Conficker is a computer worm first detected in October 2008 that, per MITRE ATT&CK, targeted Microsoft Windows using the MS08-067 vulnerability to spread. It infected millions of machines worldwide, spread via removable drives and weak network shares, and disabled security updates and tools. In 2016 a variant reportedly reached computers and removable drives at a nuclear power plant, illustrating its persistence.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1210 T1547.001 T1547.010 T1571
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_CONFICKER {
meta:
description = "Detects Conficker (worm)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "conficker" ascii wide nocase
$s2 = "conficker" ascii wide nocase
$s3 = "downadup" ascii wide nocase
$s4 = "kido" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Conficker Activity
id: 03d677c60b43723438a5bbfb2ac2910f
status: experimental
description: Detects generic indicators of the conficker malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*conficker*"
- "*conficker*"
- "*downadup*"
- "*kido*"
condition: selection
level: mediumCISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2009/03/29/conficker-p2p-worm
A computer worm first detected in October 2008 that spread using the Windows MS08-067 vulnerability and infected millions of machines.
Through the MS08-067 Windows vulnerability, removable USB drives, and weakly protected network shares.
It disabled security services and updates, spread through multiple methods, and used domain-generation to locate command servers.
Yes; MITRE notes a variant reached systems at a nuclear power plant as late as 2016, showing how long it persisted on unpatched machines.
Applying the MS08-067 patch and disabling autorun on removable media addressed its main infection routes.
It is also known as Downadup and Kido.
MITRE ATT&CK's Conficker entry (S0608), linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/conficker.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.