But not seriously enough to turn off AutoRun, huh? No, too soon?
http://www.us-cert.gov/cas/techalerts/TA09-020A.html
Yes, I realize it's not the primary means of propagation, but still...
Microsoft has announced an alliance of various industry partners whose goal is to fight the Conficker worm. The announcement is short on actionable methods for stopping the worm, but it does include one gem: a $250,000 (US) bounty for information leading to the capture of those responsible for the worm.
Microsoft is taking the Conficker worm pretty seriously. They have, for the first time, coordinated a group of industry representatives from security companies, consulting firms, and registrars to actively combat the outbreak. Microsoft is not limiting itself to technical solutions; they are offering a $250,000 reward for information that leads to the arrest of the worm’s authors.
The aforementioned group does not consist of bounty hunters. They are trying a variety of operational techniques to slow down the botnet’s growth. Jose Nazario of Arbor Networks has filled in the gaps on what the group is actually planning:
One of the strategies being used by the group that has come together is to “soak up” the domain names being used by Conficker with pre-registration and lock. … That sinkhole data is being shared within the “cabal” and shared with customers: ISPs and their customers, enterprises, CERT teams, and others. This, in turn, is being used to try and clean up hosts with tools and information sheets with clear instructions.
Jose goes on to say that even though the update mechanism may be interdicted, the population of compromised machines will still be in the field. Yes, this is bad.
If you are interested in the technical analysis of how the bot works, I suggest you check out the extremely thorough writeup from SRI.
