Viruses in the Information AgeSarah GordonIBM Research

Today’s presentation should be considered an introduction to the virus writing phenomenon. It will focus on understanding how virus writers operate, how they perceive their world and the world around them, and how they think. In addition, we will present several case studies. While avoiding the often dangerous over generalization into some homogenous group, an examination of various motivations and technical abilities will be presented; trends in the virus writing communities will be explored, and future threats will be considered and possible solutions presented.

Many people assume virus writers and hackers are similar, and thus approach the problem with similar methods. However, the virus problem has developed in parallel but different routes than hacking problem. These differences are both technical and cultural. “Technologically Enabled Crime: “Shifting Paradigms for the Year 2000” can provide the reader with significant insights into some of the subtle, but important, technical and cultural differences, and provide insight into ways in which these two cultures are beginning to merge. The Generic Virus Writer, and The Generic Virus Writer II can lead the reader into a fuller understanding of virus writers themselves. These research publications are available online at:

http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/Crime.htmlhttp://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/GenericVirusWriter.htmlhttp://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/GVWII.html

The following three part series “Virus Writers: Yesterday, Today and Tomorrow” will provide the reader a broad general overview of the virus writing phenomenon. This may be useful in formulating questions regarding today’s presentation.

PART I - Virus Writers: Yesterday, Today and Tomorrow

There are six questions that I am often asked. The first is “when will you update your research on virus writers?” The answer is “all of the time”. Several years of research produced The Generic Virus Writer study, the results of which were presented at the Virus Bulletin Conference (http://www.virusbtn.com ) in 1994. This initial qualitative research provided many valuable insights into the cognitive development of some of the world’s most prolific virus writers - at that time. These insights allowed me to show that virus writers were not, despite what some were claiming, a homogenous group. Understanding their differences and leaving the stereotypes behind, the research began play a role in helping others to understand this pressing problem - and begin developing some strategies for combating the

problem. It enabled us to realise that they, and perhaps others like them, could be expected to ‘age out’ of virus writing. This was good to know; there were not that many virus writers at that time and any leaving that particular proclivity behind would have a significantly positive effect on the problem.

The second question I am often asked is really two-fold: “what exactly is ‘aging out’”, and “how can ‘normal’ kids do things which most adults view as anti-social?” The idea behind aging out is relatively simple, and is well accepted in other areas of research into anti-social behaviours [1, 2, 3]. Let’s begin with one of the theories of moral development [4]. It’s not the only one, but it is the one chosen as an instrument for the original study. As a child begins to mature, his moral/ethical development goes through a number of stages, with ages roughly correlated to levels in these stages:

Level 1: Pre-conventional morality. Stage 1 The ‘rightness’ of an act depends upon the immediate consequence of the act. Rules are obeyed in order to avoid punishment. Stage 2 Naïve instrumental hedonism. Being good is the way to get a reward or satisfy a need

Level 2: Conventional moralityStage 3 Actions are judged on the merit of their intent. ‘Right’ is having a right motive and a concern for others. Conform to avoid disapproval or dislike of others.Stage 4 Acceptence of authority: ‘Right’ is keeping the rules of society. Conform to avoid censure by legitimate authorities, with resulting guilt.

Level 3: Post-conventional moralityStage 5 Judgements become more flexible; rules must be impartial, and ‘the welfare of the many’ becomes paramount. Abide by laws for the welfare of the community.Stage 6 Normative ethics, based upon self-chosen principles. ‘Right’ is an obligation to the universal principles of equality, justice and respect for persons.

That is the short form of this particular theory. It is not without some weaknesses, primarily it disregards significant cultural differences that determine what is moral in non-western societies, resulting in a form of moral absolutism [5]. However, strengths of this particular instrument are well-documented [6].

The existence of a normal ethical developmental stage/age relationship does not necessarily consistently moderate individual behaviour in any given situation until an individual is older, and capable of integrating thought and action in a more mature way. This brings us to the second part of the two-part question: “How can otherwise ‘normal teenagers’ do irresponsible ‘wrong’ things like ‘writing viruses’? “

I’m sure most readers can think back to a time when they, or their children, behaved in some reckless or anti-social way, perhaps as a teenager. Just as an individual could know its “wrong” to stay out after curfew when his parents have told him it is (a) illegal and (b) against the house rules, an individual can know it is ‘wrong’ to write viruses - yet, still do the ‘wrong’ thing. Usually, in people who are within ethical norms, the anti-social behaviours tend to go away as they grow up. (Whether or not those who commit the acts are labeled ‘delinquent’ often depends on whether they are caught; it can also depend on race or socio-economic status.) When these behaviours go away, it’s sometimes referred to as ‘aging out’ of the behaviour. Sometimes the behaviours may recur from time to time; usually they finally go away completely. That’s the short form of the ‘aging out’ theory.

