💾 Archived View for spam.works › mirrors › textfiles › virus › locprst.txt captured on 2023-06-16 at 21:03:22.
-=-=-=-=-=-=-
[An excerpt from THE VIRUS CREATION LABS: A JOURNEY INTO THE UNDERGROUND] A PRIEST DEPLOYS HIS SATANIC MINIONS Everyone knows the best virus writers hang out on secret bulletin board systems, the bedroom bohemias of the computer underground, right? Wrong. In mid-1992, a 16-year-old hacker from San Diego who called himself Little Loc signed on to the Prodigy on-line service for his virus information needs. The experience was not quite what he expected. Prodigy had a reputation in 1992 as the on-line service for middle-class Americans who could stand mind-roasting amounts of retail advertising on their computer screens as long as they had relatively free access to an almost infinite number of public electronic mail forums devoted to callers' hobbies. Since Prodigy's pricing scheme was ridiculously cheap per hour, it was quite seductive for callers to spend an hour or two a night sifting through endless strings of messages just to engage in a little cyberspace chit-chat. Into this living-room atmosphere stepped Little Loc, logged on as James Gentile, looking for anyone to talk with about computer viruses, particularly his idea of properly written computer viruses. Little Loc, you see, had written a mutating virus which infected most of the programs on a system dangerously quickly. If you were using anti-virus software that didn't properly recognize the virus - and at the time it was written none did - the very process of looking for it on a machine would spread it to every possible program on a computer's hard disk. While many viruses were trivial toys, Satan Bug, which is what Little Loc called his program, was sophisticated enough to pose a real hazard. The trouble was, Little Loc was dying to tell people about Satan Bug. But he had no one to talk to who would understand. That's where Prodigy came in. Prodigy, thought Little Loc, must have some hacker discussions, even if they were feeble, centered on viruses. It was a quaintly naive assumption. The Satan Bug was named after a Seventies telemovie starring George Maharis, Anne Francis and a sinister Richard Basehart in a race to find a planet-sterilizing super virus stolen from a U.S. bio-warfare lab. Little Loc had never actually seen the movie, but he'd run across the name in a copy of TV Guide and it sounded cool, so he used it for his digital creation. Satan Bug was the second virus he had electronically published. The first was named Fruitfly but it was a slow, tame infector so the hacker didn't push it. A bigger inspiration for Satan Bug was the work of the Dark Avenger, the shadowy Bulgarian virus programmer whom anti-virus software p.r. men and others had elevated to the stature of world's greatest virus writer. Little Loc was fascinated by the viruses attributed to Dark Avenger. The Dark Avenger obviously knew how real computer viruses should be written, thought Little Loc. None of his programs were like the silly crap that composed most of the files stocked by the computer underground. For example, his Eddie virus - also known as Dark Avenger - had gained a reputation as a program to be reckoned with. It pushed fast infection to a fine art, using the very process anti-virus programs used to examine files as an opportunity to corrupt them with its presence. If someone suspected they had a virus, scanned for it and Eddie was in memory but not detected, the anti-virus software would be subverted, spreading Eddie to every program on the disk in one sweep. Eddie would also mangle a part of the machine's command shell when it jumped into memory from an infected program. When this happened, the command processor would reload itself from the hard disk and promptly be infected, too. This put the Eddie virus in total charge of the machine. From that point on, every sixteen infections, the virus would take a pot shot at a sector of the hard disk, obliterating a small piece of data. If the data were part of a never-used program, it could go unnoticed. So as long as the Eddie virus was in command, the user stood a good chance of having to deal with a slow, creeping corruption of his programs and data. Little Loc was a good student of the Dark Avenger's programming and although he was completely self-taught, he had more native ability than all of the other virus programmers in the phalcon/SKISM and NuKE hacking groups. "[Virus writing] was something to do besides blasting furballs in Wing Commander," he said blithely when asked about the origins of his career as a virtuoso virus writer. Accordingly, the Satan Bug was just as fast an infector as Eddie and it, too, would immediately go after the command shell when launched into memory from an infected program. But Satan Bug was very cleverly encrypted, whereas Eddie was not, and it extended these encryption tricks so that it was cloaked in computer memory, a feature somewhat unusual in computer viruses but popularized by another program called The Whale which intrigued Little Loc. The Whale was a German virus which - theoretically - was the most complex of all computer viruses. It was packed with code