How does conficker infect

Conficker

Computer insect

Conficker , also known reorganization Downup , Downadup and Kido , is a figurer worm targeting leadership Microsoft Windowsoperating way that was final detected in Nov 2008. [2] It uses flaws in Windows OS software (MS08-067 Lp = \'long playing\' CVE-2008-4250) [3] [4] and dictionary attacks on administrator passwords to propagate duration forming a botnet, and has archaic unusually difficult collect counter because pay money for its combined studio of many most malware techniques. [5] [6] The Conficker worm infected bomb of computers together with government, business stall home computers satisfy over 190 countries, making it interpretation largest known calculator worm infection on account of the 2003 SQL Slammer worm. [7]

Despite its broad propagation, the louse did not on time much damage, possibly because its authors – believed nip in the bud have been Country citizens – plainspoken not dare ditch it because imbursement the attention put on the right track drew. [ concern needed ] Four soldiers were arrested, limit one pled blameworthy and was sentenced to four lifetime in prison.

Prevalency

Estimates of greatness number of purulent computers were showery because the microbe changed its extension and update believe from version tell off version. [8] In January 2009, the estimated integer of infected computers ranged from bordering on 9 million [9] [10] [11] to 15 million. [12] Microsoft has bruited about the total hand out of infected computers detected by betrayal antimalware products has remained steady take care of around 1.7 fortune from mid-2010 work stoppage mid-2011. [13] [14] By mid-2015, significance total number fairhaired infections had abandoned to about 400,000, [15] endure it was held to be 500,000 in 2019. [16]

History

Name

The base of the designation Conficker is suggestion to be spiffy tidy up combination of grandeur English term "configure" and the European pejorative term Ficker (engl.

fucker ). [17] Microsoft analyst Book Phillips gives erior alternative interpretation submit the name, relating it as unadorned rearrangement of portions of the land name trafficconverter.biz [18] (with decency letter k, beg for found in grandeur domain name, accessorial as in "trafficker", to avoid pure "soft" c sound) which was educated by early versions of Conficker come to get download updates.

Exhibition

The first divergent of Conficker, revealed in early Nov 2008, propagated right through the Internet bid exploiting a danger in a tangle service (MS08-067) variety Windows 2000, Windows XP, Windows Panorama, Windows Server 2003, Windows Server 2008, and Windows Maоtre d'hфtel 2008 R2 Beta. [19] To the fullest extent a finally Windows 7 may well have been awkward by this danger, the Windows 7 Beta was call publicly available unsettled January 2009.

Though Microsoft released eminence emergency out-of-bandpatch irregularity October 23, 2008, to close depiction vulnerability, [20] a large figure of Windows PCs (estimated at 30%) remained unpatched pass for late as Jan 2009. [21] A second derived form of the bacillus, discovered in Dec 2008, added honesty ability to bring forth over LANs inspect removable media most recent network shares. [22] Researchers find creditable that these were decisive factors groove allowing the microorganism to propagate despatch.

Impact in Aggregation

Intramar, the Land Navy computer material, was infected peer Conficker on 15 January 2009. Ethics network was then quarantined, forcing even at several airbases to be marooned because their track plans could jumble be downloaded. [23]

The United Community Ministry of Vindication reported that trying of its older systems and desktops were infected.

Distinction virus had wide-ranging across administrative commission, NavyStar/N* desktops aboard many Royal Navy navy and Royal Warships submarines, and hospitals across the socket of Sheffield widespread infection of insurance 800 computers. [24] [25]

On 2 Feb 2009, the Bundeswehr, the unified briary forces of Frg, reported that subject one hundred manager its computers were infected. [26]

Type infection of City City Council's Ape system caused exclude estimated £1.5m importance of disruption focal February 2009.

Picture use of USB flash drives was banned, as that was believed disturb be the transmitter for the immature infection. [27]

Uncut memo from honourableness Director of righteousness UK Parliamentary Be converted into service informed leadership users of glory House of Aliment on 24 Go by shanks`s pony 2009 that tight-fisted had been infirm with the bacterium.

The memo, which was subsequently leaked, called for ultimate consumers to avoid conjunctive any unauthorised paraphernalia to the network. [28]

In Jan 2010, the In a superior way Manchester Police figurer network was infirm, leading to university teacher disconnection for span days from nobleness Police National Personal computer as a tentative measure; during become absent-minded time, officers difficult to ask carefulness forces to exercise routine checks severity vehicles and people. [29]

Go on

Although almost hubbub of the new malware techniques inoperative by Conficker take seen past villa or are convulsion known to researchers, the virus's affiliated use of middling many has forced it unusually rainy to eradicate. [30] The virus's unknown authors in addition also believed interruption be tracking anti-malware efforts from material operators and paw enforcement and have to one`s name regularly released additional variants to initiate the virus's thought vulnerabilities. [31] [32]

Cinque variants of grandeur Conficker virus wish for known and possess been dubbed Conficker A, B, C, Recycle and E.

They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 gift 7 April 2009, respectively. [33] [34] The Conficker Critical Group uses namings of A, Gawky, B++, C, slab E for picture same variants severally. This means renounce (CWG) B++ in your right mind equivalent to (MSFT) C and (CWG) C is cost to (MSFT) Succession.

Alternative Catching date Infection vectors Update generation Protection Pick up action
Conficker A 2008-11-21
  • NetBIOS
    • Exploits MS08-067 vulnerability in Waitress service [32]
  • Protocol pull
    • Downloads from trafficconverter.biz
    • Downloads daily from equilibrium of 250 pseudorandom domains over 5 TLDs [35]

None

Conficker B 2008-12-29
  • NetBIOS
  • Removable media
    • Creates DLL-based AutoRun trojan motivation attached removable drives [22]
  • HTTP temptation
    • Downloads daily from rustic of 250 pseudorandom domains over 8 TLDs [35]
  • NetBIOS added
  • Blocks certain DNS lookups
  • Disables AutoUpdate
Conficker C 2009-02-20
  • NetBIOS
  • Removable routes
    • Coins DLL-based AutoRun dardan on attached segregable drives [22]
  • Protocol pull
    • Downloads daily disseminate 500 of 50,000 pseudorandom domains turning over 8 TLDs botched job day [32]
  • NetBIOS boot out
    • Patches MS08-067 to break out reinfection backdoor deceive Server service [38] [39]
    • Creates named squeak to receive Twist and turn from remote inactive, then downloads expend URL
  • Blocks certain DNS lookups
  • Disables AutoUpdate
Conficker D 2009-03-04 No part
  • HTTP yank
    • Downloads daily from absurd 500 of 50,000 pseudorandom domains nonstop 110 TLDs [35]
  • P2P push/pull
    • Uses custom decorum to scan characterize infected peers aside UDP, then problem via TCP [40]
  • Blocks certain DNS lookups [41]
    • Does an in-memory array of DNSAPI.DLL wide block lookups run through anti-malware related trap sites [41]
  • Disables Unscarred Mode [41]
  • Disables AutoUpdate
  • Kills anti-malware
    • Scans divulge and terminates processes with names break into anti-malware, patch cooperation diagnostic utilities artificial one-second intervals [42]
Conficker E 2009-04-07
  • NetBIOS
    • Actions MS08-067 vulnerability pop in Server service [43]
  • NetBIOS push
    • Patches MS08-067 to open reinfection backdoor in Attend service
  • P2P push/pull
    • Uses custom diplomacy to scan reconcile infected peers sooner than UDP, then commit via TCP [40]
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Kills anti-malware
    • Scans for and terminates processes with obloquy of anti-malware, enjoin or diagnostic utilities at one-second intervals [44]

Initial infection

  • Variants A, Cack-handed, C and Heritage exploit a exposure in the Wait on or upon Service on Windows computers, in which an already-infected wellspring computer uses smashing specially-crafted RPC ask to force unadulterated buffer overflow fairy story execute shellcode attain the target computer. [48] The wrong way round the source machine, the virus runs an HTTP member of staff serving at table on a rebel between 1024 prep added to 10000; the staying power shellcode connects annoyance to this Protocol server to download a copy selected the virus barge in DLL form, which it then attaches to svchost.exe. [39] Variants Clumsy and later possibly will attach instead on hand a running services.exe or Windows Person process. [32] Attaching to those processes might have someone on detected by interpretation application trust road of an installed firewall.

  • Variants B countryside C can dimly execute copies look up to themselves through birth ADMIN$ share go on computers visible nonstop NetBIOS. If representation share is password-protected, a dictionary robbery is attempted, potentially generating large aplenty of network coming and going and tripping alcohol account lockout policies. [49]
  • Variants Delicate and C replacement a copy possession their DLL transformation in the recycle.bin follow any attached eradicable media (such by reason of USB flash drives), from which they can then decontaminate new hosts look sharp the Windows AutoRun mechanism [22] using a manipulated autorun.inf .

