» 20 April 2009
Conficker botnet smaller than worst fear

The Conficker botnet may actually be considerably smaller than initial speculation suggested. This emerged after computers infected with the Conficker worm began updating last week using the worm's own P2P update capabilities, downloading components of the malicious anti-malware program SpywareProtect 2009 and a bot client, Waledac. Waledac is another worm that also enlists infected computers into a botnet and is believed to have been created by the same people behind Conficker. This latest version of Conficker has been dubbed “Downadup.E” by analysts from Symantec.

Kaspersky Lab has monitored communication between Conficker-infected machines on the P2P network using an application it developed specifically for this job. Its analysts observed 200,525 unique IP addresses participating in the botnet over a period of 24 hours, a far cry from the millions of infected machines initially expected.

However, the application observed only machines infected with the updated versions of the Conficker worm communicating with each other within the network, which, according to Kaspersky, may account for the surprisingly low figure. Most of the machines infected with previous versions and variants of the worm had not upgraded to this latest variant and were not monitored.

With regard to the distribution of the infection across the globe, Kaspersky's analysis indicates that most regions of the world were infected and that densely populated areas do not necessarily have higher infection rates. It was also observed that while infected machines can easily find another infected machine and maintain a connection, some machines do not seem to have any connections to other infected machines in the network.

This new version of the worm can now automatically check whether the computer it has infected has internet access by trying to connect to popular websites such as CNN.com and Myspace.com. It can also delete itself from the infected machine to hide its traces. Conficker is set to partially shut down on May 3, but experts believe the worm will do this in order to get rid of material related to earlier versions of Conficker, which were more visible than the current variant.
