Featured Opinion: Virus writers in the wild

by Marcia J. Wilson, CCSP Staff Writer
April 27, 2004


"Reprinted from JUNE 04, 2k3"

The University of Calgary is getting a lot of attention these days. The school is offering a course on how to write computer viruses and malware. Story after story has been published in recent days about the pros and cons on the ethics and wisdom of teaching young people how to write malicious code. Chat boards have been alive with reader responses, and in some cases, a little name-calling has erupted. "You're stupid!" "No, you're stupid!" "You're stupider!"

The antivirus software developers, for the most part, are up in arms about the audacity of a university teaching people how to write harmful code. The CEO of Sophos even stated that his company would never hire anyone who had written virus code.

The raging debate seems to be evenly divided between those who are against teaching such skills in school and those who think learning to write the code, contain it and kill it is a valuable skill.

Gigabyte, a 19-year-old woman from Belgium and a somewhat infamous virus writer, wrote what's believed to be the first virus using Microsoft's C# programming language. I had the opportunity to communicate with Gigabyte via e-mail, and here is what she said:

"My opinion on the uni virus writing course is kinda twisted.. To me, it's bad and good at the same time. In short, I think that (looking at it objectively), I have to say the university's doing a 'bad' thing of course. I mean, they may say what they want, but any sane person can see the course WILL attract some potential new virus coders. ... I have to agree it does help to know how a particular type of virus infects a hostfile. ... But to say they really need to learn how to write viruses? Honestly. No. ... Nah, a theoretical introduction of how viruses can infect files, what the infected hostfile looks like then, may be useful, but I don't think learning how to write them will make them good security experts or AVers [someone who works on writing antivirus code]. Looking at things from MY point of view however, me being a VXer [someone who writes virus or malicious code], my opinion totally changes. ... I think this course may actually bring on some new successful virus writers who write more than only VBS and batch scripting crap. More REAL viruses and keep the scene alive. So I think for the pro-virus world, this may be a 'positive' thing. Or it may not, depending on what kind of virus writing they are going to teach ... to the virus 'scene' the whole university course MAY just be a positive thing."

However, no one really needs to go to school to learn how to write malicious code. It's all available for free online. In addition to Gigabyte's Web site, here are some other examples:

• 29A is a group of virus writers whose temporary Web site has this to say under their policies and goals section: "We code viruses for the fun of it, because it's our hobby, not because we want to harm other people or to get ourselves into trouble." The site includes interviews with other "coderz," white papers and virus source code. One such topic is entitled "implementing TCPIP 'addons' in your viral stuff." Most of the information on this site appears to be a few years old, but suffice it to say that these kinds of sites are out there.
• 
  
  
• VX Heavens is a site that boldly proclaims on its home page, "Viruses don't harm ignorance do!" This site is completely open about its mission: "This site contains a massive, continuously updated collection of magazines, virus samples, virus sources, polymorphic engines, virus generators, virus writing tutorials, articles, books, news archives etc. Some of you might reasonably say that it is illegal to offer such content on the net. Or that this information can be misused by 'malicious people.' I only want to ask that person: 'Is ignorance a defence?'"
• 
  
  
• The Virus Trading Center is another site devoted to the apparent dark side: "This site is dedicated to virus trading. This means if you're looking for any virus or if you're a virus collector, you will love this site. You will find here everything you need to trade with me, but you won't find any viruses, binaries or source files."

I've gathered from a minimal amount of research that it's considered a no-no to provide binaries (executable code) on a public Web site. It seems to be OK to provide written material, explanations and source code, but providing the binaries may get you into trouble.

All of the sites have a prominent disclaimer about the use of the information being the end users' responsibility. Sounds reasonable. What I didn't realize is that virus writing is such a popular hobby around the world.

So, that begs the question: Why not teach students about viruses, how they are written and how to combat them in a controlled environment with a liberal dose of ethics in a university setting? I'm all for it. Take the mystery out of it completely. Do you really think someone who wants to do harm is going to sit in a college class and pay to learn the information? I found enough information to be dangerous in about 15 minutes using the Google search engine.

My opinion doesn't matter. What matters is that all of our combined opinions can be spoken freely. It appears that the antivirus vendors are ganging up on the Calgary, Alberta-based university and refusing to hire any students who graduate from the class. The Anti-Virus Information Exchange Network has posted this letter in opposition as well. The letter states: "It is not necessary and it is not useful to write computer viruses to learn how to protect against them."

On one chat board I visited, a reader suggested that teaching virus writing was like teaching a course on Unsafe Sex 101. I thought that was a great idea. It's like reverse psychology. Take away the mystique, unveil the ugliness, face the reality, and voila, you have something you can deal with. One reader compared the building of the best in virus software (not antivirus software) to building the bigger bomb. I wasn't sure if the reader was for or against it, based on that comment alone. One person, obviously opposed, likened writing viruses to walking through a live minefield. The reader asked, "Why put yourself at such risk?" Some likened computer virus writing to health viruses. You know, like SARS. Others stated that virus writing basically exposed security flaws in various operating systems and applications and that writers were doing the entire free world a service by publishing their results.

I guess I vote for the University of Calgary, even though all of the "official" antivirus companies and organizations are voting against its course. I believe the more information, the better. Don't tell me that the university is going to be responsible for the next destruction of the Internet when people from all over the world who are extremely experienced are working on virus writing as a daily hobby. Let the kids get educated. Trust the university to be responsible.

I have a suggestion for the opponents to the Calgary program. Why not send an engineer from your company to assist the professor in writing a top-flight program and send someone else to make sure the proper security measures are in place? If you are going to whine about it, you need to do something about it. Make a difference.

*Note: Some links to stories may no longer function or now require you to register to view.




by Marcia J. Wilson ComputerCops Staff Writer

Marcia J. Wilson, holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security assessment and risk analysis. She is also a free lance columnist for Computer World and Security Focus.

She can be reached at . Corporate website: wilsonsecure.com (see Prime Choice top left)

Copyright ©Marcia J. Wilson All Rights Reserved 2004.