Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Microsoft

The World of Virus Writers 505

No_Weak_Heart writes "Looking for a little weekend reading? You might try the cover story from this week's NY Times Magazine. It's titled The Virus Underground, and it takes a look at the world of malware scripters, virus writers and worm designers."
This discussion has been archived. No new comments can be posted.

The World of Virus Writers

Comments Filter:
  • by RoadkillBunny ( 662203 ) <roadkillbunny@msn.com> on Friday February 06, 2004 @04:33PM (#8206497)
    Some one should write a virus that will allow us to read NY Times without a suscribtion.
  • by swordboy ( 472941 ) on Friday February 06, 2004 @04:33PM (#8206501) Journal
    Why do they have to be underground? Would it be so bad if they could have their own magazine and perhaps some clubs/organizations?
  • Sheesh (Score:4, Funny)

    by apoplectic ( 711437 ) on Friday February 06, 2004 @04:34PM (#8206507)
    "The Virus Underground" sounds like a bad nightclub.
  • Losers (Score:5, Insightful)

    by BWJones ( 18351 ) * on Friday February 06, 2004 @04:34PM (#8206514) Homepage Journal
    it takes a look at the world of malware scripters, virus writers and worm designers.

    I guess my initial reaction was fsck 'em. Fsck 'em all. However, it could be suggested that they have made corporations and governments aware of many intrinsic insecurities in certain popular operating systems which may have prevented some larger potential catastrophe. The problem for these guys, is that we will never know and they will continue to be reviled and hated as losers. (That is unless they are talented enough to score a job with Symantec, the NSA or some other organization dealing with comp. security.)

    • Re:Losers (Score:5, Insightful)

      by Rand Al'Thor ( 69937 ) <david.hollister@comcast.net> on Friday February 06, 2004 @04:36PM (#8206537)
      That may be a side effect in very few cases, but for the most part I think it's safe to say there is no redeeming factor to any virus or its author.
      • Re:Losers (Score:5, Insightful)

        by GoodNicsTken ( 688415 ) on Friday February 06, 2004 @05:14PM (#8207054)
        That's where I think your completely wrong. I'm actually surprised more of the /. crowd doesn't agree with the following viewpoint:

        Software flaws exist PERIOD. They always have and always will. What would you rather have:

        1. A small group of 100 or so people (Govenrment, individuals, organized crime, etc) with the ability to log into your machine, do whatever they want to with it (Set up a kiddie porn ring, steal your identity, etc.)

        2. A virus that exploits the flaw, disrupts computer networks forcing people to patch the flaw. (Many still don't, as Code Red is alive and well)

        I'm all for #2. The flaws exist. Without viruses, then people would NOT patch there systems. When somebody relases a virus, they are saying, hey there's a problem here that needs immediate attention or just about anyone can take over your computer. These guys should be rewarded not punished. IMO they are performing a service letting everyone know of a flaw they discovered, and providing incentive to correct the flaw.

        As computers become a bigger part of our everyday life, they are trusted more and more. I would be a lot more concerned in a world with no viruses, and computers that are generally considered "Secure." That puts the power to ruin someones life in the hands of a few.
        • Re:Losers (Score:5, Interesting)

          by rjelks ( 635588 ) on Friday February 06, 2004 @05:18PM (#8207097) Homepage
          That sounds a lot like Bill Gates argument on why Windows is the most secure operating system available. Not that I agree with Bill about windows, but you make a pretty good point. I don't see how something can be very secure without some real-world testing. Now if I could just get my coworkers to stop opening up every attatchment in their inboxes. :) -
        • Re:Losers (Score:3, Insightful)

          by Zeinfeld ( 263942 )
          1. A small group of 100 or so people (Govenrment, individuals, organized crime, etc) with the ability to log into your machine, do whatever they want to with it (Set up a kiddie porn ring, steal your identity, etc.)

          That is the sort of thing that black hat hackers tend to do anyway.

          If you read the article you will see that the major source of exploits is the full disclosure type security forums. I am not saying full disclosure is entirely bad, just that the people writing viruses and worms are not tellin

    • Re:Losers (Score:5, Insightful)

      by Dukael_Mikakis ( 686324 ) <andrewfoerster.gmail@com> on Friday February 06, 2004 @04:46PM (#8206678)
      It's true that virus writers are malevalent and don't have pure intentions when hacking their scripts and all, but in a general sense, where would our security be without virus writers?

      If you consider computer security like the human immune system, then perhaps it may be seen that these people (while malicious) allow security to keep up with that hacks that can be done. If you kept a person in a bubble for twenty years and then promptly released him into the dirty, disease-ridden world he'd likely get sick and potentially die pretty quickly, as his body has no capacity to survive the world. However, with immunizations (i.e. intentional delivery of malicious agents in small doses, possibly on some schedule) and just general exposure to the germs in the world, most people have no problem surviving this world. Yes, MyDoom, and Trojans, and all the other viruses are more than nuisances and they cost people time, money, data, and other things, but these are in relatively small doses. If we had been in a bubble free of viruses for all this time, then whenever we're released into the "real world", anybody could take advantage of all these exploits (open sockets, DDoS, back doors, etc.) at once and perhaps bring the whole infrastructure down.

      It's the fact that virus writers are always developing viruses and releasing them that allows us to fix these problems individually, on a manageable time-scale. If they wanted to do some damage, maybe they should withhold all their viruses and unleash them all at once to cripple everything so much more.
      • Re:Losers (Score:5, Insightful)

        by BWJones ( 18351 ) * on Friday February 06, 2004 @04:53PM (#8206779) Homepage Journal
        If you consider computer security like the human immune system, then perhaps it may be seen that these people (while malicious) allow security to keep up with that hacks that can be done.

        If you make the biological systems analogy, you will also have to acknowledge that a diverse operating system ecosystem is critical to the health and well being of things, especially as the Internet becomes more widely available. We need Linux, IRIX, Solaris, Windows, OS X and embedded OS's to maintain the health of things.

