This is the fifth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
- The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
- The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways to prevent and recover from one of today's most destructive threats, should it infect your network and hold your data hostage.
- Third came Two Reasons why IPS is a "Must Have" for your Network, which illustrated how SEP's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
- The Day After: Necessary Steps after a Virus Outbreak is for use after the attacks have ended. This fourth article intends to help admins prevent further attacks and make recovery from any future infection as painless as possible.
This fifth article hopes to give admins the techniques they need to eliminate one of their network's most persistent pests: W32.Downadup, also known as the Conficker worm.
What is Downadup, and Why Won't it Go Away?
W32.Downadup is one of the most sophisticated threats to have emerged in recent years. It appeared in November 2008, and has been resident in thousands of organizations ever since.
Luckily, this is one threat that Symantec knows inside and out. There have been a few variations (W32.Downadup.B, W32.Downadup.C, W32.Downadup.E), but this is not a threat like Trojan.Zbot which is constantly evolving. W32.Downadup has stayed more or less the same since 2009. For full details, please see The Downadup Codex.
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), but installing that patch alone will not make a computer invulnerable. Exploiting that vulnerability is just one of its methods of spreading. An infected computer has several methods of infecting its neighbors and then staying there.
Help! Hundreds of Computers are Infected!!
Each infected machine will attempt to spread W32.Downadup to other computers that it can reach. If Symantec Endpoint Protection (SEP) is installed on those computers and is running with signatures newer than 2009, the Auto-Protect capabilities should be able to stop the computer from falling victim. However, it will log a successful detection of W32.Downadup, and that detection will be forwarded to the Symantec Endpoint Protection Manager (SEPM) to be displayed there. New admins running a Risk Report can give themselves a heart attack by seeing hundreds of W32.Downadup events from all across their company.
Examining the action taken for all those events will show the great majority of Actual Actions are successful protections against attempted infection.
The solution to a persistent W32.Downadup outbreak is to identify and clean the handful of computers in the network that are actually infected.
This will require action by the network admins. Having SEP installed on some of the computers in the network will not be enough to automatically safeguard the security of the organization. SEP is a good tool, but it is only one tool; it is up to the network admins to use it. SEP is also not a replacement for following best practices and proven computer security techniques.
The following article is full of good advice; it will be invaluable for fighting W32.Downadup and other outbreaks. The steps within may not be convenient, but they are necessary. Following these procedures will work.
Best Practices for Troubleshooting Viruses on a Network
Tracking Down the Infected Computers, Part 1: Downadup "Left Alone"
In certain circumstances, SEP can identify the malicious files but cannot delete or quarantine them. Search your Risk Report logs for W32.Downadup detections that are "left alone" or "partially repaired." The computers which are identified (two, in the illustration below) should be taken offline until properly cleaned of the threat; otherwise, the worm there will keep attempting to spread indefinitely.
Tracking Down the Infected Computers, Part 2: Risk Tracer
The SEPM's Risk Reports can also tell admins which computers are highly likely to have attempted to infect their peers. All details can be found in the following article:
What is Risk Tracer?
Article URL http://www.symantec.com/docs/TECH102539
Enable and use Risk Tracer to locate those computers in the organization that are infected with W32.Downadup, then isolate them! Only let them back onto the network when they are completely clean and secure.
In many cases, W32.Downadup remains in a network for years because there is an old server or desktop in a corner somewhere which has no functioning AntiVirus program on it at all. To completely eliminate this threat (and close a big hole in your company's overall security) all computers that can communicate with the network must have working AV defenses; no exceptions!
Tracking Down the Infected Computers, Part 3: IPS Attack Logs
If Risk Tracer is not enabled in your organization or is not functioning, then the logs of SEP's optional IPS component serve as an excellent indicator. The "Identifying Unprotected Computers" section of the article Two Reasons why IPS is a "Must Have" for your Network provides an illustration of how to identify the Remote Hosts which are sending out W32.Downadup's malicious traffic.
If you are seeing "[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked." entries, then W32.Downadup is the cause.
[SID: 23179] Intrusion Detection alerts received on a Symantec Endpoint Protection client for ntoskrnl.exe
Article URL http://www.symantec.com/docs/TECH131438
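As an added example (not Symantec's code or part of the original article), the following Python script shows how the checks from Part 1 and Part 3 can be run against exported logs: it flags computers whose W32.Downadup detections were only "Left Alone" or "Partially Repaired", counts which Remote Hosts sent the blocked SID 23179 traffic, and merges both into a single isolation list. The CSV layouts, host names and IP addresses are all constructed; real SEPM exports carry more columns, so map the column names to your own export.

```python
"""Added example (not Symantec code): triage constructed SEPM log exports to
decide which computers to isolate.

Assumptions: the two CSV layouts below are simplified stand-ins for a SEPM
Risk log export (Part 1) and an IPS Attack log export (Part 3). Real exports
carry more columns and may name them differently; only the columns used
here need to be present or mapped.
"""
import csv
import io
from collections import Counter

# Risk log actions that mean the file is still on disk: the threat was seen
# but SEP could not fully remove it, so the computer is still a live spreader.
UNRESOLVED_ACTIONS = {"left alone", "partially repaired"}

# Signature ID SEP's IPS component logs when it blocks the MSRPC Server
# Service (CVE-2008-4250) exploit attempt that W32.Downadup uses to spread.
DOWNADUP_SID = "[SID: 23179]"

# Constructed sample Risk log export.
RISK_LOG = """\
Time,Computer,Risk Name,Actual Action
2014-03-02 09:10,WS-001,W32.Downadup,Quarantined
2014-03-02 09:11,WS-002,W32.Downadup,Quarantined
2014-03-02 09:12,FILESRV-OLD,W32.Downadup.B,Left Alone
2014-03-02 09:12,WS-003,W32.Downadup,Cleaned
2014-03-02 09:15,LAB-PC7,W32.Downadup,Partially Repaired
2014-03-02 09:16,FILESRV-OLD,W32.Downadup.B,Left Alone
2014-03-02 09:17,WS-004,Trojan.Zbot,Quarantined
"""

# Constructed sample IPS Attack log export. The Remote Host of a blocked
# attack is the machine that sent the exploit traffic, i.e. an infected peer.
IPS_LOG = """\
Time,Local Host,Remote Host,Event Description
2014-03-02 09:20,WS-001,10.1.4.77,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-02 09:20,WS-002,10.1.4.77,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-02 09:21,WS-003,10.1.9.5,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-02 09:22,WS-003,10.1.4.77,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-02 09:23,WS-001,10.1.2.2,[SID: 0] constructed placeholder for an unrelated IPS event
"""


def downadup_resident(risk_csv: str) -> dict:
    """Map each computer with an unresolved W32.Downadup detection to its count."""
    resident = Counter()
    for row in csv.DictReader(io.StringIO(risk_csv)):
        if not row["Risk Name"].startswith("W32.Downadup"):
            continue
        if row["Actual Action"].strip().lower() in UNRESOLVED_ACTIONS:
            resident[row["Computer"]] += 1
    return dict(resident)


def downadup_protected(risk_csv: str) -> int:
    """Count W32.Downadup detections SEP handled successfully (normally the majority)."""
    return sum(
        1 for row in csv.DictReader(io.StringIO(risk_csv))
        if row["Risk Name"].startswith("W32.Downadup")
        and row["Actual Action"].strip().lower() not in UNRESOLVED_ACTIONS
    )


def attack_sources(ips_csv: str) -> dict:
    """Map each Remote Host that sent blocked SID 23179 traffic to its attempt count."""
    sources = Counter()
    for row in csv.DictReader(io.StringIO(ips_csv)):
        if DOWNADUP_SID in row["Event Description"]:
            sources[row["Remote Host"]] += 1
    return dict(sources)


def isolation_list(risk_csv: str, ips_csv: str) -> list:
    """Merge both signals into one list of hosts to take offline, worst first."""
    scored = Counter(downadup_resident(risk_csv))
    scored.update(attack_sources(ips_csv))
    return [host for host, _ in scored.most_common()]


if __name__ == "__main__":
    print("Successful protections:", downadup_protected(RISK_LOG))
    print("Still infected (Left Alone / Partially Repaired):", downadup_resident(RISK_LOG))
    print("Remote hosts sending exploit traffic:", attack_sources(IPS_LOG))
    print("Isolate, in order:", isolation_list(RISK_LOG, IPS_LOG))
```

The Risk log names the computer that still holds the file, while the IPS log names the address that sent the exploit; a DNS or DHCP lookup of the attacking addresses will usually turn up the same unprotected machines, which is the Part 2 point about that old box in the corner with no working AV.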
Tracking Down the Infected Computers, Part 4: Windows Event Viewer
If neither Risk Tracer nor the IPS logs are available, the job is more difficult. Enabling Task Scheduler logging in the Windows Event Logs and then studying the entries will let you know which remote computer has created W32.Downadup's scheduled task on a victim.
How to determine which remote computer has created a malicious scheduled task
Article URL http://www.symantec.com/docs/HOWTO95062
Tracking Down the Infected Computers, Part 5: NMap
NMap is a great tool for spotting which computers have Downadup on them. As it is not a Symantec tool, it will get a nod here but not an elaborate set of instructions on how to use it. I'll leave that to the experts at SANS.
Detecting Conficker with NMap
Ready, Set, GPO...
There are domain-wide policies that can be effective against W32.Downadup's attempts to spread. Use Group Policy objects (GPOs) to close the ADMIN$ share or to disable the creation of scheduled tasks. Either of these measures will prevent the creation of AT jobs. Microsoft's Virus alert about the Win32/Conficker worm is a very helpful article: the section with instructions to Stop Win32/Conficker from spreading by using Group Policy settings will be of interest.
W32.Downadup attempts to gain access to administrator accounts by guessing common passwords. Make sure to change all passwords throughout the organization to make them strong and complex. It's possible to create a GPO which requires a complex password, with a minimum number of characters. The following Microsoft article is quite good:
Creating a Strong Password Policy
Effectively Cleaning Machines
Now! We have identified the computers in the network which are infected with W32.Downadup and attempting to spread. Let's clean them! There is a Downadup Removal Tool, but it is often not necessary to use it. If SEP is installed:
- Isolate the computer from the network (pull out the network cable), then reboot into Safe Mode.
- Perform a full system scan and then reboot again.
- Check the logs to confirm that W32.Downadup was detected and completely removed!
- Apply all missing Microsoft patches and ensure that autorun is disabled on the computer.
Once the user who will be logging in to that machine has a new, strong password, the computer can be added back to the network.
One positive note: if there are any lingering traces of the threat still in your network, your users will let you know! Helpdesk calls about accounts being locked out are often a sign that W32.Downadup is present and attempting to spread.
Also, the following article is a must-read:
Simple steps to protect yourself from the Conficker Worm
Following the steps above, W32.Downadup should finally be eradicated! Now it is time to ensure that defenses across the network are robust enough to withstand other attacks. It is inevitable that your company will encounter malware: be prepared for it!
The Day After: Necessary Steps after a Virus Outbreak
Many thanks for reading! Please do leave comments and feedback below.