NuKE Info-Journal #8
April 1994

The true story about TäLöN...
by TäLöN

For a while I didn't have any interactions with anybody remotely connected with either the AV or Vx worlds, because of the local scene breakdown, and my exclusion from NuKENet for reasons unknown at the time (which this article shows to be mostly fabrications and distortions of truth). As a result, only my older work stood as an example of my capabilities. This in combination with other things led to my misrepresentation and misunderstanding among the Vx community. This article hopes to dispel or at least straighten out some of these problems.

This article refers to articles which aren't altogether new, but until now I hadn't seen them, let alone have the exposure enough to reply to them. These are, Crypt Newsletter 18 ("An incredibly complicated tale of mystery and intrigue", September 1993) and 40Hex release 11, article 001 ("Life, the Universe, and 40Hex", June 1993).

____

I think it's about time that the story, the TRUE story, was let out for all to read and digest. Forget everything (well most things) that you've heard, read, eavesdropped on etc, because there's a good chance it's bullshit.

It's a bit hard to choose where to start the tale. I guess I'll start by rebutting some of the things which have been said about me, for example, NuKE infojournal #7 perhaps ? Or, more recently, Crypt Newsletter 18 ... and I quote:

    "Confusion to your enemies" could be TaLon's motto and you'll agree after reading this whopper. Originally, the writer of the PuKE/Harry McBungus viruses, Talon created Harry McBungus and Terminator-Z as electronic beards for a group predominantly interested in optimizing virus code and poking fun of the NuKE virus-programming group.
    But, fate took a hand and made the PuKE virus famous down under when it infected a company and the event was publicized in a newspaper. Talon, according to sources, saw the article, called the newspaper and gave them an interview, perhaps thinking editors would keep his name secret. They didn't.

(for a start, this extract, and following extracts, were based upon old, second-hand and what's more _incorrect_ "facts").

The above extract is essentially true. (almost). In about 1990 I decided to teach myself assembly language, and quickly developed an insane fascination with cracking and viruses. As Terminator Z, when Gnarly Beast ran the Australian iNC headquarters (Hellzone/Crime Syndicate), I was a part-time cracker for iNC and stuff like that. But quickly my appetite for viruses overcame, and I created my first virus at the age of 15.

Now that my previous aliases have been released, I might as well make no secret of the fact that I wrote X-Fungus, which did actually infect a prominent institution in Brisbane, which made headlines. This was my first ever virus, which was TSR, infected COM and EXE files, hid the file size increase on the directory, and included an encrypted text message which was displayed on certain dates. My first virus. 1422 bytes. And for which I had absolutely no reference material to learn from. Not trying to blow my own horn, just stating the facts, other people at the time were writing simpler viruses which were twice the size.

I then cut that down and optimized it to create No Frills, which was to be a 'skeleton' from which other ones could be made. A few others, such as K-Lame Kreation, No Frills 2.0 and No Frills 3.0 were created from this. (NF2.0 was a bug-fix of 1.0, and K-Lame Kreation was never released).

But before all this happened, I showed a number of people my virus sources and what the viruses could do - but never gave anybody a copy. This is where good friendships came into effect. Somebody flogged them.
(something which has occurred more than once in my career unfortunately, but more on that later). My source codes turned up on a few local BBSs. I was spewing.

It was soon after this that I learned that X-Fungus had hit this famed institution .. (as you can see this is a bit out of chronological order..). But the newspaper report was full of shit, they called it the "K-Mart" virus.. so I called the newspaper and told them they were wankers, and he being a reporter, juiced more info out of me (not that I cared, what could a reporter do).

... re:

    Editors passed his name along to the Fraud Squad, a branch of the Australian national crime-fighting force which focuses on computer crime.

...

This is partly true. In the meantime, No Frills 2.0 had made the rounds of large numbers of public & private high schools, and No Frills 3.0 actually hit the network of one of Brisbane's largest private schools. It was then that I found out that the cops were after me, because a friend of mine was brown-nosing the computer administrator, and he found that they (the cops) came up to the school and asked if they were interested in supplying evidence for their "case".

Anyway the case came to pass, I was interrogated over the course of two days. They TOLD me that they wouldn't have bothered with the investigation, it was so hard to prove, but they had to try since that institution had lodged a formal complaint to the fraud squad. I NEVER told them any names (I knew none at the time anyway). I NEVER dobbed anyone in.

Anyway read the entire article, and I will continue... (from crypt letter 18, verbatim..)

