Microsoft puts $US250,000 bounty on Conficker writer’s head
The software giant is offering cash for information that leads to the arrest and conviction of those responsible for unleashing the worm – the most virulent virus the world has ever seen. Plus: new infection-avoiding tips from Microsoft NZ.
The $US250,000 bounty is being offered in conjunction with a number of industry organisations, including ICANN, which is the closest thing the internet has to a governing body.
Antivirus company F-Secure has fingered Conficker’s author as a Ukrainian, because the first thing the worm does upon infecting a computer is check whether it has a Ukrainian-configured keyboard. If it does, it leaves it alone.
However, Symantec ANZ senior manager Peter Sparkes told NBR that Conficker was created by a slick organisation, which is likely to be financially motivated (unlike the show-off hackers of old), and would likely turn out to be a multi-person, cross-border outfit.
Symantec is currently tracking around 2.3 million new infections per day, though the total number of infected PCs is hard to gauge as systems are being patched all the time.
Although Conficker has now infected PCs all around the world, making them vulnerable to receive its payload, its authors have yet to deliver any actual malware, confounding computer security experts.
Microsoft New Zealand national technology officer Brett Roberts points out his company now has a dedicated site for distributing information, and the vital Windows patch to block the virus (microsoft.com/conficker).
Windows upgrade good for your health
Conficker now has many variants, but most have targeted older versions of Windows. Vista, for all its negative press, is a more secure OS than its predecessors.
Speaking earlier, on the topic of Vista's market share ahead of Windows 7's release, Mr Roberts said, "There will always be leaders and laggards. For example, there's a certain health institution that's still got Windows 2000 on some of its PCs".
The Ministry of Health continues to be plagued by Conficker, according to Computerworld, with 90% of its computers still disconnected from the internet.
Reverse engineering Conficker
Mr Roberts has also posted advice for net admins:
“Conficker will try every three hours to connect to specific domains over HTTP (‘phoning home’); however, unlike many other worms which use a static list of domains, Conficker’s domain list is dynamically generated by an algorithm which has now been reverse engineered.
“Because of this, it may be possible to identify infected hosts on your network if you’re able to log outbound traffic and then analyse those logs. If you see an entry in your logs for one of your systems connecting to one of these domains, that system may be infected by Conficker.
“You can also use this information to block access to those domains at your network perimeter by adding these domains to any “block lists” you might have.
“The list of Conficker domains is available as a zipped file at the bottom of this Microsoft Security Response Center page.”
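The log check Mr Roberts describes, as an added example (not code from NBR or Microsoft): it matches outbound proxy log entries against a domain list and reports which internal clients requested listed domains. The log format, the `.example` domains and all function names are constructed for illustration; the real list is the one published on the Microsoft page mentioned above.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-ins for entries in the published domain list;
# these are NOT real Conficker domains (.example is a reserved TLD).
BLOCKLIST_TEXT = """\
# one domain per line
aaqwxyz.example
BBRTPLK.example.
ccmnvdo.example
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2009-02-13T00:02:11 10.0.4.17 GET http://aaqwxyz.example/ 504
2009-02-13T00:02:12 10.0.4.17 GET http://bbrtplk.example:80/ 504
2009-02-13T00:05:40 10.0.4.22 GET http://intranet.corp.example/home 200
2009-02-13T03:02:15 10.0.4.17 GET http://CCMNVDO.example/ 504
2009-02-13T03:10:03 10.0.9.5 GET http://aaqwxyz.example./ 504
truncated line
"""

def normalise(host):
    """Lower-case a hostname and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")

def load_domains(text):
    """Parse a one-domain-per-line list, ignoring blanks and # comments."""
    lines = (line.split("#", 1)[0] for line in text.splitlines())
    return {normalise(line) for line in lines if line.strip()}

def find_suspects(log_text, domains):
    """Map each client IP to the listed domains it tried to reach."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated entries
        client, url = fields[1], fields[3]
        host = normalise(urlsplit(url).hostname or "")
        if host in domains:
            hits[client].add(host)
    return {client: sorted(found) for client, found in hits.items()}

if __name__ == "__main__":
    for client, found in find_suspects(SAMPLE_LOG, load_domains(BLOCKLIST_TEXT)).items():
        print(f"{client}: {len(found)} listed domain(s): {', '.join(found)}")
```

A client that requests several different listed domains is a stronger lead than one with a single hit; the same normalised set can be exported to a perimeter block list.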
Comments and questions (3)
I have explained before that the NZ Ministry of Health could avoid all its current malware problems by switching from the Windows OSes to Linux Ubuntu Intrepid Ibex.
The NZ MoH hasn't listened. It's rather like the smoker diagnosed with lung cancer who continues to smoke.
When will this unintelligent organisation learn what is good for it!
That's a small bounty considering that the virus is one of the most virulent the world has ever seen. I figure it has already caused serious damage to Microsoft, hackers won't be tempted by this money, they probably aim for more. This kind of virus is the reason why I always keep a clean registry but even so one never knows when bad luck comes the way.
Does anyone know if they ever found the guy?