        • Re:Losers (Score:5, Funny)

          by Josuah ( 26407 ) on Friday February 06, 2004 @07:05PM (#8208142) Homepage
          If you make the biological systems analogy, you will also have to acknowledge that a diverse operating system ecosystem is critical to the health and well being of things, especially as the Internet becomes more widely available. We need Linux, IRIX, Solaris, Windows, OS X and embedded OS's to maintain the health of things.

          What we really need is for Linux, IRIX, Solaris, Windows, OS X, and embedded OS's to start fornicating with each other like crazy, "go forth and multiply", and let the best children survive, while leaving the weak to die. So, open up all your ports, send massive amounts of data between the systems, and fire your sysadmins.
    • Re:Losers (Score:5, Interesting)

      by nautical9 ( 469723 ) on Friday February 06, 2004 @04:51PM (#8206738) Homepage
      What confounds me is that there hasn't been a major virus with a real nasty payload, say a virus that spreads like MyDoom, but after sending itself out to all the email contacts found, it proceeds to nuke the drive by writing random junk through it all (preventing any way of recovering the data).

      All the major email-bourne worms we've seen to date have had very benign (IMO) payloads, typically a minor DDoS and/or backdoor. These have caused extra load on the Net, and could cause more spam or the harvesting of CC's, but their damage could be far, far worse.

      Of course, a lot of script-kiddies use these viruses as bragging-rights (I 0wn 6421 zombie machines), so it's perhaps against their interests to do true damage, but it won't be long until someone does. And then the typical media figure of $X billions just may be legit, as I suspect the people who get infected are the same ones who never backup their systems.

      • Re:Losers (Score:4, Insightful)

        by BWJones ( 18351 ) * on Friday February 06, 2004 @04:56PM (#8206819) Homepage Journal
        What confounds me is that there hasn't been a major virus with a real nasty payload, say a virus that spreads like MyDoom, but after sending itself out to all the email contacts found, it proceeds to nuke the drive by writing random junk through it all (preventing any way of recovering the data).

        Like really virulent biological virii, computer virii that work this way will limit the extent to which they can spread......unless of course.......they work out slightly more sophisticated methods of damage, or they delay the damage for a period of time before "expressing" themselves.

      • Re:Losers (Score:4, Insightful)

        by IthnkImParanoid ( 410494 ) on Friday February 06, 2004 @05:27PM (#8207211)
        If the virus nukes the drive, the DDoS and/or backdoor is suddenly no longer effective. Computer viruses, unlike the biological kind, have a goal in mind in addition to mindless reproduction. If the point is to open a backdoor to allow spammers to use it, why kill off your host?
      • blaster (Score:3, Interesting)

        by clarkie.mg ( 216696 )
        The most nasty virus/worm in the recent years was blaster which would reboot a winXP after a minute of connecting the net. That needed action.

        Most other virus, besides propagating, doesn't do anything so the infected victims doesn't need to erase it from their windows.

        Considering the speed of mydoom propagation, the next time we'll have a nasty virus/worm, we'll have some fun !
      • Re:Losers (Score:5, Insightful)

        by radish ( 98371 ) on Friday February 06, 2004 @07:00PM (#8208105) Homepage
        They did, back in the old days. I'm thinking of the bootsector viruses, and exe-infectors. These frequently had payloads to format c: on Davinci's birthday or some such thing. The thing is, now most "infections" aren't from true viruses, but trojans or worms. They also usually have a purpose, which is often backdooring a box to use it as a spamrelay or something. So kill the box, you kill the reason for writing the worm in the first place. In fact, not only that, but if you do anything which looks interesting, you increase your chances of getting discovered, and removed. The best worms get in, stay quiet, and attempt to spread. I like to think of them less as viruses and more as parasites - organisms which depend on their host for their own existence, and so have it in their best interest to preserve it not kill it.
  • NYTimes? (Score:2, Troll)

    by selfabuse ( 681350 )
    As this is slashdot, I haven't read the article, however, I find it very hard to believe that a mainstream news outlet would really describe this accurately. I mean, look at how bad the press tends to botch up tech stories on things that aren't "underground". Why would I trust that they know about things that aren't common knowledge, when they can't even get stories on simple tech issues correct?
  • Reporters.. (Score:5, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Friday February 06, 2004 @04:35PM (#8206517) Homepage Journal

    Whenever I read of a new virus or hear of one on the radio, I wish they'd start to hammer home the fact that 99.99% (wild number I pulled from my arse) of these affect Windows machines only. The ignorant masses just assume that viruses and worms are a way of life, they don't know that it's a way of life only if you use a certain OS.

    • Re:Reporters.. (Score:5, Informative)

      by chef_raekwon ( 411401 ) on Friday February 06, 2004 @04:38PM (#8206563) Homepage
      im a bit of a zealot myself - but in fairness to other OS', not particularly MS--if one was used as much as Windows is, I could be sure there would be many more viruses than currently exist, for say, Linux, currently.

      Not the extent that exist for Windows, however.
      • Re:Reporters.. (Score:5, Insightful)

        by npsimons ( 32752 ) on Friday February 06, 2004 @07:17PM (#8208233) Homepage Journal
        if one was used as much as Windows is, I could be sure there would be many more viruses than currently exist, for say, Linux, currently.

        That, sir, is a fallacy. There is no hard evidence to support that claim, and there probably never will be. As a counterpoint, however, consider how many web servers run Linux and Apache versus how many run Windows and IIS. Then consider how many worms and security holes there are for those respective platforms.
    • Re:Reporters.. (Score:2, Insightful)

      by 1gkn1ght ( 742286 )
      The problem is, how many people actually know that there is something out there other than a Mac and Windows? Once that word gets out, and more and more programs run on Linux, BSD, or another platform, people will start to notice that they can get away from the malware and the BSOD.
      • Lots. (Score:4, Informative)

        by bludstone ( 103539 ) on Friday February 06, 2004 @04:43PM (#8206628)
        After the IBM superbowl commercials? Id say several million.
      • Re:Reporters.. (Score:5, Insightful)

        by metlin ( 258108 ) on Friday February 06, 2004 @04:59PM (#8206862) Journal
        You're right, most of these are kids who have just learnt programming on Windows. I'll quote from the article --


        ''This guy,'' he proclaimed, ''is the best at Visual Basic.''

