

Conficker / Downad

Conficker Eye Chart





How to interpret:

If you see this above:                                     It probably means this:
First row = 3 images, second row = 3 images                Normal / not infected by Conficker (or using a proxy)
First row = no images, second row = 3 images               Possibly infected by Conficker (C variant or greater)
First row = only the center image, second row = 3 images   Possibly infected by Conficker A/B variant
No images at all                                           Image loading turned off in the browser?
Any other combination                                      Poor Internet connection?


Explanation:

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
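The same differential-reachability check can be run from a command line on the suspect machine. The script below is an added example, not part of the original page or the Conficker Working Group's eye chart: the page's image URLs are not available, so the three vendor home pages (in the order of the trademark notice, SecureWorks in the center) stand in for the first row as an assumption, and the control URLs are placeholders you must replace with sites of your own choosing, such as the alternative-OS sites the page describes.

```powershell
# Added example (not from the original page): command-line version of the eye chart.
# Fetches the "first row" (AV/security sites) and the "second row" (control sites)
# and applies the interpretation table above. URLs are assumptions/placeholders.
$FirstRow  = @('https://www.f-secure.com/', 'https://www.secureworks.com/', 'https://www.trendmicro.com/')
$SecondRow = @('https://control-site-1.example/', 'https://control-site-2.example/', 'https://control-site-3.example/')

function Test-SiteReachable {
    param([string]$Url, [int]$TimeoutSec = 10)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        return $true
    } catch {
        # Any failure (DNS, TCP, HTTP error, timeout) is treated like an image that did not load.
        return $false
    }
}

function Get-EyeChartVerdict {
    # Maps the two rows of results onto the verdicts of the "How to interpret" table.
    param([bool[]]$First, [bool[]]$Second)
    $firstCount  = @($First  | Where-Object { $_ }).Count
    $secondCount = @($Second | Where-Object { $_ }).Count
    if ($firstCount -eq 0 -and $secondCount -eq 0) { return 'Nothing reachable: no connectivity at all (browser analogue: image loading turned off?)' }
    if ($secondCount -ne $Second.Count)            { return 'Control row incomplete: poor Internet connection?' }
    if ($firstCount -eq $First.Count)              { return 'Normal / not infected by Conficker (or traffic goes through a proxy)' }
    if ($firstCount -eq 0)                         { return 'Possibly infected by Conficker (C variant or greater)' }
    if ($firstCount -eq 1 -and $First[1])          { return 'Possibly infected by Conficker A/B variant' }
    return 'Any other combination: poor Internet connection? Re-run the test.'
}

$firstResults  = [bool[]]($FirstRow  | ForEach-Object { Test-SiteReachable -Url $_ })
$secondResults = [bool[]]($SecondRow | ForEach-Object { Test-SiteReachable -Url $_ })

Write-Host "First row  (AV/security sites): $($firstResults  -join ', ')"
Write-Host "Second row (control sites):     $($secondResults -join ', ')"
Write-Host ("Verdict: " + (Get-EyeChartVerdict -First $firstResults -Second $secondResults))
```

As with the browser version, the script only tells you something when it runs on the suspect host itself and its traffic does not go through a proxy; a "normal" verdict is not proof of a clean machine, and an AV scan is still the authoritative check.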


F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.

This page is based on the idea and work of the Conficker working group

Another page which simplifies this test is available here


Tools

SCS tool (original tool) + MS08-067 test - Scan networks and check local/remote machines for MS08-067 (Source)

McAfee Conficker detection tool - Based on the SCS tool above

McAfee Avert Stinger tool for removing Conficker

McAfee - Combating the Conficker (PDF)

MS08-067 (the main vulnerability Conficker exploits to spread) bulletin page, with links to KB958644, the patch that closes the vulnerability

USB Security Tools - Immunize the USB storage device from autorun malware


Tips

  • Microsoft provides KB958644 (the MS08-067 fix) for all its supported systems; systeminfo is a command-line way to check whether a system is patched:
Check in local system: systeminfo |find "KB958644"
Check on a remote system: systeminfo /S [computername] |find "KB958644"
Check on a remote system: systeminfo /S [computername] /u [user] /p [pwd] |find "KB958644"
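The three systeminfo commands above scale poorly once you have more than a handful of machines. The function below is an added example, not code from the original page: it uses Get-HotFix (which reads Win32_QuickFixEngineering over WMI) to report MS08-067 and autorun-fix status for a list of computers. It assumes Windows PowerShell with WMI access to the remote hosts, and it only makes sense on the 2008/2009-era systems the page describes, because on later Windows versions these KBs are superseded by cumulative updates and will not be listed even though the fix is present.

```powershell
# Added example (not from the original page): check machines for the MS08-067
# patch (KB958644) and for one of the autorun fixes (KB953252 or KB967715).
function Test-ConfickerPatches {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$RequiredKB   = @('KB958644'),              # MS08-067
        [string[]]$AutorunKB    = @('KB953252', 'KB967715'),  # either one satisfies the autorun fix
        [pscredential]$Credential                             # optional, for remote hosts
    )
    foreach ($c in $ComputerName) {
        $params = @{ ComputerName = $c; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $installed = @(Get-HotFix @params | Select-Object -ExpandProperty HotFixID)
        } catch {
            # Unreachable or access denied: report it instead of silently skipping the host.
            [pscustomobject]@{ Computer = $c; MS08_067 = 'unknown'; AutorunFix = 'unknown'; Error = $_.Exception.Message }
            continue
        }
        $missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })
        $hasAutorun = @($AutorunKB | Where-Object { $installed -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Computer   = $c
            MS08_067   = if ($missing.Count -eq 0) { 'patched' } else { "missing $($missing -join ',')" }
            AutorunFix = if ($hasAutorun) { 'present' } else { 'missing' }
            Error      = $null
        }
    }
}

# Usage: local machine; the commented line checks two remote hosts with explicit credentials.
Test-ConfickerPatches | Format-Table -AutoSize
# Test-ConfickerPatches -ComputerName 'host1', 'host2' -Credential (Get-Credential) | Format-Table -AutoSize
```

A row with "missing" in the MS08_067 column is the one to act on first: an unpatched host on the network is reachable by the worm regardless of the autorun and USB measures further down this page.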

  • Disabling autorun (autorun.inf)
IMPORTANT!! Read this page by US-CERT: systems must have KB953252 (Vista/2008) or KB967715.
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT: create a .reg file containing:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
It is critical to restart the system after updating the registry, and likewise after deleting the following registry key (which holds cached autorun data):

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2


If the systems have the KB, you can use the official Microsoft method for disabling autorun.

At the bottom of this page you can find an easy-to-use ADM template file for use with GPO without the Microsoft hotfix - autorunforcedisable.adm

If this is a new system with no USB storage device ever connected:

Set deny permissions for the user/s and/or group/s to:
  1. %SystemRoot%\Inf\Usbstor.pnf
  2. %SystemRoot%\Inf\Usbstor.inf
If you aren't sure or know a USB storage device was previously connected:

Either run this on the machine or make the same change manually:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Set to: 4 (hex)

GPO ADM Template is available at the bottom of the page - usbstore.adm

  • Consider using other lockdown tools (most good ones require proper integration and are not free). If you have just a couple of public computers you might want to look at Microsoft SteadyState, which has a simple interface to perform some very nice LGPO lockdowns and even has a feature to discard any changes made by the user on reboot.

  • USB Information tool (e.g. Find S/N, VID, PID)

USBDeview - Cached version available in file cabinet

  • Protect the USB storage device
To disable write access to USB storage devices (XP SP2 and above only!), under the key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies

add the value:

DWORD: WriteProtect=1

To re-enable write access, remove the DWORD value or set it to 0 (zero).

Below you can find an ADM template I created named usbro.adm
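The three registry hardenings in these tips (the US-CERT autorun.inf mapping, UsbStor Start = 4, and StorageDevicePolicies WriteProtect = 1) are easy to apply once and then forget, so it helps to be able to audit them. The script below is an added example, not code or an ADM template from the original page: it reports the current state of all three settings, and can apply the missing ones and clear the MountPoints2 cache the page mentions. It assumes an elevated Windows PowerShell session; the Set- and Clear- functions support -WhatIf for a dry run, and a reboot is still required afterwards, as the page states.

```powershell
# Added example (not from the original page): audit and optionally apply the
# three registry hardenings from the Tips above.
$Settings = @(
    @{ Name = 'Autorun.inf mapping'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'; ValueName = '(default)';    Expected = '@SYS:DoesNotExist'; Type = 'String' }
    @{ Name = 'UsbStor disabled';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor';                                ValueName = 'Start';        Expected = 4;                   Type = 'DWord'  }
    @{ Name = 'USB write-protect';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies';                   ValueName = 'WriteProtect'; Expected = 1;                   Type = 'DWord'  }
)

function Get-UsbHardeningState {
    # One object per setting: current value, expected value and a Compliant flag.
    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path $s.Path) {
            $current = (Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue).($s.ValueName)
        }
        [pscustomobject]@{
            Setting   = $s.Name
            Path      = $s.Path
            ValueName = $s.ValueName
            Current   = $current
            Expected  = $s.Expected
            Compliant = ($null -ne $current -and $current -eq $s.Expected)
        }
    }
}

function Set-UsbHardening {
    # Applies every non-compliant setting; creates the key if it does not exist yet.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($state in (Get-UsbHardeningState | Where-Object { -not $_.Compliant })) {
        $s = $Settings | Where-Object { $_.Name -eq $state.Setting }
        if ($PSCmdlet.ShouldProcess("$($s.Path) [$($s.ValueName)]", "set to $($s.Expected)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.ValueName -Value $s.Expected -Type $s.Type
        }
    }
}

function Clear-AutorunCache {
    # Deletes the per-user MountPoints2 key the page says to remove before rebooting.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $p = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if ((Test-Path $p) -and $PSCmdlet.ShouldProcess($p, 'delete cached autorun data')) {
        Remove-Item -Path $p -Recurse -Force
    }
}

# Usage: audit first; apply only after reviewing the dry run.
Get-UsbHardeningState | Format-Table Setting, Current, Expected, Compliant -AutoSize
# Set-UsbHardening -WhatIf                        # dry run
# Set-UsbHardening; Clear-AutorunCache; Restart-Computer
```

Note that the three settings have different scope: the autorun mapping affects all removable media, UsbStor Start = 4 blocks every USB mass-storage device outright, and WriteProtect only stops writing to devices that still mount. Pick the combination that matches what the machine needs rather than applying all three reflexively, and keep in mind that the permission-based method on Usbstor.inf/.pnf described earlier is not covered by this script.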


Microsoft is a registered trademark of Microsoft.
McAfee, Avert and Stinger are registered trademarks of McAfee.
Utilities, names and knowledge on this page may be (C), (R) or (TM) of their respective owners.
Special thanks to Felix Leder and Tillmann Werner whose original research forms the basis of these utility/s.

Attachments (3)

  • autorunforcedisable.adm (1k) - May 12, 2009 1:17 PM by Erez Kalman (version 1)
  • usbro.adm (1k) - May 17, 2009 12:10 PM by Erez Kalman (version 1)
  • usbstore.adm (1k) - Apr 2, 2009 12:43 PM by Erez Kalman (version 1)