Microsoft Puts Up $250K Reward For Conficker Creators
In an effort to impede the spread of the Conficker malware, Microsoft is forming a coalition composed of security industry researchers and academia to tackle the problem.
And to spur the effort, the newly formed coalition is offering a $250,000 bounty for any information leading to the arrest and conviction of the malware authors responsible for launching the Conficker worm over the Web. Microsoft researchers say that the reward serves as a counteracting force for what the security industry considers a criminal attack. Residents of any country are eligible for the reward, according to their national laws, because the Conficker worm affects businesses and individuals on a global scale.
Security experts say that as worms like Conficker evolve in sophistication, a greater level of industry coordination, as well as new technologies, will be required in order to mitigate the threats and keep users safe.
"Botnets themselves have been getting more and more sophisticated. Conficker is no different," said Vincent Weafer, vice president of Symantec Security Response. "It was too big a problem for any single group or organization."
One new approach, Weafer said, will be to nip the problem in the bud by collaborating with domain registrars to ensure that they're not leveraged by botnet creators.
"What's easier, fighting 10 million spam or taking down one domain?" Weafer said. "Now, domain registrars are increasingly coming into this discussion, as well as hosting providers. It's another model. If you can cooperate and if you can share data, then you can see that collaboration continuing."
Altogether, the coalition, formed specifically to fight Conficker, is composed of Internet Corporation for Assigned Names and Numbers (ICANN), Neustar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, MID Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.
"The best way to defeat potential botnets like Conficker/Downadup is by the security and domain-name system communities working together," said Greg Rattray, ICANN chief Internet security adviser, in a written statement. "ICANN represents a community that's all about coordinating those kinds of efforts to keep the Internet globally secure and stable."
The Conficker worm emerged last October, exploiting a critical Microsoft flaw in the way the Server service handles RPC requests. Since then, the worm has spread rapidly across corporate networks in multiple variations, infecting millions of users. One recent Conficker variation spread from network to network through infected USB sticks.
One of the features that distinguishes the Conficker worm is that it patches the vulnerability it exploited on the machines that it infects, possibly to prevent the machine from being infected by competing malware, experts say.
While Microsoft issued an emergency out-of-band patch in October of 2008 repairing the vulnerability, the security update was too late to prevent attackers from exploiting the flaw in the weeks that followed.
Microsoft also warned users in its security advisory that the vulnerability "could be used in the crafting of a wormable exploit," and advised users to protect their networks from external malicious threats with updated firewalls.