January 14, 2005 4:00 AM PST

Newsmaker: He's got the virus-writing bug

For five years, Czech student Marek Strihavka programmed computer viruses as part of the underground group 29A.

A twist of fate, however, has led the former virus writer to take a job stopping digital pests like those he used to create. About a year after leaving 29A, which takes its name from the base-16 representation of 666, the 22-year-old resident of Brno in the Czech Republic became the main developer of Zoner Software's antivirus system.

Now Strihavka finds himself under attack. The Czech police have raided his home and confiscated his computer equipment as part of an investigation into the Slammer worm. In addition, some antivirus companies are attacking Zoner for hiring a known virus writer.

In an interview with CNET News.com, the man who used to be "Benny" claims that he never took part in spreading his programs on the Internet and maintains that virus writers contribute to online security.

Q: Why did you join a virus-writing group like 29A? What is the purpose of the group?
A: The purpose of 29A has always been technical progress, invention and innovation of new and technically mature and interesting viruses. 29A distances itself from virus-spreading, since 29A always tried to act as a security group, not any cybergang, as has been portrayed in the media. 29A just wants to share ideas with others, and source code is a way of expression.

People that (have known me for) some time know very well that I've always distanced myself from spreading (viruses) and that I never did such a stupid thing. I am not a member of 29A anymore, since I try to orient myself on my work, which I like as much as virus writing.

Q: How many viruses have you coded? What sort of projects did you pursue and why?
A: A lot. I don't know the exact number. But I always tried to come up with something new, never seen before. I coded viruses for platforms that were considered infect-resistant. I found some satisfaction in programming, just because I like logical and abstract thinking. This is not about any sort of "cyberterrorism."

Q: Do you think that coding viruses has any ethical or moral implications?
A: Writing technically new and innovative viruses is like writing exploits for new programs. Coming up with new ideas advances the Internet, since it becomes more prepared against real attacks. I don't see anything wrong with saying, "Hey! This can be abused! There is a bug! You are not prepared for this!" without doing a single cent of real damage.

Q: What has made you stop coding viruses? Do you still view the virus underground in the same way?
A: I am still the same. I am still interested in computer security, but now from the other side. I'm trying to fight viruses by finding better ways of detection. I am glad that I can use the skills I achieved by studying viruses in practice and real life.

Q: Antivirus companies frequently say that no virus writer should ever have a job in security. What are your views of this opinion?
A: That is funny. Why? Just because a lot of skilled virus writers already have jobs in the antivirus industry. I don't want to cause any problems to my friends, so I won't give concrete examples. But believe me, this is just marketing theater for customers--the truth is a bit different.

In any event, who else should code antivirus programs? Who else has the experience and technical skills for fighting viruses? Some antivirus firms say that I have no moral right to do it, but...almost all ex-members and current members of 29A are employed in the antivirus and information technology security industry.

Q: What sort of work do you do for Zoner? Has your virus-writing experience made your programming better?
A: I take care of ZAV (Zoner Antivirus) core--this means all those low-level functions for scanning, unpacking, emulation, heuristics, ZAV database maintenance and new detection patterns.

Since elementary school, I have been interested in computer viruses, and I focused on computer security. So I think I am the right person to program antivirus.

Q: Should virus writers and releasers be tolerated on today's Internet? Does your answer depend on how the Internet has changed or the virus-writing community?
A: I think that source code is just a form of expression, and this should be legal, since freedom of speech is protected. I never spread any of my viruses, and I always thought doing so to be a stupid act. All that I am interested in is programming--nothing else.

The Internet is changing, and spammers and phishers should not be tolerated, of course. But people from 29A--and others who are only studying, publishing and not releasing self-replicating programs--are the last people that cause any real or virtual damage and should not be persecuted.  

Fox guarding the chicken coop
by January 14, 2005 10:44 AM PST
Somebody hired this guy to do computer security work!? What were they thinking? I can understand why someone might hire a repentant virus writer in order to take advantage of their unique skills and viewpoint. Marek Strihavka thinks creating viruses is an intellectual pursuit no different from creating productive programs.
You are fooling yourself
by January 15, 2005 9:19 AM PST
You are not thinking clearly about this... let me help you.

