Hoping to use cold, hard cash to crack two frustrating investigations, Microsoft has set up a US$5 million “reward fund” to pay bounties to those who track down writers of malicious code.
The company launched the program by offering to pay two $250,000 bounties for information that leads to the capture and conviction of the authors of the SoBig and Blaster worms.
This is believed to be the first time a company has offered a cash reward to help track down a computer criminal. The move underscores the software giant’s efforts to keep the public’s focus on hackers rather than on flaws in its products.
Microsoft said the Federal Bureau of Investigation (FBI), the U.S. Secret Service and Interpol, the international police organization, will help administer the bounties as part of their ongoing investigations into the worms’ origins.
Microsoft general counsel Brad Smith said worms and viruses are not attacks on a particular software system, but instead “criminal attacks on everyone who uses the Internet.”
“Even as we work to make software more secure and educate users on how to protect themselves, we are also working to stamp out the criminal behavior that causes this problem,” he said. “These are real crimes that hurt a lot of people.”
No Honor Among Thieves
Patrick Gray, a former FBI investigator who is now director of forensics and emergency response at Internet Security Systems, called the move a “fresh approach to an old problem.”
“The hacking community is a criminal community, and there’s no honor among thieves,” Gray told the E-Commerce Times. “If they can make a buck by pointing fingers, they will.”
Gray noted that hackers were helpful in leading investigators to “Mafiaboy,” the Canadian teen charged with a massive denial-of-service attack on eBay, CNN.com and others. “They want to remain cloaked in anonymity,” he said. “They don’t want to be in the spotlight.”
He applauded Microsoft’s effort to keep the focus on hackers. “We’ve been focusing on buggy software, but if the lock on my front door is weak, that doesn’t mean you can come try to push it open every day,” he added.
Although some analysts expressed skepticism that the reward will be enough to prompt hackers to turn each other in, they said the move could still earn Microsoft positive publicity, which its security efforts sorely need.
“Microsoft has recognized it needs to attack this problem on as many fronts as it can,” Gartner vice president John Pescatore told the E-Commerce Times. “Fixing the product is going to take a lot of time, and there’s a lot of legacy software that’s going to be out there for years to come. They need to keep reminding people that hackers are causing the problems they’re experiencing.”
In a research note, ThreatFocus Security said one possible positive side effect of the bounties could be to slow the rate of information exchange about exploits and partially written malicious code among hackers.
“Hackers may be more inclined to think twice about whom they share information with for fear of being turned in by someone they don’t know that well,” the company said. “But even if they do catch the people who wrote those two viruses with these rewards, it’s unlikely to stop the flood of exploits.”