Copy Link
Add to Bookmark
Report

SLAM2.032: Interview with Stefan Kurtzhals/FWIN

eZine's profile picture
Published in 
Slam
 · 2 years ago

 \     \ 
\ \__
/ \
/ _\
( / / / / \ \
(_( (/ /_> \) _ _ _ ___ ___ ___ _ _ _ ___ _ _
( ( | |\ | | | |___| | | | | | | |
\ \ | | \ | | |-- | \ | | | |-- | | |
\) | | \| | |___ | \ \___/ | |___ |__|__|

Here is a quick interview with the maker of F/WIN and Suspicious.
=> Stefan Kurtzhals.

=============================================================================

'>' is Nightmare Joker
no '>' is Stefan Kurtzhals

=============================================================================

> Who are you exactly? Introduce yourself.

Well, born on the 15.12.1972, I am currently studying electrical engineering at the University of Wuppertal. Beside studying and working on my AV programs I like to hang around on IRC (molesting people on #virus is sometimes quite funny :) ), read books (all kind of SF and fantasy, I prefer to read the original English versions because the German translations are mostly very bad), listening to music (EBM and Wave, mostly electronical things but I actually hate Techno (ARGH!) and similar rubbish), playing computer games (preferring network games, I usually only play (GL)Quake, and if the German Telekom will be able to install ISDN here within this century, I will most likely join one of the Quake clans :) ) and such things.

I got my first computer at the fall of 1986, of course a Commodore 64. :)
After about 6 months I came to the conclusing that coding Assembler is by far superior to BASIC (I noticed that in ASM, you can change screen colors within every rasterline :) ) and started learning Assembler. I was busy coding demos and games on the C64, visiting demo parties and such things until the end of 1991 when I got my first PC, a 80286/16 MHz with 4 MB of RAM and a 85 MB HDD. After about some weeks I caught my first PC virus, Flash.688.A and was at once fascinated by the idea behind it. I started to learn 80x86 assembler language and disassembled every virus I could find on the computers around, such as Flash, Stoned, Parity_Boot.B, Tequila (that one was funny, I didn't realize at that time that Tequila infects both MBR and EXE files and low-level formated my HDD almost every day to get rid of the virus :) ), Form and other common viruses. I also started to write my first AV program, SYANBOOT at that time, followed by SSC, SVS, SCRC, SDISK and MEMCHK (the SUSPICIOUS package). From the beginning I was prefering all kind of generic virus detection and I focused on writing heuristic detections. When the first macro viruses for Winword poped up 1995, I started to write a heuristic scanner for macro viruses, F/WIN.

> How many years have you been part of the anti virus scene?

Since 1992. I wish I had the chance to join earlier because the really interesting time was around 1987-1991.

> What was your your first av program?

No, I didn't wrote any Stoned cleaner :)
(at the time I started with AV, Stoned was almost extinct and I only found it on some *very* old 360 KB disks). My first AV program was "SYANBOOT", some boot protection tool that stored copies of the MBR and the bootsector and used saved interrupt vectors to bypass stealth bootviruses. It was very simple, but I kept the ugly color scheme for my programs until today. :) And like all my programs it was written in Assembler.

> Have sales of your AV products increased or decreased?

They are just stable. It depends if my programs get mentioned in some popular computer magazine, then they increase for a while.

> Do you see the number of new macro viruses increasing or decreasing over the coming months, to a year?

The number is actually exploding and we can expect to reach at least 1000 if not 2000 or more macro viruses at the end of 1997 (there are about 650 known ones at the moment). The reasons for this are simple: it's too easy to write a macro virus (just take a look at WINWORD.HLP) and Winword itself creates new, slightly corrupted variants due to bugs in some critical DLLs.

> What do you think about:

--> Java

I think it's just a nice toy for the computer industry so far. Net computers will never become widespread when the software keep on growing this way (ok, we all want to download some MBs of data every time we want to write letters, don`t we?) and the telephone companies keep on charging high prices.

--> ActiveX

Never heard about it. :)

--> Office 97?

Yet another virus platform the AV must care about. :(

--> Microsoft

Hrmph... They really should have learned some lessons about how to do secure programs since the first version of MS-DOS, don't they? :(

> If you could change anything about the Anti-Virus industry, what would it be?

  • a) That some companies stop claiming their program is detecting 100% of all viruses ("past, present and future"...). There is no 100% detection or cleaning of viruses. Some if not most AV advertisement is simply ridiciulous - that is what happens if some merchandizers make advertisement for high-tech products they don't understand at all. It's funny to see that the products with the least level of perfection and features have the highest advertisement presence - and especially these companies exagerate too much then.
  • b) That some AV companies stop their childish press release wars (and similar things). They really have better things to do. :(

> Do you have any future plans?

Regarding my AV programs: Finishing F/WIN32 with a *real* macro heuristic and VxD based virus scanning, adding VBA5.0 support etc. .
About other things, well, I don't have much time to think about that. :)

> Do you feel the window into anti virus programming is still open or has the ship left the dock already, its too steep a learning curve for beginners?

Regarding how fast Microsoft invents new and even more complex virus platforms I think it's getting almost impossible to create a really useful AV program nowadays with unique features. Even the deafest AV companies noticed that some degree of generic virus detection (and cleaning) is useful (alas, there are still some products that don't have heuristics).

The number of viruses keeps on growing very fast (though the DOS virus increase is slowing down), you really need a person which is busy just sorting and managing the virus base. Then you need a DOS coder, a Windows coder (better three or more because Windows coder tend to waste much time playing Mine Sweeper and such things :) ), some experts to analyse new viruses, new file formats and so on. And I think it's difficult to find really talented coders nowadays that care about the necessary low level stuff. Visual programming has it's disadvantages, sure...

> How many virus programmer have you allready persuaded to stop their work. (don't say noone. ;))

Hehe. None. They currently stopped because they got bored writing viruses or reading stupid interviews. ;)
I actually cannot even persuade myself to do some work, get up early etc, how should I be able to persuade other ones then? :)

Actually I sometimes have the impression that F/WIN has the opposing effect - some ******* think it's a good idea to write some anti-F/WIN virus every time I release a new version. :(

> If the anti virus people went by handles, what would you call yourself and why?

I only use a handle on IRC, and I choosed it from some funny Robert Asprin books I read a long time ago. The person with that name is exceptionally lazy and dull, but he also has much luck. I think that describes me good enough, doesn't it? :)

> Do you think it's possible to make the PERFECT av program? I mean a av program that find/remove all present/past viruses.

There is no perfect AV program. The day after you released it, some virus writer will find a weak point in it and write an virus called "AntiXYZ". And the day after that the AV program get's improved. This will never stop, but maybe some day the operating systems get so complex that writing a virus is impossible because the virus writer cannot afford to buy the necessary information from the operating system company, but the AV companies still can afford buying it.

> What do you think is the best asm virus at the moment?

I haven't looked at ASM viruses for a while because they are all getting so boring. How do you define "best"? Best polymorphic engine, best stealth, most tricky infection method or best code "design"? Usually, the DOS viruses that try to combine that all into their code are very buggy and will never spread at all. And doesn't it seems senseless to write a very complex polymorphic engine when some AV programs will rip it away within some days or even hours of improvements? Or write a very unique infection method when there are very little files of the type the virus can infect?

--------------------------------------
--------------------------------------

The second part will be probably in SLAM 3. ;) Info for all, who think now:
"Hey, he has stolen the question from some other interviews!"
I have taken it, because they are good and I think that's the things, we all want to know. Moreover I didn't have at last enough time. ;)

- Nightmare Joker -

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT