Conficker

Last updated

Conficker
Technical name
Conficker.svg
Type Worm
Technical details
Platform Windows 2000, Windows XP, Windows 2003 Server (SP2), Windows Vista, Windows 2008 Server [1]

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. [2] It uses flaws in Windows OS software (MS08-067 / CVE-2008-4250) [3] [4] and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. [5] [6] The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm. [7]

Contents

Despite its wide propagation, the worm did not do much damage, perhaps because its authors – believed to have been Ukrainian citizens – did not dare use it because of the attention it drew.[ citation needed ] Four men were arrested, and one pled guilty and was sentenced to four years in prison.

Prevalence

Estimates of the number of infected computers were difficult because the virus changed its propagation and update strategy from version to version. [8] In January 2009, the estimated number of infected computers ranged from almost 9 million [9] [10] [11] to 15 million. [12] Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011. [13] [14] By mid-2015, the total number of infections had dropped to about 400,000, [15] and it was estimated to be 500,000 in 2019. [16]

History

Name

The origin of the name Conficker is thought to be a combination of the English term "configure" and the German pejorative term Ficker (engl. fucker). [17] Microsoft analyst Joshua Phillips gives an alternative interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz [18] (with the letter k, not found in the domain name, added as in "trafficker", to avoid a "soft" c sound) which was used by early versions of Conficker to download updates.

Discovery

The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. [19] While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008, to close the vulnerability, [20] a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. [21] A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. [22] Researchers believe that these were decisive factors in allowing the virus to propagate quickly.

Impact in Europe

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded. [23]

The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers. [24] [25]

On 2 February 2009, the Bundeswehr, the unified armed forces of Germany, reported that about one hundred of its computers were infected. [26]

An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for the initial infection. [27]

A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network. [28]

In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people. [29]

Operation

Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus's combined use of so many has made it unusually difficult to eradicate. [30] The virus's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus's own vulnerabilities. [31] [32]

Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. [33] [34] The Conficker Working Group uses namings of A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D.

VariantDetection date Infection vectors Update propagationSelf-defenseEnd action
Conficker A2008-11-21
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service [32]
  • HTTP pull
    • Downloads from trafficconverter.biz
    • Downloads daily from any of 250 pseudorandom domains over 5 TLDs [35]

None

  • Updates self to Conficker B, C or D [36]
Conficker B2008-12-29
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service [32]
    • Dictionary attack on ADMIN$ shares [37]
  • Removable media
    • Creates DLL-based AutoRun trojan on attached removable drives [22]
  • HTTP pull
    • Downloads daily from any of 250 pseudorandom domains over 8 TLDs [35]
  • NetBIOS push
    • Patches MS08-067 to open reinfection backdoor in Server service [38] [39]
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Updates self to Conficker C or D [36]
Conficker C2009-02-20
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service [32]
    • Dictionary attack on ADMIN$ shares [37]
  • Removable media
    • Creates DLL-based AutoRun trojan on attached removable drives [22]
  • HTTP pull
    • Downloads daily from 500 of 50,000 pseudorandom domains over 8 TLDs per day [32]
  • NetBIOS push
    • Patches MS08-067 to open reinfection backdoor in Server service [38] [39]
    • Creates named pipe to receive URL from remote host, then downloads from URL
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Updates self to Conficker D [36]
Conficker D2009-03-04None
  • HTTP pull
    • Downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs [35]
  • P2P push/pull
    • Uses custom protocol to scan for infected peers via UDP, then transfer via TCP [40]
  • Blocks certain DNS lookups [41]
    • Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites [41]
  • Disables Safe Mode [41]
  • Disables AutoUpdate
  • Kills anti-malware
    • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals [42]
  • Downloads and installs Conficker E [36]
Conficker E2009-04-07
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service [43]
  • NetBIOS push
    • Patches MS08-067 to open reinfection backdoor in Server service
  • P2P push/pull
    • Uses custom protocol to scan for infected peers via UDP, then transfer via TCP [40]
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Kills anti-malware
    • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals [44]
  • Updates local copy of Conficker C to Conficker D [45]
  • Downloads and installs malware payload:
  • Removes self on 3 May 2009 (but leaves remaining copy of Conficker D) [47]

Initial infection

To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system or system32 folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. [32]

Payload propagation

The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware.

Armoring

To prevent payloads from being hijacked, variant A payloads are first SHA-1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key. [39] The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits. [42] Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6. [6]

Self-defense

The DLL- Form of the virus is protected against deletion by setting its ownership to "SYSTEM", which locks it from deletion even if the user is granted with administrator privileges. The virus stores a backup copy of this DLL disguised as a .jpg image in the Internet Explorer cache of the user network services.

Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. [52] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated. [53] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service. [42]

End action

Variant E of the virus was the first to use its base of infected computers for an ulterior purpose. [46] It downloads and installs, from a web server hosted in Ukraine, two additional payloads: [54]

Symptoms

Symptoms of a Conficker infection include:

Response

On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence. [6] [31] [61]

From Microsoft

On 13 February 2009, Microsoft offered a $USD250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker. [62]

From registries

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus's domain generator. Those which have taken action include:

By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective. [68]

Origin

Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus's internals to avoid tipping off its authors. [69] An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. [6] The payload of Conficker.E was downloaded from a host in Ukraine. [54]

In 2015, Phil Porras, Vinod Yegneswaran and Hassan Saidi – who were the first to detect and reverse-engineer Conficker – wrote in the Journal of Sensitive Cyber Research and Engineering, a classified, peer-reviewed U.S. government cybersecurity publication, that they tracked the malware to a group of Ukrainian cybercriminals. Porras et al. believed that the criminals abandoned Conficker after it had spread much more widely than they assumed it would, reasoning that any attempt to use it would draw too much attention from law enforcement worldwide. This explanation is widely accepted in the cybersecurity field. [16]

In 2011, working with the FBI, Ukrainian police arrested three Ukrainians in relation to Conficker, but there are no records of them being prosecuted or convicted. A Swede, Mikael Sallnert, was sentenced to 48 months in prison in the U.S. after a guilty plea. [16]

Removal and detection

Due to the lock of the virus files against deletion as long as the system is running, the manual or automatic removal itself has to be performed during boot process or with an external system installed. Deleting any existing backup copy is a crucial step.

Microsoft released a removal guide for the virus, and recommended using the current release of its Windows Malicious Software Removal Tool [70] to remove the virus, then applying the patch to prevent re-infection. [71] Newer versions of Windows are immune to Conficker. [16]

Third-party software

Many third-party anti-virus software vendors have released detection updates to their products and claim to be able to remove the worm. The evolving process of the malware shows some adoption to the common removal software, so it is likely that some of them might remove or at least disable some variants, while others remain active or, even worse, deliver a false positive to the removal software and become active with the next reboot.

Automated remote detection

On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely. [39] The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered, allowing researchers to imitate the virus network's command packets and positively identify infected computers en-masse. [72] [73]

Signature updates for a number of network scanning applications are now available. [74] [75]

It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.

US CERT

The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715, [76] US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively. [77] US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies. [78]

See also

Related Research Articles

Klez is a computer worm that propagates via e-mail. It first appeared in October 2001 and was originated in China. A number of variants of the worm exist.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Blaster (computer worm)</span> 2003 Windows computer worm

Blaster was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August 2003.

<span class="mw-page-title-main">Mydoom</span> Self-replicating malware program that spread by email

Mydoom was a computer worm that targeted computers running Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2024 has yet to be surpassed.

Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

Win32/Simile is a metamorphic computer virus written in assembly language for Microsoft Windows. The virus was released in its most recent version in early March 2002. It was written by the virus writer "Mental Driller". Some of his previous viruses, such as Win95/Drill, have proved very challenging to detect.

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

Brontok is a computer worm running on Microsoft Windows. It is able to disperse by e-mail. Variants include:

RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.

