Feeds

MS' anti-virus bounty success

But does industry encourage culprits?

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Opinion When Microsoft first announced its "bounty" program late last year, many security experts condemned the initiative as a mere publicity stunt: a marketing tactic designed to distract gullible users from the "real issue" with Microsoft products.

With a No Honor Among Thieves mindset, I predicted that the program would yield positive results and that some unlucky malware author would be ratted out by bounty-seeking friends/family/peers, and held responsible for his or her actions.

Just last week, a German 18-year-old male was arrested for (and subsequently confessed to) authoring the Sasser worm after being reported to the authorities (and Microsoft) by individuals close enough to the kid to provide source code samples of "Sasser". So, the bounty program is working.

What will ultimately happen to the teenage high school student is still up in the air, but the fact of the matter is that he confessed to the crime after being turned in, and those who dropped dime on him did so for the reward money. So, to all those who said "Nay!" back in November, I say "Ni!" today.

Armchair pundits

Many of these armchair security people will attempt to cover their chagrin by saying that the real problem is faulty software, and that offering a bounty does nothing to solve this. Well, it doesn't take Dick Tracy to figure that out, now does it? I've never heard anyone say the bounty was a solution to software vulnerabilities - it was meant to be, and has evidently turned out to be, another tool to help authorities capture criminals.

Whether he is eventually convicted, or whether those who turned him in actually get the reward money or not, doesn't really matter. Other informants will follow suit. A quarter of million dollars is just too much money to pass up. The program was never meant to replace any of the tremendous efforts Microsoft has underway in its continued commitment to security, regardless of what the critics say.

There was also talk of how the program would fail to land "professional" malicious hackers, as they would just be too good to get caught. Well, it wasn't meant for them, either. Sasser was not the work of a professional. It used exploit code that was already published, and resorted to techniques like passing command-line strings to the OS, and FTP'ing code around. Hardly l33t haxx0r skilz.

Hardened criminals

I'm not judging the author's individual computer expertise, but I am drawing a distinction between hardened criminals utilizing computers as their tool of choice and those who are more the "vandal" type. The latter is who the bounty program is meant to deter.

More programs like this will be created in the future, because they will be needed. It's clear that there's a growing number of "glory" hackers competing to outdo each other in infamy, and, perversely, the security industry's own PR mechanisms may be providing the score board for this game of one-upsmanship.

Look at the UK-based "Intelligence Unit" Mi2G, which is always ready to put a worm's name in neon behind a huge damage assessment. Even with Sasser's less-than-cutting edge coding, MI2G put it in fifth place as one the Worst Worms of All Time. In about 10 days, the "world renown" security think-tank estimated Sasser's damage at 18 billion dollars. Yes, that is a "b."

Tooth fairy

To give you some perspective, that is the total earnings Cisco reported for the entire year of 2003. Personally, I believe those figures about as much as I believe that the tooth fairy is really a homeless hermaphrodite living in an empty bottle of That Old Janx Spirit. But that doesn't mean some 18-year-old kid isn't going to take it hook, line, and sinker and try to top it.

While I've overheard some conspiracy theories of how young hackers are going to release worms only to turn themselves in for the reward money after copping a plea, I don't buy it. If Mi2G's estimates are correct, they could make $1,500 per day (MI2G's per day/ per person figure) cleaning up after themselves. That puts the average admin salary at $390,000 per year. Hell, I might even take it up myself.

With companies like this totally sensationalizing worm and virus events, the next natural step for the malware author is to write something that is actually malicious. If basic code like NetSky and Sasser gets the honor of contributing to $228bn in "damages" for this year alone, what ridiculous figure will be tagged to a worm that starts formatting drives or something? And what will some kid do to be the one who tops it?

Copyright © 2004, 0

Related stories

Police probe Sasser informant
German police raid five homes in Sasser case
German police arrest Sasser worm suspect

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.