[An excerpt from THE VIRUS CREATION LABS: A JOURNEY
INTO THE UNDERGROUND]

A PRIEST DEPLOYS HIS SATANIC MINIONS

Everyone knows the best virus writers hang out on
secret bulletin board systems, the bedroom bohemias
of the computer underground, right? Wrong. In
mid-1992, a 16-year-old hacker from San Diego who called
himself Little Loc signed on to the Prodigy on-line service
for his virus information needs. The experience was
not quite what he expected.

Prodigy had a reputation in 1992 as the on-line service
for middle-class Americans who could stand mind-roasting
amounts of retail advertising on their computer screens as
long as they had relatively free access to an almost
infinite number of public electronic mail forums devoted
to callers' hobbies. Since Prodigy's pricing scheme was
ridiculously cheap per hour, it was quite seductive for
callers to spend an hour or two a night sifting through
endless strings of messages just to engage in a little
cyberspace chit-chat.

Into this living-room atmosphere stepped Little Loc, logged
on as James Gentile, looking for anyone to talk with about
computer viruses, particularly
his idea of properly written computer viruses. Little
Loc, you see, had written a mutating virus which infected
most of the programs on a system dangerously quickly.
If you were using anti-virus software that didn't properly
recognize the virus - and at the time it was written none
did - the very process of looking for it on
a machine would spread it to every possible program on
a computer's hard disk. While many viruses were trivial
toys, Satan Bug, which is what Little Loc called his
program, was sophisticated enough to pose a real hazard.
The trouble was, Little Loc was dying to tell people
about Satan Bug. But he had no one to talk to who would
understand. That's where Prodigy came in.
Prodigy, thought Little Loc, must have some hacker
discussions, even if they were feeble, centered on viruses.
It was a quaintly naive assumption.

The Satan Bug was named after a Seventies telemovie starring
George Maharis, Anne Francis and a sinister Richard
Basehart in a race to find a planet-sterilizing super
virus stolen from a U.S. bio-warfare lab.
Little Loc had never actually seen the movie, but he'd
run across the name in a copy of TV Guide
and it sounded cool, so he used it for his digital
creation. Satan Bug was the second virus he had electronically
published. The first was named Fruitfly but it was a
slow, tame infector so the hacker didn't push it.

A bigger inspiration for Satan Bug was the work of the
Dark Avenger, the shadowy Bulgarian virus programmer whom
anti-virus software p.r. men and others had elevated to
the stature of world's greatest virus writer. Little Loc was fascinated
by the viruses attributed to Dark Avenger. The Dark Avenger
obviously knew how real computer viruses should be written,
thought Little Loc. None of his programs were like the silly
crap that composed most of the files stocked by the
computer underground. For example, his Eddie virus - also
known as Dark Avenger - had gained a reputation as a program to
be reckoned with. It pushed fast infection to a fine art,
using the very process anti-virus programs used to examine
files as an opportunity to corrupt them with its presence.
If someone suspected they had a virus, scanned for it and
Eddie was in memory but not detected, the anti-virus
software would be subverted, spreading Eddie to every
program on the disk in one sweep. Eddie would also
mangle a part of the machine's command shell when it jumped
into memory from an infected program.
When this happened, the command processor would reload
itself from the hard disk and promptly be infected, too.
This put the Eddie virus in total charge of the machine.
From that point on, every sixteen infections, the virus
would take a pot shot at a sector of the hard disk,
obliterating a small piece of data. If the data were
part of a never-used program, it could go unnoticed.
So as long as the Eddie virus was in command, the
user stood a good chance of having to deal with a slow,
creeping corruption of his programs and data.

Little Loc was a good student of the Dark Avenger's
programming and although he was completely self-taught,
he had more native ability than all of the other virus
programmers in the phalcon/SKISM and NuKE hacking groups.
"[Virus writing] was something to do besides blasting furballs
in Wing Commander," he said blithely when asked about
the origins of his career as a virtuoso virus writer.

Accordingly, the Satan Bug was just as fast an infector as
Eddie and it, too, would immediately go after
the command shell when launched into memory from
an infected program. But Satan Bug was very
cleverly encrypted, whereas Eddie was not,
and it extended these encryption tricks so that it
was cloaked in computer memory, a feature somewhat
unusual in computer viruses but popularized by another
program called The Whale which intrigued Little Loc.

