Virus writers are hardly ever good programmers, says David Perry, global director of education or "evangelist"* for US-based anti-virus company Trend Micro; and that works to the advantage of virus detectors and virus victims.
Many viruses have faults that limit their spread or the damaging effect of their payload. There was a time, Perry says, when virus creators were educated college students who did a better job.
"There was a virus that quoted [poet William] Blake at you and one called Cascade that made all the letters [in a page of text input] fall to the bottom of the screen. Nowadays, the writers are mostly just script kiddies."
But at the same time, the viruses no longer blatantly advertise themselves, so more damage could be done before the infection is realised.
Today's really good programmers, he says, will probably not break into virus creation, "because now they're sending virus writers to jail". The competent software developer has a good job and career prospects and will not want to jeopardise them, Perry says.
However, at the same time, he casts doubt on his or anyone's ability to predict the future of virus development. He makes only one prediction; that over the next few years, two major developments will occur that no one predicted.
Trend had to rethink its strategy after Nimda, a worm that stitched together a lot of previous exploits acting through various channels such as email, http and direct server-to-server links. The company conducted a customer survey which showed that the time from the emergence of a virus through the identification of a "signature" and the issue of a protection update – the part anti-virus companies usually concern themselves with – was only a small part of the lifecycle of a virus in a system. Users were asking for information about what they could do for themselves to prevent infection -- "we could tell them: block this port or apply this patch" – before the signature was identified. "We found we weren't in the software business, we were in the expertise business."
A remedy based on identifying a virus signature takes at least an hour to develop, Perry says, because it has to be tested against a large number of legitimate applications and files to be sure it does not uncover the same signature in them and misidentify them as viruses. So early warnings and first-cut remedies can be a great help even if they are not perfect.
Users also asked for help with cleaning up the virus, and Trend Micro has now produced tools for this, he says.
Media and public overreaction can not only exaggerate the claimed effect of a virus but encourage its spread.
"There were people who read about the Kournikova virus, deliberately downloaded and infected themselves and then phoned systems support to complain they never saw the promised picture."
Equally, hype is followed by disappointment, leading to a blasé attitude about the next virus attack. Code Red generated a lot of publicity, but when the media saw the quiet way it went about its business, "they were disappointed that it didn't make smoke and flames belch out of the PC, like they'd seen on the movies". So Code Blue, a month later, was practically ignored in the media, despite its real danger.
Perry is involved in further research into virus lifecycles. "What makes a virus expire in two hours, while another hangs around for 10 years? We hope to get some ideas on that."
One disturbing aspect of virus vulnerability, he says, is that there are still several thousand known "holes" in common software, well publicised by the vendors and virus tracking services, that have never had a virus written to exploit them. So there are still plenty of openings for new viruses and worms. "Virus writers do read Bugtraq reports."
* "Some religious people objected to my calling myself an evangelist; so I switched to 'ambassador' - until someone at a lunch started addressing me as 'your Excellency'. Then I thought up 'director of public education', and my wife said 'you do realise that spells "dope", don't you?' So now, if I'm late, you can say you were waiting for G'doe. Or perhaps not." -- Perry.