If he was a virus SPREADER -- someone who intentionally wrote
virus programs to damage your computer with the intent to do
so, then he should be arrested, prosecuted and jailed. His
intentions were not good and he harmed you or someone else.

But instead -- he is a virus WRITER -- someone who
intentionally looks for weaknesses in operating systems (like
Windows, Linux, Mac OS X, etc) that would allow a virus
SPREADER to inflict damage on your system. These people find
a way in and then alert the author of the operating system that
there is a problem that someone else (with bad intent) could
take advantage of and really cause serious damage.

Because he is of the latter category, I feel that he should be
fine... he's someone who is trying to prevent the harm on your
computer by coming up with innovative, creative and
extraordinary ways to prevent such harm from being done.

I hope this clears it up for you.
Some unofficial comments (I work at Zoner)
by January 18, 2005 8:52 AM PST
Disclaimer: I work for the same company as Marek (although in a different division, so before the media uproar surrounding his hiring, which started long after the actual hiring, I saw him just a couple of times a month).

> Somebody hired this guy to do computer security work!? What were they thinking?

They were thinking more or less the same things Marek himself said.

> I can understand why someone might hire a repentant virus writer in order to take advantage of their unique skills and viewpoint.

In the interest of proving his "skillz" to a community (albeit a community whose behavior one might call juvenile), Marek took a critical, "Emperor's New Clothes" look at systems lauded as unattackable and found ways to attack them and published the results, just as visible to AV writers' eyes (you better believe AV writers follow the discussions of virus hobby groups) as to virus writers' eyes. He didn't do it out of charity (again, it was to gain credibility among that peer group), but he didn't do it out of malice (he never spread viruses) or for financial gain either. He may have naively thought that the information wouldn't be exploited, or he may have less naively decided that if he didn't find it and post it publicly, someone else would find it and exploit it privately. And admittedly, another option is that he simply may have been so tied up in his hunger for cred that he didn't care.

> Marek Strihavka thinks creating viruses is an intellectual pursuit no different from creating productive programs.

No different? Probably not. At loggerheads with "unique skills and viewpoint"? Certainly not. Having never written viral code I can't be sure, but my impression is that, while there is plenty of shoddy viral code out there (procedures that are supposed to be called but aren't, etc.), the top-quality code provides pretty good examples of things like looking for inventive solutions, thinking ahead, and being space-efficient (perhaps not today, but at least at one time a small footprint was an advantage for a virus). Competitive groups like 29a are all about being top-quality -- being less won't earn you cred.

And of course, I think it's pretty inarguable that intimately knowing how viral attacks work is pretty helpful in knowing how to make them not-work. How much so, and how much more so than by studying existing virii and perhaps writing viral code that you keep to yourself (and which thus is never criticized), is open to question, of course. On the one hand, one of the core strengths of the powerful open source movement is in peer review. On the other hand, that's peer review of programs you're writing, not programs you're counterattacking, so I don't know.

Erik Piper
Zoner
why not?
by January 15, 2005 9:25 AM PST
I am a programmer and do a lot in different operating systems like Linux and Windows. I often have to come up with creative ways to get software to work with Windows. This said, a lot of the knowledge I have I could use to write a virus in Windows. In fact when I first started programming I got a lot of my examples from virus source. Has this made me a bad programmer?..... no but it has taught me a lot on how everything interacts. See when a virus writer makes a virus they have a lot of constraints on what they can and can't do to make their program fit into a nice small package. I mean if you look at a lot of the crap that is out there now the whole reason some companies are afraid of open source is because of the fact people would know how crappy their stuff is. I for one think that my software is ultra tight and compact. THESE are tricks I learned from virus writers. It would be like forbidding a nuclear physicist from doing research in the medical field because they once made enriched uranium.... and wouldn't you want this person on your side anyways?
More on 29A (Interview with Ratter)
by January 15, 2005 9:59 AM PST
http://www.informit.com/articles/article.asp?p=337070

This article has an interview with Ratter of 29A and seems to be in line with this article.
Ignorant and arrogant, willful idiot despite the intelligence
by January 15, 2005 12:47 PM PST
In any event, who else should code antivirus programs? Who else has the experience and technical skills for fighting viruses?