Stration is a family of computer worms that can affect computers running Microsoft Windows, disabling security features and propagating itself to other computers via e-mail attachments. This family of worms is unusual in that new variants are being produced at an unprecedented rate, estimated to be up to one every 30 minutes at its peak, and downloaded from remote servers by infected machines to speed propagation. This makes detection and removal a particular challenge for anti-virus software vendors, because new signature files for each variant need to be issued to allow their software to detect them.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Backdoor.Win32.IRCBot is a backdoor computer worm that is spread through MSN Messenger and Windows Live Messenger. Once installed on a PC, the worm copies itself into a Windows system folder, creates a new file displayed as "Windows Genuine Advantage Validation Notification" and becomes part of the computer's automatic startup. In addition, it attempts to send itself to all MSN contacts by offering an attachment named 'photos.zip'. Executing this file will install the worm onto the local PC. The Win32.IRCBot worm provides a backdoor server and allows a remote intruder to gain access and control over the computer via an Internet Relay Chat channel. This allows for confidential information to be transmitted to a hacker.

<span class="mw-page-title-main">Mylife (computer worm)</span> Computer worm

MyLife, discovered by MessageLabs in 2002, is a computer worm that spreads itself by sending email to the addresses found in Microsoft Outlook's contacts list. Written in Visual Basic, it displays an image of a girl holding a flower while it attempts to delete files with certain filename extensions. It is named for a phrase appearing in the subject lines of the emails it sends. A variant, MyLife.B, also called the Bill Clinton worm, instead uses a subject line "bill caricature" and displays a cartoon image of Bill Clinton playing a saxophone. Many additional variants have been reported. When the infected file is run, and the picture is closed, the worm runs its payload. MyLife checks the current date. If the minute value is higher or at 45, the worm searches the C:\ directory and deletes .SYS files, .COM files and the same in D:\ Drives.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

