Greetings,

I am working on my monthly online webcast for April about the Web 2.0 infrastructure in preparation for the upcoming v.3.0. The drastic growth of the Web 2.0 infrastructure caught many people off guard as they jumped into it not knowing what was involved and the issues associated with it. It also created many new threat vectors many of which are still not under control today as the increase of threats/attacks specifically targeting this infrastructure is growing as rapidly as the number of people using it.

The recent Conficker issues have delayed my presentation for this month as I had to be helping out in various organizations to deal with it and so I will be doing it on the 27^th.

This presentation will address the present state of the Web 2.0 infrastructure, features, privacy (yes or no), pros, cons and the security concerns associated with it. It will also provide guidance on how to stay private and secure while maximizing the full potentials of the features and capabilities of it. More importantly, I will address the upcoming Web 3.0 realm and why resistance is futile and how can and will you be secured within its realm. Lots of good stuff so please mark this on your calendars and the meeting info will be posted soon.

My May session will be on the Breach Notification Laws and I will have a legal expert joining as a co-host to address this in more legal terms. More details will be provided soon.

This is just one of the ways in which TITSSN and the IT Security Attaché are trying to enhance the education and awareness of these technology/security issues to the general public. All are invited to join.

Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.

~Brett A. Scudder~

The IT Security Attaché | http://theitsecurityattache.com  | Blogs http://theitsecurityattache.com/blogs

President/CEO/Chairman/Founder/Security Architect

~TITSSN ~The IT Security Suite Network~ | http://titssn.net | TITSSN’s Blogs http://titssn.net/blogs

Good day to you,

I would like to take this opportunity to share some very critical information with the self employed and home based business owners about the state of The IT Security Threats Landscape ~TITSTL~ and how it affects you. This is a discussion I have every day as more and more people in these categories are finding out the real effects and impacts of these threats are not excluding them and that they fall very much into the mix of it. As the economy tightens its grip on our lives, those who are being laid off are turning to home based and self employed business thus sparking an increased growth in this area of business. The SMB space has grown tremendously since his recession and to that end has become a serious security issue for us security professionals as we look across the IT Security Threats Landscape horizon.

Therefore, the reality of the issue must be faced thus bringing the question of, what am I to do about it.

I have published numerous articles on these threats, preventative measures and how to deal with the security issues of today and tomorrow on my blogs but I am going to do this as a summary of those here.

First let me say this, if it requires a security patch (let’s just keep it at security for now), it is vulnerable.

What does this mean?

Simple, any operating system, Microsoft, Mac, Linux, Solaris, you name it, that requires a security patch for any reason is vulnerable. The patch is to prevent exploit of the vulnerability right so it is a security risk.

I had to get that out of the way so that we wouldn’t get into the ridiculous argument of which is more secure than the other. The way I see it is simply that, if a door is left open for anyone to come through it, the length of time left open versus the threat that comes through it is just as critical. So, any open door is a threat no matter where. What comes through it may differentiate the severity. They all have their insecurities at some point but how the vendor/developer addresses it lessens the impact and wide scale visibility of the issue. While some may announce these vulnerabilities and findings, other may patch/update them behind the scenes thus limiting the visibility and knowledge of the user.

Second, anti-virus alone is NOT going to protect you from the threats of today. It takes a multi-layered approach and as such, the various layers of protection must be enforced. So telling yourself that you have anti-virus protection on your PC is being as naïve as saying the threats doesn’t affect me and i’m not worried about them. While it is true that most anti-virus vendors are bundling multiple threat protection/prevention layers into their solutions, the proper configuration becomes the caveat to that solution. While many deploy with an out of the box config, there will be tweaks needed to customize it to your environment and needs. So one must understand what is being deployed and if it will provide the layers of protection needed.

So why is IT Security so serious for me as a self employed or home based business?

Well, ask yourself these questions,

What is it that you do and how do you do it?

Do you use email?

Do you send emails to customers/clients/partners/associates/potential clients?

Do you leverage the powers of social networking/media (Twitter, LinkedIn, MySpace, Facebook, Ning and the list goes on) today?

