Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows, using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[2]

ID: S0608
Associated Software: Kido, Downadup
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 23 February 2021
Last Modified: 16 April 2025

Associated Software Descriptions

Name Description
Kido [1]
Downadup [1]

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.[1][3]

Enterprise T1543.003 Create or Modify System Process: Windows Service

Conficker copies itself into the %systemroot%\system32 directory and registers as a service.[1]

Enterprise T1568.002 Dynamic Resolution: Domain Generation Algorithms

Conficker has used a DGA seeded with the victim system's current UTC date to generate domains.[1][3]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Conficker adds Registry Run keys to establish persistence.[3]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Conficker terminates various services related to system security and Windows.[1]

Enterprise T1027 Obfuscated Files or Information

Conficker has obfuscated its code to prevent its removal from host machines.[3]

Enterprise T1490 Inhibit System Recovery

Conficker resets system restore points and deletes backup files.[1]

Enterprise T1124 System Time Discovery

Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[1][3]

Enterprise T1046 Network Service Discovery

Conficker scans for other machines to infect.[1]

Enterprise T1105 Ingress Tool Transfer

Conficker downloads an HTTP server to the infected machine.[1]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Conficker variants spread through NetBIOS share propagation.[1]

Enterprise T1210 Exploitation of Remote Services

Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.[1]

Enterprise T1091 Replication Through Removable Media

Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[1][3]

ICS T0826 Loss of Availability

A Conficker infection at a nuclear power plant forced the facility to temporarily shut down.[4]

ICS T0828 Loss of Productivity and Revenue

A Conficker infection at a nuclear power plant forced the facility to shut down and go through the security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production.[4]

ICS T0847 Replication Through Removable Media

Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.[5] Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or from computers found in the power plant's facility.[4]
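The date-seeded DGA behaviour (T1568.002) and the time-synchronisation that drives it (T1124) leave a detectable trace in DNS logs: an infected host resolves a burst of freshly generated names, most of which do not exist. The following detector is an added example written for this page, not MITRE's or any vendor's code; it flags any client that receives NXDOMAIN answers for many distinct registered domains inside a short window. The log format, the sample lines, and the `registered_domain` helper (which has no public-suffix list) are constructed assumptions.

```python
# Heuristic DGA detector: flag clients with bursts of NXDOMAIN answers for many
# distinct registered domains, the footprint a date-seeded DGA leaves in DNS logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): "<ISO timestamp> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2009-01-15T03:00:01Z 10.0.0.5 www.example.com NOERROR
2009-01-15T03:00:02Z 10.0.0.7 qmxpzkrv.biz NXDOMAIN
2009-01-15T03:00:03Z 10.0.0.7 lkwoptrea.info NXDOMAIN
2009-01-15T03:00:04Z 10.0.0.7 zzqnmbtyd.org NXDOMAIN
2009-01-15T03:00:05Z 10.0.0.7 pqwexrtyu.net NXDOMAIN
2009-01-15T03:00:06Z 10.0.0.7 hjkwqazxc.cc NXDOMAIN
2009-01-15T03:00:07Z 10.0.0.7 mnbvcxzlk.ws NXDOMAIN
2009-01-15T03:00:08Z 10.0.0.5 typo-example.com NXDOMAIN
2009-01-15T03:20:00Z 10.0.0.9 a.example.net NXDOMAIN
"""

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # distinct registered domains answered NXDOMAIN within WINDOW

def registered_domain(qname: str) -> str:
    """Collapse 'a.b.example.com' to 'example.com' (naive: no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname.lower()

def parse_log(text: str):
    """Yield (timestamp, client, qname, rcode) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname, rcode

def find_dga_suspects(log_text: str, window=WINDOW, threshold=THRESHOLD):
    """Return {client: peak distinct NXDOMAIN domains in any window} for clients at/above threshold."""
    events = defaultdict(list)
    for ts, client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN":
            events[client].append((ts, registered_domain(qname)))
    suspects = {}
    for client, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):  # sliding window over this client's NXDOMAIN answers
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= threshold:
            suspects[client] = best
    return suspects
```

Tune `WINDOW` and `THRESHOLD` against a baseline of normal NXDOMAIN rates for the environment; a single typo (10.0.0.5 above) stays well below the threshold, while a DGA burst stands out.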

References