Why Hackers Write Computer Viruses

Why do hackers hack? Why create a worm that sends out an email to everyone in your contact list, or a Trojan that deletes your term papers? Is it mischief, malice, money, or something else entirely?

This is the question that was on my mind when I met with Mikko Hypponen, a legendary computer security heavyweight who has been hunting viruses for 25 years—since Brain.a, the first PC computer virus.

From the plaza, I walked out to a seat by the water facing the San Francisco Bay. Hypponen was there, waiting for me. I sat down next to him. I felt like we needed code phrases.

"What makes this a New Orleans iced coffee," he asked, as he accepted his drink.

"It's the chicory," I replied.

"Did you know the Finns drink more coffee per capita than any other nation?"

"I did know that," I replied. "I know a lot about coffee."

Okay! I guess we had our code phrases after all.

Hypponen is the lead security researcher for F-Secure in Finland. His takedowns and diagnosis include some of the nastiest, biggest computer viruses out there: Sobig.F, Sasser, Storm Worm. PC World called him one of the 50 most important people on the Web. Hypponen was on his way to a black hat conference in Las Vegas.

We met at the Ferry Plaza in San Francisco, sitting by the pier as commuter boats came and went. I wanted to ask him about the long history of personal computer viruses, now in their 25th year, from the simple to Stuxnet, and the shifting motivations that inspire virus writers to act. We had an hour.

The Hobbyists

2011 is the 25th anniversary of the first PC virus. In September, 1986, two brothers from Lahore, Pakistan, Amjad Farooq Alvi and Basit Farooq Alvi, released Brain.a into the wild. Brain.a infected the boot section of computers running PC-DOS. Its authors claimed they were simply trying to target people who were infringing on their own software. But the virus spread wide across the world, and marked the beginning of the malware era in computing.

Late last year, Hypponen was going through his records at F-Secure. He found a box with the 100 first computer viruses, all on floppy disks. "These are probably from five years or more," says Hypponen, "now more than that are written in one hour."


He realized that the first of these, Brain, was approaching its birthday. He had a long history with it, having studied it when it was first unleashed. To mark the anniversary, he travelled to Lahore, Pakistan, in an attempt to track the Alvi brothers down. Amazingly, they still had a business at the same address they had listed in the original Brain.a virus code. So he knocked on the door. They answered.

"They wanted to demonstrate that the PC system was not as secure as Microsoft and IBM said it was," he explains. "They thought it was weak, and [wrote Brain] to demonstrate that."

The Alvi brothers were Unix guys. DOS seemed like a weaker system, and they thought they might be able to exploit it. They wanted to see if they could move code from one system to another, on its own. They wanted to see if it could be transmitted, like a virus.

It worked! Before long the brothers (who had helpfully included their phone number in the code) were getting calls from universities and businesses all over the world, wanting to know what it was.

Others began tinkering with Brain.a, releasing variants. And as time passed, more and more people began writing distinct viruses. These were for the most part, however, more of annoyances than real problems. They might mess up your system but they would not (for most people at least) ruin your life.

And then came email. And that was bad.

"It has changed completely now," says Hypponen. "It changed from hobbyists and old school hackers around 2002 or 2003 when the hobbyists realized they could make money."

The Criminals

By the turn of the century, spam was big business. But in order to send out a lot of spam, you needed a lot of computers. And to keep from getting caught, they shouldn't be your own. Enter botnets.

Viruses allowed spammers to capture and control users' computers remotely. They could use infected machines to ensnare other computers, sending out not just offers for herbal viagra, but phishing attacks and keystroke loggers that give them access to bank and financial data and personal information. By 2005, the point of malware writing had largely changed. Fuck proof of concept. Now it's for money.

There's also another reason that malware writers have surged: Microsoft Windows XP. That ancient system is, unbelievably, still the most widely used operating system on the planet. It's installed on more than 50 percent of all machines connected to the Internet, and it's very insecure.

"XP is the weakest of all systems," says Hypponen, " and it is installed on the most computers. Of course you will target that."

"The source of malware today is 99 percent criminal gangs, and that's a pretty nasty development," says Hypponen. "We didn't used to have to worry in the real world. But now there are organized criminal gangs, making millions from their attacks. When we shut down their operations, they know who we are."

It's not just a hypothetical fear. Ivan Eugene Kaspersky, who owns one of the world's leading anti-virus security labs, had his son Ivan snatched off the streets of Moscow earlier this year. Whether there was a revenge motivation, in addition to the ransom, is still unclear. But the fact remains that anti-virus guys are now effectively standing between the mob and big piles of money. Which is never a very safe place to be.

And if that wasn't bad enough, now there's a new, potentially deadlier, source of viruses: governments.

The Spies

"I have Stuxnet right here with me in my bag! Do you want it?"

He leans over and slaps his computer bag on the side. I decline. I know it's not, say, smallpox, but sitting next to the most sophisticated computer virus ever created is oddly worrisome.

Stuxnet upped the ante. It targeted only a certain programming environment, with a certain PLC, with a certain configuration, in a certain location—which turned out to be a nuclear plant in Iran. When it went active, it recorded the normal plant operations for a few days, and then began playing them back to monitors, like a closed circuit tv camera in a bank heist film, while in actuality it was modifying the speed centrifuges spun at, causing them to break apart, most likely in violent fashion. Stuxnet, for now at least, ended Iran's nuclear ambitions.

But where did it come from?

"It was done by your government!" The Finn doesn't have any proof of this, but like most security researchers, he takes it as accepted wisdom.

"I do believe that when in 2008, George W. Bush signed the [Comprehensive National Cybersecurity Initiative] that the end result of that was Stuxnet."

Unlike most viruses, Stuxnet didn't spread over the Internet. Instead, it spreads from one machine to another on infected USB sticks. Which means that somehow, someone had to get an infected stick into physical contact with Iran's nuclear facility in Bushier.

"We don't know how it was originally planted, says Hypponen. "My guess is that they pick-pocketed workers, or broke into their homes and planted them."

Stuxnet has heralded a new era. Today's sophisticated malware attacks might now just target one machine in the entire world. An employee at a certain company could get a virus targeted just to that specific person. Governments, corporations, and extremist groups are already engaged in this. As Hypponen points out, Stuxnet had been in the wild for more than a year before anyone discovered it.

What's out there now is an open question.

Hypponen was late for another appointment. And so as we finished our coffees, I stood to leave, and began walking away from the water, back into the plaza. Hypponen stopped me. He reached out his hand, and gave me my iPod, which I'd carelessly left in my seat.

He looked disappointed.


You can keep up with Mat Honan, the author of this post, on Twitter, Facebook, or Google+.