you’ve seen as much malware as O’Murchu has, you can glance at a virus or Trojan horse and know immediately what it does—this one is a keystroke logger that records everything a victim types; that one is a banking Trojan that steals login credentials to online banking accounts. It’s also easy to see whether a piece of code was slapped together sloppily or crafted skillfully with care. Stuxnet was obviously the latter. It appeared to be a dense and well-orchestrated collection of data and commands that contained an enormous amount of functionality. What those functions were was still a mystery, but O’Murchu’s interest was immediately piqued.
O’MURCHU’S FIRST ENCOUNTER with malware occurred in 1996 when he was studying computer science at University College Dublin and a fellow student unleashed a homemade virus that infected all the machines in the school’s computer labs. On the Ides of March, the virus seized control of the terminals and locked everyone out. Users could only log in after answering a series of ten questions that flashed on the screens. Most were annoyed by the interruption, but O’Murchu just wanted to get his hands on a copy of the virus to take it apart. It was part of his DNA to deconstruct things. Growing up in the country outside the small town of Athy in County Kildare, he was the kind of kid who was less interested in playing with toy cars than in tearing them apart to see how they worked.
O’Murchu didn’t set out to become a virus wrangler. He began his college career dutifully taking physics and chemistry classes for the science degree he planned to pursue, but then enrolled in a computer science course and became obsessed. He quickly abandoned the chemist’s lab for the computer lab. Hacking was a growing problem at the university, but O’Murchu never considered computer security a possible career path until intruders began breaking into servers belonging to the school’s computer club, and a team of students was tasked with patching the servers to kick them out. O’Murchu was fascinated by the cat-and-mouse game that ensued, as he watched the intruders repeatedly outmaneuver the defenders to get back in.
That lesson in breaking digital barriers came in handy when he and a group of friends traveled to the United States after college and briefly got jobs testing internet kiosks for a San Diego start-up. They were hired to see if they could bypass the kiosk’s paywall in order to steal internet access. But instead of getting the normal computer users the company thought it was getting, it had inadvertently hired a team of skilled hackers. After half a dozen kiosks were set up in the warehouse where the systems were being assembled, O’Murchu and his friends were told to go at them. They were only supposed to test the system for two weeks before the company planned to ship the kiosks out to customers, but O’Murchu and his friends kept finding new ways to break the paywall. After two months passed and they were still finding holes, the company canceled the testing and just shipped the kiosks out.
O’Murchu spent the next couple of years traveling the world and snowboarding with a vague desire to get into security but without any plan for doing it. Then in 2002, he got a job with the anti-spam company Brightmail in Dublin. He only took it to earn money to support his traveling, but when Symantec bought the firm in 2004, he saw it as a chance to leap into security. During a tour of Symantec’s Dublin office given to the Brightmail employees, O’Murchu could barely contain his impatience at being shown around the various departments. All he wanted to see was the virus research team that he hoped to join. But when he finally met Eric Chien, the American who managed the team, his dream of being hired was dashed. O’Murchu thought Symantec had hundreds of analysts stationed around the world and that it would therefore be easy to get a job. But Chien told him only half a dozen