March 19, 2009, 6:25 pm

The Conficker Worm: April Fool’s Joke or Unthinkable Disaster?

By John Markoff

Update | 3:57 p.m. Added links to malware removal tools.

The Conficker worm is scheduled to activate on April 1, and the unanswered question is: Will it prove to be the world’s biggest April Fool’s joke or is it the information age equivalent of Herman Kahn’s legendary 1962 treatise about nuclear war, “Thinking About the Unthinkable”?

Conficker is a program that is spread by exploiting several weaknesses in Microsoft’s Windows operating system. Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.

It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.

Given the sophisticated nature of the worm, the question remains: What is the purpose of Conficker, which could possibly become the world’s most powerful parallel computer on April 1? That is when the worm will generate 50,000 domain names and systematically try to communicate with each one. The authors then only need to register one of the domain names in order to take control of the millions of zombie computers that have been created.
Speculation about Conficker’s purpose ranges from the benign — an April Fool’s Day prank — to far darker notions. One likely possibility is that the program will be used in the “rent-a-computer-crook” business, something that has been tried previously by the computer underground. Just like Amazon.com offers computing time on its network for rent, the Conficker team might rent access to its “network” for nefarious purposes like spamming.

The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode.

According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes.

Conficker’s authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible.

Or perhaps the Conficker botnet’s masters have something more Machiavellian in mind. One researcher, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the idea of a “Dark Google.” What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers?

Malware already does this on a focused basis using a variety of schemes that are referred to as “spear phishing,” in a reference to the widespread use of social engineering tricks on the Net. But to do something like that on a huge scale? That would be a dragnet — and a genuine horror story.