**********************************************
                               Interview with hh86
                            by Second Part To Hell
             **********************************************                                                                
                           
hh86 is one of the best and most active virus writers in recent years, and she
is also the editor of the valhalla-ezines.

The first interview with her I did in December 2010 (released in DC#3), about
2.5 years ago. Since then, many things happened, and it's interesting to talk
to hh86 again!

You can reach her via agonisthh86[at]gmail.com or https://twitter.com/hh86_

The interview was done via several e-mail sessions in June 2013.

Have fun! :)

                       
                           
                                             
##############################
## Hey hh86! First, could you please introduce yourself - such as how do you
## spend your 24h per day usually? Do you have hobbies other than virus-related
## stuff? 
        

I wake up approximately at 6 A.M. and go to work until evening.  So I work most
of the time.  Then I come back home to spend the rest of the time on coding.

I don't consider virus writing as one of my hobbies, actually. I do have a real
hobby-- I like to play FPS games, complete them on a  single  night.  I'm  very
good at it.



##############################
## Can you tell us when you were born, where you are from and where do you spend
## your time at the moment?


I was born in 1992.  I live in Argentina.  At the moment, I am spending my time
in the room where I have my computers.  In  spite  of the heat generated by the
CPUs, this room has its own Winter.  But it is somehow pleasing right now.



##############################
## What was the best movie that you have seen since December 2010? What is your
## favorite movie in general and why?


"Dustbin Baby" is the best film I have seen since December 2010.

My favourite film is  "The End of Evangelion", because I  can  identify  myself
with two of the main female characters.  I am a rare combination  between Asuka
Langley Soryu and Rei Ayanami.  They are both opposed, but so am I with myself.



##############################
## Do you like to read? What's your favorite genre? I see from time to time
## allusions to some science fiction novels; which are your favorite ones?                                                                     


I like reading books very much. I don't have a favourite literary genre.  Books
on  my  shelf  are  science-fiction, crime, horror,  mystery, thriller  novels, 
science  books, compilations  of  short  works from different authors, and some 
computer programming books.

My  favourite  books are: Contact  by  Carl  Sagan; Carrie by Stephen King; and
Sprawl trilogy by William Gibson.

I like poetry as well. In my most recent codes, I included a fragment of a poem
written in  1916  by Marina Tsvetaeva.  You  can see it in the source code, but
it is encoded as hexadecimal data.  Only those who went so far as compiling the
source have probably read it.



##############################
## You mentioned in the last interview, that you were interested in viruses
## since you were 14. When did you have the first contact with viruswriters, and
## who were they?
 

I can't really remember when it happened.   I began researching about the topic
on several forums and other places for quite some time before I found myself in
VX Heavens and then 29A, where I learned for real.  I talked to some people who
may  or may not have been virus  writers, I never saw anything from them in the
scene.



##############################
## Imagine some clever youngster reads this text and - fascinated by your
## answers - decides that (s)he wants to program some self-replicating
## programs. What would be your suggestion? What's the best way to start? What
## needs to be learned?


Where there is a will there is a way.

I would suggest to learn general programming in C or C++. Having a good base of
knowledge  and  programming skills is the best before learning the concepts and
techniques of virus writing.  Then you might want to try to learn ASM.

ASM is not difficult to learn.  It requires patience, and creativity, just like
any work of art.  When you learn ASM, you are getting closer to the truth.  So,
you will spend most of your time understanding how things work.



##############################
## We talked about 2.5 years ago. Much has happened since then. What were
## your personal highlights since then regarding viruses? What has been the
## nicest development, what was the worst?


Lots of good things have happened.

LIP project by SPTH.  Upcoming DC5.
DC  is  an  ezine which began much before Valhalla, so Valhalla itself has been 
growing next to it, which is very, very good.   DC is now going for their fifth
issue, and I'm very honored that they invited me to contribute.

The worst that happened was VX Heavens going down, my alma mater.  Other things
too, but they are not worth mentioning.



##############################
## Since the last interview, you have been very active writing a bunch of
## kick-ass viruses. Eight of your codes have been analysed by Peter Ferrie
## and described in VirusBulletin. That's very impressive! Can you please tell us
## about your creations from that time. What were your favorite projects? What
## have been the most difficult? For which are you most proud? What would you do
## differently with the knowledge from today?


Thank you.
Since the last interview I wrote many new viruses.  Here  is  a  description of 
them.