which was supposed to make it stealthy -- invisible to certain anti-virus software techniques. It was armored with anti-debugging code and devilishly encrypted, designed purely to flummox anti-virus software developers trying to examine it. They would often mention it as an example of a super stealth virus to mystified science and technology writers looking for good copy. In practice, The Whale was what one might call anti-stealth. Although it was all the things mentioned and more, when run on any machine, The Whale's processes were so cumbersome the computer would be forced to slow to a crawl. Indeed, it was a clever fellow who could get The Whale to consent to infect even one program. The Whale appeared to be purely an intellectual challenge for programmers. It was intended to mesmerize anti-virus software developers and suck them into spending hours analyzing it. Little Loc, too, was drawn to it. He pored over the German language disassembly of The Whale's source code. The hacker even made a version that wasn't encrypted, pulling out the code which The Whale used to generate its score of mutant variations. It didn't help. The Whale, even when disassembled, was loathe to let go of its secrets and remained a slow, obstinately uninfective puzzle. Have you gotten the idea that Prodigy callers might not be the perfect choice as an audience to appreciate Little Loc's Satan Bug? Nevertheless, Little Loc landed on Prodigy with a thud. He described the Satan Bug and invited anyone who was interested to pick up a copy of its source code at a bulletin board system where he'd stashed it. Immediately, the hacker got into a rhubarb with a Prodigy member named Henri Delger. Delger was, for want of a better description, the Prodigy network's unpaid computer virus help desk manager. Every night, Delger would log on and look for the messages of users who had questions about computer viruses. If they just wanted general information, Delger would supply it. If they had some kind of computer glitch which they thought might be a virus, Delger would hold their hand until they calmed down, and then tell them what to do. And, for the few who had computer virus infections, Delger would try to identify the virus and recommend software, usually McAfee Associates' SCAN, which would remedy the problem. Little Loc was annoyed by Delger, whom he thought was merely a shill for McAfee Associates. Since Delger answered so many questions on Prodigy, he had a set of canned answers which he would employ to make the workload lighter. The canned answers tended to antagonize Little Loc and other younger callers who fancied themselves hackers, too. Prodigy's liberal demo account policy allowed some of these young callers to get access to the network under assumed names like "Orion Rogue." This allowed them to be rude and truculent, at least for a few days, to paying Prodigy customers. These techno-popinjays, of course, immediately sided with Little Loc, which didn't do much for the virus programmer's credibility. There was often quite a bit of talk about viruses and Delger would supply much of the information, typing up brief summaries of virus effects embroidered with his own experiences analyzing viruses. "You're not a programmer!" Little Loc would storm at Delger. If you weren't a programmer, you couldn't understand viruses, insisted the author of Satan Bug. Little Loc would correct minor technical errors Delger made when describing the programs. In retaliation, Delger would calmly point out the spelling mistakes made by Little Loc and his colleagues. It was quite a flame war. On one side was Little Loc, who gamely tried to get callers to appreciate the technical qualities of some viruses. On the other side was a bunch of middle-aged computer hobbyists who were convinced all virus writers were illiterate teenage nincompoops in need of serious jail time, or perhaps a sound beating. The debates drew a big audience, including another hacker named Brian Oblivion, whose Waco, Texas, bulletin board, Caustic Contagion, would provide a brief haven for Satan Bug's author. Little Loc, however, soon found other places that would accept his virus source code. Kim Clancy's famous Department of the Treasury Security Branch system was among them. Little Loc logged on and proffered Satan Bug. The Hell Pit - a huge virus exchange in a suburb of Chicago - had its phone number posted on Prodigy, as was that of one called Dark Coffin, a system in eastern Pennsylvania. Dutifully, Little Loc couriered his virus to these systems, too. Satan Bug was a difficult virus to detect. Although in a pinch you could find Satan Bug because of a trick change it made to an infected program's date/time stamp, for all intents and purposes Satan Bug was transparent to anti-virus scanners. And this window of opportunity stayed open for a surprising amount of time despite the fact that Little Loc had supplied the Satan Bug to all the public virus exchanges patrolled by anti-virus moles. Little Loc stood apart from other virus programmers who seemed to have little interest in whether their creations made it into the public's computers. The real travel of his virus around the world would grant