks for networking and discussion. This does not exclude the odd longer presentation if an abridged version might lose its punch.

The security conferences have been very well supported and accepted by the community in the past and have been an excellent forum for the exchange of ideas and, of course, the social networking that takes place at events such as these.

Please forward any comments or suggestions directly to wally.jackson@ja.net.

Increase in Conficker/malware reports

Saturday, June 12th, 2010

There has been an increase in the number of automated Conficker/malware reports that we have been processing in recent days, and the information we have suggests that it is related to a recent drive-by download.

An attack started on the 7th June which involved compromising third-party websites and directing visitors to the site where the payload was hosted, ww.robint.us/u.js. This domain has been taken over by a trusted third party, Shadowserver, who monitor internet-wide malware infections; they have directed this domain to their HTTP sinkholes for analysis. As we track traffic going to the Shadowserver HTTP sinkholes, this has led to an increase in the number of false positives that may be present in our automated Conficker/malware reports.

Below is a short summary of the number of flows we have logged to the Shadowserver HTTP sinkholes in the last 12 complete days. It demonstrates an increase of approximately 40% over the norm, occurring from the day the attack started on the 7th of June.

Date         Number of flows to Shadowserver HTTP sinkhole
29th May     2687
30th May     2933
31st May     2561
1st June     3085
2nd June     2906
3rd June     2922
4th June     2789
5th June     2421
6th June     2491
7th June     4311
8th June     4922
9th June     4931

Therefore there is an increased probability that flows which we report in our automated Conficker/malware reports may not come from infected hosts, but rather from hosts that are visiting a compromised website and in turn attempting to download the malware payload, which is inaccessible due to the Shadowserver takeover of the payload site. It would be advisable to match up the flows in these reports with the HTTP query strings, if they are available in your logs, to filter out some of these false positives. JANET CSIRT are unable to do this as we only record limited IP and some layer 4 details.
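One way to do the matching suggested above, as an added example that is not JANET CSIRT's own tooling: each reported flow is paired with local proxy log entries for the same client, destination and time, and flagged as a likely false positive only when every matching request was for the sinkholed payload script. The CSV layouts, the sinkhole address 198.51.100.80, the host sinkholed.example, the 5-second window and the verdict names are all assumptions made for illustration.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample: flows from an automated report (198.51.100.80 stands in for a sinkhole).
REPORT = """timestamp,src_ip,dst_ip
2010-06-08 09:14:02,192.0.2.10,198.51.100.80
2010-06-08 09:20:45,192.0.2.11,198.51.100.80
2010-06-08 10:02:13,192.0.2.12,198.51.100.80
"""
# Constructed sample: local web proxy log in an assumed CSV layout.
PROXY_LOG = """timestamp,client_ip,server_ip,host,request
2010-06-08 09:14:01,192.0.2.10,198.51.100.80,ww.robint.us,/u.js
2010-06-08 09:20:44,192.0.2.11,198.51.100.80,sinkholed.example,/search?q=0
2010-06-08 11:30:00,192.0.2.12,198.51.100.80,ww.robint.us,/u.js
"""
PAYLOAD_DOMAIN = "robint.us"   # payload site named in the post
PAYLOAD_PATH = "/u.js"
WINDOW = timedelta(seconds=5)  # assumed tolerance between flow and proxy clocks

def parse(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows

def is_payload_fetch(entry):
    host = entry["host"].lower().rstrip(".")
    in_domain = host == PAYLOAD_DOMAIN or host.endswith("." + PAYLOAD_DOMAIN)
    return in_domain and entry["request"].split("?", 1)[0] == PAYLOAD_PATH

def classify(report_text, proxy_text):
    proxy = parse(proxy_text)
    verdicts = []
    for flow in parse(report_text):
        near = [e for e in proxy
                if e["client_ip"] == flow["src_ip"]
                and e["server_ip"] == flow["dst_ip"]
                and abs(e["timestamp"] - flow["timestamp"]) <= WINDOW]
        if not near:
            verdict = "no-http-record"         # nothing to go on: treat as reported
        elif all(is_payload_fetch(e) for e in near):
            verdict = "likely-false-positive"  # only the sinkholed drive-by script
        else:
            verdict = "investigate"            # some other sinkholed request
        verdicts.append((flow["src_ip"], verdict))
    return verdicts

if __name__ == "__main__":
    for src_ip, verdict in classify(REPORT, PROXY_LOG):
        print(src_ip, verdict)
```

A flow with no matching HTTP record is left as reported rather than cleared, since the absence of a log entry says nothing about whether the host is infected.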

Contact Us: irt@csirt.ja.net
PGP Key ID: 0x4EC70D66

0300 999 2340
+44 1235 822 340

Service Hours:
08:00 to 18:00 Mon-Fri
18:00 to 00:00 Mon-Fri*
09:00 to 17:00 Sat-Sun*
(*reduced service)
