Microsoft offers $250,000 reward for Conficker arrest
Correction, 1:08 p.m. PST: This story initially misstated the amount of the reward. It is $250,000.
Microsoft on Thursday said it is offering a $250,000 reward for information that leads to the arrest and conviction of whoever is responsible for creating the Conficker Internet worm that has infected millions of PCs.
Microsoft said it is offering the reward because the worm constitutes a "criminal attack" and offering compensation should hasten prosecution. Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.
Microsoft also announced that it has partnered with security companies, domain name providers, and others on a coordinated global response to the worm, also known as Downadup. Participating are: the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, NeuStar, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.
The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October.
It also spreads via removable storage devices like USB drives, and via network shares by guessing usernames and passwords, which is "causing it to spread like wildfire in the enterprise," Jose Nazario, manager of security research for Arbor Networks, wrote on a company blog.
Coalition members have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.
"The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code," Nazario wrote. "The algorithm for this domain name generation scheme has been cracked (by F-Secure and others) and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature. This has been facilitated - greatly facilitated - by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in."
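The pre-registration and sinkholing workflow Nazario describes can be shown end to end with a small script. The following is an added example, not code from the article, from Microsoft, or from any coalition member: the domain generation algorithm in it is a hypothetical, deliberately simple stand-in (a date-seeded pseudo-random generator) and is not Conficker's real algorithm; the resolver log format and the IP addresses are constructed for the example. It shows the defender side: predict the day's names ahead of time, hold them as the list to reserve and point at a sinkhole, then match resolver or sinkhole logs against that list to find hosts checking in.

```python
"""Defender-side DGA pre-computation and sinkhole matching (added example).

The DGA below is a hypothetical stand-in: it is NOT Conficker's real
algorithm, only a placeholder with the same shape (a date-seeded
pseudo-random generator that yields a fixed number of names per day)
so that the defender workflow can be shown end to end.
"""
import hashlib
import random
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # constructed TLD set for the toy DGA
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(day, count=5):
    """Return the `count` names the toy DGA would produce for `day`.

    The toy DGA uses only the date as input, so anyone who knows the
    algorithm can run it ahead of time; that is what lets defenders
    pre-compute and pre-register the names.
    """
    digest = hashlib.sha256(day.isoformat().encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))
    names = []
    for _ in range(count):
        length = rng.randint(8, 11)
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        names.append("%s.%s" % (label, rng.choice(TLDS)))
    return names


def precompute(start, days, count=5):
    """Map every predicted domain in [start, start+days) to its rendezvous date.

    This is the list a registry/registrar coalition would reserve and
    point at a sinkhole before the worm tries to use it.
    """
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in generate_domains(day, count):
            table[name] = day
    return table


def parse_dns_log(line):
    """Parse a constructed resolver log line: '<timestamp> <client_ip> query <qname>'.

    Returns (client_ip, normalised qname) or None for lines that do not match.
    """
    parts = line.split()
    if len(parts) != 4 or parts[2] != "query":
        return None
    return parts[1], parts[3].rstrip(".").lower()


def find_checkins(log_lines, table):
    """Return {client_ip: set(predicted domains it queried)}.

    A host that resolves one of the pre-registered names is a likely
    infected host checking in for an update.
    """
    hits = {}
    for line in log_lines:
        parsed = parse_dns_log(line)
        if parsed is None:
            continue
        client_ip, qname = parsed
        if qname in table:
            hits.setdefault(client_ip, set()).add(qname)
    return hits


def demo():
    """Run the workflow on constructed log lines and return the flagged hosts."""
    table = precompute(date(2009, 2, 12), days=3)
    predicted = generate_domains(date(2009, 2, 13))
    # Constructed resolver log: one host checks in twice (once with mixed
    # case and a trailing dot), one host is benign, one line is malformed.
    log = [
        "2009-02-13T00:01:02 10.0.0.5 query %s." % predicted[0],
        "2009-02-13T00:01:03 10.0.0.5 query %s." % predicted[3].upper(),
        "2009-02-13T00:02:10 10.0.0.9 query www.example.com.",
        "garbage line",
    ]
    return find_checkins(log, table)


if __name__ == "__main__":
    for ip, names in demo().items():
        print(ip, sorted(names))
```

The lookup table is keyed on the normalised name so that case and trailing-dot variants in the logs still match, and the table keeps the rendezvous date so an analyst can tell which day's name a host asked for. In practice the predicted list is what gets handed to registrars, and the sinkhole's own access logs take the place of the constructed resolver log here.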
Over the past five days, Symantec has observed an average of 453,436 IP addresses infected per day with W32.Downadup.A and 1.7 million IP addresses infected per day with W32.Downadup.B, the company said in a blog posting.
"W32.Downadup is the first successful worm to target a vulnerability in a remote service since W32.Sasser in 2004, and in doing so it has shown that the Internet is still a successful breeding ground for worms," Symantec said.
Infected machines, of which there could be as many as 12 million according to a guesstimate by Arbor Networks, could be used to launch distributed denial-of-service attacks on Web sites or seed a new worm, according to Symantec.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Then maybe you can explain this: http://news.netcraft.com/archives/2009/01/16/january_2009_web_server_survey.html
Seems that the vast majority of servers on the Internet run... well, obviously not Windows. A 24/7/365 connected box on the public Internet seems a much more tempting target... yet the last Linux virus died sometime in 2001. Maybe you can help clear things up a bit?
http://www.channelregister.co.uk/2008/03/28/mac_hack/
Mac is the first to fall in Pwn2Own hack contest - Safari's bad-hair week
A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.
Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because "I thought of the three it was the easiest".
================
This proves that no operating system / browser / software is bullet-proof. The majority of hackers aim for the OS with the biggest market share because worms spread more quickly with more potential host machines.
Explain how a Mac security researcher with a pre-discovered flaw managed to take over a machine that he had local access to? You're kidding, right? If I have local access to any x86 machine, it can be popped. Hint: you may want to read your own cite: If Miller (the researcher) had a working remote access crack, he could've won $20k and used it the first day, not by waiting for day two and losing half of the prize money.
Incidentally, the Vista box fell at the same time, and the only reason that guy took so long was that he hadn't expected SP1 (then in beta) to be installed.
Funny enough, Ubuntu held out untouched the whole time.
So maybe you might want to provide something other than a semi-contrived contest?
You said: "Seems that the vast majority of servers on the Internet run... well, obviously not Windows."
You make the assumption that just because Apache is the HTTP server most folks run that it must be hosted on a non-Windows OS. The Netcraft.com article you referenced says absolutely nothing about operating systems. It only discusses web server market share. Apache runs on Windows, Linux, Unix, Mac OSes, etc.
So despite the fact that Apache is the dominant HTTP server, that article does not prove that most machines are not running Windows.
Are you asserting that the majority (or even a quorum) of Apache installs are on Windows? This should be interesting.
(let's just say that the number of Apache/Windows installs wouldn't be enough to even count, let alone make a dent ;) ).
No - just that the article you referenced does not discuss operating system market share.
Back to the original CNET article: the key question is are these millions of infected PC's desktop machines or servers? I'll bet most of them are Windows desktops in offices and homes.
The Wikipedia article on Linux: http://en.wikipedia.org/wiki/Linux has a section on market share that states:
"Estimates for the desktop market share of Linux range from less than one percent to almost two percent. In comparison, Microsoft operating systems hold more than 90%."
So if we're talking about desktop PC's, then Microsoft is the easiest target just by sheer numbers of machines out there.
The funny thing about the marketshare argument is that it commits two fallacies:
1) it ignores servers, and the dynamics of part-time connection on desktops vs. full-time connection of servers.
2) it relies on proportion - if that proportion existed, then one would think that 10% of all viruses out there targeted OSX, when in reality that figure is a statistical zero... let alone Linux, which hasn't seen a working virus in eight years.
Windows gets attacked because it is the low hanging fruit. The easiest. Script kiddies make mincemeat out of any Windows OS.
Yes, Penguin is correct. There is a huge difference between remotely exploiting a box and breaking into a box you have physical access to. It is not even close to the same thing.
I'm gonna have to start showing this article to every MSFT sales-critter who tries to spread FUD about Linux and OSX with regards to security... it'll be a laugh riot watching 'em try to avoid eating their own words. :)
From the people I know that get infected with crap like this, most seem to come from downloading applications off p2p. Some people never learn, if you give a program keys to the kingdom you better be sure of your choice, no matter the platform. I know a guy that must reinstall Windows XP every few months but he invariably installs Limewire and gets pwned again shortly after.
When it comes to selling server software... it certainly is. ;)
Should we also print out and show every single person who uses Linux how Walmart has tried TWICE to sell Linux-equipped desktops as the cheapest computer available at their stores and FAILED twice in a row? They offered Linux; the consumers didn't want it. That failed entirely.
Nah, I don't think I would. Nobody would be so petty and simple-minded as to do something like that. Well, I suppose I should take that back, as you just said you might have to do that very thing.
It'll be a laugh watching you to try to cover up the truth.
Really dude, get a life. You need one.
That's really funny. I've been frequenting Wal-Mart for the past 26 years and never saw an advertisement for Linux desktops, nor did I see a Linux desktop in the stores. I've looked over the information for their computers every time I've been in the market to replace mine and never saw any mention of Linux.
If they tried, they didn't do a very good job at advertising it. What were the other specs for those machines? Were they comparable to the Windows machines? If there was a Windows machine with the same specs, did it sell better than the Linux variety?
This article actually has merit, proving that MS just can't handle some things on its own, which it tries to do quite often. It's a good place to point to and prove that, simply because Linux users get the idea of banding together and working together for a common goal, we're more secure and more capable of adapting.
The article is also a good warning for those Windows users who think that just because they might get away with not running antivirus and not keeping up with the updates for several months and not see a problem, that doesn't mean there isn't one.
Although I disagree with his reasons for doing so, I do agree that every Windows troll and in fact every Windows user needs to read this article and realize just what's at stake.
#1 Fix Windows so viruses and worms don't infect it.
#2 Offer rewards for the arrest and conviction of the people writing the viruses and worms that infect Windows?
Car have locks and alarms, yet they still get stolen.
Homes have locks and alarms, yet they still get robbed.
Banks have security and safes, yet they still get robbed.
..... If a guy robs your house, do you blame the manufacturer of the door locks or the guy who robbed you? Should the thief be allowed to get away because he has the excuse that door locks are not 100% secure? That's not much different from blaming Windows for the criminal acts of the hacker.
'course not, but it would raise the barriers high enough to make it a far tougher job, thereby reducing the number of attacks, and putting the skill levels required way out of script-kiddie reach.
The trick isn't perfection, but to make the risks and effort required far larger than the benefit. Since neither Linux or OSX have seen an actual virus since, oh, 2001 or so (for Linux) and never (for OSX)? Guess who has the best record?
@penguisto The folks who don't ever bother patching in the first place are the biggest part of the problem. I'm sure there are a sizable number of business users who have some really industry-related software that pretty much ******* every time they want to change their clock, but by and large I wish people would be proactive about keeping up to date. I get just as many updates for OS X as I do for Windows, and same deal, I go with it. You put your nickel down on an OS, you might as well take it the extra step and do your best to keep it safe.
Until we start to realize that as long as ANY third party software can be installed on a machine, that it is NEVER going to be totally impossible to install viruses on it (and even then, with easy signature faking.....)..... we are not going to be having a real discussion on how to mitigate things.
Cars have locks and alarms but if you leave the locks off and don't turn on the alarm and someone "steals" your car, it's your fault. Windows users by far have left the locks open and have kept the alarms turned off.
If a guy robs my house and gets in because the security alarm was so annoying I turned it off, I'd blame the company that refused to fix it to work properly along with the guy who broke into my house.
I use Linux because it's not annoying and it still provides a good level of security without limiting functionality. Besides, it's like having a security alarm that is constantly being cared for.
I'm in for $10. Anyone else?
Really? Name some.
All that the web can cough up are oddball trojans that require a user to intentionally install the things, then enter root passwords or have root privileges.
I'd be really interested to see these "viruses" and "worms" you speak of.
Don't bother wasting your breath. When you prove Penguinisto wrong by using things like facts as you have, you're just going to have him change the subject, lie, or start quoting blogs and wiki articles.
It's really not worth the effort.
Don't feed the trolls.
I looked on Symantec and found a bunch of links to Symantec software, then I tried googling "MacOS X virus" and found one site offering antivirus services, and the rest were combinations of the words in separate sentences. Perhaps you could try sending a link that shows that info you were speaking of. I took half an hour and couldn't find a virus list or even a virus number anywhere.
@Vegaman_Dan
Be careful, if nobody fed the trolls you'd starve.
Better luck finding Dark Matter than the creator of this one.
Switching doesn't mean that you are 100% safe and that no viruses can be propagated via your machine; it just means that you are 99.9% safe and that viruses cannot propagate themselves via your machine. In other words, if there is a virus on your machine, it won't run, but you can still send it to someone else.
Is Al-Qa'ida even a real terrorist organization? I thought it was a CIA Blackops.
Yes, I know it's possible to infect a Linux system, but unless you are running as root or give a program root privileges, the damage is usually limited to the user account. User accounts can be easily nuked and redone from root if need be.
In the end, though, as long as people are ignorant about the computers they use, malware will be a problem on any platform no matter how secure you make the OS.
No OS can compensate for an idiot at the keyboard...
It is possible to gain administrator access in Windows, even if the user only has guest privileges.
Same goes for Linux. Linux has other solid security features, unlike Windows.
So how can one gain elevated privileges? There are several ways; the most direct is to exploit a program running with those privileges. Just because you aren't running as root/admin doesn't mean lots of other programs aren't. And those programs, of course, have flaws. Since they have higher rights than you, the machine doesn't need your permission.
Of course, the best target is the kernel. Get into ring 0 and you can own the firewall and any and all AV software. This is very difficult to do in Linux. Not so hard in Windows, which MS helpfully adds routines to make it a bit easier. To be fair, MS didn't add those in the make the bad guys lives easier, but that is the end result.
Windows makes it easier to attack by design.
If you have a small amount of technical knowledge (you need to understand processor architecture, assembly, and C, none of which is all that challenging, freshman/sophomore-level stuff), read these three books (one of which has information on attacking multiple OSs and one is purely about Linux) and see how bad it gets:
The Shellcoders Handbook
Hacking: The Art of Exploitation <This also has the BEST intro to C I have ever read> I wish I had this book when I started.
Rootkits: Subverting the Windows Kernel
All are top notch professional books that serve so many good purposes. In fact, if you are a real programmer these books will make you better.
You may want to read the comments above. Because of how Windows Updates typically work, applying all updates can mean that programs which are mission critical will break due to an update which also contained a security patch along with the problem software.
Either way, the company ends up with down time and either way, the company should put together all of that time and sue MS for the losses caused by it.
Until we know anything more about it than that it was spread so easily and so quickly, then we can't make any judgement calls.
- by cyberfreak13 February 23, 2009 10:19 PM PST
- WOW!! such interesting comments!! and such interesting replies!! =0
Man, i wonder wot id do if i got dat 250k reward......