The Conficker worm, three years and counting


Conficker Sun newspaper story, March 2009

This week marks the third anniversary of the first in-the-wild samples of Conficker appearing on the internet. If you recall, Conficker is the most recent widespread network worm; it began to spread to millions of unpatched PCs in 2008.

The first samples, detected at the virus testing service Virus Total, were spotted by SophosLabs on November 21, 2008. The worm spread by exploiting a buffer overflow vulnerability in the Windows Server service.

The flaw was patched by Microsoft on October 23, 2008, 29 days before Conficker began its assault.

Conficker AutoPlay dialog

In January of 2009 Conficker began aggressively spreading through USB removable media devices using the Windows AutoRun/AutoPlay functionality. This resulted in many more millions of computers becoming infected, causing quite a lot of panic among the media and IT communities.

It is estimated that at its peak Conficker infected more than 11 million PCs globally. That is an astoundingly large figure.

Now that we are three years down the road, why am I writing about this?

Top 5 cloud lookups for November 24, 2011

As of today Conficker is still the largest network threat in the world.

We still see Conficker dominate the cloud lookups from Sophos customers with more than 4 million queries in the last year from more than 1 million unique computers.

Worse than that, the Conficker Working Group, which tracks the number of unique IP addresses on the internet that are infected with Conficker, estimates that 3,250,000 computers are still infected. This is down from 5,000,000 in December 2010.

Conficker infection chart for 2011

I often attend security conferences and hear so-called security experts pooh-pooh the idea that patching is that important a strategy for preventing infection.

While it is true that many of today's threats are socially engineered Trojans, Conficker is a shining example of how bad we are at patching our systems. In the screenshot above, the other threat is CpLink, which is the shortcut flaw discovered in Stuxnet and patched 15 months ago.

Even the AutoPlay/AutoRun functionality of Windows was turned off by Microsoft in February of 2011.
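Two of the conditions the article describes, the unpatched Server service and AutoRun left enabled on removable media, are things an administrator can audit on a Windows host in a few lines. The following is an added example, not code from the original article or from Sophos; it reads the documented NoDriveTypeAutoRun policy value (0xFF disables AutoRun for every drive type) and checks for an installed update. The KB identifier is a placeholder, since the article names only the patch date, not the update number; substitute the one your patch management tool reports for the October 2008 Server service fix.

```powershell
# Added example (not from the original article): audit a Windows host for the two
# Conficker exposure conditions discussed above. Run in an elevated PowerShell session.

# Documented policy locations for the AutoRun drive-type mask (machine and user scope).
$autoRunPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Placeholder: replace with the KB number of the Server service fix from October 2008.
$serverServicePatchId = 'KB<placeholder>'

function Get-AutoRunPolicy {
    # Returns one record per scope where the policy value exists.
    # A mask of 0xFF means AutoRun is disabled on all drive types.
    foreach ($path in $autoRunPolicyPaths) {
        $item = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $mask = [int]$item.NoDriveTypeAutoRun
            [pscustomobject]@{
                Scope       = $path
                Mask        = ('0x{0:X2}' -f $mask)
                AllDisabled = (($mask -band 0xFF) -eq 0xFF)
            }
        }
    }
}

function Test-ServerServicePatch {
    # Returns $true when the named update is present in the installed hotfix list.
    $hotfix = Get-HotFix -Id $serverServicePatchId -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

# Report: the absence of any policy record means Windows defaults apply, which on
# systems without the February 2011 update still allowed AutoRun on USB media.
$policies = @(Get-AutoRunPolicy)
if ($policies.Count -eq 0) {
    Write-Output 'NoDriveTypeAutoRun policy not set in either scope: AutoRun defaults apply.'
} else {
    $policies | Format-Table -AutoSize
}

if (Test-ServerServicePatch) {
    Write-Output "Server service update $serverServicePatchId is installed."
} else {
    Write-Output "Server service update $serverServicePatchId NOT found: host is exposed to the Conficker spreading vector."
}
```

Both checks are read-only, so the script is safe to run across a fleet through a remoting session or a scheduled task; the point is to turn the two facts in the article (a 2008 patch and a 2011 AutoRun change) into something you can verify on each machine rather than assume.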

Echoing Carole's Thanksgiving message to help our friends and family with their computer security when spending time together over the holidays: don't forget to make sure their Windows/OS X/Linux/Android/iOS devices are patched and up to date, and ensure they are not part of the Conficker army.

I would like to thank Mike Wood in SophosLabs Canada for his help gathering all the latest information on Conficker and clearing out some of the cobwebs for this article.