Some conficker lessons learned – isc

The Internet Storm Center has posted some good lessons learned about the Conficker worm. They were written up by an academic institution that ran into the infection recently.

Mainly these reiterate the need for proper patching, making sure your antivirus and antispyware are updated, and disabling autorun and autoplay. They also point out the importance of monitoring your firewall and other logs, since Conficker will trigger entries in those places. If you're not monitoring the logs on a regular basis, how will you recognize when something suspicious is happening?
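As an added example that is not part of the ISC post or this blog, here is the kind of check a regular log review could automate: it reads constructed firewall log lines (a simple "timestamp action src -> dst:port" format is assumed) and flags any internal host that fans out to many distinct peers on one port, which is what a propagating worm looks like. It assumes the worm spreads over SMB, TCP/445, as Conficker's network propagation did.

```python
# Added example (not from the ISC post or this blog): flag hosts whose outbound
# connection attempts look like worm propagation, using constructed firewall
# log lines. Assumes a simple "timestamp action src -> dst:port" log format and
# that the worm scans many peers on one port (Conficker spread over SMB, TCP/445).
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)

# Constructed sample log: 10.0.0.7 fans out to twelve peers on 445 (worm-like),
# 10.0.0.8 is a normal client talking to one file server and one web server.
SAMPLE_LOG = "\n".join(
    [f"2009-03-01T09:00:{i:02d} DENY 10.0.0.7 -> 10.0.1.{i}:445" for i in range(1, 13)]
    + [
        "2009-03-01T09:00:20 ALLOW 10.0.0.8 -> 10.0.1.5:445",
        "2009-03-01T09:00:21 ALLOW 10.0.0.8 -> 10.0.1.5:445",
        "2009-03-01T09:00:22 ALLOW 10.0.0.8 -> 93.184.216.34:80",
    ]
)

def parse_log(text):
    """Yield (src, dst, port) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["port"])

def find_scanners(text, port=445, min_peers=10):
    """Return {src: peer_count} for hosts that contacted at least min_peers
    distinct destinations on `port`. Counting distinct peers rather than raw
    hits is what separates a propagating worm from a chatty but normal client."""
    peers = defaultdict(set)
    for src, dst, p in parse_log(text):
        if p == port:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= min_peers}

if __name__ == "__main__":
    for host, n in find_scanners(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct peers on TCP/{445} -> isolate and rebuild")
```

The threshold is deliberately a parameter: tune min_peers against a week of your own logs before trusting it, because a backup server or vulnerability scanner will legitimately touch many hosts on 445.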

Finally, the poster points out something that is painfully obvious. The ONLY true way to ensure that an infected system is clean is to completely reinstall from scratch. You may think "Well, I back up regularly, so that should be good enough..." My questions to you are these: When did you get infected? Do you have a backup from prior to that date? And how do you KNOW that the backup isn't infected?

If you honestly can't answer all of those questions, then you need to reinstall. My suggestion is this. Reinstall the operating system, then update it fully. Reinstall all of the programs that you normally use. Then make an image of that system. That will be your "base" system from now on. If you stop using some programs and start using new ones, document those changes alongside the base image. That way, in the future, you can restore the image, apply any updates released since the image was made, and then make the documented changes.

This does not mean that you shouldn't back up regularly. On the contrary, you should back up more often precisely because of these worms. But it does mean that if you need to restore because of a worm, you probably won't want to trust the backups. What this means is exactly what I said: make a base image so you have something clean to start from. When you restore from that image, UPDATE first, CHANGE things later.

Have a great day :)

Patrick.
