Posts Tagged ‘Conficker.D’

April 1st – Joke on Conficker.D?

April 1st, 2009

I walked into work today with an air of anticipation about the potential torrent of problems with our servers. Fortunately, it was all quiet on the western front, with not a single incident of viral infection reported. It was anticlimactic in a way, the feeling you get when you pay good money to watch a mediocre film after reading the hyperbole that came with it.

Not that anyone was complaining: many others and I were quite relieved, but we had pre-empted the problem early on and thankfully our security precautions were not put to the test. Perhaps the warning of impending doom was the April Fool’s joke in itself; maybe we will never know. Nevertheless, this is probably not the last we will hear of it, and as ever, new security vulnerabilities appear every day.

If you were not so fortunate, then you may be interested in this. As part of our research, we found that Sophos has released a newer stand-alone Conficker clean-up tool. We have not needed to use it, but I thought it prudent to share in case you are still firefighting in your IT environment. You will need a MySophos account to download the tool; you can create one on their site.


Conficker.D worm Doomsday – 1st April

March 30th, 2009

Microsoft sent a bulletin to us at work, and some additional memos circulated internally about this. In their bulletin, they mentioned a collective (the Conficker Working Group) specifically created to combat this virus and noted the $250,000 reward for the culprits. However, the main detail here is the possibility that 1st April will be the trigger date for the Conficker.D variant to initiate contact with internet domains. Perhaps after contact, the instructions will redirect you to another URL that hosts the real payload, but I suppose we won’t know until it actually happens. The full blog entry by Microsoft can be read here.

As stated, this behaviour is the same as Conficker.B but introduces a wider scope in terms of which domains it will try to contact. This no doubt indicates that the virus writers want to spread it as widely as possible. If you are like me, you will already be fully security patched across all affected platforms. The main things here are to:

  • Update your systems with MS08-067
  • Keep your AV software up to date
  • Monitor port 445 traffic if possible
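The third point, monitoring port 445 traffic, is easier to act on with a concrete check. The script below is an added example (not from the original post or from any vendor tool): it reads simplified firewall log lines and flags any source host that opens SMB (TCP/445) connections to many distinct destinations within a short window, which is the fan-out pattern a worm probing MS08-067 produces, as opposed to a workstation talking repeatedly to one file server. The log format and the sample lines are constructed for the example; the regular expression and the threshold are assumptions to adapt to your own logs.

```python
"""Flag hosts fanning out SMB (TCP/445) connection attempts to many distinct
addresses in a short window. Log format is a constructed, simplified firewall
export (assumption); adjust LINE_RE for real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic.
# 10.1.2.15 probes eight different hosts on 445 within seconds (scan-like),
# 10.1.2.40 talks to one file server repeatedly (normal),
# 10.1.2.50 touches three hosts (below the default threshold).
SAMPLE_LOG = """\
2009-03-30 09:00:01 ALLOW TCP 10.1.2.15:49152 -> 10.1.2.1:445
2009-03-30 09:00:01 ALLOW TCP 10.1.2.15:49153 -> 10.1.2.2:445
2009-03-30 09:00:02 DENY TCP 10.1.2.15:49154 -> 10.1.2.3:445
2009-03-30 09:00:02 ALLOW TCP 10.1.2.15:49155 -> 10.1.2.4:445
2009-03-30 09:00:02 ALLOW TCP 10.1.2.15:49156 -> 10.1.2.5:445
2009-03-30 09:00:03 DENY TCP 10.1.2.15:49157 -> 10.1.2.6:445
2009-03-30 09:00:03 ALLOW TCP 10.1.2.15:49158 -> 10.1.2.7:445
2009-03-30 09:00:03 ALLOW TCP 10.1.2.15:49159 -> 10.1.2.8:445
2009-03-30 09:00:04 ALLOW TCP 10.1.2.15:49160 -> 10.1.2.1:80
2009-03-30 09:00:05 ALLOW TCP 10.1.2.40:50001 -> 10.1.2.1:445
2009-03-30 09:00:09 ALLOW TCP 10.1.2.40:50002 -> 10.1.2.1:445
2009-03-30 09:00:20 ALLOW TCP 10.1.2.40:50003 -> 10.1.2.1:445
2009-03-30 09:00:30 ALLOW TCP 10.1.2.50:51000 -> 10.1.2.1:445
2009-03-30 09:00:31 ALLOW TCP 10.1.2.50:51001 -> 10.1.2.9:445
2009-03-30 09:00:32 ALLOW TCP 10.1.2.50:51002 -> 10.1.2.10:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])


def find_smb_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: max_distinct_destinations} for sources that reach at least
    `threshold` distinct hosts on port 445 within any `window`-long span.
    Both allowed and denied attempts count: a blocked probe is still a probe."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in parse(lines):
        if dport == 445:
            events[src].append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event; O(n^2) but fine for a demo.
        for i, (start, _) in enumerate(evs):
            targets = {dst for ts, dst in evs[i:] if ts - start <= window}
            if len(targets) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct SMB targets in one window, investigate")
```

Tune the threshold to your network: a domain controller or backup server legitimately reaches many hosts on 445, so whitelist those sources rather than lowering the bar for everyone else.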

Taking precautions is the main thing, and if you are sensible, you will not encounter this virus at all. Given that this worm is still causing problems, mainly in enterprise environments, all system administrators should be fully up to speed with it. Our company policy of banning USB devices is still in place, and we have resorted to burning files onto CD/DVD R/W. However, in certain cases we have permitted the use of USB drives. We have separate “sheep-dip” machines, completely standalone, with McAfee VirusScan Enterprise 8.5 installed. It seems to do the trick: we scan the USB drives prior to use, copy the files needed and then scan them again afterwards.
