Feb 14 2009

The China Syndrome

Vmyths is the only computer security website that investigated and revealed details of the antivirus industry’s dirtiest little secret — a conspiracy among antivirus vendors to arm China with viruses. Their goal: to pave governmental inroads to China’s growing corporate market for PCs and software.

Vmyths interviewed some of the biggest players in the scandal while they were reeling from guilt, including the U.S. citizen who stood at the very center of it all. Collectively, these “deep throats” admitted to Vmyths that officials in Beijing received up to 30,000 unique virus samples, detailed source code, and reverse-engineering notes. These insiders also admitted they purposely kept U.S. federal officials in the dark.

U.S. citizens at McAfee, Symantec, and Trend Micro played key roles in the secret arming of China — all of it done while those companies advised the White House and the FBI on global cyber-threats. Richard Clarke, then a senior White House staffer, was so oblivious to it that he offered to give “STU-III” secure telephones to antivirus vendors so they could talk freely & openly with each other.

“It’s a mythical fable from a long time ago that’s been blown all out of proportion — you know, like the deaths of Jesus & Mohammed…”

Investigation & analysis

Timeline of notable events

In a prophetic February editorial, the antivirus industry’s Virus Bulletin newsletter rails against the notion of turning viruses into a commodity that can be bought & sold. “Regardless of personal feelings about selling virus code, it is highly likely that this practice is here to stay,” Virus Bulletin warned. “As long as there is money to be made there will always be some ‘entrepreneur’ willing to sail close to the wind… The greatest enemy of all is apathy: if users are prepared to sit on the sidelines without comment or complaint, they should accept some of the blame for the problems they face.”

In an October editorial, Virus Bulletin warns “those users who remain silent are adding their tacit support to the gradual legitimization of the [sale of virus source code].”

Chinese officials give the national police (their equivalent to the U.S. FBI) the authority to oversee all computer security issues. A bureaucrat decides antivirus firms must (1) turn over their entire virus library to the national police and (2) cooperate with the national police in virus & hacking investigations.

In a June editorial laced with sarcasm, Virus Bulletin recognizes that antivirus vendors’ virus libraries may someday turn into a commodity. “As the trend for wider dissemination of virus code continues, it is rapidly approaching a time when anyone who wants a virus can get one. If things degenerate further, maybe the least painful route would be for the industry to offer users the viruses which it wants them to have: ‘Come on, Sir, roll up for the Virus Service. Simply send your $99.99 and receive the virus test-set of your choice. Better yet, guv’nor, for the discerning customer, why not buy the entire collection. Yours for only a dime a dozen… and I’m cutting my own throat.’ But then again, aren’t we all?”

Antivirus firms begin to see China as a huge potential market. However, the country does not yet own enough computing power to merit an expensive marketing campaign. This will change someday, of course, so the antivirus industry starts to keep tabs on Beijing.

circa early- to mid-1998:
Trend Micro wields a powerful influence in the Asian marketplace and now begins to focus their sights on China. The rest of the antivirus industry takes notice and begins to form their own expansion plans. The “Big Three firms” of Trend Micro, Symantec, and McAfee (then temporarily known as “Network Associates”) begin to open satellite offices in major Chinese cities.

circa late 1998 to early 1999:
The Chinese national police approach the Big Three to enforce their regulations. Each firm turns over a copy of a small, well-known virus library maintained by the “WildList” organization. No antivirus firm asks WildList for permission to do this.

early 1999:
The Chinese national police realize each firm coughs up only the same small virus library. Officials approach one of the firms with a deal. If they provide more viruses, China will give them better market access. An immediate secret transfer of viruses begins.

Chinese officials approach the other members of the Big Three in quick succession. “Your competitor gives us access to their entire virus library, so they will now receive preferential treatment at your expense…” Beijing is now playing each firm against the other.

Each firm begins to slowly transfer only the most ancient viruses in their libraries — but their own marketing departments keep demanding more viruses at a quicker pace. Fights soon erupt between the virus experts and the marketing teams at each of the Big Three firms. Corporate management at each firm gets involved … and sides with Marketing … and the virus floodgates open up.

McAfee will later insist they approached a low-level U.S. official around this time to “disclose” the fact they transfer the WildList’s virus library in accordance with Chinese law. This low-level official almost certainly is not an FBI agent.

China has now received up to 30,000 unique virus samples, detailed source code, and reverse-engineering notes — and there’s no end in sight. Jealousy among the Big Three reaches the breaking point as more competitors look to China for expansion.

In a scene straight out of “The Godfather,” key members of the Computer Antivirus Researchers Organization (CARO) stage secret meetings to work out the problem of their marketing departments’ insatiable desire to supply China with all of their “trade secrets.” CARO’s meetings occur in person at computer security conferences; by voice over telephones; and online via encrypted emails.

