Network Security Office

Toxic Assets: Conficker_C set to control millions of PCs on April 1

Written by Brian Allen
3/30/2009

The Conficker worm is again making big headlines. The latest version will have infected Windows machines phoning home starting April 1, 2009, and then waiting for instructions from the worm's author.

 

The Network Security Office is asking for your help to prepare our defense.  Please make sure all Windows machines inside your network satisfy the following minimum security baselines:

 

1) Have all security updates installed

2) Are running up-to-date antivirus software

3) Have the Windows firewall turned on

 

Other actions that should be taken include:

 

4) The Network Security Office has tools to quickly scan your network to locate machines missing critical Windows updates, so we are offering this as a service to any department on campus.  Please contact me to set up a time to scan inside your networks.

5) Departments should also make sure their network firewalls are blocking inbound Windows NetBIOS ports 445 and 139.

6) If you are running Snort or another Intrusion Detection System, please contact me to make sure you are using the latest Conficker signatures.

 

The NSO [1] will be monitoring the network and will notify appropriate personnel as necessary based on reported incidents. If you do suspect you have a machine infected with Conficker, Microsoft's Malicious Software Removal Tool is able to detect and remove it. The Internet Storm Center has the latest information on this virus [2], including the 10 most recent additional removal tools [3]. Please let me know if you detect any infection on the network.

 

If you do not need the AutoRun feature on your department's machines, you can turn that off or disable USB access entirely [4].

 

Please let me know if you have any questions, comments, or concerns.

 Network Security Office

nso@wustl.edu

[1] http://nso.wustl.edu

[2] http://isc.sans.org/diary.html?storyid=6043

[3] http://isc.sans.org/diary.html?storyid=5860

[4] http://www.us-cert.gov/cas/techalerts/TA09-020A.html
