The malicious Conficker Internet worm got more aggressive about trying to reach its creators Wednesday, but computer security researchers appeared correct in their predictions that the effects would be muted.
The worm's programming included a change in tactics on April 1: The estimated 3 million to 12 million computers infected by Conficker were told to step up their attempts to "phone home" for commands. But that seemed to be the only sign of life from the bug.
"One thing we're not seeing is any mass malicious activity," said Joris Evers, an analyst with McAfee. "The Internet today is working just as well as it was working yesterday."
The worm can take control of unsuspecting PCs running Microsoft's Windows operating system. But its creators likely want to use their vast "botnet" to send spam or perform other cybercrimes, and not to bring down the Internet.
That's one reason analysts say the people behind the virus will probably wait to send any commands. "Everyone who is fighting Conficker is on high alert," Evers said.
Security companies monitoring the worm have been largely successful at blocking infected machines from communicating with whoever programmed it.
Microsoft issued a software update, called a "patch," to protect PCs from vulnerability back in October. But not everyone applied the patch.
In one telltale sign of an infected machine, Conficker blocks Microsoft's site as well as those of most antivirus companies. Computer owners can work around that obstacle by having someone else e-mail them a Conficker removal tool. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
To learn more, check Microsoft's Web page on Conficker. Also, a list of the free Conficker removal programs is available on the Web site of the Conficker Working Group. The removal programs will take care of themselves, for the most part, scanning your system and purging the worm.
Computer infections now are all about making money by stealing people's personal information. And Conficker's authors stand to make more money from renting out parts of their huge "botnet" to spammers or identity thieves than by destroying parts of the Internet.
"These guys have been pretty smart until now — the worm is unfortunately very well done," said Patrik Runald, chief security advisor for F-Secure Corp. "So far they haven't been stupid. So why should they start on April 1?"
But panic over the worm had reached a frenzy. Lori Lynn Pavlovich, a mother of four from Racine, Wis., unplugged her PC and vowed to stay offline for a week after seeing a local TV news report about the worm.
"I get scared real easy when it comes to stuff like that," she said. Pavlovich, who says she keeps her antivirus software and security patches up-to-date, got back online 24 hours later after a relative assured her that her system was safe.
In the last six months, the worm has also caused sleepless nights for the technicians who maintain corporate and governmental computer systems. European media reported that the French military grounded some of its fighter planes after the Navy's network was infected over the winter.
Companies were on high alert to any change in Conficker's behavior that could affect their systems. But a lot of the heavy lifting for big corporations has already been done. Most large organizations hurried to fix the vulnerability that Conficker exploits long ago — Microsoft released a software "patch" for it in October. Many smaller businesses and consumers started worrying about the problem later, making them more vulnerable to infection.
"Consumers are very, very, very aware of this — more so than I've seen in years," said Alfred Huger, vice president of Symantec Security Response. "Enterprises are certainly aware of this, and they're treating this seriously, but no more so than other threats they're faced with."
Detecting a Conficker infection is actually very easy. One of the telltale signs is if you're able to navigate the Internet freely but can't access Microsoft's site or the sites for the major antivirus software vendors. Conficker's authors included that feature to prevent infected machines from downloading programs that remove the worm.
That makes it harder to get the Conficker removal programs, but not impossible. Security experts recommend that people with infected machines find a friend whose machine isn't infected, and have that person download the removal tool and e-mail it to them.
Many companies that have already protected their networks from Conficker have become concerned again because of the publicity the worm generated in recent weeks as the April 1 change to Conficker's programming approached.
Michael La Pilla, manager of the malicious code operations team at VeriSign's iDefense division, said some of his company's customers were asking for immediate notification about changes to Conficker's behavior, instead of the hourly updates that many receive.
The bad guys behind Conficker haven't been able to reliably communicate with the computers the worm has infected. That means they haven't been able to program the PCs to send spam, carry out identify-theft scams, or perform any other kind of cybercrime.
That has likely started changing with the dawn of April 1. Now the programming on the latest version of Conficker tells those infected machines to generate 50,000 new Internet addresses each day that they can try and "phone home" for instructions.
Previously, they had been looking for commands from just 250 sites each day. The point of the change is to make it harder for the security community to pre-register those addresses and keep them out of the bad guys' hands.
Microsoft has offered a $250,000 bounty for information leading to the arrest and conviction of the people responsible for Conficker.
The hoopla surrounding a very arcane change to Conficker's programming code was reminiscent of the doomsday fears about the Y2K bug, when the dawn of the millennium was thought to threaten computer networks by interpreting the new year as 1900 rather than 2000.
"There are a lot of people who are on standby waiting to see what happens," said George Kurtz, senior vice president of McAfee's risk and compliance division. "Ultimately, it could be a big event or Y2009 — April 1 rolls around and nothing happens. But that doesn't mean it's the end of the story."