No mutiny from Microsoft's bounty

A year on, and the company's $1 million tip-off program has nabbed just one virus writer. Is it a bust?

By Robert Lemos
CNET News.com

Virus writers have a price on their heads—but it's done little to discourage them.

In the year since Microsoft kicked off its Anti-Virus Reward Program, it has tallied only a single success. The program has offered $1 million to informants who help close official investigations into four major viruses and worms, and has another $4 million earmarked for future rewards, but the deluge of online threats has continued to swell.

"I think it is fair to say for every time they have gone public to offer a bounty, it hasn't worked," said Graham Cluley, a senior technology consultant at Sophos, an antivirus software company.

Two worms and two viruses have caused Microsoft enough pain to be included on its most-wanted list: the MSBlast and Sasser worms, and the Sobig.F and MyDoom viruses. The company has offered $250,000 for information leading to the arrest and conviction of those responsible for each malicious program.

The most recent case, concerning the Sasser worm, could be counted as the program's biggest success. German authorities arrested a teenager in May after Microsoft tipped them off with details about the alleged Sasser author it had received from informants.

Cluley noted that Microsoft had not offered a public bounty in the Sasser case and decided to pay the reward only after being approached by the informant, a friend of the suspected author.

The software company points out that nevertheless, the Sasser case would not have been broken without the lure of cash.

"We are very encouraged by it; we feel it has been successful," said Rich Lamagna, the director of worldwide investigations for Microsoft and a 30-year law enforcement veteran. "Indications from our law enforcement counterparts are that it seems like more people are coming forward."

In the past, arrests in Internet crime cases have almost always resulted from the culprit making a mistake, such as leaving a digital trail or attempting to collect a payment. It's only in very few instances that accomplices turned on their online friends—making Microsoft's reward program a long shot.

Security researchers do see benefits in the program. "From my point of view, it has to be a good thing that the rewards are out there," said Sophos' Cluley. "From Microsoft's point of view, it is a win, because they are shown to be doing something, even if it doesn't end up with results."

Security threats aimed at Microsoft products have become more and more common, prompting the company to make hobbling the advance of digital pests part of its security push. A recent study also found that online threats are extremely successful against home users, with one in five PCs infected with a computer virus, and four in five PCs home to spyware.

The Sasser worm, which started spreading on May 1, has infected between 500,000 and 1 million systems, security experts estimate. The worm does little damage and, unlike previous fast-spreading worms, has not caused overwhelming network disruptions. However, in many cases, the worm does cause infected Windows XP and Windows 2000 computers to repeatedly reboot.

If the alleged author of the worm, Sven Jaschan, is convicted of criminal charges, Microsoft will be on the hook to pay out the bounty. German law enforcement authorities believe that Jaschan, an 18-year-old resident of Waffensen in the Lower Saxony region of Germany, also coded more than two dozen versions of the mass-mailing computer virus Netsky, which is not on Microsoft's reward list.

Despite the arrest, new versions of Netsky, originally dubbed the Skynet virus, continue to be created by copycat authors. A security company has hired Jaschan, pending his conviction.

While the Sasser case works its way through German courts, an anonymous analysis released late last week has reopened the hunt for the author of the Sobig virus. Microsoft announced a reward for information on the Sobig.F virus in November 2003.

The unnamed authors of the report used digital forensics to compare the release schedules of the Sobig virus and of an application for sending bulk unsolicited e-mail. The authors claim that similarities between the two indicate that the Russian writer of the spam program created Sobig.F and other variants as a way to help and protect customers.

"Sobig appears designed specifically to assist spammers with anonymity," the 48-page report stated. The authors of the report, when contacted by CNET News.com, refused to reveal their identities, saying that the report had already been forwarded to law enforcement agencies and that the authors had identified themselves to the authorities.

When contacted by CNET News.com, the creator of the spam application denied any involvement in the Sobig virus. The developer acknowledged creating a spam tool, but denied making money from sending bulk e-mail.

"I have not any relations to Sobig," he wrote.

Some of the claims in the anonymous analysis—such as the contention that the same compiler had been used to build both the spam tool and the Sobig virus—appear to be mistaken, said Joe Stewart, senior security researcher for network protection firm Lurhq. However, the analysis overall makes some interesting connections, he said.

"I find the Sobig report to be pretty strong," Stewart said. "I think the time-line evidence in the paper is most compelling."

The other reward offered by Microsoft in November 2003 was for the MSBlast worm, also known as Blaster. That worm hit the Internet less than a month after Microsoft published a patch for the vulnerability that MSBlast used to spread. Many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would be created. The result: More than 10 million computers were likely infected by the worm, and some people claim that it aggravated the circumstances surrounding a power outage that affected nearly 50 million people in the United States and Canada.

Lurhq's Stewart believes the bounty for MSBlast will likely go unclaimed, as the worm looks set to become a historical footnote. "I think we have seen the last of the creator of Blaster," he said.

He does expect the creator of the MyDoom virus, the target of a Microsoft reward announced in January this year, to be caught, noting: "With every release there is a chance that the person will slip up." The latest variant surfaced on Oct. 25.

The experience of the past year suggests that virus authors are more likely to be identified through a slip-up rather than through Microsoft's program. Despite this, the hope that it might increase the pressure on virus and worm writers makes the effort worthwhile, said Sophos' Cluley.

"It can't do any harm to say to people in the virus underground that there are tempting awards and your friends could inform upon you," he said. "It could make some of these kids and criminals think twice."
