Microsoft announces $250,000 bounty for rogue software creators

14 Feb 2009

Preyed upon by hackers worldwide, Microsoft is now striking back. It has offered a bounty of $250,000 to bring the Conficker worm creators to justice. Microsoft said it is offering the reward because the worm constitutes a "criminal attack" and offering compensation should hasten prosecution.

Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.

The money will be paid for "information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet," Microsoft said, adding it is fostering a partnership with Internet registries and DNS providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all.

Conficker, also called Downadup, is estimated to have infected at least 10 million PCs. It has been slowly but surely spreading since November. The worm spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October. It also spreads via removable storage devices such as USB drives, and via network shares by guessing user names and passwords.

Its main trick is to disable anti-malware protection and block access to anti-malware vendors' web sites. But security experts are concerned about a potentially much worse second stage of the Conficker worm: it calls home each day to more than 250 command-and-control servers around the world, awaiting instructions on future downloads or actions.

While the unique domain names of the servers used for Conficker control change daily, the anti-Conficker coalition anticipates that, with the major domain-name registrars working in collaboration, it may be possible to "take out those domains" or otherwise interfere with the smooth flow of Conficker operations.

A Microsoft spokesperson says Conficker is trying to download malware from these domains and also uploads infection counts to them, but this is not a new trend. First, a large percentage of these domains are being blocked from being registered. Second, a number of the domains are being redirected toward "sinkhole" servers that are owned by trusted research partners around the world. Sinkhole servers allow researchers to observe the worm's activity, according to Microsoft.
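To make the two measures in that paragraph concrete, here is an added example (not code from the article, Microsoft or the coalition): a toy resolver that refuses the daily rendezvous domains whose registration was blocked, answers the rest with a sinkhole address, and records which hosts hit the sinkhole, which is where the "infection counts" come from. The domain names, hosts, sinkhole IP and 60/40 blocked/sinkholed split are all constructed; the name generator is a stand-in, not Conficker's real algorithm.

```python
"""Added example, not from the article: a toy model of the coalition's
blocking-and-sinkholing defence. Domain names, hosts and the blocked/sinkholed
split are constructed; this is not Conficker's real domain-generation scheme."""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"   # documentation-range stand-in for a research sinkhole


def daily_domains(day: str, count: int = 250) -> list[str]:
    # Constructed stand-in for the ~250 rendezvous domains the worm tries each day.
    return [f"c2-{day}-{i:03d}.example" for i in range(count)]


class Sinkhole:
    """Resolver-side view of one day: blocked domains return NXDOMAIN, sinkholed
    ones resolve to the research sinkhole, and each sinkholed lookup is logged."""

    def __init__(self, day: str, blocked_fraction: float = 0.6):
        doms = daily_domains(day)
        cut = int(len(doms) * blocked_fraction)
        self.blocked = set(doms[:cut])       # registration blocked -> NXDOMAIN
        self.sinkholed = set(doms[cut:])     # registered by partners -> SINKHOLE_IP
        self.hits = defaultdict(set)         # sinkholed domain -> querying hosts
        self.nxdomain = defaultdict(int)     # host -> failed lookups (a local signal)

    def resolve(self, src_host: str, domain: str):
        if domain in self.blocked:
            self.nxdomain[src_host] += 1
            return None                      # NXDOMAIN
        if domain in self.sinkholed:
            self.hits[domain].add(src_host)  # the "infection count" researchers see
            return SINKHOLE_IP
        return "203.0.113.10"                # unrelated domain (constructed answer)

    def infected_hosts(self) -> set[str]:
        return set().union(*self.hits.values()) if self.hits else set()

    def noisy_hosts(self, threshold: int = 50) -> set[str]:
        # Local detection angle: a host failing dozens of lookups a day is suspect.
        return {h for h, n in self.nxdomain.items() if n >= threshold}


def simulate(day: str, infected: list[str], clean: list[str]) -> Sinkhole:
    sink = Sinkhole(day)
    for host in infected:                    # worm walks the whole daily list
        for dom in daily_domains(day):
            sink.resolve(host, dom)
    for host in clean:                       # ordinary traffic never touches the list
        sink.resolve(host, "www.example.net")
    return sink
```

The same per-host NXDOMAIN count works as a local signal on a recursive resolver's logs even before any domain is sinkholed, since the worm walks the entire daily list regardless of which entries exist.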

"By combining our expertise with the broader community, we can expand the boundaries of defence to better protect people worldwide," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group.