Interview with The Mental Driller/29A by PetiK for PetiKVX Ezine #1
Date : 21/03/2002

Q: Where do you live? How is the situation of the virus scene in your land?

First of all, hi ;) I'm Spanish and I live in Spain (naaah... :P). The viruscene here is quite extended. You know, very few years ago there was a "boom" of Spanish virus writers making, maybe, the last known "territorial" domination in the viruscene, as happened in Bulgaria or Russia, but nowadays this doesn't happen anymore, due to Internet and the globalization of communications. Nevertheless, there are still quite a lot of good writers here (Spanish powah! :P).

Q: Where did you get your handle?

When I began with this kind of hobby, back in 1998, I was doing some non-malicious hacking at my university, and I was known by the handle "MindThorner", symbolizing in some way a kind of activity that is not physical but intellectual, and giving it an unreal sensation of "discomfort" :). My activity was to crack some weak shell accounts that belonged to students and send them the password in an e-mail, telling them "This is your password and I did X and Y to get it". The fact is that I never used one of them for sniffing on accounts that weren't mine: once an account was broken, it lost its interest. Then I started to develop viruses, and I wanted a handle that fit as much as possible the last one I had, so I selected "Mental Driller". With time, I added "The" to the handle because I'm a single person, so I'm unique :).

Q: How did you start out in computers?

Back in 1984 or so, my father bought me a ZX Spectrum, where I made my very first programming attempts. My father has been a programmer for about 30 years, so he knew that computers were the future and he pushed me into the computer world once I had grown enough to understand some things and begin to program (this was more or less when I was 7 or 8 years old). I started with LOGO, a great language for learning.
I had good times with the Spectrum, but then my father bought a brand-new 8086 with 640Kb and two 5'25 floppy units :D. That was a completely new world: MS-DOS, the command line, executing programs, etc. etc. I have to confess that it took several years for me to understand how it worked, and at first I only used the PC for playing. But, in any case, it helped me to become confident with computers. Then, some years later, I began to code in GWBASIC, until I discovered DEBUG and assembler, so I forgot BASIC quickly and started to code things in assembler. I got a 386 with 2 Mb of RAM (wow!) where I could code much more easily, since I got A86 and later TASM. Now, I consider assembler my first true programming language.

Q: When did you hear about computer viruses for the first time?

My first contact with a virus was when I got an infected diskette with Flip.Omicron. At that time I didn't know exactly what a virus was, so I thought about them as an average computer user would (so when it was Friday the 13th I didn't power on the computer! :)). That changed when I managed to learn assembler and got a sample of Barrotes.1310, which I disassembled and tried to understand what it was doing. Then I did the same with a sample of Natas.4744, and I became fascinated with it, since it was a pretty advanced virus (polymorphic, multipartite, etc. etc.). Studying Natas.4744 I learned how an EXE can be infected, and how the polymorphism was performed. My life changed at that moment. After that, I began to have contact with the new 29A group by IRC, and I met MrSandman, GriYo, Wintermute, Super, Virusbuster and all the currently well-known individuals that were in 29A and other groups in 1997. Viruses attract me because they are the maximum exponent of abstraction in computers: they use algorithms whose only objective is to survive, or avoid detection, or perform activities that are never shown to a common user. It's an intellectual challenge.
In fact, I never coded a "simple" virus; all of them were kind of advanced (with high polymorphism, etc.), because that's the challenge: to code a very complex source and demonstrate that you can code whatever idea you have.

Q: What was your first virus?

When I was tired of disassembling viruses, I decided to do my own, so I coded one. I was surprised at how easy it is, so I coded a DOS EXE/COM infector with DIR stealth in half an hour, more or less. Then I named the virus "Half-an-hour" :). That virus was never released, and I lost the sources, but I didn't care about that, since it didn't cost me any effort. Since I was amazed with Natas, I decided to code a polymorphic virus, so my second virus was Squatter.7310, where I managed to make it pretty polymorphic. It was a jewel for me, because I put in it all the knowledge about viruses I had at that time, plus new ideas I was thinking about. Version 1.2 of the virus was published in 29A#3, and it was the first virus I released in my life.

Q: How did you start out in the VX scene?

As I told before, I met 29A by IRC. During 1997 and 1998 I was speaking with them and I began to learn about the viruscene, and I was meeting people that shared with me the hobby of viruses "for fun". Since they fit the same philosophy I had about virus writing (non-destructive code, intellectual challenge, etc.) I became very attracted to the VX world. Then, in the summer of 1998, 29A decided to hold a VX-meeting in Madrid, so I decided to go. There I met a lot of VX sceners, and I spent a wonderful weekend there.

Q: What (virus-)groups are you/have you been a member of? For how long?

My very first group was 29A, which I entered late in 1998. I met Darkman at the VX-meeting of 1998, and after two or three months I asked him about entering 29A, so he told the rest of the group, they voted and all of them said YES, so I entered. Since then, I have been in 29A, and I hope to be here many more years.
Q: Which programming language are you using? What is your favourite?

ASM! I only use ASM to code viruses, although I know other languages pretty well, like C and C++. Maybe it's easier sometimes to use other languages, but since I see virus coding as a kind of art, I think the assembler language allows more sophistication and beauty.

Q: How many and which viruses (or worms) did you write? Which do you like best and why?

Hehe, this question can be rewritten as: "Now, let's inflate your ego and speak about what you do/did" ;). My viruses are:

Squatter family
---------------
A set of highly polymorphic viruses that were my very first ones. They were MS-DOS infectors with polymorphism, full stealth, and lots of tricks, but they didn't work very well. These viruses featured the engine "MeDriPolEn", which simulated corrupted code. That engine did its work pretty well.

Win32.Nazka (aka Win32.Mental)
------------------------------
My second kind of virus, and my introduction to the Win32 world. It was a simple virus with some tricks and a polymorphic engine that I programmed in two hours. It was made to demonstrate that I could make things for Win32, and because I needed something to publish in 29A#4 :).

Win32.Tuareg (aka Win32.Driller, W95/Drill)
-------------------------------------------
Tuareg was "Nazka on steroids". Based on the skeleton of the Nazka virus, I began to code a massive polymorphic engine called "Tuareg" which turned out to be one of the most difficult-to-detect viruses (what surprises me is the fact that I begin to code something that for me is easy and it results in something that all people say "it's impressive!" about, but that I didn't put much effort into making that way. Lately, with MetaPHOR (the next one), it's just what I expected).
It also contributed to the debate about good viruses: the payload is to change the start page of IExplorer and Netscape to "http://www.thehungersite.com", so the infected people donate money to the third world when they start their browsers.

Win32.MetaPHOR (aka W32/Etap, W32.Simile)
-----------------------------------------
The jewel of my collection. This virus was the only one that I didn't start directly with source; it had quite an amount of time of structuring and planning behind it. MetaPHOR is a completely metamorphic virus, and it was made because, with Tuareg, polymorphism had no more secrets for me. So, I wanted to do metamorphism, the latest self-mutation technique devised and the most difficult of all viral techniques, so I accepted the self-imposed challenge of doing such a virus. It was a great effort and I obtained a better-than-expected result.

I like all of them very much, because every one has its own story, although my favourite virus is always the last one I coded (so this time, it's MetaPHOR).

Q: How do you name your viruses (or worms)?

The name is something important for me, so I try to give a virus a good one. Squatter was named that way because it's a virus, and a virus is a squatter :). Nazka was named so because the payload was going to be a rotating message starting with "NAZKA(VS)", and after adding 1 to every letter eight times it arrives at "VIHSI(DA)" (the Spanish name for AIDS :). Since I coded it for Windows, that payload wasn't programmed, but the name remained because I liked it. The name TUAREG has a long story: since Squatter, I wanted to code a good polymorphic engine. Since my nick was MindThorner and I wasn't in the VX as I am now, I wanted to code an engine called MTuareg. Then I changed the nick, but the idea remained.
After some tries and oddities (which never saw the light) I decided to give the name TUAREG to my latest engine at that moment, which used some pretty innovative ideas, like PRIDE (Pseudo-Random Index DEcryption) and Branching (simulation of normal code flow in a decryptor). So, at last, after many years, TUAREG saw the light :). MTUAREG meant "MindThorner's Unpredictable Anarchic Relentless Encryption Generator", but after my nick change the "T" was substituted by "Tameless" :).

The name MetaPHOR came from "Metamorphic Permutating High-Obfuscating Reassembler". At first the virus was going to be called "Metastasis", but then someone in my family had the beginning of a cancer. It was nothing, since it could be eradicated, but then I wasn't in the mood to call the virus that way, because I realized that name was trivializing and joking about the suffering of many people that have this illness. So, I looked for another name starting with "Meta", and I found "metaphor", which is perfect because, since the virus is metamorphic, every generation is a "metaphor" of the previous one :).

Q: Do you prefer virii or worms?

At this time, virii. I never coded a worm, and I'm not sure about coding one, because in the end you can get into a lot of trouble if the virus becomes widespread. Anyway, worms can be an interesting field to research.

Q: What sort of VX technique is the most interesting?

Metamorphism, of course! It's the most complex technique ever devised (besides neural nets and AI, something that we can't do yet). Basically, I like all the forms of virus coding that make "art" from the code, like good polymorphic engines and the metamorphic ones. Metamorphism is, simply, amazing.

Q: Do you spread your works?