If it were really the case that the virus writers profiled were ‘normal young people’ in terms of general development, as the research suggested, we would expect them to ‘age out’ of virus writing. Would they? I pressed on, past the usual hurdles in longitudinal study, following up on the subjects over the next several years. (The only subject with whom I was unable maintain contact was the adult employed virus writer & distributor.) To date, the original ex-virus writer has remained an ex-virus writer. The college student has aged out of virus writing. I would expect the last to follow suite, but this remains to be seen.

Over the years, we have observed this ‘aging out’ has happened time and time again, and it will probably continue to be one factor in lessening the number of active virus writers. However, they don’t all age out. Part of that follow-up study also discussed developing trends, and predicted a future that was a bit darker. Okay, a lot darker.

The Darker Venture

Question three? People ask me “how old are these guys”. I’ve talked with virus writers who claim to have started in their pre-teen years, and given their level of skill and familiarity with viruses, I see no reason to disbelieve them; however, youth does does seem to be diminishing as a primary attribute. Whereas in the early days, virus writing groups were generally populated by young men in their mid-teens to early twenties, the mean age of the virus writers in one currently active and well-known virus writing group is 23; the oldest member is 33 years old. I’ve talked with virus writers who are in their forties. This is indicative of one disturbing new trend documented in The Generic Virus Writer II: involvement of people who are older and possibly more ethically mature in general engaging in virus writing. How can this be?

As predicted, we began to see more and more of this type of involvement of older people, and predicted this would continue and increase. This involvement seems to take various shapes. Sometimes, the shape is not malicious, but rather curious. For example, it is not uncommon for some adults involved in testing of anti-virus software to

alter a virus in an ill-conceived but well-meaning attempt to see ‘how good virus detection is’. No matter how well intentioned, this can lead to problems, which are documented in [7]. Similarly, several Macro virus variants appear to owe their creation to experimentation at the hands of ordinary users. This is sometimes carried out as part of a quest to “understand” the virus; other times it is done with what appears to be no good motive, as such viruses have been released into the wild seemingly intentionally.

It is not clear whether these trends are due to a change in people (which seems unlikely), technology (possibly), or simply that experimenting with viruses in general is seen as “less wrong” as we approach the final days of this millenium. In general, when objectionable or questionable behaviours are tolerated, even tacitly, they can take on a ‘legitimate’ tinge of acceptibility [8]. Research is currently in progress to shed some light on this issue. My guess is that it is a combination of the three.

Data taken from “The Generic Virus Writer II” seemed to indicate that there is indeed a “New Age” virus writer beginning to take shape - older, more network-aware and more technologically advanced than some of their predecessors. Wait. Did I say older and network aware? I did. The fourth question people ask me is “what will be next in viruses”. Well, I hate to say I told you so, but…

Melissa magic.

There isn’t much to say about the Melissa virus that has not already been said, so I won’t repeat all of those things. However, as much attention has been given to the virus writer known as VicodinES/ David Winterspoon et. al, a few brief observations are probably in order. Several self-proclaimed virus writers have expressed sentiments along these lines:

“if Vicodines did it, I'm sure he didn't realise how many problems this would cause. I know that Vicodines spread some of his viruses, but he always said that he doesn't want to destroy anything, he said 'he just loves to annoy people arround the world'. He hates destructive payloads, but he likes simple 'annoying' and rather humorous payloads like this 'I think that [username] is a big stupid jerk.' payload. I'm sure he wouldn't have released this virus if he had known how muchproblems it would cause.”[9]

At the same time, some of the same virus writers express anger at the idea of a virus being distributed to unknowing and unwilling individuals: Many virus writers have wiped their hard drives, vowing to lay low until things cool down. In the words of one virus writer

“I hear how some vX people say that they'd kill the author of melissa as it is his fault for other vx people getting hunted now

also, for vX webpages being closed and so on., even though my own webpage has been closed also it doesn't make me feel very good when i hear others talk about my friends like that. sure all of that has been caused by melissa, but i'm sure the author (of the virus ) didn't want this to happen, he wanted to spread his virus (like many of these, now pissed off, vX people do also),and teach vX people some new things - not bring their sites down and get them arrested.” [10]

Another had this to say:

31th March - Melissa fucked us. Melissa has been tracked down to its author thanx to Micro$oft GUID... They know have a proff (sic) that VicodinES is the author. Now the media hype has sarted (sic) again, and the word virus is everywhere.... And, TOTALLY unrelated to that, sok went down as well as codbreakers.... Weird, uh ?? My server is still running and kicking asses, you can use my board communicate if you want... (It's here for that, USE IT !!) Now I really wouldn't be VicodenES, because I think media will make him an example and he WILL be bashed...[11]

Yet another had this to say:

to be honest guys,whoever wrote and spread melissa fucked all of us...to add more viruses to this thing would be lame as fuck and pointless....we would all just end up joining the now RIP authors.. for fucks sake get real people...we dont need any more grief [12]

Only time will tell the long-term impact of Melissa and her siblings.

