Interview with VirusBuster about 29A
by hh86 and SPTH

This is an interview with VirusBuster, mainly about 29A, done in August 2012. VirusBuster, a former virus collector from Spain, was a member of 29A from the first hour. In addition he was editor of the 29A magazine from issue #5 to the last issue, #8. You can reach him via malware.collector@gmail.com. Thanks a lot go to SlageHammer and VirusTrader, who helped us to find VirusBuster!

##############################

## Hello VirusBuster! Thanks a lot for accepting to answer a few questions! I'm
## looking forward :-) First, could you please give a small introduction to
## yourself, for instance how do you spend your free time/hobbies, what kind of
## music do you listen to, ...?

My main hobby used to be virus and malware collecting, but I retired in January of this year because I had so much stuff that managing the collection properly was requiring too many resources in terms of time and hardware. So after 17 years of collecting, I gave up.

I have been developing a malware behavior analyzer for almost three years. The tool is named "Buster Sandbox Analyzer" and the official web site can be reached at http://bsa.isoftware.nl

I am married and have a son, so I spend part of my free time with family. From time to time I visit friends or they visit me.

Music: I love blues, especially Texas and Chicago styles. My favourite bluesman is Stevie Ray Vaughan, and I also like people like B.B. King, Buddy Guy, Albert Collins, Albert King, Jimmy Thackery, Eric Clapton or Johnny Winter.

I like cinema a lot, especially old movies. It is quite hard to find good movies nowadays. If you want quality you must watch TV shows like "The Sopranos", "The Wire", "Rome", "Oz", "Game of Thrones", "Dexter", "Mad Men", etc.

I like reading, especially epic fantasy. I like Robert Jordan's "The Wheel of Time" and Steven Erikson's "Malazan Book of the Fallen" sagas a lot.

I used to play basketball with buddies, but not anymore.
Now I do some sport at the gym two or three days per week. And that's how I spend my life when I'm not working.

##############################

## On Friday 13th, December of 1996, 29A #1 was released - and started the path of
## this most famous virus writing group. You have been a member from the first
## hour. Can you please explain how this group was founded? It consisted of 12
## members, most of them from Spain. Were those people already active in the
## scene before? Did you already work together in former projects? What was
## Dark Node?

Most of my life I have been collecting something. When I was young I used to collect stamps with the help of my father. When I was a teenager I used to collect games, first for the Amstrad CPC 464 and later for PC.

Back in 1992 (if my memory doesn't fail), during my summer holidays, a cousin told me about a guy from his town who was collecting games too. He arranged a meeting to talk about exchanging games. After the exchange he told me about a strange hobby he had: virus collecting and modification. He told me he was using a few antivirus programs to identify the menaces and then using a hexadecimal editor to modify binaries and produce what he called "mutations". His technique was very rudimentary because he didn't know about opcodes and he ignored completely what effect the changes had on the code. He was just locating in what part of the code the detection was placed and then changing one byte to avoid it. If the binary continued to work after the change... good!; if not, he changed the byte value or another byte.

My previous experience with viruses was the typical one: I had been infected a few times with the "Ping-Pong" boot sector virus and with a file infector named "Flip" or "Omicron". Initially my reaction was like: what the hell are you doing handling viruses? Is that not really dangerous?
After he explained his procedures to keep the computer safe while handling viruses, I got more interested and asked him for his collection to play with it. After a while I was producing better mutations with the help of a disassembler named "Sourcerer".

As I said, I have been a collector all my life, so I considered that collecting viruses was as good as collecting anything else.

At that time in Spain we didn't have Internet at home, just BBSs. Inside Fidonet there was a channel named VIRUS.R34. I met other people interested in viruses there; sadly virus sharing, exchange or requests became a forbidden topic, so after talking with a few VIRUS.R34 members, my friend and I decided to put online our own BBS dedicated to viruses. We decided to name the BBS "Dark Node". It was 1994.

The complete freedom to talk about virus writing and the big amount of material (sources, binaries, virus construction kits, virus magazines, ...) made "Dark Node" famous, even internationally. Very talented Spanish coders joined the BBS and started to share ideas and code. Nobody had previous experience in the vx scene.

One day Mister Sandman proposed to certain members of the BBS (the most talented and active) to create a virus magazine with the best ideas, articles and viruses shared in the BBS. We thought the idea was excellent, so we started to collect and select the best stuff, write our own article viewer, etc. When we considered the magazine had enough quality to be released, it went out. At that time (1996) some "Dark Node" members had access to the Internet at home, so it was released over there.

