Mar 31 2009 3:32PM GMT
Posted by: Troy Tate
honeynet,
diagnostic tools,
Conficker,
ms08-067,
antivirus,
patches,
anti-virus,
detection,
scanning,
vulnerability scanning,
vulnerability
A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. This tool can be run under linux or Windows. It runs a specially crafted RPC query against a host or range of IP addresses. The tool will tell if systems are clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:
1. Out of date anti-virus. The antivirus signatures had not been updated since January 2008.
2. Microsoft patches not applied.
Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself some troubles of clean-up. I will be having a discussion with my operations team about this situation and make it clear that we should have been prepared for this and this situation should not have arisen.
I am also following the advice from McAfee on Combating the Conficker worm
For more details on how the Conficker worm actually works, follow the links in my blog
Thanks for reading. Let’s continue to be good network citizens.
Mar 27 2009 12:52PM GMT
Posted by: Troy Tate
Conficker,
worm,
updates,
Microsoft updates,
Microsoft patch,
patch,
patching,
patches,
asset management
There is a feeling in the infosec community that Conficker may change its behavior April 1 and wreak havoc. Headlines have included:
ComputerWorld: Conficker’s next move a mystery to researchers
Computer Reseller News: Conficker Worm to Strike April 1
USA Today: PC security forces face April 1 showdown with Conficker worm
Here’s a great analysis of the Conficker variants and some details to show what to be concerned about.
Take a look at this guidance from Microsoft on Conficker.A and Conficker.B. You need to get the MS08-067 (KB958644) patch rolled out as soon as you can to your machines.
Good luck and if there is a big outbreak on your network, break the internet connection or shutdown the machines until you get them checked & updated. Don’t be afraid to shut things down to get them cleaned up. Then… once you do get things cleaned up and can estimate the time it took… figure out how much you could have saved and look at purchasing a good asset management system like Windows Systems Center Configuration Manager to push out patches and fixes to your devices.
Thanks for reading & let’s continue to be good network citizens.