August 8, 2010

Conficker: A Microsoft Windows OS Worm

Image representing Windows as depicted in Crun...
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has more than five million computers now under its control — government, business and home computers in more than 200 countries, according to the New York Times. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.

Discovery
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.

Recent estimates of the number of infected computers have been more notably difficult because of changes in the propagation and update strategy of recent variants of the worm.

Action From registries

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator. Those which have taken action include:




  • On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.



  • On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the worm over the next 12 months.



  • On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group.



  • On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."



  • On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the worm over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.



  • On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the worm.
By mid-April all domain names generated by the Conficker.A variant had been successfully blocked, rendering its update mechanism ineffective.


About the Author

Tomboy

Author & Editor

Has laoreet percipitur ad. Vide interesset in mei, no his legimus verterem. Et nostrum imperdiet appellantur usu, mnesarchum referrentur id vim.

Post a Comment

 
Iwebslog Blog © 2015 - Designed by Templateism.com