
The Generic Virus Writer II

Sarah Gordon
The 6th International Virus Bulletin Conference, Brighton, UK
September 1996


Abstract

A brief summary of research on the ethical development of four individuals involved in the virus writing subculture is given, followed by an examination of the current virus writing "scene". A completely different type of virus writer is introduced. Recent developments, trends and forecasts are presented, and some suggestions for minimizing the impact of virus writers both globally and organizationally are considered.

The Generic Virus Writer - A Brief History

Even in areas of scientific investigation, there can be the danger of overgeneralisation and stereotyping. In the case of virus writers, one manifestation of this danger has been that of assuming that there existed some homogeneous group of people who write viruses, that they were all ethically deviant, and that it was possible to talk about the psychology of "the" virus writer. It was with this in mind that we undertook our original research, which resulted in proving that there is no such thing as the generic or homogeneous virus writer. Along the way, we also learned that the virus writers we spoke with were totally within the norms for ethical development. However, we were still left with unanswered questions -- the foremost being "How do you stop people from writing viruses?" Following a brief summary of earlier findings, we will examine some of the issues which may help us answer this question.

The Generic Virus Writer (TGVW) [1], completed in 1994, presented four case studies of individuals involved in the virus writing subculture. The research data was obtained in part by using surveys and interviews, arranged via electronic mail (e-mail), electronic chat and in-person sessions. Information relating to the subjects' relationships, perception of self and others including family and peer group, family history, and cognitive reasoning ability was collected. This data was used to examine the individuals' moral development in light of ethical and moral developmental models based on the research of Lawrence Kohlberg [2]. (Gender based issues in virus writing were examined using the model developed by Carol Gilligan [3].) The individuals were selected from four categories:

  1. early adolescent
  2. college student
  3. adult/professionally employed individual
  4. ex-writer of viruses

The first three categories appeared to be generally representative of the comparatively small [4] virus writing population. The ex-virus writer was an anomaly for reasons which we are yet unable to measure. In TGVW, we traced ethical development of one individual chosen from each of the four categories. We found these individuals to be within the norms for ethical development as defined by longitudinal studies done by Kohlberg [5]. Based on our findings, we predicted that the youngest of the virus writers would slowly begin to disassociate himself from virus writing. We showed how we expected the next oldest person to stop writing viruses very soon, and stated we expected the ex-virus writer to continue to refrain from virus writing. We felt the adult could easily continue to distribute viruses, as he had passed the age range during which one would be expected to disassociate from the behaviour. Over the past three years (two years since the presentation of the original work), we have maintained contact with three of the four subjects. Let us examine how well we managed to predict the paths they would follow, based on our research and Kohlberg's model.

The adult in our original study initially exhibited an ethical developmental model lower than average for his age. Whereas adult males typically are shown to have development on the Kohlberg scale of at least 4, and sometimes 5, our adult did not demonstrate a 5 (or 6) at any time. He has, unfortunately but unsurprisingly, continued to distribute viruses. He remains a polite and interesting, albeit controversial, individual.

The young man categorized as an adolescent [typical Level 1 Stage 2] in our earlier research is now, obviously, an older adolescent. He has apparently shifted from virus writing into virus distribution. He publicly, amongst his peers, states virus writing is "wrong". He has, however, continued to be involved in the virus writing subculture, although to a lesser degree than two years ago. He appears to be progressing quite normally for his age, into Level 2 Stage 3.

The college student has continued to exhibit an interest he expressed during our previous conversations -- programming and communications. He has indeed stopped writing viruses and has become professionally employed in the software industry, where he has held respected positions of considerable responsibility.

If research in the field of ethical development shows us anything, it shows us there are some reliable standard models and that behaviour in one setting does not necessarily typify behaviour in other settings.