Profiles of individual virus writers can be interesting and provide insights which help us to understand the human facets of the problem - the first step toward solving those particular problems. Such profiles are currently under re-evaluation and development, and are scheduled for presentation at The Blackhat Briefings in July 1999. Part Two of this article will discuss the final two questions that most often arise when the topic of virus writers comes up -- as it seems to a lot these days! Question 5, “How have they changed” will contrast the similarities/differences between the virus writers of the early days, and the virus writers of today. Question 6, “WHY do they do it” will hopefully answer this (most frequently asked) question once and for all, before offering some rather dire predictions for the future.

1. Hollister, R. G. and Hill, J. Problems in the Evaluation of Community Initiatives. New York: Russell Sage Foundation. 1995.

2. Pfohl, S. Images of Deviance and Social Control: A Sociological History. 2nd ed., McGraw-Hill. 1994.

3. Keel, Robert. The Evolution of Classical Theory: Rational Choice, Deterrence, Incapacitation and Just Dessert. Rational Choice and Deterrence Theory. The Sociology of Deviant Behavior. 1999.

4. Craig, G. J. Kohlberg’s Stages of Moral Development. Human Development. Seventh Edition. Prentice Hall. 1996

5. Colby, A. & Kohlberg, et. al. A longitudinal study of moral development. Monographs of the Society for Research in Child Development, 48 (1-2 Serial 200). 1983

6. Baumrind, D. A Dialectical Materialist’s Perspective on Knowing Social Reality. New Directions for Child Development. 1978.

7. Gordon, S. Real World Anti-virus Reviews and Evaluations - the Current State of Affairs. Presentation. 19th National Information Systems Security Conference. National Institute of Standards and Technology, National Computer Security Center. Baltimore Maryland. 1996

8. Craig, G. J. Development in Modern Life: The effects of television. Human Development. Seventh Edition. Prentice Hall. 1996.

9. Private communication. Used with permission. 1999.

10.Private communication. Used with permission. 1999.

11.Publicly available communication. 1999.

12.Publicly available communication. 1999.

PART II - Is There Anything New Under the Sun?

This was supposed to be part two of a two-part article. However, as I began to examine the issues about to be discussed, I was deluged with responses from people who believed they had evidence of some “significant” changes in virus writing - thus, I will put off my discussion of why virus writers write viruses until Part III. This article will examine the question “How have they changed?” If you’ve been counting, this is question number five. Let’s begin with how things were.

In October 1993, the number of virus writers who were actively contributing to the problem of computer viruses found “In the Wild” comprised a relatively small percentage of the global computing population. The number of their viruses actually causing many problems was quite small too, especially considering the number of viruses known to exist - the number of computer viruses which were reported spreading In the Wild was 71 (13), with a total virus count of a ~3200 (14). During this time, there were virus writers known and unknown; working on their own, and working in groups like Phalcon/Skism, RABID, NuKe, Trident and SLAM. They used handles like Dark Angel, Attitude Adjuster and Aristotle. They wrote viruses,

placing them on publicly accessible Bulletin Board Systems, FTP sites, and WWW sites, and they kept viruses to themselves (15). In some cases, they sent viruses only to AV researchers, because while they wanted to show someone they could write a certain proof of concept virus, they really didn’t want to release the virus to the general public. They wrote viruses that were not released in any way into cyberspace (for lack of a better term), and never caused anyone any problem (other than necessitating their inclusion in scanners “just in case”); they wrote viruses that they did release into the cyberspace, causing all sorts of problems. They made their source code available, and they kept their source code “just for their private individual use” or “just for use within their own group”. They dedicated their viruses to various people, they used some viruses to promote their own groups or identities, and they left some viruses completely anonymous. They attended secondary schools and universities, and they were professionally employed (16). They were beginning to beta-test viruses (17).

In May 1999, there are approximately 150 viruses found In the Wild (18), with approximately ~30,000 known to exist. Some virus writers are pretty well known, signing their creations, while some prefer to do their deeds in secret. Some labor alone, while others work in groups like 29a, SLAM (all new, all revised, and not related in any way to the original), The Codebreakers, and The NoMercy Virus Team. They use names like DarkMan, VicodinES and Knowdeth. Some virus writers put their viruses up for public consumption on FTP or WWW sites; some, however, prefer to keep them for themselves. Some restrict their distribution to within their own groups. In some cases, they bestow viruses only upon AV researchers. Some virus writers today release their viruses to unsuspecting users; others do not actively release the viruses. Some virus writers make source code available, while others prefer to keep it to themselves. Some viruses are dedicated to individuals or causes; other viruses are used to self-promote. Some remain anonymously authored. Virus writers attend secondary schools and universities. Some are professionally employed. Beta-testing of viruses is pretty common. Sound pretty similar? The truth is, in many ways, things are the same as they ever were...

New Bottles, Old Wine?

