Lessons in IT: Dealing with the Conficker worm
Written by Brian Austin   
Saturday, 17 January 2009

Inevitably a system administrator finds himself or herself face to face with a worm at some point. My latest foray onto the IT battlefront happened a few weeks ago with a rather nasty worm called Conficker. The worm is a sophisticated breed and proved a worthy, albeit frustrating, adversary.

Our first contact was the detection of an RPC attack on port 445 by Kaspersky's firewall solution. A system scan revealed several machines with a Net-Worm.Win32.Kido infection, as Kaspersky identifies it, or Conficker, as the worm is more widely known on the net. The initial infection vector was an unpatched system, exploited through the vulnerability Microsoft published in late October, MS08-067. The patch addressed an RPC hole which allows the worm to infect the system via File and Print sharing.

Unfortunately most client firewalls are unable to block the RPC requests, and in a matter of hours every vulnerable system becomes infected. Our initial response was to conduct an offline scan via Live CD on all machines and to apply the Microsoft patch. We also disabled file and print sharing along with several unused, but now activated, system services.
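The "first contact" above was a firewall alert on port 445. As an added example (not code from the original article), the following PowerShell turns that single alert into a triage step: it reads firewall log lines in the Windows Firewall `pfirewall.log` format, keeps only TCP/445 entries, and reports any source that touched many distinct hosts, which is the sweep pattern an MS08-067 spreader produces. The sample lines are constructed for this example and stand in for logs gathered from several workstations into one file; the function name `Find-SmbSweepers` and the five-target threshold are my own choices.

```powershell
# Added example: flag hosts sweeping TCP/445 across many neighbours.
# Input format is the Windows Firewall log (#Fields: header followed by
# space-separated records). The lines below are constructed, not real logs,
# and represent entries collected from several hosts' firewall logs.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-01-10 08:15:01 DROP TCP 10.0.5.23 10.0.5.1 49152 445 48 S 1001 0 8192 - - - RECEIVE
2009-01-10 08:15:01 DROP TCP 10.0.5.23 10.0.5.2 49153 445 48 S 1002 0 8192 - - - RECEIVE
2009-01-10 08:15:01 DROP TCP 10.0.5.23 10.0.5.3 49154 445 48 S 1003 0 8192 - - - RECEIVE
2009-01-10 08:15:02 DROP TCP 10.0.5.23 10.0.5.4 49155 445 48 S 1004 0 8192 - - - RECEIVE
2009-01-10 08:15:02 DROP TCP 10.0.5.23 10.0.5.5 49156 445 48 S 1005 0 8192 - - - RECEIVE
2009-01-10 08:15:02 DROP TCP 10.0.5.23 10.0.5.6 49157 445 48 S 1006 0 8192 - - - RECEIVE
2009-01-10 08:16:10 ALLOW TCP 10.0.5.40 10.0.5.7 50001 445 - - - - - - - - SEND
2009-01-10 08:16:11 ALLOW TCP 10.0.5.40 10.0.5.7 50002 445 - - - - - - - - SEND
2009-01-10 08:16:30 ALLOW TCP 10.0.5.41 10.0.5.8 50010 80 - - - - - - - - SEND
'@

function Find-SmbSweepers {
    param(
        [string[]]$Lines,
        [int]$MinTargets = 5    # assumption: 5+ distinct 445 targets from one source is a sweep
    )
    $fields  = $null
    $targets = @{}              # src-ip -> hashtable of distinct dst-ip

    foreach ($line in $Lines) {
        # The #Fields: line names the columns; everything else starting with # is a comment.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }

        # Only TCP to port 445 matters here; ALLOW and DROP both count,
        # since a successful connection is exactly how the worm spreads.
        if ($rec['protocol'] -ne 'TCP' -or $rec['dst-port'] -ne '445') { continue }

        if (-not $targets.ContainsKey($rec['src-ip'])) { $targets[$rec['src-ip']] = @{} }
        $targets[$rec['src-ip']][$rec['dst-ip']] = $true
    }

    foreach ($src in $targets.Keys) {
        $n = $targets[$src].Count
        if ($n -ge $MinTargets) {
            [pscustomobject]@{ SourceIP = $src; DistinctTargets = $n }
        }
    }
}

# Usage: a real run would pass Get-Content on the collected log files instead.
Find-SmbSweepers -Lines ($sampleLog -split '\r?\n') |
    Sort-Object DistinctTargets -Descending |
    Format-Table -AutoSize
```

On the constructed input only 10.0.5.23 is reported (six distinct targets); 10.0.5.40 talks to a single file server repeatedly and is not flagged, which is why the count is over distinct destinations rather than total connections. Hosts the function lists are the ones to pull off the network and scan offline first.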

We found that Conficker used several replication mechanisms, including installing an Apache web server and compromising most client-based anti-virus products. Once a machine was fully "owned", the worm had unfettered access to infect other systems on the network. If its execution ran under an authenticated Active Directory user, the worm was able to copy itself to other machines to which that user had access. The worm proved rather nasty in that it quickly adapted to system scans and was able to inject scheduled tasks and autorun registry keys and to infect the master boot record. Fortunately we were able to use several tools to avoid completely reloading most machines.

The SysInternals tool set, including Process Explorer, Autoruns and RootkitRevealer, was immensely useful for decontamination. We also found that some anti-virus scanners, including AVG, were unaffected by the worm at the time. To prevent future infections we also identified unused or unnecessary system services and uninstalled IIS-related services via Add/Remove Windows Components. Since the worm disables Automatic Updates and BITS (Background Intelligent Transfer Service), we had to verify these services were once again active, and also disable the DNS Client cache, which this worm used to prevent Windows from acquiring Microsoft and anti-virus updates.
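The paragraph above lists the things that must be re-checked on every cleaned host: the patch, the services the worm switches off, name resolution for update servers, and the autorun and scheduled-task entries the worm plants. As an added example (not code from the original article), this PowerShell script runs those checks on one host. It assumes an elevated session on the host being verified; KB958644 is the Knowledge Base article that ships the MS08-067 fix, and `update.microsoft.com` and `www.example.com` are used as a probe and a control name for the DNS check.

```powershell
# Added example: post-cleanup verification of one host after Conficker.
# Assumes an elevated PowerShell session on the host being checked.

$ms08_067Kb = 'KB958644'   # KB that carries the MS08-067 fix

# 1. Patch state. Get-HotFix lists separately installed updates; a build that
#    already includes the fix (later service pack or OS) will not list the KB,
#    so a miss means "confirm by OS build", not a certain exposure.
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
          Where-Object { $_.HotFixID -eq $ms08_067Kb }
if ($hotfix) { "OK   $ms08_067Kb installed $($hotfix.InstalledOn)" }
else         { "WARN $ms08_067Kb not listed; confirm the OS build already carries the fix" }

# 2. Services the worm disables: force them back to Automatic and running.
foreach ($name in 'wuauserv', 'BITS') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "FAIL service $name not found"; continue }
    Set-Service -Name $name -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    $state = (Get-Service -Name $name).Status
    if ($state -eq 'Running') { "OK   $name is running" } else { "FAIL $name is $state" }
}

# 3. Name resolution. The worm interferes with lookups of update and AV vendor
#    names; if the control name resolves but the update host does not, the
#    host is still hooked and needs another offline scan.
foreach ($fqdn in 'www.example.com', 'update.microsoft.com') {
    try   { [void][System.Net.Dns]::GetHostAddresses($fqdn); "OK   resolves $fqdn" }
    catch { "FAIL cannot resolve $fqdn" }
}

# 4. Persistence points to review by hand: Run keys and scheduled tasks.
#    Compare against the Autoruns output taken before cleanup.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "--- $key"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}
"--- Scheduled tasks"
schtasks.exe /Query /FO LIST /V | Select-String -Pattern '^(TaskName|Task To Run):'
```

Each section prints an OK, WARN or FAIL line so the script can be run from a login script or a management share and its output collected per host; any FAIL on the service or DNS checks marks a machine that is not yet clean, whatever the anti-virus console says.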

In the end there were several lessons learned from this experience. First, the window between Microsoft publishing a patch and an exploit appearing in the wild has shrunk dramatically. In this case the patch was issued in October and by December there was an identified worm on the net. It is of paramount importance that IT patches all systems and enforces this policy.

Second, anti-virus and firewall protection is mandatory for all servers and clients. Gone are the days of the "walled garden": these days one must protect each and every asset regardless of whether or not it leaves the building. Microsoft and several vendors have solutions which enforce anti-virus policy and do not allow computers to connect to the local network if they are not in compliance.

Lastly, the age-old concept of least privilege and the removal of all non-essential services and system access is invaluable for containing infection. Adopting this policy may cause friction, but in the long run it will help maintain system continuity as well as plug holes that can be used by malicious programs and users alike.

All rights reserved. Copyright © 2004-2010
Electronic Reality Solutions