
Tuesday, March 31. 2009
I can already hear a chorus of "Not ANOTHER Conficker blog?", but some of you will want to know about this development.
The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks.
Furthermore, the tool is currently being integrated into mainstream vulnerability scanners like Nmap and Nessus, and into products from nCircle, Qualys and Foundstone. It detects all current variants of Conficker by flagging the changes they make to NetpwPathCanonicalize(). No doubt Conficker’s authors are already working on closing this loophole, but in the meantime the new routines should seriously mitigate the worm’s impact on corporate networks.
Kudos to Honeynet’s Tillmann Werner and Felix Leder, whose forthcoming "Know your enemy" paper will give a lot more information on the worm and on the new tool, and to Dan Kaminsky, Rich Mogull, and the Conficker Working Group for all their work on this.
For those who just have one or two machines to check, we still have a free removal tool, and as James Coulter pointed out to us, so does Sophos. In fact, so do Bitdefender, Microsoft, Kaspersky and Symantec, among others, and none of us are charging for such tools. I would stress, though, that we’re making these tools available for emergency use by people who don’t have up-to-date anti-malware on their systems right now and can’t easily get to it because the worm is in memory and won’t let them. (If you can’t get to a removal tool like ours either, our suggestion is to find someone with a clean machine to download it for you and transfer it by (preferably write-protected!) removable media.) I certainly wouldn’t recommend that you rely on one-shot tools like this as your primary defence against malware in general!
Incidentally, I happened upon the Wikipedia entry for Conficker a little while ago, which mentions several of these tools, and also mentions a couple of vendors who "can remove it with an on-demand scan." Don’t be confused by this: any mainstream product worth having should be able to detect and remove current Conficker variants by now. It doesn’t mean that vendors offering a one-shot removal tool can’t also detect or remove it with their for-fee products.
Our Thoughts: Keep your anti-virus up to date and then you don't have to worry about these attacks.
Original Article
Posted by Nancy Pursley at 10:24
Tuesday, March 31. 2009
Around the end of the last decade, when I was working for a research organization in the UK, I used to write a monthly column on security for an in-house newspaper, and was rapped over the knuckles for telling this little story. I’ve probably changed the detail since then: I don’t keep everything I’ve written including shopping lists and notes to the milkman. (Unlike novelist Jack Trevor Story, or so he claimed in one of his more overtly autobiographical books.)
A man goes to collect his motor-car from a hypermarket parking lot in Helsinki. (Just trying for an international flavour here.) As he walks in, he notices one of the market’s employees scattering large clumps of catnip round the car-park perimeter.
"Why are you doing that?" he asks.
"To keep the lions away," the employee answers.
"But there aren’t any lions in Helsinki!*"
"See how effective it is?"
I was talking about Y2K, of course. Common sense suggested that most of the dire prognostications of hundreds of thousands of Y2K viruses and other malicious activity were either taken out of context, misguided or intentional fearmongering, and that as long as you took every possible countermeasure against problems you could predict, plus anything you could think of that would mitigate what you couldn’t predict, the chances were that it would be OK. As, indeed, it mostly was. And I guess we’ll never know whether all those updates and expensive consultancies were worth the money many of us paid out, because we can’t rewind and try it again without all the outlay.
So here we are again. Another year, another round of prophecies of disaster, a few from the fringes of the AV industry, but most from outside it. Expressions of sympathy here to Graham Cluley of Sophos and Mikko Hypponen of F-Secure, who were "quoted" in a Doom and Gloom story by an English tabloid claiming that "Millions of computers around the world could go into meltdown on April 1 because of a deadly virus." Apparently the journalist concerned didn’t actually bother to contact Graham or Mikko, presumably because he knew they’d be too busy getting ready to rescue all those melting PCs.
The sad thing is that "old guard" researchers like Graham and Mikko, mindful of the over-hyped "media viruses" of the past (Friday 13th, Columbus Day), have actually gone out of their way to present a balanced view of the issue, which I’d probably define as "Take all reasonable precautions, but don’t panic." Whatever happens, it’s unlikely to be as dramatic as expected, like the comparatively few systems affected by the triggering of Michelangelo or CIH/Chernobyl. (By comparatively few, I mean hundreds or thousands rather than millions.) In this case, there may be no immediately noticeable impact at all.
What’s the betting that if there’s no drama, it will be taken as another example of hype from the very industry whose public representatives have been trying to "un-hype" the issue?
By the way, here’s a nice bit of unhyping from Joe Stewart. And it’s nice to see the industry get some credit for "calm-mongering" from Thomas Claburn and George Hulme of Information Week. To pick up on something George referred to, the reason that we don’t know exactly what, if anything, will happen on April 1st, despite having the code to analyse, is that the code doesn’t tell us. I guess that’s exactly what is piquing our curiosity.
* I’ve never been to Helsinki, but yes, it does have a zoo. However, I don’t think it has any large African mammals, as they don’t do well in that climate.
** Why did I get my knuckles rapped? Because the chief librarian*** objected to any hint that her team might not be in absolute control of the situation. A friend of mine was actually fired for talking about how the issue was being addressed in the same organization on a public mailing list, so I guess what saved me was the fact that the article didn’t make it to print.
*** No, I don’t know why the library were running the project rather than the IT team who looked after the computer systems, or the estates team who looked after the laboratory equipment. Feel free to make suggestions below, but there are no prizes on offer.
Our Thoughts: Don't panic but be prepared.
Original Article
Posted by Nancy Pursley at 10:17
Tuesday, March 31. 2009
[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batch files thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]
I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)
However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it was actually posted by our labs back in January, but it still applies.
1. Disconnect the infected computer from the network and the Internet.
2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001.
3. Reset the passwords on your administrator accounts to stronger ones. [Note that the worm can spread through shared folders.]
4. Download the one-off ESET removal application (again, using a non-infected PC), which will remove the worm.
5. Install the updated anti-virus program.
6. Re-connect the PC to the network and the Internet.
You might also want to disable Autorun.
Here’s a bit more information about using the standalone utility mentioned in step 4.
If you access that link and run it rather than save it, you might be confused by the fact that it’s a text-mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal, with a C:\ or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a graphical user interface (GUI).
If you have more than one PC to check or look after, or a slow connection, or in any case, you might want to save it to the desktop rather than run it from the web site.
When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It’s unlikely to do any harm if you do run the scan, but if Conficker is not in memory, it probably isn’t on your system anyway and certainly poses no immediate threat. It’s more important at this point to check that your AV is installed and updating properly.
It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command line, and if you saved the file as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
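Putting steps 2 and 4 of the summary, the Autorun note, the scripted -autoclean use and the administrator-rights caveat together, here is an added PowerShell pre-flight check for the PC being cleaned (example code written for this page, not ESET's tool or the post's own). It assumes the tool was saved to the desktop as EConfickerRemover.exe, and the KB numbers it maps the three bulletins to are taken from Microsoft's bulletin pages, not from this post.

```powershell
# Added example, not part of the original post or of ESET's tool.
# Run from an elevated PowerShell prompt on the (still disconnected) PC.
# Assumption: bulletin -> hotfix mapping taken from Microsoft's bulletins.
$Patches = @{ 'MS08-067' = 'KB958644'; 'MS08-068' = 'KB957097'; 'MS09-001' = 'KB958687' }
# Assumption: the removal tool was saved to the desktop under this name (see the post).
$ToolPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'EConfickerRemover.exe'

# Step 2: confirm each bulletin's hotfix is present before the PC goes back online.
$Installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($Bulletin in $Patches.Keys) {
    $Kb = $Patches[$Bulletin]
    $State = if ($Installed -contains $Kb) { 'installed' } else { 'MISSING' }
    Write-Output ("{0} ({1}): {2}" -f $Bulletin, $Kb, $State)
}

# Autorun: a NoDriveTypeAutoRun value of 0xFF disables AutoRun on every drive type.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Autorun = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($Autorun -eq 0xFF) {
    Write-Output 'Autorun: disabled for all drive types'
} else {
    Write-Output ("Autorun: NoDriveTypeAutoRun is '{0}'; set it to 0xFF to disable AutoRun" -f $Autorun)
}

# The tool detects but cannot clean properly without administrator rights.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Output 'Not running as administrator: the tool will detect Conficker but not clean it.'
}

# Step 4: run the standalone tool unattended, as the post describes for scripted use.
# The tool's exit codes are not documented on the page, so only its presence is checked.
if (Test-Path $ToolPath) {
    & $ToolPath -autoclean
} else {
    Write-Output "Removal tool not found at $ToolPath; download it on a clean PC first (step 4)."
}
```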
* I’ve also had someone mention that the DOS window comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so I have asked for more information.
If you have further questions on this, please visit the support pages at http://www.betterantivirus.com/nod32-support/.
Our Thoughts: There are great tools out there to get your computer clean.
Original Article
Posted by Nancy Pursley at 10:04
Friday, March 27. 2009
Brian Krebs on Computer Security
When it comes to criminal hackers, establishing motive is usually a no-brainer: In a majority of cases, computer worms and viruses are little more than tools that bad guys use to make money. But every so often, a prolific and sophisticated worm or virus emerges that isn't so obviously connected to a financial scheme.
Almost every time this happens, people start to get nervous and spin wild theories about the threat, until the hype surrounding said threat starts to reach a fever pitch. This is exactly what's happening with the latest version of the worm dubbed "Conficker," a contagion that has infected millions of PCs worldwide.
Computers already infected by the worm are supposed to be automatically updated with some unknown software component on April Fools Day. That's more or less the sum of what computer experts know about the rhyme or reason behind this worm, but it hasn't stopped pundits and the press alike from issuing ominous warnings.
Continue reading "Conficker: Doomsday, or the World's Longest Rickroll?"
Posted by Kyle Reiners at 17:17
BetterAntivirus.com℠ is a US based reseller of Eset Software's NOD32 Solutions
BetterAntivirus.com℠ and its contents are Copyright © Web Your Business Inc.
BetterAntivirus.com℠ & Web Your Business™ are trademarks of Web Your Business Inc.
ESET®, NOD32, ESET Antivirus, Smart Security® Trademark of ESET, LLC
All rights reserved by their respective owners.