**********************************************
    Interview with JPanic by hh86 and SPTH
**********************************************

JPanic is a virus writer who started his career in the 1990s. He was a member of VLAD and Immortal Riot, two legendary virus-writing groups from the early times :) In the late 1990s he went to sleep. He has woken up now, and has already shown his skill by creating a fantastic cross-infector for Windows, Linux and MacOS. More to come... You can reach him via jpanic.vx@gmail.com.

The interview was done in two sessions via email in September/October 2013. Have fun :)

##############################
## Hey JPanic! Thanks a lot for agreeing to talk with us. First - could you
## please describe yourself a bit. Where are you from, how old are you, what
## are your hobbies, what's your favorite music and your favorite movies?

Ok. I am JPanic (J-K-Panic, J-FUQING-PANIC), who likes to be called 'Panic'. I am a programmer and on-and-off-again virus writer from Australia. I was born in 1979.

My hobbies are limited: programming, viruses, bible study, and some reading of prose/poetry. I am very interested in all things mental health related. I am also very interested in the old world cultures.. Egypt, Sumerians, Mayans, Incas, Hindus etc. I love all things God. I like "body art" but have not had any tattoos done for a while now.

Favorite novels include "The Bell Jar" by Sylvia Plath and "1984" by George Orwell. Favorite movies include "Fortress" - an Australian movie made in 1986 starring Rachel Ward - anyone who wants to seed a high-quality rip of this movie, contact me. "Leon: The Professional" - I wish I was Leon ;). Maybe "Ali G - In Da House" is my favourite comedy.

Music artists I listen to consistently include: Garbage, Front 242, Guns N' Roses, Kirsty MacColl, Sonic Youth, Nirvana, The Church (Australian band), N.W.A, Cypress Hill, Transvision Vamp, Pantera, Rollins Band + Black Flag. Hilltop Hoods are good too.
All time favorite songs:
Garbage - Queer: http://www.youtube.com/watch?v=EEHhBS0B3R0
Front 242 - Welcome To Paradise (Live Code Version): http://www.youtube.com/watch?v=YFMq40eM8EY
Sepultura's cover of Motorhead's "Orgasmatron": http://www.youtube.com/watch?v=pUA42GzIOpE

All time favorite music videos:
Guns'N'Roses - Welcome To The Jungle: http://www.youtube.com/watch?v=o1tj2zJ2Wvg
Guns'N'Roses - The Garden: http://www.youtube.com/watch?v=V2yomzLw62I
Sonic Youth - Dirty Boots: http://www.youtube.com/watch?v=7XdYnh729IQ
Sonic Youth - 100%: http://www.youtube.com/watch?v=N3gN9Up6hmc
Garbage - Sex Is Not The Enemy: http://www.youtube.com/watch?v=drwKU72Ikzg

Pantera's "Vulgar Display of Power" is an album everybody should listen to once in their lifetime.

##############################
## What does a usual day in your life look like?

Ha! I wish you hadn't asked me this. I have some health problems. I have not worked as a professional coder for a long time. I mainly leave the home only for medical appointments and to see family once a week or so. I can not sit at a monitor/screen for more than 2 or 3 hours without building up to a seizure, so I do not code much per day. I drink too much and chain smoke.

##############################
## You have used several aliases - like Sepultura or now JPanic. Can you tell
## us why you changed your handle, and what they mean?

I do not know why I change aliases - maybe when I change aliases it is because the new handle reflects me more accurately at that time. I would like the name "persona non grata" - a legal term in Latin for "an unwelcome person", but this name is taken by a member of "TridenT" (early 1990s Netherlands VX group).

I started with "Sepultura" in 1993.. I liked the band, but I liked the meaning of the word - "someone who puts in the grave". From 1997 to 1998 I used the name "The Soul Manager" on 3 viruses. This comes from the Front 242 song "Soul Manager" (see http://www.youtube.com/watch?v=LcU2sV7i3mQ).
Now I am using 'JPanic' - this comes from the short story by Sylvia Plath, "Johnny Panic and the Bible of Dreams". I do not like the story that much, but the name seems apt.

