Marcos Velasco, who is based in Rio de Janeiro, has admitted writing the Lasco virus, which is one of the first potentially serious viruses to target the Symbian operating system.
In a recent interview with Finnish magazine ITviikko, which has been translated into English by mobilemonday.net, Velasco admitted creating Lasco to demonstrate how a real mobile phone virus could work -- but denies he wants it to spread.
"I'm a professional programmer. Viruses, hacking and security are my favourites. Viruses are my life... I'm not trying to spread the worm... I want to demonstrate how the worm works," said Valesco.
Valesco said Lasco will be his last mobile phone virus but he claims that a potential change in Brazil's computer laws would not have stopped him from pursuing his hobby.
"At the moment I think Lasco is my last mobile virus. It's the first real mobile virus and that's enough for me... The politicians are working on new computer crime law but I'll continue my studies with viruses regardless of the outcome," said Valesco.
However, Velasco's behaviour has been severely criticised by antivirus firms and security experts.
Paul Ducklin, head of technology in Asia Pacific for Sophos, said that although publishing viral source code isn't illegal in most countries, it should be done responsibly.
"Most viral source code isn't directly malevolent on its own. But, as the cliché goes, 'with freedom comes responsibility', and Velasco shows none of the latter," said Ducklin.
Mikko Hyppönen, director of antivirus research at F-Secure, believes there should be a global agreement to prosecute virus writers that hide in countries with less friendly IT security laws.
"Valesco is openly writing viruses and making them available from his website to anyone, anywhere in the world. So any kid, any lunatic, any anarchist anywhere can download all his viruses complete with sourcecode and do whatever they want with them. Virus writing should be illegal and it should be illegal globally," said Hyppönen.
Sophos's Ducklin said one reason people write viruses is for the notoriety and in this case Valesco has received considerable attention from the media. However, Ducklin said Valesco should prove his programming skills by creating a real application rather than malware.
"Writing complete, tested and supported applications with a useful function is generally much more difficult that writing viruses. If Velasco really is -- or deserves to consider himself -- a professional programmer then he'd realise this and act professionally. I'd say that if viruses really are 'his life', as he claims, then he needs to get out more," said Ducklin.
That is very hypocritical of Paul, and surprising, considering his level of professionalism. Without security research aimed at discovering vulnerabilities, we would all have to accept the claims of any software product - just like SOPHOS.
Paul Ducklin needs to focus his attention on scanning for key loggers in Trojans, and not this pathetic commentary. If you are alive, you already have a life Paul.
As Rob Forsyth, managing director of Sophos in Australia and New Zealand, agreed that users could never be absolutely sure that their computer is Trojan-free, "Nothing is 100 percent safe. Can you ensure you are 100 percent safe crossing the road? No. but you can take a lot of precautions such as crossing at the lights and looking both ways,"
Paul apparantly still has much to do.
Meanwhile, can anyone at SOPHOS please advise why the guest speaker from the Australian High Tech Crime Centre was prevented from opening their new virus lab in North Sydney late last year?
Maybe ZDNet can then approach the AHTCC and ask the same question and a few others.
eg.
Are they really happy with Anti-Virus companies?
Is there sufficient legislation in place to protect e-consumers?
Is there an issue for the ACCC re advertising claims?