 All right. Are you ready? Hey. All I got to say is, I was walking into the talk and he was like dumbfounded going, all these people are here to listen to me. I was like, hey, it's all good. Okay, so I'm going to do this. IceTrain. He's going to give a talk today on viruses, worms and Trojans. Where are we going? You know, like a lot of us, he's been involved in the scene for a lot of years. He's done a lot of cool crap. So I'm going to take it away. And he isn't going to use PowerPoint. Flight to power. Actually wrote a PowerPoint. I really did. I wrote a PowerPoint for this. Actually wrote a PowerPoint for this presentation and I'm probably, not only am I not going to use it, I'm using not only just a Windows XP box, but this thing is actually infected with Sasser. So, it happened to me in the airport. I don't use Windows, so I have to use it basically just for work. And unfortunately, I got in the office and I saw the dreaded "Your machine is being shut down." Shit. And I was like, fuck. You can't hear me. Is that better? Hold it like a rapper. Is that what you're telling me? All right, now hold on. You got to do it right. We're going to need a shot glass. No, that's not what I'm looking for. A shot? No, a shot. All right, hold on a second. Abbie here is going to help you. You were the first one up, so you get the shot glass. You can get some. All right, so basically the title of this talk, as we're playing with this stuff, is I don't want to sit here and waste a bunch of time. Somebody's stepping on my cord here. All right, the title of this talk is Viruses, Worms and Trojans: Where Are We Going? And basically, the concept here is essentially that the concept of popping the box is boring and stupid. Quite honestly, viruses have gone along throughout time, having little to no fucking payload. They've done nothing. We can go through all the different viruses and we will, and obviously not all of them, but we're going to go through quite a few of them. 
And quite a few of them have done absolutely fucking nothing. Elk Cloner is possibly one of the best examples of this, having literally no fucking payload whatsoever. So basically, we've gone along and we've invested all this time writing these viruses and some of them are really fucking intelligent. They're really quite beautiful. Blaster was an incredible virus. It's not, you know, incredibly coded. It's just incredibly fucking clever. Well, I use, okay, ground rules. I use the word virus generically. I don't give a fuck about worms, Trojans or anything else. I'm going to call them all viruses because that's exactly what they are. Any classification of the differences is bullshit. They all do the same thing. And I use the word viruses and not by right. Those are the ground rules. Sorry. That's to answer your question, obviously. I expected to give that answer. Anyway, so Blaster was actually an intelligent, really beautiful virus. And essentially, and I think quite intentionally, it basically shot itself in the foot. So as we've gone along throughout history, we've had all of these different viruses and absolutely none of them have done a fucking thing. Little to what the media has told you, quite honestly, they've done nothing. No tankers have capsized. We've done absolutely fucking nothing. That's the hook right there. These could. And the even more scary part, of course, is that the media in and of itself has devalued the concept of viruses in and of itself to the point where no one cares anymore. All right. Sorry, I don't think I've actually ever talked to a crowd quite this big. I'm really surprised with the turnout. I hear myself and I'm like, what the fuck? All right. So essentially, that's just a basic overview. I'm IceTrain. I'm actually not allowed to tell you who I am or what I work for because my boss sucks ass. Some of you may have actually run into this. And quite honestly, it pisses me off. But we'll say I work for a certain cable company. 
This cable company has a very phallic name. I'll let you figure this out. I've said nothing. Oh, and by the way, my real name is the name of the first man. If you can figure this out, I don't fucking care. So anyways, from going on, basically the next talk, and I actually wasn't going to put this in my talk. But the next point of this particular thing is morality. I actually wasn't going to give this talk. I don't particularly believe in writing viruses in this particular talk. I have actually written a concept for a virus. It will not be written. Let me rephrase this. It will not ever be written. Thank you. It will not be written. There is no code. This is not a fucking euphemism. There is no fucking code. I'm not going to write it. But the concepts that are within the virus in and of itself are very good. They're very solid. And nobody's quite thought of them before. The unfortunate thing, of course, is that about a year and a half ago is when I decided to write this. And it was a great idea about a year and a half ago. I was actually going to write a paper about it. I wrote out the outlines and a bunch of notes. Basically, the problem here was that current viruses ended up starting to do some of the things that I was talking about. It's yet another case of me being ahead of my time. Only 15 minutes, though. So I wrote this paper. Well, it wasn't really a paper. But I wrote this thing and I thought, well, that's great. Let's go ahead and present at DEF CON. And I wrote it in. I'm surprised to my fucking belief that somebody actually wanted to hear this. Hence all of you bitches are in this room. But the morality of this thing is actually quite simple. I really didn't want to talk about this because, quite honestly, many people gave me shit. And they told me that I was letting the genie out of the bottle. I was writing something that very possibly could cause a major problem. To tell you the truth, the idea that I have written out isn't really that revolutionary. 
I don't think it's all that interesting. But there were people who were actually scared, including my boss, and who told me not to talk. In fact, to be quite honest, I very well might not have a job when I'm done. I don't really care. Anyway. So more or less, the morality is that, quite honestly, the genie isn't in the bottle. If you think the genie is in the bottle, you're kidding yourself. Somebody else, there are what, 272 million people in the United States, somebody has fucking thought of it. And quite honestly, not only have they thought about it, they've probably come up with at least a half-ass implementation of what you've already thought about. The genie isn't in the bottle. And that's actually why I'm standing before you now. Because if it were, I probably wouldn't be talking to you because I'd be too scared that somebody would actually write this. All right. Anyway, that's enough about that bullshit. Giving you a bit of the overview, need a little more alcohol here. I've already given you a bit of the overview. Basically, past viruses were basically little neat hacks. They did cute little things. They put, you know, messages on your screen, alerting the user, of course, to their presence. And alerted everybody in the world to the fact that they exist. But the problem, of course, with that is that they shot their potential in the foot. By alerting everybody in the world that they existed, you've now, like, not only told people they existed, but now people are taking countermeasures. A lot of people think, well, that's great. That's absolutely great. Except the average user isn't going to notice exactly what I've done here. You're right. But CNN is. They are going to notice it. They're going to advertise it. And it's going to turn into a little media bitch. And basically what's going to end up happening is your virus is going to go away. That's basically what the main message of today is. 
The viruses of today are so ridiculously over, over, over, God, I can't even think here. The viruses today are so overzealous that basically they don't do a goddamn thing. Blaster is my absolute favorite example of this, quite honestly. I'll tell you a little story about that a little bit later. But it did nothing. It really did nothing. Look at the payload. Let's see. What was the payload of Blaster? The payload of Blaster was, oh, yeah, a cute DoS attack on Microsoft. Oh, how interesting. That's nice. Except the only problem, of course, is that Microsoft actually went about changing their DNS records and they got local ISPs to go ahead and cooperate. And the fucking attack, not one packet reached Microsoft. Not fucking one. Because not only did they change the DNS records, but they felt it was probably sane to take Windows Update down. And they did. And nothing happened. It was worthless. It was a pile of fucking shit code. Great idea. Great implementation. It went nowhere. To be quite honest, most of these viruses are like that. Sasser. We've got a million, pardon me, a million different variations of Sasser. What exactly does it do? Oh, cute. It opens a proxy. Actually, it opens 72 of them. It opens a proxy, pops the box. Okay, that's great. What are we going to do with that? Well, what we're going to do with that is we're going to go ahead and allow people to say, do DoS for hire. Yay, that's fun. We'll go ahead and DoS for people. And we won't even have a real cause to this particular subject. We'll just go ahead and DoS them and we'll take money from it, from whoever the fucking highest bidder is. Well, it's a nice idea. It's a nice sentiment. To be quite honest, I think we could do a lot fucking better. Basically, all of this stuff is essentially boiling down quite innocently to that. We could do better. Hold on one second here. I got it. Let me down because I'm actually, I know I keep using it. All right, so that's basically the overview. 
