SkyOut brings attention to the main problems of the virus underground and summarizes the presentation’s key points with regard to the state of the VX scene.
Connection between VX and AV
So what connection do we have between VX and AV: VX – virus exchangers, and AV – antivirus companies?
It’s a fight, it’s always a fight. VXers are coding viruses, and the AV are trying to beat those viruses. What else?
It’s an observation; it’s like VXers are observing the AV companies, looking at what they’re doing, and AV companies are blogging about the VX scene. For example, F-Secure have a very interesting blog where they really write a lot about the VX scene.
– Infiltration
But the most interesting thing is infiltration. There are really AVs who are trying to infiltrate the whole VX scene, and they’ve had some success. For example, Peter Ferrie is known for such things, or other people from Kaspersky – very nice company, really likes us. And they go into the channels, I just named a few, pretend to be VXers and try to find out the real names of the people sitting around there and just get them into prison. That’s the worst case – if an AV company tries to simply beat the scene and destroy it.
What is the best case in the connection between VXers and AVs? The best case is when a VXer writes a virus, just a simple virus for Windows, whatever, and sends it to the AV company. The AV company can now analyze the virus, of course. They analyze the virus, can make a string for it for their database, and can save and secure their customers. And then they put a description on the page, and this is like a trophy for the VXer.
So, we have three little steps: the VXer writes a virus and sends it to the AV, the AV analyzes it and puts the description on the homepage, and the VXer has a trophy – it’s good for everyone. The VXer has a trophy, the AV can secure the customers. That would be the best case, but as we have seen, we have a worse case – destroying the scene.
– .NET Languages
Well, first of all, as I said, .NET languages are getting more and more popular: C# .NET, VB .NET, and whatever else .NET. They are really interesting for cross-platform malware and, as I said, cross-platform malware is the trend at the moment.
– Windows Languages
Windows languages are still the languages in the scene. Many people start writing viruses in Batch or Visual Basic – it’s simple, it’s easy, it’s good to start.
– Scripting Languages
Scripting languages, like PHP, Perl, Python, Ruby, whatever, are very nice, and the interesting thing, or the difficult thing, is that if you write a virus in a scripting language, you always have the binary and the source code in one. So it’s hard to only show the source code; the binary is there as well.
And, of course, we have the HLLs, like C – a very good example of an HLL, a high-level language. I love C a lot; many people code in C and C++ nowadays.
But the best, or the most respected thing you can do is code your virus in Assembler, and that’s what 29A, the group I talked about a bit earlier, code their viruses in. It’s the most difficult language nowadays.
Problems of the Scene
So, what problems in the scene do we have nowadays?
We have one big problem, one of many problems, and that problem is the size. There are really not many VXers out there. You can say we have about 50, maybe a bit more, maybe a bit fewer, active VXers, so we really need new VXers, so please, write viruses. We need new people. That’s a problem, because if somebody leaves, it’s really difficult.
– Continuous Change
And that’s the next problem – we have a continuous change. I talked about the hobbyists: they come and go, they code a virus once and go away. So, this continuous change really makes it difficult for the scene to stay alive, because groups die, groups come, groups die.
– Decentralization
Decentralization – that’s interesting. What is decentralization? Well, I mean every group tries to do its own thing instead of working together. For example, the EOF project brought out its own forum, 29A brought out a forum, other groups make their own e-zines. No group can do an e-zine by itself, yet they don’t work together. This has changed now. EOF, DoomRiderz and rRlf are doing an e-zine together, which is really great, because now things will hopefully get better and VXers will work more together. But it’s still a problem that VXers don’t work that much together. At least, it’s been a problem in the last years.
– Based on Few Hosters
And it’s based on a few hosters. I talked about vx.netlux.org, a very important VX hoster, located in Ukraine, I think. And just imagine this hoster were shut down – many sites would go down as well. So, we have maybe about 2-3 important hosters that have hosted hundreds of viruses and source codes, which are really interesting, for the last 20 years, and if they went down, it would be a disaster.
Social Engineering and VX
So, the relation between social engineering and VX.
It’s mostly used for worms. Social engineering is very important if you are a criminal or if you’re a VXer who just wants to show it’s possible to code a very good worm. Imagine you’re writing an email and it must look interesting. The text must be trustworthy so that people will click on the attachment. So, social engineering is very important for VXers, because they must know how to write their worms, for example how to make a worm that spreads over P2P: the file name must be interesting, and similar things. And, of course, VXers need social engineering to stay careful and to analyze everybody in the channel, because in many countries it is illegal to code viruses, so VXers are very careful and they need social engineering to secure themselves.
Now, the conclusion of all this. What I wanted to show here was, first of all, an example of some groups who made this. You learned a bit about the different groups that we’ve seen, you learned a bit about the spreading techniques, which was very important. So, we had a mixture of technology, spreading techniques and similar things; and you got some internal information, for example the IRC channels where you can look now, where you can get information, or you can look for the Badbunny worm, or whatever.
But what I really wanted to show you, what should be clear: for VXers, coding viruses is a way of expressing themselves and it’s a way of creating art. VXers are not coding viruses to harm anyone or any system – at least, most VXers. And most VXers are whitehats, it’s like 95%. So never forget the ideology of most people in this little scene is peaceful. So, the next time you hear about a good virus that is spreading, don’t think everybody is the same. There are people who code viruses as a way of hacking, as a way of writing code in a special way. Thanks!
Read previous: VX – The Virus Underground 3: VXers’ Communication Channels