27 Mar 2009
Security experts are downplaying much of the speculation surrounding an expected 1 April update for the notorious Conficker malware.
Also known as 'downadup', the malware has been spreading throughout 2009 and is believed to have infected millions of PCs.
Analysis of the Conficker code suggests that the latest version will instruct infected machines on 1 April to contact an unknown domain and await further instructions. This has led to reports of a possible "doomsday" infection, or a huge attack from the Conficker botnet.
These worries, however, are little more than uninformed hysteria, according to security experts. Many security researchers believe that Conficker's April Fool's Day event may in fact be laughably minor.
F-Secure researchers reassured users in a special guide posted to the company blog that in all likelihood Conficker's 1 April update would be a non-event.
"The Conficker worm is going to change its operation a bit, but that's unlikely to cause anything visible on 1 April," F-Secure said.
The company also noted that only the latest version of the malware, known as 'Conficker C', which constitutes a small percentage of total infections, would be carrying out any instructions on 1 April.
Researchers from other security firms agree. "Some people have got rather confused as to what the 1 April deadline really means," wrote Sophos senior technology consultant Graham Cluley in a blog post.
"The truth is that Conficker is not set to activate a specific payload on 1 April. Rather, Conficker will begin to attempt to contact the 50,000-a-day potential call-home web servers from which it may receive updates."
Memories of past malware infections are further stoking worries about Conficker. This week marks the 10th anniversary of the Melissa virus, which created headlines by crashing email servers across the globe.
Malware creation has evolved into a lucrative business since Melissa, and most experts believe that Conficker's update will be the first step in a spam run or other money-making activity, rather than an old-fashioned attempt at internet mayhem.
"The people behind this piece of code are very skilled, very well informed and resourced. They have invested much time and effort in the creation of this botnet, and will be aiming to see some return on that investment," wrote Trend Micro senior security advisor Rik Ferguson in a blog post.
"Making so much noise that every victim knows they're infected will have entirely the opposite effect."
Users are advised to protect against becoming part of the Conficker botnet by installing the latest security patches from Microsoft, and keeping all security and anti-virus tools installed and up to date.
Sophos is offering a free Conficker removal tool to users who believe that their Windows PCs may already be infected. Other operating systems are not believed to be vulnerable.
Don't be biting off your nose
Saying that there is not too much to worry about could be detrimental to anyone who becomes laid back on this matter; after all I have read over the last few hours, better be safe than sorry.
Posted by: Seanie 31 Mar 2009
Hype / Sensationalism? Probably, but...
I think in general this promotes awareness... You'd be surprised how many people think they are "protected" by using a program like Symantec / Norton AV. Unfortunately, many people get a new computer that comes with a free version of Norton with it, the free period expires, and they don't bother to pay for the subscription... assuming this is some sort of way for Symantec to milk money from them. Without paying for the software, virus definitions aren't updated and the software is useless. I know a lot of people that fit into that boat. Stuff like Conficker stresses the need to get your virus software straight. A few bucks now to protect your personal information / credit cards / identity / data / bank accounts etc. is a small price to pay. I think a lot of people think they are protected, when they actually aren't. See http://confickerc.info for removal instructions.
Posted by: jerron2 29 Mar 2009