Feeds

A Special Needs Class

The Little Red Book of Computer Viruses

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

The University of Calgary's new course in virus-writing begs the question: is it a cheap publicity stunt or just boneheaded educating, asks SecurityFocus columnist George Smith.

Did you hear the one about the college professor and his virus-writers course? For the final exam students had to work up viruses that land them in jail for eighteen months. Ta-dump!

It's a valid requirement for getting inside the mind of the virus-writer. It sufficed for virus-writer Chris Pile and would be sure to separate the men from the boys in any such class, guaranteeing that if they talked the talk of the malicious code programmer, they could walk the walk, too.

But I doubt whether John Aycock of the University of Calgary will make his Fall semester virus-writing students do that. Angry parents, outrage, lawsuits, ejection from the academy.

Outrage alone is good, though. It means publicity, and the University of Calgary's press release on its new virus-writing course explicitly promises "[i]nterviews and photo opportunities can be made possible subject to availability."

The computing men of UCal want notice and they should have it. And not just kudos for dreaming up an exciting curriculum but admonishments, too, because real virus-writers revel in their bad notices.

The aim of the UCal course is to get a personal look through the eyes of the malware maker, the reasoning being that only by generating nasty code can one understand and fight digital disease.

"This attitude is similar to what medical researchers do to combat the latest biological viruses such as SARS," blabbers the UCal statement. Absolutely! Everyone knows that the doctors who fought smallpox invented new brands of it and that all medical students specializing in infectious disease have to spend a semester cooking up new ailments.

However, a virus-writing course shouldn't be dumbed down with only milk-liver assignments like the programming of new computer viruses.

The technique of virus-writing is only about ten percent of the mind of the virus-writer and, truth be told, it's the most easily duplicatable and boring part. In addition, the programming is ephemeral: what makes a good Klez now will be no damn good in five years, and students deserve to be given skills that will last them a lifetime.

The good professor, wishing to fathom the motivations of virus-writers first-hand, will have to reproduce in the class some true virus-writer orthodoxy. Aycock, however, may not be able to fulfill this since it is alleged that students who take their work outside the lab will flunk. He might wish to think twice about that penalty.

You see, virus-writers have traditionally been stoked to produce more by observing the success of their creations in the real world. Priest, a San Diego-based virus-writer, was particularly thrilled when anti-virus companies would include the names of his viruses in ads placed in the trades. Others gained inspiration from seeing their creations appear in the anti-virus industry's "Wild List."

As a student, Harry McBungus released his work onto the computing devices of his peers in Australia and, of course, a university presents many opportunities of this nature, too.

Midterm Worms

To build esprit de corps, the class could divide into competing virus-writing claques, with names chosen with an eye toward virus history -- like NuKE[Calg@rEe] or Northern Corrupted Programming.

A week or two could be reserved for devising means of baiting victims with virus-infected porn-loaders, or the launching of mass mailing worms from an anonymous computer in the school library.

Another portion of the class could be used to build a virus-writers' website, perhaps named The Hellacious Pit, in honor of one of the largest virus exchanges of pre-World Wide Web days. A system of digital barter would be set up so that one could download viruses only by contributing new viruses. Verification could be strict or non-existent, depending on the rigor of the exercise.

Some students, for example, might want to take a digital fingerprint of all original viruses before stocking, and then scan uploads for minor variants, duplicates, non-functional "intended" viruses or dummy files. Using the fruit of this labor, viruses could be burned to CD as a unique collection and sold, the cash collected going into a fund that could be used as hush money for angry students and administrators involuntarily enrolled in the class as logical end points of a virus-writing experiment.

Viruses written during the course could be collected and published by the university press. A good title would be "The Little Red Book of Computer Viruses." I would suggest the color black but it's already been used.

By nature, virus-writers love to imagine themselves as nemeses of the anti-virus industry. The UCal course is off to a good start with its initial press, but to fully carry out this delving into the virus-writing persona it will need to continue its bonehead boasting through the semester. The school is well-suited for this capacity because it can issue inflammatory can't-miss press releases like: "Elite Aycock group produces midterm worms that could cause [fill in the blank] billion dollars in damage to world economy if released."

Students should be prepared, with knowledge born from course experience, to also explain how virus assaults to the US economy -- $266 billion, according to the UCal press release -- are over three hundred times more destructive and dangerous than the September 11 attack on the Pentagon, which resulted in $800 million in damages. If they can't do this, they'll become the object of jests, their faculty regarded as buffoons. Perish the thought.

George Smith is Editor-at-Large for VMYTHS and founder of the Crypt Newsletter. He has written extensively on viruses, the genesis of techno-legends and the impact of both on society. His work has appeared in publications as diverse as the Wall Street Journal, the Village Voice and the National Academy of Science's Issues in Science & Technology, among others.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.