Network News

X My Profile
View More Activity

Microsoft Offers $250,000 Reward for Conficker Worm Author(s)

Microsoft Corp. today said it is offering a $250,000 reward for information that leads to the arrest and conviction of those responsible for launching the "Conficker" computer worm, a threat that has infected millions of Microsoft Windows PCs over the past two months.

The reward is the most public acknowledgment yet of the damage inflicted by the Conficker worm - known to some anti-virus companies as "Downadup" -- which wiggles into Microsoft systems primarily through a security hole in the Windows operating system.

Microsoft issued a software update in late October to help customers guard against the attack, but Conficker can spread even to systems that have already been patched, by piggybacking on removable media -- such as USB drives -- that launch the worm when connected to a Windows system.

"As part of Microsoft's ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group. "By combining our expertise with the broader community we can expand the boundaries of defense to better protect people worldwide."

Microsoft created the reward program in 2003, funding it with $5 million to help law enforcement agencies bring computer virus and worm authors to justice. But this is the first time in four years that Microsoft has issued a reward in response to a worm outbreak.

In July 2005, Microsoft paid a $250,000 bounty to two individuals who helped identify the creator of the notorious "Sasser" worm, whose author was arrested in 2004 and subsequently sentenced to prison by German authorities. Microsoft also has offered $250,000 reward offers for information leading to the arrest and conviction of the author(s) behind three other major computer worm threats, including the "Blaster," "MyDoom," and "Sobig" worms. To date, those responsible for unleashing those worms remain at large.

Security Fix will have more coverage of the developments leading up to today's announcement. Stay tuned.

Update, Feb. 13, 6:04 p.m. ET: today published a story that looks at the unprecedented level of collaboration among industry, academic and Internet policy bodies in fighting this worm.

From that story:

The quarter-million dollar award Microsoft is offering for information that leads to the arrest and conviction of those responsibile for unleashing the "Conficker" worm may represent the culmination of what security experts say has been an unprecedented and collaborative response from industry, academia and Internet policy groups aimed at not just containing the spread of this worm, but also in creating a playbook for dealing with future digital pandemics.

Read more here.

By Brian Krebs  |  February 12, 2009; 2:10 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Critical IE, Exchange Flaws in Microsoft's Patch Tuesday
Next: As Tax Season Continues, Beware of Scams


Brian, thanks--a lot--for your columns and chats. Indispensable reading and printing out too.

I run my machine 99% of the time on a limited user account, using Admin only for updates to some applications. And then only for as long as it takes to download and apply the updates. It has XP Home SP3, Norton 360, Ad-aware, Spybot and several Firefox add-ons. I regularly run Secunia's online inspector and I update what it tells me to do.

Any idea why in the last two-three weeks my modem stauts (ADSL 20 MB always-on connection) reports that I am sending many more bytes/packets than before?

I turn on the PC in the morning and Firefox loads 5 tabs. Used to be that in the first hour of use I would receive 10 times more data than I received (10 MB bytes to 1 MB). Now it's about 10 MB sent vs. 4.5 MB received.

I have never had a reported virus from Norton scans, only a random tracking cookie revealed by Ad-Aware, nothing ever by Spybot. PC speed / connection seems normal--no noticeable slow-down.

Is there a way to know what /to whom and why I'm sending all this stuff?

Appreciate any ideas from you or your readers. Thanks.

Posted by: VeronaItaly | February 12, 2009 3:22 PM | Report abuse


There are two things that you can do if your malware scanners don't pick up any bugs:

1. Do a system restore to a date earlier than when you first noticed the change in data packet statistics. This will preserve all your saved files, but will remove any new application installations and reset all associated registry settings.

2. Get a Mac.

Posted by: hisroc | February 12, 2009 5:06 PM | Report abuse

Please tell your friends at the FBI that America is hungry for more "Roast Bot"

When the FBI announced "Operation Bot Roast" I was so happy to hear that "the feds" were doing something about the SOB's who create viruses and worms.

Viruses and worms really are a form of terrorism, and they have the same effect as terrorist acts do on people.

They make people afraid to do the normal things that they do in their day-to-day lives.

I've got a question for Brian or anyone else from the WP that sees this.

Why can't the FBI threaten these guys with astronomical financial damages based on the costs the viruses or worms have on companies and individuals that are their victims?

The numbers must be staggering.

Posted by: svreader | February 12, 2009 5:38 PM | Report abuse

svreader -- For openers, you have to have a collectible source, ideally as in an automobile accident case that source is insurance coverage, hopefully in a meaningful amount.

Insurance policies routinely exclude from coverage both willful and other kinds of malicious acts. Further, even with insurance coverage based on negligence, numerous kinds of events are excluded, i.e., a heart attack behind the wheel [unless there was previous warning of heart problems] spontaneous blindness, strokes, etc. The existence of damages does not always equate to coverage even when insurance is present.

Now if the individual, or group of individuals either have no assets or are otherwise 'judgment proof,' i.e., most high school or college kids, trying to collect against even parents with assets would require a duty by the parents to know what their kids are always doing -- ugh and then have the opportunity to prevent it, which they ignored. A judge ordering 'restitution' in a criminal case presents a similar problem because in modern western legal systems, debtors prisons do not exist, nor are even legal debts inherited in the absence of assets.

Posted by: | February 13, 2009 4:43 AM | Report abuse

MAC Sucks just as much as Windows...

Apple pushed QT 7.6 which crashed my ONLY installed software.

They refuse to recognize the problem.
They won't contact the manufacture
They wont read the manufactures website which states the problem. Arrogant MF's

I have apple care, Their answer reinstall the OS (oh, I thought that such a windows answer) I could of bought a dell for 1000 bucks less and have some idiot tell me to reinstall the os. duh

I never buy another apple again....

The blamed me and the software manufacture. (it was their security update.)

I posted my compliant on apple forums , they yanked it in three minutes, Any negative feedback about apple, apple policy and you are yank -- Great ignore your customers, charge an arm and a leg, then deliver nothing.

I also had three different supervisors tell me they had no one above to refer to call to. Must be nice not to have a boss! So, how did I find three different people in charge?

Arrogant, self-righteous, blame anyone but themselves, not acknowledge the problem, The IRS treats you better than apple.

They blow, I am so disappointed.

They act like GM in the 50's - 'We are America'

Just wait apple, you attitude that customers are problems will kill your company.

Posted by: georgethornton1 | February 13, 2009 6:02 AM | Report abuse

Veronaguy's story is very common. The bad guys seem to be way ahead of many of the people who are writing anti-spyware, antivirus, and patching the inevitable holes in the operating systems and the browsers. Unlike the past, where you needed to actually click on an executable attachment, the bad programs can run on your computer just by visiting the wrong web site (porn surfers, take note. . .). The more sophisticated malware not only messes up your computer and hijacks your browser, but also can keep you from going to sites from which you can download protective software, turn off windows update, and make it almost impossible to regain control of your computer. Even if you can find the bad programs, there are multiple files that act in concert with each other, such that if you delete even several of them, new copies are simply re-created.

Sometimes, these problems can be fixed, though I haven't seen much about this in the popular media. One solution is to use an uninfected (or relatively less-infected) computer to download (directly onto a thumb drive) a more modern program like malwarebytes ( that is able to detect a larger number of these bad programs. Then install it to your computer, but also install it onto the thumb drive (instead of the default drive) because for now, at least, the bad guys assume you'll be downloading installing antimalware programs to the C: drive and can prevent a successful installation. Run the program and be amazed at how much it finds.

One additional tip-- it seems that many of these bad programs use Java (including old and defective versions). If you look at your add-remove programs directory, it's not a bad idea to remove all copies of Java before doing this. Once your machine is clean, it's easy to re-download a fresh (less exploitable) copy.

And when you are done, make sure Windows update is turned on, make sure that your browsers are completely up to date, and prepare for a continuing fight!

Posted by: Virusguy | February 13, 2009 7:42 AM | Report abuse

I thought I would share my experiences when my pc was affected with some sort of malicious software, which caused me to become more educated in this area than I wanted to be...

