By Chad Perrin, et al
The image of virus writers as intelligent kids with too much time on their hands resorting to digital vandalism to entertain themselves persists. Years ago, making such a guess about why people write viruses might have been accurate most of the time, but the world has moved on. The writers of viruses and other mobile malicious code are many and varied, and their reasons are as wide-ranging as they are themselves.
There are those who, for whatever reason, just do destructive things for the sake of their destructiveness. They may be malicious narcissists, psychopaths, or just so self-centered in their impression that the whole world is against them that they will blindly lash out at anyone and everyone when they get the chance. For such people, who I believe are a thankfully rare breed, the harm they cause others has no point beyond the harm itself. They are unreasoningly destructive, and that’s pretty much all there is to it. They might think they’re misunderstood and want to communicate with the world by harming it in some way -- and maybe they’re right, that people just don’t understand them deep down. When they react to this state of affairs by maliciously setting out to harm anonymous strangers, however, I don’t think I want to understand them beyond the minimum required to track them down and put a stop to their antisocial behavior. Your mileage may vary, especially if you’re a criminal psychologist.
Do it for the Lulz
Some still do it for the “fun” of destruction. They may get a thrill out of reading news items about their work causing people trouble, or they may just take a fire-and-forget approach, creating destructive, self-replicating programs for the joy of it without much caring whether they ever see the consequences themselves. Mostly, I’m sure they find it funny to read about people being inconvenienced by what they’ve done. In short, some people write mobile malicious code for the same reasons vandals break windows and spray paint garage doors that belong to people they don’t even know.
I’m not talking about sabotage here; I’ll address that later. By “espionage,” I mean attempts to gather information through underhanded means for reasons other than identity fraud and other directly, criminally profitable purposes. Viruses, worms, Trojans, and even backdoors and other malicious code slipped into your software by the vendor may serve the purposes of espionage. People worry about the potential for Chinese manufactured computers having some kind of hardware backdoor built into them; conspiracy theories about commercial software vendors being required to provide backdoor access to the NSA run rampant; the government of India famously demanded that Blackberry provide universal decryption keys for all Blackberry devices sold in the country; and the NSA’s Dual_EC_DRBG NIST encryption standard may itself include a backdoor of sorts, as I mentioned in What my grandmother taught me about IT security. Considering the fiasco of federal warrantless wiretapping violations of the law during the Bush administration’s tenure, and the worse violations hinted at by several officials’ carefully phrased testimony that such worse violations weren’t a part of this particular program, it would be foolish to assume that government agencies never spy on people via software. How many of you remember ECHELON?
It probably sounds like something out of a 1980s vintage techno-thriller, like Bruce Sterling’s Islands in the Net, but it is disturbingly becoming a reality -- there are actual “gangs” of angry, or just plain ignorant, kids who engage in digital vandalism as part of a misdirected urge to enhance group identity and personal pride in a fractious, underground community. Such groups may target each other or, more often, some third party whose troubles at the hands of such a gang of vandals will be easily noticed and identified. With dramatic names like “Team Holocaust” and “Phalcon SKISMs,“ such cybergangs may occasionally claim a higher purpose (like YAM), but they may also have no pretensions of purpose other than claiming a strong group identity. Like being a Denver Broncos fan, except they mark their territory with digital vandalism instead of by painting their torsos orange and waving giant foam fingers in the air.
The hacker instinct
Keep in mind the difference between a hacker and a security cracker. People with a hacker mindset usually find themselves eventually drawn to specific fields of interest. In some cases, that interest might revolve around understanding self-replicating mobile malicious code. Sometimes, the best way to understand something is to experiment with different ways to create examples of it. Sometimes, the best way to test something you’ve created is to see it operating under real world conditions. Some immoral or amoral hackers with an interest in self-replicating mobile malicious code may test their creations by releasing them into the wild and seeing how they do.
Money money money
Most writers of malicious code in the wild these days seem to fall into this category; people who are in it for the filthy lucre. Viruses and worms often carry payloads that open up avenues of intrusion into a system, providing a means for either security crackers or their automated tools to slip past the system’s defenses. Such automated tools can harvest authentication information and other sensitive data (such as for reasons of identity fraud), set themselves up as automated spam generators, or contact a centralized control mechanism of some sort, such as an IRC chat room to create a botnet of thousands, or even millions, of unwitting users’ computers, all of which can be controlled simultaneously by a single security cracker. It is increasingly common for botnets to be offered for rent, for any of a vast number of reasons.
