Since the first computer viruses appeared in
the DOS era, there’s been an ongoing digital arms race between the
authors of malicious code and the companies that write antivirus
software. Many people believe there’s a global conspiracy going on
between these two factions to benefit both groups. And for some,
increasing virus and worm outbreaks only strengthen this
belief.

It’s certainly true that antivirus software
wouldn’t exist if there were no worms and viruses, but that doesn’t
mean antivirus companies hire people to write worms and viruses. In
my opinion, there are many intelligent people in the world who
enjoy nothing better than creating malicious code and preying on
the incompetence of people using computer systems.

The majority of computer users expect computers
to work properly without any maintenance at all. These are the same
people who mindlessly click executable e-mail attachments, causing
worms and viruses to spread unchecked.

From what I’ve seen in more than 20 years of
working as an IT pro, the conspiracy argument doesn’t hold a lot of
water—because it doesn’t take into account the incompetence of the
average computer user. I think it’s safe to say that at least 90
percent of the people using computers are ignorant of the details
of how they work.

For a conspiracy to occur, there would need to
be collusion and incentive. Money is usually good enough for most
people, and companies that produce antivirus software obviously
make money. But no one has managed to locate a trail of money from
antivirus companies to the people who are writing worms and
viruses.

Let’s look at how we find out about
vulnerabilities in the first place. Security researchers, both
independent and affiliated with Internet security firms, are
usually the ones who find the vulnerability in a specific piece of
software.

While there is no formal, worldwide-sanctioned
procedure, it’s customary for security researchers to notify the
author or publisher when they find an exploitable software defect.
Whether researchers receive compensation for their work does not
justify a conspiracy.

After notification, the author of the
vulnerable software then has time to evaluate and respond to the
vulnerability with patches and a formal advisory. After determining
corrective measures and making them available, the author then
announces the vulnerability to the public. But it’s then up to
individual users to patch their systems.

Once the author publishes the information about
a vulnerability, it’s only a matter of time before someone takes
that information and writes an exploit. After the author discloses
the vulnerability, anyone with moderate programming ability can
use the information to produce a worm or virus.

The fact that laws exist against releasing
malicious code doesn’t stop the majority of virus and worm authors
from writing them. And their incentive to write an exploit has much
more to do with bravado and bragging rights than money.

If an antivirus conspiracy existed on a global
level, I’m certain that the various law enforcement agencies around
the world would have already found a money trail leading from
antivirus companies to worm and virus authors.

Worm and virus authors simply use publicly
available details on vulnerabilities and exploits and write their
code from that information. Antivirus software companies only
benefit from this indirectly.

Would you rather have the information about
vulnerabilities kept secret? Now that would be a conspiracy—one
that makes sure that people know even less than they already do
about their computers.


Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.