Conficker Statistics post April 1st

This weekend we found an interesting pattern when we polled our system-wide QualysGuard statistics around the Conficker vulnerabilities.

Since early February MS08-067, the critical Windows vulnerability that Conficker initially used to infect machines, has been oscillating between the 20 % and 40 % mark, but in general hovering around the 35 % barrier. Then on March 30th, driven by the media coverage around the April 1st wake-up date for the Conficker.C variant and the availability of the QualysGuard remote detection for Conficker, which we released that day, our scanning numbers went through the roof as customers scanned their networks for the presence of the worm.

It is encouraging that the overall numbers for Conficker infections within enterprise networks are in the low single digit percent range – we are assuming that protection by corporate firewalls kept the initial attack vector in check until patching could be performed and other secondary defense mechanisms such as anti-virus and anti-malware were updated.

The interesting pattern however is the drop in the detection rate of the MS08-067 vulnerability starting April 4th. It seems that all the media attention made IT admins either look closer or start looking at all at the underlying problem and apply the fix, as we see a reduction of 25 % in detections which is only comparable to the drop when MS08-067 was first announced.