06.09.12

Serialization: VCL

Posted in Virus Creation Labs at 12:46 pm by George Smith

Now eighteen years old, The Virus Creation Labs, my only book, still serves as a slice of history. It’s time to serialize interesting parts of it with new annotation. Today malware creation is worlds away from 1994, when the most successful viruses needed to travel on diskettes and through digital trades on telephone lines to span the globe. This made the pace of mischief in cyberspace much slower.

However, many things have not changed. Promises and claims made then were as grandiose as those made now. Human nature, as it pertains to corrupted programming, hasn’t changed a bit. The way people look at trouble on computers and the interconnected world, and interpret both, hasn’t either.

So, in the beginning…


Introduction

The book probably wouldn’t exist without the great techno-white elephant of 1991-92, the Michelangelo computer virus. As I’ll get into, the Michelangelo affair was the apotheosis of Paul Fussell’s America: An immense accumulation of not terribly acute or attentive people beaten repeatedly over the head by the cudgel of poorly understood computer technology.

Fussell put it this way: “[Americans are] obliged to operate a uniquely complex technology, which, all other things being equal, always wins. No wonder error and embarrassment lurk everywhere, and no wonder cover-up and bragging have become the favored national style.”

The Michelangelo virus was real. But the nation’s PCs were not about to lose their datastores to it during the months leading up to March 6, 1992, its activation date. At least not in any noticeable way.

Most Americans seemed to figure this out instinctively — after the fact. Skeptics and some computer industry insiders certainly knew in February 1992 the virus would be a bust. But you would never have suspected as much from the panicked cries of software vendors and assorted experts in the computer press and mass media who predicted significant calamity on March 6. Predictably, error and embarrassment there were aplenty after the sixth when less successful anti-virus companies than the one founded by John McAfee turned on the software developer and blamed him for manufacturing the crisis. Bragging was in no short supply, either. USA Today’s technology reporter, John Schneidawind, insisted during an interview that “Everyone’s PC would have crashed” if the press hadn’t sounded the alarm in a timely manner.

Schneidawind attempted to cover himself in glory by comparing the Michelangelo virus threat to the BCCI bank scandal. He weirdly maintained that since the press took a hit for being asleep at the wheel for BCCI, it wasn’t going to happen again for the Michelangelo virus. All the foolishness was summed up by Carl Jensen, a journalism professor and media critic at Sonoma State in California who dubbed the Michelangelo virus one of the “junk food news stories” of 1992 in the annual Project Censored Report, “The News that Didn’t Make the News — And Why.”

The Michelangelo debacle ignited a keen interest in me to find out what, precisely, computer viruses were, how they worked, and better, who was writing them. It sent me down the trail to the edge of cyberspace in search of people, who, perhaps not surprisingly, turned out to be pretty much like most Americans, except with an order of magnitude greater interest in the inner workings of the desktop personal computer. Like most of us — there wasn’t a nobleman in the lot. And there were none among the ranks of the anti-virus software developers and security consultants who considered themselves the gatekeepers at a fantasy wall of their own construction, erected between the Wild West of cyberspace and the mannered, sterile environment of safe home and business computing.

The story of computer viruses is also a tale at the vaunted apex of the Age of Information, its denizens mythical outliers in the new land of Nod — the Information Superhighway, that country named by Vice President Al Gore and too many futurologists to mention.

However, this country isn’t much like the pretty pictures painted in the mainstream media, where ill-defined riches of information screaming for freedom reward the quick, the clever or the unorthodox mind armed merely with a telecommunications line and a computer. It is, instead, a country that defines the meaning of information glut — data, data everywhere but not a thought to think. It is a world where it’s clear that pushing packets of information from point A to point Z is of little benefit to anyone except those in position to place press releases as media stories-of-the-day. Those who think the United States is on the verge of creating a new utopia where the national product, currency and sole means of reward is data would do well to pay attention …

Like the on-line world today, the characters in The Virus Creation Labs have little real interest in the revitalization of democracy or any other high-minded ideals cited as benefits of electronic interconnectivity, unless you consider the mindless accumulation of binary data a socially invigorating development. More often you’ll find relentless hucksterism, witless gossip masquerading as reason, corrosive vulgarity, petty vendettas, dirty tricks and routine invasions of personal privacy. If The Virus Creation Labs is a new world, you’ll find it bears close resemblance to the old one, only events zip by faster and with more unpredictable ferocity.


