Microsoft Offers Bounty for Capture of Conficker Creators

After weeks of combating the relentless spread of the Conficker worm — also known as “Downadup” — Microsoft announced a US$250,000 bounty for information leading to the arrest and conviction of the hackers behind the troublesome malware.

In addition to posting the reward, Microsoft revealed Thursday that it has formed a partnership with technology industry leaders and academia to launch a coordinated global response to Conficker. Organizations on board with the software giant’s plans include the Internet Corporation for Assigned Names and Numbers (ICANN), operators with the Domain Name System and various security researchers. An organized approach designed to disable domains targeted by the worm, they hope, will help stop its spread.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said George Stathakopoulos, general manager of the trustworthy computing group at Microsoft.

“By combining our expertise with that of the broader community, we can expand the boundaries of defense to better protect people worldwide,” he added.

Worm Holes

The Conficker worm spreads very easily and quickly. The malware initially began spreading via an RPC (remote procedure call) vulnerability through USB keys and hacking weak passwords. Microsoft issued a patch for it in October, but many organizations never updated their software, said Michael Argast, a security analyst at Sophos.

“There hasn’t been a payload delivery yet, so we don’t know what the author intends to do with all these infected machines. It could end up being a spam botnet used to steal confidential data — or simply sold to the highest bidder for other malicious purposes such as launching a [distributed denial of service] attack,” he told the E-Commerce Times.

The worm spreads through Windows file shares protected by weak passwords by copying itself to removable storage devices and exploiting the Windows Server service vulnerability MS08-067, according to Sophos. Once it is active, the worm will attempt to determine the public IP (Internet protocol) address of the infected computer via one of four IP address-detecting sites. It will access eBay, MySpace, MSN, CNN or AOL Web sites. And, of course, it will attempt to spread itself by accessing commonly used passwords.

“It isn’t actively doing anything other than spreading, but it is important to understand — the author can do whatever they chose to do with this. Once they’ve compromised the machine, all they need to do is register one of the thousands of domains these machines check regularly for updates and pump out any instructions they wish. If they want to delete all your data, or send it to Russia, or cause your machines to download Seti@Home and search for aliens — whatever — they can do it,” Argast said.

Faulty Towers

As is the case any time a new bit of malware emerges to exploit a flaw in Microsoft software, the company has taken it on the chin with the Conficker worm, said Graham Cluley, senior technology consultant at Sophos.

“It’s very easy to give Microsoft a hard time about the Conficker worm. Yes, it was their software that had the vulnerability that allowed the worm to spread, but companies have had a few months to patch their systems. Proper resources need to be put in place to roll out fixes whenever a critical vulnerability is found,” he told the E-Commerce Times.

“It exploits a Microsoft security hole, poorly chosen network passwords and uncontrolled USB use to spread across corporate networks. It then creates a botnet of compromised computers which could in the future do whatever the botnet’s owner wants — for instance, send spam, launch a denial-of-service attack, steal identities, etc.,” Cluley continued.

“Microsoft’s reputation, meanwhile, is badly shaken whenever a computer virus causes widespread problems for its users. It’s not been unusual in the past for prevalent malware to exploit weaknesses in the software giant’s software — as was the case with Conficker — or pretend to be messages from Microsoft technical support,” Cluley pointed out.

Globe’s Most Wanted

Putting a bounty on the head of those responsible for Conficker is a positive step, both Argast and Cluley agreed.

“Microsoft’s bounty is a way of keeping the true culprits behind the Conficker outbreak at the center of people’s minds, and might even possibly result in some positive response,” Cluley said.

Microsoft could take the reward a step further and allow other companies to pony up cash for the cause, Argast suggested.”I think the bounty is a great idea — and while it is hard to say if the amount will be sufficient, the intent is good. What might be an even better idea would be to set up some sort of organization that would allow others to pitch in to up the bounty to a truly significant amount. Conficker has cost millions of dollars of IT time and resources in cleanup, and I’m certain that others would be likely to contribute.”

Microsoft has offered rewards for malware creators before. Back in May 2004, for example, the software maker paid $250,000 to a group of informants who contacted the company about Sven Jaschan, the German teenager behind the Sasser and Netsky worms.

“Bounties are also good for drawing press attention, and this also increases the likelihood of someone being caught. A great non-bounty example was Zotob. Although there wasn’t a bounty on the head of the author, the fact that it infected CNN computers and caused an on-air outage resulted in a ton of press, and that author was caught and turned over to authorities in 48 hours,” said Argast.

“I’m very supportive of this sort of action — taking the battle to the virus authors is a critical step in turning the tide. Hopefully, if they end up being in a country like Russia or the Ukraine — which have been previously lax in prosecuting these sorts of crimes — the pressure may be enough to make changes to their laws and enforcement actions, which would have a big impact on the industry as a whole,” he added.

In the end, offering a reward costs Microsoft relatively little and may help solve the mystery of who created Conficker and why.

“Offering substantial rewards can do no harm. If a culprit isn’t found, then Microsoft hasn’t lost anything, and it may just entice some members of the computer underground to come forward with information. People considering releasing malware in the future should take careful note of this and think again.

“The big question is whether the bounty is large enough; $250,000 may have been enough to identify Sven Jaschan, the German teenager infecting computers for kicks, but is it going to be enough to encourage someone to inform on an organized criminal gang?” Cluley concluded.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

E-Commerce Times Channels