VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Notes from the virus Underground...

Kim Neely
Rolling Stone magazine
September 1999

[Back to index] [Comments]

Computer viruses are the terrorist threat of the digital age. The inside story of who creates them and why...

This article originally appeared in the Sept 16th, 1999 issue of Rolling Stone magazine. It has been transcribed into text file format, for widespread distribution. This article is contained below in it's entirety. Nothing was added, changed, or removed. This article is transcribed and released for distribution without permission nor knowledge of Rolling Stone magazine.

It's three in the morning on the internet relay chat channel #codebreakers, and Opic is waiting. It has taken a week of cryptic e-mail missives, bounced around the world and back again via a chain of anonymous remailers, to arrange this meeting, but the enigmatic twenty one-year old is here when he said he would be. "Sorry about all the confusion," he types. His welcome appears on the screen after a slight lag, a symptom of the proxy servers he's routing himself through to cloak the address of his internet service provider.

Opic is a "coder", part of a ten man internet virus-exchange (VX) group known as CodeBreakers. He writes computer viruses. In and of itself, this isn't a pursuit that would require anyone to go into hiding. Writing viruses is perfectly legal in the United States.

Intentionally spreading a virus to unwitting computer users, though -- thats a prosecutable offense. Especially if that virus turns out to be the fastest spreading piece of self-replicating code in history. You wouldn't want to be linked to someone even suspected of pulling a stunt like that. This is why Opic and other members of CodeBreakers have been so skittish lately.

Computer viruses are small, parasitic programs that attach themselves to other programs and reproduce. They've been around since the mid-Eighties, but the general public didn't become aware of them until 1992, When the data gobbling Michaelangelo became the first "celebrity" virus. Ten years ago, there were only about thirty known computer viruses. Today, according to Symantec and Network Associates, the top antivirus software companies in the United States, there are some 40,000 viruses in existance.

Anything that a virus does besides replicate is called it's payload. Some viruses contain no payload at all and can reside on a PC for years without being detected. Others display jokey screen messages, print text or play music. Some viruses cause gradual, insidious corruption of data files; others like dormant throughout the year and then destroy files or reformat hard drives when a certain date rolls around.

Viruses that permanently wipe out files or erase hard drives are the least common type. Still, virus researchers contend that there is no such thing as a benign virus. Even some "non-malicious" viruses are so sloppily programmed that they result in software malfunctions, crashes and file corruptions not intended by their authors. Theoretically, if a virus was buggy enough to disrupt the day-to-day operations of a crucial machine or network- say that of a hospital or an airtraffic control system - and happened to hit on a day when that organization's backup system was down, even the most harmless virus would have the potential to be life-threatening.

This spring Microsoft users everywhere met Melissa, a technically harmless - it contained no data destroying payload - but alarmingly prolific Word 97 macro virus. Among the viruses known to be actively spreading today, macro viruses are the most common. They are written in the Visual Basic for Applications programming language included in the popular software package Microsoft Office - the user-friendliness of which makes viruses fairly easy for even non-programmers to create - and travel via infected Microsoft Word or Excel Documents.

Melissa upped the ante for virus spreading. Instead of relying on users themselves to transfer the infected documents from machine to machine via disk or email, the virus operated like a chain letter from hell, corrupting Word documents and, if Microsoft Outlook e-mail software was installed on an infected machine, peeking into the user's address book and sending e-mails - each with an infected document attached - to the first fifty addresses found.

Melissa clogged email gateways, panicked PC users and sparked an FBI manhunt that at least initially pointed to a retired member of the CodeBreakers known as VicodinES. Vic, as he's known in the clannish virus underground, was first linked to Melissa when simularities were discovered between Melissa, and an earlier virus PSD2000, that he had created and that was available for download on his Website. The FBI began sniffing around the CodeBreakers a few days after Melissa surfaced, shutting down two Web sites containing viruses written by VicodinES:, the groups own site, and, a domain that hosted Vic's personal site.

Working from logs provided by America Online, investigators later traced the usenet post that triggered Melissa's joy ride to a thirty year old Aberdeen, New Jersey programmer named David L. Smith. Smith now faces charges that could carry a maximum penalty of fourty-years in prison and $480,000 in fines.

Authorities have yet to reveal whether Smith and VicodinES are one and the same. The CodeBreakers have maintaining from the beginning that Melissa was neither written nor spread by Vic. Rather, they say, Smith simply cobbled Melissa together out of two earlier viruses, one of them Vic's PSD2000. This is entirely possible: Files containing viruses are swapped like trading cards on the Internet, and coders often modify existing viruses to create their own new mutations.

Interest in the group on the part of law enforecement appears to have cooled in the months since Smith's arrest. So aside from the precautions they take to protect their identities, the CodeBreakers have returned to business as usual. They're still writing viruses, still making them available to anyone who cares to download them via an electronic zine, CodeBreakers VX zine, Edited by Opic. "After much internal dialogue," he explained in the zines first post-Melissa issue, the CodeBreakers had simply decided to "continue doing what they have always done: find new, innovative and interesting viral techniques."

Opic has agreed to this late night chat not because he is eager to rehash the Melissa sordidness but he because he was approached with what for him must have been a powerful lure: genuine curiosity about why he - or anyone - writes viruses.

Sarah Gordon, an anti-virus researcher with IBM who has been studying virus writers for nearly a decade, says it's impossible to tell how many coders are currently practicing, because many never tell anyone about their activities. She conservatively estimates that there are several hundred writers with a presense on the Net and that they make up roughly fifteen "active, findable" VX groups. Of those writers, only a small minority are very prolific. "There are always the little cliques and clubs that don't get the attention," she says.

Coders come in all different stripes, and their motivations and ethics vary widely. For every stereotypical fifteen year old bully who writes nothing but data destroying code that he e-mails to his enemies, there's also a middle aged Silicon Valley exec who downloads a virus from the internet, plays with it out of idle curiosity and accidentally infects his firms network.

Opic would seem to fall somewhere between those two extremes. A college student who focuses on the arts, he's been writing viruses for two years. He has no formal computer training; he's entirely self-taught. He usually reveals his interest in viruses to his girlfriends (if only to explain the long hours he spends at the keyboard), but his parents and other relatives don't know about it. ("Why involve loved ones who don't need to be involved?" he asks.)

Opic got his start by hacking into local university systems with a friend. Once he began learning about viruses, he was hooked. "I found it fascinating that I could actually make this computer do what I wanted," he types, "that I could write something that would travel from computer to computer. It's a classical art concept, playing God and all."

According to Gordon, many coders see what they do as a creative endeaver. At least one virus writer with whom she has had extensive contact, a Bulgarian coder known as Dark Avenger, channels his emotions into his code the way an artist would channel them into a painting.

"There was a certain frantic yet very deliberate way that he wrote his programs," Gordon remembers, "Some of the things that he'd put in the source code would just lead you around and around through this maze. And then there would be this part where the code was very calm, laid out very methodically. It was really interesting to see that during the times when things were really confusing in his life, he was writing code that if you looked at it, was like looking at a pile of spaghetti."

Opic is more imaginative then most coders. Instead of the requisite Iron Maiden lyrics or "Too bad, lamer!" brag messages, he salts his viruses with Fugazi lyrics and snippits of his own peotry. ("There is a path to the transcendence of the dollar: Embark rich beggars...."). Opic doesn't write data destroying viruses; a user whose pc is infected by one of his programs is more likely to be annoyed by pesky text messages that appear on a given day of the month or to be haunted by a printer with a mind of it's own. "I'm into making points through ambiguity, rather than the tried and true 'in-your-face' method," he says.

Most of the viruses he's writing these days are "proof of concept" programs, created to shine a big embarrasing spotlight on software vulnerabilities. One such virus is Caligula, the bit of code for which Opic is most widely known. A word macro virus, Caligula searches for the file containing a user's private encryption key - the key that enables users of the popular Pretty Good Privacy (PGP) utility to decode their encrypted documents and e-mail and uploads it to Opic's FTP site.

