Malware such as Conficker uses control servers to provide fresh instructions and updated software to the infected systems in its botnet.
Earlier versions of Conficker generated 250 possible domain names per day and attempted to contact all of them. An informal group led by Microsoft, and involving domain registrars, security companies and others, has been registering these domains before the people behind Conficker can claim them.
The latest version generates 50,000 domain names per day, though any particular instance makes a random selection of 500 names from that list and attempts to contact servers with those addresses.
It also takes steps to conceal its activity. Where the original Conficker issued DNS queries at five-second intervals, the revised malware waits a random period between 10 and 50 seconds. The absence of a simple pattern makes it less likely that the activity will be detected by automated tools.
In addition, the changes mean that Conficker now makes at most 500 DNS queries per day, compared with around 3,000 previously.
Once a Conficker instance manages to contact a control server and download fresh instructions, it waits three days before trying to call home again.
Mike Wood of security software specialist Sophos's Canadian operation has pointed out that a side effect of the change is that it should cause less collateral damage.
Sophos previously warned that some of the domains generated by Conficker correspond to genuine web sites that could be overloaded by millions of requests from infected PCs.
But with around 3 million Conficker infections, only 30,000 or so of them will try to contact any particular domain.
Wood says that would only mean an extra 21 requests per minute, and "If your site cannot handle that level of additional traffic, you might be in the wrong business."
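The two technical points above, the jittered query timing that defeats fixed-interval detection and the per-domain load estimate behind Wood's "21 requests per minute", can be checked from a resolver's point of view. The following is an added example and is not code from the article, Sophos or SRI; the log line format, the client addresses, the detection thresholds and the sample log are all constructed assumptions, and it applies the article's figures (3 million bots, 500 of 50,000 names each) to derive the expected load on one generated domain.

```python
"""Defender-side checks for the Conficker-style DNS behaviour described above.

Added example; this is not code from the article, Sophos or SRI. The log
format, the client addresses, the thresholds and the sample log lines are
all constructed for illustration.
"""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FMT = "%Y-%m-%dT%H:%M:%S"


def requests_per_domain(bots=3_000_000, names_per_bot=500, daily_pool=50_000):
    """Expected contacts a single generated domain receives, using the
    article's figures: each bot picks names_per_bot of daily_pool names.
    Returns (per day, per minute)."""
    per_day = bots * names_per_bot / daily_pool
    return per_day, per_day / (24 * 60)


def build_sample_log(seed=7):
    """Construct synthetic resolver log lines "<ts> <client> <qname> <rcode>".

    10.0.0.5 is a benign host; 10.0.0.9 mimics the revised Conficker timing
    (random 10-50 s gaps between queries, most names not registered).
    """
    rng = random.Random(seed)
    t0 = datetime(2009, 3, 10, 8, 0, 0)
    lines = []
    t = t0
    for name in ("www.example.com", "mail.example.com", "cdn.example.net",
                 "www.example.org", "time.example.net"):
        t += timedelta(seconds=rng.randint(60, 600))
        lines.append(f"{t.strftime(LOG_FMT)} 10.0.0.5 {name} NOERROR")
    t = t0
    for _ in range(40):
        t += timedelta(seconds=rng.randint(10, 50))
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(6, 11)))
        rcode = "NXDOMAIN" if rng.random() < 0.9 else "NOERROR"
        lines.append(f"{t.strftime(LOG_FMT)} 10.0.0.9 {label}.com {rcode}")
    return sorted(lines)


def parse_log(lines):
    """Group (timestamp, qname, rcode) events by client address."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = line.split()
        per_client[client].append((datetime.strptime(ts, LOG_FMT), qname, rcode))
    return per_client


def score_client(events, nx_ratio_min=0.5, min_unique=20):
    """Score one client. Rather than looking for a fixed beacon interval
    (which the 10-50 s jitter defeats), flag on what the jitter cannot hide:
    many distinct names, most of which fail to resolve."""
    events = sorted(events)
    total = len(events)
    nx = sum(1 for _, _, rcode in events if rcode == "NXDOMAIN")
    unique = len({qname for _, qname, _ in events})
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    # Coefficient of variation of the gaps: ~0 for a fixed cadence such as
    # the original 5 s polling, clearly positive once timing is randomised.
    gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 else 0.0
    nx_ratio = nx / total if total else 0.0
    return {
        "queries": total,
        "unique_names": unique,
        "nxdomain_ratio": round(nx_ratio, 2),
        "gap_cv": round(gap_cv, 2),
        "flagged": nx_ratio >= nx_ratio_min and unique >= min_unique,
    }


def find_suspects(lines):
    """Map each client in the log to its score dictionary."""
    return {client: score_client(ev) for client, ev in parse_log(lines).items()}


if __name__ == "__main__":
    per_day, per_minute = requests_per_domain()
    print(f"expected load per generated domain: {per_day:.0f}/day, {per_minute:.1f}/min")
    for client, info in find_suspects(build_sample_log()).items():
        print(client, info)
```

The `gap_cv` figure is reported only to show why an interval-based rule stops working once timing is randomised; the flag itself rests on the NXDOMAIN ratio and the number of distinct names, which the new timing does not change. The 500-query daily cap the article mentions means the `min_unique` threshold should be tuned to the observation window: over a full day a matching host will still produce hundreds of failing lookups.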
Researchers at SRI International's Computer Science Laboratory said they have not "seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants [of Conficker] since the Storm outbreak of 2007."