Interview with Sepultura of IRG

So, in the line of this policy, I decided to interview one of the IRG leading personalities, Sepultura. Althought I had some technical problems in the time [ Sep knows :) ], here is the interview. Enjoy it !

Can you introduce yourselves ?
Im Sepultura, born 1979, from Australia. Im a virus writer who is a member of IRG (Immortal Riot/Genesis) and do a lot of the organisation that go's into IRG's magazine Insane Reality. The only thing I like more then viruses is music (Sonic Youth, Front 242, Sepultura, and Beethoven are among my favourites). Actually I like copious amounts of buds and lsd more then viruses too.

When and why did you start to be interestin' in computers ?
I was never interesting ;) (so stop reading this interview).

When I was 6 my mum bought us a Commodore64. I learnt BASIC and by time I was 7 I was very proud of this 'guess the number' game I made. I spent a few years playing with the C64, but as you can imagine I got quite bored with it soon. Then, when I was 12, some teacher let me muck around on the school's computers while the rest of my class was doing maths (since me and a friend already knew it.. infact all of IRG have IQ's over 200). Me and my friend made this game to test peoples multiplication tables and stuff, but the school never used it, as it flashed random insults and was quite abusive to the user if you got the answer wrong. This re-kindled my interest in computers and I nagged my mother who bought a 386dx in that same year. (This was the computer on which my virus writing started).

Your first contact with virus ...
For some reason I cant explain, I became very interested in viruses (aged 13, 1992). I didnt have a modem and knew no coders, so I had no idea what I should do. I met some lame fuck who told me viruses were written in C.. so I learnt C and after learning C still had no idea what to do (I didnt even know what a virus really does.. I just knew it replicates). Then I got vsum and it seemed to describe what viruses did in some detail but I had no idea what it meant (what the fuck is Interrupt 13h?? =)). Then I got F-Prot and somewhere in its documentation Fridrik Skulason mentioned any average Assembler coder could make a virus.. now I knew I shouldn't have learned C. Finally I gota book (this is late 1993) called 'Undocumented DOS' that told me about thing like Interrupts, segments, file I/O, and MCB's. It also had example programs written in ASM. I learnt ASM by studying these programs and by playing around in DOS debug.

At this stage I was ready to write a virus. Beetween here and when I had first become interested in virus's I had never actually seen or had contact with a virus.

What about your first virus ?
Well.. just after learning ASM (or DEBUG ASM more precisely) my friend got his machine infected with a virus called Slow (an encrypted 1721 byte Jerusal variant). I didnt have an assembler or disassembler (I didnt even know you could get disassemblers) so I studied the virus in Debug. I decided it was very badly coded, and wanted to make some changes, but I didn't even know how to change the length of the virus (so I had to modify it *and* keep it at 1721 bytes). The result was a semi-polymorphic virus with text strings and an actiation routine. That *could* be my first virus but it was only a hack.

I didnt write a virus for a while because I didn't have an assembler, but finally I decided to write it in Debug. This involved writing the entire virus in Debugs (A)ssemble mode, printing out the (D)isasm listing, looking for errors, re-doing it over and over again until it worked. The first virus I did was Sepultura Boot.A which I spent an entire evening working in Debug on. Then some TSR .COM infector (I worked out how to go TSR by reading the doc's of an AV program called Stealth Bomber). Then my friend got a modem and I begged him to find me an assembler, which he did, and then I was free to write viruses as much as I wanted.

You started as an independent coder, but after your massive support for Insane Reality #7 you landed in Immortal Riot. Tell us the whole story
OK.. here comes more of my life story =)

Mid '95 I got a modem and a carded OzEmail account. This is when I was first introduced to the virus scene. I met some guy called Qark, from VLAD magazine (which I read after FTP'n it with my schools inet account which I 'socially engineered' the password too). He was a nice guy and when I told him I was a virus coder he asked to see some code, which I showed him and he ended up sticking in VLAD#5. This is when I realised other people might actually care to see my code. So I coded more and gave it to The Unforgiven (TU from now on) for IR#7. It turns out I donated more then average and people were impressed. Late in December '95 I joined VLAD but this didnt last long. There was a new group called Genesis, but after leaving VLAD I didnt think I should ask for membership in it as it would look like I was group hopping. Februrary/March 1996, and TU told me IR was now an open group and I could join, so I asked if I could, and I did. Then (perhaps cos I nag too much) TU let me do a lot of organisation, and I ended up organising IR#8. And thats the whole story.

