How to track and find Conficker infections on your network
Sophos product and version
Sophos Anti-Virus for Windows 2000+
For details on how to clean Conficker from your network, please see the following knowledgebase article Removing W32/Confick and Mal/Conficker.
About the virus
Conficker will spread using three methods:
- Spreads via the MS08-067 exploit
- Spreads via Windows file sharing
- Spreads via removable media such as USB drives
Please see the article Removing W32/Confick and Mal/Conficker for removal and more details on how to stop the spread.
Conficker will only spread from unprotected computers. Computers with the latest version of Sophos Anti-Virus and the correct scanner settings (see article 51169) will not be able to execute the Conficker files.
You may get lots of alerts for Conficker in your Enterprise Console/Control Centre. These are not your priority: you will need to track down the unprotected computers that are actually executing, and therefore spreading, Conficker.
What to do
There are a few tools which you can use to track and find Conficker infected computers on your network:
- Security Event logs
- Network monitoring tools
- Firewalls with logging (e.g. the Sophos Client Firewall)
Scenario A - Conficker is spreading by using the exploit
- Conficker files with a .dll extension are dropped in the System32 folder
- Buffer overflow alerts are generated by the Sophos HIPS scanner for svchost.exe
Firstly, on a well managed network this should not happen. If Conficker is spreading by using the exploit, you have not patched your computers with MS08-067. This patch applies to all Windows NT based operating systems regardless of the service pack. Patch your computers!
In this scenario, you can only track the source of the infection by installing Wireshark on a target computer.
Scenario B - Conficker is spreading by using file and print sharing
- Conficker files with a random extension are dropped in the System32 folder
- Patched computers are reinfected
- Account lock-outs are occurring
This is the most common method of spreading for Conficker, since it will still work even if the computers are patched with MS08-067.
There are several ways of tracking these types of infection:
1. The best way of tracking infected computers is by using the Security Event logs on your Domain Controller.
- Ensure that the Auditing has been enabled as follows:
- Start | Administrative Tools | Default Domain Controller Security Policy
- Security Settings | Local Policies | Audit Policy | Audit Logon Events
- Ensure that this is set to “Success, Failure”.
- Go to your Domain Controllers and open the Event Viewer.
- Go to the Security Event logs.
- You will see lots of Failure Audits for logon attempts. The Event ID of interest is “529”.
- Open these event 529 messages and look for the line that mentions 'Workstation Name' (see screen print below).
- The “Workstation Name” field will show the IP address or machine name of the client computer that is actively running Conficker and spreading to your other computers.
- Go to this computer, ensure it is patched.
- Install Sophos Anti-Virus and then scan and clean the computer.
This method, which uses the Security Event logs to find Conficker computers, is the easiest as you can obtain a list of multiple client computers quickly.
In the example shown in the following screen shot, the workstation name is FNDPC042.
If the name of the machine is another one of your domain controllers, please ensure that the domain controller mentioned is clean, protected and patched. If it is, open the Security Event logs on this machine and look for another 529 Event ID generated at the same time as the original one. This will mention the workstation that caused the initial logon failure.
If you have more than one Domain Controller, you will need to check each of the Security Event logs for failure audits.
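To work through method 1 without opening every event 529 by hand, the following Python script is an added example (it is not part of this article and not a Sophos tool). It tallies 529 failure audits per Workstation Name, drops one-off failures so that a user mistyping a password does not look like a spreader, flags names that belong to domain controllers, and for those performs the pivot described above: look in that domain controller's own Security log for 529 events generated at the same time and read the Workstation Name from them. It assumes the events have been exported from the Security log with their timestamp, Event ID and message text, and that the message uses the Windows 2000/2003 "Logon Failure:" layout with a "Workstation Name:" line. The sample events, the machine names other than FNDPC042, and the function names are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# The 'Workstation Name:' line of a Windows 2000/2003 event 529 message.
WORKSTATION_RE = re.compile(r"Workstation Name:\s*([^\s]+)", re.IGNORECASE)


def make_event(ts, event_id, user, workstation, header="Logon Failure:"):
    """Build a constructed event whose text follows the event 529 message layout."""
    msg = (f"{header}\n"
           "\tReason:\t\tUnknown user name or bad password\n"
           f"\tUser Name:\t{user}\n"
           "\tDomain:\t\tCORP\n"
           "\tLogon Type:\t3\n"
           "\tLogon Process:\tNtLmSsp\n"
           "\tAuthentication Package:\tNTLM\n"
           f"\tWorkstation Name:\t{workstation}\n")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": event_id, "message": msg}


# Constructed sample: Security log export from domain controller DC1.
DC1_EVENTS = [
    make_event("2009-01-20 09:14:02", 529, "administrator", "FNDPC042"),
    make_event("2009-01-20 09:14:03", 529, "admin", "FNDPC042"),
    make_event("2009-01-20 09:14:03", 529, "jsmith", "FNDPC042"),
    make_event("2009-01-20 09:15:10", 529, "administrator", "DC2"),  # another DC
    make_event("2009-01-20 09:15:11", 529, "administrator", "DC2"),
    make_event("2009-01-20 09:30:00", 528, "jsmith", "FNDPC007", "Successful Logon:"),
    make_event("2009-01-20 09:31:45", 529, "jsmith", "FNDPC007"),  # single typo
]
# Constructed sample: Security log export from DC2, used for the pivot.
DC2_EVENTS = [
    make_event("2009-01-20 09:15:09", 529, "administrator", "FNDPC088"),
    make_event("2009-01-20 09:15:10", 529, "administrator", "FNDPC088"),
    make_event("2009-01-20 11:00:00", 529, "administrator", "FNDPC001"),
]


def workstation_of(event):
    """Return the upper-cased Workstation Name from an event message, or None."""
    m = WORKSTATION_RE.search(event["message"])
    return m.group(1).upper() if m else None


def tally_failures(events, event_id=529):
    """Count failure audits per Workstation Name; only the given Event ID counts."""
    counts = Counter()
    for ev in events:
        if ev["id"] == event_id:
            ws = workstation_of(ev)
            if ws:
                counts[ws] += 1
    return counts


def rank_sources(events, domain_controllers, min_failures=2):
    """Return [(workstation, failures, is_domain_controller)] sorted by failures,
    skipping names below min_failures so a single mistyped password is ignored."""
    dcs = {d.upper() for d in domain_controllers}
    ranked = [(ws, n, ws in dcs)
              for ws, n in tally_failures(events).items() if n >= min_failures]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def pivot_to_dc(dc_events, original_time, window_seconds=5):
    """If the Workstation Name is another domain controller, search that DC's own
    Security log for 529 events at (about) the same time and return the
    Workstation Names they mention; these are the real origin of the logon failure."""
    lo = original_time - timedelta(seconds=window_seconds)
    hi = original_time + timedelta(seconds=window_seconds)
    names = []
    for ev in dc_events:
        if ev["id"] == 529 and lo <= ev["time"] <= hi:
            ws = workstation_of(ev)
            if ws and ws not in names:
                names.append(ws)
    return names


def events_from_workstation(events, workstation):
    """All 529 events on this DC whose Workstation Name is the given machine."""
    return [ev for ev in events
            if ev["id"] == 529 and workstation_of(ev) == workstation.upper()]


if __name__ == "__main__":
    for ws, n, is_dc in rank_sources(DC1_EVENTS, ["DC1", "DC2"]):
        note = "  <- domain controller: check its own Security log" if is_dc else ""
        print(f"{ws:10} {n:3} failure audits{note}")
    for ev in events_from_workstation(DC1_EVENTS, "DC2"):
        print("DC2 log at", ev["time"], "points to:", pivot_to_dc(DC2_EVENTS, ev["time"]))
```

Run against a real export, the ranked list is your work list: visit the top entries first, confirm they are patched, install Sophos Anti-Virus and scan. A domain controller at the top of the list is not itself the answer until its own log has been checked with the pivot, exactly as the text describes.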
2. The second best method of tracking computers is to use a Network monitoring tool - in this example, Wireshark.
- Download and install Wireshark on a computer that repeatedly has Conficker files dropped on it by an infected computer.
- Start the logging within Wireshark.
- Within Sophos Anti-Virus make a note of the Conficker file detected in the System32 folder.
- Clean up the Conficker files.
- Once the computer redetects Conficker, stop the Wireshark log.
- In the Wireshark log, press Ctrl-F to open the Find window.
- Select 'String' as your search location.
- Type in the name of the System32 file that is dropped by Conficker on this computer.
- This will give you the IP address of the infection source.
3. The third method of tracking computers is to use the Sophos Client Firewall (if you are licensed for it).
- Within Sophos Anti-Virus, clean up the Conficker files.
- Open the Firewall log (right click on the Sophos Client Firewall icon and 'view log').
- Once the infection has returned to this computer, the connection that delivered it will be listed under the 'Allowed Connections' section.
- It will be NetBIOS traffic and the IP address of the offending computer will be listed in the 'Remote Address' column.
Conficker will not be able to spread if you have followed article 51169 fully.
Scenario C - Conficker is spreading by using USB pen/removable media
- W32/ConfInf-A detections
- Patched computers are reinfected
- Computers with File and Print sharing blocked are being reinfected
Sophos Anti-Virus will detect the infected USB pen with a W32/ConfInf detection. You will need to speak with the user of that computer and ask them to clean or format the USB pen.