💾 Archived View for spam.works › mirrors › textfiles › virus › bbinterv.iew captured on 2023-06-16 at 21:01:17.



                           ANATOMY OF A VIRUS AUTHOR

                        A biography of The Black Baron

                                      By

                                Matthew Probert




In 1969 Neil Armstrong stepped onto the moon. It was a momentous year for the 
world. But no-one at the time paid much attention to a baby boy being born in 
a town in southern England. This baby boy was destined to grow into one of the 
most infamous computer virus writers of all time. In 1969 The Black Baron was 
born!

The Black Baron never set out to become a computer virus writer. He left 
school at sixteen with a handful of CSEs and a burning desire to be a 
commercial airline pilot. He enjoyed swimming and science fiction comedy 
shows, such as Red Dwarf, and did all the things that any normal, healthy 
young man would do. He learnt to drive, passed his driving test and settled 
down to several years of unemployment.

He is at pains to point out that he is not a thug and that he does not have 
any criminal convictions:

"I don't even have a point on my driving licence," he laughs, when asked 
about criminal activities.

And yet what inspires a normal, healthy, well balanced young man to create the 
ultimate in computer terrorism, a polymorphic computer virus?

In examining Black Baron's motives one must consider his state of mind. Is he 
perhaps a shy, withdrawn individual who has problems with interpersonal 
relationships? The answer is no. He is not the cliché of a computer 
programmer. He owns a single second-hand Tandon 286 PC with an Amstrad 
monitor, and a rather old and modest modem.

"I don't even like computer programming!" he says when asked about it.

Perhaps, however, he is upset by his unemployment? An individual with his 
obvious and undeniable talent must surely feel some resentment at being 
unemployed. While he doesn't blame the computer industry directly, he 
certainly does resent the "old school tie" attitude which is so prevalent in 
England today, and he blames the Conservative government for doing much to 
reinforce this approach to employment.

"I don't wear the right colour tie," he says.

The inspiration to create a computer virus came to Black Baron after he read 
Ross M. Greenberg's comments about computer virus authors. Mr Greenberg, the 
American author of an anti-virus product called "Flu Shot", is very scathing 
and critical of people who write computer viruses. Indeed, the introduction to 
the instruction manual which accompanies Flu Shot is preoccupied with 
questioning the emotional stability of the people who write computer viruses. 
I quote:

                                  Introduction

        What is a Trojan?
        =================

        Back in the good old days (before there were computers), there 
        was this bunch of soldiers who had no chance of beating a 
        superior force or of even making it into their fortress.  They 
        had this nifty idea:  present the other side with a gift.  Once 
        the gift had been accepted, soldiers hiding within the gift would 
        sneak out and overtake the enemy from within.

        We can only think of the intellectual giants of the day who would 
        accept a gift large enough to house enemy soldiers without 
        checking its contents.  Obviously, they had little opportunity to 
        watch old WWII movies to see the same device used over and over 
        again.  They probably wouldn't have appreciated Hogan's Heroes 
        anyway.  No color TV's -- or at least not ones with reliable 
        reception.

        Consider the types of people who would be thrilled at the concept 
        of owning their own rough hewn, large wooden horse!  Perhaps they 
        wanted to be the first one on their block, or something silly 
        like that.

        Anyway, you're all aware of the story of The Trojan Horse.

        Bringing ourselves a bit closer to the reality we've all grown to 
        know and love, there's a modern day equivalent:  getting a gift 
        from your BBS or user group which contains a little gem which 
        will attack your hard disk, destroying whatever data it contains.

        In order to understand how a potentially useful program can cause 
        such damage when corrupted by some misguided soul, it's useful to 
        understand how your disk works, and how absurdly easy it is to 
        cause damage to the data contained thereon.  So, a brief 
        technical discussion of the operation of your disk is in order.  
        For those who aren't concerned, turn the page or something.

        Data is preserved on a disk in a variety of different physical 
        ways having to do with how the data is encoded in the actual 
        recording of that data. The actual *structure* of that data, 
        however, is the same between MS-DOS machines.  Other operating 
        systems have a different structure, but that doesn't concern us 
        now.

        Each disk has a number of "tracks". These are sometimes called 
        cylinders by the old type IBMers.  These are the same people 
        who call hard disks DASDs (Direct Access Storage Devices), so we 
        can safely ignore their techno-speak, and just call them tracks.  
        Tracks can be thought of as the individual little grooves on an 
        audio record, sort of.

        Anyway, each track is subdivided into a number of sectors.  Each 
        track has the same number of sectors.  Tracks are numbered, as 
        are sectors.  Any given area on the disk can be accessed if a 
        request is made to read or write data into or out of Track-X, 
        Sector Y.  The read or write command is given to the disk 
        controller, which is an interface between the computer itself and 
        the hard disk.  The controller figures out what commands to send 
        to the hard disk,  the hard disk responds and the data is read or 
        written as directed.

        The first track on the hard disk typically will contain a small 
        program which is read from the hard disk and executed when you 
        first power up your machine.  The power up sequence is called 
        "booting" your machine, and therefore the first track is typically 
        known as the "boot track".

        In order to read information from your disk in a logical 
        sequence, there has to be some sort of index.  An unusual index 
        method was selected for MS-DOS.  Imagine going to the card index 
        in a library, looking up the title you desire, and getting a 
        place in another index which tells you where on the racks the 
        book is stored.  Now, when you read the book, you discover 
        that only the first chapter of the book is there.  In order to 
        find the next chapter of the book, you have to go back to that 
        middle index, which tells you where the next chapter is stored.  
        This process continues until you get to the end of the book.  
        Sounds pretty convoluted, right?  You bet!  However, this is 
        pretty much how MS-DOS does its "cataloguing" of files.

        The directory structure of MS-DOS allows for you to look up an 
        item called the "first cluster".  A cluster represents a set of 
        contiguous ("touching or in contact" according to Random House) 
        tracks and sectors.  It is the smallest amount of information 
        which the file structure of MS-DOS knows how to read or write.

        Based on the first cluster number as stored in the directory, the 
        first portion of a file can be read.  When the information 
        contained therein is exhausted, MS-DOS goes to that secondary 
        index for a pointer to the next cluster.  That index is called 
        the File Allocation Table, commonly abbreviated to "FAT".  The 
        FAT contains an entry for each cluster on the disk.  A FAT entry 
        can have a few values: ones which indicate that the cluster is 
        unused, another which indicates that the associated cluster has 
        been damaged somehow and that it should be marked as a "bad 
        cluster", and a pointer to the next cluster for a given file.  
        This allows for what is called a linked list:  once you start 
        looking up clusters associated with a given file, each FAT entry 
        tells you what the next cluster is.  At the end of the linked 
        list is a special indicator which indicates that there are no 
        more clusters associated with the file.

        There are actually two copies of the FAT stored on your disk, but 
        no one really knows what the second copy was intended for.  
        Often, if the first copy of the FAT is corrupted for some reason, 
        a clever programmer could recover information from the second 
        copy to restore to the primary FAT.  These clever programmers can 
        be called "hackers", and should not be confused with the thieves 
        who break into computer systems and steal things, or the "worms" 
        [Joanne Dow gets credit for *that* phrase!] who would get joy out 
        of causing you heartache!

        But that heartache is exactly what can happen if the directory 
        (which contains the pointer to the first cluster a file uses), 
        the FAT (which contains that linked list to other areas on the 
        disk which the file uses), or other areas of the disk get 
        corrupted.

        And that's what the little worms who create Trojan programs do:  
        they cause what at first appears to be a useful program to 
        eventually corrupt the important parts of your disk.  This can be 
        as simple as changing a few bytes of data, or can include wiping 
        entire tracks clean.

        Not all programs which write to your hard disk are bad ones, 
        obviously.  Your word processor, spreadsheet, database and 
        utility programs have to write to the hard disk.  Some of the DOS 
        programs (such as FORMAT), if used improperly, can also erase 
        portions of your hard disk causing you massive amounts of grief.  
        You'd be surprised what damage the simple "DEL" command can do 
        with just a simple typo.

        But, what defines a Trojan program is its delivery mechanism: the 
        fact that you're running something you didn't expect.  Typical 
        Trojan programs cause damage to your data, and were designed to 
        do so by the worms who writhe in delight at causing this damage.  
        May they rot in hell -- a mind is a terrible thing to waste!

        Considering the personality required to cause such damage, you 
        can rest assured that they have few friends, and even their 
        mother doesn't like to be in the same room with them.  They sit 
        back and chortle about the damage they do with a few other lowly 
        worms.  This is their entire social universe. You should pity 
        them.  I know that I do.

        What is a Virus?
        ================

        Trojan programs are but a delivery mechanism, as stated above.  
        They can be implemented in a clever manner, so that they only 
        trigger the malicious part on a certain date, when your disk 
        contains certain information or whatever.  However they're coded, 
        though, they typically affect the disk only in a destructive 
        manner once triggered.

        A new breed of programs has the capability of not only reserving 
        malicious damage for a given event's occurrence, but of also 
        replicating itself as well.

        This is what people refer to when they mention the term "Virus 
        Program".

        Typically, a virus will spread itself by replicating a portion of 
        itself onto another program.  Later, when that normally safe 
        program is run it will, in part, execute a set of instructions 
        which will infect other programs and then potentially, trigger 
        the Trojan portion of the program contained within the virus.

        The danger of the virus program is twofold. First, it contains a 
        Trojan which will cause damage to your hard disk.  The second 
        danger is the reason why everyone is busy building bomb shelters.  
        This danger is that the virus program will infect other programs 
        and they in turn will infect other programs and so forth.  Since 
        it can also infect programs on your floppy disks, you could 
        unknowingly infect other machines!  Pretty dangerous stuff, 
        alright!

        Kenneth van Wyck, one of the computer folks over at Lehigh 
        University, first brought a particular virus to the attention of 
        the computer community.  This virus infects a program, which 
        every MS-DOS computer must have, called COMMAND.COM.  This is the 
        Command Line Interpreter and is the interface between your 
        keyboard and the MS-DOS operating system itself.  Whatever you 
        type at the C: prompt will be interpreted by it.

        Well, the virus subverts this intended function, causing the 
        infection of neighboring COMMAND.COMs before continuing with 
        normal functionality of the command you typed.  After a certain 
        number of "infections", the Trojan aspect of the program goes 
        off, causing you to lose data.

        The programmer was clever.  But still a worm.  And still 
        deserving of contempt instead of respect.  Think of what good 
        purposes the programmer could have put his or her talents to 
        instead of creating this damage.  And consider what this 
        programmer must do, in covering up what they've done.  They 
        certainly can't tell anyone what they've accomplished.  
        Justifiable homicide comes to mind, but since the worms they must 
        hang around are probably as disreputable as they are, they must 
        hold their little creation a secret.

        A pity.  Hopefully, the worm is losing sleep.  Or getting a sore 
        neck looking behind them wondering which of their "friends" are 
        gonna turn them in for the reward I list towards the end of this 
        document.

        The Challenge to the Worm
        =========================

        When I first released a program to try to thwart their demented 
        little efforts, I published this letter in the archive (still in 
        the FLU_SHOT+ archive of which this is a part).  What I say in 
        it still holds:

                    As for the designer of the virus program: most 
                    likely an impotent adolescent, incapable of 
                    normal social relationships, and attempting to 
                    prove their own worth to themselves through 
                    these type of terrorist attacks.

                    Never succeeding in that task (or in any 
                    other), since they have no worth, they will one 
                    day take a look at themselves and what they've 
                    done in their past, and kill themselves in 
                    disgust.  This is a Good Thing, since it saves 
                    the taxpayers' money which normally would be 
                    wasted on therapy and treatment of this 
                    miscreant.

                    If they *really* want a challenge, they'll try 
                    to destroy *my* hard disk on my BBS, instead of 
                    the disk of some innocent person.  I challenge 
                    them to upload a virus or other Trojan horse to 
                    my BBS that I can't disarm.  It is doubtful the 
                    challenge will be taken: the profile of such a 
                    person prohibits them from attacking those who 
                    can fight back.  Alas, having a go with this  
                    lowlife would be amusing for the five minutes 
                    it takes to disarm whatever they invent.

                    Go ahead, you good-for-nothing little 
                    slimebucket:  make *my* day!


        Alas, somebody out there opted to do the cowardly thing and to 
        use the FLUSHOT programs as a vehicle for wreaking still more 
        destruction on people like you.  The FLUSHOT3 program was 
        redistributed along with a companion program to aid you in 
        reading the documentation.  It was renamed FLUSHOT4.  And the 
        reader program was turned into a Trojan itself.

        I guess the programmer involved was too cowardly to take me up on 
        my offer and prefers to hurt people not capable of fighting back.  
        I should have known that, I suppose, but I don't normally think 
        of people who attack innocents. Normally, I think of people to 
        respect, not people to pity, certainly not people who must cause 
        such damage in order to "get off".

        They are below contempt, obviously, and can do little to help 
        themselves out of the mire they live in.

        Still, a worm is a worm.
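
The quoted manual describes the FAT as a linked list (the directory gives the first cluster, each FAT entry points at the next, a special value ends the chain) and notes that a corrupted FAT can sometimes be repaired from the second copy. The following is an added example, not code from the Flu Shot manual or from any author mentioned on this page: it walks a FAT12 chain as described, reports the corruptions the text mentions (loops, pointers into free or bad clusters), and cross-checks the two FAT copies. The 16-cluster FAT image is constructed for the example.

```python
# Added example: walk a FAT12 cluster chain and cross-check the two FAT copies.
# The FAT image below is constructed, not taken from any real disk.
from typing import List, Optional, Tuple

FAT12_FREE = 0x000     # entry value: cluster unused
FAT12_BAD = 0xFF7      # entry value: cluster marked bad
FAT12_EOC_MIN = 0xFF8  # 0xFF8..0xFFF: end of chain

def pack_fat12(entries: List[int]) -> bytes:
    """Pack 12-bit entries into FAT12 layout: two entries per three bytes."""
    if len(entries) % 2:
        entries = entries + [FAT12_FREE]
    out = bytearray()
    for i in range(0, len(entries), 2):
        a, b = entries[i], entries[i + 1]
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)

def fat12_entry(fat: bytes, n: int) -> int:
    """Decode entry n (odd entries use the high 12 bits of their 16-bit pair)."""
    off = n * 3 // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF

def walk_chain(fat: bytes, first: int, total: int) -> Tuple[List[int], Optional[str]]:
    """Follow a file's linked list from its first cluster.
    Returns (clusters visited, problem); problem is None for a clean chain."""
    chain: List[int] = []
    cur = first
    while True:
        if cur < 2 or cur >= total + 2:  # data clusters are numbered 2..total+1
            return chain, f"pointer {cur:#05x} is outside the disk"
        if cur in chain:
            return chain, f"chain loops back to cluster {cur}"
        chain.append(cur)
        nxt = fat12_entry(fat, cur)
        if nxt >= FAT12_EOC_MIN:
            return chain, None
        if nxt == FAT12_BAD:
            return chain, f"chain runs through bad cluster {cur}"
        if nxt == FAT12_FREE:
            return chain, f"cluster {cur} is marked free but in use"
        cur = nxt

def compare_copies(fat1: bytes, fat2: bytes, total: int) -> List[int]:
    """Cluster numbers whose entries differ between the two FAT copies."""
    return [n for n in range(2, total + 2) if fat12_entry(fat1, n) != fat12_entry(fat2, n)]

# Constructed 16-cluster disk: file A = 2->3->4, file B = 5->7, cluster 8 bad.
TOTAL = 16
GOOD = [0xFF0, 0xFFF, 3, 4, 0xFFF, 7, 0, 0xFFF, FAT12_BAD] + [0] * 9
SECOND_FAT = pack_fat12(GOOD)           # intact second copy
damaged = list(GOOD)
damaged[3] = 2                          # "a few bytes changed": 3 now points back at 2
FIRST_FAT = pack_fat12(damaged)         # corrupted primary copy

if __name__ == "__main__":
    print(walk_chain(FIRST_FAT, 2, TOTAL))               # loop detected in the primary FAT
    print(compare_copies(FIRST_FAT, SECOND_FAT, TOTAL))  # [3]: the entry to recover
    print(walk_chain(SECOND_FAT, 2, TOTAL))              # ([2, 3, 4], None)
```

With only two copies the walker cannot say which is right by itself; a chain that terminates cleanly in one copy and loops in the other is the evidence a repair tool uses to pick.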


Incensed by what he saw as the narrow, bigoted attitude of the author, our
young man, then twenty four years old, decided to write a program which would 
infect other computer programs and, more than that, would change its form with 
each infection so as to avoid detection by Flu Shot and other virus scanners. 
At Christmas 1993, Pathogen was completed. One month later SMEG 0.1 was 
included in it and the first SMEG virus hit the computer world. 

In February 1994 Black Baron, as the author was calling himself, released a 
subsequent computer virus, Queeg. This time he updated the polymorphic engine 
(SMEG) to version 0.2.

Shortly afterwards the Thunderbyte anti-virus software underwent a major new 
release, version 6.20, which in fairness detects 96% of SMEG version 0.1 
and version 0.2 infections. Unfortunately, the authors of Thunderbyte suffer 
from the same arrogance as Mr Greenberg. They have widely boasted that their 
new virus scanner can detect any polymorphic virus. Needless to say, this is 
seen as a challenge by Black Baron. And being an Englishman, he can't resist a 
challenge. It is not surprising to learn, then, that as I write this in June 
1994 Black Baron is just finishing off SMEG version 0.3, which is completely 
undetectable by any current virus scanner, including Thunderbyte release 6.20. 

I ask myself when this is all going to end. Perhaps when computer users 
become sufficiently educated to be able to use the equipment at their 
disposal. Perhaps when computers stop attracting social inadequates, by which 
I mean the arrogant members of the anti-virus lobby as well as the nefarious 
virus authors. But what of the Black Baron? What is he? Is he a malicious 
criminal? A computer terrorist? A social inadequate trying to reassure himself 
in the face of his own inadequacies by destroying computer data? I don't 
believe so. I have spoken to Black Baron on a number of occasions. He is 
happy to discuss his work, and, at my request, he has even released a document 
detailing the design of SMEG. He doesn't feed on the panic and fear that SMEG 
viruses such as Pathogen and Queeg cause. Rather, he revels in the 
embarrassment and panic which his software causes the arrogant anti-virus 
writers.

It is quite questionable whether Black Baron was sensible in taking this 
course of action. It does appear that he has adopted an "I'll show you" 
attitude. But it is equally obvious that the real villain is the person who 
caused the trouble in the first place, Mr Greenberg, with his arrogant and 
bigoted view. You still don't believe me? Okay, as a finale let me say this. 
Black Baron knows that I write anti-virus software. He knew this before he 
gave me an interview. And knowing that I write anti-virus software he provided 
me with the source code of Pathogen, Queeg and SMEG so that I might improve my 
anti-virus software. He even supplied me with software which creates safe SMEG 
encrypted programs for testing purposes. These are not the actions of a 
madman. These are the actions of a man who just wants to be respected for what 
he is. A damn hot programmer. 

After talking with him, I understand the Black Baron. I feel sorry for him as 
well. He is a highly gifted individual who has not been given a chance by 
computer society. So he has made his own chance. We all need recognition, 
mainly through employment, but we, as thinking machines, must receive 
recognition for our abilities. Otherwise we sink into melancholy and 
paranoia. Black Baron has received his recognition. We, the computer society, 
are responsible for the creation of Pathogen, Queeg, SMEG and all the other 
computer viruses. We have no one to blame but ourselves. It is our desire to 
keep the computer fraternity a closed club which has alienated so many of our 
colleagues. By rubbing their noses in it, so to speak, we have begged for 
trouble, and like the inhabitants of Troy, we have received it.

Matthew Probert
Servile Software