Friday, February 13, 2009

Microsoft sets a bounty on the guys that created the Conficker Worm

The Conficker worm, also known as the Downadup, Downup, or Kido virus, which targets Windows computers, has become such a significant threat that Microsoft has set a bounty on whoever created the virus. Click on the title of this post to read the full report at Network World (you may have to click past an ad to get to the article). But briefly,

The money will be paid for "information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet," Microsoft said today in a statement, adding it is fostering a partnership with Internet registries and DNS providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all. (snip)

Conficker, also called Downadup, is estimated to have infected at least 10 million PCs. It has been slowly but surely spreading since November. Its main trick is to disable anti-malware protection and block access to anti-malware vendors' Web sites.

But security experts are concerned about a potentially much worse second stage of the Conficker worm, as it calls home each day to more than 250 command-and-control servers around the world as it awaits instructions on future downloads or actions.

"The policy we have here is to target the update mechanism," says Gerry Egan, director of product management for security products and response at Symantec, a member of the stop-Conficker coalition.

While the unique domain names for servers used for Conficker control may constantly change on a daily basis, the anti-Conficker coalition anticipates that by the major domain-name registrars working in collaboration, it may be possible to "take out those domains," or otherwise interfere in the smooth flow of the Conficker operations, says Egan.

A Microsoft spokesperson says Conficker is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend. A large percentage of these domains are being blocked from being registered. Secondly, a number of the domains are being redirected toward "sinkhole" servers that are owned by trusted research partners around the world. Sinkhole servers allow researchers to observe the worm’s activity, according to Microsoft.
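The excerpt above describes the worm computing a fresh list of domains every day and the coalition pre-registering or sinkholing them. Below is an added example (my own code, not from the original post, and not Conficker's actual algorithm) showing why that defence works: a domain generator that depends only on the calendar date can be run by the defender just as easily as by the worm. The seed derivation, label alphabet, TLD list, log format and sample DNS log lines are all constructed for illustration.

```python
"""Date-seeded domain generation, seen from both sides.

Added example, not code from the original post and not Conficker's real
algorithm: the seed derivation, label alphabet, TLD list and the sample
DNS log lines below are all constructed for illustration. What it shows
is why a DGA that depends only on the date can be pre-empted: the
defender runs the same function ahead of time, registers or sinkholes the
output, and can flag hosts that query those names.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # assumed TLD list, not the worm's
DOMAINS_PER_DAY = 250


def daily_domains(day: date, count: int = DOMAINS_PER_DAY) -> list:
    """Derive `count` domain names from the calendar date alone.

    Every infected host computes the same list for a given day, so a
    defender who knows the algorithm can compute it too.
    """
    seed = day.isoformat().encode()
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                      # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def upcoming_domains(start: date, days: int) -> set:
    """Union of the daily lists for `days` days starting at `start`.

    This is the list a registrar coalition would block from registration
    or point at sinkhole servers before the worm ever asks for them.
    """
    out = set()
    for d in range(days):
        out.update(daily_domains(start + timedelta(days=d)))
    return out


def flag_hosts(log_lines, blocklist, threshold: int = 3) -> dict:
    """Return {src_ip: hit_count} for hosts that queried at least
    `threshold` names from `blocklist`.

    Log format is constructed for this example: "<timestamp> <src_ip> <qname>".
    Malformed lines are skipped rather than raising, since real resolver
    logs are messy; names are normalised (trailing dot, case) before lookup.
    """
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, src, qname = parts
        if qname.rstrip(".").lower() in blocklist:
            hits[src] = hits.get(src, 0) + 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample: the day of the post, three of that day's generated
# names from one host, one from another, plus ordinary traffic and noise.
DAY = date(2009, 2, 13)
TODAY = daily_domains(DAY)
SAMPLE_LOG = [
    f"2009-02-13T09:00:01 10.0.0.5 {TODAY[0]}",
    "2009-02-13T09:00:02 10.0.0.5 www.example.com",
    f"2009-02-13T09:00:03 10.0.0.5 {TODAY[17]}.",   # trailing dot, as resolvers log it
    f"2009-02-13T09:00:04 10.0.0.9 {TODAY[42]}",
    f"2009-02-13T09:00:05 10.0.0.5 {TODAY[199].upper()}",
    "garbage line that does not parse",
    "2009-02-13T09:00:06 10.0.0.9 mail.example.org",
]


def demo() -> dict:
    """Block two days ahead (today and tomorrow) and scan the sample log."""
    blocklist = upcoming_domains(DAY, 2)
    return flag_hosts(SAMPLE_LOG, blocklist)


if __name__ == "__main__":
    print(f"{len(TODAY)} names for {DAY}, first: {TODAY[0]}")
    print("flagged:", demo())
```

Two things worth noting from running it: computing tomorrow's list is exactly as cheap as computing today's, which is what lets registrars act before the worm does, and a single hit from a host is not much evidence (a typo or a researcher's lookup looks the same), so the detector needs a threshold before it names a machine as infected.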

Apparently the malware has spread much more in Asia than in the U.S. so far, but it is beginning to show up here. The patch for the Windows hole the worm exploits to spread over the network was released in October 2008 (MS08-067). If your work or home computer is not automatically updated with Microsoft patches, now would be a really good time to update your Windows! Keep in mind that the patch only closes the hole; it does not clean a machine that is already infected.