Initially "Dark Node" was just a BBS, but after a while it became a Fidonet-style network, with several nodes. "Dark Node" was the node 66:666/1. When we had to choose a name for the magazine someone (Mister Sandman???) proposed 29A (it was not so obvious as 666) in reference to the network number and the "diabolic" stuff we were releasing.
So that is how 29A was initially formed: a group of guys from all over Spain, without any previous experience in the vx scene, interested in virus coding, who used to meet in a BBS dedicated to viruses named "Dark Node".

##############################

## Most members of 29A at that time (and also later) were from Spain. Did you
## meet several of them in real life? Have there been 29A real-life meetings?

Between 1994 and 1996 there were three "Dark Node" meetings. Mister Sandman, GriYo, Wintermute, Tcp, The Slug, Blade Runner, Gordon Shummway, Leugim San, Mr. White and me, among other people, were in one or more of the meetings.

After 29A became an international group, we moved 29A meetings to Madrid. There were two meetings in Spain's capital, and people like GriYo, Wintermute, Mister Sandman, AVV, Darkman, Reptile, Super, Mental Driller, Bumblebee, Tcp, b0z0 or StarZer0 from IKX attended. There was also a meeting in The Netherlands with Rajaat as the host, and another in Brno (.cz) where Benny and Ratter were the hosts.

So yes, we had several real-life vx meetings, and not only for 29A members but for people from other groups too. We even had some guests like Antonio Ropero and Bernardo Quintero from Hispasec, and GriYo, Darkman and I brought our girlfriends to some meetings.

##############################

## How did you manage the decision-making within the group? How did you choose
## new members? Other than membership applications, did you also send offers to
## good coders to join your team? How did you decide which articles and viruses
## appeared in the 29A magazines?

There were kind of three stages in 29A.

In the first stage Mister Sandman was the editor and the manager of the group. After the 29A #1 release, he took over the group, decided to kick some members and brought in new international members. I was kicked out, so I do not know much about how things used to work internally in those times.
The first stage finished after two incidents: Mister Sandman was accused by b0z0 from the IKX group of stealing a piece of code and using it in his multiplatform virus named "Esperanto". The other incident involves GriYo and Mister Sandman: Mister Sandman was very good at English (written and spoken) and GriYo was not so good at that time. When the BBC (I'm not sure if this is correct, but it doesn't matter) intended to interview GriYo, he asked Mister Sandman to do the interview for him. Mister Sandman took over the interview and talked about his own creations instead of GriYo's. When GriYo read the interview he felt betrayed. After these incidents Mister Sandman left 29A and the vx scene.

In the second stage Darkman became the new 29A editor. Even if I was not a virus writer, the group asked me to re-join 29A because they considered it was not fair that Mister Sandman had kicked me out. I accepted. My role inside 29A was to sort and get new contributions for the magazine and also recruit talented virus coders.

In that stage we used to manage decision-making by majority. New members had to be accepted by all members, and they were chosen based on their virus writing talent. Sometimes we received applications to join the group and other times we asked people to join. Articles to be published followed similar rules. If most members agreed to publish something, it was published.

The end of the second stage at 29A came when I noticed the group was dying slowly. To accept new members we had rules, but we had none to kick inactive members. There was a moment when several members were not replying to the 29A mailing list and others were not producing anything to be published in the next magazine. Darkman, the 29A editor, was one of them. I exposed the problem to the group and suggested kicking members due to inactivity. My intention was good. I wanted idling members to wake up and start producing again.
I even proposed that kicked members could rejoin the group at any moment if they had new material to publish. Darkman didn't like the idea (he was having personal problems in real life), but the rest of the members accepted. When the next 29A magazine was published, members like Darkman, Lord Julus or SoPinky (if I remember correctly) were kicked.

The third and last 29A stage starts with me as the new 29A editor. I proposed ideas to keep the group active and communicative, but the virus writer is a lone animal by nature, and finally this is, among other factors, what killed the 29A group. One anecdote will explain this very well: GriYo left 29A and nobody noticed it. No member got any notification about the quit, and we were working for a while thinking GriYo was still a member.

There are other reasons to explain why 29A disappeared: pressure against virus writers from governments, assembler becoming a lost art, old virus writers finishing their university careers and starting to work, etc.

##############################

## How did the group change from the beginning in 1996 to the end in 2008?
## Were there a big number of people who wanted to join?

I would say the main difference was that 29A started as a local (Spanish) group and ended as an international group. After the Immortal Riot and VLAD groups disappeared, most virus writers wanted to join 29A. Having the "/29A" in your nick was a sign of respect.

##############################

## 29A was a very famous virus-writing project. This of course attracts
## much attention, from media and from police. Can you tell what was the
## relationship between 29A and the media? And did you often get into trouble
## with the police? At the end of 2004, Ratter and Benny were questioned. Whale was
## sentenced. Do you have further information about criminal investigations
## against your group?