    >An incredibly complicated tale of mystery and intrigue: Former NuKE virus-programmer Talon, of Brisbane, Australia, makes it into Fictual Facts this month for making life just a little more brutish than it ought to be. "Confusion to your enemies" could be TaLon's motto and you'll agree after reading this whopper.
    Originally, the writer of the PuKE/Harry McBungus viruses, Talon created Harry McBungus and Terminator-Z as electronic beards for a group predominantly interested in optimizing virus code and poking fun of the NuKE virus-programming group. But, fate took a hand and made the PuKE virus famous down under when it infected a company and the event was publicized in a newspaper. Talon, according to sources, saw the article, called the newspaper and gave them an interview, perhaps thinking editors would keep his name secret. They didn't. Editors passed his name along to the Fraud Squad, a branch of the Australian national crime-fighting force which focuses on computer crime.

    Agents from the Fraud Squad promptly rounded up Talon and here's where the story gets tricky. Talon, by adroitly using the aliases of Harry McBungus and Terminator-Z, was able to sufficiently confuse the investigation by pushing authorship of the PuKE virus onto people, who essentially, didn't exist.

    At this point, TaLon applied for membership to NuKE and submitted the Daeman virus. Shortly thereafter, the Daeman virus infected a PC network belonging to Australian Telecom, sufficiently inconveniencing the company so that it summoned the Fraud Squad. It was "round up the usual suspects" time and Talon again went into the bag. This time, he shifted suspicion onto two other Australian hackers and NuKE members, Phrozen Doberman and Screaming Radish. NuKE promptly terminated TaLon's membership for this graceless cybersocial faux pas, but did publish the Daeman source code in its InfoJournal #7 before wishing him luck with Australian authorities.

    TaLon promptly uploaded a fakeware archive called VCL20.ZIP into some US virus exchange bulletin board systems. Advertised as the Virus Creation Laboratory v. 2.0, the archive was "password protected" with the phrase "Nowhere Man Sucks." It was a hoax.
    [NuKE Infojournal #7, with the source code to the Daeman virus, is available on most of the systems listed at the end of this issue.]

Now I can say a few more things. Most people who know me or have read my posts will know my standpoint on the creation of millions of sad-arse viruses for the pleasure of saying "I've written XXXXX number of viruses, I'm so cool" versus writing REAL viruses which will actually be any good. In its infancy, NuKE was an outfit which couldn't really program viruses, and although they'd progressed past overwriting they were still only sad direct-infectors, and still managed to inflate their dolls over them. At the time I was writing better viruses, smaller viruses, more viable viruses, and thus PuKE was formed. A pretty bogus group and I make no secret of that. I was PuKE, the only member.

Yes I eventually gave the newspaper an interview, along with 3 others, including Storm Waterdrain (now seemingly retired). We went into the interview with the intention of helping to educate the public on what the whole deal was about, to help maybe reduce the crap and stigma that surrounds the whole deal .. but nooooooooooo.. typical reporter etc etc and I ended up getting _totally_ burnt, a maladjusted misfit hell-bent on screwing peoples' computers up. As if a newspaper isn't going to be sensationalistic. You can't get sensationalism out of education. You get it out of portraying people like me and the rest of the Vx as monsters, feeding the public exactly what they want to hear. I was a victim of all that shit.

Anyways enough of that. Back to the Crypt article...

    At this point, TaLon applied for membership to NuKE and submitted the Daeman virus. Shortly thereafter, the Daeman virus infected a PC network belonging to Australian Telecom, sufficiently inconveniencing the company so that it summoned the Fraud Squad.
I didn't join NuKE and just upload DaeMaen, I was conferencing with Rock Steady for a number of weeks and mainly brainstormed new ideas and tricks and stuff. Ask him about it. A lot of ideas came into effect and many of them did go into the creation of Daemaen.

I did join nuke.. But under the condition that none of my previous aliases and stuff were mentioned, for the simple reason regards the investigation - trying to make a clean break, not get NuKE tangled up in my previous endeavours. And also that DaeMaen wasn't to be published. Both were violated.. not happy.. Apparently justified by the fact that I'd dobbed people in, which was BULLSHIT. ABSOLUTE BULLSHIT.

Daemaen didn't work on dos versions above 3.3 for the simple reason that it does a dodgy search method for the original interrupt 13 vector, and the structure changed for higher dos versions... so it didn't matter anyway. So it couldn't possibly have been DaeMaen that infected Australian OTC. I know for a fact it wasn't, because the virus that did was called the Dudley virus, which just happens to be based around No Frills but with a mutation engine thrown on top. I didn't write this, well not exactly, but wrote half the mutation engine then gave it to someone else, who then coupled it up with the unofficially-released No Frills source and then released the resulting virus under the PuKE banner (I didn't know this until later).

...

