Conficker Computer Worm Activates April 1 Estimates of the number of computers infected with the Conficker worm run from 1 milllion to 12 million. The malware's deadline is April 1, 2009, but no one really knows what will actually happen to the infected computers.
NPR logo

Conficker Computer Worm Activates April 1

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Conficker Computer Worm Activates April 1

Conficker Computer Worm Activates April 1

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


Tomorrow is April 1st, and depending on who you believe, it'll be a grim day for the Internet or just another April Fools. By now, you've probably heard of the Conficker worm. Estimates of the number of computers infected run from one to 12 million. And the malware contains a deadline of sorts tomorrow, which means, well, nobody really knows what it means.

Larry Magid is a tech analyst with CBS News and If you'd like to talk with him about the worm, if you work in computer security, give us a call: 800-989-8255. Email us: Or join the conversation on our Web site at Just click on TALK OF THE NATION. Larry Magid is with us now from his office in California. Nice to talk with you again.

Mr. LARRY MAGID (Tech Analyst, CBS News, Nice to talk to you, too.

CONAN: So, tomorrow should we all be concerned that the whole computer system across the country is going to freeze up?

Mr. MAGID: Yeah, I'm kind of looking forward to a day off. There'll be no Internet to bother me.

(Soundbite of laughter)

Mr. MAGID: I don't think we're going to see anything catastrophic tomorrow. In fact, I'm quite sure we won't, because even if this worm were very effective, there's no reason why they'd want to shut down the Internet or do anything massive or show-offy tomorrow because these are not hackers that are doing it for fun.

These are criminals. These are people who have a financial motive, and their goal is not to do something splashy, but to grab passwords or perhaps to turn your and my computer into a spammer, a spambot as they call it. And they're not going to do it all at once. They're not going to shut things down.

If anything, if there is a big threat - and I think there's always a threat, I mean, in a sense, this reminds us that we always have to worry about it - it's going to unfold over the coming weeks and months, not over the next day or 24 to 36 hours.

CONAN: Yet a lot of people who've looked into it say this is the most devious, cleverest worm they've ever seen.

Mr. MAGID: That's right. And by the way, the reason why we're concerned about April 1st is because when people looked at the code, they found something in there that says it will phone home, so to speak. It can get instructions, because right now, the worm has no payload.

It replicates itself, and that by itself is annoying because it can slow down networks. But it doesn't, as far as we know, steal passwords or do any damage. But on April 1st, it could get new instructions. And you're absolutely right. This worm has morphed itself. It's figured out ways, for example, to fool some of the security researchers.

Initially, it had 500 or so domains in it, the places that it would phone home, so to speak. And the security research began to buy up those domains to make sure it couldn't happen. Well, then it came up with another 50,000. I hear it keeps adding domains. So it's very clever in terms of trying to fool the good guys. But the good guys have a lot of resources as well, which is one of the reasons I think we're going to be reasonably prepared for this.

CONAN: What does Conficker stand for anyway?

Mr. MAGID: Oy, I was afraid you'd ask me that. You know, I actually don't know. Do you? That's a good question.

CONAN: I don't.

Mr. MAGID: I never looked it up.

CONAN: It's also referred to as the Upadek(ph).

Mr. MAGID: Yeah, it has all sorts of names.

CONAN: And what…

Mr. MAGID: I think what happens is that when the virus labs find it, they give it a name. And sometimes different labs give it different names. So, it's Kido, it's Downadup, different names. But the bottom line is it's similar to other worms in that it replicates itself across networks, across what are called network shares. So, for example, if you're sharing your files or folders, it can go that way.

Also, it can replicate itself on USB devices. So, if you put a USB key in your computer, for example, for data, and if autorun is turned on, it can replicate itself that way. So, a little more pernicious, but pretty much similar to the worms that we've seen before.

CONAN: Here's an email from Colleen(ph) in Jackson, Wyoming. I'm a Macintosh consultant. Many clients have been calling, concerned about the Conficker worm, especially after it was featured on "60 Minutes" last weekend. You have to do quite a bit of digging online to discover that Conficker does not affect the Mac operating system. It will, of course, affect a Mac running Windows.

I wish I had more stories about malware that would mention whether the bug in question will harm Macs and Linux computers. We're minorities, but we are not that few and far between. Is she right?

Mr. MAGID: Yeah. Well, those Mac users can be very smug this time because it's going to affect the Mac. And in fact, Macs do have fewer worms and viruses that affect them than Windows. Some people say because it's inherently safer. Most people think it's because it's just not as big a target.

But for whatever the reason, this is a Windows phenomenon. So, Mac users, you can take the day off and relax. But that doesn't mean that you don't have any threats. There have been some worms that have gone after the Mac.

CONAN: And what it does, we think - we're not quite sure what it does, but one of the things it seems to be set up to do is to form that so-called botnet we were talking about - spambots - before. In other words, it seizes however many computers it has affected, it takes them over and uses them to send out spam or something else.

Mr. MAGID: It's sometimes referred to as a zombie or a botnet, bot for robot. So you could be an innocent person online at home, doing your thing, or it could be at work, your computer could be infected. And all of a sudden your computer is spreading this to other computers. It could be perhaps sending out spam, and that's why it's not only in your self-interest to inoculate yourself. And the good news, this is very easy to protect yourself from. I think it's your civic duty, and I really do think that if you look at the national information infrastructure - sure, we can think of the big systems and all the big institutional computers, but the fact is that my PC, my laptop, sitting on a DSL line or a cable modem in my home, it's part of that infrastructure.

If I'm infected, I could then spread that infection and you could be affected. So we all have a responsibility, both for selfish reasons, and might I say patriotic or civic reasons, to patch our systems.

CONAN: Patch your system - how do you do that?

Mr. MAGID: It's actually quite easy. Windows XP and up, Windows XP Service Pack 2 and up, has an automatic update feature that should be turned on - and you can control this through the control panel - which will periodically go to Microsoft and look for security patches or fixes. And if it finds them, it will install them.

You can also manually, and I recommend you do this, even if you think you're safe, in Windows - Internet Explorer - you can't use Firefox for this - go to and it will automatically scan your machine, and if it thinks you need something, it'll install it for you.

So that is a patch that will prevent this. And in addition to that - I am not a shill for the antivirus companies, believe me. They don't need me to sell their wares this week. But make sure you've got a good up-to-date anti-malware or antivirus software. And there are even free ones out there that you can get.

In fact, if you go to my Web site,, you'll see a list of tools. At - we have other resources out there. But there's plenty of tools out there that you can use to protect yourself.

CONAN: Let's get a caller in on the story. This is Becky calling from Indiana.

BECKY (Caller): Hi.

CONAN: Hi, Becky.

BECKY: I was just calling because I don't really know anything about the origin of that name, the Conficker virus. But I assume that it was a play on configure. And also that fick root is, oh, an incredibly vulgar word in German. So I didn't know if that was it or not, but that's my guess.

Mr. MAGID: By the way, we have some guesses as to where this thing came from. And some people say Russia, some people say Ukraine. One researcher who deconstructed it saw that the first thing it does, it checks to see if you have a Ukrainian keyboard, and if it does, it leaves you alone. But that could be because you're Ukrainian or maybe it just want to throw you off and make you think it's Ukraine.

CONAN: It's Ukrainian. Yeah, that was also, I understand, only the first version of the virus.

Mr. MAGID: Right, that too. So you know, it could be anywhere. Some people were saying it might have originated in China. It kind of doesn't matter. It could even be right from here in the United States. Wherever it's from, it's all over the world right now.

CONAN: Becky, thanks for the call.

BECKY: Thank you. Bye.

CONAN: Bye-bye. Let's see if we can go - this is Rex. Rex with us from Kentucky.

REX (Caller): Hi. It already is April 1 in large parts of the world. Do we not have any reports of anything happening in Japan, other parts of Asia?

CONAN: They have been strangely quiet. No…

Mr. MAGID: If they're too quiet, we have something to worry about. Look, as I said, it's not going to - even if it is what we are most afraid of, it won't blow up on April 1st.

It's perhaps - this is theoretically - maybe these computers in Japan got instructions to do something, but they're not going to do it right away. They might do it in May or June or August or a year from now or never. But no, I don't expect to see any major blow-up as a result of…

REX: I guess I wasn't thinking of blow-up so much, but these security organizations, can they detect this calling home, so to speak? Is there a lot happening in other parts of the world where it already is April 1? Or maybe they can't detect it.

Mr. MAGID: Yeah. I don't know if they've been looking at it. I'm going to be showing up at one of the antivirus companies tomorrow morning and seeing what they find. I'm not anticipating it's going to be too much, but that's a very good point. They may be able to certainly find additional network traffic.