Do you use IM for personal and/or business use?

Do you browse the internet for data/information on whatever you’re working on or researching?

Do you do online banking or shopping?

Do you download multimedia contents from the web (music, movies, flash videos, etc)?

Do you download online presentations (PDF, PowerPoint)?

Did you know that PDF files presented one of the biggest security risks over the past 2 years but is the most widely distributed online document format?

Do you have a printer or some media player connected to you system(s) at home or in the office?

Do you have any applications running on that system aside from the operating system?

Do you know of the Breach Notification Law in your state and what it means for you?

When was the last time you downloaded a keygens or crack file to open full access to that app or game you really wanted but didn’t want to buy/pay for?

Maybe you didn’t crack/keygen it but someone did and opened a backdoor which planed a rootkit or some nefarious threats on your system(s). What happens when you use that for business purposes, what are you spreading to those you collaborate with?

Well by now i’m sure you’ve caught my drift and I don’t have to get technical for you to see how you’re affected. All these questions pose security risks in various ways and are able to be stopped, prevented and protected if the proper education, awareness and measures are put in place. Don’t ask if you’re affected or if I should be taking these things seriously, you must. You are as much a risk to me as I am to you if the proper steps are not implemented to secure your system and the data/information you have sitting on it about me, you and those you collaborate with.

That system is being used for personal and business use and at some point the access to/from or by a threat is heightened because of the lack of separation of the two. A system that is used by everyone in the home should not be the same used for doing your business. When someone in the home decides to crack that app and opens that backdoor, you’ll never know what can come through it and what your risk factor will be or are. Separate the two, business is business and personal is personal. The cost of a system today is much more affordable than a few years ago so it shouldn’t be a problem to get an extra one.

You are not a small business because you have 5 people working for you. You are not a small business because you only have 5 computers in your office or where you decide to conduct your business. To me as a security professional you are not a small business (home based or in an office) when you have records/information and access to 5000 people. A doctor who has an office with 5 employees and 8 systems managing 4000 patients’ info is not a small business in my eyes. If you’re a consultant running your own business and you manage systems or information for your clients you’re now there biggest risk because it’s your responsibility to control that. Every PC must be secured whether it is connected online or not as you never know if/when it will cross the line. This is how I see security.

When you decide to start doing business today you must consider the role you play with those in which you will be doing business and the kinds of interaction you will have with them. When sending an email from an infected system (whether you did or the resident worm) it is still coming from you and the possible effect on the recipient(s) can be adverse which may lead to legal issues.

When using social network can enhance your presence and what you do significantly, it is also an area of heightened risk both personally and professionally. Know the need and use it accordingly. Social networks are the future of collaboration but one must decide why the need and create the separation. If it’s for personal use one should always remember the impact on themselves as they are now putting themselves out there to the world. If for business, one should decide on how they want to be seen and what they would like the world to know about them and what they do. Social networking is a great thing to have and use, it’s the management and control of that presence that matters. The threats people face on social networks are the same they would face outside of it but just through a different medium. Educate yourself on these things and you will be ok.

As for the Breach Notification Law, most people didn’t even know of such laws about digital contents and its security. I strongly suggest you take a look at the law of your state and understand the legal and financial issues it presents for you. Learn it, know it, and understand it. If in doubt, reach out.

The active Conficker worm should be enough of an eye opener for you and if you don’t know what it is then you may have bigger problems that I thought. Security is not just about you, it’s about your way of life today both on and offline. I am not here to scare you but it is better to know before than after as the damage control, legal and financial issues after the fact is much worse and a very daunting issue.

As for the online scams, phishing and SPAM, it is only going to get worse and until you educate and make yourself more aware of and about them, you may fall victim to them as they are craftier than ever.

Ok so I have chatted enough and now you’re saying this is too much so I will leave a few articles of reference.  Feel free to contact me if you’d like to discuss further and in more details.