We've got so many problems that I've already talked about. One of them, of course, is the fact that we shoot our potential in the foot. The other is a general lack of ambition. And yet again, we'll bring up Blaster. Blaster's main problem, of course. Yeah, a DoS attack. Yay. Real fun. Let's do something interesting. Let's... Well, I'll bring that point up later. Let's do something interesting. A DoS attack really isn't that fucking interesting. Yay, the box goes down. Big deal. The box will come back in four hours or whatever they decide to update their ACLs and change the way that you come through. So... I know I'm working on that. All right. The other problems here, of course, are lack of vision. There is absolutely no vision in viruses. They really aren't very imaginative whatsoever. And this is the basic overview, by the way. I will go into detail. I won't be done in 15 minutes. Another problem here, of course, is lack of code. This is speaking mostly about old viruses. And I don't know how many of you people out here actually know, but quite honestly, most viruses are actually based off of some of the original same code. They're all using... Not all, but quite a bit of them are using the Stoned viruses. Some of them are using a lot of the code from the first macro viruses for Word. They're all using the same shit over and over and over again. The entropy is so ridiculously low that they literally are the same viruses, except they're doing like a fucking search and replace on the payload. All right. So what else do we got here? Another problem with older ones is actually too many platforms. We had Amiga. We had Commodore 64. This is back in the old days, obviously, 1992 or so. We had Amiga. We had Commodore 64. We had PCs. We had Mac. We had Apple II. Way too many platforms. No real penetration of the platforms in general. Really hard to implement virus within those platforms because of course there's too many people that aren't using all the same thing. 
And of course not enough penetration, which I just covered. All right. How am I doing on time here? I'm at what, 12 minutes? So the methodologies are interesting, but it's because the driving force basically here is greed. And most likely the problem with that, of course, is that while greed is an interesting motivator, you don't really get anything done just looking for money. I'm talking about using viruses here to change the world. I'm talking about using viruses to change social order. I'm not talking about viruses to make $100,000 DoSing Google for some fucked up reason for some Middle Eastern country. There's no fucking cause or interest in that particular point. Okay. So, hold on a second here. I think I could have used the PowerPoint. It probably would have straightened me up, but that's all right. God. So basically what happens is if somebody figures this out and somebody uses this, they could very easily screw us all. Quite honestly, if they were to figure out that the methodologies in and of themselves are shooting the virus in the foot, they could invent a virus that could very well drop everything. It really could become basically what is the media darling's vision of, say, like hackers, the Michelangelo virus tipping a fucking tanker over and all these bullshit stories that we've all heard. All these bullshit media stories that we all hear about. Quite honestly, because of the media, and I've already touched on this before, the fact is that they're underestimated and if they are underestimated, they will be used against us. We just don't quite realize it yet. So essentially, basically what I've worked up from here is I've actually worked up quite a few different viruses and I'll state this right now. I'm not necessarily an expert on this stuff. 
Basically the jewel of this particular talk is the fictional virus that I wrote and that particular virus, quite honestly, while interesting, it doesn't exist and it will never exist unless somebody here ends up trying to write it. Maybe I'm going too far. Anyway, all right. So basically, hold on a second here, most viruses as it comes up today are basically known as little more than a nuisance. They don't really do anything. We've already covered that. They basically cost companies money and the media covers them, ha ha ha, happy fun stuff. All right. So let me switch off here. Yay. Obviously one of the things that we have going for us in the current implementation of what things are happening is automated patching and all sorts of other fun stuff. We can actually educate the users and tell them the fun of patching. There really is no way to get around this stuff. Quite honestly, I really wish I weren't kidding, but quite honestly, if somebody does figure out what we're doing, we're fucked. So basically the problem today is that today's viruses have nothing more than simple greed driving them. Because of that, they aren't very interesting. There's very little code that's being invented because all they're trying to do is make the quick buck. It seems basically today that the only concept that you want to do is you want to go ahead and you want to get a back door open to a machine. You want to use this to spam out. You want to use this to cause some kind of harm to some website, which while fun isn't really quite that interesting. So we go along and what? Am I doing all right? Are you sure? What? I noticed that. We got a vote here. What's up? Going to the concepts. What do we want to hear? Do we want to hear about the old shit or do we want to hear what I actually wrote? The new shit. All right. So let me at least touch base on the old shit. We got all this old fucking shit. It's bullshit. It's payload blacks. Relax. Relax. Listen. Listen. It's bullshit. 