Integration of morality becomes more consistent, however, as one ages. This is exemplified by the progression of this student. He initially stated virus writing was wrong, but that it was basically okay if he did it in a way he considered to be non-harmful. Specifically, he never intended for any of his viruses to affect users. "I wrote viruses for several reasons, I suppose, but primarily they were for my own personal learning." Later, after being confronted by a user who had in fact caught one of his viruses, he publicly stated that not only was virus writing harmful, but a wrong action for himself as well as others, regardless of intent. He then stated he would no longer write viruses. Upon pressure from peers, he stated he was going to live up to his words, and not do it any more. To the best of our knowledge, he has held true to this statement. We asked him why he had not gone back to virus writing despite observed pressure from peers. "There are probably four main reasons I have remained retired", he stated. "First of all, I value my word very highly, and while I made no promises when I retired, I still feel compelled to maintain what I stated". Time constraints, personal involvement and no real reason to do it were cited as the other reasons. His Level 2 Stage 4 ethical responses from two years ago appear to have progressed quite normally into Level 3, Stage 5 post-conventional morality. For those who are ethically within behavioral norms, but who are involved in the virus writing subculture, "aging out" still seems to be the main force which contributes to their stopping the actual virus writing. As they age, they are less vulnerable to peer pressure and begin to integrate what they know is right behaviour into their actions, until eventually they simply do the right things no matter what the situation is. 
Whether or not it will become the norm for those who age out of the behaviour of virus writing to remain as part of the subculture has not yet been determined.

The ex-virus writer from our original study has continued to maintain a good relationship with both parents and girlfriend. He has continued his non-involvement in virus writing. At the time of our original project, he stated he had worked as a volunteer in the library and hospital environments. Since that time, he has done work for a major software company, and continues to be trustworthy, talented and a positive example for the younger individuals. He has this to say regarding peer pressure:

"They know that I have stopped; it's pretty obvious, at any rate. I don't feel excluded in any way simply because coding isn't everything; most of the people never coded to any significant degree to begin with. Anyway, I'm fun to talk to :) Or not. Maybe they just tolerate me. But I think most of them like me whether or not I coded. Who I am and what I've done only gives them more incentive to talk to me when I first meet them. At this point it's irrelevant; it just makes me the alpha male of the pack. So I can bully people around :)"

To reiterate our original position:

"Little reason exists to believe that crime and delinquency can be eliminated merely by the fear of legal punishment alone. More evidence exists that fear of social disapproval and informal penalties, criticisms and punishments from parents and friends may actually be a greater deterrent to crime than legal punishments"[6].

The Unanswered Questions

During any discussion of virus writers, the question can arise: "Why did they do it?" Their own answers and justifications still vary. Reasons for writing viruses which have been cited include relief from boredom, actively seeking fame, exploration, malice, and peer pressure.

There does, however, seem to be a notable absence of one reason which at one time was thought by some to be a factor in encouraging virus production: the vX BBS. According to one respondent (and this thought was mirrored by many),

"I don't think that the vX BBS was ever a real incentive for new viruses. I think that Todor's BBS was unique in this regard because of timing. At the time (forget that BBS' name; virus exchange?), very few viruses were readily available. And so it was difficult for novices who weren't proficient in assembly to learn how to write viruses. The best way to learn (at least Vesselin seems to make us think this way) was to call up the BBS and download Vienna, disassemble, and churn out new variants. By the time viruses became big in the U.S., I think that virus production had accelerated elsewhere in the world to feed the vX scene continuously. So U.S. people were lazy and didn't need to write viruses; they just needed to be good collectors. Additionally, the U.S. bbs's had a pitifully large number of non-viruses. Ambulance Car and the SPAM fiasco come to mind. I have yet to see a 'WWW virus scene' develop (is ILF on WWW?) I think the interesting thing to do on the WWW is to create a page which automates virus creation; i.e. set the parameters, run g2/ps-mpc, and return file to the user. The only thing really stopping this is the lack of source code for most virus generators. So the short answer is that the motivation for writing viruses hasn't changed much. These people write to get famous or because they're bored."

Is the way to stop them simply to allow them to grow up? This would be a viable solution if there were not new ones coming along to step into their shoes. We will now turn our attention to the current virus writing scene, i.e. the "Next Generation Virus Writers", discussing the current crop of virus writers and exploring their impact on the general computing population. We will briefly examine their responses to recent legal decisions related to virus writing, and to "acceptable use policies" of Internet service providers and universities as we consider how these young people can best be dissuaded from writing and distributing viruses.