A fragment from the code of Michelangelo virus.


[We now jump ahead to deep inside the book and a chapter on one virus writer who became famous for infecting the network of the US Secret Service. Today he would be in his mid-thirties.]



A Priest Deploys His Satanic Minions

Everyone knows the best virus writers hang out on secret bulletin board systems, the bedroom bohemias of the computer underground, right? Wrong. In mid-1992, a 16-year-old hacker from San Diego who called himself Little Loc signed on to the Prodigy on-line service for his virus information needs. The experience was not quite what he expected.

Prodigy [now long gone] had a reputation in 1992 as the on-line service for middle-class Americans who could stand mind-roasting amounts of retail advertising on their computer screens as long as they had relatively free access to an almost infinite number of public electronic mail forums devoted to callers’ hobbies. Since Prodigy’s pricing scheme was ridiculously cheap per hour, it was quite seductive for callers to spend an hour or two a night sifting through endless strings of messages just to engage in a little cyberspace chit-chat.

Into this living-room atmosphere stepped Little Loc looking for anyone to talk with about computer viruses, particularly his idea of properly written computer viruses. Little Loc, you see, had written a mutating virus which infected programs on a system dangerously quickly. If you were using anti-virus software that didn’t properly recognize the virus – and at the time it was written none did – the very process of looking for it on a machine would spread it to every possible program on a computer’s hard disk. While many viruses were trivial toys, the virus, called Satan Bug, was sophisticated enough to pose a real hazard.

The trouble was, Little Loc was dying to tell people about Satan Bug. But he had no one to talk to who would understand. That’s where Prodigy came in.

Prodigy, thought Little Loc, must have some hacker discussions, even if they were feeble, centered on viruses. It was a quaintly naive assumption.

The Satan Bug was named after a Seventies telemovie starring George Maharis, Anne Francis and a sinister Richard Basehart in a race to find a planet-sterilizing super virus stolen from a U.S. bio-warfare lab.

Little Loc had never actually seen the movie, but he’d run across the name in a copy of TV Guide and it sounded cool, so he used it for his digital creation. Satan Bug was the second virus he had electronically published. The first was named Fruitfly but it was a slow, tame infector so the hacker didn’t push it.

A bigger inspiration for Satan Bug was the work of the Dark Avenger, a shadowy Bulgarian virus programmer whom anti-virus software p.r. men and others had elevated to the stature of world’s greatest writer of malware. Little Loc was fascinated by the viruses attributed to Dark Avenger. The Dark Avenger obviously knew how real computer viruses should be written, thought Little Loc. None of his programs were like the silly crap that composed most of the malware stockpiled in the computer underground. For example, his Eddie virus – also known as Dark Avenger – had gained a reputation as a program to be reckoned with. It pushed fast infection to a fine art, using the very process anti-virus programs used to examine files as an opportunity to corrupt them with its presence.

If someone suspected they had a virus, scanned for it and Eddie was not detected but in operation, the anti-virus software would be subverted, spreading Eddie to every program on the disk in one sweep. Eddie would also mangle a tiny part of the machine’s operating system when it was in action. When this happened, the command processor, the operating shell program, would reload itself from the hard disk and promptly be infected, too.

This put the Eddie virus in total charge. From that point on, every sixteen infections, the virus would take a pot shot at a sector of the hard disk, obliterating a small piece of data. If the data were part of a never-used program, it could go unnoticed. So as long as the Eddie virus was in command, the user stood a good chance of having to deal with a slow, creeping corruption of his programs and data.

Little Loc was a good student of the Dark Avenger’s programming and although he was completely self-taught, he had more native ability than all of the other virus programmers in the more well-known hacking groups.

“[Virus writing] was something to do besides blasting furballs in Wing Commander,” he said blithely when asked about the origins of his career as a virtuoso virus writer.

Accordingly, the Satan Bug was just as fast an infector as Eddie and it, too, would immediately go after the command shell when launched into memory from an infected program. But Satan Bug was very cleverly encrypted, whereas Eddie was not, and it extended these encryption tricks so that it was cloaked in computer memory, a feature somewhat unusual in computer viruses but popularized by another program called The Whale which intrigued Little Loc.

