
I think this forum post sums it up nicely:

I think that anti virus companies [...] are the ones who develop most of the viruses on the market today. If you think about it, it does make sence because in order to make a good product, you need to make something that wears out or needs to be refilled/recharged. [...] If nobody is writting [sic] any viruses than they are not making any money so in order to keep business going they either pay someone under the counter to develop them or develop them themselves. Hasn't it ever occured [sic] to you why the anti virus companies know exactley [sic] what to do to remedy the virus?

So, are there any known cases, or strong suspicions based on fact (as opposed to merely logic), that antivirus companies actually do this?

Disclaimer: I used to work for an antivirus company

Sklivvz
  • You cannot disclose whether you witnessed such a crime, but the fact that you posted this question will lead many people to believe that you did. – Jader Dias Apr 15 '11 at 12:42
  • This isn't directly related but you might find it interesting: http://krebsonsecurity.com/2011/03/chronopays-scareware-diaries/ The people writing the scareware that makes you pay for it to go away are also the largest credit card processor in Russia... – Supercereal Apr 15 '11 at 13:19
  • @Jader: wouldn't it be even *more* suspicious, if I *didn't* disclose it? – Sklivvz Apr 15 '11 at 16:30
  • In my opinion, regarding ownership, hackers and viruses are like guns: the best hackers and viruses are in the hands of big governments, and they will use the best resources (network security analysts and antivirus software developers) to produce them. – Jader Dias Apr 15 '11 at 16:36
  • Any AV company that did this would be killing itself. If it ever got out that they had written something that caused a mass infection, their reputation would be in tatters; would you buy AV software from a company that was in the business of infecting your machine so you'd buy newer versions of their software? I think you'll find that the majority of viruses are written by organised criminal gangs and used to make lots of money nowadays (of course you'll still have the odd script kiddie trying to make a name for himself) – Ardesco Apr 18 '11 at 07:55
  • @Ardesco: this is very likely a sound argument, but it would be great to get some substance behind it (e.g. a breakdown of what the source of viruses are, according to statistics). – Sklivvz Apr 18 '11 at 08:04
  • I think this question is impossible to answer conclusively. If there were companies known to do so, the PR backlash would quickly destroy them so no active AV company would be doing it for very long. But that doesn't mean none do it, it just means that IF they do it they're very good at hiding it. Then again, there's always ex-employees who'd spill their guts, so logic says if it happened it'd likely become public knowledge relatively quickly. – jwenting Apr 18 '11 at 13:41
  • "wouldn't it be even more suspicious, if I didn't disclose it?" don't ask, don't tell? If you'd not told us we'd never have known you even worked for an AV company. – jwenting Apr 18 '11 at 13:43
  • @Sklivvz unfortunately, due to the nature of the problem it is difficult, if not impossible, to trace the origin of many viruses. The majority of writers are anonymous and don't advertise what they do; because of this it would be very hard to prove that these anonymous writers have nothing to do with the security industry. I probably ought to mention that I have worked for an anti-virus company before. Whilst working there I saw no evidence of employees doing anything illegal, or of anybody writing viruses to put out in the wild. – Ardesco Apr 18 '11 at 14:23
  • @Ardesco: I agree, this is a difficult question. And I also agree with your insider look at AV companies (I worked at one too). – Sklivvz Apr 18 '11 at 14:38
  • I would say no, the company does not do it for profit. But I doubt that no worker ever did it. Some people would do anything to keep their job. So, to me, the question is if that person ever got a company approval for crossing the line. – cregox Apr 27 '11 at 17:00
  • Anecdote: I have an ex who used to work at an AV company. She explained that the company monitored some of the virus-writers' forums, and that is one of the techniques they used to have virus signatures ready before the viruses hit the wild. So, there is another explanation for how they might know "exactley [sic] what to do to remedy the virus". I tried suggesting to her that the virus-writers might, in turn, be monitoring the forums for the AV-developers, but the irony was lost on her :-( – Oddthinking May 24 '11 at 12:59
  • Have you ever noticed how hard it is to uninstall an anti-virus program, and how they usually come pre-installed? That's your virus/con-job going on right there. – Mark Rogers Jun 15 '11 at 02:04
  • Fun question - it has similarities with some conspiracy theories. I think it fails a simple profit/effort analysis. Malware creation involves: 1. Writing the software itself - requires skill and at least some effort. 2. Distributing it - even harder, requires effort and often money. 3. Breaking the law. The benefits are very small compared to the effort: 1. Having a bit more work. 2. Nothing more. Sorry. The proposition really is similar to the rather funny question: if policemen didn't rob a bank occasionally, aren't they relying too much on the criminals for their job security? – Boris Jun 14 '11 at 21:09
  • The rumour may be perpetuated by the fake "malware scanners" that falsely report "your computer has problems" only to then send you to their website to buy "the full product" which does nothing except disable the warning message in the "free" scanner for a while. – jwenting May 07 '13 at 05:44
  • "If nobody is writting [sic] any viruses than they are not making any money so in order to keep business going they either pay someone under the counter to develop them or develop them themselves." The conclusion does not follow from the premise, "If nobody is writing viruses" is not evidence that nobody is writing viruses. – shieldfoss Jul 07 '13 at 07:41

1 Answer


Back in the early days of the computer virus problem (the 1980s and 1990s), there was a certain plausibility to this question. Viruses began, in most cases, as mere forms of vandalism created by experimenters ("hackers") for their own amusement or bragging rights.

Multiple anti-virus vendors emerged with solutions, and eventually they started advertising their products based on various parameters including the number of virus signatures included. As these things tend to do, this briefly escalated into a "signature war" where each vendor claimed to have more signatures than the others. Vendors jealously guarded their signatures so they would have an advantage over their competitors.

It would have been easy during this era to imagine that there couldn't possibly be enough teenage hackers out there to create the thousands of viruses that the top vendors were claiming. In a search for other sources, one might assume that the anti-virus vendors themselves (who stand the most to gain) were creating the viruses.

A number of developments around this time (the early 1990s) tend to provide alternate explanations for the virus boom. One was the emergence of virus creation kits such as the Virus Creation Laboratory, which allowed someone with a very low level of expertise to create new viruses at will. Another was the emergence of polymorphic code, a technique where viruses would alter their own code specifically to evade signature-based anti-virus software. Multiple polymorphic versions of the same virus would sometimes inflate signature counts.

Because of the emergence of polymorphic code, many anti-virus vendors were forced to change their software (and their advertising messages) to get away from the idea of signature counts. Instead they used other heuristic ways to detect viruses. Frankly, trying to battle in the market over signature count is not a good long-term strategy anyway - your customers get tired of hearing the same message, it becomes costly to keep up your signature collection efforts, and so on.

This led to anti-virus vendors beginning to cooperate with each other on signature collection. For a long time the Wildlist was one way the vendors very quickly handed over new virus samples to each other, so all vendors would be able to respond to new threats in a timely manner. This continues to this day in sites such as Offensive Computing, where millions of samples of actual malware are available to logged-in users. The standards committees have even gotten involved, with the IEEE forming a malware working group to develop standards for rapid sharing of malware samples.

Logic would tend to dictate: if the vendors are rapidly sharing samples, why create new ones themselves? And indeed, anti-virus vendors have always reacted negatively when others have publicly created malware for various purposes. Examples of such backlashes include those against a college class in 2003 and against Consumer Reports in 2006.

As the tagging on this question would suggest, it is more correct now to refer not just to the virus problem, but the more general malware problem. This includes such concepts as the botnet, something we never saw in the early pre-internet virus era. And that change in definitions leads us to the biggest alternate explanation for the explosion of malicious code. As before, the explanation involves money.

There are hundreds of ways to make money online, and many of them are well suited to abuse. This has resulted in the emergence of large numbers of cyber criminals who take advantage of these forms of abuse.

These monetary incentives include:

All of this creates a tremendous monetary incentive to evade signature-based anti-malware, so polymorphic malware and rootkits have proliferated amongst these online criminals. A current article indicates that as a result the very idea of signature-based malware detection is dying, and has been for some time.

Lone hackers still exist, but they are by far a minor component of the modern malware problem.

Bottom line: no current anti-malware vendor would ever see the need to create their own viruses or malware. It is everything they can do to keep up with what's out there.

[Disclosure: I've worked for computer security software vendors, but have never worked directly on an anti-virus product. I have taught classes in how to reverse-engineer malware. The Offensive Computing site is run by a friend of mine.]

Tim Farley
  • In your bullet list you forgot ["bundle unwanted crap with your software updates"](https://www.google.ch/search?q=java+mcafee) :) – Benjol May 07 '13 at 06:47
  • Botnets are used for a lot more than sending spam. They also sell off their computing time (since a botnet is essentially a distributed supercomputer - very useful for cracking password hashes) and bandwidth (for DDOS attacks, vulnerability scanning etc.). – BlueRaja - Danny Pflughoeft May 09 '13 at 19:59