VX vs Commerce


Nowadays

you can hardly see messages about massive epidemy of a worm, which was spread for self-affirmation of an author, for fun, for anything else but commerce. All viruses that are actively spread now, all malware that infect users' (and not only) PCs, aimed to make profit for their creators. In general, among the big amount of "kiddie malware" we can come across with very interesting (technically new) exemplars. We can just look at "TOP 10" of the most dangerous viruses on web-sites of the most famous Antivirus companies. About more interesting exemplars employees of AV companies prefer to write in the blogs of their company with slightly deep analysis of a sample. As a matter of fact among 100% of "kiddie-malware" you can find about 10% of interesting samples, which was coded by professional coders with using of interesting, hard technologies.

It means that not only script-kiddies, but professional coders and VXers also have changed their vector from "for-fun" to profit.The matter is that now besides self-affirmation they can monetise their knowledge and skills. More over some enterprising people who have quite good knowledge in IT, manage to gather some groups of talented programmers and hackers, creating sterling projects, aimed to infection of big amount of users' PCs. All these done for monetising, which begins from selling of confidential information and substitution of search queries till setting up proxy servers on infected machines and using them as zombie networks for DDoS attacks. All this vector of attack with proper approach and qualified creators can bring quite big money and this kind of business is not a rarity but a whole industry.

Also i want to point out such attacks as attacking on governmental organizations with industrial scale. These kind of attacks are usually sponsored by security organizations of developed countries, which pay serious attention to recruiting of high qualified programmers and thorough planning of such attacks. Anyone who deals with IT, heard at least once about such trojans like Stuxnet, Duqu, Flame Gaus, Red October. All listed above, and many others that have yet to be identified by AV vendors are not widespread. Usually it is a targeted attack with the amount of 1.5k of infected Pcs in "wittingly targeted sector". Such "cyber weapon" of XXi century proves that intergovernmental cyber-attacks are not myth, but a severe reality, actuality of which will rise year by year. Sometimes in media news we can see information about gaining teams of so-called cyber-forces. Such forces exist in the USA, Israel and now in Russia too. And all these done not in vain.

Let's try to get to know why all this happen. Imagine that you are an experienced programmer who possess knowledge in several areas of programming, system administration, system security, internal system knowledge, reverse and so on. So how can you monetize your knowledge? You can be hired in some IT company where your knowledge will not be assessed financially as you want. You can work as a freelancer doing some work. But firstly, there is a lack of really interesting projects, and secondly, just a few people can pay you properly. So what do you have to do? That's it! Professional knowledge will be spent on malware business. It must be point out that this kind of earning may become sterling and instant in proper approach. That's why malware industry is replenished with new adherents day by day. As a confirmation may serve new reports of anti-virus vendors, freshly found threats and posted in their companies' blogs, do not be lazy, look for them, there are a lot of interesting things :)


A lot has changed...

If in 90-th the payload of virus was a simple message box or some destructive actions at some day of some month, but now inconvenience to users of infected PC's is fixed to zero, now malware can survive on a PC with almost any software.

Polymorphism and metamorphism has changed to server-side level (all main works happen in server side), worms are now used only for spreading and dropping decrypted main malware trojan sample.

Antiviruses has also overgrown with modern technologies such as Virtual Machines (Sandboxies), HIPS, Cloud reputation systems and so on. Bases are updated not as before one time in two days, but two times in one hour. For most popular malware trackers are created for the fast reacting and detecting them. Now you will not surprise a user with a text file or mp3 with *.exe extension. The dominant source of infections is the drive-by attacks.


What will happen next...

In nearest future both antivirus and malware industries will go to a new level. Malware coders will change their vector from mass infecting to a target infecting. Such target aims will be PCs and networks with the most interest for the attackers. Such kind of aims will be governmental organizations, departments, major technology companies, banks, etc, in short, all the PCs, the information on which can be monetized or somehow can be used. Antivirus companies will start implement algorithms based on natural DNA (for example, Avast's Evo-gen detection), thus causing a massive amount of false positives (just look for evo-gen false positive detections in google), and malware coders always will be in one step ahead, as antivirus programs, with all their code-analysers, heuristics, virtual machines have to be satisfied with samples of already successful committed attacks (just try look for in google Duqu, Red October etc).

Besides that for a long time proven rootkit and bootkit technologies (and their modifications, representing a big problems to AV industry) are actively used. They are able to create self encrypted volumes and containers inside the system and in this way AVs have no chance to detect them.

What is coming up? Let's philosophize, what will be next.

Variant 1. We are all going to die. Joke ;) Globalization and commerce will bring the scene to a state where everyone will be a coder and a reverser and a seller at the same time. It means that there will be a few specialists who create not so high quality software due to acute shortage of time and knowledge. It is impossible to cover all directions at once. I know only a few people who are capable to do it at once. It seems the fingers of one hand will suffice to count them...

Variant 2. Due to information hunger single coders will unite and work together to create malware for monetization. It seems better than the first variant, but there is one "BUT". How can one contact and join them? It seems like one needs to upgrade his/her skills and demonstrate them at any possible way to be noticed and recruited.

Variant 3. With the joint efforts the scene will move to levels significantly higher than available. Let's say, a lot of professionals will work on government and they will code only targeted malware. In such circumstances, the competition will come down to sharing out the minor share of the market such as carding and ddos. The concept of a hacker would go finally to ass. And it will be used as tag (something like kiddie or just moron). At the moment it becomes harder and harder for loners and small groups to monetize their knowledge. Trackers, AVs, sploits. All go down in quality. For instance, the traffic was not considered as a product before, but now it is being looked for by many people. If earlier successful loads on sploit-packs was about 35% and now even 10% is the matter of talk. And what next? We will send fakes? We will infect mobile devices? Oh.. I flew something. And I go to Variant 4.

Variant 4. I can't see it for now. I can't say that we can rapidly become smarter and begin to work together to upgrade our skills. Monetization is too deeply embedded and in any scenario, someone will try to get the profit with collective intelligence. We need a fundamentally new stage of evolution that would give birth to a new scene. The old one has died, a new scene is ugly.... I look forward to the third generation ... I'm afraid ..


Everything has already been done for us ? NO! :)

Many people have "pattern" mind that everything is created, written, realized! But it is not far so. XXI century is time of technologies and everyday something is created and these can help us to improve old ideas or create something new at all. Any technology can be used in vx aimes. Viruses are written in scripts (viruses for CFF Explorer), virus-scripts for MatLab and Wolfram Mathematica.


Why old-school vx-coders don't like modern malware coders?

Most of old-school vx-coders are contemptuous towards today's malware-coders, because they believes that they spoil their art with "pathetic crafts" and try to earn money, thereby changing the attitude from respect to aversion to them. Unfortunately the dominant part of malware is "dull primitive" and anyway some people manage to earn money selling them. To be honest, the vx-scene has died! But there is a hidden meaning. The very concept of the old vx has died, vx for the art's sake (an idea of 90-th and 2000-th). If we look at modern malware-scene, in fact it is the same vx-scene, where exist "pathetic crafts", and outstanding works of art. Only vector of orientation has changed from self-affirmation to receiving profit (vx with commerce). The basic idea is not that the monetization has blighted ideological VX. The idea is that the ideology of the 21st century is monetization!


Our brothers... Ms. hackers

Let's talk about vx theme, about hack-theme. What's going on there now? There is an interesting situation there. Imagine a tiny green sprout, which is again and again making its way through the thickness of the asphalt to the sun. It vividly describes what is happening on hack scene now. Let's assume green sprout is intellectuals, who devoted their lives to IT. They are not just system administrators, who don't want to develop further staying at the same level year by year, they are people who develop their skills, possess new technologies, learn new programming languages, create new concepts in IT sphere - true hackers. In turn asphalt is commerce, rippers, resellers, government bans and so on.

Many peoples have "online work" in commerce, for many of them work in the real life has changed to online mode, and this is the evolution, it should be so!

And what is concerning to those who productively support the development of new followers, and also allow them to communicate with "old men" and vx-coders of the past? Talking about russian hack-scene, we can count on fingers the number of boards, where life exists. I would like to pay tribute honor and respect to the people who donate and still support such boards, sometimes paying for hosting and anti-Ddos protection from their own pocket, at the same time arranging quests for the "most interesting article", attracting "fresh minds" to writing interesting articles and new ideas, as well as creating a pleasant environment for collective code writing, developing collective projects for Members of such boards.


The spirit and purposes of VX. Philosophy of reasoning.

