Learn how to write your own malware

  • 04 August 2008
  • Published in Home Tech
As if malware were not already a big enough problem, with script-kiddies and a thriving underworld market in readymade malware exploit kits adding to the agony, one university is now actively teaching students how to write viruses properly...

There is something of an 'Oh My God' feel to the Newsweek article which covers the story. It claims that Professor George Ledin is somehow trying to disrupt the IT security industry status quo: "His syllabus is partly a veiled attack on McAfee, Symantec and their ilk" it says.

The course in question, tackling computer-security issues, is conducted at the Sonoma State University, San Francisco. Professor Ledin, Newsweek proclaims, has shown his students "how to penetrate even the best antivirus software."

Security vendors are, perhaps understandably, more than a little peeved. This could well be more to do with the arguments emanating from the direction of the good Professor than the actual course itself.

Newsweek sums up the Ledin position as being, in a nutshell, that consumer antivirus products are useless if college students can work around them. They are nothing more than a $5 billion per year cash cow for the vendors.

Of course, not everyone who uses a computer is taking a college course which teaches them to evade security software protection, so the argument does have some flaws. But then so does the counter-argument that Professor Ledin is some IT Dr Evil turning geeks into cyber-criminals.

The course has actually got much more to do with churning out future computer security professionals who can join the fight against cyber-crime rather than Mini-Me miscreants. Sure, there is the potential for harm but then the same can be said of any course which teaches the relevant programming skills.

When the courses first started, the Sonoma State University said that "students are learning the intricacies of how computer viruses are constructed in much the same way biology students learn about the intricacies of bacterial organisms and other life forms that cause disease."

But what about the ethics of malware instruction, and what do the security vendors have to say about it all?


It quoted a philosophy professor, John Sullins, who was working with Ledin on the ethical perspective of the course, as comparing learning about malware to learning a martial art. "Ledin's class provides students with an uncommon opportunity to learn," Sullins said, "not only how to react and defend against malicious computer programs, but also how they are used and the logic behind their construction."

Perhaps most telling, Sullins claimed that "Ledin is like a sensei in a virtual dojo, he not only instructs his students in the nuts and bolts of the creation of malicious software, but he also guides their understanding of when one should, and shouldn't, use the skills they are learning in his class."

Ledin himself is adamant that his students are not in it to cause harm, and cannot do so anyway as they work within a totally sandboxed environment, meaning there is no danger of their experiments leaking out into the wider networked world.

And anyway, why the big fuss? The course has been running for some time now and was not even the first of its ilk. As far as I am aware that honour goes back to 2003 when the University of Calgary announced plans for a Computer Viruses and Malware course.

At the time, the then global director of education for security vendor Trend Micro, David Perry, said "Why not have classes in hacking? Why not have classes in all kinds of malicious computer activity? You don't send somebody out to shoot someone so they understand what happens when somebody gets shot."

No, but you do train policemen and soldiers in how to use a weapon, and they do train for shooting people in highly realistic simulation environments. Very little difference, in actual fact, from teaching the mechanics of malware within a safely sandboxed lab.

Not that this cuts the mustard with security vendors, most of whom simply do not employ anyone with a history of creating malicious code as a matter of policy. And that, it seems, would include doing so at college...

