What to Title This Post?

First, I thought of something like “Paranoia Run Amok”.  Why?  The purpose of this post originally was to serve to clarify what my opinions are (at the moment, anyhow) regarding the origin of spam and computer viruses.  In a previous post I raised the issue that possible blog comment spam might have originated from the “Word Cloud” phenomena that propagated (memed?) through the blogosphere a few months ago.  In the comments that ensued from this post, I expressed a pretty strong opinion about the relationship between spam/viruses and the companies that profit from defeating the same.  Here is what I wrote:

 In my more paranoid moments, I can’t help but think that there is a connection between the growth of spamming, and the companies that profit from “defeating” it. If my paranoiac reasoning is correct, then there never has to be any sales closures for the product being hawked, as this is not the motive for the spam in the first place, but merely a pretext for the sale of anti-spam products.

Similarly, I sometimes feel the same paranoid suspicions regarding the source and motivations behind virus outbreaks. It seems that if one wanted to “follow the money trail” of these activities, one should not overlook the fact that many companies have built their entire business model on selling annual subscriptions to products and services designed to “defeat” these ever-growing threats.

Microsoft has built an empire on a simple premise: Provide a product that every computer owner perceives that they need (Windows), and then create a managed version update program to get these same owners to upgrade to the latest, greatest OS (witness Windows, Win95, Win98, WinMe, WinXP, and Vista, not to mention all the flavors of WinNT that have come down the pike). If companies such as Symantec, McAfee and others can persuade everyone that they must not only buy their products, but also constantly renew their subscriptions, then they will have effectively “one-upped” the Microsoft business model. I guess only time will tell if I am being paranoid, or if I am simply being prescient.

As I thought about this comment, I began to feel as if I might have been overreacting, even though I had so clearly peppered my remarks with words like paranoid, suspicious, and paranoiac.  And so my original intent was to somehow soften the tone of my opinion on this issue a little bit with this post.  And then something happened.

I read a computer magazine which referenced an article titled “The Antispyware Conspiracy”, which addressed a portion of this issue in a direct manner.  After reading this article, I began to feel that maybe I wasn’t being so paranoid after all.  But the author of the article began with the following statement:

“Since the release of the first antivirus products many people have believed in a conspiracy theory where antivirus companies generate their own market by paying virus writers to develop and release viruses. I don’t subscribe to that theory and trust the major security vendors, but recent trends show that there’s a fuzzy line between second-tier antispyware vendors and the malware they clean.”

This article seems to point a finger at some second-tier antispyware vendors, but is quick to absolve the major security vendors of any complicity.  And as I thought about this more, one thing kept popping to mind – maybe the major players ARE paying virus writers to develop and release viruses!  Not directly, of course.  I am not suggesting that executives within Symantec or McAfee direct any campaign to unleash viruses on the computing world.  In fact, I would be the first to suggest that the executives within these companies realize that any involvement in such schemes would be fatal to their own best interests, and I further believe that the intentions and motivations of these executives are pure.

This apparent contradiction on my part can be explained by considering the following simple observation.  Name any other industry that contains this unique dynamic – any individual employee within the “malware prevention industry” can guarantee his very own job security by propagating the malware they are hired to defeat.  Imagine this employee spending just 1 hour per week developing his malware, and you can imagine the havoc he/she could inflict.  Now multiply this dynamic by the number of employees in this industry (hundreds? thousands? tens-of-thousands?).

If you think I am too suspicious, let me tell you a true story.  Some years ago, I was called upon to render a professional opinion regarding a computer system and associated software programming for a client who owned a chain of glass companies.  The logo of this company was a little boy at play.  If you looked closely at the logo, you would see that the little boy had a slingshot hanging from his back pocket.  I asked my client about this, and he replied with the following tale.  He (I’ll call him Mr.X) began his career as an employee of a glass company.  In 1971 Southern California experienced a large earthquake, and there was more glass replacement business to go around than anyone could handle.  Mr.X decided to go into business for himself, and for a while, all was good.  Eventually, the earthquake damage in the area was repaired, and Mr.X found himself wanting for business.  Arming his son with a slingshot, ammunition, and instructions to shoot up windows in a neighborhood, Mr.X would then saturate the same neighborhood with fliers advertising his glass repair company.  No wonder I am now suspicious of business by nature!

