Stuff n Things

Yep I write about Stuff.. and Things

Browse by Tags

Related Posts
  • Blog Post: Malware Win32/Conficker.B W32.Downadup.B

    So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URL’s http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852 ...
  • Blog Post: Using Logparser + Eventcomb to find malware

    During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out.  I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people to not use a complex password policy. ...
  • Blog Post: Cheap real time monitoring for Conficker clients

    I already did one post about using eventcomb/logparser to look for clients but found a better way to do it on a case last night which I wanted to share.  The first thing you need is to enable netlogon debug logging on all of your DC’s save the following as a .reg file and import it on all your DC...
  • Blog Post: Dealing with malware that creates .exe’s on file shares

    So lately we keep seeing variants of malware that modifies content on file servers in an environment in hopes of spreading to other users.  My guess is that it is just using mapped drive letters thinking they are USB keys but the effects is the same regardless.  The actions they take are usually...
  • Blog Post: Blocking and finding Conficker and Downadup systems

    EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.   I’ve already created one post on finding malware systems using eventcomb however when it comes to Conficker or Downadup...
  • Blog Post: Some more logparser & eventcomb stuff for IR work

    Counting and sorting by unique text in the strings section: As a follow on to a previous article http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx I found some other useful queries that I figured I would post as well that came in helpful on some recent...
  • Blog Post: Some thoughts on Adobe Reader and malware

    Not sure if anyone saw this bit of news recently where a report put out by ScanSafe indicates that PDF’s accounted for 80% of exploits in the 4th quarter of 2009 .  I support both FCS our antivirus product and I also do Incident Response work.  As part of our IR work we do semi-forensics shall...
  • Blog Post: Changes to Microsoft Anti-Malware

    This doesn’t really affect the FCS world but it is an interesting development. https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx apparently we are going to begin to offer a no-cost anti-malware solution in 2nd half of 2008. This is going to be more targeted at the end...