Industry gets serious about Downadup, aka Conficker

In Friday's IT Blogwatch, Richi Jennings watches an industry cabal get off their collective backsides to do something about the latest 10-million-strong botnet. Not to mention conclusive proof that Google does have a sense of humor...

Gregg Keizer reports:

Nearly 20 technology companies and organizations are combining forces to disrupt the command-and-control infrastructure of the rapidly spreading Downadup worm ... which also goes by the name "Conficker" ... prompted by infection rates of nearly 2.2 million machines each day.

Firms, including Microsoft Corp., Symantec Corp. and VeriSign Inc., have joined ICANN, the nonprofit group that manages the Internet Domain Name System, to preemptively register and remove from circulation the [domain names] that the worm's controllers use to maintain their hold on infected machines ... Separately, Microsoft has offered a $250,000 reward for information that results in the arrest and conviction of the hackers.

John Leyden adds:

The bounty, announced Thursday, represents a revival of Microsoft's mothballed Anti-virus Reward Program, launched in 2003 and virtually moribund since 2004 ... there's only ever been one payout.
Conficker has infected 10 million computers, going by recent estimates, so it's no great surprise to find that Microsoft has reactivated the program. Even if it doesn't lead to any arrests, the possibility of betrayal will give the authors of the worm pause for thought before they activate the monster botnet their malware has established.

Jose Nazario has more deetz:

The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code. The algorithm for this domain name generation scheme has been cracked ... [and we] pre-compute the names for pre-registration to prevent hostile parties from using this update feature.
Just because the bot’s update mechanism appears to be cut off doesn’t mean that it’s no longer a problem ... The worm tries to propagate over file shares by brute forcing usernames and passwords. As it does so, it often locks people out of their accounts after X password login failures. IT admins everywhere are pretty busy with this.

Microsoft's Christopher Budd has news for you:

The Conficker worm will try every three hours to connect to specific domains over HTTP ... it may be possible to identify infected hosts on your network if you’re able to log outbound traffic and then analyze those logs.
We’ve ... made a list of domains available in a zipped text file available at the bottom of this post.
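Nazario's point about pre-computing the generated names and Budd's point about spotting infected hosts in outbound HTTP logs fit together in one workflow: build the day's watchlist, then match proxy logs against it. The example below is added here and is not code from Microsoft, Arbor, or the Conficker Cabal. The `toy_dga` function is a hypothetical, date-seeded stand-in, not Conficker's real algorithm; the log format and all IP addresses and timestamps are constructed for the example. In practice the watchlist would be the domain list from Budd's zipped text file.

```python
import hashlib
from collections import defaultdict
from datetime import date, datetime, timedelta
from urllib.parse import urlsplit


# --- 1. Pre-compute the day's candidate rendezvous domains -------------------
# Hypothetical stand-in for a date-seeded domain generation algorithm. It is
# NOT Conficker's real scheme; it only gives the rest of the example a
# deterministic watchlist. A defender who has reversed the real algorithm
# would generate (and pre-register) the real names here instead.
def toy_dga(day: date, count: int = 5, tlds=("com", "net", "org")) -> list[str]:
    seed = day.strftime("%Y%m%d").encode()
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append(f"{label}.{tlds[i % len(tlds)]}")
    return names


# --- 2. Parse outbound proxy log lines ---------------------------------------
# Constructed log format, one request per line:
#   <ISO timestamp> <client IP> <method> <URL> <status>
def parse_line(line: str):
    ts, client, method, url, status = line.split()
    host = urlsplit(url).hostname or ""  # strips scheme, port and path
    return datetime.fromisoformat(ts), client, host.lower()


# --- 3. Match contacted hosts against the watchlist --------------------------
def find_contacts(log_lines, watchlist) -> dict[str, list[datetime]]:
    """Return {client_ip: [timestamps]} for every request to a watchlisted domain."""
    hits = defaultdict(list)
    for line in log_lines:
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host in watchlist:
            hits[client].append(ts)
    return {client: sorted(times) for client, times in hits.items()}


# --- 4. Strengthen the signal with the ~3-hour check-in interval -------------
def beaconing_clients(contacts, interval=timedelta(hours=3),
                      tolerance=timedelta(minutes=15), min_gaps=2):
    """Clients whose watchlist contacts recur at roughly the expected interval.

    A single hit may be a curious user or a security tool; repeated contacts
    spaced about three hours apart look like the worm's own update attempts.
    """
    flagged = []
    for client, times in contacts.items():
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - interval) <= tolerance]
        if len(periodic) >= min_gaps:
            flagged.append(client)
    return sorted(flagged)


# --- Constructed sample data --------------------------------------------------
DAY = date(2009, 2, 13)
WATCHLIST = frozenset(toy_dga(DAY))
D0, D1 = sorted(WATCHLIST)[:2]
SAMPLE_LOG = [
    f"2009-02-13T00:05:11 10.0.0.12 GET http://{D0}/ 404",
    "2009-02-13T00:06:40 10.0.0.7 GET http://www.example.com/index.html 200",
    f"2009-02-13T03:04:02 10.0.0.12 GET http://{D1}/ 404",
    f"2009-02-13T05:30:00 10.0.0.40 GET http://{D0}:80/ 404",          # one-off hit
    f"2009-02-13T06:07:19 10.0.0.12 GET http://{D0.upper()}/ 404",     # case-insensitive match
    "2009-02-13T06:08:00 10.0.0.7 GET http://update.example.net/patch 200",
]

if __name__ == "__main__":
    contacts = find_contacts(SAMPLE_LOG, WATCHLIST)
    for client, times in contacts.items():
        print(client, [t.strftime("%H:%M") for t in times])
    print("likely infected:", beaconing_clients(contacts))
```

Run against the constructed log, `find_contacts` reports two clients that touched watchlisted domains, but only `10.0.0.12`, with three contacts spaced roughly three hours apart, is flagged by `beaconing_clients`; the one-off request from `10.0.0.40` is left for an analyst to review rather than auto-flagged.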

But Locke2005 worries:

If hackers can now make big bucks by writing worms then framing someone else for turning them loose on the world, doesn't that provide a powerful incentive to write more worms???

John Hasler thinks not:

They also have to successfully pull off the "framing" part. The authorities are not unfamiliar with the idea that their informants may be lying for the reward.

Gadzooks! It's gad_zuki!:

It's not too hard to figure out who did this. A lot of these trojans won't install if your default language is Russian. How odd, eh?

Essentially, this is a hand out to the Russian government because it protects and profits from its industry of malware writers, most notably the Russian Business Network. These guys aren't getting caught. They have the full protection of the Russian government. MS and the rest know this, but they also know that money talks and a high profile defector would be good for the cause.

And finally...


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email:

Copyright © 2009 IDG Communications, Inc.
