Saturday, December 19, 2009

Are antivirus companies the main driving force behind virus writing?

I've always wondered why there are so many Windows viruses, especially when I'm cleaning malware off a friend's PC. The number is on the order of hundreds of thousands. An immense number of lines of code. An awful lot of human effort. And when you think about it, the world is not such a huge place. Naturally, some people suspect that antivirus companies are somehow funding virus development, given that antivirus companies are the primary beneficiaries of it. This proposition, naturally, is routinely dismissed as an urban myth (no matter what).

I've found some indirect but convincing evidence in favor of this 'conspiracy theory'. There are far too many Windows viruses and worms nowadays which replicate but do absolutely nothing besides slowing down the computer, saturating the internet and so on (so that the antivirus 'speeds up' the computer). Somehow, those viruses are the majority. Viruses which actually do something, like DDoSing a website, stealing credit card numbers, doing some evil as a botnet, inserting obscenities into documents and so on, are the minority; those worms are unusual, you read about them in the news. Even the botnets nowadays just sit doing nothing (like Conficker: a huge scare; it penetrated a lot of government facilities it should not have been able to penetrate, which was quite seriously scary, and then did pretty much nothing except bring billions into the antivirus business).

This is very strange. That doesn't even look like vandalism or crime. Graffiti artists want their drawings to be seen; political vandals want to damage public property; criminals steal public property for scrap metal; all IRL vandalism appears motivated, even if the motivation is bizarre. There's always some driving force.
If you look at old DOS (pre-Windows) malware, nearly every virus did some original mischief: falling letters, animations and logos, obscenities inserted into documents, wiped hard drives, obscenities croaked out of the PC speaker, a mouse cursor that misbehaved, and so on. Almost every 'harmless' virus at least showed a message about itself. There was some self-expression, not unlike graffiti. You would expect most modern viruses to set something like goatse or 2girls1cup as the desktop background, to scream from the speakers, to display political messages, to secretly record video with the webcam and upload it to YouTube (particularly effective if combined with displaying something nasty), and so on, a zillion possibilities. Indeed, that's what hackers do when they deface a popular website. But if you look at modern viruses, only a small fraction try to do mischief or actually commit a crime. The majority seem to do nothing except support the antivirus manufacturers. There's almost no mischief and no graffiti. The viruses look like someone's boring daily job, not like bored teens trolling. Okay, there are some nasty password stealers and such; those MAY be some criminal's boring daily job, but why don't the harmless replicators even rickroll the user? (edit: actually there is a virus which rickrolls users. It's on the iPhone!)

It seems to me that there is only one explanation: development of Windows viruses is nowadays heavily funded by antivirus companies. This at once explains why the majority of viruses do nothing except replicate and generate scare, why amusing (when it's not your PC) virus pranks have become rather uncommon, why there are very few Linux worms (mostly backdoors), and how antivirus companies manage to 'detect' so many obscure viruses (which you would think the user wouldn't even notice) every day while being unable to respond promptly to real threats (which are extremely noticeable).

Antivirus company spokespeople would say that this is analogous to suspecting tire manufacturers of paying kids to knife holes in tires. Well, firstly, that's an intentionally deceptive analogy. As a matter of fact, nobody is knifing tires in such numbers as to sustain tire manufacturers; furthermore, paying kids to knife tires would be far more dangerous and expensive, since you can't outsource it to China or safely delegate it. That is why nobody suspects tire manufacturers, not blind trust that a big company would never commit a crime. They make their profits from natural tire wear. Had they been making most of their profits from tire slashing incidents, from unmotivated malice, then they would in fact be suspects (as the primary beneficiaries of the crime). The antivirus industry is more like an heir inheriting billions from a rich uncle who was killed in a hit-and-run near his house. Make that killed by a sniper shot, a supposedly unmotivated sniper shot.

Secondly, as a matter of fact, a lot of antivirus software is recognized to be fake, and the big brand antiviruses use pretty much the same unethical tactics (popups telling you to upgrade, scaring you with numbers like '27 threats detected', reporting things like browser cookie files as threats, and so on) to generate revenue.

On the topic of trustworthiness of 'good guys'...
Putting aside small brand scareware, even the major 'antivirus' companies such as McAfee and Norton Antivirus engage in nearly fraudulent overcharging of their customers' credit cards (not outright illegal, but extremely close). If you unsubscribe from Mc A Fee, they reportedly keep charging you the fee for 3 more months.
I certainly wouldn't trust such companies enough to hold them above suspicion of virus development. There are certainly plenty of ways to do this quite safely; e.g. a company could outsource virus identification to a separate company in a third world country, and this company in turn could hire a sweatshop of people and give them instructions vague enough that they could write the viruses in the first place. Should this get discovered, the proxy gets blamed and liquidated, while the sweatshop stays in place and keeps working (under a different name). People who were getting suckered into paying for antivirus are still getting suckered into paying for antivirus. People with a clue are 'outraged', but they would never have bought antivirus in the first place.

I myself (I'm a Linux user) would not care about Windows viruses and the associated scareware at all if not for the impact on honest software developers. False positive rates of antivirus software are very high. The primary reason, I suppose, is that a high false positive rate increases profits for antivirus companies: the typical user tends to think that an antivirus which found a virus is superior to one which didn't. It appears as if some random short strings, which have nothing to do with any virus functionality and appear in ordinary software as much as in viruses, are consistently recognized as 'viruses' by design, resulting in a credible virus scare for the customer. This is quite annoying for developers.
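To show the mechanism behind that last complaint, here is a naive substring signature scanner, an added example that is not code from the original post and not any vendor's engine. Both 'signatures' are constructed for the demonstration (the 2-byte one is the `int 21h` DOS syscall opcode, which every DOS program contains; the 16-byte one is arbitrary hex), and the 'benign' files are random bytes. It also prints the closed-form false positive probability for a given signature length, which is the general point: the chance of a chance match falls off exponentially with pattern length.

```python
"""Why short byte signatures produce false positives.

Added illustration, not code from the original post. The signatures and
the "benign" files are constructed; nothing here is a real AV signature.
"""
import random

# Constructed signatures. "short-int21" is the two-byte encoding of the DOS
# int 21h system call, which appears in practically every DOS program, so a
# scanner that keys on it will flag ordinary software as readily as malware.
# "long-arbitrary" is sixteen arbitrary bytes with no particular meaning.
SIGNATURES = {
    "short-int21": b"\xcd\x21",
    "long-arbitrary": bytes.fromhex("3a7f91c4e2085b6dd10f4a93c7e6b2f8"),
}


def scan(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of every signature whose bytes occur anywhere in data.

    This is the simplest possible detection strategy: a plain substring
    match with no context about where the bytes sit or what they do.
    """
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def expected_false_positive_rate(sig_len: int, file_len: int) -> float:
    """Probability that a sig_len-byte pattern occurs by chance in a
    uniformly random file of file_len bytes.

    Each of the n = file_len - sig_len + 1 offsets matches with probability
    p = 256**-sig_len.  Treating the offsets as independent, the chance of at
    least one hit is 1 - (1 - p)**n, which is essentially exact for small p.
    """
    p = 256.0 ** (-sig_len)
    n = max(file_len - sig_len + 1, 0)
    return 1.0 - (1.0 - p) ** n


def false_positive_count(signature: bytes, files: list) -> int:
    """Count how many of the given (benign, random) files match the signature."""
    return sum(1 for f in files if signature in f)


def demo(seed: int = 1, n_files: int = 200, file_len: int = 64 * 1024):
    """Generate n_files random 64 KB 'benign' files (constructed data) and
    count how many each signature flags.  Returns (short_hits, long_hits, n_files).
    """
    rng = random.Random(seed)
    files = [rng.randbytes(file_len) for _ in range(n_files)]
    short_hits = false_positive_count(SIGNATURES["short-int21"], files)
    long_hits = false_positive_count(SIGNATURES["long-arbitrary"], files)
    return short_hits, long_hits, n_files


if __name__ == "__main__":
    for k in (2, 3, 4, 8, 16):
        print(f"{k:2d}-byte signature, 64 KB random file: "
              f"P(false positive) = {expected_false_positive_rate(k, 64 * 1024):.3g}")
    short_hits, long_hits, n = demo()
    print(f"2-byte signature flagged {short_hits} of {n} random files")
    print(f"16-byte signature flagged {long_hits} of {n} random files")
```

On 64 KB of random data a 2-byte pattern has roughly a 63% chance of appearing somewhere, a 3-byte pattern about 0.4%, and a 16-byte pattern effectively zero; the `demo()` run reproduces the first and last figures empirically. Real engines use far longer patterns plus context, so this is a model of the complaint rather than of any product, but the exponential dependence on length is why a signature short enough to occur in ordinary software will fire on ordinary software.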


  1. I get where you're going with this... hehe...

  2. Developing them for "testing purposes"?
    I think you may be on to something.
    Thanks for speaking out.