By Gregg Keizer
Microsoft on Wednesday announced a first-ever public bounty on virus writers in the hope that associates of malicious code makers will rat out their comrades.
The Redmond, Wash.-based developer, which has been plagued by a wave of virus and worm attacks on its software since this summer, pledged $5 million to fund what it's dubbing the Anti-Virus Reward Program.
Under the program, Microsoft will post rewards for information that leads to the arrest and conviction of hackers who create viruses and worms, said Brad Smith, Microsoft's general counsel.
Microsoft posted two $250,000 rewards Wednesday, with the first to be paid to anyone who leads authorities to the person or persons responsible for the MSBlast.A worm. The second virtual wanted poster is for the individual or group which created the Sobig mass-mailed virus.
"Malicious worms and viruses are criminal attacks on everyone who uses the Internet," said Smith. "These are not Internet crimes, cyber crimes, or virtual crimes. These are real crimes that hurt a lot of people."
"Those who release viruses on the Internet are essentially the saboteurs of cyberspace," he added.
MSBlast.A, the first of several worms that exploited a widespread vulnerability in Microsoft Windows, hammered the Internet in August, and forced Microsoft to take the unusual step of de-linking a URL that led to its WindowsUpdate Web site, which is used by Windows customers to download and install security patches.
Sobig, which first surfaced in January, has been a particularly troublesome virus with numerous variations; as recently as late August it clogged business and consumer e-mail systems as it rapidly propagated by stealing e-mail addresses from Microsoft software and re-mailing itself to other unsuspecting users.
Anyone with information about the creators of MSBlast.A and Sobig, said Smith, should contact a local office of the FBI or Secret Service in the U.S., or local law enforcement or Interpol overseas. Tips can also be sent to agencies via the Web, to the Internet Fraud Complaint Center, for instance, or to Interpol.
Smith stressed that these first two rewards are only the beginning, and said that, in consultation with law enforcement officials both in the U.S. and overseas, the company would offer similar bounties in the future.
"We've created the $5 million fund so that as new cases arise, we'll address them on a case by case basis, and focus on the prevalence of the worm as well as its severity as we make our decision," said Smith. Other attorneys for Microsoft added that the company will consult with law enforcement and anti-virus companies to determine which, if any, future worms will be assigned rewards.
"We are determined to address this as a long term solution," Smith promised. "If we need to spend more money [beyond the initial $5 million] we'll spend more money."
Analysts noted that the move toward offering rewards was a new tactic in the battle against hackers, and were cautiously optimistic that the tactic would actually put a dent in exploits against Microsoft's software.
"Microsoft is turning up the heat," said Ken Dunham, a security analyst with iDefense, a Reston, Va.-based security intelligence firm that tracks developing exploits.
"Friends will rat out friends for money," he predicted, saying that the rewards may put the fear of God into hackers. In fact, said Dunham, his firm noticed a dramatic drop in back chatter among hackers -- and a decline in worm development -- after several arrests of creators of MSBlast variants this summer and fall. He expects that these rewards will provide some of the same kind of deterrence.
"This isn't going to change the heart of every bad guy," he said, "but if this makes hackers feel more accountable, it may curb their activity."
Patrick Gray, the director of Internet Security Systems' (ISS) X-Force emergency response team, agreed. "This is blazing a new trail in the cyber world," said Gray, a 20-year veteran of the FBI's cyber crime division prior to joining ISS. "It would have been great to have this [reward] tool when I worked for the FBI.
"I think this will have an impact on attacks. It will definitely start some conversations in the hacking community, and hopefully give law enforcement some additional traction," he said.
But enterprises shouldn't expect that by simply offering rewards, Microsoft, or any other organization, will put a stop to attacks.
"Enterprises need to understand that the security landscape changes every day. They can't hope that nothing more happens, but have to remain resolute in their defenses," Gray said.