Microsoft has announced that it is offering a $250,000 reward for information that leads to the capture and conviction of the authors of the Conficker worm (also known as Downadup or Confick).
This development shouldn’t surprise anyone. Microsoft’s reputation is badly shaken whenever a computer virus causes widespread problems for its users. It has not been unusual in the past for prevalent malware to exploit weaknesses in the software giant’s products (as was the case with Conficker), or to pretend to be messages from Microsoft technical support.
Offering substantial rewards can do no harm. If a culprit isn’t found then Microsoft hasn’t lost anything, and it may just entice some members of the computer underground to come forward with information. People considering releasing malware in the future should take careful note of this and think again.
Of course, this is not the first time that Microsoft has tried to tempt the computer underground with a reward for informing on virus writers – although they don’t appear to have been used as a technique for the past five years.
In November 2003 Microsoft offered a total of $500,000 for the arrest and successful prosecution of the people behind the Blaster and Sobig worms, and said that it was earmarking a further $4.5 million bounty for the purposes of capturing future virus writers.
In May 2004, as Sophos documented at the time on its website, Microsoft agreed to pay $250,000 to a group of informants who contacted the company about Sven Jaschan, the teenage German author of the rampant Sasser and Netsky worms. This was despite there being suspicions that the informants may have themselves been involved in the case.
Jaschan was ultimately found guilty, but walked free from the court with a community service sentence and nine months probation.
The only other virus bounty I can recall concerned the MyDoom virus in January 2004. The software company SCO, which suffered a prolonged distributed denial-of-service attack at the hands of the virus, offered $250,000 (that really does seem to be the going rate, doesn’t it?) for its authors’ capture, although no-one was ever brought to justice. A few days after SCO’s press release announcing the reward, Microsoft chipped in with a further $250,000.
But the big question is whether the Conficker bounty is big enough. $250,000 may have been enough to identify Sven Jaschan, a German teenager infecting computers for kicks. But is it going to be enough to encourage someone to inform on an organised criminal gang, making large amounts of money out of malware?