'This guy,' he proclaimed, 'is the best at Visual Basic.'
In the virus underground, that's love. Visual Basic is a computer language popular among malware authors for its simplicity; Phile-tOast3r has used it to create several of the two dozen viruses he's written. From this tiny tourist town, he works as an assistant in a home for the mentally disabled and in his spare time runs an international virus-writers' group called the 'Ready Rangers Liberation Front.' He founded the group three years ago with a few bored high school friends in his even tinier hometown nearby. I met him, like everyone profiled in this article, online, first e-mailing him, then chatting in an Internet Relay Chat channel where virus writers meet and trade tips and war stories.
PhiletOast3r got interested in malware the same way most virus authors do: his own computer was hit by a virus. He wanted to know how it worked and began hunting down virus-writers' Web sites. He discovered years' worth of viruses online, all easily downloadable, as well as primers full of coding tricks. He spent long evenings hanging out in online chat rooms, asking questions, and soon began writing his own worms.
One might assume PhiletOast3r would favor destructive viruses, given the fact that his apartment is decorated top-to-bottom with anticorporate stickers. But PhiletOast3r's viruses, like those of many malware writers, are often surprisingly mild things carrying goofy payloads. One worm does nothing but display a picture of a raised middle finger on your computer screen, then sheepishly apologize for the gesture. ('Hey, this is not meant to you! I just wanted to show my payload.') Another one he is currently developing will install two artificial intelligence chat-agents on your computer; they appear in a pop-up window, talking to each other nervously about whether your antivirus software is going to catch and delete them. PhiletOast3r said he was also working on something sneakier: a 'keylogger.' It's a Trojan virus that monitors every keystroke its victim types-including passwords and confidential e-mail messages-then secretly mails out copies to whoever planted the virus. Anyone who spreads this Trojan would be able to quickly harvest huge amounts of sensitive personal information.
Technically, 'viruses' and 'worms' are slightly different things. When a virus arrives on your computer, it disguises itself. It might look like an Out-Kast song ('hey_ya.mp3'), but if you look more closely, you'll see it has an unusual suffix, like 'hey_ya.mp3.exe.' That's because it isn't an MP3 file at all. It's a tiny program, and when you click on it, it will reprogram parts of your computer to do something new, like display a message. A virus cannot kick-start itself; a human needs to be fooled into clicking on it. This turns virus writers into armchair psychologists, always hunting for new tricks to dupe someone into activating a virus. ('All virus-spreading,' one virus writer said caustically, 'is based on the idiotic behavior of the users.')
Worms, in contrast, usually do not require any human intervention to spread. That means they can travel at the breakneck pace of computers themselves. Unlike a virus, a worm generally does not alter or destroy data on a computer. Its danger lies in its speed: when a worm multiplies, it often generates enough traffic to brown out Internet servers, like air conditioners bringing down the power grid on a hot summer day. The most popular worms today are 'mass mailers,' which attack a victim's computer, swipe the addresses out of Microsoft Outlook (the world's most common e-mail program), and send a copy of the worm to everyone in the victim's address book. These days, the distinction between worm and virus is breaking down. A worm will carry a virus with it, dropping it onto the victim's hard drive to do its work, then e-mailing itself off to a new target.
The most ferocious threats today are 'network worms,' which exploit a particular flaw in a software product (often one by Microsoft). The author of Slammer, for example, noticed a flaw in Microsoft's SQL Server, an online database commonly used by businesses and governments. The Slammer worm would find an unprotected SQL server, then would fire bursts of information at it, flooding the server's data 'buffer,' like a cup filled to the brim with water. Once its buffer was full, the server could be tricked into sending out thousands of new copies of the worm to other servers. Normally, a server should not allow an outside agent to control it that way, but Microsoft had neglected to defend against such an attack. Using that flaw, Slammer flooded the Internet with fifty-five million blasts of data per second and in only ten minutes colonized almost all vulnerable machines. The attacks slowed the 911 system in Belle-vue, Washington, a Seattle suburb, to such a degree that operators had to resort to a manual method of tracking calls.
PhiletOast3r said he isn't interested in producing a network worm, but he said it wouldn't be hard if he wanted to do it. He would scour the Web sites where computer-security professionals report any new software vulnerabilities they discover. Often, these security white papers will explain the flaw in such detail that they practically provide a road map on how to write a worm that exploits it. 'Then I would use it,' he concluded. 'It's that simple.'
