Electronic Information Channels
Used by Virus Programmers
Copyright (C) 12/1997 by Howard Fuhs
Bulletin Board Systems
World Wide Web
Compuserve and AOL
The virus-writing underground, too, needs to acquire information on new programming techniques, operating systems, security holes and product specifications. So what could be more natural than using readily available computer technology to exchange information and experiences with the similarly inclined? Using computers and modems, worldwide information channels for virus programmers were set up. They made it possible to transfer viruses and virus source code to other countries in a matter of seconds, thus reaching a wider audience.
An interesting side effect of this digital information exchange was the formation of groups such as NUKE, Phalcon/Skism and YAM (Youngsters Against McAfee). This grouping of virus writers only became possible with the Information Superhighway and led to internationalisation of the internal structure of these groups, whose individual members often come from different countries.
In this article we shall take a look at the various means of communication used by the computer underground. Since an increasing number of users inside corporations connect to international networks, it is necessary to understand the danger posed by the underground.
Bulletin Board Systems
The tool first used was the BBS. The best known virus BBS'es were probably Black Axis in the US and Arrested Development in Holland. The first underground BBS'es showed up in the US at the start of the eighties. Those that specialised in viruses were called VX-Boards (VX = Virus Exchange).
Since virus programmers considered themselves an elite, privacy was a priority, and it was difficult for new members to join. Membership as such was not really the point; rather, access to the virus libraries was. People who logged on to a VX-Board for the first time would have to answer a whole catalogue of questions. These were designed so that they could only be correctly answered by people with connections to the computer underground. This procedure ensured that curious eyes were kept from the forbidden files.
Only when the operator of the Bulletin Board, the Sysop, was satisfied with the quality of the answers was the user assigned a security level giving access to certain levels of viruses, source code, information or mail boxes. There were examples of BBS'es requiring correct answers to 80 questions, many of which were impossible to answer without insider knowledge.
A further limiting measure, introduced somewhat later, was the requirement to upload an unknown virus to the BBS in order to gain access and be allowed to download information. Because not every third-rate virus programmer wannabe is able to write a completely new virus, many resorted to the trick of altering an old one so that it was no longer recognised by anti-virus software. This helps explain the existence of so many trivially different variants of a number of old and widespread viruses.
As access to virus source code became easier, some VX-Boards became very liberal with regard to access to virus libraries. Ultimately many BBS'es abolished access limitations altogether; the Sysop of Black Axis even offered to deliver the viruses on diskette for a payment of $100.
BBS'es now play only a limited local role in the virus underground. The reason is that they normally need to be accessed by long-distance telephone connection, so the Internet is much cheaper to use. Most of the well-known VX-Boards no longer exist.
Prompted by improved electronic dissemination of information and the grouping of individual virus writers into rival groups, the first underground magazines appeared. Initially these were distributed through the BBS'es. The best known mags were 40Hex, NUKE Info Journal and VLAD. The mags published programming tricks and virus source code or debug scripts.
The internationally distributed non-commercial FIDO network also originally contained some niches for virus programmers. This net was the first to offer the possibility of exchanging information with 'colleagues' throughout the world at local call rates. Several discussion groups relating to virus writing were established and transported across the FIDO backbones. The best known was the Virus - nfo echo (not to be confused with the anti-virus Virus_Info!). Later, FIDO technology was used to route proprietary discussion groups outside the FIDO-Net, e.g. the NUKE - The World echo, and different networks were used to exchange viruses and utilities and send them around the globe.
The FIDO-Net now plays hardly any role. Among the reasons are the huge turn-around time (2-3 days from the US to Europe, and another two days to the Far East) and the old-fashioned and difficult software required.
As the Internet became accessible, that was where the underground moved. Whereas initially few virus programmers were to be found there - and most of these via university accounts - it is safe to say that the virus scene now exists only on the Internet.
The Internet offered the underground some advantages. Turn-around time for news was down to a few hours rather than days, and the Net was already so complex at the start of the nineties that it was easy to offer the curious of mind access to information and viruses without attracting undue attention from a wider audience.
The underground realised that the Internet offered access to a larger audience, and that led to commercial offerings of computer viruses.
The use of email completes the picture. This is the vehicle used by virus programmers and groups to keep in contact, and it offers the public an easy way to get in touch with virus writers. Their email addresses are often published, e.g. in underground magazines.
When the Internet started to boom, service providers emerged that were willing to rent out disk space on the net. It did not take long before large virus collections were offered through FTP. It was often a time-consuming task to find all the subdirectories containing viruses, but now things are better organised and it is easier to find what you are looking for. As opposed to the virus BBS'es, which did everything to attract attention, people running virus FTP sites tend not to advertise the fact. Only insider tips would bring you there.
World Wide Web
The most recent Internet development is the World Wide Web. The GUI and the ease of use have made it possible even for simple mouse-pushers to join in the fun. Surprise, surprise: the viruses moved to the WWW. Now you can find complete (though normally quite old) virus collections, programming tips, source code and virus production utilities on the Web. You can also find unambiguous commercial offers regarding viruses, e.g. 2000 viruses on diskette for $100.
Unfortunately it is easier than would be desirable to get at these web pages, and visiting such pages, or downloading viruses for "test purposes" onto a company or private computer, must most emphatically be warned against. Even if only old viruses are involved, the consequential damage caused by a widespread infection can be enormous. Particularly in the case of company Internet accounts, clear policies and guidelines must exist telling the user exactly what he is allowed to do on the Net. If it is not explicitly permitted, it must be regarded as prohibited for security reasons.
The Internet Relay Chat is the live talk forum on the Net. Some virus chat channels exist, allowing participants to talk directly to virus writers about programming techniques and other subjects. This facility is mainly interesting for discovering which development plans are currently in the minds of the virus writers and which viruses they would like to program - or which viruses they have programmed before.
Compuserve and AOL
With regard to on-line service organisations like Compuserve and America On-Line, only individual virus writers are to be found there. This may be connected with the fact that the service providers must know who uses the service in order for the fees to be calculated and billed, so the identity of a user must be known. Furthermore, the on-line services employ staff who are responsible for the content of the information offered through the service. It is of course not impossible that on-line services are used by virus programmers under their true names, but they do not advertise themselves as virus writers in this forum.
It is necessary here to draw a clear line between the on-line service and the Internet. Both Internet access providers and on-line services offer access to the Internet, and it is of course impossible to control or filter the information accessed by their users through that channel!