Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Interview with roy g biv

izee
Electrical Ordered Freedom #2 (EOF-DR-RRLF)
July 2007

1
[Back to index] [Comments]

EOF:We welcome you, roy g biv! First of all, many thanks for your agreement to take an interview from you for EOF issue #2. Please make a short introduction about you, roy g biv.

rgb:Hi there, I am roy g biv. I am a 28 years guy, from a city in a country in the world. Some things must be secret. :)

EOF:How many years you are interested in computer viruses?

rgb:It was 1992, so 15 years now.

EOF:Why you decided to start writing viruses?

rgb:There are many boring viruses so I thought to make some interesting ones.

EOF:It would be interesting to know a story of your handle. Why you have chosen exactly "roy g biv"? What does it's means?

rgb:Now I don't remember anymore. It is the names of the colours of the rainbow in English - Red, Orange, Yellow, Green, Blue, Indigo, Violet. Probably I saw that when I started learning English and it sounds like a real name.

EOF:What do you prefer to do except virus writing? What are your main hobbies and interests?

rgb:When I am not writing viruses, I am researching techniques for writing viruses. :) I am always thinking, trying to find something new that no-one did before. I am a machine with skin.

EOF:Tell us about your first steps, roy g biv. What was your first virus? What was your first group in which you joined? Who and what helped you? What feeling was, when you started to write viruses?

rgb:I helped Prototype on his Bad Seed virus in 1992 and his Orsam virus in 1993. They were DOS viruses and I wrote some stubs for COM and EXE files, so you could say in source what kind of file to produce. I worked on his DMA virus after he died, made the code smaller and faster. It gave me confidence to make in 1994 my first virus alone. That was HiAnMiT. My first group was Defjam. I joined officially in 1993.

No-one helped me to learn the coding directly, because internet was expensive so just for e-mail with Prototype sometimes. I looked at some virus collections of friends, but I always wanted to make something that no-one ever saw before. For that, I needed only imagination and patience to research and try things. This is still how I develop the code today.

When I started, I felt a joy like finding something that was lost. Purpose, motivation. Hard to describe. My works are security research but they also replicate. If eEye can make a PXE virus, then I think I'm okay, too. :)

EOF:We saw many of your works, roy g biv, and we have to admit that they are very great and unique. It would be great if you could list all of your works (viruses, worms, researches etc.) here. The descriptions are welcome as well. ;)

rgb:Okay, here is the list:

Old research - in Vlad #7 was published the list of strings that could make any file never detected by Thunderbyte TBScan. TBScan used for speed a list of exclusion strings. It means that any file that began with one of those strings would not be scanned further and nothing reported, even if other virus strings could be seen. TBScan even had a string for itself because otherwise it would report itself as a virus since it triggered many heuristic flags.

DOS viruses:

HiAnMiT
this was my first virus. It was a memory-resident DOS virus that infected the MBR, and COM and EXE files without looking at the suffix. The MBR code exploited the circular partition bug in MS-DOS so user could not boot from floppy to clean the system. Virus was full stealth in the MBR and the files, and for the memory size, too. If you wrote to an infected file, the virus code would be removed properly and added again on close. CHKDSK reported no errors even when the virus was active. MEM would show the original memory size as though the virus was not there. If you loaded the file in Debug, the loaded file would be clean in memory. All that in 2086 bytes. I wrote some other modules for it later - UMB residence, floppy boot sector infection, .SYS infection, piggybacking (defeated Invircible's anti-piggybacking code).
FarQRSol
this was HiAnMiT with oligomorphic decryptor. In-memory image was encrypted, too, so hard to detect.
HiAnMiT Lite
this was "light" version of HiAnMiT. It did not support infection of files after create, only on open. No debug support. This made the code smaller and less complex.
FarQRSol Lite
this was "light" version of FarQRSol, same difference for HiAnMiT Lite.

Win16 viruses:

I had ideas for Win 3.x viruses, but I never managed to finish anything. It was a terrible platform.