The Conficker Worm – my review

A grim day for browser security at hacker contest

State Security Breach Notification Laws as of December 16, 2008 and the Conficker worm

IT Security Education and Awareness 04-09 #1 – IT Security is a people problem, not an industry one

Apple Mac users warned of web-based malware threats RSPlug-F Mac Trojan horse distributed via HDTV website

TITSSN leverages the Twitter network for critical alerting, notification and network happenings (meetings and events) as of April 1st 2009

Security/Privacy Awareness 03-09 #1 – Do you understand the breach notification law is in your country/state, do you know what it means, all are affected.

Thank you and have a great day,

~Brett A. Scudder~

The IT Security Attaché

April 9th, 2009

Conficker wakes up, updates, drops payload

Posted by Andrew Nusca @ 4:09 am | http://blogs.zdnet.com/BTL/?p=16082&tag=nl.e019

Categories: Security

The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

CNET’s Elinor Mills reports that researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

Just yesterday, Zero Day blogger Dancho Danchev noted that a Conficker copycat was already making its rounds.

According to a post on the TrendLabs Malware blog, the awakened worm tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity. It then deletes all traces of itself in the host machine, and is scheduled to shut down on May 3.

Mills reports:

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.

The development was found when Trend Micro researchers noticed a new file in the Windows Temp folder and a large encrypted TCP response from a known Conficker P2P IP node hosted in Korea:

Two things can be summed up from the events that transpired:

1.    As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!

2.    Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

As for the second point, researchers said the worm tries to access a known Waledac domain and download another encrypted file, but they’re still trying to examine the connection.

More Conficker news on ZDNet:

·         Dancho Danchev: Conficker worm’s copycat Neeris spreading over IM

·         Adrian Kingsley-Hughes: Friday Rant – Conficker worm hype

·         Ryan Naraine: Eyeballing Conficker with eye-charts and maps

·         Tom Espiner: Conficker an April Fool’s joke? Maybe not

Andrew J. Nusca is an assistant editor for ZDNet.com. See his full profile and disclosure of his industry affiliations.

Good day to you,

Every day I talk with people across all vertical markets, business sizes, organizations and cultures about the IT Security issues being faced in our world today and how it impacts our everyday lives, and it is becoming one of those awakening kind of issues for many. Whether they like it or not, they know they are affected in one way or another. While most people tend to try and figure out if and where they fit into this Matrix, the recent mass media explosion of the Conficker worm created somewhat of a sense of understanding as many now saw it from a non technical aspect and as what it really is, a people problem.

As a security attaché, I have relayed this message of IT Security being a people problem and not an industry one for years but it doesn’t resonate well for many because they didn’t understand the matrix and how it worked. Now that they saw and heard of it on the TV (which is an even bigger influencer on people today), the same things we IT people have been trying to tell them now makes some kind of sense. Let us take away the fact that whether the media coverage on the TV was doing much justice or help for the issue(s), it did add a well needed visibility to the scope of the problem and that was very well needed today. It would be nice if we say a segment on the news specific to The IT Security Threats Landscape ~TITSTL~ and issues in and around it. They could bring in some professionals in the field to talk about the issues and what is going on and how people can protect themselves in it. That would be a well needed thing to see at that level today as we are going into this vast technology future of ours which we’re taking head on without looking at the real implications and effects of it.

The logic behind the issue is simple, because your system(s) are up and running and have not been wiped out nor shut down by a threat doesn’t mean it is safe, secure or threat free. In many of my health assessments I have shown the owner my findings of worms, trojans and other blended threats that are sitting on their systems because of lack of proper security solutions to protect them or the improper configuration of the solution being used. The fact that they are there is one thing, what they are doing is something else and both are critical issues to ponder.

While many will refute this fact, I have seen, worked and handled enough of these cases to state as a fact that many fall into this area of The IT Security Threats Landscape. A resident rootkit, keylogger, worm or whatever the variant may be, is actively working its way through your system and causing some form of data loss/theft or compromising the state of applications, connectivity or system stability that we security professionals deem critical. Here is another way to look at this.

If you went to the doctor for a cough that has been bugging you for a while and he says to you, you have a chest or respiratory infection would you tell him no?

If he says to you that you need antibiotics and some cold medicine do you tell him no?

Why not?

