Conficker: 15 Million Machines, One Unpatched Windows Vulnerability

The Conficker worm exploited a Windows buffer overflow (MS08-067), infected an estimated 15 million computers — including military networks in France, Germany, and the UK — and created a resilient botnet whose true purpose was never conclusively determined.

Global Windows Networks·2008·2 min read

Background

Microsoft released a critical out-of-band patch (MS08-067) in October 2008 for a buffer overflow in Windows Server Service. The patch was urgently deployed but millions of machines — particularly in enterprise and government networks — remained unpatched. Conficker began spreading within weeks.

The Attack

Conficker.A exploited MS08-067 to spread autonomously over networks, and also spread via USB drives and network shares with weak passwords. Later variants (B, C, D, E) added increasingly sophisticated defences: they blocked access to security vendor websites, disabled Windows Automatic Updates, used a domain generation algorithm (DGA) producing 50,000 candidate domains per day to make C2 blocking impractical, and used peer-to-peer communication between infected machines. Conficker reached nuclear submarines, French military aircraft, UK Ministry of Defence networks, and hospital systems.

Response

Microsoft formed the Conficker Working Group — an unprecedented public-private partnership of antivirus companies, domain registrars, and ICANN — to sinkhole Conficker's domain generation algorithm. The group registered thousands of generated domains to prevent them from being used for C2. The botnet was never fully activated for an obvious criminal purpose, leading to speculation that it was a nation-state tool.
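As an added illustration (not part of the original article, and not Conficker's actual algorithm), the following Python constructs a hypothetical date-seeded DGA to show the two properties the Attack and Response sections describe: each day yields a fresh set of domains, so a static blocklist is useless, while anyone who knows the algorithm and seed can pre-compute the day's domains, sinkhole them, and match DNS query logs against them. The seed, domain format and log lines are all constructed for the example.

```python
import hashlib
from datetime import date

# Hypothetical date-seeded DGA, constructed for this example. It is NOT
# Conficker's real algorithm; it only reproduces the property defenders used:
# knowing the algorithm and the date lets you enumerate the same candidate
# domains the bots will try, before they try them.
def toy_dga(day: date, count: int, seed: bytes = b"example-seed") -> list[str]:
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        tld = (".com", ".net", ".org")[digest[10] % 3]
        domains.append(label + tld)
    return domains

def sinkhole_set(day: date, count: int = 50_000) -> set[str]:
    """The day's candidate domains, i.e. what a registrar would pre-register."""
    return set(toy_dga(day, count))

def detect_dga_queries(log_lines, sinkholed):
    """Match DNS log lines of the form '<ts> <client_ip> <qname>' against the
    day's sinkhole set and return the (client_ip, qname) pairs that hit it."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in sinkholed:
            hits.append((client, qname))
    return hits

def daily_overlap(day_a: date, day_b: date, count: int = 50_000) -> int:
    """Domains two days have in common (effectively none), which is why a
    blocklist built from yesterday's queries does not help tomorrow."""
    return len(set(toy_dga(day_a, count)) & set(toy_dga(day_b, count)))

# Constructed DNS log for an arbitrary day; one query is a planted DGA domain.
SAMPLE_DAY = date(2009, 1, 15)
PLANTED = toy_dga(SAMPLE_DAY, 100)[42]
SAMPLE_LOG = [
    "2009-01-15T10:00:01 10.0.0.5 www.example.com",
    f"2009-01-15T10:00:02 10.0.0.7 {PLANTED}",
    "2009-01-15T10:00:03 10.0.0.9 update.example.org",
    "not a well-formed log line",
]
```

Running `detect_dga_queries(SAMPLE_LOG, sinkhole_set(SAMPLE_DAY, 100))` flags only the planted query, and `daily_overlap` between two consecutive days returns 0.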

Outcome

Conficker infected an estimated 15 million machines at its peak in 2009 and had approximately 1–2 million still infected as late as 2015. It pioneered domain generation algorithms, peer-to-peer C2, and botnet resilience techniques that became standard in subsequent malware. The Conficker Working Group set a precedent for public-private partnerships in botnet disruption.

Key Takeaways

  1. Critical Windows patches must be deployed within days, not months — Conficker specifically targeted the delay window
  2. USB drives are a significant infection vector, even in organisations where network patching is current
  3. Domain generation algorithms make traditional blacklist-based botnet disruption ineffective
  4. Public-private partnerships between security vendors, registrars, and ICANN can disrupt botnet C2 at scale