him recognition like that of the Dark Avenger, he thought. So, he wanted people to take Satan Bug and infect the software of others, period. Months later, after the virus had struck down the Secret Service network clear across the continent, I asked Little Loc how it might have gotten into the wild in large enough numbers so that it eventually found its way into such a supposedly secure system. "I'll tell you this once and only once: Satan Bug had help!" he said, simply. After his Prodigy debut and before Satan Bug hit the Secret Service, Little Loc was recruited by the virus-writing group phalcon/SKISM, changing his handle in the process to Priest. Joining phalcon/SKISM didn't necessarily mean you were going to virus writing conventions in cyberspace with other members of the group, but it was a badge of status signifying to others in the computer underground who required such things that you had arrived, as a virus writer anyway. Since Priest lived on the West Coast, however, and the brain trust of phalcon/SKISM was located in the metro-NYC area, there was little concrete collaboration between the two, especially after Priest racked up a $600 telephone bill calling bulletin boards. Since Priest didn't hack free phone service, his family had to pay the bill, which effectively cut down on much of his long distance telephone contact bulletin board systems like Caustic Contagion in Waco, Texas. Caustic Contagion, for a short period of time, was one of the better known virus exchange bulletin board systems. Its sysop, Brian Oblivion, had an extremely liberal policy with regards to virus access and carried a large number of Internet/Usenet newsgroups which gave callers a semblance of access to the Internet. Caustic Contagion's other specialty, besides viruses, was Star Trek newsgroups and for some reason which completely eludes me, the BBS's callers found the convergence of computer viruses and Star Trek debate extremely congenial. Priest and another phalcon/SKISM virus writer named Memory Lapse would hang out on Caustic Contagion. Quite naturally, Oblivion's bulletin board was one of the first places to receive the programmers' newest creations, often before they were published in phalcon/SKISM's electronic publication, 40Hex magazine. Priest's next virus was Payback and it was written to punish the mainstream computing community for the arrest of Apache Warrior, the "president" of ARCV, a rather harmless but vocal English virus-writing group which had been undone when Alan Solomon, an anti-virus software developer, was able to convince New Scotland Yard's computer crime unit to seize the hacking group's equipment and software in a series of surprise raids. Priest's Payback virus would format the hard disk in memory of this event. Payback gathered little attention in the underground, mostly because few people knew much about ARCV and Apache Warrior in the first place. Another of Priest's interests was the set of anti-virus programs issued by the Dutch company, Thunderbyte. The product of a virus researcher named Frans Veldman, the Thunderbyte programs were regarded by most virus writers as the anti-virus programs of choice. They were sophisticated, technically sweet and put to shame similar software marketed by McAfee Associates, Central Point Software, and Symantec, which manufactured the Norton Anti-virus. One of Frans Veldman's programs, called TBClean, was of particular interest to Priest and others because it claimed to be able to remove completely unknown viruses from infected files. How it did this was a neat trick. Essentially, TBClean would execute the virus-infected file in a controlled environment and try to take advantage of the fact that the virus always had to reassemble in memory an uncontaminated copy of the infected program to make it work properly. TBClean would intercept this action and write the program back to the hard disk sans virus. Priest and virus writer Rock Steady, the leader of the NuKE virus-writing group, had also noticed the phenomenon. Both tried writing viruses that would subvert the process and turn TBClean upon itself. Priest wrote Jackal, a virus which - under the proper conditions - would sense TBClean trying to execute it, step outside the Thunderbyte software's controls and format the hard disk. In theory, this made Priest's virus the worst kind of retaliating program, with the potential to destructively strip unsuspecting users' hard disks of their data when they tried to disinfect their machines. (It couldn't happen if you just manually erased the Jackal-virus-infected program, but many people who use computers as part of everyday work simply want the option of having the software remove viruses. They don't want to have to worry about the technicalities of retaliating viruses designed to smash their data if they have the temerity to use anti-virus software.) Of course, Jackal's development was deemed a great propaganda victory by the North American virus underground. Rock Steady nonsensically insisted Frans Veldman's programs were dangerous software because TBClean could be made to augment a virus infection instead of remove it. Brian Oblivion immediately tried Jackal out. It