Some people go to amusement parks for thrills; others unleash viruses and worms on the Internet. According to some demographics reports, virus and worm authors are typically reclusive young males, obviously computer-savvy, intelligent but disrespectful of authority, and capable programmers. But regardless of the motivation behind it, this hobby ends up costing everyone time and money.
In January of 2003, Microsoft made headlines with the announcement that it would team with law enforcement to hunt down authors of worms, viruses, and other malicious code. In addition, the software giant pledged $5 million to fund the search.
Offering money for the capture of malicious coders isn't a new concept; law enforcement agencies worldwide do it all the time to apprehend criminals. Still, money certainly has a way of influencing people, and friends and enemies of hackers turn them in from time to time.
So Microsoft just became the worldwide financer of hacker vigilantism, an ironic turn of events. Before you cheer Microsoft for setting up a reward to apprehend malicious coders, consider that Microsoft's buggy software is the reason there's such a problem in the first place.
The company's actions are tantamount to issuing a challenge to hackers worldwide, and hackers like nothing better than a good contest. Microsoft could end up opening a can of worms for itself and the Internet.
What about the virus and worm authors who are coding with a specific purpose in mind? It should be no surprise to regular readers that many worms and viruses are designed to turn compromised Windows PCs into drones that can be controlled remotely, something we've seen for more than two years. Simply offering a reward for the authors of the two most recent worms won't fix the underlying problem: thousands of compromised Windows hosts already exist that can be used as spam drones and for distributed denial-of-service attacks.
So before you applaud Microsoft's funding of hacker vigilantism, remember that preventing the spread of viruses and worms depends less on finding the people exploiting software defects and more on making sure the defects don't exist in the first place. Microsoft is a private corporation—not a law enforcement agency—and it should focus its efforts on improving its software.
I predict that the offering of rewards for malicious coders will likely result in a retaliatory response from the highly skilled "black hat" hackers who write the most virulent viruses and worms. This will not defeat them—it will only serve as encouragement.
If Microsoft really wants to help improve the security of the Internet, I'll be more than happy to send them a list of several thousand compromised Windows hosts on broadband networks, free of charge. All they need to do is fix them.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.