Conficker A virus reinfecting patched machines

20vtguy

Can anyone shed some light on this. I recently had a client who was
infected with the Conficker A. I cleaned the machines last week and
patched them all with the related Windows MS08-067 patch. They were
fine for a few days it seems but now their AV software is again
finding the virus in the system32 folder. I thought once the patch was
installed that the virus could no longer infect the patched machine.
Any ideas why this is happening?

Thanks in advance,
Adam

FromTheRafters

20vtguy said:
Can anyone shed some light on this. I recently had a client who was
infected with the Conficker A. I cleaned the machines last week and
patched them all with the related Windows MS08-067 patch. They were
fine for a few days it seems but now their AV software is again
finding the virus in the system32 folder. I thought once the patch was
installed that the virus could no longer infect the patched machine.
Any ideas why this is happening?

Just to address one point, the patch only addresses the software
vulnerability that is exploited by one vector of spread.

20vtguy

So in a nutshell having the patch in does nothing to prevent a machine
from being infected by the Conficker? So essentially there is no way
to prevent infection from the conficker virus once it gets on the
network. Sounds like I have to start from scratch and clean all the
machines again.

Also Quilly mentioned disabling system restore which I did do, however
unless someone restores a system restore point that is infected the
virus should not actually be able to infect the machine and should
just linger harmlessly within the restore point. Correct? Or can it
somehow reactivate itself from inside the infected but unrestored
restore point. I've never heard of a virus being able to do that.

1PW

20vtguy said:
Can anyone shed some light on this. I recently had a client who was
infected with the Conficker A. I cleaned the machines last week and
patched them all with the related Windows MS08-067 patch. They were
fine for a few days it seems but now their AV software is again
finding the virus in the system32 folder. I thought once the patch was
installed that the virus could no longer infect the patched machine.
Any ideas why this is happening?

Thanks in advance,
Adam

Hello Adam:

Reminder: *none* of the Conficker strains are viruses. True Conficker
infections are _worms_.

Almost everything the /entire/ world knows about the Conficker worm
and its detection and removal can be had through the Conficker Working
Group URL:

<http://www.confickerworkinggroup.org/>

If you've done true due diligence for your client, then your client is
bringing the infection upon themselves through faulty practices and/or
bad decisions. This includes the installation and use of known good
antimalware. Not pretenders. Period.

Has AutoPlay/AutoRun been disabled everywhere?

<http://www.microsoft.com/technet/security/advisory/967940.mspx>

Regards,

Pete

FromTheRafters

So in a nutshell having the patch in does nothing to prevent a machine
from being infected by the Conficker?

***
That should work to keep conficker.a out initially.
***

So essentially there is no way
to prevent infection from the conficker virus once it gets on the
network. Sounds like I have to start from scratch and clean all the
machines again.

***
Maybe this will help you.

http://technet.microsoft.com/en-us/security/dd452420.aspx
***

Also Quilly mentioned disabling system restore which I did do, however
unless someone restores a system restore point that is infected the
virus should not actually be able to infect the machine and should
just linger harmlessly within the restore point. Correct?

***
Correct, but *detection* may still be possible.
***

Or can it
somehow reactivate itself from inside the infected but unrestored
restore point. I've never heard of a virus being able to do that.

***
I haven't heard of that happening yet either.
***

20vtguy

Well it looks like I found the cause. I tried a different nmap script
and now it told me that 4 of the 10 machines had the MS08-067 patch but
that it was likely the conficker and it was likely still infected. So
what I did is I reran the Symantec scan which found the infection on
those machines. After cleaning it I uninstalled the associated patch,
rebooted and went back to MS Windows Update and downloaded and
reinstalled the patch. I then rebooted and reran the scan and
everything was clean. I reran the nmap script on all the machines
again and now those 4 are also coming totally clean.

So what I have learned is, just because the patch is installed doesn't
mean it's the real thing. In this case somehow the Conficker can fool
Windows into thinking the patch is installed when in fact it's a decoy.

Anyway thanks for your help guys.

FromTheRafters

Well it looks like I found the cause. I tried a different nmap script
and now it told me that 4 of the 10 machines had the MS08-067 patch but
that it was likely the conficker and it was likely still infected.

***
I don't know how your script works, but that ingress vector is closed by
the worm itself once you are compromised. Other communications channels
are initiated and the patch at this time is a little like closing the
barn door *after* the livestock has escaped.
***

So what I did is I reran the Symantec scan which found the infection on
those machines. After cleaning it I uninstalled the associated patch,
rebooted and went back to MS Windows Update and downloaded and
reinstalled the patch. I then rebooted and reran the scan and
everything was clean. I reran the nmap script on all the machines
again and now those 4 are also coming totally clean.

***
I don't know about the nmap script, but Symantec is trustworthy IMO.
***

So what I have learned is, just because the patch is installed doesn't
mean it's the real thing.

***
That depends upon what is being used to determine the presence or
absence of the patch.
***

In this case somehow the Conficker can fool
Windows into thinking the patch is installed when in fact it's a decoy.

***
I'm not sure it is Windows that is being fooled. The worm closes off the
ingress vector to the vulnerability out of self preservation and adds
value by keeping it exclusively available to the malware's orchestrators
for future use. *If* they were able to use it, you cannot be confident
as to the state of security of your system.
***

Anyway thanks for your help guys.

***
The "A" version is the least capable, but a backdoor is a backdoor.
***
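The cross-check the thread ends up with (an MS08-067 probe that says "patched" means nothing on its own, because the worm closes that hole itself, so the Conficker-specific probe has to be read alongside it) as an added example that is not code from the thread or from the nmap project. It parses nmap normal (-oN) output from the smb-check-vulns host script that shipped with nmap 4.85/5.x, the Conficker-era release, and turns its two result lines into one verdict per host. The hostnames, addresses and the scan output below are constructed for the example; on current nmap the same checks live in smb-vuln-ms08-067 and smb-vuln-conficker and print in a different layout, which this parser does not handle.

```python
"""Cross-check nmap's MS08-067 and Conficker results per host.

Added example; not code from the thread or from the nmap project.
Parses nmap normal (-oN) output of the smb-check-vulns host script
(nmap 4.85/5.x) and combines its two lines into a single verdict.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample in the layout of nmap 5.x normal output; hosts and
# addresses are made up. ws01 is the thread's case: the MS08-067 probe
# reports the hole closed, but the Conficker probe still gets an answer.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for ws01.example.local (192.0.2.11)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|_ Conficker: Likely INFECTED

Nmap scan report for ws02.example.local (192.0.2.12)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|_ Conficker: Likely CLEAN

Nmap scan report for ws03.example.local (192.0.2.13)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: Likely CLEAN

Nmap scan report for ws04.example.local (192.0.2.14)
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
MS08_RE = re.compile(r"MS08-067:\s*(.+)")
CONF_RE = re.compile(r"Conficker:\s*(.+)")

WORM_PATCHED = "WORM_PATCHED"    # hole closed, but the worm answers: compromised
UNPATCHED = "UNPATCHED"          # MS08-067 still exploitable: install KB958644
PATCHED_CLEAN = "PATCHED_CLEAN"  # hole closed and no Conficker response
UNKNOWN = "UNKNOWN"              # no usable SMB result: verify on the host


def nmap_argv(targets: List[str], include_ms08_067: bool = True) -> List[str]:
    """Build the scan command. With safe=1 smb-check-vulns runs only the
    Conficker probe (the MS08-067 probe is the one that can crash a box)."""
    argv = ["nmap", "-Pn", "-n", "-p", "139,445", "--script", "smb-check-vulns"]
    if not include_ms08_067:
        argv += ["--script-args", "safe=1"]
    argv += ["-oN", "-"]  # normal output to stdout
    return argv + list(targets)


def run_scan(targets: List[str], include_ms08_067: bool = True) -> str:
    """Run nmap and return its normal output (requires nmap on PATH)."""
    proc = subprocess.run(nmap_argv(targets, include_ms08_067),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_hosts(output: str) -> Dict[str, Dict[str, str]]:
    """Return {host: {"ms08_067": state, "conficker": state}}; a check that
    did not run (port closed, disabled) is recorded as an empty string."""
    parts = HOST_RE.split(output)  # [preamble, host1, block1, host2, block2, ...]
    results: Dict[str, Dict[str, str]] = {}
    for host, block in zip(parts[1::2], parts[2::2]):
        ms08 = MS08_RE.search(block)
        conf = CONF_RE.search(block)
        results[host] = {
            "ms08_067": ms08.group(1).strip() if ms08 else "",
            "conficker": conf.group(1).strip() if conf else "",
        }
    return results


def verdict(ms08_067: str, conficker: str) -> str:
    """Combine the two probes. A Conficker hit outranks everything else,
    since an infected host will always look 'NOT VULNERABLE' to MS08-067."""
    ms, cf = ms08_067.upper(), conficker.upper()
    if "INFECTED" in cf:
        return WORM_PATCHED
    if ms.startswith("VULNERABLE"):
        return UNPATCHED
    if ms.startswith("NOT VULNERABLE") and "CLEAN" in cf:
        return PATCHED_CLEAN
    return UNKNOWN


def triage(output: str) -> Dict[str, str]:
    """One verdict per host from a whole nmap normal-output run."""
    return {h: verdict(r["ms08_067"], r["conficker"])
            for h, r in parse_hosts(output).items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_NMAP_OUTPUT).items():
        print(f"{host:24} {result}")
```

Hosts that come back WORM_PATCHED go back to the cleaning queue even though the MS08-067 line says they are patched; once they are clean, confirm the real hotfix (KB958644) is present on the host itself, in Add or Remove Programs or the installed-updates list, rather than trusting the scanner's "patched" line for it. A safe=1 pass that returns "Likely CLEAN" with no MS08-067 result is reported as UNKNOWN on purpose: it says nothing about whether the patch is there.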