<p>I'm curious: what exactly makes writing malware difficult? Consider a sophisticated modern mass-mailer with a backdoor. In my experience, it consists of:</p>
<p>A) Code to inject a thread into explorer.exe; that thread then contains:<br>B) Code to report to a central server via HTTP;<br>C) A SOCKS proxy thread and/or remote file system viewer;<br>D) A routine to scour the disk for email addresses;
<br>E) An SMTP client;<br>F) Code to ensure that the worm starts every time the system boots (almost always via the registry), and maybe<br>G) Code to make sure its registry key / executable are not deleted.</p>
<div>Each component is no more than 1,000 lines of code, and each is easily testable. For good measure, the binaries is are usually packed with either FSG or UPX. </div>
<div> </div>
<div>Your standard IRC trojan is even less sophisticated. Trojan downloaders are literally less than ten lines of C code to write. BHOs, as well, are much easier to write than they are to analyze (if you don't believe me, try it). SymbianOS malware is excruciatingly difficult to analyze, while the malware authors have an emulator and an SDK with a rich collection of examples to work with.
</div>
<p>I just don't see the "incredibly hard" part in writing malware: are you referring to some other class of malware than the ones I've described? I agree with Sophos (while at the same time thinking AV is snake-oil): statically analyzing malware is substantially harder than writing it.
</p>