Thursday, February 12, 2009

Why does it keep coming back?

Conficker (a.k.a Downadup) is a nasty worm, no doubt about it, but even though it's been out for ages, it would seem there's just no way to get rid of it...or is there?

A lot of our customers seem to be getting this feeling. "We've installed patch MS08-067, and removed the worm using our anti-virus or the MSRT, but we keep getting re-infected, " they say. Some even reached the (false) conclusion that 08-067 doesn't work. Well, I can assure you that the patch works, but the worm has several clever secondary infection schemes that make it very slippery.

1. If even a single machine on the network is still infected, it will attack all other machines on the subnet consistently and try to infect them, so until every machine has been cleaned, this problem won't be over.

2. The worm penetrates target machines by using accounts with weak passwords. Resetting all domain passwords and local accounts is a good step. If that's not possible, then the SERVER and TASK SCHEDULER service should also be stopped. This is drastic, but only temporary, while the machines are being cleaned up. Once there are no longer infected machines, these services can be brought back.

This sort of step is a big problem for Server Machines, which needs the Server service to do their job, but sometimes this is what needs to be done. Think of it as quarantining a sick patient until his medicine kicks in.

3. The worm infects removable drives, like USB disks, so if an admin uses a USB disk to copy a removal tool to infected machines, he may be, in fact, contributing to the spread of the worm. This can be averted by setting the removable drives to read-only, if the drive supports it. If your drive doesn't, consider getting an SD with a USB SD Reader, as SD cards all have a read-only physical switch. Another option is to burn a CD with the tools and use it instead of a removable drive.

I've heard from several IT administrators that forcing users to use strong passwords is a problem. In certain environments, where the users are very non-technical or lazy, and have a hard time remembering passwords, this is indeed hard. However, even though resetting passwords for users is an annoying chore, the solution is not to let everybody off with empty or suitcase passwords (1111, 1234 etc), as this worm is specifically designed to take advantage of such environments. An alternative is to use a self-service password reset tool. With this type of thing, a user who forgot his/her password would use another employee's computer, or a designated Kiosk computer to reset his password. Here are several products of this type:

Finally, here's a step by step, for an IT administrator in a large organization:

1) Use a Startup script ( to stop the SERVER and TASK SCHEDULER on all domain machines:
Net Stop Server
Net Stop Schedule

Or better yet: Set these services to Disabled:
SC CONFIG SERVER start= "disabled"
SC CONFIG SCHEDULE start= "disabled"

2) Use the startup script to deploy the 08-067 patch to all machines

3) Use the startup script to deploy the MSRT in QUIET mode to all machines (

4) Reboot all domain machines to make sure that the patch and MSRT run on all machines (can be automated using the SHUTDOWN command)

5) Inspect your AD security log using Event Viewer, and filter for event ID 539 - this will tell you which machines are infected and need cleaning up.

6) Once all machines are clean, and 539 events do not appear anymore, re-enable the services and open the champagne bottles!

No comments: