Interview with philet0ast3r [rRlf] by PetiK for PetiKVX Ezine #1
Date: 22.3.2002

Q: Where do you live? How is the situation of the virus scene in your land?

A: I am from Germany, Bavaria (that may be an excuse for possible writing mistakes). That's where the world's best beer comes from ;) The virus scene here? Well, I know many German virus writers, good ones. I guess the force is strong in us ;) I know only a few personally, but they will become more, because we are planning some little German VX con. This will be in about one week, and I'm very much looking forward to it. So you can say the scene is cool here.

Q: Where did you get your handle?

A: I thought a lot about my handle. A handle is like a calling card. People you meet on the net will judge you by it, so better don't choose h@X0r1337. So the handle is important. I wanted something you can relate to virii (I hope I managed this ;). So according to my handle I am someone who toasts philes (or files). The ph=f thing is because I like those old phreakers. The 0 and 3 I just had to take in (I am a bit of a script-kiddie ;). I like my handle. It's unique and I think it sounds good. Just recently I realized that phile means something else: this is a person that has a strong desire for something (like pedo-phile). So after that I would have a strong desire for toasters :( Well, I don't think of changing my handle because of that. A friend of mine changed his handle from 7r!NT (trinity and so on) to dr.g0nZo, because Trint was also the name of an airplane engine. We always made fun of him about that ;) ... Some of my friends also call me philie.

Q: How did you start out in computers?

A: I must have been about ten. All of my friends had a Nintendo GameBoy (nostalgia ;) So I got on my parents' nerves until they bought me one. Soon the little GameBoy games got too boring, I wanted a computer. So I got one for Christmas. It ran on good old MS-DOS ;) Some years went by and games also got boring there (and were much too expensive), so I began to learn about my OS and cracking some shareware. I guess learning a bit of DOS asm was the important step.

Q: When did you hear about computer viruses for the first time?

A: I knew there were viruses out there, but I didn't care much. Until once I realized that my computer didn't work right anymore. I tried around a bit, but didn't get the point, until one of my friends said I could have caught a virus. He gave me some AV program to clean up the mess. The AV found some unknown MBR infector, but couldn't do anything against it. As I tried some other AV, the virus somehow realized it, popped up a message saying something like "you shouldn't have done this" and killed my partition table :( Does anyone know this virus? I would like to contact the author :)) My second one was the one everyone had: good old Parity.Boot ;)

Q: What was your first virus?

A: At first I began to play around with construction kits. But the virii created by these kits were always immediately found by AVs. So I thought if I wanted something undetected, I must write my own. I took PS-MPC as a pattern, and tried to code something similar. I guess I was way too inspired by it, so my first virus (called PhileT0a$t3r ;) also got detected as PS-MPC :[ But I learned a lot from that. Because of that, this virus has got a lot of meaning for me, although it's lame. That's also the reason why it's still on our homepage. ... But don't look at it, at least someone calls me "ripper" ;)

Q: How did you start out in the VX scene?

A: Maybe two years ago, two friends of mine (El DudErin0 & dr.g0nZo) and I started some "computer-underground" group out of boredom. Lame as it can get. The "Ready Rangers Liberation Front" (probably better known as rRlf). The name seems quite strange. Well, the Liberation Front comes from ELF, Erisian Liberation Front, yes we are all Discordians ;] In search of a first part we spontaneously took Ready Rangers, because El DudErin0 had (and still has ... worth millions ;) an Alien Workshop skateboard with "Ready Rangers" printed on it (yes, we do skateboarding). I made some homepage where we put things of our interest. Soon other people were very interested in becoming members, and the whole thing developed in different ways. Mostly into computer viruses, which is what I was interested in. That way I also came in touch with other groups, interest grew, and we got involved in the scene. But viruses did not smash the other interests, so rRlf is not only virus oriented, but open to everything (mostly psychedelic art, like pictures, poems and weird texts). ... Like our zine, to which everyone can contribute everything he wants (well, as long as we like it ;).

Q: What (virus-)groups are you/have you been a member of? For how long?

A: I am still a proud rRlf member. Because I am one of the three founders ;) Zoom23 (Pinoy Virus Writers owner) once said to me I can consider myself a Pinoy Virus Writers member, which is a bit strange: 1) I am not from the Philippines (Pinoy is slang for it). 2) Pinoy Virus Writers is not a real group, more a loose compound. 3) Pinoy Virus Writers is quite inactive. I guess Pinoy Virus Writers E-Zine #6 was the last issue. Nevertheless, I am still a Pinoy Virus Writers member ;) I was also a SallyOne Group member. Remember the SallyOne.com virii archive? SallyOne Group was the ... yes, group of SallyOne.com. BTK (former owner of SallyOne.com) was the founder of SallyOne Group. The whole thing was quite underground. We wrote some virii and wanted to release a zine. But as BTK decided to leave the scene (most of you probably noticed because SallyOne.com was suddenly down), SallyOne Group died also, because of the lack of interest of most of the other members (not me ... I even hosted, and still do, the SallyOne Group homepage on my domain) in keeping the group alive. Well, SallyOne Group was a nice try. The homepage was really great ;)

Q: Which programming languages are you using? What is your favourite?

A: I don't remember much of my DOS asm. I think I am a quite good batch programmer, and an average VBS programmer. Mostly I mix both languages into a batch virus/worm. Well, I also know the usual HTML and JavaScript, for I am the rRlf webmaster. At the moment I am trying to learn win32asm, because (even if optimistic) there's not much future in batch.

