The Latest in IT Security

Microsoft has $250,000 for you – some strings attached


Recently published on Microsoft’s TechNet Blogs site, nestling between Haiku #154 and Bloom’s Taxonomy for Learning Objectives, you will find an unassumingly erudite, if lawyerly, posting.

You probably want to read it.

It could be worth US$250,000.

To get all the money for yourself, there are, of course, conditions. You will need to rat out your buddies to the point that they get convicted in a court of law, and you’ll need to be the only person who does so. You may have to pay tax on the reward, too, depending on the regulations where you live, how law-abiding you are, and how willing you are to let it be known where you got the money.

Flushed with success at disrupting the Rustock botnet by taking down its primary command and control servers earlier in the year, Microsoft is now offering the abovementioned cash prize.

A cool quarter of a million: that’s the reward Microsoft is offering for “new information that results in the identification, arrest and criminal conviction” of the individuals behind the Rustock botnet.

Rewards like this aren’t new to Microsoft – nearly eight years ago, the software giant announced a US$5 million fighting fund to encourage people to dob in their virus-writing chums.

What’s interesting is that the reward hasn’t changed since then. Microsoft offered a quarter-mil each for turning in the authors of the Blaster and Sobig worms back in 2003 (the authors were never found), and a further quarter-mil each for outing the authors of Netsky or Sasser.

The author of the Sasser worm was identified, and convicted. But German student Sven Jaschan, who was under 18 at the time he committed his crimes, ended up sentenced only to probation and community service.

At the time, I was concerned about the size of the rewards being offered. Back then, malware writing was often the beginning and the end of the creator’s criminal activity.

There wasn’t much, if any, money in virus writing, and outside the US and the UK, there often wasn’t much criminal sanction against doing so.

(Chen Ing Hau, Taiwanese author of the infamous BIOS-destroying CIH or Chernobyl virus, got a job on the back of his malevolent creation and appears to have gone largely unpunished. Onel de Guzman, creator of the Love Bug, got away scot-free in the Philippines. Jaschan, admittedly a junior at the time, got a slap on the wrist. So did Dutchman Jan de Wit, whose home-town mayor thought his Anna Kournikova virus made him an ideal IT candidate for the local council. Even as recently as 2009, Ashley Towns, the Australian creator and disseminator of the first Apple iPhone virus, was never charged by the police, and ended up with a job for his “skills”.)

So, back in the early 2000s, Microsoft’s rewards seemed out-of-touch with economic reality, since two chums could easily have colluded to acquire the money – one “ratting out” the other, and the other “pleading guilty” – with possibly very minor long-term consequences. They could have even made the split of the reward conditional on the sentence, to favour the “guilty” party more heavily in the event of a harsh judgement. Indeed, when Jaschan was arrested after information allegedly received from a fellow-student, the German media speculated that the informant was himself suspiciously closely connected with the creation of the malware.

But in the 2010s – when a small gang of cybercrooks can apparently turn over $72,000,000 in a year or two just from peddling fake anti-virus software – the reward doesn’t seem out-of-kilter any more.

Even more interesting is the astonishing security distance Microsoft has covered since 1995, when news emerged of the first virus to infect and spread entirely inside its Word product. Concept, as this macro virus came to be called, quickly spawned a raft of fast-spreading copycats – many of them destructive, devoted to leaking data, or both, and all of them genuinely troublesome to deal with.

But Microsoft would have none of this “Microsoft Word virus” terminology at first. WM/Concept was defined, and dismissed, as a Prank Macro. And that was that.

How Redmond has changed in the past 16 years!