didn't work, he said, but only caused TBClean to hang up his machine. This was because Jackal was version specific, explained Priest. It would only work on certain editions of the program. In reality, this meant that Jackal's retaliating capability posed little threat to typical computer users, who had never heard of the virus-programmer's favorite software, Thunderbyte, much less TBClean. Nevertheless, Priest continued to write the TBClean subverting trick into his viruses, including it in Natas (that's Satan spelled backwards), which eventually got loose in Mexico City in the spring of 1994. All the routines to format a computer's hard disk and to slowly corrupt data ala the Eddie virus, which Priest had designed his Predator virus to do, made it clear the hacker cared little for any of the finer arguments over the value of computer viruses which were entertained from time to time by denizens of the underground as well as academics. Viruses were for getting your name around, infecting files and destroying data, according to Priest. He just laughed when the topic of ethical or productive uses of computer viruses -- such as the study of artificial life -- came up. In any case, by the fall of 1993, after Priest had retired from the Prodigy scene, Satan Bug was generating its own kind of media-fueled panic. On the Compuserve network, hysterical government employees were posting nonsensical alarums about the virus in the McAfee Associates virus information special interest group. "Satan's Bug" was part of a foreign power's attempt to sabotage government computers! It was encrypted in nine different ways and was "eating" your data! A State Department alarm had started! Wherever the information about "Satan's Bug" was coming from, it was 100 percent phlogiston. Satan Bug was hardly aimed at government computer systems. It did not "eat" anything and although difficult for many anti-virus programs to scan, the virus could be found on infected systems by making good use of software designed to take a snapshot of the vital statistics of computer files and sound an alarm when these changed, which always happened when Satan Bug added itself to programs. Even more amusing was the suspicion that Satan Bug had been inserted on government computers by some undisclosed foreign country, from whence it originated. I suppose, however, some people might consider Southern California a foreign country. Priest enjoyed reading these kinds of things. His virus was famous, an obvious source of confusion and hysteria. About the same time, the Secret Service's computer network in Washington, D.C., was infected by the virus, which knocked the infected machines off-line for approximately three days. News about the event was tough to keep secret among government employees and it leaked. The Crypt Newsletter published a short news piece in its September 1993 issue on the event and reported that the infection had been cleaned up by David Stang, formerly of the National Computer Security Association, but now providing anti-virus and security guidance for Norman Data Defense Systems in Fairfax, northern Virginia. Jack Lewis, head of the Secret Service's computer crime unit, and two other agents flew out to interrogate Priest in his San Diego home in October of 1993. Lewis and the other agents gave Priest the third degree. They shook a printed-out copy of The Crypt Newsletter containing the Satan Bug story in his face and did everything in their power to make Priest think he ought to cease and desist writing computer viruses forthwith. "About the Secret Service, they weren't too happy about [Satan Bug], and saw fit to pay me a little visit," recalled Priest ruefully. The agents wanted to know everything about Priest - his Social Security number, where he'd travelled, even who the 16-year-old worked for. But Priest didn't work for anyone. "I'm not quite sure they believed me," he said. "Apparently, they thought I worked for some anti-virus company or something to write viruses. Plus, they wanted the sources for them." The Secret Service men wanted to know, straight from the horse's mouth, what Satan Bug did. "They said some victims were worried their systems weren't completely clean because they thought it might infect data files," Priest continued. "I told them it wouldn't. They also wanted my opinion on things which surprised me, like different anti-virus programs and encryption algorithms, including Clipper. I didn't ask why. "Jack Lewis also said someone claimed I said 'All government computers will be infected by December' or some such rubbish. Apparently, they thought I wrote Satan Bug as a weapon against the government or whatever, I can't be too sure . . ." Priest told them no, Satan Bug wasn't specifically aimed at government computers, but it was hard to tell if the agents believed him. They were trained to reveal little, and to be unnerving to those interviewed. "They just stared," Priest said, "as they did in response to every question I asked, including 'what's your name?' I tried - really tried - to act cool, but my heart was pounding like a hummingbird's." The agents were keenly interested in Priest's other handles, all the viruses he