Worming tablets required

I think our IT department learnt a very valuable lesson today!

Most of our servers sit behind a fortress of firewalls and VPN connections, and yet, today, we find ourselves ashamed of what has happened!

The Conficker grade E worm (Worm:Win32/Conficker.E, identified by the MMPC on April 8, 2009) made its way onto our network. It matters not how it got there, but it does point the finger at our inadequate antivirus products, or perhaps it was more complacency… no single machine is directly linked with the outside world, we use Linux and Unix based firewalls… it couldn’t affect us… could it?

Well it did… the investigation is on… my detective hat is on, and my finger is pointed at a small section of the network with an un-patched server infrastructure. The reasons for not patching them almost outweigh the hassle of dealing with today’s attack: antiquated pieces of software/hardware that we can’t replace/rewrite* simply don’t run on patched operating systems! I’m sure there are other organisations out there with similar problems.

Have a read of what it does: here

It is rather nasty, and has the ability to block access to certain websites, certain applications and certain system administration tasks! (am I the only one to think it is rather clever?… not that I applaud the application of this genius in any way!)

As most of what you’ll read on the internet is about solutions to it, I thought I’d share one of the most annoying symptoms:

  • Account lockout policies being activated.

This one was a huge issue for us! With just under 7000 Active Directory users in the entire organisation, roughly 2500 were locked out… and this number kept rising all day. As you’d imagine, frustrated users were on the phone to the helpdesk, and some people, because of this issue, did not deliver the service that our customers expect.

Fed up with the issue, and not being able to do our normal tasks today (the source control system went down, and all our SharePoint boxes were down to be patched/checked), a colleague and I wrote a Windows Forms application in C# that periodically queried our Active Directory for locked out accounts.

Figure 1: Locked out user account tracker

The progress bar in Figure 1 shows the amount of users affected by this worm. A significant number!
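As an added example, not the C# tool the post describes: a PowerShell poll that does the same count of locked-out accounts, works out the share of enabled users affected, and reads the domain controller’s Security log to list which machines are sending the failed logons. It assumes the RSAT ActiveDirectory module, read access to the PDC emulator’s Security log, and the $PollSeconds interval.

```powershell
# Added example (not the tool from the post): poll Active Directory for locked-out
# accounts, track the share of enabled users affected, and use the domain
# controller's Security log to find the machines generating the bad passwords.
# Assumes the RSAT ActiveDirectory module and rights to read the DC Security log;
# $PollSeconds is an assumption for this illustration.
Import-Module ActiveDirectory

$PollSeconds = 300
$Pdc = (Get-ADDomain).PDCEmulator   # lockouts are forwarded here, so its log is complete

function Get-LockoutSnapshot {
    # Search-ADAccount -LockedOut honours the lockout duration, unlike a raw
    # (lockoutTime>=1) LDAP filter, which also matches accounts whose lockout has expired.
    $locked  = @(Search-ADAccount -LockedOut -UsersOnly)
    $enabled = @(Get-ADUser -Filter 'Enabled -eq $true').Count
    [pscustomobject]@{
        Time          = Get-Date
        Locked        = $locked.Count
        Enabled       = $enabled
        PercentLocked = if ($enabled) { [math]::Round(100 * $locked.Count / $enabled, 1) } else { 0 }
        Accounts      = $locked.SamAccountName
    }
}

function Get-LockoutSources {
    param([datetime]$Since)
    # Event 4740 ("A user account was locked out") names the computer that sent the
    # failing credentials; a few hosts responsible for most lockouts is a strong
    # lead when hunting a password-guessing worm.
    Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
        ForEach-Object {
            if ($_.Message -match 'Caller Computer Name:[ \t]*([^\r\n]+)') { $Matches[1].Trim() }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'CallerComputer'; e = { $_.Name } }, Count
}

while ($true) {
    $snap = Get-LockoutSnapshot
    "{0:u}  locked={1} of {2} enabled ({3}%)" -f $snap.Time, $snap.Locked, $snap.Enabled, $snap.PercentLocked
    Get-LockoutSources -Since $snap.Time.AddSeconds(-$PollSeconds) |
        Select-Object -First 5 | Format-Table -AutoSize
    Start-Sleep -Seconds $PollSeconds
}
```

The caller list is the part worth watching: isolating the handful of hosts at the top of it stops the lockouts at the source rather than just counting them.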

The vet has been called, and a dose of software patches is on the way. Look in the research URLs below if you are yourself scrabbling for a solution. Good Luck :-)

SpittingCAML

* We could replace/rewrite them but it would be far too expensive and disruptive to the business!

Research:

Removing autorun might help prevent spread of the worm
F-secure FAQ on conficker
F-secure technical description of conficker
Conficker Worm: Help Protect Windows from Conficker

Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.


One Response to “Worming tablets required”

  1. Matt Says:

    Well to be honest I am not surprised it happened. The best laid plans of protection will also be broken…. but there again, the method of protection against this has been around for such a long time, you really have to blame the people who make the decisions not to patch. A few days’ productivity down the pan, maybe the share price will drop….. in fact that is probably the most embarrassing thing given the line of work ;-) But hey, it made for a more interesting (and long) day!

    Wonder if I can log on tomorrow?! Current count is 35% of active user accounts are locked.
