Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/spthvx/spth
Second Part To Hell's artworks: artificial (life/evolution/intelligence)
- Host: GitHub
- URL: https://github.com/spthvx/spth
- Owner: SPTHvx
- Created: 2019-08-11T23:15:43.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2024-01-21T19:54:15.000Z (10 months ago)
- Last Synced: 2024-06-15T15:36:06.137Z (5 months ago)
- Language: MATLAB
- Homepage:
- Size: 7.77 MB
- Stars: 159
- Watchers: 15
- Forks: 19
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-ChatGPT-repositories - SPTH - Second Part To Hell's artworks: artificial (life/evolution/intelligence) (Others)
README
# Second Part to Hell's artworks
**[articles](/articles) -- [viruses](/viruses) -- [23 open problems](/23problems) -- [historic e-zines](https://spthvx.github.io/ezines/) -- [twitter](https://twitter.com/SPTHvx) -- [e-mail](mailto:[email protected])**
## News:
21.01.2024: I wrote a demo for a GPT-based anti-virus program: [*LLMarshal*](https://github.com/SPTHvx/SPTH/tree/master/antivirus/LLMarshal) can detect computer-viruses that use [Large Language Models](https://github.com/SPTHvx/SPTH/blob/master/articles/files/LLMorpher.txt). I was motivated by seeing that none of the AV programs at virustotal detect the LLMorpher family, while at the same time, security researchers agree and consider it as a [huge threat](https://thenextweb.com/news/mikko-hypponen-5-biggest-ai-cybersecurity-threats-2024). It is a simple demo, but I believe using programs that are fluent in natural and computer languages might be the only robust way to detect such programs in the future.
22.11.2023: I have created a subsite about the [23 Open Problems for Digital Self-Replicators](/23problems). None of these questions is solved so far. I will update if there are new partial or full solutions. If you think you have made a contribution, contact me!
21.11.2023: Today, tmp.0ut#3 has been published. For the first time in more than 10 years, I have contributed to this old-school hacking/vxing magazine (together with many other excited hobbyists and security researchers). My contributions involve the LLMorpher series (LLMorpher I, LLMorpher II and the brand new GPT4 powered, strongly language mutating LLMorpher III) together with two articles (Using GPT to encode and mutate computer viruses entirely in natural language, Full Metamorphism of computer virus Code and Prompts via GPT4). In addition, -- in the spirit of David Hilbert -- I have written a text on 23 open problems for digital self-replicators. In addition, the tmp.0ut staff was so kind and did an interview with me.
02.03.2023: Just uploaded a new article, in which I use OpenAI's GPT to encode and mutate self-replicating code, see for concrete implementations of the self-replicating linguisto-morphic codes LLMorpher I and LLMorpher II.
11.08.2019: My old domain (spth.virii.lu) has been down now for some time (thanks a lot perforin for hosting it!). I decided to upload the news-page (basically a logbook over the past 17 years), my articles and interviews, as well as codes to github. Many links in this logbook are broken, but for reasons of nostalgia I will keep everything as it is. Please enjoy some old ideas on self-replicating codes, artificial life, artificial evolution, metamorphism, ... If you have cool ideas or projects, let me know.
05.04.2014: High Hopes!
08.02.2014: Mikko Hypponen has mentioned my research in infecting biological DNA with digital Computer Code in his talk in Cambridge on "Silicon Plagues" (see minute 51++). My code was inspired and uses the ideas of Craig Venter's synthetic life research. They try to understand DNA in such a level that it becomes a tool to solve important problems of humanity, such as creation of fuel, food or medicine at superfast and efficient rates. A great summary by him is given on his TEDx talk on Future Biology.
The idea is clear: Similar as we can use electronic computers to perform logical tasks, they want to control DNA in such a way that it can perform biological tasks which are unfeasible otherwise. Examples mentioned above - fuel, food, medicine, you are only bounded by your imagination.
I am a bit worried about the risk of abusing such techniques by criminals, nation states, you name it. Similar as computers are abused and can cause a lot of trouble, also synthesized DNA can be abused, but obviously on a much more dangerous scale. Compared to that, abusing computers seems like some kiddy games.
Per fortuna, yet we are far from the point where synthesizing DNA and booting up bacteria with it is possible on a big scale (Venter compares it with the 40s or 50s of electronic computers). Actually, afaik Craig Venter's lab is the only place where this can be done yet.
As a conclusion I think Mikko's statement "Do not write a computer virus that is able to infect DNA" is of course true, but naive.
Synthesized DNA has the potential to change our lives in future tremendously (maybe similar or even more than computers have done), but can (and most likely will) be abused as well - obviously in a much worse way than computers can ever be.
I wonder if somebody is thinking about serious solutions. Those bio-researchers have done some ethical studies, but I don't know how they evaluate the long-term risk. And security-people might not be interested, as there has not been any accident yet or because the field is too different. Well, maybe it's SciFi after all.
25.11.2013: I have just announced valhalla#5 vx-magazine. It will be a special issue celebrating hh86's 5th birthday on 27.11.2014. Deadline is exactly in 365 days - so hurry up with your projects :-) I have some nice ideas for my next projects, was able to solve some things which I was thinking about for years. Hope that many people join again in this issue; I've already seen some of other people's projects and they are wonderful; I'm excited to see the outputs :-)
05.11.2013: Finally I have uploaded my things in valhalla#4: An article that explains how a digital computer code can infect biological DNA, thus spread in the biological world as a self-replicating bacteria (and the corresponding PoC code called Mycoplasma mycoides SPTH-syn1.0). My second article was about a way to infect many different programming languages with just one code, based on a special Meta-Language, the corresponding code can infect five languages (JS, VBS, MatLab, Ruby, Python), I called it Polygamy. Furthermore, I did three very interesting interviews with roy g biv, JPanic (both together with hh86) and Jeff Dahmer.
In general, the quality of valhalla#4 was very high. We saw the source of JPanic's Windows/Linux/MacOS cross-infector and a detailed explanation of the technique behind. He also wrote a tutorial about Linux 64bit infection (and we believe to know what his next project will be ;-)). roy g biv submitted his collection of quine-based infectors for 32 (!) different languages - most of them you find on the Language Infection Project. M0SA showed how one can circumvent automated dynamic analysis with surprisingly simple techniques. r3s1stanc3 shows a new and unexpected technique for worms, based on GPG encryption and web-based keyservices. And hh86 analysed the deep dark corner of native GPU languages (whose binary form is undocumented!) for encryption and file-infection. Furthermore she shows how one can infect Java Class with Win32 files, and the other way round (and I wish she combines those two kitties, to get a full Java/W32 cross-infector). Another surprising and high-quality submission was a huuuge (more than 7000 lines of C) metamorphic code written by Black Sun. As I said, this was a wonderful release, awesome work of many people. And - I already heard rumors of follow up projects by several of the above mentioned people, it will be awesome!! :-)
I also updated my link-section. If you think I missed somebody, please send me a message.
02.11.2013: valhalla 4 has been released by hh86!!! Also see the online viewer. :-DDD
16.10.2013: After a small break, I'm back again. Yesterday, pr0mix and others released Inception#1 e-zine: see online or download. It has very nice personalized intro-pictures to every article - that's so cool. And the content is also good/interesting. Some nice essays - haven't seen such types of texts since the very old-school e-zines in 90s or early 2000s. Nice work guys, hope you continue!
There will be another vx-magazine out very soon - valhalla#4 (read hh86's announcement). I know that there will be some fancy stuff inside again. I have contributed as well some things, again :-) The last one I just finished two days ago, it's an idea+implementation about artificial life. I would say it's my most creative thing I've done in my >11years vx-career. Maybe a bit "too creative" :-) you will see. If you want to be part of valhalla-ezine, contact hh86 before 1st of november. :-)
06.07.2013: VX Heaven is back online, after more than a year of down-time due to an incredibly stupid, unfounded raid. I'm looking forward to information about what happened exactly, I guess we can hear something about this soon. Now - let's enjoy our library and discussion-platform again :-)
02.07.2013: Today, DarK-CodeZ #5 has been released. You find several nice things in it, among others, 15 source-codes of first-time infected programming languages from genetix, roy g biv, hh86, herm1t and perforin (which I have separately mentioned on the Language Infection Project subpage). My small contributions are two interviews, one with hh86 and one with genetix. I have not read all things yet, but two things I find already pretty nice: one text by hh86 about EPO In Windows 64-bit, where she explains a technique used in a former virus by her, and one new technique - which I predict to come true soon ;-). Second interesting thing: perforin wrote a malicious program with the PostScript language, that's the native language of printers, and many PDF files are compiled via PS files. I guess with a bit more research, it's also possible to write a self-replicator for this fine language - something I would like to see :-). OK, well done perforin and R3s1stanc3, thanks for this magazine!
19.06.2013: As she has no own homepage, hh86 gets her own corner at my page, with a collection of all her viruses and articles: hh86 corner. Welcome! Maybe I can also convince her to write some interesting guest comments some day :-)
09.06.2013: For my online ezine section, I just uploaded online versions of *-zine from 1999 (#1, #2), and 40hex from 1991-1995 (#1, #2, #3, #4, #5, #6, #7, #8, #9, #10, #11, #12, #13, #14). 40hex was one of the best and most well-known magazines from the early 90s.
Some highlights from the magazines: Interview with Sepultura/IR (who came back very recently and released a cross infector for Windows, Linux and OS-X), text about future viruses ideas from 1999, short explanation about encryption for viruses in 1991, an article about Dark Avenger that (among many other things) says that Dark Avenger created an AV (!). Some jokes that maybe nobody has seen for 20 years, great texts and codes by Dark Angel such as his poly-engine DAME, texts about Self Dis-Infecting File, a virus (JUMP by Strombringer) that uses overlapping code as obfuscation (I used overlapping code in a polymorphic code W32.Kitti) and many many many more awesome stuff!
08.06.2013: Peter Ferrie has written an analysis for my JS.Transcriptase (the first metamorphic script virus) - see Read your transcript.
Due to the huge unexpected success of the Language Infection Project (there are now already 33 new infected languages), I decided to announce a LIP-zine. Still the best codes should go to general VX magazines such as valhalla or Dark-CodeZ, however, simpler codes which infect new languages can go to this collection. I will release it someday after DarK-CodeZ#5 (which will appear in about one month), but before valhalla#4 (which was scheduled for some bright day at the end of the year). If you want to be part of LIP-zine, find a new yet uninfected language and hit it for the first time :-)
26.05.2013: So there has been this W32/Linux/OSX infector recently - most likely written by "Sepultura", a former member of Immortal Riot - one of the first virus-writing groups from the 1990s. For that reason, I have uploaded in the Online VX e-Zines-section the magazines from that group: Insane Reality#1 (07.1993), Insane Reality#2 (11.1993), Insane Reality#3 (01.1994), Insane Reality#4 (04.1994), Insane Reality#5 (07.1994), Insane Reality#6 (11.1994), Insane Reality#7 (12.1995), Insane Reality#8 (12.1996)... *nostalgia*
Beside of that, roy g biv (who actually also started to code viruses more than 20 years ago in 1992) continued his series of quine-based source-code infectors. His latest creation is a self-replicator for SmallBASIC and the compiled version of Haskell. Well done! Hope more people continue joining the Language Infection Project - there are many very interesting and challenging projects yet to be done, for example - my Top7: Prolog, SAS, LabView, cT, occam, x10, VHDL (for VHDL, herm1t as well as rgb said it's impossible. but I disagree with them - can you prove them wrong? :-) )
23.05.2013: Peter Ferrie has written an analysis of a new virus for VB 06.2013 - it's called "Multi-platform Madness", and it's about a virus called "{W32/Linux/OSX}/Clapzok". Now it seems like this virus is an advanced version of {W32/Linux}.Capzloq by JPanic in rRlf#7 from 2006 - with additional infection of OSX files. This is awesome for more reasons: First, it seems to be the first multiplatform virus for those three OSes, that's definitely great work! Secondly, JPanic decided to code an advanced version of this great code 7 years later, so maybe one very high-skilled person found his way back. But now, who is JPanic? He writes JPanic (aka Sepultura, aka The Soul Manager). Now check out that: Sepultura in old magazines - JPanic/Sepultura is a viruswriter from the 1990s, was a principal member of "Immortal Riot". OK - I hope this great viruswriter will keep staying here for some moments - nothing more to say... (thanks to hh86 for the initial information)
08.04.2013: It seems like there is no day without a new platform hit for the first time. Today, there are two new platforms. One by psychologic for C Shell. The other one by genetix for the functional language Ocaml (the source of the OCaml virus will be released soon). Well done to both of you, and have fun on the Great Wall of LIP participations! :-)
03.04.2013: The Language Infection Project makes great progress - there are already 14 (!!!) new targets hit since its announcement 3 months ago. This is a huge success. The main-contributor was genetix, and most of the sources will be released in forthcoming magazines such as DarK-CodeZ #5 (I promised to contribute something there as well - huh, should get my hands on some good projects I guess :-) ).
It has been more than a year now that our library VX Heavens got burned down. Unfortunately, there is still no official announcement about any progress. In any way, I have a good feeling that everything becomes solved in some time.
It seems like that one of the best and most active viruswriters - hh86 - took a break. While she took breaks also in past times, for some reason I think it's a bit different this time. She has written some of the most interesting viruses in recent times (just look at Peter Ferrie's latest analysis about her W32.UNIT00). Furthermore, she was the initiator and editor of the valhalla magazine series (see v0, v1, v2, v3). Of course I hope that she comes back again some day, but I also understand that after such a highly productive VX career, one needs a break. (in any case, if you read this, drop me a mail - two proposals are left).
22.01.2013: Update of the Language Infection Project: herm1t has written the first virus infecting MySQL databases. Congratulations, and welcome on the Great Wall of LIP participations :-) The source will be released soon. He has also told me that there has been a virus written in FORTH (by Light General in Infected Voice#11 in 1996) and a virus for T-SQL by Joseph Gama in 2004. I'm looking for more participations soon :-)
20.01.2013: The DarK-CodeZ #5 announcement has been released recently. Great - I'm looking forward to the magazine (I expect to find several new infected platforms there, in addition to other things ;-) ), and I will try my best to be part of it as well.
Have continued with uploading online-versions of good old VX magazines. This time: coderz#1, coderz#2, and coderz#3, as well as Codebreakers#1, Codebreakers#2, Codebreakers#3, Codebreakers#4, Codebreakers#5. Especially codebreakers#4 and #5 are one of the best VX magazines ever, they are full of awesome stuff such as the first Java infector, the first WScript virus, the source of Win32.CIH and many many other things.
About the Language-Infection-Project: genetix did it again and wrote the first infectors for Scala (a language also used by Twitter and LinkedIn) and for R (a language for statistical computing) - sources of both will be released soon. Well done once again!! Now I'm waiting for the next successful targeted language - what will be infected next? Who will infect next? :-)
15.01.2013: Woaahh - I'm extremely amazed: Got the news that there are two new languages infected from my Language Infection Project: The one is done by Perforin who has written the first infector (prepender) for AWK script language. And genetix did it again - she infected google's new script language called Dart. Well done - congratulations to perforin and genetix!! The sources of all infectors so far (REXX, AWK, Dart) will be released soon hopefully. And that's definitely not the end, I know of several other projects that are under development at the moment; the only thing I'm afraid of is that we run out of languages ;-)
14.01.2013: hh86 has made an announcement for valhalla#4. Deadline is 1st of November 2013. Contribution is open to everybody (of course, stuff will be evaluated), the topics of interest are listed in the announcement. I would suggest to sit down on our devices and create the best and craziest codes that we ever made! :-) valhalla#3 was great - but it's our duty to make the next issue even better! For questions, comments and contributions, please send a mail to the editor and initializer of valhalla - hh86!
Two days ago, I've started the Language Infection Project (LIP). Now there is already the first participant who finished a nice project: Genetix has written the first infector (with EPO technique) for REXX scripting language (the language of the ancient Christmas-tree worm)! Congratulations! (The code will be released soon I hope.) This is now genetix's 3rd entry in the list (after her AutoIt and FBSL infectors in 2007). I know of several other people who are preparing, researching, discovering new languages. (Going to join as well - already have one target in mind, but need to finish another project first :-) ). I'm looking forward to a very exciting and creative year 2013 for viruswriting!
12.01.2013: Recently I've seen the Top100 programming languages. I thought "challenge accepted!" - and made this new subpage: Language Infection Project. The plan is to collect all infected languages, and have a handy list to search for new projects! Everybody who is going to target a new language will become part of this eternal list :-) Thanks goes to herm1t and hh86 for help with the list; any comments/suggestion on the List is welcome, just drop me an eMail!
03.01.2013: Small update today: Uploaded an online-version of DoomRiderz#1, and I got a mail (thx) with Matrix#2, VLAD#1 and VLAD#2 viewer screenshot, so now you can see those nice old viewers as well :-)
31.12.2012: Have continued with creating online versions of important ancient e-zines - today I've uploaded all iKX#1-#4, DDT#1, MATRiX#1-#3 and VLAD#1-#7 magazines, as well as screenshots of the viewers and demos in the magazines (I was not able to execute MATRiX#2, VLAD#1 and VLAD#2 viewers, so no pictures from those magazines; if you know how to do it, please send me an eMail). Among them, there are some revolutionary magazines such as VLAD#6, where Qark and Quantum explain for the first time Win95 PE file infection.
It is great to see that starting from VLAD#1 in 1994 until valhalla#3 there are overlapping groups and magazines with overlapping coders (VLAD 1994-1996, 29A 1996-2005, rRlf 2002-2007, EOF 2007-2011/today, valhalla 2011-today), which means we are actually connected to those genius coders/discoverer in the past - we could even define some sort of Erdos number for viruswriting :-). A totally crazy thing: roy g biv has contributed to all of those magazines (see his text in VLAD#7)! I will continue creating online-versions of old important magazines such as SLAM, Immortal Riot, Phalcon/Skism in 2013 (if you have suggestions or ideas, don't hesitate telling me) - see you next year!
29.12.2012: I have created a collection of online-versions of recent VX-zines as well as of some important ancient magazines: Online e-zines. This should help to preserve some parts of our history :-)
26.12.2012: The valhalla III magazine has been released 5 days ago by hh86. For convenience, I have uploaded an online version of valhalla#3. Contributors are hh86, roy g biv, (o), R3s1stanc3 and myself; herm1t wrote a nice guest comment and interviewees are Eric Filiol, Mark Stamp and VirusBuster/ex-29A. The magazine contains so many new ideas about self-replicating codes: viruses with many new methods to obfuscate themselves, by using neverused novel instruction-sets, virtual code, own debuggers or inline JScript/CFF scripts; new true RNGs in viruses, infections of JAR files using JavaCompiler, ...
I have uploaded my contributions separately on my page. My main contribution is the first metamorphic script virus, written in JavaScript and an article which describes how the metamorphism and self-compiling compiler is implemented in JavaScript. A second article is about meta-level languages used in viruses and what the highest level language could be. One text deals with past expectations of viruswriters about the future of computerviruses, there I collected quotes from 42 interviews with VXers back to 1993, and in the end give a prognosis myself. Highly interesting interviews with Eric Filiol (head of EICAR) and Mark Stamp (professor and academic researcher in computer virology) have been done, giving clear neutral pictures of the potential advancements and problems with computer viruses and fascinating insights and opinions on military usage of malware. Together with hh86, we interviewed VirusBuster mainly about 29A.
The editor of valhalla and one of the best viruswriters has finally got a new homepage: hh86's room. Another contributor of valhalla3 and member of DarK-CodeZ has a homepage too: r3s1stanc3.
Virus-writing is obviously alive. Our main library, VX heavens maintained by herm1t, is still temporarily unavailable - but I expect it to be back soon. Meanwhile, Perforin (who is also my host) provides big parts of VXers history such as many of the most important ancient and modern e-zines, and DrWhax has mirrored VX Heavens. Due to persons such as Perforin, hh86, herm1t, DrWhax (motivated and excellent organizers) and many other contributors, the real original VXing has no chance to die! :-)
21.12.2012: VX e-zine valhalla III has been released by hh86.
08.12.2012: Finally, after about four months of planning, coding and bug-fixing, I have finished my latest project. It's one of my most complex codes, and most likely the code which was most difficult to debug. At the moment I'm writing the corresponding article - the whole project will be released soon I hope :-)
In November issue of VirusBulletin, Peter Ferrie has written a text called Is Our Viruses Learning? about my project to autonomously find new anti-emulation tricks. If you want to understand the idea in more detail, you can read my text about it: Dynamic Anti-Emulation using Blackbox Analysis
08.10.2012: An analysis about my W32.Filly has been released in last issue of VirusBulletin, written by Peter Ferrie, called "LAHF"ing All The Way. Some quotes: Now we have a virus which decodes itself by using a much more subtle side effect of multiple instructions - the state of the CPU flags., the virus will encode the contents using a very interesting encoding method or Viruses that integrate the encoded virus body are a nuisance for static analysis, because there is no easy way to decrypt the non-existent single block of data.... :-) It seems like my W32.Addisco should have been the next target for analysis, but according to Ferrie's homepage it's delayed until November.
Some news from coding side: I'm working on something new and hopefully interesting, and I underestimated its complexity and expenditure of time. However, the engine is ready and works quite fine; and the translation of the whole code is in a pretty advanced state. Hopefully the translation can be finished by the end of this week, and the whole concept be put together afterwards.
22.08.2012: A small preview - now guess what I'm doing ;-) ... Much to work now, have to get back to it.
18.08.2012: Found something funny today: Concept-Sheets for two viruses I wanted to write in 2005 and 2006: The first one (1) shows some first ideas about the implementation of Over-File Splitting, which later led to my most complex virus from that time: ArchiveTiger (see short description). The second one (1,2,3) is a concept for Code via Behaviour. I was not able to implement it at that time (end of 2006). But four years later when I started again, in end of 2010, I finally coded the Mimic-virus (implementation is explained in Code Mutations via Behaviour Analysis) - which is among the most complex kitties I've ever written... OK - enough history and nostalgia - I will be back very soon with some actual news :-)
09.08.2012: This news is a few days delayed, but here it is: Dark-CodeZ#4 has been released (offline version). Contains some unexpected things like a malware that uses Samsung TVs :-o :-) Well done to the editors Perforin and R3s1stanc3!
28.07.2012: Belial has released a good technical article about implementing a PE Crypter called Hyperion: Implementation of a PE-Crypter (Slides, Source). On his Russian blog, herm1t made some entries recently - one says he's free and fine (and other things google-translate can't translate), and the other he shows some code snaps. Is he coding again? :-). Perforin just told me that Dark-CodeZ#4 magazine will be released very soon, with a higher asm density - I'm looking forward :-). I wrote virus writing predictions for 2011 and 2012 in VX Heavens forum. As the page is down currently, I copied an old google-snapshot of it: Virus Writing Predictions 2012 (some URLs are missing sorry) - several things have been done, but we have to work hard to fulfill more of them!
24.07.2012: Good news: EOF Project homepage is back, having a very active blog now, and a collection of many important vx magazines - including some awesome pictures which I've never seen due to incompatibility of those old magazines with today's Windows. Well done, continue like this! - Oh, and I guess somebody has to contact me as I can not contact you!
01.07.2012: Mousafa Saleh released his thesis called Towards Metamorphic Virus Recognition Using Eigenviruses. There he presents a novel way to detect metamorphic computer viruses using similar technology as used in face recognition. In the experiments, he uses G2, viruses from SnakeBytes NGVCK, Z0MBie's ZPerm, Mental Drillers MetaPHOR and my Evolus/Flibi virus - for all of them he gets very good results. The Flibi virus used in the experiments was a beta-version of Evolus, and in fact in the conversations with him I was able to improve the stealth technology (and I hope as well he got several ideas for improving his original concept). I hope there will be follow up work on this great creative idea to detect metamorphic viruses.
30.06.2012: Apparently nic.de.vu decided to deactivate my spth.de.vu redirect. That is very sad as this address was active for more than 10 years. I have not got a response, but I'll try again and post here when I can find something out. At my Twitter account (SPTHvx) I'll always have an updated link to my page; hope twitter won't deactivate me either :-).
Herm1t has still not written an update about his case, but somehow I believe things will turn out well, as the whole case was ridiculous and he got strong support. For supporting him and his great project, visit SavingPrivateHerm1t!
After having 7 analyses in VirusBulletin from valhalla#1; there are already three virus analyses from valhalla#2 in VB, and several potential candidates are still waiting. And I have a good feeling that viruswriters have continued and will continue creating new ideas, finishing unfinished concepts, discovering new neverseen techniques. You might contact me for more news or if you have some additional interesting information.
15.04.2012: Virus-Writers are pretty active, there is one finished and one near to finished piece of art by hh86, other people are diligent too. And I am also just starting a new project, something that I have mentioned in valhalla2. It will be released when the countdown hits zero...
03.04.2012: Peter Ferrie's text about my Matlab.MicrophoneFever2 is available: Not 'Mifeve'-ourite Thing. It is a very detailed 8.5 pages technical analysis about MF2, including especially one nice quote "The virus is extremely complex, but amazingly stable despite its size". It also seems that this code gave Peter some tough time, alluding to the "Perhaps the author of the virus became as tired of writing it as I did of reading it" and the title, which maybe stands for "Not my favourite thing" :-) In any case, after analysing he found some structural weaknesses and made a good detection routine. Now Microsoft Security Essentials is the only AV who can detect this virus (according to VirusTotal). Well done!
02.04.2012: Eric Filiol just wrote a wonderful supportive letter for herm1t. I hope other rational thinking security experts/researchers follow his great example. Peter Ferrie's text about hh86's 32bit and 64bit cross infector W48.Sofia (in valhalla#1) called "'Amfibee'-ous vehicle" has been released in this month's VB. After writing three texts about evolvable viruses last year (1, 2, 3), he draws some funny conclusion to evolution again: "A virus that can run its code natively on both 32-bit and 64-bit platforms is a bit like a lungfish that can live in water or on land (but perhaps less ugly). Fortunately, this virus is in the early stages of evolution - however, we can probably expect to see future advances in this technique.". To every VXer out there, Perforin is offering hosting for you - contact him! Thanks a lot perforin - again! :) And, you can follow me at twitter and subscribe to my RSS feeds.
28.03.2012: VX Heavens has been shut down by Ukrainian police "due to the criminal investigation" (here you find the original post by herm1t). It's disgraceful to close down this clearly white-hat library, which has provided free information for all of us (academic and professional security researchers, programming enthusiasts, anti virus analysts, ...). I can't believe and it's a shame that such ignorant closing of a library and source of knowledge is still possible in Europe; thought this is a weapon of retarded anti-democratic regimes only. herm1t talks about a "tip-off" by somebody - now I wonder if it's connected to some old or recent investigations by KAV or a different antivirus company... I wish herm1t all the best such that he can clarify all absurdities that he is faced now!!!
As you can see - I have a new host: Perforin - thanks a lot for this great possibility! (As last 10 year, you can reach my homepage via www.spth.de.vu - this always links to my current host.) He decided to host also other PoC-vxers, if you are interested, write him an email. Thanks again Perforin, this is a very important offer!! (The good thing: Server is in Luxembourg, which is part of the civilized liberal Europe, which most likely will not investigate against libraries.)
Of course, we will not stop researching in computer virology, discovering new technologies and make this knowledge public such as we did in recent years. We will continue, and all vxers I have talked so far said the same: They can not suppress us by such inglorious soviet-methods. So many new ideas for viruses are around, so many new fields which should be analysed, so many techniques to discover and improve. There is much to do for us - we are already working on it, and we will continue working on it.
In the end, you can download some of the important VX magazines in recent years: , MATRIX#3 (2001), 29a#6 (2002), 29a#7 (2004), 29a#8 (2005), rRlf#6 (2005), rRlf#7 (2006), coderz#3 (2003), EOF#1 (2006), EOF-DoomRiderz-rRlf zine (2007), EOF#3 (2011), VwB-2011 (2011), valhalla#1 (2011), valhalla#2 (2012), Brigada Ocho#3 (2011) - a big collection of vx-magazines is available here.
15.03.2012: Ladies and gentlemen: Valhalla 2!
03.03.2012: In Virus Bulletin March 2012, there is an article about my MatLab.MicrophoneFever2 virus ("Not 'Mifeve'-ourite thing") by Peter Ferrie. Unfortunately I have not seen the article yet - in any case I presume it gave Peter some headaches. :-)
25.02.2012: Just lost a bet, so: hh86 is an extremely fast coder - congratulations! :-)
19.02.2012: Just finished a polymorphic self-replicator, whose code appears as the shadow of some overlaid instruction-flow - you will see soon what this means :-). Do you remember my 10 Virus-Writing predictions for this year? Well - in March at least two of them will be fulfilled... and once again, if you are writing viruses, having good ideas, etc.etc. - and we have not talked in the last two months - you should write me an e-Mail immediately!
29.01.2012: I have played with a semi-quantum version of the game of Life, that's a cellular automaton developed by Adrian Flitney and Derek Abbott and released in the great book Quantum Aspects of Life. I've created a video which shows the difference between the classical rules, an intermediate version and the final semi-quantum game of life: Game of Life: from Classic to Semi-Quantum - hope you enjoy! More about this topic maybe another time.
15.01.2012:
If you are interested in virus-writing;
if you consider virus-writing as an artistical and intellectual challenge;
if you loathe criminals who spread malware for earning money;
if you enjoy thinking about new ways to hide and spread;
if you love seeing virgin platforms touched for the very first time;
if you want this kind of virus-writing to continue -
then you should immediately contact me! #60days2go
14.01.2012: My Virus-Writing predictions for 2012. Hope you help to fulfill them! :-)
30.12.2011: I found this stupid behaviour of notepad.exe (at WinXP SP3 32bit and Win7 64bit) yesterday: Write "{-42,237}," (without quotes) to notepad.exe, save, close and open again. It will be interpreted as Unicode by Notepad, but in fact it is ANSI as a Hex-Editor says. It seems like notepad uses IsTextUnicode to find out whether a text is unicode. Notepad might set the lpiResult parameter to NULL, such that the API runs every test; now the test for IS_TEXT_UNICODE_STATISTICS and IS_TEXT_UNICODE_UNICODE_MASK returns TRUE. Don't know why the text fulfills some Unicode-Masks. Maybe some new easter egg?
18.12.2011: A very interesting paper has been released: Eigenviruses for metamorphic virus recognition by M.E.Saleh, A.B.Mohamed and A.A.Nabi in IET Information Security. The article covers the detection of metamorphic viruses using a novel and very intuitive method called Eigenvirus. Eigenviruses are an analogue of Eigenfaces for human face recognition. The main idea is to decompose viruses into a set of eigenvectors (called eigenviruses here). At detection, the principal components of the decomposition are compared with a prepared set of known generations of a virus. This is similar to a projection onto a sub-vectorspace - the hypothesis of the paper is that for each generation of a specific metamorphic virus, this sub-vectorspace is similar, and thus can be used for recognition/detection. The authors prove their hypothesis by successfully detecting G2, NGVCK, Zperm and MetaPHOR very efficiently and with a low false-positive rate.
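The subspace hypothesis described in this entry can be shown on a small scale. The following is an added example, not code from the paper or from this page: it assumes mnemonic-frequency histograms as features, constructed "generations" that differ only by junk insertion and one substitution, and a hypothetical threshold of 0.05.

```python
import math

MNEMONICS = ["mov", "add", "sub", "xor", "push", "pop", "jmp", "call", "nop", "cmp"]
# Constructed instruction counts (assumptions for this example, not real samples).
BASE = {"mov": 30, "add": 5, "sub": 5, "xor": 20, "push": 10,
        "pop": 10, "jmp": 5, "call": 5, "nop": 0, "cmp": 10}
BENIGN = {"mov": 20, "add": 15, "sub": 5, "xor": 2, "push": 8,
          "pop": 8, "jmp": 10, "call": 20, "nop": 2, "cmp": 10}


def histogram(counts):
    """Normalised mnemonic frequencies: the feature vector of one sample."""
    total = sum(counts.values())
    return [counts[m] / total for m in MNEMONICS]


def generation(junk_rounds, swaps):
    """Constructed family member: junk insertion plus xor->sub substitution."""
    counts = dict(BASE)
    counts["nop"] += 4 * junk_rounds
    counts["push"] += 2 * junk_rounds
    counts["pop"] += 2 * junk_rounds
    counts["xor"] -= swaps
    counts["sub"] += swaps
    return histogram(counts)


def training_set():
    """Known generations used to build the eigen-subspace."""
    return [generation(g, s) for g in range(5) for s in (0, 4, 8)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def fit(samples, k):
    """Return (mean, basis): the top-k principal directions via power iteration."""
    n, dim = len(samples), len(samples[0])
    mean = [sum(s[i] for s in samples) / n for i in range(dim)]
    centered = [[x - m for x, m in zip(s, mean)] for s in samples]

    def cov_times(v):
        # C v = (1/n) * sum_i c_i (c_i . v), without building the matrix C
        out = [0.0] * dim
        for c in centered:
            w = dot(c, v) / n
            out = [o + w * x for o, x in zip(out, c)]
        return out

    basis = []
    for _ in range(k):
        v = [float(i + 1) for i in range(dim)]   # fixed, non-degenerate start
        for _ in range(200):
            v = cov_times(v)
            for b in basis:                       # Gram-Schmidt against earlier vectors
                p = dot(v, b)
                v = [x - p * y for x, y in zip(v, b)]
            length = math.sqrt(dot(v, v))
            if length < 1e-14:                    # no variance left in the data
                v = None
                break
            v = [x / length for x in v]
        if v is None:
            break
        basis.append(v)
    return mean, basis


def distance_from_subspace(x, mean, basis):
    """Project x onto the subspace; return (residual norm, projection weights)."""
    c = [a - m for a, m in zip(x, mean)]
    weights = [dot(c, b) for b in basis]
    recon = [sum(w * b[i] for w, b in zip(weights, basis)) for i in range(len(c))]
    return math.sqrt(sum((a - r) ** 2 for a, r in zip(c, recon))), weights


def is_family_member(x, mean, basis, threshold=0.05):
    """Flag a sample whose feature vector lies close to the family subspace."""
    return distance_from_subspace(x, mean, basis)[0] < threshold


if __name__ == "__main__":
    mean, basis = fit(training_set(), 2)
    for name, vec in (("unseen generation", generation(7, 6)),
                      ("benign profile", histogram(BENIGN))):
        dist, _ = distance_from_subspace(vec, mean, basis)
        print(f"{name}: distance {dist:.3g}, flagged {is_family_member(vec, mean, basis)}")
```

Because both constructed mutations move the histogram inside one plane, a generation that was never in the training set still projects onto it with near-zero residual, while the benign profile does not.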
15.12.2011: Have been watching the trial of an Austrian Bootkit writer, Peter Kleissner, today. He was accused under § 126c StGB - roughly translated "abuse of computer programs". This law also talks about the creation or adaptation of general malicious software - which was the case for Peter Kleissner, who created Stoned Bootkit, presented it at hacker conferences (BlackHat,...) and at his homepage. After a 7-8h hearing, including two programmers from Ikarus, the sentence was one of acquittal. The reason was (and this is interesting for any Austrian malware author - I wonder if there is one?! :-) ) that software has to be predominantly created for malicious reasons, which was not the case for Peter. The public prosecutor immediately declared nullity, such that the case goes to the court of next instance. One interesting thing is that the case was started by our friends - the KAV dolls; they informed the prosecutor that Peter is writing a bootkit and sent him preliminary data.
04.12.2011: Peter Ferrie has released his 3rd paper about my artificial evolution project: Flibi: Reloaded. From the conclusion: "W32/Flibi is more like a life-form than ever before. It looks like a heavily armoured threat whose spread might be difficult to stop [...]".
15.10.2011: Just went thru some old eMails, and discovered an MP3 about viruswriters by Sophos from 2004. Funny :-)
12.10.2011:
While finishing the article for my latest project, I realized that it might fulfill Tom Mitchell's definition of machine learning. I suspect the underlying concept to be useful for many other applications too - in fact I have already used it one time for a mutation engine, without being aware of its possible capacity :-) I'm releasing the engine and the article in future (you might speculate what this means - if you are curious, send me an e-Mail).
In June, Evolus has been analysed using a special statistical method called "Eigenvirus" (a wonderful technique similar to Eigenfaces, but for metamorphic virus detection; introduction article will be released in International Journal of Information Security in December 2011). The analysis helped me a lot to find and correct possible weak points. The researcher promised me to prepare a publicly available summary of Evolus' analysis very soon, I wish he does :-)
I decided to try Twitter. As you visit my homepage, you seem to be interested in those topics, so just follow me!
09.10.2011: Recently I thought it would be of some value to learn about the PE format. So I took W32.Sigrun by hh86, printed the source and analysed it. I made a few adjustments such that the MASM code is compilable in FASM, you can find it (together with the commented off-line source :-D) here. After reading the latest issue of VirusBulletin, I suddenly got an idea what could be a subject for a virus to learn and how it can do so. The proof-of-concept code is finished (it's easier than expected), an article covering the topic will be written now. :-)
01.10.2011: A third article about my Artificial Evolution project will be released in VirusBulletin November 2011 according to Peter Ferrie. :-)
28.09.2011:
While at VB2011 conference - which starts in a few days - there are several interesting topics announced, one talk is especially funny: Malware mining by Igor Muttik of McAfee, about heuristic detection methods. OK - Stop now - let's remember: McAfee Anti-Virus Causes Widespread File Damage and my old entry about them. So the company with the worst heuristic is giving a talk about it. I wish with their research they will fix their own product.
While many AV companies are pretty narrow-minded about hiring virus researchers with empirical knowledge, this is not the case for serious security researchers: TED Talk: Misha Glenny: Hire the hackers!
Found a very funny response on hh86's interview: Chick Virus Writers :-)
14.09.2011: There is a new virus-coder called c0rRuPt G3n3t!x, who is working on quite interesting virus-techniques (including Java-Infection and C# viruses) - worth keeping an eye on him :-)... Recently I stumbled upon Orr's analysis of two metamorphic viruses: The Viral Darwinism of W32.Evol and The Molecular Virology of Lexotan32: Metamorphism Illustrated - a must-read! No fancy vx-news from me yet; just a small extension to a script technique by roy g biv is finished. Some more interesting things are in my mind, but not far enough developed to present them; hopefully by the end of this month planning will be exchanged with coding again. :-)
27.08.2011:
EOF#3 has been released today, with some cool things in it. herm1t has done a project (Advanced EPO: Deeper, longer and harder and Linux.RELx) to infect a file in the middle of its code flow graph, which is clearly the most advanced EPO technique so far. I wonder whether there is a way to improve it further - can't imagine anything. One of the best creations that I've seen in a long time, well done! :-) pr0mix wrote a text called "Smart" trash: building of logic (and engine xTG 2.0), which analyses trash generators and possible weaknesses/mistakes. It's absolutely worth a read if you plan to work on similar topics.
kefi has written six pretty interesting short papers in 2009 (signed with discordian calendar). One is about spreading worms using rapidshare (i wonder whether this 2 year old technique still works today); and one is called undeletables in windows vista, which is a technique that I have talked about 9 years ago for Windows 95,98,ME, already. It's a way to abuse a weakness of Windows Vista to make your viruses undeletable. Interestingly this bug has been fixed in Windows XP, and reintroduced in Vista. Can one still use this technique in Windows Vista and Windows 7? I will try some day :-). There is also a polymorphic python virus PY.Lame.c by him in the magazine.
Malum wrote a DOS infector which just consists of [a-z;A-Z], using (byte XYh --> word 0X0Yh+'aa') and a special decryptor (same idea as my eicART, but better :-) ), F0g wrote a FreeBSD virus that used Merging of segments to infect files, and maybe some other interesting things, too. After Brigada Ocho #3 and Valhalla #1, this is now the 3rd virus-magazine released within very short time: Good to see that still some people are working on interesting things :-)
24.08.2011: I proudly present the most awesome computer virus ever according to McAfee (it's just a .txt). Check the scanning result (or original link), where McAfee team shows its skill and beats every other AV. Together with their former detection of GriYo's CTX (where McAfee massively destroyed data of their customers), this is one of their best coups. Congratulations to the genius crew!!!
16.08.2011:
I went thru Brigada Ocho#3 recently, and want to guide your attention to some pretty interesting things by alcopaul: In the text Why Did I Write Perrun.NET?, he describes the concept of his new JPEG virus: First cool trick - Perrun.NET adds itself as a ZIP archive to the JPEG file, such that it is a valid JPEG and a valid ZIP file at the same moment; in this ZIP file, there is the virus-file. Then comes the second trick: Perrun.NET writes a message into the actual picture that the user should open it with a ZIP extractor (!). Nice thing - next step: MP3-file infection (with some voice telling to open it as ZIP) or MPEG-file infection (there are nice ways to guide people to do stupid things i think hrhrr). In the text C# Random Subroutine Sequencing he shows a pretty technique how simple permutation in C# could look like. Then there is Growing Programs, where alcopaul talks about an idea (multiplying+modifying subroutines), which is non-usual, and somehow i feel this could be used for funny mutation engines :-)
herm1t has posted a pretty interesting entry about polymorphism and grammar - especially about grammar and instruction transposition. I wondered how one can find a simple algorithm about that, and wrote a very small thing: Instruction Transposition. Nothing ground breaking - just wrote it down because I didn't see the solution immediately.
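A file that is a valid JPEG and a valid ZIP at the same time, as described in this entry, can be flagged by parsing both formats. The following is an added example, not code from the page or from Brigada Ocho: it assumes the archive is appended after the image data, and both sample buffers are constructed in the code.

```python
import io
import struct
import zipfile

SOI, EOCD_SIG = b"\xff\xd8", b"PK\x05\x06"
EOCD_LEN = 22  # fixed-size part of the ZIP End Of Central Directory record


def jpeg_end(data):
    """Walk the JPEG marker stream; return the offset just past EOI, or None."""
    if not data.startswith(SOI):
        return None
    i, in_scan = 2, False
    while i + 1 < len(data):
        if data[i] != 0xFF:
            if not in_scan:
                return None            # between segments only markers are legal
            i += 1                     # ordinary entropy-coded byte
            continue
        marker = data[i + 1]
        if marker == 0xD9:             # EOI: the image ends here
            return i + 2
        if marker == 0xFF:             # fill byte in front of a marker
            i += 1
        elif marker in (0x00, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2                     # stuffed 0xFF, TEM or RSTn: no length field
        else:
            if i + 4 > len(data):
                return None
            (seg_len,) = struct.unpack_from(">H", data, i + 2)
            if seg_len < 2:
                return None
            i += 2 + seg_len
            in_scan = marker == 0xDA   # an SOS header is followed by scan data
    return None


def find_eocd(data):
    """Locate the last plausible EOCD record; return (offset, bytes_before_zip)."""
    floor = max(0, len(data) - EOCD_LEN - 0xFFFF)   # comment is at most 65535 bytes
    pos = data.rfind(EOCD_SIG, floor)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            (_sig, _disk, _cd_disk, _here, _total,
             cd_size, cd_offset, comment_len) = struct.unpack_from("<4sHHHHIIH", data, pos)
            prefix = pos - cd_size - cd_offset      # bytes in front of the archive
            if prefix >= 0 and pos + EOCD_LEN + comment_len <= len(data):
                return pos, prefix
        pos = data.rfind(EOCD_SIG, floor, pos)
    return None


def inspect(data):
    """Report whether a buffer parses as a JPEG and also carries a ZIP archive."""
    end = jpeg_end(data)
    eocd = find_eocd(data)
    members = []
    if eocd is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = archive.namelist()
        except zipfile.BadZipFile:
            eocd = None                # the signature bytes were a coincidence
    return {
        "jpeg": end is not None,
        "trailing_bytes": 0 if end is None else len(data) - end,
        "zip_offset": None if eocd is None else eocd[1],
        "zip_members": members,
        "polyglot": end is not None and eocd is not None,
    }


def constructed_jpeg():
    """Constructed marker stream (SOI, APP0, SOS, scan bytes, EOI); not a real picture."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return SOI + app0 + sos + scan + b"\xff\xd9"


def constructed_polyglot():
    """The constructed JPEG with a harmless ZIP archive appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("note.txt", "harmless constructed payload")
    return constructed_jpeg() + buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("clean", constructed_jpeg()), ("polyglot", constructed_polyglot())):
        print(name, inspect(blob))
```

Image viewers stop at the EOI marker and archive tools search backwards for the EOCD record, so a non-zero `trailing_bytes` together with a parseable central directory is the signal worth alerting on for uploaded or mailed images.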
05.08.2011:
hh86 has released Valhalla magazine! It contains hot new stuff: two Win32/Win64 cross-platform viruses (one by rgb using the Heavens Gate; one by hh86 using native code), two polymorphic viruses using MMX instructions for encryption (by hh86), one Cross-Infector for Win32/010 Editor Scripts (by rgb), one virus with new EPO infection technique using Exception directory (by hh86), a brief and pretty interesting overview of Statistical Detection Techniques and possible counter measurements (by m0sa), several nice script techniques, - and my stuff ;-)
I uploaded my contributions separately: Two articles Some ideas to increase detection complexity, Imitation of Life: Advanced system for native Artificial Evolution and three viruses: Evolus (evolved version of Evoris - artificial evolution worm including several other mutation techniques, polymorphism, Start- and Stop-codons), Matlab.MicrophoneFever2 (improved version of Matlab.MicrophoneFever, fixed a few weaknesses and included partial encryption with trigonometric and algebraic functions) and W32.Kitti (a polymorphic virus that can change its instructions to other instructions using overlapping code).
Now there are over 9.000 things that should be finished! Let's start! :-)
20.07.2011: herm1t has decided to give non-russian readers the chance to follow his blog (without crappy rus->eng translation engines): herm1t.vxer.org. Cool URL, btw! :-)
04.07.2011: Finished Evoris 2: Evolus, and finished an article called "Advanced native Artificial Evolution". Will be released within the next four weeks. Now I'm closing this project for a while and playing with other ideas :-)
23.06.2011: Feeling funny today, I have uploaded a collection of 350 different representations of my old JS.Cassandra. This is a highly polymorphic virus created in 2004, and still is not detected by most AVs. (Well done Microsoft for being the only program that detected all variants I've tested - would be interesting if it's actually a good detection-algorithm or just some high false-positive tolerance.)... Something more interesting is coming soon, hopefully :-)
13.06.2011: Alcopaul just made a surprise release of Brigada Ocho #3! :-) It's a very nice synthesis between novel virus technologies and (psychedelic) artworks - a blast from the past. My personal favorite is "one good thing about twitter" - genius! :-D With it, there also comes a little interview with me. - So all in all, nice move alcopaul, thank you!
03.06.2011:
There has been a second description of my artificial evolution project, released in Virus Bulletin 05.2011 - the text can be seen here: Flibi: Evolution. It is a very detailed - 10 pages (!) - analysis of the evolutionary metalanguage of the project. Peter Ferrie has used many clever/beautiful tricks to reduce the original instruction set (44 instructions) to an incredibly compact set of 18+2 instructions, without the loss of functionality. I have already applied some of these tricks to the next generation of Evoris, and will analyse their effect on the overall robustness of the codes. The codes and discoveries about that topic (you can see my progress at the ArtEvol subpage) will be released in about two months.
Something else: My personal "idiots-of-the-month-Award" goes to McAfee (idiot#1) and Avira AntiVir (idiot#2), for detecting the plain html pages of my homepage and ArtEvol subpage as malware. This is an obvious sign for unbelievable incompetence (or worse: censorship) - think about that when you install/order an AV program next time. There are several free and much better alternatives out there (for instance Microsoft Security Essentials). It would be interesting whether some AVs really abuse their "power" and also block other non-malicious websites...
01.06.2011: I've uploaded a small but funny mutation engine for JScript using radix. The possibility for this technique (and any other creative input) has been discovered by hh86 some time ago, who has written a short, unpublished text about it (the text is in the .RAR file, too). The idea is that in JScript you can represent the ASCII code of a character as decimal, hex, binary, octal - or in general with any radix from 2 to 36. Fortunately we don't have to calculate the results ourselves, but the function parseInt provides the algorithm, thus using the technique is straightforward.
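For a scanner, the counter to radix-encoded character codes is to fold them back to constants before matching. The following is an added example, not code from the page or from the engine: a normaliser that assumes the codes appear as `String.fromCharCode(parseInt("...", radix))` with literal arguments, run over a constructed, harmless sample line.

```python
import json
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
PARSEINT = re.compile(r"""parseInt\(\s*(["'])([0-9A-Za-z]+)\1\s*,\s*(\d+)\s*\)""")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample (not taken from any real script): spells "hi!" in radix 2, 8 and 16.
SAMPLE = ('var s = String.fromCharCode(parseInt("1101000",2), parseInt("151",8))'
          ' + String.fromCharCode(parseInt("21",16));')


def js_parse_int(text, radix):
    """Mimic parseInt for plain digit strings: longest valid prefix, None for NaN."""
    s = text.lower()
    if radix == 16 and s.startswith("0x"):
        s = s[2:]
    value, seen = 0, False
    for ch in s:
        d = DIGITS.find(ch)
        if d < 0 or d >= radix:
            break                       # parseInt stops at the first invalid digit
        value, seen = value * radix + d, True
    return value if seen else None


def _fold_parseint(match):
    radix = int(match.group(3))
    value = js_parse_int(match.group(2), radix) if 2 <= radix <= 36 else None
    return match.group(0) if value is None else str(value)


def _fold_fromcharcode(match):
    codes = [int(c) for c in match.group(1).split(",")]
    if any(c > 0xFFFF for c in codes):
        return match.group(0)           # leave anything outside the 16-bit range alone
    return json.dumps("".join(chr(c) for c in codes))


def normalize(source):
    """Fold constant parseInt / fromCharCode / literal '+' chains until stable."""
    previous = None
    while previous != source:
        previous = source
        source = PARSEINT.sub(_fold_parseint, source)
        source = FROMCHARCODE.sub(_fold_fromcharcode, source)
        source = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), source)
    return source


if __name__ == "__main__":
    print(normalize(SAMPLE))
```

Every radix spelling of the same character folds to the same constant, so signatures written against the normalised text do not depend on which of the 35 radices a given copy happened to use.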
01.05.2011:
Just read an article called Detection of metamorphic computer viruses using algebraic specification - an interesting method. I wonder whether their rewriting system can be seen as some kind of formal grammar, thus can be bypassed as Eric Filiol has shown in Metamorphism, Formal Grammars and Undecidable Code Mutation?! (Btw: If you have some ideas how to solve the Tzeitsin system T1 mentioned in IV.A in his article, contact me!)
The authors of the article, Grant Malcolm and Matt Webster have a very interesting collection of publications on their pages, I'm looking forward reading more about their research.
19.04.2011:
Some days ago, fAMINE wrote a quite interesting posting. It reminds me of something Z0MBiE once wrote.
I am currently writing a second version of my artificial evolution worm. So far, I have rewritten the API hash routine and the NOP-Insertion routine, and I added START/STOP codons, a kind of horizontal gene transfer and a polymorphism that takes advantage of alphabet redundancies (and has some evolutionary advantages, too). I may write about further updates on the ArtEvol-subpage.
EOF will release the 3rd issue of their magazine on 27.07.2011, so contribute your best things to them! I offer a small prize for the two most creative contributions to that magazine, read more here. :-)
02.04.2011: My Artificial Evolution worm Evoris has been described in Virus Bulletin 03.2011, the text can be seen here: Flibi night. It seems that there will be a follow-up article about Evoris called "Flibi: Evolution" in Virus Bulletin 05.2011 - according to Peter Ferrie's latest news.
05.03.2011:
I have just finished the world's first virus for Wolfram Mathematica. Therefore I added an article called Infecting Mathematica Notebook files and the example virus called Mathematica.Prometheus.
It was a small project, yet it needed some tricks. It seems like Wolfram has predicted some sort of malware for Mathematica long ago as they have set some security structures in the Notebook interpreter. Obviously I'm happy that now I could satisfy their prediction! :-)
25.02.2011:
I've finished my latest project: Matlab.MicrophoneFever. It is a polymorphic Matlab M-File inserter that makes use of complex functions and algorithms provided by Matlab. It aims to combine tau-obfuscation and multi-branching at the regeneration of the virus body.
Three days before the release, I have sent three infected samples to F-Secure and to Sophos. Using Jotti Malwarescanner, one can see that Sophos has added the three files to their database (as MLB/Camel-B) - but does NOT detect the virus itself, they fail to detect any other sample of the virus. OK - and F-Secure? They did not detect anything, not even the three infected samples - even though they confirmed receiving them. Some days ago, they proudly announced the winning of some AV award. Now I wonder whether Poika is proud of that result? :-)
10.02.2011:
My latest kitty will be finished soon - probably this weekend (it is a combination of tau-obfuscation and multi-branch construction of the viral body - written in a language that perfectly fits the requirements), more information about it when it's released.
Somehow old news, in the days of twitter, however: Mikko Hypponen has released a nice video called From Brain to Stuxnet: 25 Years of Computer Viruses.
Just saw that my Artificial Evolution Evoris Worm will be described in VirusBulletin March 2011, the text is called "Flibi Night" (at least the first generation is detected by MMPC as Worm:W32/Flibi.a - it would be interesting to test later generations. I will do that one day and post the results).
18.01.2011:
I've read two very interesting papers recently:
First one by Mark Stamp called Hunting for undetectable metamorphic viruses, which deals with a method to defeat the statistical detection technique Hidden-Markov-Model. The authors developed a technique to manipulate the closeness of two virus samples by including instructions and subfunctions of "normal" files.
The second paper was written by Eric Filiol, called Formalisation and implementation aspects of K-ary (malicious) code. K-ary viruses do not stay in one single file but are split into multiple files, a technique very similar to what I have explained in Over-File Splitting in 2005 and used in ArchiveTiger in 2006. The text formalizes the concepts and explains the implementation of it. I wonder how one could possibly create a Class 1-B K-ary virus ("No part is referring to another one. Detecting one part does not endanger the other one").
Both texts can be found in Journal in Computer Virology or at VX Heavens PDF page.
F-Secure will co-operate a course about Malware Analysis and Antivirus Technologies this year, the lecture notes will be presented here, I guess that could be interesting.
09.01.2011: I have a new host - thanks a lot to herm1t. You can also use the redirection www.spth.de.vu, which will always point to my current website - just as last nine years.
01.01.2011: hh86 has released Virus-writing Bulletin 2011. Go and get it! As I have contributed some things, I uploaded them at my page: Evoris (a worm that makes use of the Artificial Evolution technique I have described recently), an article called Code Mutations via Behaviour Analysis and the worm Mimic, which uses this technique.
30.12.2010: A very interesting talk about Stuxnet vulnerabilities by Bruce Dang was held at the 27c3 (the research was done in cooperation with Peter Ferrie, but he got hit by a car recently, so prefers to stay in hospital rather than at the CCC; hope he gets well soon and continues his interesting research). Mikko Hypponen twittered about the interview with hh86 - it's good to see that avers enjoy reading our stuff. ... More to come in two days, hopefully.
25.12.2010: Added an interview with hh86, released in DarK CodeZ #3. More to come in a few days...
01.11.2010: Added some pictures about the Time evolution of the Hamming Distance for this Meta-Language approach.
26.10.2010: Added a very short article called Mutational Robustness in x86 systems.
18.10.2010: Added an article called Taking the redpill: Artificial Evolution in native x86 systems.
14.07.2009: Added an article called Hiding your virus in the matrix.
28.02.2009: Added a virus called eicART.
29.10.2008: Added an article called Chomsky Hierarchy and the Word Problem in Code Mutation.
26.07.2008: The Ready Rangers Liberation Front has committed suicide. I'm looking forward to the Farewell-Party!
08.02.2007: My decision: I'm going to sleep for a number of years. Spending much time for such a hobby is not possible anymore - that has also been my reason for leaving the rRlf. The only way to do this hobby effectively is to spend much time for it - everything else is crap. As I have worked for about five years with computerviruses, I hope that other virus writers will continue our little subculture - hopefully somebody will continue our discoveries and techniques. Hopefully viruses with new techniques, for new platforms will be written. Hopefully people will continue working together in groups, release e-magazines with great content. Hopefully, everything that has been created in the last 20 years will continue for many many years... Hopefully, somebody will create an artificial evolving beast, which can not be stopped. I've tried to help as much as I can, but this time is over now. Anyway - who knows - maybe one day: Second Part To Hell sedet ad dexteram Patris, et iterum venturus est cum gloria.
28.01.2007: Think about it...
02.01.2007: EOF#1 has been released yesterday - it's really worth to download; nice stuff in there... I've also contributed to it and uploaded the article Hashes for Encryption.
18.12.2006: After 50 months, I'm leaving the Ready Rangers Liberation Front.
01.12.2006: Peter Ferrie has released his article Leaps and Bounds (about roy g biv's Win32 and Win64.Bound). In the conclusion he wrote: "So imagine you're a virus writer, someone who specialises in one-of-a-kind viruses, and you want to do something that's really new and different. What should it be? How about quitting?" - These are probably the most motivating sentences I've ever read by an antivirus person. Thanks!
12.11.2006: As you can see, I'm taking a break from viruswriting currently - but I presume I'll be back sooner or later. Well - what I want to express: Recently I've searched and read several things about Dark Avenger - one of the most well-known viruswriters ever. My question: Does anybody know some facts about what has happened with him in the last ten years? Send me an email! Something else: roy g biv seems to be the most active POC viruswriter currently. With his two latest beasts (W64.Bound - polymorphic Win64 virus; OSX/Macarena) he rocked the virus-writing scene again: Well done - keep on working on such great stuff! Late last news: rRlf's new member has a homepage, too: mANiAC89. Next time I'll try to post brand-new stuff :-)
25.09.2006: Germany's law in connection to "computer-crime" is getting stricter. 5 days ago the BMJ has released a text to describe the change of the "computer-crime" law. Mainly, these changes affect real criminals, but some parts (especially p202c) could also affect proof-of-concept authors, as creation and release of malicious codes are prohibited now. My suggestion for all German virus-writers: Read this and buy a gun. (Thanks to DiA for finding that story)
09.09.2006: Sex sells: Reason #1 and Reason #2. No comment, but embarrassing! (Thanks to Radiation for the pics)
08.09.2006: I've written an article called "Hashes for Encryption". I've contributed to EOF and I hope it will be released at 01.01.2007.
01.09.2006: I've written and added an article: Thoughts about Morphology in viruses.
25.08.2006: Today somebody calling himself SysSpider contacted me, and we've started to talk about computer virus techniques at a more or less advanced level (which is quite unusual in IRC). SysSpider seems to have advanced knowledge in networks and Windows-programming, so it's worth looking at his Homepage: SysSpider. A very interesting article by him is Viral Propagation Hooking WinSock. I have never heard about that idea, neither have I thought of it - but it seems to be a good practice-orientated technique.
23.08.2006: It's the end of the world as we know it... And it is true: VirusBuster, well known as the 29a-magazine-editor and member for long time, has left the group at 18th of august (5 days ago). Also vecna left the group some time ago (not officially announced) and roy g biv does not sign his viruses and articles with '29A' anymore, but with 'defjam' (see rRlf#7). Now, the "group" has three members: GriYo (who has not done virus-related stuff for long time), Z0MBiE (who does not write viruses anymore) and vallez. You will see an official announcement for VirusBuster's and Vecna's leaving soon at 29A's site. In my opinion, it can be considered as dead - hard to believe...
16.08.2006: Just found a funny posting by Peter Ferrie at Symantec's Weblog called We Could Almost See it Coming. Interpretation without a context of information. Whatever the reason was to not release the source of Gattaca - it was not the reason that he wildcatted. I don't use any Anti-Virus Program, I just check my viruses sometimes at Jotti's virusscan to know the AV names. I don't think that Peter Ferrie really believes what he wrote - he is believed to be a wise guy - I presume it was just a silly marketing-posting. But two positive aspects of the posting: They seem to visit my page very regularly and they try to put as much effort as possible in our proof-of-concept stuff.
14.08.2006: Just returned from Germany, rRlf meeting 06 (80%) with DiA and philet0ast3r and some hours disk0rdia! It was really heavy - 4 days of real much alcohol (probably I've never ever drunk that much alcohol in 4 days before), weed, and so on - a great fun :-) Well described at DiA's blog-entry. Uhhm, i need much sleep now - over and out!
08.08.2006: As you may have seen, our latest magazine also contains a PowerShell (formerly Monad) Worm written by sk0r alias Czybik. Several sources have already written about it - and now also Microsoft has posted about it: Windows PowerShell and the "PowerShell Worm". This is very strange in my opinion - I don't see a reason why they defend their shell-application that much - just because of some proof-of-concept viruswriters.
05.08.2006: Finally I had time to upload my contributions to rRlf #7 at my page. Uploaded 3 viruses, 4 articles and 3 interviews. Currently I'm creating the concept of my next malware (some sheets are already in front of me, and look nice). It should become a connection between artificial life, artificial evolution and something that I have written 2 years ago - but more advanced and better ideat. In case you are interested in these topics, it would be of some value to read the Interview with Tom Ray, who is the creator of Tierra - a system for artificial life.
02.08.2006: Ivan by Trend Micro weblog-team has written the best comment about the VX-Scene that I have ever read. Read it here: E-Zine Releases New Virus Technologies. Thanks a lot for that, Ivan!
21.07.2006: The rRlf-magazine issue #7 has been released! Nothing more to say than "Get It!".
13.07.2006: I've decided to suggest interesting articles about the virus-scene to you at irregular intervals. I'm thinking about short texts, which explain our motivation, our ideas of all the stuff we're doing. Please take the 15 Minutes, print the text (good idea for spending the boring way to school, university, job, ...), read and think about it. Well - the first text is 'Why I write viruses (and how not to stop me)' by MidNyte. I've really liked reading it - I wish you the same! By the way: Our magazine will be released in one week - in case you want to do a last-minute contribution, hurry up and send your stuff to [email protected].
06.07.2006: I've finished a virus article about a very new, very unusual language developed by Microsoft over the last 2 years. For the sake of curiosity, I will not tell you the name of the language. This is now probably the last stuff I'll contribute to rRlf#7 - I'm just creating a very new idea of self-morphing (by using parts of evolution and other incalculable techniques) - but this will be another very big project, not to be finished within 3 weeks, of course.
04.07.2006: GATTACA will not be released.
16.06.2006: The new picture of F-Secure's cooperators at their weblog is very nice. The black heaven in the background makes the whole team very sympathetic in my opinion (probably that is not too wise for a professional company, anyway). Together with Mikko H. Hypponen's Finnish rap-band FSMC this team is really unusual and funny :-)
13.06.2006: A new virus-group has been formed by three very talented viruswriters: Doom Riderz. I think this is a very positive trend in the virus-writing scene - I haven't seen that much activity for a long time. I'm sure these new coders and groups will have a bright future.
12.06.2006: Look at this video and think about it: Google EPIC or Google EPIC (German). Between sleeping and being drunk this weekend I found some time to work on my latest project. I've finished two more viruses and one polymorphic engine. I won't tell you which language it is before 21.07.2006.
06.06.06: I just want to say "HELLo" to everybody on the day of The Lord... Something informative? Let me think... Yes: I've done two more interviews with very great and intelligent persons, secret who it is, more in rRlf#7 - I'm already really looking forward to it - I (only) saw the index: great! In the last days I've also written a virus for a so-far uninfected, and very unusual platform of Microsoft. Guess where you will see it :-)
03.06.2006: XERO wants to create an e-magazine, and release it around the end of the year. If you want to contribute, send your stuff to Sky Out. Some more interesting links I've found recently: F13-Labs is a new virus-group, too. And a nice homepage of a coder called free0n - the homepage also has RSS-feeds.
01.06.2006: Today I've found a great page: Karl Sims. Look at his videos about evolution in connection with art and get inspired - his articles are also highly interesting. Advice: Check it out!
30.05.2006: I've done an interview with a very well-known person - in connection with computer viruses. No comment who it is - you will see in rRlf#7.
21.05.2006: In the last few days I have coded a Wikipedia worm. You will find the source and the article about Wikipedia in rRlf#7.
08.05.2006: This time I want to give you the link to two new Virus-Writing groups: Purgatory Virus Team and XERO. Both groups seem to be quite active - some of the members I know are very nice and smart persons. Hopefully they continue improving their knowledge and rock the house soon. :-)
07.05.2006: I'm really happy that I can now present you my latest artwork: ArchiveTiger! It is a highly morphic worm, which spreads to .rar archives (current directory - POC). The special thing is the two kinds of morphism - but you will see. I don't want to write anything about the technique now, you will see the source+description in rRlf#7.
30.04.2006: Today another stupid bug upload for you. It seems like cmd.exe has an error in the function "copy" (with and without parameter "-b") when copying files with 0x1A-Bytes. The bug leads to overwriting content in the destination file. In the example a .bat file copies an 11 byte + 6 byte file - result: 11 byte or 10 byte (with -b parameter)! Download and see the CMD.exe copy bug for yourself.
21.04.2006: I've uploaded the Winlogon DoS file. I'm curious about some comments, so just send me an e-mail when you've tested it.
18.04.2006: I'm sorry for not writing anything for such a long time - I wanted to write when I've finished something new, but unfortunately my current project is not near finished so far. So far two out of its three morphing engines are finished. It is not polymorphism or metamorphism, but something different, something strange - you will see. I have started to create the concept of that malware in summer 2005, and improved it several times. :-) Besides coding I've read a lot about neural networks, generic algorithm, artificial life, creation of structures, etc. (for instance at David Kriesel's highly interesting page). In some delirium recently I've got fragments of new ideas - I'll try to sort them and hopefully make something useful... About rRlf#7: DiA told me that the quality AND quantity of the contributions are very good so far, anyway: We would like you to send stuff too: DiA's mail account waits - thank you (these times, as 29A does not release and may retire, it's very important that we help together creating good output. Not only for rRlf, but for you and for me - for the whole viruswriting community - and WE will do it :-))! Something else: I want to say thanks to the 30-35 people who visit my page every day even without news! :-)
27.03.2006: I've been in the virus scene for four years now. As a present for you and for me, I've updated my picture at subsite 'contact'. Today I was able to fix some stupid bugs in a running project, now this one can continue again :-)
13.03.2006: Congratulations go to GriYo for coding Virus.Win32.CTX (see the source in some 29a-magazine) - its high polymorphism and other techniques led McAfee to produce a lot of dangerous false positives.
07.03.2006: First: I've updated the iCab.rar-archive - with the bug-fix :-). The source, the exact explanation of the virus and of InfoPath secrets, and infected .XSN files will be in rRlf#7. Something else: Today I've got an eMail from herm1t and I want to copy the body here: "Hello, I just want to inform you that due to problems with the hosting vx.netlux.org is down again. I hope that solving these problems will not take too long and site and hosted sites will be up soon, though I cannot say exactly when. Sorry for inconvenience."
06.03.2006: I've found two reports about my InfoPath virus. One by Trend Micro and one by Symantec. Symantec's report has been written by Costin Ionescu, a guy who has already written virus reports about very important viruses in the past (Nimda, Klez, first MacOS X Virus, etc.) - which is quite nice. Both reports mention that the virus contains a bug. This is highly probably because of a problem with debug.exe. I've tested the virus on 4 different OSes (WinXP, WinXP @ VMware, Win2000 and Win2003), and only one time it did not work. I'll fix this bug for the release of rRlf#7.
04.03.2006: Finally, my second running project has been finished. It is a binary InfoPath macro virus - the first virus which can infect Microsoft Office Infopath files. The source has more than 900 lines - and will be released in rRlf#7. You can download the binary of InfoPath.iCab. Now my primary artwork will be continued.
27.02.2006: I think I found out when the Winlogon DoS happens: When you use debug.exe and give an input file; the input file contains a line whose output should be quite big (I've done it with 100 bytes), WINLOGON.EXE starts using 100% of CPU-speed. If anybody else tests that, I would be happy to hear about the result.
26.02.2006: While trying to finish my second project, I've discovered a bug in a fully patched Windows XP SP2 - exactly a WINLOGON DoS. When you try to create a binary file via debug.exe, via an external file, and you write "e 0000 4D 5A 80 00 " (etc.), WINLOGON.EXE starts to use 100% of CPU-speed and the PC speaker starts to make very strange noise. This alone is not dangerous, but annoying, as you can not restart WINLOGON.exe. Maybe this could be used for code injection or some other dangerous stuff too, I don't know so far (but I know that the created binary contains strange data). If you want a malicious dump file for testing that problem by yourself, send me an eMail. About my nearly finished second project: SlageHammer has helped me very much today, and now I know that it will be finished very soon (I think this week). So watch out for updates.
16.02.2006: Congratulations go to the currently still unknown hero, who has written the first virus for MacOS X! Somehow very strange: I wanted to do exactly the same thing and release it on 23.03.2006 - one day before "5 years without a virus" :-) (already downloaded VMware + MacOS X - but per fortuna I have not started yet)... OK, back to the other in-progress artworks :-)
13.02.2006: I still have no contact with darkman (I've done the co-op project with him) - hope we get in touch before July - for making a last review before the release (in rRlf#7). In case you read this: contact me! About my latest project: So far so good - 300 lines are done and now I'm looking forward to coding one of the four main engines. Just as a reminder: rRlf#7 will be released on 21.07.2006 - if you want to contribute, send DiA an eMail.
07.02.2006: Die, please!!! That's simply a new kind of Fahrenheit 451. Reason: All about business, the fat market in China and money. :(
04.02.2006: More and more papers become filled with new ideas and more advanced technical tricks for my new project. I've already written 250 lines of code - somehow I feel this will be something very good (at least, it is 100% unusual) :-) Hope I did not miss any weakness in the concept.
03.02.2006: Today I've re-organized my homepage - as you may have already seen. I've deleted the "news" from 2005; you can see them on the bottom of the page at "archiv". I've also deleted the subpages BWG and JSG; the latest version of the program can be downloaded at subsite 'programs' now. I've made the page HTML 4.0 validated. And, the feature I'm most proud of: I've added RSS-Feeds :-). And now about viruses: I've started to code on my new project. This one has 13 parts, counted WITHOUT spreading-functionality. Five out of these 13 parts are very hard to code I think. Nevertheless, I've already finished the first small part. Next step: 2 more easy/small parts. Maybe I'll finish them this weekend - I can tell you, it was a nice feeling to use FASM again :-)
01.02.2006: My latest project has been finished, but as it's a co-op - and I do not have contact with the second coder at the moment, I can not tell you too much about it. What I can say is: It is highly polymorphic, EPO and ~ 2.500 lines Assembler. (source will be released in rRlf #7 - on 21.07.2006 - you can contribute to it by sending your stuff to DiA). Now I will take a beer and then start the project whose idea I've been creating since autumn. I've some brain-storming papers in front of me, showing the exact structure of it. If I can do it as I think - this will be much fun (for me as coder and - when it's finished - for AVers). :-)
16.01.2006: I've restarted the project (a co-operation work) which I've done in autumn 2005. I had some big successes recently, and I hope that I can finish it very soon. So far it is still secret. I'll tell you more when it is done - it will be released in rRlf#7. What I can tell you: It is done in assembler, and the source is >2500 lines so far :-).
09.01.2006: As some people asked me about my latest news: This does not mean in any way that I stop coding viruses or that I'll leave rRlf - moreover it means that I stop the contact with all losers around the virus-writing-scene :-). Uhm, yes: I also thought that stopping writing news at this homepage makes no sense, so I do not do it... If you are bored, read this. (Retro found it - and it is VERY true!)
03.01.2006: I'm totally pissed off at all the shit that happens currently... And this time I do not talk about anything else but the virus writing scene. ([{Nearly}]) Nobody creates anything useful, goddamn stupid malware with commercial purpose ONLY fucks people out there, no more interesting stuff (as the lead-warriors, pioneers and forefathers of vxing did)... Yes, 29A did not release anything this new-year-day - and seems to retire. We seem to be the last existing group (only vx-magazine last 12 months) - that's more than sad. Newbies disappear because THIS is nothing interesting anymore. Shit all over the internet - I need a break from all that now - no more email-reading, no more IRC and no news here for a while... (real good friends here know how to contact me) I'm just bored - Hope some day (soon or far-away future?) some cool stuff will wake me up again...
28.12.2005: LowLevel#8 has been released, and with it a (German) article by me called "Einige Optimierungstricks". You can view it also at my subsite articles.
26.12.2005: Real bad news today - REAL bad one: I've just talked to VirusBuster, and he made it true what he mentioned some weeks ago: 29A#9 will not be released on 1.1.2006, and there is no other date for it (so far???). Reason: Too few contributions by 29a-members. So we can not do anything against it - even if many of us have tried it... As I wanted to contribute my two articles to that magazine, I've decided to send them to DiA for rRlf#7.
23.12.2005: I've just seen Peter Ferrie's Homepage's news: "December 14: coming in January: VBScript/JScript exploit article". Somehow I feel he has contributed that article to 29A#9 - why else shouldn't he release it now? :-)
22.12.2005: Currently I'm reading a lot about Neural-Computer-Science (like Neural Networks), Artificial Intelligence, Artificial Life, etc. Maybe I can use some of those ideas in my latest project. I really hope so. In case you know German, see this article. It's really interesting, but hard to understand. The owner of that page, David Kriesel, has several other related articles about that topic on his page. Highly interesting topic, and maybe gives us some ideas for our future projects.
11.12.2005: Mikko Hypponen and his team has done an interesting video about the virus situation in 2005, and about several techniques which are not seen so far - I would suggest that you download it, it's worth the time.
10.12.2005: Finally I have found the quote for my last sub-page (BWG): It's by Subcomandante Marcos, a Mexican anarchistic-social revolutionary.
09.12.2005: Today again: If anybody is interested in my latest project, check it out: http://spth.host.sk/vistavirus.txt.
09.12.2005: Sorry, but I think I have to give up writing viruses because I am fully stressed with playing computer games... Well, of course, that was just a joke :-) Just wanted to comment on Eugene's stupid ideas of today's young persons! Recently I've found a very interesting computer language - highly complex, very useful for special virus technology (polymorphism, maybe even metamorphism, and who knows - maybe even good for AI), script and binary in one language. It has no connection to any other language I already know (and I know several languages +g+), and it is very new and will become quite popular. If you know what I mean, send me an e-Mail :-) I'll try to learn that language quite well (not just the roots of it) and do some stuff with it in the near future. More to come soon.
27.11.2005: While reading the weblog at viruslist.com I got a strange idea for malware - no technical one, but maybe a good one anyway. The root: A malware program is detected by AVs when they get a sample of it. They have to analyse it and write a detection routine for it. This process uses (in a very good case) at least 10 minutes. Now imagine: We would have a tool which morphs a .EXE file (maybe randomly [like the technique Code Evolution] or via packers/cryptors), so that there is no connection between each file. It does not matter if the .EXE file still works or not. Now, our bad tool sends the morphed .EXE file to several email addresses like [email protected], [email protected], [email protected] (yes, to that n00b too :D) and eMail addresses of other AVers too. The subject and the body have to be different, but with the same sense (like Subject: "newvirus", "maybe new malware", etc.). The filename has to be different (taking a name from a file on the HD). When the tool has sent the file, it morphs the .EXE again, and sends it again to several email addresses. What would happen? The analyser has to download the file, open it and analyse it for some time. Result: We waste the worthy time of our friends, and they have less time for working on real stuff. We could also use pseudo-beagle/sober/[insert virus here] body/subject. If they would ignore the incoming files, they will ignore real malware 100%, too. Somehow I have the feeling that this would make their work way harder :-)
24.11.2005: Just finished an article called "Wikipedia: Using free knowledge for bad stuff". It's about an idea how a computer virus could spread via Wikipedia. The negative side-effect (and the reason why I've thought about deleting it again) is that it's also very easy to destroy big parts of the free encyclopedia. Even though I've written it (I HAD TO write it) - I hope it never comes true or that all my positive tests were not real!
17.11.2005: I've just finished my latest project: An article called 'ASP.NET Virus Writing Guide' - which will be released soon I think. Finally one thing away from my to-do list :-) Now let's start or continue another project. I've also written two articles for LowLevel#8 (a German OS development magazine) some time ago. Titles: 'Einige Optimierungstricks' and 'Ein OS auf einer CD-ROM'. The OS-dev magazine should be released soon, too.
03.11.2005: Well Done! For any virus writers without an idea: Look here and choose one project :-) Everything could be found on eMule or BitTorrent. I'm currently working a lot (on viruses) - but it's too soon to give you more information about it - sorry...
30.10.2005: Happy Birthday Bill Gates! Thanks for the good and interesting software you have created in your 1/2 century! I hope you and your company will put more effort into creating software and less into making patents and bounty for malware creators. Thanks & cheers :-)))
24.10.2005: Well, as you can see in the last news, I did not code really much for the last 2-3 months, as I had some real life problems. The reason why I'm writing this now: All these problems are solved, and I feel free again - that feeling that makes you very motivated for fucking the world again :-) My to-do list is again growing (not because I'm lazy, but because I was again able to create new ideas and think about new techniques). I know I'm also going to code and write a lot again. Often I read that phrase: "See you in better times" - I think that better times just started again...
13.10.2005: From rRlf.de.vu: 13.10.2005 :: In the name of Peter Kropotkin, Retro has finally done it: The first virus for Microsoft Windows Vista (Beta 1 Build 5112) has been finished, tested and its binary released: Idoneus! Well done, dude! The source will be released in rRlf#7!
06.10.2005: Due to dav's effort, I update my news-section. Hmm, nothing important to write - I'm still waiting for the News "First real Vista virus/worm discovered" or "Office12, which will be shipped end of 2006, infected"... I hope you do your best! I'm also working hard, but not Vista-related, but other stuff. Well, contact me if you are working on these things (Vista and related tools, Office12 macro virus, etc.) something new, something "Fuck you, M$".
22.09.2005: I just returned from Germany, where I have met cyneox. He is very cool, I can tell you. Unfortunately the trip was very short - next time I hope it will be longer.
11.09.2005: Sorry for the long time of no news. I just had no internet connection where I could change the site. Well, currently I'm working on my new project - which will be quite nice I think. But I have very little time until mid-October - so don't wait for some breaking news until then.
24.08.2005: I've added a quote at subsite "links" - with special greets to the government of USA, EU (especially Great Britain and Austria) and every other fucking country who wants to fully control their citizens!
19.08.2005: I am very sorry, but I just realized that I have forgotten to upload the maybe most important text by me in rRlf#6: "Surrealism in viruswriting: How to create new ideas". The article is not about a certain technique, but how to create ideas for new techniques. I think it's time again to get a new idea :-)
11.08.2005: Recently I've seen 100s of web-pages about the Monad-project. There were a lot of things which bother me, but the most fucking thing: Nearly 3 out of 4 articles mention that I'm from Austria. Who the hell cares? For that reason I've rewritten the profile at subsite 'contact' - to give a better view of my ideas. Oh well, dav has written a MSH-VCK -> Msh(Monad) Virus Kit.
05.08.2005: As the rrlf-zine.de.vu site ran out of memory, here are some more sources for downloading the rRlf#6 magazine: dav's 1st mirror, dav's 2nd mirror and herm1t's mirror.
04.08.2005: Yesterday I've sent my five Monad viruses to several AVs, and I got a nice answer from Aleks Gostev: "It's funny but Vista do not include MSH :)". See here or here that our friend (well known from the text How BigBrother wants to get us down!) is wrong. Nevermind, I've also uploaded these five Monad Viruses from the article Monad: Microsoft Command Shell - Infection Tutorial separately (see virii-subsite or download here). A very nice quote I've found: VISTA = Virus Infection Spyware Trojans and Adware! Let's do our best that this becomes true! :-)
23.07.2005: I've uploaded everything released in rRlf #6 by me. That means: 5 articles, 3 other texts, 2 viruses and 2 engines (sub-site programs). I hope you like them - I do ;-)
21.07.2005: Finally, rRlf #6 has been released! DOWNLOAD IT!!! :-) I'll update my page next few days - no chance to do it now. Now it's time for a beer...
02.07.2005: I've just finished an article called "Monad: Microsoft Command Shell - Infection Tutorial". The article is about the infection of the new command shell of Microsoft Windows Longhorn (or Windows 2006 - if you prefer that). The first beta-version of that command-line has been released ~1 month ago - and there are already 5 viruses for it (overwriter, prepender, appender, EPO, cross infector). :D The article will be released in rRlf#6.
28.06.2005: Due to several reasons the rRlf#6 release date is now the 21.07.2005.
07.06.2005: Oh fuck, school sucks that much! Well, I've finished a project called "File Splitting Engine" and an article called "Surrealism in viruswriting: How to create new ideas". They will be released in rRlf#6.
27.05.2005: I've finished my latest project, the "Code Evolution" idea. The result is a code named "Gloeobacter violaceus". It is neither a real virus nor a real engine. I would describe it as a (very?) primitive artificial life form. I tried to emulate nature's evolution with it - the rest is secret until rRlf#6 is released. Now I'm trying to bring the other idea to reality ("Overfile-Splitting") - hope I can finish it also that fast (<1 month) - but I don't really think so. Nevermind...
17.05.2005: My current project is, as I've already thought, bringing the idea of the "Code Evolution"-article (which you have not read so far as it's not released :D) to reality. I've already finished all mutation-functions, made a semi-good pseudo-RNG and so on. As blueowl helped me today with a stupid problem (thank you a lot), I can continue now and maybe finish it all very soon. What needs a lot of time is the testing of the mutated output, its behaviour and opcode. But I really like it, it's fun to look at a program which morphs itself in a way you don't know. And you don't know if it works in the new generation, how it will behave... ;-) Wait for rRlf#6 to see it!
12.05.2005: According to an AV-insider, many AVs have hard problems with a packer called "SVK-Protector". This has been written in wilders-forum, but deleted soon after the posting by the Administrator. Just try to use it in your future malware!
11.05.2005: I've written a very short article for LowLevel#8, called 'Einige Optimierungstricks'. It will be uploaded when LowLevel #8 is released.
09.05.2005: After testing Firefox for some hours (I have not found any way to write to the HD), I became bored of JS. That was the reason to start my new project: Bringing the idea of the Code Evolution-article to reality. I've already had some success (pseudo-RND, etc...), even though this is my first real Win32 asm project. So far I have not got a name for the project, so if you have some nice ideas, write a mail to [email protected]. :-) I've also translated the interview with cyneox (about 2.000 words) to English so that everyone can read it in rRlf#6. Ohhh, I wonder if ANYBODY reads this, as my counter says that last week there were zero (!!!) visitors +gg+. But maybe it's just a bug (at least I hope so, of course!).
30.04.2005: I've finally finished the article "New era of bootsectorviruses #2: El Torito ISO infection at FAT32" (which will be released in rRlf#6), and with it I've finished my step into the OS and bootsector development (for now, maybe I'll return some day). I thought about a new project and two things came into my mind: Bringing the idea of 'Code Evolution' to reality. Second idea was, the day after the 50 millionth download of Firefox, searching for ways of spreading, connection of scripts and Firefox and related stuff. Unfortunately time is very expensive currently, as I'm on the way to finish school in the next 2 months, but I'll try to invest as much as I can! After these two months I'll have a lot of free time (at least I hope so), which I'll definitely use for coding again! :-) Anyway: I'll do whatever I can to produce high-quality (hehe) stuff!
17.04.2005: Today, Lowlevel#7 was released (an OS-developer mag in German), and with it the FAT12 tutorial, which has already been uploaded some months ago. What is funny: See the impressum: my real name is SPerl THomas... ;-)
12.04.2005: First: Sorry for the long time of no news, but I had nothing important to say ;-) I've finally finished my SPTH-OS 2.0! It is the very first CD-ROM Bootsector infector. Unfortunately the directory changing does not work, but that does not matter a lot, as this is just a proof-of-concept virus. You will find it in rRlf#6. I'm also going to write an article about FAT32 and ISO infection. Next project: I don't really know. Maybe bringing one of my two already-written-but-not-released-so-far ideas into reality or making a BOOTP virus (network-boot virus). Or maybe something totally different - who knows?! Something different: I've done an interview with SnakeByte for rRlf#6. I think it's quite interesting, so just wait for it.
21.03.2005: After several hours of coding I finished a major step for my project: The virus is now able to search/infect files in all directories on the partition. And: The article and the virus, which I wanted to use for xine #6, will be released in rRlf#6, as I thought this series should be in one magazine.
19.03.2005: Finally, my 18th birthday! And I've also been in the scene for 3 years. Juppi duppi... ;-) Now let's continue drinking!
12.03.2005: I have finished IMG infection at FAT32 harddisks with my bootsectorvirus. It works really well (tested on 2 computers), I'll add .ISO and .NRB infection too as soon as possible. ISO format is much more difficult than IMG (of course), so it could take some more weeks (as I have a lot to do for real life too currently). But don't worry, I'll finish that virus 100%! And it will be released in rRlf#6. Something else: I've read an EPOC virus article by Retro some days ago, which will be released in rRlf#6 too! The article is really great, I'm sure you will like it... If you want to contribute to our ezine, write a mail to DiA!
27.02.2005: I've written an interesting article called 'Code Evolution: Follow nature's example'. The article will be released in rRlf#6. My Project: I solved the next (and I hope last) major problem. I hope to release it soon.
20.02.2005: I've done an interview with Cyneox about Linux Viruses for a 30-page article for school. The interview is in German, but highly interesting. It will be released in rRlf#6. Something else: My discovery of FAT32 and the whole shit with it has been finished. It was really difficult to get real information about that. Well, now the coding phase has started. I've already had big success. If you don't know what I'm talking about: About a CD-ROM Bootsector virus. :-)
13.02.2005: Finally, www.rrlf.de.vu is uploaded. I need some more days to get access to upload. Anyway, it's in the net :).
09.02.2005: As rrlf.host.sk is down now, we have decided to move our site to helith, as it's one of the last places where vxers can do what they want. We also made a redirection URL called http://www.rrlf.de.vu. This URL will stay our URL, even if we get kicked by hosts. Well, the site, as far as helith-network agrees (we think so :D), will be uploaded as soon as possible.
01.02.2005: I've finished a text called 'rRlf's bloody weekend', which will be released in rRlf#6. It's a text about the weekend when philet0ast3r, DiA and rastafarie came to me. Currently rrlf.host.sk is down, for some days. I really hope it will return - we will wait for some more time, and if it doesn't return, we'll search for a new host. I've also removed the old news from 2004. You can see a summary of the last year at the bottom of the page. I really had 100% no time for more coding in the last 1-2 weeks because this year I want to finish school=much to do. But I'll try to do my best as soon as possible.
25.01.2005: This weekend philet0ast3r, DiA and rastafarie visited me for two days. It was totally cool, drunken, bloody, whatever - it was a great fun. You may see some pics and texts of it in rRlf#6.
16.01.2005: Today I've finished an article called 'Over-File Splitting'. It's a new technique to fuck AVs. The article will be released in rRlf #6. And I've sent my unreleased article 'New era of bootsectorviruses #1: FAT12 IMG infection at Disks' and SPTH-OS 1.0 to Lifewire and they will be released in iKx's xine #6.
08.01.2005: Yesterday I've talked with Vorgon, and he told me that iKx finally wants to make/release xine#6. Well, that 'rumour' has often spread you may say. But this time I really think/hope that it's true. Vorgon and lifewire are both active, and a new member called 'ch4r_' joined recently. They started two weeks ago and want to release it in March 2005. I cross fingers for you! Something else: I've finally finished an article called 'New era of bootsectorviruses #1: FAT12 IMG infection at Disks'. The article is a full explanation of SPTH-OS 1.0 and also explains all the basics about that topic. #2 and maybe even #3 will also be written (I really hope soon), about improved techniques of that one. I don't know when they will be released, because I don't know where. But I try to do it as soon as possible!
04.01.2005: Today I've finished the first version of my latest project: SPTH-OS 1.0. It's a bootsectorvirus, which infects the bootsector of FAT12 .IMG files in the Root_Directory of the current (infected) Disk. Executable file uploaded (projects), source of this or a following version will be in rRlf#6! Of course, now let's go on with this project - 1.0 is just the very first finished version - more will definitely come!
01.01.2005: Again today: While checking out the 29a articles I was kind of shocked: I found an article called 'BOOT CD INFECTION' by a virus writer called LiTlLe VxW. LiTlLe VxW had 100% the same idea as me - writing a CD-ROM Boot infector. :-) Strange, hmm? (Just to make sure: He did not use any idea by me as I did not make it public [to avoid anybody writing the same as me :-D]) Now you also know what my latest project is. Ironically LiTlLe VxW has even sent 'thanks' to me in his article. (Answer: Yes, of course, it is nice :D) I could not find any virus for that so far, so LiTlLe VxW: Let's make a competition, who can make the first CD Boot Infector? ;-) I've worked on that topic for quite a long time (let's say, 2-3 months) and I've already had some success. As there was no contact: In case you read this - please send me a mail!
01.01.2005: Happy New Year! New year could not begin better: 29A #8 has been released today (juppi!!! :D), and with it two articles by me: 'RUBY Virus Writing Guide' and 'Server -> Client Communication for Preprocessor languages (PHP)'. Therefore I've uploaded these two articles at my site. Something else: I've written an article called 'FAT12 Dateizugriff' for the German online magazine LowLevel. The article will be released in LowLevel#7.
21.12.2004: I've uploaded Anti Virus for MenuetOS 1.1. Now the scanner also detects Menuet.Tristesse. It was not hard to code, but I nearly forgot about that program. Well, I did not have a lot of time lately, therefore I have not continued my project. But as next week my holidays begin, I'll definitely continue, and then I can also finally tell you what my project is about. By the way: My two unreleased articles will be published in 29A#8 (I've asked VirusBuster and he said that they are accepted and will be published). Official release date should be 1st or 2nd January 2005.
15.12.2004: I've collected a lot of information about AVs and their bad behaviour, and I've written a text about that: How BigBrother wants to get us down! After reading you think different in some ways - I promise you! Please spread this information as hard as you can! Thank you!
12.12.2004: The rumour that KAV has something to do with the latest 'actions' against virus writers is no more a rumour: It's true! Once Aleks Gostev (KAV) wrote a letter to netlux.org for shutting down vx.netlux.org (over the head of herm1t). But as herm1t belongs to the netlux-team, the letter has been sent to him immediately. Also recent actions against whale have been forced by I. Sumenko (virus analyst), S. Shevchenko (head of department of anti-virus research) and N. Kaspersky (CEO).
11.12.2004: As host.sk is down again I had no homepage, but now, thanks to herm1t, I have one again. If I would believe in god, I would say "God save you herm1t"! ;-) Much thanks for hosting me!!! I've found the very first AV-report on Menuet.Tristesse. It's not very detailed, but it's true what the author (Crescencio Reyes) writes. The report can be found here. Well done, Trend Micro! I'm currently working on something never seen and really interesting, but it will take much more time - it's a quite big project, which is totally secret so far! :-) News about it will come soon! I've also removed most of the BWG and JSG versions, because the old ones are really uninteresting.
30.11.2004: Viruslist: Benny, Ratter questioned. I have talked to Benny about that statement, and he told me that he had NO connection with Slammer (so he will get no trouble - police got his software/hardware). And about Ratter, ValleZ and dis69 he said that he (and just he) had contact with police. Anyway, dis69 left 29A. Well, the group is still active he said. Then, let's wait for first days in January 2005 for 29A#8! :-)
24.11.2004: KAV detects RUBY.Paradoxon as Ruby.Pydoxon.a. It's the first Ruby virus in their database. And a very late av-name-news: BatXP.Nihilist will be detected as VirTool.Bat.Nihi.a. Nice! But they still don't detect Menuet/COM.Tristesse, even they have the binary and the explained source! Shame on you! Well, I've also uploaded a new picture by me as the old one has been done about 10 months ago. I hope you like it :-).
22.11.2004: I have finished an article called 'Server -> Client Communication for Preprocessor Languages (PHP)'. Well, I think the title says everything. It will be released soon!
13.11.2004: rRlf #5 is out! Just download it, it's great! :-) Therefore I've uploaded 3 viruses and 4 articles. Just look at the subsites! Well, as KAV was not able to detect JS.Cassandra.b - or maybe they did, I don't care - I wanted to upload version C, which spreads very fast! But I did not because of three reasons: 1.) I don't want to get troubles. 2.) I don't want anybody spreading a virus. 3.) I don't like JavaScript anymore, so coding it would be very boring. Sorry!
04.11.2004: I've finished my latest project: The very first virus infecting Ruby-files. It's a prepender virus without a payload. I've sent the files to Kaspersky, looking for a new update with the virus 'Ruby.Paradoxon' :-). It will be released in rRlf#5. Now I'm going to write a tutorial and an advanced Ruby virus.
03.11.2004: I've left my old host vx.helith.net, because many persons could not contact my site. Now I'm hosted by philet0ast3r's at host.sk. Much thanks to philet0ast3r for letting me put my stuff at your domain, and thanks to vh for having hosted me for a long time! Thank you!
01.11.2004: I've added a new collection of JS.cassandra.b. 21 generations (generation 1-21), because of Aleks Gostev's nice email ("Your crap dont work at 2nd generation"). I think this is a proof that you are false, my little friend! :-) I will upload JS.Cassandra.c at 13th November 2004, if KAV don't detect at least 99% of all generations (not just from that collection) until that date. The new version will contain mass-mail-routine, IRC-routine, P2P-routine, and will be at least as polymorph and encrypted as JS.Cassandra.b! An undetected (and maybe not real detectable) high-speed spreading worm. Just look at this site again in 2 weeks, and you will see what has changed :-)!
13.10.2004: Today an article called 'Todeskusse' by Kathrin Wesely came out in the German magazine STERN extra (Campus & Karriere). It's mainly about DiA and me, and there is also a picture of each one. The article is quite good beside of one thing: I do NOT listen to the music the author wrote (If you want, look at 'contact' to find out the music I like)!
09.10.2004: Yeahh, finally LowLevel#6 is out, and therefore I've uploaded 'Interview with Mike Hibbett' and 'MenuetOS - Der Weg zum Erfolg mit Assembler'. Have fun while reading, it's not virus related, anyway interesting I think.
07.10.2004: Finally, after about 5 months, rRlf's new page (rrlf.host.sk) is up again. Just look at it!
06.10.2004: DCA#1 is out. There are also some things by rRlf members (DiA, BlueOwl). So just get it. About rRlf: Philie has no time, and therefore he asked DiA, if he wants to be the new zine editor (he agreed) and me if I want to be the new webmaster (agreed too). Well, I haven't got the PWs so far, but as soon as I get it, I'll update the new site!
18.09.2004: I wrote an article for the German OS-development magazine LowLevel called 'MenuetOS - Der Weg zum Erfolg mit Assembler'. The article contains some general parts from my 'MenuetOS infection' article, but also a coding example. The article doesn't contain any virus-related infos, just coding examples and infos. It will be released in LowLevel#6, and I hope the magazine is out soon. Currently I'm working on my probably last MenuetOS virus, a very advanced one, and I've also discovered some new parts of Menuet, as last version (0.78pre3) isn't that virus-friendly as other versions were. So much work again. Something very important: You know that www.rrlf.de belongs no more to us, as the provider kicked us (now it contains a nice sex-page :D), but philie registered rrlf.host.sk, and it's up now! Just visit it!!!
08.09.2004: Great news today: I've finished my latest project: Menuet/COM.Tristesse, a multi-platform infector. Tristesse infects COM files via appending and MENUET files via prepending. The biggest problem while coding was, that MenuetOS is a 32bit based OS, and COM files use 16bits. Well, the virus will be released soon.
04.09.2004: My old host (www.bigsitecity.com) deleted my page, so I had to search a new host, and came back to Van Helsing. Thanks guy! Another thing: I finished an article called 'Code via Behaviour', and it will be released soon I hope.
17.08.2004: Three news today: Firstly, I wrote a text called 'The weekend of rRlf meeting', which is, as you can see on the name, about the weekend when I met PhileT0ast3r, DiA and the other guys/girls. The text will be released in rRlf#5 and rumour tells that PhileT0ast3r will also write such a text and release it in rRlf#5 :-). And secondly: I've coded an Anti Virus Program for MenuetOS, which is available with source in sub-site 'programs'. It may also be included to the official Menuet-disk, depends on what Mike Hibbett thinks. And last thing: KAV detects my 'Menuet.Oxymoron' as 'Menuet.Xymo.a', but they just detect it at one static offset, so most infected files aren't detected. Well done, guys. :D Maybe you should install the OS at least one time and test it!
10.08.2004: Maybe you noticed, but www.rrlf.de has been down for some days. Today philie told me the reason: The provider kicked www.rrlf.de due to illegal content! Now philie registered rrlf.host.sk, and it will be up very soon!
09.08.2004: I interviewed Mike Hibbett, the new main-coder of MenuetOS for the German online-magazine LowLevel. The interview will be released in issue #6!
02.08.2004: That weekend I met PhileT0ast3r/rRlf with his girlfriend (3 days), Disk0rdia/rRlf (very short), dr.g0nZo/rRlf with his girlfriend (short) and DiA/rRlf (some hours) in real life. It was totally funny, and I was most time very drunk as we started our days with a 80% KORN! ;-)
18.07.2004: Today, while checking out KAV's site I had to look twice: 29a has finished three great new proof-of-concept viruses: Win64.Rugrat.a by roy g biv, Worm.SymbOS.Cabir.a by vallez and WinCE.Duts.a by Ratter! Damn, these guys are great and I'm looking forward to 31.12.2004/1.1.2005 for 29a#8!
16.07.2004: I'm sorry to bother you again today ;-), but I've a news: John Biggs released a book and I was interviewed for that. In the book there is also a screen-shot of my BWG and the full code of PHP.RainBow with a nice explanation. It's about all kinds of the underground (hackers, crackers, phreakers, virus writers, spammers, ...)
16.07.2004: I added some links to AV reports of my viruses and changed some links. Currently I'm working on a real new Menuet-virus, which will be good I think ;-)! About rRlf-page: It's not updated for more than two months, but don't worry: Philie is still alive, he's just damn busy!
29.06.2004: Finally, today I finished my latest article: MenuetOS infection. As it's a very long and detailed article, I'm very proud that I could show it to you soon. This article will also be released in rRlf#5. Another thing: KAV released a new update, and in it a virus called 'Menuet.Xymo.a'. I really hope that you will write a report about it. :-) My next project is, of course find some other secrets in that OS. That means: much work again.
24.06.2004: Again today: As I thought that I should release the executable of my new virus, I did it (in 'project'-subsite)... Source will follow in rRlf#5!
24.06.2004: A big news: I finished my MenuetOS virus, which is the world's very first one, and it's called Menuet.Oxymoron. I sent the executable to some AV-researchers, and the source will be released in rRlf#5. Now I start to write an article about MenuetOS viruses. News about that will come soon...
07.06.2004: Today I found something really interesting while searching with google: www2.coderz.net is still/again available. That means, that also some VX-homepages are available. :-) Now I want to say sorry not updating my page recently, but I haven't finished anything new, but nearly... Just wait for rRlf#5! And last thing: You can contribute to 29a#8 now, just contact VirusBuster!
20.05.2004: Being a little bit scared about Van Helsing, I got my old host. Today I read a very strange article about him, telling that he could be a very bad guy :D.
19.05.2004: Maybe you have already found out: I have a new Host... Van Helsing hosts me for about one week and everything works great so far. Much thanks, guy.
28.04.2004: DvL released Batch Zone #5, and therefore I added an article called 'Past, Present and Future of Batch' and uploaded BatXP.Nihilist, which is the first Batch EPO virus.
22.04.2004: Today's night I found a great WinXP command. It's called lsadump2.exe. Inputting that filename to cmd.exe, you will get some strange values, which I haven't found out what they are. But one of these values is the Password of the Local User. I have tested it on Windows XP Home Edition with FAT32 and it works. It doesn't work on NTFS-formatted hard disk, and it also doesn't exist on WinXP Professional. Anyways, it is really great, and I have already collected seven Passwords so far :-)
19.04.2004: I changed my web-host now, because geocities.com sucks! Much thanks goes to bigsitecity.com! I hope this one is ok now!
16.04.2004: I had some problems with my host, but it seems everything is ok again. I haven't finished upload the site so far, but I'll do it as soon as possible.
12.04.2004: GoodWeekend, The Sydney Morning Herald Magazine's weekend special released Clive Thompson's article again, and I'm on the cover of it. Beside of media-shit I improved the site: I rewrote links-sub-site, and now every link works and I added some other links and I added information about a finished virus at sub-site 'projects'.
28.03.2004: Two days ago an article in the German weekly magazine "Die Zeit" called "Infiziert" by Sabine Magerl came out. The Article is mainly about PhileT0ast3r and me, and there are also pictures in it. You can find the article here. And last week there was a translated and shortened version of Clive Thompson's virus article in the German weekly magazine "WeltWoche".
19.03.2004: It's my birthday today and I'm 2 years in the virus-writing scene. Many things happened the last year.... I wanted to upload a gift for you (Cipher Text Generator), but I wasn't able to finish it. So you have to wait some days/weeks...
09.03.2004: I have a new email address: [email protected]. Every mail you sent last few days, please send it again, because the old one didn't work.
07.03.2004: I uploaded a picture of myself, because the other one sucked :-). You can find it in sub-site 'contact'...
04.03.2004: As KAV still don't detect my JS.Cassandra.b and Alexander Gostev (a KAV researcher) making jokes about it, I decided to upload a collection of different generations of the virus. You can find it here. I'm still discovering the MenuetOS Kernel and I've already found some very interesting things. You just have to wait some time...
01.03.2004: 29A issue #7 came out and with it an article by me called 'PHP Virus Writing Guide'. So I added this article. In the eZine there is a letter by Benny, who wrote that he leaves the virus-writing scene due to some reasons. One of the reasons is darkman's (a.k.a. johnlw) behavior in IRC #virus. He banned several people who are in the New York Times Magazine article like Benny, Vorgon, PhileT0ast3r and me. I don't want to write my opinion of that act here. Another news: vx.netlux.org is up again, but as it seems, no more a host for VX sites.
26.02.2004: I added JSG 1.16, because KAV added a very lame detection routine, so I also encrypted the standard code and fixed 8 bugs. To Alex: Try to work more on the Crypt.JSG, not on a standard-detection because I can change the standard-code every time, and you can't rest in peace! :-)
18.02.2004: I found my source of JSG again, and so I finished the latest version and released it: Added dIRC/Xircon- Hard ay/Xircon - (More) Silence Way spreading, Added an extern encryption and improved the standard encryption very much. And Batch Zone #4 is released.
17.02.2004: Gigabyte was arrested due to the fact, that she is virus writer. Now also coderz.net is down, which was a host for about 20 virus writer's homepages. Read the full article here. And now something much better: 29A magazine #7 will be released at 28th february 2004! And FormatC magazine #1 will be released at the beginning of March 2004. Let's hope that they will be good :-)
08.02.2004: Today The New York Times Magazine released an article by Clive Thompson called 'The Virus Underground'. It's really interesting, so go and read it. (I also became interviewed for the article in real life)
03.02.2004: KAV improved the detection of PHP.RainBow. Now they detect ~68%. Sorry, but that's not really enough. :-) JS.Cassandra.a/b are still nearly undetected (that means up to generation 3 there is nothing detected). Damn, what's up with you KAV? Well, you really increased the PHP.RainBow detection with 1200%, but that's still not enough. And JS.Cassandra.a/b are more or less undetected (for a few months)...
26.01.2004: Added the second version of JS.Cassandra, which is definitely my last script-virus. Well, JS.Cassandra.b is a 5-times polymorph, sometimes encrypt and very complex JS-virus. I wish the AVs much fun with detecting this virus! :-)
14.01.2004: I added a new article I made last 2 months. Its name is 'New IRC spreading' and it's about 2 new IRC-programs, which you can use to spread your worms.
13.01.2004: I removed the news from the year 2003. Now you can see them in the archive, where you can also find a short resume of that year.
06.01.2004: New year begins with a very good news: It seems, some vx-people are still very interested. First thing is, that a group called BlackGate have a forum where everybody can discuss about VX related topics and new techniques and whatever. Second cool thing is, that formatC (a group founded by Knowdeth) has a homepage and also hosts VX-sites. They also want to release a eZine with old 16-bit asm stuff (Back to the roots!). Well, let's hope that you can read more good news soon. Another thing: I added a motto at my homepage. Even this sentence is very old (middle of 70s), it's very good for our time: "Let the bells of freedom ring!" (Magician's Birthday by Uriah Heep)...
24.12.2003: Well, Kaspersky worked hard and tried to detect my viruses. Result of the hard work: JS.Cassandra (1.300 Files tested): 2nd Generation-Detection: ~5,8% | 3rd Generation-Detection: ~0%, PHP.RainBow (100 Files tested): 2nd Generation-Detection: ~5%! :D Well, I hope they haven't stopped to work on these problems.
23.12.2003: AArrrggghh... I hate christmas! Why I tell you this? well, just for fun :-)! OK, a little news: I met Arzy in real life at 20th december and another guy, but so far I won't tell you who it is. You will see in January 2004 :-).
11.12.2003: Added a small article about a problem with WindowsXP's NotePad (Microsoft Editor Version 5.1).
06.12.2003: As I said, rRlf#4 is out since today. Therefore I uploaded five viruses (PHP.RainBow, JS.Cassandra, JS.Sinope, BatXP.Palindrom.b, HTML.Umbriel) and 4 articles (Exotic Morphing Techniques In JavaScript, Polymorphism in JavaScript, Cross Infection in JavaScript, Useful things in JavaScript). Well, these are the things I did last few months. I hope you like it!
01.12.2003: Well, I've a news for you: rRlf #4 will be released at 6.12.2003 if everything works as it should work. I've already seen a member pre-view version and it's cool. OK, I also uploaded a new pic by me, since the other one is about 1 year old and now i'm looking little different (of course: I have long hairs now :D).
20.11.2003: BATch Zone #3 is out since today, and available here. Therefore I also uploaded a virus called BAT.Lorelei.
16.11.2003: Maybe you know it, but vx.netlux.org is down. I wrote some mails to herm1t, but haven't got an answer (so far??). Therefore I have a new host. I hope, herm1t's page will be up again, since he's one of the few sites, who's hosting vx-related stuff.
17.10.2003: From Vorgon's site: "IKX Xine #6 in the works! Its been a long time since we released our last xine, but now were pulling together to release the best issue yet. Were looking for contributions from experienced vxers. Show us your lastest virii, worms, tuts and articles. Send all contributions to: [email protected].". Hope you have success :-)
05.10.2003: OK, Whackerz ezine #1 is out, and because of PakBrain's problems with his host, available here. Go and get it!
01.10.2003: First I want to say sorry for the long time of no news. OK, let's start: I found out, that KAV isn't able to detect the overwriter generated by my 'Simple Win32ASM Overwriter Generator', which I uploaded 3 month ago, and they also don't detect any output of my 'Random Silly Batch Generator', which became released 2,5 month ago. Seems they gave up the game... :D! Something else: rRlf#4 will be out soon, so if you want to contribute something useful go and drop phileT0ast3r a mail. Maybe you wonder, why I haven't uploaded anything recently, but my things will be released in zines, and these zines aren't out so far, as you may know. OK, what I'm doing now: I'm working on some cool JavaScript techniques and on some ideas jackie gave me. Thanks again! :-)
09.09.2003: As you know, I had to pass two exams these days, I have the results: I passed both, and now I'm really back, less quantity but more quality! :-) OK, I also uploaded an email by a TV security specialist, who tried to explain, why we talked shit. If you're bored, read it! It's a German text.
06.09.2003: A pure VX news again (I hope, somebody likes to read that, if not: mail me :D ): CoKe, member of the old and well-known VX group VLAD (dead), came back to the VX-scene again after a 8-year-pause. He said, that he wants to write viruses again and maybe reactivate VLAD again! Anyway, I wish you much success with your future projects!
05.09.2003: A pure VX news today: Yesterday I had a talk with Knowdeth, and it seems like Metaphase is dead, because most of the members were really lazy. And as you know, they wanted to release Metaphase#3, the zine will probably never be released. But now some guys reactivated SLAM virus group, with new members (CyberYoda, veedee, Jackie, Lys Kovick and Knowdeth [hope I didn't forget anybody]), and they want to release SLAM#5. To contribute the zine, give CyberYoda a mail, due he's the editor.
16.08.2003: I didn't upload anything this time, but I have a great news: AlcoPaul is back in the scene, and because of that, Brigada Ocho is also back! Now they are planning Brigada Ocho Zine #3. If you want to contribute, write an e-mail. Also DvL wants to release the BATch zine #3. If you want to contribute him any batch stuff, drop him a mail. Now about my site: I added some project-infos.
20.07.2003: Marcos Velasco made a program called 'Anti-BAT', and I guess it's the very best Batch detection tool ever. You will find the program here.
17.07.2003: DvL released his BATch Zine #2. It contains one generator named 'Random Silly Batch Generator' and the 'Bat|BatXP.Iaafe', which I did together with philet0ast3r. Because of that I also uploaded these things at my homepage.
02.07.2003: There is a big problem, and I think, you should know it: I missed two subjects in school and I have to learn in holidays (next nine weeks). Maybe I'll do nothing next time. If I'll pass the exams in September, I'll be back, else it could be that I'll be away forever. Chance is 50/50! I hope, that you understand my opinion. Let's see, what future brings.
30.06.2003: I added the 'Simple Win32ASM Overwriter Generator'. Philet0ast3r and me thought, that it should not be in rRlf #4. Anybody sent the beta-version of the tool to KAV, but this is the real version. Currently the viruses aren't detected (and I hope, they will not be detected for long time :p). Something else: I deleted most of my viruses at the page just because of one reason: they are lame. In future I'll just upload viruses with some special features.
14.06.2003: In the Virus Bulletin of June 2003 is an article about one of my BWG-worms. The reason is, that this BAT.BWG.a@mm use the EICAR-file to avoid AV detection, and it seems, much AVs have problems with that. Therefore the definition of the EICAR-testfile became changed. I think, that's one of the biggest success of a batch-malware ever :-). More infos here. Special Thanks goes once more to Doctor Rave for giving me the idea.
09.06.2003: Yesterday DvL released his zine. Download it here. Because of that I added my second Interview, the Batch Encrypter 2.0 and one Batch Article. Something else: About 1h ago Philet0ast3r and Disk0rdia left. It was a genial time :-)
08.06.2003: Yesterday PhileT0ast3r and Disk0rdia arrived at my house! wow, i was so drunken and stoned yesterday. Because of that don't wait for some breaking new things from me in the next days :-)
26.05.2003: DvL wants to release a Batch-only zine. If you want to contribute, please write him a mail.
25.05.2003: Added Batch Encrypter version 1.3. (Added trash including).
25.05.2003: I finished the changes at site "viriis", "projects" and "programs". Now there are (better) explanation of the things.
19.05.2003: Today I got a mail by Kefi telling me, that a person named SevenC ripped my whole BWG! He hasn't changed anything in the code, just the infos are changed. Also KAV detect it as Constructor.BAT.BWG.501, and the output is detect as I-Worm.BWG.d. You will find it here. Thanks lamer!
14.05.2003: Maybe you saw it: I removed sub-site "bombs" and added "projects". Here you'll find all no released or not finished viruses.
11.05.2003: coderz.net#3 is out, and there are some things from me. I also uploaded them at my page: "How To Crypt JavaScript" and "Polymorphism in BatXP".
22.04.2003: I fixed a totally silly and little bug in the JSG 1.14: Uploaded the JavaScriptGenerator 1.14 (fixed)
21.04.2003: I added a new JavaScriptGenerator: version 1.14: It's able to overwrite the autorun.inf, deleting AV programs and better encryption.
21.04.2003: Maybe you want it, maybe not: The password of the old JavaScript-Generator sources. It's dnoces !
11.04.2003: JavaScriptGenerator 1.13: I made the whole fake-variable parts new, and now they are much more variable, I think. And as you can see, I didn't add any new feature. If you know something useful to add in next version, please send me an eMail! Much Thanks!!
10.04.2003: Uploaded JSG 1.12! No new features, just killed KAV alarm! But you can expect something new in the next version!
06.04.2003: I made a new Win32 asm virus: Win32.Supertoys. It's another overwriter, which infects EXE, PIF, SCR, BAT, CMD and COM files!
05.04.2003: rRlf makes a contest (A polymorphic Bat and BatXP virus with 5.5KB). More information here .
05.04.2003: Added the binary of Win32.Mood because I got about 15 mail asking for the Binary!
03.04.2003: Uploaded the JavaScript Generator version 1.11. Killed the "JS.Spthgen" by KAV. It was very easy, because the detection routine is very lame. I hope, they will work harder this days. Otherwise I've to think, that they loose the game "JSG versus KAV"! ;-)
01.04.2003: Added a Win32asm Virus: Win32.Mood <-- Infecting EXE by overwriting, hooks BAT, CMD, JS, VBS and HTM
27.03.2003: I uploaded another polymorphic BatXP virus: BatXP.Palindrom! It's changing its encryption variables. And with this virus I'm leaving the land of batch-malware!
19.03.2003: Today I've birthday: I'm 16! ;-) An other thing: I have been one full year in scene. Now: Let's have a party...
17.03.2003: I uploaded my very first Win32 ASM virus: Win32.Reiop (@austrian visitors: read it from behind :D )
16.03.2003: Uploaded a new JS worm: JS.NeptunMoon. You will find more information in the code.
09.03.2003: JSG version 1.10: Added HTM-dropping and improved other things.
04.03.2003: JavaScript Generator version 1.09 added fake variables and return to the start-vars and mixed up the letter variables.
02.03.2003: A new version of JavaScript-Generator is uploaded: version 1.08!
27.02.2003: I added a string-encrypter. You can use it to encrypt your secret messages. Don't know, if it has some sense, but I think, it's cool ;-)
27.02.2003: KAV detected the viriis from JSG! now it's a much better encryption: JSG 1.07
24.02.2003: You can see a link above. I think, the name says everything! Please look at it!
23.02.2003: JS-Generator v 1.06: Added 2 new P2P spreading ways. JSG1.06 is the first program which infects these 2 programs!! Have Fun!
22.02.2003: I uninstalled FrontPage and wrote the whole HomePage new. Only with Notepad! ;-) It's really cool!
21.02.2003: JSG 1.05 is released. The worms are able to copy itself to all start-ups, not just german and english one. It can write a registry-key! and u can choose, when using eMail-spreading, that the worm shall make a crypt vbs-file to spread with it.
19.02.2003: KAV detect the virus "I-Worm.Spth.Jsg.c". It's a worm of my JSG! But, I can't find it :-(! If you have it, pls send it to me. I'm going to send the first ppl the Constructor.BAT.Mchit.10 and Constructor.BAT.Mchit.21! These are 2 no released old VCKs. Just for collectors ;-) OK, pls search for it! thx!
16.02.2003: Perhaps you can remember the Batch Worm Generator. A program, generating Batch worms and viriis! This program has a new version! ;-) OK: Batch Worm Generator 5.03 is uploaded! Also the source of it!
16.02.2003: I uploaded the new version of the Batch Encrypter, which I'm coding since Tim Strazzere have no time. Some new things. I hope, you like it
15.02.2003: I uploaded a virus, which works as batch-file and as JS-file. The name is BAT|JS.Charon! I think it's cool! ;-)
14.02.2003: JavaScriptGenerator 1.04: Fixed 34 bugs! But now, everything should work, because I've tested them! But, if you find one, pls send me a mail! Thank you!
12.02.2003: JSG 1.03: Added VBS dropping, much better encryption, nearly every string is encrypt, fixed a bug in vIRC
12.02.2003: I deleted the "news" from the year 2002. You'll find them in the archive (and you'll find a short resume of that year too).
10.02.2003: JavaScriptGenerator 1.02: Fixed a bug in the P2Ps, added 3 new P2Ps and started to crypt the thing.
04.02.2003: The rRlf #3 zine is released! Download it from here. Also new programs from me like "Special Format Generator v2.0"...
04.02.2003: Added the new version of the JSG: version 1.01! Included PIF file dropping, fixed 2 bugs and all variables and file names are randomize!
02.02.2003: Uploaded JSG1.00! Now it's coded with Visual Basic! ;-) No more (DOS) QBasic! Sorry, that I haven't uploaded something earlier, but I was too busy. And I'm also learning Win32 ASM! A Win32 ASM virus will be released in the next 2 or 3 weeks [It doesn't work yet :-( ]!
22.01.2003: I'm hosted by vx.netlux.org. Big Thanks goes to herm1t! ;-)
22.01.2003: I stop to trade viruses because of two reasons: First, I waste too much time while uploading and downloading, searching for viruses. Second, my Mail-Account allows just 1,5MB, and I get every day about 5MB stuff, so the important eMails can't be sent to me. Sorry about it!
18.01.2003: JavaScript Generator 0.07: It's released ;-) I added BAT and CMD file dropping
15.01.2003: My provider is active again ;-) yeah... if there was an error while this 3 days, pls send me your mail again. very thank ya!
14.01.2003: My eMail host is down since 12.01.2003! So i can't send eMails to somebody and i also can't get any mails. Sorry about it!
12.01.2003: Uploaded 8 very silly BatXP virus Samples. It's just for showing some things in BatXP
12.01.2003: Uploaded JSG 0.06: Added LNK-dropping, fixed a bug and made the P2P codes better.
09.01.2003: http://eikcaj.host.sk/files/copycat.txt: I deleted the "Perfect I-Worm via JS" article, because I forgot to thank jackie and bumblebee for their JS-viriis, and now, jackie is very angry :-(!!!! Once again: it really was not my intention to steal anything from anyone. I just want to get along well with everyone ;-)
08.01.2003: Bug fixed, the code is much better: JavaScriptGenerator 0.05
07.01.2003: Uploaded the 4th version of the JavaScriptGenerator: JSG 0.04!
06.01.2003: I added my Virus-Log file! I think I'll update it every day.
06.01.2003: I uploaded my very first ASM virus. pls don't laugh about it, it's my first one.
01.01.2003: The next version of my JSG --> version 0.03!
30.12.2002: Uploaded the new version of the JSG: JavaScript Generator 0.02! ;-)
28.12.2002: I made a new Constructor: JavaScript Generator 0.01! I'll made this program at least as good as my BWG! ;-)
26.12.2002: AV name from BatXP.Name -> BAT.Spth.Name :-( they didn't gave BatXP viriis an other name!!!
24.12.2002: I uploaded a silly BatXP virus, because I wanna know, how AVs name this sort of viruses... Look in some days and I'll add the AV name! I think, they won't name it BAT, because BAT works only with command.com!
13.12.2002: Batch Worm Generator 5.02: Fixed 3 Bugs, killed a KAV heuristic alarm and changed the code if you don't choose poly. I'll change the whole poly-engine in one of the next versions. The result should be that the engine is smaller, better and totally batch (no more VBS). ;-)
07.12.2002: Uploaded an encrypted VBS-IRC spreader: VBS.CryptPirch! I hope you'll like it!
07.12.2002: Added a photo of myself ;-) You can find it here
06.12.2002: Changed the HTML.Multi-virus. I found a really silly bug: I wrote ( if { $nick!=$me} {halt} ), so the virus wouldn't spread to any other ppl besides the infected user... Sorry, but I was really confused last time ;-)
22.11.2002: Uploaded a BatXP-Virus. Perhaps you don't know that WinXP uses another DOS than Win95/95/00 Home. The virus, named BatXP.Saturn, spreads via infecting files and mIRC. It's encrypted with special characters and polymorphic without any script language. Only Batch XP. ;-) I hope you'll like it.
18.11.2002: Added an HTML mIRC spreader, using VBS and JS: HTML.Multi
18.11.2002: Changed the false Perl.Nirvana link. Now you can download it!
15.11.2002: Uploaded my first Perl virus: Perl.Nirvana
12.11.2002: Added a VBS Tutorial: The Perfect Internet Worm via VisualBasicScript
11.11.2002: Uploaded a program which generates crypted Batch-Formater and its source. I think it's really perfectly crypted ;-)
06.11.2002: Added a JS tutorial: The Perfect Internet Worm via JavaScript
01.11.2002: Yeahhh... I succeeded! KAV is not able to detect my viruses in the right way. They detect a definitions-name, not the payload function <-- seen in Trojan.BAT.FormatCQU.j ;-) I'm sure I'll make a program using these techniques, so no AV will detect these viruses...
27.10.2002: Added the second version of the SpecialCharacters-Trojan...
20.10.2002: Uploaded a new article: Special Character List for Batch Encryption
20.10.2002: Added a new virus: Only a FormatC Trojan, but a fuckin' good encryption ;-)
18.10.2002: Joined rRlf, a German virus group...
18.10.2002: Uploaded BAT.Snake.i <-- crypted with Tim Strazzere's Batch Encrypt Version 1.1
13.10.2002: Uploaded Setman 7.0: Killed I-Worm.BWG.d
13.10.2002: Added BAT.Snake.h <-- more variable... +fg+
09.10.2002: Today I left eBCVG because of some special reasons. Good luck and best greets to Dr.T and the rest of the eBCVG staff...
09.10.2002: Changed links... Added Thanks and Greets
08.10.2002: Added Setman 6.0: Fixed 2 bugs and killed I-Worm.BWG.d
06.10.2002: Uploaded my latest article: "Undetelateable direction via Batch, VBS and JS"
06.10.2002: Uploaded BAT.Snake.g <-- crypted with Tim Strazzere's Batch Encrypt Version 1
30.09.2002: Added a new article: Perfect Internet Worm via batch v2.0
29.09.2002: Batch Worm Generator 5.01: Killed I-Worm.BWG.f and Trojan.BAT.KillAV.h
29.09.2002: Setman 5.0: Killed I-Worm.BWG.d and fixed a silly bug
28.09.2002: Uploaded BAT.Snake.f
27.09.2002: Uploaded my first Win32-Malware: Trojan.Win32.Spitfire
25.09.2002: Added Batch Worm Generator 5.00!!!
25.09.2002: Added articles...
15.09.2002: Added my first JavaScript Virus...
10.09.2002: Batch Worm Generator 4.11 is uploaded...
08.09.2002: Changed links: Added some virii-groups and deleted authors (sorry, but it's impossible to write the name of every Coder)
05.09.2002: BAT.Snake.e is uploaded <-- little changes: KAV doesn't detect it yet
02.09.2002: Batch Worm Generator 4.10 is uploaded
01.09.2002: Uploaded Batch Trojan Generator 0.07: Killed Trojan.BAT.FormatCQU.f
01.09.2002: Uploaded Setman 4.0: Killed I-Worm.BWG.d
01.09.2002: BAT.Snake.d is uploaded <-- very nice encryption ;-)
25.08.2002: Uploaded BAT.Metamorph <-- It's the first metamorph batch virus
19.08.2002: New sub-site: virii
13.08.2002: Killed I-Worm.BWG.d <- Batch Worm Generator 4.09
11.08.2002: Batch Worm Generator 4.08: Fixed 2 bugs and killed 7 different viruses.
10.08.2002: Batch Trojan Generator 0.06: Killed Trojan.BAT.FormatCQU.f and Trojan.BAT.FormatCQ.o
10.08.2002: Uploaded a very silly Trojan.BAT.Looper - Generator: Looper Generator 1.0
10.08.2002: Setman 3.0 uploaded: Killed I-Worm.BWG.d
09.08.2002: KAZAA spreading and bug fixed: Batch Worm Generator 4.07
08.08.2002: Batch Trojan Generator 0.05: Fixed 16 bugs and killed Trojan.BAT.FormatCQU.f
08.08.2002: Batch Worm Generator 4.06: Choosing if polymorph and killed I-Worm.BWG.f
26.07.2002: I uploaded the Batch Trojan Generator 0.04: win.ini start and killed KAV's Trojan.BAT.BTG
26.07.2002: My Host doesn't like my HomePage! Because of that they deleted my Site and it was down!
18.07.2002: Batch Worm Generator 4.05: It's harder to del the worm from the system.
11.07.2002: Uploaded two versions of a silly Internet-worm Generator: Setman 1.0 and Setman 2.0
07.07.2002: Send Mail 2.00 is uploaded.
06.07.2002: Batch Trojan Generator 0.03 is uploaded.
05.07.2002: Added an Anti AV technique! Batch Worm Generator 4.04!
02.07.2002: Killed I-Worm.BWG.c and I-Worm.BWG.f! Fixed a bug and replaced the AV-Killing part: BWG 4.03!
27.06.2002: Batch Worm Generator 4.02: Fixed 4 bugs and killed KAV virus I-Worm.BWG.f!
21.06.2002: Fixed 13 silly bugs! BWG 4.01
21.06.2002: The first really polymorph BATCH WORM GENERATOR: version 4.00
16.06.2002: Batch Worm Generator 3.02 uploaded!
10.06.2002: Version 3.01 from Batch Worm Generator!!!
10.06.2002: Batch Trojan Generator 0.02: Added file overwriting
10.06.2002: SendSMS 2.0 uploaded (german): fixed bugs!
07.06.2002: New program: Batch Trojan Generator 0.01 -> totally random!
06.06.2002: Killed a Norton AV virus, made VBS, REG and LNK dropping random: Batch Worm Generator 2.09
06.06.2002: Deleted some dead links and added some new...
02.06.2002: Added .PIF and .LNK dropping
31.05.2002: BWG 2.07: Added VBS file dropping, and the BWG-Worms are harder to detect
25.05.2002: Virc spreading, REG file dropping, more AV programs to delete... BWG 2.06
22.05.2002: A lot of work, but I think it's good: Batch Worm Generator 2.05
18.05.2002: A really very random BWG: 2.04
13.05.2002: A new BWG is uploaded: version 2.03
05.05.2002: Batch Worm Generator 2.02 uploaded...
27.04.2002: KAV doesn't detect any worm: Batch Worm Generator 2.01
16.04.2002: Fixed five bugs! BWG 1.11
14.04.2002: Random file names and fixed two major bugs: BWG 1.10
13.04.2002: Autoupdate function and I-Worm.Pics killed: BWG 1.09
11.04.2002: A very random BWG is uploaded: BWG 1.08
09.04.2002: The new BWG is uploaded: version 1.07
09.04.2002: Send SMS 1.0 uploaded! (german)
07.04.2002: The best BWG ever is uploaded! *fg* Version 1.06!
06.04.2002: BWG 1.05 uploaded (english)! It tricks the KAV heuristic!! ;-)
04.04.2002: BWG 1.04 uploaded (english)
30.03.2002: BWG 1.03 uploaded (english)
26.03.2002: BWG 1.02 uploaded (english)
24.03.2002: English version of BWG 0.05 uploaded, german and english version of BWG 1.01 uploaded
23.03.2002: SendMail 1.00 uploaded (bombs), made the whole site
22.03.2002: BWG version 0.05 (german) uploaded
15.03.2002: BWG version 0.01 uploaded