informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/talons02.txt

539 lines
28 KiB
Plaintext
Raw Permalink Blame History

NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_N
uK Nu
KE The true story about Talon uK
E_ KE
_N By E_
Nu T a L o N _N
uK Nu
KE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuK
NuKE Info-Journal #8
April 1994
The true story about T„L”N... by T„L”N
~~~ ~~~~ ~~~~~ ~~~~~ ~~~~~
For a while I didn't have any interactions with anybody remotely
connected with either the AV or Vx worlds, because of the local scene
breakdown, and my exclusion from NuKENet for reasons unknown at the time
(which this article shows to be mostly fabrications and distortions of
truth). As a result, only my older work stood as an example of my
capabilities. This in combination with other things led to my
misrepresentation and misunderstanding among the Vx community. This
article hopes to dispel or at least straighten out some of these
problems.
This article refers to articles which aren't altogether new, but until
now I hadn't seen them, let alone have the exposure enough to reply to
them. These are, Crypt Newsletter 18 ("An incredibly complicated tale
of mystery and intrigue", September 1993) and 40Hex release
11, article 001 ("Life, the Universe, and 40Hex", June 1993).
____
I think it's about time that the story, the TRUE story, was let out for
all to read and digest. Forget everything (well most things) that
you've heard, read, eavesdropped on etc, because there's a good chance
it's bullshit.
It's a bit hard to choose where to start the tale. I guess i'll start
by rebutting some of the things which have been said about me, for
example, NuKE infojournal #7 perhaps ? Or, more recently, Crypt
Newsletter 18 ... and I quote:
"Confusion to your enemies" could be TaLon's motto and
you'll agree after reading this whopper. Originally,
the writer of the PuKE/Harry McBungus viruses, Talon created
Harry McBungus and Terminator-Z as electronic beards for a
group predominatly interested in optimizing virus code and
poking fun of the NuKE virus-programming group. But, fate took a
hand and made the PuKE virus famous down under when it infected
a company and the event was publicized in a newspaper. Talon,
according to sources, saw the article, called the newspaper and
gave them an interview, perhaps thinking editors would keep his
name secret. They didn't.
(for a start, this extract, and following extracts, were based upon old,
second-hand and whats more _incorrect_ "facts").
The above extract is essentially true. (almost).
In about 1990 I decided to teach myself assembly language, and quickly
developed an insane fascination with cracking and viruses. As
Terminator Z, when Gnarly Beast ran the Australian iNC headquarters
(Hellzone/Crime Syndicate), I was a part-time cracker for iNC and stuff
like that.
But quickly my appetite for viruses overcame, and I created my first
virus at the age of 15. Now that my previous aliases have been
released, I might as well make no secret of the fact that I wrote
X-Fungus, which did actually infect a prominent institution in Brisbane,
which made headlines. This was my first ever virus, which was TSR,
infected COM and EXE files, hid the file size increase on the directory,
and included an encrypted text message which was displayed on certain
dates. My first virus. 1422 bytes. And for which I had absolutely no
reference material to learn from. Not trying to blow my own horn, just
stating the facts, other people at the time were writing simpler viruses
which were twice the size.
I then cut that down and optimized it to create No Frills, which was to
be a 'skeleton' from which other ones could me made. A few others, such
as K-Lame Kreation, No Frills 2.0 and No Frills 3.0 were created from
this. (NF2.0 was a bug-fix of 1.0, and K-Lame Kreation was never
released).
But before all this happened, I showed a number of people my virus
sources and what the viruses could do - but never gave anybody a copy.
This is where good friendships came into effect. Sombody flogged them.
(somthing which has occurred more than once in my career unfortunately,
but more on that later). My source codes turned up on a few local BBSs.
I was spewing.
It was soon after this that I learned that X-Fungus had hit this famed
institution .. (as you can see this is a bit out of chronological
order..). But the newspaper report was full of shit, they called it the
"K-Mart" virus.. so I called the newspaper and told them they were
wankers, and he being a reporter, juiced more info out of me (not that I
cared, what could a reporter do). ... re:
Editors passed his name along to the Fraud Squad, a branch of
the Australian national crime-fighting force which focuses on
computer crime. ...
