7 Days Later : Confiker.C Wakes Up


Last week, on April 1st, a large proportion of the internet held it’s breath in anticipation as the Confiker worm failed to perform on it’s mooted April Fool’s Day time slot.



This led to a great deal of discussion on sites I visit, such as Twitter, where several different explanations were offered –

  • Some people suggested that Confiker was a hoax and posed no real threat at all
  • There was talk of the worm being created by anti-virus vendors in order to boost their sales
  • Mac fan-boys took the opportunity to say (wrongly) that viruses only affect Windows machines
  • A few people thought Confiker would still raise it’s head in the future

As I myself believed, the last of those options above would appear to be true – Confiker, aka Downadup, may well have entered a new stage in it’s lifecycle.


According to Trend Micro, Confiker began updating via peer-2-peer yesterday, passing around a new file in the process.

Researchers are still looking into the new software, which is heavily encrypted, but the commentary I’ve seen so far seems to indicate that it could be a keystroke logger or other similar program designed to steal personal and/or sensitive information from the computers on which it is installed.

Confiker’s ability to update via a P2P botnet rather than through HTTP is making it that much harder to contain.


Basic security measures, however, can go a long way to protecting you from this virus which relies upon unpatched Windows installations and the use of weak network controls.

Therefore, the following tips may help you avoid whatever nasty new surprises Confiker now has instore –


With the above in mind, are you concerned that your computer is infected by Confiker, or may become so in the future?

Please comment below and vote in the poll to the right.


Since I wrote this post there has been a new development in terms of Confiker’s payload, namely that it now appears to be geared towards anti-virus spam.

Kaspersky Labs’ report on the update determined that Confiker is now tempting those infected with the opportunity to buy a fake anti-virus product which, ironically, offers to remove malware.

All for the bargain price of $49.95.

Confiker also downloaded a previously identified email worm called Waledac which can steal passwords, as noted above.

Additionally, it is also capable of sending spam.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.


  1. I always thought the bottom line would be disruption or spam so this development surprised me somewhat.

  2. Saw the update: always had a feeling that the bottom line would be about money.

  3. It doesn’t appear to be conclusive that Confiker is behind those attacks but, if it is, would certainly be an interesting development.

  4. There’s a story/rumour that Conficker is launching DDOS attacks in Russia today: http://www.scmagazineuk.com/Russian-website-claims-that-Conficker-is-launching-DDoS-attacks/article/130337/


  1. […] The latest version, Confiker.E, will ensnare infected computers, placing them into the Waledec botnet. […]

Speak Your Mind