S0608 Conficker
Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.[2]
Item | Value |
---|---|
ID | S0608 |
Associated Names | Kido, Downadup |
Type | MALWARE |
Version | 1.0 |
Created | 23 February 2021 |
Last Modified | 08 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Kido | [1] |
Downadup | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Conficker adds Registry Run keys to establish persistence.[3] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Conficker copies itself into the %systemroot%\system32 directory and registers as a service.[1] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[1][3] |
enterprise | T1210 | Exploitation of Remote Services | Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Conficker terminates various services related to system security and Windows.[1] |
enterprise | T1105 | Ingress Tool Transfer | Conficker downloads an HTTP server to the infected machine.[1] |
enterprise | T1490 | Inhibit System Recovery | Conficker resets system restore points and deletes backup files.[1] |
enterprise | T1112 | Modify Registry | Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.[1][3] |
enterprise | T1046 | Network Service Discovery | Conficker scans for other machines to infect.[1] |
enterprise | T1027 | Obfuscated Files or Information | Conficker has obfuscated its code to prevent its removal from host machines.[3] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.002 | SMB/Windows Admin Shares | Conficker variants spread through NetBIOS share propagation.[1] |
enterprise | T1091 | Replication Through Removable Media | Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[1][3] |
enterprise | T1124 | System Time Discovery | Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[1][3] |
ics | T0826 | Loss of Availability | A Conficker infection at a nuclear power plant forced the facility to temporarily shut down.[4] |
ics | T0828 | Loss of Productivity and Revenue | A Conficker infection at a nuclear power plant forced the facility to shut down and go through the security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production.[4] |
ics | T0847 | Replication Through Removable Media | Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.[5] Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or from computers found in the power plant's facility.[4] |
References
- [1] Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- [2] Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.
- [3] Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
- [4] Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.
- [5] Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.