DNS Debug Log–Enabling / Retrieving / Searching

The files you need for this: https://psasync.codeplex.com/ – psasync runspaces multi-threading PowerShell module https://github.com/kurtfalde/DNS-Debug – the DNS Debug scripts I’ve been bugged recently (@jepayneMSFT) to post some scripts I put together quite a while back so here they are.  These were written due to an onsite visit with a customer where we knew various DNS…

0

Some thoughts on Adobe Reader and malware

Not sure if anyone saw this bit of news recently where a report put out by ScanSafe indicates that PDF’s accounted for 80% of exploits in the 4th quarter of 2009.  I support both FCS our antivirus product and I also do Incident Response work.  As part of our IR work we do semi-forensics shall…

0

Some more logparser & eventcomb stuff for IR work

Counting and sorting by unique text in the strings section: As a follow on to a previous article http://blogs.technet.com/kfalde/archive/2009/01/28/using-logparser-eventcomb-to-find-malware.aspx I found some other useful queries that I figured I would post as well that came in helpful on some recent cases. We were basically looking for unique instances of event text from eventcomb logs so…

0

Dealing with malware that creates .exe’s on file shares

So lately we keep seeing variants of malware that modifies content on file servers in an environment in hopes of spreading to other users.  My guess is that it is just using mapped drive letters thinking they are USB keys but the effects is the same regardless.  The actions they take are usually something as…

5

Cheap real time monitoring for Conficker clients

I already did one post about using eventcomb/logparser to look for clients but found a better way to do it on a case last night which I wanted to share.  The first thing you need is to enable netlogon debug logging on all of your DC’s save the following as a .reg file and import…

0

Blocking and finding Conficker and Downadup systems

EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.   I’ve already created one post on finding malware systems using eventcomb however when it comes to Conficker or Downadup and realistically other malware too…

0

Using Logparser + Eventcomb to find malware

During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out.  I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people to not use a complex password policy.  So it seems…

5

Malware Win32/Conficker.B W32.Downadup.B

So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware. You can find write-ups from various AV companies at the following URL’s http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852 http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99 http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99 So the write-up’s are all pretty good some have details that the…

17

Changes to Microsoft Anti-Malware

This doesn’t really affect the FCS world but it is an interesting development. https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx apparently we are going to begin to offer a no-cost anti-malware solution in 2nd half of 2008.  This is going to be more targeted at the end-user market it appears from the look of it.  Check out the article for an…

0