
Using LANDesk Security Suite and Endpoint Security solutions to combat the Kido virus and other malware

VERSION 16

Created on: Nov 2, 2009 8:01 AM by David Holland - Last Modified:  Nov 11, 2009 12:33 PM by David Holland

This article discusses using LANDesk Security Suite to combat the Kido/Conficker/Downadup worm.   The Kido virus has been rampant since November of 2008.  It is also known as Conficker or Downadup.   For the purposes of this article, the term "Kido" will be used.

 

Using an antivirus product to remediate an infection on a client computer is only one piece of the puzzle for effectively combating this worm.

 

There are other actions that must take place in order to guard against re-infection by Kido.   These are mandatory steps that cannot be ignored.   Effectively securing your environment against the Kido worm may also effectively secure it against other types of malware.    Several of these steps, such as enforcing complex passwords, employing a firewall, and using Host Intrusion Prevention, should be considered best practice and essential in the war against malware.

 

LANDesk Security Suite provides Security Threat and Vulnerability definitions that make it easier to secure the environment.

 

The following Security Threat and Vulnerability definitions will be used:

 

Definition Title   Type              Description
MS08-067           Vulnerability     Vulnerability in Server Service Could Allow Remote Code Execution (958644)
MS08-067_VISTA     Vulnerability     Vulnerability in Server Service Could Allow Remote Code Execution (958644)
MS08-068           Vulnerability     Vulnerability in SMB Could Allow Remote Code Execution (957097)
MS09-001           Vulnerability     Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
967715             Vulnerability     How to correct "Disable Autorun registry key" enforcement in Windows
953252             Vulnerability     How to correct "Disable Autorun registry key" enforcement in Windows
ST000002           Security Threat   Auto Logon
ST000016           Security Threat   Local Account Passwords
ST000019           Security Threat   Password Expiration
ST000051           Security Threat   User password policy
ST000056           Security Threat   Account lockout policy
ST000207           Security Threat   System Restore
ST000209           Security Threat   Disable Autorun on Windows


These definitions can be used to ensure the proper patches, account settings, and policies are in place to effectively harden the system against the methods Kido employs to propagate itself.

 

This article will discuss each of these definitions and how to best utilize them.

 

It is suggested to create a custom group and to add this list of definitions to this group.   You could label this group "Kido Defense", or even "Malware Defense", as the behaviors and security patches enforced by this list of definitions will help effectively block many other variations of malware.

 

Vulnerability Definitions

 

MS08-067 and MS08-067_VISTA (Vulnerability in Server Service Could Allow Remote Code Execution (958644))

(Mandatory installation) - http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

 

This security update resolves a vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.  Kido exploits this vulnerability to spread itself.   It is recommended to set this definition to Autofix (right-click the definition and select "Autofix when scanning").

 

MS08-068 - Vulnerability in SMB Could Allow Remote Code Execution (957097)

(Mandatory installation) - http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx

 

This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

 

MS09-001 - Vulnerabilities in SMB Could Allow Remote Code Execution (958687)

(Mandatory installation) - http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

 

This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

 

967715, 953252 (How to correct "Disable Autorun registry key" enforcement in Windows)

(Mandatory installation) - http://support.microsoft.com/kb/967715 

 

The updates that this article describes fix a problem with the "Disable Autorun" feature. Without these updates, Autorun for a network drive cannot be disabled. Also, the shortcut menu and double-click functionality of Autorun were not disabled even if the steps that were previously provided were followed.

 

Kido writes an autorun.inf file to removable devices and to network shares.   When a user or process accesses a removable drive or a network share, the autorun launches malware.
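The two Autorun points above (the KB967715/953252 registry fix and the autorun.inf dropped on removable drives and shares) can be checked with a small script. The following Python is an added example, not code from this article or from LANDesk: the value names HonorAutorunSetting and NoDriveTypeAutoRun and their location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer come from Microsoft's KB967715 article, the drive-type bit positions follow the NoDriveTypeAutoRun bitmask, and the function names, the policy snapshot dict and the sample autorun.inf are constructed for the example. The first function evaluates a snapshot of the policy key so it runs offline; the second is a tolerant autorun.inf parser for triaging files found on a share, which ignores junk lines and casing so padding cannot hide the launch keys.

```python
"""Autorun hardening checks (added example; not LANDesk or Microsoft code).
Registry names come from Microsoft KB967715/KB953252; the drive-type bit
positions follow the NoDriveTypeAutoRun bitmask. Sample data is constructed."""
import re

# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HONOR_AUTORUN_SETTING = 1   # written by the KB967715 / KB953252 update
DISABLE_ALL_DRIVES = 0xFF   # NoDriveTypeAutoRun mask that disables Autorun everywhere

# Bit positions in NoDriveTypeAutoRun match the GetDriveType() drive types.
DRIVE_TYPE_BITS = {
    0x04: "removable",   # USB sticks and similar: the autorun.inf vector
    0x08: "fixed",
    0x10: "network",     # mapped shares: the case KB967715 fixes
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown",
}


def autorun_policy_findings(explorer_policy):
    """Evaluate a snapshot of the Explorer policy key given as a dict of
    value name -> DWORD (absent values omitted). Empty list means compliant."""
    findings = []
    if explorer_policy.get("HonorAutorunSetting") != HONOR_AUTORUN_SETTING:
        findings.append("HonorAutorunSetting is not 1: KB967715/KB953252 not applied, "
                        "so NoDriveTypeAutoRun is not honoured for network drives")
    mask = explorer_policy.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun is not set: Autorun is enabled")
    elif (mask & DISABLE_ALL_DRIVES) != DISABLE_ALL_DRIVES:
        still_on = [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]
        findings.append(f"NoDriveTypeAutoRun=0x{mask:02X} leaves Autorun enabled for: "
                        + ", ".join(still_on))
    return findings


# Keys in an [autorun] section that can launch a program.
ACTION_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def autorun_inf_actions(text):
    """Tolerant parser for an autorun.inf: returns the launch-capable keys of
    the [autorun] section. Case-insensitive and skipping junk lines, so
    padding or odd casing does not hide the real entries."""
    actions = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if ACTION_KEY.match(key):
                actions[key] = value.strip()
    return actions


# Constructed sample autorun.inf, not a real malware file.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample
icon=%SystemRoot%\\system32\\shell32.dll,4
OPEN=setup.exe
action=Open folder to view files
shell\\Open\\Command=setup.exe -s
"""

if __name__ == "__main__":
    print(autorun_policy_findings({"NoDriveTypeAutoRun": 0x91}))
    print(autorun_policy_findings({"HonorAutorunSetting": 1, "NoDriveTypeAutoRun": 0xFF}))
    print(autorun_inf_actions(SAMPLE_AUTORUN_INF))
```

A snapshot with NoDriveTypeAutoRun=0x91 (the common pre-update value) and no HonorAutorunSetting produces two findings, one of them listing removable and fixed drives as still enabled; the fully hardened snapshot produces none. On a live system the snapshot dict would be filled from the registry, which the example deliberately does not do so that it runs anywhere.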

 

Security Threat Definitions

 

Note: Security Threat definitions are only available for installations licensed for the LANDesk Security Suite Product

 

These Security Threat definitions must be carefully considered and configured to meet the needs and/or policies in your environment.  Some definitions (ST000016, ST000051, ST000056) contain a "Custom Variables" tab.   This means they have configurable options with default values, and those values must be modified in order to report computers that are out of compliance with your needs or policies.

 

ST000002 - Auto Logon

 

This check determines whether the Auto Logon feature is enabled on the scanned computer. If Auto Logon is enabled, the tool will report this as a vulnerability.

 

ST000016 - Local Account Passwords

 

This check identifies any local user accounts that are using blank or simple passwords. This check is not performed on domain controllers. As a security measure, Windows Server 2003, Windows XP, Windows 2000, and Windows NT operating systems all require user authentication through passwords. However, the security of any system depends on both technology and policy - the manner in which systems are set up and managed. This check enumerates all user accounts and checks for the following passwords: Password is blank; Password is the same as the user account name; Password is the same as the machine name; Password uses the word "password"; Password uses the word "admin" or "administrator".
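The five rules the ST000016 description lists can also be enforced before a weak password ever lands on a machine, for instance in an imaging or helpdesk script that validates a local account password before setting it. The following Python is an added example, not LANDesk code: the rule wording is taken from the paragraph above, while comparing case-insensitively, reading "uses the word" as a substring match, and the function names and sample accounts are assumptions made for the example (the sample credentials are constructed, not real).

```python
"""Weak local password rules from the ST000016 description, written as a
set-time validator (added example, not LANDesk code). Case-insensitive
comparison and substring matching are assumptions; sample data is constructed."""

WEAK_WORDS = ("password", "admin")   # "administrator" contains "admin"


def weak_password_reasons(password, username, machine_name):
    """Return the ST000016 rules a password trips (empty list = passes)."""
    p = password.strip().lower()
    reasons = []
    if not p:
        reasons.append("password is blank")
    if p == username.strip().lower():
        reasons.append("password is the same as the user account name")
    if p == machine_name.strip().lower():
        reasons.append("password is the same as the machine name")
    for word in WEAK_WORDS:
        if word in p:
            reasons.append(f'password uses the word "{word}"')
    return reasons


def audit_local_accounts(accounts, machine_name, is_domain_controller=False):
    """accounts: iterable of (username, password) pairs known at set time.
    Mirrors the definition: not performed on domain controllers; reports
    each account together with the rules it trips."""
    if is_domain_controller:
        return {}
    report = {}
    for user, pw in accounts:
        hits = weak_password_reasons(pw, user, machine_name)
        if hits:
            report[user] = hits
    return report


# Constructed sample accounts for a machine named WS-FINANCE-07; not real credentials.
SAMPLE_ACCOUNTS = [
    ("Administrator", ""),
    ("helpdesk", "HELPDESK"),
    ("svc_backup", "ws-finance-07"),
    ("jsmith", "Password2009"),
    ("auditor", "Tr!ck3y-9s"),
]

if __name__ == "__main__":
    for user, hits in audit_local_accounts(SAMPLE_ACCOUNTS, "WS-FINANCE-07").items():
        print(f"{user}: " + "; ".join(hits))
```

Four of the five sample accounts are reported (blank, same as account name, same as machine name, contains "password"); the fifth passes. Note that the blank password on the Administrator account is reported only as blank: the "admin" rule looks at the password, not the account name.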

 

ST000019 - Password Expiration

 

This check determines whether any local user accounts have non-expiring passwords. Passwords should be changed regularly to mitigate against password attacks. Each local user account with a non-expiring password will be listed.

 

ST000051 - User password policy

 

This checks whether or not a computer is in compliance with the currently defined policy. The following is a list of the settings that are monitored along with the corresponding default settings:
 
  1. Maximum password age = 90
  2. Minimum password length = 6
  3. Password history = 0
  4. Use strong password = Disabled

 

These values should be changed to report computers that are not in compliance with a strong password policy.  The following article gives further information regarding best practices relating to strong passwords policies: http://technet.microsoft.com/en-us/library/cc875814.aspx

 

ST000056  - Account lockout policy

 

This checks whether or not a computer is in compliance with the currently defined policy. The following is a list of the settings that are monitored along with the corresponding settings:
 
  1. Account lockout threshold is the number of times that the user, computer, service, or program can send a bad password during logon authentication before the account is locked out. If you set this value to 0, no account lockouts occur on the domain. Valid non-zero values are between 1 and 999, with a default value of zero.
 
  2. Account lockout duration is the amount of time, in minutes, that account lockout is enforced on an account that has exceeded the Account lockout threshold value. If you set the LockoutDuration registry value to 0, the account is permanently locked out until either an administrator or a user who has a delegated account resets the account. Valid non-zero values are between 1 and 99999, with a default value of 30.
 
  3. Reset account lockout counter after is the number of minutes after which the bad password attempt is removed from the server. Valid non-zero values are between 1 and 99999, with a default value of 30.

 

As part of a corporate strong password policy, account lockout should be enforced.
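To see why the ST000051 and ST000056 custom variables must be tightened, it helps to evaluate a real machine's settings against both the definition defaults listed above and a stricter policy. The following Python is an added example, not LANDesk code: it parses text in the shape of the local `net accounts` command's output (the sample below is constructed, not captured from a machine), the "DEFINITION_DEFAULTS" values are the defaults as this article lists them, and the "HARDENED_POLICY" values and all function names are assumptions for the example. The "Use strong password" complexity setting is not shown by `net accounts` and is not evaluated here.

```python
"""Compliance check for the ST000051 password policy and ST000056 lockout
policy (added example, not LANDesk code). Parses text in the shape of
`net accounts` output; the sample is constructed, not captured."""

# Constructed sample in the shape of `net accounts` output from a workstation.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

FIELDS = {  # `net accounts` label -> short name used below
    "Maximum password age (days)": "max_age",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
}

# ST000051 / ST000056 default custom-variable values as the article lists them.
DEFINITION_DEFAULTS = {"max_age": 90, "min_length": 6, "history": 0,
                       "lockout_threshold": 0, "lockout_duration": 30, "lockout_window": 30}
# Tighter values, assumed for illustration; substitute your own policy.
HARDENED_POLICY = {"max_age": 60, "min_length": 12, "history": 24,
                   "lockout_threshold": 10, "lockout_duration": 15, "lockout_window": 15}


def parse_net_accounts(text):
    """Map the labelled lines to integers; Never/None/Unlimited become 0."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label = label.strip()
        if sep and label in FIELDS:
            v = value.strip()
            settings[FIELDS[label]] = 0 if v.lower() in ("never", "none", "unlimited") else int(v)
    return settings


def policy_findings(settings, policy):
    """Compare parsed settings with a policy dict; empty list = compliant.
    A policy lockout_threshold of 0 means lockout is not required at all,
    which is why the definition defaults let an unprotected machine pass."""
    f = []
    age = settings.get("max_age", 0)
    if age == 0:
        f.append("passwords never expire")
    elif age > policy["max_age"]:
        f.append(f"maximum password age {age} > {policy['max_age']} days")
    length = settings.get("min_length", 0)
    if length < policy["min_length"]:
        f.append(f"minimum password length {length} < {policy['min_length']}")
    history = settings.get("history", 0)
    if history < policy["history"]:
        f.append(f"password history {history} < {policy['history']}")
    if policy["lockout_threshold"]:
        thr = settings.get("lockout_threshold", 0)
        if thr == 0:
            f.append("account lockout disabled (threshold 0)")
        elif thr > policy["lockout_threshold"]:
            f.append(f"lockout threshold {thr} > {policy['lockout_threshold']} attempts")
        dur = settings.get("lockout_duration", 0)
        if dur != 0 and dur < policy["lockout_duration"]:   # 0 = locked until an admin resets
            f.append(f"lockout duration {dur} < {policy['lockout_duration']} minutes")
        window = settings.get("lockout_window", 0)
        if window < policy["lockout_window"]:
            f.append(f"lockout reset window {window} < {policy['lockout_window']} minutes")
    return f


if __name__ == "__main__":
    parsed = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    for name, policy in (("definition defaults", DEFINITION_DEFAULTS), ("hardened", HARDENED_POLICY)):
        print(name, "->", policy_findings(parsed, policy) or "compliant")
```

Against the definition defaults the sample machine is reported for only two things (non-expiring passwords and a zero minimum length): a history of 0 and no lockout at all are accepted. Against the tighter policy the same machine is also reported for missing password history and for having lockout disabled, which is the gap the custom variables are meant to close.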

 

ST000207 - System Restore

 

This security threat content will scan a computer to check if the System Restore option is set to "On". If the System Restore option is set to on, then the security threat will be detected on the computer. Since Microsoft recommends that this setting be configured in the UI, this security threat is detect-only and cannot be remediated through LANDesk Security and Patch Manager.

 

System Restore can interfere with the proper function of anti-spyware and anti-malware software.   It is recommended to disable System Restore.

 

For additional information regarding System Restore, including how to disable it, see this article.

 

LANDesk Antivirus remediation of Kido variants

 

It is necessary to update to LANDesk Antivirus engine version 5.0.1.95 or newer.   To update to the latest LANDesk Antivirus scan engine, see this article.

 

Realtime protection may not be able to fully remove the virus, as files may be locked and in use and cannot be deleted until the next reboot.

 

If you suspect that the system may not be fully remediated, it is recommended to run a full virus scan.   If files are found that cannot be removed, a LANDesk Antivirus GUI will appear on the client prompting the user with "LANDesk Antivirus has discovered a new virus.  Your computer must be rebooted to completely remove this virus.  Please allow the virus scan to complete and then reboot this system."

 

The Antivirus Activity function within Security and Patch Manager should be used to check for computers that have detected a virus, but have not yet finished cleaning it.

 

LANDesk Host Intrusion Prevention

 

Even in basic protection mode, LANDesk Host Intrusion prevention is a powerful tool to protect against malware.

 

LANDesk Host Intrusion Prevention protects against many "Zero-Day" threats.   These are threats that are new and do not have an effective detection and/or remediation mechanism within pattern-file based antivirus programs.

 

Benefits of LANDesk Host Intrusion Prevention include the following:

 

  • Protection against malicious use of FTP, TFTP, Scripts
  • Protection against malware that attempts to hook into Internet Explorer
  • Protection against malware that attempts to hook into Windows Explorer
  • Protection of the Hosts file
  • Protection of the LANDesk client directories
  • Protection against processes writing to the registry
  • Etc.

 

For further information about the complete range of Endpoint Security products offered by LANDesk Software, see http://www.landesk.com/Products/HIPS/Index.aspx
