Microsoft Bounty Helps Land Worm Writer


May 11, 2004


Microsoft's $5 million reward fund that puts bounties on the heads of hackers scored its first success this weekend by leading to the arrest of an 18-year-old in Germany accused of creating the Sasser and Netsky worms, the Redmond, Wash.-based developer said Saturday.

According to Brad Smith, general counsel for Microsoft, information was provided to the firm's German investigators by informants last Wednesday. After technical analysis on the part of Microsoft and the FBI to confirm the accuracy of the claim, Microsoft contacted local officials, who on Friday arrested an unnamed teen in Waffensen, a town in the northwest section of Germany, about 20 miles east of Bremen.

"Within 48 hours, our investigators and the German police were able to identify the perpetrator of the Sasser virus and take him into custody," said Smith during a news conference Saturday. "This individual is responsible, we believe, for all four variants of the Sasser worm."

Security experts were quick to applaud the arrest.

"This arrest will hopefully curb the never-ending worm war of 2004," said Ken Dunham, the director of malicious code research at iDefense.

German authorities have alleged that the man is also the hacker responsible for the nearly 30 variations of the Netsky worm, a wave which began almost three months ago.

Security analysts had speculated that the same individual or group coded both the Sasser and Netsky worms, thanks to a boast embedded in Netsky.ac, the latest version, which hit the Internet a week ago. On Friday, researchers at Symantec -- independently of the analysis under way at Microsoft and the FBI -- confirmed that the two worms had such striking similarities that there was a high probability they shared the same author.

The week-old Sasser worm, which first went wild on the Internet April 30, infected Windows systems worldwide -- estimates of the number range from the hundreds of thousands to over a million -- and plagued businesses and consumers with slow-downs and crashed networks.

The arrest is the first traced to information provided to Microsoft under its AntiVirus Award Program, a $5 million fund that Microsoft established in November 2003. The fund, designed to tempt informants to squeal on the creators of major worms and viruses, has offered three $250,000 rewards in the past without leading to an arrest.

Although Microsoft didn't post a similar bounty on Sasser, the fund was instrumental in getting the information that led to the arrest, said Smith.

"Aware of the program, individuals in Germany approached Microsoft investigators and offered to provide information about the creator of Sasser. They asked about their potential eligibility," said Smith.

"We did not hesitate and made a decision that we would offer a reward of $250,000," he added.

Microsoft has not yet paid the reward; the fund compensates informants only after both arrest and conviction. The latter may not be long in coming. German news outlets have reported that the man has admitted he created Sasser.

Smith wouldn't name the informants nor their number, but did say that the latter was "fewer than you can count on one hand."

"These [informants] were individuals who were aware of who the perpetrator was; they did not stumble upon this through technical analysis," Smith claimed.

Smith also praised the technical analysis done by Microsoft researchers, who, he said, used anti-virus analysis techniques that the company has developed during the past year.

"In this instance our technical experts were able to utilize these new capabilities to analyze the source code of the Sasser worm, and through that analysis, connect this individual with the worm itself," said Smith.

The warning to hackers is clear, said Smith.

"The fast action does send a message to people who are thinking about creating or launching malicious viruses and worms. We, together with law enforcement, can and will identify individuals who launch malicious code on the Internet, and law enforcement can and will bring these individuals to justice, regardless of where they are in the world."
