Virus Series: Who Writes Worms

The friends and business colleagues who send you the likes of the unloving LoveLetter virus attachments and other unpleasant e-mail surprises are unwitting messengers, of course. Who's really responsible for computer viruses? And what's their motivation, anyway?

The popular perception of the virus writer as a dysfunctional, pasty-faced teenager with no girlfriend and no life, who taps out malicious code to a backbeat of trance music, is too pat and not accurate, says Sarah Gordon, a researcher at IBM's Thomas J. Watson Center who has been profiling virus writers since 1992.

Gordon became curious about viruses when she found one in a shrink-wrapped software package years ago. She recently published a survey about the effect of antivirus legislation on virus writers.

"Most virus coders are well-adjusted youths who have normal relationships with their family and friends and intend no real harm with the viruses they write," she says.

One such subject agrees.

"Most virus writers I know have girlfriends or are married," says "Doctor Owl," a 20-year-old virus writer. "I don't think we're different than anyone else."

Gordon has interviewed more than 100 virus writers since first visiting virus Web sites and chat rooms almost ten years ago in an attempt to understand the community. One writer even dedicated one of his creations to her.

The image of the virus writer as an angry social malcontent bent on destruction is generally wrong, Gordon says. Most - especially the teenagers - code for thrills and are often disconnected from the reality of what their creations can do, she says.

"They don't believe that their code can actually hurt anyone," Gordon says. It's actually a normal level of ethical development for their age group, she adds. "Most teenagers don't really think about the effect their actions will have on other people."

The community harbors a few malcontents, but virus writers come from all ages, backgrounds, countries, and skill levels, with varying motivations and intents. They are teenagers and college students and middle-aged professionals, Gordon says. Some are female.

The Changing Profile of the Virus Writer

The face of virus writers has shifted since Gordon began interviewing them nearly a decade ago. A writer can be a teenager coding in the family rec room or an undergraduate on a university system. Ten years ago, virus writers averaged 14 to 17 years old; today they're 25 to 28. David L. Smith, who was convicted of writing and distributing the Melissa virus, was 30 when he was arrested in 1999.

Usually, older virus writers work as engineers or system administrators in the computing industry. Evul is an engineer; Smith was a network programmer.

And Gordon is in touch with some of the few female writers, such as a 16-year-old European girl who goes by "Gigabyte." Female virus writers like her are generally motivated by an urge to impress boyfriends or male peers, to be accepted in a predominantly male club. But Gordon knows at least one female virus writer in her early 50s. Another, in her 40s, works at a government agency, Gordon says.

It's not simply that teen virus writers are aging. In the past, most lost interest in viruses when they began a profession around age 22. Today, they may still code viruses after entering the workforce. Some don't even start until their mid- to late 20s.

Virus Writing: Entry to the Underground

Virus writers are at the bottom of the distinct hierarchy in the computing underground, which places hackers at the top of the pyramid. Most hackers, even those who once wrote viruses, disdain the inferior skills of virus writers, especially the newbies or "script kiddies" who trade on already written exploits or put together a simple macro. "There's very little originality among virus writers today," Gordon says.

Virus writers are the wild, unpredictable younger siblings whose unleashed programs are uncontrollable. Hacking involves different, refined skills. A hacker tends to target a specific computing system and pinpoint where the program lands.

"Hacking is really about control," Gordon says, "and virus writing is about ... uncontrolled mayhem."

Like any adolescent, virus writers tend to mature and change their ways. Most quit the activity once they begin to consider the consequences of a virus unleashed in the wild, Gordon finds in her study.

"Evul" is one who says he stopped spreading viruses once he saw himself in his victim's shoes. Now 30, he began coding six years ago after a hiatus and unleashed several programs with his e-mail address embedded in the code. He felt a bit chastened when recipients wrote to him and described the data they'd lost because of his creations. But he didn't stop until an Internet service provider terminated his Web site account for posting viruses at the site.

"The first thing I yelled was, 'What gives you the right to destroy my hard work!'" Evul recalls. "After a moment of reflection, it hit me like a brick wall ... what gives me the right? I decided I don't have the right to tamper in anyone else's hard work."

