
[OT] Got pwned by Conficker.B - Fought back & won


Craig

Mar 20, 2009, 4:34:55 PM
------------------
Executive Summary:

Our WinXP lappy (used for business & personal) was infected by
Conficker.B, rendering it a zombie-bot tethered to a botnet somewhere.
In the end, the OS is replaced with Linux & the data are preserved.
Complete functionality is restored... All while on the road.
------------------


Nightmare Road Trip;

Everything I've read about this worm says that the vulnerability was
patched back in October '08, but on 3 February our WinXP system
(auto-update-enabled) was pwned by Conficker.B via a USB stick[1].

This happened at the beginning of nearly a month on the road in Asia.
Hence, no major tools to speak of (no slip-streamed OS install, no
cd-rom drive, no access to known IT shops, etc). We needed this lappy
to do our work and it had some personal stuff (music, pix) on there as
well.

The infection happened like this: autoplay was off. I inserted a flash
drive, and WinXP opened the options menu. I clicked on "Open folder
to view files."

That's it and that's all it took. Conficker.B then:

- generated randomly-named copies of itself and other files,
- copied them across partitions, into the registry, recycle bins, etc,
- gave them [system|read only|hidden] attributes,
- modified registry entries related to running services,
- modified services.exe (for chrissake!),
- prevented system from visiting security-related sites[2]!

I'm sure it phoned home (or tried to) although I can't prove that. I
knew something was wrong w/in a minute or two because the (underpowered)
lappy took a performance hit almost immediately. At that point, I:

- pulled the NIC
- ran Avira

...and generally started poking around. Fascinating little fscker! It
was truly an experience in whack-a-mole. For example, explorer was
useless in even listing the files so, I went to the prompt to find the
damned things and determine their attributes. Found 'em, changed their
attribs and deleted 'em.

And the next time I used explorer, they respawned. Different names,
same attribs. Avira's scan found some of the files but then exited with
errors. First time I've seen that. Again, this happened at the
beginning of nearly a month on the road and now our business platform
was off-line.

After about a day and a half, I gave up trying to save the system and
decided to try to /replace/ it. I began by using my Nokia N810
(linux-based internet tablet[3]) to download onto its flash card:

- unetbootin[4] and
- the iso for gOS 3.1[5].

I put the card into a usb reader and plugged it back into the infected
lappy. Then, I:

- loaded and ran unetbootin & gOS iso,
- manually created some partitions via the gOS install,
- installed gOS (applied patches, etc)
- moved data from NTFS to ext3 partition
- removed NTFS partition.

At that point, we had a (trusted) computer with networking, productivity
apps and our data again. The process (excluding download time) took
about four hours.
fwiw,
-Craig

Postscript:
------------------
To "dial in" the system to make it "comfortable" took another 2 or so
hours. The malware was still on the new data partition but, by that
time, I knew what to look for and where. Although roaming seemed to
work fine, it wasn't needed since we use a travel router.

We are generally happy with gOS 3.1 "Gears." It is still on the lappy
and has very good wireless & peripheral support. As an example,
connecting with /networked/ multifunction inkjet and laser printers was
entirely a point & click operation. No cli, no scrambling for doc.

The only MSOS we're running now is a Win7 Beta box.

Notes:
------------------
[1] <http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx>
[2]
<http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B>
[3] <http://en.wikipedia.org/wiki/Nokia_N810>
[4] <http://unetbootin.sourceforge.net/>
[5] <http://www.thinkgos.com/gos/index.html>
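Two steps in the post above lend themselves to a small tool: finding the dropped copies by their attributes at the command prompt (Craig went to the prompt because Explorer would not list them), and moving user data off the NTFS partition without carrying the malware along (the postscript notes the malware was still present on the new data partition). The following is an added example, not code from Craig's post or from any of the projects it links. It assumes the column layout of Windows `attrib` output (flag letters, then the full path); every path, file name and attribute line in it is constructed for the demo and is not a real Conficker indicator.

```python
"""Triage helpers for the two steps described in the post: flag Hidden+System
files from an `attrib` listing, and salvage allow-listed data files into a
fresh tree. Added example; all sample data below is constructed."""
import os
import re
import shutil
import tempfile

# A full Windows path starts at the drive letter; everything before it on an
# `attrib` output line is the attribute-flag columns (assumed layout).
_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# Drop locations the post names: recycle bins and the system directory.
# Hits elsewhere are still reported, just listed after these.
_SUSPECT_DIRS = ("\\RECYCLER\\", "\\RECYCLED\\", "\\$RECYCLE.BIN\\", "\\SYSTEM32\\")

# Constructed attrib(1)-style listing; names are placeholders, not real IoCs.
SAMPLE_ATTRIB = """\
A           C:\\Documents and Settings\\craig\\My Documents\\trip.doc
A  SHR      C:\\RECYCLER\\S-1-5-21-EXAMPLE\\kqzwpl.dll
A  SH       C:\\WINDOWS\\system32\\pxtmwq.dll
A  SH       C:\\pagefile.sys
A   H       C:\\Documents and Settings\\craig\\ntuser.ini
"""

# Allow-list of data types worth keeping (documents, music, pictures). An
# allow-list beats a deny-list here: unknown or double extensions stay behind.
DATA_EXTS = {".doc", ".xls", ".pdf", ".txt", ".odt", ".mp3", ".jpg", ".png"}


def parse_attrib_line(line):
    """Return (set_of_flag_letters, path) for one attrib output line, or None."""
    m = _PATH_RE.search(line)
    if not m:
        return None
    flags = set(line[: m.start()].replace(" ", "").upper())
    return flags, m.group(0).rstrip()


def find_hidden_system_files(attrib_output):
    """Paths carrying both the System and Hidden attributes, the combination
    the post saw on the dropped copies. Recycle-bin/System32 hits sort first.
    This is a triage list, not a delete list: pagefile.sys and similar
    legitimate files carry S+H too."""
    hits = []
    for line in attrib_output.splitlines():
        parsed = parse_attrib_line(line)
        if parsed is None:
            continue
        flags, path = parsed
        if {"S", "H"} <= flags:
            in_suspect_dir = any(d in path.upper() for d in _SUSPECT_DIRS)
            hits.append((not in_suspect_dir, path))
    return [p for _, p in sorted(hits)]


def salvage_copy(src_root, dst_root):
    """Copy only allow-listed data files from src_root into dst_root, keeping
    the directory layout. Returns sorted (copied, skipped) relative paths."""
    copied, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if os.path.splitext(name)[1].lower() not in DATA_EXTS:
                skipped.append(rel)  # executables, autorun.inf, unknowns stay
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, name), dst)
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo_salvage():
    """Build a constructed tree standing in for the old NTFS partition and
    salvage it into a second tree; returns (copied, skipped)."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "ntfs"), os.path.join(base, "ext3")
    for rel in ("My Documents/trip.doc", "My Music/song.mp3", "pix/beach.jpg",
                "RECYCLER/S-1-5-21-EXAMPLE/kqzwpl.dll", "autorun.inf",
                "tools/setup.exe"):
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed placeholder content\n")
    return salvage_copy(src, dst)


if __name__ == "__main__":
    for p in find_hidden_system_files(SAMPLE_ATTRIB):
        print("S+H:", p)
    copied, skipped = demo_salvage()
    print("copied:", copied)
    print("skipped:", skipped)
```

On a real machine the listing would come from `attrib /s` run at the prompt and the salvage would read from the NTFS partition mounted read-only under the live Linux system; the allow-list is what keeps the respawning copies from following the documents onto the new partition.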


Bob S.

Mar 20, 2009, 5:40:47 PM

"Craig" <Netbur...@gmailDOT.com> wrote in message
news:gq0ulg$6iq$1...@reader.motzarella.org...

Craig,

Excellent post....

Bob S.

Ari®

Mar 20, 2009, 6:20:39 PM
On Fri, 20 Mar 2009 17:40:47 -0400, Bob S. wrote:

> Bob S.

*STAY THE HELL AWAY FROM ME*
--
Ari's Fun Times!
http://tr.im/hrFG
Motto: Run, rabbit, Run!

Bob S.

Mar 20, 2009, 7:01:27 PM

"Ari®" <AriSilv...@army.com> wrote in message
news:gq14rm$15u$1...@news.motzarella.org...

How ya doing there Kinky you ole dumsomovabitch.... I knew you could
be reeled in again (and again, and again) like an old catfish to
cornbread - soooooooo friggin predictable....

I see you've cleaned up your act a bit in the past few days. Feeling ok
or did your mother make you eat the soap bar again?

So long as you can be civil, (hey, I didn't say you had to be nice)
just jump right in anytime you feel like it Kinky. We all need a good
laugh once in awhile and with you being the village idiot and all -
well, you get the idea....;-)

Bob S.


(watch for the ripples folks.... here he comes again.... feel the tug
on the line......)

Ari®

Mar 20, 2009, 9:48:26 PM
On Fri, 20 Mar 2009 19:01:27 -0400, Bob S. wrote:

> How ya doing there Kinky you ole dumsomovabitch.

*STAY THE HELL AWAY FROM ME*


--
Ari's Fun Times!
http://tr.im/hrFG

Motto: Kill Or Be Killed!

John Stubbings

Mar 20, 2009, 9:55:16 PM
On Fri, 20 Mar 2009 21:48:26 -0400, Ari® wrote:

> On Fri, 20 Mar 2009 19:01:27 -0400, Bob S. wrote:
>
>> How ya doing there Kinky you ole dumsomovabitch.
>
> *STAY THE HELL AWAY FROM ME*

You told him his business model sucked...
... you just couldn't put your brain in gear and keep your gob shut
there will be no stopping him now...

--
You gotta fight, for your right, to party...
The best of the best in Freeware
http://www.pricelesswarehome.org/
Registered Linux User #485718

Zombie Elvis

Mar 20, 2009, 11:00:57 PM
On Fri, 20 Mar 2009 13:34:55 -0700, Craig <Netbur...@gmailDOT.com>
wrote:

>------------------
>Executive Summary:
>
>Our WinXP lappy (used for business & personal) was infected by
>Conficker.B, rendering it a zombie-bot tethered to a botnet somewhere.
>In the end, the OS is replaced with Linux & the data are preserved.
>Complete functionality is restored... All while on the road.

[snip]

I've had good results cleaning windows systems using the Ultimate Boot
Disk for Windows which loads a clean Windows system in a
self-contained partition with a variety of troubleshooting tools which
allow you to go through the registry and clean up the hard disk. Add
Hijack This! and you can find every single piece of crap in the
registry as well. I have gotten rid of a lot of malware with this
combination and feel confident that I can get rid of just about
anything. But it's always a pain in the ass.

>After about a day and a half, I gave up trying to save the system and
>decided to try to /replace/ it. I began by using my Nokia N810
>(linux-based internet tablet[3]) to download onto its flash card:
>
>- unetbootin[4] and
>- the iso for gOS 3.1[5].
>
>I put the card into a usb reader and plugged it back into the infected
>lappy. Then, I:
>
>- loaded and ran unetbootin & gOS iso,
>- manually created some partitions via the gOS install,
>- installed gOS (applied patches, etc)
>- moved data from NTFS to ext3 partition
>- removed NTFS partition.
>
>At that point, we had a (trusted) computer with networking, productivity
>apps and our data again. The process (excluding download time) took
>about four hours.

I've played around with a number of Linux distros and really like gOS
a lot. It's clean and simple. Having said that, I've found that the
rules for Linux aren't all that different from the rules for Windows.
You really do need a clean installation to avoid problems. I've tried
wubi and it is far more limited in that it can't see your Windows
partition.

Even installing a separate Linux partition can bite you in the ass
when you try to mix and match things between the Linux and Windows
partition. For example I installed Ubuntu on an old laptop and it
worked well. I even shared my Firefox profile between the two
partitions. I could actually open tabs in Firefox under Windows,
reboot and have those same tabs open in Firefox under Ubuntu. It was
awesome! Until I had a crash and suddenly Firefox wouldn't open under
Ubuntu. I finally had to create a new (separate) Firefox profile to
get Firefox to work again.

The lesson for me is to keep Windows and Linux separate under all
circumstances. I've since installed Easy Peasy (Ubuntu Netbook Remix)
on an old Asus EeePC 4G and it works great. When I installed gOS 3 on
a spare computer, it ran perfectly. It gave me the confidence to nuke
Windows and install gOS 3.1 on my brother's often broken laptop. He's
not exactly a "power user" but he's had few problems. I've been very
impressed with the evolution of Linux distros in the past few months.

>We are generally happy with gOS 3.1 "Gears." It is still on the lappy
>and has very good wireless & peripheral support. As an example,
>connecting with /networked/ multifunction inkjet and laser printers was
>entirely a point & click operation. No cli, no scrambling for doc.
>
>The only MSOS we're running now is a Win7 Beta box.

I have the Windows 7 Beta installed on my old laptop, the one where my
Firefox profile blew up. It's very pretty.
--
Cause, really, nothing says "I'm a counter culture
rebel, fighting the establishment" like an Aibo on
a skateboard.
- Seen on Slashdot

Roberto Castillo
roberto...@ameritech.net
http://mind-grapes.blogspot.com/
http://zombie-gulch.myminicity.com/

Ari®

Mar 21, 2009, 11:44:50 AM
On Sat, 21 Mar 2009 01:55:16 +0000, John Stubbings wrote:

> On Fri, 20 Mar 2009 21:48:26 -0400, Ari® wrote:
>
>> On Fri, 20 Mar 2009 19:01:27 -0400, Bob S. wrote:
>>
>>> How ya doing there Kinky you ole dumsomovabitch.
>>
>> *STAY THE HELL AWAY FROM ME*
>
> You told him his business model sucked...
> ... you just couldn't put your brain in gear and keep your gob shut
> there will be no stopping him now...

Indeed.

<sigh>

ARACari, Ph.D.

Mar 21, 2009, 12:57:49 PM
On Fri, 20 Mar 2009 17:40:47 -0400, Bob S. wrote:

Kill, maim, rape, chop, slash, got get em, Bob S.
--
Doctorate from FreeBeArSciEnce University (FreeBASE U) aka FU
Motto: "We are end users with a brain...and such"
Mascot: Raindeer with tenacles
Perfesser Embearclitus: William "Billy" "Bear" Bottoms
