Windows thread: Conficker (Technical forum)
Page 2 of 3, results 16 to 30 of 37
#16 m25man
    Another common oversight, and an aid to getting on top of this fast, is changing all admin-capable passwords.

    If a user account can open C$ on a remote machine, it can use this to spread as quickly as you can clean.

    If you use the same local admin username and password on all workstations, it's like wasps and jam.

    Even worse, on servers: if the payload has hijacked an admin/tech or service account, it has so many ways in.
    Check the security logs carefully and audit object access; one payload I found had used a service account with admin rights to start deleting servers from AD and chunks out of registry keys.
    At least change the password of the account that you're using to log in and clean up with, in case it's already been compromised.

    If you are running TS or RDP servers, make sure that the local admin accounts are locked down with a strong password; these are another easy way in.

    If Sophos is successfully blocking and cleaning it on re-infection, it sounds like you have it contained but have not yet cleaned the source.

    Increasing the audit logging gives you a chance to catch whatever user/machine account is being used. Changing the password results in audit failures as the process tries to spread, and these start to appear as red dots in the logs, as opposed to a valid account/password that just copies the payload and deletes stuff with an Audit Success message!

    Remember, with these types of infections it's only the virus mechanism that spreads; the real damage is caused by the scripts and payloads it can download after it's infected the host!
    There are some devastating variants of this type of beast, and some clever people still finding ways to squeeze them into unplugged code holes out there.
    @ZeroHour's recommendation is the one thing that Sophos tell you in the manuals is to be avoided, because of the slight risk of Sophos deleting system files, BUT it's the first thing their support team will tell you to do when trying to fight such an outbreak, so a +1 for that idea, especially on your critical stuff if you cannot leave it switched off until you have cleaned everything!

    Check your firewall logs if you can for unusual outgoing connections from your clients; in SonicWalls you can just enable the uncategorized CFS option and enable HTTPS filtering. This normally flags up any machines that are trying to sneak out and phone home for a payload update.

    Best of luck.

#17
    It's worth, for the duration, disabling ALL access to the Task Scheduler folder, including SYSTEM. Granted, no tasks can run, but also no Conficker tasks can be created/run. I once had a startup script that on EVERY boot-up did a full PC scan because people kept bringing it back; it made PCs take 10-20 minutes to boot up, but eventually got rid of it.

#18 SimpleSi
    Shut everything down, check every PC, check every PC again, reconnect things slowly starting with your servers, then bring up one lab at a time. Once that is done, pray it never comes back.
    Done that twice now, so I can't comprehend how fully patched machines with autorun disabled that come up clean with virus sweeps can be re-infected, but I'm off to investigate shutting down Task Scheduler. (But why doesn't the AV know about such things? Where is it being re-created from?????)

    I can understand how something can spread if it exists, but I'm having trouble understanding how something is spreading without existing. Where is the chicken (or the egg) hiding?????

    Of course, if I find anyone plugging in an infected pen drive, then you'll be reading about it on the 6 o'clock news!

    Simon

#19 zag
    It doesn't really matter if the virus infects individual machines.

    The only way it spreads is through making an autorun.inf on a shared/mapped drive. Stop that and you stop the infection for good.

    The file is hidden, so you usually need to go onto the server to see it. I just made it a 0 KB file with read-only permissions for all.
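    The placeholder-file approach zag describes, written out as an added PowerShell example (this is not zag's script, and the share paths are placeholders). It plants a zero-byte autorun.inf in each share root, marks it hidden/system/read-only and then denies write and delete to Everyone (which includes SYSTEM), so a worm running under any account cannot drop its own copy. It assumes icacls.exe, i.e. Server 2003 SP2, Vista or later, and that you run it as an administrator on the file server. If a file is already there it is left alone and reported, because a real dropper is usually hidden and a few hundred bytes, not zero.

```powershell
# Added example, not from the thread. Lock a zero-byte autorun.inf into each share root.
# Share roots below are placeholders; replace with your own.
$roots = @('D:\Shares\Students', 'D:\Shares\Staff')

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { Write-Warning "Share root $root not found, skipping"; continue }
    $target = Join-Path $root 'autorun.inf'

    if (Test-Path $target) {
        # Look before overwriting: report size and attributes so a live dropper is not masked.
        $existing = Get-Item -LiteralPath $target -Force
        Write-Warning ("{0} already exists ({1} bytes, attributes: {2}); review it before replacing" -f
                       $target, $existing.Length, $existing.Attributes)
        continue
    }

    New-Item -ItemType File -Path $target -Force | Out-Null   # 0-byte placeholder
    attrib +r +h +s $target                                    # read-only, hidden, system

    # Drop inherited ACEs, allow read for Everyone, and explicitly deny write and delete.
    # WDAC (change permissions) is deliberately not denied, so an admin can undo this with:
    #     icacls <path> /remove:d Everyone
    icacls $target /inheritance:r /grant 'Everyone:(R)' /deny 'Everyone:(W,D)' | Out-Null

    # Verify the deny ACE actually landed before trusting it.
    $acl = (icacls $target | Out-String)
    if ($acl -match 'Everyone:\(DENY\)') { Write-Host "Locked $target" }
    else { Write-Warning "Deny ACE not found on $target; check the icacls output" }
}
```

    The deny ACE, rather than the read-only attribute alone, is what matters: the attribute is cleared by a single attrib call, while the ACE needs WRITE_DAC, which the worm's account will not normally have on a file it does not own.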

#20 ascott2
    Take a look at the scheduled tasks on your machines. Once it is in, whichever way it got in, in my experience it tends to re-propagate itself this way.

#21 SimpleSi
    Could someone point me in the right direction to stop the Task Scheduler from running?

    I am assuming this is indeed the culprit, as the 'ficker hasn't returned since Tuesday.

    Simon
    Last edited by SimpleSi; 11th May 2012 at 05:54 PM.
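    An added PowerShell example covering posts #17, #20 and #21 together; it is not code from any of those posters. It first lists every scheduled task with the command it runs, so the re-propagation ascott2 describes can be spotted, flagging the pattern public Conficker write-ups describe (AT-style At<n> jobs that run rundll32.exe on a DLL with a random name) and reporting the Authenticode status of any DLL a task points rundll32 at. With -LockDown it then does what #17 describes: denies create/write/delete to Everyone (SYSTEM and Administrators included) on the task folders, and tries to stop and disable the Schedule service. Assumptions: run as Administrator; schtasks.exe verbose CSV output has the TaskName, Task To Run and Run As User columns (true from XP SP2 through Windows 10); icacls.exe is present (Server 2003 SP2, Vista and later; XP has only cacls). Catalog-signed Windows DLLs can show as NotSigned on older builds, so the signature column is a lead, not a verdict.

```powershell
# Added example, not from the thread. Inventory scheduled tasks, flag suspicious ones,
# and optionally lock the task folders for the duration of the cleanup.
param([switch]$LockDown)

# 1. Inventory. Verbose CSV repeats its header row per task folder on Vista and later
#    and may emit INFO: lines, so keep the first header and the quoted data rows only.
$raw    = schtasks /query /fo CSV /v 2>$null
$header = $raw | Select-Object -First 1
$rows   = $raw | Where-Object { $_ -match '^"' -and $_ -ne $header }
$tasks  = @($header) + @($rows) | ConvertFrom-Csv

$report = foreach ($t in $tasks) {
    $cmd = [string]$t.'Task To Run'
    $sig = ''
    $why = @()
    if ($t.TaskName -match '\\?At\d+$') { $why += 'AT-style job name' }
    if ($cmd -match '(?i)rundll32')     { $why += 'rundll32 loader' }
    # If rundll32 is given a DLL by full path, report its Authenticode status.
    # A MISSING DLL usually means the AV already removed the payload but left the job.
    if ($cmd -match '([A-Za-z]:\\[^,"\s]+\.dll)') {
        $dll = $Matches[1]
        if (Test-Path -LiteralPath $dll) { $sig = (Get-AuthenticodeSignature $dll).Status }
        else                             { $sig = 'MISSING'; $why += 'target DLL missing' }
    }
    [pscustomobject]@{
        Task   = $t.TaskName
        RunsAs = $t.'Run As User'
        Cmd    = $cmd
        DllSig = $sig
        Review = ($why -join '; ')
    }
}
# Flagged entries first.
$report | Sort-Object { $_.Review -eq '' } | Format-Table -AutoSize -Wrap

# 2. Optional containment, as #17 suggests. %windir%\Tasks holds AT-style jobs,
#    %windir%\System32\Tasks is the Vista+ store. Legitimate tasks stop being created
#    too; undo afterwards with:   icacls <folder> /remove:d Everyone
if ($LockDown) {
    foreach ($dir in @("$env:windir\Tasks", "$env:windir\System32\Tasks")) {
        if (Test-Path $dir) { icacls $dir /deny 'Everyone:(OI)(CI)(W,D,DC)' }
    }
    # XP/2003 let you stop and disable the Schedule service outright. Vista and later
    # protect it, so these calls may be refused; the folder ACL above still holds.
    Stop-Service -Name Schedule -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Schedule -StartupType Disabled -ErrorAction SilentlyContinue
}
```

    Run it without -LockDown first and read the Review column; once the flagged jobs are deleted (schtasks /delete /tn <name> /f), re-run to confirm the list stays clean across a reboot before deciding whether the lockdown is needed.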

#22 DaveP
    Quote Originally Posted by ZeroHour View Post
    Doesn't Sophos tell you the user account that triggered the quarantine?...
    On that point I have a question:

    I get on access notifications from the station/user account:

    User: Domain\Username
    Scan: On-access
    Machine: StationName

    File "E:\Other\Emulator\Console Emulator\Visual Boy Advanace\VisualBoyAdvance.exe" of controlled application 'Nintendo Gameboy / DS emulator' (of type Game) has been detected.
    I also get notifications from the station as follows:

    User: NT AUTHORITY\SYSTEM
    Scan: On-access
    Machine: StationName

    File "E:\autorun.inf" belongs to virus/spyware 'Mal/AutoInf-C'.

    File "E:\autorun.inf" belongs to virus/spyware 'Mal/AutoInf-C'.

    File "E:\autorun.inf" belongs to virus/spyware 'Mal/AutoInf-C'.
    My question is: how do these notifications differ, and what triggers this notification versus the other?

    Thanks.

#23 ZeroHour
    The SYSTEM account one is caused when someone, say, plugs an infected stick in before logging on. Because no one is logged on, Sophos is using the SYSTEM account.


#24 DaveP
    Quote Originally Posted by ZeroHour View Post
    The SYSTEM account one is caused when someone, say, plugs an infected stick in before logging on. Because no one is logged on, Sophos is using the SYSTEM account.
    I should have realised that myself. Makes sense now.

#25 plexer
#26 oxide54
    I had it pop back up last week; the first indication was that machines with AV installed were popping up with alerts saying that the AV had detected the virus dropped in the System32 folder.

    OK, first thing I did was ensure account lockout was turned on (Default Domain Policy / Security Settings / Account something settings).

    Watch the domain controller logs for account lockout events; they tell you which machine is causing the lockout. If there are hundreds from the same machine and it's 3am, you can be pretty sure it's Conficker. So most of my machines were protected: they had the MS patch installed and AV installed, and the AV was catching it on being dropped on those machines. I actually had just two machines: one was an old laptop that had probably been at someone's house for ages, and the second was a test machine someone had set up and not installed AV on, so I basically just nuked them by deleting hal.dll and ntoskrnl.exe via the admin share and shutdown -f -r -t 0 -m \\COMPUTER

    I'm pretty sure the laptop got brought in and then infected the second machine.

    Technicians no longer have domain admin rights; I spent a lot of time delegating very specific permissions after this, as the test machine was left logged in as an admin.
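    An added PowerShell example that serves both m25man's point in #16 (after a password change the worm's spreading attempts turn into audit failures) and oxide54's in #26 (lockout events name the machine doing the guessing). It is not either poster's script. It queries a domain controller's Security log for failed logons (event 4625) grouped by source workstation and IP, lists accounts taking more than a threshold of failures, and then lists lockouts (event 4740) with the Caller Computer Name field, which is the machine that burned through the attempts. Assumptions: Windows Server 2008 or later with Get-WinEvent (on Server 2003 the equivalent event IDs are 529 and 644 and this will not run), PowerShell 3 or later, and rights to read the remote Security log. Lockouts are processed on the PDC emulator, so point -ComputerName there for the 4740 section.

```powershell
# Added example, not from the thread. Summarise failed logons and lockouts on a DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query; use the PDC emulator for lockouts
    [int]$Hours = 24,                            # look-back window
    [int]$Threshold = 20                         # failures per account before it is listed
)
$since = (Get-Date).AddHours(-$Hours)

# Read EventData fields by name rather than by numeric index, so the parsing does not
# depend on the property order of a particular OS build.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
    return $fields
}

# 4625: an account failed to log on. A freshly changed password turns a quiet worm
# into a steady stream of these from the machine that is still trying the old one.
$failed = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Account     = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
        Workstation = $f['WorkstationName']
        SourceIP    = $f['IpAddress']
        SubStatus   = $f['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

Write-Host "Failed logons by source in the last $Hours h:"
$failed | Group-Object Workstation, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host "Accounts with more than $Threshold failures:"
$failed | Group-Object Account | Where-Object { $_.Count -gt $Threshold } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 4740: a user account was locked out. TargetDomainName carries the
# "Caller Computer Name", i.e. the host that caused the lockout.
Write-Host "Lockouts and the machine that caused them:"
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $f['TargetUserName']
        CallerComputer = $f['TargetDomainName']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

    A source that appears at the top of the first table with a SubStatus of 0xC000006A against many different accounts, out of hours, is the behaviour oxide54 describes; a source that appears only after you changed a service account's password is the one m25man describes, and is the host to pull off the network next.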

#27 SimpleSi
    Thanks for all the advice. I understand about 50% of it (as I'm not a domain padawan) and can implement about 20% of what I understand.

    Can I try some simple questions please?

    Assuming all machines are off the network and the server is declared clean, and I log on as local admin to the first computer (not net connected) and it now only finds 1 instance in c:\windows\system32; I sweep again, nothing found; I join it to the network, log on as local admin and make sure it's fully Windows Updated (which it was).

    1. Do I need to find some manual patches, or can I rely on Mr Gates' company to have supplied everything and not be holding something back in the "techs only" store?

    If I now do another machine the same way:

    2. Can Conf*cker resurrect itself out of seemingly nowhere?

    Si

#28 oxide54
    Quote Originally Posted by SimpleSi View Post

    Assuming all machines are off the network and the server is declared clean, and I log on as local admin to the first computer (not net connected) and it now only finds 1 instance in c:\windows\system32; I sweep again, nothing found; I join it to the network, log on as local admin and make sure it's fully Windows Updated (which it was).

    1. Do I need to find some manual patches, or can I rely on Mr Gates' company to have supplied everything and not be holding something back in the "techs only" store?
    Do you have WSUS? And is the patch approved? Is WSUS working? The patch number is earlier in the thread. And no, you can't rely on Bill Gates or M$; you need antivirus software. I'm using Trend and it's very good; we basically didn't have any problems on any machines with Trend installed. It only appeared to because they were actually catching the virus as soon as it was dropped on the machine.

    Quote Originally Posted by SimpleSi View Post
    2. Can Conf*cker resurrect itself out of seemingly nowhere?
    No.
    It resurrects itself from someone bringing it in again on a memory stick (and that point of entry not being secure, i.e. pants antivirus and not patched), or from not all machines being cleaned in the first place.

#29 SimpleSi
    @oxide54 - let's keep this simple, says Si

    If I take a machine, connect it to the internet and use Windows Update till nothing more is downloaded, will the machine be fully patched? (I think it will, and I don't think I then need to manually apply anything, but this is where I stand to be corrected.)

    Si

#30 oxide54
    Quote Originally Posted by SimpleSi View Post
    @oxide54 - let's keep this simple, says Si

    If I take a machine, connect it to the internet and use Windows Update till nothing more is downloaded, will the machine be fully patched? (I think it will, and I don't think I then need to manually apply anything, but this is where I stand to be corrected.)

    Si
    If it's using Windows Update and not WSUS, then it should be, but there is the possibility that someone refused Windows installing the update. (I'm not 100% on this, as I don't use Windows Update directly.)

    I know I keep saying this, but you still need AV as well as the patch.

    I'm pretty sure it's this patch:
    MS08-067: Vulnerability in Server service could allow remote code execution

    You should also be able to check it is installed by going to Add/Remove Programs, ticking "Show updates" and looking for 958644.
    --------------------------------------------
    The patch only prevents the exploit in the Windows Server service; it won't help you with machines that are already compromised and have gained access to admin credentials. This is what makes this virus a bit of a pig, because it exploits more than one method to infect machines.
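    The Add/Remove Programs check oxide54 describes, as an added PowerShell example that runs it against a list of machines at once (not oxide54's script; the computer names are placeholders). It reads the same installed-update data that "Show updates" displays, via Win32_QuickFixEngineering, looks for KB958644, and also reports the state of the Server service (LanmanServer), which is the service MS08-067 is exploited through. Assumptions: WMI/RPC is reachable and you have admin rights on the targets; PowerShell 3 or later. Note that on operating systems released after the fix (Windows 7 and later) KB958644 is built in and will not appear as a separate update, so a MISSING result on those is expected, not a gap.

```powershell
# Added example, not from the thread. Check MS08-067 (KB958644) and the Server service
# on several machines. Host names are placeholders.
$computers = @('LAB1-PC01', 'LAB1-PC02', 'OLD-LAPTOP')

$results = foreach ($c in $computers) {
    $r = [ordered]@{ Computer = $c; OS = ''; KB958644 = 'unknown'; ServerService = 'unknown' }
    try {
        $os = Get-WmiObject Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $r.OS = $os.Caption

        # Same data as Add/Remove Programs with "Show updates" ticked (also what Get-HotFix wraps).
        $fix = Get-WmiObject Win32_QuickFixEngineering -ComputerName $c -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq 'KB958644' }
        $r.KB958644 = if ($fix) { "installed $($fix.InstalledOn)" } else { 'MISSING' }

        # LanmanServer is the "Server" service the exploit targets; a machine with it
        # stopped is not reachable this way, patched or not.
        $svc = Get-WmiObject Win32_Service -ComputerName $c -Filter "Name='LanmanServer'" -ErrorAction Stop
        $r.ServerService = "$($svc.State) / $($svc.StartMode)"
    } catch {
        # Unreachable hosts are worth a line of their own: they are the ones nobody has looked at.
        $r.KB958644 = "error: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

$results | Format-Table -AutoSize
# Machines that need attention first: reachable, pre-Windows 7, and no KB958644.
$results | Where-Object { $_.KB958644 -eq 'MISSING' -and $_.OS -notmatch 'Windows 7|2008 R2|Windows 8|2012|Windows 10' } |
    Select-Object Computer, OS | Format-Table -AutoSize
```

    As the post says, a present patch only closes the Server service hole; it says nothing about whether the machine was already infected or whether a shared admin password is still letting the worm in over C$.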


