FAQ: Conficker clock ticks toward April 1 deadline

Computerworld - When a computer worm reaches the critical mass necessary to make it onto last Sunday's 60 Minutes, you know it's either a once-in-a-blue-moon threat or something that's been hyped beyond belief.

The attention that this worm has received is staggering, especially in the past few days as a deadline -- April 1 of all days -- approaches. Although the technical press has been covering Conficker since its appearance late last year, in large part because it exploited one of Microsoft Corp.'s rare "out-of-cycle" patches, the larger world only seemed to wake up to the worm in the past week.

Cue Lesley Stahl....

So is it, as the 60 Minutes segment called it, "a sleeper cell" or just another worm asleep at the wheel?

We posed some of the pressing questions about Conficker and its looming deadline, and answered them. More will undoubtedly follow as the saga continues.

I've been living in a cave since Jan. 1. What's Conficker? Also called Downadup, Conficker is the biggest worm in years as measured by infected PCs, and it began exploiting a Windows bug that Microsoft patched with an emergency update in October 2008. In January, a second variant infected millions more machines.

A third version, Conficker.c, surfaced earlier this month and is the one that has everyone twitchy. This is the edition that's been pushed to some of the PCs already infected with earlier variants -- Conficker.a and Conficker.b -- but doesn't spread on its own to new victims.

What's up with Conficker.c? This tougher strain includes a number of new defensive measures to "armor and harden the existing infections," as Vincent Weafer, vice president of Symantec Corp.'s security response group, put it last week.

What has people anxious about Wednesday, however, is that's when Conficker.c can start using a new communication scheme to establish a link to its command-and-control servers.

Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from the hacker controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily. Most researchers believe that's a direct response to work begun last month by the "Conficker Cabal," an ad hoc consortium of researchers, companies and organizations that have joined forces to disrupt the worm's communications by registering as many of the 250 daily domains as possible.

So? Worms "phone home" all the time. What's so special about Conficker.c and April 1? The April 1 date, which is hard-coded into the worm, has people spooked because of two things: the size of the infected PC pool and a lack of information about what the hackers intend to do once those victimized machines try to reach hacker HQ.

According to some estimates, as many as 12 million PCs have been infected with the worm since it first struck late last year. Symantec, however, recently pegged the number of currently infected systems at 3 million, while F-Secure Corp. said it was more likely in the 1 million-to-2 million range.

At any of those numbers, however, Conficker would be enormous by botnet standards.

What will happen Wednesday when Conficker.c switches on its new "phone home" algorithm? No one knows. And that's a problem.

"It's impossible to know until we see something that has a clear profit motive," said Joe Stewart, noted botnet researcher and director of malware research at SecureWorks Inc., in an interview last week.

Because Conficker's makers upped the ante to take on the cabal, and because security researchers really have no clue what orders they will give infected PCs, speculation has been, to put it kindly, rampant. Some have argued that the massive botnet could go on a distributed denial-of-service (DDoS) rampage, crippling huge chunks of the Web. Others, including Stewart, say the whole thing is probably one giant April Fool's joke.