Cyber Eye: Wanted, dead or alive: malicious coders
- By William Jackson
- Nov 19, 2003
Microsoft this month added an arrow to the quiver in the global war against malicious code by promising a six-figure payout for information leading to the conviction of whoever coded Blaster and SoBig.
Rewards are far from a new idea. 'We've done it for decades for the whole line of criminal enterprises,' commented Patrick Gray, a 20-year FBI veteran who now works for Internet Security Systems Inc. of Atlanta. But as far as anyone knows, this is the first time rewards have been offered to expose the authors of worms and viruses.
Heaven knows Microsoft has plenty at stake. Nearly two years into its Trustworthy Computing initiative, the company is still patching Windows security flaws at an alarming rate. The ill will that Blaster and SoBig generated toward Microsoft apparently makes a $5 million reward fund look like a good investment.
The question is, will it work? Gray, for one, thinks it will. Criminal rewards have produced outstanding results, he said, and 'we will get some movement within the hacking community' from the Microsoft rewards.
But the FBI's $25 million price on Osama bin Laden's head has yet to produce any results.
The motives for creating and unleashing malicious code vary greatly from author to author. Many worms and viruses apparently are written as a challenge, or to gain attention and claim bragging rights. The SoBig family of viruses, on the other hand, could be the work of an organization with a profit motive, possibly to perfect a spam delivery system.
Those two communities are likely to respond differently to rewards.
We know that crooks can't be trusted. That's why rewards work against them. A criminal motivated by profit might well be willing to turn in an accomplice if the reward is big enough, so the author or authors of SoBig could be vulnerable.
A spammer has to send out an awful lot of spam to earn $250,000, making that Microsoft reward awfully attractive. And the social stigma of being a stool pigeon probably isn't as great as that attached to spammers.
But is there honor among hackers? Turning an amateur friend over to the FBI seems cold, even for a cool quarter-million.
If the author of Blaster really did it to impress a girl, it's hard to believe she would turn the schmuck in for the reward.
So the reward might work in some cases and not in others. The good news for Microsoft is that if it doesn't work, the company won't have to pay anything. The downside is that it could backfire. If coders are writing worms and viruses for the bragging rights, they might see a glamorous $250,000 bounty on their heads as a big motivator rather than a deterrent.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.