Opic says he had no intention of using the files to gain access to anyone's encoded documents. "I had no interest in impersonating or violating anyone or debunking PGP, which is a great asset to myself and millions of others," he says. "But it was vulnerable due to Microsoft's platform and some lazy or non-security conscious programmers. Had I not coded it, it's possible that someone with more malicious intentions would have."

Gordon says she's heard that argument from virus writers before. She views it as an attempt to legitimize irresponsible behavior. "if that's what you have in mind," says Gordon, "there are more responsible ways of working toward solving such problems rather than just posting something on the Internet and saying, 'Oh, here's a new problem; so that everybody in the world can go out and exploit it."

Opic concedes that in making their viruses available to anyone who's curious enough to seek them out, VXers do play a role in any damage caused by programs that fall into the hands of individuals with malicious intentions. But he counters, it's "an indirect role in the same manner that gun manufacturers play a role in thousands of murders each year." Still, why wouldn't Opic consider contacting a software manufacturer discrectly when he's written a virus aimed at vulnerabilities in that vendors product?

"Ever tried it?" he asks, "That's obviously the least intrusive route, but it doesn't work. The world is overrun by bureaucracy." He points to Caligula as an example. "What I did was nothing new," he says. "Many have known it was possible; many people in fact, have written and published papers on the problem. But no one did anything about it until I illustrated the point."

Rob Rosenberger - a security expert whose Web site, Computer Virus Myths, attempts to educate consumers about hoaxes and media hype related to viruses - says he believes that a small minority of virus writers do ultimately contribute to the greater good. "This is a controversial opinion," Says Rosenberger, "but I really think the guys who are writing at the state of the art should be left alone to do what they do, because they also force an advancement in the antivirus-world. They make the world more secure."

Not all viruses are inspired by security holes. Sometimes personal politics turn up between the lines of code. One of Opic's favorite creations, Koyyanisqati, was a macro virus that launched a "ping flood" attack - a barrage of data packets that overloads servers and disrupts internet connections - on four different websites. Two of the sites were devoted to kiddie porn; the other two were racist hangouts. Koyyanisqati Opic says, was his "attempt at a 'good' virus." Still, he can understand why someone like Sarah Gordon wouldn't see it as an achievement. "I suspect she would agree with my feelings in case, but not my methods," he says.

Gordon is one of the few people in anti-virus (AV) circles who deign to hobnob with the VXers, and though they don't always agree with her opinions, most coders who have met her view her with respect. She and Opic have been engaging in lengthy e-mail debates about virus writing lately. "She's very open," he says of her. "She's the only AVer I've met who is willing to actually discuss things rather than just sit around and mudsling." Many VXers despise those who work for anti-virus-software vendors, claiming that they exaggerate the threat virus writers represent in order to sell more software. "It's part of the deal," says Opic. "They have to demonize us in order to capitalize on the computer virus phobia that users have."

There's no question that the anti-virus-software industry - which has retail sales that are predicted to reach $1 billion by 2002 - stands to gain from nurturing virus hysteria. Anytime the threat of an especially sexy virus surfaces, the anti-virus companies race to develop fixes, issue "virus alerts" and bend the ears of quote-hungry reports. And invariable, after a virus outbreak that recieves national media attention, there is a subsequent spike in anti-virus-software sales: According to the Reston Virginia, computer-industry market research firm PC Data Inc., virus-protection-software sales increased by more than sixty-seven percent between March 28th and April 3rd, at the height of the Melissa scare. Most users know so little about the reality of viruses that it's easy for AV vendors to indulge in gloomy hyperbole to gain an edge.

"The threat of virus infection is now greater than ever!" claims the Product webpage for VirusScan at "The need to protect your PC has become vital, as there are now over 40,000 known computer viruses, with more than 300 new viruses being created each month."

Figures like that strike fear into the heart of PC users. What most of them don't realize is that of the estimated 40,000 viruses in existence, only about 150 are currently known to be actively spreading. The rest are cooped up in anti-virus research labs. And while AV firms often incorporate terms like deadly, dangerous and malicious into their sales literature, only a small minority of viruses pose any real threat to a user's data. A quick look at the July wildlist, a monthly tabulation of viruses known to be "in the wild," provides a more realistic picture. Total number of viruses known to be actively spreading: 132. And of the eighteen most common viruses reported in the July Wildlist, only three - CIH, ExploreZip and One_Half - destroy data.

