Browse by Tags

Cheap real time monitoring for Conficker clients
I already did one post about using eventcomb/logparser to look for clients but found a better way to do it on a case last night which I wanted to share. The first thing you need is to enable netlogon debug logging on all of your DCs save the following Read More...
Posted 09 March 09 11:21 by kfalde | 0 Comments   
Blocking and finding Conficker and Downadup systems
EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.   I’ve already created one post on finding malware systems using eventcomb Read More...
Using Logparser + Eventcomb to find malware
During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out.  I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most Read More...
Posted 28 January 09 05:04 by kfalde | 1 Comments   
Malware Win32/Conficker.B W32.Downadup.B
So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URLs http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852 Read More...
Changes to Microsoft Anti-Malware
This doesn’t really affect the FCS world but it is an interesting development. https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx apparently we are going to begin to offer a no-cost anti-malware solution in 2nd half of Read More...