Fatma Bazargan’s blog

More on Conficker
March 30, 2009, 8:33 pm
Filed under: Security
How to detect and contain Conficker!



Quick news on Conficker: Honeynet Project members Tillmann Werner and Felix Leder have developed a new scanning tool that detects Conficker-infected hosts over the network, and their Know Your Enemy writeup describing how to contain Conficker will be out shortly. The tool is publicly available and is being integrated into the major vulnerability scanners, including Tenable (Nessus), nCircle, Qualys and Nmap.


Dan Kaminsky (Doxpara) has also packaged Werner and Leder's detection code as a stand-alone scanner (built with py2exe) that you can point at an IP range; it reports any machine in the range that is infected by Conficker.


Word to spread: make sure your computers have the latest Microsoft patches installed through Windows Update, and that your anti-virus engines have the latest updates.


Don’t forget to run the tools to detect Conficker infection.



Here is a video about Conficker (a great listen): http://www.sophos.com/blogs/gc/g/2009/03/31/video-conficker-april-1st-fuss/

Qualys also has something to say about Conficker: http://laws.qualys.com/lawsblog/2009/03/taming-of-the-shrew-aka-confic.html


The Know Your Enemy paper explains how to detect, contain and remove Conficker: http://www.honeynet.org/papers/conficker

If you are going to use Nmap, check Dan's post: http://www.doxpara.com/?p=1294

Update 3:

 Symptoms of being infected:

  • You cannot reach anti-virus vendor or other security-related websites (the worm blocks them by name on the infected host).
  • Domain accounts get locked out (the worm guesses passwords over the network against other machines, tripping lockout policies).
  • Unexpected autorun.inf files, and files in a RECYCLER directory, appear on removable drives.
  • Access to administrative shares (ADMIN$, C$) is denied.
  • Unusual traffic on TCP port 445 (SMB), the channel used to exploit MS08-067.
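As an added illustration of what a first-pass triage for the symptoms above might look like, here is a small Python script that flags hosts showing SMB fan-out on TCP/445 and a burst of account lockouts. It is not the Honeynet scanner and not from this post; the log formats, hostnames, IP addresses and thresholds are all constructed assumptions.

```python
"""Triage hosts for two of the Conficker symptoms listed above (SMB fan-out
over TCP/445 and a burst of account lockouts). Log formats, thresholds and
all sample lines are constructed assumptions, not any vendor's real format."""
import re
from collections import defaultdict

# Assumed key=value firewall log format and Windows Server 2003 style
# account-lockout events (event 644 carries the caller machine name).
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
LOCK_RE = re.compile(r"event=644 user=(\S+) caller=(\S+)")

SMB_FANOUT_THRESHOLD = 10  # distinct TCP/445 peers per source (assumed tuning)
LOCKOUT_THRESHOLD = 3      # lockouts attributed to one caller machine (assumed)

# Constructed sample: 10.0.1.15 sweeps sixteen neighbours on TCP/445 (denied
# attempts count too, the attempt is the signal) while 10.0.1.30, a file
# server, talks to its usual two clients.
FIREWALL_LINES = [
    f"2009-03-30T20:01:{i:02d} src=10.0.1.15 dst=10.0.1.{20 + i} dport=445 "
    f"action={'deny' if i % 4 == 3 else 'allow'}"
    for i in range(16)
] + [
    "2009-03-30T20:01:20 src=10.0.1.30 dst=10.0.1.15 dport=445 action=allow",
    "2009-03-30T20:01:21 src=10.0.1.30 dst=10.0.1.16 dport=445 action=allow",
    "2009-03-30T20:01:22 src=10.0.1.15 dst=10.0.1.40 dport=80 action=allow",
]
SECURITY_LINES = [
    "2009-03-30T20:02:10 dc=DC1 event=644 user=jsmith caller=WS-15",
    "2009-03-30T20:02:11 dc=DC1 event=644 user=agarcia caller=WS-15",
    "2009-03-30T20:02:12 dc=DC1 event=644 user=backupsvc caller=WS-15",
    "2009-03-30T20:02:40 dc=DC1 event=644 user=bob caller=WS-07",
]
NAME_TO_IP = {"WS-15": "10.0.1.15", "WS-07": "10.0.1.7"}  # constructed mapping


def smb_fanout(lines):
    """Number of distinct hosts each source tried to reach on TCP/445."""
    peers = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group(3) == "445":
            peers[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in peers.items()}


def lockouts_by_caller(lines):
    """Account lockouts grouped by the machine that caused them."""
    counts = defaultdict(int)
    for line in lines:
        m = LOCK_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def triage(firewall_lines, security_lines, name_to_ip):
    """Map suspect host -> list of symptom descriptions."""
    findings = defaultdict(list)
    for src, n in smb_fanout(firewall_lines).items():
        if n >= SMB_FANOUT_THRESHOLD:
            findings[src].append(
                f"contacted {n} distinct hosts on TCP/445 (MS08-067 spread pattern)")
    for caller, n in lockouts_by_caller(security_lines).items():
        if n >= LOCKOUT_THRESHOLD:
            findings[name_to_ip.get(caller, caller)].append(
                f"caused {n} account lockouts from {caller} (network password guessing)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(FIREWALL_LINES, SECURITY_LINES, NAME_TO_IP).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Hosts this flags are candidates for the Honeynet/Nmap network check, not confirmed infections: file servers, backup agents and vulnerability scanners legitimately touch many hosts on 445, so the thresholds have to be tuned to your own network before the output means anything.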

 SANS has set up a diary for updates on Conficker at: http://isc.sans.org/diary.html?storyid=5860


Final word for today: even if you get infected and go looking for a Conficker removal tool, make sure you download it from a vendor you already deal with, or at least one you are sure of and have heard of. The last thing you want is to download a bogus Conficker removal tool set up by cyber criminals!


(Watch this entry; I'll keep updating it with Conficker info.)


Happy Conficker’ing Day!

Fatma Bazargan


Firefox 3.0.8 Released
March 29, 2009, 8:37 am
Filed under: Security

The new release, Firefox 3.0.8, fixes two security issues:


MFSA 2009-13 Arbitrary code execution through XUL <tree> element
MFSA 2009-12 XSL Transformation vulnerability


Firefox 3.0.8 Release Notes and Download


IE8 and Firefox 3.0.8
March 27, 2009, 11:52 am
Filed under: Security
Firefox & IE: sweet encounter!

Last week at the CanSecWest security conference in Vancouver, British Columbia, a "single-click-and-you're-owned" exploit was demonstrated against the beta release of Microsoft's browser, Internet Explorer 8 (IE8). Microsoft confirmed that the vulnerability also exists in the official release of IE8. The exploit reportedly bypasses Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) mitigations.


On the other hand, Mozilla announced that it will release Firefox 3.0.8 next week to close a serious security vulnerability, the second big Firefox exploit in a week. Exploit code has been posted publicly. The flaw is in Firefox's XSL transformation handling: if a user simply views a maliciously crafted XML file on a website, the attacker can run code of their choosing on the user's machine, in the style of attack known as a drive-by download.


By the way, the drive-by download affects Firefox running on all platforms, including Mac OS and Linux, according to Mozilla developer notes.


define: drive-by download (wikipedia)

Download of spyware, a computer virus or any kind of malware that happens without knowledge of the user. Drive-by downloads may happen by visiting a website, viewing an e-mail message or by clicking on a deceptive popup window: the user clicks on the window in the mistaken belief that, for instance, it is an error report from his own PC or that it is an innocuous advertisement popup; in such cases, the “supplier” may claim that the user “consented” to the download though s/he was completely unaware of having initiated a malicious software download.

The main issue is that many end users run their computers with administrative privileges. Code delivered by a drive-by download runs with whatever privileges the browser process has, so if the victim is logged in as an administrator, the attacker's code is an administrator too.


This type of attack can be prevented, or at least contained, if the end user follows some of the methods below:

  • Avoid logging in to your machine with an account that has administrative privileges. Log in as a normal (low-privilege) user, and switch to an account with admin privileges only when something really requires it.
  • If you are comfortable with virtual machines, run your browser sessions inside a contained virtual machine (VMware, etc.). Your browser session is then segmented from your actual machine, so even if an exploit succeeds you can revert to an earlier snapshot as if you were never infected.
  • Finally, if you use Firefox, run it in Restricted Mode and use the NoScript add-on, which prevents JavaScript from running on a site until you allow it.

Safe browsing,

Fatma Bazargan

UAE Advanced Defense & Security Technology Summit 2009
March 27, 2009, 10:43 am
Filed under: Blogging


Held under the patronage of the UAE Ministry of Defense, the Advanced Defense & Security Technology Summit is a historic event that will bring together global defense and security leaders to discuss the crucial role of advanced technological solutions in solving global issues.

Organized by Development Program Worldwide, an established provider of high quality government and business summits and essential forums for bilateral negotiation, the summit will focus on key geopolitical themes such as:

  • Regional Security
  • Maritime Security
  • Critical Infrastructure Protection
  • Energy Security
  • Border Security
  • Future Combat Systems
  • Network Centric Warfare
  • National Resilience & Security

The summit opening representatives are the UAE Ministry of Interior, Ministry of Defense and the Armed Forces. The agenda for the two days can be found here.

Good Day

March 26, 2009, 8:31 pm
Filed under: Security
hmm.. i dont think it's that pretty!


For a while now the Conficker worm has been a nightmare for everyone. Everyone is talking about April 1st, when the new variant of Conficker switches to its new domain-generation scheme, so as a heads-up: it isn't doomsday. Where Conficker.A and B polled 250 domains per day to download and run an update program, the new variant will poll 50,000 domains for the same purpose. Security researchers have also stated that Conficker was crafted by professionals, as it is one of the first real-world cases of the MD6 hash algorithm being used.


As I mentioned before about SRI International's writeup on Conficker, they have now released a new technical writeup analysing Conficker.C. Parts of it explain the peer-to-peer functionality and give pseudo-code for Conficker.C's domain name generation:


“Among the key changes, Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day. “
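To make the numbers in the SRI quote (and the 250-versus-50,000 comparison above) concrete, here is a toy domain-generation algorithm as an added illustration. It is not Conficker's actual generator and is not from the SRI writeup; it uses SHA-256, a made-up seed and a made-up TLD list. What it shows is why a deterministic, date-seeded list lets every bot find the update server without ever hearing from it, and what the "50,000 generated, 500 queried" split does to a defender trying to pre-register the domains:

```python
"""Toy domain-generation algorithm illustrating the rendezvous scheme the
SRI quote describes: every bot derives the same daily candidate list from
the date alone, then queries only a subset. Added illustration using
SHA-256, a made-up seed and made-up TLDs; not Conficker's real generator."""
import hashlib
import math
import random
from datetime import date

TLDS = ("com", "net", "org", "info", "biz")  # assumed; not Conficker's list
ACTIVATION_DAY = date(2009, 4, 1)


def generate_domains(day, count, seed=b"toy-dga"):
    """Deterministic candidate domains for `day`: same input, same list, so
    bots and botmaster agree without talking to each other."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[8] % 4                       # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def pick_rendezvous(domains, n, bot_id):
    """The subset one bot actually queries; different bots pick differently."""
    return random.Random(bot_id).sample(domains, n)


def interception_probability(total, queried, registered):
    """Chance that a defender who pre-registered `registered` of the `total`
    daily domains owns at least one of the `queried` names a bot tries."""
    miss = math.comb(total - registered, queried) / math.comb(total, queried)
    return 1.0 - miss


if __name__ == "__main__":
    old_style = generate_domains(ACTIVATION_DAY, 250)      # A/B: 250 generated, all queried
    new_style = generate_domains(ACTIVATION_DAY, 50_000)   # C: 50,000 generated, 500 queried
    print(old_style[:3])
    print(len(pick_rendezvous(new_style, 500, bot_id=42)), "domains queried by bot 42")
    print(f"A/B, 1 domain registered:   {interception_probability(250, 250, 1):.3f}")
    print(f"C,   500 domains registered: {interception_probability(50_000, 500, 500):.3f}")
```

With the A/B scheme every bot queries all 250 names, so sinkholing a single one reaches every bot that day. With the C scheme a defender who registers 500 of the 50,000 still has roughly a 99% chance of catching any given bot's 500 queries, but the list changes every day, and the botmaster needs to control only one name on it; that asymmetry is the cost the change imposes on defenders.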


There is also a Sandbox result for running Conficker.C.


I'm sure you all have tons of questions about this worm; here you can find the April 1st Conficker questions and answers (a must read). Don't forget to read about the peer-to-peer functionality as well.


An F-Secure cleaning tool is available here.





Various # 09 – 103
March 9, 2009, 5:30 pm
Filed under: Security

I know it has been a long time since I last updated; I was caught up with a lot of things lately, first IDEX 09 in Abu Dhabi and now SANS Orlando. As today is my last day in Orlando, before I leave to look around Disney I thought I'd update this place with a small blog entry.

XKCD: Yeah, that's easier! LOL



1. I'm sure you all know Ed Skoudis (who doesn't?), the author of the book Counter Hack Reloaded, a great SANS instructor and the founder of InGuardians, Inc. Ed, Hal Pomeranz and Paul Asadoorian (founder of PaulDotCom) have a great blog called Command Line Kung Fu, where they discuss all sorts of command-line tricks (kung fu) on both Windows and Linux, the different ways you can execute them, and how to use them for sysadmin work and pen testing. There is so much to learn from that site. P.S.: Ed, it was a great experience being taught by you and meeting you.


2. SRI International has published a wonderful useful report on the Analysis of Conficker’s Logic. Worth a read.  


3. A week ago security researcher Didier Stevens posted a video showing how an Adobe Reader exploit can fire without the user opening the PDF, and today he explains how merely having a malicious PDF on your hard disk can be enough, because the Windows Indexing Service parses the file. Follow his countermeasures.


That’s all for now.