Combating Conficker C

There is a lot of media attention being paid to the Conficker C worm, which is due to update itself tomorrow. Researchers have not been able to identify exactly what that update will do. It may simply upgrade the worm to make it harder to detect, or it may instruct it to carry out certain actions. This lack of understanding is leading to a certain level of confusion, and indeed some security companies are hyping up the issue, no doubt to help their bottom line.

F-Secure have a very good Questions and Answers post on their blog that cuts through some of the hype. Remember that April 1st only affects machines already infected with the Conficker C variant. If your machine is not infected, nothing will happen to it.

To prevent infection by Conficker C you can follow the steps outlined in our earlier post. Should you feel that you do not have enough time to put those measures in place, researchers from the University of Bonn have issued a paper on how to contain Conficker C on your network.

To detect whether you have any infected machines on your network, Nessus has a plugin, 36036, available, and Nmap 4.85 Beta can also detect infected computers. The US Department of Homeland Security has also released a detection tool. Should you detect any machines infected with Conficker C, the Internet Storm Center has a list of removal tools.

Conficker C is due to activate its update at midnight GMT tonight, so by this time tomorrow we should know exactly what all the fuss is about.

Protecting Your Windows Systems from the Conficker Worm

Subsequent to the critical out-of-cycle patch, MS08-067, issued by Microsoft in October 2008, the Conficker Worm was discovered; it infected systems that had not applied the MS08-067 patch.

Since then the Conficker Worm has infected over an estimated 9 million PCs.

Recent reports also highlight that the Conficker Worm has been upgraded by criminals to Conficker B++ which is more resilient than the previous versions.

Microsoft has released an advisory note on how to protect your PCs from the Conficker Worm. In summary, Microsoft recommends you take the following steps:

  1. Apply the security update associated with MS08-067.
  2. Make sure you are running up-to-date antivirus software from a trusted vendor.
  3. Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems.
  4. Isolate “unpatched” or legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
  5. Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
  6. Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 953252. NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 953252 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.

We advise that you follow the above recommendations to ensure your systems are protected from this threat.
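As an added example (not from the original post and not Microsoft's own tooling), the following PowerShell script checks two of the steps above on a single Windows host: whether the MS08-067 security update is installed, and whether AutoRun is disabled for all drive types through the per-machine registry policy. It assumes that the MS08-067 update carries the hotfix id KB958644 (the id Microsoft's bulletin lists), that the policy value NoDriveTypeAutoRun set to 0xFF is what disables AutoRun on every drive type, and that the prerequisite update from step 6 (KB953252 on Windows XP and Server 2003) is already in place. Run it in an elevated session; without -Fix it only reports.

```powershell
# Added example: verify MS08-067 is installed and AutoRun is disabled for all
# drive types; apply the AutoRun registry policy when -Fix is given.
# Assumptions: KB958644 is the hotfix id of the MS08-067 update, and
# NoDriveTypeAutoRun = 0xFF under the Explorer policy key disables AutoRun on
# every drive type once the KB953252 update (Windows XP / Server 2003) is present.
param([switch]$Fix)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # bit mask covering every drive type

# 1. Is the MS08-067 update present? (Get-HotFix needs PowerShell 2.0 or later.)
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "MS08-067 (KB958644) is installed (installed on $($hotfix.InstalledOn))."
} else {
    Write-Warning 'MS08-067 (KB958644) is NOT installed; this host is still exposed to Conficker.'
}

# 2. Is AutoRun disabled for all drive types via the machine policy?
$current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq $AllDrives) {
    Write-Host 'AutoRun is already disabled for all drive types.'
} elseif ($Fix) {
    # Create the policy key if it does not exist yet, then write the DWORD value.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    Write-Host 'AutoRun disabled for all drive types (takes effect after the next logon).'
} else {
    $shown = if ($null -eq $current) { 'not set' } else { ('0x{0:X}' -f $current) }
    Write-Warning "AutoRun is not fully disabled (current value: $shown). Re-run with -Fix to set $ValueName = 0xFF."
}
```

The same NoDriveTypeAutoRun value is what the Group Policy setting "Turn off Autoplay" writes, so a host managed by Group Policy should already report the 0xFF value; the script is useful for stand-alone machines and for confirming that the policy actually applied.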

Remember to also update your incident response plan, just in case your efforts are too late. See our free whitepaper on “Incident Handling and Management”.

When News is Not Good News

The old saying “no news is good news” takes a bit of a twist as criminals use fake emails purporting to come from CNN to trick people into downloading malware onto their PCs. Once downloaded, this software makes the PC part of a botnet to be used as the criminals see fit. The emails look very convincing, see below, and will no doubt catch many users unawares.

To protect your networks you should:

  • Ensure you have anti-virus software installed and up to date on all workstations.
  • Ensure that you have the latest browser and Operating System patches installed and applied on all workstations. Don’t forget that some patches do not take effect until you reboot the system.
  • Block incoming emails to your network that carry the subject line shown below.
  • Educate and warn users about the threat and ask them not to click on any links in suspicious emails.

CyberWar Part of Georgian and Russian Conflict

Last year Estonia suffered a series of severe Distributed Denial of Service attacks which crippled its Internet infrastructure and made many government and press websites unavailable. Estonia initially claimed that Russia was behind these attacks, and they were subsequently dubbed “the first Cyberwar”. Later these accusations were retracted, as there was no real evidence to prove Russian government involvement in the attacks.

The recent conflict between Georgia and Russia has also seen a number of parallel online attacks. Apparently any sites within the .ru domain space are unavailable from within Georgia, as are a number of well known pro-Russian sites. Access to Russian TV channels is also blocked.

For its part, Georgia claims that Russia has attacked a number of its websites, including those of Georgian news sites, the Georgian Ministry of Defence and the Ministry of Foreign Affairs, as well as the National Bank of Georgia. The Georgian ambassador to the UK, Giorgi Badrize, has accused Russia of being behind these attacks. US Presidential candidate Senator Barack Obama has also called on Russia to end these cyberattacks.

However, as with the attacks against Estonia last year, it will be difficult to get hard evidence to support this claim, as the attacks on both sides may be coming from sympathisers of either side.

Wikipedia has a good overview of the conflict which includes coverage of the cyberattacks affecting both sides.

These attacks are interesting in that they not only demonstrate the power of botnets and the impact they can have, but if they are being used as part of an overall offensive then we are seeing a new frontier in international conflicts.

Given the nature of the Internet, it is also possible that, unknown to you, machines on your network may be part of the botnets attacking these sites. If the online conflict should spread to other sites, there may be collateral damage to sites that share the same hosting and networking environments as yours.

So I suggest you make sure all your machines are patched with up-to-date software and anti-virus signatures, that you are monitoring for any unusual traffic from your network to unusual destinations, and that you review your DR plan in the event that your site suffers online collateral damage.
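As an added example of the monitoring suggested above (not from the original post), this PowerShell snippet reviews outbound connection records and lists the internal hosts that are fanning out to an unusually large number of external destinations, one of the signs that a machine has been recruited into a botnet. The log lines are constructed for the example; the field layout (time, source IP, destination IP, destination port, bytes) and the threshold of 5 distinct destinations are assumptions, not a real firewall log format or a tuned value, and the script needs PowerShell 3.0 or later for [pscustomobject].

```powershell
# Added example: flag internal hosts talking to many distinct external
# destinations in an outbound connection log.
# Assumptions: each line is "<time> <src-ip> <dst-ip> <dst-port> <bytes>" (a
# constructed layout) and 5 distinct destinations is an illustrative threshold.

# Constructed sample records: 10.0.0.7 contacts six different hosts in seconds.
$logLines = @(
    '2008-08-11T09:00:01 10.0.0.5  192.0.2.10   80  1200',
    '2008-08-11T09:00:02 10.0.0.5  192.0.2.10   443 3400',
    '2008-08-11T09:00:03 10.0.0.7  198.51.100.1 80  900',
    '2008-08-11T09:00:04 10.0.0.7  198.51.100.2 80  900',
    '2008-08-11T09:00:04 10.0.0.7  198.51.100.3 80  900',
    '2008-08-11T09:00:05 10.0.0.7  198.51.100.4 80  900',
    '2008-08-11T09:00:05 10.0.0.7  198.51.100.5 80  900',
    '2008-08-11T09:00:06 10.0.0.7  198.51.100.6 80  900',
    '2008-08-11T09:00:07 10.0.0.9  192.0.2.20   25  500'
)

$threshold = 5   # distinct external destinations per host before we flag it

# Parse each line into an object; skip blank or malformed lines.
$records = foreach ($line in $logLines) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -lt 5) { continue }
    [pscustomobject]@{
        Time  = $f[0]
        Src   = $f[1]
        Dst   = $f[2]
        Port  = [int]$f[3]
        Bytes = [int]$f[4]
    }
}

# Summarise per source host and keep those exceeding the fan-out threshold.
$suspects = $records | Group-Object -Property Src | ForEach-Object {
    $dsts  = @($_.Group | Select-Object -ExpandProperty Dst -Unique)
    $ports = @($_.Group | Select-Object -ExpandProperty Port -Unique)
    [pscustomobject]@{
        Host         = $_.Name
        Flows        = $_.Count
        Destinations = $dsts.Count
        Ports        = ($ports -join ',')
        Bytes        = ($_.Group | Measure-Object -Property Bytes -Sum).Sum
    }
} | Where-Object { $_.Destinations -ge $threshold }

if ($suspects) {
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No host exceeded $threshold distinct destinations."
}
```

To run it against a real export, replace the $logLines array with Get-Content on the log file and adjust the field positions to match the device's format. The threshold is the important tuning knob: set it from a few days of normal traffic so that busy but legitimate hosts (proxies, mail relays) do not dominate the report.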

Let the Games Begin

Today saw the launch of the Olympic Games, and here’s hoping that the rest of the Games are as good as the opening ceremony. But what have the Olympic Games got to do with information security? Well, here are some of the issues that you should consider over the duration of the event:

  • Already a number of online scams have appeared related to the games, such as websites selling fake tickets to the event.  I doubt that those criminals’ scruples would also stop them abusing the credit card details that people submit to these sites.
  • Criminals will use the Olympic Games as a ruse to get people to download malware to recruit their systems to be part of a botnet.  No doubt the Storm botnet will be sending emails with titles relating to terrorist attacks against the games or a famous athlete caught in a compromising situation or other similar ruses to get your users to download the botnet software.
  • We will also probably see a number of phishing attacks using the games as a bait to lure unsuspecting people.  Phishing emails telling users they have won tickets to the game will come as no surprise.
  • These Olympics will have a huge online presence, with various sites offering live streaming media coverage of the events. If you do not manage this properly your network could be swamped with this traffic, leading to a nice self-inflicted denial of service attack.
  • Numerous fake websites will no doubt be set up offering coverage of the games online to also download malware onto the unsuspecting visitor’s computer.
  • Legitimate websites will also be targeted by criminals, who will infect these sites with their malware so that it is downloaded to vulnerable machines that visit them.

So if you want to be able to relax and enjoy the Games without becoming an unwilling competitor against the bad guys, you should look at the following:

  • Increase your security awareness training amongst your users.  Make them aware of the possible threats that they may face.
  • Make sure your anti-virus software is up to date and has been distributed to all computers.
  • Ensure that all necessary patches have been applied to PCs, especially in relation to their browsers and other components such as media and flash players.
  • Ensure your perimeter defences are up to date and that you are scanning all Internet traffic, be that email or web traffic, for malicious content.
  • Ensure you have QoS (Quality of Service) enabled on your network so that legitimate business traffic is not impeded by users streaming live coverage over the net.
  • People may use their laptops at home to access sites relating to the Games, so ensure that you have endpoint security enabled to prevent any infected devices connecting back into your network.
  • Ensure portable devices like laptops are encrypted. Users may watch certain events in pubs, hotels or friends’ houses and may have their laptop with them on the way to or from work.

By considering the above, you should be in a better position to enjoy the spectacle that the Olympic Games are.