**********************************************
Interview with hh86
by Second Part To Hell
**********************************************
hh86 is one of the best and most active virus writers in recent years, and she
is also the editor of the valhalla-ezines.
The first interview with her I did in December 2010 (released in DC#3), about
2.5 years ago. Since then, many things have happened, and it's interesting to talk
to hh86 again!
You can reach her via agonisthh86[at]gmail.com or https://twitter.com/hh86_
The interview was done via several e-mail sessions in June 2013.
Have fun! :)
##############################
## Hey hh86! First, could you please introduce yourself - such as how do you
## spend your 24h per day usually? Do you have hobbies other than virus-related
## stuff?
I wake up approximately at 6 A.M. and go to work until evening. So I work most
of the time. Then I come back home to spend the rest of the time on coding.
I don't consider virus writing as one of my hobbies, actually. I do have a real
hobby-- I like to play FPS games, complete them on a single night. I'm very
good at it.
##############################
## Can you tell us when you were born, where you are from and where do you spend
## your time at the moment?
I was born in 1992. I live in Argentina. At the moment, I am spending my time
in the room where I have my computers. In spite of the heat generated by the
CPUs, this room has its own Winter. But it is somehow pleasing right now.
##############################
## What was the best movie that you have seen since December 2010? What is your
## favorite movie in general and why?
"Dustbin Baby" is the best film I have seen since December 2010.
My favourite film is "The End of Evangelion", because I can identify myself
with two of the main female characters. I am a rare combination between Asuka
Langley Soryu and Rei Ayanami. They are both opposed, but so am I with myself.
##############################
## Do you like to read? What's your favorite genre? I see from time to time
## allusions to some science fiction novels; which are your favorite ones?
I like reading books very much. I don't have a favourite literary genre. Books
on my shelf are science-fiction, crime, horror, mystery, thriller novels,
science books, compilations of short works from different authors, and some
computer programming books.
My favourite books are: Contact by Carl Sagan; Carrie by Stephen King; and
Sprawl trilogy by William Gibson.
I like poetry as well. In my most recent codes, I included a fragment of a poem
written in 1916 by Marina Tsvetaeva. You can see it in the source code, but
it is encoded as hexadecimal data. Only those who went so far as compiling the
source have probably read it.
##############################
## You mentioned in the last interview, that you were interested in viruses
## since you were 14. When did you have the first contact with viruswriters, and
## who were they?
I can't really remember when it happened. I began researching about the topic
on several forums and other places for quite some time before I found myself in
VX Heavens and then 29A, where I learned for real. I talked to some people who
may or may not have been virus writers, I never saw anything from them in the
scene.
##############################
## Imagine some clever youngster reads this text and - fascinated by your
## answers - decides that (s)he wants to program some self-replicating
## programs. What would be your suggestion? What's the best way to start? What
## needs to be learned?
Where there is a will there is a way.
I would suggest learning general programming in C or C++. Having a good base of
knowledge and programming skills is the best before learning the concepts and
techniques of virus writing. Then you might want to try to learn ASM.
ASM is not difficult to learn. It requires patience and creativity, just like
any work of art. When you learn ASM, you are getting closer to the truth. So,
you will spend most of your time understanding how things work.
##############################
## We have talked about 2.5 years ago. Much has happened since then. What were
## your personal highlights since then regarding viruses? What has been the
## nicest development, what was the worst?
Lots of good things have happened.
LIP project by SPTH. Upcoming DC5.
DC is an ezine which began much before Valhalla, so Valhalla itself has been
growing next to it, which is very, very good. DC is now going for their fifth
issue, and I'm very honored that they invited me to contribute.
The worst that happened was VX Heavens going down, my alma mater. Other things
too, but they are not worth mentioning.
##############################
## Since the last interview, you have been very active writing a bunch of
## kick-ass viruses. Eight of your codes have been analysed by Peter Ferrie
## and described in VirusBulletin. That's very impressive! Can you please tell us
## about your creations from that time. What were your favorite projects? What
## have been the most difficult? For which are you most proud? What would you do
## differently with the knowledge from today?
Thank you.
Since the last interview I wrote many new viruses. Here is a description of
them.
