S0608 Conficker
Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread. [1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant. [2]
| Item | Value |
|---|---|
| ID | S0608 |
| Associated Names | Kido, Downadup |
| Type | MALWARE |
| Version | 1.0 |
| Created | 23 February 2021 |
| Last Modified | 14 October 2021 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Kido | [1] |
| Downadup | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Conficker adds Registry Run keys to establish persistence. [3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Conficker copies itself into the %systemroot%\system32 directory and registers as a service. [1] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Conficker has used a DGA that seeds with the current UTC victim system date to generate domains. [1][3] |
| enterprise | T1210 | Exploitation of Remote Services | Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request. [1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Conficker terminates various services related to system security and Windows. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Conficker downloads an HTTP server to the infected machine. [1] |
| enterprise | T1490 | Inhibit System Recovery | Conficker resets system restore points and deletes backup files. [1] |
| enterprise | T1112 | Modify Registry | Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations. [1][3] |
| enterprise | T1046 | Network Service Discovery | Conficker scans for other machines to infect. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Conficker has obfuscated its code to prevent its removal from host machines. [3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Conficker variants spread through NetBIOS share propagation. [1] |
| enterprise | T1091 | Replication Through Removable Media | Conficker variants used the Windows AUTORUN feature to spread through USB propagation. [1][3] |
| enterprise | T1124 | System Time Discovery | Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date. [1][3] |
References
1. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
2. Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.
3. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.