At the end of the Q&A part, SkyOut touches upon VXer’s attitude to hoaxes, cryptography, and the blurred line between the legal and illegal in their activity.
- You mentioned hoaxes. You say you do viruses and you don’t want to harm anybody, but to prove that hoaxes work you need to send them out on the Internet. It does not really harm people, maybe, but it does piss off a lot of them. What do you have to say against this? It doesn’t really harm people, but pissing them off really does harm them, I guess.
- Well, hoaxes are very interesting. Actually, you could send them out, it does not harm the system, really, so it would be ok if there’s no data manipulation; I think it would also be legal, it could be legal in some way. But we normally don’t spread binary forms, and to be honest, most VXers just don’t code hoaxes. Hoaxes are mostly coded by some pupil or student who just wants to scare their neighbor a bit. So, I haven’t seen a hoax in the virus scene in the last years – from the important groups. Of course, there were hoaxes, but the important groups and their e-zines contained no hoaxes.
- So, how do you prove your social engineering skills if you don’t distribute your hoaxes?
- Ok, I see. For example, I wrote a virus, better call it a worm, that had different emails in its code, with different subjects and texts. And people saw: “Hey, if this virus would execute, it would send this, this, and this email.” So people saw I’ve got social engineering skills, my emails really look trustworthy, but I don’t have to send it to prove it. You know what I mean? If you look into the source code, you can see what the virus would do, but you don’t have to really do it.
- Yeah, but, technically, if you code a virus you can say: “Ok, you take advantage of the fault in the system.” In theory, you can say: “Ok, it will work.” In social engineering you can say: “Ok, I wrote this pseudo hoax or whatever.” But there’s no way to say if it will work or not.”
- Yes, you would have to spread it to really prove it, but we won’t do it. But you’re right: to really prove that it works, you would have to spread it and test it in real-world scenarios. But normally it should be enough to just say: “It could work, you know I wrote a hoax and it could work, but I won’t spread it.” I hope this answers your question a bit.
- Have you distributed binary viruses before?
- You mentioned earlier that there’s an increasing number of Linux viruses. Can you go a bit into detail?
- Details about Linux viruses? Well, it’s like with Windows. Windows is very popular, so there are many viruses for Windows, of course. But Linux gets more and more popular, and there are many viruses coded for Linux. I’ll give you an example: I talked about scripting languages; scripting languages are very interesting in terms of viruses because they are run by an interpreter.
There was a nice example by one VXer who coded a PHP virus that ran on a web server and infected all the PHP files, and now if the user went to this web server, they got infected, this is an example of a new way to code a virus for Linux platform. And so, more and more people also try to target web servers and they are mostly running Unix and Linux, so it’s increasing.And because of some drawbacks in the new Windows versions, more people switch to Mac OS X. I heard some statistics that 50%-60% think about switching to Mac OS X because of Windows, and you have Unix base in Mac OS X. So, writing viruses for Mac OS X would be like writing viruses for Unix-based systems. So, the more people use Linux and Unix, the more viruses they’ll have. At the moment you have, maybe, 100 viruses for Mac OS X, a few thousand for Linux, and hundreds of thousands, maybe millions, for Windows, but it gets more for Unix and Linux platforms, because more and more people are switching to those platforms.
- I have a quick comment regarding what you said – that there’s really only 50 of you in the scene. Say, I work for an antivirus company. What would it take for me to buy you all out? Because there’s 50 of you, right? And I’ll just pay you all to be my research staff, and that’s the end of the problem right there, and I have a stranglehold in the market. And you can worship me as you commercial god, sorry. It’s actually quite a valid question. What stops you guys from going into commercial business and setting up your own research shop, and actually selling on if you like the results of your own research, and keep it within a closed loop so that the techniques that you come up with don’t actually leak out into the criminal world? I’m a little surprised, if the numbers are so low, that there is no discussion or that you have not actually seriously discussed or considered this.
- Ok, just a comment and a question. I don’t think the world is black and white, like you said: 95% of good guys and 5% of bad guys. Maybe you have to include, I don’t know in which side, the information warfare? And maybe some of the people have the skill and the money. Maybe you have the skill and the money. But some of the other people have skill and no money, like in some emerging countries, I don’t want to mention them because there’s no need. And some of the people have the money and can buy that skill. So, when you need to eat, maybe you have no choice but to say: “Ok, I have morale and I won’t develop a virus for the bad things.” Or maybe you just have to get the money and you will develop the virus? So, maybe some people from emerging countries are doing this for survival? It’s not as simple as just the good guys and the bad guys. Anyway, that was a comment. And my question is: do you think there will be an increase in viruses for Mac? And will these viruses be compatible with iPhone?
- Oh, very interesting question. Well, actually, I think yes because, as I said, I guess in the future mobile device viruses will get more interesting, and the iPhone is a very interesting target for virus writers, because in the last months there have been found several vulnerabilities in Safari browser: they help execute shell code on the system, and I bet it will just be a matter of time before people code viruses that execute code precisely on the iPhone. And of course, as I said, 50%-60% consider switching to Mac; just only if 10% would really do it, this would be an enormous increase in Mac users. So, with increase in Mac users, viruses will increase as well. It’s just natural behavior.
- Hi, you mentioned that metamorphic and polymorphic viruses were very interesting, very exciting. Do the VXers use a lot of cryptography to randomly shuffle instructions and repack the code and that sort of thing?
- Many VXers use cryptography nowadays, and maybe as a good example I could mention ransomware. There was a great code by Wargame from Italy, I mentioned him earlier, he’s the leader of DoomRiderz team from America. And he coded great ransomware that enrypts all the files on the hard drive, sends an email to the person who got infected, and says: “If you want your files back, pay money.” He never executed it, he just showed it was possible. And there are many viruses nowadays in scripting languages, as well as normal languages that use simple cryptography or very advanced things. So, yes, VXers use it.
- Have you ever considered contacting the vendor before you contact the antivirus company, like Microsoft or OpenOffice.org?
- You mean if we should contact the vendor first? In the example of the Badbunny virus it was very interesting: we first contacted the AV company, who then informed the vendor, but the reaction from the OpenOffice team was quite disappointing. They just said: “Well, it’s not a real worm, it does not work, and if you’re stupid enough to click on a macro, it’s your fault.” And they really talked about it like it wouldn’t be a problem. So, we normally don’t contact the vendors because they don’t believe it could work. We contact the AV and they have the power to make a story out of it.
- What happens if somebody gets your code, makes a binary, and the BND is searching for you because the code is yours? What will happen? It’s illegal in Germany, I think.
- Well, it is still not illegal in Germany to code viruses in 2008. They wanted to make a law to really make virus coding illegal, but they haven’t made it, so I might get asked, maybe, if I had something to do with it, but normally they couldn’t make any problem to me. It’s still legal, really, in 2008.
Speaking at the Chaos Communication Congress, Marcell Dietl has decided to step out of the shadows of anonymity. He distanced himself from the hackers’ club later. After several months of practical training in the security department of the Daimler Group, he studied computer science at the University of Applied Sciences in Wiesbaden. His political ambitions led him to Pirate Party, where he met many like-minded people from the web world.
Marcell Dietl played himself in German documentary: Hacker (2010) depicting five hackers who walk different paths in life and have earned a reputation in the hacker scene. Their stories are often both curious and surprising. Marcell “Skyout” Dietl represents hackers of the present who create viruses or scan the Internet for security holes to the digital. But they have already come to the attention of the security services. How does it feel, the double life between hackers and security consultants?