Interview with Sepultura of IRG
So, in the line of this policy, I decided to interview one of
the IRG leading personalities, Sepultura. Althought I had some
technical problems in the time [ Sep knows :) ], here is the
interview. Enjoy it !
||Can you introduce yourselves ?
||Im Sepultura, born 1979, from Australia. Im a virus writer who is
a member of IRG (Immortal Riot/Genesis) and do a lot of the
organisation that go's into IRG's magazine Insane Reality. The
only thing I like more then viruses is music (Sonic Youth, Front
242, Sepultura, and Beethoven are among my favourites). Actually
I like copious amounts of buds and lsd more then viruses too.
||When and why did you start to be interestin' in computers ?
|| I was never interesting ;) (so stop reading this interview).
When I was 6 my mum bought us a Commodore64. I learnt BASIC and
by time I was 7 I was very proud of this 'guess the number' game
I made. I spent a few years playing with the C64, but as you can
imagine I got quite bored with it soon. Then, when I was 12, some
teacher let me muck around on the school's computers while the
rest of my class was doing maths (since me and a friend already
knew it.. infact all of IRG have IQ's over 200). Me and my friend
made this game to test peoples multiplication tables and stuff,
but the school never used it, as it flashed random insults and
was quite abusive to the user if you got the answer wrong. This
re-kindled my interest in computers and I nagged my mother who
bought a 386dx in that same year. (This was the computer on which
my virus writing started).
||Your first contact with virus ...
|| For some reason I cant explain, I became very interested in
viruses (aged 13, 1992). I didnt have a modem and knew no coders,
so I had no idea what I should do. I met some lame fuck who told
me viruses were written in C.. so I learnt C and after learning
C still had no idea what to do (I didnt even know what a virus
really does.. I just knew it replicates). Then I got vsum and it
seemed to describe what viruses did in some detail but I had no
idea what it meant (what the fuck is Interrupt 13h?? =)). Then
I got F-Prot and somewhere in its documentation Fridrik Skulason
mentioned any average Assembler coder could make a virus.. now
I knew I shouldn't have learned C. Finally I gota book (this is
late 1993) called 'Undocumented DOS' that told me about thing
like Interrupts, segments, file I/O, and MCB's. It also had
example programs written in ASM. I learnt ASM by studying these
programs and by playing around in DOS debug.
At this stage I was ready to write a virus. Beetween here and
when I had first become interested in virus's I had never
actually seen or had contact with a virus.
||What about your first virus ?
|| Well.. just after learning ASM (or DEBUG ASM more precisely) my
friend got his machine infected with a virus called Slow (an
encrypted 1721 byte Jerusal variant). I didnt have an assembler
or disassembler (I didnt even know you could get disassemblers)
so I studied the virus in Debug. I decided it was very badly
coded, and wanted to make some changes, but I didn't even know
how to change the length of the virus (so I had to modify it
*and* keep it at 1721 bytes). The result was a semi-polymorphic
virus with text strings and an actiation routine. That *could* be
my first virus but it was only a hack.
I didnt write a virus for a while because I didn't have an
assembler, but finally I decided to write it in Debug. This
involved writing the entire virus in Debugs (A)ssemble mode,
printing out the (D)isasm listing, looking for errors, re-doing
it over and over again until it worked. The first virus I did was
Sepultura Boot.A which I spent an entire evening working in Debug
on. Then some TSR .COM infector (I worked out how to go TSR by
reading the doc's of an AV program called Stealth Bomber). Then
my friend got a modem and I begged him to find me an assembler,
which he did, and then I was free to write viruses as much as
||You started as an independent coder, but after your massive
support for Insane Reality #7 you landed in Immortal Riot. Tell
us the whole story
|| OK.. here comes more of my life story =)
Mid '95 I got a modem and a carded OzEmail account. This is when
I was first introduced to the virus scene. I met some guy called
Qark, from VLAD magazine (which I read after FTP'n it with my
schools inet account which I 'socially engineered' the password
too). He was a nice guy and when I told him I was a virus coder
he asked to see some code, which I showed him and he ended up
sticking in VLAD#5. This is when I realised other people might
actually care to see my code. So I coded more and gave it to The
Unforgiven (TU from now on) for IR#7. It turns out I donated more
then average and people were impressed. Late in December '95
I joined VLAD but this didnt last long. There was a new group
called Genesis, but after leaving VLAD I didnt think I should ask
for membership in it as it would look like I was group hopping.
Februrary/March 1996, and TU told me IR was now an open group and
I could join, so I asked if I could, and I did. Then (perhaps cos
I nag too much) TU let me do a lot of organisation, and I ended
up organising IR#8. And thats the whole story.
||Perspectives of polymorphism
|| Traditional polymorphism (with a static virus wrapped in a highly
variable decryptor) is a dying concept in my opinion. With the
advent of generic decryption, polymorphism is not really much of
a threat to the scanners any more.
I think the future lies in the 'metamorphic' viruses. These are
viruses that are not encrypted, but the code of the virus itself
changes. These include viruses such as PLY, Win.Apparition, TMC,
and Swap. If we imagine metamorphism in the future reaching
a stage where the only thing two copies of the 'same' virus have
in common is the algorithm (or what actually they do). This can
pose some interesting problems. Lots of 'different' viruses use
exaclty the same algorithm, so if a virus that modifies its code
comes out is it just creating a new copy of the same virus, or
a new virus? And really, detecting a virus just by looking for
code to perform a certain algorithm, is what is used for
heuristic scanning today, so when detecting a truly metamorphic
virus, you are likely to detect a lot of completely unrelated
viruses - how can you identify such a virus?
|| [ TMC hex dump can be found in this issue of our zine :P The
source 'll be released only after all the major AV vendors 'll
detect it. IMHO, they should have their job as hard as possible
for their money :))))) Ed. ]
||Perspectives of stealth
|| Stealth is a problem. Stealth stops the user noticing the virus,
but to do stealth, you must be able to identify the virus and
find the nescessary info in the virus body. This defeats the
purpose of polymorphism. I think in the long run, good
polymorphism is a better option. I don't like viruses that are to
desperate to be 'stealthy' that they sacrafice compatibility,
like DIR-2, Assasin, and No. of the Beast.
||Virus as weapon ( bunch of paranoid geeks like NSA,CIA,DIA,SIS
're asked to skip this question and answer)
|| The kind of viruses we deal with (80x86) are not much of a weapon
in my opinion. But I think viruses could be used as a weapon.
Imagine a multiplatform virus (perhaps a Unix Shell Scipt), that
exploited many Unix (and Unix variants) security flaws, and
spread over a TCP/IP network. This is very similar to what the
Robert Morris internet worm did, but it would have to be updated
for newer systems, and shouldnt replicate till the machine
crashes. The virus could then perhaps act as a sniffer,
monitoring Ethernet activity looking for logins/passwords to
other systems, to continue its spread. Further more, the virus
could even search through (for example) any file, looking for the
phrase 'U.S. Intelligence', and if the phrase was found, compress
the file and send it to some barely used public-FTP site or mail
the file UUENCODED to some obscure USENET Newsgroup, for the
creator of the virus to download. Lastly, the virus could use
a public key encryption system (such as RSA) - the virus would
contain the public key, and encrypt the stolen (and compressed
information with it, so that it could only be decrypted by the
creator of the virus, and people would not realise these junk
files on the FTP site or USENET group contain anything unusual.
If this was done well, it could be quite an effective
intelligence weapon. (And we at IRG have done it, thats why we
know everything about everyone).
||As an Australian dude, can you describe local virus scene ?
|| The Australian virus scene is quite healthy. Lots of solo virus
writers have come from Australia, such as the Gingerbread Man,
aswell as quite a few members of NuKE, IRG, VLAD, and the AIH. As
far as the international virusscene go's, I think Australia is
quite prominent in it (Slovakia, Taiwain, ex-USSR, and Australia
have all extended 'virus technology' quite a bit). On a more
local level, the virus scene in my state is reasonably healthy
too. Two IRG members live in this state, aswell as a few lesser
know virus coders. There are also 5 BBS's that I know of in this
state that carry Virus related file and/or mail areas.
||The same stuff as previous but AV
|| As far as I know, Leprechaun Virus Buster, and Cybecs VET are the
only two Australian AV programs. They both suck completely and
are not even worth mentioning.
||Your favourite virus and why
|| I dont have a single favourite virus. My favourite viruses
Tremor, Havoc, N8FALL: Neurobasher was cool, if you consider the
time at which his virus were written. It is almost like he made
a list of all threats to viruses at the time, and then made
viruses to adress these threats, 1 by 1. For example, the
heuristic scanners (which were just coming out when he was
around) detected suspicious date stamps, so he started using size
padding instead, and modified his entire set of full-stealth
routines to accomodat the variable size. In my opinion he is the
king of retro-viruses - his were really the first ones to make
strategic attacks on the AV programs.