Windows 32-bit:

W32.Sigrun.B -  first   virus  using  Intel  MMX  "PMOVMASKB"  instruction  for
decoding, PMOVMASKB  picks  bits  from  a  stream of bytes to generate an 8-bit
mask.  Every byte of the virus code was decoded individually.  I would not make
it any differently today, but there is still plenty of interesting things to do
using MMX.

W32.Sigrun.C - first virus using Intel AES-NI for AES128 encryption.  It had an 
encryption routine which the virus transformed  into a decryptor, so no need of
using  two  separate  routines, probably  it's the smallest AES128 algorithm in 
existence and it can be made smaller!  I  originally  intended  it to be 64-bit
code  but  somehow I ended up sticking the engine to a 32-bit virus body, maybe 
someday I can manage to make it right.

W32.Fizzy - first  virus using ENTER instruction for reordering the virus body.  
For  a  long  time  I  wanted to make a virus using the stack for "decoding", I 
decided to study what I already knew about it and found that actually I did not
know that ENTER can copy previous stack frames. I think it was the best I could
have done because so far I can't think of another way to improve on that field.

W32.Posey - first  virus  using  INT 3  for  decoding.  I  wandered  about this 
instruction for many days, had a lot of ideas and dismissed them all.   Somehow
one  night  I  thought  I  could  use  it together with "call" to calculate the
distance  from  one point to another where an exception occurred, thus using the
Virtual Address Space  in  our  favor, every byte of the virus body was decoded
individually causing exceptions and calculating the distance.  I think I should
have used at least a simple encryption method because the result was always the
same. I think it was the best I could have done because so far I can't think of
another way to improve on that field.

W32.CFFE - first virus to infect CFF Explorer scripts. I had the opportunity to 
report some bugs to its author.

W32.Atlas -  first virus using debugging capabilities to decode the virus body.
I would  not  make  it  any  differently  today, but  there  is still plenty of 
interesting things to do.

W32.UNIT00 - first virus hosting script code in its own process.  The code made 
use of an OCX available in Windows to run a script like  Windows Script host. I
used  the  script  to  decrypt  the virus body using a simple RC4 algorithm.  A 
drawback  of  the technique is that the OCX is not available in 64-bit version,
but  I  managed  to port it to 64-bit.  If I find another interesting technique
using machine code and script together, then I would make it a 64-bit virus.

Windows 64-bit:

W64.Sigrun.A - first virus using Intel MMX "MASKMOVQ" instruction for decoding, 
MASKMOVQ uses a mask to move bytes in memory.  Every byte of the virus code was
decoded individually.   I would not make it any differently today, but there is
still plenty of interesting things to do using MMX.   Unfortunately, it seems I
made  a  mistake  while  editing  the  code before the release and caused it to 
infect no files, it was silly.

W64.Haley - first  virus  to  use Exception Directory for Entrypoint Obscuring.  
The  virus  inserted  a new Exception Directory which would set the virus as an
exception handler, then the first byte at the host entrypoint would be replaced 
by an INT 3 instruction.   I think it was the best I could have done because so
far I can't think of another way to improve on that field.

Windows 32/64-bit:

W32/64.Sofia - my  first  cross-platform  infector  on  Windows.  I  originally 
intended  it  to be a single piece of code that worked on both platforms, but I
used  parts  that were platform-dependent and I still was happy with the result 
and it was written in a single day.  I eventually wrote a version of Sofia that
is a single block of code, made it much smaller and better.  Maybe  I  find  an
interesting technique to implement using a cross-platform body someday.

As co-author:

W32.Wave.A - it was a virus that recorded noise to generate  random numbers for 
its encryption routine.  I wrote most of the code for this one, and the body of
Sigrun.C was used.

Scripts:

I wrote many script viruses, but they are not worth mentioning.  However, among 
them there are the first source code infectors for Scilab, FreeMat, Falcon and
Neko.  The  first  JScript  to  produce  .NET  executable  files for spreading. 
JScript/JS.NET cross-infector, but it's a terrible code.   JScript and VBScript
virus using exceptions to rebuild virus code.


The most difficult to code was UNIT00.  I never thought it would work. Until it
worked, of course. ;)



##############################
## For the co-operation of W32.Wave, which has been released in valhalla#3, the
## code was signed by the name "(o)". Can you tell us who this is? Do you know
## of some specific meaning of that name?
 

(o) is a very good friend of mine, computer  science  student.  I think  it was
inspired by the logo of the band "A Perfect Circle".



