Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[2]

ID: S0608
Associated Software: Kido, Downadup
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 23 February 2021
Last Modified: 08 March 2023

Associated Software Descriptions

Name        Description
Kido        [1]
Downadup    [1]

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Conficker adds Registry Run keys to establish persistence.[3]

Enterprise T1543.003 Create or Modify System Process: Windows Service

Conficker copies itself into the %systemroot%\system32 directory and registers as a service.[1]

Enterprise T1568.002 Dynamic Resolution: Domain Generation Algorithms

Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[1][3]

Enterprise T1210 Exploitation of Remote Services

Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Conficker terminates various services related to system security and Windows.[1]

Enterprise T1105 Ingress Tool Transfer

Conficker downloads an HTTP server to the infected machine.[1]

Enterprise T1490 Inhibit System Recovery

Conficker resets system restore points and deletes backup files.[1]

Enterprise T1112 Modify Registry

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.[1][3]

Enterprise T1046 Network Service Discovery

Conficker scans for other machines to infect.[1]

Enterprise T1027 Obfuscated Files or Information

Conficker has obfuscated its code to prevent its removal from host machines.[3]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Conficker variants spread through NetBIOS share propagation.[1]

Enterprise T1091 Replication Through Removable Media

Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[1][3]

Enterprise T1124 System Time Discovery

Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[1][3]

ICS T0826 Loss of Availability

A Conficker infection at a nuclear power plant forced the facility to temporarily shut down.[4]

ICS T0828 Loss of Productivity and Revenue

A Conficker infection at a nuclear power plant forced the facility to shut down and go through the security procedures that such events require, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production.[4]

ICS T0847 Replication Through Removable Media

Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.[5] Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or from computers found in the power plant's facility.[4]

References