        In the virus underground, that's love. Visual Basic is a computer language popular among malware authors for its simplicity; Philet0ast3r has used it to create several of the two dozen viruses he's written.


        This is the problem - back when I was a kid, I used to mess around with things like TSRs and assembly code to create things that had virus like behaviour to scare the crap out of my teachers in school.

        These days, these kids just pick up an odd scripting language or two, or some easy language like VB and just do malicious code simply because its easy.

        This is not programming or 'crazy skills' - its sheer adoloscence being shown in another way.

        Instead, if they spent their time tinkering with the internals of a Linux Kernel or coding other cool stuff (like, Scene graphics programs, for instance!) it would be a much better use of their time and enthusiasm.
        • Re:Reporters.. (Score:3, Interesting)

          by Reziac ( 43301 )
          Kids who feel like "outsiders" don't WANT to tinker with useful stuff like the linux kernel. Their goal is more like a gradeschooler shouting "I'll show you!!" at a bigger kid who just gave them a shove. That usually means "I'll hurt you", not "I'll do something better than you can".

          I agree it's a sad waste of talent, but once someone goes down that path, I'm not sure I *want* their talent, as I can no longer trust them not to use it maliciously if they feel wronged.

    • Re:Reporters.. (Score:4, Insightful)

      by shamilton ( 619422 ) on Friday February 06, 2004 @04:59PM (#8206854)
      I have two Windows XP boxes which I use near continuously, and neither have ever had any sort of virus, trojan, worm, etc. One of those is completely without a firewall.

      Not that I'm any sort of Windows zealot -- my two windows boxes are eclipsed by a dozen or so BSDs between home, work, and server room, which seem to require far more frequent security maintainence.
      • Re:Reporters.. (Score:5, Informative)

        by Kenja ( 541830 ) on Friday February 06, 2004 @06:58PM (#8208085)
        "I have two Windows XP boxes which I use near continuously, and neither have ever had any sort of virus, trojan, worm, etc. One of those is completely without a firewall."

        Correction. They have no virus, trojan, worm, etc that you know of. And of course you would have no way of knowing because you dont run a firewall or antivirus. For all you know your sending out tons of email and infecting other systems. Do us all a favor, turn on the freakin firewall. It came free with the OS if your too cheap to buy a hardware solution.

    • You can quibble a little bit about details and terms, but Clive Thompson is a pretty good technical reporter, and he did a very through job on this story (as do the NYTimes magazine fact-checkers).
    • Re:Reporters.. (Score:5, Interesting)

      by Strudelkugel ( 594414 ) on Friday February 06, 2004 @05:57PM (#8207573)

      affect Windows machines only

      Well, MyDoom should be an eye-opener for you then. It proved (not that there should have been any doubt) that the problem of viruses is truly OS independent. Think about it: The virus shows up as a zip file which the user has to open. Then the user has to execute the payload. In other words, the social engineering was the key, not the OS. What's to prevent a Linux user running as *cough*Lindows*cough* root from being affected the same way? An Apple user? Nothing. Don't say they wouldn't be root, because a Windows box properly configured wouldn't have this problem, either. Now we are back to social engineering.

      Guess what, Linux has a reputation of being secure, so users will probably be given a false sense of security as well. Who knows, this might make home Linux desktops more vulnerable.

  • by tsunamifirestorm ( 729508 ) on Friday February 06, 2004 @04:35PM (#8206524) Homepage
    my theory that the most dangerous people are people who are bored.
  • Virus (Score:3, Interesting)

    by SirChris ( 676927 ) on Friday February 06, 2004 @04:35PM (#8206527) Journal
    I wonder if more code contests would stop the number of virus writers. How many virus writers are just people who can program, but want it know they are good. Maybe some other outlet of demonstrating their talent would prevent them from "needing" to demonstrate it another way, such as a virus.
  • Virus writers... (Score:5, Interesting)

    by NightWulf ( 672561 ) on Friday February 06, 2004 @04:37PM (#8206541)
    Are for the time being usually kids just looking for a little attention. They're the computer geek version of the guys who soup up cars, or join the varsity team. They believe that is the way for them to make their mark. The real worry is when you start having government funded virus writers. When someone from china or russia or the middle east are writing virus to shut down systems or create havok for the intent to kill, or bring down defenses for an invasion or terrorist act. Think about what could happen if there's a standoff in taiwan or such and the chinese figure out a way to infect the navy systems with a virus, leaving our fleet defenseless off chinese shores, etc.
    • The real worry is when you start having government funded virus writers. When someone from china or russia or the middle east are writing virus to shut down systems or create havok for the intent to kill, or bring down defenses for an invasion or terrorist act.

      They already exist. (The China army's information warfare department, among others, has already been the subject of slashdot articles.)

      Interestingly, Microsoft gave these guys access to their source code. They were trying to head off the move by
  • by jfdawes ( 254678 ) on Friday February 06, 2004 @04:38PM (#8206555)
    Like a lot of virus writers, this guy is a bored teenager ... 50 years ago he would have been out vandalising his school. In somewhere between 20 and 50 years he'll have access to nanotechnology.

    Format C: ? Overwrite every file? How about rebuild your washing machine so it suddenly appreciates the taste of "cat" and has the capability of acting out it's amorous feelings for your central heating.
  • by Anonymous Coward on Friday February 06, 2004 @04:38PM (#8206556)
    NYT Random Login Generator

    http://www.majcher.com/nytview.html
  • Article Text (Score:4, Informative)

    by Anonymous Coward on Friday February 06, 2004 @04:38PM (#8206557)
    The Virus Underground
    By CLIVE THOMPSON

    Published: February 8, 2004

    his is how easy it has become.

