Red Hot Cyber


PRAISE TO VX-UNDERGROUND – The hack-library turns 5!

Alessio Stefan : 19 May 2024 06:00

No nerd or technology enthusiast can deny the influence of the 1980s on modern computer science. Commodore Amiga, Nintendo, Apple II: computers became affordable to everyone, who could finally benefit from this outstanding innovation.

During those years, what actually changed the way the world was seen was the birth of the first internet connections. Not just technology started to spread but information as well: once a slow trickle, it now raced across borders like a digital wildfire.

Not surprisingly, the hacker culture received a huge boost during this period. The Jargon File was shared publicly for the first time and Open Source projects started to grow without limits. In short, new subcultures resurfaced out of the mud, shining with their own light.

But this is not what we are interested in for this article: instead of the light, we are going to discover what happened deep down in the neo-internet era. This is the story of VX-UNDERGROUND, the biggest collection of malware samples, papers, APT reports (and a lot more) that you can find on the internet.

Symphony of Disobedience – Unveiling the Forbidden

One of the embryonic versions of the modern internet was the BBS (Bulletin Board System), which allowed different users to connect through a terminal; the most famous network was FidoNet. On those servers users could message each other (in groups or individually), and upload and download files.

This is where Virus Exchanges (VX) started to pop up: safe places where new ideas, concepts and coding techniques could be shared freely. Hidden from judging eyes, members could unleash their burning passion and improve their coding skills by teaching each other.

Groups of hackers created their own e-zines containing articles, code and news. E-zines were shared by jumping from one BBS to another, with no place to reside permanently. It is hard now to imagine how primitive those networks were, but slow connections, the absence of browsers and the lack of discoverability of those hidden rooms blocked the potential flow of information.

People needed a central library to search for snippets, samples or papers on specific topics; this is the idea that led to the opening of VX-HEAVEN.

Opened in the late 1990s, VX-HEAVEN was the holy bible for malware lovers. Everything was grouped in an ever-growing collection run by a Ukrainian hacker called herm1t. “Viruses don’t harm, ignorance does!”: this is the spirit of his project, information for everyone, even on taboo subjects like malware.

VX-HEAVEN went viral in the scene very quickly; new contributions and the rise of digital criminals allowed the site to grow bigger and bigger. The hacker community exploded after the ‘00s and VX-HEAVEN was one of the main contributors to that.

But not everyone can understand this culture, especially when we speak about malware. For others, writing malware is not an art or the result of a knowledgeable craftsman but a boogeyman that needs to be avoided at all costs.

In 2012 Ukrainian law enforcement seized the VX-HEAVEN server; the church was desecrated and closed. Bigotry and fear driven by ignorance won this time, highlighting how hard it is to make others understand the beauty of knowledge that hackers see in such things. Writing malware is not bad, learning new tricks is not a crime and sharing is a duty.

You can shut down a website but not the values behind it; this is why the heaven reopened its gates after the short forced pause. Security experts and academics around the world wanted it back and expressed their opposition to the police action. In 2013 VX-HEAVEN rose from the ashes, stating it was “BACK AND LOADED” after the scandal.

Finally hackers could return and help preserve the knowledge over time, but not for too long: in 2014 the heaven's gates closed for good. Generations of hackers grew up with herm1t's project; the culture should be proud of and grateful for his tenacity. Now we have petabytes of information around the internet if we want to learn about malware, but it would be different if a place like VX-HEAVEN had never existed.

We suggest reading this interview with herm1t to understand what happened to him after 2014, because it is one example of how hacking can be used for good causes and of how he was able to make clear the true values of the culture.

Echoes in the Catacombs – From hashes to flames

There was a teenager who was a frequent visitor of VX groups and VX-HEAVEN; he was driven by a hunger for knowledge, and herm1t's website looked like a free buffet to his eyes. Under the alias smelly he spent his days studying what others shared and sharpening his skills in coding and malware.

While growing up he lost track of VX-HEAVEN for a while, but in 2017, driven by the boredom of pursuing his favorite hobby alone, he decided to return where he came from. Sadly he discovered that the heaven was lost, this time forever. He could not accept it and spent time searching for it online, but in the end he had to face reality.

Smelly was a nobody in the scene, a lone wolf that had lost his pack but not his nature. Following the suggestion of a person called Phait (met in an IRC chat) who told him “Well, if you miss it so much, why don’t you make your own?”, he started to work on it. There was a void on the internet, and even though he was not very keen on web development he bought the vx-underground domain; everything was set for a new era.

In May 2019 (exactly 5 years ago), from the memory of VX-HEAVEN, a new successor was ready to fill the void left on the internet. VX-UNDERGROUND is not just a second version of its predecessor; it is the new generation of the hacker culture.

Obviously it was not popular at the start; you need to build your prestige to become a valuable asset. After the creation of the official Twitter account (August 2019), the first bridges allowing the much-needed relationships started to be built. The first people to reach out to smelly were members of the ThugCrowd hacker group. The group was valuable for smelly, spreading the word that a new VX-HEAVEN-like project was ready and needed what every library lives on: readers and contributors.

Unluckily, even with the promising future of the brand new library, things didn’t change outside the malware community. Profane mentalities still think that sharing knowledge about malware is synonymous with criminal activity; they cannot see the charm of “hacking things” using coding skills. This is why in August 2019 it was banned by multiple web hosts: the same hosts that serve gambling services or neo-nazi blogs give no freedom to those who want to preserve knowledge.

VX-UNDERGROUND is not a company, and hosting malware samples is not that simple if you rely on third parties, but he managed to find strong hosting services, shielding and protecting VXUG from external threats. The cult finally had a new church where everyone is welcome!

Now smelly could focus solely on his goal: “more papers, more samples, more code”. He is not alone anymore; he was able to find his own pack, which grew more and more at the same pace as his project. No one could stop it from becoming what it is now: the center of the nebula, a centralized collection of resources with free access.

Right now VX-UNDERGROUND has terabytes upon terabytes of traffic, millions of views on Twitter and thousands of visitors per day. Regardless of the name, a lot of people have been able to find VXUG and benefit from the information stored there, from newbie hackers to academics.

VXUG is not just the biggest collection of malware samples and papers but also a point of reference for what happens in the digital crime scene; smelly was able to interview different APT members (including LockBitSupp!).

He also pays tribute to his origins by storing an archive of VX-HEAVEN, preserving its memory and letting others know the root of everything.

The Cult of the Underground

VXUG is not just a successor of VX-HEAVEN; it is the evolution of what herm1t started, with a living ecosystem made of a community that never lived through the old times but needs exactly what generations of hackers back in the day always believed in: freedom of information.

The internal group working on the underground library has experience in anti-virus, universities, red teaming and threat intelligence, not just malware coding. This makes the library valuable for everyone in the security field: both defenders and attackers can learn about different topics like Windows internals, builders, leaks, ICS and a lot more.

Neutrality is what characterizes the collective: they don’t aid malicious groups or law enforcement, they just publish and spread knowledge. It is up to others to decide how to use it; no one should blame VXUG for helping APTs or similar groups in their actions.

The library has successfully created an atmosphere that can be perfectly understood through the artwork created for them by designers, and you can see some examples in this article as well. Despite the “dark mood”, the humor in (most of) their Twitter posts is clear, recalling the LulzSec group, which started the “take the humor seriously and the serious humorously” thing.

VXUG has long experience in malware, and in 2022 they published Black Mass, a manual about malware; it didn’t take long before Black Mass II was released in 2023. VXUG is proving its capability to move beyond digital copies and provide physical artifacts as well.

There are some interesting facts which highlight the influence of VX-UNDERGROUND in the scene. The first is surely the ransomware artifacts of a Phobos variant in 2023. This malware encrypts files and saves them with the extension .VXUG, leaving behind a ransom note that replicates the VX-UNDERGROUND theme.

The motivation behind this framing is not clear, but the tribute marks a line in the hack-library's history. Another fun fact is pretty recent: for some reason the VXUG email inbox has been flooded with messages from compromised email accounts joking about it.

Just a small note about it: the email accounts come from less-developed countries, where they can be bought for very little money and are sometimes free, but it is funny that people used them to notify VX-UNDERGROUND about it. Without a purpose, just for a laugh or two.

Call to Action – Support the Cause

Everyone can participate in the development of VX-Underground. Share the library, the knowledge you learn there and your own discoveries as well. This “dream library” is always open to new papers, samples or techniques that you find or create. Every single resource is important and will be stored inside the digital Library of Alexandria, helping others to learn for free.