Some people claim interesting “new” ideas have come out of the virus writing community. Has the “creativity” of virus writers’ actually started to take on a whole new face? The answer, as is so common when analyzing virus writers and their behaviours, is both yes and no. One purportedly new idea is something called (in its current incarnation), Project Zero. Project Zero was designed as an “experiment” which should show what would happen if nobody in the vX community would release viruses to the public anymore for an arbitrary time period of, for example, one year (19). While this may seem noble - after all, no viruses is a good thing - one goal of such a project could be to lull the antivirus developers and users into a false sense of security. And,

despite its emergence as a “novel idea”, the same idea was tossed around by NuKE affiliates in the old days (20). It was just about as successful, too. Be it vortex or vacuum, the idea is the same, just dressed up in millenium garb.

Another “new” idea is that viruses are actually “evolutionary programs.” In particular, several virus writers have recently mentioned to me (21) their belief that replicating code could be used to explore various concepts of artificial life. This is certainly true, but not a new idea; it was explored long ago in (22, 23), to cite just two examples. Additionally, these types of experiments in real artificial life concepts are worlds apart from “virus writing” and should probably not really even be mentioned in the same breath. Then there is the idea of viruses that could be good entities, also frequently cited as a “new” idea - discussed several years ago in (24,25). Padgett Peterson, well-known anti-virus and general security expert says it best: “I have never seen a virus do anything that is not easier and more reliable to do without a virus (except be a virus, of course)” (26). Well said, Padgett!

But Wait, this is NEW! Really!

One interesting and actually somewhat new idea which has come to light may show a slight change in the modus operandi of the virus writing community. In the early months of 1999, we saw alleged virus writers and distributors attempting to sow confusion by going ‘public’ on the Internet, registering such domains as datafellowes.com and vgrep.com. The Codebreakers internet site, which abruptly vanished in the midst of the Melissa investigation, was reincarnated as codebreakers.net on a site hosted by a large web hosting company in Florida. The site was no amateur-looking hodge-podge. It was particularly well done, with excellent graphics and a real “research” feel to it. It was registered to someone claiming to represent “DataFellows, Ltd” (27). At this time, the site appears to have been discontinued, for unspecified reasons. Contact information for the domain refers to an e-mail address located at a different web hosting company in Cupertino, California. Of course, according to the person we asked at DataFellows, located in Finland, neither the site nor these contact details had anything to do with the “real” DataFellows.

At the same time, the WWW site www.datafellowes.com appeared on the Internet - also hosted by the same web hosting company in Florida as the now-vanished codebreakers.net. As if registering a domain which is an obvious misspelling of an existing and well-known anti-virus software manufacturer was not enough, there have also been reports of misleading E-mail associated with this domain - and even I was not immune to this! Several weeks ago, I received an E-mail appearing to be from Mikko Hyponnen, an anti-virus researcher working for DataFellows. The mail requested quite a few viruses. As Mikko is a CARO member, such a request seemed unlikely at best, and so I gave

the message extra scrutiny. Closer inspection showed that the message reply would have gone to datafellowes.com, not datafellows.com, Hyponnen’s usual address. Several other prominent anti-virus researchers also received similar requests; they, like me, also spotted the bait and switch. Who exactly was the mystery mail sender, I don’t know - what was clear was that had I complied with the request, I would have been sending viruses to someone who was not the real Hyponnen. Once again, at the time of writing, the www.datafellowes.com site does not appear to be operational. Neither the company which hosted the site, nor DataFellows, was at liberty to discuss details of the incident; notwithstanding, the details published here should prove sufficient warning to most. Things are not always as they appear. Another example of this type of “mistaken” identity involves VGREP, a popular utility produced by Sophos, which available at www.virusbtn.com; the utility can be used to provide a quick and easy reference for virus names. Imagine my surprise, and that of V-GREP creator Ian Whalley, when I spotted Vgrep Anti-Virus Inc., using the e-mail address of vgrep@hotmail.com. Is this somehow related to the Codebreakers and Datafellowes events? Only time will tell.

Thus, it seems that the “bad guys” are indeed attempting to confuse the issue by a troublesome (but not particularly creative) manipulation of procedure. The question remains -- is this “new”? Setting up Bulletin Boards which appeared to be “legitimate research facilities” was a favorite ploy of some early virus writers (28). In the mid-1990s we saw the same sorts of attacks using e-mail when virus writers pretended to be everyone from Dark Avenger to well-known antivirus researcher Frans Veldman, and everything in-between. Confusion is the name of the game. So, while the Internet provides some novel twists to the chase, the overall ploy is unchanged: the “robbers” are pretending to be the “cops”.

Something New under the Sun…

So, with so many things remaining the same, has anything changed? Yes. The operational characteristics and demographics of virus writers have undergone some subtle shifts, which began several years ago (29). While geographic hot zones do pop up from time to time, the advent of cheap connectivity for many has resulted in more global alliances not centered around a particular BBS; the net, as it were, in action. Where groups were once relatively regionalized (30), groups that do exist seem more geographically diverse; for instance, The Codebreakers group reportedly has 7 members from Europe (Austria and Germany), 3 from the United States and one from Australia. Where there are still some strongly regionalized groups(31), these regionalizations appear to be based on language limitations.