##############################
## What do you think in general about the quality and correctness of Peter's
## analysis? He mentioned in a few of his texts the opportunity for better
## optimization, and also explained some "bugs" - some of those bug-explanations
## sound ridiculous. What do you think about them?


Ha.  I think you can say a lot about a person by what you see on their codes, I
have seen  some  of his analysis where he does not mention anything  regarding
the optimisation of the code.  He knows that I put some effort on it.  He likes
to criticise my code, he likes to criticise me when he finds that I  missed something
I shouldn't have, or I could have done better.  It's fine with me.

It's the same thing with the bugs.   Sometimes I make mistakes that I didn't in
the past, sometimes I make mistakes that given my knowledge, I shouldn't. Means
that I haven't learned my lessons well.   Bugs can cause damage to the host, so
it is quite important to describe them.  So, it's fine with me.

But sometimes he prefers to describe my mistakes rather than describe some of
the features of the code that are more important.  For example, in his analysis
of my W32.Sigrun.C virus, instead of describing that the virus  was  capable of
transforming its encryption algorithm into a decryptor, he  wrote  that I could
have used other instructions to save some bytes, while  obviously  if you use
self-modifying  code  to  avoid  having  two  separate  algorithms  it's a  more 
important optimisation feature.  Then  that's  what  I consider ridiculous from
him.



##############################
## What is your opinion on optimization of the code? What would you say against
## somebody who claims that optimization is a waste of time as today's HDs
## have 100s of GB space and network speed is 10s of MB/sec usually. 


I only  care  about  the size of the code, and not about the speed of the code.
When I started  learning  assembly,  I  was  studying  a  paper  about  bitwise 
instructions, the author wrote that the  coolest tricks are about optimisation.
That was enlightening for me, I think, I never forgot about it.

There are standards for quality code in all levels of development. We write POC
code that does not obey the standards of companies, but it does obey our
own standards.   I think that the quality of the code is there, in how well you
can design an algorithm, its intricate details, there  is  a certain elegance
there.  It's hard to explain.



##############################
## How do you get new ideas about your next projects? How much time do you spend
## on researching, coding, bug-fixing, optimizing usually? What was your most
## complex code so far, and why? 


It is a funny, sometimes messy process.
I am always researching but I'm not the kind of person who likes to take notes.
Sometimes  I  remember  my  plans when  I  dream about them.   Dreams are good
incentives for me because when I wake up I feel an urge to try it.

When  I  research  and  decide  to try it right away on code,  if  it  works, I
research more about it to improve the code.  It might take just a few days
(I work on other projects at the same time, too), when I consider I have enough
knowledge, I write the virus code to implement it.

I  don't  spend  much  time coding for my ideas, I write them little by little.
I don't spend much time fixing bugs, either.  I make mistakes while editing the
template code I use, but I don't notice the effects most of the time.

I don't think I have any complex code yet.



##############################
## What are your favorite techniques? What are the techniques that you like
## to research most?


Not  sure  whether  I have a favouritism for some techniques, or I just like to 
research on those fields because I feel comfortable working there.

I would say I am generally  just  attracted  by  techniques for file infection,
decryption  of  code,  tricks with processor instructions, cross-platform code.
These are the fields on which I have been working, and continue working on.



##############################
## I know that you like to read old zines, and feel the nostalgia as well :) So
## what are your favorite viruses/worms from the early days until today? Maybe
## in 5-year steps, like pre-90s, early 90s, late 90s, early 2000s, late 2000s
## and 2010s? And which coders do you consider as the all-time legends? 


Here is a list of some of my favourite viruses:

1996 DOS.PLY
1997 W32.Z0mbie by Z0mbie
1997 Esperanto by MrSandman
1997 W32.Cabanas by Jacky Qwerty
1998 W32.Apparition by LordAsd
1999 W32.Regswap by Vecna
2001 W95/Resurrel by Tcp
2001 W32.ZMist by Z0mbie
2001 W32.Shrug by roy g biv
2001 W32/Linux.Winux by Benny
2002 W32.MetaPHOR by The Mental Driller
2004 MSIL.Snail by whale
2004 (IA64) W64.Shrug by roy g biv
2006 W32.Boundary by roy g biv
2010 W32.Stuxnet by ...
2010 W32.Evoris by SPTH
2011 W32/64.Heaven by roy g biv
2011 W32.Evolus by SPTH
2011 W32.Kitti by SPTH
2012 W32.Filly by SPTH
2012 JS.Transcriptase by SPTH

I'm probably missing some but those are some I can remember right now. All time
legend coders:


Benny, Dark Avenger, herm1t, roy g biv, SPTH, The Mental Driller, Vecna, Z0mbie



##############################
## Which ideas or techniques since the start of viruswriting in the late 80s
## have been most influential and important?
 

