VX – The Virus Underground

3
106

The German VXer and social engineer Marcell Dietl, aka SkyOut, gives a presentation at 24C3 conference organized by Chaos Computer Club (CCC) to describe the different groups of virus coders and shed light on how they are affecting the VX scene.

Ok, what shall this speech be about? Well, it shall be an introduction and overview about the whole virus scene. You will be introduced to some of the groups, some of the techniques and key woks, views in our scene, and you will learn about our ideology, that’s very important for me. You shall understand why we code viruses and why it is not our aim to harm somebody. So let’s start here with VX, the virus underground.

About me

Marcell Dietl Ok, so first of all some facts about me. My real name is Marcell Dietl, introduced as SkyOut and better known on the Internet with this name. I’m 18 years old actually, and I come from the nice city of Wiesbaden, which is in the middle of Germany.

The last two months I’ve been working for MK Mediaconcept in Wiesbaden, which is a little web design company, but starting February I will work for Daimler Technology Services and Solutions as a penetration tester in Ulm. Well, what else to say about me? I’m gothic, I’m a social engineer, and I’m an autodidact. And there are 3 major things: ‘cecurity’, cigarettes, and coffee. So, I’m addicted to CCC, of course.

The term VX

Ok, the term VX – what does it mean actually? Well, VX, of course, C11H26NO2PS – no, that’s not what we are talking about; it’s not chemistry here. VX means Virus eXchange, or in our case it means virus coding. So, originally, the term was meant for people who exchanged viruses, who sent them to each other. But nowadays most people use VX as a synonym for virus coding.

So, today we will talk about virus coding and virus coding techniques. So, VXers are the people coding or exchanging viruses, and they form groups to do this with other people, and we call those groups: the VX groups. Simple, isn’t it?

VX Groups

So, what groups do we have in the scene nowadays?

– 29A

Well, first of all we have 29A, which you can find under www.29a.net. It’s a very famous group and it has brought out many assembler viruses within the last years. It has a forum at the moment where they publish viruses, but it seems a bit like they are dying nowadays. But they have created ezines, and what an ezine is we will talk about later, don’t worry. By the way, 29A is a hex code of 666, which is quite interesting.

– rRlf

So what’s next? rRlf – stands for Ready Rangers Liberation Front. It is a German crew founded by Fire Toast and other guys 7 years ago. It has brought out about 7 or 8 E-Zines; very interesting stuff in it, check it out at www.rrlf.de.vu.

– DoomRiderz

What other groups do we have? DoomRiderz, written with Z, of course (www.doomriderz.co.nr). DoomRiderz is an American team originally founded in America by a guy named St. Flash and others, and it’s now being led by Wargame from Southern Italy. What is interesting about DoomRiderz in particular? Well, in America writing viruses is illegal, but still, they do it. They want to show that they fight for their ideology; they demonstrate to the American law: even if you make us criminals, we won’t give up our hobby.

– Purgatory

Then we have Purgatory. Purgatory is an Iranian team, which you can find on www.purgatory.net.tf.

– F-13 Labs

F-13 Labs, www.F13-labs.net: similarly to 29A labs, F-13 Labs is built out of international VXers and has quite interesting stuff on their homepage. This is just to introduce you to some groups and so you get some internal information.

– EOF

EOF, www.eof-project.net, is my favorite one, because I founded it. It was founded by Radiation and me in 2006, and we brought out our fist ezine in 2007, and it’s one of the most active groups nowadays. It has a forum, which you should really check out if you’re interested in virus coding, because there are many interesting things to learn.

– NE365

Last but not least – NE365, www.vxer.cn, which is the whole VXers of China. Also, in China it is not easy to code viruses, so they are really like the underground.

The ideology behind it

Ok, so, the ideology behind it – what I told you about: we want to learn something about ideology. So, what people do we have in the scene?

– Criminals

First of all, of course, we have the criminals. They are coding viruses to harm somebody, to build botnets, to make DDoS attacks or whatever. Well, but those people are not the VXers, or at least not the VXers that I call VXers. We won’t look at criminals.

