Monday, 15 May 2023

The long read: On the trail of the Dark Avenger: the most dangerous virus writer in the world

Close up of skull icon on monitor screen. Photograph: Sean Gladwell/Getty Images

Bulgaria in the 1980s became known as the ‘virus factory’, where hundreds of malicious computer programs were unleashed to wreak havoc. But who was writing them, and why?

by  for THE GUARDIAN 

In 1989, an article appeared in Bulgaria’s leading computer magazine saying the media’s treatment of computer viruses was sensationalist and inaccurate. The article, in the January issue of Bulgaria’s Computer for You magazine, titled The Truth About Computer Viruses, was written by Vesselin Bontchev, a 29-year-old researcher at the Institute of Industrial Cybernetics and Robotics at the Bulgarian Academy of Sciences in Sofia. Fear of computer viruses, Bontchev wrote, was turning into “mass psychosis”.

Any competent programmer, Bontchev claimed, could tell when files are corrupted by a virus. Infected files are bigger than uninfected files. They run slower. They do strange things, such as play tunes, draw Christmas trees on the screen and reboot computers. It was hard to miss a virus! Prevention through basic cyber hygiene was simple: “Do not allow other people to use your computer; do not use suspicious software products; do not use software products acquired illegally.”

Bontchev would come to regret this article. He had not appreciated that what may be an obvious virus to him may not be obvious to the secretary using a computer as a typewriter. Moreover, most users in Bulgaria did not have their own personal computers; they shared them.

When Bontchev wrote this dismissive article, he had not yet seen a virus. He was very surprised when two men walked into Computer for You’s office, where he used to hang out, and claimed to have a virus. They had read the articles about these strange new creatures in the magazine and wanted to show Bontchev the virus they had discovered in their small software company. The men not only reported that they had a virus; they also claimed to have written an antivirus program that eliminated it. They’d brought their laptop with them. The laptop had a virus on it, and when they ran their antivirus program, the virus disappeared.

Bontchev was both fascinated and horrified: fascinated because he had never seen a virus before (or a laptop, for that matter), horrified because the men had just killed it. Horror turned to panic when the men told him that they had purged the virus from their firm’s computers as well. Bontchev raced to their place of business looking for any remnants. He found a printout of the virus’s code in the garbage. He took it home and entered it – byte by byte – into his computer, careful not to make any mistakes. Bontchev eventually figured out that he had resurrected the virus commonly known as Vienna.

When he analysed Vienna, Bontchev was disappointed. He imagined something wondrous – self-reproducing computer programs should be elegant, fruits of some esoteric black art. A look under the hood, however, revealed it was not so pretty. Vienna was viciously destructive, but its code was crude and sloppy.

As Bontchev was studying Vienna, other Bulgarians began tinkering with malicious programs, too. One of Bontchev’s compatriots would soon become the most dangerous virus writer in the world – and Bontchev’s most bitter enemy.


Vienna is a simple virus, and therefore a good one with which to experiment. Bontchev passed up the opportunity, not wanting to sully his reputation. But Teodor Prevalsky, a friend of his, had fewer qualms. He was fascinated by the concept of artificial life and decided to explore its possibilities. After two days’ work at the Technical University, Bulgaria’s largest engineering school, Prevalsky produced a virus. Though he modelled it on Vienna, his virus did not destroy files – it only instructed the speaker to beep whenever it infected a file. In his diary for 12 November 1988, he recorded his accomplishment: “Version 0 lives.”

As the weeks went by, Prevalsky added new features to the virus. He also experimented with antivirus programs. All of Prevalsky’s creations were “zoo” viruses, specimens built for research purposes, not for releasing into the wild. Nevertheless, they escaped from the zoo. Indeed, a version of Vienna became the first Bulgarian virus to immigrate to the US.

A computer centre in Plovdiv, Bulgaria, 1983. Photograph: Brandstaetter Images/Getty Images

Vienna was able to escape from Prevalsky’s computer because his computer was running a Microsoft operating system known as DOS – short for “disk operating system” – which had no security features. DOS was developed for individual use on small, inexpensive micro-computers, which hit the market in the mid-1970s with names such as Apple II, TRS-80 and Commodore. Security was not a priority or even a necessity for these personal computers, or PCs. Cybersecurity at this time was simple: to stop people from stealing your data, you had to lock your door.

Those who used personal computers, however, wanted to share their code. Young nerds hungered for new video games but didn’t want to pay for them. DOS wasn’t free, either, and bootleg copies freely circulated among PC users. Software piracy was normal in Bulgaria.

Prevalsky shared a computer with four other researchers, and they passed around floppy disks freely. Though Prevalsky took great care to keep his zoo viruses captive, they inevitably escaped. He had put them in cages with no locks.

But Prevalsky was disappointed that he could find no productive use for his creations. When released into the wild, even his “good” viruses had bad side-effects. As Prevalsky was becoming disillusioned with the virus business, Bontchev’s career was heating up. With admirable candour, he wrote an article in Computer for You confessing his earlier error. Viruses were clearly a growing problem, and Bontchev wanted to rectify his mistake. He began to analyse new viruses that were spreading around Bulgaria and published the results.


Bontchev’s articles detailing the dangers of viruses had an unintended consequence: they inspired more virus writers. His readers learned how to write viruses from these articles, and some tried to improve existing versions.

Soon, it seemed as though every computer programmer in Bulgaria felt the need to write a virus. A student from Plovdiv was mad at his tutor, so he wrote a virus to infect his files. He wrote two more viruses for his girlfriend as tokens of his affection. Two friends who were angry with their boss for not paying them wrote a virus as revenge that made the sound of shuffling paper when infecting files. This virus quickly escaped the lab.

People started speaking of the “Bulgarian virus factory”. The founder of the Virus Test Centre in Hamburg, Morton Swimmer, was quoted in a 1990 New York Times article: “Not only do the Bulgarians produce the most computer viruses, they produce the best.”

The Bulgarian virus factory was a factory in the Andy Warhol sense: a loose collective of young Bulgarian men (they were all men) who were highly intelligent and bored. Writing viruses became a source of intellectual stimulation and a form of social distinction.

By 1991, Bontchev was finding two new Bulgarian viruses a week. He spent his days fielding calls from firms attacked by viruses; he spent his nights and weekends studying these viruses. Bontchev was also a founding member of the Computer Antivirus Research Organization (Caro). Caro advocated for certain ethical principles of antivirus research. One of the most important was the strict prohibition of writing viruses. Caro treated computer viruses like biological weapons. The danger of their escaping the lab was deemed too high to justify experimentation.

Indeed, Caro helped create a schism between antivirus researchers and the general cybersecurity community. The community generally expects its members to have hacked, so that they would know how to defend against hackers. The practice is known as ethical or white-hat hacking. Any researcher who has written a virus would have been vetoed for membership in Caro. Though many in the antivirus industry have tinkered with viruses, it is not something they talk about.


Even before Bontchev published his warning article on viruses in Computer for You, someone was secretly trying to refine the medium. His online handle was Dark Avenger. “In those days, there were no viruses being written in Bulgaria, so I decided to write the first,” Dark Avenger claimed. “In early March 1989 it came into existence and started to live its own life, and to terrorise all engineers and other suckers.”

Dark Avenger was wrong. Others had been pumping out viruses for months, but Dark Avenger built his to be lethal. His first creation would be known as Eddie. When a user ran a program infected with Eddie, the virus would not start by attacking other files. It would lurk in computer memory and hand back control to the original program. However, when a user loaded another program, skulking Eddie would spring into action and infect that program. These infected programs would be Eddie’s new carriers.

Eddie also packed a payload that slowly and silently destroyed every file it touched. When the infected program was run the 16th time, the virus overwrote a random section of the disk in the computer with its calling card: “Eddie lives … somewhere in time.” After enough of these indiscriminate changes, programs on the disk stopped loading.

Destructive viruses were not new. Vienna, for example, destroyed every eighth file. But Eddie was far more malicious. Because Eddie infections took a while to produce symptoms, users spread the virus and backed up contaminated files. When users discovered that their disk had turned into digital sawdust, they also learned that their backups were badly damaged. Dark Avenger had invented what are now called “data diddling” viruses – viruses that alter data in files.

Dark Avenger’s ‘Eddie’ virus referred to the skeletal mascot of the band Iron Maiden, as featured on the cover of their 1986 album, Somewhere in Time. Photograph: Records/Alamy

Dark Avenger was proud of his cruel creation and claimed credit in the code. First, he inserted an ironic copyright notice: “This program was written in the city of Sofia (C) 1988–89 Dark Avenger.” The “Eddie lives” string that wreaked such destruction was a tribute to his love of heavy metal music. “Eddie” refers to the skeletal mascot of the band Iron Maiden; Somewhere in Time is the name of Iron Maiden’s sixth album, in which Eddie appears on the cover as a muscular cyborg in a Blade Runner setting, next to graffiti that reads “Eddie lives”.

Dark Avenger went on to write more viruses. And each virus was more sophisticated than the last. The viruses were so contagious that they infiltrated the computers of the military, banks, insurance companies and medical offices around the world. According to John McAfee, who at the time was the head of the Computer Virus Industry Association, “I would say that 10% of the 60 calls we receive each week are for Bulgarian viruses, and 99% of these are for Dark Avenger.”

One of Dark Avenger’s nastiest creations was first observed in the House of Commons library in Westminster in October 1990. Research staff were perplexed that some of their regular files were missing and others were corrupted. Since the problem kept getting worse, the library called in an outside specialist. A virus scan came out negative, but the specialist was sure that there had been an infection because the corrupted files grew in size. When he examined the contents of the files, he noticed one word in the jumble of characters: NOMENKLATURA.

Nomenklatura is Russian and literally means “list of names”. It referred to the elite of Soviet society – the bureaucrats and party leaders – given special privileges in return for their service to the party and state. Bulgaria followed this system as well. The term had a pejorative connotation, at least to those not on the list.

When the noted British virus researcher Alan Solomon was consulted, he discovered the most destructive virus he had ever observed. Unlike other viruses, which attacked files, Nomenklatura went after the entire file system. Its target was the all-important file allocation table (FAT) – the map of where files are stored on disk. With the FAT corrupted, a computer’s operating system could no longer find the files to run. Solomon also noticed some Cyrillic characters and guessed that they were Bulgarian. Using FidoNet, a computer network used to communicate between internet bulletin boards, he contacted a Bulgarian engineer. He got back the following broken translation: “This fat idiot instead of kissing the girl’s lips, kisses quite some other thing.”

Dark Avenger quickly achieved notoriety in the Bulgarian computer-virus community. No one knew his identity or anything about him, adding to his mystique. According to David Stang, the research director at the International Virus Research Center, “His work is elegant … he helps younger programmers. He’s a superhero to many of them.”

Excitement, therefore, erupted when he joined the Virus Exchange in November 1990. Pierre, a French virus writer, wrote: “Hi, Dark Avenger! Where have you learned programming? And what does ‘Eddie lives’ mean?” Another hacker named Free Rider welcomed Dark Avenger with praise: “Hi, brilliant virus writer.”

Not everyone was a fan, however – least of all Bulgaria’s leading antivirus crusader. Indeed, Dark Avenger and Vesselin Bontchev would become hostile rivals. And their animosity would propel Dark Avenger to write ever more malicious programs, malware that posed a real threat to the antivirus industry and every user of personal computers on the planet.


Sarah Gordon did not start her career as a virus researcher, or even in the tech industry. She grew up in extreme poverty in east St Louis, Missouri, in a house that had no heat or running water. She dropped out of school when she was 14 and ran away from home. At 17, she received her high school diploma by passing every exam the school offered, despite not having taken any of the classes. She held many jobs: among them, juvenile crisis counsellor. She grew her own food. And she liked to play with computers. In 1990, she bought her first personal computer, a secondhand IBM PC/XT.

As Gordon familiarised herself with her pre-owned computer, she noticed something curious: whenever she accessed files on her disk drive at the half-hour mark, a small “ball” (actually, the bullet character ) would ricochet around the screen. Her files seemed fine, but the ping-ponging ball was irritating. Gordon had no idea what was happening, so she asked around. But no one else knew either. In 1990, few Americans had encountered a computer virus.

As Gordon attempted to figure out what had infected her computer, she logged on to FidoNet, the network that connected the virus exchanges. Virus writers swore a lot and traded malware like baseball cards, but she noticed that one user was treated with reverence – Dark Avenger.

Gordon was haunted by Dark Avenger. He felt familiar. Given her background in juvenile correction and youth in crisis, she recognised the rebellious relationship that troubled young men often have with authority figures. Gordon knew how to draw these young men out. She managed to correspond with other virus writers she met on FidoNet. Dark Avenger, however, was not interested in talking.

She posted on a bulletin board that she wanted to have a virus named after her. A few weeks later, her wish came true. Dark Avenger uploaded new malware to the bulletin board. In the source code to the virus, he commented: “We dedicate this little virus to Sara [sic] Gordon, who wanted to have a virus named after her.” This virus would be known as Dedicated.

Gordon would later regret making such a flippant request. Asking someone to name a virus after her was an invitation for Dark Avenger to create destructive code that could cause much damage. It was irresponsible.

But that was not all. The virus that Dark Avenger wrote was ensconced within another piece of malware that he also built. This program was a “polymorphic virus engine”, a tool for creating mutated viruses that threatened to vanquish all antivirus software. When viruses emerged from Dark Avenger’s mutation engine, their altered genome was unrecognisable by the existing detectors. Even worse, it was an off-the-shelf program that anyone with a virus could use. It was small, a little over 2,000 bytes, and no one needed to understand how it worked. A beginner could use it to create undetectable, self-reproducing malware.

Gordon had innocently requested a BB gun. She got a nuclear weapon.


Though Bontchev spent his days and nights battling viruses, he did not dislike those who wrote them. After all, some of these writers were his friends. And he understood why they did it. According to Bontchev, “The first and most important [reason] of all is the existence of a huge army of young and extremely qualified people, computer wizards, who are not actively involved in the economic life.” Bontchev understood that these young men were trained with a hi-tech skill but had nothing to use it on. Bulgaria had few software companies and the salaries were minuscule. Writing cute and clever viruses was an outlet for creativity.

Computer software engineers at the Symantec Corporation’s Anti-Virus Research Center in Santa Monica, California, 1997. Photograph: John T Barr/AFP/Getty Images

But the psychological need to create was not the only reason for the Bulgarian virus factory. Since software piracy was so widespread in Bulgaria – according to Bontchev it “was, in fact, a kind of state policy” – infections were, too. When everyone copies programs instead of buying them from the manufacturer, viruses have an easy way of moving from disk to disk, computer to computer. Software manufacturers could do nothing about this piracy because Bulgaria had no copyright laws. Bontchev understood the widespread harm that viruses were creating. He regarded the new national pastime as irresponsible and juvenile. But if this activity was not justifiable, it was at least understandable.

Bontchev could not, however, understand Dark Avenger. His exploits were so destructive, so malevolent, that their creator had to be psychologically abnormal. The feeling was mutual. Dark Avenger despised Bontchev and called him “the weasel”. In part, the antipathy is understandable – they were natural enemies. How could they not dislike each other? But the antipathy between virus and antivirus writers cannot fully explain the mutual loathing.

Dark Avenger was likely hurt by Bontchev’s harsh critique of his viruses. When analysing Dark Avenger’s creations in Computer for You, Bontchev savaged the code, calling it sloppy and pointing out errors. While the rest of the virus world thought of Dark Avenger as a viral deity, Bontchev portrayed him as a rank amateur. Dark Avenger lashed out by revising Eddie and inserting a new string into the code: “Copyright (C) 1989 by Vesselin Bontchev”. Dark Avenger was trying not only to frame Bontchev, but also to thwart his antivirus software. When run, the new variant (later known as Eddie.2000, because it is 2,000 bytes long) would search files for Bontchev’s name, a sign that the computer was running his antivirus software, and freeze the system.