Perspectives of polymorphism
Traditional polymorphism (with a static virus wrapped in a highly variable decryptor) is a dying concept in my opinion. With the advent of generic decryption, polymorphism is not really much of a threat to the scanners any more.

I think the future lies in the 'metamorphic' viruses. These are viruses that are not encrypted, but the code of the virus itself changes. These include viruses such as PLY, Win.Apparition, TMC, and Swap. If we imagine metamorphism in the future reaching a stage where the only thing two copies of the 'same' virus have in common is the algorithm (or what actually they do). This can pose some interesting problems. Lots of 'different' viruses use exaclty the same algorithm, so if a virus that modifies its code comes out is it just creating a new copy of the same virus, or a new virus? And really, detecting a virus just by looking for code to perform a certain algorithm, is what is used for heuristic scanning today, so when detecting a truly metamorphic virus, you are likely to detect a lot of completely unrelated viruses - how can you identify such a virus?

[ TMC hex dump can be found in this issue of our zine :P The source 'll be released only after all the major AV vendors 'll detect it. IMHO, they should have their job as hard as possible for their money :))))) Ed. ]

Perspectives of stealth
Stealth is a problem. Stealth stops the user noticing the virus, but to do stealth, you must be able to identify the virus and find the nescessary info in the virus body. This defeats the purpose of polymorphism. I think in the long run, good polymorphism is a better option. I don't like viruses that are to desperate to be 'stealthy' that they sacrafice compatibility, like DIR-2, Assasin, and No. of the Beast.

Virus as weapon ( bunch of paranoid geeks like NSA,CIA,DIA,SIS 're asked to skip this question and answer)
The kind of viruses we deal with (80x86) are not much of a weapon in my opinion. But I think viruses could be used as a weapon. Imagine a multiplatform virus (perhaps a Unix Shell Scipt), that exploited many Unix (and Unix variants) security flaws, and spread over a TCP/IP network. This is very similar to what the Robert Morris internet worm did, but it would have to be updated for newer systems, and shouldnt replicate till the machine crashes. The virus could then perhaps act as a sniffer, monitoring Ethernet activity looking for logins/passwords to other systems, to continue its spread. Further more, the virus could even search through (for example) any file, looking for the phrase 'U.S. Intelligence', and if the phrase was found, compress the file and send it to some barely used public-FTP site or mail the file UUENCODED to some obscure USENET Newsgroup, for the creator of the virus to download. Lastly, the virus could use a public key encryption system (such as RSA) - the virus would contain the public key, and encrypt the stolen (and compressed information with it, so that it could only be decrypted by the creator of the virus, and people would not realise these junk files on the FTP site or USENET group contain anything unusual. If this was done well, it could be quite an effective intelligence weapon. (And we at IRG have done it, thats why we know everything about everyone).

As an Australian dude, can you describe local virus scene ?
The Australian virus scene is quite healthy. Lots of solo virus writers have come from Australia, such as the Gingerbread Man, aswell as quite a few members of NuKE, IRG, VLAD, and the AIH. As far as the international virusscene go's, I think Australia is quite prominent in it (Slovakia, Taiwain, ex-USSR, and Australia have all extended 'virus technology' quite a bit). On a more local level, the virus scene in my state is reasonably healthy too. Two IRG members live in this state, aswell as a few lesser know virus coders. There are also 5 BBS's that I know of in this state that carry Virus related file and/or mail areas.

The same stuff as previous but AV
As far as I know, Leprechaun Virus Buster, and Cybecs VET are the only two Australian AV programs. They both suck completely and are not even worth mentioning.

Your favourite virus and why
I dont have a single favourite virus. My favourite viruses include:

Tremor, Havoc, N8FALL: Neurobasher was cool, if you consider the time at which his virus were written. It is almost like he made a list of all threats to viruses at the time, and then made viruses to adress these threats, 1 by 1. For example, the heuristic scanners (which were just coming out when he was around) detected suspicious date stamps, so he started using size padding instead, and modified his entire set of full-stealth routines to accomodat the variable size. In my opinion he is the king of retro-viruses - his were really the first ones to make strategic attacks on the AV programs.

