Microsoft's $5m Reward Program may help catch script kiddies, such as the German teenager suspected of authoring a variant of the Sasser worm, but it is unlikely to have any effect on virus writers working for organised crime syndicates, say security experts.
Four months after the MSBlast worm tore through the Internet, Microsoft announced it had set up a $5m fund -- to be used for rewarding people who offer information leading to a conviction with $250,000. Since the launch of the fund, although a number of suspected malware authors have been arrested, none have yet been convicted.
Simon Perry, vice president of security at Computer Associates, said the rewards may lead to script kiddies "telling" on each other, but it won't bother the organised criminals who have started using experienced software writers to create malware that allows them to take control over a large number of PCs.
Perry said that there has been a transition over the past few years in which organised crime gangs have brought the traditional protection racket to the Internet.
"This new breed of virus writers and spammers will not feel threatened by a $250,000 bounty on their heads. They are operating so far underground that there is virtually no chance of someone being compelled to give them up," Perry said.
However, Richard Starnes, vice president of ISSA's UK Chapter, said that rewards have historically been shown to work, even in the world of organised crime. But he warned that they are only a component of the overall war against virus writers, and rewards should be combined with a complete law enforcement programme.
"I doubt there will be a difference in effectiveness between posing a reward for an electronic crime and a more traditional crime," he said.
Microsoft UK's chief security officer Stuart Okin said the Sasser arrest only came about when a group of people contacted Microsoft to ask if the company was offering a reward for the Sasser author. He said that rewards are commonly used to catch organised criminals in non-Internet-related crimes, so there is no reason to think they won't have the same effect in cyberspace.
"We decided there would be a reward if the information was reliable. We contacted the German police and the informants came forward with a name," Okin said.
The informants' behaviour was correctly anticipated by Peter Allor, director of vulnerability research for network protection provider Internet Security Systems, when Microsoft's policy was first announced.
"You have a fair chance of someone turning their buddy in," Allor said.
CA's Perry said Microsoft's efforts, although positive, will not have any affect on criminals operating in countries without stringent computer crime laws.
"What if this teenager wasn't in Germany and was in Afghanistan? That country has no concept of computer crime," Perry said.
CNET News.com's Robert Lemos contributed to my report.
Talkback
I think that rather than offering a bounty for the virus writers who obvious exploit security holes within Windows, the bounty should be put on the head of whichever Microsoft programmer let such obvious security holes aflict millions of people around the world.