Microsoft's bounty hunter

The Sasser computer worm may mark a turning point for law enforcement's ability to catch and prosecute computer virus authors.

The reason: Enticed by a $250,000 reward, an informant came forward to leak information on the person who wrote and released Sasser. It's exactly what Microsoft, which agreed to the bounty as part of its antivirus reward program, hoped would happen, said Hemanshu Nigam, an attorney for the Microsoft branch administering the program.

Nigam, originally from India, worked as a prosecutor in the Los Angeles District Attorney's office and later in the Department of Justice.

If you have involvement in the virus or worm that has been launched, you are not eligible for a reward.

Initially, he prosecuted child pornographers and others who exploit children on the Net. He then joined the Justice Department's Computer Crime and Intellectual Property Section but left to work for the Motion Picture Association of America to help the group enforce its copyright claims against digital pirates. He moved to Microsoft to work on similar issues and also to focus on criminal complaints: For instance, when scammers use Hotmail or MSN.com to engage in criminal activity, he supports law enforcement in identifying people and providing information, as required by law.

As the lead attorney in Microsoft's Digital Integrity Group, Nigam is again on the enforcement trail. He recently spoke with CNET News.com about Microsoft's ongoing battle with virus writers.

Q: What is the aim of the antivirus reward program?
A: The antivirus reward program is designed to provide incentives for law enforcement to get information so that somebody who is a witness of a crime comes forward. At the same time, people should understand we are saying that launchers of malicious code ought to think twice before they hit that send button or release that code online. We are hoping that there are citizens who will step up and do the right thing, providing information if they have it. We are also hoping that those who are thinking about doing something that is not the right thing--that they are going to think twice and stop before doing it.

Has it been successful so far?
People have been providing leads to law enforcement ever since we launched the reward program. What law enforcement authorities are telling us is that they are pleased with the leads that they are getting.

With the Sasser worm, you did not actually say, "Hey, we are offering a reward for Sasser." It took someone to come forward and ask if you would you offer a reward. To what extent has that happened in the past?
It is the first time somebody came to Microsoft, specifically, and said, "I have information for you.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

I know about your reward program, and I want to talk to you about somebody who has done something that is malicious in nature." It is the first time that has happened. However, we have seen an increase--and this is something law enforcement has told us--in the number of citizens out there who are calling law enforcement and saying, "We have information on a cybercrime." The community out there using the Internet knows things about what is going on and is energized to step forward and do the right thing--even if it is not directly connected to a reward being offered by Microsoft. That, to us, is a success in itself.

At about the same time as the Sasser arrest, there was also an arrest of a suspected writer of Agobot. Was the reward program key in that one as well?
No. The arrest actually happened at almost exactly the same time on May 7, but the two cases resulted from two different situations and two different ways of investigating it. One was very connected to the reward being offered and somebody being aware of it and coming to us. The other was very connected to technical analyses and things that go behind that and lead to information. And then Microsoft worked with law enforcement in Germany.

What do you think the breakdown will be of crimes solved that are related to leads from technical analysis versus crimes that get leads because of an informant?
One is not exclusive of the other.

There are about two to 300 viruses that get released on any given day, but each one has a different type of impact.

There are cases where I think we will find that technical analysis is going to play a major role. At the same time, offering a reward on a particular malicious code may also have an important role in identifying the person responsible. The two can go hand in hand, but I cannot predict which one is going to take the lead.

There are reports that the informant in the Sasser case is under investigation. If that turns out to be the case, and he ended up becoming a suspect, what would be the impact on any offered reward?
If you have involvement in the virus or worm that has been launched, you are not eligible for a reward.

What if you are part of the virus underground? Does that exclude one from the reward if not directly involved in the case in hand?
I would hope that if somebody has done something criminal, and law enforcement is investigating that person, that the individual gets prosecuted. Whether or not legally that precludes them, I do not know.

There is always the suspicion of whether or not a reward program like this might entice certain people who would say, "OK, there's three of us; one of us creates a worm, one gets offered a reward, and then the other two turn him in."
The reward program is designed to provide an incentive for people to offer information that would lead to an arrest and a conviction of somebody who has done something illegal by launching some sort of malicious virus or worm. I think that law enforcement is going to engage in what I would call due diligence and examine who their witnesses are. They will examine the information provided and make a good determination on whether that information does, in fact, lead to an arrest and conviction--and whether the person providing that information is involved in some manner or not. That is something that law enforcement does daily in many, many investigations, in many different types of crimes, so it is not anything different than what they are engaging in, typically.

What about spam? With the Can-Spam Act, certain ways of sending spam are now illegal. Would Microsoft consider putting up a reward to stop that sort of activity?
Well, my focus is on viruses and other types of malicious code. All I can say about the spam area is that we are working very closely with law enforcement and also on the civil side to bring lawsuits against individuals under the Can-Spam Act.

Do you think that you are going to slowly get to a situation in which you will be approached by someone saying, "I have information on this specific threat and who did it" rather than Microsoft first announcing that it is offering a reward for information leading to whoever released this specific threat?
I cannot predict. There are about two to 300 viruses that get released on any given day, but each one has a different type of impact. We are going to continue to review the types of malicious code out there and see what kind of impact it is having--and often most importantly, what law enforcement feels about the helpfulness of a reward in any given situation.

Since you have done a lot of prosecuting in the past, how long do you think that process will normally take between someone coming to you and saying, "Here is the information" until there is generally a conviction in the case?
As I used to have to say to victims who would ask that same question, it all depends. It depends on the criminal justice system; it depends on the court that a case goes to; it depends on where in the world that crime is being prosecuted. For example, Sasser is in Germany; Blaster (or MSBlast) was in the United States. Every court system is different, and every court system moves at a different pace. We hope that justice is served as quickly and as efficiently as possible.