Important information about worm activity on April 1
This message is in regard to upcoming activity of the Conficker.C worm. Please
distribute this message as appropriate.
PROBLEM: The Conficker.C worm, which has reportedly infected millions of Windows
systems, is scheduled to activate on April 1. During activation, infected hosts
will download and execute malicious code.
Until the worm activates, it's unclear what the new malicious code will do. Some
researchers speculate that infected hosts could be instructed to send spam e-mail,
participate in a network denial-of-service attack, or nothing at all.
To date, we have observed very minimal Conficker activity on campus. There is
no known way to proactively identify infected hosts via network scanning. McAfee
Antivirus software will identify and remove Conficker.C.
ACTION ITEMS: As a precaution, Safe Computing is monitoring the network at the campus border
to the Internet. Be aware that network entry points such as VPNs and mobile devices
like laptops may bypass our network monitoring. Security and network administrators
should increase monitoring of these networks on April 1.
While the likelihood of a widespread worm outbreak is debatable, we believe that
it is better to be prepared. Therefore, we may call upon you to take urgent action
and ask that you plan accordingly by ensuring that key technical staff are available
on April 1.
Should you discover an infected host, please take the following steps:
1) Immediately unplug the host from the network (or disable the switch port).
2) Notify your unit's IT security incident response coordinator and security@umich.edu
of the infected host.
3) If the system does NOT contain sensitive information as defined by SPG 601.12
(e.g., social security numbers), run Microsoft's Conficker removal tool (listed
below). If the infected host does contain sensitive information, inform Safe Computing
and we will work with you to coordinate a response. Do not take any further actions
to remove the worm as this may destroy valuable forensic information.
4) Once you are certain the worm has been removed, ensure the host has the latest
Microsoft security patches applied, including MS08-067, and that auto-update
is enabled.
5) Reconnect the host to the network.
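As an added example (not part of this advisory), the following PowerShell check covers step 4: it reports whether MS08-067, which Microsoft shipped as hotfix KB958644, is installed and whether Automatic Updates is turned on, reading the standard Windows Update registry locations (Group Policy key first, then the local setting). Run it on the cleaned host before reconnecting it.

```powershell
# Added verification helper for step 4 of the advisory (not the advisory's own code).
# Reports whether MS08-067 (hotfix KB958644) is present and whether Automatic
# Updates is enabled, so a host is not reconnected before both are true.
function Test-ConfickerRemediation {
    # MS08-067 was delivered as KB958644 for XP, Server 2003, Vista and Server 2008.
    $patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $patchInstalled = [bool]$patch

    # A Group Policy setting overrides the local Automatic Updates setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $auOptions = $null
    foreach ($key in @($policyKey, $localKey)) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        if ($props.PSObject.Properties['NoAutoUpdate'] -and $props.NoAutoUpdate -eq 1) {
            $auOptions = 1   # policy explicitly disables Automatic Updates
            break
        }
        if ($props.PSObject.Properties['AUOptions']) {
            $auOptions = [int]$props.AUOptions
            break
        }
    }
    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then
    # notify, 4 = download and install on a schedule. Only 4 counts as enabled here.
    $autoUpdateEnabled = ($auOptions -eq 4)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MS08067Installed   = $patchInstalled
        MS08067InstalledOn = $(if ($patch) { $patch.InstalledOn } else { $null })
        AUOptions          = $auOptions
        AutoUpdateEnabled  = $autoUpdateEnabled
        ReadyToReconnect   = ($patchInstalled -and $autoUpdateEnabled)
    }
}

Test-ConfickerRemediation | Format-List
```

On systems released after the fix was integrated (Windows 7 and later), KB958644 never appears in Get-HotFix, so treat a missing entry on those hosts as "verify manually" rather than as unpatched.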
A link to Microsoft's Conficker removal tool and a link to technical analyses
of the worm are included below.
Please direct any questions or concerns to security@umich.edu.
REFERENCES:
Microsoft Malware Protection Center
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.C
Conficker.C Technical Analysis
http://mtc.sri.com/Conficker/addendumC/
Cisco Technical Analysis
http://tools.cisco.com/security/center/viewAlert.x?alertId=17121