Tweet
Note: I have been lazy with my writing, so I'm just gonna push this up to one big post. Megacon and miscellaneous garbage got in the way as well, but they are weak ass excuses.
Cross posted from: http://disillusion.us
So the next day I come in. Tuesday morning, I was dreading it. Tuesday would mean that the other people in the office would come in and try to play internet super hero, and as predicted, they did. By Tuesday afternoon I had a solution for every machine while the others were still struggling on figuring out basic things about the virus. The Kid would come to me every couple of hours and be like "OH MAN I DISCOVERED THAT IT EXPLOITS SVHOST.EXE" "Yea man, I established this when we did the rolling updates last month to protect against this" "Oh..... well I found that out" -_-
My solution was simple and so basic, but it worked. I made a CD that had the Microsoft Malicious Software Removal Tool (MSRT), the patch to fix the hole. I also wrote a simple batch script that would removed scheduled tasks and some prefetch files the virus deposited (the scheduled tasks pointed to the prefetch files) and also ran all the programs we were using so that any idiot could walk up off the street and remove Downadup. I also came up with the idea to quarantine the network in sections and shut off the entire network to clear it out. I also named the CD "Final Solution" on accident, if you are wondering what that means, wikipedia it (I had to)
Wednesday we spent the whole day cleaning out everything. I came into work at 6am to get started. We worked on this till about 10am. We had thought we got every computer in the agency. We had a lot of catching up to do, so I spent the next few hours working away at my desk. Around 3pm we started having problems visiting Microsoft pages. It was back. We had not gotten every PC in the agency. Fuck.
The boss is fed up at this point, everyone is fried. He decides that we can come in on Saturday and we'll get a day off in the next week. Friday was a shitstorm again, but nothing we could do. Friday night was also Megacon, which I got shitfaced at and had to drive back in the morning :P
I got there on time, and we started the process. The thing I noticed is that not every PC was infected, in fact, most of the PCs were not infected. The reason we got reinfected is that once Downadup is in the system, it doesn't need an exploit to spread, it just uses Windows Shares, so out of the 50 computers I worked on, only 5 were infected, which a) is a surprise in itself and 2) means we didn't get them all. The deputies all brought in their laptops in to the office on Friday, so we had someone there working on it. If they didn't bring theirs in, we disabled their VPN sign on so they couldn't spread any more. We finished around 2 and everything seemed to be going great. I got a whole day off for very little work on my Saturday. I drove back to Megacon after resting and showering. I partied my ass off and met a really cute girl, who out of the blue today told me she broke up with her boyfriend after Megacon. (more on that in another post) Sunday I checked in and we were fine. I came into work on Monday and we were fine. Every day after that we were fine :) We are rid of it. From what I've read on the internet, its really not that big of a deal.
I learned a lot while doing this, I'm very happy with the results and I hate to brag, but all of the major breakthroughs we had were mine. Yea, I'm a little arrogant, I know that. I solved this problem with a little help from some other people, but it was because of my research and constant paying attention to the IT news that I got it done. I'm very happy with myself because this is where I want to go with my career. So I'm making a note here in my resume: "Huge Success:
its hard to overstate my satisfaction"
Seems the machines may not have been patched in a timely fashion.
-Congrats on the fix.
Most of the servers were patched. The problem is that one got infected and made the patch a moot point. The problem with this is our hierarchy, we have one guy in charge of network/servers/advanced stuff, and the rest of us are basically stuck doing helpdesk monkey stuff. The other problem is basically we have a CTO who is way out of touch with technology and his department as well. While I hoped that this issue would have been a good time to address this, and split responsibilities, but my naivety strikes again and things go back to "normal"
Most of the workstations were patched like I mentioned, I had brought this up in late January/early February knowing this would happen :3 I had assumed our server guy would of also patched the servers, but again, I'm naive in that thought ;/