Late last fall, Microsoft servers came under attack from a particularly vicious worm called Conficker/Downadup. The worm may have been specifically written to exploit a vulnerability that Microsoft revealed in Security Bulletin No. MS08-067.
By mid-January, cybersecurity specialists estimated that as many as nine million computers had been infected. More disturbingly, even today as many as a third of the vulnerable servers have not been properly patched.
Frustrated by the incomplete and ineffective response of server administrators, Microsoft is taking a more aggressive approach. On Thursday, the software giant announced the formation of a cyber posse to hunt down the worm authors. It is also offering $250,000 for information that leads to the arrest and conviction of the individuals responsible for the worm.
Broad Industry Response
The seriousness of the worm attack is illustrated by the high-profile coalition organized by Microsoft. Participating members include some of the online industry's most prestigious firms: ICANN, Neustar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, Shadowserver Foundation, Arbor Networks, and Support Intelligence.
"As cyber threats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation is required," Microsoft said in response to an e-mail query. "To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker."
George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group, said the coalition is part of Microsoft's on-going security efforts. "By combining our expertise with the broader community, we can expand the boundaries of defense to better protect people worldwide."
Greg Rattray, ICANN's chief Internet security adviser, agreed. "The best way to defeat potential botnets like Conficker/Downadup is by the security and domain-name system communities working together," he said. "ICANN represents a community that's all about coordinating those kinds of efforts to keep the Internet globally secure and stable."
Uphill Battle
Even with the coalition, it will be a challenge to completely shut down Conficker/Downadup. Coalition member Symantec told InformationWeek that it has seen a half-million infections in the last five days from worm variant W32.Downadup.A, and 1.7 million infections from W32.Downadup.B.
In a blog posting, Symantec said the worm has been successfully reverse-engineered, revealing the pseudo-random domain-generating tool that the worm uses. By preregistering the domains generated by the worm, security specialists can redirect it to secure servers that log information about other infected systems.
While the cooperation between software manufacturers, security firms, and domain registrars is a welcome step, it's only a partial solution. Variant A will be slowed as its pool of domains dries up. However, variant B uses a separate peer-to-peer propagation method that is slower but takes advantage of the fact that many computer users don't have effective security software.