    It was "round up the usual suspects" time and Talon again went into the bag. This time, he shifted suspicion onto two other Australian hackers and NuKE members, Phrozen Doberman and Screaming Radish. NuKE promptly terminated TaLon's membership for this graceless cybersocial faux pas, but did publish the Daeman source code in its InfoJournal #7 before wishing him luck with Australian authorities.

100% CRAP (except for the membership termination and the publishing of the source code).
I later learn that most of the bullshit was informed to NuKE by none other than Phrozen Dobermann. I have no knowledge of ever offending him, nor anyone else, but I don't care and this was told to me by several members. Rock Steady said he found out from NuKE Melbourne, and god knows where they heard it from. As for the second investigation, I'm still waiting...

    TaLon promptly uploaded a fakeware archive called VCL20.ZIP into some US virus exchange bulletin board systems. Advertised as the Virus Creation Laboratory v. 2.0, the archive was "password protected" with the phrase "Nowhere Man Sucks." It was a hoax.

Well well well, if the bit before was 100% crap, this is 200% absolute bullshit. For a start I consider myself a person of some sort of common decency (some in the public world would disagree, though :) ) and would never resort to such pathetic, underhand "tactics". I piss on the grave of whoever took it upon themselves to do this. Anyway, I wasn't calling out and don't have access on ANY boards in the States, simply because I never call there. If I did, I would have discounted this trend before now - this is my first opportunity.

    [NuKE Infojournal #7, with the source code to the Daeman virus, is available on most of the systems listed at the end of this issue.]

Which didn't work... and is a major embarrassment to me since it's largely crap. Another virus was eventually built out of that, which emerged as "1984", which also wasn't to be released. A few would find my story a little hard to believe -- first time things were stolen ,,, but a SECOND time ? yeah , sure. Well to all of you who think that, go shove it up your arse, there are a number of things which point to the fact that it was stolen :

1. 1984 was to be 1984 bytes long. The in-the-wild version is 1979 bytes long.
2. The infection counter on the SCAN trojanned with 1984 is infection number 7.
3. There are several buggy and unoptimized bits in the virus which I wouldn't ever have released.
4. The virus code on the disk boot sector infection isn't encrypted, this was fixed long before I saw 1984 (without encryption) in the wild.
5. The boot sector infection routine will bug out on high-density disks. This reduced the bandwidth of the virus by a large degree. This was also fixed.

Anyway I hope I've set a few things straight here and stamped out a lot of shit rumours and speculations. Problem is, until now I haven't been able to stamp them out because of the very fact that I was still perceived as a narc until a very short time ago, when Screaming Radish finally called me voice and I cleared the air. I had my banishment from NuKENet lifted, among other things. I'm a bit sick of the entire virus deal, but at least my faith has been partly restored. Perhaps even the author of the above section of Crypt Newsletter 18 will publish something now that he knows the real story ? Who knows. That doesn't mean to say that I've retired, mind you... there's still stuff in the pipeline.

Hmm This reminds me of what I read in 40Hex issue 11, where a particular Dark Angel, whom I have had no previous interaction with, but all the while I respected him for his work, took it upon himself to make a judgement on the little available information about me. He didn't actually state any names, but it's pretty obvious to those who know.. Interestingly enough, my little tale was told (not the tale about the feds etc, but my virus writing) inside an article complaining about all the lame biting-ass virus "groups" out there.

Here's the business half of the article. (This appears in the 11th issue of 40Hex magazine, the file 40HEX-11.001).

    It is apparent to even the blindest of observers that the virus phenomenon has caught on. Everyone and his kid brother has decided to start a virus group, whether or not they have programmers capable of creating a viable (read: parasitic) virus.
    While this in itself is merely offensive, it is the sheer arrogance of these meta-groups which is irritating. Of course, no names will be mentioned, as that would be mean and we all wish for a happy world.

    The most common trait of these pseudo-groups is for a member to state that all code that was written was "developed on my own." Of course, this is seldom the case. Often, the "original source code" to their viruses clearly originated at some point from a Sourcer disassembly. Heck, when you see "seg_a" or "loc_0027," you know they're just poor hacks. Of course, the disparate coding styles in the "source" also reveals the nature of the virus.

If the reader reads on, about the 387-byte TSR COM/EXE infector, about self-developed techniques, about other shit which I said, the above reference may not be understood unless it's stated that the source code to this 387-byte virus was lost in a HD crash, and I had to use sourcer to recover it. (I had the .bin image of the virus in question on a backup disk). I'd imagine the statement of the "loc_0027" above is referring to this fact, attacking my integrity as a self-respecting programmer.

