PhiletOast3r's friends finally arrived with a fresh case of ale, and his blue eyes lit up. He flicked open a bottle using the edge of his cigarette lighter and toasted the others. A tall blond friend in a jacket festooned with anti-Nike logos put his arm around PhiletOast3r and beamed.
"This guy," he proclaimed, "is the best at Visual Basic."
In the virus underground, that's love. Visual Basic is a computer language popular among malware authors for its simplicity; PhiletOast3r has used it to create several of the two dozen viruses he's written. From this tiny tourist town, he works as an assistant in a home for the mentally disabled and in his spare time runs an international virus-writers' group called the "Ready Rangers Liberation Front." He founded the group three years ago with a few bored high school friends in his even tinier hometown nearby. I met him, like everyone profiled in this article, online, first e-mailing him, then chatting in an Internet Relay Chat channel where virus writers meet and trade tips and war stories.
PhiletOast3r got interested in malware the same way most virus authors do: his own computer was hit by a virus. He wanted to know how it worked and began hunting down virus-writers' Web sites. He discovered years' worth of viruses online, all easily downloadable, as well as primers full of coding tricks. He spent long evenings hanging out in online chat rooms, asking questions, and soon began writing his own worms.
One might assume PhiletOast3r would favor destructive viruses, given the fact that his apartment is decorated top-to-bottom with anticorporate stickers. But PhiletOast3r's viruses, like those of many malware writers, are often surprisingly mild things carrying goofy payloads. One worm does nothing but display a picture of a raised middle finger on your computer screen, then sheepishly apologize for the gesture. ("Hey, this is not meant to you! I just wanted to show my payload.") Another one he is currently developing will install two artificial intelligence chat-agents on your computer; they appear in a pop-up window, talking to each other nervously about whether your antivirus software is going to catch and delete them. PhiletOast3r said he was also working on something sneakier: a "keylogger." It's a Trojan virus that monitors every keystroke its victim types, including passwords and confidential e-mail messages, then secretly mails out copies to whoever planted the virus. Anyone who spreads this Trojan would be able to quickly harvest huge amounts of sensitive personal information.
Technically, "viruses" and "worms" are slightly different things. When a virus arrives on your computer, it disguises itself. It might look like an OutKast song ("hey_ya.mp3"), but if you look more closely, you'll see it has an unusual suffix, like "hey_ya.mp3.exe." That's because it isn't an MP3 file at all. It's a tiny program, and when you click on it, it will reprogram parts of your computer to do something new, like display a message. A virus cannot kick-start itself; a human needs to be fooled into clicking on it. This turns virus writers into armchair psychologists, always hunting for new tricks to dupe someone into activating a virus. ("All virus-spreading," one virus writer said caustically, "is based on the idiotic behavior of the users.")
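The disguise described above, a harmless-looking suffix followed by the real executable one, is something a mail filter can test for mechanically. The following is an added example, not code from the article or from anyone profiled in it; the function name and both extension lists are illustrative assumptions, and it goes slightly beyond the "hey_ya.mp3.exe" case by also catching padded, trailing-dot and reversed-display names.

```python
# Added illustration: flag attachment names that pose as media or documents.
# EXECUTABLE and DECOY are assumed policy lists; tune them for your gateway.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
DECOY = {"mp3", "jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "avi", "zip"}
# Unicode bidirectional controls can reverse how a file name is displayed.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def classify_attachment(name: str) -> str:
    """Return 'disguised-executable', 'executable' or 'ok' for a file name."""
    if any(ch in BIDI_CONTROLS for ch in name):
        return "disguised-executable"
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    cleaned = name.strip().rstrip(". ").lower()
    # Strip each part so whitespace padding before the real suffix is ignored.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return "ok"
    # An executable suffix directly after a media/document suffix is the disguise.
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "disguised-executable"
    return "executable"


def flag_attachments(names):
    """Return the names a gateway should quarantine, with the reason for each."""
    verdicts = ((n, classify_attachment(n)) for n in names)
    return [(n, v) for n, v in verdicts if v != "ok"]


if __name__ == "__main__":
    # Constructed sample names, modelled on the article's example.
    sample = ["hey_ya.mp3", "hey_ya.mp3.exe", "HEY_YA.MP3        .EXE",
              "photo.jpg.scr. ", "setup.exe", "notes.txt"]
    for name, verdict in flag_attachments(sample):
        print(f"{verdict:22} {name!r}")
```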
Worms, in contrast, usually do not require any human intervention to spread. That means they can travel at the breakneck pace of computers themselves. Unlike a virus, a worm generally does not alter or destroy data on a computer. Its danger lies in its speed: when a worm multiplies, it often generates enough traffic to brown out Internet servers, like air conditioners bringing down the power grid on a hot summer day. The most popular worms today are "mass mailers," which attack a victim's computer, swipe the addresses out of Microsoft Outlook (the world's most common e-mail program), and send a copy of the worm to everyone in the victim's address book. These days, the distinction between worm and virus is breaking down. A worm will carry a virus with it, dropping it onto the victim's hard drive to do its work, then e-mailing itself off to a new target.
The most ferocious threats today are "network worms," which exploit a particular flaw in a software product (often one by Microsoft). The author of Slammer, for example, noticed a flaw in Microsoft's SQL Server, an online database commonly used by businesses and governments. The Slammer worm would find an unprotected SQL server, then would fire bursts of information at it, flooding the server's data "buffer," like a cup filled to the brim with water. Once its buffer was full, the server could be tricked into sending out thousands of new copies of the worm to other servers. Normally, a server should not allow an outside agent to control it that way, but Microsoft had neglected to defend against such an attack. Using that flaw, Slammer flooded the Internet with fifty-five million blasts of data per second and in only ten minutes colonized almost all vulnerable machines. The attacks slowed the 911 system in Bellevue, Washington, a Seattle suburb, to such a degree that operators had to resort to a manual method of tracking calls.
PhiletOast3r said he isn't interested in producing a network worm, but he said it wouldn't be hard if he wanted to do it. He would scour the Web sites where computer-security professionals report any new software vulnerabilities they discover. Often, these security white papers will explain the flaw in such detail that they practically provide a road map on how to write a worm that exploits it. "Then I would use it," he concluded. "It's that simple."
Computer-science experts have a phrase for that type of fast-spreading epidemic: "a Warhol worm," in honor of Andy Warhol's prediction that everyone would be famous for fifteen minutes. "In computer terms, fifteen minutes is a really long time," says Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, who coined the Warhol term. "The worm moves faster than humans can respond." He suspects that even more damaging worms are on the way. All a worm writer needs to do is find a significant new flaw in a Microsoft product, then write some code that exploits it. Even Microsoft admits that there are flaws the company doesn't yet know about.
Virus writers are especially hostile toward Microsoft, the perennial whipping boy of the geek world. From their (somewhat self-serving) point of view, Microsoft is to blame for the worm epidemic, because the company frequently leaves flaws in its products that allow malware to spread. Microsoft markets its products to less expert computer users, cultivating precisely the sort of gullible victims who click on disguised virus attachments. But it is Microsoft's success that really makes it such an attractive target: since more than 90 percent of desktop computers run Windows, worm writers target Microsoft in order to hit the largest possible number of victims. (By relying so exclusively on Microsoft products, virus authors say, we have created a digital monoculture, a dangerous thinning of the Internet's gene pool.)
Microsoft officials disagree that their programs are poor quality, of course. And it is also possible that their products are targeted because it has become cool to do so. "There's sort of a natural tendency to go after the biggest dog," says Phil Reitinger, senior security strategist for Microsoft. Reitinger says that the company is working to make its products more secure. But Microsoft is now so angry that it has launched a counterattack. Last fall, Microsoft set up a $5 million fund to pay for information leading to the capture of writers who target Windows machines. So far, the company has announced $250,000 bounties for the creators of Blaster, Sobig.F and Mydoom.B.
The motivations of the top virus writers can often seem paradoxical. They spend hours dreaming up new strategies to infect computers, then hours more bringing them to reality. Yet when they're done, most of them say they have little interest in turning their creations free. (In fact, 99 percent of all malware never successfully spreads in the wild, either because it expressly wasn't designed to do so or because the author was inept and misprogrammed his virus.) Though PhiletOast3r is proud of his keylogger, he said he does not intend to release it into the wild. His reason is partly one of self-protection; he wouldn't want the police to trace it back to him. But he also said he does not ethically believe in damaging someone else's computer.