Conficker (also known as Downup, Downadup or Kido) was first spotted in November 2008. In the course of a year it has gone on to become one of the most notorious Windows worms in history.
Conficker isn’t the worst malware ever, nor is it the most dangerous. What makes it remarkable is the length it goes to in order to avoid detection and disinfection. It employs all the standard measures, creating multiple copies of itself and injecting itself into critical processes (e.g. explorer.exe and svchost.exe). On top of that, it disables Windows Update, blocks access to security vendors’ websites and even disables anti-malware utilities.
Even more ingenious is the technique it uses to check for payloads (additional pieces of code downloaded without the user’s permission). Rather than hard-coding a command-and-control address that could simply be taken down, Conficker generates a pseudo-random list of domain names from the current date and tries to download payloads from them; because every infected machine derives the same list, the authors need only register one of those names on a given day. While the initial three variants generated only about 250 domains per day, the newer modifications are capable of generating as many as 50,000 domain names per day. Pre-registering or blocking every candidate in advance, which is still feasible at 250 a day, becomes almost impossible at that scale.
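To make the mechanism concrete, here is a toy date-seeded domain generation algorithm written for this article. It is an added illustration, not Conficker’s real algorithm, seed or TLD list (all of which are assumptions here), and it goes a step beyond the paragraph by also showing the defender’s side: anyone who knows the algorithm can precompute the same list and see how the cost of pre-registering a week’s worth of domains changes between 250 and 50,000 names per day.

```python
"""Toy date-seeded domain generation algorithm (DGA).

Constructed for illustration only. It is NOT Conficker's actual algorithm,
seed or TLD pool; every constant below is an assumption for the example.
"""
import hashlib
from datetime import date, timedelta

# Assumed TLD pool for the example (the real worm's pools differ).
TLDS = ("com", "net", "org", "info", "biz")


def daily_seed(day: date) -> bytes:
    """Seed that every bot derives on its own from the current date, so all
    infected hosts (and a defender who knows the algorithm) agree on the list."""
    return day.isoformat().encode()


def generate_domains(day: date, count: int, tlds=TLDS) -> list[str]:
    """Return `count` distinct pseudo-random domains for `day`.

    A bot would try these names for a payload; the list changes every day.
    """
    seed = daily_seed(day)
    seen: set[str] = set()
    domains: list[str] = []
    counter = 0
    while len(domains) < count:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        length = 8 + digest[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domain = f"{label}.{tlds[digest[13] % len(tlds)]}"
        if domain not in seen:                          # keep the list collision-free
            seen.add(domain)
            domains.append(domain)
    return domains


def blocklist_for_window(start: date, days: int, count: int) -> frozenset[str]:
    """Defender side: precompute every candidate name for the next `days` days
    so they can be sinkholed or blocked before the bots look them up."""
    block: set[str] = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset), count))
    return frozenset(block)


def is_dga_candidate(domain: str, day: date, count: int) -> bool:
    """Check a queried name (e.g. from DNS logs) against that day's list."""
    return domain in set(generate_domains(day, count))


if __name__ == "__main__":
    d = date(2009, 4, 1)
    small = blocklist_for_window(d, 7, 250)
    large = blocklist_for_window(d, 7, 50_000)
    print(f"one week at    250/day: {len(small):>7} domains to pre-register")
    print(f"one week at 50,000/day: {len(large):>7} domains to pre-register")
    print("sample for", d, "->", generate_domains(d, 3))
```

The asymmetry is the whole point: the attacker needs to register one of the names on any given day, while a defender wanting to deny delivery outright has to buy or block all of them, every day, across every TLD in the pool. Sinkholing a known algorithm at 250 names a day is a registration budget; at 50,000 a day it is not.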
Conficker is also a story of what happened, what could have happened and what may still happen. Its creators have succeeded in building a huge botnet which could be used for spamming, DDoS (distributed denial of service) attacks, pay-per-click fraud, keylogging, identity theft and traffic logging. However, Conficker hasn’t yet created the mayhem that many believe it has the potential to.
Conficker spreads using a vulnerability in the Windows Server service, reachable over RPC, which Microsoft patched in October 2008 (MS08-067), before the worm was first seen. In spite of this, Conficker continues to spread: plenty of machines remain unpatched, and later variants also propagate through network shares protected by weak passwords and through removable media, so patching alone does not stop it. BitDefender suggests that the worm will continue to be a nuisance in 2010 and may even become a bigger threat.