Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada from July 9 through the 11th, 1999. This is videotape number 28, Introduction to Virus. I've been working with International Networking Services for a while now, a really, really great company, very happy there. They send me to fun places like this. The day I got hired I said, okay, there's a situation. I'd love to work for you guys, but I want to go to Black Hat and DEF CON. They said, okay, sure. I'm there. I work for you. Okay, I think it's safe to start here. I think we hear it at the three o'clock mark. One minute short, close enough. Can we dim the lights a little bit? Anybody? Bueller? Anybody? Can everybody see that okay? Is it a little lighter? Hey, thank you. I can take credit for that. They came with PowerPoint. Yeah, Karen, there's like 30 knobs back there. Like, which one takes what? No idea. Does anybody know how to dim the lights? Just like shot. Yeah, we'll just take out the lights one by one. Well, you got the back ones. That's good. Good, good, good. Thank you very much. Oh, hi, and welcome to the Introduction to Computer Viruses. My name is Robert James Lupo, aka Virus. Rockin'. Cool. Let's see if we can get through this in 50 minutes so I have time left over for questions here. Introduction. At the end of this presentation, you should be able to understand the basics of computer viruses and how they affect computer systems. Basically, I'm going to go into a really basic introduction on the different types of computer viruses. I'm not going to go into a lot of depth. I'll be happy to answer questions, but this is an introduction. This is going to give you a grasp on how computer viruses actually affect different systems. We're going to cover the types of computer viruses. I'm going to talk about fakes and false alarms in the world at this point right now. And then we'll wrap it up with the conclusion and questions at the end.
These are the computer viruses. These are the basic types. We have boot sector, file infector, multipartite, and macro viruses. Now, I saved macros for the end because it actually happens to be the one virus I know the least about. But it also happens to be what's mostly getting a lot of press in the world right now. So I can tell you kind of what I know about them. I don't play with them that often. Boot sector viruses. We'll go over how they work and the different types. Can you actually see that? Yeah, there we go. All right. Boot sector viruses attack the master boot record of the hard drive or the floppy disk. Now, to give you an idea of how easy it is to actually infect a floppy disk or a hard drive: if I have an infected floppy disk, I can put it in the A drive. From my command prompt, if I just do a directory of that C drive, I've instantaneously infected the hard drive. Just by accessing the disk. The master boot record is divided up into three different parts. We have the code, the FAT partition info, you know, the file allocation and the partition information, and the marker of 55AA, as I put right there. Now, the code portion of the master boot record is what you see when you see like the syntax error, stuff like that, or like, you know, invalid drive or stuff like that. That stuff's all encoded in there. These are all the little error codes. This is what tells the computer how to boot up, how to access the partition information. I want you to remember that portion, how to access the partition information. We're going to get into that in a few seconds here. What the virus does is it first copies the boot code on the drive to a different sector of the media. Several viruses will copy to like sector 7, 9, 12, 17, 22. What I normally do is if I'm looking for a boot sector virus, I actually look at each sector up to about sector 25, and I actually look for an absolute duplicate of the boot code.
If I see it on other sectors, that usually gives me an indication that I have a boot sector virus or have been infected at one time. A really great tool to use for this is Norton Utilities Disk Editor; it was my absolute favorite tool for this. I'd actually go in and actually view the boot sector. After it copies the code over to a different sector, the thing copies the virus code over the code portion of the master boot record. At the end of the virus code, it actually points to different sectors. Now here's the really interesting factor dealing with boot sector viruses. It is completely 100% possible to have multiple infections at the same time, because different viruses will actually copy to different portions of the sector, at different sectors. I've actually been able to infect a system with three different boot sector viruses at the same time, and then I run a virus remover software, and I get rid of one virus, and then I think I'm cool, and then I run it again, and there's a second virus, and then I run it again, and there's a third virus. It has to go down layers. It's very, very important that if you end up with a boot sector virus, you re-run the software again and verify that it has been removed correctly. On certain viruses, for instance, the New York boot virus. Anyone heard of that? Raise your hand. New York boot. Anyone been hit by it in the last year or so? No? Okay. One of the cool things with the New York boot, New York boot specifically just copies over the code, does it over to like sector 7 and 9, I think, and I think 12 also. And one of the easiest ways to get rid of a basic boot sector virus is by booting up off a clean disk with FDISK on it and typing in FDISK /MBR. Anyone ever done that? Okay. And who can tell me what that does? Anybody raise your hand. Sir. Well, you know, I don't like to use the word format. All it does is say, I don't care what code is there, throw this code over it. No more virus.
There's a problem with that. And we'll get into that problem right now. That partition info in the MBR holds the data and partition information of the disk. Basically, it's an interpreter, like your directory string, you know, or your directory tree, on where everything is. Some viruses encrypt this information, making it impossible to retrieve your data if you remove the virus incorrectly, like typing FDISK /MBR. Monkey is such a virus. Remember what I said, Monkey was my favorite virus? This is why. What Monkey does is it copies over the code and then it encrypts all the FAT, you know, and directory information. So you have to boot up. The virus has to de-encrypt it and then run the actual code. If you type in FDISK /MBR, you've lost everything. It's gone. I'm sorry, what? You know what? I'm not sure. I really can't answer that. Yeah. So, as a matter of fact, I hate dropping names, but McAfee software actually has a specific remover only for one virus, only for the Monkey virus. Their normal remover does not remove the Monkey virus. You actually have to download the Monkey remover. Get that monkey off your back. Yeah. Now, what it does is it actually uses a de-encrypt key and then permanently de-encrypts the FAT partition information so it can remove the virus correctly. Another way to remove a basic computer virus without doing FDISK /MBR, which takes a lot longer but is just as effective, is by using Norton Utilities Disk Editor and actually just copying the code that the virus moved over to another sector back over again. And then get rid of the virus also. Once again, FDISK /MBR, awesome way to do it. But be very, very careful about what virus you have when you do this. The different types of boot sector viruses are stealth, polymorphic, encrypting, and any combination of these.
Stealth boot sector viruses hide in upper memory and they try to actually hide the virus code, or hide from the detection capabilities of the detection software. Basically, not letting you find it, which is why it's extremely important to boot off of a clean boot disk. I've seen tons of people actually install a virus software and sit there and say, I know I have a virus, but it must be a piece of crap. Well, no, what you're dealing with is a stealth virus that's hiding itself and it's not letting the detector find it. So if you boot off of a clean disk, it does not let the virus move into memory, allowing it to be removed correctly. Almost all the boot sector viruses I've ever dealt with have at least a stealth capability. Because once again, what's the most important thing for a virus? It's to be able to replicate itself even better without being detected. Polymorphic boot sector viruses, another one of my favorites. All right, polymorphic viruses are actually really tricky. They change the code each time they replicate themselves. So they're never quite the same virus twice. Now, who can tell me what kind of a pain in the butt that can be? Anybody have an idea of why that could be real difficult? Yeah, how about the fact that it's hard or impossible to write a specific remover for it? Because remember how a remover is used. The way a remover for a specific virus is developed is they actually decompile, reverse engineer the virus when they get it into the company. And they look for specific keys in the virus and that's how they actually set up the data file to remove it. Well, if it's never the same virus twice, you can't write a specific remover. So what the antivirus companies came up with is what they call a simulator. And this is actually brilliant. They run the specific simulator and the simulator says, hey, look, I'm accessing that disk. And what the boot sector virus will do is say, great, I'm going to replicate myself. And it watches the virus.
And the moment it sees the code key, it stops the process, uses the code key to de-encrypt the virus and remove it. Now, I don't know about you, but I'm impressed. That's pretty cool. Without letting it replicate itself. That's a really nifty way. And I think, and I could be wrong in this and if someone knows different, you can correct me, but I believe McAfee was the one who developed that the first time. They were the first ones to come up with the simulator. I can't hear you. I'm sorry. They reverse engineer viruses; you weren't here when I was discussing the fact that when I worked at an antivirus company, we would get on an average of 300 brand new viruses every single month. And what we would do is we would take the viruses and reverse engineer them and break down the code and see how this specific version of the virus was working. Yeah. Just, you know, assembly language and, you know, disassemblers. We just, we had a whole team of programmers who would sit there and do nothing but, you know, just rip apart viruses, just like people would rip apart different software to see how the software works. The only difference is, you don't get in trouble for ripping apart a virus like you do software. Kind of interesting if you think about it. Encrypting boot sector viruses. Encrypting viruses will encrypt data or themselves, making it more difficult to remove. They also make it impossible to recover data without the virus being there to de-encrypt it, which goes back to Monkey, which I told you about the partition information prior. When you start compiling these together, when you start dealing with stealth, polymorphic, then encrypting, you start dealing with some very, very nasty viruses because it makes it considerably and just immensely more difficult to remove. You will find that you may come across a virus where no matter what remover you have, it won't remove the virus.
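The MBR layout and the sector-duplicate check described above, worked through as an added example (this is not code from the talk or from any antivirus product): it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 55AA marker), then scans sectors 1 through 25 of a raw image for a parked copy of the standard DOS boot code. The disk images are constructed in memory, and the virus behaviour (sector 0 code replaced, original boot code copied to sector 7) is simulated with placeholder bytes; the standard error strings used to recognise DOS boot code are the ones real MBR code embeds, but the recognition heuristic itself is an assumption of this example.

```python
"""Inspect a raw disk image for the boot-sector-virus pattern described in the talk."""
import struct

SECTOR = 512
CODE_LEN = 446            # boot code region of the MBR
PART_TABLE_OFF = 446      # four 16-byte partition entries follow the code
SIG_OFF = 510             # 2-byte marker 55 AA closes the sector
# Error strings that stock DOS MBR code carries; used to recognise relocated boot code.
MBR_STRINGS = (b"Invalid partition table",
               b"Error loading operating system",
               b"Missing operating system")


def parse_mbr(sector):
    """Split one 512-byte sector into code, partition entries and marker status."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        e = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:           # empty slot
            continue
        start_lba, size = struct.unpack_from("<II", e, 8)
        partitions.append({"bootable": e[0] == 0x80, "type": ptype,
                           "start_lba": start_lba, "sectors": size})
    return {"code": sector[:CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"}


def looks_like_boot_code(blob):
    """Heuristic: stock DOS boot code embeds its error messages as plain text."""
    return any(s in blob for s in MBR_STRINGS)


def find_boot_code_copies(image, max_sector=25):
    """Sectors 1..max_sector whose code region looks like a parked copy of the MBR code."""
    hits = []
    for n in range(1, max_sector + 1):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if len(sec) < SECTOR:
            break
        if looks_like_boot_code(sec[:CODE_LEN]):
            hits.append(n)
    return hits


def check_image(image, max_sector=25):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["signature_ok"]:
        findings.append("sector 0 lacks the 55AA marker")
    if not looks_like_boot_code(mbr["code"]):
        findings.append("sector 0 code region does not contain standard boot code strings")
    for n in find_boot_code_copies(image, max_sector):
        findings.append(f"boot code copy found in sector {n}")
    return findings


# --- constructed sample data (not real boot code, not a real virus) ---
def build_clean_mbr():
    code = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"          # a few plausible opcode bytes
            + b"\x00".join(MBR_STRINGS) + b"\x00").ljust(CODE_LEN, b"\x00")
    # one bootable FAT16 partition starting at LBA 63, ~1 GiB of sectors
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xfe, 0xff, 0xff]) + struct.pack("<II", 63, 2097152 - 63)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def build_image(n_sectors=32, infected=False):
    clean = build_clean_mbr()
    sectors = [clean] + [b"\x00" * SECTOR for _ in range(n_sectors - 1)]
    if infected:
        sectors[7] = clean   # simulated virus parks the original boot code in sector 7
        fake_virus = (b"\xeb\x1c" + b"PLACEHOLDER: boot code relocated to sector 7").ljust(CODE_LEN, b"\x90")
        # partition table and marker are kept intact so the disk still boots
        sectors[0] = fake_virus + clean[CODE_LEN:]
    return b"".join(sectors)
```

On the constructed clean image `check_image` returns an empty list; on the infected one it reports the replaced sector 0 code and the copy in sector 7, which is exactly the pair of signs the talk describes looking for with a disk editor.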
When I worked for this company, we would actually get people calling up and saying, hey, look, I tried you guys, I tried these guys, I tried these guys, I can't get rid of this, and I'm getting this funky message that says that Wendy's a bitch, and I don't know who Wendy is. And my wife was kind of wondering who Wendy is also. And what we'd do is we'd say, okay, here, you know, send us a couple files, send us a diskette, format a diskette or access a diskette, send that in to us, and we would try to detect the virus and find out what's going on. A little side note here, which I thought was actually interesting, is if you walked into the company, to the virus research area where they were actually doing the testing and checking the viruses, there was actually a warning sign there saying images on the screen may not be, I forgot how they basically put it, but basically not PC. You may see things on the computer screens that may be offensive to yourself, so you've been duly warned, because some viruses would actually show like naked pictures of people's girlfriends or very foul statements in there. So you'd sort of be working and all of a sudden, like, my ex-wife's a bitch and there's like a naked picture of her. So they put that sign up there because a couple of women were walking by going, he's got naked pictures on this thing, he's doing porno things. He was like, actually, I know it's a virus, but I'm doing my job, it's cool, leave me alone. Yeah, but you've been working on that virus for six months. I like the virus, I don't know why. Are there any similarities between viruses as to size and infection factors? Yeah. I get into that when we get into file infectors. Hey, look, file infectors. How am I doing on time? I'm almost half over in 15 minutes, all right. All right, file infector viruses. Now, here's an interesting factor.
When you're dealing with file infectors, the majority of file infector viruses will actually, envision the red portion there as just the basic file itself, and what the file infector virus will do is it will sit there, ooh, hey, feedback, cool. It'll sit here and put a marker at the beginning of the file. Ooh, you got a laser pointer. Marked by a friend. This portion right here would actually be a pointer for the virus. Let's get away from the speaker. And what it will do is this portion of the code will tell it to go to the very end of the file and actually load the virus into memory here. And the end of the virus code here actually tells it to go over here and launch the file. Now, the problem with file infector viruses is, who can tell me what's really obviously a problem with file infectors? Anybody? Size, exactly, size. So sometimes it's very important to actually get a disk image of your system. And then what you can do is do like a binary compare of your image against your system and actually see if there's any differences in files, specifically COM files and executables. Who can tell me right off the bat what's the maximum size for a COM file? 64K. 64K. So what happens if you see a COM file that's 1024? You have a problem. Especially when it's command.com. Which is one of the most popular things for a virus to actually infect. Yeah, why not? It's with boots, you know? I mean it's like, let's see, that's a good one to deal. So by checking the size of the file sometimes you can detect whether or not you have a virus. Now, here's the problem. A lot of the virus remover software just kills off this code. What it does is it'll kill the virus itself, deactivate it. So it just basically says just run the file and stop. But it doesn't actually change the size of the file. Now, who can tell me what happens if you have a COM file that's too big? What effect does that have on your system? Code gets put into another segment. Yes.
Which means, yeah, you might have actually removed the virus. You may have deactivated the virus. But you're hosed. You're in a lot of trouble. So, who likes backups? Anybody? Now, honestly, right now I'd like to have a show of hands. Who actually backs up their system? Raise your hand. Okay, now, raise your hand if you weren't lying. Okay. Backing up your system is immensely important. Not just because of viruses, for other reasons too. Viruses will do some serious damage to your system; without a proper backup, you're in a lot of trouble. Especially if you finally just got Microsoft Windows 95 working. I mean, without crashing and giving GPFs every 30 minutes, and it's actually working. I thought it happened once, okay? And I was like, okay, don't touch the machine. Don't add anything. It's working. Oh, man. Starting over from scratch. You're going to want this back, aren't you? Oh, man. Yeah. The laser pointer was a wedding gift. Yeah, good wedding gift. Oops. Oh, man. Wait, stare into the light, Carol Ann. Stare into the light. Here. I've never broken a laser pointer before, man. That's something new for me. I break everything. Yeah. Okay. Hey, that's working cool. Mark here actually works with me at INS and he actually found me here at DEF CON last year and got me hired. So I like him. He got me a real job. He had to get me out of there. He had to get me off the street, you know. I was pulling words for a buck, you know. Dude, buy my words. I need a cheeseburger. Will write scripts for food. You know. All right. This basically goes over what I was already telling you about: the beginning of the code points to the end of the file and the beginning of the real virus code. Now, there was one slight problem also with file infectors that I didn't quite mention. Sometimes the virus will actually encrypt the file. Whoops. Which basically means you could maybe kill off the virus, but then you lose the file. And we're back to that thing about backups I was talking about before.
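The file-infector checks the talk recommends (a baseline image of COM and EXE files, a binary compare against it, the 64K limit on COM files), plus one more derived from the structure described above: an appended infector has to patch the entry point with a jump to the end of the file, so a COM file whose first instruction is a near JMP landing beyond the file's baseline size is a strong sign. This is an added example, not the talk's own tooling; the sample COM files are constructed placeholders and the simulated infection is a few bytes of padding, not a real virus.

```python
"""Baseline-and-compare checks for appended file infectors, as described in the talk."""
import hashlib
import os
import struct
import tempfile

COM_MAX = 0x10000 - 0x100   # a COM file must fit in one 64K segment below the 256-byte PSP


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and hash of every .com/.exe under root: the clean 'disk image'."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".com", ".exe")):
                p = os.path.join(dirpath, name)
                base[os.path.relpath(p, root)] = (os.path.getsize(p), sha256_file(p))
    return base


def com_entry_jump_target(head):
    """If a COM file opens with a near JMP (E9 rel16), return the file offset it jumps to."""
    if len(head) >= 3 and head[0] == 0xE9:
        rel = struct.unpack_from("<h", head, 1)[0]
        return 3 + rel          # load address 0x100 cancels out; offset within the file
    return None


def compare_to_baseline(root, baseline):
    """Binary compare of the live tree against the baseline; returns (file, finding) pairs."""
    findings = []
    for rel, (old_size, old_hash) in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            findings.append((rel, "missing"))
            continue
        size = os.path.getsize(p)
        if rel.lower().endswith(".com") and size > COM_MAX:
            findings.append((rel, f"COM file larger than {COM_MAX} bytes"))
        if size != old_size:
            findings.append((rel, f"size changed {old_size} -> {size}"))
        if sha256_file(p) != old_hash:
            findings.append((rel, "content changed"))
        with open(p, "rb") as f:
            target = com_entry_jump_target(f.read(3))
        if rel.lower().endswith(".com") and target is not None and target >= old_size:
            findings.append((rel, f"entry jump lands at offset {target}, beyond the original file"))
    return findings


# --- constructed demonstration (placeholder bytes, no real virus) ---
CLEAN_COM = (b"\xb4\x4c\xcd\x21").ljust(100, b"\x00")     # mov ah,4Ch / int 21h, padded to 100 bytes


def simulate_appended_infection(original):
    """Overwrite the first 3 bytes with a JMP to the end and append a placeholder body."""
    body = b"PLACEHOLDER VIRUS BODY".ljust(64, b"\x90")
    rel = len(original) - 3
    return b"\xe9" + struct.pack("<h", rel) + original[3:] + body


def demo():
    """Baseline a clean tree, then re-check after one COM file is 'infected'."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "command.com")
        with open(path, "wb") as f:
            f.write(CLEAN_COM)
        baseline = build_baseline(root)
        before = compare_to_baseline(root, baseline)
        with open(path, "wb") as f:
            f.write(simulate_appended_infection(CLEAN_COM))
        after = compare_to_baseline(root, baseline)
    return before, after
```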
Good thing it's really basic encryption. Mostly. That's the exclusive-OR. Some people get really very fancy. Right now you should be getting kind of a concept that some of these viruses are pretty sophisticated, and some of these people who write these put a lot of time into them. Which means you could probably be using this time for other things like cooking for your spouse. Something a little more productive. But all in all, I'm still very fascinated by these. Okay. We talked about that. Which vendor would that be? I don't think so, and I'll tell you why after I take a sip of the water. I was in the entertainment software industry for seven years. In the real-world software industry for several years other than the entertainment software industry. And the basic attitude is get it on the market, get it out there as quickly as possible, make the money, and move on to something else. And I'll be damned if I'm going to worry about a virus or something. Who can tell me right now what operating system most viruses are written for? DOS. DOS, yes. DOS has more viruses still. But keep in mind that the majority of the viruses that were written for DOS only worked up into DOS 3.3. So you really don't have to deal with them. Back in the 3.3 days my absolute favorite virus back then was the Music Boot virus. Which was a boot sector virus that was actually very, very cool because you'd be working away, typing away, and all of a sudden your whole system would freeze and go do-do-do-do-do-do-do-do-do. And then it would unfreeze and go back to normal. And you're going, what the hell was that? You know, you have little PC speakers like going off and then you'd sit there going okay, you just worked a little bit and you'd walk around and everything would freeze. Do-do-do-do-do-do-do-do-do-do. And then it would unfreeze and you're going okay, I'm pretty sure something's wrong.
And then you would work a little while and then everything would freeze and you wouldn't hear any sounds and everything would be dead. And you're going, now I'm really sure something's wrong. Most people, when you get calls, I'm going, you know, I used to do like tech stuff and had a lot of clients, and every time they got infected with this virus it's like, something's wrong with my hard drive and something's wrong with my motherboard. I need a new motherboard. And I'm going, you know, I could make a lot of damn money if I just didn't fix the virus, you know. Damn it, I have ethics, I hate that. Music Boot virus only affects up to DOS 3.3. Nifty little virus. All right, quick, funny story. When I worked at the virus detection, you know, the company I worked for, and I know I'm going to slip out and tell you where I worked, the place I worked, I actually came storming out of my office one time cursing up a storm, really pissed off, because I couldn't infect a machine with a virus, and I had to stop and think about how really ridiculous that sounded. I was like, damn thing won't infect my system. Wait a minute, what's wrong with this picture? I thought that was amusing. People are going, you're mad because you can't infect a system with a virus. Oh, yeah. Multipartite viruses. I want to talk about this a little bit. Who can tell me what a multipartite virus is? I'm sorry, what? Multiple infectors. What would it infect? Yes. It infects both boot sectors and files. Yes, ooh. Think about that. Now think about a virus that infects both boot sectors, files, polymorphic, stealth and encrypting. Who wants to sit there and play with that? No, actually I don't think I ever ran into a single one of those when I worked at McAfee. Multipartites are very fascinating because they replicate faster than any other virus there is because they infect the files and they infect the boot sector themselves.
Who can tell me a multipartite virus in the wild right now that's actually very active? All right, what else? I mentioned it earlier. Anyone seen AntiEXE? That's a multipartite virus. It infects both files, actually it affects the files directly and it also hits the boot sector. Now the thing with these is they replicate so fast because you can infect a file, it infects your hard drive, it infects every single file that you have on your hard drive. Some of them target specifically doc files, some of them target specifically executables and COM files, some target everything. You know, everything they have that has any type of a coded string in it. Which means you can spread them through email, you can spread them through the internet, through IRC. Who here actually downloads files through IRC from people that they don't know? Aside from this guy right here. Who's hiding his face? I'm telling you right now, do not ever, ever take a file from anybody that you don't know directly. And then if you do know them, don't take that file until you really analyze it. At home I have a specific machine that is off my network that I transfer files to specifically; I unplug the network and then I check out the file before I ever let it go anywhere else on my network. How many times have I actually found a virus that way? Twice. One of them completely wiped out my system. And if it happened to be that Windows 95 box that I just got working real well, it would have been in bad shape. You know, multipartite viruses are very, very nasty. Because the virus detecting software actually has to track down where it's infected in the file and remove it from the boot sector. Macro viruses. By show of hands, who here has actually been infected by a macro virus? Quite a few. All right, who here has been infected by a macro virus on Excel only? All right, Word. PowerPoint. Ooh, nobody in PowerPoint. What if I told you that they're now coming out with multipartite macro viruses?
They infect Word, Excel, and PowerPoint. Papa 1 virus. Would that scare you? Yes? No? It scares the shit out of me. He doesn't use them. Good boy. Unfortunately, in the world, a lot of us have to use those programs at work. And these viruses are becoming more and more destructive. It used to be that they were relatively harmless. Who can name a couple macro viruses? Colors. Colors is a very interesting one. Colors is relatively harmless. If I remember right, Colors actually just changes your desktop color scheme. Wait, I don't remember having pews. Oh, yeah, that's my favorite one. Yeah. You boot up a system and you look over and going, everything's white. There's no difference. Everything's white on white on white. And you're going, I can't even find this stupid box to change it. Yeah, macro viruses are very, very interesting little things. The first one that was written, was written as an experiment just to verify they could actually do it. They used Visual Basic, the language that's included with Excel and Word. Because macros were designed to help speed up the process. Well, when you give somebody the power to actually give them a full programming language, you're going to find people going, hey, if I can do good things, I can also do bad things. Because I'm not limited. Um... Well, not necessarily, because let's say that I never use PowerPoint, okay, but I use Excel a lot. What it does is it gives the virus the capability of spreading very rapidly through a lot of different people. Let's say Mark here uses PowerPoint, Excel and Word. Every time he's launched a program, that macro virus has not just gone to his Excel. It's hit every single document he's opened. His docs, his PowerPoint presentations and his Excel. Which basically means his PSSN, his spreadsheet to his boss for his expenses. And he's sending some slides out to a guy so he can teach a class across the country. And he's got some Word documents that he's sending to his lawyer.
That virus is everywhere. And when they start doing harmful things with that replication capability, you're talking something very scary. This is a... It says in Microsoft you call it like Word or all slightly different than using the E. Right. So if you do that, you better have to send it on. Somebody else has to send it on. Yeah, many of the calls in each sequence are different. Some of the calls are right on the dollar. I mean, just exactly the same. Like file. Yeah. Del. Delete all files. That's... Yeah, it's very lucky. Remember, a lot of viruses are time-framed. In other words, because a virus is useless to the creator if it can't go anywhere. So a lot of them are more like Michelangelo. Michelangelo was the one that put McAfee on the map. Literally. I almost got fired because they were talking about it at lunch. And they said, yeah, Michelangelo put McAfee on the map. It made the company what it is today. I said, really, how long did it take John to write it? They were unamused. They glared at me and I was like, it was a joke. It was a joke. I was kidding. Now, on a side note, I can attest to that, and one of the interesting things when I worked at this company is they would not hire anybody who had ever written a virus. They had a guy come in and the guy was amazing. He was a great coder and he made the slip and he said, so have you ever written a virus? He goes, oh, I wrote one or two, and the guy just sunk his head and he goes, I can't hire you. Writing a virus, if you work at McAfee, is grounds for dismissal, instantaneous. They do not joke around about it at all. Okay. Side note, I really liked working there. It was a good company. Have I ever written a virus? Never. I have never written a virus. Can I write a virus? Absolutely. But I'm more fascinated by how they work, not by causing people grief. At the bottom here, I show that several of the macro viruses use the normal.dot file. Why is this? You can tell me why most of them hit normal.dot.
Absolutely. So if we know that all new files start with normal.dot, how can we tell if we have a macro virus? Anybody? Check out the normal.dot. Look at it. Keep an idea of a record. If you go to a lot of the different virus websites that talk about different viruses, by the way, if you go to a virus website and it's not a well-known virus website, it's not usually a good idea to download a remover from that website. No joke. I know several people who've actually downloaded the removers and the removers themselves were infected with viruses. A lot of these sites will actually tell you the specific macro virus and how to detect it through the normal.dot, saying, hey, if you see this string and you see this string, you have this virus. So it's usually a good habit just every so often to look in there and see if you see anything different. If something looks funky, it's usually a good idea not to send any files to anybody. Not size. If you view the file itself, it actually has scripting in it. You know, little keys. It just states, you know, like, you know, it's almost in English. And you'll see something in there going, that really looks wrong. That doesn't make any sense. And then, you know, well, there's probably a reason why that doesn't make sense, because all they are is little calls. Oh, the file size. Yeah, it really depends on the box because some things will actually modify the normal.dot and it's legitimate. Some people, you know, I do. All right, let's talk about fakes and false alarms. There are tons and tons and tons of false alarms out there, you know, going rampant. Gee, who here actually got hit by Good Times? Now, the problem with a lot of the fakes is that they themselves can be considered a virus. Because they cause widespread panic. They cause a lot of people to get up, you know, in hatred and fear.
And one of the worst things is they chew up bandwidth, because you got some person who says, oh, my God, there's this Good Times thing up there and I'm going to send it to 4,000 of my friends and tell them to forward it to everybody they know. Regardless if I get it back about 60 times myself, and that just chews up tons of bandwidth, tons of space, you know, slows down your 56.6 modem, you know, it's like, oh, great, I'm getting 30,000 things saying, watch out, there's this new thing out there. Remember the worm virus that just hit the market recently, the zip thing? What was that called? It was the, yeah, ExploreZip. That was an interesting, very interesting little virus there. Because that was actually executable code that you actually had to launch. What was interesting is that it used social engineering to make you do it. It was cheesy social engineering, but I thought it was actually kind of interesting. Because it said, hey, so and so, you know, I got what you sent me and I'll get right back to you. In the meantime, check out these documents. Well, they called you by your name. People in general are very trusting. Hey, this guy knows me. I don't remember what the hell he's talking about, but it must be important. I mean, there was a day I was real drunk, but you know, maybe I should open this document or maybe I should open this code. And that's how you get nailed. I don't know anyone personally. Did anyone here actually get hit by that? Anybody? I have never met anybody who got hit by that. I know a few people did. At least it was in the media. Yeah, I trust that. But there's a lot of fakes out there, guys. You know, there's a lot of people that are going, hey, watch out for this. Hey, watch out for that. And it's crap. You cannot infect your system by reading your email. Yet. Actually, there are some variants. There are some things out there that are only specific to specific operating systems and specific things.
And they're very few and far between, and I haven't seen anyone actually get hit. So, is not the virus more of a crawler or a push-up theory? A push-up theory, that was opening it up. You know, in theory, um... Not everything out though. You know, PPE, everything. Right. Someday, you know, something such as a screen for feeding your Microsoft is going to have everything out. Now you're going to have truly a good time. What's only reality based on that? Um, that's possible. I mean, if you really stop and think about it, you're going to lose a lot of sleep. Why are you going to wear that? Yeah. All you can do is try to stay safe. Because you see, not everybody uses Outlook. Not everybody uses, you know, what's the one I use? What do we use? You know, Eudora. You know, every... You've got to remember the one thing. For a virus to be successful, it has to replicate. If it's only good for Outlook, then it's only going to infect people with Outlook. And it's not going to infect people with Eudora or people who are reading off a Telnet or whatever. So it's not an effective virus. Unless you're going to make that virus so it will infect every single, you know, mail system there is. Happy99. I'm happy for you too. What? What do you want? Well, I'm not sure. We're talking about DLL. We're talking about... Yeah, everyone. Right. What about Happy99? Which actually basically replicates itself by sending emails out automatically. Um... The problem with that is, it depends on the system that you're dealing with. Yeah, that's a very, very good point. But there's also things that you have to keep in mind. Um... My mail system is not set up to send any mail until I tell it to send mail. Okay, so if I get something that's trying to send mail, the first thing I look at is, like, hey, wait a minute, what's going on here? Yeah, yeah, that's true. Yeah, that's true. Okay. Okay. And there's ways around that, too. But... I mean, I keep...
I keep, like, a little sniffer on my box to verify what's going on with my system because I get people who try to talk to my system without me knowing it, too. Yes. Ooh, I was waiting for someone to bring that up. One? No, there's more than one Unix virus. There's several Unix viruses. Believe it or not, they're not very rampant. Yeah. But there's a reason why they're not very rampant, because the people who are writing the virus are usually really into Unix and really just hate, you know, big blue brother, a North kind of guy. So why would you write something for a virus on something you love compared to something you hate, you know? And unfortunately, it's more of a political statement for a lot of these people, you know? I'm not implying anything. Uh-uh, not me. Nope, not me, sir. Uh, you know, I heard about that, too, but I never knew anyone who actually got it to work. Uh, the question was, was something with, uh, Netscape, was it 4.0? Yeah. Or if you, um, oh, here, you tell them. Yeah, it was the object tag overload where it actually opened up the, uh, extension, but I know people who tried it and they couldn't get it to work. Yeah, I mean, it was reality-based, but I didn't know anyone who actually got it to work. And then, of course, with the new version out, that ends any capabilities there. Um, when you talk about something other than 95, um, something that I discovered and played around with and found out by accident that kind of bugged me is Windows NT, especially NT 4.0. If you actually format the whole drive NTFS, it is impossible for you to get a boot sector virus. Can someone tell me why? It's iPhone Mark. No. Uh, what? There's no FAT file. Well, that's true. But why would it be impossible for you to be infecting, um, the boot drive, you know, to have your hard drive with an NTFS partition? Nobody know? NT does not allow real-mode access; to touch the boot record you need real-mode access.
So, for years, at least I, you know, for quite a while, I was thinking, hey, I'm safe. I don't have a FAT partition. You know, I don't have a boot drive that's FAT. My whole drive is NTFS. I can't get a boot sector virus. Eh, wrong. The first thing I tried to do is I tried to take an infected disk, you know, a boot disk, just a regular boot disk, put it in the drive and boot up and see if I can infect the drive that way. Guess what? No. It doesn't see the drive. The drive is completely and utterly invisible. Can't see the drive, can't infect the drive. Alright, so far I think I'm pretty safe. Well, there's one thing called an NT boot disk where you actually load the drivers onto a diskette, off of a FAT-formatted diskette, that when you put it in there and boot up, it'll actually let you see the NTFS drive. And this is good if your NT crashes and you need to remove files from the NT partition. The problem with this was, yes, it can see the drive and it makes the drive visible. I then infected the diskette with a boot sector virus. And I put that diskette in because all I had to do was put it into a machine that was infected and do a directory. It infected the boot sector of that diskette. I put it into the NT drive, I booted it up and I wiped out my machine in one fell swoop. Please don't stop me, but do I have to self-credit that you say to write-protected? Yeah, but there's problems with that. Some software won't work if that is write-protected. Okay? And also if that is write-protected and your drive crashes, you can't get your data off with that boot disk. So now you're dealing with a catch-22, aren't you? It can need a write-protected and protect it all the way. But if my drive crashes and I need to get something right now and I don't have the time to wait four hours for my backups, I have to use that disk. But you have to get into un-write-protected. No. I mean, you have to get onto the hard drive to un-write-protect it. What are you talking about?
Oh, yeah. But you know what? I can infect a floppy disk that's been write-protected very easily. Oh, I thought you were talking about write-protecting the hard drive. Which you can do. No, yeah, a write-protected floppy, sure. But you know what? There's viruses out there that will soak there and override that and infect the diskette regardless, because that's what they're designed to do. I can format a write-protected floppy. You think that's going to stop a virus? Most? Yes. Some? No. I'm sorry, I can't hear you. Yes. Yes. The virus makes calls. It says ignore any write protection. There's software, specifically duplication software, that's designed to duplicate write-protected disks, because it says ignore the write protection altogether. I mean, it's just a series of calls. And the computer says, I don't care if it's write-protected or not. Just ignore it. So it happens. Anyhow, on that NT factor, everybody was yelling that it's impossible to infect the NT drive with a boot sector virus, and I found out they were wrong. Sir? Bam. Sorry. I never used procmail to help, you know... Oh, I didn't mind procmail. No. There's a lot of virus software out there that you can throw on a server that does it for you. A lot easier. And actually a lot of the companies now, what they do is they have the software that goes onto the server, and what it does is it scans every piece of the email for attachments, looks through the attachments and actually scans the attachments as they come in for viruses before it even hits your users. Does that mean you're safe? No. Have I had experience finding viruses on web platforms? Linux platforms? Unix platforms? No, because there's only a handful of them. I fussed with them, but the thing is, most of the viruses that were written for Unix won't work today because of the version changes. Yeah.
One of the people who I worked with actually was a scientist who made a professional office, and he uses procmail. Basically what he does is he runs filters on executable files and puts them in a safe zone, and he sends a message to the user saying you've got an executable file that's sitting in your safe zone, and you put it down so that somebody has to run that executable. But as far as using the scan for viruses, that's pretty labor intensive to set that stuff up just to reach that out. It sucks up a lot of curl in time. A couple of viruses that I did see for Unix wouldn't work today. They make special calls for specific versions, like the old DOS viruses that won't work today. I haven't seen any new Unix viruses at all, and if someone's seen some, please come and talk to me about it because I'd be kind of fascinated to find out. Would you say that the vector itself has much less productivity in the end? Do you see that the vector is slow? Yeah. I'd agree with that. This is also very true. There are a lot of people bringing discounts from home onto a Unix box. Any other questions? Go ahead. I was just saying it may be someone sending doc files across, but they're actually hitting a Unix server. Right, exactly. Yeah, right now, like Mark stated, it's so intensive to try to actually track down the viruses that way because there's not a lot of things that are written for automation purposes. Like for the Windows base there are so many things that are actually written specifically to do that. It's a little bit more difficult. I know a lot of places that still use Unix servers to transfer mail because, hell, it's just better, but it makes it a little bit more difficult, which is why you put the software on the individual Unix systems also. Yeah. Macs are coming back? Yeah. Oh, that was an Apple company, I remember them. Right. Not a whole, well let me rephrase that. Yeah, that could be a problem.
The reason why I think that could be a problem is because there used to be Macs who were on little AppleTalk networks or on individual systems, and now the Macs that they're coming out with are designed specifically to jump on the internet in five minutes, and that could be a different problem. One of the most popular viruses way back when for Macintosh was the rabbit virus. Anybody ever heard of that or seen it? Rabbit, raise your hand. It's basically store support on the hillster. And you would actually see a little rabbit running across your screen and then someone else's screen and then somebody else's screen, and it would actually run through the network. It was harmless, but it was like, what the hell? A little bunny did-did-did-did-did-did-did-did, and I was like, nah, I didn't see that. Someone else see a rabbit? Yeah, I saw a rabbit. All right. It talks about over here. I appreciate you all coming. Are there any further questions? One last question. Yes. You don't see a whole lot of those rampant in the wild. I know of a couple cases where some viruses are designed as like sniffers, where they'll actually gather data and bring it back to the developer of it. And it's- but those still require like an executable on the user's code, on the user's system. And they use- some people use them for capturing passwords or keystrokes. Java. Huh? Java. I think- You know what? I haven't investigated Java too much on the vectors dealing with viruses. I really can't give that answer. I wouldn't think so. And because it's- The thing is, when people write viruses, most of them send them directly to the antivirus companies before they even send them out to the wild, because it's then going, hey, yeah, try to break this one, see if you can figure out how to remove this one. So, yeah, it's ego. It's pure ego. We get tons of little packages going, yeah, bet you guys can't do this.
And then we stay up 24 hours, you know, and have a remover on the network and it's like, there you go. You know. Hey, I never got overtime for that either. Well, that's it for me, people. Thank you very much. I appreciate you coming to my talk. Oh, by the way, if you-