The relationship with the media was good. They used to send interviews to 29A members, and members were glad to reply to them.
As far as I know only Benny got in trouble with the police, but I don't know much about that, so I prefer not to comment. If there was any criminal investigation against 29A, I never heard of it. I don't think there was any, because one of the rules in 29A was to not spread our creations.

##############################

## How was your relationship to the anti-virus community? What did you think
## when ex-members joined some AV company (such as Benny, for instance)?

In my opinion the anti-virus community had a double face. Publicly they were trash talking 29A, but in private they enjoyed our releases. I would say that there are still people in the AV industry missing the golden years of the vx scene.

About virus writers joining AV companies: it was the natural thing and I always considered it fine. In fact there were several virus writers working for some AV company and being members of a virus writing group at the same time. People knew about it and nobody complained.

##############################

## On 1st January 2005 you released the last e-zine issue, 29A #8 - just 9 months
## after 29A #7. It was full of pioneering code and ideas - such as the first
## virus for Win64 (and even a Win32/Win64 cross-infector by roy g biv), the
## first worm for mobile phones with Symbian OS (by ValleZ) and the first
## infector for Microsoft smartphones with WinCE (by Ratter). In the intro you
## even wrote "Probably 29A #8 is, along with 29A #3, the most technical virus
## magazine that any virus group released ever." - Now I can not understand why
## after such a successful release you were not able to create another
## magazine. What were the reasons? Did you start to collect stuff for 29A #9?

As 29A editor, I did my best to keep the group alive, but every year it was more difficult to do it. There was a total lack of communication between members.
I requested tons of times that members write to the 29A mailing list at least once per month, commenting on the state of their projects, future projects, etc. We were not receiving news from some members for long periods of time. I think people like Z0MBiE left the group because we were not a group anymore. A group needs communication and we didn't have it.

One day I proposed to the 29A members to kick GriYo due to his inactivity. GriYo heard about this and then he told me he had left the group already some time before. It was the first news about that. This is a good example of the level of communication we had internally. At that moment I felt so upset that I decided to leave 29A, but I didn't communicate it to the group (in fact the "group" was only ValleZ and me). I just wrote a note on my site saying I was leaving 29A.

Some time later I heard in the #virus channel that GriYo and Slage Hammer were collecting stuff for the next 29A release. I asked myself: who the fuck is Slage Hammer to be collecting contributions for 29A? And why is GriYo asking for contributions if he is not a 29A member anymore? I got so angry that I decided to "rejoin" 29A. As I didn't communicate my leaving to the 29A mailing list, officially I was still a 29A member. I had a talk with ValleZ and explained what was going on. ValleZ didn't know GriYo had left 29A, so he agreed with me that what GriYo and Slage Hammer were doing was not correct. We decided to stop GriYo in his tracks.

GriYo had a private talk with ValleZ (I don't know what they talked about), but as a result of the talk ValleZ decided to leave 29A and stop talking to me. I guess he was in the group to write viruses, not to get involved in internal battles. GriYo was always a talented coder, but his social skills inside the 29A group were not so good. Bumblebee (one of the few friends I still keep from vx scene times) left 29A due to GriYo's attitude.

After ValleZ's quit, I was the only active member.
At that moment I considered the vx scene didn't have the talent required to keep alive a group like 29A, so I decided that was the end of 29A. I considered it was fair because 29A was born in "Dark Node", the BBS I created, so I was like the alpha and the omega of the group. If I were able to go back to the past, I would not change anything of what I did.

##############################

## On 28th February 2008, you said "that 29A goes officially retired". What was
## your feeling at that moment when you had to officially close this awesome
## and well-known project? Years later, do you think there might have been a
## way to save the group?

Obviously I was sad, but I had known for some time that the vx scene was dying and that 29A would have to split up some day, and that it would happen sooner rather than later.

No, I don't think it was possible to save the group. Nothing lasts forever and you must know when to give up.

##############################

## What did you do after the retirement of 29A? Do you still have contact with
## some of the old virus writers? Did you continue trading? Are you still
## interested in virus technology?

I continued trading for years (until January 2012), but I lost contact with the old virus writers except Bumblebee. After 29A disappeared I never exchanged a mail with old buddies like Z0MBiE, Vecna, Wintermute, b0z0, StarZer0, ... Our common interest was the vx scene. When this interest disappeared, I guess we didn't have any reason to continue the relationship.

Virus technology is dead. Nowadays rootkits and browser vulnerabilities rule the security world. I continue to be interested in security technology. As I commented, I have been writing a malware behavior analyzer for the last few years.