Archive for March 2009

Virus group 29A disbanded – who’s next?   Leave a comment

Couple of weeks back, 29A officially shut down business. 29A’s published work was one of the best (IMHO) sources for cutting edge virus technologies. Their e-zines provided a sampling of what was happening in the Virus underground during that period.

This was the last message posted by VirusBuster in their site:

” I tried to contact ValleZ for some time in order to take a decision together about the future of 29A with no luck therefore I decided to take the decision alone. And my decision is that 29A goes officially retired. I feel this is fair because I am kinda the alpha and the omega of the group. 29A was born in Dark Node, my BBS, and I am the last active member of the group. My last words as 29A member are for all the people that worked hard to make of this group the best one: Thank you very much! Regards, VirusBuster/29A

29A has left the building! “

Kind of sad.

I came to know of 29A when I was in my 2nd year UG, around 1997. 29A was a new group then (If I am right, the group formed only in the mid of 1996). BTW, if you are wondering why they named it so, 29A is the hex representation of 666 decimal.

One of my (crazy, if you ask my wife now!) hobbies back then was collecting DOS/Windows virii source code. I was more interested in the source than the binary. I had close to 23K source files when I decided to move on to other things. There were umpteen number of sites even back then which listed for download many viruses, but most of them were distributed as either EXE or COM files. I used to take them, decompile/disassemble them using SOURCER or debug.exe (I had to use this only for a few files; Sourcer did a good job for the others.) and add to my virus database. I remember checking out a DB tool (VirSort or VirusBuster??) for sometime, but resorted to maintaining them myself (that is, keeping them scattered through out my 4GB HDD ).

Apart from these, lots of VX tutors were there too. I remember some of the tutorials that were considered state-of-the-art (!?) then:

  • Advanced Polymorphism Primer by DarkAngel
  • Calling the Windows API in Assembly Language by Qark
  • MCB Stealth by Darkman

Particularly, I used to devour anything by Dark Angel, Lord Julus & VLAD. How can I ever forget Lord Julus’s “Ring 0 Residency under Windows 95/98” article?? Classic!!

29A Magazine

When 29A started releasing their e-zines, it quickly became one of my favorites. I loved all their articles, especially by MrSandman, Benny, VirusBuster, Jacky Qwerty, Vecna & Rajaat – they were my favorites. Issue #4 was, IMO, pure gold!!

Later, when I came out of the college, I lost touch with the VX scene. & F-Secure’s blog were the only VX news source for me. Though 29A published lots of new things, the following are considered notable accomplishments (?!):

  • Cabir, which infected Symbian mobile phones
  • Duts, the first ever Pocket PC virus
  • Haiku, which generated Japanese-style poetry
  • Stream, which was the first virus to take advantage of NTFS Alternate Data Streams
  • Lindose, which infected both Windows and Linux computers
  • Donut a .NET aware Windows file infector

I have given some links to the interviews (public/through email) of some 29A members below: I will be updating this with more as I find them in the net.


Posted March 22, 2009 by oneh in Uncategorized

automating the snort IDS in FreeBSD   Leave a comment

Currently I am into automating the process of installing and configuring snort in FreeBSD. I have developed a small script which installs and configures Snort, MySql, Apache, PHP, ADODB and Base console in FreeBSD. Currently I have written the following scripts:

1) -> creates all necessary directories and users

2) -> installs dependencies like libpcap, pcre, libxml2

3) -> installs mysql

4) -> installs snort and updates the rules

5) -> creates snort db schema and confifures acl’s for accessing

6) -> installs apache, php and mod security


right now I am into developing scripts for updating configuration files too.. like after you install all the above you need to manually modify snort.conf, httpd.conf;etc for settings.. 

i am also developing a model to secure the entire ids by hardening FreeBSD, MySQL, Apache;etc and distributed IDS

will update soon !!!



Posted March 4, 2009 by oneh in Uncategorized