Three methods to defend against the worm variant of the "fool" game

Recently, on the day of December 31, April 1, A Worm Virus Variant may have a large outbreak. In this regard, many anti-virus vendors have proposed solutions.

Tian Rongxin, who is also an information security vendor, believes that simply preventing virus users cannot completely defend against worms. What is the solution of Tian Rongxin?

Liu Yang, senior security expert of Tian Rongxin, believes that this Win32/Conficker. C broke out in last October ". a "variants and those that broke out in January this year ". B "variation based on the changes, this time. the c worm variant adds a new time trigger mechanism and generates 50 thousand random domain names randomly to avoid blocking. These domain names are basically not registered. It uses an algorithm to pick up 500 addresses each day to contact and upgrade the server controlled by hackers to ensure its survival rate. In this case, DNS service requests may be busy.

Liu Yang suggested that the first two outbreaks did not have dozens of thousands of computers infected in China, similar to those in other countries. He believes that this outbreak should be prepared in the following three aspects, there will be no major problems, so you don't have to worry.

I. Consolidate the system

1) Install patches. Since the worm is spread by exploiting Microsoft's last October MS08-067 RPC vulnerability, the most important thing is to confirm all the machines on the Intranet, including PCs, servers, install patches whether or not to connect to the Internet. The Reference Links are as follows:
Http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

2) When a computer user browses a Web page, he must enable the "Web page monitoring" function of the anti-virus software in the computer system. At the same time, computer users should promptly download and install the latest vulnerability patches or new versions of the operating system installed with application software to prevent malicious trojans from exploiting the vulnerabilities to intrude into and infect the operating system.

3) users must use anti-virus software immediately and fully. They must upgrade the software twice or more times a day to ensure that the virus database obtains the latest information.

4) Close unused services as much as possible.

5) disable the mobile media, especially the USB Flash Drive Autorun function: for personal computers or computer-savvy people, we can use the above methods to improve the system against Win32/Conficker. it is unrealistic for enterprises to have hundreds or more computers and allow network administrators to adjust their PC security policies one by one, therefore, you can deploy the TSM-TopDesk terminal Security Management System of tianrongxin to formulate security policies and take comprehensive measures to enable the following security policies:

? 6) Enable the Patch Management distribution policy TSM-TopDesk to provide the desktop system patch management function, the administrator can quickly deploy the latest important updates and security updates on Windows 2000, XP, 2003, and other machines in the network. TopDesk can detect security patches and patches to be installed on the desktop system. The administrator can issue commands to install uninstalled patches on the desktop system through the Console. The administrator can automatically download and update the patch library from the Microsoft website and check whether the desktop system is allowed to be installed. Through policy customization, the desktop system can automatically detect, download and install patches, or automatically execute the issued software according to user requirements. For this upcoming security event, we need to adopt a mandatory policy for this patch, which will ensure that each computer and server in the network will be updated in a timely manner and there is no omission.

? 7) enable anti-virus software Detection Policy TSM-TopDesk to detect anti-virus software on the host. It can detect the anti-virus software version running on the host, the anti-virus software version, and the antivirus software version and upgrade time, this service allows computers on the network to instantly update the virus database. Currently, it supports detecting the vast majority of popular antivirus software at home and abroad, including rising star, November, maca133, and Kaspersky.

? 8) When mobile media is disabled, many Trojans and viruses are automatically executed. Therefore, when you enable the mobile media device, try not to use the automatic operation function, but it is opened through a browser or resource manager, but it often runs automatically during the application process. Therefore, we use the control center to specify a policy to disable the automatic playback function in the operating system to reduce virus propagation. When you do not need or are not allowed to read mobile media through USB or Bluetooth, we enable the read/write policy for the interface to improve system security.

? 9) enable the host log audit policy TSM-TopDesk to provide audit and analysis warnings for system logs, security logs, system logs written into applications, and other services (such as DNS Server logs, set policies, analyze logs, monitor the opening and stopping of system services, and give timely warnings. For example, the Win32/Conficker. C virus will, if this service is running, the worm will invalidate this service:

· Wscsvc-Security Center
· Wuauserv-automatic update
· BITS-Background Intelligent Transfer Service
· ERSvc-Error Reporting Service
· WinDefend-Windows Defender (used in Vista)
· WerSvc-Windows Error Reporting Service (used in Vista)
......
When TSM-TopDesk finds that the above services are stopped, the terminal may be infected with this virus. The administrator can enhance the maintenance of the terminal and initiate a response policy.