Microsoft offers $250,000 reward for Conficker arrest

Software giant offers bounty for arrest and conviction related to Conficker Internet worm that spreads via Windows hole, USB drives, and network shares.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Correction, 1:08 p.m. PST: This story initially misstated the amount of the reward. It is $250,000.

Microsoft on Thursday said it is offering a $250,000 reward for information that leads to the arrest and conviction of whoever is responsible for creating the Conficker Internet worm that has infected millions of PCs.

Microsoft said it is offering the reward because the worm constitutes a "criminal attack" and offering compensation should hasten prosecution. Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.

Microsoft also announced that it has partnered with security companies, domain name providers, and others on a coordinated global response to the worm, also known as Downadup. Participating are: the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, NeuStar, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.

The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October.

It also spreads via removable storage devices like USB drives, and network shares by guessing passwords and usernames, which is "causing it to spread like wild fire in the enterprise," Jose Nazario, manager of security research for Arbor Networks, wrote on a company blog.

Coalition members have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

"The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code," Nazario wrote. "The algorithm for this domain name generation scheme has been cracked (by F-Secure and others) and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature. This has been facilitated - greatly facilitated - by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in."

Over the past five days, Symantec has observed an average of 453,436 IP addresses infected per day with W32.Downadup.A and 1.7 million IP addresses infected per day with W32.Downadup.B, the company said in a blog posting.

"W32.Downadup is the first successful worm to target a vulnerability in a remote service since W32.Sasser in 2004, and in doing so it has shown that the Internet is still a successful breeding ground for worms," Symantec said.

Infected machines, of which there could be as many as 12 million according to a guesstimate by Arbor Networks, could be used to launch distributed denial-of-service attacks on Web sites or seed a new worm, according to Symantec.