I think MS08-067 just stops propagation from remote machines (or it should?), but you can get infected directly from the malware.

GuidoElia HELPPC
_____
From: Rankin, James R [mailto:[email protected]]
Sent: Thursday, 24 February 2011 07:59
To: NT System Admin Issues
Subject: Re: Conficker

I am looking at deploying SCOM ACS when I finish the XenApp stuff, so that should help track the lockouts.

Typed frustratingly slowly on my BlackBerry® wireless device

_____
From: Greg Olson <[email protected]>
Date: Wed, 23 Feb 2011 22:24:15 +0000
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: RE: Conficker

I can confirm that it does exactly this, as it was trying to log in with AD service accounts from a laptop that we had created as a one-off for a Linux server. We got hit with it again last week on two machines, but luckily we were running account lockout software that tracks lockouts in real time, and it was really easy to trace it down to the two machines quickly and take them offline before they got to others. Both machines had the latest and greatest MS patches and VIPRE defs as well, which is sad panda. If you don't have something watching your AD for lockouts, they have a free 30-day trial that I'd highly recommend if you're going through a Conficker outbreak. It's fully functional and will get you a picture of which machines are doing the work really quickly. On a normal day we would have a few (maybe 4-5) lockouts, but one Conficker machine would cause 30-40 in a few minutes. Times that by a ton of infected machines and uggh.

http://www.netwrix.com/account_lockout_examiner.html

Good luck!

-Greg

From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Wednesday, February 23, 2011 10:54 AM
To: NT System Admin Issues
Subject: Re: Conficker

I'm sorry for what you are going through - but that's impressive if true.

--
ME2

On Wed, Feb 23, 2011 at 10:52 AM, James Rankin <[email protected]> wrote:

It is locking out unique user IDs that haven't logged on to the machines in question, ever. I can only assume it must be querying the directory in some way.
On 23 February 2011 18:50, Micheal Espinola Jr <[email protected]> wrote:

It attempts to brute-force common accounts with common passwords as a method of authentication in order to spread. Are you seeing something that you would consider /unique/ to your domain? I wasn't aware that it would try to attack unique accounts based on locally cached information, but it certainly wouldn't be a far stretch for what Downadup can otherwise do.

--
ME2

On Wed, Feb 23, 2011 at 9:26 AM, James Rankin <[email protected]> wrote:

Right, for my sins I appear to be stuck in the middle of a Conficker outbreak. I'm not here to advise about security, but five minutes into the outbreak the glaring hole of Autoplay being enabled is clearly how this thing is propagating, and they've been told. Fools - they are in the process of learning the hard way. I avoided Conficker in my last few roles thanks to good security practices; there's one question I can't work out from the Conficker write-ups, though. How does this thing get its list of accounts to attack? We have accounts locking out right, left and centre, but they are clearly not just accounts that have previously logged on to the local machine. Does anyone know if this little beastie queries Active Directory in some way?

TIA,

JRR

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the kelpie next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
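The practical point of the thread is that the quickest way to find the infected hosts is to look at which machines are the source of the lockouts, not which accounts are locked. As an added example (it is not from anyone on this list and is not the Netwrix tool Greg mentions), the PowerShell below pulls account-lockout events from every domain controller and groups them by the caller computer name, so a single host producing dozens of lockouts in a few minutes stands out immediately. It assumes the RSAT ActiveDirectory module, a domain account that can read each DC's Security log remotely, and DCs running Windows Server 2008 or later, which log a lockout as Security event ID 4740 ("A user account was locked out"); in that event the caller computer name is carried in the TargetDomainName data field, and the locked account in TargetUserName. Windows Server 2003 DCs use a different event and are not covered here.

```powershell
# Added example: find which machines are generating AD account lockouts.
# Assumes: RSAT ActiveDirectory module, rights to read each DC's Security log,
# and DCs running Windows Server 2008 or later (Security event ID 4740).
param(
    [int]$Hours = 1,          # look-back window in hours
    [int]$Threshold = 10      # lockouts from one caller machine worth a closer look
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)

# Collect one record per 4740 event across all DCs.
$lockouts = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        } | ForEach-Object {
            # Parse the EventData block: TargetUserName is the locked account and,
            # in 4740 specifically, TargetDomainName holds the caller computer name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                DC         = $dc.HostName
                Account    = $data['TargetUserName']
                CallerHost = $data['TargetDomainName']
            }
        }
    } catch {
        # A DC that is unreachable or denies access should not abort the sweep.
        Write-Warning "Could not read Security log on $($dc.HostName): $_"
    }
}

# Rank caller machines by how many lockouts they caused; an infected host
# hitting many distinct accounts in a short window is the Conficker pattern.
$lockouts |
    Group-Object CallerHost |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            CallerHost       = $_.Name
            Lockouts         = $_.Count
            DistinctAccounts = ($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Suspect          = ($_.Count -ge $Threshold)
        }
    } | Format-Table -AutoSize
```

Run it as `.\Find-LockoutSources.ps1 -Hours 1 -Threshold 10` from a machine with RSAT installed. Because lockouts are forwarded to the PDC emulator, querying only that DC is usually enough and much faster on a large domain; the script sweeps every DC so that nothing is missed if a DC cannot reach the PDC emulator during the outbreak. A caller host showing dozens of lockouts across many distinct accounts within minutes is the machine to pull off the network first.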
