The conficker threat is growing day by day .The latest variants of Conficker has spread to over 9 million PCs and Servers worldwide as it uses multiple techniques to spread to vulnerable systems.This dangerous worm has also been named as Downadup , WORM_DOWNAD.A and even Net-Worm.Win32.Kido.l
The worm initially spread to systems unpatched against MS08-067, but has since evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.The malware first tries to use the credential of the logged-on user. If that fails, it attempts to obtain a list of user accounts on the target machine and then tries to connect using each user name and to a list of weak passwords, such as “1234” or “password.” The first variant of the Conficker worm appeared in November 2008.Security researchers began to see the second variation of the malware in late December 2008.
Many experts have compared the Conficker attack to Nimda, another bug that hit corporations in 2001, which spread quickly as well. Others have speculated the bug may be the beginning stages of a new botnet.
Downadup contains a number of features designed to make it harder for security pros to shut down.The worm, which was first reported by Panda and other security companies on Dec. 31, 2008, exploits a vulnerability in the Windows Server service that’s part of all currently supported versions of Microsoft’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.
Some of the activities is takes up once in your system :
- Connects to external sites to download additional files.
- Deletes the user’s Restore Points.
- Registers a services called Netsvcs.
- Creates it’s own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
- Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.
Few reasons why conficker is spreading rapidly :
- It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.
- It exploits the MS08-067 vulnerability,
- It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares .
The major strength of Conficker is USB sticks.Downadup creates its own Autorun.inf file and transports itself to all systems where it is inserted . I would suggest that you disable AutoPlay in your environments, unless it’s really necessary.
INFECTED IPs WORLDWIDE (Source: F-Secure)
- China 38,277
- Brazil 34,814
- Russia 24,526
- India 16,497
- Ukraine 14,767
- Italy 13,115
- Argentina 11,675
- Korea 11,117
- Romania 8,861
- United States 3,958
- United Kingdom 1,789
Once interesting fact related to this worm is that, Microsoft blog noted that the variant avoids infecting computers that use Ukrainian keyboard layout, raising suspicions that the malware authors are located in the Ukraine. So the conficker worm is expected to have orginated from Ukraine .
Additional Readings :