Conficker worm aka skynet

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
If things like this continue to become more common I may have to make a career change to cyber bounty hunter! MS is offering $250,000 to whoever can find the creator(s).

Reading the fact sheet, it so reminded me of skynet. They are referring to it like it has its own consciousness.

http://lastwatchdog.com/evolut...r-globe-spanning-worm/

Sept. Chinese hackers begin selling a $37 malware kit designed to tap a newly-discovered security hole in a component of Windows, called RPC-DCOM, which enables file and print sharing. RPC-DCOM is built into all PCs of Windows XP vintage and earlier, some 800 million machines worldwide.

Oct. 15. MIT's Dr. Ronald Rivest publishes a cutting-edge security technique, called the "MIT MD6 hashing algorithm."

Oct. 23. Microsoft issues a rare emergency patch for the RPC-DCOM vulnerability disclosed, and exploited by, the $37 malware kit.

Oct. - early Nov. Isolated "gimmev" attacks unfold against unpatched PCs in Asia. Sunbelt Software reverse engineers one of the early attacks-in-the-wild. Sunbelt researcher Eric Sites discovers that gimmev installs a new Dynamic Link Library, or DLL, so that the next time the owner restarts his or her PC, a malicious Trojan takes root and continually runs in the background. Every 10 minutes, it copies all registry information, all logons stored by the Web browser and a bunch of other information and sends it back to the attacker.

Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs. "If other bad people find out how to use this, we're big trouble," Sites predicts. "A Blaster-type worm could be created very easily, and wreak havoc."

Nov. 20. Conficker A, a self-replicating worm that scans Internet-wide for other unpatched PCs to infect, begins to spread.

Nov. 26. Conficker A's "domain generation algorithm" activates. Infected PCs begin trying to contact a different set of 250 web domains daily for further instructions.

late Nov. Security firm Damballa issues a Conficker A census: 500,000 infected machines.

Dec 1. Conficker A-infected machines check in at trafficconverter.biz, following instructions hard-coded into Conficker. "This was not part of the domain generation algorithm," says F-Secure's Patrik Runald. "It attempted to do a download but the file wasn't there."

Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup.

Dec. 24 -Dec. 27. Research firm SRI issues Conficker A census: 1.5 million infected machines.

late Dec. Conficker B begins spreading. It incorporates the MIT MD6 hashing algorithm to obscure all communications moving between infected PCs and the rendezvous points. This is done to prevent rival botnet groups from taking control; it also prevents security firms from inserting instructions to disinfect PCs.

Jan. 1. Conficker B initiates its own domain generation logic; infected PCs begin checking in at different sets of 250 rendezvous points.

Jan. 15. MIT discloses a security hole in its cutting-edge MIT MD6 hashing algorithm and also delivers the patch. This means the coding used to obscure communications in Conficker A and Conficker B, unless patched, is vulnerable to hacks.

mid Jan. to early Feb. Conficker A and Conficker B population of machines explodes, grabbing news headlines.

Feb. Conficker B++ begins spreading; it adds new ways to spread, as well as new techniques to preserve infected PCs.

Feb. 12. Microsoft forms the Conficker Cabal; offers $250,000 bounty.

mid Feb.-Mar. The Cabal works to stop PCs from connecting to the daily list of 250 rendezvous points. This is accomplished by registering the known set of Conficker A and Conficker B domains, at least those that aren't already registered.

Mar. 5. Conficker C begins updating all PCs infected with Conficker B and B++. Conficker C halts the Internet-wide scanning; it organizes the infected PCs into P2P networks; and it also embeds instructions for each infected PC, on April 1, to begin checking a random group of 500 rendezvous points selected from 50,000 domains. Finally, Conficker C also patches the security hole in the MIT MD6 hashing algorithm.

Apr. 1. All PCs updated with Conficker C are scheduled to begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions.
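
The daily rendezvous-point polling the timeline describes is also what a defender can look for on a recursive resolver: a single host trying hundreds of distinct names in one day, most of which fail to resolve because nobody registered them. The detector below is an added example written for this thread, not code from the article, the forum poster, or any Conficker analysis. Its log line format is an assumption, the sample lines are constructed, and the names it generates for the polling host are placeholders, not the output of the worm's real domain generator.

```python
from collections import defaultdict

# Constructed sample resolver log (not from any real capture).
# Assumed line format: "<ISO timestamp> <client IP> <queried name> <rcode>"
NORMAL_LINES = [
    "2009-03-31T08:01:02 10.0.0.5 www.example.com NOERROR",
    "2009-03-31T08:02:10 10.0.0.5 mail.example.com NOERROR",
    "2009-03-31T08:03:44 10.0.0.5 wwww.example.com NXDOMAIN",  # one user typo
    "2009-03-31T09:15:00 10.0.0.5 update.example.org NOERROR",
]


def constructed_polling_lines(client="10.0.0.9", day="2009-03-31", count=250):
    """Constructed lines for one host that looks up `count` distinct,
    unregistered names in a day, the pattern the timeline describes.
    The names are placeholders, not any real generator's output."""
    lines = []
    for i in range(count):
        hh, mm = divmod(i, 60)
        name = f"rendezvous{i:03d}.example.net"
        lines.append(f"{day}T{hh:02d}:{mm:02d}:00 {client} {name} NXDOMAIN")
    return lines


def parse_line(line):
    """Split one log line into (day, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return ts[:10], client, qname.lower().rstrip("."), rcode


def summarize(lines):
    """Per (day, client): total queries and the set of distinct NXDOMAIN names."""
    stats = defaultdict(lambda: {"total": 0, "nx_names": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        day, client, qname, rcode = parse_line(line)
        entry = stats[(day, client)]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nx_names"].add(qname)
    return stats


def flag_rendezvous_pollers(lines, min_unique_nx=100, min_nx_ratio=0.5):
    """Return {(day, client): unique NXDOMAIN count} for hosts that resolved
    at least `min_unique_nx` distinct non-existent names in one day and whose
    failed lookups make up at least `min_nx_ratio` of all their queries.
    A handful of typos never crosses the first threshold; a host walking a
    daily list of hundreds of mostly unregistered domains does."""
    flagged = {}
    for key, entry in summarize(lines).items():
        unique_nx = len(entry["nx_names"])
        ratio = unique_nx / entry["total"] if entry["total"] else 0.0
        if unique_nx >= min_unique_nx and ratio >= min_nx_ratio:
            flagged[key] = unique_nx
    return flagged


if __name__ == "__main__":
    log = NORMAL_LINES + constructed_polling_lines()
    for (day, client), n in sorted(flag_rendezvous_pollers(log).items()):
        print(f"{day} {client}: {n} distinct NXDOMAIN names")
```

The NXDOMAIN ratio is the rule's weak point: once defenders register or sinkhole the day's domains, as the timeline says the Cabal did, those lookups succeed and this rule goes quiet. Pair it with an alert on any client that resolves a name from the sinkholed list, which is the more direct signal once the domains are in the defenders' hands.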
 

James Bond

Diamond Member
Jan 21, 2005
6,023
0
0
We've been studying up a lot for this one. Of course our main Sys Engineer is gone this week, and I'll be out most of Tues and Wed...

Could get ugly.
 

James Bond

Diamond Member
Jan 21, 2005
6,023
0
0
Originally posted by: ElFenix
so what does this all mean?

There are hundreds of thousands of PC's around the world infected. At this moment, they are all standing by.

On April 1, they begin querying botnet websites for further instructions.

Anyone's guess, at that point. Could be bad.
 

Crono

Lifer
Aug 8, 2001
23,720
1,501
136
Originally posted by: ElFenix
so what does this all mean?

It sounds like war. Good guys versus bad guys.
http://lastwatchdog.com/debate...oning-hom-april-fools/

The Microsoft-led group of defenders, known as the "Conficker Cabal" has been locking down many of these domains so the bad guys cannot use them to send instructions to infected PCs. Though Microsoft did not invite SecureWorks to be part of the Cabal, Stewart says that the Cabal ought not be underestimated.

I hope the magicks of Microsoft's wizards will be enough to defend us.
All praise the Cabal.
 

Hacp

Lifer
Jun 8, 2005
13,923
2
81
We could just shut down the internet for a whole day. Then the hackers' plans will be foiled!
 

Aikouka

Lifer
Nov 27, 2001
30,383
912
126
The biggest question on my mind... will the next version be called Conficker C++ or C#? :Q
 

Kev

Lifer
Dec 17, 2001
16,367
4
81
Originally posted by: James Bond
Originally posted by: ElFenix
so what does this all mean?

There are hundreds of thousands of PC's around the world infected. At this moment, they are all standing by.

On April 1, they begin querying botnet websites for further instructions.

Anyone's guess, at that point. Could be bad.

Conficker becomes self aware. In a panic, they try to pull the plug.
 

Demon-Xanth

Lifer
Feb 15, 2000
20,551
2
81
Watch, it ends up ejecting CDs and has a message saying "Here's your free cup holder." Culminating in the world's greatest april fools prank ever.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
On April 1st, all infected PCs will display a flashing text window stating "APRIL FOOLS!!!!111oneone"

and then the world will enter into panic, awaiting what comes next. And then nothing. For years. If ever.

That would be a hilarious virus. :D
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,389
8,160
126
All I can say is that anyone who has dealt with this thing in any measurable capacity knows that it's a miserable bitch of a bug and able to bring an enterprise network to its knees with very little effort.

I'm not looking forward to 4-1-09.
 

DAGTA

Diamond Member
Oct 9, 1999
8,175
1
0
Cyber terrorism? Seems a bit more advanced than your usual basement hacker.
 

DAGTA

Diamond Member
Oct 9, 1999
8,175
1
0
Originally posted by: vi edit
All I can say is that anyone who has dealt with this thing in any measurable capacity knows that it's a miserable bitch of a bug and able to bring an enterprise network to its knees with very little effort.

I'm not looking forward to 4-1-09.

I agree
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
Originally posted by: Atomic Playboy
They're going to discover it's just some kid going for the most elaborate April Fool's Day prank ever.
Originally posted by: destrekor
On April 1st, all infected PCs will display a flashing text window stating "APRIL FOOLS!!!!111oneone"

and then the world will enter into panic, awaiting what comes next. And then nothing. For years. If ever.

That would be a hilarious virus. :D
Yeah, the Conficker Cabal failed to notice that there was a comment block starter on one line, indented way to the right so as to avoid notice.
All the "malicious code" is actually commented out, except for the embedded "FLASH: APRIL FOOLS!!!" section.
:laugh:
Originally posted by: randay
is that why some guy asked me this morning if i knew who john connor was?
No, of course not. There is nothing unusual going on. Please continue to live your life normally. Thank you, and have a nice day. End communication.