Since there are many websites talked for days about Conficker/Downadup. Today, I have something different especially for system admins.
I've been busy for the last three days, building defense lines around critical servers for one of my customers. The source of infection was due to one lazy user, who has no antivirus installed on his laptop. And it didn't take a long time to start spreading and attacking other systems in the network. We have responded fast, otherwise, we would spend the rest of the day, counting how many critical systems are down.
I've been busy for the last three days, building defense lines around critical servers for one of my customers. The source of infection was due to one lazy user, who has no antivirus installed on his laptop. And it didn't take a long time to start spreading and attacking other systems in the network. We have responded fast, otherwise, we would spend the rest of the day, counting how many critical systems are down.
My plan was to build a barrier around critical servers, then move forward. By making sure that every running system is already protected by the current AV software (Symantec Endpoint Protection) that was already blocking the attack successfully. It was not a big hit, because 98% of the systems were protected by SEP, which has decreased the number of infected systems. Cheer up people; I've created a windows batch that would reverse and cure side-effects of Downadup:
1) Re-enable and start the following services:
Background Intelligent Transfer Service
Windows Automatic Update Service
Windows Security Center Service
Windows Defender Service
Windows Error Reporting Service
2) Check MS WSUS for any missed updates (Due to disabling/stopping of windows update service during infection period)
3) Run Symantec FixDownadup tool
4) Install MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)
5) Reboot system
This batch covers the following OS versions:
1) Windows 2000
2) Windows XP
3) Windows 2003
4) Windows Vista SP0/SP1
Note: Some OS versions or 64-bit are not supported by this batch, may be soon.
To start working, first we need to download the required patches + fix tool:
Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE
Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe
Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu
Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users). And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.
Download Batch (MSN SkyDrive Hosting, Right-click & save won't work. Follow the link then click on the white file in the left)
No comments:
Post a Comment