FireEye intern created and sold Dendroid malware

Graham Cluley
Graham Cluley
@[email protected]

Grassy knoll Having worked for anti-virus companies for over twenty years, I’m pretty used to dealing with one question in particular.

“You guys at the anti-virus companies write the malware, don’t you?”

It’s a fun conspiracy theory. And I like to imagine that John McAfee was on the grassy knoll in November 1963, sniffing bath salts and hooking up with Costa Rican prostitutes, as the Kennedy cavalcade drove past. But it’s not true, of course.

Any anti-virus company found writing and distributing malware would not only be shunned by the security community, but also be committing commercial suicide. After all, what organisation is going to be happy buying medicine from the very same people who are going around spreading the disease?

Sign up to our free newsletter.
Security news, advice, and tips.

But that’s not to say that everyone working at anti-virus companies is a good guy.

Morgan CulbertsonMeet 20-year-old Morgan Culbertson. He has just pleaded guilty in Pittsburgh federal court to developing and selling the Dendroid malware capable of hijacking Android phones, stealing data and using the cameras to spy on innocent users.

Dendroid is a sophisticated piece of Android malware, capable of evading detection by the security measures Google has put in place on the Android app store.

Culbertson plotted to sell Dendroid for $350, and demanded $65,000 from anyone interested in buying his source code. He was caught after the FBI raided the Darkode crime forum last year, dashing his hopes of infecting almost half a million Android phones with his malware.

But what makes Culbertson’s conviction particularly noteworthy, is that – according to his LinkedIn profile – he worked as an intern at security firm FireEye for 12 weeks up until his position was unceremoniously curtailed by the law enforcement investigation.

Culberton on LinkedIn

I completed a 12 week internship at FireEye as part of the Advanced Persistent Threat team as a Mobile Malware Research intern. I improved Android malware detection by discovering new malicious malware families and using a multitude of different tools, automation techniques and decompiling analysis heuristics.

FireEye confirmed earlier this year to The Register that Culbertson had indeed been an intern working on Android malware research, and it sounds like they’re not in a hurry to have him back.

Culbertson could receive a maximum 10 year prison sentence, and a fine of $250,000, but with no prior criminal convictions I find that unlikely.

When I worked for anti-virus companies and was interviewing prospective new techies, I would always try to get a feeling for just how interested they were in malware. If they started frothing at the mouth in excitement at the thought of working with viruses, spyware and Trojans, I generally thought they might be a little *too* keen and perhaps not a safe bet…

Maybe today other security companies should try harder to ensure that they’re not taking onboard someone whose actions might fuel the crazier conspiracy theories out there.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

6 comments on “FireEye intern created and sold Dendroid malware”

  1. Simon

    If anything, he might be updating his LinkedIn profile soon to say that'll be be stamping license plates for a while… what a silly bloke.

  2. Patrick

    Throw away the key.

  3. Publio Vestrone

    We do not live in a civilization that acknowledges (let alone promotes) an absolute standard of right and wrong. So we end up with smirking little twits like Mr. Culbertson, who evidently thinks life is a zero-sum game.

    But locking him up and throwing away the key would be an injustice to the taxpayers who have to pay the bill for his imprisonment. If he gets any jail time, he should have to fund it through honest work.

    If such jerks had to pay the cost of their own apprehension, prosecution, and incarceration (plus restitution to anyone whom they've harmed), the deterrent effect would be far more potent than getting a free ride in prison at taxpayers' expense.

    1. Jim · in reply to Publio Vestrone
    2. Simon · in reply to Publio Vestrone

      +1, but to get blood out of a stone?

      I agree, prisoners should financially contribute their 'accommodation' costs while incarcerated by providing a service back to the community, but wouldn't that be robbing the law-abiding citizens employment in the area?

      Unless you assign them laborious/menial jobs that nobody wants to do or is too expensive to automate… That'll likely to require heavy supervision to avoid escapees. Oh, and you're likely to cause a rife of protests, complaining about human rights…

      Unfortunately it's a loose-loose situation.

    3. coyote · in reply to Publio Vestrone

      "But locking him up and throwing away the key would be an injustice to the taxpayers who have to pay the bill for his imprisonment.

      No one deserves to starve and if you've never seen someone starve (to death or otherwise) – or experienced severe malnutrition and/or severe dehydration then consider yourself lucky. It isn't fun (I've experienced both simultaneously and I've seen a lot worse). To even consider locking someone up and throwing the key away… says a lot. But irony: if they throw away the key, they throw away the ability to easily open the cell, which means there is no use of the cell (it becomes more like catacombs), and since there is no food to give them, there isn't any money involved.

      "the deterrent effect would be far more potent than getting a free ride in prison at taxpayers' expense."

      No, deterrents won't make a difference. That is trying to bring logic to something that doesn't involve logic. That itself is illogical.

      People in terrible living situations (e.g. homeless) will commit crimes (that can result in imprisonment) for better living conditions even for a single night (a night in jail is better than being on the street). Some homeless also prostitute themselves so they have a night (or nights) off the street (and obviously money). Some women will have an unwanted sexual partner for similar reasons. This is a well known thing but in case you don't believe me:

      The fact it comes down to that says a great deal about humanity. There is so much focus on punishing others (as you demonstrated in your last paragraph) – rather than helping – and it results in making things worse (including adding to the 'taxpayers' expense') where it could make things better. Case in point: going cold turkey on some drugs can kill you and otherwise – with some rarer exceptions – won't make someone suddenly be over – or rather work on getting past – an addition, but instead of helping them through detox they are imprisoned. It isn't limited to drug abuse, it shows a lack of compassion, it only fuels resentment and it is conducive to more offences being committed.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.