The Next Generation

Who are the Next Generation Virus Writers? Initially, upon reentering the old haunts of what was once the virus underground, we found ourselves met by what appeared to be a violent, mouthy, nasty group of obnoxious kids who had nothing better to do than talk about ways to hurt people and destroy information. It was only a matter of a few days and a few conversations before what had been so apparent (and what has provided many journalists with sensationalistic fodder) was in fact found to be much the same type of "show" which we had observed years before. Actors, roles and scripts are used not only on stages, but in communications between adolescent peers [7].

It initially appeared that some of the new breed were much leaner, meaner and more technologically advanced, but while we eventually determined there was some evidence of a heightened awareness of technology, for the most part these virus writers' abilities were generally observed to be comparable to those of their predecessors. There are some exceptions:

"I guess people may write to be famous, but in my opinion, the better the AV programs get, the more motivated some people will be. I for example get my motivation from challenging AV programs. As they get more advanced (i.e. better behaviour blocking, heuristics, etc.,) the more of a challenge and therefore motivation there is. People in it just for the fame generally fail...there has to be some technical motivation".

The geographical hot zones had changed. Australia and Sweden/Norway now seem to dominate the virus scene. This should be no surprise: the scene was Bulgarian [8] before it was Canadian, and for a while it was American. Quoting an anonymous source: "The Internet in general -- anonymous, cheap, global communications. Better than any BBS." "The Internet has enabled us to spread the scene around. It's easier to talk directly with people from around the world about viruses", said another virus writer, "though very little has gotten done in the past few years, at least from the standpoint of organized virus groups." In fact, most of the virus writers thought the good old days were gone for good. When asked for comments about the relative stability of the virus writing scene during the course of this study, we received various comments.

Rock Steady, former front man for the virus writing group known as NuKE, was said to have a "dead end job as a bank teller or parking attendant". Aristotle, sometimes NuKE, sometimes not, was frequently cited as still "on the scene", and it was suggested by many that he appears to be a permanent fixture. To quote one individual, "Aristotle never changes. He needs his own little world ... so cannot risk changing it." Few people remembered the name Masud Khafir, and many of the other FIDONet Virus and Virus_Info participants were not mentioned at all. Groups that once dominated the scene were almost a non-issue. According to one virus writer,

"There was a funny pattern that emerged from the virus scene -- rabid begat yam begat NuKE begat VLAD. The groups are all the same. They crave attention yet lack talent. They talk loudly but have no substance behind it. It's pretty sad. Damn near every one of the VLAD viruses is part of the "intended family". Another group, dc, appears to be thought of as somewhat of a successor to NuKE."

Another virus writer used this word-play to comment on one of the Australian-based groups:

"VLAD went for total global domination. At least they INTENDED to".

The ages of the virus writers still varied, with one virus writer stating age 20 appeared to be the average age of his peers. Questioned further, he stated he had in fact asked them and that 20 was both the median and mode, with 20.74 being the mean age. We have no idea how large his sample was, but do admire his approach. The views we found on social life, society, and anti-virus software have not changed much: i.e. there was still no Generic Virus Writer.

Universities seem to be spawning more virus writers now, but this is not surprising. At the recent IFIP TC11 Conference in Samos, Greece, a workshop for Education and Information Security [9] was held, during which one professor stated he was aware of some virus writers in his University, but they were in another department, not his. This seemed to be a matter of little concern for him and in fact, he had virus writing as an acceptable "exercise" in one of his security courses. Another professor has been observed on the WWW, offering NATAS as a simple virus for new assembler students to "examine" [10]. The role of students is usually to learn, and with viruses being taught or tacitly condoned, we should not be surprised at the form of education or its outcome in these circumstances.

There was a more heightened awareness of "responsible behaviour" on the part of the people we spoke with, and they were willing to discuss this with us in depth. We found that in spite of this willingness to discuss the issue, the definition of what constitutes responsible behaviour was varied. Generally, making viruses available via CD-ROM, FTP, or BBS to the willing/knowing was seen as responsible management of viruses. While we were unable at this time to do extensive survey or study of these virus writers, the fact that the slightly-older virus writers appear to be within ethical norms, with the exception of their activities related to viruses, leads us to hypothesize that viruses are not seen as the "bad things" they once were.

