More lessons from Conficker
Written by Dan Blacharski on April 20, 2009

The SANS Internet Storm Center noted that a Conficker outbreak on a college campus has a few lessons for us all. Apparently, the outbreak occurred despite updated patches; the lesson being that patching alone is not going to solve the problem. Before I go on, let me make it clear that keeping up-to-date on patches is always a good idea. The MS08-067 patch that is relevant to Conficker should be applied, and anti-virus software should be used and kept up-to-date. However, the lesson we see from this report is that one should never be lulled into a false sense of security; protection should always be approached on multiple levels.
The fact is, Conficker can propagate through several different methods. In addition to exploiting an unpatched machine, the SANS report notes that Conficker can propagate through removable media, by leveraging the privileges of a logged-in user, or through brute-force attack.
SANS notes that they have not discovered any single virus removal tool that is able to catch all of the payloads dropped by Conficker. Their report issues seven lessons regarding Conficker prevention that bear repeating in this space:
“1. Ensure that when an average user logs in it does not allow them to mount via RPC resources on other workstations in the domain. (i.e. When Alice logs into her workstation she cannot mount the Admin$ share on Bob’s machine without being prompted for credentials.) Using the GPO [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network] to limit RPC logins to workstations can be very helpful in this regard. See: <http://technet.microsoft.com/en-us/library/cc740196.aspx>
2. Disable Auto-Run on all machines. This can also be accomplished via GPO.
3. Ensure that all anti-virus software is very up-to-date and is enabled to “On-Access” scan for both the reading and writing of files.
4. Ensure that all machines are patched for MS08-067, including vendor-managed machines.
5. Ensure that all privileged accounts have strong passwords. Apparently Conficker is smart enough to enumerate accounts with elevated privileges such as Domain Admins. We observed Conficker attempting to brute-force unique domain admin accounts.
6. Monitor for 445/TCP scanning, particularly off-subnet scanning.
7. Force all users to utilize a proxy to access the web.”
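As an added example (not from the SANS report or the original post), the following Python script applies lesson 6 above to constructed firewall log lines: it flags any source that opens 445/TCP to many distinct hosts, or to any host outside the monitored subnet. The log layout, the subnet and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the SANS report), in an
# assumed "timestamp src dst dport proto" layout used only for this example.
SAMPLE_LOG = """\
2009-04-20T10:00:01 10.1.1.20 10.1.1.25 445 tcp
2009-04-20T10:00:02 10.1.1.20 10.1.1.26 445 tcp
2009-04-20T10:00:02 10.1.1.20 10.2.0.5 445 tcp
2009-04-20T10:00:03 10.1.1.20 10.2.0.6 445 tcp
2009-04-20T10:00:03 10.1.1.20 10.2.0.7 445 tcp
2009-04-20T10:00:04 10.1.1.20 10.2.0.8 445 tcp
2009-04-20T10:00:04 10.1.1.20 10.3.0.9 445 tcp
2009-04-20T10:00:05 10.1.1.30 10.1.1.10 445 tcp
2009-04-20T10:00:06 10.1.1.30 10.1.1.10 445 tcp
2009-04-20T10:00:07 10.1.1.40 10.1.1.50 80 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def smb_scan_report(log_text, local_subnet, max_hosts=5, max_off_subnet=1):
    """Return {src: (distinct_445_targets, off_subnet_targets)} for sources
    that look like SMB scanners: at least max_hosts distinct 445/TCP targets,
    or at least max_off_subnet targets outside the monitored subnet."""
    net = ipaddress.ip_network(local_subnet)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than stop the monitor
        _, src, dst, dport, proto = m.groups()
        if proto != "tcp" or dport != "445":
            continue  # only SMB-over-TCP connection attempts are of interest
        targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        off = sum(1 for d in dsts if ipaddress.ip_address(d) not in net)
        if len(dsts) >= max_hosts or off >= max_off_subnet:
            report[src] = (len(dsts), off)
    return report

if __name__ == "__main__":
    for src, (n, off) in smb_scan_report(SAMPLE_LOG, "10.1.1.0/24").items():
        print(f"{src}: {n} distinct 445/TCP targets, {off} off-subnet")
```

A single host repeatedly reaching one file server (10.1.1.30 above) is not reported; only the spread across many hosts and across subnets is.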