Cabal forms to fight Conficker, offers bounty
Robert Lemos, SecurityFocus 2009-02-13

Microsoft has put the author of the Conficker worm on notice.

On Thursday, the software giant announced that it would offer a bounty of $250,000 for information leading to the arrest and conviction of the person or group responsible for the spread of the pernicious program. In addition, the company has banded together with Internet service providers and security companies to stop the spread of the worm. While the effort, dubbed the Conficker Cabal, was made public on Thursday, the ad hoc group began forming weeks ago, participants stated.

The success of the Conficker worm has made the cabal necessary, Microsoft said on Thursday.

"As cyber threats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation is required," the company said in a statement sent to SecurityFocus. "To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker."

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.

The initial variant of the worm used a vulnerability in Microsoft's Windows operating system to spread to vulnerable computers. The second iteration of the program also spreads to open network shares and attempts to access weakly protected systems by trying 250 common passwords. The later variant, known as Conficker.B, also propagates by copying itself to USB memory sticks by infecting the autorun.inf file. Both variants block infected computers from updating security and system software by blacklisting the domains of Microsoft and many security firms.

"The other infection vectors — such as infecting through network shares — are the biggest pain points," said Vincent Weafer, vice president of security response for Symantec, a member of the Conficker Cabal and the owner of SecurityFocus. "It can lock out accounts, because of the number of attempts made by the password cracker."

Currently, the worm does little but infect new computers. Yet morphing into a full-fledged botnet is only a single step away. Every day, each instance of the worm generates a list of pseudo-random domain names and attempts to contact those domains. Anyone who knows the algorithm for generating the domains can reserve one ahead of time and host software that would be uploaded to every instance of the worm. This amounts to a ticking time bomb, said Thomas Cross, a researcher with IBM Internet Security Systems' X-Force group.
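The daily burst of lookups for pseudo-random names described above leaves a footprint in resolver logs that a defender can watch for. The following is an added example, not code from the article or from the Cabal: it scans constructed DNS log lines (the log format, the sample names and the thresholds are all assumptions, and the heuristics are generic, not Conficker's actual algorithm) and flags clients that fail to resolve many random-looking domains in a single day.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real Conficker traffic):
# "<day> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2009-02-12 10.0.0.5 www.microsoft.com NOERROR
2009-02-12 10.0.0.9 qxzvbrtpk.com NXDOMAIN
2009-02-12 10.0.0.9 mvlpwqzrt.net NXDOMAIN
2009-02-12 10.0.0.9 rkxbtqwvz.org NXDOMAIN
2009-02-12 10.0.0.9 zpqwmvtlk.biz NXDOMAIN
2009-02-12 10.0.0.9 tvkqzpwrm.info NXDOMAIN
2009-02-12 10.0.0.7 intranet.example.com NOERROR
2009-02-12 10.0.0.7 typo.exmaple.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registrable_name(qname):
    # Crude: keep the last two labels ("a.b.example.com" -> "example.com").
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def shannon_entropy(s):
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def looks_random(label):
    # Heuristic only: long, nearly vowel-free, high character entropy.
    return len(label) >= 6 and vowel_ratio(label) < 0.2 and shannon_entropy(label) > 2.5

def find_dga_suspects(log_text, min_failed=5, min_random=3):
    """Return {(day, client): random-looking NXDOMAIN names} for clients with many failures."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "NXDOMAIN":
            day, client, qname, _ = m.groups()
            failed[(day, client)].add(registrable_name(qname))
    suspects = {}
    for key, names in failed.items():
        random_names = sorted(n for n in names if looks_random(n.split(".")[0]))
        if len(names) >= min_failed and len(random_names) >= min_random:
            suspects[key] = random_names
    return suspects
```

A single typo (the 10.0.0.7 host) stays below the thresholds, while the host that fails five random-looking names in one day is reported for quarantine and closer inspection.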

"It definitely is important that you get this off your network, because we don't know what it will turn into in the future," he said in a recent interview.

The Conficker Cabal has already started locking out the worm by registering the pseudo-random domains generated by the program. The tactic turns the program from a lurking danger into, mostly, a nuisance, said Jose Nazario, manager of security research for Arbor Networks.

"We should not underestimate the value of locking out the bad guys by reserving the domain space," he said.

A Whois lookup of one of the worm's domains, which was displayed on Arbor's site, showed the registrant's name to be "Conficker Cabal."

Among the companies involved in the coalition are the Internet Corporation for Assigned Names and Numbers (ICANN), Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.

The announcement comes as companies are having a hard time cleaning out the pernicious worm. Security researchers have stated that small businesses and consumers in emerging markets are the ones primarily being affected by the malicious program. SRI International's survey of IP addresses showing signs of infection found that China, Brazil and Russia accounted for almost 40 percent of the compromised nodes.

Aa'ed Alqarta, a security engineer based in Kuwait, has been fighting to eradicate the program from his company's network. While the information-technology staff for the company, which Alqarta asked not to be named, had deployed the patch for the Microsoft vulnerability used by the worm, the malicious program piggybacked on an unsecured laptop or infected USB drive and spread to the network, he said.

"The virus has infected business machines that are being used to serve customers on a daily basis," Alqarta said in a recent e-mail interview. "We had to respond fast to get them back again online and continue their tasks."

The system engineer believes that 100 out of the 2,500 computers in the company were eventually infected with the worm. On Wednesday, he stated that staff have eradicated the malicious program and have instituted security rules tough enough to keep it out of the network.

"I've heard about many companies in the Middle East which have been hit by Downadup/Conficker and it was a hard lesson for them," he said in an e-mail. "You should always be prepared for the worst."

Alqarta recommends that IT professionals patch their systems, ban the use of USB drives, use managed endpoint protection software with strict security policies and immediately quarantine any machines with signs of infection.

The announcement on Thursday also marks the first time in nearly five years, and only the fifth time ever, that Microsoft has offered a bounty for information leading to the arrest and conviction of the person responsible for creating a malicious program.

In November 2003, the company kicked off its Anti-Virus Reward Program by offering bounties for information on the people responsible for releasing the MSBlast, or Blaster, worm and the Sobig.F virus. Two months later, Microsoft added the author of the MyDoom.B virus to its Most Wanted list. All three bounties have failed to turn up any solid leads.

The program's only success came in May 2004, when it convinced two high-school students to offer to turn in another who had bragged about creating the Sasser worm.

Following the release of the worm, the two informants in Germany inquired about whether the bounty would be offered for information about the person responsible for the malicious program. Microsoft's willingness to deal netted law enforcement 17-year-old Sven Jaschan, a high-school student, who received a 21-month suspended sentence in 2005. In the end, Jaschan — who also admitted to creating the original version of the Netsky virus — received 30 hours of community service because he was a juvenile at the time of his arrest.

While the $250,000 bounty has succeeded in luring high-school students to turn in their compatriots, it's uncertain whether the amount will be enough to cause the associates of more organized cybercriminals, such as those thought to be behind Conficker, to come forward.

Microsoft would not comment on whether the bounty is enough or whether it is considering raising the amount.

"Microsoft is following the same standard as previous AV Reward offers," the company said in a statement e-mailed to SecurityFocus. "At this time, we have no further information on higher bounty amounts."
