Re: [foxboro] "Conficker" virus,
- From: Ainuddin Ali <ainuddin@xxxxxxxxx>
- To: foxboro@xxxxxxxxxxxxx
- Date: Wed, 17 Jun 2009 19:29:48 +0800
While many so-called Conficker removal tools are available, none actually
removes ALL variants of the Conficker / Kido worm. Two obvious signs of this worm's
activity:
1) Go to Task Scheduler. If you find an ATXXXX entry, you're infected (XXXX is a
random number).
2) Go to Services and sort all services by Description. If you find two services
having exactly the SAME description (but a different Image Name), then you're
infected.
While the control network is not supposed to be connected to the internet, you still
can get infected via a USB thumb drive.
You can also get infected via a third-party computer, e.g. our PI server is
connected to one of our AWs for historian purposes. This PI server is connected
to the internet.
Regards.
On Wed, Jun 17, 2009 at 1:57 AM, Corey R Clingo <corey.clingo@xxxxxxxx> wrote:
> Conficker (I think) and other modern virus variants are using other means
> to get onto machines, i.e., "autorun" (I call it auto-hose) on CDs and USB
> sticks -- you know, that thing you thought you could disable in Windows
> but really wasn't disabled (thanks, Microsoft). You do not have to
> connect your system to the Internet anymore to get infected.
>
> Your statements are valid, but in practical terms there are problems. Yes,
> you can scan the CDs and USB sticks on some sacrificial box and hope
> nothing gets by your scanner(s). "Hardening" Windows is not an option on
> most systems I have dealt with because it causes massive breakage (not
> necessarily Windows' fault, but that of the entire Windows software
> development mindset). Patching is not always as easy as it sounds;
> usually the PCS vendor must qualify them before you load them, and even
> then it is more of a "smoke test" than a comprehensive compatibility
> review. And who has resources to test all those patches inhouse before
> loading them, potentially on a hundred or more machines?
>
> I feel a how-stupid-do-you-have-to-be-to-build-a-control-system-on-Windows
> rant coming on, so I'll stop now.
>
>
> Corey Clingo
> BASF Corp.
>
> "Toecker, Michael" <mtoecker@xxxxxxxxxxxx> (sent by foxboro-bounce@xxxxxxxxxxxxx)
> wrote on 06/15/2009 11:25 AM to <foxboro@xxxxxxxxxxxxx>,
> subject: Re: [foxboro] "Conficker" virus,
>
> ...which also begs the question why your process control systems have
> access to the internet...
>
> I haven't done a Conficker detection on a foxboro system yet. Most of
> the ones available require that you:
> 1. Use their product
> 2. Currently RUN their product on the system
> 3. Can connect to the internet or an AV system for updates.
>
> I've had a decent amount of success with Microsoft's removal tool
> (Windows Malicious Software Removal Tool) on other Windows based DCS.
> You can download it from their website. It has all the files "onboard"
> to detect and remove conficker, you don't have to connect to the
> internet for updates.
>
> AND! All of this is for NAUGHT if you don't PATCH YOUR SYSTEM. If you
> remove it, and other systems are infected, you are likely to be
> reinfected within minutes of removing the virus. I'm not sure if
> Foxboro has released an approved system patch and patch procedure for
> Conficker...
>
> You should perform this on an isolated test system before trying it in
> production to get a feel for what is gonna happen (such as required
> reboots). And, since I'm not the one doing the removal, proceed under
> your own risk.
>
> Sincerely,
>
> Michael Toecker
> Control Systems Security Designer
> Compliance & Infrastructure Protection
> Burns & McDonnell Engineering
>
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: http://www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
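The two signs Ainuddin lists, plus the patch and autorun points raised by Michael and Corey, can be checked without a vendor's AV product. The script below is an added example for this thread, not code from any of the posters, and it is read-only: it reports, it does not remove anything. It assumes Windows PowerShell on the host under test and the standard Windows locations for at.exe jobs, service registry keys and the Explorer AutoRun policy. Two facts it relies on are not stated in the thread: the network hole Conficker spreads through is MS08-067 (KB958644), and NoDriveTypeAutoRun = 0xFF only disables AutoRun reliably once Microsoft's 2009 AutoRun update (KB967715) is installed, which the script cannot confirm.

```powershell
# Added example, not from the thread. Reports the Conficker indicators and
# exposures discussed above on the local Windows host. Read-only.
# Run from an elevated Windows PowerShell prompt (2.0 or later).

$findings = @()

# --- 1) at.exe jobs named At<n> ----------------------------------------
# Conficker schedules itself with at.exe. On XP/2003 the jobs live as
# %SystemRoot%\Tasks\At1.job and so on, and schtasks lists them as "At1".
$taskDir = Join-Path $env:SystemRoot 'Tasks'
$jobFiles = Get-ChildItem -Path $taskDir -Filter 'At*.job' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^At\d+\.job$' }
foreach ($f in $jobFiles) {
    $findings += "at.exe job file: $($f.FullName) (created $($f.CreationTime))"
}

# Newer Windows stores jobs elsewhere, so also ask schtasks. Its CSV output
# may repeat the header row per folder; those rows simply fail the regex.
$tasks = schtasks.exe /query /fo CSV 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -match '(^|\\)At\d+$') {
        $findings += "Scheduled task: $($t.TaskName)"
    }
}

# --- 2) Two services with the same description but different code -------
function Get-ServiceBinary {
    param($Service)
    # svchost-hosted services share one command line, so for those compare
    # the DLL named in the registry (where a DLL-based service registers).
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return "$($Service.PathName) [$dll]" }
    return $Service.PathName
}

$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Description -and $_.Description.Trim() }
foreach ($group in ($services | Group-Object -Property Description)) {
    if ($group.Count -lt 2) { continue }
    $binaries = @($group.Group | ForEach-Object { Get-ServiceBinary $_ } | Sort-Object -Unique)
    if ($binaries.Count -gt 1) {
        $detail = ($group.Group | ForEach-Object { "$($_.Name) -> $(Get-ServiceBinary $_)" }) -join '; '
        $findings += "Duplicate service description `"$($group.Name)`": $detail"
    }
}

# --- 3) Exposure: AutoRun on removable media, and the MS08-067 patch -----
# 0xFF disables AutoRun for every drive type. Older Windows honours the
# value fully only with the AutoRun update (KB967715) applied; not checked here.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -ne 0xFF) {
        $shown = if ($val -eq $null) { 'not set' } else { '0x{0:X}' -f $val }
        $findings += "$hive NoDriveTypeAutoRun is $shown, expected 0xFF"
    }
}

# KB958644 is the MS08-067 fix; without it a cleaned box is reinfected from
# any infected neighbour on the network.
if (-not (Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)) {
    $findings += 'MS08-067 (KB958644) not installed; network reinfection path is open'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Conficker indicators or known exposures found (not proof the host is clean).'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

As Michael advises for the removal tool, try this on an isolated test system first. The service check implements Ainuddin's heuristic literally, so a legitimate pair of services that happen to share a description will also be flagged; every hit needs a look at the named binary or DLL before anything is touched.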