References

  1. "Virus alert about the Win32/Conficker worm". Microsoft.
  2. Protect yourself from the Conficker computer worm, Microsoft, 9 April 2009, archived from the original on 27 June 2009, retrieved 28 April 2009
  3. BetaFred (8 June 2023). "Microsoft Security Bulletin MS08-067 – Critical". learn.microsoft.com. Retrieved 7 September 2023.
  4. "CVE – CVE-2008-4250". cve.mitre.org. Retrieved 7 September 2023.
  5. Markoff, John (26 August 2009). "Defying Experts, Rogue Computer Code Still Lurks". The New York Times. Archived from the original on 18 May 2017. Retrieved 27 August 2009.
  6. 1 2 3 4 Bowden, Mark (June 2010), The Enemy Within, The Atlantic, archived from the original on 28 February 2012, retrieved 15 May 2010
  7. Markoff, John (22 January 2009). "Worm Infects Millions of Computers Worldwide". The New York Times. Archived from the original on 25 February 2020. Retrieved 23 April 2009.
  8. McMillan, Robert (15 April 2009), "Experts bicker over Conficker numbers", Techworld, IDG, archived from the original on 16 April 2009, retrieved 23 April 2009
  9. "Clock ticking on worm attack code". BBC News. 20 January 2009. Archived from the original on 16 January 2009. Retrieved 16 January 2009.
  10. Sullivan, Sean (16 January 2009). "Preemptive Blocklist and More Downadup Numbers". F-Secure. Archived from the original on 2 March 2009. Retrieved 16 January 2009.
  11. Neild, Barry (16 January 2009), Downadup Worm exposes millions of PCs to hijack, CNN, archived from the original on 21 January 2009, retrieved 18 January 2009
  12. Virus strikes 15 million PCs, UPI, 26 January 2009, archived from the original on 2 April 2009, retrieved 25 March 2009
  13. Microsoft Security Intelligence Report: Volume 11 (PDF), Microsoft, 2011, archived (PDF) from the original on 18 October 2011, retrieved 1 November 2011
  14. Microsoft Security Intelligence Report: Volume 10 (PDF), Microsoft, 2010, archived (PDF) from the original on 6 October 2011, retrieved 1 November 2011
  15. Opening up a can of worms: Why won't Conficker just die, die, die?, ZDNet, 10 June 2015, archived from the original on 18 January 2017, retrieved 17 January 2017
  16. 1 2 3 4 Bowden, Mark (29 June 2019). "The Worm That Nearly Ate the Internet". The New York Times. Archived from the original on 30 June 2019. Retrieved 30 June 2019.
  17. Grigonis, Richard (13 February 2009), Microsoft's US$5 million Reward for the Conficker Worm Creators, IP Communications, archived from the original on 16 February 2009, retrieved 1 April 2009
  18. Phillips, Joshua, Malware Protection Center – Entry: Worm:Win32/Conficker.A, Microsoft, archived from the original on 18 June 2009, retrieved 1 April 2009
  19. Leffall, Jabulani (15 January 2009). "Conficker worm still wreaking havoc on Windows systems". Government Computer News. Archived from the original on 20 February 2009. Retrieved 29 March 2009.
  20. Microsoft Security Bulletin MS08-067 – Critical; Vulnerability in Server Service Could Allow Remote Code Execution (958644), Microsoft Corporation, archived from the original on 9 April 2010, retrieved 15 April 2009
  21. Leyden, John (19 January 2009), Three in 10 Windows PCs still vulnerable to Conficker exploit, The Register, archived from the original on 1 April 2009, retrieved 20 January 2009
  22. 1 2 3 4 Nahorney, Ben; Park, John (13 March 2009), "Propagation by AutoPlay" (PDF), The Downadup Codex, Symantec, p. 32, archived (PDF) from the original on 24 September 2015, retrieved 1 April 2009
  23. Willsher, Kim (7 February 2009), "French fighter planes grounded by computer worm", The Daily Telegraph, London, archived from the original on 10 March 2009, retrieved 1 April 2009
  24. Williams, Chris (20 January 2009), MoD networks still malware-plagued after two weeks, The Register, archived from the original on 2 April 2009, retrieved 20 January 2009
  25. Williams, Chris (20 January 2009), Conficker seizes city's hospital network, The Register, archived from the original on 2 April 2009, retrieved 20 January 2009
  26. Conficker-Wurm infiziert hunderte Bundeswehr-Rechner (in German), PC Professionell, 16 February 2009, archived from the original on 21 March 2009, retrieved 1 April 2009
  27. Leyden, John (1 July 2009). "Conficker left Manchester unable to issue traffic tickets". The Register . Archived from the original on 10 August 2017. Retrieved 10 August 2017.
