WEBVTT 1 00:00:00.080 --> 00:00:04.080 Welcome curious minds to another deep dive. Today we're plunging 2 00:00:04.120 --> 00:00:09.880 into a truly intriguing and surprisingly controversial piece of tech history, 3 00:00:10.400 --> 00:00:15.000 The Little Black Book of Computer Viruses by Mark A. Ludwig. Yeah, 4 00:00:15.039 --> 00:00:15.759 it's quite something. 5 00:00:15.759 --> 00:00:15.839 Now. 6 00:00:15.919 --> 00:00:19.120 This isn't just some dusty technical manual from the early 7 00:00:19.199 --> 00:00:22.120 nineteen nineties. From the moment you open it, it reveals 8 00:00:22.120 --> 00:00:26.920 itself as well a profound philosophical statement about knowledge, about 9 00:00:26.920 --> 00:00:31.600 freedom and about digital responsibility. It really is quite a. 10 00:00:31.640 --> 00:00:35.240 Ride, definitely, and our mission today is to unpack exactly that. 11 00:00:35.399 --> 00:00:39.920 We'll explore Ludwigs, let's say, audacious ideas behind releasing such 12 00:00:39.960 --> 00:00:43.679 sensitive information, will delve into the fundamental technical concepts of 13 00:00:43.679 --> 00:00:46.719 these early computer viruses, and then reflect on the broader, 14 00:00:46.920 --> 00:00:50.520 often provocative questions it raises about the power of information 15 00:00:50.799 --> 00:00:54.439 and well individual agency in our digital world. Okay, we're 16 00:00:54.439 --> 00:00:57.280 here to extract the most important nuggets of insight from 17 00:00:57.280 --> 00:00:58.920 this very unique source. 18 00:00:59.000 --> 00:01:01.439 Okay, let's unpack this and Mark A. Ludwig, when he 19 00:01:01.479 --> 00:01:04.799 first published this book back in nineteen ninety, he explicitly 20 00:01:04.879 --> 00:01:07.959 viewed it as an experiment. He candidly admits he had 21 00:01:08.000 --> 00:01:10.280 no idea what would happen whether people would use the 22 00:01:10.359 --> 00:01:14.400 virus information responsibly or for destructive purposes. 23 00:01:13.920 --> 00:01:15.959 Which is quite the gamble it really is. 24 00:01:16.359 --> 00:01:19.319 What's even more telling is that the anti virus community 25 00:01:19.319 --> 00:01:22.239 at the time was so wary of the whole idea 26 00:01:22.640 --> 00:01:25.959 they initially refused to even engage with him, like at all. 27 00:01:26.120 --> 00:01:29.159 Yeah, they wanted nothing to do with it. But five 28 00:01:29.239 --> 00:01:31.920 years later, in nineteen ninety six, when the electronic edition 29 00:01:32.000 --> 00:01:35.280 came out, Ludwig firmly believed the book had done a 30 00:01:35.319 --> 00:01:36.599 lot more good than harm. 31 00:01:37.040 --> 00:01:39.400 Okay, so what was the good in his view? 32 00:01:39.599 --> 00:01:41.959 Well, on the good side, he explained how it provided 33 00:01:42.040 --> 00:01:46.280 desperately needed, like really detailed technical information for the people 34 00:01:46.400 --> 00:01:49.760 actually responsible for keeping viruses off computers. 35 00:01:49.400 --> 00:01:51.920 Right the cissimens, the tech teams exactly. 36 00:01:52.480 --> 00:01:56.120 For large networks, say ten thousand or more users, you're 37 00:01:56.319 --> 00:01:59.319 off the shelf. Antivirus solutions just weren't cutting it back then, 38 00:01:59.439 --> 00:02:03.159 not sophistic enough, not nearly. So the book it empowered 39 00:02:03.159 --> 00:02:05.959 their internal tech staff to handle issues quickly, you know, 40 00:02:06.000 --> 00:02:08.479 without having to rely on external vendors or shut down 41 00:02:08.479 --> 00:02:12.120 massive systems for days on end. It gave them the tools. 42 00:02:12.080 --> 00:02:14.599 That makes sense from a practical standpoint, and that's. 43 00:02:14.479 --> 00:02:17.919 Not all it. Also, he argued, played a crucial role 44 00:02:17.960 --> 00:02:22.000 in just educating curious individuals on how things work. 45 00:02:22.080 --> 00:02:24.719 You know, the pure knowledge aspect, right. 46 00:02:25.240 --> 00:02:28.560 Ludwig emphasized what he found to be the exciting idea 47 00:02:29.000 --> 00:02:31.719 of a program gaining a life independent of its maker. 48 00:02:32.199 --> 00:02:36.360 He drew this really striking analogy. Yeah, that basic information 49 00:02:36.439 --> 00:02:39.800 is vital for innovation. He said. It's like depriving the 50 00:02:39.840 --> 00:02:42.400 carpenter of his hammer and then asking him to build 51 00:02:42.400 --> 00:02:43.080 a better building. 52 00:02:43.479 --> 00:02:45.120 Huh okay, I see the point. 53 00:02:45.520 --> 00:02:49.400 His core belief was that restricting knowledge actually harms progress. 54 00:02:49.840 --> 00:02:52.400 You need the tools, the info to build better things, 55 00:02:52.479 --> 00:02:53.240 even defensive. 56 00:02:53.680 --> 00:02:57.879 But despite all that stated good, Ludwig himself admits that 57 00:02:58.000 --> 00:03:01.960 his experiment has not been without its dangers, which you know, 58 00:03:02.000 --> 00:03:02.800 sounds like an understate. 59 00:03:02.960 --> 00:03:05.639 Oh yeah. He reveals that the stealth virus, which was 60 00:03:05.719 --> 00:03:09.199 meticulously described in the book, actually succeeded in establishing itself 61 00:03:09.240 --> 00:03:11.879 in the wild. Wow, And as of nineteen ninety six, 62 00:03:11.919 --> 00:03:14.599 it was ranked number eight on the annual frequency list 63 00:03:14.680 --> 00:03:16.719 of most commonly found viruses. 64 00:03:17.240 --> 00:03:21.919 Number eight. That's yeah, that's significant. That's quite a consequence 65 00:03:21.960 --> 00:03:23.319 for an experiment, isn't it. 66 00:03:23.319 --> 00:03:27.960 It absolutely is. And what's fascinating here is Ludwig's complex 67 00:03:28.039 --> 00:03:32.759 reaction to Stealth getting out there. He expresses regret, yes. 68 00:03:32.759 --> 00:03:34.400 Okay, some regret, but also. 69 00:03:34.159 --> 00:03:37.240 A certain sense of well, he called it divine humor 70 00:03:37.479 --> 00:03:39.960 directed at some of the anti virus people he'd kind 71 00:03:39.960 --> 00:03:40.680 of sparred with. 72 00:03:40.719 --> 00:03:42.680 Oh really, b if I told you so? 73 00:03:42.840 --> 00:03:45.520 Maybe perhaps a little. He points out that the original 74 00:03:45.560 --> 00:03:49.759 Stealth in his book was designed for older PCs, specifically 75 00:03:49.879 --> 00:03:53.319 to hide itself on an extra disc track, which in 76 00:03:53.439 --> 00:03:56.240 theory limited its ability to replicate widely. 77 00:03:56.639 --> 00:03:59.319 But clearly that limitation wasn't enough in practice. 78 00:03:59.400 --> 00:04:02.319 Apparently someone adapted it or it found a. 79 00:04:02.240 --> 00:04:05.080 Way, And Ludwig takes this really provocative stance with the 80 00:04:05.120 --> 00:04:08.159 whole thing right. He actually hopes the book offends some people, 81 00:04:08.240 --> 00:04:09.639 stating they need. 82 00:04:09.479 --> 00:04:11.120 To Yeah, it's pretty blunt. 83 00:04:11.319 --> 00:04:13.919 His core belief right there in the preface is that 84 00:04:14.000 --> 00:04:17.360 computer viruses are not evil and that programmers have a 85 00:04:17.439 --> 00:04:20.639 right to create, possess, and experiment with them. That's a 86 00:04:20.639 --> 00:04:22.040 bold claim, it is. 87 00:04:22.120 --> 00:04:24.000 And it really gets to the heart of his philosophy. 88 00:04:24.079 --> 00:04:28.160 He emphasizes that truth is the truth, and it needs 89 00:04:28.240 --> 00:04:31.279 to be spoken, even if it is offensive. 90 00:04:31.560 --> 00:04:33.560 No compromises on truth none. 91 00:04:33.920 --> 00:04:36.639 He argues that morals and ethics, while they can't be 92 00:04:36.680 --> 00:04:39.680 determined by a majority vote or by force, he states 93 00:04:39.680 --> 00:04:43.199 directly that Mike does not make right. Okay, and this 94 00:04:43.240 --> 00:04:47.319 isn't just some abstract philosophical point for him. Ludwig's insistence 95 00:04:47.360 --> 00:04:50.399 on truth above comfort it kind of set a precedent 96 00:04:50.439 --> 00:04:53.199 for debates we still have today about open source information, 97 00:04:54.000 --> 00:04:57.800 cybersecurity vulnerabilities, and the ethical lines of disclosure. 98 00:04:58.040 --> 00:05:00.759 Yeah, where do you draw that line? He even brings 99 00:05:00.800 --> 00:05:03.639 in a no pain, no gain principle for intellectual growth. 100 00:05:03.720 --> 00:05:06.920 Right. He encourages critical self reflection, urges you to listen 101 00:05:06.959 --> 00:05:10.360 to opposing viewpoints, even if they challenge your comfort zone. 102 00:05:10.439 --> 00:05:12.879 He really wanted people to think for themselves, to grapple 103 00:05:12.920 --> 00:05:14.079 with difficult ideas. 104 00:05:14.279 --> 00:05:17.720 Crucially, despite these controversial views, he does include a very 105 00:05:17.759 --> 00:05:18.800 clear warning, doesn't he? 106 00:05:19.079 --> 00:05:23.120 Oh, absolutely very clear. He explicitly states that he does 107 00:05:23.160 --> 00:05:27.480 not advocate infecting an innocent party's computer system with a 108 00:05:27.519 --> 00:05:31.240 malicious virus designed to destroy valuable data or bring their 109 00:05:31.279 --> 00:05:32.120 system to a halt. 110 00:05:32.160 --> 00:05:35.240 Okay, So creating is one thing, releasing maliciously as another. 111 00:05:35.439 --> 00:05:38.879 Exactly, he calls that wrong and illegal, cautioning that you 112 00:05:38.920 --> 00:05:41.800 could risk jail time or find yourself sued for millions. 113 00:05:42.279 --> 00:05:44.160 He's not naive about the consequences. 114 00:05:44.279 --> 00:05:48.399 He reinforces that distinction. Then it's not illegal in his 115 00:05:48.519 --> 00:05:52.399 view to create an experiment with viruses privately. Correct, But 116 00:05:52.800 --> 00:05:56.360 he stresses that absolute point about responsibility, saying you should 117 00:05:56.360 --> 00:05:59.120 treat these programs with the respect you would have for 118 00:05:59.160 --> 00:06:02.680 a lethal weapon, to avoid any accidental destructive release. 119 00:06:02.759 --> 00:06:04.040 That's a serious analogy. 120 00:06:04.120 --> 00:06:07.279 It is a piece of code treated like a weapon. Okay, 121 00:06:07.360 --> 00:06:10.439 shifting gears a bit. Let's move from the philosophy to 122 00:06:10.759 --> 00:06:14.920 the fascinating mechanics of these early digital life forms. Right then, 123 00:06:15.000 --> 00:06:19.600 Naty Gritty Ludwig observed what he called computer hypochondria, stemming 124 00:06:19.600 --> 00:06:22.879 from the sheer complexity of machines back then, the rarity 125 00:06:22.920 --> 00:06:25.759 of actual virus incidents compared to other problems, and of 126 00:06:25.759 --> 00:06:29.279 course a lot of fear mongering reports in the media. 127 00:06:29.360 --> 00:06:31.199 Oh yeah, the panic was real sometimes. 128 00:06:31.279 --> 00:06:35.040 He says this led to mass hysteria, contrasting it with 129 00:06:35.360 --> 00:06:38.360 common computer problems that are usually just you know, user 130 00:06:38.480 --> 00:06:41.680 error or hardware failure, things that weren't viruses. 131 00:06:41.319 --> 00:06:45.639 At all exactly, and what's fascinating here is Ludwig's direct analogy. 132 00:06:46.079 --> 00:06:49.319 He compares the computer virus to the simplest biological unit 133 00:06:49.360 --> 00:06:53.800 of life, a single celled photosynthetic organism like algae. Basically, yeah, 134 00:06:54.120 --> 00:06:57.879 he explains, they share fundamental goals, first to survive and 135 00:06:58.000 --> 00:06:59.120 second to reproduce. 136 00:06:59.199 --> 00:07:02.120 Surviv and sounds biological it does. 137 00:07:02.600 --> 00:07:05.399 He clarifies that much like simple organisms drawing nutrients from 138 00:07:05.439 --> 00:07:09.000 their environment, a computer virus uses the computer system's resources 139 00:07:09.160 --> 00:07:13.560 disk storage, CPU time. It doesn't attack other self reproducing 140 00:07:13.600 --> 00:07:16.120 programs in the way we might think. It just exists 141 00:07:16.480 --> 00:07:20.199 and well proliferates within the electronic environment of the computer itself. 142 00:07:20.399 --> 00:07:23.720 So what really makes it computer virus unique? Then? What 143 00:07:23.920 --> 00:07:28.199 sets it apart from other self reproducing things like John 144 00:07:28.279 --> 00:07:31.920 von Neumann's theoretical stuff or even simple worms that needed 145 00:07:31.920 --> 00:07:32.759 people to spread them. 146 00:07:33.079 --> 00:07:36.639 Well, the defining feature of a computer virus, according to Ludwig, 147 00:07:36.839 --> 00:07:39.279 is its ability to hide itself in other programs. 148 00:07:39.439 --> 00:07:41.160 Ah, the hiding part exactly. 149 00:07:41.800 --> 00:07:46.720 This is how it overcomes operator control meaning the user's actions, 150 00:07:46.759 --> 00:07:50.600 and gains CPU access without the user's knowledge. That's what 151 00:07:50.759 --> 00:07:54.879 makes it a viable electronic life form in his terms, Okay, 152 00:07:55.319 --> 00:07:57.759 this parasitic nature, he notes, that's what earned it the 153 00:07:57.800 --> 00:08:01.399 name virus, even though the host per themselves aren't alive 154 00:08:01.480 --> 00:08:03.160 in any biological sense. 155 00:08:03.240 --> 00:08:07.000 Right, it's infecting code, not cells, and he briefly details 156 00:08:07.000 --> 00:08:10.439 the types of files these early viruses typically went after calm, 157 00:08:10.560 --> 00:08:14.120 exc or sys files yep, the executable types. These are 158 00:08:14.120 --> 00:08:17.079 the common application files on early PCs, basically the programs 159 00:08:17.120 --> 00:08:19.800 you'd click to run like today's audiax files on Windows. Right. 160 00:08:19.879 --> 00:08:22.560 Pretty much a virus needed to run to reproduce, so 161 00:08:22.639 --> 00:08:24.680 these executable files were the perfect hosts. 162 00:08:24.839 --> 00:08:25.279 Make sense. 163 00:08:25.600 --> 00:08:28.759 And then there's the boots sector virus, which he describes 164 00:08:28.800 --> 00:08:32.960 as a particularly potent type. Why potent because this virus 165 00:08:33.000 --> 00:08:35.639 attacks the boot sector. That's the very first thing a 166 00:08:35.720 --> 00:08:38.240 computer loads and executes from a disc when you turn. 167 00:08:38.120 --> 00:08:39.840 It on, right at the beginning, exactly. 168 00:08:40.320 --> 00:08:43.039 This allows the virus to gain immediate control of the 169 00:08:43.200 --> 00:08:48.840 entire system, even before other programs or crucially, detection software 170 00:08:48.919 --> 00:08:50.639 can even load and execute. 171 00:08:50.759 --> 00:08:53.360 Wow, it's like taking over the operating system before it 172 00:08:53.399 --> 00:08:54.000 even wakes up. 173 00:08:54.039 --> 00:08:56.679 That's a good way to put it, and Ludwig often 174 00:08:56.759 --> 00:09:00.559 illustrates the functional elements common to every viable computer virus 175 00:09:00.600 --> 00:09:03.039 with the diagram. They all need a few key. 176 00:09:02.879 --> 00:09:04.559 Parts, Okay, like what First? 177 00:09:04.799 --> 00:09:08.200 A search routine. This is for locating new targets, new 178 00:09:08.240 --> 00:09:11.720 files to infect. How good this is dictates how well 179 00:09:11.759 --> 00:09:13.360 and quickly it spreads. 180 00:09:13.159 --> 00:09:14.919 Makes sense find the next victim. 181 00:09:14.960 --> 00:09:17.960 Then a copy mechanism. This is the actual process by 182 00:09:17.960 --> 00:09:20.759 which the virus replicates itself, copies its code into the 183 00:09:20.799 --> 00:09:21.240 new host. 184 00:09:21.320 --> 00:09:22.799 A reproduction part exactly. 185 00:09:23.240 --> 00:09:27.080 And finally, anti detection routines. These are tricks designed to 186 00:09:27.120 --> 00:09:29.919 avoid discovery by antivirus software or users. 187 00:09:30.080 --> 00:09:31.279 Gotta stay hidden. 188 00:09:31.200 --> 00:09:35.360 Right, And he emphasizes that other routines like those designed 189 00:09:35.360 --> 00:09:39.559 for pure destruction, sometimes called logic bombs or even just pranks, 190 00:09:39.679 --> 00:09:42.480 like that old wash machine simulation virus. 191 00:09:42.759 --> 00:09:44.360 I think I remember hearing about that one. 192 00:09:44.559 --> 00:09:47.840 Yeah. While those destructive or annoying parts, they are not 193 00:09:48.000 --> 00:09:51.360 essential to a virus's existence. In fact, he argues, they 194 00:09:51.399 --> 00:09:54.600 can be very detrimental to its survival because they actively 195 00:09:54.639 --> 00:09:58.480 reveal its presence. If your computer suddenly starts acting crazy, 196 00:09:58.600 --> 00:09:59.639 you know something's wrong. 197 00:10:00.080 --> 00:10:02.440 Ah, okay, So destruction makes it easier to spot. 198 00:10:02.600 --> 00:10:08.279 Precisely, he uses this vivid kamikaze pilot analogy the destructive 199 00:10:08.320 --> 00:10:12.120 payload is useless without an effective delivery system. The search 200 00:10:12.159 --> 00:10:16.679 and copy mechanisms the survival parts are way more crucial. Survival, 201 00:10:16.720 --> 00:10:20.039 not destruction, is the virus's primary drive biologically speaking. 202 00:10:20.120 --> 00:10:22.639 Okay, let's look at some real examples Ludwig uses to 203 00:10:22.639 --> 00:10:25.720 illustrate these concepts. He starts with simpler ones, right, and 204 00:10:25.759 --> 00:10:26.879 then gets more sophisticated. 205 00:10:26.960 --> 00:10:27.879 Yeah, he builds it up. 206 00:10:27.960 --> 00:10:33.200 First. Up is TIMID, which stands for the Instructional Comfile Infector. 207 00:10:33.480 --> 00:10:38.799 He describes TIMID as a simple comfile infector. It's safe, tiny, 208 00:10:39.200 --> 00:10:42.200 and designed as an instructional tool. It apparently even tells 209 00:10:42.200 --> 00:10:43.559 you when it's infecting a file. 210 00:10:43.799 --> 00:10:46.240 Yeah, it's meant to be educational, not malicious. 211 00:10:46.279 --> 00:10:50.480 And crucially, it has no destructive code and only targets 212 00:10:50.519 --> 00:10:53.360 comfiles in the current directory. Very limited. 213 00:10:53.639 --> 00:10:56.559 Very And to understand TIMID, you need a little background 214 00:10:56.600 --> 00:11:00.159 on how those early com programs worked. He explains. They 215 00:11:00.200 --> 00:11:03.519 had a very predictable structure. How so they loaded directly 216 00:11:03.559 --> 00:11:07.000 into a specific memory spot after doss, the operating system 217 00:11:07.320 --> 00:11:11.679 prepared a small sort of foundational area for them. This predictability, 218 00:11:11.720 --> 00:11:14.519 which was actually a remnant from even older operating systems, 219 00:11:14.519 --> 00:11:18.320 like CPM was exactly what viruses like Timid exploited. 220 00:11:18.440 --> 00:11:21.840 Okay, so how does this tiny program actually do the infection? 221 00:11:22.039 --> 00:11:25.600 Well, Timid's infection process is quite clever for its simplicity. 222 00:11:25.879 --> 00:11:29.120 It first copies the host program's original starting instructions, just 223 00:11:29.159 --> 00:11:32.240 the first few bites, save them, saves them. Then it 224 00:11:32.279 --> 00:11:34.200 writes its own virus code to the end of the 225 00:11:34.200 --> 00:11:37.039 host file. After that, it goes back and replaces the 226 00:11:37.080 --> 00:11:42.279 host's original starting instructions with a jop instruction exactly a 227 00:11:42.320 --> 00:11:45.799 redirect that points the CPU to the virus's code at 228 00:11:45.799 --> 00:11:47.879 the end of the file and mugs it with VI 229 00:11:48.120 --> 00:11:48.960 so it knows it's. 230 00:11:48.840 --> 00:11:51.519 Infected, and after the virus runs. 231 00:11:51.320 --> 00:11:54.960 After executing, the virus restores those original instructions it saved, 232 00:11:55.279 --> 00:11:57.840 and then jumps back to the host program, making it 233 00:11:57.840 --> 00:11:59.559 seem like everything is running normally. 234 00:12:00.039 --> 00:12:03.960 Snik And what about its antidetection? How did it avoid 235 00:12:04.000 --> 00:12:05.919 giving itself away? Even being simple? 236 00:12:06.200 --> 00:12:09.000 Ah? The clever bit for Timid is its use of 237 00:12:09.039 --> 00:12:13.679 something called the disk transfer area or DTA manipulation uiki. Yeah. 238 00:12:13.679 --> 00:12:16.960 This DTA was a default location in memory where DOS 239 00:12:16.960 --> 00:12:20.399 would put things like command line parameters for a program Okay, 240 00:12:20.519 --> 00:12:23.759 what TIMID does is it temporarily moves this DTA somewhere 241 00:12:23.759 --> 00:12:26.200 else before it searches for files to infect, and then 242 00:12:26.240 --> 00:12:27.440 it restores it afterwards. 243 00:12:27.480 --> 00:12:28.039 Why does that. 244 00:12:27.960 --> 00:12:30.919 Matter because if it didn't, its own file searching could 245 00:12:30.960 --> 00:12:33.960 overwrite the host program's command line parameter stored in that 246 00:12:34.039 --> 00:12:37.440 default DTA location, which would cause the host program to 247 00:12:37.679 --> 00:12:41.639 maybe crash or act weirdly, revealing the virus exactly. So, 248 00:12:41.720 --> 00:12:45.279 by moving the DTA temporarily, it ensures the host program 249 00:12:45.360 --> 00:12:48.519 runs correctly without any hint that something else was running first. 250 00:12:48.840 --> 00:12:50.879 It's a subtle but effective trick for hiding. 