
User:Seapink/Conficker

Seapink/Conficker
Official name: Conficker
Aliases:

Classification: Unknown
Type: Computer worm
Subtype: Computer virus

Conficker (also known as Downup, Downadup or Kido) is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.[1] Once it has infected a machine, it exploits a flaw in Windows software, runs dictionary attacks against administrator passwords, and connects the computer to a network that the worm's authors can command. Conficker spread rapidly: more than seven million government, business and home computers in over 200 countries are now under its control, and it is considered the largest infection since SQL Slammer in 2003.[2] Because it combines a wide range of advanced malware techniques, it is also very hard to counter.[3]

History

Naming

The name Conficker is thought to be a blend of the English word "configure" and the German word "ficker".[4][5] Microsoft analysts instead explain it as a rearrangement of parts of the domain name trafficconverter.biz,[6] which early versions of Conficker used to download updates.

Discovery

The first variant of Conficker was discovered in early November 2008 and spread over the Internet by exploiting a vulnerability in a network service present in Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 Beta.[7] Windows 7 may also have been affected, but the Windows 7 Beta was not released until January 2009. Microsoft released an emergency out-of-band patch closing the vulnerability on 23 October 2008,[8] yet a large number of Windows PCs (an estimated 30%) still had not applied it as of January 2009.[9] A second variant, discovered in December 2008, added the ability to spread through removable media and network file shares.[10] Researchers regard this capability as the decisive factor behind the rapid growth of the infection, and estimate that between 9 million[11][12][13] and 15 million[14] PCs had been infected by January 2009. Anti-virus vendor Panda Security reported that of two million computers analysed with ActiveScan, about 115,000 (6%) were found to be infected with Conficker.[15]

Estimating how many computers are currently infected is difficult, because recent variants have changed the way the worm spreads and updates itself.[16]

Impact in Europe

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.[17]

The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.[18][19]

On 2 February 2009, the Bundeswehr, the unified armed forces of the Federal Republic of Germany, reported that about one hundred of its computers were infected.[20]

An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. Bosses have since banned the use of memory sticks and disabled USB drives; this is how the infection was believed to have occurred.[21]

A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that it had been infected with the worm. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.[22]

The worm infected Greater Manchester Police's computer system in January 2010, quickly spreading through the system. It led to the force's computer network being disconnected from the Police National Computer and officers having to contact other forces to run checks on vehicles and people.[23]

Operation

Most of the advanced malware techniques Conficker uses had been seen before or were well known to researchers, but by combining many of them Conficker made removal extremely difficult.[24] The worm's authors are also believed to monitor the countermeasures taken by network administrators and law enforcement, and to release new variants that fix the worm's own weaknesses.[25][26]

Five variants of Conficker are known, called Conficker A, B, C, D and E. They were discovered on 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009 respectively.[27][28]

The table below is laid out per variant, with the columns of the original table (detection date, infection vectors, update propagation, self-defense, end action) as labelled groups.

Conficker A (detected 2008-11-21)
  Infection vectors:
  • NetBIOS
    • Exploitation of the Server Service vulnerability MS08-067[26]
  Update propagation:
  • HTTP pull
    • Download from trafficconverter.biz
    • Download from 250 pseudo-randomly chosen domains per day across 5 TLDs[29]
  Self-defense:
  • None
  End action:
  • Updates itself to Conficker B, C or D[30]

Conficker B (detected 2008-12-29)
  Infection vectors:
  • NetBIOS
    • Exploitation of the Server Service vulnerability MS08-067[26]
    • Dictionary attack on ADMIN$ shares[31]
  • Removable media
    • Creates a DLL-based trojan on attached removable drives that is launched through AutoRun[10]
  Update propagation:
  • HTTP pull
    • Download from 250 pseudo-randomly chosen domains per day across 8 TLDs[29]
  • NetBIOS push
    • Patches MS08-067 so as to leave a re-infection backdoor in the Server Service[32][33]
  Self-defense:
  • Blocks DNS lookups
  • Disables automatic updates
  End action:
  • Updates itself to Conficker C or D[30]

Conficker C (detected 2009-02-20)
  Infection vectors:
  • NetBIOS
    • Exploitation of the Server Service vulnerability MS08-067[26]
    • Dictionary attack on ADMIN$ shares[31]
  • Removable media
    • Creates a DLL-based trojan on attached removable drives that is launched through AutoRun[10]
  Update propagation:
  • HTTP pull
    • Download from 250 pseudo-randomly chosen domains per day across 8 TLDs[29]
  • NetBIOS push
    • Patches MS08-067 so as to leave a re-infection backdoor in the Server Service[32][33]
    • Creates a named pipe over which it receives URLs to download from
  Self-defense:
  • Blocks DNS lookups
  • Disables automatic updates
  End action:
  • Updates itself to Conficker D[30]

Conficker D (detected 2009-03-04)
  Infection vectors:
  • None
  Update propagation:
  • HTTP pull
    • Download from 500 domains chosen at random each day out of 50,000 across 110 TLDs[29]
  • P2P push/pull
    • Scans for infected peers with a custom UDP protocol and transfers data over TCP[34]
  Self-defense:
  • Blocks DNS lookups[35]
    • Patches DNSAPI.DLL in memory to block DNS lookups of anti-malware-related websites[35]
  • Disables Safe Mode[35]
  • Disables automatic updates
  • Kills anti-malware
    • Every second, looks for and terminates processes whose names match anti-malware, patching or diagnostic utilities[36]
  End action:
  • Downloads and installs Conficker E[30]

Conficker E (detected 2009-04-07)
  Infection vectors:
  • NetBIOS
    • Exploitation of the Server Service vulnerability MS08-067[37]
  Update propagation:
  • NetBIOS push
    • Patches MS08-067 so as to leave a re-infection backdoor in the Server Service
  • P2P push/pull
    • Scans for infected peers with a custom UDP protocol and transfers data over TCP[34]
  Self-defense:
  • Blocks DNS lookups
  • Disables automatic updates
  • Kills anti-malware
    • Every second, looks for and terminates processes whose names match anti-malware, patching or diagnostic utilities[38]
  End action:
  • Updates any Conficker C on the same machine to Conficker D[39]
  • Downloads and installs additional malware (see End action below)
  • Removes itself on 3 May 2009, leaving Conficker D in place[41]

Initial infection

  • Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially crafted RPC request to force a buffer overflow and execute shellcode on the target computer.[42] On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe.[33] Variants B and later may attach instead to a running services.exe or Windows Explorer process.[26]
  • Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.[43]
  • Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.[10]

To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.[26]

Payload propagation

The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the worm to update itself to newer variants, and to install additional malware.

  • Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator seeded with the current date to ensure that every copy of the worm generates the same names each day. The worm then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.[26]
  • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.[26]
    • To counter the worm's use of pseudorandom domain names, Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains.[44] Variant D counters this by generating daily a pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1)[27][36] is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the worm's peer-to-peer network.[29] The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial of service attack (DDoS) on sites serving those domains.[45]
  • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.[36]
  • Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.[32]
  • Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the worm is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.[34][36]
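
The date-seeded generation described above is exactly what let registries lock or pre-register the names in advance. The following added example (not Conficker's actual generator, which this page does not reproduce) uses a hypothetical deterministic generator with the same properties the page gives for variant A (seeded by the date, 250 names per day, five TLDs, 4-9 character labels) and shows the defender-side steps: reproducing a day's set independently, precomputing a week's blocklist, and checking which generated names collide with a constructed sample of already-registered domains.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical generator (not Conficker's real algorithm) with the properties the
# page describes: seeded by the calendar date so every copy computes the same
# set, a fixed count per day and a fixed list of TLDs.
TLDS = ("com", "net", "org", "info", "biz")  # five TLDs, as for variant A
NAMES_PER_DAY = 250


def generate_domains(day, count=NAMES_PER_DAY, tlds=TLDS, min_len=4, max_len=9):
    """Return the deterministic list of domain names for `day`."""
    names = []
    for i in range(count):
        # A hash of date plus counter stands in for the date-seeded PRNG.
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = min_len + digest[0] % (max_len - min_len + 1)
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return names


def precompute_blocklist(start, days):
    """Union of every name the generator will emit over `days` days: the set a
    registry can lock or pre-register ahead of time, as the page describes."""
    block = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset)))
    return block


def collisions(block, registered):
    """Generated names that already belong to someone else; those hosts would
    receive the daily connection attempts of every infected machine."""
    return sorted(block & set(registered))


def demo():
    day = date(2009, 4, 1)
    today = generate_domains(day)
    # Two independent calls for the same date agree, which is what lets a
    # defender reproduce the worm's list without access to an infected host.
    reproducible = generate_domains(date(2009, 4, 1)) == today
    block = precompute_blocklist(day, 7)
    # Constructed registry sample: two unrelated names plus one that happens
    # to be in the worm's set for the day.
    registered = {"example.com", "mail.net", today[0]}
    return reproducible, len(today), len(block), collisions(block, registered), today[0]


if __name__ == "__main__":
    print(demo())
```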

Armoring

To prevent payloads from being hijacked, variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key.[33] The payload is unpacked and executed only if its signature verifies with a public key embedded in the worm. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.[36]
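
The following added example models the variant A packaging just described (SHA-1 digest used as the RC4 key, digest RSA-signed with the private key, verification against the embedded public key before anything is unpacked); it is not Conficker's code, and it generates toy-sized RSA keys inline with textbook RSA so that it runs without a crypto library. The point for an analyst is the last two checks: a payload altered in transit, or one signed without the private key, is never accepted, which is why the update channel could not be used to push a cleanup payload to infected hosts.

```python
import hashlib
import math
import secrets


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, sufficient for the toy key sizes generated below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 256, e: int = 65537):
    """Textbook RSA with toy-sized primes (Conficker used 1024- and 4096-bit keys)."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)  # (public, private)


def pack_payload(payload: bytes, private_key):
    """Author side: hash, RC4-encrypt with the digest as key, RSA-sign the digest."""
    d, n = private_key
    digest = hashlib.sha1(payload).digest()
    sig = pow(int.from_bytes(digest, "big"), d, n)
    return rc4(digest, payload), sig.to_bytes((n.bit_length() + 7) // 8, "big")


def unpack_payload(blob: bytes, sig: bytes, public_key):
    """Receiver side: recover the digest with the embedded public key, decrypt,
    and accept the payload only if it hashes back to that digest."""
    e, n = public_key
    recovered = pow(int.from_bytes(sig, "big"), e, n)
    if recovered >= 1 << 160:  # not a SHA-1 digest: signature did not verify
        return None
    digest = recovered.to_bytes(20, "big")
    payload = rc4(digest, blob)
    return payload if hashlib.sha1(payload).digest() == digest else None


def demo():
    public, private = rsa_keypair()
    payload = b"constructed sample update bytes; not a real Conficker payload"
    blob, sig = pack_payload(payload, private)
    genuine = unpack_payload(blob, sig, public) == payload
    # Altered in transit: decrypts, but no longer hashes to the signed digest.
    tampered = unpack_payload(blob[:-1] + bytes([blob[-1] ^ 1]), sig, public)
    # Signature not produced with the private key: no valid digest is recovered.
    forged = unpack_payload(blob, bytes(b ^ 1 for b in sig), public)
    return genuine, tampered, forged
```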

Self-defense

Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[46] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[47] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.[36]

End action

Variant E of the worm was the first to use its base of infected computers for an ulterior purpose.[40] It downloads and installs, from a web server hosted in Ukraine, two additional payloads:[48]

  • Waledac, a spambot otherwise known to propagate through e-mail attachments.[49] Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.[50][51]
  • SpyProtect 2009, a scareware anti-virus product.[52]

Symptoms

Response

On 12 February 2009, Microsoft announced the formation of an IT industry group to counter the effects of Conficker. Its members include Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, Inc., M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.[25][55]

From Microsoft

As of 13 February 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.[56] Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the worm, but declined to reveal further technical discoveries about the worm's internals to avoid tipping off its authors.[57]

From registries

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator. Those which have taken action include:

  • On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.[58]
  • On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the worm over the next 12 months.[59]
  • On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group.[60]
  • On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."[61]
  • On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the worm over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack on legitimate domains which happen to be in the generated set.[62]
  • On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the worm.

By mid-April 2009, all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.[63]

Removal and detection

Microsoft has released a removal guide for the worm, and recommends using the current release of its Windows Malicious Software Removal Tool[64] to remove the worm, then applying the patch to prevent re-infection.[65]

Third parties

Third-party anti-virus software vendors AVG Technologies, McAfee,[66] Panda Security,[67] BitDefender,[68] ESET,[69] F-Secure,[70] Symantec,[71] Sophos,[72] Kaspersky Lab,[73] Trend Micro[74] and Sunbelt Software have released detection updates to their products and claim to be able to remove the worm.

Automated remote detection

On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[33] The peer-to-peer command protocol used by variants D and E of the worm has since been partially reverse-engineered, allowing researchers to imitate the worm network's command packets and positively identify infected computers en masse.[75][76]

Signature updates for a number of network scanning applications are now available, including Nmap[77] and Nessus.[78] In addition, several commercial vendors have released dedicated scanners, namely eEye[79] and McAfee.[80]

It can also be detected passively, by sniffing broadcast domains for repeated ARP requests: a host sweeping its subnet asks for many addresses in quick succession, and keeps asking for addresses that never answer.
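
The passive check just mentioned, as an added example that is not part of the original page: detection logic over a constructed tcpdump-style ARP capture (the sample lines, thresholds and the 10.0.0.0/24 addresses are all assumptions) that flags a sender which, within a short window, asks for an unusually large number of distinct addresses or repeats the same unanswered request, while leaving ordinary hosts unflagged.

```python
import re
from collections import defaultdict

# tcpdump-style "who-has" lines; the regex tolerates a trailing ", length N".
ARP_LINE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) ARP, Request who-has (\d+\.\d+\.\d+\.\d+) "
    r"tell (\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(log: str):
    """Yield (seconds since midnight, target IP, sender IP) per ARP request."""
    for line in log.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        h, mi, s, frac, target, sender = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)
        yield t, target, sender


def arp_scanners(log: str, window: float = 5.0, min_distinct: int = 16,
                 min_repeats: int = 3):
    """Flag senders that, within `window` seconds, ask for many distinct
    addresses (a subnet sweep) or repeat the same unanswered request."""
    by_sender = defaultdict(list)
    for t, target, sender in sorted(parse_arp_requests(log)):
        by_sender[sender].append((t, target))
    flagged = {}
    for sender, reqs in by_sender.items():
        start = 0  # sliding window over this sender's requests
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            targets = [tg for _, tg in reqs[start:end + 1]]
            distinct = len(set(targets))
            repeats = max(targets.count(tg) for tg in set(targets))
            if distinct >= min_distinct or repeats >= min_repeats:
                flagged[sender] = {"distinct": distinct, "repeats": repeats}
                break
    return flagged


def build_sample() -> str:
    """Constructed capture, not real traffic: 10.0.0.20 sweeps 10.0.0.30-54 in
    2.5 s, 10.0.0.21 re-asks for an address that never answers, and two benign
    hosts make a few requests that are spread out or distinct."""
    lines = []
    for i in range(25):
        lines.append(f"10:00:{i // 10:02d}.{i % 10}00000 ARP, Request who-has "
                     f"10.0.0.{30 + i} tell 10.0.0.20, length 28")
    for i in range(3):
        lines.append(f"10:00:05.{i}00000 ARP, Request who-has 10.0.0.99 "
                     f"tell 10.0.0.21, length 28")
    for hm in ("10:01", "10:04", "10:07"):  # same target, minutes apart
        lines.append(f"{hm}:00.000000 ARP, Request who-has 10.0.0.1 "
                     f"tell 10.0.0.7, length 28")
    for tgt in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):  # three distinct, once each
        lines.append(f"10:02:00.000000 ARP, Request who-has {tgt} "
                     f"tell 10.0.0.8, length 28")
    return "\n".join(lines)


if __name__ == "__main__":
    print(arp_scanners(build_sample()))
```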

US-CERT

The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715,[81] US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively.[82] US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.[83]


References

  1. ^ Protect yourself from the Conficker computer worm, Microsoft, (2009-04-09), http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx Retrieved 28 April 2009.
  2. ^ Markoff, John (22 January 2009). "Worm Infects Millions of Computers Worldwide". New York Times. http://nytimes.com/2009/01/23/technology/internet/23worm.html Retrieved 23 April 2009.
  3. ^ "Defying Experts, Rogue Computer Code Still Lurks". New York Times (26 August 2009). Retrieved 27 August 2009.
  4. ^ Grigonis, Richard (2009-02-13), Microsoft's US$5 million Reward for the Conficker Worm Creators, IP Communications, http://ipcommunications.tmcnet.com/topics/ip-communications/articles/50562-microsofts-5000000-reward-the-conficker-worm-creators.htm Retrieved 1 April 2009.
  5. ^ Ficker in dict.cc English-German Dictionary;
    ^ Ficker in bab.la/ German-English Dictionary;
    ^ Ficker in pons German-English Dictionary.
  6. ^ Phillips, Joshua, Malware Protection Center - Entry: Worm:Win32/Conficker.A, Microsoft, http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.a Retrieved 1 April 2009.
  7. ^ Leffall, Jabulani (15 January 2009). "Conficker worm still wreaking havoc on Windows systems". Government Computer News. Retrieved 29 March 2009.
  8. ^ Microsoft Security Bulletin MS08-067 – Critical; Vulnerability in Server Service Could Allow Remote Code Execution (958644), Microsoft Corporation, http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx Retrieved 15 April 2009.
  9. ^ Leyden, John (2009-01-19), Three in 10 Windows PCs still vulnerable to Conficker exploit, The Register, http://theregister.co.uk/2009/01/19/conficker_worm_feed Retrieved 20 January 2009.
  10. ^ a b c d Nahorney, Ben; Park, John (2009-03-13), "Propagation by AutoPlay", The Downadup Codex, Symantec, pp. 32, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf Retrieved 1 April 2009.
  11. ^ "Clock ticking on worm attack code". BBC News Online (BBC). (20 January 2009). http://news.bbc.co.uk/1/hi/technology/7832652.stm Retrieved 16 January 2009.
  12. ^ Sullivan, Sean (16 January 2009). "Preemptive Blocklist and More Downadup Numbers". F-Secure. Retrieved 16 January 2009.
  13. ^ Neild, Barry (2009-01-16), Downadup Worm exposes millions of PCs to hijack, CNN, http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview Retrieved 18 January 2009.
  14. ^ Virus strikes 15 million PCs, UPI, (2009-01-26), http://upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206 Retrieved 25 March 2009.
  15. ^ "Six percent of computers scanned by Panda Security are infected by the Conficker worm". Panda Security (21 January 2009). Retrieved 21 January 2009.
  16. ^ McMillan, Robert (2009-04-15), "Experts bicker over Conficker numbers", Techworld (IDG), http://www.techworld.com/news/index.cfm?RSS&NewsID=114307 Retrieved 23 April 2009.
  17. ^ Willsher, Kim (2009-02-07), French fighter planes grounded by computer worm, The Daily Telegraph, http://telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html Retrieved 1 April 2009.
  18. ^ Williams, Chris (2009-01-20), MoD networks still malware-plagued after two weeks, The Register, http://theregister.co.uk/2009/01/20/mod_malware_still_going_strong Retrieved 20 January 2009.
  19. ^ Williams, Chris (2009-01-20), Conficker seizes city's hospital network, The Register, http://theregister.co.uk/2009/01/20/sheffield_conficker Retrieved 20 January 2009.
  20. ^ (German) Conficker-Wurm infiziert hunderte Bundeswehr-Rechner, PC Professionell, (2009-02-16), http://www.pc-professionell.de/news/2009/02/16/conficker_wurm_infiziert_hunderte_bundeswehr_rechner Retrieved 1 April 2009.
  21. ^ Leyden, John (1 July 2009). "Conficker left Manchester unable to issue traffic tickets". The Register. http://www.theregister.co.uk/2009/07/01/conficker_council_infection/
  22. ^ Leyden, John (2009-03-27), Leaked memo says Conficker pwns Parliament, The Register, http://theregister.co.uk/2009/03/27/conficker_parliament_infection Retrieved 29 March 2009.
  23. ^ "Conficker virus hits Manchester Police computers". BBC News. (2 February 2010). http://news.bbc.co.uk/1/hi/england/manchester/8492669.stm Retrieved 2 February 2010.
  24. ^ Nahorney, Ben; Park, John (2009-03-13), "Propagation by AutoPlay", The Downadup Codex, Symantec, pp. 2, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf Retrieved 1 April 2009.
  25. ^ a b Markoff, John (2009-03-19), Computer Experts Unite to Hunt Worm, New York Times, http://www.nytimes.com/2009/03/19/technology/19worm.html?_r=1&ref=us Retrieved 29 March 2009.
  26. ^ a b c d e f g h Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19), An Analysis of Conficker, SRI International, http://mtc.sri.com/Conficker/ Retrieved 29 March 2009.
  27. ^ a b Tiu, Vincent (2009-03-27), Microsoft Malware Protection Center: Information about Worm:Win32/Conficker.D, Microsoft, http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx Retrieved 30 March 2009.
  28. ^ Macalintal, Ivan; Cepe, Joseph; Ferguson, Paul (2009-04-07), DOWNAD/Conficker Watch: New Variant in The Mix?, Trend Micro, http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/ Retrieved 7 April 2009.
  29. ^ a b c d e Park, John (2009-03-27), W32.Downadup.C Pseudo-Random Domain Name Generation, Symantec, https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Pseudo-Random-Domain-Name-Generation/ba-p/393367#A258 Retrieved 1 April 2009.
  30. ^ a b c d Nahorney, Ben (21 April 2009). "Connecting The Dots: Downadup/Conficker Variants". Symantec. Retrieved 25 April 2009.
  31. ^ a b Chien, Eric (2009-02-18), Downadup: Locking Itself Out, Symantec, https://forums2.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837 Retrieved 3 April 2009.
  32. ^ a b c Chien, Eric (2009-01-19), Downadup: Peer-to-Peer Payload Distribution, Symantec, https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227 Retrieved 1 April 2009.
  33. ^ a b c d e Leder, Felix; Werner, Tillmann (2009-04-07), Know Your Enemy: Containing Conficker, HoneyNet Project, http://www.honeynet.org/files/KYE-Conficker.pdf Retrieved 13 April 2009.
  34. ^ a b c W32.Downadup.C Bolsters P2P, Symantec, (2009-03-20), https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331#A253 Retrieved 1 April 2009.
  35. ^ a b c Leung, Ka Chun; Kiernan, Sean (2009-04-06), W32.Downadup.C Technical Details, http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2 Retrieved 10 April 2009.
  36. ^ a b c d e f Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19), An Analysis of Conficker C (draft), SRI International, http://mtc.sri.com/Conficker/ Retrieved 29 March 2009.
  37. ^ a b Fitzgerald, Patrick (2009-04-09), W32.Downadup.E—Back to Basics, Symantec, https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465 Retrieved 10 April 2009.
  38. ^ Putnam, Aaron, Virus Encyclopedia: Worm:Win32/Conficker.E, Microsoft, http://onecare.live.com/standard/en-us/virusenc/VirusEncInfo.htm?VirusName=Worm:Win32/Conficker.E Retrieved 18 April 2009.
  39. ^ Nahorney, Ben; Park, John (2009-04-21), "Connecting The Dots: Downadup/Conficker Variants", The Downadup Codex (2.0 ed.), Symantec, pp. 47, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf Retrieved 19 June 2009.
  40. ^ a b Keizer, Gregg (2009-04-09), Conficker cashes in, installs spam bots and scareware, Computerworld, http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9131380 Retrieved 10 April 2009.
  41. ^ Leung, Kachun; Liu, Yana; Kiernan, Sean (2009-04-10), W32.Downadup.E Technical Details, Symantec, http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-040823-4919-99&tabid=2 Retrieved 10 April 2009.
  42. ^ CVE-2008-4250, Common Vulnerabilities and Exposures, Department of Homeland Security, (2008-06-04), http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250 Retrieved 29 March 2009.
  43. ^ "Passwords used by the Conficker worm". Sophos. Retrieved 16 January 2009.
  44. ^ Robertson, Andrew (2009-02-12), Microsoft Collaborates With Industry to Disrupt Conficker Worm, ICANN, http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm Retrieved 1 April 2009.
  45. ^ Leder, Felix; Werner, Tillmann (2009-04-02), Containing Conficker, Institute of Computer Science, University of Bonn, http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ Retrieved 3 April 2009.
  46. ^ Win32/Conficker.C, CA, (2009-03-11), http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=77976 Retrieved 29 March 2009.
  47. ^ Malware Protection Center - Entry: Worm:Win32/Conficker.D, Microsoft, http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.D Retrieved 30 March 2009.
  48. ^ Krebs, Brian (2009-04-10), "Conficker Worm Awakens, Downloads Rogue Anti-virus Software", Washington Post, http://voices.washingtonpost.com/securityfix/2009/04/conficker_worm_awakens_downloa.html Retrieved 25 April 2009.
  49. ^ O'Murchu, Liam (2008-12-23), W32.Waledac Technical Details, Symantec, http://symantec.com/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2 Retrieved 10 April 2009.
  50. ^ Higgins, Kelly Jackson (2009-01-14), Storm Botnet Makes A Comeback, DarkReading, http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212900543 Retrieved 11 April 2009.
  51. ^ Coogan, Peter (2009-01-23), Waledac – Guess which one is for you?, Symantec, https://forums2.symantec.com/t5/Malicious-Code/Waledac-Guess-which-one-is-for-you/ba-p/382056 Retrieved 11 April 2009.
  52. ^ Gostev, Aleks (2009-04-09), The neverending story, Kaspersky Lab, http://www.viruslist.com/en/weblog?weblogid=208187654 Retrieved 13 April 2009.
  53. ^ "Virus alert about the Win32/Conficker.B worm". Microsoft (15 January 2009). Retrieved 22 January 2009.
  54. ^ "Virusencyclopedie: Worm:Win32/Conficker.B". Microsoft. Retrieved 3 August 2009.
  55. ^ O'Donnell, Adam (2009-02-12), Microsoft announces industry alliance, $250k reward to combat Conficker, ZDNet, http://blogs.zdnet.com/security/?p=2572 Retrieved 1 April 2009.
  56. ^ Microsoft Collaborates With Industry to Disrupt Conficker Worm (Microsoft offers $250,000 reward for Conficker arrest and conviction.), Microsoft, (2009-02-12), http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases Retrieved 22 September 2009.
  57. ^ Greene, Tim (2009-07-31), Conficker talk sanitized at Black Hat to protect investigation, Network World, http://www.networkworld.com/news/2009/073109-black-hat-conficker-talk.html Retrieved 28 December 2009.
  58. ^ (Spanish) NIC Chile participa en esfuerzo mundial en contra del gusano Conficker, NIC Chile, (2009-03-31), http://www.nic.cl/anuncios/2009-03-31.html Retrieved 31 March 2009.
  59. ^ CIRA working with international partners to counter Conficker C, CIRA, (2009-03-24), http://cira.ca/pr-conficker-c Retrieved 31 March 2009.
  60. ^ (Spanish) NIC-Panama colabora en esfuerzo mundial en contra del Gusano Conficker., NIC-Panama, (2009-03-27), http://www.nic.pa/paginas/anuncio1.php?numero=6 Retrieved 27 March 2009.
  61. ^ D'Alessandro, Marco (2009-03-30), SWITCH taking action to protect against the Conficker computer worm, SWITCH, http://switch.ch/about/news/2009/conficker.html Retrieved 1 April 2009.
  62. ^ Bartosiewicz, Andrzej (2009-03-31) (Polish), Jak działa Conficker?, Webhosting.pl, http://webhosting.pl/Jak.dziala.Conficker Retrieved 31 March 2009.
  63. ^ Maniscalchi, Jago (2009-06-07), Conficker.A DNS Rendezvous Analysis, Digital Threat, http://www.digitalthreat.net/?p=38 Retrieved 26 June 2009.
  64. ^ Malicious Software Removal Tool, Microsoft, (2005-01-11), http://www.microsoft.com/security/malwareremove/default.mspx Retrieved 29 March 2009.
  65. ^ Protect yourself from the Conficker computer worm, Microsoft, (2009-03-27), http://microsoft.com/protect/computer/viruses/worms/conficker.mspx Retrieved 30 March 2009.
  66. ^ "Protecting yourself from the Conficker worm". McAfee. Retrieved 29 July 2009.
  67. ^ "Win32/Conficker.C". Threat Encyclopedia. Panda Security. Retrieved 29 March 2009.
  68. ^ Radu, Daniel; Cimpoesu, Mihai, Win32.Worm.Downadup.Gen, BitDefender, http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html Retrieved 1 April 2009.
  69. ^ "Win32/Conficker.AA". Threat Encyclopaedia. ESET. Retrieved 29 March 2009.
  70. ^ "Worm:W32/Downadup.AL". F-Secure. Retrieved 30 March 2009.
  71. ^ "W32.Downadup - Removal". Symantec (24 November 2008). Retrieved 29 March 2009.
  72. ^ "Conficker Removal Tool". Sophos (16 January 2009). Retrieved 29 March 2009.
  73. ^ "How to remove network worm Net-Worm.Win32.Kido". Kaspersky Lab (20 March 2009). Retrieved 29 March 2009.
  74. ^ "WORM_DOWNAD.E". Trend Labs (11 April 2009). Retrieved 5 May 2009.
  75. ^ Bowes, Ron (2009-04-21), Scanning for Conficker's peer to peer, SkullSecurity, http://www.skullsecurity.org/blog/?p=230 Retrieved 25 April 2009.
  76. ^ W32.Downadup P2P Scanner Script for Nmap, Symantec, (2009-04-22), https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519#A266 Retrieved 25 April 2009.
  77. ^ Bowes, Ronald (2009-03-30), Scanning for Conficker with Nmap, SkullSecurity, http://www.skullsecurity.org/blog/?p=209 Retrieved 31 March 2009.
  78. ^ Asadoorian, Paul (2009-04-01), Updated Conficker Detection Plugin Released, Tenable Security, http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html Retrieved 2 April 2009.
  79. ^ Conficker Worm Scanning Utility, eEye Digital Security, http://www.eeye.com/html/downloads/other/ConfickerScanner.html
  80. ^ , McAfee, http://www.mcafee.com/us/enterprise/confickertest.html
  81. ^ "How to disable the Autorun functionality in Windows". Microsoft (27 March 2009). Retrieved 15 April 2009.
  82. ^ Technical Cyber Security Alert TA09-020A: Microsoft Windows Does Not Disable AutoRun Properly, US-CERT, (2009-01-29), http://www.us-cert.gov/cas/techalerts/TA09-020A.html Retrieved 16 February 2009.
  83. ^ DHS Releases Conficker/Downadup Computer Worm Detection Tool, Department of Homeland Security, (2009-03-30), http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm Retrieved 1 April 2009.

External links