The Virus Writer Who Came In From the Cold

The Virus Writer Who Came In From the Cold
By Joel Deane

Part confession. Part job interview. Part Oprah. That was the final, controversial session on day one of the seventh international Virus Bulletin Conference in San Francisco's landmark Fairmont Hotel.

Facing a roomful of grumbling, skeptical antivirus programmers was Mike Ellison, a quiet, twentysomething, Bay Area-based computer programmer with a ponytail.

Why so skeptical?

Simple. Ellison is not just any mild-mannered geek. He's Stormbringer, an award-winning virus writer from the now-retired Phalcon/SKISM clan whose viruses and virus tutorials have been published in the Little Black Book of Computer Viruses and, on at least one occasion, unleashed upon the computer world.

Like most virus writers, Ellison did his best work as a teenager, starting at the tender age of 14. Unlike many virus writers-- who turn 21, get a job, and quietly find less sociopathic forms of entertainment-- when Ellison retired, he went public with a mea culpa newsgroup posting.

Three years later, Ellison has gone public again. Standing at the dais in one of the Fairmont's Transylvanian-style ballrooms before an international gathering of the antivirus community, some of whom consider him a terrorist, he handed down a paper titled "Defecting From the Underground: Are Ex-Virus Writers of Use to the Antivirus Industry?"

Delivered in a quiet, measured voice, Ellison's paper ranged from confessional to evangelical:

I, like many of my peers, was rebellious and anti-establishment at that age [14]; only I became interested in computer viruses. They had a dark, forbidden allure which at that age is hard to resist....

I wrote viruses for the knowledge, the challenge, and, admittedly, the fame. At the time I saw it as something of a chess game with antivirus programmers. However, I did not have any desire to harm the public....

Ethically, I knew that releasing viruses into the wild was wrong. I would not release them myself.... Eventually, one of my viruses hit someone's machine. Some vengeful person compiled it and deliberately infected the person's computer.... That morning I quit writing viruses and have kept my vow ever since."

In essence, Ellison was asking for the antivirus industry's forgiveness-- and a job. That's right. After going straight for three years, the reformed virus writer says he wants to switch sides and become an antivirus programmer "to give something back."

Needless to say, Ellison's planned career change caused some heartburn among conference goers. The consensus among antivirus programmers seemed to be "Fine, stop writing viruses, but don't expect us to hire you."

"Would you hire a former bank robber as bank manager?" explained one attendee. Some programmers thought that Ellison shouldn't even have been given a forum.

It's easy to understand why it is considered "taboo"-- as Ellison puts it-- for antivirus companies to hire former virus writers. Currently, there are some 17,000 computer viruses gumming up the world's computers, and the number is rising. In turn, this epidemic of viruses, which exploded with the popularization of the Net, has resulted in a booming trade in antivirus software products. The weekend hobby of a generation of antisocial teenagers has inadvertently sired a billion-dollar industry.

With that in mind, antivirus companies are loath to do anything-- such as hiring former virus writers-- that might undermine public confidence or damage the industry's credibility. After all, hiring virus writers could lead to the impression that the industry is creating its own market.

Ellison, who has been knocked back for jobs in antivirus companies, is well aware of this mindset. Switching from confessional to evangelical, he made a pitch for antivirus professionals to engage in reasonable discussions with their teenage opponents rather than indulging in "petty insults and name calling."

"It seems like many of the professional antivirus programmers don't really take the effort to get to know their enemies and see who they are," Ellison said. Recruiting former virus writers-- much like the hiring of ex-hackers in the computer security field-- would increase the industry's understanding of what makes virus writers tick, as well as take advantage of the writers' inside knowledge of viruses.

"While I'll agree that the majority of people creating new variants of viruses can't program their way out of a paper bag, how many 16-year-old kids do you know that have the interrupt tables of opcode charts of DOS 80X86 machines memorized?" he said. "Some of these people are quite sharp and have considerable talent."

Although politely received, Ellison's argument was vigorously rebuffed during the 1 session. Antivirus writer after antivirus writer stood, clasping the microphone like a member of a TV talk show audience and, after commending Ellison for turning from the dark side of the Force, told him why he should stay out of the industry.

Conference speaker Vesselin Bontchev, who delivered the "Macro Virus Identification Problems" paper, led the charge. "If your intention was to convince me that antivirus companies should hire you, I am sorry, but you have failed miserably," Bontchev said. "Compared to the average antivirus programmer, your knowledge is virtually nil. We don't sit around all day with our legs crossed waiting for you to help us.... You have done something in the past that we consider to be wrong. We are just not going to trust you."

Other programmers rose to elaborate on Bontchev's we-don't-need-you spiel. More than one naysayer suggested that, if he was serious, Ellison should evangelize the virus writers-- convince them to lay down their keyboards and come in from the cold.

Finally, after a 30-minute debate, the session's convenor decided to try a straw poll. He asked the audience members how, as customers, they would feel about an antivirus software produced by a company with former virus writers. Negative? No raised hands. Not negative? A lot of hands. Positive? Half of a lot of hands. "You're hired!" someone yelled from the audience.

Perhaps. Then again, the convenor didn't let the antivirus programmers vote.