This is partly true. In the meantime, No Frills 2.0 had made the rounds
of large numbers of public & private high schools, and No Frills 3.0
actually hit the network of one of Brisbane's largest private schools.
It was then that I found out that the cops were after me, because a
friend of mine was brown-nosing the computer administrator, and he found
that they (the cops) came up to the school and asked if they were
interested in supplying evidence for their "case".
Anyway the case came to pass, I was interrogated over the course of two
days. They TOLD me that they wouldn't have bothered with the
investigation, it was so hard to prove, but they had to try since that
institution had lodged a formal complaint to the fraud squad. I NEVER
told them any names (I knew none at the time anyway). I NEVER dobbed
anyone in. Anyway read the entire article, and I will continue...
(from crypt letter 18, verbatim..)
>An incredibly complicated tale of mystery and intrigue:
Former NuKE virus-programmer Talon, of Brisbane, Australia,
makes it into Fictual Facts this month for making life just
a little more brutish than it ought to be.
"Confusion to your enemies" could be TaLon's motto and
you'll agree after reading this whopper. Originally,
the writer of the PuKE/Harry McBungus viruses, Talon created
Harry McBungus and Terminator-Z as electronic beards for a
group predominatly interested in optimizing virus code and
poking fun of the NuKE virus-programming group. But, fate took a
hand and made the PuKE virus famous down under when it infected
a company and the event was publicized in a newspaper. Talon,
according to sources, saw the article, called the newspaper and
gave them an interview, perhaps thinking editors would keep his
name secret. They didn't.
Editors passed his name along to the Fraud Squad, a branch of
the Australian national crime-fighting force which focuses on
computer crime. Agents from the Fraud Squad promptly rounded
up Talon and here's where the story gets tricky. Talon, by
adroitly using the aliases of Harry McBungus and Terminator-Z,
was able to sufficiently confuse the investigation by pushing
authorship of the PuKE virus onto people, who essentially, didn't
exit.
At this point, TaLon applied for membership to NuKE and submitted
the Daeman virus. Shortly therafter, the Daeman virus infected
a PC network belonging to Australian Telecom, sufficiently
inconveniencing the company so that it summoned the Fraud Squad.
It was "round up the usual suspects" time and Talon again went
into the bag. This time, he shifted suspicion onto two other
Australian hackers and NuKE members, Phrozen Doberman and Screaming
Radish. NuKE promptly terminated TaLon's membership for this
graceless cybersocial faux pas, but did publish the Daeman source
code in its InfoJournal #7 before wishing him luck with Australian
authorities.
TaLon promptly uploaded a fakeware archive called VCL20.ZIP
into some US virus exchange bulletin board systems. Advertised
as the Virus Creation Laboratory v. 2.0, the archive was
"password protected" with the phrase "Nowhere Man Sucks."
It was a hoax.
[NuKE Infojournal #7, with the source code to the Daeman virus,
is available on most of the systems listed at the end of this
issue.]
Now I can say a few more things.
Most people who know me or have read my posts will know my standpoint on
the creation of millions of sad-arse viruses for the pleasure of saying
"Ive written XXXXX number of viruses, I'm so cool" versus writing REAL
viruses which will actually be any good.
In its infancy, NukE was an outfit which couldn't really program
viruses, and although they'd progressed past overwriting they were still
only sad direct-infectors, and still managed to inflate their dolls over
them. At the time I was writing better viruses, smaller viruses, more
viable viruses, and thus PuKE was formed. A pretty bogus group and I
make no secret of that. I was PuKE, the only member.
Yes I eventually gave the newspaper an interview, along with 3 others,
including Storm Waterdrain (now seemingly retired). We went into the
interview with the intention of helping to educate the public on what
the whole deal was about, to help maybe reduce the crap and stigma that
surrounds the whole deal .. but nooooooooooo.. typical reporter etc etc
and I ended up getting _totally_ burnt, a maladjusted misfit hell-bent
on screwing peoples' computers up.
As if a newspaper isn't going to be sensationalistic. You can't get
sensationalism out of education. You get it out of portraying people
like me and the rest of the Vx as monsters, feeding the public exactly
what they want to hear. I was a victim of all that shit.
Anyways enough of that. Back to the Crypt article...
At this point, TaLon applied for membership to NuKE and submitted
the Daeman virus. Shortly therafter, the Daeman virus infected
a PC network belonging to Australian Telecom, sufficiently
inconveniencing the company so that it summoned the Fraud Squad.
I didn't join NuKE and just upload DaeMaen, I was conferencing with Rock
Steady for a number of weeks and mainly brainstormed new ideas and
tricks and stuff. Ask him about it. A lot of ideas came into effect
and many of them did go into the creation of Daemaen.
I did join nuke.. But under the condition that none of my previous
aliases and stuff were mentioned, for the simple reason regards the
investigation - trying to make a clean break, not get NuKE tangled up in
my previous endeavours. And also that DaeMaen wasn't to be published.
Both were violated.. not happy.. Apparently justified by the fact that
i'd dobbed people in, which was BULLSHIT. ABSOLUTE BULLSHIT.
Daemaen didn't work on dos versions above 3.3 for the simple reason that
it does a dodgey search method for the original interrupt 13 vector, and
the structure changed for higher dos versions... so it didn't matter
anyway.
So it couldn't possibly have been DaeMaen that infected Australian OTC.
I know for a fact it wasn't, because the virus that did was called the
Dudley virus, which just happens to be based around No Frills but with a
mutation engine thrown on top. I didn't write this, well not exactly,
but wrote half the mutation engine then gave it to someone else, who
then coupled it up with the unofficially-released No Frills source and
then released the resulting virus under the PuKE banner (I didn't know
this until later). ...
It was "round up the usual suspects" time and Talon again went
into the bag. This time, he shifted suspicion onto two other
Australian hackers and NuKE members, Phrozen Doberman and Screaming
Radish. NuKE promptly terminated TaLon's membership for this
graceless cybersocial faux pas, but did publish the Daeman source
code in its InfoJournal #7 before wishing him luck with Australian
authorities.
100% CRAP (except for the membership termination and the publishing of
the source code). I later learn that most of the bullshit was informed
to NuKE by none other than Phrozen Dobermann. I have no knowledge of
ever offending him, nor anyone else, but I dont care and this was told
to me by several members. Rock Steady said he found out from NuKE
Melbourne, and god knows where they heard it from.
As for the second investigation, i'm still waiting...
TaLon promptly uploaded a fakeware archive called VCL20.ZIP
into some US virus exchange bulletin board systems. Advertised
as the Virus Creation Laboratory v. 2.0, the archive was
"password protected" with the phrase "Nowhere Man Sucks."
It was a hoax.
Well well well, if the bit before was 100% crap, this is 200% absolute
bullshit. For a start I consider myself a person of some sort of common
decency (some in the public world would disagree, though :) ) and would
never resort to such pathetic, underhand "tactics". I piss on the grave
of whoever took it upon themselves to do this. Anyway, I wasn't calling
out and don't have access on ANY boards in the States, simply because I
never call there. If I did, I would have discounted this trend before
now - this is my first opportunity.
[NuKE Infojournal #7, with the source code to the Daeman virus,
is available on most of the systems listed at the end of this
issue.]
Which didn't work... and is a major embarassment to me since it's
largely crap.
Another virus was eventually built out of that, which emerged as
"1984", which also wasn't to be released. A few would find my story a
little hard to believe -- first time things were stolen ,,, but a SECOND
time ? yeah , sure. Well to all of you who think that, go shove it up
your arse, there are a number of things which point to the fact that it
was stolen :
1. 1984 was to be 1984 bytes long. The in-the-wild version is
1979 bytes long.
2. The infection counter on the SCAN trojanned with 1984 is
infection number 7.
3. There are several buggy and unoptimized bits in the virus
which I wouldn't ever have released.