The Whale was a German virus which - theoretically -
was the most complex of all computer viruses. It
was packed with code which was supposed to make it
stealthy -- invisible to certain anti-virus software
techniques. It was armored with anti-debugging code
and devilishly encrypted, designed purely to
flummox anti-virus software developers trying to examine it.
They would often mention it as an example of a super
stealth virus to mystified science and technology
writers looking for good copy. In practice, The
Whale was what one might call anti-stealth.
Although it was all the things mentioned and more,
when run on any machine, The Whale's processes
were so cumbersome the computer would be forced to
slow to a crawl. Indeed, it was a clever fellow who could
get The Whale to consent to infect even one program.

The Whale appeared to be purely an intellectual
challenge for programmers. It was intended to mesmerize
anti-virus software developers and suck them into
spending hours analyzing it. Little Loc, too, was
drawn to it. He pored over the German
language disassembly of The Whale's source code.
The hacker even made a version that wasn't encrypted,
pulling out the code which The Whale used to generate
its score of mutant variations. It didn't help. The
Whale, even when disassembled, was loath to let go of
its secrets and remained a slow, obstinately
uninfective puzzle.

Have you gotten the idea that Prodigy callers might
not be the perfect choice as an audience to
appreciate Little Loc's Satan Bug?

Nevertheless, Little Loc landed on Prodigy with a thud.
He described the Satan Bug and invited anyone who
was interested to pick up a copy of its source code at
a bulletin board system where he'd stashed it. Immediately,
the hacker got into a rhubarb with a Prodigy member named
Henri Delger. Delger was, for want of a better description,
the Prodigy network's unpaid computer virus help desk
manager. Every night, Delger would log on and look for
the messages of users who had questions about computer
viruses. If they just wanted general information, Delger
would supply it. If they had some kind of computer glitch
which they thought might be a virus, Delger would hold their
hand until they calmed down, and then tell them what to
do. And, for the few who had computer virus infections,
Delger would try to identify the virus and recommend
software, usually McAfee Associates' SCAN, which would
remedy the problem.

Little Loc was annoyed by Delger, who he thought was merely
a shill for McAfee Associates. Since Delger
answered so many questions on Prodigy, he had a set of
canned answers which he would employ to make the workload
lighter. The canned answers tended to antagonize Little Loc
and other younger callers who fancied themselves hackers, too.
Prodigy's liberal demo account policy allowed some of
these young callers to get access to the network under
assumed names like "Orion Rogue." This allowed them to be
rude and truculent, at least for a few days, to paying
Prodigy customers. These techno-popinjays, of course,
immediately sided with Little Loc, which didn't do much for
the virus programmer's credibility.

There was often quite a bit of talk about viruses and Delger
would supply much of the information, typing up brief
summaries of virus effects embroidered with his own
experiences analyzing viruses. "You're not a
programmer!" Little Loc would storm at Delger.
If you weren't a programmer, you couldn't understand viruses,
insisted the author of Satan Bug. Little Loc would correct
minor technical errors Delger made when describing the
programs. In retaliation, Delger would calmly point out the
spelling mistakes made by Little Loc and his
colleagues. It was quite a flame war. On one side
was Little Loc, who gamely tried to get callers to appreciate
the technical qualities of some viruses. On the other side
was a bunch of middle-aged computer hobbyists who were convinced
all virus writers were illiterate teenage nincompoops in
need of serious jail time, or perhaps a sound beating.

The debates drew a big audience, including another hacker
named Brian Oblivion, whose Waco, Texas, bulletin board,
Caustic Contagion, would provide a brief haven for Satan
Bug's author. Little Loc, however, soon found other
places that would accept his virus source code. Kim
Clancy's famous Department of the Treasury Security
Branch system was among them. Little Loc logged on and proffered
Satan Bug. The Hell Pit - a huge virus exchange in
a suburb of Chicago - had its phone number posted on Prodigy,
as did one called Dark Coffin, a system in eastern
Pennsylvania. Dutifully, Little Loc couriered his virus to
these systems, too.

Satan Bug was a difficult virus to detect. Although in
a pinch you could find Satan Bug because of a trick
change it made to an infected program's date/time stamp,
for all intents and purposes Satan Bug was transparent
to anti-virus scanners. And this window of opportunity
stayed open for a surprising amount of time despite
the fact that Little Loc had supplied the Satan Bug to
all the public virus exchanges patrolled by anti-virus
moles.

Little Loc stood apart from other virus
programmers who seemed to have little
interest in whether their creations made it into
the public's computers. The real travel of his
virus around the world would grant him recognition
like that of the Dark Avenger, he thought. So, he
wanted people to take Satan Bug and infect
the software of others, period.
Months later, after the virus had struck down the Secret
Service network clear across the continent, I asked
Little Loc how it might have gotten into the wild
in large enough numbers so that it eventually found
its way into such a supposedly secure system.

"I'll tell you this once and only once: Satan Bug had help!"
he said, simply.

After his Prodigy debut and before Satan Bug hit the
Secret Service, Little Loc was recruited by the virus-writing
group phalcon/SKISM, changing his handle in the
process to Priest. Joining phalcon/SKISM didn't necessarily
mean you were going to virus writing conventions in cyberspace
with other members of the group, but it was a badge of
status signifying to others in the computer underground who
required such things that you had arrived, as a virus writer
anyway.

Since Priest lived on the West Coast, however, and the brain
trust of phalcon/SKISM was located in the metro-NYC area,
there was little concrete collaboration between the two,
especially after Priest racked up a $600 telephone bill
calling bulletin boards. Since Priest didn't hack free
phone service, his family had to pay the bill, which effectively
cut down on much of his long distance telephone contact
with bulletin board systems like Caustic Contagion in Waco, Texas.

Caustic Contagion, for a short period of time, was one of the
better known virus exchange bulletin board systems. Its
sysop, Brian Oblivion, had an extremely liberal policy with
regards to virus access and carried a large number of
Internet/Usenet newsgroups which gave callers a semblance
of access to the Internet. Caustic Contagion's other
specialty, besides viruses, was Star Trek newsgroups and
for some reason which completely eludes me, the BBS's
callers found the convergence of computer viruses and
Star Trek debate extremely congenial.

Priest and another phalcon/SKISM virus writer named
Memory Lapse would hang out on Caustic Contagion.
Quite naturally, Oblivion's bulletin board was
one of the first places to receive the
programmers' newest creations, often
before they were published in phalcon/SKISM's electronic
publication, 40Hex magazine.

Priest's next virus was Payback and it was written to punish
the mainstream computing community for the arrest
of Apache Warrior, the "president" of ARCV, a rather
harmless but vocal English virus-writing group which had
been undone when Alan Solomon, an anti-virus software
developer, was able to convince New Scotland Yard's
computer crime unit to seize the hacking group's equipment
and software in a series of surprise raids. Priest's Payback
virus would format the hard disk in memory of this event.
Payback gathered little attention in the underground, mostly
because few people knew much about ARCV and Apache
Warrior in the first place.

Another of Priest's interests was the set of
anti-virus programs issued by the Dutch company,
Thunderbyte. The product of a virus researcher
named Frans Veldman, the Thunderbyte programs were
regarded by most virus writers as the anti-virus
programs of choice. They were sophisticated,
technically sweet and put to shame similar software
marketed by McAfee Associates, Central Point Software,
and Symantec, which manufactured the Norton Anti-virus.

One of Frans Veldman's programs, called TBClean,
was of particular interest to Priest and others
because it claimed to be able to remove
completely unknown viruses from infected files.
How it did this was a neat trick. Essentially,
TBClean would execute the virus-infected file
in a controlled environment and try to take
advantage of the fact that the virus always had
to reassemble in memory an uncontaminated copy
of the infected program to make it work
properly. TBClean would intercept this action
and write the program back to the hard disk sans
virus. Priest and virus writer Rock Steady, the
leader of the NuKE virus-writing group,
had also noticed the phenomenon. Both tried writing
viruses that would subvert the process and turn
TBClean upon itself.

Priest wrote Jackal, a virus which - under the proper
conditions - would sense TBClean trying to execute
it, step outside the Thunderbyte software's controls
and format the hard disk. In theory, this made Priest's
virus the worst kind of retaliating program, with the
potential to destructively strip unsuspecting users'
hard disks of their data when they tried to disinfect
their machines. (It couldn't happen if you just
manually erased the Jackal-virus-infected program,
but many people who use computers
as part of everyday work simply want the option of having
the software remove viruses. They don't want to
have to worry about the technicalities
of retaliating viruses designed to smash their data
if they have the temerity to use anti-virus software.)

Of course, Jackal's development was deemed
a great propaganda victory by the North
American virus underground. Rock Steady nonsensically
insisted Frans Veldman's programs were dangerous
software because TBClean could be made to augment a
virus infection instead of remove it.