[irrelevant paragraph skipped]

    Every group goes through a phase in which they hack viruses; they should not be proud of these viruses. But it is merely the first step and most grow out of it. Skism-1, for example, was a Jerusalem hack. It is ancient history. I might also point out that the Phalcon/Skism viruses published in both the last issue and this one are far superior to Skism-1. Phalcon/Skism does not release the source code to half-baked viruses just so 40Hex can look larger. Every virus programmer has a few experimental viruses; yet it is not necessarily appropriate to print all of them. If I wrote a virus which had several hundred bytes of repetitious code, I would be ashamed to print it. It's like releasing a program which has only been half-completed.
This I agree with, it's pointless releasing every revision of every virus you've ever written. My standpoint on this issue is pretty clear, I have written a fair few, and none I have actually released myself, and I wouldn't want all of them to have been released for the simple fact that I don't want to be seen to be writing almost identical viruses and being "proud" to put my name to them. What's the point in that? I don't respect people like that, and from all indications neither does the author of this article (Dark Angel).

And no, I never hacked another virus, and didn't think about it for a second. I've borrowed some techniques (but not code) and gained inspiration from some viruses, but nothing of the likes of Dark Avenger or Jerusalem!

    When a virus programmer additionally claims, "This virus was written two years ago, so it sucks, but I'm going to release it anyway because it's good to learn from," I have my doubts. When s/he further hurriedly states, "My other viruses are better," then my doubts grow. Where, pray tell, are these superior viruses? Why publish that which you admit sucks? Of course, anyone that makes such a claim, or one such as, "Next time, I'll release a COM/EXE/SYS/MBR/OV?/DAT/DOC/TXT/ANS/ASC polymorphic, stealth infector that I wrote last week," is suspicious.

    As an example of the mindless boasting, observe the following: (Note: the following should not be construed as a personal attack against either the person or group in question.)

Now this is only _slightly_ directed towards me (not). OK then, that source code was released - I had nothing better at the time - because I was in the _middle_ of writing the super-duper "COM/EXE/BIN/SYS/OVL/MBR/Boot Sector/Dir Stealth/Partition Stealth" virus in question, which Dark Angel slanders me for being "bullshit". So, my other viruses ARE better. Have no doubt, Dark Angel obviously drew invalid assumptions from a poor pool of information. Mindless boasting? hmf.

Anyway I'll quote the next paragraph.
    This person wrote, "As with many of my routines, stuff which took many other virus writers a few pages of code took me one page... that's not bad! I have many other goodies up my sleeve, like a 387-byte generic COM/EXE parasitic infector on execution, the smallest of its kind in the WORLD... (with room for improvement!)."

I do not deny stating this, but may I say it was mostly to burn off some lamer in Sydney who rang me up telling me he was hot shit, so I had to do something about it. And it's true, I squashed both the COM and the EXE infection routines into just over a single page (24 lines), something most viruses at the time had a good 200 bytes devoted to.

Something else must be said though. One must remember the time frame in which my viruses were written. If viruses of that quality were written today, then big deal, but they were written 2 years ago, in an environment where 1024-byte TSR COM/EXE infectors were considered GOOD. It must also be pointed out that at the time, the smallest TSR COM/EXE infector was the Ontario virus (512 bytes; mine was 387), ... Which _Just So Happened_ to be written by Dark Angel himself. My virus, when included with the text string "[PuKE]" hence the name Puke393, was absolutely functionally equivalent to Ontario 512, unlike the virus included later in Dark Angel's article.. but more on that later.

    Please do not boast if you cannot substantiate your claims. For example, these claims are easily shredded by counterexample. Let us examine the Voronezh-370 virus. It is a generic parasitic COM/EXE infector and it is indeed less than 387 bytes. If 387 bytes is the smallest in the world, then this may very well be the smallest in the universe. With only two hours of fiddling, I came up with the following virus (278 bytes), which may yet be the smallest of its kind in all of creation! Actually, I make no such claim, as a smaller one _can_ be written.
    The point was to show that this claim was not all that impressive and was, in fact, dead wrong. Let us not be o'erhasty to boast next time.

    As with many of my viruses, stuff which took many other virus writers over 380 bytes took me under 280... that's not bad! Humour aside, I might point out that this virus is _over_ 100 bytes less than the boaster's attempt, so it is _significantly_ smaller. Gee, I wonder what those extra 109 bytes are used for.

It must be stated again, that it WAS the smallest in the world _at the time_ - it's not as if I was lying. What's more, the above paragraphs imply that I'd said it couldn't be beaten -- I made no such claim. I wouldn't. That sort of thing is only for the self-important, blinded by their own stupidity. So, when the virus was written, 387 bytes WAS the smallest in the world for what it did.