Level3, Onehalf: Vyvojars viruses caused many problems for the AV aswell. Lots of scanners still cant detect these two viruses reliably. TBAV is even stupid enough to claim you should clean Onehalf with FDISK /MBR ;). Level3's engine is very complex yet is very logically coded.

Natas: Priests code is very clean and error free, which is sadly, something most viruses writers (including my self) lack.

Phoenix, Commander Bomber, MtE: DAV's code is fucking crazy. Hardly anyone I know can even understand the structures used in his viruses (especially MtE and Bomber). He's also the 'number theory in viruses' king.

TPVO: The TPVO viruses are excellent, strategic, and very cleanly coded. So are Dark Slayer's engines. Dark Slayer is one of the best currently active virus coders in my opinion.

Level3 and DAME are both worth looking at just for their very sturdy and logical code.

[ Well, as for One_Half, check out its original source code in the mag. First time ever published stuff :-P Ed. ]

Your favourite antivirus programm and why
AVP would probably be the best over all program (it has excellent known virus detection and cure, CRC checking, good heuristics, and good decryption).

F-Prot has good known virus detection/cure.

Dr Web and DS-AVTK have very good emmulators. I do not know what methods ICE-NOD uses, but it is very good too.

Suspicious.. I barely consider this an anti-virus program, its much more like a set of diagnostic tools. Apart from the fact that it doesnt have the best decryption, the reports its heuristic scanner SSC gives are very detailed. Often, when I recieve a new virus sample, instead of analysing it manually, I just run SSC over and read the result.

I use AVP, AVG, DS-AVTK, ICE-NOD, F-PROT, TBSCAN, DR WEB, and SUSPICIOUS to test my viruses.

Vx coder you would like to meet personally and why
Just because someone is a good coder, I would not want to meet them - having a technical discussion with them over the phone/IRC/mail is enough. I have met DV8 before (the guy who coded Mr Klunky) and he gave me beer, so I guess I wouldnt mind meeting him again. I also would like to meet any other virus writer that would give me beer. I'd like to meet basically all of IRG.

AV people you would like to meet
Stefan Kurtzhals, the coder of F/WIN and Suspicious is an excellent coder and has a lot of technical knowledge, but from the discussions I have had with him I think he's fucking crazy, so I wouldnt mind meeting him. Also, any AV person who will give me beer. Mikko Hyponnen/Eugene Kaspersky and occasionally Alan Solomon seem to make amusing jokes (and like beer).

Sara Gordon/Vesselin Bontchev/Jim Bates, so I can spit in their eye (and steel their beer ofcourse).

[ Sep loves beer :) , i can promise if I 'll ever meet him, he gets some beer from me ... But basically, he should fly to Europe .... As 4 Jim Bates ... He deserves much more than such a lenient treatment. We should try to use Magic Bullet (tm) ... Ed. ]

Are there in Oz some laws against viruses and their author?
There are no laws against writing viruses as far as I know. Spreading them is a different story. Laws were made to be broken anyway.

What do you think 'bout maniacs who want to bust and prosecute us, the vx coders and would like to erase the vx scene ?
I dont think about them. They don't matter, and they will never succeed. We can simply ignore them, and they will go away. (But others will come along to take their place, so we just keep ignoring the ignorant massess).

Your plans 4 the future as coder and in general
No idea. I'm currently looking at infection of the new executables (NE/LE/PE and LX) aswell as metamorphic viruses. Besides viruses I like playing with cryptography and computer security in general.

Last but not least : can you point us to some interestin' online resources on the internet ? (IRG homepage) (Lots of Stuff) (Lots of Stuff) (Virus Encyclopoedia) (Virus Bulletin) (AV papers) (LOTS of AV Programs)

So thanks, Sep. Was very nice you spended some time with this interview.
Not a problem, good luck with *-Zine. (Was I supposed to answer that??)

[ Sure, what else ? :) Ed. ]