Brian Oblivion immediately tried Jackal out. It didn't
work, he said, but only caused TBClean to hang up
his machine. This was because Jackal was version
specific, explained Priest. It would only work on certain
editions of the program. In reality, this meant that
Jackal's retaliating capability posed little threat
to typical computer users, who had never heard of
the virus-programmer's favorite software, Thunderbyte,
much less TBClean. Nevertheless, Priest continued to
write the TBClean subverting trick into his viruses,
including it in Natas (that's Satan spelled backwards),
which eventually got loose in Mexico City in the spring
of 1994.

All the routines to format a computer's hard disk and to
slowly corrupt data à la the Eddie virus, which
Priest had designed his Predator virus to do, made
it clear the hacker cared little for any of the finer
arguments over the value of computer viruses which were
entertained from time to time by denizens of the underground
as well as academics. Viruses were for getting your name
around, infecting files and destroying data, according
to Priest. He just laughed when the topic of ethical
or productive uses of computer viruses -- such as the study
of artificial life -- came up.

In any case, by the fall of 1993, after Priest had
retired from the Prodigy scene, Satan Bug was
generating its own kind of media-fueled panic.

On the Compuserve network, hysterical government
employees were posting nonsensical alarums
about the virus in the McAfee Associates
virus information special interest group.

"Satan's Bug" was part of a foreign power's attempt
to sabotage government computers! It was encrypted
in nine different ways and was "eating" your data!
A State Department alarm had started!

Wherever the information about "Satan's Bug" was
coming from, it was 100 percent phlogiston. Satan Bug was hardly
aimed at government computer systems. It did not "eat" anything
and although difficult for many anti-virus programs to scan, the
virus could be found on infected systems by making good use
of software designed to take a snapshot of the vital statistics
of computer files and sound an alarm when these changed, which
always happened when Satan Bug added itself to programs.

Even more amusing was the suspicion that Satan Bug had been
inserted on government computers by some undisclosed foreign
country, from whence it originated. I suppose, however,
some people might consider Southern California a foreign country.

Priest enjoyed reading these kinds of things. His virus was
famous, an obvious source of confusion and hysteria.

About the same time, the Secret Service's computer network
in Washington, D.C., was infected by the virus, which knocked
the infected machines off-line for approximately three
days. News about the event was tough to keep secret among
government employees and it leaked. The Crypt Newsletter
published a short news piece in its September 1993 issue
on the event and reported that the infection had
been cleaned up by David Stang, formerly of the National
Computer Security Association, but now providing anti-virus
and security guidance for Norman Data Defense Systems in
Fairfax, northern Virginia.

Jack Lewis, head of the Secret Service's computer crime
unit, and two other agents flew out to interrogate
Priest in his San Diego home in October of 1993.

Lewis and the other agents gave Priest the third degree.
They shook a printed-out copy of The Crypt Newsletter
containing the Satan Bug story in his face and did
everything in their power to make Priest think he ought
to cease and desist writing computer viruses forthwith.

"About the Secret Service, they weren't too happy about
[Satan Bug], and saw fit to pay me a little visit," recalled
Priest ruefully.

The agents wanted to know everything about Priest - his Social
Security number, where he'd travelled, even who the 16-year-old
worked for. But Priest didn't work for anyone.

"I'm not quite sure they believed me," he said.
"Apparently, they thought I worked for some anti-virus
company or something to write viruses. Plus, they wanted
the sources for them."

The Secret Service men wanted to know, straight from the
horse's mouth, what Satan Bug did. "They said some victims were
worried their systems weren't completely clean because they
thought it might infect data files," Priest continued. "I told
them it wouldn't. They also wanted my opinion on things which
surprised me, like different anti-virus programs and encryption
algorithms, including Clipper. I didn't ask why.

"Jack Lewis also said someone claimed I said 'All government
computers will be infected by December' or some such rubbish.
Apparently, they thought I wrote Satan Bug as a weapon against
the government or whatever, I can't be too sure . . ."

Priest told them no, Satan Bug wasn't specifically aimed at
government computers, but it was hard to tell if the
agents believed him. They were trained to reveal little,
and to be unnerving to those interviewed.

"They just stared," Priest said, "as they did in response to
every question I asked, including 'what's your name?'
I tried - really tried - to act cool, but my heart was pounding
like a hummingbird's."

The agents were keenly interested in Priest's other
handles, all the viruses he had written, which, if any,
computer systems he might have spread them on, the
names of some phalcon/SKISM members and the structure
of the virus-writing group and details of their
hacking exploits.

Priest declined to say anything about the identities of members
of phalcon/SKISM. "I told them I knew nothing of the
hackers and phreakers, and little more than you could pick up
from reading an issue of 40Hex."

Priest was more interested in other secretive agencies
within the government. He cultivated an interest in
stories about deep black intelligence agencies. Perhaps
he envisioned himself writing destructive viruses as part
of a covert weapons project for one of them.

"Aren't there any other agencies which would be more
interested in what I'm doing?" Priest asked the agents.
He didn't get an answer.

Eventually, the Secret Servicemen went away
with a Priest-autographed printout of the source code
to Satan Bug.

Programming Satan Bug had turned out to be richly rewarding
for Priest. Not only had it gotten him recognized immediately
in the computer underground, it had made him feared in the
trenches of corporate America to the point where the Secret
Service had felt compelled to intervene.

Since the Satan Bug panic was a golden opportunity for anti-virus
vendors to once again market wares, the stories in the
computing press kept coming. LAN Times put the virus on
the front page of its November 1 issue with the headline,
"Be on the Lookout for the Diabolical 'Satan Bug' Virus."
LAN Times East Coast bureau chief Laura Didio
wrote "the Satan Bug is designed
to circumvent the security facilities in Novell Inc.
Netware's NETX program, thereby allowing it to spread
across networks." While Satan Bug may have certainly
spread across networks, it had nothing to do with the
virus's design. It seemed no matter the truth about
Satan Bug, the story just got more pumped up with
phlogiston and air as it rolled along.

"What's NETX?" asked Priest when he heard about the
LAN Times article.

Of course, the LAN Times article accurately served as
an advertisement for the Satan Bug-detecting software
of Norman Data Defense Systems and McAfee Associates.

Priest, meanwhile, continued to work on viruses.
He had just completed Natas, which he'd turned over
to the Secret Service and to phalcon/SKISM for publication
in an issue of 40Hex. He also uploaded the virus to
a couple of bulletin board systems in Southern
California. And he finished a very small,
96-byte .COM program-infecting virus.
And there were other things he was working on, he said.

The most interesting fallout from the Secret Service visit was
a job offer from David Stang at Norman Data Defense
Systems, said Priest. Stang wanted the virus programmer
to come to work for him, starting in the summer of 1994,
after the hacker finished high school.

Priest said Stang was interested in his opinion
about the use of virus code in anti-virus software.
Such code wasn't copyrighted, so it was fair game.
Priest thought this was a bad idea. Too much virus
code, in his opinion, was crappy anyway, so why would
anyone want to use it? But Priest said he would think
about the job offer.

By May 1994, Priest's Natas virus had cropped up
in Mexico City, where, according to one anti-virus software
developer, it had been spread by a consultant providing
anti-virus software services. Through ignorance and
incompetence, the consultant had gotten Natas attached
to a copy of the anti-virus software he was using.
However, like most of Priest's viruses, Natas was a bit
more than most software could handle. The software detected
Natas in programs but not in an area of the hard disk known
as the master boot record, where the virus also
hid itself. The result was tragicomic. The consultant
would search computers for viruses. The software would find
Natas! Golly, the consultant would think, "Natas is here!
I better check other computers, too." And so, the
consultant would take his Natas-infected software to
other computers where, quite naturally, it would also
detect Natas as it spread the virus to the master boot
record, a part of the computer where the software could
not detect Priest's program.

Natas had come to Mexico from Southern California. The
consultant often frequented a virus exchange bulletin
board system in Santa Clarita which not only stocked Natas,
but also the issue of 40Hex that contained its source
code. He had downloaded the virus, perhaps not fully
understood what he was dealing with, and a month or so
later uploaded a desperate plea for help with Priest's
out-of-control program. You could tell from the date
on the electronic cry for help -- May 1994 -- when Natas
began being a real problem in Mexico.

Natas was another typical tricky Priest program. When in computer
memory, it masked itself in infected programs and made them
appear uninfected. It would also retrieve a copy
of the uninfected master boot record it carried encrypted in
its body and fake out the user by showing it to him if he tried
to go looking for it there. Natas also infected diskettes
and spread quickly to programs when they were viewed,
copied or looked at by anti-virus software. It was fair to
say that computer services providers wielding anti-virus
software in a casual manner ought
not to have been allowed anywhere near Natas.

