This is a fun cat-and-mouse story about the evolution of the Conficker worm, and the people who are trying to understand it. The story ominously concludes that while Conficker hasn’t done much that is publicly visible, there are possibly millions of zombie computers lying in wait.
RTFA: http://www.newscientist.com/article/mg20227121.500…
If every Windows user had downloaded the security patch Microsoft supplied, all would have been well. Not all home users regularly do so, however, and large companies often take weeks to install a patch. That provides windows of opportunity for criminals.
No one knows the identity of Conficker’s “patient zero” computer, or precisely when it was infected. It was probably a machine that the hackers already controlled. Once installed, the software set to work, surreptitiously scanning the internet for other vulnerable machines to send itself to.
The new worm soon ran into a listening device, a “network telescope”, housed by the San Diego Supercomputing Center at the University of California. The telescope is a collection of millions of dummy internet addresses, all of which route to a single computer. It is a useful monitor of the online underground: because there is no reason for legitimate users to reach out to these addresses, mostly only suspicious software is likely to get in touch.
The telescope’s logs show the worm spreading in a flash flood. For most of 20 November, about 3000 infected computers attempted to infiltrate the telescope’s vulnerable ports every hour – only slightly above the background noise generated by older malicious code still at large. At 6 pm, the number began to rise. By 9 am the following day, it was 115,000 an hour. Conficker was already out of control.
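The telescope idea described above can be sketched as detection logic. This is an added example, not code from the article or from the telescope's operators: it counts distinct sources per hour that touch unused address space and flags hours that rise well above the quiet baseline. The dark prefix, record format, dates, threshold and scaled-down counts are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: the telescope's unused ("dark") block; a constructed range.
DARK_NET = ipaddress.ip_network("198.18.0.0/15")

def hourly_unique_sources(records):
    """Map each hour to the set of distinct sources that probed a dark address."""
    hours = defaultdict(set)
    for line in records:
        ts, src, dst = line.split()
        if ipaddress.ip_address(dst) not in DARK_NET:
            continue  # traffic to live hosts is not telescope data
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        hours[hour].add(src)  # a set, so repeat probes do not inflate the count
    return hours

def surge_hours(hours, factor=3.0, warmup=3):
    """Flag hours whose source count exceeds factor x the median of quiet hours."""
    quiet, flagged = [], []
    for hour in sorted(hours):
        count = len(hours[hour])
        if len(quiet) >= warmup and count > factor * median(quiet):
            flagged.append((hour, count))  # surge hours stay out of the baseline
        else:
            quiet.append(count)
    return flagged

def constructed_sample():
    """Constructed, scaled-down records in the form 'ISO-time src dst'."""
    per_hour = {14: 3, 15: 3, 16: 4, 17: 3, 18: 6, 19: 20, 20: 60}
    lines = []
    for hour, n in per_hour.items():
        for i in range(n):
            for k in range(2):  # every source probes two dark addresses
                lines.append(f"2008-11-20T{hour:02d}:{i:02d}:00 "
                             f"203.0.113.{i + 1} 198.18.{k}.{i + 1}")
    lines.append("2008-11-20T14:05:00 203.0.113.200 192.0.2.10")  # not dark
    return lines

if __name__ == "__main__":
    for hour, count in surge_hours(hourly_unique_sources(constructed_sample())):
        print(f"{hour:%H:%M} {count} distinct sources")
```

Keeping flagged hours out of the baseline matters for an outbreak like the one described: otherwise a sustained surge quickly becomes the new "normal" and stops alerting.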
