length: 00:13:12

Conficker first major worm exploiting MS08-067

Once one machine is infected it will start to download other rouge application.

One machine is compromised, it will start to spread by other mean/vector for example: dictionary attack on share nearby to propagate.

It shuts down security software

It uses scheduled task, kick off attack to other hosts

Block access to security update repository

Autorun inf – method to launch, it’s very common method  (must do: disable autorun feature)

Do reverse lookup of infected machine.

When M$ release out of bad patch – it’s a big deal

It’s memory resident worm – must reboot after clean

It modifies registry permission – make is difficult to clean as security software does not have the right permission

Check vil.com , black list of IP of location

A lot of variant – on daily basis.