Feeds

MS' anti-virus bounty success

But does industry encourage culprits?

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Opinion When Microsoft first announced its "bounty" program late last year, many security experts condemned the initiative as a mere publicity stunt: a marketing tactic designed to distract gullible users from the "real issue" with Microsoft products.

With a No Honor Among Thieves mindset, I predicted that the program would yield positive results and that some unlucky malware author would be ratted out by bounty-seeking friends/family/peers, and held responsible for his or her actions.

Just last week, a German 18-year-old male was arrested for (and subsequently confessed to) authoring the Sasser worm after being reported to the authorities (and Microsoft) by individuals close enough to the kid to provide source code samples of "Sasser". So, the bounty program is working.

What will ultimately happen to the teenage high school student is still up in the air, but the fact of the matter is that he confessed to the crime after being turned in, and those who dropped dime on him did so for the reward money. So, to all those who said "Nay!" back in November, I say "Ni!" today.

Armchair pundits

Many of these armchair security people will attempt to cover their chagrin by saying that the real problem is faulty software, and that offering a bounty does nothing to solve this. Well, it doesn't take Dick Tracy to figure that out, now does it? I've never heard anyone say the bounty was a solution to software vulnerabilities - it was meant to be, and has evidently turned out to be, another tool to help authorities capture criminals.

Whether he is eventually convicted, or whether those who turned him in actually get the reward money or not, doesn't really matter. Other informants will follow suit. A quarter of million dollars is just too much money to pass up. The program was never meant to replace any of the tremendous efforts Microsoft has underway in its continued commitment to security, regardless of what the critics say.

There was also talk of how the program would fail to land "professional" malicious hackers, as they would just be too good to get caught. Well, it wasn't meant for them, either. Sasser was not the work of a professional. It used exploit code that was already published, and resorted to techniques like passing command-line strings to the OS, and FTP'ing code around. Hardly l33t haxx0r skilz.

Hardened criminals

I'm not judging the author's individual computer expertise, but I am drawing a distinction between hardened criminals utilizing computers as their tool of choice and those who are more the "vandal" type. The latter is who the bounty program is meant to deter.

More programs like this will be created in the future, because they will be needed. It's clear that there's a growing number of "glory" hackers competing to outdo each other in infamy, and, perversely, the security industry's own PR mechanisms may be providing the score board for this game of one-upsmanship.

Look at the UK-based "Intelligence Unit" Mi2G, which is always ready to put a worm's name in neon behind a huge damage assessment. Even with Sasser's less-than-cutting edge coding, MI2G put it in fifth place as one the Worst Worms of All Time. In about 10 days, the "world renown" security think-tank estimated Sasser's damage at 18 billion dollars. Yes, that is a "b."

Tooth fairy

To give you some perspective, that is the total earnings Cisco reported for the entire year of 2003. Personally, I believe those figures about as much as I believe that the tooth fairy is really a homeless hermaphrodite living in an empty bottle of That Old Janx Spirit. But that doesn't mean some 18-year-old kid isn't going to take it hook, line, and sinker and try to top it.

While I've overheard some conspiracy theories of how young hackers are going to release worms only to turn themselves in for the reward money after copping a plea, I don't buy it. If Mi2G's estimates are correct, they could make $1,500 per day (MI2G's per day/ per person figure) cleaning up after themselves. That puts the average admin salary at $390,000 per year. Hell, I might even take it up myself.

With companies like this totally sensationalizing worm and virus events, the next natural step for the malware author is to write something that is actually malicious. If basic code like NetSky and Sasser gets the honor of contributing to $228bn in "damages" for this year alone, what ridiculous figure will be tagged to a worm that starts formatting drives or something? And what will some kid do to be the one who tops it?

Copyright © 2004, 0

Related stories

Police probe Sasser informant
German police raid five homes in Sasser case
German police arrest Sasser worm suspect

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.