And so it starts...
Just helped you with some information. You didn't seem to know about the Linux AVs
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
And so it starts...
Just helped you with some information. You didn't seem to know about the Linux AVs![]()
For some reason, I am running ClamAV
I find it hysterical how people are quick to blame IT for things like this. One of our engineering libraries that HAD internet access, promptly picked up a virus, then harassed IT over it, amongst other things. So, IT investigated further, found out that they didn't actually need internet access, and promptly removed it.
B
Linux gives you internet too![]()
Yes, and no. Many viruses are written because MS are slow to release patches, so by having a virus that exposes this, then MS are forced to act and get their code in order.
Strange then, that my Ubuntu downloads kernel patches weekly...meaning there are lots of holes.
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
*deep breath*
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
*deep breath*
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
Sorry, I just find it so funny when people try to blame anything except Microsoft's shoddy operating system. I'm enjoying the view from the safety of my Kubuntu Linux computer. Who needs a virus checker?
Casting the blame is easy to do.
Now, reality.
the thing is, if you've got a real mission-critical production system (like a bank) where downtime is an absolute no-no then the sysadmins of said site will have a test system where they will first install the patches and updates from Microsoft - and if it breaks anything, that patch doesn't get installed.
Which means that that mission-critical system might never get patched, or just a few bits and bobs at best - and all is well until somebody manages to bypass all security regulations and unleashes a worm/trojan/TIALp) onto the unpatched system. Then it is night. (I personally have seen a Windows2003 server go down hard, requiring a complete reinstall from scratch after running Windowsupdates to keep it up to date).
On the other hand, you get lazy sysadmins not wanting to patch anything, and they will just leave a system unpatched, hoping for the best.
Another possible scenario is where damagement forbade the loading of patches and updates.
Also, given our exorbitant bandwidth pricing, some companies are unable to afford Windows to update itself.
In all three cases the infection could have been avoided by remaining up to date. The fourth case Telkom is partly to blame for sucking their customers dry.
In general it is also M$'s own fault for not putting in proper protection into its own OS'es. Default deny might have helped here.
Keep the latest worm infestation off your PC
Woody Leonhard By Woody Leonhard
It's been a hellacious week for security admins all over the world: the polymorphic worm known as Downadup, Conficker, and Kido has infected millions of computers.
Fortunately, you can scan, scour, and secure your systems by following four relatively simple steps.
Remember the patch that Microsoft released suddenly — "out of cycle" in the parlance — back in October 2008? Windows Secrets followed suit with an out-of-cycle news bulletin about the patch on Oct. 24. Susan Bradley recommended that readers immediately install the update described in MS08-067 (KB article 958644) to protect against "a remote-code attack that could spread wildly across the Internet."
Just as Susan predicted, the remote-code attacks started appearing shortly thereafter. On Oct. 26, Christopher Budd of the Microsoft Security Response Center posted the following in the MSRC blog:
"We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we've not seen evidence of public, reliable exploit code showing code execution."
By mid-November, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected "over 50 distinct exploits of this vulnerability." However, MMPC said the instances were very limited: "We're getting a very small number of customer reports for these attacks."
Then Conficker.A hit the fan. (McAfee and Microsoft call the worm "Conficker," Sophos uses the name "Confick," and Symantec and F-Secure call it "Downadup"; but it's the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.
At this point, the Conficker furor should've died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren't applying key patches and a ferociously fecund variant called Conficker.B.
How Conficker differs from other worms
In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.
Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter. The MMPC's TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:
* Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.
* Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!
* If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.
* Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.
* Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.
That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable.
The worm's tricky twist on autorun.inf
Bojan Zdrnja at the SANS Internet Storm Center detailed in this blog post how Conficker.B's autorun.inf file works. To see the brilliance in the deception, it helps to understand how autorun.inf files usually work.
Let's say I put an autorun.inf file on an empty USB drive that includes the following command:
[Autorun]
open=ACoolProgram.exe
Then I stick a file called ACoolProgram.exe on the USB drive. When I plug that USB drive into a bone-stock Vista machine, I get the AutoPlay notification message shown in Figure 1.
http://mybroadband.co.za/photos/data/500/W20090122-Autoruns1.jpg
Autoplay reacting to a normal autorun.inf
Figure 1. Vista's Autoplay displaying the results of a normal autorun.inf file.