It's payload free. It's all the same message. I can go on and on and on about it. I don't fucking care. There's nothing there. I am saying something. All right. New shit. What if you were to use a virus to actually do something interesting? What? No. The companies out there are doing VoIP. A bit of them doing VoIP. Let's think about this for a second. We got quite a bit of them doing VoIP. A significant fine if 9-1-1 goes down. If you were to say DoS a VoIP company, you could probably DoS it right out of fucking existence. It's ideas like this that I'm talking about. This is exactly what I'm fucking talking about. This is exactly what I'm doing. We're saying what we're doing so far is we're popping the box. What the fuck fun is that? That's when you can drop a goddamn NASDAQ company into the toilet. So what? Even if they own the internet, they can't control the shit. I'm trying. I'm trying. Concepts. I'm working. I'm working. I'm working. I'm working. Hold on a second. Jesus. Okay. I'll spread to the fucking middle. Jesus. Actually, I spent a lot of time in this, but fuck the foreplay. Let's get to the fucking. All right. Get up. I'm not the one who's scheduled to talk. I just admitted it. All right. So we have a virus. We use RPC DCOM just for fun because I love Blaster. Blaster is a shit. We'll insert ourselves using RPC DCOM. What are we going to do with this? Well, what are we going to do with this? Very fucking little. We're going to insert ourselves into the box. We're going to go ahead and spread, but the question is exactly how the fuck are we going to spread? Well, how we're going to spread is we're going to go ahead and we're going to fan out a scan over 36 hours. The scan is going to be over a slash 24. That slash 24 is going to be a remote network not attached to that machine. That network, of course, is going to be remote, obviously, and it's going to be spread over 36 hours, not tripping off the IDSs. 
The IDSs, of course, won't give a flying fuck of what's going on because they'll see one packet a fucking hour or less or more or whatever. It doesn't fucking matter. Now, from there, so we've already gone and we've scanned. We're going to scan the local network, obviously. Now, here's the point. We're going to scan one network. We're going to scan the remote network. We're going to look for two fucking hosts. Two. Two. That's it. Two fucking hosts. Stop. You're done. Two hosts. No, wait. How the fuck did we find Blaster? We found Blaster because of goddamn network traffic. I got called on Blaster. I shouldn't have got called on Blaster. I'm not responsible for viruses. I got called on Blaster because Blaster was a network security DoS attack. The NOC called me about that. I was rather pleased. And quite honestly, when they called me, I didn't quite know what to do. I was looking at it. I had bad information. I had Arbor looking at me and saying, I don't know what the fuck this is. I see shit coming in from everywhere. Port 135, blah, blah, blah. If you were to slow that down and only infect two hosts, while you wouldn't infect the world in eight minutes, what happens if you weren't to infect the world in eight minutes, but you were to actually just go about infecting the world in, say, six weeks? If you did that, nobody would even fucking know you were there. Where I'm going with this. That's the whole concept of this talk. The rest of the shit I was talking about was fucking filler, obviously. And you didn't like it, which is fine. Trust me, I'm not insulted. The point is, spread your shit over 36 hours. Spread the scan over a small block network. Randomize that network. Don't always look for a slash 24. Look for a slash 27 some points. Look for a fucking slash 20. Look for something that nobody's going to fucking know. Spread the two hosts, two hosts. That's it. Come back out. Spread to one host locally. You've now got three hosts that are infected. 