  28. Leyden, John (27 March 2009), Leaked memo says Conficker pwns Parliament, The Register, archived from the original on 17 December 2021, retrieved 29 March 2009
  29. "Conficker virus hits Manchester Police computers". BBC News. 2 February 2010. Archived from the original on 17 December 2021. Retrieved 2 February 2010.
  30. Nahorney, Ben; Park, John (13 March 2009), "Propagation by AutoPlay" (PDF), The Downadup Codex, Symantec, p. 2, archived (PDF) from the original on 24 September 2015, retrieved 1 April 2009
  31. 1 2 Markoff, John (19 March 2009), "Computer Experts Unite to Hunt Worm", The New York Times, archived from the original on 4 December 2016, retrieved 29 March 2009
  32. 1 2 3 4 5 6 7 8 9 Phillip Porras; Hassen Saidi; Vinod Yegneswaran (19 March 2009), An Analysis of Conficker, SRI International, archived from the original on 14 February 2009, retrieved 29 March 2009
  33. 1 2 Tiu, Vincent (27 March 2009), Microsoft Malware Protection Center: Information about Worm:Win32/Conficker.D, Microsoft, archived from the original on 31 March 2009, retrieved 30 March 2009
  34. Macalintal, Ivan; Cepe, Joseph; Ferguson, Paul (7 April 2009), DOWNAD/Conficker Watch: New Variant in The Mix?, Trend Micro, archived from the original on 31 January 2010, retrieved 7 April 2009
  35. 1 2 3 4 Park, John (27 March 2009), W32.Downadup.C Pseudo-Random Domain Name Generation, Symantec, archived from the original on 16 March 2018, retrieved 1 April 2009
  36. 1 2 3 4 Nahorney, Ben (21 April 2009). "Connecting The Dots: Downadup/Conficker Variants". Symantec. Archived from the original on 14 December 2009. Retrieved 25 April 2009.
  37. 1 2 Chien, Eric (18 February 2009), Downadup: Locking Itself Out, Symantec, archived from the original on 17 December 2012, retrieved 3 April 2009
  38. 1 2 3 Chien, Eric (19 January 2009), Downadup: Peer-to-Peer Payload Distribution, Symantec, archived from the original on 17 December 2012, retrieved 1 April 2009
  39. 1 2 3 4 5 Leder, Felix; Werner, Tillmann (7 April 2009), Know Your Enemy: Containing Conficker (PDF), HoneyNet Project, archived from the original (PDF) on 12 June 2010, retrieved 13 April 2009
  40. 1 2 3 W32.Downadup.C Bolsters P2P, Symantec, 20 March 2009, archived from the original on 17 December 2012, retrieved 1 April 2009
  41. 1 2 3 Leung, Ka Chun; Kiernan, Sean (6 April 2009), W32.Downadup.C Technical Details, archived from the original on 2 April 2009, retrieved 10 April 2009
  42. 1 2 3 4 5 6 Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (19 March 2009), An Analysis of Conficker C (draft), SRI International, archived from the original on 14 February 2009, retrieved 29 March 2009
  43. 1 2 Fitzgerald, Patrick (9 April 2009), W32.Downadup.E—Back to Basics, Symantec, archived from the original on 17 December 2012, retrieved 10 April 2009
  44. Putnam, Aaron, Virus Encyclopedia: Worm:Win32/Conficker.E, Microsoft, archived from the original on 18 November 2016, retrieved 15 February 2015
  45. Nahorney, Ben; Park, John (21 April 2009), "Connecting The Dots: Downadup/Conficker Variants" (PDF), The Downadup Codex (2.0 ed.), Symantec, p. 47, archived (PDF) from the original on 12 March 2014, retrieved 19 June 2009
  46. 1 2 Keizer, Gregg (9 April 2009), Conficker cashes in, installs spam bots and scareware, Computerworld, archived from the original on 17 April 2009, retrieved 10 April 2009
  47. Leung, Kachun; Liu, Yana; Kiernan, Sean (10 April 2009), W32.Downadup.E Technical Details, Symantec, archived from the original on 16 April 2009, retrieved 10 April 2009
  48. Cve-2008-4250, Common Vulnerabilities and Exposures, Department of Homeland Security, 4 June 2008, archived from the original on 13 January 2013, retrieved 29 March 2009
  49. "Passwords used by the Conficker worm". Sophos. Archived from the original on 21 January 2009. Retrieved 16 January 2009.
  50. Robertson, Andrew (12 February 2009), Microsoft Collaborates With Industry to Disrupt Conficker Worm, ICANN, archived from the original on 19 March 2009, retrieved 1 April 2009
  51. Leder, Felix; Werner, Tillmann (2 April 2009), Containing Conficker, Institute of Computer Science, University of Bonn, archived from the original on 3 April 2009, retrieved 3 April 2009
  52. Win32/Conficker.C, CA, 11 March 2009, archived from the original on 29 March 2009, retrieved 29 March 2009
  53. Malware Protection Center – Entry: Worm:Win32/Conficker.D, Microsoft, archived from the original on 2 June 2009, retrieved 30 March 2009
  54. 1 2 Krebs, Brian (10 April 2009), "Conficker Worm Awakens, Downloads Rogue Anti-virus Software", The Washington Post, archived from the original on 15 May 2011, retrieved 25 April 2009
  55. O'Murchu, Liam (23 December 2008), W32.Waledac Technical Details, Symantec, archived from the original on 22 April 2009, retrieved 10 April 2009
  56. Higgins, Kelly Jackson (14 January 2009), Storm Botnet Makes A Comeback, DarkReading, archived from the original on 4 February 2009, retrieved 11 April 2009
  57. Coogan, Peter (23 January 2009), Waledac – Guess which one is for you?, Symantec, archived from the original on 17 December 2012, retrieved 11 April 2009
  58. Gostev, Aleks (9 April 2009), The neverending story, Kaspersky Lab, archived from the original on 5 February 2010, retrieved 13 April 2009
  59. "Virus alert about the Win32/Conficker.B worm". Microsoft. 15 January 2009. Archived from the original on 22 January 2009. Retrieved 22 January 2009.
  60. "Virusencyclopedie: Worm:Win32/Conficker.B". Microsoft. Archived from the original on 18 May 2017. Retrieved 3 August 2009.
  61. O'Donnell, Adam (12 February 2009), Microsoft announces industry alliance, $250k reward to combat Conficker, ZDNet, archived from the original on 19 March 2009, retrieved 1 April 2009
  62. Microsoft Collaborates With Industry to Disrupt Conficker Worm (Microsoft offers $250,000 reward for Conficker arrest and conviction.), Microsoft, 12 February 2009, archived from the original on 15 February 2009, retrieved 22 September 2009
  63. NIC Chile participa en esfuerzo mundial en contra del gusano Conficker (in Spanish), NIC Chile, 31 March 2009, archived from the original on 8 April 2009, retrieved 31 March 2009
  64. CIRA working with international partners to counter Conficker C, CIRA, 24 March 2009, archived from the original on 29 April 2009, retrieved 31 March 2009
  65. NIC-Panama colabora en esfuerzo mundial en contra del Gusano Conficker. (in Spanish), NIC-Panama, 27 March 2009, archived from the original on 27 July 2011, retrieved 27 March 2009
  66. D'Alessandro, Marco (30 March 2009), SWITCH taking action to protect against the Conficker computer worm, SWITCH, archived from the original on 2 April 2009, retrieved 1 April 2009
  67. Bartosiewicz, Andrzej (31 March 2009), Jak działa Conficker? (in Polish), Webhosting.pl, archived from the original on 25 July 2011, retrieved 31 March 2009
  68. Maniscalchi, Jago (7 June 2009), Conficker.A DNS Rendezvous Analysis, Digital Threat, archived from the original on 16 August 2009, retrieved 26 June 2009
  69. Greene, Tim (31 July 2009), Conficker talk sanitized at Black Hat to protect investigation, Network World, archived from the original on 27 January 2010, retrieved 28 December 2009
  70. Malicious Software Removal Tool, Microsoft, 11 January 2005, archived from the original on 7 November 2012, retrieved 29 March 2009
  71. Protect yourself from the Conficker computer worm, Microsoft, 27 March 2009, archived from the original on 3 April 2009, retrieved 30 March 2009
  72. Bowes, Ron (21 April 2009), Scanning for Conficker's peer to peer, SkullSecurity, archived from the original on 24 April 2009, retrieved 25 April 2009
  73. W32.Downadup P2P Scanner Script for Nmap, Symantec, 22 April 2009, archived from the original on 17 December 2012, retrieved 25 April 2009
  74. Bowes, Ronald (30 March 2009), Scanning for Conficker with Nmap, SkullSecurity, archived from the original on 2 April 2009, retrieved 31 March 2009
  75. Asadoorian, Paul (1 April 2009), Updated Conficker Detection Plugin Released, Tenable Security, archived from the original on 26 September 2010, retrieved 2 April 2009
  76. "How to disable the Autorun functionality in Windows". Microsoft. 27 March 2009. Archived from the original on 3 March 2015. Retrieved 15 April 2009.
  77. Technical Cyber Security Alert TA09-020A: Microsoft Windows Does Not Disable AutoRun Properly, US-CERT, 29 January 2009, archived from the original on 24 February 2009, retrieved 16 February 2009
  78. DHS Releases Conficker/Downadup Computer Worm Detection Tool, Department of Homeland Security, 30 March 2009, archived from the original on 5 August 2012, retrieved 1 April 2009
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.