RAM Assignment

Post on 07-Apr-2018


  • 8/4/2019 RAM Assignment



    description: Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet*. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control. The worm has been unusually difficult to counter because of its combined use of many advanced malware techniques.

    *[A botnet is a collection of compromised computers, termed bots, that are used for malicious purposes. A computer becomes a bot when it runs a file, typically from a drive-by download, that has bot software embedded in it. Botnets are controlled via protocols such as IRC and HTTP.]

    vulnerability: INF/Conficker exploits the Microsoft Autorun feature to spread itself on local as well as remote computers, i.e. computers connected in a network. It drops an Autorun.inf file to the root of every removable medium connected to the computer and to the mapped network drives. It then executes the code written inside the Autorun.inf file to download other malicious files onto the computer to infect it with worms and viruses. The malicious content is downloaded with the help of remote servers that have already been set up for such activities.

    The Autorun.inf file is of variable length, and sometimes its file attributes have been set to S (system) and H (hidden). Since the Windows default settings are set to "Do not show system and hidden files", this worm remains unnoticed by the user and can only be detected with the help of an antivirus.

    The content of the Autorun.inf file is something similar to this:

    shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-


    Upon execution of the Autorun.inf file, the computer is infected with the malicious content downloaded from remote servers. As the INF/Conficker worm is injected locally, it doesn't exploit the MS08-067 vulnerability. So, even if you have patched the system against MS08-067, that patch will not stop this worm from executing.
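    The traits described above (a shellexecute entry that runs rundll32 against a DLL hidden under a RECYCLER folder, a case-mangled key name, and System+Hidden attributes) can be checked mechanically before a removable medium is trusted. The following Python script is an added example written for this page; it is not part of the assignment and not Conficker's code. The two Autorun.inf samples are constructed, the RECYCLER sub-folder and DLL name in the first one are placeholders rather than real indicators, and the file attributes are passed in as booleans so the script runs on any platform (on Windows they would come from os.stat(path).st_file_attributes).

```python
"""Heuristic triage of an Autorun.inf file for the traits described above.

Added example, not from the original assignment and not Conficker code. The
sample Autorun.inf files are constructed; the RECYCLER sub-folder name and the
DLL name are placeholders rather than real indicators.
"""
import re
from typing import Dict, List, Tuple

# Autorun keys that cause a command to run when the medium is inserted or opened.
EXEC_KEYS = {"shellexecute", "open"}
# shell\<verb>\command entries are launched when the user picks that verb.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample modelled on the fragment quoted in the text above.
SAMPLE_AUTORUN = """[autorun]
shelLExECUte=RuNdLl32.EXE .\\RECYCLER\\S-x-x-xx-PLACEHOLDER\\payload.dll,EntryPoint
icon=%systemroot%\\system32\\shell32.dll,4
"""

# Constructed benign sample: a vendor CD that only sets an icon and a label.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""


def parse_autorun(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples; keys keep their original case."""
    entries: List[Tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((section, key.strip(), value.strip()))
    return entries


def is_case_mangled(key: str) -> bool:
    """True for keys like 'shelLExECUte' that mix case beyond a plain capitalisation."""
    has_upper = any(c.isupper() for c in key)
    has_lower = any(c.islower() for c in key)
    return has_upper and has_lower and key != key.capitalize()


def triage_autorun(text: str, system: bool = False, hidden: bool = False) -> Dict[str, object]:
    """Collect the suspicious traits; two or more of them mark the file as suspicious."""
    findings: List[str] = []
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        nkey, nval = key.lower(), value.lower()
        if nkey in EXEC_KEYS or SHELL_CMD_RE.match(nkey):
            findings.append(f"{key}: launches a command when the medium is opened")
            if "rundll32" in nval:
                findings.append(f"{key}: runs rundll32, i.e. loads a DLL rather than an installer")
            if "recycler" in nval or "$recycle.bin" in nval:
                findings.append(f"{key}: payload lives under a recycle-bin folder")
        if is_case_mangled(key):
            findings.append(f"{key}: case-mangled key name, as in the sample quoted above")
    if system and hidden:
        findings.append("attributes S+H: invisible with default Explorer settings")
    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for name, text in (("constructed worm-like sample", SAMPLE_AUTORUN),
                       ("benign sample", BENIGN_AUTORUN)):
        result = triage_autorun(text, system=True, hidden=True)
        print(f"{name}: suspicious={result['suspicious']}")
        for line in result["findings"]:
            print("  -", line)
```

    The threshold of two findings keeps a plain vendor disc (icon and label only) out of the alert list while a file that both launches rundll32 and hides its key name behind mixed case is flagged. Running the check from an endpoint agent when a medium is mounted, before Autorun is honoured, is the point at which the text's "can only be detected with the help of an antivirus" observation becomes actionable.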


    risk: Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E.

    Conficker A
      - Downloads from trafficconverter.biz
      - Updates self to Conficker B, C or D

    Conficker B - HTTP pull
      - Downloads daily from any of 250 pseudorandom domains over 8 TLDs [30]
      - Blocks certain DNS lookups
      - Disables AutoUpdate
      - Updates self to Conficker C or D

    Conficker C
      - Creates named pipe to receive URL from remote host, then downloads from URL
      - Updates self to Conficker D

    Conficker D
      - Downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs
      - Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
      - Disables Safe Mode
      - Disables AutoUpdate
      - Kills anti-malware
      - Downloads and installs Conficker E

    Conficker E - P2P push/pull
      - Uses custom protocol to scan for infected peers via UDP, then transfer via TCP
