Feb 16 2009

Microsoft reached back to the days of the Old West last Thursday to battle an online worm that has infected millions of computers worldwide. It put out a bounty and assembled a “posse” to catch the bad guys.

Microsoft announced a $250,000 reward for information leading to the arrest and conviction of the author(s) of the Conficker worm, also known as Downadup. The worm first appeared late last year and has multiple ways to infect machines running Windows. Estimates of the number of infected computers range as high as 12 million, and those machines could be assembled into a gigantic “botnet” for distributing malware, sending spam or launching Distributed Denial of Service (DDoS) attacks. Microsoft released a patch in October (MS08-067, for the Windows Server service flaw the worm exploits), but unpatched machines and the worm's other infection routes have let it keep spreading rapidly.

The company also announced a large group of firms working together to combat Conficker. The group is made up of leading security firms, the Internet Corporation for Assigned Names and Numbers (ICANN), registries and leading operators of the Domain Name System (DNS). Microsoft’s announcement: http://tinyurl.com/am4xxg

Here’s a roundup of coverage:

Computerworld — http://tinyurl.com/bm2tok

PC World — http://tinyurl.com/bxutsa

Internetnews.com — http://tinyurl.com/bmwv84

InformationWeek — http://tinyurl.com/bg4efg

Washington Post — http://tinyurl.com/apzkjg

The posse was created to head the worm off at the pass, so to speak. The worm looks for new code by contacting a seemingly random list of domain names that changes every day. The algorithm used to generate those domains has been reverse-engineered by Finnish security firm F-Secure, so defenders can compute the same list in advance. The participating companies can then pre-register the domain names before the worm's author does, denying the worm its update channel, and because infected machines still dutifully check in at those domains, they can be identified and counted. This cuts the worm off from new instructions, although it does not stop it spreading by its existing routes or remove it from machines already infected.

Here’s a detailed description from Jose Nazario of Arbor Networks: http://tinyurl.com/c7vyu3
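To make the "pre-register and watch who checks in" idea concrete, here is an added illustration (my own example, not code from the post, from F-Secure or from the working group). The domain generator below is a deliberately simplified date-seeded stand-in and is not Conficker's actual algorithm; the resolver log lines and IP addresses are constructed. The point it shows is the two defensive steps: compute every name the worm could try for a window of days and register them all, then treat any host that looks up one of those names as infected.

```python
"""Defender's view of a domain-generation algorithm (DGA):
regenerate the daily candidate list, pre-register ("sinkhole") it,
and flag infected hosts from their lookups of sinkholed names.

The DGA here is a simplified, hypothetical date-seeded stand-in,
NOT Conficker's algorithm. All log data is constructed for the example.
"""

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # hypothetical TLD pool


def generate_domains(day: date, count: int = 50) -> list[str]:
    """Hypothetical DGA: anyone who knows the algorithm derives the same
    `count` names for the same calendar day, which is exactly what lets
    defenders register the names before the worm's author does."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4  # label of 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_set(start: date, days: int, count: int = 50) -> set[str]:
    """Every name for every day in the window: the defender must register
    all of them, because the worm only needs one that nobody grabbed."""
    names: set[str] = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset), count))
    return names


def find_infected_hosts(log_lines, sinkholed: set[str]) -> dict[str, set[str]]:
    """Parse resolver log lines of the form 'TIMESTAMP CLIENT_IP QNAME' and
    map each client that looked up a sinkholed name to the names it asked for.
    Names are normalised (case, trailing dot) before matching; malformed lines
    are skipped rather than allowed to abort the sweep."""
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in sinkholed:
            hits.setdefault(client, set()).add(qname)
    return hits


# Constructed scenario: a one-week sinkhole window starting 12 Feb 2009.
DAY = date(2009, 2, 12)
SINKHOLED = sinkhole_set(DAY, days=7)
_today = generate_domains(DAY)

SAMPLE_LOG = [  # constructed resolver log lines, not real traffic
    f"2009-02-12T09:58:01Z 10.0.3.17 {_today[0]}",
    f"2009-02-12T09:58:02Z 10.0.3.17 {_today[1]}",
    "2009-02-12T09:58:05Z 10.0.3.18 www.example.com",
    f"2009-02-12T09:59:40Z 10.0.7.2 {_today[7].upper()}.",  # odd case, trailing dot
    "this line is malformed",
]

if __name__ == "__main__":
    for host, names in sorted(find_infected_hosts(SAMPLE_LOG, SINKHOLED).items()):
        print(f"{host} looked up {len(names)} sinkholed name(s): {sorted(names)}")
```

The asymmetry is the caveat a practitioner should keep in mind: the defenders have to register every name on every day's list, while the worm's author needs only one unregistered name on one day to push an update, so the registration effort has to stay ahead of the worm's calendar rather than merely match it.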

This is an encouraging example of industry working together to combat a common threat — much like the coordinated patch release for the DNS cache-poisoning flaw identified by Dan Kaminsky in July of last year. Hopefully this group can remain organized in some form and continue to fight the increasingly sophisticated attacks that exploit the distributed nature of Internet infrastructure.

UPDATE — new variant of the worm released by the bad guys, Network World:


  One Response to “Combining to Confront Conficker”

  1. All Microsoft needs to do is use a model of its OS that is not infectable by design.

    If it used the Linux model there would be no more malware incidents.

    If you are infected with Conficker, a good answer is change your operating system to Linux, and Ubuntu is as good as any, easy to install, free and updated frequently.
