Conficker concern continues

Estimates of how many computers the worm had affected varied, with companies such as F-Secure arguing that up to nine million had been affected. However Jeff Williams, principal group program manager at the Microsoft Malware Protection Center, said that the figure was more like three million.

"The measurements that happened early on were flawed in some pretty significant ways," he said. "They didn't take into consideration double counting. They didn't take into account researchers manipulating the count just to see what would happen. They didn't take into account things such as whether an infected system would only report the number of infected systems in its environments once, or multiple reinfections of the same machine."

That figure is still enough for the company to have put a $250 000 bounty on the head of the Conficker author. It joined with a collection of other companies including ICANN and VeriSign and formed the 'Conficker Cabal'. "We're putting our money where our mouth is," said Williams, adding that the FBI was working on several tip-offs. "We haven't done this very many times before, but when we have in the past, we have had success."

The coalition of vendors has been busy registering domains that the malware is due to visit for command and control purposes. The worm generates pseudo-random URLs and visits them on preset dates. Researchers believe that the malware authors then use those URLs to deliver further instructions to the malware, giving them a constant means of contacting infected machines even if some sites are taken down.

Most recently, Sophos identified some of the future command and control sites as legitimate ones. These include wnsux.com, owned by Southwest Airlines, which Sophos said diverts to the airline's landing page. The worm was due to hit the site on 13th March, said the antivirus company. At the time of writing the site was down, indicating that the company may have triaged it.
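The pre-registration effort described above, together with the wnsux.com collision, as an added example that is not from the article or from any of the companies named in it: a hypothetical date-seeded generator (SEED, TLDS and the hashing scheme are assumptions standing in for the worm's real algorithm, which the article does not give) enumerates the candidate names for a date window, a defender splits them into names to register and names already owned by a legitimate party, and constructed DNS query lines are checked against the watchlist.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")     # hypothetical TLD set, not the worm's
SEED = b"hypothetical-seed"       # hypothetical; the real seed/algorithm is not on the page

def candidate_domains(day, count=5):
    """Date-seeded stand-in for the worm's generator: the same day always yields the same names."""
    names = []
    for i in range(count):
        d = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in d[1:9 + d[0] % 4])  # 8..11 letters
        names.append(f"{label}.{TLDS[d[-1] % len(TLDS)]}")
    return names

def sinkhole_window(start, days, count=5):
    """Map every candidate in a date window to the day it is expected to be contacted,
    so the coalition can register or sinkhole it ahead of time."""
    return {n: start + timedelta(days=k)
            for k in range(days) for n in candidate_domains(start + timedelta(days=k), count)}

def registration_plan(watchlist, already_registered):
    """Split the watchlist: names free to register vs. names owned by a legitimate party
    (the wnsux.com case), which need owner coordination rather than registration."""
    free = sorted(n for n in watchlist if n not in already_registered)
    owned = sorted(n for n in watchlist if n in already_registered)
    return free, owned

def flag_queries(log_lines, watchlist):
    """Return (client, qname, expected_day) for DNS log lines that hit a watchlisted name."""
    hits = []
    for line in log_lines:
        parts = line.split()          # constructed format: "time client qname type"
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in watchlist:
            hits.append((parts[1], qname, watchlist[qname]))
    return hits

START_DAY = date(2009, 3, 13)         # the date named in the article
WINDOW = sinkhole_window(START_DAY, 3)
KNOWN_NAME = candidate_domains(START_DAY)[0]
SAMPLE_DNS_LOG = [                    # constructed log lines, not real traffic
    f"2009-03-13T00:01:02 10.0.0.5 {KNOWN_NAME}. A",
    "2009-03-13T00:01:03 10.0.0.6 www.example.com. A",
    "2009-03-13T00:01:04 10.0.0.7 wnsux.com. A",
]
```

Only the query for a generated name is flagged; wnsux.com is not produced by this stand-in generator, so it would reach the watchlist only by being added from a vendor's published list, as the article describes.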

At the time of writing, the worm had still not been activated. It seems to have been in the infection phase, spreading far and wide without delivering a payload. Williams couldn't predict a likely payload. "That would be pure speculation but it's safe to say there's a monetary incentive," he said. "We're into the realm where criminals are enterprise. I am sure they have software development lifecycles and testing methodologies of their own".

In the past, spam and DDoS attacks have been two popular botnet payloads, especially when large, fast-spreading network worm-based botnets are involved. More targeted attacks have generally focused on lower-profile botnets, some of which flew under the radar for years until discovered recently.

Meanwhile, a new variant of the worm, which Microsoft is calling Conficker.C, had been discovered. This variant leaves open the RPC flaw that previous versions patched on their victims' machines. Patching the flaw once a machine is infected lets the original infection fend off subsequent variants from other malware groups, a technique that has been used in the past. Leaving the flaw open but checking incoming exploit attempts against specific shellcode instead lets the worm accept new payloads via the original back door while blocking other malware's attempts to infect the same system.