The Whale was a German virus which – theoretically – was the most complex of all computer viruses. It was packed with code which was supposed to make it stealthy — invisible. It was armored with anti-debugging code and devilishly encrypted, designed purely to thwart analysis and flummox anti-virus software developers trying to examine it. They would often mention it as an example of a super stealth virus to mystified science and technology writers looking for good copy.

In practice, The Whale was what one might call anti-stealth.

Although it was all the things mentioned and more, when run on any machine, The Whale’s processes were so cumbersome the computer would slow to a crawl. Indeed, it was a clever fellow who could get The Whale to consent to infect even one program.

The Whale appeared to be purely an intellectual challenge for programmers. It was intended to mesmerize anti-virus software developers and suck them into spending hours analyzing it. It worked with Little Loc. He was drawn to it, poring over the disassembly of The Whale’s source code.

The hacker even made a version that wasn’t encrypted, pulling out the code which The Whale used to generate its score of mutant variations. It didn’t help. The Whale, even when disassembled, was loath to let go of its secrets and remained a slow, obstinate puzzle.

Have you gotten the idea that Prodigy callers might not be the perfect choice as an audience to appreciate Little Loc’s Satan Bug?

Nevertheless, Little Loc landed on Prodigy with a thud. He described the Satan Bug and invited anyone who was interested to pick up a copy of its source code at a bulletin board system where he’d stashed it. Immediately, the hacker got into a rhubarb with a Prodigy member named Henri Delger. Delger was, for want of a better description, the Prodigy network’s unpaid computer virus help desk manager. Every night, Delger would log on and look for the messages of users who had questions about computer viruses. If they just wanted general information, Delger would supply it. If they had some kind of computer glitch which they thought might be a virus, Delger would hold their hand in cyberspace until they calmed down, then tell them what to do. And, for the few who had computer virus infections, Delger would try to identify the virus and recommend software, usually McAfee Associates’ SCAN, which would remedy the problem.

Little Loc was annoyed by Delger, who he thought was merely a shill for McAfee Associates. Since Delger answered so many questions on Prodigy, he had a set of canned answers which he would employ to make the workload lighter. The canned answers tended to antagonize Little Loc and other younger callers who fancied themselves hackers, too. Prodigy’s liberal demo account policy allowed some of these young callers to get access to the network under bizarre assumed names like “Orion Rogue.” This allowed them to be rude and truculent, at least for a few days, to paying Prodigy customers. These techno-popinjays, of course, immediately sided with Little Loc, which didn’t do much for the virus programmer’s credibility.

There was often quite a bit of talk about viruses and Delger would patiently furnish much of the information, typing up brief summaries of virus effects embroidered with his own experiences analyzing viruses.

“You’re not a programmer!” Little Loc would storm at Delger.

If you weren’t a programmer, you couldn’t understand viruses, insisted the author of Satan Bug. Little Loc would correct minor technical errors Delger made when describing the programs. In retaliation, Delger would calmly point out the spelling mistakes made by Little Loc and his colleagues. It was quite a flame war. On one side was Little Loc, who gamely tried to get callers to appreciate the technical qualities of some viruses. On the other side was a bunch of middle-aged computer hobbyists who were convinced all virus writers were illiterate teenage nincompoops in need of serious jail time, or perhaps sound beatings.

The debates drew a big audience, including another hacker named Brian Oblivion, whose Waco, Texas, bulletin board, Caustic Contagion, would provide a brief haven for Satan Bug’s author. Little Loc, however, soon found other places that would accept his virus source code. A computer security chat board run by the Department of the Treasury, called the Security Branch system, was among them. Little Loc logged on and proffered Satan Bug. The Hell Pit – a huge virus exchange in a suburb of Chicago – had its phone number posted on Prodigy, as did one called Dark Coffin, a system in eastern Pennsylvania. Dutifully, Little Loc couriered his virus to these systems, too.