That attitude is just such extreme arrogance. Who else? - Anyone competent - they do not have to come from the virus writing community. I spent my teenage years cracking protection on C64 cassette games when there was no internet to hold your hand and tell you how to do it. There are plenty of able and competent people out there. The idea that only virus writers can defend against viruses is ignorant and arrogant at the same time - quite a combination to achieve.
I think you are being ignorant
by January 15, 2005 6:44 PM PST
I don't think he isn't saying that ONLY virus writers can defend against viruses I think he is saying that people shouldn't have a problem with (ex-)virus writers defending us against viruses because they have first-hand knowledge about viruses since they used to or still are writing them so they can also know of ways to defend us against them.
Who knows who's employed by whom...
by milette January 15, 2005 10:42 PM PST
It would not surprise me to hear that anti-virus companies are, and have been for a long time PAYING virus writers to CREATE new viruses to keep themselves in business.

This is a HUGE market, with BILLIONS of dollars at stake.

Don't think it could happen? Many people thought Enron and a few other scenarios couldn't happen either...
Freedom
by dudleyking January 17, 2005 6:12 AM PST
My argument is that if you control people to the extent that no one is allowed to write code unless it's said to be safe. Well it's just another form of suppression and people always rebel and at the same time if your code is written so as to steal or destroy with malice it's kinda a moral issue. But I believe in free speech and innovation which if people are suppressed won't exist.
Why is this a story ?
by January 17, 2005 6:29 AM PST
Definitional rhetoric aside, this guy studied viruses, how they are built, and what the latest developments are, as a passionate personal hobby for years. Then he got hired by a company to do the very same thing for a company. It's research, either way.

Personally, I feel safer knowing that this guy spent time looking at hypothetical scenarios and testing those against reality in the programmer's equivalent of a lab before the actual bad guys could get a hold of this ideas and spread them in active payloads. How else was he to communicate his ideas to the whole security industry, save by publishing those concepts ?

By analogy: Why not also condemn really passionate students of chemistry who played with chemistry sets as kids, and prevent them from getting work once they have an actual chemical engineering degree ?
Guilty by what court?
by stevejobless January 17, 2005 8:20 AM PST
I have reservations about the idea of security firms hiring convicted "hackers" etc, but why should the fact that someone is skilled in "hacking" or virus writing affect their ability to get a job? As long as they have not been convicted, or confessed to (boasted about) crimes, then personally I feel that they are a valuable asset to the security community due to the different type of experience that they bring. Those of you who are actively involved in any information/system security should find yourselves thinking more like the people/situations that you are guarding against, with these types of skills and thinking processes growing with the more experience that you gain.
How many of you network/os admins have actively attacked your systems? If Nagios or other security scanners are being used that's what is happening, so I hope that the person running it knows what they are doing.
Basically if they haven't been convicted, then who are we to judge and sentence them?
Not sure about this guy!
by January 17, 2005 8:41 AM PST
I just have a hard time believing that this guy never released any of his viruses. Second of all I have a harder time believing he is still not writing them.

In my opinion, there is no way he is a new found saint! Virus writing is like a drug, He won't be able to stop, more so now that he is working for an anti-virus company. He is learning the secrets of anti-virus, now he can use them to his advantages. I have never heard of Zoner Anti-virus but I'm sure they will be going under soon!

Good luck with your new job!
Hiring old virus writers is the way to do it
by January 17, 2005 10:27 AM PST
Government constantly uses ex-criminals to catch new ones. Like that famous check forger that the FBI hired to catch new ones. Ex-criminals know how the minds of their ex-cohorts think. Sure you have to take precautions to make sure they don't abuse their new found privileges, but they are the greatest assets too.
not quite
by David Arbogast January 17, 2005 11:14 AM PST
The FBI "constantly" employs criminals? No. On occasion, maybe. Not constantly.

Hey... Supposing I broke into 300 homes and was able to steal over $20K worth of property in the last year. That'd make me a perfect candidate to work for a home security company, wouldn't you agree?

