Zombie computers set to signal April 1
An extraordinary behind-the-scenes struggle is taking place between computer security groups around the world and the brazen author of a malicious software program called Conficker.
The program grabbed global attention when it began spreading late last year and quickly infected millions of computers with a software code that is intended to lash together the infected machines it controls into a powerful computer known as a botnet.
Since then, the program's author has repeatedly updated its software in a cat-and-mouse game being fought with an informal international alliance of computer security firms and a network governance group known as the Internet Corporation for Assigned Names and Numbers. Members refer to the alliance as the Conficker Cabal.
The existence of the botnet has brought together some of the world's best computer security experts to prevent potential damage. Last month, Microsoft announced a $250,000 reward for information leading to the capture of the Conficker author.
Botnets are used to send the vast majority of e-mail spam messages. Spam in turn is the basis for shady commercial promotions including schemes that frequently involve directing unwary users to Web sites that can plant malicious software, or malware, on computers.
The inability of the world's best computer security technologists to gain the upper hand against anonymous but determined cybercriminals is viewed by a growing number of those involved in the fight as evidence of a fundamental security weakness in the global network.
"I walked up to a three-star general ... and asked him if he could help me deal with a million-node botnet," said Rick Wesson, a computer security researcher involved in combating Conficker. "I didn't get an answer."
An examination of the program reveals that the zombie computers are programmed to try to contact a control system for instructions on April 1. There has been a range of speculation about the nature of the threat posed by the botnet, from a wake-up call to a devastating attack.
The Conficker program is built so that after it takes up residence on infected computers, it can be programmed remotely by software to serve as a vast system for distributing spam or other malware.
Several people who have analyzed various versions of the program said Conficker's authors were obviously monitoring the efforts to restrict the malicious program and had repeatedly demonstrated that their skills were at the leading edge of computer technology.
For example, the Conficker worm already had been through several versions when the alliance of computer security experts seized control of 250 Internet domain names the system was planning to use to forward instructions to millions of infected computers.
Shortly thereafter, in the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet.
A report released last week by SRI International, a nonprofit research institute in Menlo Park, Calif., said that Conficker C gives the program added powers to disable many commercial anti-virus programs, as well as Microsoft's security update features.
"Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm," said Phillip Porras, a research director at SRI International. "In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself."