The Conficker worm, three years and counting

Filed Under: Featured, Malware, Vulnerability

Conficker Sun newspaper story, March 2009

This week marks the third anniversary of the first in-the-wild samples of Conficker appearing on the internet. If you recall, Conficker is the most recent widespread network worm; it began spreading to millions of unpatched PCs in 2008.

The first samples, detected at the virus testing service VirusTotal, were spotted in SophosLabs on November 21, 2008. The worm spread by exploiting a buffer overflow vulnerability in the Windows Server service.

The flaw was patched by Microsoft on October 23, 2008, 29 days before Conficker began its assault.

Conficker AutoPlay dialog

In January of 2009 Conficker began aggressively spreading through USB removable media devices using the Windows AutoRun/AutoPlay functionality. This resulted in many more millions of computers becoming infected, causing quite a lot of panic among the media and IT communities.

It is estimated that at its peak Conficker infected more than 11 million PCs globally. That is an astoundingly large figure.

Now that we are three years down the road, why am I writing about this?

Top 5 cloud lookups for November 24, 2011

As of today Conficker is still the largest network threat in the world.

We still see Conficker dominate the cloud lookups from Sophos customers with more than 4 million queries in the last year from more than 1 million unique computers.

Worse than that, the Conficker Working Group, which tracks the number of unique IP addresses on the internet that are infected with Conficker, estimates that 3,250,000 computers are still infected. This is down from 5,000,000 in December 2010.

Conficker infection chart for 2011

I often attend security conferences and hear so-called security experts pooh-pooh the idea that patching is all that important of a strategy for preventing infection.

While it is true that many of today's threats are socially engineered Trojans, Conficker is a shining example of how bad we are at patching our systems. In the screenshot above, the other threat is CpLink, the shortcut flaw discovered in Stuxnet and patched 15 months ago.

Even the AutoPlay/AutoRun functionality of Windows was turned off by Microsoft in February of 2011.

Echoing Carole's Thanksgiving message to help our friends and family with their computer security when spending time together over the holidays, don't forget to make sure their Windows/OS X/Linux/Android/iOS devices are patched and up to date and ensure they are not part of the Conficker army.

I would like to thank Mike Wood in SophosLabs Canada for his help gathering all the latest information on Conficker and clearing out some of the cobwebs for this article.


9 Responses to The Conficker worm, three years and counting

  1. Alex T. · 1072 days ago

    How do people remove Conficker from their computers? As you mentioned, updating the OS and getting all security patches are important, but will that remove Conficker? Will any anti-virus program or scanner remove it or is there a specific removal tool/procedure?

    I ask because it might help people who ARE infected with Conficker if there were specific instructions on how to remove it.

  2. MadDog · 1067 days ago

    I got hit by it last month.
    All of the computers in the company (100+) were somehow infected. It took us a lot of time to patch and clean them.
    That made me think of the importance of patching every computer in the network.

  3. Tim · 1067 days ago

    Does it hit Macs?

  4. allanmount · 1067 days ago

    Can I run the removal software even if my PC is not infected?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.