Conficker - Operation

Operation

Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus' combined use of so many of them has made it unusually difficult to eradicate. The virus' unknown authors are also believed to be tracking anti-malware efforts by network operators and law enforcement, and have regularly released new variants to close the virus' own vulnerabilities.

Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered on 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group (CWG) uses the names A, B, B++, C and E for the same variants, so CWG B++ is equivalent to Microsoft's (MSFT) C, and CWG C is equivalent to MSFT D.

Variant: Conficker A
  Detection date: 2008-11-21
  Infection vectors:
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service
  Update propagation:
    • HTTP pull
      • Downloads from trafficconverter.biz
      • Downloads daily from any of 250 pseudorandom domains over 5 TLDs
  Self-defense: None
  End action:
    • Updates self to Conficker B, C or D

Variant: Conficker B
  Detection date: 2008-12-29
  Infection vectors:
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service
      • Dictionary attack on ADMIN$ shares
    • Removable media
      • Creates DLL-based AutoRun trojan on attached removable drives
  Update propagation:
    • HTTP pull
      • Downloads daily from any of 250 pseudorandom domains over 8 TLDs
    • NetBIOS push
      • Patches MS08-067 to open reinfection backdoor in Server service
  Self-defense:
    • Blocks certain DNS lookups
    • Disables AutoUpdate
  End action:
    • Updates self to Conficker C or D

Variant: Conficker C
  Detection date: 2009-02-20
  Infection vectors:
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service
      • Dictionary attack on ADMIN$ shares
    • Removable media
      • Creates DLL-based AutoRun trojan on attached removable drives
  Update propagation:
    • HTTP pull
      • Downloads daily from 500 of 50,000 pseudorandom domains over 8 TLDs per day
    • NetBIOS push
      • Patches MS08-067 to open reinfection backdoor in Server service
      • Creates named pipe to receive URL from remote host, then downloads from URL
  Self-defense:
    • Blocks certain DNS lookups
    • Disables AutoUpdate
  End action:
    • Updates self to Conficker D

Variant: Conficker D
  Detection date: 2009-03-04
  Infection vectors: None
  Update propagation:
    • HTTP pull
      • Downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs
    • P2P push/pull
      • Uses custom protocol to scan for infected peers via UDP, then transfer via TCP
  Self-defense:
    • Blocks certain DNS lookups
      • Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
    • Disables Safe Mode
    • Disables AutoUpdate
    • Kills anti-malware
      • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
  End action:
    • Downloads and installs Conficker E

Variant: Conficker E
  Detection date: 2009-04-07
  Infection vectors:
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service
  Update propagation:
    • NetBIOS push
      • Patches MS08-067 to open reinfection backdoor in Server service
    • P2P push/pull
      • Uses custom protocol to scan for infected peers via UDP, then transfer via TCP
  Self-defense:
    • Blocks certain DNS lookups
    • Disables AutoUpdate
    • Kills anti-malware
      • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
  End action:
    • Updates local copy of Conficker C to Conficker D
    • Downloads and installs malware payload:
      • Waledac spambot
      • SpyProtect 2009 scareware
    • Removes self on 3 May 2009 (but leaves remaining copy of Conficker D)
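The update-propagation entries above describe a domain-generation scheme: each day the infected host tries 250 or 500 pseudorandom domains spread over up to 110 TLDs, and since only a handful of those are ever registered, almost every lookup returns NXDOMAIN. That fan-out is what a resolver-side detector can key on. The Python script below is an added example, not part of the original article and not Conficker's own algorithm (which this page does not describe): it runs a defender-side heuristic over constructed resolver log lines, counting per client and per day how many distinct registered domains returned NXDOMAIN and how many TLDs they spanned. The log format, the thresholds and the simple label-plus-TLD domain extraction are assumptions.

```python
"""Defender-side heuristic for DGA-style NXDOMAIN fan-out in DNS resolver logs.

Added example; the log format, thresholds and domain extraction are assumptions.
"""
from collections import defaultdict

# Constructed sample log lines (not real telemetry), one query per line:
# <ISO timestamp> <client IP> <queried name> <response code>
SAMPLE_LOG = """\
2009-03-05T00:00:01 10.0.0.5 www.example.com NOERROR
2009-03-05T00:00:02 10.0.0.5 wwww.example.com NXDOMAIN
2009-03-05T00:00:05 10.0.0.9 qwhtnxbp.com NXDOMAIN
2009-03-05T00:00:05 10.0.0.9 ljcxvmkr.net NXDOMAIN
2009-03-05T00:00:06 10.0.0.9 pzdsqwvl.org NXDOMAIN
2009-03-05T00:00:06 10.0.0.9 mkrqtxzb.info NXDOMAIN
2009-03-05T00:00:07 10.0.0.9 hdvbqnwp.biz NXDOMAIN
2009-03-05T00:00:07 10.0.0.9 xtlqnvrd.ws NXDOMAIN
2009-03-05T00:00:08 10.0.0.9 update.example.com NOERROR
"""


def parse_log(text):
    """Parse log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({
            "day": ts[:10],  # group per calendar day, matching the daily DGA cycle
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode.upper(),
        })
    return records


def registered_domain(qname):
    """Return (label.tld, tld) from the last two labels of a name.

    Assumption for the example: no public-suffix list is consulted, so
    'foo.co.uk' collapses to 'co.uk'. A production detector would use one.
    """
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), labels[-1]


def client_stats(text):
    """Per (client, day): distinct NXDOMAIN registered domains and the TLDs among them."""
    nx_domains = defaultdict(set)
    nx_tlds = defaultdict(set)
    for rec in parse_log(text):
        if rec["rcode"] != "NXDOMAIN":
            continue
        key = (rec["client"], rec["day"])
        domain, tld = registered_domain(rec["qname"])
        nx_domains[key].add(domain)
        nx_tlds[key].add(tld)
    return {
        key: {"nx_domains": len(nx_domains[key]), "nx_tlds": len(nx_tlds[key])}
        for key in nx_domains
    }


def flag_dga_clients(text, min_nx_domains=5, min_tlds=3):
    """Clients whose NXDOMAIN fan-out on any single day meets both (assumed) thresholds.

    A legitimate host mistyping a few names stays below them; a host walking a
    daily list of pseudorandom domains across many TLDs does not.
    """
    flagged = set()
    for (client, _day), stats in client_stats(text).items():
        if stats["nx_domains"] >= min_nx_domains and stats["nx_tlds"] >= min_tlds:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    for key, stats in sorted(client_stats(SAMPLE_LOG).items()):
        print(key, stats)
    print("flagged:", flag_dga_clients(SAMPLE_LOG))
```

The per-day grouping mirrors the daily cycle the table describes; the TLD count is the second signal, since a single misbehaving application usually fails under one or two suffixes, whereas the later variants spread their candidate names over 8 and then 110 TLDs. Thresholds should be tuned against a site's own baseline before alerting on them.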
