funsec mailing list archives
Disabling Conficker "DNS Lookup Blocking"...
From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 31 Mar 2009 19:44:34 -0700
Just an FYI:

Regarding the "DNS Lookup Prevention" in Conficker.C:

http://mtc.sri.com/Conficker/addendumC/#dns-prevention

Trend Micro engineers have discovered that if you open a DOS shell window and enter "net stop dnscache", infected systems can then reach the domains initially blocked by Conficker.

We also have a KB article on this, located here:

Solution ID: EN-1053403
Title: How to restore access to Trend Micro and other security sites that have been blocked by malicious software infections
http://esupport.trendmicro.com/pages/How-to-restore-access-to-Trend-Micro-and-other-security-sites-that-have-been-blocked-by-malware-infections.aspx

See also: "How to Disable Client-Side DNS Caching in Windows XP and Windows Server 2003"
http://support.microsoft.com/kb/318803

Of course, one can do this either by the command line or by accessing Windows Services.

What is this designed to do, or rather, how does it help?

One of the "features" of being infected with Downadup/Conficker is that it blocks the ability of infected hosts to contact a list (see above) of domains (strings found) to obtain AV updates, removal tools, etc.

This is designed to disable the blocking, allow infected clients to fetch the appropriate removal tools, apply the appropriate patches (AV updates, or whatever), reboot, and get on with their lives. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
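An added triage script (not from the post above or from Trend Micro) that turns the "net stop dnscache" observation into a repeatable check: it resolves a set of names, stops the DNS Client service, and re-resolves only the names that failed, so a name that starts resolving once the service is stopped points at host-side lookup filtering rather than an upstream DNS problem. The domain list is a constructed sample; the post concerns Windows XP / Server 2003, and newer Windows releases may refuse to stop this service.

```powershell
# Added example: compare name resolution before and after stopping the
# DNS Client service (equivalent of "net stop dnscache" from the post).
# Run from an elevated PowerShell prompt on the suspect host.
# Constructed sample list; substitute your own vendor/update hosts.
$Domains = @('www.trendmicro.com', 'support.microsoft.com', 'www.example.com')

function Test-NameResolution {
    param([string[]]$Names)
    # Returns a hashtable: name -> $true if it resolved, $false otherwise.
    $result = @{}
    foreach ($n in $Names) {
        try {
            [void][System.Net.Dns]::GetHostAddresses($n)
            $result[$n] = $true
        } catch {
            $result[$n] = $false
        }
    }
    return $result
}

$before  = Test-NameResolution -Names $Domains
$blocked = @($before.Keys | Where-Object { -not $before[$_] })
if ($blocked.Count -eq 0) {
    Write-Output 'All test names resolved; no sign of lookup blocking.'
    return
}
Write-Output "Unresolvable with dnscache running: $($blocked -join ', ')"

try {
    # Same effect as "net stop dnscache"; may be refused on recent Windows.
    Stop-Service -Name dnscache -Force -ErrorAction Stop
} catch {
    Write-Output "Could not stop the DNS Client service: $($_.Exception.Message)"
    return
}

$after = Test-NameResolution -Names $blocked
foreach ($n in $blocked) {
    if ($after[$n]) {
        # Lookup works only with the local DNS client stopped: the host itself
        # is filtering resolution. Treat as a malware indicator, fetch removal
        # tools/updates while the service is down, then scan and clean.
        Write-Output "$n resolves with dnscache stopped -> host-side lookup filtering"
    } else {
        # Still fails without the local client: look at the network/upstream DNS.
        Write-Output "$n still fails -> not a local DNS client issue"
    }
}
```

Restart the service afterwards with `Start-Service dnscache` once the cleanup is done.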
Current thread:
- Disabling Conficker "DNS Lookup Blocking"... Paul Ferguson (Mar 31)
- Re: Disabling Conficker "DNS Lookup Blocking"... Richard Golodner (Mar 31)