Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.

Conficker is a worm that infects computers running the Windows operating system by using known flaws in Windows. Conficker uses dictionary attacks on administrator passwords to hijack machines and link them to a virtual machine that is remotely controlled by its creator.

How does Work Conficker worm:

Conficker is delivered to an infected system as a Dynamic-link library or DLL. It cannot run as a standalone program.

The worm Conficker worm first infects a Windows System using certain vulnerabilities in the system and then exploits shellcode to inject the DLL into the running Windows server service and then, it creates a registry entry to ensure that it runs every-time the machine reboots.

After infecting a computer, Conficker uses a list of websites to find out the IP address of the infected machine. It then uses the IP address to download a small HTTP server and opens that in the infected machine.

Once the HTTP server is up, the worm then scans for other vulnerable machines. Once it finds a vulnerable target machine to infect, it sends the URL of the currently infected machine as a payload to the target vulnerable machine. The remote target machine then downloads the worm from the URL sent and starts infecting other vulnerable machines.

To infect a remote computer in the network, the Conficker worm first tries with credentials of the currently logged on user. If it is unsuccessful, it gains a list of user accounts in the target machine and tries to log in using each of the username and a list of commonly used weak passwords. The worm then drops a copy of itself in the admin share of the target.

Conficker then creates a remotely scheduled job to activate the copy.

Conficker can also infect a computer using removable drives or USB drives. For that, it first copies itself to the drives using a random file name. it then changes the autorun.inf file to show an additional option to “Open folder to view files” with “Publisher not Specified”, when the drive connects with a computer. If a user cannot the trick and selects that option, a copy of the worm will start running in the computer.

After infecting a computer, the Conficker worm generates a list of domain names using a randomization function seeded with current UTC system date. All the infected machines try to connect to the same set of domain names for updates.

Signs and Symptoms of Infection:

Conficker and all of its variants perform the following to an infected system:

  • Modification of system settings
  • Disabling of TCP/IP Tuning
  • Termination\disablement of the following Windows services:
    • Windows Security Service
    • Windows Auto Update, Background Intelligent Transfer Service (BITS)
    • Windows Defender
    • Windows Error Reporting Service
  • Termination\disablement of third-party security services/software that deals with system security (anti-virus, firewalls, etc)
  • Resetting system restore points
  • Deleting backup files
  • Checking for internet connectivity and downloading arbitrary files
  • Users will not be able to browse certain security-related Web sites with URLs containing specific keywords and phrases.
  • Increase in traffic on port 445
  • Access to administrator shared files is denied
  • Sluggish response due to an increase in network traffic

Conficker Removal:

There are several Conficker removal tools available for download. Most Anti-Virus vendors have developed removal tools and/or provided instructions for removing Conficker and links to some of these are listed below:

  • Symantec
  • SOPHOS
  • McAfee
  • Microsoft’s Malicious Software Removal Tool
  • Microsoft also has put together a manual procedure for removing the Conficker worm

How to Prevent Conficker Worm:

  • Keep your system updated with recent patches of security software.
  • The malware exploits security vulnerabilities of commonly used software to infect a computer. So, always keep your computer updated with recent security patches of all the commonly used software.
  • Keep your windows system updated with the latest security patches of the Operating System.
  • Turn on firewalls in the system.
  • Use user account control to limit user privileges, so that the worm cannot run exploiting full access to the Windows system.