Dr. Dobb's is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Channels ▼


Bad Behavior: The Conficker Worm

Erin Earley is editor of the Lavasoft News. Courtesy of Lavasoft.

It was hard to miss the headlines in March and April bringing news on Conficker, the computer worm that has received extensive media coverage, due in part to Microsoft's offer of a $250,000 bounty in return for information leading to the arrest of the malware's perpetrators. April 1, the highly anticipated date for the Conficker botnet's activation, passed by without the activation of the Armageddon-like payload that some reports touted. Yet, Conficker continues to be a threat the world is watching. Keep reading to find out what exactly Conficker is and how you can avoid it -- with information straight from the experts at Malware Labs at the online security company, Lavasoft.

Conficker, which is also known as Downup, Downadup, and Kido, is a worm that originally surfaced in the end of 2008, when it began exploiting a vulnerability in Microsoft Windows. (That means, if you update your PC with the latest security patches and keep your anti-malware software up-to-date, you have taken the necessary precautions to stay safe from this threat). Infected machines become part of a botnet which, theoretically, can be used for anything from propagating spam to denial of service attacks to pushing rogue anti-malware applications.

It was speculated in some reports that on April 1, when the malware was scheduled to check for updates, it would activate, creating havoc and damaging millions of machines. While April 1 passed quietly, the threat posed by Conficker still exists; the botnet of millions of infected PCs is capable of carrying out criminal commands, in order to make a profit for its creators. In fact, mid April saw the first attempts at this, with machines in the botnet being used to send spam and run rogue security software.

Whether or not Conficker's bad behavior matches up with the media hype surrounding it has been a subject of debate. What security researchers do know is that its reach is pervasive, the malware itself is crafty, and analysts have not had a clear handle on the full scope of what the creators have planned. "From our perspective here at Lavasoft Malware Labs, Conficker has proven to be one of the more sophisticated pieces of malware," says Andrew Browne, Lavasoft malware analyst and Malware Labs team leader.

According to Lavasoft Malware Labs, Conficker attempts to avoid being reverse engineered by employing various obfuscation techniques. It displays classic malware behavior. Once a machine is infected, Conficker scans for the presence of a firewall. If a firewall exists, the malware asks the firewall to open a backdoor to download more malware. Conficker also attempts to disable various anti-virus applications it finds on the machine and block access to security websites. The botnet of infected PCs is made up of several million machines (estimates range from 3 to 12 million).

How does Conficker worm its way onto computer users' PCs? Conficker propagates by exploiting:

  • A known vulnerability in the Windows Server service, the MS08-067 vulnerability.
  • Weak passwords. Home and corporate networks are exposed to a brute force password attack using commonly used passwords.
  • USB devices. The worm copies itself as the autorun.inf file onto the device which is executed every time the compromised USB device is inserted into a PC.

Winning Strategies

There are three specific steps that computer users can take to mitigate their chances of infection:

  1. Check for and install Windows updates. Once the latest updates have been installed, set your PC to automatically download and install these updates. The patch that fixed the MS08-067 vulnerability was published in October 2008 yet Conficker continues to thrive, meaning people are still not in the habit of installing security updates.
  2. Ensure all passwords, especially for network drive shares, are not easily guessable.
  3. Disable the Autoplay function. Instructions can be found on Microsoft's Help and Support pages.

Needless to say, users should also make sure to regularly update anti-virus and anti-spyware software with the latest threat updates.

Another point to keep in mind: repercussions of the media blitz surrounding Conficker has meant that computer users are especially sensitive to the threats posed by malware; rogue security software creators have been quick to capitalize on Conficker's extensive media coverage by offering products claiming to remove Conficker. While it's important to be aware of the latest online threats and stay proactive to keep them off of your system, blindly relying on security software will not necessarily keep you safe. For more facts on Conficker, including a simple test you can use to check for infection, visit the Conficker Working Group website, a site set up by industry experts to help combat the threat.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.