The majority of virus writers we talked to have much more clearly defined goals than were found in the "good old days". Programming and other jobs in computer related fields dominate. Some of them already have such jobs. This brings us to the next topic, the Next Age Virus Writer. To be sure, there is a new breed of virus writers. However, we suggest to you that it is not merely the old breed repackaged and gently aged: not the young, bored, fame-seeking youth of the past, residing in different countries with the same general skillset which we have just discussed. Certainly, that sort of virus writer still exists. We see him embodied in viruses like Boza[11]. He is the sort of virus writer who forces software prices up by flooding the market with simple viruses which are more annoyances and irritations than real threats. Most of his creations are never even found in the wild and if the numbers game would self-destruct, his impact would be even more minimal [12]. However, the virus writers who appear to be having the real impact are those with real skills, talent and perseverance - programmers with style and elegance, who, unlike virus writers of the past, could make a living writing real software. According to an ex-virus writer who wishes to remain anonymous:

"You have to be smarter today than you had to back when the scene started simply because viruses today incorporate so many features. Polymorphism, for example, was unheard of 5 or 6 years ago (ok, not unheard of, but it was not a standard technique). Today, if you can't do poly, don't even bother. Stealth, too, is something that you simply must know how to do. Viruses are more sophisticated than ever." He continued:

"So you either have to be smarter or more experienced, i.e. older, than you had to be in the past. I think most people who were in the scene have aged out and stopped, as you say. As for people starting, I haven't heard of too many newcomers to the scene. Have you?"

While we must not underestimate the contributions of user apathy and global connectivity, we are now technologically somewhat more prepared for the types of virus writers we have discussed so far. However, we are not prepared for the new spawn of virus writing subculture: The New Age Virus Writer.

No More Secrets: Demystification and Legitimization

As we have shown, much of the secretive atmosphere which was pervasive throughout the virus writing underground has given way to a new openness. This openness has been facilitated in part by the media. In WIRED, we find "Viruses Are Good for You"[13] suggesting that many of the "most promising visions of how to coordinate the far-flung communication and computing cycles .....converge on a controversial solution: the use of self-replicators that roam the Net." The individuals examined as virus writers in the article are referred to as "developers interested in harnessing the power of self-replicating programs, scientists interested in the abstract behaviours of viruses", and "unnamed renegades of the virus writing underground". The article goes on to discuss the virus as a fascinating and powerful life form, seen by the creators as useful for "the fertile creation of yet more powerful digital devices" and "reckless individual expression". The anti-virus community is described at one point as "nervously policing the boundary between the great unwashed and those trustworthy enough to handle 'live' specimens......the world of anti-virus research offered its initiates a thrill somewhere between the delightful romance of butterfly collecting and the grim camaraderie of working for the National Security Agency". Mark Ludwig, one of the subjects discussed in the article, is described as wandering the "lonely intellectual wilderness reserved for those who practice science on the fringe, outside the cozy realms of institutional affiliation, professional consensus or methodological decorum". While the article does suggest Ludwig could present his subject with a little more sober attention to devising anti-virus countermeasures, it does not draw any conclusion on his contribution to the legitimization of virus writing. 
It does not mention the impact of the viruses which were made available on CD-ROM by Ludwig; specifically, the fact that these CD-ROMS have helped bring the computer virus into many businesses and households as part of "anti-virus test material", despite the fact that such materials are unsuitable for testing [14]. While the article does point out that many see the virus writing books as incitement to digital vandalism, it does also state Ludwig has elevated the computer virus from the digital equivalent of a can of spray paint to an object of almost lifelike behaviour. The article states he "transformed a tool of vandals into a field of scientific study", although we would argue he has in fact given virus writers a sense of legitimacy as they carry out their own brand of unscientific "research". The article concludes with this offering: "For executable DOS virus code on disk, send a check for $US50 (payable to Virtual Life) to xxxxxxxx" (Address deleted).

The sale of viruses is but one of the ways in which the entire "virus writing underground" has become a more accepted "above ground" community (one might argue that virus writing has always gone on above ground - but that is a topic for another paper). The "Webification" of vX sites has essentially removed the "I'll show you mine if you'll show me yours" attitude to virus collections and exchange. Infectious code is now just a point and click away. While there is deliberate flippancy here, there is an important point to be made. By allowing viruses to be made readily available via the WWW, we as a society have demystified them; some would say we have even legitimized them. Of course, it can be argued that to disallow such "information" to be distributed would constitute censorship. This, too, is beyond the scope of this paper. However, we have observed that exposure of the computing community to Web sites which contain many thousands of viruses, all available for download, tends to contribute to the desensitization of the population on the inherent dangers involved. Virus distribution is much more acceptable now than it was even two or three years ago.