Q: How many and which viruses (or worms) did you write? Which do you like best and why?

A: Until now, I have written eleven virii, sorted from old to new: PhileT0a$t3r, Neusprachl3r, BlackDay phinal, Qui3tsche-Entchen, Final Fantasy 23 (full name gets too long here ;), bat.revenge, bat.kia, bat.typhus, bat.eris (will be released in rRlf #2), bat.monday (will be released in discordant opposition journal #17), and bat.windows (will be released in VX Trader #1). The first two are DOS asm, the rest is batch/VBS. Every one of them I once liked best, because every virus is an improvement on its "predecessor". So at the moment I like bat.windows best, but this will change as soon as I write a new one.

Q: How do you name your viruses (or worms)?

A: This is a difficult question ;) ... I don't know. Differently. After important people in my life, more or less important events in my life, after the payload (I am always trying to do some payload never done before with batch), or after something else ;)

Q: Do you prefer virii or worms?

A: I prefer worms, because this is the future. Unless new file formats are invented, quite everything in file infection has already been discovered, you can't do something new. My newest creation bat.windows is a pure worm (all before were pure virus or virus/worm). Because with file infection, you only trigger AV heuristics. And people don't share that many executables anymore (perhaps someone finds a way to transport virii via mp3 or mpg ;). They download them via the Internet. And that's where they can catch a worm.

Q: What sort of VX technique is the most interesting?

A: I like polymorphism and metamorphism. Although I can't do this (yet), I am following developments. Somehow everything comes down to anti-AV, to not getting detected. And polymorphism and metamorphism are good solutions for this. And it gives virii some touch of evolution. Like being real life forms.

Q: Do you spread your works?

A: No, it's illegal in Germany, and I am no terrorist, but a virus writer. Other people do this for me. I don't know if that's good. It just submits my creations to AV, for I am not doing this (many virus writers do, I wonder why). Well, that gives you a good feeling, if one of your virii gets detected (I don't mean heuristics, of course). I just wonder why those AV guys always have to mess up the name I gave my virii into something sounding boring or technical.

Q: What operating system(s) are you using to test your works?

A: Mostly Windows ME, but also Windows 98, and Windows 95. Yes, there really are differences (sometimes ;)! I must get myself a copy of Windows XP now (... did you see this? XP looks like "X-P"). But I guess there will not be much difference (at least for my works). I saw batch files still work as before ;)

Q: Which ezines do you read?

A: I read all e-zines I get my hands on, of course, if they are interesting and I've got the time. My favourite is everyone's favourite: 29A

Q: What do you think about dangerous payloads?

A: Well, most people don't like destructive payloads. I can't say this, for some of my virii contain destructive payloads, and some upcoming virii by me will also. As I don't spread my virii, there's no damage I am doing to others with this. But that's not the main reason. I think violence (in general) cannot be declined completely. And today's people are so blinded by the capitalistic lifestyle and the ones who rule them, they have to be beaten in the face to wake up and realize. And a virus is good for submitting a message they don't want to hear.

Q: What do you think about virus/worm generators?

A: Good for learning, lame to use. Well, if you nevertheless use a construction kit, you probably won't come far with it, for AVs (very probably) detect it.

Q: What do you think about scripts (HTML, VBS, VBA)?

A: Many people (especially win32asm coders) think quite badly about script virii. I wonder why? Just because they are simpler to code than an asm virus? Or because there are so many (rips)? I don't know. I write script virii myself, so I can't have something against them.

Q: Which coders do you respect?

A: I respect every coder that takes it seriously, and tries to do something unique and not just codes using copy and paste, AND is not arrogant or considers himself too elite for talking with you little lamer. The one I respect most is Benny of 29A. Wow, what a great person! His virii are the best out there, and his words/texts (even if I don't agree with him on all points) are so convincing and meaningful, you can hardly do it better. Unfortunately I never had anything to do with him, but I hope this will change some time.

Q: What are your favourite viruses/worms and why?

A: My favourites are win2k.Installer and dotnet, both by Benny [29A], because they are both first virii for a new file format that have been released before the official release of the file format. Wonderful!

Q: What is your favourite AV and why?

A: I've got no favourite AV. I am changing them often. I haven't found my perfect AV yet (if that's possible).

Q: How do you see viruses and worms in the future?

A: Everything improves. And the more it improves, the more difficult it gets. I think the future virus scene will concentrate on a few persons or groups inventing new things, and forcing AV to also invent something against it. It's a circle of death. If the perfect virus can't be found, the true virus scene will die some day, because old coders get too old, and things will be too complicated for most newbies to learn.

Q: What piece of advice would you give to the newbies?

A: If that's really what you want to do, keep it serious and real. Learn and don't let them get you down. Perhaps join some groups and contribute to e-zines, but keep it real.

Q: Where can we see your works and how can we contact you?

A: My works can be found somewhere out there in different e-zines, and most of all in our zine (I am the editor of it), called like our group ;) rRlf. We've got our homepage (I am webmaster there) at www.rRlf.de. All I did is also available there. Next to other weird things ;] You can contact me via e-mail: philet0ast3r@rRlf.de Be sure to get an answer. And, hey, before I forget: Thanks to you, PetiK, for distributing our zine on your page! Very Thanx.