Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: David Harley <dharley () SMALLBLUE-GREENWORLD CO UK>
Date: Tue, 31 Mar 2009 17:33:46 +0100

Staying strictly vendor-agnostic, despite the fact that I work for an
anti-malware company:

* Any mainstream AV company should detect and remove known Conficker
variants, in general. Some companies have standalone removal tools, but you
guys shouldn't usually need them except as insurance: in fact no one
-should- need them except people who don't take any precautions at all.
* The honeynet tool (and one or two similar utilities) make(s) for a nice
extra layer, especially when plugged into tools you use already: enough
security mavens with access to millions of samples, like the guys in the
Conficker Working Group, have had input to ensure they work pretty reliably.

* I'd imagine most of you have anti-malware, sound patching practice,
network & vulnerability scanning and so on, which means that you're fairly
low risk, though you probably can't lock down your systems as tightly as some
corporates. But that means it doesn't surprise me you're not seeing a lot of
suspicious packets, though you might as the occasional remote device logs
in.
* If you can restrict the use of USB devices and lock down Autorun, that
helps not only with (some) Conficker but with lots of other malware that
misuses that facility. In fact, even before Conficker, that group (and it
includes all sorts of miscellaneous malware -types-) has been detected in
very, very high volumes for a good while.

HTH...

--
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence, ESET
(but not in marketing)
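
The Autorun and USB lockdown mentioned above, as an added example that is not part of David Harley's message or the Educause thread. It is a PowerShell script for a single Windows host, run from an elevated session; the registry paths and value names are the standard Microsoft ones (NoDriveTypeAutoRun under the Explorer policy key, and the USBSTOR service Start value), and the function names are my own. In a managed environment the same values would normally be pushed by Group Policy rather than set by hand.

```powershell
# Added example (not from the original message): lock down Autorun and
# USB mass storage on one Windows host, then report whether it took.
# Assumes an elevated PowerShell session.
#Requires -RunAsAdministrator

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-AutorunLockdown {
    param(
        # Set to $false if staff legitimately need USB storage and you only
        # want autorun.inf ignored, not the drives themselves blocked.
        [bool]$BlockUsbStorage = $true
    )

    # NoDriveTypeAutoRun is a bitmask of drive types excluded from Autorun;
    # 0xFF excludes every drive type, so an autorun.inf on a USB stick or a
    # mapped network drive is never acted on.
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' `
        -Value 0xFF -Type DWord

    # Start=4 (SERVICE_DISABLED) keeps the USB mass-storage class driver
    # from loading, so removable drives are not mounted at all.
    if ($BlockUsbStorage) {
        Set-ItemProperty -Path $UsbStorService -Name 'Start' -Value 4 -Type DWord
    }
}

function Test-AutorunLockdown {
    # Read the values back rather than trusting the write; returns an object
    # so the result can be collected from many hosts and filtered.
    $autorun  = (Get-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbStart = (Get-ItemProperty -Path $UsbStorService -Name 'Start' `
                    -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutorunDisabled   = ($autorun -eq 0xFF)
        UsbStorageBlocked = ($usbStart -eq 4)
    }
}

Set-AutorunLockdown
Test-AutorunLockdown | Format-Table -AutoSize
```

On the Windows XP and Server 2003 hosts this 2009 thread would have been dealing with, NoDriveTypeAutoRun was only honoured reliably once Microsoft's Autorun update (KB967715) was installed, so a patch check belongs alongside the registry check. Disabling USBSTOR does not affect USB keyboards or mice, but it does block every USB disk, so run Test-AutorunLockdown on a pilot group before pushing the setting widely.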
