USB Security‎ > ‎

Conficker / Downad


Conficker / Downad

Conficker Eye Chart


 

How to interpret:

If you see this above: It probably means this:
First row = 3 images
Second row = 3 images
 Normal/Not Infected by Conficker (or using proxy)
First row = no images
Second row = 3 images
 Possibly Infected by Conficker (C variant or greater)
First row = only center image
Second row = 3 images
 Possibly Infected by Conficker A/B variant
no images above
 Image loading turned off in browser?
Any other combination Poor Internet connection?

 

Explanation:

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

 

F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc. 

This page is based on the idea and work of the Conficker working group

Another page which simplifies this test is available here


Tools

SCS tool (original tool) + MS08-67 test  - Scan
networks and check local/remote machines for MS08-67, Source

McAfee Conficker detection tool - Based on the SCS tool above

McAfee Avert Stinger tool for removing Conficker

McAfee - Combating the Conficker (PDF)

MS08-67 (The major vulnerability the Conficker uses to attack) page with links to KB958644 to block the vulnerability

USB Security Tools - Immunize the USB storage device from autorun malware


Tips

  • MS08-67 provides KB958644 for all it's systems, systeminfo is a command line method to check if the system is protected.
Check in local system: systeminfo |find "KB958644"
Check on a remote system: systeminfo /S [computername] |find "KB958644"
Check on a remote system: systeminfo /S [computername] /u [user] /p [pwd] |find "KB958644"

  • Disabling autorun (autorun.inf)
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT, create a .reg file with:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
It is critical to restart the system after updating the registry or deleting the registry key:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

If they have the KB then you can use the official Microsoft method for disabling autorun

At the bottom of this page you can find an easy to use ADM template file for use with the GPO without the Microsoft hotfix - autorunforcedisable.adm

If this is a new system with no USB storage device ever connected:

Set deny permissions for the user/s and/or group/s to:
  1. %SystemRoot%\Inf\Usbstor.pnf
  2. %SystemRoot%\Inf\Usbstor.inf
If you aren't sure or know a USB storage device was previously connected:

Either run this on the machine or do what it does, change:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Key: Start

To: 4 (Hex)

GPO ADM Template is available at the bottom of the page - usbstore.adm

  • Consider using other lockdown tools (most good ones require proper integration and are not free), if you have just a couple of public
computers you might want to look at Microsoft SteadyState which has a simple interface to perform some very nice LGPO lockdown's and even has

a feature to discard any changes made by the user on reboot.

  • USB Information tool (e.g. Find S/N, VID, PID)

USBDeview - Cached version available in file cabinet

  • Protect the USB storage device
To disable write access only to USB storage devices (XP SP2 and above only!) set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies

add:

DWORD: WriteProtect=1

To disable remove the DWORD value or set it to 0 (zero).

Below you can find an ADM template I created named usbro.adm

  • Protect the USB storage device
Even if the computer is protected it could still become infected on other computers and have a malware autorun.inf and related files added to it, there are two ways to deal with it:

1) Use the USB Autorun Protect tool (from the File-Cabinet) - it will protect the drive (FAT/FAT32/NTFS), created by Erez Kalman

NEW! Version 1.3 has been released!!

This tool takes several steps to make it very difficult to enter/edit/remove the protection (except when using the tool) among them playing around with the file system, ACL (if NTFS) and more...




2) Create a directory called autorun.inf then add the attributes +r +s +h (Read only, System, Hidden) - this isn't full proof but is simple and works on all drives, make sure to add an autorun.inf file inside the directory and provide it with the same three attributes.

3) Use the Panda Security USB and Autorun Vaccine tool, the tool can be memory resident and provides two options:

First one: Computer Vaccination - Performs the change shown at the top of this page:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Second one: USB Drive Vaccination - Creates an unreadable/uneditable/undeletable (well, if you study how it works it can be deleted) file that unless you know how.... can only be deleted by formatting the disk - works only on FAT32 drives (no NTFS!!)

Command line usage:

USBVaccine.exe [ A|B|C…|Z ] [ +system|-system ] [ /resident [/hidetray] ]

[drive unit]:   Vaccinate drive unit
+system :    Computer vaccination
-system :     Remove computer vaccination
/resident:     Start program hidden and prompt for vaccinating every new drive 
/hidetray:     Hides tray icon when used with the /resident command

Examples:
To vaccinate USB drives F:\ and G:\, use 
   USBVaccine.exe F G

To vaccinate the computer, use
   USBVaccine.exe +system

To vaccinate computer and prompt for vaccinating every new drive without showing a tray icon, use 
   USBVaccine.exe /resident /hidetray +system

It could be very useful to create a Shortcut in the Startup folder to USBVaccine.exe with this last command line (or without the /hidetray) to make sure that every time you boot the computer USBVaccine gets loaded by the system and it vaccinates the computer and prompts the user for vaccinating any new non-vaccinated USB drive. However if you do this under Vista, UAC will block it from running at Startup as it requires admin priviledges.


Microsoft is a registered trademarks of Microsoft.
  McAfee and/or Avert and/or Stinger are registered trademarks of McAfee.
Utility's and/or names and/or knowledge in this page may be (C) and/or (R) and/or (TM) of their respective owners.
Special thanks to Felix Leder and Tillmann Werner whose original research forms the basis of these utility/s.
Č
ċ
ď
v.2
autorunforcedisable.adm
(0k)
Erez Kalman,
May 12, 2009 1:17 PM
ċ
ď
v.2
usbro.adm
(0k)
Erez Kalman,
May 17, 2009 12:10 PM
ċ
ď
v.2
usbstore.adm
(1k)
Erez Kalman,
Apr 2, 2009 12:43 PM