
Mistake in Intro

"business and home computers in over 200 countries" There are just about 198 countries in the world today... Printf. — Preceding unsigned comment added by (talk) 13:02, 27 October 2011 (UTC)

Reuters Conficker conspiracy article, sounds like a war crimes case filing!

According to a new Reuters article, Conficker was NOT a for-profit cybercriminal malware, in fact it was the early delivery vehicle for the Stuxnet military attack tool to Iran, and the 9 to 11 million infected computers worldwide were just masking smoke and "collateral victims": or

It is mind-boggling that anyone would "collaterally" carpet e-bomb circa 10 million Windows PCs all around the world just to wage cyberwar. If true, it sounds like a clear-cut IWCC criminal case for The Hague, although USA and Israel are apparently untouchables, so the "Unit 8200" personnel are safe. (talk) 10:21, 5 December 2011 (UTC)

Text of the article, in case it gets "accidentally" dis-appearated by the powers that be:

Insight: Did Conficker help sabotage Iran program? Friday, 02 Dec 2011, by Jim Finkle, Reuters

A cyber warfare expert claims he has linked the Stuxnet computer virus that attacked Iran's nuclear program in 2010 to Conficker, a mysterious "worm" that surfaced in late 2008 and infected millions of PCs.

Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet, according to research from John Bumgarner, a retired U.S. Army special-operations veteran and former intelligence officer.

"Conficker was a door kicker," said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats. "It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet."

While it is widely believed that the United States and Israel were behind Stuxnet, Bumgarner wouldn't comment on whether he believes the Americans and Israelis also unleashed Conficker, one of the most virulent pieces of so-called malware ever detected. He wouldn't name the attackers he believes were behind the two programs, saying the matter was too sensitive to discuss.

The White House and the FBI declined to comment.

Prime Minister Benjamin Netanyahu's office, which oversees Israel's intelligence agencies, also declined comment.

If Bumgarner's findings, which couldn't be independently confirmed, are correct then it shows that the United States and Israel may have a far more sophisticated cyber-warfare program than previously thought. It could also be a warning to countries other than Iran that they might be vulnerable to attacks.

His account leaves unresolved several mysteries. These include the severity of the damage that the program inflicted on Iran's uranium enrichment facility, whether other facilities in Iran were targeted and the possibility that there were other as yet unidentified pieces of malware used in the same program.

Bumgarner - who wrote a highly praised analysis of Russia's 2008 cyber assault on Republic of Georgia - says he identified Conficker's link to Stuxnet only after spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code.

He is well regarded by some in the security community. "He is a smart man," said Tom Kellermann, an advisor to the Obama Administration on cyber security policy and the chief technology officer of a company called AirPatrol.

His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud.

The worm's latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny.

Bumgarner's work could deepen understanding of how Stuxnet's commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.

He provided Reuters with his timeline of the attack, which indicates it began earlier than previously thought. He said that it was planned using data stolen with early versions of Duqu, a data-stealing tool that experts recently discovered and are still trying to understand. The operation ended earlier than planned after the attackers got caught because they were moving too quickly and sloppiness led to errors.


The view that Stuxnet was built by the United States and Israel was laid out in a January 2011 New York Times report that said it came from a joint program begun around 2004 to undermine Iran's efforts to build a bomb. That article said the program was originally authorized by U.S. President George W. Bush, and then accelerated by his successor, Barack Obama.

The first reports that the United States and Israel were behind Stuxnet were greeted skeptically. There are still a handful of prominent cyber security experts, including Jeffrey Carr, the author of the book "Inside Cyber Warfare: Mapping the Cyber Underworld," who dispute the U.S.-Israel idea. He says that circumstantial evidence paints a convincing case that China was behind Stuxnet.

Some also question Bumgarner's findings.

"He is making assertions that have no basis in fact. Anything is possible, but the empirical evidence doesn't show any linkage between the two," said Paul "Fergie" Ferguson, senior threat researcher with security software maker Trend Micro.

He was among a group of researchers from dozens of companies who teamed up in 2009 and spent months studying Conficker. That group concluded it was impossible to determine who was behind the worm.

Ferguson said on Friday he believed Conficker was likely the work of criminals in eastern Europe, based on similarities in the coding of Conficker and previously discovered types of malware.

According to Bumgarner's account, Stuxnet's operators started doing reconnaissance in 2007, using Duqu, which spied on makers of components used in Iran's nuclear and critical infrastructure facilities.

In November 2008, Conficker was let loose and it quickly spread, attacking millions of PCs around the world. Its initial task was to infect a machine and "phone home" with its location. If it was at a strategic facility in Iran, the attackers tagged that PC as a target. The release left millions of untagged machines infected with Conficker around the world, but no damage was done to them.

In March 2009, Bumgarner says, the attackers released a new, more powerful version of Conficker that started the next phase of the attack on April 1 by downloading Stuxnet onto the targeted PCs. After it completed that task, Conficker's mission on those machines was complete.


It took Bumgarner months to conclude that Conficker was created by the authors of Stuxnet.

First, he noticed that the two pieces of malware were both written with unprecedented sophistication, which caused him to suspect they were related. He also found that infection rates for both were far higher in Iran than the United States and that both spread by exploiting the same vulnerability in Windows.

He did more digging, comparing date and time stamps on different versions of Conficker and Stuxnet, and found a correlation -- key dates related to their development and deployment overlapped. That helped him identify April Fool's Day, April 1, 2009, as the launch date for the attack.

Bumgarner believes the attackers picked that date to send a message to Iran's leaders. It marked the 30th anniversary of the declaration of an Islamic republic by Ayatollah Khomeini after a national referendum.

He also identified two other signals hidden in the Stuxnet code, based on the dates when key modules were compiled, or translated from programming text into a piece of software that could run on a computer.

One coincided with a day when Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York.


The operators communicated with Stuxnet-infected computers over the Internet through servers using fake soccer websites that they built as a front for their operation: and

If Iranian authorities noticed that traffic, they would be deceived into assuming it was from soccer fans, rather than suspect that something was awry, Bumgarner said.

Once Conficker had pulled Stuxnet into computers in Iran there was still one big hurdle, he said. Those infected computers weren't yet in the target - the underground uranium enrichment facility at Natanz.

Getting the virus in there was one of the trickiest parts of the operation.

Computers controlling the rapidly rotating gas centrifuges were cut off from the Internet. The best way to attack was to put the malware on a device like a USB thumb drive, and then get somebody to connect that drive to the system controlling the centrifuges.

Stuxnet was programmed to automatically jump from an infected PC to a USB drive as soon as it was put into a computer. That was the easy part. Getting somebody to be a human "mule" by bringing that USB drive to Natanz and plugging it into the right machine was a logistical nightmare.

It was impossible to predict when somebody with an infected USB drive would visit the plant. It could take a week or it might be six months.

"It's a painstakingly slow game of chess," said Bumgarner. "They had to keep making moves and countermoves until they reached the centrifuges. Then it was checkmate."

That was probably delivered by somebody who regularly visited the facility and had reason to share information electronically - an academic affiliated with an engineering program at one of Iran's universities or a worker at a company that provided technology to the facility, according to Bumgarner. He or she was almost certainly unaware of what was happening, he said.

Bumgarner is not sure when Stuxnet first hit Natanz, but suspects that early versions only did limited damage. He believes the attackers grew impatient with the pace at which it was damaging the facility and as a result they performed the cyber equivalent of injecting steroids into Stuxnet, adding modules to make it spread faster and inflict more damage. They deployed an enhanced version in January 2010, and two months later an even more powerful one.

Bumgarner believes the juiced-up malware was effective in damaging the centrifuges. But just as steroids have side effects on humans, so the additional modules had a negative impact on the malware: They started causing infected machines to act abnormally.

A then-obscure security firm known as VirusBlokAda in Belarus reported that it discovered Stuxnet after a piece of the souped-up virus made a computer in Iran behave erratically. International investigations followed, which eventually uncovered the attacks on Natanz.

"It blew their operation wide open," says Bumgarner.

Yet its creators may still have other irons in the fire, thanks to Conficker, which lies dormant in millions of PCs around the globe in strategic locations such as Iran, China, Russia, India and Pakistan.

"Conficker represents the largest cyber army in the world," Bumgarner said. "These soldiers are just waiting for their next mission."

(Additional reporting by Andrea Shalal-Esa and Caren Bohan in Washington and Crispian Balmer in Jerusalem. Editing by Martin Howell)

Another variant?

In 2011, my college was wholly infected by a Conficker version that created none of the symptoms found here. It's one recognized by virus scanners as Kido net.worm that propagates itself mainly via USB sticks and external drives that students were plugging and unplugging in and out of college computers at a two-digit rate per day.

Its symptoms consisted of renaming all files and directories on a given disk or stick into .lnk Windows icon files all appearing as 1kB each in Windows explorer or any other program's file opening dialogue, that when clicked prompt the error message that the link was leading to a missing resource. Additionally, it creates new directories also of the .lnk type with names such as "passwords" on the root level.

Using the tried, tested, and recommended Conficker removal tools and patches, the worm could be stopped from propagation, killed and removed from the individual system or disk, but that doesn't change anything about all files and directories still being re-named into .lnk files and not available.

By experimenting, I found out that the virus had not deleted the original files and directories, but replaced them with invisible .zip files, invisible as such that not even enabling the "show invisible files and directories" option in Windows made them appear. However, when using Winzip, everything looked and worked like the normal, uninfected state would have in Windows explorer.

That way, files could be "unzipped" to a clean disk protected by updated virus scanners with proactive protection recognizing and blocking Kido net.worm. But only files, not directories (as that curiously resulted in only a fraction of the files inside being transferred), which is why a disk's complete directory system had to be manually re-created by hand.

Are there any available, authoritative sources on this behavior of a Conficker variant? I'm asking because none of its behavior itself could point one to the fact that it's really Conficker when you're looking this article up. And because I'm really looking for a simpler way to reclaim TBs of data in thousands of directories and sub-directories. -- (talk) 18:09, 26 January 2013 (UTC)
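A read-only triage helper for the symptom pattern described in this post, added here as an example and not code from the original thread or from any Conficker tool: it flags directories where small .lnk shortcuts (the post reports roughly 1 kB each) sit next to files whose contents begin with the ZIP local-file-header magic, whatever their name or hidden attribute, and lists what those archives contain so the owner can see what is recoverable before touching anything. Function names and the sample archive are the example's own; it checks file contents rather than the Windows hidden attribute because the post notes that attribute is not reliable for these files.

```python
import os
import zipfile
from io import BytesIO
from pathlib import PurePosixPath

ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header signature
MAX_LNK_SIZE = 1024         # the post reports the shortcuts as ~1 kB each


def is_disguised_archive(name, data):
    """ZIP content under a name that does not advertise itself as a .zip."""
    return data.startswith(ZIP_MAGIC) and not name.lower().endswith(".zip")


def archive_members(data):
    """Member file names of an in-memory ZIP, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    except (zipfile.BadZipFile, OSError):
        return []


def triage(entries):
    """entries: {relative POSIX path: bytes}. Returns only directories showing
    both symptoms: at least one small .lnk and at least one disguised archive."""
    per_dir = {}
    for path, data in entries.items():
        p = PurePosixPath(path)
        rec = per_dir.setdefault(str(p.parent), {"shortcuts": [], "archives": {}})
        if p.suffix.lower() == ".lnk" and len(data) <= MAX_LNK_SIZE:
            rec["shortcuts"].append(p.name)
        elif is_disguised_archive(p.name, data):
            rec["archives"][p.name] = archive_members(data)
    return {d: r for d, r in per_dir.items() if r["shortcuts"] and r["archives"]}


def triage_directory(root):
    """Read-only wrapper over a real path: files are opened for reading only,
    and fully read only when they are .lnk files or carry the ZIP magic."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    head = fh.read(4)
                    if fn.lower().endswith(".lnk") or head == ZIP_MAGIC:
                        entries[rel] = head + fh.read()
            except OSError:
                continue
    return triage(entries)


def make_sample_zip(member_names):
    """Constructed sample archive (hypothetical content) for offline testing."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in member_names:
            zf.writestr(name, b"sample content for " + name.encode())
    return buf.getvalue()
```

Run `triage_directory("E:/")` (or a mounted image of the stick) to get a per-directory report; nothing is renamed, extracted or deleted.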

Redundant Ending in the Intro

I feel that the line "It's been involved in the activities like terrorism activities.It is considered a security risk and should be removed from the network with the help of Microsoft Certified Technician." which appears at the end of the intro is unnecessary. The fact that the worm is listed as attacking and infecting large numbers of computers makes it clear that the worm poses a security threat. Additionally, the advice to employ the services of a Microsoft certified technician seems unnecessary given that removal can now be accomplished using standard tools, making a Microsoft certified technician no more useful than any power user. Furthermore, by suggesting that a Microsoft technician is necessary, this sentence acts as an advertisement for Microsoft, as it would indicate that their certified technicians in some way possess a unique skill that any normal I.T. worker does not have. This would make being a Microsoft technician a desirable quality, which would mean Microsoft could potentially make additional profits through its certification program. 2001:470:1D:1DF:F933:358B:42FF:3660 (talk) 09:12, 3 September 2015 (UTC)


It's a dangerous kind of worm. — Preceding unsigned comment added by (talk) 09:18, 19 October 2015 (UTC)

Bad links

The reference links:

Conficker Worm Scanning Utility, eEye Digital Security
Confickertest, McAfee

No longer lead to valid pages. (talk) 21:27, 13 January 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 2 external links on Conficker. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

You may set the |checked=, on this template, to true or failed to let other editors know you reviewed the change. If you find any errors, please use the tools below to fix them or call an editor by setting |needhelp= to your help request.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

If you are unable to use these tools, you may set |needhelp=<your help request> on this template to request help from an experienced user. Please include details about your problem, to help other editors.

Cheers.—InternetArchiveBot (Report bug) 14:35, 29 November 2016 (UTC)