One in 10 systems still vulnerable to Conficker

Security vendor Qualys has found that a higher-than-usual proportion of businesses still have not installed Microsoft's 2008 emergency patch
Written by Matthew Broersma, Contributor

Ten percent of Windows computers still have not been patched for the Conficker worm, according to new research from security vendor Qualys.

The company's figures, collected at the beginning of April, found that about 25 in 1,000 of the systems it monitored were infected by the Conficker worm, Qualys chief technology officer Wolfgang Kandek said on Friday. The company, which provides vulnerability management, gathered the data from hundreds of thousands of its customers' systems.

Conficker, also known as Downadup, shuts down security services, blocks computers from connecting to security websites and downloads a Trojan. The worm caused widespread concern about a year ago, when security researchers revealed that it was programmed to begin connecting to 50,000 different domains on 1 April, 2009, to receive updated copies or other malware.

The worm exploits a bug in the service Windows uses to connect to file and print servers. The hole was patched by an emergency update from Microsoft, known as MS08-067, in October 2008. But despite the urgency of the update and the media interest around the worm, Qualys found that the proportion of machines remaining unpatched is relatively high.

On average, the percentage of systems unpatched for a given vulnerability — what Qualys calls the 'persistence' — stabilises at about 7 or 8 percent. One in 10, as is currently the case with Conficker, is on the high end of the scale, according to Kandek.

Qualys's data show that a year ago, the persistence level was at about 20 percent. On the other hand, the number of infected machines detected has remained flat over the past year, at about 25 per 1,000 systems.

Conficker-infected machines are believed to form a large botnet that can be used to relay spam or conduct distributed denial-of-service (DDoS) attacks, but the worm has also had a more direct effect on infected machines. In February, for instance, Conficker hit Greater Manchester Police computers, leaving the force without direct access to central police systems. Last year, infections included parliamentary systems and five hospitals in Sheffield.

F-Secure has warned that the worm can spread via USB drives as well as over networks. The worm also installs malware that masquerades as antivirus software.

Experts advise using the Conficker Eye Chart or the Conficker Online Infection Indicator site from the University of Bonn to find out whether a computer is infected.
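As an added example (not from the article, Qualys, or the authors of the Eye Chart), the script below mirrors the approach the article describes: Conficker blocks connections to security websites, so a host that can reach ordinary sites but none of several security vendors' sites is a candidate for closer inspection. The site lists are constructed for illustration, and the comparison cannot distinguish the worm from a corporate web filter, so a "suspect" result is a prompt to run a proper scanner, not a diagnosis.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed lists for illustration (assumption, not the article's data):
# vendors the article mentions versus neutral control sites.
SECURITY_SITES = [
    "https://www.microsoft.com/",
    "https://www.f-secure.com/",
    "https://www.qualys.com/",
]
CONTROL_SITES = [
    "https://example.com/",
    "https://www.iana.org/",
]


def reachable(url: str, timeout: float = 5.0) -> bool:
    """True if the host answers at all; an HTTP error still proves the
    name resolved and a connection was made, which is what matters here."""
    try:
        urllib.request.urlopen(url, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError):
        return False


def classify(results: Dict[str, bool],
             security: List[str], control: List[str]) -> str:
    sec_ok = sum(results[u] for u in security)
    ctl_ok = sum(results[u] for u in control)
    if ctl_ok == 0:
        return "no-connectivity"   # network down or proxy: cannot tell
    if sec_ok == 0:
        return "suspect"           # only security sites fail: investigate
    if sec_ok < len(security):
        return "partial"           # some fail: could be a filter, look closer
    return "clean"


def check(fetch: Callable[[str], bool] = reachable,
          security: List[str] = SECURITY_SITES,
          control: List[str] = CONTROL_SITES) -> str:
    """Probe every site with `fetch` (injectable so it can be tested offline)."""
    results = {u: fetch(u) for u in security + control}
    return classify(results, security, control)


if __name__ == "__main__":
    print(check())
```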