Some virus writers are much more willing to discuss issues than in the early days. This may be due in some part to the general acceptability of “counter-culture” ideas on the Internet per se, or the increased (supposed) anonymity afforded by various forms of Internet

communication (32). However, in addition to the anonymity afforded by some Internet media, there is more willingness to debate publicly - at least on the part of some of the virus writers and those who are in favor of public availability of viruses. As I arrange a panel for the upcoming DEFCON Conference to discuss this very issue of viruses on the Internet, I find no shortage of people who are willing to speak publicly regarding their approval of such availability, in full view of their opponents, press and peers. Other than that, though, the song remains pretty much the same.

In Part Three, we will take a look at “why they do it”, examining motivations and justifications in more detail. Understanding why they do it can provide some insights which will help us take action that can slow down the viral glut.

PART III - WHY?

So far in this series we have covered five of the most frequently asked questions concerning viruses writers. In this, the final part of the series, we will examine the question that seems to raise the most heated debate of all: why do they do it?

Justifications

As a starting point, let us approach the topic from the viewpoint of the virus writers. In their own words, how do they justify their actions? Notably, the arguments outlined below have remained relatively unchanged over the last several years. Such arguments were frequently encountered upon some of the FidoNet virus echoes and BBS in the early days. Here, borrowed (and paraphrased) from the satirical commentary “Why Computer Viruses are Not and Never Were a Problem” [33], is an examination of the most prevalent justifications that appeared several years ago:

1. We are doing research. This is just our research. You can’t tell us not to do research.

2. We have the right to do it. We have the right to write viruses, too, and to make them available.

3. It’s about freedom. We have the right to do this research and the freedom to make viruses available.

4. You want to keep this “top secret” virus knowledge to yourselves, but we will set it free. We will educate the people. Information wants to be free.

5. We are not really hurting anyone, we don’t force anyone to download our viruses, and we don’t force anyone to use them. That is up to the individual.

6. You AV guys are all bad, in it for the money, you need us.7. You just don’t understand!

Of course, one need not go back through the archives to see examples of these arguments. You need only read current Usenet news posts, to see some of the same old arguments made today, by new people who believe with all their hearts that they know something the rest of us do not. Here are some more contemporary examples [34]. Note that I am unable to credit the authors due to the fact I could not authenticate them:

“The only justification my code needs is furthering education, and knowledge. These are the greatest strengths the human race has…”

“my goal is accomplished…my reaserch (sic) and making available this information to those who are interested…” .

As you can see, not a lot has changed. At this point, however, I would like to make an aside, and interject a few comments. I hear these arguments all the time, for the virus writers are reading this, take note, please.

Programming computer viruses is not some super-elite arcane art-form. It does not require some top-secret type of programming skills known only to the cognoscenti. Virtually anyone with the interest can learn how to do it, and just doing it does not make it “research”. Good research implies certain goals, guidelines and appropriate scientific technique [35]; this is a world apart from randomly injecting a small piece of self-replicating code into an unsuspecting, unconsenting and uncontrolled computer-using population. It is just plain irresponsible to experiment with viruses in such uncontrolled environments, given the potential for viral interaction with the computers of human subjects. This includes experimentation using your college or employer’s network without their consent. No matter how you look at it, it is irresponsible.

It is also irresponsible to set self-replicating programs free where this interaction is an inevitable consequence of that action. Some would argue that placing viruses on the WWW is in fact setting them “free”, that placing viruses on the Internet for other people to experiment with is irresponsible because the program’s author cannot control what someone else does with the viruses once they are made available [36,37]. This is a question with philosophical and cultural colourings beyond the scope of this article, but please think about it! However, there is certainly a potentially expensive, destructive cycle that follows the life of an ItW computer virus. There are issues of negligence and liability when it comes to making these types of programs available, with concern being shown by more and more organizations as evidenced in these examples of Membership Agreements and Disclaimers [38-41]. This is one reason why many Internet Service Providers now have “acceptable use policies” which prohibit the distribution of computer viruses [42-44]. They don’t want to risk being involved in lawsuits related to negligence. To any virus writer reading

this article: if you must experiment, keep your experiment it to yourself, or you might find yourself in the middle of such legal action.

Now that that is cleared up, let’s continue with some of the current justifications…

“If my code was used to damage someone's computer, that is the responsibility of the person who's (sic) immature behavior has resulted in damage. Open your mind, and expand your horizons... its a huge world out there, if you can just get over your fears.”

“…this is nauseating... you feel you have the right to censor, and condemn the creativity of young, brilliant minds. you fear what you dont (sic) understand…”

There are other justifications expressed from time to time. One such justification sometimes encountered is, was, and has been, and probably will be, “if it was not for us, you guys wouldn’t have a job”.

