Lost amid all of the breathless reporting on Conficker’s update mechanism this week was the fact that machines infected with the latest version of the worm, Conficker.C, have effectively stopped previous versions of the worm from spreading.
As Byron Acohido reports:
Conficker is no longer looking for unpatched Windows PCs to spread. Variant C, which appeared in the wild on March 5, scans the Internet for PCs infected with previous variants, A, B and B++.
Conficker C shut off the spreading mechanisms in these machines, and installed instructions to check in at 500 rendezvous points, selected randomly from a list of 50,000 web domains, each day, beginning yesterday, April 1.
This is an important detail, and one that has not gotten much attention yet. It’s not clear how many machines are infected with each separate variant of the worm, but the fact that the Conficker authors took the step of stopping earlier versions from spreading shows that mass infections clearly are not the endgame.