Because, this is his field of expertise and study and as such he can make this assessment based on his knowledge of the issue and the facts he has from testing you.

Are you a medical person to dispute his statement and will you seek a second opinion from someone else?

The fact that you’re still alive and well (somewhat, depending on how you define well) does not negate the reality of the issue that you are infected with something that is causing some kind of issue/effect on the body resulting in that cough which in our field of IT we would call an early warning. So, this is the same way in which we look at the IT Security issues of today and how people tend not to look at it. They haven’t gotten that early warning of a cough because the system hasn’t picked up on it yet and when it does happen, because they have not fallen and can’t get up this is not a critical issue. The system becoming slow and unresponsive is that early warning and at that stage most people tend to seek professional help depending on the need/use of the system and how critical it may be for business or even personal use.

So here we stand dealing with people who are harvesters of thousands of people’s information and things about them (whether you know or like it) and they rest idle to this decadent behavior and mindset. Yet, unchecked, their systems sit comfortably hosting these blended threats which are sending/stealing critical private, personal, financial data/information to these hackers unbeknownst to them. The careless whisper of ignorance to these issues is the driving force behind the growing success of such threats today. A hacker have so much more to gain from you giving it to them than for them having to go through getting it from you and is why the botnet issue is such a growing one today. The use of keygens, crack files, peer to peer (P2P), unpatched applications and systems makes it so much easier to exploit what is available that one tends to wonder when and where does it end. It ends with user education and awareness on and about the threats landscape and what these issues are. It end when people start taking this seriously and realizes that you’re just as much a victim as anyone anywhere if you’re not protected properly.

It ends when you stop saying I have anti-virus protection and so i’m ok when you know you haven’ renewed that subscription over six months ago and so you’re missing all the latest and greatest signature based protection that it should provide. Anti-virus alone CANNOT protect you from the threats out there today, it has to be a layered approach where various solutions are in play to cover the needed layers.

It ends when you wake up from this illusion that my OS is more secure than the other and so I don’t have to worry about these security issues.

It ends when we stop underestimating the knowledge of your youths and start educating them much early on the proper use of the internet and the functions and features of it. IT Security must be a part of the school curriculum today as technology is our future for tomorrow and they are our next generation of professionals and leaders.

It ends when you start accepting the fact that you are as much a risk to me as I am to you if we’re not practicing basic IT Security best practices.

It ends when you stop taking the cheap way out of operating a business when hosting people’s private and confidential information which is priceless to them and they trust you to keep it secure. Have some respect for your customers and let them rest comfortable knowing that you have their best interests at heart in properly protecting your infrastructure.

It ends when you realize that these threats are released in the wild with no specific targets but the system(s) you’re using which unfortunately is in the homes, schools, workplaces and places of general interest.

The treats are not specific to government and their systems. It is not specific to the private or public sectors. It is not specific to the educational institutions and it certainly isn’t targeting the healthcare sector only. All are affected and are in the path of these threats because, they are all sharing the same interconnectivity transport medium, the internet and the internet respects no one and has no boundaries.

It is time that people take this as a basic part of their lives where one does not get consumed on questioning the validity or severity of the threat but questioning the readiness of themselves and their systems to face them. While our government may understand the real scope of these issues, their efforts to create effective management and policies to protect the country’s infrastructure are missing critical elements, the people and the roles they play in strengthening the protective layers or being a weak link and point of entry/compromise for what is being implemented. Unless we strengthen the people through education and awareness they will always be a weak link in the chain of protection.

When a company is hacked or they lose their data by whatever means there is, who suffers the most, the employees, the end users. The company suffers a data loss or has a breach but the actual data may be your private and confidential information. Even if the company loses its financial data, it has a much better recovery rate through insurance and such than an individual who now suffers from the loss of privacy and here in the US, credit ratings.

Think about the many places that have information about you that you consider to be private and confidential. Your employer has your social security info (and possibly family members who are covered by you), some financial info for direct depositing of your paychecks. Your 401K info. Health and life insurance info.

Your doctor has your private health records and, results. They have your family’s private info as well as some kind of visit may have been had over the years and that info is in the system.

