Conficker.c - April 1st payload still a mystery to researchers

Conficker.c - April 1st payload still a mystery to researchers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228

QUOTE: PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.

"So far, we haven't seen any evidence [on those machines] of what it will do April 1," added Stewart, although that's to be expected. "It's not April 1 yet, so they're not going to put something online, where it might be found. In fact, it's almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network."  Symantec Corp.'s Vincent Weafer, vice president of the company's security response group, agreed with Stewart that it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. "Nobody has any real idea," said Weafer. "There's no indication of what it will do April 1."

Weafer characterized the Conficker.c update as one to "armor and harden the existing infections," and noted that the variant, unlike its predecessors, cannot spread to other PCs. "This variant is very defensive-oriented," said Weafer, "to make it less visible and more resilient." Like Weafer, Stewart sees Conficker.c as a move by the worm's maker or makers to consolidate what's already infected. "The big question is what's the end game?" he said. "Is it just as big as they want it to get?"