Infected with Conficker Worm.
Some or all of the following symptoms are present:
- Network slowdown caused by infected machines hammering each other
- Heavy traffic on ports 139 and 445
- Machines trying to access many gibberish domains
- Machines constantly broadcasting (pinging) other machines
- Accounts constantly getting locked out as the worm tries to crack passwords, which results in failed logins
- Many 529, 675, 680, 681 events in the Security log on servers (all audit-failure events recording failed logons)
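The failed-logon symptom above is easiest to confirm from the server Security logs: an infected machine produces a burst of failures against many different accounts from a single source workstation. The script below is an added example (not part of the original article) that counts the article's four event IDs per source workstation inside a sliding time window and flags the hosts that cross a threshold. The log lines are constructed for illustration, and the comma-separated layout (timestamp, event ID, target account, source workstation) is an assumed export format, not a Windows-defined one.

```python
"""Flag workstations generating bursts of failed-logon audit events.

Added example, not part of the original KB article. The sample log is
constructed; the field layout (timestamp, event id, target account, source
workstation) is an assumption about how the events were exported.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The Security log event IDs the article lists as failed-logon indicators.
FAILED_LOGON_EVENTS = {529, 675, 680, 681}

# Constructed sample export. WS-014 behaves like an infected machine
# (many accounts, many failures in a few seconds); WS-022 is a normal user
# who mistypes a password now and then (528 is not a failure ID and is ignored).
SAMPLE_LOG = """\
2009-03-02 08:00:01,529,jsmith,WS-014
2009-03-02 08:00:02,529,jsmith,WS-014
2009-03-02 08:00:02,680,jsmith,WS-014
2009-03-02 08:00:03,529,asmith,WS-014
2009-03-02 08:00:03,681,asmith,WS-014
2009-03-02 08:00:04,529,bjones,WS-014
2009-03-02 08:00:04,675,bjones,WS-014
2009-03-02 08:00:05,529,cwong,WS-014
2009-03-02 08:00:05,529,cwong,WS-014
2009-03-02 08:00:06,529,dlee,WS-014
2009-03-02 08:05:00,529,mjones,WS-022
2009-03-02 08:15:00,528,mjones,WS-022
2009-03-02 08:20:00,529,mjones,WS-022
"""


def parse_line(line):
    """Split one exported line into (timestamp, event_id, account, source)."""
    ts, event_id, account, source = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source


def find_noisy_hosts(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {source_workstation: (total_failures, distinct_accounts)} for every
    source that produced at least `threshold` failed-logon events within any
    `window`-long span. Hosts that never reach the threshold are not reported."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, account, source = parse_line(raw)
        if event_id in FAILED_LOGON_EVENTS:
            events[source].append((ts, account))

    suspects = {}
    for source, items in events.items():
        items.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                accounts = {acct for _, acct in items}
                suspects[source] = (len(items), len(accounts))
                break
    return suspects


if __name__ == "__main__":
    for host, (failures, accounts) in sorted(find_noisy_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {failures} failed logons across {accounts} accounts")
```

A single workstation failing against five or more accounts inside a minute is the pattern the article describes; a real export will be larger, so tune `window` and `threshold` to your environment and feed the flagged hosts into the NMAP step later in the article.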
The following services may be stopped or disabled on infected machines:
- Error Reporting
- Automatic Updates
- Background Intelligent Transfer Service
- Windows Defender (if installed and not disabled by VIPRE already)
In addition, the worm:
- Blocks certain DNS lookups
- Exploits MS08-067 vulnerability in Server service
- Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
- Disables Safe Mode
- Disables AutoUpdate
- Kills anti-malware
- Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
- VIPRE Business
- All Supported Environments
- The first step is to implement the steps in this Microsoft KB article: http://support.microsoft.com/kb/962007. This must be completed first, or any fixes applied afterwards will be undone by the worm. (Follow the article carefully: modifying the permissions on the svchost registry key incorrectly can cause a total network outage that leaves you fixing every machine on the network by hand.)
- Ensure that all the Windows machines on your network are protected by VIPRE. Agents must be up to at least version 3.1.2848 to be fully protected from this threat. If there are any Agents not up to that version, or if there are any machines that do not currently have VIPRE installed, they will be the likely source of continued problems in removing Conficker.
- Infected machines on the network must be located and cleaned. To do this we recommend a utility called NMAP. NMAP has built-in Conficker detection and can accurately point out infected machines by analyzing the type of network traffic that they produce. NMAP will not clean the machines identified, it simply tells you which machines need to be deep scanned and rebooted. You can download the NMAP Windows installer here: http://nmap.org/dist/nmap-5.51-setup.exe
- During installation, NMAP will install WinPcap; you will need to allow this. WinPcap may already have been installed by another network sniffer, in which case NMAP will ask to uninstall the old version and install the new one. This is OK. You do not need the NPF service to auto-run; it will start as needed when you run NMAP. You will likely want NMAP to add itself to the system variables (PATH) so Windows knows where NMAP lives no matter which directory the cmd prompt is running from. The install should not require a restart unless you choose to have the NPF service auto-start, which is not needed; since a reboot is sometimes required anyway, it is a good idea not to install it on servers running business-critical services that cannot be interrupted. After the install is complete, the following procedure will direct NMAP to go hunting for any machines exhibiting Conficker-like behavior.
- The command to locate infected machines (from an open cmd prompt):
  nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 [target_networks] > outputfile.txt
  Example:
  nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 192.168.1.0-254 > c:\logs\conficker_scan1.txt
  The resulting text file is a list of machines that will need a VIPRE deep scan. You may want to run NMAP scans on smaller sections of the network at a time so you do not have large log files to look through. ***Don't change the safe=1 switch or you may crash machines.*** Other than the IP range and the output log file, leave the rest of the command "as is" for best results and highest safety. If you have more than one subnet, you will need to scan each one separately.
- The machines showing under the "likely infected" list are the ones you are most interested in. If VIPRE is installed on a machine and a scan finds nothing, it may just need a reboot to finish removing the worm from memory; until it is rebooted it will continue to generate traffic. If rebooting does not help, it is possible that the MS08-067 patch either was never installed or has been patched over by Conficker itself, so it will need re-installing.
- Once the identified machines have been scanned, cleaned and rebooted you will want to perform a couple more rounds of running NMAP to be certain there are no other infected machines online. Once that is done Conficker traffic should slow and then disappear as the infected machines that were causing it become clean through this process.
- Once you are comfortable that everything is cleaned up and you want to lift the restrictions set earlier, you can do so now.
- If you applied the GPO according to the Microsoft kb962007 article you cannot simply delete the GPO because doing that will leave the systems in a 'locked down' state.
- You will need to lift the restrictions set on the svchost registry key & the windows tasks folder otherwise you may run into issues down the road installing windows updates or any other software that needs write access to those objects.
- You should be able to edit the GPO & inherit the permissions from parent objects to restore the default permissions.
- The MS article you used to apply the GPO has instructions for resetting the permissions. This should be left in place for a few days to ensure all the PCs on the network get the updated GPO.
- You may consider leaving autorun disabled as an added layer of security against threats that use that method to spread.
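The NMAP step above leaves you with a text file per subnet to read through for "likely infected" hosts. The script below is an added example (not part of the original article or of NMAP) that splits a saved scan log into per-host sections and lists the hosts whose p2p-conficker or smb-check-vulns result says likely infected, so the output of several subnet scans can be reduced to a deep-scan-and-reboot list. The sample log is constructed; the wording of the script result lines follows the Nmap 5.x p2p-conficker and smb-check-vulns scripts as I recall it and may differ between versions, so the matched phrases are an assumption to verify against your own log.

```python
"""List the likely-infected hosts from a saved NMAP scan log.

Added example, not part of the original article. Reads the normal-format
output that the article's nmap command redirects to a text file. The sample
below is constructed; the exact script wording is an assumption based on the
Nmap 5.x p2p-conficker / smb-check-vulns scripts.
"""
import re
import sys

SAMPLE_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2009-03-02 09:00 Eastern Standard Time
Nmap scan report for 192.168.1.5
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 12345/tcp): INFECTED (Received valid data)
|   Check 2 (port 23456/tcp): INFECTED (Received valid data)
|   Check 3 (port 34567/udp): INFECTED (Received valid data)
|   Check 4 (port 45678/udp): INFECTED (Received valid data)
|_  4/4 checks are positive: Host is likely INFECTED
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_  Conficker: Likely INFECTED

Nmap scan report for fileserver.example.local (192.168.1.20)
Host is up (0.00090s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 11111/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 22222/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 33333/udp): CLEAN (Failed to receive data)
|   Check 4 (port 44444/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or infected with a non-default P2P port
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_  Conficker: Likely CLEAN

Nmap scan report for 192.168.1.33
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp closed microsoft-ds

Nmap done: 254 IP addresses (3 hosts up) scanned in 45.12 seconds
"""

# Host header with an optional "hostname (ip)" form; group 2 is the IP when a
# name was resolved, otherwise group 1 holds the bare IP.
HOST_HEADER = re.compile(r"^Nmap scan report for (.+?)(?: \((\d+\.\d+\.\d+\.\d+)\))?$", re.M)
CHECKS = re.compile(r"(\d+)/(\d+) checks are positive")


def split_hosts(scan_text):
    """Yield (ip, section_text) for each host section in the log."""
    headers = list(HOST_HEADER.finditer(scan_text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(scan_text)
        yield m.group(2) or m.group(1), scan_text[m.end():end]


def likely_infected(scan_text):
    """Return {ip: "positive/total checks"} for hosts nmap reports as likely
    infected. Hosts flagged only by smb-check-vulns get the label "smb-check-vulns"."""
    hits = {}
    for ip, section in split_hosts(scan_text):
        # "likely infected" does not match the clean-host wording
        # "CLEAN or infected with a non-default P2P port"
        if "likely infected" in section.lower():
            m = CHECKS.search(section)
            hits[ip] = f"{m.group(1)}/{m.group(2)}" if m else "smb-check-vulns"
    return hits


if __name__ == "__main__":
    # Usage: python find_infected.py c:\logs\conficker_scan1.txt (script name assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for ip, score in sorted(likely_infected(text).items()):
        print(f"{ip}\t{score}\tVIPRE deep scan and reboot")
```

Run it once per subnet log, then rerun after the cleanup round; a host that stays on the list after a VIPRE scan and reboot is the case the article describes where the MS08-067 patch needs re-installing.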
- VIPRE policy configuration recommendations
- For the policies that contain general users, leave on-access scanning at the half-way setting
- This should not cause any performance issues, yet gives VIPRE the chance to react faster to incoming threats before they have a chance to execute
- If the servers run fine at the half-way setting, it will not hurt to leave them there
- As long as you have the recommended exclusions in place, performance should not be hindered
- Scanning USB devices should be left enabled across the board
- Scanning for rootkits should be left enabled across the board
- If anything gets through again, those settings should give you the earliest possible warning, making it easier to contain the infection to a much smaller number of machines if it does reach more than one
General infection of a worm.