    Mario stubs out his cigarette and sits down at the desk in his bedroom. He pops into his laptop the CD of Iron Maiden's ''Number of the Beast,'' his latest favorite album. ''I really like it,'' he says. ''My girlfriend bought it for me.'' He gestures to the 15-year-old girl with straight dark hair lounging on his neatly made bed, and she throws back a shy smile. Mario, 16, is a secondary-school student in a small town in the foothills of southern Austria. (He didn't want me to use his last name.) His shiny shoulder-length hair covers half his face and his sleepy green eyes, making him look like a very young, languid Mick Jagger. On his wall he has an enormous poster of Anna Kournikova -- which, he admits sheepishly, his girlfriend is not thrilled about. Downstairs, his mother is cleaning up after dinner. She isn't thrilled these days, either. But what bothers her isn't Mario's poster. It's his hobby.

    When Mario is bored -- and out here in the countryside, surrounded by soaring snowcapped mountains and little else, he's bored a lot -- he likes to sit at his laptop and create computer viruses and worms. Online, he goes by the name Second Part to Hell, and he has written more than 150 examples of what computer experts call ''malware'': tiny programs that exist solely to self-replicate, infecting computers hooked up to the Internet. Sometimes these programs cause damage, and sometimes they don't. Mario says he prefers to create viruses that don't intentionally wreck data, because simple destruction is too easy. ''Anyone can rewrite a hard drive with one or two lines of code,'' he says. ''It makes no sense. It's really lame.'' Besides which, it's mean, he says, and he likes to be friendly.

    But still -- just to see if he could do it -- a year ago he created a rather dangerous tool: a program that autogenerates viruses. It's called a Batch Trojan Generator, and anyone can download it freely from Mario's Web site. With a few simple mouse clicks, you can use the tool to create your own malicious ''Trojan horse.'' Like its ancient namesake, a Trojan virus arrives in someone's e-mail looking like a gift, a JPEG picture or a video, for example, but actually bearing dangerous cargo.

    Mario starts up the tool to show me how it works. A little box appears on his laptop screen, politely asking me to name my Trojan. I call it the ''Clive'' virus. Then it asks me what I'd like the virus to do. Shall the Trojan Horse format drive C:? Yes, I click. Shall the Trojan Horse overwrite every file? Yes. It asks me if I'd like to have the virus activate the next time the computer is restarted, and I say yes again.

    Then it's done. The generator spits out the virus onto Mario's hard drive, a tiny 3k file. Mario's generator also displays a stern notice warning that spreading your creation is illegal. The generator, he says, is just for educational purposes, a way to help curious programmers learn how Trojans work.

    But of course I could ignore that advice. I could give this virus an enticing name, like ''britney--spears--wedding--clip.mpeg,'' to fool people into thinking it's a video. If I were to e-mail it to a victim, and if he clicked on it -- and didn't have up-to-date antivirus software, which many people don't -- then disaster would strike his computer. The virus would activate. It would quietly reach into the victim's Microsoft Windows operating system and insert new commands telling the computer to erase its own hard drive. The next time the victim started up his computer, the machine would find those new commands, assume they were part of the normal Windows operating system and guilelessly follow them. Poof: everything on his hard drive would vanish -- e-mail, pictures, documents, games.

    I've never contemplated writing a virus before. Even if I had, I wouldn't have known how to do it. But thanks to a teenager in Austria, it took me less than a minute to master the art.

    Mario drags the virus over to the trash bin on his computer's desktop and discards it. ''I don't think we should touch that,'' he says hastily.
    • Re:Article Text (Score:4, Insightful)

      by DR SoB ( 749180 ) on Friday February 06, 2004 @05:01PM (#8206887) Journal
      Thanks for posting the full article! So it's a BATCH FILE generator they are getting worked up about? LOL! Try running a search for "Virus Creation Laboratories" or "VCL", and you will see a tool that has been around since the EARLY 1990's that does a MUCH better job then a batch file creator. You can actually pick from a variety of languages and it will auto-generate the code. (is it really good to post this stuff on /. anyways? I shudder thinking of how many script kiddies are probably reading this!). A batch file Trojan, btw, is NOT a computer virus.
  • Best Quote (Score:5, Funny)

    by JohnGrahamCumming ( 684871 ) * <slashdot@ j g c . o rg> on Friday February 06, 2004 @04:38PM (#8206562) Homepage Journal
    (Philet0ast3r is an online handle; he didn't want me to use his name.)

    Really? I mean I could have sworn that Philet0ast3r was a real name. Are you sure he isn't the son of the l33t3st parents in Europe: C4ptainKaos and S3xyH3xy?

    John.
  • by Dave21212 ( 256924 ) <dav@spamcop.net> on Friday February 06, 2004 @04:38PM (#8206565) Homepage Journal

    I mean, seriously, once it hits the NYT magazine, it's not so much an underground item. I'm sure the article is interesting but it's the nature of underground "sports" that you can never really know exactly who and what is going on.

    One of my favorite phrases is, "There are no Famous Hackers" meaning simply, that the famous "super-genuius-crackers" in the news who get caught aren't really all that smart are they ?

    (I read it anyway, surprised to hear that one of my favorite bands [ironmaiden.com] is still popular ;)
  • It goes both sides (Score:5, Informative)

    by Geoffd1 ( 466931 ) on Friday February 06, 2004 @04:38PM (#8206566) Homepage
    I won't say where or whom, but there are some virus writers that work for major software corporations - not for writing AV software, but rather to put out viruses to punish software pirates. If Joe Blow stops worrying about viruses, after all, there's going to be a lot more 'liberated' software floating around.
  • by nil5 ( 538942 ) on Friday February 06, 2004 @04:41PM (#8206603) Homepage
    I would also recommend the title by the same author, "The Troll Underground", which highlights the life of the Slashdot troll
  • indeed (Score:5, Informative)

    by mix_master_mike ( 540678 ) on Friday February 06, 2004 @04:43PM (#8206634) Homepage
    Here's the kiddies website: http://www.geocities.com/spth666/main.htm [geocities.com]
  • Umnm (Score:5, Funny)

    by stratjakt ( 596332 ) on Friday February 06, 2004 @04:43PM (#8206635) Journal
    Then it asks me what I'd like the virus to do. Shall the Trojan Horse format drive C:? Yes, I click. Shall the Trojan Horse overwrite every file? Yes. It asks me if I'd like to have the virus activate the next time the computer is restarted, and I say yes again.

