Interview with Vesselin Bontchev for Virus Report.
By Fernando Bonsembiante



An interview never finished, never translated and never published.



> What is your job in the U. of Hamburg?
I am a research associate here, working on a half-time basis. During the rest of the time I am supposed to write my Ph.D. thesis. Needless to say, I am in front of the computer 14 hours a day - from 10 am till midnight. :-) My job here is to maintain our virus collection, to analyse viruses, to answer calls for help (mostly by e-mail), to maintain the anti-virus section on our ftp site, to maintain contact with the other anti-virus researchers in the world, and many other less interesting things. :-)
> What is your definition of viruses (not a mathematical one!)?
A computer virus is a sequence of symbols, which, when interpreted by computer, attaches itself to other computer interpretable symbol sequences in such a way that they become able to recursively spread the (possibly modified) initial sequence further.
Additional explanations of the terms used:
Infection is the process of attaching a computer virus to other computer interpretable symbol sequences.
"Attaching" means that the interpretation of the infected symbol sequences causes the interpretation of (possibly part of) the computer virus.
"Interpretable" is anything that a computer can interpret.
"Able to spread recursively" means when a virus infects an executable object, this object is able to spread virus to another object, which in turn is able to cause the infection of another object and so on.
> Do you have a favorite virus? Which one and why?
Yes, Eddie-2. It is simple and the programming style is rather straightforward, yet it implements the basic components of a moderately well-written virus - memory installation, COM and EXE infection, semi-stealth. I often use this virus as an example when I have to teach somebody how to disassemble viruses.
> Do you have a favorite antivirus? Which one and why?
Yes - F-Prot. This is one of the best scanners around (I know only two that have a better detection rate), yet it is completely free for individual use. I like this a lot. Also, among the integrity checkers I like Untouchable a lot, because it is so secure and has most of the necessary features a good integrity checker should have.
> What do you think of virus authors?
They are irresponsible idiots who are showing off at the expense of the rest of the society.
> Have you ever written a virus?
No.
> How do you analyse the viruses?
Mostly with a debugger. Sometimes I inspect the supposedly infected file with a hex editor - just a glance is usually enough to tell whether the file is infected or not, and even to discover some of the properties of the virus. From time to time I use a disassembler (Sourcer), but not often. I don't have time any more to produce well-commented disassemblies. :-(
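The two defensive techniques mentioned in the answers above, an integrity checker that compares files against a known-good baseline (the approach Untouchable takes) and a glance at the readable text embedded in a suspect file (what a hex editor in text mode shows), can be illustrated together. The following script is an added example written for this page; it is not code from the interview, from Bontchev or from any product named here. The file names, the sample file contents and the baseline are constructed for the demonstration.

```python
"""Added example (not from the interview): a minimal baseline integrity
checker plus a printable-string extractor, two of the triage techniques
the interview mentions. All file names and contents are constructed."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record (size, hash) for every file while the system is known clean."""
    return {name: (len(data), sha256_hex(data)) for name, data in files.items()}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Return one verdict per file name: 'ok', 'modified', 'missing' or 'new'.

    A parasitic file infector changes size and content, so either the
    recorded size or the hash (or both) will no longer match."""
    verdicts = {}
    for name, (size, digest) in baseline.items():
        if name not in files:
            verdicts[name] = "missing"
            continue
        data = files[name]
        current = (len(data), sha256_hex(data))
        verdicts[name] = "ok" if current == (size, digest) else "modified"
    for name in files:
        if name not in baseline:
            verdicts[name] = "new"
    return verdicts


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Pull out runs of printable ASCII, like a hex editor's text mode
    or the Unix 'strings' tool, so embedded messages stand out."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Constructed sample: a small "program image" made of non-printable filler
# plus one legitimate usage string, and the same image with a block appended
# to it that carries an extra text string (constructed, not a real sample).
FILLER = bytes([0x00, 0xFF, 0x01, 0xFE]) * 64
CLEAN = b"MZ" + FILLER + b"Usage: auth <msgfile>\0"
APPENDED = CLEAN + b"\x90" * 64 + b"This is a constructed sample string\0" + b"\xcc" * 32


def demo():
    """Build a baseline from clean files, then re-check a changed set."""
    baseline = build_baseline({"AUTH.EXE": CLEAN, "NORMAL.COM": b"\xc3" * 16})
    now = {"AUTH.EXE": APPENDED, "NEW.COM": b"\xc3"}
    verdicts = check_integrity(baseline, now)
    strings_found = extract_strings(APPENDED)
    return verdicts, strings_found


if __name__ == "__main__":
    results, strings_found = demo()
    for name, verdict in sorted(results.items()):
        print(f"{name:12} {verdict}")
    print("strings in AUTH.EXE:", strings_found)
```

Both checks are deliberately simple: the baseline must be taken while the machine is known to be clean and kept where an infected program cannot rewrite it, and a string scan only catches what a virus author left in plain text, so neither replaces a scanner or a disassembly.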
> Which are the most common calls?
The local ones are usually for Parity_Boot.B, Form, Stoned. From time to time there are infections by less common ones - Tremor, One_Half, Junkie, Delwin, Tai-pan, etc.
> Are there many false alarms?
Yes, there are. Not very many, but quite a few. They are usually caused by VSAFE ("Filler in memory"), or by the crappy identification in SCAN, but from time to time we get a false positive report about F-Prot.
> Do you have any funny story happened to you about viruses, false alarms,
> or something like that?

Not really; I look rather seriously at those things... OK, let's see.
A few days ago I was in Vienna. There was a meeting there - several friends of mine from the time when I worked in a Lab at the Technical University of Sofia. Most of them are all over the world now - I am in Germany, there are two in Austria, one in England, two in Japan, one in France, and one in the USA. So, after almost 8 years, most of us decided to meet there and have a good time.
Well, we all work with computers. The person who is in France, is a technical director of a bank. He knew that I am into viruses, and told us the following story.
As you probably know, the banks use some kind of digital signatures (no, not public-key; they use some proprietary algorithm) to authenticate the messages they send to other banks. At the time when this story happened, the bank my friend works in used a PC to compute the authentication numbers. Well, one day the program began to generate garbage. Effectively, this meant that all business had to be stopped - the bank was able neither to accept the incoming messages, nor to send any. This particular bank transfers an average of $35 million per day. In practice, this means that every hour of delay costs millions of dollars. So, my friend was called, and was told to fix the problem *now*.
He quickly discovered that the authentication program wasn't working properly, so he used a hex editor to browse it and look for possible problems. In particular, he used Norton Utilities in text mode - he was looking for text strings and messages. His boss was standing behind his back, waiting for the problem to be localized and solved - as fast as possible. Well, my friend browsed the file page after page, and suddenly a message appeared on the screen: "This program was written in the city of Sofia (C) 1988-89 Dark Avenger". My friend was the only Bulgarian working there - can you imagine his feelings?
He was only able to tell his boss: "We've been infected by a computer virus. I assure you that I am not responsible for this, but if you don't believe me, just tell me, and my resignation will be on your table in five minutes." The boss just smiled nervously and replied, "OK, OK, I believe you, I want you just to fix the problem, but do it *fast*!"
Much later they discovered the culprit. It was some Lebanese clerk, who had a brother, who had been in Bulgaria on holidays, got a computer game from there, and gave his brother a copy. The clerk made the mistake of "trying it" on the office computer. Needless to say, this clerk doesn't work there any more...
Until the story happened, my friend had heard about computer viruses, but didn't believe that they really existed or were a significant threat. His opinion is quite different now... He has thrown away all PCs from the bank, has installed a mainframe, accessible via dumb terminals, and doesn't even want to hear of such things as installing Novell LANs, connecting the mainframe to the Internet, and so on...
> >> What do you think of virus authors?
>
> bud> They are irresponsible idiots who are showing off at the expense of
> bud> the rest of the society.
>
> You know some virus authors, and some may have different motivations to
> write viruses (research, just for fun, etc). You really can say that *all of
> them* are idiots?


All of them are *irresponsible* idiots - even those who are smart enough.




e-mail: ubik@ubik.com.ar