Sometimes, digital vandalism -- whether accomplished by a virus, a worm, a DDoS attack, or some other means -- can be accomplished for the purpose of making a statement. Whether the reason for something like that is directly political in the sense of addressing matters related to government or more indirectly political, such as interfering with certain types of Web sites and other operations of some class of people with whom one disagrees somehow, the point is sometimes to make people who aren’t directly responsible for whatever’s being targeted aware of one’s own disapproval of those targets. DDoS and other attacks against Microsoft or Yahoo! might fall into this category. Depending on their specific choices of targets and their motivating issues, some such political agitators (as in the case of those targeting and protesting Chinese and Australian national firewall policies) might even be admirable for their principles and the courage of their convictions to some degree. In extreme cases, on the other hand, such as where large numbers of innocent bystanders are materially harmed (having their checking accounts wiped out to make a political statement, perhaps), action taken on behalf of this kind of motivation might reasonably be called “terrorism.
Romance and drama
Some may be drawn in by the perceived romance and drama of a criminal life itself. Just as some people may start out seduced to a life of crime by the power they perceive in street pushers in their neighborhoods, the exploits of cat burglars in movies, or the rare reports of some criminals who always seem to get away with their criminal acts in the news, the artificial mystique manufactured by the media around “Computer Hackers” can inspire the aspirations of the amoral youth with technical talents. Because of the character of certain online communities, it can be much easier sometimes to feed one’s own delusions of the romance and drama of being a “Computer Hacker” for a longer time than in most other criminal enterprises where the physically gritty, and petty, reality of what they do becomes quickly inescapable. Once fully absorbed within such an insulated, self-reinforcing fantasy life, I don’t know how easy it is to overcome the illusion and realize that one has become nothing but a criminal security cracker -- that being a real hacker is about skill and not 1337 h4xx0r nicknames -- without being forcibly disillusioned by getting caught, prosecuted, and imprisoned for one’s crimes.
Sometimes the purpose of malicious code might be directly targeted at disrupting the operations of some class of people one doesn’t like. While this sort of behavior might seem superficially similar to that of terrorism as described under "Political agitation," or to vandalism as described under "Online gangs," it’s not terrorism, and it’s more personal than typical vandalism. It is a simple criminal act, aimed at a specific target, more akin to assault. People with business interests may do this not for profit or for political purposes, but to damage other businesses’ ability to compete, at least temporarily. Government agencies may do so to try to bully another government into doing something it doesn’t want to do, as appears to have been the case in the Estonian “cyberwar.” The motivation to sabotage may even be based on something as petty as personal revenge.
The intellectual challenge (and to pass the time)
From member jim.parlett: Why do people play online games? Why do people do crosswords or play chess? It's the element of competition, pitting your wits and skill against that of others. It's a competition to see who can write the best virus, who can beat the antivirus companies, who can beat Microsoft's developers. I suspect the vast majority of virus writers are male, because competitiveness is a predominantly (but certainly not exclusively) male trait. It's not necessarily about being malicious, not always about money; it's sometimes about winning, about challenging the rest of the world and beating them. It's the cyber age version of graffiti, the Internet equivalent of the adolescent challenging the mature and making waves.
From member Dixon: Let's not leave out plain old-fashioned extortion, as with Vundo/Antivirus2009/Antivirus360. "You're infected! Give us sixty bucks and we'll fix it!"
From member Oz_Media: I knew a few guys in the early 90s who wrote viruses simply to get noticed as capable programmers. Offering up a virus, then creating a removal tool and sending it to major players (F-protect, Computer Associates, Kaspersky, etc.) put them on the map as code savvy. In fact, I remember a time when that was the key focus behind writing viruses and exploiting code -- to show off your talents compared to existing engineers. Who do you think major antivirus companies hire to write removal tools? The same criminals who exploit systems, of course. Also, if a company wouldn't hire them as programmers, they'd hack the software and send the exploit details to the engineers, offering to fix it for $$$$. Then they'd go to a competitor and show them the competition's weaknesses and use THAT to get work with the competitor. Think of Stuart from MAD TV, "Look what I can do!" NOTE: I said I knew them, I didn't say they were friends.
Follow the money
I had to guess, I’d say that the most common reasons to write viruses these days, by far, are at least somewhat profit-motivated. The I Love You email virus was kind of a watershed incident, the point where a lot of people really started noticing the growing trend in profit-generating mobile malicious code.