Conficker
Associated Software Descriptions
| Name | Description |
|---|---|
| Kido | |
| Downadup |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Conficker adds Registry Run keys to establish persistence.[3] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Conficker copies itself into the |
| Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[1][3] |
| Enterprise | T1210 | Exploitation of Remote Services |
Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.[1] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Conficker terminates various services related to system security and Windows.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
Conficker downloads an HTTP server to the infected machine.[1] |
|
| Enterprise | T1490 | Inhibit System Recovery |
Conficker resets system restore points and deletes backup files.[1] |
|
| Enterprise | T1112 | Modify Registry |
Conficker adds keys to the Registry at |
|
| Enterprise | T1046 | Network Service Discovery | ||
| Enterprise | T1027 | Obfuscated Files or Information |
Conficker has obfuscated its code to prevent its removal from host machines.[3] |
|
| Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
Conficker variants spread through NetBIOS share propagation.[1] |
| Enterprise | T1091 | Replication Through Removable Media |
Conficker variants used the Windows AUTORUN feature to spread through USB propagation.[1][3] |
|
| Enterprise | T1124 | System Time Discovery |
Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[1][3] |
|