The computer virus bounty hunters

Perhaps Microsoft’s senior management team has been watching too many old cowboy films. When they announced that the company was putting up a bounty of $250,000 for information leading to the arrest of some of the world’s most destructive virus writers, the atmosphere had more than a whiff of Wild West desperation about it.

But the $5 million anti-virus reward fund that Microsoft has established (albeit for attacks on its products only) also raises some critical questions about the underlying security of its software and, indeed, of the Internet in general. Not least of all is the question as to why Microsoft is only now trying to address a problem it has largely ignored for the best part of a decade. There is also debate over whether such a lavish informer scheme is really designed to flush out virus writers or whether it is little more than a public relations gimmick.

Announcing the fund flanked by FBI, US Secret Service and Interpol agents in Washington, DC in November, Brad Smith, Microsoft’s top lawyer, declared that “these are real crimes [perpetrated by] the saboteurs of cyberspace. We are working to stamp out the criminal behaviour that causes this problem.”

The main problem facing Microsoft, and the law enforcement agencies it is working with, is that virus writers are not exactly visible figures. The online attackers who wrote the MSBlast.A worm and the Sobig virus (on whose heads Microsoft has put a price of $250,000) have never been identified. And indeed, the most successful attackers to date have not only worked alone but have rarely, if ever, boasted of their achievements to friends, colleagues or even anonymously within online communities.

One virus writer who did leave enough of a trail was 18-year-old student Jeffrey Lee Parson. His Blaster.B worm, a variant of the original Blaster, is said to have infected half a million machines (the FBI have identified 7,000), using them as ‘drones’ to mount a distributed denial of service (DDoS) attack against Microsoft’s web site. Parson was arrested in August after the federal agents linked the worm to a hacker site that was mirrored on the 18-year-old’s PC, where they allegedly found a list of infected computers and the virus source code.

Organised cyber crime

Would a reward have triggered an earlier arrest or even stopped Parson? Not necessarily, say legal experts. Mark Smith, an IT solicitor with law firm Morgan Cole, doubts that offering rewards will result in a flood of informants. “It can work in traditional law enforcement, but with mixed success and depending on the nature of the crime,” says Smith.

It also depends on who is behind the attack. Cracking organised crime through a rewards scheme, of course, is particularly challenging because the prospect of a big reward is often offset by the threat of violence. That has become a factor as organised crime gangs have increasingly moved into the area of computer hacking, says Len Hynds, head of the Metropolitan Police’s National High Tech Crime Unit.

Commonly, such gangs are adopting one of two techniques, he says. Either they break into major companies’ computer systems and then demand payment in return for disclosing the flaw that they have exploited; or they launch a DDoS attack, promising only to halt future attacks if an extortion demand is met.

As that suggests, viruses are by no means the preserve of maladjusted teenagers. Hemanshu Nigam, a lawyer within Microsoft’s digital integrity group, says that between 200 and 300 new viruses are discovered every month, written with the deliberate intention of infecting poorly protected PCs with Trojan horse software or keystroke loggers. “There is a big difference between people experimenting with writing programming code and those that are illegally launching viruses and worms and causing destruction of files, personal data and the like,” says Nigam.

Big and bad

One of the most serious viruses of recent times, the Sobig-F worm, was propagated using several mechanisms. First, the author commandeered the Windows-based PC of a home broadband Internet user and then used a stolen credit card to set up a bogus account with a news group service provider. The worm was then implanted and propagated from a pornographic news group. All of this activity was traced back to the victim, who only learnt that his PC had been compromised when the FBI raided his home several days after the worm had been released.

The author of the Sobig series of viruses is believed to be associated with spamming groups, who are exploiting the poor security of PCs in much the same way as hackers in order to anonymously send out direct marketing messages.

It is the relatively weak security of some Microsoft software that provides the key opportunity for many virus and worm writers. The Blaster and Sobig worms exploited security flaws in Windows that could have been avoided if Microsoft had shipped its operating systems with a firewall activated by default. The company is now creeping towards resolving such issues.

With ‘Longhorn’, Microsoft’s next major operating system release, it is planning a plethora of security measures, including an enhanced firewall (always-on by default), built-in anti-virus software and a comprehensive digital rights management (DRM) scheme.

In the meantime, the reward scheme may act as a stopgap. But with Longhorn not due until 2006, the company’s $5 million bounty fund may have to be topped up several times.

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...