Sunday, October 09, 2011

Rid of the Conficker Worm on My Office Network

I would like to share an experience with you all that I had recently battling the Conficker worm on my office network. The reason is that this was unlike any other experience I've ever had trying to get rid of a virus or worm from a network; it was a real nightmare. There are lots and lots of websites around telling people how to tackle this worm, but not many blogs or articles that tell of successes or things to look out for etc., and that's really what I want to share with you today. Hopefully there will be other network technicians who can relate to what I went through, and I'd welcome any comments and feedback.

Okay, so we were all warned that Conficker was coming. It was going to be BIG, no, HUGE. Of course, networks should always be ready for infections, but the truth is most are not. This is a fact and the majority of people who work in IT will tell you so, unless you are lucky enough to be in charge of a medium sized network on a full time basis, which I and most of my office aren't. Most medium sized companies these days opt for a managed service and the support of an IT company with a visiting service. Anyways, all around the world network technicians made sure they were fully patched up and all antivirus was up to date. We made all the appropriate preparations and waited with bated breath to see what would happen. What would the payload be? What would the symptoms be? There were rumours of these things, rumours of an unstoppable beast programmed by Satan himself. The Conficker worm hit my network, so I had a chance to see what would happen after it hit my office domain. Now it is worth mentioning that both my office and the other branch in the same company were using Sophos antivirus on our domains, which had only recently been updated, and you know what? Sophos caught it. A small message popped up on the client machines: 'win32/conficker detected and quarantined'. What was all the fuss about! It seemed that the Conficker worm was not such a ferocious beast after all. I breathed a sigh of relief and went about my job.

For nearly a whole year nothing happened on my domains. So far I had escaped unscathed. In fact, if I'm honest, I forgot about the Conficker virus. One day one of the managers said to me, 'the network is running slow and has been for a while'. As I have already said, I am part of a visiting service - I don't use these networks on a daily basis. Most of the time the first a tech will hear of an issue like this is when a user tells them so. The first thing I did was look at the LEDs on the switches. Sure enough they were lit up like Christmas trees. The lights were going ten to the dozen. This was a sure sign that there was a lot of activity going on in the network. I singled out one of the PCs and ran a Sophos check on it. Nothing. I started doing a bit of digging and my users started telling me other things too. Their USB sticks did not autorun anymore. Their antivirus was not updating. I later learned that Conficker stops them doing this; it had mutated and this was why it had not been picked up. So Sophos did not detect my intrusion. I lost a bit of faith in antivirus programs that day, I can tell you. I used a program called Malwarebytes and it detected Conficker. So I ran Malwarebytes on all of the machines, with success. But no sooner had the Conficker worm been removed than it appeared again. This thing was becoming a nightmare. USB sticks were not working properly, the network was still slow, Microsoft updates were not working, antivirus would not update, and then things got really bad when users could not log on anymore. Conficker had spread to my server and locked users out.

So what did I do? Well, my experiences from here on in were extensive and intensive. I learned so much from this worm about trying to secure a computer and a network that I decided to put my findings up on the web for all to see. I will write more on this in my next article.
