MS' anti-virus bounty success
But does industry encourage culprits?
Opinion When Microsoft first announced its "bounty" program late last year, many security experts condemned the initiative as a mere publicity stunt: a marketing tactic designed to distract gullible users from the "real issue" with Microsoft products.
With a No Honor Among Thieves mindset, I predicted that the program would yield positive results and that some unlucky malware author would be ratted out by bounty-seeking friends/family/peers, and held responsible for his or her actions.
Just last week, a German 18-year-old male was arrested for (and subsequently confessed to) authoring the Sasser worm after being reported to the authorities (and Microsoft) by individuals close enough to the kid to provide source code samples of "Sasser". So, the bounty program is working.
What will ultimately happen to the teenage high school student is still up in the air, but the fact of the matter is that he confessed to the crime after being turned in, and those who dropped dime on him did so for the reward money. So, to all those who said "Nay!" back in November, I say "Ni!" today.
Many of these armchair security people will attempt to cover their chagrin by saying that the real problem is faulty software, and that offering a bounty does nothing to solve this. Well, it doesn't take Dick Tracy to figure that out, now does it? I've never heard anyone say the bounty was a solution to software vulnerabilities - it was meant to be, and has evidently turned out to be, another tool to help authorities capture criminals.
Whether he is eventually convicted, or whether those who turned him in actually get the reward money or not, doesn't really matter. Other informants will follow suit. A quarter of million dollars is just too much money to pass up. The program was never meant to replace any of the tremendous efforts Microsoft has underway in its continued commitment to security, regardless of what the critics say.
There was also talk of how the program would fail to land "professional" malicious hackers, as they would just be too good to get caught. Well, it wasn't meant for them, either. Sasser was not the work of a professional. It used exploit code that was already published, and resorted to techniques like passing command-line strings to the OS, and FTP'ing code around. Hardly l33t haxx0r skilz.
I'm not judging the author's individual computer expertise, but I am drawing a distinction between hardened criminals utilizing computers as their tool of choice and those who are more the "vandal" type. The latter is who the bounty program is meant to deter.
More programs like this will be created in the future, because they will be needed. It's clear that there's a growing number of "glory" hackers competing to outdo each other in infamy, and, perversely, the security industry's own PR mechanisms may be providing the score board for this game of one-upsmanship.
Look at the UK-based "Intelligence Unit" Mi2G, which is always ready to put a worm's name in neon behind a huge damage assessment. Even with Sasser's less-than-cutting edge coding, MI2G put it in fifth place as one the Worst Worms of All Time. In about 10 days, the "world renown" security think-tank estimated Sasser's damage at 18 billion dollars. Yes, that is a "b."
To give you some perspective, that is the total earnings Cisco reported for the entire year of 2003. Personally, I believe those figures about as much as I believe that the tooth fairy is really a homeless hermaphrodite living in an empty bottle of That Old Janx Spirit. But that doesn't mean some 18-year-old kid isn't going to take it hook, line, and sinker and try to top it.
While I've overheard some conspiracy theories of how young hackers are going to release worms only to turn themselves in for the reward money after copping a plea, I don't buy it. If Mi2G's estimates are correct, they could make $1,500 per day (MI2G's per day/ per person figure) cleaning up after themselves. That puts the average admin salary at $390,000 per year. Hell, I might even take it up myself.
With companies like this totally sensationalizing worm and virus events, the next natural step for the malware author is to write something that is actually malicious. If basic code like NetSky and Sasser gets the honor of contributing to $228bn in "damages" for this year alone, what ridiculous figure will be tagged to a worm that starts formatting drives or something? And what will some kid do to be the one who tops it?