Profit Motives Influencing Worm/Virus Sophistication?

by Kyle Rankin

For the longest time, virus writers (I mean viruses and worms both when I say "virus" here, just for brevity's sake) have mostly been motivated by curiosity. In the "old days," with distribution methods limited primarily to floppy disks, part of the "fun" of writing a virus was to see how far it could spread, and I suppose in some cases, how much damage it could cause.

Today most viruses spread via the Internet, whether in an email, over a p2p network, or just by exploiting a known security hole. For a long time the primary motive still seemed to be curiosity, with the main payoff being to see how far a virus would spread.

The payload in viruses has typically either been very destructive (infection leading to deleting some or all data on a drive or otherwise destroying a system) or fairly harmless (asking the user for a cookie in the case of Cookie Monster, or just focusing on spreading to other hosts). Most of the major viruses in the past 5 years really only did harm because of how zealously they searched for new hosts, resulting in lots of network traffic.

Recently, I've noticed quite a few viruses with a slightly different payload. Instead of being focused primarily on spreading, a lot of recent viruses have also started using infected hosts as zombie machines for other purposes--either DDoSing an enemy, or (and this is becoming more and more common) using the infected host as a spam relay, or even both.

This new payload has introduced a profit motive into the virus-writing business. With spam relays being cracked down upon and blacklisted more and more, an enterprising programmer could probably make quite a bit of money through writing a successful virus that was able to send X million spam messages.

The money involved in such an enterprise is fairly predictable too. You can fairly accurately estimate how many hosts would be vulnerable to a particular exploit, and there is a baseline number of machines that are never patched and that will almost always be infected. These machines could be used for quite some time by the virus writer, and yield the most profit. Above that are the machines that will eventually get patched, but probably not until and unless the virus does something rather disruptive, like making the computer or Internet connection incredibly slow. Finally, there are the computers that are patched frequently, which can still possibly be used for a short time by the virus writer.

All in all, some simple math and a little research can tell an enterprising virus writer how much money could be made with a virus exploiting a random vulnerability. Take a typical machine:

seconds of infection * spam sent per second * dollars per spam = profit per machine

I say "profit" because other than time, the main "cost" of distributing the virus, bandwidth, is managed and shared by every infected machine on the Internet--the costs are negligible to the virus writer.

Now, introducing a profit motive to writing viruses really changes the landscape a bit. First, money will attract some people who may not have been willing to accept the risk of being arrested purely for curiosity's sake. Second, money will attract unscrupulous people who may not even know how to write a virus, but might be willing to subcontract out that part to someone who does. Third, you might just see some spammers cut out the middleman and hire people to handle this part of the distribution themselves.

The result ends up being more people writing viruses (in some cases more talented people, or at least more dedicated people), which results in more viruses. This also means extra motivation for people to exploit security holes (especially unpatched ones) more quickly, as that means more hosts spreading the virus, which means more money.

I wouldn't be surprised if, in the future, that pimply-faced teenager in a t-shirt and jeans you see the FBI hauling off to jail for writing the latest virus is replaced by a young adult in a suit and tie.

Do you think a profit motive has changed / will change virus writing at all?


2004-07-01 12:41:33
2000-11-26: Hybris : a demo for the next generation of viruses
Worms have increased in sophistication before the profit motive.

The 2000 Hybris Worm featured a modular design that updated itself with encrypted plugins. See: Hybris : a demo for the next generation of viruses.