Windows 32-bit:
W32.Sigrun.B - first virus using Intel MMX "PMOVMASKB" instruction for
decoding, PMOVMASKB picks bits from a stream of bytes to generate an 8-bit
mask. Every byte of the virus code was decoded individually. I would not make
it any differently today, but there are still plenty of interesting things to do
using MMX.
W32.Sigrun.C - first virus using Intel AES-NI for AES128 encryption. It had an
encryption routine which the virus transformed into a decryptor, so no need of
using two separate routines, probably it's the smallest AES128 algorithm in
existence and it can be made smaller! I originally intended it to be 64-bit
code but somehow I ended up sticking the engine to a 32-bit virus body, maybe
someday I can manage to make it right.
W32.Fizzy - first virus using ENTER instruction for reordering the virus body.
For a long time I wanted to make a virus using the stack for "decoding", I
decided to study what I already knew about it and found that actually I did not
know that ENTER can copy previous stack frames. I think it was the best I could
have done because so far I can't think of another way to improve on that field.
W32.Posey - first virus using INT 3 for decoding. I wondered about this
instruction for many days, had a lot of ideas and dismissed them all. Somehow
one night I thought I could use it together with "call" to calculate the
distance from one point to another where an exception occurred, thus using the
Virtual Address Space in our favor, every byte of the virus body was decoded
individually causing exceptions and calculating the distance. I think I should
have used at least a simple encryption method because the result was always the
same. I think it was the best I could have done because so far I can't think of
another way to improve on that field.
W32.CFFE - first virus to infect CFF Explorer scripts. I had the opportunity to
report some bugs to its author.
W32.Atlas - first virus using debugging capabilities to decode the virus body.
I would not make it any differently today, but there are still plenty of
interesting things to do.
W32.UNIT00 - first virus hosting script code in its own process. The code made
use of an OCX available in Windows to run a script like Windows Script host. I
used the script to decrypt the virus body using a simple RC4 algorithm. A
drawback of the technique is that the OCX is not available in 64-bit version,
but I managed to port it to 64-bit. If I find another interesting technique
using machine code and script together, then I would make it a 64-bit virus.
Windows 64-bit:
W64.Sigrun.A - first virus using Intel MMX "MASKMOVQ" instruction for decoding,
MASKMOVQ uses a mask to move bytes in memory. Every byte of the virus code was
decoded individually. I would not make it any differently today, but there are
still plenty of interesting things to do using MMX. Unfortunately, it seems I
made a mistake while editing the code before the release and caused it to
infect no files, it was silly.
W64.Haley - first virus to use Exception Directory for Entrypoint Obscuring.
The virus inserted a new Exception Directory which would set the virus as an
exception handler, then the first byte at the host entrypoint would be replaced
by an INT 3 instruction. I think it was the best I could have done because so
far I can't think of another way to improve on that field.
Windows 32/64-bit:
W32/64.Sofia - my first cross-platform infector on Windows. I originally
intended it to be a single piece of code that worked on both platforms, but I
used parts that were platform-dependent and I still was happy with the result
and it was written in a single day. I eventually wrote a version of Sofia that
is a single block of code, made it much smaller and better. Maybe I find an
interesting technique to implement using a cross-platform body someday.
As co-author:
W32.Wave.A - it was a virus that recorded noise to generate random numbers for
its encryption routine. I wrote most of the code for this one, and the body of
Sigrun.C was used.
Scripts:
I wrote many script viruses, but they are not worth mentioning. However, among
them there are the first source code infectors for Scilab, FreeMat, Falcon and
Neko. The first JScript to produce .NET executable files for spreading.
JScript/JS.NET cross-infector, but it's a terrible code. JScript and VBScript
virus using exceptions to rebuild virus code.
The most difficult to code was UNIT00. I never thought it would work. Until it
worked, of course. ;)
##############################
## For the co-operation of W32.Wave, which has been released in valhalla#3, the
## code was signed by the name "(o)". Can you tell us who this is? Do you know
## of some specific meaning of that name?
(o) is a very good friend of mine, computer science student. I think it was
inspired by the logo of the band "A Perfect Circle".
##############################
## What do you think in general about the quality and correctness of Peter's
## analysis? He mentioned in a few of his texts the opportunity for better
## optimization, and also explained some "bugs" - some of those bug-explanations
## sound ridiculous. What do you think about them?
Ha. I think you can say a lot about a person by what you see in their codes. I
have seen some of his analyses where he does not mention anything regarding
the optimisation of the code. He knows that I put some effort into it. He likes
to criticise my code, he likes to criticise me when he finds that I missed something
I shouldn't have, or I could have done better. It's fine with me.
It's the same thing with the bugs. Sometimes I make mistakes that I didn't in
the past, sometimes I make mistakes that given my knowledge, I shouldn't. Means
that I haven't learned my lessons well. Bugs can cause damage to the host, so
it is quite important to describe them. So, it's fine with me.
But sometimes he prefers to describe my mistakes rather than describe some of
the features of the code that are more important. For example, in his analysis
of my W32.Sigrun.C virus, instead of describing that the virus was capable of
transforming its encryption algorithm into a decryptor, he wrote that I could
have used other instructions to save some bytes, while obviously if you use
self-modifying code to avoid having two separate algorithms it's a more
important optimisation feature. Then that's what I consider ridiculous from
him.
##############################
## What is your opinion on optimization of the code? What would you say against
## somebody who claims that optimization is a waste of time as today's HDs
## have 100s of GB space and network speed is 10s of MB/sec usually.
I only care about the size of the code, and not about the speed of the code.
When I started learning assembly, I was studying a paper about bitwise
instructions, the author wrote that the coolest tricks are about optimisation.
That was enlightening for me, I think, I never forgot about it.
There are standards for quality code at all levels of development. We write POC
code that does not obey the standards of companies, but it does obey our
own standards. I think that the quality of the code is there, in how well you
can design an algorithm, its intricate details, there is a certain elegance
there. It's hard to explain.
##############################
## How do you get new ideas about your next projects? How much time do you spend
## on researching, coding, bug-fixing, optimizing usually? What was your most
## complex code so far, and why?
It is a funny, sometimes messy process.
I am always researching but I'm not the kind of person who likes to take notes.
Sometimes I remember my plans when I dream about them. Dreams are good
incentives for me because when I wake up I feel an urge to try it.
When I research and decide to try it right away on code, if it works, I
research more about it to improve the code. It might take just a few days
(I work on other projects at the same time, too), when I consider I have enough
knowledge, I write the virus code to implement it.
I don't spend much time coding for my ideas, I write them little by little.
I don't spend much time fixing bugs, either. I make mistakes while editing the
template code I use, but I don't notice the effects most of the time.
I don't think I have any complex code yet.
##############################
## What is your most favorite technique? What are the techniques that you like
## to research most?
Not sure whether I have a favouritism for some techniques, or I just like to
research on those fields because I feel comfortable working there.
I would say I am generally just attracted by techniques for file infection,
decryption of code, tricks with processor instructions, cross-platform code.
These are the fields on which I have been working, and continue working on.
##############################
## I know that you like to read old zines, and feel the nostalgia as well :) So
## what are your favorite viruses/worms from the early days until today? Maybe
## in 5-year steps, like pre-90s, early 90s, late 90s, early 2000s, late 2000s
## and 2010s? And which coders do you consider as the all-time legends?
Here is a list of some of my favourite viruses:
1996 DOS.PLY
1997 W32.Z0mbie by Z0mbie
1997 Esperanto by MrSandman
1997 W32.Cabanas by Jacky Qwerty
1998 W32.Apparition by LordAsd
1999 W32.Regswap by Vecna
2001 W95/Resurrel by Tcp
2001 W32.ZMist by Z0mbie
2001 W32.Shrug by roy g biv
2001 W32/Linux.Winux by Benny
2002 W32.MetaPHOR by The Mental Driller
2004 MSIL.Snail by whale
2004 (IA64) W64.Shrug by roy g biv
2006 W32.Boundary by roy g biv
2010 W32.Stuxnet by ...
2010 W32.Evoris by SPTH
2011 W32/64.Heaven by roy g biv
2011 W32.Evolus by SPTH
2011 W32.Kitti by SPTH
2012 W32.Filly by SPTH
2012 JS.Transcriptase by SPTH
I'm probably missing some but those are some I can remember right now. All time
legend coders:
Benny, Dark Avenger, herm1t, roy g biv, SPTH, The Mental Driller, Vecna, Z0mbie
##############################
## Which ideas or techniques since the start of viruswriting in the late 80s
## have been most influencing and important?
I think that polymorphism was one of them, obfuscation, per-process residency,
stealth (now we have other names for it).