The article goes on to list the source code of the sub-280 byte virus,

    ; Phalcon/Skism _Small virus
    ; Written by Dark Angel of Phalcon/Skism
    ; 278 byte generic COM/EXE infector

again written by Dark Angel. But what I failed to point out, is that 387 bytes is pretty small considering that it sacrifices absolutely NO "safety features". The PS Small virus DOES. This makes it unstable, and in terms of wild viability, a failure.

As I said, to make the code smaller, Dark Angel sacrificed a number of features (hence the 109 byte deficit). I'm not saying that DA's programming is shoddy; the opposite, he is quite a competent coder (credit where it's due, I admit it at least).
The Small virus will not infect programs with a Read Only attribute; the Small virus will not disable the critical error handler; the Small virus will infect EXE programs with internal overlays (potentially damaging them); the Small virus will update the file's date/time to time of infection; and what's more, the Small virus will return control to its host with dirty registers, and considering that a lot of programs assume clean registers, with CS=DS=ES, this is a bad move if a viable virus is what you want.

PuKE393 sacrifices none of these important safety features. It is a viable virus in the wild. If I were out to make the smallest virus in the world, full stop, I too would remove these features, and would also derive a virus of similar size to that which Dark Angel proudly whipped up in two hours.

So you see, the statement..

    I think the informed virus and anti-virus person recognises these claims as the baseless boasts they are. Let me assure you that you will see none of that in 40Hex.

..applies equally well to the author of the article. I am just as capable, but prefer to have a stable virus rather than an exceedingly small one. A decent exercise to satisfy any curiosity perhaps, but not to try and prove the point that someone's a bad programmer. If anything, it proves the reverse.

But anyway. I also have to mimic one of the article's paragraphs, and state that "this article does not serve as a platform to personally attack the person or group in question." In fact, from all indications, Dark Angel appears to be an intelligent and capable programmer. It's just a shame he had to draw his conclusions from such a small source of information -- but in his position, I probably would have done the same thing. After all, PuKE was formed to do exactly the same thing to NuKE when they were unwarrantedly calling themselves Kings of the Mountain.
So, by this, I mean no hard feelings towards Dark Angel (if anything, I wouldn't say No to any mutual exchange of information with him, or at least a chat).

Anyway, DA, if it's goodies you're after, all you have to do is ask, I do have them, they're just not on public display. It's a shame, because you seem to abuse me for going on about them and not having done them. I look forward to some sort of interaction, if you're interested, and I'm sure something can be gained by all.

Actually it's pretty funny, because when I applied for NuKENet all that time ago when I was in the process of writing the now-common 1984 virus, I stated such on the net. "com/exe/bin/sys/ovl/mbr/bs/stealth etc" ? Rock Steady immediately attacked me, "Piss off, and come back when you've actually written it. Unlike you, we write the Proto-T. When VCL 2.0 comes out even you'll be able to write the k0oL viruses you say you can". However his tune changed when he realized I actually was the genuine article, and .. (quoted from IJ#6, nuke timeline, I believe)

__________________________________________________________________________

    January 10th, 1993

    TäLöN enough respect goes out to this charm... He too has succeeded the wild-bush hunt of the Aussie, though he was never the same afterward... Just as Compton was put on the map by the Brothers, TäLöN is the one to put Aussie onto the map. For that I gave him a whole paragraph in this intro...

__________________________________________________________________________

Side note, it appears that Dark Angel and I have made around about the same achievements, if not in viral common-ness, in viral technology. Whether this is true or not is debatable. Both he and I can write small TSR COM/EXE infectors. Both he and I wrote SYS infectors at around the same time, using similar techniques (convergent evolution? great minds think alike? :) ).
Both he and I have written mutation engines of similar calibre (perhaps DA's has slightly more features, but mine is a fair bit smaller. I won't boast about its size this time ;) ). I'm sure DA has written a multipartite infector by now.

Another side note, DA implies I can't write the "com/exe/bin/sys/ovl/mbr/bs/directory stealth/mbr-bs stealth/file stealth/polymorphic" virus. I admit that I've never actually sat down and fully debugged a full-stealth virus and got it 100% working, but I can and I will eventually. I had written one which does all of the above minus the full stealth, but can't get the i21 hooking off bootup when DOS=High working properly yet. This will have to wait. Since 1984 I've corrected and optimized a lot of code, and it will now do stealth on not just partition tables but floppy disks of all capacities. If you don't believe me, you'll probably see it in the next infojournal.

So there you have it. Hopefully a little educational to some.

Cheers
TäLöN