I work in the world if IT and just like many of my peers I was not ready to face the Conficker worm.
We all deal with malware and malicious coding on a daily basis (at least from a prevention perspective) and we do this as individuals at home and also IT professionals working in industry trying to protect critical business data.
A good anti-virus program and decent malware/spyware protection coupled with a strong backup plan will see even the most challenging situation remedied by an IT expert in next to no time.
Conficker was different.
Like most IT technicians I had used removal tools to rid my networks of various virus's and worms but when Conficker hit us back in 2008 it quickly took on the characteristics of a root kit infection although I believe it is not actually a root kit type virus.
What I mean by this is it kept on coming back, it wasn't something you could uninstall and it wasn't something that would go away easily.
I want to share my experiences with you all in this article and point out some of the mistakes that with hind sight I personally could have done differently and also having read many blogs on the subject - what other IT techs would do differently.
First of all we have to assume that most techs are working with a Microsoft Operating System because it seems that the Conficker worm targeted these and in particular the Server 2003 and also XP Professional because at the time Conficker struck these were the most prevalent systems in place.
Microsoft updates their systems regularly with security patches and a variety of other updates and the reason for this is because there are flaws in the system.
It is as simple as that.
If there were no flaws then people would not find them and take advantage of them, Microsoft need to try and keep up or stay one step ahead at all times.
It is the same with anti-virus and anti-spyware products, they too require updates on a regular basis.
The reason I am telling you this is because this approach will form the basic requirements when putting together a plan to avert disaster.
People who fail to carry out these updates are inviting trouble into their fold.
I've heard people complain that these updates are intrusive and slow the system down when they update - and they are.
I agree with them.
Updates will slow down a system, this is why a client-server model will use WSUS to roll them out locally rather than have each PC contact the Internet this just makes sense.
The problem here is that people get used to it and the first symptom of the Conficker worm is that the computer system slows down, it becomes unresponsive and sluggish.
Protection programs may or may not have picked the Conficker worm up and even if they did - as I have said previously it just came back - kind of like a root kit infection does.
The symptoms are sometimes hard to spot, users are used to a slow system, they just blame the IT guys - trust me! Pen drives (USB) fail to open, anti-virus programs fail to update these are the symptoms experienced by the computer user and to somebody who looks a little more in depth they will notice a variety of new files appearing.
IT administrators will also start to have complaints that the users cannot logon anymore.
These are the symptoms of Conficker, of course there are others but these are a dead give away.
The cure for this type of infection differs for each situation depending upon whether you are a home user or a network administrator and a full list of these can be found throughout the internet for my answers.
In short you must download a conficker removal tool and then run it, the next step which is to install three patches from Microsoft.
When you run the tool you must also disconnect the PC from the network.
This can be a nightmare for a business and especially for the technician who has a duty to keep the whole system online and running smoothly.
With hindsight what could we do? I and many others have come to the conclusion that the answer lies within having a really strong disaster recovery plan or should I say plans.
Really, a good tech will have an answer to many threats and one day their job may just depend upon it.
As well as keeping all computers completely up-to-date both with Microsoft and also anti-virus/malware updates it is important to keep images of your machines, for the home user you should take regular data backups and make regular system restore points.
With your backups it is important not to overwrite your data with infected data so you should ideally keep older backups too.
I work in schools and my solution was to temporarily disconnect the server and tackle the Conficker worm upon just that machine (most primary schools here in the UK only have one server) and to re-image the machines around the school.
This whole process took me 2 hours including testing.
All of the software was either part of the rollout image or was installed via MSI or silent install scripts - all carried out by the server which was now clean.
I made sure that the new computers were all patched and ran the conficker removal tool upon them just for good measure, again this was all done by script, easy.
Home users many have a harder time recovering their data if they had no sufficient backup but there are plenty of recovery programs freely available around the web, I guess the lesson learnt here was always be prepared for the worst case scenario.
We all deal with malware and malicious coding on a daily basis (at least from a prevention perspective) and we do this as individuals at home and also IT professionals working in industry trying to protect critical business data.
A good anti-virus program and decent malware/spyware protection coupled with a strong backup plan will see even the most challenging situation remedied by an IT expert in next to no time.
Conficker was different.
Like most IT technicians I had used removal tools to rid my networks of various virus's and worms but when Conficker hit us back in 2008 it quickly took on the characteristics of a root kit infection although I believe it is not actually a root kit type virus.
What I mean by this is it kept on coming back, it wasn't something you could uninstall and it wasn't something that would go away easily.
I want to share my experiences with you all in this article and point out some of the mistakes that with hind sight I personally could have done differently and also having read many blogs on the subject - what other IT techs would do differently.
First of all we have to assume that most techs are working with a Microsoft Operating System because it seems that the Conficker worm targeted these and in particular the Server 2003 and also XP Professional because at the time Conficker struck these were the most prevalent systems in place.
Microsoft updates their systems regularly with security patches and a variety of other updates and the reason for this is because there are flaws in the system.
It is as simple as that.
If there were no flaws then people would not find them and take advantage of them, Microsoft need to try and keep up or stay one step ahead at all times.
It is the same with anti-virus and anti-spyware products, they too require updates on a regular basis.
The reason I am telling you this is because this approach will form the basic requirements when putting together a plan to avert disaster.
People who fail to carry out these updates are inviting trouble into their fold.
I've heard people complain that these updates are intrusive and slow the system down when they update - and they are.
I agree with them.
Updates will slow down a system, this is why a client-server model will use WSUS to roll them out locally rather than have each PC contact the Internet this just makes sense.
The problem here is that people get used to it and the first symptom of the Conficker worm is that the computer system slows down, it becomes unresponsive and sluggish.
Protection programs may or may not have picked the Conficker worm up and even if they did - as I have said previously it just came back - kind of like a root kit infection does.
The symptoms are sometimes hard to spot, users are used to a slow system, they just blame the IT guys - trust me! Pen drives (USB) fail to open, anti-virus programs fail to update these are the symptoms experienced by the computer user and to somebody who looks a little more in depth they will notice a variety of new files appearing.
IT administrators will also start to have complaints that the users cannot logon anymore.
These are the symptoms of Conficker, of course there are others but these are a dead give away.
The cure for this type of infection differs for each situation depending upon whether you are a home user or a network administrator and a full list of these can be found throughout the internet for my answers.
In short you must download a conficker removal tool and then run it, the next step which is to install three patches from Microsoft.
When you run the tool you must also disconnect the PC from the network.
This can be a nightmare for a business and especially for the technician who has a duty to keep the whole system online and running smoothly.
With hindsight what could we do? I and many others have come to the conclusion that the answer lies within having a really strong disaster recovery plan or should I say plans.
Really, a good tech will have an answer to many threats and one day their job may just depend upon it.
As well as keeping all computers completely up-to-date both with Microsoft and also anti-virus/malware updates it is important to keep images of your machines, for the home user you should take regular data backups and make regular system restore points.
With your backups it is important not to overwrite your data with infected data so you should ideally keep older backups too.
I work in schools and my solution was to temporarily disconnect the server and tackle the Conficker worm upon just that machine (most primary schools here in the UK only have one server) and to re-image the machines around the school.
This whole process took me 2 hours including testing.
All of the software was either part of the rollout image or was installed via MSI or silent install scripts - all carried out by the server which was now clean.
I made sure that the new computers were all patched and ran the conficker removal tool upon them just for good measure, again this was all done by script, easy.
Home users many have a harder time recovering their data if they had no sufficient backup but there are plenty of recovery programs freely available around the web, I guess the lesson learnt here was always be prepared for the worst case scenario.