7 Things to Know about Virus Writers
by Monte Embysk
I spend a growing percentage of my time getting rid of unwanted e-mails that contain viruses. If I open one of them, it potentially could overwrite files and disable my antivirus software.
What exactly is in the heads of these virus writers? Anything?
I took my inquiry to Sarah Gordon, an expert on the psychology of hackers and virus writers. She did her best to answer an overly broad question. Gordon is a senior research fellow at Symantec’s security response unit, and previously was a researcher for the antivirus research and development team at IBM’s Thomas J. Watson Research Center.
She meets face-to-face with hackers and virus writers on occasion, to understand why they do what they do, and conducts research at international hacker conferences such as DEF CON. To see Gordon’s background and some of her research papers, visit her Web site at www.badguys.org.
She’ll tell you right away that hackers — people who devise ways to break into networks — are a different animal than virus writers, and in most cases, more advanced. Virus writers are generally younger (some as young as 10 or 11 years old), on a lower rung of the underground tech strata and not always aware of the damage that could occur. Also, she stresses, except in a few states, writing damaging viruses isn’t against the law.
All that is Gordon’s way of suggesting there truly is a low barrier to entry. She says parents and teachers need to be more assertive in teaching kids in the Internet Age that morality is as important in the virtual world as it is in the real world. In general, parents need to pay more attention to what their children are doing on the computer. She also chastises journalists for frequently overestimating the damage virus writers do, thereby glorifying their acts and power.
“While the media are starting to realize that virus writers are not geniuses, or heroes ‘helping’ us to understand security risks, there is still a long way to go — especially in countries where viruses (and virus writing) are relatively new and where ethics is not part of the curriculum,” she says in an e-mail interview.
Transferring real-world values
Courtesy of Gordon, here are seven things about virus writers that you should know.
1. They’re often kids, but not always. In general, virus writers are young people under 30 and predominantly male, Gordon says. Many are in their teens. But stereotypes can be dangerous here, because some veteran IT people have been known to write viruses on the side to “test the security” of certain networks and systems. “Often people ‘play around’ with viruses, not realizing the damage they can cause. They think that because they can’t ‘see’ them do anything, it’s all OK.” Generally, the older a virus writer is, the more that he knows what he is doing, although this varies from country to country.
2. Their goals vary, and many don’t even have goals. Some simply are exploring programming self-replicating code. Others, however, are trying to gain notoriety or make a personal, political or social statement. A few are disgruntled workers. “Generally, many young people who write viruses don’t connect the act with the damage that can occur . . . That said, some virus writers have a pretty good idea of the end result, and do it anyway. These tend to be older individuals, who write viruses with the intent of causing damage and chaos.” The media has frequently exaggerated the impact early on, encouraging others to create their own stir, Gordon says. But she recognizes the media’s role in trying to notify users early on so they can prepare their defenses.
3. Their targets are generally random. Many virus writers claim to be pointing out the vulnerabilities of a software product or manufacturer or the lack of security at a particular company, such as where they work. Gordon contends that many use that as an excuse or “cover” for an adventure gone awry, or for destruction more widespread than anticipated. She suggests that most people directing anger or actions at specific targets will use other means, such as hacking their systems, to accomplish their goals. “Most viruses don’t appear to be written with destruction in mind,” she reiterates. “Many are written to be destructive — and while there may be a political or a social statement in them, they are generally (though not always) pretty much randomly targeted.”
4. Virus writers aren’t necessarily rocket scientists. This is not a collective slam on their brainpower, but more to suggest that it doesn’t take elite technical skills to write damaging viruses — which is scary. “Virus writing is not rocket science, and it doesn’t take any special elite skill to be able to write a self-replicating program,” she says. Essentially, virus writers produce self-replicating code that includes a damaging payload. Those who create the most destructive payloads — the Klez, SirCam and Nimda viruses, for example — very well may be at the head of their class, she admits. Yet, for the most part, as virus writers advance their technical skills, they move beyond virus writing to other technical pursuits. “As virus writers ‘age out,’ new virus writers take their places,” she says in a research paper.
5. Virus writers feed off new technology and each other’s innovations. Serious virus writers don’t reinvent the wheel; they build on what has caused havoc in the past. They also take advantage of the latest tools and technologies, Gordon says. As a result, tomorrow’s viruses are likely to be more complicated and potentially much more destructive than today’s, she says. The good news is that virus writing doesn’t seem to be a career for many.
6. Education can help stop them. Educating PC users on what attachments not to open is part of this, but not really Gordon’s point here. She believes that families and schools, in the Internet Age, have an obligation to teach children how to behave on the computer — to extend moral and ethical behavior from the real world to the virtual world. For example, children need to be taught that reading another person’s e-mail is just as wrong as opening a letter from a neighbor’s mailbox. “This technology lends itself well to depersonalization and de-sensitization,” she says. “We need to learn more about the dynamics of computer-mediated communication, and find ways to help real-world values transfer to virtual interactions.”
7. Protection needs to be fortified. Before No. 6 has measurable impact, we need to worry about No. 5. Gordon foresees more challenging viruses ahead, including viruses combined with hacking tools to beat through antivirus protection. She recommends that businesses have firewall-intrusion protection as well as antivirus software. “The solutions must be integrated too to deal with these blended threats. It is not enough to be protected from just viruses.” She adds that while viruses now target the PC, they likely will threaten mobile devices in the years ahead.
Hackers, as I’ve said, are a different breed.
Reprinted with permission from the Microsoft Small Business Center