Sunday, November 15, 2009

How to remove Conficker and prevent re-infection

Symptoms of Conficker infection include the following:
- Access to security-related web sites (antivirus vendors, Windows Update) is blocked, because the worm filters DNS lookups for those domains
- Domain user accounts are locked out, because the worm's password guessing against network shares trips the Active Directory lockout policy
- Network traffic on TCP port 445 increases on servers that are not Directory Service (DS) servers
- Access to administrator shares (admin$) is denied
- Autorun.inf files are placed in the Recycler directory (the recycle bin) of drives
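The lockout symptom doubles as a way to find the infected hosts. The worm guesses passwords against the shares of its neighbours, so the lockout events on the domain controller cluster on a few source computers, and those are the machines to isolate and clean first. The script below is an added example, not code from the original post or from McAfee: it pulls the "account was locked out" events from a DC (ID 4740 on Server 2008; Server 2003 records the same thing as ID 644), groups them by the computer that caused them, and flags sources that locked out several different accounts. The DC name `DC01`, the hostnames and the event sample are constructed for illustration.

```powershell
# Added example (not from the original post). Finds which machines are
# causing account lockouts, which is where Conficker's password guessing
# originates. Assumes you can read the Security log of the DC remotely.

function Get-LockoutEvents {
    # Pull "A user account was locked out" events (ID 4740) from a DC.
    # Quirk worth knowing: in 4740 the source host is stored in the EventData
    # field named TargetDomainName, not in a field named CallerComputerName.
    param([Parameter(Mandatory=$true)] [string] $DomainController)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            New-Object PSObject -Property @{
                TimeCreated        = $_.TimeCreated
                TargetUserName     = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                CallerComputerName = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
            }
        }
}

function Get-LockoutSources {
    # Group lockouts by the computer that caused them and flag any source that
    # locked out at least $MinAccounts distinct accounts: one user mistyping a
    # password locks out one account, a worm locks out many.
    param(
        [Parameter(Mandatory=$true)] $Events,
        [int] $MinAccounts = 3
    )
    $Events |
        Group-Object -Property CallerComputerName |
        ForEach-Object {
            $accounts = @($_.Group | Select-Object -ExpandProperty TargetUserName -Unique)
            New-Object PSObject -Property @{
                Source     = $_.Name
                Lockouts   = $_.Count
                Accounts   = $accounts.Count
                FirstSeen  = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
                Suspicious = ($accounts.Count -ge $MinAccounts)
            }
        } |
        Sort-Object -Property Lockouts -Descending
}

# Constructed sample (not real log data) in the shape Get-LockoutEvents returns:
# one workstation locking out several accounts, plus an ordinary repeat lockout.
$sample = @(
    @{ TimeCreated = [datetime]'2009-11-15T08:02:11'; TargetUserName = 'jsmith';        CallerComputerName = 'WKS-0412' },
    @{ TimeCreated = [datetime]'2009-11-15T08:02:40'; TargetUserName = 'mlopez';        CallerComputerName = 'WKS-0412' },
    @{ TimeCreated = [datetime]'2009-11-15T08:03:05'; TargetUserName = 'svc_backup';    CallerComputerName = 'WKS-0412' },
    @{ TimeCreated = [datetime]'2009-11-15T08:03:30'; TargetUserName = 'administrator'; CallerComputerName = 'WKS-0412' },
    @{ TimeCreated = [datetime]'2009-11-15T09:15:00'; TargetUserName = 'kchen';         CallerComputerName = 'WKS-0077' },
    @{ TimeCreated = [datetime]'2009-11-15T10:41:22'; TargetUserName = 'kchen';         CallerComputerName = 'WKS-0077' }
) | ForEach-Object { New-Object PSObject -Property $_ }

Get-LockoutSources -Events $sample |
    Format-Table Source, Lockouts, Accounts, FirstSeen, Suspicious -AutoSize

# Against a live domain controller (assumption: DC01 is reachable and you hold
# the rights to read its Security log):
# Get-LockoutSources -Events (Get-LockoutEvents -DomainController 'DC01') |
#     Where-Object { $_.Suspicious }
```

In the constructed sample, WKS-0412 accounts for four lockouts across four different accounts and is flagged, while WKS-0077 is one user locking out their own account twice and is not. Run it against every DC in the domain, since a lockout is only logged on the DC that processed it.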

Follow these steps to remove W32/Conficker.worm and prevent it from spreading:

- Install Microsoft Security Update MS08-067 (KB958644):
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

- Clean the infected systems, and reboot
Use anti-malware solutions such as McAfee VirusScan Plus or ToPS for Endpoint to clean the infection. Use behavioral detection techniques such as the buffer overflow protection in Host IPS to prevent re-infection. This matters because Conficker also propagates via portable media such as infected USB drives: when the media is accessed, the system processes its autorun.inf and executes the worm. Disabling autorun on removable drives (the NoDriveTypeAutoRun policy) closes that route as well.

- Identify other systems at risk of infection
You need to identify which systems are at risk. The list includes systems that either are not patched against the MS08-067 vulnerability or do not have proactive protection controls that mitigate it. McAfee Vulnerability Manager and ePolicy Orchestrator can identify systems that are vulnerable and not protected.

- Limit the threat's ability to propagate
Using network IPS at strategic points in your network will quickly limit the ability of the threat to spread. Because Conficker spreads over TCP port 445 (SMB), filtering that port between network segments has the same effect where no IPS is in place. This buys you time to either update your client anti-virus signatures or modify policies to block the threat using the behavioral controls.
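The steps above come down to two questions per host: is KB958644 installed, and is autorun disabled for removable drives? The script below is an added example, not code from the original post or from McAfee, that answers both for a list of hosts over WMI, the admin$ share and the remote registry. It assumes you hold local administrator rights on the targets and that the remote registry service is running; the function name and the `FS-01` hostname are made up for illustration.

```powershell
# Added example (not from the original post). Triage hosts for the two
# conditions the steps above call out: the MS08-067 update (KB958644) and
# autorun handling for removable media. Assumes admin rights on the targets.

function Test-ConfickerExposure {
    param(
        [Parameter(Mandatory=$true)] [string[]] $ComputerName,
        [string] $Kb = 'KB958644'     # the MS08-067 update
    )
    $explorerPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($target in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer        = $target
            HasMs08067      = $null
            NetapiVersion   = $null
            AutorunPolicy   = $null
            AutorunDisabled = $null
            Note            = ''
        }
        try {
            # 1. Is the update listed? Win32_QuickFixEngineering only shows
            #    updates applied on top of the OS. Media that already carries
            #    the fix (Windows 7, Vista SP2, Server 2008 SP2) never lists
            #    KB958644, so the version of netapi32.dll, the file MS08-067
            #    replaced, is reported too for comparison with the file table
            #    in KB958644 for that OS and service pack.
            $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $target -ErrorAction Stop
            $result.HasMs08067 = [bool]($qfe | Where-Object { $_.HotFixID -eq $Kb })
            $dll = Get-Item "\\$target\admin`$\system32\netapi32.dll" -ErrorAction Stop
            $result.NetapiVersion = $dll.VersionInfo.FileVersion
        } catch {
            # Denied access to admin$ is itself a listed symptom, so keep the
            # host in the report with the failure rather than dropping it.
            $result.Note = "WMI/admin`$ check failed: $($_.Exception.Message)"
        }
        try {
            # 2. Autorun policy. NoDriveTypeAutoRun is a bit mask of drive
            #    types for which autorun is disabled: 0xFF covers all types,
            #    bit 0x04 is removable drives, which is the route the worm uses.
            #    On XP and Server 2003 also confirm Microsoft KB 967715 is
            #    applied, which corrected how this policy is honoured.
            $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $target)
            $key   = $hklm.OpenSubKey($explorerPolicy)
            $value = if ($key) { $key.GetValue('NoDriveTypeAutoRun') } else { $null }
            $result.AutorunPolicy   = $value
            $result.AutorunDisabled = ($value -ne $null) -and (($value -band 0x04) -eq 0x04)
        } catch {
            $result.Note += " remote registry check failed: $($_.Exception.Message)"
        }
        $result
    }
}

# Run against the local machine and one made-up file server; feed it the
# output of your inventory tool or AD computer list for the real sweep.
Test-ConfickerExposure -ComputerName $env:COMPUTERNAME, 'FS-01' |
    Format-Table Computer, HasMs08067, NetapiVersion, AutorunPolicy, AutorunDisabled, Note -AutoSize
```

A host that reports HasMs08067 false with an old netapi32.dll, or AutorunDisabled false, belongs on the at-risk list from the step above; a host whose checks fail outright is worth a closer look, since blocked admin$ access is one of the symptoms.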

