Conficker Remains a Threat

Propagation Mechanisms

Although the efforts of the Conficker Working Group and associated organizations restricted Conficker’s potential for damage, the MMPC received telemetry reports of the worm infecting or attacking 1.7 million computers in 4Q11, about 100,000 computers more than in 3Q11. A detailed analysis of MMPC telemetry can help organizations defend against Conficker variants by understanding the relative success rates of the different propagation methods that the worm uses.

Information about the propagation vectors is directly observable through data reported by Microsoft security products running on computers whose administrators or users choose to opt in to data collection. The MMPC used this data to deduce the following information about Conficker’s propagation mechanism:

Credential-based attacks. This type of attack uses the credentials of the logged-in user to access local or network resources, or else attacks password-protected resources using a built-in list of common or weak passwords. When the worm successfully infects a computer using this type of attack, it creates a scheduled task on the infected computer that attempts to re-infect the computer at regular intervals. Credential-based attacks can therefore be identified through the presence of such a scheduled task.

Autorun feature abuse attempt. Conficker can attempt to spread to a computer by abusing the Autorun feature in Windows, through the use of a malicious autorun.ini file that links to a Conficker executable. Microsoft security software detects and blocks this file, even on computers running versions of Windows that are not at risk from this form of attack. Detection of the malicious autorun.ini file is therefore not an indication of an infected computer, but indicates that an attack has been attempted.

MS08-067 exploitation. It is possible to determine this type of attack because of a detail of the worm’s implementation. After successful exploitation, Conficker calls a Windows API that in turn calls the Microsoft® IOfficeAntivirus provider, which detects and blocks the transfer of the worm’s code. The telemetry includes an indicator of whether the worm was active or not, which allows excluding partially removed or broken infection attempts.

Preexisting infection. Microsoft antimalware software also reports details about Conficker infections that were present on the computer before the antimalware software was installed. These pre-existing infections are indicated by the presence of a Windows service created by Conficker.

Featured Articles


United States Change All Microsoft Sites



Was the information in this article helpful?