{
	"id": "c39ee6bf-c650-4321-95bc-aa9e4d710702",
	"created_at": "2026-04-06T03:36:40.377231Z",
	"updated_at": "2026-04-10T03:20:05.983309Z",
	"deleted_at": null,
	"sha1_hash": "80c9f308d77ea2fa31e6efe9a0e2048fa548c2ca",
	"title": "SANS Institute",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93080,
	"plain_text": "SANS Institute\r\nArchived: 2026-04-06 03:12:53 UTC\r\nOn October 23, 2008, Microsoft published the following critical security bulletin: MS08-067, Vulnerability in\r\nServer Service Could Allow Remote Code Execution (958644). Microsoft explained that the vulnerability in the\r\nserver service could allow remote code execution if an affected system received a specially crafted remote\r\nprocedure call (RPC) request. This could allow an attacker to exploit this vulnerability without authentication to\r\nrun arbitrary code on Windows 2000 Service Pack (SP) 4, Windows XP SP2 and SP3, Windows Server 2003 SP1\r\nand SP2, Vista Gold SP1, Windows Server 2008 and Windows 7 systems. Additionally, Microsoft warned that this\r\nvulnerability could be used in the crafting of a wormable exploit. The Common Vulnerabilities and Exposures\r\n(CVE) site references this vulnerability as CVE-2008-4250. The Common Vulnerability Scoring System (CVSS),\r\nwhich provides an open framework for communicating the characteristics and impacts of Information Technology\r\n(IT) vulnerabilities, rated this vulnerability with a 10.0, which is their most severe rating and indicates a\r\nvulnerability with high impact and high exploitability.\r\nThis wormable exploit did come into being and is known today as the Conficker worm. It has also been referred\r\nto as the Conficker virus, Downadup and Kido. Conficker became one of the fastest and largest worm infections\r\nsince the Sasser infection of 2004. It has been extremely difficult to contain and control due to its use of many\r\ndifferent advanced malware techniques. Conficker's logic includes mechanisms to generate lists of new domain\r\nnames on a daily basis to seek out Internet rendezvous points that the authors use for updates and for command\r\nand control of the machines infected. Conficker also uses binary validation techniques to ensure that updates are\r\nsigned by its authors. 
The use of binary encryption, digital signatures and advanced hash algorithms for its updates\r\nprevents the hijacking of infected clients. At its core, Conficker's main purpose is to provide its authors with a\r\nsecure binary update service that allows them instant control of the millions of infected PCs worldwide (Porras,\r\nSaidi and Yegneswaran, April 2009). It is very adept at hiding its tracks and preventing its removal from host\r\nmachines by its use of code obfuscation. So far, Conficker-infected machines have not been used for any nefarious\r\npurposes, but the viability of a botnet of thousands, perhaps millions, of computers available for use by criminals\r\nremains a possibility. Conficker's main impact at this time is its ability to terminate, disable, reconfigure or\r\nblackhole native operating system and third-party security services (Porras, Saidi and Yegneswaran, April 2009).\r\nConficker disables Windows system security services as well as third-party firewalls and anti-virus products,\r\nleaving systems in a vulnerable state which can lead to more infection and infiltration. Furthermore, Conficker\r\nblocks access to security-related sites such as Symantec or McAfee, thus preventing users from downloading tools\r\nto remove the infection.\r\nBackground Information\r\nA Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located\r\non another computer on a network. RPC helps with interoperability because the program using RPC does not have\r\nto understand the network protocols that are supporting communication. In RPC, the requesting program is the\r\nclient and the service-providing program is the server.\r\nhttps://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm\r\nPage 1 of 7\n\nThe Windows Server service is used to provide RPC support, file and print support and named pipe sharing over a\r\nnetwork. 
The server service allows for the sharing of your local resources so that other users on the network can\r\naccess them. It also allows named pipe communication between applications running on other computers and your\r\ncomputer, which is used for RPC (MS08-067 Security Bulletin). This service is used by all versions of Windows,\r\ntherefore making every Windows user vulnerable unless patched.\r\nAttack Vectors\r\nThe main attack vector used by Conficker and its multiple variants is the Windows Server Service vulnerability\r\n(MS08-067), which allows attackers to execute arbitrary code via a crafted RPC request that triggers a buffer\r\noverflow during canonicalization (conversion to standard format). The B variant introduced additional attack\r\nvectors of NetBIOS share propagation and USB propagation of the worm.\r\nOnce the specially crafted packet is sent to port 139 or port 445 on a Windows file/printer sharing session, the\r\nexploit occurs. Receipt of this packet will trigger a call to the RPC application programming interface (API)\r\nNetPathCompare() and NetPathCanonicalize() functions. Additionally:\r\n\"The exploit is triggered when giving a specific path to canonicalize such as \"\\c\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" to the NetPathCanonicalize() function, which\r\nuses the _tcscpy_s macro, which in turn calls the wcscpy_s function. This function is used to copy a wide-character string from a location in memory to another. The buffer overflow is provoked by a\r\nmiscalculation in the parameters given to the _tcscpy_s macro by the NetPathCanonicalize() function.\r\nThe _tcscpy_s function is called like this by the NetPathCanonicalize\r\nNetPathCanonicalize contains a complex loop to check the path for dots, dot-dots, slashes while\r\nmaking a lot of pointer calculations. 
