This is the message I received which complained about "inappropriate use of the Internet". He also phoned me to complain. I know the cypherpunks already know this, but Dave Farber's audience might not have thought about the implications for free speech of having the government build a multi-billion-dollar Internet replacement. Bureaucrats and random complaints from third parties on such a network *will* cause you grief about what you are allowed to say and do. The company I buy networking from is Alternet, and because they exist, I can protect myself from this sort of meddling. They will not be able to compete with the taxpayer-funded "national information infrastructure", and my only option, if I want to be on the net, will be to hook up under the government's rules. If after seeing this exchange you still don't believe me, talk to someone at a controversial broadcast radio station. Radio is living under that yoke *now*, and they have some real stories to tell.

John

Date: Tue, 16 Feb 1993 12:53:14 -0500 (EST)
To: gnu@cygnus.com (John Gilmore)
Cc: CMcDonald@WSMR-SIMTEL20.Army.Mil (Chris McDonald), krvw@cert.org ("Kenneth R. van Wyk")
Subject: toad.com mailing list postings from possible virus authors
From: w8sdz@TACOM-EMH1.Army.Mil (Keith Petersen - MACA WSMR)
Message-Id: <9302161253.16494.w8sdz@TACOM-EMH1.Army.Mil>

John, below is the posting I called about. In my opinion this is inappropriate use of the Internet. This person appears to be a virus author, one who knows virus authors, and/or one who encourages such activity. What is the policy of toad.com concerning such postings?

Keith
--
Keith Petersen
Maintainer of the MS-DOS archive at WSMR-SIMTEL20.Army.Mil [192.88.110.20]
Internet: w8sdz@TACOM-EMH1.Army.Mil or w8sdz@Vela.ACS.Oakland.Edu
Uucp: uunet!umich!vela!w8sdz
BITNET: w8sdz@OAKLAND
From: thug@phantom.com (Murdering Thug)
Subject: Re: Viral encryption
To: cypherpunks@toad.com
Date: Thu, 11 Feb 93 11:47:43 EST
As Mr. Ferguson pointed out, polymorphic viruses are making their way into the DOS world. This is a problem in the short term, but not in the long term because people will be changing to memory-protected & file-permission based operating systems like NT, OS/2 and Unix, where it is very difficult for most kinds of virus to spread.
I myself am very familiar with the virus underground, so for those who are not, let me explain the two newest and most deadly virus techniques which are being seen in the DOS world.
The first is something called "Stealth" viruses. Stealth viruses embed themselves into DOS and intercept disk read calls from applications. If those read system calls are reading non-.EXE or .COM files, then they are processed normally. However, when an application such as a virus scanning program is reading in .COM and .EXE files (in order to scan them for virus code), the stealth code in DOS intercepts this and returns to the application what the .EXE or .COM file would look like if it wasn't infected by the stealth virus. Thus, all virus checking programs can be deceived in this manner. There are steps to get around this, like booting off of a write-protected floppy disk (with a clean copy of DOS on it) and running the virus checking program directly from that floppy. But people seldom do that, so the stealth technology is a worthwhile one for virus creators to pursue.
The second is called "Polymorphic" viruses. These are viruses which contain a tiny encryption/decryption engine. The great thing about polymorphic viruses is that they encrypt themselves with a different key each time they replicate (make a new copy of themselves). The small amount of virus bootstrap code which is not encrypted is changed in each replication by dispersing random NOPs throughout the virus bootstrap code. Thus each sample of a polymorphic virus looks completely different to virus checking programs. The virus checking programs cannot use "signature" byte strings to detect polymorphic viruses.
I have seen something called D.A.M.E., also known as Dark Avenger Mutation Engine. This is a freeware polymorphic library/kernel/toolkit which allows anyone to take an ordinary virus and wrap it in a polymorphic shell. Thus each new copy of the virus will look completely different as it replicates. D.A.M.E. is a great toolkit for those who want to release new viruses but don't have the skills to write a virus from scratch. DAME works very well with Turbo Assembler and MASM. I believe that DAME II will be coming out sometime this spring. At least that is what the author has promised. Among the new features will be more powerful encryption, stealth capabilities, and compatibility with Stacker and DR DOS compressed file systems. I have read that the author of DAME and DAME II will be coming out with a Virus Construction Set, which will allow point-n-click building of new viruses using object oriented techniques. It works sort of like a Mr. Potatohead: you point and click on the parts/modules you want and it builds it for you. You select the replication method, stealth capability, polymorphism, and payload module (there are several payloads, varying from playing music and showing graphics, to printing a text message on screen, to complete wipe-out of the HD). The really wonderful thing is that you will be able to build your own modules and link them into the virus. I am sure a flourishing of third-party modules will occur.
With the VCS, a 9 year old can build a completely new virus just by pointing, clicking, and dragging, popping up windows and choosing options.
My oh my, aren't we in for fun times ahead...
Thug
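Both techniques in the post above point defenders at the same countermeasure: the stealth case only works while the checker trusts what the infected OS returns, and the polymorphic case only defeats checkers that rely on byte signatures. A baseline integrity check sidesteps both, provided it is run from a trusted environment (the post's write-protected clean floppy) and the baseline is stored off the suspect machine. The following is an added example, not code from the thread or from any of the tools it names; it records SHA-256 hashes of known-clean .COM/.EXE files and later reports which executables changed, appeared or vanished. The directory layout and file contents are constructed for the demonstration.

```python
"""Baseline integrity check for executables (added example, not from the original posts).

Instead of looking for a fixed byte string inside each file, record a hash of every
executable while the system is known clean, then compare later. A file that has been
modified (appended, patched, re-encrypted with a fresh key) no longer matches its
baseline hash, so per-copy encryption does not hide it. Run from trusted boot media,
the comparison is not subject to read interception by a resident stealth virus.
"""
import hashlib
import os
import tempfile

# File types the DOS-era discussion is about; extend as needed.
EXECUTABLE_SUFFIXES = (".com", ".exe")


def hash_file(path: str) -> str:
    """SHA-256 of a file's bytes, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of relative path -> hash for every executable under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def check_against_baseline(root: str, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline; no signatures involved."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then one executable altered and one new one dropped in."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for a clean DOS directory.
        for name, body in (("COMMAND.COM", b"clean command interpreter"),
                           ("EDIT.EXE", b"clean editor"),
                           ("README.TXT", b"not an executable, not tracked")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)  # taken while the tree is known clean

        # Simulate what a file infector leaves behind: changed bytes in an existing
        # executable and an executable that was not there before.
        with open(os.path.join(root, "EDIT.EXE"), "ab") as f:
            f.write(b"\x00 constructed appended bytes")
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"constructed newcomer")

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # expected: EDIT.EXE modified, NEW.COM added, nothing missing
```

The check deliberately ignores README.TXT, mirroring the post's note that stealth code passes non-executable reads through untouched; what matters is that the executables are compared against a hash taken earlier, not against a pattern the virus can vary. The baseline itself must live somewhere the suspect system cannot rewrite, and the comparison must run after booting from media the virus never touched, otherwise a stealth handler can hand back the clean-looking bytes and the hashes will match.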