to boot up here. Look, it's booted up. Yeah, that's the ticket right there. Okay. Okay, when you have the toys and you have nothing better to do but fly on the airplane, deal with a lot of slow damn animation. Alright, this is going to be an introduction to computer viruses. I'm actually just going to ask this question up in New York, so I'm going to ask it here. By show of hands, how many people here have actually written computer viruses? Okay. Now, how many federal officers in the audience are actually keeping track of how many people wrote computer viruses? Okay, now how many hackers are keeping track of the federal officers? Alright. Hey, look, I can press the button again. Okay, this is the introduction to computer viruses. How many people made my talk last year on viruses? You don't count because you're my friend, but hey, thank you. Alright. This is actually the updated version with animation and some new information. I'm taking all the damn animation out of these slides because it's already pissing me off, okay? Alright. The things we're going to cover in this talk are boot sector viruses, multipartites, file infectors, macro viruses, Trojan horses, fakes, and Visual Basic scripts. Why am I dealing with Visual Basic scripts? Well, it's obvious. How many people got hit by I Love You? Alright, now how many people aren't raising their hand because they're embarrassed that they got hit by I Love You? Okay. The I Love You virus when it hit actually was quite devastating. It did quite a bit of damage. Well, not damage per se. It just had a nice tendency of changing all your music files and your porn. Poor guys out there just lost like five gigs of JPEGs. It was like, oh damn, oh my god, I lost a whole redhead section. Jesus. Back to the news groups, down low, down low, down low. Yeah, it was pretty nasty. Not nearly as nasty as the variants that followed it the weeks later. But I'm ahead of myself. We'll get into that. 
Oh yeah, and computer viruses in the future. Stupid animation has to go away. That's how it was to it. At the end of this talk, when I talked about the computer viruses in the future, that's when I'm going to discuss what I discovered here by an individual. Steve in the audience? There you are. You're the man who told me the information. Okay, we're going to be talking a lot this year. You know that, right? Okay. I'll be introducing Steve here near the end of the talk here. Give me some troubling information and I'm going to be doing some serious research over the year. We're going to start with boot sector viruses. Boot sector viruses aren't seen as much as they used to be. Back in the days of DOS, boot sector viruses were extremely rampant. We're going to cover how they work, what to look for, ways to remove them and the animation. Really, boot sector viruses actually work. We have three parts of the boot sector. I've got my trusty laser pointer here. We actually have the code section here, the FAT partition information, and the marker, which is 55AA. Now, what happens is the code sequence here on the boot sector, when the system works up, remember in the old DOS days, you don't see as much today as you did in the old DOS days where you type in the wrong command and it says syntax error or some type of error code or whatever. That was this right here, the code. That was telling the computer how to respond depending on what you typed in or depending on how things accessed memory, yadda, yadda, yadda. Okay? Make sense? Anybody lost? Good. Hi. The FAT partition information kept track of all your directory structures. As you sat there and started going down the tree structure, it kept track of where the directories were placed on the hard drive. It kept all the memory allocations stuff up. Just everything, all your files, everything, it kept track of everything. It's a nice little database. Think of it as a database. 
And this is the marker, which tells it where to start. Just probably push a button. You know, just this animation stuff, man. Hey, look, it's divided into three parts. Hi. On the record, PowerPoint just pisses me off. Hello. Okay. The virus first copies the boot code onto a different sector of the media. What happens is on the hard drive itself, on the boot sectors, you actually have multiple sectors. Several of these sectors are not used by other programs. They're actually set there and kept in reserve. And what the virus writers would do is they would have the virus copy the code sequence itself, just take that whole block. And they would copy that to, like, sector 7, 9, 12, 17, 22. These are common sectors that are not commonly used. So it was a safe area to go through this code because you need this code to boot up. Okay? Without this code, the system won't boot. Yeah, I know this part. Okay, like I said. At that point, it then copies its code, the new virus code, over this code. So this on the boot section portion is gone. This is now the virus code here. At the end of the virus code here, it actually points to the different sectors that it copied to. What some of these viruses would actually do is they would sit there and say, check sector 7 and see if there's any code there. If there is, copy over to sector 9. If there's code there, go to 12. Why would they do that? Can anybody give me a guess on why they would actually check for different sectors that these sectors weren't commonly used? Well, you raise your hand so I can call on you. Didn't you go to school? Okay. Yes. Exactly. That means you can be multiply infected. What they would do is they would say, hey, there's already code in sector 7. Let's go to 9. Good rule of thumb here. If you're dealing with the boot sector virus and you boot from a clean floppy, because we would always boot from a clean floppy and not trust an antivirus software that's infected, would we? 
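The three-part boot sector layout and the "stash the original boot code in an unused sector" behaviour described above, as an added example that is not from the talk: a Python checker that splits a 512-byte MBR into code, partition table and 55AA marker, pages through the reserved sectors after it looking for a stashed copy of the original (the same check the speaker did by hand with a disk editor), and copies that original back over sector 0. The sample disk image, partition table and placeholder code are constructed for the example; the offsets (446-byte code, 64-byte table, marker at bytes 510 and 511) are the standard MBR layout.

```python
import struct

SECTOR = 512
CODE_LEN = 446          # boot code: bytes 0..445 of the MBR
TABLE_OFF = 446         # four 16-byte partition entries: bytes 446..509
SIG_OFF = 510           # marker: 0x55 0xAA at bytes 510..511
RESERVED_SECTORS = 63   # sectors after the MBR that DOS-era disks left unused


def parse_mbr(sector):
    """Split one 512-byte sector into the three parts of an MBR: boot code,
    partition table entries, and whether the 55AA marker is present."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    code = sector[:CODE_LEN]
    entries = []
    for i in range(4):
        e = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        entries.append({
            "bootable": e[0] == 0x80,
            "type": e[4],
            "lba_start": struct.unpack_from("<I", e, 8)[0],
            "sectors": struct.unpack_from("<I", e, 12)[0],
        })
    marker_ok = sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    return code, entries, marker_ok


def find_stashed_boot_sectors(image):
    """Page through the reserved sectors after the MBR and report those that
    look like a saved copy of the original boot sector: they end in 55AA and
    carry the same partition table as sector 0 (the stash keeps the table so
    the disk still boots). Returns the list of suspect sector numbers.
    Caveat: modern boot loaders such as GRUB also keep code in this gap, so on
    a current disk a hit is something to inspect, not proof of infection."""
    mbr = image[:SECTOR]
    _, _, marker_ok = parse_mbr(mbr)
    if not marker_ok:
        raise ValueError("sector 0 lacks the 55AA marker; not a valid MBR")
    current_table = mbr[TABLE_OFF:SIG_OFF]
    last = min(RESERVED_SECTORS, len(image) // SECTOR - 1)
    suspects = []
    for n in range(1, last + 1):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if s[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa" and s[TABLE_OFF:SIG_OFF] == current_table:
            suspects.append(n)
    return suspects


def restore_from_stash(image, stash_sector):
    """The manual removal the talk describes: copy the stashed original boot
    sector back over sector 0, then blank the stash."""
    out = bytearray(image)
    start = stash_sector * SECTOR
    original = bytes(out[start:start + SECTOR])
    _, _, marker_ok = parse_mbr(original)
    if not marker_ok:
        raise ValueError("stash sector does not hold a valid boot sector")
    out[:SECTOR] = original
    out[start:start + SECTOR] = b"\x00" * SECTOR
    return bytes(out)


def _build_mbr(code, table):
    return code.ljust(CODE_LEN, b"\x00") + table + b"\x55\xaa"


# Constructed sample disk image: not taken from any real disk or virus.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"ORIGINAL BOOT CODE (constructed)"
PART_TABLE = (b"\x80\x01\x01\x00\x06\x3f\x3f\x0f"   # bootable, type 6 (FAT16)
              + struct.pack("<II", 63, 65536)        # LBA start, sector count
              + b"\x00" * 48)                        # three empty entries
CLEAN_MBR = _build_mbr(CLEAN_CODE, PART_TABLE)
CLEAN_IMAGE = CLEAN_MBR + b"\x00" * (SECTOR * RESERVED_SECTORS)


def model_infected_image(image, stash_sector=7):
    """Test fixture modelling the layout the talk describes: the original MBR
    is saved to a reserved sector and sector 0's code is replaced, with the
    partition table and marker kept. The replacement is an inert placeholder."""
    original = image[:SECTOR]
    placeholder = b"\xeb\xfe" + b"PLACEHOLDER, NOT REAL VIRUS CODE (constructed)"
    out = bytearray(image)
    out[:SECTOR] = _build_mbr(placeholder, original[TABLE_OFF:SIG_OFF])
    out[stash_sector * SECTOR:(stash_sector + 1) * SECTOR] = original
    return bytes(out)


if __name__ == "__main__":
    infected = model_infected_image(CLEAN_IMAGE)
    hits = find_stashed_boot_sectors(infected)
    print("clean image suspects:", find_stashed_boot_sectors(CLEAN_IMAGE))
    print("infected image suspects:", hits)
    restored = restore_from_stash(infected, hits[0])
    print("restored MBR matches original:", restored[:SECTOR] == CLEAN_MBR)
```

To run it against a real disk image, read the first 64 sectors of the image file into `image` and call `find_stashed_boot_sectors` on the result.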
I've actually come across machines where I've run a scan against them, found a boot sector virus, removed it and cleaned it successfully, and just for shits and giggles, ran it again and found another boot sector virus, and then again and found another one. I've been able to actually infect a single machine four times with four different boot sector viruses. The machine didn't run very well, by the way. I went for a different animation. The FAT partition information of the MBR holds the data and partition information of the disk, which we covered earlier, remember? It has all your directory structure and your tree structure in there. Now, some viruses are particularly evil. Not just evil, but they're evil, right? What they'll actually do is they'll encrypt the FAT and partition information. So the virus code would run and at the end of the virus code itself, it would actually de-encrypt the FAT partition information and then run over to like sector seven or nine and actually run the boot sequence and then your system would boot up. So if you remove the virus incorrectly, the virus isn't there to decrypt the FAT and partition information. So you go, I got rid of the virus and all of a sudden you're going, what do you mean you can't boot? You're going, oh, sure. And you boot up off a floppy disk and you hit the drive and drive not found and you're going, okay, this is bad because I'm missing all my porn now, you know, and I got all these JPEGs and they're not there anymore. I'm saying that for his benefit. Because most of us would not have porn on our hard drives, right? We'll be back in a minute. Because you can't reinstall the virus because the drive doesn't exist as far as the operating system is concerned. My absolute favorite virus is the monkey virus because that's exactly what the monkey does. Monkey B, anybody been infected with Monkey B? All right, repeat after me. Monkey is a bitch. Yes, it is. It's a big hairy bitch. 
There's different ways of actually removing viruses without using antivirus software and the monkey won't let you do any of them. The monkey is just flat out evil, absolutely freaking evil. And I love it. It's just, I thought it was brilliant. What monkey does is it does that. It loads into the code, encrypts the FAT partition information, and it requires it to be removed. To remove it, it requires you to actually know the code key. What some of these antivirus software companies did, and honestly it was brilliant. It was a very great idea. What they did is they created something called a simulator. Anybody know what a simulator is? Good. Here, long hair. It doesn't work. What the simulator does, it says, hey, I'm going to copy to another diskette here on accessing another drive. The number one rule for a virus is you must replicate. You have to replicate or you're useless, which is how you got the virus in the first place. So the first thing monkey would do is it says, right on, I'm going to replicate. It starts going through the de-encryption scheme to de-encrypt itself, because the code itself is encrypted also. Now what happens is the simulator would be watching the code go through the de-encryption scheme on the FAT partition information. It would stop the process instantaneously, grab the de-encryption scheme, de-encrypt the virus, and remove it. Now I don't know about you, but that's impressive. That's brilliant. For a long time, McAfee, you would have the McAfee antivirus product. And if you're infected with monkey, you actually had to download the monkey remover, which wasn't a DAT file, it was a separate product altogether, because monkey was that complicated. I'm not really sure whether or not it's still that way, because I've only been infected with monkey once, and that was on purpose. We already covered that. Okay, we're going to go over some of the things to look for in case you think you're infected here. 
One of my favorite tools back in the old DOS days was Norton Utilities from Symantec. One of the reasons why I liked Norton Utilities, aside from that it had some really cool tools and people were like, hey, what's that? They had a thing called a disk editor. Anybody use it? All right. It worked. That disk editor was fantastic. It was a graphical description of your drive. I used a disk editor to go to the first boot sector, the MBR, and I would look at the code. And then I would use my right arrow key to start hitting the different sectors. And as you're going through the different sectors, those sectors should be blank, the code on the right hand, because you'll look at the box here, and then you'll have all those like hex code on the side here. And if you didn't see any code, then there was that thing on those sectors. Well, I'd go through the drive and I'd just start paging sector after sector after sector. And if I saw a copy of quote unquote code from the first sector, I knew I had a virus. The other thing to look for was changes in memory usage. If for some reason you were working away in the next thing you knew, your system is running really, really slow. And I know this is really hard to tell when you're dealing with Windows now. But for DOS, it was really obvious, you know? It's like, God, Windows is running real slow. And it's crashing a lot. Maybe I have a virus. No, you just have Windows. And the thing is, I really can't cap because I use Windows. And people are going, I'm going, hey, look, I use Windows, I use FreeBSD, I use Solaris and use Linux. Why? Because if you really, really want to know the ins and outs, you need to know all operating systems. Just a little paging. Besides PowerPoint, so the hex already leaked cool. Yeah, god damn animation. All right, look for strange behavior in the OS. I know, no jokes, we're dealing with Windows. The way I mean by strange behaviors in the OS, let's go back to the old DOS days. 
There was a boot sector virus that really only affected XTs and 286s, so you will never see it again, except for those of us who still have XTs and 286s in our lab because we're too damn cheap that don't need them or like using for boat anchors. This was a really cool virus. It was called the music boot virus, and it was really kind of cool. I loved it. When I worked for an antivirus company, I was testing all these different viruses, which was a blast. And I came across this one, and I was just dying to see what it did. You could not tell that you had the virus. You sit there and you'd be working on the system, typing commands, and then the whole system would just freeze, and then the PC speaker would go, do, do, do, do, do, do, do, do. And then everything would work again. And you're going, what the hell is this? Okay, I'm up late. It's no big deal, and you'd be working around, and it was random, so it just wasn't happening on a regular basis. You could go like a day or two, and nothing was happening. It was like, what the hell is this? It was like, all right, it was no big deal. There was some glitch in the program. You'd be working on something else, trying to play some type of game freeze. Do, do, do, do, do, do, do, do, do, do, do. And you're going, okay, you know, something's wrong here. God damn it. You know, what is that with that? And you're going, now, I know the speaker is not supposed to do this. And you know, you're standing back going, it's Satan. It's Bethes. It's evil. You know, we're like, you don't mind. You touch it. Make me change the garbage. You know? And it was a pretty harmless little virus. After a while, it would actually just completely and utterly crash your system, and you'd have to reboot your system, which was annoying, but it really didn't do any damage. It was just cute. So that was my favorite back then. I just thought that was kind of fun. Just something to annoy the hell out of somebody. 
Does anybody remember the rapid virus on Macintosh? Yeah. I remember being at a company working on your Macintosh, and this little bunny goes jumping across your screen, and you're going, no, I didn't see that. And you think to yourself, no, no, no, no, no. And I was like, hey, what the hell is this robot doing on my screen? Okay, maybe I did see that. What the hell is that? You know? And it would actually go through the network and jump around through people's screens. It was pretty cool. But you know, hey, once again, it was, you know, Macintosh. All right. Different ways to actually remove boot sector viruses. One of the easiest commands to use for like New York Boot or anti-EXE, well, anti-EXE is kind of like a different story because anti-EXE is a multipartite virus that we'll actually get into that. But anything that has a solid boot sector virus that does not encrypt, all right, everybody repeat after me, does not encrypt. That was a cue. Come on. Does not encrypt. Right. Because if you run this on a virus that encrypts like monkey, game over, thanks for playing. What fdisk /mbr does, will anyone actually use this command? Well, you guys rock. You guys are awesome. All right. For those of you who never use this command, all it does is it says, I don't care what code is there. I don't care what it is. Just replace it with my new code. Okay, great. Game over. So the virus is there. You copy of the boot sector stuff is like another sector, and it says, I don't care about any of this. Boom. The virus is gone. Simple as that. You get up with a boot disk. Type in fdisk /mbr. Virus gone. No problem. I mean, and it's gone. Be careful. Identify the virus first. I want to see what happened if I did it with monkey. I should have taken the data. I actually wanted off that drive first. Because I'm going, well, I picture I can still recover. I'm positive I can. And, well, you can. It was hard. Yeah. 
Would you be able to tell if it was encrypted based on whether or not you could access your code? Well, yes. Maybe. I don't know. I never tried it. I don't know. I never tried it. But now, damn it. I'm going to have to go try that. Yes. By theory, that would be true. Because if it's an encrypting factor, and you boot off of a clean floppy, you will not be able to see the hard drive. So, yes. Without testing, that's true. So, there's your test. Put it on a clean floppy. Try to access the C drive if you can get a directory structure. It's not encrypting. fdisk /mbr. Woo! Get over. Man, I need more sleep. The other way to do this, if you actually want to take some time to do it, and you want to be like haxor elite kind of, you know, uberdude, and you don't feel like you want to type in fdisk /mbr, all you have to do is find this sector that has your old code with a disk editor, copy and paste it back over the original code. So, yes. But the original code, and that would do it also. fdisk /mbr is a lot easier but that's the elite, slow life of time on my hands and my wife's out of town, and a way to do it. And of course, antivirus software. Honestly, antivirus software is your best friend. The viruses that we have today are a lot more destructive. A lot more plentiful, and a lot easier to spread than they used to be. Back in the days, I'm going to date myself here, a sneaker net. How many people here know a sneaker net? You old farts. For those of you who don't know what a sneaker net is, go ahead and raise your hand. The kid. We have a small kid in our line. I don't know what a sneaker net is. I don't know around since I'm God. It depends on who you think God is. In the old days of sneaker net, basically to transfer files, copy to a diskette, pull out of the drive, walk over to your buddy and go, here's the file. 
Get what changes and walk back over to your computer, stay in your drive and pull it up. Boot sector viruses were amazing for this because the way you can infect a diskette with a boot sector virus... I just had to, I'm sorry. It's my talk, I can do whatever I want. Back then, boot sector viruses were the most prevalent viruses there were. 80% of the virus infections were boot sector viruses. This is not true today, but back then it was. Because all you have to do is do a directory on a diskette and you infect it. If the diskette is infected, all you have to do is say, A colon, hit return, so as it access the disk, your drive is infected. And the way you can actually tell a diskette was being infected, that's great. If you put a diskette in a drive now and you say, directory A colon, and it goes, and it gives you your directory. If you have an infected diskette, you go, directory A colon, and you go, what the hell is going on? It's actually grinding down in there. It didn't make that noise a few minutes ago. That's another clue, people, if you do a directory on a diskette, and it starts grinding and it gives you this horrible grinding sound. Oops. One thing I'd like to add here real quick, some of the questions that we can to the very end, so I don't get too far over time here, but all your questions have been absolutely fantastic, especially yours, that was a really good question. Start focusing on your anti-virus software. I would say the majority of people install anti-virus software on their systems, and they never update the DAT files. Seriously. How many people here, and don't be embarrassed, I really want to see any people here who have actually had anti-virus software on their systems and did not update them in a week? How many people in over two weeks? Three a month, six months, a year, several years, never done it. You know what? You're the majority out there. You're the majority. 
Those people, once they install it, they think they're safe, this is called security. You're not. I didn't go to the event. I felt like I'm working on my own system. I actually got infected by the Michelangelo virus and I was so embarrassed. I mean, come on, that's an old virus. And I had a test machine, I had not updated it, that system, and well over a year. I really wasn't using it, but it's around with some old computer games on an older system, things like Wasteland and Bard's Tale and these things that ran great on 286s and 286s, and I had an old disc for a friend, and I was stuck into my system, and I was playing around, and I said, you know what, I should actually run some anti-virus software on this, because, you know, man. And I was like, oh, these demos are old. They sure were. And so I actually tracked down the disc gate and cleaned the disc gate myself, but, you know, it happens. It happens. Right now, my system is set up to update my DAT files daily. Not a joke. I update my DAT files daily. And then I look at, like, Virus Bulletin, and I look for problems with malicious code up in the wild, and I look for updating. There's a lot of really good talks going on, because I have money. There's a lot of really good anti-virus products out there. There's a lot of really crappy ones out there. I would recommend that you guys go to a thing called the Virus Bulletin. It's actually a publication in the UK. It's brilliant. It's absolutely fantastic. It's expensive for subscription, but it's worth it. I get them monthly, and I just read them cover to cover. It gives you all kinds of information. And they also do product evaluations and they're neutral. So they take all the top anti-virus products and basically tell you what sucks if it doesn't suck. So keep up on it, guys. Keep up on it, because it's important. I actually use two different anti-virus products right now on my system. And I had to do the H2K two weeks ago. I'm going to tell you right now. 
I do not receive any money or any publications. I don't even get damn t-shirts from any anti-virus company out there today. Flat out. My opinions are my own. I have no endorsements. Presently, I'm using F-prod on my system, and I'm using Finjan Safe Surfing Shield on my system. I'll tell you why. This little other anti-virus product out there right now uses one scanning engine with their DAT files. F-prod uses three different scanning engines with their DAT files. It gives you that much more of a chance to find malicious code. Makes sense. I've had problems with F-prod in the past. I still have problems every once in a while. There's some flaky issues, but all in all, it's worth it. The reason why I like Finjan is that Finjan is actually not an anti-virus product. It's an anti-malicious code product that works in conjunction with your anti-virus product. You don't use it instead. You use it with. It works with anything. What it does is it takes anything that you bring in from an email, some type of executable code, and runs it in its own little DMZ sandbox on the computer. And if it sees malicious code, it stops it in its tracks. It was the Finjan software that was actually stopping it from spreading out a lot of companies. Everything else it went streaming through. So, double up and protect it. Can we hold the questions? Thanks. Finjan, F-I-N-J-A-N. Once again, no endorsements. I just happen to like them. Next year, I'll probably like somebody else. Yes. The first year will not work in that. It may fool by your whole system depending on the virus. Okay, let's move on. We're going to go over the different types of boot sector viruses. A lot of the old school people just came up with some really intense ideas. We have stealth viruses, polymorphic viruses, encrypting viruses, and any combination of these. I got really messed with the animation. I'm sorry. Stealth viruses hide in the upper memory block. 
And even with anti-virus software running, if you put the anti-virus software in there with the virus activated in memory, it won't see it because it hides. It hides itself specifically from the antivirus systems. You have to have an emergency boot disk with you that you please, people, write-protect this disk. Okay? How many people have an emergency boot disk for their systems? How many people can actually remember whether they write-protected it or not? Okay. That's good. I'm proud of you. I may be wrong. Damn, my emergency boot disk is now infected with the damn virus. What do I do? I was like, well, drop back six yards in front. I don't know. Stealth viruses. Pretty cool stuff. Polymorphic boot sector viruses. All right. What polymorphic viruses do, and the reason why they were really cool, is each time they replicate themselves, they change the code. Yes. Now, by changing the code each time, it's not quite the same signature. The way the antivirus products work is they look for a specific signature. They don't see this signature. They don't think there's a virus. So if you have polymorphic viruses that are changing their code each time, this company is going, damn, I can't find this thing. And it makes it really, really difficult. The nasty ones are when you get the polymorphic-encrypting-stealth viruses. And there's a lot of them. Or the multipartite-polymorphic-stealth-encrypting viruses. And by then it's better just to a little top out the window and buy something new and just say, oh, this. Or go to Munich. All right. Actually, who can tell me why there's not a whole bunch of unix viruses out there? That's right. You don't have super-user privileges. There's also another reason. Anybody? Sort of the answer I'm looking for is although everything is a file, everything is inherently executable. Right? If it's not executable, you can't spread. You can't activate it. 
Um, can anybody tell me right now, and this is a single question, and I'll answer it if the first person doesn't get it right, why is it that there's more viruses today for Windows than any other operating system? And don't make a joke. Give me a real answer. Popularity. Popularity. You're 100% correct. Windows is the dominant operating system in the world. Which is, if you're thinking about the first rule of computer viruses, you need to replicate. Why would you write a virus for Macintoshes if you wanted to replicate it? You need to write it for the most popular operating system in the world, which is Windows. Windows 95, Windows 98. I'm sure I think Windows 95 is still the most popular operating system in the world. If Linux tomorrow became the most popular operating system in the world, you would see viruses for it. And, actually, there are viruses out there. And, there will probably be more. Alright, encrypting viruses will encrypt data, or themselves, or both, making it more difficult to remove. They may also make it impossible to retrieve your data if you remove them incorrectly. As we mentioned before, the monkey was such a virus. We move on to the file infectors here. Like in my artwork. My wife's the artist. I'm the computer geek. And, she looks at the end and goes, I could do better. I was like, you know you could do better. Alright, the way file infectors work, and we're just going to hit the stupid animation thing, so I can just go through this whole thing without having to press that stupid button. Would you just go, yes, it looked really cute Oh, damn, it went back. Okay, I thought I had more. The way it works is, this is the actual file itself. Work with me, people, I know it sucks. What the virus will do is, I'll put a cap around the front, and a cap around the end. So what it does is, the very beginning of the file, this code now states, go over here to the very end of the actual file and run the virus code. 
And the end of the virus code then points to the beginning of the actual file during the actual file that you needed to do loading the virus into memory. The easiest way to identify that is, I used to have a script that I ran on my systems weekly that actually did a binary compare to my backups to the actual files that were relevant, executables, com files, so forth. And it found some files that were larger, that were executable than they were last week, that's a good indication. Can anyone tell me the maximum size for a com file? What? 64K. What happens if you see a com file that's 1024? You have a problem. So start looking at these files and looking at the numbers. If you're sort of seeing, there were some actual viruses out there that would, each time you ran it, would actually increase the size of the file. And the purpose of this was to fill up your hard drives, and the next thing you knew was, kind of, I only have three programs and my whole hard drive is completely filled. These were back when there was like 10 and 20 gig, or not 10 and 20, 10 and 20 meg files, you know, hard drives out there. When people said, hey, I have a 100 meg hard drive and people were like, whoa, how much did that cost you? $2,000. What a deal! Can you get another one? Yeah, it's true, it happened. And what these files would do is each time you ran, you know, executable things, each time you boot up, it would actually start adding to the size of all your executable files, not just the files, but all of the files. So you sort of ended up as like, okay, now I've got a com file that's like 10 megs, you know, what's up with this, you know? And you ended up with the full hard drive and then nothing worked, and then you had to sit there and go in, and then the files was as they just kind of kill off part of the code. The size stays the same. Your antivirus software didn't shrink your file back to normal. 
It just deactivated the code sequence, so it just ran the file normally, and all those extra code was left in the front in the end. So you still ended up with these huge files, and that was bad. Multi-partite viruses will infect both the boot sector and the files. So they got to come in and go in. So if you got a file via email and you activated it, it infected all your executables, all your other type of files, plus it infected your boot sector. And then if you got a disk from somebody, and that was infected, it did the same thing and infected the boot sector and all the files. These guys were pretty nasty. That is really an annoying animation. Just thumb me on the head after the thing. The problem increases the spreading capabilities of the virus by disk, email, or any other way to move media. The multi-partite viruses are still the most popular. The anti-EXE and the anti-CMOS are two such files, or two such viruses. Anybody ever get hit with anti-CMOS or anti-EXE? Either one. Yes. Including myself. I got hit with anti-EXE. Those two are some of the most popular ones out there, and they're still alive today. Those are particularly nasty. I happen to know of a single virus that's out there that was a type of anti-CMOS virus. I never saw it in the wild. I've only seen it actually running, and I actually don't know if it exists in the wild, and I didn't even know what the hell I named it. But someone gave me a demonstration of it, and I think he was the one who wrote it, or got it from this buddy who wrote it. And what it did is it not only did it screw up your CMOS, but it changed the admin passwords on your CMOS. So you couldn't even get into your CMOS to fix it. And I was like, oh, that's evil. Can I have a copy? No. Whatever. Wonderful research, really. Sorry, it was just proprietary. I said, you're a virus writer. We need this proprietary. You got a copyright on this shit? You want to go to these guys and go, so tell me, what do paint chips taste like? 
It's like, whatever. That's game script kiddies. How many people have actually been hit by macroviruses? I see a lot of the same hands going, yeah, me again. I'll try to make this damn talk. I have nothing but a huge busting PC of viruses, you know. What? On the corporate network? Are you responsible for the antivirus? And you're so employed. So you're actually not getting infected, you're just getting hit with them coming in. Okay, so you're doing your job. All right, I apologize. Good for you. You rock, man. I was saying, if you're in, you're getting hit with all these and go on. And you still work? What are you? Dad owns the company? Mess with the secretary? What's up here? You mean the president's wife? We're like this. Actually, we're like this on the one over here. Actually, you bought up a really good point. When I worked at the antivirus company, and I can't really mention who it was, and although I slipped last year and mentioned it, so anyone who was here last year actually knows. When I worked there, we would get on the average of 200 to 300 brand new viruses never before seen in the wild each month. These are not wild viruses. These are brand new, never seen, have to write DAT files for. That number's increased to about 500 to 600 now. All right, the way macro viruses work is someone with a brand idea, hey, let's make life easy for all of our end users and give them programming capabilities in their Excel and Word spreadsheets and stuff like that. And we let them make everything easy. They just press one button and they'll do all this neat stuff for them, for all the lazy people. And then the virus writer stepped in and said, hey, that's a good idea. And he started looking at it and went, but we'll make it really easy. We'll use the normal.dot file. And everything will be kind of the starting place. They'll be like the MBR of your Excel spreadsheets. And the virus writers went, hey, that's a good idea. And they started using that against the problem is. 
Your normal.dot file is your startup. When you create a default Excel spreadsheet, it's the normal.dot file that gets run through first, looking for anything that it needs to do. So a lot of these macro viruses would just change the normal.dot file or replace it and add their own code. It was doing what it normally would do, but there's a little extra stuff there. Really popular one, actually, when the first one came out, was the Rainbow virus. Anybody get hit with the Rainbow macro? Nobody? That was kind of cool. You know Windows, you know how you have your color scheme on Windows, where your borders are one color and the buttons are another color and the frames are another color and some flaming guy with a hard on for colors colors everywhere. Rainbow would do things like, let's just make everything white. Let's make everything black or red or blue. Let's just make it, let's say, one color. You run it and your text is like... it's actually pretty funny. But it wouldn't just do like one color, sometimes it would just start randomly changing all the different colors. Every once in a while you get hit with that one color scheme, but sometimes you get hit like, you know, I want mauve, but I want pea green and I want bright yellow and you're going, whoa! Damn! Cheese! It's like, you know, a rainbow puked on my screen. And they're just ugly colors. Why were the colors there in the first place? I have no idea, because nobody who's not on crack would ever use them.

All right, Trojan horses. These are programs that are put onto the system by someone, or you are tricked into activating them yourself. Most often these are backdoor programs like that. Yeah. Okay. Now, when I was at H2K and I was going to do this talk, a lot of people said they wanted, because I hang out with a lot of people at cDc. Do we have anybody from cDc here? Anybody? An associate member is better? Okay. cDc guys, I hang out with them every once in a while and drink beer. Just don't tell my wife.
And people said, they were like, you know, what are your feelings on the cDc? And I understand, you think... I think they rock. I think they're brilliant. DilDog, Deth Veggie, Pond, you know, Kingpin, these guys. They're brilliant programmers. Do I consider their product a virus? No, I don't. It can be used as a Trojan horse, yes. But what they're doing is they're trying to progress people to, like, secure their systems and trying to get the people who like the operating systems to, you know, make a change, you know, and make a difference. The biggest argument is like, all right, what's the difference between SMS and BO2K? One's free, one costs a couple thousand dollars. So, I have absolutely nothing against them. As a matter of fact, I think they're fantastic people. An instrument.

Fakes and false alarms. That was the slowest of these animations I can have on this whole screen. Yeah. Yeah, that was pretty bad too. All right, the fakes and false alarms, they're spread by email. That's the biggest one. Now, the email itself becomes the virus. How do you tell whether or not the warning you're getting is a fake or false alarm? Any arguments? I didn't think so. Read this. Next line. It's important. This is amazing. First of all, I'd like to point out Microsoft does not send out virus warnings. "This just came back from Microsoft. There's a horrible virus that's out there." No. And read this in huge caps, followed by this. That's using my first name. Okay, click. But the problem here is... All right. I'm not going to make you raise your hand, but I know that some of you here are guilty of this. "Oh my God, it's a new virus. I better send everybody on my list this whole virus information. They've got to know about it." And you'll send them. I know some of you guys have sent these to your sister admins. I know you have. You know how I know? People are like... I know you have. Because I've read them. I get them. And it's like, no, it's not a virus. No, it's not a virus.
"And send this to everyone you know." So I like to send them to Bill Gates. And, hey, this came from your company. Is it true? I don't get a reply. One question. I didn't catch a single word. I'm so sorry. I'm trying. I think I know what you're saying is you can actually go to different places and find the hoaxes. And that's actually what I was going to point out. Because I read the hoaxes. Oh, I know what he's talking about. Yeah, if you're worried about whether or not it's a fake or a false alarm, honestly, go to the antivirus companies and they have spots there on viruses in the wild and the known fakes and false alarms out there. And Virus Bulletin over in the UK is also a great source for that too. So before you start spreading these out to everybody, go check there. Oh, God. Okay. You have to die. All right. Yeah, but the problem is I'm probably going to make a bumper sticker on them and put them back in my car. Okay. Yes. Uh-uh. I asked Mom and she said, damn, that was right. Did anyone actually get the joke? Yes. Okay. Actually, yes, you're correct. And I have to be corrected by a kid. How old are you? 11. I get corrected by an 11-year-old kid. I'm on camera. With the person in the audience. Okay. No, you're right. That is not the correct definition of damn. I actually did it as a joke.

All right. The problem we have with Visual Basic scripts, and this is the virus code of preference right now, because anybody can write these. They're really, really simple. And it's the damn kiddies out there doing it. I talk about computer viruses, but never once do I ever tell you guys to go out and write them. There's a reason for that. My personal opinions are, and these are just my personal opinions, writing malicious code that can actually go out there and ruin people's lives is not funny. It doesn't make you elite. It doesn't make you awesome.
And you don't impress anybody but your close friends in your own little tight circles, who are nothing but script kiddies anyhow. No one has the right, under any circumstances. I don't care who you are. I don't care if you're the government, the guy next door, a gang banger, a script kiddie. You don't have the right to ruin a person's life under any circumstances. And that's where I stand on that. They all like you. Oh, damn, you got heavy. That's true. That's true. There was a difference between a virus writer and a guy who spray paints his name on the wall. Doesn't do anything to piss people off. It was making sense to me. And for the record, no, I have never written a computer virus. I can. I have chosen not to. The I Love You virus, when that came out, was actually devastating. The problem I have was the press was going, this genius kid wrote this amazing virus, and they're going, no, the kid was not a genius. He was smart enough to write the virus. Says my mom. And says the maid at the company I work in, the guardsman, the kid that says, would you like fries or something? I mean, this doesn't make you brilliant. Visual Basic scripting is immensely easy. You can take someone who's never touched a computer and six months later they could be writing Visual Basic scripts. It doesn't make a lot of sense. But the problem we have now is that we're going to see a lot more coming down the pipe.

Now, before we actually go into the conclusion, Steve, can you come up? Tell me what the future of computer viruses is going to be, and I'm going to tell you right now what the future of computer viruses is. And Steve, actually I met Steve here at H2K. He's a great guy, really brilliant man. Not a script kiddie, a brilliant guy. And we were talking during the conference here. And I'll give you the description I gave at H2K. Imagine the whole world staring at this big huge fan going really fast. And above that, this big truckload of crap, and it's tilting towards the fan.
That's your future. Followed shortly by a shower. What Steve brought to my attention is research has been done to show that you can actually create binary hostile code, like boot sector viruses, embedded inside Visual Basic scripts. Where you don't even have to read the e-mail, you just have to receive it, and you could be hit with a boot sector virus or a Trojan horse like BO2K and get nailed. Now, people here, how many... does that scare the living hell out of you? Yeah. It's actually live right now. You don't even have to read the e-mail. Now there was a thing with Microsoft where they actually had the vulnerability with Outlook and IE Explorer, and for anyone who's curious the fix is real simple. It was just: upgrade IE Explorer 5.5 with the Outlook attachments, unless you're running Windows 2000, and with Windows 2000 it's Windows 2000 Service Pack 1, which is released tomorrow, I believe. And that's the fix, and they're supposed to be coming out with a patch. But even with that version fixed you can still get nailed with some of these things coming down the pipe. So you could actually be working your system. It used to be like, hey, don't worry, go ahead and read the e-mails, as long as you don't activate the attachments you're safe. This is not the case anymore. You want to go into more detail? Sure. Oh, you're live. Basically, inside a VBScript, and some of the more advanced programming features that are available to you there, you can treat a binary file like a boot sector or a Trojan horse as a blob of binary data saved to an array, and you have the VBScript... it could save that information to a disk and then execute it like it would execute any other command. So the binary itself isn't executed within the VBScript; it's carried there as a random blob.
The VBScript itself doesn't know anything about it, but it will write it to your disk and then execute it like it can execute any other type of DLL or command running on the system, and actuate the boot sector or BO2K, but spread at the speed we saw I Love You and Melissa. Imagine hundreds of thousands of systems hit with, like, BO2K. That's cool. That's cruel. I was like, that's cool. I guess it would be cool if you were the guy sending it. But I'll give you an update for those who... just a little spot here. When the I Love You virus hit, F-Secure identified the virus within two hours of it hitting the U.S., and within three hours traced it all the way back to the person who wrote it. So if you think they can't find you, you are so dead wrong. Anyhow, that's my talk. Thank you very much, and we'll take questions.

That's a really brilliant question. The question here is, why won't they detect compressed executable code? Because it doesn't follow the signature file, which is why I said use the Finjan software. If they ever go to a security conference other than something like this and Finjan's there, their demonstration is actually very brilliant. What they do is they take BO2K, and they have an antivirus product software, and they try to activate BO2K, and the antivirus software detects it in a heartbeat. Well, then they run it through a compression process which doesn't decompress when it executes, and then they run it, and the antivirus software completely misses it. And then they activate their software and they do it and, boom, their software hits it, because it runs it in a ZMZ. It says, hey, what? This is malicious code, we'll stop it. That's why I said back yourself up. But the reason why is because it changes drastically, and once they figure out the signature for that one, you can compress on these 3, 9, 12, 60 times and change the signature. Sorry, how do they track it?
I don't know, I wasn't involved with that, but I got to see some of the white papers, you know, so they weren't lying. Do you think that's the only vulnerability? Yeah, that's the only one that's been released. Yeah, right, the thing is, that's exactly right. The problem that we deal with right now is we'll discover our vulnerability, but the moment someone else discovers another vulnerability it gets exploited immediately. Myself, look out, I like to go into the device mangler myself and play around in there too. So, next question, anybody? What happens when the scripting host is uninstalled? We don't know yet. It gets reinstalled? It gets reinstalled. I haven't heard anything, but it wouldn't surprise me. It sounds like a cool idea. I'm going to research it. If there's any viruses that attack the antivirus, the antivirus software? Yeah, the multipartite, yes, the file infectors, yes, they'll actually attack the thing. But the antivirus software products themselves actually check their own executable before executing to see if they're actually done, so I don't know of any viruses directly that actually prevent that. How much time do we have? I think I've got about four minutes. No? Yes? I'll be off here in a second. One more question, then we're gone. There are the products you can set it up in here, like you said you can set it up in your sendmail. What I do is I actually, I block viruses at the firewall using F-Secure's antivirus software at the firewall level, so it hits the firewall and says, hey, you're out of here, you're out of here. Also, by the way, for something like that with a firewall antivirus product: really fast machine, lots of memory, lots of CPUs, trust me. Yes, it does. Yes, it does. Anyway, that's my talk. Thank you much.