I noticed that when I started up my pc, that it was sending stuff on my network port as indicated by the small terminal icons located on the lower right hand portion of my screen.

This occurred even when I had not started up a browser after rebooting.

I downloaded an internet sniffer that used to be caused Ethereal and is not called wireshark, to see if I could identify the source.

I couldn't identify the source but ended up talking with the security dept of my ISP, who were now complaining that my PC was introducing questionable traffic onto their network.

They suggested some additional software to try to scan for the offending software.

I tried Microsoft Malicious software removal tool and it produced no results.

I purchased Norton AV and couldn't get it to work without crashing my pc. I then paid $100 to Norton for cleaning it and the issue was still there.

I had been told that I can re-image my PC but chose to try to identify and remove before I resorted to that.

So I kept doing google searches on 'trojan' and similar searches to learn more about the issue in general.

Finally, after about the 3rd free product that had been recommended by the security group at my ISP, I found one that located the offending software and removed it and my PC was healthy again.

I then reported my findings to Microsoft and also my ISP.

My mistake was in thinking that once a virus hits the streets, all virus detection software would find it, but that was not the case. Apparently this trojan software was smart enough to prevent Norton from installing and functioning and until I happened to stumble across software that would find it and for which the trojan had not protected itself against, I kept running into a brick wall.

As soon as it was removed, my PC was healthy again...

End to end time to identify and remove it was something like 6 weeks.

I happen to work from home on my work laptop and was free to work on my personal pc during my workday, but didn't really focus on the issue until the last two weeks.

I figured as a last resort, I could re-image my PC, but I wanted to first see if I could locate and remove it without that drastic and painful re-image and re-install of my software......

Posted by: RichRable | February 13, 2009 8:55 AM | Report abuse

One bit of information some might find useful if it is true. In trying to rid my PC of an infection I ultimately secured the services of a small operation in Gaithersburg. After cleaning my machine they told me to but Panda, which is Spanish. The Gaithersburg person said that Norton and other US-based companies program their scanning to overlook cookies and the like from companies that pay fees to be overlooked. His argument was that Panda was not in that game. I have no way of verifying this; perhaps others do.

Posted by: areader21 | February 13, 2009 9:08 AM | Report abuse


If you want to see what traffic your computer is sending and receiving, you can get some simple free programs to show you all the network connections that are open at any given time.

I use Comodo fierwall (, which has a screen that shows all active network connections. I also have GoogleDesktop with the netstats gadget installed, which displays a concise picture of network connections on the desktop all the time.

The idea is to note all the programs that have an outbound or inbound connection, and make sure you understand what each one is and agree it has a legitimate need to make network connections. I would suspect that comparing inbound and outbound packet volumes is not very indicative one way or the other of unwanted or malicious activity.

Another line of defense you can establish, in addition to a firewall and anti-spyware/anti-virus programs that look for signatures of known threats, is to install software that runs at a low level and warns you about all programs that attempt to hook your keyboard or your screen. Any malware that gets past the signature-based scans will likely have to hook your keyboard or screen to achieve its mission.

I use SnoopFree to do this (, which you can configure to allow programs you've indicated are safe, and warn you when others try to hook your keyboard or screen.

Posted by: mark51 | February 13, 2009 9:32 AM | Report abuse

RichRable, do you mind saying which software application found the offender on your machine? I realize our mileage may vary, but I'm curious. Thanks.

Posted by: Heron | February 13, 2009 9:47 AM | Report abuse

Microsoft should handle this problem differently. Microsoft should not press charges and offer the hacker a job and he or she will come out of hiding. The Conficker hacker can improve Microsoft security for the years to come

Posted by: GuiasLocal | February 13, 2009 12:12 PM | Report abuse

One thing that I keep handy is a bootable CD running bartpe with various anti-spyware and antivirus programs installed. Then boot the CD and run the various tools to clean out the gunk...

I also have a USB adapter so I can connect a hard drive to my laptop so I can scan it that way, but the bartPE thing was far more useful and didn't tie up my laptop.

