Posts Tagged ‘virus’
Friday, February 13th, 2009
The Conficker worm author is the latest to have a bounty placed on his/her head. I’m not inherently opposed to rewarding people who turn in criminals (it has certainly been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.
Update: On a related topic, when doing some background research on Conficker, I stumbled across the following headline:
“French navy surrenders to Conficker”
The jokes just sort of write themselves….
Tags: bounty, crime, Microsoft, virus, worm Posted in news | Comments Off
Wednesday, August 27th, 2008
It looks like the first computer virus to cross into outer space is the W32.Gammima.AG worm.
Tags: iss, NASA, space, virus Posted in news | Comments Off
Tuesday, August 12th, 2008
The Race to Zero is a competition which recently wrapped up at Defcon. In it, teams of contestants are given ten known pieces of malware – viruses and exploits – and are tasked with obfuscating each sample so that antivirus programs no longer detect it. The competition was ultimately won by Mandiant, which completed the task in a little over six hours (about 36 minutes per challenge). This contest simply serves to illustrate the point that signature-based antivirus scanning is a failing proposition. As I’ve said before, there is a virtually infinite number of possible malware signatures out there, and trying to write an infinite number of signatures is an exercise in futility. It makes a lot more sense to enumerate good than to enumerate bad. We figured this out years ago when we started making firewalls use a default deny – we should be doing the same for antivirus.
Tags: antivirus, defcon, malware, race to zero, virus Posted in software | 5 Comments »
Thursday, June 26th, 2008
In the “duh” reporting of the moment, securityfocus reports that:
The number of signatures required to detect malicious code skyrocketed in the first half of 2008.
While I may mock them (gently, of course) for reporting something which is obvious, the growth curve is impressive:
The data — part of F-Secure’s IT Security Threat Summary — showed that the company currently requires nearly 900,000 different signatures, also referred to as “definitions” or “detections,” in its product to catch current threats, up from 500,000 signatures at the end of 2007.
The solution, of course, is to stop writing signatures. There is a virtually infinite number of pieces of malware that can be written, and trying to write a signature for each and every one is an exercise in futility. We’ve seen it time and again – blacklisting does not work in the long run; it is not scalable, and it is inherently reactive rather than proactive.
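To make the argument of this post and of the Race to Zero post above concrete, here is an added example (written for this page; it is not code from the contest, from F-Secure, or from any antivirus product). The two “programs”, the toy XOR packer, the signature format and the hash allowlist are all constructed for the demo. Re-packing the same malware with a new key defeats every signature written for the variants already seen, so the signature database has to grow by one entry per variant, while a default-deny allowlist of approved hashes rejects every variant without being updated.

```python
"""Signature scanning vs. default-deny allowlisting, on constructed samples.

Nothing here is real malware: the "programs" are byte strings built below.
"""
import hashlib

# Constructed stand-ins for an approved binary and a malicious one.
BENIGN = b"MZ\x90\x00" + b"REPORT: print the quarterly report and exit" + b"\x00" * 8
MALWARE = b"MZ\x90\x00" + b"EVIL: download http://example.invalid/x and run it" + b"\x00" * 8

# Blacklist side: a byte-pattern signature, as an AV engine would ship it.
SIGNATURES = {"Demo.Downloader.A": b"download http://example.invalid/x"}

# Whitelist side: hashes of software allowed to run; everything else is denied.
ALLOWLIST = {hashlib.sha256(BENIGN).hexdigest()}


def scan_by_signature(sample, signatures=SIGNATURES):
    """Return the name of the first signature whose pattern occurs in sample, else None."""
    for name, pattern in signatures.items():
        if pattern in sample:
            return name
    return None


def allowlist_verdict(sample, allowlist=ALLOWLIST):
    """Default deny: only an exact, pre-approved hash may run."""
    return "allow" if hashlib.sha256(sample).hexdigest() in allowlist else "deny"


def xor_pack(sample, key):
    """Toy 'packer': XOR the program with a repeating key, prefix a 5-byte header
    (magic, key length) and the key. A real packer also prepends a stub that undoes
    this at run time; for a signature scanner only the on-disk bytes matter."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(sample))
    return b"PACK" + bytes([len(key)]) + key + body


def unpack(packed):
    """Undo xor_pack: the program inside is unchanged, only its bytes on disk differ."""
    klen = packed[4]
    key, body = packed[5:5 + klen], packed[5 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def variant_key(i):
    """Deterministic per-variant key with no zero byte, so every input byte is altered."""
    digest = hashlib.sha256(i.to_bytes(4, "big")).digest()
    return bytes(b % 255 + 1 for b in digest[:4])


def derive_signature(packed):
    """What a signature author extracts from a captured variant: 16 bytes of its body."""
    klen = packed[4]
    return packed[5 + klen:5 + klen + 16]


def signature_race(n_seen=10):
    """Re-pack the same malware n_seen times, write one signature per captured
    variant, then test against a fresh variant nobody has seen yet."""
    seen = [xor_pack(MALWARE, variant_key(i)) for i in range(n_seen)]
    db = {f"Demo.Downloader.{i}": derive_signature(v) for i, v in enumerate(seen)}
    fresh = xor_pack(MALWARE, b"\x5a\x17\xc3\x2e")  # the next key the attacker picks
    return {
        "signatures_written": len(db),
        "plain_caught": scan_by_signature(MALWARE) is not None,   # unpacked original hits
        "seen_caught": all(scan_by_signature(v, db) for v in seen),
        "fresh_caught": scan_by_signature(fresh, db) is not None,  # False: needs signature n+1
        "fresh_denied_by_allowlist": allowlist_verdict(fresh) == "deny",
        "benign_allowed": allowlist_verdict(BENIGN) == "allow",
        "payload_intact": all(unpack(v) == MALWARE for v in seen + [fresh]),
    }


if __name__ == "__main__":
    for k, v in signature_race().items():
        print(f"{k}: {v}")
```

The allowlist is not free either: every legitimate update needs a new hash entry, and an approved program with its own vulnerability can still be exploited in memory, which is why hash allowlisting is normally paired with code signing and a patching process rather than used alone.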
Tags: proactive security, virus, whitelisting Posted in software | Comments Off
Wednesday, June 18th, 2008
The gpcode virus has been making news of late. It’s ransomware that encrypts the infected machine’s files with a 1024-bit RSA key and demands a monetary payment in exchange for the decryption key. Kaspersky Labs announced that they would try to brute-force the key if people would just loan them some spare CPU cycles. They took some flak for even trying this, including a rebuke from the master cryptographer himself, Bruce Schneier.
Now it appears they’ve found a solution. No, they haven’t cracked a 1024-bit RSA key this quickly; they’ve discovered that the original files can be undeleted (the malware deleted the plaintext rather than overwriting it, so it stays on disk until those sectors are reused), and they have released a utility to assist in the endeavor. This is another example of Shamir’s third law of security. For those of you who don’t know, Adi Shamir, recipient of the Turing Award and the S in RSA, once delivered his three laws of security:
- Absolutely secure systems do not exist
- To halve your vulnerability you need to double your expenditure
- Cryptography is typically bypassed, not penetrated
This is about as good an example of law number three as I can think of. Kaspersky would have found it nearly impossible to break the key in any meaningful amount of time; circumventing the cryptography proved much easier.
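As an added example of law number three (a simulation written for this page, not Kaspersky’s utility and not a reconstruction of what gpcode itself did): a toy block device with first-fit allocation, a constructed “invoice.pdf”, and a SHA-256 counter-mode keystream standing in for the RSA layer. The ransomware writes an encrypted copy and then unlinks the original; the recovery routine never touches the cipher, it just carves the plaintext back out of the blocks no directory entry points to any more.

```python
"""Shamir's third law in miniature: the ransomware's cipher is never broken, the
plaintext is carved back out of the disk blocks the malware only unlinked.

Everything here is a constructed simulation: a toy block device, a stand-in
stream cipher in place of gpcode's RSA layer, and a made-up 'invoice.pdf'.
"""
import hashlib

BLOCK = 64                 # bytes per block on the toy disk
MAGIC = b"%PDF-"           # files in the demo start with this ...
TRAILER = b"%%EOF"         # ... and end with this, so a carver can find their bounds


class ToyDisk:
    """Flat block device plus a directory of name -> (block indices, length)."""

    def __init__(self, nblocks=32):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))   # first-fit allocation from this list
        self.dir = {}

    def write(self, name, data):
        need = max(1, -(-len(data) // BLOCK))
        idx = [self.free.pop(0) for _ in range(need)]
        for k, i in enumerate(idx):
            self.blocks[i] = data[k * BLOCK:(k + 1) * BLOCK].ljust(BLOCK, b"\x00")
        self.dir[name] = (idx, len(data))

    def read(self, name):
        idx, n = self.dir[name]
        return b"".join(self.blocks[i] for i in idx)[:n]

    def delete(self, name, wipe=False):
        """An ordinary delete drops the directory entry and frees the blocks; the
        bytes stay until something reuses them. wipe=True overwrites them first."""
        idx, _ = self.dir.pop(name)
        if wipe:
            for i in idx:
                self.blocks[i] = bytes(BLOCK)
        self.free.extend(idx)


def xor_stream(data, key):
    """Stand-in cipher (SHA-256 counter-mode keystream). Its strength is beside
    the point: the recovery below never touches it."""
    out = bytearray()
    for ctr in range(-(-len(data) // 32)):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(d ^ k for d, k in zip(data, out))


def ransom_encrypt(disk, name, key, wipe_original=False):
    """Write an encrypted copy, then delete the plaintext the way this demo assumes
    the malware did: unlink it without overwriting (unless wipe_original)."""
    disk.write(name + ".locked", xor_stream(disk.read(name), key))
    disk.delete(name, wipe=wipe_original)


def carve(disk, magic=MAGIC, trailer=TRAILER):
    """Undelete without any key: walk blocks no directory entry references, start a
    file at each block beginning with `magic`, and collect contiguous unreferenced
    blocks until `trailer` appears."""
    referenced = {i for idx, _ in disk.dir.values() for i in idx}
    found, i, n = [], 0, len(disk.blocks)
    while i < n:
        if i in referenced or not disk.blocks[i].startswith(magic):
            i += 1
            continue
        buf, j = b"", i
        while j < n and j not in referenced and trailer not in buf:
            buf += disk.blocks[j]
            j += 1
        end = buf.find(trailer)
        if end != -1:
            found.append(buf[:end + len(trailer)])
        i = j
    return found


def scenario(wipe_original=False):
    """Infect a toy disk and return what a victim without the key can get back."""
    disk = ToyDisk()
    doc = MAGIC + b"1.4\n" + b"Q2 invoice: pay 4,200 EUR to account ...\n" * 3 + TRAILER
    disk.write("invoice.pdf", doc)
    key = hashlib.sha256(b"attacker-held secret, never on the victim's disk").digest()
    ransom_encrypt(disk, "invoice.pdf", key, wipe_original)
    locked = disk.read("invoice.pdf.locked")
    return {
        "doc": doc,
        "cipher_differs": locked != doc,
        "key_still_works": xor_stream(locked, key) == doc,   # cipher not penetrated
        "carved": carve(disk),                               # cipher bypassed?
    }


if __name__ == "__main__":
    for wipe in (False, True):
        r = scenario(wipe)
        print(f"wipe_original={wipe}: recovered {len(r['carved'])} file(s)")
```

Run `scenario(True)` to see the caveat: had the malware overwritten the originals before unlinking them, or had the freed sectors been reused by later writes, carving finds nothing and the only way back to the plaintext is the key. That is why an incident responder images the disk before doing anything else on the infected machine.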
Tags: brute force, cryptography, kaspersky, schneier, shamir, virus Posted in cryptography | Comments Off