Once the loop is passed over a couple of times, the\r\npreviousLastSlash parameter gets an illegal value.\" (Racicot)\r\nConficker's Payload:\r\nOnce the worm is installed on a system, the following occurs:\r\n\"Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and\r\nregister itself as a service. It will, of course, also add itself into the registry with the following key:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\u003cname\u003e.dll ImagePath =\r\n%SystemRoot%\\system32\\svchost.exe -k netsvcs\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\netsvcs\\Parameters\\\"ServiceDll\"\r\n= \"\u003cname\u003e.dll\"\r\nIt will then use these sites to get the newly infected machine's IP address:\r\nhttp://www.getmyip.org\r\nhttp://getmyip.co.uk\r\nhttp://checkip.dyndns.org\r\nWith the IP address, Downadup/Conficker can download a small HTTP server\r\n(\"http://trafficconverter.biz/4vir/antispyware/loadadv.exe\") and open an HTTP server on the current\r\nmachine with the following address:\r\nhttp://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]\r\nOnce the HTTP server is set up, it will scan for other vulnerable machines and when a target is found,\r\nthe infected machine URL will be sent to the target as the payload. The remote computer will then\r\ndownload the worm from the URL given and then start to infect other machines as well. Therefore,\r\nthere is no centralized point of download. Upon successful infection, it will also patch the hole to\r\nprevent other worms from infecting the machine\" (Racicot).\r\nConficker will then generate a list of 250 domain names (rendezvous points) using a randomizing function that it\r\nseeds with the current UTC system date. All Conficker-infected clients will attempt to contact the same set of\r\ndomains for updates. 
This same list of domain names is generated every 3 hours. This update probing is done on a\r\ndaily basis and provides Conficker's authors with an effective updating mechanism that is highly mobile, as its\r\nlocation is recomputed each day by all infected clients.\r\nIt should also be noted that Conficker's authors have taken measures to ensure that no other malware authors\r\ncan hijack their client base. Conficker has incorporated binary validation mechanisms to ensure that updates\r\nprovided to infected clients have been digitally signed by the authors themselves, and the clients will not accept\r\nunsigned updates.\r\nSigns and Symptoms of Infection\r\nConficker and all of its variants perform the following on an infected system:\r\nModification of system settings\r\nDisabling of TCP/IP tuning\r\nTermination/disablement of the following Windows services:\r\nWindows Security Service\r\nWindows Auto Update, Background Intelligent Transfer Service (BITS)\r\nWindows Defender\r\nWindows Error Reporting Service\r\nTermination/disablement of third-party security services/software that deal with system security (anti-virus,\r\nfirewalls, etc.)\r\nResetting system restore points\r\nDeleting backup files\r\nChecking for internet connectivity and downloading arbitrary files\r\nUsers will not be able to browse certain security-related Web sites with URLs containing specific keywords\r\nand phrases.\r\nIncrease in traffic on port 445\r\nAccess to administrator shared files is denied\r\nSluggish response due to increase in network traffic\r\nConficker Removal\r\nThere are several Conficker removal tools available for download. 
Most anti-virus vendors have developed\r\nremoval tools and/or provided instructions for removing Conficker, and links to some of these are listed below:\r\nSymantec\r\nSOPHOS\r\nMcAfee\r\nMicrosoft's Malicious Software Removal Tool\r\nMicrosoft has also put together a manual procedure for removing the Conficker worm.\r\nConficker Prevention\r\nThe Conficker worm serves as a great reminder to everyone to continually and consistently practice defense-in-depth and provide multiple layers of defense to protect consumer and business systems. The spread of the\r\nConficker worm is a sign that all PC users are stubborn and continue to avoid keeping their Windows installations\r\nup to date with the latest security patches. The infection has spread to computers all over the world and includes\r\nhome, business and government users. Methods of preventing this and other types of infections include the\r\nfollowing:\r\nKeep security patches up to date. This includes not only patches for the operating system, but for all\r\napplications and plug-ins as well. Remember, Downadup/Conficker spread so widely because so many\r\ncomputers simply did not have a simple security patch, released months before the infections ever started,\r\napplied (Weafer).\r\nUse a robust security software suite that has multiple layers of protection. Furthermore, make sure your\r\nsecurity software is always on and up to date. Even patched systems are continuing to become infected\r\nwith the .A and .B variants. In many instances, this is occurring because the worm is being passed on via\r\ninfected removable media, such as USB thumb drives, that are essentially acting as host carriers. 
