Search This Blog

13 February 2009

Malware Prize: Drop a dime on the Conficker worm creep, win U$250,000

Click for larger, clearer.

Microsoft Collaborates
with Industry to Disrupt
Conficker Worm


Microsoft offers $250,000 reward
for Conficker arrest and conviction.

REDMOND, Wash., 12 February 2009 /PRNewswire-FirstCall/ -- Today, Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

"As part of Microsoft's ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," said George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft. "By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide."

As cyberthreats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

"The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together," said Greg Rattray, chief Internet security advisor at ICANN. "ICANN represents a community that's all about coordinating those kinds of efforts to keep the Internet globally secure and stable."

"Microsoft's approach combines technology innovation and effective cross- sector partnerships to help protect people from cybercriminals," Stathakopoulos said. "We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable."

More information about how to protect yourself from Conficker can be found at http://www.microsoft.com/conficker. Customers interested in learning more about staying safe online can visit http://www.microsoft.com/protect.

Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

Founded in 1975, Microsoft (Nasdaq: MSFT) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

SOURCE Microsoft Corp.

=============
Wikipedia:
=============

Conficker


* Win32/Conficker.A (CA)
* W32.Downadup (Symantec)
* W32/Downadup.A (F-Secure)
* Conficker.A (Panda)
* Net-Worm.Win32.Kido.bt (Kaspersky)
* W32/Conficker.worm (McAfee)

Conficker, also known as Downup, Downadup and Kido, is a computer worm
that surfaced in October 2008 and targets the Microsoft Windows operating system.[1] The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.[2] Linux, FreeBSD, ReactOS, Haiku, Whitix, Solaris, AIX and Macintosh systems are unaffected as the virus only targets Windows software.
Contents

Origin of name

The name "Conficker" is a German pun, meaning "program that manipulates the configuration," and pronounced like the English word "configure." "Configuration" is typically abbreviated "config." Conficker is constructed from the first five letters of "configuration," while adding four letters to the end so as to end with "ficker", a vulgar nominalized form of the German transitive verb ficken, which is common German for the English "fuck".

Operation

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.[3]

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer.[4] The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.[5]

Payload

The A variant of Conficker will create an HTTP Server and open a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a worm copy. It will also reset System Restore Points, and download files to the target computer.[6]

Symptoms of infection

* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
* Domain controllers respond slowly to client requests.
* System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
* On websites related with antivirus software, Windows system updates cannot be accessed.[7]

In addition, the worm launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.[8]

Impact

By January 16, 2009, antivirus software vendor F-Secure reported that Conficker had infected almost 9,000,000 PCs.[9][10] The New York Times reported that Conficker had infected 9,000,000 PCs by January 22, 2009, while The Guardian estimated 3,500,000 infected PCs.[11][12] As of January 26, 2009, Conficker had infected more than 15,000,000 computers, making it one of the most widespread infections in recent times.[13]

Another antivirus software vendor Panda Security reported that of the 2,000,000 computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.[14][15]

Conficker is reported to be one of the largest botnets created because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008.[16]

The U.K. Ministry of Defence reported that some of its major systems and desktops are infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and Hospitals across the city of Sheffield reported infection of over 800 computers.[17][18]

Experts say it is the worst infection since the SQL Slammer.[11]

As of February 13 2009, Microsoft is offering a $250,000 USD Reward for information leading to the arrest and conviction of the criminals behind the creation and or distribution of Conficker.[19]

Patching and removal

On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability.[20] Removal tools are available from Microsoft,[21] Symantec[22] and Kaspersky Lab while McAfee[23] can remove it with an on demand scan.[24] Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media through modifying the Windows Registry is recommended.[25] While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired.

Technology industry collaboration to combat Conficker

On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.

Microsoft is trying to put some pressure on the criminals responsible for the worst Internet worm outbreak in years, offering a $250,000 reward for information leading to the arrest and conviction of Conficker's creators.[26]

Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

8 comments:

abbas said...

well i'm certainly glad i haven't used any microsoft product for personal consumption in upwards of two years now. and then comes the news of the wonderful windows 7 starter edition, for which it seems like you have to pay more to run more than three applications!

Vleeptron Dude said...

Yeah, did you notice that about 2 months ago PatfromCH went over to the Dark Side and bought a Mac?

Malware.

