Archive for Oh the fick you say!

Analysis of Conficker

Posted in Computer Stuff with tags on February 20, 2009 by hotpoo

In case you were curious, SRI has an excellent analysis of Conficker’s Logic and Rendezvous Points. Again, a brilliant piece of software.

Conficker Fix Script

Posted in Computer Stuff with tags on February 18, 2009 by hotpoo

The Conficker worm is a remarkable piece of code. I’ve been impressed with its ability to spread and re-infect, and the drastic number of changes it makes to a system once infected. The scary part is that this particular botnet is pretty much inactive at the moment. Whatever code it was supposed to retrieve and run has not yet come online. Either it grew too fast and frightened the developers into keeping it inactive (there is a lot of speculation that it was supposed to be a “botnet for sale.” Organized crime has been buying a lot of these of late.), or the sleeper has not yet awakened. If the latter is the case, it is going to cause some serious trouble. No one company is certain of the number of infected systems globally, but estimates range from 15 million to 50 million. I suspect the middle ground is a safe estimate.

Anyway, it’s been kicking my ass at work for a couple of weeks now. Part of our environment is pretty well locked down: domain-joined systems with strong alphanumeric admin passwords, auto updates, and regular DAT updates. The other part of our environment (the part that deals with the test computers, build systems, and demo microscopes) has never really been regulated. As a result, nothing has been enforced on those systems… computers are out of date, AV isn’t updating, admin passwords are unknown (but probably blank or super-simple passwords like “password”), and a lot of the same user accounts and passwords are used on all systems. This is pretty much the environment the worm was designed to exploit. The systems would be cleaned, then reinfected within minutes. Good times.

I spent a lot of time studying solutions, trying different fix utilities, and trying to eliminate common variables. It didn’t help that there is a lot of conflicting information online about this. Nor does it help that none of the removal utilities can revert the changes that the worm makes to the system (removing infected system restore points, removing scheduled tasks, re-enabling services, etc.). Since we needed to roll a solution to the field that didn’t involve less-than-savvy service techs tinkering around in the registry, I chose to draft up a quick little “fix” batch script. It’s not perfect, but it automates some of the fix utilities and reverts a bit of the changes made to the systems, and our reinfection rate has dropped to ZERO. I’ll add some notes in parentheses after each line… you may not want to use all of these… it all depends on your environment.

net stop server /y (temporarily stops the server service to prevent re-infection while the system is being cleaned)

KidoKiller.exe -y (runs the Sophos KidoKiller and automatically removes memory-resident / file-resident infection… in our testing, it seemed to work just as well as the MRT)

AT /Delete /Yes (deletes all AT-created scheduled tasks)

net stop "Task Scheduler" (temporarily stops the task scheduler to prevent further AT task creation until the virus has been cleared from the system)

sc stop "srservice" (stops the System Restore service)

sc config "srservice" start= disabled (permanently disables the System Restore service… sorry, but it sucks just for this reason)

cacls "c:\System Volume Information" /E /G %username%:F (grants full access to the “System Volume Information” folder on c: to the current user)
rd "c:\System Volume Information" /s /q (deletes the “System Volume Information” folder and any contents)

sc config "wuauserv" start= auto (resets the Windows Update service to “automatic”)
sc config "bits" start= demand (resets the BITS service to “manual”)
sc config "ersvc" start= auto (resets the Error Reporting service to “automatic”)

net user administrator ****** (changes the admin password… use a strong alphanumeric password instead of ******, of course)

reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f (disables the policy that the virus adds at infection… you will be able to reselect “show hidden files / folders” after the policy is disabled)

reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f (completely disables autorun / autoplay from all drives… might be a bit overkill, but you can change the reg dword value to something that suits your environment better. more information below)

reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t REG_DWORD /d 0x00 /f (this is dangerous, and probably will not be a good idea for domain environments. This will kill all the administrative shares on the system… c$ may not get much use, but admin$ is very important… it may be better to take this out of the script unless you absolutely cannot clean the virus from your network environment)

WindowsXP-KB958644-x86-ENU.exe /passive /norestart (passive install for MS08-067)

WindowsXP-KB957097-x86-ENU.exe /passive /norestart (passive install for MS08-068)

WindowsXP-KB958687-x86-ENU.exe /passive /norestart (passive install for MS09-001)

windows-kb890830-v2.7.exe (runs the Microsoft Malicious Software Removal Tool… a quick scan is probably fine for Conficker removal… it may not find anything, as KidoKiller already ran)

cls

echo off

echo You need to restart your computer as soon as possible!

pause

You’ll need to put the following files in the same directory:

KidoKiller.exe (from Sophos)

WindowsXP-KB958644-x86-ENU.exe (MS08-067 patch)

WindowsXP-KB957097-x86-ENU.exe (MS08-068 patch)

WindowsXP-KB958687-x86-ENU.exe (MS09-001 patch)

windows-kb890830-v2.7.exe (Microsoft Malicious Software Removal Tool)

This script will only work for Windows XP. You can modify it a bit for Windows 2000… just pull the System Restore junk, and get a copy of reg.exe off the workstation CD. I don’t think the SC commands will work in 2000, so you’ll need to modify the services via reg.exe (should be pretty easy to figure out). Obviously, you’ll need the specific patches for Windows 2000.

Now, I know that the only patch that is supposed to be needed is MS08-067. I’ve seen some documentation that claims the other two should be installed as well. It can’t hurt, and it definitely seems to have solved some of our reinfection problem.

Some other information of note about the “autorun” issue: US-CERT security information, and a Knowledge Base article on different ways to disable it via the registry and policy. Just disabling flash drives should be enough.
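One thing the fix script above does not do is tell you whether it actually took, or whether a box has drifted back to the infected state. The following audit script is an added example written for this post; it is not part of the original fix script, KidoKiller, or any Microsoft tool. It reads the same things the fix script changes (AT tasks, the three service start types, the SHOWALL hidden-files policy, NoDriveTypeAutoRun, and the three hotfixes) and only reports, so a tech can run it before and after cleaning and compare. Assumptions: Windows XP, run as a local administrator, with at.exe, sc.exe and reg.exe present (all ship with XP); the hotfix check assumes XP hotfixes register under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KBnnnnnn; the removable-drive check uses bit 0x04 of NoDriveTypeAutoRun, which is the DRIVE_REMOVABLE bit, so it also answers the “just disable flash drives” question for whatever value you chose instead of 0xff.

```batch
@echo off
REM Added audit script (not from the original post). Reports, never fixes.
REM Assumptions: Windows XP, local admin, at.exe / sc.exe / reg.exe present.
REM Exit code = number of findings, so it can be called from another script.
setlocal
set PROBLEMS=0

echo === AT scheduled tasks (the worm re-infects through AT jobs) ===
at | find /i "no entries" >nul
if errorlevel 1 (
    echo [!] AT tasks exist - review with "at" before running "AT /Delete /Yes"
    set /a PROBLEMS+=1
) else (
    echo [ok] no AT tasks
)

echo === Service start types the fix script resets ===
call :CheckStart wuauserv AUTO_START
call :CheckStart bits DEMAND_START
call :CheckStart ersvc AUTO_START

echo === Hidden-files policy (the worm sets CheckedValue to 0) ===
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue | find /i "0x1" >nul
if errorlevel 1 (
    echo [!] SHOWALL\CheckedValue is not 1 - "show hidden files" is suppressed
    set /a PROBLEMS+=1
) else (
    echo [ok] SHOWALL\CheckedValue is 1
)

echo === Autorun policy (bit 0x04 of NoDriveTypeAutoRun = removable drives) ===
set AUTORUN=
for /f "tokens=3" %%a in ('reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun 2^>nul ^| find /i "NoDriveTypeAutoRun"') do set AUTORUN=%%a
if not defined AUTORUN (
    echo [!] NoDriveTypeAutoRun not set - autorun is enabled for removable drives
    set /a PROBLEMS+=1
    goto :patches
)
REM set /a understands the 0x prefix reg.exe prints; quotes protect the &
set /a "REMOVABLE=%AUTORUN% & 4"
if %REMOVABLE%==0 (
    echo [!] NoDriveTypeAutoRun=%AUTORUN% does not disable removable-drive autorun
    set /a PROBLEMS+=1
) else (
    echo [ok] NoDriveTypeAutoRun=%AUTORUN% disables removable-drive autorun
)

:patches
echo === Hotfixes (assumption: XP registers them under Uninstall\KBnnnnnn) ===
call :CheckKB KB958644 MS08-067
call :CheckKB KB957097 MS08-068
call :CheckKB KB958687 MS09-001

echo.
echo %PROBLEMS% finding(s)
exit /b %PROBLEMS%

:CheckStart
REM %1 = service name, %2 = expected START_TYPE text from "sc qc"
sc qc %1 | find "%2" >nul
if errorlevel 1 (
    echo [!] service %1 start type is not %2
    set /a PROBLEMS+=1
) else (
    echo [ok] service %1 is %2
)
goto :eof

:CheckKB
REM %1 = KB number, %2 = bulletin id (for the report only)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%1 >nul 2>&1
if errorlevel 1 (
    echo [!] %1 (%2^) not found in the Uninstall registry
    set /a PROBLEMS+=1
) else (
    echo [ok] %1 (%2^) installed
)
goto :eof
```

Run it as `conficker-audit.cmd` from the same directory as the fix script; a clean, patched box prints only [ok] lines and exits 0, and a box that reads [!] for AT tasks or for a service that has gone back to disabled after the fix ran is the one you want to look at for reinfection.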

Good luck!

-edit-

SC.exe will work on a 2k system. Just copy over the file from an XP system.