The security community is reacting with both incredulity and excitement to the news that
Microsoft is putting a quarter-of-a-million-dollar bounty on the heads of the virus writers
behind the highly destructive Blaster and Sobig worms.
Microsoft Corp. announced yesterday that it is offering up separate $250,000 rewards for
information leading to the arrest and conviction of the Blaster and Sobig authors. The
rewards are part of the $5 million fund that Microsoft set aside to battle malicious code
and the hackers and spammers behind it.
The software giant is working alongside the FBI, the United States Secret Service and
Interpol in its anti-virus efforts.
“This has really become the wild, wild West,” says Ken Dunham, director of malicious code
at security company iDefense, Inc. based in Reston, Va. “You put a big enough bounty out
and sooner or later you’ll hang somebody. A hundred years from now, people will be watching
old movies about Microsoft, and a big bounty and all the hacker hangings.”
Dunham says Microsoft’s high-profile, high-priced effort is an announcement that the company
is taking viruses seriously and that people will be held accountable for their actions.
But Steve Sundermeier, a vice president with anti-virus company Central Command, Inc., based
in Medina, Ohio, says Microsoft needs to be held more accountable for its own actions.
“It’s kind of a public admission that there’s a problem that needs to be addressed with the
Microsoft software itself,” says Sundermeier, who notes that Microsoft also may be reacting
to the heat it’s feeling from competitor Linux. “With a bounty, they’re trying scare tactics
instead of addressing vulnerabilities that exist in their own software.”
But while Sundermeier says Microsoft should be investing more in debugging Windows, he does
say that the bounty just may bring some informants out of the weeds.
“Money always talks,” he adds. “The odds of somebody talking when there’s a quarter of a
million dollars on the line are much greater.”
Patrick Gray, a 20-year veteran of the FBI and currently a director at Internet Security
Systems, a security company based in Atlanta, Ga., says experience in law enforcement
proves that money definitely talks.
“I think it’s cool. It’s a marvelous idea,” says Gray. “Remember that there is no honor
among thieves. And $250,000 to a guy sitting in his bedroom is a lot of money… We’ve been
doing this for a hundred years in the physical sector — all the way back to Billy the Kid.
There’s no reason it shouldn’t work here.”
And Gray says the bounty just might work because virus writers like to brag. They write a
virus and then watch it wreak havoc in the wild. But where’s the fun if no one knows they
were behind it? They head to a hacker chat room or IM their friends… and they brag.
“I worked the Mafia Boy investigation — the guy who took down eBay and CNN,” says Gray.
“He was all over the chat rooms. We caught him within seven or eight days of his last hit
on CNN because he was out there talking about it.”
Microsoft and the Feds obviously are hoping this move extends beyond convicting the people
behind Sobig and Blaster. They are hoping this will be a deterrent to future virus writers.
But iDefense’s Dunham says it won’t be a deterrent if people are simply ratted on. People
need to go to jail before it will have a real effect on the hacker community.
“People will pay attention if they start to get these guys and they’re strung up,” says
Dunham. “If they don’t hang anyone, it won’t be anything more than a marketing ploy… It’s
a complicated puzzle leading to an arrest. It’s going to be very difficult actually putting
someone away.”