Here I would like to quote the words of one man, who lived during those times when the hack scene was born and grew up:
"I would like to pay separate attention to cause and effect, and besides that i too long time wanted to explain my point of view about who a hacker is.
Let's try to think about what is going on now! Mass information completely substituted the notion "Hacker"! If you don't know years ago the hackers was called the people who could find complex vulnerability of an important software or gain access to the networks of important organizations by using social engineering. They just found access to secret information and then informed an admin about how they managed it to do and how to be protected. If the information was specially deleted or substituted for a joke - it was a cracker ... Cracker! There were also Vx-coders and programmers. There were script-kiddies and diligent newcomers. But a hacker - is a character of higher qualification only . And it has only positive meaning.
Due to the substitution of the meaning of hacker now a hacker is called any idiot, who managed to use a public product on a dumb user's PC. This is very sad! What is old-school? Old skull? :) Why do members of old-school cling to the concept and principles?
Everything is simple, dear readers. Old hackers have tried that none of the newcomers will and they very grieve for those times. So how was it at that time?
And it was all simple. Do not forget that the formation of forums was in the days when anti-virus companies and other remedies were at a nascent stage and developed by very small steps. There were no ready-made code examples of a functional. The guides and manuals were the first and main source of information.
And what is most important - it was just fun and interesting. The fact is that there was no such global monetization at that time. We were all young. I remember the youngest of us was around 10-11 years. Professionals were about 16. We did not bother about money. We were eager to absorb the information. And it was our drug. Any 200-300-page topic began with the words "Guys! Look what I found!". And then millions of posts came about what it could be and how it could be used. Most of us just shared information and your reputation was higher, the higher the level of your knowledge. No one deceived because commerce did not exist almost. We found malware, reversed it, made builders and went mad from our power. Then we wrote a new one or discussed the old ones. And no one worried about lost profits. The freshest bugs of super-popular cms rapidly went to public access. And why? Just for the defaces. Funny defacing was for self-affirmation. And no one thought about getting the traffic, stealing bases or sending spam's to mails. It was not necessary to anyone.
What am I talking? The fact that we have switched from an abundance of information and friendship to the dirty commerce. We began scamming and hiding our knowledge in technologies. At best case 3-5 people can share with each other and work together creating something, and then monetize and maliciously divide the profit. Fuck. It is disgusting."


Thoughts about the combination of skills of guarded and the future of old-new vx-scene

Perhaps it makes sense to develop a full-fledged framework for help to spread malware (some attempts have been made in Framework Metasploit, but it was orientated to an exploit modification). A sterling worm, which uses the latest vulnerabilities, social engineering, created with techniques of detectability complications such as meta\polymorphic, permutation and so on taking into account the latest AV technologies. Thereby having set the challenge to itself and AV industry and even provoke a revival of the former old-school in vx-scene.

Another way of revival of vx-scene, in the previous trends, can be writing of all existing, and the new material in the ordered structure, starting from "primitives for MS-DOS viruses" (admittedly at that time, some of these viruses were not considered primitive and were a big headache for AV industry), finishing by relevant today's technologies. As the material can be used some excellent articles about virus conceptualization, as well as methods of code generation, polymorphism, metamorphism, permutations and many other technologies.
The structured explanation to all young minds in one source is not a trivial work, but in the future, this effort will be rewarded by new extraordinary young talents, who can think far beyond the standard understanding of programming of viruses in general. After all, if the AV industry started using algorithms borrowed from nature, the same may do VX coders, there is a huge number of viruses and bacteria now, which can not be handled by modern medicine, only after a major epidemic for which huge funds is allocated, it begins to develop a vaccine. (an analogy with computer viruses and AV).

Nevertheless, I support the opinion that the barrier of entry for VX coder should be high, thereby returning respect to qualified VX coders, set of knowledge of whose is far superior than the knowledge of many employees of antivirus firms and employees of the Internet Security companies, thus filtering out those who should be a bus driver and a school teacher.

After all, only the most talented vx coders will be able to present to the world a radically new model of the modern concept of the virus, based on some mathematical model, which is absolutely impossible to detect by standard, existing tools in the AV industry. In fact there are viruses that do not have a body and as a payload they gather the code from system libraries. It radically changes the idea both about heuristics and about emulation as a whole, without providing even possibility to classify this kind of virus. I would call such virus as "hostless virus", which means the virus does not have body at all.

Although today's exemplars are not militant but only a Poc (proof of concept), full implementation of such a concept is not far. Next, the hardware virtualization technology I would say for VX ;), since it makes too complicated the task of detection for anti-virus. Antiviruses are inherently not ready for something radically new, and the reaction to some conceptual virus of next 2014-2020 years will be a cap, which the authors of the virus can solve in a few minutes, if this cap can be arranged at all.

Also we need to think about creating such a portal where any VX-coder will be able to express his opinion, share sources and ideas, without fear of being accused of something, as well as having a portal with Democratic administration, where a person will not be banned without obvious and clear reasons. This kind of portal should be located where it will not be closed or locked. The slogan i would say should be:

"VX - freedom of mind and thought!"
"VXER - the genius of his craft!"

Only in this way we can expected the development of the number of talented VX-coders, no matter what is their motivation let it be profit, self-assertion, conceptual written, the exposure (think of Edward Snowden, we respect him), or all together, because only together we are strong!


______________________________
d3m & Ar3s
2013

Inception E-Zine