The combined reward of $500,000 for information leading to the conviction of the hackers behind the MyDoom computer viruses could tempt informers, experts believe.
They say the money might well entice someone acquainted with the virus writers to come forward with information. But they are more sceptical that aspiring bounty hunters could use their own technical skills to beat law enforcement agencies in tracking down the perpetrators.
The original MyDoom was released on 26 January and quickly became the fastest spreading computer virus in history. MyDoom.B, which is closely based on the original virus code, was released two days later. Both affect computers running the world’s most popular operating system, Microsoft’s Windows.
The viruses arrive via email and, if the attachment is opened, the viruses then send themselves to all the addresses in the user’s address book. They also capture keystrokes and plant a remote control program on infected machines.
The two US software companies that have each offered a $250,000 bounty are both targeted by the viruses. MyDoom is designed to use infected computers to launch a massive co-ordinated assault on SCO’s web servers, a so-called distributed denial of service attack. MyDoom.B uses the same trick against Microsoft’s website.
Programming quirks
Peter Sommer, a computer security researcher at the London School of Economics, UK, says it would be possible in principle for a skilled member of the public to track down the creators of the viruses.
This could be done by searching for evidence left by the perpetrators in newsgroup or website postings, or by performing a forensic analysis of the virus’s code in order to find tell-tale programming quirks.
“But I would question whether an amateur would have the same resources as law enforcement agencies or the big anti-virus laboratories,” he told New Scientist. He adds that someone with a close link to the hackers would be most likely to claim the reward.
It is not the first time Microsoft has placed a price on the head of virus writers who have targeted its software. In November 2003, the company announced two $250,000 rewards for information about the authors of the viruses SoBig and Blaster.
But no-one has yet come forward to claim the money. “Either the underground community is very loyal, or they were written by someone clever enough not to tell anyone else,” says Raimund Genes, president of European operations for the anti-virus company Trend Micro.
Genes adds that virus writers normally take care to cover their tracks by releasing malicious code from a hijacked computer, a web cafe or an insecure wireless network.
Red herrings
A few potential clues to the identity of the creators of MyDoom and MyDoom.B have emerged. The Russian computer security firm Kaspersky Labs said on Friday that it had traced the first few emails infected with MyDoom to addresses belonging to Russian internet service providers.
“We have special software to monitor internet traffic across the world,” said company spokesman Denis Zenkin. However, he acknowledges that someone outside of Russia might have registered the addresses in an effort to throw law enforcers off the scent. The second version of the virus also contains the following piece of text: “sync-1.01; andy; I’m just doing my job, nothing personal, sorry”. However, experts are similarly cautious about the significance of this.
“It’s very hard to say” if it is a clue, says Graham Cluley, senior technology consultant with UK anti-virus company Sophos. “It’s possible that it has been deliberately left there as a red herring.”