make our world a better place. As
computer professionals, we must do
our fair share to stanch malware and
Dealing with malware
The malware problem must be dealt
with on many fronts, proactively.
Ideally, we should anticipate and be
prepared for new malware. On the research front, funding agencies should
follow DARPA’s example. If synthetic
genomics—the fabrication of new genetic material—merits $50 million in
grants per year, so should exploration
of new, novel, innovative malware.
University classrooms and laboratories should serve as locations for
spreading malware literacy. Understanding is achieved only by doing.
The most effective way to comprehend something is to program it. We
cannot afford to continue conferring
degrees to computer majors who have
never seen the source code of viruses,
worms, trojans, or rootkits, never reversed any malware binaries, and never programmed their own malware.
Standard undergraduate computer science curricula offer courses
on many disparate topics, such as
artificial intelligence and database
systems. Students graduating with a
degree in computer science are expected to have a solid acquaintance
with various subjects that may not be
their chosen specialty. Some graduates will dig deeper and become adept
at these topics, but the mere fact that
these topics are routinely taught to all
undergraduate majors is in itself beneficial, because future computer professionals should not be completely
ignorant in fields outside their areas
VISUALIZATION BY ALEX DRAGULESCU
Teaching malware will not turn our
students into specialists. Malware lit-
eracy is not malware expertise. How-
ever, unlike artificial intelligence or
databases, unfortunately malware is
not a standard undergraduate course
or even a regular part of an elective
computer security course. (Syllabi of
computer security courses may pay
lip service to diverse issues, includ-
ing malware, but such courses are
overwhelmingly concerned with cryp-
tography.) This means we are matric-
ulating computer scientists whose
knowledge of malware is roughly on
a par with that of the general popula-
tion of amateur computer users.
turies. How else could aspiring physicians and surgeons learn anatomy?
Today, life science majors are not necessarily bacteriologists, parasitologists, or virologists, but all enjoy the
benefit of a standard curriculum that
offers exposure to microbiology theory and its laboratory practice. This is
not the case with computer science
majors, whose curricula omit theory
and programming of malware. Sadder
yet, undergraduates learn sorting, database, and other theories, and carry
Visualization derived from disassembled code of myDoom worm.
tion, so that students completing the
course will gain a deeper understanding of malware.
The apprehension, trepidation,
and dread will not go away easily.
Spreading viruses, worms, Trojans,
and rootkits is dirty business. Pro-
gramming them may feel like doing
something forbidden. Over the past
six years, I’ve heard many concerns
about the ethics of teaching malware.
Taboos are difficult to dispel. For ex-
ample, the prohibition of dissecting
cadavers held back medicine for cen-
out their corresponding program-
ming assignments, but do not take a
similarly rigorous course on malware.