In 2011 viruses were distributed globally that forced computers to use a network of DNS servers run by a malicious organisation going by the name of Rove Digital.
Although the organisation and its infrastructure were taken down by law enforcement authorities, the DNS servers they had set up had to be temporarily replaced with a safe alternative to prevent (potentially) millions of users effectively losing the ability to use the internet.
That temporary replacement is being switched off on Monday, 9th July 2012.
You should check your systems this weekend to see if you are affected. The number of potentially infected systems was last reported on 11/Jun/2012 and stood at just over 300,000. That makes it unlikely you are infected, but it is still worth checking.
The website DCWG has been set up to help and advise on what to do if you are worried or want to check your system.
The DNSChanger Working Group is there to help.
EC Council && C|EH, Cisco && CCNA Sec, (ISC)2 && CISSP:
Earlier this year I was able to take and pass C|EH, Certified Ethical Hacker, from EC Council.
The insight this course (thank you, Sean Hanna) and certification gave me is invaluable in my career.
Although I have been working in many small elements of Information Security for some years, I have only just started directing my career that way.
This is by far the most common worm I see on Windows systems at the moment.
If you are watching the network traffic, the symptom you will see is calls to the website http://Trafficconverter.biz
The worm utilises a flaw in Windows dating back to 2008. This is a classic example of poor patching and incomplete security, combined, of course, with some clever programming from the worm authors.
MS08-067 basically describes a mechanism where a vulnerable system will run arbitrary code (of the attacker's choice) when it is received from the network in a particular fashion (“carefully crafted RPC requests”). A long list of Windows versions (2000 SP4, XP SP2, XP SP3, XP Pro, 2003 SP1, 2003 SP2, Vista, 2008, plus the x64 variants of all of these) is vulnerable, and that was the secret of the initial run of infections.
But the worm is capable of creating hooks on the system that allow it to reinstall itself and occasionally install copies on systems that are not vulnerable to the original flaw.
The only way I have so far found that is 100% effective is:
- Take every PC/server/laptop machine that may have been exposed off the network.
- Scan every system thoroughly with a recent Conficker scanner.
- Run the most recent removal tool available on all infected systems.
- Do not allow any system onto the clean network unless it has been scanned/cleaned.
- Patch every single machine.
- Update antivirus on all systems.
- Disable AutoRun on every system.
- Scan for unusual HTTP ports on PCs (another symptom of infection).
- Ban laptop users from connecting to untrusted networks, including their home network.
If this isn’t done then the worm, unfortunately, keeps reappearing.
Massively disruptive beast.
On the positive side, the Russian website mentioned above is currently live but no longer serving malicious code. It is also detected by most antivirus and antimalware tools.
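The two symptoms described above (requests to Trafficconverter.biz and unexpected listening HTTP ports on PCs) can be turned into a simple triage report over collected logs. The following is an added example written for this post, not code from the original entry; the proxy log and listener inventory are constructed samples, and the baseline of expected Windows ports is an assumption to tune for your own estate.

```python
import re
from urllib.parse import urlsplit
# Constructed sample proxy log (not from the original post): time, client IP, method, URL.
PROXY_LOG = """\
2012-07-06T09:12:01 10.0.0.15 GET http://www.example.com/index.html
2012-07-06T09:12:07 10.0.0.23 GET http://trafficconverter.biz/some/path
2012-07-06T09:13:40 10.0.0.15 GET http://TRAFFICCONVERTER.BIZ/
"""

# Constructed per-host listening-socket inventory, e.g. gathered with netstat on each PC.
LISTENERS = """\
10.0.0.15 TCP 0.0.0.0:135 LISTENING
10.0.0.15 TCP 0.0.0.0:445 LISTENING
10.0.0.23 TCP 0.0.0.0:445 LISTENING
10.0.0.23 TCP 0.0.0.0:47321 LISTENING
"""

EXPECTED_PORTS = {135, 139, 445, 3389}  # assumed baseline for a managed Windows PC; tune per estate
LISTEN_RE = re.compile(r"^(\S+)\s+TCP\s+\S+:(\d+)\s+LISTENING$")

def hosts_contacting(log_text, domain="trafficconverter.biz"):
    """Client IPs that requested the domain (any letter case) or a subdomain of it."""
    flagged = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = (urlsplit(parts[3]).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            flagged.add(parts[1])
    return flagged

def unusual_listeners(listing, expected=EXPECTED_PORTS):
    """Host -> sorted listening TCP ports outside the expected baseline."""
    found = {}
    for line in listing.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group(2)) not in expected:
            found.setdefault(m.group(1), []).append(int(m.group(2)))
    return {h: sorted(p) for h, p in found.items()}

def suspect_hosts(log_text, listing):
    """Union of both symptoms: host -> reasons it should come off the network for scanning."""
    reasons = {}
    for h in sorted(hosts_contacting(log_text)):
        reasons.setdefault(h, []).append("contacted trafficconverter.biz")
    for h, ports in unusual_listeners(listing).items():
        reasons.setdefault(h, []).append("unexpected listener on %s" % ports)
    return reasons
```

Feed `suspect_hosts` your real proxy log and a netstat export from each PC to get the list of machines to pull off the network first.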
Sophos: Conficker removal tool
Kaspersky: Conficker removal tool