In 2009, Microsoftannounced that it was offering a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker (aka Downadup) worm on the Internet. Yesterday, Microsoft offered another $250,000 reward for anyone who can provide new information "... to identify those responsible for controlling the notorious Rustock botnet ... that results in the identification, arrest and criminal conviction of such individual(s)."
As described in a Wall Street Journal article in March, Microsoft along with federal law enforcement was able to severely disrupt - if not fatally crippled - the Rustock botnet which was responsible for sending out some 30 billion spam emails a day.
The Microsoft offer, which it posted on The Official Microsoft Blog, stated:
"This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it. While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock botherders should be held accountable for their actions."
Microsoft says, however, that while it has been able to cut the number of computers infected with the botnet by half, there are still "... hundreds of thousands of infected computers around the world yet to be cleaned of the botnet malware."
Whether anyone takes up the offer remains to be seen. In the case of the Conficker reward, no one has come forward to claim it yet.
In related Microsoft good security - bad security news, a story appearing recently in Computing.co.uk reports that security enhancements to Windows 7 and Internet Explorer 9 (IE9) have made it harder for hackers to remotely gain access to Windows machines through downloaded files containing malware. As a result, hackers have increasingly turned to social engineering techniques such as phishing to get users to download malware.
The Computing story quotes Jeb Haber, Program Manager Lead, SmartScreen, as saying:
"The easiest way to infect a computer is to ask the user to do it."
One easy way, as the US Department of Homeland Security reportedly found out in a IT security penetration test earlier this year, is to leave data disks and flash drives around agency or contractor parking lots. Some 60 percent were taken and inserted into organizational networks; if there were official logos on them, the number rose to 90 percent.
As Director of network security and privacy consulting for CSC Mark Rasch remarked in a Bloomberg Newsstory when the results of the penetration test were published:
"There’s no device known to mankind that will prevent people from being idiots."
Nor amount of security training, either, it appears.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.