Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Mr. Washburn’s Explanation

Edward Wilding
Virus Bulletin, April 1991, p. 21
ISSN 0956-9979
April 1991

1
[Back to index] [Comments (0)]

The existence of numerous ‘Lab’ viruses (code written for experimental purposes to ‘assist’ the development of anti-virus software) presents both technical and ethical dilemmas to anti-virus investigators. Mark Washburn’s ‘experimental’ viruses, which are reported in this month’s edition, present particular difficulties as the programs do not appear to have been written with malicious intent. The publication or open discussion of the encryption methods employed would be unwise because these viruses effectively invalidate the hexadecimal search pattern as a reliable means to detection. Worse still, his initial methods were made available in the public domain which accounts for the ‘hacked’ Casper virus which VB reported in January 1991 (p. 24). In view of our intention to report his activities, it was decided that Mr. Washburn should have the opportunity to explain himself; with this in mind a letter was sent to him at his address in the United States.

8/2/91

Dear Mr. Washburn,

We are currently analysing the 1260, V2P2 and V2P6 computer viruses, as well as a destructive virus called Casper which formats track 0 of the hard disk on an infected PC.

From reading Patricia Hoffman's listing, it would appear that these viruses were written for experimental purposes and their distribution has been carefully limited. VB will publish a technical analysis of this series of viruses (albeit with some sensitive information removed) in the March 1991 edition.

It would be helpful to publish a statement by the author of these programs providing the rationale for their development and an insight as to how and to whom the programs were sent for analysis. The appearance, in the 'wild', of source code for the Casper virus has caused much concern - any clues as to how this source code came to be in circulation would be most welcome.

Thank you in advance for your cooperation.

Yours faithfully,

Edward Wilding Editor

February 21, 1991

Dear Mr. Wilding

I originally created V2P1 (the 1260) as a demonstration of programming technique. Specifically, my intent was to exhibit a problem of relying upon fixed scan strings as the sole method of detection. The 1260 (object) was labeled as a demonstration virus and publicly offered. V2P2 and subsequent experiments have restricted access.

I do not have a copy of the 'Casper' virus; however, it is my understanding that the object code is derived from a disassembly of the V2P1 demonstration object code.

Generally, for virus code of this type, the decryption routine is the primary target for the scanning pattern. The basic principle behing V2P1 is to pseudorandomly generate a decryption routine that is used to mask the effectual virus code. The total effect is that it appears as if every byte of code changes.

I believe the V2P6 experiments created the first true patternless viruses. To this date, I have not received contrary evidence. For example, the V2P6 derivatives can generate thousands of 4-byte (more than 6500 5-byte) GREP patterns; in contrast, the 'Ontario' virus can be detected with one 5-byte pattern.

Because my experiments have created the patternless 'monster', so to speak, I've developed a TSR monitor that effectively stops all executable file infectors. SECURE v2.22 also warns of boot sector viruses and offers basic Trojan protection.

I look forward to a transcript of your review of SECURE or my virus experiments.

Sincerely,

Mark A. Washburn

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua