Conficker Worm – A History Lesson
This week’s we are going to focus on an oldie but a goodie: Conficker. Why is Conficker so important to understand?
Well, even though it is an old worm, the exploit it utilized is still the main one used in training new folks in cyber security industry.
So, what is Conficker anyway? Conficker is a computer worm that targets the Microsoft Windows operating system that was first detected in November of 2008. Conficker is also known as Downup, Downadup, and Kido. Conficker is a worm and it infected over 15 million computers around the globe, including government, business, and home computers in over 190 countries, making it the largest known computer worm infection since Welchia in 2003.
Conficker targeted a flaw in the SMB network service in Windows 2000, XP, Vista, Server 2003, Server 2008, and the Windows 7 Beta. Microsoft has found the coding error before Conficker was first detected, having issues a path on October 23, 2008, just weeks before Conficker was detected in the wild. This patch, the now infamous MS08-067, wasn’t installed by all users though, leaving them vulnerable to the Conficker worms propagation across the internet. In fact, by January 2009, nearly 30% of Windows users still had not installed the required patch to stop this worm from spreading.
Conficker is a really interesting worm to study because it utilizes a combination of many advanced malware techniques, making it harder to stop. And, the worms author, who to this day has still not been identified, continued to release new variants as law enforcement and network operators worked to get ahead of the problem by preventing the spread of the worm.
How did Conficker work so successfully? First, it relied on the exploitation of a vulnerable computer that wasn’t patched for the MS08-067 vulnerability. It would send a specially-crafted Remote Procedure Call (RPC) request to force a buffer overflow and execute shell code on the victim machine. If that sounds like I am speaking gibberish, check out my video on “Introduction to Buffer Overflows” in the Ethical Hacking/Penetration Testing playlist. Once that shell code was run, it would join a larger bonnet and be ready to receive its payload from a daily list of 250 domain names (and 50,000 daily domain names in the later variants). These payloads would update the worm with a newer variant and have the ability to install additional malware like keyloggers, root kits, and other nefarious software.
The worm itself used encryption to armor itself from detection and even reset System Restore points and disabled Windows Automatic Updates, Anti-virus updates, and more to prevent detection and removal.
Thankfully, today the Conflicker worm is not a major issue. Microsoft estimates that only 400,000 computers remain infected on the Internet today. These are mostly older servers or workstations that people have simply refused to upgrade or update, leaving them vulnerable. If you home computer is Windows 7 or newer, it is not vulnerable to attack by Conficker, though, so don’t worry. In the end, though, this is still a very interesting case study in how the industry banded together to stop the worm from spreading.
I can’t cover every detail of conficker or the fight to stop it in this short video, but if you want to get a great inside look into the world of defensive cyber operations, I would highly recommend you check out the book “Worm” by Mark Bowden. It is a fascinating read for those of us in or entering the cyber security industry, where he takes a non-technical approach to describing the spread of the worm and how the Conficker Cabal, as they were known, gathered experts around the globe to stop it. I have placed a link to the book on Amazon in the description below if you are interested in picking it up.
I hope you enjoyed this weeks Cyber Security Minute. It was a little longer than normal, but I think the discussion on Conflicker is really worth it. If you would like to exploit the MS08-067 yourself, check out my course Anatomy of a Cyber Attack on Udemy, where we use the same exploit to takeover a victim machine and wreck all kinds of havoc. I have even included a discount code below to pick up the course for only $15 for my youtube subscribers.
Visit https://www.JasonDion.com for cyber security information, certification exam prep courses, and more.
** Network+ (N10-006): Full Course on Udemy (90% off, only $10) **
** Anatomy of a Cyber Attack on Udemy (90% off, only $15) **