
Conficker infestations spread across Windows networks if not taken care of properly. It can be dealt with machine by machine, but for forensic purposes, is there a way to determine which machine it started on?

Also generalized recommendations to remove it from a network would be informative and helpful.

Questionmark

  • The real question is: why did it spread? Conficker was patched almost 6 years ago, so even if a single unprotected and infected computer made it onto your network it shouldn't have spread if you've applied security updates. – Mark Henderson Feb 26 '14 at 21:07
  • If you read the Wikipedia article you linked, you'd know where Conficker started. It started in the Ukraine. --> `Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus` – HopelessN00b Feb 26 '14 at 21:08
  • @MarkHenderson Very good question. Conficker on a network spreading in 2013 is "fire the admin" style of administration. Even a handful of unpatched machines do not make that thing "spread" and seriously, this is ancient long dead stuff. Someone must have a policy of NEVER applying ANY patches, security be damned. – TomTom Mar 03 '14 at 17:21

2 Answers


The best way to find out what computer it initially started on is to have some kind of centralized antivirus manager that includes reporting.

Since this is tagged linux as well as Windows, I'm going to share Detecting Conficker with Nmap (an oldie but goodie). While I'm at it, here's a link to the McAfee Conficker Detection Tool ETL mentioned. Microsoft also has some anti-Conficker group policies that might help.

Also, what ETL said. There are several removal tools that might help you.

Katherine Villyard


Probably an unpatched PC with USB access and no AV...

To get rid of it rapidly:

  • Run a script to keep people's accounts unlocked (if you are in an AD environment). Otherwise they won't be able to work.
  • Then use McAfee Conficker Detection Tool (or equivalent) to find the infected machines.
  • Use Bit Defender Conficker Removal Tool to fix up the machines.
ETL
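Both answers point at the same two data sources an admin actually has during an outbreak: the detection reports from a centralized AV manager (Katherine's answer) and the account lockouts Conficker causes by brute-forcing passwords, which the unlock script in ETL's answer is reacting to. The script below is an added example, not code from either answer or from any vendor tool. It assumes two things the thread does not state: that the AV manager can export detections as CSV with `host,detected_at,signature` columns, and that domain-controller Security log events 4740 ("A user account was locked out") can be exported as CSV with the `Caller Computer Name` field, here as `caller_computer`. Both sample files are constructed. The point it makes that the answers only hint at: the AV report can only ever name a host that runs the AV agent, so the unpatched, agentless PC ETL describes shows up only in the lockout data, and that is often the earliest evidence you have.

```python
"""Estimate where a Conficker outbreak started from two exported logs.

Added example; not from the Server Fault answers. Assumed export formats:
  AV manager CSV:      host,detected_at (ISO 8601, one clock),signature
  DC event 4740 CSV:   when,target_user,caller_computer
Timestamps are detection/lockout times, not infection times, so treat the
result as the earliest evidence, not proof.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export from a centralized AV manager.
AV_CSV = """host,detected_at,signature
WS-204,2014-02-25T09:41:00,Worm:Win32/Conficker.B
WS-117,2014-02-25T08:12:30,Worm:Win32/Conficker.B
WS-117,2014-02-25T11:02:10,Worm:Win32/Conficker.B
FS-01,2014-02-25T10:05:45,Worm:Win32/Conficker.B
WS-204,2014-02-26T07:30:00,Worm:Win32/Conficker.B
"""

# Constructed sample of event 4740 records exported from a domain controller.
LOCKOUT_CSV = """when,target_user,caller_computer
2014-02-25T08:40:02,jsmith,WS-117
2014-02-25T08:40:05,mjones,WS-117
2014-02-25T09:50:12,jsmith,WS-204
2014-02-25T07:55:40,rlee,LAB-07
2014-02-25T08:41:00,rlee,WS-117
2014-02-25T10:20:00,aortiz,LAB-07
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def first_detection_per_host(av_text):
    """Earliest AV detection per host; repeat detections on a host are ignored."""
    first = {}
    for row in csv.DictReader(io.StringIO(av_text)):
        ts = parse_ts(row["detected_at"])
        if row["host"] not in first or ts < first[row["host"]]:
            first[row["host"]] = ts
    return first


def infection_order(av_text):
    """Hosts ordered by first detection, which is all the AV console can tell you."""
    first = first_detection_per_host(av_text)
    return sorted(first, key=first.get)


def lockout_sources(lockout_text):
    """Rank the computers that caused lockouts (most lockouts first, then earliest).

    Returns (ranked caller list, lockout count per caller, earliest lockout per caller).
    """
    counts = Counter()
    earliest = {}
    for row in csv.DictReader(io.StringIO(lockout_text)):
        caller = row["caller_computer"]
        ts = parse_ts(row["when"])
        counts[caller] += 1
        if caller not in earliest or ts < earliest[caller]:
            earliest[caller] = ts
    ranked = sorted(counts, key=lambda c: (-counts[c], earliest[c]))
    return ranked, counts, earliest


def uncovered_hosts(av_text, lockout_text):
    """Lockout callers the AV manager never reported: likely no agent installed."""
    detected = set(first_detection_per_host(av_text))
    ranked, _, _ = lockout_sources(lockout_text)
    return [c for c in ranked if c not in detected]


def candidate_origin(av_text, lockout_text):
    """Host with the earliest evidence in either source: the best available
    guess for the machine the outbreak started on."""
    evidence = dict(first_detection_per_host(av_text))
    _, _, earliest_lockout = lockout_sources(lockout_text)
    for host, ts in earliest_lockout.items():
        if host not in evidence or ts < evidence[host]:
            evidence[host] = ts
    host = min(evidence, key=evidence.get)
    return host, evidence[host]


if __name__ == "__main__":
    print("AV detection order:", infection_order(AV_CSV))
    ranked, counts, _ = lockout_sources(LOCKOUT_CSV)
    print("Lockout sources:", [(c, counts[c]) for c in ranked])
    print("Callers with no AV coverage:", uncovered_hosts(AV_CSV, LOCKOUT_CSV))
    print("Candidate origin:", candidate_origin(AV_CSV, LOCKOUT_CSV))
```

On the sample data the AV console alone would name WS-117 as patient zero, but LAB-07 is locking out accounts half an hour before the first AV detection and never appears in the AV export at all, which is exactly the "unpatched PC with no AV" case. Two caveats for real data: the comparison only works if the AV manager and the domain controller are on the same clock (or their offsets are corrected), and the `Caller Computer Name` in 4740 is whatever name the authenticating machine presented, so confirm it against DHCP or switch logs before acting on it.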