Conficker: Difference between revisions

Spread of Conficker

Conficker (aka Downup, Downadup and Kido) is a computer worm that surfaced in October 2008.^[1] Conficker targets only Microsoft Windows software, and is mostly found on Windows XP machines. The worm exploits a known bug in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.^[2]

On October 15, 2008 Microsoft released a patch to fix the bug.^[3] Heise Online estimated that it had infected 2.5 million PCs by January 15, 2009,^[4] while The Guardian estimated 3.5 million infected PCs.^[5] By January 16, 2009, antivirus software vendor F-Secure reported that Conficker had infected almost 9 million PCs^[6] making it one of the most widespread infections in recent times.^[7] Conficker is reported to be one of the largest botnets created because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008.^[8]

Operation

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer.^[9] The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.^[10]

Removal tools are available from Microsoft^[11] and Symantec.^[12] Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media through modifying the Windows Registry is recommended.^[13] While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions, as the support period for these service packs has expired.

In addition, the worm launches a brute-force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.^[14]

Symptoms of infection

• Account lockout policies being reset automatically.
• Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
• Domain controllers respond slowly to client requests.
• System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
• On websites related with Antivirus software, Windows system updates cannot be accessed.^[15]

Origin of name

The name is a German hacker pun, meaning "program that manipulates the configuration", consisting of the abbreviation con for configuration and the nominalized form of the German verb ficken (idiom vulgar term for "fuck") and is a not at all a near homophone to the English "configure", but perhaps when said with a German accent.

Major problems caused by Conficker

• The U.K. Ministry of Defence reported that some of its major systems and desktops are infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines.^[16]
• Hospitals across the city of Sheffield reported infection of over 800 computers.^[17]

See also

• Timeline of notable computer viruses and worms

References

1. "Three million hit by Windows worm". BBC News Online. BBC. 2009-01-16. Retrieved 2009-01-16.
2. "Worst virus in years infects 6.5 mn computers". CNN-IBN. 1/18/2009. Retrieved 2009-01-18. {{cite news}}: Check date values in: |date= (help)
3. "Microsoft Security Bulletin MS08-067". 2008-10-23. Retrieved 2009-01-19.
4. "Report: 2.5 million PCs infected with Conficker worm". heise online. 2009-01-15. Retrieved 2009-01-16.
5. Schofield, Jack (2009-01-15). "Downadup worm threatens Windows". guardian.co.uk. Guardian News and Media. Retrieved 2009-01-16.
6. Sean (2009-01-16). "Preemptive Blocklist and More Downadup Numbers". F-Secure. Retrieved 2009-01-16.
7. "Downadup virus exposes millions of PCs to hijack". CNN. January 16, 2009. Retrieved 2009-01-18. {{cite news}}: |first= missing |last= (help)
8. "Three in 10 Windows PCs still vulnerable to Conficker exploit". The Register. 19th January 2009. Retrieved 2009-01-20. {{cite news}}: |first= missing |last= (help); Check date values in: |date= (help)
9. "Conficker Worm Attack Getting Worse: Here's How to Protect Yourself". PC World. Jan 17, 2009. Retrieved 2009-01-18. {{cite web}}: |first= missing |last= (help)
10. "F-Secure Malware Information Pages". F-secure. Retrieved 2009-01-18.
11. http://www.microsoft.com/security/malwareremove/default.mspx
12. http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3
13. "Removing and Repairing". Retrieved 2009-01-18.
14. "Passwords used by the Conficker worm". Sophos. Retrieved 2009-01-16.
15. "Virus alert about the Win32/Conficker.B worm". Microsoft. January 15, 2009. Retrieved 2009-01-22.
16. "MoD networks still malware-plagued after two weeks". The Register. 20th January 2009. Retrieved 2009-01-20. {{cite news}}: Check date values in: |date= (help)
17. "Conficker seizes city's hospital network". The Register. 20th January 2009. Retrieved 2009-01-20. {{cite news}}: |first= missing |last= (help); Check date values in: |date= (help)