    Umm, once you answer yes to the first question, are the rest not redundant?

    • from the article: I've never contemplated writing a virus before. Even if I had, I wouldn't have known how to do it. But thanks to a teenager in Austria, it took me less than a minute to master the art.

      Now obviously, if he's a master of the art of computer viruses, there's a reason he chose to overwrite every file after formatting drive C:, right?
  • Master? (Score:5, Insightful)

    by sperling ( 524821 ) * on Friday February 06, 2004 @04:44PM (#8206642) Homepage
    But thanks to a teenager in Austria, it took me less than a minute to master the art.

    The author's obviously as clueless as any nontechie trying to explain or master anything technical. Such a trojan creator could be created in an hour by any competent programmer. The existing virus underground would fall over laughing if anyone dared claiming knowledge or skill after using or creating this tool.

  • by callipygian-showsyst ( 631222 ) on Friday February 06, 2004 @04:46PM (#8206680) Homepage
    This kid [nytimes.com] would make a great poster boy for birth control.
  • Metamorphic Viruses (Score:5, Interesting)

    by robyn217 ( 575679 ) on Friday February 06, 2004 @04:47PM (#8206683) Homepage
    What scares me most are metamorphic viruses -- a virus that modifies itself each time it infects a new host always attempting to avoid maintaining a constant signature. The modifications may take any or all of the following forms:
    1. Modification of the encryption/decryption algorithm (including multiple layers of encryption) - the decryption algorithm changes from infection-to-infection by basing itself on values that change from computer-to-computer (examples: size of HOSTS file, current time in milliseconds, etc.)
    2. Insertion of "junk code" into virus body or decryptor body - This is a common strategy by polymorphic viruses. It's usually accomplished by a "junk code engine" which has the ability to generate arbitrary amounts of meaningless blocks of code
      1. Noop or meaningless loops added to body of virus
      2. Entry-Point Obscuring (EPO) junk code - this is a special kind of "junk code" that specifically tries to hide the entry-point of the virus by insert loads of junk code at the beginning of an infected file.
      3. Code block permutations - random shifts of code blocks, sequential order is maintained by JMP and CALL commands.
      4. Register/Stack Variations - Use of varying registers, or even the ability to vary between register usage and storing data on the stack.

    (Older Examples: Mistfall Engine, ZMist virus.)

    When we start seeing more of these, AV companies will have a hard time keeping up.

    • When we start seeing more of these, AV companies will have a hard time keeping up. the fact that we do not see them, tells something about the relation between virus-witers and anti-virus writers...
    • Instant Worms. (Score:4, Interesting)

      by temojen ( 678985 ) on Friday February 06, 2004 @06:20PM (#8207777) Journal

      What scares me most is This Article [securityfocus.com]. Even understanding that one of the assumptions was that any two pairs of hosts communicate at the same rate, It's frightening.

      Theoretically wiping out 40 million hosts in under a minute....
      I'm guessing that a real-world implementation would probably take closer to 20 minutes, but still it's mighty frightening.

      Just about the only way I could see to stop it's spread would be to make smart routers, switches, and even hubs that quickly seal off any services on which there is a sudden surge of SYNs from random hosts.

    • by Vellmont ( 569020 ) on Friday February 06, 2004 @07:08PM (#8208165) Homepage
      Typical journalist with a little bit of knowledge gone too far. (If you truly do work for PC Magazine).

      Polymorphic/Metamorphic viruses have been around for 10 years at least, and the dumb journalists were just as scared then. I'm still waiting for the dire predictions to come true "when we start seeing more of these". As others have pointed out there's always part of the code that you can't mask, so there's always something to identify the virus with. I'm sure it takes a bit more work to identify the viruses, but the sky hasn't fallen yet.

      You should know better if your bio is true, being a grad student of computer science.. but then again grad student quality has dipped pretty low in recent years in CSCI. There's also the journalist taint factor to consider. I'm guessing the magazines/newspapers/TV networks must put lead in the watercooler.
  • Best Quote (Score:5, Funny)

    by glpierce ( 731733 ) on Friday February 06, 2004 @04:54PM (#8206788)
    "''This is a revenge worm,'' he explained -- for ''not hiring me, and hiring some loser that is not even half the programmer I am.''"

    Perhaps someone should tell him that personality counts.
  • by lambent ( 234167 ) on Friday February 06, 2004 @04:56PM (#8206820)
    I managed to read the first of 10(?!) pages before I decided it was just another alarmist (altho slitely journalistically poetic) piece of trash.

    They're trojans, not viruses. I haven't seen a respectable virus in like 5 years. Viruses are self replicating. Trojans require lusers to activate. (britney--spears--wedding--clip.mpeg, indeed). What pisses me off is this reporter's beliefe that all this terminology is synonymous (virus, trojan, worm).

    After reading the next few pages, i was surprised that the author bothered to extrapolate on the terminology "script-kiddie". (Nice job, Clive) But then he goes on about dreadlocks being the hairstyle of choice .... buh.

    After that it degenerates into political commentary.

    What the hell ever happened to ASM viruses? What happened to TINY?

    My favourite quote: "This guy is the best at Visual Basic". That's not a compliment, dude. That's like being the best at tying your shoelace.

    • I agree (Score:3, Insightful)

      by dsci ( 658278 )
      For the sheer intellectual challenge, Philet0ast3r replied, the fun of producing something ''really cool.'' For the top worm writers, the goal is to make something that's brand-new, never seen before. Replicating an existing virus is ''lame,'' the worst of all possible insults.

      and

      Philet0ast3r said he isn't interested in producing a network worm, but he said it wouldn't be hard if he wanted to do it. He would scour the Web sites where computer-security professionals report any new software vulnerabili
  • What gives. (Score:3, Funny)

    by dasMeanYogurt ( 627663 ) <texas.jake@gmai l . com> on Friday February 06, 2004 @05:05PM (#8206932) Homepage
    That guys just a lamer. All the major viruses released of late do nothing but spam or ddos evil coporations. What happened to the good ole day's when they really did format your hard drive? On a serious note, I doubt "underground" groups like this are responsible for today's major viruses. I would point the finger at dirty spammers for 99% of profilic recent virii.
  • by FrancisR ( 640455 ) on Friday February 06, 2004 @05:08PM (#8206972)
    Why is "Second Part to Hell" naked in the picture in the article?
  • by Awptimus Prime ( 695459 ) on Friday February 06, 2004 @05:08PM (#8206980)
    "Looking for a little weekend reading? You might try the cover story from this week's NY Times Magazine. It's titled The Virus Underground, and it takes a look at the world of malware scripters, virus writers and worm designers."