This is not quite true. There is a relationship, certainly, but a relationship does not imply the existence of a positive justification. Consider the following statement: “If it were not for people who shoplift, the store detectives would be out of a job.” Yet, shoplifters are not heroes and we do not consider new and novel ways of absconding with merchandise to be admirable or acceptable. Or: “If people didn’t throw trash on the ground at Disneyworld, the street cleaners would be out of a job”. Yet, we surely do not look upon those that throw lit cigarettes on the ground with admiration, do we? . The bottom line here is that while it is true that if virus writers did not release viruses, the users would not need antivirus software (allowing most virus researchers to shift into other, equally interesting, areas of work), attempting to paint some lovely picture of healthy symbiosis is simply not supported by the facts.

Motivating Factors

So far, we have taken a brief overview of the justifications many virus writers use for their hobby, and noted that most, if not all, of these reasons are far from new. Similarly, several of the motivational factors for virus writing are also unchanged.

Today, as yesterday, in some cases virus writers are motivated by simple intellectual curiosity. This is understandable, especially considering the free availability of viruses and the media attention given to viruses and virus writers. Virus writing continues to take place as a form of political expression; Stoned_June4th (Beijing) and Macedonia being two examples. Viruses as an expression of love and admiration for the opposite sex or for peers continue to be keyed into existence. In the early days we saw viruses like Gergana, Neuroquila and the MtE “demo virus”. More recently, we find “love” expressed a bit more directly via viruses like Ivana, which proudly proclaims

'Na kraju, samo jos da kazem: volim te, Ivana [by utik] 'And finally, I would like to say: I love you, Ivana [by utik] [45]

Another motivation behind virus creation is to designate “turf”. In the past, viruses like NPOX and Vice planted the viral flag for NuKE; today, we have such ignoble creations as WM97/Antimarc [46]. In other cases, virus writing and distribution is positively correlated with being told “thou shalt not. It is widely agreed upon by behavioral scientists that the “thou shalt not” approach may not prove very effective in situations where direct and immediate consequences cannot be observed [47]. Thus, despite much saber rattling on the part of the anti-virus industry and law-makers, legislating away the virus creation problem seems an unlikely solution.

Being “one of the boys” appears to continue in importance, too; the need for peer approval is illustrated by gravitation toward “groups”, with group affiliation providing a form of social identity [48]. While there have been several cases of female virus writers documented over the past several years [49-53], females do not appear to have made a significant contribution to the population of those viruses in the wild. Currently, while females play a minor role in the virus writing community as a whole, their presence appears to be a moderating influence in the community. There appears to be very little gender-related sexual bias within the community. Further research into gender issues related to group involvement and technology, and virus writing specifically, might provide some additional insights.

Finally, some virus writing has been the direct result of various forms of provocation by anti-virus researchers themselves. This was more common during the early days of the virus problem, when a (thankfully) small number of AV researchers would insult the virus writers, calling them names [54-59] or claim they were too stupid to create a virus that “did xyz” Shortly thereafter, we would find a virus doing or attempting to do, “xyz. In other cases, disparaging remarks were made regarding the young person’s appearance, or physical characteristics. While there is simply no point to this sort of “discussion” [60], this cycle does unfortunately repeat itself from time to time today [61,62], though with lower frequency. Such negative interactions continue to produce negative responses as well as negative impacts on users and should be avoided. Young people learn through transitive interaction, not debasement.

There recently has been a trend toward adapting the “open source” mindset for publication of viral code, and this has not been lost on the virus writing community. This is apparently done in an effort to warn users of the dangers of certain design philosophies. To quote one virus writer,

“Some good virus writers like my friend VicodinES (who retired) are here to demonstrate the vulnerability of badly written softwares, like all Microsoft offerings. They don't like destruction.”

It should be noted that it is not virus writers alone who think there may be some merit to the publication of viral source code. Some users report that online-publication facilitates a wide understanding of exactly what viruses and payloads do; some believe such publication is actually essential in keeping corporate security people up to date. However, not everyone shares this view. In particular, many in the antivirus community believe such public dissemination of information is irresponsible. David Chess of IBM’s Thomas J. Watson Research Center has this to say about the issue. “The moderators should never let such things through. Unlike bug exploits, where at least a case may be made that it's a valid last resort if a vendor has been notified of a bug and ignored it, viruses don't go away when you just fix a bug” (63).

It should be further noted that the differences between open source and availability for software in general, for security exploits and for computer viruses are substantial. Beyond the scope of this article, the effect on the user when these worldviews collide will be discussed in Vancouver at VB 99 in “When World’s Collide” [64]. For now, it should suffice to say that if virus writers are attempting to influence Microsoft or any other corporation by showing real or alleged vulnerabilities in the product line, it would seem a more responsible course of action would be to do so without the replicative mechanism. Certainly, it must be done in a private way that does not endanger other computer users’ rights to safe computing.