In nearly\r\nall cases, up-to-date security software will detect the threat before it has the chance to jump from the\r\nremovable device to the computer (Weafer).\r\nEnable a firewall (Windows or third-party) on your computer and follow industry best practices on what\r\nshould and should not be allowed through the firewall.\r\nLimit user privileges on the computer. Provide access only to those who need it (need to know).\r\nUse caution when opening attachments and accepting file transfers.\r\nUse caution when clicking on links to Web pages.\r\nAvoid downloading pirated software.\r\nProtect yourself against social engineering attacks.\r\nUse strong passwords.\r\nConficker and April Fool's Day - 2009\r\nResearchers at Computer Associates discovered pieces of the computer code for Conficker that tell the worm to\r\nactivate itself on April 1, 2009 (Sutter). Many articles posted on the internet claimed that Conficker\r\nwas going to deliver its payload on April 1, 2009, April Fools' Day. See Appendix A for links to several of those\r\narticles as well as links to articles discussing the aftermath of the forecast.\r\nApril Fools' Day 2009 came and went with no major or ill effects due to Conficker. Please take note of the\r\npublicity that Conficker generated, with CNN and the New York Times covering the story. However, it must be\r\nnoted that the threat of so many compromised machines still exists.\r\nAn update posted on April 1, 2010 on Symantec's web site states the following on the status of Conficker\r\ninfections:\r\nApproximately 6.5 million systems are still infected with either the .A or .B variants.\r\nThe .C variant, which used a peer-to-peer method of propagating, has been slowly dying out over the past\r\nyear. 
From a high of nearly 1.5 million infections in April of 2009, the infection rate has steadily decreased\r\nto between 210,000 and 220,000 infections. This indicates some computer users are fixing the issue and\r\ngetting rid of the infection.\r\nSymantec also observed another variant, .E, released on April 8, 2009, but this variant deleted itself from\r\ninfected systems on or after May 3, 2009.\r\nThus far, the machines still infected with Downadup/Conficker have not been utilized for any significant\r\ncriminal activity, but with an army of nearly 6.5 million computers strong, the threat remains a viable one.\r\n(Weafer)\r\nConficker Variants\r\nSince its arrival, there have been several variants of the Conficker worm. Conficker.A was the first version of the\r\nworm, and Conficker.B, Conficker.C, Conficker.D and Conficker.E have followed. They can all be referred to\r\nas the Conficker family of malware. These variants have improved upon Conficker's code and have been released\r\nin response to attempts to stop or remove Conficker's infestation. Conficker.A relied upon the Windows Server\r\nService (MS08-067) vulnerability for its propagation, while Conficker.B implemented two additional strategies to\r\nembed itself into hosts, these being NetBIOS share propagation and USB propagation (Porras, Saidi and\r\nYegneswaran, February 2009). Conficker.C increased the number of randomly generated domain names to 50,000+\r\ncandidates daily, which represents a direct retaliation against the security community's efforts to block all of the domain\r\nregistrations associated with the A and B variants. Conficker.C also developed a peer-to-peer (P2P) coordination\r\nchannel for its updates. Conficker.D changed the domain-name generation algorithms and now generates a larger\r\npool of domain names. It should also be noted that Conficker.D does not spread by attacking new systems and just\r\nupdates existing Conficker.C-infected machines. 
