One of the youngest virus writers I visited was Stephen Mathieson, a sixteen-year-old in Detroit whose screen name is Kefi. He also belongs to PhiletOast3r's Ready Rangers Liberation Front. A year ago, Mathieson became annoyed when he found members of another virus-writers group called Catfish_VX plagiarizing his code. So he wrote Evion, a worm specifically designed to taunt the Catfish guys. He put it up on his Web site for everyone to see. Like most of Mathieson's work, the worm had no destructive intent. It merely popped up a few cocky messages, including: Catfish_VX are lamers. This virus was constructed for them to steal.
Someone did in fact steal it, because pretty soon Mathieson heard reports of it being spotted in the wild. To this day, he does not know who circulated Evion. But he suspects it was probably a random troublemaker, a script kiddie who swiped it from his site. "The kids," he said, shaking his head, "just cut and paste."
Quite aside from the strangeness of listening to a sixteen-year-old complain about "the kids," Mathieson's rhetoric glosses over a charged ethical and legal debate. It is tempting to wonder if the leading malware authors are lying - whether they do in fact circulate their worms on the sly, obsessed with a desire to see whether they will really work. While security officials say that may occasionally happen, they also say the top virus writers are quite likely telling the truth. "If you're writing important virus code, you're probably well trained," says David Perry, global director of education for Trend Micro, an antivirus company. "You know a number of tricks to write good code, but you don't want to go to prison. You have an income and stuff. It takes someone unaware of the consequences to release a virus."
But worm authors are hardly absolved of blame. By putting their code freely on the Web, virus writers essentially dangle temptation in front of every disgruntled teenager who goes online looking for a way to rebel. A cynic might say that malware authors rely on clueless script kiddies the same way that a drug dealer uses thirteen-year-olds to carry illegal goods - passing the liability off to a hapless mule.
"You've got several levels here," says Marc Rogers, a former police officer who now researches computer forensics at Purdue University. "You've got the guys who write it, and they know they shouldn't release it because it's illegal. So they put it out there knowing that some script kiddie who wants to feel like a big shot in the virus underground will put it out. They know these neophytes will jump on it. So they're grinning ear to ear, because their baby, their creation, is out there. But they didn't officially release it, so they don't get in trouble." He says he thinks that the original authors are just as blameworthy as the spreaders.
Sarah Gordon of Symantec also says the authors are ethically naive. "If you're going to say it's an artistic statement, there are more responsible ways to be artistic than to create code that costs people millions," she says. Critics like Reitinger, the Microsoft security chief, are even harsher. "To me, it's online arson," he says. "Launching a virus is no different from burning down a building. There are people who would never toss a Molotov cocktail into a warehouse, but they wouldn't think for a second about launching a virus."
What makes this issue particularly fuzzy is the nature of computer code. It skews the traditional intellectual question about studying dangerous topics. Academics who research nuclear-fission techniques, for example, worry that their research could help a terrorist make a weapon. Many publish their findings anyway, believing that the mere knowledge of how fission works won't help Al Qaeda get access to uranium or rocket parts.
But computer code is a different type of knowledge. The code for a virus is itself the weapon. You could read it in the same way you read a book, to help educate yourself about malware. Or you could set it running, turning it instantly into an active agent. Computer code blurs the line between speech and act. "It's like taking a gun and sticking bullets in it and sitting it on the counter and saying, 'Hey, free gun!'" Rogers says.
Some academics have pondered whether virus authors could be charged under conspiracy laws. Creating a virus, they theorize, might be considered a form of abetting a crime by providing materials. Ken Dunham, the head of "malicious code intelligence" for iDefense, a computer security company, notes that there are certainly many examples of virus authors assisting newcomers. He has been in chat rooms, he says, "where I can see people saying, 'How can I find vulnerable hosts?' And another guy says, 'Oh, go here, you can use this tool.' They're helping each other out."
There are virus writers who appreciate these complexities. But they are certain that the viruses they write count as protected speech. They insist they have a right to explore their interests. Indeed, a number of them say they are making the world a better place, because they openly expose the weaknesses of computer systems. When PhiletOast3r or Mario or Mathieson finishes a new virus, they say, they will immediately e-mail a copy of it to antivirus companies. That way, they explained, the companies can program their software to recognize and delete the virus should some script kiddie ever release it into the wild. This is further proof that they mean no harm with their hobby, as Mathieson pointed out. On the contrary, he said, their virus-writing strengthens the "immune system" of the Internet.
These moral nuances fall apart in the case of virus authors who are themselves willing to release worms into the wild. They're more rare, for obvious reasons. Usually they are overseas, in countries where the police are less concerned with software crimes. One such author is Melhacker, a young man who reportedly lives in Malaysia and has expressed sympathy for Osama bin Laden. Anti-virus companies have linked him to the development of several worms, including one that claims to come from the "Al Qaeda network." Before the Iraq war, he told a computer magazine that he would release a virulent worm if the United States attacked Iraq - a threat that proved hollow. When I e-mailed him, he described his favorite type of worm payload: "Stolen information from other people." He won't say which of his viruses he has himself spread and refuses to comment on his connection to the Qaeda worm. But in December on
Mathieson wrote a critical post in response, arguing that a good virus writer shouldn't need to spread his work. Virus authors are, in fact, sometimes quite chagrined when someone puts a dangerous worm into circulation, because it can cause a public backlash that hurts the entire virus community. When the Melissa virus raged out of control in 1999, many Internet service providers immediately shut down the Web sites of malware creators. Virus writers stormed online to pillory the Melissa author for turning his creation loose. "We don't need any more grief," one wrote.
If you ask cyberpolice and security experts about their greatest fears, they are not the traditional virus writers, like Mario or PhiletOast3r or Benny. For better or worse, those authors are a known quantity. What keeps antivirus people awake at night these days is an entirely new threat: worms created for explicit criminal purposes.
These began to emerge last year. Sobig in particular alarmed virus researchers. It was released six separate times throughout 2003, and each time, the worm was programmed to shut itself off permanently after a few days or weeks. Every time the worm appeared anew, it had been altered in a way that suggested a single author had been tinkering with it, observing its behavior in the wild, then killing off his creation to prepare a new and more insidious version. "It was a set of very well-controlled experiments," says