Tracking Down Conficker

Posted by beakersoft | Posted in IT Info | Posted on 14-04-2009


I have recently had the unfortunate experience of having to clean up a network that was hit by the Conficker worm. It is a pain to get rid of and caused us a lot of problems, so this is a quick guide to how we went about cleaning it up. It might not work exactly the same for you, but it should give you some pointers.

Accounts locking out

This was probably the biggest pain for us. One of the ways the worm spreads itself is over SMB shares: it enumerates accounts from Active Directory or the local machine and then tries a built-in list of common passwords against each one to get at the shares. If you have an account lockout policy in place (I would imagine most places do), the accounts it finds become locked very quickly.

To get round this rather large issue temporarily, we wrote a script that we ran every minute or so on each of the Active Directory boxes; it simply goes through the entire domain and unlocks every locked account. We ran it from the Task Scheduler as two separate users, in case one of them was locked out when the task fired.

Obviously this isn't a long-term solution: while it is running, lockout gives no protection against the password guessing, so any account with a weak password is exposed. Remove it once you are reasonably happy the worm is no longer locking accounts out.

You can download the script here
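As an added illustration of the stop-gap described above (this is not the script the post links to, which isn't reproduced here), the PowerShell below unlocks every locked-out user in the domain and logs what it did. It assumes the ActiveDirectory module from RSAT is available; the log path, exclusion list and scheduled-task names are placeholders.

```powershell
# Added example, not the post's original script.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Unlock-AllLockedAccounts {
    param(
        # Bad-password attempts are forwarded to the PDC emulator and the lockout is
        # set there, so query and unlock on that DC rather than whichever one answers.
        [string]$Server = (Get-ADDomain).PDCEmulator,
        # Accounts you deliberately want to stay locked.
        [string[]]$Exclude = @(),
        [string]$LogFile = 'C:\Temp\conficker-unlock.log'   # placeholder path
    )

    $locked   = @(Search-ADAccount -LockedOut -UsersOnly -Server $Server)
    $unlocked = @()

    foreach ($acct in $locked) {
        if ($Exclude -contains $acct.SamAccountName) { continue }
        try {
            Unlock-ADAccount -Identity $acct.DistinguishedName -Server $Server -ErrorAction Stop
            $unlocked += $acct.SamAccountName
        } catch {
            Write-Warning "Could not unlock $($acct.SamAccountName): $_"
        }
    }

    # Keep a record: which accounts are being hammered is itself a lead when you
    # go looking for the machine doing the guessing.
    $fields = @(
        (Get-Date -Format s)
        $locked.Count
        $unlocked.Count
        ($unlocked -join ',')
    )
    Add-Content -Path $LogFile -Value ('{0} locked={1} unlocked={2} accounts={3}' -f $fields)
    $unlocked
}

Unlock-AllLockedAccounts

# Schedule it every minute as the post describes, once under each of two accounts
# so one copy still fires if the other account is locked out (placeholder names):
#   schtasks /Create /SC MINUTE /MO 1 /TN "Unlock-A" /RU CORP\svc-unlock1 /RP * ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Unlock-AllLockedAccounts.ps1"
```

The function returns the names it unlocked, so the scheduled task's log doubles as a running list of the accounts the worm is targeting; the `-Exclude` list lets you keep a specific account locked while the rest of the domain is being unlocked.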

Finding The Infections

There are quite a few tools around for finding infections, which work with varying degrees of success. The main one we used is from eEye Digital Security, available at http://www.eeye.com/html/downloads/other/ConfickerScanner.html. It scans a subnet and tells you which hosts are infected and which are vulnerable (unpatched).

You can also use a beta version of nmap, which likewise reports which hosts it thinks are infected and which are vulnerable to the worm; details at http://www.skullsecurity.org/blog/?p=209. Both scanners work over the network, so machines that are switched off or firewalled at the time are missed; rescan later rather than assuming they are clean.

We also used an in-house tool that logs every account lockout to a database so that we can trace the actual machines that are locking users out; this has been the most proactive way of finding infected machines. You can read more about the system we use in a previous post here
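The same idea as the in-house lockout tracker, as an added example rather than the system the post refers to: every lockout is recorded on the PDC emulator as security event 4740 (event 644 on Windows 2000/2003 domain controllers), and the event names the computer the bad passwords came from. The function below pulls the locked-out account and caller computer out of those messages and counts lockouts per source machine, so infected hosts float to the top. The sample messages are constructed for the example; the live query function assumes a 2008-or-later DC reachable by `Get-WinEvent` and the ActiveDirectory module for locating the PDC emulator.

```powershell
# Added example, not the post's in-house tool.

function Get-LockoutSources {
    param([string[]]$Messages)   # event message texts in 4740 or 644 format

    # 4740 (Vista/2008+): "...Account That Was Locked Out: ... Account Name: <user>
    #                      ... Caller Computer Name: <host>"
    # 644  (2000/2003):    "...Target Account Name: <user> ... Caller Machine Name: <host>"
    $patterns = @(
        'Account That Was Locked Out:.*?Account Name:\s+(?<user>\S+).*?Caller Computer Name:\s+(?<src>\S+)',
        'Target Account Name:\s+(?<user>\S+).*?Caller Machine Name:\s+(?<src>\S+)'
    )

    $hits = foreach ($msg in $Messages) {
        foreach ($p in $patterns) {
            $m = [regex]::Match($msg, $p, 'Singleline')
            if ($m.Success) {
                New-Object PSObject -Property @{
                    # 4740 sometimes prefixes the caller with \\; normalise the name
                    Source = $m.Groups['src'].Value.TrimStart('\').ToUpper()
                    User   = $m.Groups['user'].Value
                }
                break
            }
        }
    }

    $hits | Group-Object Source | ForEach-Object {
        New-Object PSObject -Property @{
            Source   = $_.Name
            Lockouts = $_.Count
            Accounts = ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Lockouts -Descending
}

function Get-LockoutSourcesFromPdc {
    param([int]$Hours = 2)
    # Lockouts are always forwarded to the PDC emulator, so its Security log is the
    # one place that sees every lockout in the domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    }
    # On a 2003 DC use instead:
    #   Get-EventLog -ComputerName $pdc -LogName Security -After (Get-Date).AddHours(-$Hours) |
    #       Where-Object { $_.EventID -eq 644 }
    Get-LockoutSources -Messages ($events | ForEach-Object { $_.Message })
}

# Constructed sample: three 4740 events and one 644-style event.
$sample = @(
@'
A user account was locked out.

Account That Was Locked Out:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       jsmith

Additional Information:
    Caller Computer Name:   \\WS-0412
'@,
@'
A user account was locked out.

Account That Was Locked Out:
    Security ID:        S-1-5-21-1111-2222-3333-1106
    Account Name:       bjones

Additional Information:
    Caller Computer Name:   WS-0412
'@,
@'
A user account was locked out.

Account That Was Locked Out:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       jsmith

Additional Information:
    Caller Computer Name:   WS-0412
'@,
@'
User Account Locked Out:
    Target Account Name:    jsmith
    Target Account ID:      CORP\jsmith
    Caller Machine Name:    FILESRV
'@
)

Get-LockoutSources -Messages $sample | Format-Table Source, Lockouts, Accounts -AutoSize
```

On the sample, WS-0412 is reported with three lockouts across two accounts and FILESRV with one; on a live domain the top of that table is where to start looking for the infected machine, and a host that appears with many different accounts is a far stronger signal than one user locking themselves out repeatedly.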

On the infected machines themselves there are various pointers: several services get stopped (including Server, Workstation, BITS and Windows Update), and the machine can become completely unresponsive because the worm hammers the processor and memory.

Also, on machines that aren't necessarily infected themselves you may find lots of new scheduled tasks called At1, At2 and so on; other infected machines on the network will have created these. Most of the clean-up tools don't seem to delete them, so you have to remove them manually.

Cleaning the Infections

Once you have identified the infected machines you need to clean them. In theory the anti-virus software should just find the worm and quarantine it, but in a lot of cases it doesn't. When we found an infected machine this is the process we used.

  • First kill the worm's process in memory. We used the Symantec W32.Downadup Removal tool, available here. Rename the executable to something random so the worm doesn't just kill it off, then run it. Once it has got past processing the applications in memory, cancel it. It will complain that it hasn't checked all the files, but it should have killed the process and removed the registry entries that start it, so it won't come back on the next reboot. It will ask you to reboot to clean up everything else, but don't yet.
  • Before rebooting make sure you have the patch on (MS08-067, KB958644); download it from here. Note that the patch appears to need at least Service Pack 2 on XP, SP4 on 2000 and SP1 on 2003 to install. Fetch the removal tool and the patch on a clean machine if you can, since later variants of the worm block DNS lookups for Microsoft and anti-virus vendor sites from an infected host. Once you are patched, reboot the machine.
  • When the machine comes back, hopefully the worm won't have loaded back into memory. Update your anti-virus software with the latest signatures (or install some if, God forbid, there is none installed!), then run a full scan of the machine. This should find the files and quarantine them, allowing you to delete them.
  • Look in Scheduled Tasks and remove any called At1, At2 etc.
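To check that a machine has actually come out of that procedure clean, here is an added per-host check (not from the original post) that covers the things the post says to look at: the services the worm stops, whether the patch is present, and any leftover At jobs. It assumes KB958644 (the MS08-067 fix) is the patch in question, that it runs from an elevated Windows PowerShell prompt on the machine itself, and that `schtasks.exe` is available (it is on XP/2003 and later).

```powershell
# Added example, not from the original post: post-cleanup triage for one host.

function Test-ConfickerCleanup {
    param([switch]$RemoveAtTasks)   # also delete the At1/At2... jobs the worm creates

    # 1. Services the post says the worm stops. Display name -> service name.
    #    The worm disables them rather than just stopping them, so check StartMode too.
    $expected = @{
        'Server'         = 'LanmanServer'
        'Workstation'    = 'LanmanWorkstation'
        'BITS'           = 'BITS'
        'Windows Update' = 'wuauserv'
    }
    $services = foreach ($display in $expected.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$($expected[$display])'"
        New-Object PSObject -Property @{
            Service   = $display
            State     = $svc.State
            StartMode = $svc.StartMode
            Healthy   = ($svc.State -eq 'Running' -and $svc.StartMode -ne 'Disabled')
        }
    }

    # 2. Is the MS08-067 fix installed?
    $patched = [bool](Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)

    # 3. At jobs planted through the AT service by other infected hosts.
    #    schtasks lists them as At1, At2 ... (with a leading backslash on Vista and later).
    $atTasks = @(schtasks /Query /FO CSV 2>$null | ConvertFrom-Csv |
                 Where-Object { $_.TaskName -match '^\\?At\d+$' })
    if ($RemoveAtTasks) {
        foreach ($t in $atTasks) { schtasks /Delete /TN $t.TaskName /F | Out-Null }
    }

    New-Object PSObject -Property @{
        Host            = $env:COMPUTERNAME
        Patched         = $patched
        ServicesHealthy = -not ($services | Where-Object { -not $_.Healthy })
        Services        = $services
        AtTasks         = @($atTasks | ForEach-Object { $_.TaskName })
        AtTasksRemoved  = [bool]$RemoveAtTasks
    }
}

$result = Test-ConfickerCleanup
$result | Format-List Host, Patched, ServicesHealthy, AtTasks
$result.Services | Format-Table Service, State, StartMode, Healthy -AutoSize
```

Run it once to see the state, then with `-RemoveAtTasks` to clear the jobs. As long as other infected machines remain on the network the At jobs will keep reappearing, so an empty `AtTasks` on a repeat run is a useful sign that the neighbours are clean too. A service showing `StartMode` of `Disabled` needs its startup type put back (`Set-Service -StartupType Automatic` followed by `Start-Service`) before Windows Update and BITS will work again.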

Hopefully now, even if the machine is attacked again, the anti-virus software will pick the worm up and stop it doing any harm.

If anyone else has any more info on detecting or cleaning up this beast, feel free to email me or leave a comment and I will update this post.