
The Changing Virus Writer?

A persistent myth has grown up that virus writers are all teenage males with no girlfriends doing a high-tech version of vandalism. The myth has survived and even grown stronger, despite the studies of Sarah Gordon (see The Generic Virus Writer and The Generic Virus Writer II) and mounting evidence to the contrary. Unfortunately, the myth distracts attention from an alarming development in virus writing: a trend towards organised crime.

Some anti-virus experts reinforce the myth. For example, Graham Cluley, senior technology consultant for Sophos Anti-Virus, said of a virus writer convicted earlier this year, "Vallor's website reveals he pretty much fits the profile of a typical virus writer - he is young, techie and preoccupied with female nudity." However, the profile has almost no utility: 'techie' is a prerequisite for anything involving programming, which leaves 'young' and 'preoccupied with female nudity'. It may be news to Mr. Cluley, but approximately 50% of young adults are preoccupied with female nudity. Vallor's website leaves an impression of a 'party animal' pretty much indistinguishable from many others you might bump into in a crowded bar on a Saturday night. The profile does nothing to help us identify potential virus writers, or narrow down a search, but it is a nice soundbite that panders to the preoccupation with sex of the Media, and the Public they serve.

The myth might even be reinforced when it is being contradicted. For example, in describing the Sobig virus, F-Secure uses the phrase, "quite obvious it’s not written by a typical teenage virus writer". Here the teenage stereotype is the accepted fact, and Sobig is apparently a rare and unusual exception.

What about the 'teenage' stereotype? Notwithstanding the 18-year-old suspect connected to Blaster (see Stop Press, above), identified virus writers are usually older. Here's a list of the virus writers, and their ages, who created some of the most prolific viruses in recent years (the majority have been convicted for their crimes): Jan de Wit: 20; Simon Vallor: 21; Chen Ing-Hau: 24; Onel de Guzman: 25; Christopher Pile: 26; David L Smith: 30. Not a teenager in sight, and Mr Smith sounds positively geriatric to a typical teenager - though older commentators would probably characterise them all as 'young adults'.

There are other hints that virus writers do not fit a stereotype. The recent Welchia worm contains the text, "I love my wife & baby :)": maybe still 'young adult', but nothing like Vallor's 'party animal', more probably 'family man'. Welchia is also designed to install a security patch from Microsoft, probably intended as a benevolent act. This is not to condone Welchia: it is still a stupid idea to try to 'fix' a security problem without authorisation, using a worm.

Other recent malware shows deliberate planning. To date we have seen six variants of Sobig, and five have been released with a pre-programmed expiry date. The variants have different capabilities. There is an agenda behind the scheduled releases, and we do not know what it is. So far, some Sobig variants have been used to create open relays heavily used by spammers.

The virus Dumaru and the Trojan Graybird also show planning. They were released in messages designed to take advantage of the panic about Blaster, but developing a new program takes time. Therefore, the person or people behind them probably prepared the malware in advance, and waited for a suitable event before releasing it. Both installed backdoors on the compromised computers; again, the potential for spamming is a possible motive.

Of course, unsolicited email is not a crime in most places, but a large proportion of the spam cluttering up our inboxes does show intent for dishonest gain. This may be the confidence trick - the infamous Nigerian 419 scam that offers fabulous rewards for some money laundering or other shady business, but where the victim is drawn into paying more and more up-front fees; or it may be offers of cheap software (often anti-virus software) that turn out to be pirated, or simply false marketing claims - to reduce bodyweight, or increase it in certain, specialised areas. The willingness of these spammers to use open relays without authorisation, and even to deliberately break into computers in order to create new open relays clearly demonstrates their lack of respect for others' computing resources and the law.

Computer viruses and other malware are no longer just reckless acts by irresponsible amateurs: Sobig, Dumaru and Graybird show forward planning and probable intent for dishonest gain. Mikko Hyppönen, Director of Anti-Virus Research at F-Secure, already has an opinion on who is behind Sobig: “Looks like organized crime to me”, he commented. Virus writers were never a cohesive group that could be easily stereotyped, but now that there is opportunity for real financial gain we can expect a lot more trouble ahead.