There's an interesting symbiosis between VXers and AVers. The members of each group generally profess to despise the members of the other, but both groups in a sense are dependant on each other. Virus Writers need the antivirus industry to challenge them as well as to provide them with notoriety. In VX circles, having the antidote to your virus latest virus turn up in a new release of Norton AntiVirus or McAfee VirusScan entitles you to major bragging rights. In turn, virus writers are fond of pressing the notion that they keep an entire industry employed.

The friction between the two groups can be intense; frequent bickering matches erupt on Usenet newsgroups such as alt.comp.virus and comp.virus. The AVer's favorite ploy is to hit coders in the ego, accusing them of shoddy programming skills. Every once in a while, a coder strikes back. Nick Fitzgerald, a consulting editor for Virus Bulletin Magazine, once made the mistake of publicly scorning a virus writer for his "pathetic" programming abilities and later found himself on the recieving end of a creation called Cold Ape. A.k.a The Love Monkey Virus. Users infected by ColdApe unwittingly sent e-mails to Fitzgerald's address at Virus Bulletin, informing him that they wanted to make "hot monkey love" to him. Fitzgerald says that ColdApe cost him and Virus Bulletin "hundreds of hours" of work.

"If you did make this virus then first off, damn you," reads a June 2nd Usenet post by one Marcin Mirski. "And second, how can I get my infected files back?"

Messages like this turn up fairly often in the alt.comp.virus newsgroup. Mirski has come to the group to ask about the happy faces that keep showing up on his screen when he's using Windows 98. The happy faces, he reported in an eralier post, are accompanied by a message reading, "Oops! I've got such terrible munchies. TERMiTE v1.0 RAiD [SLAM]".

Withen twenty-four hours, Mirski's query has been answered with a post by RAiD, the proud papa of TERMiTE, a.k.a. HLLP.5000. "Isn't he kewl?" asks RAiD in his response. "Have you seen my graphical payload yet? Does it look like crawling termites to you? Have you seen my other payload yet? You're still here, so I guess not."

Other posters add to the thread, explaining to Mirski the steps he needs to follow to get rid of TERMiTE. before it launches the randomly triggered second payload, which will wipe his hard drive. In the midst of advice giving, David Chess, a highly respected antivirus researcher with IBM, pointedly addresses TERMiTE's author: "Just out of curiosity, RAiD, did you feel any impulse whatsoever to apologize to Mr. Mirski for having written a damaging virus in the first place?"

"None Whatsoever," RAiD fires back. "I'm rather proud of that virus, why on earth would I apologize for something it was designed to do? Mind you, I didn't expect it to get as far as it has, but that's neither here nor there."

A member of the VX group Slam and one of the loudest, most unrepentant coders on the Net, RAiD is the kind of virus writer who makes antivirus workers - and often other virus writers - gnash their teeth in frustation. He's the guy who pops into the mind of PC users as they nervously scan their disks with AV software. Not only does he write viruses with malicious payloads, he also takes a fairly obvious measure of delight in watching them spread.

What drives coders like RAiD? During an informal late-night Internet Relay Channel chat, he offered several clues. While his buddies - guys with handles like CyberYoda and VirusBust and Knowdeth - were standoffish RAiD was clearly itching for a piece of the spotlight. He expressed doubt about whether or not his comments would be accurately reported, writing that "the media have made us out to be villians," but he couldn't seem to resist sharing his views anyway. "Personally, I'm interested in exploits," he wrote, "and new ways to infect things. if it can be infected, I want to infect it. Not to cause harm to people," he added, "but to see if I can."

Two days later, an Anonymous email arrives, with a file "" - attached. "You get a sneak peak of the next virus that will be released eight hours from now," it reads. "You'll find it's a bit more complicated than a Word Macro virus, while enabling excellent worm functions."

