Who is Writing the Viruses?

Hitler is alive in South America. Jim Morrison is alive and living in seclusion on a mountain somewhere. Conspiracy theories never die and tend to live forever in the minds of the irrational. I recently received the following question:

Some people say that the AV company itself (ESET, Kaspersky, Symantec ..) also writes viruses! How can we reply to them with rational evidences?

Well, rational evidence never killed a conspiracy theory, but I’ll provide some information anyway. Most AV companies refuse to even hire a known virus writer. It is entirely possible that at some point in history an individual who worked for an AV company wrote a virus. No company is immune from hiring a bad apple here and there, but writing viruses is not the kind of thing a legitimate antivirus company condones.

Before I go on, let’s change the word virus to malware so we are talking about malicious programs in general. Most of the malware we see today is not a virus at all.

There are several good reasons for an antivirus company not to write malware. If an antivirus company wrote malware then they would jeopardize their business. If they got caught doing this they would be out of business and face criminal charges in many countries. This isn’t a very smart business strategy.

Right now there is too much malware to keep up with. Antivirus companies struggle with the sheer volume of threats, there isn’t a need for more. I’m sure the labs at the AV companies could keep busy for a long time processing the samples that haven’t yet been added for detection.

It is a really stupid business model for an antivirus company to pay someone to write malware when there are so many people who already do it. If people come over and keep your house immaculately landscaped for free are you going to hire someone to do that as well?

Writing viruses is not that hard a thing to do. It doesn’t take much more skill than a novice programmer has to write a virus, it isn’t rocket science. While I am sure there are still some of the old school virus writers who write viruses for fun or out of malice, the bulk of the malware we see today is used to steal money, online game credentials (for money), and personal identities (for money). We see malware written and used for corporate espionage, and probably for government espionage as well. Sometimes malware is used for retaliation, however it isn’t the antivirus companies writing all of this crap.

Most antivirus companies were started by a person who encountered a virus and wanted to try to get rid of it. These people started with the intent of creating a very useful program and never lost that desire.

Now a days there are rogue antivirus products, but these are written by criminals who have no ability to write a decent antivirus product and are hiding so as not to get caught. Writing malware is what these people do for a living.

There have been some malware authors who were caught and convicted, but none of them were in the employ of an antivirus company.

Now you can show an irrational person the information, but you can’t make them think rationally. You might ask them if they believe the firemen start the fires to keep their jobs, if doctors try to make people sick to keep their jobs, if garbage collectors make all the trash to keep their jobs, and so on.

It is a ridiculous and illogical accusation that doesn’t stand up to logical scrutiny, but such is the case when you deal with paranoid conspiracy theorists.

Randy Abrams
Director of Technical Education

Author , ESET

  • Charles Jeter

    Gee Randy, I thought I could be the gunman on the grassy knoll this time… :)

    • Randy Abrams

      No silly, that one is real :)

  • Marc Ruef

    Hello Randy,
    Nice article on which I can fully agree.
    But I'd like to enhance your statement. I am co-owner of a more or less popular IT security company here in Switzerland. We have high ethical and legal requirements for our employees – So do our customers.
    But it is a requirement that our (technical) people know how to find and exploit vulnerabilities (because we are specialized in penetration testing). And if we find a 0-day vulnerability we are going to publish a co-ordinated advisory and poc/exploit. Thus, we help to increase the amount of attack vectors in a first place. But we also do help to improve the awareness of our customers and the security of their sites in a long-term view.
    I may expect that antivirus researchers also do some programming and try to improve interesting approaches (e.g. polymorphy or anti reversing) sometimes. I think this is an important part of academic and industrial improvement of security industry.

  • Charles Jeter

    Hi Marc,
    Thanks for posting – I'm sure Randy will reply as well. The short version of my reply is that it isn't unlawful to think a crime, only to put a criminal plan into action.
    The key part is always intent.
    Being fairly compartmentalized I only know of some of our researcher methods but those I know personally do not write the mal-code, they merely dissect it, which requires a bit of puzzle mastering in and of itself. Still, there's a fine line between research and unleashing a weaponized program – sometimes seen as handling pipes rather than building pipe bombs.
    Publishing a coordinated advisory of exploits is admirable. There's also a fine line between business profitability and I think security firms main competitive edge happens to be the media and how well played the exploits which are discovered are covered.
    Recently I posted an article over on securingourecity.org – which you could find at which talks about the 'Sheepdog or Wolf' concept in regards to programming. Keylogging software, in the instance I examined, was employed at a cost to a user in order to monitor what their tweens/teens were doing online. Instead, as the company began to do a different business model the keylogging was blatantly using the content it was screening in order to aggregate marketing information on the teens as an audience. You can well imagine the issues which ensued on all sides.
    Thanks again for the comments!

  • Randy Abrams

    Hi Marc, this is one area where the difference between virus and trojan becomes critical. Viruses replicate. If a mistake is made then you may never get that piece of code out of the wild until the environment has changed enough that it can no longer replicate. I think it is safe to say that boot sector viruses that could only infect 360K floppies are essentially extinct. Trojan programs require intent to be a Trojan. There is nothing wrong with exploiting a vulnerability, it is all in how you do it. Nothing wrong with creating a POC, it is all about how you use it and disclose it.

  • Cradle

    es mas que claro que las empresas antivirus contratan obreros resentidos para infectar computadores asi es el negocio de estas empresas antivirus si no fuera asi estas empresas no existirian en el mundo y no seria negocio

  • toxinon


    Pienso que es algo muy ilógico que una compañia antivirus fabrique virus por las siguientes razones:

    1-No seria algo moral / ético. Las compañias de seguridad son para eso (para brindarte seguridad), NO para fines oscuros, esto representaria cargos legales para ellos.
    1-Diariamente aparecen muestras de nuevo malware, en el orden de cientos de miles (+100,000). Esto viene a ser alrededor de varios millones al mes. Es imposible (para X organizacion, por muy grande que sea) fabricar tal cantidad de muestras en tan poco tiempo.
    2-Por qué desperdiciar tiempo en hacer eso?, si globalmente se reciben tantas muestras que incluso se necesitan de sistemas automatizados para recolectar y clasificar la mayoria de muestras, con el fin de un mejor flujo de trabajo para los analistas de malware

Follow us

Copyright © 2017 ESET, All Rights Reserved.