Will the Conficker worm, expected to activate on April 1, set off viral destruction or be a dud?
Security experts say Conficker.C (also called Downadup) presents a serious threat. Infected machines -- said to number from 3 million to 10 million globally, depending on estimates -- could be activated for data destruction and theft or espionage, spam relays or denial-of-service (DoS) attacks. While a "doomsday scenario" on April 1 seems unlikely, many security professionals regard Conficker.C as the malware fruit of a disciplined criminal operation out to make money off it.
"We need to take it seriously," says Chris Rodriguez, research analyst for network security at consultancy Frost & Sullivan. "The biggest concern is the effectiveness it's had in spreading."
According to Cisco, Conficker.C has infected about 10 million Windows-based computers in 150 countries, with China estimated at 3 million, Brazil at 1 million and Russia at 800,000. These are the top three Conficker infection spots, with some researchers saying the high counts in these regions are due to pirated Microsoft software that doesn't get patched and lack of antivirus software on machines. In the United States, about 200,000 infected computers are suspected.
Symantec, which says it uses a different method for estimates, puts the total Conficker infection count at more like 3 million globally. However you count, an attacker would find it "easy to point all these machines at one target for a denial-of-service attack, or use them for spam or click fraud or cyber-espionage," Rodriguez says. "I'd be surprised if something didn't happen on April 1."
"I wish I could tell you the issue is overblown but that's not the case," says Pat Peterson, Cisco fellow and chief security researcher.
Conficker.C, now under the microscope in labs, reveals "an insane amount of effort in engineering this," Peterson says.
Since Conficker debuted last fall, it hasn't done much besides concentrate on spreading and blocking access to antimalware vendor sites. But Peterson believes Conficker was designed with the intent of making money for the criminals who created it. So DoS attacks, spam, stealing data -- all of those are actions the Conficker botnet might be used to do.
But Peterson adds that if Conficker is activated as an aggressive botnet by its masters, there will be some countermeasures from ISPs and others trying to coordinate information and actions, such as severing links to its creators. Peterson's guess is Conficker's creators are likely Russian or Ukrainian.
Peterson says he thinks the April 1 trigger date probably won't be so much about the "mass destruction" and "lighting up the Internet" seen in some worm outbreaks of years past, but more about the commencement of new command-and-control capabilities.
Others also suspect something similar.
"On the April 1 trigger date it will be heading to look for new updates," says Vincent Weafer, Symantec's vice president of security response. The result may be less of a massive attack than a functional update that will "over time, turn on the payload." And there may end up being another variant of Conficker.
Comments (10)
Y2k Part 2 the sequel
By Anonymous on March 30, 2009, 8:29 pm
If there wasn't hype there'd be nothing to report at all.
Y2K or not part 2
By Anonymous on March 30, 2009, 10:34 pm
Y2K or not. The computer/electronic world is and will always be vulnerable to this type of thing. Even if nothing happens it just shows the weakness and the strength...
Computer/electronics vulnerable?
By Anonymous on March 31, 2009, 9:42 am
So, you've bought into the hype! Anytime we depend on a centralized resource (Federal Government, Centralized power generation/distribution, Centralized water,...
Ha Ha Ha
By Anonymous on March 31, 2009, 12:28 pm
Oh I can't wait to see what happens I am so excited. No really!
Skynet
By Anonymous on March 31, 2009, 12:29 pm
James Cameron revealed the true nature of the mark of the beast in T3 and has revealed much more in the Sarah Connor Chronicles. JDay is coming and the metal will...
Where to download?
By Anonymous on March 31, 2009, 1:19 pm
That sounds like some real interesting piece of software. Any idea where I can download an example to take a look at it? If I understand it right they got part...