This is not the computer worm that we imagine
When it comes to computer worms, most people will talk about NotPetya, Bad Rabbit, Stuxnet or WannaCry. Back when I was in college, Conficker was the hottest worm I had ever heard of. Although this infection is nearly forgotten, it has survived for nearly 15 years, which is why it sparked my interest to write about it in this blog post.
What is Conficker
Conficker is a computer worm that was first spotted in November 2008. It exploited a vulnerability in a Windows service to propagate across the Internet, affecting Windows 2000, XP, Vista, Server 2003, Server 2008, and Server 2008 R2 Beta, and had spread widely before it was discovered. The worm used a vulnerability in NetBIOS (MS08-067) to reach and infect workstations and servers over the Internet. Once inside a network, it launched a massive dictionary attack to crack administrator passwords and enrolled the compromised machines in a botnet.
Conficker is also known as:
- Mal/Conficker-A
- Win32/Conficker.A
- W32.Downadup
- W32/Downadup.A
- Conficker.A
- Net-Worm.Win32.Kido.bt
- W32/Conficker.worm
- Win32.Worm.Downadup.Gen
- Win32:Confi
- WORM_DOWNAD
- Worm.Downadup
Conficker Variants
There are five Conficker variants, designated A through E. Each iteration is an advance over its predecessor and incorporates additional defense mechanisms against detection.
The initial version of the malware spread over the Internet by exploiting a flaw in a Windows network service. The second variant gained the ability to spread through local area networks, removable media, and network shares. Subsequent variants strengthened the worm's use of encryption and its resistance to detection.
Researchers are familiar with Conficker's methods, but the malware's many defense mechanisms make it extremely difficult to eradicate. Constant updates keep the worm alive: whenever a remedy is deployed, its authors change the worm so that the remedy no longer works against it.
Symptoms of Conficker Infection
Because the Conficker worm runs as a DLL rather than as a separately visible process, it can be difficult to detect, and its symptoms are sometimes attributed to unrelated network issues. Here is a list of the most prevalent symptoms of a Conficker infection:
- Account lockout policies are being triggered. This may be the result of the dictionary brute-force attack that the Conficker worm uses to gain access to ADMIN$ shares.
- Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services will be disabled automatically.
- The response time of domain controllers to client requests is sluggish.
- Network congestion
- Websites pertaining to security cannot be accessed.
- Antivirus, anti-malware, and other security-related applications cannot execute.
As its symptoms show, the worm primarily causes network congestion and problems with user account access. This is largely due to the malware's daily installations and its brute-force dictionary attacks. Only variant E used the infection to install additional malicious software, and it was soon retired because it was programmed to delete itself one month after its release.
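The account-lockout symptom above comes from one host trying many account names in quick succession. Here is a small detector for that pattern, added as an example and not part of the original post; the log format, field names and sample lines are constructed for the demo, not a real Windows event layout:

```python
# Added example: flag the Conficker-style symptom of failed logons against
# many different accounts from one source host within a short window,
# the pattern that trips account-lockout policies. The log format below
# is constructed (assumed), not a real Windows event format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_host target_account outcome"
SAMPLE_LOG = """\
2009-01-10T09:00:01 WS-17 administrator FAIL
2009-01-10T09:00:02 WS-17 admin FAIL
2009-01-10T09:00:02 WS-17 backup FAIL
2009-01-10T09:00:03 WS-17 jsmith FAIL
2009-01-10T09:00:03 WS-17 mwong FAIL
2009-01-10T09:00:04 WS-17 svc_sql FAIL
2009-01-10T09:00:05 WS-17 guest FAIL
2009-01-10T09:01:30 WS-03 jsmith FAIL
2009-01-10T09:01:45 WS-03 jsmith OK
2009-01-10T09:30:00 WS-17 administrator FAIL
"""

def parse(log_text):
    """Turn the constructed log into (timestamp, host, account, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), host, account, outcome))
    return events

def find_spray_sources(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {source_host: max_distinct_accounts} for hosts whose failed
    logons hit at least `min_accounts` different accounts within `window`."""
    fails = defaultdict(list)
    for ts, host, account, outcome in events:
        if outcome == "FAIL":
            fails[host].append((ts, account))
    hits = {}
    for host, entries in fails.items():
        entries.sort()
        start = 0  # sliding window over this host's failures, oldest first
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1
            accounts = {a for _, a in entries[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[host] = max(hits.get(host, 0), len(accounts))
    return hits

if __name__ == "__main__":
    print(find_spray_sources(parse(SAMPLE_LOG)))  # {'WS-17': 7}
```

A single user mistyping a password (WS-03 here) never trips the rule, while the one host cycling through seven account names in five seconds does; the ADMIN$ share is the target the post names, so feeding this the logon-failure events of file servers and domain controllers is where it pays off.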
The Authors Are Still a Mystery
Despite its notoriety as one of the most widely disseminated pieces of malicious code in the world, its creators have never put it to use in an attack. Some explain this peculiar behaviour by the authors' desire to remain anonymous. Microsoft offered a $250,000 reward in 2009 (refer to this news) for information leading to the arrest and conviction of the Conficker creators. The reward was never claimed.
How To Get Rid of Conficker