Archive for March 31st, 2009

Computer Virus Update:

If you have not heard, tomorrow the net could be hit by a major virus/worm that could compromise your security by taking over your machine and making you part of an evil BOTNET. The security experts over at eEye have written this about the potential issues and given some nice ways to prevent it, and to detect whether you are already infected:

http://www.eeye.com/html/conficker/index.html

Conficker Worm Overview

Introduction

The Conficker worm is a very formidable threat to modern-day networks. The worm uses multiple methods to infect remote systems, and utilizes a very advanced P2P architecture in order to communicate with other infected systems. Furthermore, it has shown signs of an advanced update mechanism that would allow infected systems to rapidly receive updates in order to evade detection or to be used in some malicious manner.

Below is a visualization of the propagation and communication mechanisms currently seen within Conficker infections.

As depicted above, Conficker is a very powerful threat utilizing a blend of exploits and functionality issues within the Microsoft Windows Operating System, while also utilizing human propagation means via thumb-drive sharing. The worm has been identified on millions of workstations, servers, and laptops throughout the world.

Suggested Actions

Administrators are strongly urged to utilize the Free Conficker / MS08-067 Detection Utility available for download here:

http://www.eeye.com/html/downloads/other/ConfickerScanner.html

This utility allows network administrators to rapidly assess their networks in order to find hosts that are infected by Conficker, or that are missing the most critical patch necessary to block Conficker's network propagation attacks.
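A minimal version of the "missing patch" half of that assessment, written for this post as an added example and not eEye's scanner: the script below asks each host in an inventory list whether the MS08-067 security update (its Knowledge Base id is KB958644) is installed, and reports hosts where it is absent or where the query failed. It assumes RPC/WMI access to the hosts with an account that has local administrator rights, and the host names are constructed placeholders to be replaced with your own inventory.

```powershell
# Added example (not the eEye Conficker scanner): find Windows hosts that lack the
# MS08-067 security update, which ships as KB958644.
# Assumptions: WMI access to each host, local admin rights, and that $hosts comes
# from your own inventory. The names below are constructed placeholders.
$hosts = @('WS-LAB-01', 'WS-LAB-02', 'SRV-LAB-01')
$kb    = 'KB958644'   # Knowledge Base id of the MS08-067 update

$results = foreach ($h in $hosts) {
    try {
        # Get-HotFix reads the Win32_QuickFixEngineering class on the remote host.
        $fixes = Get-HotFix -ComputerName $h -ErrorAction Stop
        $match = $fixes | Where-Object { $_.HotFixID -eq $kb }
        if ($match) {
            New-Object PSObject -Property @{ Host = $h; Status = 'patched'; InstalledOn = $match.InstalledOn }
        } else {
            # Caveat: Windows versions released after October 2008 (Windows 7,
            # Server 2008 R2) include the fix and never list this KB. Check the
            # OS version before treating such a host as vulnerable.
            New-Object PSObject -Property @{ Host = $h; Status = 'MISSING'; InstalledOn = $null }
        }
    } catch {
        # Unreachable host or access denied: record it instead of skipping it,
        # because an unreachable host is not a patched host.
        New-Object PSObject -Property @{ Host = $h; Status = "error: $($_.Exception.Message)"; InstalledOn = $null }
    }
}

$results | Select-Object Host, Status, InstalledOn | Format-Table -AutoSize
```

Hosts reported MISSING are the ones to patch or isolate first; hosts that return an error need a follow-up by hand, and on the affected systems the patch status should be confirmed again after reboot, since Get-HotFix only reflects what the host has recorded as installed.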

Free Protection Utility

Users are also urged to use a powerful host-based protection suite with anti-virus, such as eEye’s Blink Personal or Professional. In addition to the detection of the Conficker worm, eEye Digital Security’s Blink Endpoint Protection Platform can effectively protect hosts, even if they are not patched, from the propagation of this worm. Using protocol-based IPS analyzers, Blink can detect and stop the malicious traffic associated with MS08-067 and block the worm from self-propagating. For installations that are already infected, Blink’s multi-layer antivirus engine will remove the Conficker worm and provide protection until a permanent remediation is performed on the host. Free trials are available for Blink Professional here, and a free version of Blink is available for personal use here.

Maintain Microsoft Updates

Users and administrators are strongly urged to maintain all of the latest patches from Microsoft and all other software vendors with applications on endpoint systems. This can be easily maintained by using eEye’s Retina Network Security Scanner to identify all vulnerabilities on a network. Windows users can also enjoy the benefits of this vulnerability assessment by using eEye Digital Security’s Blink Endpoint Protection Platform to perform a vulnerability assessment of the host system on which it is installed.

References

The HoneyNet Project:
http://www.honeynet.org/papers/conficker/
Felix Leder and Tillmann Werner, Containing Conficker:
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker
Microsoft Security Advisory 967940:
http://www.microsoft.com/technet/security/advisory/967940.mspx
Microsoft Malware Protection Center:
http://tinyurl.com/absz6f
Microsoft Security Bulletin MS08-067:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
SANS Internet Storm Center:
http://isc.sans.org/diary.html?storyid=5860
Shadowserver Foundation:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212