SecurityFocus, 2009-02-13
Microsoft has put the author of the Conficker worm on notice.
On Thursday, the software giant announced that it would offer a bounty of $250,000 for information leading to the arrest and conviction of the person or group responsible for the spread of the pernicious program. In addition, the company has banded together with Internet service providers and security companies to stop the spread of the worm. While the effort, dubbed the Conficker Cabal, was made public on Thursday, the ad hoc group began forming weeks ago, participants stated.
The success of the Conficker worm has made the cabal necessary, Microsoft said on Thursday.
"As cyber threats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation is required," the company said in a statement sent to SecurityFocus. "To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker."
Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.
The initial variant of the worm used a vulnerability in Microsoft's Windows operating system to spread to vulnerable computers. The second iteration of the program also spreads to open network shares and attempts to access weakly protected systems by trying 250 common passwords. This later variant, known as Conficker.B, also propagates by copying itself to USB memory sticks by infecting the autorun.inf file. Both programs block infected computers from updating security and system software by blacklisting the domains of Microsoft and many security firms.
"The other infection vectors — such as infecting through network shares — are the biggest pain points," said Vincent Weafer, vice president of security response for Symantec, a member of the Conficker Cabal and the owner of SecurityFocus. "It can lock out accounts, because of the number of attempts made by the password cracker."
Currently, the worm does little but infect new computers. Yet morphing into a full-fledged botnet is only a single step away. Every day, each instance of the worm generates a list of pseudo-random domain names and attempts to contact those domains. Anyone who knows the algorithm for generating the domains can reserve one ahead of time and host software that would be uploaded to every instance of the worm. This amounts to a ticking time bomb, said Thomas Cross, a researcher with IBM Internet Security Systems' X-Force group.
"It definitely is important that you get this off your network, because we don't know what it will turn into in the future," he said in a recent interview.
The Conficker Cabal has already started locking out the worm by registering the pseudo-random domains generated by the program. The tactic turns the program from a lurking danger into, mostly, a nuisance, said Jose Nazario, manager of security research for Arbor Networks.
"We should not underestimate the value of locking out the bad guys by reserving the domain space," he said.
A Whois lookup of one of the worm's domains, which was displayed on Arbor's site, showed the registrant's name to be "Conficker Cabal."
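The two mechanisms described above, the worm's date-seeded domain list and the cabal's pre-registration of those domains, can be illustrated with a small defender-side script. This is an added example, not code from the article or from any Conficker analysis: the generation routine is a constructed stand-in (it is not Conficker's real algorithm), and the DNS log format and IP addresses are made up.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a date-seeded domain-generation routine. It is NOT
# Conficker's real algorithm; it only models the property the article describes:
# every infected host derives the same candidate list from the current date.
TLDS = ("com", "net", "org")


def daily_domains(day: date, count: int = 5) -> list[str]:
    """Candidate domains every instance would derive for `day` (deterministic)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map the first 10 hex digits onto lowercase letters to form a label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_list(start: date, days_ahead: int) -> set[str]:
    """Domains a defender who knows the algorithm would pre-register for coming days."""
    watch: set[str] = set()
    for offset in range(days_ahead):
        watch.update(daily_domains(start + timedelta(days=offset)))
    return watch


def find_infected_hosts(dns_log: list[str], watch: set[str]) -> dict[str, list[str]]:
    """Map each client IP in the log to the watched (generated) domains it queried."""
    hits: dict[str, list[str]] = {}
    for line in dns_log:
        # Constructed log format: "<timestamp> <client-ip> query <qname>"
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue
        client, qname = parts[1], parts[3].lower().rstrip(".")
        if qname in watch:
            hits.setdefault(client, []).append(qname)
    return hits


DAY = date(2009, 2, 13)
# Constructed sample log: one host resolves a generated domain, the others are benign.
SAMPLE_LOG = [
    "2009-02-13T09:58:10 10.0.0.7 query www.microsoft.com",
    f"2009-02-13T10:01:02 10.0.0.5 query {daily_domains(DAY)[0]}",
    "2009-02-13T10:01:05 10.0.0.9 query update.symantec.com",
]

if __name__ == "__main__":
    print(find_infected_hosts(SAMPLE_LOG, sinkhole_list(DAY, 3)))
```

Because the list depends only on the date, the same precomputed set serves both purposes: the registrar side reserves the names ahead of time, and the network side flags any client that resolves one of them.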
Among the companies involved in the coalition are the Internet Corporation for Assigned Names and Numbers (ICANN), Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.