Operation of one of Germany's nuclear power plants was suspended after a computer virus was detected in the station's fuel system.
News presented this way made us choke on our tea and start looking for the original source. What really happened?
According to Reuters and similar news reports, malware was detected in the information network of the Gundremmingen NPP, located in southern Germany (approximately 120 km north-west of Munich), despite the fact that the local network was isolated from the Internet.

Gundremmingen NPP in Germany
The malicious programs “W32.Ramnit” and “Conficker” were found in a computer system of power unit B that is associated with data visualization software for the movement of nuclear fuel rods (apparently fuel assemblies are meant). In addition, malware was found on 8 removable drives, mainly USB drives, in office computers that are not connected to the station's control systems.
Both W32.Ramnit and Conficker (aka Win32.HLLW.Shadow.based, Downup, Downadup, and Kido) are malware designed for Windows. Conficker is a legendary computer worm whose epidemic began on November 21, 2008 (right around the time the system in which it was detected was last updated). As a result of the epidemic, about 12 million computers were infected. A detailed description of the Win32.HLLW.Shadow.based worm is available here.
Ramnit is a file virus designed to steal money, search for files on the system, and remotely control the attacked computer. It has self-propagation mechanisms (like any virus) and also contains a rootkit. It was discovered in 2010. It breaks Windows Safe Mode by removing the registry keys responsible for it. Perhaps that is why this virus was found paired with Conficker: to remove it, you may need to switch to this mode.
Note that the Conficker epidemic became possible because a significant number of users did not install the critical update MS08-067. As a rule, the cause of infection is that the administrator account on the machine either has no password or has one that is too simple and does not withstand brute force.
Since this worm is still encountered (not long ago our technical support dealt with just such a case), we remind you:
- Update your antivirus and do not forget to check that your license is valid! Oddly enough, there are always systems whose protection has not been updated for years.
- Use complex passwords. Not funny, often in tech support
- Disable autorun from removable media (this applies if you do not install updates, because by now autorun should be disabled for everyone). You can find detailed information on disabling autorun, and the link to update KB967715, which is necessary for this function to be disabled correctly in older versions of Windows, on the Microsoft website: support.microsoft.com/?kbid=967715. Instructions for blocking USB connections to a computer are located at support.microsoft.com/kb/823732
- Install updates! They are not released for nothing. For Windows, the MS08-067 patch (www.microsoft.com/technet/security/bulletin/ms08-067.mspx) must be installed. Additionally, it is recommended to install the patches for the vulnerabilities described in MS08-068 (www.microsoft.com/technet/security/bulletin/ms08-068.mspx) and MS09-001 (www.microsoft.com/technet/security/bulletin/ms09-001.mspx)
- Periodically scan the system for previously unknown malware. A check for rootkits is usually performed automatically.
I apologize for such Captain Obvious advice; I cut it out of the already mentioned support request. “How many times have they told the world”, but it is always the same thing...
And yes, you do not have to contact technical support to clean up such programs!
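
One way to check the autorun advice above on a Windows machine, as an added example that is not part of the original post. It reads the `NoDriveTypeAutoRun` policy value described in KB967715 and lists the drive types for which AutoRun is still allowed. The function name `Get-AutoRunExposure` is hypothetical, and the script assumes the value is stored as a REG_DWORD.

```powershell
# Added example: audit the AutoRun policy referenced in KB967715.
# NoDriveTypeAutoRun is a bitmask; a SET bit DISABLES AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown type'       = 0x01
    'Removable (USB)'    = 0x04
    'Fixed'              = 0x08
    'Network'            = 0x10
    'CD-ROM'             = 0x20
    'RAM disk'           = 0x40
    'Unknown (reserved)' = 0x80
}

function Get-AutoRunExposure {
    # Hypothetical helper: returns the drive types whose AutoRun is NOT disabled.
    param([Nullable[int]]$Mask)
    if ($null -eq $Mask) {
        # No policy value at all: the OS default applies and should be reviewed.
        return @('value not set (OS default applies)')
    }
    $enabled = foreach ($name in $DriveTypeBits.Keys) {
        if (-not ($Mask -band $DriveTypeBits[$name])) { $name }
    }
    return @($enabled)
}

$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path  = "$hive\$policyKey"
    # Missing key or value yields $null instead of an error.
    $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    [pscustomobject]@{
        Key                    = $path
        Mask                   = if ($null -ne $value) { '0x{0:X2}' -f $value } else { 'not set' }
        # 0xFF means AutoRun is disabled for every drive type.
        AllDisabled            = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        AutoRunStillEnabledFor = (Get-AutoRunExposure $value) -join ', '
    }
}
```

A result with `AllDisabled` set to `False` and "Removable (USB)" in the last column marks a machine where an infected USB drive can still trigger AutoRun.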