Home > Bugs & Viruses > Microsoft Paid $250,000 Bounty Microsoft Paid $250,000 Bounty Submitted by Ryan 2005-07-12 Bugs & Viruses 26 Comments Microsoft has paid two unnamed informers $250,000 for help in tracking down the author of the Sasser worm. The Sasser worm infected over 18 million computers worldwide within its first week in the wild, costing businesses estimated millions. About The Author David Adams Follow me on Twitter @david_adams 26 Comments 2005-07-12 3:46 pm Anonymous …$1,000,000 reward which emphasized bringing hte author in on a roasting spit.” to bad. 2005-07-12 3:49 pm Anonymous didnt read the article…been there done that but the question is – How did they know where to point the finger? and are they going to share with their friend who put sasser together? I think the sasser guy should be compensated for showing how insecure all those networks were… JT (first post) 2005-07-12 3:51 pm Anonymous if they would admit their track record on security is due to design. I guess it is easier to blame the worm authors than for Microsoft to accept responsiblity for designing a system so easily compromised. (http://www.realtechnews.com/posts/1511) 2005-07-12 3:53 pm JrezIN I wish I knew this guy… =-] But seriously… I hope they expend this kind of money contracting people to hack and hack-proof their products. 2005-07-12 4:21 pm StephenBeDoper if they would admit their track record on security is due to design. I guess it is easier to blame the worm authors than for Microsoft to accept responsiblity for designing a system so easily compromised. Microsoft is arguably negligent for allowing it to occur, but the the blame for the worms themselves should be placed solely on those who wrote and released them. 2005-07-12 4:32 pm ma_d No, that’s not a fair assessment. The fact is, Microsoft released the patch before Sasser: It wasn’t Microsoft’s fault like it was with blaster. I frankly blaim most of the people who didn’t run updates. Not that everyone should have had their updates run already, but I think that before Sasser hit a good 15% of machines should have been updated; and within a week 100% should have been: That would have really brought the damages waaaay down. But businesses all have so many self-inflicted barriers to running updates. And home users are just too stinkin lazy. 2005-07-12 8:49 pm Anonymous “frankly blaim most of the people who didn’t run updates. Not that everyone should have had their updates run already, but I think that before Sasser hit a good 15% of machines should have been updated; and within a week 100% should have been: That would have really brought the damages waaaay down.” From what I read, they were afraid that it will brake their MS SQL if they apply the said patch. And that it did happen before. So now we’re back to MS’s poor OS design. 2005-07-12 4:42 pm JohnMG Very nice. 😐 2005-07-12 5:23 pm janedoe …which is kind of unfortunate. Although I don’t like microsoft it’s not fair to say that _any_virus is their own fault. Sure, some of the blame lies with them, after all they’re the ones making some very stupid decisions (see: many holes in IE*). However, IMHO anyone who writes a virus that gets out into the wild (and whoever released the thing) should be hung out to dry. Microsoft is just making it easier, not making it happen. * I have no idea how sasser spreads itself. I havn’t looked into it. That was just an example. 2005-07-12 5:28 pm Anonymous Yeah, except that doesn’t take into account the fact that a piece of malware can install itself on your computer without your permission. The patch is the least they can do, but bad security by design is not excusable. That goes for any OS. Missing a patch or having to reinstall Windows and not being able to get the patch shouldn’t result in a user being punished like Sasser was able to. 2005-07-12 5:30 pm Anonymous I’d like to know, after the worm “cost them millions” which businesses STILL HELD TO THE SAME PRACTICES OF “NEVER UPDATE”. Probably nearly all of them. 2005-07-12 5:31 pm Anonymous No wonder MS were going to try and make their custumors pay for their inability to code – by charging money for security updates – That idea didn’t fly to long did it? “Gotta recoop those greenbacks – Billy only has a 100 billion left.” I frankly blaim most of the people who didn’t run updates. C’mon dude – The only thing they do more than lie is release updates. Who has the time to keep up with their swiss cheese OS? 2005-07-12 6:31 pm speel damn snitchs! 2005-07-12 6:41 pm Anonymous Bounties, anti-trust suites, patent squabbles, etc. are really paid for by the costumers of these oh so aggravating joe blows and their ” corporations”. 2005-07-12 6:50 pm Anonymous I remember the sasser fire drills. And lets not forget the 14min comprimised time on new windows installs. Script kiddies beware 2005-07-12 7:05 pm Anonymous The Sasser worm author received a suspended sentence from a German court last week. He must perform 30 hours of community service work (less than the standard work week) and will not be required to pay court costs or restitution. So if you want to write viruses without fear of reprisal, move to Germany. 