Your bank has all your financial info and records. They may have your mortgage info as well (if you own a home). The car loan and all the info in it. Student loans and the works.

So think on these things and when you look at all of them, who is most affected in the event of a data loss or breach at any one of those kinds of organizations or businesses, you, the end user, consumer, employee.

IT Security is a people problem and must be dealt with accordingly. It is not about selling security, it’s about creating greater education and awareness about it so we can all contribute towards upholding the strengths of the protective security layers that are there for our protection.

Stop asking if this is real, ask yourself, how do I protect myself, my family, my business, my country from these elements and there effects. This is REAL.

When in doubt, reach out.

~Brett A. Scudder~

The IT Security Attaché

Hi all,

If your day went like mine then you must be beat, phew, what a week so far.

It’s 3am and i’m scanning the wires, net and blogs to see what’s up with Conficker so far. All is well and from the looks of things you still have time to get those patches loaded, get that anti-virus/anti-malware loaded, configured and run a full/deep scan.

I just completed a full scan of my network and double checked my logs and settings and everything looks ok. We’re still early into the day and so who knows.

For those who are saying it could be a joke/hoax and not preparing for it,

What if it isn’t?

Would you want to be prepared even if it isn’t?

I see that the anti-virus vendors have been busy. Some have released 4-6 new definition updates over the past 12 hrs and that’s a good sign. It means they are still working diligently on helping us stay secure. By the time it hits morning here in the US everyone should be running some April 1^st 2009 definitions as I expect there will be at least 1 or 2 within the first 8hrs. If you’re not running with an April 1^st def, then make sure you’re at least at March 31^st after running an auto update for definitions.

I haven’t slept since Saturday just from prepping for today and helping people get their systems patched, updated and secured but I am surely going to catch a few zzzzzzz in a few.

The day is young, be safe than sorry, patch and secure up and rest well.

Until later when I rise,

The IT Security Attaché

Well, it’s simple, you’re SCREWED, so just start the wiping and rebuilding process and don’t waste time trying to clean it up.  This is not one of those small time threats that you can clean up and rest well knowing that you’re ok. This is a new level of sophistication that took serious time, effort and though into creating and mapping out its deliverables.

So you scanned your system after hearing all this talk and alerts about this “serious threat” and now you’ve found something suspicious and you’re wondering what to do. Well, it’s not that you had blocked it nor was the system fully patched and the doors closed, it was already on the system and has already done its rounds of spreading and attaching itself to critical areas of the system. This kind of threat isn’t the kind that you can rest comfortably with (well I can’t/don’t) and I wouldn’t feel comfortable knowing that it is on a network of someone I converse with.

I mean, things do happen but there should be due diligence in your system security best practices and how they are handled prior to an issue like this.

Now comes April 1st and you’re wondering, oh my God, what am I going to do?

Well, you’re about to be activated and who know what your command, effects and impact will be.

I hope that this is more of a hoax than what I have concluded from my own personal analysis. Maybe it’s time you start being more proactive than reactive.

We’ll just have to wait and see.

IT Security IS a people problem, not an industry one.

The IT Security Attaché

Over the past week I have had so many requests to talk about this worm and why it is so bad and what it really means that I almost convinced myself that it was a brand new threat. Most people are so caught up on it as if it is a new threat but it really isn’t. It’s just a new level of sophistication that warrants the time and attention from the security professionals and vendors to stop whatever possibilities it may bring come April 1^st and beyond and for the general public to be aware that these are real life issues here. As I say every day, IT Security is a people problem, not an industry one because the impact and effects are felt in every area of our society and daily lives.

When CBS’s 60 minutes ran the story on Sunday March 29^th at 7pm, it’s as if the world woke up to the realization that this is serious. The very same words and things I have been telling people didn’t resonate until they heard and saw it on 60 minutes. Wow, and you wonder why the state of our security is so weak and poor, people don’t know who to listen to nor trust in these matters. So now I am talking to the same people who I talked o a year ago about the importance of properly protecting themselves from these risks and why it is needed today.

