Introduction
This is the fifth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
- The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
- The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways how to prevent and recover from one of today's most-destructive threats, should it infect your network and hold your data hostage.
- Third came Two Reasons why IPS is a "Must Have" for your Network, which illustrated how SEP's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
- The Day After: Necessary Steps after a Virus Outbreak is for use after the attacks have ended. This fourth article intends to help admins prevent further attacks and make recovery from any future infection as painless as possible.
This fifth article hopes to give admins the techniques they need to eliminate one of their network's most persistent pests: W32.Downadup, also known as the Conficker worm.
What is Downadup and Why won't it go away?
Installing that patch alone will not make a computer invulnerable: exploiting that vulnerability is only one of the worm's methods of spreading.
Help! Hundreds of Computers are Infected!!
Tracking Down the Infected Computers
What is Risk Tracer?
Article URL http://www.symantec.com/docs/TECH102539
If Risk Tracer is not enabled in your organization or is not functioning, then the logs of SEP's IPS component serve as an excellent indicator. The "Identifying Unprotected Computers" section of the article Two Reasons why IPS is a "Must Have" for your Network provides an illustration of how to identify the Remote Hosts which are sending out W32.Downadup's malicious traffic. If you are seeing "[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked." entries, then W32.Downadup is the cause.
[SID: 23179] Intrusion Detection alerts received on a Symantec Endpoint Protection client for ntoskrnl.exe
Article URL http://www.symantec.com/docs/TECH131438
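As an added example (not from the original article or from Symantec), here is a small script that turns an exported IPS "Attacks" log into a ranked list of the remote hosts generating SID 23179 events, i.e. the machines most likely to be infected. The CSV column names and the log rows are constructed assumptions for the example; adjust the column names to match your SEPM export.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample of an exported SEP IPS log. The column names are an
# assumption for this example, not the exact SEPM export layout.
SAMPLE_LOG = """Event Time,Event Description,Local Host IP,Remote Host IP,Remote Host Name
2013-05-01 09:12:01,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.,10.1.1.20,10.1.1.55,WS-ACCT-07
2013-05-01 09:12:03,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.,10.1.1.21,10.1.1.55,WS-ACCT-07
2013-05-01 09:13:10,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.,10.1.1.20,10.1.2.9,
2013-05-01 09:14:44,[SID: 00000] constructed non-Downadup event blocked.,10.1.1.20,10.1.3.3,FILESRV01
2013-05-01 09:15:00,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.,10.1.1.22,10.1.1.55,WS-ACCT-07
"""

SID_RE = re.compile(r"\[SID:\s*(\d+)\]")
DOWNADUP_SID = "23179"  # MSRPC Server Service RPC CVE-2008-4250 attack blocked


def suspect_hosts(csv_text, sid=DOWNADUP_SID):
    """Return [(remote_host, blocked_events, distinct_local_targets), ...]
    for every remote host that triggered the given SID, busiest host first.
    Falls back to the remote IP when the log has no resolved host name."""
    counts = Counter()
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = SID_RE.search(row["Event Description"])
        if not match or match.group(1) != sid:
            continue  # some other IPS signature; not our worm
        remote = row["Remote Host Name"].strip() or row["Remote Host IP"].strip()
        counts[remote] += 1
        targets[remote].add(row["Local Host IP"].strip())
    return sorted(
        ((host, n, len(targets[host])) for host, n in counts.items()),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    for host, n, spread in suspect_hosts(SAMPLE_LOG):
        print(f"{host:<16} blocked={n:<4} distinct targets={spread}")
```

A host that hits many different local targets in a short window is the one to isolate and clean first; a single event from one host may just be a scan from an already-cleaned machine.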
If neither Risk Tracer nor IPS logs are available, the job is more difficult. Enabling Task Scheduler logging in the Windows Event Logs and then studying their entries will let you know which remote computer has created W32.Downadup's scheduled task on a victim.
How to determine which remote computer has created a malicious scheduled task
Article URL http://www.symantec.com/docs/HOWTO95062
Effectively Cleaning Machines
Monitoring!
One positive note: if there are any lingering traces of the threat still in your network, your users will let you know! Helpdesk calls about accounts being locked out are often a sign that W32.Downadup is present and attempting to spread.
Conclusion
Many thanks for reading! Please do leave comments and feedback below.