
Conficker: Media Spinning April 1 Date

With over ten million PCs infected with the Conficker worm, lying dormant as if awaiting further instructions, it seems as if its author plans to take over the world on April 1... not.

There's certainly been a lot of hoopla surrounding the mysterious Conficker worm since it began to infect the world's PCs back in October 2008. Lately, speculation and rumors have surfaced regarding April 1 and what this worm will actually do. After all, April Fool's Day is just around the corner; perhaps Conficker is just one big prank. Then again, maybe it's a devastating piece of malware that may put an end to millions of PCs.

Both F-Secure and Sophos say that although the Conficker worm will do something on April 1, triggering a global virus attack is highly unlikely. In fact, the worm will merely contact its growing network to receive updates, perhaps even change its operation. "So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing," said F-Secure.

The security firm also said that the latest version is not the most common Conficker worm. In fact, most of the contaminated machines are infected with the B variant that became widespread back in January. According to F-Secure, the B variant will not be updating on April 1; however, the new variant might do something new. "We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do," F-Secure added.

If the Conficker worm were to actually carry a devastating payload, it would not be locked into one specific date. Because of the worm's nature and how it embeds into the system, taking the reins of administrative privileges, it can download and execute a malicious program on any date, whether it's April 1, July 4, or September 11. What Conficker will eventually do is still up in the air: it could steal data, send spam, launch DDoS attacks, or it could do absolutely nothing at all. Like the final frontier, it's the "unknown" factor that is the scary part, and probably the central focus of many articles relating to April 1.

"What we can say with certainty is that people should keep their protection up-to-date, ensure that they have firewalls and security patches in place, have a proper policy in place regarding USB usage and passwords," said Graham Cluley at Sophos. "In addition it wouldn't do any harm--if you suspect you may be infected by Conficker--to run a Conficker removal tool such as the free one from Sophos."

Cluley also mentions the news media, pointing to British tabloid newspaper The Sun as an example (although rags such as that are hardly newsworthy in the first place). He points out that news articles such as the one found in The Sun--Will your PC Be Hijacked on April 1--cause a false sense of panic. "With that kind of talk in a national newspaper (and there are plenty of other examples in the media at the moment) you could understand why some companies and home users might be worried about what might happen next Wednesday," he said.

As of this morning, Google pulled a huge load of news entries regarding the Conficker April 1 date, ranging from "Conficker Worm to Strike April 1" to "Conficker Worm: Expect New Attack April 1." However, as both F-Secure and Sophos have stated, there's nothing to panic about; the world isn't coming to an end, PCs won't begin to melt when the clock strikes 12:00 am, nor will a super AI brain take control and kill off all the humans Terminator-style.

Bottom line, the new Conficker variant will update on April 1. Outside of that, no one really knows what the overall infection will do despite doomsayers looking for page views to meet revenue quota.