Conficker.E performs another update to the Conficker.C code\r\nbase. See Appendix B, which contains a listing of links to Microsoft's Security Portal Threat Encyclopedia, for a\r\nfull discussion of the variants of Conficker.\r\nEnding Thoughts:\r\nConficker arrived with a bang, spreading fast and furious throughout the internet. Much has been written and\r\nspeculated on the true purpose behind Conficker. Warnings have come and gone with little effect. However,\r\nConficker is still out there. Even though there are several removal tools for Conficker and a patch from Microsoft\r\nis available for this vulnerability, the question remains, \"Are we safe?\" Sadly, the only answer that can be given at\r\nthis time is probably not.\r\nIt may not be the biggest known botnet (for example, the Mariposa botnet reportedly infected more than 11\r\nmillion computers during its lifetime), but it's also nothing to sneeze at. As another point of reference, the well-known Rustock botnet, which sends out 32.8 percent of all spam, is estimated to sit on somewhere between 1.6\r\nand 2.4 million machines. So remember, these 6.5 million computers infected with Downadup/Conficker are still\r\nmuch like a loaded gun, waiting to be fired (Weafer).\r\nThe information security community and law enforcement continue to monitor Conficker's activity. A Conficker\r\nWorking Group has been formed (http://www.confickerworkinggroup.org) and is ready to sound the alarm should\r\nthe worm be utilized for criminal activity. Users following the removal and prevention practices listed above will\r\ngo a long way in preventing further infections, but the reality is that until the current infections are completely\r\neradicated, Conficker must still be considered a threat.\r\nThe most frightening aspect of Conficker is its clear potential to do harm. 
At best, Conficker could be used for\r\nInternet fraud and theft. At worst, Conficker could be used as an offensive weapon for a coordinated information\r\nwarfare attack that could disrupt the Internet itself.\r\nAlso, the authors of Conficker must be noted for their skill sets in developing this worm. The authors have\r\ndemonstrated very advanced programming skills that include the use of advanced cryptography, code\r\nobfuscation, and an in-depth knowledge of Windows internals and third-party security products. They were\r\namong the first to introduce the Internet rendezvous point scheme for updates, and have now integrated a peer-to-peer protocol that does not require an embedded peer list. They have continually updated their code with new\r\nvariants and have adapted Conficker to address the latest attempts of the security community to thwart this worm.\r\nThey have infiltrated systems around the world, and one can only wonder what they will do next.\r\nAppendix A: April Fool's Day 2009 Conficker Articles\r\nNo joke in April Fool's Day computer worm, March 24, 2009 by John D Sutter\r\nThe Conficker Worm: April Fool's Joke or Unthinkable Disaster? 
March 19, 2009 by John Markoff\r\nConficker.C primed for April Fool's activation, March 16, 2009 by Joel Hruska\r\nCountdown to Conficker's April Fools Day Climax, March 25, 2009 by Byron Acohido\r\nApril Fools Fizzled, But Threat Remains, April 3, 2009 by Brian Krebs\r\nApril Fools' Day Update Begins With A Yawn, March 31, 2009 by Thomas Claburn\r\nConficker worm plays no tricks on April Fools' Day (AFP), March 31, 2009\r\nAppendix B: Microsoft's Security Portal Threat Encyclopedia Conficker Links\r\nConficker A: Reported to Microsoft on November 21, 2008\r\nConficker B: Reported to Microsoft on December 29, 2008\r\nConficker C: Reported to Microsoft on February 20, 2009\r\nConficker D: Reported to Microsoft on March 4, 2009\r\nConficker E: Reported to Microsoft on April 8, 2009\r\nReferences\r\nFitzgibbon, Niall and Wood, Mike. \"Conficker.C A Technical Analysis.\" Sophos. April 1, 2009. Web. September\r\n22, 2010.\r\n\"Microsoft Security Bulletin MS08-067 - Critical - Vulnerability in Server Service Could Allow Remote Code\r\nExecution (958644).\" Microsoft. October 23, 2008. Web. September 20, 2010.\r\nPorras, Phillip, Saidi, Hassan, and Yegneswaran, Vinod. \"Addendum: Conficker C Analysis.\" SRI. April 4, 2009.\r\nWeb. September 28, 2010.\r\nPorras, Phillip, Saidi, Hassan, and Yegneswaran, Vinod. \"An Analysis of Conficker's Logic and Rendezvous\r\nPoints.\" SRI. February 4, 2009. Web. September 28, 2010.\r\nRacicot, Jonathan. \"New Kid on the Block: Downadup.\" Cyberwarfaremag. December 2, 2008. Web. September\r\n22, 2010.\r\nSutter, John D. \"No joke in April Fool's Day computer worm.\" CNN. March 24, 2009. Web. September 20, 2010.\r\nWeafer, Vincent. \"Downadup/Conficker and April Fool's Day: One Year Later.\" Symantec. March 29, 2010. 
Web.\r\nSeptember 23, 2010.\r\nSource: https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"
	],
	"report_names": [
		"conficker-worm"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446600,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80c9f308d77ea2fa31e6efe9a0e2048fa548c2ca.pdf",
		"text": "https://archive.orkl.eu/80c9f308d77ea2fa31e6efe9a0e2048fa548c2ca.txt",
		"img": "https://archive.orkl.eu/80c9f308d77ea2fa31e6efe9a0e2048fa548c2ca.jpg"
	}
}