Conficker Revisited

Conficker infected machines tend to knock on Windows boxes exposed over the network. Be it Windows boxes on your internal LAN or your Internet facing boxes with wrong ports exposed over the Internet.

Be sure to firewall your Internet facing boxes, Conficker infected machines keep trying common username and password combination in order to get into a machine. As a side effect this brute force attack can lockout users and slowdown domain authentication on a domain because of many password attempts if the box that is being attacked happens to be connected to a Windows Domain/Active Directory.

One way to detect the source of Conficker or similar malware attacks is to enable Security Audting on the Windows Servers. Infected machines try hundreds of password combination per minute on machines that they can find over the network. The only way to identify such machines to run EventCombMT on all the suspect servers.

EventCombMT is a multithreaded tool that you can use to search the event logs of several different computers (not just DCs, as we discovered later) for specific events, all from one central location. EventCombMT is part of Account Lock Tools (ALTools) from Microsoft.

EventCombMT has a pre-canned search for events related to account lockout (Event IDs 529, 644, 675, 676, and 681). To search the event logs for account lockouts, follow these steps. The final step is to open the exported .csv in Excel and generate list of offending IP addresses.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply