IT Security Blog

25 March 2009

Much Ado About Conficker?


There certainly is a lot of attention being paid to the Conficker botnet these days.  Some of this attention is warranted.  What is its purpose?  What is it going to do?  What is it going to be used for?  Will it be split up and sold off to the highest bidders?  All valid questions, but recently most of the attention surrounding Conficker has been around what is being called the "activation" of the botnet on April 1 (April Fool's Day.  Coincidence?). 

Earlier this month a new variant of the Conficker worm, dubbed Conficker.C, was pushed out to update machines that had previously been infected with Conficker.B (the previous variant of the worm).  Several improvements were made in Conficker.C that make it more difficult to infiltrate than its predecessor.  Firstly, it moved away from a pull model in which infected hosts would ping back to a command and control server (the URL it would communicate with was randomly generated by an algorithm within the malware code) to see whether any updates were waiting to be downloaded.  Conficker.C has moved to a push-based update method, where code changes are sent from a command and control host down to the infected client.  The malware further updated itself to include code-signing techniques so that it will only accept properly signed updates from its own authors.  These changes are game changers for the way security researchers have generally infiltrated and analyzed botnets. 

One of the other major changes that was introduced in Conficker.C was the number of domains that are registered by the botnet to distribute code updates.  In Conficker.B there were 250 random URLs being generated on a daily basis that the botnet would use to look for updates.  Researchers were able to crack the URL generation algorithm and figure out what domains were going to be used on what days so that they could register those domains in advance of the botnet attempting to use them.  In response, the Conficker authors seriously upped the ante by changing the number of URLs used by the botnet from 250 daily to 50,000.  A virtual scoff from the worm authors. 
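
As an added illustration (not code from this blog, and not Conficker's actual generator): a toy date-seeded domain generator stands in for the reversed algorithm, and a check runs the day's predicted list against constructed DNS query log lines so that infected hosts can be spotted from their lookups even before the names are registered or sinkholed. The seed, label length and TLD list are assumptions.

```python
import hashlib
from datetime import date

# Toy, hypothetical date-seeded generator standing in for a reversed algorithm.
# It is NOT Conficker's real generator; seed, label length and TLDs are assumptions.
SEED = b"constructed-example-seed"
TLDS = ("com", "net", "org")


def predicted_domains(day, count, seed=SEED):
    """Derive `count` candidate domains for `day`, deterministically.

    A defender who has reversed the generator can run this ahead of time to
    pre-register or sinkhole the names, or use them as a DNS watch list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append("%s.%s" % (label, TLDS[digest[10] % len(TLDS)]))
    return domains


def flag_queries(log_lines, day, count):
    """Return (client, qname) pairs whose query names are on `day`'s predicted list."""
    watch = set(predicted_domains(day, count))
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        name = qname.rstrip(".").lower()   # DNS logs often end names with a dot
        if name in watch:
            hits.append((client, name))
    return hits


# Constructed sample DNS query log: "<timestamp> <client> <qname>". Line 2 is
# built from the generator so it matches the day's list; the rest are benign.
DAY = date(2009, 4, 1)
SAMPLE_LOG = [
    "2009-04-01T00:01:02 10.0.0.5 www.example.com.",
    "2009-04-01T00:01:09 10.0.0.7 %s." % predicted_domains(DAY, 250)[17],
    "2009-04-01T00:02:11 10.0.0.5 updates.example.net.",
]

if __name__ == "__main__":
    # 250 names a day can be pre-registered by a coordinated effort; 50,000 a
    # day is the scale change the post describes, and is why logs still matter.
    print("%d candidates for %s" % (len(predicted_domains(DAY, 50000)), DAY))
    print("suspicious queries:", flag_queries(SAMPLE_LOG, DAY, 250))
```

Pre-registration cost grows with the daily count, but the watch-list check above costs the same whether the list holds 250 or 50,000 names.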

On April 1, the botnet is said to activate its latest variant, Conficker.C, and rumors are running rampant as to what the wide-scale implications will be.  All we know at this point is that on April 1, Conficker.C will start using its new code and algorithms to make the botnet much more resilient to penetration by security researchers.  We have spoken several times now about how malware authors are attempting to build the next-generation botnet after the McColo shutdown.  Conficker is a clear example of a proof of concept that will likely be used by malware authors until the "next big idea" comes along. 

Will it ever actually be used for anything?  Sure, it will.  Why go through all of this effort to create such a huge botnet and then not use it for something?  In a financially motivated economy it doesn't make sense not to rent it out or sell it off.  My point is: don't buy too much into the April 1 hype.  It very well could be much ado about nothing.
Posted by smasiello at 2:56 PM
Re: Much Ado About Conficker?
I do think Conficker will make a splash--but, luckily, it will be a much smaller splash than it would have a couple of years ago. People (and companies) are much better about patching and running anti-virus.

Countries with poor infrastructure and/or rampant software piracy are the hardest hit.

Unfortunately, those hit hardest by Conficker are already getting malware on a regular basis and have become desensitized to it. They'll get Conficker.. but for many of them it isn't the first, second or even third botnet they've been a part of.

Who knows... maybe Conficker's media attention will help push to improve infrastructure and security practices for those who seem to have not picked up on it over the last few years.

http://voices.washingtonpost.com/securityfix/2009/03/conficker_doomsday_or_the_worl.html?wprss=securityfix

In any case, we'll just have to watch and see what we'll need to defend against when those infected computers do get put to use. It's unfortunate--because people should already know better and it shouldn't be such a widespread infection.
Posted by MarvinK on March 28, 2009 at 8:10 AM