March 1st, 2002 05:56 AM
interview w/original virus writer
:: An interview with original virus writer ::
The interview was done via e-mail, with a quite well known virus coder around. He asked me to stay in anonymity, so there wen't be published any contact to him. (cube)
Q: how do the viruses spread, what kind of OS feature (or vulnerability) do they misuse to spread
A: a lot of answers really. win9x viruses often use ring-0 code to spread. a normal program is not supposed to enter ring-0 mode, but windows 9x has very little protection and viruses can enter ring-0 in 10 lines of code. once in ring-0, they hook API calls such as the once responsible for opening files for example. other types of viruses, such as true win32 compadible once simply search for files using the windows API. once found they can use a number of ways to infect the file. usually the last section is either extended or a new section is created at the end of the file.
Q: can you tell a few tricks for a virii coding from 'your virii building kitchen'
A: some little known tricks that i have used recently might be for example:
- EPO, or Entry Point Obsifucation - Usually when a file gets infected, the entry EIP gets modified to point to the viral code, or a jump get's placed at the start of the file to jump to the virus. EPO is way to mask that. my last virus would scan the soon to be infected file for a CALL statement, and maybe or maybe not skip it. keep doing that until it finds a random call in the program that than get's patched to point to the viral code. the virus would restore the original call. end result is, the virus get's executed during program execution instead of always at the start. sometimes it might not even execute at all, which can be good because it avoids detection.
- ring-0 - I'm not sure how known it is, but it's quite easy to switch a win9x system to ring-0 mode. in this mode you have complete access to everything. no more memory protection, port protection, etc. this can be done via a number of ways, including for example VxDCall backdoor and CallGates. threads - i'm currently working on a multi-thread/multi-fiber virus. i hope this will somehow evade heuristic/emulator scanners. Crypto - and of course there are a number of ways to mutate your code. simple XOR encrytion, polymorphism, and metamorphism to name the most common. currently i'm trying to create a virus that makes use of some the things i know about AI. maybe a genetic algorithm based one?
Q: how would you compare the major operating systems (NT, Win 9x, Unixes) in terms of being vulnerable to the kind of viruses you're coding on a scale from 1-5, 1 being a 5 year old kid draging a sack of gold, 5 being fort knox:
A: - NT - 5, simply put, its easy to infect. no ring-0 virus will work, but runtime infection can be just as successful. need i mention Code Red?
- 9x - 6, there's too many ways to list the possible ways to infect a win9x box. from outlook express exploits to Excel exploits. ring-0, ring-3, everything works. in addition, millions of windows users pirate or download some other software of the net that has a potential virus in it
- *Nix - 1, it's easy to infect it provided that root runs the virus. userlevel security does not allow a virus to roam around the system like in nt and 9x. in addition, almost noone downloads software from a uknown source. sure there are viruses out for *nix, but you wont get em unless you download them specifically, and they wont infect you unless you're stupid enough to run them as root.
Q: what's your opinion on fairness of building and spreading virii
A: from the view of virus creator I don't have a problem with it (as you would expect). to me its more of a game. i try to stay one step ahead of the user, or more specificaly, the AV software the user is using. sooner or later my virus will get busted anyway, so i just gotta keep comming up with new techniques. also, in my opinion destructive payloads are absolutly ****ing lame. they annoy people, give the real virus coders a bad reputation, and ruin a otherwise potentially well done virus. they alert the user and possibly destroy the virus while they're at it.
Q: oh also a question about where to start (tutorial tips, websites links) to get a basic knowledge about virii coding
A: the net is full of excellent tutorials. i would suggest you check out coderz.net and go from there. they host a ton of great sites, which link you to even more. in addition you might want to check out these:
of course this is opinionated, especially the rating on the 1-5 scale. mabeythats why he wanted to maintain anonymity.
but he does offer usefull info.
My only fear in death is comming back reincarnated.
\"Would I ever sh*t you?\"
\"Of course not you are my favorite turd.\"--E5C4P3