Microsoft Slaps $250K Bounty On Conficker Worm

alphadogg writes "The spreading Conficker/Downadup worm is now viewed as such a significant threat that it's inspired the formation of a posse to stop it, with Microsoft leading the charge by offering a $250,000 reward to bring the Conficker malware bad guys to justice. The money will be paid for 'information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet,' Microsoft said today in a statement, adding it is fostering a partnership with Internet registries and DNA providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all. Conficker, also called Downadup, is estimated to have infected at least 10 million PCs. It has been slowly but surely spreading since November. Its main trick is to disable anti-malware protection and block access to anti-malware vendors' Web sites."

The new business plan

[140Mandak262Jamuna]

1. Write malware for windows

2. Give it to a bunch of script kiddies anonymously in bulletin boards.

3. ...

4. Turn them in to MSFT for the bounty.

5. Profit

Re:The new business plan

[Locke2005]

My thoughts exactly. If hackers can now make big bucks by writing worms then framing someone else for turning them loose on the world, doesn't that provide a powerful incentive to write more worms???

Re:The new business plan

[John+Hasler]

They also have to successfully pull off the "framing" part. The authorities are not unfamiliar with the idea that their informants may be lying for the reward.

Re:The new business plan

[binarylarry]

Yes, I highly doubt the Hans Reiser defense is going to work that well here either.

"illegally" launching?

[djce]

Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's illegal. In other words, innocent until proven guilty.

Re:"illegally" launching?

[Actually,+I+do+RTFA]

Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's illegal. In other words, innocent until proven guilty

Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's following American conventions. In other words, guilty until proven innocent

Re:"illegally" launching?

[gad_zuki!]

First off, all politics is local. My local laws apply to what you do to me or my equipment in my jurisdiction. On top of that, in civilized countries all this shit is illegal. Remember the sasser worm? MS paid out a 250k bounty and the author was revealed to be a German who was later convicted.

Secondly, its not too hard to figure out who did this. A lot of these trojans wont install if your default language is Russian. How odd, eh? Essentially, this is a hand out to the Russian government because it protects and profits from its industry of malware writers, most notable The Russian Business Network. These guys arent getting caught. They have the full protection of the Russian government. MS and the rest know this, but they also know that money talks and a high profile defector would be good for the cause.

Perhaps its time to just firewall off Eastern Europe, Russia, and China and call it a day. Whitelist them when needed.

Re:"illegally" launching?

[ndege]

Perhaps its time to just firewall off Eastern Europe, Russia, and China and call it a day. Whitelist them when needed.

Been there, done that: At least on our email servers. In addition, I have blocked every country other than the US with an iptables deny rule ("they" can't even ping the mailserver). Before you start complaining, please be aware that I work for a small (approx 60 email accounts) US-based management company that only deals with other US companies. In the past 6-7 months that my iptables rules have been in place on the mail server, incoming spam has dropped 80-90%. In addition to blocking everything but the US IP space, we are running postfix/amavis/spamassassin/clamav/postgrey and have configured a few RBLs. Very little spam gets through these days.

I am using ipdeny.com for the lists of IP space sorted by country: http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

If you would like my script, post a reply to this message, and I will either post the script directly in the comments or email you privately.

The solution to simply block off non-US IP space is an ugly vile hack to how the Internet was originally designed. Meanwhile back in modern-day reality, the hack works well.

-JL

Microsoft: Release a mandatory patch to stop it...

[Culture20]

Microsoft, release a mandatory update to turn off auto-run/play, and show a reoccuring opt-out prompt on login that explains that auto-run is turned off, and the risks of turning it back on.

At least make XP's version of the patch that allows GPO auto-run disable to work properly a mandatory update. If no one's in a GPO, it won't break anything. If they are in a GPO that turns autorun off, then it should be turning auto-run off!

Re:Microsoft is responsible

[The+Cisco+Kid]

Any person that has anything to do with information technology (computers) anywhere in the world, that can read and understand the language commonly used in their part of the world, that doesn't already know that most software produced by MS is riddled with "defects", is either not paying attention or is seriously brainwashed.

Re:250K is too low

[Bill+Dimm]

10 million zombie PC's are worth more than $250K

The 10 million zombies may be worth much more than $250k to the person that controls them, but they are worth nothing to the guy that lives down the hall from the person that controls them, so he might be quite happy to pick up the money if he knows something.

Re:Malicious?

[StikyPad]

Using my resources without my consent is malicious.

In separate news, Microsoft budgeting an extra

[mkcmkc]

US$398 to fix security problems with their software...

Re:Microsoft is responsible

[techno-vampire]

And I suppose all the Windows users deserve what they are getting?

Like you, I love and use Linux, but I don't think that Windows users shouldn't have an OS that's as easy to secure (and use in a secure way) as you and I do. It can be argued, however, that Windows users, in general, have never demanded a secure OS, so Microsoft's never really had any reason to give them one.

*What* providers?

[nsayer]

DNA providers such as ICANN, ORG, and NeuStar

Hey, I'm a DNA provider too, baby.

Re:Microsoft is responsible

[gad_zuki!]

>Microsoft deserves exactly what they are getting. They could have very easily allowed a power user setting in XP home.

Thats what vista does and the UAC kicks in when you need admin access. There has been nothing but complaints and bitching about this. People are surprised their 10 year old software that writes to c:\temp doesnt work anymore. Now that there's an NT ecosystem of software out there (write to profile area, not to system area when running), its easier for MS to do this. Shame that even the good changes MS does is received with the same old bellyaching.

>Also, for a project I'm working on, I was looking to secure just the ability to change some network settings

You didnt try too hard did you? Add them to the Network Config built-in group. I also believe there's a group policy setting for this.

>Again, Microsoft deserves everything they are getting.

MS is a company. It doesnt feel pain or shame. Right now the people feeling the pain are innocent users. Perhaps you should have a little sympathy for them.

oops

The worm authors made just one mistake... they were far too successful. They wanted a botnet. Maybe a few thousand computers. Maybe 10 - 20 thousand.

Instead, they wrote a fast spreading worm that infected millions of computers.

What's the difference? The guys who infect 10,000 computers are small fries, and no one is going after them. Infect millions of computers though, and every computer crime agency on the planet will be after you...

Conflicker Flavors

[pyrrhonist]

From the article:

Symantec, which is contributing its malware-analysis expertise to the group, believes there are two main versions of Conflicker, "Flavor A" and "Flavor B,"

The flavors were determined using LOLCATS. True story.

Not likely

[symbolset]

This program, which has been in place since 2003, has paid out a grand total of $250. All of it in one whopping check to the college mates of the Sasser programmer. Presumably they split it and bought some beer. The program manager must be quite proud of himself.

In related news, Microsoft is working with ICANN and others to prevent the registration of the domain this thing calls home to. It probably hasn't even occurred to them that the programmers ran their random name generator out a long way in advance, registered the domain in the name of some perfectly innocent third party long ago and that they're too late because launch day for downadup is tomorrow since they always kick these things off of the eve of a holiday weekend.

If you admin Windows desktops, I wouldn't invest too much in your plans for this weekend.