Computer underground Digest Wed June 16 1993 Volume 5 : Issue 44 ISSN 1004-044X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Copy Editor: Etaoin Shrdlu, Seniur CONTENTS, #5.44 (June 16 1993) File 1--Interview with a Virus Writer (Gray Area Excerpt) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) 203-832-8441 NUP:Conspiracy CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893; In ITALY: Bits against the Empire BBS: +39-461-980493 ANONYMOUS FTP SITES: UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud halcyon.com( 202.135.191.2) in /pub/mirror/cud AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. EUROPE: nic.funet.fi in pub/doc/cud. (Finland) ftp.warwick.ac.uk in pub/cud (United Kingdom) COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 16 Jun 93 22:22:43 CDT From: GRAY AREAS Subject: File 1--Interview with a Virus Writer (Gray Area Excerpt) ((MODERATORS' NOTE: The following reprint from GRAY AREAS (Issue #3, 1993) is an edited summary of an interview with a writer of computer viruses. The summary constitutes less than 20 percent of the entire interview, so considerable detail has been omitted. We apologize if we inadvertently over-truncated parts of the discussion for space constraints. GRAY AREAS is a new hard-copy magazine (see CuD 4.65 for a review) that improves with each issue. Each issue addresses topics in "cutting edge" culture, including technology, art, music, and leisure. The current issue (#3) includes an interview with controversial musician G.G. Allin. Netta Gilboa impresses us as one of the most competent interviewers on the 'Zine scene, and does for print media what Mike Wallace and Barbara Walters do for television: She brings incisive questions to bear on her topic and elicits uncompromising information (in the Wallace tradition) while never losing sight of the subjects' humanity (in the Walters tradition). In our view, it's definitely something worth looking at. A one year (four issue) subscription is available for $18 from Gray Areas, Inc. / P.O. Box 808 / Broomall, PA (19008-008). More information can be obtained from grayarea@well.sf.ca.us)) NOTE: THE FOLLOWING COPYRIGHT MATERIAL MAY NOT BE SEPARATELY RE-DISTRIBUTED OR CITED WITHOUT EXPLICIT PERMISSION FROM GRAY AREAS +++++ GETTING GRAY WITH URNST KOUCH, COMPUTER VIRUS WRITER By Netta Gilboa Many people will dismiss Urnst before they hear what he has to say. Others will hear what they want to instead of what he actually said. Those of you who are willing to listen to his reasoning will find the complex subject of viruses simplified and demystified. Viruses may never again seem as scary. I was surprised to learn writing and exchanging viruses is not illegal. I was surprised to learn virus writers (for the most part) look down on pirate files and pirate computer BBSs. I also learned about several new viruses before the anti-virus community did which seemed strange to me since it was their full time job and just one of many stories to me. Whatever you think about Urnst's actions, you'll probably agree with him that viruses are here to stay with new ones being created every day. There's material here for everyone. Whether your main interest is in how to avoid getting stung by a virus, learning how to write one, or in understanding people who do this for fun, read on. We're certainly interested in your reactions, pro and con. Did you get hit by a virus that was more than a minor inconvenience? Did your opinion about viruses change at all as a result of reading this? Would you like to hear from other, more malicious virus writers and/or from the experts who defeat these viruses? We'll print as much of your mail as we can. Viruses are surely as gray a topic as topics get... Gray Areas: What is a computer virus? Urnst Kouch: A computer virus, in simplest terms, is a small program that must generally have two features associated with it. It has to be able to find another executable program, so it has to have a search mechanism, and it has to be able to duplicate itself and attach itself to a program. So that the next time that program is executed, the virus executes first. You can think of it as a very small piece of code that when executed like any program goes out and attaches itself to another program on your computer such as your word processor. When you next fire up your word processor, the virus will execute first because it has placed an instruction at the beginning of your program. There are many more primitive forms of viruses which don't bother preserving the integrity of your original program. When they are executed the first time, they go out and search for another program and they just write themselves down on top of it. They don't care about preserving the functionality of the program that they've found. They essentially just destroy the portion that they have taken up residence in, and then the next time you would execute your word processor, it has been infected by this virus, called an overwriting virus. The virus will then execute again and then look for another program and your word processor won't execute because it's been destroyed. You will get a cryptic error message which generally is generated by the virus. GA: Oops! UK: Oops, usually there is an oops message in there. This is something people notice right away. Oh, it's not working. Occasionally, some virus programmers get a little more clever and put a little message in the virus so the virus when it's done finding other programs to infect prints a message to the screen that says out of memory or some other DOS error message. GA: Any particular reason you chose the handle Urnst Kouch? UK: No. (Laughs) Just a name. GA: So in other words, it is not someone's name from history or anything? UK: No. I got tired of seeing the same names. I've seen so many Count Zeros and Kilgore Trouts. GA: So it was an attempt to be unusual? UK: I don't know if it was an attempt to be unusual. It was just a name that popped into my head. If you really want to know where it came from, there used to be a jeans or a sneakers commercial. It said life is short so play hard, so I just thought, oh well, there's a great commercial, change it to what most Americans wish it would be, life is short, lay on the couch. So, that's how the Kouch came about. Now I needed something to go in front of that. I thought Kouch sounded vaguely dramatic. Urnst is kind of German. That's where it came from, just a name. People could almost think that it's a real name, normally. Stretching. GA: What demographics about yourself can you share with our readers? UK: I'm about 35. I have a Ph.D. in chemistry. GA: How did you personally get interested in viruses? UK: Well, part of it came out of 1992 when the general media began covering Michelangelo in such a hysterical panic. I smelled a rat. This seemed absurd so, knowing something about computers, I started researching. I eventually wound up writing on it. During my course of research I wanted to dig up some viruses so that I could have a look see for myself and, of course, the people in the anti-virus communities did not turn out to be very forthcoming when I asked for a few samples of viruses. GA: They don't even seem to want to answer theoretical questions. UK: No, they don't even like to do that. So I just went out and assumed that there was probably a lot of virus code lying around in underground channels. And this was the case. This leads to a kind of leveraging effect whereby once you accumulate certain things and start talking about them, then the more respected avenues begin to open up for you and the anti-virus researchers take you seriously which is kind of hypocritical, but it's the way things are. To get access to some of the virus archives on underground sites, you have to come up with an original virus that they don't already have. You can either go out and try and find one, which isn't that hard, or you can write one yourself and upload it. So that's what I did. It's not hard to write a virus, and I somehow found a copy of the Mutation Engine which I thought was interesting. GA: You should explain what that is, especially for people who don't own computers. UK: The Mutation Engine was briefly mentioned around the time of Michelangelo as a product by a Bulgarian programmer known as The Dark Avenger. He's famous in the virus community, well-known to anti-virus people too. He's written a series of viruses which have found their way into the West and he's known for trying to make challenging codes. I guess that would be the best way to express it. Then last year he uploaded something called Mutation Engine which was a segment of code which provided any virus that included it with variable encryption. Now when I am saying variable encryption, some viruses use encryption. All encryption does is when the virus is done doing it's thing, finding a file to infect, it will copy itself into that file at this point, and will encrypt its instructions so that it looks like a hunk of nonsense attached to the end of the file. The only part of the virus that remains constant is the decryptor which the encryption routine adds. The decryptor is the portion that the virus needs to ungarble all the instructions. When the infected file is executed, the decryptor is the first thing to begin to work in it. Now, if you hide suspicious messages in your virus, when someone is looking at a suspected infected program under a file viewer which are pretty common tools in utility programs, you don't want a dead giveaway like, "Ha, Ha, I've got you or f--- you lamer," sorry for my French but we will be blunt. That's what's in a lot of stupidly written viruses. And so a simple encryption routine allows you to hide those kinds of things. How the Mutation Engine differs is that it provides variable decryption that has a complex mechanism in which it changes the scheme of encryption so every time the virus copies itself it adds a different decryptor on a random basis. The decryptor will change the content of its instructions; it could change in size, this makes finding a constant set of instructions impossible because it's constant. It is a very sophisticated piece of programming and in comparison to the viruses that it's used in, it is much larger: about 2,000 bytes in size, where most viruses are about 200 or 300 bytes in size. Mutation Engine viruses benefit from this variable encryption since scanners, at the time of its release, could not detect viruses using it. Some still do have some difficulty doing that because a whole different approach to virus scanning had to be programmed into the utilities that the manufacturers were making. Now they had to be able to disassemble the infected file, looking for sets of instructions, characteristic of the decryptor that the Mutation Engine used. Without getting too technical, you can use statistical methods to do this. If you load it into a symbolic debugger and step through it, you can see that the decryptor follows a pattern. It always changes every generation, but there is always a constant pattern going on there. Good programmers can see this and program that into their software so that the pattern characteristic of the Mutation Engine code can be flagged. Then we know that the Mutation Engine is there. It was blown out of proportion because it has a sexy name. The