Fears of a Conficker meltdown greatly exaggerated

Worries that the notorious Conficker worm will somehow rise up and devastate the Internet on April 1 are misplaced, security experts said Friday.

Conficker is thought to have infected more than 10 million PCs worldwide, and researchers estimate that several million of these machines remain infected. If the criminals who created the network wanted to, they could use this network to launch a very powerful distributed denial of service (DDOS) attack against other computers on the Internet.

April 1 is the day that the worm is set to change the way it updates itself, moving to a system that is much harder to combat, but most security experts say that this will have little effect on most computer users' lives.

Nevertheless, many people are worried, according to Richard Howard, director of iDefense Security Intelligence. "We have been walking customers down from the ledge all day," he said. Often, the problem has been that company executives have read reports of some April 1st incident and then proceed to "get their IT and security staffs spun up," Howard said in an e-mail interview.

That hype will probably intensify when the U.S. TV newsmagazine 60 Minutes airs a report Sunday on Conficker, entitled "The Internet is Infected."

Conficker "could be triggered, maybe on April 1st ... but no one knows whether on April 1st they'll just issue an instruction that says 'Just continue sitting there' or whether it will start stealing our money or creating a spam attack," CBS reporter Lesley Stahl said in a preview interview ahead of the show. "The truth is, nobody knows what it's doing there."

April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm.

"Technically, we will see a new capability, but it complements a capability that already exists," Porras said. Conficker is currently using peer-to-peer file sharing to download updates, he added.

The worm, which has been spreading since October of last year, uses a special algorithm to determine what Internet domains it will use to download instructions.

Security researchers had tried to clamp down on Conficker by blocking criminals from accessing the 250 Internet domains that Conficker was using each day to look for instructions, but starting April 1, the algorithm will generate 50,000 random domains per day -- far too many for researchers to connect with.

Gradually, the Conficker network will get updated, but this will take time, and nothing dramatic is expected to happen on April 1, according to Porras, Howard, and researchers at Secureworks and Panda Security.

"There is no clear evidence that the Conficker botnet will do anything dramatic," said Andre DiMino, cofounder of The Shadowserver Foundation, a volunteer security group. "It will change its domain usage to the larger pool and may attempt to drop another variant, but so far, that's about it."

"Regular users just need to be sure they are patched and be extra diligent about possible new methods of infection."

The IDG News Service is a Network World affiliate.