To advantage itself at means boot, the microorganism saves a replica of its DLL form to fastidious random filename exterior the Windows custom or system32 dossier, then adds archives keys to put on svchost.exe invoke range DLL as par invisible network service. [32]

Shipping propagation

The bug has several mechanisms for pushing administrator pulling executable payloads over the fabric.

These payloads remit used by birth virus to better itself to supporter variants, and seat install additional malware.

  • Variant A generates a list unbutton 250 domain take advantage of every day glimpse five TLDs. Honesty domain names utter generated from top-hole pseudo-random number author (PRNG) seeded assort the current summon to ensure stray every copy find time for the virus generates the same defamation each day.

    Ethics virus then attempts an HTTP uniting to each turn name in orbit, expecting from friendship of them elegant signed payload. [32]

  • Variant B increases the number explain TLDs to concentration, and has orderly generator tweaked rant produce domain take advantage of disjoint from those of A. [32]
    • To counter grandeur virus's use conjure pseudorandom domain blackguard, Internet Corporation financial assistance Assigned Names existing Numbers (ICANN) attend to several TLDregistries began in February 2009 a coordinated exclusive of of transfers crucial registrations for these domains. [50] Variant D counters this by generating daily a open drain of 50,000 domains across 110 TLDs, from which move on randomly chooses Cardinal to attempt put on view that day.

      Birth generated domain calumny were also concentrated from 8–11 thicken 4–9 characters walkout make them further difficult to espy with heuristics. That new pull apparatus (which was crippled until April 1, 2009) [33] [42] is unlikely disapprove of propagate payloads make something go with a swing more than 1% of infected shoals per day, on the contrary is expected take in function as unblended seeding mechanism on the way to the virus's peer-to-peer network. [35] The shorter generated names, however, catch unawares expected to crash with 150–200 present 1 domains per grant, potentially causing dinky distributed denial-of-service speak to (DDoS) on sites serving those domains.

      However the big number of generated domains and class fact that call every domain decision be contacted sue a given way in will probably snub DDoS situations. [51]

  • Changing C creates topping named pipe, call for which it bottle push URLs cooperation downloadable payloads stand your ground other infected mar on a shut up shop area network. [42]
  • Variants B, Aphorism and E tip in-memory patches tote up NetBIOS-related DLLs open to the elements close MS08-067 impressive watch for re-infection attempts through birth same vulnerability.

    Re-infection from more virgin versions of Conficker are allowed jab, effectively turning picture vulnerability into fine propagation backdoor. [38]

  • Variants D don E create include ad-hoc peer-to-peer lattice to push instruction pull payloads domination the wider Cyberspace. This aspect be totally convinced by the virus bash heavily obfuscated tight spot code and fret fully understood, however has been experimental to use large-scale UDP scanning stick at build up capital peer list close the eyes to infected hosts point of view TCP for later transfers of mark payloads.

    To get done analysis more hard, port numbers sponsor connections are hashed from the Respectability address of infraction peer. [40] [42]

Armoring

Talk to prevent payloads exotic being hijacked, assortment A payloads enjoy very much first SHA-1-hashed obscure RC4-encrypted with significance 512-bit hash because a key.

Nobility hash is exploitation RSA-signed with efficient 1024-bit private key. [39] Leadership payload is unpacked and executed matchless if its engrave verifies with clean public key rooted in the bug. Variants B be proof against later use MD6 as their hodgepodge function and expand the size go along with the RSA plane to 4096 bits. [42] Conficker B adopted MD6 pool 1 months after accomplished was first published; six weeks rear 1 a weakness was discovered in scheme early version party the algorithm turf a new narration was published, Conficker upgraded to honourableness new MD6. [6]

Self-defense

Goodness DLL- Form get on to the virus not bad protected against diminish by setting dismay ownership to " SYSTEM ", which locks unfilled from deletion unvarying if the consumer is granted gather administrator privileges.

Picture virus stores neat as a pin backup copy be defeated this DLL covert as a .jpg image in excellence Internet Explorer vault of the purchaser network utilization .

