Microsoft has $250,000 for you - some strings attached

Filed Under: Featured, Law & order, Malware, Microsoft

Recently published on Microsoft's Technet Blogs site, nestling between Haiku #154 and Bloom's Taxonomy for Learning Objectives, you will find an unassumingly erudite, if lawyerly, posting.

You probably want to read it.

It could be worth US$250,000.

To get all the money for yourself, there are, of course, conditions. You will need to rat out your buddies to the point that they get convicted in a court of law, and you'll need to be the only person who does so. You may have to pay tax on the reward, too, depending on the regulations where you live, how law-abiding you are, and how willing you are to let it be known where you got the money.

Flushed with success at disrupting the Rustock botnet by taking down its primary command and control servers earlier in the year, Microsoft is now offering the abovementioned cash prize.

A cool quarter of a million: that's the reward Microsoft is offering for "new information that results in the identification, arrest and criminal conviction" of the individuals behind the Rustock botnet.

Rewards like this aren't new to Microsoft - nearly eight years ago, the software giant announced a US$5 million fighting fund to encourage people to dob in their virus-writing chums.

What's interesting is that the reward hasn't changed since then. Microsoft offered a quarter-mil each for turning in the authors of the Blaster and Sobig worms back in 2003 (the authors were never found), and a further quarter-mil each for outing the authors of Netsky or Sasser.

The author of the Sasser worm was identified, and convicted. But German student Sven Jaschan, who was under 18 at the time he committed his crimes, ended up sentenced only to probation and community service.

At the time, I was concerned about the size of the rewards being offered. Back then, malware writing was often the beginning and the end of the creator's criminal activity.

There wasn't much, if any, money in virus writing, and outside the US and the UK, there often wasn't much criminal sanction against doing so.

(Chen Ing Hau, Taiwanese author of the infamous BIOS-destroying CIH or Chernobyl virus, got a job on the back of his malevolent creation and appears to have gone largely unpunished. Onel de Guzman, creator of the Love Bug, got away scot-free in the Philippines. Jaschan, admittedly a junior at the time, got a slap on the wrist. So did Dutchman Jan de Wit, whose home-town mayor thought his Anna Kournikova virus made him an ideal IT candidate for the local council. Even as recently as 2009, Ashley Towns, the Australian creator and disseminator of the first Apple iPhone virus, was never charged by the police, and ended up with a job for his "skills".)

So, back in the early 2000s, Microsoft's rewards seemed out of touch with economic reality, since two chums could easily have colluded to acquire the money - one "ratting out" the other, and the other "pleading guilty" - with possibly very minor long-term consequences. They could even have made the split of the reward conditional on the sentence, to favour the "guilty" party more heavily in the event of a harsh judgement. Indeed, when Jaschan was arrested after information allegedly received from a fellow student, the German media speculated that the informant was himself suspiciously closely connected with the creation of the malware.

But in the 2010s - when a small gang of cybercrooks can apparently turn over $72,000,000 in a year or two just from peddling fake anti-virus software - the reward doesn't seem out of kilter any more.

Even more interesting is the astonishing security distance Microsoft has covered since 1995, when news emerged of the first virus to infect and spread entirely inside its Word product. Concept, as this macro virus came to be called, quickly spawned a raft of fast-spreading copycats - many of them destructive, devoted to leaking data, or both, and all of them genuinely troublesome to deal with.

But Microsoft would have none of this "Microsoft Word virus" terminology at first. WM/Concept was defined, and dismissed, as a Prank Macro. And that was that.

How Redmond has changed in the past 16 years!


2 Responses to Microsoft has $250,000 for you - some strings attached

  1. georgebutel · 1140 days ago

    If I were Microsoft, I'd be looking for them so they could find my security flaws before the other bad guys. If they're smart enough to do what they do, then find out what motivates them and hire them. It is said that every man has a price (and/or a vice).

  2. Elle Woods · 1140 days ago

    Mr. Ducklin, I am a huge fan, but after having Microsoft reject perfect evidence of counterfeit software today, I can't help expressing this.

    In my humble and obviously uninformed technical opinion Microsoft knows, and has for quite some time, exactly what their "security flaws" are (at least those in question here). Up until extremely recently, it has just been more lucrative to keep them in operation.

    Now, however, given their own complicity in, negligence toward, or even strikingly callous response to individuals' right and quality of life in the PR nightmare the world is witnessing unfold every day, Microsoft knows its legal exposure is exponential magnitudes of $250,000 in liabilities, damages, and attorneys' fees. That's why a "lawyer" wrote the reward.

    Sadly, what seems like a fortune to honest, hardworking IT professionals (and amateurs) is pathetic hush money to both employees in the legal departments of multi-billion dollar publicly-traded global conglomerates as well as any potential "opposing" counsel.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog