Thursday, January 22, 2009

Beat Downadup/Conficker like a pro: My story from the field

Since many websites have been talking about Conficker/Downadup for days, today I have something different, especially for system admins.
I've been busy for the last three days building defense lines around critical servers for one of my customers. The source of the infection was one lazy user who had no antivirus installed on his laptop. It didn't take long for it to start spreading and attacking other systems in the network. We responded fast; otherwise, we would have spent the rest of the day counting how many critical systems were down.

My plan was to build a barrier around the critical servers, then move forward, making sure that every running system was already protected by the current AV software (Symantec Endpoint Protection), which was already blocking the attack successfully. It was not a big hit, because 98% of the systems were protected by SEP, which kept the number of infected systems down. Cheer up, people; I've created a Windows batch file that reverses and cures the side effects of Downadup:

1) Re-enable and start the following services (Downadup stops them and sets them to Disabled):

Background Intelligent Transfer Service (BITS)
Windows Automatic Update Service (wuauserv)
Windows Security Center Service (wscsvc)
Windows Defender Service (WinDefend)
Windows Error Reporting Service (WerSvc)

2) Check MS WSUS for any missed updates (the machine was cut off from updates while the Windows Update service was stopped during the infection)

3) Run the Symantec FixDownadup tool

4) Install the MS08-067 patch (KB958644), which closes the hole Downadup uses to spread

5) Reboot the system

This batch covers the following OS versions:

1) Windows 2000
2) Windows XP
3) Windows 2003
4) Windows Vista SP0/SP1
Note: some OS versions and 64-bit editions are not supported by this batch yet; they may be soon.

To start, download the fix tool plus the MS08-067 (KB958644) patch package for every OS version you have to cover (the Vista x86 package is Windows6.0-KB958644-x86.msu, as used in the excerpt below):

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
Create a shared folder on a server for the downloaded files and give all users read-only access to it, so that an infected host cannot tamper with the tools; the batch also copies its log files to a Logs subfolder on that share, so that subfolder (or a separate share kept for logs) has to be writable. Then use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) with a text file listing the infected machines (psexec @infected.txt, one host name per line; infected.txt is just a placeholder name) to run the batch under a privileged account such as a domain admin. Two PsExec details matter here: run it from a clean, fully patched admin workstation, and remember that a remote process started without -u runs under an impersonation token that cannot reach other network resources, so it could not read the tools from the share; run it with -s (LocalSystem reaches the share as the computer account) or pass explicit credentials with -u and -p.

Here, for example, is the Vista SP0 section of the batch (the "…." lines mark parts of the batch left out of the excerpt):
….
:ver_vista-sp0
REM Undo Downadup's service changes: set each service back to Automatic (sc needs the space after "start="), then start it
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
REM The tool runs straight from the read-only share; the log file is named per host and user (%computername%, %username%) and copied to the writable Logs folder
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
REM wusa.exe installs .msu packages on Vista; /norestart so the reboot happens on our terms below
wusa.exe \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...
REM /t 60 gives the promised minute; without it shutdown waits only its default 30 seconds
shutdown /r /f /t 60 /c "Rebooting system, you have 1 minute to save your work"
goto exit
….
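A check worth running once the batch has been pushed out: confirm from a clean admin workstation that each host really lost the Downadup side effects, instead of trusting that every PsExec run finished. The PowerShell script below is an added example and not part of the original batch or of Symantec's tool; it assumes PowerShell 2.0 or later, that infected.txt (a placeholder name) holds one host name per line, the Vista service short names used in the batch, and that the MS08-067 package is listed in Win32_QuickFixEngineering as KB958644.

```powershell
# Added example (not part of the original batch or of Symantec's tool).
# Assumptions: PowerShell 2.0+ (try/catch), WMI/RPC reachable on the targets,
# and KB958644 as the hotfix ID of the MS08-067 package.
function Test-DownadupCleanup {
    param([string[]]$ComputerName)

    # Short names of the services Downadup stops and disables. Windows 2000/XP/2003
    # have no WinDefend or WerSvc, so those names are simply not returned there.
    $wanted = 'BITS', 'wuauserv', 'wscsvc', 'WinDefend', 'WerSvc'

    foreach ($h in $ComputerName) {
        $problems = @()
        try {
            $svcs = Get-WmiObject -ComputerName $h -Class Win32_Service -ErrorAction Stop |
                    Where-Object { $wanted -contains $_.Name }
        } catch {
            # Offline, firewalled, or still too sick to answer RPC: report and move on.
            New-Object PSObject -Property @{ Host = $h; Status = 'UNREACHABLE'; Detail = $_.Exception.Message }
            continue
        }

        foreach ($s in $svcs) {
            # StartMode 'Disabled' means the cure did not take or the worm has been back.
            if ($s.StartMode -eq 'Disabled') { $problems += "$($s.Name) is Disabled" }
            elseif ($s.State -ne 'Running') { $problems += "$($s.Name) is $($s.State)" }
        }

        # Installed hotfixes; KB958644 is the MS08-067 fix the batch applies.
        $kb = Get-WmiObject -ComputerName $h -Class Win32_QuickFixEngineering |
              Where-Object { $_.HotFixID -eq 'KB958644' }
        if (-not $kb) { $problems += 'KB958644 (MS08-067) not installed' }

        if ($problems.Count -eq 0) { $status = 'OK' } else { $status = 'NEEDS WORK' }
        New-Object PSObject -Property @{ Host = $h; Status = $status; Detail = ($problems -join '; ') }
    }
}

# Usage: infected.txt (placeholder name) holds one host name per line, the same list fed to PsExec.
Test-DownadupCleanup -ComputerName (Get-Content .\infected.txt) |
    Format-Table Host, Status, Detail -AutoSize
```

A host that still shows a Disabled service after the batch has run has either not been reached or has been hit again, and goes back on the PsExec list; an UNREACHABLE host needs a look in person before it is assumed clean.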

Download the batch file (hosted on MSN SkyDrive; right-click & save won't work, so follow the link and then click on the white file on the left)

Good Luck