Windows Thread: Conficker (in Technical)
11th May 2012, 03:52 PM #16
Another common oversight, and an aid to getting on top of this fast, is changing all admin-capable passwords.
If a user account can open c$ on a remote machine, it can use this to spread as quickly as you can clean.
If you use the same local admin username and password on all workstations, it's like wasps and jam.
Even worse on servers: if the payload has hijacked an admin/tech or service account, it has so many ways in.
Check the security logs carefully and audit object access; one payload I found had used a service account with admin rights to start deleting servers from AD and chunks out of registry keys.
At least change the password of the account that you're using to log in and clean up with, in case it's already been compromised!
If you are running TS or RDP servers, make sure that the local admin accounts are locked down with a strong password; these are another easy way in.
If Sophos is successfully blocking and cleaning it on re-infection, it sounds like you have it contained but have not yet cleaned the source.
Increasing the audit logging gives you a chance to catch whatever user/machine account is being used. Changing the password results in audit failures as the process tries to spread, and these start to appear as red dots in the logs, as opposed to a valid account/password that just copies the payload and deletes stuff with an Audit Success message!
Remember, with these types of infections it's only the virus mechanism that spreads; the real damage is caused by the scripts and payloads it can download after it's infected the host!
There are some devastating variants of this type of beast, and some clever people still finding ways to squeeze them into unplugged code holes out there.
@ZeroHour's recommendation is the one thing that Sophos tell you in the manuals is to be avoided, because of the slight risk of Sophos deleting system files, BUT it's the first thing their support team will tell you to do when trying to fight such an outbreak, so a +1 for that idea, especially on your critical stuff if you cannot leave it switched off until you have cleaned everything!
Check your firewall logs, if you can, for unusual outgoing connections from your clients; in SonicWalls you can just enable the uncategorized CFS option and enable HTTPS filtering. This normally flags up any machines that are trying to sneak out and phone home for a payload update.
Best of luck.
11th May 2012, 04:15 PM #17
It's worth, for the duration, disabling ALL access to the Task Scheduler folder, including System: no tasks can run, but also no Conficker tasks can be created/run. I once had a startup script that on EVERY boot-up did a full PC scan because people kept bringing it back; it made PCs take 10-20 mins to boot up, but eventually got rid of it.
11th May 2012, 04:31 PM #18
Done that twice now, so I can't comprehend how fully patched machines with autorun disabled that come up clean with virus sweeps can be re-infected, but off to investigate shutting down Task Scheduler. (But why doesn't the AV know about such things? Where is it being re-created from?????)
Shut everything down, check every PC, check every PC again, reconnect things slowly starting with your servers, then bring up one lab at a time. Once that is done, pray it never comes back.
I can understand how something can spread if it exists, but I'm having trouble understanding how something is spreading without existing. Where is the chicken (or the egg) hiding?????
Of course, if I find anyone plugging in an infected pendrive, then you'll be reading about it on the 6 O'clock news!
11th May 2012, 05:08 PM #19
It doesn't really matter if the virus infects individual machines.
The only way it spreads is through making an autorun.inf on a shared/mapped drive. Stop that and you stop the infection for good.
The file is hidden, so you usually need to go onto the server to see it. I just made it a 0 KB file with read-only permissions for all.
11th May 2012, 05:21 PM #20
Take a look at the scheduled tasks on your machines. Once it is in, whichever way it got there, in my experience it tends to repropagate itself this way.
11th May 2012, 05:48 PM #21
Could someone point me in the right direction to stop the task scheduler from running?
I am assuming this is indeed the culprit, as the 'ficker hasn't returned since Tuesday.
Last edited by SimpleSi; 11th May 2012 at 05:54 PM.
11th May 2012, 08:18 PM #22
On that point I have a question:
Originally Posted by ZeroHour
User: NT AUTHORITY\SYSTEM Scan: On-access Machine: StationName File "E:\autorun.inf" belongs to virus/spyware 'Mal/AutoInf-C'.
File "E:\autorun.inf" belongs to virus/spyware 'Mal/AutoInf-C'.
File "E:\autorun.inf" belongs to virus/spyware 'Mal/AutoInf-C'.
I get on-access notifications from the station/user account.
I also get notifications from the station as follows: User: Domain\Username Scan: On-access Machine: StationName File "E:\Other\Emulator\Console Emulator\Visual Boy Advanace\VisualBoyAdvance.exe" of controlled application 'Nintendo Gameboy / DS emulator' (of type Game) has been detected.
My question is: how do these notifications differ, and what triggers one notification and what triggers the other?
12th May 2012, 08:24 AM #23
The system account one is caused when someone, say, plugs an infected stick in before logging on. Because no one is logged on, Sophos is using the system account.
12th May 2012, 08:29 AM #24
I should have realised that myself. Makes sense now.
12th May 2012, 10:33 AM #25
12th May 2012, 01:56 PM #26
I had it pop back up last week; the first indication was that machines with AV installed were popping up with alerts saying that the AV had detected the virus dropped in the system32 folder.
Okay, first thing I did was ensure account lockout was turned on (Default Domain Policy / Security Settings / Account something settings).
Watch the domain controller logs for account lockout events; they tell you which machine is causing the lockout. If there are hundreds from the same machine and it's 3am, you can be pretty sure it's Conficker. So most of my machines were protected: they had the MS patch installed and AV installed, and the AV was catching it on being dropped on those machines. I actually had just two machines: one was an old laptop that had probably been at someone's house for ages, and the second was a test machine someone had set up and not installed AV on, so I basically just nuked them by deleting hal.dll and ntoskrnl.exe via the admin share and shutdown -f -r -t 0 -m \\COMPUTER.
I'm pretty sure the laptop got brought in and then infected the second machine.
Technicians no longer have domain admin rights; I spent a lot of time delegating very specific permissions after this, as the test machine was left logged in as an admin.
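The "watch the domain controller logs" check above, and the audit-failure pattern described in post #16, as an added example that is not from the thread: it pulls lockout (4740) and failed-logon (4625) events from one DC and ranks the calling workstations. It assumes Windows Server 2008 or later, a hypothetical DC name `DC01`, and a session with rights to read the Security log.

```powershell
# Added example, not from the thread. Rank the workstations generating
# account lockouts and failed logons on a domain controller.
param(
    [string]$DomainController = 'DC01',   # assumed hostname, replace with yours
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 4740 = "A user account was locked out"; 4625 = "An account failed to log on".
# Both record the calling workstation, which is what points at the infected host.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) {
        if ($n.Name) { $d[$n.Name] = $n.'#text' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d['TargetUserName']
        # 4740 stores "Caller Computer Name" in TargetDomainName; 4625 uses WorkstationName
        Source  = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['WorkstationName'] }
    }
}

# Hundreds of events from one source, especially out of hours, is the pattern
# oxide54 describes; list the noisiest sources first with the accounts they hit.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count,
                  @{n='Accounts';e={($_.Group.Account | Sort-Object -Unique) -join ','}},
                  @{n='First';e={($_.Group.Time | Measure-Object -Minimum).Minimum}},
                  @{n='Last';e={($_.Group.Time | Measure-Object -Maximum).Maximum}} |
    Format-Table -AutoSize
```

On a Windows Server 2003 DC the equivalent IDs are 644 (lockout) and 529 (failed logon); the field names differ, so the XML parsing would need adjusting there.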
12th May 2012, 02:09 PM #27
Thanks for all the advice. I understand about 50% of it (as I'm not a domain padawan) and can implement about 20% of what I understand.
Can I try some simple questions please?
Assuming all machines are off the network and the server is declared clean, I log on as local admin to the first computer (not net connected) and it only finds 1 instance now in c:\windows\system32. I sweep again, nothing found. I join it to the network, log on as local admin and make sure it's fully Windows updated (which it was).
1. Do I need to find some manual patches, or can I rely on Mr Gates' company to have supplied everything and not be holding something back in the "techs only" store?
If I now do another machine the same way:
2. Can Conf*cker resurrect itself out of seemingly nowhere?
12th May 2012, 03:09 PM #28
Do you have WSUS? Is the patch approved, and is WSUS working? The patch number is earlier in the thread. And no, you can't rely on Bill Gates or M$; you need antivirus software. I'm using Trend and it's very good; we basically didn't have any problems on any machines with Trend installed. It only appeared to because they were actually catching the virus as soon as it was dropped on the machine.
It resurrects itself from someone bringing it in again on a memory stick (and that point of entry not being secure, i.e. pants antivirus and not patched) or from not all machines being cleaned in the first place.
12th May 2012, 05:38 PM #29
@oxide54 - let's keep this simple, says Si.
If I take a machine, connect it to the internet and use Windows Update till nothing more is downloaded, will the machine be fully patched? (I think it will, and I don't think I then need to manually apply anything, but this is where I stand to be corrected.)
12th May 2012, 05:48 PM #30
If it's using Windows Update and not WSUS then it should be, but there is the possibility that someone refused Windows installing the update. (I'm not 100% on this as I don't use Windows Update directly.)
I know I keep saying this, but you still need AV as well as the patch.
I'm pretty sure it's this patch:
MS08-067: Vulnerability in Server service could allow remote code execution
You should also be able to check it is installed by going to Add/Remove Programs, ticking "Show updates" and looking for 958644.
The patch only prevents the exploit in the Windows Server service; it won't help you with machines that are already compromised and have gained access to admin credentials. This is what makes this virus a bit of a pig, because it exploits more than one method to infect machines.
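The two checks the thread keeps coming back to, whether KB958644 is on each box and what is sitting in its scheduled tasks (posts #20, #21 and #30), as one added example that is not from the thread: it inventories both for a list of hosts. It assumes remote WMI/RPC access with local admin rights; the computer names are constructed placeholders.

```powershell
# Added example, not from the thread. For each workstation, report whether the
# MS08-067 fix (KB958644) is present and list every scheduled task with the
# command it runs, so re-propagation tasks can be spotted by eye.
$computers = 'WS-LAB1-01', 'WS-LAB1-02'   # constructed placeholders, replace with your hosts

function Get-ConfickerTriage {
    param([string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI; absent = not patched
        $patched = [bool](Get-HotFix -Id KB958644 -ComputerName $c -ErrorAction SilentlyContinue)

        # schtasks can enumerate a remote host; verbose CSV includes "Task To Run".
        # The header row can be repeated per task folder, so drop those copies.
        $tasks = schtasks /Query /S $c /FO CSV /V 2>$null |
            ConvertFrom-Csv |
            Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }

        [pscustomobject]@{
            Computer  = $c
            KB958644  = $patched
            TaskCount = @($tasks).Count
            # one "name => command" entry per task, for review by hand
            Tasks     = ($tasks | ForEach-Object { "$($_.TaskName) => $($_.'Task To Run')" }) -join "`n"
        }
    }
}

Get-ConfickerTriage -ComputerName $computers | Format-List
```

Hosts that fail to answer show KB958644 as False with zero tasks, so treat a False/0 row as "could not check" rather than "clean".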