Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Ch10: Remote Access Trojans and Zombie Networks

Conficker

The Conficker worm appeared since approximately November 2008 became more prominent in 2009 and still infect computers as of April 2013. It exists in several variants (sophos.com):

Like most complex malware it contains the code to detect whether it's running inside a virtual machine.

Conficker.C have turned the millions of compromised machines from isolated infections to a network of zombies capable of rapid malware distribution and somewhat resilient against infiltration of their communication paths.

Microsoft provided clear disinfection information that can be tuned to your particular situation (Virus alert about the Win32-Conficker worm)

The information in this Knowledge Base article is intended for business environments that have system administrators who can implement the details in this article. There is no reason to use this article if your antivirus program is cleaning the virus correctly and if your systems are fully updated. To confirm that the system is clean of the Conficker virus, perform a quick scan from the following Web page: http://www.microsoft.com/security/scanner/

(http://www.microsoft.com/security/scanner/)

For detailed information about the Conficker virus, visit the following Microsoft Web page:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

(http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker)

Back to the top | Give Feedback

Symptoms of infection

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

For more information about Win32/Conficker, visit the following Microsoft Malware Protection Center Web page:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker

(http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker)

Back to the top | Give Feedback

Propagation methods

Win32/Conficker has multiple propagation methods. These include the following:

Therefore, you must be careful when you clean a network so that the threat is not reintroduced to systems that have previously been cleaned.

Note The Win32/Conficker.D variant does not spread to removable drives or shared folders over a network. Win32/Conficker.D is installed by previous variants of Win32/Conficker.

Back to the top | Give Feedback

Prevention

Back to the top | Give Feedback

Mitigation steps

Stop Win32/Conficker from spreading by using Group Policy settings

Notes

Create a Group Policy object

Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.

To do this, follow these steps:

  1. Set the policy to remove write permissions to the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    This prevents the randomly named malware service from being created in the netsvcs registry value.

    To do this, follow these steps:

    1. Open the Group Policy Management Console (GPMC).
    2. Create a new GPO. Give it any name that you want.
    3. Open the new GPO, and then move to the following folder:

      Computer Configuration\Windows Settings\Security Settings\Registry

    4. Right-click Registry, and then click Add Key.
    5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:

      Software\Microsoft\Windows NT\CurrentVersion\Svchost

    6. Click OK.
    7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
    8. Click OK.
    9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
    10. Click OK.
  2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.

    To do this, follow these steps:

    1. In the same GPO that you created earlier, move to the following folder:

      Computer Configuration\Windows Settings\Security Settings\File System

    2. Right-click File System, and then click Add File.
    3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
    4. Click OK.
    5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
    6. Click OK.
    7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
    8. Click OK.
  3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

    NoteDepending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:

    To set AutoPlay (Autorun) features to disabled, follow these steps:
    1. In the same GPO that you created earlier, move to one of the following folders:
      • For a Windows Server 2003 domain, move to the following folder:

        Computer Configuration\Administrative Templates\System

      • For a Windows 2008 domain, move to the following folder:

        Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies

    2. Open the Turn off Autoplay policy.
    3. In the Turn off Autoplay dialog box, click Enabled.
    4. In the drop-down menu, click All drives.
    5. Click OK.
  4. Close the Group Policy Management Console.
  5. Link the newly created GPO to the location that you want it to apply to.
  6. Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment.
  7. After the Group Policy settings have propagated, clean the systems of malware.

    To do this, follow these steps:

    1. Run full antivirus scans on all computers.
    2. If your antivirus software does not detect Conficker, you can use the Microsoft Safety Scanner to clean the malware. For more information, visit the following Microsoft Web page: http://www.microsoft.com/security/scanner/

      (http://www.microsoft.com/security/scanner/)

      Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.
Back to the top | Give Feedback

Recovery

Run the Microsoft Safety Scanner.

The Microsoft Malware Protection Center has updated the Microsoft Safety Scanner. This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

Note The Microsoft Safety Scanner does not prevent reinfection because it is not a real-time antivirus program.

