An additional post from the Wall Street Journal and Gimlet Media on June 10, 2022. The three-part podcast mirrors this article published on September 16 1999 in Rolling Stone. It is significantly noteworthy. Though the rules of engagement in security are essentially the same, the decentralization and perimeter have grown exponentially, vanished, and largely diversified to be everywhere. This results in learning opportunities to full exploitation, anywhere.
Why ask those who see it as it is, why not ask those who see what could be?
Computer viruses are the terrorist threat of the digital age. The inside story of who creates them and why >>>>>> Kim Neely
This article originally appeared in the Sept 16th, 1999 issue of Rolling Stone magazine. It has been transcribed into text file format, for widespread distribution. This article is contained below in it’s entirety, with pictures. Nothing was added, changed, or removed. This article is transcribed and released for distribution without permission or knowledge of Rolling Stone magazine with regard to this article.
It’s three in the morning on the internet relay chat channel #codebreakers, and Opic is waiting. It has taken a week of cryptic e-mail missives, bounced around the world and back again via a chain of anonymous remailers, to arrange this meeting, but the enigmatic twenty one-year old is here when he said he would be. “Sorry about all the confusion,” he types. His welcome appears on the screen after a slight lag, a symptom of the proxy servers he’s routing himself through to cloak the address of his internet service provider.
Opic is a “coder”, part of a ten man internet virus-exchange (VX) group known as CodeBreakers. He writes computer viruses. In and of itself, this isn’t a pursuit that would require anyone to go into hiding. Writing viruses is perfectly legal in the United States.
Intentionally spreading a virus to unwitting computer users, though — that’s a prosecutable offense. Especially if that virus turns out to be the fastest spreading piece of self-replicating code in history. You wouldn’t want to be linked to someone even suspected of pulling a stunt like that. This is why Opic and other members of CodeBreakers have been so skittish lately.
Computer viruses are small, parasitic programs that attach themselves to other programs and reproduce. They’ve been around since the mid-Eighties, but the general public didn’t become aware of them until 1992, When the data gobbling Michaelangelo became the first “celebrity” virus. Ten years ago, there were only about thirty known computer viruses. Today, according to Symantec and Network Associates, the top antivirus software companies in the United States, there are some 40,000 viruses in existence.
Anything that a virus does besides replicate is called it’s payload. Some viruses contain no payload at all and can reside on a PC for years without being detected. Others display jokey screen messages, print text or play music. Some viruses cause gradual, insidious corruption of data files; others like dormant throughout the year and then destroy files or reformat hard drives when a certain date rolls around.
Viruses that permanently wipe out files or erase hard drives are the least common type. Still, virus researchers contend that there is no such thing as a benign virus. Even some “non-malicious” viruses are so sloppily programmed that they result in software malfunctions, crashes and file corruptions not intended by their authors. Theoretically, if a virus was buggy enough to disrupt the day-to-day operations of a crucial machine or network- say that of a hospital or an air-traffic-control system – and happened to hit on a day when that organization’s backup system was down, even the most harmless virus would have the potential to be life-threatening.
This spring Microsoft users everywhere met Melissa, a technically harmless – it contained no data destroying payload – but alarmingly prolific Word 97 macro virus. Among the viruses known to be actively spreading today, macro viruses are the most common. They are written in the Visual Basic for Applications programming language included in the popular software package Microsoft Office – the user-friendliness of which makes viruses fairly easy for even non-programmers to create – and travel via infected Microsoft Word or Excel Documents.
Melissa upped the ante for virus spreading. Instead of relying on users themselves to transfer the infected documents from machine to machine via disk or email, the virus operated like a chain letter from hell, corrupting Word documents and, if Microsoft Outlook e-mail software was installed on an infected machine, peeking into the user’s address book and sending e-mails – each with an infected document attached – to the first fifty addresses found.