Level3, Onehalf: Vyvojars viruses caused many problems for the AV
aswell. Lots of scanners still cant detect these two viruses
reliably. TBAV is even stupid enough to claim you should clean
Onehalf with FDISK /MBR ;). Level3's engine is very complex yet
is very logically coded.
Natas: Priests code is very clean and error free, which is sadly,
something most viruses writers (including my self) lack.
Phoenix, Commander Bomber, MtE: DAV's code is fucking crazy.
Hardly anyone I know can even understand the structures used in
his viruses (especially MtE and Bomber). He's also the 'number
theory in viruses' king.
TPVO: The TPVO viruses are excellent, strategic, and very cleanly
coded. So are Dark Slayer's engines. Dark Slayer is one of the
best currently active virus coders in my opinion.
Level3 and DAME are both worth looking at just for their very
sturdy and logical code.
|| [ Well, as for One_Half, check out its original source code in
the mag. First time ever published stuff :-P Ed. ]
||Your favourite antivirus programm and why
|| AVP would probably be the best over all program (it has excellent
known virus detection and cure, CRC checking, good heuristics,
and good decryption).
F-Prot has good known virus detection/cure.
Dr Web and DS-AVTK have very good emmulators. I do not know what
methods ICE-NOD uses, but it is very good too.
Suspicious.. I barely consider this an anti-virus program, its
much more like a set of diagnostic tools. Apart from the fact
that it doesnt have the best decryption, the reports its
heuristic scanner SSC gives are very detailed. Often, when
I recieve a new virus sample, instead of analysing it manually,
I just run SSC over and read the result.
I use AVP, AVG, DS-AVTK, ICE-NOD, F-PROT, TBSCAN, DR WEB, and
SUSPICIOUS to test my viruses.
||Vx coder you would like to meet personally and why
|| Just because someone is a good coder, I would not want to meet
them - having a technical discussion with them over the
phone/IRC/mail is enough. I have met DV8 before (the guy who
coded Mr Klunky) and he gave me beer, so I guess I wouldnt mind
meeting him again. I also would like to meet any other virus
writer that would give me beer. I'd like to meet basically all of
||AV people you would like to meet
|| Stefan Kurtzhals, the coder of F/WIN and Suspicious is an
excellent coder and has a lot of technical knowledge, but from
the discussions I have had with him I think he's fucking crazy,
so I wouldnt mind meeting him. Also, any AV person who will give
me beer. Mikko Hyponnen/Eugene Kaspersky and occasionally Alan
Solomon seem to make amusing jokes (and like beer).
Sara Gordon/Vesselin Bontchev/Jim Bates, so I can spit in their
eye (and steel their beer ofcourse).
|| [ Sep loves beer :) , i can promise if I 'll ever meet him, he
gets some beer from me ... But basically, he should fly to Europe
.... As 4 Jim Bates ... He deserves much more than such a lenient
treatment. We should try to use Magic Bullet (tm) ... Ed. ]
||Are there in Oz some laws against viruses and their author?
|| There are no laws against writing viruses as far as I know.
Spreading them is a different story. Laws were made to be broken
||What do you think 'bout maniacs who want to bust and prosecute
us, the vx coders and would like to erase the vx scene ?
|| I dont think about them. They don't matter, and they will never
succeed. We can simply ignore them, and they will go away. (But
others will come along to take their place, so we just keep
ignoring the ignorant massess).
||Your plans 4 the future as coder and in general
|| No idea. I'm currently looking at infection of the new
executables (NE/LE/PE and LX) aswell as metamorphic viruses.
Besides viruses I like playing with cryptography and computer
security in general.
||Last but not least : can you point us to some interestin'
online resources on the internet ?
|| http://www.geocities.com/SiliconValley/Park/9595/ (IRG homepage)
http://www.ikx.org/ (Lots of Stuff)
http://www.cyberstation.net/~cicatrix (Lots of Stuff)
http://www.metro.ch/avpve (Virus Encyclopoedia)
http://www.virusbtn.com/ (Virus Bulletin)
ftp://ftp.informatik.uni-hamburg.de/pub (AV papers)
ftp://ftp.elf.stuba.sk/pub/pc (LOTS of AV Programs)
||So thanks, Sep. Was very nice you spended some time with this
|| Not a problem, good luck with *-Zine. (Was I supposed to answer
|| [ Sure, what else ? :) Ed. ]