Worms Security

Inside the Mind of a Virus Writer

sebFlyte writes "news.com.com is running a very interesting interview with 'Benny' (AKA Marek Strihavka), a former member of the famed 29A Russian virus-writing group, about what drove the group, among other things. He's now one of several ex-virus writers working for security companies."
  • That stinks... (Score:4, Insightful)

    by slavemowgli ( 585321 ) on Saturday January 15, 2005 @01:13PM (#11373604) Homepage

    Who else (besides virus writers) should code antivirus programs? Who else has the experience and technical skills for fighting viruses?

    He's got a point there, but still, that stinks of "create a problem, then sell the solution".

  • by jmcmunn ( 307798 ) on Saturday January 15, 2005 @01:15PM (#11373615)

    Q: How many viruses have you written?
    A: A lot

    Q: Why did you write them?
    A: To learn and innovate, not to harm.

    Q: Should virus writers like you work for AV companies?
    A: Yes, of course. We know security the best.

    Why is this an "interesting interview"? There is little to no content here. It's the same crap we've heard every virus writer say to every person who interviews them. While I agree that the best security people are probably the ones who used to break the system (aka virus writers and crackers) why does this need to be considered interesting news? I was more interested in the (FALSE) story about the fish from the tsunami.
  • Truth? (Score:4, Insightful)

    by PhreakinPenguin ( 454482 ) on Saturday January 15, 2005 @01:16PM (#11373625) Homepage Journal
    It amazed me the way some people think. It sounds to me like he thinks he should be free to write virii because it's expression and protected under the first amendment? So by that analogy, someone who burns down a building shouldn't be prosecuted because they are just expressing themselves. Come on, him saying that he didn't distribute his "code" is complete crap. He wrote it and it got distributed. Anyone who thinks differently can buy some swampland from me at a steep price.
  • It depends (Score:3, Insightful)

    by Matt2k ( 688738 ) on Saturday January 15, 2005 @01:25PM (#11373696)
    There is something to be said for learning techniques for mitigation through hands-on practice. For example, I routinely attempt to crack my own web servers in an attempt to discover potential weaknesses. You can read white papers on XSS and privilege escalation and proper filesystem permissions all day, but you don't really ever learn the application until you try it for yourself.

    If I were to hire another administrator to be in charge for securing my systems, I would want them to have that same internal drive and desire to explore the system, rather than having a checklist-mentality. Go down the list and assume the server is secure.

    That said, I would _not_ hire someone who was actively involved in breaking into other people's systems. It's the mindset. They did it once, they can't do it appreciably any better than if they had probed their own systems, and they're likely to do it again. Part of being a professional means a mature respect for other people's beings.

    So if this guy actually wrote viruses that were released, I would consider him probably a bad candidate. Otherwise, yeah, go for it. Good choice.
  • Re:That stinks... (Score:5, Insightful)

    by shatfield ( 199969 ) * on Saturday January 15, 2005 @01:29PM (#11373735)
    It's not like that at all.

    Frank Abagnale did steal millions of dollars. He was a criminal. This kid didn't do anything of the sort -- he simply wrote programs that exposed insecurities in operating systems.

    Sometimes those programs are called Viruses, sometimes spyware, sometimes worms.. etc. When you put them all in a pot and boil them down to their bare essentials, they all smell the same way -- programs that exploit insecurities in operating systems.

    In the end, if he indeed did NOT spread the programs that he wrote, then they weren't viruses at all -- they were just programs that exposed the insecurities of operating systems.

    I am of the mind that we absolutely need people like Benny -- someone MUST check the locks to ensure that we are indeed safe. If no-one is checking the locks, then we're just fooling ourselves that what we hold near and dear is safe.
  • Re:That stinks... (Score:3, Insightful)

    by mattyrobinson69 ( 751521 ) on Saturday January 15, 2005 @01:30PM (#11373741)
    Well, in the case of Frank Abagnale, why the hell would you put a bank robber in a bank vault?
  • by Anonymous Coward on Saturday January 15, 2005 @01:37PM (#11373776)
    "Frank Abagnale did steal millions of dollars. He was a criminal. This kid didn't do anything of the sort -- he simply wrote programs that exposed insecurities in operating systems."

    And spam writers simply write spam that exposes weaknesses in Bayesian filters.

