Sunday, April 10, 2016

How to remove Conficker worm

Infected with Conficker Worm.

Some or all of the following symptoms are present:

    Network slowdown caused by infected machines hammering each other
    Heavy traffic on ports 139 and 445
    Machines trying to access many gibberish domains
    Machines constantly broadcasting (pinging) other machines
    Accounts constantly getting locked out as the worm tries to crack passwords, resulting in failed logins
    Many 529, 675, 680, 681 events in the security logs on servers (all audit failures for failed logins)
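As an added example (not part of the original article), this Python triages Security-log export lines for the failed-logon event IDs listed above and flags any source machine that failed against many distinct accounts, which is the password-cracking pattern an infected host produces. The CSV layout and the sample lines are constructed assumptions, not real log data.

```python
import re
from collections import defaultdict

# Event IDs the article lists as symptoms; on pre-Vista Windows they are all
# audit-failure logon events (529/681 logon failure, 675 Kerberos pre-auth
# failure, 680 NTLM account logon failure).
CONFICKER_LOGON_FAILURE_IDS = {529, 675, 680, 681}

# Constructed sample lines (not real data); the column layout
# "timestamp,event_id,account,source_host" is an assumed CSV export format.
SAMPLE_LOG = """\
2016-04-10 09:00:01,529,jsmith,WS-17
2016-04-10 09:00:01,529,mjones,WS-17
2016-04-10 09:00:02,680,admin,WS-17
2016-04-10 09:00:02,529,backup,WS-17
2016-04-10 09:00:03,681,svc_sql,WS-17
2016-04-10 09:00:03,675,guest,WS-17
2016-04-10 09:01:40,529,jsmith,WS-03
2016-04-10 09:02:10,528,jsmith,WS-03
2016-04-10 09:05:00,529,kdoe,WS-22
"""

LINE_RE = re.compile(r"^(?P<ts>[^,]+),(?P<eid>\d+),(?P<acct>[^,]+),(?P<src>[^,]+)$")

def parse_failures(text):
    """Yield (event_id, account, source_host) for the listed failure IDs only."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        eid = int(m.group("eid"))
        if eid in CONFICKER_LOGON_FAILURE_IDS:
            yield eid, m.group("acct"), m.group("src")

def suspicious_sources(text, min_accounts=3):
    """Return {source_host: sorted distinct accounts} for hosts whose failed
    logons span at least min_accounts different accounts: one machine
    spraying many accounts is the worm's brute-force signature."""
    accounts_by_src = defaultdict(set)
    for _eid, acct, src in parse_failures(text):
        accounts_by_src[src].add(acct)
    return {src: sorted(a) for src, a in accounts_by_src.items()
            if len(a) >= min_accounts}

if __name__ == "__main__":
    for src, accts in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(accts)} accounts failed -> deep scan and reboot")
```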

The following services may be stopped or disabled on infected machines:

    Error Reporting
    Automatic Updates
    Background Intelligent Transfer Service
    Windows Defender (if installed and not already disabled by VIPRE)

Other behaviors of the worm:

    Blocks certain DNS lookups
    Exploits the MS08-067 vulnerability in the Server service
    Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
    Disables Safe Mode
    Disables AutoUpdate
    Kills anti-malware
    Scans for and terminates processes whose names match anti-malware, patch or diagnostic utilities, at one-second intervals


ENVIRONMENT

    VIPRE Business
    All Supported Environments


SOLUTION

    The first step is to implement the steps in this Microsoft KB article: http://support.microsoft.com/kb/962007. This has to be done first, or any fixes that are applied will be undone by the worm. (Please follow the article carefully. Modifying the permissions on the svchost key incorrectly can lead to a total network outage, resulting in having to fix every machine on the entire network manually.)
    Ensure that all the Windows machines on your network are protected by VIPRE. Agents must be up to at least version 3.1.2848 to be fully protected from this threat. If there are any Agents not up to that version, or if there are any machines that do not currently have VIPRE installed, they will be the likely source of continued problems in removing Conficker.
    Infected machines on the network must be located and cleaned. To do this we recommend a utility called NMAP, which has built-in Conficker detection and can accurately point out infected machines by analyzing the type of network traffic they produce. NMAP will not clean the machines identified; it simply tells you which machines need to be deep scanned and rebooted. You can download the NMAP Windows installer here: http://nmap.org/dist/nmap-5.51-setup.exe
    During installation, NMAP will install WinPcap; allow this. WinPcap may already have been installed by another network sniffer, in which case NMAP will ask to uninstall the old version and install the new one. This is OK. You do not need the NPF service to auto-run; it starts as needed when you run NMAP. You will likely want the installer to add NMAP to the system variables so Windows can find it no matter which directory the cmd prompt is running from. The installer usually prompts for a reboot, so it might be a good idea not to put it on servers running business-critical services that cannot be interrupted; a restart should not actually be needed unless you want the NPF service to auto-start, which is not required. After the install is complete, the following procedure directs NMAP to hunt for any machines exhibiting Conficker-like behavior.
    The command to locate infected machines (from an open cmd prompt):

        nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 [target_networks] > outputfile.txt

    Example:

        nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=safe=1 -T4 -vv -p445 192.168.1.0-254 > c:\logs\conficker_scan1.txt

    The resulting text file is a list of machines that will need a VIPRE deep scan. You may want to run NMAP against smaller sections of the network at a time so you do not have large log files to look through. *** Do not change the safe=1 switch or you may crash machines. *** Other than the IP range and the output log file, leave the rest of the command "as is" for best results and highest safety. If you have more than one subnet, you will need to scan each one separately.
    The machines showing under the "likely infected" list are the ones you are most interested in. If VIPRE is installed on those machines and a scan finds nothing, they may just need a reboot to finish removing the worm from memory. If the machines are not rebooted they will continue to generate traffic. If rebooting does not help, it is possible that the MS08-067 patch either is not installed or has been patched over by Conficker itself, so it will need re-installing.
    Once the identified machines have been scanned, cleaned and rebooted you will want to perform a couple more rounds of running NMAP to be certain there are no other infected machines online. Once that is done Conficker traffic should slow and then disappear as the infected machines that were causing it become clean through this process.
    Once you are comfortable that everything is cleaned up and you want to lift the restrictions set earlier, you can do so now.
    If you applied the GPO according to the Microsoft kb962007 article you cannot simply delete the GPO because doing that will leave the systems in a 'locked down' state.
    You will need to lift the restrictions set on the svchost registry key & the windows tasks folder otherwise you may run into issues down the road installing windows updates or any other software that needs write access to those objects.
    You should be able to edit the GPO & inherit the permissions from parent objects to restore the default permissions.
    The MS article you used to apply the GPO has instructions for resetting the permissions. This should be left in place for a few days to ensure all the PCs on the network get the updated GPO.
    You may consider leaving autorun disabled as an added layer of security against threats that use that method to spread.
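As an added example (not part of the original article), this Python reads the text file the NMAP command above writes and pulls out the hosts whose p2p-conficker summary says "likely INFECTED", giving the deep-scan list for VIPRE. The sample output is constructed; the summary-line wording is taken from memory of the p2p-conficker script and is an assumption, not something the article quotes.

```python
import re

# Constructed sample of the -vv text output the scan command redirects to a
# log file (not real scan data; the p2p-conficker summary line is assumed).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.10
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 58349/tcp): INFECTED (Received valid data)
|_  4/4 checks are positive: Host is likely INFECTED

Nmap scan report for fileserver.corp.example (192.168.1.11)
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Nmap scan report for 192.168.1.12
445/tcp filtered microsoft-ds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
# The p2p-conficker summary line: "|_  N/M checks are positive: Host is ..."
VERDICT_RE = re.compile(r"^\|_?\s+(\d+)/(\d+) checks are positive: Host is (.+)$")

def parse_verdicts(text):
    """Return {ip: (positive_checks, total_checks, verdict)}; hosts with no
    p2p-conficker summary (for example, 445 filtered) are left out."""
    verdicts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VERDICT_RE.match(line)
        if m and current:
            verdicts[current] = (int(m.group(1)), int(m.group(2)), m.group(3).strip())
    return verdicts

def deep_scan_list(text):
    """IPs NMAP calls likely infected: the machines to deep scan with VIPRE and reboot."""
    return sorted(ip for ip, (_p, _t, v) in parse_verdicts(text).items()
                  if "likely INFECTED" in v)
```

Run it once per subnet log file and feed the returned list to the VIPRE deep scan, then re-run the NMAP scan afterwards as the article advises.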
    VIPRE policy configuration recommendations

    For the policies the general users are in, I would leave On Access at half.
    This should not cause performance issues, yet gives VIPRE the chance to react faster to incoming threats before they have a chance to execute.
    If the servers run fine at the halfway setting, it will not hurt to leave them there.
    As long as you have the recommended exclusions in place, performance shouldn't be hindered.
    Scanning USB devices should be left enabled across the board.
    Scanning for rootkits should be left enabled across the board.
    If anything ever gets through again, those settings should give you the earliest possible warning, making it easier to contain the threat to a much more limited number of machines if it does get onto more than one.

*https://support.threattracksecurity.com/support/solutions/articles/1000071176-threat-worm-conficker-removal-instructions

============================================================

W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base, estimated to be upwards of 3 million computers, that has the potential to do a lot of damage. This is largely attributed to the fact that it is capable of exploiting computers running unpatched Windows XP SP2 and Windows 2003 SP1 systems. Other worms released over the past few years have largely targeted older system versions, which have an ever decreasing distribution.

Infection
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was first discovered in late October 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic, it selectively queries various computers in an attempt to mask its activity. It also takes advantage of Universal Plug and Play to pass through routers and gateways.

It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.


Functionality
It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.

The worm blocks access to predetermined security-related websites so that it appears the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and disable Windows Security Alert notifications.

Download removal tool: https://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

*https://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
