Malware Win32/Conficker.B W32.Downadup.B

So for the past 2 weeks now we have been absolutely hammered with calls in CSS Security here at MS from organizations contracting this piece of malware.

You can find write-ups from various AV companies at the following URLs:

https://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852

https://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B

https://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-123015-3826-99

https://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-010717-4209-99

So the write-ups are all pretty good; some have details that the others don’t, etc.  We see a range of cases, from customers missing the patch to those who are completely patched but are still seeing this piece of malware in their environment causing issues.  The interesting thing about this piece of malware is that it is really singling out organizations that have not done a good job with their security policies/procedures.  The MMPC group made a post about this piece of malware at https://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx where they linked https://technet.microsoft.com/en-us/library/cc512606.aspx, Jesper’s password paper from 2005!!! This guidance and similar guidance has been out for 3+ years now and we still have customers that aren’t following it.  I sometimes wonder if we should just push out a “critical update” that applies to all DCs and updates their Default Domain and Default Domain Controller Policies for them to something more acceptable :) Of course we would probably catch a lot of flak for that :) /Rant Off

So things you should look at doing if you are hit with this:

  1. Disable Account Lockouts: You are already jacked, so why make it worse by leaving the account lockout policy in place? The worm’s password guessing against your accounts will trip it and lock out legitimate users.
  2. If you are not patched (especially with MS08-067), do so immediately.
  3. Find a machine that you know is infected and see if your AV will clean it up with the latest definitions/client.  If it is not cleaning it, open a case with your AV vendor as well; they are the ones who will update definitions to properly detect/remove the malware in the environment (believe me, you want this instead of manually running around cleaning off systems).
  4. Enable Password Complexity: Like the Account Lockouts, this is in your Default Domain Policy.  If you don’t have it enabled, odds are you have 10+% of your population using one of those weak passwords on the list from the write-ups on the malware, and if you have users with those passwords you are still going to have issues with malware spreading.  Oh, and maybe you should get someone working on that org-wide email explaining the new password policy to your users: X characters minimum and 3 of the 4 character classes (special characters/upper/lower/numbers).  You probably also want to look into scripts/tools to expire accounts (selectively, so you don’t whack things like service accounts you aren’t ready to change).  Check out Joeware’s oldcmp and expire utilities at https://www.joeware.net/freetools/ : you can dump selectively based on OU targeting to get lists of users’ password age, then pass the lists to the expire utility to force password changes across groups of users.  Or if you’re a masochist you can just expire them all and deal with the consequences.
  5. Password Complexity on local accounts: Is the password on your local Administrator accounts something on that list from the write-ups? If so, you had better get it changed.
  6. Share Permissions: This one is more complex to explain.  Basically, for any network share that you know multiple users map drives to, you need to lock the permissions down in this fashion: at the root of the share, remove Write/Modify access for Everyone, but allow them full control over the contents of the subfolders.  The way the malware works is that if you have, say, an N: drive mapped to \\FILE01\Data, it drops malware.exe in N: and an autorun.inf in the same N: pointing to malware.exe.  The next user who has the same N: drive mapped double-clicks the drive icon and runs malware.exe.  (OK, yes, this can be mitigated by autorun settings, but do you know those are set on your clients? Maybe a good idea for a GPO setting those as well :) )
  7. Stop logging into infected machines with Domain Admins: One characteristic of the malware is that it can use impersonation and can sit in the Run key so that it runs under the logged-on user’s context.  So when you log in on that infected system with your DA account, guess what: you just helped it spread without it needing to brute-force passwords or use a vulnerability, because it’s all allowed under your privileges.
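Item 6 is the one people get wrong most often, so here is an added PowerShell example (mine, not code from the post or from MS) that does two things on the file server: it reports the drop pattern the post describes (an autorun.inf plus an executable sitting at the share root, and which broad groups can create files there), and with -Apply it rewrites the root ACL so the group gets read-only at the root and Modify on everything below it. The share path D:\Data standing in for \\FILE01\Data, the default group Authenticated Users (use Everyone if that is what your share grants) and the extension list are all assumptions; run it with an account that can change the ACL.

```powershell
# Added example, not from the post: audit and harden a share root against the
# "drop malware.exe + autorun.inf at N:" pattern described in item 6.
param(
    [string]$ShareRoot = 'D:\Data',             # assumed local path behind \\FILE01\Data
    [string]$UserGroup = 'Authenticated Users', # post says Everyone; same logic applies
    [switch]$Apply                              # without -Apply the script only reports
)

$FSR = [System.Security.AccessControl.FileSystemRights]
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]

# --- 1. Look for the drop pattern at the share root -------------------------------
$rootFiles = Get-ChildItem -LiteralPath $ShareRoot -File -Force -ErrorAction Stop
$autorun   = $rootFiles | Where-Object { $_.Name -ieq 'autorun.inf' }
# Extension list is an assumption; extend it to whatever your AV vendor reports.
$execs     = $rootFiles | Where-Object { $_.Extension -in '.exe','.dll','.scr','.vbs','.cmd','.bat' }

if ($autorun) {
    Write-Warning "autorun.inf present at share root: $($autorun.FullName)"
    # The open= / shellexecute= lines name the file Explorer would launch on double-click.
    Get-Content -LiteralPath $autorun.FullName |
        Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' } |
        ForEach-Object { Write-Warning "  autorun target line: $_" }
}
foreach ($f in $execs) {
    # Hand these to your AV vendor rather than running or deleting them by hand.
    Write-Warning ('executable at share root: {0} ({1} bytes, modified {2})' -f $f.Name, $f.Length, $f.LastWriteTime)
}

# --- 2. Report which broad groups can create files at the root --------------------
$acl = Get-Acl -LiteralPath $ShareRoot
$rootWriters = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $FSR::CreateFiles) -ne 0) -and
    ($_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users|\\Users$')
}
foreach ($ace in $rootWriters) {
    Write-Output ('{0} can create files at the root: {1} (inherited={2})' -f
        $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
}

# --- 3. Apply the split ACL from item 6 --------------------------------------------
if ($Apply) {
    # Break inheritance from the parent folder, keeping copies of the inherited ACEs,
    # and commit once so the copies become explicit entries we can purge.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $ShareRoot -AclObject $acl
    $acl = Get-Acl -LiteralPath $ShareRoot

    # Drop every explicit ACE for the group; the two rules below replace them.
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$UserGroup)

    # This folder only: list and read, no CreateFiles, so nothing can be dropped at N:.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserGroup, $FSR::ReadAndExecute, $IF::None, $PF::None, 'Allow')))
    # Subfolders and files only (InheritOnly): the rights users need inside the tree.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserGroup, $FSR::Modify, ($IF::ContainerInherit -bor $IF::ObjectInherit), $PF::InheritOnly, 'Allow')))

    Set-Acl -LiteralPath $ShareRoot -AclObject $acl
    Write-Output "ACL on $ShareRoot rewritten: $UserGroup = ReadAndExecute at root, Modify below it."
}
```

Run it once without -Apply and read the report; the ACL rewrite deliberately leaves existing subfolder permissions alone, so users who already own folders under the root keep what they have. For the client side of item 6, the GPO the post hints at is the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer set to 0xFF, which disables AutoRun on every drive type including mapped network drives.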
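Items 1, 4 and 5 all come back to the Default Domain Policy and to what passwords your accounts actually carry, so here is a second added example (again mine, not the post's or Joeware's) that reads the domain policy with the ActiveDirectory RSAT module and flags the settings the post argues about, lists enabled accounts whose password is older than a cutoff one OU at a time (the oldcmp/expire workflow from item 4, so service accounts with PasswordNeverExpires are skipped), and checks a candidate password against the Windows "must meet complexity requirements" rule before you set it on a local Administrator account. The minimum length of 8, the 90-day cutoff and the OU path are assumptions; the post only says "X characters".

```powershell
# Added example, not from the post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-PasswordPolicyFindings {
    # Compares the Default Domain Policy with items 1 and 4 of the post.
    # $MinLength is an assumption; the post does not name a number.
    param([int]$MinLength = 8)
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $p.ComplexityEnabled) {
        $findings += 'Password complexity is OFF (item 4: enable it in the Default Domain Policy)'
    }
    if ($p.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), below the assumed minimum of $MinLength"
    }
    if ($p.LockoutThreshold -gt 0) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold) (item 1: worm guessing will lock out real users; disable it while cleaning up)"
    }
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'MaxPasswordAge is 0 (passwords never expire domain-wide)'
    }
    [pscustomobject]@{ Domain = $p.DistinguishedName; Findings = $findings }
}

function Get-StalePasswordUsers {
    # Enabled users under one OU whose password is older than the cutoff.
    # PasswordNeverExpires accounts are skipped so service accounts are not "whacked".
    param([Parameter(Mandatory)][string]$SearchBase, [int]$OlderThanDays = 90)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff -and -not $_.PasswordNeverExpires }
}

function Test-PasswordComplexity {
    # Windows complexity rule: no account-name tokens of 3+ characters, and at least
    # three character classes. Windows counts a fifth class (other Unicode letters);
    # this check uses the four the post lists. Length is a separate policy setting.
    param([Parameter(Mandatory)][string]$Password,
          [string]$SamAccountName = '', [string]$DisplayName = '',
          [int]$MinLength = 8)
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }
    $tokens = @($SamAccountName) + ($DisplayName -split '[ ,.\-_#\t]+') | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password -match [regex]::Escape($t)) { $reasons += "contains account-name token '$t'" }
    }
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '\d')           { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes (need 3)" }
    [pscustomobject]@{ Acceptable = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Usage (OU path is a constructed example):
Get-PasswordPolicyFindings | Format-List
Get-StalePasswordUsers -SearchBase 'OU=Sales,DC=corp,DC=example' |
    Select-Object SamAccountName, PasswordLastSet | Format-Table
Test-PasswordComplexity -Password 'Summer2009' -SamAccountName 'jdoe' -DisplayName 'John Doe'
# Forcing a change for a reviewed OU, the "expire" half of item 4:
# Get-StalePasswordUsers -SearchBase 'OU=Sales,DC=corp,DC=example' | Set-ADUser -ChangePasswordAtLogon $true
```

Review the stale-password list before piping it into Set-ADUser; the PasswordNeverExpires filter catches most service accounts but not all of them, which is exactly the "selectively" the post asks for.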

I may add more to this possibly as it’s getting late my time and I’m sure it’s going to be another long day tomorrow.  Hopefully this helps someone.

Comments

  • Anonymous
    January 01, 2003
    Well, as for FCS, we were actually one of, if not the first, AV company to have any detection whatsoever for the .B variant of this.  In some senses our product is very 1.0ish at times :) especially in regards to areas like working hand in hand with a firewall etc.  During the last two weeks though I have worked multiple cases that included at least 4+ other major AV companies and in every case the ACLs on the files combined with the rootkit capabilities of this piece of malware were evading detection/removal.  During the end of this past week however the AV companies appear to be finally catching up.

  • Anonymous
    January 08, 2009
    Great article! Lots of problems trying to ID the file that's causing the behavior (if your AV isn't picking it up), since this is being repacked and redistributed to avoid detection. In most cases it creates a scheduled task pointing right to the offending file. So check C:\windows\task and see what file it's pointing to, and get that file to your AV vendor for new dat files. Thanks again

  • Anonymous
    January 09, 2009
    It's a pity that MSFCS, like other major endpoint security vendors, doesn't protect against behavioural targeting threats such as the B worm.... maybe folks using MSFCS would then not be making the many calls to MS?

  • Anonymous
    January 09, 2009
    Great article though! I like your "context" and frankness....

  • Anonymous
    January 23, 2009
    Have found perhaps a variant today that nothing seems to be able to clean up.  Some AV software is cleaning up the service that gets created, but is not repairing service.exe. Nasty little bug.

  • Anonymous
    January 23, 2009
    Did Downadup/conficker attack your network? I've created a batch file for system administrators to clean/patch/cure infected systems in their networks. Check it out here: http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html

  • Anonymous
    February 19, 2009
    I found that the B variant keeps coming back even after cleanup using the Symantec FixTool. I had to erase all of the services it registered in the Registry manually.

  • Anonymous
    March 09, 2009
    You MUST disable System Restore on your PCs.  Until we did that with a group policy, it just kept coming back.  We would run the clean up tools and frequent full system scans that came back clean and it would reappear hours later.  And set your AV scan defaults to delete as first attempt/quarantine second.

  • Anonymous
    April 30, 2009
    What passwords does it attempt? Is there a pre-defined list?

  • Anonymous
    February 01, 2013
    I used the remover from goo.gl/Lmq7k and it worked great