Saturday, February 22, 2014

Following Locked Accounts to Find a Conficker Infection

I recently had several users reporting that they were unable to log in because their accounts had been locked out.  This perplexed me, because we have really lax account lockout policies.  There's no way one user, much less a bunch of users, could have tried enough wrong passwords to actually lock their accounts all on the same day.  Something fishy was going on, and it was going to require some investigation.

I started with the Account Lockout and Management Tools from Microsoft.  You can find those here: http://www.microsoft.com/en-us/download/details.aspx?id=18465

After you download and install them, you'll have to go find the files; they don't add icons to the Start Menu for you.  The default install location is C:\Program Files\Windows Resource Kits\Tools.  The one you'll want to run is LockoutStatus.exe.

When you run LockoutStatus you give it the username and domain of an account that has been locked out.  The utility queries every domain controller in the domain and shows, per DC, the account's lockout state, bad password count, and the time of the last bad password and of the lockout.  The DC listed as the "Orig Lock" is the one where the lockout actually happened, and the time next to it is what you'll use to find the matching log entry.

Once you know which DC it was locked on, open the Event Viewer on that server and look at the Security log.  If your server logs are like mine there are a huge number of events listed, so filter the log to show only Event ID 4740 ("A user account was locked out").  On a Windows Server 2003 DC the equivalent event is ID 644.  Because bad password attempts are forwarded to the PDC emulator, its Security log usually has a 4740 for every lockout in the domain, which makes it a good place to look if LockoutStatus gives you an ambiguous answer.

If you've got a machine infected with Conficker like I did, you'll probably have a lot of these lockout events.  That's because Conficker spreads over the network by trying to open the ADMIN$ share on neighbouring machines with a built-in list of weak passwords, and every failed guess counts against the account.  Technically, it could be an individual or organization trying to hack your system too.  But in my experience and in this environment it's usually some kind of virus doing it.

Most of the events had time stamps really close together.  I looked through the log around the time reported by LockoutStatus and found the event for that user account.  This event and the others were a red flag that something was going on: several of the lockouts happened in the middle of the night, when nobody should have been typing passwords, and the rest were scattered throughout the day rather than clustered around the start of a shift.

Now, let's use this information to track down the Conficker-infected machine.  Open one of these events, scroll down in the General tab, and look for the Additional Information section at the bottom.  What you want is the Caller Computer Name; that is the machine the bad password attempts came from, and in this case it's your infected machine.
Event ID 4740, look for the Caller Computer Name

You might also want to scroll through several of the events to see whether they're all coming from the same machine.  In my case I actually had three old machines that hadn't been patched correctly and were infected.
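Clicking through 4740 events one at a time gets old quickly when there are hundreds of them.  The following PowerShell script is an added example, not something from the original post: it pulls Event ID 4740 from every domain controller for the last N hours, parses out the account and the Caller Computer Name, and tallies the lockouts by source machine and by hour of day.  It assumes the ActiveDirectory module (RSAT) is installed, that you can read the Security log remotely on each DC, and the 24-hour window and column names are illustrative choices.

```powershell
# Added example (not from the original post): find the machines generating
# account lockouts by collecting Event ID 4740 from all domain controllers.
# Assumes: ActiveDirectory module available, remote Security log read rights.
param(
    [int]$Hours = 24   # how far back to look; illustrative default
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Collect the raw 4740 events from every DC.  A DC with no matching events
# makes Get-WinEvent throw, so treat that case as "nothing to report".
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read the Security log on $dc : $($_.Exception.Message)"
        }
    }
}

# Flatten each event's EventData into a hashtable so the fields can be read by name.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        DC             = $e.MachineName
        Account        = $d['TargetUserName']
        # Quirk of 4740: the "Caller Computer Name" shown in the event text is
        # stored in the TargetDomainName field, not in SubjectDomainName.
        CallerComputer = $d['TargetDomainName']
    }
}

# One machine locking out many different accounts is the pattern described above.
"=== Lockouts by caller computer ==="
$rows | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{n='CallerComputer'; e={ $_.Name }},
        @{n='Accounts'; e={ ($_.Group.Account | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize

# Lockouts by hour of day; activity in the middle of the night is a red flag.
"=== Lockouts by hour of day ==="
$rows | Group-Object { $_.Time.Hour } | Sort-Object { [int]$_.Name } |
    Select-Object @{n='Hour'; e={ $_.Name }}, Count |
    Format-Table -AutoSize
```

Run it from a domain-joined admin workstation, for example `.\Find-LockoutSource.ps1 -Hours 48`.  The first table gives you the short list of machines to go look at; if a Caller Computer Name is blank, the failed attempts came through a path that doesn't report a workstation name (some VPN and web front ends do this), and you'll need to check Event ID 4771 or 4776 on the same DC for the client address instead.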

One of the easiest and fastest ways to verify a Conficker infection is to use the Conficker Eye Chart.  Yes, it has a ridiculous name, but it's simple, fast, and it works.  If you haven't used it before, it's just a web page that loads one image from each of several major security vendors' sites.  Conficker blocks access to those domains from the infected machine, so based on which images load and which ones don't you can tell whether the machine is infected and, roughly, by which variant.  Run it from the suspect machine itself, not from your own workstation.

Once I had confirmed that it was Conficker, I ran the Microsoft Malicious Software Removal Tool to remove the infection.  Cleaning the machine is only half the job, though: Conficker got on there through the unpatched MS08-067 vulnerability and weak passwords, so make sure the machine is fully patched and reset any accounts whose passwords it was able to guess, or it will just come back.

This sounds like a long process, but don't get discouraged; in reality it flows pretty quickly.