significance I think of the Mutation Engine is the inspiration it has provided for virus programmers worldwide. GA: So, basically, you have been involved and interested in this for about a year? UK: Yeah. To get access to virus libraries you had to upload an original virus and the first one that I came up with was Crypt Lab virus which was a hack. I uploaded it to a couple of virus exchange BBSs in this country and then got access to their virus libraries. From there it is simple to start building. My library just kind of snowballed. It's a mistake to think that virus exchanges are a threat and run by geniuses. That's just not always the case, although some are. GA: How would you define your role presently in the virus world? UK: Just someone who publishes them in an electronic newsletter which looks at the virus community just as it would look at the anti-virus community. There are no other publications that just look at both sides of the coin rather squarely, provide real technical as well as general information. It covers a broad spectrum of the computer reading audience. Someone who is almost completely computer illiterate can at least recognize some things in the Crypt Newsletter, but not everything. That's it. As a functional part of that I have to continue to provide semi-interesting code samples that actually work as well as other things. I think it gets boring really, really fast, if you're just in the processor pumping out viruses. That's the hard part. The interesting part for me is actually putting in the other things: the analysis, the news, the commentary and that kind of stuff. GA: Do you want to mention that you are running a BBS (computer bulletin board)? UK: Yeah, sure. Call anytime. It exists for people to come and get the Crypt Newsletter if they are interested in finding it without going through the usual hassles of underground channels like the cool, elite bulletin board systems. The underground world has become very exclusive. In a sense it is cliquey, and if you are not associated with the right people you don't get entrance. It seems to be totally opposite of what the computer underground started out as, but this is what it is now. So if you don't want to go to your local pirate BBS where they stock it, and get through their new user voting screen whereby a like-minded bunch of buddies decide if a complete stranger that they've never heard of before should get entrance to this exclusive domain; if you don't want to put up with that fuss or have to come up with some virus before you get it; on my BBS, you just get it. Which is how you should get it everywhere, but I can't control that, I can't care about it that much. You don't have to be cool to get it. GA: What skills are required to write a virus? UK: Almost none. It's a myth that you have to be a programming genius to write a virus at this point. That may have been true when the idea was novel. It certainly hasn't been true for the last two or three years. There's so much source code lying about that anyone with a passing knowledge of the computer and a little bit of determination, a desire to do it, can take a stab at hacking an existing virus. This is rather common when coming up with an original virus which can be cobbled together with segments of or ideas from others. Writing one from scratch is the hardest way to do it. GA: Aren't they all written in programming languages? UK: Assembly mostly. By far most viruses are written in assembly language. GA: So you have to understand what assembly language is? UK: Yes, you have to know assembly language, be able to recognize assembly language code and have a general understanding of what assembly language instructions do. You have to be able to recognize within a sample of code what the instructions are doing, so that you can follow the virus. In that sense you do have to immerse yourself in assembly language coding. But it's not as hard as one would believe. There are good books, and there's plenty of virus source code around, so with books in hand and looking at virus code in a dedicated fashion, you can get the hang of what is going on rather quickly. Viruses all share a commonality, there's just not a lot of variability there in terms of what they do. Some people write viruses in higher languages like C or Pascal. Those are few and far between because it is difficult to make the virus agile enough in those languages for them to function efficiently on a machine. A virus has to be small and quick to do the best job. It is difficult to do that with languages like C and Pascal simply because there is a great deal of overhead involved in the languages when they are compiled. If you look at a program that is written in C to do a certain function on a computer and then you look at a program that is written in assembly, the assembly program would be much, much smaller than the program written in C. C is conversely a language that is easier for people to understand because it is closer to English. Whereas assembly language just has a bunch of, at first, what would appear cryptic instructions. GA: But it is basically the type thing that anybody with a degree in computer science can do? UK: Oh, I would think so, certainly. I don't even think you need a degree in computer science. I think fifteen year old kids who are really into computers can write viruses. GA: And I bet they do. UK: I'm sure they do. GA: So how many viruses have you made and which ones are they? UK: I don't know all of them. Well, there was the Encroacher. That was in one of the Newsletters. That was a Mutation virus that attacks Central Point Software's anti-virus program. There might have been three variants to that. There was the Insufficient virus which is another Mutation Engine companion virus. You know what a companion virus is? GA: No. UK: Most viruses function by attaching, we are talking about file infecting viruses purely here, and most of them attach themselves to those files. Companion viruses are spawning viruses. A spawning virus or a companion virus will look for a program on your computer that is an .EXE and it will make a duplicate of itself. Then it will rename itself as that program except the extension will be .COM. Because of the rules of DOS, when you call a certain program which might be your word processor or something like that, DOS will execute a .COM file before it will execute an .EXE file. Well, the virus just simply renamed itself, made a copy of itself, renamed as your word processor. The virus will execute first and then it will hand off to the word processor program or the infected target program, and things will function normally and the virus will, if it is a direct acting run time virus, it will go off and search for another program to infect. If it is a resident virus it will now be installed in memory and it won't have actually changed the infected file at all, so anti-virus software that checks for changes made in files won't detect a companion virus unless it is smart enough to look for identical file names. Very few anti-virus software programs do that. GA: Certainly when you wrote that one, they probably didn't! UK: I believe they still don't. Companion virus infections can be easily removed and the machine restored to total health, simply by looking for all the small .COM file duplicates that reside next to .EXE's and deleting them. The virus creates these files as hidden system read only files. So if you do a simple directory, uneducated people won't see them. They are going to be hidden like the system files in your root directory. You won't see them when you do a directory search. You have to change the attributes on them to see them so that they are not hidden and read only, or else you have to have some kind of file manager like X-Tree or PC Tools that automatically lets you see even the hidden files on your system. It is a minor annoyance but it does a little bit of stealthiness there. Almost all companion viruses create themselves hidden files. Eventually some people start to notice because they start losing disk space, the disk is filling up with hidden files which are the virus. GA: Then there was the Crypt Lab virus, right? UK: Yeah. GA: And that was recently mentioned in Discover magazine? UK: Yes, that was at the end of the article. I got the Virus Creation Laboratory, and I spent a lot of time going through it and creating some variants to that just to see what it could do. One of those was Diarrhea. Anyway, if you execute the virus, there are three forms to that virus. One will infect all files until it can't find anymore files to infect. It will put on a display that says, "Eat My Diarrhea," which I think it is one of his favorite phrases. Another variant of the virus goes about doing it's business and while it is infecting other files, it drops a small program onto files. That does not infect. This destroys those programs, essentially creating what I call zombies. The zombies merely display the neon "Eat My Diarrhea - GG Allin and the Texas Nazis," in neon color. As soon as you run one of those things you know you've been the victim of a prank or something like that. So that's what the Diarrhea viruses do. They are created with the Virus Creation Laboratory. And then there was another virus creation type tool that's been produced by the members of Phalcon/Skism virus programming group. There was the virus I made using code from the Virus Creation Laboratory and the Phalcon/Skism Mass Production Coder I think it's called. That was called the Mimic virus. And the Mimic virus came in a couple of flavors. It was a file infecting virus which created a mimic of the Jerusalem virus. The screen is characteristic of Jerusalem. Another one I created was the Den Zuk Mimic. With the original Den Zuk, when the person does the three finger salute (hitting control-alt-delete keys at the same time) to reboot the computer, this graphic comes up on the screen and shows Den Zuk. It's kind of a nice graphic too I must admit. I like that. I put that into Den Zuk Mimic to make programs show that graphic. GA: I thought there was some other virus. UK: Is it recent? In a recent issue of the newsletter? GA: No, I'm getting it from the VSUM listing. There were four viruses in the December 1992 issue that listed "Kouch." UK: I tend to be only really familiar with the recent ones that have been published. Maybe it will come to me. GA: What's so exciting about viruses and source codes? UK: I like the word "interesting" more. GA: Okay. UK: Well, particularly interesting because of the misinformation that goes around concerning the viruses. There's a great deal of it. There's a great deal of mystery that shrouds. I don't think there's a lot of mystery associated with viruses. Viruses, in my opinion, are rather trivial programs that, once you're thoroughly cognizant of what a virus can and can't do, become more like a pest if you ever run into one. You should be able to get rid of it rather quickly in your machine. And it might interest you to know that one of the anti-virus software programs in its own virus database in that program displays the severity of damage that viruses can do. Fully 95 percent of the viruses listed in that database, are characterized as trivial. It takes three minutes to reset the machine to proper working order. And that's fairly accurate, I think, and that's not something that's common knowledge. People think it's a major catastrophe when they are hit by a virus. I do not take seriously claims of people being set back for hours. If they are completely ignorant of a virus, yes. But someone in the department or in the household knows about viruses. No, that's just an exaggeration. So viruses are interesting to me because of that. Because of the great variations in opinions that surround them. GA: And also the myths. UK: The myths on them and the controversies associated with a virus. When anyone speaks up about viruses. GA: That's becoming very interesting to me. UK: Politically incorrect terms. There's always been a great deal of controversy surrounding this. And so for this reason alone, viruses to me are interesting. For example, on Prodigy it is okay for dozens of people to advertise adult bulletin boards, with gigs of pornographic files available for download. These are not expunged from the Prodigy computer club as inappropriate. However, if anyone posted a note on Prodigy saying they want to find a virus, can someone help them locate a virus, that is immediately spiked. Why is that? I'm not sure. But it's interesting. GA: I've had a lot of trouble getting in touch with the Virus-L Newsletter from the WELL. UK: The Virus-L publication is pretty much dogma. I've seen it a lot, I've never thought very highly of it. There are bright people that contribute to it. It is not particularly useful. GA: Well, it is a major place that people who don't know anything about viruses go to turn to when they think they've been hit. UK: Well, they won't find out a lot from that publication. (Laughs) People only talk about viruses in general terms. GA: I asked several people to contribute questions. The number one question people had for you was what gratification or satisfaction do you get from this? UK: Well, I enjoy publishing the Crypt Newsletter. It's a challenge to make it interesting to a lot of different people and I enjoy the response that comes in. Some of the people that I've met through it have been rewarding. I don't meet a lot of stumps. I wouldn't continue to do it if there was absolutely no response and people didn't show some curiosity and the desire to see more of it. I want to give them more for their trouble, so that makes it an evolving thing. You want to see if you can top yourself and make it more interesting. There is a great need for this kind of look at viruses. I don't think you can get that from Virus-L to be quite honest with you. GA: Or from anything else. UK: You'll get it from some other underground publications, of course. They are hard to find. Some people are turned off by the smoke and brimstone they come packaged with. My newsletter is a little bit different than trying to be so blatantly sociopathic. And I'm sure there are people who read it and think that I am a sociopath. I don't think I am, I think that's clear in the newsletter. GA: I think most people who think you are a sociopath wouldn't read it. UK: Probably. They would read it once and then toss it. I really like the work of Mark Ludwig. The Little Black Book of Computer Viruses, to me, was extremely interesting. It was the first book that I was able to get ahold of on computer viruses that had any good information in it and he's continued to do that kind of thing. GA: Right, he has a new edition coming out and a newsletter which prints virus code. UK: And, so, why is that interesting? Well, he explains why viruses are interesting for a number of reasons. Part of it because of the controversy that the concepts brings up. In a way, I think studying viruses gives you a good understanding of the computer on a really low level basis, and that's worthwhile. For some people that makes the computer much more enjoyable as they start to unlock some of its secrets or understand what is actually going on inside it a little better. Viruses are kind of an indirect way of getting at that information. Maybe you're bored in your computer class listening to the dogma of understanding the operating system of the PC, but maybe you are interested in computer viruses because you like the concept associated with practical jokes and want to start to look at computer viruses a little more. You become more curious, it becomes more involved and now you are starting to get a better grasp of what someone is trying to teach you in the computer course at the same time. It is an indirect method, it's not an obvious way, but I think that it does happen. GA: Nowhere Man. UK: Nowhere Man. He's an interesting individual. He spends a lot of time programming different things. GA: So basically there is a social aspect to this too. UK: Yeah, yeah. Talking to different people around the country, through the computer and meeting different people, getting their ideas. They're interesting people. GA: How much of your time does this take up in an average week? UK: It depends. I tend to do a lot of it late at night. I think it's hard to say. Right now I'm spending more time on the BBS than I have on the Crypt Newsletter. GA: And regardless of what the BBS was about there's just maintenance that takes time every week. UK: Yeah. I'm uncomfortable with quantifying things, so, as much time as it takes to do it right. GA: About how many groups are there in the virus world? Active and inactive. UK: There's Phalcon/SKISM, NuKe, there's YAM. There was Rabid. They supposedly disbanded, but I got a virus the other day that said Rabid lives again, so maybe they do. The virus doesn't work. (Laughs) You know what I mean. It's hard for me to tell. There was a British group called ARCV. The Association of Really Cruel Viruses, that's what it's called. And they pumped out a bunch of viruses over the summer and the fall. Their leader was busted by the authorities in England for a phone fraud related kind of thing. So I have no idea of what the status of that is. They certainly made quite a few viruses. They have one resident virus that they subsequently modified quite a bit and they have a model of a direct action virus which they've also modified. GA: So about a half a dozen groups more or less? UK: Yeah, but I'm sure there are smaller groups that I haven't mentioned here. GA: And individuals? UK: And individuals. I think that the lone virus programmers are actually more common than the groups because the groups are never as monolithic or as united in anything as they're portrayed. They are just a couple of individuals who have a loose association with each other. Like NuKe. One of the members of NuKe, Rock Steady, is French Canadian. Nowhere Man is from the Midwest. They may talk a lot but obviously they are separated by geographic locations. So how tight can that organization be? And then NuKe has a division in Australia and some people there who run the BBSs and do virus programming in Australia. There's a Scandinavian group, I forgot about them, called Demoralized Youth who apparently created the Hitler virus which I included in the Crypt Newsletter. And they produced things like the PC Byte Bandit which you see on a lot of bulletin boards. GA: Do such groups exist for other computer types like Mac, and Atari? UK: Well, that's a good question. I know there are a lot of Commodore viruses but I don't know if they are groups or the infrastructure is quite the same. As for Mac, I would think probably not because you know there aren't many Macintosh viruses. GA: Are any of those differences between the computer types worth noting? Like is there a reason why there are fewer Mac viruses, does it have something to do with their operating system? UK: Yeah, the operating system on a Macintosh is less open, for the simplest explanation, than the IBM PC, therefore fewer people are writing programs that will operate as viruses will on it. It's a more cryptic system shall we say. GA: Do some of these groups that you are aware of try to make money or is all this being done for free? UK: Well, Aristotle is the sysop of the Black Axis Virus Exchange. He's the fellow who informally put together, who is formally the head of what is known as the Vx, like in Rx. It's a loose network of virus exchanges around this country, about twenty, maybe a little less than that now. He has a really large collection of viruses, something like over 2,500. 600 samples of source codes, there's lots of duplications in there, so he's packaged it up rather neatly and gotten the word out in almost formal advertisements that he will sell his collection for a lump sum. I forget what it is. Somewhere between $100-250 dollars. He tells me he's gotten 40 takers. So there you have someone who is trying to sell the viruses for money. I've seen advertisements to this effect on other virus exchange bulletin board systems. Others would like to sell their virus collections, depending on what the market will bear, I guess. GA: How big would you estimate that the virus community is? Can you estimate the total number of virus exchange boards or the total number of users? UK: I can't identify the number of users. I can make a rough estimate of the virus exchange boards. At least 20. GA: In the whole world? UK: No, in this country. What do you mean by virus exchange? We've got to set some rules here. Let's count all the ones that specialize in this, that have collections of over 1,000 viruses. I'd say at least 20 BBSs. .................... GA: My interest in this comes from the Michelangelo scare, which of course we are taking in retrospect with a grain of salt, but they reported that the people in other countries such as India or wherever, had so little access to U.S. anti-virus programming. In some of those countries they don't sell anything legally to remove viruses. So if they were hit by something, they don't even know where to go to get something that will clear it up. UK: You don't need anti-virus software to get rid of something like Michelangelo or Stoned. You can do it with undocumented commands. If you've talked to someone who does know something about viruses, and you didn't have anti-virus software, you could use that and dispatch something like Michelangelo and Stoned rather quickly. GA: So you think the reports about problems in other countries are over exaggerated? UK: Well, there's an article which analyzes the media coverage of .................... Michelangelo and I think that really puts it into perspective. It really shows the people that tried to actually come up with hard data after March 6. They just weren't able to come up with anything that I consider serious data. I remember them coming up with things like South Africa was reportedly hard hit. Says who? You know what I mean. You know how journalists work. They get on the telephone for like five minutes with someone in South Africa and the guy says we've been hit by a thousand. How does he know? And there was one that was even funnier. I think it was some military computer in Uruguay or Paraguay. The virus does exist but I just don't think that it was common. I got one call from some kid and he's concerned he might have that virus because he's had floppy disks that are dying right and left on him. Well, I said, "Do you have any anti-virus software?" I'm trying to help him over the phone. He says "No." I said, "Do you use bulletin board systems?" He says "Yes." "Alright, what you want to do is call up one of these and get some anti-virus program and download it and copy it immediately to a right-protected floppy disk. Without doing anything else and once you've got it on there, execute it until it is all laid out on a diskette for you and then write protect that and then put it in your floppy drive and scan your hard drive." So that's what he did and he found out he had the Disk Killer virus, completely a bird of a different feather. Actually, it is more annoying. It is a boot sector infector like Michelangelo but once you discover it, you usually don't have much time left before it activates. It has a very short activation period after it has been first placed on a disk and then it encrypts the information on a disk which essentially makes it useless to you. So he removed it, but it wasn't Michelangelo, he had a different virus. So where were all the Michelangelo infections? Were there any? I think it was vastly overstated. .................... GA: You mentioned before that people who work for software corporations write viruses. UK: And they program viruses or collect. There just doesn't seem to be any motivation to them other than that they are what I call stamp collectors. They just like to have a large collection of viruses, like people have large collections of baseball cards. That's a big thing, baseball card collecting. Why do people want a huge collection of baseball cards? I don't know. But I have a large collection of viruses. So, there's that collecting thing and that's not the same motivation as other people who write viruses. And then there's a mischief maker, a hell raiser, an angry young man kind of guy. He wants to put his mark on the world and have revenge on his school or something like that and maybe he's going to write a virus. I just don't think that there's any common denominator. Trying to write it off to one segment of the population is idiotic. Quite frankly, you can talk about different segments of virus programmers. To judge them all based upon one set of rules, disgruntled and angry at the world, is just absurd. GA: The media does portray that whole image at the Bulgarian virus factories. UK: Another sexy story. GA: Why Bulgaria? You are basically saying it's lots of other places too and that's just a myth? UK: Well, there are a lot of viruses that came out of Bulgaria. You can't discount that fact. There were Bulgarian virus programmers and there is The Dark Avenger and you don't want to minimize that, but that's not the whole spectrum of it. Maybe they are more serious and dedicated or they were for a time. But, no, Germany has virus writers, Poland has virus writers. GA: Right, Canada. UK: There are callers to my BBS from Lisbon, South Africa, Canada. I would assume anywhere there are computers, there are virus programmers. GA: And any place there are disks, there are collectors. UK: That's right. I mean Scandinavia, India, Thailand have virus programmers. I would be hard pressed to think of a place that doesn't. .................... GA: We kind of touched on this before, but how can people best protect themselves from viruses? UK: I would say that since virus code and viruses are going to be with us just as long as computers are going to be with us and if you are really concerned about it, then you should try to find out some of the basics of virus behavior so you can rule out a lot of things that aren't going to affect you. You've got to know that a virus is dependent upon an executable program to spread on your machine. You must execute it first. Knowing that, any executable program that comes into your machine then becomes, if we are not talking about boot sector infectors here, a possible virus candidate and I would just say that you should get a perfunctory anti-virus scanner. Find the cheapest one you can. A lot of companies are now letting the scanner portion of their software go for free. Don't get a lousy scanner. You are going to have to do some reading. I can't make it easy for you. I'm not going to make product recommendations, obviously, but you can get some for extremely cheap if not free. GA: So you recommend that people have something? UK: Yeah, at this point. If you want the least amount of work involved, get a cheap scanner or an almost free scanner if you can, and by doing a little reading you will find out what the best product is. You are just going to have to go a little deeper than the glossy magazines. Be a good consumer, okay. The chances that you are going to come across a very clever and totally new virus which is going to become resident upon your machine and stay invisible for a long period of time, are exceedingly rare, and I just don't think that you should concern yourself with that. I have just never been victimized by anything. I'm more educated so I don't worry about it. I take some precaution but nothing like some. So get yourself a cheap scanner if you feel you must have something, and as you go along in your computing, try to get a good idea of what viruses do. Ignore the hype associated with them. Most viruses are not 100% transparent. They will misbehave in a manner that is repeatable. So if you have something on your machine that's going wrong and it seems to be random, it's probably not a virus because viruses are made out of discreet instructions, and they are going to do the same thing. The problem will repeat itself. So either you have buggy software that is repeating the same bug or you could have a virus. If you are going in harm's way, where you might have to worry about possibly getting a virus infection; like if you are an obsessive, compulsive downloader, if you use places or services that have a lot of public flow of disks in and out, if you buy a lot of retail software from someone that you suspect is rewrapping software that has been used in someone else's home already, there's a possibility that you could occasionally become infected, but still it's just not real common. For boot sector infectors, try to keep those diskettes from staying in the slot on the A drive at night after you turn your computer off. If you did that and then your computer starts behaving weirdly, then you might worry. .................... GA: You also mentioned the virus that attacks Central Point's software. If you don't have Central Point that virus isn't going to do anything. UK: Yeah, right, so what? And then you program to attack something that presupposes a level of technical understanding which may not be in your average disgruntled employee. You've got to have someone who has an ax to grind for a long time to think of a really finely crafted virus to destroy something. There are one or two viruses like the Dark Avenger which are extremely destructive on business systems. GA: What's the scoop with the Proto-T virus? UK: Oh, that's just a joke. This happens periodically on the networks, and I first noticed it on the Fidonet. Some prankster or a group of pranksters uploaded this completely bogus story about an unknown virus hidden in the archives of one of the numerous PKZip hacks and it was like science fiction, it described things which were impossible for viruses. GA: Destroying the video card was one. UK: That's an old one, or writing itself to video memory is completely nonsensical because the virus would crash almost immediately. Just from what I know of how people react on the networks, I knew that there would be hundreds of people beginning to think that there was some credence to it. This spread all around the world. GA: Well, with Michelangelo, the news traveled. In 24 hours everybody knew about Proto-T. UK: I was just about ready to publish an issue of the Crypt Newsletter so I had a generic resident virus that I was including in it. I thought I would just customize it and have Proto-T as the name. I figured that people would not read the documentation. The real story is that this was just a name. These Proto-T pranksters came up, whoever they are, with this stupid Proto-T story; we might as well give them something to go along with it. It spread, it really spread. I saw people on Prodigy, some of the hackers that show up on there, saying that they swore they had copies of source code of Proto-T from some virus programming newsletter, which means to me that they stripped the code right out of the Newsletter almost immediately, and didn't even bother to read the note that came with it. It didn't even come close to imitating fictitious achievements of the real Proto-T which were flatly impossible anyway. And it just spread all around. .................... GA: What about YAM (Youngsters Against McAfee), the name is used against McAfee so it kind of implies... UK: You ought to look at their stuff! They spelled McAfee wrong a couple of times. I don't know, I just don't know. What can I tell you. I wouldn't have chosen that name but I can understand perhaps why they might have. For a long time, the thing was to elude Scan. I noticed this early on. It was an achievement to create a virus that Scan couldn't catch. Actually it is not much of an achievement. GA: No, it only lasts a month or two at most until they get a copy. UK: What's the point? Why is McAfee a whipping boy? He just happens to be better at public relations than the rest of the anti-virus people. GA: That's one reason, and the other reason is that because his is shareware and so many more people have it then the other ones. UK: Well, it's not just shareware. There are quite a few of his products that are cross-licensed as retail software. He's got a really big stake in anti-virus software. He's also the best at dealing with the reporters like during the Michelangelo scare. GA: Early viruses used to attack institutions with power, now they seem to mostly affect individuals. Do you think that's true and, if so, why the change? UK: What institutions with power? GA: Colleges and corporations. UK: No, I think colleges are still pretty vulnerable, don't you? They are always going to have computer labs, where people can bring stuff in indiscriminately. That really hasn't changed and maybe it has moved a little more to the individuals because computers have moved more into the homes of individuals. GA: That's true. UK: So, before high end PCs were the domain of a small or a medium size business with one or two individuals who knew how to use them as the selected employees. Now the computer has become more of a household appliance, still not totally widespread, of course, but moving more and more into the household where people can use it as a glorified typewriter. GA: Anything that you would recommend to people who would want to read more, learn more? UK: I'll give them my sole plug for Mark Ludwig's book on computer viruses. It is not an evening's read. You get a lot out of that especially if you come back to it. It impresses upon you the idea of learning something about assembly language programming, which after you look at it a couple of times starts to make some sense to you whether you become an assembly language programmer or not. Probably not. Springer-Verlag has an academic text on computer viruses but it costs about $40, probably not something the average person is seeking to get a hold of. ------------------------------ End of Computer Underground Digest #5.44 ************************************