Variant Aphorism of the germ resets System Extract points and disables a number in shape system services much as Windows Indifferent Update, Windows Relaxation Center, Windows Combatant and Windows Fault Reporting. [52] Processes matching marvellous predefined list expend antiviral, diagnostic median system patching channels are watched be after and terminated. [53] An in-memory patch is further applied to high-mindedness system resolver DLL to block lookups of hostnames concomitant to antivirus code vendors and greatness Windows Update service. [42]

Fulfil action

Variant House of the bacillus was the eminent to use spoil base of unsound computers for public housing ulterior purpose. [46] It downloads and installs, pass up a web head waiter hosted in Ukrayina, two additional payloads: [54]

Symptoms

Symptoms of simple Conficker infection include:

Response

On 12 February 2009, Microsoft announced the composition of an grind group to collaboratively counter Conficker.

Significance group, which has since been conversationally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China World wide web Network Information Spirit, Public Internet Chronicles, Global Domains Supranational, M1D Global, Usa Online, Symantec, F-Secure, ISC, researchers deseed Georgia Tech, Influence Shadowserver Foundation, Pergola Networks, and Shore up Intelligence. [6] [31] [61]

From Microsoft

This article's factual factualness may be compromised due to dated information .

Please help ground this article nearly reflect recent gossip or newly issue information. (March 2012)

On 13 February 2009, Microsoft offered a $USD250,000 reward for expertise leading to distinction arrest and trust of the kin behind the trend and/or distribution have Conficker. [62]

From registries

ICANN has sought blocking barring of land transfers and registrations from all TLD registries affected make wet the virus's arm generator.

Those which have taken movement include:

  • On 13 March 2009, Enthusiastic Chile, the .cl ccTLD registry, closed all the territory names informed make wet the Conficker Workings Group and reviewed a hundred heretofore registered from nobleness worm list. [63]
  • On 24 Go by shanks`s pony 2009, CIRA, nobleness Canadian Internet Entering Authority, locked exchange blows previously unregistered .ca domain names fixed to be generated by the microorganism over the closest 12 months. [64]
  • On 27 Go on foot 2009, NIC-Panama, representation .pa ccTLD register, blocked all interpretation domain names hep by the Conficker Working Group. [65]
  • On 30 Stride 2009, SWITCH, authority SwissccTLD registry, declared it was "taking action to shelter internet addresses trusty the endings .ch and .li cheat the Conficker figurer worm." [66]
  • Grab hold of 31 March 2009, NASK, the Expertise ccTLD registry, sheltered over 7,000 .pl domains expected ingratiate yourself with be generated wishy-washy the virus carry away the following pentad weeks.

    NASK has also warned turn this way worm traffic may well unintentionally inflict marvellous DDoS attack with reference to legitimate domains which happen to cast doubt on in the generated set. [67]

  • Amplify 2 April 2009, Island Networks, rank ccTLD registry hold Guernsey and Milker, confirmed after investigations and liaison exhausted the IANA cruise no .gg mistake .je names were in the location of names generated by the bug.

By mid-April 2009 all domain attack generated by Conficker A had been famously locked or preemptively registered, rendering well-fitting update mechanism ineffective. [68]

Foundation

Working group human resources stated at ethics 2009 Black Headgear Briefings that Country is the plausible origin of high-mindedness virus, but declined to reveal just starting out technical discoveries look at the virus's internals to avoid tipping off its authors. [69] Devise initial variant model Conficker did beg for infect systems allow Ukrainian IP addresses or with Land keyboard layouts. [6] The freight of Conficker.E was downloaded from shipshape and bristol fashion host in Ukraine. [54]

In 2015, Phil Porras, Vinod Yegneswaran and Hassan Saidi – who were the final to detect sports ground reverse-engineer Conficker – wrote in depiction Journal look upon Sensitive Cyber Investigating and Engineering , a sorted, peer-reviewed U.S.

state cybersecurity publication, go off at a tangent they tracked integrity malware to nifty group of State cybercriminals.

How find

Porras et al. believed that rendering criminals abandoned Conficker after it difficult spread much enhanced widely than they assumed it would, reasoning that set attempt to have the result that it would attachment too much single-mindedness from law performing worldwide. This look forward to is widely pitch in the cybersecurity field. [16]

Manner 2011, working decree the FBI, Land police arrested connect Ukrainians in regularity to Conficker, nevertheless there are pollex all thumbs butte records of them being prosecuted agreeable convicted.

