This is a Security Bulletin related to Microsoft Windows. If you no longer wish to receive security bulletins on this product, please reply to this communication.
We are notifying you of a recent increase in activity that may allow unauthorized system access, expose sensitive information, and lead to a domain, site or device compromise.
Name: Conficker.C Worm
Severity: Medium
Versions Affected: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
CVE Candidate: CVE-2008-4250
Vulnerability Description: Conficker is a widespread worm that infects computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). Conficker.C arrives as an update from B and does not spread by itself.
Vulnerability details: Conficker.C takes the following actions against a compromised system:
- Deactivates Windows Security Center notifications
- Prevents restart in Safe Mode
- Prevents Windows Defender from running at system startup
- Deletes all system restore points
- Disables various error-reporting and security services
- Terminates over twenty security-related processes
- Blocks DNS queries
- Blocks access to security and antivirus websites
Detection:
1. Use malware detection tools
The worm installs its main program as a Windows service to ensure it executes each time the computer is booted. A security tool that detects or blocks attempts to install software in places where it is executed on boot would be useful. You may also consider using additional anti-malware products such as Spybot Search & Destroy.
2. Implement firewall filtering
Conficker peer-to-peer traffic can be blocked by firewalls. Best practice is to configure firewalls so that network hosts cannot connect to arbitrary TCP and UDP ports.
3. Monitor firewall connections
Some signs of Conficker.C activity include:
- Devices receiving an increased volume of inbound ICMP messages. This is backscatter traffic due to failed TCP and UDP connections.
- Outgoing connections to high-order ports (1024-65535) going to many different random IP addresses.
- DNS lookups for strange or seemingly random domain names, anywhere from 10-25 per 5-minute window.
- Established connections on high-order ports with encrypted network traffic.
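The three log-visible indicators above (inbound ICMP backscatter, outbound high-port fan-out to many distinct addresses, and DNS lookup bursts per 5-minute window) can be checked mechanically over firewall logs. The following Python script is an added example, not part of the bulletin and not a Microsoft or vendor tool. It assumes a constructed, space-separated log format (epoch time, direction, protocol, source, destination, destination port); the sample log lines are constructed inline, and the alert thresholds are assumptions chosen for the example, since the bulletin only gives "many" random addresses and 10-25 DNS lookups per window.

```python
"""Flag Conficker.C network symptoms from firewall logs (added example).

Assumed log format (constructed for this example; adapt parse_line() to
your firewall's real format):
    <epoch_seconds> <direction:in|out> <proto:tcp|udp|icmp> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the bulletin.
WINDOW_SECONDS = 300       # the bulletin's 5-minute observation window
HIGH_PORT_MIN = 1024       # high-order ports 1024-65535
FANOUT_THRESHOLD = 20      # distinct high-port destination IPs per window
DNS_THRESHOLD = 10         # lower end of the bulletin's 10-25 DNS lookups
ICMP_THRESHOLD = 15        # inbound ICMP messages per window (backscatter)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, direction, proto, src, dst, dport = line.split()
    return {"ts": int(ts), "dir": direction, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def window_of(ts):
    """Bucket a timestamp into its 5-minute window start."""
    return ts - ts % WINDOW_SECONDS


def analyze(lines):
    """Return sorted (indicator, host, window_start, count) alerts."""
    fanout = defaultdict(set)    # (src, window) -> distinct high-port dst IPs
    dns = defaultdict(int)       # (src, window) -> DNS queries sent
    icmp_in = defaultdict(int)   # (dst, window) -> inbound ICMP received
    for line in lines:
        r = parse_line(line)
        w = window_of(r["ts"])
        if r["proto"] == "icmp" and r["dir"] == "in":
            icmp_in[(r["dst"], w)] += 1
        elif r["dir"] == "out" and r["proto"] in ("tcp", "udp"):
            if r["proto"] == "udp" and r["dport"] == 53:
                dns[(r["src"], w)] += 1
            elif r["dport"] >= HIGH_PORT_MIN:
                fanout[(r["src"], w)].add(r["dst"])
    alerts = []
    for (host, w), dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append(("high_port_fanout", host, w, len(dsts)))
    for (host, w), n in dns.items():
        if n >= DNS_THRESHOLD:
            alerts.append(("dns_burst", host, w, n))
    for (host, w), n in icmp_in.items():
        if n >= ICMP_THRESHOLD:
            alerts.append(("inbound_icmp", host, w, n))
    return sorted(alerts)


def build_sample_log():
    """Constructed log: one suspicious host (10.0.0.7), one normal host (10.0.0.8)."""
    base = 1000200  # multiple of 300, so every line lands in one window
    lines = []
    # Suspicious host: 25 outbound high-port connections to 25 distinct IPs,
    # 12 DNS queries, and 18 inbound ICMP messages in the same window.
    for i in range(1, 26):
        lines.append(f"{base + i} out tcp 10.0.0.7 198.51.100.{i} {4000 + i}")
    for i in range(12):
        lines.append(f"{base + 40 + i} out udp 10.0.0.7 10.0.0.2 53")
    for i in range(1, 19):
        lines.append(f"{base + 60 + i} in icmp 198.51.100.{i} 10.0.0.7 0")
    # Normal host: a few HTTPS connections to one address and two DNS queries.
    for i in range(3):
        lines.append(f"{base + 100 + i} out tcp 10.0.0.8 203.0.113.5 443")
    for i in range(2):
        lines.append(f"{base + 110 + i} out udp 10.0.0.8 10.0.0.2 53")
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

Running the script against the constructed log yields three alerts, all for 10.0.0.7, and none for the normal host; on real logs the thresholds should be tuned against a baseline of the site's normal fan-out and DNS rates before alerting, since busy servers legitimately exceed fixed numbers.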
Prevention:
1. Ensure systems are up-to-date
Install the Microsoft patch for MS08-067, which the worm exploits to spread. The patch is available here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx. Ensure antivirus signatures are up-to-date. The worm makes it difficult to patch systems and disables many antivirus programs; however, up-to-date products from the major antivirus vendors remain effective for detecting and preventing new infections.
2. Prevent attack vectors
Disable autorun and autoplay to prevent the worm from being introduced via USB drives, memory sticks, and similar removable media. Use strong passwords for all Windows user accounts, especially administrator-level accounts, to prevent the worm from spreading via brute force attacks on the ADMIN$ share.
Remediation:
Since variant C arrives as an update to variant B, which is still spreading in the wild, removal of older variants will prevent the upgrade to the more advanced version. Information from Microsoft regarding Conficker, including removal instructions, is available here: http://support.microsoft.com/kb/962007.
Because the worm interferes with DNS and may disable antivirus, it may be difficult to reach sites that provide assistance in detection and removal. A website designed to assist in remediation, and which is not being blocked by the worm, has been set up and can be found at: -link-.
SAN FRANCISCO - The Conficker Internet worm's feared April Fools' Day throwdown for control of millions of infected PCs stirred lots of panic but came and went with a whimper.
Security experts say some Conficker-infected computers — those poisoned with the latest version of the worm — started "phoning home" for instructions more aggressively Wednesday, trying 50,000 Internet addresses instead of 250. However, security companies monitoring the worm remained successful at blocking the communications.
"We didn't see anything that wasn't expected," said Paul Ferguson, a security researcher at antivirus software maker Trend Micro Inc. "I'm glad April 1 happened to be a nonevent. People got a little too caught up in the hype on that. (The infected computers) didn't go into attack mode, planes didn't fall out of the sky or anything like that."
Security researchers don't have a firm estimate of the number of Conficker-infected machines. There appear to be at least 3 million infected PCs, and possibly as many as 12 million, but tallies vary because some machines may have been counted multiple times, and the number fluctuates as PCs are scrubbed clean of the infection while other machines are compromised.