But you might spot a couple of obvious flaws in this rendezvous mechanism. First, if Conficker is calling up domain names, can't anyone, especially other bad guys, monitor which sites it's connecting to, register one of them, and upload their own software for Conficker's infected machines to run? Conficker's authors worried about that, too, and built in a counter-mechanism: the worm checks a digital signature on every file it downloads from one of those domains, and only the authors hold the private key needed to produce a valid signature. If the signature doesn't check out, Conficker won't run the program, no matter who registered the domain.
The second flaw: Can't the Internet's authorities just make sure that no one registers the domain names that Conficker is checking, thereby preventing anyone from sending the worm its marching orders? Indeed, they can. In February, the worldwide team of computer security groups who've been fighting Conficker—the self-dubbed Conficker Cabal—announced that they'd worked out a way to determine the pre-generated list of domains that Conficker would connect to. Eventually the cabal got registrars around the world to prevent people from registering those sites.
But that's when researchers spotted the newest Conficker variant, which includes a much-improved updating plan. Instead of generating a list of hundreds of domains, Conficker C generates a new list of 50,000 domain names every day. Although the Conficker Cabal is trying to prevent registrations on all these domains, registrars around the world will have a much more difficult time monitoring this huge, shifting number of names. But that's not all: The latest version of Conficker has a completely new way to coordinate the botnet's operations. Rather than contacting domain names, infected machines can band together in a massive peer-to-peer network. This way, each machine can efficiently pass files to its peers in something like the way your high-school orchestra used a phone tree to pass along next week's rehearsal change (or, to get more technical, in the same way people trade movies online via BitTorrent). We've seen peer-to-peer botnets before; in 2007, one of them, the Storm Worm, brought down several anti-spam Web sites. A peer-to-peer-enabled botnet as sophisticated as Conficker would be very difficult to thwart; if it worked well enough, it could well be impossible to shut down.
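To make the two mechanisms above concrete, here is an added toy model of a date-seeded domain generation algorithm and a signature check on whatever is fetched from those domains. It is illustrative code written for this article, not Conficker's code: the seed, the TLD pool, the domain format and the tiny textbook-RSA key are all hypothetical stand-ins, and the worm's real constants, key size and peer-to-peer layer are not reproduced. What it does show is why both the Cabal's pre-registration strategy and the authors' signature check work: anyone who knows the seed can compute the same daily list, but only the holder of the private key can produce an update the bot will accept.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Hypothetical seed and TLD pool (constructed for this example).
SEED = b"example-dga-seed"
TLDS = ["com", "net", "org", "info", "biz"]


def generate_domains(day: str, count: int = 5) -> List[str]:
    """Derive the rendezvous domains for an ISO date such as "2009-04-01".

    The list depends only on the seed and the date. The author can register
    one of the names in advance, but so can a defender who has pulled the
    seed out of the binary, which is exactly what let the Conficker Cabal
    pre-compute the list and block registrations.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(SEED + day.encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])
        domains.append(f"{label}.{TLDS[h[10] % len(TLDS)]}")
    return domains


# Toy textbook-RSA key pair, far too small for real use; it stands in for the
# large key embedded in the worm. Only PUBLIC_KEY would ship inside the bot.
_P, _Q = 2**31 - 1, 2**61 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)
PRIVATE_KEY = (_N, _D)  # held only by the authors, never by infected hosts


def _digest_int(payload: bytes) -> int:
    # Truncate the hash so the value is smaller than the toy modulus.
    return int.from_bytes(hashlib.sha256(payload).digest()[:8], "big")


def sign(payload: bytes, private_key: Tuple[int, int]) -> int:
    n, d = private_key
    return pow(_digest_int(payload), d, n)


def verify(payload: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(payload)


def fetch_update(day: str, registered: Dict[str, Tuple[bytes, int]]) -> Optional[bytes]:
    """Model the bot's daily check.

    `registered` maps a domain to the (payload, signature) uploaded by whoever
    managed to register it. The bot walks the day's list and returns the first
    payload whose signature verifies under the embedded public key; unsigned
    or forged uploads from rival operators are skipped.
    """
    for domain in generate_domains(day):
        if domain in registered:
            payload, signature = registered[domain]
            if verify(payload, signature, PUBLIC_KEY):
                return payload
    return None


def demo(day: str = "2009-04-01") -> Tuple[Optional[bytes], Optional[bytes]]:
    """Constructed scenario: a hijacker grabs the first domain of the day with
    a bogus signature; the authors register the second one with a real one."""
    domains = generate_domains(day)
    hijacker_only = {domains[0]: (b"rival payload", 12345)}
    author_update = b"author update"
    both = dict(hijacker_only)
    both[domains[1]] = (author_update, sign(author_update, PRIVATE_KEY))
    return fetch_update(day, hijacker_only), fetch_update(day, both)


if __name__ == "__main__":
    print(generate_domains("2009-04-01"))
    print(demo())
```

The defender's side of the story is the same `generate_domains` call: feed it tomorrow's date and you have the list to hand to registrars. That is cheap with five names a day and becomes a very different problem at 50,000, which is the whole point of Conficker C's change.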
Who created Conficker? Like much else about the worm, it's completely unknown. Initial speculation settled on Eastern Europeans. The first version of Conficker included code designed to keep Ukraine free of the worm. (If it detected a Ukrainian keyboard, it shut down.) But successive versions have been free of that code. On Sunday, BKIS, a Vietnamese computer security firm, announced that it had found clues in the worm suggesting it was created in China. In February, Microsoft put up a $250,000 reward for any information leading to the arrest and conviction of people responsible for creating Conficker.
But whoever they are, they sure are dangerous. "We must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker," wrote security experts at the research group SRI International in a report last week. The researchers added: "Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next."
But Conficker is also important for what it portends about the inherent difficulties of living in a networked age. Worms feed on bugs—holes in the ever-more-complex operating systems and Web browsers where we live most of our online lives. And because we're never going to get rid of these bugs, bad guys will always be able to find a way in. It's just that now, with the entire Internet as their playground—and with the power to harness all their infected machines into a thinking network—they can cause tremendous harm. Conficker could fizzle. But you can bet that someday, something very much like it will cause a lot of pain.