Dark Avenger and Bontchev developed a codependent relationship. Each needed the other for notoriety, so much so that rumours began circulating that Dark Avenger and Vesselin Bontchev were the same person. Gossips claimed that Dark Avenger was Bontchev’s “sockpuppet”, a deceptive online identity. Many of those who did not believe the rumours, however, thought that Bontchev was unnecessarily antagonistic, publicly taunting and provoking Dark Avenger to lash out with even greater rage.


Because computer-virus writing was a relatively new phenomenon, social scientists had not studied virus writers. Sensational reports from the media drove a stereotype. “The virus writer has been characterised by some as a bad, evil, depraved, maniac, terrorist, technopathic, genius-gone-mad sociopath,” Sarah Gordon reported in 1994. She set out to discover whether this stereotype was true.

Gordon was shocked when Dark Avenger dedicated his demo virus attached to the mutation engine to her. She reached out to him but got a dismissive response, routed through an intermediary: “You should see a doctor. Normal women don’t spend their time talking about computer viruses.”

Undeterred, she laboriously composed a message in Bulgarian asking Dark Avenger whether he would answer some questions. She passed it to an American security researcher who was in regular contact with him. He quickly responded. Soon they were corresponding over the internet.

Gordon and Dark Avenger communicated for five months. She has never made those messages public, except for excerpts that she published in 1993 (with Dark Avenger’s permission). These snippets are revealing. They show that Dark Avenger expressed remorse for his behaviour and considered the moral consequences of his actions. They also showed that he was belligerent, resentful and prone to blaming his victims. Gordon’s main area of questioning concerned motivation. Why did Dark Avenger write destructive viruses? And why did he seem so unconcerned by the damage he was causing?

Sarah Gordon: Some time ago, in the FidoNet virus echo, when you were told one of your viruses was responsible for the deaths of thousands, possibly, you responded with an obscenity. Let’s assume for the moment this story is true. Tell me, if one of your viruses was used by someone else to cause a tragic incident, how would you really feel?
Dark Avenger: I am sorry for it. I never meant to cause tragic incidents. I never imagined that these viruses would affect anything outside computers. I used the nasty words because the people who wrote to me said some very nasty things to me first.

Gordon knew that Dark Avenger’s notoriety depended on his creations being highly contagious and destructive. His nemesis, Bontchev, had been hired to combat the virus epidemic that he helped start. Claiming ignorance was just not believable.

SG: Do you mean you were not aware that there could be any serious consequences of the viruses? Don’t computers in your country affect the lives and livelihoods of people?
DA: They don’t, or at least at that time they didn’t. PCs were just some very expensive toys nobody could afford and nobody knew how to use.

Class resentment comes out several times in the exchanges between Gordon and Dark Avenger. He also blamed computer users for software piracy. “The innocent users would be much less affected if they bought all the software they used.”

Dark Avenger admitted to enjoying the fame and power. He loved when his viruses made their way into western programs. He was feared and his handiwork could not be ignored. He also regarded his viruses as extensions of his identity, parts of him that could escape dreary Bulgaria and explore the world: “I think the idea of making a program that would travel on its own and go to places its creator could never go was the most interesting for me. The American government can stop me from going to the US, but they can’t stop my virus.”

Dark Avenger’s strongest reactions, however, were reserved for Bontchev: “The weasel can go to hell.” Dark Avenger even insinuated that Bontchev was to blame for the Bulgarian virus factory: “His articles were a plain challenge to virus writers, encouraging them to write more. Also, they were an excellent guide [on] how to write them for those who wanted to but did not know how.”

When Dark Avenger read on the internet that Gordon was engaged to be married, their correspondence turned ugly. Their contact ended shortly after her marriage. “I think he may have been one of the kindest people I have met,” Gordon told me 25 years later, “and one of the most dangerous.”

Dark Avenger’s true identity remains a mystery to this day. That someone, or some group, could wreak havoc on a global scale and remain anonymous is remarkable, especially considering that Bulgaria is a small country with an intimate virus scene. Dark Avenger’s obscurity was a harbinger of things to come. A new generation would use a veil of anonymity to act with total impunity. And they would flood the emerging world wide web with new species of self-reproducing malware far more destructive than anything Dark Avenger created, many of which we are still living with today.

 This is an edited extract from Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks, published by Allen Lane on 23 May.

 
