A malicious software program that has infected millions of computers could enter a more menacing phase on Wednesday, from an outright attack to a quiet mutation that would further its spread.
Computer security experts who have analyzed the Conficker worm's code say it is designed to begin a new phase on April 1, and while it's unclear whether it will unleash havoc or remain dormant, its stubborn presence is rattling businesses with multimillion-dollar budgets to fight cyber crime.
Conficker, believed to reside on 2 million to 12 million computers worldwide, is designed to turn an infected PC into a slave that responds to commands sent from a remote server that controls an army of slave computers known as a botnet.
It can be used to attack as well as to spy. It can destroy files, it can connect to addresses on the Internet and it can forward your e-mail, said Gadi Evron, an expert on botnets who helps governments protect against cyber crime.
But like many security experts, he doubts Wednesday will see a big attack.
The virus has been powerful enough to attack infected computers for months by exploiting weaknesses in Microsoft's Windows operating system. Evron and several other analysts said Wednesday's change could simply give Conficker enhanced functionality, possibly making it more dangerous.
This is the electronic equivalent of being told there is a major storm that has a 20 percent chance of hitting, said Mark Rasch, an executive at Secure IT Experts who spent 25 years prosecuting computer crimes at the U.S. Department of Justice.
It's not time to hide in the bunker. But it might be prudent to look out the window, he added.
In February, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of whoever is responsible for creating Conficker, saying the worm constituted a criminal attack.
FEARS OF ID THEFT
Botnets are a major worry because they can surreptitiously steal identities, log sensitive corporate information, credit card numbers, online banking passwords or other key data users of infected PCs type on their keyboards.
The information is often sold to criminal rings.
Most malware we see in this day and age is very concerned with stealing information and making money for the author, said Dave Marcus, a researcher with security-software maker McAfee Inc's Avert Labs.
Experts said Conficker's authors might gradually change the way it communicates to avoid attention and to prevent companies from putting in place safeguards such as those used to fight the worm since it first surfaced last year.
Microsoft released a patch to protect against the worm late last year, while anti-virus software companies offer software to sniff it out and destroy it. Such tools can be expensive.
Technology research firm Gartner Inc estimates businesses will spend $13.6 billion on security software this year excluding costs for related labor, services and hardware. While some consumer anti-virus software packages are available for free, others run as high as $80 each.
Security experts suspect Conficker originated in the Ukraine, based on its code. The FBI is working to shut it down but a spokesman declined to comment on its investigation.
The public is once again reminded to employ strong security measures on their computers, said Shawn Henry, assistant director of the Federal Bureau of Investigation's cybercrimes division.
Independent security firms such as McAfee, Symantec Corp and Trend Micro Inc say they will closely monitor cyberspace on Wednesday to see how the worm mutates but will also watch closely over coming weeks as the hype fades.
I don't expect much to happen on April 1st. That's the one day I would not do it. That's the one day everybody is watching for something to drop, said Joe Stewart, director of malware research at SecureWorks. It's just another small step in whatever the end game is.