Conficker A virus reinfecting patched machines


Can anyone shed some light on this? I recently had a client who was
infected with Conficker A. I cleaned the machines last week and
patched them all with the related Windows MS08-067 patch. They were
fine for a few days it seems but now their AV software is again
finding the virus in the system32 folder. I thought once the patch was
installed that the virus could no longer infect the patched machine.
Any ideas why this is happening?

Thanks in advance,
Adam

Re: Conficker A virus reinfecting patched machines

Did you disable System Restore?

--
Quilly
Bookstore

http://stores.lulu.com/quilljar


Re: Conficker A virus reinfecting patched machines


Just to address one point, the patch only addresses the software
vulnerability that is exploited by one vector of spread.



Re: Conficker A virus reinfecting patched machines

So in a nutshell, having the patch in does nothing to prevent a machine
from being infected by Conficker? So essentially there is no way
to prevent infection from the Conficker virus once it gets on the
network. Sounds like I have to start from scratch and clean all the
machines again.

Also, Quilly mentioned disabling System Restore, which I did do. However,
unless someone restores a system restore point that is infected, the
virus should not actually be able to infect the machine and should
just linger harmlessly within the restore point. Correct? Or can it
somehow reactivate itself from inside the infected but unrestored
restore point? I've never heard of a virus being able to do that.







Re: Conficker A virus reinfecting patched machines

So in a nutshell, having the patch in does nothing to prevent a machine
from being infected by Conficker?

***
That should work to keep conficker.a out initially.
***

So essentially there is no way
to prevent infection from the conficker virus once it gets on the
network. Sounds like I have to start from scratch and clean all the
machines again.

***
Maybe this will help you.

http://technet.microsoft.com/en-us/security/dd452420.aspx
***

Also, Quilly mentioned disabling System Restore, which I did do. However,
unless someone restores a system restore point that is infected, the
virus should not actually be able to infect the machine and should
just linger harmlessly within the restore point. Correct?

***
Correct, but *detection* may still be possible.
***

Or can it
somehow reactivate itself from inside the infected but unrestored
restore point? I've never heard of a virus being able to do that.

***
I haven't heard of that happening yet either.
***







Re: Conficker A virus reinfecting patched machines


| So in a nutshell, having the patch in does nothing to prevent a machine
| from being infected by Conficker? So essentially there is no way
| to prevent infection from the conficker virus once it gets on the
| network. Sounds like I have to start from scratch and clean all the
| machines again.

| Also, Quilly mentioned disabling System Restore, which I did do. However,
| unless someone restores a system restore point that is infected, the
| virus should not actually be able to infect the machine and should
| just linger harmlessly within the restore point. Correct? Or can it
| somehow reactivate itself from inside the infected but unrestored
| restore point? I've never heard of a virus being able to do that.


Yes. It only means that exploitation vector of the malware has been mitigated, but there
are other infection vectors that could be in play, such as an infected file on a
flash drive when AutoPlay/AutoRun has NOT been disabled.

As for the System Restore cache, as long as you do NOT restore from an infected restore
point your PC will not be re-infected. Infected files will eventually cache out.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Conficker A virus reinfecting patched machines

Well it looks like I found the cause. I tried a different nmap script
and now it told me that 4 of the 10 machines had the MS08-067 patch but
that it was likely the conficker and it was likely still infected. So
what I did is I reran the Symantec scan which found the infection on
those machines. After cleaning it I uninstalled the associated patch,
rebooted and went back to MS Windows Update and downloaded and
reinstalled the patch. I then rebooted and reran the scan and
everything was clean. I reran the nmap script on all the machines
again and now those 4 are also coming totally clean.

So what I have learned is, just because the patch is installed doesn't
mean it's the real thing. In this case somehow the Conficker can fool
Windows into thinking the patch is installed when in fact it's a decoy.

Anyway thanks for your help guys.





Re: Conficker A virus reinfecting patched machines

20vtguy wrote:

But doesn't this just return your client's systems to the way they
were when you left them last?  What plans are you and the client
making to withstand further malware attacks that weren't being done
before?  In short, what antimalware steps are in place now?

Respectfully,

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Re: Conficker A virus reinfecting patched machines


| Well it looks like I found the cause. I tried a different nmap script
| and now it told me that 4 of the 10 machines had the MS08-067 patch but
| that it was likely the conficker and it was likely still infected. So
| what I did is I reran the Symantec scan which found the infection on
| those machines. After cleaning it I uninstalled the associated patch,
| rebooted and went back to MS Windows Update and downloaded and
| reinstalled the patch. I then rebooted and reran the scan and
| everything was clean. I reran the nmap script on all the machines
| again and now those 4 are also coming totally clean.

| So what I have learned is, just because the patch is installed doesn't
| mean it's the real thing. In this case somehow the Conficker can fool
| Windows into thinking the patch is installed when in fact it's a decoy.

| Anyway thanks for your help guys.


No, that's a faux conclusion. The MS patch only mitigates one infection vector that uses
code exploitation.

Once the MS patch is installed, that vulnerability/exploitation vector is closed, but
Conficker has OTHER tricks up its sleeve to infect computers, as I noted:
AutoPlay/AutoRun.
To mitigate that infection vector AutoPlay/AutoRun must be DISABLED on all PCs and all
removable read/write media *must* be scanned.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Conficker A virus reinfecting patched machines

Well it looks like I found the cause. I tried a different nmap script
and now it told me that 4 of the 10 machines had the MS08-067 patch but
that it was likely the conficker and it was likely still infected.

***
I don't know how your script works, but that ingress vector is closed by
the worm itself once you are compromised. Other communications channels
are initiated and the patch at this time is a little like closing the
barn door *after* the livestock has escaped.
***

So what I did is I reran the Symantec scan which found the infection on
those machines. After cleaning it I uninstalled the associated patch,
rebooted and went back to MS Windows Update and downloaded and
reinstalled the patch. I then rebooted and reran the scan and
everything was clean. I reran the nmap script on all the machines
again and now those 4 are also coming totally clean.

***
I don't know about the nmap script, but Symantec is trustworthy IMO.
***

So what I have learned is, just because the patch is installed doesn't
mean it's the real thing.

***
That depends upon what is being used to determine the presence or
absence of the patch.
***

In this case somehow the Conficker can fool
Windows into thinking the patch is installed when in fact it's a decoy.

***
I'm not sure it is Windows that is being fooled. The worm closes off the
ingress vector to the vulnerability out of self preservation and adds
value by keeping it exclusively available to the malware's orchestrators
for future use. *If* they were able to use it, you cannot be confident
as to the state of security of your system.
***

Anyway thanks for your help guys.

***
The "A" version is the least capable, but a backdoor is a backdoor.
***






Re: Conficker A virus reinfecting patched machines

20vtguy wrote:

Hello Adam:

Reminder: *none* of the Conficker strains are viruses. True Conficker
infections are _worms_.

Almost everything the /entire/ world knows about the Conficker worm
and its detection and removal can be had through the Conficker Working
Group URL:

              <http://www.confickerworkinggroup.org/>

If you've done true due diligence for your client, then your client is
bringing the infection upon themselves through faulty practices and/or
bad decisions.  This includes the installation and use of known good
antimalware.  Not pretenders.  Period.

Has AutoPlay/AutoRun been disabled everywhere?

   <http://www.microsoft.com/technet/security/advisory/967940.mspx>

Regards,

Pete
--
1PW  @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
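Dave's and Pete's posts above both name AutoPlay/AutoRun as the second infection vector and say removable media must be scanned. The script below is an added example, not code from anyone in this thread or from Microsoft. It reads an autorun.inf the way the Windows INI reader tolerates it (only the [autorun] section counts, and lines without a key=value pair, including binary padding, are skipped) and flags directives that execute code when a drive is inserted or that imitate the normal "Open folder to view files" entry. The three sample files, the RECYCLER payload path and the padding threshold are constructed for illustration and are not taken from a real sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Directives that launch code when AutoRun is enabled: open=, shellexecute=,
# and shell\<verb>\command= entries added to the drive's context menu.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Launchers that let a worm run a DLL or script instead of a visible .exe.
LAUNCHER_RE = re.compile(r"\b(rundll32|regsvr32|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
# Folders Explorer hides by default, a common place to stash a payload.
HIDDEN_DIR_RE = re.compile(r"(^|[\\/])(recycler|\$recycle\.bin|system volume information)([\\/]|$)", re.I)
# Text of the legitimate AutoPlay entry that a malicious action= imitates.
SPOOF_ACTION_RE = re.compile(r"open folder to view files", re.I)
# Windows ends INI lines on CR/LF only; str.splitlines() would also split on
# bytes such as 0x85 and 0x1c that turn up inside binary padding.
LINE_SPLIT_RE = re.compile(r"\r\n|\r|\n")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    detail: str


def parse_autorun(data: bytes) -> dict[str, str]:
    """Return the key=value pairs of the [autorun] section with lower-cased keys.

    Anything outside [autorun] and any line without '=' is ignored, which is why
    padding an autorun.inf with garbage does not stop Windows from honouring it.
    """
    text = data.decode("latin-1")  # one char per byte, never raises on junk
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in LINE_SPLIT_RE.split(text):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in entries:  # first occurrence wins (assumption about the INI reader)
            entries[key] = value.strip()
    return entries


def padding_ratio(data: bytes) -> float:
    """Share of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not data:
        return 0.0
    noisy = sum(1 for b in data if not (0x20 <= b < 0x7F or b in b"\t\r\n"))
    return noisy / len(data)


def triage_autorun(data: bytes) -> list[Finding]:
    """Flag directives that execute code on insertion or disguise doing so."""
    entries = parse_autorun(data)
    findings: list[Finding] = []
    commands = {k: v for k, v in entries.items() if k in EXEC_KEYS or SHELL_COMMAND_RE.match(k)}
    for key, cmd in commands.items():
        if LAUNCHER_RE.search(cmd):
            findings.append(Finding("high", f"{key}= runs a DLL/script launcher: {cmd}"))
        elif HIDDEN_DIR_RE.search(cmd):
            findings.append(Finding("high", f"{key}= executes from a normally hidden folder: {cmd}"))
        else:
            findings.append(Finding("medium", f"{key}= executes a program on insertion: {cmd}"))
    if commands and SPOOF_ACTION_RE.search(entries.get("action", "")):
        findings.append(Finding("high", "action= imitates the built-in 'Open folder to view files' entry"))
    ratio = padding_ratio(data)
    if ratio > 0.25:  # threshold chosen for this example
        findings.append(Finding("medium", f"{ratio:.0%} of the file is non-text padding"))
    return findings


def scan_volume(root: str) -> list[Finding]:
    """Triage <root>/autorun.inf if present; an empty list means nothing to report."""
    inf = Path(root) / "autorun.inf"
    return triage_autorun(inf.read_bytes()) if inf.is_file() else []


# Constructed samples (not real malware): a driver CD, a vendor installer, and
# a worm-style file padded with binary junk and disguised as the folder action.
BENIGN_INF = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Driver CD\r\n"
INSTALLER_INF = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.ico\r\n"
_JUNK = bytes(range(0x80, 0x100)) * 3  # 384 bytes of non-ASCII filler
WORMLIKE_INF = (
    _JUNK + b"\r\n[AutoRun]\r\n" + _JUNK + b"\r\n"
    + b"Action=Open folder to view files\r\n"
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n" + _JUNK + b"\r\n"
    + b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0-0-0-1\\payload.dll,entry\r\n"
    + b"UseAutoPlay=1\r\n" + _JUNK
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_INF), ("installer", INSTALLER_INF), ("wormlike", WORMLIKE_INF)):
        print(f"{name}: {len(blob)} bytes, keys={sorted(parse_autorun(blob))}")
        for f in triage_autorun(blob):
            print(f"  [{f.severity}] {f.detail}")
```

Run it against a mounted stick with `scan_volume("E:\\")` before the drive touches a cleaned PC. Note that even the plain vendor installer is reported: any open= or shellexecute= is code that runs on insertion, which is exactly why the posts above insist on disabling AutoRun everywhere (Microsoft's advisory 967940 linked above covers the registry setting) rather than trusting a scan to catch every bad autorun.inf.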