Nope. I send samples to AV companies because I like to play "hide-and-seek", and I don't like to harm people. I never released a virus in the wild other than in VX e-zines.
In fact, when I saw the virus Win32.Nazka (called Win32.Mental) in the wildlist I wondered how the virus got into the wild, until I realized that it was a variation of the original: a variation that someone did and spread. However, sometimes it would be better if some of my viruses were in the wild: the payload of Win32.Tuareg is to change the start page of Internet Explorer and Netscape Navigator to "www.thehungersite.com", which is GOOD (I think it was the very first payload that performed something useful).

And what about the laws forbidding this? Well, my activities (and those of the great majority of the VX), although very unethical to many people, are not prohibited, since I don't spread my viruses, and the antivirus companies are the first ones that detect my "creatures". Lately I include a disclaimer in my viruses where I say that the source code is provided "as is", so a modification is not my fault (that's an interesting point with metamorphic viruses, because from that point of view, the virus itself is responsible for performing a modification to evade scanners :). I can't control the modifications made by other people to my code, in the same way that Nobel, when he invented dynamite, couldn't control whether it was used to kill people. But then the detractors can say: "Then, why don't you keep that source for yourself and not release it?". Well, in the same way that Nobel didn't hide the formula of dynamite: knowledge must be known by all, and the education of the individual must do the rest.

Q: What operating system(s) are you using to test your works?

Windows NT and 98, and lately Linux to do some tests and begin to work on this OS (just expect some Linux viruses from me in the future ;).

Q: Which ezines do you read?

All the ones that fall into my hands. I like to read the points of view of the other VX coders, so I can agree with them or blame them ;).

Q: What do you think about dangerous payloads?

They are laaaaaaaaame.
I don't see where the art of coding is in adding two lines of code to trash a hard disk or the work of someone.

Q: What do you think about virus/worm generators?

The really interesting part is the generator itself, so I respect the coder of the generator, but I hate those script-kiddies that use the generators to put their name in a virus when they don't even know how it works, and the only thing they do is make chaos and stupidities.

Q: What do you think about scripts (HTML, VBS, VBA)?

They are interesting from the point of view of coding something, and I respect the coders that make something new, like polymorphism with these scripts and all that, and the ones that try to stress the language to extract all that the runtime is capable of doing. But there are others that think they are coders for making a 10-line virus that spreads like a pair of rabbits in Wonderland. These people are really stupid, from my point of view, and they aren't capable of doing something advanced, so they are very lame, despite the high opinion they could have of themselves.

Q: Which coders do you respect?

Basically, all the ones that look for innovation and new tech and don't code viruses just to take vengeance or "fuck the world".

Q: What are your favourite viruses/worms and why?

I like many, but my favourites (besides my own viruses :P :P) are, nowadays, Hybris by Vecna and Mistfall by Z0MBiE: just two pieces of art.

Q: What is your favourite AV and why?

I don't have any favourite AV, but I like very much the work of some virus analysts, like Peter Szor, Peter Ferrie, Eugene Kaspersky (although he doesn't analyze many things lately), Mikko Hypponen, and others. These people are real experts (not like other self-proclaimed ones), and you can see that they really know what they are talking about.

Q: How do you see viruses and worms in the future?
I think the threat is going to remain, mostly the threat represented by the script-kiddies and their immaturity, since the ones like us that code viruses as proofs of concept or the like aren't a real threat (answering the ever-in-the-air question that many people have in mind). From my point of view, worms are the kind of self-replicating programs that will be predominant in the future, as they are in the present, due to the massive growth of Internet and e-mail communication in the last years. This is also helped by tremendous security flaws in Micro$oft apps. We'll see more and more worms that use exploits of known OSes to allow them to continue replicating. In a far future, maybe we'll see the first intelligent virus, designed with neural nets and capable of searching for exploits or new ways of infection on its own, but for that we need outstanding processing power, so we won't see this very soon. I hope I'll be there to make something like that :).

Q: What piece of advice would you give to the newbies?

First, learn assembler. Assembler makes you see the other languages in a structured way that the high-level languages don't show you at first sight. Yep, it's low level, but you'll learn, for example, what a pointer really is, and not the abstraction that it seems to be (and it's better understood this way). Second... uhmm... dunno, maybe next time :).

And these aren't advice, these are rules: :)

1) Don't be a lamer!
2) Destructive payloads are lame
3) Massmailing tool-generated VBS auto-replicating scripts are lame
4) Hate the "Hackers" movie! (I think I'm gonna shoot someone if I see again a "Zer0 c00l" or "Acid burn" on message boards or IRC!!!)

Q: Where can we see your works and how can we contact you?

My works can be seen in 29A zines and other zines (like Matrix#3) where I collaborated. My e-mail: mental_driller@notrix.net . If anyone thinks that he/she has something clever to say to me, drop me an e-mail ;).

Very Thanx.

To you.