Conficker infections drop overnight
Published: 2010-01-04

People have one more reason to celebrate the new year, according to the Shadowserver Foundation: Nearly a million Conficker-infected computers have oddly disappeared overnight.

On Jan. 1, the number of IP addresses showing signs of infection dropped by about 820,000, to 5.3 million, according to data from the Shadowserver Foundation and the Conficker Working Group. The drop continued the botnet's waning during the latter days of December: On December 29, IP addresses showing signs of Conficker infections peaked at 6.5 million before dropping to 5.3 million at the start of the new year.

Andre' DiMino, director and founder of the Shadowserver Foundation, said the group did not have enough data yet to determine the cause of the drop.

"Is it because of the holidays, because a large number of work PCs were turned off? Or did companies take the time to clean up the problem? We really don't have any conclusions yet," he said.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm initially spread using a vulnerability in Microsoft Windows and contacted 250 random domains to check for updates. By April, Conficker had morphed into a botnet that maintained peer-to-peer connections, but no longer spread automatically. Where the first versions of the program contacted 250 random domains, the latest version generates 50,000 random domains every day and contacts 500 of them for updates. The Conficker Working Group has blocked the software from updating itself by pre-registering domains and provides resources to companies to help detect and remove infections.

Last month, the Shadowserver Foundation started publishing the names of the network owners who continued to have a large number of infected computers. Those numbers stayed fairly consistent during the month, between 6.0 million and 6.7 million IP addresses, until they started dropping on the 29th.

The drop may not be long-lived, however. By Saturday, the signs of infection had already rebounded to 5.6 million.

"It's starting to creep back up, but we are still a million off from where we were," DiMino said. "It will really be interesting come Monday and Tuesday, when machines start coming back on. That will really tell us whether this was remediation or just a blip."

Posted by: Robert Lemos