##############################
## What is the best and most awesome self-replicator that you can think of? What
## might happen in the future with respect to computerviruses? What will be in
## 3-5 years? What might be possible in 2050? Be creative ;)
A metamorphic version of my cross-platform virus. Naturally, someone with
greater skills would be its author, not me. ;)
In the future, computer viruses and virus writers will eventually disappear.
If we were writing viruses with spreading capabilities, modular designs,
complex networking, and on top of that, new techniques. Not necessarily
spreading, AV companies would still mildly be onto us.
Virus writing community understood that what they were doing was illegal in
many countries. Some people left, some people stayed and became POC virus
writers. I believe this transition contributed to the disappearance of the
virus writer generation itself. There is no money there for AV if hobbyists do
not spread. But some of them became malware writers. Malware goes where the
money is, so do the AV companies, and they attract the media, which is good for
business.
Now some say the PC is dying, being replaced by mobile equipment like tablets,
smartphones. Where there is trend, there is money, and there is malware.
Malware has already moved on to those platforms while viruses and virus writers
have not yet. There is also the security researcher, the malware researcher,
who is paid to infect those platforms, or they do it but present it on
conferences or important events where the average virus writer does not access,
and those people don't feel like publishing their research in ezines with
little design efforts, no advertisers, no media attention.
So, as I see it, the future looks grim. However, I think people will continue
to try interesting tricks on Windows, Linux, OSX. Those platforms will never be
abandoned at all, but in many, many years from now, just for the sake of
remembering the past.
In 2050 maybe biopunks try self-replicators. And a few decades later a bored
woman will create the first self-replicator in Autoverse. ;)
##############################
## You mention mobile environments, like "smart"-phones and tablets. Do you plan
## to do research with those platforms some day? Some nice polymorphic EPO
## Android binary infector? :)
I have tried Android. Now for sure I can tell it's not going to be easy, but
who knows. ;)
##############################
## What might be the coolest device to infect? Lord Yup pioneered in infecting
## the TI calculators, vallez and Ratter hit on mobile devices, VirusBuster in
## his intro to 29a#8 speculated about an infector for a coffee pot. What do you
## think (realistic and futuristic :) )?
Satellite.
##############################
## Those criminals who earn money by spreading viruses - do you follow their
## latest projects? Do you think they could learn something by reading our
## articles and codes, or could we learn something by looking deeper into their
## creations?
I like to read about APT attacks. Malware writers know a few good tricks of
their own-- it would be silly to underestimate their skills. Still, I think they
could learn a few things from us as well. :)
##############################
## Do you follow the projects of scientific researchers such as Eric Filiol or
## Mark Stamp? Do you read articles in "Journal in computer virology"?
I have seen some of their research, but most of it is not of my interest.
##############################
## In the last 2.5 years, you initiated the valhalla-magazine, a kickass ezine
## with four (valhalla0,1,2,3) issues. Could you describe the story behind it,
## and what is your intention for valhalla's future? How can people contribute?
I have very vague memories of how it began. But here is how I remember it
happened: I had the idea of a new ezine, but somehow not a continuation of the
VirusWriting Bulletin. Back to the old-school roots, high-quality. I told
roy g biv and asked him to contribute, I asked SPTH as well. I thought
roy g biv unlike SPTH, never had himself involved much in the creation of an
ezine before, so I asked him to think of a name for it. Some time later
roy g biv had a name and contributions and so Valhalla was born.
I am positive that in the future we will make an historic release, maybe not in
the near future, we need to continue researching and explore new fields.
People can contribute by sending me an email with their material:
agonisthh86[at]gmail.com
The deadline for Valhalla #4 is 1st of November.