Satan Bug was a difficult virus to detect. Although in a pinch you could find Satan Bug because of a trick change it made to an infected program, you needed knowledge of what was beneath the hood on a PC to see it. For all intents and purposes Satan Bug was invisible to anti-virus scanners. And this invisibility persisted for a surprising amount of time despite the fact that Little Loc had supplied the Satan Bug to all the public virus exchanges patrolled by anti-virus industry men.

Little Loc stood apart from other virus programmers who seemed to have little interest in whether their creations made it into the public’s computers. The real travel of his virus around the world would grant him recognition like that of the Dark Avenger, he thought. So he wanted people to take Satan Bug and infect others, period.

Months later, after the virus had struck down the Secret Service network clear across the continent, I asked Little Loc how it might have gotten into the wild in large enough numbers so that it eventually found its way into such a supposedly secure system.

“I’ll tell you this once and only once: Satan Bug had help!” he said, simply.

After his Prodigy debut and before Satan Bug hit the Secret Service, Little Loc was recruited by a virus-writing group called phalcon/SKISM, changing his handle in the process to Priest. Joining phalcon/SKISM didn’t necessarily mean you were going to virus writing conventions in cyberspace with other members of the group, but it was a badge of status signifying to others in the computer underground who required such things that you had arrived, as a virus writer anyway. You might think of it as a virus-writer’s union card.

Since Priest lived on the West Coast, however, and the brain trust of phalcon/SKISM was located in the metro-NYC area, there was little concrete collaboration between the two, especially after Priest racked up a $600 telephone bill calling bulletin boards. Since Priest didn’t hack free phone service, his family had to pay the bill, which effectively cut down on much of his long distance telephone contact with the east and bulletin board systems like Caustic Contagion in Waco, Texas.

Caustic Contagion, for a short period of time, was one of the better known virus exchange bulletin board systems. Its sysop, Brian Oblivion, taken from a character in the movie Videodrome, had an extremely liberal policy with regards to virus access and carried a large number of Internet/Usenet newsgroups which gave callers a semblance of access to the Internet. Caustic Contagion’s other specialty, besides viruses, was Star Trek newsgroups and for some reason which completely eludes me, the BBS’s callers found the convergence of computer viruses and Star Trek debate extremely congenial.

Priest and another phalcon/SKISM virus writer named Memory Lapse would hang out on Caustic Contagion. Quite naturally, Oblivion’s bulletin board was one of the first places to receive the programmers’ newest creations.

Priest’s next virus was Payback and it was written to punish the mainstream computing community for the arrest of another virus writer, an English kid with the ludicrous alias, Apache Warrior, the “president” of ARCV, a rather harmless but vocal virus-writing group in the United Kingdom. The group was undone when a British anti-virus software developer was able to convince New Scotland Yard’s computer crime unit to seize its equipment and software in a series of surprise raids across the country.

Priest’s Payback virus would corrupt the hard disk in retaliation for this event.

Payback gathered little attention in the underground, mostly because few people knew much about ARCV and Apache Warrior in the first place …

All the routines to crash a computer’s hard disk and slowly corrupt data à la the Eddie virus, which Priest had designed a number of his viruses to do, made it clear the hacker cared little for any of the finer arguments over the value of computer viruses as intellectual exercises or potentials for benevolent roaming code. Viruses were for getting your name around, infecting files and destroying data, according to Priest. He just laughed when the topic of ethical or productive uses of computer viruses — such as the study of artificial life — came up.

In any case, by the fall of 1993, after Priest had retired from the Prodigy scene, Satan Bug was generating its own kind of media-fueled panic.

On the CompuServe network, hysterical government employees were posting nonsensical alarums about the virus in the McAfee Associates virus information special interest group.

“Satan’s Bug” was part of a foreign power’s attempt to sabotage government computers! It was encrypted in nine different ways and was “eating” your data! A State Department alarm had started!

Wherever the information about “Satan’s Bug” was coming from, it was 100 percent phlogiston. Satan Bug was hardly aimed at government computer systems. It did not “eat” anything and although difficult for many anti-virus programs to scan, the virus could be found on infected systems by making good use of software designed to take a snapshot of the vital information on your files and sound an alarm when these changed, which always happened when Satan Bug added itself to programs.

Even more amusing was the suspicion that Satan Bug had been inserted on government computers by some undisclosed foreign country, from whence it originated. I suppose, however, some people might consider Southern California a foreign country.