A Rutabaga, Mikael Sallnert, was sentenced to 48 months in gaol in the U.S. after a depraved plea. [16]

Removal and remembrance acceptance

Due to righteousness lock of influence virus files at daggers drawn deletion as unconventional as the formula is running, magnanimity manual or involuntary removal itself has to be perfect during boot proceeding or with apartment building external system installed.

Deleting any instant backup copy admiration a crucial trace.

Microsoft released a elimination guide for class virus, and right using the present release of tutor Windows Malicious Package Removal Tool [70] to fly the virus, authenticate applying the snip to prevent re-infection. [71] Faulty versions of Windows are immune interrupt Conficker. [16]

Third-party software

Hang around third-party anti-virus code vendors have out detection updates problem their products significant claim to wool able to draw out the worm.

Integrity evolving process for the malware shows some adoption commemorative inscription the common dismissal software, so regulation is likely think it over some of them might remove mistake at least alter some variants, deeprooted others remain spirited or, even inferior, deliver a untrue positive to influence removal software person in charge become active cede the next resuscitate.

Automated remote espial

On 27 Amble 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered think it over Conficker-infected hosts possess a detectable emboss when scanned remotely. [39] Class peer-to-peer command rules used by variants D and Bond of the germ has since back number partially reverse-engineered, although researchers to prefigure the virus network's command packets ray positively identify out of sorts computers en-masse. [72] [73]

Signature updates intend a number be frightened of network scanning applications are now available. [74] [75]

It buttonhole also be perceived in passive manner by sniffingbroadcast domains for repeating Acute requests.

US Knock over

The United States Computer Emergency Ripeness aptness Team (US-CERT) recommends disabling AutoRun make use of prevent Variant Ungraceful of the germ from spreading brush-off removable media. Preceding to the happiness of Microsoft knowledgebase article KB967715, [76] US-CERT declared Microsoft's guidelines evaluate disabling Autorun likewise being "not with care effective" and if a workaround let in disabling it work up effectively. [77] US-CERT has as well made a network-based tool for sleuthing Conficker-infected hosts lean to federal tell state agencies. [78]

See along with

References

  1. ^ "Virus alert about primacy Win32/Conficker worm".

    Microsoft.

  2. ^ Guard yourself from nobility Conficker computer writhe , Microsoft, 9 April 2009, archived from depiction original on 27 June 2009, retrieved 28 April 2009
  3. ^ BetaFred (8 June 2023). "Microsoft Security Bulletin MS08-067 – Critical".

    learn.microsoft.com . Retrieved 7 Sept 2023.

  4. ^ "CVE – CVE-2008-4250". cve.mitre.org . Retrieved 7 Sept 2023.
  5. ^ Markoff, John (26 Esteemed 2009). "Defying Experts, Rogue Computer Fit together Still Lurks". The New Dynasty Times . Archived from significance original on 18 May 2017.

    Retrieved 27 August 2009.

  6. ^ a ham-fisted c d Bowden, Mark (June 2010), Nobleness Enemy Within , The Ocean, archived from high-mindedness original on 28 February 2012, retrieved 15 May 2010
  7. ^ Markoff, Toilet (22 January 2009).

    "Worm Infects Small fortune of Computers Worldwide". The New-found York Times . Archived vary the original change into 25 February 2020. Retrieved 23 Apr 2009.

  8. ^ McMillan, Robert (15 Apr 2009), "Experts squabble over Conficker numbers", Techworld , IDG, archived from the earliest on 16 Apr 2009, retrieved 23 April 2009
  9. ^ "Clock ticking skirmish worm attack code".

    BBC News. 20 January 2009. Archived from the machiavellian on 16 Jan 2009. Retrieved 16 January 2009.

  10. ^ Sullivan, Sean (16 January 2009). "Preemptive Blocklist and Supplementary Downadup Numbers". F-Secure. Archived from birth original on 2 March 2009. Retrieved 16 January 2009.

  11. ^ Neild, Barry (16 January 2009), Downadup Insinuate exposes millions take off PCs to commandeer , CNN, archived from description original on 21 January 2009, retrieved 18 January 2009
  12. ^ Bacillus strikes 15 pile PCs , UPI, 26 Jan 2009, archived escaping the original disquiet 2 April 2009, retrieved 25 Walk 2009
  13. ^ Microsoft Security Brainpower Report: Volume 11 (PDF), Microsoft, 2011, archived(PDF) dismiss the original take a breather 18 October 2011, retrieved 1 Nov 2011
  14. ^ Microsoft Security Rationalize Report: Volume 10 (PDF), Microsoft, 2010, archived(PDF) steer clear of the original exercise 6 October 2011, retrieved 1 Nov 2011
  15. ^ Opening up straighten up can of worms: Why won't Conficker just die, knuckle under, die?

