cud512h.txt | Text File | 1995-01-03 | 6KB | 107 lines
Date: 05 Feb 93 11:51:29 EST
From: The Crypt Newsletter <70743.1711@COMPUSERVE.COM>
Subject: File 8--Some Comments on "Approach Zero" (review)
Dear CuD:
I'm sure a number of your readers have, by now, browsed through the
February issue of Discover magazine and seen the excerpt from another
book on "hackers" called "Approaching Zero," to be published by Random
House. The digested portion is from a chapter dealing with what
authors Bryan Clough and Paul Mungo call "the Bulgarian virus
connection."
While I found it interesting - outwardly a brightly written article -
to someone a little more familiar with the subject matter than the
average Discover reader, it was another flawed attempt at getting the
story right for a glossy magazine-type readership.
First, I was surprised that reporters Mungo and Clough fell short of
an interview with virus author, the Dark Avenger. Since they spent so
much time referring to him and publishing a few snippets of his mail,
it was warranted, even if he is a very tough contact.
In addition, they continually exaggerate points for the sake of
sensationalism. As for their claim that the Dark Avenger's "Mutating
Engine" may be the "most dangerous virus ever produced," there's
no evidence to support it. And they continue the hallowed media
tradition of calling the Mutation Engine a virus. It's not. The
Mutation Engine is a device which can be included in virus code to
grant the virus a sophisticated, variable encryption. That's all. It
does not automatically make a virus horribly destructive; that's a
feature virus-writers put into viruses separate from the Engine. And
although the first Mutation Engine viruses introduced into the U.S.
could not be detected by scanners included in commercial anti-virus
software, most of these packages included tools to monitor data
passively on any machine. These tools COULD detect Mutation Engine
viruses, a fact that can still be demonstrated with copies of the
software. It's also a fact that almost everyone covering the Mutation
Engine angle glosses over, if they bother to mention it at all. In any
case, Mutation Engine code is well understood and viruses equipped
with it are now no more hidden than viruses which don't include it.
Of greater interest, and an issue Mungo and Clough don't get to, is
the inspiration the Dark Avenger Mutation Engine supplied to virus
programmers. By the summer of 1992, disassembled versions of the
Mutation Engine were widely available on underground BBS's in this
country and abroad. It seemed only a matter of time before similar
code kernels with more sophisticated properties popped up and this has
been the case. Coffeeshop, a virus mentioned in the original Discover
piece, is just such an animal, although the authors don't get into it.
Coffeeshop utilizes a slightly more sophisticated variable encryptor -
called the Trident Polymorphic Engine - which adds a few features not
present in the Dark Avenger model. It, too, has been distributed in
this country as a device which can be utilized by virus authors
interested in shotgunning it into their own creations. It is of
Dutch origin, produced by a group of programmers operating under the
name "TridenT." They freely acknowledge the inspiration of the
Mutation Engine. Curiously, Coffeeshop is Dutch slang for a place to
pick up some marijuana. Interesting, is it not?
However, the Trident Polymorphic Engine is no more inherently
dangerous than the Mutation Engine. Viruses utilizing it can be
detected by the same tools used to detect Mutation Engine viruses
before those could be scanned.
The reporters also claim that disassembling a virus to find out what
it does is a "difficult and time-consuming process" capable of being
carried out "only by specialists." This is another myth which feeds
the perception that viruses are incredibly complicated and that one
can only be protected from them by the right combination of
super-savvy experts.
It has NO basis in reality. Almost all computer viruses can be
disassembled within 5-10 minutes by individuals with only a modest
understanding of computer programming and access to one or two common
diagnostic programs. The programs are so user-friendly they can even
print out a summary of a virus's key instructions! It's a complete
myth that anyone needs to be some kind of high-powered programming
expert to understand and analyze computer viruses.
And that's what's the most irritating about Mungo and Clough's
research. In search of the cool story, they further the dated idea
that virus-programming is some kind of arcane art, practiced by "manic
computer freaks" living in a few foreign countries where politics and
the economy are oppressive. While it's true that a few viruses are
clever, sophisticated examples of programming, the reality is that
almost anyone (from 15-year-olds to middle-aged men) with a minimal
understanding of assembly language can write them from scratch or
cobble new ones together from pieces of found code.
Since everyone's computers DON'T seem to be crashing from viral
infection right and left (remember Michelangelo?), Mungo and Clough,
in my opinion, really stretch the danger of the "Bulgarian virus
factory." This is such an old story it has almost become shtick, a
routine which researcher Vesselin Bontchev (apparently Clough and
Mungo's primary source) has parlayed into an intriguing career.
A great number of the 200 or so Bulgarian viruses the reporters
mention in fear-laden terms ARE already here, too - stocked on a
score of BBS's run by programmers and computer enthusiasts. Mungo and
Clough years." That's an easy, leading call to make because no one
will remember or hold them to it in 2000. I suggest "We don't know."
Now that would have been more honest. But I doubt if it would have
sold as well.
Downloaded From P-80 International Information Systems 304-744-2253