Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.
[2] It uses flaws in Windows OS software (MS08-067 / CVE-2008-4250)[3][4] and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques.
Although Microsoft released an emergency out-of-band patch on October 23, 2008, to close the vulnerability,[20] a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009.
[27] A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus.
[29] Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus's combined use of so many has made it unusually difficult to eradicate.
This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D. None To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system or system32 folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.
The virus stores a backup copy of this DLL disguised as a .jpg image in the Internet Explorer cache of the user network services.
[53] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.
The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.
Those which have taken action include: By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.
[54] In 2015, Phil Porras, Vinod Yegneswaran and Hassan Saidi – who were the first to detect and reverse-engineer Conficker – wrote in the Journal of Sensitive Cyber Research and Engineering, a classified, peer-reviewed U.S. government cybersecurity publication, that they tracked the malware to a group of Ukrainian cybercriminals.
Porras et al. believed that the criminals abandoned Conficker after it had spread much more widely than they assumed it would, reasoning that any attempt to use it would draw too much attention from law enforcement worldwide.
On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.
The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media.