Date: 05 Feb 93 11:51:29 EST
From: The Crypt Newsletter <70743.1711@COMPUSERVE.COM>
Subject: File 8--Some Comments on "Approach Zero" (review)

Dear CuD:

I'm sure a number of your readers have, by now, browsed through the February issue of Discover magazine and seen the excerpt from another book on "hackers" called "Approaching Zero," to be published by Random House. The digested portion is from a chapter dealing with what authors Bryan Clough and Paul Mungo call "the Bulgarian virus connection." While I found it interesting - outwardly a brightly written article - to someone a little more familiar with the subject matter than the average Discover reader, it was another flawed attempt at getting the story right for a glossy magazine-type readership.

First, I was surprised that reporters Mungo and Clough fell short of an interview with virus author the Dark Avenger. Since they spent so much time referring to him and publishing a few snippets of his mail, it was warranted, even if he is a very tough contact.

In addition, they continually exaggerate points for the sake of sensationalism. As for their claim that the Dark Avenger's "Mutating Engine" may be "the most dangerous virus ever produced," there's no evidence to support it. And they continue the hallowed media tradition of calling the Mutation Engine a virus. It's not. The Mutation Engine is a device which can be included in virus code to grant the virus a sophisticated, variable encryption. That's all. It does not automatically make a virus horribly destructive; that's a feature virus-writers put into viruses separate from the Engine. And although the first Mutation Engine viruses introduced into the U.S. could not be detected by scanners included in commercial anti-virus software, most of these packages included tools to monitor data passively on any machine. These tools COULD detect Mutation Engine viruses, a fact that can still be demonstrated with copies of the software. It's also a fact that almost everyone covering the Mutation Engine angle glosses over, if they bother to mention it at all. In any case, Mutation Engine code is well understood and viruses equipped with it are now no more hidden than viruses which don't include it.

Of greater interest, and an issue Mungo and Clough don't get to, is the inspiration the Dark Avenger Mutation Engine supplied to virus programmers. By the summer of 1992, disassembled versions of the Mutation Engine were widely available on underground BBS's in this country and abroad. It seemed only a matter of time before similar code kernels with more sophisticated properties popped up, and this has been the case. Coffeeshop, a virus mentioned in the original Discover piece, is just such an animal, although the authors don't get into it. Coffeeshop utilizes a slightly more sophisticated variable encryptor - called the Trident Polymorphic Engine - which adds a few features not present in the Dark Avenger model. It, too, has been distributed in this country as a device which can be utilized by virus authors interested in shotgunning it into their own creations. It is of Dutch origin, produced by a group of programmers operating under the name "TridenT." They freely acknowledge the inspiration of the Mutation Engine. Curiously, Coffeeshop is Dutch slang for a place to pick up some marijuana. Interesting, is it not? However, the Trident Polymorphic Engine is no more inherently dangerous than the Mutation Engine. Viruses utilizing it can be detected by the same tools used to detect Mutation Engine viruses before those could be scanned.

The reporters also claim that disassembling a virus to find out what it does is a "difficult and time-consuming process" capable of being carried out "only by specialists." This is another myth which feeds the perception that viruses are incredibly complicated and that one can only be protected from them by the right combination of super-savvy experts. It has NO basis in reality. Almost all computer viruses can be disassembled within 5-10 minutes by individuals with only a modest understanding of computer programming and access to one or two common diagnostic programs. The programs are so user-friendly they can even print out a summary of a virus's key instructions! It's a complete myth that anyone needs to be some kind of high-powered programming expert to understand and analyze computer viruses.

And that's what's the most irritating about Mungo and Clough's research. In search of the cool story, they further the dated idea that virus-programming is some kind of arcane art, practiced by "manic computer freaks" living in a few foreign countries where politics and the economy are oppressive. While it's true that a few viruses are clever, sophisticated examples of programming, the reality is that almost anyone (from 15-year-olds to middle-aged men) with a minimal understanding of assembly language can write them from scratch or cobble new ones together from pieces of found code.

Since everyone's computers DON'T seem to be crashing from viral infection right and left (remember Michelangelo?), Mungo and Clough, in my opinion, really stretch the danger of the "Bulgarian virus factory." This is such an old story it has almost become shtick, a routine which researcher Vesselin Bontchev (apparently Clough and Mungo's primary source) has parlayed into an intriguing career. A great number of the 200 or so Bulgarian viruses the reporters mention in fear-laden terms ARE already here, too - stocked on a score of BBS's run by programmers and computer enthusiasts.

Mungo and Clough years." That's an easy, leading call to make because no one will remember or hold them to it in 2000. I suggest "We don't know." Now that would have been more honest. But I doubt if it would have sold as well.

Downloaded From P-80 International Information Systems 304-744-2253
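Editor's added illustration (not part of the letter above, nor code from the book or software it discusses): the letter's point that a variable-encryption engine defeats byte-pattern scanners while "passive" monitoring tools still catch the infection comes down to a difference in what each tool looks at. A scanner needs an exact byte string, so two differently encrypted copies of the same code are two different strings to it; an integrity checker only asks whether a program's contents changed since a trusted baseline, so it is indifferent to how the added bytes are encoded. The file names, byte contents and the "signature" below are all constructed for this example.

```python
# Added example: a toy integrity checker (a "passive monitor" in the
# letter's terms) beside a toy signature scanner, run over constructed
# sample files. Nothing here is code from the letter or the reviewed book.
import hashlib
from typing import Dict, List

# Constructed sample: a clean set of programs, then the same set after
# EDIT.COM has been altered in two byte-different ways (standing in for
# two variably-encrypted copies of the same added code).
CLEAN: Dict[str, bytes] = {
    "COMMAND.COM": b"\xeb\x1c\x90 MSDOS COMMAND clean sample",
    "EDIT.COM": b"\xb8\x00\x00\xcd\x21 EDIT clean sample",
}
INFECTED_A: Dict[str, bytes] = {**CLEAN, "EDIT.COM": CLEAN["EDIT.COM"] + b"\x5a\x5a\xc3\x17\x88"}
INFECTED_B: Dict[str, bytes] = {**CLEAN, "EDIT.COM": CLEAN["EDIT.COM"] + b"\x31\x02\x9f\xe4\x6d"}

# A byte-string "signature" taken from variant A only (constructed).
SIGNATURE_A = b"\x5a\x5a\xc3\x17\x88"


def hash_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: one content hash per file name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def compare_baseline(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Integrity check: report files whose content changed, appeared or vanished."""
    now = hash_files(current)
    return {
        "modified": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
        "added": sorted(n for n in now if n not in baseline),
        "removed": sorted(n for n in baseline if n not in now),
    }


def signature_scan(files: Dict[str, bytes], signature: bytes) -> List[str]:
    """Scanner: flag only files containing the exact byte pattern."""
    return sorted(name for name, data in files.items() if signature in data)


def demo() -> Dict[str, List[str]]:
    """Run both tools over both variants; the scanner misses B, the checker catches both."""
    baseline = hash_files(CLEAN)  # taken while the machine is known clean
    return {
        "scan_a": signature_scan(INFECTED_A, SIGNATURE_A),
        "scan_b": signature_scan(INFECTED_B, SIGNATURE_A),
        "integrity_a": compare_baseline(baseline, INFECTED_A)["modified"],
        "integrity_b": compare_baseline(baseline, INFECTED_B)["modified"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the baseline must be taken while the system is trusted and stored where the monitored programs cannot alter it; an integrity checker whose hash database lives on the same writable disk is only as good as the protection of that database. The same content-agnostic property that lets it catch re-encrypted variants also means it cannot say what the change was, which is where the disassembly the letter describes takes over.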