David Harley

Senior Research Fellow

Education? Academic background in modern languages, social sciences, and computer science.

Highlights of your career? I was a late starter (1986) as an IT professional, beginning at the Royal Free Hospital, then with the Human Genome Project (1989), then at Imperial Cancer Research Fund (1991-2001), where I wrote/co-wrote/edited a number of Internet FAQs and my first articles on programming and security. I presented my first conference papers in 1997 (at Virus Bulletin and SANS). In 2001 Osborne published Viruses Revealed (co-written with Robert Slade and Urs Gattiker): VR and the later AVIEN Malware Defense Guide (Syngress) – to which Andrew Lee also contributed – are probably the best known of my books. When I rejoined the UK’s National Health Service in 2001, I ran the Threat Assessment Centre and was the go-to person nationally for malware issues. I left to work as a freelance author and consultant in 2006, which is also when I began to work with ESET.

Position and history at ESET? Senior Research Fellow at ESET N. America. Primarily, I’m an author and blogger, editor, conference speaker, and commentator on a wide range of security issues. Like the rest of the industry, they put up with me because I’ve been around so long.

What malware do you hate the most? Malware is just code. It’s malicious people I detest. While I’ve no love of scammers, I can see that it’s easier to be honest in a relatively prosperous environment – if there is such a thing anymore – and that cybercrime can be driven by an economic imperative. But I have nothing but contempt for those sociopaths who cause harm to others for no reason except that they can.

Favorite activities? The guitar (I still gig and record when time allows), other people’s music. I love opera but don’t attempt to sing it. Photography, art, poetry, country walking – well, ambling is about as much as I can manage at my age – good food and wine, good television when I can find it...

What is your golden rule for cyberspace? Scepticism is a survival trait: don’t assume that anything you read online is gospel truth, even this adage.

When did you get your first computer and what kind was it? Amstrad PCW (primarily a word-processor) in 1986. What else would you expect a not-very-rich author to buy in 1986? :)

Favorite computer game/activity? Extra-curricular writing (blogging, verse and lyrics, articles). Digital photography and miscellaneous artwork.

Articles by author

Stuxnet Analysis 1.31 and TDSS article

...version 1.31 of "Stuxnet Under the Microscope" is now available on the white papers page ... Until now Rooting about in TDSS was only available to VB subscribers, but it too is now available on the ESET white papers page.

Stuxnet Information and Resources (1)

The Stuxnet analysis "Stuxnet Under the Microscope" ... has, unlike most ESET white papers, been subject to a number of revisions as we've come to know more about the malware itself, and as the purposes of its perpetrators have become clearer. However, since all the known vulnerabilities exploited by Stuxnet have now been patched, version 1.3x of the document is likely to be the last substantial revision.

Comment Spammers Welcome

...An interesting trend in blog comment spam that I’ve noticed in recent months is that a number of comments are obviously intended to push a product or site, but contain content that is actually relevant...

New Link on White Papers Page

...This paper, presented at the Annual Computer Security Applications Conference (2010) ... discusses alternative approaches to understanding botnet mechanisms, using "in the lab" experiments involving at-scale emulated botnets...

Support Scams: Even More Personal

A recent report from Get Safe Online suggested that one in four people in the UK have received calls like this (based on a sample of 1500 adults), and my colleagues in Ireland tell me that their experience suggests comparable figures there.

MS10-092 and Stuxnet

...among the 17 security bulletins just released by Microsoft on Patch Tuesday, MS10-092 addresses the Task Scheduler vulnerability prominently exploited by Win32/Stuxnet...

Crouching Worm, Hidden Virus Writer, Rising Damp

...poachers turned gamekeeper are not uncommon in the security industry as a whole, and it's all too common for aspirant virus-writers whose notoriety is not necessarily matched by their technical skill to be hired by companies on the remote borders of malware detection and filtering, but the "real" AV industry goes out of its way to avoid hiring the ethically challenged....

Stealing from Santa (Scammers’ Holiday Season)

My colleague Urban Schrott, from ESET Ireland, wrote a nice feature article for our monthly ThreatSense report (which should be available shortly on the Threat Center page) on seasonal scams. As the scam season is starting to get into full swing, we thought it might be good to give it a wider audience here.

Stuxnet Code: Chicken Licken or Chicken Run?

...given the amount of detailed analysis that's already available (and I mean substantial blocks of reverse-engineered code, not high-level analysis and code snippets and descriptions), I'm not sure that anyone with malicious intent and a smidgen of technical skill would need the original code...

Stuxnet Splits the Atom

...article suggests that "Stuxnet was developed to improve the quality of enriched uranium, so that it no longer can be used for the production of atomic bombs." It's an interesting theory, and I'm certainly not going to say it's wrong...

Fake anti‑malware

Pierre’s recent blog on fake invoices mentioned the problems we’re seeing nowadays with Trojans masquerading as anti-virus or anti-spyware programs, and this reminded me that I blogged [link removed as no longer available – DH, 2017] on that topic recently at Quanta Security, one of the external sites for whom I have sometimes done pro

Negative Values: Racing Past Zero

Well, there’s not much doubt about the SecurityFocus view of the Race to Zero event. A report by Robert Lemos is festooned with advertising that states “If you want to stop a hacker…you have to act like one.” Perhaps Symantec, who own SecurityFocus, can afford to be relaxed about the event, since their scanners weren’t represented

Adware, Spyware and Possibly Unwanted Applications

An interesting comment turned up today to my “Malware du Jour” blog entry at Securiteam. The poster asked a couple of questions, based on content from the ESET mid-year Global Threat Report, one of which was ‘How do you define “possibly unwanted applications [PUAs]?”‘ My first thought was to refer him to the definition

Global Threat Report – Half Year

Our mid-yearly Global Threat Report looks at malware threat trends over the past six months, based on data from our ThreatSense®.net threat tracking system. This report focuses on broad trends rather than individual malware variants: this reflects better the proactive detection which is the strength of our products, but is also more useful to most readers. Here’s a

Apple Crumble?

I had an interesting query from Scientific American [unfortunately Larry Greenemeier’s blog post showing the main thrust of the discussion is no longer visible on the site – DH, 2017]. He asked, “Could Apple’s move to pull its security presentation from the Black Hat conference backfire on the company and make the company more of a target for

A Departure (sniffle)…

Alas, Andrew Lee, our beloved leader in the Research team, has left ESET for green fields and postures – er, pastures – new. He was last observed heading for the beach and muttering something about bikinis, but assures us that he isn’t leaving the antivirus industry. That’s certainly a good thing, as even before he joined

Stealth & Vulnerability

For many years, anti-malware industry developers and researchers have been waging a bitter war against malware writers. Even if the objectives of the malware writers have radically changed from fun to profit, the arms race has always continued. Malware writers are constantly trying to create programs that will evade antivirus detection. On the other side

Farewell Angelina

Kurt Wismer (whose blog is well worth tracking, by the way) responded to my “Giving Old Viruses the Boot” blog as follows (I’ve only just seen it, hence my re-opening the topic as a fresh blog, rather than as another response to the original blog): kurt wismer Says: June 20th, 2008 at 11:39

Giving Old Viruses the Boot

Further to my recent post on the venerable (but still out there) Slammer worm, we were asked recently about a real old-timer, a boot-sector infector called Stoned.Angelina. (Oddly enough, I think this was the last BSI reported to me when I was still doing occasional 2nd-line AV support earlier in this decade.) How could such an elderly

What the Helkern is that?

In my copious free time, I sometimes answer questions on security issues on one of those “Ask the Experts” pages. It sometimes feels a bit like stepping into a not-quite-parallel universe, where it’s still 2002-3: a strangely high proportion of those queries are about Helkern (the worm most of us know as Slammer or SQL Slammer,


I run (in my copious free time) a page called Mac Virus that I inherited from Susan Lesch, who ran it as a comprehensive Mac antivirus resource. (That page has nothing to do with the later pages which also refer to themselves as Mac Virus, by the way, and recently experienced infestation problems

Recreational Virus Writing

Greetings, my loyal readers. How are you both? Have you noticed that I’ve been uncharacteristically quiet for the past month or two? A combination of sheer overwork (are you listening, boss?), a much needed holiday, and some fairly serious surgery, has prevented me from sharing my prejudices with you. And look at all the things that have

Macs & Malware

These are interesting times for Mac users. And I’m not just referring to Apple’s remorseless expansion into gadgets and gizmos, or even the very occasional Proof of Concept malware intended to prove that OS X is exploitable, but to the fact that the security industry, the media and the bandits are all paying the platform much

Snopes hoax revisited.

I’ve already posted something about this chainletter, but figured it was worth expanding on which parts of it are useful and which aren’t. A friend who is a computer expert received the following directly from a system administrator for a corporate system. This kind of opening is characteristic of many hoaxes and urban legends (we

Snopes hoax

I don’t, in general, have much time for virus writers: not, at any rate, the guys who can’t keep their creations to themselves, and don’t care if they cause damage. They’re not all like that, of course: I’ve talked to virus writers who seem nice enough guys, and even to some who are almost as

The More Things Change…

…the more they remain the same. It’s sometimes too easy to forget that it’s not all about the technical analysis of malware. Often, it doesn’t matter how startlingly sophisticated or innovative malware is: if the social engineering hits the spot, and technical defences fail, as all too often they do, that’s enough. Depressingly, the engineering doesn’t have

A Little Light Reading

I’ve just found out that I have another book out. Well, a single chapter in a three volume set called The Handbook of Computer Networks. (The chapter is on E-Mail Threats and Vulnerabilities: thank you for asking.) “I’ve just found out…” probably sounds quite disingenuous. How could anyone not know they had a book published?

Storm in a D‑Cup

Bot-hunters were somewhat puzzled recently when a botnet called Mega-D suddenly started grabbing headlines as the successor to the Storm (or Nuwar) botnet. Though the Storm network does seem to have declined in overall numbers over recent months, reports of its demise still seem exaggerated, and no-one seemed quite sure what Mega-D was and where it

Less Worms than Leeches

As you might guess, the New Scientist article on the Microsoft research “friendly worms” paper excited more annoyance than admiration, not only here but elsewhere in the research community. However, when a link to the actual paper turned up (thanks to Jimmy Kuo for pointing it out), it turned out be rather less dramatic. While it does refer to

Worms and Leeches

Every so often, an old wheel is reinvented. In the anti-malware game, an old favourite is what Dr. Fred Cohen used to call the “benevolent virus” or “maintenance” virus. Dr. Cohen’s early research and commentary remains the formal basis for much of the way we think about malware and anti-malware today. Several pages in “A Short