Conficker « Shaun Stanislaus’s Tech blog

Many still vulnerable to Conficker

Sophos has sent an alert saying many users still have yet to patch their PCs against the exploit that makes them vulnerable to the Conficker worm.

Sophos’ senior technology consultant Graham Cluley, said in a blog post Thursday, the antivirus company found 11 percent of users who had taken an endpoint assessment test at its Web site did not have the Microsoft OS08-067 patch installed.

The patch, available since October last year, fixes a vulnerability which allows the Conficker worm to infect PCs.

The Conficker saga has been broiling for the last month or so, where it received a swarm of media attention leading up to Apr. 1–when it was expected to detonate. Its real effects were seen about a week later, when it started dropping a mystery payload on infected computers.

Microsoft has also put up a US$250,000 reward for information leading to the arrest and conviction of the criminals behind the worm.

Cluley said in his blog post the 11 percent of infected PCs is “pretty depressing news”, given the press coverage the worm has received.

“It appears that the percentage of computers not patched against the exploit is holding steady,” he added.

The goal of Conficker’s creators remains unclear. While researchers have said the worm’s payload dumping activity indicates a profit motive, such as stealing passwords or spam-generation, Conficker has yet to fully reveal its intended function.

There are a number of tests and checks online, including an eye chart from the endpoint assessment test for the Microsoft patch.

Sophos is offering a tool to remove the Conficker worm from infected PCs, as well.

April 17, 2009 Posted by Shaun Stanislaus | IT News, Security | antivirus, antivirus company, Blog, computer, Conficker, Consultant, Microsoft Corp., Password, PC, Security Management, Sophos Plc., Viruses and worms, Worm | Leave a Comment

Conficker’s autorun and social engineering guide

We wrote several diaries about Conficker (or Downadup, depending on the AV tool you are using). F-Secure posted some interesting information about the number of infections which is almost certainly in millions (and who knows how many machines will stay infected as the owners will not even notice anything).

One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:

It exploits the MS08-067 vulnerability,
It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

F-Secure also blogged about the autorun.inf file where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs so they didn’t scan the device properly (otherwise, they would have picked up the referenced DLL also stored on the device).

After removing garbage, one can see a nice autorun.inf file containing all important keywords. This grabbed my attention:

[Autorun]

Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

So, as you can see, the first part, “Install or run program” is there because Vista detected an autorun.inf file containing the shellexecute keyword. However, the text comes from the Action keyword and the icon is extracted from shell32.dll (the 4th icon in the file) – and it’s the standard folder icon! This can easily fool a user in clicking this one and thinking it will open the USB stick in Windows Explorer instead of the second (the real one). The first option will run Conficker, of course. Very smart. For administrators among you, I would suggest that you disable AutoPlay in your environments, unless it’s really necessary. Depending on the environment you might even completely disable USB, if you don’t need it. The following article explain nicely how the AutoPlay feature works and how to disable it (http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx). Or check this article on the Autorun registry key (http://support.microsoft.com/kb/953252). UPDATE – fixed a typo in the vulnerability, it is MS08-067 (not MS08-068) – Nick Brown sent a URL to his blog where he described another method for disabling Autorun by modifying the IniFileMapping registry key, see more at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

April 2, 2009 Posted by Shaun Stanislaus | social engineering | baseline, bruteforce, Conficker, Malware, Security, social engineering, Virus, Windows, Windows Internet Explorer, Windows Update, Windows Vista, Windows XP | 1 Comment

About

CERTIFICATIONS:

MCSE — Microsoft Certified Systems Engineer (Windows 2003)

CCNA — Cisco Certified Network Administrator (2.0)

CWNP — Certified Wireless Network Professional

CWSP — Certified Wireless Security Professional

J2ME — Sun Microsystems Module Certified in Essentials of Sun Java

CEH — Certified Ethical Hacking

Shaun is a cofounder of Curtier, and is recognized as a leader in Software Security and corporate turnarounds. He is responsible for leading teams involved in delivering high availability, wireless, intrusion detection, compliance management and policy compliance.

He had previously held various positions at Ernst & Young, Sybase, EDS and NCS. During his tenure at EDS, he was involved in the Standard Operation Environment (SOE) project with the Singapore government, where he was involved in the Network Security Architecture segments.

Shaun has attained various industry certification including, CISSP, CEH, CWSP, CWNA, CWAP, CCNA, Security +, Network + and A+.

Shaun Stanislaus Lau was an event organiser with

The YouthEmpire since 2006 which was Officially Launched on the

30th May 2006 at The Ministry Of Sound by Empress Calpurnia Soong IV, a rich and influential lady in Today’s Singapore who had a vision for the Youths and thus created The YouthEmpire as possibly the 1st Registered Youth Corporate Company in Singapore distinguishing itself above the other youth associations. Having an interest in the Youths of Today’s Society, Empress Calpurnia Soong IV ordered the creation of The YouthEmpire to aid the Youths forward in their endeavours to materialize and physicalize the IDEAS that these youths have.

Shaun has learn alot from the people at youth empire, especially Weking and Althea themselves and had contributed a number of ideas that is out of the box.