Another development brought by the Internet is the somewhat curious group alt.comp.virus [15]. Here, a bizarre collection of industry experts, virus writers, and users gather to debate the latest viruses and their countermeasures. The group, which was allegedly formed to overcome the "censorship" of the more restrained virus-L (comp.virus), was initially utilized by those who wanted to distribute or exchange virus code. However, of late it has become significantly more balanced, and even has its own FAQ, credited with appropriate thanks to Dr Alan Solomon, Vesselin Bontchev, Rob Slade and other "good guys". The newsgroup has by its evolution encouraged people who do not approve of virus writing and/or distribution to say so in a public forum. However, individual differences combined with the international nature of the Internet have continued to work together to highlight one real stumbling block to agreeing on what constitutes "responsible behaviour". The interactive nature of the group is an excellent opportunity for rational positions regarding the unethical nature of virus writing and distribution to be presented, and for this reason, should be encouraged. Such interactions can only lead to eventual understanding on the part of those still forming their own value and belief systems, and may encourage others to think their positions through more carefully. Notwithstanding, in August of 1996, there could be counted a number of posts which contained either a plea for virus sites, URLs to virus sites or uuencoded virus code, both in binary and source formats. Once again, the desensitization continues. Virus writing is very definitely becoming more mainstream. Perhaps this must happen before it can be examined and determined unacceptable behaviour. Only time will tell if this is the case.

In many ways, the mainstreaming of virus writing was made more clear during the furor regarding the "discovery" of the Boza virus. The following quote is taken from an interview with the alleged author of the virus [16], and provides interesting food for thought:

"Bizatch [Boza] was completed in late November last year. We went into beta testing in early December, which basically meant handing it over to people we knew who were running odd configurations of Windows 95. Testing was completed in mid-December and I fixed a number of bugs - we found that it killed certain 'new' Windows 95 executables..."

The introduction of formal Beta test cycles for viruses should be cause for anyone who believes that we are winning the fight against computer viruses to carefully reconsider their position.

Who is the New Age Virus Writer?

"Our cultural motifs, our educational system, our communications media had failed this man. What the society permitted to trickle through was mainly pretense and confusion. It never taught him how to distinguish real science from cheap imitation. He knew nothing about how science works".

This quote from The Demon Haunted World [17] exemplifies our observation of the media and in some cases, the international educational system's approach to computer viruses. While it was written by Carl Sagan to illustrate the ways in which many New Age tenets or premises are actually pseudoscience embraced by those who had not been exposed to real science, it applies in no small portion to our observations of virus writers and more importantly to those who have a good deal of influence on potential virus writers. It is our belief that many of those who contribute to virus writing via media representation, arguments of "free speech", actions based in large part on some type of situational ethics, and calls for university "research", do so largely because they are unfamiliar with the technical scientific information related to viruses [18]. They choose instead to follow whatever the current trends are, be they vX BBSs, "research" for the most politically naughty virus, or acceptance of acts which may put them or their company at significant risk of data loss because it is easier to do these things than to examine and accept the facts about viruses. For this reason we have called our next group of virus writers "The New Age Virus Writers".

Given the sorts of influences briefly discussed above, the appearance of yet another new type of virus writer is not wholly unexpected. The New Age Virus Writer seems to have two incarnations. The first is the most familiar and is the type we will discuss in this section. This type is the product of boredom, curiosity, mixed messages and technological glut. We will consider viruses, methods and possible motivations. The second observable type of New Age Virus Writer will then be examined in the next section.

As the writers of many of the new viruses are not well known, we are forced to draw conclusions in some part from their creations. Perhaps one of the best examples of the work of the New Age Virus Writer is Zhengxi, an extremely complex virus analyzed in Virus Bulletin in early 1996 [19]. This analysis states:

"At 7K long, it [Zhengxi] is one of the most involved [viruses] I have ever seen. It is a sort of 'all-in-one' virus, which infects EXE and OBJ files, and attaches infected COM droppers to ZIP, and RAR archives (both static and self-extracting). Its very complex polymorphism resembles that of SMEG, but has loops often exceeding 2K in length, concealed by vast quantities of junk subroutines, and Int 21h and CP/M calls.

