Feeds

MS' anti-virus bounty success

But does industry encourage culprits?

  • alert
  • submit to reddit

High performance access to file storage

Opinion When Microsoft first announced its "bounty" program late last year, many security experts condemned the initiative as a mere publicity stunt: a marketing tactic designed to distract gullible users from the "real issue" with Microsoft products.

With a No Honor Among Thieves mindset, I predicted that the program would yield positive results and that some unlucky malware author would be ratted out by bounty-seeking friends/family/peers, and held responsible for his or her actions.

Just last week, a German 18-year-old male was arrested for (and subsequently confessed to) authoring the Sasser worm after being reported to the authorities (and Microsoft) by individuals close enough to the kid to provide source code samples of "Sasser". So, the bounty program is working.

What will ultimately happen to the teenage high school student is still up in the air, but the fact of the matter is that he confessed to the crime after being turned in, and those who dropped dime on him did so for the reward money. So, to all those who said "Nay!" back in November, I say "Ni!" today.

Armchair pundits

Many of these armchair security people will attempt to cover their chagrin by saying that the real problem is faulty software, and that offering a bounty does nothing to solve this. Well, it doesn't take Dick Tracy to figure that out, now does it? I've never heard anyone say the bounty was a solution to software vulnerabilities - it was meant to be, and has evidently turned out to be, another tool to help authorities capture criminals.

Whether he is eventually convicted, or whether those who turned him in actually get the reward money or not, doesn't really matter. Other informants will follow suit. A quarter of million dollars is just too much money to pass up. The program was never meant to replace any of the tremendous efforts Microsoft has underway in its continued commitment to security, regardless of what the critics say.

There was also talk of how the program would fail to land "professional" malicious hackers, as they would just be too good to get caught. Well, it wasn't meant for them, either. Sasser was not the work of a professional. It used exploit code that was already published, and resorted to techniques like passing command-line strings to the OS, and FTP'ing code around. Hardly l33t haxx0r skilz.

Hardened criminals

I'm not judging the author's individual computer expertise, but I am drawing a distinction between hardened criminals utilizing computers as their tool of choice and those who are more the "vandal" type. The latter is who the bounty program is meant to deter.

More programs like this will be created in the future, because they will be needed. It's clear that there's a growing number of "glory" hackers competing to outdo each other in infamy, and, perversely, the security industry's own PR mechanisms may be providing the score board for this game of one-upsmanship.

Look at the UK-based "Intelligence Unit" Mi2G, which is always ready to put a worm's name in neon behind a huge damage assessment. Even with Sasser's less-than-cutting edge coding, MI2G put it in fifth place as one the Worst Worms of All Time. In about 10 days, the "world renown" security think-tank estimated Sasser's damage at 18 billion dollars. Yes, that is a "b."

Tooth fairy

To give you some perspective, that is the total earnings Cisco reported for the entire year of 2003. Personally, I believe those figures about as much as I believe that the tooth fairy is really a homeless hermaphrodite living in an empty bottle of That Old Janx Spirit. But that doesn't mean some 18-year-old kid isn't going to take it hook, line, and sinker and try to top it.

While I've overheard some conspiracy theories of how young hackers are going to release worms only to turn themselves in for the reward money after copping a plea, I don't buy it. If Mi2G's estimates are correct, they could make $1,500 per day (MI2G's per day/ per person figure) cleaning up after themselves. That puts the average admin salary at $390,000 per year. Hell, I might even take it up myself.

With companies like this totally sensationalizing worm and virus events, the next natural step for the malware author is to write something that is actually malicious. If basic code like NetSky and Sasser gets the honor of contributing to $228bn in "damages" for this year alone, what ridiculous figure will be tagged to a worm that starts formatting drives or something? And what will some kid do to be the one who tops it?

Copyright © 2004, 0

Related stories

Police probe Sasser informant
German police raid five homes in Sasser case
German police arrest Sasser worm suspect

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.