Busting the Worm Writers

People problem

Opinion Microsoft deserves praise for offering a cash reward to catch people who criminally exploit their bugs, argues SecurityFocus columnist Tim Mullen.

The Microsoft bounty is almost old news, but I could not let the subject slip by without throwing in my two cents worth.

For the cave dwellers out there, let me summarize: Microsoft, the US Secret Service, the FBI and Interpol announced the creation of a special fund to provide reward money to aid in the conviction of worm writers. Of an initial infusion of five million dollars, $250,000 per worm has been assigned as bounty to whoever finks out the authors of MSBlast and SoBig.

In gauging the immediate rejection of the concept by many, I can't help but think that an Anti-Microsoft-Anything template exists. It is probably structured as follows:

"Microsoft's latest announcement of (insert title here) is nothing but a PR stunt. As illustrated by the (insert name of lame worm executed via outdated e-mail reader, or long-patched vuln here) worm, Microsoft's software is horribly insecure. Everyone should immediately switch to (insert any other OS here) because according to (insert stat's source, probably Netcraft here) there are over (some number) of (confusion of servers vs. sites here) running it, which means it must be secure. Gates should be mandated to pay (me) the sum of (ridiculous amount here) because he's got more money than God anyway, and won't miss it."

It is probably submitted via a web form (running IIS, of course) and posted to an un-patched SQL server using code vulnerable to SQL injection.

There seems to be some confusion about where worms come from. Worms do not come from "bad software." Worms come from criminals authoring illegal code to exploit "bad software." For the first time, a vendor has put up cold hard cash to help combat the top-level source of a problem, and everyone immediately condemns them. Oh yes, I know--"If it were not for the crappy software, then there would be no worms." Well if my aunt had testicles, she'd be my uncle. All software has security problems. And it always will. That is just the reality of it.

Offering a cash reward to capture criminals is a good idea. Does a reward work in every case? Of course not, nothing does. But it is part of an overall strategy-- a strategy in depth. That's what bugs me about the criticism: people take it as a single action, as if it is the only thing Microsoft is doing about security. The truth is that Microsoft really is making great progress in the security of their products, while at the same time trying to make those products "idiot proof" which is indeed a difficult thing to do.

The Drug War Metaphor

In a CNET article, Robert Vamosi equated the worm bounty to the United States' War on Drugs, saying that it has failed "by not focusing on the underlying causes of drug use."

I think this is a shallow view. The underlying cause of drug use is that people want to get high. There is really not a lot we can do about that other than educate each other as to what drug use can do to your life. And though it is not the best way to combat drug abuse, making it a crime to deal drugs certainly helps cut off the supply. People turn in drug dealers all the time for a myriad of reasons, reward money being one of them. To say that arrests won't stop drugs from being sold is a cop-out. While it won't solve the problem in its entirety, it will help.

And while a reward won't stop worms, it just might help. It doesn't really matter if a virus writer thinks the bounty will do any good-- it matters if his friends and associates think it will. A quarter of a million dollars will most certainly test any honor among thieves.

More importantly, there is no downside to it. It is not as if Microsoft is pulling resources out of its security initiative to fund the bounty pool, as much as some would like you to think so.

When I write that users are responsible for their own security, I'm not finger-pointing; that's the division of labor most likely to have a positive effect. I expect a vendor to provide me with a reasonable amount of secure-ability in a product, but it is really up to me to make sure that I am doing what I can to obviate security issues. I expect the government and police to provide an infrastructure where one can expect some realistic level of personal security, but I also have to make sure I don't go walking through a high-crime area in shiny new shoes with a Benji stuck to my forehead.

I probably sound like a broken record when I say that I'm not forgiving Microsoft (or any other vendor) their responsibility to do their job, but I think that for us to totally count on someone else for our security is ultimately foolish. It is easy to place blame for bad things on other people. In reality, no one person is to blame.

Internet security is not a Microsoft problem. It is not a Linux problem. It is a people problem. Rather than making individual criticisms of perceived failure, I think we are better served to work together and celebrate our successes.

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Copyright © 2003,
