Conficker

from Wikipedia, the free encyclopedia
Conficker
Name: Conficker
Aliases: Kido, Downadup
Known since: 2008
Origin: Ukraine
Type: Network worm
Memory resident: Yes
Spread via: Exploits, removable media
Systems: Windows 2000, XP, 2003, Vista, Server 2008

Conficker is a family of computer worms whose variants infected several million Windows computers from the end of November 2008 onwards.

Among other things, the worm installed backdoors on the compromised systems and within a few weeks built the largest botnet that has existed to date (as of August 2020), possibly comprising nine to ten million zombie computers.

Other functions of the worm were blocking security and anti-malware updates and covering its own tracks.

Later variants of Conficker also installed scareware or used the infected system to send e-mail spam.

Aliases

Conficker in the malware list of the Malicious Software Removal Tool (MSRT).

The name, now established in the press and among professionals, was coined by Microsoft employees. The American software developers analysing the worm combined "con" with a German vulgar word; perhaps the similar-sounding foreign word was chosen to soften the offensive name a little. "Con" stands for the domain www.trafficconverter.biz, from which Conficker downloaded additional malware.

The names used for the worm by the best-known security software vendors are:

The worm is also said to be known as dumprep. This is problematic, however, because a legitimate Microsoft tool is already known by that name in IT circles.

Versions

The worm fetched updates from various servers several times and was thus able to receive new functions or instructions. Later variants also open a peer-to-peer (P2P) connection to other infected computers and obtain new program components that way. Since the servers from which Conficker obtained its updates were shut down after a short time, the P2P channel was an effective method that could hardly be prevented.
According to Microsoft's nomenclature, the following Conficker variants are known:

  • Conficker.A: first discovered on November 21, 2008
  • Conficker.B: first discovered on December 31, 2008
  • Conficker.B++: first discovered on February 16, 2009
  • Conficker.C: first discovered on March 6, 2009
  • Conficker.D: first discovered on March 15, 2009
  • Conficker.E: first discovered on April 6, 2009

How it works

Spread

Spread routes of Conficker; the infection route via removable media is missing from the graphic.

Conficker infects computers running Microsoft Windows, with Windows XP installations being the main victims. In principle, however, all Windows editions up to Windows Vista and Windows Server 2008 were at risk. Depending on the variant, Conficker uses several different methods to spread:

  • Exploits: The worm originally spread through a vulnerability in the Windows Server service that Microsoft described in security bulletin MS08-067. It is a so-called remote code execution vulnerability: an attacker can use a specially crafted network message to make a computer execute injected code without the access control that would normally be required. Microsoft released special (out-of-band) security updates for Windows 2000, XP, 2003, Vista and Server 2008; later Windows versions and other operating systems are not vulnerable.
  • File sharing: The worm uses the SMB service to spread via folder shares in Windows networks. Within a network it searches for shares on file and print servers and uses them to copy itself.
  • Autostart function: Conficker can also spread via USB sticks and other removable media. If the autostart (AutoPlay) function is enabled under Windows, the worm infects the system as soon as the medium is inserted. Here Conficker exploits a further weakness: it can create the autorun.inf file on the medium by itself. Disabling the autostart function closes this infection route.
  • Weak passwords: Conficker tries to gain access to other user accounts by trying simple passwords.

Inadequate malware protection indirectly makes it easier for the worm to spread. Signatures to detect and remove Conficker with common antivirus software were made available as an update shortly after its discovery, but outdated programs or signatures offer no protection. An appropriately configured firewall prevents some of Conficker's activities.
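The autorun.inf route described above, as an added example that is not part of the original article: a tolerant parser for the [autorun] section of such a file, plus a small assessment that flags the tell-tale signs of a malicious one on removable media. Both sample files are constructed for this example; the RECYCLER path and "loader.dll" name are hypothetical and only imitate the documented disguise of presenting the launcher as the normal "Open folder to view files" AutoPlay choice.

```python
import re

# Constructed sample files (not recovered from real media). The second one imitates the
# documented disguise: entries that make the AutoPlay dialog look like the normal
# "Open folder to view files" choice while actually launching a DLL through rundll32.
BENIGN_AUTORUN = b"""[autorun]
label=Vendor Drivers
icon=setup.ico
"""

SUSPICIOUS_AUTORUN = (
    b"\x00\xff\x13\x7fjunk\x00padding\n"            # junk bytes before the real section
    b"[autorun]\n"
    b"Action=Open folder to view files\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\n"
    b"ShellExecute=RUNDLL32.EXE .\\RECYCLER\\example\\loader.dll,start\n"  # hypothetical path
    b"UseAutoPlay=1\n"
    b"\x9a\x00more junk=\xfe\n"                      # junk after the section
)

EXEC_KEYS = ("open", "shellexecute")                 # keys that start a program on insertion
LAUNCHER_RE = re.compile(r"\b(rundll32|cmd|wscript|cscript|regsvr32)(\.exe)?\b", re.I)
HIDDEN_DIR_RE = re.compile(r"recycler|\$recycle\.bin|system volume information", re.I)


def parse_autorun(data: bytes) -> dict[str, str]:
    """Tolerant [autorun] parser. Malware-written autorun.inf files are often padded with
    garbage to defeat naive matching, so junk bytes and non key=value lines are skipped
    instead of aborting the parse. Keys are returned lower-cased."""
    text = data.decode("latin-1")                    # never fails; junk becomes harmless chars
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if re.fullmatch(r"[a-z0-9_.]+", key):   # drop keys that are just junk bytes
                entries[key] = value.strip()
    return entries


def assess_autorun(entries: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    for key in EXEC_KEYS:
        if key not in entries:
            continue
        target = entries[key]
        findings.append(f"{key}= runs '{target}' when the medium is inserted")
        if LAUNCHER_RE.search(target):
            findings.append("payload started through a system launcher (rundll32 etc.)")
        if HIDDEN_DIR_RE.search(target):
            findings.append("payload stored in a folder Explorer hides by default")
    action = entries.get("action", "")
    if action and re.search(r"open folder|view files", action, re.I):
        findings.append("action= imitates the Windows 'Open folder to view files' prompt")
    if findings and "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon= borrows a stock Windows icon to complete the disguise")
    return findings


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, assess_autorun(parse_autorun(blob)) or ["no findings"])
```

The assessment deliberately keys on behaviour (something is executed on insertion, via a launcher, from a hidden folder, behind a fake folder prompt) rather than on file names, which the worm changed between variants.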

Properties

To hinder its own discovery and removal as far as possible, Conficker blocks the use of Windows services such as Windows Update, access to almost all vendors' websites for anti-virus and other security programs, the Windows Security Center, Windows Defender and the Windows system log. Its unsuccessful logon attempts against password-protected file shares can render entire computers unusable, because the affected user account may be locked out completely after repeated failures. Conficker itself, however, remains able to contact servers from which it can download further malicious components.
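The weak-password spreading method and the account lockouts it causes, described above, leave a footprint in the Windows security log: bursts of failed logons from one infected host against many accounts. The following detection logic is an added example, not part of the original article; the log records are constructed and reduced to four fields (timestamp, event ID, target account, source address), and the lockout threshold of five failures in 30 minutes is an assumed policy value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Windows logs), reduced to the fields that matter.
# 4625 is the failed-logon event on Vista/Server 2008 and later (529 on XP/Server 2003);
# 4624 is a successful logon. 10.0.0.5 plays the infected host walking a password list.
SAMPLE_LOG = """\
2009-01-08 09:12:01,4625,Administrator,10.0.0.5
2009-01-08 09:12:02,4625,administrator,10.0.0.5
2009-01-08 09:12:03,4625,administrator,10.0.0.5
2009-01-08 09:12:04,4625,administrator,10.0.0.5
2009-01-08 09:12:05,4625,administrator,10.0.0.5
2009-01-08 09:12:06,4625,backup,10.0.0.5
2009-01-08 09:12:07,4625,backup,10.0.0.5
2009-01-08 09:12:08,4625,jsmith,10.0.0.5
2009-01-08 09:12:09,4625,jsmith,10.0.0.5
2009-01-08 09:12:10,4625,svc_print,10.0.0.5
2009-01-08 09:14:30,4625,mmeier,10.0.0.77
2009-01-08 09:20:15,4624,mmeier,10.0.0.77
"""


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Keep only failed-logon events as (time, account, source); account names are normalised."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = (f.strip() for f in line.split(","))
        if event_id in ("4625", "529"):
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(), src))
    return events


def spraying_sources(events, window=timedelta(minutes=5), min_failures=8, min_accounts=3):
    """Sources producing many failed logons against several different accounts inside one
    window: the footprint of a worm trying a password list against every share it finds."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        best = None
        for i, (start, _) in enumerate(items):        # sliding window over sorted events
            j, accounts = i, set()
            while j < len(items) and items[j][0] - start <= window:
                accounts.add(items[j][1])
                j += 1
            if j - i >= min_failures and len(accounts) >= min_accounts:
                if best is None or j - i > best["failures"]:
                    best = {"failures": j - i, "accounts": sorted(accounts)}
        if best:
            hits[src] = best
    return hits


def lockout_risk(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts whose failed-logon count within `window` reaches an assumed lockout
    threshold, i.e. the users the worm is about to lock out of their own machines."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    at_risk = {}
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                at_risk[user] = max(at_risk.get(user, 0), j - i)
    return at_risk


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(ev))
    print("accounts at lockout risk:", lockout_risk(ev))
```

The single failure from 10.0.0.77 is ordinary user error and stays below both thresholds; the burst from 10.0.0.5 is flagged as a spraying source, and the Administrator account is reported as the one about to be locked out.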

History of the outbreak

The worm received wide media coverage when it spread massively around the turn of 2008/2009.

  • November 21, 2008: Conficker.A is discovered for the first time. This original version of the worm does not infect computers with a Ukrainian keyboard layout installed.
  • December 31, 2008: Conficker.A pulls an update from the Internet and becomes Conficker.B.
  • January 8, 2009: The worm paralyzes about 3,000 workstations of the Carinthian state government, leaving its offices offline for days. Central servers of the state government were not affected, so official business could continue to a limited extent.
  • January 12, 2009: Conficker has now also infected PCs of the Carinthian hospital operator KABEG in at least three hospitals; as with the state government, around 3,000 computers are affected. Unlike the state government, however, the hospitals are said to have already installed the relevant security update. Another difference is that the worm reportedly succeeded in loading further malware onto the infected hospital computers.
  • January 19, 2009: The security company F-Secure reports that over nine million computers are affected. On January 22, 2009, NetMediaEurope (testticker.de) reported that around seven percent of all German PCs were infected with Conficker. Shortly afterwards, on January 23, 2009, Spiegel.de reported that there might even be 50 million infected computers, far more than previously assumed; the figure was not confirmed.
  • January 23, 2009: F-Secure estimates the number of IP addresses of infected computers at one million worldwide. The spread of the worm appears to be contained, but disinfection remains a challenge, the company writes on its blog. Only one percent of infected computers are in the US, while China, Brazil and Russia together account for 41 percent of infection reports. With almost 16,000 infected IP addresses, Germany ranks 16th internationally.
  • February 5, 2009: F-Secure reports an increase to 1.9 million IP addresses, but points out that this does not necessarily indicate more infections, since the company now monitors more domains than before. By February 27 the number it records rises to 2.1 to 2.5 million. According to the F-Secure blog, several companies and organizations have meanwhile joined forces against the worm. On February 12, Microsoft offered a reward of US$250,000 (as it had for Mydoom) for information that could identify the Conficker developer.
  • February 6, 2009: French fighter planes cannot take off after one or more military computers are infected with Conficker.
  • February 13, 2009: It becomes known that several hundred Bundeswehr computers are infected with the worm. The French Air Force is still affected as well; its computers had by then been switched off for two days.
  • February 16, 2009: After a new update, the Conficker.B++ variant emerges and spreads as well.
  • March 6, 2009: The Conficker worms download further instructions from the Internet and upgrade to Conficker.C.
  • March 15, 2009: The different Conficker versions exchange new updates via peer-to-peer connections. This produces Conficker.D, which spreads rapidly among the older variants.
  • March 17, 2009: In its newly published security newsletter, Microsoft reports on the new variant Conficker.D (Microsoft naming) or W32.Downadup.C (Symantec naming). Previous variants generate 250 new domain names every day on which they look for updates; this update mechanism was successfully blocked by registering those domains in advance. The new variant instead generates 50,000 new domain names per day from April 1, of which 500 are selected at random. Registering that many domains in advance every day is not feasible. The new variant is also said to be able to disable system tools and anti-virus programs.
  • April 1, 2009: Kaspersky Lab announces that Conficker is still among the most widespread malware.
  • April 6, 2009: The upgrade to Conficker.E circulates on the Internet. It only affects variants A, B and C; Conficker.D is not upgraded. Conficker.E connected to domains already associated with the Waledac worm, downloaded Waledac and thus infected the compromised systems with it as well. Waledac was suspected of having a connection to the Storm botnet.
  • April 7, 2009: The security company Trend Micro notices increased P2P activity of Conficker.C, by which the worm turns itself into the Conficker.E variant. It now tries harder to cover its tracks: pages offering removal tools are blocked too, it appears under a random file name, and it deletes its traces on the host PC. However, this variant appears to deactivate itself on May 3, 2009.
  • April 9, 2009: Conficker.C installs Spyware Protect 2009, scareware that simulates a malware infection to pressure the user into buying a "full version" that then supposedly removes the alleged malware. The download comes from a server in Ukraine, which the authorities shut down after a short time.
  • September 2010: The Ministry of Education of Mecklenburg-Western Pomerania in Schwerin disposed of 170 partly brand-new computers of the IQMV teacher training institute in Schwerin, Rostock and Greifswald that were infected with Conficker. Since disinfection is not a problem, this was a gross overreaction and a waste of tax money.
  • June 22, 2011: Several suspects believed to be the authors of Conficker are arrested in Ukraine.
  • April 26, 2012: Conficker is still causing trouble, according to a Microsoft security report. Since 2009 the infection rate has risen by 225 percent, i.e. more than tripled; in the fourth quarter of 2011 the worm was active on 1.7 million computers. The main problem is outdated Windows XP and Windows 2003 installations still used in many companies, together with weak passwords that let attackers place the worm easily. According to Microsoft, many companies still use passwords that are too simple; weak passwords play a decisive role in 92 percent of all infections.
  • January 2, 2013: According to Trend Micro, 2.5 million Conficker infections were reported in 2012. The numbers are falling and are far below those of early 2009.
  • May 18, 2016: Conficker, active since 2008, was responsible for 17 percent of all attacks on Windows systems in April and thus tops Check Point's current threat index, even though a patch for the Windows vulnerability it exploits has been available since the end of 2008.
  • June 29, 2019: The New York Times reports that up to 15,000 PCs worldwide are said to still be infected with Conficker. Because they keep trying to establish connections, they keep drawing attention to themselves, so the total can be estimated fairly well.
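The March 17, 2009 entry above records the change that broke the pre-registration (sinkholing) defence: 250 domains per day could all be registered ahead of time, 50,000 per day with 500 contacted at random could not. The following example, added here and not part of the original article, illustrates why with a toy date-seeded domain generator (an assumed algorithm, not Conficker's real one; seed, label lengths and TLD pool are invented) and the hypergeometric probability that a host contacting a random subset of the day's domains reaches at least one the defenders did not register.

```python
import hashlib
import math
from datetime import date

# Assumed TLD pool for the toy generator; Conficker's real TLD lists are not reproduced here.
TLDS = ("com", "net", "org", "info", "biz")


def dga_domains(day: date, count: int, seed: bytes = b"illustrative-seed") -> list[str]:
    """Toy date-seeded domain generation (illustrative, not Conficker's algorithm).
    Every infected host derives the same list for the same day, so a defender who has
    reverse engineered the generator can compute tomorrow's list today and register the
    domains first. The cost of that defence grows linearly with `count`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                        # 8..12 character labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def p_reaches_live_domain(total: int, contacted: int, registered_by_defenders: int) -> float:
    """Probability that a host contacting `contacted` domains drawn uniformly without
    replacement from the day's `total` reaches at least one domain the defenders did NOT
    register: 1 - P(every contacted domain is defender-held), a hypergeometric tail."""
    if not 0 <= contacted <= total or not 0 <= registered_by_defenders <= total:
        raise ValueError("inconsistent parameters")
    all_held = math.comb(registered_by_defenders, contacted) / math.comb(total, contacted)
    return 1.0 - all_held


def compare_generations() -> dict[str, float]:
    """The two regimes from the article: 250 domains/day, all of them contacted, versus
    50,000/day with 500 contacted at random. The defender registration counts are assumptions."""
    return {
        "old: 250/day, defenders hold all 250": p_reaches_live_domain(250, 250, 250),
        "new: 50,000/day, defenders hold 49,500": p_reaches_live_domain(50_000, 500, 49_500),
        "new: 50,000/day, defenders hold 45,000": p_reaches_live_domain(50_000, 500, 45_000),
    }


if __name__ == "__main__":
    day = date(2009, 4, 1)
    print("first five of the day's domains for", day, dga_domains(day, 5))
    for scenario, p in compare_generations().items():
        print(f"{scenario}: P(host reaches an unblocked domain) = {p:.4f}")
```

Even with 99 percent of the 50,000 daily domains registered by defenders, a host that tries 500 of them at random almost certainly finds one that is not, which is why the working group's strategy had to move from registration to coordinating with the registries themselves.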

Identification and elimination

In addition to removing the worm, the Windows system must be updated, since otherwise a new infection is highly likely.

  • In 2008 a team called the Conficker Cabal was set up to fight the worm. Two of its members, Phil Porras and Vinod Yegneswaran, were the first to discover Conficker; a third, Hassan Saidi, was the first to reverse engineer its code.
  • The University of Bonn, Microsoft, Symantec, F-Secure, Bitdefender and Kaspersky quickly provided software tools to remove Conficker.
  • The Panda USB Vaccine tool can create an autorun.inf on FAT- or NTFS-formatted media that can be neither read, edited nor deleted, which effectively prevents Conficker from creating its own.
  • Effective protection against Conficker.A could already be achieved by also enabling the Ukrainian keyboard layout on the system; Conficker.A then deleted itself from the compromised computer.
  • All free antivirus programs and scanner tools from Microsoft are able to detect and remove Conficker with their latest versions and malware definitions.
  • Today, vulnerable systems should be operated only in exceptional cases. Windows 7, Windows Server 2008 R2 and all newer versions are not affected.
  • In general, the following guidelines were recommended in early 2009:
    • Install update KB958644.
    • Change passwords.
    • Check groups and group policies for changes.
    • Check users and user rights.
    • Remove Conficker with a suitable tool (e.g. the Malicious Software Removal Tool).
    • Delete the scareware Spyware Protect 2009, if present.
    • Remove AT jobs and check scheduled tasks.
    • Restart the system.
    • Reset the "Automatic Updates", "BITS" and "Error Reporting" services to their default startup types (BITS = Manual, ERSVC and wuauserv = Automatic).
    • Finally, run a full scan with an up-to-date anti-virus program.

References

  1. Conficker worm: Support in protecting Windows from Conficker. Microsoft , February 6, 2009, accessed October 9, 2015 .
  2. https://archive.f-secure.com/weblog/archives/00001584.html F-Secure.com: Calculating the Size of the Downadup Outbreak , January 2009
  3. Mark Bowden: The Worm That Nearly Ate the Internet. In: The New York Times, June 29, 2019 (nytimes.com, accessed July 1, 2019).
  4. New Downad / Conficker variant spreading over P2P. Trend Micro , April 8, 2009, accessed October 9, 2015 .
  5. Microsoft Security Bulletin MS08-067 - Critical. Microsoft, October 23, 2008, accessed October 9, 2015 .
  6. https://www.tecchannel.de/a/conficker-das-groesste-botnet-aller-zeiten,1986704 Conficker - The biggest botnet of all time by Moritz Jäger , January 5, 2010
  7. https://www.heise.de/security/meldung/Conficker-schlaegt-bei-Kaerntner-Regierung-zu-195496.html
  8. https://www.heise.de/security/meldung/Conficker-in-Kaernten-Nach-der-Landesregierung-nun-die-Spitaeler-196929.html
  9. https://apps.derstandard.at/privacywall/story/1231151587065/conficker-wurm-legte-landesregierung-und-spitaeler-in-kaernten-lahm
  10. Daniel Bachfeld: F-Secure: Now nine million Windows PCs infected with the Conficker worm. Heise Newsticker, January 19, 2009, accessed October 9, 2015.
  11. Britta Widmann: Germany: Seven percent of all PCs infected with Conficker. ZDNet, January 22, 2009, accessed October 9, 2015.
  12. Frank Patalong: Conficker / Downadup: Experts fear 50 million infected computers. Spiegel Online, January 23, 2009, accessed October 9, 2015.
  13. https://www.f-secure.com/weblog/archives/00001589.html F-Secure: Where is Downadup? from ? , January 2009
  14. Response: Downadup Sinkhole Numbers. F-Secure, February 5, 2009; accessed October 9, 2015 .
  15. Response: Downadup, Good News / Bad News. F-Secure, February 27, 2009, accessed October 9, 2015 .
  16. https://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html Telegraph.co.uk: French fighter planes grounded by computer virus by Kim Willsher , February 2009
  17. Conficker worm: Bundeswehr is fighting against virus infestation. Spiegel Online , February 13, 2009, accessed October 9, 2015 .
  18. Letter for pilots. ORF.at, February 9, 2009, accessed October 9, 2015.
  19. https://www.zdnet.de/41000490/wurm-conficker-infiziert-hunderte-bundeswehr-computer/ ZDNet.de: Wurm Conficker infects hundreds of Bundeswehr computers from Britta Widmann , February 2009
  20. Conficker worm is massively upgrading. (No longer available online.) Microsoft Newsletter, March 17, 2009, archived from the original on December 12, 2010 ; accessed on October 9, 2015 .
  21. Jürgen Schmidt: Conficker worm reloads - maybe. Heise Online, March 30, 2009, accessed October 9, 2015 .
  22. AntiVir does not recognize Conficker. (No longer available online.) June 1, 2009, archived from the original on February 27, 2016; accessed on October 9, 2015.
  23. https://www.lanline.de/it-security/conficker-triebe-noch-immer-sein-unwesen.6736.html LanLine.de: Kaspersky Lab lists top 20 malicious programs for March 2009 - Conficker is still doing his Mischief , April 2009
  24. Loucif Kharouni: Waledac - Successor for Storm found. (No longer available online.) Trend Micro, archived from the original on April 19, 2009 ; accessed on October 9, 2015 .
  25. http://blog.trendmicro.com/trendlabs-security-intelligence/downadconficker-watch-new-variant-in-the-mix/ TrendMicr.com: Conficker Watch: New Variant in The Mix? , April 2009
  26. https://securelist.com/blog/virus-watch/30500/the-neverending-story/ SecureList: The neverending story by Alexander Gostev , April 2009
  27. http://www.ostsee-zeitung.de/Nachrichten/MV-aktuell/170-neue-Computer-wegen-Virus-weggeworfen Ostsee-Zeitung.de: New computers thrown away due to virus , April 29, 2013
  28. https://www.mopo.de/ratgeber/digital/in-der-ukraine--conficker--wurm--online-bande-gefasst-5749898 MoPo.de In Ukraine: Conficker worm online gang captured
  29. https://www.pcgames.de/Virus-Thema-237114/GNews/Conficker-Wurm-Microsoft-Sicherheitanalyse-warnt-vor-nach-wie-vor-grosser-Bedrohung-880080/ PCGames.de: Conficker-Wurm : Microsoft security analysis still warns of major threat by Simon Fistrich , April 2012
  30. https://www.darkreading.com/attacks-breaches/conficker-the-worm-that-wont-die/d/d-id/1330594 DarkReading.com: Conficker - The worm that wont die by Jai Vijayan , July 2017
  31. https://www.heise.de/security/meldung/AKW-Gundremmingen-Infektion-mit-Uralt-Schadsoftware-3188599.html Heise.de: AKW Gundremmingen - Infection with ancient malware from ? , April 2016
  32. https://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS Reuters.com: German nuclear plant infected with computer viruses by Christoph Steitz and Eric Auchard , April 2016
  33. https://www.zdnet.de/88269466/conficker-acht-jahre-alter-wurm-fuehrt-malware-statistik-im-april-an/ ZDNet.de: Conficker - eight-year-old worm tops the malware statistics for April
  34. https://www.nytimes.com/2019/06/29/opinion/sunday/conficker-worm-ukraine.html The Worm That Nearly Ate the Internet by Mark Bowden, June 29, 2019
  35. Felix Leder, Tillmann Werner: Conficker Defusing: Information and tools. University of Bonn , January 21, 2011, accessed on October 9, 2015 .
  36. Malicious Software Removal Tool: Download. Microsoft, September 8, 2015, accessed October 9, 2015 .
  37. W32.Downadup Removal Tool. Symantec , January 13, 2009, accessed October 9, 2015 .
  38. Response: ISTP and F-Downadup Removal Tool. January 20, 2009, accessed October 9, 2015 .
  39. Free Virus Removal Tools. Bitdefender , accessed October 9, 2015 .
  40. How is the Net-Worm.Win32.Kido worm fought (other names: Conficker, Downadup). (No longer available online.) Kaspersky Lab, October 8, 2010, archived from the original on July 2, 2013 ; accessed on October 9, 2015 .
  41. Panda USB Vaccine - Antimalware and Vaccine for USB devices. Panda Security , accessed October 9, 2015 .
