• Additional Information on Conficker – MSRT removing Conficker

    Over the last few days I blogged several times about Conficker, and some of the posts drew quite a bit of press attention, especially when I talked about Russian Roulette.

    Today I have very, very good news: the Malicious Software Removal Tool (MSRT) we release today includes signatures to remove Conficker, as far as we know this beast today. Let me be clear upfront: MSRT cleans up after the fact and is no replacement for an up-to-date anti-malware solution!

    The information in this post is the information as I have it as of today. The links below give you the definitive guidance.

    How do you realize that you are infected?

    Trust me, you will know! If you have Account Lockout Policies set, your accounts will get locked out, because Conficker.B brute-forces account passwords over the network. In parallel you will see a significant increase in authentication requests on your DCs for the same reason. Most probably you will find a significant increase in network traffic as well, and last but not least your clients may behave strangely.
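    The lockout symptom above can be turned into a quick triage check. The following PowerShell script is an added example, not part of the original post: it reads the "account locked out" events (ID 4740) from a domain controller's Security log, extracts the account and the caller computer from each event, and groups by caller. A worm brute-forcing the domain locks out many different accounts from a few machines, whereas a forgotten password locks out one account from one machine, so callers that lock out many distinct accounts are the hosts to isolate first. It assumes Windows Server 2008 or later (Get-WinEvent and event 4740; Windows Server 2003 logs the equivalent as event 644 in the legacy format) and an elevated prompt; the threshold of five distinct accounts is an arbitrary starting value.

```powershell
# Added example (not from the original post): surface a Conficker-style
# lockout storm from the Security log of a domain controller.
# Assumes Windows Server 2008 / Vista or later (event ID 4740, Get-WinEvent);
# on Windows Server 2003 the equivalent is event ID 644 in the legacy format.
# Run from an elevated prompt on a DC, or point -ComputerName at one.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 1,
    [int]$Threshold = 5   # distinct accounts one caller locks out before we flag it
)

$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740          # "A user account was locked out"
    StartTime = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No account lockouts (4740) on $ComputerName since $since."
    return
}

# Pull the fields by name from the event XML rather than by positional index.
# In event 4740 the caller computer (the machine that sent the failing logons)
# is carried in the 'TargetDomainName' data item; the locked account is
# 'TargetUserName'.
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $data['TargetUserName']
        Caller  = $data['TargetDomainName']
    }
}

Write-Host ("{0} lockouts in the last {1}h on {2}" -f @($lockouts).Count, $Hours, $ComputerName)

# Group by caller: the worm locks many different accounts from a few hosts,
# a forgotten password locks one account from one host.
@($lockouts) |
    Group-Object Caller |
    ForEach-Object {
        $accounts = $_.Group | Select-Object -ExpandProperty Account | Sort-Object -Unique
        New-Object PSObject -Property @{
            Caller           = $_.Name
            Lockouts         = $_.Count
            DistinctAccounts = @($accounts).Count
            FirstSeen        = ($_.Group | Measure-Object -Property Time -Minimum).Minimum
            LastSeen         = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
        }
    } |
    Where-Object { $_.DistinctAccounts -ge $Threshold } |
    Sort-Object DistinctAccounts -Descending |
    Format-Table Caller, Lockouts, DistinctAccounts, FirstSeen, LastSeen -AutoSize
```

    Save it as a script and run it with, for example, `.\Find-LockoutStorm.ps1 -ComputerName DC01 -Hours 2`. The callers it lists are candidates for the cleanup steps below; a caller that appears with a name you do not recognise is worth checking on the network before anything else.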

    If you have it what can you do against it?

    Patch first! So, before you do anything else, deploy MS08-067. I already said once that you are playing Russian Roulette if you have not. From there on, you have to clean up the mess. But first, make sure you use strong passwords (Conficker is trying to break them). Here is some good information and guidance on passwords:


    What you should know about strong passwords:

    http://www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.asp

    http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_tips.asp

    Password Best Practices:
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/windows_password_protect.asp

    Accounts Passwords and Lockout Policies:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

    Account Lockout and Management Tools:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en


    If you want to change all your local Admin passwords and manage them, Steve Riley provided a tool called Passgen.

    Then clean up…

    You have different options to do the clean up:

    • Forefront and OneCare were among the first solutions able to clean Conficker, and have been for quite a while. Our free online scanner does it too, and has for quite a while. You can find it at http://safety.live.com
    • The updated Malicious Software Removal Tool removes it as well. However, remember that Conficker breaks Automatic Updates too, so if you are infected you have to download and deploy it manually. Here are the relevant KBs:
      • KB890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 http://support.microsoft.com/kb/890830
      • KB891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment http://support.microsoft.com/kb/891716
    • There are definitely other AV products that remove it as well. Check with your vendor whether its product removes the malware or merely detects it.

    One final thing: if you are infected, do NOT log onto the system with a Domain account if at all possible, and especially NOT with a Domain Admin account. Log on with a local user account. The malware appears to impersonate the logged-on user and access network resources under that user's credentials so it can spread.

    So, that’s it for the moment.

    I hope it helps

    Roger

  • Russian Roulette with your Network

    First of all, before I really start, I hope that you all had a great start to 2009. Mine was actually pretty mixed. The good side was how my year really started and what I saw when I looked out the window on January 1st (yes, I was on a skiing vacation, and this was the view almost every morning):

    But honestly, this is not the only reason I wrote this post. There is another one which is much, much more serious:

    Unfortunately there are still plenty of customers playing Russian Roulette with their network. This term was actually used by one of our security engineers (who was upset, to say the least) who had to work December 31st and January 1st because of customers still not having rolled out MS08-067, and not just one! We ran into our limits with regard to support capacity in EMEA.

    Just to remind you: this is the out-of-band security update we released back on October 23rd, and which was pretty soon attacked by Conficker.A. But it seems that a lot of customers did not care back then; they were not attacked, so why bother? In the last days of 2008 Conficker.B broke out, and even though it did not spread too widely, the customers who were hit (or still are hit) are hit very, very badly: account lockouts all over the place, admin passwords that were grabbed (often the Domain Admins), etc. And we had some really upset engineers, as they had to work instead of having time off because some customers were not up to their duty (and that is what it is, for me!).

    And this is not the end of the story:

    • For quite a while, our anti-malware solution was the only one able to remove the thing, and without an anti-malware solution it is close to impossible to actually get rid of it. As always, all the information about the malware was shared through VIA (Virus Information Alliance) with all the partners.
    • Windows NT machines got infected as well, and the calls came: what shall we do now? Well, there is not too much you can do. As you might know, Windows NT has been out of support for a long time (since December 31st, 2004; see our Lifecycle Page if you need more information). Isolate your Windows NT boxes (as you should have done a long time ago) and migrate away from them. I know that there are still a lot of machines running embedded NT: isolate them and work with the vendors to get to an up-to-date version of the OS.

    Let me add a final comment: the story above is not a Microsoft-only story. The same processes and technologies around patch management have to be applied to each and every component of your environment. Back in the Blaster days, we started telling consumers to do three things to protect their PC:

    1. Switch on your Firewall
    2. Keep your Software Updated
    3. Run an Anti-Malware software and keep it updated

    Guess what: if you had applied 2 and 3 to your network, you would not have been hit by this problem.

    Roger

  • Comments on US-CERTs Advisory on Auto-Run

    You might have seen the US-CERT advisory titled Microsoft Windows Does Not Disable AutoRun Properly. If not, you will definitely have seen one of the articles covering this issue and telling you that our advice on how to prevent Conficker is flawed.

    This statement was not quite accurate the way it came out initially, and US-CERT has in the meantime adjusted their advisory:

    Our advice in http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true works if you also apply http://support.microsoft.com/kb/953252

    US-CERT's updated advisory now reads:

    Update:

    Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as well as the workaround described above.
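    The two conditions in that update (the KB953252 fix installed, and NoDriveTypeAutoRun set to 0xFF in the machine policy key) are easy to verify together. The following PowerShell script is an added example, not from the original post or from US-CERT: it checks whether the hotfix is present, reads the policy value, reports which drive types are still allowed to AutoRun, and with `-Fix` writes the 0xFF value. It assumes the update is listed as HotFixID `KB953252` in Win32_QuickFixEngineering on Windows XP/2003 and as `KB950582` (the MS08-038 bulletin) on Vista/Server 2008; those identifiers and the registry path are my assumptions and should be checked against the KB articles. Run it from an elevated prompt.

```powershell
# Added example (not from the original post or from US-CERT): check and,
# with -Fix, apply the AutoRun hardening described above on the local machine.
# Assumptions: the fix shows up as HotFixID 'KB953252' (XP/2003) or 'KB950582'
# (MS08-038 on Vista/2008) in Win32_QuickFixEngineering. Run elevated.
param([switch]$Fix)

# Machine-wide policy value read by Explorer; it overrides the per-user value.
# Each bit disables AutoRun for one drive type. 0xFF covers all of them.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$desired   = 0xFF
$driveBits = @{
    0x01 = 'unknown type';  0x02 = 'no root directory'; 0x04 = 'removable'
    0x08 = 'fixed';         0x10 = 'network';           0x20 = 'CD-ROM'
    0x40 = 'RAM disk';      0x80 = 'unrecognised type'
}

function Get-AutoRunPolicy {
    # Returns the current DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

# 1. Is the fix that makes Windows honour the value actually installed?
#    Without it, the registry value is silently ignored (the US-CERT finding).
$hotfix = @(Get-WmiObject Win32_QuickFixEngineering |
            Where-Object { $_.HotFixID -match '^KB(953252|950582)$' })
if ($hotfix.Count -gt 0) {
    Write-Host ("Hotfix present: {0}" -f (($hotfix | ForEach-Object { $_.HotFixID }) -join ', '))
} else {
    Write-Warning 'KB953252 / MS08-038 not found: NoDriveTypeAutoRun is NOT enforced until it is installed.'
}

# 2. Does the value cover every drive type?
$current = Get-AutoRunPolicy
if ($null -eq $current) {
    Write-Warning "$valueName is not set under $policyKey."
} elseif ($current -ne $desired) {
    $open = $driveBits.Keys | Where-Object { ($current -band $_) -eq 0 } |
            ForEach-Object { $driveBits[$_] }
    Write-Warning ("{0} is 0x{1:X2}; AutoRun still allowed for: {2}" -f $valueName, $current, ($open -join ', '))
} else {
    Write-Host ("{0} is 0x{1:X2}: AutoRun disabled for all drive types." -f $valueName, $current)
}

# 3. Optionally set it. Explorer picks the change up at the next logon.
if ($Fix -and $current -ne $desired) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $desired -Type DWord
    Write-Host ("Set {0} = 0x{1:X2} under {2}" -f $valueName, $desired, $policyKey)
}
```

    The point of checking the hotfix and the value together is exactly the one US-CERT made: a machine with NoDriveTypeAutoRun already at 0xFF but without the update looks hardened in the registry while AutoRun still runs from removable media.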

    Roger
  • Apple releases Keyboardless Laptop

    Wow, there is news we cannot keep up with. Apple just announced the first laptop without a keyboard:

    and additionally the new Mac Tiny:

    They even talk about the Mac Nano in this video.

    Enjoy

    Roger

  • Conficker and Microsoft Anti-Malware Software

    I want to add a few things, as it is still not over: more and more enterprises are still being hit. My last blog post showed you what you can do, but I wanted to add two resources and a comment.

    The comment first: there were some discussions about our anti-malware solution. We have had protection in all our products (Forefront, OneCare, our Online Safety Scanner) since December 29th. Additionally, MSRT (the Malicious Software Removal Tool) has removed Conficker since yesterday.

    A lot of the infections we see at the moment are because of:

    • Unpatched machines
    • AV software still not detecting this malware. So you should definitely think about which AV solution you run in the future if, three weeks after such an outbreak, you are still unprotected!

    Now to the two resources:

    Our Malware Protection Center published a post on Conficker yesterday with an excellent picture of the infection vectors.


    And the Microsoft Security Response Center posted as well.

    Roger