    It's not a "world". It's something someone does when they sit down at a desk. I really wish the things some geeks do would quit being portrayed with such silly words.

    Over-dramatized, to portray an image that is very rarely accurate. It's, most often, some boring person with a bone to pick with the system or a company. Yeah, so they used code instead of throwing a brick through a window. That doesn't make them any more interesting than a teenager bashing a mailbox.
  • by FreshFunk510 ( 526493 ) on Friday February 06, 2004 @05:21PM (#8207126)
    The method by which the virus is delivered is interesting. Quote:

    "These days, many elite writers do not spread their works at all. Instead, they ''publish'' them, posting their code on Web sites, often with detailed descriptions of how the program works."

    And, while there exists this "loophole" now, I find this disturbing. Now don't get me wrong. I grew up with Sneakers and I've always been a proponent of computer education and making the security flaws known.

    However, at some point if you're leaving material (whether tangible or electronic) out in public whose main purpose is crime and destruction I do think those people should be liable. I'll call it "hacking, in the 2nd degree" or "involuntary hacking".

    Let's take guns for example. Let's say a gun seller illegally sold guns to 12 year old children and also sold them bullets. Now let's say that the kids accidently shot each other up. Shouldn't the gun seller be liable? Maybe not liable for first-degree murder, but maybe second degree.

    I think that if the hackers want to educate others should perhaps do it in a more educational, and in a way that doesn't make it easy for script kids to copy and paste. Perhaps they can put out white papers with snipets of code... but, for the love of God, don't give the programs away. By doing that you have only yourself to blame with the script kiddies start spreading viruses like there's no tomorrow.

    To tell yourself that you're completely innocent would be denial.
    • And get some script kiddies in trouble, he'd just post the executable, and not tell anyone that it also emails authorities around the world information about the computer you run it from. While this may "brown-out" some servers as the article says, it would leave a nice trail to the luser who started the whole mess.
    • by That's Unpossible! ( 722232 ) * on Friday February 06, 2004 @08:00PM (#8208579)
      So someone takes my code I have put on my webpage and described as capable of virus activity, and that person spreads it, and now I am guilty of 2nd-degree something or another.

      So this means if I am a chemist, and I describe in detail how to create dynamite, and someone makes the dynamite and blows something up, I am 2nd-degree guilty for that as well?

      I believe ultimately that information should not be restricted in any way whatsoever, so I disagree with this idea completely.
  • The "Scene"? (Score:4, Insightful)

    by officepotato ( 723274 ) on Friday February 06, 2004 @05:26PM (#8207197) Homepage
    I have to wonder, when reading articles like this, how closely does the "scene" the article's author has discovered relate to the larger population in general. I've read a few articles that seem to be essentially interviews of some random, anonymous, highschooler, that supposedly represents the general population of computer-savvy evildoers.

    Are there actual, functioning, hacker groups, of a scale larger than Joe and his friends? It seems that the social attitude that accompanies black-hats (at least from the article that I'm questioning) doesn't lend itself to large organizations or control structures.

    On the other hand, it is kinda cool to imagine that there's a huge organized computer-crime secretly flourishing across the country. You could make a movie about that sorta thing, maybe call it "Hackers". Oh, wait...
  • Slashdot members? (Score:3, Interesting)

    by elbarrio ( 592330 ) on Friday February 06, 2004 @05:27PM (#8207207)
    Anyone else curious how many of the kids interviewed in this article are members of the slashdot community?
  • by JRHelgeson ( 576325 ) on Friday February 06, 2004 @05:28PM (#8207216) Homepage Journal
    This was a very poignant article [zone-h.org] - a pseudo interview that offers a unique commentary on the whole virus debate.
    ==================
    Why computer virus writers are useful and we should thank them.

    The title is obviously a provocation. I am considered a balanced personality but sometimes, I like to stretch things to the extreme and to provoke reactions. This article is one of my rare attempts to provoke you... or not? Today, after the alarm caused by the fast diffusion of the Sobig virus, we are all talking about the reasons why virus writers are coding more and more viruses.

    "They should stop, somebody stop them!" I hear all the time but... is this right?

    We try to answer to this question with an interview with Professor Samuel D. Forrester, one of the most famous immunologists in the world. Dr. Forrester is on the run this year to get the Nobel Prize for his recent discovery of the mechanisms of aggression of over-reacting immune cells and antibodies. He teaches at the Immunology faculty at the Konigsberg University since 1986.

    Zone-H: ZH

    Professor Samuel D. Forrester: SDF

    ZH: Thanks for having accepted to release an interview to Zone-H

    SDF: Thank you, even if it is quite unusual to be interviewed by a computer security website.

    ZH: Dr. Forrester, can you tell us what is the branch of the immunology?

    SDF: Immunology is the study of the complex and sophisticated immune system. The immune system is a network of cells and organs that work together to defend the body against attacks by "foreign" invaders or germs. The body provides an excellent environment for germs. When they do break into a system, it is the immune system's job to keep them out or to seek and destroy them.

    ZH: What is the job of the immunologist?

    SDF: Clinical immunologists research new tests and treatments involving allergic and immunologic disorders of the immune system. They work with physicians in general practice and in hospital-based specialties to treat diseases using complex and sophisticated clinical techniques. The science of clinical immunology is a fast developing area of the medical profession. The role of the immunologist is increasingly important, both in laboratory work and in patient care.

    ZH: Have you heard about the recent Sobig-F virus deployment?

    SDF: Yes, I read something on the newspapers. Even if computer science is not my science, the topic of the computer viruses is obviously of my interest. See, many aspects of the traditional immunology and the computer viruses are in common.

