Did anti-virus company hire convicted Chinese malware author?

Panda Software hires virus writer

Update: Since the following article was first published, Panda Security has declared that virus writer Li Jun does not and has never worked for the company, and that the Reuters report was incorrect. A statement from the firm says it believes that the confusion has arisen because of a “marketing initiative by a distributor of Panda China where Mr. Li was involved”.

It’s obviously a big relief to hear that the news report was incorrect in saying that Li Jun now works for Panda Security, and we’re happy to clarify the situation here. Thanks to Panda Security for helping us get to the bottom of this issue. In the spirit of openness, the original article now follows.

If you’ve been working in the anti-virus business for any length of time you pretty soon get used to the accusation that anti-virus firms “write all the viruses, don’t they?”

To be fair, it’s normally said in good humour and with a wink – but it’s the kind of joke that riles the researchers who work inside anti-malware labs. The guys and girls who work in SophosLabs, for example, see something like 60,000 new malware samples every single day – aside from the moral issues around the creation of malware there simply isn’t any need for us to write malware.

Historically, anti-virus companies have realised that having a virus writer as an employee is probably not a good idea. Not only have malware authors shown themselves to be of dubious morals, but there are also serious questions that have to be asked as to whether the individual will be trusted by others in the security community.

Furthermore, the skills required to write a decent anti-virus program are very different from those necessary to write malware, and it’s a mistake to think that virus writers have demonstrated any skills that would be useful to a computer security lab.

You can probably imagine, therefore, how surprised I was to read in a Reuters report that Panda Software has hired Li Jun, author of the notorious Fujacks worm.

[See update below where Panda Security claims that the Reuters report is inaccurate]

Fujacks virus

In early 2007, Chinese media reported that the Fujacks worm had infected “several million” computers, changing the icons of infected programs to a picture of a panda holding joss-sticks.

Fujacks spread rapidly, infecting EXE files on affected computers and spreading via network shares and USB drives.

When Li Jun was eventually sentenced to four years in a Chinese prison, it was claimed that Li was motivated to create the virus after he failed to find a career in the computer security industry. Indeed, upon his release he reiterated his desire to work in the anti-virus field.

Well, it certainly sounds like his dreams have come true now.

28-year-old Li and his three accomplices gained more than 200,000 yuan (over US $30,000) through their malware activities. And now Li appears to have been rewarded with a job working for Panda Security too. I can’t help but feel disgusted by this.

There are plenty of decent, ethical computer programmers out there who are worthy of jobs in the computer security industry and haven’t inconvenienced innocent internet users.

Virus writer Li Jun. Image source: Wall Street Journal

Li has served his time in a Chinese jail and I wish him well for the future, but a malicious hacker like this needs to understand clearly that they have forever blown their chances of working in the computer security industry.

There have been too many instances in the past where virus writers have been rewarded with jobs (“Ikee worm author gets job at iPhone app firm”, “Firm hires Twitter worm author Mikeyy Mooney”, “Mahalo hires botnet master”), because of their notoriety.

But when a well-known anti-virus company like Panda Security hires a convicted virus writer, I believe it sends out an even worse message to the public.

Do we really want malicious hackers to think that malware might be a shortcut to a new job? Panda Security – were you really unable to find any talented computer programmers who chose not to write malware, or is this just an ill-conceived publicity stunt?

So you may be wondering, will Sophos hire virus writers? Not on your nelly mate. That’s always been our policy, and it’s as true today as it was in 2003 when Sophos founder Jan Hruska went on the record on the subject saying: “Don’t bother applying for a job at Sophos if you have written viruses because you will be turned away”

Update: Luis Corrons, technical director of Panda Labs, has been in touch saying that it’s not true that they have hired a virus writer. Hopefully we can publish some more information – and an official statement from Panda – shortly.

It’s certainly odd that the news reports are saying that Li Jun has been hired by Panda Security if the firm itself is denying it.

Here’s a brief tweet on the subject from Juan Santana, CEO of Panda Security:

Update 2: Juan Santana has now updated his blog to explain that the confusion has arisen because of a “marketing initiative by a distributor of Panda China where Mr. Li was involved”.