Win32 viruses:

W32.Shrug
this was a direct-action virus that infected PE files (EXE and DLL) without looking at the suffix. It was the first virus to use the TLS callback method to run the code before the entrypoint. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.
W32.OU812
this was a direct-action virus that infected VB5 and VB6 EXE files without looking at the suffix. It was the first virus to use the language extensions to run the code. It altered Visual Basic files to require that the virus DLL was present on the system in order for the file to load. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.
W32.Chthon
this was a direct-action virus that infected PE files (EXE and DLL) without looking at the suffix. It was the first native executable virus. It ran before the Windows GUI loads. Infected files used the TLS callback method to run the code, just like Shrug. It was completely Unicode internally because it ran only on Windows NT+. If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.
W32.EfishNC
this was my first attempt at a super Windows virus. It was a memory-resident virus that infected Windows EXE files without looking at the suffix. It would infect files on all fixed and mapped network drives, and network shares. It looked for network shares on the local network and also using random IP addresses. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file. It was entrypoint-obscuring and used a tiny (<=32 bytes!) oligomorphic decryptor. It was the first virus to be encrypted using a simple substitution cipher. I thought that scanners could not break it, but I was wrong. There is an x-raying paper from Virus Bulletin 2004 which describes how they did it. It's a good paper.
W32.Gemini
this was a memory-resident virus that infected PE files (EXE and DLL) without looking at the suffix. It would infect files on all fixed and mapped network drives. It was the first virus for Windows that ran as two processes watching each other. If either one process was modified or suspended or terminated, the other would create a new process for it. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.
W32.EfishNC.B
this was EfishNC updated to use a polymorphic decryptor.
W32.Junkmail
this was my second attempt at a super Windows virus. It was EfishNC with a SMTP engine so it could send mail. It was the first virus that would send e-mail using polymorphic SMTP headers. For that, I had the help of RT Fishel who came out of retirement just for that project. The subject and message body were variable. The text was all compressed to save space and also to make it hard to know what it could say. It knew all of the vulnerable IFrame types (MS01-020). It could send in .BAT, OLE2, or PE formats. The .BAT part was polymorphic, too. RT Fishel wrote a executable-ASCII base64 decoder that used no dictionary! That was 2002, and I think that still some scanners cannot detect it.
W32.EfishNC.C
this was EfishNC.B updated to use a homophonic substitution cipher. Still they were able to break it. The paper describes the weakness in my code, but I have never bothered to fix it.
W32.JunkHTMaiL
this was the first virus to use the self-executing MHTML exploit (MS03-014). It was based on Junkmail but it sent only binary files. The base64 part was polymorphic, though.
W32.Charm
this was a direct-action infector of .CHM files. It would append an object to every .HTM file inside the .CHM. The object has a codebase reference to the virus code in the .CHM. It was the first virus that could infect .CHM files.
W32.Junkmail.B
this was Junkmail updated to use more polymorphic SMTP headers, and to include the unregistered suffix exploit (MS05-016). I found a second CLSID that could be used to execute the code. I believe that this one is still unpatched...
W32.Hidan
this was a memory-resident infector of PE files (EXE) without looking at the suffix. It was the first IDA plugin virus. It would infect files that were loaded into IDA. It automatically selected the correct text-encoding method (ANSI for Windows 9x or Unicode for Windows NT+). If the relocations were at the end of the file, then the virus would move the relocations down and insert itself into the space. The virus also added random amounts of garbage to the end of the file to interfere with scanners that look at the end of the file.
W32.Hidan.B
this was Hidan updated to support IDA 4.9+.
W32.Boundary
this was a direct-action infector of PE files (EXE) without looking at the suffix. It used a polymorphic decryptor that contained no MOV instructions. All register initialisation was done using arithmetic instructions (ADD/SUB/OR/XOR) only. It was entrypoint-obscuring through an altered entry in the import table. It used the fact that if a file contains a valid Bound Import Table, then the import table can be altered on disk and Windows will not touch it.
W32.Stutter
this was a virus that can relocate almost every one of its instructions. This was done before, of course, in Ply and some others on DOS, but they used JMP to link the instructions. Stutter uses int 3 to link the instructions, so there is no obvious way to know where is the next instruction. Only the int 3 handler cannot be separated like that, so I made that oligomorphic instead - random register usage and "variable constants".
W32.Spiffy
this was the first virus that is a self-executing PIF. The structure is a PIF with the PE file that holds the virus, then the host file appended to it. When you run the PIF, it runs a debug script which extracts and runs the virus file, which extracts and runs the host. Then it searches for another file to infect in that way.
W32.WeakLNK
this was the first virus that is a self-extracting LNK. It is just Spiffy but using LNK format instead.