– Hobbyists

What else? Hobbyists. Hobbyists are quite interesting: they come and go. A hobbyist is someone who likes coding for many years, normally, and he wants to explore something new, and so he codes a virus. And then he’s happy and goes away. Those people don’t occupy much of the scene.

– Ideologists

What’s more important is ideologists. What is an ideologist? An ideologist is somebody who really codes viruses because it’s his ideology, he loves coding viruses and the mysterious things about coding. Those people are very important for the scene because they keep it alive.

– Whitehats

And very interesting, I like to compare the VX underground with the hacker underground, because we have whitehats and blackhats. So, what is a whitehat in the VX scene? A whitehat is somebody who does code viruses, like a hacker codes, for example, hacker tools or whatever. But he does not do this to harm somebody; he does not spread binary versions of his virus. He just codes it, exchanges the source code to conduct knowledge exchange, but never ever spreads a virus.

– Blackhats

In comparison to this, we have the blackhats who really spread viruses and often are in prison now. Yes, it’s true; most of them are in prison.

History, Present and Future

Let’s look at history, present and future of the scene.

– History

Ok, how was it in history? Well, the first worms came out on floppy disks. It was really simple: you had a floppy disk infected with a virus, you gave it to your friend, you friend inserted it into his PC – and boom, he got infected. Those were simple ones. Then the Windows OS became more and more popular, and more and more worms targeted Windows. So, the really interesting worms like Sasser, Netsky, or whatever are made for Windows. So, that was the history, simple viruses spread by floppy disks, including first worms for Windows, and mainframes as well.

– Present

Now, the present is quite interesting. What do we have at the moment? We have a rather criminal scene: we have botnets that get built up, lots of spyware and adware, and we have more viruses for Unix and Linux-based systems; of course, more viruses in scripting languages, more cross-platform. But what I want to say when I say we have many criminals: never forget we are talking about the VX scene which is not criminals.

– Future

And what will the future be like? Interesting question. Actually, my crystal ball got broken today, but I guess I saw something like Bluetooth malware and mobile device malware in it. There’s an interesting article in hacking magazine about Bluetooth malware, and I guess this will be the future: mobile device malware. I could be wrong, but I’m guessing.

Cross-Platform Malware

So, let’s talk a bit about cross-platform malware, because it’s a common trend at the moment.

– Macroviruses

First of all, how can we achieve cross-platform malware? Well, we have macroviruses, for example. What is a macrovirus? First of all, let’s ask: what is macro? Let’s imagine we have an Office suite like OpenOffice or MS Office that runs on many systems; for example, OpenOffice runs on Unix, Linux, Mac OS X and Windows. MS office even runs on Mac. So, a macro is like a little automatic routine that gets executed when the document is opened and there’s no other security, like forbidding macros to run.

So, a macrovirus does nothing but execute itself when the document gets opened; and the interesting thing about it is: for example, when you are on Linux, you can find out with a macro if you’re on Linux; so you can write a dropper especially for Linux. If you’re on Mac OS X, you can write a dropper for Mac OS X.

Badbunny - the infamous OpenOffice worm
Badbunny – the infamous OpenOffice worm

Some of you may ask what a dropper is. A dropper is nothing but a simple program that gets dropped into a file and gets executed. On Windows, for example, you could drop a Bash script that kills or formats the HDD; on Linux you can write a Python script that gets dropped and spreads over X-chat or whatever; and on Mac OS X you could write a Ruby dropper, for example. And just to say it was done, there was an OpenOffice worm called Badbunny, and if you want to find out something about it, just search for Badbunny OpenOffice worm in Google and you will find some interesting stuff.

– .NET (Mono)

I won’t say that much about .Net and Mono, but it’s a common trend to use .NET at the moment. Many people like to code in C#, code in Mono and run on .NET and Mono, and therefore it runs mostly on every system. There’s a good presentation by Paul Sebastian Ziegler delivered at BlackHat conference in Las Vegas, called “Cross-platform malware within the .NET framework”. It shows perfectly how malware could spread over the .NET framework, because it runs on every system.

– Scripting Languages

Ok, scripting languages are interesting. I love scripting languages, actually. A scripting language has an interpreter. Those interpreters mostly run on many systems: Python runs on Unix, Linux, Mac, Windows. So, if you code a virus in a scripting language, you can easily execute it on different systems.

– LowLevel Languages

LowLevel languages are the most difficult ones. You could write a virus in Assembler, for example, that changes its behavior within the system. So, if it is on Linux, it acts differently than when it is on Windows. This is the most difficult one to code: a low level cross-platform virus. A good example is Winux, which is a combination of Windows and Linux. This was a very good example of how to code a virus for different systems and really hit the news.

Spreading techniques

Now we’ll talk a little bit about spreading. What spreading techniques do we actually have?

– Floppy Disks

So, floppy disks, I mean, many people use floppy disks, don’t they? No, it’s not up-to-date, but there are still viruses really going by floppy disks.

Infected CD/DVD can cause trouble
Infected CD/DVD can cause trouble

– CDs/DVDs

So, what’s more interesting is CDs and DVDs; you have to create an auto start function in system like Windows XP, we all know it and it’s so good to use it: just write an auto start virus that copies on a CD, make an auto start for this .exe file, insert it – and boom, the virus gets executed. Very nice, thanks so much to Windows for helping us, VXers.

– USB Drives

What else? USB drives. USB drives are cool. USB drives are actually like CDs and DVDs – they have auto start functions and it’s like the same with CDs – we code a virus, we check if there’s a USB inserted, we copy on it, and we spread it. But those techniques have one big disadvantage: they all need somebody who puts a stick or a CD or whatever in, so it is not really automated.

– P2P Networks

So, let’s look at some automated techniques. P2P networks – they are really great, not only for sharing porn, but also for spreading viruses. You have normally a program like Share-Zo or DC++ or whatever with a normal folder where you can put all your stuff that you want to share, and, well, the virus does nothing but copy itself at this place, and it gets shared. And you give it a great name, like ‘Windows Vista crack’, and people will really load it and it works.

– Sharehosters

What else? We have sharehosters. How can we imagine spreading a virus by sharehoster? So, sharehoster is something like RapidShare, so imagine a virus you uploaded to Rapidshare; you make some advertisement in forums and blogs, and people click on the file, download it and execute it. That’s a way to spread a virus, and it really works.

– Email

Email – the standard way to spread a virus. I think I don’t have to say much about email, we all know it, there are many examples of source code out there – how to spread a virus by email, and the Storm Worm uses this technique, by the way.

– Bluetooth

Bluetooth – there are some interesting articles about Bluetooth malware, and I bet it will be the technique in the future.

Virus infecting mIRC users
Virus infecting mIRC users

– IRC

IRC, well, that’s cool. IRC is very interesting and there are many viruses out there that spread, for example, by XChat on Linux or by mIRC on Windows, or XChat on Mac OS X works as well. And it’s very simple: you code a bot that waits in the room, and when a new person changed you DCC him and say: “Hey, I have a file, would you like to have it?” And you send it to him; he looks at the file – and that’s it, he is infected with your virus. ICQ, MSN – just like IRC: messages are sent out to all contacts in the contacts list.

– Network Shares

Network shares, that is interesting. If you’re on a LAN and you have network shares that you can write on, you can just put your virus on to the network share, and if people are stupid enough to click on it, they will get infected.

– Warez

Example of a virus landing
Fake browser update leads to infamous rvzr-a.akamaihd.net virus

Warez, of course. So, also be careful with warez; they are often infected with viruses. It’s logical because people code those warez and they don’t get money for it, so they make their money by coding viruses as well and putting them into warez.

– Exploits

What I really like is exploits. Exploits are very great for spreading. There have been big worm spreads in the last years that used exploits, for example, for servers, like the SQL server of Microsoft or similar. So, exploits are really great for coding viruses, but they are mostly used by criminals and not by the whitehats, what we call the VXers.

Types of Payloads

So, what types of payloads do we have? First of all, what’s a payload? A payload is everything else but reproduction. Reproduction is the normal thing that a virus does, and a payload is like the rest: could be closing all windows, could be changing the start page of IE or whatever.

– Conspicuous

What is a conspicuous payload? Well, I define a conspicuous payload as a payload that really wants to make the user realize that they got infected. Could be a message box telling you: “Hey, you got infected by virus XY”, that is really conspicuous.