Computer-science experts have a phrase for that type of fast-spreading epidemic: 'a Warhol worm,' in honor of Andy Warhol's prediction that everyone would be famous for fifteen minutes. 'In computer terms, fifteen minutes is a really long time,' says Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, who coined the Warhol term. 'The worm moves faster than humans can respond.' He suspects that even more damaging worms are on the way. All a worm writer needs to do is find a significant new flaw in a Microsoft product, then write some code that exploits it. Even Microsoft admits that there are flaws the company doesn't yet know about.
Virus writers are especially hostile toward Microsoft, the perennial whipping boy of the geek world. From their (somewhat self-serving) point of view, Microsoft is to blame for the worm epidemic, because the company frequently leaves flaws in its products that allow malware to spread. Microsoft markets its products to less expert computer users, cultivating precisely the sort of gullible victims who click on disguised virus attachments. But it is Microsoft's success that really makes it such an attractive target: since more than 90 percent of desktop computers run Windows, worm writers target Microsoft in order to hit the largest possible number of victims. (By relying so exclusively on Microsoft products, virus authors say, we have created a digital monoculture, a dangerous thinning of the Internet's gene pool.
Microsoft officials disagree that their programs are poor quality, of course. And it is also possible that their products are targeted because it has become cool to do so. 'There's sort of a natural tendency to go after the biggest dog,' says Phil Reitinger, senior security strategist for Microsoft. Reitinger says that the company is working to make its products more secure. But Microsoft is now so angry that it has launched a counterattack. Last fall, Microsoft set up a $5 million fund to pay for information leading to the capture of writers who target Windows machines. So far, the company has announced $250,000 bounties for the creators of Blaster, Sobig.F and Mydoom.B.
The motivations of the top virus writers can often seem paradoxical. They spend hours dreaming up new strategies to infect computers, then hours more bringing them to reality. Yet when they're done, most of them say they have little interest in turning their creations free. (In fact, 99 percent of all malware never successfully spreads in the wild, either because it expressly wasn't designed to do so or because the author was inept and misprogrammed his virus.) Though PhiletOast3r is proud of his keylogger, he said he does not intend to release it into the wild. His reason is partly one of self-protection; he wouldn't want the police to trace it back to him. But he also said he does not ethically believe in damaging someone else's computer.
So why write a worm, if you're not going to spread it?
For the sheer intellectual challenge, PhiletOast3r replied, the fun of producing something 'really cool.' For the top worm writers, the goal is to make something that's brand-new, never seen before. Replicating an existing virus is 'lame,' the worst of all possible insults. A truly innovative worm, PhiletOast3r said, 'is like art.' To allow his malware to travel swiftly online, the virus writer must keep its code short and efficient, like a poet elegantly packing as much creativity as possible into the tight format of a sonnet. 'One condition of art,' he noted, 'is doing good things with less.'
When he gets stuck on a particularly thorny problem, Phile-tOast3r will sometimes call for help from other members of the Ready Rangers Liberation Front (which includes Mario). Another friend in another country, whom PhiletOast3r has never actually met, is helping him complete his keylogger by writing a few crucial bits of code that will hide the tool from its victim's view. When they're done, they'll publish their invention in their group's zine, a semiannual anthology of the members' best work.
The virus scene is oddly gentlemanly, almost like the amateur scientist societies of Victorian Britain, where colleagues presented papers in an attempt to win that most elusive of social currencies: street cred. In fact, I didn't meet anyone who gloated about his own talent until I met Benny. He is a member of 29A, a superelite cadre within the virus underground, a handful of coders around the world whose malware is so innovative that even antivirus experts grudgingly admit they're impressed. Based in the Czech Republic, Benny, clean-cut and wide-eyed, has been writing viruses for five years, making him a veteran in the field at age twenty-one. 'The main thing that I'm most proud of, and that no one else can say, is that I always come up with a new idea,' he said, ushering me into a bedroom so neat that it looked as if he'd stacked his magazines using a ruler and level.
'Each worm shows something different, something new that hadn't been done before by anyone.'
