Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Conficker - Cleaning Tips for Corporate Users

HOW TO CLEAN CONFICKER INFECTIONS IN THE CORPORATE ENVIRONMENT

1. Research the malware threat thoroughly.  Determine how it attacks systems and the best approach for cleaning.  Check several sources to learn as much as possible prior to cleaning.  Conficker actually applies the MS08-067 fix in MEMORY ONLY (to keep other malware out, not to protect you), so an infected host can look patched; the best way to find infected PCs and servers is to look for unusually high volumes of TCP port 445 traffic with a network sniffer.

2. Corporately, and even for home users, it is always good practice to SHUT DOWN the infected system, unplug it from the network, and stop using it until it has been cleaned.

3. Work on the system only while it is off the network.  Burn a CD or DVD of the cleaning tools from a clean, non-infected source, or use a lab environment that is isolated from the main network.  Cleaning tools include the MS08-067 patch and several standalone cleaners (F-Secure, Microsoft's MSRT and other tools).  A CD is safer than a USB drive because of the AUTORUN risk with removable media.

4. Bring the system back online only on the isolated network.  Then use up-to-date anti-virus software to scan for additional malware.  If the AV product does not offer good rootkit detection, consider downloading F-Secure's BlackLight rootkit detector or a similar tool.  Run anti-spyware and other malware detection products as well to ensure the system is as clean as possible.

5. If you find additional malware, evaluate it thoroughly.  A Conficker infection alone can be cleaned without rebuilding the system, but any additional malware picked up while the system was infected must be evaluated in terms of the damage done and how reliably it can be cleaned.  In some cases it may be better to rebuild the system.

6. After cleaning Conficker, install the MS08-067 patch before returning the PC or server to the network.

7. After installing the MS08-067 patch, it is critical to REBOOT the system so that the patch is actually in effect before the PC or server goes back on the production network.

8. Finally, if you have weak passwords, open network shares, or AUTORUN enabled for removable media, strengthen these areas to prevent future attacks.  Otherwise Conficker or other malware will continue to reinfect vulnerable servers and PCs until the root cause is properly addressed.

9. Log every infected server and workstation that was cleaned, for future reference.

10. Re-evaluate the formerly infected systems periodically to ensure their defenses are holding.  Use network sniffers, IDS, AV software and other tools to carefully monitor their inbound and outbound traffic.
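The sniffer-based check from step 1, the cleanup log from step 9 and the periodic re-check from step 10 can be tied together in a small script.  The following is an added example and not code from the original post: it parses a constructed, simplified packet capture (loosely modelled on tcpdump output; the hosts, addresses and the CLEANED_HOSTS list are all assumptions), flags any host that sends SYNs to many distinct machines on TCP port 445 within a short window, and cross-checks the hits against the list of hosts that were already cleaned once.

```python
"""Flag hosts that show Conficker-style SMB scanning in a packet capture.

Added example, not code from the original post. The input is a constructed
text dump with one packet per line, loosely modelled on what
`tcpdump -nn -tt 'tcp[tcpflags] & tcp-syn != 0 and port 445'` prints; the
regex below is written for this constructed sample only.
"""
import re
from collections import defaultdict

# Constructed sample capture (epoch timestamps, "src.port > dst.port").
#   10.0.0.12  worm-like host: SYNs to 12 distinct hosts on TCP/445 in ~10 ms
#   10.0.0.20  normal client: two sessions to the file server 10.0.0.5
#   10.0.0.5   file server: answers a client (SYN-ACK, "[S.]") and opens one
#              outbound SMB session of its own
SAMPLE_CAPTURE = "\n".join(
    [f"1230000000.{i:03d} IP 10.0.0.12.{49152 + i} > 10.0.0.{30 + i}.445: Flags [S]"
     for i in range(12)]
    + [
        "1230000001.500 IP 10.0.0.20.50001 > 10.0.0.5.445: Flags [S]",
        "1230000001.501 IP 10.0.0.5.445 > 10.0.0.20.50001: Flags [S.]",
        "1230000020.000 IP 10.0.0.20.50002 > 10.0.0.5.445: Flags [S]",
        "1230000030.000 IP 10.0.0.5.50100 > 10.0.0.6.445: Flags [S]",
    ]
)

# Hosts recorded as cleaned earlier (step 9 of the procedure); constructed.
CLEANED_HOSTS = {"10.0.0.12", "10.0.0.40"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return (timestamp, src_ip, dst_ip, dst_port, flags) for each parsable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m["ts"]), m["src"], m["dst"],
                           int(m["dport"]), m["flags"]))
    return events


def find_smb_scanners(events, window=60.0, threshold=10):
    """Map src_ip -> peak number of distinct hosts it sent a SYN to on TCP/445
    within any `window` seconds, keeping only sources at or above `threshold`.

    Only pure SYNs ("S") count, so a file server answering clients with
    SYN-ACK ("S.") from port 445 is not mistaken for a scanner; the worm's
    signature is many outbound connection attempts to many distinct hosts.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport, flags in events:
        if dport == 445 and flags == "S":
            per_src[src].append((ts, dst))

    flagged = {}
    for src, attempts in per_src.items():
        attempts.sort()
        in_window = defaultdict(int)   # dst -> SYN count inside the window
        left = 0
        peak = 0
        for ts, dst in attempts:
            in_window[dst] += 1
            # Slide the window: drop attempts older than `window` seconds.
            while ts - attempts[left][0] > window:
                old_dst = attempts[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def reinfection_candidates(flagged, cleaned_hosts):
    """Flagged hosts that were already cleaned once: the root cause (weak
    passwords, open shares, AUTORUN) was probably not fixed (steps 8 and 10)."""
    return sorted(set(flagged) & set(cleaned_hosts))


if __name__ == "__main__":
    events = parse_capture(SAMPLE_CAPTURE)
    flagged = find_smb_scanners(events)
    for src, peak in sorted(flagged.items()):
        print(f"{src}: SYNs to {peak} distinct hosts on TCP/445 within 60 s")
    for host in reinfection_candidates(flagged, CLEANED_HOSTS):
        print(f"{host}: previously cleaned, now scanning again -> reinfected")
```

The window and threshold are tuning knobs: a legitimate file server receives many connections on 445 but initiates few, so counting only outbound SYNs to distinct destinations keeps it out of the results.  A hit on a host that is already in the cleanup log is the signal step 10 is looking for, and means the root cause from step 8 was not fixed.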

Comments

Conficker - Cleaning Tips for Corporate Users : Lo Mejor de la Web said:

Pingback from  Conficker - Cleaning Tips for Corporate Users : Lo Mejor de la Web

# January 28, 2009 8:29 AM

Harry Waldron - Corporate and Home Security said:

The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users

# March 20, 2009 9:38 AM

Harry Waldron - Corporate and Home Security said:

The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users

# March 20, 2009 10:04 AM

1st of April there is going to be a world-wide attack of Conficker virus - LegacyGamers/GamingSync - International Online Gaming Community said:

Pingback from  1st of April there is going to be a world-wide attack of Conficker virus - LegacyGamers/GamingSync - International Online Gaming Community

# March 31, 2009 1:53 PM

Harry Waldron - Corporate IT Security said:

After two years, I continue to be amazed at the number of Conficker infections that remain. There are

# July 10, 2010 9:21 AM