Stay Abreast
Just to keep everyone up to date, today's topics on full-disclosure include a Conficker scanner for the network.
Reference: http://security.bkis.vn/?p=560
It's developed by BKIS, the same group who had found the vulnerability in Chrome some time back, amongst others.
Re
Thanks Sandeep. After the spreading of Downadup to the whole world, this could be very helpful for all.
Regards,
M.R
We get scared of downloading any software from the internet, especially on the corporate network. Though Sandeep's name tag suggests he is a Trusted Advisor. However, my point is not referring to his suggestion. I need a best practice in general.
Can someone suggest, how?
Hi,
Good one Sandeep, but "eeye retina" also publishes such tools wherein you can detect which machines are infected and which machines have the MS08-067 vulnerability.
Rgrds,
SAM
Quite possible
Yeah, there are ways with Nmap as well to remotely detect the Conficker worm
http://insecure.org/#conficker
hi sandeep,
hi sandeep this is really a good one, very helpful...
Microsoft has its own way..
I guess this should be the best one.
This is a MS-KB on the removal process/best practice of w32.downadup.B
http://support.microsoft.com/kb/962007
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626
MS Account Lockout Tools
http://www.microsoft.com/downloads/details.aspx?Fa...
MS08-67 patch download [KB 958644]
http://www.microsoft.com/technet/security/Bulletin...
Disable Auto play with GPO
http://support.microsoft.com/kb/953252
Disable Scheduled Tasks with GPO
http://support.microsoft.com/kb/310208
Enable Security Auditing with GPO
http://support.microsoft.com/kb/300549
Once you have enabled debugging for the Netlogon service you will be able to see which clients are attacking.
Once the source is found it can be remediated and cleaned.
By disabling Scheduled Task Service
We can stop Downadup from spreading, as it created scheduled jobs and spread across the network.
Disable autoplay
That is the most important for every worm
Celebrating 2 years as a community member....
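One way to act on the Netlogon debug log described in the post above, as an added example that is not part of the original thread: it counts failed logons per source client and flags clients that fail against several accounts. The log line layout, the sample lines (constructed) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed netlogon.log layout (not from a real host).
SAMPLE_LOG = r"""
02/14 10:15:01 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-0142 Entered
02/14 10:15:01 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-0142 Returns 0xC000006A
02/14 10:15:02 [LOGON] SamLogon: Network logon of CORP\adavis from WKS-0142 Returns 0xC000006A
02/14 10:15:02 [LOGON] SamLogon: Network logon of CORP\adavis from WKS-0142 Returns 0xC000006A
02/14 10:15:03 [LOGON] SamLogon: Network logon of CORP\backup from WKS-0142 Returns 0xC0000064
02/14 10:15:03 [LOGON] SamLogon: Network logon of CORP\mlee from WKS-0142 Returns 0xC000006A
02/14 10:15:04 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-0142 Returns 0xC0000234
02/14 10:16:40 [LOGON] SamLogon: Network logon of CORP\rpatel from WKS-0007 Returns 0xC000006A
02/14 10:16:52 [LOGON] SamLogon: Network logon of CORP\rpatel from WKS-0007 Returns 0x0
"""

# Only completed logons ("Returns <NTSTATUS>") carry a result; "Entered" lines are skipped.
LINE_RE = re.compile(
    r"\[LOGON\].*?logon of (?P<account>\S+) from (?P<source>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

# NTSTATUS codes treated as failed authentication.
FAILURES = {
    0xC000006A: "wrong password",
    0xC0000064: "unknown account",
    0xC0000234: "account locked out",
}

def suspect_sources(log_text, min_failures=5, min_accounts=3):
    """Return (source, failures, distinct accounts, lockouts) for noisy clients."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "lockouts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        status = int(m["status"], 16)
        if status not in FAILURES:
            continue  # successful logon or an unrelated status
        s = stats[m["source"].upper()]
        s["failures"] += 1
        s["accounts"].add(m["account"].lower())
        s["lockouts"] += status == 0xC0000234
    hits = [(src, s["failures"], len(s["accounts"]), s["lockouts"])
            for src, s in stats.items()
            if s["failures"] >= min_failures and len(s["accounts"]) >= min_accounts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for row in suspect_sources(SAMPLE_LOG):
        print("source=%s failures=%d accounts=%d lockouts=%d" % row)
```

A single user mistyping a password stays below the thresholds; a client failing against many accounts in a short span is the one to isolate and clean first.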
Good
Good one Sandeep
How to disable Auto Play?
Re
Hi Tejas, pls check SAV to SEP's post.
Nice one Sandeep.
@SAV to SEP: Great references.
Disabling autoplay really did it.
thanks.
Nel Ramos
I used GPO to disable autoplay and used SEP to block access to any autoplay.inf file. Nothing at all can possibly start automatically around here. Of course, most important is the MS patches!
Doesn't help much to have a guard dog if you leave all the windows and doors on a 3 story house wide open at night.
Personal sites -> http://theamcpages.com and http://antique-engines.com
@ShadowsPapa: Definitely agree with you on that.
By the way, is there a method to disable USB devices and not disable the USB KB and mouse?
Made a test environment and USB was successfully blocked on the specific client.
The problem is the mouse was also disabled.
thanks.
Nel Ramos
Here
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/ce3a83c1ce5ca4cf492573fd005d28dc?OpenDocument
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b54beb2f46268ccc882574e80052960f?OpenDocument
@Sandeep Cheema: Nice... Now I have something to play in the test area... you are a life saver friend... thanks!
Nel Ramos