A Conficker or Downup or Downadup or Kido is a computer worm that infects a Microsoft Windows machine using some vulnerability in the Microsoft Windows Operating System software and creates a botnet of infected computers to steal sensitive information of users including banking credentials, credit card information etc using keyloggers. This malware uses advanced malware techniques and is extremely difficult to control. Since its discovery in 2008, the malware has infected millions of computers.
How does Conficker malware infect a computer ?
Conficker is delivered to an infected system as a Dynamic Link Library or DLL. It cannot run as a standalone program.
The worm first infects a Windows system using certain vulnerabilities in the system and then exploits shellcode to inject the DLL into the running Windows server service. And then, it creates a registry entry to ensure that it runs everytime the machine reboots.
After infecting a computer, Conficker uses a list of websites to find out the IP address of the infected machine. It then uses the IP address to download a small HTTP server and opens that in the infected machine.
Once the HTTP server is up, the worm then scans for other vulnerable machines. Once it finds a vulnerable target machine to infect, it sends the URL of the currently infected machine as a payload to the target vulnerable machine. The remote target machine then downloads the worm from the URL sent and starts infecting other vulnerable machines.
To infect a remote computer in the network, the worm first tries with credentials of the currently logged on user. If it is unsuccessful, it gains a list of user accounts in the target machine and tries to login using each of the username and a list of commonly used weak passwords. The worm then drops a copy of itself in the admin share of the target.
Conficker then creates a remotely scheduled job to activate the copy.
Conficker can also infect a computer using removable drives or USB drives. For that, it first copies itself to the drives using a random file name. It then changes the autorun.inf file to show an additional option to “Open folder to view files” with “Publisher not specified”, when the drive connects with a computer. If a user cannot understand the trick and selects that option, a copy of the worm will start running in the computer.
After infecting a computer, the worm generates a list of domain names using a randomization function seeded with current UTC system date. All the infected machines try to connect to the same set of domain names for updates.
Variants of Conficker malware
There are a number of variants of Conficker worm.
- Conficker.A – This is the first version of the Conficker worm. It relies on Windows Server Service vunerability for its propagation.
- Conficker.B – Conficker.B uses two additional approaches of NetBIOS Share Propagation and USB propagation to infect systems.
- Conficker.C – It uses 50,000+ randomly generated domain names so that the security community cannot block all of the domain registration associated with the A & B variants. It also uses P&P coordination channel for updates.
- Conficker.D – It changed the domain name registration algorithm to generate a large pool of domain names. This variant just updates existing Conficker.C infected machines and does not spread by attacking new systems.
- Conficker.E – It is another update to the Conficker.C code base.
System changes after infection of Conficker malware
After infecting a Windows computer, the worm makes a couple of system changes.
- Conficker changes system settings of the infected computer so that the victim cannot view hidden files.
- It stops Windows Security Center Service which notifies user about security settings.
- It stops Windows Update Auto Update Service.
- It also stops Microsoft Error Reporting Service.
- Conficker resets the infected computer's system restore point and prevents recovery of the system using system restore.
- It disables TCP/IP Tuning
- It also disables third-party security software to avoid detection.
- It deletes backup files.
- It increases traffic on port 445.
- Access to administrator shared files get access denied errors.
- It checks for internet connectivity in the infected system by trying to connect to a list of websites.
- Depending on system date, it builds a URL to download files. The generated URL typically has a domain name that is based on the current system date.
- It increases network traffic in the infected computer, making the system slow.
How to remove Conficker malware from an infected system ?
There are a number of security tools provided by various anti-virus vendors. Some of the links are given below :
How to prevent Conficker malware ?
There are a number of steps we can take to prevent us from falling victims of Conficker.
- Keep your system updated with recent patches of security software.
- The malware exploits security vulnerabilities of commonly used software to infect a computer. So, always keep your computer updated with recent security patches of all the commonly used software.
- Keep your Windows system updated with the latest security patches of the Operating System.
- Turn on firewalls in the system.
- Use User Account Control to limit user privileges, so that the worm cannot run exploiting full access to the Windows system.