Experts urged computer users not to panic.
The easiest way for computer users to see if they're infected is to try to access Windows updates from microsoft.com. If you can reach the site and if your system updates are working, it is unlikely your computer is infected, experts said. The worm does not affect Mac computers.
A core group of about 40 computer analysts, researchers and policy experts is working to dismantle the worm, said Jose Nazario, manager of security research at Arbor Networks, and a member of the group, which some call the Conficker Cabal.
Nazario said the group's unprecedented efforts may be one reason an attack hasn't happened. He said the April 1 launch date for the virus may have been a ploy by the program's author to get attention from the news media. Or it could be a twisted joke.
"Either way, it suggests an interesting sense of humor, I guess," he said.
The worm allows a master computer to communicate with the infected machines through Web sites the worm generates. That function became active April 1, experts said, and allows Conficker's author or authors to seize control of millions of computers around the world.
Infected machines are generating 50,000 URLs per day, which allows the master to talk with them. A previous version of Conficker created only 250 domain names per day.
"What happened now, today, is that the machines started pulling 50,000 domain names in 116 countries around the world -- so that's the change," said Hypponen, another member of the Conficker Cabal.
"The Conficker gang realized we could shut down 250 domain names a day, so they upped the ante," he said.
Computer experts will continue to try to shut down the Web addresses that let Conficker's author communicate with infected machines, he said. Members of the Conficker Working Group have contacted security officials in all 116 affected countries and have shut down many active domain names, Hypponen said.
Stewart, of IBM, said the sophistication of the worm is unprecedented.
The situation has played out in the news media as an April Fools' Day joke. On a technology blog, The Washington Post mocked the hype about Conficker.
"Londoners woke up to find the iconic clock tower Big Ben stopped at precisely one minute till midnight," Brian Krebs wrote. "The British tabloids blared that the giant timepiece had been felled by the Conficker worm."
The post ends with this statement: "In case you haven't guessed it yet, APRIL FOOLS!!!"
Some have compared the situation to New Year's Day in 2000, when many feared the world's computers would crash but few problems were seen. Henry said that comparison doesn't fit.
"Y2K was a one-time event," he said. "The update for Conficker has basically prepped it for its future. It now has the ability to gather marching orders in a way that, to date, we haven't found a way to block."
Little is known about Conficker's author. A piece of code in a version of the computer worm prevents the program from harming machines in Ukraine, leading some to believe that's where the program's author lives.
Others say that could be a ploy. Many authors of previous computer viruses have come from Eastern Europe outside the jurisdiction of the European Union, experts said.
Matt Watchinski, senior director of a research team at Sourcefire, a computer security company, said the author may try to split up pieces of the infected computer network -- called a botnet -- and sell them to bidders.
The many unknowns about Conficker are what make it particularly concerning, said Patrick Morganelli, senior vice president of technology for Enigma Software.
"[An attack] could happen today, it could happen April 15, it could happen two months from now," he said.
Henry says an attack will happen sooner or later.
"They'll wait for the hype to subside," he said. "They'll wait for everyone to stop watching, and they'll take it for a test run. They've put together one hell of a botnet here, and they're going to want to exercise it."
This information is quite important. Thanks.