Two experts at Symantec & McAfee who reside within CARO’s “inner circle” decide CARO members must collaborate. If they don’t, China will play everyone’s marketing department against each other until they possess everyone’s “trade secret” technology. CARO’s membership — which doesn’t yet include a high-ranking expert at Trend Micro — concludes it must not allow any single nation to control the antivirus industry. The organization evolves into a true cartel.

Not everyone in CARO agrees with the decision to become a cartel. At least one powerful member, Vesselin Bontchev, expresses strong bitterness in private, but all members keep their mouths shut in public. A majority of the group believes CARO members as a whole (and the Big Three in particular) will benefit if they present a united front against Chinese officials and their own marketing departments. CARO members agree they will carve up the Asian marketplace (without Trend Micro’s knowledge or consent) in order to promote “fairness” to those firms with a large monetary commitment in China.

One of the most powerful members of the “inner circle,” Jimmy Kuo, nominates himself to serve as CARO’s diplomat to China. His primary duty is to give the Chinese access to the WildList library in the name of “all” antivirus companies. He does not ask permission from WildList to do this.

September 1999:
CARO’s diplomat establishes formal relations with the Chinese government. He transfers a copy of “WildCore plus 1 or 2” on the 15th of each month to an official within the communist apparatus. This diplomat tosses in an extra 1-2 viruses with each transfer just to increase its perceived value. (The move is an empty gesture as the “extra” viruses will soon appear in the WildList library.)

circa late 1999:
Trend Micro somehow learns of CARO’s activities and perceives it as a direct threat to their pan-Asian market shares. If CARO carves up China in the name of “fairness,” what prevents them from carving up other countries, too? Trend Micro allegedly approaches Beijing with an offer to make at least one “large” transfer of viruses to secure their governmental inroads.

Y2K day (1/1/2000):
Antivirus experts without U.S. security clearances fly to Washington (at their firms’ expense) to work in a classified “Y2K situation room” operating under the auspices of the U.S. National Command Authority. CARO’s diplomat to China stands among them. U.S. officials promise to give (sell?) everyone a special embroidered sweatshirt to commemorate their involvement in saving the world from the perceived threat of Y2K viruses.

circa early 2000:
Trend Micro wins a contract to provide antivirus software to the U.S. House of Representatives.

Trend Micro approaches the FBI with an idea to hold a roundtable meeting between the U.S. government and the antivirus industry. But the agency is reeling from an international incident they caused over Y2K viruses. Trend Micro’s idea falls to the wayside.

circa mid-2000:
Trend Micro approaches the National Security Council with an idea to hold a roundtable meeting between the U.S. government and the antivirus industry. White House senior staffer Richard Clarke likes the idea; he schedules a meeting for December.

late 2000:
A disgruntled antivirus vendor approaches Vmyths with details of the virus transfers to China. The vendor — jealous only at not being invited to the White House meeting — asks Vmyths to expose the conspiracy. After thinking it over, editor Rob Rosenberger concludes it doesn’t violate industry ethics to supply offensive virus technology to agents of any sovereign nation. But he also fears a vendor with deep pockets might SLAPP Vmyths. Rosenberger places a unilateral gag order on the story and invites the disgruntled vendor to give the scoop to another reporter.

In a stroke of genius, Trend Micro convinces the National Security Council to invite Rob Rosenberger to the roundtable meeting. The White House even offers to cover his airfare & hotel (he declines this offer). The roundtable meeting earns undeniable credibility for the mere act of inviting a staunch industry critic.

18 Dec 2000:
The roundtable meeting takes place in a White House conference room. “Big Three” experts Jimmy Kuo, Vincent Weafer, and David Perry collectively represent antivirus vendors; expert Joe Wells represents the WildList and similar organizations; and an ICSA expert represents antivirus testing groups. Trend Micro and the FBI jointly chair the meeting with Clarke’s blessing. The room is packed with representatives from the various cabinets, intelligence agencies, and the Pentagon’s new joint task force for network defense (a colonel sitting to the left of Rosenberger). The meeting is literally standing room only.

Rosenberger elects not to reveal CARO’s activities to anyone at the White House meeting. Instead, he chooses to observe the meeting as part of his investigation. He enters the room early, checks the name plates on the head table, and moves quickly to a chair along the wall almost directly behind McAfee senior expert Jimmy Kuo, who will be sitting at the head table directly across from White House senior staffer Richard Clarke.

Clarke naïvely proposes at the meeting to supply “secure telephones” (STU-IIIs) to antivirus experts so they can talk securely both to U.S. officials and among themselves. The Big Three decline his offer — in the words of Jimmy Kuo, “we don’t want to look like a tool of the CIA.” In fact, each of the Big Three firms is now a tool of the PRC.

early 2001:
Richard Clarke learns of the Chinese transfer of viruses at a White House intelligence briefing during the Clinton-Bush transition. Clarke is quoted as saying “oh shit!” He sits on this revelation while securing his senior staff position with the new administration.