Melissa clogged email gateways, panicked PC users and sparked an FBI manhunt that at least initially pointed to a retired member of the CodeBreakers known as VicodinES. Vic, as he’s known in the clannish virus underground, was first linked to Melissa when simularities were discovered between Melissa, and an earlier virus PSD2000, that he had created and that was available for download on his Website. The FBI began sniffing around the CodeBreakers a few days after Melissa surfaced, shutting down two Web sites containing viruses written by VicodinES: CodeBreakers.org, the groups own site, and SourceOfKaos.com, a domain that hosted Vic’s personal site.
Working from logs provided by America Online, investigators later traced the usenet post that triggered Melissa’s joy ride to a thirty year old Aberdeen, New Jersey programmer named David L. Smith. Smith now faces charges that could carry a maximum penalty of forty years in prison and $480,000 in fines.
Authorities have yet to reveal whether Smith and VicodinES are one and the same. The CodeBreakers have maintaining from the beginning that Melissa was neither written nor spread by Vic. Rather, they say, Smith simply cobbled Melissa together out of two earlier viruses, one of them Vic’s PSD2000. This is entirely possible: Files containing viruses are swapped like trading cards on the Internet, and coders often modify existing viruses to create their own new mutations.
Interest in the group on the part of law enforcement appears to have cooled in the months since Smith’s arrest. So aside from the precautions they take to protect their identities, the CodeBreakers have returned to business as usual. They’re still writing viruses, still making them available to anyone who cares to download them via an electronic zine, CodeBreakers VX zine, Edited by Opic. “After much internal dialogue,” he explained in the zines first post-Melissa issue, the CodeBreakers had simply decided to “continue doing what they have always done: find new, innovative and interesting viral techniques.”
Opic has agreed to this late night chat not because he is eager to rehash the Melissa sordidness but he because he was approached with what for him must have been a powerful lure: genuine curiosity about why he – or anyone – writes viruses.
Sarah Gordon, an anti-virus researcher with IBM who has been studying virus writers for nearly a decade, says it’s impossible to tell how many coders are currently practicing, because many never tell anyone about their activities. She conservatively estimates that there are several hundred writers with a presence on the Net and that they make up roughly fifteen “active, findable” VX groups. Of those writers, only a small minority are very prolific. “There are always the little cliques and clubs that don’t get the attention,” she says.
Coders come in all different stripes, and their motivations and ethics vary widely. For every stereotypical fifteen year old bully who writes nothing but data destroying code that he e-mails to his enemies, there’s also a middle aged Silicon Valley exec who downloads a virus from the internet, plays with it out of idle curiosity and accidentally infects his firms network.
Opic would seem to fall somewhere between those two extremes. A college student who focuses on the arts, he’s been writing viruses for two years. He has no formal computer training; he’s entirely self-taught. He usually reveals his interest in viruses to his girlfriends (if only to explain the long hours he spends at the keyboard), but his parents and other relatives don’t know about it. (“Why involve loved ones who don’t need to be involved?” he asks.)
Opic got his start by hacking into local university systems with a friend. Once he began learning about viruses, he was hooked. “I found it fascinating that I could actually make this computer do what I wanted,” he types, “that I could write something that would travel from computer to computer. It’s a classical art concept, playing God and all.”
According to Gordon, many coders see what they do as a creative endeavor. At least one virus writer with whom she has had extensive contact, a Bulgarian coder known as Dark Avenger, channels his emotions into his code the way an artist would channel them into a painting.
“There was a certain frantic yet very deliberate way that he wrote his programs,” Gordon remembers, “Some of the things that he’d put in the source code would just lead you around and around through this maze. And then there would be this part where the code was very calm, laid out very methodically. It was really interesting to see that during the times when things were really confusing in his life, he was writing code that if you looked at it, was like looking at a pile of spaghetti.”
Opic is more imaginative then most coders. Instead of the requisite Iron Maiden lyrics or “Too bad, lamer!” brag messages, he salts his viruses with Fugazi lyrics and snippits of his own poetry. (“There is a path to the transcendence of the dollar: Embark rich beggars….”). Opic doesn’t write data destroying viruses; a user whose pc is infected by one of his programs is more likely to be annoyed by pesky text messages that appear on a given day of the month or to be haunted by a printer with a mind of it’s own. “I’m into making points through ambiguity, rather than the tried and true ‘in-your-face’ method,” he says.
Most of the viruses he’s writing these days are “proof of concept” programs, created to shine a big embarrassing spotlight on software vulnerabilities. One such virus is Caligula, the bit of code for which Opic is most widely known. A word macro virus, Caligula searches for the file containing a user’s private encryption key – the key that enables users of the popular Pretty Good Privacy (PGP) utility to decode their encrypted documents and e-mail and uploads it to Opic’s FTP site.
Opic says he had no intention of using the files to gain access to anyone’s encoded documents. “I had no interest in impersonating or violating anyone or debunking PGP, which is a great asset to myself and millions of others,” he says. “But it was vulnerable due to Microsoft’s platform and some lazy or non-security conscious programmers. Had I not coded it, it’s possible that someone with more malicious intentions would have.”
Gordon says she’s heard that argument from virus writers before. She views it as an attempt to legitimize irresponsible behavior. “if that’s what you have in mind,” says Gordon, “there are more responsible ways of working toward solving such problems rather than just posting something on the Internet and saying, ‘Oh, here’s a new problem; so that everybody in the world can go out and exploit it.”
Opic concedes that in making their viruses available to anyone who’s curious enough to seek them out, VXers do play a role in any damage caused by programs that fall into the hands of individuals with malicious intentions. But he counters, it’s “an indirect role in the same manner that gun manufacturers play a role in thousands of murders each year.” Still, why wouldn’t Opic consider contacting a software manufacturer discreetly when he’s written a virus aimed at vulnerabilities in that vendors product?
“Ever tried it?” he asks, “That’s obviously the least intrusive route, but it doesn’t work. The world is overrun by bureaucracy.” He points to Caligula as an example. “What I did was nothing new,” he says. “Many have known it was possible; many people in fact, have written and published papers on the problem. But no one did anything about it until I illustrated the point.”
Rob Rosenberger – a security expert whose Web site, Computer Virus Myths, attempts to educate consumers about hoaxes and media hype related to viruses – says he believes that a small minority of virus writers do ultimately contribute to the greater good. “This is a controversial opinion,” Says Rosenberger, “but I really think the guys who are writing at the state of the art should be left alone to do what they do, because they also force an advancement in the antivirus-world. They make the world more secure.”
Not all viruses are inspired by security holes. Sometimes personal politics turn up between the lines of code. One of Opic’s favorite creations, Koyyanisqati, was a macro virus that launched a “ping flood” attack – a barrage of data packets that overloads servers and disrupts internet connections – on four different websites. Two of the sites were devoted to kiddie porn; the other two were racist hangouts. Koyyanisqati Opic says, was his “attempt at a ‘good’ virus.” Still, he can understand why someone like Sarah Gordon wouldn’t see it as an achievement. “I suspect she would agree with my feelings in case, but not my methods,” he says.
Gordon is one of the few people in anti-virus (AV) circles who deign to hobnob with the VXers, and though they don’t always agree with her opinions, most coders who have met her view her with respect. She and Opic have been engaging in lengthy e-mail debates about virus writing lately. “She’s very open,” he says of her. “She’s the only AVer I’ve met who is willing to actually discuss things rather than just sit around and mudsling.” Many VXers despise those who work for anti-virus-software vendors, claiming that they exaggerate the threat virus writers represent in order to sell more software. “It’s part of the deal,” says Opic. “They have to demonize us in order to capitalize on the computer virus phobia that users have.”
There’s no question that the anti-virus-software industry – which has retail sales that are predicted to reach $1 billion by 2002 – stands to gain from nurturing virus hysteria. Anytime the threat of an especially sexy virus surfaces, the anti-virus companies race to develop fixes, issue “virus alerts” and bend the ears of quote-hungry reports. And invariable, after a virus outbreak that receives national media attention, there is a subsequent spike in anti-virus-software sales: According to the Reston Virginia, computer-industry market research firm PC Data Inc., virus-protection-software sales increased by more than sixty-seven percent between March 28th and April 3rd, at the height of the Melissa scare. Most users know so little about the reality of viruses that it’s easy for AV vendors to indulge in gloomy hyperbole to gain an edge.
“The threat of virus infection is now greater than ever!” claims the Product webpage for VirusScan at McAfee.com. “The need to protect your PC has become vital, as there are now over 40,000 known computer viruses, with more than 300 new viruses being created each month.”
Figures like that strike fear into the heart of PC users. What most of them don’t realize is that of the estimated 40,000 viruses in existence, only about 150 are currently known to be actively spreading. The rest are cooped up in anti-virus research labs. And while AV firms often incorporate terms like deadly, dangerous and malicious into their sales literature, only a small minority of viruses pose any real threat to a user’s data. A quick look at the July wildlist, a monthly tabulation of viruses known to be “in the wild,” provides a more realistic picture. Total number of viruses known to be actively spreading: 132. And of the eighteen most common viruses reported in the July Wildlist, only three – CIH, ExploreZip and One_Half – destroy data.
There’s an interesting symbiosis between VXers and AVers. The members of each group generally profess to despise the members of the other, but both groups in a sense are dependent on each other. Virus Writers need the antivirus industry to challenge them as well as to provide them with notoriety. In VX circles, having the antidote to your virus latest virus turn up in a new release of Norton AntiVirus or McAfee VirusScan entitles you to major bragging rights. In turn, virus writers are fond of pressing the notion that they keep an entire industry employed.
The friction between the two groups can be intense; frequent bickering matches erupt on Usenet newsgroups such as alt.comp.virus and comp.virus. The AVer’s favorite ploy is to hit coders in the ego, accusing them of shoddy programming skills. Every once in a while, a coder strikes back. Nick Fitzgerald, a consulting editor for Virus Bulletin Magazine, once made the mistake of publicly scorning a virus writer for his “pathetic” programming abilities and later found himself on the recieving end of a creation called Cold Ape. A.k.a The Love Monkey Virus. Users infected by ColdApe unwittingly sent e-mails to Fitzgerald’s address at Virus Bulletin, informing him that they wanted to make “hot monkey love” to him. Fitzgerald says that ColdApe cost him and Virus Bulletin “hundreds of hours” of work.
“If you did make this virus then first off, damn you,” reads a June 2nd Usenet post by one Marcin Mirski. “And second, how can I get my infected files back?”
Messages like this turn up fairly often in the alt.comp.virus newsgroup. Mirski has come to the group to ask about the happy faces that keep showing up on his screen when he’s using Windows 98. The happy faces, he reported in an earlier post, are accompanied by a message reading, “Oops! I’ve got such terrible munchies. TERMiTE v1.0 RAiD [SLAM]”.
Withen twenty-four hours, Mirski’s query has been answered with a post by RAiD, the proud papa of TERMiTE, a.k.a. HLLP.5000. “Isn’t he kewl?” asks RAiD in his response. “Have you seen my graphical payload yet? Does it look like crawling termites to you? Have you seen my other payload yet? You’re still here, so I guess not.”
Other posters add to the thread, explaining to Mirski the steps he needs to follow to get rid of TERMiTE. before it launches the randomly triggered second payload, which will wipe his hard drive. In the midst of advice giving, David Chess, a highly respected antivirus researcher with IBM, pointedly addresses TERMiTE’s author: “Just out of curiosity, RAiD, did you feel any impulse whatsoever to apologize to Mr. Mirski for having written a damaging virus in the first place?”
“None Whatsoever,” RAiD fires back. “I’m rather proud of that virus, why on earth would I apologize for something it was designed to do? Mind you, I didn’t expect it to get as far as it has, but that’s neither here nor there.”
A member of the VX group Slam and one of the loudest, most unrepentant coders on the Net, RAiD is the kind of virus writer who makes antivirus workers – and often other virus writers – gnash their teeth in frustration. He’s the guy who pops into the mind of PC users as they nervously scan their disks with AV software. Not only does he write viruses with malicious payloads, he also takes a fairly obvious measure of delight in watching them spread.