Some virus writers are more honest with themselves. Here is an example of the reasoning given to me recently by one active virus writer [65], who will remain anonymous:

“i fully agree with you about it being irresponsible, i don't know why irelease them on a web page. viruses have always fascinated me since igot infected myself the first time (it was parity boot b), since that i'm(lets call it) addicted to studying them by collecting and writing themmyself. i don't feel good if i have nothing to do with viruses, no matter ifVX or AV wise (AV, i'm doing alot of 'anonymous' antivirus support forpeople on alt.comp.virus and i have been active on #nohack for some timehelping people to get rid of their mIRC_worm infections.. so it doesn't make

a big difference for me, i just like the VX people more then AV's - AV's likenick fitzgerald who believe that anybody who doesn't share their opinion hasno right to exist). when someone says that he is writing viruses just for 'educational purposes'it is a lie in my opinion (i think i have said that in some interview a long timeago also, and it was a lie). i have often thought about why i'm really doingthis (i could probably spend my time with more productive things) thoughtill now i never really found out why. the best thing i came up with is thatit is a 'hobby'... you don't really know why you go play tennis, why youwatch football matches, why you collect stamps... you just like doing it,and if you can't do it for some time you feel bad

i guess you can't understand this.. do you smoke? i don't, and never did,so i really can't imagine why its so hard for people to stop smoking... ibelieve them anyway because i know that if i'd start smoking i'd alsounderstand how/why they think so.”

I don’t smoke, but I do understand.

Becoming fascinated with viruses is not an alien concept to me; like many other antivirus experts (and virus writers), I became interested because I suffered the impact of a computer virus. However, after understanding and appreciating the impact viruses can have on human beings in terms of their work and personal lives, many of which center around computers, it never occurred to me that creating and releasing more and more viruses was an acceptable way to behave. Too much depends upon the stability of computers for this sort of silly experimentation and potentially dangerous game. Yet, for some virus writers, our societal dependence on computers is exactly the motivation for virus creation and distribution, and it’s not a game to them. According to some virus writers, our society entrusts far too much importance information to computerized technologies, to the point where there is a moral responsibility to take a form of action which forces us to reconsider this dependence. To them, the end justifies the means, and while this implementation of the civil disobedience is new, the concept is ages old.

The Songs Remain the Same

Why, you might ask, are we seeing the same old arguments, over and over? This is mostly due to the replacement factor, a direct result of the aging out phenomenon I described in part I of this series. This factor has a tremendous effect on the overall virus writing subculture. By and large, the members of the virus writing community are in a constant state of flux. As mature adults exit from one side of the population, new, ethically normal but undeveloped adolescents enter at the other. In turn, this continual flux provides a certain lack of development within the community. Hence, each new batch of virus writers is essentially discovering these arguments for themselves, leading to oft-repeated debates between the “white hats” and the “black hats”. Finally, those members who remain in the community are all somewhat ethically underdeveloped, further skewing the population, and making the role models there decidedly less than perfect.

It does not appear to be the case that virus writers are becoming more malicious per se. There may be more malicious viruses circulating nowadays, but this is probably attributable not to the fact that people are more malicious as much to the fact that the number of people (some of whom by sheer chance are more malicious than the norm) having access to Internet technologies has increased dramatically. People aren’t getting worse. There is just more opportunity for those bad apples that have already rotted and fallen off the tree.

Conclusions

Despite the similarities, there are some differences in virus writing which are unfortunately becoming more and more common. These were first noted in “The Generic Virus Writer II”, presented at the Virus Bulletin Conference in 1996, where I introduced the concept of the “New Age Virus Writer”. This concept became a prime-time news headline with the introduction of the Melissa virus into hundreds of thousands of networked computers.

Today, more and more virus writers have an increased awareness of connectivity issues that simply was not present in the early days. It should not surprising that an increase in networked environments would lead to an increase in opportunities for people to learn about networks. The sorts of innovations that have come to exist in the past five years certainly add a new dimension to the problem of viruses.

Payloads now have the capacity for compromising an entire network, and more than a few virus writers are beginning to explore more general security issues. Melissa was not a one-shot-deal; ExploreZip indicates very much the shape of things to come. This trend will probably continue over the next several years, and it is likely that there will be an increased cross-over between the security and virus worlds. In light of this, response time to new viruses will become paramount, as the presence of viruses on the corporate LAN may well become more

than the current nuisance it is now and a matter of considerable urgency.

What has happened to the original groups that held all of these beliefs and had these motivations? In some cases, individuals have simply repositioned themselves, taking a “leadership” role. In most cases, however, the members of old groups have grown up, realized that creating and releasing computer viruses is not a good or admirable thing, and moved on. Some have taken jobs in various computer-related industries; some have found other professions more rewarding. In a few years, most of the current crop (at least the ethically normal ones, which we would hope would be most of them) will probably age out of this behavior and new ones will unfortunately take their places.