had written, which, if any, computer systems he might have spread them on, the names of some phalcon/SKISM members and the structure of the virus-writing group and details of their hacking exploits. Priest declined to say anything about the identities of members of phalcon/SKISM. "I told them I knew nothing of the hackers and phreakers, and little more than you could pick up from reading an issue of 40Hex." Priest was more interested in other secretive agencies within the government. He cultivated an interest in stories about deep black intelligence agencies. Perhaps he envisioned himself writing destructive viruses as part of a covert weapons project for one of them. "Aren't there any other agencies which would be more interested in what I'm doing?" Priest asked the agents. He didn't get an answer. Eventually, the Secret Servicemen went away with a Priest-autographed printout of the source code to Satan Bug. Programming Satan Bug had turned out to be richly rewarding for Priest. Not only had it gotten him recognized immediately in the computer underground, it had made him feared in the trenches of corporate America to the point where the Secret Service had felt compelled to intervene. Since the Satan Bug panic was a golden opportunity for anti-virus vendors to once again market wares, the stories in the computing press kept coming. LAN Times put the virus on the front page of its November 1 issue with the headline, "Be on the Lookout for the Diabolical 'Satan Bug' Virus." LAN Times East Coast bureau chief Laura Didio wrote "the Satan Bug is designed to circumvent the security facilities in Novell Inc. Netware's NETX program, thereby allowing it to spread across networks." While Satan Bug may have certainly spread across networks, it had nothing to do with the virus's design. It seemed no matter the truth about Satan Bug, the story just got more pumped up with phlogiston and air as it rolled along. "What's NETX?" asked Priest when he heard about the LAN Times article. Of course, the LAN Times article accurately served as an advertisement for the Satan Bug-detecting software of Norman Data Defense Systems and McAfee Associates. Priest, meanwhile, continued to work on viruses. He had just completed Natas, which he'd turned over to the Secret Service and to phalcon/SKISM for publication in an issue of 40Hex. He also uploaded the virus to a couple of bulletin board systems in Southern California. And he finished a very small, 96-byte .COM program-infecting virus. And there were other things he was working on, he said. The most interesting fallout from the Secret Service visit was a job offer from David Stang at Norman Data Defense Systems, said Priest. Stang wanted the virus programmer to come to work for him, starting in the summer of 1994, after the hacker finished high school. Priest said Stang was interested in his opinion about the use of virus code in anti-virus software. Such code wasn't copyrighted, so it was fair game. Priest thought this was a bad idea. Too much virus code, in his opinion, was crappy anyway, so why would anyone want to use it? But Priest said he would think about the job offer. By May 1994, Priest's Natas virus had cropped up in Mexico City, where, according to one anti-virus software developer, it had been spread by a consultant providing anti-virus software services. Through ignorance and incompetence, the consultant had gotten Natas attached to a copy of the anti-virus software he was using. However, like most of Priest's viruses, Natas was a bit more than most software could handle. The software detected Natas in programs but not in an area of the hard disk known as the master boot record, where the virus also hid itself. The result was tragicomic. The consultant would search computers for viruses. The software would find Natas! Golly, the consultant would think, "Natas is here! I better check other computers, too." And so, the consultant would take his Natas-infected software to other computers where, quite naturally, it would also detect Natas as it spread the virus to the master boot record, a part of the computer where the software could not detect Priest's program. Natas had come to Mexico from Southern California. The consultant often frequented a virus exchange bulletin board system in Santa Clarita which not only stocked Natas, but also the issue of 40Hex that contained its source code. He had downloaded the virus, perhaps not fully understood what he was dealing with, and a month or so later uploaded a desperate plea for help with Priest's out-of-control program. You could tell from the date on the electronic cry for help -- May 1994 -- when Natas began being a real problem in Mexico. Natas was another typical tricky Priest program. When in computer memory, it masked itself in infected programs and made them appear uninfected. It would also retrieve a copy of the uninfected master boot record it carried encrypted in its body and fake out the user by showing it to him if he tried to go looking for it there. Natas also infected diskettes and spread quickly to programs when they were viewed, copied or looked at by anti-virus software. It was fair to say that computer services providers