##############################
## When did you hear for the first time about the possibility of self-
## replicating computer code? What did you think about that?

1992 - MtE came out, there was the "Michelangelo" scare. There was also an interview with The Unforgiven (head of Immortal Riot) in a local magazine. This is when I became fascinated with computer viruses.

##############################
## Why did you decide to code a virus yourself? What was the story behind
## that? Did you have a lot of source code to study?

I started writing computer viruses in 1993 because I looked up to the virus writers that I read about - like they were rock stars. The documentation from the MS-DOS anti-virus "F-Prot" mentioned that viruses were written in assembler. I got a book, "DOS: The Complete Reference" by Kris Jamsa, from the local library. This taught me some assembler code and DOS internals. I did not have a modem or know any programmers at the time, so I had no tools or access to viruses. I had to write and disassemble code in MS-DOS 'debug.com'. Like other virus writers, I also got into virus writing for the sex and the money that comes with being a VX'er :P.

I did not have any source code to study, but I had samples of three viruses I found in the wild (trading warez with school friends). These were 'Stoned' (I do not know what strain), 'Michelangelo' (Stoned.March6), and Slow.1721 (an encrypted 'Jerusalem' variant that was common in Australia at the time).

##############################
## Can you please tell us about some viruses that you have written in the
## past, and what they did?

I will list the first two, and some that were less trivial (they are mainly stone-aged MS-DOS viruses).

Sepultura Boot - My first virus in 1993, a boot sector virus similar to Stoned, written in MS-DOS DEBUG.
This escaped and became quite widespread in my city for a while. There is a '.b' strain - the same virus but ported to A86 assembler, published in VLAD#5.

Resvir1 - (aka Disillu.341) My first file infector, written in 1993, also in MS-DOS DEBUG. A memory-resident MS-DOS .COM file prepender.

Disillusionist - (aka Disillu.1108) An encrypted, tunnelling, fast infecting prepender of MS-DOS .COM files in 1994, with an activation routine.

H8YourNMEs - (aka H8.1171) 1994. Similar to Disillusionist but without encryption and with size-stealth and some other added functionality. My first virus published (in VLAD#5).

2FU (Too Fucked Up) - A 199 byte full stealth infector of the MBR and all floppy formats, written 1995 and published in IR#7.

Chaos-AD - Used my first poly engine, TCE (The Chaos Engine). Not the best written virus, some sloppy code. Full stealth (disinfect on open), polymorphic, retro (anti-anti-virus) fast infector of MS-DOS .COM/.EXE files. Had some interesting features and anti-tunnelling code. Written 1995 and published in IR#7.

TotalTrash.2169 - One of my favorites of my own viruses. Full stealth (read-on-the-fly stealth) and mirror infector of MS-DOS .EXE files. Had some retro and anti-heuristic code. By "mirror" I mean that when certain programs were running, the virus modified findfirst/next, read, and lseek calls to make clean files look uninfected - without ever writing to disk. You could PKZIP or RAR a file from a write-protected floppy, for example, and the copy in the archive would be infected. Inspired by Mirror.4130 by Bit Addict/TridenT. Kaspersky got his description of this virus wrong. Written 1996, published in IR#7.

Win16.RedTeam - Written 1997. My other favorite of my own viruses, perhaps the one that got the most press/media attention. The first Windows email infector, infecting NE (Win16) files and the Win16 kernel as well as the 'Eudora' outbox. Used very reliable infection techniques.
The ".a" strain had a bug (one-letter typo :/) that was fixed in the .b strain. This bug affected the virus under Win32 OS's like NT and 9x/ME. Published in SGWW Infected Voice.

CSV (C Startup Virus) aka TSM.5536 - Written 1998. This virus tricked AV scanners of the time by making them think infected files were Borland Turbo C executables and skipping them. The virus started with standard Turbo C code, with the polymorphic routine in the 'main' function. Kaspersky got his description wrong - the virus was written in ASM to look like a Turbo C compiled binary, but he wrote that it was written in C using inline ASM. A polymorphic memory-resident fast infector of MS-DOS .EXE files. Most of the 5536 bytes were taken by Turbo C start/library code.

