So for the past two weeks we have been absolutely getting hammered with calls in CSS Security here at MS from organizations that have contracted this piece of malware.
You can find write-ups from various AV companies at the following URLs:
So the write-ups are all pretty good; some have details that the others don't, etc. We see a range of cases, from customers missing the patch to those who are completely patched but are still seeing this piece of malware in their environment causing issues. The interesting thing about this piece of malware is that it really singles out organizations that have not done a good job with their security policies and procedures.

The MMPC group made a post about this piece of malware at http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx where they linked Jesper's password paper from 2005, http://technet.microsoft.com/en-us/library/cc512606.aspx !!! This guidance and similar guidance has been out for 3+ years now and we still have customers that aren't following it. I sometimes wonder if we should just push out a "critical update" that applies to all DCs and updates their Default Domain and Default Domain Controller Policies to something more acceptable; of course we would probably pull a lot of flak for that. /Rant Off
So, things you should look at doing if you are hit with this:
- Disable Account Lockouts: You are already jacked; why make it worse by leaving the account lockout policy in place so that the malware's password guessing locks out your legitimate users as well?
- If you are not patched (especially MS08-067), do so immediately.
- Find a machine that you know is infected and see whether your AV will clean it up with the latest definitions/client. If it is not cleaning it, open a case with your AV vendor as well; they are the ones who will update definitions to properly detect/remove the malware in your environment (believe me, you want this instead of manually running around cleaning off systems).
- Enable Password Complexity: Like the Account Lockouts setting, this lives in your Default Domain Policy. If you don't have it enabled, odds are 10+% of your population is using one of the weak passwords on the list from those write-ups on the malware, and as long as you have users with those passwords you are still going to have issues with the malware spreading. You should probably also get someone working on that org-wide email explaining the new password policy to your users: at least X characters, drawn from three of the four classes (upper case, lower case, numbers, special characters). You will also want to look into a script or tool to expire passwords selectively, so you don't whack things like service accounts you aren't ready to change. Check out Joeware's oldcmp and expire utilities at http://www.joeware.net/freetools/ : you can dump users selectively by OU to get lists with their password age, then pass those lists to the expire utility to force password changes across groups of users. Or, if you're a masochist, you can just expire them all and deal with the consequences.
- Password Complexity on local accounts: Is the password on your local Administrator accounts one of those on the list from the write-ups? If so, you had better get it changed.
- Share Permissions: This one is more complex to explain. Basically, for any network share that you know multiple users map drives to, you need to lock the permissions down in this fashion: at the root of the share, remove Write/Modify access for Everyone, and grant users full control on the contents of the subfolders in the share instead. The way the malware works is that if you have, say, an N: drive mapped to \\FILE01\Data, it drops malware.exe in the root of N: along with an autorun.inf in the same place pointing at malware.exe. The next user who has the same N: drive mapped double-clicks the drive icon and runs malware.exe. (Yes, this can be mitigated by autorun settings, but do you know that those are set on your clients? It may be a good idea to push those by GPO as well.)
- Stop logging into infected machines with Domain Admin accounts: One characteristic of the malware is that it can use impersonation and can sit in the Run key so that it runs under the logged-on user's context. So when you log on to that infected system with your DA account, guess what: you just helped it spread without it needing to guess passwords or use a vulnerability, because everything it does is allowed under your privileges.
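As an added example (not code from the original post), here is a Python check that applies the rules the built-in Windows "Password must meet complexity requirements" filter enforces on a candidate password: a minimum length, at least three character classes (the built-in filter actually counts five classes, the fifth being letters that are neither upper nor lower case, which the usual "3 of 4" shorthand leaves out), and no occurrence of the account name or of any display-name fragment longer than two characters. It also screens against a deny-list; the list in the code is a constructed stand-in, so substitute the guessed-password list from the AV write-ups. The minimum length of 8 is an assumption; use whatever your Minimum password length policy says. This is for vetting a proposed policy, or a helpdesk script that tests what a user is about to pick, before you run the expire pass.

```python
"""Windows-style password complexity check.  Added example; not from the post."""
import re

# Separators Windows uses when it splits the display name into tokens.
_NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]+")

# Constructed stand-in for the guessing list in the AV write-ups; replace it
# with the real list (assumption: you store that list lower-cased).
KNOWN_GUESSED = {"password", "123456", "admin", "letmein"}


def character_classes(password):
    """Return the set of classes present: upper, lower, digit, symbol and
    other_letter (letters with no case, e.g. CJK).  The built-in filter's
    symbol set differs slightly (currency symbols are excluded there); this
    counts every remaining printable character as a symbol, an approximation."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("other_letter")
        else:
            classes.add("symbol")
    return classes


def name_tokens(sam_account_name, display_name):
    """Strings the password may not contain (case-insensitive): the whole
    samAccountName if it is at least 3 characters, plus every display-name
    fragment longer than two characters."""
    tokens = set()
    if sam_account_name and len(sam_account_name) >= 3:
        tokens.add(sam_account_name.lower())
    for part in _NAME_SEPARATORS.split(display_name or ""):
        if len(part) > 2:
            tokens.add(part.lower())
    return tokens


def check_password(password, sam_account_name="", display_name="", min_length=8):
    """Return the list of reasons the password fails; an empty list means it
    passes the policy as modelled here."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if len(character_classes(password)) < 3:
        reasons.append("fewer than 3 of the 5 character classes")
    lowered = password.lower()
    for token in sorted(name_tokens(sam_account_name, display_name)):
        if token in lowered:
            reasons.append("contains account/display-name fragment '%s'" % token)
    if lowered in KNOWN_GUESSED:
        reasons.append("on the known guessed-password list")
    return reasons


if __name__ == "__main__":
    for pw in ("password", "alllowercase1", "Smith#Road77", "Jo#Road7777"):
        print(pw, "->", check_password(pw, "jsmith", "John Smith") or "OK")
```

Note that the account-name and display-name checks are the part most home-grown scripts forget: "Jsmith!2009xy" satisfies the character-class rule and still fails, because it contains the samAccountName.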
I may add more to this; it's getting late my time and I'm sure it's going to be another long day tomorrow. Hopefully this helps someone.
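As an added example (not from the original post), here is a Python triage script for the share-root drop pattern described under Share Permissions above: it reads the autorun.inf at the root of a share, tolerates the junk padding such files are usually stuffed with (a strict INI parser would just fail), pulls out the directives that launch something (open, shellexecute and the shell\verb\command form, including rundll32 payloads, whatever extension they carry) and reports whether each target actually sits inside the share. The share paths, file names and autorun.inf contents in build_demo_shares are constructed for the demo; point scan_share_root at a real mapped share to use it. It only reports, never executes or deletes anything; cleanup still goes through your AV vendor as described above.

```python
"""Triage an autorun.inf at the root of a network share.  Added example."""
import os
import re
import tempfile

# Extensions an open=/shellexecute= line launches directly.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".dll"}
# Directives that run something: open, shellexecute and shell\<verb>\command
# (the right-click verbs Explorer shows for the drive).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)


def parse_autorun(text):
    """Return (directive, value) pairs for launch directives inside [autorun].
    Deliberately tolerant: anything that is not key=value in that section is
    skipped rather than treated as a parse error."""
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if LAUNCH_KEY.match(key):
            entries.append((key, value.strip()))
    return entries


def launch_targets(value):
    """Pick out the file(s) a directive would execute.  rundll32 is special-cased
    because its payload is the DLL argument, whatever extension it carries."""
    tokens = [t.strip('"') for t in re.split(r"[\s,]+", value) if t.strip('"')]
    if tokens and os.path.basename(tokens[0].replace("\\", "/")).lower() in ("rundll32.exe", "rundll32"):
        targets, rest = tokens[1:2], tokens[2:]
    else:
        targets, rest = [], tokens
    targets += [t for t in rest if os.path.splitext(t)[1].lower() in EXECUTABLE_EXT]
    return list(dict.fromkeys(targets))  # keep order, drop duplicates


def scan_share_root(root):
    """Report every launch directive in <root>\\autorun.inf with a flag saying
    whether its target exists inside the share (a dropped payload).  Returns
    [] when there is no autorun.inf at all."""
    root = os.path.abspath(root)
    names = {n.lower(): n for n in os.listdir(root)}  # share names are case-insensitive
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), "rb") as f:
        text = f.read().decode("latin-1")  # junk bytes decode 1:1 and never raise
    findings = []
    for key, value in parse_autorun(text):
        for target in launch_targets(value):
            candidate = os.path.normpath(os.path.join(root, target.replace("\\", "/")))
            inside = candidate.startswith(root + os.sep)
            findings.append({
                "directive": key,
                "command": value,
                "target": target,
                "payload_present": inside and os.path.isfile(candidate),
            })
    return findings


def build_demo_shares():
    """Constructed sample data (not a real sample): one share root carrying the
    pattern from the post (malware.exe plus an autorun.inf pointing at it,
    padded with junk) and one clean share root."""
    infected = tempfile.mkdtemp(prefix="share_infected_")
    clean = tempfile.mkdtemp(prefix="share_clean_")
    with open(os.path.join(infected, "malware.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real binary")
    junk = b"\x01\x9f\xfe" * 8 + b"\r\n"
    autorun = (
        junk
        + b"[AutoRun]\r\n"
        + junk
        + b"action=Open folder to view files\r\n"       # label that mimics Explorer's normal choice
        + b"icon=%systemroot%\\system32\\shell32.dll,4\r\n"  # not a launch directive, ignored
        + b"open=malware.exe\r\n"
        + b"shell\\open\\command=.\\malware.exe\r\n"
        + junk
    )
    with open(os.path.join(infected, "autorun.inf"), "wb") as f:
        f.write(autorun)
    with open(os.path.join(clean, "quarterly.xlsx"), "wb") as f:
        f.write(b"not a real workbook")
    return infected, clean


if __name__ == "__main__":
    for share in build_demo_shares():
        print(share, scan_share_root(share))
```

Run it against every share users map drives to; any autorun.inf at the root of a file share is worth a look, and a launch directive whose payload is present is the signature of the drop described above.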