On October 23, 2008, Microsoft published the following critical security bulletin: MS08-067, Vulnerability in Server Service Could Allow Remote Code Execution (958644). Microsoft explained that the vulnerability in the server service could allow remote code execution if an affected system received a specially crafted remote procedure call (RPC) request.
An attacker could exploit this vulnerability without authentication to run arbitrary code on Windows 2000 Service Pack (SP) 4, Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (Gold and SP1), Windows Server 2008 and Windows 7 systems. Additionally, Microsoft warned that this vulnerability could be used to craft a wormable exploit.
The Common Vulnerabilities and Exposures (CVE) site references this vulnerability as CVE-2008-4250.
The Common Vulnerability Scoring System (CVSS), which provides an open framework for communicating the characteristics and impacts of Information Technology (IT) vulnerabilities, rated this vulnerability 10.0, its most severe score, indicating a vulnerability with high impact and high exploitability.
When installed, Conficker / Downadup copies itself to your C:\Windows\System32 folder as a randomly named DLL file. If it cannot copy itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders.
It then creates a Windows service that loads this DLL via svchost.exe, a legitimate Windows file, every time you turn on your computer.
The infection then changes a variety of Windows settings that allow it to efficiently infect other computers over your network or the Internet.
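The persistence pattern just described (an unfamiliar DLL in System32 or in the two fallback folders, loaded by an svchost.exe-hosted service) can be triaged from exported service registry values. The following is an added example, not code from the article: the service records, the known-good baseline and the drive letter paths are all constructed for illustration.

```python
"""Triage of svchost.exe-hosted services against the Conficker drop locations.
Added example; the baseline and sample records below are constructed."""
from typing import Optional
from pathlib import PureWindowsPath

# Constructed baseline: ServiceDll values recorded from a known-clean build.
KNOWN_GOOD_DLLS = {
    r"c:\windows\system32\dnsrslvr.dll",
    r"c:\windows\system32\wuaueng.dll",
    r"c:\windows\system32\browser.dll",
}

# Folders the article names as the worm's fallback drop locations (assumed paths).
FALLBACK_DIRS = (
    PureWindowsPath(r"C:\Program Files\Internet Explorer"),
    PureWindowsPath(r"C:\Program Files\Movie Maker"),
)

# Constructed sample of (service name, ImagePath, ServiceDll) registry values.
SAMPLE_SERVICES = [
    ("Dnscache", r"C:\Windows\System32\svchost.exe -k NetworkService",
     r"C:\Windows\System32\dnsrslvr.dll"),
    ("wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs",
     r"C:\Windows\System32\wuaueng.dll"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", None),
    ("qkzhxwbc", r"C:\Windows\System32\svchost.exe -k netsvcs",
     r"C:\Windows\System32\qkzhxwbc.dll"),        # constructed: unknown DLL in System32
    ("helpsvc2", r"C:\Windows\System32\svchost.exe -k netsvcs",
     r"C:\Program Files\Movie Maker\kpqwz.dll"),  # constructed: fallback folder
]

def is_svchost_hosted(image_path: str) -> bool:
    """True when the service runs inside svchost.exe (ImagePath 'svchost.exe -k ...')."""
    exe = image_path.split(" -k")[0].strip('"')
    return PureWindowsPath(exe).name.lower() == "svchost.exe"

def classify(service_dll: str) -> Optional[str]:
    """Return the indicator a ServiceDll path matches, or None if it looks normal."""
    path = PureWindowsPath(service_dll)          # Windows path comparison is case-insensitive
    if any(d in path.parents for d in FALLBACK_DIRS):
        return "dll in fallback drop folder"
    if path.parent == PureWindowsPath(r"C:\Windows\System32") \
            and str(path).lower() not in KNOWN_GOOD_DLLS:
        return "unknown dll in System32"
    return None

def suspicious_services(services):
    """Map each svchost-hosted service with a flagged ServiceDll to its indicator."""
    hits = {}
    for name, image_path, service_dll in services:
        if service_dll is None or not is_svchost_hosted(image_path):
            continue
        reason = classify(service_dll)
        if reason:
            hits[name] = reason
    return hits
```

A baseline is what makes the "randomly named" indicator testable: any System32 ServiceDll absent from a clean reference is worth a look, while the fallback folders are flagged unconditionally.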
Like most current malware, Conficker is a blended threat, combining features of several different approaches. Once Conficker infects a computer, it disables many security features and automatic backup settings, deletes restore points and opens connections to receive instructions from a remote computer. Once the first computer is under its control, Conficker uses it to gain access to the rest of the network.
Here is a partial list of what Conficker can do:
Recent estimates of the number of infected computers have been notably difficult to make because the worm has changed its propagation and update strategy from version to version. In January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million.
Microsoft has reported that the total number of infected computers detected by its antimalware products remained steady at around 1.7 million from mid-2010 to mid-2011.
The following image shows how the Conficker worm works.
Conficker and all of its variants perform the following actions on an infected system:
Several Conficker removal tools are available for download. Most anti-virus vendors have developed removal tools and/or provided instructions for removing Conficker; links to some of these are listed below:
The above are examples only and do not constitute an exhaustive list.
The Conficker worm serves as a strong reminder to everyone to continually and consistently practice defense in depth, providing multiple layers of defense to protect consumer and business systems.
The spread of the Conficker worm shows that many PC users still fail to keep their Windows installations up to date with the latest security patches. The infection has spread to computers all over the world and includes home, business and government users. Methods of preventing this and other types of infection include the following:
Regarding the security of your computer, please consider the following basic rules:
Good to know