Conficker - aarrgghh
Ok, so we are in 2013 and guess what, yep, suddenly I find Conficker (Downadup) on my network!!
I have no idea where or even how it had managed to get a foothold on the network.
Running CC4.3 - servers are 2008 R2 running AVG 2012 Business Edition, updates running every 4 hours and daily scans.
Workstations are Windows 7 SP1, AVG as per servers, and scans as per servers.
AVG Management Console shows all up to date, etc. (I've even checked on a machine that it is using up-to-date defs etc.)
Now, with Windows 7 and 2008 the same vulnerabilities that existed in earlier versions no longer exist in these versions of the OS, so the patch out there doesn't apply to these OSs!
All admin users use strong passwords.
AVG does scan and find the virus and does remove it, but it is not stopping machines from being reinfected.
I spoke to AVG as to why the on-access scanner didn't stop the infection etc., but the person I spoke to just directed me to some MS KB articles. (Really helpful!!! NOT!)
So, from 3pm tomorrow I am embarking on a long weekend of work :( following various tech docs etc.
So, after getting bored of reading this, anyone any ideas on how Windows 7 SP1 and Windows 2008 R2 have managed to become infected etc.?
How about a vulnerable OS (e.g. 2003) logged on as a domain admin? In that scenario the infected machine wouldn't need to exploit an OS vulnerability on the 7/2008 target, as it would be accessing the ADMIN$ share to propagate.
Make the root of your shared or mapped network drives read only.
Stops Conficker instantly.
Ok, download and run this: Conficker Detection | McAfee Free Tools
It will scan your network or range of IP addresses you want to scan and it will pick it up.
I would check or block removable media.
Originally Posted by arron
Had this issue last year; we took on a big contract following on from a huge IT support player, who hadn't controlled the outbreak. We banned all USB storage devices until they had all been scanned/disinfected. We used McAfee Stinger to remove it.
I would have to agree with an earlier post: if your AV hasn't stopped the spread of Conficker on a modern network, it is absolutely time to get rid of it and find something suitable. If a free product from MS can do it, why the hell can't the paid version of AVG?
If you haven't done so already, disable your Domain Admin account (recommended by MS, so it should be done anyway). Conficker will keep guessing the password and you can't lock this account out.
Make sure all your other network accounts get locked out when you get the password wrong.
Not sure about Conficker specifically, but make sure UAC is enabled; it helps loads when you have dodgy unwanted software.
I would concur with FN-GB. The most likely cause is a computer (needn't even be a server) that has been infected (somehow) and the account that is logged on has domain admin rights; Conficker is picking up the rights of the account and is using those rights to spread unhindered to all C$ and ADMIN$ shares it finds on the network. If not dealt with it could infect all PCs and servers on your network, causing a cascade effect, with any servers that are currently left logged in with a domain admin account being used to infect PCs and servers in the same way.
In reality, AV software is limited in what it can do in defence, as the worm will have had to place itself onto the server (via an admin share) before the active scanning picks it up and tries to remove it.
The MS update doesn't prevent the worm spreading in this way; it just patches the RPC buffer overrun bug, which is one of the other main methods that it uses to spread.
One useful tip is running the Malicious Software Removal Tool in your shutdown script using the quick scan option. It has a specific understanding of the worm and how to remove it.
One other thing I would check is whether the AV is picking up an actual infection or an infected file.
This is 100% correct. I had to deal with a network a couple of years ago that had this problem for 9 months (it was my predecessor, not me) and it is essential to understand you need to tackle the cause of the problem and not be distracted by the machines it is copying itself to. Where is it coming from? Don't bother trying to scan and remove it on the machine flagging it up, as it will come straight back. Some machine has it actively running and it is spreading via the ADMIN$ share and using domain admin permissions to authenticate. Find the culprit machine, unplug it from the network. Change all domain admin passwords. Remove the infection on any/all machines, but especially the culprit. Patch the culprit with KB958644 (I know that by heart after having to deal with this). Finally bring everything back online and use WSUS to deadline that patch for any and all operating systems.
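The pattern the posts above describe (repeated password guessing plus ADMIN$/C$ access fanning out from one host) is something you can look for in the domain's Security logs to find the culprit machine. Added example, not from the thread or from any vendor tool: a Python script that scores each source IP from a constructed, simplified sample of event ID 4625 (failed logon) and 5140 (network share accessed) records; the field layout, IPs, hostnames and thresholds are assumptions.

```python
from collections import defaultdict
# Constructed sample, not real logs: time,event_id,source_ip,account,detail per line.
# 4625 = failed logon (detail: NTSTATUS), 5140 = share accessed (detail: share path).
SAMPLE_EVENTS = r"""
2013-03-01T14:00:01,4625,10.1.1.50,administrator,0xC000006D
2013-03-01T14:00:02,4625,10.1.1.50,administrator,0xC000006D
2013-03-01T14:00:03,4625,10.1.1.50,administrator,0xC000006D
2013-03-01T14:00:04,4625,10.1.1.50,administrator,0xC000006D
2013-03-01T14:00:05,4625,10.1.1.50,administrator,0xC000006D
2013-03-01T14:01:00,5140,10.1.1.50,DOMAIN\svc_admin,\\PC-012\ADMIN$
2013-03-01T14:01:10,5140,10.1.1.50,DOMAIN\svc_admin,\\PC-013\ADMIN$
2013-03-01T14:01:20,5140,10.1.1.50,DOMAIN\svc_admin,\\SRV-FILE1\C$
2013-03-01T14:05:00,4625,10.1.1.77,jsmith,0xC000006D
2013-03-01T14:06:00,5140,10.1.1.80,DOMAIN\helpdesk,\\SRV-FILE1\Shared
2013-03-01T14:07:00,5140,10.1.1.80,DOMAIN\helpdesk,\\PC-020\ADMIN$
"""
ADMIN_SHARES = {"ADMIN$", "C$"}  # hidden admin shares the worm copies itself through

def parse_events(text):
    """Parse the simplified CSV lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src, account, detail = line.strip().split(",", 4)
        events.append({"ts": ts, "id": int(event_id), "src": src,
                       "account": account, "detail": detail})
    return events

def rank_sources(events, failed_threshold=5, target_threshold=3):
    """(source_ip, failed_logons, admin_share_targets, flagged), most suspicious first.
    Flag a source that guesses passwords repeatedly or hits ADMIN$/C$ on several hosts."""
    stats = defaultdict(lambda: {"failed": 0, "targets": set()})
    for e in events:
        s = stats[e["src"]]
        if e["id"] == 4625:
            s["failed"] += 1
        elif e["id"] == 5140:
            host_share = e["detail"].strip("\\").split("\\")  # \\HOST\SHARE
            if len(host_share) == 2 and host_share[1].upper() in ADMIN_SHARES:
                s["targets"].add(host_share[0].upper())
    ranked = []
    for src, s in stats.items():
        n = len(s["targets"])
        flagged = s["failed"] >= failed_threshold or n >= target_threshold
        ranked.append((src, s["failed"], n, flagged))
    ranked.sort(key=lambda r: (r[3], r[2], r[1]), reverse=True)
    return ranked

if __name__ == "__main__":
    for src, failed, targets, flagged in rank_sources(parse_events(SAMPLE_EVENTS)):
        print(f"{src:<11} failed_logons={failed} admin_share_targets={targets}", "<- likely culprit" if flagged else "")
```

On a real domain you would export 4625/5140 from the domain controllers and file servers (5140 needs the File Share audit subcategory enabled) and feed them in the same shape; the host at the top of the list is the one to unplug first.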
Originally Posted by meastaugh1
I recall I decided upon a phase of re-imaging all clients; luckily XP unattend takes no time at all to set up, so we had a new image knocked up within hours (lots of software and FULLY patched) and rolling out that afternoon. It may well be a laborious task, but it was worth it for peace of mind. As the chaps have commented above, updates and patches are your friend.
Oh, and before I forget, AVG offers a free upgrade to 2013; not sure why you're sitting with 2012... The client interface is tidier on 2013 and the footprint is way smaller.