    ZH: And this is the reason why Zone-H wanted this interview.... Dr. Forrester, what do you think about computer viruses, what do you know about them?

    SDF: Computer viruses are exactly like the normal viruses. They can kill you if your immune system doesn't work, but at the same time, your body should thank them if your immune system is today capable to protect you from deadly illnesses.

    ZH: Can you please develop the concept?

    SDF: It's simple: every time you get a cold, you sneeze. But you could die, actually. The only reason why you don't die is because your immune system has been programmed to react to the "threat" posed by a germ. It's a paradox, but it's the same germ that could kill you that trained your immune system to react when invaded.

    ZH: And what makes the difference? How is it possible that a germ can kill you and the same germ can train your immune system making you stronger?

    SDF: It's just a matter of doses. Like with wine, one glass every day makes your heart stronger and lowers your blood pressure, one bottle every day can kill you. This is the concept on which vaccines are based.

    ZH: We understand that. Can we stretch the concept saying that a constant flow of germs, if received in the proper dose, makes the body actually stronger?

    SDF: Absolutely. If hypothetically we could take two n

  • by SoSueMe ( 263478 ) on Friday February 06, 2004 @05:31PM (#8207249)
    A tall blond friend in a jacket festooned with anti-Nike logos put his arm around Philet0ast3r and beamed.
    ''This guy,'' he proclaimed, ''is the best at Visual Basic.''


    That's the first time the New York Times made beer come out of my nose!
  • Weekend?? (Score:5, Funny)

    by belgar ( 254293 ) on Friday February 06, 2004 @05:42PM (#8207409) Homepage
    Looking for a little weekend reading?

    Why waste my weekend, when I can get paid to read it now?
  • by zeekiorage ( 545864 ) on Friday February 06, 2004 @05:49PM (#8207489)

    These days I think the virus writers are just people who assemble a virus by collecting scripts and code from the Internet. Also the viruses they come up with do very little or no actual damage to the host system, instead they just "Propagate". If you are infected, delete a few files, remove a couple of registry entries and thats it. It has been a long time since I saw a virus with some real payload.

    Virus writers used to be much more creative back in the DOS days [simplythebest.net]. If you are somewhat older you might remember Stoned, Die-Hard, Natas, One-half, etc. Each had its nasty little payload, stealth techniques and difficult to disinfect.

  • by Mandomania ( 151423 ) <mondo@mando.org> on Friday February 06, 2004 @05:50PM (#8207509) Homepage
    Until someone loses some real big money because of a virus or trojan.

    Yeah, yeah, there are "estimated" costs of every virus that comes out. And they're not small potatoes.

    But just wait until a virus comes out that silently infects machines, travels slowly enough to be barely noticed and only does one thing: randomly change values in an Excel spreadsheet. Or randomly delete one column from a randomly picked sheet.

    It'll be Armageddon: dogs and cats living together, Detroit winning the World Series AND the Super Bowl, etc.

    --
    Mando
  • Warnings (Score:3, Informative)

    by sparklingfruit ( 736978 ) on Friday February 06, 2004 @06:02PM (#8207615)
    Yeah, just like the "The doument you are opening contains macros or
    customizations. Some macros may contain viruses that could harm your
    computer. [...]" warnings prevented Word macro viruses...

    A user naive enough to click on such a link does, in some important
    sense, _want_ to visit that page. Your suggested warning is just
    another thing that such users see as "getting in the way of doing what
    I want to do". Therefore, if implemented it would become more part of
    the problem than the solution (as users will become ever more familiar
    with ignoring "warnings" and clicking through them). If you understand
    users, you will know that in helping them to not shoot themselves in
    the feet, the only useful appraoch is to remove everything capable of
    firing the bullets (and quite a few things beside!)...

    On the Word macro virus front, things got notably better _NOT_ when MS
    implemented the above warning (that the users could blithely ignore and
    even _disable_ right there on the warning dialog -- what a travesty of
    mis-design that was!) but when it released a version of Word that
    defaulted to not running macros unless they were signed with an
    acceptable (as configured by the user/admin) key (there are legion
    flaws in the design of this feature, but it was strong enough to
    significantly impact the Word macro virus problem). In IE, removing
    support for this mis-feature (read RFC 2616) will have a much greater
    impact than trying to "direct" users who don't want to be directed with
    "warnings" and other stuff that "gets in their way".
  • Maybe... (Score:3, Funny)

    by dfj225 ( 587560 ) on Friday February 06, 2004 @06:13PM (#8207724) Homepage Journal
    Maybe Mario is just pissed because he has to live in the mountains of Austria without a shirt.
  • Naive (Score:5, Insightful)

    by hackrobat ( 467625 ) <`moc.liamg' `ta' `inahtej.hsinam'> on Friday February 06, 2004 @06:17PM (#8207755) Homepage
    The Slammer worm would find an unprotected SQL server, then would fire bursts of information at it, flooding the server's data ''buffer,'' like a cup filled to the brim with water. Once its buffer was full, the server could be tricked into sending out thousands of new copies of the worm to other servers.
    Normally, a server should not allow an outside agent to control it that way, but Microsoft had neglected to defend against such an attack. [emphasis added]

    It's funny. Which software company will deliberately, knowingly leave out holes in its software? "Microsoft had neglected..." Look, every program, small and big, has bugs. When you're talking of one of the leading database products in the market, you're talking of a very complex piece of software that's bound to have holes here and there. That statement is naive.

    Even Microsoft admits that there are flaws the company doesn't yet know about.

    Really? Which company knows of all the flaws in its software?

  • by Embedded Geek ( 532893 ) on Friday February 06, 2004 @06:25PM (#8207828) Homepage
    (Apologies in advance if I'm long winded)

    In the first part of the article, the author talks to the author of "Batch Trojan Generator" and creates an infected JPEG file, one that "would quietly reach into the victim's Microsoft Windows operating system and insert new commands telling the computer to erase its own hard drive" when clicked.

