| ID | X0003 |
|----|----|
| Aliases | Downup, Downadup, Kido |
| Platforms | Windows |
| Year | 2008 |
| Associated ATT&CK Software | None |

## Conficker

A worm targeting Microsoft Windows operating systems.

## Enhanced ATT&CK Techniques

| Name | Use |
|----|----|
| Persistence::Registry Run Keys / Startup Folder (F0012) | To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. [1] |
| Persistence::Modify Existing Service (F0011) | The malware copies itself into the %systemroot%\system32 directory and registers as a service. [1] |
| Defense Evasion::Indicator Blocking (F0006) | The malware terminates various services related to system security and Windows and prevents network access to various websites related to antivirus software. [1] |
| Impact::Data Destruction (E1485) | The malware resets system restore points and deletes backup files. [1] |
| Anti-Static Analysis::Software Packing::UPX (F0001.008) | Conficker is propagated as a DLL which has been packed using the UPX packer. [2] |

## MBC Behaviors

| Name | Use |
|----|----|
| Command and Control::Domain Name Generation (B0031) | Conficker uses a domain name generator seeded by the current date to ensure that every copy of the virus generates the same names on their respective days. [1] |
| Execution::Conditional Execution (B0025) | The Conficker A variant has a routine that causes the process to suicide exit if the keyboard language layout is set to Ukrainian. [1] |
| Memory::Overflow Buffer (C0010) | Variants A, B, C, and E exploit a vulnerability in the Server Service on Windows computers in which an already compromised computer sends a specially crafted RPC request to force a buffer overflow and execute shellcode on the target computer. [1] |
| Execution::Conditional Execution::Suicide Exit (B0025.001) | The Conficker B variant has significantly more suicide logic embedded in its code and employs anti-debugging features to avoid reverse engineering attempts. [2] |

## Indicators of Compromise

### SHA256 Hashes

* 1192482f9f8f87a01977b4dd3e185d4b60319175b789b3e7a60ad6554c120a0d

## References

[1] https://en.wikipedia.org/wiki/Conficker

[2] http://www.csl.sri.com/users/vinod/papers/Conficker/