Posted: 4/1/2009 3:06:19 AM EDT
|
Good information on what it is – and how it spreads:

Removal tool – (should you need it)

There are many websites out there claiming to have a tool for Conficker. Be careful! Please download only from trusted, known providers such as Symantec, Homeland Security or eEye. Here are some more tool links:

http://www.eeye.com/html/downloads/other/ConfickerScanner.html

I see a nice write-up on the free OpenDNS service about Conficker and blocking all variants and phone-home sites.

I looked on SonicWall's site – and found this: https://www.mysonicwall.com/SonicAlert/index.asp?ev=article&id=116

Look at Cisco's very informative security center report on Conficker: (They do have IPS signatures to prevent this – but only available on ASA5510 and higher models with IPS module.) They are "Professional Grade". See the difference? Look at the level of detail and info...

Bits of write-up from Cisco:

"The worm starts an HTTP server by opening a randomly chosen port between 1024 and 10000 and listens for incoming connections. The worm accomplishes this by using APIs to bypass the Windows Firewall. The worm also terminates the Internet connection sharing service."

This is why it is important to block all outgoing ports on the firewall – and only allow the necessary ones.

Good luck |
|
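The two defensive points in the post above (a listener on a random port in the 1024-10000 range, and a default-deny outbound policy) can be turned into a simple host-hunting check. The script below is an added example, not code from the forum post, Cisco or any vendor: it parses Windows `netstat -ano`-style output (the sample text is constructed), flags TCP listeners in that port range that are not on a per-host allowlist, and lists established connections to non-RFC 1918 addresses whose destination port an egress allowlist does not permit. The allowlists and sample PIDs are assumptions for illustration.

```python
"""Hunting heuristic for the behaviour quoted above: an unexpected HTTP listener
on a random port in 1024-10000, plus outbound connections that a default-deny
egress firewall would not allow.  Example code, not from the forum thread."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set

# Port range named in the quoted Cisco description (inclusive).
RANDOM_PORT_RANGE = range(1024, 10001)

# Internal networks whose traffic is not subject to the egress allowlist (RFC 1918).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample in `netstat -ano` layout; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:7391           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:49213     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49214     203.0.113.5:80         ESTABLISHED     2312
  TCP    192.168.1.10:49215     198.51.100.7:8080      ESTABLISHED     2312
  UDP    0.0.0.0:137            *:*                                    4
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str          # empty for UDP, which netstat reports without a state
    pid: int


def _split_endpoint(endpoint: str):
    """Split 'ip:port' on the last colon (so '[::]:135' also works); '*' port -> None."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Socket]:
    """Parse TCP/UDP rows of `netstat -ano` output; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])   # UDP rows have no State column
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state, pid))
    return sockets


def unexpected_listeners(sockets: Iterable[Socket], allowed_ports: Set[int]) -> List[Socket]:
    """TCP sockets LISTENING on a port in the 1024-10000 range that is not allowlisted."""
    return [s for s in sockets
            if s.proto == "TCP" and s.state == "LISTENING"
            and s.local_port in RANDOM_PORT_RANGE
            and s.local_port not in allowed_ports]


def egress_violations(sockets: Iterable[Socket], allowed_dst_ports: Set[int]) -> List[Socket]:
    """ESTABLISHED TCP connections to non-internal addresses on a destination port
    outside the egress allowlist, i.e. what a default-deny outbound rule would block."""
    found = []
    for s in sockets:
        if s.proto != "TCP" or s.state != "ESTABLISHED" or s.remote_port is None:
            continue
        addr = ip_address(s.remote_ip)
        if any(addr in net for net in INTERNAL_NETS):
            continue
        if s.remote_port not in allowed_dst_ports:
            found.append(s)
    return found


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in unexpected_listeners(socks, allowed_ports={3389}):   # assumed allowlist: RDP
        print(f"unexpected listener: port {s.local_port} pid {s.pid}")
    for s in egress_violations(socks, allowed_dst_ports={80, 443}):  # assumed egress policy
        print(f"egress violation: pid {s.pid} -> {s.remote_ip}:{s.remote_port}")
```

On the sample data the script reports the listener on port 7391 (PID 2312) and that same PID's outbound connection to 198.51.100.7:8080; the connection to 203.0.113.5:80 passes the allowlist, and the SMB session to 192.168.1.20 is ignored as internal. A hit is a lead to investigate the owning process, not a verdict, since legitimate software also uses ephemeral listeners.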
The patch was out in October. More bandwidth is used by people downloading detection tools (see Nmap - their 100mb connection was saturated yesterday!) than by Conficker. Yes, there are plenty of infected machines, but this is more hype than anything.

Nmap scanner: http://insecure.org/

Patch from Microsoft: http://technet.microsoft.com/en-us/security/dd452420.aspx |
