Another memo, another bulletin has arrived. This time it is from the United States Computer Emergency Readiness Team (US-CERT). Our security department seems to be busy lately; these memos are becoming more frequent. Regardless, it is all for the good; after all, it is interesting to know what actions are being taken globally.
Their alert underlines what we already know, so it is not exactly a revelation to us. However, I find it interesting that the problem has escalated to such an extent that Homeland Security has been involved. Possibly there is a feeling of an attack on national security; cyber terrorism, anyone? I had a pleasurable evening last night with some friends, and we discussed whether the Chinese government engineered Conficker. I personally feel it is most likely an independent organisation or the Russian government. However, without going into a whirlwind of skulduggery and conspiracy, we were perhaps wrong on both counts and it is some 16-year-old code monkey who just happens to have been bored for the past year or so.
On a lighter note, I am now officially on holiday and I am visiting a friend of mine in Holland next week. I managed to achieve as much as I could at work, and I have locked away all pens and Post-It notes from the prying eyes of work colleagues. Call me possessive, but I would like my desk to be intact and all its contents unmoved when I return. I am sure I will make some sporadic blog posts on my travels; I will be taking a British Airways flight, which means my first visit to Terminal 5 at Heathrow airport. I hope that the baggage handlers are not on strike…
Miscellaneous, Tech
conficker, US-CERT, w32.downadup
I walked into work today with an air of anticipation about the potential torrent of problems with our servers. Fortunately, it was all quiet on the western front, with not a single incident of viral infection reported. It was somewhat anticlimactic, a similar feeling to the one you get when you pay good money to watch a mediocre film after reading the hyperbole that came with it.
Not that anyone is complaining; I and many others were quite relieved, but we had pre-empted the problem early on and thankfully our security precautions were not put to the test. Perhaps the warning of impending doom was the April Fool’s joke in itself; maybe we will never know. Nevertheless, this is probably not the last we will hear of this, and as ever, new security vulnerabilities appear every day.
If you were not so fortunate, then you may be interested in this. As part of our research, we found that Sophos has released a newer stand-alone Conficker clean-up tool. We have not needed to use it, but I thought it prudent to share it if you are still fire-fighting in your IT environment. You will need a MySophos account to download the tool; you can create one on their site.
Tech
conficker, Conficker.D, Sophos Conficker tool, w32.downadup
Microsoft sent a bulletin to us at work, with some additional internal memos about it. In their bulletin they mentioned a collective (the Conficker Working Group) specifically created to combat this virus, and noted the $250,000 reward for the culprits. However, the main detail here is the possibility that 1st April will be the trigger date for the Conficker.D variant to initiate contact with internet domains. Perhaps after contact, the instructions will be to redirect you to another URL that has the real payload, but I suppose we won’t know until it actually happens. The full blog entry by Microsoft can be read here.
As stated, this behaviour is the same as Conficker.B but introduces a wider scope in terms of which domains it will try to contact. This no doubt indicates that the virus writers want to spread it as widely as possible. If you are like me, you will have been fully security patched by now across all affected platforms. The main things to do are:
- Apply the MS08-067 patch to every Windows system; this is the vulnerability the worm exploits to spread over the network
- Keep your AV software up to date
- Monitor TCP port 445 (SMB) traffic if possible, since that is the port the worm scans and spreads over
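One way to act on the third item, as an added example that is not from the original post or from any vendor tool: a host that opens connections to many distinct peers on TCP/445 within a minute is behaving like a scanner, whereas a user hitting a couple of file servers is not. The log format below is a constructed, generic firewall/flow-log style (the `src=`, `dst=`, `dport=`, `proto=` field names are my assumption); adapt the regular expression to whatever your perimeter device or NetFlow collector actually emits.

```python
"""Flag hosts that fan out across many peers on TCP/445 in a short window.

Added example for the post's "monitor port 445 traffic" advice. The log
lines and field names are constructed for this demo, not real captures.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape: "<iso-timestamp> src=A dst=B dport=N proto=tcp ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse(line):
    """Return (timestamp, src, dst, dport, proto) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["dport"]), m["proto"].lower())


def find_smb_scanners(lines, threshold=10, window_seconds=60):
    """Sliding-window fan-out count per source on TCP/445.

    Returns {src: peak number of distinct destinations seen inside any
    window_seconds window} for sources whose peak reached `threshold`.
    """
    events = [e for e in map(parse, lines) if e and e[3] == 445 and e[4] == "tcp"]
    events.sort()                      # chronological order
    recent = defaultdict(deque)        # src -> deque of (ts, dst) in the window
    peak = {}
    for ts, src, dst, _, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                # drop events older than the window
        distinct = len({d for _, d in q})
        if distinct > peak.get(src, 0):
            peak[src] = distinct
    return {s: n for s, n in peak.items() if n >= threshold}


# Constructed sample log: one workstation sweeping twelve hosts on 445 in
# twelve seconds, one user talking to two file servers and a web proxy, and
# one host touching twelve peers on 445 but spread over an hour.
SAMPLE_LOG = (
    [f"2009-03-31T08:00:{i:02d} src=10.0.4.17 dst=10.0.9.{i + 1} dport=445 proto=tcp"
     for i in range(12)]
    + [
        "2009-03-31T08:00:05 src=10.0.4.20 dst=10.0.1.5 dport=445 proto=tcp",
        "2009-03-31T08:00:09 src=10.0.4.20 dst=10.0.1.6 dport=445 proto=tcp",
        "2009-03-31T08:00:10 src=10.0.4.20 dst=10.0.1.8 dport=80 proto=tcp",
    ]
    + [f"2009-03-31T09:{i:02d}:00 src=10.0.4.31 dst=10.0.9.{i + 1} dport=445 proto=tcp"
       for i in range(0, 60, 5)]
)

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on 445 within 60 s")
```

Only 10.0.4.17 trips the threshold; the slow host 10.0.4.31 never has more than one destination inside a 60-second window, so the threshold and window need tuning to your environment (domain controllers and backup servers legitimately fan out on 445). For the first list item, on the Windows side the MS08-067 fix ships as KB958644, so `wmic qfe get hotfixid | findstr KB958644` on a host tells you whether it is applied.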
Taking precautions is the main thing; if you have, you are unlikely to encounter this virus at all. Given how this worm is still causing problems, mainly in enterprise environments, all system administrators should be fully up to speed with it. Our company policy of banning USB devices is still in place, and we have resorted to burning files onto CD/DVD-RW. However, in certain cases we have permitted the use of USB drives. We have separate “sheep-dip” machines, completely standalone, with McAfee VirusScan Enterprise 8.5 installed. It seems to do the trick: we scan the USB drive prior to use, copy the files you need, and then scan it again afterwards. Note that the worm’s removable-media spread relies on an autorun.inf on the drive, so the sheep-dip machine must have Autorun/AutoPlay disabled, or it may run the worm the moment the drive is inserted, before the scan starts.
Tech
conficker, Conficker.D, ms08-067, w32.downadup
After a bit of digging around, I finally found the Conficker worm mentioned on Kaspersky’s website. It doesn’t help that they do not use the most common monikers for it, but anyway. I am now beginning to understand why our copy of Kaspersky is not detecting the one we found on our network. Here is an excerpt of the description from their site; the problem is the installation path at the end of the excerpt:
—————————————————————————————————————–
This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.
Installation
The worm copies its executable file to the Windows system directory as follows:
%System%\<rnd>.dll
<rnd> is a string of random symbols
—————————————————————————————————————–
I hate to say this, Kaspersky, but the infected file has varying permutations of the file extension. It is not just .DLL; it can be pretty much anything, from .txt to .png or .jpg. Basically, you cannot use the .DLL extension as the only method of detection, and if that is the case, it is not going to find it. Perhaps the first variant, “A”, was originally a .DLL, but not any more, and I believe the “B” version is much more widespread now. So how about taking a leaf out of Trend Micro’s book and looking for behavioural patterns instead of just file names…
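To make the point concrete, here is an added example (mine, not the post’s and not any vendor’s scanner) that classifies files by content rather than by extension. It reads the DOS and PE headers directly, reports whether the image carries the IMAGE_FILE_DLL characteristic, and lists section names, so a UPX-packed DLL dropped as `something.jpg` looks the same to it as `something.dll`. The sample files are constructed minimal headers written to a temporary directory; they are not real executables, and the random-looking name `ahzqd.jpg` is just illustrative.

```python
"""Identify Windows PE images by header content, independent of extension.

Added example for the post's argument that a %System%\\<rnd>.dll pattern
misses copies dropped with other extensions. The sample files below are
constructed header-only blobs, not executables or malware.
"""
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics bit set on DLL images
PE32_OPT_HEADER_SIZE = 224


def inspect_pe(path):
    """Return None if the file is not a PE image, otherwise a dict with the
    DLL flag, section names, and whether any section name starts with UPX."""
    with open(path, "rb") as f:
        data = f.read(4096)            # headers live at the front of the file
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size
    names = []
    for i in range(nsect):
        off = sect_off + i * 40        # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"dll": bool(chars & IMAGE_FILE_DLL),
            "sections": names,
            "upx": any(n.startswith("UPX") for n in names)}


def build_pe(dll=True, sections=("UPX0", "UPX1", ".rsrc")):
    """Construct a minimal PE header blob (test data only; it cannot run)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE|32BIT
    opt = b"\0" * PE32_OPT_HEADER_SIZE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), chars)
    sect = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + opt + sect


def scan_dir(root):
    """Walk root and return {relative path: inspect_pe(...)} for every PE found."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            result = inspect_pe(p)
            if result:
                hits[os.path.relpath(p, root)] = result
    return hits


def demo():
    """Drop constructed samples with misleading extensions and scan them."""
    d = tempfile.mkdtemp(prefix="pe-scan-")
    samples = {
        "ahzqd.jpg": build_pe(dll=True),                         # DLL hiding as .jpg
        "report.txt": build_pe(dll=False, sections=(".text", ".data")),
        "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 100,       # genuine PNG header
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(blob)
    return scan_dir(d)


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

This is a triage filter, not a detector: any legitimate DLL or UPX-packed tool passes the same test, and a packer can rename its sections. The point is only that the extension carries no information, so a scanner that keys on `.dll` is looking at the one property the worm’s author controls for free.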
Kaspersky description for Net-Worm.Win32.Kido
Kaspersky method of removal. It may work on some versions of the virus
Tech
conficker, Kaspersky, kido, Net-Worm.Win32.Kido.bt, w32.downadup