Inexperienced young users who experiment with hacking and virus writing are known in computer circles as “script kiddies.” But as Goh Chee Hoh warns, these kiddies can cause adult-sized trouble

It’s strange but true. Some experts claim that the number of new viruses actually increases in summer and certain other times of the year. Why? Because schools are on vacation. These experts claim that an increasing number of viruses are written by students, including children in their early teens: the so-called “script kiddies.” “It is not difficult for a student to modify existing virus code into a new variant. There’s no need for advanced skill sets,” says Isaac Lim, country manager for Trend Micro in Singapore. “Students can surf and seek information from any of the hundreds, maybe thousands of websites that post detailed lists of virus creation techniques,” he adds. “Some offer step-by-step ‘how-to’ guides. Books on virus writing are also available on some online bookstores, including the so-called virus writer’s bible: The Giant Black Book of Computer Viruses.”

For the lazy student virus writer, nothing beats an online virus creation kit, which does all the work for you! The kits, which have names like Satanic Brain Virus Tools 1.0, Instant Virus Production Kit, and Ye Olde Funky Virus Generator, make writing viruses a snap for even the most technically incompetent wannabe hacker. One such kit, the VBS Worm Generator, became famous when a 20-year-old man in Holland known as “OnTheFly” used it to write the Anna Kournikova worm. Created by an 18-year old hacker from Argentina named Kalamar—who claims it is merely a study tool—the VBS Worm Generator walks the user right through the virus writing process with an easy-to-use point-and-click interface, and clear help files. With a mouse click, the user can decide how the virus will spread (i.e. e-mail or IRC) whether to add encryption, and what the payload will be (choices include displaying a flashing message, or crashing the infected computer). “A 10-year-old could use this kit to create a worm,” says Ken Dunham, an analyst with SecurityPortal. Unfortunately for “OnTheFly,” the virus kit didn’t teach him how to hide his identity when he released his worm on the Internet, and he was tracked down. Arrested, tried and found guilty, he was given a very light sentence of 75 days in jail or 150 hours of community service.

Inexperienced young users who experiment with hacking and virus writing are known in computer circles as “script kiddies.” Since they tend to copy existing viruses, follow how-to guides, and use automated tools created by others, their actions are often amateurish and repetitive, but they can still be very destructive. Why do they do it? Some people see them as bored kids, tempted by the thrill of something forbidden. Others believe they are seeking attention and fame. In a few cases, their actions have been excused or praised by some foolish adults. However, script kiddies are certainly not respected by the general public or by other computer criminals. True hackers are said to look down on virus writers, seeing them as vandals who cause indiscriminate damage to users for no particular reason. If that’s true, then it’s easy to understand why virus-writing script kiddies rank at the very bottom of the social scale in the computer underground. They usually copy the work of others, and lack the skills to be original or even understand the tools they are using.

Owing to their lack of experience, many script kiddies who break the law are eventually caught. When that happens, security experts usually call for strict punishment, in order to send a message that will deter other young people from hacking and virus writing in the future. In the past, many young hackers have gone unpunished or have even been rewarded. But as virus incidents increase and cause more damage, there are signs that the public and governments around the world are starting to agree with security experts. As laws on cyber-crime get tougher, more and more script kiddies may find themselves with another label: convicted criminals.

Nevertheless, some media accounts still treat virus writing lightly, or even glamourise it, like these stories from 2001:

• Korea’s Chosun Ilbo newspaper reported that a 15-year-old student was the country’s “Hacker Queen” after winning a contest organised by an Internet security provider. Analysts noted that Choi Hae-ran’s hacking skills were good enough to break into almost any company’s homepage easily. Choi says that she learned about hacking by simply browsing various websites. She is now listed in an online Hall of Fame for Korean hackers, and her dream is to become “a hacker that catches hackers.”
• A 17-year-old Belgian girl known as “Gigabyte,” wrote Sharpei, the first known virus targeting Microsoft’s .NET platform, to prove that women are capable of creating computer viruses, too. In an online interview, she said that writing viruses was “a form of art, just like many other hobbies” and “...a fun way to practice programming.”

