Over the last few days I blogged several times about Conficker, and some of the posts caught quite some press attention, especially the one where I talked about Russian Roulette.
Today I have very, very good news: the Malicious Software Removal Tool (MSRT) that we release today includes signatures to remove Conficker, as far as we know this beast today. Let me be clear up front: MSRT cleans up after the fact and is no replacement for an up-to-date anti-malware solution!
The information in this post is the information as far as I have it as of today. The links below give you the ultimate guidance:
How do you realize that you are infected?
Trust me, you will know! If you have Account Lockout Policies set, your accounts will be locked, because Conficker.B brute-forces the accounts. In parallel, you will see a significant increase in authentication requests on your DCs for the same reason. Most probably you will find a significant increase in network traffic as well, and last but not least your clients may behave strangely.
If you have it what can you do against it?
Patch first! So, before you do anything else, deploy MS08-067. I already said once that you were playing Russian Roulette if you did not. From there on, you have to clean up the mess. But first, make sure you use strong passwords (Conficker is trying to break them). Here you find some good information and guidance on passwords:
What you should know about strong passwords:
http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp
Password Best Practices: http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp
Accounts Passwords and Lockout Policies: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Account Lockout and Management Tools: http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
If you want to change all your local Admin passwords and manage them, Steve Riley provided a tool called Passgen.
Then clean up…
You have different options to do the clean-up:
One final thing: if you are infected, do NOT log on to the system with a domain account if at all possible, and especially NOT with a Domain Admin account. Log on with a local user account. The malware appears to impersonate the logged-on user and access network resources under that user's credentials so it can spread.
So, that’s it for the moment.
I hope it helps
Roger
Conficker is a prime example of why account lockout is a bad idea. It's no substitute for strong passwords (= passphrases) and it creates opportunities for denial of service attacks. http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx
Yesterday I wrote about Worm:Win32/Conficker.B. A worm that attacks a vulnerability,
Good post Roger. I have written a similar post on cleaning up and keeping Conficker off your network using NAP. I'll add the Microsoft links.
My post is at http://www.napera.com/blog/?p=549
Several of the links in this article under the "What you should know about strong passwords:" line are dead.
Thank you. Did not realize this and removed them.
How do you detect a Conficker attacker's IP?
I have done it with Netmon 3.2, an MS tool available from the Microsoft Download Center.
Thanks a lot. Didn't realise that there is a tool provided by MS for firefighting in case AV vendors are too lazy catching up.
@Andy
One thing that helped ID the IP addresses of machines here: we used Wireshark, started a promiscuous capture filtered for TCP port 445 (SMB), then used a display filter of smb.cmd == 0xa2 and smb.file contains "\\System32\\", which should show the attempt to write the random file on open file shares.
@DougH and DR, you can find more on my blog, like this:
You can detect an attacker's IP with MS Netmon 3.2 from the Microsoft Download Center.
http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en
You make a filter like this: SMB.NTStatus.Code == 0x6d
That logs all unsuccessful account logons to your server. If you set up port mirroring on your switch, you can get all of them, like this:
21:00:33 16.01.2009 2150 97.086512 {NbtSS:153, TCP:151, IPv4:70} Server 10.1.1.1 SMB SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE
In this case 10.1.1.1 was the attacker's IP. You will get a lot of these in one second on your server; you can also see it in the Security log as failed logon events. That means if you have a lot of these frames, an attack to crack your accounts is going on.
If the attacker has an account, it then looks like this:
21:11:57 16.01.2009 58886 781.056203 {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467} 10.1.1.1 Server SMB SMB:C; Nt Create Andx, FileName = \System32\dcegzyjp.my
21:11:57 16.01.2009 58887 781.056281 {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467} Server 10.1.1.1 SMB SMB:R; Nt Create Andx - NT Status: System - Error, Code = (52) STATUS_OBJECT_NAME_NOT_FOUND
21:11:57 16.01.2009 58888 781.057324 {SMB:9477, NbtSS:9469, TCP:9468, IPv4:9467} 10.1.1.1 Server SMB SMB:C; Nt Create Andx, FileName = \atsvc
So when your machine gets infected through an authenticated account, you can also try to build a filter here to detect the attacker.
Andy
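The two symptoms discussed on this page, the burst of failed logons against a server (Roger's lockout symptom and Andy's SMB.NTStatus.Code == 0x6d filter) and the NT Create AndX request writing a random file under \System32\ (the Wireshark filter above), as one added detection script. This is not code from the post or its comments: it parses constructed sample lines in the Netmon 3.2 frame-summary layout quoted above, with 10.1.1.1 reused from the comment and every other address, frame number and file name made up.

```python
import re
from collections import Counter

# Constructed sample lines in the Netmon 3.2 frame-summary layout quoted above.
# 10.1.1.1 is the comment's example attacker IP; everything else is made up.
SAMPLE_FRAMES = r"""
21:00:33 16.01.2009 2150 97.086512 {NbtSS:153, TCP:151, IPv4:70} Server 10.1.1.1 SMB SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE
21:00:33 16.01.2009 2151 97.090012 {NbtSS:153, TCP:151, IPv4:70} Server 10.1.1.1 SMB SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE
21:00:33 16.01.2009 2152 97.095301 {NbtSS:153, TCP:151, IPv4:70} Server 10.1.1.1 SMB SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE
21:00:41 16.01.2009 2160 105.120044 {NbtSS:160, TCP:158, IPv4:71} Server 10.1.1.7 SMB SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE
21:11:57 16.01.2009 58886 781.056203 {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467} 10.1.1.1 Server SMB SMB:C; Nt Create Andx, FileName = \System32\dcegzyjp.my
21:11:57 16.01.2009 58888 781.057324 {SMB:9477, NbtSS:9469, TCP:9468, IPv4:9467} 10.1.1.1 Server SMB SMB:C; Nt Create Andx, FileName = \atsvc
21:12:03 16.01.2009 58890 787.000118 {SMB:9480, NbtSS:9469, TCP:9468, IPv4:9467} 10.1.1.9 Server SMB SMB:C; Nt Create Andx, FileName = \Public\report.docx
"""

FRAME_RE = re.compile(
    r"^(?P<time>\S+) (?P<date>\S+) \d+ [\d.]+ \{[^}]*\} "
    r"(?P<src>\S+) (?P<dst>\S+) SMB SMB:(?P<dir>[CR]); (?P<desc>.*)$"
)

def parse_frame(line):
    # A response (SMB:R) is sent by Server to the client, so the peer is the
    # destination; a command (SMB:C) comes from the client, so the peer is the source.
    m = FRAME_RE.match(line)
    if not m:
        return None
    peer = m["dst"] if m["dir"] == "R" else m["src"]
    return {"time": m["time"], "peer": peer, "dir": m["dir"], "desc": m["desc"]}

def find_password_guessing(lines, threshold=3):
    """Peers that drew >= threshold STATUS_LOGON_FAILURE responses within one second."""
    per_second = Counter()
    for line in lines:
        f = parse_frame(line)
        if f and f["dir"] == "R" and "STATUS_LOGON_FAILURE" in f["desc"]:
            per_second[(f["peer"], f["time"])] += 1
    return {peer: n for (peer, _t), n in per_second.items() if n >= threshold}

def find_system32_drops(lines):
    """(peer, filename) for NT Create AndX requests that target a path under \\System32\\."""
    drops = []
    for line in lines:
        f = parse_frame(line)
        if f and f["dir"] == "C" and f["desc"].startswith("Nt Create Andx"):
            name = f["desc"].split("FileName = ", 1)[1]
            if name.lower().startswith("\\system32\\"):
                drops.append((f["peer"], name))
    return drops
```

Run it against a real Netmon frame summary exported as text; the peers it flags are the ones to pull off the network and patch with MS08-067 first.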
Can anyone enlighten me how the worm gets hold of account usernames? We've had a small outbreak & the accounts locked were not those that might have had stored profiles on the infected machine, so where were they picked up from?