The Conficker, What is it?
Welcome back!

Conficker is a virus that has been spreading for about 2 months, infecting an estimated 15-20 million computers worldwide. Systems running Windows 2000, Server 2000, Windows XP (all variations), Vista (all variations), Server 2003, Server 2008 and even Windows 7 are susceptible. The details of what exactly the virus does are a bit sketchy because of the way the virus is built. At this time it appears that the virus lies dormant on the computer, waiting to download the remainder of its payload code on April 1st. Right now it is presumed that Conficker spreads itself through the RPC service and through HTTP, network shares, USB and removable media, and even FTP. Conficker can modify open-port exceptions in the Windows Firewall and can stop svchost.exe, services.exe, and explorer.exe. It has a built-in P2P component so that infected machines can exchange code with each other and with web servers and coordinate. This is where the fear of fast-changing polymorphic code comes from, as well as the ability of the virus to use host computers in a zombie-like fashion to attack other computers or servers.
Symptoms of Conficker, both expected and confirmed, include:
- Services disabling on their own, namely Windows Defender, BITS, Windows Firewall, and some third-party antivirus services such as LiveUpdate.
- A massive increase in network traffic. Up to a 10-15% increase in total network traffic is expected on infected networks, due to attacks on shares and accounts as well as the spreading of the virus and its payload.
- Account lockouts being reset. If the virus is on a DC it will dictionary-attack the admin account and admin shares; if the account locks out, it will automatically reset the lockout.
- Lastly, some or all AV websites, security websites, and Windows Update sites are inaccessible. They reply to ping and answer telnet on port 80, but they are not reachable from any browser. This appears to be done through a virtual proxy system.
What can you do to limit and prevent Conficker's spread as a network administrator?
- Follow password best practices. Require passwords that include special characters and are at least 6 characters long. This makes brute-forcing the password very difficult.
- Turn off all unnecessary network shares. Any computer on the network with an open share is a vulnerability. Check this out to discover shares.
- Turn off AutoRun. You don't need it in most cases; turn it off, because it allows for the potential execution of code.
- Update antivirus. Make sure you have the latest definitions and scan engine. Note that the scan engine is sometimes not updated automatically and may require a manual update. Also make sure that all of your computers show up in the antivirus console; if not, you might have a potential issue. Look into it ASAP before it becomes a problem.
- Windows Update. Update everything. Every computer should have every critical-rated patch, always. Check out my past post on Autopatcher, and check this out for an alternative way to investigate the security of your network.
- Be a bouncer. Do not allow people to bring in home computers, set up wireless, or connect external hard drives and other strange devices to the network. They are not on the domain, not subject to Group Policy, and they might not have AV or patches. This is a huge vulnerability that often goes unnoticed, but it is another way to accidentally introduce an infection into a network.
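A read-only audit of the checklist above (services, shares, AutoRun, lockout policy, failed logons), added here as an example and not code from the original post. It assumes the standard Windows service names shown and an arbitrary threshold of 50 failed logons per hour; run it from an elevated PowerShell 3+ prompt.

```powershell
# Added example, not code from the original post: a read-only audit of the
# mitigations listed above, run from an elevated PowerShell prompt (v3+).
# Assumptions: standard service names (WinDefend, BITS, MpsSvc, wuauserv);
# swap in your third-party AV service name where the post mentions LiveUpdate.
$findings = @()

# 1. Services the post says the worm disables: flag any stopped or disabled.
$watched = @{ WinDefend = 'Windows Defender'; BITS = 'BITS';
              MpsSvc = 'Windows Firewall'; wuauserv = 'Windows Update' }
foreach ($name in $watched.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $findings += "Service $name ($($watched[$name])) not present"; continue }
    if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        $findings += "Service $name ($($watched[$name])) is $($svc.State), StartMode=$($svc.StartMode)"
    }
}

# 2. Open shares: Type 0 = ordinary disk share (admin shares like C$ have the
#    high bit set). Each of these is a path the post says to close if unneeded.
Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
    $findings += "Open share $($_.Name) -> $($_.Path)"
}

# 3. AutoRun: NoDriveTypeAutoRun = 0xFF disables it for every drive type.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $val -or ($val -band 0xFF) -ne 0xFF) {
    $findings += "AutoRun not fully disabled (NoDriveTypeAutoRun=$val, want 0xFF)"
}

# 4. Lockout policy: the post says the worm dictionary-attacks admin accounts,
#    so a threshold of 'Never' means those guesses are not even slowed down.
if ((net accounts) -match 'Lockout threshold:\s+Never') {
    $findings += 'Account lockout threshold is Never'
}

# 5. Failed logons (event 4625) in the last hour: a burst matches the
#    "attacks on shares and accounts" traffic described above. 50 is an
#    assumed threshold; tune it to the host's normal baseline.
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
            StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue)
if ($failed.Count -gt 50) { $findings += "$($failed.Count) failed logons in the last hour" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No findings' }
```

Running it on every domain member from a management host (for example via Invoke-Command) turns the checklist into something you can actually compare across the network rather than eyeball per machine.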