Worm set to evolve on April Fool's Day

A tenacious computer worm that has wriggled its way on to machines worldwide is set to evolve on April Fool's Day, becoming harder to kill but not expected to wreak havoc.

A task force assembled by Microsoft has been working to stamp out the worm, referred to as Conficker or DownAdUP, and the software company has placed a bounty of $250,000 (Dh917,500) on the heads of those responsible for it.

The worm is programmed to modify itself on Wednesday to become harder to stop, according to Trend Micro threat researcher Paul Ferguson, who is part of the Conficker task force.

"There is no evidence of it going into attack mode or dropping any particular payload on April 1," Ferguson said in an interview.

"What people controlling the botnet are doing is building in survivability because of efforts by the good guys to lessen the harm of this thing."

The worm, a self-replicating programme, takes advantage of networks or computers that have not kept up to date with security patches for Windows RPC Server Service.

It can infect machines from the internet or by hiding on USB memory sticks carrying data from one computer to another. Once in a computer it digs deep, setting up defences that make it hard to extract.

Malware could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.

A troubling aspect of Conficker is that it harnesses computing power of a botnet to crack passwords. Microsoft has modified its free Malicious Software Removal Tool to detect and get rid of Conficker.

"As this threat continues to evolve, Microsoft and other collaborative companies will continue to identify new ways to disrupt the Conficker threat to give customers more time to update their systems," said Christopher Budd, security response communication lead for Microsoft.

Computer users are advised to stay current on anti-virus tools and Windows updates, and to protect computers and files with strong passwords.

Conficker is programmed to reach out to 250 websites daily to download commands from its masters.

On Wednesday, it will begin connecting with 50,000 websites daily to better hide where orders originate, according to Mikko Hypponen of F-Secure computer security firm.

"They basically upped the ante; trying to make our lives more difficult," Ferguson said. "They realised the good guys were starting to intercept their communications." The infection rate has slowed from a fierce pace earlier this year, but computers that are not updated with a software patch released by Microsoft remain vulnerable, according to security specialists.

Hypponen wrote in a message at F-Secure's website that Conficker is in one to two million computers and that most of those machines are believed to have an early version of the malicious software lacking the April 1 trigger.

Conficker was first detected in November 2008.

Among the ways one can tell if their machine is infected is that the worm will block efforts to connect with websites of security firms such as Trend Micro or Symantec where there are online tools for removing the virus.

"Once a machine is infected, it becomes very hard to clean up," Ferguson said.

"There is no indication anywhere of [Conficker] doing anything but just sitting there. We do not know whether another shoe is going to drop, or if there is another shoe at all."

Hackers have taken advantage of Conficker hype by using promises of information or cures to lure Internet users to websites booby trapped with malicious software, said security specialists.

WHAT DO YOU THINK? Have you or your company taken any measures to detect and get rid of Conficker? Have your say by posting a comment below, or emailing us at online@business24-7.ae.