Trend Micro’s senior management assumes Richard Clarke will lose his position after Bill Clinton leaves office, so they offer him a job as a lobbyist. Trend Micro’s California office allegedly doesn’t know of Clarke’s job offer. Instead, Clarke ends up securing his position with the incoming Bush administration. (He is the only senior Clinton appointee who survives.) It’s not clear if Clarke learned of Trend Micro’s virus transfers before or after they offered him a job.

ca. 15 March 2001:
CARO’s diplomat completes a routine monthly transfer of “WildCore plus 1 or 2” to his counterpart in the Chinese government. It will be his last effort.

latter half of March 2001:
Wall Street Journal reporter Ted Bridis begins probing into the Chinese transfer of viruses, probably after speaking with the same disgruntled vendor that contacted Vmyths. Flustered representatives at each of the Big Three admit turning over viruses as a condition for selling antivirus software in China.

Ted Bridis calls Rob Rosenberger as part of his fact-checking. Ironically, Rosenberger wants to do the same with Bridis, but neither man will divulge his sources (an ethical necessity when two investigative reporters fact-check through each other). Rosenberger tells Bridis about Vmyths’ unilateral gag order and reveals he is waiting in the wings with a column when the WSJ exposé hits newsstands.

CARO holds a series of emergency meetings when they learn The Wall Street Journal will publish an exposé. Rosenberger believes the cartel members will conspire to rewrite history, so he interviews a number of primary sources (and abuses some friendships) while their guilt runs extraordinarily high. He ultimately nails two eye-opening lengthy interviews with Jimmy Kuo, the U.S. antivirus expert who serves as CARO’s diplomat to China. Members of the cartel eventually overcome their guilt and shut their windows of opportunity.

30 March 2001:
The Wall Street Journal publishes its exposé. Rosenberger immediately lifts Vmyths’ unilateral gag order and publishes his first column, dubbing it “The China Syndrome.”

April 2001:
Fearing for their ad revenue, every major English-language computer security publication chooses to ignore the WSJ exposé. The major English-language technology publications likewise refuse to carry the WSJ exposé or comment on it, with the notable exception of The Register.

The Register, 3 Apr 01: “Chinese feds demand computer virus samples”

Two FBI agents arrange to interview CARO’s diplomat at his company’s headquarters. It is not known if he offers them a copy of the WildList virus library.

A WildList spokesman insists they never gave anyone permission to offer their virus collection to the Chinese government.

Cartel members begin to manipulate U.S. officials in an uncoordinated effort to downplay CARO’s involvement with China. The list of manipulated agencies includes the White House and the FBI. It is known that at least one of the Big Three agrees to give the FBI a copy of the WildList virus library — again, without the permission of WildList officials.

(An uncorroborated rumor says the U.S. intelligence community grew angry with {vendor}, which had a contract to do cyber-warfare research for them. According to the uncorroborated rumor, {vendor} secretly agrees to “blind CC:” a U.S. counter-intelligence agent on every email sent to China.)

(Another uncorroborated rumor says at least one antivirus vendor also turned over details of antivirus technology to help China develop their own antivirus product, possibly for Chinese-funded cyber-warfare research. Rosenberger considers the uncorroborated rumor to be plausible. After all, if {vendor} conducts cyber-warfare research for the U.S. intelligence community, then someone else might do similar research for China.)

Fall 2001:
Cartel members complete their rewrite of history. They now claim:

  • Chinese national police received only 500 unique viruses, total, from all of the vendors combined, although no one really knows how they learned of this “fact.”
  • An overwhelming majority of the unique virus samples came from the WildList library, “sadly” without WildList’s permission. No one really knows where the tiny minority of non-WildList viruses came from, nor do they care.
  • CARO’s “spokesman” nominated himself for the job.
  • Chinese officials were too naïve to demand tens of thousands of viruses. No one really knows which experts were involved besides CARO’s “spokesman,” but whoever those virus experts were, they were too smart to collectively hand over 30,000 unique virus samples, detailed source code, and reverse-engineering notes.
  • Everyone in CARO at the time insists they were among the slightly-less-than-half of the membership who opposed turning a scientific research group into a trade cartel.

September 2001:
While fact-checking an unrelated story, Rosenberger discovers Richard Clarke chose to retain CARO’s diplomat to China as a White House advisor. One week after the 9/11/01 attacks, the White House includes Jimmy Kuo in technical discussions on the cyberspace portion of the top secret “National Plan” to protect America from terrorism.

CARO’s diplomat to China immediately calls a White House staffer to discuss Rosenberger’s latest discovery. Eventually, a cadre of thoroughly confused federal authorities will end up knocking on Rosenberger’s door at 3am to sort the whole thing out. The White House staffer politely phones Rosenberger with a plea to drop both his unrelated story and his newest scoop on Clarke. Rosenberger says “be careful what you wish for…” and ends up writing about his 3am visit from the feds.

February 2002:
At a U.S. Senate subcommittee hearing, demoted White House staffer Richard Clarke lists China as a potential cyber-enemy — but he fails to divulge the fact one of his own advisors armed China with offensive network warfare technology right under his very nose.