When I was a kid and a young guy, I thought I knew where all the Big Threats were coming from, I thought I knew enough to get off the railroad track in time.

I never would have had the imagination to invent Malware.

(Or the inexplicable Desire to infect 1,000,000 PCs with the stuff. Most Malware isn't even an extortion plot for ransom.)

Well, okay, here I am with my new Dell Vista machine, in speed, size and power the envy of small dental practices and insurance agencies throughout North America.

Now I lose sleep over perverted 17-year-old boys who have the crude expertise to write malicious code. They don't even want my money. They just want to cause the maximum amount of Pain and Loss to millions of strangers they'll never meet.

Well -- Bill Gates got to the Future first, and so he got to shape a huge percentage of the Present in his personal vision.

Boy -- did he do it His Way.

Okay, so somebody drops a dime on Malware Boy, wins the $250k, and Malware Boy is handcuffed and dragged before some sentencing judge.

You be the sentencing judge. You can choose from any range from

* "Go, naughty child, and sin no more!"

to a full public tar-and-feathering, followed by drawing-and-quartering, followed by Life in Prison.

If you caught him, what would you do to Malware Boy?

Abbas said...

i would praise him for giving people another reason to switch over to gnu/linux.

Vleeptron Dude said...

Hmmm, I hadn't thought about rewarding him for his contributions to gnu/linux and his demonstration about how much Windows sux. I shall have to contemplate this new thing.

But when somebody he bragged to does drop a dime to claim the $250k, I don't think the judge is going to go in this direction. The mob of pissed-off Windows users outside the courthouse, for one thing. They may all be fools for using Windows, but fools can scream very persuasive mob stuff very loudly.

If Malware Boy is smart, he WON'T try to explain to the judge how he was really doing everybody a favor.

patfromch said...

Yes, I have moved over to the Dark Side. And you know why it is dark over there ? No Windows *evillaughter*.

I still have a Vista machine, MS has supplied several security updates over the last few days.
Remember Sasser and Melissa ? Sasser was programmed by a german teenager, Melissa by a disgruntled IT specialist who had a fallout with his wife. I reckon it will be something similar with Conficker.

A life without Windows and Malware and Trojans /Spyware and constantly upgrading (paying) your virus scanner is possible.

Take Ubuntu for one.

You can download it in about an hour, maybe less. burn it on a CD in a few minutes, put in into your Mac or PC, look around and, if you like it, install a new operating system in 30 minites.
It only uses about 2 GB on your HD and works on old machines as well. You'll get a fully working OS for free that looks cool and is very sexy graphicwise, no worries about virusses or leaks in the security systeem and the other BS that bothers you as a Windows user. All the software you need is free, be it music production, graphics or OpenOffice, stuff that works and kicks a. A new improved version of the OS is being released every half year or so, you can upgrade înstantly. Ubuntu is not yet perfect but it measns No More Malware. And if you don't like Ubuntu there is no need to erase the whole HD, simply uninstall it. Ya can't to all that with Windows....

And I haven't even started with the Mac...

abbas said...

Thanks for the Ubuntu plug. I love Ubuntu and it's on ALL my computers, everything from seven year old laptops to my newly upgraded desktop last christmas. Bob, you should really consider using it.

Vleeptron Dude said...

for a gazillion years i've been doing weird and deep-ish stuph on PCs -- jeez, i actually had to learn MACHINE language to get my first box to do anything.

but i just hate operating systems. like movie music scores, i think they're best when they can largely be ignored and not noticed and forgotten.

i got no problem voting that every new version of Windows is the worst OS imaginable.

but spending 30 percent of my computering life installing, nursing and mastering a new OS -- i just have a huge resistance and allergy to this idea.

if i've stayed with Windows all these years after it morphed beyond DOS, it's largely because the goofy software i want to run is always written first to run under Windows -- and often not issued or supported to run under any other OS.

That was what pissed me off about Apples and Macs to begin with -- their closed architecture, their secretive software guts. Whatever Evil you can say about Windows, its Open Architecture encouraged a gazillion coders to sell or give away programs for the Windows environment.

I know Ubuntu's really great. Maybe I'm ready to move to it. They told me I could run Vista AND Linux on this new box.

My brother's the OS fanatic, and Linux Kult guy. He has Linus Thorwald's autograph, he once touched The Man himself.

www.pontevedra-3d.com said...

Quite worthwhile info, thank you for the article.