A brief history of UK virus programming
by E X E - G E N C Y
[March 2000]


Although the phreaking and hacking community has always been healthy in the UK, the country has never had a flourishing virus community. Those virus writers that have appeared in the past are now either retired from the scene or were arrested (and often charged) by the police. This article tells the story of the virus writers from the UK: who they were, what they did and their fate. (Unfortunately, in most cases 'fate' is exactly the correct word to use.)

The story begins in August of 1992. About this time, a group calling themselves the Association of Really Cruel Viruses (ARCV) appeared. The group was initially small and relatively unskilled. In fact, it was made up of only two people: Apache Warrior, who was the founder and leader of the group, and a guy called ICE-9. Both of these people were originally electronics hobbyists, and from there they had got into computers, computer hacking and telephone phreaking. I say the group were relatively unskilled because many of the virus source codes produced early in their career were not entirely original. In fact, many of them were simply modified versions of viruses produced by VCL (Virus Creation Laboratory: a virus generating program written by NoWhere Man of the NuKE group) and PS-MPC (the Mass Produce Code generator written by Dark Angel of the Phalcon Skism group). Although this slightly marred their entry to the scene, some of the members went on to write some good and original virii, ICE-9 in particular. Over time they also gained members including SLarTiBarTfAsT and Toxic Crusader. As momentum in the group grew, they began to write better and better virus code. Apache Warrior wrote a polymorphic engine called CME (Cybertech Mutation Engine) which was included in the 'Jo' virus. The virus contained the text:

Looking Good Slimline Joanna.'
Made in England by Apache Warrior, ARCV Pres.'
Jo Ver. 1.11 (c) Apache Warrior 92.'
I Love You Joanna, Apache..'
[JO]
By Apache Warrior, ARCV Pres.

It is difficult to say exactly how many viruses the group wrote during their career. Most of the viruses they wrote have been mutated and altered by other programmers, so the number of virii under ARCV.* stands at about 100 in most anti-virus lists. ARCV also released 2 issues of a newsletter, ARCVNews, which contained original virus source codes, disassemblies of viruses from the wild and articles on virus techniques.

The fate of the Association of Really Cruel Viruses came a year after their entry to the scene. On the fourth of February 1993, members of Scotland Yard's Computer Crime Squad raided four homes in Manchester, Cumbria, Staffordshire and Cornwall and arrested four men. These people were the members of the ARCV.

Strangely, the bust was not triggered by the group's virus writing antics, but because they had been using beige boxes to obtain free fonecalls. Via beige boxes, the group had been able to distribute their viruses and newsletters to Bulletin Board Systems throughout the UK and other countries. Scotland Yard did not even realise the group of phone phreaks were also the UK's only virus programming group until the confiscation of their computer equipment.

I have been unable to find out what happened to ARCV after the bust, but here is an article written by DecimatoR of Phalcon/Skism. The article was originally published in 40HEX #10 from 13th March 1993.

Many of you who read this mag know of the ARCV, and most likely know Apache Warrior, the president of the group. In December and January, the ARCV members were raided by Scotland Yard officials, and had their computer equipment confiscated. Apparently, the bust was triggered not because of the virus writing they did, but because of the method they allegedly used to transport their creations to their friends in other countries. A contact in England recently filled me in on the events which led to the bust of the ARCV.

Apparently, a few of the ARCV members were calling long distance by use of a beige box (a device which allows tapping into phone lines to make unauthorized calls) and they got caught. This led to the confiscation of their computer equipment. The two who were arrested apparently cooperated with the police, and further examination of the confiscated equipment proved that not only had the police caught people making fraudulent phone calls, but they also caught the leaders of a large virus writing group. Further investigation resulted in more arrests of other ARCV members. Had the group not been phreaking their calls, chances are they would not be in the fix they are today. Please note, however, that there have not yet been any trials in the arrests, and the ARCV members have not been proven guilty.

The following articles were posted on UseNet, and tell the story, although all but one fail to mention the fact that illegal phone calls, and NOT virus writing was the key factor in the arrests. Only after the first arrests were made did the police pursue the avenue concerning virus authorship.


From "Computing", Feb 4, 1993:

Apache scalps virus cowboys

Police raided the homes of suspected computer virus authors across the country last week, arresting five people and seizing equipment.

The raids were carried out last Wednesday by police in Manchester, Cumbria, Staffordshire and Devon and Cornwall.

Scotland Yard's computer crimes unit co-ordinated the raids under the codename Operation Apache.

A spokeswoman for the Greater Manchester Police said: 'The investigation began in the Manchester area following the arrest of the self-styled president of the virus writing group in Salford last December.'

Police would not reveal the man's name, but said he had been released on bail.

Last week's raids led to the arrest of a further two people in Manchester. Three other suspects were also arrested in Staffordshire, Cumbria and Cornwall.

PCs and floppy disks were seized in all the raids.

All those arrested have been released on police bail pending further investigations.


From the EFF.TALK newsgroup of Usenet:

Police have arrested Britain's first computer virus-writing group in an operation they hope will dampen the aspirations of any potential high-tech criminals.