If millions of PCs are, quote, "phoning home," then researchers could actually see that.

CONAN: Good question.

REX: Okay. Thanks very much.

CONAN: Appreciate it, Rex. Let's see if we can go now to - this is Robert. And Robert is calling from San Jose.

ROBERT (Caller): Hi. I have worked at one of those major security companies and we've been monitoring this, so I can actually answer Rex's question for him.

Mr. MAGID: Great.

ROBERT: I can't say which company, but it is one of the major antivirus companies. And I work directly in their security response team for the company, not just for our customers. And we've been monitoring it and we don't see any detection over the networks of anything suspicious, if you will, even if it's just can get a dormant payload for later on.

And recently, IOActive just actually released better detection mechanisms for people's network monitoring solutions to be able to detect this as well. And we also know that those 50,000 domains that are unknown are all related directly to a time algorithm. So if - if it knows it's April 1st, it'll take April 1st and then the time of day and then calculate that and spit out what the domain is, so we can figure out what those domains that they'll go to are and be able to block them.

And lastly, I wanted to also comment that this thing does detect - at least the C variant - it detects if it's in a so-called virtual environment. You know, us security researchers, we spend a lot of time digging through this in a secure environment, like a virtual machine. And it can detect that and not do anything to make our job harder.

Well, that inherently protects anybody that does cloud computing or virtualization on their servers because it thinks it's in a little honey pot but it's really in the production server and it will actually protect them. So they got a little added bonus like the Apple and Linux guys at this time around.

Mr. MAGID: Cool.

CONAN: So you seem to be saying maybe not such a big deal.

ROBERT: It's really not such a big deal. And we've already predicted that the infections have gone down from a much higher level as predicted, like 20 million at the beginning of the year, down to maybe - some research places are saying one million, some are saying maybe five million. And of those, they're getting patched pretty quick or shut off by local ISPs pretty quick if they can detect if…

CONAN: So, it's…

ROBERT: …that system is actually getting hit.

CONAN: …going to turn out to be Y2K maybe.

Mr. MAGID: Well, you know, and I appreciate…

ROBERT: It really is looking that way so far.

Mr. MAGID: I appreciate security people like yourself that are not over-hyping this, because obviously there's a temptation among some of your colleagues or perhaps competitors to make a huge deal of this. And I think we ought to be aware, and we all ought to be using someone's antivirus - perhaps yours -software, but we don't need to be panicking. And I want to thank you for a voice of reason.

ROBERT: Yeah. Absolutely.

CONAN: Robert, thanks very much.

ROBERT: Thank you.

CONAN: Let's see if we can squeeze in one call quickly. This is Maryanne. Maryanne with us from St. Louis. Just have a few seconds, Maryanne.

MARYANNE (Caller): Well, I - it's probably irrelevant now, but I received an odd email from a brother of mine and I responded to it and he didn't respond back, and it was very out of character. It was a email, and I was on a list of people, and it was advertising electronics. And I opened it and then I thought, oh, this is really weird and I deleted it.

But I'm wondering, is that how it comes up? It comes up like a piece of spam from a relative, from someone that you know on your address list? Or - and what do I do now to make sure - I have Norton antivirus, I have that stuff.

CONAN: All right. Good questions. Larry Magid?

Mr. MAGID: Well, it could come via email, but you would have to do more than open it. You'd have to go to a Web site that was infected or run a program that was infected. So I have an odd brother as well. Oh, I have a regular brother with an odd email.

You know, but I don't think you have too much to worry about if you simply looked at the email. But it can come by going to infected Web sites. So either it's a site that was set up by a sleazy operator or a legitimate site that was taken over by somebody sleazy, and the purpose of those Web sites, they are called drive-by downloads.

So it sounds like you're doing the right thing by having an antivirus software. Again, make sure that Windows has the latest updates or patches from Microsoft, and then get a good night's sleep and don't worry.

CONAN: And we're sure Maryanne would never go to a sleazy Web site.


Mr. MAGID: Probably not deliberately, anyway.

CONAN: Maryanne, thanks very much.

MARYANNE: No problem. Thanks.

CONAN: Bye-bye. And Larry Magid, thanks so much for your time today.

Mr. MAGID: My pleasure.

CONAN: Larry Magid, a tech analyst with CBS News and with We have a link to his podcast on Conficker. You can get that at

And this is TALK OF THE NATION from NPR News.

Copyright © 2009 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.