Conficker Update Part Deuce

UPDATE 11 Jun 2009: Locally hosted bdtools removal tools (available at downadup.org) for single computers and networks. Cheers =D

Our favorite worm got an update 8 April according to Network World. Read more here…
And of course, at downadup.org.

Conficker

If you haven’t heard about the growing population of Windows machines hosting this prolific worm, educate yourself, particularly if you run Windows networks. This worm has been spreading like the plague since at least November 2008, and is presently estimated to have infected about 10 million machines. That’s a big botnet. It’s an active one too, regularly “dialing home” to now over 50,000 domains to receive updates. Its variants spread through various media, and favor network shares and USB drives.

If you can stand the gripes from your users, disabling Autorun through a forced registry setting (scripts, custom-built ADM) is not a bad idea in general. So what if they have to open the folder and double-click the executable that’s likely in the top-level directory anyway? Read the CERT/CC blog for more about this workaround. Of key importance is that, for whatever reason, the setting in HKCU overrides the HKLM setting. It may go without saying, but your best bet is to cover both fronts.
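An added example, not from the original post: a PowerShell audit of the NoDriveTypeAutoRun policy value in both hives, working out the effective setting the way the post describes (HKCU wins over HKLM). The registry path and the 0xFF “disable Autorun for all drive types” value are the standard Windows ones; the function and variable names are my own.

```powershell
# Added example (not part of the original post): audit NoDriveTypeAutoRun in
# both hives. HKCU overrides HKLM, so both must be set to be safe.
# 0xFF disables Autorun for every drive type.
$ValueName = 'NoDriveTypeAutoRun'
$Paths = @{
    'HKLM' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'HKCU' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function Get-AutorunSetting {
    param([string]$Path)
    try {
        $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction Stop
        return [int]$item.$ValueName
    } catch {
        return $null   # key or value absent: the Windows default applies
    }
}

$results = @{}
foreach ($hive in @('HKLM', 'HKCU')) {
    $results[$hive] = Get-AutorunSetting -Path $Paths[$hive]
    $shown = if ($null -eq $results[$hive]) { 'not set' } else { '0x{0:X2}' -f $results[$hive] }
    Write-Host ("{0}: {1}" -f $hive, $shown)
}

# Effective value: the HKCU setting takes precedence when it exists.
$effective = if ($null -ne $results['HKCU']) { $results['HKCU'] } else { $results['HKLM'] }
if ($effective -eq 0xFF) {
    Write-Host 'Autorun is disabled for all drive types (effective value 0xFF).'
} else {
    Write-Warning "Autorun is not fully disabled; set $ValueName to 0xFF in both HKLM and HKCU."
}

# Optional remediation (HKLM requires an elevated shell); uncomment to enforce:
# foreach ($p in $Paths.Values) {
#     New-Item -Path $p -Force | Out-Null
#     Set-ItemProperty -Path $p -Name $ValueName -Value 0xFF -Type DWord
# }
```

Run it as the user whose HKCU you care about, since the HKCU branch reflects only the current profile; a logon script or the ADM-based policy the post mentions is what pushes the value to every user.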

If your network is infected presently, the following site hosted by BitDefender has a good list of symptoms to look for. In addition, the company has recently published both a single-workstation tool and a network tool to remove the worm from your computers. You can find these resources at http://downadup.org/.

Multi-Factor Authentication for Cheap.

Yes, cheap as in free. Steve Gibson, the superbly geeky old man of SpinRite fame, developed a printed passcode system for multi-factor authentication. It uses a Rijndael block cipher to generate a sequence of “pseudo-random” characters that allow a Systems Administrator to effectively lock down administrative access with very little overhead. Basically, you carry around a credit-card sized printout, and every time you try to log in, you punch in your username, password, and the next passcode (it prompts you for the correct one). The nice thing is that it’s free and easy to implement, and it’s cake on Debian. It’s not ported everywhere, so it’s not ubiquitous yet. However, with enough folks pitching in and developing front-ends for this product, this system can exponentially (literally) improve the security of your internet-facing systems.
Go to the GRC website to find out more.

PS. Almost forgot. Once you install the PAM module and lock down SSH for your admin accounts, don’t forget to disable su for your normal users. They shouldn’t need it anyway, but if it is enabled, then all someone has to do is crack a normal user account and su into your admin account, without having to get hold of your passcode card.