Back in San Diego, Priest was still being interviewed on the
telephone by David Stang and other associates at Norman
Data Defense Systems. They were concerned that Priest
might leak proprietary secrets to competitors after hiring,
so it was a must that he be absolutely sure of the
seriousness of his potential employment.

By the end of the interview, Priest thought he didn't have
much of a chance at the job, but by July he'd accepted
an offer and moved to Fairfax to begin working for
David Stang. This was the same David Stang who had written
in the July 1992 issue of his Virus News and Review magazine,
"In this office, we try to see things in terms of black
and white, rather than gray . . . The problem is that
good guys don't wear white hats. Among virus researchers
are a large number of seemingly gray individuals . . .
This grayness is clear to users. Last week, I asked my
class if anyone in the room trusted anti-virus vendors.
Not one would raise their hand . . . "

But what was Priest working on at Norman Data Defense
Systems?

"A cure for Natas," he laughed softly one afternoon in
late July, 1994, in the Norman Data office. Looking
over the virus once more, Priest
sardonically concluded that his disinfector made it clear the
hacker had made Natas a little too easy to remove from
infected systems. Norman Data Defense had clients in Mexico
and at the Secret Service.

You had to admire the moxie of the young American
virus programmer. He'd set out in 1992 to emulate the
world's greatest virus programmer, Dark Avenger, and
ended up being paid cash money to cure the paintpots
of computer poison he'd created. As for that poor stone
fool, the legendary Dark Avenger, he never even got
a handful of chewing gum for his viruses, having the
misfortune to have been born in the wrong place, Bulgaria,
at the wrong time, during the fall of Communism.

But by the end of the summer, the blush was off the rose
for Priest and Norman Data, too. Another manager in the
office, Sylvia Moon, didn't like the idea of the hacker
working for the company, Priest said. And when management
representatives arrived from the parent corporation
in Norway on an inspection tour and were apprised of
Priest's status at a meeting, the hacker heard, they were
not pleasantly surprised to learn there was a virus writer
on the staff. Officially, said Priest, there was no
reaction, but in reality, the hacker felt, the atmosphere
was deeply strained. Nevertheless, said Priest,
David Stang maintained that he would protect the hacker's
position. And Jack Lewis, said Priest, had contacted
the company to set up a luncheon date with the hacker
to discuss more technical issues. However, Priest
said, David Stang wanted Lewis to provide a Secret Service
statement to the effect that the hiring of the hacker
wasn't such a bad idea. The luncheon fell through.
The Secret Service would provide no such statement
because, said Priest, it might be construed as a
conflict of interest. Unknown to him at the
time, the agency had also started spying on
his comings-and-goings in Fairfax.

It all came to an end when one of Priest's acquaintances
from the BBSes called the Norman Data office and left a
message for "James Priest." Priest was immediately
let go. David Stang, said Priest, told him the call was
an indication that the hacker couldn't be trusted, that
he was still in touch with the underground.

Paranoia and recriminations flew. There had been an intern
from William & Mary working at the company whose father
was a Pentagon official, said Priest. The rumor was that
Priest had been pumping the intern for information on
how to penetrate Pentagon computers and siphoning it back
into the underground. It was nonsense, said the hacker,
but it became the official version of events. These
were pretexts, thought Priest. The real reason he had to
be shown the door, he said, was pressure from the higher-ups
in Norway. They had been presented with him as a done-deal
hire and it hadn't set well, he said. David Stang, said
Priest, needed a reason to cut him loose and the phone call
from the friend had been the peg to hang it on. Priest
was a hot potato and he had to go.

Back in San Diego once again, Priest almost sounded relieved.
He had a Sylvia Moon-autographed copy of a computer book
as a memento from the company and that was it. However,
he had finally been able to videotape "The Satan Bug"
telemovie. He shifted the VCR into replay and turned
to look at his computer while it was playing. But the
hacker said he still didn't know what the movie was about
when it was over. He had been too busy at the PC to
pay attention. Working . . .

[Footnote: All the Secret Service's contact with Priest
and his viruses and source code appears, in retrospect,
to not have been much of a learning exercise. The organization
recently awarded a large contract to Symantec, the makers
of the Norton Anti-virus, to provide insurance against
computer virus attack. The Norton Anti-virus has long
been considered one of the worst choices imaginable
for this type of service.]

copyright 1994 American Eagle Publications