
What is the Conficker Virus?

The Conficker Virus is a type of malware known as a computer worm. It was first discovered in November 2008, after it had spread across the internet by exploiting a vulnerability in a network service on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. Using a flaw in NetBIOS (MS08-067), the Conficker worm gained access to personal computers and servers, then ran a heavy dictionary attack to bypass administrator passwords and form a botnet.
Since the discovery of the Conficker malware in 2008, Microsoft has patched the vulnerability described in MS08-067 with security update 958644. This has prevented the worm from spreading further, but not before it had reached millions of computers in over 190 countries, including personal, business, and government computers. While it is known to be among the most prolific malicious code in the world, it has not been used by the original authors to do damage to systems. Some attribute this strange behavior to the hackers not wishing to draw attention.
It is also known as:
- Mal/Conficker-A
- Win32/Conficker.A
- W32.Downadup
- W32/Downadup.A
- Conficker.A
- Net-Worm.Win32.Kido.bt
- W32/Conficker.worm
- Win32.Worm.Downadup.Gen
- Win32:Confi
- WORM_DOWNAD
- Worm.Downadup

How Does the Conficker Virus Work?
The Conficker worm is malicious code that made use of a software vulnerability in Windows networking code. The malware circumvented proper authentication, which allowed it to download software payloads and spread. It is more commonly referred to as a worm due to its ability to spread on its own and embed itself deeper in Windows computers, usually by installing itself in the Win32 system files as a DLL file and adding registry keys so that it avoids detection and runs as an invisible background application.
The payloads were retrieved by HTTP pulls that originated from trafficconverter.biz and spread across 250 pseudorandom domains over 5 TLDs (Top-Level Domains). Each series of payloads was intended to update the Conficker virus to a newer form with increased functionality. These variants have been identified as Conficker A, B, C, D, and E by Microsoft and as Conficker A, B, B++, C, and D by the Conficker Working Group (CWG).
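A detection sketch for the domain-polling behaviour described above, added here as an example and not taken from the original article: it reads resolver log lines and flags any client that looks up an unusually large number of distinct names that never resolve within one day. The log layout `date client qname rcode`, both thresholds, the expectation that most generated names return NXDOMAIN, and all sample data (addresses, `tldN` labels) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds, set below the 250 domains per day cited in the article.
MIN_FAILED_DOMAINS = 100   # distinct never-resolving names per client per day
MIN_FAILURE_RATIO = 0.8    # share of the client's distinct names that failed

def parse(line):
    """Parse 'YYYY-MM-DD client qname rcode' (hypothetical log layout)."""
    parts = line.split()
    if len(parts) != 4:
        return None                       # malformed line
    day, client, qname, rcode = parts
    return day, client, qname.rstrip(".").lower(), rcode.upper()

def suspicious_clients(lines):
    """Return {(day, client): {'failed': n, 'tlds': [...]}} for flagged clients."""
    seen = defaultdict(lambda: {"ok": set(), "failed": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        day, client, qname, rcode = rec
        bucket = "failed" if rcode == "NXDOMAIN" else "ok"
        seen[(day, client)][bucket].add(qname)
    hits = {}
    for key, names in seen.items():
        failed = names["failed"] - names["ok"]          # never resolved that day
        total = len(names["ok"] | names["failed"])
        if (len(failed) >= MIN_FAILED_DOMAINS
                and len(failed) / total >= MIN_FAILURE_RATIO):
            tlds = sorted({n.rsplit(".", 1)[-1] for n in failed})
            hits[key] = {"failed": len(failed), "tlds": tlds}
    return hits

def sample_log():
    """Constructed data: one noisy client, one ordinary client, one bad line."""
    lines = [f"2009-01-10 10.0.0.7 q{i:03d}.tld{i % 5} NXDOMAIN" for i in range(250)]
    lines += [f"2009-01-10 10.0.0.8 www.example.tld{k} NOERROR" for k in range(5)]
    lines += ["2009-01-10 10.0.0.8 typo.example.tld0 NXDOMAIN", "garbage"]
    return lines
```

The number of distinct TLDs in the result helps separate this pattern from a single misconfigured application that retries one broken name.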
Conficker A to B
Conficker A refers to the original variant of the malicious code. This worm gained access to a surprising number of devices in very little time. The hackers responsible for writing the code were tracking the antivirus attempts to remove the malware and stop the spread: almost immediately after the initial vulnerability was remedied, the HTTP pulls began to download an updated version of the malware with increased functionality. The second form of the virus, Conficker B, was noticed on December 29, 2008, only a little over a month after the initial discovery. It added the ability for the malicious code to perform dictionary attacks on the ADMIN$ shares and created DLL-based AutoRun trojan malware that could be used on removable storage drives. As an added method to avoid cybersecurity attempts, Conficker B increased its HTTP propagation pull from 5 TLDs to 8.
The initial fix for Conficker was an update to patch the NetBIOS vulnerability on Windows computers (MS08-067). Thus, Conficker B applied a self-defense mechanism that disabled Auto Updates to stop the patch from being applied and even prevented certain DNS lookups to avoid detection. It even attempted to patch the MS08-067 code to reopen the vulnerability for infection.
Conficker C
Microsoft, the Conficker working group, Conficker Cabal, and government cybersecurity teams were hard at work trying to remove the infection and create better detection methods as government systems were being heavily affected. On January 15, 2009, the French Navy was forced to ground several airbases due to the worm blocking aircraft from downloading flight plans. Near the end of February 2009, Conficker C was introduced. It increased the network congestion by changing from 250 pseudorandom domain downloads to anywhere between 500 and 50,000 daily downloads over eight TLDs and introducing named URL pipelines to a remote host to further increase direct payload downloads.
Conficker D
In March 2009, the Conficker worm was transformed once again. This time, the HTTP pull was increased from eight TLDs to 110 TLDs per day and P2P connections were utilized. A custom protocol was installed to scan for infected peers via UDP and then transfer the worm via TCP. Conficker D also saw a massive increase in the self-defense protocols it used against software that attempted to get rid of the malicious code. It made use of an in-memory patch of DNSAPI.DLL to block lookups of anti-malware/antivirus-related websites, disabled Safe Mode, and started a routine that terminated anti-malware/antivirus software at one-second intervals.
Conficker E
In the last known iteration of the Conficker malware, the worm created a software cycle defense. The self-defense protocols and propagation techniques were seemingly already perfected as Conficker E sought to deliver malware payloads such as the Waledac spambot and SpyProtect 2009 scareware. This version updated any local copy of Conficker C to Conficker D, but strangely also removed the E variant on May 3, 2009, leaving behind a copy of the Conficker D virus.
Variant E was the only Conficker variant to use the access gained by the worm to do anything other than disrupt network bandwidth and further propagate itself. With the built-in code to remove E after a month, this variant was likely a trial run for the worm’s potential use.

How Does the Conficker Virus Spread?
Initial Conficker infections were made possible by exploiting a vulnerability on Windows computers through the Server Service. Variants A, B, C, and E used specially crafted RPC requests to force a buffer overflow and execute shellcode on the target computer. The source computer would run an HTTP server on a port between 1024 and 10000. The target shellcode connected back to this HTTP server to download the virus in DLL form, which would then attach to svchost.exe. Variants B and later would sometimes attach to a running services.exe or Windows Explorer process instead of svchost.exe.
Variants B and C could remotely proliferate copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share was password-protected, the Conficker worm would perform a dictionary attack that could generate significant network traffic and trigger user account lockout policies. B and C could also place a copy of the DLL form of the virus inside the recycle.bin folders of any attached removable media, which could then infect other devices using the Windows AutoRun mechanism with a custom autorun.inf.
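For the removable-media path described above, the following added example (not code from the original article) parses an `autorun.inf` and reports launch entries that load a DLL or point into a recycle-bin folder, which is how a responder can triage a USB drive before mounting it on a Windows host. The function names, the flagging rules and both sample files are assumptions constructed for illustration.

```python
import re

# Folder names Windows uses for the recycle bin on different volume types.
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
# autorun.inf keys whose value is a command that AutoRun can launch.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)", re.I)

def launch_entries(raw: bytes):
    """Yield (key, command) pairs from the [autorun] section.

    latin-1 decoding never fails, so padding or junk bytes in the file
    cannot stop the scan.
    """
    section = ""
    for line in raw.decode("latin-1").replace("\x00", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if LAUNCH_KEY.fullmatch(key.strip()):
                yield key.strip().lower(), value.strip()

def flag_autorun(raw: bytes):
    """Return [(key, command, reasons)] for entries worth quarantining."""
    findings = []
    for key, cmd in launch_entries(raw):
        low = cmd.lower().replace("/", "\\")
        parts = set(re.split(r"[\\\s\"]+", low))      # path components and words
        reasons = []
        if RECYCLE_DIRS & parts:
            reasons.append("target inside a recycle-bin folder")
        if re.search(r"\brundll32(\.exe)?\b", low) or re.search(r"\.dll\b", low):
            reasons.append("loads a DLL")
        if reasons:
            findings.append((key, cmd, reasons))
    return findings

# Constructed samples (placeholder names, not taken from a real infection).
SUSPECT = (b"[AutoRun]\r\n\x8f\x00\x91 padding \xfe\r\n"
           b"shellexecute=rundll32.exe .\\RECYCLER\\placeholder\\sample.dll,Entry\r\n")
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nopen=setup.exe /quiet\r\n"
```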
Symptoms of a Conficker Virus infection
As the Conficker worm runs through a DLL file to remain invisible in active programs, it can be hard to detect. Even the symptoms are sometimes attributed to other network-related problems. Here’s a list of the most common symptoms attributed to the Conficker worm:
• Account lockout policies are being activated. This can be caused by the brute-force dictionary attack the Conficker worm uses to gain access to ADMIN$ shares.
• Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are being automatically disabled.
• Domain controllers respond slowly to client requests.
• Network congestion.
• Security-related websites are prevented from being accessed.
• Antivirus, anti-malware, and other security-related tools are prevented from running.
As can be noted from the symptoms, the virus mostly affects network congestion and user account access. This is mostly due to the malware’s daily downloads and brute-force dictionary attacks. Only Variant E used the worm’s access to install other malicious software, but it was quickly retired, as the E Variant was programmed to remove itself a month after it was launched.
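To tell the dictionary attack behind the lockout symptom apart from ordinary mistyped passwords, the following added example (not from the original article) groups failed logons by source and flags a source that fails against many different accounts within a short window, then lists which of those accounts were locked out. It assumes events exported as `timestamp,event_id,account,source`, the Windows Security event IDs 4625 (failed logon) and 4740 (account locked out) used on Windows Vista and later, and thresholds chosen for illustration; the sample events are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_ACCOUNTS = 5                # assumed: distinct accounts failed by one source

def load(text):
    """Parse 'timestamp,event_id,account,source' rows (assumed export format)."""
    rows = [(datetime.fromisoformat(ts), int(eid), acct.lower(), src)
            for ts, eid, acct, src in csv.reader(io.StringIO(text.strip()))]
    return sorted(rows)

def dictionary_attack_sources(text):
    """Return {source: {'accounts': [...], 'locked': [...]}} for flagged sources."""
    rows = load(text)
    locked = {acct for _, eid, acct, _ in rows if eid == 4740}
    failures = defaultdict(list)            # source -> [(time, account)]
    for ts, eid, acct, src in rows:
        if eid == 4625:
            failures[src].append((ts, acct))
    flagged = {}
    for src, events in failures.items():
        start = 0
        for end in range(len(events)):
            # Drop events older than WINDOW relative to the current one.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            if len({a for _, a in events[start:end + 1]}) >= MIN_ACCOUNTS:
                targeted = {a for _, a in events}
                flagged[src] = {"accounts": sorted(targeted),
                                "locked": sorted(targeted & locked)}
                break
    return flagged

def sample_events():
    """Constructed events: one host cycling through accounts, one user typo."""
    base = datetime(2009, 1, 12, 9, 0)
    lines = [f"{(base + timedelta(seconds=20 * i + n)).isoformat()},4625,{acct},10.0.0.7"
             for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
             for n in range(3)]
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()},4740,bob,DC01")
    lines.append(f"{base.isoformat()},4625,grace,10.0.0.9")
    return "\n".join(lines)
```

A flagged source is the machine to isolate and scan first, since the lockouts it causes will recur on every other host until it is cleaned.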
How to Get Rid of the Conficker Virus?
Modern methods to get rid of Conficker are much simpler than they used to be. Microsoft Safety Scanner, Windows Defender, Webroot, Malwarebytes, AVG, and others have implemented malware removal tools that scan for and get rid of the virus. If any of the listed antivirus software isn’t doing the trick, you can also follow explicit instructions from the Microsoft Malware Protection Center to manually remove the virus.
Computers running Windows 10 or Windows 11 are significantly improved and do not have the NetBIOS vulnerability the worm requires to infect your device. However, if you are still attempting to run an outdated Windows computer or server with vulnerable systems, you can disable the autorun feature and manually apply the security patch provided by Microsoft on the official company website.
The Best Antivirus Software for the Conficker Virus
No specific antivirus or anti-malware software is more effective than another at removing the Conficker Virus. During the height of Conficker propagation, Microsoft, the Conficker Cabal, CWG, and government entities put a lot of effort into sorting out the problem. However, the single greatest method to get rid of it is updating the Microsoft Windows operating system to a newer version that lacks the vulnerability Conficker makes use of.
As a result, Microsoft released Microsoft Safety Scanner to help clean the malware from Windows computers. As not all antiviruses had the dictionary inputs to detect Conficker, the Microsoft Malware Protection Center developed a stand-alone binary that proved useful in its efforts to remove prevalent malicious software, including the Win32/Conficker malware family. Since then, AVG, Norton, Malwarebytes, Trend Micro, Comodo, Webroot, and many other antivirus products have added the ability to scan for and remove the Conficker worm.
While newer systems are significantly less vulnerable to the propagation of the Conficker worm, the virus is still out in the wild world wide web and can still find its way onto modern Windows computers.