[ISN] Virus Writers Here to 'Help'

From: InfoSec News (isnat_private)
Date: Tue Jan 08 2002 - 00:50:45 PST

  • Next message: InfoSec News: "[ISN] Perspectives: Time to make Pittsburgh cybersecurity center"

    By Michelle Delio 
    2:00 a.m. Jan. 7, 2002 PST  
    Although it may seem trite to fret about computer virus attacks when
    compared with larger global security concerns, a seemingly endless
    onslaught of virtual vermin plagued computer users in 2001.
    "In 1999, we were catching one virus per hour," said Alex Shipp, chief
    technology officer at Messagelabs, a security firm. "In 2000, it was
    one every three minutes and now in 2001 it is one every 30 seconds,
    and rising." Other antiviral companies have reported similar
    Anyone whose computer or network has been disrupted by a piece of
    nasty code may be surprised to learn that some who create and release
    worms and viruses look upon their work as performing community
    service. Many virus writers say their "hobby" is a charitable donation
    of their time as they provide skills to help others who are less
    fortunate -- or at least less technically inclined - to learn about
    computer security.
    "Better that you find out about a hole in your system through my
    virus, than through some unethical cracker smashing into your machine
    and stealing all your so-called private data," said a worm writer who
    asked only to be identified as CAT (for "Criminal and Anonymous
    They also contend that their malicious code helps to keep some
    computer security experts employed. And some virus coders believe that
    anonymously releasing worms is safer than reporting vulnerabilities to
    the software manufacturers themselves. They fear that companies will
    respond to a bug report with counter-charges of hacking.
    "C'mon, none of the big software companies are going to press charges
    against someone who reports a hole in their software," said Jeff
    Vondell, a copyright lawyer. "But there's a definite and growing
    attitude amongst some of my colleagues in other countries that in the
    U.S., the big corporations write the laws.... The arrest of that
    Russian programmer last summer certainly didn't help foster a feeling
    of confidence in our legal system in other countries."
    "Dmitri's (Sklyarov) case and that new U.S. law (the so-called Patriot
    bill) that classifies hackers as terrorists has forced a lot of people
    to think about whether it's safe to inform companies about security
    holes," said a virus writer who wanted to be identified only as Perro.
    "If they ask you how you found out, ask you to provide your research,
    can they then arrest you for hacking into their product?" wondered
    Perro. "Did you break their copyright when you looked at their program
    code? Some people, especially outside the U.S., think it's now safer
    to release a worm than make a bug report."
    Sklyarov and his employer, Moscow-based ElcomSoft, were charged last
    July with violating the Digital Millennium Copyright Act for selling a
    program that allows users to disable copyright restrictions on Adobe's
    e-book software. Sklyarov, who coded the eBook processor, was arrested
    at a hackers' convention in the United States and imprisoned for
    almost four weeks. The charges were later dropped.
    Sklyarov's arrest was followed by protests from those who believe the
    DMCA, a law that punishes anyone who distributes "any technology,
    product, service, device, component or part" which bypasses
    copy-protection mechanisms, will also be used against those who expose
    security flaws.
    "You (software manufacturers) declared war on us, and we have accepted
    it," CAT said, in reference to the Sklyarov case. "We are called
    criminals. We have been arrested for pinpointing vulnerabilities. So
    how else we can get your attention but by releasing worms?"
    But not everyone agrees with hackers' fears and rationalizations for
    their activities.
    "I have never heard of a company prosecuting someone who reported a
    security hole to them, but they can report these problems anonymously
    if they are worried," said Jerry Freese, intelligence officer at
    Vigilinx, a security assessment firm. "They can also alert a trusted
    member of the media or security community if action isn't taken. There
    is nothing noble about wreaking havoc in the e-world, on what has
    become a critical part of the economic and social structure."
    According to Computer Economics, the Code Red worm alone cost an
    estimated $2.6 billion in lost productivity and clean up.
    Vondell noted that Sklyarov wasn't arrested for pointing out security
    vulnerabilities, but for distributing a product that took advantage of
    those vulnerabilities. But virus writers also correctly point out that
    Sklyarov wasn't distributing the product; his employer was.
    Other virus writers are merely young adults or teens who seem to think
    that releasing a virus is nothing more than a modern version of a
    prank phone call. They just get a kick out of writing self-replicating
    code and watching how far it spreads.
    Many virus writers said they write code out of anger, although they
    maintain it's not directed at the people whose machines their code
    infects. Still, they often consider their victims as laughably
    ignorant for allowing their machines to get infected.
    CAT pointed out that a significant amount of worms and viruses exploit
    vulnerabilities that are already well known and patchable.
    "Some (of these vulnerabilities) have even been known about for
    years," CAT said. "And the biggest of them has been known for
    centuries: 'Human Stupidity.'"
    Virus writers often save their real venom for software developers,
    governments that the writers feel favor "corporations over curiosity,"  
    and the antiviral firms who they say profit off their work but condemn
    them as criminals.
    "If we all decided to stop coding and releasing tomorrow, entire
    industries would collapse," Perro said. "Admit it: None of you who
    profits off our supposed bad deeds really want us to stop releasing
    our babies into the world, do you?"
    "There are responsible ways to alert people to problems, and
    irresponsible ones," said Sarah Gordon, senior research fellow at
    Symantec Security Response. "Creating a program that makes copies of
    itself, and setting it loose to run amok amidst an unsuspecting
    population is hardly responsible. It is not research, and it is not
    acceptable in our society."
    Russ Cooper, moderator of the NTBugTraq security mailing list,
    suggested that virus writers who see themselves as educators might
    consider "finding work that benefits the public in a positive way."
    "Write a new game based on the premise of teaching the player all of
    the different insecurities in their OS. Go to work for (software)  
    vendors as quality and assurance testers, or coders, working towards
    preventing exploits," Cooper said.
    While some security experts acknowledged the frustration they feel
    when a user clicks on a virus-laden, e-mailed attachment "yet again,"  
    or doesn't stay current with security patches, they didn't feel that
    releasing viruses was a valid response to the situation.
    "Yes, you can get into an emotional state where you feel that users
    are getting what they deserve," said Steven Silverman, a systems
    administrator. "But we all know it's not fair to take advantage of
    others' stupidity. I have a pretty shitty sense of balance, but I'm
    trying hard to learn to skate. And, thankfully, the skilled skaters
    don't try to knock me down when they see me wobbling by."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 05:55:30 PST