Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.
Conficker is a worm that infects computers running the Windows operating system by using known flaws in Windows. Conficker uses dictionary attacks on administrator passwords to hijack machines and link them to a virtual machine that is remotely controlled by its creator.
How the Conficker worm works:
Conficker is delivered to an infected system as a Dynamic-link library or DLL. It cannot run as a standalone program.
The Conficker worm first infects a Windows system using certain vulnerabilities in the system, then uses shellcode to inject the DLL into the running Windows Server service, and then creates a registry entry to ensure that it runs every time the machine reboots.
After infecting a computer, Conficker uses a list of websites to find out the IP address of the infected machine. It then uses that IP address to download a small HTTP server and start it on the infected machine.
Once the HTTP server is up, the worm then scans for other vulnerable machines. Once it finds a vulnerable target machine to infect, it sends the URL of the currently infected machine as a payload to the target vulnerable machine. The remote target machine then downloads the worm from the URL sent and starts infecting other vulnerable machines.
To infect a remote computer in the network, the Conficker worm first tries the credentials of the currently logged-on user. If that is unsuccessful, it obtains a list of user accounts on the target machine and tries to log in with each username combined with a list of commonly used weak passwords. The worm then drops a copy of itself in the admin share of the target.
Conficker then creates a remotely scheduled job to activate the copy.
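The password-guessing step above leaves a distinctive trail on the target: a burst of failed logons from one source host against many different usernames, sometimes followed by a success. The following added example (not code from the original article, and not Conficker's own code) shows how a defender can pick that pattern out of logon-audit records. The log format and the sample lines are constructed for the example; they mimic the shape of Windows 4625 (failed logon) and 4624 (successful logon) events but are not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows logon-audit events
# (4625 = failed logon, 4624 = successful logon). These are not real logs.
SAMPLE_EVENTS = [
    "2008-11-21T10:00:01Z 4625 src=10.0.0.5 user=administrator",
    "2008-11-21T10:00:02Z 4625 src=10.0.0.5 user=backup",
    "2008-11-21T10:00:02Z 4625 src=10.0.0.5 user=guest",
    "2008-11-21T10:00:03Z 4625 src=10.0.0.5 user=jsmith",
    "2008-11-21T10:00:04Z 4625 src=10.0.0.5 user=svc_sql",
    "2008-11-21T10:00:05Z 4624 src=10.0.0.5 user=jsmith",
    "2008-11-21T10:05:00Z 4625 src=10.0.0.9 user=jsmith",   # a normal typo
    "2008-11-21T10:05:30Z 4624 src=10.0.0.9 user=jsmith",
]


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, event_id, src, user = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "src": src.split("=", 1)[1],
        "user": user.split("=", 1)[1].lower(),
    }


def find_password_guessing(lines, min_users=4, window=timedelta(minutes=5)):
    """Flag source hosts whose failed logons hit at least `min_users`
    distinct accounts inside a sliding `window`, and record which
    accounts then logged on successfully from the same source.
    Returns {src: {"guessed": [...], "then_succeeded": [...]}}."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    failures = defaultdict(list)   # src -> [(time, user)] inside the window
    findings = {}
    for ev in events:
        src = ev["src"]
        if ev["event_id"] == 4625:
            failures[src].append((ev["time"], ev["user"]))
            # drop failures that have aged out of the window
            failures[src] = [(t, u) for t, u in failures[src]
                             if ev["time"] - t <= window]
            users = {u for _, u in failures[src]}
            if len(users) >= min_users:
                f = findings.setdefault(src, {"guessed": set(),
                                              "then_succeeded": set()})
                f["guessed"] |= users
        elif ev["event_id"] == 4624 and src in findings:
            # a success after a guessing burst is the higher-priority alert
            findings[src]["then_succeeded"].add(ev["user"])
    return {src: {k: sorted(v) for k, v in f.items()}
            for src, f in findings.items()}


if __name__ == "__main__":
    for src, detail in find_password_guessing(SAMPLE_EVENTS).items():
        print(src, detail)
```

A single failed logon from 10.0.0.9 is ignored, while 10.0.0.5 trips the threshold on its fourth distinct username and is then marked as having succeeded against `jsmith`. On a real estate the thresholds should be tuned against normal helpdesk and service-account behaviour before alerting on them.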
Conficker can also infect a computer through removable drives or USB drives. For that, it first copies itself to the drive using a random file name. It then changes the autorun.inf file so that an additional option, "Open folder to view files" with "Publisher not specified", is shown when the drive is connected to a computer. If a user does not notice the trick and selects that option, a copy of the worm starts running on the computer.
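The autorun.inf trick described above can be checked for before a removable drive is trusted. The following added example (not code from the original article) is a tolerant autorun.inf inspector: it parses the `[autorun]` section, skipping any junk lines, and flags entries whose `action` text mimics the built-in Explorer option, whose `open` or `shellexecute` entry launches a DLL (the article notes the worm is delivered as a DLL that cannot run standalone), or whose `icon` borrows the system folder icon. Both sample files are constructed for the example; the file name `payload_placeholder.dll` is a placeholder, not a real indicator.

```python
import re

# Constructed sample autorun.inf contents (not taken from a real infection).
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Driver CD
open=setup.exe
"""

SUSPICIOUS_AUTORUN = """[autorun]
action=Open folder to view files
icon=%systemroot%\\system32\\shell32.dll,4
@@junk line that a strict INI parser would choke on@@
shellexecute=rundll32.exe .\\RECYCLER\\payload_placeholder.dll,entry
useautoplay=1
"""

# Case-insensitive match for the text Explorer itself shows for a drive.
MIMIC_ACTION = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)


def parse_autorun(text):
    """Return {key: value} for key=value lines inside [autorun].
    Anything that is not key=value (padding, junk bytes) is skipped."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return a list of human-readable reasons the file looks deceptive;
    an empty list means nothing in it matched the checks."""
    e = parse_autorun(text)
    reasons = []
    if MIMIC_ACTION.search(e.get("action", "")):
        reasons.append("action text mimics the built-in 'Open folder to view files' option")
    launch = (e.get("open", "") + " " + e.get("shellexecute", "")).lower()
    if "rundll32" in launch or ".dll" in launch:
        reasons.append("launches a DLL instead of a standalone program")
    if "shell32.dll" in e.get("icon", "").lower():
        reasons.append("borrows the system folder icon from shell32.dll")
    return reasons


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, assess_autorun(text) or "no findings")
```

The check is deliberately heuristic: a vendor CD that launches `setup.exe` passes, while a file that combines an Explorer-lookalike action string with a DLL launch and a borrowed folder icon returns three independent reasons. Disabling AutoRun for removable media removes the attack surface entirely, which is the stronger control; the parser is useful for triage of drives that have already been plugged in.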
After infecting a computer, the Conficker worm generates a list of domain names using a randomization function seeded with the current UTC system date. All the infected machines try to connect to the same set of domain names for updates.
Signs and Symptoms of Infection:
Conficker and all of its variants do the following on an infected system:
- Modification of system settings
- Disabling of TCP/IP tuning
- Termination or disabling of the following Windows services:
  - Windows Security Service
  - Windows Auto Update, Background Intelligent Transfer Service (BITS)
  - Windows Defender
  - Windows Error Reporting Service
- Termination or disabling of third-party security services/software that deals with system security (anti-virus, firewalls, etc.)
- Resetting system restore points
- Deleting backup files
- Checking for internet connectivity and downloading arbitrary files
- Users will not be able to browse certain security-related websites whose URLs contain specific keywords and phrases
- Increase in traffic on port 445
- Access to administrator shared files is denied
- Sluggish response due to an increase in network traffic
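The port 445 symptom is visible at the network edge before any host-based tool is run: a worm scanning for further victims contacts far more distinct hosts on TCP 445 per day than the same machine normally does. The following added example (not code from the original article) builds a per-host baseline of distinct 445 destinations from earlier days and flags a host whose latest day's fan-out exceeds that baseline. The flow-summary format and sample lines are constructed for the example; the baseline parameters are assumptions to be tuned per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow-summary lines: "<day> <src> <dst> <dport>".
# 10.0.0.5 normally touches two file servers on 445; on 2008-11-21 it
# fans out to 41 distinct hosts. 10.0.0.7 has too little history to judge.
SAMPLE_FLOWS = [
    "2008-11-18 10.0.0.5 10.0.1.10 445",
    "2008-11-18 10.0.0.5 10.0.1.11 445",
    "2008-11-19 10.0.0.5 10.0.1.10 445",
    "2008-11-19 10.0.0.5 10.0.1.12 445",
    "2008-11-20 10.0.0.5 10.0.1.10 445",
    "2008-11-20 10.0.0.5 10.0.1.11 445",
    "2008-11-21 10.0.0.5 10.0.1.10 445",
    "2008-11-21 10.0.0.5 10.0.2.1 80",      # other ports are ignored
    "2008-11-21 10.0.0.7 10.0.1.10 445",
] + [f"2008-11-21 10.0.0.5 10.0.1.{i} 445" for i in range(20, 60)]


def smb_scan_suspects(lines, min_history=2, min_targets=20, sigma=3.0):
    """Return [(src, day, distinct_445_targets, threshold)] for hosts whose
    latest day's distinct-destination count on port 445 is both at least
    `min_targets` and above mean + sigma*stdev of the previous days.
    Hosts with fewer than `min_history` earlier days are skipped."""
    fanout = defaultdict(lambda: defaultdict(set))   # src -> day -> {dst}
    for line in lines:
        day, src, dst, dport = line.split()
        if dport == "445":
            fanout[src][day].add(dst)

    suspects = []
    for src, days in fanout.items():
        ordered = sorted(days)
        if len(ordered) < min_history + 1:
            continue                                  # not enough baseline
        *history, latest = ordered
        hist_counts = [len(days[d]) for d in history]
        today = len(days[latest])
        threshold = mean(hist_counts) + sigma * pstdev(hist_counts)
        if today >= min_targets and today > threshold:
            suspects.append((src, latest, today, round(threshold, 1)))
    return sorted(suspects)


if __name__ == "__main__":
    for src, day, targets, threshold in smb_scan_suspects(SAMPLE_FLOWS):
        print(f"{src} on {day}: {targets} distinct 445 targets (baseline {threshold})")
```

The absolute floor (`min_targets`) stops a host with a baseline of zero from being flagged for a single new connection, and the per-host baseline keeps genuine file servers and backup hosts, which legitimately talk to many machines on 445 every day, from appearing as scanners. A flagged host is a candidate for the service-state and admin-share checks listed above, not proof of infection.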
There are several Conficker removal tools available for download. Most Anti-Virus vendors have developed removal tools and/or provided instructions for removing Conficker and links to some of these are listed below:
- Microsoft’s Malicious Software Removal Tool
- Microsoft also has put together a manual procedure for removing the Conficker worm
How to Prevent Conficker Worm:
- Keep your system updated with the latest patches for your security software.
- The malware exploits security vulnerabilities of commonly used software to infect a computer. So, always keep your computer updated with recent security patches of all the commonly used software.
- Keep your Windows system updated with the latest security patches for the operating system.
- Turn on firewalls in the system.
- Use User Account Control (UAC) to limit user privileges, so that the worm cannot run with full access to the Windows system.