You can download the Microsoft Safety Scanner from the following Microsoft Web site:

http://www.microsoft.com/security/scanner/

(http://www.microsoft.com/security/scanner/)


Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support.To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site:

http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx

(http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx)

If Microsoft Security Essentials or Microsoft Forefront Client Security is running on the system, these programs also block the threat before it is installed.

Manual steps to remove the Win32/Conficker virus

Notes The following detailed steps can help you manually remove Conficker from a system:
  1. Log on to the system by using a local account.

    Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows for the malware to spread.

  2. Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.

    Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.

    To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps:

    1. Depending on your system, do the following:
      • In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
      • In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
    2. Double-click Server.
    3. Click Stop.
    4. Select Disabled in the Startup type box.
    5. Click Apply.
  3. Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
  4. Stop the Task Scheduler service.
  5. Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)

    Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.

  6. Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:

    http://technet.microsoft.com/en-us/library/cc875814.aspx

    (http://technet.microsoft.com/en-us/library/cc875814.aspx)
  7. In Registry Editor, locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

  8. In the details pane, right-click the netsvcs entry, and then click Modify.
  9. If the computer is infected with the Win32/Conficker virus, a random service name will be listed.

    Note With Win32/Conficker.B, the service name was random letters and was at the bottom of the list. With later variants, the service name may be anywhere in the list and may seem to be more legitimate. If the random service name is not at the bottom, compare your system with the "Services table" in this procedure to determine which service name may have been added by Win32/Conficker. To verify, compare the list in the "Services table" with a similar system that is known not to be infected.

    Note the name of the malware service. You will need this information later in this procedure.

  10. Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.

    Notes about the Services table


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

German Ministry of Education Throws Away PCs For 190,000 € Due To Infection

April 30, 2013 | Slashdot

gbjbaanb

Re:Money well spent

Conficker.... suddenly it becomes clear. I know an organisation that was infected, and they ended up spending 2 weeks with a Microsoft consultant to clear everything up. The problem is that it spreads too quickly, so when you clear a PC and move on to the next, it re-infects the first one. Silly old Microsoft.

So, if they upgraded their PCs too.... makes perfect sense. I wouldn't have binned the old ones though, I'd have wiped the HDDs and sold them or given them away.

AdmV0rl0n

Re: (Score:3)

This thread is disappointing. So much hate. Hate leads to fear, and fear leads to the dark side.

Anyway. Conflicker. Nasty. Simple. Old. A clean up is not easy, but conflicker requires some bad baselines to be operating for it to get through and thrive. If you fix the baseline issues, the clean up can follow. A clean susyem thats updated properly isn't infectable via conflicker.

So frankly a system sorted put back in should be fine. You'll obviously have to do this step by step and yes, there is a price. Mos

AdmV0rl0n

Re:Money well spent (Score:4, Interesting)

No, conflicker has worm elements. So, the hard part of the clean up is not per se an individual machine. Its that you need to solve the baseline problems that allow conflicker to do its thing.

Re-installing 'stuff' won't make this go away. Doing it wrong just reinfects the machine.
So, as I said, what has to be done is the cause and baselines that allow conflicker to replicate have to be solved (harder part) - and then machines with good baselines go through clean up and go back on the network (easier part..)

http://support.microsoft.com/kb/962007 [microsoft.com]

Any tech learning about conflicker can read about it, and start to understand what needs to be fixed. Patch, correct password weakenesses, stop autorun etc etc. Today, this is somewhat simple as a lot of tools and detection tools exist.

People in threat waving around Fdisk and re-install media saying 'they could fix this' - probably in fact are clueless and need to understand the problems involved. Conflicker breeds off poor security and bad baselines. Thats how it gets in. Thats how it replicates. Thats how it hangs around and re-infects.

AmiMoJo SJHillman

bickerdyke

Re:Money well spent

well... knowing the gouvernments worldwide a bit, those 13000 were probably the cost to get the malicious software removal kit certified and getting the permission to run it on oh-so-precious office machines....


Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Sites

Malware/Malware_defense_history/Ch10_rats_and_zombies_networks/Reprints/conficker-analysis.pdf



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019