In October 2008, Microsoft released a security update (MS08-067) that addressed a software vulnerability in some versions of the Windows operating system. At that time, Microsoft recommended that customers install the update as soon as possible and warned that attackers could potentially exploit the vulnerability to create a worm that would affect Windows XP-based computers. Over the next few weeks, hundreds of millions of computers around the world were successfully updated.
In November 2008, the Microsoft Malware Protection Center (MMPC) detected the emergence of the first version of Win32/Conficker, an aggressive and technically complex new family of worms. Win32/Conficker targeted the vulnerability addressed by MS08-067. Although the first version of this new threat did not spread widely, it seriously challenged security responders and others charged with ensuring the safety of the world's computer systems and data. In late December 2008, a full two months after Microsoft released the security update, a second version of Win32/Conficker was detected. This version includes additional attack vectors that help the worm spread quickly.
Microsoft created and distributed antimalware signatures for the new threats. In addition, Microsoft worked with other members of the international security community to contain much of the damage that was caused by Win32/Conficker, and in the process established a potentially groundbreaking template for future cooperative response efforts.
Win32/Conficker detections by Microsoft antimalware products, 1Q09-4Q11
This section of the Microsoft Security Intelligence Report, Volume 12 establishes that Conficker remains a threat, provides background on why it is a serious threat, and explains what organizations can do to protect themselves. (For more information and deep technical details on Conficker, see the "Win32/Conficker Update" section in Microsoft Security Intelligence Report, Volume 7 (January through June 2009), available at www.microsoft.com/sir.)
At its peak, Conficker infected an estimated seven million computers worldwide, according to the Conficker Working Group. Conficker was immediately recognized as dangerous because it attempts to exploit a vulnerability on Windows XP-based systems that allows remote code execution when file sharing is enabled (CVE-2008-4250, which Microsoft had addressed in October 2008 with critical update MS08-067). In addition, Conficker disables several important system services and security products and also downloads arbitrary files. The initial version (labeled Worm:Win32/Conficker.A by the MMPC) was not very successful at propagating, mostly because the MS08-067 security update had already been distributed and widely installed. However, the next variant, Worm:Win32/Conficker.B, uses two new propagation methods to spread quickly through the Internet: abusing the Autorun feature on Windows XP and Windows Vista-based computers, and guessing administrator passwords on network shares protected by weak or shared passwords.
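The second propagation method above, guessing administrator passwords on network shares, leaves a distinctive trail in logon-failure audit data: one source failing many logons against many targets in a short time. The following is an added example of that detection logic, not code from the report or from Microsoft; its record fields, thresholds and sample events are constructed assumptions rather than Conficker indicators.

```python
"""Flag sources whose failed network logons look like share-credential
guessing. Added example; records are constructed and stand in for the
fields of a Windows failed-logon audit event (source, target, account)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonFailure:
    ts: int          # epoch seconds (constructed)
    source_ip: str   # workstation that attempted the logon
    target: str      # host or share that rejected it
    account: str     # account name tried


# Constructed sample: 10.0.0.23 sprays admin-style names across four file
# servers within seconds; 10.0.0.77 is a user mistyping one password.
SAMPLE = [
    LogonFailure(1000 + i, "10.0.0.23", f"FS{i % 4:02d}", "Administrator")
    for i in range(12)
] + [
    LogonFailure(1000 + i, "10.0.0.23", "FS00", name)
    for i, name in enumerate(["admin", "backup", "guest"])
] + [
    LogonFailure(2000 + i, "10.0.0.77", "FS01", "jdoe") for i in range(3)
]


def find_guessing_sources(events, window=60, min_failures=10, min_targets=3):
    """Return {source_ip: (failures, distinct_targets)} for sources that,
    within any `window` seconds, fail at least `min_failures` logons
    against at least `min_targets` distinct targets. Requiring several
    targets separates worm-like spraying from one user locking out one
    account on one server. Thresholds are assumptions to tune per site."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source_ip].append(e)
    flagged = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        best, lo = (0, 0), 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide window start
                lo += 1
            span = evs[lo:hi + 1]
            best = max(best, (len(span), len({e.target for e in span})))
        if best[0] >= min_failures and best[1] >= min_targets:
            flagged[src] = best
    return flagged
```

Running `find_guessing_sources(SAMPLE)` flags only the spraying host; the mistyped-password source stays below both thresholds.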
Beyond quick propagation, the newer variants of Conficker use a larger array of attack techniques than most malware families. Alongside a suite of self-defense mechanisms, such as blocking access to security-related websites and disabling security software on infected computers, Conficker uses encryption and a method called HTTP rendezvous to protect its payload channel.
Because of the way Conficker uses multiple attack vectors to maximize its reach, there was a global effort to thwart its use and to determine who would try to make use of it. Worm:Win32/Conficker.E was reported to download the Win32/Waledac spambot and the rogue security software family Win32/FakeSpypro (which identified itself as "SpyProtect 2009"). This variant was programmed to delete itself in May 2009.