VX Heaven


Warning: Virus!

Dan Grabham
.net magazine issue 118
December 2003


Viruses are here to stay and they're more dangerous than ever. This month, Dan Grabham talks to top security firms and the virus writers themselves to find out why installing anti-virus software is futile

Even the best anti-virus software is no longer enough to protect you. Virus writers can still reduce your PC to a useless hulk within minutes, simply by downloading a toolkit. They no longer need to learn complex programming languages, either. "People who buy anti-virus software and think their job for protecting against viruses is over are seriously mistaken," rues Ken Dunham, director of malicious code for cyber-intelligence firm iDefense. Many virus writers compose simply by copying different bits of code in a language such as C++, although many do use assembly language. "The level of virus writers is increasingly falling," says self-styled virus designer, Whale. "There are ten to 20 really interesting viruses per year. The rest are 'cool' viruses written in VB and Delphi."

It's no surprise the Net is riddled with threats. "We see something like 900 new viruses every month in our labs," says Graham Cluley, senior technical consultant for Sophos Antivirus. But because a lot of them aren't very well built, only a very small proportion cause a significant problem to the public.

A real threat

How do people get involved in writing viruses? "Kids will see that an anti-virus (AV) system detects a Trojan and go on to bulletin boards, newsgroups and forums and they will ask how they can bypass some AV or another," surmises Drew Copley, research engineer at eEye Digital Security. "They often get advice much as one would get the same advice about fixing a car. The people who figure out these things get a lot of additional respect from their little communities and so the cycle goes on."

Virus history is littered with legends, and writing a virus that becomes a pain in the neck is still aspirational for many, with heroes such as Black Baron (spreader of the SMEG viruses), David L Smith (creator and distributor of Melissa in March 1999) and Chen Ing-Hau, who wrote the CIH virus which triggers on the anniversary of the Chernobyl disaster. Herm1t, the Webmaster of virus resource VX Heavens, describes himself as a "white, adult, professionally employed male from Eastern Europe" writing viruses occasionally. He describes the best virus writing as work: "It's harder to debug and test viruses than regular software. You can't call for support, you can't beta-test and you don't know in what environment your creature will run. I don't think about viruses in terms of damage, complexity of protection against them or effectiveness, but how beautiful they are. It is art and no ethical issues can be applied here..."

Only a small number of people worldwide are responsible for the huge majority of the most deadly viruses. Virus coders tend to work in teams. 29A - which is hexadecimal for '666' - is the most notorious and lists just nine staff. Be careful if you visit sites such as this; many contain viruses which you can download. 29A is responsible for many major viruses - or virii as it likes to call them. Z0MbiE and Czech writer Benny are two of 29A's most prolific writers - see our exclusive interview with Benny opposite. Infamous member GriYo is responsible for many successful polymorphic viruses, such as W95.Marburg and W32.CTX. The predecessors of polymorphic viruses could choose between different encryption and decryption routines. Polymorphic viruses can randomly choose their cryptography method. This makes them difficult to detect. Only the best virus writers can create these - the code and cryptography are complicated because, as Copley explains, "at their best they are able to change their size and shape."

The Mental Driller, also of 29A, is a pioneer of these viruses. Most of 29A release viruses 'full disclosure', volunteering code to those involved in virus protection. His 2002 polymorphic virus, Win32/Simile, has an incredibly long source - some 14,000 lines of assembly code of which the metamorphic engine takes up around 90 per cent. The Mental Driller originally named it MetaPHOR after Metamorphic Permutating High-Obfuscating Reassembler. In a letter to Virus Bulletin, he claimed ownership of the virus, and said of Symantec: "They have the virus in their hands because I sent it to them and, since I haven't spread the virus, I do not expect it to appear in the wild (unless any unscrupulous person unleashes it)."

Marius van Oers, senior virus research engineer for McAfee, says we're definitely seeing a movement towards worms rather than file infectors, like boot sector viruses, due to the low technical level required to write them. They exploit critical vulnerabilities in the operating system and simply require a user to connect to the Net without sufficient anti-virus protection.

2003's Blaster attempted to perform a Distributed Denial of Service attack (DDoS) on Microsoft's Windows Update redirect. The Slammer/Sapphire worm was the fastest-spreading virus in history last January, exploiting a vulnerability in Microsoft's SQL server and doubling every 8.5 seconds. But Microsoft discovered the vulnerability in July 2002 and issued a patch. Even so, it's commonly accepted that more than 75,000 hosts were affected. It caused a commotion when several sites later published the disassembled source code - it had, in fact, been available since not long after the virus had first hit.

The worst effect of these worms is the amount of money they cost businesses. According to technical security strategists, mi2g, Slammer/Sapphire ranks only ninth with around $1bn in terms of financial damages to the computing world. Top is the Klez worm, which cost up to $9.9bn and that subscribed users to mailing lists on topics as diverse as Steely Dan and tropical fish.

David Kopp, head of European Trend Labs, says that virus writers cause business serious problems: "Malicious code causes a lot of damage and costs to companies. It's our job to... make it as ineffective as possible to limit the damage."

