Some conficker lessons learned – isc

The Internet Storm Center has posted some good lessons learned about the Conficker worm, contributed by an academic institution that ran into the infection recently.

Mainly these reiterate the need for proper patching, keeping antivirus and antispyware up to date, and disabling autorun and autoplay.  They also point out the importance of monitoring your firewall and other logs, because Conficker leaves tracks there: bursts of connection attempts to TCP port 445 from a single host as it hunts for unpatched MS08-067 systems, and failed logons or account lockouts as it guesses passwords on administrative shares.  If you're not reviewing the logs on a regular basis, how will you recognize when something suspicious is happening?
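As an added illustration of the log-monitoring point (this is example code written for this post, not anything from the ISC diary), here is a small Python script that reads firewall log lines in netfilter/iptables syslog style and flags any internal host that tries to reach many distinct machines on TCP port 445 within a short window, which is what a Conficker-style MS08-067 scan looks like from the firewall.  The log format, hostnames, addresses and thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in netfilter/iptables syslog style.  Every host and
# address here is invented for the example; 10.0.5.17 is the "infected" PC,
# 10.0.5.30 is a normal workstation talking to one file server.
SAMPLE_LOG = """\
Apr 09 10:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.21 PROTO=TCP SPT=1034 DPT=445
Apr 09 10:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.22 PROTO=TCP SPT=1035 DPT=445
Apr 09 10:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.23 PROTO=TCP SPT=1036 DPT=445
Apr 09 10:01:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.24 PROTO=TCP SPT=1037 DPT=445
Apr 09 10:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.30 DST=10.0.7.5 PROTO=TCP SPT=2001 DPT=445
Apr 09 10:01:06 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=198.51.100.7 PROTO=TCP SPT=3001 DPT=80
Apr 09 10:01:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.25 PROTO=ICMP TYPE=8 CODE=0
Apr 09 10:01:08 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.26 PROTO=TCP SPT=1038 DPT=445
Apr 09 10:01:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.27 PROTO=TCP SPT=1039 DPT=445
Apr 09 10:01:10 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.28 PROTO=TCP SPT=1040 DPT=445
Apr 09 10:01:11 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.29 PROTO=TCP SPT=1041 DPT=445
Apr 09 10:02:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.30 DST=10.0.7.5 PROTO=TCP SPT=2002 DPT=445
Apr 09 10:05:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=10.0.7.30 PROTO=TCP SPT=1042 DPT=445
this line is not a firewall entry
"""

# Timestamp, verdict, SRC/DST/PROTO, and an optional DPT (absent for ICMP).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>\w+) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?:.*? DPT=(?P<dpt>\d+))?"
)


def parse_log(text, year=2009):
    """Return a list of (timestamp, src, dst, proto, dport) tuples.
    Syslog lines carry no year, so the caller supplies it; unparseable
    lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        dport = int(m["dpt"]) if m["dpt"] else None
        events.append((ts, m["src"], m["dst"], m["proto"], dport))
    return events


def find_scanners(events, port=445, window_minutes=5, min_targets=5):
    """Return {src: distinct_targets} for every source that contacted at
    least min_targets distinct hosts on TCP/port inside any sliding window
    of window_minutes.  Repeated connections to one server do not count."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if proto == "TCP" and dport == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, conns in by_src.items():
        conns.sort()                      # oldest first
        in_window = defaultdict(int)      # dst -> connections inside window
        left, best = 0, 0
        for ts, dst in conns:
            in_window[dst] += 1
            # Evict connections that fell out of the window ending at ts.
            while conns[left][0] < ts - window:
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} distinct hosts on TCP/445 within 5 minutes, investigate")
```

The threshold is deliberately on distinct destinations rather than on raw packet counts: a workstation hammering one file server over port 445 is normal, while one that walks across nine different hosts in a few minutes is almost certainly scanning, whether the firewall dropped those packets or not.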

Finally the poster points out something that is painfully obvious.  The ONLY true way to ensure that an infected system is clean is to completely reinstall from scratch.  You may think "Well, I back up regularly, so that should be good enough…" My questions to you are these:  When did you get infected?  Do you have a backup from before that date?  And how do you KNOW that the backup isn't infected?

If you honestly can't answer all of those questions, then you need to reinstall.  My suggestion is this.  Reinstall the operating system, then update it fully.  Reinstall all of the programs that you normally use.  Then make an image of that system and store it somewhere an infected machine cannot write to (offline media, not a network share the worm could reach).  That will be your "base" system from now on.  If you stop using some programs and start using new ones, document those changes alongside the base image.  That way, in the future, you can restore the image, apply any updates released since the image was made, and then make the documented changes.

This does not mean that you shouldn't back up regularly.  On the contrary, you should back up even more diligently because of these worms.  But it means that if you need to restore because of a worm, you probably won't want to trust the backups.  What this means is exactly what I said.  Make a base image, so you have something to start from.  When you restore from that image, UPDATE first, CHANGE things later.

Have a great day:)

Patrick.

Worms, worms and more worms…

It's been a busy week for the virus creators and the antivirus companies, and we're all the collateral damage.  On April 8, Conficker finally got the update that the world had been dreading eight days earlier.  As you know, the Internet didn't end.  Then, over the Easter weekend, Twitter was attacked by a worm (followed by a series of copycats the next day).

Conficker:

According to F-Secure's weblog, Conficker.E appeared on April 8.  Some of the highlights of the new variant are:

  • It coexists with Conficker.C (meaning a machine can be infected with both variants).
  • It was delivered over the P2P network (not through the domains that Conficker.C was checking).
  • It reintroduced spreading through the MS08-067 security hole, which had been removed from Conficker.C.  Apparently enough people STILL HAVE NOT PATCHED this hole that it remains a viable method of spreading.
  • It doesn't use domain name generation.
  • There are possible connections to Waledac and to rogue antispyware/antivirus products, because Conficker.C computers were seen connecting to domains that host that malware and downloading it.  Or the connection could simply be that the download happened automatically when they reached the website (much as it would when WE go there).
  • On May 3, 2009 Conficker.E will remove itself.  However, it will leave Conficker.C on the computers.

Why the creators went this route, no one’s sure.  It could be that they are playing with the security researchers (kind of saying “We’re learning and adapting to whatever you do.”), or they are just using this as a test run to see what their options are.

Either way, update your antivirus and patch your systems.  MS08-067 (KB958644) has been out since October 2008.  There is NO excuse for not having the patch installed by now.

Twitter Worms:

Over the Easter weekend, one of Twitter's competitors found a new way of promoting his site.  He found a cross-site scripting hole in how Twitter displays profiles, used obfuscated JavaScript to exploit it, and spread links to his site throughout twitterland.  The next day, he openly admitted what he did.

Now there are copycats of his worm infecting profiles.  As of right now, they're just pushing links out to anyone who views the infected profiles, but that doesn't mean they can't or won't do something more.

JavaScript obfuscation is a fancy way of saying that the commands are hidden so that antivirus and antispyware won't easily recognize them.  Because there are so many ways of hiding a command, the usual methods of detection (a set pattern or signature) don't work well.  The actual worm is an XSS (cross-site scripting) worm.  Twitter was putting profile text into the page without neutralizing it, so script that the attacker stored in his own profile ran in the browser of anyone who viewed that profile, with the viewer's own logged-in Twitter session.  The script used that session to write the same payload into the viewer's profile and post the links, which is how the worm spread from account to account.
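To make the XSS mechanism concrete, here is an added Python example (it is not Twitter's code and not the real worm's payload) that renders a profile page two ways: once by pasting the profile fields straight into the HTML, which lets a stored script tag and a javascript: link through, and once with the fields HTML-escaped and the website URL restricted to http or https.  The field names, markup and attacker strings are constructed assumptions.

```python
import html
from urllib.parse import urlparse

# Constructed attacker-controlled profile values (assumptions for the example,
# not the actual worm payload).  attacker.invalid is a reserved, unroutable name.
EVIL_BIO = '<script src="http://attacker.invalid/w.js"></script>Hi there!'
EVIL_URL = 'javascript:alert(document.cookie)'
GOOD_URL = 'https://example.org/me'


def render_profile_vulnerable(name, bio, url):
    """Interpolates user-supplied fields straight into the page: stored XSS.
    Whatever the attacker saved in his profile runs in every viewer's browser,
    inside the viewer's own session."""
    return f'<h1>{name}</h1><p>{bio}</p><a href="{url}">website</a>'


def safe_url(url):
    """Accept only absolute http(s) URLs.  Anything else (javascript:, data:,
    vbscript:, or junk with no host) is dropped so it can never become a
    clickable script.  urlparse lowercases the scheme, so case tricks fail."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return url.strip()
    return ""


def render_profile_hardened(name, bio, url):
    """HTML-escape every free-text field (quote=True also covers attribute
    context) and allow-list the URL scheme, so profile content is displayed,
    never executed."""
    def esc(s):
        return html.escape(s, quote=True)
    return (f'<h1>{esc(name)}</h1><p>{esc(bio)}</p>'
            f'<a href="{esc(safe_url(url))}">website</a>')


def looks_executable(markup):
    """Crude check used only to show the difference between the two renderers:
    does the output still contain a live script tag or a javascript: link?"""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low


if __name__ == "__main__":
    bad = render_profile_vulnerable("alice", EVIL_BIO, EVIL_URL)
    good = render_profile_hardened("alice", EVIL_BIO, EVIL_URL)
    print("vulnerable:", bad, "->", looks_executable(bad))
    print("hardened:  ", good, "->", looks_executable(good))
```

Escaping is done at output time, in the renderer, rather than by trying to strip "bad" characters when the profile is saved; the obfuscation the post describes exists precisely to defeat that kind of input filtering, while output encoding does not care what the string looks like.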

For now, the recommended precautions are to use Firefox with the NoScript add-on installed (it blocks scripts, including the worm's JavaScript, as long as you haven't whitelisted twitter.com), and to stay off profile pages on Twitter.  Most importantly, don't click on any links in tweets, replies, or direct messages.  Hopefully Twitter will have this hole closed up soon.

If you’re a twitter user, I would add “twitter” to your following list.  That way you can keep up to speed on what’s happening.

As I hear more, I’ll post more.  Have a great day:)

Patrick.

First Conficker Update After April 1st – Security Labs Alert

Websense Security Labs is reporting that Conficker has received an update via its P2P network.  As of this report, they haven't determined what the update contains, but they are analyzing the file and monitoring Conficker's communication.

I'll keep looking into this development and update the blog as I find out more.  The important thing is to stay diligent, because the update could make Conficker more dangerous to everyone, or less.  Check to see if you're infected and get your system cleaned up if you are.  If you aren't, take whatever steps are necessary to remain clean.

Have a great day:)

Patrick.

Old Worm—New Face.

As reported by Microsoft and Websense in the past few days, an old worm called Neeris has a new look.  The people behind the worm have updated it to use some of Conficker’s methods and techniques. 

Neeris was originally (and still is) an IRC bot that traveled through MSN Messenger.  It was also able to spread through the vulnerability in the Windows Server service (MS06-040), which runs inside svchost.exe.  Around April 1 of this year, the people who create and update Neeris added the MS08-067 vulnerability to the worm's arsenal, and gave it the ability to spread via Autoplay or Autorun (both techniques that Conficker uses).

If your antivirus protects you against the Neeris.gen!C variant, then you're already protected against this new face.  If it doesn't, you need to update your definitions (auto-update or manual update) or switch to an antivirus that does.  Neeris has been around since 2005, so most, if not all, antivirus programs should protect against this.

So, you ask, if most or all antivirus programs are already protecting against this, why should I care?  Because, quite simply, it means that people are learning from Conficker.  Other virus/worm/malware writers are realizing that Conficker did it right (and is still doing it right).  So now they’re hopping onto that bandwagon.  Which means that other worms will take on these techniques.  And SOONER OR LATER, they’ll get past your antivirus program.

This is why you need to keep everything updated (Windows, Antivirus, Antispyware, and Firewall).  This is also why you need to stay abreast of the security issues online.  You don’t need a degree in Security.  You don’t even need to take any courses.  But you do need to find some sources of Security-related information and check them on a regular basis.  It doesn’t have to be every day—although when they’re really discussing an issue like Conficker, you’ll want to check daily or more often.

Here's more information about Neeris and Conficker.D (Microsoft's name for the variant that most other vendors call Conficker.C, the one that started its new domain-generation routine on April 1).

Websense Blog on Neeris

Microsoft Blog on Conficker.D

Microsoft Blog on New version of Neeris

As  I hear of more blogs about this worm, I’ll update this post.

Have a great day:)
Patrick.

Starting a new Term at CTU online

I was attending the University of Phoenix online, but decided to transfer over to Colorado Technical University Online instead.  Today was the first day of my classes there, and it seems like it will be similar to UOP. 

Why am I posting this today?  For two reasons: 1) to inspire people who may be considering online colleges, and 2) because as I'm reading books for my courses, I'll be recommending some of them to you.  I already do this on my LinkedIn profile and will be doing it here as well.

Soon, I’ll post a topic on books that I recommend.  It will include some of the books that I’ve already had the pleasure of reading (yes it was a pleasant experience—albeit hurried) during my time at the University of Phoenix.  And it will be updated as I read books for CTU.

I will also provide links to the books on Amazon.  In the interest of full disclosure, the links will go through my affiliate ID.  While you don’t have to use my link, it will help to put a little extra change in my pocket.  And if you choose not to use my link to the book, I understand.  You’ll be able to search Amazon for the book by title and author.  I still recommend reading the books—even if you get them another way.

Have a great evening 🙂
Patrick.

Free security awareness training on-line from InfraGard – isc

I’m posting this because it’s a good seminar for corporations to show their employees.  At one of my previous employments (Monsanto), we were required to do Computer Based Training and shortly before I left, they were just getting started on educating their employees about Cyber Security.  This awareness training would go a long ways towards that education.

The training is free and aimed more at the ordinary employee (as opposed to an information security specialist).  If you want to take an examination to earn a certificate, that will cost you $24.95.  You can retake the exam as many times as you need to pass.  The exam is 100 randomly chosen questions.

If you’re in charge of IT at a corporation, then you may want to consider this as an option for your employees.  If nothing else, you would want the training.  As an option, you could pay for the employees to take the examination.

For home users, the training would be good also.  Even though the training is geared towards the corporate employee, everything they discuss could be applied to a home environment.  Strong passwords, good antivirus protection, safer surfing habits, protecting laptop data, not leaving your financial or other important papers out for anyone to find, and shredding important documents amongst other topics are presented.

I haven’t checked out the second link that was presented in the diary.  However the handler that wrote the diary gives it high marks too.

Let me know what you think about the sites in the diary, and about the idea of the awareness training in general.  Do you think that it would be a beneficial thing to present to employees? And do you think that it would be beneficial for home-users?

Have a great day:)
Patrick.

Was April 1 a Dud?

April 1 has come and gone.  Office and friendly April Fools pranks happened and people had a good laugh about them.  The media had hyped this April 1 as the day the Conficker worm would pull the ultimate prank though.  Did it happen?  The media would say “No” but I think something did happen.

What happened is that you became a little more conscious of the need and importance of computer security.  In some cases you even extended this awareness of security to things outside of your computer.  You checked to make sure that your alarms worked, and that your doors and windows would lock properly.  And this is a good thing.

As for Conficker, it remains to be seen what exactly came of the worm.  The botnet is still alive.  As far as the security researchers know, the Conficker.C variant started generating its 50,000 candidate domains per day and checking a random sample of 500 of them, as designed.  To anyone's knowledge there hasn't been an update yet.

Register.com, a domain name registrar and hosting provider, claims that the "April 1 issues" are affecting them right now.  They're under a DDoS (Distributed Denial of Service) attack.  It started out as a minor issue that took their site down.  Now they are admitting that it's a major situation.  What this means is that people who use their service are having trouble keeping their websites available to visitors.

NeuStar's UltraDNS service was hit earlier this week by DDoS attacks as well.  That brought sites like Amazon, Juniper, Oracle, and Salesforce down for a period of time.  Register has been hit for at least three days now.

Some customers are blaming Register.com for not being adequately prepared for this.  Others are saying that it’s not Register’s fault—but the crackers who are pulling off the attacks (Note I said “Crackers” instead of the over-used and over-hyped “Hackers” that you hear in the media).  I tend to agree with the latter on this.  While Register should (and probably did) have contingency plans for this, if it is Conficker then I doubt ANYONE would have a contingency plan to beat it.  Not even Google or Microsoft.

Why did they go after Register.com?  Who knows.  Maybe because Register.com was assisting the security groups in trying to prevent Conficker from working.  I’m sure others have been working with them, but Register is one site that seems to be publicly referenced or alluded to.  Maybe the person who’s pulling the strings on the botnet was rejected or suspended by Register.  Or maybe, just maybe, the person pulling the strings realized that hitting A LOT of smaller businesses will do more damage to our troubled economy than hitting sites like Amazon, Google, Newegg, or Microsoft.

One thing that I want to say about this is, for all of the customers who are saying that Register should have had contingency plans, where are yours?  I’m a tiny, almost non-existent business.  I’ve got websites on two different hosting sites (freewebs and office.microsoft.com) and I have a copy of my freewebs site hosted through no-ip.com on my own servers.  If I really needed to, I have accounts at three other hosting providers.  I could easily transfer my domains and a copy of my site to any one of them.  I may be down for a day or so, while the transfer takes place, but I’d still have ways of getting through to my customers.  All I would have to do, in reality, is post a message here saying “My current site is experiencing technical difficulties.  Please try these links until the situation is resolved…”  People wouldn’t know which provider is hosting my site.  Only that they’re able to get to it.

This turned into a rant about Register.com and their customers' anger.  The reality is that a lot of people failed to protect themselves and their incomes against this.  Register didn't protect its customers by keeping in touch with them about the situation.  They also didn't prepare their customers by suggesting some alternatives to take in case it was attacked.  (Of course, what company would suggest "Have backup hosting providers in case we're attacked"?)

The customers didn’t protect their businesses by saying “Hmmm…  No one knows what Conficker will do.  But, a botnet that’s as big as Conficker is rumored to be can do a lot.  What should I do to protect myself and my sites?”

The people who were infected (and still are) by Conficker or whatever botnet is attacking Register.com didn’t protect themselves either.  They should be taking more steps to prevent their computers from being infected. 

So, it's time for a lot of people to stop laying blame.  The blame, in all of its forms, will be put out and admitted to when the time comes.  It's time for the people (in whichever category they fall) to start taking steps to make sure this never happens again.

If you have a site, make contingency plans in case your host gets attacked.  Even if you’re not using Register.com or NeuStar or UltraDNS.  Just because they are the victims today doesn’t mean that freewebs or GoDaddy or even 1&1 hosting won’t be tomorrow.

If you are one of those who were, or are, infected with the worms, get clean.  Find a clean computer and download the removal tools from there.  If your computer is too far gone, copy your pictures, music, and important documents somewhere else and do a complete recovery.  Remember that a worm which spreads through autorun can ride along on the removable drive you copied to, so scan that drive from the clean system before you restore anything from it.  If your computer allows it (meaning it doesn't rely on a recovery partition on the same hard drive, which a wipe would destroy), wipe the hard drive with a disk-wiping program (DBAN is a good one, and free).  Then start over.  And make sure that you pay the subscription for your security software and keep it updated, along with Windows.  Or find a security suite that's free and use that.

If you’re a hosting provider you need to look at your contingency plans and decide are they adequate to protect you against what’s happening to Register.com.  If so, great.  If not, then you need to do whatever you can to make them adequate.  Granted, you probably won’t be able to completely protect yourself and your customers.  But, you’ll be in a better position if it does happen.  Learn from Register’s mistakes.

Have a great day:)

Patrick.

Privacy is important to me (Privacy Policy for my blog)

Because I’m relying on advertising and affiliations in order to generate some revenue for my blog, I believe that I need to incorporate a Privacy Policy to inform my readers of their rights.

First and foremost, I, the owner of this blog, do not collect any information about you (the readers of this blog). However there are third party entities that may generate and collect information about you.

The FeedJit tool on the right shows the information that they collect about you. It is a location derived from your IP address (a WHOIS-style lookup), which means it may or may not reflect your true city. It also reads the headers that your browser sends to determine how you arrived on my blog, and where you left to (if you leave via a link on my blog).

FeedJit’s Privacy Policy and Terms of Service can be found here.

I use third-party advertising companies to serve ads when you visit my blog. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you.

The ad-serving sites that I use are Google’s Adsense which include the following information about Google and the DoubleClick DART cookie:

  • Google, as a third party vendor, uses cookies to serve ads on your site.
  • Google’s use of the DART cookie enables it to serve ads to your users based on their visit to your sites and other sites on the Internet.
  • Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy.

Also, I use Amazon Associates, which supplies the following link to their Privacy Policy. Their policy applies to the widgets on the side and any links to books that I’m reading and recommending in my posts and comments.

Finally, I’ll be using ScribeFire for ad serving when they resume their program. At that point in time, I will obtain and publish the information regarding their privacy policy.

I have not researched whether the use of ad-blocking software on your (the readers') systems or browsers will prevent the third-party advertisers from getting the information that they use. I would suggest checking with your ad-blocking software to determine whether or not it prevents this collection of information.

If you don’t see your location (or a nearby location to you) in the FeedJit widget, then it may indicate that your ad-blocking software does prevent this—however it’s not a guarantee.

Your privacy is very important to me. If you find that your information is being collected regardless of whether you opt-out or your ad-blocking software is supposed to prevent this, let me know what advertisers are collecting the information. I will determine what actions I can take, and will take them as appropriate.

Thank you.

Patrick.

An interesting coincidence maybe

I’m not sure if this is connected to the Conficker worm or any worm for that matter.  However it’s definitely an interesting coincidence or a really good April Fools joke played by Twitter.

A lot of people are waking up this morning to find that they suddenly have a bunch of new followers and/or they are following a lot of new people.  There’s some confusion on the wire as they are trying to figure out what’s going on.

I sat here for four hours tonight and gained (or rather added, because I followed them as well) 57 new people in those four hours.  And I have a feeling that I'm still adding more.

Some people are saying it’s a glitch with twitter.  Others are saying it’s something to do with tweepme (which is a site that gets you followers).  I’m not sure, since some of the new additions don’t have anything about tweepme on their profiles.  And still a few others have said that people’s accounts are hacked—so change your passwords.

Of course it could be something with Conficker or another worm, but that’s stretching things a lot. I doubt the creators would do something like this.  Although you never know.

One thing is for sure: if your account has been hacked, then you need to make sure your computer is clean BEFORE you change your password.  Otherwise, whatever captured the old password (a keylogger or other malware on the machine) will capture the new one too, and your troubles won't end.

So, if you have twitter, check to see if you have new followers or are following someone new (like a lot of people).  And while you’re at it, check to see if you’ve sent out any spam tweets, spam replies, or spam direct messages.  And I would definitely suggest monitoring your tweets, replies, and messages closely for a few days or weeks.

As I hear/read/am tweeted more about this, I’ll update the post.  This will be interesting, if for no other reason, then to find out what happened.

Have a great day everyone:)

Patrick.

It’s April Fools Day—Are you a fool today?

Well, it’s officially April 1 in some parts of the world.  As of this posting, it’s 1:35 am GMT.  I have a monitor in my System Tray that gives me an idea what the status of the Internet is (the Internet Traffic Report widget on the sidebar).  Right now, it’s hovering around 81% which is around the same as yesterday.  Granted only a few time zones are in April 1, but it’s still a good sign.

In 2 hours 21 minutes, the US will be in April.  So, we’ll start seeing what happens here.  By 2:00 am CDT, most of the US will be in April (aside from Alaska and Hawaii) and most of North America will be in April as well.  It’s easy to stay nation-centric and simply say “The US”.  But the truth is parts of South America will be in April before we start. 

Here’s a breakdown of when certain areas will be in April:

South America:  Brazil will be in April at the time this post is published.  Central South America will be in April in 1 hour.  Western South America will be in April in 2 hours (along with Eastern US).  Central America will be in April in 3 hours (along with Central US).  Then the rest of the US will follow suit.

So, as you can see, with roughly 10 million PCs affected, and if a number of them are in Central or South America, then by the time we hit April a good number will already be active.  Something else that isn't being considered is this: if the creators have instructions up and decide to push an update out through the worm's P2P mechanism, then there's a chance that the entire botnet will update before parts of it reach April 1.

The point of this post is this.  It’s already April 1 in most of the world.  So, if you aren’t seeing any slowdown in the Internet, and the world isn’t ending already, then it’s probably not going to happen.  There may be slowdowns in the Internet as the day goes on, but for the most part it should have started already if it was going to.  By 6:00 am CDT, everyone should be in April and some will be heading into April 2.  So, by then everything should have happened as the last few time zones are mainly islands and ocean.

Does this mean that Conficker is a dud? No.  What it means is that as of right now, the creators still aren’t doing anything with it.  Or it means that it’s silently updating from domains that it checked.  Does it mean that it’s dead? NO.  It just means that something else is in store.

So, just because April is here doesn’t mean that we can relax.  You still need to check to see if you’re infected (because somewhere around 10 million of you are) and get the virus removed.  Otherwise when the creators are ready to do something, they’ll have plenty of unwitting assistants in their game.

Have a great day:)

Patrick.