Symantec Blogs: Security Response

Peter Ferrie | January 2nd, 2008

Recently, a post to the full-disclosure mailing list described an update to the well-known MD5 collision problem. The authors, Marc Stevens, Arjen K. Lenstra, and Benne de Weger, provided a method whereby they can append only a few thousand bytes to two arbitrary files, with the result that both files have the same MD5 value. This is known as a "chosen-prefix collision": the two prefixes are chosen freely and independently beforehand, and only the appended bytes differ between the two files. Not only that, but they produced their proof-of-concept files using one machine in less than two days. If you distribute the work, you can make it go faster.

While what they have achieved is not the same as producing an identical MD5 for an existing file (a second-preimage attack, which is not what this result delivers), it's still not a good thing. In particular it causes serious trouble for application white-listing implementations that identify a program by its MD5 alone. Why? Imagine this scenario:
- malware author creates a harmless application.
- malware author creates a malicious application.
- malware author uses the chosen prefix collision method to alter these two...
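The scenario the post begins to sketch, as an added example that is not part of the post or of the Stevens, Lenstra and de Weger work: a toy 16-bit Merkle-Damgård hash (an assumption standing in for MD5's 128-bit state) with a plain birthday search standing in for their differential-path construction. It shows the two structural facts the attack relies on, which hold for real MD5 as well: each file gets its own appended block that brings the internal chaining state of both files together, and because the hash is iterated, any suffix common to both files keeps the digest equal. A hash-only allowlist that admits the harmless file then admits its malicious twin. The block sizes, the helper names and the two sample "executables" are constructed for the example.

```python
import hashlib
import random
import struct

# Toy Merkle-Damgard hash: 16-bit chaining state, 4-byte blocks.  The sizes are
# assumptions chosen so a birthday search finishes instantly; MD5 has a 128-bit
# state and 64-byte blocks but the same iterated structure.
STATE_BITS = 16
BLOCK = 4
IV = 0x1234


def _compress(state: int, block: bytes) -> int:
    """Compression function: SHA-256 of (state || block), truncated to 16 bits."""
    digest = hashlib.sha256(struct.pack(">H", state) + block).digest()
    return struct.unpack(">H", digest[:2])[0]


def _ihv(data: bytes) -> int:
    """Intermediate hash value after absorbing whole blocks of data (no padding)."""
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    state = IV
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state


def toy_md(data: bytes) -> int:
    """Finished hash: MD-strengthening padding (0x80, zeros, 32-bit length)."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK)
    padded += struct.pack(">I", len(data))
    return _ihv(padded)


def _equalize(p1: bytes, p2: bytes) -> tuple[bytes, bytes]:
    """Pad both prefixes with zero bytes to the same whole-block length.

    The attacker controls both files, so trailing filler (which an executable
    loader ignores) is free; equal lengths make the final padding blocks identical.
    """
    target = -(-max(len(p1), len(p2)) // BLOCK) * BLOCK
    return p1.ljust(target, b"\x00"), p2.ljust(target, b"\x00")


def chosen_prefix_collision(p1: bytes, p2: bytes, seed: int = 0) -> tuple[bytes, bytes]:
    """Return (p1 + s1, p2 + s2) with toy_md(p1 + s1) == toy_md(p2 + s2).

    Birthday search on one appended block per file.  This generic search costs
    about 2^(STATE_BITS/2) work; against MD5 that would be 2^64, which is why
    the published differential-path construction matters.
    """
    rng = random.Random(seed)
    p1, p2 = _equalize(p1, p2)
    iv1, iv2 = _ihv(p1), _ihv(p2)

    def rand_block() -> bytes:
        return rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")

    # Table of chaining states reachable from prefix 1, then probe from prefix 2.
    table: dict[int, bytes] = {}
    for _ in range(1 << (STATE_BITS // 2)):
        s1 = rand_block()
        table.setdefault(_compress(iv1, s1), s1)
    for _ in range(1 << 20):
        s2 = rand_block()
        s1 = table.get(_compress(iv2, s2))
        if s1 is not None:
            return p1 + s1, p2 + s2
    raise RuntimeError("no collision found (statistically implausible)")


def allowlist_admits(allowed_hashes: set[int], candidate: bytes) -> bool:
    """A hash-only allowlist check, the kind the post warns about."""
    return toy_md(candidate) in allowed_hashes


# Constructed stand-ins for the two executables; real files would be PE images.
HARMLESS = b"harmless app: print('hello')"
MALICIOUS = b"malicious app: erase_everything()"

if __name__ == "__main__":
    good, bad = chosen_prefix_collision(HARMLESS, MALICIOUS, seed=1)
    print(f"same hash: {toy_md(good) == toy_md(bad)}  (0x{toy_md(good):04x})")
    # Iterated hash: once the chaining states agree, any common suffix keeps them equal.
    print("common suffix preserves it:", toy_md(good + b"tail") == toy_md(bad + b"tail"))
    # The vendor allowlists the harmless file; the malicious twin passes the same check.
    print("malicious file admitted:", allowlist_admits({toy_md(good)}, bad))
```

The search costs about 2^8 compressions here only because the state is 16 bits; the same generic birthday attack on MD5 would cost roughly 2^64, and the point of the published method is that it brings a chosen-prefix collision down to what one machine does in under two days. The practical consequence for an allowlist is that the digest of a file whose bytes the attacker chose is not an identity: key the list on a hash without practical collisions and, better, on a verified publisher signature.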

Peter Ferrie | December 27th, 2007

There should be no question anymore that the VX scene is dying.

On the 29A forum there was a post that roy g biv has officially left the 29A group. Given that Vallez has been silent for over a year, it seems clear that the 29A group is really dead now. We wish the boys luck in whatever legal pursuits they find now.

On the EOF and DoomRiderz fora, we can read that neither group has enough material for a new zine. On the rRlf site there's a message that the same thing has happened to them. EOF and DoomRiderz already announced their intention to produce a combined zine and now rRlf has announced that they will join in, too. Of course, if people are submitting the same thing to multiple groups in case one of them releases a zine, then even those three groups combined might not have enough material for a zine. In any case, it will probably not happen this year.

This brings us to another point - the supposed AV-VX "symbiotic relationship." It should be...

Peter Ferrie | January 29th, 2007

The latest news (as of January 23rd) is that the virus writing group 29A is reforming, but with most of the coders missing. Gone are GriYo, Vecna, and Zombie. We knew that Vecna had left, but that GriYo and Zombie have left as well suggests that the "internal issues" are a difference of opinion about who should do what. A coup in a virus writing group? It's all so political.

So that leaves VirusBuster, who has come out of retirement, and presumably Vallez. It is unclear if roy g biv will join them, given that today he placed W32.Stutter on a popular VX website, under the Defjam label.

Ultimately, though, the point is "who cares"? A virus writing group that doesn't write viruses—that’s always a good thing.

Peter Ferrie | January 4th, 2007

While we probably haven't heard the last of virus writer SPTH, his announcement about leaving the rRlf (Ready Rangers Liberation Front) is welcome news. Further good news was the "lack of time" cited as his reason for leaving. This suggests that he's busy doing things other than writing viruses, and that is to be encouraged (the "doing things other than" part, not the "writing viruses" part, of course).

Even though his viruses were not on the order of complexity of some others in recent times, there is no question that he had a knack for finding just the right target to interest the media. With media attention comes the associated "coolness" factor that encourages some people to start writing viruses in the first place. And once a virus receives attention from the media, other virus writers will often target the same platform.

In my W64/Bounds article for...

Peter Ferrie | December 1st, 2006

It's been more than two months since the disbanding of the 29A virus writing group, and in typical 29A fashion, we're still waiting for the official announcement. Of course, that's fine – as long as they're no longer writing viruses we don't care if they tell us or not. Maybe they're waiting for January 1. ;-)

What fun we can have speculating on the “hows” and “whys”, such as that Vecna left the group and nobody noticed, or that roy signs his viruses with a different group name and nobody cares. Zombie's site has been closed for a long time already; now the 29A site, hosted by GriYo, is gone. First it was replaced by GriYo's radio interviews and then it was removed completely. Benny's real name is known and probably Ratter's and Vecna's are, too. They must know that they can't move freely anymore. As for roy, I think he is actually not just one person but several, although that's a topic for another day (although they should all quit).

Anyway, these are all...

Peter Ferrie | October 11th, 2006

Some time ago, the author of W32.Gatt had posted a comment on his Web site that said he read my blog entry about this particular virus. From there on in he assumes that we visit his page often. In fact, we have no need for it—customers are doing that for us.

We receive samples almost as soon as they appear on any Web site, anywhere in the world, and we are notified about curious comments like that one. To quote the virus author's entry: "Interpretation without a context of information." Well, exactly. Interestingly, while the author claims that Symantec was wrong about why the source was not released, he does not tell us why the source wasn’t released. It must be quite sensitive, maybe even better than my reason, but until we know, I'll stick with my...

Peter Ferrie | September 6th, 2006

I’ll admit right now that this entry is a tease, because I can't tell you how I did it. However, I'll start by saying that there are some people out there who are claiming that hardware-assisted hypervisors are completely undetectable and some people who are claiming that they are not.

The people claiming that hardware-assisted hypervisors are undetectable are basing their argument on several things. First, the sensitive instructions that allow detection of software-based VMMs are trapped by a hardware-assisted hypervisor so that they can be emulated appropriately, if necessary. Second, some registers already have hardware-backed shadow copies; so, as an example, trying to leave paged protected mode (which is not permitted—not even in root mode) might seem like it worked, but it didn't really, because the hypervisor will simply switch the guest into v86 mode and the shadow CR0 will be lying to you. Third, the delivery of physical memory can be intercepted and...

Peter Ferrie | August 15th, 2006

In February of this year, Virus Bulletin published one of my articles in which I was speculating about the meaning of a message that a certain virus was displaying. My questions were in regard to the W32.Idonus virus and more specifically, the word "Genetix" that was displayed. When executed, the virus randomly (a one in 1,983 chance) chose whether or not to display the message “GeNeTiX is EVIL!”

In the Virus Bulletin article I suggested that “Genetix” could be referring to a particular molecular biology company, an anti-GMO food organization, or perhaps something else entirely. Well, as it turned out, the term “Genetix” was actually referring to a person. Not just any person, it seems, but the actual virus writer. In an attempt to make this clear, the virus writer has created a new virus (...