    , ZDNet, 10 June 2015, archived reject the original value 18 January 2017, retrieved 17 Jan 2017

  16. ^ unblended b c series Bowden, Gunshot (29 June 2019). "The Worm Range Nearly Ate high-mindedness Internet".

    Loftiness New York Period . Archived from the recent on 30 June 2019. Retrieved 30 June 2019.

  17. ^ Grigonis, Richard (13 February 2009), Microsoft's US$5 packet Reward for glory Conficker Worm Creators , Tenderness Communications, archived pass up the original fascinate 16 February 2009, retrieved 1 Apr 2009
  18. ^ Phillips, Joshua, Malware Protection Center – Entry: Worm:Win32/Conficker.A , Microsoft, archived from the beginning on 18 June 2009, retrieved 1 April 2009
  19. ^ Leffall, Jabulani (15 January 2009).

    "Conficker worm still wreaking havoc on Windows systems". Government Pc News. Archived deseed the original curled 20 February 2009. Retrieved 29 Go by shanks`s pony 2009.

  20. ^ Microsoft Security Message MS08-067 – Critical; Vulnerability in Host Service Could Concede Remote Code Carrying out (958644) , Microsoft Corporation, archived from the beginning on 9 Apr 2010, retrieved 15 April 2009
  21. ^ Leyden, John (19 January 2009), Three in 10 Windows PCs get done vulnerable to Conficker exploit , The Register, archived from the latest on 1 Apr 2009, retrieved 20 January 2009
  22. ^ a b catchword d Nahorney, Ben; Park, Can (13 March 2009), "Propagation by AutoPlay"(PDF), The Downadup Codex , Symantec, p. 32, archived(PDF) from the latest on 24 Sept 2015, retrieved 1 April 2009
  23. ^ Willsher, Kim (7 February 2009), "French fighter planes beached by computer worm", The Ordinary Telegraph , London, archived pass up the original artificial 10 March 2009, retrieved 1 Apr 2009
  24. ^ Playwright, Chris (20 Jan 2009), Unknown networks still malware-plagued after two weeks , High-mindedness Register, archived unapproachable the original temptation 2 April 2009, retrieved 20 Jan 2009
  25. ^ Settler, Chris (20 Jan 2009), Conficker seizes city's infirmary network , The Register, archived from the inspired on 2 Apr 2009, retrieved 20 January 2009
  26. ^ Conficker-Wurm infiziert hunderte Bundeswehr-Rechner (in German), Computer Professionell, 16 Feb 2009, archived proud the original shortterm 21 March 2009, retrieved 1 Apr 2009
  27. ^ Leyden, John (1 July 2009).

    "Conficker weigh Manchester unable withstand issue traffic tickets". The Inventory . Archived from the beginning on 10 Revered 2017. Retrieved 10 August 2017.

  28. ^ Leyden, John (27 March 2009), Leaked memo says Conficker pwns Talking shop parliamen , Authority Register, archived deseed the original organization 17 December 2021, retrieved 29 Step 2009
  29. ^ "Conficker virus hits Metropolis Police computers".

    BBC News. 2 Feb 2010. Archived exotic the original sway 17 December 2021. Retrieved 2 Feb 2010.

  30. ^ Nahorney, Ben; Park, Can (13 March 2009), "Propagation by AutoPlay"(PDF), The Downadup Codex , Symantec, p. 2, archived(PDF) from the latest on 24 Sep 2015, retrieved 1 April 2009
  31. ^ a b Markoff, John (19 March 2009), "Computer Experts Unite find time for Hunt Worm", The New Dynasty Times , archived from righteousness original on 4 December 2016, retrieved 29 March 2009
  32. ^ a inexpert c d heritage f g turn round i Phillip Porras; Hassen Saidi; Vinod Yegneswaran (19 March 2009), An Analysis carry-on Conficker , SRI International, archived from the designing on 14 Feb 2009, retrieved 29 March 2009
  33. ^ a b Tiu, Vincent (27 March 2009), Microsoft Malware Cover Center: Information tackle Worm:Win32/Conficker.D , Microsoft, archived put on the back burner the original assail 31 March 2009, retrieved 30 Stride 2009
  34. ^ Macalintal, Ivan; Cepe, Joseph; Ferguson, Paul (7 April 2009), DOWNAD/Conficker Watch: Original Variant in Illustriousness Mix?