Heck no. Once the customers learn who is supposed to be working on their behalf, they will stop doing business with such a company. If an entire organization of hackers released an anti-virus package, would you be ignorant enough to install it? Sorry, but I don't want one admitted hacker to author the software I use. Convicted or not. Bad image. Bad publicity. Unnecessary risk. Poor substitute for well-educated employees.
Virus writers required to defend freedom and democracy
by mistermad2003 July 25, 2006 7:17 AM PDT
The reason is I am having to flee Britain because of persecution by CSC Computer Sciences and state actors Hampshire Police and High Court judges, so I have to cut all my old links.

I sued CSC and various staff for 2 counts of blackmail feeding into one tort of harassment, in 2005 at the High Court. CSC et al refused to file defences over 7 months but the court just threw the case out with me allowed only to file the case and absolutely nothing more than that happened. Under Civil Procedure Rules Part 7 you must defend or you are deemed to admit, so I won but the judge robbed me. CSC is a $70bn US corp and it is a prime contractor on big govt projects (including the NHS IT infrastructure rewrite) so it has govt protection.

Next, CSC filed a second case in High Court to stop me reporting the first case because reporting failure to defend will make staff etc feel harassed. They use the Part 8 procedure which allows you to be prosecuted for certain criminal offences on the following basis. You are not allowed representation, all allegations of fact are deemed proven at the outset and then the legal consequences must simply follow. You get an order that you are out of jail on license for life, here are the terms, each breach attracts 5 years in jail. So I could end up in jail for life because I will not shut up. Under Part 8 there has to be a trial but you can imagine it is just a show trial. Mine is set for 6 hours at end of September 2006, open and shut basically with foregone conclusion.

In 2002/3 CSC set Hampshire Police on me. A certain officer forcibly arrested and interviewed me. I turned her around with a countercomplaint of blackmail conspiracy etc, showing how their complaint fed into and made my complaint and that that in turn made my defence to their complaint. Later they refused to charge and destroyed all 4 masters of the interview. During 2005/6 civil proceedings CSC has arrogantly leaked Police leaks, whereby that same officer has been briefing the firm's Law Dept, that is tipping-off, handing over investigation file to them. The idea is that Police leave it to CSC to prosecute me in civil court by Part 8 procedure, then receive back court order to enforce, circumventing a criminal trial. That is a common law conspiracy to defraud which is indictable and attracts a ten year max term, that is public officials handing over confidential info to private persons hoping to gain something back later. High Court judges are all for this and are aiding and abetting. It is end of freedom and democracy in this country (the UK). But it also adds up to persecution by corporation and state actors in combination with failure of judiciary, that means I qualify for political asylum so I have to go abroad and seek such. Whether you actually get asylum against the UK is another issue because everyone else assumes the UK to be 'safe'.

So to see this bizarre stuff can really happen see following resources:

www.dca.gov.uk for Civil Procedure Rules. See Part 65 permitting Part 8 to be used for such criminal prosecutions. See normal procedure at Part 7 which incorporates Part 15 and Part 16. See Rule 15.2 in Part 15 which says a defendant who wishes to defend must file a defence and 16.5 in Part 16 consequences of not dealing with an allegation.

Also see www.csc.com and go to the English site and see that European HQ was built in Hampshire in 1999 and is a massive development so Hampshire Police give it maximum protection no matter what.

I am (almost) outta here.

BTW 'they' know I intend to do a book and 2 hour DVD docudrama on the whole conspiracy, and a website, and a law-abiding virus to spread the cases all over the internet. It is a matter of who gets who first. I will have to re-equip to be mobile and operate from underground 'on the run' if I do not get asylum.

SO HOW CAN VIRUS WRITERS HELP UPHOLD DEMOCRACY AND FREEDOM?