4. The virus code on the disk boot sector infection isn't
encrypted, this was fixed long before I saw 1984 (without
encryption) in the wild.
5. The boot sector infection routine will bug out on
high-density disks. This reduced the bandwidth of the virus
by a large degree. This was also fixed.
Anyway I hope I've set a few things straight here and stamped out a lot
of shit rumours and speculations. Problem is, until now I haven't been
able to stamp them out because of the very fact that I was still
percieved as a narc until a very short time ago, when Screaming Radish
finally called me voice and I cleared the air. I had my banishment from
NuKENet lifted, among other things.
I'm a bit sick of the entire virus deal, but at least my faith has been
partly restored. Perhaps even the author of the above section of Crypt
Newsletter 18 will publish something now that he knows the real story ?
Who knows.
That doesn't mean to say that I've retired, mind you... there's still
stuff in the pipeline.
Hmm This reminds me of what I read in 40Hex issue 11, where a particular
Dark Angel, whom I have had no previous interaction with, but all the
while I respected him for his work, took it upon himself to make a
judgement on the little available information about me. He didn't
actually state any names, but it's pretty obvious to those who know..
Interestingly enough, my little tale was told (not the tale about the
feds etc, but my virus writing) inside an article complaining about all
the lame biting-ass virus "groups" out there. Here's the business half
of the article. (This appears in the 11th issue of 40Hex magazine, the
file 40HEX-11.001).
It is apparent to even the blindest of observers that the virus
phenomenon has caught on. Everyone and his kid brother has decided to start
a virus group, whether or not they have programmers capable of creating a
viable (read: parasitic) virus. While this in itself is merely offensive,
it is the sheer arrogance of these meta-groups which is irritating. Of
course, no names will be mentioned, as that would be mean and we all wish
for a happy world.
The most common trait of these pseudo-groups is for a member to state
that all code that was written was "developed on my own." Of course, this
is seldom the case. Often, the "original source code" to their viruses
clearly originated at some point from a Sourcer disassembly. Heck, when you
see "seg_a" or "loc_0027," you know they're just poor hacks. Of course, the
the disparate coding styles in the "source" also reveals the nature of the
virus.
If the reader reads on, about the 387-byte TSR COM/EXE infector, about
self-developed techniques, about other shit which I said, the above
reference may not be understood unless it's stated that the source code
to this 387-byte virus was lost in a HD crash, and I had to use sourcer
to recover it. (I had the .bin image of the virus in question on a
backup disk). I'd imagine the statement of the "loc_0027" above is
referring to this fact, attacking my integrity as a self-respecting
programmer.
[irrelevant paragraph skipped]
Every group goes through a phase in which they hack viruses; they
should not be proud of these viruses. But it is merely the first step and
most grow out of it. Skism-1, for example, was a Jerusalem hack. It is
ancient history. I might also point out that the Phalcon/Skism viruses
published in both the last issue and this one are far superior to Skism-1.
Phalcon/Skism does not release the source code to half-baked viruses just so
40Hex can look larger. Every virus programmer has a few experimental
viruses; yet it is not necessarily appropriate to print all of them. If I
wrote a virus which had several hundred bytes of repetitious code, I would
be ashamed to print it. It's like releasing a program which has only been
half-completed.
This I agree with, it's pointless releasing every revision of every
virus you've ever written. My standpoint on this issue is pretty clear,
I have written a fair few, and none I have actually released myself, and
I wouldn't want all of them to have been released for the simple fact
that I dont want to be seen to be writing almost identical viruses and
being "proud" to put my name to them. What's the point in that? I dont
respect people like that, and from all indications neither does the
author of this article (Dark Angel). And no, I never hacked another
virus, and didn't think about it for a second. I've borrowed some
techniques (but not code) and gained inspiration from some viruses, but
nothing of the likes of Dark Avenger or Jerusalem!
When a virus programmer additionally claims, "This virus was written
two years ago, so it sucks, but I'm going to release it anyway because it's
good to learn from," I have my doubts. When s/he further hurridly states,
"My other viruses are better," then my doubts grow. Where, pray tell, are
these superior viruses? Why publish that which you admit sucks? Of course,
anyone that makes such a claim, or one such as, "Next time, I'll release a
COM/EXE/SYS/MBR/OV?/DAT/DOC/TXT/ANS/ASC polymorphic, stealth infector that I
wrote last week," is suspicious.
As an example of the mindless boasting, observe the following: (Note:
the following should not be construed as a personal attack against either
the person or group in question.)
Now this is only _slightly_ directed towards me (not). OK then, that
source code was released - I had nothing better at the time - becuase I
was in the _middle_ of writing the super-duper
"COM/EXE/BIN/SYS/OVL/MBR/Boot Sector/Dir Stealth/Partition Stealth"
virus in question, which Dark Angel slanders me for for being
"bullshit".
So, my other viruses ARE better. Have no doubt, Dark Angel obviously
drew invalid assumptions from a poor pool of information. Mindless
boasting? hmf. Anyway i'll quote the next paragraph.
This person wrote, "As with many of my routines, stuff which took many
other virus writers a few pages of code took me one page... that's not bad!
I have many other goodies up my sleeve, like a 387-byte generic COM/EXE
parasitic infector on execution, the smallest of its kind in the WORLD...
(with room for improvement!)."
I do not deny stating this, but my I say it was mostly to burn off some
lamer in Sydney who rang me up telling me he was hot shit, so I had to
do something about it. And it's true, I squashed both the COM and the
EXE infection routines into just over a single page (24 lines),
something most viruses at the time had a good 200 bytes devoted to.
Somethign else must be said though. One must remember the time frame in
which my viruses were written. If viruses of that quality were written
today, then big deal, but they were written 2 years ago, in an
environment where 1024-byte TSR COM/EXE infectors was considered GOOD.
It must also be pointed out that at the time, the smallest TSR COM/EXE
infector was the Ontario viurs (512 bytes; mine was 387), ... Which _Just
So Happened_ to be written by Dark Angel himself.
My virus, when included with the text string "[PuKE]" hence the name
Puke393, was absolutely functionally equivalent to Ontario 512, unlike
the virus included later in Dark Angel's article.. but more on that
later.
Please do not boast if you cannot substantiate your claims. For
example, these claims are easily shredded by counterexample. Let us examine
the Voronezh-370 virus. It is a generic parasitic COM/EXE infector and it
is indeed less than 387 bytes. If 387 bytes is the smallest in the world,
then this may very well be the smallest in the universe. With only two
hours of fiddling, I came up with the following virus (278 bytes), which may
yet be the smallest of its kind in all of creation! Actually, I make no
such claim, as a smaller one _can_ be written. The point was to show that
this claim was not all that impressive and was, in fact, dead wrong. Let us
not be o'erhasty to boast next time.
As with many of my viruses, stuff which took many other virus writers
over 380 bytes took me under 280... that's not bad! Humour aside, I might
point out that this virus is _over_ 100 bytes less than the boaster's
attempt, so it is _significantly_ smaller. Gee, I wonder what those extra
109 bytes are used for.
It must be stated again, that it WAS the smallest in the world _at the
time_ - it's not as if I was lying. What's more, the above paragraphs
imply that I'd said it couldn't be beaten -- I made no such claim. I
wouldn't. That sort of thing is only for the self-important, blinded by
their own stupidity. So, when the virus was written, 387 bytes WAS the
smallest in the world for what it did.
The article goes on to list the source code of the sub-280 byte virus,
; Phalcon/Skism _Small virus
; Written by Dark Angel of Phalcon/Skism
; 278 byte generic COM/EXE infector
again written by Dark Angel. But what I failed to point out, is that
387 bytes is pretty small considering that it sacrifices absolutely NO
"safety features". The PS Small virus DOES. This makes it unstable,
and in terms of wild viability, a failure.
As I said, to make the code smaller, Dark Angel sacrificed a number of
features (hence the 109 byte deficit). I'm not saying that DA's
programming is shoddy; the opposite, he is quite a competent coder
(credit where it's due, I admit it at least).
The Small virus will not infect programs with a Read Only attribute; the
Small virus wil not disable the critical error handler; the Small virus
will infect EXE programs with internal overlays (potentially damaging
them); the Small virus will update the file's date/time to time of
infection; and what's more, the Small virus will return control to its
host with dirty registers, and considering that a lot of programs assume
clean regiters, with CS=DS=ES, this is a bad move if a viable virus is
what you want. PuKE393 sacrifices none of these important safety
features. It is a viable virus in the wild.
If I were out to make the smallest virus in the world, full stop, I too
would remove these features, and would also derive a virus of similar
size to that which Dark Angel proudly whipped up in two hours. So you
see, the statement..
I think the informed virus and anti-virus person recognises these
claims as the baseless boasts they are. Let me assure you that you will see
none of that in 40Hex.
..applies equally well to the author of the article.
I am just as capable, but prefer to have a stable virus rather than an
exceedingly small one. A decent exercise to satisfy any curiosity
perhaps, but not to try and prove the point that someone's a bad
programmer. If anything, it proves the reverse. But anyway.
I also have to mimic one of the article's paragraphs, and state that
"this article does not serve as a platform to personally attack the
person or group in question."
In fact, from all indications, Dark Angel appears to be an intelligent
and capable programmer. It's just a shame he had to draw his
conclusions from such a small source of information -- but in his
position, I probably would have done the same thing. After all, PuKE
was formed to do exactly the same thing to NuKE when they were
unwarrantedly calling themselves Kings of the Mountain. So, by this, I
mean no hard feelings towards Dark Angel (if anything, I wouldn't say No
to any mutual exchange of information with him, or at least a chat).
Anyway, DA, if it's goodies you're after, all you have to do is ask, I
do have them, they're just not on public display. It's a shame, because
you seem to abuse me for going on about them and not having done them.
I look forward to some sort of interaction, if you're interested, and
I'm sure something can be gained by all.
Actually it's pretty funny, because when I applied for NuKENet all that
time ago when I was in the process of writing the now-common 1984 virus,
I stated such on the net. "com/exe/bin/sys/ovl/mbr/bs/stealth etc" ?
Rock Steady immediately attacked me, "Piss off, and come back when
you've actually written it. Unlike you, we write the Proto-T. When VCL
2.0 comes out even you'll be able to write the k0oL viruses you say you
can". However his tune changed when he realized I actually was the
genuine article, and .. (quoted from IJ#6, nuke timeline, i believe)
__________________________________________________________________________
January 10th, 1993
T„L”N enough respect goes out to this charm... He too has succeeded the
wild-bush hunt of the Aussie, though he was never the same afterward...
<hehe> Just as Compton was put on the map by the Brothers, T„L”N is the
one to put Aussie onto the map. For that I gave him a whole paragraph
in this intro...
__________________________________________________________________________
Side note, it appears that Dark Angel and I have made around about the
same achievements, if not in viral common-ness, in viral technology.
Whether this is true or not is debatable. Both he and I can write small
TSR COM/EXE infectors. Both he and I wrote SYS infectors at around the
same time, using similar techniques (convergent evolution? great minds
think alike? :) ). Both he and I have written mutation engines of
similar calibre (perhaps DA's has slightly more features, but mine is a
fair bit smaller. I won't boast about its size this time ;) ). I'm sure
DA has written a multipartite infector by now.
Another side note, DA implies I can't write the "com/exe/bin/sys/ovl/
/mbr/bs/directory stealth/mbr-bs stealth/file stealth/polymorphic"
virus. I admit that I've never actually sat down and fully debugged a
full-stealth virus and got it 100% working, but I can and I will
eventually. I had written one which does all of the above minus the
full stealth, but can't get the i21 hooking off bootup when DOS=High
working properly yet. This will have to wait. Since 1984 I've
corrected and optimized a lot of code, and it will now do stealth on not
just partition tables but floppy disks of all capacities. If you don't
believe me, you'll probably see it in the next infojournal.
So there you have it. Hopefully a little educational to some.
Cheers
T„L”N
Reference in New Issue View Git Blame Copy Permalink