RTP (RedTeam Polymorphy) - An overly large but complex and effective (for its day) polymorph - see "SoulManager.4838". Published in iKx Xine Issue 3.

CAPZLOQ TEKNIQ 1.0 (CLT10) - A small cross-platform Win32/Linux infector written 2006. This virus would be trivial except for its cross-platform ability. I was happy with the size - 1.2k for a Win32/Linux PE/ELF infector. Published in rRlf#7.

CAPZLOQ TEKNIQ 2.0 (CLT20, Clapzok) - An advanced version of CLT10 above, written 2013. i386 OSX FAT/MACHO support was added along with some other features. Published in Valhalla Issue 4.

##############################
## What do you think about polymorphism? Especially, in your interview in 1999
## in asterix#1-zine, you said "Traditional polymorphism (with a static virus
## wrapped in a highly variable decryptor) is a dying concept in my opinion.
## With the advent of generic decryption, polymorphism is not really much of a
## threat to the scanners any more." Do you still think that's true? :)

Not as true. Of course, poly engines have to be smarter now to dodge heuristics and such. EPO technology makes a difference. Who knows if virus writers will ever run out of EPO ideas?
There are more platforms and architectures - as polymorphic viruses come out for them, the AV will have to update and extend their emulators. There are more known anti-emulator tricks now. Of course, besides emulation there are other methods such as cryptanalysis (not that useful now), statistical analysis and geometric analysis of the file.

##############################
## You have been an active virus writer in the 1990s. Can you tell us
## something about the spirit and the people from that time? How many active
## people were around in those days?

I can think of about 30 virus writers at least that were around in those days. Virus writing culture was flourishing. I thought the spirit of the scene was good in those days, lots of people writing viruses and talking to each other, sharing ideas. Now I have changed my mind. I think they were not good times. People were judged on social status, not code. If you were a great coder, but from the wrong country or not in an 'elite' group, you were put down - even by lesser coders. There was back-stabbing as well, people ripping other coders off for "fame".

##############################
## You have been a member of VLAD and member+organiser of Immortal Riot. Can you
## tell us something about the groups in the 1990s? How did you communicate,
## did you plan projects together etc?

I was only a member of VLAD for a week (:P). The rule was *all* members had to vote you in, but one was on holiday - when he returned he objected. I never had much respect for this person's technical abilities anyway.

Immortal Riot became "Immortal Riot/Genesis" soon after I joined - Genesis was a new but talented VX group. Maybe Immortal Riot had the looks and Genesis had the brains.

Communication was pretty much by IRC and e-mail. There was not much planning of projects together, a little bit but not much. The majority of viruses were by a single author. There was more collaboration on the zines than on the viruses.
There were some 'closed' circles for sharing of ideas.

Groups in the 1990s included: Phalcon/SKISM, NuKe, TridenT (great coders from the Netherlands), Immortal Riot, VLAD, iKx (international Knowledge exchange), SGWW (Russian/Ukrainian Stealth Group World Wide), SVL (Slovakian Virus Labs), TPVO (Taiwanese Power Virus Organisation), SLAM. There were groups that called themselves virus writers that didn't do much, like ARCV. 29A started in the latter half of the 90s.

##############################
## Have you ever met other virus writers in person?

I have met 'DV8', the author of Win95.MrKlunky - the first memory resident Win95 virus - and some other viruses. But only once.

##############################
## Are you involved in some other computer-security projects, such as hacking?

I am not involved in hacking. In the 90's, when I could not get legitimate internet access, I used such things as 'carding', key loggers (which I wrote myself) and exploit scripts to get access. But that's about it. I could once dial out on certain types of payphones and ride the bus for free (problems with our public transport ticketing system). I can not do these things now. I still sometimes crack my own warez.