    To me, this implies that the JPEG is actually executable code. On the face of it, this is patently ridiculous. I started thinking about it, though, and relaized that the actual mechanism might simply be an exploit of a buffer overflow in the code that interprets the JPEG (not the JPEG itself, which is not executing). By having the JPEG reference something outside of the boudaries of the actual JPEG file, it might go out and stick malicious machine code in some piece of RAM where it later gets executed.

    Am I correct in this assumption about JPEG trojans, or does (unpatched) Windows go out and somehow execute a file ending in .JPG as if it were ending in .EXE? For that matter, if one embedded the JPG in an HTML mail message (or just stuck it on a web page) instead of attaching it, would it execute in the same manner and infect or is there a different JPEG engine at work (i.e. the one in IE or Outlook isn't vulnerable but the one in Microsoft Photo Editor, assigned by default to file type .JPG, is)?

    Thanks in advance...

    • I'm pretty sure, from the way others have posted on this article, and from the tech skills of the reporter, that it was a double-extension trojan, i.e. "file.jpg" was actually "file.jpg.bat" or whatever.

      Although this is most likely the virus that is created by this program, it is also possible to write a program thus [nai.com] that pretends to be a JPEG, with the way Windows handles extensions.
    • by sryx ( 34524 ) on Friday February 06, 2004 @07:18PM (#8208237) Homepage
      Windows (or any operating system) needs more than an extension to execute a file. In order for a program to self execute it needs it needs to be compiled for your operating environment. If you rename Something.exe to Something.jpg Windows will first look at the extension then send your jpg file to the associated viewer to be interpreted as jpg data (which it is not, and thus cause the jpg viewer to produce an error (if it is well written), or crash (if it is not). Now if you take a jpg file and rename it to an exe and double click on it. Windows will assume that the program is executable, and it will load the boot header (collection of bytes at the start of any executable that is produced when the program is compiled) and grant all requests that the boot header asks for (things like memory, address space, etc). If this process fails in any way (like, say, the boot header is complete garbage because it's really jpg data) then the operating system (if it is good) will produce an error, or (if it is bad) crash. So JPG's cannot double as executables nor the other way around. BUT...
      It is possible that embedded in the meta data of the JPG file (usually used for embedding the date the file was created and the camera used to take it) is some compiled machine code (it would have to be small and simple otherwise the size of the JPG file would disproportionate to the actual image) and IF the JPG viewer that some unlucky user had, contained some buffer overflow error, then it might be possible to load a simple program into RAM, then by virtue of the buffer overflow get it to execute and thus enabling a larger more complex program to run.
      However this error would only exist in that specific version of that specific software, so it's ability to spread would be limited. The danger is if the program that interprets that JPG file is system wide or part of Windows standard suite of applications. Then your audience is huge. This is what makes Windows such a dangerous platform for script viruses. Because they have chosen to make their IE engine the central rendering engine of all of their applications (and they have made it easy and powerful enough to entice just about every other application developer to use it as well). Further more they have given their IE engine so many abilities, like the ability to arbitrarily execute machine code (this is how by visiting Apple.com you can install QuickTime, because the web site can download a program on your computer and execute itself, true you need to approve it, but once you say yes every subsequent visit is automatic, they REALLY need to add a "Never trust This source" checkbox) This means if there is a single flaw in the IE engine then that flaw is exploitable across every windows workstation and every application that uses IE as a rendering engine. Now why Mozilla doesn't make an ActiveX Gekko engine with the same function names as the IE ActiveX module so users have a choice which rendering engine they want, is a mystery to me yeah it would be hard, but it's not like Microsoft could pull the rug out from under them, Microsoft is very invested in their API, any change they made to it would break all the 3rd party apps.

      -Jason
    • I don't know about JPG trojans, but way back in the olden days of file infectors and boot sector viruses, there was discussion of a potential exploit using the comment field in GIF files to hold malicious code. IIRC, it was essentially a buffer overflow that would get the GIF-viewing software to execute whatever was in the comment field. While this is indeed theoretically possible, it was never seen in the wild -- if only because there was no software that paid any attention to a GIF's comment field.

      Anothe
  • by Banjonardo ( 98327 ) on Friday February 06, 2004 @07:09PM (#8208171) Homepage
    Just to show how amazingly cool these guys are, here's an excerpt:

    A tall blond friend in a jacket festooned with anti-Nike logos put his arm around Philet0ast3r and beamed.


    ''This guy,'' he proclaimed, ''is the best at Visual Basic.''

    I.... am speechless.

  • by mccrew ( 62494 ) on Friday February 06, 2004 @07:45PM (#8208452)
    ...the more they stay the same. (Sorry about the double post, folks, I hit return instead of tab)

    Back in the 1992 timeframe, there was a Dark Avenger virus toolkit that allowed Skr1p7 KidDi3z to create "encrypted, polymorphic viruses". Check out then-InfoWorld columnist Steve Gibson's alarmist article [phreak.org] (scroll down to the part entitled "Article 2") It sounds kind of funny now:

    • "It is clear that the game is forever changed; the sophistication of the Mutation Engine is amazing and staggering. Simple pattern-matching virus scanners will still reliably detect the several thousand well-known viruses; however, these scanners are completely incapable of detecting any of the growing number of viruses now being cloaked by the Dark Avenger Mutation Engine."

    That was going to be the end of the world as we knew it. Now we have a VB script engine and the world is going to end. Or not.

  • Awful (Score:3, Informative)

    by skinney ( 395862 ) on Saturday February 07, 2004 @01:23AM (#8210132) Homepage
    I read 4 of the 10 dreadful pages of this article. I finally had to stop reading after many times, stopping and thinking how much information in this article is totally false. It wasn't a totally loss, I really did get a good laugh out of the parts taht wern't 100% dreadful. Everything about the "life" or "lifestyle of a virus writer and his 9 yearold friends" is maybe true for 1% of script kids who could even come in range of being concidered a "virus writer". This artice is a sorry excuse for what you call "decent research about the subject". All of us are dumber even having read it. *AGHHH!*

    So if you asked me, "In once sentance, what did you think of that article?" I'd reply, "A compete waste of bytes."

    -mod6

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Working...