Conficker#Operation

{{short description|Computer worm}}

{{use dmy dates |date=October 2020}}

{{Infobox computer virus

| image = Conficker.svg

| Common name =

| technical_name = * Mal/Conficker-A (Sophos)

| Aliases =

| Family =

| Classification =

| Type = Worm

| Subtype =

| IsolationDate =

| OS = Windows 2000, Windows XP, Windows 2003 Server (SP2), Windows Vista, Windows 2008 Server{{cite web|url=https://support.microsoft.com/en-us/topic/virus-alert-about-the-win32-conficker-worm-73e7df59-ec59-d474-bbe8-1f06b7caef60|title=Virus alert about the Win32/Conficker worm|publisher=Microsoft}}

| Origin =

}}

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.{{citation|url = http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx|title = Protect yourself from the Conficker computer worm|publisher = Microsoft|date = 2009-04-09|access-date = 2009-04-28|archive-date = 27 June 2009|archive-url = https://web.archive.org/web/20090627012614/http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx|url-status = live}} It uses flaws in Windows OS software (MS08-067 / CVE-2008-4250){{Cite web |last=BetaFred |date=2023-06-08 |title=Microsoft Security Bulletin MS08-067 – Critical |url=https://learn.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067 |access-date=2023-09-07 |website=learn.microsoft.com}}{{Cite web |title=CVE – CVE-2008-4250 |url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 |access-date=2023-09-07 |website=cve.mitre.org}} and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques.{{cite news|url = https://www.nytimes.com/2009/08/27/technology/27compute.html|title = Defying Experts, Rogue Computer Code Still Lurks|work = The New York Times|date = 2009-08-26|access-date = 2009-08-27|first = John|last = Markoff|archive-date = 18 May 2017|archive-url = https://web.archive.org/web/20170518194901/http://www.nytimes.com/2009/08/27/technology/27compute.html|url-status = live}}{{citation|last=Bowden|first=Mark|title=The Enemy Within|date=June 2010|url=https://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/|author-link=Mark Bowden|publisher=The Atlantic|access-date=2010-05-15|archive-date=28 February 2012|archive-url=https://web.archive.org/web/20120228180715/http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/|url-status=live}} The 
Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.{{cite news|last = Markoff|first = John|author-link = John Markoff|title = Worm Infects Millions of Computers Worldwide|newspaper = The New York Times|date = 2009-01-22|url = https://nytimes.com/2009/01/23/technology/internet/23worm.html|access-date = 2009-04-23|archive-date = 25 February 2020|archive-url = https://web.archive.org/web/20200225070916/https://www.nytimes.com/2009/01/23/technology/internet/23worm.html|url-status = live}}

Despite its wide propagation, the worm did not do much damage, perhaps because its authors – believed to have been Ukrainian citizens – did not dare use it because of the attention it drew.{{Citation needed|date=January 2024}} Four men were arrested, and one pled guilty and was sentenced to four years in prison.

== Prevalence ==

Estimates of the number of infected computers were difficult because the virus changed its propagation and update strategy from version to version.{{citation|title = Experts bicker over Conficker numbers|date = 2009-04-15|access-date = 2009-04-23|magazine = Techworld|publisher = IDG|url = http://www.techworld.com/news/index.cfm?RSS&NewsID=114307|first = Robert|last = McMillan|archive-date = 16 April 2009|archive-url = https://web.archive.org/web/20090416043053/http://www.techworld.com/news/index.cfm?rss&newsid=114307|url-status = live}} In January 2009, the estimated number of infected computers ranged from almost 9 million{{cite news|url = http://news.bbc.co.uk/1/hi/technology/7832652.stm|title = Clock ticking on worm attack code|date = 2009-01-20|access-date = 2009-01-16|publisher = BBC News|archive-date = 16 January 2009|archive-url = https://web.archive.org/web/20090116204100/http://news.bbc.co.uk/1/hi/technology/7832652.stm|url-status = live}}{{cite web|title = Preemptive Blocklist and More Downadup Numbers|first = Sean|last = Sullivan|url = http://f-secure.com/weblog/archives/00001582.html|date = 2009-01-16|access-date = 2009-01-16|publisher = F-Secure|archive-date = 2 March 2009|archive-url = https://web.archive.org/web/20090302233124/http://www.f-secure.com/weblog/archives/00001582.html|url-status = live}}{{citation|url = http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview|title = Downadup Worm exposes millions of PCs to hijack|first = Barry|last = Neild|date = 2009-01-16|publisher = CNN|access-date = 2009-01-18|archive-date = 21 January 2009|archive-url = https://web.archive.org/web/20090121152237/http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview|url-status = live}} to 15 million.{{citation|url = http://upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206|title = Virus strikes 15 million PCs|publisher = UPI|date = 2009-01-26|access-date = 2009-03-25|archive-date = 2 April 
2009|archive-url = https://web.archive.org/web/20090402132901/http://www.upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206|url-status = live}} Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011.{{citation|title = Microsoft Security Intelligence Report: Volume 11|issue = 11|year = 2011|access-date = 2011-11-01|publisher = Microsoft|url = http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf|archive-date = 18 October 2011|archive-url = https://web.archive.org/web/20111018013506/http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf|url-status = live}}{{citation|title = Microsoft Security Intelligence Report: Volume 10|issue = 10|year = 2010|access-date = 2011-11-01|publisher = Microsoft|url = http://download.microsoft.com/download/6/0/5/605BE103-9429-4493-898B-E3D50AB68236/Microsoft_Security_Intelligence_Report_volume_10_July-Dec2010_English.pdf|archive-date = 6 October 2011|archive-url = https://web.archive.org/web/20111006200002/http://download.microsoft.com/download/6/0/5/605BE103-9429-4493-898B-E3D50AB68236/Microsoft_Security_Intelligence_Report_volume_10_July-Dec2010_English.pdf|url-status = live}} By mid-2015, the total number of infections had dropped to about 400,000,{{citation|url = https://www.zdnet.com/article/opening-up-a-can-of-worms-why-wont-conficker-just-die-die-die/|title = Opening up a can of worms: Why won't Conficker just die, die, die?|publisher = ZDNet|date = 2015-06-10|access-date = 2017-01-17|archive-date = 18 January 2017|archive-url = https://web.archive.org/web/20170118053116/http://www.zdnet.com/article/opening-up-a-can-of-worms-why-wont-conficker-just-die-die-die/|url-status = live}} and it was estimated to be 500,000 in 2019.

== History ==

=== Name ===

The origin of the name Conficker is thought to be a combination of the English term "configure" and the German pejorative term [https://en.m.wiktionary.org/wiki/Ficker#German Ficker] (English: [https://en.m.wiktionary.org/wiki/fucker fucker]).{{citation|first = Richard|last = Grigonis|url = http://ipcommunications.tmcnet.com/topics/ip-communications/articles/50562-microsofts-5000000-reward-the-conficker-worm-creators.htm|title = Microsoft's US$5 million Reward for the Conficker Worm Creators|publisher = IP Communications|date = 2009-02-13|access-date = 2009-04-01|archive-date = 16 February 2009|archive-url = https://web.archive.org/web/20090216141846/http://ipcommunications.tmcnet.com/topics/ip-communications/articles/50562-microsofts-5000000-reward-the-conficker-worm-creators.htm|url-status = live}} Microsoft analyst Joshua Phillips gives an alternative interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz{{citation|url = http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.a|title = Malware Protection Center – Entry: Worm:Win32/Conficker.A|first = Joshua|last = Phillips|access-date = 2009-04-01|publisher = Microsoft|archive-date = 18 June 2009|archive-url = https://web.archive.org/web/20090618151627/http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3AWin32%2FConficker.A|url-status = live}} (with the letter k, not found in the domain name, added as in "trafficker", to avoid a "soft" c sound), which was used by early versions of Conficker to download updates.

=== Discovery ===

The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta.{{cite web|url = http://gcn.com/Articles/2009/01/15/Conficker-worm-still-lurks.aspx|title = Conficker worm still wreaking havoc on Windows systems|publisher = Government Computer News|date = 2009-01-15|access-date = 2009-03-29|first = Jabulani|last = Leffall|archive-date = 20 February 2009|archive-url = https://web.archive.org/web/20090220133147/http://gcn.com/Articles/2009/01/15/Conficker-worm-still-lurks.aspx|url-status = live}} While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008, to close the vulnerability,{{citation|url = http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx|title = Microsoft Security Bulletin MS08-067 – Critical; Vulnerability in Server Service Could Allow Remote Code Execution (958644)|publisher = Microsoft Corporation|access-date = 2009-04-15|archive-date = 9 April 2010|archive-url = https://web.archive.org/web/20100409022434/http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx|url-status = live}} a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009.{{citation|last = Leyden|first = John|title = Three in 10 Windows PCs still vulnerable to Conficker exploit|publisher = The Register|date = 2009-01-19|url = http://theregister.co.uk/2009/01/19/conficker_worm_feed|access-date = 2009-01-20|archive-date = 1 April 2009|archive-url = https://web.archive.org/web/20090401173111/http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/|url-status = live}} A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through 
removable media and network shares.{{citation|title = The Downadup Codex|page = 32|chapter-url = http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf|chapter = Propagation by AutoPlay|first1 = Ben|last1 = Nahorney|first2 = John|last2 = Park|date = 2009-03-13|access-date = 2009-04-01|publisher = Symantec|archive-date = 24 September 2015|archive-url = https://web.archive.org/web/20150924121513/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf|url-status = live}} Researchers believe that these were decisive factors in allowing the virus to propagate quickly.

=== Impact in Europe ===

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.{{citation|title = French fighter planes grounded by computer worm|first = Kim|last = Willsher|url = http://telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html|work = The Daily Telegraph|date = 2009-02-07|access-date = 2009-04-01|location = London|archive-date = 10 March 2009|archive-url = https://web.archive.org/web/20090310010056/http://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html|url-status = live}}

The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.{{citation|url = http://theregister.co.uk/2009/01/20/mod_malware_still_going_strong|title = MoD networks still malware-plagued after two weeks|first = Chris|last = Williams|date = 2009-01-20|publisher = The Register|access-date = 2009-01-20|archive-date = 2 April 2009|archive-url = https://web.archive.org/web/20090402200753/http://www.theregister.co.uk/2009/01/20/mod_malware_still_going_strong/|url-status = live}}{{citation|url = http://theregister.co.uk/2009/01/20/sheffield_conficker|title = Conficker seizes city's hospital network|first = Chris|last = Williams|date = 2009-01-20|publisher = The Register|access-date = 2009-01-20|archive-date = 2 April 2009|archive-url = https://web.archive.org/web/20090402200758/http://www.theregister.co.uk/2009/01/20/sheffield_conficker/|url-status = live}}

On 2 February 2009, the Bundeswehr, the unified armed forces of Germany, reported that about one hundred of its computers were infected.{{citation|title = Conficker-Wurm infiziert hunderte Bundeswehr-Rechner|url = http://www.pc-professionell.de/news/2009/02/16/conficker_wurm_infiziert_hunderte_bundeswehr_rechner|date = 2009-02-16|access-date = 2009-04-01|publisher = PC Professionell|language = de|archive-url = https://web.archive.org/web/20090321171256/http://www.pc-professionell.de/news/2009/02/16/conficker_wurm_infiziert_hunderte_bundeswehr_rechner|archive-date = 2009-03-21|url-status = dead}}

An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for the initial infection.{{cite news|url = https://www.theregister.co.uk/2009/07/01/conficker_council_infection/|title = Conficker left Manchester unable to issue traffic tickets|work = The Register|first = John|last = Leyden|date = 1 July 2009|access-date = 10 August 2017|archive-date = 10 August 2017|archive-url = https://web.archive.org/web/20170810132839/https://www.theregister.co.uk/2009/07/01/conficker_council_infection/|url-status = live}}

A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network.{{citation|url = http://theregister.co.uk/2009/03/27/conficker_parliament_infection|title = Leaked memo says Conficker pwns Parliament|first = John|last = Leyden|publisher = The Register|date = 2009-03-27|access-date = 2009-03-29|archive-date = 17 December 2021|archive-url = https://web.archive.org/web/20211217231734/https://www.theregister.com/2009/03/27/conficker_parliament_infection|url-status = live}}

In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.{{cite news|url = http://news.bbc.co.uk/1/hi/england/manchester/8492669.stm|title = Conficker virus hits Manchester Police computers|date = 2010-02-02|publisher = BBC News|access-date = 2010-02-02|archive-date = 17 December 2021|archive-url = https://web.archive.org/web/20211217231734/http://news.bbc.co.uk/2/hi/uk_news/england/manchester/8492669.stm|url-status = live}}

== Operation ==

Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus's combined use of so many has made it unusually difficult to eradicate.{{citation|title = The Downadup Codex|page = 2|chapter-url = http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf|chapter = Propagation by AutoPlay|first1 = Ben|last1 = Nahorney|first2 = John|last2 = Park|date = 2009-03-13|access-date = 2009-04-01|publisher = Symantec|archive-date = 24 September 2015|archive-url = https://web.archive.org/web/20150924121513/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf|url-status = live}} The virus's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus's own vulnerabilities.{{citation|title = Computer Experts Unite to Hunt Worm|url = https://www.nytimes.com/2009/03/19/technology/19worm.html?_r=1&ref=us|work = The New York Times|date = 2009-03-19|access-date = 2009-03-29|first = John|last = Markoff|author-link = John Markoff|archive-date = 4 December 2016|archive-url = https://web.archive.org/web/20161204124458/http://www.nytimes.com/2009/03/19/technology/19worm.html?_r=1&ref=us|url-status = live}}{{citation |url=http://mtc.sri.com/Conficker/ |title=An Analysis of Conficker |author1=Phillip Porras |author2=Hassen Saidi |author3=Vinod Yegneswaran |publisher=SRI International |date=2009-03-19 |access-date=2009-03-29 |url-status=dead |archive-url=https://web.archive.org/web/20090214153502/http://mtc.sri.com/Conficker/ |archive-date=2009-02-14 }}

Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.{{citation|title = Microsoft Malware Protection Center: Information about Worm:Win32/Conficker.D|url = http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx|date = 2009-03-27|access-date = 2009-03-30|first1 = Vincent|last1 = Tiu|publisher = Microsoft|archive-url = https://web.archive.org/web/20090331043154/http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx|archive-date = 2009-03-31|url-status = dead}}{{citation|title = DOWNAD/Conficker Watch: New Variant in The Mix?|url = http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/|date = 2009-04-07|access-date = 2009-04-07|first1 = Ivan|last1 = Macalintal|first2 = Joseph|last2 = Cepe|first3 = Paul|last3 = Ferguson|publisher = Trend Micro|archive-url = https://web.archive.org/web/20100131064510/http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/|archive-date = 2010-01-31|url-status = dead}} The Conficker Working Group (CWG) uses the names A, B, B++, C and E for the same variants, respectively; thus CWG B++ is equivalent to Microsoft's C, and CWG C is equivalent to Microsoft's D.

{| class="wikitable" style="font-size: 95%"
! Variant
! Detection date
! Infection vectors
! Update propagation
! Self-defense
! End action
|-
| Conficker A
| 2008-11-21
|
* NetBIOS
** Exploits MS08-067 vulnerability in Server service
|
* HTTP pull
** Downloads from {{mono|trafficconverter.biz}}
** Downloads daily from any of 250 pseudorandom domains over 5 TLDs{{citation|url = https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=cd5067d0-55e0-41ee-a708-d612ec1a39a5&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|title = W32.Downadup.C Pseudo-Random Domain Name Generation|first = John|last = Park|date = 2009-03-27|access-date = 2009-04-01|publisher = Symantec|archive-date = 16 March 2018|archive-url = https://web.archive.org/web/20180316084753/https://www.symantec.com/connect/blogs/w32downadupc-pseudo-random-domain-name-generation|url-status = live}}
| None
|
* Updates self to Conficker B, C or D{{cite web|title = Connecting The Dots: Downadup/Conficker Variants|first = Ben|last = Nahorney|publisher = Symantec|date = 2009-04-21|access-date = 2009-04-25|url = https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=4c2432ed-2fd7-492d-a188-5e6609350439&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|archive-date = 14 December 2009|archive-url = https://web.archive.org/web/20091214110036/http://www.symantec.com/connect/blogs/connecting-dots-downadupconficker-variants|url-status = live}}
|-
| Conficker B
| 2008-12-29
|
* NetBIOS
** Exploits MS08-067 vulnerability in Server service
** Dictionary attack on {{mono|ADMIN$}} shares{{citation|title = Downadup: Locking Itself Out|first = Eric|last = Chien|url = https://forums2.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837|archive-url = https://archive.today/20121217181137/https://forums2.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837|url-status = dead|archive-date = 2012-12-17|date = 2009-02-18|access-date = 2009-04-03|publisher = Symantec}}
* Removable media
** Creates DLL-based AutoRun trojan on attached removable drives
|
* HTTP pull
** Downloads daily from any of 250 pseudorandom domains over 8 TLDs
* NetBIOS push
** Patches MS08-067 to open reinfection backdoor in Server service{{citation|first = Eric|last = Chien|title = Downadup: Peer-to-Peer Payload Distribution|url = https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227|archive-url = https://archive.today/20121217183840/https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227|url-status = dead|archive-date = 2012-12-17|date = 2009-01-19|access-date = 2009-04-01|publisher = Symantec}}{{citation|url = http://www.honeynet.org/files/KYE-Conficker.pdf|title = Know Your Enemy: Containing Conficker|date = 2009-04-07|access-date = 2009-04-13|first1 = Felix|last1 = Leder|first2 = Tillmann|last2 = Werner|publisher = HoneyNet Project|archive-url = https://web.archive.org/web/20100612235910/http://honeynet.org/files/KYE-Conficker.pdf|archive-date = 2010-06-12|url-status = dead}}
|
* Blocks certain DNS lookups
* Disables AutoUpdate
|
* Updates self to Conficker C or D
|-
| Conficker C
| 2009-02-20
|
* NetBIOS
** Exploits MS08-067 vulnerability in Server service
** Dictionary attack on {{mono|ADMIN$}} shares
* Removable media
** Creates DLL-based AutoRun trojan on attached removable drives
|
* HTTP pull
** Downloads daily from 500 of 50,000 pseudorandom domains over 8 TLDs
* NetBIOS push
** Patches MS08-067 to open reinfection backdoor in Server service
** Creates named pipe to receive URL from remote host, then downloads from URL
|
* Blocks certain DNS lookups
* Disables AutoUpdate
|
* Updates self to Conficker D
|-
| Conficker D
| 2009-03-04
| None
|
* HTTP pull
** Downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs
* P2P push/pull
** Uses custom protocol to scan for infected peers via UDP, then transfer via TCP{{citation|url = https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331#A253|archive-url = https://archive.today/20121217181900/https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331%23A253|url-status = dead|archive-date = 2012-12-17|title = W32.Downadup.C Bolsters P2P|publisher = Symantec|date = 2009-03-20|access-date = 2009-04-01}}
|
* Blocks certain DNS lookups{{citation|url = http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2|title = W32.Downadup.C Technical Details|first1 = Ka Chun|last1 = Leung|first2 = Sean|last2 = Kiernan|date = 2009-04-06|access-date = 2009-04-10|archive-date = 2 April 2009|archive-url = https://web.archive.org/web/20090402123722/http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2|url-status = dead}}
** Does an in-memory patch of {{mono|DNSAPI.DLL}} to block lookups of anti-malware related web sites
* Disables Safe Mode
* Disables AutoUpdate
* Kills anti-malware
** Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals{{citation |url=http://mtc.sri.com/Conficker/ |title=An Analysis of Conficker C (draft) |first1=Phillip |last1=Porras |first2=Hassen |last2=Saidi |first3=Vinod |last3=Yegneswaran |publisher=SRI International |date=2009-03-19 |access-date=2009-03-29 |url-status=dead |archive-url=https://web.archive.org/web/20090214153502/http://mtc.sri.com/Conficker/ |archive-date=2009-02-14 }}
|
* Downloads and installs Conficker E
|-
| Conficker E
| 2009-04-07
|
* NetBIOS
** Exploits MS08-067 vulnerability in Server service{{citation|url = https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465|archive-url = https://archive.today/20121217175903/https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465|url-status = dead|archive-date = 2012-12-17|title = W32.Downadup.E—Back to Basics|first = Patrick|last = Fitzgerald|date = 2009-04-09|access-date = 2009-04-10|publisher = Symantec}}
|
* NetBIOS push
** Patches MS08-067 to open reinfection backdoor in Server service
* P2P push/pull
** Uses custom protocol to scan for infected peers via UDP, then transfer via TCP
|
* Blocks certain DNS lookups
* Disables AutoUpdate
* Kills anti-malware
** Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals{{citation|title = Virus Encyclopedia: Worm:Win32/Conficker.E|url = http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Conficker.E#tab=2|first = Aaron|last = Putnam|publisher = Microsoft|access-date = 2015-02-15|archive-date = 18 November 2016|archive-url = https://web.archive.org/web/20161118030416/https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3aWin32%2fConficker.E#tab=2|url-status = live}}
|
* Updates local copy of Conficker C to Conficker D{{citation|title = The Downadup Codex|page = 47|chapter-url = http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf|chapter = Connecting The Dots: Downadup/Conficker Variants|edition = 2.0|first1 = Ben|last1 = Nahorney|first2 = John|last2 = Park|date = 2009-04-21|access-date = 2009-06-19|publisher = Symantec|archive-date = 12 March 2014|archive-url = https://web.archive.org/web/20140312023112/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf|url-status = live}}
* Downloads and installs malware payload:
** Waledac spambot
** SpyProtect 2009 scareware{{citation|url = http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9131380|title = Conficker cashes in, installs spam bots and scareware|publisher = Computerworld|date = 2009-04-09|access-date = 2009-04-10|first = Gregg|last = Keizer|archive-url = https://web.archive.org/web/20090417165448/http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9131380|archive-date = 2009-04-17|url-status = dead}}
* Removes self on 3 May 2009 (but leaves remaining copy of Conficker D){{citation|title = W32.Downadup.E Technical Details|url = http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99&tabid=2|publisher = Symantec|date = 2009-04-10|access-date = 2009-04-10|first1 = Kachun|last1 = Leung|first2 = Yana|last2 = Liu|first3 = Sean|last3 = Kiernan|archive-date = 16 April 2009|archive-url = https://web.archive.org/web/20090416063649/http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99&tabid=2|url-status = dead}}
|}

=== Initial infection ===

* Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially crafted RPC request to force a buffer overflow and execute shellcode on the target computer.{{citation|url = http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250|title = Cve-2008-4250|publisher = Common Vulnerabilities and Exposures, Department of Homeland Security|date = 2008-06-04|access-date = 2009-03-29|archive-url = https://web.archive.org/web/20130113193659/http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250|archive-date = 2013-01-13|url-status = dead}} On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or Windows Explorer process. Attaching to those processes might be detected by the application trust feature of an installed firewall.
* Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.{{cite web|url=http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/|title=Passwords used by the Conficker worm|publisher=Sophos|access-date=2009-01-16|archive-url=https://web.archive.org/web/20090121200846/http://sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm|archive-date=2009-01-21|url-status=dead}}
* Variants B and C place a copy of their DLL form in the recycle.bin of any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism using a manipulated autorun.inf.

To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system or system32 folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.

=== Payload propagation ===

The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware.

  • Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
  • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
  • To counter the virus's use of pseudorandom domain names, Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains.{{citation|title=Microsoft Collaborates With Industry to Disrupt Conficker Worm|date=2009-02-12|access-date=2009-04-01|first=Andrew|last=Robertson|publisher=ICANN|url=http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm|archive-date=19 March 2009|archive-url=https://web.archive.org/web/20090319054818/http://icann.org/en/announcements/announcement-2-12feb09-en.htm|url-status=live}} Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8–11 to 4–9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1, 2009) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus's peer-to-peer network. The shorter generated names, however, are expected to collide with 150–200 existing domains per day, potentially causing a distributed denial-of-service attack (DDoS) on sites serving those domains. However the large number of generated domains and the fact that not every domain will be contacted for a given day will probably prevent DDoS situations.{{citation|title=Containing Conficker|url=http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/|first1=Felix|last1=Leder|first2=Tillmann|last2=Werner|date=2009-04-02|access-date=2009-04-03|publisher=Institute of Computer Science, University of Bonn|archive-date=3 April 2009|archive-url=https://web.archive.org/web/20090403062623/http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/|url-status=live}}
  • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
  • Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
  • Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.

=== Armoring ===

To prevent payloads from being hijacked, variant A payloads are first SHA-1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key. The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits. Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.
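The verification flow just described, modelled as an added example (this is illustration code, not code from the article or from any published Conficker analysis). The hash of the payload is both the RC4 key and the value that gets RSA-signed, so a recipient recovers the hash from the signature with the embedded public key, decrypts, re-hashes and accepts only on a match. Anyone without the private key cannot produce a signature that yields a usable key, which is why a hijacked or tampered payload is rejected before it is executed. Assumptions are marked in the code: two fixed Mersenne primes stand in for a real 1024-bit modulus, RSA is textbook (unpadded, with message recovery), and SHA-1 is used as in variant A rather than MD6.

```python
"""Model of the payload-protection scheme described for Conficker A.
Toy key sizes and textbook RSA: for illustration of the flow only."""
import hashlib


# --- RC4 stream cipher (encryption and decryption are the same operation) ---
def rc4(key: bytes, data: bytes) -> bytes:
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- Toy RSA key pair (ASSUMPTION: fixed known primes, ~234-bit modulus) ----
P = (1 << 127) - 1                   # Mersenne prime 2^127 - 1
Q = (1 << 107) - 1                   # Mersenne prime 2^107 - 1
N = P * Q                            # large enough to hold a 160-bit SHA-1 value
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent
PUBLIC_KEY = (N, E)                  # what the worm binary would embed
PRIVATE_KEY = (N, D)                 # what only the payload author holds


def package_payload(payload: bytes, private_key):
    """Author side: H = SHA-1(payload); RC4-encrypt under H; RSA-sign H."""
    n, d = private_key
    digest = hashlib.sha1(payload).digest()
    ciphertext = rc4(digest, payload)
    signature = pow(int.from_bytes(digest, "big"), d, n)   # textbook RSA sign
    return ciphertext, signature


def verify_and_unpack(ciphertext: bytes, signature: int, public_key):
    """Recipient side: recover H from the signature, decrypt with H, and
    accept only if the plaintext really hashes to H. Returns None on failure."""
    n, e = public_key
    recovered = pow(signature, e, n)
    if recovered.bit_length() > 160:          # cannot be a SHA-1 digest
        return None
    digest = recovered.to_bytes(20, "big")
    plaintext = rc4(digest, ciphertext)
    if hashlib.sha1(plaintext).digest() != digest:
        return None
    return plaintext


def demo():
    """Genuine payload passes; a tampered or unsigned one is rejected."""
    payload = b"constructed sample payload bytes"   # constructed, not real
    ct, sig = package_payload(payload, PRIVATE_KEY)
    genuine = verify_and_unpack(ct, sig, PUBLIC_KEY)
    # Hijack attempt 1: a byte of the ciphertext is changed in transit
    tampered = verify_and_unpack(bytes([ct[0] ^ 1]) + ct[1:], sig, PUBLIC_KEY)
    # Hijack attempt 2: a substitute payload "signed" without the private key
    evil = b"substitute payload"
    evil_digest = hashlib.sha1(evil).digest()
    forged = verify_and_unpack(rc4(evil_digest, evil),
                               int.from_bytes(evil_digest, "big"), PUBLIC_KEY)
    return {"valid": genuine == payload,
            "tampered_rejected": tampered is None,
            "forged_rejected": forged is None}


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that decryption cannot even start until the signature has been verified, because the key is only obtainable through the public-key operation; a defender who sinkholes a rendezvous domain can therefore observe the pull traffic but cannot feed the botnet a payload of their own.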

=== Self-defense ===

The DLL form of the virus is protected against deletion by setting its ownership to "SYSTEM", which prevents deletion even by a user with administrator privileges. The virus stores a backup copy of this DLL disguised as a .jpg image in the Internet Explorer cache of the network service user.

Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.{{citation|url = http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=77976|publisher = CA|date = 2009-03-11|access-date = 2009-03-29|title = Win32/Conficker.C|archive-date = 29 March 2009|archive-url = https://web.archive.org/web/20090329101157/http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=77976|url-status = live}} Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.{{citation|url = http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.D|title = Malware Protection Center – Entry: Worm:Win32/Conficker.D|publisher = Microsoft|access-date = 2009-03-30|archive-date = 2 June 2009|archive-url = https://web.archive.org/web/20090602040455/http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3AWin32%2FConficker.D|url-status = live}} An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.

=== End action ===

Variant E of the virus was the first to use its base of infected computers for an ulterior purpose. It downloads and installs, from a web server hosted in Ukraine, two additional payloads:{{citation|title = Conficker Worm Awakens, Downloads Rogue Anti-virus Software|first = Brian|last = Krebs|date = 2009-04-10|access-date = 2009-04-25|newspaper = The Washington Post|url = http://voices.washingtonpost.com/securityfix/2009/04/conficker_worm_awakens_downloa.html|archive-date = 15 May 2011|archive-url = https://web.archive.org/web/20110515191345/http://voices.washingtonpost.com/securityfix/2009/04/conficker_worm_awakens_downloa.html|url-status = dead}}

  • Waledac, a spambot otherwise known to propagate through e-mail attachments.{{citation|url = http://symantec.com/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2|title = W32.Waledac Technical Details|first = Liam|last = O'Murchu|access-date = 2009-04-10|date = 2008-12-23|publisher = Symantec|archive-date = 22 April 2009|archive-url = https://web.archive.org/web/20090422172425/http://www.symantec.com/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2|url-status = dead}} Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.{{citation|title = Storm Botnet Makes A Comeback|first = Kelly Jackson|last = Higgins|date = 2009-01-14|access-date = 2009-04-11|publisher = DarkReading|url = http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212900543|archive-date = 4 February 2009|archive-url = https://web.archive.org/web/20090204220506/http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212900543|url-status = live}}{{citation|title = Waledac – Guess which one is for you?|first = Peter|last = Coogan|date = 2009-01-23|access-date = 2009-04-11|url = https://forums2.symantec.com/t5/Malicious-Code/Waledac-Guess-which-one-is-for-you/ba-p/382056|archive-url = https://archive.today/20121217182443/https://forums2.symantec.com/t5/Malicious-Code/Waledac-Guess-which-one-is-for-you/ba-p/382056|url-status = dead|archive-date = 2012-12-17|publisher = Symantec}}
  • SpyProtect 2009, a scareware rogue antivirus product.{{citation|url = http://www.viruslist.com/en/weblog?weblogid=208187654|first = Aleks|last = Gostev|publisher = Kaspersky Lab|date = 2009-04-09|access-date = 2009-04-13|title = The neverending story|archive-date = 5 February 2010|archive-url = https://web.archive.org/web/20100205232032/http://www.viruslist.com/en/weblog?weblogid=208187654|url-status = live}}

== Symptoms ==

Symptoms of a Conficker infection include:

  • Account lockout policies being reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
  • Domain controllers responding slowly to client requests.
  • Congestion on local area networks (ARP flood as consequence of network scan).
  • Web sites related to antivirus software or the Windows Update service becoming inaccessible.{{cite web|url=http://support.microsoft.com/kb/962007|title=Virus alert about the Win32/Conficker.B worm|date=2009-01-15|publisher=Microsoft|access-date=2009-01-22|archive-date=22 January 2009|archive-url=https://web.archive.org/web/20090122181135/http://support.microsoft.com/kb/962007|url-status=live}}
  • User accounts locked out.{{cite web|url=https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Conficker|title=Virusencyclopedie: Worm:Win32/Conficker.B|publisher=Microsoft|access-date=2009-08-03|archive-date=18 May 2017|archive-url=https://web.archive.org/web/20170518033700/http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FConficker|url-status=live}}

== Response ==

On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.{{citation|url = http://blogs.zdnet.com/security/?p=2572|title = Microsoft announces industry alliance, $250k reward to combat Conficker|first = Adam|last = O'Donnell|publisher = ZDNet|date = 2009-02-12|access-date = 2009-04-01|archive-date = 19 March 2009|archive-url = https://web.archive.org/web/20090319064445/http://blogs.zdnet.com/security/?p=2572|url-status = dead}}

=== From Microsoft ===

{{Update|inaccurate=yes|date=March 2012}}

On 13 February 2009, Microsoft offered a $USD250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.{{citation|url = http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases|archive-url = https://web.archive.org/web/20090215030330/http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases|url-status = dead|archive-date = 2009-02-15|title = Microsoft Collaborates With Industry to Disrupt Conficker Worm (Microsoft offers $250,000 reward for Conficker arrest and conviction.)|publisher = Microsoft|date = 2009-02-12|access-date = 2009-09-22}}

=== From registries ===

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus's domain generator. Those which have taken action include:

  • On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.{{citation|url = http://www.nic.cl/anuncios/2009-03-31.html|title = NIC Chile participa en esfuerzo mundial en contra del gusano Conficker|date = 2009-03-31|access-date = 2009-03-31|publisher = NIC Chile|language = es|archive-url = https://web.archive.org/web/20090408064117/http://nic.cl/anuncios/2009-03-31.html|archive-date = 2009-04-08|url-status = dead}}
  • On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously unregistered .ca domain names expected to be generated by the virus over the next 12 months.{{citation|url = http://cira.ca/pr-conficker-c|title = CIRA working with international partners to counter Conficker C|publisher = CIRA|date = 2009-03-24|access-date = 2009-03-31|archive-url = https://web.archive.org/web/20090429124853/http://cira.ca/pr-conficker-c|archive-date = 2009-04-29|url-status = dead}}
  • On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group.{{citation|url = http://www.nic.pa/paginas/anuncio1.php?numero=6|title = NIC-Panama colabora en esfuerzo mundial en contra del Gusano Conficker.|date = 2009-03-27|access-date = 2009-03-27|publisher = NIC-Panama|language = es|archive-url = https://web.archive.org/web/20110727232001/http://www.nic.pa/paginas/anuncio1.php?numero=6|archive-date = 2011-07-27|url-status = dead}}
  • On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."{{citation|url = http://switch.ch/about/news/2009/conficker.html|title = SWITCH taking action to protect against the Conficker computer worm|publisher = SWITCH|date = 2009-03-30|access-date = 2009-04-01|first = Marco|last = D'Alessandro|archive-date = 2 April 2009|archive-url = https://web.archive.org/web/20090402195140/http://www.switch.ch/about/news/2009/conficker.html|url-status = live}}
  • On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the virus over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.{{citation|url = http://webhosting.pl/Jak.dziala.Conficker|title = Jak działa Conficker?|first = Andrzej|last = Bartosiewicz|date = 2009-03-31|access-date = 2009-03-31|publisher = Webhosting.pl|language = pl|archive-url = https://web.archive.org/web/20110725144151/http://webhosting.pl/Jak.dziala.Conficker|archive-date = 2011-07-25|url-status = dead}}
  • On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the virus.

By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.{{citation|url = http://www.digitalthreat.net/?p=38|first = Jago|last = Maniscalchi|title = Conficker.A DNS Rendezvous Analysis|publisher = Digital Threat|date = 2009-06-07|access-date = 2009-06-26|archive-date = 16 August 2009|archive-url = https://web.archive.org/web/20090816234755/http://www.digitalthreat.net/?p=38|url-status = live}}

== Origin ==

Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus's internals to avoid tipping off its authors.{{citation|url = http://www.networkworld.com/news/2009/073109-black-hat-conficker-talk.html|first = Tim|last = Greene|title = Conficker talk sanitized at Black Hat to protect investigation|publisher = Network World|date = 2009-07-31|access-date = 2009-12-28|archive-url = https://web.archive.org/web/20100127181001/http://www.networkworld.com/news/2009/073109-black-hat-conficker-talk.html|archive-date = 2010-01-27|url-status = dead}} An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. The payload of Conficker.E was downloaded from a host in Ukraine.

In 2015, Phil Porras, Vinod Yegneswaran and Hassan Saidi – who were the first to detect and reverse-engineer Conficker – wrote in the Journal of Sensitive Cyber Research and Engineering, a classified, peer-reviewed U.S. government cybersecurity publication, that they tracked the malware to a group of Ukrainian cybercriminals. Porras et al. believed that the criminals abandoned Conficker after it had spread much more widely than they assumed it would, reasoning that any attempt to use it would draw too much attention from law enforcement worldwide. This explanation is widely accepted in the cybersecurity field.{{cite news |last1=Bowden |first1=Mark |title=The Worm That Nearly Ate the Internet |url=https://www.nytimes.com/2019/06/29/opinion/sunday/conficker-worm-ukraine.html |access-date=30 June 2019 |work=The New York Times |date=29 June 2019 |archive-date=30 June 2019 |archive-url=https://web.archive.org/web/20190630000204/https://www.nytimes.com/2019/06/29/opinion/sunday/conficker-worm-ukraine.html |url-status=live }}

In 2011, working with the FBI, Ukrainian police arrested three Ukrainians in relation to Conficker, but there are no records of them being prosecuted or convicted. A Swede, Mikael Sallnert, was sentenced to 48 months in prison in the U.S. after a guilty plea.

== Removal and detection ==

Because the virus files are locked against deletion while the system is running, manual or automatic removal has to be performed during the boot process or from an external system. Deleting any existing backup copy is a crucial step.

Microsoft released a removal guide for the virus, and recommended using the current release of its Windows Malicious Software Removal Tool{{citation|url = http://www.microsoft.com/security/malwareremove/default.mspx|title = Malicious Software Removal Tool|publisher = Microsoft|date = 2005-01-11|access-date = 2009-03-29|archive-date = 7 November 2012|archive-url = https://web.archive.org/web/20121107053531/http://www.microsoft.com/security/malwareremove/default.mspx/|url-status = live}} to remove the virus, then applying the patch to prevent re-infection.{{citation|url = http://microsoft.com/protect/computer/viruses/worms/conficker.mspx|title = Protect yourself from the Conficker computer worm|date = 2009-03-27|publisher = Microsoft|access-date = 2009-03-30|archive-url = https://web.archive.org/web/20090403055100/http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx|archive-date = 2009-04-03|url-status = dead}} Newer versions of Windows are immune to Conficker.

=== Third-party software ===

Many third-party anti-virus software vendors have released detection updates to their products and claim to be able to remove the worm. The malware's evolution shows some adaptation to common removal software, so it is likely that some tools remove or at least disable some variants, while others remain active or, even worse, present a false positive to the removal software and become active again on the next reboot.

=== Automated remote detection ===

On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely. The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered, allowing researchers to imitate the virus network's command packets and positively identify infected computers en masse.{{citation|url = http://www.skullsecurity.org/blog/?p=230|publisher = SkullSecurity|first = Ron|last = Bowes|date = 2009-04-21|access-date = 2009-04-25|title = Scanning for Conficker's peer to peer|archive-date = 24 April 2009|archive-url = https://web.archive.org/web/20090424100501/http://www.skullsecurity.org/blog/?p=230|url-status = live}}{{citation|title = W32.Downadup P2P Scanner Script for Nmap|publisher = Symantec|date = 2009-04-22|access-date = 2009-04-25|url = https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519#A266|archive-url = https://archive.today/20121217182318/https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519%23A266|url-status = dead|archive-date = 2012-12-17}}

Signature updates for a number of network scanning applications are now available.{{citation|url = http://www.skullsecurity.org/blog/?p=209|title = Scanning for Conficker with Nmap|date = 2009-03-30|publisher = SkullSecurity|access-date = 2009-03-31|first = Ronald|last = Bowes|archive-date = 2 April 2009|archive-url = https://web.archive.org/web/20090402041156/http://www.skullsecurity.org/blog/?p=209|url-status = live}}{{citation|url = http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html|title = Updated Conficker Detection Plugin Released|date = 2009-04-01|access-date = 2009-04-02|first = Paul|last = Asadoorian|publisher = Tenable Security|archive-url = https://web.archive.org/web/20100926002228/http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html|archive-date = 2010-09-26|url-status = dead}}

It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.
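The passive approach above, together with the "ARP flood as consequence of network scan" symptom listed earlier, as an added example (this is not code from the article or from any of the cited scanners). A host scanning its segment for MS08-067 targets has to resolve many neighbours in a short time, so it emits ARP "who-has" requests for many distinct IP addresses from a single sender; ordinary hosts repeat requests for one or two addresses (typically the gateway). The detector below parses `tcpdump -n`-style ARP output and flags any sender that asks for at least a threshold number of distinct targets inside a sliding time window. The log lines are constructed, and the window and threshold are assumptions suited to a small /24 segment.

```python
"""Passive ARP-scan detector over tcpdump-style ARP request lines.
Sample log lines are constructed; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump -n output: "12:00:01.000123 ARP, Request who-has 10.0.0.5 tell 10.0.0.17, length 28"
ARP_REQ = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\.(\d{6}) ARP, Request who-has (\S+) tell (\S+),")


def parse_arp_requests(lines):
    """Yield (timestamp, target_ip, sender_ip) for each ARP request line.
    ARP replies and non-ARP lines are ignored."""
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue
        hms, usec, target, sender = m.groups()
        ts = datetime.strptime(hms, "%H:%M:%S") + timedelta(microseconds=int(usec))
        yield ts, target, sender


def detect_arp_scanners(lines, window=timedelta(seconds=10), min_targets=30):
    """Return {sender_ip: distinct_targets_in_worst_window} for every sender
    that requested at least `min_targets` distinct IPs within any `window`.
    Repeated requests for the same target (normal gateway chatter) count once."""
    per_sender = defaultdict(list)
    for ts, target, sender in parse_arp_requests(lines):
        per_sender[sender].append((ts, target))

    flagged = {}
    for sender, events in per_sender.items():
        events.sort()
        worst, start = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({t for _, t in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= min_targets:
            flagged[sender] = worst
    return flagged


def constructed_log():
    """Constructed capture: benign gateway lookups plus one scanning host."""
    lines = []
    # Benign: 10.0.0.2 resolves the gateway three times (one distinct target)
    for i in range(3):
        lines.append(f"12:00:0{i}.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28")
        lines.append(f"12:00:0{i}.000500 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28")
    # Scanner: 10.0.0.17 asks for 40 distinct neighbours within one second
    for k in range(1, 41):
        lines.append(f"12:00:05.{(k % 10) * 100000:06d} ARP, Request who-has "
                     f"10.0.0.{k + 100} tell 10.0.0.17, length 28")
    return lines


if __name__ == "__main__":
    for sender, count in detect_arp_scanners(constructed_log()).items():
        print(f"possible ARP scan from {sender}: {count} distinct targets")
```

On a real segment the input would come from `tcpdump -n -l arp` piped into the script; the thresholds should be tuned against a baseline of the segment's normal ARP rate, and a flagged host is a candidate for the active checks described above rather than a confirmed infection.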

=== US CERT ===

The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledge base article KB967715,{{cite web|url=http://support.microsoft.com/kb/967715|title=How to disable the Autorun functionality in Windows|publisher=Microsoft|date=2009-03-27|access-date=2009-04-15|archive-date=3 March 2015|archive-url=https://web.archive.org/web/20150303131451/http://support.microsoft.com/kb/967715|url-status=live}} US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively.{{citation|url = http://www.us-cert.gov/cas/techalerts/TA09-020A.html|title = Technical Cyber Security Alert TA09-020A: Microsoft Windows Does Not Disable AutoRun Properly|date = 2009-01-29|publisher = US-CERT|access-date = 2009-02-16|archive-date = 24 February 2009|archive-url = https://web.archive.org/web/20090224052336/http://www.us-cert.gov/cas/techalerts/TA09-020A.html|url-status = live}} US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.{{citation|url = https://www.dhs.gov/ynews/releases/pr_1238443907751.shtm|title = DHS Releases Conficker/Downadup Computer Worm Detection Tool|publisher = Department of Homeland Security|date = 2009-03-30|access-date = 2009-04-01|archive-date = 5 August 2012|archive-url = https://web.archive.org/web/20120805074844/http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm|url-status = live}}

== See also ==

== References ==

{{Reflist}}