Newsmaker: Microsoft's bounty hunter

The Sasser computer worm may mark a turning point for law enforcement's ability to catch and prosecute computer virus authors.

The reason: Enticed by a $250,000 reward, an informant came forward to leak information on the person who wrote and released Sasser. It's exactly what Microsoft, which agreed to the bounty as part of its antivirus reward program, hoped would happen, said Hemanshu Nigam, an attorney for the Microsoft branch administering the program.

Nigam, originally from India, worked as a prosecutor in the Los Angeles District Attorney's office and later in the Department of Justice.

If you have involvement in the virus or worm that has been launched, you are not eligible for a reward.

Initially, he prosecuted child pornographers and others who exploit children on the Net. He then joined the Justice Department's Computer Crime and Intellectual Property Section but left to work for the Motion Picture Association of America to help the group enforce its copyright claims against digital pirates. He moved to Microsoft to work on similar issues and also to focus on criminal complaints: For instance, when scammers use Hotmail or MSN.com to engage in criminal activity, he supports law enforcement in identifying people and providing information, as required by law.

As the lead attorney in Microsoft's Digital Integrity Group, Nigam is again on the enforcement trail. He recently spoke with CNET News.com about Microsoft's ongoing battle with virus writers.

Q: What is the aim of the antivirus reward program?
A: The antivirus reward program is designed to provide incentives for law enforcement to get information so that somebody who is a witness of a crime comes forward. At the same time, people should understand we are saying that launchers of malicious code ought to think twice before they hit that send button or release that code online. We are hoping that there are citizens who will step up and do the right thing, providing information if they have it. We are also hoping that those who are thinking about doing something that is not the right thing--that they are going to think twice and stop before doing it.

Has it been successful so far?
People have been providing leads to law enforcement ever since we launched the reward program. What law enforcement authorities are telling us is that they are pleased with the leads that they are getting.

With the Sasser worm, you did not actually say, "Hey, we are offering a reward for Sasser." It took someone to come forward and ask if you would you offer a reward. To what extent has that happened in the past?
It is the first time somebody came to Microsoft, specifically, and said, "I have information for you.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

I know about your reward program, and I want to talk to you about somebody who has done something that is malicious in nature." It is the first time that has happened. However, we have seen an increase--and this is something law enforcement has told us--in the number of citizens out there who are calling law enforcement and saying, "We have information on a cybercrime." The community out there using the Internet knows things about what is going on and is energized to step forward and do the right thing--even if it is not directly connected to a reward being offered by Microsoft. That, to us, is a success in itself.

At about the same time as the Sasser arrest, there was also an arrest of a suspected writer of Agobot. Was the reward program key in that one as well?
No. The arrest actually happened at almost exactly the same time on May 7, but the two cases resulted from two different situations and two different ways of investigating it. One was very connected to the reward being offered and somebody being aware of it and coming to us. The other was very connected to technical analyses and things that go behind that and lead to information. And then Microsoft worked with law enforcement in Germany.

What do you think the breakdown will be of crimes solved that are related to leads from technical analysis versus crimes that get leads because of an informant?
One is not exclusive of the other.

There are about two to 300 viruses that get released on any given day, but each one has a different type of impact.

There are cases where I think we will find that technical analysis is going to play a major role. At the same time, offering a reward on a particular malicious code may also have an important role in identifying the person responsible. The two can go hand in hand, but I cannot predict which one is going to take the lead.

There are reports that the informant in the Sasser case is under investigation. If that turns out to be the case, and he ended up becoming a suspect, what would be the impact on any offered reward?
If you have involvement in the virus or worm that has been launched, you are not eligible for a reward.

What if you are part of the virus underground? Does that exclude one from the reward if not directly involved in the case in hand?
I would hope that if somebody has done something criminal, and law enforcement is investigating that person, that the individual gets prosecuted. Whether or not legally that precludes them, I do not know.

There is always the suspicion of whether or not a reward program like this might entice certain people who would say, "OK, there's three of us; one of us creates a worm, one gets offered a reward, and then the other two turn him in."
The reward program is designed to provide an incentive for people to offer information that would lead to an arrest and a conviction of somebody who has done something illegal by launching some sort of malicious virus or worm. I think that law enforcement is going to engage in what I would call due diligence and examine who their witnesses are. They will examine the information provided and make a good determination on whether that information does, in fact, lead to an arrest and conviction--and whether the person providing that information is involved in some manner or not. That is something that law enforcement does daily in many, many investigations, in many different types of crimes, so it is not anything different than what they are engaging in, typically.

What about spam? With the Can-Spam Act, certain ways of sending spam are now illegal. Would Microsoft consider putting up a reward to stop that sort of activity?
Well, my focus is on viruses and other types of malicious code. All I can say about the spam area is that we are working very closely with law enforcement and also on the civil side to bring lawsuits against individuals under the Can-Spam Act.

Do you think that you are going to slowly get to a situation in which you will be approached by someone saying, "I have information on this specific threat and who did it" rather than Microsoft first announcing that it is offering a reward for information leading to whoever released this specific threat?
I cannot predict. There are about two to 300 viruses that get released on any given day, but each one has a different type of impact. We are going to continue to review the types of malicious code out there and see what kind of impact it is having--and often most importantly, what law enforcement feels about the helpfulness of a reward in any given situation.