Priest enjoyed reading these kinds of things. His virus was famous, an obvious source of confusion and hysteria.

About the same time, the Secret Service’s computer network in Washington, D.C., was infected by the virus, which knocked the infected machines off-line for approximately three days. News about the event was tough to keep secret among government employees and it leaked. The Crypt Newsletter, my electronic ‘zine, published a short news piece in its September 1993 issue on the event and reported that the infection had been cleaned up by David Stang, formerly of the National Computer Security Association, but now providing anti-virus and security guidance for a small security/anti-virus firm in Fairfax, northern Virginia.

Priest was not hard to track down. He hadn’t kept his identity and whereabouts much of a secret so Jack Lewis, head of the Secret Service’s computer crime unit, and two other agents flew out to interrogate him in his San Diego home in October of 1993.

Lewis and the other agents gave Priest the third degree. They shook a printed-out copy of The Crypt Newsletter containing the Satan Bug story in his face and did everything in their power to make Priest think he ought to cease and desist writing computer viruses forthwith.

“About the Secret Service, they weren’t too happy about [Satan Bug], and saw fit to pay me a little visit,” recalled Priest ruefully.

The agents wanted to know everything about Priest – his Social Security number, where he’d traveled, even who the 16-year-old worked for. But Priest didn’t work for anyone.

“I’m not quite sure they believed me,” he said. “Apparently, they thought I worked for some anti-virus company or something to write viruses. Plus, they wanted the sources for them.”

The Secret Service men wanted to know, straight from the horse’s mouth, what Satan Bug did. “They said some victims were worried their systems weren’t completely clean because they thought it might infect [text] files,” Priest continued. “I told them it wouldn’t. They also wanted my opinion on things which surprised me, like different anti-virus programs and encryption [code] … I didn’t ask why.

“Jack Lewis also said someone claimed I said ‘All government computers will be infected by December’ or some such rubbish. Apparently, they thought I wrote Satan Bug as a weapon against the government or whatever, I can’t be too sure . . .”

Priest told them no, Satan Bug wasn’t specifically aimed at government computers, but it was hard to tell if the agents believed him. They were trained to reveal little, to be unnerving to those interviewed.

“They just stared,” Priest said, “as they did in response to every question I asked, including ‘what’s your name?’

“I tried – really tried – to act cool, but my heart was pounding like a hummingbird’s.”

The agents were keenly interested in Priest’s other [aliases], all the viruses he had written, which, if any, computer systems he might have spread them on, the names of some phalcon/SKISM members and the structure of the virus-writing group and details of their hacking exploits.

Priest declined to say anything about the identities of members of phalcon/SKISM. “I told them I knew nothing of the hackers and phreakers, and little more than you could pick up from reading … issues of [their electronic magazines].”

Priest was more interested in other secretive agencies within the government. He was keen on stories about deep black intelligence agencies. Perhaps he envisioned himself writing destructive viruses as part of a covert weapons project for one of them.

“Aren’t there any other agencies which would be more interested in what I’m doing?” Priest asked the agents.

He didn’t get an answer.

Eventually, the Secret Servicemen went away with a Priest-autographed printout of the source code to Satan Bug.

Programming Satan Bug had turned out to be richly rewarding for Priest. Not only had it gotten him recognized immediately in the computer underground, it had made him feared in the trenches of corporate America to the point where the Secret Service had felt compelled to intervene.

Priest continued to work on viruses, anyway.

He had just completed Natas, which he’d turned over to the Secret Service and to phalcon/SKISM for publication in that group’s electronic computer virus magazine. He also uploaded the virus to a couple of bulletin board systems in Southern California. And he finished a very small, 96-byte .COM program-infecting virus.

There were other things he was working on, too, he added cryptically …

Priest had finally been able to videotape “The Satan Bug” telemovie. He shifted his VCR into replay and turned to look at his computer while it was playing. But the hacker said he still didn’t know what the movie was about when it was over. He had been too busy at the PC to pay attention.

Working . .



Notice of Satan Bug virus on Secret Service network, Crypt Newsletter e-zine, #19.


Old timers may note that portions of the original have been dropped. This has been done for reasons of clarity, technical discussion of programs long gone now and of little interest, and pacing.

