Conficker virus seems to have stuck its little head out in our servers and computers in our network. Help!


  • Friday, March 12, 2010 23:33
     
     
    Hey All. We ran into an interesting scenario that we never thought would happen since our network is relatively secure. We seem to have been hit by the Conficker virus. Not sure of the variant at this moment. The users' computers are all running Windows XP Pro 32 bit. They get their updates pushed regularly via our WSUS server. Our server network is a combination of Windows Server 2003 and Server 2008 (Server 2008 primarily, as most servers have been migrated over the last few months). The majority of the computers have the Forefront client installed.

    Based on our research on the net, this should have been taken care of by a patch that was issued back in 2008. How could this virus sneak through? Is it a new variant that we got hit by? Could the original exploit have been re-opened by a Conficker-infected USB key? I haven't found any new or recent information indicating that the virus has been updated to use a new exploit, so we're trying to figure out how this happened, since all the computers at this particular center are up to date with system updates, and those with the Forefront client installed are using the most current signatures (or so we thought). Since this is at one of our remote locations and someone is going to have to fly down there to fix the issue manually, we need to know what we're fighting. The only way we know it was Conficker is that after running Forefront on one of the users' computers, it pops up that that specific computer was infected with Conficker.B and it was removed; however, right after that, Forefront gets disabled and the service is removed. Running the Symantec Conficker removal tools "appears" to have worked, but only time will tell.


    Help and advice would be greatly appreciated.

    Thanks

All replies

  • Tuesday, March 16, 2010 9:23
    Moderator
     
     Proposed answer

    Hi,

     

    Thank you for your post.

     

    According to your description, I understand that FCS did not remove the malware efficiently.

     

    As I am not sure whether this threat is part of our FCS signatures or not, if you have a sample of this threat, please submit the malicious file to: https://www.microsoft.com/security/portal/Submission/Submit.aspx

     

    Once we get the sample file, our antivirus team will analyze it. If the analysis is that the software is malicious, they can then add detection for this threat.

     

    Regards,


    Nick Gu - MSFT
  • Wednesday, March 17, 2010 23:12
     
     

    We sent someone to check the systems in Toronto (infected about 150 client computers). He has determined that FCS has indeed found and removed the virus, but not until after the virus was launched and had started the infection. It didn't perform a real-time scan but only scanned during pre-defined times. So between the time when the virus was launched and when the scheduled scan started, the virus was infecting our network (and network shares) there. As a precaution our person there started installing Spybot S&D on the systems. He found consistently on each of the formerly infected computers that remnants were left behind, such as antivirus and firewall bypass programs. We have recently noticed this happening quite a bit with other viruses such as antivir.troj and downadup, where the viruses are not detected until it's basically too late. Is this caused by a setting that we may have missed in FCS? Maybe something to do with real-time protection? Why did Spybot detect the remnants left behind by the virus but the Forefront client did not? We're trying to make sure that we have everything set up so that we can hopefully avoid these issues in the future (well, for the most part). We're 100% Microsoft across the board in this company and don't like to use too many 3rd party products unless we don't have a choice. I've requested that the technician we sent to Toronto send a screen capture of the Spybot S&D scan results so that I can see what I'm talking about.

    Thank you,

    Carlo

  • Thursday, March 18, 2010 6:34
    Moderator
     
     Answered

    Hi Carlo,

     

    Thank you for the update.

     

    Please make sure the Real-time Protection Security Agent is selected in the FCS client UI. Go to Tools/Options, check any of the security agents under "Use real-time protection", then restart the AM service. Meanwhile, please also update FCS.

     

    Regards,


    Nick Gu - MSFT
  • Thursday, March 18, 2010 16:16
     
     
    Thank you for the continued and quick assistance in this matter,

    I've checked the settings for the FCS client UI on my system. All systems are GPO controlled, it appears, and settings are set that way, or globally set by the Forefront server. The FCS client shows that real-time protection is enabled. I was asked to verify if there were certain strains of Conficker, downadup, or antivir.troj that FCS is having issues identifying.


    I got a screen shot from the tech we sent to the Toronto site of the Spybot Search & Destroy results. It includes registry keys that were identified as being an antivirus override and firewall bypass. I'm not sure if it will help with future detection, but I'll send it if requested. However, I do not seem to see an option for uploading images to this site...

    Carlo
  • Monday, March 22, 2010 13:35
    Moderator
     
     
    Do you have a case open with us yet regarding this incident? If not, please do so and post the case# back here if you could. We do not have any versions of Conficker/downadup that we do not detect that I know of. Typically when you see redetections with Conficker in the environment and FCS, it tends to be the detection/removal of the scheduled task and the dropper file, which indicates that the virus is still running under the context of some user with admin credentials on the network or that the passwords on local accounts are not strong enough.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
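As an added example (not from the thread or from Microsoft), the following PowerShell script gives an admin a quick host-side triage of the three indicators raised above: scheduled tasks that re-appear after cleanup, the antimalware service that the original poster saw removed, and the weak local-account password policy the moderator ties to re-infection. It assumes PowerShell 2.0 or later on XP/2003/2008 and that the FCS antimalware service is named 'FCSAM' (an assumption; substitute the name shown in services.msc).

```powershell
# Host triage for the Conficker indicators discussed in this thread.
# Assumes PowerShell 2.0+ and that the FCS antimalware service name is 'FCSAM'
# (assumption; replace with the service name shown in services.msc).

function Get-DllScheduledTasks {
    # Re-detections in the thread point at a scheduled task; list every task whose
    # action loads a DLL (for example via rundll32) so an admin can review it.
    $rows = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    $rows | Where-Object { $_.'Task To Run' -match 'rundll32|\.dll' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time'
}

function Get-AntimalwareServiceState {
    param([string]$ServiceName = 'FCSAM')   # assumed service name
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        # The original poster saw the service removed after cleanup; flag that case.
        return New-Object PSObject -Property @{ Service = $ServiceName; State = 'MISSING' }
    }
    New-Object PSObject -Property @{ Service = $ServiceName; State = $svc.Status }
}

function Get-LocalPasswordPolicy {
    # Weak local passwords let Conficker spread over shares; read the effective
    # policy from 'net accounts' and keep the two values that matter most.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Minimum password length|Lockout threshold):\s*(.+)$') {
            $policy[$matches[1]] = $matches[2].Trim()
        }
    }
    $policy
}

# Run the three checks and print a short report.
Write-Host '--- Scheduled tasks that load a DLL ---'
Get-DllScheduledTasks | Format-Table -AutoSize
Write-Host '--- Antimalware service ---'
Get-AntimalwareServiceState | Format-Table Service, State -AutoSize
Write-Host '--- Local password policy ---'
$p = Get-LocalPasswordPolicy
$p.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }
if ($p.ContainsKey('Minimum password length') -and [int]$p['Minimum password length'] -lt 8) {
    Write-Warning 'Minimum password length is below 8; Conficker guesses weak share passwords.'
}
```

The task filter is a review heuristic, not a verdict: legitimate tasks can load DLLs, so compare each hit against the dropper file names reported by FCS before acting on it.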