I think  that  polymorphism was one of them, obfuscation, per-process residency,
stealth (now we have other names for it).



##############################
## What is the best and most awesome self-replicator that you can think of? What 
## might happen in the future with respect to computer viruses? What will be in
## 3-5 years? What might be possible in 2050? Be creative ;)


A metamorphic  version  of  my  cross-platform  virus.  Naturally, someone with 
greater skills would be its author, not me. ;)

In  the  future, computer  viruses and virus writers will eventually disappear.

If  we  were  writing  viruses  with  spreading  capabilities, modular designs,
complex  networking,  and  on  top  of  that, new  techniques.  Not necessarily
spreading, AV companies would still mildly be onto us. 

Virus writing  community  understood  that  what they were doing was illegal in
many countries.  Some  people  left, some  people  stayed and  became POC virus
writers.  I believe  this  transition  contributed  to the disappearance of the 
virus writer generation itself.   There is no money there for AV if hobbyists do
not spread.   But some of them became malware writers.   Malware goes where the
money is, so do the AV companies, and they attract the media, which is good for
business.

Now  some say the PC is dying, being replaced by mobile equipment like tablets, 
smartphones.   Where  there is a trend, there is money, and  there  is  malware. 
Malware has already moved on to those platforms while viruses and virus writers 
have  not  yet.  There is also the security researcher, the malware researcher, 
who  is  paid  to  infect  those  platforms,  or  they  do it but present it on 
conferences or important events where the average virus writer does not access, 
and  those  people  don't  feel  like  publishing their research in ezines with
little design efforts, no advertisers, no media attention.

So, as I see it, the future looks grim.   However, I think people will continue 
to try interesting tricks on Windows, Linux, OSX.  Those platforms will never be
abandoned  at  all, but  in  many, many  years  from  now, just for the sake of 
remembering the past.

In  2050  maybe biopunks try self-replicators.  And a few decades later a bored
woman will create the first self-replicator in Autoverse. ;)



##############################
## You mention mobile environments, like "smart"-phones and tablets. Do you plan
## to do research with those platforms some day? Some nice polymorphic EPO
## Android binary infector? :)


I have tried Android.  Now  for  sure I can tell it's not going to be easy, but
who knows. ;)



##############################
## What might be the coolest device to infect? Lord Yup pioneered in infecting
## the TI calculators, vallez and Ratter hit on mobile devices, VirusBuster in
## his intro to 29a#8 speculated about an infector for a coffee pot. What do you
## think (realistic and futuristic :) )?


Satellite.



##############################
## Those criminals who earn money by spreading viruses - do you follow their 
## latest projects? Do you think they could learn something by reading our
## articles and codes, or could we learn something by looking deeper into their
## creations? 


I like to read about APT attacks.  Malware  writers  know  a few good tricks of
their own-- it would be silly to underestimate their skills. Still, I think they
could learn a few things from us as well. :) 



##############################
## Do you follow the projects of scientific researchers such as Eric Filiol or
## Mark Stamp? Do you read articles in "Journal in computer virology"?
 

I have seen some of their research, but most of it is not of my interest.



##############################
## In the last 2.5 years, you initiated the valhalla-magazine, a kickass ezine
## with four (valhalla0,1,2,3) issues. Could you describe the story behind it,
## and what is your intention to valhallas future? How can people contribute?


I  have  very  vague  memories  of how it began.  But here is how I remember it 
happened:  I had the idea of a new ezine, but somehow not a continuation of the 
VirusWriting Bulletin.  Back  to  the  old-school  roots, high-quality.  I told
roy g biv and  asked  him  to  contribute, I  asked  SPTH as  well.   I thought 
roy g biv unlike SPTH, never  had  himself  involved much in the creation of an
ezine  before, so  I  asked  him  to  think  of a name for it.  Some time later 
roy g biv had a name and contributions and so Valhalla was born.

I am positive that in the future we will make an historic release, maybe not in 
the near future, we need to continue researching and explore new fields.

