
Worm / Botnet

Conficker

aka Downadup · Kido

A 2008 worm that exploited a Windows RPC flaw to build one of the largest botnets ever, infecting millions of machines that linger to this day.

Conficker (Downadup) is a worm that appeared in November 2008 and rapidly assembled one of the largest botnets in history; estimates ran from several million to over ten million infected hosts. Its primary vector was MS08-067 (CVE-2008-4250), a remotely exploitable flaw in the Windows Server service reachable over RPC on SMB (TCP 445), for which Microsoft had shipped an out-of-band patch in October 2008. Later variants added two further paths: an autorun.inf dropped on removable media, and a dictionary attack against the ADMIN$ share of neighbouring machines using a built-in list of weak administrator passwords. That password guessing locked out accounts across many enterprises, which for some was the first symptom noticed.

Resilience

Conficker was notable for its defensive engineering. Instead of hard-coded command-and-control addresses it used a domain-generation algorithm seeded from the current date: variants A and B produced 250 pseudo-random domains per day, and variant C raised that to 50,000 per day spread across more than a hundred top-level domains, of which each bot queried a subset. The worm also blocked DNS resolution of security-vendor sites, disabled Windows Update and several Windows security services, and later variants added peer-to-peer updating with signed payloads. Because the algorithm depends only on the date, reverse engineering it let defenders compute every future day's list in advance; that is what the Conficker Working Group, an unprecedented coalition of Microsoft, ICANN, registrars and security vendors formed in early 2009, did in order to pre-register or sinkhole the domains before the operators could.
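To make the pre-registration idea concrete, the following is an added example, not code from the page or from any Conficker analysis, and the hash-based generator is a deliberately simplified stand-in with constants of my own choosing, not Conficker's actual algorithm. It shows the two sides of a date-seeded DGA: the bot derives the day's candidate domains from the date alone, so a defender who has the same algorithm can (a) enumerate the list for upcoming days to register or sinkhole them, and (b) match DNS query logs against the list to find infected clients. The log lines, client addresses and the `generate_domains` / `flag_dga_lookups` names are constructed for the example.

```python
import datetime as dt
import hashlib
from collections import Counter

# Toy DGA (constructed for this example; NOT Conficker's real algorithm).
# A real DGA embeds its own constants, but the defensive property shown here
# is the same: the output depends only on the date and the algorithm.
TLDS = ["com", "net", "org", "info", "biz"]
DOMAINS_PER_DAY = 250          # the per-day count used by Conficker.A/B


def generate_domains(day, count=DOMAINS_PER_DAY, seed=b"toy-dga"):
    """Return `count` pseudo-random domains for `day`.

    Deterministic: the bot and the defender both get the same list, which is
    what makes pre-registration and sinkholing possible."""
    domains = []
    for i in range(count):
        # Hash of (seed || date || index) gives a reproducible byte stream.
        h = hashlib.sha256(seed + day.isoformat().encode()
                           + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                       # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        tld = TLDS[h[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_list(start, days):
    """Every domain a working group would need to secure for `days` days
    starting at `start`: the defender runs the bot's algorithm ahead of time."""
    out = set()
    for d in range(days):
        out.update(generate_domains(start + dt.timedelta(days=d)))
    return out


def flag_dga_lookups(dns_log_lines, day):
    """Match DNS query logs against the generated list for `day`, plus the
    neighbouring days to tolerate clock skew and time zones.

    Log format (constructed for this example): '<timestamp> <client_ip> <qname>'.
    Returns (client_ip, qname) pairs in log order."""
    candidates = set()
    for delta in (-1, 0, 1):
        candidates.update(generate_domains(day + dt.timedelta(days=delta)))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                 # malformed line, skip
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in candidates:  # accept FQDN trailing dot
            hits.append((client, qname))
    return hits


def suspect_hosts(hits, threshold=2):
    """Clients that queried at least `threshold` generated domains; a single
    hit can be a coincidence, a burst is the worm hunting for its C2."""
    counts = Counter(client for client, _ in hits)
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed sample: two clients querying generated domains among benign names.
SAMPLE_DAY = dt.date(2009, 4, 1)
_todays = generate_domains(SAMPLE_DAY)
SAMPLE_LOG = [
    f"2009-04-01T10:00:01 10.0.0.7 {_todays[0]}",
    f"2009-04-01T10:00:01 10.0.0.7 {_todays[1]}",
    "2009-04-01T10:00:02 10.0.0.7 www.microsoft.com",
    "2009-04-01T10:00:05 10.0.0.23 update.example.com",
    f"2009-04-01T10:00:06 10.0.0.23 {_todays[42]}.",   # FQDN with trailing dot
    "2009-04-01T10:00:07 10.0.0.9 mail.example.org",
]

if __name__ == "__main__":
    print("domains to secure for the next 7 days:",
          len(sinkhole_list(SAMPLE_DAY, 7)))
    for client, qname in flag_dga_lookups(SAMPLE_LOG, SAMPLE_DAY):
        print("DGA lookup", client, qname)
    print("suspect hosts:", suspect_hosts(flag_dga_lookups(SAMPLE_LOG, SAMPLE_DAY)))
```

The scale of the defender's task is the product of the per-day count and the horizon: securing a week of this toy at 250 domains per day means 1,750 registrations, while Conficker.C's 50,000 per day across many registries is what forced the working group to coordinate with ICANN rather than register domains one by one. In practice the log matcher also benefits from a second, algorithm-independent signal, a burst of NXDOMAIN answers from one client, since most generated names are never registered by anyone.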

Legacy

Apart from a brief April 2009 episode in which the E variant pushed the Waledac spambot and a fake antivirus product before deleting itself, the botnet was never meaningfully monetised, yet Conficker never fully died: it still surfaces on unpatched and embedded systems more than a decade later, typically wherever an old Windows image runs with SMB exposed. The DGA is a classic reverse-engineering study on the Reverse Engineering Hub; the outbreak is profiled on Cyber Breaches.

Defense

Patch MS08-067 (KB958644, available since October 2008) and block TCP 445 at the perimeter and between segments; disable Autorun; enforce strong, unique local administrator credentials and alert on bursts of account lockouts, which Conficker's password guessing produces; segment legacy systems that cannot be patched; and watch DNS for clients emitting many lookups to unregistered domains, the footprint of any DGA.