He still writes file and boot sector viruses, but says he posts only the source code, which he claims is too complicated for most would-be writers to cobble into a program. He says he intensely dislikes anyone who intentionally writes and spreads a virus that could destroy someone's work.

Easy Tutorials Online

The Internet makes it easy to share source code. In the early days of boot sector viruses, writers needed a certain level of programming skills. But the 1995 release of Microsoft's WordBasic, a simple, text-based programming language, opened the market to nearly any amateur. What's more, virus writers show off their source code at Web sites and distribute virus "starter kits" of tools. Any mischievous 13-year-old or curious 45-year-old can cobble together a virus and send it into the wild.

"It's like this huge candy shop has opened up on the World Wide Web," Gordon says.

The mixed message with which the public and industry regard virus writers also encourages older culprits. While authorities sought Onel de Guzman, a suspect in the LoveLetter outbreak, several computer companies were reportedly willing to offer him a job. And even press coverage, while largely negative, contained a whiff of admiration for the cunning way in which the virus spread so far so quickly.

But most older writers suffer an inadequate development of ethics, Gordon says. She maintains the twenty-somethings who start or continue writing viruses have a lower level of ethical maturity than their general peers. They simply don't view writing and releasing viruses as wrong.

What's the Message Behind the Virus?

Motivations vary among virus creators. Some code with malicious intent. Some write to develop their skills exploiting software vulnerabilities. Most don't even distribute their creations, but simply write as a hobby and experiment, Gordon says. Often the viruses are so badly programmed they're incapable of spreading anyway.

Others want acceptance in the underground fraternity of virus writers. They thrive on the thrill of shutting down a company or government e-mail system. Many enjoy the notoriety and pride of seeing their virus listed in antivirus software programs.

Evul falls into this category. He says he never releases his programs, but often sends a finished virus to antivirus vendors such as AVP and McAfee so they can add a definition to their scanning software. (Most antivirus vendors accept "submissions.") He also distributes to virus "collectors." But he's reconsidering that action after his program called Angela was unleashed by a collector.

Crusaders Speak in Code

Politics motivates some writers. A Bulgarian writer named Dark Avenger who was active in the late '80s railed to Gordon about the inequalities of the haves and have-nots in his economically and politically repressed country. Writing viruses lent him a sense of political power and freedom he was denied in Bulgaria. "I think the idea of making a program that would travel on its own, and go to places its creator could never go, was most interesting for me," he wrote.

Still others cite social injustice. LoveLetter suspect de Guzman was viewed as a hero by fellow students at the AMA Computer College in the Philippines because the Trojan horse he allegedly created was designed to steal Internet passwords. Internet access in the Philippines costs about $90 monthly, a price prohibitive to students in de Guzman's lower-class neighborhood. He was viewed as a hero for robbing from rich ISPs to give to the Internet poor.

Doctor Owl's aspirations are less altruistic. He scorns most viruses today as "worthless" because they're easily detected and destroyed. He really wants to create a long-lasting virus that will survive transparently in the wild for months, he says. Then he'll sell the technology and retire a happy man, content in knowing he created such a great program.

Learning to Take Responsibility

Gordon distinguishes between virus writers who see nothing wrong with distributing even destructive viruses and those who consider it a moral crime.

"I think the ones who unleash code intentionally are unethical," Evul says. "I think the ones who intentionally create and distribute viruses that are destructive are downright screwed."

Note, however, that Evul runs a well-known virus exchange site where writers can post source code. The site clearly states he won't allow posting of executable code; he says he can't stop anyone from stringing together a program from source code from his site--including his own code--and then sending it off.

Both he and Doctor Owl say they feel it's wrong to directly damage someone's PC, but they feel no responsibility for what happens if their virus is loosed by someone else. In their defense, they invoke the National Rifle Association argument that "guns don't kill people, people do." No one should hold them responsible for what someone else does with their creations, they say.

"I can't control what someone else does with [my code]," Evul says. "The simple fact that one other person is going to do something criminal with my code doesn't mean I am not going to enjoy my hobby. Had I known someone else would [spread my virus], I would have made a better choice of who received it."