Klez was knocked from the number-one spot during September by the Bugbear worm which originated in Malaysia and used an Outlook vulnerability to replicate. Worryingly, it could disable firewalls and anti-virus software. It also compromised secure transactions. An amusing side effect, though, was that it confused printers with computers, making the printer spew out reams of paper.

Hunter and hunted

Anti-virus software alone is not enough to give your system adequate protection. Virus writers certainly don't rate it. "It's useless," says Herm1t. "The declared losses due to the virus and worm attacks are counted in the tens of millions of dollars. When the anti-virus update to cure the latest virus is ready, it's too late - computers are already infected... from my point of view they are all bad enough to avoid using them."

According to Whale, the virus writers will always be ahead of the game: "Anti-virus creators will never forestall virus writers. It is not difficult to make them nonplussed by a new virus or worm." Herm1t is more scathing: "They were not ready for the macro viruses - the possibility of such viruses was discussed in the early 90s, for example McMillan's thesis about TeX viruses. They were not ready for worms. They were not ready for the complex polymorphic viruses."

Cluley, who had a well-documented spat with female virus writer Gigabyte earlier in the year, doesn't agree. He says that most things virus writers come up with have been thought of a considerable time in advance: "The different anti-virus companies send their experts to regular meetings where we discuss, behind closed doors, our nightmare scenarios and how we would deal with them. A lot of the worst things a virus could do don't seem to have caught the virus writers' attention."

iDefense's Dunham says the world of virus intelligence is specialised work: "We don't just provide a rapid response to threats, but also a predictive and in-depth response. We try to piece it all together, and in some cases, have important threat assessment reports days or weeks before a significant event occurs." He cites the case of Welchia, a worm exploiting the same MS03-026 vulnerability that Blaster did. iDefense reported on it 25 days before it appeared in the wild.

And what of virus writers' claims that they are merely testing security holes? Cluley brands such assertions as laughable: "Security holes can be tested quite easily without releasing code that attempts to replicate itself around the world. It's a lame excuse - virus writing and distribution is simply indefensible."

Dunham agrees: "Virus writers almost always include a disclaimer on their Web sites and within code, such as 'for educational purposes only' or 'I'm not responsible for what you do with this code'. The reality is that they are responsible."

What you can do

There are no hard and fast ways to prevent an attack but, in conjunction with anti-virus software, there are a few things you can try.

"Users should be regularly updating all software against known vulnerabilities," warns Dunham. It might seem simple - and there are possible performance issues with some Windows downloads here - but you do need to keep your OS updated with any new security updates, particularly the security-enhancing Service Pack 2 for Windows XP when it comes out in 2004. You could also try backing up your files. It won't prevent viruses, of course, but it will mean you won't be scrabbling around when it all goes belly-up. If you haven't got a firewall, you need one. There's a firewall in Windows XP, but it's not turned on by default. For freeware versions, check out Kerio's offering or ZoneAlarm.

Kopp says more and more viruses are attempting to dupe users using 'Social Engineering'. It aims "to mislead the users with disguised information, like the name of attachments, sender spoofing and so on. So, as well as installing protection software, it's important to put a user education campaign into place."

Cluley agrees: "Our challenge is to educate more people to deploy anti-virus software as a part of their overall defence, not as the only defence. One of the best anti-virus defences of all is between your ears - if that email looks suspicious, don't be tempted into launching the attachment."

Viruses on the rise

Cluley thinks we'll see an increase in viruses over the next few years as computers become better connected but also thinks anti-virus companies can deploy defences faster than ever: "The biggest threat right now is more of the same. The most successful viruses at the moment are Windows 32 viruses like Bugbear-B and Sobig-F which mass-mail themselves, affecting desktop PCs attached to the Internet."

"It's very difficult to imagine what the future will be like," says Herm1t. "Just look back and read the predictions that were made five or six years ago and compare it with the current situation." Indeed, in writing about the future of viruses in 1997, Dr Solomon at VX Heavens placed great impetus on the growth of Macro viruses. It turned out he was right, but we're now seeing a definite movement away from these. "In the 90s, most viruses were file-infecting and spread by diskettes. Now the situation is more interesting: a lot of Internet worms have appeared as well as cross-platform viruses," says virus writer, Whale. "I think worms will dominate in the future."

mi2g suggests that we're heading towards explosive growth in the area of Distributed Intelligent Malware Agents (DIMAs) in the next few years. These agents would be able to propagate across wired or wireless networks, aided by the growth in always-on broadband connections. They would also be able to spread through open ports and device interfaces, as well as email. DIMAs may also have the ability to cause damage by downloading and executing their payloads remotely - possibly as part of a DDoS attack. They might even be able to delete their own footprints.

With increased levels of spam, email is a medium from which infections can only rise. Indeed, SoBig-F was one of this year's biggest threats, infecting over a million. It not only spread like a worm, but displayed Trojan traits, too, sending itself to the victim's address book. Unusually, it managed to obscure its origin by changing the sending email address. It also sent information back to several IP addresses.