"Because of the way it works," the missive continues, " the entire world will see it. Er, well, I hope." The message is signed, "Regards, RAiD [SLAM]"

As of yet, the entire world hasn't seen Toadie, RAiD's latest virus. But a few people have, By late July, posts under the subject header "REQ Toadie v1.0 Help" began cropping up in alt.comp.virus, and RAiD is happily holding court.

"Does anyone have any concrete reports on how far and widespread the Toadie virus is?" he asks. "We've seen four or possibly five people on Usenet infected, but has anyone been able to actually confirm any infection?"

"RAiD, I like your style," someone quips the next day. "I compare this to pissing through someone's letter box and then knocking on the door and politely asking, 'How far did it go?'"

According to Opic, RAiD is in the minority of virus writers today, one of a small number who are unapologetic about "opening [Pandora's] box and loving it." From what she's seen of RAiD's activities, Sarah Gordon agrees. "He's not very representative at all of the current crop," she says.

"There are malicious people out there, but they're not accepted around us," says Evul, a twenty-nine-year-old coder from the group Ultimate Chaos, whose members frequently associate with the CodeBreakers. "With me, it's about creating and sharing your creativity, as opposed to maliciously or subversively using it on somebody." Spooky, 17, one of Opic's compatriots in CodeBreakers, quit writing in April, when he examined the log files sent back to him by one of his viruses, marker and learned that it had infected organizations like Blue Cross- Blue Shield. "There have to be limits, and I think I have found mine," he explained on his Web site at the time.

Most people find it surprising that virus writers have any moral or ethical boundaries. When Gordon presents her research on VXers at industry conventions, she says, most of her audiences view virus writers as "Antisocial kids with no girlfriends," They're shocked to learn that in tests of ethical development, coders are usually withen the norms for their ages. "A lot of the people who do this are, in all aspects, normal, decent people," says Gordon.

Virus Writers who do happen to witness firsthand the human pain and problems wrought by a digital catastrophe often become ex-virus writers very quickly. "On a computer, you don't have contextual clues," Gordon explains. "People lose touch, and they don't realize the impact they're having on another persion. It's very possible that sometimes when virus writers say, 'Viruses don't really hurt people,' they believe that. They haven't seen that other person crying because they lost their thesis."

The most public guilt-induced defection to the VX underground has seen in recent years was that of Mike Ellison, a.k.a. Stormbringer, a former member of the Phalcon/Skism group. Ellison was fourteen and already interested in computer programming when the Stoned virus turned up on his machine. (One of the oldest known viruses, Stoned displays the message "Your PC is now Stoned!" on start-up.) At the time, he says, viruses were "mysterious, something you kinda had to learn on your own from disassembling them." He and a friend studied Stoned to see how it worked, and before long he was experimenting with a virus of his own. Ellison still remembers the day he wrote his first successful virus. "It was a bit of a rush," he says.

"Viruses are unique and quite interested in that they can travel without additional human intervention." Creating such a thing, he adds, is "a pretty neat feeling when you're that young."

By the time he was sixteen, Ellison was a card-carrying member of Phalcon/Skism as well as a second ground, the Trinity; he had a respectable rep in the underground and had written a slew of viruses. As Stormbringer, he wrote Key Kapture II, designed to capture the keystrokes made by a user and save them on any writable drive when the drive was changed. Writing for the Trinity, he produced Crucifixion, a virus that activated only when a user hit CONTROL-ALT-DELETE on Sundays in March or April; once deployed, the virus displayed a picture of Jesus on a cross, accompanied by music and animated sing along lyrics: "If your the Messiah and you know it, clap your hands." ("What can I say?" says Ellison. "I was bored.")

Ellison says that the members of Phalcon/Skism, with "one or two notable exceptions," were "very much against writing destructive code. That wasn't the point. The point was to learn and explore, and occasionally to one-up each other and other groups with skill." Although he did publish the source code for his viruses in the Phalcon/Skism zine, 40hex, he never let live viruses stray from his own machine. For the length of his tenure with the group, he believed that the only outside copies of his viruses existed in anti-virus research labs.

