Did anti-virus company hire convicted Chinese malware author?


Update: Since the following article was first published, Panda Security has declared that virus writer Li Jun does not and has never worked for the company, and that the Reuters report was incorrect. A statement from the firm says it believes that the confusion has arisen because of a "marketing initiative by a distributor of Panda China where Mr. Li was involved".

It's obviously a big relief to hear that the news report was incorrect in saying that Li Jun now works for Panda Security, and we're happy to clarify the situation here. Thanks to Panda Security for helping us get to the bottom of this issue. In the spirit of openness, the original article now follows.

If you've been working in the anti-virus business for any length of time you pretty soon get used to the accusation that anti-virus firms "write all the viruses, don't they?"

To be fair, it's normally said in good humour and with a wink - but it's the kind of joke that riles the researchers who work inside anti-malware labs. The guys and girls who work in SophosLabs, for example, see something like 60,000 new malware samples every single day - aside from the moral issues around the creation of malware there simply isn't any need for us to write malware.

Historically, anti-virus companies have realised that having a virus writer as an employee is probably not a good idea. Not only have malware authors shown themselves to be of dubious morals, but there are also serious questions that have to be asked as to whether the individual will be trusted by others in the security community.

Furthermore, the skills required to write a decent anti-virus program are very different from those necessary to write malware, and it's a mistake to think that virus writers have demonstrated any skills that would be useful to a computer security lab.

You can probably imagine, therefore, how surprised I was to read in a Reuters report that Panda Software has hired Li Jun, author of the notorious Fujacks worm.

[See update below where Panda Security claims that the Reuters report is inaccurate]

Fujacks virus

In early 2007, Chinese media reported that the Fujacks worm had infected "several million" computers, changing the icons of infected programs to a picture of a panda holding joss-sticks.

Fujacks spread rapidly, infecting EXE files on affected computers and spreading via network shares and USB drives.

When Li Jun was eventually sentenced to four years in a Chinese prison, it was claimed that Li was motivated to create the virus after he failed to find a career in the computer security industry. Indeed, upon his release he reiterated his desire to work in the anti-virus field.

Well, it certainly sounds like his dreams have come true now.

28-year-old Li and his three accomplices gained more than 200,000 yuan (over US $30,000) through their malware activities. And now Li appears to have been rewarded with a job working for Panda Security too. I can't help but feel disgusted by this.

There are plenty of decent, ethical computer programmers out there who are worthy of jobs in the computer security industry and haven't inconvenienced innocent internet users.

Virus writer Li Jun. Image source: Wall Street Journal

Li has served his time in a Chinese jail and I wish him well for the future, but a malicious hacker like this needs to understand clearly that they have forever blown their chances of working in the computer security industry.

There have been too many instances in the past where virus writers have been rewarded with jobs because of their notoriety ("Ikee worm author gets job at iPhone app firm", "Firm hires Twitter worm author Mikeyy Mooney", "Mahalo hires botnet master").

But when a well-known anti-virus company like Panda Security hires a convicted virus writer, I believe it sends out an even worse message to the public.

Do we really want malicious hackers to think that malware might be a shortcut to a new job? Panda Security - were you really unable to find any talented computer programmers who chose not to write malware, or is this just an ill-conceived publicity stunt?

So you may be wondering, will Sophos hire virus writers? Not on your nelly mate. That's always been our policy, and it's as true today as it was in 2003 when Sophos founder Jan Hruska went on the record on the subject saying: "Don't bother applying for a job at Sophos if you have written viruses because you will be turned away"

Update: Luis Corrons, technical director of Panda Labs, has been in touch saying that it's not true that they have hired a virus writer. Hopefully we can publish some more information - and an official statement from Panda - shortly.

It's certainly odd that the news reports are saying that Li Jun has been hired by Panda Security if the firm itself is denying it.

Here's a brief tweet on the subject from Juan Santana, CEO of Panda Security:

Update 2: Juan Santana has now updated his blog to explain that the confusion has arisen because of a "marketing initiative by a distributor of Panda China where Mr. Li was involved".


17 Responses to Did anti-virus company hire convicted Chinese malware author?

  1. Hello,

    A similar topic regarding pentesters has been discussed recently at http://blog.rapid7.com/?p=5490

    I might share your opinion. But if the applicant was able to prove very high technical skills with his malware, you may consider him as a successful employee. But the requirements for technical skills shouldn't ignore the soft skills and moral/ethical direction of a person.

    Regards,

    Marc

    • I can see the argument that someone who has previously hacked into computer systems could have useful skills to be a white hat penetration tester.

      But I think it's different with virus writing. Any bozo can write a computer virus or a Trojan horse (it's really not hard folks) but the skills needed to write decent anti-virus software which has to run silently and reliably at the very deepest level on critical computer systems, without making mistakes and on a wide variety of platforms without impacting normal operations is very different.

      Plus - what skills does a virus writer actually bring to the table that any decent programmer who /hasn't/ written viruses doesn't have?

      A surprising amount of the co-operation that goes on behind the scenes in the anti-virus world is based upon trust between researchers, and I know many malware researchers would have a serious problem trusting a former virus writer.

      • Justin · 1421 days ago

        "Any bozo can write a computer virus or a Trojan horse"

        --not a good one that can evade AV

        "Plus - what skills does a virus writer actually bring to the table that any decent programmer who /hasn't/ written viruses doesn't have?"

        --uhh a blackhat mentality maybe?

        "malware researchers would have a serious problem trusting a former virus writer."