    "I am of the mind that we absolutely need people like Benny -- someone MUST check the locks to ensure that we are indeed safe. If no-one is checking the locks, then we're just fooling ourselves that what we hold near and dear is safe."

    I'll be over to check your locks. DON'T CALL THE POLICE!
  • by Jane_Dozey ( 759010 ) on Saturday January 15, 2005 @01:44PM (#11373814)
    He states that he published his viruses. This is just as bad as actively releasing the thing.

    Or maybe they're all just too stupid to think that some script kiddie will come along, compile and release the thing. Writing malicious code to see if something works is one thing, writing it and releasing/publishing it is another. One can help you understand the workings of another piece of software, the other makes a big mess of the internet and there's no excuse for it.
  • by Geno Z Heinlein ( 659438 ) on Saturday January 15, 2005 @01:46PM (#11373832)
    Why is this an "interesting interview"? There is little to no content here.

    I think it's the /. equivalent of a Rolling Stone "Top 50 Albums of All Time" list. They put the Beach Boys ahead of Jimi Hendrix so people will buy the issue just to show people how stupid the editors at Rolling Stone are.

    Stupid all the way to the bank. Ick.
  • Personal choice (Score:2, Insightful)

    by Kipsaysso ( 828105 ) on Saturday January 15, 2005 @01:51PM (#11373873) Homepage Journal
    When you get down to it, who you employ is up to you. If you think that your customers would be best served by a former virus writer, then do it. If you think they are too dangerous then don't. It comes down to your economic choice.
  • by Animats ( 122034 ) on Saturday January 15, 2005 @02:03PM (#11373979) Homepage
    I've always suspected close ties between the virus industry and the multibillion dollar anti-virus industry. Now we know they're real.

    Most viruses are designed to be friendly to the anti-virus industry.

    • They rarely do anything really destructive. "Propagate for 15 days, then erase hard drive" viruses are very rare.
    • They seldom do something that an anti-virus program can't undo. Think about that for a moment. Most viruses are uninstallable without having to reload applications or the operating system. That can't be entirely by accident.
    • They almost never attack the user's data in subtle ways. We don't seem to see viruses that, say, make small changes to numbers in spreadsheets.
    • They don't even remove anti-virus programs much, which would seem to be an obvious feature.

    There's always been an implicit synergy between the virus and anti-virus companies. They need each other. But now we know there's more than that.

  • Re:Truth? (Score:5, Insightful)

    by Morganth ( 137341 ) on Saturday January 15, 2005 @02:06PM (#11374007) Journal
    "So by that analogy, someone who burns down a building shouldn't be prosecuted because they are just expressing themselves. Come on, him saying that he didn't distribute his "code" is complete crap. He wrote it and it got distributed."

    Nice try, but that doesn't follow. The virus writer isn't like the guy who burns down the building; he's more like the guy who came up with the formula for the Molotov cocktail your guy used to burn down the building. Coming up with the formula is a creative act, and one that is protected enough so that one has the right to actually publish the formula anywhere. One can (or at least, should) be able to publish the design for other Molotov cocktails, or bombs, or guns, or swords, or whatever harmful thing you want.

    However, the second someone takes that formula and puts together the ingredients (*ahem, compiles the source code*) and throws it at the building (*ahem, distributes the executable*), then we have our criminal.
  • "who else" indeed. (Score:4, Insightful)

    by bani ( 467531 ) on Saturday January 15, 2005 @02:09PM (#11374032)
    "Who else (besides virus writers) should code antivirus programs? Who else has the experience and technical skills for fighting viruses?"

    just because you can blow up a bridge doesn't mean you should be trusted to build one.

    it takes a completely different skillset to defend against viruses than it does to write them.

    doctors don't have to know how to create a disease in order to know how to cure it. i would trust a doctor to treat disease far more than a bioweapons engineer.

    just like i don't trust a burglar to guard a bank vault, i don't trust a virus writer to write antivirus software.
  • Re:That stinks... (Score:1, Insightful)

    by Anonymous Coward on Saturday January 15, 2005 @02:10PM (#11374044)
    He's got a point there, but still, that stinks of "create a problem, then sell the solution".

    more accurately, "expose a problem that someone else created through a flawed design or sheer incompetence, then sell a solution".

