Microsoft Reward Leads to Arrest of Sasser Suspect
tritone writes "According to this article on CNET, it was a reward from Microsoft that led to the arrest of the perpetrator of the Sasser Windows Worm. This is the first success for Microsoft's Antivirus Award Program, a $5 million fund to reward people for coming forward with information about those who release major worms and viruses."
The article discusses how much money was paid to these informants.
"Aware of this program, individuals in Germany approached Microsoft investigators," Smith said. "We did not hesitate and made a decision to offer a reward of $250,000."
Smith wouldn't say how many people came forward, except to indicate it was fewer than five. Moreover, while he would not comment on whether a relationship existed between the Sasser suspect and the informants, he did say that they both live in the same part of Germany.
$250,000 supposedly
Emory: Uh..we're still..beta testing that.
Oglethorpe: What you're testing is me and my patience!
$250000
Same reward was offered for the information about the authors of Sobig, msblaster etc.
All compilers have a "pattern" in the way they generate the machine code from your originating source code. This has been known for quite some time. I'd say since the early 8088 days, if not earlier. I would think in terms of the quality of the bits in the program like oil paint vs water paint. There is a perceivable difference in quality/texture.
About a decade ago, someone created a polymorphic module to be compiled into virii and worms to mask the original code so that a simple string search could not be used to detect it. But the means by which the module worked allowed a new kind of virii detection tool: heuristics to detect the resulting blob of code.
If you compile on a MS system, GNU system, etc... your code will have system calls to particular libraries and code offsets. This kind of patterning will be able to allow people to determine the following:
Try it. Compile a program and run a debugger against it. A good library debugger will be able to tell you what the code is accessing.
Note: If you have the same software setup on two different machines, then your code should be almost the same. What might differ would be various CPU bit size signatures. Say you developed with two systems exactly the same software-wise, but completely different hardware-wise, i.e., you cross-compiled from say... a Linux system running VMware and WinXX to create windows code... then the code will be exactly the same.
It would be fair to say that if you wanted to make code which was not possible to track, you would want to do so in a virtual environment where you can make the virtual system seem like any machine except yours, then write the code with the most standard libraries out there. Once written and tested, the development environment, since it is an "instance", can be encrypted and hidden as a large DV encoded stream (dvbackup) or any number of mechanisms.
It would be like having a complete dev environment on your system which can potentially pass technical inspections.
As for being a bounty-hunter, I think your best bet would be having a high degree of luck and a low level of ethics or morals so you can turn in friends you know. In many cases, virii writers who have been caught were caught because they couldn't help bragging or talking about it. Or they do something stupid.
But I suppose if you ask along those lines, your level of ethics and morals is already low.
Thanks to MS, we can all rush towards a world where we snitch on each other for a few bucks and fawn over the KGB..er.. I mean, software police. Is this the new flavour of "democracy"?
Winged Power Photography
Why should Microsoft be any different? Because it's in their economic interest to pay the rewards. Every virus/worm writer they discourage undoubtedly saves them quite a bit of money, even if indirectly (less bad publicity, less hassle from OEMs who are sick of high support costs, etc.).
"Biped! Good cranial development. Evidently considerable human ancestry."