Company got hit with the Conficker worm while I was on vacation. Although it is not directly my job to address it, one could only assume, with all the machines we have, how long it is going to take to remedy the problem.
It is causing some major havoc on our AD servers for some reason... disabling accounts randomly... weird.
Conficker tries to brute-force passwords for fileshares -- that won't disable accounts, but it'll lock them out. Is that what you're seeing?
Quote from: iago on July 06, 2009, 08:38:23 AM
Conficker tries to brute-force passwords for fileshares -- that won't disable accounts, but it'll lock them out. Is that what you're seeing?
Yes. I ran your SMB checks on some of my dev machines and what do you know, infected. Lots of production machines affected too. My Company = yearsbehind.com
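As an added example (not code from anyone in this thread), here is a small detector for the pattern iago describes: a worm brute-forcing fileshare passwords shows up on the domain controllers as many distinct accounts locked out in a short window, all attributed to the same caller computer. The event layout, hostnames and timestamps below are constructed; the field names are modelled on the Windows "account locked out" event (4740 on Server 2008+, 644 on Server 2003).

```python
"""Flag hosts that trigger a burst of AD account lockouts.

Conficker-style fileshare brute forcing does not disable accounts; it trips
the lockout policy. On the domain controller that looks like many different
accounts locked out within minutes, all reported against one caller computer.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, locked-out account, caller computer name),
# modelled on the fields of a Windows "A user account was locked out" event.
SAMPLE_EVENTS = [
    ("2009-07-06 08:01:12", "jsmith",     "DEVBOX-17"),
    ("2009-07-06 08:01:40", "mlee",       "DEVBOX-17"),
    ("2009-07-06 08:02:05", "svc_backup", "DEVBOX-17"),
    ("2009-07-06 08:02:33", "rpatel",     "DEVBOX-17"),
    ("2009-07-06 08:03:10", "ajones",     "DEVBOX-17"),
    ("2009-07-06 08:15:00", "tkim",       "WKS-204"),   # a lone mistyped password
    ("2009-07-06 09:40:00", "bwhite",     "WKS-311"),
]

def parse_events(rows):
    """Turn the raw tuples into (datetime, account, caller) records."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, host)
            for ts, acct, host in rows]

def suspicious_callers(events, window=timedelta(minutes=10), threshold=3):
    """Return {caller: sorted accounts} for every caller computer that locked
    out at least `threshold` distinct accounts inside one sliding `window`."""
    by_host = defaultdict(list)
    for when, acct, host in events:
        by_host[host].append((when, acct))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()                      # oldest first for the sliding window
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1               # drop events older than the window
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) >= threshold:
                flagged[host] = sorted(accounts)
    return flagged

if __name__ == "__main__":
    for host, accounts in suspicious_callers(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(accounts)} accounts locked out -> {accounts}")
```

The caller computer named in the lockout event is the machine to pull off the network and clean first; the single lockouts from other hosts are ordinary user error and are not flagged.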
Fun stuff!
Make sure you patch machines and create strong passwords when you fix them, otherwise they'll get infected again. Also, you might consider temporarily banning USB devices from the network; Conficker will travel on those, too. That's the most likely way it'll initially get into a network.
Quote from: iago on July 06, 2009, 10:37:44 AM
Fun stuff!
Make sure you patch machines and create strong passwords when you fix them, otherwise they'll get infected again. Also, you might consider temporarily banning USB devices from the network; Conficker will travel on those, too. That's the most likely way it'll initially get into a network.
Not my department. I suggested to the security team that we patch the machines months ago in fear of the worm. But listen to me? No.
Even if you're unpatched, having a firewall or filtering router should still prevent the attack. Few organizations let port 445 in at the border (though you never know!).
But, if you're unpatched, all it takes is one infected machine brought onto the network (or an infected USB stick) to introduce it. :)