msimard
Level 8

What a Conficker infection would look like

Hi all, I've just deployed HIPS for a company. The firewall is off at the customer's request, but the IPS is detecting a lot of intrusions triggered by a bad parameter in svchost.exe.

The exact event is: Host intrusion (hip.Illegal_API_Use)

Event ID: 18000

Threat name: 3961

Action: blocked

API name: NetpwPathCanonicalize

Vulnerability in Server Service Could Allow Remote Code Execution

Now everywhere I look it seems to point to Conficker.

The VS is 8.7, up to date; the OS is XP SP2.

If it really is a worm, would Conficker be clearly identified instead of that generic API stuff? Just wondering if I'm chasing ghosts or if this is the real deal.

Thanks.

0 Kudos
1 Reply
jmcleish
Level 13

Re: What a Conficker infection would look like

Sorry, I don't use HIPS, but

Have a look at the info here:

http://www.mcafee.com/us/threat_center/conficker.html

and there's a detection tool too.

Also this site here:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

We had a bunch of unpatched eval thin clients that got infected with Conficker when it came out, and we noticed that there were multiple account logons in the security event log (we audit logons). VirusScan blocked it and detected the source as the thin clients.

Also, we ended up disabling autorun on the domain.

I'm amazed at how many people's home machines must still be infected with Conficker, as we are still detecting it at work.

HTH

Jane

Message was edited by: jmcleish on 24/09/10 14:57:17 CDT
0 Kudos
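The two indicators discussed in this thread, the HIPS event 18000 on NetpwPathCanonicalize from the question and the burst of logons against many accounts from the reply, can be triaged together from exported event records. The script below is an added example and not from the original thread or from McAfee; the record layouts, host names, account names and thresholds are constructed assumptions, and only the event ID, signature and API name come from the post.

```python
"""Triage constructed HIPS and logon-audit records for the two Conficker
indicators this thread mentions. Added example, not from the original thread;
record layouts, host names and thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed HIPS records: (host, event_id, signature, api_name, action)
HIPS_EVENTS = [
    ("ws01", 18000, "hip.Illegal_API_Use", "NetpwPathCanonicalize", "blocked"),
    ("ws01", 18000, "hip.Illegal_API_Use", "NetpwPathCanonicalize", "blocked"),
    ("ws01", 18000, "hip.Illegal_API_Use", "NetpwPathCanonicalize", "blocked"),
    ("ws02", 18000, "hip.Illegal_API_Use", "CreateRemoteThread", "blocked"),
]
# Constructed logon-audit records: (target_host, account, source_host, outcome)
LOGON_EVENTS = [
    ("ws01", "administrator", "tc07", "failure"),
    ("ws01", "admin", "tc07", "failure"),
    ("ws01", "backup", "tc07", "failure"),
    ("ws01", "jsmith", "tc07", "failure"),
    ("ws03", "jdoe", "ws03", "success"),
]

def ms08067_targets(events, min_count=2):
    """Hosts with repeated blocked Illegal_API_Use hits on NetpwPathCanonicalize,
    the Server Service API abused by MS08-067 exploits. Repetition separates a
    one-off false positive from a host being hammered by a worm on the LAN."""
    hits = Counter(
        host for host, eid, sig, api, action in events
        if eid == 18000 and sig == "hip.Illegal_API_Use"
        and api == "NetpwPathCanonicalize" and action == "blocked")
    return {h: n for h, n in hits.items() if n >= min_count}

def logon_spray_sources(events, min_accounts=3):
    """Source hosts that failed logons against many distinct accounts: the
    'multiple account logons' the reply saw, which matches Conficker's
    weak-password guessing against admin shares."""
    seen = defaultdict(set)
    for _target, account, source, outcome in events:
        if outcome == "failure":
            seen[source].add(account)
    return {s: len(a) for s, a in seen.items() if len(a) >= min_accounts}

def triage(hips_events, logon_events):
    """Merge both signals into host -> list of evidence strings for follow-up."""
    report = defaultdict(list)
    for host, n in ms08067_targets(hips_events).items():
        report[host].append(f"{n} blocked NetpwPathCanonicalize calls")
    for src, n in logon_spray_sources(logon_events).items():
        report[src].append(f"failed logons to {n} distinct accounts")
    return dict(report)
```

With the constructed data, ws01 shows up as the target of repeated exploitation attempts and tc07 as the machine doing the password guessing, which is the host to isolate and scan first.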