Let’s look at a few other well-known cases of computer crime by youngsters:

• The CIH virus (aka Chernobyl) infected 600,000 PCs worldwide in 1999, and on its trigger date of April 26 it wiped out entire hard drives on many machines. The damage was estimated at over $100 million, concentrated in a few countries, especially South Korea, where about 250,000 computers were hit. The virus was written by an engineering student in Taiwan, Chen Ing Hau, supposedly as a challenge to anti-virus makers. Tracked down while serving in the army, Chen apologised and claimed that he never meant to cause any damage. In the end, no charges were filed because no Taiwanese citizen filed a complaint. Surprisingly, several software firms recruited Chen when he left the army, and he took a job with one called Wahoo. He appears to have escaped punishment for his actions, although he should probably avoid visiting Korea.
• In February 1999, a series of unprecedented distributed denial of service (DDoS) attacks brought down several major websites, including CNN, Yahoo!, eBay and Amazon.com, and interfered with operations at several others. The operation used the resources of dozens of servers which had been infiltrated by Trojan horses and turned into zombies. Many people were shocked when the attacks were traced to a 15-year old boy in Canada who used a PC in his bedroom. Calling himself “MafiaBoy” he gave himself away when boasting in a chat room. He eventually pled guilty to mischief and was sentenced to eight months in detention.
• Prosecutors in China announced the country’s first criminal case against a hacker in May 2001, signalling a tougher line on Internet crime. Lu Chun, a 21-year-old sophomore in Beijing, allegedly used downloaded hacker Trojans to steal a company’s Internet account and password. He then gave out the information to schoolmates and friends, and sold it through the Internet, resulting in over 1,000 people using the company’s Internet account fraudulently.
• In December 2001, four Israeli youth aged 15 to 16 were charged with authoring the Goner worm. They apparently used viral code available from a website, and didn’t really understand what they had unleashed. In a chat room discussion before their arrest, they claimed to be surprised by the virus’ success. The youth were traced because they foolishly placed their online nicknames in the virus code. After their arrest, the students were confined to their homes and their computer equipment seized. Under Israeli law, the alleged virus writers could face three to five years in prison.
• Though not a child, 23-year-old Onel de Guzman was a student at AMA Computer College in Manila before he admitted to possibly releasing (but not to writing) the “Love Letter” virus in September 2000. “Love Letter” brought down hundreds of corporate networks and infected millions of PCs, becoming the most costly virus in history, with damages estimated at $ 8.7 billion. Guzman apparently dropped out of school after professors rejected his thesis proposal on methods for stealing computer passwords. Investigators concluded that he belonged to a hacker society, and other members also contributed to the “Love Letter” virus. However, prosecutors decided he didn’t commit any crime under Philippine law. The Philippine Congress later enacted a law specifically covering computer crimes such as virus writing.

In most countries, the legal tide seems to be turning against kids who commit cyber-crime. However, script kiddies are still releasing viruses, and adults sometimes draw the wrong lesson. In Holland, the mayor of Anna, writer OnTheFly’s home town, offered the young man a job in its IT department, commenting that the virus showed he was “capable.” The alleged Love Letter author also received job offers, and some Filipinos claimed to be proud of Guzman’s home-grown technical skills, even calling him a hero. But the Anna worm was made from an instant virus kit, and the Love Letter virus was not technically brilliant or sophisticated programming at all—it’s success resulted largely from social engineering— people wanted to know why someone was telling them “I Love You!”

Just a few miles from Guzman’s old school, there is an office park which houses the nerve centre of TrendLabs, Trend Micro’s 24x7 anti-virus research and service centre. Almost 200 young Filipinos who completed their education now work there, using their skills every day to solve problems and deliver protection to thousands of computer users around the world, making the Internet safer for everyone. Who are the real heroes?

The author is the regional sales director at Trend Micro.