One in five PCs is still at risk of being attacked by the Conficker worm, despite the copious warnings about the need to patch vulnerable machines.

That's according to security company Qualys, after scans of more than 300,000 of its customers' PCs revealed that 20 percent of them were still unpatched, even though patching of the MS08-067 vulnerability picked up dramatically two weeks ago.

"The media attention about the April 1 date got people scanning like crazy," said Wolfgang Kandek, Qualys' chief technology officer, referring to the trigger date hard-coded into Conficker, the worm that used the MS08-067 vulnerability to infect millions of machines earlier this year. "We saw three to four times more scans [for the worm] than usual on March 30."

Qualys, like several other security vendors, had issued a Conficker detection tool prior to April 1, when the worm was set to switch to a new communications scheme for instructions from its hacker overlords.

The percentage of scanned PCs vulnerable to the MS08-067 bug began falling April 1, said Kandek, and within several days had dropped from about 40 percent to just under 20 percent. "The whole thing about April 1 was a good thing," Kandek said. "Before [April 1], the number of machines still vulnerable to MS08-067 was probably comparable to other Microsoft vulnerabilities. Now it's better than average."

Kandek could offer no reason for the reticence of some sysadmins to patch their machines. "I don't know why that is," Kandek said. "They could be older machines, or machines not considered important, or even Windows running on an ATM. Whatever it is, it's hard for me to understand why they're not patched."

Qualys' scans also revealed that about 5 percent of the PCs pinged were actually infected with one of the four Conficker variants. "That's a relatively low number, but because the Conficker numbers are staggering - it's infected millions - it's really a sizable number," said Kandek.

Last week, Conficker's handlers began updating already-infected PCs, and used the opportunity to also install spam bots and phony anti-virus software on those systems. Conficker.e, as the new variant has been dubbed, restores the worm's ability to spread to machines not yet patched against the MS08-067 vulnerability.