Conficker Starts Waking Up

After a nearly silent Doomsday on April 1, Conficker's creators have started seeding new updates...and, oddly, these expire in early May.

April 1 may have come and gone without hordes of Conficker-infected zombie computers rising up from the Internet to take over the world, but that doesn’t mean the worm has gone away.

On April 7, Conficker’s authors began seeding a new version of the worm, and—as with previous versions—the update packs in new features designed to get around security patches and techniques employed to stop the worm. The new variant on Conficker, loosely dubbed Conficker.E, is apparently spreading via peer-to-peer networks (according to Trend Micro) and—very curiously—comes with an expiration date: May 3, 2009. That’s right: the latest version of the Conficker worm comes with its own shut-off date, and no one is sure why.

The goal of the Conficker updates appears to still be “scareware:” convincing unsuspecting users their computers are infected and making them pay for a software fix to remove the problem—which, of course, never happens. Fears that the Conficker worm—and the estimated 12 million computers it has infected—would be used to send massive amounts of spam or execute denial-of-service attacks so far appear unfounded. However, the new variant of the Conficker worm also seems to have a connection with the well-known Waledac malware, both connecting to a known Waledac haven site and downloading new Waledac variants. Conficker’s intention there might be to set up Waledac as a spamming operation.

The exploit Conficker uses to move between Windows machines was patched by Microsoft back in October; computers that have been updated since then should be immune to the worm. The Conficker Working Group has also posted a handy “eye chart” Web page that lets users quickly know whether their systems are infected.