Since you have done a lot of prosecuting in the past, how long do you think that process will normally take between someone coming to you and saying, "Here is the information" until there is generally a conviction in the case?
As I used to have to say to victims who would ask that same question, it all depends. It depends on the criminal justice system; it depends on the court that a case goes to; it depends on where in the world that crime is being prosecuted. For example, Sasser is in Germany; Blaster (or MSBlast) was in the United States. Every court system is different, and every court system moves at a different pace. We hope that justice is served as quickly and as efficiently as possible.  

More Newsmakers

[mercuryrising]

Try doing this sometimes too

Mr. Hemanshu,
I appreciate your way of working . But why dont you sometimes sue the record companies benifitting incorrectly by selling a 40 years old music for the same price as of the contemporary music or why dont you sue the software compaines for their monopoly or mismanaged products. Is there any social sense at all ?

social senseless

the corporation with the biggest bank account determines what is sensible or not.

Are You Serious?

Do you really feel this is the correct forum for airing your feelings on the recording industry?

That aside, I don't care if the song is 100 years old, the intellectual property owner can charge whatever the market will bear for the product they sell.

Do you see people complaining that they have to pay millions of dollars for a Van Gogh painting because it was painting in the 1800's? No, the buyer pays that money willingly.

If you don't want to pay for the music, that is fine, don't listen. It is a supply/demand equation. If music is too expensive, and people stop buying, then the record companies will have to try something else.

Just because something is digital, it doesn't mean you have a right to it. Stealing music is no different than stealing a painting, a car, or anything else that is not yours and has value. You are not "entitled" to the music that people create, you must pay for it indefinately, and companies will charge what the market will bear.

[unknown unknown]

Virus writter share source...

if not other virus writters reverse engineer the virus. I found it more than a little amusing that shortly after the author of Sesser was arrested a variant of his Sesser virus was release. These rewards might make for some nice PR in the rare case the virus author is caught, but I doubt it will do much in terms of deturance.

[wrwjpn]

Be responsible

MS should be more responsible and spend their horde of cash
on improving their software. I agree that stopping the virus
writers an important step but come on. Where would the money
best be spent? I vote for beefing up their software. Also, you
notice as they bundle more and more of their products into the
OS the more problems and security holes there are.

No system is infalliable, but there has to be a limit.
What other industry can put out such shoddy products or
services and maintain a vast market share. We have only
ourselves to blame as we believe that everytime MS says their OS
is more secure we run out and buy it. When will we learn and
stop to force them to prove it. What ever happened to truth in
advertisement?

Also, I think the EULA should be on the outside of the box so I
can read it before buying it. Open the box and then try to return
the software, see what happens? You opened the box so you can
return it.

MS spend your money more wisely and you won't need to offer
rewards or possibly spend so much on legal affairs.

[jwphillips]

If you don't like the MS Security....

If you don't like the way MS handles security issues in their software.... change it.

That can include buying another OS, installing some additional software, or fixing the problems yourself. Sounds like a daunting task? Of course it is.

Maintaining software is similar to going to war. You know what most of the problems are going to be, but you can never plan for everything.

DEVIANTS

I have observed and continue to enjoy 'fools' of a very 'high order' -- very high tech, that think that 'tunneling' is a ( clever idea )re my equipment.
Recently, I observed a very bizarre situation
wherein I captured one of my past emails being used as a 'tunneling' mechanism for that 'high tech' company to view my activities on my equipment.
Not only do I know how they do it, I have also figured out how they can do it to any one of their customers that has purchased their product.

PRAGMATIC as a word within any decent dictionary has multiple definitions.
PRAGMATIC as this email is concerned, simply relates to most definitions of that word,and especially towards security issues that have any shade or form of Global Impact.
For me to observe such, is simply a function of 'massivie hours' of learning my way this far.
Having been 'hacked' twice' within a week was a 'defining moment'.
Microsoft Research was my next contact.
This particular comm line yielded info re
previously missed OE6 items and so much more !!!!!!!!
Am I shy. NO
Do I have a problem re picking up my phone at any time and making contact with the FBI re security issues/obsevations.
NO.
Any intelligent individual should not be shy.
After 911, we all know that the U.S. is under attack.
Computer related issues rank SENIOR in any economy.
PRAGMATIC as a word can and does carry consequences.
From my side, I can and will trap any form
of 'deviant'.

[JimStiner]

Why is there so little information about what law enforcement is doing to catch people who spread viruses and trojans, and iframe and other maliious attacks.?

I person should be able to call the police and report an attack, and the police should use all of their computer geeks to find the culprit and send them away for life. The penaltly should be 10 times more severe than it is now.

Once word got around that the worse offenders had been given 20 years at hard labor, maybe that would deter others from wanting to copycat this serious crime.

If I was judge and we had positive proof you were guilty, I would order you tied between four horses and have them pull you apart.

The amount of productivity that is lost and money it cost the attacked makes this a very serious crime to me.

Jim
http://writeATrust.com