Handling large scale worm infections

Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.

We’re seeing quite a large increase in Conficker.A infections (exploiting MS08-067) in Sweden right now, and computers that are not sufficiently patched or secured are causing a mess.

So far, most corporate network infections are making more noise than damage, as people seem to have become better at patching since 2003-2004. What is causing the alarm is our protection blocking the network attack proactively when it is delivered from an infected machine or, on computers without TruPrevent, when we nail it with the signature.

Anyway, I feel like being a bit proactive and reciting some of the simpler lessons from 2003 in the new light of this little worm, as my gut feeling is that we’re going to get taken for a ride.

What do you do once your switches start looking like Christmas trees, all lit up and warm? Well, there is no single recipe and there will most certainly be a twist to your specific situation. There are, however, some basic things you can do, and you can start by asking yourself:

Are your machines patched?
  a) I do not know
  b) Yes they are
  c) No they are not

If A, use the Microsoft Baseline Security Analyzer (MBSA) to get a picture of the current situation. The tool can be set up on any modern Windows system and should be run with domain admin credentials in order to gain full visibility. Keep in mind that it reaches the scanned machines over the admin shares and the Remote Registry service, so a host that fails to scan is not thereby shown to be patched; it needs a closer look. The tool also reports a lot of other crucial security information (password complexity, security policies etc.).

If B: haha, yeah right… ;) But if you’re confident about it you can at least take some comfort in the fact that you are probably exposing less attack surface internally to the worm. You will, however, have some clients that are not patched, or are incorrectly patched, and if they’re not infected yet they will be shortly.

If C, you should start finding out the easiest way to distribute the fix. If you’re running a smaller shop you might even have greater success doing the good ol’ legwork around the office, but if you have a couple of hundred or a thousand clients you need to set up a deployment plan now. Possible deployment methods range from SMS, System Center, ZENworks (Novell) and logon scripts with a silent patch install to a WSUS set-up with Group Policy configuration. The MS08-067 fix is a single hotfix (KB958644) whose installer takes the usual /quiet /norestart switches, so it scripts well. It really doesn’t matter which technology you use, it just needs to be done “yesterday”.

Do you know what machines are infected at this time?
  a) Yes.
  b) Nope, or some, but I’m guessing there’s more.

If A, set them straight: install the patch, install your protection, update that protection and make sure the machine is as “clean” as it can be. Then move on to B.

If B, install Wireshark on a patched computer (or why not use Linux?) and sniff the network for 15-30 minutes. This does not have to be done in promiscuous mode or with any special networking equipment, as all we want to see are computers trying to exploit/infect the computer you are sniffing on. Note the limitation, though: a single sniffing host only sees the infected machines that happen to try it during that window, so the list will be incomplete; sniffing longer, or from a couple of machines on different segments, improves the coverage. After stopping the capture you will have a lot of packets to analyze, and what you’re looking for are SMB packets that look something like this:

Image by Don Jackson from SecureWorks via the ThreatExpert blog (thanks, Don).

The key here is identifying the SMB traffic that calls the NetPathCanonicalize function. The call travels as DCERPC over the \srvsvc (or \browser) named pipe, NetPathCanonicalize is operation number 31 in the SRVSVC interface, and Wireshark’s SRVSVC dissector exposes that opnum as a field, so a display filter like this should do it (not tested at the time of writing, so no guarantees):

srvsvc.opnum == 31

Wireshark shows the function name in the Info column of the matching frames. If the dissector does not recognise the interface for some reason, dcerpc.opnum == 31 is a looser fallback, but it matches opnum 31 on any RPC interface, so expect some noise with that one.

Note the source IP of every frame matching the above expression and try to identify the physical machine behind it. It usually helps to identify the user first: from a patched and protected machine, click “Start menu”->“Run”, type “\\OFFENDING_IP_NUMBER\c$” and press OK. When the share opens, go into “Documents and Settings” (“Users” on Vista) and sort the listing by modification date to see which user last used the computer.
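To see what that filter actually matches on the wire, here is an added example of my own, not part of the original post: a Python script that parses DCERPC bind and request PDUs as they travel over the named pipe, keeps track of which source IP has bound to the SRVSVC interface UUID, flags requests with opnum 31 (NetPathCanonicalize) and additionally checks the stub data for the “\..\..\” path traversal that MS08-067 exploits send. The PDUs it runs on are constructed inline to mimic an infected host, a legitimate caller and a share enumeration; in practice you would feed it the DCERPC payloads cut out of your own capture. Tracking bind state per source IP rather than per connection, and the traversal check itself, are simplifications I made for the example.

```python
"""Pick NetPathCanonicalize (MS08-067) calls out of DCERPC traffic on the srvsvc pipe.

Added example, not from the original post. The PDUs are constructed by hand
to mimic what an infected host sends; real ones would be cut out of the SMB
named-pipe payloads of a capture.
"""
import struct
import uuid
from collections import defaultdict

PTYPE_REQUEST = 0           # DCE/RPC connection-oriented PDU types
PTYPE_BIND = 11
PFC_OBJECT_UUID = 0x80      # request carries a 16-byte object UUID before the stub

# SRVSVC interface UUID, the NDR32 transfer syntax, and the opnum of NetprPathCanonicalize
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR32_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
OPNUM_NETPATHCANONICALIZE = 31
# Exploit paths climb above the root; NDR wide strings are UTF-16LE on the wire (heuristic)
TRAVERSAL = "\\..\\..\\".encode("utf-16-le")


def parse_pdu(pdu: bytes) -> dict:
    """Parse the 16-byte common header plus the bind- or request-specific part."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    ptype, flags = pdu[2], pdu[3]
    end = "<" if (pdu[4] >> 4) == 1 else ">"      # drep high nibble: 1 = little-endian ints
    frag_len, _auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    info = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3); context items from offset 28
        n_ctx, off, ifaces = pdu[24], 28, []
        for _ in range(n_ctx):
            _ctx_id, n_trans = struct.unpack_from(end + "HB", pdu, off)
            raw = pdu[off + 4:off + 20]           # abstract syntax UUID, followed by version(4)
            ifaces.append(uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw))
            off += 4 + 20 + 20 * n_trans          # skip the transfer syntaxes as well
        info["interfaces"] = ifaces
    elif ptype == PTYPE_REQUEST:
        # alloc_hint(4) ctx_id(2) opnum(2) at offset 16, optional object UUID, then the stub
        _hint, _ctx_id, opnum = struct.unpack_from(end + "IHH", pdu, 16)
        stub_off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
        info["opnum"], info["stub"] = opnum, pdu[stub_off:frag_len]
    return info


def find_attackers(pdus) -> dict:
    """pdus: iterable of (src_ip, pdu_bytes) in capture order -> {ip: [reasons]}.
    Bind state is kept per source IP, a simplification of the real per-connection
    context IDs that is good enough for a hunt list."""
    bound, hits = defaultdict(set), defaultdict(list)
    for ip, raw in pdus:
        try:
            p = parse_pdu(raw)
        except ValueError:
            continue
        if p["ptype"] == PTYPE_BIND:
            bound[ip].update(p["interfaces"])
        elif (p["ptype"] == PTYPE_REQUEST and SRVSVC_UUID in bound[ip]
              and p["opnum"] == OPNUM_NETPATHCANONICALIZE):
            reason = "NetPathCanonicalize call"
            if TRAVERSAL in p["stub"]:
                reason += " with \\..\\..\\ traversal (MS08-067 exploit pattern)"
            hits[ip].append(reason)
    return dict(hits)


def _header(ptype: int, body: bytes, call_id: int = 1) -> bytes:
    # ver 5.0, ptype, flags FIRST|LAST, drep 0x10 (LE ints, ASCII), frag_len, auth_len, call_id
    return struct.pack("<BBBB4BHHI", 5, 0, ptype, 0x03, 0x10, 0, 0, 0,
                       16 + len(body), 0, call_id) + body


def build_bind(iface: uuid.UUID, version: int = 3) -> bytes:
    item = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", version)
            + NDR32_UUID.bytes_le + struct.pack("<I", 2))
    return _header(PTYPE_BIND, struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + item)


def build_request(opnum: int, stub: bytes) -> bytes:
    return _header(PTYPE_REQUEST, struct.pack("<IHH", len(stub), 0, opnum) + stub)


def ndr_wstring(s: str, referent: int = 0x20000) -> bytes:
    """Wide string behind a unique pointer: referent, max_count, offset, actual_count, chars."""
    chars = (s + "\x00").encode("utf-16-le")
    n = len(s) + 1
    return struct.pack("<IIII", referent, n, 0, n) + chars + b"\x00" * (-len(chars) % 4)


# Constructed sample: .57 is the worm, .33 makes a legitimate canonicalize call,
# .20 only enumerates shares (NetrShareEnum, opnum 15).
SAMPLE = [
    ("192.168.1.57", build_bind(SRVSVC_UUID)),
    ("192.168.1.57", build_request(OPNUM_NETPATHCANONICALIZE,
                                   ndr_wstring("\\\\VICTIM") + ndr_wstring("\\..\\..\\" + "A" * 16))),
    ("192.168.1.33", build_bind(SRVSVC_UUID)),
    ("192.168.1.33", build_request(OPNUM_NETPATHCANONICALIZE,
                                   ndr_wstring("\\\\VICTIM") + ndr_wstring("\\share\\docs"))),
    ("192.168.1.20", build_bind(SRVSVC_UUID)),
    ("192.168.1.20", build_request(15, ndr_wstring("\\\\VICTIM"))),
]

if __name__ == "__main__":
    for ip, reasons in sorted(find_attackers(SAMPLE).items()):
        print(ip, "->", "; ".join(reasons))
```

Run as-is it lists 192.168.1.57 with the traversal pattern and 192.168.1.33 with a plain call; the host that only enumerated shares is not reported. The point of tracking the bind is the same one the Wireshark dissector relies on: opnum 31 means nothing until you know the request went to the SRVSVC interface.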

Of course, keeping an up-to-date inventory of all machines and their MAC addresses before this happens makes this a lot easier, since the MAC address can be tied to a switch port and from there to a desk. It doesn’t happen too often that such an inventory is available though.

After the machines have been identified you patch them, protect them and finally update the protection. If you suspect that your protection doesn’t work like it should, or that the infection persists and doesn’t get cleaned, contact your AV vendor as soon as possible so that they can collect a sample.

The approach above is not practical if you have more than 50 infected machines. If you are in that situation the following statements are probably true: you have a large network, the machines are not updated, they are not protected, and if they are protected it’s with old software and/or definitions. This means you’re going to have greater trouble than most resolving the situation and I’d suggest a more generic approach as a start.

1. Deploy the one patch needed (NOT all outstanding patches, that takes too long) through the software distribution tool of your choice, logon scripts or whatever suits you, in order to prevent re-infection after cleaning. Plan for the reboot as well: the MS08-067 fix does not take effect until the machine has been restarted, so a client that has installed it but not rebooted is still exploitable.
2. If available, deploy a cleaning tool or script the same way shortly after. Contact your vendor for more information, help and suggestions.
3. Deploy anti-malware protection using the same method you used to deploy the patch above and make sure that all protections are turned on and updated.

These steps might be hard to follow during an ongoing infection, and if you are having trouble, call your AV vendor! We have more experience with this and will probably see things that you have overlooked.

After you’ve done these basic things you can move on to the manual methodology above to find any computers that are still infected.

And finally, some suggestions on what you can do now to ease the burden if (when) you get hit:

* Secure your systems: not just patches but security policies, user permissions, local administrator rights and so on. For inspiration, take a look at Microsoft’s SSLF (Specialized Security – Limited Functionality) policies. Just remember what the LF in SSLF means while doing so.
* Install and manage your anti-malware and security solutions. Make sure they are the latest versions and that signature files/databases/IPS filters are updated as they should be.
* Strengthen your IT policy regarding the connection of external devices to the network. This won’t prevent much on its own, but it’s worth a shot. If you want to enforce directives such as these, take a look at Panda NetworkSecure, Cisco NAC or Microsoft NAP.

That’s all ;)

If you need any help with anything, drop me a line and I’ll get back to you as soon as possible.

Cheerios,