People can contribute by sending me an email with their material:
agonisthh86[at]gmail.com

The deadline for Valhalla #4 is 1st of November.



##############################
## Ohh, "an historic release" - that sounds great. What are you thinking about?
## Why not in near future? What should we do? :)


The craziest creation you can imagine. :)  We need time, patience and hard work 
to bring things to existence.


##############################
## Last time you said you don't have much contact to other viruswriters. Now due
## to the valhalla magazine and your great codes, I guess that changed. Do you
## have a lot of contact to other viruswriters now?


No.  This fact causes me great dismay.



##############################
## What were the nicest comments you got about your codes or magazines? What was
## the dumbest message? :) 


Honestly, I don't  remember  that I have received any nice comment regarding my
codes.  Yes, I have received some nice comments about the ezine.

The dumbest was from some guy who thought he was quite intelligent for pointing
me out that my W32.Sigrun.C's decryptor had the key in its body.   Obviously, I
know that, I wrote it.  The virus was not about security, you idiot. :)



##############################
## What about people from anti virus companies or other security researchers - 
## do you have contact with many of them?


Yes, but not much lately.

##############################
## OK, that's it with the virus-related questions. Let's think about something
## totally different: To which future events are you looking forward?


I'm  looking  forward  to  see  humans landing on Mars for the first time.  New
scientific discoveries (and some by myself). :) Also I'm looking forward to see
the president of Argentina go to jail.



##############################
## Very cool, good luck with science! +crossingfingers+ :) Could you give us a
## short explanation about what Cristina Kirchner (president of Argentina) did?
 

Thank you.

Her husband ex-president Nestor Kirchner, some members of her  political party,
entrepreneurs, and herself, have been conducting a money laundering  operation.
Read more about it here: http://en.wikipedia.org/wiki/The_road_of_the_money_K

Some of her most prominent functionaries in the government  are linked to human
trafficking and illegal gambling.  Her son commands a militant party of adepts to
the   government,  known  as  "La Campora",  they   make  politics  in  schools,
high-school and universities of all the country, brainwashing the youth to make
them believe that their saviors are the Kirchners.  La Campora moves across the
country  to  control and report to the president.   They remind us a lot of the
Hitler Youth.

An example: http://www.infanciahoy.com/imgnoticias/infanciahoy.com_10602_1382012_campora.JPG

Since they control most of the organisms and institutions, they have a  majority
in the congress, and  they  own  most of the  judges in the country, their crimes
are not punished.  But they do punish the  people who criticise them and publicly
oppose  them, people  get fired, persecuted, investigated.   Many  people have
suffered this kind of persecution, people from  the  media,  judges, members of
the opposition, people who are not affiliated to political parties, etc.

They  subdue the poor to vote for them threatening  to take away the help plans
given by the government.  There  is  an  ongoing  genocide against native "Qom"
people, police attack them and threaten them.   The  Qom people have been camping
near the house  of  government  for  many  weeks  now  trying  to  contact  the
president, and  she does  not  receive  them to treat their problems.  That  is  of
course because it's the governors  affiliated to her party who  command  those
actions.

We have seen also cases of persecution against the media who reports  the cases
against  the  government, they try to take over those TV stations to censor them
as has  happened  already  with  the  TV show  that  revealed  the case of money
laundering.  They change the name of public places.  And recently the president
ordered  an  artist to change the name of her work because she didn't like it.

This  is not  even  the  tip  of the iceberg, it would take months to describe our
complete  current  situation  in the country.  We are living in a dictatorship.
La Campora has an enormous harassing presence on internet, so  I guess I'm next
now. :)



##############################
## Something different: Imagine a good ghost visits you and offers you three
## wishes. What would it be? :)
##


- a portable time-travel device.  I would like to meet Albert Einstein.
- a ship that can travel across the universe in almost no time, and can be operated by one person.
- money, a lot of it.  I would dedicate most of my time to study if I didn't have to work.



##############################
## Cool, traveling thru the whole spacetime :) OK - it's obvious that you like
## astronomy, now maybe as a final question: What are your three single most
## favorite objects in the sky? :) 


The constellation of Orion has always fascinated me since I was a child.  Those
visible stars, for what they mean to life in planets.  And the planet Neptune.



##############################
## Thanks a lot hh86 for this very nice interview, was very exciting :)
## Any final thoughts?! The rest of the file is yours!


Thank you for this opportunity to talk about my codes and myself.

No final thoughts.   Just send greetings to those people who help me in so many
ways.