1993-02-19 - toad.com mailing list postings from possible virus authors

Header Data

From: gnu (John Gilmore)
To: gnu@toad.com
Message Hash: f05bd406de68c685807d540050b769ddc82191e8bac2e668561bd969065ad603
Message ID: <9302190140.AA08377@toad.com>
Reply To: N/A
UTC Datetime: 1993-02-19 01:40:18 UTC
Raw Date: Thu, 18 Feb 93 17:40:18 PST

Raw message

From: gnu (John Gilmore)
Date: Thu, 18 Feb 93 17:40:18 PST
To: gnu@toad.com
Subject: toad.com mailing list postings from possible virus authors
Message-ID: <9302190140.AA08377@toad.com>
MIME-Version: 1.0
Content-Type: text/plain

This is the message I received which complained about "inappropriate
use of the Internet".  He also phoned me to complain.

I know the cypherpunks already know this, but Dave Farber's audience
might not have thought about the implications for free speech of
having the government build a multi billion dollar Internet
replacement.  Bureaucrats and random complaints from third parties on
such a network *will* cause you grief about what you are allowed to
say and do.  The company I buy networking from is Alternet, and
because they exist, I can protect myself from this sort of meddling.
They will not be able to compete with the taxpayer funded "national
information infrastructure", and my only option, if I want to be on
the net, will be to hook up under the government's rules.

If after seeing this exchange you still don't believe me, talk to
someone at a controversial broadcast radio station.  Radio is living
under that yoke *now*, and they have some real stories to tell.

	John

Date: Tue, 16 Feb 1993 12:53:14 -0500 (EST)
To: gnu@cygnus.com (John Gilmore)
Cc: CMcDonald@WSMR-SIMTEL20.Army.Mil (Chris McDonald),
        krvw@cert.org ("Kenneth R. van Wyk")
Subject: toad.com mailing list postings from possible virus authors
From: w8sdz@TACOM-EMH1.Army.Mil (Keith Petersen - MACA WSMR)
Message-Id: <9302161253.16494.w8sdz@TACOM-EMH1.Army.Mil>

John, below is the posting I called about.  In my opinion this is
inappropriate use of the Internet.  This person appears to be a virus
author, one who knows virus authors, and/or one who encourages such
activity. 

What is the policy of toad.com concerning such postings?

Keith
--
Keith Petersen
Maintainer of the MS-DOS archive at WSMR-SIMTEL20.Army.Mil [192.88.110.20]
Internet: w8sdz@TACOM-EMH1.Army.Mil     or      w8sdz@Vela.ACS.Oakland.Edu
Uucp: uunet!umich!vela!w8sdz                         BITNET: w8sdz@OAKLAND

> From: thug@phantom.com (Murdering Thug)
> Subject: Re: Viral encryption
> To: cypherpunks@toad.com
> Date: Thu, 11 Feb 93 11:47:43 EST
> 
> As Mr. Ferguson pointed out, polymorphic viruses are making their way into the
> DOS world.  This is a problem in the short term, but not in the long term
> because people will be changing to memory-protected & file-permission based
> operating systems like NT, OS/2 and Unix, where it is very difficult for
> most kinds of virus to spread.
> 
> I myself am very familiar with the virus underground, so for those who are
> not, let me explain the two newest and most deadly virus techniques which
> are being seen in the DOS world.
> 
> The first is something called "Stealth" viruses.  Stealth viruses embed
> themselves into DOS and intercept disk read calls from applications. If
> those read system calls are reading non .EXE or .COM files, then they are
> processed normally.  However, when an application such as a virus scanning
> program is reading in .COM and .EXE files (in order to scan them for virus
> code), the stealth code in DOS intercepts this and returns to the application
> what the .EXE or .COM file would look like if it wasn't infected by the
> stealth virus.  Thus, all virus checking programs can be deceived in this
> manner.  There are steps to get around this, like booting off of a
> write-protected floppy disk (with a clean copy of DOS on it) and running
> the virus checking program directly from that floppy.  But people seldom
> do that, so the stealth technology is a worthwhile one for virus creators
> to pursue.
> 
> The second is called "Polymorphic" viruses.  These are viruses which
> contain a tiny encryption/decryption engine.  The great thing about
> polymorphic viruses is that they encrypt themselves with a different key
> each time they replicate (make a new copy of themselves).  The small
> amount of virus bootstrap code which is not encrypted is changed in each
> replication by dispersing random NOP's throughout the virus bootstrap code.
> Thus each sample of polymorphic virus looks completely different to
> virus checking programs.  The virus checking programs cannot use
> "signature" byte strings to detect polymorphic viruses.
> 
> I have seen something called D.A.M.E., also known as Dark Avenger
> Mutation Engine.  This is a freeware polymorphic library/kernel/toolkit
> which allows anyone to take an ordinary virus and wrap it in a polymorphic
> shell.  Thus each new copy of the virus will look completely different
> as it replicates.  D.A.M.E. is a great toolkit for those who want to
> release new viruses but don't have the skills to write a virus from
> scratch.  DAME works very well with Turbo Assembler and MASM.
> I believe that DAME II will be coming out sometime this spring. At
> least that is what the author has promised.  Among the new features
> will be more powerful encryption, stealth capabilities, and compatibility
> with Stacker and DR DOS compressed file systems.  I have read that the
> author of DAME and DAME II will be coming out with a Virus Construction
> Set, which will allow point-n-click building of new viruses using
> object oriented techniques.  It works sort of like a Mr. Potatohead:
> you point and click on the parts/modules you want and it builds it for
> you.  You select the replication method, stealth capability,
> polymorphism, and payload module (there are several payloads, varying
> from playing music and showing graphics, to printing a text message on
> screen, to complete wipe out of the HD). The really wonderful thing
> is that you will be able to build your own modules and link them into
> the virus.  I am sure a flourishing of third-party modules will occur.
> 
> With the VCS, a 9 year old can build a completely new virus just by
> pointing, clicking, and dragging, popping up windows and choosing options.
> 
> My oh my, aren't we in for fun times ahead...
> 
> Thug

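An added illustration of the two detection points raised in the quoted post (this is not code from the original message or from any tool it names): a fixed byte signature fails once each copy is encrypted with a different key and padded with random NOPs, stripping the padding before matching recovers the unencrypted stub, and a hash baseline taken from a trusted view (the clean-boot floppy of the post) flags changed files without any signature. STUB, BODY, the file names and the XOR scheme are constructed stand-ins, not real code.

```python
import hashlib
import random

NOP = b"\x90"
# Constructed stand-in for an unencrypted decryptor stub; these bytes are not real code.
STUB = bytes.fromhex("b91000be20018034004ce2fac3")
# Constructed stand-in for the encrypted body; no real payload.
BODY = b"CONSTRUCTED-BODY-PLACEHOLDER-NOT-REAL-CODE"


def make_variant(seed):
    """Constructed sample imitating one replication: 0-2 NOPs after each
    stub byte, then the body XORed with a per-copy key drawn from the seed."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    stub = b"".join(bytes([b]) + NOP * rng.randrange(0, 3) for b in STUB)
    return stub + bytes(b ^ key for b in BODY)


def signature_hits(samples, sig):
    """Classic scanner: count samples containing a fixed byte string."""
    return sum(1 for s in samples if sig in s)


def normalize(sample):
    """Strip padding NOPs so inserted 0x90 bytes no longer break the match."""
    return sample.replace(NOP, b"")


def normalized_hits(samples, sig):
    """Scanner that matches against the NOP-stripped sample."""
    return sum(1 for s in samples if sig in normalize(s))


def baseline(files):
    """Hashes recorded from a trusted view of the files (name -> sha256 hex)."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}


def changed_files(base, current):
    """Any replication alters bytes, so a baseline mismatch flags infection
    with no signature at all; new or altered names are reported sorted."""
    return sorted(n for n, d in current.items()
                  if base.get(n) != hashlib.sha256(d).hexdigest())


if __name__ == "__main__":
    samples = [make_variant(s) for s in range(20)]
    print("raw body signature hits:", signature_hits(samples, BODY[:8]))
    print("raw stub signature hits:", signature_hits(samples, STUB))
    print("NOP-normalized stub hits:", normalized_hits(samples, STUB))
    clean = {"A.COM": b"clean program image", "B.EXE": b"another clean image"}
    infected = dict(clean, **{"B.EXE": clean["B.EXE"] + samples[0]})
    print("changed since trusted baseline:", changed_files(baseline(clean), infected))
```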