Rare off-topic post :)

It is currently MS’s giving campaign where we promote philanthropicness :).  A coworker sent this out to our internal blogger alias, along with some others from this site that various MS MVPs and internal employees work with, asking if we could post one on our blogs.  Since I grew up in Haiti for about 8 years of my life as a missionary kid, I picked the one from my secondary home country.  So if you have 10 bucks or more to give and want to help a good cause, click the link.  Have a great day.

Dealing with malware that creates .exe’s on file shares

So lately we keep seeing variants of malware that modify content on file servers in an environment in hopes of spreading to other users.  My guess is that it is just using mapped drive letters, thinking they are USB keys, but the effect is the same regardless.  The actions they take are usually as follows: hide your actual .doc/.xls etc., create a new file with the exact same name as the .doc except that it is a .exe, and typically modify the icon to be a folder icon.

At first these seemed to only create havoc at the root of the file share, so you could work around this by ACL’ing the root of the file share to stop creation of new files there and forcing your users to create files only in the subdirectories assigned to their various workgroups etc.  However, later variants seem to be working their way down through subfolders and carrying out their black magic throughout the folder structure.

So what do you do when this happens to you, and how can you prevent it?

Proactively

You could look at utilizing something like FSRM (File Server Resource Manager) from 2003 R2 and 2008 and its file screen filters to block .exe’s from being created on your file shares.  FSRM has a built-in template called “Block Executable Files”.  This has a large list of various executable extensions, including .exe, which you can in turn easily apply to any folder/file share on your system to block creation of these files.  You can also configure email notifications via SMTP to let you know when someone tries to create one of these files, and it will log the event to the Application log as well, with the file it attempted to create and the user that tried to create it.

You could also, as a commenter proposed, add a folder named autorun.inf to your file share and hide it so that malware cannot create a new autorun.inf to start itself up.

Reactively you should probably do the following:

First and foremost, get a copy of the .exe being created on the file share and get that off to your AV vendor.  Open a ticket saying X is being created and you are not detecting it, and that you need signatures for this threat asap.  Signatures on your file server should be able to handle this; however, you will still be left with AV constantly deleting the new .exe’s, so realistically you should track down the offender.

Block the Read and Execute rights to the .exe’s that have been created.  You can do this with icacls by running the following at the root of your file share.  Keep in mind that if you have legitimate .exe’s in the share, it will stop users from executing/reading them as well.

icacls *.exe /T /deny Everyone:(RX)
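Before running that deny, it helps to see which .exe’s actually match the decoy pattern described above (a hidden document next to a .exe with the same base name) so the deny is not applied to legitimate executables.  The following Python script is an added example, not from the original post; the document extensions, the sample listing and the helper names are my assumptions, and the hidden-attribute check only works when it is run on Windows.

```python
"""Find decoy .exe files on a share: a hidden .doc/.xls (etc.) sitting next to a
.exe of the same base name in the same folder, the pattern described in the post."""
import ntpath
import os
import stat
from dataclasses import dataclass

# Assumption: document types the malware was seen hiding; extend as needed.
DOC_EXTENSIONS = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".pdf"}


@dataclass(frozen=True)
class Entry:
    path: str     # full path of the file (Windows-style paths handled with ntpath)
    hidden: bool  # True when FILE_ATTRIBUTE_HIDDEN is set


def _key(path):
    """(folder, base name) in lower case, so 'Budget.exe' matches 'budget.xls'."""
    folder, name = ntpath.split(path)
    base, ext = ntpath.splitext(name)
    return (folder.lower(), base.lower()), ext.lower()


def find_decoy_pairs(entries):
    """Return sorted (decoy_exe, hidden_doc) pairs from a directory listing.
    Only a hidden document whose base name equals that of a .exe in the same
    folder counts; a lone .exe (setup.exe) or an unhidden document is ignored."""
    hidden_docs = {}
    for e in entries:
        key, ext = _key(e.path)
        if e.hidden and ext in DOC_EXTENSIONS:
            hidden_docs.setdefault(key, []).append(e.path)
    pairs = []
    for e in entries:
        key, ext = _key(e.path)
        if ext == ".exe":
            for doc in hidden_docs.get(key, []):
                pairs.append((e.path, doc))
    return sorted(pairs)


def _is_hidden(path):
    """Windows-only attribute check; on other platforms nothing is hidden."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_share(root):
    """Walk a share, root and subfolders, since later variants go deeper."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                entries.append(Entry(full, _is_hidden(full)))
            except OSError:
                continue  # file vanished or access denied; skip it
    return find_decoy_pairs(entries)


def deny_commands(pairs):
    """icacls deny lines (same rights as in the post) for the decoys only."""
    return ['icacls "%s" /deny Everyone:(RX)' % exe for exe, _doc in pairs]


# Constructed sample listing (not real data) so the logic can be run offline.
SAMPLE_ENTRIES = [
    Entry(r"\\fs1\share\Q1 Report.doc", True),    # hidden original
    Entry(r"\\fs1\share\Q1 Report.exe", False),   # decoy
    Entry(r"\\fs1\share\setup.exe", False),       # legitimate installer
    Entry(r"\\fs1\share\notes.doc", False),       # not hidden
    Entry(r"\\fs1\share\notes.exe", False),       # no match: the doc is visible
    Entry(r"\\fs1\share\sub\budget.xls", True),   # hidden, one level down
    Entry(r"\\fs1\share\sub\Budget.exe", False),  # decoy, case differs
]


def demo():
    return find_decoy_pairs(SAMPLE_ENTRIES)


if __name__ == "__main__":
    import sys
    found = scan_share(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for exe, doc in found:
        print("%s  (hides %s)" % (exe, doc))
    print("\n".join(deny_commands(found)))
```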

Tracking down who/what/where is creating these files is more difficult.  One approach is to turn on auditing, but this can be complex and often doesn’t yield the IP address of the offending machine.  So for this exercise we are going to go with Wireshark or Netmon and Process Monitor.

Wireshark or Netmon will yield the offending IP address, and Process Monitor can tell us the user account it was created under if we are interested in that; however, normally we just want the machine IP so we can go find the malware on it.

So download a copy of Wireshark or Netmon and start it up.  Make sure to go into your Capture Options and raise your buffer size to something larger, say 50 Mb or so.  In the display filter box we are going to put the following filters:

For Wireshark

smb.create.action == 2 and smb.file contains "exe"

For Netmon

Property.SMBFileName.contains(".exe") and SMB.RNTCreateAndX.CreateAction == 0x2

This will basically filter down to creation of a new file that did not exist, as well as filtering on a file name that contains exe.  Yes, this could throw us a few false positives, but we should be able to clearly identify the offending IP addresses.

My first try at this shows the following:

image

image

The source IP in this case is the file server where I am running the trace, and this is the response packet back to the workstation creating the .exe file, stating that the file did not exist but was created.  Note that in Wireshark you have to expand SMB > NT Create AndX Response to see the File ID ##, which contains the name; the parser is basically filling in the file name from the previous packet, which we do not see.  The file name in this case is “tracelog.exe”.  So I would send my tech off (if I was that privileged) to the destination IP and have them clean the malware off that system.

If I just wanted to find the user creating the files, I could use Process Monitor for this.  Download a copy, start running it, and modify your filter to look like this:

image

PID is 4 for your System process, as this is the process that creates files that are created via a file share.

Operation is CreateFile, to limit this down to just creation of the files.

Path contains .exe, to look for just .exe’s being created in this scenario.

Since the System process technically creates these files, if you add the “User” column in Process Monitor all you will see is “NT AUTHORITY\SYSTEM”, which doesn’t help, so instead we need to look at the “Detail” column.  Within this text look for Impersonating, and right after that it will show you the user that is being impersonated by the System process to create the file so that it has the proper ACLs etc.  In the case shown below the user DCEXCHFSS\Administrator is the user account that is being utilized to create files on the file server.

image

Hopefully this helps someone.  If you have any improvements on filtering for either Wireshark or Process Monitor that would help here, please let me know.

Edit 7-24-09: Added comments from Cd-Man regarding autoruns and ACLing files.  Added Netmon filtering usage based on comments both internally and externally :)

Posted 23 July 09 07:43 by kfalde | 5 Comments   
How to go green with FCS

I’m not a treehugger, but I can definitely see the $$ with power savings.  Having said that, I had a customer recently that wanted his computers to wake up from sleep in order to do their scheduled scans for FCS.  At first I was like nope, not possible, we have no such feature.  Then I started digging around.  Apparently since about XP SP1 or later we have had a feature in Task Scheduler that allows us to wake a computer up via APM/ACPI when we need a scheduled task to run.  Unfortunately FCS itself has no way to set the “Wake the computer to run this task” option, but we can work around that.

If you look back to my other article on creating custom scan schedules at http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx, we can use the same mechanism.

Once again, you don’t need a 2008 domain or Vista clients to use Group Policy Preferences.  You just need the client extensions installed on your XP or 2003 systems, which are available via WSUS.  You do need a Vista or 2008 system to edit the GPO; once in place, the settings will apply to any system that has the Group Policy Preferences extensions installed.

So basically we follow the other article: we create the custom scan schedule that we want with the right mpcmdrun options, but we make sure to go to the “Settings” tab for the scan and check “Wake the computer to run this task”.

image

From our testing this seems to work pretty well for computers that go into sleep mode.  This will not work on systems that are fully powered off.  Good luck, and let me know if you try this out.  Thanks.

Posted 13 May 09 04:56 by kfalde | 0 Comments   
Some Interesting FCS SQL Queries

With a recent case I had an issue where the client count of managed computers in the MOM admin console was quite different than that in the FCS console, so I was trying to find out exactly which computers were not in FCS so I could troubleshoot some of those more effectively.  The first thing I checked was Agent-Managed Systems in MOM admin, just to make sure these were not computers that had not been checking in for a while (they weren’t; all had heartbeats within the last day or two), as I know we drop computers that have not checked in for 30 days from our total count in the FCS console.  Since this was not the case, it was pointed out to me that it may be an issue with clients having the MOM agent but not actually having SSA or AM installed on them, or having them corrupted in some way.  Unfortunately I didn’t know a good way to check on this in MOM, so I had to do some digging around to create some queries to make this happen.  Below are the results I have:

This one is the easiest but just dumps a list of all computers in MOM.  Make sure you select the OnePoint db when you start a New Query in SQL Server Management Studio.

Select Name from Computer

This next one selects all the computers that have FCS installed on them

select Computer as FCSCLIENTS from computertocomputerruleview where [Rule] like '%Microsoft Forefront Client Security Agents%' order by FCSCLIENTS

This one does a subquery of total computers against computers that have FCS on them, to give us a list of computers that for some reason do not have FCS on them.

select distinct Name as MISSINGFCS from Computer where Name not in (Select Computer from computertocomputerruleview where [Rule] like '%Microsoft Forefront Client Security Agents%')

Hopefully this helps someone else as well.  I’ll hopefully add to this over time if I find anything more that’s useful.

Update 7/10/09: Adding some more based on a request from a blog reader.  A customer was looking for a way to list all detection events.  You could actually play around with this some, as this view does have events from other sources as well as FCSAM.

SELECT [LoggedOn]
      ,[LoggedOnDomain]
      ,[Source]
      ,[Evtime]
      ,[Eventno]
      ,[Evttext]
  FROM [OnePoint].[dbo].[EventView] where source like '%FCSAM%'
and ([Eventno]='1006' or [Eventno]='1007' or [Eventno]='3004' or [Eventno]='3005') order by [Evtime]

You could also do some filtering by date by adding an extra "and ([Evtime]>='2009-06-10' and [Evtime]<='2009-06-13')" clause to this before the order by statement.

Just as an FYI, the tables/views/db schema of FCS/MOM are not documented/supported in any way, so if any of these break with some update :) :) that’s life.

Posted 08 May 09 05:39 by kfalde | 3 Comments   
Update Views for FCS in WSUS

Nothing profound with this post, just detailing a step I typically recommend to most of our new customers to make life easier when viewing updates in WSUS.  To make viewing FCS inside of WSUS easier, I typically recommend creating 2 new views, one for FCS Definitions and another for everything else FCS.  You can do this using the following steps:

  • Right click Updates>New Update View
    • Select the following:
      • Updates are in a specific classification (Definition Updates)
      • Updates are for a specific product (Forefront Client Security)
    • Give the view a name (FCS Definitions in my case)

image

Once the view is created and you click on it to view it, make sure you go up to the Approval and Status dropdowns and change these to “Any Except Declined” and “Any”.

image

You should end up with a view like the above, which typically shows you 4 definition updates for FCSAM and a single definition update for FCSSSA.

The 2nd view should basically be the inverse of the previous:

  • Right click Updates>New Update View
    • Select the following:
      • Updates are in a specific classification (Everything but Definition Updates)
      • Updates are for a specific product (Forefront Client Security)
    • Give the view a name (FCS in my case)

image

Again, with this view make sure you go up to the Approval and Status dropdowns and change these to “Any Except Declined” and “Any”; you should end up with a view like this:

image

Again, nothing really profound here, but this will give you 2 new views that allow you to easily see what updates are available to the client as well as what definitions are available.  As always in WSUS, if you right click on the columns in an update view there are plenty of other options that people typically do not realize exist, such as “Arrival Date (to your WSUS server)” and others.

image

Utilize those to make things easier for yourself :) .. Thanks for reading, have a great day!!

Posted 08 April 09 11:41 by kfalde | 0 Comments   
Cheap real time monitoring for Conficker clients

I already did one post about using eventcomb/logparser to look for clients, but I found a better way to do it on a case last night which I wanted to share.  The first thing you need is to enable netlogon debug logging on all of your DCs.  Save the following as a .reg file and import it on all the DCs that you want to monitor:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DBFlag"=dword:2080ffff

This will cause netlogon to start logging extended entries to %windir%\debug\netlogon.log.  You may take a slight perf hit on your DCs for this, just as an FYI.  You will not fill up your drives, as it logs to two 20Mb files, netlogon.log and netlogon.bak, and uses circular logging where it starts overwriting once it fills up.

What we are looking for is the value “0xC000006A” on any line, which indicates “The value provided as the current password is not correct”.  We already have articles on using NLParse to look for these, and you could use logparser etc., but these are all non-realtime, right?  You copy all the files somewhere, you parse them, you look at the output etc.  Wouldn’t it be nicer if you could just have a console where you glance and see when you have a malware client acting up :)..  The key to this is using a TAIL utility.  In my case I used Tail for Win32, which you can find here: http://tailforwin32.sourceforge.net/

On the system you plan on monitoring from, install this piece of software.  Strangely, you have to open a log file before you can start modifying the settings for the client, so open your first netlogon.log file.  The client supports network paths, so you will be opening \\DCNAME\C$\Windows\Debug\Netlogon.log for each of your DCs (yes, this would stink for a large environment, but hopefully if you’re that large you spent the money on a product to do this for you anyway… right??).

Once you have your netlogon files open, go to Settings > Keywords and add 0xC000006A as a keyword.  You will also want to enable “Show only Hot Lines” (this drops all the other netlogon junk which we don’t want to see) and enable “Wrap Lines”.  Basically what you end up with in the end is multiple windows open that are only looking for entries of bad password attempts and pulling those in close to real time from the netlogon logs.  This allows you to easily see when a client is hammering away on user accounts and lets you go shut down and clean that system.  Another tip is that you can use the Window > Cascade or Tile option to automatically arrange the netlogon file windows so you can easily see when a DC is seeing a problem client.

Update: had the wrong value for the reg key :)

Update 2 3/11/09:  This has a slight catch, apparently, in that this only covers NTLM bad password attempts, and you still need to use eventcomb or something else to see Kerberos bad password attempts :(  http://technet.microsoft.com/en-us/library/cc776964.aspx

“If the Netlogon logs from all domain controllers from the time of lockout but do not display data that pertains to any of the locked-out user accounts that you are analyzing, then NTLM authentication is not involved in the lockouts. This normally indicates that the authentication issues are between computers running Windows 2000 or later, because earlier versions of Windows used NTLM authentication exclusively. You should focus on Kerberos authentication troubleshooting by using Kerberos logging and examining the Security event logs.”

Update 3 4/9/09:  http://baremetalsoft.com/baretail/ is also good, and actually seems better than tailforwin32; a free Windows GUI tail utility to use with this solution.

Posted 09 March 09 11:21 by kfalde | 0 Comments   
WSUS FCS Definitions

This is a follow-up post to my previous FCS definitions post.  The first one focused on the mpam-fe files and what they contain, which you can find on the security portal at www.microsoft.com/security/portal.  This one instead focuses on what is actually downloaded by your WSUS server and what is in turn normally downloaded by your WSUS clients.

Our AV group seems to typically release definitions about 3x per day, although they can release more often than that if needed.  From what I have seen, the updates usually come out on MU (Microsoft Update; this is also where WSUS gets them from) around 2am, 10am and 6pm Eastern time (7am, 3pm, 11pm GMT).

In WSUS when you approve definitions you are approving definitions for both the x86 and x64 versions of the definition set.  The following is a list of the files that are downloaded as a normal definition sync by your WSUS server from either MU or an upstream WSUS server.  I’ve also added the size of each download (based on this specific definition version) in the table below.


Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, X86 Full+Engine)            33.5Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, x86 Delta)                  1.11Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, X86 Binary Delta +Engine)   21.1Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Full+Engine)          34.0Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Delta)                1.15Mb
Definition Update for Microsoft Forefront Client Security (Antimalware 1.51.677.0, AMD64 Binary Delta +Engine) 21.4Mb

So this amounts to about 112Mb that is synced 3x daily from MU to your WSUS server, or from upstream to downstream WSUS servers.

As you may have noticed, these 3 types are a little different than what is available at the Security Portal, so let’s break that down some more.

Full+Engine = This set is used for a brand new client which is still at RTM versions of definitions/engine; it has the complete base, the current deltas to that base and this month’s engine .dll.

Delta = This is the delta since the last base; this is what your client machines are normally downloading throughout the month.  It’s an incremental since the last base was applied.

Binary Delta +Engine = This is the one you don’t see on the Security Portal.  This is the more interesting file, and I had to get my Escalation Engineer (Craig Wiand, I told him I would give him mad props here :) ) to explain this one better to me.  We apparently use binary delta patching technology here, and this can be used to update a client that had last month’s base to the current month’s base.  Below is a screen shot of the files in this package:

image

The interesting files are the _p files, which are the delta patches to last month’s base.  Basically, from what I understand, it’s a bitmap-level type of differencing file between last month’s and this month’s bases and engine files that saves some size over actually having to download the complete base.  The difference between the normal base and the binary delta is about 13Mb.  So basically, if your clients are up to date, then every month when a new engine and base definitions are released, instead of having to download 33Mb they only need to download approximately 21Mb.

That should cover the sizes/how it works :).  Now, taking this knowledge and applying it to your distributed branch office/WSUS environment with slow WAN links is where things get complicated.  Typically you tend to think that having a WSUS server in my small branch office is a good thing (download once, then clients download many); however, in FCS definition scenarios it gets touchy.  A downstream WSUS server, based on these approximate numbers, will download about 112Mb 3x a day, or 336Mb daily.  If I have a branch office of 30 systems with FCS that are keeping up to date regularly, they should download about 30 x daily delta 1.1Mb x 3 times/day = 90Mb.  As you can see, for my normal daily routine I would probably be saving 240Mb of downloads by NOT having a WSUS server at this branch.  Of course, when the monthly rebasing occurs I would have downloaded 336Mb that day to WSUS, and my clients would have downloaded 30 x 21Mb for the Binary Delta = 630Mb in one day.

Over the long run in this scenario, strictly based on FCS definitions, I would probably be better off not having a local WSUS server.  This is not typically the case though; normally my WSUS server will also be used for all types of other security updates, and you would need some calculations based on average past patch sizes vs. bandwidth savings etc., which I don’t really care to try to go into and which would vary based on your environment as well.

Posted 05 March 09 11:05 by kfalde | 4 Comments   
Blocking and finding Conficker and Downadup systems

EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.


I’ve already created one post on finding malware systems using eventcomb; however, when it comes to Conficker or Downadup (and realistically other malware too), all that method can really show you are clients that have decided to finally put a Domain Controller on their hit list.  One of the things we know about Conficker is that it uses a date-based method to generate a URL that it will connect to in order to report in to its evil overlords, as well as to possibly see if there are new updates/commands available to it.  The guys over at F-Secure have put up a list of domains that the malware could possibly use for the month of February at http://www.f-secure.com/weblog/archives/00001593.html .  Now, if you have a proxy server or some type of firewall server that can do blocking or redirecting based on host names, this is great.  Not all customers have this though, so we figured we would try to put something together that would work for most of our normal Windows customers :).

Basically what I did was utilize the dnscmd command to work with MS DNS to create new zones, as well as wildcard records, for each domain that may possibly be used.  The download for the .cmd files you can get here:

If you know anything about MS DNS you realize this is going to look pretty darn messy :).  We are talking about 7k new zones in your DNS server, so I would recommend either putting this on a new box and forwarding all your DNS to this before going to the internet, or not opening your DNS GUI to look at zones that often after you add these :).  The first script, blocklistfebzoneadd.cmd, will create all the zones.  If you just want to block connections for these zones for February you can stop there…  But no, that’s wussing out, we want to ERADICATE this thing!!!  The next script is blocklistfebrecordadd.cmd; you will want to edit this, doing a find/replace to change 192.168.1.100 to the IP address of a new IIS server in your environment.  The beauty of this is that for this month, every time you have a Conficker / Downadup client try to connect to its control server, it will instead connect to your new IIS setup.  You just need to keep checking your IIS logs for that website you set up and cleaning up those client IP addresses.

Once the month of February is over, you can use the 3rd script, blocklistfebzonedelete.cmd, which will go through and reverse the effects of this by deleting all of the zones we created.  Hopefully this should be pretty simple, but if you have any questions just let me know.
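Since the .cmd download is not reproduced here, the following Python script regenerates the three scripts described above from a text file of domains: zone creation, a wildcard A record per zone pointing at the sinkhole web server, and the zone deletion for cleanup.  This is an added example, not the post’s own scripts; the dnscmd switches are the standard ones for a file-backed primary zone, the domain list is a constructed placeholder (the real list is at the F-Secure link above), and 192.168.1.100 is the post’s placeholder sinkhole address.

```python
"""Generate the blocklist .cmd scripts for MS DNS with dnscmd: one zone per
domain, a wildcard A record per zone that points at the sinkhole IIS box, and
a cleanup script that deletes the zones again."""
import ipaddress
import re

# A conservative hostname check: the domains end up on a cmd line, so anything
# that is not a plain DNS name is rejected rather than passed to dnscmd.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def clean_domains(raw_lines):
    """Lower-case, strip comments/blank lines, drop duplicates and bad names."""
    seen = set()
    out = []
    for line in raw_lines:
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or not DOMAIN_RE.match(name) or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return out


def build_scripts(domains, sinkhole_ip, server=None):
    """Return {'zoneadd': ..., 'recordadd': ..., 'zonedelete': ...} as script text.
    server: optional DNS server name for dnscmd; the local server when None."""
    ipaddress.IPv4Address(sinkhole_ip)  # raises ValueError on a bad address
    prefix = "dnscmd %s " % server if server else "dnscmd "
    zoneadd = ["@echo off"]
    recordadd = ["@echo off"]
    zonedelete = ["@echo off"]
    for d in domains:
        # File-backed primary zone; use /dsprimary instead for an AD-integrated one.
        zoneadd.append("%s/zoneadd %s /primary /file %s.dns" % (prefix, d, d))
        # Wildcard so any host under the domain resolves to the sinkhole.
        recordadd.append("%s/recordadd %s * A %s" % (prefix, d, sinkhole_ip))
        # /f suppresses the confirmation prompt so the script runs unattended.
        zonedelete.append("%s/zonedelete %s /f" % (prefix, d))
    return {
        "zoneadd": "\n".join(zoneadd) + "\n",
        "recordadd": "\n".join(recordadd) + "\n",
        "zonedelete": "\n".join(zonedelete) + "\n",
    }


def write_scripts(domains_file, sinkhole_ip, month="feb", server=None):
    """Write blocklist<month>zoneadd.cmd etc. in the current directory."""
    with open(domains_file) as fh:
        domains = clean_domains(fh)
    scripts = build_scripts(domains, sinkhole_ip, server)
    names = []
    for kind, text in scripts.items():
        name = "blocklist%s%s.cmd" % (month, kind)
        with open(name, "w", newline="\r\n") as fh:
            fh.write(text)
        names.append(name)
    return names


# Constructed placeholder list (not Conficker's real domains): the real list
# for the month comes from the F-Secure post linked above.
SAMPLE_DOMAINS = [
    "example-a.ws",
    "Example-A.WS   # duplicate, different case",
    "example-b.biz",
    "not a domain",
    "",
]


def demo():
    return build_scripts(clean_domains(SAMPLE_DOMAINS), "192.168.1.100")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("\n".join(write_scripts(sys.argv[1], sys.argv[2])))
    else:
        print(demo()["recordadd"])
```

Run it as `python blocklist.py domains.txt 192.168.1.100` to write the three .cmd files, which are then run on the DNS server the same way the post describes.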

Happy malware hunting.

Understanding FCS Definitions

A fairly frequent question we get is how FCS definitions work: how do I find just the deltas for the month, etc.  You can always manually download the latest definitions from http://www.microsoft.com/security/portal with the links on the right.  This will get you the mpam-fe.exe and mpam-fex64.exe files.

These are both self-extracting cab files, which you can usually open easily with your favorite unzipping utility.  I used 7-zip to dump out a copy, shown below.

image

The first file I’m not so sure on, but if you open it, it appears to tell us the different products that we can update with this .exe, which includes FCS, FCS2, ONECARE, ISA and Standalone System Sweeper.  Makes sense, as they all use the same MSAV engine, right :).

The next 4 files are all .vdm files which are all variations of definition sets.

mpasbase.vdm = Last base signature set of AntiSpyware definitions

mpasdlta.vdm = Last delta signature set of AntiSpyware definitions, i.e. if you just installed the client you need to install both mpasbase.vdm and mpasdlta.vdm to be fully up to date.

mpavbase.vdm = Last base signature set of AntiVirus definitions

mpavdlta.vdm = Last delta signature set of AntiVirus definitions; again, you need both mpavbase and mpavdlta to update a new client.

The 2 base files get updated monthly, which means every month your client needs to install a new base set so that the deltas are applied to that base.

mpengine.dll is the actual AV engine :), so if there is an update to how the engine works to handle some new situation, this update can actually be provided via the definition set.

mpsigstub.exe, from what I know, is just the .exe that is used to apply the definitions.

These are the basics :).  I’ll try to do another post soon that dives into how to download individual deltas that you can apply manually, as well as how clients working with WSUS decide which exact updates they download.

Posted 09 February 09 12:31 by kfalde | 0 Comments   
Using Logparser + Eventcomb to find malware

During the course of these Conficker / Downadup issues we typically see cases that started because accounts are getting locked out.  I pause briefly here to point out that account lockouts are the work of the devil and are a sorry excuse for most people not to use a complex password policy.  So it seems that these cases are for the most part slowing down; however, customers are still looking for those few machines that fall between the cracks and are still causing account lockouts when they turn their account lockout policy back on (once again, because they don’t want to use complex passwords).

So the tool to turn towards is the Account Lockout tools.  Part of this toolset is eventcombmt (mt stands for multithreaded).

Eventcombmt is cool for all sorts of things, but the only thing we are interested in is the built-in Account Lockout Search.  Select Searches > Built In Searches > Account Lockouts.  You could also change your output directory if you want; the default is C:\temp.

Once you have selected this, it should put in the right event IDs and locate and select all your DCs.  Click Search and it’s off searching through all your DCs’ Security event logs and dumping all the pertinent info to DomainControllername.txt files in the c:\temp directory.

While you’re waiting for this, go download Log Parser.  Install it; you may want to make sure it’s in your path afterwards for this to work, so try typing logparser from a cmd prompt.  Once you have logparser in place and Eventcomb has finished and output all of your DCs’ .txt files, you will want to run the following logparser query in the directory with the .txt’s.


Once that’s complete, run the following in the directory with all your text file outputs from the DCs:

logparser -i:textline "SELECT SUBSTR(SUBSTR(Text, ADD(INDEX_OF(Text, 'Address: '), 8)), 1, INDEX_OF(SUBSTR(Text, ADD(INDEX_OF(Text, 'Address: '), 9)),' ')) AS IPAddr INTO addrs.csv FROM *.txt"

Revision 5/8/09:  You may need to use this instead if the addresses are all at the end of the line:

logparser -i:textline "SELECT SUBSTR(Text, ADD(LAST_INDEX_OF(Text, 'Address: '), 9)) AS IPAddr INTO addrs.csv FROM *.txt"

This should create a file called addrs.csv which has all of the IP addresses that have caused bad password attempts.  There will be a line for each attempt, so we need to parse this down a little more to give us a column with the IP address and a column with the number of bad password attempts, so we will run the following logparser query next:

logparser -i:csv -o:csv "select IPaddr, count (*) as hits into final.csv from addrs.csv group by IPaddr order by hits desc"

This should leave us with a final.csv file which has 2 columns: one for the IP address and another for the number of times we have seen that IP address causing bad password attempts in our Security event logs across our DCs.  In the case below that first IP had caused 85k bad password attempts; guessing that machine has a problem :) …


image

Since we’ve primarily used this for Conficker, the following line works well to output just a list of IP addresses, with no header on the file and no hit counts.

logparser -i:csv -o:csv -headers:OFF "select distinct IPaddr into ips.txt from addrs.csv"

You can then take the ips.txt file and use the import function on McAfee’s Conficker Detection Tool to scan all of these IPs quickly to see if they are infected with Conficker or not.
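The same three steps (pull the address after the last “Address: ”, count hits per address, emit a header-less distinct list) as one Python script, so the eventcomb output can be checked without Log Parser.  This is an added example, not from the original post; the sample lines are constructed in the shape the post’s queries rely on (an “Address: ” field on each event line) and are not real eventcomb output, and the threshold helper is my addition.

```python
"""Summarise eventcomb output: which source IPs are generating bad password
attempts, and how many each. Mirrors the post's three logparser queries."""
import csv
import glob
import re
from collections import Counter

# The post's queries key on the text 'Address: ' followed by the IP; take the
# last one on the line, as the revised query does.
ADDRESS_RE = re.compile(r"Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def extract_ips(lines):
    """One IP per line that carries an 'Address: ' field; other lines are skipped."""
    ips = []
    for line in lines:
        found = ADDRESS_RE.findall(line)
        if found:
            ips.append(found[-1])
    return ips


def count_hits(ips):
    """[(ip, hits)] sorted by hits descending, then by IP (group by / order by)."""
    return sorted(Counter(ips).items(), key=lambda kv: (-kv[1], kv[0]))


def distinct_ips(ips):
    """Header-less distinct list, the ips.txt fed to the detection tool."""
    return sorted(set(ips))


def suspects(hits, min_hits):
    """IPs at or above a threshold: one failed logon from a typo is noise,
    thousands from a single host is the pattern the post is after."""
    return [ip for ip, n in hits if n >= min_hits]


def summarise_files(pattern="*.txt", final_csv="final.csv", ips_txt="ips.txt"):
    """Read every DC's eventcomb .txt file and write the two output files."""
    lines = []
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines.extend(fh)
    ips = extract_ips(lines)
    hits = count_hits(ips)
    with open(final_csv, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["IPaddr", "hits"])
        writer.writerows(hits)
    with open(ips_txt, "w") as fh:
        fh.write("\n".join(distinct_ips(ips)) + "\n")
    return hits


# Constructed sample (not real eventcomb output): the address sits at the end
# of the line as in the revised query, and one line has no address at all.
SAMPLE_LINES = [
    "DC1,529,AUDIT FAILURE,Security,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CORP Source Network Address: 10.0.0.5",
    "DC1,529,AUDIT FAILURE,Security,Logon Failure: Reason: Unknown user name or bad password User Name: asmith Domain: CORP Source Network Address: 10.0.0.5",
    "DC2,644,AUDIT SUCCESS,Security,User Account Locked Out: Target Account Name: jdoe Caller Machine Name: WKS17",
    "DC2,529,AUDIT FAILURE,Security,Logon Failure: Reason: Unknown user name or bad password User Name: bjones Domain: CORP Source Network Address: 10.0.0.9",
    "DC1,529,AUDIT FAILURE,Security,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CORP Source Network Address: 10.0.0.5",
]


def demo():
    ips = extract_ips(SAMPLE_LINES)
    return count_hits(ips), distinct_ips(ips)


if __name__ == "__main__":
    for ip, n in summarise_files():
        print(ip, n)
```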

Update 1: 4/9/2009:  Totally reworked this thanks to Neil Carpenter and some better logparser logic to filter this better and have a much cleaner final output.  Also dropped the need for .csv files, as we are filtering using textline input instead.

Update 2: 7/10/2009:  Added a new logparser query to output just IPs to a file with no hits etc., which you can then easily import into McAfee’s Conficker Detection Tool.

Posted 28 January 09 05:04 by kfalde | 0 Comments   
How-to: Removal of Conficker in your FCS environment

Another Conficker post :), however this one is aimed at our FCS customers.  It semi-applies to other customers; however, other AV vendors operate differently with regards to updates etc., so this won’t necessarily be applicable to all.

So today is Patch Tuesday … Yeah!!!

With today’s releases we are finally getting some relief out for Conficker.  The main piece of relief is through the MSRT, or Malicious Software Removal Tool, which contains an updated set of definitions and engine to handle the Conficker family of malware.  Both x86 and x64 versions of the MSRT are released.  I’ve never been a huge fan of this tool before, as realistically this is a post-infection tool and it has a very limited definition set (see KB890830 for the list).  But when you are hurting with one of those on the list, it’s a great thing to have around.

So you might say great, my WSUS auto-approves that etc., my clients are going to be all happy by tomorrow… WRONG.  Part of the Conficker modus operandi is to disable both the Automatic Updates and BITS services.  Automatic Updates (Windows Update in Vista) is your WSUS client, so no joy for you.

So here’s what you should do to get things fixed in your environment.  First off you need a logon script assigned to your computer accounts (user accounts would work if you knew they had admin access on the systems).  The script basically needs to run the MSRT manually on the system.  You will also need to get the AU/BITS services back up and functioning; you could either do this via the script and the SC command line tool (i.e. sc config wuauserv start= auto) or via GPO directly, setting the startup state of AU to Automatic and BITS to Manual (the default states).  I’m posting here some example code that one of our engineers put together (thanks Shain Wray, I believe).

REM
REM   Running MSRT locally
REM

REM
REM   Checking for x86 or x64
REM   To use this as part of a GPO Startup Script, change <domain.com> to your
REM    domain.
REM   Notice the copy of the MRT.log up to a central location has 
REM   <servername>\<share with write perms>.  This is on purpose.
REM   In most cases, opening a share with everyone write permissions on a DC
REM    is not recommended, it is suggested to use a
REM   member server or workstation.
REM

if /i %PROCESSOR_ARCHITECTURE% == x86 goto x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto x64
if /i %PROCESSOR_ARCHITECTURE% == IA64 goto End
REM   Any other architecture: nothing to run, do not fall through to :x86
goto End

:x86
REM   Give the network a moment, then run MSRT silently and wait for it
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\Windows-KB890830-V2.6.exe /q

REM   Collect the MSRT log centrally, one file per machine and user
copy %windir%\debug\mrt.log \\<servername>\<share with write perms>\%computername%_%username%_mrt.log

goto End

:x64
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\windows-kb890830-x64-v2.6.exe /q

copy %windir%\debug\mrt.log \\<servername>\<share with write perms>\%computername%_%username%_mrt.log

:End

Exit

Sleep.exe can be found in the Windows Server 2003 Resource Kit Tools.  So this script should be self-explanatory for MSRT.

Once you have copied all the .exe's to a share and assigned the script via GPO to your computer OUs, you need to get your users to reboot their systems, which will cause them to run/clean and should hopefully fix your environment.  If you need help with this, try posting a question here first and I'll try to respond; however, if you need immediate assistance, call us.  As always we are here and available to help!!  Malware cases are FREE, as in no $250 for a ticket, no hours decremented from your Premier contract, etc.  So get on the phone, call the CSS # (800) 936-5800 I believe, and let them know you have a malware issue and need a case to work with CSS Security.
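The same procedure in PowerShell, with the service repair described above (AU back to Automatic, BITS back to Manual) done before MSRT runs. This is an added example, not the engineer's batch script; the <domain.com>, <servername> and <share with write perms> placeholders are the same ones the batch script uses and must be replaced.

```powershell
# Added example (not the original batch script). Run as local admin from a
# GPO startup script. Placeholders are the same as in the batch script above.
$netlogon = '\\<domain.com>\netlogon'
$logShare = '\\<servername>\<share with write perms>'

# 1. Put the services Conficker disables back to their default startup types
#    (equivalent of: sc config wuauserv start= auto / sc config BITS start= demand).
$defaults = @{ 'wuauserv' = 'Automatic'; 'BITS' = 'Manual' }
foreach ($name in $defaults.Keys) {
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
        Write-Warning "Service $name not found"; continue
    }
    Set-Service -Name $name -StartupType $defaults[$name]
    # Win32_Service.StartMode works on PowerShell 2.0 (Get-Service.StartType is 5.0+)
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    Write-Output ("{0}: StartMode={1}" -f $name, $mode)
}
# Automatic Updates must be running for WSUS approvals to reach the box again
if ((Get-Service wuauserv).Status -ne 'Running') { Start-Service wuauserv }

# 2. Pick the MSRT package for this architecture, as the batch script does
switch ($env:PROCESSOR_ARCHITECTURE) {
    'x86'   { $msrt = Join-Path $netlogon 'Windows-KB890830-V2.6.exe' }
    'AMD64' { $msrt = Join-Path $netlogon 'windows-kb890830-x64-v2.6.exe' }
    default { Write-Warning "No MSRT package for $env:PROCESSOR_ARCHITECTURE"; exit 1 }
}

# 3. Run MSRT quietly and wait for it; the scan log lands in %windir%\debug\mrt.log
Start-Sleep -Seconds 10          # replaces Sleep.exe from the resource kit
Start-Process -FilePath $msrt -ArgumentList '/q' -Wait

# 4. Copy the log to the central share, one file per machine/user
$dest = Join-Path $logShare ("{0}_{1}_mrt.log" -f $env:COMPUTERNAME, $env:USERNAME)
Copy-Item -Path (Join-Path $env:windir 'debug\mrt.log') -Destination $dest -Force
```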

So while typing this I just checked the MMPC’s blog and they have a good post and a beautiful picture that explains how the malware works as well http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx.

More on File Shares and Autorun.inf with regards to malware

So in my last post I mentioned the fact that Conficker/Downad whatever can also have a component that will spread through file shares that allow everyone to write at the root level of the file share.

So a typical autorun.inf looks something like this:

[Autorun]
open=setup.exe
icon=setup.exe,0

Glancing at my DVD folder structure, in this case I have:

[image: folder listing of the DVD]

So basically with autorun enabled, if I double-click this drive Explorer will process Autorun.inf and will run setup.exe from the same location as the autorun.inf.  Now if you were running Vista with UAC this wouldn't be a big deal; however, a lot/most enterprises probably are not.  If you were running with your users as non-admins this would again not be an issue, but again this is usually not the case.

So what do we do to mitigate this problem?

Well, by default, supposedly we should not process/execute autorun.inf from a network drive anyway on our XP/2K/Vista machines.  Check out http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true which goes into detail about the NoDriveTypeAutoRun registry key setting.

[image: NoDriveTypeAutoRun registry key settings]

The 0x10 setting for "Disables Autoplay on fixed drives" is a default that is present on all our supported OSes, so why does the issue still occur?  The reason can be found in http://support.microsoft.com/kb/953252, "How to correct 'disable Autorun registry key' enforcement in Windows".  If you read through the KB you will see that all of our currently supported OSes had a bug with Explorer and autorun.  The bug was fixed and released as security bulletin MS08-038, http://support.microsoft.com/kb/950582.  Odds are, though, if you are one of those orgs that didn't apply MS08-067, what's a few more months (July vs. October of 08).  If you are having problems with malware that is spread via autorun on network shares then you should make sure to get MS08-038 installed in your environment as quickly as possible.

As part of Defense in Depth I would also recommend that you use a Group Policy linked to your domain to disable Autorun functionality completely.  The defaults should be fine once MS08-038 is installed; however, in an enterprise setting you don't want to rely on the "I hope my users didn't change it" scenario.  KB953252 also has information on where to set this; I've also included a picture from my test system (it's 2008 so may look slightly different than 2003).  Basically you want to set "Turn Off Autoplay" as Enabled for "All drives".

[image: "Turn Off Autoplay" Group Policy setting, Enabled for All drives]
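A quick audit of the two things this section says matter for autorun.inf on a share, the MS08-038 fix and the NoDriveTypeAutoRun policy value, as an added example that is not part of the original post. The bit values follow the Windows DRIVE_* constants behind NoDriveTypeAutoRun (0x10 is the network-drive bit, 0xFF is what the "All drives" policy writes); the registry paths are the policy locations the Group Policy setting uses.

```powershell
# Added example, not from the post: report how a machine stands on autorun policy.
# Hashtable keys are the NoDriveTypeAutoRun bits (Windows DRIVE_* constants).
$driveBits = @{
    0x01 = 'unknown'; 0x04 = 'removable'; 0x08 = 'fixed'; 0x10 = 'network'
    0x20 = 'CD-ROM';  0x40 = 'RAM disk';  0x80 = 'unknown type'
}

function Get-AutorunPolicy {
    # Machine policy (Computer Configuration GPO) and per-user policy locations.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) { Write-Output "$p : NoDriveTypeAutoRun not set"; continue }
        # Decode which drive types have autorun switched off in this value
        $off = $driveBits.Keys | Sort-Object | Where-Object { ($v -band $_) -ne 0 } |
               ForEach-Object { $driveBits[$_] }
        Write-Output ("{0} : 0x{1:X2} (autorun off for: {2})" -f $p, $v, ($off -join ', '))
        if (($v -band 0x10) -eq 0) { Write-Warning "$p : network drives are NOT excluded" }
        if ($v -ne 0xFF) { Write-Warning "$p : not the 'All drives' (0xFF) setting" }
    }
}

function Test-MS08038Installed {
    # KB950582 is the MS08-038 package for the OS versions the bulletin shipped for;
    # on later Windows versions the fix is built in and this returns $false.
    return [bool](Get-HotFix -Id KB950582 -ErrorAction SilentlyContinue)
}

Get-AutorunPolicy
if (-not (Test-MS08038Installed)) {
    Write-Warning 'KB950582 (MS08-038) not listed: Explorer may not honour the autorun policy'
}
```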


That’s about all I have at the moment if you have any questions post them here.  Thanks

Malware Win32/Conficker.B W32.Downadup.B

So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware.

You can find write-ups from various AV companies at the following URLs:

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B

http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99

http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99

So the write-ups are all pretty good; some have details that the others don't, etc.  We see a range of cases, it seems, from customers missing the patch to those who are completely patched but are still seeing this piece of malware in their environment causing issues.  The interesting thing about this piece of malware is that it is really singling out organizations that have not done a good job with their security policies/procedures.  The MMPC group made a post about this piece of malware, http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx, where they linked Jesper's password paper from 2005, http://technet.microsoft.com/en-us/library/cc512606.aspx!!!  This guidance and similar guidance has been out for 3+ years now and we still have customers that aren't following it.  I sometimes wonder if we should just push out a "critical update" that applies to all DCs and updates their Default Domain and Default Domain Controller Policies for them to something more acceptable :) of course we would probably pull a lot of flak for that :) . /Rant Off

So things you should look at doing if you are hit with this:

  1. Disable Account Lockouts: You are already jacked, why are you making it worse by leaving the account lockout policy in place?
  2. If you are not patched (especially with MS08-067), do so immediately.
  3. Find a machine that you know is infected and see if your AV will clean it up with the latest definitions/client.  If it is not cleaning it, open a case with your AV vendor as well; they are going to be the ones to update definitions to properly detect/remove the malware in the environment (believe me, you want this instead of manually running around cleaning off systems).
  4. Enable Password Complexity: Like the Account Lockouts this is in your Default Domain Policy.  If you don't have it enabled, odds are you have 10+% of your population using one of those weak passwords on the list from those write-ups on the malware, and if you have users with those passwords you are still going to have issues with malware spreading.  Oh, and maybe you should get someone working on that org-wide email explaining to your users the new password policy, like X characters and how they need 3/4 special characters/Upper/lower/numbers.  You probably also want to look into a script/tools to expire accounts (selectively, so you don't whack things like service accounts you aren't ready to change).  Check out Joeware's oldcmp and expire utilities at http://www.joeware.net/freetools/ ; you can dump selectively based on OU targeting to get lists of users' password age and then pass the lists to the expire utility to force password changes across groups of users.  Or if you're a masochist you can just expire them all and deal with the consequences.
  5. Password Complexity on local accounts: Is the password on your local Administrator accounts something on that list from the write-ups?  If so you had better get it changed.
  6. Share Permissions: This one is more complex to explain.  Basically, for any network shares that you know multiple users map drives to, you need to have the permissions locked down in this fashion: at the root of the share remove Write/Modify access from Everyone, and allow them full control to the contents of subfolders in the share.  The way the malware works is that if you have, say, an N: drive mapped to \\FILE01\Data it will drop malware.exe in N: and an autorun.inf in the same N: pointing to malware.exe.  The next user that is mapped to the same N: drive double-clicks on the drive icon and runs malware.exe (ok, yes, this can be mitigated by autorun settings, but do you know those are set on your clients?  Maybe a good idea for a GPO setting those as well :) ).
  7. Stop logging into infected machines with Domain Admins:  One characteristic of the malware is that it can use impersonation and can be in the Run key so that it runs under the logged-on user's context.  So when you log in on that infected system with your DA account, guess what: you just helped it spread without it needing to force passwords, use a vulnerability, etc., because hey, it's all allowed under your privileges.
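Step 6 expressed as NTFS ACLs on the folder behind the share, using icacls, as an added example that is not part of the original post. The share root path D:\Data and the Everyone principal are assumptions; Modify is granted on the contents rather than Full Control so users cannot change permissions, and share-level (net share) permissions are a separate layer left untouched.

```powershell
# Added example, not from the post: lock the share root against file creation while
# leaving users full working access inside the subfolders. Run on the file server
# as an administrator. $Root (D:\Data) and $Principal (Everyone) are assumptions.
function Protect-ShareRoot {
    param([string]$Root = 'D:\Data', [string]$Principal = 'Everyone')

    # Stop the root inheriting ACEs from its parent volume (keeping a copy of the
    # current ones) so the grants below are the only ones that apply to the root.
    icacls $Root /inheritance:d | Out-Null

    # Drop whatever the group currently has on the root (typically an inherited Modify).
    icacls $Root /remove:g $Principal | Out-Null

    # Root folder only: read and list. No (OI)/(CI) flags, so this ACE does not propagate.
    # Dropping malware.exe or autorun.inf at the root needs write on this folder,
    # which is now absent for this principal.
    icacls $Root /grant "${Principal}:(RX)" | Out-Null

    # Children only: Modify with (IO), so the ACE lands on subfolders and their contents
    # but never applies to the root itself. Users keep write access in their workgroup folders.
    icacls $Root /grant "${Principal}:(OI)(CI)(IO)M" | Out-Null

    # Show the resulting ACL for review
    icacls $Root
}

Protect-ShareRoot
```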

I may add more to this possibly as it’s getting late my time and I’m sure it’s going to be another long day tomorrow.  Hopefully this helps someone.

Changes to Microsoft Anti-Malware

This doesn’t really affect the FCS world but it is an interesting development. https://www.microsoft.com/presspass/features/2008/Nov08/11-18AmyBarzdukasQandA.mspx apparently we are going to begin to offer a no-cost anti-malware solution in 2nd half of 2008.  This is going to be more targeted at the end-user market it appears from the look of it.  Check out the article for an interesting read.

FCS .adm settings

I’m not really advocating using this and I can’t take credit for this as it was  posted on the FCS forums by a “lofty10”.  However I do know that many people are looking for something like this to manage FCS clients that do not have an FCS server infrastructure for whatever reason.  Just remember that you get no reporting whatsoever doing this but you can at least control some scan/update intervals and exclusions.  I have the .adm located on my SkyDrive at the following link.

Posted 14 November 08 11:50 by kfalde | 1 Comments   