Donations are always open and they are regularly searching for sponsors. These are all the ways available to help VXUG keep the knowledge free and alive; we cannot allow ourselves to lose such beauty again:

  1. VX-UNDERGROUND website
  2. Twitter profile
  3. GitHub account
  4. If you are an artist, donate an artwork; they are gladly accepted and published in their gallery
  5. Get some cool swag on their merch store, where you can also find an HDD version of their malware collection
  6. Donorbox platform to directly support the project with a monthly subscription
  7. Buy Black Mass and Black Mass II (both physical and digital options are available)
  8. Write to [email protected] if you have something new to propose or to share
  9. SPREAD TO OTHERS!

The Unwritten Grimoire – Voice from the underworld

Smelly's attitude and persistence keep him very busy and full of work, especially in the last few years, when samples, attacks and new techniques pop up faster than ever. We asked him some questions about VXUG and its purpose; he was incredibly gracious in responding, showing that he genuinely wanted to contribute.

RHC : “Hi smelly, thanks for joining us. First of all, happy birthday to your project. How would you define VXUG to someone unfamiliar with this reality?”

Smelly_vx : “vx-underground is a website where computer malware enthusiasts have collected and assembled a massive digital library to help others learn”

RHC : “What’s the main mission of VX-underground and how do you justify your activities?”

Smelly_vx : “Our mission is to remain a central location for all things malware related, there are no secret plans – the goal is to keep collecting and keeping things updated”

RHC : “How do you ensure that the information and software you distribute are not used for illegal activities?”

Smelly_vx : “We can’t ensure that. Anything can be abused maliciously, legitimate applications are abused all of the time.”

RHC : “What project or publication are you most proud of, and why?”

Smelly_vx : “Black Mass Volume 1 and Volume 2 (our books, free in PDF format, available for physical purchase on Amazon) and our APT sample collection.”

RHC : “What are your views on the current state of global cybersecurity?”

Smelly_vx : “Cybersecurity is growing exponentially, we are in the middle of a cyber security ‘big bang’, or rather we are witnessing the expansion (metaphorically) of the cyber security universe. There are tools, academies, certs, and criminals keep making more and more money.”

RHC : “Do you collaborate with any researchers or cybersecurity organizations? If so, how do these collaborations influence your work?”

Smelly_vx : “Sometimes, some smaller companies sponsor us or give us money to help with the bills or do giveaways. Researchers keep us up to date on new papers, or code, or samples, or news, etc. It helps us stay focused and up to date.”

RHC : “What are the biggest challenges you face in keeping the VX-underground site active and updated?”

Smelly_vx : “The constant flow of information. Every single day there are new samples, new papers, new security breaches. It moves fast and it’s difficult to stay up to date with everything. It’s chaotic.”

RHC : “How do you see the future of malware research and dissemination in the coming years?”

Smelly_vx : “That’s difficult to answer. In the future we see more and more information being available for people to learn. We are seeing more books released regarding malware. We hope to see more sample sharing too, but that is a big money maker, so maybe that won’t be as common.”

RHC : “What advice would you give to young researchers interested in cybersecurity and, specifically, malware studies?”

Smelly_vx : “Just do it. We wrote a small paper on it”

RHC : “Are you still in touch with herm1t? What does he think about VXUG?”

Smelly_vx : “Yes, we have spoken with herm1t in passing, but he is a busy man. His days of VXHeaven are behind him. He has given us his blessing, but these days he is part of the Ukrainian Cyber Army, and always doing some pretty intense stuff”

RHC : “What has changed the most from when you started attending VX heaven to today in the hacking/malware scene?”

Smelly_vx : “Infectors are less common, multi-staged malware is the new meta. C2 frameworks are also the standard for a lot of red team operations. The ‘scene’ in itself is also scattered and instead of everyone idling on IRC, they’re shit posting and doom scrolling on social media”

RHC : “Is malware currently still seen as the “boogie-man”? Why, and how can this be changed?”

Smelly_vx : “Yes, it’s still a taboo subject, but we’ve noticed a change in the public perception of it. Law enforcement and governments may hate it, but we see more and more people interested in it, discussing it, and seeing that it is a way to learn, not just to do damage.”

