Old 2017-08-14, 17:17   #1
LaurV
Romulan Interpreter
 
Jun 2011
Thailand

2×3×31×47 Posts
Computer viruses, anyone?

This blog post is related to this discussion here, about computer viruses.

We love them.

They are incipient intelligence.

When we were bacteria, millions of years ago, we were as mean to the other bacteria around us as computer viruses are to other programs.

But today we are people... We go to high schools and universities...

We had our graduation papers about computer viruses and data protection. We were one of the first in the world to disassemble the One-Half virus and make an antivirus for it, able to take it out completely and decrypt the encrypted sectors of the HDD, at a time when none of the antivirus programs were able to even spot it. Even now, if you google One Half, the virus databases on the web will tell you that the encryption cannot be decrypted if you lose the keys (i.e. remove the virus before recovering the keys and the data). Which is false. I may be the only guy in the world knowing how to decrypt One Half encrypted disk sectors without the decryption keys... hehe... it is good to be unique in being able to do something futile... (no infections anymore, what a pity...)

At that time, for example, F-Prot was in its very incipient phase, there was nothing like F-Secure yet (it appeared after) and McAfee was just based on a list of signatures, which was distributed as a separate file, in clear text, with hex signatures, one per line. There were some attempts to identify and remove viruses made by morphing machines (like Neuroquila and Tremor), but the detection results of the "best antivirus programs" of the day for "true polymorphic" viruses were extremely scarce and disappointing...

At the university, we were using McAfee to forbid students from playing games like Prince of Persia and PacMan in the labs. I mean, we were adding the respective exe "signatures" of "unwanted programs" to McAfee's list of signatures, so the respective programs were identified as viruses and not allowed to run. "Your floppy disk is infected with PacMan virus, please notify the operator" (that was me, and a few other "good students" in the final years, working as operators/demonstrators at the labs). A lot of fun, but completely useless for detecting the new polymorphic viruses.

BTW, re Tremor, this was one of the first morphing viruses distributed "officially", in a TV transmission, and here there is a very nice story: after reading about it, we tried to locate Tremor for years, and ended up in ~1997 (this is years after graduation) paying about 10 dollars for the sources, in spite of the extremely large spread this virus had. The only virus in our collection (see below) for which we paid real money, haha.

All the tools, algorithms, theory, were included in the paper we presented, which was marked with high distinction at the time. Over 150 pages of assembler code, algorithms, theory, formulas, computability theory (algorithms that can reproduce their history, kinda clever Turing machines, blah blah...)

This stuff here has a little bit of our contribution in it too. Antiviruses to detect polymorphic monsters... Now you are talking! At the time, Fred Cohen, Fridrik Skulason, and Mikko Hypponen were our idols. We bought the books of the first, had some correspondence with the others... Mr. Skulason offered us a job in Iceland in 2000, but what a pity, we had already been in Thailand for a few months and we were reticent to move again before recovering the money we spent moving here... We were also a bit scared of Reykjavik, cold and ice... About the need to buy boots and gloves... Here the life is easy, all year in the same t-shirt and slippers... hehe.... Well... Sometimes we think that was our second biggest mistake in our life, not taking that job...

Whatever... We have a collection of over 3000 (three thousand) families of viruses, starting with the classics, like Jerusalem, etc., mostly disassembled and commented, etc. (much of it our work, but not all; we also "exchanged" them with our colleagues when we were students, and with our students later, when we were working there as a professor assistant, you know, like kids exchanging stamps or napkins...). Mind that we said "families", not individuals; a family has between 1 (one) and a few hundred members. Few families of viruses are really large.

We still have a copy of this collection on 1.44M, 3.5'' floppy disks, somewhere in Ro (hope they are still alive). Here we have to keep them in encrypted zip files, to avoid them being accidentally removed by the antiviruses we have on the computer nowadays.

We use a special OS image under VirtualBox, which is antivirus-free, when we want to play with them. We don't yet know of a virus clever enough to cross the VB boundary, from the guest OS into the host.

We were (and are) members and eager followers of the Virus Bulletin site (even from when they didn't have their own domain and were living inside vbtn.com, which is now for sale), always picking our antivirus programs from those passing VB100 there. We were friendly with NOD32 for a while, until they raised their prices in spite of dropping in those graphs...

While we were teaching the labs of "operating systems" as a professor assistant at our university, before our Asian adventures, our professor, who came occasionally to check on what we were doing in class, wondered how come the class was full, when at his lecture only a third of the students used to attend. We were always answering "because attendance at the lecture is not mandatory, but at the lab it is"... The reality was that the students cared about my labs the same as they cared about the lectures, and attendance was not higher at the labs... Assembler for x86 was boring... Until I started to teach them to make viruses. If the professor had counted the students, he would have been surprised, because there were more than were supposed to be in the whole year: a few were coming from the higher years too.


There are many things to say about...

Last fiddled with by LaurV on 2017-08-14 at 18:39
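An added example, not code from the post or from McAfee: a minimal scanner for the kind of clear-text hex signature list the first post describes, where one line per signature was appended to flag "unwanted programs" like PacMan. The list format, the signature names and every byte value here are constructed assumptions. The last part shows why such a byte-exact list is useless against a body whose encoding changes from copy to copy, which is the polymorphic case the post says those lists could not handle.

```python
import re

# Constructed clear-text signature list: "name hexbytes", one per line.
# The file format is an assumption, not McAfee's real one. "PacMan" stands in
# for the "unwanted program" signatures the lab operators added to the list.
SIGNATURE_LIST = """
# name       hex bytes (whitespace inside the hex is ignored)
DemoVirus    73 55 4D 73 44 6F 73
PacMan       50 41 43 4D 41 4E 21 00
"""

def parse_signatures(text):
    """Parse 'name hexbytes' lines into {name: bytes}; skip blanks and comments."""
    sigs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, hexpart = line.split(None, 1)
        hexpart = re.sub(r"\s+", "", hexpart)
        # Reject malformed entries instead of silently loading a broken signature.
        if len(hexpart) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexpart):
            raise ValueError(f"bad signature for {name}: {hexpart!r}")
        sigs[name] = bytes.fromhex(hexpart)
    return sigs

def scan(data, sigs):
    """Return [(name, offset), ...] for every signature found anywhere in data."""
    hits = []
    for name, sig in sigs.items():
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])

def xor_encode(body, key):
    """Crude stand-in for a per-copy encoding of the same body (constructed)."""
    return bytes(b ^ key for b in body)

# Constructed sample "executable": header, the PacMan marker, some padding.
PACMAN_IMAGE = b"MZ\x90\x00" + b"PACMAN!\x00" + b"\x00" * 8
# The same body under two different per-copy keys: byte-exact signatures miss both.
POLY_COPY_A = xor_encode(PACMAN_IMAGE, 0x5A)
POLY_COPY_B = xor_encode(PACMAN_IMAGE, 0xC3)

if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURE_LIST)
    for label, sample in [("plain", PACMAN_IMAGE), ("copy A", POLY_COPY_A), ("copy B", POLY_COPY_B)]:
        print(label, scan(sample, sigs))
```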
Old 2017-08-14, 18:08   #2
jwaltos
Apr 2012

34610 Posts

Any opinion on Fravia?


https://blogs.msdn.microsoft.com/mat...f-its-parents/


Interesting times.

Last fiddled with by jwaltos on 2017-08-14 at 18:27
Old 2017-08-14, 18:26   #3
LaurV
Romulan Interpreter
Jun 2011
Thailand

2·3·31·47 Posts

We had to google that.

Is it a virus or something?

If you talk about this guy, no, we didn't know about him. Which is a pity, he seems to be an extremely interesting person... Thanks for the tip. We will have to do more research.



1:30 AM here, we are half sleeping now... going to bed...

Last fiddled with by LaurV on 2017-08-14 at 18:27
Old 2017-08-14, 18:33   #4
jwaltos
Apr 2012

2×173 Posts

Yes, that was the fellow. I learned a lot from him and a few others.
All I can say is that there is work product and there is art. Those who can distinguish between the two have earned this sense of appreciation. G'nite and thanks for your post!

Last fiddled with by jwaltos on 2017-08-14 at 18:41 Reason: clarified nuanced meaning