Skip to content

S0608 Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.1 In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.2

Item Value
ID S0608
Associated Names Kido, Downadup
Version 1.0
Created 23 February 2021
Last Modified 08 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Kido 1
Downadup 1

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Conficker adds Registry Run keys to establish persistence.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Conficker copies itself into the %systemroot%\system32 directory and registers as a service.1
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.13
enterprise T1210 Exploitation of Remote Services Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Conficker terminates various services related to system security and Windows.1
enterprise T1105 Ingress Tool Transfer Conficker downloads an HTTP server to the infected machine.1
enterprise T1490 Inhibit System Recovery Conficker resets system restore points and deletes backup files.1
enterprise T1112 Modify Registry Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.13
enterprise T1046 Network Service Discovery Conficker scans for other machines to infect.1
enterprise T1027 Obfuscated Files or Information Conficker has obfuscated its code to prevent its removal from host machines.3
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Conficker variants spread through NetBIOS share propagation.1
enterprise T1091 Replication Through Removable Media Conficker variants used the Windows AUTORUN feature to spread through USB propagation.13
enterprise T1124 System Time Discovery Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.13
ics T0826 Loss of Availability A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown. 4
ics T0828 Loss of Productivity and Revenue A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. 4
ics T0847 Replication Through Removable Media Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network. 5 Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant’s facility. 4