The Black Baron, Dark Avenger, Spanska, Nowhere Man. The names of virus authors may strike fear into the hearts of some computer users, but who are the people behind the mask? Who writes computer viruses? Are they, as some people imagine, evil, purple-haired geniuses cackling maniacally in their back bedrooms, Die Hard-style European cyberterrorists set on global domination, or a motorcycle gang of leather-clad grannies?
The truth is rather more mundane.
Anyone can write a virus - from a kid in his bedroom to the guy who delivers the mail.
Virus writers are not a homogenous group. It is not possible to stereotype them and assume that what is known about one is common to them all. In this way, there isn't really an "average" virus writer.
However, there are certain characteristics that seem to hold true for most virus writers. From my observation, the vast majority of virus writers appear to be male and are aged between 14 and 24. Girls don't seem to be very interested in writing and spreading malicious code.
Most virus writers also seem to "retire" when they reach their mid-20s or before. Unfortunately, there is a steady stream of adolescent males eager to replace them. That's not to say that all virus writers fit within this age group. David L. Smith, the author of the infamous Melissa virus, was 30 years-old when apprehended by the FBI.
Don't have to be Einstein
Viruses are remarkably easy to write -- certainly not the preserve of a genius. In particular, macro viruses (which typically infect Word documents and Excel spreadsheets) and Visual Basic Script viruses are written in an extremely simple-to-use language when compared to the viruses of the early 1990s, which were largely written in low-level machine code.
The freedom and lack of censorship on the internet has allowed virus-related web sites to spring up around the world. If you know where to look on the web, it can take less than 10 minutes to find over 10,000 viruses. Virus writers also have their own chat rooms, where they exchange information about viruses and educate "wannabe" virus writers. Some virus writers have even been known to create informal gangs such as YAM (Youth Against McAfee), 29A, ARCV (Association for Really Cruel Virus Writers) and the Beta Boys.
Virus writers also choose "handles" or pseudonyms. These not only provide anonymity, but also allow the virus writer to create a fantasy persona that may help them escape their humdrum, mundane, real existence. Just as young males are attracted to the WWF, one wonders how mature an individual who wants to call himself "Stormbringer" or "Colostomy BagBoy" can be.
But why?
Virus writers give various reasons for why they have chosen to write viruses. Some claim that they are written for educational purposes, or to illustrate the security weaknesses of an operating system. Those who claim this say that they are actually educating manufacturers and users alike by presenting them with the failings of the systems they are using. Of course, you don't need to create a problem to warn of a weakness.
Some virus writers have no sympathy for those they infect, claiming that if they are gullible enough to get caught, it is their own fault.
However, I believe most virus writers are unaware of the wide-scale damage and harm they can cause with their viruses, and are primarily motivated by curiosity, boredom and an inactive social life. Eventually they grow up, go to university, discover girls and stop writing viruses. Of course, the viruses they have released may carry on to cause problems for innocent users.
Virus writing is not illegal, and it probably should not be a crime. Anyone should be allowed to write a virus and keep it on *their* computer if they wish. They can even damage their own data if they want. But infecting other computers without the owners' permission is unacceptable, and unauthorized access and modification of computer data is a crime in many countries around the world.
Unfortunately, some countries have been slow to introduce computer crime laws. The case against Onel de Guzman, the alleged author of the LoveBug virus, was dropped in the Philippines because there was inadequate legislation at the time of his arrest.
Not all virus writers have been so lucky. The Black Baron, real name Christopher Pile, was sentenced to 18 months in a UK prison for the SMEG virus. "Smoke me a kipper, I'll be back for breakfast... unfortunately most of your data won't!!!" the virus said as it wiped hard drives in the mid 1990s.
David L. Smith, author of the Melissa virus (which he named after a stripper he had a crush on in Florida), has pleaded guilty to causing over $80 million worth of damage to businesses and is awaiting sentencing.
In Taiwan, Chen Ing Hau, the author of the so-called "Chernobyl" virus, has been detained by the authorities. However, this came after he had been paraded in the public and offered a job by Wahoo International Enterprises, a supplier of Linux software, on the back of his infamous virus that reportedly infected hundreds of millions of computers in the Far East.
Don't encourage them
There is a danger that if virus writers are not charged and are offered lucrative jobs this will encourage other people, especially children and teenagers, to take up virus writing themselves.
To stop this from happening children need to be educated about computer ethics from an early age. Nowadays, most children know how to use computers, email and the internet, but not necessarily how to do so safely and ethically. Without guidance there is always the risk that virus writing will come to be viewed as a "cool" activity. Instrumental to counteracting this is the uniform application of wider and stricter computer misuse laws. If people become aware of the penalties attached to virus writing, they will be less inclined to participate.
No, they are not geniuses or terrorists aiming to take over the world. But the viruses written by young people can have a dramatic impact on businesses. For this reason it is important to try and understand their motives, and do our best to teach young people that virus writing is wrong.
About the author:
Graham Cluley is the head of corporation communications at Sophos, a worldwide developer of anti-virus and encryption software.
