Microsoft Puts Bounty on Virus Writers

Stepping up its battle against computer viruses and worms, Microsoft has established a $5 million fund to pay rewards for information that leads to the arrest and conviction of individuals responsible for releasing malicious code, the company says.

The first bounties set under the Anti-Virus Reward Program are two $250,000 rewards for information leading to the arrest and conviction of the creators of the Blaster and Sobig worms, Microsoft says in a statement.

In August, both Blaster and Sobig attacked systems running versions of Microsoft's Windows operating system, wreaking havoc.

Crime Fighting

Worms and viruses are "criminal attacks" on everyone who uses the Internet, says Brad Smith, Microsoft's senior vice president and general counsel, in the statement.

Although arrests were made in connection with two variants of the Blaster worm, those responsible for the original version remain at large. No arrests have been made in connection with the Sobig worm, which was first detected in January.

"Hopefully, people will see this reward announcement as reason to come forward when they have information. The more information that people can provide to law enforcement, the more likely we will have an arrest and a conviction for a malicious code launcher," said Hemanshu Nigam, a Microsoft corporate attorney.

Microsoft also expects that the bounties will deter some virus and worm writers from unleashing malicious code. "I hope that the next person who wants to launch a virus is sitting there and thinking twice because there now are more reasons they may be arrested and convicted," Nigam said.

Cops Assist

Microsoft announced the reward fund Wednesday at a news conference in Washington, D.C., accompanied by representatives of the FBI, the Secret Service, and Interpol. Information about any worms or viruses should go to those agencies, which investigate cybercrime, Microsoft says.

Patrick Gray, a director at Internet Security Systems and formerly a cybercrime fighter at the FBI, applauded the creation of the reward program. "It is unique and fresh in the cyberarena, while it is old hat in the physical world. We have been putting out bounties and rewards for hundreds of years, and they have worked," he said.

The bounties shine a spotlight on virus and worm creators and may lead to more arrests by encouraging members of the virus-writing community to testify against each other, Gray said. "If I can get $250,000 from Microsoft for turning in a fellow hacker, I will do it. I don't think there is much honor among thieves," he said.

Placing Blame

"Our focus has been on blaming buggy software. Let's put the focus on where it belongs and that is the people who are committing these crimes. They have operated with impunity for too long," Gray said.

The vendor's move to help law enforcement bring more virus writers to justice is necessary, said Roberta Domres, information systems manager at the Center for Health Training in Seattle, a Microsoft customer. At the same time, however, Microsoft needs to continue to improve its software, she said.

"I think creating worms and viruses is an act of terrorism, and those people should be punished," Domres said. The Center for Health Training, a management consulting firm, uses various Microsoft products. Thanks to updated systems, antivirus software, and user training, it has not been hit by viruses or worms, Domres said.

Creating secure software is a top priority at Microsoft, and the reward program is only part of that effort, Nigam said. "This is one aspect of our multipronged approach. Securing products and writing code that is more secure is going to remain a priority, as it has been for a long time now," he said.

The rewards are payable to residents of any country, in accordance with the laws of that country, Microsoft says.

Subscribe to the Security Watch Newsletter

Comments