##############################
## Ohh, "an historic release" - that sounds great. What are you thinking about?
## Why not in near future? What should we do? :)
The craziest creation you can imagine. :) We need time, patience and hard work
to bring things to existence.
##############################
## Last time you said you don't have much contact to other viruswriters. Now due
## to the valhalla magazine and your great codes, I guess that changed. Do you
## have a lot of contact to other viruswriters now?
No. This fact causes me great dismay.
##############################
## What was the nicest comments you got about your codes or magazines? What was
## the dumbest message? :)
Honestly, I don't remember that I have received any nice comment regarding my
codes. Yes, I have received some nice comments about the ezine.
The dumbest was from some guy who thought he was quite intelligent for pointing
me out that my W32.Sigrun.C's decryptor had the key in its body. Obviously, I
know that, I wrote it. The virus was not about security, you idiot. :)
##############################
## What about people from anti virus companies or other security researchers -
## do you have contact with many of them?
Yes, but not much lately.
##############################
## OK, that's it with the virus-related questions. Let's think about something
## totally different: To which future events are you looking forward?
I'm looking forward to seeing humans landing on Mars for the first time. New
scientific discoveries (and some by myself). :) Also I'm looking forward to seeing
the president of Argentina go to jail.
##############################
## Very cool, good luck with science! +crossingfingers+ :) Could you give us a
## short explanation about what Cristina Kirchner (president of Argentina) did?
Thank you.
Her husband ex-president Nestor Kirchner, some members of her political party,
entrepreneurs, and herself, have been conducting a money laundering operation.
Read more about it here: http://en.wikipedia.org/wiki/The_road_of_the_money_K
Some of her most prominent functionaries in the government are linked to human
trafficking and illegal gambling. Her son commands a militant party of adepts to
the government, known as "La Campora", they make politics in schools,
high-schools and universities of all the country, brainwashing the youth to make
them believe that their saviors are the Kirchners. La Campora moves across the
country to control and report to the president. They remind us a lot of the
Hitler Youth.
An example: http://www.infanciahoy.com/imgnoticias/infanciahoy.com_10602_1382012_campora.JPG
Since they control most of the organisms and institutions, they have a majority
in the congress, and they own most of the judges in the country, their crimes
are not punished. But they do punish the people who criticise them and publicly
oppose them, people get fired, persecuted, investigated. Many people have
suffered this kind of persecution, people from the media, judges, members of
the opposition, people who are not affiliated to political parties, etc.
They subdue the poor to vote for them, threatening to take away the help plans
given by the government. There is an ongoing genocide against native "Qom"
people, police attack them and threaten them. The Qom people have been camping
near the house of government for many weeks now trying to contact the
president, and she does not receive them to treat their problems. That is of
course because it's the governors affiliated to her party who command those
actions.
We have seen also cases of persecution against the media who report the cases
against the government, they try to take over those TV stations to censor them
as has happened already with the TV show that revealed the case of money
laundering. They change the names of public places. And recently the president
ordered an artist to change the name of her work because she didn't like it.
This is not even the tip of the iceberg, it would take months to describe our
complete current situation in the country. We are living in a dictatorship.
La Campora has an enormous harassing presence on the internet, so I guess I'm next
now. :)
##############################
## Something different: Imagine a good ghost visits you and offers you three
## wishes. What would it be? :)
- a portable time-travel device. I would like to meet Albert Einstein.
- a ship that can travel across the universe in almost no time, and can be operated by one person.
- money, a lot of it. I would dedicate most of my time to study if I didn't have to work.
##############################
## Cool, traveling through the whole spacetime :) OK - it's obvious that you like
## astronomy, now maybe as a final question: What are your three single most
## favorite objects in the sky? :)
The constellation of Orion has always fascinated me since I was a child. Those
visible stars, for what they mean to life in planets. And the planet Neptune.
##############################
## Thanks a lot hh86 for this very nice interview, it was very exciting :)
## Any final thoughts?! The rest of the file is yours!
Thank you for this opportunity to talk about my codes and myself.
No final thoughts. Just send greetings to those people who help me in so many
ways.