Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system.[1] The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.[2] Linux and Macintosh systems are unaffected, as the worm only targets Windows software.
Origin of name
The name "Conficker" is a German pun, meaning "program that manipulates the configuration," and pronounced like the English word "configure." "Configuration" is typically abbreviated "config." Conficker is constructed from the first five letters of "configuration," while adding four letters to the end so as to end with "ficker", a vulgar nominalized form of the German transitive verb ficken, which is common German for the English "fuck".
Operation
The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.
When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, from which it receives further orders to propagate, gather personal information, and download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.
Payload
The A variant of Conficker creates an HTTP server on a random port between 1024 and 10000. If a remote machine is exploited successfully, the victim connects back to that HTTP server and downloads a copy of the worm. The variant also resets System Restore points and downloads files to the target computer.
Symptoms of infection
* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
* Domain controllers respond slowly to client requests.
* The local network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
* Websites related to antivirus software and Windows system updates cannot be accessed.
In addition, the worm launches a brute-force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making the choice of strong passwords advisable.
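The symptoms above can be checked from the host itself. The following PowerShell script is an added example and is not part of the article or of Wikipedia's text; it assumes the standard Windows service short names (wuauserv for Automatic Updates, BITS, WinDefend for Windows Defender, ERSvc for Error Reporting on XP/2003 and WerSvc on Vista and later, wscsvc for Security Center) and the usual output layout of `net accounts` and `netstat -ano`. It reports watched services that are disabled or stopped, the account lockout threshold, and TCP listeners in the 1024-10000 range that the A variant uses for its HTTP server.

```powershell
# Added example, not from the article or from Wikipedia: audit a Windows host
# for the infection symptoms listed above. Assumptions: the standard service
# short names below and the usual "net accounts" / "netstat -ano" output layout.
# Run from an elevated prompt, PowerShell 2.0 or later (WMI is used so that
# the script also works on the XP/2003 systems the worm targets).

$WatchedServices = @{
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting (XP/2003)'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
    'wscsvc'    = 'Security Center'
}

function Get-DisabledWatchedServices {
    # Returns watched services that are set to Disabled or are not running.
    foreach ($name in $WatchedServices.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { continue }   # service not present on this Windows version
        if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
            New-Object PSObject -Property @{
                Name        = $name
                Description = $WatchedServices[$name]
                StartMode   = $svc.StartMode
                State       = $svc.State
            }
        }
    }
}

function Get-LockoutThreshold {
    # Parses "net accounts"; a threshold of "Never" means account lockout is
    # switched off, which is what a reset lockout policy looks like.
    $line = net accounts | Select-String 'Lockout threshold'
    if ($line) { return ($line.Line -split ':\s*')[1].Trim() }
    return $null
}

function Get-SuspiciousListeners {
    # TCP listeners on ports 1024-10000 (the range the A variant uses for its
    # HTTP server) together with the owning process. Plenty of legitimate
    # software listens in this range, so treat hits as leads, not proof.
    netstat -ano | Select-String 'LISTENING' | ForEach-Object {
        $parts  = $_.Line.Trim() -split '\s+'          # proto, local, remote, state, pid
        $port   = [int](($parts[1] -split ':')[-1])     # works for IPv4 and [::]:port
        $procId = [int]$parts[4]
        if ($port -ge 1024 -and $port -le 10000) {
            $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $procName = 'unknown'
            if ($proc) { $procName = $proc.ProcessName }
            New-Object PSObject -Property @{ Port = $port; PID = $procId; Process = $procName }
        }
    }
}

Write-Host "Account lockout threshold: $(Get-LockoutThreshold)"
Write-Host "`nWatched services that are disabled or stopped:"
Get-DisabledWatchedServices | Format-Table Name, Description, StartMode, State -AutoSize
Write-Host "Listeners on TCP 1024-10000 (leads only):"
Get-SuspiciousListeners | Sort-Object Port | Format-Table Port, PID, Process -AutoSize
```

A stopped Automatic Updates service on its own proves nothing; the combination of several watched services disabled, a lockout threshold of "Never" on a domain that is supposed to enforce one, and a listener owned by svchost.exe or explorer.exe on an unexpected port is the pattern worth escalating.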
Impact
By January 16, 2009, antivirus software vendor F-Secure reported that Conficker had infected almost 9 million PCs.[9][10] The New York Times reported that Conficker had infected 9 million PCs by January 22, 2009, while The Guardian estimated 3.5 million infected PCs.[11][12] As of January 26, 2009, Conficker had infected more than 15 million computers, making it one of the most widespread infections in recent times.
Another antivirus software vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.
Conficker is reported to be one of the largest botnets created because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008.
The U.K. Ministry of Defence reported that some of its major systems and desktops were infected. The worm spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
Experts say it is the worst infection since the SQL Slammer.
As of February 13, 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the hackers behind the creation and/or distribution of Conficker.
Patching and removal
On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability.[20] Removal tools are available from Microsoft,[21] Symantec[22] and Kaspersky Lab, while McAfee[23] can remove it with an on-demand scan.[24] Since the worm can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media by modifying the Windows Registry is recommended.[25] While Microsoft has released patches for Windows 2000 SP4, Windows XP Service Packs 2 and 3, and Windows Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired.
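The two mitigations in this section (confirming the MS08-067 patch is present and disabling AutoRun through the registry) can be scripted. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes that the MS08-067 fix is the hotfix with ID KB958644 and that AutoRun is controlled by the standard NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.

```powershell
# Added example, not from the article or from Microsoft: verify the MS08-067
# fix and disable AutoRun for every drive type. Assumptions: the MS08-067
# hotfix ID is KB958644 and AutoRun is governed by the NoDriveTypeAutoRun
# policy value. Run from an elevated prompt, PowerShell 2.0 or later.

$Ms08067Hotfix = 'KB958644'
$AutoRunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutoRunValue  = 'NoDriveTypeAutoRun'
$DisableAll    = 0xFF   # one bit per drive type; 0xFF disables AutoRun everywhere

function Test-Ms08067Installed {
    # Win32_QuickFixEngineering lists installed hotfixes on XP/2003 and later.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $Ms08067Hotfix }
    return ($fix -ne $null)
}

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun value, or $null when it is not set.
    $item = Get-ItemProperty -Path $AutoRunKey -Name $AutoRunValue -ErrorAction SilentlyContinue
    if ($item) { return $item.$AutoRunValue }
    return $null
}

function Disable-AutoRun {
    # Creates the policy key if needed and sets the value to 0xFF; returns the new value.
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name $AutoRunValue -Value $DisableAll -Type DWord
    return Get-AutoRunPolicy
}

if (Test-Ms08067Installed) {
    Write-Host "$Ms08067Hotfix (MS08-067) is installed."
} else {
    Write-Host "WARNING: $Ms08067Hotfix (MS08-067) is NOT installed; apply it before anything else."
}

$current = Get-AutoRunPolicy
if ($current -eq $DisableAll) {
    Write-Host ("AutoRun already disabled for all drive types (0x{0:X2})." -f $current)
} else {
    $new = Disable-AutoRun
    Write-Host ("AutoRun policy set to 0x{0:X2} (was: {1})." -f $new, $(if ($current -eq $null) { 'not set' } else { $current }))
    Write-Host "Log off and on (or reboot) for Explorer to pick up the new policy."
}
```

The hotfix check can give a false negative on a system whose later service pack already bundles the fix, so treat "NOT installed" as a prompt to check Windows Update rather than as proof. Microsoft also documented that some older systems needed an additional update before Explorer honored NoDriveTypeAutoRun, so verify the behaviour by inserting a removable drive rather than trusting the registry value alone.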
Technology industry collaboration to combat Conficker
On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.
Microsoft is trying to put some pressure on the criminals responsible for the worst Internet worm outbreak in years, offering a $250,000 reward for information leading to the arrest and conviction of Conficker's creators.[26]
Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.
ICANN is the global coordinating body for domain names. Afilias is the registry operator for .INFO domains and the service provider for Public Interest Registry's .ORG domains worldwide. Neustar runs .BIZ, Verisign is the largest registry and runs .COM and .NET, and CNNIC runs .CN.
source: wikipedia