Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Additional Information on Conficker – MSRT removing Conficker

Over the last few days I blogged several times about Conficker, and some of the posts caught quite a bit of press attention, especially when I talked about Russian Roulette.

Today I have very, very good news: the Malicious Software Removal Tool (MSRT), which we will release today, includes signatures to remove Conficker as we know this beast today. Let me be clear upfront: MSRT cleans up after the fact and is no replacement for an up-to-date anti-malware solution!

The information in this post reflects what I know as of today. The links below give you the definitive guidance:

How do you realize that you are infected?

Trust me, you will know! If you have account lockout policies set, your accounts will be locked out, because Conficker.B brute-forces the accounts. In parallel, you will see a significant increase in authentication requests on your DCs for the same reason. Most probably you will also find a significant increase in network traffic, and last but not least your clients may behave strangely.

If you have it what can you do against it?

Patch first! So, before you do anything else, deploy MS08-067. I already said once that you were playing Russian Roulette if you did not. From there on, you have to clean up the mess. But first, make sure you use strong passwords (Conficker is trying to break them). Here you find some good information and guidance on passwords:

What you should know about strong passwords:

http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

Password Best Practices:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp

Accounts Passwords and Lockout Policies:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Account Lockout and Management Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

If you want to change all your local Admin passwords and manage them, Steve Riley provides a tool called Passgen.

Then clean up…

You have different options to do the clean up:

  • Forefront and OneCare were among the first solutions to clean Conficker and have done so for quite a while. Our free online scanner does it too (also for quite a while). You can find it at http://safety.live.com
  • The updated Malicious Software Removal Tool removes it as well. However, remember that Conficker breaks Automatic Updates too. So, if you are infected you have to download and deploy it manually. Here are the relevant KBs:
    • KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 http://support.microsoft.com/kb/890830
    • KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment http://support.microsoft.com/kb/891716
  • There are definitely other AV products that remove it as well. Make sure to check with your vendor whether it removes or just detects it.

One final thing: if you are infected, do NOT log onto the system with a Domain account, if at all possible. Especially NOT a Domain Admin account. Log on with a local user account. The malware appears to impersonate the logged-on user and access network resources under that user's credentials so it can spread.

So, that’s it for the moment.

I hope it helps

Roger

Comments
  • Conficker is a prime example of why account lockout is a bad idea. It's no substitute for strong passwords (= passphrases) and it creates opportunities for denial of service attacks. http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx

  • Yesterday I wrote about Worm:Win32/Conficker.B. A worm that attacks a vulnerability,

  • Good post Roger. I have written a similar post on cleaning up and keeping Conficker off your network using NAP. I'll add the Microsoft links.

    My post is at http://www.napera.com/blog/?p=549

  • Several of the links in this article under the "What you should know about strong passwords:" line are dead

  • Thank you. Did not realize this and removed them.

    Roger

  • How do you detect a Conficker attacker's IP?

    I have done it with Netmon 3.2, a MS tool available from the Microsoft download center.

  • Thanks a lot. Didn't realise that there is a tool provided by MS for firefighting in case AV vendors are too lazy catching up

  • @Andy

    One thing that helped id IP addresses of machines here:

    We used wireshark, started a promiscuous capture filtered for TCP PORT 445 (SMB) then used a display filter of smb.cmd == 0xa2 and smb.file contains "\\System32\\"

    which should show the attempt to write the random file on open fileshares

  • @DougH and DR you can find more on my blog Like this

    You can detect an attacker IP with MS Netmon 3.2 from Microsoft Download Center.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en

    You made a Filter like this SMB.NTStatus.Code == 0x6d

    that locks all unsuccessful account logons to your server. If you set up port mirroring on your switch you can get all of them like this

    21:00:33 16.01.2009        2150      97.086512                           {NbtSS:153, TCP:151, IPv4:70}   Server            10.1.1.1           SMB                SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE

    In this case 10.1.1.1 was the attacker's IP. You will get a lot of these in one second on your server; you can also see it in the Security log as failed logon events. That means if you have a lot of these frames, an attack to crack your accounts is going on.

    If the attacker has an account, it then looks like this

    21:11:57 16.01.2009        58886    781.056203                         {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467}   10.1.1.1                Server            SMB      SMB:C; Nt Create Andx, FileName = \System32\dcegzyjp.my

    21:11:57 16.01.2009        58887    781.056281                         {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467}   Server                  10.1.1.1           SMB      SMB:R; Nt Create Andx - NT Status: System - Error, Code = (52) STATUS_OBJECT_NAME_NOT_FOUND

    21:11:57 16.01.2009        58888    781.057324                         {SMB:9477, NbtSS:9469, TCP:9468, IPv4:9467}   10.1.1.1                Server          SMB      SMB:C; Nt Create Andx, FileName = \atsvc

    So when your machine gets infected with an authenticated account, you can also try to build a filter like this to detect the attacker

    Andy
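As an added example (not code from the post or from Andy's comment), the following Python script applies the two Netmon patterns described above, and the DC logon-failure spike the post itself mentions, to constructed sample frames modelled on the quoted Netmon 3.2 summary lines: a burst of STATUS_LOGON_FAILURE responses to one peer within a single second, and an Nt Create Andx request naming a random file under \System32\. The column layout of the regex and the per-second threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample frames modelled on the Netmon 3.2 summary lines quoted in the comment
# (time, date, frame no., offset, conversation, source, destination, protocol, description).
SAMPLE_FRAMES = "\n".join(
    [f"21:00:33 16.01.2009  {2150 + i}  97.08{i}  {{NbtSS:153, TCP:151, IPv4:70}}  Server  10.1.1.1  SMB  "
     "SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE"
     for i in range(6)]
    + ["21:00:35 16.01.2009  2160  99.1  {NbtSS:160, TCP:158, IPv4:71}  Server  10.1.1.2  SMB  "
       "SMB:R; Session Setup Andx - NT Status: System - Error, Code = (109) STATUS_LOGON_FAILURE",
       "21:11:57 16.01.2009  58886  781.056203  {SMB:9476, NbtSS:9469, TCP:9468, IPv4:9467}  10.1.1.1  Server  SMB  "
       "SMB:C; Nt Create Andx, FileName = \\System32\\dcegzyjp.my",
       "21:11:57 16.01.2009  58888  781.057324  {SMB:9477, NbtSS:9469, TCP:9468, IPv4:9467}  10.1.1.1  Server  SMB  "
       "SMB:C; Nt Create Andx, FileName = \\atsvc"])

# Assumed column layout: time date frame offset {conversation} source destination SMB description
FRAME_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+\S+\s+\d+\s+[\d.]+\s+\{[^}]*\}\s+(\S+)\s+(\S+)\s+SMB\s+(.*)$")
# A create request for a file directly under \System32\ (the worm's random-name drop in the comment)
DROP_RE = re.compile(r"FileName = (\\System32\\\w+\.\w+)")

def analyze(frames, threshold=5):
    """Return (brute_force, file_drops).
    brute_force: peer IP -> peak number of STATUS_LOGON_FAILURE responses it received in one
                 second, listed only when that peak reaches `threshold` (assumed value).
    file_drops:  client IP -> list of \\System32\\ files it tried to create over SMB."""
    failures = defaultdict(lambda: defaultdict(int))  # peer -> second -> count
    drops = defaultdict(list)
    for line in frames.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        second, src, dst, desc = m.groups()
        # The failure is a server response (SMB:R): the peer being refused is the destination.
        if desc.startswith("SMB:R") and "STATUS_LOGON_FAILURE" in desc:
            failures[dst][second] += 1
        # The create is a client request (SMB:C): the peer issuing it is the source.
        elif desc.startswith("SMB:C") and "Nt Create Andx" in desc:
            d = DROP_RE.search(desc)
            if d:
                drops[src].append(d.group(1))
    brute = {ip: max(per.values()) for ip, per in failures.items() if max(per.values()) >= threshold}
    return brute, dict(drops)

if __name__ == "__main__":
    print(analyze(SAMPLE_FRAMES))
```

A single failed logon from 10.1.1.2 stays below the threshold, while 10.1.1.1 is flagged both for the burst and for the \System32\ create attempt.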

  • Can anyone enlighten me how the worm gets hold of account usernames ? We've had a small outbreak & the accounts locked were not those that might have had stored profiles on the infected machine - so where were they picked up from ?

  • Useful one...

    Thank you,

    Roger

  • thank you