Interesting. I can see the next episode on television already ...
Mouse the Malware Author Hunter

Cool, a bounty on the creator... I sure this person didn't tell a "friend."

That's quite an incentive for a lot of people.

Brilliant move on Microsoft's part. This may have just changed the game for miscreants.

Although Downadup is widespread its creators have yet to activate its payload to steal data or launch other attacks.

That would be a major concern and I'm sure that $250,000 bounty is a lot more than anyone may have earned from launching this attack. I know, it wasn't for the revenue but to further destroy Microsoft. It happens all the time. Just wait, once they've whittled away at the MS servers, Unix is next in line. You are not immune to this. ;)

I like the move on Microsoft's part and hope this is a new trend. That would surely change operations a bit. Are we going to see snitches turning up in the bay with concrete boots? Will the person who claims this $250,000k bounty have to go into a Witness Protection Program?

Either way, the person behind the attack has just been marked. The plot thickens. Next on MSNBC?

Internet's Most Wanted

How about MSFT looking in house first and consider their own liability for creating a system that's laughable easy to exploit in the first place ?

"Trustworthy Computing Group" IMHO is wishful thinking...

An autorun "feature" that you can't turn off without messing in the registry (which most of their paying customers are terrified of doing) and even then is a pain to be sure it's off. Add on top the vulnerability patched with MS08-067 ?

What's next: go after a user that clicked accept on the UAC prompts?

I'm by far not advocating a hacker shouldn't get his/her due for their crimes, but Microsoft should get their fair share of the liability for the broken software they sold and continue to sell. Offering a bounty feels like a distraction from that.

That would be a major concern and I'm sure that $250,000 bounty is a lot more than anyone may have earned from launching this attack. I know, it wasn't for the revenue but to further destroy Microsoft.

I'm not sure either one of those statements is correct.

Often, malware writers are now closely tied to the bot herders and spam groups that use the bot-nets. It's a big money game. If you flip through the archives at F-Secure, they've done some interesting analysis of the economics of virus writing over the years. A highly successful virus can create a bot-net with potential revenue in the millions of dollars.

If properly managed, the Downadup/Conficker bot-net would definitely be in the high value category, due to it's vast size.

It's size may work against it though. Because it's so big, there's a lot of eyes watching the activity of the bot-net, just waiting for it to become activated. The writer may be biding his time to activate, or just abandoning it now that it's become so "hot".

People don't write viruses for the hell-of-it mental excercise reason anymore. They also don't write viruses to piss off MS. They do it because there's big money involved.

Billions of dollars worth of wasted, otherwise productive, human hours - spent, invested, wasted - dealing with security patch after patch, removing malware, buying aftermarket security fixes, etc.

A $250,000 bounty to put the latest hacker out of business.

Somehow the math doesn't work for me.

Instead of a measly $250K bounty, which seems more show than substance, why not offer $5,000,000 as a bounty for submitting proof of a "~core vulnerability"?

I'm sure there are folks who just can't bring themselves to do MS any good, just as I'm sure there are those who see more value in a botnet than in $5MM. BUT IF that's the case then raise the offer to $10MM+. Make a compelling offer. Whatever the price the dollar cost has to be less than the costs incurred by those victimized by MS's endless stream of security issues.

Is there any doubt that we - MS users - have been caused to waste billions of dollars of our time and/or money dealing with security issue after security issue? All the while Microsoft Corporation has booked tens of billions of dollars of profit, year after year, profiting in large measure because MS Corporate wrote licensing agreements that immunized Microsoft from financial accountability for MS's lack of secure computing skill, planning or expertise.

[edited by: Webwork at 7:14 pm (utc) on Feb. 16, 2009]

$250,000 always gets someone to talk.

Not the first time MS has offered a bounty to find a virus creator. Results: Zero.

Yep, I'd like to pitch in for a reward for someone inside MS who comes forward with the truth. My computer WAS up-to-date and I still got conficker.

$250k is penny ante when losses are in billions worldwide.

Results: Zero.

Oops, maybe not...

"This isn't the first time Microsoft has offered such a bounty. In 2005, it paid $250,000 to two people for identifying Sven Jaschan, the teenager who wrote the Sasser worm."

I sure this person didn't tell a "friend."

No but he/she may have told a soon to be ex-friend. ;)

That $250K should be a signing bonus so the creator can come explain to MSFT how to fix their systems.

"So You Think You Can Hack"

the ideal commercial for ms could show bill gates with a white cowboy hat and gold star on his chest saying something to the effect:

"there's a new sheriff in town," with a bulge on the side of his jaw full of chewing tobacco.

then he could post profiles of the hackers and call it 'microsoft's most wanted'

$250,000 always gets someone to talk - Id hand myself in for that sort of money

My first thought is... if Microsoft can't figure out where the virus came from how is any regular Joe supposed to?

My second thought is... Microsoft is supposed to be watching our backs and not vice versa!

My third thought is... Great, now other hackers are going to try and do something that results in a bigger bounty.

The other 500 thoughts are all along the lines of "LOLZ" and "Good Luck!".