2005-07-13 8:14 am Anonymous Not a correct assessment. The reason why he received the sentence he did is because companies knew how to protect themselves, and did not. Put this into a context of real life. Let’s say that it is possible to break into a car because an electronic car key is faulty and issues an immediate recall. However, you ignore the recall and keep driving and a person breaks into your car then the insurance companies will say it is your fault. It is like leaving a key in your car, with the doors open. No insurance company will insure your losses. From what I gathered the judges used this logic when applying punishment for the virus writer. 2005-07-12 7:07 pm Anonymous Police: Why did you do it? Jaschan: Needed a job Police: You could have just applied like everyone else Jaschan: I did. They said I lacked experience. Police: Did you try again? Jaschan: Why bother. I had tried so many times to get a job with so many different companies I gave up. Got tired of hearing I didn’t have enough experience. Police: So you wrote Sasser? Jaschan: yep Police: to get back at them? Jaschan: no Police: then why? Jaschan: I figured they’d hire me if I showed them what I could do Police: OK. We’ll make a deal with you. You stop writing this stuff and start writing for us. Deal? Jaschan: Deal Police: 120K a year to start OK? Jaschan: That will be fine. The only way some of these people can get a job is to do stuff like this. Surest way to life time job security you know. lol. 2005-07-12 8:09 pm Moocha Except nobody outside the snake oi^H^H^H^H^H^H^Hecurity software business will hire malware authors knowingly, and especially not expressly because they released malware, and least of all will a public institution do that. 2005-07-12 9:09 pm Anonymous snake oil software business? “… currently works for a German security software firm named Securepoint, which protects systems against worms and viruses. ” didnt know they sold snake oil… been looking for some of that! Strange that i have seen numerous people have the malformed webpage that freezes your computer on their website to show the exploit and they havent been hunted down and arrested… as well as other “look at what heppens when” kind of stuff…. He didnt spy on you, he didnt destroy data, he didnt cause you to be stoned…. he showed you a hole in your operating system…. 2005-07-12 8:04 pm Anonymous yea i wish i could blame the guy a bit more but he honestly didnt write anything horrible, in fact wasnt he the one who claimed he originally wrote it to remove some other exploit or soemthing…. There was a exploit and this guy simply wrote something that showed how bad of a hole was wide open… Yes, he could of done it in a nicer way but then M$ would of evaluated the impact for a year or more… I just think this caught people with their pants down so they wanted him fried….pitiful really I still think him and his friends made sure to claim the reward and make sure he got caught before he turned 18… I wonder what metnick thinks when he hears people getting community service and crap for this stuff….. 2005-07-12 8:09 pm Anonymous i don’t blame microsoft, neihter the sasser guy… I frankly blaim the people for using such insecure products as operating system… I mean, if you have very important data on your PC it’s quite stupid to use Windows… 2005-07-13 4:43 am Anonymous it’s about time this issue is taken seriously and virus writers aren’t treated lightly by our justice system. I kind of like the bounty hunting of virus writers so thumbs up for catching them this way. MS didn’t think of viruses back then because there was no internet and not many viruses unless they made it to dev’s box or spread thru sharing floppy disks around. Then after that it was too late to change the os from the ground up because of already existing huge user base that would be ticked off. Not to mention all the bounds checking sucking up resources that we didn’t had back then. It’s easy to criticize the past like in the case where we asked why not C++ back in 80’s. Well, because runtime was too inefficient for hw of that period. No Java back then even if it was possible to conceive it. 2005-07-13 6:08 am Anonymous From what I read, they were afraid that it will brake their MS SQL if they apply the said patch. And that it did happen before. So now we’re back to MS’s poor OS design. so none of these companies has a firewall, any routing equipment or anything. They all were just sitting there with their dicks in hand while the networks they administrated accepted RPC connections from any IP address. Any business that was taken down by sasser had/has fucking morons for an IT department bottom line. Sure MS has security issues but I’d still fire every motherfucker working in IS if I had a business that went down to due to something that was so easy to block. 2005-07-13 6:13 am Anonymous anyone interested in the truth can read this… http://radsoft.net/resources/rants/20050707,00.html 2005-07-13 9:45 am Anonymous since it is pro-active, rather than reactive.