I've been working with folks at Sourcefire - Middle East to help me create a Snort Users Group in the gulf region, and I'm finally ready to announce the launch of GCC (Gulf Cooperation Council) Snort Users Group. Every Snort fan in GCC is welcome to join us.
For Registration:
https://lists.snort.org/mailman/listinfo/gcc_sug
Saturday, November 21, 2009
Snort IDS GCC User Group
Tuesday, March 10, 2009
Winner of Master T-Shirt in Experts-Exchange
I am glad to publish the news that I have been chosen as the winner of Master T-Shirt in Experts-Exchange. I am currently in the Master rank in Antivirus zone. For more details, you can select the 'My Experts-Exchange Profile' in the right navigation widget of this weblog.I am publishing the Experts-Recognition appreciation email that I have recieved today
Friday, February 13, 2009
Sunday, January 25, 2009
Recommended Readings: Latest security books
I recommend reading the following books, becuase they are focusing on malwares, except Nmap network scanning, I know but it's a good addition to your bookshelf.
1) Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Happy Reading :)
Thursday, January 22, 2009
Beat Downadup/Conficker like a pro: My story from the field
Since there are many websites talked for days about Conficker/Downadup. Today, I have something different especially for system admins.
I've been busy for the last three days, building defense lines around critical servers for one of my customers. The source of infection was due to one lazy user, who has no antivirus installed on his laptop. And it didn't take a long time to start spreading and attacking other systems in the network. We have responded fast, otherwise, we would spend the rest of the day, counting how many critical systems are down.
I've been busy for the last three days, building defense lines around critical servers for one of my customers. The source of infection was due to one lazy user, who has no antivirus installed on his laptop. And it didn't take a long time to start spreading and attacking other systems in the network. We have responded fast, otherwise, we would spend the rest of the day, counting how many critical systems are down.
My plan was to build a barrier around critical servers, then move forward. By making sure that every running system is already protected by the current AV software (Symantec Endpoint Protection) that was already blocking the attack successfully. It was not a big hit, because 98% of the systems were protected by SEP, which has decreased the number of infected systems. Cheer up people; I've created a windows batch that would reverse and cure side-effects of Downadup:
1) Re-enable and start the following services:
Background Intelligent Transfer Service
Windows Automatic Update Service
Windows Security Center Service
Windows Defender Service
Windows Error Reporting Service
2) Check MS WSUS for any missed updates (Due to disabling/stopping of windows update service during infection period)
3) Run Symantec FixDownadup tool
4) Install MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
5) Reboot system
This batch covers the following OS versions:
1) Windows 2000
2) Windows XP
3) Windows 2003
4) Windows Vista SP0/SP1
Note: Some OS versions or 64-bit are not supported by this batch, may be soon.
To start working, first we need to download the required patches + fix tool:
Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE
Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe
Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu
Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users). And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.
Here is for example, the Vista OS part (from the batch):
….
:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...
shutdown /r /f /c "Rebooting system, you have 1 minute to save your work"
goto exit
….
Download Batch (MSN SkyDrive Hosting, Right-click & save won't work. Follow the link then click on the white file in the left)
Good Luck
Subscribe to:
Comment Feed (RSS)