So I now face three questions –

A) Are there any other industries that contain the same dynamics that are at play with the malware industry?

B) Am I being overly paranoid with respect to the malware industry?

C) What should I have entitled this post?

23 thoughts on “What to Title This Post?”

  1. I love this post, and have often wondered/feared the same things. There have been several second-stringers caught providing “solutions” for their intentionally created plagues and infections. And like you, I also doubt the large players would involve themselves in such a fatal strategy, and not primarily because their execs possess such scruples or long-term business sense (search Sanjay Kumar or Terry Davis), but for three other reasons:

    1) They have a wide range of products outside of typical malware countered by desktop antivirus that count for large revenue streams.

    2) It is Service and Support that has the highest profit margin; enterprise companies are charged fortunes for “maintenance” when site licenses are purchased for these products. This entitles sys admins with a phone number to call for troubleshooting these very large, complex installations, software patches and upgrades. The bulk of software is sold to mid-to-large corporations, and much of that expense is for maintenance and support contracts beyond the scope of antivirus definitions.

    3) The malware culture is much like the “tagging” (graffiti) culture, with each delinquent trying to gain more notoriety than the next. The open source malware kits available on the internet used by malcontents worldwide share some of the same development motives and “feature” advancement as the good open source software (to use a good vs. evil paradigm). Most of the malware occurring today is based on very slight variants of these kits; it seems most of the hard, skilled work is done by a very small set of individuals (with the (dark) talent) and the rest by the masses of unsophisticated script kiddies, tweaking a line here or there to see how many systems they can tag, or where their names show up in the news.

    In the same vein that there is a staggeringly enormous quantity of good open-source software available, there is enough evil open source malware to keep the anti-malware vendors in business in perpetuity sans devious action on their part. I believe they simply don’t need to bother.

    So, my responses to your a-c questions:

    a) One might suspect drug companies and the medical industry (sick or ailing people are an excellent source of recurring revenue; dead or healthy ones don’t pay. Corollary: I’ve not heard a single doctor yet say “I want to make you so well, you’ll never come see us again!”.) Or the prophylactic industry? And maybe the tire industry (heck, they even conspired with the gas and auto industry once if recollection serves me).

    b) No, the baddies *are* out to get you, and they are larger than the Mongolian hordes. Software companies are *not* incented to deliver bug-free, secure software, but nor are they largely incented to provide an infect/cure lifecycle. With 9/10 of all PCs running Windows being infected with some form of malware, requiring various pay-to-fix-or-prevent solutions, I think your concerns, cautions and skepticism are absolutely warranted… but not from McAfee or Symantec, but from the masses of internet thieves who find easy prey of those unsuspecting PC users.

    c) Caveat Emptor or Malwarius Suspectus

  2. in general anti-virus vendors do not hire virus writers… there is/was one well known exception, but that was a small time operation so far removed from the anti-virus industry that they didn’t realize how much they’d be shooting themselves in the foot…

    the vendors are careful not to offer any kind of financial motivations to the virus writers because their competition will use it against them as a competitive advantage… the only way vendors could get away with helping the problem would be if they were all equally guilty…

    the anti-spyware industry is a different story, however… it’s not as mature a field – in many ways they’re going through the same kind of initial growing pains that the anti-virus industry was going through around 10-15 years ago… without really big names in the field to drown out the noise from the ‘second-tier’ vendors, rogue anti-spyware apps will continue to be a profitable business…

    however, if you really want something to be paranoid about, you should look at the so-called ‘rootkit’ domain… some of the biggest names are also responsible for some of the most widespread rootkits… i wrote something about it a while ago (http://anti-virus-rants.blogspot.com/2006/04/ethical-conflict-in-anti-rootkit.html)…