##############################
## Can you tell us something about the "Ruxcon 2012 CTF"? I read some funny
## storyline: "JPanic, rumoured to herald from the trumpets of the digital
## gods, who incarnated this mythical beast to dominate the digital
## underground. Upon this immaculate conception he ruled over the 90s VX
## Scene, sprinkling his magic, 16 bits at a time. [...]" (see
## http://exploit-exercises.com/mainsequence/storyline). :D

Ok. Every year Chris (organiser of the conference) chooses a different Australian infosec person to be the centre of the CTF plot (I think it was 'andrewg' of The Feline Menace the year before - 2011). In 2012 Chris suggested me and I was happy with that.
Some different ideas were pitched, and I suggested me writing a super-virus and my cat 'Thomas' betraying me and trying to leak the source to Buo. That is how Buo entered the story, but the cat wasn't used. Chris is the one who wrote the story. Just FYI - 'Buo' is my favourite malware analyst. If you want to know why Buo - "You wouldn't understand" ;).

##############################
## Did you have contact with people from the anti-virus scene? If so, how was
## that?

I had some contact with certain AV'ers in the old days. It is a great feeling when you point out a flaw in their product and they compliment you for it. It is also a great story when they do a great analysis of one of your works.

##############################
## After Insane Reality#8, you seemed to disappear (except for an interview in
## 1998 or 1999 for asterix#1). What was the reason? Why did you leave?

The interview for asterix#1 was in 1996 - I was still using the handle 'Sepultura'. Things went wrong in my life around then - physical and mental illness, narcotics abuse, periods of detention, homelessness. That is why I had to drop out of the "scene"; I was in no position to be coding. Anyone who would like to disrespect me for these things or hold them against me... feel free.

##############################
## You released an awesome multiplatform infector (CAPZLOQ) in rRlf#7 in 2006.
## Did anybody recognise that you are the coder from the 1990s?

CAPZLOQ TEKNIQ 1.0 was hardly awesome. I wrote it because I thought I would not write another virus again. I am sure people recognised I am the coder from the 1990s because the text strings said so. I suspect certain AV'ers only published analysis of it because they remembered me.

##############################
## In 2013 you came back - what made you come back? Or didn't you ever leave
## but just coded very very slowly? :-)

I did leave. I do code slowly now, but not *that* slowly.
Some things have improved in my life, so I can code; but my brain is rotting. For this reason I decided to make use of my brain while I still can. That is why I have returned. I do not know for how long.

##############################
## Your CAPZLOQ v2 in 2013 (source released in this magazine, Valhalla#4) got
## quite some attention. There have been reversed codes and descriptions in
## VirusBulletin. What did you think about it? Did you expect that?

I expected some attention because a Win32/Linux/OSX infector (albeit limited) opens the door for more cross-platform malware. I did not expect that much attention, especially from the OSX corners of the world - there was already Roy G Biv's 'macho man'.

##############################
## CAPZLOQ is able to infect binaries on/for Windows, Linux and MacOS. It uses
## a very special and unique design. Can you explain the idea briefly? What is
## the difference to other multi-platform infectors?

There is an article in Valhalla 4 describing the technique. Personally I do not see the big deal about it.. It is something coders have been doing for a long time. Basically all calls to the operating system (whether Win32, Linux or OSX) have a standard interface, as do the routines to infect the different file formats. This eliminated repetition of code for different OS's and binary formats, making things smaller. I guess the difference from most (but not all) cross-platform infectors is the lack of repeated code. It is not a virus for operating system 'A' and the same virus for operating system 'B' re-written and bundled together.

##############################
## Did you still have contact with VXers over all the years? Did you follow
## VX news?

I am not in contact with the old virus writers, but with a couple of AV'ers. I have not really kept up with the virus/malware related news much. I try to be in contact with the current breed of virus writers.
##############################
## What are your favorite viruses of all time and why?

I am a 16-bit man living in a 64-bit world, but I will try and list more modern viruses first:

SQL.Slammer, IIS.CodeRed, Conficker family: These spread far and wide. In my opinion remote code execution vulnerabilities are the way to mass-propagate these days (if you can get your hands on one).

MetaPHOR family by Mental Driller - Excellent metamorphy, clean efficient code. Strain '.1d' added Linux support too.

