Cheat Sheet: Microsoft's virus bounty

$250,000 to sing like a canary...
Did I hear right - Microsoft employed bounty hunters to track down virus writers?
No, you didn't hear right, though you are pretty much in the right ballpark. Microsoft has offered a bounty on information leading to the arrests of virus writers worldwide and this weekend the initiative ensnared its first catch - the writer of the Sasser virus.

So who's the lucky recipient of the reward?
That is a detail we do not know. Obviously as with any informant there is quite rightly a promise of anonymity - so it's unlikely we will ever find out.

Still it's surely good news - even if the heroes go unsung.
It is good news - though there are concerns about the bounties in general and whether some recipients are exactly "heroes".

Such as?
Well, the people who know most about the identities of virus writers tend to be other virus writers. While in this instance it would be wrong to draw that assumption - as we know nothing of the informants - there are concerns that in the long term virus writers could profit from the initiative, by ratting on each other.

Is that illegal?
No, but it's seen as morally questionable by many. But that said you can't help thinking it formed part of Microsoft's strategy.

How so?
Well, virus writers often work in teams, collaborating within communities and sharing their successes and code. They also close ranks and have proven to be fairly impenetrable groups in the past. Microsoft was clearly hoping that, by offering cash rewards for them to turn on each other, it could undermine their mutual trust and break apart these malware writing communities.

So we're talking 'hire a thief to catch a thief'?
You may be, and possibly quite rightly, but I'm sure Microsoft wouldn't really like to go big on the fact that these bounties may be paid to members of virus writing teams. And anyway, it's more 'hire a thief to rat out a thief' - though some commentators have even raised the idea that communities of virus writers may willingly be setting themselves up to do some time in return for the lion's share of the bounty.

Could be a nice little earner.
Indeed, but it's still questionable whether people would really put such a relatively low price on potentially spending several months, or even years, in prison. It's far more likely the money will tempt somebody to share information with the police about somebody boasting about writing a virus on a messageboard.

They don't really do that do they?
Definitely. Virus writers have often been caught because they couldn't sit back and not try to take 'credit' for their actions. Invariably they would get stupid and go onto a messageboard and boast of their actions to other virus writers.

Now those boasts could prove very costly.

Not for the person receiving $250,000.
No, quite. And it's worth noting that somebody may catch wind of such activities offline - it won't always be somebody involved in similar activities. It could be a friend, relative or neighbour who may overhear something incriminating and feel the need to go to the police.

Some friend!
Well, with 250,000 good reasons to share the information some friendships could become surprisingly shaky.

So how would somebody go about claiming the reward?
It is obviously at Microsoft's discretion. In the case of the Sasser virus the company was obviously so convinced of the validity of the information it was provided that it agreed to pay out immediately.

And why is Microsoft offering this money?
On one level it's good PR to be seen to be making strides in cleaning up the internet. However, it's suggested that such an initiative is merely to redress the negative PR resulting from the fact it is often Microsoft vulnerabilities which are exploited.

Aha! Guilt you mean?
To quote Francis Urquhart: "You might well think that; I couldn't possibly comment."

And when did it start offering these rewards?
The announcement of these rewards followed the outbreaks of the MSBlast and Sobig viruses in 2003, which both targeted flaws in Microsoft's Windows operating system (there are still rewards on offer for information leading to the arrest of the authors behind those viruses). Microsoft then added MyDoom's author to the 'most wanted' list.

MyDoom - I remember that one - remind me what it did.
MyDoom created an army of compromised machines, all of which were set to launch a distributed denial of service (DDoS) attack against a major website - essentially bringing it down by bombarding it with traffic.

Which website was being targeted?
Originally the attack was targeted at the SCO website and proved highly effective in disrupting things for the company - so much so the controversial firm put up its own $250,000 purse for anybody who could bring them the head of the MyDoom author (so to speak).

So that's when the bounty was put up?
No. That only happened when a second iteration of the worm was released that turned the DDoS big guns on Microsoft's website.

Aha! So it's not entirely a selfless gesture.
Not entirely. And the company's clear anger at such an attack - which for the record it weathered with hardly a hitch - may be why it believes the ends justify the unprecedented means. And to be honest there are a lot of people who will agree that as long as virus writers end up behind bars then it's job done.