    There are different kinds of virus writers. The people that are in it to learn and solve challenging problems, they possess knowledge and a drive that are very valuable.
  • That's consulting (Score:3, Insightful)

    by sjbe ( 173966 ) on Saturday January 15, 2005 @02:50PM (#11374285)
    ...that stinks of "create a problem, then sell the solution".

    Sounds like every consulting gig I've been involved with. Convince them they have a problem and that you, and only you, know how to fix it. Oh, and ummm, profit!
  • Mod parent up! (Score:4, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday January 15, 2005 @03:37PM (#11374619)
    Why? It takes different kinds of skills to keep a system up and running nice and secure than to crack it.
    Bingo! I can pick locks, but that doesn't mean I'm any good at designing better locks. From the article:
    But I always tried to come up with something new, never seen before. I coded viruses for platforms that were considered infect-resistant. I found some satisfaction in programming, just because I like logical and abstract thinking. This is not about any sort of "cyberterrorism."
    Yet I don't recall any submissions he's made to Open Source software on fixing exploitable holes.

    THAT would tell you whether he was as good as he claimed.
    As an analogy: Someone very good at blowing up buildings is probably not that good at actually building one. Sure, a good demolisher needs good knowledge about construction, but it's not the same. Really.
    Yep. And until I see him releasing code to fix exploitable holes in Open Source, he's still just another kiddie. Again, from the article:
    I take care of ZAV (Zoner Antivirus) core--this means all those low-level functions for scanning, unpacking, emulation, heuristics, ZAV database maintenance and new detection patterns.
    Pattern matching is nothing. And that's all that anti-virus software is.

    Rather than spending his massive talent on pattern matching viruses, why hasn't he come out with something to prevent viruses in the first place?

    Anti-virus systems are all re-active, not pro-active.

    Re-active is easy.
    Pro-active is hard.

    This story is junk. Some "journalist" saw that a "criminal" had been hired by a "security" company and decided that it would be a good story.
  • Re:That stinks... (Score:1, Insightful)

    by Anonymous Coward on Saturday January 15, 2005 @04:19PM (#11374869)
    I agree. That's like saying "Who better to police the country than other criminals? Who else has the skills and experience for fighting theft, murder and rape?"

    Just because you have committed a crime does not necessarily make you able to catch other criminals or even to protect the public from said crimes.
  • Re:metaphor much? (Score:2, Insightful)

    by captwheeler ( 573886 ) on Saturday January 15, 2005 @04:38PM (#11374965)
    I would trust a bioweapons engineer to create a drug designed to block biological weapons far more than I would trust a doctor.

    Are you serious? It's common to think that being near a problem lends special insight, but let's be clear: Doctors spend years studying how to heal, a bioweapons engineer spends years studying how to kill. If the objective is to save the life, the doctor is the clear choice.

    who better to blow up the bridge than a guy who builds bridges?

    The person who spends years studying how to blow up bridges would be a better choice.

    It's not that people on the wrong side of the problem know less than the average person, they *do* know more, but they aren't the best choice for the job. Hiring virus writers is also an ethical issue. Separate from their technical abilities:

    Can they be trusted?

    Do we encourage bad actions by rewarding the authors?

    Do the companies compromise their customers' trust by hiring the people they are protecting against?

  • Chicken or egg? (Score:3, Insightful)

    by phorm ( 591458 ) on Saturday January 15, 2005 @06:42PM (#11375635) Journal
    You're a little off here. If not for SPAM, we wouldn't need antispam programs and Bayes filters. The filter is a response to the annoyance of the spam. You might argue that the SPAM is due to the lacks in SMTP et al, but in that case why make new SPAMs once it's pointed out?

    The programs written by the kid, however, are targeted at vulnerabilities that already exist. Had he not written the code to expose the weakness, the weakness would still exist. Therefore he is responding to the weakness (and the weakness is the problem) whereas Bayes filters are responding to SPAM (and SPAM is the problem).
  • by Anonymous Coward on Saturday January 15, 2005 @07:18PM (#11375811)
    "I am of the mind that we absolutely need people like Benny -- someone MUST check the locks to ensure that we are indeed safe. If no-one is checking the locks, then we're just fooling ourselves that what we hold near and dear is safe."

    I'll be over to check your locks. DON'T CALL THE POLICE!


    Please don't tell me you're serious:
    He's not checking your locks, he's checking the same sort of locks that you have.
    As many hackers and virus writers do, he played with it to see what could be done.
    And like most security researchers, that's still what he is doing.
