Why do people write viruses and other mobile malicious code? The answer isn't as simple as it used to be.
The image of virus writers as intelligent kids with too much time on their hands resorting to digital vandalism to entertain themselves persists. Years ago, making such a guess about why people write viruses might have been accurate most of the time, but the world has moved on. The writers of viruses and other mobile malicious code are many and varied, and their reasons are as wide-ranging as they are, themselves.
The forms of replicating mobile malicious code are multifarious, too. The most common forms are viruses, worms, and trojans, though non-replicating equivalents are gaining prominence as well. Cross-site scripting is an example of non-replicating code that serves much the same purpose as self-replicating malicious code; it can affect millions without having to actually "infect" the victim's computer at all.
I can't claim to know why everybody who writes malicious code does so. I haven't met them all. I can make some generalizations about reasons people might do so, though.
- Anger Issues: There are those who, for whatever reason, just do destructive things for the sake of their destructiveness. They may be malicious narcissists, psychopaths, or just so self-centered in their impression that the whole world is against them that they will blindly lash out at anyone and everyone when they get the chance. For such people, who I believe are a thankfully rare breed, the harm they cause others has no point beyond the harm itself. They are unreasoningly destructive, and that's pretty much all there is to it. They might think they're misunderstood, and want to communicate with the world by harming it in some way -- and maybe they're right, that people just don't understand them deep down. When they react to this state of affairs by maliciously setting out to harm anonymous strangers, however, I don't think I want to understand them beyond the minimum required to track them down and put a stop to their antisocial behavior. Your mileage may vary, especially if you're a criminal psychologist.
- Do It For The Lulz: Some still do it for the "fun" of destruction. They may get a thrill out of reading news items about their work causing people trouble, or they may just take a fire-and-forget approach, creating destructive, self-replicating programs for the joy of it without much caring whether they ever see the consequences themselves. Mostly, I'm sure they find it funny to read about people being inconvenienced by what they've done. In short, some people write mobile malicious code for the same reasons vandals break windows and spray paint garage doors that belong to people they don't even know.
- Espionage: I'm not talking about sabotage here; I'll address that later. By "espionage", I mean attempts to gather information through underhanded means for reasons other than identity fraud and other directly, criminally profitable purposes. Viruses, worms, trojans, and even backdoors and other malicious code slipped into your software by the vendor may serve the purposes of espionage. People worry about the potential for Chinese manufactured computers having some kind of hardware backdoor built into them; conspiracy theories about commercial software vendors being required to provide backdoor access to the NSA run rampant; the government of India famously demanded that Blackberry provide universal decryption keys for all Blackberry devices sold in the country; and the NSA's Dual_EC_DRBG NIST encryption standard may itself include a backdoor of sorts as I mentioned in What my grandmother taught me about IT security.Considering the fiasco of federal warrantless wiretapping violations of the law during the Bush Administration's tenure, and the worse violations hinted at by several officials' carefully phrased testimony that such worse violations weren't a part of this particular program, it would be foolish to assume that government agencies never spy on people via software. How many of you remember ECHELON?
- Online Gangs: It probably sounds like something out of a 1980s vintage techno-thriller like Bruce Sterling's Islands in the Net, but it is disturbingly becoming a reality -- there are actual "gangs" of angry, or just plain ignorant, kids who engage in digital vandalism as part of a misdirected urge to enhance group identity and personal pride in a fractious, underground community. Such groups may target each other or, more often, some third party whose troubles at the hands of such a gang of vandals will be easily noticed and identified. With dramatic names like "Team Holocaust" and "Phalcon SKISMs", such "cybergangs" may occasionally claim a higher purpose (like YAM), but may also have no pretentions of purpose other than claiming a strong group identity -- like being a Denver Broncos fan, except they mark their territory with digital vandalism instead of by painting their torsos orange and waving giant foam fingers in the air.
- The Hacker Instinct: Keep in mind the difference between a hacker and a security cracker. With that in mind, people with a hacker mindset usually find themselves eventually drawn to specific fields of interest. In some cases, that interest might revolve around understanding self-replicating mobile malicious code. Sometimes, the best way to understand something is to experiment with different ways to create examples of it. Sometimes, the best way to test something you've created is to see it operating under real world conditions. Some immoral or amoral hackers with an interest in self-replicating mobile malicious code may test their creations by releasing them into the wild and seeing how they do.
- Money Money Money: Most writers of malicious code in the wild these days seem to fall into this category; people who are in it for the filthy lucre. Viruses and worms often carry payloads that open up avenues of intrusion into a system, providing a means for either security crackers or their automated tools to slip past the system's defenses. Such automated tools can harvest authentication information and other sensitive data (such as for reasons of identity fraud), set themselves up as automated spam generators, or contact a centralized control mechanism of some sort such as an IRC chatroom to create a botnet of thousands, or even millions, of unwitting users' computers, all of which can be controlled simultaneously by a single security cracker. It is increasingly common for botnets to be offered for rent, for any of a vast number of reasons.
- Political Agitation: Sometimes, digital vandalism -- whether accomplished by a virus, a worm, a DDoS attack, or some other means -- can be accomplished for the purpose of making a statement. Whether the reason for something like that is directly political in the sense of addressing matters related to government or more indirectly political such as unignorably interfering with certain types of Web sites and other operations of some class of people with whom one disagrees somehow, the point is sometimes to make people who aren't directly responsible for whatever's being targeted aware of one's own disapproval of those targets. DDoS and other attacks against Microsoft or Yahoo! might fall into this category.Depending on their specific choices of targets and their motivating issues, some such political agitators (as in the case of those targeting, and protesting, Chinese and Australian national firewall policies) might even be admirable for their principles and the courage of their convictions to some degree. In extreme cases, on the other hand, such as where large numbers of innocent bystanders are materially harmed (having their checking accounts wiped out to make a political statement, perhaps), action taken on behalf of this kind of motivation might reasonably be called "terrorism".
- Romance And Drama: Some may be drawn in by the perceived romance and drama of a criminal life itself. Just as some people may start out seduced to a life of crime by the power they perceive in street pushers in their neighborhoods, the exploits of cat burglars in movies, or the rare reports of some criminals who always seem to get away with their criminal acts in the news, the artificial mystique manufactured by the media around "Computer Hackers" can inspire the aspirations of the amoral youth with technical talents. Because of the character of certain online communities, it can be much easier sometimes to feed one's own delusions of the romance and drama of being a "Computer Hacker" for a long time than in most other criminal enterprises where the physically gritty, and petty, reality of what they do becomes quickly inescapable. Once fully absorbed within such an insulated, self-reinforcing fantasy life, I don't know how easy it is to overcome the illusion and realize that one has become nothing but a criminal security cracker, that being a real hacker is about skill and not 1337 h4xx0r nicknames, without being forcibly disillusioned by getting caught, prosecuted, and imprisoned for one's crimes.
- Sabotage: Sometimes the purpose of malicious code might be directly targeted at disrupting the operations of some class of people one doesn't like. While this sort of behavior might seem superficially similar to that of "terrorism" as described in the Political Agitation paragraph above, or to vandalism as described above, it's not terrorism, and it's more personal than typical vandalism. It is a simple criminal act, aimed at a specific target, more akin to assault. People with business interests may do this not for profit or for political purposes, but to damage other businesses' ability to compete, at least temporarily. Government agencies may do so to try to bully another government into doing something it doesn't want to do, as appears to have been the case in the Estonian "cyberwar". The motivation to sabotage may even be based on something as petty as personal revenge.
If I had to guess, I'd say that the most common reasons to write viruses these days, by far, are at least somewhat profit-motivated. The I Love You email virus was kind of a watershed incident, in that it was the point where a lot of people really started noticing the growing trend in profit-generating mobile malicious code.
Any attempt to explain away all virus, worm, and other malicious code writing using a single generalization is unreasonably simplistic, though. Virus writers are people, too -- at least in that they may have any of millions of different motivations for what they do -- even if they're often subhuman in some respects as well (notably their ethical development). Most are probably motivated by some combination of more than one of the above suggestions, in fact, and perhaps by other reasons as well.