Macro/Script viruses:

VBS.Pretext, JS.Pretext
these were the first script viruses for Windows that could prepend to data files. The data files would still run if you clicked on them. Great for .TXT or .JPG or .DOC, etc.
VBS.Conscrypt, JS.Conscrypt
these were direct-action viruses that infected VBS or JS files. They were the first viruses to use variable skip-code encryption. The decryptor was polymorphic, too.
VBS/O97M.Macaroni
this was my first attempt at a super Office virus. It was the first virus that could infect Word, Excel, PowerPoint, Access, Project, Visio. It knew how to switch off the macro protection and allow access to the Visual Basic Object Model. It was written in 2005, but it could infect Office 2007 when it was released with no changes to the code! Best of all, it used the same code for all of the applications, and only ~130 lines.
VBS/O97M.Macaroni.B
this was Macaroni updated to infect VBS files, too. The code was written so that the VBA code was also the VBS code with no changes required, so it was easy.
VBS/O97M.Macaroni.C, JS/O97M.Macaroni.C
this was Macaroni.B, but this time without needing to access the Visual Basic Object Model anymore. The JS version could infect .JS files as well.
VBS/JS.ACDC
this was the first virus that could be executed as either VBScript or JScript, depending only on the suffix. I always wondered if this was possible because I had seen other kinds of cross-infectors, such as BAT/VBScript, etc, but I had never seen VBS/JS before.
VBS.Screed, JS.Screed
this was a direct-action infector of VBS/JS files. It used the Scripting.Encoder object to dynamically encrypt the virus body in a polymorphic way. It was the first virus to do this.
SB.Starbucks
this was an infector of all StarOffice and OpenOffice applications. It was the first virus for StarOffice and OpenOffice. Necronomikon's Stardust viruses didn't work. He must have never actually run the code. Is funny that Kaspersky guys said "we're not hyping it" even though they were, and "it infects files" even though it didn't.
IDC.ID10TiC
this was a direct-action infector of IDA IDC files. It was completely self-contained, unlike SPTH's Gattaca virus, but my code was super simple and his code was super advanced. :)
JS.Unicycle, JS.Unicycle.B
these were the first script viruses to use the Unicode escaping for polymorphism. Since the escaping is converted automatically by the scripting engines, there is no need for a decryptor. The first version had to apply some rules to avoid escaping special characters, but the second version was able to escape everything except one '(' and one ')'.

.NET viruses:

MSIL.Croissant
this was a direct-action infector of PE files (EXE) without looking at the suffix. It was inserting and entrypoint-obscuring. It appended itself to a random routine, and moved everything else down in the file. It fixed up all variables and tables. It did all this without relying on any of the built-in Compiler methods. It parsed the file format itself and updated everything on its own. It could infect 32-bit and 64-bit files. It was the first virus that could do all of that.

64-bit viruses:

W64.Shrug (IA)
this was the first 64-bit virus for Itanium. It was just a 64-bit version of Shrug. IA64 assembler is really hard to write. I won't do that anymore.
W64.Shrug (AMD)
this was the first 64-bit virus for AMD64. Also just a 64-bit version of Shrug.
W32/W64.Shrug
this was the first 32-bit/64-bit cross infector. The 64-bit part was for AMD64 only. I never made an Itanium version of it. Each part could infect both file formats.
W64.Boundary
this was the first polymorphic virus for AMD64. It was just a 64-bit version of Boundary, but it was written to show that coding for both 32- and 64-bit platforms is very easy.

OSX viruses:

OSX.MachoMan (IA), OSX.MachoMan (PPC)
these were the first viruses for OSX that could directly infect Mach-O files. Instead of OSX.Leap method, which used a resource fork, MachoMan can look inside the Mach-O format to add a new segment and append the code directly. The segment was special because it was mapped to address 0. This made GDB to crash, and IDA did not know about LC_UNIXTHREAD, so the virus code could not be seen in those tools.

New research - I can't say. I don't want to give away any hints about where I will strike next, but I have plans. ;)

EOF:Whence you take names for your viruses usually?

rgb:For some old ones, I try to play with the English sounds, because English is a funny language:

For Shrug, I could not think of a name and then was the deadline for submit to 29A zine.

For Chthon, it's an old English word that means "native", because it's a native virus. I don't know how to pronounce it.

For some, I pick a word that includes something about the behaviour:

Sometimes, I pick a word that includes the letters of the file format:

I chose "Croissant" because AV guys called Benny's virus "Donut" and mine is tastier. :)

I don't know why I chose "Stutter".

