Clean Up Tips
Malware such as Conficker can still pose a challenge for IT administrators, despite the fact that it is a well-known threat. Even a conscientious IT department that follows responsible practices for quickly installing security updates, installing and monitoring antimalware and intrusion detection systems, and controlling access to file shares can still encounter outbreaks of a threat such as Conficker.
Malware that uses common network protocols such as Server Message Block (SMB) to replicate malware can pose a threat to locked-down file shares, because an infected computer that has write privileges to the file share can pass the infection on to it. A common scenario is one in which a file share is disinfected by server-side antimalware software, but is quickly reinfected when an infected client computer connects to it. This potential for repeated reinfection gives malware that leverages open file shares, such as Conficker, staying power in data centers. Identifying the original source of the infection within the organization is therefore essential for eradicating such malware. Finding it can require a bit of agility and creativity on the part of server administrators.Â
Microsoft provides information to help IT administrators deal with Conficker infections at www.microsoft.com/conficker. The following list provides some additional tips that may help advanced users who possess a good understanding of computer security and Windows administration find computers that are infected with Conficker in order to minimize their attack surface.
Create a â€œrogueâ€ file share, populate it with various executable files and share the directory for full control to all. However, before sharing the folder, turn on Windows monitoring to identify computers that successfully write to the share. The events captured in Windows event viewer with share monitoring enabled will capture enough information to identify the original source of the infection. Use this practice on several shares and systems in the environment and monitor as needed.
On infected computers, check the device log; by default, the Windows installation places this log in C:\Windows\inf\setupapi.dev. The log will contain information about devices such as memory sticks or other USB hardware that has been installed on the system and will help find the original source of the infection if this method was used to install Conficker or other malware that propagates through Autorun.
The original source of the infection is often determined to be a computer inside the organizationâ€™s backup infrastructure. Because of performance and other related factors, many organizations relax security controls for backup systems, which is a big mistake. It is important for the organizationâ€™s IT staff to ensure that basic security practices are in place, especially forÂ an environment in which Conficker is problematic. It isnâ€™t uncommon for malware to be stored on backup servers, because the files are usually encrypted and continuously copied back down to clean servers.
Inside the data center, implement a server administrator file share change control process that reviews and approves file share configurations; such an approach will help minimize the attack surface for malware that uses network shares to replicate. Depending on the size of the organization, it could be a daunting task to implement such a process throughout an entire data center, but at a minimum it should be requiredfor servers that have been identified as repeat offenders and/or other systems that have been deemed critical to the organizationâ€™s service.