Microsoft offers $250,000 for capture of Conficker writer

The Conficker situation has to be maddening for Microsoft. The vulnerability was patched months ago, but as the infection spreads through unpatched systems, it's hitting some very high-profile networks. And so the company's offering a remarkable reward for what could be a very fragile peace of mind.

Microsoft announced on Thursday that it's prepared to hand over a quarter of a million dollars (or the equivalent sum in your local currency; the offer's worldwide) for information leading to the arrest and conviction of the person or persons who wrote Conficker. That's not a bad payday for a knowledgeable person willing to drop a dime, but a look at past arrests for alleged malware-writing reveals that usually the people who get nabbed are, to be blunt, script kiddies who tweaked up a variant and got (un)lucky. (Remember Jeffrey Lee Parson? The Blaster B variant? Anyone?)

More productive, most likely, is a cross-industry community effort to rein Conficker in. According to a press release by the company, Microsoft is working with ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence to kneecap the malware, which has infected an estimated 10 million Windows machines already.

The cross-community effort's something new and interesting, and it could be a model for tackling ultra-infectious malware episodes in the future. "The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together," said Greg Rattray, chief Internet security advisor at ICANN, in a statement Thursday.

Microsoft has published Conficker-specific information. In addition, the company has recommended, as they have recommended since October, that users apply the out-of-band patch released specifically to address this vulnerability.