toad.com mailing list postings from possible virus authors
This is the message I received which complained about "inappropriate use of the Internet". He also phoned me to complain. I know the cypherpunks already know this, but Dave Farber's audience might not have thought about the implications for free speech of having the government build a multi billion dollar Internet replacement. Bureaucrats and random complaints from third parties on such a network *will* cause you grief about what you are allowed to say and do. The company I buy networking from is Alternet, and because they exist, I can protect myself from this sort of meddling. They will not be able to compete with the taxpayer funded "national information infrastructure", and my only option, if I want to be on the net, will be to hook up under the government's rules. If after seeing this exchange you still don't believe me, talk to someone at a controversial broadcast radio station. Radio is living under that yoke *now*, and they have some real stories to tell.

John

Date: Tue, 16 Feb 1993 12:53:14 -0500 (EST)
To: gnu@cygnus.com (John Gilmore)
Cc: CMcDonald@WSMR-SIMTEL20.Army.Mil (Chris McDonald), krvw@cert.org ("Kenneth R. van Wyk")
Subject: toad.com mailing list postings from possible virus authors
From: w8sdz@TACOM-EMH1.Army.Mil (Keith Petersen - MACA WSMR)
Message-Id: <9302161253.16494.w8sdz@TACOM-EMH1.Army.Mil>

John, below is the posting I called about. In my opinion this is inappropriate use of the Internet. This person appears to be a virus author, one who knows virus authors, and/or one who encourages such activity. What is the policy of toad.com concerning such postings?

Keith

--
Keith Petersen
Maintainer of the MS-DOS archive at WSMR-SIMTEL20.Army.Mil [192.88.110.20]
Internet: w8sdz@TACOM-EMH1.Army.Mil or w8sdz@Vela.ACS.Oakland.Edu
Uucp: uunet!umich!vela!w8sdz
BITNET: w8sdz@OAKLAND
From: thug@phantom.com (Murdering Thug)
Subject: Re: Viral encryption
To: cypherpunks@toad.com
Date: Thu, 11 Feb 93 11:47:43 EST
As Mr. Ferguson pointed out, polymorphic viruses are making their way into the DOS world. This is a problem in the short term, but not in the long term because people will be changing to memory-protected & file-permission based operating systems like NT, OS/2 and Unix, where it is very difficult for most kinds of virus to spread.
I myself am very familiar with the virus underground, so for those who are not, let me explain the two newest and most deadly virus techniques which are being seen in the DOS world.
The first is something called "Stealth" viruses. Stealth viruses embed themselves into DOS and intercept disk read calls from applications. If those read system calls are reading non .EXE or .COM files, then they are processed normally. However when an application such as a virus scanning program is reading in .COM and .EXE files (in order to scan them for virus code), the stealth code in DOS intercepts this and returns to the application what the .EXE or .COM file would look like if it wasn't infected by the stealth virus. Thus, all virus checking programs can be deceived in this manner. There are steps to get around this, like booting off of a write-protected floppy disk (with a clean copy of DOS on it) and running the virus checking program directly from that floppy. But people seldom do that, so the stealth technology is a worthwhile one for virus creators to pursue.
The second is called "Polymorphic" viruses. These are viruses which contain a tiny encryption/decryption engine. The great thing about polymorphic viruses is that they encrypt themselves with a different key each time they replicate (make a new copy of themselves). The small amount of virus bootstrap code which is not encrypted is changed in each replication by dispersing random NOP's throughout the virus bootstrap code. Thus each sample of polymorphic virus looks completely different to virus checking programs. The virus checking programs cannot use "signature" byte strings to detect polymorphic viruses.
I have seen something called D.A.M.E., also known as Dark Avenger Mutation Engine. This is a freeware polymorphic library/kernel/toolkit which allows anyone to take an ordinary virus and wrap it in a polymorphic shell. Thus each new copy of the virus will look completely different as it replicates. D.A.M.E. is a great toolkit for those who want to release new viruses but don't have the skills to write a virus from scratch. DAME works very well with Turbo Assembler and MASM. I believe that DAME II will be coming out sometime this spring. At least that is what the author has promised. Among the new features will be more powerful encryption, stealth capabilities, and compatibility with Stacker and DR DOS compressed file systems. I have read that the author of DAME and DAME II will be coming out with a Virus Construction Set, which will allow point-n-click building of new viruses using object oriented techniques. It works sort of like a Mr. Potatohead, you point and click on the parts/modules you want and it builds it for you. You select the replication method, stealth capability, polymorphism, and payload module (there are several payloads, varying from playing music and showing graphics, to printing a text message on screen, to complete wipe out of the HD). The really wonderful thing is that you will be able to build your own modules and link them into the virus. I am sure a flourishing of third-party modules will occur.
With the VCS, a 9 year old can build a completely new virus just by pointing, clicking, and dragging, popping up windows and choosing options.
My oh my, aren't we in for fun times ahead...
Thug
With regard to Mr. Peterson: I think we are finally seeing the net gestapo coming out of the woodwork. We all knew they are on the net, we just couldn't pinpoint who exactly they were. This Peterson fellow seems to think he is the self-appointed protector of decency on the net. I have run across this Peterson fellow before, and he seems to have this crazed desire to call up (by voice) system administrators to complain about the net postings and mailing list postings of users at those sites, and then threaten further action if his demands are not met.

My previous encounter with Mr. Peterson occurred rather indirectly. Apparently, a novice user here at phantom.com mistakenly mailed a posting about gay lifestyles to some mailing list that Mr. Peterson was on. Being a net nazi, Mr. Peterson proceeded to call up the sysadm of phantom.com and threatened to call up phantom.com's feed site (PSInet) complaining about "inappropriate use of the net" and threatened to ask PSI to cut phantom.com from the net. This would not have worked since PSI is a commercial feed provider, but I can see where this gestapo tactic would work on sites who get their feeds for free/cheap from universities and other non-commercial sites. Is this guy on a power trip or something? And who the fuck appointed him to watch over what is being said on the net?

Re: my virus posting

As you can read from the posting itself, there is nothing in there that technically allows anyone to write a virus based on my words. Nor is there anything in there that encourages people to write viruses. But that's not the real issue, even if my post contained such information, I think I am free to send it along to wherever I wish. The fact that my post was devoid of such information only makes Peterson look even more foolish than he already does. If anything, my post was meant to be humorous and sarcastic. Especially that part about how 9 year olds will be able to point-and-click together viruses within a year, and how overpaid underachievers like Peterson and his cronies in the virus-protection-racket are powerless to stop this from occurring.

I think the other thing that made Peterson fly off the handle was the fact that I am writing under an alias, an especially offensive one like "Murdering Thug". I'm sure if my virus post came from a "respected" and "approved" individual like McAfee or John Dvorak, he wouldn't have raised an eyebrow. In fact Dvorak wrote an Editorial in PC Magazine about a year back which was VERY similar to my post. In his editorial he discussed D.A.M.E. and Stealth viruses, and explained how they worked in similar detail as I have done. Did Mr. Peterson write a letter to PC Magazine to complain? I think not. He knows that someone like Dvorak could make him look like the true idiot that he is.

Mr. Peterson, I am glad you are showing your gestapo personality in front of the entire net. Your underhanded tactics of threatening system administrators with harassing voice phone calls will be exposed to the net community at large, and YOU will be the one who is mocked and censured, and rightly so.

Respectfully,
Murdering Thug
Granted the idiocy of Mr. High-and-Mighty Army Man's opinion of what people can and can't say, I couldn't help but point out two silly things in the message he's complaining about:

[stuff deleted]

> each time they replicate (make a new copy of themselves). The small amount of virus bootstrap code which is not encrypted is changed in each replication by dispersing random NOP's throughout the virus bootstrap code. Thus each sample of polymorphic virus looks completely different to virus checking programs. The virus checking programs cannot use "signature" byte strings to detect polymorphic viruses.

Either he's explaining it wrong, or the author is actually foolish enough to think that people won't simply just IGNORE the randomly placed NOPs and only consider the other instruction codes in forming a signature(s). Wowie. Real programmers know that the strength of polymorphic code lies in the fact that the same instruction can be coded as numerous different opcodes on Intel processors. And...

> I have seen something called D.A.M.E., also known as Dark Avenger Mutation Engine. This is a freeware polymorphic library/kernel/toolkit
Why does he keep referring to MtE, as "DAME"??? It never ceases to amaze me how such an elementary and sophomoric subject as viruses can cause the strangest reactions from some people. I think it has something to do with the noxious connotations of the word 'virus'. Maybe if we all just agreed to call them 'nuisance programs', like flies on a horse's rear-end, they wouldn't cause such fool panic. On a finer note, I know a couple more of my "non-privacy in the phone system" messages are in order, I was pleased by the response I got. I'll try and work myself into the mood.
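The scanner-side point Phiber Optik makes above (padding NOPs are trivially ignored, whereas alternative encodings of the same instruction are what actually hurt byte signatures) can be shown concretely. The following is an added example written for this page, not code from any participant in the thread and not taken from any scanner of the period; every byte string in it is constructed for illustration, and the "known fragment" is a made-up sequence of ordinary 16-bit instructions, not a fragment of any real sample. It scans three constructed samples with an exact signature, the same signature after NOP removal, and a wildcard signature:

```python
"""Added example: signature matching that ignores padding NOPs.

Constructed data only; the byte strings below stand in for a fragment of a
known program body and are not taken from any real sample.
"""
import re

NOP = 0x90  # single-byte x86 NOP

# Constructed "known fragment" a scanner might carry as a signature:
# 2E A1 03 01 = CS: MOV AX,[0103]; 8B D8 = MOV BX,AX; 81 C3 10 00 = ADD BX,10h
KNOWN_FRAGMENT = bytes.fromhex("2e a1 03 01 8b d8 81 c3 10 00")

# Wildcard form of the same signature: the two bytes of MOV BX,AX are left
# open because that instruction has more than one valid encoding.
WILDCARD_SIGNATURE = "2e a1 03 01 ?? ?? 81 c3 10 00"


def strip_nops(code: bytes) -> bytes:
    """Drop every 0x90 byte before matching.

    Caveat: 0x90 can also occur inside a longer instruction (as an immediate
    or a displacement), so a production scanner decodes instructions instead
    of filtering raw bytes; byte filtering is enough to show the idea here.
    """
    return bytes(b for b in code if b != NOP)


def pad_with_nops(code: bytes, every: int = 2) -> bytes:
    """Deterministically interleave NOPs into a byte string (test-data helper)."""
    out = bytearray()
    for i, b in enumerate(code):
        out.append(b)
        if i % every == 1:
            out.append(NOP)
    return bytes(out)


def compile_wildcard(signature: str) -> re.Pattern:
    """Turn 'aa bb ?? cc' into a bytes regex where '??' matches any one byte."""
    parts = []
    for tok in signature.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def matches_exact(sample: bytes, signature: bytes) -> bool:
    """Plain substring search, the naive signature scan."""
    return signature in sample


def matches_normalized(sample: bytes, signature: bytes) -> bool:
    """Exact signature applied after NOP removal."""
    return signature in strip_nops(sample)


def matches_wildcard(sample: bytes, signature: str) -> bool:
    """Wildcard signature applied after NOP removal."""
    return compile_wildcard(signature).search(strip_nops(sample)) is not None


# Three constructed samples: the fragment as-is, the fragment with NOPs
# scattered through it, and the fragment with MOV BX,AX re-encoded
# (8B D8 -> 89 C3, the same instruction with the other MOV opcode).
PLAIN = b"\x00" * 4 + KNOWN_FRAGMENT + b"\xff" * 3
NOP_PADDED = pad_with_nops(PLAIN)
ALT_ENCODING = PLAIN.replace(b"\x8b\xd8", b"\x89\xc3")


def scan(sample: bytes) -> dict:
    """Verdict of each matching strategy for one sample."""
    return {
        "exact": matches_exact(sample, KNOWN_FRAGMENT),
        "nop_stripped": matches_normalized(sample, KNOWN_FRAGMENT),
        "wildcard": matches_wildcard(sample, WILDCARD_SIGNATURE),
    }


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("nop_padded", NOP_PADDED),
                         ("alt_encoding", ALT_ENCODING)]:
        print(f"{name:13s} {scan(sample)}")
```

Running it shows the NOP-padded sample defeating only the naive exact scan, while the re-encoded sample defeats both byte-exact strategies and is caught only by the wildcard signature. A body that is entirely encrypted with a per-copy key, as the quoted post describes, defeats all three, which is why scanners for polymorphic code moved on from static signatures toward running the decryptor in an emulator and scanning what it produces.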
Participants (3): gnu, Phiber Optik, thug@phantom.com