
Conficker

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 62.189.112.129 (talk) at 12:59, 20 February 2009 (Tidied up the McAfee removal text). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


Conficker, also known as Downup, Downandup and Kido, is a computer worm which surfaced in October 2008 and targets the Microsoft Windows operating system.[1] The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta.[2][3]

Operation

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.[4]

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.

It then connects to a server, where it receives further orders to propagate, gathers personal information, and downloads and installs additional malware onto the victim's computer.[5] The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.[6]

Payload

The "A" variant of Conficker will create an HTTP server and open a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a worm copy. It will also reset System Restore points, and download files to the target computer.[7]

Symptoms of infection

  • Account lockout policies being reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
  • Domain controllers respond slowly to client requests.
  • The local network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
  • Websites related to antivirus software and Windows system updates cannot be accessed.[8]
  • A brute-force dictionary attack is launched against administrator passwords to help the worm spread through ADMIN$ shares, which makes choosing strong passwords advisable.[9]

Impact and reaction

By January 16, 2009, antivirus software vendor F-Secure reported that Conficker had infected almost 9 million PCs.[10][11] The New York Times reported that Conficker had infected 9 million PCs by January 22, 2009, while The Guardian estimated 3.5 million infected PCs.[12][13] As of January 26, 2009, Conficker had infected more than 15 million computers, making it one of the most widespread infections in recent times.[14]

Another antivirus vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.[15][16]

Conficker is reported to be one of the largest botnets created because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008.[17]

The U.K. Ministry of Defence reported that some of its major systems and desktops are infected. The worm has spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.[18][19]

On February 6, 2008, the computers used by the Houston Municipal Courts were infected with Conficker. How the virus got into the system is unknown.[20]

Experts say it is the worst infection since the SQL Slammer.[12]

On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.

As of February 13, 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the criminals behind the creation and/or distribution of Conficker.[21][22][23][24][25][26]

On February 13 the Bundeswehr reported that several hundred of its computers were infected.

Patching and removal

On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability.[27] Removal tools are available from Microsoft,[28] ESET,[29] Symantec,[30] Sophos[31] and Kaspersky Lab,[33] while McAfee[32] can remove it with an On-Demand Scan. Microsoft has released patches for Windows XP Service Packs 2 and 3, Windows 2000 SP4 and Vista, but it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired. Since the worm can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media by modifying the Windows Registry is recommended.[34] However, the United States Computer Emergency Readiness Team describes Microsoft's guidelines on disabling AutoRun as "not fully effective" and provides its own guidance.[35] Microsoft has released a guide on how to remove the worm on its website.
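A read-only host check, added here as an example and not taken from the article or from any vendor's removal tool: it looks for the disabled services listed under "Symptoms of infection", the recent account lockouts that the ADMIN$ brute-forcing produces, whether the MS08-067 hotfix is installed, and whether the AutoRun registry settings this section refers to are in place. The service names, the hotfix number (KB958644), the event IDs and the registry paths are standard Windows values assumed here rather than quoted from the article.

```powershell
# Added example: read-only check for Conficker symptoms and mitigations on a host.
# Run in an elevated Windows PowerShell session (XP/2003/Vista/2008 era, PS 2.0+).

# 1. Services the worm is described as disabling. ERSvc is the XP/2003 name and
#    WerSvc the Vista/2008 name for Error Reporting; only the one present is checked.
$watched = @{
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting (XP/2003)'
    'WerSvc'    = 'Error Reporting (Vista/2008)'
}
foreach ($name in $watched.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }                      # service not on this OS
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        Write-Warning ("{0} ({1}) is {2}/{3}" -f $name, $watched[$name], $svc.StartMode, $svc.State)
    }
}

# 2. Account lockouts: event 644 (XP/2003) or 4740 (Vista/2008) in the Security log.
#    A burst of these from one workstation matches the dictionary attack on ADMIN$.
$lockouts = Get-EventLog -LogName Security -InstanceId 644, 4740 -Newest 50 -ErrorAction SilentlyContinue
if ($lockouts) {
    Write-Warning ("{0} recent account lockout events; check their source workstation" -f $lockouts.Count)
}

# 3. MS08-067 ships as hotfix KB958644 on all affected Windows versions.
$fix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
if ($fix) { 'MS08-067 (KB958644) is installed' }
else { Write-Warning 'MS08-067 (KB958644) not found: the Server service is still exploitable' }

# 4a. Microsoft's AutoRun policy value: 0xFF disables AutoRun for every drive type.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noAuto = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($noAuto -eq 0xFF) { 'NoDriveTypeAutoRun = 0xFF' }
else { Write-Warning ("NoDriveTypeAutoRun is '{0}', not 0xFF" -f $noAuto) }

# 4b. US-CERT's workaround (TA09-020A): map Autorun.inf to a non-existent INI section
#     so Explorer never parses it, regardless of the policy value above.
$ini = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$map = (Get-ItemProperty -Path $ini -ErrorAction SilentlyContinue).'(default)'
if ($map -eq '@SYS:DoesNotExist') { 'Autorun.inf IniFileMapping workaround is in place' }
else { Write-Warning 'Autorun.inf IniFileMapping workaround (@SYS:DoesNotExist) is not set' }
```

Every check only reads state; use the vendor removal tools cited above to clean an infected host, then re-run this script to confirm the services are restored and the patch is present.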

References

  1. "Three million hit by Windows worm". BBC News Online. BBC. 2009-01-16. Retrieved 2009-01-16.
  2. "Conficker worm still wreaking havoc on Windows systems". Government Computer News. 2009-01-15.
  3. "Windows 7 Beta is not immune to Conficker". Digital World. 2009-01-29.
  4. CVE-2008-4250. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
  5. "Conficker Worm Attack Getting Worse: Here's How to Protect Yourself". PC World. 2009-01-17. Retrieved 2009-01-18.
  6. "F-Secure Malware Information Pages". F-Secure. Retrieved 2009-01-18.
  7. "Worm:Win32/Conficker.A". Microsoft Malware Protection Center. http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
  8. "Virus alert about the Win32/Conficker.B worm". Microsoft. 2009-01-15. Retrieved 2009-01-22.
  9. "Passwords used by the Conficker worm". Sophos. Retrieved 2009-01-16.
  10. Sean (2009-01-16). "Preemptive Blocklist and More Downadup Numbers". F-Secure. Retrieved 2009-01-16.
  11. "Downadup virus exposes millions of PCs to hijack". CNN. 2009-01-16. Retrieved 2009-01-18.
  12. Markoff, John (2009-01-22). "Worm Infects Millions of Computers Worldwide". New York Times.
  13. Schofield, Jack (2009-01-15). "Downadup worm threatens Windows". guardian.co.uk. Guardian News and Media. Retrieved 2009-01-16.
  14. "Virus strikes 15 million PCs". UPI. 2009-01-25. http://www.upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206/
  15. Panda ActiveScan. http://www.activescan.com
  16. Panda Security (2009-01-21). "Six percent of computers scanned by Panda Security are infected by the Conficker worm". Panda Security. Retrieved 2009-01-21.
  17. "Three in 10 Windows PCs still vulnerable to Conficker exploit". The Register. 2009-01-19. Retrieved 2009-01-20.
  18. "MoD networks still malware-plagued after two weeks". The Register. 2009-01-20. Retrieved 2009-01-20.
  19. "Conficker seizes city's hospital network". The Register. 2009-01-20. Retrieved 2009-01-20.
  20. Houston Chronicle. http://www.chron.com/disp/story.mpl/front/6250411.html
  21. CNN. 2009-02-13. http://www.cnn.com/2009/TECH/ptech/02/13/virus.downadup/index.html
  22. "Microsoft announces industry alliance, $250k reward to combat Conficker". Zero Day. 2009-02-12.
  23. "Microsoft offers $250,000 reward for Conficker arrest". CNET News. 2009-02-12.
  24. "Microsoft announces a joke of $250,000 Conficker worm bounty". Network World. 2009-02-12.
  25. "Microsoft offers $250,000 bounty for capture of Conficker worm creator". guardian.co.uk. 2009-02-13.
  26. "Microsoft bounty for worm creator". BBC. 2009-02-13. Retrieved 2009-02-13.
  27. "Microsoft Security Bulletin MS08-067". Microsoft. 2008-10-23. Retrieved 2009-01-19.
  28. Microsoft Malicious Software Removal Tool. http://www.microsoft.com/security/malwareremove/default.mspx
  29. ESET Conficker remover. http://download.eset.com/special/EConfickerRemover.exe
  30. Symantec Security Response write-up. http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3
  31. Sophos knowledge base article 51416. http://www.sophos.com/support/knowledgebase/article/51416.html
  32. McAfee Virus Information Library. http://vil.nai.com/vil/content/v_153464.htm
  33. Kaspersky Lab Viruslist alert. http://www.viruslist.com/en/alerts?alertid=203996089
  34. "MS08-067 Worm, Downadup/Conficker". Retrieved 2009-01-08.
  35. "Microsoft Windows Does Not Disable AutoRun Properly". US-CERT. 2009-01-29. Retrieved 2009-02-16.