Zhengxi infects EXE files either by appending its code to the end of the file in the standard manner, or by looking through the file for C or Pascal subroutines and modifying these to execute the virus (as Lucretia). The OBJ infection technique is similar to that of Shifter [see VB March 1995, p.11], and that of archive modification was first seen in Dementia [see VB November 1995, p.12]."

Even without specialist assembly language knowledge, it is easy to see that Zhengxi is more of a programming exercise than a virus designed to spread. Its author must have known that the features which he was adding were just a display of skill. Clearly, it is not the work of a child, but of a programmer who could earn real money writing real programs in the real world. This is the world of the New Age Virus Writer.

As we have seen above, this sort of virus writer can be demonstrably more sophisticated. Consider also the WordMacro/Concept [20] virus, currently one of the most widespread viruses in existence according to some sources [21]. The source code for this virus demonstrates the use of the Hungarian naming convention, a set of detailed guidelines for naming routines and variables. While it is used within the C programming language, especially in Microsoft Windows programming, few virus writers we spoke with were aware of it. [Note: according to Code Complete, "the term 'Hungarian' refers both to the fact that the names that follow the convention look like words in a foreign language and to the fact that the creator of the convention, Charles Simonyi, is originally from Hungary." [22]]

The New Age Virus Writer may be motivated by a desire such as some consider apparent in WordMacro/Concept: to force applications designers to act in a certain manner. He may be trying to prove his point in the only way he feels the applications designers will understand. He may be motivated by a desire to use viruses in what he thinks is a "good" way, to help his company or department gather certain information in what he hopes will be an unobtrusive manner [23].

The New Age Virus Writer worships at the altar of technology, and uses others' lack of understanding of the issues and their implication as a vehicle to advance his own particular form of magic. Consider this implementation of certain techniques: WordMacro/Spoof [24], which creates its own custom dialogue box for Tools Macro, hiding the presence of its own installed macros. According to the author of this virus, the only copy he has distributed was sent directly to me; thus, the virus has not been distributed to any other researchers, in the hope of containing the technology. (This is a recognized and approved course of action within the anti-virus industry when a researcher strongly believes he or she has the only sample in existence of a particular virus.) In the world of the New Age Virus Writer, there is access to powerful computing equipment. Unlike the early days, even as recently as 2-3 years ago when our initial study was begun, the viruses seem to indicate there is now access to various operating systems, applications, and programming tools.

You won't usually find the virus writers' names spattered all over their creations, or bandied about the Internet; you will rarely find their creations first on virus exchange or virus WWW sites. Observation shows these individuals tend to be a bit older and more cautious than the Next Generation Virus Writer. They do not share "accomplishments" with peers, perhaps because they are old enough to be held responsible for their negligence in releasing viruses.

This type of virus writer is not likely to "age out" for two reasons. One, he is already an adult, and two, the concept of "aging out" applies to behaviours which are perceived as morally unacceptable by the society and which are left behind during the natural course of individual ethical progression. As we have just shown, while virus writing may in reality be an unacceptable activity, the perception of it fostered by the media, some adults, some Universities and some ISPs combines with the "Cult of the Internet" to produce some very mixed messages.

Stopping the New Age Virus Writer

We have speculated in the above that the New Age Virus Writer is somewhat older, employed and does not make his identity known. Given this, how can we go about the job of stopping him? The suggestions given below are made to facilitate a discussion on what may or may not be acceptable. We do not in any way advocate government censorship or control of information: however, we feel that responsibility must come along with freedom and for this reason do not find public virus distribution acceptable. With this in mind, we have gathered various perspectives on controlling the problems addressed herein.

