
Microsoft Reward Leads to Arrest of Sasser Suspect

Posted by CmdrTaco
from the thats-pretty-cool dept.
tritone writes "According to this article on CNET, it was a reward from Microsoft that led to the arrest of the perpetrator of the Sasser Windows Worm. This is the first success for Microsoft's Antivirus Award Program, a $5 million fund to reward people for coming forward with information about those who release major worms and viruses."
  • Oh, guess what ... (Score:2, Interesting)

    by Leffe (686621)
    ... Microsoft should have used the money to audit their code or something ...
    • Priceless (Score:3, Funny)

      by ShieldW0lf (601553)
      This is the first success for Microsoft's Antivirus Award Program, a $5 million fund to reward people for coming forward with information about those who release major worms and viruses.

      Reward Money: $5,000,000.00
      Perps Pay: $5,000,000.00
      Psychological Effect: Priceless!

    • Why? (Score:3, Insightful)

      by John Seminal (698722)
      Just because the code is not secure, does that give another person a right to cause harm? It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in. I say that is bullshit. I say I have a gun, and if someone breaks in, they are getting shot. And that is how this guy should be treated, as a criminal thug.

      How much money does Microsoft have to spend making their operating system, and how perfect and secure does it have to be?

      Maybe if it was not for the virus write

      • Re:Why? (Score:2, Insightful)

        by Anonymous Coward
        If I'm spending $300 on a piece of software, I don't want to get fucked as soon as I install it.

        Windows XP Home is $150 CAD right now. If I'm spending that much money on something, I'd like it to work at least SEMI-reliably. But, no, Microsoft isn't at fault for this horrible software.

        How much money do they have to spend on making it? As much as it takes to make a good product. Would you want these kind of flaws and errors in any of the other products you purchase? I doubt it.

        Yes, the kid is a criminal i
      • Re:Why? (Score:5, Insightful)

        by Anonymous Coward on Sunday May 09, 2004 @11:36AM (#9100055)
        Here's a better way to put it.

        If the doors in your house are faulty and won't lock at all, then someone breaks in, who is to blame? The intruder, or the company that sold you the defective doors?

        I say both.

        And because the "door company" is paying to find the intruders after they have broken in does not mean it solves the problem, maybe they should fix the locks first. That sounds like a reasonable idea.
      • Re:Why? (Score:5, Insightful)

        by Waffle Iron (339739) on Sunday May 09, 2004 @11:38AM (#9100070)
        Your analogy is flawed.

        It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in.

        It's not like a door on your house. It's more like you're a tenant in a large apartment block in a bad neighborhood, and the landlord hasn't installed working locks on any of the apartments.

        I say I have a gun, and if someone breaks in, they are getting shot.

        But in this case you don't have a gun, nor can you get one. There's just about nothing that you can do as an individual to retaliate or even track down the perpetrators.

        It's more like this: After years of complaints, the negligent landlord decided to hire a private investigator. After almost a year, this PI has managed to track down just one out of the hundreds of criminals harassing the neighborhood. BFD.

        Maybe if it was not for the virus writers, the cost of Windows would be cheaper.

        Maybe if it weren't for thieves, the cost of apartments would be cheaper. They wouldn't need security services or door locks. Unfortunately, that's a pipe dream. In the real world, you're not ever going to avoid paying for security. Deal with it.

        Microsoft, the brilliant businessmen that they are, has actually managed to avoid or push off onto others the full costs of security for quite some time. However, even they are not able to avoid the inevitable forever.

        They are going now to pay to fix their mistakes with some fraction of their pile of cash, but more importantly, they are going to have to design security into their software up front. This is going to significantly slow down their pace of churning their software updates. This loss of some of their competitive edge is going to be the real price that they pay.

        I think it is horrible for someone to defend a criminal because the criminal had opportunity to commit a crime.

        Likewise, it's bad to defend negligence on the part of those responsible for providing security measures by saying "Sure the security was badly flawed, but if there weren't any bad guys in this world, we wouldn't need security!"

      • if I leave my back door unlocked at night, I am to blame if someone breaks in. I say that is bullshit. I say I have a gun, and if someone breaks in, they are getting shot.

        You have a gun in the house and you still leave your back door unlocked? Think of the children!

        -a
      • Re:Why? (Score:3, Interesting)

        by PhotoBoy (684898)
        You pose a fair question about what constitutes a reasonable amount of work to ensure a system is secure. However, I'll go out on a limb and say that MS haven't done enough.

        A good example I think is a problem a friend had last week. He had just installed XP Pro and within minutes of the installer finishing he had been infected with the Blaster virus. He couldn't download the fix or install a virus scanner because the machine would always reboot itself before he could complete the installation of either! An
      • Re:Why? (Score:4, Insightful)

        by theLOUDroom (556455) on Sunday May 09, 2004 @11:52AM (#9100154)
        Just because the code is not secure, does that give another person a right to cause harm? It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in. I say that is bullshit. I say I have a gun, and if someone breaks in, they are getting shot. And that is how this guy should be treated, as a criminal thug.

        I don't have a problem with locking up those who distribute worms and viruses, but I do have a problem with locking up someone just because you can show that they wrote it. It's more like locking up someone just for *OWNING* lockpicks. What should be illegal is using the lockpicks to break into someone's house, not owning them in the first place. Many of the early DOS/Windows viruses contain examples of extremely clever programming with all sorts of alternate applications: crypto programs, AV programs, copyprotection/anti-reverse engineering schemes, etc.

        Maybe if it was not for the virus writers, the cost of Windows would be cheaper. Maybe because of the virus writers Microsoft has to spend more money?

        No, this is kind of a basic econ 101 thing. When a company has a monopoly, they start charging the "monopoly price" [sc.edu] as opposed to the fair market price. While the fair market price is tied to supply and demand, cost of production, etc, the monopoly price is dictated strictly by DEMAND. The monopolist looks at the demand curve for their product and chooses the point that maximizes their revenue. Since Windows is a software product as opposed to a car, there is little incremental cost between producing 100,000 copies as opposed to 50,000. This means that the production cost aspect of the monopoly price is pretty much fixed, and the price is dictated almost entirely by demand.
        • Both lockpicks and functional viruses have very little legitimate use unless one is in a very narrow band of professions.
          • Re:Why? (Score:3, Interesting)

            by theLOUDroom (556455)
            Both lockpicks and functional viruses have very little legitimate use unless one is in a very narrow band of professions.

            Same thing with fire axes, tow trucks, arc welders, and all sorts of other things.

            Outlawing something because it has "little legitimate use unless one is in a very narrow band of professions" is bad law. For example, how am I going to enter that profession? What constitutes little? Does a coat hanger count as a "lockpick"? What about a car antenna (I used my own to break into my c
            • Re:Why? (Score:4, Insightful)

              by wharrislv (250917) * on Sunday May 09, 2004 @01:58PM (#9100998) Homepage
              Yeah dude, totally...just like someone who makes a biological weapon to expose the weakness in the current national security infrastructure. They could just leave it out on the street marked "use me to fuck up the entire city."

              They haven't done anything wrong, right? I mean, they didn't RELEASE the poison, and their aim is noble since they really only expose all the country's physical security holes.

              FUCK virus writers. They cost people money and time. Money and time is LIFE, just because they take it from you 10 minutes at a time doesn't make it any easier to swallow.

              If you want to make people more aware of security, try community outreach. Get involved locally and make a real difference in people's lives. Take charitable contributions to buy billboards and TV commercials. Get the big players involved.

              But...wait, that would be POSITIVE. That isn't nearly underground enough for your typical virus writer. Their rhetoric is a fucking smokescreen, they're slimebag criminals and they deserve to be punished just like a CEO who jacks down stock prices. They're both doing MONETARY damage. Money is time and time is life, never forget that.
              • Re:Why? (Score:3, Insightful)

                by theLOUDroom (556455)
                Yeah dude, totally...just like someone who makes a biological weapon to expose the weakness in the current national security infrastructure. They could just leave it out on the street marked "use me to fuck up the entire city."

                They haven't done anything wrong, right? I mean, they didn't RELEASE the poison, and their aim is noble since they really only expose all the country's physical security holes.


                First off, your example is ridiculously extreme and doesn't really match the discussion at hand.
                Second
  • Good (Score:3, Insightful)

    by Omega1045 (584264) on Sunday May 09, 2004 @10:38AM (#9099731)
    Good. All anti-MS "They should have written more secure software" comments aside, I am glad they were able to catch this guy if it is him. I am glad the reward worked. In the end there is one person that is really, truly responsible for the virus and that is the virus writer. Now I wonder how much of the $5m pot the informer(s) will get.
    • by PetoskeyGuy (648788) on Sunday May 09, 2004 @10:47AM (#9099771)
      The $5 Million reward is only payable in Vouchers for Microsoft Software.
      • by Anonymous Coward
        That's almost enough for a legal copy of Windows XP and Office XP!
    • Re:Good (Score:4, Informative)

      by Night Goat (18437) on Sunday May 09, 2004 @10:47AM (#9099776) Homepage Journal
      The article discusses how much money was paid to these informants.

      "Aware of this program, individuals in Germany approached Microsoft investigators," Smith said. "We did not hesitate and made a decision to offer a reward of $250,000."

      Smith wouldn't say how many people came forward, except to indicate it was fewer than five. Moreover, while he would not comment on whether a relationship existed between the Sasser suspect and the informants, he did say that they both live in the same part of Germany.
    • Re:Good (Score:3, Insightful)

      by aaribaud (585182)
      Of course, we should keep in mind the fact that unlike with bank robbers or muggers, arresting virus/worm writers once a virus or worm is out in the wild does not stop the virus/worm from spreading. This somehow reduces the usefulness of the MS initiative.
      • Flawed Analogy (Score:3, Insightful)

        arresting virus/worm writers once a virus or worm is out in the wild does not stop the virus/worm from spreading.

        Arresting a murderer doesn't bring dead victims back to life. Does this reduce the usefulness of the police initiative to arrest murderers?

        (Your analogy is flawed in general. The same applies to "bank robbers or muggers" as you mentioned: Once a crime has been committed, the damage has been done; and if no damage is done, I'd have trouble calling it a "crime".)

    • Re:Good (Score:2, Informative)

      by gargan (4764) *
      $250,000 supposedly
    • Re:Good (Score:3, Insightful)

      by Draxinusom (82930)

      The suspect had been identified by acquaintances seeking a $250,000 reward.

      http://www.washingtonpost.com/wp-dyn/articles/A11160-2004May8.html [washingtonpost.com]

      Remember, kids, no more bragging about those worms to real-life acquaintances!

    • Re:Good (Score:4, Interesting)

      by c (8461) <beauregardcp@gmail.com> on Sunday May 09, 2004 @10:51AM (#9099799)
      I am glad the reward worked.

      Well, it maybe worked once. The people turning the guy in might have done it even if the reward wasn't available.

      Microsoft announced the reward program almost a year ago and that this is the first worm actually resulting in a claim suggests, in fact, that the reward program is mostly a failure.

      c.
    • Re:Good (Score:4, Informative)

      by ATAMAH (578546) on Sunday May 09, 2004 @10:51AM (#9099801)
      $250000
      Same reward was offered for the information about the authors of Sobig, msblaster etc.
    • by Clinoti (696723) * on Sunday May 09, 2004 @10:55AM (#9099822)
      Other people are not happy that this guy was caught because you have to subtract the disappointment from the companies that profit from viruses, and adware, and spyware. Just another angle to look at.

      I wonder if MS can keep up this effort and if we'll eventually start to see sponsored virii [viruslist.com] added to the real TCO for windows OS'. Oh wait.

      • I wonder if MS can keep up this effort and if we'll eventually start to see sponsored virii added to the real TCO for windows OS'.

        You bring up an excellent point. Almost all the research methodologies for examining TCO do NOT include virii losses/downtime. However, they're starting to get far from non-trivial (like the Finnish bank that went offline for a day because of Sasser... imagine the cost) and are often the motivation for an organisation to start looking at alternatives to Windows - ie MacOS X and

  • I wish... (Score:4, Funny)

    by zaunuz (624853) on Sunday May 09, 2004 @10:39AM (#9099738)
    ...that MS would hand out those rewards to those who turned in people that used pirated versions of their software. Not that i care about Microsoft piracy at all, but I know a few assholes, and I could need the money.
    • I have a feeling they LIKE when individuals use pirated copies of Windows. The more copies they have out there on computers, the better for them.

      Pirated software helps them maintain their lead in the OS market. If they started to crack down on all the illegitimate copies of Windows out there, I'm sure there would be a lot of people looking for a free alternative to Windows, which is bad for MS.
    • I don't know about the US, but here in Malaysia, there is a RM20,000 - RM100,000 (about US$5,200 - $26,000) reward for turning in companies who use pirated software.

  • by ColdWetDog (752185) on Sunday May 09, 2004 @10:42AM (#9099753) Homepage
    That Sasser's writer was discovered by that very old hat and low tech method of greed. For a few moments after the alleged perpetrator had been arrested, I had thought that M$ had managed to actually do something proactive and clever.

    I suppose throwing money at the problem is proactive, but hardly clever.

    In this complex and often terrifying world, it's nice to know that some things never change.

  • by Black Parrot (19622) on Sunday May 09, 2004 @10:42AM (#9099754)


    Don't go bragging about your next virus release.

    • This depends... on what the foreseeable penalties are like :) I mean, maybe someone will adopt this as a business model, to say so. Like, one writes the virus/worm, the other "tells on him", both share the reward ... :)
    • It's nothing new...people used to join #hack and brag about machines they rooted. A narc or ddrew would log what they said, and open an investigation. Teenagers are stupid.
    • Don't go bragging about your next virus release.

      Which is also why they're catching nothing but attention-seeking teens. Professional people that have a commercial interest like spammers, identity thieves, fraudsters, agents for industrial espionage etc. hardly ever get caught.

      That is also why so many people believe they don't exist, that they're some kind of mythic legend and that the most dangerous thing out there is a bored teen. The truth of the matter is that in 99,9% of the cases, such a person wo
    • Re:Note to self... (Score:3, Insightful)

      by chabotc (22496)
      Note to self:
      - Write major virus or worm
      - Get a trusted friend to report me and split the 5 million $

      That's a hell of a year income for sitting in jail a bit..
  • Microsoft Rewards (Score:5, Interesting)

    by mr_z_beeblebrox (591077) on Sunday May 09, 2004 @10:44AM (#9099759) Journal
    While I do agree that they need to do better (not more) auditing of code, I also think it is admirable that they are taking responsibility for the damage in some way. Props to Microsoft.
    Suggestion, instead of suing security companies who find and point out vulnerabilities they should implement rewards there. For example, if xyz security found a vulnerability they could either
    A: release it to the news/public and risk MS ire
    or
    B: Submit it confidentially to the MS bug track for a hefty reward
    Yes, that lacks disclosure but it is a healthier system than now exists.
    • by Peyna (14792) on Sunday May 09, 2004 @10:50AM (#9099788) Homepage
      Part of the agreement should be that when you submit the vulnerability to MS, you agree to keep quiet for X amount of time, they agree to give you some reward. After X amount of time, you should be able to then release the information to the public.

      Of course, the only problem is, if you told them and kept quiet, chances are someone else is going to find that same vulnerability who might not play as nice.
    • by Idou (572394) * on Sunday May 09, 2004 @11:03AM (#9099863) Journal
      "A: release it to the news/public and risk MS ire
      or
      B: Submit it confidentially to the MS bug track for a hefty reward"

      That system already exists.It is called "Black Mail."
  • by John Seminal (698722) on Sunday May 09, 2004 @10:45AM (#9099763) Journal
    The arrest could lead to more suspects.

    I wonder what kind of deals are being offered right now for him to turn in friends and information? I wonder what is on his computer? All it takes is one informant for the police to get warrants to search all his friends' and known acquaintances' computers, so I am thinking there will be a bigger fallout than just one guy. I just hope they don't let the big fish off the hook to get 10 smaller fish.

    I wonder if this will be the start of the dominos falling. He turns in his friends, who in return turn in their friends. Then next thing you know the FBI is knocking on your door asking to look at your computer. In some ways, I welcome that. It gets to be exhausting fixing computers from all the viruses and spyware and crap.

    I am just glad that with him in jail there will be more security. One less bad guy to worry about.

    • nope.

      With him in Jail, you just have one (more) guy in Jail.

      Educating users, making them patch regularly, etc + having a clean system will do the trick for more security.

      Also, using worms to auto patch the damaged and damaging machines would be ultimately the nice, if illegal, solution...

      I know this has been debated before, and that having another can of worms spreading could do some damage, but it would be faster than waiting for all the people in the world to patch their systems...and keep the init
      • Also, using worms to auto patch the damaged and damaging machines would be ultimately the nice, if illegal, solution...

        If I'm not mistaken, that was tried not too long ago and failed MISERABLY. That worm ended up doing just as much damage as the one it was trying to fix.
        • Well, first I think I said it in my previous post, so thanks for emphasis.

          secondly, just to give more clarity, maybe someone with the right skills (Microsoft itself ?) could use this and program a nice, non destructive auto-patching worm.

          Don't discard the solution because it has failed before...just learn from the errors and do it better this time....
          • The problem is that it's still a worm. ANY worm is going to be a problem just because of its nature - it infects a computer and then tries to infect other computers. Whether they're good-natured or bad-natured, a lot of the problems that come from worms stem from the fact that they're constantly trying to infect other computers.
            • 1 / I am Microsoft
              2/ I build then host a worm with an IRC channel collator thingy, 'cause it's leet
              3/ the worm has an automatic time-to-live that limits its duration on any of the infected hosts, ie uninstalling itself after, say, the cleaning of the computer, a scan/cleaning of the local network and an additional limited scan of the open space IP addresses
              4/ The worm @ Microsoft scans perpetually the net in search for new computers to heal for a certain length of time, then is removed because all the systems i
    • Then next thing you know the FBI is knocking on your door asking to look at your computer.

      Only if someone he turns in (turns in someone who turns in someone who turns in...) someone you know who's found to be one of those smaller fish, *and* he names you.
    • All it takes is one informant for the police to get warrants to search all his friends' and known acquaintances' computers....

      Mmmm, not so sure about that. Many of his friends are in his addressbook probably listed as "32ggy99", "bigbuster" or whatever. Given the use of mainly IRC for communication, chances are that this suspect is completely in the blue who his buddies are.
    • Positive thinking? (Score:5, Insightful)

      by Idou (572394) * on Sunday May 09, 2004 @11:21AM (#9099977) Journal
      Look, if an anti-social 19 year old can create such a devastating worm, I am afraid the odds are against this strategy of fighting the problem. What, there must be a 100 MILLION other kids just like him, playing away on their windows computer, looking to be more than just a pimple faced teenager.

      Let's see, ingredients to a killer windows worm:

      1. Anti-social teenager
      2. windows computer
      3. internet connection
      4. some free time (see 1.)

      Sorry, this is just not the way to resolve the problem. It is just too easy, not even worth celebrating. No wonder MS is ONLY investing 5M in this method (what is 5M to MS?).

  • by Anonymous Coward on Sunday May 09, 2004 @10:51AM (#9099796)
    Specifically: You can buy anything.
    • Specifically: You can buy anything.

      Except secure code, apparently.

      This whole reward thing is nothing more than a PR move. Microsoft comes out looking like the hero for offering the reward which led to the capture of some kid, masking the fact that their crappy code allowed this to happen.

      Two questions arise from this:
      - What will be the fallout in terms of orgs moving to non-MS platforms (MacOS, Linux, etc)?
      - By most accounts, this particular virus/worm was very poorly written. My understanding is
      • The organisations who were taken down should have taken more precautions [kenobi.it], then.

        If worms and viruses actually did real damage, I would suspect that future attacks would be less successful because of the real shock value associated with it - people might start to be more proactive in securing their machines, or not letting potentially insecure machines on their network.

        However, I suspect that viruses/worms are never going to be that destructive given that a nonfunctional computer cannot spread the infecti

  • by Leonig Mig (695104) on Sunday May 09, 2004 @10:52AM (#9099804) Homepage Journal

    i think this is utter tosh. microsoft tried to make out the blaster worm was coded by some 17 year old last time.

    they want us to think 'oh all these viruses are caused by naive kids with something to prove';

    which is less scary than the truth that worms are coded to order by people with maths degrees for criminal gangs who want to use your pc as a conduit for illegal material.

    • by bagofbeans (567926) on Sunday May 09, 2004 @11:15AM (#9099941)
      ...is that the software system design, default behaviour, and security level is so poor that a 17 year old can easily exploit it and cause so much damage.
  • by Idou (572394) * on Sunday May 09, 2004 @10:52AM (#9099806) Journal
    1. Write worm
    2. Find someone in severe financial trouble
    3. Have that person release the worm from home computer
    4. Turn that person in and collect the reward
    5. Place 75% in a high interest foreign account and keep the rest
    6. After the guy gets out of jail, send him a key to a safety deposit with all the information he needs to start a new life
    7. Profit

    • by ion++ (134665) on Sunday May 09, 2004 @11:05AM (#9099877)
      The information in the safety deposit is a note saying:

      1. Write worm
      2. Find someone in severe financial trouble
      3. Have that person release the worm from home computer
      4. Turn that person in and collect the reward
      5. Place 75% in a high interest foreign account and keep the rest
      6. After the guy gets out of jail, send him a key to a safety deposit with all the information he needs to start a new life
      7. Profit
    • My luck:

      1. Write Worm
      2. Wipe Dev machine of worm infection, toss infected backups.
      3. Write Worm
      4. Wipe Dev machine of worm infection, toss infected backups.
      5. Write Worm
      6. Wipe Dev machine of worm infection, toss infected backups.
      7. After enough repetitions, give up.
  • by 3seas (184403) on Sunday May 09, 2004 @10:54AM (#9099815) Journal
    MS pays to bust virus writers and FOSS can't afford such a reward system... so MS hires (under the table) virus writers to attack Linux...

    But FOSS doesn't pay me to turn in a virus writer.... so why should I...???

    greed..... it's been a constant in the computer industry... no doubt about it.
  • by adept256 (732470) on Sunday May 09, 2004 @10:54AM (#9099819)
    Thank you for outsourcing my debugging job to Germany.
  • by Coolmoe (416032) on Sunday May 09, 2004 @10:57AM (#9099835)
    I wonder how many people will turn in their friends, family etc.. for cash that they may or may not get. Seems to me like Microsoft will get a flood of calls from people that have friends and stuff that like programming. Who's to say what they were programming. What about false accusations by the technically inept?

  • even those virii and extend them to... what?
  • Carving his niche? (Score:2, Interesting)

    by Apiakun (589521)
    Silly Germans! If he had used that knowledge and effort at something constructive instead of destructive, I'm sure he could have gone quite far. On the other hand, he's got a reputation now, which would have been more complicated to build had he taken the non malicious route. No such thing as bad publicity, or so they say.
  • show me the money (Score:3, Insightful)

    by DNS-and-BIND (461968) on Sunday May 09, 2004 @11:05AM (#9099879) Homepage
    In terms of legality, there are so many ways to weasel out of paying a reward. You can say that the information didn't actually help that much, or any other of a thousand excuses. The U.S. State Department is notorious for this. Why should Microsoft be any different? Why should they pay off...they have their man already. The best thing to do, from a corporate-profit point of view, is to set the lawyers on the problem and divine a solution such that the reward need not be paid. This is pretty common stuff.

    Oh, and MS should pay to keep up their reputation...puh-leez. Their reputation is already lower than a snake's belly in a gully. How can they go farther? Before any knee-jerk MS apologists start replying, go check out what I've said about rewards being paid off...you'll find the situation is just as depressing as I've described.

    • Microsoft paid a reward it hadn't even offered yet:

      While Microsoft had not announced any reward for information about the person or group that released, and presumably wrote, the Sasser worm, the informants approached the software giant's German office on Wednesday and inquired about whether such a cash award would be paid.

      "Aware of this program, individuals in Germany approached Microsoft investigators," Smith said. "We did not hesitate and made a decision to offer a reward of $250,000."

      Why should Micr

  • Bounty Hunter (Score:5, Insightful)

    by Ugmo (36922) on Sunday May 09, 2004 @11:05AM (#9099882)
    OK, I want some of that dough.

    The article mentions that Microsoft used some technical means to confirm the informants' information but the informants did not use technical means to identify the guy. This leads to some questions:

    Does Microsoft somehow bug your code if you use MS products to produce it? If I remember correctly some of the Word macro viruses had an ID number somewhere inside them that let MS identify the copy of Word that originally produced the virus.

    Is such a serial number/product ID what MS used to confirm the informant's information?
    It would not necessarily need to be a number. Deliberate variations in the code produced by a compiler from one machine to the next could be used as a fingerprint.

    Barring that, was there some other technical means that could have been used to locate the author?

    If I wanted to be an Anti-Virus Bounty hunter, is my best bet learning to decompile code or to hang around on IRC chat channels and either encourage other users to write viruses so I can turn them in later, or make friends with real virus writers so I can turn them in?

    Maybe a piece of reference code can be made available on a website and people can compile it on a range of machines and MS compilers. The resulting code can be compared to see if the machine/compiler pair can be identified from the executable. If two machines with the same OS and development tools create code with slight differences I would begin to worry if I were a virus writer.
    • In a total panic virus writers flock to Borland !

      In other news MS successfully argues in court that Borland should now be declared illegal because 'all those worms and viruses are written with this tool'.

    • Re:Bounty Hunter (Score:4, Informative)

      by digital photo (635872) on Sunday May 09, 2004 @12:53PM (#9100600) Homepage Journal

      All compilers have a "pattern" in the way they generate the machine code from your originating source code. This has been known for quite some time. I'd say since the early 8088 days, if not earlier. I would think in terms of the quality of the bits in the program like oil paint vs water paint. There is a perceivable difference in quality/texture.

      About a decade ago, someone created a polymorphic module to be compiled into virii and worms to mask the original code so that a simple string search could not be used to detect it. But the means by which the module worked allowed a new kind of virii detection tool: heuristics to detect the resulting blob of code.

      If you compile on a MS system, GNU system, etc... your code will have system calls to particular libraries and code offsets. This kind of patterning will be able to allow people to determine the following:

      • What compiler you used.
      • What OS was most likely used to develop and compile the final code.
      • What libraries were used.
      • What custom libraries were used.
      • Level of optimization.
      • Efficiency of your code.

      Try it. Compile a program and run a debugger against it. A good library debugger will be able to tell you what the code is accessing.

      Note: If you have the same software setup on two different machines, then your code should be almost the same. What might differ would be various CPU bit size signatures. Say you developed with two systems exactly the same software-wise, but completely different hardware-wise, ie, you cross-compiled from say... a Linux system running VMware and WinXX to create windows code... then the code will be exactly the same.

      It would be fair to say that if you wanted to make code which was not possible to track, you would want to do so in a virtual environment where you can make the virtual system seem like any machine except yours, then write the code with the most standard libraries out there. Once written and tested, the development environment, since it is an "instance", can be encrypted and hidden as a large DV encoded stream (dvbackup) or any number of mechanisms.

      It would be like having a complete dev environment on your system which can potentially pass technical inspections.

      As for being a bounty-hunter, I think your best bet would be having a high degree of luck and a low level of ethics or morals so you can turn in friends you know. In many cases, virii writers who have been caught were caught because they couldn't help bragging or talking about it. Or they do something stupid.

      But I suppose if you ask along those lines, your level of ethics and morals is already low.

      Thanks to MS, we can all rush towards a world where we snitch on each other for a few bucks and fawn over the KGB..er.. I mean, software police. Is this the new flavour of "democracy"?
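      The toolchain fingerprint the comment above talks about can be read straight out of a binary. The following is an added example, not code from this thread or from any vendor: it walks the ELF section header table and pulls out the `.comment` strings that GCC leaves behind, using a constructed, hypothetical ELF built inline so it runs offline.

```python
import struct

# Constructed sample: a minimal 64-bit little-endian ELF whose only content is
# a section header table with a .comment section. GCC output carries such a
# section (written via the assembler's .ident directive), which is one of the
# toolchain fingerprints the comment above describes.
def build_sample_elf(comment: bytes) -> bytes:
    shstrtab = b"\0.comment\0.shstrtab\0"          # section-name string table
    comment_off = 64                                # right after the ELF header
    shstrtab_off = comment_off + len(comment)
    shoff = shstrtab_off + len(shstrtab)            # section headers at the end
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELFCLASS64, LSB, v1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff,
                                 0, 64, 0, 0, 64, 3, 2)   # shentsize 64, 3 sections
    def shdr(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0)                            # SHT_NULL
             + shdr(1, 1, comment_off, len(comment))     # .comment  (PROGBITS)
             + shdr(10, 3, shstrtab_off, len(shstrtab))) # .shstrtab (STRTAB)
    return ehdr + comment + shstrtab + shdrs

def read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def toolchain_comments(elf: bytes) -> list:
    """Return the NUL-separated strings stored in every .comment section."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    (shoff,) = struct.unpack_from("<Q", elf, 40)             # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 58)
    def section(i):
        f = struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
        return f[0], f[4], f[5]                 # sh_name, sh_offset, sh_size
    _, names_off, _ = section(shstrndx)         # where section names live
    found = []
    for i in range(shnum):
        name_idx, off, size = section(i)
        if read_cstr(elf, names_off + name_idx) == ".comment":
            found += [s.decode("ascii", "replace")
                      for s in elf[off:off + size].split(b"\0") if s]
    return found

if __name__ == "__main__":
    # Hypothetical version string; real GCC writes e.g. "GCC: (GNU) <version>".
    sample = build_sample_elf(b"GCC: (constructed) 4.3.2\0")
    print(toolchain_comments(sample))  # ['GCC: (constructed) 4.3.2']
```

      Run against a real GCC-built binary, `toolchain_comments` returns the same strings `readelf -p .comment` shows; a stripped binary that has had its `.comment` section removed returns an empty list.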

  • access (Score:5, Insightful)

    by Beer_Smurf (700116) on Sunday May 09, 2004 @11:08AM (#9099897) Homepage
    I am amazed, with the number of open access points, that someone ever gets caught. Guess they can't help bragging to their friends.
  • by ites (600337) on Sunday May 09, 2004 @11:09AM (#9099904) Journal
    Any strategy contains the seeds of its own failure. In this case, bribing criminals to hand over their own is a classic but short-term solution.

    Firstly, it sets the stage for blackmail. If one isolated hacker is worth $5m, how much is an unreleased worm worth? Probably much, much more. I'd not be surprised if MS regularly get asked for money upfront before worms are released. Paying out will only make this worse.

    Secondly, it is a Darwinian filter. Yes, you can pay to get hold of an isolated criminal. No, you cannot use this tactic against criminal gangs. $5m is not a lot when compared to the value of a large botnet. Setting bounties will eliminate the free-lancers and leave the stage open for more organized criminals who will probably be more aggressive in using zombied PCs for criminal acts (child porn, DDoS, etc.)

    Thirdly, it is prejudicial and likely to lead to the arrest of innocent people. Given that any zombied PC can be used to launch a worm attack, how can any evidence be trusted? Confessions, too, are unreliable. Bounties are rapidly turned into lynchings.

    Lastly, it is a distraction from the real issue: Windows' fundamental security weaknesses. Microsoft must release a secure Windows within the next 12 months or risk permanent damage to their brand. Paying bounties for worm writers fools no-one: Windows remains insecure and there remains an unlimited supply of smart criminals happy to take advantage of that.

    • Firstly, it sets the stage for blackmail. If one isolated hacker is worth $5m, how much is an unreleased worm worth? Probably much, much more. I'd not be surprised if MS regularly get asked for money upfront before worms are released. Paying out will only make this worse.

      If Microsoft doesn't pay, then that blackmail value is zero. Regularly report would-be blackmailers to the police. Then you've set the right incentives in place.

      Secondly, it is a Darwinian filter. Yes, you can pay to get hold of an is

    • If one isolated hacker is worth $5m,

      You need to RTFA again. The payment was $250k. The fund is $5m.
  • Payload next time? (Score:3, Insightful)

    by cdn-programmer (468978) <`terr' `at' `terralogic.net'> on Sunday May 09, 2004 @11:32AM (#9100030)
    With this purported arrest there are a few questions that enter my mind.

    (1) Do they have the right guy? I doubt it!

    (2) What of a payload? Perhaps next time there will be a real payload. IMHO dumping a worm onto the net is about the same as a prank. I somehow doubt the "authorities" will see the humour. In which case perhaps the next worm will contain a payload worthy of the punishment that this young man will suffer.

    This could be the beginning of a serious escalation.

    What people need to realise is that with a billion plus people on the net, if there is a vulnerability then it will be found. It does not matter who does it - because SOMEONE will. Punishing the prankster is not a deterrent. Fixing the broken software is the only solution and fat cat Mr. Moneybags Bill Gates should be able to accomplish the latter... either that or withdraw the clearly faulty software from the market.

    If we choose to attack and punish the pranksters then it is we who escalate this and I would expect the reaction will be in the form of an escalation of the damages.

    • Uhmm... in case you weren't aware, the fix for this was out for quite some time before the worm's existence was publicized. Yes, in an ideal world these sorts of exploits wouldn't have existed in the first place, but wake up... we don't live in an ideal world.

      I've had a windows computer connected directly to the internet with no NAT or firewall for several years, and the only times that any viruses ever make it onto the computer are when one of my kids runs a trojan that they got from somewhere on the ne

      • Actually your power saw example is a rather good one. New industrial saws are able to sense when the operator inserts his finger under the blade - and stop! So the saw quite literally does adjust its parameters.

        I also have a windows computer. It is behind an OpenBSD firewall. My son was unsuccessful with his windows 2000 system and after the 7th reload he has abandoned it. I gave him his own zone... the OpenBSD firewall blocks him and his computers from anything in my zone.

        I have Never had a virus or
        • Actually, I've had a couple of nasty trojans hit me, but their payload just hasn't gotten around to executing yet. After all, if the trojans contained a payload that went about its business too quickly, then it would not get the opportunity to spread. They need to lay low for at _least_ a few days... the only damage they do in the interim is infect local files. This doesn't affect my virus scan because that doesn't use any files on that computer.

          Oh... and that computer has never, ever, been infected by

  • what's to stop.... (Score:3, Insightful)

    by zogger (617870) on Sunday May 09, 2004 @11:34AM (#9100043) Homepage Journal
    ... a VERY good hacker releasing a virus but making it look like it came from someone else, perhaps someone the hacker is at war with, or just some random victim? And then joe victim would be stuck, trying to prove they didn't do it, with the evidence all over their computer.

    sucks. It could be done JUST to get the reward for that matter, although that would be risky, but still possible.

    microsoft got a mega buhzillion dollars in the bank from not hiring coders and not insisting on great code since forever and a day. I think what is more appropriate when money is being talked about is a class action lawsuit from thousands of joe MS users, not the government, joe users large and small who have been victimised by insecure OS that they got *suckered and conned* into running, and I mean suckered by their abusive monopoly tactics and vendor lockins for OS that happened over the past decade especially. Most people didn't "choose" to run microsoft, they got faked into it by it being installed on their boxes when they bought them. Then all of microsoft's profits from not doing their job, combined with the ridiculous no warranty deal that profitable software gets, turned into the victimized end user's problems, where you get broken computers, anger, frustration, and in the case of businesses, millions of dollars in actual-for real damages, probably billions, I don't know. A big ole pile of cash, call it that. I bet in a lot of cases the constant and recurring damages exceed the cost of the software installed by many factors.

    That sucks too. viruses and worms are BOTH the fault of evil hackers AND filthy rich monopolists who did NOT give a care about security until the past coupla of years, and even then it was half assed. MS as a total company gets its corporate mindshare from william gates, always has, and he just don't and never has given a crap as long as he can rake in the dough, he's an extreme predator, and I don't care how "compassionate" and "giving" with his "foundation" some mafia don is with ill gotten gains, he's still a mafia chieftain, and made his loot by being a crook. Easy to give away free money you stole and conned people for.

    Same with MS and gates, he needs to go to JAIL as far as I am concerned, he's a chronic serial crook, a repeat offender to boot, hiding behind the corporate wall of almost near immunity, and he shows no sign of stopping being a crook, although I will grant he's apparently trying to fix security in longhorn, but that's a long ways off and doesn't address past crimes, and I think he's only doing it because he is being forced to by market pressures.
  • just like ESR said (Score:3, Insightful)

    by ignavusincognitus (750099) on Sunday May 09, 2004 @11:41AM (#9100087)
    "given enough bounty dollars, all security vulnerabilities are shallow".

    Seriously, this is just the known "cost of doing business" mentality again. If it's cheaper to pay a reward than to develop a secure product in the first place, that's what MS will do.

    This is the exact same way they treat regulation - if it's cheaper to break the law and pay some puny court-ordered fine here and there, so be it.

  • MS needs to shape up with the security of their operating systems and office products. If Longhorn becomes a fiasco in this regard, would that be the beginning of the end for MS? Perhaps. Open Source could provide more stable and secure products. My question is this, however: how do you earn money by writing open source? Btw, regarding MS and their poor security: the problem is the lack of competition in the OS and Office markets, I think that they slacked off somehow.
  • Exactly... (Score:3, Interesting)

    by Izago909 (637084) <tauisgod@BOYSENgmail.com minus berry> on Sunday May 09, 2004 @12:17PM (#9100345)
    Who is the person that decides if a worm/virus is serious? I'm just curious because I could imagine MS being the type that could say "We don't owe you any money because we don't consider this a serious problem."
  • Microsoft, or anyone else, should make a reasonable attempt at making their product safe and secure.

    Personally I don't feel they are making a reasonable attempt as of yet. They are mostly making an attempt to calm bad press, and thwart potential legal/governmental issues.

    However, that doesn't mean it's ok to take advantage of any security issues the software may have...

    I.e. the lock should be secure and work as advertised, but if it doesn't, someone shouldn't feel they are allowed to break into your house...
  • Love (Score:2, Funny)

    by stefaanh (189270) *
    Can't buy me looo-ove...

    (sic the Beatles)
  • by Hanno (11981) on Sunday May 09, 2004 @01:17PM (#9100753) Homepage
    German news reports claim that the Sasser author's peer group encouraged him to write the worm, make it more effective and spread it.

    I wouldn't be surprised if one of his friends from this peer group is the one who reported him. After all, the whistleblower also sent source code as proof to Microsoft Germany before the authorities stepped in - he must have been in direct contact with the author and may even be a co-author.

    I still don't know what to make of this. I don't like bad hackers writing worms, but I don't like the reward program, either.
