Conficker

Category: worm · Aliases: Conficker, Downadup, Kido · Sample count (EMBER 2018): 11 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Conficker is a computer worm first detected in October 2008 that, per MITRE ATT&CK, targeted Microsoft Windows using the MS08-067 vulnerability to spread. It infected millions of machines worldwide, spread via removable drives and weak network shares, and disabled security updates and tools. In 2016 a variant reportedly reached computers and removable drives at a nuclear power plant, illustrating its persistence.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1210 T1547.001 T1547.010 T1571

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_CONFICKER {
    meta:
        description = "Detects Conficker (worm)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "conficker" ascii wide nocase
        $s2 = "conficker" ascii wide nocase
        $s3 = "downadup" ascii wide nocase
        $s4 = "kido" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Conficker Activity
id: 03d677c60b43723438a5bbfb2ac2910f
status: experimental
description: Detects generic indicators of the conficker malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*conficker*"
            - "*conficker*"
            - "*downadup*"
            - "*kido*"
    condition: selection
level: medium

References & External Analysis

Authoritative Advisory

CISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2009/03/29/conficker-p2p-worm

Frequently Asked Questions

What is Conficker?

A computer worm first detected in October 2008 that spread using the Windows MS08-067 vulnerability and infected millions of machines.

How did Conficker spread?

Through the MS08-067 Windows vulnerability, removable USB drives, and weakly protected network shares.

Why was Conficker hard to eradicate?

It disabled security services and updates, spread through multiple methods, and used domain-generation to locate command servers.

Is Conficker still around?

Yes; MITRE notes a variant reached systems at a nuclear power plant as late as 2016, showing how long it persisted on unpatched machines.

How is Conficker prevented?

Applying the MS08-067 patch and disabling autorun on removable media addressed its main infection routes.

What are Conficker's other names?

It is also known as Downadup and Kido.

Where is the authoritative reference?

MITRE ATT&CK's Conficker entry (S0608), linked on this page.

Related Families (Category: worm)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/conficker.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.