Once a machine is infected, the worm can download and install additional malware from attacker-controlled Web sites. a Conflicker-infected PC is essentially under the complete control of the attackers.
Conficker can spread in three ways.
- First, it attacks a vulnerability in the Microsoft Server service. Computers without the October patch can be remotely attacked and taken over.
- Second, Conficker can attempt to guess or 'brute force' Administrator passwords used by local networks and spread through network shares.
- And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.
The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.
This page is designed to provide IT Pro customers the information they need to help protect their systems from the Conficker Worm, or to recover systems that have been infected.
If you are a consumer, please visit Protect Yourself from the Conficker Computer Worm.
On October 23, 2008, Microsoft released a critical security update, MS08-067, to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network "worms." Since the release of MS08-067, the Microsoft Malware Protection Center (MMPC) has identified the following variants of Win32/Conficker:
- Worm:Win32/Conficker.A: identified by the MMPC on November 21, 2008
- Worm:Win32/Conficker.B: identified by the MMPC on December 29, 2008
- Worm:Win32/Conficker.C: identified by the MMPC on February 20, 2009*
- Worm:Win32/Conficker.D: identified by the MMPC on March 4, 2009**
|*Also known as Conficker B++|
|**Also known as Conficker.C and Downadup.C|
What Happens on April 1, 2009?
Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the "peer-to-peer" updating channel in the latest version of Conficker.
Protecting PCs from Conficker
- Apply the security update associated with MS08-067. View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.
- Make sure you are running up-to-date antivirus software from a trusted vendor, such as Microsoft's Forefront Client Security or Windows Live OneCare. Antivirus software may also be obtained from trusted third parties such as the members of the Virus Information Alliance.
- Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. The Microsoft Active Protection Program (MAPP) provides partners with early access to Microsoft vulnerability information. For a list of partners and links to their active protections, please visit the MAPP Partners page.
- Isolate legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
- Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
- Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 967715. Microsoft released Security Advisory 967940 to notify users that the updates to allow users to disable AutoPlay/AutoRun capabilities have been deployed via automatic updating channels.
NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 967715 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.
Cleaning Systems of Conficker
Manually download the Windows Malicious Software Removal Tool (MSRT) onto uninfected PCs and deploy to infected PCs to clean infected systems.
- On November 21, 2008, the MMPC identified Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
- On November 25, 2008, the MMPC communicated information about Worm:Win32/Conficker.A through their weblog.
- On December 29, 2008, the MMPC identified the second variant, Worm:Win32/Conficker.B, and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
NOTE: Worm:Win32/Conficker.B can be successful against systems that have applied the security update associated with MS08-067.
- On December 31, 2008, the MMPC communicated information about Worm:Win32/Conficker.B through their weblog.
- On January 13, 2009, the MMPC included the ability to remove both Worm:Win32/Conficker.A and Worm:Win32/Conficker.B in the January 2009 release of the Windows Malicious Software Removal Tool and communicated information about this through their weblog.
- On January 22, 2009, the MMPC provided consolidated technical information about Worm:Win32/Conficker.B on their weblog.
- On February 12, 2009, the Microsoft Security Response Center (MSRC) released information about domains that Conficker-infected systems try to connect to. Microsoft also announced information on a partnership with technology industry and academic leaders designed to disable domains targeted by Conficker.
- On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide.
- On February 20, 2009, the MMPC provided technical information about Worm:Win32/Conficker.C on their weblog.
- On March 27, 2009, the MMPC provided more details about the new P2P functionality in Worm:Win32/Conficker.D on their weblog.
Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox, email@example.com, where tips can be shared.