funsec mailing list archives

Disabling Conficker "DNS Lookup Blocking"...


From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 31 Mar 2009 19:44:34 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just an FYI:

Regarding the "DNS Lookup Prevention" in Conficker.C:

 http://mtc.sri.com/Conficker/addendumC/#dns-prevention

Trend Micro engineers have discovered that if you open a DOS shell window,
and enter "net stop dnscache", infected systems can then reach
the domains initially blocked by Conficker.

We also have a KB article on this, located here:

Solution ID: EN-1053403

Title: How to restore access to Trend Micro and other security sites that
have been blocked by malicious software infections
http://esupport.trendmicro.com/pages/How-to-restore-access-to-Trend-Micro-and-other-security-sites-that-have-been-blocked-by-malware-infections.aspx

See also:

"How to Disable Client-Side DNS Caching in Windows XP and Windows Server
2003"
http://support.microsoft.com/kb/318803

Of course, one can do this by either the command line or by accessing
Windows Services.

What is this designed to do, or rather, how does it help?

One of the "features" of being infected with Downadup/Conficker is that it
blocks the ability of infected hosts to contact a list (see above) of
domains (strings found) to obtain AV updates, removal tools, etc.

This is designed to disable the blocking, allow infected clients to fetch
the appropriate removal tools, apply the appropriate patches (AV updates,
or whatever), reboot, and get on with their lives. :-)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ0tT9q1pz9mNUZTMRAqFbAKDY2iJgK/uN69MHFfavha/Prm7G0ACgghjS
7UQ4gBJyAdX0T9QActQKdww=
=VhTg
-----END PGP SIGNATURE-----



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
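The remediation workflow the post describes ("net stop dnscache", fetch tools and updates, reboot), written out as an added PowerShell example that is not part of the original message or of Trend Micro's KB article. It assumes an elevated PowerShell session on an XP/2003-era host where the DNS Client service can still be stopped, tests name resolution of a constructed sample of security-vendor domains before and after stopping the service, and reminds the operator to restart the service once remediation is done. The domain list is a placeholder, not Conficker's actual block list (see the SRI link in the post for that).

```powershell
# Added example (not from the original post): check whether resolution of
# security-vendor sites recovers once the DNS Client service (dnscache) is
# stopped, which is the effect the post describes, then restore the service.
# Assumptions: elevated session; the $Domains list is a constructed sample.

$Domains = @('trendmicro.com', 'esupport.trendmicro.com', 'update.microsoft.com')

# Resolve each name with the .NET resolver (works on PowerShell 1.0/2.0, no
# DnsClient module needed) and record either the addresses or the failure.
function Test-Resolution {
    param([string[]]$Names)
    $result = @{}
    foreach ($n in $Names) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($n)
            $result[$n] = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
        } catch {
            $result[$n] = 'FAILED: ' + $_.Exception.Message
        }
    }
    return $result
}

function Show-Resolution {
    param([hashtable]$Table, [string]$Label)
    Write-Host "--- $Label (dnscache: $((Get-Service -Name dnscache).Status)) ---"
    foreach ($n in $Domains) { Write-Host ("{0,-28} {1}" -f $n, $Table[$n]) }
}

$before = Test-Resolution $Domains
Show-Resolution $before 'before'

# Equivalent of "net stop dnscache" from the post.
Stop-Service -Name dnscache -Force

$after = Test-Resolution $Domains
Show-Resolution $after 'after'

# Names that failed with the service running and succeed with it stopped are
# the ones the malware's lookup blocking was suppressing on this host.
$recovered = $Domains | Where-Object {
    $before[$_] -like 'FAILED*' -and $after[$_] -notlike 'FAILED*'
}
if ($recovered) {
    Write-Host "Recovered: $($recovered -join ', ')"
    Write-Host 'Fetch the removal tool and AV/OS updates now, then reboot.'
} else {
    Write-Host 'No change in resolution; the block on this host may not be dnscache-based.'
}

# After the cleanup and reboot, put the service back:
#   Start-Service -Name dnscache
```

Run it once before cleanup to confirm the symptom matches what the post describes (lookups that fail only while dnscache is running), and keep the "before" output as evidence for the incident record. On current Windows releases the DNS Client service is protected and `Stop-Service` is refused, so this only applies to the XP/2003-era systems the post and the Microsoft KB article cover.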

