What is Kido? Kido (
aka Conficker or Downadup) was first detected in November 2008 as a worm which spreads across local networks and removable storage media. The latest generation of Kido is unable to spread by itself, but like earlier variants, it can update itself by downloading additional code.
Kido has created a powerful botnet of infected machines. It was programmed to update itself on 1st April 2009, and the latest generation of this program is designed to generate 50,000 domain names according to a random algorithm, and then choose 500 of these domains which it can potentially contact to update itself. Kido uses very sophisticated technology. It downloads updates from constantly changing online resources; uses P2P networks as an additional source of downloads; uses strong encryption to prevent interference with its command and control center; and prevents antivirus products from receiving updates.
It remains unclear why the Kido botnet has been created, and how it may be used in the future.
Why is Kido a threat?
The huge botnet formed by computers infected by Kido potentially provides cybercriminals with the means to conduct mass DDoS attacks on any Internet resource, to steal confidential data from infected computers and to distribute unsolicited content (e.g. mass spam mailings). It is believed that around five to six million computers around the world are infected by Kido.
Kido initially spread via local networks and removable storage devices. Specifically, it exploited the critical MS08-067 vulnerability patched by Microsoft back in October 2008. However, it’s believed that a significant number of PCs had not been patched by January 2009 when the spread of Kido reached a peak.
To date, security researchers have discovered the following variants of the worm in the wild.
Win32/Conficker.A was reported to Microsoft on November 21, 2008.
Win32/Conficker.B was reported to Microsoft on December 29, 2008.
Win32/Conficker.C was reported to Microsoft on February 20, 2009.
Win32/Conficker.D was reported to Microsoft on March 4, 2009.
Win32/Conficker.E was reported to Microsoft on April 8, 2009.
Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option.
The Conficker worm can also disable important services on your computer.
In the screenshot of the Autoplay dialog box below, the option Open folder to view files — Publisher not specified was added by the worm. The highlighted option — Open folder to view files — using Windows Explorer is the option that Windows provides and the option you should use.
If you select the first option, the worm executes and can begin to spread itself to other computers.