Virus writers elude Microsoft's bounty hunt

A year on, and the company's $1 million tip-off program has nabbed just one (alleged) virus writer. Is it a bust?

Virus writers have a price on their heads--but it's done little to discourage them.

In the year since Microsoft kicked off its Anti-Virus Reward Program, it has tallied only a single success. The program has offered $1 million to informants who help close official investigations into four major viruses and worms, and has another $4 million earmarked for future rewards, but the deluge of online threats has continued to swell.

"I think it is fair to say for every time they have gone public to offer a bounty, it hasn't worked," said Graham Cluley, a senior technology consultant at Sophos, an antivirus software company.

Microsoft's most wanted

The software giant has offered four $250,000 rewards for information leading to the arrest of the culprits behind four online threats.

Sobig.F virus
Date offered: Nov. 5, 2003
Status: An anonymous analysis claims a Russian author of spam software created Sobig, but the accused person denies involvement.

MSBlast worm
Date offered: Nov. 5, 2003
Status: The author of a minor variant of the worm has been convicted.

MyDoom virus
Date offered: Jan. 30, 2004
Status: The SCO Group has also offered a $250,000 reward for those responsible for releasing the virus and causing the program to target the company's Web site with an attack.

Sasser worm
Date offered: May 8, 2004
Status: The bounty was offered after an informant came forward inquiring about a reward. German law enforcement officers arrested a high-school student who has reportedly confessed to creating and releasing Sasser and the Netsky family of viruses.

Source: CNET

Two worms and two viruses have caused Microsoft enough pain to be included on its most-wanted list: the MSBlast and Sasser worms, and the Sobig.F and MyDoom viruses. The company has offered $250,000 for information leading to the arrest and conviction of those responsible for each malicious program.

The most recent case, concerning the Sasser worm, could be counted as the program's biggest success. German authorities arrested a teenager in May after Microsoft tipped them off with details about the alleged Sasser author it had received from informants.

Cluley noted that Microsoft had not offered a public bounty in the Sasser case and decided to pay the reward only after being approached by the informant, a friend of the suspected author.

The software company nevertheless points out that the Sasser case would not have been broken without the lure of cash.

"We are very encouraged by it; we feel it has been successful," said Rich Lamagna, the director of worldwide investigations for Microsoft and a 30-year law enforcement veteran. "Indications from our law enforcement counterparts are that it seems like more people are coming forward."

In the past, arrests in Internet crime cases have almost always resulted from the culprit making a mistake, such as leaving a digital trail or attempting to collect a payment. It's only in very few instances that accomplices turned on their online friends--making Microsoft's reward program a long shot.

Security researchers do see benefits in the program. "From my point of view, it has to be a good thing that the rewards are out there," said Sophos' Cluley. "From Microsoft's point of view, it is a win, because they are shown to be doing something, even if it doesn't end up with results."

Security threats aimed at Microsoft products have become more and more common, prompting the company to make hobbling the advance of digital pests part of its security push. A recent study also found that online threats are extremely successful against home users, with one in five PCs infected with a computer virus, and four in five PCs home to spyware.

The Sasser worm, which started spreading on May 1, has infected an estimated 500,000 to 1 million systems, according to security experts. The worm does little damage and, unlike previous fast-spreading worms, has not caused overwhelming network disruptions. However, in many cases, the worm does cause infected Windows XP and Windows 2000 computers to repeatedly reboot.

If the alleged author of the worm, Sven Jaschan, is convicted of criminal charges, Microsoft will be on the hook to pay out the bounty. Law enforcement officials in Germany believe that Jaschan, an 18-year-old resident of Waffensen in the Lower Saxony region, also coded more than two dozen versions of the mass-mailing computer virus Netsky, which is not on Microsoft's reward list.

Despite the arrest, new versions of Netsky, originally dubbed the Skynet virus, continue to be created by copycat authors. A security company has hired Jaschan, pending his conviction.

While the Sasser case works its way through German courts, an anonymous analysis released late last week has reopened the hunt for the author of the Sobig virus. Microsoft announced a reward for information on the Sobig.F virus in November 2003.

The unnamed authors of the report used digital forensics to compare the release schedules of the Sobig virus and of an application for
