Wednesday, April 1, 2009

Protecting against Conficker Worm with Windows Essential Business Server

Despite the $250k bounty offered for the authors of the Conficker worm (virus) and Microsoft's guidance to "patch and clean, patch and clean" to disinfect and protect computers infected by Conficker, aka Downadup, how confident are you that your company has applied all patches to its Windows-based computers?  Conficker is a computer worm that can infect a computer and spread itself to other computers across a network automatically, without human interaction.

Windows Essential Business Server (an enterprise-class infrastructure solution for 300 or fewer PCs) helps a company keep its servers and computers updated with System Center Essentials (SCE).  EBS includes wizards that make SCE simpler: you get the full version of SCE, plus help with the most common tasks in SCE.  SCE's top ten benefits may be found here, and include "Simplify your patch management". 


The U.S. Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) recommends that users of Windows operating systems apply Microsoft security patch MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx) as quickly as possible to help protect themselves from the worm.  SCE provides central distribution of updates and software.

Windows EBS also includes Threat Management Gateway (aka ISA).  Threat Management Gateway provides web anti-virus and anti-malware features, including:

  1. Clean files that are found to be infected
  2. Block files with low and medium severity threats
  3. Block suspicious files
  4. Block files that are found to be corrupted
  5. Block files that cannot be scanned
  6. Block all encrypted files
  7. Block files if the scanning time exceeds the user-defined maximum scanning time
  8. Block files whose size exceeds the user-defined maximum file size in megabytes
  9. Block archives whose unpacked content size exceeds the user-defined maximum unpacked content size in megabytes
  10. Block archives whose archive depth level exceeds the user-defined maximum level
  11. Flexibility to exclude sites from inspection based on IP addresses, domain name sets, URL sets
  12. Content trickling:  malware inspection may delay the delivery of content from the server to the client.  TMG MBE trickles portions of the content to the client as files are inspected, to improve the user experience during malware inspection.  TMG MBE can also send progress notifications for specified file types to reassure the user during this delay.
  13. User-friendly progress notifications informing the user that the requested content is being inspected.

Read the MVP blog about TMG: Forefront Threat Management Gateway Beta 2 - Dieters Forefront Blog.

Windows EBS also includes Forefront Security for Exchange Server (FSE).  Forefront Security for Exchange Server includes industry-leading anti-virus engines from global security firms such as Kaspersky Labs, CA and Sophos.  Businesses can run up to five scan engines at once, and in different combinations across the server system.  This provides rapid response to new threats regardless of where a threat originates.  Forefront Security for Exchange Server automatically downloads the latest signatures and selects the optimal combination of engines to use, ensuring a high level of protection and reducing the window of exposure to any given threat.  Diversity of anti-virus engines across messaging servers and client devices protects against a single point of failure in the IT environment.  FSE protection features include:

  1. Multiple anti-virus engines for advanced protection
  2. Premium spam protection
  3. Fail-safe protection
  4. Layered protection
  5. Protection against new and hidden threats
  6. Multi-vendor response to new threats

FSE team blog: http://blogs.technet.com/forefront/default.aspx.

From DHS's CERT advisory for Conficker:

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Home users may also call Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

McAfee:
http://www.mcafee.com/us/threat_center/default.asp

US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch, disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.

In addition, US-CERT recommends that computer users and administrators implement the following preparedness measures to protect themselves against this vulnerability, and also from future vulnerabilities:

  • Keep up-to-date on security patches and fixes for your operating system. The easiest way to do this is to set your system to receive automatic updates, which will ensure you automatically receive security updates issued by Microsoft. If your system does not allow automatic updates, we recommend that you manually install the Microsoft security patch today through Microsoft Update at http://update.microsoft.com/microsoftupdate
  • Install anti-virus and anti-spyware software and keep them up-to-date
  • Enable a firewall which will help block attacks before they can get into your computer

To access the alerts for this vulnerability and for additional information on cyber security tips and practices, please visit www.us-cert.gov.
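As an added defender-side example (not from the original post, US-CERT or Microsoft), the following PowerShell script audits one Windows host for the measures above: the MS08-067 patch, AutoRun disabled, and Automatic Updates turned on. It assumes the hotfix ID for MS08-067 is KB958644 (verify against the bulletin), that AutoRun counts as disabled when the NoDriveTypeAutoRun policy value is 0xFF (the setting TA09-020A describes), and that AUOptions = 4 means automatic download and install; the computer name and hotfix ID are parameters.

```powershell
# Added example (not part of the original post): audit one Windows host for the
# US-CERT Conficker preparedness items. Assumptions: MS08-067 = KB958644,
# AutoRun is disabled when NoDriveTypeAutoRun = 0xFF, Automatic Updates is on
# when AUOptions = 4 (Group Policy location checked before the local one).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$PatchId      = 'KB958644'   # assumption: hotfix ID of MS08-067
)

$results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# 1. Is the MS08-067 hotfix present? Get-HotFix queries Win32_QuickFixEngineering over WMI.
$hotfix = Get-HotFix -ComputerName $ComputerName -Id $PatchId -ErrorAction SilentlyContinue
if ($hotfix) { Add-Result "MS08-067 ($PatchId) installed" $true  "installed $($hotfix.InstalledOn)" }
else         { Add-Result "MS08-067 ($PatchId) installed" $false 'hotfix not found' }

# Remote registry reads for the remaining checks (needs the Remote Registry service on the target).
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
function Get-RegValue([string]$SubKey, [string]$Name) {
    $key = $hklm.OpenSubKey($SubKey)
    if ($key) { $key.GetValue($Name) } else { $null }
}

# 2. AutoRun disabled for every drive type? TA09-020A sets NoDriveTypeAutoRun to 0xFF.
$autorun = Get-RegValue 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$autorunText = if ($autorun -eq $null) { 'not set' } else { '0x{0:X2}' -f $autorun }
Add-Result 'AutoRun disabled (NoDriveTypeAutoRun = 0xFF)' ($autorun -eq 0xFF) "value: $autorunText"

# 3. Automatic Updates set to download and install? A Group Policy value overrides the local one.
$au = Get-RegValue 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'AUOptions'
if ($au -eq $null) { $au = Get-RegValue 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions' }
$auText = if ($au -eq $null) { 'not set' } else { "$au" }
Add-Result 'Automatic Updates on (AUOptions = 4)' ($au -eq 4) "AUOptions: $auText"

$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or SCE job flag hosts that fail any check.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it from an account with administrative rights on the target; the patch check alone needs only WMI access, the registry checks also need the Remote Registry service.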

Other blog posts about Conficker

DHS: DHS Releases Conficker/Downadup Computer Worm Detection Tool - Department of Homeland Security News

Conficker War Room! Your Front Row Seat For Cyber Armageddon ... - Wired: Threat Level

Taming Conficker, The Easy Way : DoxPara Research - DoxPara Research

2 comments:

Chris Grillone said...

Unwitting computer users installing Conficker virus while trying ... Ironically, in a conscious bid to rid their computers of the dastardly April Fool's Day Conficker virus, some people may have unwittingly installed it. ...

http://www.vancouversun.com/news/Unwitting+computer+users+installing+Conficker+virus+while+trying+remove/1452735/story.html

Chris Grillone said...

This looks a little suspicious.

http://conficker.com/