Introduction

Conficker, also known as Downup, Downadup, Conflicker, and Kido, is a computer worm that surfaced on November 21, 2008 with the Conficker.A variant and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta. Microsoft's out-of-band patch for this vulnerability (KB958644) was released in October 2008. The latest variant (Conficker.C) will begin checking for a payload to download on April 1, 2009. The Conficker.A and Conficker.B variants continue to check for payloads, each with a distinct domain generation algorithm: the worm derives a daily list of pseudo-random candidate domains from the current date (250 per day for A and B, 50,000 per day for C), and because the list depends only on the date, defenders who have reverse-engineered the algorithm can compute the same list in advance and pre-register or sinkhole the domains.

Operation

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server service on Windows computers. The worm sends a specially crafted RPC request (an over-long path passed to the NetpwPathCanonicalize function in netapi32.dll) to execute code on the target computer. When executed on a computer, Conficker disables a number of system services such as Windows Automatic Updates, Windows Security Center, Windows Defender and Windows Error Reporting. It receives further instructions by connecting to a server or peer and receiving a binary update, which must carry a valid digital signature before the worm will run it. The instructions it receives may include propagating, gathering personal information, and downloading and installing additional malware onto the victim's computer. The worm also injects itself into certain Windows processes such as svchost.exe, explorer.exe and services.exe.

The worm seems to implement some of the ideas presented by Fucs, Paes de Barros and Pereira at the Black Hat Briefings Europe 2007, specifically: a digitally signed additional payload, the use of a PRNG for communication (the date-seeded domain generation described above), and P2P communication.

Symptoms of infection

• Account lockout policies being reset automatically.
• Certain Microsoft Windows services such as Automatic Updates, BITS, Windows Defender, and Error Reporting are automatically disabled.
• Domain controllers respond slowly to client requests.
• The local network becomes unusually congested. This can be checked on the Networking tab of Windows Task Manager.
• Websites of antivirus vendors and Windows Update cannot be accessed, because the worm blocks DNS lookups for domains containing security-related strings.
• A dictionary attack is launched against administrator passwords, using a built-in list of common weak passwords, to spread through ADMIN$ shares; this explains the account lockouts above and makes the choice of sensible passwords advisable.
• Port 445/TCP scanning (variants A and B).
• Multicast UPnP requests (Conficker.B uses UPnP to map an inbound port on the local router).
• High-port TCP and UDP peer-to-peer activity.
• Abnormal DNS lookup activity, in particular large numbers of lookups for pseudo-random domain names that do not exist.

Impact

Experts say it is the worst infection since SQL Slammer. Estimates of the number of infected computers range from almost 9 million to 15 million; a conservative minimum estimate is more like 3 million, which is more than enough to cause great harm. The antivirus vendor Panda Security reported that of the 2 million computers analysed through its ActiveScan service, around 115,000 (6%) were infected with this malware. The potential scale of infection is large because 30 percent of Windows computers do not have the Microsoft patch released in October 2008 to close this vulnerability.

The UK Ministry of Defence reported that some of its major systems and desktops were infected. The worm spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines, and hospitals across the city of Sheffield reported infection of over 800 computers. On February 1, 2009, schools in the town of Rochdale, England were infected; the worm spread to 13 schools and is estimated to have infected 7,500 computers. On February 13, the Bundeswehr reported that several hundred of its computers were infected.

On March 27, 2009, the British Director of Parliamentary ICT released a (leaked) memo stating that the House of Commons computer network had been infected with the worm, and called for everyone with access to the network to use caution and not to connect any unauthorized equipment to it.
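The date-seeded domain generation described in the Introduction, as an added example that is not code from the original page and is not Conficker's actual algorithm: the TLD pool, the seed constant, the SHA-256 expansion and the label lengths are all assumptions chosen for illustration. It shows the property that matters for defenders, namely that the worm side (rendezvous) and the defender side (sinkhole_list) compute the same list from nothing but the date, and that the cost of pre-registering the list scales with domains per day times days.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumption: an illustrative TLD pool. Conficker.A/B/C each used their own, larger pools.
TLDS = ["com", "net", "org", "info", "biz"]
# Assumption: a fixed constant mixed into every hash; the real worm's constants differ.
SEED = b"illustrative-dga-seed"
DOMAINS_PER_DAY = 250   # Conficker.A/B generated 250 per day; variant C raised this to 50,000


def generate_domains(day_iso: str, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Derive `count` candidate rendezvous domains from a calendar date (ISO string).

    The only varying input is the date, so every infected host and every defender
    who knows the algorithm computes exactly the same ordered list.
    """
    day_seed = hashlib.sha256(SEED + day_iso.encode()).digest()
    domains = []
    for i in range(count):
        # Expand the day's seed into a fresh 32-byte block per domain.
        block = hashlib.sha256(day_seed + i.to_bytes(4, "big")).digest()
        length = 8 + block[0] % 4                        # labels of 8..11 letters
        label = "".join(chr(97 + b % 26) for b in block[1:1 + length])
        tld = TLDS[block[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_list(start_iso: str, days: int) -> Set[str]:
    """Defender side: precompute every domain the worm could try over a window.

    This is the step that let the Conficker Working Group pre-register domains;
    the size grows as DOMAINS_PER_DAY * days, which is why variant C went to 50,000/day.
    """
    start = date.fromisoformat(start_iso)
    out: Set[str] = set()
    for d in range(days):
        out.update(generate_domains((start + timedelta(days=d)).isoformat()))
    return out


def rendezvous(day_iso: str, registered: Set[str]) -> Optional[str]:
    """Worm side: walk today's list in order and use the first domain that resolves.

    `registered` stands in for "names that exist in DNS"; if a defender holds every
    one of them, the worm only ever reaches a sinkhole.
    """
    for dom in generate_domains(day_iso):
        if dom in registered:
            return dom
    return None


if __name__ == "__main__":
    today = "2009-04-01"
    print("first three candidates for", today, generate_domains(today)[:3])
    sinkhole = sinkhole_list(today, 7)
    print("domains a defender must hold for one week:", len(sinkhole))
    print("worm would contact:", rendezvous(today, sinkhole))
```

Swapping DOMAINS_PER_DAY to 50,000 reproduces the variant C situation: a week of coverage becomes 350,000 registrations across many registries, which is the point at which pre-registration stops being cheap and the worm's peer-to-peer channel matters more.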
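Two of the network symptoms listed above, 445/TCP scanning and abnormal DNS lookup activity, turned into detection logic over log lines, as an added example that is not code from the original page. The firewall and resolver log formats, the sample lines (which are constructed, not real captures) and the thresholds are assumptions; adapt the two regular expressions to whatever your firewall and DNS server actually emit.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed log formats: one firewall line per connection attempt, one resolver line per query.
FW_LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
DNS_LINE = re.compile(r"client=(\S+) query=(\S+) rcode=(\w+)")


def _fake_label(i: int) -> str:
    # Deterministic pseudo-random-looking label for the constructed sample data.
    return "".join(chr(97 + (i * 7 + j * 13) % 26) for j in range(10))


# Constructed sample: 10.0.0.5 walks a /24 on 445/tcp (the A/B spreading pattern),
# 10.0.0.9 is a normal client talking to one file server and one web site.
SAMPLE_FW: List[str] = (
    [f"2009-03-30T10:00:{i:02d} src=10.0.0.5 dst=10.0.1.{i} dport=445 proto=tcp action=deny"
     for i in range(1, 31)]
    + ["2009-03-30T10:01:00 src=10.0.0.9 dst=10.0.1.2 dport=445 proto=tcp action=allow",
       "2009-03-30T10:01:01 src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp action=allow"]
)

# Constructed sample: the infected host resolves dozens of unregistered pseudo-random names.
SAMPLE_DNS: List[str] = (
    [f"2009-03-30T10:02:{i:02d} client=10.0.0.5 query={_fake_label(i)}.biz rcode=NXDOMAIN"
     for i in range(25)]
    + ["2009-03-30T10:02:30 client=10.0.0.5 query=wpad.corp.example rcode=NOERROR"]
    + [f"2009-03-30T10:03:0{i} client=10.0.0.9 query=www.example.com rcode=NOERROR"
       for i in range(5)]
)


def smb_scan_sources(lines: Iterable[str], min_targets: int = 20) -> Dict[str, int]:
    """Flag sources that touched at least `min_targets` distinct hosts on 445/tcp.

    Distinct destinations, not connection count, is the signal: a busy file-server
    client hammers one host, a worm touches many hosts once each.
    """
    targets = defaultdict(set)
    for line in lines:
        m = FW_LINE.search(line)
        if not m:
            continue
        src, dst, dport, proto = m.groups()
        if dport == "445" and proto.lower() == "tcp":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def dga_like_clients(lines: Iterable[str], min_queries: int = 20,
                     min_nx_ratio: float = 0.8) -> Dict[str, float]:
    """Flag clients whose lookups are mostly NXDOMAIN across many distinct names.

    Returns the NXDOMAIN ratio per flagged client. A DGA walks hundreds of names
    that were never registered, so the failure ratio is the signal, not volume alone.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        client, name, rcode = m.groups()
        s = stats[client]
        s["total"] += 1
        s["names"].add(name.lower())
        if rcode.upper() == "NXDOMAIN":
            s["nx"] += 1
    flagged = {}
    for client, s in stats.items():
        ratio = s["nx"] / s["total"]
        if s["total"] >= min_queries and len(s["names"]) >= min_queries and ratio >= min_nx_ratio:
            flagged[client] = round(ratio, 3)
    return flagged


if __name__ == "__main__":
    print("445/tcp scanners:", smb_scan_sources(SAMPLE_FW))
    print("DGA-like resolvers:", dga_like_clients(SAMPLE_DNS))
```

Both checks are cheap enough to run over a day of logs on a schedule; a host that appears in both outputs is a strong candidate for isolation, after which the service list in the symptoms above (Automatic Updates, BITS, Windows Defender, Error Reporting all stopped) confirms the diagnosis on the machine itself.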