FireEye intern created and sold Dendroid malware

Grassy knoll Having worked for anti-virus companies for over twenty years, I'm pretty used to dealing with one question in particular.

"You guys at the anti-virus companies write the malware, don't you?"

It's a fun conspiracy theory. And I like to imagine that John McAfee was on the grassy knoll in November 1963, sniffing bath salts and hooking up with Costa Rican prostitutes, as the Kennedy cavalcade drove past. But it's not true, of course.

Any anti-virus company found writing and distributing malware would not only be shunned by the security community, but also be committing commercial suicide. After all, what organisation is going to be happy buying medicine from the very same people who are going around spreading the disease?

But that's not to say that everyone working at anti-virus companies is a good guy.

Morgan CulbertsonMeet 20-year-old Morgan Culbertson. He has just pleaded guilty in Pittsburgh federal court to developing and selling the Dendroid malware capable of hijacking Android phones, stealing data and using the cameras to spy on innocent users.

Dendroid is a sophisticated piece of Android malware, capable of evading detection by the security measures Google has put in place on the Android app store.

Culbertson plotted to sell Dendroid for $350, and demanded $65,000 from anyone interested in buying his source code. He was caught after the FBI raided the Darkode crime forum last year, dashing his hopes of infecting almost half a million Android phones with his malware.

But what makes Culbertson's conviction particularly noteworthy, is that - according to his LinkedIn profile - he worked as an intern at security firm FireEye for 12 weeks up until his position was unceremoniously curtailed by the law enforcement investigation.

Culberton on LinkedIn

I completed a 12 week internship at FireEye as part of the Advanced Persistent Threat team as a Mobile Malware Research intern. I improved Android malware detection by discovering new malicious malware families and using a multitude of different tools, automation techniques and decompiling analysis heuristics.

FireEye confirmed earlier this year to The Register that Culbertson had indeed been an intern working on Android malware research, and it sounds like they're not in a hurry to have him back.

Culbertson could receive a maximum 10 year prison sentence, and a fine of $250,000, but with no prior criminal convictions I find that unlikely.

When I worked for anti-virus companies and was interviewing prospective new techies, I would always try to get a feeling for just how interested they were in malware. If they started frothing at the mouth in excitement at the thought of working with viruses, spyware and Trojans, I generally thought they might be a little *too* keen and perhaps not a safe bet...

Maybe today other security companies should try harder to ensure that they're not taking onboard someone whose actions might fuel the crazier conspiracy theories out there.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

6 Responses

  1. Simon

    August 27, 2015 at 1:24 pm #

    If anything, he might be updating his LinkedIn profile soon to say that'll be be stamping license plates for a while… what a silly bloke.

  2. Patrick

    August 27, 2015 at 1:25 pm #

    Throw away the key.

  3. Publio Vestrone

    August 27, 2015 at 4:32 pm #

    We do not live in a civilization that acknowledges (let alone promotes) an absolute standard of right and wrong. So we end up with smirking little twits like Mr. Culbertson, who evidently thinks life is a zero-sum game.

    But locking him up and throwing away the key would be an injustice to the taxpayers who have to pay the bill for his imprisonment. If he gets any jail time, he should have to fund it through honest work.

    If such jerks had to pay the cost of their own apprehension, prosecution, and incarceration (plus restitution to anyone whom they've harmed), the deterrent effect would be far more potent than getting a free ride in prison at taxpayers' expense.

    • Jim in reply to Publio Vestrone.

      August 28, 2015 at 12:42 pm #

      Very true.

    • Simon in reply to Publio Vestrone.

      August 28, 2015 at 1:31 pm #

      +1, but to get blood out of a stone?

      I agree, prisoners should financially contribute their 'accommodation' costs while incarcerated by providing a service back to the community, but wouldn't that be robbing the law-abiding citizens employment in the area?

      Unless you assign them laborious/menial jobs that nobody wants to do or is too expensive to automate… That'll likely to require heavy supervision to avoid escapees. Oh, and you're likely to cause a rife of protests, complaining about human rights…

      Unfortunately it's a loose-loose situation.

    • coyote in reply to Publio Vestrone.

      August 28, 2015 at 9:10 pm #

      "But locking him up and throwing away the key would be an injustice to the taxpayers who have to pay the bill for his imprisonment.

      No one deserves to starve and if you've never seen someone starve (to death or otherwise) – or experienced severe malnutrition and/or severe dehydration then consider yourself lucky. It isn't fun (I've experienced both simultaneously and I've seen a lot worse). To even consider locking someone up and throwing the key away… says a lot. But irony: if they throw away the key, they throw away the ability to easily open the cell, which means there is no use of the cell (it becomes more like catacombs), and since there is no food to give them, there isn't any money involved.

      "the deterrent effect would be far more potent than getting a free ride in prison at taxpayers' expense."

      No, deterrents won't make a difference. That is trying to bring logic to something that doesn't involve logic. That itself is illogical.

      People in terrible living situations (e.g. homeless) will commit crimes (that can result in imprisonment) for better living conditions even for a single night (a night in jail is better than being on the street). Some homeless also prostitute themselves so they have a night (or nights) off the street (and obviously money). Some women will have an unwanted sexual partner for similar reasons. This is a well known thing but in case you don't believe me: http://www.theguardian.co.uk/society/2010/dec/23/homeless-committing-crimes-for-shelter

      The fact it comes down to that says a great deal about humanity. There is so much focus on punishing others (as you demonstrated in your last paragraph) – rather than helping – and it results in making things worse (including adding to the 'taxpayers' expense') where it could make things better. Case in point: going cold turkey on some drugs can kill you and otherwise – with some rarer exceptions – won't make someone suddenly be over – or rather work on getting past – an addition, but instead of helping them through detox they are imprisoned. It isn't limited to drug abuse, it shows a lack of compassion, it only fuels resentment and it is conducive to more offences being committed.

Leave a Reply