Those that continue writing and making viruses available to the general public will be seen as “irresponsible” at best, and criminal at worst (depending on one’s geographic location and what one does with the viruses once they are written). That said, it is interesting to note that while some have argued for stronger legal action, research into adolescent at-risk behavior finds that youths are not significantly motivated by fear of legal reprisal or involvement with the criminal justice system. They are more likely to be influenced by peers, family and other significant others whom they like and respect. Fear of the law does not appear to be a major demotivator for many virus writers and it appears that for now, the community continues to play itself out over and over again. Until we begin to tackle the root causes of virus writer motivation, this will continue to be the case; a multi-disciplinary approach is required to solve a multi-faceted problem. Anything less is oversimplification.

References

33.Gordon, S. 1994. Why Viruses are Not and Never Were a Problem. From the Proceedings of the 1994 EICAR Conference. St. Albans, U.K.

34.Public communication. 1999. alt.comp.virus 35.Lawrence Berkeley National Laboratory. (1999). ELSI in Science.

The need to KNOW vs. the need to GROW. http://www.lbl.gov/Education/ELSI/research-main.html

36.Gordon, S. 1993. Virus Exchange BBS: A Legal Crime? Legal, Ethical and Technical Aspects of Computer and Network Use and Abuse. American Association for the Advancement of Science. Irvine, California.

37.VIRUS-L Digest. 1994. Volume 7, Issue 83.38.Owens, M. 1999. Killing Two Birds With One Stone. Good To Know.

http://www.trade-attorney.com/goodtoknow.html 39.Membership Agreement. http://www.sexyclips.com/agreement.html40.Disclaimer. http://www.snapit.com/PEG_disclaimer.html 41.Disclaimer. http://www.roweandmaw.co.uk/5const.htm 42.Acceptable Use Policy. http://www.verio.com/policies/aup.shtml

43.Aceptable Use Policy. http://www.telemanage.ca/disclaimer.html 44.Acceptable Use Policy. http://www.vas.net/policies.html 45. Ivana description from: http://www.Europe.DataFellows.com/v-

descs/ivana.htm46.W97M/Antimarc description from: 47.Klein, H. 1975. Behaviorally oriented treatment for juvenile offenders

Corrective & Social Psychiatry & Journal of Behavior Technology, Methods & Therapy. Vol 2, pp. 17-21

48.Kipke, M. & Unger, J. 1997. Adolescence. Street Youth, Their Peer Group Affiliation and Differences According to Residential Status, Subsistence Patters and Use of Services. Vol. 32 Issue 12

49.Anonymous. 1995. Private e-mail and in-person communications. Used with Permission

50.Anonymous. 1996. Private in-person communication. Used with Permission

51.Anonymous. 1997. Private in-person communication. Used with Permission.

52.Anonymous. 1999. Private IRC communication. Used with Permission.

53.Anonymous. 1999. Private e-mail communication. Used with Permission

54.VIRUS-L Digest. 1991. Volume 4, Issue 12655.VIRUS-L Digest. 1992. Volume 5, Issue 174.56.Skulason, F. 1992. Virus Trends. From the Proceedings of the Virus

Bulletin Conference. Edinburgh, Scotland.57.VIRUS-L Digest. 1994. Volume 7, Issue 56.58.VIRUS-L Digest. 1994. Volume 7, Issue 459.Bennehaum, David. 1998. Heart of Darkness. WIRED60.Solomon, A. 1994. The Computer Virus Underground. From the

Proceedings of the International Virus Bulletin Conference, Jersey.61.Sterling, B. 1997. Sterling Versus Virus Writers. 62.Dufner, E. Dallas Morning News. 1999. Virus Writers make a

science of mischief63.Chess, D. 1999. Private e-mail communication. Used with

permission64.Gordon, S. & Ford, R. 1999. When Worlds Collide. Preprint65.Anonymous. 1999. Private e-mail communication. Used with

permission.

Virus Writers: Yesterday, Today and Tomorrow, Is There Anything New Under the Sun? and WHY? appear here in pre-edited form and are reprinted with kind permission of Virus Bulletin (www.virusbtn.com).

Sarah Gordon graduated from Indiana University with special projects in both UNIX system security and ethical issues in technology. She currently works with the anti-virus science and technology R&D team at IBM Thomas J. Watson Research Center. Her current research projects include development of certification standards, test criteria, and testing

models. She has been featured in publications such as Forbes, IEEE Monitor and The Wall Street Journal, and is published regularly in publications such as Computer and Security and Network Security Advisor. She has won several awards for her work in various aspects of computing technology, serves on the Virus Bulletin Advisory Board, and and The Board of Directors of The WildList Organization (www.wildlist.org) and, and The European Institute for Computer Antivirus Research (www.eicar.dk). You can contact her as sgordon@format.com or sgordon@dockmaster.ncsc.mil