Venerable Conficker Worm Survives on Obsolete Legacy Systems

Discussion in 'malware problems & news' started by ronjor, Jun 14, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Conficker is one of the most fascinating stories in the history of malware. At the time of the security release, Microsoft wrote on its blog:

    MS08-067 and the SDL
    October 22, 2008 - Michael Howard - Principal Security Program Manager
    http://blogs.microsoft.com/cybertrust/2008/10/22/ms08-067-and-the-sdl/
    Conficker was to exploit the ms08-067 vulnerability *after* a patch had been released.

    In the eweek.com article Ron cited, this comment about pirated computers was relevant 10 years ago:
    I can't find the statistic, but the estimate of pirated computers worldwide back then was astounding. They could not be updated, and became a huge landing point for Conficker.

    One of the more astonishing attack methods of a later variant of Conficker used a cleverly designed AutoRun.inf file, and a very clever social engineering trick.

    isc.sans.edu wrote in its Diary,
    https://isc.sans.edu/diary/Conficker's autorun and social engineering/5695
    On one AV forum, members were furious that their AV did not catch the exploit.

    (The Diary shows the Social Engineering trick.)

    You can look at the complete Autorun.inf file here in the F-Secure blog (it refers to Downadup, another name for Conficker). See if you can spot the code that does the work:

    http://www.f-secure.com/weblog/archives/00001575.html

    Very clever malware creators indeed!

    ----
    rich
    Last edited: Jun 14, 2016
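As an added example (not from this thread or the linked ISC and F-Secure posts), a defender-side scanner for the kind of AutoRun.inf trick Rmus refers to: it parses the file the tolerant way Windows does, then flags the combination of a launch directive, an action label that imitates Windows' own "Open folder to view files" AutoPlay prompt, an icon borrowed from shell32.dll, and unreadable padding between directives. The sample file is constructed, not Conficker's real one, and the payload path is a placeholder.

```python
import re

# Constructed sample, NOT Conficker's real file: it imitates the pattern of
# binary junk interleaved with a few real directives, a label that copies
# Windows' own AutoPlay folder prompt, and a system icon.
SAMPLE_AUTORUN = (
    b"[autorun]\r\n"
    b"\x8f\x12\x00junk\xff\x1a\r\n"
    b"Action=Open folder to view files\r\n"
    b"\x7f\x9d\x00\x00more junk=\x05\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=RECYCLER\\example_payload.exe\r\n"  # placeholder path
    b"UseAutoPlay=1\r\n"
)

DIRECTIVE = re.compile(rb"^([A-Za-z][\w\\]*)\s*=\s*(.*?)\s*$")
LAUNCH_KEYS = ("shellexecute", "open", "shell\\open\\command")


def parse_autorun(data: bytes) -> dict:
    """Tolerant parse: keep printable key=value lines, count everything else.
    Windows skips lines it cannot read, so a scanner must do the same or it
    will miss directives hidden between garbage."""
    entries, junk = {}, 0
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line[:1] in (b"[", b";"):
            continue
        m = DIRECTIVE.match(line)
        if m and all(32 <= b < 127 for b in line):
            entries[m.group(1).decode().lower()] = m.group(2).decode()
        else:
            junk += 1
    return {"entries": entries, "junk_lines": junk}


def assess_autorun(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    parsed = parse_autorun(data)
    e, findings = parsed["entries"], []
    for key in LAUNCH_KEYS:
        if key in e:
            findings.append(f"{key}= launches '{e[key]}' from the medium")
            break
    if any(s in e.get("action", "").lower() for s in ("open folder", "view files")):
        findings.append("action= label imitates the Windows AutoPlay folder prompt")
    if "shell32.dll" in e.get("icon", "").lower():
        findings.append("icon= borrows a system icon from shell32.dll")
    if parsed["junk_lines"]:
        findings.append(f"{parsed['junk_lines']} unreadable lines (likely padding to evade signatures)")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print("-", finding)
```

A benign autorun.inf that only sets a drive label and icon produces no findings, so the scanner is usable as a triage filter over mounted removable media.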