Windows Thread: Conficker - aarrgghh (Technical)
  1. #1

    Conficker - aarrgghh

    Ok, so we are in 2013 and guess what, yep, suddenly I find Conficker (Downadup) on my network!!

    I have no idea where or even how it had managed to get a foothold on the network.

    Running CC4.3 - Servers are 2008 r2 running AVG 2012 Business Edition, updates running every 4 hours and daily scans.
    Workstations, Windows 7 SP1 as per servers, and scans as per servers.

    AVG Management Console shows all up to date, etc. (I've even checked on a machine that it is using up-to-date defs etc.)

    Now, with Windows 7 and 2008 the same vulnerabilities that existed in earlier versions no longer exist in these versions of the OS, so the patch out there doesn't apply to these OSes!

    All admin users use strong passwords.

    AVG does scan and find the virus and does remove it, but it is not stopping machines from being reinfected.

    I spoke to AVG as to why the on-access scanner didn't stop the infection etc., but the person I spoke to just directed me to some MS KB articles. (Really helpful!!! NOT!)

    So, from 3pm tomorrow I am embarking on a long weekend of work following various tech docs etc...

    So after getting bored of reading this, anyone any ideas on how Windows 7 SP1 and Windows 2008 R2 have managed to become infected etc...

  2. #2
    meastaugh1
    How about a vulnerable OS (eg 2003) logged on as a domain admin? In that scenario the infected machine wouldn't need to exploit an OS vulnerability on the 7/2008 target, as it would be accessing the admin$ share to propagate.

  3. #3
    free780
    AVG, there's your problem.

  4. #4
    zag
    Make the root of your shared or mapped network drives read only.

    Stops Conficker instantly.
    Last edited by zag; 19th April 2013 at 08:39 AM.

  5. #5
    timbo343
    Ok, download and run this: Conficker Detection | McAfee Free Tools

    It will scan your network or the range of IP addresses you want to scan, and it will pick it up.

  6. #6
    arron
    I would check or block removable media.

  7. #7
    Mr_Jiminy
    Quote Originally Posted by arron:
    > I would check or block removable media.
    Snap!

    Had this issue last year; we took on a big contract following on from a huge IT support player, who hadn't controlled the outbreak. We banned all USB storage devices until they had all been scanned/disinfected. We used McAfee Stinger to remove it.

  8. #8
    synaesthesia
    I would have to agree with an earlier post: if your AV hasn't stopped the spread of conficker on a modern network, it is absolutely time to get rid of it and find something suitable. If a free product from MS can do it, why the hell can't the paid version of AVG?

  9. #9
    FN-GM
    If you haven't done so already, disable your Domain Admin account (recommended by MS, so it should be done anyway). Conficker will keep guessing the password and you can't lock this account out.

    Make sure all your other network accounts get locked out when you get the password wrong.

    Not sure about Conficker specifically, but make sure UAC is enabled; it helps loads when you have dodgy unwanted software.
    Last edited by FN-GM; 1st May 2013 at 12:06 AM.

  10. #10
    I would concur with FN-GM. The most likely cause is a computer (needn't even be a server) that has been infected (somehow) and the account that is logged on has domain admin rights. Conficker is picking up the rights of the account and is using those rights to spread unhindered to all C$ and ADMIN$ shares it finds on the network. If not dealt with it could infect all PCs and servers on your network, causing a cascade effect: any servers that are currently left logged in with a domain admin account are then used to infect PCs and servers in the same way.

    In reality, AV software is limited in what it can do in defence, as the worm will have had to have placed itself on to the server (via an admin share) before the active scanning picks it up and tries to remove it.

    The MS update doesn't prevent the worm spreading in this way; it just patches the RPC buffer overrun bug, which is one of the other main methods that it uses to spread.

    One useful tip is running the Malicious Software Removal Tool in your shutdown script using the quick scan option. It has a specific understanding of the worm and how to remove it.

    One other thing I would check is whether the AV is picking up an actual infection or an infected file.

  11. #11
    Zenden
    Quote Originally Posted by meastaugh1:
    > How about a vulnerable OS (eg 2003) logged on as a domain admin? In that scenario the infected machine wouldn't need to exploit an OS vulnerability on the 7/2008 target, as it would be accessing the admin$ share to propagate.
    This is 100% correct. I had to deal with a network a couple of years ago that had this problem for 9 months (was my predecessor, not me) and it is essential to understand you need to tackle the cause of the problem and not be distracted by the machines it is copying itself to. Where is it coming from? Don't bother trying to scan and remove it on the machine flagging it up, as it will come straight back. Some machine has it actively running and it is spreading via the admin$ share and using domain admin permissions to authenticate. Find the culprit machine, unplug it from the network. Change all domain admin passwords. Remove the infection on any/all machines but especially the culprit. Patch the culprit with KB958644 (I know that by heart after having to deal with this). Finally bring everything back online and use WSUS to deadline that patch for any and all operating systems.
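A way to turn the advice in #9 and #11 into a repeatable audit, added here as an example and not code posted in the thread: this PowerShell script reports whether the built-in domain Administrator account is still enabled, what the domain lockout threshold is, and which pre-Windows 7 domain members are missing KB958644. It assumes the ActiveDirectory module on a domain-joined admin workstation, RPC/WMI reachability to each host for Get-HotFix, and the OS name filter is an assumption you may need to widen.

```powershell
# Added example (not from the thread): audit the three Conficker-related
# controls raised above. Assumes the ActiveDirectory module is installed and
# the workstation can query each computer's hotfix list over RPC/WMI.
Import-Module ActiveDirectory

$Patch = 'KB958644'   # MS08-067, named in the thread as the patch to deadline

# 1. Built-in domain Administrator (RID 500) - FN-GM recommends disabling it,
#    because it cannot be locked out by password guessing.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled
Write-Host ("Built-in Administrator enabled : {0}" -f $builtinAdmin.Enabled)

# 2. Lockout policy - a threshold of 0 means other accounts never lock out,
#    so a brute-forcing worm gets unlimited guesses.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Domain lockout threshold       : {0}" -f $policy.LockoutThreshold)
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Lockout threshold is 0: accounts never lock out.'
}

# 3. MS08-067 patch state on legacy members. Windows 7 / 2008 R2 shipped with
#    the fix, so only older OS versions are checked (filter is an assumption).
$legacy = Get-ADComputer -Filter {
    OperatingSystem -like '*2003*' -or
    OperatingSystem -like '*XP*'   -or
    OperatingSystem -like '*2000*'
} -Properties OperatingSystem

$report = foreach ($c in $legacy) {
    try {
        # Get-HotFix throws when the hotfix is absent or the host is unreachable.
        Get-HotFix -Id $Patch -ComputerName $c.Name -ErrorAction Stop | Out-Null
        $state = 'patched'
    } catch {
        $state = 'MISSING or unreachable'
    }
    [pscustomobject]@{ Computer = $c.Name; OS = $c.OperatingSystem; $Patch = $state }
}
$report | Sort-Object $Patch | Format-Table -AutoSize
```

Hosts reported as "MISSING or unreachable" are the ones to isolate and patch first, since an unreachable host may simply be powered off but an unpatched one is a live re-infection source.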

  12. #12
    Mr_Jiminy
    I recall I decided upon a phase of re-imaging all clients; luckily XP unattend takes no time at all to set up, we had a new image knocked up within hours (lots of software and FULLY patched) and rolling out that afternoon. It may well be a laborious task, but it was worth it for peace of mind. As the chaps have commented on above, updates and patches are your friend.
    Oh, and before I forget, AVG offer a free upgrade to 2013, not sure why you're sitting with 2012... The client interface is tidier on 2013 and the footprint is way smaller.
