Tuesday, March 31, 2009

Confused by Conficker

Back in October of 2008 Microsoft released MS08-067 out of cycle to patch a critical flaw in the SMB service. I got up that morning and kept waiting for the details to be released on the patch so I could make an informed decision as to what we needed to do as a company. As I read the details I felt a strange sensation spread across my body and it reminded me of the early part of this century when internet worms were all the rage. I met with my management team and told them of my concerns and that I felt that we needed to go ahead and patch the systems now. So we called a meeting of all the key players across business systems and I pitched my theory and it was agreed that it was going to be a long night. We put a plan together quickly, ordered pizza and went to work.

Unfortunately our network isn’t perfect and there are systems that we don’t have control over. Not everything was patched and of course the uncontrolled systems were left up to the owner to patch. All we could do was notify them of the need to patch and hope that they did. Since the NAC solution we had purchased was still not in production we didn’t have much to work with other than good faith.

In late January we started seeing a few instances of Conficker due to someone bringing it from home via USB stick. Wasn’t that nice of them. We watched the network and systems pretty closely and cleaned each system as we found it. It occurred to me that our AV wasn’t being as responsive to this as I would have liked. I then took a week’s vacation. When I got back things had taken a turn for the worse. The infections spread and we discovered that our AV vendor was less responsive than we thought. It was easily disabled by Conficker and their signatures were ineffective at detecting and cleaning the infections. It took them 5 weeks to release an updated scan engine that was remotely effective at fighting this. We called tech support and they said “Send us your logs”. We sent them our logs and they responded the next day telling us “Clean this, delete that, disconnect these systems.” All information that we already knew because we read the logs and learned all that information BEFORE sending them the logs. What is the value add here?

The decision was made to bring in another AV vendor and set up a PoC to both test their product and help fight the outbreak. Luckily it was much better at detecting and cleaning machines and it also was able to keep from being disabled by Conficker. We got a handle on the outbreak and things settled down. Logs still showed a few systems here and there that would get hit. Some were cleaned and some weren’t. They were still all systems running the original AV.

Fast forward to this week. I read about the work that has been done in being able to quickly scan your network and basically ask each system “are you infected with Conficker?” and it would tell you. I downloaded the scanner from the honeynet project and ran it. I also downloaded the latest builds of Nessus and Nmap and made sure that they had the required plug-ins and started scanning. I scanned several hundred systems and found only one that reported back to the scanners “Yes, I am infected”. But wait, my daily virus report showed several systems that had infected files. I then ran the scanners against the supposedly infected systems individually. Still, they came back and said “I’m Clean!!!!”. I then pulled a couple of those systems and scanned them remotely with the PoC vendor system and again no infections reported. Next I got the name and location of the infected file and went looking for it. NOTHING!!!! All but one system was really clean even though the AV logs said INFECTED! What gives? Did they hear that I was replacing them and so they sent me an update to make it look worse than it really was? I’m confused.

So, tomorrow is D-Day for Conficker. Many are saying it will be a quiet day. Others aren’t so sure. Me? I have no clue what to expect. I just hope that what I’m seeing in my scans is really what is going on. I just don’t know who to trust or what to expect now. What I do know is that I don’t miss the “good ole days” of worms like I used to think I did. They are exciting for a day or two but that’s about it. These days the malware authors are much craftier than they were a few years ago and it makes my job that much harder.

1 comment:

  1. Why use those approaches? There are more efficient means...such as Registry scanning...