What is the point of malware/viruses?

I know that there are probably as many answers to this question as there are people who make them, but for them to be so varied and widespread, there must be some gain on the part of the programmers, right? Is there any way to make money from malware or viruses that I do not see (other than the money made by local computer shops?)

Someone in the know - what are some of the common motivations for virus creators?

Spamming. There are far more virus-infected computers in the world than you think and the main reason for their existence is to send you and everyone in your address book information on v1agra and c1al1s.

That’s the point of it now but when plain old vanilla viruses showed up, the kind that just corrupted your files and caused all kinds of problems on your system, they did it for the same reason that trolls troll forums, because it’s fun and because they can. The same reason people vandalize public property. I’m sure some of them did it for notoriety as well. Remember back in the 90’s when there would be stories on the news about how the [famous person’s name] virus was going to go active on such and such a date because that’s his birthday and the people at McAfee think it’s going to do this or that to your system…someone was sitting on their couch thinking “Yup, that was me!”

Actually nowadays, it’s CC numbers.

Many viruses masquerade themselves as antivirus apps, say “for $69 we can solve your problem” then once they have your card, charge a bunch of stuff for overnight shipping…

Computing/network power - virus controlled computers are collated by the virus writers into botnets, and the *botnet-herder* then sells access to the botnet. Botnets can have millions of computers under control.

The botnet can be set up to send spam, launch DDoS attacks on commercial websites (for blackmail purposes), run distributed processing for encryption key attacks, open websites for click-through fraud and anything else someone wants to pay for. The herder charges for access to the botnet, and a percentage of the take, and this is all funded by (and helps fund) organised crime in a variety of countries like Russia, China, Ukraine, Albania etc. There is real violence involved, too.

This is why authorities/AV companies/Microsoft go after the control infrastructure first, rather than the individually infected PCs. If they can gain control of the botnet, they can instruct the infected PCs to clean themselves up. Of course, ISPs could also help, by applying simple rules to their own networks to restrict the ability of a botnet PC to act in certain ways (in particular, stopping port 25 traffic for spam, and preventing spoofed IP packets out of the network).

Si
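The two ISP-side rules mentioned in the post above (blocking outbound port 25 and dropping packets with spoofed source addresses), sketched as an added example that is not part of the original thread. The prefixes, relay address and flow records are constructed, using documentation address ranges.

```python
import ipaddress

# Assumed (constructed) values: documentation prefixes stand in for the
# ISP's customer address space and its authorised outbound mail relay.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}
SMTP_PORT = 25


def egress_verdict(src, dst, dst_port):
    """Decide what the ISP edge does with one outbound flow."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # Rule 1 (anti-spoofing): the source must sit in a prefix the ISP assigned.
    if not any(src_ip in net for net in CUSTOMER_PREFIXES):
        return "drop:spoofed-source"
    # Rule 2: customer hosts may only speak port 25 to the ISP's own relay.
    if dst_port == SMTP_PORT and dst_ip not in MAIL_RELAYS:
        return "drop:direct-smtp"
    return "allow"


def summarize(flows):
    """Count verdicts and list customer hosts that tripped the SMTP rule."""
    counts, smtp_hosts = {}, set()
    for src, dst, port in flows:
        verdict = egress_verdict(src, dst, port)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict == "drop:direct-smtp":
            smtp_hosts.add(src)
    return counts, sorted(smtp_hosts)


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", 443),   # ordinary web traffic
    ("198.51.100.10", "192.0.2.25", 25),     # mail sent through the relay
    ("198.51.100.77", "203.0.113.9", 25),    # direct SMTP to a remote host
    ("198.51.100.77", "203.0.113.40", 25),   # same host, another target
    ("10.9.9.9", "203.0.113.5", 80),         # source outside customer space
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

Customer hosts that repeatedly trip the direct-SMTP rule are the ones an ISP would flag for an infection notice.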

It’s big business, too. The ISPs that host servers owned by the bad guys could shut them down, but often choose not to, because they are big customers.

Because some men just want to watch the world burn.

This is a bit circular, but – security. I had a particularly fun honors section once where we wrote viruses and security hacks (buffer overflows etc). The reason? If you can’t break it, you sure as hell can’t stop it. Now, when you’re a white hat hacker like that you don’t RELEASE the malware into the wild, you keep it contained in a little virus aquarium, but a big part of security is being able to break your own product before the hackers can.

Because people are dicks.

This.

I have found that this explains a lot about human behavior.

I had this paranoid image in my head, where one section of McAfee writes anti-spam software to sell to household PCs, while another batch of paid employees sit in the darkened basement cranking out viruses that are annoying and visible enough for the customer to sigh and head to the store to buy McAfee protective software.

Nope. I work in anti-spam - not for McAfee - and there’s never been a shortage of real spam, viruses and malware causing trouble.

No. Nowadays, it’s not as small time as that.

The current wave of viruses were designed for two things:

  1. Charging you to “remove” them. People will see the alarm and send the fake antivirus your money and their credit card numbers. The fake antivirus will stop sending out alerts for a few months, then warn you again, asking for more money (I’ve had people who refused to remove these because they paid for them). And while they take your CC number, they only charge you for the “antivirus.” Using it to make fraudulent charges is a crime, which means that they will be tracked down quickly and the authorities in their country (most originate in Russia) will get on the case. It’s not worth it to them, since this is the far smaller revenue stream.

  2. Distributed Denial of Service attacks. The malware is on thousands of computers, which are under the control of the malware makers. They can then go to a website and say, “you have a very nice website here. It’d be too bad if it was suddenly overloaded during the middle of your busy season. And for a fee, we can make sure that doesn’t happen.” If the website doesn’t pay the fee, they get hit with thousands of requests a second (a DDoS attack is very difficult to defend against) and it can take hours, if not days, to stop it. A big site like Amazon had the staff to defend, but smaller sites could be off for a very long time. So they pay the protection money. It’s far more money than you’d get from credit card fraud and local authorities are less likely to go after you. The malware makers can earn millions from this.

FBI Busts ‘Scareware’ Gang That Bilked Victims Of More Than $100 Million

Modern-day racketeering and ‘protection’. These guys have skills, and if they put those skills to a legitimate use they would earn an honest, decent income and not at somebody’s inconvenience… or worse than inconvenience… pain in the ass.

Heh. This reminds me of a visit from a DoD background investigator, who asked “have you ever developed, distributed, or deployed malicious code?” When I said, “of course,” he pulled one of these: :eek: .

Several tense minutes of explanation either satisfied him that I wasn’t an evil ][axx0r or confused him enough to go on.

Now it’s big business, mostly from Eastern Europe- keystroke loggers, hijackers, etc- they get your personal info, then steal your funds.

I should have known that some of it came down to sex - either people thinking about their dicks (v1agr@!!) or just being dicks.

I suppose then, that most viruses are not of the “melt down computer, jack everything up” variety, but that these are the most notable and apparent ones, and there are a lot more of them quietly spamming away in the background?

Yep. All those dudes you know that say “I don’t bother with anti-virus protection” :rolleyes: and “I leave my computer on all the time” have their computers hijacked, sending out scads of stuff to the other idiots. Then they will wake up one day and find their bank accounts drained, their CC maxed out, and their identities stolen. Then they will blame someone else. :mad:

I think there isn’t a programmer on Earth who could answer “no” to that. If he phrased it as an AND instead of an OR, then sure-- but again we’re programmers. :slight_smile:

Yes, we write tons of malicious software, most of it by accident.