All Posts

33 posts

Conficker Worm: 30% Still Infected

Qualys estimates that about 30 percent of Windows-based computers remain vulnerable to infection because they have not been updated with the patch.


In December 2008, Qualys' customers performed scans on over 9 Million IP addresses. There is some duplication as some customers scan multiple times in a given month, but the majority of customers are on a 30 day cycle in their scan schedules. The majority of these scans are against Windows machines as they are the most prevalent in our customers' networks. It is safe to say that data is based on Millions of IP addresses scanned.

Conficker Worm Explained

What class of virus is it and have you seen something like it before?
This worm is a sophisticated piece of software, beyond exploiting MS08-067 it uses a number of other techniques to propagate, i.e. network shares and removable media such as USB thumb drives. It has a variety of interesting mechanisms to trick the user into executing it, such as changing the icon and message in the autorun dialog. It also uses an innovative way to assure that its control channel, where it receives its commands from, is not shutdown. It contacts a large number of dynamically named URLs for commands, making it harder to shut down the worm down. It is definitely a intelligently designed worm, demonstrating that worm writers are constantly innovating to keep their business moving.
Why is it so pervasive when the vector was supposedly patched by Microsoft?
Our scanning data indicates that many machines are not patched yet, even 2 months after the release of the patch by MSFT. We derive our numbers from enterprise customers and SMB, but in areas where non-licensed machines are in use the ratio of unpatched machines must significantly higher due to the difficulty of getting and installing patches and the fear of detection.
Is the security community responding fast enough to the threat?
The security community is doing excellent work around that vulnerability and the exploiting worm. But overall IT is not reacting fast enough, as our data reveals and as can be seen by the extent of the damage that the worm is doing. Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects.

In general, we suggest providing general comments to the above questions hinting towards the patching data only to substantiate your claims since the last comments we provided him were very data specific.

Conficker Worm: Patching is Not Fast Enough

In our statistical data for MS08-067 we see it being patched at about the same rate as other critical patches. Over 50% of all machines are patched after approximately 30 days. After that period we see the patch rates go down and the overall number of machines that are attackable only slowly diminishing.  Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later.

We would have liked to see a faster reaction by the computer users given the significance of the patch but there still seems to be a barrier to reach everybody and make them understand the urgency of patching.