CSC Computer Sciences doesn't want the world to know that in case 5BI70056 at the English High Court Queens Bench Division Birkenhead District Registry it refused steadfastly to defend when being sued for amongst other things two charges of blackmail feeding into 1 tort of harassment (meaning money damages of £4m due) right? The High Court judges, the Hampshire Police and CSC want therefore to put me in jail for life in 5 year increments to shut me up, by a fake legal process that is akin to a stalinist/soviet showtrial, right? Well, lets tell the whole friggin world then! I have electronically scanned the court records. I am in the process of selling my house to leave the UK and here is a sketch plan. Lets work on it, anybody any ideas?

Normally websites are passive and you have to get Google etc to index them then people have to know to search for them then also they are highly centralised off of 1 server that can be overloaded and anyway you have to pay for bandwidth etc.

An alternative is to actively trawl the internet with a robot that follows connections, very like a crawler, but which at each location identifies itself to the user, tells a little about the website it is promoting, takes with it a mini-website for local installation and viewing, asks permission to use that machine as a base to get to other neighbouring nodes. There is lots of unused capacity on machines and connections so this won't cripple the web or a user machine but it makes the site become known very fast and it distributes the kernel of the site and the downloading etc. So long as the robot operates legally this should be okay. Lots of people can run a webserver now off of their own PC and these PCs are now often 24-hour connected via broadband.

I have a website in mind to develop, I would want to propagate it fast across the internet in the form of a kernel of pages, and I would not want much central website processing except for commercial downloads of additional materials needing to be paid for. Essentially I am going to report law cases in the UK concerning a $70bn US multinational, and will give people the gist via lightweight website distributed by robot, then I would look to sell book and DVD docudrama as maybe electronic downloads. Some of that load might have to be distributed as well. (Mostly this stuff has yet to be created, but I first have to make sure of marketing and delivery methods.)

Can such a robot be done and at what cost, bearing in mind again it has to be friendly and law abiding. I think there are examples of peer-to-peer mechanisms already, I think a lot of music downloading services pioneered it, so it should be a matter of using stuff that already exists and just customising it to the particular content.

Thanks, Peter Jones, the Soviet Union of the UK.
Everyone who writes AV software knows how to write one
by January 17, 2005 12:42 PM PST
You can't develop a vaccine without understanding the human body and the disease you are targetting.

The same goes for writing an AV program. The same goes for writing secure code in general. If you don't know what causes the flaw and why, you will only avoid it through sheer luck. A CS student learning security, learns how to take advantage of flaws, as well as stop them. The 2 concepts go hand in hand.

All this ignorant gnashing of teeth over someone who has written virus is pointless. If not for these 'white hat' hackers, crappy programs like Windows and IE would be even more flawed than they are today.
Every antivirus researcher in theory should be able to write viruses
by February 1, 2005 4:25 PM PST
I would like to disagree with the comparison of viruses (organic) and computer viruses. Though not a trained virologist, I was trained in medicine, and I have a very strong interest in malicious code- an academic one. The generic trend of applying things across without context sensitivity is not really very good. Some of the research done, such as modeling epidemic spread has a good standing. Epidemiologists have done a lot of work on such models, those models are very useful in understanding the spread of malicious code. But for the rest comparing human immune system and the way it reacts to viruses, I don't believe would be the ideal way to think about computer viruses. The simplest reason flu viruses beat your immune system regularly, a computer that gets infected like that won't be considered ideal and moreover there is a factor of time scale which is hugely different.
I would also like to point out a few things, firstly any antivirus researcher worth his salt should be able to create viruses ( good ones) without virus creation engines. It's his/her ethics that prevent them from doing so. It is even possible that they do write them to test their AV engine heuristics.

Secondly there are very few educational institutions that do research or offer training on viruses. Like any other profession in its infancy, many who are active might have gained their knowledge on viruses by being on the grey/dark side. Assuming that they are inherently evil and should not be allowed to work in antivirus industry is a very debatable topic.
Too many naive people in society
by February 28, 2005 2:32 AM PST
Why do some people think it is wrong for this ex-virus writer to be developing security solutions today?

It is quite normal.
The best security consultants are usually from "other side of the fence" as someone has already said.

It's not about money, that's why they make the best hackers.

I've read a lot of Benny's work, (I am against spreading viruses, I do not write them either)

But his research while in the 29a group will help him develop solutions to virus issues.

And that is not a bad thing, is it?