Having worked for anti-virus companies for over twenty years, I’m pretty used to dealing with one question in particular.
“You guys at the anti-virus companies write the malware, don’t you?”
It’s a fun conspiracy theory. And I like to imagine that John McAfee was on the grassy knoll in November 1963, sniffing bath salts and hooking up with Costa Rican prostitutes, as the Kennedy cavalcade drove past. But it’s not true, of course.
Any anti-virus company found writing and distributing malware would not only be shunned by the security community, but also be committing commercial suicide. After all, what organisation is going to be happy buying medicine from the very same people who are going around spreading the disease?
But that’s not to say that everyone working at anti-virus companies is a good guy.
Meet 20-year-old Morgan Culbertson. He has just pleaded guilty in Pittsburgh federal court to developing and selling the Dendroid malware capable of hijacking Android phones, stealing data and using the cameras to spy on innocent users.
Dendroid is a sophisticated piece of Android malware, capable of evading detection by the security measures Google has put in place on the Android app store.
Culbertson plotted to sell Dendroid for $350, and demanded $65,000 from anyone interested in buying his source code. He was caught after the FBI raided the Darkode crime forum last year, dashing his hopes of infecting almost half a million Android phones with his malware.
But what makes Culbertson’s conviction particularly noteworthy, is that - according to his LinkedIn profile - he worked as an intern at security firm FireEye for 12 weeks up until his position was unceremoniously curtailed by the law enforcement investigation.
I completed a 12 week internship at FireEye as part of the Advanced Persistent Threat team as a Mobile Malware Research intern. I improved Android malware detection by discovering new malicious malware families and using a multitude of different tools, automation techniques and decompiling analysis heuristics.
FireEye confirmed earlier this year to The Register that Culbertson had indeed been an intern working on Android malware research, and it sounds like they’re not in a hurry to have him back.
Culbertson could receive a maximum 10 year prison sentence, and a fine of $250,000, but with no prior criminal convictions I find that unlikely.
When I worked for anti-virus companies and was interviewing prospective new techies, I would always try to get a feeling for just how interested they were in malware. If they started frothing at the mouth in excitement at the thought of working with viruses, spyware and Trojans, I generally thought they might be a little *too* keen and perhaps not a safe bet…
Maybe today other security companies should try harder to ensure that they’re not taking onboard someone whose actions might fuel the crazier conspiracy theories out there.