By Elinor Mills, 16 February 2009 11:05
Microsoft last week said it is offering a $250,000 reward for information that leads to the arrest and conviction of whoever is responsible for creating the Conficker internet worm that has infected millions of PCs.
Microsoft said it is offering the reward because the worm constitutes a "criminal attack". Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.
Microsoft also announced it has partnered with security companies, domain name providers, and others on a co-ordinated global response to the worm, also known as Downadup. Participants include: AOL, Arbor Networks, the Internet Corporation for Assigned Names and Numbers (Icann), F-Secure, Global Domains International, Public Internet Registry, Symantec and VeriSign.
The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October.
It also spreads via removable storage devices such as USB drives, and across network shares by guessing passwords and usernames, which is "causing it to spread like wildfire in the enterprise", Jose Nazario, manager of security research for Arbor Networks, wrote on a company blog.
Coalition members have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.
Nazario wrote: "The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code.
"The algorithm for this domain name generation scheme has been cracked (by F-Secure and others) and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature.
"This has been facilitated - greatly facilitated - by Icann, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in."
Last week, Symantec observed an average of 453,436 IP addresses infected per day with W32.Downadup.A and 1.7 million IP addresses infected per day with W32.Downadup.B, the company said in a blog posting.
Symantec said: "W32.Downadup is the first successful worm to target a vulnerability in a remote service since W32.Sasser in 2004, and in doing so it has shown that the internet is still a successful breeding ground for worms."
Infected machines, of which there could be as many as 12 million according to Arbor Networks, could be used to launch distributed denial-of-service attacks on websites or seed a new worm, according to Symantec.
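The pre-computation and sinkhole matching that Nazario describes can be sketched from the defender's side as follows. This is an added example, not code from the article, Arbor Networks or F-Secure: the generator is a constructed stand-in rather than Conficker's algorithm, and the reserved TLDs, log format and client addresses are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Assumption: constructed stand-in generator, NOT Conficker's algorithm. It shares
# only the property described above: the names are a deterministic function of
# the date, so a defender can compute them ahead of time.
TLDS = ["example", "test", "invalid"]  # reserved TLDs, never resolvable

def names_for_day(day: date, count: int = 100) -> set[str]:
    """Pre-compute every name the stand-in generator yields for one day."""
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4  # label of 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.add(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return names

def infected_clients(log_lines, today: date, skew_days: int = 1) -> dict[str, set[str]]:
    """Map client IP -> generated names it asked for in 'timestamp client host' lines.

    Names for the days around `today` are included because an infected host's
    clock may be off.
    """
    watch = set()
    for offset in range(-skew_days, skew_days + 1):
        watch |= names_for_day(today + timedelta(days=offset))
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        _, client, host = parts
        host = host.lower().rstrip(".")  # Host headers vary in case and trailing dot
        if host in watch:
            hits.setdefault(client, set()).add(host)
    return hits

if __name__ == "__main__":
    day = date(2009, 2, 16)
    a, b = sorted(names_for_day(day))[:2]
    y = sorted(names_for_day(day - timedelta(days=1)))[0]
    log = [  # constructed sinkhole log, documentation-range addresses
        f"2009-02-16T09:00:01Z 192.0.2.10 {a}",
        f"2009-02-16T09:00:05Z 192.0.2.10 {b.upper()}.",
        f"2009-02-16T09:01:12Z 192.0.2.44 {y}",
        "2009-02-16T09:02:30Z 198.51.100.7 www.example.org",
    ]
    for client, names in sorted(infected_clients(log, day).items()):
        print(client, sorted(names))
```

Clients that request only ordinary names never appear in the result, which is what makes a sinkhole log a low-noise list of hosts to clean up.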