Microsoft offers $250,000 bounty for Conficker creator

Computer worm is believed to be one of the largest botnets ever created.

Problems with the Conficker worm have become so widespread that Microsoft is putting up $250,000 for information leading to the arrest of the worm's author.

Additionally, Microsoft is collaborating with other industry organizations to form a group to stop the self-replicating worm, which is said to be one of the largest botnets ever created. Among the group's members are Symantec, domain registry organization Internet Corporation for Assigned Names and Numbers (ICANN), America Online and Verisign.

"Microsoft's approach combines technology innovation and effective cross-sector partnerships to help protect people from cyber criminals," wrote George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group, in an e-mailed statement. "We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable."

Reports have suggested that as many as 10 million PCs have been infected since Conficker first surfaced in October 2008, exploiting a vulnerability in Windows' remote procedure call (RPC) requests; Microsoft released an out-of-band patch. RPC requests are server-side commands that allow subroutine code to execute on other computers on a shared network. What is unique about the RPC vulnerability that Conficker is exploiting is that subroutines can be executed without programmer interference. This makes an autonomously sustained bug such as Conficker effective because RPC enables a virtually automatic and remote interaction between CPUs in a shared processing environment.

The group's first task, according to Microsoft and Symantec, will be to look at ways to stop the update mechanism of Conficker (also known as Downadup). The worm updates itself by checking a list of as many as 250 network domains daily for weak passwords, as well as opportunities to regenerate itself on new systems as it updates itself on already infected systems.

The group aims to reverse-engineer what it calls a "pseudo-random domain generation algorithm" inherent in Conficker code. This is where the participation of groups like ICANN, the Public Internet Registry and Global Domains International can be crucial to helping Microsoft solve the problem.
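Why reverse-engineering the generator matters to defenders, as an added example that is not from the article or from any of the organizations it names: once the algorithm is known, each day's list can be computed ahead of time and matched against DNS resolver logs (or handed to registries for blocking). The generator below is a toy date-seeded stand-in, not Conficker's algorithm; the TLD list, log format, addresses and date are constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")  # constructed for the toy model
DOMAINS_PER_DAY = 250  # daily list size reported in the article

def toy_daily_domains(day, count=DOMAINS_PER_DAY):
    """Toy date-seeded generator (NOT Conficker's): same date, same list."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return out

def watchlist(day, skew_days=1):
    """Map predicted domains to their list date; +/- skew covers wrong host clocks."""
    table = {}
    for offset in range(-skew_days, skew_days + 1):
        d = day + timedelta(days=offset)
        for name in toy_daily_domains(d):
            table[name] = d
    return table

def flag_queries(log_lines, day):
    """Return (client, domain, list_date) for each query that hits the watchlist."""
    table = watchlist(day)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in table:
            hits.append((client, qname, table[qname]))
    return hits

if __name__ == "__main__":
    today = date(2009, 1, 15)  # constructed date
    log = [  # constructed resolver log lines: time, client, queried name
        f"09:00:01 10.0.0.5 {toy_daily_domains(today)[3].upper()}.",
        "09:00:02 10.0.0.6 www.example.com.",
        f"09:00:03 10.0.0.7 {toy_daily_domains(today - timedelta(days=1))[0]}",
    ]
    for hit in flag_queries(log, today):
        print(hit)
```

A host that queries several watchlist names in one day is a stronger infection signal than a single hit, so in practice the hits would be grouped by client before alerting.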

"The best way to defeat potential botnets like Conficker is by the security and domain name system communities working together," said Greg Rattray, ICANN's chief Internet security adviser, in an e-mailed statement.

Microsoft's announcement on Thursday of the $250,000 reward echoes its 2003 decision to shell out $250,000 for tips leading to information on the whereabouts of the writers of the Sobig and Blaster worms. The differences with Conficker are that Internet use has increased exponentially since then, hackers have gotten more sophisticated, and the number of attacks originating in other countries has grown. To address the third issue, Microsoft has opened up the Conficker reward to residents of any country (as permitted by other countries' laws).

Vincent Weafer, senior director of development of Symantec Security Response, said in an e-mail that as attackers become increasingly competitive in the distribution of their attacks, it is necessary for a meeting of the minds similar to what Microsoft is proposing.

"As attackers leverage widespread numbers of compromised systems, it is critical for leading industry leaders to combine resources to more quickly and effectively combat widespread threats such as Conficker," he said.

Meanwhile, Microsoft says that anyone with any information about Conficker should not contact the company directly but take their case to their local law enforcement agency that handles such matters.

About the Author

Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
