Can Microsoft bounty end viruses?

Microsoft claims its reward program was responsible for the arrest of the suspected author of the Sasser worm, but some experts say money alone will not clear up security problems.

Microsoft's $5 million reward for antivirus informants may help catch script kiddies such as the German teenager suspected of authoring a variant of the Sasser worm, but it is unlikely to have any effect on virus writers working for organized crime syndicates, according to security experts.

Four months after the MSBlast worm tore through the Internet, Microsoft announced it had set up a $5 million fund, the Anti-virus Reward Program, to be used for rewarding people who offer information leading to a conviction with $250,000. Since the launch of the fund, a number of suspected authors of malicious code have been arrested, but none have been convicted.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

Simon Perry, the vice president of security at Computer Associates, said the rewards may lead to script kiddies informing on each other, but it won't bother the organized criminals who have started using experienced software writers to create "malware," or malicious software, designed to enable them to take control over a large number of PCs.

Perry said that there has been a transition over the past few years, in which organized crime gangs have brought the traditional protection racket to the Internet.

"This new breed of virus writers and spammers will not feel threatened by a $250,000 bounty on their heads. They are operating so far underground that there is virtually no chance of someone being compelled to give them up," Perry said.

However, Richard Starnes, the vice president of the U.K. chapter of the Information Systems Security Association, said that rewards have historically been shown to work, even in the world of organized crime. But he warned that they are only a component of the overall war against virus writers, and rewards should be combined with a complete law-enforcement program.

"I doubt there will be a difference in effectiveness between posting a reward for an electronic crime and a more traditional crime," he said.

Stuart Okin, the chief security officer at Microsoft's U.K. division, said the Sasser arrest only came about when a group of people contacted Microsoft to ask if the company was offering a reward for the Sasser author. He said that rewards are commonly used to catch organized criminals in crimes not related to the Internet, so there is no reason to think they won't have the same effect in cyberspace.

"We decided there would be a reward, if the information was reliable. We contacted the German police, and the informants came forward with a name," Okin said.

CNET Reviews
Sasser prevention and cure
How to guard systems
against the worm.

The informants' behavior was correctly anticipated by Peter Allor, director of vulnerability research for network protection provider Internet Security Systems, when Microsoft's policy was first announced. "You have a fair chance of someone turning their buddy in," Allor said.

CA's Perry said Microsoft's efforts, although positive, will not have any effect on criminals operating in countries without stringent computer crime laws.

"What if this teenager wasn't in Germany and was in Afghanistan? That country has no concept of computer crime," Perry said.

Munir Kotadia of ZDNet UK reported from London. CNET's Robert Lemos contributed to this report