By Jonathan Yarden
Since the first computer viruses appeared in the DOS era, there's been an ongoing digital arms race between the authors of malicious code and the companies that write antivirus software. Many people believe there's a global conspiracy going on between these two factions to benefit both groups. And for some, increasing virus and worm outbreaks, such as MSBlast, Nachi, and SoBig.F, only strengthen this belief.
It's certainly true that antivirus software wouldn't exist if there were no worms and viruses, but that doesn't mean antivirus companies hire people to write worms and viruses. In my opinion, there are many intelligent people in the world who enjoy nothing better than creating malicious code and preying on the incompetence of people using computer systems.
The majority of computer users expect computers to work properly without any maintenance at all. These are the same people who mindlessly click executable e-mail attachments, causing worms and viruses to spread unchecked.
From what I've seen in more than 20 years of working as an IT pro, the conspiracy argument doesn't hold a lot of water—because it doesn't take into account the incompetence of the average computer user. I think it's safe to say that at least 90 percent of the people using computers are ignorant to the details of how they work.
For a conspiracy to occur, there would need to be collusion and incentive. Money is usually good enough for most people, and companies that produce antivirus software obviously make money. But no one has managed to locate a trail of money from antivirus companies to the people who are writing worms and viruses.
Let's look at how we find out about vulnerabilities in the first place. Security researchers, both independent and affiliated with Internet security firms, are usually the ones who find the vulnerability in a specific piece of software.
While there is no formal, worldwide-sanctioned procedure, it's customary for security researchers to notify the author or publisher when they find an exploitable software defect. Whether researchers receive compensation for their work does not justify a conspiracy.
After notification, the author of the vulnerable software then has time to evaluate and respond to the vulnerability with patches and a formal advisory. After determining corrective measures and making them available, the author then announces the vulnerability to the public. But it's then up to individual users to patch their systems.
Once the author publishes the information about a vulnerability, it's only a matter of time before someone takes that information and writes an exploit. After the author discloses the vulnerability, anyone with a moderate programming ability can use the information to produce a worm or virus.
The fact that laws exist against releasing malicious code doesn't stop the majority of virus and worm authors from writing them. And their incentive to write an exploit has much more to do with bravado and bragging rights than money.
If an antivirus conspiracy existed on a global level, I'm certain that the various law enforcement agencies around the world would have already found a money trail leading from antivirus companies to worm and virus authors.
Worm and virus authors simply use publicly available details on vulnerabilities and exploits and write their code from that information. Antivirus software companies only benefit from this indirectly.
Would you rather have the information about vulnerabilities kept secret? Now that would be a conspiracy—one that makes sure that people know even less than they already do about their computers.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.