While laws to punish those who are caught intentionally spreading computer viruses to the unknowing and unwilling are one tool which can be used to discourage this sort of negligent and criminal behaviour, the nature of virus writing and distribution highlights the need for additional, more effective tools. The main tool we have at our disposal is that of communication. We must attempt to change the attitude of as many as possible regarding computer viruses. Obviously, this is the "big picture" approach. Without cooperation from educators, legal policy makers, judiciary, parents, and the media, there is little hope that the virus writing phenomenon will subside. It will continue to shift, becoming more and less, less and more acceptable to engage in the activity.

To discourage these sorts of behaviours, people may wish to consider voicing their displeasure publicly. This could include informing their Internet service providers (who lend viruses an air of credibility by allowing them to be distributed) that they consider this irresponsible and unacceptable. This could also be made evident in several other ways: it may take the form of a vendor disallowing distribution of their shareware from sites which openly allow virus distribution (such an approach has been attempted by Frisk Software) or it may involve individual or corporate users discontinuing the use of service from providers which allow users to make viruses available. Both of these suggestions have been made publicly by members of the anti-virus community, but we have no way of knowing the actual result. It has been suggested that it may prove effective to write letters voicing concern to the appropriate persons at various service providers, or writing letters thanking those who act responsibly. Universities, which in some cases are privately funded, may be open to suggestions from supporters. Publicly funded universities have been known to investigate irresponsible behaviours of other types once alerted; some people have tried informing universities which are known to have viruses on their sites. However, according to one university site which wishes to go unnamed, the person reporting the files as "unacceptable" first ftp-ed the entire virus collection before making his report. This obviously sends a real mixed message, and should be avoided.

Destructive behaviours should not be encouraged under the guise of "science": the problem with viruses we find in many universities seems to be a lack of understanding on the part of most professors of the issues involved. Taking an active role in the educational process at the university level, and clearly voicing a concern over ethically questionable methods may help avoid placing the university at risk from both a technical and PR standpoint. Vendors and users may wish to consider advising testers who may be testing anti-virus products using questionable methods which are linked to virus production or legitimization that such methods are unacceptable. It could prove effective to disallow advertising in magazines which utilize such methods, or to write letters to the editors and publishers, stating displeasure with the situation. Making a public issue out of irresponsible behaviours has sometimes worked to discourage the behaviours. However, this kind of action can have the opposite effect. Therefore, this should be considered a matter of individual discretion and should not be undertaken lightly without full regard for possible ramifications. Finally, we as a society must be willing to relay the message of responsible computing to our children, who may be encouraged and influenced by the media and Internet culture. We recognize this is a long term approach to the problem; there are no immediate solutions.

There are, however, things you can do now to lessen the impact of the second type of New Age Virus Writer, which we will now discuss. This type of virus writer has all the skills and motivations mentioned so far in this paper, with the additional contributory factors of office politics and incorrect organizational security policies. This type of virus writer may be working for you.

One action you can take now is to examine your own company. Do you have IT staff, locally or regionally, who can be found "playing around" with viruses? As we have shown, the secrecy and contraband image of viruses is gone. The viruses are easy to obtain now and there is much less stigma attached to both obtaining them and "learning". Macro viruses, written in well-documented, easier to comprehend languages such as Visual Basic for Applications (VBA) are all too easy to obtain, to understand and to modify or write. A well-intentioned IT Manager can inadvertently modify an existing Macro virus while attempting to see what it does. Adding a REM comment could create a new variant. If viruses are seen as something which can be toyed with at leisure (many e-mail messages are received by some anti-virus vendors every week which contain the dreaded line "I've played with the virus a bit and found...") there is always the danger that that exploration might be taken, intentionally or unintentionally, too far. Regardless of the intent, the impact on a company can be devastating.

When you have a virus outbreak, it is imperative to find out where the virus came from. Of course, this should be done not in a finger pointing or blaming manner, but as a routine part of your security processes [25]. It should be determined that viral infections are not the result of, for instance, in-house Web cruising of virus distribution Internet sites. Your security policies should outline acceptable practice with those viruses which are discovered, and those practices should exclude "experimentation" which can lead to accidental modification. This should apply whether the viruses are .COM and .EXE infectors, Macro viruses, or any other sort of virus. Every so often, we get reports of a new virus in the wild from a customer who has experienced a small outbreak of a "Zoo" virus. Often, these viruses are buggy, and stand little or no chance of being globally successful; they have been introduced to the company by an employee who was testing anti-virus software, or "experimenting".