There are quite a number of tools out there that you can use in this environment, but not all tools are supported. I did some initial testing using a VM and once I was satisfied I used it on the infected machine.

This environment *does* have networking enabled, and I added firefox to my bootable CD so I can update a malware database or download other tools if I have the need.

Posted by: jackrussell252521 | February 13, 2009 3:06 PM | Report abuse

To avoid problems with websites trying to push infections, I use Firefox as a browser. This automatically excludes all ActiveX attacks.

Secondly I have both AdBlock-plus and NoScript installed, which blocks all scripts unless I explicitly allow them. It can be a minor nuisance - if you were to go to for example, you would need to tweak NoScript to allow scripts or otherwise the shopping cart wouldn't work.

I suppose if I were trying to browse to sites that I knew to be highly suspect or infected, I would just use a virtual machine, and then roll the thing back when done. But to be honest I have never had the need to take those sorts of measures.

Posted by: jackrussell252521 | February 13, 2009 3:11 PM | Report abuse

If Microsoft is serious about catching the perpetrator and discouraging others they should offer a reward of $10 million. They can afford it. If it works, and the criminal is caught, the next one who is tempted to do it will think twice.

Posted by: mceaston | February 13, 2009 3:26 PM | Report abuse

Have you been monitoring the ICANN consultation on Fast Flux. I was told that the ICANN meeting in London next week is make or brka for the future of ICANN and have just blogged accordingly with references:

I'd also like to say thank you because it was your cover of McColo that started me chasing what was happening on Fast Flux

Posted by: PhilipVirgo | February 13, 2009 3:28 PM | Report abuse

I am wondering why ISPs couldn't just block DNS replies with a short TTL. That would cut off the blood supply for any infected machines in that domain..

Yeah, it would probably break some rules, but the status quo just isn't working any more.

Posted by: jackrussell252521 | February 13, 2009 4:02 PM | Report abuse

hi, I had this latest virus, believe it was anti-virus 2009 which blocked me from going to all anti-virus sites such as trend micro, bitdefender, norton, malewarebytes, etc. also, i could not download any security updates from microsoft, etc. And my search engine was redirecting me to all kinds of junk sirtes, etc. I called trend-micro and they got me to turn off something in device manager which stopped all the redirects and enabled me to get to all anti-virus sites. Once I was able to do that, I was able to download all microsoft security updates including the crucial one back in October 2008 which patched a problem concerning downadup. I also downloaded theor milicious software removal tool as well ans windows defender. Iwas able to finally get all updates to my antivirus bitdefender program and was also able to download malewarebytes software and ran everything to clear my system and also ran these programs through my usb flash drives to clean them out just in case they were infected. So far, no more problems. Also, I'd like to warn everyone about the malicious Anti-Virus XP 2009. Which is very sneaky. If you get a strange popup which says your computer has been infected, do not x it out or touch the site in any way, as if you do, you will start automatically downloading this worm. the safest thing is to quickly reboot and then for safe keeping, run Malewarebytes, your anti-virus program, MS Malicious software removal tool, etc. Im sure if trend micro could show me how to stop the redirects and inability to go to anti-virus sites, most other companies can do the same. Whatever your anti-virus program, call your manufacturer and see how they can help you.

Posted by: yankeechess | February 13, 2009 9:12 PM | Report abuse

I know people are TIRED of hearing about Apple Mac's not being such a security problem, well it's just a fact. In our company of 28 mostly accountants and staff we use Macs for almost all Internet work. We have a couple of Windows machines for use when we must access a IE only website.

Posted by: kkrimmer | February 14, 2009 1:26 AM | Report abuse

Posted by: kkrimmer | February 14, 2009 1:28 AM | Report abuse



Posted by: kkrimmer | February 14, 2009 1:31 AM | Report abuse

Does anyone see the basic problem here? Microsoft makes an inferior product with security vulnerabilities they don't fix before release. There is no amount of discussion that will fix that.

Wouldn't the $250,000 be better spent on making a better product?

Posted by: bentripn | February 15, 2009 6:38 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company