As first reported by CNET News.com, the initiative's first two bounties--to the tune of US$250,000 each--will be for information leading to the arrest and conviction of the people responsible for releasing the MSBlast worm and Sobig virus, both of which wreaked havoc online over the summer.
Microsoft executives were joined by representatives from the FBI, the Secret Service and Interpol at a press conference Wednesday that announced the new fund.
"These are not just Internet crimes, cybercrimes or virtual crimes. These are real crimes that disrupt the lives of real people," Brad Smith, general counsel at Microsoft, said in a press conference.
The rewards will be open to residents of any country, subject to that country's laws, Microsoft said. People with information can report it to law enforcement online to Interpol, to the Internet Fraud Complaint Center or to FBI, Secret Service or Interpol field offices.
Dubbed the Anti-Virus Reward Program, the initiative marks the latest move by Microsoft and law enforcement to put a stop to the repeated waves of attacks that have hit the Internet in the past decade. The two rewards posted on Wednesday could also jump-start federal law enforcement's seeming stalled investigation into the attacks that infected hundreds of thousands of computers in August and September.
The U.S. Department of Justice, the FBI and Microsoft had earlier announced the arrests of two men who are suspected of modifying and releasing minor variations of the MSBlast worm, but have made little progress in catching the original author or the person or group responsible for the Sobig virus. Those attacks were serious enough to hurt Microsoft's bottom line and help security companies post more profits.
MSBlast, also known as Blaster and Lovsan, spread to as many as 1.2 million computers, according to data from security company Symantec. The worm compromised computers by using a serious vulnerability in Windows systems for which Microsoft had released a patch a month earlier. A variant of the worm, MSBlast.D, was intended to protect machines against the original program, but it ended up being so aggressive that the avalanche of data it produced shut down networks.
The Sobig.F virus spread through e-mail on August 19, compromising users' computers with software designed to turn the systems into tools for junk e-mailers.
Calling all bounty hunters?
The rewards may motivate security researchers into becoming amateur bounty hunters, but real leads are likely to come from those close to the actual miscreants involved, Peter Nevitt, director of information systems for Interpol, said in an interview.
"It is less likely that we will have bounty hunters and more likely that we will have people that will break ranks within those in the know," he said.
Keith Lourdeau, acting deputy assistant director for the FBI's Cyber Division, said that while rewards have been used in the past to garner information, there's no quantitative measure of how successful the tactic is.
"In the cases that I know of, including bank robberies and major theft cases, offering a reward has generated a lot of information," he said. Sifting through the massive amounts of information will be the job of law enforcement.
The decision to offer rewards for only the two latest threats doesn't preclude additional bounties to be made for other Internet attacks, such as the MSBlast.D worm, also known as Nachi and Welchia.
"We wanted to earmark US$5 million so there would be ample resources for the near future," said Microsoft's Smith, who said that tapping into the fund will be done case by case. "We need to make decisions (about rewards) on a variety of criteria. The severity of the virus is one criteria; another is timeliness."
Smith said he hopes that Microsoft's move will put worm and virus writers on notice.
"These people are the saboteurs of cyberspace sitting behind their computer screens," he said. "This is a broad problem and we need to act, not only with determination, but with a long-term resolve."
Of course someone will get caught and be accused of writing an embarrassing virus that possibly put the second-to-last nail in the coffin of Microsoft.
Police officers all over town will be racking their brains about anybody that they know who may have a computer and the victim may even have shagged his daughter - making the kill a bitter sweet victory. 250k may not be enough to get the culprit, but it sure is enough to get SOMEBODY.
the police got Pauline Hanson, they took a poke at the GG and the police...well... what can you say? Evil people hide by joining the clergy and criminals join the police force.
Someone will go down...but just who will it be?