Monday, May 21, 2012

Learning From a Conficker Worm and How to Prevent It From Happening Again

Back in 2008, when the Conficker worm first hit, I, like many other IT professionals, was caught unprepared. We all know how to take care of malware and malicious code, since we do that on a daily basis, both at home and at work. Having good anti-virus and anti-malware/spyware programs is essential, so if you don't have an antivirus, read up on antivirus reviews and select a program that is right for you. However, these security programs should also be complemented by a strong backup plan. The Conficker worm was different in that it seemed to just keep coming. You couldn't simply remove it and be done with it. I often had to use removal tools to get rid of viruses and other worms, but this one was unique. Conficker seemed to change, and it ended up looking like a rootkit infection even though it actually wasn't. So I will share some of my observations on the Conficker situation; if you take the steps outlined here, you really shouldn't have much trouble in the future should you encounter a similar worm.

Windows Server 2003 and Windows XP Professional were the two systems most targeted by the Conficker worm, mainly because they were the most widely used systems at the time. What you have to understand is that Microsoft systems need to be updated regularly, because there are holes in the operating system that people find and exploit. Microsoft tries to find these flaws and patch them before a hacker exploits them. It's the same situation with your anti-virus and spyware/malware software: a program that protects you doesn't do you much good if it is not updated regularly. And don't ever think you don't need an antivirus; that way of thinking can be very dangerous. So check out antivirus reviews and get the best one you can find.

Keeping everything updated is one of the best approaches to avoiding a disaster. I know one big complaint from people is that running the updates is slow and very intrusive, and these complaints are valid: updates do take time and do slow down computers. This is why a client-server network uses WSUS (Windows Server Update Services) to distribute updates locally instead of having each computer contact the Internet.

Another problem is that people sometimes get so used to their computer running slowly that they have no idea they have been infected by the Conficker worm, because the major symptom of Conficker is a slow computer. So if you're used to your computer running slowly, you likely won't notice if you get infected. It is hit and miss whether protection programs can spot Conficker and remove it because, as I said before, it just keeps coming back. But having a strong and updated antivirus will always help! If you need help selecting which antivirus is right for you, read antivirus reviews. Besides a slow system, Conficker symptoms include pen drives failing to open, antivirus programs failing to update, and, if you look more closely, some new files appearing. IT professionals will then start to get complaints that users can no longer log in.
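The symptoms listed above can be turned into a quick, read-only triage check rather than waiting for the help-desk calls. The script below is an added example (my code, not the post's): it checks one Windows host for stopped or disabled update and security services (the "antivirus failing to update" symptom), for autorun.inf files on removable drives (the "pen drives failing to open" symptom), for recent account-lockout events (the "can no longer log in" symptom), and for recently created DLLs in System32 (the "new files appearing" symptom). The service list, the 4740/644 event IDs, the autorun.inf check and the time windows are my assumptions; run it as an administrator in Windows PowerShell, since Get-WmiObject and Get-EventLog are not available in PowerShell 7.

```powershell
# Added example, not from the original post: a read-only symptom triage for one host.
# Run elevated in Windows PowerShell (not PowerShell 7). All indicators below are
# assumptions chosen to match the symptoms the post describes; they are not a signature.
param(
    [int]$LookbackDays = 1,   # window for account-lockout events
    [int]$NewFileDays  = 7    # window for "new files" in System32
)

$findings = @()

# 1. "Antivirus programs failing to update": update/security services that should be
#    running and not disabled. (Assumed list: Automatic Updates, BITS, Security Center, Defender.)
$expectedServices = @('wuauserv', 'BITS', 'wscsvc', 'WinDefend')
foreach ($name in $expectedServices) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }   # not every Windows edition ships every service
    if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        $findings += "Service $name is $($svc.State) (StartMode=$($svc.StartMode))"
    }
}

# 2. "Pen drives failing to open": removable drives (DriveType 2) carrying an autorun.inf
#    at the root. Report it for review; the script never opens or executes anything.
Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object {
    $autorun = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $autorun) {
        $findings += "Removable drive $($_.DeviceID) carries $autorun; review before opening"
    }
}

# 3. "Users can no longer log in": account lockouts in the Security log.
#    Event ID 4740 on Vista/2008 and later, 644 on 2003/XP. For domain accounts these
#    are written on the domain controller, so run this check there as well.
$since    = (Get-Date).AddDays(-$LookbackDays)
$lockouts = Get-EventLog -LogName Security -InstanceId 4740, 644 -After $since -ErrorAction SilentlyContinue
if ($lockouts) {
    $findings += "$(@($lockouts).Count) account lockout event(s) since $since"
}

# 4. "Some new files appearing": DLLs created in System32 recently. Expected right after
#    patching, so this is a prompt to review, not a verdict.
$cutoff  = (Get-Date).AddDays(-$NewFileDays)
$newDlls = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll -ErrorAction SilentlyContinue |
           Where-Object { $_.CreationTime -gt $cutoff }
if ($newDlls) {
    $findings += "$(@($newDlls).Count) DLL(s) created in System32 since $cutoff (normal after patching; otherwise review)"
}

# Summary for the technician.
if ($findings.Count -eq 0) {
    Write-Output "No Conficker-style symptoms found on $env:COMPUTERNAME"
} else {
    Write-Output "Possible symptoms on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Each finding is only a prompt to look closer: a stopped update service or a new DLL has plenty of innocent explanations, which is exactly why the post stresses running a proper removal tool and an updated antivirus rather than guessing from symptoms alone.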

So how do we cure this kind of infection? It depends on whether you're an ordinary Joe using your computer at home or you are the administrator. Different situations require different solutions, and many of these solutions can be found online. The first thing to do is download and run a tool to remove Conficker. Remember that when you run the Conficker removal tool you must be disconnected from the Internet and from any other networks you might be connected to. The next thing you should do is install all the latest patches from Microsoft. This can be a very difficult task for a business's technician, because he or she has to keep the entire system up and running smoothly at the same time.

In situations like this it's important to look back at how we reacted and responded to the threat, to determine what was done right and what was done wrong. What it comes down to is that most of us don't have a good enough plan in place to, first, keep everything up to date and, second, keep everything properly backed up so that a disaster can be prevented. We should always be ready to answer any threat, because our jobs may depend on it. I can't emphasize enough the importance of keeping Microsoft, anti-virus and anti-spyware/anti-malware software updated.

In addition, we should back up our data and make system restore points regularly. It's also important to note that you should never overwrite your data with infected data contained in a recent backup; keep some older backups to prevent this from happening. My fix for this involves temporarily disconnecting the server from the network, going after the Conficker worm on that one server, and then using the images to restore the system. This might take around 2 hours, including the testing that needs to be done. The software comes either from the image or is installed through MSI packages and silent install scripts, run by the server itself after it has been cleaned of the worm. Afterwards, check and make sure that all the computers on the network have been properly patched, and run the Conficker removal tool on each computer just to be safe. Since everything was accomplished by the script, it was a pretty easy process.
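The clean-up procedure in the two paragraphs above (disconnect, run the removal tool, reinstall software silently from MSI packages, then verify patches) can be scripted so that every rebuilt machine is handled the same way and leaves a record. The script below is an added example (my code, not the post's or any vendor's); it refuses to run the removal step while a network adapter is still connected, runs a removal tool, installs every MSI in a package folder with msiexec in silent mode, checks a patch baseline, and writes a per-machine report. The tool path, package and log folders, and the KB list are placeholders for values the post does not give; run it as an administrator in Windows PowerShell.

```powershell
# Added example, not from the original post: rebuild and verification for one cleaned
# machine, run elevated in Windows PowerShell. Paths and the KB list are placeholders
# (assumptions); the post names no specific tool, package or patch.
param(
    [string]$RemovalTool   = 'C:\Deploy\Tools\RemovalTool.exe',  # assumed vendor removal tool
    [string]$PackageDir    = 'C:\Deploy\Packages',               # assumed folder of MSIs to reinstall
    [string]$LogDir        = 'C:\Deploy\Logs',
    [string[]]$RequiredKBs = @('KB0000000')                      # placeholder patch baseline
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$report = @()

# Step 1: the removal tool must run with the machine off the network. Check it instead
# of trusting the operator: NetConnectionStatus 2 means "connected".
$connected = Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionStatus=2"
if ($connected) {
    $names = ($connected | ForEach-Object { $_.NetConnectionID }) -join ', '
    throw "Still connected on: $names. Unplug or disable the adapter(s) before cleaning."
}

# Step 2: run the removal tool and record its exit code.
if (Test-Path $RemovalTool) {
    $p = Start-Process -FilePath $RemovalTool -Wait -PassThru
    $report += "Removal tool exit code: $($p.ExitCode)"
} else {
    $report += "Removal tool not found at $RemovalTool (skipped)"
}

# Step 3: reinstall the standard software set with silent MSI installs.
# /qn = no UI, /norestart = one reboot at the end instead of one per package,
# /l*v = verbose log per package so failures can be diagnosed later.
foreach ($msi in Get-ChildItem -Path $PackageDir -Filter *.msi -ErrorAction SilentlyContinue) {
    $log     = Join-Path $LogDir ($msi.BaseName + '.log')
    $msiArgs = @('/i', "`"$($msi.FullName)`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # msiexec returns 0 on success and 3010 when it succeeded but needs a reboot.
    if ($p.ExitCode -eq 0 -or $p.ExitCode -eq 3010) {
        $report += "Installed $($msi.Name) (exit $($p.ExitCode))"
    } else {
        $report += "FAILED $($msi.Name) (exit $($p.ExitCode)); see $log"
    }
}

# Step 4: confirm the patch baseline is present. The patches themselves come from WSUS
# or offline media; this step only verifies what is installed before the machine goes back.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) {
        $report += "Patch $kb present"
    } else {
        $report += "Patch $kb MISSING: apply it before putting this machine back in service"
    }
}

# Step 5: keep a report per machine next to the logs so the technician can review the fleet.
$reportFile = Join-Path $LogDir ("rebuild-{0}.txt" -f $env:COMPUTERNAME)
$report | Set-Content -Path $reportFile
$report | ForEach-Object { Write-Output $_ }
```

The network check at the top is the part worth keeping even if everything else is replaced: the post's instruction to disconnect before cleaning is easy to forget under pressure, and a script that enforces it turns a reminder into a control. Reboot once after the last package if any install returned 3010.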

Home users might have more trouble recovering their data if they haven't made enough backups. However, there are many good recovery programs available for free online that can help with this task. The main lesson from a Conficker worm attack is that one must always be ready and prepared for the absolute worst-case scenario. Being ready means having the best software installed to combat these kinds of worms, including strong antivirus software. If you have questions or you don't know which antivirus software to use, simply read antivirus reviews to find your answers.