RHC : “How did you feel when the services that refused to host VXUG were the same ones that allowed neo-nazis and gambling?”

Smelly_vx : “It’s ridiculous. But we are seeing more and more hosts allow malware (for research purposes). In just a few years public perception has changed a lot.”

RHC : “Convince the audience reading this to support VXUG in a single phrase.”

Smelly_vx : “Malware is cool and badass”

RHC : “Leaving out herm1t, are there other hackers/security specialists (legal or not) who motivate you or whom you consider ‘mentors’?”

Smelly_vx : “Personally I’m a huge fan of Grzegorz Tworek and Hexacorn. Their research on system components and abuse is amazing, top notch. They inspire me to keep exploring.”

RHC : “I cannot avoid this question: what do you think about the LockBit ‘TV-show’ and its recent evolution?”

Smelly_vx : “I’ve seen Lockbit’s mental health and behavior become more and more erratic. Regardless of how much he denies it, he is under immense stress and is having a hard time coping with law enforcement pressure”

RHC : “Would you like to tell us how your team is composed, the roles they cover and how you manage the website?”

Smelly_vx : “I’m the admin and founder. I make sure everyone is doing their thing and ensuring everything is working. I collect malware builders, malware papers, Threat Intel posts and/or information sharing, Malware source code leaks, I do research, handle merch and handle the Twitter and e-mail. Duchy handles architecture and makes sure the site isn’t offline. GuessThePwd develops and maintains the vx-underground website (the code base) and our VXDB. f0wl handles APT paper and sample collections. Petik handles bulk malware collections (VirusShare, VirusSign, Bazaar, etc). Bradley does malware family collections, TheOldNewThing archives, handles the merch store, and does general assistance. He also handles the Twitter and e-mail. B0t runs BlackMass and does research reviews. Helen assists b0t with BlackMass and assists with various tasks when needed. Disrel assists with various tasks when needed.”

RHC : “Ever been in Italy? What do you like about our country?”

Smelly_vx : “No, I’ve never been to Italy, I’ve never left the United States. I’m an agoraphobe and I don’t like traveling.”

RHC : “Smelly thanks a lot, we wish you the best for the future of your project!”

(Shoutout to Pietro Melillo for his help in drafting the questions)

Conclusion – Redemption of the fallen

The whole story behind VX-UNDERGROUND is a piece of hacking culture and its history. The collective proved that to fulfill your objectives you must follow what smelly said: “Just do something. Stop Talking”.

From being a nobody to the founder of a cult inheriting what past generations left behind; as he always said, he is “no one special”, and in a certain sense it is true. Don’t get it wrong: obviously without him we would not be here looking at the history of his project, but he had nothing special that every other hacking/malware hobbyist didn’t have.

He went from being a hobbyist to communicating with the latest and greatest APTs. From having no one to support him to creating a whole internal team. He had no web development skills and no one wanted to host him, but now he has found his safe house. From no relationships to a dense network of specialists, enthusiasts and supporters. From losing the heaven of knowledge to creating his own.

This is hacker culture all round: defeat boredom by creating new stuff and sharing it with others. Everyone can help; don’t be afraid of knowledge, let it flow, because only good things can come from it. Money is not the goal; helping the community to grow can only be beneficial and contest the bigotry which continues to be present even today.

Malware is not the boogeyman and hacking is not for criminals. The lesson we extract from the whole story is not just that it is possible to fight back when others try to silence such realities, but that it should be the responsibility of everyone who is part of the community. Never be scared of or underestimate your contribution. Sometimes a single spark can become an explosion, sooner or later.

Herm1t inspired smelly and now smelly is doing the same for new generations. In the future we will surely need to be called to move; please don’t let the dream die and let it live as long as possible!

The whole Red Hot Cyber editorial team wishes happy birthday to VXUG and a long life to the biggest malware library in existence.

Alessio Stefan
Member of the Dark Lab group. Master's student in AI & Cybersecurity and CTF player with a passion for ethical hacking that has been with him since a young age. He spends his days immersed in studying and discovering new attack methods with just the right amount of practice. Convinced that hacking is a culture, he applies its principles not only in the digital world but also to daily life while waiting to turn his dedication into a career.