preventing conficker/downadup worm

Overview

I am still in the process of learning this myself, but what I know I will share.

I don't believe Windows 9x/ME machines are affected by this worm.

According to an older article, I discovered that having File and Printer Sharing on, even if you have a firewall, is Conficker worm bait. It breaks in through port 445/RPC and takes advantage of a flaw in the Microsoft security patch MS08-067 (and here Microsoft was saying they fixed it). I have XP SP3 and recently applied this patch, though I am not sure I needed to. I found this out after having been infected by Conficker (and subsequently cleaning my machine with a copy of ClamWin 0.95-1 I had lying around on my machine).

Antivirus packages probably won't patch your network system files to prevent the worm, according to the article, which is now a bit dated, since Conficker C, D, and E have appeared since it was written.

prevention

I can do several things on all the machines on the network or on the internet:
  1. change the admin password and user passwords. Use a random combination of upper- and lowercase letters and digits, and if you can, throw in some punctuation. Write it down so you don't forget it. The other program is only for Enterprise licensees of Microsoft OS's, and it can actually change passwords, which is what I want.
  2. turn off File and Printer Sharing on your network connection:
     XP: Start, Connect To, Show all Connections. Right-click on your internet connection, Properties, uncheck "File and Printer Sharing for Microsoft Networks", click OK.
     Vista: Start | Control Panel | Network and Internet | Network and Sharing Center | right-click on the Local Area Connection (or wireless or dialup) and select Properties | turn off File and Printer Sharing.
     7: Start, Control Panel, View Network Status and Tasks, Change adapter settings, right-click on the adapter and pick Properties, turn off File and Printer Sharing.
  3. if you have a high-end router/firewall (or a software firewall that comes with your Internet Security package) that supports 2-way port blocking, block the following ports (block them anyway even if you don't have 2-way!):
     135-139, 593  NetBIOS (Windows) - Conficker may be using these ports too.
     445           RPC / File and Printer Sharing (Windows) - this is the port Conficker breaks in through.
     1900          Windows Messenger (optional; not always on that port, newer versions use port 80/HTTP)
     515           lpd (Unix)
     [Just for safety, I would block both TCP and UDP ports.]

Your network properties should look like this after you are done (with File and Printer Sharing unchecked):
[image: network properties]
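As an added example (not from the original post), here is a PowerShell script that audits a Vista/7 machine against the prevention checklist above and, with -Apply, adds Windows Firewall rules that block the listed ports in both directions, the 2-way blocking the author's router could not do. It assumes KB958644 is the update that ships MS08-067 and that netsh advfirewall is available (Vista or later; XP's firewall has no outbound rules).

```powershell
# Added example, not from the original post. Audits the machine against the
# prevention checklist and optionally adds 2-way host-firewall block rules.
# Assumption: KB958644 is the MS08-067 update (XP/Vista/2008); netsh advfirewall
# needs Vista or later. Run from an elevated PowerShell prompt.
param([switch]$Apply)

# The port list from the prevention section above.
$Ports = '135-139,445,593,515,1900'

function Test-Ms08067Patch {
    # Conficker exploits the Server service flaw that MS08-067 fixes.
    $hf = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if ($hf) { "OK   MS08-067 (KB958644) installed on $($hf.InstalledOn)" }
    else     { "WARN MS08-067 (KB958644) not found - apply it before anything else" }
}

function Test-FileSharing {
    # File and Printer Sharing is provided by the Server (LanmanServer) service;
    # while it runs, SMB on port 445 is reachable from the LAN whatever the router does.
    $svc = Get-Service -Name LanmanServer
    $listening = netstat -ano | Select-String ':445\s+\S+\s+LISTENING'
    "INFO Server service is $($svc.Status); port 445 listening: $([bool]$listening)"
}

function Add-ConfickerBlockRules {
    # Four rules: inbound and outbound, TCP and UDP. Inbound rules match the
    # local port, outbound rules the remote port (the port a worm would dial out to).
    foreach ($dir in 'in', 'out') {
        $portArg = if ($dir -eq 'in') { "localport=$Ports" } else { "remoteport=$Ports" }
        foreach ($proto in 'TCP', 'UDP') {
            netsh advfirewall firewall add rule name="ConfickerBlock_${proto}_$dir" `
                dir=$dir action=block protocol=$proto $portArg | Out-Null
        }
    }
    "OK   Added 2-way block rules for ports $Ports"
}

Test-Ms08067Patch
Test-FileSharing
if ($Apply) { Add-ConfickerBlockRules }
else { "INFO Re-run with -Apply (elevated) to add the firewall rules" }
```

Without -Apply the script only reports; the firewall rules are added by name, so they can be removed later with netsh advfirewall firewall delete rule.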

a cure

  1. [Windows logo key]+R, c:\windows\system32\mrt.exe, [Enter]; do a full scan.
  2. do a full antivirus scan. If it doesn't find it,
  3. run Malwarebytes' Anti-Malware.
  4. download and run a full scan and clean with ClamWin, ClamXav, or ClamAV. Your antivirus package may not allow other valid antivirus packages like this one to reside on the same machine and will probably remove it. ClamAV is THE antivirus package used on Unix boxen, ported to other platforms. It has no "shields" or "real-time scanning" yet (so donate?).

discussion

Most off-the-shelf routers like Linksys, D-Link, and Netgear do not seem to support 2-way port blocking; they only support blocking incoming attacks. The problem is that by default, Windows has File and Printer Sharing turned on, which opens an outgoing port. Most routers can block this. No matter: Conficker barges through the incoming port through most firewalls (and my Linksys router; it has a NAT firewall). I blocked the port specifically and I still got the worm, but a late-night Linksys tech recommended I upgrade my firmware, and I had the latest. The Linksys router I have only allows blocking of incoming traffic (according to the manual). Nothing is said about letting any traffic go out! (I want more control; any suggestions? I need a 4-port.) What it comes down to is this: your basic router is not going to keep Conficker out.

[Does anyone know if the DD-WRT firmware supports 2-way port blocking? My guess is that, like most routers, it blocks incoming ports but not outgoing ports.]

The version of Conficker I ended up with scattered a bunch of randomly-named executables all around (and some ended up in System Restore backups). I have an XP machine. It hardly seemed to do any damage to the existing files, except maybe one (not sure if it was mine). Other versions of the worm, like B, actually patch some Vista system files (networking included).

If you do get Conficker, it will block the domains that belong to many antivirus packages, according to this Microsoft security article, including ClamWin, McAfee, Norton, Kaspersky, etc. You can clean the vermin off by running MRT.exe, which is in \windows\system32. This program gets updated on a regular basis by Microsoft. Start, Run, mrt [Enter] OR [Windows logo key]+R, mrt, [Enter] (the latter is required for Vista/7, which do not have Start | Run enabled by default). MRT is the Windows Malicious Software Removal Tool.