EfishNC family and ACDC by Roy G Biv: EfishNC really was efficient, as the name said, fitting a huge amount of functionality into a small amount of code. As for ACDC.. I am not into script viruses, but I think a cross-platform VBScript and JScript virus is a great idea in this day and age.

Mistfall/ZCME/RPME/SETG/KME engines by Z0mbie. Great engines.

I think Win32.Crypto and Happy99 were great.

As for older viruses.. I love Neurobasher's work. He was ahead of his time, and seems to be the only person who really reverse engineered all the AV products of the time to find ways to bypass them. Tremor (1992) was the first virus to be both polymorphic and full-stealth (plus a bunch of new tricks), and all his viruses were common in the wild. His viruses were: Tremor, Alphastrike, Neuroquilla (Havoc) and the Nightfall (n8fall) family.

Dark Avenger: The 'Eddie' family laid down the groundwork for the classic DOS virus. Most MS-DOS viruses used engineering introduced in this family. MtE and Commander Bomber had very complex yet optimised code.

Phoenix family was interesting for a lot of reasons. Their encryption engines generated 204 decryptors from a tiny engine.

DIR-II: A new paradigm in viruses: modifying the directory entry, not the file. Very stealthy, spreading amazingly quickly.

Dark Slayer: DSME and DSCE engines - DSCE introduced some new ideas. I really like the 'DS' (Dark Slayer) family, DOS16/Win16 full-stealth MBR/Boot Sector/MZ/NE (Win16)/EXE (MZ) in 3.5k.
Q the Misanthropist was good, especially 'Goldbug'. Zhengxi, Nutcracker family, SSR, MAD were great. I wish Zhengxi didn't use 'single stepping' (INT 01h) to find the DOS kernel - it is its weak spot. 'Natas' by Priest was good.

##############################
## What do you think are the most influential techniques that have ever been
## developed for self-replicators?

Polymorphy and polymorphic engines. Stealth in the MS-DOS days. Residency as opposed to direct action. More and more attempts at EPO methods. Internet worms: first email worms, then others such as SQL.Slammer and IIS.CodeRed. Macro viruses that made the move away from just binary infectors, so we have script viruses and such now. Metamorphy is considered a big thing - but not many viruses have done it, in the scheme of things.

##############################
## What do you think about code optimisation? Do/did you use it a lot in your
## code?

I think code optimisation is a good thing and a good skill to have - but not the most important feature of a virus. I consider features and reliability (no bugs) more important. I think the best optimisation comes when you can write optimal code as you go along, not writing code then optimising when you are done. I got good at writing optimised code, but have been out of the game. I find x64 code especially hard to optimise, because I am not used to it.

##############################
## What do you think about machine learning in self-replicators? How could
## that work - any wild guess? What would be worth learning for a self-
## replicator?

I do not know about these things. All I can think is that for a replicator to "learn" about a new OS, it has to be able to run under that OS first anyway. Catch 22. If you want to analyse glibc you have to be able to open glibc in the first place, etc.

##############################
## How would you imagine the most fantastic digital self-replicator? Be
## creative! (Bonus question: What is missing to get that done?
## Would it be possible some day?)

I would like to see a self-replicator become pandemic using remote exploits for multiple OS's. Maybe a metamorphic virus that spreads quickly but can infect many different file formats and rebuild itself not just for many OS's but many architectures (x86, x64, ARM, IA-64 etc). Able to work with any combination of executable format, OS and architecture. More infection methods and EPO methods than you can pull out of a hat, maybe code integrating ZMist style. Able to infect every platform under the sun. Active over the local network on all platforms and maybe the internet via email attachments, network shares, etc. Back-dooring the infected machine. MBR or BIOS infecting, loading before AV programs to disable them.

