What is the Conficker worm?
The Conficker or Downup or Downadup or Kido is a computer worm that infects a Microsoft Windows machine using some vulnerability in the Microsoft Windows Operating System software and creates a botnet of infected computers to steal sensitive information of users, including banking credentials, credit card information, etc using keyloggers. This malware uses advanced malware techniques and is extremely difficult to control. Since its discovery in 2008, the malware has infected millions of computers.
How does the Conficker worm infect a computer?
The Conficker worm is delivered to an infected system as a Dynamic Link Library or DLL. It cannot run as a standalone program.
The worm first infects a Windows system using certain vulnerabilities. It then exploits shellcode to inject the DLL into the running Windows server service. Finally, it creates a registry entry to ensure that it runs every time the machine reboots.
After infecting a computer, Conficker uses a list of websites to find out the IP address of the infected machine. It then uses the IP address to download a small HTTP server and opens that on the infected machine.
Once the HTTP server is up, the worm then scans for other vulnerable machines. Once it finds a vulnerable target machine to infect, it sends the URL of the currently infected machine as a payload to the target vulnerable machine. The remote target machine then downloads the worm from the URL sent and infects other vulnerable machines.
To infect a remote computer in the network, the worm first tries with the credentials of the currently logged-on user. If it is unsuccessful, it gains a list of user accounts on the target machine and tries to log in using each username and a list of commonly used weak passwords. The worm then drops a copy of itself in the target’s admin share.
Conficker then creates a remotely scheduled job to activate the copy.
Conficker can also infect a computer using removable drives or USB drives. For that, it first copies itself to the drives using a random file name. It then changes the autorun.inf file to show an additional option to “Open folder to view files” with “Publisher not specified”, when the drive connects with a computer. If a user cannot understand the trick and selects that option, a copy of the worm will start running on the computer.
After infecting a computer, the worm generates a list of domain names using a randomization function seeded with the current UTC system date. All the infected machines try to connect to the same set of domain names for updates.
Variants of the Conficker worm
There are several variants of the Conficker worm: …
0 Comments