If not redirected, please click here https://www.thesecuritybuddy.com/malware-prevention/what-is-conficker-worm/
A Conficker or Downup or Downadup or Kido is a computer worm that infects a Microsoft Windows machine using some vulnerability in the Microsoft Windows Operating System software and creates a botnet of infected computers to steal sensitive information of users including banking credentials, credit card information etc using keyloggers. This malware uses advanced malware techniques and is extremely difficult to control. Since its discovery in 2008, the malware has infected millions of computers.
A Conficker or Downup or Downadup or Kido is a computer worm that infects a Microsoft Windows machine using some vulnerability in the Microsoft Windows Operating System software and creates a botnet of infected computers to steal sensitive information of users including banking credentials, credit card information etc using keyloggers. This malware uses advanced malware techniques and is extremely difficult to control. Since its discovery in 2008, the malware has infected millions of computers.
How does Conficker malware infect a computer ?
Conficker is delivered to an infected
system as a Dynamic Link Library or DLL. It cannot run as a
standalone program.
The worm first infects a Windows system
using certain vulnerabilities in the system and then exploits
shellcode to inject the DLL into the running Windows server service.
And then, it creates a registry entry to ensure that it runs
everytime the machine reboots.
After infecting a computer, Conficker
uses a list of websites to find out the IP address of the infected
machine. It then uses the IP address to download a small HTTP server
and opens that in the infected machine.
Once the HTTP server is up, the worm
then scans for other vulnerable machines. Once it finds a vulnerable
target machine to infect, it sends the URL of the currently infected
machine as a payload to the target vulnerable machine. The remote
target machine then downloads the worm from the URL sent and starts
infecting other vulnerable machines.
To infect a remote computer in the
network, the worm first tries with credentials of the currently
logged on user. If it is unsuccessful, it gains a list of user
accounts in the target machine and tries to login using each of the
username and a list of commonly used weak passwords. The worm then
drops a copy of itself in the admin share of the target.
Conficker then creates a remotely
scheduled job to activate the copy.
Conficker can also infect a computer
using removable drives or USB drives. For that, it first copies
itself to the drives using a random file name. It then changes the
autorun.inf file to show an additional option to “Open folder to
view files” with “Publisher not specified”, when the drive
connects with a computer. If a user cannot understand the trick and
selects that option, a copy of the worm will start running in the
computer.
After infecting a computer, the worm
generates a list of domain names using a randomization function
seeded with current UTC system date. All the infected machines try to
connect to the same set of domain names for updates.
Variants of Conficker malware
There are a number of variants of
Conficker worm.
- Conficker.A – This is the first version of the Conficker worm. It relies on Windows Server Service vunerability for its propagation.
- Conficker.B – Conficker.B uses two additional approaches of NetBIOS Share Propagation and USB propagation to infect systems.
- Conficker.C – It uses 50,000+ randomly generated domain names so that the security community cannot block all of the domain registration associated with the A & B variants. It also uses P&P coordination channel for updates.
- Conficker.D – It changed the domain name registration algorithm to generate a large pool of domain names. This variant just updates existing Conficker.C infected machines and does not spread by attacking new systems.
- Conficker.E – It is another update to the Conficker.C code base.
System changes after infection of Conficker malware
After infecting a Windows computer, the
worm makes a couple of system changes.
- Conficker changes system settings of the infected computer so that the victim cannot view hidden files.
- It stops Windows Security Center Service which notifies user about security settings.
- It stops Windows Update Auto Update Service.
- It also stops Microsoft Error Reporting Service.
- Conficker resets the infected computer's system restore point and prevents recovery of the system using system restore.
- It disables TCP/IP Tuning
- It also disables third-party security software to avoid detection.
- It deletes backup files.
- It increases traffic on port 445.
- Access to administrator shared files get access denied errors.
- It checks for internet connectivity in the infected system by trying to connect to a list of websites.
- Depending on system date, it builds a URL to download files. The generated URL typically has a domain name that is based on the current system date.
- It increases network traffic in the infected computer, making the system slow.
How to remove Conficker malware from an infected system ?
There are a number of security tools
provided by various anti-virus vendors. Some of the links are given
below :
How to prevent Conficker malware ?
There are a number of steps we can take
to prevent us from falling victims of Conficker.
- Keep your system updated with recent patches of security software.
- The malware exploits security vulnerabilities of commonly used software to infect a computer. So, always keep your computer updated with recent security patches of all the commonly used software.
- Keep your Windows system updated with the latest security patches of the Operating System.
- Turn on firewalls in the system.
- Use User Account Control to limit user privileges, so that the worm cannot run exploiting full access to the Windows system.
thanks for d info
ReplyDelete