##############################
## What were the most surprising self-replicators that you have ever seen?
## Which techniques made you think "crazy shit this is"? :)

MtE amazed me at the time. The code of Bomber did too. One-half by Vyvojar and "Tremor" and "Neuroquilla" by Neurobasher. Tequila and Gingerbread Man. Ply. Dark Paranoid, Stainless Steel Rat (SSR). Happy99 and the Word macro "Concept". MetaPHOR, ZMist (Mistfall engine), Lexotan, Z0mbie's plugin project virus. Definitely Hybris. Win95.SK, Inca. EfishNC amazed me for its feature-to-size "ratio". CyberGOD's "Tracer" engine. Definitely IIS.CodeRed.

##############################
## Do you know the work of academic researchers such as Eric Filiol and Mark
## Stamp, and what do you think about that?

I do not know anything of their work. My interest is 95% in 'real world' viruses.

##############################
## What are future projects that you want to work on?

More complex Linux and OSX viruses than we have seen so far. More x64 infectors. Worms using remote code execution vulnerabilities. Escalation of privilege exploits (I find it hard to get my hands on these last 2). Kernel mode viruses. More and better multi-platform viruses.
##############################
## Now let's be creative and think about the future: How will self-
## replicators look in 5 years from now? What about 15 years? And what's
## your long-term prognosis for self-replicators in 50 years?

5 years: More viruses and worms using remote execution exploits to spread rapidly around the net, and escalation of privileges to have more access to resources. Hardware infectors - we already have 'BIOS kits', now we have BIOS kits that can survive a BIOS update and people working on hard drive firmware infection that can survive an operating system re-install. See https://ruxconbreakpoint.com/speakers/#John%20Butterworth, https://ruxconbreakpoint.com/speakers/#Jeroen%20Domburg and http://spritesmods.com/?art=hddhack

More multi-platform and multi-architecture malware. Multi-platform libraries to facilitate development of multi-platform malware. More and more file formats infected, more script viruses. Viruses running in kernel mode on different OS's. Rootkit-like technology that used to be called 'stealth' in VX terms - hiding the virus's presence. Viruses/worms for portable devices such as Android, iOS and Windows. Viruses/worms facilitating data theft, cyber-espionage and so on. More clever use of crypto.

15 years, 50 years: I have no idea. God knows what computing will look like then.

##############################
## Imagine a good ghost offered you three wishes - what would they be? :-)

WISH NUMBER ONE: I would like to be a more friendly, helpful, Godly person reducing people's suffering.

WISH NUMBER TWO: I would like to be of good health.

WISH NUMBER THREE: I would like the following people destroyed:

1) Nations whose media makes the people hate every person and every society different from theirs. Creating massive social cleavage, poverty, crime and drug problems to control their people. Carrying on about how bad other governments are while their own government takes what their own government wants.
Nations with the most wealth and power, with the least educated people and the least accountability for their actions. This means you, 'America' - a nation that usurped the name of an entire continent.

2) People who traffic people for slavery, sexual exploitation, war and child soldiers.

3) Drug dealers - they sell the seeds of misery.

4) Everyone from judges and doctors to paedophiles and criminals and abusive caretakers who prey on the most vulnerable, least able people.

5) The false 'Church' saying they are men of God, but are really small, pathetic, evil people. They turn people away from the light by lying about God.

6) Anyone who wants to blow themselves up with other people in the name of God - this is not what God wants: you will not get your 7, 70, 77 or 777 virgins.

Maybe I should forget this last wish and just wish for a happy world without suffering.

OF COURSE - I would not make any wishes at all.. They always come with a catch. Try prayer instead.

##############################
## Thanks a lot for the interview - feel free to use the rest of the file for
## whatever you like!

I would like to send warm regards to the following people (alphabetical order):

The Australian infosec "scene" - Going on, feeling strong.

Virus writers I have had recent contact with: Herm1t, hh86, SPTH.

Life-long AV'ers: Vesselin Bontchev, Igor Daniloff, Paul Ducklin, Peter Ferrie, Mikko 'Hermanni' Hypponen, Eugene Kaspersky, Stefan Kurtzhals, Fridrik Skulason, Peter Szor. You are more than worthy adversaries - you are my superiors.

Ilfak Guilfanov - Creator of Interactive Disassembler (IDA) Pro.

Groups I have been a member of: IR/G, NOP, Team MiSSiON.