"Sobig-F spread so ferociously by email that even those who were scanning for the virus at the gateway still felt the pain as their email systems slowed down," adds Cluley. "We noticed a drop in the amount of spam being sent during the Sobig-F outbreak - even the spammers were suffering from the deluge."

It also seems that there will be a rise in viruses being spread via instant messaging systems, as well as file-sharing networks. The rise of spyware is also ominous, with more applications able to piggy-back on the download of others, as well as downloads happening in the background. Whale says another potential playground for virus writers is the .NET Framework: "Microsoft's platform is very complex but it has a couple of weak places. It can run on different OSs: Windows, FreeBSD, Mac OS X. I think viruses for .NET will appear soon."

Viruses won't only be confined to desktops, either. Handheld computers are an obvious target for platform-unspecific viruses, as are mobile phones. When the explosion of third-generation phones actually happens, their popularity and power will be difficult to resist for virus writers. Indeed, as mobiles adopt Net standards, such as always-on connections, they will become an obvious target. As Herm1t points out, "it's not necessary to be a prophet or computer expert to say that the amount of malware will continue to increase, worms will keep their leading positions and there will be viruses and worms for the hardware and software platforms which are currently immune to these threats." Van Oers agrees, predicting that mobile viruses will go into overdrive once mobiles "can send HTML email which facilitates the JavaScript and VB scripts."

As most of the top viruses are worm-related, Kopp says we'll also see more complex worms with many embedded technologies in the near future. "What is becoming more apparent is the collaboration between two 'families'; those of virus writers and hackers. WORM_MSBLAST.A is a typical example of this collaboration." Symantec refers to these as blended threats, saying that they accounted for up to 60 per cent of malicious code submissions in the first half of 2003.

Pete Simpson, of ThreatLab at Clearswift, is also fearful of these threats: "We are now seeing a new evolutionary stage with the coming together of the skillsets of the virus writer, the hacker, the spammer and the fraudster," he says. And it's not all about script kiddies, either: "Hijacking PCs, as a means to various criminal ends, rather than simple infection, is the name of the new game."

The Virus Writer

Benny, of the Czech Republic, belongs to notorious virus writing group 29A. In his early 20s, he is one of the group's most active members and is already responsible for a number of viruses, claiming responsibility for W32.Winux - the first virus to be able to infect both Windows and Linux. He was also partly responsible for W2K.Stream, an extremely hard-to-detect virus which Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Lab, called "a new era in computer virus creation." Benny learnt about virus writing from a book when he found the source codes for various viruses - including the Aragon boot virus.

Q: Introduce yourself and tell us a little bit about your involvement with viruses.

A: "I am Benny/29A (I use this nickname in the virus scene). I live in the Czech Republic, was born in 1982 and I code computer worms and viruses. I am a member of the 29A international virus writing group, which seems to be the most productive group ever created. I want to say here that I DON'T spread my viruses, I NEVER did it and I will NOT ever do it. My work is just open researching and finding new viral technologies. You will never get in touch with any of my work if you do not personally want to."

Q: How do you rate the ability of those involved in virus protection to predict what virus writers are up to?

A: "It is easy to predict, but we, virus writers, will always be a step further. It's not possible to make a protection for something that's not done yet ;) Every little child that has been monitoring the evolution of viruses for some little time can predict what will happen. The same that is happening right now."

Q: What do you think of commercially available virus protection software on the market at present?

A: "I think such products are needed, really. But I don't agree with the marketing of AV companies and the lies they spread to dig more money from users. Simply, not everything they say is the truth. Eset's NOD32 is a very good product since it has a very good emulator. I also like DrWeb for the same reason. I don't like Grisoft's AVG, because they weren't able to code an emulator for the win32 platform, although win32 has been here for about ten years! I also don't like Kaspersky, though KAV has a very good engine. I can say I like some products, but I really don't share their ideas."

Q: What do you think most users' attitude to viruses is?

A: "Most users are simply too stupid to work with computers. For instance, I DON'T USE any AV product and my computer hasn't been infected since I have had it. Why? Because I use my brain, that's it."

Q: How do you see viruses developing in the future?

A: "In my opinion, the future of computers is about tighter communication, about deeper networking. The future of computer viruses will copy this evolution. You can see it even today: almost every successful worm/virus has Internet-spreading capabilities. We are waiting for a new platform to be infected, because it seems everything that could be done has been done. Well, just visit Microsoft's site and look for their newest product. That will be infected very, very soon. Many times virus writers have proved they can code a specific platform virus even before the platform release itself."

We spread a virus

Only kidding! But we did send out a fake executable - and lots of silly people opened it!

They shouldn't have opened it! We sent a fake virus to our vast number of friends and colleagues. Stickee made up the executable file for us - a screensaver which, upon installation, tells people they have been stupid for executing an unknown attachment, which could easily have contained a virus. Lots of our friends opened it, as did even more of the people they sent it to. Never open attachments unless you know what they are! Best of all is that you can now see just how many of your friends fall for the same thing. Grab the bug and then check back here next month to see how susceptible people really are to viruses.