        -- malware researchers don't trust AV because we know it's pointless if someone was targeting us, and we don't double click "angelinajolienaked.exe"

        I dare say whoever the heck they hire isn't working by themselves on code that's never reviewed and not version controlled. You folks are special.

  2. Paul · 1421 days ago

    Just because someone can write a virus does not mean they are a good programmer. One of the easiest things to do is write a virus. With knowledge of how operating systems work you can do just about anything to mess with a user. That being said, there are a lot of great programmers out there that are far more worthy than a criminal.

  3. Yolanda Ruiz · 1421 days ago

    Graham,

    This is the global PR director at Panda Security. The information published is not correct. The person mentioned in the news stories we are seeing on this topic is not a Panda Security employee. Official statement will be published in a while. Should you have any doubt, you can contact me directly: yolanda.ruiz@pandasecurity.com. In the meantime, I would ask you to clarify this and avoid references to Panda in this regard.

    Thanks.

    • Thanks for the info Yolanda - and I've updated the article to include the brief tweet from Juan Santana, your CEO at Panda Security.

      Do you have any idea on how Reuters got the information wrong about who Li Jun is working for? Do you know who has employed him?

      • I can Google too · 1421 days ago

        Unacceptable, Graham.

        Unless you intend to be responsible for propagating a false rumor about a competitor, you need to change the title of the post, put the "correction" at the top of the page, and post apologies on all your social media accounts. You need to DO IT NOW before the splogs echo your post across the internet. (It's already started.)

        Also: Seek legal counsel. Immediately.

        P.S. A GoogleNews search suggests that Reuters plagiarized the story from http://english.cri.cn/6909/2010/12/10/2741s609546...

        • Hi

          I changed the title of my article at 15:57 UK time (almost three hours before you posted your comment). I've been in touch with the folks at Panda and they've said that they plan to publish an official statement. I've told them that I will link to it as soon as they publish it. There's no sign of it yet on Juan Santana's blog, but I'll add it as soon as it appears.

          I also retweeted statements from Juan Santana and Luis Corrons on my Twitter account, so everyone who follows me up there already knows that Panda have denied the claims in the Reuters report.

          In addition, before 4pm UK time, I updated my article to include all the information that Panda has shared so far. So I don't think there's any chance that people won't have seen their rebuttal by now (of course, it will be better when they publish their full statement). In total my article was live for less than an hour before Panda responded - and I instantly included the comments they've made so far.

          Trust me, I'm happier than anyone to hear that Panda Security doesn't have a virus writer working for it in China - and am eager to get to the bottom of how this rumour started!

    • Panda has now released an official statement regarding Li Jun. It appears that he was not employed by Panda Security (good!), but was connected with a Panda China distributor.
      http://www.pandainsight.com/en/panda-security-doe...

  4. Charlie · 1421 days ago

    I'm a great believer in providing second chances to people who want to change the direction of their lives but this was a big mistake on Panda's part. Anti-virus companies actually sell their customers trust and peace of mind, not technology. Panda will raise questions in the minds of its customers about whether their product is hiding some destructive capability, some hidden intent that will take advantage of its trusted place in the operating system to do harm.

    There are lots of good jobs in the computer industry open to people like Li, but jobs in computer security should be permanently closed to such people.

  5. anon · 1421 days ago

    I think it also depends on the age of the Virus Author. For example the Author of the Netsky and Sasser Worms did extensive damage, but was a 16-18 year old kid who wanted to show off...
    But he's an author from a different time and had no personal profit of the worms. In those cases I see no problem for someone to be hired.

  6. Joe the Bob · 1421 days ago

    Bleh, I find it somewhat annoying that this reads as an attack on Panda. You build this great story with your ideals over not hiring virus writers and indicate that everyone agrees, and then go "But Panda on the other hand". Lame :/

    I guess I might have been less annoyed if the story wasn't proved false, but still :/

  7. Statement from Panda Security's CEO here:
    http://www.pandainsight.com/en/panda-security-doe...

    It appears that the virus writer was not employed by Panda Security (good!), but was connected with a Panda China distributor.

  8. Roy Jones Jr · 1420 days ago

    Instead of focusing on blasting Graham, how about focusing on the article? Part of the conversation is about hiring virus authors to anti virus companies. I most certainly would NOT hire a virus author. Anyone can see from the simple to complex factors that it's an illogical idea. I'm sure there are other IT jobs that person could end up getting, just not a job near the computer security area.

  9. Fred · 1417 days ago

    I'm confused....Doesn't Graham work for Sophos? Since when is it cool to bash a competitor based on a rumor? Poor form, and it's really hurt my respect for this blog. It's always been self-serving, but I've been able to get past that until now. Credibility is a fickle mistress...

    • Sorry, you feel like that.

      The original article wasn't based so much on a rumour as a report by Reuters, a respected news agency.

      Turns out that they got the story wrong - and there's no-one more pleased than me!

      Folks in the anti-virus industry feel pretty strongly about hiring virus authors, so I hope you understand the strong feelings associated with this one.

      Anyway, you didn't like this article. Fair enough, I'll take it on the chin. But judge us by record over a long period of time rather than just one article. Sometimes we'll goof up and make mistakes, but I hope that in the long run you'll find this site worthwhile.

  10. Seb · 1416 days ago

    First of all, about the convenience of AVs writing malware, of course, it has a benefit: Company A writes virus 1, company A knows how it works and can detect it before company {B..Z} could possibly analyze it and so A's product is better, and do not come to me telling they didn't think about it!


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.