
S0608: Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[2]

Enterprise | S0608 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Conficker matters because it is an older Windows worm tied to MS08-067 that demonstrates how unpatched systems, SMB exposure, and removable media can keep legacy malware relevant long after first discovery. The ATT&CK relationships also connect it to availability and productivity impacts in ICS contexts, including a reported 2016 case involving computers and removable drives at a nuclear power plant.

Executive priority

Treat this as a resilience and hygiene test: can the organization prove legacy Windows vulnerabilities are remediated, SMB/admin share exposure is controlled, removable media use is governed, and critical operations are segmented from routine IT infection paths? For leaders, the value is not panic about Conficker specifically, but evidence that old wormable conditions cannot still disrupt operations, audits, incident response, or cyber-physical environments.

Technical view

For SOC, IR, and detection engineering teams, validate coverage around the supplied Windows behaviors and related techniques: SMB/Windows admin shares, exploitation of remote services, network service discovery, removable media replication, registry modification, service creation or modification, Run keys/startup persistence, ingress tool transfer, DGA-like command-and-control, and attempts to impair recovery or security tooling. Because ATT&CK provides no official detection text for this malware object, detections should be built from the related techniques and confirmed against local Windows, network, DNS, removable media, and endpoint telemetry.

Likely telemetry

  • Windows endpoint process, service, and registry events
  • SMB/admin share access logs and lateral movement evidence
  • Windows security events for remote logon and administrative share use
  • Network flow data showing scanning or service discovery behavior
  • DNS telemetry suitable for identifying unusual or algorithmic domain lookups

Detection direction

  • Confirm whether Windows hosts still expose SMB paths that could support lateral movement through admin shares or remote service exploitation.
  • Tune for combinations of scanning, SMB access, remote execution, registry modification, and Windows service persistence rather than relying on a single indicator.
  • Validate visibility for removable media use, especially in segmented, operational, or air-gapped environments where network controls may not see the initial transfer.
  • Use DNS monitoring to look for suspicious high-volume or patterned domain lookups consistent with DGA-related command-and-control behavior, while accounting for false positives from legitimate dynamic services.
  • Review alerting for attempts to disable, modify, or degrade security tools and recovery mechanisms, since related techniques include defense impairment and inhibit system recovery.
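As an added illustration of the DNS direction above (this is example code, not part of the Glexia analysis or the MITRE object), the following Python scores each client by how many distinct failed lookups it made for domains whose registrable label has high character entropy, and suppresses known dynamic services via a suffix allowlist. The log format, the thresholds, the allowlist suffix and every sample line are constructed assumptions; nothing here models Conficker's actual domain generation.

```python
"""Flag hosts whose DNS behaviour looks algorithmic: many distinct NXDOMAIN
answers for random-looking names. Added example; format and thresholds are
assumptions to be tuned against local resolver telemetry."""
import math
from collections import defaultdict

# Constructed sample resolver log: "timestamp client query rcode". Not real data.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.5.21 www.example.com NOERROR
2024-05-01T10:00:02Z 10.0.5.21 d1a2b3c4.cdn-example.net NOERROR
2024-05-01T10:00:03Z 10.0.5.21 mail.example.com NOERROR
2024-05-01T10:00:04Z 10.0.5.9 examplle.com NXDOMAIN
2024-05-01T10:00:05Z 10.0.5.44 qzkxwpalmvtb.org NXDOMAIN
2024-05-01T10:00:05Z 10.0.5.44 hgfdsrwqpoiu.net NXDOMAIN
2024-05-01T10:00:06Z 10.0.5.44 mnbvcxzlkjhg.info NXDOMAIN
2024-05-01T10:00:06Z 10.0.5.44 ytrewqasdfgh.biz NXDOMAIN
2024-05-01T10:00:07Z 10.0.5.44 plokmijnuhby.com NXDOMAIN
2024-05-01T10:00:07Z 10.0.5.44 zaqxswcdevfr.org NXDOMAIN
2024-05-01T10:00:08Z 10.0.5.44 www.example.com NOERROR
"""

# Suffixes of legitimate services that routinely use random-looking labels
# (constructed placeholder; populate from your own environment).
DYNAMIC_SERVICE_ALLOWLIST = ("cdn-example.net",)


def parse_dns_log(text):
    """Parse the constructed four-column format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; ~3.5 for twelve distinct letters."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Crude second-level label (assumption: no public-suffix list in this example)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def score_hosts(records, entropy_threshold=3.0, min_suspicious=5):
    """Count distinct failed, high-entropy lookups per client and flag outliers."""
    per_host = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        if r["qname"].endswith(DYNAMIC_SERVICE_ALLOWLIST):
            continue  # known dynamic service, reduce false positives
        if shannon_entropy(registrable_label(r["qname"])) >= entropy_threshold:
            per_host[r["client"]].add(r["qname"])
    results = {}
    for r in records:
        names = per_host.get(r["client"], set())
        results[r["client"]] = {
            "suspicious_nxdomain": len(names),
            "flagged": len(names) >= min_suspicious,
            "examples": sorted(names)[:3],
        }
    return results


if __name__ == "__main__":
    for host, info in score_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(host, info)
```

In production the per-client sets should be bucketed into a sliding time window (for example five minutes) so that a slow trickle of typos never accumulates to the threshold; the example omits windowing to stay short. A typo such as examplle.com scores low entropy and a single failure, so it is not counted.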

Mitigation priorities

  • Prioritize verification that Windows systems are patched against the MS08-067 vulnerability referenced in the official description, especially legacy and operational technology-adjacent assets.
  • Restrict and monitor SMB/admin share access, remote administration paths, and unnecessary network service exposure.
  • Enforce removable media controls, scanning, and approval workflows for environments with critical operations or disconnected systems.
  • Harden Windows persistence locations such as services, Registry Run keys, and startup folders with monitoring and change control.
  • Maintain segmentation between enterprise IT and critical operational environments to reduce the chance that IT malware creates ICS availability or productivity consequences.

Analyst notes and limits

This take is based on the supplied ATT&CK malware object for Conficker, its official description, external references, and listed relationships. The most decision-relevant context is the combination of Windows worm behavior, MS08-067, removable media replication, SMB/lateral movement, persistence, command-and-control, and ICS availability/productivity relationships.

ATT&CK provides no official detection text, no tactics directly on the malware object, and no aliases in the supplied object fields. Some related technique descriptions are generic or truncated, and several related technique platform lists extend beyond Windows; the malware platform supplied here is Windows. Local asset inventory, patch state, segmentation design, and telemetry availability are required to assess actual exposure or coverage.

Official MITRE ATT&CK definition

Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[1] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

13 rows
Domain | ID | Name | Relationship / procedure

Enterprise T1112 Modify Registry

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations. (Citation: SANS Conficker) (Citation: Trend Micro Conficker)

Enterprise T1543.003 Windows Service (sub-technique)

Conficker copies itself into the %systemroot%\system32 directory and registers as a service. (Citation: SANS Conficker)

Enterprise T1124 System Time Discovery

Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date. (Citation: SANS Conficker) (Citation: Trend Micro Conficker)

Enterprise T1021.002 SMB/Windows Admin Shares (sub-technique)

Conficker variants spread through NetBIOS share propagation. (Citation: SANS Conficker)

Enterprise T1547.001 Registry Run Keys / Startup Folder (sub-technique)

Conficker adds Registry Run keys to establish persistence. (Citation: Trend Micro Conficker)

Enterprise T1568.002 Domain Generation Algorithms (sub-technique)

Conficker has used a DGA that seeds with the current UTC victim system date to generate domains. (Citation: SANS Conficker) (Citation: Trend Micro Conficker)

Enterprise T1210 Exploitation of Remote Services

Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request. (Citation: SANS Conficker)

Enterprise T1027 Obfuscated Files or Information

Conficker has obfuscated its code to prevent its removal from host machines. (Citation: Trend Micro Conficker)

Enterprise T1046 Network Service Discovery

Conficker scans for other machines to infect. (Citation: SANS Conficker)

Enterprise T1685 Disable or Modify Tools

Conficker terminates various services related to system security and Windows. (Citation: SANS Conficker)

Enterprise T1490 Inhibit System Recovery

Conficker resets system restore points and deletes backup files. (Citation: SANS Conficker)

Enterprise T1091 Replication Through Removable Media

Conficker variants used the Windows AUTORUN feature to spread through USB propagation. (Citation: SANS Conficker) (Citation: Trend Micro Conficker)

Enterprise T1105 Ingress Tool Transfer

Conficker downloads an HTTP server to the infected machine. (Citation: SANS Conficker)
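The table lists several host-level behaviors (service registration under system32, Services and Run key changes, stopping security services, admin-share access) that are individually noisy but telling in combination, which is the point made under "Detection direction". As an added example that is not Glexia's or MITRE's code, the Python below maps constructed endpoint events to the technique IDs as listed in the table above and flags a host only when several distinct techniques co-occur. The event schema, the hostnames, the service watchlist and the scoring threshold are all assumptions to be tuned locally.

```python
"""Correlate multiple table behaviors per host instead of alerting on one.
Added example; event schema, watchlist and threshold are assumptions."""
from collections import defaultdict

# Constructed endpoint events (not real telemetry): flat dicts with a host,
# a kind, and kind-specific fields as a normalized EDR feed might emit them.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "service_installed", "name": "netsvchelper",
     "image": r"C:\Windows\system32\xyz123.dll"},
    {"host": "WS01", "kind": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\netsvchelper\Parameters"},
    {"host": "WS01", "kind": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netsvchelper"},
    {"host": "WS01", "kind": "service_stopped", "name": "wuauserv"},
    {"host": "WS01", "kind": "service_stopped", "name": "WinDefend"},
    {"host": "WS01", "kind": "smb_share_access", "share": r"\\FS02\ADMIN$"},
    {"host": "WS02", "kind": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"host": "WS03", "kind": "service_stopped", "name": "Spooler"},
]

# Example watchlist of security/update services whose unexpected stop matters
# (assumption: Windows Defender, Windows Update, BITS, Security Center; tune locally).
SECURITY_SERVICES = {"windefend", "wuauserv", "bits", "wscsvc"}


def classify(event):
    """Return the technique ID (as listed in the table) an event maps to, or None."""
    kind = event["kind"]
    if kind == "service_installed" and "\\system32\\" in event["image"].lower():
        return "T1543.003"  # new service registered from the system32 directory
    if kind == "registry_set":
        key = event["key"].lower()
        if "\\currentversion\\run" in key:
            return "T1547.001"  # Run key persistence
        if "\\currentcontrolset\\services\\" in key:
            return "T1112"  # Services hive modification
    if kind == "service_stopped" and event["name"].lower() in SECURITY_SERVICES:
        return "T1685"  # security tooling stopped
    if kind == "smb_share_access" and event["share"].upper().endswith(("ADMIN$", "C$")):
        return "T1021.002"  # administrative share use
    return None


def correlate(events, min_techniques=3):
    """Group technique hits per host; flag hosts showing several distinct techniques."""
    per_host = defaultdict(set)
    for e in events:
        technique = classify(e)
        if technique:
            per_host[e["host"]].add(technique)
    return {
        host: {"techniques": sorted(t), "flagged": len(t) >= min_techniques}
        for host, t in per_host.items()
    }


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, info)
```

Legitimate services also live under system32 and installers also write Run keys, so WS02's single Run key hit stays below threshold while WS01, which shows five of the table's techniques together, is flagged. The same correlation could be extended to removable-media file writes and backup deletion events (T1091, T1490) when that telemetry exists.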


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c553520e1c1b1110...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | c553520e1c1b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] SANS Conficker: Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
[2] Conficker Nuclear Power Plant: Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.
[3] Downadup (Citation: SANS Conficker)
[4] Kido (Citation: SANS Conficker)
[5] mitre-attack S0608

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.