ANATOMY OF A VIRUS AUTHOR

A biography of The Black Baron

By Matthew Probert

In 1969 Neil Armstrong stepped onto the moon. It was a momentous year for the world. But no-one at the time paid much attention to a baby boy being born in a town in southern England. This baby boy was destined to grow into one of the most infamous computer virus writers of all time. In 1969 The Black Baron was born!

The Black Baron never set out to become a computer virus writer. He left school at sixteen with a handful of CSEs and a burning desire to be a commercial airline pilot. He enjoyed swimming and science fiction comedy shows, such as Red Dwarf, and did all the things that any normal, healthy young man would do. He learnt to drive, passed his driving test and settled into several years of unemployment. He is at pains to point out that he is not a thug and that he has no criminal convictions; "I don't even have a point on my driving licence" he laughs, when asked about criminal activities.

And yet what inspires a normal, healthy, well-balanced young man to create the ultimate in computer terrorism, a polymorphic computer virus? In examining the Black Baron's motives one must consider his state of mind. Is he perhaps a shy, withdrawn individual who has problems with interpersonal relationships? No is the answer. He is not the cliché of a computer programmer. He owns a single second-hand Tandon 286 PC with an Amstrad monitor, and a rather old and modest modem. "I don't even like computer programming!" he says when asked about it.

Perhaps, however, he is upset by his unemployment? An individual with his obvious and undeniable talent must surely feel some resentment at being unemployed. He doesn't blame the computer industry directly, but he certainly does resent the "old school tie" attitude which is so prevalent in England today, and he blames the Conservative government for doing much to reinforce this approach to employment. "I don't wear the right colour tie" he says.
The inspiration to create a computer virus came to the Black Baron after he read Ross M. Greenberg's comments about computer virus authors. Mr Greenberg, the American author of an anti-virus product called "Flu Shot", is very scathing and critical of people who write computer viruses. Indeed the introduction to the instruction manual which accompanies Flu Shot is preoccupied with questioning the emotional stability of the people who write computer viruses. I quote:

Introduction

What is a Trojan?
=================

Back in the good old days (before there were computers), there was this bunch of soldiers who had no chance of beating a superior force or of even making it into their fortress. They had this nifty idea: present the other side with a gift. Once the gift had been accepted, soldiers hiding within the gift would sneak out and overtake the enemy from within.

We can only think of the intellectual giants of the day who would accept a gift large enough to house enemy soldiers without checking its contents. Obviously, they had little opportunity to watch old WWII movies to see the same device used over and over again. They probably wouldn't have appreciated Hogan's Heroes anyway. No color TVs -- or at least not ones with reliable reception.

Consider the types of people who would be thrilled at the concept of owning their own rough-hewn, large wooden horse! Perhaps they wanted to be the first one on their block, or something silly like that. Anyway, you're all aware of the story of The Trojan Horse.

Bringing ourselves a bit closer to the reality we've all grown to know and love, there's a modern day equivalent: getting a gift from your BBS or user group which contains a little gem which will attack your hard disk, destroying whatever data it contains.
In order to understand how a potentially useful program can cause such damage when corrupted by some misguided soul, it's useful to understand how your disk works, and how absurdly easy it is to cause damage to the data contained thereon. So, a brief technical discussion of the operation of your disk is in order. For those who aren't concerned, turn the page or something.

Data is preserved on a disk in a variety of different physical ways having to do with how the data is encoded in the actual recording of that data. The actual *structure* of that data, however, is the same between MS-DOS machines. Other operating systems have a different structure, but that doesn't concern us now.

Each disk has a number of "tracks". These are sometimes called cylinders by the old-type IBMers. These are the same people who call hard disks DASDs (Direct Access Storage Devices), so we can safely ignore their techno-speak, and just call them tracks. Tracks can be thought of as the individual little grooves on an audio record, sort of. Anyway, each track is subdivided into a number of sectors. Each track has the same number of sectors. Tracks are numbered, as are sectors. Any given area on the disk can be accessed if a request is made to read or write data into or out of Track-X, Sector Y.

The read or write command is given to the disk controller, which is an interface between the computer itself and the hard disk. The controller figures out what commands to send to the hard disk, the hard disk responds and the data is read or written as directed.

The first track on the hard disk typically will contain a small program which is read from the hard disk and executed when you first power up your machine. The power up sequence is called "booting" your machine, and therefore the first track is typically known as the "boot track".

In order to read information from your disk in a logical sequence, there has to be some sort of index. An unusual index method was selected for MS-DOS.
Imagine going to the card index in a library, looking up the title you desire, and getting a place in another index which tells you where on the racks the book is stored. Now, when you read the book, you discover that only the first chapter of the book is there. In order to find the next chapter of the book, you have to go back to that middle index, which tells you where the next chapter is stored. This process continues until you get to the end of the book. Sounds pretty convoluted, right? You bet! However, this is pretty much how MS-DOS does its "cataloguing" of files.

The directory structure of MS-DOS allows for you to look up an item called the "first cluster". A cluster represents a set of contiguous ("touching or in contact" according to Random House) tracks and sectors. It is the smallest amount of information which the file structure of MS-DOS knows how to read or write. Based on the first cluster number as stored in the directory, the first portion of a file can be read. When the information contained therein is exhausted, MS-DOS goes to that secondary index for a pointer to the next cluster. That index is called the File Allocation Table, commonly abbreviated to "FAT".

The FAT contains an entry for each cluster on the disk. A FAT entry can have a few values: ones which indicate that the cluster is unused, another which indicates that the associated cluster has been damaged somehow and that it should be marked as a "bad cluster", and a pointer to the next cluster for a given file. This allows for what is called a linked list: once you start looking up clusters associated with a given file, each FAT entry tells you what the next cluster is. At the end of the linked list is a special indicator which indicates that there are no more clusters associated with the file. There are actually two copies of the FAT stored on your disk, but no one really knows what the second copy was intended for.
Often, if the first copy of the FAT is corrupted for some reason, a clever programmer could recover information from the second copy to restore to the primary FAT. These clever programmers can be called "hackers", and should not be confused with the thieves who break into computer systems and steal things, or the "worms" [Joanne Dow gets credit for *that* phrase!] who would get joy out of causing you heartache!

But that heartache is exactly what can happen if the directory (which contains the pointer to the first cluster a file uses), the FAT (which contains that linked list to other areas on the disk which the file uses), or other areas of the disk get corrupted. And that's what the little worms who create Trojan programs do: they cause what at first appears to be a useful program to eventually corrupt the important parts of your disk. This can be as simple as changing a few bytes of data, or can include wiping entire tracks clean.

Not all programs which write to your hard disk are bad ones, obviously. Your word processor, spreadsheet, database and utility programs have to write to the hard disk. Some of the DOS programs (such as FORMAT), if used improperly, can also erase portions of your hard disk causing you massive amounts of grief. You'd be surprised what damage the simple "DEL" command can do with just a simple typo. But, what defines a Trojan program is its delivery mechanism: the fact that you're running something you didn't expect.

Typical Trojan programs cause damage to your data, and were designed to do so by the worms who writhe in delight at causing this damage. May they rot in hell -- a mind is a terrible thing to waste! Considering the personality required to cause such damage, you can rest assured that they have few friends, and even their mother doesn't like to be in the same room with them. They sit back and chortle about the damage they do with a few other lowly worms. This is their entire social universe. You should pity them. I know that I do.
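To make the cluster chain and the second FAT copy described in the quoted Flu Shot text concrete, the following is an added example in Python; it is editorial code, not part of the Flu Shot documentation or of this article. The 12-bit entry packing and the reserved values (free, bad cluster, end of chain) are the standard FAT12 encoding; the cluster size, table size, file contents and the "Trojan scribble" over the first FAT are all constructed here for illustration. The walker refuses chains that run into a free or bad cluster and stops on a looped chain, which any recovery tool that follows the FAT must guard against.

```python
"""Added example: walk a FAT12 cluster chain, then recover from the second FAT.

Editorial example, not code from Flu Shot or this article. The 12-bit entry
packing and the reserved values (0x000 free, 0xFF7 bad, 0xFF8+ end of chain)
are the standard FAT12 encoding; everything else (cluster size, table size,
file contents, the corruption) is constructed here for illustration.
"""

CLUSTER_SIZE = 8        # bytes per cluster in this toy image (assumption)
FAT_ENTRIES = 16        # clusters 0 and 1 are reserved, so 14 data clusters
FREE = 0x000
BAD_CLUSTER = 0xFF7
END_OF_CHAIN = 0xFF8    # any entry >= 0xFF8 terminates a chain


class ChainError(ValueError):
    """Raised when a FAT chain cannot be followed to a clean end."""


def fat12_get(fat: bytes, n: int) -> int:
    """Read 12-bit entry n: even entries use the low 12 bits of a byte pair,
    odd entries the high 12 bits of the overlapping pair."""
    off = (n * 3) // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return (pair >> 4) if n & 1 else (pair & 0x0FFF)


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write 12-bit entry n without disturbing the neighbouring entry's nibble."""
    off = (n * 3) // 2
    pair = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        pair = (pair & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        pair = (pair & 0xF000) | (value & 0x0FFF)
    fat[off] = pair & 0xFF
    fat[off + 1] = (pair >> 8) & 0xFF


def walk_chain(fat: bytes, first: int) -> list:
    """Follow the linked list from a directory entry's first cluster.
    Refuses free/bad targets and loops instead of reading forever."""
    chain, seen, cur = [], set(), first
    while True:
        if cur < 2 or cur >= FAT_ENTRIES:
            raise ChainError("cluster %d out of range" % cur)
        if cur in seen:
            raise ChainError("chain loops back to cluster %d" % cur)
        seen.add(cur)
        chain.append(cur)
        nxt = fat12_get(fat, cur)
        if nxt >= END_OF_CHAIN:
            return chain
        if nxt == BAD_CLUSTER or nxt == FREE:
            raise ChainError("cluster %d points to a %s cluster"
                             % (cur, "bad" if nxt == BAD_CLUSTER else "free"))
        cur = nxt


def read_file(fat: bytes, data: bytes, first: int, size: int) -> bytes:
    """Concatenate the clusters of a chain; cluster 2 is the first data cluster."""
    blob = b"".join(data[(c - 2) * CLUSTER_SIZE:(c - 1) * CLUSTER_SIZE]
                    for c in walk_chain(fat, first))
    return blob[:size]


def build_image():
    """Constructed image: one file stored in clusters 2 -> 5 -> 3 (out of order,
    as files become after deletes and rewrites), a directory entry, and the
    second FAT copy that DOS keeps alongside the first."""
    fat1 = bytearray(FAT_ENTRIES * 3 // 2)
    fat12_set(fat1, 0, 0xFF0)        # media descriptor slot
    fat12_set(fat1, 1, 0xFFF)        # reserved
    fat12_set(fat1, 2, 5)
    fat12_set(fat1, 5, 3)
    fat12_set(fat1, 3, 0xFFF)        # end of chain
    data = bytearray(CLUSTER_SIZE * (FAT_ENTRIES - 2))
    for cluster, chunk in ((2, b"Hello, B"), (5, b"lack Bar"), (3, b"on!")):
        start = (cluster - 2) * CLUSTER_SIZE
        data[start:start + len(chunk)] = chunk
    directory = {"README": {"first_cluster": 2, "size": 19}}
    return fat1, bytearray(fat1), data, directory


def demo() -> tuple:
    """Read the file, corrupt FAT1 the way a Trojan might, then recover via FAT2."""
    fat1, fat2, data, directory = build_image()
    entry = directory["README"]
    before = read_file(fat1, data, entry["first_cluster"], entry["size"])
    fat12_set(fat1, 2, FREE)         # the file's first link now claims "unused"
    try:
        read_file(fat1, data, entry["first_cluster"], entry["size"])
        recovered = None
    except ChainError:
        recovered = read_file(fat2, data, entry["first_cluster"], entry["size"])
    return before, recovered


if __name__ == "__main__":
    print(demo())
```

Running the file prints the same 19-byte text twice: once read through the intact first FAT, and once recovered through the second copy after the first has been damaged. The out-of-order chain (2, then 5, then 3) is the point the quoted text makes about the "middle index": the directory only knows where the file starts, and every later piece is found by following the FAT.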
What is a Virus?
================

Trojan programs are but a delivery mechanism, as stated above. They can be implemented in a clever manner, so that they only trigger the malicious part on a certain date, when your disk contains certain information or whatever. However they're coded, though, they typically affect the disk only in a destructive manner once triggered.

A new breed of programs has the capability of not only reserving malicious damage for a given event's occurrence, but of also replicating itself as well. This is what people refer to when they mention the term "Virus Program". Typically, a virus will spread itself by replicating a portion of itself onto another program. Later, when that normally safe program is run it will, in part, execute a set of instructions which will infect other programs and then potentially, trigger the Trojan portion of the program contained within the virus.

The danger of the virus program is twofold. First, it contains a Trojan which will cause damage to your hard disk. The second danger is the reason why everyone is busy building bomb shelters. This danger is that the virus program will infect other programs and they in turn will infect other programs and so forth. Since it can also infect programs on your floppy disks, you could unknowingly infect other machines! Pretty dangerous stuff, alright!

Kenneth van Wyck, one of the computer folks over at Lehigh University, first brought a particular virus to the attention of the computer community. This virus infects a program, which every MS-DOS computer must have, called COMMAND.COM. This is the Command Line Interpreter and is the interface between your keyboard and the MS-DOS operating system itself. Whatever you type at the C: prompt will be interpreted by it. Well, the virus subverts this intended function, causing the infection of neighboring COMMAND.COMs before continuing with normal functionality of the command you typed.
After a certain number of "infections", the Trojan aspect of the program goes off, causing you to lose data. The programmer was clever. But still a worm. And still deserving of contempt instead of respect. Think of what good purposes the programmer could have put his or her talents to instead of creating this damage.

And consider what this programmer must do, in covering up what they've done. They certainly can't tell anyone what they've accomplished. Justifiable homicide comes to mind, but since the worms they must hang around are probably as disreputable as they are, they must hold their little creation a secret. A pity. Hopefully, the worm is losing sleep. Or getting a sore neck looking behind them wondering which of their "friends" are gonna turn them in for the reward I list towards the end of this document.

The Challenge to the Worm
=========================

When I first released a program to try to thwart their demented little efforts, I published this letter in the archive (still in the FLU_SHOT+ archive of which this is a part). What I say in it still holds:

As for the designer of the virus program: most likely an impotent adolescent, incapable of normal social relationships, and attempting to prove their own worth to themselves through these types of terrorist attacks. Never succeeding in that task (or in any other), since they have no worth, they will one day take a look at themselves and what they've done in their past, and kill themselves in disgust. This is a Good Thing, since it saves the taxpayers' money which normally would be wasted on therapy and treatment of this miscreant.

If they *really* want a challenge, they'll try to destroy *my* hard disk on my BBS, instead of the disk of some innocent person. I challenge them to upload a virus or other Trojan horse to my BBS that I can't disarm. It is doubtful the challenge will be taken: the profile of such a person prohibits them from attacking those who can fight back.
Alas, having a go with this lowlife would be amusing for the five minutes it takes to disarm whatever they invent. Go ahead, you good-for-nothing little slimebucket: make *my* day!

Alas, somebody out there opted to do the cowardly thing and to use the FLUSHOT programs as a vehicle for wreaking still more destruction on people like you. The FLUSHOT3 program was redistributed along with a companion program to aid you in reading the documentation. It was renamed FLUSHOT4. And the reader program was turned into a Trojan itself. I guess the programmer involved was too cowardly to take me up on my offer and prefers to hurt people not capable of fighting back. I should have known that, I suppose, but I don't normally think of people who attack innocents. Normally, I think of people to respect, not people to pity, certainly not people who must cause such damage in order to "get off". They are below contempt, obviously, and can do little to help themselves out of the mire they live in. Still, a worm is a worm.

Incensed by what he saw as the narrow, bigoted attitude of the author, our young man, then twenty-four years old, decided to write a program which would infect other computer programs, and more than that: one which would change its form with each infection so as to avoid detection by Flu Shot and other virus scanners. At Christmas 1993 Pathogen was completed. One month later SMEG 0.1 was included and the first SMEG virus hit the computer world. In February 1994 Black Baron, as the author was calling himself, released a subsequent computer virus, Queeg. This time he updated the polymorphic engine (SMEG) to version 0.2. Shortly afterwards the Thunderbyte anti-virus software underwent a major new release, version 6.20, which in fairness detects 96% of SMEG version 0.1 and version 0.2 infections. Unfortunately, the authors of Thunderbyte suffer from the same arrogance as Mr Greenberg.
They have widely boasted that their new virus scanner can detect any polymorphic virus. Needless to say, this is seen as a challenge by Black Baron, and being an Englishman, he can't resist a challenge. It is not surprising to learn, then, that as I write this in June 1994 Black Baron is just finishing off SMEG version 0.3, which is completely undetectable by any current virus scanner, including Thunderbyte release 6.20.

I ask myself when this is all going to end. Perhaps when computer users become sufficiently educated to be able to use the equipment at their disposal. Perhaps when computers stop attracting social inadequates, by which I mean the arrogant members of the anti-virus lobby as well as the nefarious virus authors.

But what of the Black Baron? What is he? Is he a malicious criminal? A computer terrorist? A social inadequate trying to reassure himself about his own inadequacies by destroying computer data? I don't believe so. I have spoken to Black Baron on a number of occasions. He is happy to discuss his work and, at my request, he has even released a document detailing the design of SMEG. He doesn't feed on the panic and fear that SMEG viruses such as Pathogen and Queeg cause. Rather, he revels in the embarrassment and panic which his software causes the arrogant anti-virus writers.

It is quite questionable whether Black Baron was sensible in taking this course of action. It does appear that he has adopted an "I'll show you" attitude. But it is equally obvious that the real villain is the person who caused the trouble in the first place, Mr Greenberg and his arrogant and bigoted view.

You still don't believe me? Okay, as a finale let me say this. Black Baron knows that I write anti-virus software. He knew this before he gave me an interview. And knowing that I write anti-virus software, he provided me with the source code of Pathogen, Queeg and SMEG so that I might improve my anti-virus software.
He even supplied me with software which creates safe SMEG-encrypted programs for testing purposes. These are not the actions of a madman. These are the actions of a man who just wants to be respected for what he is: a damn hot programmer.

After talking with him, I understand the Black Baron. I feel sorry for him as well. He is a highly gifted individual who has not been given a chance by computer society, so he has made his own chance. We all need recognition, mainly through employment, but we as thinking machines must receive recognition for our abilities. Otherwise we sink into melancholy and paranoia. Black Baron has received his recognition.

We, the computer society, are responsible for the creation of Pathogen, Queeg, SMEG and all the other computer viruses. We have no one to blame but ourselves. It is our desire to keep the computer fraternity a closed club which has alienated so many of our colleagues. By rubbing their noses in it, so to speak, we have begged for trouble, and like the inhabitants of Troy, we have received it.

Matthew Probert
Servile Software