Conficker - Cleaning Tips for Corporate Users
HOW TO CLEAN CONFICKER INFECTIONS IN THE CORPORATE ENVIRONMENT
1. Research the malware threat thoroughly. Determine how it attacks systems and the best approach for cleaning. Check several sources to learn as much as possible before cleaning. Conficker will actually apply the MS08-067 patch in MEMORY ONLY, so the best way to find infected PCs and servers is to look for high port 445 activity with a sniffer.
2. In a corporate environment, and even for home users, it is always good practice to SHUT DOWN the infected system, unplug it from the network, and stop using it completely.
3. Instead, work with the system while it is off the network. It is recommended to burn a CD or DVD from a clean, non-infected source, or to use a lab environment that is isolated from the main network. Cleaning tools that can be used include the MS08-067 patch and multiple standalone cleaners (F-Secure, MSRT, and other tools). A CD is safer than USB media because of the AUTORUN risks.
4. Bring the system back online only after it is isolated from the main network. Then use up-to-date Anti-Virus software to scan for additional malware. If the AV product doesn't offer good rootkit detection capabilities, consider downloading F-Secure's BlackLight rootkit detector or other similar tools. Anti-Spyware and other malware detection products should be run to ensure the system is as clean as possible.
5. If you find additional malware, evaluate it thoroughly. While a Conficker infection alone can be cleaned without the need to rebuild the system, additional malware infections received while the system was infected need to be evaluated in terms of damage and how successfully they can be cleaned. In some cases, it may be beneficial to rebuild the system.
6. After cleaning Conficker, install the MS08-067 patch before bringing the PC or server back online.
7. After installing the MS08-067 patch, it is critical to REBOOT the system so that the patch becomes operational before the PC or server is returned to the network environment.
8. Finally, if you have weak passwords, open network shares, or AUTORUN issues with removable media, it is important to strengthen these areas to prevent future attacks. Otherwise, Conficker or other malware could continue to reinfect vulnerable servers and PCs until the root cause is properly addressed.
9. Log all infected servers and workstations that were cleaned for future reference.
10. Re-evaluate the formerly infected systems periodically to ensure their defenses are holding up. Use network sniffers, IDS, AV software and other tools to carefully monitor inbound and outbound traffic.
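The detection check from step 1 (and the ongoing monitoring in step 10) as an added script that is not part of the original article: it reads tcpdump-style text lines and flags any host that sends SYNs to many distinct hosts on tcp/445 in the captured window, which is the port 445 sweep the article tells you to look for. The sample lines are constructed, and the threshold of 5 distinct targets is an assumption to tune for your own network.

```python
import re
from collections import defaultdict

# Matches tcpdump-style TCP SYN lines: "IP src.sport > dst.dport: Flags [S]".
# "[S.]" (SYN-ACK replies from the server side) deliberately does not match,
# so only client-initiated connection attempts are counted.
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)

def smb_targets_by_source(lines, port=445):
    """Map each source IP to the set of distinct hosts it sent SYNs to on `port`."""
    targets = defaultdict(set)
    for line in lines:
        m = SYN_RE.search(line)
        if m and int(m.group(4)) == port:
            targets[m.group(1)].add(m.group(3))
    return targets

def find_scanners(lines, min_targets=5, port=445):
    """Return [(src, distinct_target_count)] for sources that tried at least
    `min_targets` distinct hosts on `port`, most active first (threshold is an assumption)."""
    targets = smb_targets_by_source(lines, port)
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample: 10.0.5.17 sweeps eight neighbours on tcp/445 (the Conficker pattern),
# while 10.0.5.40 and 10.0.5.41 each talk to a single file server, which is normal SMB use.
SAMPLE_LINES = [
    f"10:01:02.{i:03d} IP 10.0.5.17.{49152 + i} > 10.0.5.{20 + i}.445: Flags [S], seq 0, win 65535"
    for i in range(8)
] + [
    "10:01:03.000 IP 10.0.5.40.49200 > 10.0.5.2.445: Flags [S], seq 0, win 65535",
    "10:01:03.001 IP 10.0.5.2.445 > 10.0.5.40.49200: Flags [S.], seq 0, ack 1, win 8192",
    "10:01:03.500 IP 10.0.5.41.49201 > 10.0.5.2.445: Flags [S], seq 0, win 65535",
    "10:01:04.000 IP 10.0.5.41.49202 > 10.0.5.3.80: Flags [S], seq 0, win 65535",
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LINES):
        print(f"isolate and inspect {src}: SYNs to {n} distinct hosts on tcp/445")
```

Feed it real output from `tcpdump -nn tcp port 445` captured on a span port; a host that appears here is a candidate for the shutdown-and-isolate procedure in step 2.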