
November 5, 2004 4:00 AM PST

Virus writers elude Microsoft's bounty hunt


(continued from previous page)

sending bulk unsolicited e-mail. The authors claim that similarities between the two indicate that the Russian writer of the spam program created Sobig.F and other variants as a way to help and protect customers.

"Sobig appears designed specifically to assist spammers with anonymity," the 48-page report stated. The authors of the report, when contacted by CNET News.com, refused to reveal their identities, saying that the report had already been forwarded to law enforcement agencies and that the authors had identified themselves to the authorities.

"It can't do any harm to say to people in the virus underground that there are tempting awards and your friends could inform upon you."
--Graham Cluley, technology consultant, Sophos

When contacted by CNET News.com, the creator of the spam application denied any involvement in the Sobig virus. The developer acknowledged creating a spam tool, but denied making money from sending bulk e-mail.

"I have not any relations to Sobig," he wrote.

Some of the claims in the anonymous analysis--such as the contention that the same compiler had been used to build both the spam tool and the Sobig virus--appear to be mistaken, said Joe Stewart, senior security researcher for network protection firm Lurhq. However, the analysis overall makes some interesting connections, he said.

"I find the Sobig report to be pretty strong," Stewart said. "I think the time-line evidence in the paper is most compelling."

The other reward offered by Microsoft in November 2003 was for the MSBlast worm, also known as Blaster. That worm hit the Internet less than a month after Microsoft published a patch for the vulnerability that MSBlast used to spread. Many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would be created. The result: More than 10 million computers were likely infected by the worm, and some people claim that it aggravated the circumstances surrounding a power outage that affected nearly 50 million people in the United States and Canada.

Lurhq's Stewart believes the bounty for MSBlast will likely go unclaimed, as the worm looks set to become a historical footnote. "I think we have seen the last of the creator of Blaster," he said.

He does expect the creator of the MyDoom virus, the target of a Microsoft reward announced in January this year, to be caught, noting: "With every release there is a chance that the person will slip up." The latest variant surfaced on Oct. 25.

The experience of the past year suggests that virus authors are more likely to be identified through a slip-up than through Microsoft's program. Despite this, the hope that it might increase the pressure on virus and worm writers makes the effort worthwhile, said Sophos' Cluley.

"It can't do any harm to say to people in the virus underground that there are tempting awards and your friends could inform upon you," he said. "It could make some of these kids and criminals think twice."

Off Point
by David Arbogast November 5, 2004 12:16 PM PST
If you offer $250,000 for information leading to the arrest of a hacker, and you receive no information, what has been lost? Who has been hurt? If the bounty produces one... just one hacker, then it has been successful and has done good. Microsoft's program may not be an overwhelming success, but it is still overall providing benefit while doing absolutely zero harm. How can anybody complain about that?
You have my reply
by November 5, 2004 1:17 PM PST
Check your inbox, Robert.