251 00:12:51.120 --> 00:12:55.120 Okay, subtle indeed. Now let's move to Intruder, which Lidbig 252 00:12:55.120 --> 00:12:56.480 describes as no toy. 253 00:12:56.679 --> 00:12:57.279 Definitely not. 254 00:12:57.480 --> 00:13:01.120 This is a truly sophisticated executable virus, he says, that 255 00:13:01.240 --> 00:13:05.759 overcomes all of timmid's limitations. It infects EXE files, not 256 00:13:05.840 --> 00:13:09.960 just comms, and it spreads across directories and drives. He claims, 257 00:13:10.000 --> 00:13:12.720 is capable of deceiving a very capable computer. 258 00:13:12.919 --> 00:13:16.120 Whiz Yeah, Intruder is a big step up. Infecting exx 259 00:13:16.279 --> 00:13:20.000 files is significantly more complex than CALM files exact because 260 00:13:20.039 --> 00:13:24.799 ex files have more complex internal structures, headers, relocation tables, 261 00:13:25.120 --> 00:13:27.679 things that need careful modification if you're going to insert 262 00:13:27.720 --> 00:13:30.840 code without breaking the original program. Intruder attaches itself to 263 00:13:30.840 --> 00:13:33.440 the very end of an exx file and then modifies 264 00:13:33.480 --> 00:13:36.080 the header to gain control right when the program starts up? 265 00:13:36.159 --> 00:13:38.679 And how did it spread efficiently without being too obvious? Like, 266 00:13:38.720 --> 00:13:41.120 wouldn't scanning the whole hard drive slow things down? 267 00:13:41.360 --> 00:13:46.600 Good question. Intruder's search optimization is quite ingenious. Instead of 268 00:13:46.639 --> 00:13:51.080 doing exhaustive searches on potentially huge hard disks, which would 269 00:13:51.120 --> 00:13:55.360 be incredibly noticeable, right, slow down disc noise. That's only 270 00:13:55.799 --> 00:13:58.639 it truncates its search. It only looks in the current 271 00:13:58.639 --> 00:14:01.879 directory and its subdirect up to two levels deep. And 272 00:14:01.919 --> 00:14:04.919 also the root directory and its subdirectory is just one. 273 00:14:04.799 --> 00:14:06.799 Level deep, so limited search each time. 274 00:14:07.000 --> 00:14:10.039 Right. It relies on infected programs being run from various 275 00:14:10.080 --> 00:14:13.519 locations over time to achieve widespread propagation, rather than doing 276 00:14:13.559 --> 00:14:16.320 all the heavy lifting itself in one go. Much stealthier. 277 00:14:16.360 --> 00:14:19.159 Okay, that makes sense. So how did it manage to 278 00:14:19.240 --> 00:14:21.399 be so stealthy and avoid detection? 279 00:14:21.519 --> 00:14:21.679 Then? 280 00:14:21.919 --> 00:14:23.720 What was its antidetection routine? 281 00:14:23.919 --> 00:14:27.159 Ah? This is where Intruder gets really fascinating. Its main 282 00:14:27.200 --> 00:14:30.960 subtle anti detection routine is this. It doesn't execute its 283 00:14:30.960 --> 00:14:35.159 search and copy routine every single time and infected program runs. 284 00:14:34.879 --> 00:14:36.840 Oh only sometimes exactly. 285 00:14:37.279 --> 00:14:40.919 Instead, it checks the system clocks, specifically the number of 286 00:14:41.000 --> 00:14:44.200 ticks modulo sixty four, basically a randomizing element to decide 287 00:14:44.240 --> 00:14:47.039 whether to replicate or not. So it's roughly random. Yeah, 288 00:14:47.440 --> 00:14:50.320 it means it only tries to replicate roughly one in 289 00:14:50.360 --> 00:14:53.080 every sixty four times an infected program is run. 290 00:14:53.120 --> 00:14:54.639 Wow, that would be hard to spot. 291 00:14:54.519 --> 00:14:59.240 Extremely difficult without constant, painstaking monitoring. But there's a catch 292 00:14:59.759 --> 00:15:02.480 it It has a little routine sets sore that ensures 293 00:15:02.559 --> 00:15:05.200 it does run the search and copy the very first 294 00:15:05.200 --> 00:15:08.559 time an infected program is executed on a clean system. 295 00:15:08.279 --> 00:15:10.360 To guarantee initial infection precisely. 296 00:15:10.679 --> 00:15:13.399 Then after that first run, it reverts to the random 297 00:15:13.440 --> 00:15:16.799 one in sixty four. Check. It's a masterclass and subtlety 298 00:15:16.840 --> 00:15:17.440 for its time. 299 00:15:17.679 --> 00:15:20.720 Incredible. Yeah, okay, let's connect this now to the bigger 300 00:15:20.720 --> 00:15:24.360 picture you mentioned earlier, the boot sector virus. Can you 301 00:15:24.399 --> 00:15:26.480 remind us about the PC's startup sequence? 