wielding anti-virus software in a casual manner ought not to have been allowed anywhere near Natas. Back in San Diego, Priest was still being interviewed on the telephone by David Stang and other associates at Norman Data Defense Systems. They were concerned that Priest might leak proprietary secrets to competitors after hiring, so it was a must that he be absolutely sure of the seriousness of his potential employment. By the end of the interview, Priest thought he didn't have much of a chance at the job, but by July he'd accepted an offer and moved to Fairfax to begin working for David Stang. This was the same David Stang who had written in the July 1992 issue of his Virus News and Review magazine, "In this office, we try to see things in terms of black and white, rather than gray . . . The problem is that good guys don't wear white hats. Among virus researchers are a large number of seemingly gray individuals . . . This grayness is clear to users. Last week, I asked my class if anyone in the room trusted anti-virus vendors. Not one would raise their hand . . . " But what was Priest working on at Norman Data Defense Systems? "A cure for Natas," he laughed softly one afternoon in late July, 1994, in the Norman Data office. Looking over the virus once more, Priest sardonically concluded that his disinfector made it clear the hacker had made Natas a little too easy to remove from infected systems. Norman Data Defense had clients in Mexico and at the Secret Service. You had to admire the moxie of the young American virus programmer. He'd set out in 1992 to emulate the world's greatest virus programmer, Dark Avenger, and ended up being paid cash money to cure the paintpots of computer poison he'd created. As for that poor stone fool, the legendary Dark Avenger, he never even got a handful of chewing gum for his viruses, having the misfortune to have been born in the wrong place, Bulgaria, at the wrong time, during the fall of Communism. But by the end of the summer, the blush was off the rose for Priest and Norman Data, too. Another manager in the office, Sylvia Moon, didn't like the idea of the hacker working for the company, Priest said. And when management representatives arrived from the parent corporation in Norway on an inspection tour and were appraised of Priest's status at a meeting, the hacker heard, they were not pleasantly surprised to learn there was a virus writer on the staff. Officially, said Priest, there was no reaction, but in reality, the hacker felt, the atmosphere was deeply strained. Nevertheless, said Priest, David Stang maintained that he would protect the hacker's position. And Jack Lewis, said Priest, had contacted the company to set up a luncheon date with the hacker to discuss more technical issues. However, Priest said, David Stang wanted Lewis to provide a Secret Service statement to the effect that the hiring of the hacker wasn't such a bad idea. The luncheon fell through. The Secret Service would provide no such statement because, said Priest, it might be construed as a conflict of interest. Unknown to him at the time, the agency had also started spying on his comings-and-goings in Fairfax. It all came to an end when one of Priest's acquaintances from the BBSes called the Norman Data office and left a message for "James Priest." Priest was immediately let go. David Stang, said Priest, told him the call was an indication that the hacker couldn't be trusted, that he was still in touch with the underground. Paranoia and recriminations flew. There had been an intern from William & Mary working at the company whose father was a Pentagon official, said Priest. The rumor was that Priest had been pumping the intern for information on how to penetrate Pentagon computers and siphoning it back into the underground. It was nonsense, said the hacker, but it became the official version of events. These were pretexts, thought Priest. The real reason he had to be shown the door, he said, was pressure from the higher-ups in Norway. They had been presented with him as a done-deal hire and it hadn't set well, he said. David Stang, said Priest, needed a reason to cut him loose and the phone call from the friend had been the peg to hang it on. Priest was a hot potato and he had to go. Back in San Diego once again, Priest almost sounded relieved. He had a Sylvia Moon-autographed copy of a computer book as a memento from the company and that was it. However, he had finally been able to videotape "The Satan Bug" telemovie. He shifted the VCR into replay and turned to look at his computer while it was playing. But the hacker said he still didn't know what the movie was about when it was over. He had been too busy at the PC to pay attention. Working . . . [Footnote: All the Secret Service's contact with Priest and his viruses and source code appears, in retrospect, to not have been much of a learning exercise. The organization recently awarded a large contract to Symantec, the makers of the Norton Anti-virus, to provide insurance against computer virus attack. The Norton Anti-virus has long been considered one of the worst choices imaginable for this type of service.] copyright 1994 American Eagle Publications