EOF:Which types of viruses you personally like? Do you have some favourite viruses except your ones?

rgb:I like the viruses that demonstrate new techniques. These are things like Zombie's MistFall and Mental Driller's Metaphor. CIH was interesting even though it was very simple. There are probably others, but there are too many viruses these days.

EOF:Which methods of infection do you prefer and which techniques do you like more? How you think, what we can expect in the future?

rgb:I like file infection that uses special methods, like insertion or multiple cavities. Perhaps all of the infection methods have been found by now. What remains are new ways to get control or new ways to decrypt the code.

EOF:How you think, what is most important in viruses or worms? New techniques, new holes or new platforms, which Anti-Virus software don't protects yet?

rgb:It depends on why the virus was written. For demonstration purposes, always new techniques or new platforms are the most important. To spread quickly, new holes must be found. I don't care about Anti-virus, since they will always detect it eventually.

EOF:How you think, what we can expect in the future from worms? What in your point of view is more interesting to code, worm or virus?

rgb:The future of worms is the same thing forever - all the worms that we see now spread over e-mail or P2P or IM or something like that, and they all look the same. When the reason for writing is to spread, then no-one thinks about new techniques so everything is a copy of everything else.

I do the work to exercise my brain, so I don't care about spreading. That's why all of my works look different. The virus is the more interesting to code because it is the harder to code, since it has to take care of more things on the system and the file. A worm needs to know only a protocol for spreading and not much more.

EOF:Which in your opinion platforms is unexplored yet? How you think, which platforms is the best for malware nowadays?

rgb:I don't know about any platforms that are unexplored and still good for demonstrations. It is mostly applications that are left, like recently WinHex supports scripts and now there is a virus for it, Maya 3D supports scripts and now there is a virus for it. In the future, there will be new interesting hardware platforms. Maybe digital photo frames could be infected and the payload could be to download our pictures instead.

The best platform for malware now is still 32-bit Windows. OSX is interesting because Safari has so many vulnerabilities, and Linux is popular, but still the users prefer Windows. The 64-bit platform will become more popular in the next years, but not yet.

EOF:Whether something has changed since you are on the scene?

rgb:Many top people quit, many top groups died. Some top people remain, some top groups, too, but the original people got old and tired and there is almost no-one to replace them. Viruses for money has changed the motivations of many people, too. It's no longer about techniques. The, how to say, finesse is lost.

EOF:Sometimes we see, that you sign your works with "/defjam". Could you tell us more about this group, roy g biv?

rgb:Defjam was my first group. When I joined, it was just one coder and one designer and me. In 1995, RT Fishel joined, and wrote one virus. Then no-one did anything after that. I used the name in 2001 when I moved to Win32 because I always liked it, and I started using it again after 29A finished, but it was just me for all that time. So if someone wants me to join their group, then I am available for that. ;)

EOF:How you think, when and who invented the first self-replicating code?

rgb:Maybe Victor Vyssotsky, Robert Morris Sr., and Douglas McIlroy with Darwin in 1961? This supported real programs that could copy themselves within the environment.

John Conway in 1970 made his Game of Life, where the code is the cell. John von Neumann described before that about self-replicating automata, but he never made any.

John Walker wrote Pervade in 1975. That might be the first program to copy itself to other machines.

EOF:What is your point of view about commercial malware?

rgb:It has destroyed the scene and it hurts real people.

EOF:What is your opinion about Anti-Virus researchers?

rgb:Some of them have incredible skills and I respect them for that. Sometimes I wish that I had found AV first, maybe they would have hired me. Now, for sure not. :) Some of them are just stupid people who love to see their name in the news.

EOF:What are your future plans as a virus writer, roy g biv?

rgb:More platforms, more file formats, more techniques. When I run out ideas then I will retire. I have a text file with a list of techniques that I want to try. That list has 15 entries right now.

EOF:This is your free space, roy g biv. Here you can send greetings and wishes for friends or someone else.

rgb:I would like to greet these friendly people that have sent me nice mails over the years:

Active - Benny - Malum - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna - VirusBuster - Whitehead

EOF:We are at the end of our interview, roy g biv. Many thanks for the great time, that you brought to us. ;) Wish you all the best from the whole Electrical Ordered Freedom team. See you!

rgb:Thank you to the EOF team for giving me the honour to be included in their zine. Also for allowing me this opportunity to talk about myself for so many lines. :D

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua