Feeds

MS' anti-virus bounty success

But does industry encourage culprits?

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Opinion When Microsoft first announced its "bounty" program late last year, many security experts condemned the initiative as a mere publicity stunt: a marketing tactic designed to distract gullible users from the "real issue" with Microsoft products.

With a No Honor Among Thieves mindset, I predicted that the program would yield positive results and that some unlucky malware author would be ratted out by bounty-seeking friends/family/peers, and held responsible for his or her actions.

Just last week, a German 18-year-old male was arrested for (and subsequently confessed to) authoring the Sasser worm after being reported to the authorities (and Microsoft) by individuals close enough to the kid to provide source code samples of "Sasser". So, the bounty program is working.

What will ultimately happen to the teenage high school student is still up in the air, but the fact of the matter is that he confessed to the crime after being turned in, and those who dropped dime on him did so for the reward money. So, to all those who said "Nay!" back in November, I say "Ni!" today.

Armchair pundits

Many of these armchair security people will attempt to cover their chagrin by saying that the real problem is faulty software, and that offering a bounty does nothing to solve this. Well, it doesn't take Dick Tracy to figure that out, now does it? I've never heard anyone say the bounty was a solution to software vulnerabilities - it was meant to be, and has evidently turned out to be, another tool to help authorities capture criminals.

Whether he is eventually convicted, or whether those who turned him in actually get the reward money or not, doesn't really matter. Other informants will follow suit. A quarter of million dollars is just too much money to pass up. The program was never meant to replace any of the tremendous efforts Microsoft has underway in its continued commitment to security, regardless of what the critics say.

There was also talk of how the program would fail to land "professional" malicious hackers, as they would just be too good to get caught. Well, it wasn't meant for them, either. Sasser was not the work of a professional. It used exploit code that was already published, and resorted to techniques like passing command-line strings to the OS, and FTP'ing code around. Hardly l33t haxx0r skilz.

Hardened criminals

I'm not judging the author's individual computer expertise, but I am drawing a distinction between hardened criminals utilizing computers as their tool of choice and those who are more the "vandal" type. The latter is who the bounty program is meant to deter.

More programs like this will be created in the future, because they will be needed. It's clear that there's a growing number of "glory" hackers competing to outdo each other in infamy, and, perversely, the security industry's own PR mechanisms may be providing the score board for this game of one-upsmanship.

Look at the UK-based "Intelligence Unit" Mi2G, which is always ready to put a worm's name in neon behind a huge damage assessment. Even with Sasser's less-than-cutting edge coding, MI2G put it in fifth place as one the Worst Worms of All Time. In about 10 days, the "world renown" security think-tank estimated Sasser's damage at 18 billion dollars. Yes, that is a "b."

Tooth fairy

To give you some perspective, that is the total earnings Cisco reported for the entire year of 2003. Personally, I believe those figures about as much as I believe that the tooth fairy is really a homeless hermaphrodite living in an empty bottle of That Old Janx Spirit. But that doesn't mean some 18-year-old kid isn't going to take it hook, line, and sinker and try to top it.

While I've overheard some conspiracy theories of how young hackers are going to release worms only to turn themselves in for the reward money after copping a plea, I don't buy it. If Mi2G's estimates are correct, they could make $1,500 per day (MI2G's per day/ per person figure) cleaning up after themselves. That puts the average admin salary at $390,000 per year. Hell, I might even take it up myself.

With companies like this totally sensationalizing worm and virus events, the next natural step for the malware author is to write something that is actually malicious. If basic code like NetSky and Sasser gets the honor of contributing to $228bn in "damages" for this year alone, what ridiculous figure will be tagged to a worm that starts formatting drives or something? And what will some kid do to be the one who tops it?

Copyright © 2004, 0

Related stories

Police probe Sasser informant
German police raid five homes in Sasser case
German police arrest Sasser worm suspect

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.