Applying Wild West bounties to modern internet crimes, Microsoft Corp. set aside $5 million on Nov. 5 to pay large cash rewards to people who help authorities capture and prosecute the creators of damaging computer viruses.
Flanked by federal and international law enforcers, Microsoft executives promised to pay the first rewards of $250,000 each to anyone who helps authorities find and convict the authors of the original “Blaster” and “Sobig” internet infections unleashed this year.
The world’s largest and wealthiest software company also pledged to continue making its popular Windows operating system software, the most common target of hackers, more resistant to such threats.
“We do believe this will make a difference,” said Microsoft’s general counsel, Brad Smith. “We can’t afford to have these criminals hide behind their computer screens.”
The Blaster and Sobig programs spread rapidly among hundreds of thousands of computers running Windows, exposing weaknesses in the Microsoft software the company had billed as its most secure ever.
The FBI, Interpol, and the U.S. Secret Service said the $5 million pledge was an unprecedented figure for a corporation to set aside for payments in future criminal investigations.
Microsoft urged anyone with information about the two computer infections to contact local offices of the FBI, Secret Service, or Interpol, or send tips using the web sites for Interpol or the FBI’s Internet Fraud and Complaint Center (see links below).
Students and school district personnel are eligible for the reward money–and, given that school-age youths might be responsible for launching these attacks, it’s entirely possible that fellow students or staff members could collect on it.
In August, 18-year-old Jeffrey Lee Parson of Hopkins, Minn.–who still attended high school at the time–was arrested for allegedly launching a variation of the Blaster worm that infected at least 7,000 computers worldwide.
Microsoft said it would not pay rewards to anyone involved in creating the viruses.
Government officials and others said the $250,000 rewards were the highest in recent memory funded entirely by the private sector–akin to cash bounties paid in the late 1800s by Western banks to vigilantes who hunted robbers.
“It’s like going back to the Wild West,” said Mikko Hypponen of F-Secure Corp., an antivirus company in Finland. He predicted some computer users who chat socially with virus-writers “could easily use their contacts and skills to collect bounties like that.”
Microsoft certainly can afford to pay. Its stock is worth $283 billion–more than the value of most countries–and it has amassed cash reserves of more than $51.6 billion.
The lure of huge payouts was aimed partly at disrupting the underground community’s loosely coordinated network of web sites and chat rooms that virus-writers often use to cooperatively build and polish their destructive software.
“It introduces a massive amount of uncertainty among the hacking subculture,” said Marcus Sachs, a former cybersecurity director at the White House. “That community shares exploits among themselves, working almost in a pack. But if you don’t know who in the pack is going to turn on you, you start distrusting.”
Police around the world have been frustrated in their efforts to trace some of the most damaging attacks across the internet. Hackers easily can erase their digital footprints, crisscross electronic borders, and falsify trails to point at innocent computers.
Keith Lourdeau, acting deputy director for the FBI’s cybercrimes division, said disclosure of the cash rewards does not indicate the agency’s efforts to trace the original Blaster and Sobig infections have stalled. He declined otherwise to discuss the investigation, but some experts said it was unlikely officials were close to making arrests.
“They’re definitely frustrated,” said Richard M. Smith, a technology consultant who helped the FBI in April 1999 track down the author of the Melissa virus, which caused worldwide eMail disruptions. Smith said the $250,000 rewards were surprisingly large. “Some people would turn in their mother for that,” he said.
The Secret Service’s deputy assistant director of investigations, Bruce Townsend, said authorities understand such high rewards might produce false tips. Already, some virus-writers were speculating on internet message boards about planting evidence against rivals and turning them in to investigators.
“That’s something we face in the investigative arena every day, and we’ll address that the way we always do–through evidence and proof,” Townsend said.
Kevin Mandia, who helps train FBI computer investigators, said he believes those responsible for the viruses will be careful enough to delete, hide, or encrypt any incriminating computer files.
“By now, there’s going to be no concrete evidence,” Mandia said. “This doesn’t hurt, but I can’t see this being highly successful.”
Microsoft Corp. K-12 site
FBI’s Internet Fraud and Complaint Center