Some payloads are a challenge to spot
Some payloads are a challenge to spot

– Inconspicuous

More interesting are inconspicuous viruses, and most criminals do inconspicuous payloads. For example, the projects by Joanna Rutkowska had very interesting examples of inconspicuous payloads, because the viruses put the whole OS into a virtual machine which is not recognized by the user, so it’s totally inconspicuous.

– Poly- and metamorphic

Poly- and metamorphic viruses are very interesting. They change the way they act every time. So you code this virus and you can’t be sure how it will act 25 reproductions later. They are really, like, the big ones.

– Anti-Debugging

Anti-debugging techniques are very interesting too. I wrote a virus; it was released in EOF magazine number 1 – remember EOF-project.net – that shows how to do anti-debugging, and you can write routines for your virus that check if they are debugged. So, this can be a payload as well.

Types of Malware

Ok, we’ve talked a bit about viruses, worms, Trojans, whatever, but I haven’t defined those yet. So, let’s define them now: what types of malware do we have?

– Virus

Well, first of all we have a virus. What is a virus? A virus is a program that starts within an affected host file and reproduce itself to other files.

– Worm

A worm is like a virus, but it spreads externally: over the Internet, over the LAN, whatnot.

– Trojan Horse

A Trojan horse is a program that simulates a normal program – could be simulating a game or whatever, but it silently executes evil code.

– Hoax

And we have a hoax – this is just a joke virus.

Ways of Communication

Ok, ways of communication. Now that we’ve talked about viruses, shall we come back to the VXers proper. So, how do they communicate with each other?

– File Servers

Well, first of all – VXers communicate over file servers. There are great file servers out there, and if you read my article on hacking, you can find a link to a file server. A good file hoster is vx.netlux.org. It has many viruses, source code, and binary viruses as well, and this is the way VXers communicate, the way they conduct knowledge exchange.

– Websites

Websites, of course; every good VXer has his own website where he shows his stuff, his source code.

– Emails

Emails are mostly used if a VXer plans a new project and they want to make it silently, they don’t want the public to realize it, so they are writing emails to each other. Same with ICQ, MSN,
Yahoo.

– IRC

So, something interesting now: IRC. IRC is the medium for XVers to communicate, and because of this I wrote down some good channels for you, which you can find in irc.undernet.org. First of all, EOF-Project channel, VXers channel, Virus, VX-Lab, and Vir. There you will find mostly every VXer in the world. But just a tip: don’t go there and spam – you will be kicked out. VXers are careful with strangers, so it would be better if you code a virus, show it to them and then they would trust you more.

– !SILC

VXers are not using SILC. Actually, I would suggest them to use SILC because it’s more secure; they still love IRC and they will always use it, I guess.

– E-Zines

E-zines are the most important platform for VXers to communicate with each other. What is an e-zine? E-zine stands for electronic magazine. Imagine an e-zine like a little folder which has different subfolders full of sources and tutorials and articles, and mostly you have an index.html file that links to every special source and article that is in the e-zine. So it’s like a really little pdf or whatever, and it comes out mostly once a year by one group.

Connection between VX and AV

So what connection do we have between VX and AV: VX – virus exchangers, and AV – antivirus companies?

– Fight

It’s a fight, it’s always a fight. VXers are coding viruses, and the AV are trying to beat those viruses. What else?

– Observation

It’s an observation; it’s like VXers are observing the AV companies, looking at what they’re doing, and AV companies are blogging about the VX scene. For example, F-Secure have a very interesting blog where they really write a lot about the VX scene.

-Infiltration

Some AVs try to put VXers in jail
Some AVs try to put VXers in jail

But the most interesting thing is infiltration. There are really AVs who are trying to infiltrate the whole VX scene, and they’ve had some success. For example, Peter Ferrie is known for such things, or other people from Kaspersky – very nice company, really likes us. And they go into the channels – I just named a few, pretend to be VXers and try to find out real names of the people sitting around there and just get them into prison. That’s the worst case – if an AV company tries to simply beat the scene and destroy it.

What is the best case in the connection between VXers and AVs? The best case is when a VXer writes a virus, just a simple virus for Windows, whatever, and sends it to the AV company. The AV company can now analyze the virus, of course. They analyze the virus, can make a string for it for their database and can save and secure the customers. And then they put a description on the page, and this is like a trophy for the VXer.

So, we have 3 little steps: the VXer writes a virus, sends it to the AV, the AV analyzes it, puts the description on the homepage, and the VXer has a trophy – it’s good for everyone. The VXer has a trophy, the AV can secure the customers. That would be the best case, but as we have seen, we have a worse case – destroying the scene.

Languages Used

– .NET Languages

Well, first of all, as I said, .NET languages are getting more and more popular: C# .NET, VB .NET, and what else .NET. They are really interesting for cross-platform malware and, as I said, cross-platform malware is the trend at the moment.

– Windows Languages

Windows languages are still the languages in the scene. Many people start writing viruses in Batch or Visual Basic – it’s simple, it’s easy, it’s good to start.

– Scripting Languages

Scripting languages, like PHP, Perl, Python, Ruby, whatever, are very nice, and the interesting thing, or the difficult thing is if you write a virus in a scripting language, you always have the binary and the source code in one. So it’s hard to only show the source code, there’s the binary as well.

– HLLs

And, of course, we have the HLLs, like C – a very good example of HLL, the high level language. I love C a lot; many people code in C and C++ nowadays.

– Assembler

But the best, or the most respected thing you can do is code your virus in Assembler, and that’s what 29A, the group I talked about a bit earlier, code their viruses in. It’s the most difficult language nowadays.

Problems of the Scene

So, what problems in the scene do we have nowadays?

– Size

We have one big problem, one of many problems, and that problem is the size. There are really not many VXers out there. You can say we have about 50, maybe a bit more, maybe a bit fewer active VXers, so we really need new VXers, so please, write viruses. We need new people. That’s a problem, because if somebody leaves, it’s really difficult.

– Continuous Change

And that’s the next problem – we have a continuous change. I talked about the hobbyists: they come and go, they code a virus once and go away. So, this continuous change really makes it difficult for the scene to stay alive, because groups die, groups come, groups die.

– Decentralization

Decentralization – that’s interesting. What is decentralization? Well, I mean every group tries to do its own thing instead of working together. For example, EOF project brought out its own forum, 29A brought out a forum, other groups make their e-zines. No group can do an e-zine for themselves, but they don’t work together. This has changed now. EOF, DoomRiderz and rRlf are doing an e-zine together, which is really great, because now things will hopefully get better and VXers will work more together. But it’s still a problem that VXers don’t work that much together. At least, it’s been a problem in the last years.

– Based on Few Hosters

And it’s based on a few hosters. I talked about vx.netlux.org, a very important VX hoster, located in Ukraine, I think. And just imagine this hoster would be shut down – many sites would go down as well. So, we have maybe about 2-3 important hosters that have hosted hundreds of viruses and source codes, which are really interesting, for the last 20 years, and if they would go down, it would be a disaster.

Social Engineering and VX

So, the relation between social engineering and VX.

– Worms

It’s mostly used for worms. Social engineering is very important if you are a criminal or if you’re a VXer who just wants to show it’s possible to code a very good worm. Imagine you’re writing an email and it must look interesting. The text must be trustworthy so that people would click on the attachment. So, social engineering is very important for VXers, because they must know how to write their worms, for example how to make a worm that spreads over P2P; the file name must be interesting, and similar things. And, of course, VXers need social engineering to stay careful and to analyze everybody in the channel, because in many countries it is illegal to code viruses, so VX-ers are very careful and they need social engineering to secure themselves.

CONCLUSION

Now, conclusion of all this. What I wanted to show here was, first of all, an example of some groups, who made this. You learned a bit about the different groups that we’ve seen, you learned a bit about the spreading techniques, which was very important. So, we had a mixture of technology, spreading techniques and similar things; and you got some internal information, for example the IRC channels where you can look now, where you can get information or you can look for Badbunny worm, or whatever.

But what I really wanted to show you, what should be clear: for VXers, coding viruses is a way of expressing themselves and it’s a way of creating art. VXers are not coding viruses to harm anyone or any system – at least, most VXers. And most VXers are whitehats, it’s like 95%. So never forget the ideology of most people in this little scene is peaceful. So, the next time you hear about a good virus that is spreading, don’t think everybody is the same. There are people who code viruses as a way of hacking, as a way of writing code in a special way. Thanks!

QUESTIONS?

Ok, we have a lot of time, so we can have a little discussion if you want.

– So, first question would be: in the beginning and the end you told us what you were going to talk about, which is, why coding viruses isn’t a bad thing, at least not necessarily. But the whole talk wasn’t about this. So I still don’t know… if you code, if you’re a hacker or something in this particular view of writing viruses, I understand that writing proper, writing good, writing elegant code shows some kind of skill, which is control of the language on a hopefully high level. But first thing I don’t get is what is the equivalent for social engineering, I mean, what skills do you show to manipulate people, to trick people, to kind of misuse the web of trust in our day-by-day interactions with a person. What are the skills you prove when you do social engineering for, like, spreading viruses?

– Well, you mean, what is the skill of doing social engineering? Well, isn’t social engineering a skill? I mean, you can use social engineering for coding viruses; your virus gets better when you’re better at social engineering.

– I’m not asking what’s the use of social engineering; I mean, what is the benefit, what personal capability do you prove when you do social engineering, besides tricking people?

– I think you prove that you understand how people think and act. Maybe I should say what I imply when I say ‘social engineering’. Social engineering is understanding how people think and act, and making yourself react to those things.

– Ok, got this one. Second one will be about your best case scenario for the interaction of writing viruses and the antivirus companies. Your best case scenario was: you write a virus, send it to the company, and the company spreads the patches and signatures to its customers. Isn’t this basically like protection money earning? Basically it means that everyone who can afford protection gets it, and the people writing viruses profit from it, and the company profits from it; but all the people not paying money for it suffer the consequences, which you put into the terms of stupidity. Of course, a lot of people have stupid behavior with computers, but those people maybe pay money too, and they don’t suffer the consequences. Are you sure this is the best case scenario?

– Don’t you think it’s the best case scenario, or what?

– Depends on whether you can afford the updates.

– More questions?

– Hello. At the beginning of your speech you mentioned that the VXers don’t want to spread viruses and you don’t even make binaries of them. So, the question is: why do you have troubles, if what you said is true, with the antivirus companies?

When in the wrong hands, virus source code can be harmful
When in the wrong hands, virus source code can be harmful

– Well, I would say it’s very simple to make a binary virus out of source code, so many AV companies think: “Hey, they show their source code and many people can just take this source code and make a binary virus.”

And that’s the problem: we, the VXers, just code a virus to show the source code and to conduct knowledge exchange; we don’t want to harm anybody. But there are those criminals who can really take our source code, put it in their viruses and spread it. It often happened in the past: like, if a great idea occurred to a VXer – how to spread a virus, he never wanted to spread it; but then a criminal took this idea, coded it into his own virus and started spreading it. So, what the AVs don’t like about us is that we show new ways to spread viruses, and thus we make their life harder: we show techniques how to hide your virus from the AV program – they really don’t like this. They don’t want to have people who show how to hide a virus. They don’t want to have people who show new techniques.

Of course, for us it means making security better. It’s like with hacking: when you show a new vulnerability, you normally, as a whitehat, want to make the system more secure. It’s like a VXer: he shows a new way to spread a virus and wants to make the AVs react, but they don’t like this. They don’t want new problems all the time. Is this what you mean?

– This sounds like some hypocritical organized crime, because you help them by giving away your source code, they make money with viruses, because if they wouldn’t, they wouldn’t have any job, but still they attack some of you. Don’t you think this is, first of all, unfair?

– Well, it’s a bit similar to the question if we should release vulnerabilities, isn’t it? I mean, if we now make a relation to hacking, we have it quite similar: in VX world we have people who write a new virus and show the source code, and others can take it to really spread it. In hacking you have found a vulnerability in whatever, e.g. Apache web server, and now it is the question: whether you really release this vulnerability and then people could take it, of course, to attack an Apache web server, or you don’t release this vulnerability.

Now here’s the question: you for yourself must be sure if you want to make it full disclosure, or not. And most VXers are for full disclosure, so they think: “By showing those viruses we make security better, and, of course, it’s fun.” Really, sometimes it’s simply just fun. They want to piss the AV off a bit and make their life harder, because the AV companies have done a lot to break us down, and so sometimes we just get angry and code viruses to make their life harder.

– I don’t think that antivirus companies are upset by you; I think, without people like you they wouldn’t exist. They depend on you.

– Yeah, that’s interesting, many people think so. Well, without us there would still be the criminals, of course, but the criminals might not find such techniques. Well, it depends; I think criminals can also find new techniques, new things to make viruses better, so I think it could work without us, but it’s more interesting with us. You make their life harder, they have something to do, you do some work – great!

– You mentioned hoaxes. You say you do viruses and you don’t want to harm anybody, but to prove that hoaxes work you need to send them out on the Internet. It does not really harm people, maybe, but it does piss off a lot of them. What do you have to say against this? It doesn’t really harm people, but pissing them off really does harm them, I guess.

– Well, hoaxes are very interesting. Actually, you could send them out, it does not harm the system, really, so it would be ok if there’s no data manipulation; I think it would also be legal, it could be legal in some way. But we normally don’t spread binary forms, and to be honest, most VXers just don’t code hoaxes. Hoaxes are mostly coded by some pupil or student who just wants to scare their neighbor a bit. So, I haven’t seen a hoax in the virus scene in the last years – from the important groups. Of course, there were hoaxes, but the important groups and their e-zines contained no hoaxes.

– So, how do you prove your social engineering skills if you don’t distribute your hoaxes?

– Ok, I see. For example, I wrote a virus, better call it a worm, that had different emails in its code, with different subjects and texts. And people saw: “Hey, if this virus would execute, it would send this, this, and this email.” So people saw I’ve got social engineering skills, my emails really look trustworthy, but I don’t have to send it to prove it. You know what I mean? If you look into the source code, you can see what the virus would do, but you don’t have to really do it.

– Yeah, but, technically, if you code a virus you can say: “Ok, you take advantage of the fault in the system.” In theory, you can say: “Ok, it will work.” In social engineering you can say: “Ok, I wrote this pseudo hoax or whatever.” But there’s no way to say if it will work or not.”

– Yes, you would have to spread it to really prove it, but we won’t do it. But you’re right: to really prove that it works, you would have to spread it and test it in real-world scenarios. But normally it should be enough to just say: “It could work, you know I wrote a hoax and it could work, but I won’t spread it.” I hope this answers your question a bit.

– Have you distributed binary viruses before?

– Never.

– You mentioned earlier that there’s an increasing number of Linux viruses. Can you go a bit into detail?

– Details about Linux viruses? Well, it’s like with Windows. Windows is very popular, so there are many viruses for Windows, of course. But Linux gets more and more popular, and there are many viruses coded for Linux. I’ll give you an example: I talked about scripting languages; scripting languages are very interesting in terms of viruses because they are run by an interpreter.

There was a nice example by one VXer who coded a PHP virus that ran on a web server and infected all the PHP files, and now if the user went to this web server, they got infected, this is an example of a new way to code a virus for Linux platform. And so, more and more people also try to target web servers and they are mostly running Unix and Linux, so it’s increasing.

Mac OS is becoming a growingly attractive target for cybercriminals
Mac OS is becoming a growingly attractive target for cybercriminals

And because of some drawbacks in the new Windows versions, more people switch to Mac OS X. I heard some statistics that 50%-60% think about switching to Mac OS X because of Windows, and you have Unix base in Mac OS X. So, writing viruses for Mac OS X would be like writing viruses for Unix-based systems. So, the more people use Linux and Unix, the more viruses they’ll have. At the moment you have, maybe, 100 viruses for Mac OS X, a few thousand for Linux, and hundreds of thousands, maybe millions, for Windows, but it gets more for Unix and Linux platforms, because more and more people are switching to those platforms.

– I have a quick comment regarding what you said – that there’s really only 50 of you in the scene. Say, I work for an antivirus company. What would it take for me to buy you all out? Because there’s 50 of you, right? And I’ll just pay you all to be my research staff, and that’s the end of the problem right there, and I have a stranglehold in the market. And you can worship me as you commercial god, sorry. It’s actually quite a valid question. What stops you guys from going into commercial business and setting up your own research shop, and actually selling on if you like the results of your own research, and keep it within a closed loop so that the techniques that you come up with don’t actually leak out into the criminal world? I’m a little surprised, if the numbers are so low, that there is no discussion or that you have not actually seriously discussed or considered this.


– Ok, just a comment and a question. I don’t think the world is black and white, like you said: 95% of good guys and 5% of bad guys. Maybe you have to include, I don’t know in which side, the information warfare? And maybe some of the people have the skill and the money. Maybe you have the skill and the money. But some of the other people have skill and no money, like in some emerging countries, I don’t want to mention them because there’s no need. And some of the people have the money and can buy that skill. So, when you need to eat, maybe you have no choice but to say: “Ok, I have morale and I won’t develop a virus for the bad things.” Or maybe you just have to get the money and you will develop the virus? So, maybe some people from emerging countries are doing this for survival? It’s not as simple as just the good guys and the bad guys. Anyway, that was a comment. And my question is: do you think there will be an increase in viruses for Mac? And will these viruses be compatible with iPhone?

– Oh, very interesting question. Well, actually, I think yes because, as I said, I guess in the future mobile device viruses will get more interesting, and the iPhone is a very interesting target for virus writers, because in the last months there have been found several vulnerabilities in Safari browser: they help execute shell code on the system, and I bet it will just be a matter of time before people code viruses that execute code precisely on the iPhone. And of course, as I said, 50%-60% consider switching to Mac; just only if 10% would really do it, this would be an enormous increase in Mac users. So, with increase in Mac users, viruses will increase as well. It’s just natural behavior.

– Hi, you mentioned that metamorphic and polymorphic viruses were very interesting, very exciting. Do the VXers use a lot of cryptography to randomly shuffle instructions and repack the code and that sort of thing?

– Many VXers use cryptography nowadays, and maybe as a good example I could mention ransomware. There was a great code by Wargame from Italy, I mentioned him earlier, he’s the leader of DoomRiderz team from America. And he coded great ransomware that enrypts all the files on the hard drive, sends an email to the person who got infected, and says: “If you want your files back, pay money.” He never executed it, he just showed it was possible. And there are many viruses nowadays in scripting languages, as well as normal languages that use simple cryptography or very advanced things. So, yes, VXers use it.

– Have you ever considered contacting the vendor before you contact the antivirus company, like Microsoft or OpenOffice.org?

– You mean if we should contact the vendor first? In the example of the Badbunny virus it was very interesting: we first contacted the AV company, who then informed the vendor, but the reaction from the OpenOffice team was quite disappointing. They just said: “Well, it’s not a real worm, it does not work, and if you’re stupid enough to click on a macro, it’s your fault.” And they really talked about it like it wouldn’t be a problem. So, we normally don’t contact the vendors because they don’t believe it could work. We contact the AV and they have the power to make a story out of it.

– What happens if somebody gets your code, makes a binary, and the BND is searching for you because the code is yours? What will happen? It’s illegal in Germany, I think.

– Well, it is still not illegal in Germany to code viruses in 2008. They wanted to make a law to really make virus coding illegal, but they haven’t made it, so I might get asked, maybe, if I had something to do with it, but normally they couldn’t make any problem to me. It’s still legal, really, in 2008.

PS:

Speaking at the Chaos Communication Congress, Marcell Dietl has decided to step out of the shadows of anonymity. He distanced himself from the hackers’ club later. After several months of practical training in the security department of the Daimler Group, he studied computer science at the University of Applied Sciences in Wiesbaden. His political ambitions led him to Pirate Party, where he met many like-minded people from the web world.

Marcell Dietl played himself in German documentary: Hacker (2010) depicting five hackers who walk different paths in life and have earned a reputation in the hacker scene. Their stories are often both curious and surprising. Marcell “Skyout” Dietl represents hackers of the present who create viruses or scan the Internet for security holes to the digital. But they have already come to the attention of the security services. How does it feel, the double life between hackers and security consultants?

3 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here