302 00:15:26.600 --> 00:15:28.480 Sure? So, when you turn on an old PC, the 303 00:15:28.559 --> 00:15:31.000 very first thing the CPU does is execute a small 304 00:15:31.039 --> 00:15:35.080 program stored in the computer's built in memory, the BIOSROM. 305 00:15:34.519 --> 00:15:37.320 Okay, the basic input output system right. 306 00:15:37.720 --> 00:15:40.320 This BIOS code then attempts to read the boot sector 307 00:15:40.399 --> 00:15:43.200 that's the very first physical sector from a disc. Usually 308 00:15:43.200 --> 00:15:45.919 it tries the floppy drive a first, then. 309 00:15:45.759 --> 00:15:48.240 The hard drive c reads it into memory. 310 00:15:48.120 --> 00:15:52.000 Reads it into a specific memory location zero zero point 311 00:15:52.120 --> 00:15:55.720 seven C zero zero h Then it checks the very 312 00:15:55.799 --> 00:15:59.039 last two bytes of that sector if they contain a 313 00:15:59.080 --> 00:16:03.159 specific signature fifty five hah. The BIOS considers it a 314 00:16:03.279 --> 00:16:06.519 valid bootable sector and passes control to it, and passes 315 00:16:06.559 --> 00:16:09.759 control directly to the code loaded from that sector. This 316 00:16:09.840 --> 00:16:13.919 makes boot sector viruses incredibly powerful because they gain control 317 00:16:14.080 --> 00:16:18.559 before almost anything else on the computer, the operating system, antivirus, 318 00:16:18.600 --> 00:16:19.159 anything can. 319 00:16:19.080 --> 00:16:21.200 Even start right at the source of power. Okay. So 320 00:16:21.240 --> 00:16:24.879 he describes kilroy as a simple one sector boot virus. 321 00:16:25.080 --> 00:16:28.399 Its goals is designed to load doss the operating system 322 00:16:28.519 --> 00:16:32.039 and reproduce itself onto other boot sectors. Very basic function. 323 00:16:32.120 --> 00:16:33.360 And you mentioned it was rude. 324 00:16:33.519 --> 00:16:35.960 Yeah. Leadwood calls it rude in its design because it 325 00:16:35.960 --> 00:16:38.919 doesn't display any polite error messages if something goes wrong, 326 00:16:39.240 --> 00:16:42.399 mainly to save precious space in that single sector. It 327 00:16:42.440 --> 00:16:45.000 also uses a guessing strategy for finding the hard drive's 328 00:16:45.039 --> 00:16:48.000 boot sector location. Tracks zero had one sector one was 329 00:16:48.000 --> 00:16:50.399 a common guess. If that guess was wrong for a 330 00:16:50.399 --> 00:16:54.639 particular hard drive, it could potentially corrupt or crash the 331 00:16:54.679 --> 00:16:57.440 disc trying to write to the wrong place. Not very 332 00:16:57.440 --> 00:17:00.799 sophisticated in the name, oh amusingly yeah, If a disc 333 00:17:00.879 --> 00:17:04.359 infected with kill Roy successfully boots, it actually displays the 334 00:17:04.359 --> 00:17:06.359 phrase Kilroy was here on the screen. 335 00:17:06.480 --> 00:17:11.720 Ah classic graffiti tag. Okay, so Kilroy is simple, potentially clumsy. 336 00:17:12.279 --> 00:17:14.640 Now he introduces Stealth right. 337 00:17:14.920 --> 00:17:18.640 Stealth is presented as a truly sophisticated boots sector virus 338 00:17:19.160 --> 00:17:23.680 designed to overcome Kilroy's limitations, hiding much more carefully and 339 00:17:23.759 --> 00:17:27.599 infecting efficiently and importantly not just at boot. 340 00:17:27.359 --> 00:17:29.119 Time, not just at bouta. And this is the one 341 00:17:29.119 --> 00:17:31.000 that got out in the wild, the infamous one. 342 00:17:31.039 --> 00:17:33.680 That's the one number eight on the list, remember, And 343 00:17:33.799 --> 00:17:38.240 what's fascinating here. Contrasting with Kilroy is Stealth's polite behavior. 344 00:17:38.519 --> 00:17:40.599 Polite a polite virus. 345 00:17:40.200 --> 00:17:43.960 Relatively speaking, It actually checks the disc's file allocation table, 346 00:17:44.000 --> 00:17:47.400 the FAT, which is like the disc's directory. It aborts 347 00:17:47.400 --> 00:17:49.680 the infection process that the disc is full or has 348 00:17:49.799 --> 00:17:51.279 bad sectors reported. 349 00:17:50.960 --> 00:17:52.240 In the fact, Why would it do that. 350 00:17:52.519 --> 00:17:56.279 To avoid causing obvious permanent damage to the disc or 351 00:17:56.400 --> 00:18:00.240 corrupting user data, which would again reveal its presence. It 352 00:18:00.319 --> 00:18:01.880 wants to survive undetected. 353 00:18:02.039 --> 00:18:06.160 Clever Yeah, and its copy mechanism. How does it actually infect. 354 00:18:05.839 --> 00:18:09.160 It's quite involved. It involves carefully updating those f fat 355 00:18:09.200 --> 00:18:13.480 tables to mark certain sectors as bad or unusable. These 356 00:18:13.480 --> 00:18:16.079 are rare, will hide itself. Then it moves its own 357 00:18:16.240 --> 00:18:19.559 virus code and the original clean boot sector into these 358 00:18:19.680 --> 00:18:23.599 hidden areas. Finally, it writes its new viral boot sector 359 00:18:23.680 --> 00:18:27.240 code to the disc's primary boot sector location. Sectors it all. 360 00:18:27.079 --> 00:18:29.599 So it hides the original and puts itself in charge. 361 00:18:29.759 --> 00:18:31.640 What does this all mean for its spread? Then you 362 00:18:31.640 --> 00:18:33.599 said not just at boot time, right? 363 00:18:33.799 --> 00:18:38.200 Stells has an incredibly aggressive infection trigger, specifically for floppy discs. 364 00:18:38.559 --> 00:18:40.799 It infects anytime the boot sector is read from the 365 00:18:40.839 --> 00:18:43.680 disc anytime, not just on boot anytime. So for example, 366 00:18:43.759 --> 00:18:46.559 just inserting an infected floppy disk and doing a directory 367 00:18:46.559 --> 00:18:49.640 listing DRA could trigger the read of the boot. 368 00:18:49.400 --> 00:18:51.440 Sector and infect your system right then and there. 369 00:18:51.759 --> 00:18:54.440 Exactly. It didn't even need the disc to be booted 370 00:18:54.440 --> 00:18:56.759 from to spread to the system's memory, making it much 371 00:18:56.759 --> 00:18:58.839 more contigious than simpler boot viruses. 372 00:18:58.920 --> 00:19:03.519 Wow, that raises the important question, then, how does it 373 00:19:03.559 --> 00:19:06.519 stay hidden from detection if it's sitting there in memory? 374 00:19:06.920 --> 00:19:11.880 Good question. Stealth's core antidetection relies on intercepting something called 375 00:19:12.000 --> 00:19:13.079 interrupt thirteen H. 376 00:19:13.440 --> 00:19:15.640 Interrupt thirteen Yeah, you can think. 377 00:19:15.519 --> 00:19:19.759 Of interrupts like the operating system's direct hotline for specific services. 378 00:19:20.240 --> 00:19:23.200 Interrupt thirteen H is the BIOS level service for reading 379 00:19:23.279 --> 00:19:24.680 and writing to disk drives. 380 00:19:24.720 --> 00:19:26.759 Okay, the disc controller hotline. 381 00:19:26.319 --> 00:19:29.960 Pretty much so Stealth installs itself in memory and then 382 00:19:30.079 --> 00:19:33.680 reroutes this interrupt to thirteen H. When any program dos 383 00:19:33.720 --> 00:19:36.799 an application, an antivirus checker tries to read the boot 384 00:19:36.880 --> 00:19:37.839 sector using in. 385 00:19:37.880 --> 00:19:39.799 Thirteen H, Stealth intercepts the call. 386 00:19:39.920 --> 00:19:42.000 Stealth intercepts the call before it gets to the real 387 00:19:42.039 --> 00:19:44.720 bios routine. It quickly checks if it should infect the 388 00:19:44.720 --> 00:19:47.720 disc if it's a floppy for example, performs its infection 389 00:19:47.799 --> 00:19:50.519 routine if needed, and then it cleverly passes the original 390 00:19:50.519 --> 00:19:53.440 request along to the real bios routine, but points it 391 00:19:53.519 --> 00:19:56.839 to read the original clean boot sector it's saved earlier. 392 00:19:56.559 --> 00:19:59.559 So the requesting program gets the clean version exactly. 393 00:20:00.000 --> 00:20:02.720 The requesting program gets the data it asked for the 394 00:20:02.799 --> 00:20:06.519 clean boot sector, and remains completely oblivious that the virus 395 00:20:06.559 --> 00:20:10.000 intercepted the call, potentially infected the disk and fed it 396 00:20:10.039 --> 00:20:11.920 clean data. It's stealthy. 397 00:20:12.200 --> 00:20:15.160 That is incredibly sneaky and the ultimate stealth move, he 398 00:20:15.240 --> 00:20:18.000 calls it. How Stealth installs itself in memory in the 399 00:20:18.039 --> 00:20:19.599 first place. That sounds tricky. 400 00:20:19.680 --> 00:20:20.480 It is very clever. 401 00:20:20.599 --> 00:20:20.839