Those three friends will tell three friends, tell three friends, tell three friends, and you'll have fun. Now that you've got all that out of the way, you've got your spreading. Of course this will operate in the secondary portion where basically you are going to more or less, oh my god, you are basically going to more or less come along and what? You're basically going to more or less come along and simultaneously, once you're done scanning, come through and actually start the infection. What is the infection? It doesn't fucking matter. Here's a nice example, though. How much are spam lists? Anybody know? Somebody's bought one. Come on. How much are spam lists? I can already tell you. I've done my research. It's $3,000 to $5,000 for a halfway decent one. You can pick up a piece of shit which has got no actual information on it. You can pick up a piece of shit that's got no information on it for, say, $500. Why are they so worthless? Why? They're so worthless because all of the information that's on those disks that is on spam list is garbage. They have no real information on there. Most of the spam they're going to send out are bounces. So, we now got a target. We're going to accumulate a spam list. Closer? There we go. Can you guys still hear me? Okay. We're going to accumulate a spam list. How are we going to accumulate a spam list? What we're going to do is we're going to go ahead and start up our virus. We've got the actual dump and we're going to go ahead and start actually doing something. We've spread. We've got the light portion of the virus taken care of. What we're going to do from there is we're going to go ahead and start up the actual dump. What are we going to do? Well, let's hear something off the shelf. We've already looked at Outlook fucking address books. Open it up. Join IRC. Join IRC as a clone. Attach a key. Start up. Dump the address book. It doesn't sound all that interesting, but think about it for a minute. 
There are global address books in companies. I can tell you right now a certain company that I know of has 45,000 addresses in that global address book. Each and every one of those addresses is more or less confirmed. How much would a virus list be worth if you were to take those global addresses, shove it off. These are confirmed addresses. These are confirmed customers. These are confirmed business customers. You can do something with this. You announce your key. You dump the list. You shove it off and you walk away. By walking away, of course, I mean you delete your holes and you walk out. You walk out of the door you came in. You close the door. You delete all fucking remnants of it. It doesn't sound very interesting, but you could infect the entire world very simply, very slowly, but who the fuck would know? Nobody. What are you going to see? Let's do a netstat on this particular thing. You're going to see a connection to 667, or our port 667. Who cares? Nobody, no user is going to know this. CNN isn't going to know this unless they happen to catch it when it's fucking coming on and dumping its info. Because it only comes on and dumps at their point, nobody is going to fucking notice what exactly you're doing. You've got your netstat. It shows port 667. You see it as a momentary connection, probably 8 to 10 seconds, and then you're gone. Nobody will know. Quite honestly, if you were to do this, you could do all sorts of shit. It's not just the, it's not a spam list. I mean you could do that too, obviously, but it's not just a spam list. You could take this further. You could change up each and every one of these particular subsections and do anything you wanted with this. The concept here is sanely scanning for what you're looking for. Instead of looking for stuff and spreading in 8 minutes, yeah, that's great. You spread in 8 minutes, except you've alerted CNN and everybody's already taken countermeasures. Your virus has just been shot in the fucking foot. 
There's nothing you can do. You've got 45,000 people done. What if you had everybody in the fucking world connecting and dropping their goddamn address lists off? Right there in and of itself, that is exactly what we're talking about. And the fact is, is that quite honestly the media has completely ignored the fact that viruses can do anything. We've gone ahead and said, oh yeah, they're cute. They're neat. Blaster was responsible for this many mail servers going dead. This many things happened, well Blaster did that, but you know what I'm saying. Any virus was responsible for this many mail servers going dead. Any virus was responsible for anything going wrong. And basically we've devalued the concept. The security professionals were sitting there staring at this stuff going, you know, there's nothing here. When the NOC called me, I was not frightened. I did not realize how much my world was going to change. And quite honestly it did. That's the truly frightening part about this whole thing. My world did change. Blaster took 26 hours because I had no fucking information. I had no view. I had no T's off the router. Nobody could tell me a fucking thing other than we had port 135 coming through everywhere. Think about if you were to actually launch that attack against the growing company. I'm talking about, I work for a company that has somewhere in the area 45,000 to 60,000 employees. Think about if you were to, and millions and millions and millions of fucking dollars. Think if you were to attack a small company. Think if you were to attack a NASDAQ darling. Think if you were to attack fucking anybody. Imagine what you could actually do with this concept. It's not just the one stop shop, and it's not just for virus lists. Start up a parser. And actually, like I said, I wrote this a year and a half ago. So this has actually somewhat been done, but not quite in this fashion. The delivery mechanism is still not there. 
If you start up a parser, start up a shit in an IRC channel. Ain't nobody going to notice, ain't nobody going to see. And if you're smart and you scan sanely, there is nobody there that's going to see this shit. You will infect the entire world and basically you can garner a list from anywhere.