Microsoft puts a bounty on virus writers

Stepping up its battle against computer viruses and worms, Microsoft has established a $5 million fund to pay rewards for information that leads to the arrest and conviction of those responsible for releasing malicious code, the company said.

Stepping up its battle against computer viruses and worms, Microsoft has established a $5 million fund to pay rewards for information that leads to the arrest and conviction of those responsible for releasing malicious code, the company said.

The first bounties set in the “Anti-Virus Reward Program” are two $250,000 rewards for information leading to the arrest and conviction of the creators of the Blaster and Sobig worms, Microsoft said in a statement.

Both Blaster and Sobig attacked systems running Microsoft’s Windows operating system and wreaked havoc in August.

Worms and viruses are “criminal attacks” on everyone who uses the Internet, Brad Smith, senior vice president and general counsel at Microsoft said in the statement.

Although arrests were made in connection with two variants of the Blaster worm, those responsible for the original remain at large. No arrests have been made in connection with the Sobig worm, which was first detected in January.

“Hopefully, people will see this reward announcement as reason to come forward when they have information. The more information that people can provide to law enforcement, the more likely we will have an arrest and a conviction for a malicious code launcher,” said Hemanshu Nigam, a Microsoft corporate attorney.

The bounties are also meant to deter virus and worm writers planning to unleash malicious code. “I hope that the next person who wants to launch a virus is sitting there and thinking twice because there now are more reasons they may be arrested and convicted,” Nigam said.

Microsoft announced the reward fund Wednesday at a news conference in Washington, D.C., together with representatives of the FBI, the U.S. Secret Service and Interpol. Those agencies investigate cybercrime. Information about the any worms or viruses should go to them, Microsoft said.

Patrick Gray, a director at Internet Security Systems Inc. and former cybercrime fighter at the FBI, applauded the creation of the reward program. “It is unique and fresh in the cyberarena, while it is old hat in the physical world. We have been putting out bounties and rewards for hundreds of years and they have worked,” he said.

The bounties put a spotlight on virus and worm creators and may lead to more arrests as members of the virus-writing community might start ratting on each other, Gray said. “If I can get $250,000 from Microsoft for turning in a fellow hacker, I will do it. I don’t think there is much honor among thieves,” he said.

“Our focus has been on blaming buggy software. Let’s put the focus on where it belongs, and that is the people who are committing these crimes. They have operated with impunity for too long,” Gray said.

The vendor’s move to help law enforcement bring more virus writers to justice is a proactive step it needs to take, said Roberta Domres, information systems manager at the Center for Health Training in Seattle, a Microsoft customer. However, Microsoft also needs to continue to improve its software, she said.

“I think creating worms and viruses is an act of terrorism and those people should be punished,” Domres said. The Center for Health Training, a management consulting firm, uses various Microsoft products. It has not been hit by viruses or worms thanks to updated systems, antivirus software and user training, Domres said.

Creating secure software is a top priority at Microsoft and the reward program is only part of that effort, Nigam said. “This is one aspect of our multipronged approach, securing products and writing code that is more secure is going to remain a priority as it has been for a long time now,” he said.

The rewards are payable to residents of any country, according to the laws of that country, Microsoft said.