Conficker

Common name: Conficker
Aliases:
  • Mal/Conficker-A (Sophos)
  • Win32/Conficker.A (CA)
  • W32.Downadup (Symantec)
  • W32/Downadup.A (F-Secure)
  • Conficker.A (Panda)
  • Net-Worm.Win32.Kido.bt (Kaspersky)
  • W32/Conficker.worm (McAfee)
  • Win32.Worm.Downadup.Gen (BitDefender)
  • Win32:Confi (avast!)
  • WORM_DOWNAD (Trend Micro)
  • Worm.Downadup (ClamAV)
Classification: Unknown
Type: Computer worm
Subtype: Computer virus

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.[1] It uses flaws in Windows software and dictionary attacks on administrator passwords to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer,[2] with more than seven million government, business and home computers in over 200 countries now under its control. The worm has been unusually difficult to counter because of its combined use of many advanced malware techniques.[3][4]

History

Name

The origin of the name Conficker is thought to be a portmanteau of the English term "configure" and the German word Ficker.[5][6] Microsoft analyst Joshua Phillips gives an alternate interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz,[7] which was used by early versions of Conficker to download updates.

Discovery

The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta.[8] While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability,[9] a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009.[10] A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares.[11] Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million[12][13][14] to 15 million.[15] Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.[16]

Recent estimates of the number of infected computers have been notably more difficult because of changes in the propagation and update strategy of recent variants of the worm.[17]

Impact in Europe

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.[18]

The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.[19][20]

On 2 February 2009, the Bundeswehr, the unified armed forces of the Federal Republic of Germany, reported that about one hundred of their computers were infected.[21]

An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. USB flash drives have since been banned, as this was believed to be the vector for the initial infection.[22]

A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that it had been infected with the worm. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.[23]

In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.[24]

Operation

Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the worm's combined use of so many has made it unusually difficult to eradicate.[25] The worm's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities.[26][27]

Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.[28][29]

Conficker A (detected 2008-11-21)
  • Infection vectors
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service[27]
  • Update propagation
    • HTTP pull
      • Downloads from trafficconverter.biz
      • Downloads daily from any of 250 pseudorandom domains over 5 TLDs[30]
  • Self-defense
    • None
  • End action
    • Updates self to Conficker B, C or D[31]

Conficker B (detected 2008-12-29)
  • Infection vectors
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service[27]
      • Dictionary attack on ADMIN$ shares[32]
    • Removable media
      • Creates DLL-based AutoRun trojan on attached removable drives[11]
  • Update propagation
    • HTTP pull
      • Downloads daily from any of 250 pseudorandom domains over 8 TLDs[30]
    • NetBIOS push
      • Patches MS08-067 to open reinfection backdoor in Server service[33][34]
  • Self-defense
    • Blocks DNS lookups
    • Disables AutoUpdate
  • End action
    • Updates self to Conficker C or D[31]

Conficker C (detected 2009-02-20)
  • Infection vectors
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service[27]
      • Dictionary attack on ADMIN$ shares[32]
    • Removable media
      • Creates DLL-based AutoRun trojan on attached removable drives[11]
  • Update propagation
    • HTTP pull
      • Downloads daily from any of 250 pseudorandom domains over 8 TLDs[30]
    • NetBIOS push
      • Patches MS08-067 to open reinfection backdoor in Server service[33][34]
      • Creates named pipe to receive URL from remote host, then downloads from URL
  • Self-defense
    • Blocks DNS lookups
    • Disables AutoUpdate
  • End action
    • Updates self to Conficker D[31]

Conficker D (detected 2009-03-04)
  • Infection vectors
    • None
  • Update propagation
    • HTTP pull
      • Downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs[30]
    • P2P push/pull
      • Uses custom protocol to scan for infected peers via UDP, then transfer via TCP[35]
  • Self-defense
    • Blocks DNS lookups[36]
      • Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites[36]
    • Disables Safe Mode[36]
    • Disables AutoUpdate
    • Kills anti-malware
      • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals[37]
  • End action
    • Downloads and installs Conficker E[31]

Conficker E (detected 2009-04-07)
  • Infection vectors
    • NetBIOS
      • Exploits MS08-067 vulnerability in Server service[38]
  • Update propagation
    • NetBIOS push
      • Patches MS08-067 to open reinfection backdoor in Server service
    • P2P push/pull
      • Uses custom protocol to scan for infected peers via UDP, then transfer via TCP[35]
  • Self-defense
    • Blocks DNS lookups
    • Disables AutoUpdate
    • Kills anti-malware
      • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals[39]
  • End action
    • Updates local copy of Conficker C to Conficker D[40]
    • Downloads and installs malware payload:
      • Waledac spambot[38]
      • SpyProtect 2009 scareware[41]
    • Removes self on 3 May 2009 (but leaves remaining copy of Conficker D)[42]

Initial infection

To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.[27]

Payload propagation

The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the worm to update itself to newer variants, and to install additional malware.

Armoring

To prevent payloads from being hijacked, variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key.[34] The payload is unpacked and executed only if its signature verifies with a public key embedded in the worm. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.[37] Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.[4]
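
The check described above, sketched as an added example (not the worm's code and not taken from any cited analysis), shows why a substituted or altered payload is rejected without the signer's private key. Assumptions: toy RSA keys constructed from small Mersenne primes, unpadded RSA, the raw SHA-1 digest from hashlib as the RC4 key, and a receiver that recovers the digest from the signature before decrypting.

```python
import hashlib

E = 65537  # public exponent shared by both constructed keys


def make_key(p, q):
    """Return (modulus, private exponent) for a toy RSA key built from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed keys, far too small for real use. SIGNER_N stands in for the
# public key embedded in the receiver; OTHER_* is any key the receiver does
# not trust (for example, one held by whoever controls an update domain).
SIGNER_N, SIGNER_D = make_key(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**61 - 1)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack(payload: bytes, n: int, d: int):
    """Hash the payload, encrypt it under the hash, sign the hash."""
    digest = hashlib.sha1(payload).digest()
    ciphertext = rc4(digest, payload)
    signature = pow(int.from_bytes(digest, "big"), d, n)
    return ciphertext, signature


def unpack(ciphertext: bytes, signature: int, trusted_n: int = SIGNER_N):
    """Return the payload only if the signature verifies, else None."""
    recovered = pow(signature, E, trusted_n)
    if recovered >= 2**160:          # cannot be a SHA-1 digest
        return None
    digest = recovered.to_bytes(20, "big")
    payload = rc4(digest, ciphertext)
    # The decrypted payload must hash back to the signed digest.
    if hashlib.sha1(payload).digest() != digest:
        return None
    return payload


def demo():
    """Run the three cases on a constructed blob and report which are accepted."""
    blob = b"constructed update blob"
    ct, sig = pack(blob, SIGNER_N, SIGNER_D)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    sub_ct, sub_sig = pack(b"constructed substitute", OTHER_N, OTHER_D)
    return {
        "genuine": unpack(ct, sig) == blob,
        "tampered": unpack(tampered, sig) is not None,
        "substituted": unpack(sub_ct, sub_sig) is not None,
    }


if __name__ == "__main__":
    print(demo())
```
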

Self-defense

Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[47] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[48] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.[37]

End action

Variant E of the worm was the first to use its base of infected computers for an ulterior purpose.[41] It downloads and installs, from a web server hosted in Ukraine, two additional payloads:[49]

Symptoms

Response

On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.[4][26][56]

From Microsoft

As of 13 February 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.[57]

From registries

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator. Those which have taken action include:

By mid-April 2009, all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.[63]

Origin

The precise origin of Conficker remains unknown. Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the worm, but declined to reveal further technical discoveries about the worm's internals to avoid tipping off its authors.[64] Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts.[4] The payload of Conficker.E was downloaded from a host in Ukraine.[49]

Removal and detection

Microsoft has released a removal guide for the worm, and recommends using the current release of its Windows Malicious Software Removal Tool[65] to remove the worm, then applying the patch to prevent re-infection.[66]

Third-party software

Third-party anti-virus software vendors AVG Technologies, McAfee,[67] Panda Security,[68] BitDefender,[69] ESET,[70] F-Secure,[71] Symantec,[72] Sophos,[73] Kaspersky Lab,[74] Trend Micro[75] and Sunbelt Software have released detection updates to their products and claim to be able to remove the worm.

Automated remote detection

On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[34] The peer-to-peer command protocol used by variants D and E of the worm has since been partially reverse-engineered, allowing researchers to imitate the worm network's command packets and positively identify infected computers en masse.[76][77]

Signature updates for a number of network scanning applications are now available, including Nmap[78] and Nessus.[79] In addition, several commercial vendors have released dedicated scanners, namely eEye[80] and McAfee.[81]

The worm can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.
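
One way to apply the passive check described above, as an added example that is not from the page or any cited tool: it parses tcpdump-style ARP request lines and reports senders that ask for many distinct addresses within a short window. The capture is constructed, and the 30-second window, the 20-target threshold and the reading of "repeating ARP requests" as a sweep of the local subnet are assumptions.

```python
import re
from collections import defaultdict, deque

# tcpdump text output for an ARP request, e.g.
# 12:00:01.500000 ARP, Request who-has 192.168.1.5 tell 192.168.1.23, length 46
ARP_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Request who-has ([\d.]+)"
    r"(?: \(\S+\))? tell ([\d.]+), length \d+$"
)


def parse(line):
    """Return (seconds_since_midnight, sender_ip, target_ip) or None."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, frac, target, sender = m.groups()
    t = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
    return t, sender, target


def find_sweepers(lines, window=30.0, min_targets=20):
    """Map each flagged sender to the most distinct targets seen in one window.

    Lines must be in chronological order; midnight wrap is not handled.
    """
    recent = defaultdict(deque)   # sender -> deque of (time, target)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:           # not an ARP request line, skip it
            continue
        t, sender, target = rec
        q = recent[sender]
        q.append((t, target))
        while q and t - q[0][0] > window:
            q.popleft()           # drop requests older than the window
        distinct = len({tgt for _, tgt in q})
        if distinct >= min_targets:
            flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged


def constructed_capture():
    """Constructed sample: one ordinary host and one host sweeping the subnet."""
    lines = []
    # 192.168.1.10 re-resolves its gateway every 5 s: repeated, but one target.
    for i in range(24):
        sec = i * 5
        lines.append(
            f"12:{sec // 60:02d}:{sec % 60:02d}.000000 ARP, Request who-has "
            f"192.168.1.1 tell 192.168.1.10, length 46"
        )
    # 192.168.1.23 asks for .1 through .60 at two requests per second.
    for i in range(60):
        lines.append(
            f"12:00:{i // 2:02d}.{(i % 2) * 500000:06d} ARP, Request who-has "
            f"192.168.1.{i + 1} tell 192.168.1.23, length 46"
        )
    lines.append("12:00:05.000000 IP 192.168.1.10.5353 > 224.0.0.251.5353: UDP")
    return sorted(lines)          # fixed-width timestamps sort chronologically


if __name__ == "__main__":
    for ip, count in find_sweepers(constructed_capture()).items():
        print(f"{ip} requested {count} distinct addresses within 30 s")
```
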

US CERT

The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715,[82] US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively.[83] US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.[84]

References

  1. Protect yourself from the Conficker computer worm, Microsoft, 2009-04-09, http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx, retrieved 2009-04-28 
  2. Markoff, John (2009-01-22). "Worm Infects Millions of Computers Worldwide". New York Times. http://nytimes.com/2009/01/23/technology/internet/23worm.html. Retrieved 2009-04-23. 
  3. Markoff, John (2009-08-26). "Defying Experts, Rogue Computer Code Still Lurks". New York Times. http://www.nytimes.com/2009/08/27/technology/27compute.html. Retrieved 2009-08-27. 
  4. Bowden, Mark (June 2010), The Enemy Within, The Atlantic, http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/, retrieved 2010-05-15
  5. Grigonis, Richard (2009-02-13), Microsoft's US$5 million Reward for the Conficker Worm Creators, IP Communications, http://ipcommunications.tmcnet.com/topics/ip-communications/articles/50562-microsofts-5000000-reward-the-conficker-worm-creators.htm, retrieved 2009-04-01 
  6. Ficker in dict.cc English-German Dictionary; Ficker in bab.la German-English Dictionary; Ficken in pons German-English Dictionary.
  7. Phillips, Joshua, Malware Protection Center - Entry: Worm:Win32/Conficker.A, Microsoft, http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.a, retrieved 2009-04-01 
  8. Leffall, Jabulani (2009-01-15). "Conficker worm still wreaking havoc on Windows systems". Government Computer News. http://gcn.com/Articles/2009/01/15/Conficker-worm-still-lurks.aspx. Retrieved 2009-03-29. 
  9. Microsoft Security Bulletin MS08-067 – Critical; Vulnerability in Server Service Could Allow Remote Code Execution (958644), Microsoft Corporation, http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx, retrieved 2009-04-15 
  10. Leyden, John (2009-01-19), Three in 10 Windows PCs still vulnerable to Conficker exploit, The Register, http://theregister.co.uk/2009/01/19/conficker_worm_feed, retrieved 2009-01-20 
  11. Nahorney, Ben; Park, John (2009-03-13), "Propagation by AutoPlay", The Downadup Codex, Symantec, pp. 32, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf, retrieved 2009-04-01
  12. "Clock ticking on worm attack code". BBC News Online (BBC). 2009-01-20. http://news.bbc.co.uk/1/hi/technology/7832652.stm. Retrieved 2009-01-16. 
  13. Sullivan, Sean (2009-01-16). "Preemptive Blocklist and More Downadup Numbers". F-Secure. http://f-secure.com/weblog/archives/00001582.html. Retrieved 2009-01-16. 
  14. Neild, Barry (2009-01-16), Downadup Worm exposes millions of PCs to hijack, CNN, http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview, retrieved 2009-01-18 
  15. Virus strikes 15 million PCs, UPI, 2009-01-26, http://upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206, retrieved 2009-03-25 
  16. "Six percent of computers scanned by Panda Security are infected by the Conficker worm". Panda Security. 2009-01-21. http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9526. Retrieved 2009-01-21. 
  17. McMillan, Robert (2009-04-15), "Experts bicker over Conficker numbers", Techworld (IDG), http://www.techworld.com/news/index.cfm?RSS&NewsID=114307, retrieved 2009-04-23 
  18. Willsher, Kim (2009-02-07), French fighter planes grounded by computer worm, London: The Daily Telegraph, http://telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html, retrieved 2009-04-01 
  19. Williams, Chris (2009-01-20), MoD networks still malware-plagued after two weeks, The Register, http://theregister.co.uk/2009/01/20/mod_malware_still_going_strong, retrieved 2009-01-20 
  20. Williams, Chris (2009-01-20), Conficker seizes city's hospital network, The Register, http://theregister.co.uk/2009/01/20/sheffield_conficker, retrieved 2009-01-20 
  21. (in German) Conficker-Wurm infiziert hunderte Bundeswehr-Rechner, PC Professionell, 2009-02-16, http://www.pc-professionell.de/news/2009/02/16/conficker_wurm_infiziert_hunderte_bundeswehr_rechner, retrieved 2009-04-01 
  22. Leyden, John (1 July 2009). "Conficker left Manchester unable to issue traffic tickets". The Register. http://www.theregister.co.uk/2009/07/01/conficker_council_infection/. 
  23. Leyden, John (2009-03-27), Leaked memo says Conficker pwns Parliament, The Register, http://theregister.co.uk/2009/03/27/conficker_parliament_infection, retrieved 2009-03-29 
  24. "Conficker virus hits Manchester Police computers". BBC News. 2010-02-02. http://news.bbc.co.uk/1/hi/england/manchester/8492669.stm. Retrieved 2010-02-02. 
  25. Nahorney, Ben; Park, John (2009-03-13), "Propagation by AutoPlay", The Downadup Codex, Symantec, pp. 2, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf, retrieved 2009-04-01 
  26. Markoff, John (2009-03-19), Computer Experts Unite to Hunt Worm, New York Times, http://www.nytimes.com/2009/03/19/technology/19worm.html?_r=1&ref=us, retrieved 2009-03-29
  27. Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19), An Analysis of Conficker, SRI International, http://mtc.sri.com/Conficker/, retrieved 2009-03-29
  28. Tiu, Vincent (2009-03-27), Microsoft Malware Protection Center: Information about Worm:Win32/Conficker.D, Microsoft, http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx, retrieved 2009-03-30
  29. Macalintal, Ivan; Cepe, Joseph; Ferguson, Paul (2009-04-07), DOWNAD/Conficker Watch: New Variant in The Mix?, Trend Micro, http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/, retrieved 2009-04-07 
  30. Park, John (2009-03-27), W32.Downadup.C Pseudo-Random Domain Name Generation, Symantec, https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Pseudo-Random-Domain-Name-Generation/ba-p/393367#A258, retrieved 2009-04-01
  31. Nahorney, Ben (2009-04-21). "Connecting The Dots: Downadup/Conficker Variants". Symantec. http://www.symantec.com/connect/blogs/connecting-dots-downadupconficker-variants. Retrieved 2009-04-25.
  32. Chien, Eric (2009-02-18), Downadup: Locking Itself Out, Symantec, https://forums2.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837, retrieved 2009-04-03
  33. Chien, Eric (2009-01-19), Downadup: Peer-to-Peer Payload Distribution, Symantec, https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227, retrieved 2009-04-01
  34. Leder, Felix; Werner, Tillmann (2009-04-07), Know Your Enemy: Containing Conficker, HoneyNet Project, http://www.honeynet.org/files/KYE-Conficker.pdf, retrieved 2009-04-13
  35. W32.Downadup.C Bolsters P2P, Symantec, 2009-03-20, https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331#A253, retrieved 2009-04-01
  36. Leung, Ka Chun; Kiernan, Sean (2009-04-06), W32.Downadup.C Technical Details, http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2, retrieved 2009-04-10
  37. Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19), An Analysis of Conficker C (draft), SRI International, http://mtc.sri.com/Conficker/, retrieved 2009-03-29
  38. Fitzgerald, Patrick (2009-04-09), W32.Downadup.E—Back to Basics, Symantec, https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465, retrieved 2009-04-10
  39. Putnam, Aaron, Virus Encyclopedia: Worm:Win32/Conficker.E, Microsoft, http://onecare.live.com/standard/en-us/virusenc/VirusEncInfo.htm?VirusName=Worm:Win32/Conficker.E, retrieved 2009-04-18 
  40. Nahorney, Ben; Park, John (2009-04-21), "Connecting The Dots: Downadup/Conficker Variants", The Downadup Codex (2.0 ed.), Symantec, pp. 47, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf, retrieved 2009-06-19 
  41. Keizer, Gregg (2009-04-09), Conficker cashes in, installs spam bots and scareware, Computerworld, http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9131380, retrieved 2009-04-10
  42. Leung, Kachun; Liu, Yana; Kiernan, Sean (2009-04-10), W32.Downadup.E Technical Details, Symantec, http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99&tabid=2, retrieved 2009-04-10 
  43. CVE-2008-4250, Common Vulnerabilities and Exposures, Department of Homeland Security, 2008-06-04, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250, retrieved 2009-03-29 
  44. "Passwords used by the Conficker worm". Sophos. http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/. Retrieved 2009-01-16. 
  45. Robertson, Andrew (2009-02-12), Microsoft Collaborates With Industry to Disrupt Conficker Worm, ICANN, http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm, retrieved 2009-04-01 
  46. Leder, Felix; Werner, Tillmann (2009-04-02), Containing Conficker, Institute of Computer Science, University of Bonn, http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/, retrieved 2009-04-03 
  47. Win32/Conficker.C, CA, 2009-03-11, http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=77976, retrieved 2009-03-29 
  48. Malware Protection Center - Entry: Worm:Win32/Conficker.D, Microsoft, http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.D, retrieved 2009-03-30 
  49. Krebs, Brian (2009-04-10), "Conficker Worm Awakens, Downloads Rogue Anti-virus Software", Washington Post, http://voices.washingtonpost.com/securityfix/2009/04/conficker_worm_awakens_downloa.html, retrieved 2009-04-25
  50. O'Murchu, Liam (2008-12-23), W32.Waledac Technical Details, Symantec, http://symantec.com/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2, retrieved 2009-04-10 
  51. Higgins, Kelly Jackson (2009-01-14), Storm Botnet Makes A Comeback, DarkReading, http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212900543, retrieved 2009-04-11 
  52. Coogan, Peter (2009-01-23), Waledac – Guess which one is for you?, Symantec, https://forums2.symantec.com/t5/Malicious-Code/Waledac-Guess-which-one-is-for-you/ba-p/382056, retrieved 2009-04-11 
  53. Gostev, Aleks (2009-04-09), The neverending story, Kaspersky Lab, http://www.viruslist.com/en/weblog?weblogid=208187654, retrieved 2009-04-13 
  54. "Virus alert about the Win32/Conficker.B worm". Microsoft. 2009-01-15. http://support.microsoft.com/kb/962007. Retrieved 2009-01-22. 
  55. "Virusencyclopedie: Worm:Win32/Conficker.B". Microsoft. https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Conficker. Retrieved 2009-08-03. 
  56. O'Donnell, Adam (2009-02-12), Microsoft announces industry alliance, $250k reward to combat Conficker, ZDNet, http://blogs.zdnet.com/security/?p=2572, retrieved 2009-04-01 
  57. Microsoft Collaborates With Industry to Disrupt Conficker Worm (Microsoft offers $250,000 reward for Conficker arrest and conviction.), Microsoft, 2009-02-12, http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases, retrieved 2009-09-22 
  58. (in Spanish) NIC Chile participa en esfuerzo mundial en contra del gusano Conficker, NIC Chile, 2009-03-31, http://www.nic.cl/anuncios/2009-03-31.html, retrieved 2009-03-31 
  59. CIRA working with international partners to counter Conficker C, CIRA, 2009-03-24, http://cira.ca/pr-conficker-c, retrieved 2009-03-31 
  60. (in Spanish) NIC-Panama colabora en esfuerzo mundial en contra del Gusano Conficker., NIC-Panama, 2009-03-27, http://www.nic.pa/paginas/anuncio1.php?numero=6, retrieved 2009-03-27 
  61. D'Alessandro, Marco (2009-03-30), SWITCH taking action to protect against the Conficker computer worm, SWITCH, http://switch.ch/about/news/2009/conficker.html, retrieved 2009-04-01 
  62. Bartosiewicz, Andrzej (2009-03-31) (in Polish), Jak działa Conficker?, Webhosting.pl, http://webhosting.pl/Jak.dziala.Conficker, retrieved 2009-03-31 
  63. Maniscalchi, Jago (2009-06-07), Conficker.A DNS Rendezvous Analysis, Digital Threat, http://www.digitalthreat.net/?p=38, retrieved 2009-06-26 
  64. Greene, Tim (2009-07-31), Conficker talk sanitized at Black Hat to protect investigation, Network World, http://www.networkworld.com/news/2009/073109-black-hat-conficker-talk.html, retrieved 2009-12-28 
  65. Malicious Software Removal Tool, Microsoft, 2005-01-11, http://www.microsoft.com/security/malwareremove/default.mspx, retrieved 2009-03-29 
  66. Protect yourself from the Conficker computer worm, Microsoft, 2009-03-27, http://microsoft.com/protect/computer/viruses/worms/conficker.mspx, retrieved 2009-03-30 
  67. "Protecting yourself from the Conficker worm". McAfee. http://www.mcafee.com/us/threat_center/conficker.html. Retrieved 2009-07-29. 
  68. "Win32/Conficker.C". Threat Encyclopedia. Panda Security. http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292. Retrieved 2009-03-29. 
  69. Radu, Daniel; Cimpoesu, Mihai, Win32.Worm.Downadup.Gen, BitDefender, http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html, retrieved 2009-04-01 
  70. "Win32/Conficker.AA". Threat Encyclopaedia. ESET. http://www.eset.eu/encyclopaedia/conficker_aa_trojan_win32_agent_bbof_w32_downadup_b_w32_conficker_worm_gen_a. Retrieved 2009-03-29. 
  71. "Worm:W32/Downadup.AL". F-Secure. http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml. Retrieved 2009-03-30. 
  72. "W32.Downadup - Removal". Symantec. 2008-11-24. http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3. Retrieved 2009-03-29. 
  73. "Conficker Removal Tool". Sophos. 2009-01-16. http://www.sophos.com/products/free-tools/conficker-removal-tool.html. Retrieved 2009-03-29. 
  74. "How to remove network worm Net-Worm.Win32.Kido". Kaspersky Lab. 2009-03-20. http://support.kaspersky.com/faq/?qid=208279973. Retrieved 2009-03-29. 
  75. "WORM_DOWNAD.E". Trend Labs. 2009-04-11. http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=Sn. Retrieved 2009-05-05. 
  76. Bowes, Ron (2009-04-21), Scanning for Conficker’s peer to peer, SkullSecurity, http://www.skullsecurity.org/blog/?p=230, retrieved 2009-04-25 
  77. W32.Downadup P2P Scanner Script for Nmap, Symantec, 2009-04-22, https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519#A266, retrieved 2009-04-25 
  78. Bowes, Ronald (2009-03-30), Scanning for Conficker with Nmap, SkullSecurity, http://www.skullsecurity.org/blog/?p=209, retrieved 2009-03-31 
  79. Asadoorian, Paul (2009-04-01), Updated Conficker Detection Plugin Released, Tenable Security, http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html, retrieved 2009-04-02 
  80. Conficker Worm Scanning Utility, eEye Digital Security, http://www.eeye.com/html/downloads/other/ConfickerScanner.html 
  81. McAfee, http://www.mcafee.com/us/enterprise/confickertest.html
  82. "How to disable the Autorun functionality in Windows". Microsoft. 2009-03-27. http://support.microsoft.com/kb/967715. Retrieved 2009-04-15. 
  83. Technical Cyber Security Alert TA09-020A: Microsoft Windows Does Not Disable AutoRun Properly, US-CERT, 2009-01-29, http://www.us-cert.gov/cas/techalerts/TA09-020A.html, retrieved 2009-02-16 
  84. DHS Releases Conficker/Downadup Computer Worm Detection Tool, Department of Homeland Security, 2009-03-30, http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm, retrieved 2009-04-01 