SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Feeling Conflicted about Conficker?

UPDATE:  Nothing significant to report (yet).  We had several readers contact us over the past 24 hours with some minor impact but so far no reports of anything newsworthy.  Many organizations have been proactive about scanning their systems and finding either unpatched or Conficker-infected computers that were subsequently removed for repair.  One reader reported that there might have been some impact on a domain controller due to Conficker brute-force password cracking efforts.  The Conficker Working Group is working overtime to contact owners of netblocks that show signs of Conficker infections.  Their website has been unavailable at times due to lots of interest, which I suppose is a good thing.  If you are patient it will eventually load. also suffered DoS conditions for a while when the updated nmap version was released.  Overall, this exercise has raised a lot of awareness and it's been a good opportunity for organizations to review their patching and compliance procedures.  It's also a good reason to search for and protect any embedded systems running older versions of Windows that cannot be easily updated or replaced.

In just a few minutes it will be April 1st at the International Date Line.  Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen.  There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to "help" those who are confused.  There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers.  Our official Conficker page is at, that's where we have links to all of the software and analysis that we know is trustworthy.

As always, we want to remind our readers that if you are doing what everybody considers to be best business practices (firewalls, unneeded services turned off, systems patched, current antivirus software, user education and awareness, good policies, an incident detection and response mechanism, etc.) then you have very little to worry about.

If you detect anything NEW with respect to Conficker over the next 24 hours please let us know via our contact page.  We'll sound the alarm should something bad happen.  Otherwise, back to work and Happy April Fool's Day!!

Marcus H. Sachs
Director, SANS Internet Storm Center


301 Posts
ISC Handler
Mar 31st 2009
Hysterical staff await Downadup.

32 Posts
Personally I prefer Mr. Thurrott's article title "Conficker: World Prepares for April Fools Attack"

Can that be read more than one way? Yessiree.

Did anyone consider the configuration Ficker to actually be the result of sysadmins meddling with settings to block this pup?

57 Posts
I expect all Windows computers to have their default language set to Klingon tomorrow when they reboot...
I thought Alan Paller did a good job of hitting the facts for the TV interview.