Benny-that's his handle, not his real name-is most famous for having written a virus that infected Windows 2000 two weeks before Windows 2000 was released. He'd met a Microsoft employee months earlier who boasted that the new operating system would be 'more secure than ever'; Benny wrote (but says he didn't release) the virus specifically to humiliate the company. 'Microsoft,' he said with a laugh, 'wasn't enthusiastic.' He also wrote Leviathan, the first virus to use 'multithreading,' a technique that makes the computer execute several commands at once, like a juggler handling multiple balls. It greatly speeds up the pace at which viruses can spread. Benny published that invention in his group's zine, and now many of the most virulent bugs have adopted the technique, including last summers infamous Sobig.F
For a virus author, a successful worm brings the sort of fame that a particularly daring piece of graffiti used to produce: the author's name, automatically replicating itself in cyberspace. When antivirus companies post on their Web sites a new 'alert' warning of a fresh menace, the thrill for the author is like getting a great book review: something to crow about and e-mail around to your friends. Writing malware, as one author e-mailed me, is like creating artificial life. A virus, he wrote, is 'a humble little creature with only the intention to avoid extinction and survive.'
Quite apart from the intellectual fun of programming, though, the virus scene is attractive partly because it's very social. When PhiletOast3r drops by a virus-writers chat channel late at night after work, the conversation is as likely to be about music, politics, or girls as the latest in worm technology. 'They're not talking about viruses-they're talking about relationships or ordering pizza,' says Sarah Gordon, a senior research fellow at Symantec, an antivirus company, who is one of the only researchers in the world who has interviewed hundreds of virus writers about their motivations. Very occasionally, malware authors even meet up face-to-face for a party; PhiletOast3r once took a road trip for a beer-addled weekend of coding, and when I visited Mario, we met up with another Austrian virus writer and discussed code for hours at a bar.
The virus community attracts a lot of smart but alienated young men, libertarian types who are often flummoxed by the social nuances of life. While the virus scene isn't dominated by those characters, it certainly has its share-and they are often the ones with a genuine chip on their shoulder.
'I am a social reject,' admitted Vorgon (as he called himself), a virus writer in Toronto with whom I exchanged messages one night in an online chat channel. He studied computer science in college but couldn't find a computer job after sending out four hundred resumes. With 'no friends, not much family,' and no girlfriend for years, he became depressed. He attempted suicide, he said, by walking out one frigid winter night into a nearby forest for five hours with no jacket on. But then he got into the virus-writing scene and found a community. 'I met a lot of cool people who were interested in what I did,' he wrote. 'They made me feel good again.' He called his first virus FirstBorn to celebrate his new identity. Later, he saw that one of his worms had been written up as an alert on an antivirus site, and it thrilled him. 'Kinda like when I got my first girlfriend,' he wrote. 'I was god for a couple days.' He began work on another worm, trying to recapture the feeling. 'I spent three months working on it just so I could have those couple of days of godliness.'
Vorgon is still angry about life. His next worm, he wrote, will try to specifically target the people who wouldn't hire him. It will have a 'spidering' engine that crawls Web-page links, trying to find likely e-mail addresses for human-resource managers, 'like ca-
Many people might wonder why virus writers aren't simply rounded up and arrested for producing their creations. But in most countries, writing viruses is not illegal. Indeed, in the United States some legal scholars argue that it is protected as free speech. Software is a type of language, and writing a program is akin to writing a recipe for beef stew. It is merely a bunch of instructions for the computer to follow, in the same way that a recipe is a set of instructions for a cook to follow.
A virus or worm becomes illegal only when it is activated- when someone sends it to a victim and starts it spreading in the wild, and it does measurable damage to computer systems. The top malware authors are acutely aware of this distinction. Most every virus-writer Web site includes a disclaimer stating that it exists purely for educational purposes, and that if a visitor downloads a virus to spread, the responsibility is entirely the visitor's. Benny's main virus-writing computer at home has no Internet connection at all; he has walled it off like an airlocked biological-weapons lab, so that nothing can escape, even by accident.
Virus writers argue that they shouldn't be held accountable for other people's actions. They are merely pursuing an interest in writing self-replicating computer code. 'I'm not responsible for people who do silly things and distribute them among their friends,' Benny said defiantly. 'I'm not responsible for those. What I like to do is programming, and I like to show it to people-who may then do something with it.' A young woman who goes by the handle Gigabyte told me in an online chat room that if the authorities wanted to arrest her and other virus writers, then 'they should arrest the