"I really didn't think any of my viruses would ever be seen in the wild," he says. "At the time, I didn't worry too much about publishing the source of my viruses, either. For one thing, I wanted to provide information and techniques to other virus writers and anyone else who was interested. But also, I really didn't expect some random loser to compile one of my viruses and go off infecting machines with it."

Reality hit in 1994 when Ellison was contacted by a user whose system had been zapped by Key Kapture II. A third party had acquired Ellison's source code, compiled it and loaded the virus onto the user's machine. When Key Kapture II began filling up the hopeless user's hard drive with captured keystrokes and he discovered he had only two megs of space left on his disk, he e-mailed Ellison to find out how to get rid of the virus. Ellison phoned the fellow to help him disinfect his machine. Today he describes that conversation as "traumatic."

"It really shocked me," he says, adding that he felt "very depressed and guilty." to learn that he had "somehow unintentionally managed to hurt someone on the opposite side of the world who had done nothing to me." Even worse, as Ellison later noted in a post on the Net, the Key Kapture-infected user "was kind, almost like he didn't really blame me... For some reason, this really shook me." Ellison quit Phalcon/Skism the next day, posting a public retirement letter on the Net.

Today, Ellison, 23, works as a software developer in Texas, "I've lost quite a few weekends myself cleaning up after viruses that found their way into companies," he says. "And while I've never seen a real loss of data, the lost man-hours and trust of the users in their computers is substantial."

Ellison still believes that "writing a virus in and of itself is in no way wrong." But, he adds, "allowing it to spread into the wild, either by one's own hand, which is malicious, or by another's, which I see as negligent, is."

Asked how he views the currently active VX groups in terms of their collective ethical mind-set, Ellison says the prevalent attitude today is "rebellious but not intentionally destructive. There are a handful of people who go into it with the intent of destroying random people's hard drives and others who basically feel that they are spraying the electronic equivalent of graffiti." Still others, he adds, genuinely do feel that they are serving the greater good. "People trust computers and technology too much, when so few really understand them," Ellison points out. "Viruses, by that view provide a destablizing force to remedy such unfounded trust."

Nick Fitzgerald claims that maliciousness in virus writing circles or, as he puts it, the "screw them over and trash their data" ethic - has become increasingly common within the last two or three years. But to Opic and his friends, the public image of the "typical" virus writer as a cyberterrorist hellbent on inflicting harm is just plain passe. According to Opic, few of the writers he knows are still interested in creating viruses that destroy data; the wave of the future is programs that collect it. The PGP-key stealing capabilities of Caligula, he says, merely scratch the surface in terms of what is possible.

Virus writers he points out, would not be such a threat to the computing public if it weren't for the constant dumbing down of PC technology - a result of the ever-increasing consumer demand for more-automated, user-friendly software and the eagerness of companies like Microsoft to meet it. There are a number of unsettling advances on the horizon that play into this dynamic. The VX community is now exploring viruses that propagate via programming languages like HTML, and Java, which are commonly used to write Web pages. Executable code can be embedded into HTML files, and because some newer communications programs automatically execute HTML when it's found in an e-mail, it's conceivable that viruses could be spread simply by users' viewing their mail. Java, says Opic, presents the possibility of "remote and automatic infection" - ie, visit a Website containing infected Java files, now you're infected. New internet languages create the possibility, Opic says, for "global infection in hours. A virus can spread to millions of computers before anyone even suspects there's a problem."

Asked if he can understand why most people find that idea scary, Opic says they should find it scary. Still, he contends that virus writers and their creations are only a symptom; the problem itself is the "overall development mentality" - namely, the low priority given to security issues by software manufacturers like Microsoft - that allows them to flourish. As long as there are operating systems and software programs with vulnerabilities that can be exploited, virus writers are going to exploit them - sometimes for no better reason than the fact that they can.

It's five in the morning, and lines of text are still marching across the screen. "Humans are almost forced to open Pandora's box at times," Opic writes. A few seconds later, a server message appears in the chat window: "Opic has set the topic on channel #codebreakers to 'Curiosity Killed the cat.'"

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka