VX – The Virus Underground

The German VXer and social engineer Marcell Dietl, aka SkyOut, gives a presentation at 24C3 conference organized by Chaos Computer Club (CCC) to describe the different groups of virus coders and shed light on how they are affecting the VX scene.

Ok, what shall this speech be about? Well, it shall be an introduction and overview about the whole virus scene. You will be introduced to some of the groups, some of the techniques and key woks, views in our scene, and you will learn about our ideology, that’s very important for me. You shall understand why we code viruses and why it is not our aim to harm somebody. So let’s start here with VX, the virus underground.

About me

Marcell Dietl Ok, so first of all some facts about me. My real name is Marcell Dietl, introduced as SkyOut and better known on the Internet with this name. I’m 18 years old actually, and I come from the nice city of Wiesbaden, which is in the middle of Germany.

The last two months I’ve been working for MK Mediaconcept in Wiesbaden, which is a little web design company, but starting February I will work for Daimler Technology Services and Solutions as a penetration tester in Ulm. Well, what else to say about me? I’m gothic, I’m a social engineer, and I’m an autodidact. And there are 3 major things: ‘cecurity’, cigarettes, and coffee. So, I’m addicted to CCC, of course.

The term VX

Ok, the term VX – what does it mean actually? Well, VX, of course, C11H26NO2PS – no, that’s not what we are talking about; it’s not chemistry here. VX means Virus eXchange, or in our case it means virus coding. So, originally, the term was meant for people who exchanged viruses, who sent them to each other. But nowadays most people use VX as a synonym for virus coding.

So, today we will talk about virus coding and virus coding techniques. So, VXers are the people coding or exchanging viruses, and they form groups to do this with other people, and we call those groups: the VX groups. Simple, isn’t it?

VX Groups

So, what groups do we have in the scene nowadays?

– 29A

Well, first of all we have 29A, which you can find under www.29a.net. It’s a very famous group and it has brought out many assembler viruses within the last years. It has a forum at the moment where they publish viruses, but it seems a bit like they are dying nowadays. But they have created ezines, and what an ezine is we will talk about later, don’t worry. By the way, 29A is a hex code of 666, which is quite interesting.

– rRlf

So what’s next? rRlf – stands for Ready Rangers Liberation Front. It is a German crew founded by Fire Toast and other guys 7 years ago. It has brought out about 7 or 8 E-Zines; very interesting stuff in it, check it out at www.rrlf.de.vu.

– DoomRiderz

What other groups do we have? DoomRiderz, written with Z, of course (www.doomriderz.co.nr). DoomRiderz is an American team originally founded in America by a guy named St. Flash and others, and it’s now being led by Wargame from Southern Italy. What is interesting about DoomRiderz in particular? Well, in America writing viruses is illegal, but still, they do it. They want to show that they fight for their ideology; they demonstrate to the American law: even if you make us criminals, we won’t give up our hobby.

– Purgatory

Then we have Purgatory. Purgatory is an Iranian team, which you can find on www.purgatory.net.tf.

– F-13 Labs

F-13 Labs, www.F13-labs.net: similarly to 29A labs, F-13 Labs is built out of international VXers and has quite interesting stuff on their homepage. This is just to introduce you to some groups and so you get some internal information.


EOF, www.eof-project.net, is my favorite one, because I founded it. It was founded by Radiation and me in 2006, and we brought out our fist ezine in 2007, and it’s one of the most active groups nowadays. It has a forum, which you should really check out if you’re interested in virus coding, because there are many interesting things to learn.

– NE365

Last but not least – NE365, www.vxer.cn, which is the whole VXers of China. Also, in China it is not easy to code viruses, so they are really like the underground.

The ideology behind it

Ok, so, the ideology behind it – what I told you about: we want to learn something about ideology. So, what people do we have in the scene?

– Criminals

First of all, of course, we have the criminals. They are coding viruses to harm somebody, to build botnets, to make DDoS attacks or whatever. Well, but those people are not the VXers, or at least not the VXers that I call VXers. We won’t look at criminals.

– Hobbyists

What else? Hobbyists. Hobbyists are quite interesting: they come and go. A hobbyist is someone who likes coding for many years, normally, and he wants to explore something new, and so he codes a virus. And then he’s happy and goes away. Those people don’t occupy much of the scene.

– Ideologists

What’s more important is ideologists. What is an ideologist? An ideologist is somebody who really codes viruses because it’s his ideology, he loves coding viruses and the mysterious things about coding. Those people are very important for the scene because they keep it alive.

– Whitehats

And very interesting, I like to compare the VX underground with the hacker underground, because we have whitehats and blackhats. So, what is a whitehat in the VX scene? A whitehat is somebody who does code viruses, like a hacker codes, for example, hacker tools or whatever. But he does not do this to harm somebody; he does not spread binary versions of his virus. He just codes it, exchanges the source code to conduct knowledge exchange, but never ever spreads a virus.

– Blackhats

In comparison to this, we have the blackhats who really spread viruses and often are in prison now. Yes, it’s true; most of them are in prison.

History, Present and Future

Let’s look at history, present and future of the scene.

– History

Ok, how was it in history? Well, the first worms came out on floppy disks. It was really simple: you had a floppy disk infected with a virus, you gave it to your friend, you friend inserted it into his PC – and boom, he got infected. Those were simple ones. Then the Windows OS became more and more popular, and more and more worms targeted Windows. So, the really interesting worms like Sasser, Netsky, or whatever are made for Windows. So, that was the history, simple viruses spread by floppy disks, including first worms for Windows, and mainframes as well.

– Present

Now, the present is quite interesting. What do we have at the moment? We have a rather criminal scene: we have botnets that get built up, lots of spyware and adware, and we have more viruses for Unix and Linux-based systems; of course, more viruses in scripting languages, more cross-platform. But what I want to say when I say we have many criminals: never forget we are talking about the VX scene which is not criminals.

– Future

And what will the future be like? Interesting question. Actually, my crystal ball got broken today, but I guess I saw something like Bluetooth malware and mobile device malware in it. There’s an interesting article in hacking magazine about Bluetooth malware, and I guess this will be the future: mobile device malware. I could be wrong, but I’m guessing.

Read next: VX – The Virus Underground 2: Cross-Platform Malware and Virus Spreading Techniques

Like This Article? Let Others Know!
Related Articles:


  1. Vikash Kumar Sinha says:


  2. CodeFolios says:

    Hello, great info. I want to post this to my blog. Is this possible?

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: