Who ARE these virus writers?

There are a number of "script kiddies" out there creating viruses and worms. Just what do they get out of this exercise and why aren't they punished appropriately?

Who takes the time and effort to pull off malicious stunts, like viruses, malware, worms, Trojans, or any other deliberately damaging actions? And why? After all, there are risks involved. Who are these people and what do they gain?

The common stereotype is a bored but brilliant teenager from a dysfunctional family. The very name "script kiddies" implies that. And the latest (as of this writing) virus writer caught seems to reflect that stereotype. Go to any news search engine and enter "Jeffrey Lee Parson" and there he is, the alleged author of a variant of the LovSan/Blaster worm. Yes, he's 18, probably smart, possibly maladjusted, and instead of writing an original chunk of code, he (allegedly) chose to modify an existing worm. Part of his (alleged) modification was to insert a backdoor Trojan to enable (in theory) the remote control of any infected box. His motive is at this time unclear—the best current guess is that he merely wanted to prove that he could do it and gain some status or notoriety. He also left a clear trail back to himself as the author, which strikes the investigators who caught him as being careless.

One would think that anyone technically competent enough to modify code would have to have at least a basic understanding of how the Internet works.

The case of the "LovSan" worm
This cute little piece of prankishness in its original form contained the message:
"Billy Gates, why do you make this possible? Stop making money and fix your software!"

This is ironic. The LovSan worm was so poorly written and executed as to be laughable. Not only did it announce its presence by causing spontaneous shutdowns (not an event that could be classified as "subtle"), but its payload—supposed to be a Trojan that would launch a simultaneous DDoS attack on the Microsoft update site—was a miserable failure. Not only was the embedded URL inaccurate (it "almost" led to a page that merely forwarded the visitor to the real page) but once alerted, Microsoft was able to disable the page long before any damage was done.

It's difficult to see just where this kind of stunt results in any accolades for the author. What presumably began as a grand scheme to "send a message" to Microsoft merely caused minor aggravation nearly everywhere else—by any standard, that can't be rated as a "successful" exploit.

"Minor aggravation?"
The total number of viruses unleashed upon the Internet in its relatively short history is about 63,000. The total cost of these acts is estimated at $65 billion. Some, of course, have been very destructive, while many have been weak and harmless. Still, in any other field, an act of premeditated vandalism that results in a million bucks worth of damage (intended or unintended) usually carries a seriously stiff penalty. Over the Web it seems not to. Consider this:
  • Robert Tappan Morris: Created and let loose a worm that infected 6,000 systems for $15 million worth of damage. He was placed on three years' probation and fined $10,000, plus 400 hours of community service.
  • Christopher Pile: Wrote and sent out two viruses. Sentenced to 18 months.
  • Chen Ing-hau: Responsible for the Chernobyl virus, which caused hundreds of millions of dollars damage and repair costs worldwide. Released upon first arrest because "no one had filed a complaint." A year later, someone did. The most he could serve in prison is three years.
  • Onel de Guzman: Sent out the ILOVEYOU virus, which cost $7 billion. Arrested and then released for lack of an existing Philippine law to prosecute him.
  • Jan De Wit: Received 150 hours of community service for authoring the Anna Kournikova virus.
  • David Smith: Received 20 months in prison and paid $5,000 in fines for the Melissa virus. Small price to pay for an estimated $80 million in damages, huh?
  • Simon Vallor: Wrote and distributed three separate viruses, and received a two-year sentence.

There are problems to overcome in order for the prosecuting authorities to act, at least in the U.S. There must be demonstrable evidence of intent to damage, and that damage must be over $5,000 for the U.S. Feds to pick it up at all. That's assuming they even know who to investigate. The writer(s) of many of the more infamous viruses, such as Code Red, Slammer, Nimda, and SirCam, are still unidentified. Laws and legal attitudes are changing, but slowly. These folks are still seen as popular antiheroes by many. Rage against The Establishment and the Military-Industrial Complex, you know.

So then, why?
So why do these people write and spread viruses and other malware? Because they CAN—and that can be reason enough. In the large majority of cases, the authors are not caught. When caught, they go relatively unpunished. So the deal is, "Hey, let's do something cool and be on the news and watch everybody freak out." All that fun and very low risk. Do it right and you won't get caught. If you are, make some "bad childhood, your Honor!" sniveling excuse at trial, and it won't be much worse on you than if you got caught breaking schoolhouse windows.

It's a fact that most of the above-named culprits were in the 18-22-years-old age range when they did their dirty deeds. That does little or nothing to shatter the "dysfunctional teenager/1337 hax0r" image. However, "kid" vandalism of any sort, though often flashy and newsworthy, is usually not the greatest danger to any particular property. And why should this be different digitally? It isn't. While most people are watching out for the kids trying to spray-paint the walls, the real damage is often being done silently and on the inside.

Enter another stereotype: Think Dennis Nedry in the movie/book "Jurassic Park." This one is in his/her 30s or so, technically competent, and with passwords to get nice and deep into the system from the get-go. She or he could be a "disgruntled employee," in debt for whatever reasons, and/or needing extra cash, or even just doing a friend a favor. These people when (or IF!) caught are often handled "discreetly" for various reasons; it's much the same as any other white-collar criminal.

Recently, another "type" has been detected: the deliberate saboteur/thief with an organization or even a government behind him or her. This was the case with the China/U.S. "hacker wars" that raged in connection with the spy plane getting shot down a couple of years ago, and it very well may be the motive behind the wave of SoBig variants.

Some digital security experts believe that there are criminal elements attempting to gain control over high numbers of random PCs connected to the Internet, and the "home user" is actually being targeted for this purpose, rather than corporations.

Storm clouds on the horizon?
After years of "cat-and-mouse" with enterprise-level networks, either corporate or governmental, it has become clear that these large networks are becoming mostly well defended. The home user, on the other hand, has been fairly ignored for having less to plunder, even in large numbers. But the “zombie” has changed the attitude that home users aren’t worth attacking.

A simple denial of service (DoS) attack would be when a few misguided losers get together and all set their machines to "PING -T" a specific host. There are a few problems with this. First, it's hard to make a dent in the capacity of modern firewalls and networks. Second, they all get caught. An improvement is the distributed denial of service (DDoS), in which perhaps thousands of machines target a specific host. A way to do this is to spread a worm Internet-wide and leverage the attack by a huge factor by inserting a Trojan as a payload, set to activate simultaneously at a certain time and at a certain target. Machines so enlisted are called "zombies," and a horde of them can make a dent. With a little IP spoofing, even the unwitting accomplices can be masked. Since the proliferation of broadband service out to home users (who often don't worry about securing their machines much), a lot of packets can be thrown over a short time.

It makes for a great prank, in theory, but it's still just that—a prank. And, as Microsoft demonstrated against Blaster/LovSan, a simple configuration change can be made (with or without advance warning), removing the target entirely. Improvements are possible, such as not designating the time or the target URL in the code, relying instead upon a message that activates the zombie and passes that information on. Of course, this technique could be used to harass and diminish business competitors' connectivity, but there are serious legal risks attached to that.

And you thought POPUPS were bad...
Oh, the poor spammers. Once upon a time, they were able to sneak unsolicited advertisements out to everyone on the Internet. Then, things got tougher. Not only were tools developed to filter out these ads, but the legal system got involved too. Uncontrolled spamming can now land an outfit in the soup. After all, it's difficult, even undesirable, to remain anonymous when you're trying to ship products and provide services over the wire. You'd like customers to be able to send you money, and your identity/location is then pegged. You have to play by the rules. That's no fun. So, enter the zombie recruits.

By sending off e-mails that Joe Beercan is almost guaranteed to check out (“Naked Wife!” “Free Movie!” “Jackpot Winner!”), large numbers of Trojans can be placed on random home-user machines and fired off on command to large numbers of random e-mail addresses leeched from files on those millions of home PCs. If the invader isn't too greedy or too whimsical, and doesn't send out so many packets that the machine's performance is degraded (and avoids little tricks like a barrage of dialog boxes saying, "Ha Ha lam0r i 0wnz j00!"), that home machine can quietly and efficiently be co-opted as an advertising device—one not difficult to find at all, and one that is near-impossible to trace back to the spammer source.

Obviously, that's a tough "happy medium" to hit. One would need to run many field experiments to fine-tune the technique. That's exactly what the "SoBig" strain is suspected of being, a purposeful series of experiments, conducted in the largest computer lab in the world—the Internet.

The bad news is that this is bad
The worse news is that the cure could wind up being worse. When government regulations get involved, that's usually what happens.