Shaun has been doing a couple of small and big scale event among clubs in Singapore and was interviewed by The Newpaper for a couple of event ever since he found that night life industry was part of his passion and sees a demand in youth clubbing as well as it is a good entertainment industry to meet new people and he love socializing and foster a good relationship with the youth and young adult and he love meeting new people.

Shaun was also appointed a founder of nEbO by Mr. Lim Eng Lee, CEO of NTUC Club. Mr Lim reports directly to minister Lim Swee Say who is the Minister in the Prime Minister’s Office of Singapore and the Secretary-General of the National Trades Union Congress. He is an elected Member of Parliament for Holland-Bukit Timah GRC. His past ministerial portfolio includes being Minister for the Environment and Water Resources, Minister of State for Communications and Information Technology and Minister of State for Trade and Industry.

Shaun is in charge of Entertainment, Game and Lifestyle Communities in nEbO.

Apart from Nightlife Industry, Shaun is also a IT Tech-Savvy blogger @ http://shaunstanislaus.typepad.com , but recently shifted to http://shaunstanislaus.wordpress.com, in wired and wireless Networking as well as Information Security and often blog about it, he studied wireless and mobile communication at Temasek Polytechnic and has attended an number of seminars and courses and obtain a number of certified certs namely; Cisco Certified Network Administrator, Certified Wireless Security Professional, Sun Microsystems Module Certificate in Essential of Sun Java and has knowledge in Virtualization, Microsoft Window Server 2000, Microsoft Windows Server 2003, Window XP Professional/Home, Linux Red Hat

He was working at A&L Computer Engineering Pte Ltd and later left when his contracted ended and he later joined NCS and was posted to Singapore Information Checkpoint Authority (ICA) to work.

He also held Singapore‘s first mega bazaar for online entrepreneurs! event name The E-biz Exhibition and gave talk on how to shop safely and create an online shop safely at The Singapore Management University on 25th and 26th July. The e-biz Exhibition was the FIRST major event that aims to provide a physical platform for online entrepreneurs to showcase and sell their products while allowing the youth and public community to find out more about how to shop online safely. Besides featuring 30-40 online retailers and their unique offerings, it will also be hosting interesting and relevant talks by prominent members of our local entrepreneurial and youth community. For more information you can visit http://ebiz.youth.sg

My Profile

Archives
del.icio.us
Recent Posts
Top Posts
- Top 13 Twitter Don'ts
- 5 reasons you should use Joomla instead of Wordpress
Tags

Adobe air force Anime Banlist book Broadband Business Communications Conference Conficker Consultant department of defense dictionary e27 Games hacker Inspirational IT Salary Job Performance Joomla Joomla CMS Leadership life Malware Microsoft Corp. Movie nasa navy new web PC phone Productivity Professional Brand Security Security Management TAC Team Member Behaviour TechPoint.tv Twitter us army Video VoIP VPN Web 2.0 Windows XP
Blog
Blogroll
- PC Magazine
- Shaun Stanislaus\’s Tech blog
Meta
Blog Stats
- 14,098 hits
Categories
- Anime
- book
- Conference
- Consulting
- Games
- Hack
- hacker
- Industry Best Practice
- IT News
- IT Salary
- Joomla
- Life skills
- Movie
- personal
- Security
- social engineering
- Technology
- Uncategorized
- Video
- VoIP
- VPN
My Twitter
- An error has occurred; the feed is probably down. Try again later.
Categories
- Anime
- book
- Conference
- Consulting
- Games
- Hack
- hacker
- Industry Best Practice
- IT News
- IT Salary
- Joomla
- Life skills
- Movie
- personal
- Security
- social engineering
- Technology
- Uncategorized
- Video
- VoIP
- VPN
Pages
- About
Twitter
- @Sillikat follow me back. can't dm you. 2 days ago
- @Ficklekisses why is twitter dangerous now? 2 weeks ago
- 10 useful libraries for JavaScript developers techrepublic.com/blog/smbit/10-… 1 month ago

Archives
- September 2009 (2)
- August 2009 (4)
- July 2009 (1)
- May 2009 (1)
- April 2009 (9)
- March 2009 (3)
- January 2009 (1)
- December 2008 (3)
- November 2008 (5)
- October 2008 (8)
- August 2008 (1)
- July 2008 (1)
Categories
- Anime
- book
- Conference
- Consulting
- Games
- Hack
- hacker
- Industry Best Practice
- IT News
- IT Salary
- Joomla
- Life skills
- Movie
- personal
- Security
- social engineering
- Technology
- Uncategorized
- Video
- VoIP
- VPN
RSS
Entries RSS
Comments RSS

Shaun Stanislaus’s Tech blog

Just another WordPress.com weblog

Many still vulnerable to Conficker

About

My Profile

Archives

del.icio.us

Recent Posts

Top Posts

Tags

Blog

Blogroll

Meta

Blog Stats

Categories

My Twitter

Categories

Pages

Twitter

Archives

Categories

RSS

Site info

Follow “Shaun Stanislaus's Tech blog”