Endpoint Protection

  • 1.  Conficker Malware

    Posted Apr 23, 2012 09:21 AM

    Hi,

    I have detected Conficker Malware on a few of the machines in my network. As troubleshooting steps, all these machines are equipped with the latest SEP definitions and automatically get updates from the SEPM server, are equipped with all MS patches and are also equipped with the Conficker patch MS08-067 (KB 958644). I have also run the Conficker Removal Tool and the Norton Power Eraser tool but nothing has been detected. I checked that the user does not have local admin access on his / her computer.

    Please suggest what else I can apply to cure conficker infection.


    Regards


    Yogesh



  • 2.  RE: Conficker Malware
    Best Answer

    Trusted Advisor
    Posted Apr 23, 2012 11:20 AM

    Hello,

    Here is the Documentation on the W32.Downadup (Symantec) aka Conficker (Microsoft)

    Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

    Downadup (Conficker) is a quite old virus. If all machines are patched and updated with the newest virus definitions you should be safe. However, there are a few things to be verified. This is well described in the following document:

    Simple steps to protect yourself from the Conficker Worm

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

    Work on the Plan of Action as given below for a 100% result.

    Plan of Action:

    1) Make sure ALL Computers are installed with Symantec EP with latest / updated virus definitions and

    2) Install MS08-067 patch download [KB 958644] on ALL computers.

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    3) Install ALL Latest Microsoft Security Patches / Service Packs on ALL machines

    4) Disable Auto play with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    8) Enable Risk Tracer

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/be1edccb0e39927280257363003a2bb3?OpenDocument

    In case we don't have Network Threat Protection installed on the machines, we could try NMAP (http://insecure.org/)

    NOTE: NMAP is not supported by Symantec. However, it has proved to be effective.

    NOTE: *ALL means ALL client machines and server machines (make sure you don't miss any machine)

    Similar Threads: 

    https://www-secure.symantec.com/connect/forums/w32downadupb-how-could-you-find-source-if-there-are-1k-infected

    https://www-secure.symantec.com/connect/forums/w32downadupb-5

    https://www-secure.symantec.com/connect/forums/account-lockdown-pertaining-domain-controller

    Hope that helps!!



  • 3.  RE: Conficker Malware

    Posted Apr 23, 2012 11:28 AM

    When you say you are detecting Downadup on your machines, is it an IPS detection that is blocking it? That is what it sounds like, which means that another machine on the network is trying to infect the machine you are seeing the detection on.

    If this is a managed environment you can run a report of all IPS detections by going to Monitors -> Logs, then select Network Threat Protection for log type and Attacks for log content.

    Once run, you can see the machine the IPS event happened on, but more importantly you should be able to see what IP address it blocked. The IP that it blocked is the machine you need to investigate for missing patches, out-of-date defs, etc.

    Once the offending machines are cleaned the detections should stop.
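The triage step described in this reply (pull the NTP "Attacks" log and find the blocked remote IP) is easier when the export is summarised per source rather than read line by line. The following PowerShell is an added example, not code from the thread or from Symantec: it takes an exported report, keeps only blocked events, and ranks the remote IPs by how many hosts they hit, so the machines to investigate for missing patches or old definitions come out on top. The sample rows and the column names (`Remote IP`, `Host Name`, `Action`, and so on) are constructed assumptions; match them to the header of your own SEPM CSV export.

```powershell
# Added example (not from the thread): rank the remote IPs that SEP's
# Network Threat Protection blocked, using an exported "Attacks" log.
# Column names are an assumption about the export format; adjust to your CSV.

# Constructed sample rows standing in for a real SEPM export.
$sampleCsv = @'
"Event Time","Event Type","Severity","Host Name","Local IP","Remote IP","Remote Host","Action"
"2012-04-23 09:02:11","Intrusion Prevention","Critical","WS-0112","10.1.4.12","10.1.4.77","WS-0177","Blocked"
"2012-04-23 09:02:15","Intrusion Prevention","Critical","WS-0113","10.1.4.13","10.1.4.77","WS-0177","Blocked"
"2012-04-23 09:03:40","Intrusion Prevention","Critical","SRV-FS01","10.1.2.5","10.1.4.77","WS-0177","Blocked"
"2012-04-23 09:05:02","Intrusion Prevention","Critical","WS-0112","10.1.4.12","10.1.9.30","WS-0930","Blocked"
"2012-04-23 09:07:19","Intrusion Prevention","Critical","WS-0140","10.1.4.40","10.1.9.30","WS-0930","Blocked"
"2012-04-23 09:08:00","Intrusion Prevention","Info","WS-0140","10.1.4.40","10.1.9.31","WS-0931","Allowed"
'@

function Get-AttackSources {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events
    )
    # Only blocked events matter here: the remote side is the host that
    # tried to push the worm, i.e. the one to check for patches and defs.
    $Events |
        Where-Object { $_.'Action' -eq 'Blocked' } |
        Group-Object -Property 'Remote IP' |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object -Property 'Event Time'
            [pscustomobject]@{
                RemoteIP   = $_.Name
                RemoteHost = ($_.Group | Select-Object -First 1).'Remote Host'
                Blocks     = $_.Count
                TargetsHit = @($_.Group | Select-Object -ExpandProperty 'Host Name' -Unique).Count
                FirstSeen  = ($sorted | Select-Object -First 1).'Event Time'
                LastSeen   = ($sorted | Select-Object -Last 1).'Event Time'
            }
        } |
        Sort-Object -Property Blocks, TargetsHit -Descending
}

# With the constructed sample. For a real export use:
#   $events = Import-Csv -Path 'C:\temp\ntp-attacks.csv'
$events = $sampleCsv | ConvertFrom-Csv
Get-AttackSources -Events $events | Format-Table -AutoSize
```

On the sample data the table lists 10.1.4.77 first (three blocks against three different hosts), then 10.1.9.30; the allowed event is ignored. A source that appears against many targets in a short window is the one to pull off the network and clean before chasing the machines that merely reported the pop-up.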



  • 4.  RE: Conficker Malware

    Posted Apr 23, 2012 11:58 AM

    One thing you should understand about Conficker / Downadup. If there is even one machine without the MS patch or the right definitions, it will be affected and it tries to affect other machines in the network.

    The pop-ups you receive on the machines are a result of Symantec successfully blocking these attacks (these are machines that are patched). These are not affected machines, in fact.

    You have to enable risk tracer / NMap (also recommended for downadup) to trace the attack. This will point you to the machine which is affected. You have to run the downadup removal tool on this machine.

    This will fix your issue.

    http://www.symantec.com/business/support/index?page=content&id=TECH102539

    https://www-secure.symantec.com/connect/blogs/w32downadup-p2p-scanner-script-nmap


    Note that traditional virus troubleshooting like LPDU and scanning may not help in effectively combating Downadup.

    Hope this helps.



  • 5.  RE: Conficker Malware

    Posted Apr 27, 2012 07:09 AM

    Hi Mithun,

    Thanks for the solution you have mentioned above. I have implemented the same and a few more things on my network and it seems to be under control.

    I am hereby going to mention the steps I have taken:

    1. Local Administrator rights removed from systems.
    2. MS patches KB958644, KB967715 or KB953252 successfully deployed on all hosts.
    3. Turn Off Autoplay functionality enabled through GPO.
    4. Local administrator renamed on all systems.
    5. Full scanning with SEP has been performed.
    6. All MS patches updated till April 2012.
    7. SEP definitions updated.
    8. Scanning with Symantec tool (Conficker Tool) performed on reported hosts.
    9. Risk tracer enabled in SEPM & also taken necessary action on risk source systems.
    10. Task scheduler service stopped through GPO.

    Regards

    Yogesh
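The plan of action in the accepted answer and the checklist in this last reply are both easier to keep honest with a read-only audit than with a one-time rollout. The following PowerShell is an added example, not something posted in the thread or shipped by Symantec or Microsoft: run on a Windows host, it reports whether the patches named above (KB958644, KB967715, KB953252) are installed, whether Autorun is disabled for all drive types through the `NoDriveTypeAutoRun` policy value, whether the Task Scheduler service is stopped, whether the built-in Administrator account has been renamed, and who is still in the local Administrators group. Assumptions: Windows PowerShell 3.0 or later, an elevated session, and the `0xFF` policy value from the Microsoft Autorun KBs; SEP definition freshness is left to SEPM's own reporting and is not checked here.

```powershell
# Added example (not from the thread): read-only audit of the hardening
# checklist on the local host. Assumes PowerShell 3.0+ and an elevated session.
# Nothing here changes a setting; it only reports.

function Test-ConfickerHardening {
    $results = @()

    # 1) Patches named in the checklist: MS08-067 (KB958644) and the Autorun fixes.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in 'KB958644', 'KB967715', 'KB953252') {
        $status = if ($installed -contains $kb) { 'OK' } else { 'MISSING' }
        $results += [pscustomobject]@{ Check = "Patch $kb installed"; Status = $status }
    }

    # 2) Autorun disabled for every drive type: NoDriveTypeAutoRun = 0xFF
    #    under the Explorer policy key (the value the Autorun KBs describe).
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $status  = if ($autorun -eq 0xFF) { 'OK' } else { "NOT SET (value: $autorun)" }
    $results += [pscustomobject]@{ Check = 'Autorun disabled via policy (NoDriveTypeAutoRun = 0xFF)'; Status = $status }

    # 3) Task Scheduler service stopped, as step 10 above did through GPO.
    $sched  = Get-Service -Name Schedule -ErrorAction SilentlyContinue
    $status = if ($sched -and $sched.Status -eq 'Stopped') { 'OK' } else { "RUNNING ($($sched.Status))" }
    $results += [pscustomobject]@{ Check = 'Task Scheduler service stopped'; Status = $status }

    # 4) Built-in Administrator renamed: the account is identified by its
    #    well-known RID 500 rather than by name, so a rename is detected.
    $builtinAdmin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like '*-500' }
    $status = if ($builtinAdmin -and $builtinAdmin.Name -ne 'Administrator') {
        "OK (now '$($builtinAdmin.Name)')"
    } else { 'DEFAULT NAME' }
    $results += [pscustomobject]@{ Check = 'Built-in Administrator renamed'; Status = $status }

    # 5) Who still holds local admin rights (step 1 removed these from users).
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $results += [pscustomobject]@{ Check = 'Local Administrators group members'; Status = ($members -join ', ') }

    $results
}

Test-ConfickerHardening | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on a sample of workstations and servers (the "ALL means ALL" note above applies: a single unpatched host keeps re-triggering the IPS pop-ups on everything else). Any row reading MISSING, NOT SET, RUNNING or DEFAULT NAME is a host the GPO did not reach yet, which is usually also where the Risk Tracer source list points.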