On the other hand, if I wanted to get tricky, I could change autorun.inf so it takes over the default wording on Vista's Autoplay dialog. This autorun.inf file does that very thing:
[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
open=ACoolProgram.exe
When this file is placed on a USB drive that's inserted into a stock Vista PC, the AutoPlay notification shown in Figure 2 appears.
http://mybroadband.co.za/photos/data/500/W20090122-Autoruns2.jpg
Autoplay reacting to a fancy autorun.inf
Figure 2. Vista's AutoPlay with a slightly altered autorun.inf file.
Note that the altered file pastes an icon into the AutoPlay notification that looks just like a folder icon. The autorun.inf file can say it's going to open a folder when in fact it's going to run an executable program.
When Conficker.B infects a USB drive, it creates just this type of autorun.inf file that pops up an AutoPlay notification identical to Figure 2. Clever — and for PC users, scary. Amazingly, this bit of autorun.inf infectious sleight-of-hand also works on the beta version of Windows 7.
Guide to cleaning and preventing Conficker
As of Jan. 16, 2009, F-Secure estimates in its blog that the number of Conficker-infected PCs jumped from 2.4 million to 8.9 million in just four days. Unfortunately, that number has been increasing by a million infections a day.
I don't blindly accept F-Secure's analysis, nor that of any other security-software vendor, but it has become quite apparent that an enormous number of PCs have caught this worm.
Even though a Conficker-infected PC may not be able to access Microsoft.com — and Conficker probably disabled the PC's automatic-update function, too — getting rid of the worm is surprisingly easy.
* Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.
* Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.
The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.
* Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.
* Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the advice in Scott Dunn's Top Story from the Nov. 8, 2007, issue for comprehensive instructions to disable AutoPlay.
Those four steps will ensure that your PC isn't one of the million — or nine million, or 12 million — machines currently playing host to the Conficker worm and its variants.
"Microsoft's advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
Microsoft's advice on Downadup leaves users open to attack, says US-CERT
Instructions for disabling Windows' Autorun are flawed, security group says
January 21, 2009 (Computerworld) Microsoft Corp.'s advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.
In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."
The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features.
Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the "autorun.inf" on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.
The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives. The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine. Then, when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user or the user even knowing.
The result: another PC hacked by Downadup.
Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector. According to US-CERT, Microsoft's advice is useless.
"The 'Autorun' and 'NoDriveTypeAutorun' registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems," the organization said. "Setting the Autorun registry value to '0' will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."
Likewise, the recommended "0xFF" setting for the NoDriveTypeAutorun registry entry, which Microsoft says "disables Autoplay on all drives," won't protect users from infection if they happen to double-click on the drive's icon in Windows Explorer, said US-CERT.
Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.
"Once these changes have been made, all of the Autorun code-execution scenarios described above will be mitigated because Windows will no longer parse autorun.inf files to determine which actions to take," read the US-CERT warning.
One security researcher said he was surprised that Microsoft didn't catch its recommendation errors, particularly in light of the ongoing Downadup attacks. "Seems unbecoming of Microsoft not to have been the one posting this information on a blog of theirs," said Andrew Storms, director of security operations at nCircle Network Security Inc.
He also bemoaned the need to edit the registry to disable Autorun. "Not only [is] editing the registry outside the [reach] of most people, but now we have learned that the information from the source is not complete," Storms added in an exchange via instant messaging.
Microsoft did not immediately reply to a request for comment on US-CERT's alert.
Ninja is the freeware zero-configuration program designed for guarding computers against viruses transmitted by USB pendisks.
This ninja awaits quietly in the system tray for the times whenever a USB pendisk is inserted on the computer which will be examined to uncover the commonly malicious or virulent files known as "autorun.inf" and "ctfmon.exe" amongst many others.
To keep things simple, ninja is fully portable, self-contained and requires no installation.
Besides removing known virulent files, this tool will also immunize your pendisk and create a folder called autorun.inf with special protection permissions to protect your pendisk from being infected again when plugged on contaminated computers.
I've got the virus in my possession![]()
I'm going to give it a shot on one of my virtual machines![]()