Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Some conficker lessons learned - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Some conficker lessons learned

These are the lessons learned from a conficker outbreak at an academic campus. Thanks for writing in Jason.

The outbreak was not due to a lack of patching. The vast majority of the machines that were compromised via the worm were managed machines and were in fact patched up to date - including the patch for MS08-067 - and have actively maintained anti-virus software installed.

As a refresher, recall that conficker propagates via number of methods:

  • Removable media with auto-run.
  • Leveraging the privileges of the currently logged in user.
  • Exploiting un-patched vulnerabilities (MS08-067).
  • Brute-forcing credentials.

While we cannot currently release all relevant details regarding the outbreak at the (name removed), we'd like to share a few of the lessons learned.

  1. Ensure that when an average user logs in it does not allow them to mount via RPC resources on other workstations in the domain. (i.e. When Alice logs into her workstation she cannot mount the Admin$ share on Bob's machine without being prompted for credentials.) Using the GPO [Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentAccess this computer from the network] to limit RPC logins to workstations can be very helpful in this regard. see: <http://technet.microsoft.com/en-us/library/cc740196.aspx>
  2. Disable Auto-Run on all machines. This can also be accomplished via GPO.
  3. Ensure that all anti-virus software is very up-to-date and is enabled to "On-Access" scan for both the reading and writing of files.
  4. Ensure that all machines are patched for MS08-067, including vendor managed machines.
  5. Ensure that all privileged accounts have strong passwords. Apparently conficker is smart enough to enumerate accounts with elevated privileges such as Domain Admins. We observed conficker attempting to brute-force unique domain admin accounts.
  6. Monitor for 445/TCP scanning, particularly off-subnet scanning.
  7. Force all users to utilize a proxy to access the web.

We have yet to find a single virus removal tool that catches all payload dropped by conficker. As usual, reinstalling an infected system is the only way to ensure a return to a trusted platform.Hopefully this information can be useful to you and will help you limit any outbreaks of conficker that may appear on your campus.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Adrien de Beaupre

353 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!