Thursday, 5 March 2009

Conficker Worm



Well, after a few days battling the Conficker worm, I feel the need to write about it.

Background

I work for The Wellington Academy which is yet to be built. In September we take over the existing school but for the moment I am working from a nearby office. I do spend a few hours a week down at the current school trying to help out where I can. This will make the transition into the school a smoother one and gives me the opportunity to get to know the staff.

The beginning!

I mooched into the school at about 10 am and was told by the network manager that strange things were afoot. Account lockouts all over the school, and it seemed to be getting worse.

The investigation

I started looking at the logs and saw that the security log was full of 644 errors. Unfortunately the log size settings on the server were fairly small, so I could not go back far enough to see where it had started, but it was too late now. We were at war!
My guess is that someone inserted a USB stick at about 8 am and we were off and running, well, wriggling!
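The triage above (lots of 644 lockouts, log too short to show the start) is the kind of thing worth scripting, so here is an added example, not from the original post: it reads a constructed, simplified export of security events, ranks the caller machines by the lockouts they caused, and reports the earliest surviving lockout. The export format and the machine and account names are made up for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export, not a real log: one event per line as
# "timestamp,event_id,target_account,caller_machine". On Windows 2000/2003
# security event 644 is "User Account Locked Out" and its description names
# the caller machine, which is what points you at the infected host.
SAMPLE_LOG = """\
2009-03-05 08:02:11,644,jsmith,ICT-LAB-07
2009-03-05 08:02:14,540,jsmith,ICT-LAB-01
2009-03-05 08:03:40,644,abrown,ICT-LAB-07
2009-03-05 08:05:02,644,tgreen,LIB-PC-03
2009-03-05 08:07:59,644,mwhite,ICT-LAB-07
2009-03-05 08:09:13,529,mwhite,ICT-LAB-07
2009-03-05 08:10:30,644,kjones,ICT-LAB-07
"""

LOCKOUT_EVENT_ID = "644"


def parse_events(text):
    """Yield (timestamp, event_id, account, machine) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, machine = (f.strip() for f in line.split(",", 3))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, machine


def lockout_report(text):
    """Rank caller machines by lockouts caused and note the earliest one seen."""
    per_machine = Counter()
    accounts = defaultdict(set)
    first_seen = None
    for ts, event_id, account, machine in parse_events(text):
        if event_id != LOCKOUT_EVENT_ID:
            continue
        per_machine[machine] += 1
        accounts[machine].add(account)
        # Oldest *surviving* lockout only: if the log has wrapped, as it had
        # here, the real start is earlier than this.
        if first_seen is None or ts < first_seen:
            first_seen = ts
    return {
        "first_lockout": first_seen,
        "lockouts_by_machine": dict(per_machine),
        "accounts_by_machine": {m: sorted(a) for m, a in accounts.items()},
        "likely_source": per_machine.most_common(1)[0][0] if per_machine else None,
    }
```

The machine with the most lockouts against the most distinct accounts is the first one to pull off the network; one noisy machine locking out many users is a different picture from many users mistyping passwords.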

Let the battle commence

After some brisk reading you can easily see that this is the fastest growing worm on the net.
It really is an amazing piece of programming! Talk about working out your market and placing a product right in the middle that nobody can resist!
The first thing you notice is that the worm spreads via different methods, making it very difficult to stop. It really brings new meaning to the word wriggle!
1) A bug in Microsoft's Windows that the worm exploits
2) Propagating via file shares
3) USB drives, by infecting the autorun

What we quickly became aware of was that the cleanup tools were slightly misleading, so we had to use a selection of them to make sure we kept bashing the worm.

You can quickly see that if you close only two out of three of those avenues, you are still infected.
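Taking the autorun angle (item 3) from the defender's side, here is an added example that is not from the original post: a small Python audit of autorun.inf files (for instance on a USB stick or at the root of a file share) that reports any entry able to launch code when the drive is inserted or opened. The two sample files are constructed, and the risk heuristics are my own, not a description of any particular worm.

```python
import re

# Constructed autorun.inf samples (not taken from any real infection). Lines
# outside an [autorun] section, junk and ';' comments are ignored, as Windows does.
BENIGN = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

SUSPICIOUS = """\
[AutoRun]
;junk line the parser must skip
open=RunDLL32.EXE .\\RECYCLER\\hidden\\payload.dll,Entry
shellexecute=cmd.exe /c start .\\setup.exe
shell\\Open\\command=.\\RECYCLER\\x.exe
action=Open folder to view files
"""

# Keys that make Windows execute something when the drive is inserted or opened.
ACTION_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """List (key, value, reason) for entries that execute code from the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not ACTION_KEY.match(key):
            continue  # icon=, label=, action= only affect what the user sees
        low = value.lower()
        reason = "executes on insert/open; confirm the target is expected install media"
        if "rundll32" in low and ".dll" in low:
            reason = "loads a DLL via rundll32, unusual for install media"
        elif "recycler" in low:
            reason = "runs from a RECYCLER folder that is normally hidden from users"
        findings.append((key, value, reason))
    return findings
```

An empty result for a drive means nothing on it auto-executes; any finding is worth a look before the drive goes into a Windows machine, and disabling autorun by policy removes the avenue altogether.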

Stage 1 -> Clean your servers

Check your AV and patches on your servers.
They were using Sophos, which has a habit of not updating while letting you think all is good.
The servers, however, were on the latest AV as they had just been done during half term.
Just the patch then; don't forget to reboot.
NOTE: Although the servers had the latest AV, they still allowed the virus to wander across their file shares. This could still be the case if you had Linux or Mac servers running Windows file sharing: although they cannot be infected, they can still offer the virus a place to park itself and lie in wait for the next unsuspecting Windows system to connect.

Stage 2 -> Patch the systems

I wrote a quick install script to install the patch.
+++++++++++++++++++++++++++++++++
REM Skip the install if the marker file from a previous run is already present
IF EXIST c:\ms08.txt goto ms08

REM Install the patch silently
REM Replace Servername and Sharename with the share that you dropped the EXE into
Start /wait \\Servername\Sharename\WindowsXP-KB921883-x86-ENU.exe /norestart /quiet

REM Drop the marker file so the patch is not reinstalled on every boot
copy \\Servername\Sharename\ms08.txt c:\

:ms08
+++++++++++++++++++++++++++++++++
In hindsight it may be better to force a restart instead of using /norestart.

We started the hard work of bringing the PCs up one at a time and running the Conficker cleaner from Sophos. This gave some strange results, though, and was not proving accurate. It was also very time consuming, and with teaching deadlines we had to rethink our strategy.
I decided that we needed to make more impact faster by using the way it propagates to lop its head off.

Stage 3 -> Attack it from every angle!

+++++++++++++++++++++++++++++++++++++++++++++
Sophos specific settings

  1. Set the On-access scanner policy within the Enterprise Console to:
    • On-Read
    • On-Write
    • Deselect 'Automatically Cleanup'
    • Choose 'Do Nothing' as the action
  2. Ensure HIPS is set to:
    • Detect Suspicious Behaviour = True
    • Detect Buffer Overflow = True
    • Alert Only = False
  3. Enable the scanning of all files during on-demand scans:
    • Open the Anti-Virus policy(ies) on the Enterprise Console
    • Click on 'Extensions and Exclusions'
    • Tick the box to scan all files
    • Press OK

I was not happy that our Sophos client was installing everywhere around the network, so I wanted to force the install rather brutally.

REM Skip the install if the marker file from a previous run is already present
if exist "C:\Program Files\Sophos\764.txt" goto _EndAll

REM Replace servername with your Sophos distribution server
Start /wait \\servername\sophos\ESPX\Setup.exe yes

REM Drop the marker file so the install is not repeated on every boot
copy "\\servername\sophos\ESPX\764.txt" "C:\Program Files\Sophos\"

:_EndAll
+++++++++++++++++++++++++++++++++++++++++++++

We then enabled a group policy suggested by Sophos to contain/quarantine any infections.

http://www.sophos.com/support/knowledgebase/article/51169.html


Deploying the Malicious Software Removal Tool


Basically this is created by Microsoft to clean up nasty software.
It gets updated, so it is worth leaving it running on the network; it only adds a few minutes to boot-up.

Follow these instructions to deploy it.

http://support.microsoft.com/kb/891716


Deploying the Conficker Cleanup


Follow these instructions to the letter.

http://www.sophos.com/support/knowledgebase/article/51416.html#options


Watch it Die!


Do all of the above before switching on your computers again.
When they connect they will get the updated policies, install the patch, run the MSRT, run the cleanup tool, lock the firewall, lock the services and delete any Conficker scheduled tasks.

We also combined the above files into one long script that could be run from a CD, so that staff could take it home and run it on any home computers they may have infected.

To Sum Up


As we watch the worm die you really feel that it has been part of your life for a few days, and you wonder what made the author do it. Could you write a worm like that for Linux or Mac OS? I doubt it. I really do feel like it was living and now it's dying; it's like after you step on a real worm by accident and watch it try to wriggle away.

What I find worrying is that on a closed source operating system like Windows a programmer could create a virus that is this good (or bad). It makes you realise why they don't want to make it open source; I imagine the viruses would flock in at an amazing rate if they did. I guess when you have a product that is rotten at the core you dare not show the core to the world, but wrap it up in steel-belted cotton wool!
Guess that is why I like Linux! It's open, warts 'n' all.