Conclusion

In this paper, we have continued the work started in TGVW, following the ethical development of four virus writers. As predicted in the earlier work, those who have continued a normal ethical development have aged out of virus writing. This may well continue to be the only effective way that many of the current virus writers will stop.

However, there are two disturbing trends developing within the virus writing community, and the computing industry in general. First, there are virus writers who seem to be motivated by different reasons than the old "virus underground". We believe that some of these virus writers are older and more skilled than before. Viruses like Zhengxi and Concept point to an advanced knowledge of programming techniques; the reasons for the development of attacks may well be changing. Coupled with this is the steady legitimization of virus writing, making it "less wrong" in the eyes of the general public. This will act to prevent those involved from "aging out" even if they follow a normal ethical development, and is cause for significant concern to those in the anti-virus industry and all those concerned about data security. This legitimization and desensitization contributes to the writing or modification of viruses in companies as well as by the classic "Virus Writer". Whether we like it or not, our own actions and words communicate to the next generation what is acceptable socially, ethically, and legally and what is not. By our actions, or lack thereof, today, we ourselves are creating the virus writers of tomorrow.

Bibliography

  1. Gordon, Sarah. "The Generic Virus Writer." Proceedings, Fourth International Virus Bulletin Conference. Jersey, U.K. September 1994.
  2. Kohlberg, Lawrence. Stage and sequence: the cognitive-developmental approach to socialization. "Handbook of Socialization theory and research," ed. D.A. Goslin. Chicago: Rand McNally. 1969.
  3. Gilligan, Carole. "In a different voice: Psychological theory and women's development." Harvard University Press. 1982.
  4. Gordon, Sarah. "Technologically Enabled Crime: Shifting Paradigms for the Year 2000." Computers and Security. Elsevier Press. December 1995.
  5. Colby, A., Kohlberg, L., Gibbs, A., and Lieberman, M. "Monographs of the society for research in child development," 1 & 2 Serial No. 200. 1983
  6. Van den Hag. "Journal of Criminal Law and Criminology."
  7. McCarthy, Bill and Hagan, John. "Mean Streets: The Theoretical Significance of Situational Delinquency among Homeless Youths." American Journal of Sociology 3.
  8. Bontchev, Vesselin. "The Bulgarian and Soviet Virus Factories." Proceedings First International Virus Bulletin Conference. 1991, pp. 11-25
  9. IFIP Sec 96 TC11. Working group 11.8 Information Security Second Workshop, Information Security Education - Current and Future Needs, Problems and Prospects. Samos Greece. May 1996.
  10. Gordon, Sarah. "Viruses on the Internet." Virus Bulletin. August 1996.
  11. Ducklin, Paul. "Boza - The First Windows 95 Virus." Sophos PLC.
  12. Gordon, Sarah. "The Viability and Cost Effectiveness of an "In the Wild" Virus Scanner in the Corporate Environment." Preprint. 1996
  13. Dibbell, Julian. "Viruses Are Good for You." WIRED 3.02
  14. Ford, Richard and Gordon, Sarah. "Real World Anti-Virus Product Reviews and Evaluation -- The Current State of Affairs." 19th National Information Systems Security Conference. Baltimore Maryland. Preprint.
  15. alt.comp.virus FAQ
  16. Secure Computing. "BOZA or Bizatch: The Hype Continues." Secure Computing. June 1996.
  17. Sagan, Carl. The Demon Haunted World. Random House. January 1996.
  18. Gordon, Sarah. Structuring Ethical Curricula in the Information Age. IFIP TC11. Capetown, South Africa. May. 1995
  19. Kaspersky, Eugene. "Zhengxi: Saucerful of Secrets." Virus Bulletin. April 1996.
  20. Gordon, Sarah. "What a (WinWord) Concept." Virus Bulletin. September 1995.
  21. National Computer Security Association. "1996 Computer Virus Prevalence Survey." April 1996.
  22. McConnell, Steve. "Code Complete." Microsoft Press. 1993.
  23. Anonymous Private Communication
  24. Anonymous Private Communication
  25. Gordon, Sarah. Create a Policy that Works for You. Government Computing News. November 1995.
  26. Acknowledgements: Megan Alexander, Dr. R.A. Ford