Author Topic: How Wonderful...  (Read 1846 times)


Offline Lead

How Wonderful...
« on: July 06, 2009, 07:02:50 am »
Company got hit with the Conficker worm while I was on vacation. Although it is not directly my job to address it, one could only assume with all the machines we have how long it is going to take to remedy the problem.

It is causing some major havoc on our AD servers for some reason... disabling accounts randomly... weird.


Quote
Son, if you really want something in this life, you have to work for it. Now quiet! They're about to announce the lottery numbers. - Homer Simpson

Offline iago

Re: How Wonderful...
« Reply #1 on: July 06, 2009, 08:38:23 am »
Conficker tries to brute-force passwords for fileshares -- that won't disable accounts, but it'll lock them out. Is that what you're seeing?
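
One way to triage the lockout symptom described above, as an added example that is not part of the original thread: group account-lockout events by the machine that caused them and flag hosts that lock out several different accounts in a short window, which is what password guessing from an infected host looks like. It assumes lockout events (Event ID 4740 on Windows Server 2008 and later) exported to CSV; the column names, host names, account names and thresholds are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are hypothetical, not a Windows format.
SAMPLE_CSV = """\
time,event_id,account,caller_computer
2009-07-06 06:01:10,4740,asmith,DEV-PC-014
2009-07-06 06:01:42,4740,bjones,DEV-PC-014
2009-07-06 06:03:05,4740,cwu,dev-pc-014
2009-07-06 06:04:30,4740,dlee,DEV-PC-014
2009-07-06 06:10:00,4624,asmith,DEV-PC-014
2009-07-06 07:15:00,4740,jdoe,HR-PC-002
2009-07-06 07:45:00,4740,jdoe,HR-PC-002
2009-07-06 08:00:00,4740,asmith,PROD-WEB-03
2009-07-06 10:30:00,4740,bjones,PROD-WEB-03
2009-07-06 13:00:00,4740,cwu,PROD-WEB-03
"""

LOCKOUT_EVENT_ID = "4740"  # "A user account was locked out"


def lockout_sources(csv_text, window=timedelta(minutes=10), min_accounts=3):
    """Return {host: [accounts]} for hosts that locked out at least
    min_accounts distinct accounts inside one sliding time window."""
    by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != LOCKOUT_EVENT_ID:
            continue  # ignore logons and other event types
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        by_host[row["caller_computer"].upper()].append((ts, row["account"].lower()))

    suspects = {}
    for host, events in by_host.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            suspects[host] = sorted(best)
    return suspects


if __name__ == "__main__":
    for host, accounts in lockout_sources(SAMPLE_CSV).items():
        print(f"{host}: locked out {len(accounts)} accounts: {', '.join(accounts)}")
```

A single user mistyping a password locks out one account repeatedly (HR-PC-002 in the sample) and is not flagged; only hosts that lock out many different accounts close together are.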

Offline Lead

Re: How Wonderful...
« Reply #2 on: July 06, 2009, 08:53:31 am »
Quote from: iago
Conficker tries to brute-force passwords for fileshares -- that won't disable accounts, but it'll lock them out. Is that what you're seeing?


Yes. I ran your SMB checks on some of my dev machines and what do you know, infected. Lots of production machines affected too. My Company = yearsbehind.com



Offline iago

Re: How Wonderful...
« Reply #3 on: July 06, 2009, 10:37:44 am »
Fun stuff!

Make sure you patch machines and create strong passwords when you fix them, otherwise they'll get infected again. Also, you might consider temporarily banning USB devices from the network; Conficker will travel on those, too. That's the most likely way it'll initially get into a network.

Offline Lead

Re: How Wonderful...
« Reply #4 on: July 06, 2009, 10:54:00 am »
Quote from: iago
Fun stuff!

Make sure you patch machines and create strong passwords when you fix them, otherwise they'll get infected again. Also, you might consider temporarily banning USB devices from the network; Conficker will travel on those, too. That's the most likely way it'll initially get into a network.


Not my department. I suggested to the security team that we patch the machines months ago in fear of the worm. But listen to me? No.



Offline iago

Re: How Wonderful...
« Reply #5 on: July 06, 2009, 11:25:48 am »
Even if you're unpatched, having a firewall or filtering router should still prevent the attack. Few organizations let port 445 in at the border (though you never know!)

But, if you're unpatched, all it takes is one infected machine brought onto the network (or an infected USB stick) to introduce it. :)