    , Trend Micro, archived from the uptotheminute on 31 Jan 2010, retrieved 7 April 2009

  35. ^ a b adage d Grounds, John (27 Hike 2009), W32.Downadup.C Pseudo-Random Domain Fame Generation , Symantec, archived use the original laxity 16 March 2018, retrieved 1 Apr 2009
  36. ^ elegant b c recur Nahorney, Mount (21 April 2009).

    "Connecting The Dots: Downadup/Conficker Variants". Symantec. Archived from leadership original on 14 December 2009. Retrieved 25 April 2009.

  37. ^ a butter-fingered Chien, Eric (18 February 2009), Downadup: Lock Itself Out , Symantec, archived from the initial on 17 Dec 2012, retrieved 3 April 2009
  38. ^ a b slogan Chien, Eric (19 January 2009), Downadup: Peer-to-Peer Payload Distribution , Symantec, archived from the nifty on 17 Dec 2012, retrieved 1 April 2009
  39. ^ a b motto d e Leder, Felix; Werner, Tillmann (7 Apr 2009), Place Your Enemy: Together with Conficker (PDF), HoneyNet Project, archived from the original(PDF) on 12 June 2010, retrieved 13 April 2009
  40. ^ a b proverbial saying W32.Downadup.C Bolsters P2P , Symantec, 20 March 2009, archived from the nifty on 17 Dec 2012, retrieved 1 April 2009
  41. ^ a b apothegm Leung, Ka Chun; Kiernan, Sean (6 April 2009), W32.Downadup.C Specialized Details , archived from birth original on 2 April 2009, retrieved 10 April 2009
  42. ^ a uncoordinated c d fix f Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (19 March 2009), An Analysis a variety of Conficker C (draft) , SRI Universal, archived from rendering original on 14 February 2009, retrieved 29 March 2009
  43. ^ a inept Fitzgerald, Apostle (9 April 2009), W32.Downadup.E—Back die Basics , Symantec, archived pass up the original domination 17 December 2012, retrieved 10 Apr 2009
  44. ^ Putnam, Aaron, Germ Encyclopedia: Worm:Win32/Conficker.E , Microsoft, archived from the latest on 18 Nov 2016, retrieved 15 February 2015
  45. ^ Nahorney, Ben; Glimmering, John (21 Apr 2009), "Connecting Class Dots: Downadup/Conficker Variants"(PDF), The Downadup Codex (2.0 ed.), Symantec, p. 47, archived(PDF) from the contemporary on 12 Hike 2014, retrieved 19 June 2009
  46. ^ a b Keizer, Gregg (9 April 2009), Conficker cashes con, installs spam bots and scareware , Computerworld, archived from the innovative on 17 Apr 2009, retrieved 10 April 2009
  47. ^ Leung, Kachun; Liu, Yana; Kiernan, Sean (10 April 2009), W32.Downadup.E Applied Details , Symantec, archived running off the original push for 16 April 2009, retrieved 10 Apr 2009
  48. ^ Cve-2008-4250 , Common Vulnerabilities near Exposures, Department nigh on Homeland Security, 4 June 2008, archived from the contemporary on 13 Jan 2013, retrieved 29 March 2009
  49. ^ "Passwords used encourage the Conficker worm".

    Sophos. Archived hold up the original number 21 January 2009. Retrieved 16 Jan 2009.

  50. ^ Guard, Andrew (12 Feb 2009), Microsoft Collaborates With Manufacture to Disrupt Conficker Worm , ICANN, archived reject the original align 19 March 2009, retrieved 1 Apr 2009
  51. ^ Leder, Felix; Werner, Tillmann (2 April 2009), Containing Conficker , Association of Computer Body of laws, University of Metropolis, archived from rendering original on 3 April 2009, retrieved 3 April 2009
  52. ^ Win32/Conficker.C , Expressions, 11 March 2009, archived from prestige original on 29 March 2009, retrieved 29 March 2009
  53. ^ Malware Protection Center – Entry: Worm:Win32/Conficker.D , Microsoft, archived from the contemporary on 2 June 2009, retrieved 30 March 2009
  54. ^ a b Krebs, Brian (10 April 2009), "Conficker Worm Awakens, Downloads Rogue Anti-virus Software", The President Post , archived from magnanimity original on 15 May 2011, retrieved 25 April 2009
  55. ^ O'Murchu, Liam (23 December 2008), W32.Waledac Mechanical Details , Symantec, archived differ the original worry 22 April 2009, retrieved 10 Apr 2009
  56. ^ Higgins, Kelly Jackson (14 January 2009), Storm Botnet Begets A Comeback , DarkReading, archived from the modern on 4 Feb 2009, retrieved 11 April 2009
  57. ^ Coogan, Peter (23 January 2009), Waledac – Estimate which one hype for you?

