News

Microsoft Joins Group To Stop Conficker Worm, Offers Reward

• By Jabulani Leffall
• February 12, 2009

Problems with the Conficker worm have become so widespread that Microsoft is putting up $250,000 for information leading to the arrest of the worm's author.

Additionally, Microsoft is collaborating with other industry organizations to form a group to stop the self-replicating worm, which is said to be one of the largest botnets ever created. Among the group's members are Symantec, domain registry organization ICANN, AOL and Verisign.

"Microsoft's approach combines technology innovation and effective cross-sector partnerships to help protect people from cybercriminals," wrote George Stathakopoulos, general manager of Microsoft's Trustworthy Computing group, in an e-mailed statement. "We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable."

Reports have suggested that as many as 10 million PCs have been infected since Conficker first surfaced in October 2008 as a vulnerability in Windows' remote procedure call (RPC) requests; Microsoft released an out-of-band patch. RPC requests are server-side commands that allow subroutine code to execute on other computers on a shared network. What is unique about the RPC vulnerability that Conficker is exploiting is that subroutines can be executed without programmer interference. This makes an autonomously sustained bug such as Conficker effective because RPC enables a virtually automatic and remote interaction between CPUs in a shared processing environment.

The group's first task, according to Microsoft and Symantec, will be to look at ways to stop the update mechanism of Conficker (whose technical name is W32.Downadup/Conficker.B). The worm updates itself by daily checking a list of as many as 250 network domains for weak passwords, as well as opportunities to regenerate itself on new systems as it updates itself on already infected systems.

The group aims to reverse-engineer what it calls a "pseudo-random domain generation algorithm" inherent in Conficker code. This is where the participation of groups like ICANN, the Public Internet Registry and Global Domains International can be crucial to helping Microsoft solve the problem.

"The best way to defeat potential botnets like Conficker is by the security and domain name system communities working together," said Greg Rattray, ICANN's chief Internet security advisor, in an e-mailed statement.

Microsoft's announcement on Thursday of the $250,000 reward echoes its 2003 decision to shell out $250,000 for tips leading to information on the whereabouts of the writers of the SoBig and Blaster worms. The difference with Conficker is that Internet use has increased exponentially since then, hackers have gotten more sophisticated, and the number attacks originating in other countries have grown. To address the third issue, Microsoft has opened up the Conficker reward to residents of any country (inasmuch as it is permitted by other countries' laws).

Vincent Weafer, vice president of Symantec Security Response, said in an e-mail that as attackers become increasingly competitive in the distribution of their attacks, it is necessary for a meeting of the minds similar to what Microsoft is proposing.

"As attackers leverage widespread numbers of compromised systems, it is critical for leading industry leaders to combine resources to more quickly and effectively combat widespread threats such as Conficker," he said.

Meanwhile, Microsoft says that anyone with any information about Conficker should not contact the company directly but take their case to their local law enforcement agency that handles such matters.