Stopping Conficker with OpenDNS

Conficker is quickly becoming a mainstream news story as April 1 approaches, the date that the worm is programmed to “phone home” for further instructions. It has been discussed in various news outlets, even garnering a primetime spot on 60 Minutes this past weekend. The worm has been a great source of concern for IT execs the past couple of months, though the actual severity is yet to be determined. There are several mitigating factors that are supposed to minimize the chance for compromise, and a number of ways to detect and remove the virus. Another potential weapon against Conficker that should be considered is the use of OpenDNS to block the worm from communicating with command and control servers for further instructions.

In analyzing the virus, engineers have found that Conficker uses an algorithm to determine a number of different domains to contact for further instructions beginning on April 1. The algorithm was used to determine the exact list of domains that would be used. OpenDNS recently added a feature which would block access to these domains: We’ve teamed with Kaspersky Lab to identify those domains, and stop resolving them. This means if you’re using OpenDNS, Conficker will do your network no damage. From a management perspective, this is a much less intensive solution than attempting to block the domains on your local DNS servers and dealing with the overhead involved.

While using OpenDNS might not be feasible for larger enterprises, this is a great solution for SMB’s and home users. I’ve used it personally for some time now; the amount of centralized control available and ease of use makes it extremely attractive. A wealth of reporting features are also available, including one to specifically identify requests to known malware sites (like Conficker). Steps still need to be taken to ensure that Conficker is identified and removed from your network, but this is a good way to ensure that if any instances go undiscovered, they won’t be able to cause further harm.

Related Links:

OpenDNS
In depth analysis of Conficker
Subscribe to TechScrawl.com

Personal Password Management

Question: If someone were to obtain your credentials for a “non-critical” web site, could they be used to gain access to accounts on critical sites such as email, online banking, etc? Many people would likely have to answer yes to that question, even security minded IT professionals.

Identity management can easily be a complicated subject. The average Internet user maintains dozens of accounts across an array of sites with varying levels of importance and security. Credentials for those accounts can be obtained a number of ways. Many sites still don’t use SSL login encryption, leaving passwords vulnerable to sniffing. Others store passwords in the clear, leaving them vulnerable to breach (like the recent Monster.com one). The most secure solution might be to maintain a separate password for every site, but that isn’t very user freindly. Maintaining security has always been a trade-off between security and usability. Greater minds than mine are working on this problem, trying to come up with solutions like the OpenID initiative. Until a better solution is universally adopted, here I’m presenting the technique I use for personal password management.

Continue reading

Downadup / Conficker and Disabling Autorun

Just a quick heads up related to disabling Autorun to protect against Downadup / Conficker. While the worm continues to spread and receive more media coverage, IT personnel are working to make sure their systems are protected. One of several ways this worm spreads is by taking advantage of the Autorun feature in Windows systems. Disabling this feature via Group Policy is a logical decision, but it turns out it may not actually work like it should.

Disabling Autorun via GPO currently only disables Autoplay on media insert. However, if there is an Autorun.inf file present on a CD, USB, or network drive, the program will still run when double clicking that drive in Windows Explorer. This vulnerability was announced by the U.S. CERT team on January 20, and later updated to provide patch details from Microsoft. Follow the links below for full details on the problem and where to get the patch.

US-CERT Alert
Microsoft KB953252
UPDATE: Microsoft released KB967715 on March 10 to address this autorun problem in all versions of Windows.

Enabling DNSSEC on BIND

My previous post was an overview of DNSSEC and how it secures DNS transactions. This one covers how to enable DNSSEC on zones running on the BIND DNS server. Specifically, this example will involve setting up DNSSEC on a parent and child zone, and confirming successful operation.

An important concept to grasp is that BIND sort of takes on two different roles pertaining to DNSSEC. One is that of providing signed data for a zone for which it is authoritative. The other is that of a validating resolver for external zones. If you only want to set up your BIND server as a DNSSEC validating resolver and not sign any of your own zones, you can skip down to the “Resolver Validation” section.
Continue reading

DNSSEC 101

DNSSEC is something you’ve no doubt heard of, especially this past summer with the discovery of the Kaminsky DNS bug which led to a small panic and widespread patching from vendors. DNSSEC (sometimes called DNSSECbis) has existed as a proposal for about 10 years, but has undergone significant changes as recently as March 2008, and has only lately seen a major push to implementation. This post discusses both the need for DNSSEC and tackles the complex topic of how it works, as simply as possible. Though this really only scratches the surface, it should serve as a good intro for those who want to know more. A fundamental understanding of DNS is assumed.

Continue reading

Case Study: Suspicious Network Traffic

In this post I describe a recent investigation of suspicious network traffic on an organization’s network. Although the traffic ended up not being malicious, the hope is that the basic investigation methodologies described may be helpful to those in similar situations. The tools used include Wireshark network monitor, select Sysinternals utilities, and those built into the Windows OS.

Continue reading

Review: “Schneier on Security”, for IT Professionals

Allow me to get this out of the way first, I’m not a book reviewer, as I’m sure will be evident from reading this post. However I do work in IT, and I do deal with security issues, which makes me one of the potential target audiences for Bruce Schneier’s latest book. If you don’t know who Schneier is, this description from his website sums it up well:

Schneier is an internationally renowned security technologist and author. Described by The Economist as a security guru… best known as a refreshingly candid and lucid security critic“. He is also the Chief Security Technology Officer of the BT Group.

I received a copy of Schneier on Security several weeks ago, and have read with interest since then his opinions on security. The book is a collection of previously published blog posts and print & newsletter articles written by Bruce over the past few years, so if you’ve been a regular reader of his work this may be nothing new for you.

Continue reading