  3. MrC – The points you bring up in your comment are well taken. I appreciate all the education I can get from your expertise. Points #1 and #2 are very persuasive arguments, and I agree with you completely on these points. Again, let me stress that I do not believe that there are any corporate policies or corporate actions on the part of the big leaguers that are designed to provide incentives to virus creators. And I don’t think that AV companies hire “virus writers” for their expertise, etc. My real fear is rooted in the belief that some of their employees, without the knowledge or approval of corporate management, “moonlight” in ways that keep their services in high demand by their respective employers. The technical expertise is second to none, the risk of being caught is very low, and the rewards are significant. Your point #3 actually plays into my argument – you say “most of the hard, skilled work is done by a very small set of individuals (with the (dark) talent) and the rest by the masses of unsophisticated script kiddies” – I agree, but my suspicion is that it is moonlighting employees who make up the “small set of individuals (with the (dark) talent)”. I guess that is the skeptic in me displaying itself.

    With regard to A), I considered the medical industry, but I think an analogous situation would only occur if you suspected medical practitioners of say, deliberately infecting a patient in order to then charge to treat their infection. I’m not that skeptical or paranoid (yet), thank goodness. With regard to B), I’ll watch me a.., and with regard to C) Malwarius Suspectus …:lol:

    Kurt – thank you for taking the time to respond to my pleas for guidance in these areas. I have just begun to read the information you have posted on your blog, and it is obvious that you have done much research on this and other malware topics. It will take me a while to work through all of the information you have provided – it’s almost like going back to school (will I get a diploma when I’ve finally caught up?) With regard to rootkits, I have just recently learned of their existence through the Sony rootkit fiasco. The more I learn about these techniques, the more paranoid I become. On the other hand, as MrC points out in his item B), it’s not paranoia if “they” really ARE out to getcha!

  4. Thanks Hal. I suppose I have a lot more opinions than expertise!

    I had not considered the moonlighters aspect, and it is worthy of consideration. I suppose a moonlighter who worked at a larger company might undertake activities to ensure or further advance his/her position or net worth. Yet I can’t help think about the relatively insignificant roles/positions even the most senior software engineers have at large corporations; from a stock-price influence point of view, one moonlighting virus writer would seem to have very little impact on the stock price of the large players. Stranger things have happened, so anything’s a possibility. I think we’re on the same page – a small dose of skepticism and a lot of awareness keeps us malwarius immunis!

  5. Hal, this resonates with my feelings about the “connection” between the Drug Companies and the Medical Profession. One of the Editors of the New England Journal of Medicine, Dr Angel [she’s a girl] resigned over drug advertizing in that journal, and has since written a book about the problem.

    My Dad was a Chemist (Druggist). One of his pieces of advice to me was:
    “All Medicine is Mud”

    A few years back I bought a MalWare Defence Product. It turned out to be a $USD 29.95 piece of software which simply empties the cookies from my browser. I then discovered that I can do that myself, and so now spend the $29.95 on being in the air in a glider.

    There are some medical conditions around which there is an “Industry” – others are Old Hat.

    With the Old Hat conditions there is no hype, no advertizing, no reps, no promotional dinners, etc.

    The best the sellers of anti-hypertensive medication can come up with is that you need to treat 11 people for 5 years for one to benefit from their drugs.

    Would you watch an 11 horse race for 5 years to see who is the winner?

    If you are interested in the medical side of this “virus” game Google Numbers Needed to Treat.

  6. the fear that anti-virus vendor employees might be acting on their own to make the virus problem worse (thereby ensuring they continue to have a job) ignores the fact that there are lots and lots of virus writers out there making the virus problem worse without the help of those employees…

    people don’t understand where the viruses are coming from so they wonder if maybe the av vendors are behind it… in reality there is an entire counter culture dedicated to viruses – it’s called the vx (Virus eXchange) community… sarah gordon has done some interesting papers on virus writers that might explain what was/is going on there…

  7. I get about 1,000 pieces of spam comment every single day. Fortunately, my Akismet software catches all but a few pieces of it and dumps it all into a bucket for me to empty (several times a day). I don’t know how much comment spam others get, but mine began as a trickle and then exploded into hundreds a day overnight. I suspect my URL was captured and sold. I have three ideas about that. One is the Word Cloud phenomenon you have so thoroughly presented. The second is by adding my blog to one of those blog directories. (I haven’t seen any appreciable increase in visits from that, so I’m guessing those folk are not in the business to give you traffic — so what else would they be collecting URLs for?) The third idea is that I am simply leaving comments at enuf sites to raise my profile.

    My son speaks loudly of the conspiracy of the AMA to perpetuate a “treating” medical culture rather than a “curing” one. More money can be made by helping you live with your condition rather than curing you of it. His twin brother, on the other hand, is now trying to get into medical school. Interesting dynamic at the house this summer.

  8. Kurt – Thanks for the lead. I have now read all that I can find regarding Dr. Gordon’s behavioral research with respect to virus authors. It seems apparent to me now that even if there are some AV industry employees moonlighting as virus authors, they would be insignificantly few in number, and only a very small subset of the various categories of virus writers that she has written about. My paranoia regarding AV software companies has thus been cured. Thanks.

    Pablo – Regarding the comment spam, I am glad that I am not receiving as much as you are. It sure is a tremendous waste of everyone’s resources and time. My understanding is still very fuzzy as to how it is accomplished, but at least I think that I finally understand the underlying economic motive behind the comment spam now. It is not that the creators of comment spam expect anyone to click through to purchase the product (although as MrC points out, a small percentage will automatically click on anything), but that the search engine ranking algorithms establish the rank of a site by the number of sites that link to it. By littering the blogosphere with linked comments to the underlying site, that underlying site gets elevated in the search engine rankings. Google has a page explaining the phenomena, and their response to it.


    I see that the page was created in January of 2005, so I suppose their solution hasn’t worked too well (or possibly I am still way off base as to the economic incentives to spam).

    Regarding the “treating vs. curing” medical culture, Retta always goes one step further. She complains that the economic pressures inherent in the medical establishment foster a reactive style of medicine, as opposed to a proactive (or preventative) style of medicine. Witness the slow disappearance of HMOs in favor of PPOs. The entire premise of the HMO was to promote better health through a preventative approach, and that option is rapidly disappearing to most people today.

    Tjilpi, I have read some of the sites uncovered in the Number Needed to Treat search as you suggested. This is a very interesting concept that I was totally unaware of (like an infinitely large number of others). While I was getting lost in some of the medical terminology involved, what I came away with is the feeling that various treatment regimens are nowhere near as effective as the lay person might believe.

    With respect to the “connection” between pharmaceutical companies and the medical profession, I am really ready to believe anything. In the U.S. it seems that the image of the drug companies is at an all time low. It seems to me that a sea-change in the field occurred when high-profit medications began to be marketed with the “patient demand-pull” concept, rather than the traditional “physician push” methods. Witness the TV advertising (ad infinitum) that encourages the general public to self-diagnose, and then “ask your doctor if ……. is right for you”

    MrC – a lot of typing could have been saved by several people if I had just listened to your original contentions. Stubbornness is one of my strong suits. By the way, I am still awaiting the appearance of the MrC blog (or whatever you decide to call it). Also you stated “…most of the hard, skilled work is done by a very small set of individuals (with the (dark) talent) and the rest by the masses of unsophisticated script kiddies..” Have you ever noticed that only computer scientists and mathematicians think to use nested parentheses?

