VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Mark A. Washburn - Walking the Research Tightrope

Jim Bates
Virus Bulletin, April 1991, pp. 19-20
ISSN 0956-9979
April 1991

[Back to index] [Comments]


The business of taking MS-DOS computer viruses apart so that they can be analysed and classified is done solely to provide information that will enable rapid identification and effective protection for computer users likely to be at risk from the malicious targeting of such code. Researchers worldwide are becoming far more accomplished in their dissections and analyses but all of them are still severely overworked trying to keep pace with new viruses as they are discovered.

The Virus Writers’ Fallacy

The whole research effort operates under the one over-riding premise that there is no such thing as a computer virus which cannot be taken apart. Since virus code (by definition) must be totally mobile, it must also be completely self-contained - including such tricks as self-modifying code, pre-fetch queue manipulation, anti-debugging code and direct hardware access.

The particular collection of selected “tricks” used, together with their respective order and location within the program provides a recognisably unique “profile” by which a virus may be identified and dealt with. Virus writers recognised this fact some time ago and in some cases have gone to extreme lengths to hide the details of this “profile” from prying eyes by introducing various layers of encryption and randomisation of their code, even varying these from infection to infection.

The fact that virus code must be self-contained and therefore must be capable of decrypting itself before execution, seems to have escaped the restricted ‘intellects’ involved in virus production.

Nevertheless, some of them still persist in attempting the impossible - a truly undetectable virus which will escape detection by virtue of its anonymity.

A Bogus Researcher

One of the most stubborn of these individuals is known to researchers since he operates under the bogus guise of being a virus “researcher” and produces live virus code which contains his name and address!

I refer to Mr. Mark Washburn of the United States, who has produced V2P1 (1260) V2P2 and latterly the V2P6 virus.

That this man is allowed to write and distribute virus code with impunity is symptomatic of just how badly legislation against computer crime has fallen behind in various countries. By no stretch of the imagination can his “work” be classified as virus research since his code has produced nothing of which responsible researchers were not already aware.

What he has achieved is to distribute virus code of a most dangerous kind, through channels which lack any security and in such a way that there is no doubt that samples of his code are (or soon will be) in the hands of virus writers who will undoubtedly use his virus vehicles to deliver destructive trigger routines.

Reports of virus analyses produced for public information must necessarily be carefully examined before publication to ensure that they do not provide technical details which could be of use to virus writers.

(Editor’s note: the encryption methods used by V2P6 will not be analysed in detail here, but a discussion of the simple structure and infection method of this virus follows and will prove informative. Anti-virus software developers and bonafide researchers requiring information on the algorithmic methods to detect V2P6 should contact VB, Bates Associates, UK (0533 883490) or Fridrik Skulason at the University of Iceland (+35 4 1 694749).

V2P6 - The ‘‘Patternless Monster’’

In the case of the V2P6 virus, the technical details are quite sparse and completely innocuous. In the original sample there is no trigger routine, the virus does not become memory-resident and only COM files are effected. The infective length is between 1801 and 2350 bytes and no attempt is made to hide the increase in length from normal DOS operations.

A single COM file is infected each time the virus code is executed (the ‘one-shot’ replication method), first in the current directory, and then by searching along the designated PATH as specified within the machine environment area.

Infected files are marked with the ubiquitous 62 second marker in the date/time field of the file’s directory entry and this is used as a recognition flag by the virus itself. There are several bugs within the code, some of which affect how the virus selects files to infect. For example, it is obvious that file lengths of 10 and 63746 respectively were intended to be minimum and maximum limits but careless coding has resulted in the virus infecting all COM files except these two file sizes.

The internal V2P6 code is unremarkable. From a researcher’s point of view, this virus must be classified as “armoured” because as well as primary encryption (and randomisation), it contains a primitive routine which is supposedly designed to make disassembly difficult.

This is a linked INT 03H/INT 01H handler which decrypts and recrypts certain sections of the virus code “on the fly”. Such routines have already been observed in other virus code and present only a minor irritation to experienced researchers.

Self-Modifying Encryption

Washburn’s main effort (as in his other viruses) has been directed at randomising the primary decryption routine in such a way as to nullify the normal pattern recognition techniques used in most virus scanners.

More than half of the virus code is taken up with the convoluted calculations and bitmapping gymnastics needed to generate a randomised decryptor for each infection of the virus. This renders V2P6 capable of producing hundreds of millions of possible combinations for the decryption routine. All of the viruses that Washburn has produced seem designed to impress the researcher with just how “clever” he is at producing randomised encryption/decryption routines.

Unfortunately for him, simple pattern recognition is only a small part of the armoury of good scanning software. His approach produces a different kind of detection profile which is paradoxically even easier to recognise than a straightforward hex pattern.

Who Has Benefited?

It is therefore apparent that Washburn’s efforts have added nothing to existing knowledge about MS-DOS computer viruses other than to increase the already heavy workload of dedicated researchers around the world who must necessarily disassemble his nonsense. Continued production of such “research” viruses can only be detrimental to the research effort and his masquerade should be stopped forthwith. If he had not already demonstrated his irresponsible attitude to the virus problem, he might be better employed in helping the rest of us in a positive way by analysing existing virus programs for the general benefit of computer users everywhere.

As it is, there can be little doubt that eventually one of his programs (or a recognisable derivative) will appear as a vehicle for a malicious trigger routine. As will be seen, evidence is accumulating which suggests that this has already happened - the destructive Casper virus (which VB has obtained as a source code listing and which includes Washburn’s name, address and copyright notice!) and the anonymous Violator virus reveal an uncanny resemblance to Washburn’s V2P1 (1260) program. (Mr. Washburn denies having developed the Casper virus and claims that this is a ‘hacked’ version of V2P1. Ed.)

In the United Kingdom, there is a substantial body of opinion which maintains that Mr. Washburn should be held personally responsible should his code (or, indeed, modified versions of it) infect personal computers in this country.

Virus Attribute Summary

Name: V2P6

Origin: U.S.A. (Mark Washburn)

This is a non-resident, ‘one-shot’ COM file infector (including COMMAND.COM) which uses multiple encryption and randomisation. No static code exists between generations of V2P6, therefore it is not possible to extract a hexadecimal search pattern for this virus. There is no trigger routine. All COM files, except those with lengths of 10 bytes and 63746 bytes, are infected. Infected files are marked with a 62 seconds marker in the directory entry Time field; this is the virus’ self-recognition signature.

Washburn’s Legacy - The Threat of Randomised Code

Hello, all anti-virus "researchers" who are reading this message...

I am glad to inform you that my friends and I are developing a new virus, that will mutate in 1 of 4,000,000,000 different ways! It will not contain any constant information, so no virus scanner could be detecting it...

The virus will have many other new features that will make it completely undetectable and very destructive!

the Dark Avenger

This typically infantile message, purportedly from the Bulgarian virus writer calling himself ‘Dark Avenger’ was uploaded to Bulgarian BBSs in March 1991. It subsequently appeared on Fidonet and we are grateful to Michael Weiner, the Austrian virus researcher, for forwarding this transcript.

Self-modifying encryption, first identified in Washburn’s 1260 virus, is now being adopted elsewhere and the threat that this method will be employed by the Bulgarian ‘virus factory’ should be taken seriously. Virus scanning software will be somewhat impeded by the appearance of such code - the development of search algorithms for each such specimen is both painstaking and time-consuming. However, no virus will ever be ‘undetectable’ - CRC and cryptographic checksums will remain effective long after virus-scanning has ceased to be practicable. Meanwhile, researchers are confident that virus-specific detection will remain viable for the foreseeable future.

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka