Conficker - Operation

Operation

Although almost all of the techniques Conficker uses have seen past use or are well known to researchers, the worm's combined use of so many of them has made it unusually difficult to eradicate. Its unknown authors are also believed to track anti-malware efforts by network operators and law enforcement, and have regularly released new variants that close the worm's own vulnerabilities (later variants, for example, patch the MS08-067 hole they arrived through so that other attackers cannot follow them in).

Five variants of Conficker are known, dubbed Conficker A, B, C, D and E by Microsoft; they were discovered on 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009 respectively. The Conficker Working Group (CWG) names the same five variants A, B, B++, C and E, so CWG B++ is Microsoft's C and CWG C is Microsoft's D. The summary below uses the Microsoft names.

Variant summary (columns of the original table: detection date, infection vectors, update propagation, self-defense, end action):

Conficker A (detected 2008-11-21)
  • Infection vectors: NetBIOS
    • Exploits MS08-067 vulnerability in Server service
  • Update propagation: HTTP pull
    • Downloads from trafficconverter.biz
    • Downloads daily from any of 250 pseudorandom domains over 5 TLDs
  • Self-defense: none
  • End action
    • Updates self to Conficker B, C or D

Conficker B (detected 2008-12-29)
  • Infection vectors
    • NetBIOS: exploits MS08-067 vulnerability in Server service; dictionary attack on ADMIN$ shares
    • Removable media: creates DLL-based AutoRun trojan on attached removable drives
  • Update propagation
    • HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs
    • NetBIOS push: patches MS08-067 in the Server service to open a reinfection backdoor (the patch closes the hole to other attackers while leaving a path the worm's own update traffic can use)
  • Self-defense: none listed
  • End action
    • Updates self to Conficker C or D

Conficker C (detected 2009-02-20)
  • Infection vectors
    • NetBIOS: exploits MS08-067 vulnerability in Server service; dictionary attack on ADMIN$ shares
    • Removable media: creates DLL-based AutoRun trojan on attached removable drives
  • Update propagation
    • HTTP pull: downloads daily from 500 of 50,000 pseudorandom domains over 8 TLDs
    • NetBIOS push: patches MS08-067 to open reinfection backdoor in Server service; creates a named pipe to receive a URL from a remote host, then downloads from that URL
  • Self-defense
    • Blocks certain DNS lookups
    • Disables AutoUpdate
  • End action
    • Updates self to Conficker D

Conficker D (detected 2009-03-04)
  • Infection vectors: none (D does not spread on its own; it arrives only as an update to an earlier variant)
  • Update propagation
    • HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs
    • P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP
  • Self-defense
    • Blocks certain DNS lookups: does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
    • Disables Safe Mode
    • Disables AutoUpdate
    • Kills anti-malware: scans for and terminates processes whose names match anti-malware, patch or diagnostic utilities, at one-second intervals
  • End action
    • Downloads and installs Conficker E

Conficker E (detected 2009-04-07)
  • Infection vectors: NetBIOS
    • Exploits MS08-067 vulnerability in Server service
  • Update propagation
    • NetBIOS push: patches MS08-067 to open reinfection backdoor in Server service
    • P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP
  • Self-defense
    • Blocks certain DNS lookups
    • Disables AutoUpdate
    • Kills anti-malware: scans for and terminates processes whose names match anti-malware, patch or diagnostic utilities, at one-second intervals
  • End action
    • Updates local copy of Conficker C to Conficker D
    • Downloads and installs malware payload: Waledac spambot; SpyProtect 2009 scareware
    • Removes self on 3 May 2009 (but leaves the remaining copy of Conficker D in place)
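The daily HTTP pull from hundreds of pseudorandom domains spread over several TLDs is the behaviour that variants A through D share, and it is observable from the resolver side whether or not the worm ever reaches a live update server: a client that tries 250 or 500 fresh names a day mostly receives NXDOMAIN. The script below is an added example, not code from the page or from any Conficker analysis. It scores each client in a resolver log by the number of distinct registered domains it failed to resolve and the number of TLDs those failures span, which generalises to any domain-generation scheme, not only Conficker's. The log line format, IP addresses, domain names, thresholds and the sample log are all constructed assumptions; adapt the parser to your resolver's real format.

```python
"""Flag clients whose DNS failures look like daily domain generation.

Added example; not code from the page or from any Conficker analysis.
Log format, addresses, names and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed log line shape: "<YYYY-MM-DD> <client-ip> <qname> <rcode>"
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def registered_domain(qname):
    """Return (registered domain, tld) for a query name.

    Simplification: the last two labels are taken as the registered domain,
    so names under two-level public suffixes (example.co.uk) are attributed
    to the suffix rather than to the registrant.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), labels[-1]


def parse_line(line):
    """Return (day, client, qname, rcode) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None


def summarize(lines):
    """Per (day, client): distinct failed domains, their TLDs, success count."""
    stats = defaultdict(lambda: {"failed": set(), "tlds": set(), "ok": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        day, client, qname, rcode = rec
        domain, tld = registered_domain(qname)
        entry = stats[(day, client)]
        if rcode == "NOERROR":
            entry["ok"] += 1
        else:
            entry["failed"].add(domain)
            entry["tlds"].add(tld)
    return stats


def flag_dga_hosts(lines, min_failed=8, min_tlds=3):
    """Return [(day, client, failed_count, tld_count)] for suspicious clients.

    Thresholds are assumptions; a real DGA client fails hundreds of names a
    day, so tune them against a baseline of your own resolver's NXDOMAIN rate.
    """
    hits = []
    for (day, client), e in sorted(summarize(lines).items()):
        if len(e["failed"]) >= min_failed and len(e["tlds"]) >= min_tlds:
            hits.append((day, client, len(e["failed"]), len(e["tlds"])))
    return hits


# Constructed sample: 10.0.0.5 is an ordinary desktop with one typo;
# 10.0.0.9 polls random-looking names across many TLDs and mostly fails.
_DGA_LIKE = ["qmzfxb.com", "tjpwvqr.net", "ayzmoj.org", "kcnxwzp.info",
             "bdhqsl.biz", "rvtpwmj.ws", "gqozlx.cn", "nvxyarb.cc",
             "hlqzpw.org", "zcokrt.net"]
SAMPLE_LOG = [
    "2009-03-04 10.0.0.5 www.example.com NOERROR",
    "2009-03-04 10.0.0.5 mail.example.com NOERROR",
    "2009-03-04 10.0.0.5 wwww.example.org NXDOMAIN",
    "2009-03-04 10.0.0.9 www.example.com NOERROR",
] + ["2009-03-04 10.0.0.9 %s NXDOMAIN" % d for d in _DGA_LIKE]

if __name__ == "__main__":
    for day, client, n_failed, n_tlds in flag_dga_hosts(SAMPLE_LOG):
        print("%s %s: %d distinct failed domains over %d TLDs"
              % (day, client, n_failed, n_tlds))
```

Counting distinct failed registered domains rather than raw query volume keeps a retrying mail server or a misconfigured search list from scoring, and the TLD spread separates DGA traffic from a single application hammering one dead domain. Conficker D's move to 110 TLDs is exactly what makes that second signal strong.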
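The self-defense entries for C, D and E describe a second, host-side signal: on an infected machine ordinary names resolve while lookups of anti-malware related sites fail, because D patches DNSAPI.DLL in memory. The following is an added example, not code from the page, that contrasts a set of control names with a set of security-vendor names through a caller-supplied resolver so the logic can be exercised offline; both name lists are assumptions to be replaced with names relevant to your environment.

```python
"""Host-side check for Conficker-style blocking of security-vendor lookups.

Added example; not code from the page. The name lists are assumptions.
"""
import socket

# Assumed: ordinary names that should always resolve on a healthy host.
CONTROL_NAMES = ["www.example.com", "www.example.net"]
# Assumed: names an infected host is expected to fail on; illustrative only.
SECURITY_NAMES = ["update.microsoft.com", "www.symantec.com",
                  "www.mcafee.com", "www.kaspersky.com", "www.sophos.com"]


def system_resolves(name):
    """True if the OS resolver path (where a patched DNSAPI.DLL sits) answers."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_lookup_blocking(resolves=system_resolves, controls=CONTROL_NAMES,
                          security=SECURITY_NAMES):
    """Return {"verdict": ..., "control_ok": [...], "security_failed": [...]}.

    inconclusive: a control name failed, so DNS is broken for reasons that
                  have nothing to do with the worm (offline, captive portal).
    suspicious:   every control resolved but at least half the security
                  names did not, the pattern a selective block produces.
    clean:        controls and security names both resolved.
    """
    control_ok = [n for n in controls if resolves(n)]
    security_failed = [n for n in security if not resolves(n)]
    if len(control_ok) < len(controls):
        verdict = "inconclusive"
    elif security and len(security_failed) * 2 >= len(security):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "control_ok": control_ok,
            "security_failed": security_failed}


if __name__ == "__main__":
    print(check_lookup_blocking())
```

Two caveats follow directly from the variant summary. A tool that sends its own DNS packets over UDP bypasses the patched library and will report the host clean, so the check has to go through the normal system resolver as above. And since D and E terminate processes whose names look like diagnostic utilities every second, a checker that is to survive on a suspect host should not carry a name that advertises what it does.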
