A commentary by Christian Mairoll, CEO of Emsisoft
As the CEO of an antivirus company, my friends and acquaintances often ask me “Who writes all these viruses?” and often hidden behind this question is the serious accusation of “You write them yourself, just to drum up business!”
If only it were that simple… The reality, however, is very different. Apart from the fact that doing so would be morally reprehensible and also illegal, it is actually quite simple to prove that it’s technically impossible for antivirus companies to manufacture the sheer volume of viruses produced.
Today’s viruses, trojans and bots are the result of an enormous amount of programming work. Intentionally and unintentionally released source code only allows a rough estimate of the original effort required, but one can easily assume that every new genus of malware is the result of at least 1-3 months of programming work. New variants that are built on the foundations of existing malware are, of course, easier to produce.
At Emsisoft, we add around 300,000 – 500,000 new malware signatures (fingerprints) to our detection database every day. Research indicates that the number of new threats tends to double each year.
So, let’s break it down.
- If I were the CEO of an evil antivirus company, I would first need to hire an employee to write the virus itself.
- To protect my investment, I would also need someone for ongoing development and maintenance to ensure that the virus will still run on future operating systems.
- Once development of the virus was eventually complete, it would then be released into the wild.
- The virus would finally be entered into the detection database of our own antivirus software.
Great! In one month we have only managed to build one new virus – one single virus among the 10 million others that have been released this month.
By now, it should be clear to everyone that it simply makes no commercial sense for us to write the viruses ourselves. The advantage of being able to detect a single extra piece of malware among the mountain of malware released each month is practically non-existent.
Even when the cost of hiring programmers in low-wage countries is very cheap, it is absolutely certain that no antivirus manufacturer could afford to be an evil malware mastermind. In fact, all the antivirus manufacturers in the world combined wouldn’t have the resources to generate the current volume of new malware.
Well, who is writing all this new malware then ?
Alas, there are people who can earn much more money writing malware than the antivirus industry ever could by writing their own malware.
A decade ago, these programs were mostly written by hackers wanting to test the realms of possibility, but today an enormous amount of criminal energy and hardcore commercial enterprise lies behind most malware. A centrally controlled network of several thousand hijacked PCs (a botnet) offers a massive amount of computing power, which can be used in a variety of different ways or hired as a package for a range of devious purposes, such as:
- Sending Spam and Phishing emails.
- Coordinating webserver overload attacks (DDoS) in order to blackmail companies.
- Creating a proxy server network for hiding the traces of illegal activities.
The largest detected botnets such as Conficker, Rustock or Cutwail had over a million of these “Zombie” computers available.
Other malware authors attempt to convert their work directly into hard cash by encrypting important personal information and then demanding ransom money for decrypting the data (so-called ransomware). Some malware is directly targeted at specific companies or systems, such as the sabotage attacks on the Iranian nuclear energy program using the Stuxnet malware in late 2010.
Antivirus = virus
Another reason for the rumor that antivirus companies write the viruses is the increase in the number of fake antivirus products (so-called rogue antivirus software). The authors of this type of malware use names that are similar to well-known antivirus brands to trick users into installing software that only pretends to detect viruses. Fake detections are then used to urge the customer to purchase a “Full version”.
As you can see, there are plenty of incentives for malware authors to write new malicious programs. All of these incentives share one thing in common: they offer far greater rewards than an antivirus company could expect from writing their own viruses. Of course, looking beyond the financial aspect, it would only take one public example of this type of activity to result in a legal, commercial and media disaster for any antivirus manufacturer.
There is also the argument that antivirus companies depend on the work of the malware authors. This may be true, but our intentions lie at the opposite ends of the moral spectrum and we are always doing our best to make the Internet a safer place.
Have a nice (malware-free) day!
Christian Mairoll – CEO