Monday, March 23, 2009 2:03 PM cmosby

Third party information on conficker – SANS Internet Storm Center – UPDATE 3/22/09

Published: 2009-02-13,
Last Updated: 2009-03-22 16:12:17 UTC
by Andre L. (Version: 3)
3 comment(s)
Source: http://isc.sans.org/diary.html?storyid=5860

(This will be updated as more information becomes public)

UPDATES ARE HIGHLIGHTED IN GREEN

In an effort to provide YOU, the end user, the ability to educate yourself on this threat, I will be posting as much information as possible, from as many sources as possible.  This may lead to redundancies in the data that is available, but I am hoping that this will allow you to pick and choose the information, the removal tool, and, more importantly, your own path when mitigating Conficker.  Please do note that neither ISC nor SANS is verifying the validity of any of the information or tools presented here (you can check our own posts on this topic, or compare against multiple sources). ALWAYS TEST IN A DEV OR TEST ENVIRONMENT BEFORE ROLLING OUT TO PRODUCTION!

Removal Instructions

Microsoft

http://support.microsoft.com/kb/962007

Kaspersky

support.kaspersky.com/faq/ 

BitDefender

www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html

TrendMicro

www.trendmicro.com/vinfo/virusencyclo/default5.asp

Sophos

http://www.sophos.com/support/knowledgebase/article/51416.html


Removal Tools


Microsoft MSRT

http://www.microsoft.com/security/malwareremove/default.mspx

F-Secure

ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

AhnLab

http://global.ahnlab.com/global/file_removeal_down.jsp?filename=12371830475821&down_filename=v3conficker.zip

Symantec

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

McAfee

vil.nai.com/vil/stinger/

ESET

download.eset.com/special/EConfickerRemover.exe

BitDefender

http://www.bdtools.net/

Kaspersky

http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip

TrendMicro

www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip

Sophos

secure.sophos.com/support/updates/dp/full/scct_10_sfx.exe


Conficker Cabal Information

ShadowServer

www.shadowserver.org/wiki/pmwiki.php

(very good explanation of the importance of this group)

Arbor networks

asert.arbornetworks.com/2009/02/the-conficker-cabal-announced/

ICANN

www.icann.org/en/announcements/announcement-2-12feb09-en.htm

Symantec

forums.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129


General Information

Microsoft

End user/Consumer page
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

IT Security/Professional Page
http://technet.microsoft.com/en-us/security/dd452420.aspx

Centralized information about Conficker
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx

SecureWorks

www.secureworks.com/research/threats/downadup-removal/


Research (technical)

SRI

mtc.sri.com/Conficker

MNIN Security Blog

mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html

(This is an awesome tool that generates the domains and IPs to scan, using the reversed domain-generation algorithm from Conficker)

ThreatExpert Blog

blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html

CERT.at

www.cert.at/static/conficker/TR_Conficker_Detection.pdf

(great paper that covers setting up your local DNS server to mitigate/alert on infections)

Sample zonefiles can be downloaded here

www.cert.at/english/downloads/downloads.html

CA

Writeup dated 3/11/09

Screenshots of April 1st Trigger


And last but not least, the previous ISC articles on Conficker!


Internet Storm Center (SANS)
http://isc.sans.org/diary.html?storyid=5695
http://isc.sans.org/diary.html?storyid=5671
http://isc.sans.org/diary.html?storyid=5830
http://isc.sans.org/diary.html?storyid=5842
