Conficker (also called Downup, Downandup and Kido) is a worm that appeared in October 2008. Conficker attacks Windows and is most often found on Windows XP. Microsoft released a patch to stop this worm on 15 October 2008. Heinz Heise estimated that Conficker had infected 2.5 million PCs by 15 January 2009, while The Guardian estimated 3.5 million infected PCs. By 16 January 2009 the worm had infected almost 9 million PCs, making it one of the fastest-spreading infections in such a short time.
This virus is an old one, but the fact is it still survives in my office. So, without going on at length, the table below shows how Kido works... hehe, have a look and eradicate it right away:
| Variant | Detection date | Infection vectors | Update propagation | Self-defense | End action |
|---|---|---|---|---|---|
| Conficker A | 21/11/2008 | NetBIOS: exploits the MS08-067 vulnerability in the Server service | HTTP pull: downloads from trafficconverter.biz; downloads daily from any of 250 pseudorandom domains over 5 TLDs | None | Updates self to Conficker B, C or D |
| Conficker B | 29/12/2008 | NetBIOS: exploits the MS08-067 vulnerability in the Server service; dictionary attack on ADMIN$ shares. Removable media: creates a DLL-based AutoRun trojan on attached removable drives | HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs. NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service | Blocks DNS lookups; disables AutoUpdate | Updates self to Conficker C or D |
| Conficker C | 20/02/2009 | NetBIOS: exploits the MS08-067 vulnerability in the Server service; dictionary attack on ADMIN$ shares. Removable media: creates a DLL-based AutoRun trojan on attached removable drives | HTTP pull: downloads daily from any of 250 pseudorandom domains over 8 TLDs. NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service; creates a named pipe to receive a URL from a remote host, then downloads from that URL | Blocks DNS lookups; disables AutoUpdate | Updates self to Conficker D |
| Conficker D | 04/03/2009 | None | HTTP pull: downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs. P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP | Blocks DNS lookups (in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites); disables Safe Mode; disables AutoUpdate; kills anti-malware (scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals) | Downloads and installs Conficker E |
| Conficker E | 07/04/2009 | NetBIOS: exploits the MS08-067 vulnerability in the Server service | NetBIOS push: patches MS08-067 to open a reinfection backdoor in the Server service. P2P push/pull: uses a custom protocol to scan for infected peers via UDP, then transfers via TCP | Blocks DNS lookups; disables AutoUpdate; kills anti-malware (scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals) | Updates local copy of Conficker C to Conficker D; downloads and installs malware payload (Waledac spambot, SpyProtect 2009 scareware); removes self on 3 May 2009 (but leaves the remaining copy of Conficker D) |
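The "HTTP pull" column is the part of this table a defender can actually see on the wire: a host that tries 250 (or, for variant D, 500) pseudorandom domains a day across several TLDs produces a burst of distinct, mostly failing (NXDOMAIN) lookups that ordinary workstations never generate. The script below is an added example written for this post, not code from the original article or from any Conficker analysis; it does not reproduce Conficker's real domain algorithm. It parses a constructed DNS query log in an assumed format (`timestamp client_ip qname rcode`, one entry per line) and flags clients whose distinct NXDOMAIN count and TLD spread both exceed a threshold, which is the generic signal behind any daily-domain-generation update channel. The sample log, the client addresses and the thresholds are all made up for the demonstration.

```python
import random
import re
from collections import defaultdict

# Assumed log format (constructed for this example): "<timestamp> <client_ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _constructed_log():
    """Build a small, reproducible DNS log: one normal client and one client
    that behaves like a daily domain-generation pull (random-looking names,
    spread over several TLDs, almost all failing to resolve)."""
    rng = random.Random(2008)  # fixed seed so the sample is reproducible
    tlds = ["com", "net", "org", "info", "biz"]
    lines = []
    # Normal client: a few ordinary names, all resolving
    for name in ["www.example.com", "mail.example.com",
                 "update.example.net", "www.example.org"]:
        lines.append(f"2009-01-15T08:00:00 10.0.0.5 {name} NOERROR")
    # Suspect client: 60 random labels across the TLD list, 9 of 10 NXDOMAIN.
    # (The labels are toy randomness, not Conficker's actual algorithm.)
    for i in range(60):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 11)))
        rcode = "NXDOMAIN" if i % 10 else "NOERROR"
        lines.append(f"2009-01-15T08:{i:02d}:00 10.0.0.9 "
                     f"{label}.{rng.choice(tlds)} {rcode}")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield (client_ip, qname, rcode) tuples, skipping malformed lines."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _ts, ip, qname, rcode = m.groups()
        yield ip, qname.lower().rstrip("."), rcode.upper()


def find_dga_suspects(lines, min_nxdomain=20, min_tlds=3):
    """Return {client_ip: summary} for clients whose NXDOMAIN activity looks
    like domain-generation polling: many distinct failing names and several
    distinct TLDs. Both thresholds are assumed values; tune to your estate."""
    stats = defaultdict(lambda: {"names": set(), "tlds": set()})
    for ip, qname, rcode in parse(lines):
        if rcode != "NXDOMAIN":
            continue
        stats[ip]["names"].add(qname)
        stats[ip]["tlds"].add(qname.rsplit(".", 1)[-1])
    return {
        ip: {"distinct_nxdomain": len(s["names"]), "tlds": sorted(s["tlds"])}
        for ip, s in stats.items()
        if len(s["names"]) >= min_nxdomain and len(s["tlds"]) >= min_tlds
    }


if __name__ == "__main__":
    for ip, summary in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {summary['distinct_nxdomain']} distinct NXDOMAIN names "
              f"over TLDs {summary['tlds']}")
```

On a real resolver log the same two counters, taken per client per day, separate a DGA-polling host from a user mistyping a few names; the TLD-spread condition is what keeps a single broken internal suffix search from tripping the rule. Because variants B through E also patch DNSAPI.DLL in memory to block lookups of anti-malware sites, the complementary check is to confirm from the resolver side that security-vendor names are still being queried at all by each host.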