  9. The statement:

    “Virus writers and distributors have begun creating and selling new viruses to some anti-virus product developers for inclusion in the ‘scanner’ programs.”

    from the referenced Sarah Gordon’s paper “Technologically Enabled Crime: Shifting Paradigms for the Year 2000” contradicts Kurt’s initial statements, and is in alignment with Hal’s concerns.

  10. How funny, both Hal and I were commenting at exactly the same time. I had prepared a response yesterday morning, and then decided not to publish.

    I’ve enjoyed everyone’s comments, and by no means will I consider myself an authority on any of these topics; rather, I’ve picked up a few things along the way, and learned even more via this blog entry and its comments. Thanks for providing such an excellent venue!

    I try my best to avoid nested parentheses, and had not noticed that one. I suppose the geek in me continues to expose itself.

  11. Nested parentheses are great – computer science couldn’t exist without them. Just because grammarians don’t think logically doesn’t mean we all have to follow suit.

  12. “from the referenced Sarah Gordon’s paper “Technologically Enabled Crime: Shifting Paradigms for the Year 2000” contradicts Kurt’s initial statements, and is in alignment with Hal’s concerns.”

    if you check the date on the paper, it’s from early 1994 – back then there was still a notable exception to the ‘no financial incentives’ rule reasonably fresh in people’s minds… john mcafee (who left the company that bears his name quite some time ago) supposedly purchased virus collections… that, among other less than entirely ethical moves, is why he became a pariah in the av industry… the reaction was so severe that for a time just working for that company could hurt one’s reputation…

  13. Hal and Mr C – I have to let you know I spent some years studying Linguistic Philosophy at the grammatical and logical Level.

    If my memory serves me well it must have been at the time of the “Cold War”

    I failed to be a success at that venture and so moved on to medicine. As did Wittgenstein.

    The idea within Philosophy Departments then was to try to discover an algorithm (there were no prohibitions against nested parentheses) which would translate Russian into English.

    But then computers became so fast that it was possible to compare one lexicon to another and come up with a reasonable interpretation/translation.

    Dang. I wasted 4 years of my life.

  14. Tjilpi – That brings up an interesting question – is the world better off with more physicians, or more philosophers? Physicians will medicate an illness to its demise, but a philosopher will talk it to death.

    Regarding language translation, if automated systems existed to perform reasonable translations between Russian/English, as in the cold war, then why hasn’t that technology been exploited in the current war on terror? My understanding is that intelligence agencies worldwide are so backed up in Arabic/English translations of communications that they will never be able to catch up.

    And now I know that there is a field of knowledge called Linguistic Philosophy. Sometimes I long for those days of my youth when I was certain that I knew everything there was to know. It made things so much simpler.

  15. I thought I should chime in on this subject considering

    a) I got my BS in Computer Science
    b) I use the nested parentheses all the time
    c) I hate me some spy-ware and mal-ware
    d) I work for a Fortune 500 company that deals with spy-ware and mal-ware on a daily basis

    But alas, I’ve got no great advice.

  16. Tjilpi – Very interesting. I knew next to nothing about Wittgenstein (nor Tjilpi !). I personally recall an immediate loss of interest in my college philosophy course due to the circular, seemingly pointless rhetoric and unanswerable questions. I chose another path. Upon reading the Wittgenstein biography at statements like “nonsense is nonsense” in the Internet Encyclopedia of Philosophy, I can see I made the right decision.

    25 years later, I find myself now fascinated by the circular, seemingly pointless, and unanswerable questions of physics and the universe.

  17. Duane – I suppose if there were any *great* advice to be given regarding this topic, then we wouldn’t be having this discussion in the first place, so don’t feel badly about it.

    MrC – I empathize with you, however I find myself now fascinated by the circular, seemingly pointless, and unanswerable questions involved in making Windows XP work as advertised! After that, I’ll tackle the universe.
