A few thoughts on virus writing…

Once upon a time, back when everyone knew why a “floppy disk” was “floppy”, computers were not completely Windows-ized, and the black screen of DOS was the standard “desktop”, virus writers were just kids who happened to write viruses. They did it for fun, to assert themselves, to hit their friends’ and neighbours’ systems, or to get revenge on the world at large. They wrote some very silly viruses, and some very complicated viruses. They used different kinds of infection and stealth technologies, and there were a lot of these “true” viruses – I remember a time when we were adding about 100 records per week to our antivirus database updates.

And now most malicious code is “commercial” – it’s designed to control infected networks and/or earn money (see more at the beginning of this article). Among these programs, we still find “true” viruses and Trojans. But surprise! Not as many as in the past. Looking at our statistics, I see that we are now adding less than 10 “true” viruses and Trojan programs a week – ten times less than ten years ago. Does this mean that virus writers have stopped creating “true” viruses? Yes. But why? The situation should be totally the opposite – there are more and more teenagers getting access to computers, so shouldn’t there be more and more “true” viruses written by them?

I think increased access to computers is actually the reason why the number of “true” viruses is decreasing. The fact is teenagers don’t have time for writing viruses – they’re busy playing online games.

They can assert their personality, they can create their own worlds, and destroy the existing one. They can find real friends, and “kill” virtual enemies in their virtual worlds. They attack and protect. They don’t need extra proof anymore.

So – the kids have left the world of “true” virus writing. This was a world which had bad, sometimes very bad, consequences, but sometimes it led to the creation of technically interesting or sophisticated programs. In moving out of this world, they stopped training their brains by developing their own virtual creatures – now they’re lost in the virtual underworld of online computer games.

Is this good or bad, for us and for them? I don’t know. My colleague Teodor Cimpoesu, from KL Romania, has also had some thoughts about this:

“People might think that it’s good for the AV vendors if virus writers produce malicious programs, and the more numerous and more complex, the better. This is one point of view.

From a security point of view, less complex viruses mean easier intervention. But with serious virus writers moving into the commercial arena, it looks like we may start to see more complex business malware soon – and then the AV industry may end up playing a significant role in blocking or breaking cybercrime.”
