Skip to Content

Conficker: Frequently asked questions

What is Conficker?
Conficker, also known as Downadup, is a form of malicious Internet software program known as a worm. Worms are designed to infect computers and then spread to other computers. Conficker is a two-stage worm. The first stage infects a computer and makes it part of a network of host machines, then waits for instructions from the second stage of the worm.

Such a network is known as a botnet, with the infected computers that are part of it are known as zombies. All the infected systems within a botnet can be controlled by a so-called “bot-herder” and used for unlawful activities such as spamming, fraud and identity theft.

If security experts are aware of this threat, why hasn’t it been eliminated?
Conficker appears to be a sophisticated and evolving worm that employs a number of different techniques to compromise and infect computer systems. Since it was first detected late last year, its creators have developed three known variants, A, B and C, to counter efforts to stem its spread and reverse engineer its code. The global security community continues to deal with this threat and work to identify the parties behind it. CIRA is part of this effort.

What is Conficker attempting to do?
At present, it is not known what purpose the latest variant of this particular worm, Conficker C, is intended to serve. The first variant, Conficker A, appeared to attempt to download and install fraudulent antivirus software as its second stage, without much apparent success.

Where did it come from?
It is not known who created Conficker. Conficker was first detected by security experts in October 2008. It took advantage of a previously unknown vulnerability in a Microsoft operating system to spread itself across the world wide web. This vulnerability has been patched, but the worm has succeeded in infecting potentially millions of un-patched machines world wide.

What can I do to protect myself?
The best defence against Conficker or any other kind of malicious software is to ensure your computer system or network is protected by the most up-to-date antivirus software. Also, ensure you install the most recent security patches and updates for the operating systems and all the applications on your computers. In Conficker’s case, Microsoft issued an alert and a patch to eliminate the vulnerability exploited by the worm and commercial anti-virus applications swiftly followed with updates to identify and remove the worm. However, many computers continued to be infected because people did not act promptly, if at all, to download and install this patch, or because the applications on those computers were not legal copies and so generally were not covered by automatic security updates.

Where can I download the Microsoft security patch to block Conficker from my system?
For more information and to download the MS08-067 security patch from Microsoft, please visit http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Is there a tool I can download to detect and remove a Conficker infection from my system?
Microsoft does offer tools than can detect and remove some variants of the Conficker worm and also offers other helpful information to secure your system and inhibit the spread of the worm. For more information, please visit http://technet.microsoft.com/en-us/security/dd452420.aspx. Other commercial Internet security companies also offer tools that can be found on their websites.

What happens April 1 when Conficker activates?
The second stage of Conficker C is expected to activate April 1. At this time, infected computers may try to locate and communicate with the command computers that contain the instructions for whatever action this worm is intended to take. In an effort to shield their activities from Internet security authorities, Conficker C’s authors have programmed their worm to randomly generate domain names from 110 country-code domains around the world, including dot-ca.

How is Canada affected?
The Canadian dot-ca domain registry is one of 110 country-code domains around the world that have been targeted by Conficker C. CIRA has put in place a plan to counter this potential misuse of the dot-ca registry and to maintain its integrity as one of the most secure and robust domain registries in the world.

What is CIRA doing to mitigate this threat?
CIRA’s efforts include pre-emptively registering and isolating previously unregistered dot-ca domain names expected to be generated over the next 12 months by Conficker C. This move, which covers the vast majority of affected names during that period, will prevent registration of those domains by undesirable actors. In the small number of cases where the domain name has already been registered, CIRA will actively investigate and monitor activities at those domains and take appropriate action if suspicious activity is detected. For security reasons, CIRA is not willing to provide further details.

Why have dot-ca domains been targeted by Conficker?
The authors of Conficker have targeted 110 country-code domains worldwide presumably to test security responses and identify any weaknesses they might exploit in the future. CIRA’s response is intended to discourage future efforts of this nature.