Using Nmap to Find Hosts Infected with the W32.Downadup Virus

Supplement on W32.Downadup (Conficker): Use Nmap to scan for infected computers, http://insecure.org/
If SEP is installed, the SEP IPS will detect attacks against MS08-067 (SID 23179). Without IPS (for example, if only SAV is installed and there is no network-based IDS), Nmap (4.85BETA7 and newer) can scan the whole network for computers infected with this worm:
nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks] (e.g. 192.168.114.0/24)
 
After the scan, check the log; any host whose entry contains
 Conficker: Likely INFECTED (by Conficker.C or lower)
is a suspect IP (a likely infected host)!
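As an added example (not from the original post or from the Nmap project), a small Python script that picks the "Likely INFECTED" hosts out of saved Nmap output from the scan above, so the log does not have to be read by hand. The sample report is constructed; the IPs are made up and the verdict strings follow the format the post quotes.

```python
import re

# Constructed sample of Nmap normal output (-oN) for the scan command in the
# post; the IPs are made up. Uses the Nmap 5+ "Nmap scan report for" header.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.114.10
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN (add --script-args=unsafe=1 to run)
|   Conficker: Likely INFECTED (by Conficker.C or lower)
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Nmap scan report for 192.168.114.11
Host script results:
| smb-check-vulns:
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

Nmap scan report for 192.168.114.12
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

# Per-host header (Nmap 5+ or the older "Interesting ports on"), optional hostname before the IP.
HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on) (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)")
# The smb-check-vulns verdict line ("|_" marks the last line of a script block).
CONFICKER_RE = re.compile(r"^\|_?\s+Conficker:\s*(.+)$", re.M)

def conficker_status(report):
    """Map each scanned IP to its Conficker verdict, or None when the script
    produced no verdict for that host (e.g. SMB ports closed)."""
    results = {}
    for chunk in re.split(r"(?m)^(?=Nmap scan report for |Interesting ports on )", report):
        host = HOST_RE.search(chunk)
        if host:
            verdict = CONFICKER_RE.search(chunk)
            results[host.group(1)] = verdict.group(1).strip() if verdict else None
    return results

def likely_infected(report):
    """IPs whose verdict contains 'Likely INFECTED', the string the post says to look for."""
    return sorted(ip for ip, v in conficker_status(report).items()
                  if v and "Likely INFECTED" in v)

if __name__ == "__main__":
    print("\n".join(likely_infected(SAMPLE_NMAP_OUTPUT)))
```

Current Nmap releases have split smb-check-vulns into the smb-vuln-* scripts, so the verdict line may be worded differently there and the regex would need adjusting.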

W32.Downadup is a worm that a very large number of customers are currently reporting. It spreads mainly by exploiting the Microsoft RPC vulnerability (MS08-067), through network shares, and via USB drives.

1) Symantec's write-ups on W32.Downadup:

Symantec's description of W32.Downadup and how to deal with it

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

Symantec's description of W32.Downadup.B and how to deal with it

http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Symantec's description of W32.Downadup.C and how to deal with it

http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99

Symantec's description of W32.Downadup.E and how to deal with it

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99

Technical details of the virus
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
http://en.wikipedia.org/wiki/Conficker

2) Details of the MS08-067 update patch

http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
http://support.microsoft.com/kb/962007
http://www.securityfocus.com/bid/31874

3) Follow the MS KB article below to create a GPO that removes write permissions to svchost, so that the randomly named malware service cannot be created in the netsvcs registry value

http://support.microsoft.com/kb/962007/en-us

4) Disable autorun

http://msdn.microsoft.com/en-us/library/cc144204(VS.85).aspx

How to find insecure shares on the network:
http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

5) Symantec removal tool

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

6) Simple steps to protect yourself from the Conficker Worm

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648

7) Microsoft's write-ups on this virus:

Worm:Win32/Conficker.A from Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A

Worm:Win32/Conficker.B from Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B

Worm:Win32/Conficker.C from Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.C

Worm:Win32/Conficker.D from Microsoft

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D

8) Because some W32.Downadup variants try to crack user passwords, if an account lockout policy is configured for AD users, you may find AD user accounts being locked out.

For this problem, we suggest customers temporarily disable the AD account lockout policy. For the technical details of AD account lockouts, refer to these Microsoft KB articles:

Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585

User accounts are unexpectedly locked, and event ID 12294 is logged in Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;887433

9) If the client no longer raises W32.Downadup infection alerts after being disconnected from the network, we suggest using the network tools mentioned above (Wireshark, TCPView, etc.) to track down the source.
