Microsoft wants Conficker (Downadup) worm launchers arrested, convicted

Does anyone know who illegally launched the Conficker (Downadup) malicious code on the Internet? Valid information could make you $250,000 richer. Doubtful? Read the whole post.

In a recently released PressPass statement, software giant Microsoft Corporation announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (also known as Downadup) worm. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

"Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence," the press release read.

George Stathakopoulos, general manager of the Trustworthy Computing Group at Microsoft, explained, “As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers.” “We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable,” he added.

You can read more of the PressPass here.

Microsoft has also created a special page on its site dedicated to explaining the Conficker worm. It includes a "Conficker Timeline", which reads as follows:
Conficker Timeline
  • On November 21, 2008 the MMPC identified Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
  • On November 25, 2008 the MMPC communicated information about Worm:Win32/Conficker.A through their weblog.
  • On December 29, 2008 the MMPC identified the second variant, Worm:Win32/Conficker.B, and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day. Worm:Win32/Conficker.B seeks to propagate itself by:
      1. Infecting vulnerable systems by exploiting the vulnerability addressed in MS08-067 through network-based attacks.
      2. Copying itself to the ADMIN$\System32 folder on the target machine and scheduling a task to execute this file daily. It first tries to use the credentials of the logged-on user, which might work well in environments where the same user account is used for different computers on the network, and as long as that account has administrative rights. If that fails, it tries a different method: it obtains a list of user accounts on the target machine and attempts to connect using each user name and a list of weak passwords (examples: "1234", "password", or "student"). If one of these combinations works and that account has write permissions, it copies itself to the ADMIN$ folder.
      3. Copying itself to removable media such as USB drives and other portable storage using the AutoPlay feature to launch itself.
    NOTE: The second and third attack vectors listed above do not utilize the vulnerability addressed by MS08-067. Therefore, it is possible for these vectors to be successful against systems that have applied the security update associated with MS08-067.
  • On December 31, 2008, the MMPC communicated information about Worm:Win32/Conficker.B through their weblog.
  • On January 13, 2009, the MMPC added the ability to remove both Worm:Win32/Conficker.A and Worm:Win32/Conficker.B to the January 2009 release of the Windows Malicious Software Removal Tool (MSRT) and communicated information about this through their weblog.
  • On January 22, 2009, the MMPC provided consolidated technical information about the Worm:Win32/Conficker.B on their weblog.
  • On February 12, 2009, the Microsoft Security Response Center (MSRC) released information about domains that Conficker-infected systems try to connect to. Microsoft also announced information on a partnership with technology industry and academic leaders designed to disable domains targeted by Conficker as well as a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.
  • On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide.
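
The account-guessing behaviour the timeline describes for Conficker.B (one host trying a list of user names with weak passwords against ADMIN$) leaves a recognisable pattern in logon records, and, as the NOTE says, it still works against machines patched for MS08-067. The following Python example is added here for defenders and is not from Microsoft or the original post; the record layout, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, source host, target
# account, and whether the network logon to the admin share succeeded.
SAMPLE_EVENTS = [
    ("2009-01-22 10:00:01", "10.0.0.57", "alice", False),
    ("2009-01-22 10:00:02", "10.0.0.57", "alice", False),
    ("2009-01-22 10:00:03", "10.0.0.57", "bob", False),
    ("2009-01-22 10:00:04", "10.0.0.57", "labuser", False),
    ("2009-01-22 10:00:05", "10.0.0.57", "labuser", True),
    ("2009-01-22 10:03:00", "10.0.0.12", "carol", False),  # a single typo
    ("2009-01-22 10:03:20", "10.0.0.12", "carol", True),
]

def find_password_guessing(events, window=timedelta(minutes=5),
                           min_accounts=3, min_failures=4):
    """Flag sources that fail logons against several accounts within a window.

    Returns one finding per source: the accounts it tried and any account
    where a success followed the failures (a likely guessed password).
    Thresholds are assumed defaults; tune them to the environment.
    """
    by_source = defaultdict(list)
    for ts, source, account, ok in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_source[source].append((when, account, ok))

    findings = []
    for source, rows in sorted(by_source.items()):
        rows.sort()
        failures = [(t, a) for t, a, ok in rows if not ok]
        # Treat each failure in turn as the start of a time window.
        for i, (start, _) in enumerate(failures):
            in_window = [(t, a) for t, a in failures[i:] if t - start <= window]
            accounts = {a for _, a in in_window}
            if len(accounts) >= min_accounts and len(in_window) >= min_failures:
                last_fail = in_window[-1][0]
                guessed = sorted({a for t, a, ok in rows if ok and a in accounts
                                  and start <= t <= last_fail + window})
                findings.append({"source": source,
                                 "accounts_tried": sorted(accounts),
                                 "guessed": guessed})
                break  # one finding per source is enough
    return findings
```

A source with a non-empty `guessed` list is the priority: that account's password should be reset and the target checked for new files in ADMIN$\System32 and new scheduled tasks.
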
As you may remember, on January 22, 2009 we posted an article on this blog about the Conficker worm, which explained how the worm works and how it can be avoided or defeated. We gave our readers tips on how to avoid or defeat the Conficker (Downadup) worm easily.

Microsoft has its own version which you can read here.

The cybercriminals must be in hiding by now, don't you think? A reward of $250,000 is big money. We should be looking for information on their whereabouts now. Let's go!