Four members of the Association of Really Cruel Viruses (ARCV) were raided last Wednesday in a joint operation in four cities co-ordinated by Scotland Yard's computer crimes unit.

The arrests in Greater Manchester, Cumbria, Staffordshire and Devon and Cornwall, bring to six the members of the group that have been tracked down by police. Two others, also writing for ARCV, were arrested a month ago in Manchester.

These six are thought to have written between 30 and 50 relatively harmless viruses....


From a reposting of an unidentified newspaper, dated 4 February 1993:

UK Virus Writers Group Foiled by Scotland Yard

British police have arrested four members of a virus-writing group that calls itself the Association of Really Cruel Viruses (ARCV).

The Scotland Yard Computer Crime Unit coordinated the raids carried out on suspects in Greater Manchester, Staffordshire, Devon, and Cornwall. The arrests last Wednesday, January 27, bring to six the number of ARCV members found by police, after they initially arrested one caught "phreaking" in Manchester in December. ("Phone phreaking" is the illegal practice of obtaining free use of telephone lines.) The arrests were made under Section 3 of the Computer Misuse Act, which prohibits unauthorized modification of computer material, said Detective Sergeant Stephen Littler. The suspects, who cannot be identified at this stage under British law, have been released on bail pending inquiries and may face further charges.

The members of ARCV used PCs to write viruses, which they shared via a bulletin board operated by one suspect in Cornwall. The police confiscated hardware and software, which is being studied by virus experts to determine how many viruses were written and what the viruses were intended to do, Littler said. The British anti-virus community became aware of ARCV through the group's own publicity efforts, such as a newsletter that it had uploaded to various bulletin boards in the U.S., according to Richard Ford, editor of the monthly "Virus Bulletin," which is published in Abingdon, Oxon, England. The newsletter was described in detail in the November, 1992, issue of "Virus Bulletin."

"To the best of my knowledge, none of their viruses are in the wild, out there spreading," said Ford. "But they have been found on virus exchange bulletin board services, and we've had reports of them being uploaded rather widely in the UK." ARCV claims, in its newsletter, to have links with PHALCON/SKISM in the U.S. and other virus writers in Eastern Europe. "The world is a very small place when you've got a modem, or are on the Internet," Ford said. The newsletter invites new members to join even if they are not virus writers but prefer other "underground" activities such as hacking and phreaking. It also betrays ARCV's fears of being perceived as nerds (a term not used in Britain) saying, "Now the picture put out by the Anti-Virus Authors is that Virus writers are Sad individuals who wear Anoraks and go Train Spotting but well they are sadly mistaken, we are very intelligent, sound minded, highly trained, and we wouldn't be seen in an Anorak or near an Anorak even if dead." (Anorak is the British word for ski jacket.)


ARCV has already failed at one of the objectives mentioned in its premier newsletter issue, which said, "We will be dodging Special Branch and New Scotland Yard as we go."

-DecimatoR

That was the end of the Association of Really Cruel Viruses, but it took no time at all for someone else to take their place.

In early '93, a programmer calling himself The Black Baron emerged from the UK. His career only lasted a year, in which time he wrote a mere 3 viruses. Little did he know that by the end of his career, The Black Baron would go down in UK computer history as the best known virus programmer.

His first virus was a simple memory resident .COM infector. The virus simply hooked interrupt 21h (DOS) and infected all .COM files executed. Although this virus was not destructive, it would display the following message on some occasions:

GERM. (C) The Black Baron U.K 93

The virus also contained the message 'Better SMEG than dead', a quote from Red Dwarf that would become synonymous with his exploits. This first virus was relatively unremarkable. It was not distributed in the wild (or certainly not very well) and never came close to causing the media frenzy that his second and third viruses did.

Later in 1993, The Black Baron produced these two viruses. They were labelled 'SMEG.Pathogen' and 'SMEG.Queeg', also after BBC2's Red Dwarf series. Although the two viruses had different names, the technical differences between the two virii were small. They both went memory resident and infected both .COM and .EXE files. TSR .COM and .EXE viruses are difficult to write, but several had been written before, so this was not a particularly unique virus strain. What did make the virii unique was the use of SMEG.

SMEG was a polymorphic engine written by The Black Baron specifically for inclusion in his 'Pathogen' and 'Queeg' viruses. SMEG stood for 'Simulated Metamorphic Encryption Generator' and was the first polymorphic engine that could generate bogus CALL and RET sub-routines. For those of you who do not know what a polymorphic engine is, I'll explain: a polymorphic engine is an algorithm designed to make each generation of a virus look different to previous ones. This is accomplished by inserting 'junk' instructions (ones that have no effect on the actual running of the program) between the real ones. The Black Baron's polymorphic engine was an impressive piece of code and many of its aspects have been reused in other polymorphic engines.

There was one major difference between the SMEG viruses and The Black Baron's first creation. On some Monday evenings, the viruses would display the message:

Your hard-disk is being corrupted, courtesy of PATHOGEN!
Programmed in the U.K.  (Yes, NOT Bulgaria!) [C] The Black Baron 1993-4
Featuring SMEG v0.1:  Simulated Metamorphic Encryption Generator!
'Smoke me a kipper, I`ll be back for breakfast.....'
Unfortunately some of your data won`t!!!!!

By the time the user had finished reading the message, the first 256 cylinders of the hard disk had been overwritten.

The 'SMEG.Pathogen' and 'SMEG.Queeg' viruses were well distributed in the UK, and many businesses lost vital data and had to spend many hours re-installing software. The cost of The Black Baron's creations was huge and the pressure was on Scotland Yard's Computer Crime Squad to find the culprit.

On Wednesday 13th July 1994, the Computer Crime Unit executed a search on the home of Chris Pile, a 26-year-old programmer from Plymouth. Evidence was collected, and Chris Pile, A.K.A. The Black Baron, was charged. The charges included writing the viruses, distributing them, hacking into businesses with the intention of planting them, and attempting to entice others into writing and distributing viruses.

Richard Ford, editor of Virus Bulletin, posted the following text shortly after the Baron's arrest:

Appeal for Information

*** URGENT ***

On Wednesday 13/7/94 officers from Devon & Cornwall Constabulary Fraud Squad together with officers from the Computer Crime Unit, New Scotland Yard executed a number of search warrants under the UK Computer Misuse Act in Plymouth. The investigation was in connection with the authorship and distribution of computer viruses known as PATHOGEN, QUEEG and GERM, together with the encryption engine SMEG. 1 man was arrested. He has been bailed to return to a Police Station in Plymouth at a date in November.

The investigating officers are appealing for anyone who has suffered an attack by these viruses to contact the Computer Crime Unit at New Scotland Yard on 071 230 1177 (UK) or +44 71 230 1177 (International)

Scratch one for the good guys!

Please guys, if you have been hit by Pathogen come forward...

Regards,

Richard Ford

Editor, Virus Bulletin

Chris Pile pleaded guilty to the charges brought against him, but still received a custodial sentence. At the beginning of 1995 he began serving 18 months in prison.

After Pile's conviction, it was some time before another UK virus author was to appear. When it did occur, Genesis was born. Genesis was the first UK virus writing group for 2-3 years and was made up of merely 3 members: Rajaat, Methyl and Rogue Warrior. The group were relatively unproductive towards the beginning of their career and never produced a newsletter or magazine detailing their creations. Instead the members chose to submit their virus source codes for inclusion in other well established zines. Rajaat, the founder and most experienced member of the group, submitted several viruses to VLAD magazine (Virus Laboratories And Distribution) and PlasmaMag (run by the Dark Conspiracy). All three programmers were very experienced, and their technical abilities far surpassed the skills of previous UK virus programmers (including The Black Baron). However, the group appeared to lack direction or inclination to write virus code and never released a zine.

In 1996, however, the group decided to merge with the Swedish Immortal Riot team to produce the group IR/G. After a short amount of time, the IR/G released its first zine, Insane Reality #8 (Insane Reality #1-#7 were written solely by Immortal Riot), which contained a number of impressive viruses and virus related texts. All three members of Genesis proved to be exceptionally good virus programmers and for a while the future of UK virus programming looked good.

For some strange reason, Insane Reality #9 was never released. The members of both Immortal Riot and Genesis appeared to be slowing down as neither group had the inclination to keep the group going. IR/G collapsed after just one issue.

Although this was the death of IR/G, some of the members went on to join other virus groups. Rajaat, who is in my opinion the best UK virus programmer ever, went on to join the predominantly Spanish virus group 29a. In the second and third issues of 29a zine, he produced a number of good viruses written in Assembly and C as well as a number of highly unusual polymorphic engines. Once again, the UK had a great virus programmer.

That was until the beginning of 1999, when Rajaat announced that he had been suffering from depression for some time and had decided to retire from the virus scene. Although he has made the occasional appearance in some zines, the UK scene appears to be as dead as always. Well, at least he wasn't busted like every other UK virus programmer.

Another group called 'Diffusion' has appeared, and claimed to be UK based, but I've been unable to find their zine, or any of their creations. Apparently, however, one of the members (Jerk1N) wrote the first macro virus for MS Access 97.

A bunch of other UK virus programmers have appeared relatively recently, many of whom are quite talented. Rhape79 (a high-level and scripting programmer) has begun a group called Ultimate Chaos with a number of other UK virus programmers. These include Pax (both a high-level and Assembly programmer), Midnyte (a pure Assembly coder) and Spyda (who is also both a high-level and Assembly programmer). The group has also released an impressive zine called Final Chaos which contains a wide variety of virus source code. However, since releasing the zine, many of the members have decided to pursue more security related topics rather than just viruses.

Another UK virus programmer called Ruzz` has begun another virus programming group. The so-called Shadow Virus group have yet to release a zine (although I am assured that one is on the horizon). Ruzz is another high-level and scripting virus programmer with a wealth of programming languages and viruses already under his belt. The group recently accepted another UK virus programmer into their ranks. Dageshi is a pure Win32 ASM programmer.

That is the end of the UK virus story. It's a shame that there's so little to tell, but that's the way it is.