Malware - Who and Why

Very little is known about virus writers, much less malware authors in general. The reason for this is simple: very few of them are ever found. Furthermore, the limited research that has been done does not support Hruska's quote above. The two big questions that the existing research begins to answer are who writes malware, and why do they do it?

Who?

Humans are a diverse lot, and there is always a danger when generalizing about any group of people. The work that has been done on virus writers has looked at four factors: age, sex, moral development, and technical skill.

The age of virus writers is varied. There are the stereotypical young adolescents, but also college students and employed adult professionals. The explosive growth of malware has really only taken place since the mid-1980s, and it is possible that older virus writers will be seen as time goes on.

Virus writers are predominantly male, with only occasional exceptions. Females are typically regarded as inferior in the virus community, so it wouldn't be a particularly welcoming environment for them. There is also a theory that gender differences in moral development may partially explain the lack of females.

With respect to ethical and moral development, not all virus writers are the same, and some fall within "normal" ranges. There is also a general distaste for deliberately destructive code amongst the virus writers studied, and there is no one directly targeted by viruses - with the possible exception of anti-virus researchers! The lack of interest in destruction is borne out by the relatively small amount of malware which tries to do damage. The main reason that ethically-normal virus writers stop writing viruses is simply that they grow out of it.

Finally, there are the technical skills of virus writers, which are often derided by the anti-virus community. As with any software development, the barrier to entry is low for virus writing, and consequently a fair degree of bad programming is seen in virus writing as it is in any programming discipline. However, virus writers with real impact must have a variety of skills to field techniques like stealth and polymorphism, or employ lateral thinking to exploit new and unguarded attack vectors. Arguably the skill level of virus writers is a direct reflection of the increasing sophistication level of anti-virus defenses.

Why?

Attributing the motivation to write malware to a single factor is a gross oversimplification. In fact, not all driving forces behind the creation of malware may even be conscious motivations. Malware may be written for a variety of reasons, including:

  • Fascination with technology. Exploring technology underpins hacker culture, and the same ideas apply to creating malware. Creating malware, like writing any software, poses an intellectual challenge. In fact, since the anti-virus community acts as an opponent, writing malware may even have a greater draw from a game-playing point of view than other forms of software development.

  • Fame. Virus writers are known to form informal groups to exchange information and communicate with like-minded people. As with any group, people may want to achieve fame within their community, which would mean creating cleverly-written malware with impact. Having a creation appear on the "top ten" lists of malware that many anti-virus companies maintain for their customers' information can result in prestige for the creator.

  • Graffiti. Malware writing can serve as a form of expression in much the same way that graffiti does in the physical world. Arguably, this is a malicious act, but one not specifically targeted to any one person or group.
  • Revenge. Malware can be used to exact revenge for some real or imagined slight, by a disgruntled employee or ex-spouse, for instance.
  • Ideology. Ideological motivations are difficult to assess unless the malware writer is found, because what appears to be political or religious motivation may just be a red herring. Having said that, there have been some instances which suggest this underlying cause. One version of the Code Red worm attempted a DDoS on the White House web site, for instance. The Cager Trojan horse may have been religiously-motivated, because it tried to prevent infected machines from viewing adult web sites - an offender would be presented with a quote from the Qur'an in Arabic, English, and Persian, followed by advice in Persian on how to atone for looking at naughty pictures on the Internet.

  • Commercial sabotage. Malware can be hard to target accurately, but some attempts at sabotaging a single company have been seen. This may tie in to schemes for revenge, or possibly financial gain for a malware writer who hopes to take advantage of lower stock prices, for example.
  • Extortion. On occasion, malware has been used on a large scale to try to extort money from people.
  • Warfare and espionage. Malware can be used for military or intelligence purposes, or as a complement to traditional forms of warfare. Such malware can be employed by both established armies and terrorist groups.
  • Malware battles. In a relatively recent development, malware writers can have their creations fight one another using the Internet as their battleground. This was seen in the Mydoom/Netsky/Bagle episode in 2004.
  • Commercial gain. Malware skills may be leveraged in various ways by others, resulting in malware authors being paid for their wares. For example, use of worm-constructed botnets may be sold to spammers.

Again, humans are complicated, and their motivations may not be simple. The graffiti motivation is an interesting one which deserves further research. There is a relatively large amount of research on graffiti artists, and the parallels to virus writers are compelling.

Females are marginalized there too; it has been suggested that females express "graffiti urges" in different ways than males, and also that the graffiti subculture is an inherently masculine one. Graffiti writers have an adversarial relationship with the authorities trying to stop them, but the two groups also share a curious bond.

Motivations for graffiti writers flow from the adversarial contest, but also a desire for fame within their subculture, and a love of the art. Equivalents to malware battles and commercial gain exist in the graffiti world too.