One person call me and was saying, “hey Brett, did you watch 60 minutes and see that new worm they are talking about. Man that’s serious isn’t it?”

So now i’m sitting on the other end of the line going, huh, are you serious, this is the same thing I have been talking about for years and trying to get you to understand, this is just a named threat but a threat none the less with a more sophisticated architecture and attack vector. It’s amazing.

I had more people asking which anti-virus software can stop this threat than what is this threat really about. This is one of the issues I have with a scenario like this because people need to take the time to learn and understand more about the threat and how it proliferates so they can better help to prevent the infection or spread even if they have security installed and running on their systems. We need more educated people to help maintain a strong wall of protection against the spread of these threats/risk via the internet today and tomorrow. Learn, get the facts, understand the need and activate the common sense.

Guess what, you’ve been activated. You’re now more alert, more intrigued, more prone to fighting these issues because it is in your backyard and you MUST DEAL WITH IT. How you decide to handle yourself is another issue.

I hosted an IT Security Webcast on March 22^nd and 5 people who declined to attend the session via the event invite on Facebook ended up with some form of infection two days later.

When asked how they got it, I was told,

I’m not sure or I don’t know.

The reason for declining my invite was that they have anti-virus on their system to protect them so they are ok and good to go.

What can I say?

Many will fall under these kinds of issues because they think they are good to go and not needing to learn or know more about how to protect themselves online. While they rest assured that they are protected by their AV client they still practice bad browsing, file sharing, file cracking, key generation and illegal software downloads everyday which gives systems access to these hackers via backdoors.

The next time you decide to download a keygen, password generator, cracked file, music from unknown people/sites or browse a website from an IM someone may have sent you, think twice about what you’re doing to your system, yourself and those you share and converse with. Support the developers and buy the apps. Get the real code.

The next time you decide to click ok on that pop up window without reading what it says while browsing, think again and take a minute to read it.

The next time you decide to open that chain mail and click on the link, hey, hey, hey, watch out now. You may know and trust the sender but do you know if he/she really sent it?

When in doubt, reach out.

And so we wait for April 1^st to see what Conf*ker will do to those systems already under its control.

What are you doing about it?

The IT Security Attaché

Conficker Worm: Help Protect Windows from Conficker

Published: February 6, 2009 | Updated: March 27, 2009 | http://technet.microsoft.com/en-us/security/dd452420.aspx

This page is designed to provide IT Pro customers the information they need to help protect their systems from the Conficker Worm, or to recover systems that have been infected.

If you are a consumer, please visit Protect Yourself from the Conficker Computer Worm [ http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx ] .

About Conficker

On October 23, 2008, Microsoft released a critical security update, MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] , to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network “worms.” Since the release of MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] , the Microsoft Malware Protection Center (MMPC) has identified the following variants of Win32/Conficker [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker ] :

·         Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] : identified by the MMPC on November 21, 2008

·         Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] : identified by the MMPC on December 29, 2008

·         Worm:Win32/Conficker.C [ http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.c ] : identified by the MMPC on February 20, 2009*

·         Worm:Win32/Conficker.D [ http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.d ] : identified by the MMPC on March 4, 2009**

What Happens on April 1, 2009?

Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.

Protecting PCs from Conficker

1. Apply the security update associated with MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] . View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.
2. Make sure you are running up-to-date antivirus software from a trusted vendor, such as Microsoft’s Forefront Client Security [ http://www.microsoft.com/Forefront/clientsecurity/en/us/default.aspx ] or Windows Live OneCare [ http://onecare.live.com/standard/en-us/3/default.htm ] . Antivirus software may also be obtained from trusted third parties such as the members of the Virus Information Alliance.
3. Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. The Microsoft Active Protection Program (MAPP) provides partners with early access to Microsoft vulnerability information. For a list of partners and links to their active protections, please visit the MAPP Partners [ http://www.microsoft.com/security/msrc/mapp/partners.mspx ] page.
4. Isolate legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
5. Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
6. Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 967715 [ http://support.microsoft.com/kb/967715.aspx ] . Microsoft released Security Advisory 967940 [ http://www.microsoft.com/technet/security/advisory/967940.mspx ] to notify users that the updates to allow users to disable AutoPlay/AutoRun capabilities have been deployed via automatic updating channels.
   NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 967715 [ http://support.microsoft.com/kb/967715.aspx ] to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 [ http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx ] to be able to successfully disable the AutoRun feature.

