Current events: Microsoft offers money for catching Conficker virus creator

By sal at 10:57 pm on February 13, 2009 | 3 Comments

I didn’t pay much attention to the event mentioned earlier about the Conficker virus until this new, related event arose – after all, is being infected by a virus such a rare occasion?
To remind you, it is estimated that over 10 million computers were infected with the worm, which utilized a bug in the Windows OS to infect unprotected computers, including those in government and military organizations. Its creators can start issuing commands to this network of hijacked computers by simply registering one of the domain names from its big list.
So, Microsoft decided to offer a $250k reward for information on the authors of the Conficker virus. Since this is one of those rare occasions on which Microsoft has offered a reward, it convinced me of the severity of the problem.
These rewards have been shown to work in the past, one of the most famous cases being the sentencing of the writer of Sasser in Germany. Microsoft happens to strike a good balance between stick and carrot politics in an attempt to achieve security for its products, moving more towards carrots lately (such as organizing the BlueHat conference for outside security professionals, for example).
Although there is a trend in countries such as, say, Russia to implement harsher sentencing for cybercrimes, in many countries the complexities associated with getting the reward, or with reaching a sentence, remain a big obstacle to those willing to turn in the creators of viruses.
Looking at the bigger picture, offering bounties utilizes the trustfulness of a hacker who shared his adventures with his colleagues, hoping they would keep it secret. But it seems there could be an inverse relation: the more bounties are given out, the less effective they will become. However, it is still interesting to see how some virus creators elaborately cover their tracks technologically but fail to realize the severity of the risk of the human factor from their standpoint. Let’s see whether it works this time.

Filed under: Current Events, Miscellaneous

3 Comments

  • 1

    Comment by Saipeople

    February 14, 2009 @ 6:02 am

    It’s really a huge amount, and at the same time Microsoft has indirectly accepted their defeat.

  • 2

    Comment by Ziling Zhao

    February 15, 2009 @ 4:04 pm

    This isn’t the first time I’ve seen this concept. A while back there was a site that posted exploits up for auction. Some people believed that it was the duty of the companies who write the code to buy up those exploits. This is somewhat similar, except it involves a bounty on the exploiter. The way companies deal with this has varied quite a bit, with some companies offering jobs, and some hunting them down.

  • 3

    Comment by Joshua Barr

    February 20, 2009 @ 4:35 pm

    I much prefer offering a bounty for the exploiter 😀

    @saipeople: I don’t really think that’s a case of admitting defeat. Think about it this way: a criminal knocks over several banks in succession by exploiting some weakness in safe design. The safe-makers both fix their safes and offer a bounty for the criminal. Whether or not all the safes have been fixed, the safe-makers still have an interest in bringing this criminal to justice.

    In the same way, remember that the exploit-writer is not just clever. He didn’t just defeat Microsoft (by finding a clever exploit). He committed a crime, possibly 10 million counts of a crime. If possible, he should be brought to justice and his ability to cause further mayhem reduced or removed.
