Topic: College network brought down by Worm.
Condor Baggins
« on: January 20, 2009, 05:24:01 PM »

Anyone else been affected by this?

My college network was down today and by all reports so are:

The MOD
NL Council
HBOS
Many other big organisations.

It's worrying times, particularly when there is no fix for it as yet.
Wooster
« Reply #1 on: January 20, 2009, 05:46:17 PM »

They probably all bought Microsoft Forefront.

corroded
« Reply #2 on: January 20, 2009, 06:02:20 PM »

We've taken a few precautions today, as I heard about it this morning. Looking at the Symantec stuff, we found out it scans a few addresses to determine its IP, so we blocked those, as they aren't needed by anyone but us and we know them all anyway. Not that we don't trust our users (we don't, really), but we already have them served through a proxy that scans all internet traffic for viruses before it even hits the desktop, and even then we have NOD32 chundering away... so it's pretty decent.

Should be alright here tbh.
Grant
« Reply #3 on: January 20, 2009, 11:20:06 PM »

NL Council

Is that what it was? It was unusual, as our housing system and emails went down, but the internet was still working. It usually all goes at the one time.

Caused me a bit of trouble because I had loads to do, but no systems.
Condor Baggins
« Reply #4 on: January 21, 2009, 12:50:30 PM »

I can't even do any college work at home now; my USB drive will be infected with it because I plugged it into a machine at college yesterday.


Ach, bugger it, it gives me an excuse as to why my log-book isn't handed in on time.
corroded
« Reply #5 on: January 21, 2009, 01:09:13 PM »

Doing a lot of remote procedure calls via that USB stick ;)
Condor Baggins
« Reply #6 on: January 21, 2009, 02:00:22 PM »

The way the worm uses the infected USB stick is a pain in the arse: if you open the folder to view the files, it will write itself onto your C: drive without you ever knowing. Bastage!
corroded
« Reply #7 on: January 21, 2009, 02:34:42 PM »

That's not a worm :P, and it must be something different to the actual real worm going around, the one that abuses Remote Procedure Calls:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Download Knoppix or a similar Linux distro, as long as it has a Live CD, and copy off the files you want. Upload them to the interwibble, or even email them to yourself: Gmail will virus scan them, and virus scan as you download them as well. Something might be hidden, but unless you know exactly what it is and are expecting it, don't copy it. Simple. You could even use Google Docs or OpenOffice to open the documents and re-save them in alternate formats. Another thing that might work is using Sandboxie: 100% TURN OFF AUTORUN (that's just asking for pure fail), start an instance of Explorer in Sandboxie... the stick should be detected but not run, then access it in Sandboxie and don't allow it access... virus scan, copy off what you want.

Then format the memory stick...
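The autorun.inf trick complained about in replies #6 and #7 (the stick's own autorun.inf supplies an "Open folder to view files" entry, so the click that looks like browsing runs the stick's command), as an added example that is not from this thread or from any vendor write-up. It parses an autorun.inf pulled off the stick read-only, from a Live CD as reply #7 suggests, and flags the disguise before anything is copied. The two sample files, the hidden-folder path, the `payload.vmx` name, the launcher and folder lists and the junk-line heuristic are all constructed or assumed for the demo; they are not a real worm's indicators.

```python
"""Triage an autorun.inf copied (read-only) off a USB stick.

Added example, not from the original thread or from any vendor write-up. Every
path, file name, list and threshold below is constructed/assumed for the demo.
"""
import re
from typing import Dict, List, Tuple

# The label Explorer itself shows for the default AutoPlay choice. A stick whose
# autorun.inf *supplies* this text as its own Action is impersonating that entry,
# so the click the user thinks is "browse files" runs the stick's command instead.
EXPLORER_DEFAULT_ACTION = "open folder to view files"

# Assumed lists: system launchers abused to load a payload, and folders users never browse.
LAUNCHERS = ("rundll32", "regsvr32", "wscript", "cscript", "mshta", "cmd.exe")
HIDEOUT_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
# rundll32 loads a DLL whatever it is called; a "data" extension hides it from a casual look.
DISGUISED_DLL = re.compile(r"rundll32(\.exe)?\s+\S*?\.(vmx|dat|tmp|txt|jpg|mp3|bin)\s*,", re.I)

KEY_VALUE = re.compile(r"^([A-Za-z][\w\\]*)\s*=\s*(.*)$")


def parse_autorun(raw: bytes) -> Tuple[Dict[str, str], int]:
    """Return ({key: value} from the [autorun] section, number of junk lines).

    Windows' INI reader ignores lines it cannot parse, so padding the file with
    garbage does not stop it working; this parser skips junk the same way and
    reports how much there was instead of bailing out on the first bad byte.
    Keys are lower-cased because autorun.inf keys are case-insensitive.
    """
    entries: Dict[str, str] = {}
    junk, in_autorun = 0, False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = KEY_VALUE.match(line)
        if in_autorun and m:
            entries[m.group(1).lower()] = m.group(2).strip()
        else:
            junk += 1
    return entries, junk


def launch_commands(entries: Dict[str, str]) -> List[str]:
    """Every value Windows would execute: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def triage(raw: bytes) -> List[str]:
    """Human-readable findings; an empty list means none of the heuristics fired."""
    entries, junk = parse_autorun(raw)
    findings: List[str] = []
    action = entries.get("action", "").lower()
    icon = entries.get("icon", "").lower()
    if EXPLORER_DEFAULT_ACTION in action:
        findings.append("Action= impersonates Explorer's own 'Open folder to view files' entry")
        if "shell32.dll" in icon:
            findings.append("Icon= borrowed from shell32.dll to complete the folder disguise")
    for cmd in launch_commands(entries):
        low = cmd.lower()
        if any(l in low for l in LAUNCHERS):
            findings.append(f"launch command goes through a system launcher: {cmd}")
        if any(d in low for d in HIDEOUT_DIRS):
            findings.append(f"payload parked in a recycle-bin/system folder: {cmd}")
        if DISGUISED_DLL.search(cmd):
            findings.append(f"rundll32 loads a DLL wearing a data-file extension: {cmd}")
    if junk:
        findings.append(f"{junk} unparseable junk line(s): padding Windows ignores but scanners may trip on")
    return findings


# Constructed sample in the style the thread describes: folder-disguise action, a
# launcher loading a payload from the recycle-bin folder, junk around the section.
SUSPECT_AUTORUN = (
    b"\x90\x01\xfe\x07junk-before-the-section\r\n"
    b"[autorun]\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-EXAMPLE\\payload.vmx,DllEntry\r\n"
    b"UseAutoPlay=1\r\n"
    b"\x00\x00garbage-after-the-section\r\n"
)

# Constructed benign sample: a vendor install disc that simply launches its installer.
BENIGN_AUTORUN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\nlabel=Vendor Driver Disc\r\n"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage(blob) or ["nothing flagged"])
```

Run it against `/media/usb/autorun.inf` read from the Live CD, not from the Windows box: the point of the Live CD step is that nothing on the stick gets interpreted while you look at it, and a "clean" result here only means these particular heuristics did not fire.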
Condor Baggins
« Reply #8 on: January 21, 2009, 03:45:54 PM »

http://news.bbc.co.uk/1/hi/technology/7842013.stm

corroded
« Reply #9 on: January 21, 2009, 04:59:01 PM »

It's a terminology thing, you're missing the point. The secondary infections of a worm are not the worm itself.

Worms do not require user interaction in any respect. Stuff like Code Red exploited a vulnerability to attack SQL Server. What you are looking at is something designed to bring a copy of the worm back upon something like a reboot. Of course, without a patch the machine is susceptible again; with the worm back, it can be used to bring in other nasties, and that is why worms in general download other code. The worm tunnels in, basically, performs a malicious call which infects the computer with other nasties (identity theft, creating a botnet, etc.). Each client then infected tries to infect more through the same exploit.

Conficker sets up its own server on your machine, to broadcast out to attack other computers, infect and continue. That's just how it works :P

As I said, some secondary part is being used to reinitialise the worm or create a secondary infection; it is not the worm in itself. Turn off autorun, use a Linux distro and copy off what you need. If you feel so inclined, disconnect your HDD first. The worm will certainly reactivate, but most often autoruns or scheduled tasks are set up to restart it. Once you remove these options and reboot, the worm goes. Until the vuln is patched, you can continue to get it, however. Whilst it is possible to still get the worm this way, it's not the main method of spreading it, and technically in this state it is a virus, not a worm. Ironic!

BBC News don't know the difference because they are the kind of people who benefit from watching Click Online.

Defining characteristic of a worm is that it is spread via Networks.
« Last Edit: January 21, 2009, 05:05:51 PM by corroded »
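Reply #9 says the worm comes back through autoruns or scheduled tasks until those hooks are removed. The script below, an added example that is not from the thread, shows how to triage those re-launch hooks from the text output of two Windows commands, `schtasks /query /fo csv /v` and `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, captured on the suspect box or against an offline hive. The sample outputs are constructed and trimmed (real `schtasks /v` output carries more columns than shown; it is assumed here to repeat its header row per task, which the parser tolerates either way), the task and value names are made up, and the heuristics (legacy `At` jobs, rundll32-style launchers, payloads in temp or profile paths) are this editor's assumptions, not signatures.

```python
"""Find re-launch hooks a worm leaves behind: scheduled tasks and Run keys.

Added example, not from the thread. Input is the text of `schtasks /query /fo csv /v`
and `reg query HKLM\\...\\Run`. Samples are constructed and trimmed; the heuristics
are assumptions, not signatures.
"""
import csv
import io
import re
from typing import Dict, List

# Assumed indicators. Legitimate scheduled tasks and Run entries almost never need
# rundll32/regsvr32/script hosts, and almost never live in temp or recycle-bin paths.
LAUNCHERS = re.compile(r"\b(rundll32|regsvr32|wscript|cscript|mshta)(\.exe)?\b", re.I)
ODD_PATH = re.compile(r"(\\temp\\|\\recycler\\|\\\$recycle\.bin\\|\\appdata\\|%temp%)", re.I)
AT_JOB = re.compile(r"^\\?At\d+$", re.I)  # legacy at.exe jobs are named "At1", "At2", ...


def parse_schtasks_csv(text: str) -> Dict[str, str]:
    """Map TaskName -> 'Task To Run' from `schtasks /query /fo csv /v` output.

    Assumption: verbose output may repeat the header row before every task, so a
    row whose TaskName cell literally reads "TaskName" is a header and is skipped.
    """
    tasks: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("TaskName")
        if name and name != "TaskName":
            tasks[name] = row.get("Task To Run", "")
    return tasks


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value name -> data from `reg query <key>` output (indented: name  REG_TYPE  data)."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(3)
    return entries


def suspicious(name: str, command: str) -> List[str]:
    """Reasons a task/Run entry deserves a look; empty list means nothing fired."""
    reasons: List[str] = []
    if AT_JOB.match(name):
        reasons.append("legacy at.exe job; admins rarely create these, malware often does")
    if LAUNCHERS.search(command):
        reasons.append("payload started through a system launcher (rundll32 and friends)")
    if ODD_PATH.search(command):
        reasons.append("payload lives in a temp/recycle-bin/profile path")
    return reasons


def triage(schtasks_csv: str, reg_query_out: str) -> Dict[str, List[str]]:
    """Return {'task <name>' | 'run <name>': [reasons]} for every entry that fired."""
    hits: Dict[str, List[str]] = {}
    for name, cmd in parse_schtasks_csv(schtasks_csv).items():
        if reasons := suspicious(name, cmd):
            hits[f"task {name}"] = reasons
    for name, cmd in parse_reg_query(reg_query_out).items():
        if reasons := suspicious(name, cmd):
            hits[f"run {name}"] = reasons
    return hits


# Constructed sample: one benign Microsoft task, one At-job that reloads a DLL.
SCHTASKS_SAMPLE = r'''"HostName","TaskName","Next Run Time","Status","Last Run Time","Last Result","Author","Task To Run"
"LAB-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","01/01/2009 01:00:00","Ready","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c"
"HostName","TaskName","Next Run Time","Status","Last Run Time","Last Result","Author","Task To Run"
"LAB-PC","\At1","21/01/2009 15:00:00","Ready","21/01/2009 14:00:00","0","LAB-PC\Administrator","rundll32.exe C:\WINDOWS\system32\qwzxpl.dll,ServiceMain"
'''

# Constructed sample: one ordinary vendor updater, one random-named Run entry.
REG_SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
    lzkvfq    REG_SZ    rundll32.exe "C:\Documents and Settings\student\Local Settings\Temp\lzkvfq.dll",wrngyt
'''

if __name__ == "__main__":
    for entry, reasons in triage(SCHTASKS_SAMPLE, REG_SAMPLE).items():
        print(entry)
        for r in reasons:
            print("   -", r)
```

Feed it the real command output (`schtasks /query /fo csv /v > tasks.csv`, `reg query ... > run.txt`) and treat every hit as a lead to confirm by looking at the referenced file, not as a verdict; as the reply says, removing the hook and rebooting only helps if the MS08-067 patch goes on too.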