Stopping Conficker Spread using Group Policy

This will not clean the system of the Conficker malware; it only stops the malware from spreading further. The malware itself should be removed by your anti-virus product. If your product does not remove it, follow the manual cleaning steps in this KB.

Create a new policy that will apply to all machines in a specific OU, Site, Domain and so on. Please pay special attention to the NOTE in step 4 below. Keep in mind that steps 1 and 2 also block legitimate changes to those locations (for example, installing a service that runs under svchost, or creating a scheduled task) for as long as the GPO is applied, so plan to remove those settings once the systems are clean.

1. Set the policy to remove write permissions on HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost. This prevents the randomly named malware service from being added to the netsvcs registry value, which is how the malware gets loaded by svchost.exe.

a. Open the Group Policy Management Editor.

b. Create a new Group Policy Object, giving it whatever name you like.

c. Open the new policy and navigate to Computer Configuration\Windows Settings\Security Settings\Registry

d. Right Click Registry and choose Add Key

e. In the Select Registry Key window, expand Machine and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost

f. Click OK

g. In the Security window remove the check mark for Full Control for both Administrators and System

h. Click OK

i. In the Add Object window, choose “Replace existing permissions on all subkeys with inheritable permissions”

j. Click OK

2. Set the policy to remove write permissions on %windir%\Tasks. This prevents the Conficker malware from creating the scheduled tasks it uses to re-infect the system.

a. In the same Group Policy Object created above, navigate to Computer Configuration\Windows Settings\Security Settings\File System

b. Right Click File System and choose Add File.

c. In the Add a file or folder window, browse to %windir%\tasks and highlight the Tasks folder

d. Click OK

e. In the Security window remove the check mark for Full Control for both Administrators and System.

f. Click OK

g. In the Add Object window, choose “Replace existing permissions on all subfolders and files with inheritable permissions”

h. Click OK

3. Set the Autoplay (AKA Autorun) feature to disabled. This keeps the Conficker malware from spreading via the Autoplay features built into Windows (for example from infected removable drives).

a. In the same Group Policy Object created above perform the following -

i. For Windows 2003 Domain - navigate to Computer Configuration\Administrative Templates\System

ii. For Windows 2008 Domain – navigate to Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies

b. Open the Turn off Autoplay policy

c. In the Turn off Autoplay Properties window, Select Enabled

d. In the drop down menu choose All drives

e. Click OK.

4. Disable the local Administrator account. This blocks the Conficker malware's brute-force password attack against the local Administrator account on each system.

Note: This step should not be implemented if linking the GPO to the Domain Controllers OU, as you can potentially disable the domain “Administrator” account. If there is a need to apply the other settings to your Domain Controllers, create a separate GPO that does not contain this setting and link it to your Domain Controllers OU.

a. In the same Group Policy Object created above navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

b. Open the “Accounts: Administrator account status”

c. In the Accounts: Administrator account status Properties window, check Define this policy setting

d. Then select Disabled.

e. Click OK

5. Close the Group Policy Management Editor.

6. Link the newly created GPO to the location you would like it to apply.

7. Allow sufficient time for group policy to refresh to all computers

a. Generally, Active Directory replication takes about 5 minutes to reach each DC in the same site (longer across sites), and computers then pick up the change at their next Group Policy refresh, which by default runs every 90 minutes plus a random offset of up to 30 minutes. A couple of hours should be sufficient, but may not be depending on the environment. Running gpupdate /force on an individual system applies the policy immediately.

8. Once the Group Policy has propagated, then clean the systems of malware

a. Start a Full Antivirus scans on all computers

b. If your Antivirus software does not detect this, then the Malicious Software Removal Tool (MSRT) provided by Microsoft can be used to clean the malware. However, some manual steps may still be needed to clean up all the effects of the malware.

c. To clean the effects left behind by the malware, please use the manual steps listed in this KB.
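Before starting the scans in step 8, it is worth confirming on a sample of machines that the policy actually landed. The following PowerShell script is an added example and is not part of this KB; it assumes Windows PowerShell 3.0 or later, run elevated on a domain member after the policy has refreshed. It checks the four settings above (Full Control removed from the Svchost key and the Tasks folder, Autoplay off for all drives, the built-in RID-500 Administrator disabled) and then walks the netsvcs list to flag any service whose ServiceDll is missing or not Authenticode-signed, which is the kind of randomly named entry step 1 is meant to block. The function names are this example's own.

```powershell
# Added example (not from the KB): verify the Conficker containment GPO on an endpoint
# and triage the netsvcs group for entries that do not look like legitimate Windows services.
# Assumes Windows PowerShell 3.0+ running elevated on a domain member.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$TasksFolder = Join-Path $env:windir 'Tasks'
$ExplorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Steps 1 and 2: neither Administrators nor SYSTEM should still hold Full Control.
function Test-FullControlRemoved {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $holders = @(foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $id = $rule.IdentityReference.Value
        if ($id -notin 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') { continue }
        # Registry and file rules use different enums with different FullControl masks.
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [int]$rule.RegistryRights
            $full   = [int][System.Security.AccessControl.RegistryRights]::FullControl
        } else {
            $rights = [int]$rule.FileSystemRights
            $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
        }
        if (($rights -band $full) -eq $full) { $id }
    })
    [pscustomobject]@{ Check = "No Full Control on $Path"; Detail = ($holders -join ', '); Pass = ($holders.Count -eq 0) }
}

# Step 3: "Turn off Autoplay" for "All drives" writes NoDriveTypeAutoRun = 0xFF.
function Test-AutoplayDisabled {
    $v = (Get-ItemProperty -Path $ExplorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{ Check = 'Autoplay off for all drives'; Detail = "NoDriveTypeAutoRun=$v"; Pass = ($v -eq 0xFF) }
}

# Step 4: the built-in Administrator is the local account whose SID ends in -500.
# On a domain controller this resolves to the domain Administrator, which the NOTE in step 4
# says must stay enabled, so a failing result there is expected and correct.
function Test-BuiltinAdminDisabled {
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=TRUE' |
             Where-Object { $_.SID -like '*-500' } | Select-Object -First 1
    [pscustomobject]@{ Check = 'Built-in Administrator disabled'; Detail = $admin.Name; Pass = [bool]$admin.Disabled }
}

# Step 1 triage: every name in netsvcs should map to a service whose ServiceDll exists and is signed.
# Caveat: on older Windows many Microsoft DLLs are catalog-signed and report NotSigned here,
# so treat the output as a list to review, not as a verdict.
function Find-UnverifiedNetsvcs {
    $names = (Get-ItemProperty -Path $SvchostKey -Name netsvcs).netsvcs
    foreach ($name in $names) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }   # no service key or no DLL: nothing for svchost to load
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'DLL MISSING'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = if ($sig.Status -eq 'Valid') { 'Signed: ' + $sig.SignerCertificate.Subject }
                      else { 'UNSIGNED (' + $sig.Status + ')' }
        }
        [pscustomobject]@{ Service = $name; ServiceDll = $path; Status = $status }
    }
}

# Report: one line per policy check, then only the netsvcs entries that need a second look.
$checks = @(
    Test-FullControlRemoved -Path $SvchostKey
    Test-FullControlRemoved -Path $TasksFolder
    Test-AutoplayDisabled
    Test-BuiltinAdminDisabled
)
$checks | Format-Table Check, Pass, Detail -AutoSize

Write-Host "`nnetsvcs entries without a valid Authenticode signature:"
Find-UnverifiedNetsvcs | Where-Object { $_.Status -notlike 'Signed:*' } | Format-Table -AutoSize
```

Run it on a few machines in each OU the GPO is linked to; if the Full Control checks still pass for Administrators, the policy has not refreshed yet (run gpupdate /force and re-check) or the link or security filtering is wrong. Any netsvcs entry pointing at an oddly named DLL in system32 that fails signature verification is a candidate for the manual cleanup steps in this KB.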

  • That solution is more scary than the conficker worm itself!

    Well maybe not quite ... but that's a lot of crippling taking place.

    Guess if you are infested it's too late in the day for this, if you are not already infested then getting your DATS up to date would probably be more important to stop the infection from targeting your machines. At the very least, this solution freezes out the virus, but I can see it playing all kinds of havoc on day to day operations until the GPO is lifted. Would there be massive kick back on implementing this?

    Nice find though David,