Microsoft Going After The Creator Of Downadup Worm

Microsoft has announced a $250,000 reward for information that leads law enforcement to arrest and convict the person responsible for creating the Conficker Internet worm, which has infected millions of PCs.

Microsoft told IT media that the worm constitutes a “criminal attack”. Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.

The Windows maker is partnering with security companies, domain name providers, and other organizations to coordinate its response to the worm, also known as Downadup.

Among the organizations involved in the pursuit are the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, NeuStar, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.

The worm has been active since 2008. It spreads through a hole in the Windows OS, exploiting a vulnerability that Microsoft patched in October 2008.

It also spreads via removable devices such as USB drives, and via network shares by guessing usernames and passwords.

“The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code”, said Jose Nazario, manager of security research for Arbor Networks. According to him, the algorithm behind this domain name generation scheme has been cracked (by F-Secure and others) and used to pre-compute the names so they can be pre-registered, preventing hostile parties from using this update feature. This has been facilitated – greatly facilitated – by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and register the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in.

Symantec said in a blog posting that over the last 25 days it observed an average of 453,436 IP addresses infected per day with W32.Downadup.A and 1.7 million IP addresses infected per day with W32.Downadup.B.
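The two paragraphs above describe the defensive side of the sinkhole operation: pre-computed domain names are pointed at sinkholes, infected hosts check in over HTTP, and the daily counts are expressed as distinct IP addresses per day. The script below is an added example written for this article, not code from Microsoft, Arbor, Symantec or the working group. It assumes a sinkhole web server logging in Combined Log Format with the requested Host appended as a final quoted field; the domain names, IP addresses and log lines are constructed placeholders, and the real Conficker generator is deliberately not reproduced. It filters the log down to requests for the pre-registered names, discards unrelated traffic, and computes distinct check-in IPs per UTC day together with the daily average.

```python
"""Sinkhole check-in triage: match HTTP requests against a list of
pre-computed domain names and count distinct source IPs per day."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: these stand in for the pre-computed, pre-registered names that
# have been pointed at the sinkhole. They are constructed placeholders, not
# real Conficker domains.
PRECOMPUTED_DOMAINS = frozenset({
    "abcxyz.example",
    "kqlmpv.example",
    "zzhtrq.example",
})

# Constructed sinkhole access-log lines. One researcher request to the
# sinkhole's own name and one junk line are included to exercise filtering.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2009:10:15:32 +0000] "GET /update HTTP/1.0" 200 512 "-" "Mozilla/4.0" "abcxyz.example"
198.51.100.7 - - [12/Feb/2009:10:15:40 +0000] "GET /update HTTP/1.0" 200 512 "-" "Mozilla/4.0" "abcxyz.example"
203.0.113.42 - - [12/Feb/2009:11:02:01 +0000] "GET /update HTTP/1.0" 200 512 "-" "Mozilla/4.0" "kqlmpv.example"
192.0.2.9 - - [12/Feb/2009:12:30:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.19" "sinkhole.example"
203.0.113.42 - - [13/Feb/2009:09:00:10 +0000] "GET /update HTTP/1.0" 200 512 "-" "Mozilla/4.0" "abcxyz.example"
198.51.100.200 - - [13/Feb/2009:09:45:59 +0000] "GET /update HTTP/1.0" 200 512 "-" "Mozilla/4.0" "zzhtrq.example"
192.0.2.77 - - [13/Feb/2009:21:10:11 +0000] "GET /update HTTP/1.0" 200 512 "-" "Mozilla/4.0" "kqlmpv.example"
this line is not a log entry
"""

# Combined Log Format plus a trailing quoted Host field (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Bucket by UTC calendar day; the article's figures are per-day counts.
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["day"] = ts.date().isoformat()
    rec["host"] = rec["host"].lower().rstrip(".")
    return rec


def sinkhole_checkins(log_text, domains=PRECOMPUTED_DOMAINS):
    """Keep only requests whose Host is one of the pre-computed names.
    Requests for other names (researchers, scanners) are noise, not infections."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in domains:
            events.append(rec)
    return events


def distinct_ips_per_day(events):
    """Map each day to the set of distinct source IPs that checked in."""
    per_day = defaultdict(set)
    for e in events:
        per_day[e["day"]].add(e["ip"])
    return dict(per_day)


def average_daily_infected(per_day):
    """Average number of distinct IPs per day, as Symantec's figures are stated."""
    if not per_day:
        return 0.0
    return sum(len(ips) for ips in per_day.values()) / len(per_day)


def total_distinct_ips(events):
    """Distinct IPs across the whole window (not a sum of the daily counts)."""
    return len({e["ip"] for e in events})


if __name__ == "__main__":
    ev = sinkhole_checkins(SAMPLE_LOG)
    per_day = distinct_ips_per_day(ev)
    for day in sorted(per_day):
        print(day, len(per_day[day]), "distinct check-in IPs")
    print("average per day:", average_daily_infected(per_day))
    print("total distinct IPs:", total_distinct_ips(ev))
```

Counting distinct IPs is the right unit for what the sinkhole can observe, but it is only a proxy for infected machines: hosts behind NAT collapse into one address, while DHCP churn makes one machine appear as several across days, which is why per-day IP figures and estimated machine counts should be reported separately.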

The number of machines infected by the worm is estimated at around 12 million. They could be used to launch distributed denial-of-service attacks on web servers or to seed a new worm.