Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.[2]

ID: S0608
Associated Software: Kido, Downadup
Platforms: Windows
Version: 1.0
Created: 23 February 2021
Last Modified: 14 October 2021

Associated Software Descriptions

Name Description




Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Conficker adds Registry Run keys to establish persistence.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Conficker copies itself into the %systemroot%\system32 directory and registers as a service.[1]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[1][3]

Enterprise T1210 Exploitation of Remote Services

Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Conficker terminates various services related to system security and Windows.[1]

Enterprise T1105 Ingress Tool Transfer

Conficker downloads an HTTP server to the infected machine.[1]

Enterprise T1490 Inhibit System Recovery

Conficker resets system restore points and deletes backup files.[1]

Enterprise T1112 Modify Registry

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.[1][3]

Enterprise T1046 Network Service Scanning

Conficker scans for other machines to infect.[1]

Enterprise T1027 Obfuscated Files or Information

Conficker has obfuscated its code to prevent its removal from host machines.[3]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Conficker variants spread through NetBIOS share propagation.[1]

Enterprise T1091 Replication Through Removable Media

Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[1][3]

Enterprise T1124 System Time Discovery

Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[1][3]