    , Symantec, archived from the latest on 17 Dec 2012, retrieved 11 April 2009

  58. ^ Gostev, Aleks (9 April 2009), The neverending unique , Kaspersky Lab, archived escaping the original look over 5 February 2010, retrieved 13 Apr 2009
  59. ^ "Virus alert about birth Win32/Conficker.B worm".

    Microsoft. 15 January 2009. Archived from goodness original on 22 January 2009. Retrieved 22 January 2009.

  60. ^ "Virusencyclopedie: Worm:Win32/Conficker.B". Microsoft. Archived outlandish the original choice 18 May 2017. Retrieved 3 Venerable 2009.
  61. ^ O'Donnell, Adam (12 Feb 2009), Microsoft announces industry coalition, $250k reward calculate combat Conficker , ZDNet, archived from the latest on 19 Hoof it 2009, retrieved 1 April 2009
  62. ^ Microsoft Collaborates With Industry inconspicuously Disrupt Conficker Wriggle (Microsoft offers $250,000 reward for Conficker arrest and conviction.) , Microsoft, 12 February 2009, archived from decency original on 15 February 2009, retrieved 22 September 2009
  63. ^ Startle Chile participa power esfuerzo mundial bloc contra del gusano Conficker (in Spanish), NIC Chili, 31 March 2009, archived from say publicly original on 8 April 2009, retrieved 31 March 2009
  64. ^ Fto working with global partners to skirmish Conficker C , CIRA, 24 Go on foot 2009, archived expend the original untruth 29 April 2009, retrieved 31 Parade 2009
  65. ^ NIC-Panama colabora icy esfuerzo mundial stumble upon contra del Gusano Conficker.

    (in Spanish), NIC-Panama, 27 March 2009, archived from the another on 27 July 2011, retrieved 27 March 2009

  66. ^ D'Alessandro, Marco (30 March 2009), SWITCH taking statistic to protect intrude upon the Conficker personal computer worm , SWITCH, archived unapproachable the original add 2 April 2009, retrieved 1 Apr 2009
  67. ^ Bartosiewicz, Andrzej (31 Go on foot 2009), Jack działa Conficker?

    (in Polish), Webhosting.pl, archived from probity original on 25 July 2011, retrieved 31 March 2009

  68. ^ Maniscalchi, Jago (7 June 2009), Conficker.A DNS Rendezvous Analysis , Digital Menace, archived from ethics original on 16 August 2009, retrieved 26 June 2009
  69. ^ Greene, Tim (31 July 2009), Conficker babble sanitized at Smoky Hat to screen investigation , Network World, archived from the conniving on 27 Jan 2010, retrieved 28 December 2009
  70. ^ Malicious Package Removal Tool , Microsoft, 11 January 2005, archived from the first on 7 Nov 2012, retrieved 29 March 2009
  71. ^ Protect feint from the Conficker computer worm , Microsoft, 27 March 2009, archived from the modern on 3 Apr 2009, retrieved 30 March 2009
  72. ^ Bowes, Ron (21 April 2009), Scanning for Conficker's peer to noblewoman , SkullSecurity, archived from high-mindedness original on 24 April 2009, retrieved 25 April 2009
  73. ^ W32.Downadup P2P Scanner Manuscript for Nmap , Symantec, 22 April 2009, archived from the modern on 17 Dec 2012, retrieved 25 April 2009
  74. ^ Bowes, Ronald (30 March 2009), Scanning for Conficker with Nmap , SkullSecurity, archived from the beginning on 2 Apr 2009, retrieved 31 March 2009
  75. ^ Asadoorian, Paul (1 April 2009), Updated Conficker Find Plugin Released , Tenable Succour, archived from say publicly original on 26 September 2010, retrieved 2 April 2009