Cleaning Systems of Conficker

Manually download the Windows Malicious Software Removal Tool (MSRT) [ http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356 ] onto uninfected PCs and deploy to infected PCs to clean infected systems.

Conficker Timeline

·         On November 21, 2008, the MMPC identified Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] . This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.

·         On November 25, 2008, the MMPC communicated information about Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] through their weblog [ http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx ] .

·         On December 29, 2008, the MMPC identified the second variant, Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] , and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
NOTE: Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] can be successful against systems that have applied the security update associated with MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] .

·         On December 31, 2008, the MMPC communicated information about Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] through their weblog [ http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx ] .

·         On January 13, 2009, the MMPC included the ability to remove both Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] and Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] in the January 2009 release of the Windows Malicious Software Removal Tool [ http://www.microsoft.com/security/malwareremove/default.mspx ] and communicated information about this through their weblog [ http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx ] .

·         On January 22, 2009, the MMPC provided consolidated technical information about Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] on their weblog [ http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx ] .

·         On February 12, 2009, the Microsoft Security Response Center (MSRC) released information about domains that Conficker-infected systems try to connect to [ http://blogs.technet.com/msrc/archive/2009/02/12/conficker-domain-information.aspx ] . Microsoft also announced information on a partnership with technology industry and academic leaders [ http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx ] designed to disable domains targeted by Conficker.

·         On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide.

·         On February 20, 2009, the MMPC provided technical information about Worm:Win32/Conficker.C [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.c ] on their weblog [ http://blogs.technet.com/mmpc/archive/2009/02/20/updated-conficker-functionality.aspx ] .

·         On March 27, 2009, the MMPC provided more details about the new P2P functionality in Worm:Win32/Conficker.D [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.d ] on their weblog [ http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx ] .

Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com [ mailto://microsoft.com:25/default.aspx ] , where tips can be shared.

This is from an email I sent out to my network distribution list today at 12 noon.

Good day to you,

This is a critical issue that has been highly overlooked and is a bigger problem than most people care to think. For those of us consultants who are responsible for our client’s infrastructure, please help them to understand where these laws apply and how it affects them. I’m bringing in someone from the attorney general’s office to do a presentation on this for us in the coming month. I’m trying to work with their schedule so stay tuned for the date of the meeting.

There are some serious new threats on the loose and the more I look at them is the easier i’m seeing the rate of success in their deliverables. Our organization speaks to these issues and we must understand what they mean for those we’re helping to understand. This new variant of the Conficker worm has some nasty new tricks to it and while following its development and path, i’m more convinced that this is a new level of sophistication way above the rogue Anti-Virus/Anti-Spyware 2008/2009 threat we encountered last year that is still being a major pain point for IT today. Whether this is an April fools days joke or not, as you can see, the financial ramifications of negligence will be heavy.

Get those system (OS, applications, devices) patches updated and current. Most people tend to patch the OS and leave vulnerable applications running with system access to the OS that even fully patched is still vulnerable. Patching is an all round process that applies to the OS, applications running on it and the devices being connected to it. Even the device drivers are a point of entry to a system today so patch them if needed. Check on those security policies and rules and ensure they are up and running. We have a few days before April 1^st so talk with your people about this and let them understand the need for being prudent about it.

Make no mistake people, this is a new age where technology rules and the threats are more real than ever before. This is not someone physically walking in and taking your data, this is someone sitting anywhere in the world and having access to it (if allowed).

I posted this on LinkedIn here http://www.linkedin.com/answers/using-linkedIn/ULI/447971-3071950 for a broader visibility from the business professional’s community. More feedback and input will be found there as well. Spread the word.

Thank you and have a great day,

~Brett A. Scudder~

State Security Breach Notification Laws

As of December 16, 2008

http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm