Monday, February 2, 2009

Conficker. Watching And Waiting!

The most followed and discussed topic these days is the worm Conficker. I have been reading the posts and experiences people had with this nasty worm. One thing is sure: it is dangerous, and getting rid of it comes with a lot of worry. One comment on the National Business Review reads as follows:

Conficker
My company was infected by Conficker, right at Xmas. It has taken me 3 weeks to eradicate this worm infestation. I have noticed on the 20th, when I had 90% of the infection removed, that there was a sudden outbreak of Trojan, viral & adware/spyware on the remaining............read more.


According to several renowned internet security companies, the number of infected PCs ranges from 3.5 million up to 10 million devices. That is a botnet of enormous volume. In a lot of blogs and sites I could read what the worm might be able to do, but no concrete activity has been reported yet: nobody has seen what kind of dirty work the worm launches once it gets its commands from a C&C server. What will be covered in the next step of this attack?

Conficker is known to spread through USB devices, using an autorun.inf file. It uses AutoPlay to trick the user into "opening files and folders": the second line of the entry in the AutoPlay dialog box is modified. Under the file/folder icon you read 'Execute program from this device' instead of what it should be, 'Open files and folders with Explorer'. That small second line is the tell; the icon and the first line look exactly like the legitimate Explorer entry.

But it spreads through the network as well, by creating an HTTP server on the infected machine and opening a port for its dirty self-deployment, so that freshly compromised hosts fetch the worm from it. I found a very interesting analysis proving this: Wireshark-captured traffic of an infected machine. You can see the packets and the requests sent here.

As so much has already been written about Conficker (also known as Downadup and some other aliases), I do not want to bore my dear readers with citations of other sources. I found a nice piece of interest published on Sophos.com: a fragment of the bug-tracking database used by the worm's creators. I cannot judge its authenticity, but it is interesting to read. Find it here.

At least there are some ideas and speculations about taking preventive action before the next step is launched and the botnet receives its commands. These speculations are about sending our own commands to the infected PCs to display warning messages and motivate the user to get rid of his/her digital parasite.
More on this in the New York Times.



So what is left is to stay careful and protected: use strong passwords, disable AutoRun, and check this key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\
"ServiceDll" = "[PATH OF WORM EXECUTABLE]"


(Note that this has indicator value only. The ServiceDll is a DLL with a randomly generated name, so there is no fixed file name to search for; look for a ServiceDll entry pointing at a DLL you cannot account for.)


Then keep your virus signatures up to date, take a look at the network traffic now and then and judge whether it is realistic, tell your lady you love her, and keep monitoring the next steps from and against Conficker.
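Two items from the list above, disabling AutoRun and checking the services that svchost loads, can be done in one script. The following is an added example written for this post, not code from the original article or from any vendor tool. It assumes an elevated PowerShell on a Windows XP/Vista/7-era machine, and it treats %SystemRoot%\System32 as the only "expected" location for a netsvcs DLL, which is a heuristic for spotting odd entries rather than a rule: the script lists every service in the netsvcs group with its ServiceDll so that a randomly named DLL stands out, it does not know Conficker's names (nobody does in advance).

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell.
# 1. Disable AutoRun for every drive type.
# 2. List the svchost "netsvcs" group and the DLL each member loads, flagging
#    entries that deserve a closer look.

# --- 1. Disable AutoRun: NoDriveTypeAutoRun = 0xFF sets the bit for every drive type ---
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# --- 2. Walk the netsvcs group and show each member's ServiceDll ---
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey).netsvcs      # REG_MULTI_SZ -> string[]
$system32   = Join-Path $env:SystemRoot 'System32'              # heuristic "expected" directory

foreach ($svc in $netsvcs) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    if (-not (Test-Path $paramKey)) { continue }                # listed in the group, not installed
    $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
    if (-not $dll) { continue }                                 # service without a ServiceDll value
    $path = [Environment]::ExpandEnvironmentVariables($dll)

    $notes = @()
    if ((Split-Path $path -Parent) -ne $system32) { $notes += 'outside System32' }
    if (Test-Path $path) {
        # Caveat: catalog-signed Windows files can report NotSigned on XP/Vista/7,
        # so an unusual status is a reason to look closer, not proof of infection.
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
        if ($status -ne 'Valid') { $notes += "signature: $status" }
    } else {
        $notes += 'file not found (hidden or deleted?)'
    }
    $flag = if ($notes.Count) { 'CHECK' } else { 'ok' }
    '{0,-6} {1,-22} {2}  {3}' -f $flag, $svc, $path, ($notes -join '; ')
}
```

Read the whole list, not only the CHECK lines: a service name or DLL name that looks like random letters, sitting among the familiar Windows service names, is the indicator the registry key above is pointing at. Older Windows versions need Microsoft's AutoRun update installed before all drive types honour the NoDriveTypeAutoRun value, so verify the setting with a test USB stick after a reboot.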

Stay Safe !

Images found on Deviant Art / hladomorko and Wikipedia.
