Vesselin Bontchev did not read German. He was a junior researcher working at the Institute of Industrial Cybernetics and Robotics at the Bulgarian Academy of Sciences in Sofia, the capital of Bulgaria. On a long holiday to Munich in 1989, he came across a book written by Professor Klaus Brunnstein, of Hamburg University, entitled Computer-Viren-Report: Gefahren, Wirkung, Aufbau, Früherkennung, Vorsorge (Report on Computer Viruses: Dangers, Effects, Structure, Early Detection, and Prevention). Vesselin was fascinated by computer viruses, so he bought it.
Because of the language barrier, he could read only the technical appendix at the back of the book, written in English. Vesselin could see from the discussion, however, that Professor Brunnstein had made numerous mistakes. So Vesselin composed a long letter in English to Professor Brunnstein detailing the errors. It was a gutsy, even foolish thing for a junior researcher to do.
A few weeks later, Professor Brunnstein’s student, Morton Swimmer, wrote to Vesselin inviting him to Hamburg University. Vesselin declined. Flying to Hamburg from Munich was too expensive. The train was too slow. It would take an entire day to cross Germany by rail, and Vesselin was returning to Sofia in four days.
If Vesselin would not come to Hamburg, Hamburg would go to Vesselin. Brunnstein sent Swimmer down to Munich to meet with Vesselin. Swimmer was impressed. This junior researcher from Bulgaria knew his stuff.
Several weeks after returning to the institute in Sofia, Vesselin received a telephone call from Blagovest Sendov, the chairman of the Bulgarian Academy of Sciences. The call was unexpected: Vesselin had never met or spoken to the academy’s president before. He was even more startled by President Sendov’s angry accusation: “Why are you writing computer viruses?”
Vesselin did not write computer viruses. It was a point of pride that he had never written any. Rather, he collected viruses written by others, most of which he found on infected computers. He studied these malicious programs to improve his antivirus software, which he distributed for free. Vesselin even published his home address in the leading Bulgarian computer magazine; those who sent him a blank diskette and a stamped envelope would get a copy of his software in return. To be accused of writing viruses was not just false; it was galling. Vesselin yelled back at Sendov—a high government official with the rank of minister and his boss’s boss’s boss—for the unfounded accusation.
As the conversation cooled down, the real story came out. Sendov had returned from a cybersecurity conference in Jerusalem, where he’d met Professor Brunnstein. Brunnstein asked Sendov about his academy’s computer virus expert. Sendov had no idea who that was and decided to find out. When he got Vesselin on the line, his “angry accusation” was meant in jest. He did not think that one of the Academy’s researchers was actually writing viruses.
Given Vesselin’s expertise, Sendov offered to establish a new laboratory at the academy specializing in computer virology. Within the past year, Bulgaria had experienced a sudden epidemic of computer viruses. Not only were the academy’s computers infected—it was difficult to find a Bulgarian computer that wasn’t. Since computer viruses were novel pathogens, few knew how to stop them. Sendov was hoping that Vesselin could help.
Sendov offered to make the twenty-nine-year-old researcher the lab’s new director. Vesselin, however, did not want to direct a lab. He found administrative work tedious. He found people tedious. He liked dealing with computers. They are predictable; humans are not.
Nevertheless, this was an opportunity he could not pass up. It would allow Vesselin to work on the subject he loved. And there was no better place than Bulgaria for virus lovers. The socialist country—plagued by hyperinflation, crumbling infrastructure, food and gas rationing, daily blackouts, and packs of wild dogs in its streets—had become one of the hottest high-tech zones on the planet. Legions of young Bulgarian programmers were tinkering on their Pravetz-16 pirated IBM PC clones, pumping out computer viruses that managed to travel to the gleaming and prosperous West.
Vesselin Bontchev would be the general in charge of Bulgaria’s cyberdefenses. President Sendov had picked the right man.
Computer for You
If you were Bulgarian and interested in computers in the late 1980s, you read one magazine religiously: Komputar za vas (Computer for You). The Bulgarian government had started the magazine in 1985 to stimulate interest in personal computers. Vesselin not only read every issue but had also become a contributor to the magazine.
In 1988, Vesselin was twenty-eight and living with his mother in a three-room flat in Sofia. Born in the resort city of Varna, on the Black Sea, Vesselin was thin and short with a large fleshy mole on the right side of his mouth. Both of his parents were engineers; his mother worked at the Bulgarian Academy of Sciences specializing in structural engineering. Vesselin graduated from the Technical University of Sofia in 1985 with a master’s degree in computer science, after which he joined the Institute of Industrial Cybernetics and Robotics at the Bulgarian Academy of Sciences.
In 1988, Computer for You ran its first article on computer viruses. Originally written in German for the magazine Chip, the article predicted an epidemic of destructive viruses overwhelming the personal computer industry. Chip illustrated its story with alien-like viruses raining down from heaven, attacking brightly colored floppy disks and melting them into brightly colored goo. Computer for You hired a professional translator, but the translator had no experience with computers and produced a bizarre translation. The German term for “hard disk” (festplatte), for example, was rendered in Bulgarian as “hard plate.” Fortunately, Vesselin fixed these mistakes before publication. Computer for You printed the improved Bulgarian translation with the same German illustration, though in trademark socialist style, the picture was printed in drab black and white.
Though he corrected the translation, Vesselin thought the original article was misguided. Its apocalyptic warnings were extreme. But the article was in keeping with the media’s treatment of computer viruses, which was sensationalistic and inaccurate. When the Morris Worm crashed the internet in November 1988, Bulgarian newscasts breathlessly reported that the worm was capable of infecting every computer in the world. Vesselin knew this claim was wildly false. As we’ve seen, only two kinds of computers could have been infected: VAX and Sun. Every other computer was immune.
To debunk the hysteria, Vesselin wrote an article, “The Truth About Computer Viruses,” published in the January–February 1989 issue of Computer for You. Fear of computer viruses was turning into “mass psychosis, akin to AIDS.” Any competent programmer, Vesselin claimed, could tell when files were corrupted by a virus. Infected files are bigger than uninfected files. They run slower. They do strange things, such as play tunes, draw Christmas trees on the screen, and reboot computers. It was hard to miss a virus! Prevention through basic cyberhygiene was as simple as detection: “Do not allow other people to use your computer; do not use suspicious software products; do not use software products acquired illegally.”
Vesselin would later regret this article. He had not appreciated that what might be an obvious virus to him might not be obvious to the secretary using a computer as a typewriter. Moreover, most users in Bulgaria did not have their own personal computers; they shared them. Cyberhygiene was hard when personal computers were anything but personal.
When Vesselin wrote this dismissive article, he had not yet seen a virus. What he knew about viruses he’d learned from academic articles. A year earlier, Vesselin was at a computer conference in Poland. He asked the participants whether they had ever spotted a virus. A few had heard of them, but no one had actually observed one.
Vesselin was therefore surprised when two men walked into Computer for You’s office, where he used to hang out, and claimed to have a virus. They had read the articles about these strange new creatures in the magazine and wanted to show Vesselin the virus they had discovered in their small software company. Vesselin was probably just as shocked that there was a software business in Bulgaria. In 1989, Bulgaria was still transitioning from communism, and private businesses were rare. The vast majority of software in Bulgaria was pirated.
The men not only reported that they had a virus; they also claimed to have written an antivirus program that eliminated the virus. They were so proud that they’d brought their laptop with them. The laptop had a virus on it. When they ran their antivirus program, the virus disappeared.
Vesselin was both fascinated and horrified: fascinated because he had never seen a virus before (or a laptop, for that matter), horrified because the men had just killed it. Horror turned to panic when the men told him that they had purged the virus from their firm’s computers as well. Vesselin raced to their place of business looking for any remnants. He found a printout of the virus’s code in the garbage. He took it home and entered it—byte by byte—into his computer. Since the virus was 648 bytes long, he had to enter 1,296 hexadecimal characters (each character represents 4 bits, so two characters make 8 bits, or 1 byte) plus 324 spaces—one space between every two bytes. So as not to make any mistakes, he entered these characters twice. Vesselin eventually figured out that he had resurrected the virus commonly known as Vienna.
When he analyzed Vienna, Vesselin was disappointed. He imagined something wondrous—self-reproducing computer programs should be elegant, fruits of some esoteric black art. A look under the hood, however, revealed it was not so pretty. Vienna’s code was crude and sloppy. Vesselin was sure he could have written a better version in half an hour.
Vesselin wasn’t the only one thinking he could do better. As Vesselin was studying Vienna, other Bulgarians began tinkering with malicious programs, too. One of Vesselin’s compatriots would soon become the most dangerous virus writer in the world—and Vesselin’s most bitter enemy.
Vienna
Reportedly written by a high school student from the eponymous Austrian city, Vienna is a simple virus. It is known as a “com infector”—meaning that it infects command files, typically designated by the .com file extension. Command files contain simple programs in machine code. To run this code, a user simply types the name of the file or clicks the icon. The operating system loads the binary strings into memory and runs them.
Command files are easy to infect because they’re simple. A virus needs somewhere to hide, and command files are easy to hide in. Vienna is an “appending” virus, one that writes a copy of itself onto the ends of the files it infects. After appending its viral code, Vienna adds a jump instruction to the beginning of the file telling the operating system to run the new appendage at the end.
When a user runs a command file infected with Vienna, the jump instruction starts the appended viral code. The viral code tells the operating system to comb through the file directories looking for command files. If it finds a command file, the viral code copies itself to the end of the target and adds a jump instruction to the beginning. After infecting the file, the viral code resumes its search for additional command files to infect.
Vienna was designed to infect seven out of eight command files. The virus did not affect how these command files functioned. The programs in the files still worked, except that the virus would try to infect additional command files each time the programs ran. Vienna, however, took out its fury on every eighth command file it found; this file set off Vienna’s “trigger” condition.
A virus’s trigger condition executes its “payload.” Not all viruses have payloads, and not all payloads are destructive. Vienna, however, had a payload, and it was viciously destructive. It destroyed the eighth command file by overwriting its first three bytes with a jump instruction to the boot code of the operating system. Every time a user tried to use that command file, the computer would restart.
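The infection pattern just described (a jump planted at the front of a command file, viral body appended at the end) can be turned around into a detection heuristic. The following Python script is an added example written for this page, not code from the book or from any antivirus product: it decodes the near jump at the start of a .com image and flags files whose entry point has been redirected into the last 648 bytes. The 0x100 load address and the E9 opcode are DOS and x86 facts; the 648-byte window is the Vienna length given in the text; the sample images are constructed here (an exit stub plus NOP padding standing in for the appended body) and contain no real virus code.

```python
import struct

COM_LOAD_OFFSET = 0x100   # DOS loads a .com image at offset 100h of its segment
JMP_NEAR = 0xE9           # x86 opcode: near jump with a signed 16-bit displacement
VIENNA_LEN = 648          # length of the Vienna body, as given in the text


def entry_jump_target(image: bytes):
    """Return the in-memory offset the first instruction jumps to, or None
    when the image does not begin with a 3-byte near JMP."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    # The displacement is relative to the instruction after the JMP,
    # i.e. the load address plus the 3-byte length of the JMP itself.
    return COM_LOAD_OFFSET + 3 + rel


def looks_like_appending_infection(image: bytes, body_len: int = VIENNA_LEN) -> bool:
    """Heuristic for the appending-infector pattern: entry JMP at the front,
    viral body at the tail. Flags an image whose entry jump lands inside the
    final body_len bytes. A legitimate program that happens to start with a
    JMP into its own tail is flagged too, so treat a hit as a lead for
    inspection, not a verdict."""
    if len(image) <= body_len:
        return False          # host plus appended body must exceed body_len
    target = entry_jump_target(image)
    if target is None:
        return False
    file_off = target - COM_LOAD_OFFSET       # convert back to a file offset
    return len(image) - body_len <= file_off < len(image)


def make_sample(infected: bool) -> bytes:
    """Constructed sample .com images for this example (not real malware).
    The clean host is a DOS exit stub (mov ah,4Ch; int 21h) plus padding;
    the 'infected' variant has its first three bytes replaced by a JMP to
    NOP filler appended where a virus body would sit."""
    host = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 200
    if not infected:
        return host
    filler = b"\x90" * VIENNA_LEN
    target_file_off = len(host)               # body starts right after the host
    rel = target_file_off - 3                 # displacement from the end of the JMP
    return bytes([JMP_NEAR]) + struct.pack("<h", rel) + host[3:] + filler


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, looks_like_appending_infection(make_sample(flag)))
```

The check is deliberately structural rather than signature-based: it does not need Vienna's bytes, only the shape of the infection, which is why it also catches the Vienna variants mentioned later in the chapter but also why it needs a human to confirm each hit.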
Unlike the Morris Worm, which was written in the human-readable programming language of C, Vienna was written in “assembly language.” Assembly language is low-level downcode that enables programmers to access directly those parts of an operating system that viruses need to perform their acrobatics. Assembly language is easier to use than machine code, but much harder than programming languages such as C, which are mostly written in English. Assembly language also requires the programmer to fiddle with technical details that higher-level languages handle for the coder. As the cybersecurity consultant Khalil Sehnaoui recently tweeted, “Coding in Assembly is easy. It’s like riding a bike. Except the bike is on fire & you’re on fire & everything is on fire & you’re in Hell.” The granular control, however, makes up for the difficulty of riding a bike on fire while aflame in hell. Assembly language gives the virus writer the precise tools needed to hide code in files, redirect program flows, and construct payloads.
Vesselin learned assembly language, for example, because his first lab job entailed writing a computer program that taught people how to use stenotyping machines. Only assembly language was fast enough to handle and analyze input from the stenotype machine in real time.
The Factory
Being so simple, Vienna was a good virus on which to experiment. Vesselin passed on the opportunity, not wanting to sully his reputation. His friend Teodor Prevalsky had fewer qualms. He was fascinated by the concept of artificial life, especially after news of the Morris Worm broke, and decided to explore its possibility. After two days of hacking at the Technical University, Bulgaria’s largest engineering school, Teodor produced a virus. Though he modeled it on Vienna, his virus did not destroy files—its payload was an assembly language instruction for the speaker to beep whenever it infected a file. In his diary for November 12, 1988, he recorded his accomplishment: “Version 0 lives.”
As the weeks went by, Teodor added new features to the virus. The second variant—version 2.4—could infect executable files as well as command files. Executable files contain more sophisticated programs than command files and have a more complex structure. They are therefore harder to infect. Version 2.4 solved this complication with a clever hack: it converted executable files to command files and then attacked them with the com infector.
Teodor also experimented with antivirus programs. He wrote an “antivirus” virus: this virus searched the files on a disk and eliminated any earlier version of Vienna. Further experimentation led to version 5, which was immune to the antivirus version. This new variety protected itself by pretending to be the antivirus virus. It contained the string Vascina—Bulgarian for “vaccine.” If the antivirus virus found version 5, it would think that it had found one of its own and would leave it alone.
All of Teodor’s creations were “zoo” viruses. He built these specimens for research purposes, not for releasing into the wild. Nevertheless, they escaped from the zoo. Indeed, Vienna 5 became the first Bulgarian virus to immigrate to the United States. When American security researchers studied it, they saw the string Vascina and named this version after the virus’s telltale sign. Version 5 was not actually a vaccine, but merely pretended to be one.
Vascina was able to escape from Teodor’s computer because his computer was running a Microsoft operating system known as DOS—short for “disk operating system.” Unlike UNIX, which was designed to be a multiuser operating system, DOS was single-user only. It had no security features. Machines running DOS had no log-in page, individual accounts, usernames, or passwords. Everyone who had access to a DOS machine had full access to every file and command on the system—they ran as root, the absolute sovereign of the computer.
UNIX, as we saw, was written for time-sharing on large, expensive machines. DOS was developed for individual use on small, inexpensive microcomputers, which hit the market in the mid-1970s with names such as Apple II, TRS-80, and Commodore. Security was not a priority, or even necessary, for these personal computers, or PCs. If everyone had their own PC, there would be no sharing of users’ code and data in one large machine. If cybersecurity hell is company, cybersecurity nirvana is solitude. Cybersecurity at this time was reducible to physical security; to stop people from stealing your data, you had to lock your door.
Those who used personal computers, however, wanted to share their code. Young nerds hungered for new computer games but didn’t want to pay for them. DOS wasn’t free either, and bootleg copies freely circulated among PC users. Software piracy was normal in Bulgaria. Hardly anyone bought software.
Games, DOS, and data files were passed around using removable storage devices known as floppy disks. Floppy disks, commonly found in the popular 5¼-inch variety, were thin magnetic films encased in black plastic envelopes with a hole in the middle. The square disks drooped over when held by a corner.
Absolute computing power, Lord Acton might have said, corrupts files absolutely. Since anyone running DOS has unlimited power, they are free to run infected files. And since programs run with unlimited power in DOS, they are free to copy themselves and infect other files as well.
Even though Teodor had an IBM PC clone in his university office, he shared it with four other researchers. And they passed around floppy disks with abandon. Though Teodor took great care to keep his zoo viruses captive, they inevitably escaped. He had put them in cages with no locks.
While Teodor was indulging his intellectual curiosity, Vesselin was chronicling his friend’s exploits. In one article, Vesselin claimed that despite Teodor’s success with command files, viruses could not infect all executable files. Vladimir Botchev, another friend of Vesselin’s, saw the article as a challenge and, in response, wrote an elegant virus that infected all executables. It was not a malicious virus—its only action was to play the tune “Yankee Doodle” when corrupting a file (and since the song alerted the user to the infection, the virus did not spread). Teodor liked the payload so much that he “borrowed” it. Now, when Vascina version 16 infected a new file, it played “Yankee Doodle” as well.
Teodor continued his experimentation. In version 42, he tried to write another “good” virus—one that went after the Ping-Pong virus, whose payload caused an irritating dot to ricochet across the screen. When version 42 ran, it searched for files infected with Ping-Pong; when it found an infected file, Teodor’s creation would disable it. In version 44, he modified the time for playing “Yankee Doodle”—it would play the tune at 5:00 p.m. for eight straight days. This virus also escaped his zoo and was the most traveled of all Teodor’s creations. On September 30, 1989, it was detected in the United Nations’ offices in (you guessed it) Vienna. In 1991, it infected a large California publishing house. Even though it caused no damage, it took IT many days to eradicate it, at the cost of $500,000 in lost business.
Having played around with viruses and created many of them, Teodor grew bored. Creating artificial life wasn’t so interesting after all. Teodor was especially disappointed that he could find no productive use for his creations. When released into the wild, even his “good” viruses had bad side effects.
As Teodor was retiring from the virus business, Vesselin’s career was heating up. With admirable candor, he wrote an article in Computer for You confessing error. Viruses were clearly a growing problem, and Vesselin wanted to rectify his mistake. He began to analyze new viruses that were spreading around Bulgaria and published the results.
His articles detailing the dangers of viruses, however, had an unintended consequence: they inspired more virus writers. Computer for You readers learned how to write viruses from these articles, and some tried to improve existing versions. These new viruses became fodder for new articles. Vesselin Bontchev was quickly establishing himself as the leading virus researcher in Bulgaria, recognized internationally as an authority on viruses, especially those from Eastern Europe.
Soon, it seemed as though every computer programmer in Bulgaria felt the need to write a virus. Peter Dimov, a student from Plovdiv, was mad at his tutor, so he wrote a virus to infect his files. Dimov wrote two more viruses for his girlfriend as tokens of his affection. Lubomir Mateev and his friend Iani Brankov were angry at their boss for not paying them. The virus they wrote as revenge made the lame sound of shuffling paper when infecting files. This virus quickly escaped the lab. It came to be known around the world as Murphy 1 because of the embedded text string: “Hello, I’m Murphy. Nice to meet you friend. I was written in Nov/Dec. Copyright @ 1989 Lubo & Pat, Sofia, USM Laboratory.”
Bulgaria was punching way above its weight in virus writing, so much so that people started speaking of the “Bulgarian virus factory.” Morton Swimmer was quoted in a 1990 New York Times article: “We’ve counted about three hundred viruses written for the IBM personal computer; of these, eighty or ninety originated in Bulgaria.” But the ascendancy of the Bulgarian virus factory went beyond mere quantity. “Not only do the Bulgarians produce the most computer viruses, they produce the best.” And the best viruses were able to make the transatlantic trip to the United States.
The output of this factory was collected and shared on an internet bulletin board called the Virus Exchange, or vX. Todor Todorov, also known as Commander Tosh, established vX at the end of 1990 and ran it out of his mother’s apartment using a single phone line and a 2400 baud modem. The vX was private, open only by invitation and on the condition that the invitee donate a virus available to all other members of the vX:
If you want to download viruses from this bulletin board, just upload to us at least 1 virus which we don’t already have. Then you will be given access to the virus area, where you can find many live viruses, documented disassemblies, virus descriptions, and original virus source copies!
Once accepted, members could download virus samples and share tips on how to make them more potent. Commander Tosh described the vX as “a place for free exchange of viruses and a place where everything is permitted!” The bulletin board quickly built up a large collection of viruses after visitors learned of his exchange procedures.
With the vX, Bulgarians were re-creating what Americans had developed almost two decades earlier: a system of free and open software, or FOSS. Just as UNIX developers were creating, sharing, and adapting computer utilities such as SENDMAIL, Bulgarians were sharing and perfecting viruses. Todorov’s vX was eventually copied by others in the U.K., Italy, Sweden, Germany, the United States, and Russia. These virus forums were connected by FidoNet, a computer network used to communicate between internet bulletin boards. Viruses had gone from being specimens in a local zoo to publications in a global library.
The Bulgarian virus factory was a factory in the Andy Warhol sense: not a building filled with hoodied coders chugging energy drinks, but rather a loose collective of young Bulgarian men (they were all men) who were highly intelligent and bored. Writing viruses became a source of intellectual stimulation and a form of social distinction. Peter Dimov, for example, was obsessed with writing the smallest virus in the world. His first attempt resulted in a virus two hundred bytes long (by contrast, most Vienna variants are over a thousand bytes). He whittled it down to forty-five bytes, though a few weeks later, another programmer made it to thirty.
Because virus writing had become a national pastime among programmers, Vesselin’s job as the director of the Computer Virology lab kept him busy. By 1991, he was finding two new Bulgarian viruses per week. He spent his days fielding calls from firms attacked by viruses; he spent his nights and weekends studying these viruses. In Computer for You, Vesselin published his home address. His offer: if you sent him a diskette with a virus, he would send back a program to detect that virus and kill it.
Vesselin was also a founding member of CARO, the Computer Antivirus Research Organization. In addition to creating a naming convention for viruses, CARO advocated for certain ethical principles of antivirus research. One of the most important was the strict prohibition on writing viruses. CARO treated computer viruses like biological weapons. As with anthrax or smallpox, digital viruses are indiscriminate weapons that attack anything they encounter. Moreover, they cannot be controlled once released. The danger of their escaping the lab was deemed too high to justify experimentation.
Indeed, CARO helped cement a schism between antivirus researchers and the general cybersecurity community. The cybersecurity community generally expects its members to have hacked in order to know how to defend against hackers. The practice is known as ethical or white-hat hacking. The upcode of hackers permits, even encourages, them to hack downcode.
Antivirus upcode, by contrast, strictly prohibited the writing of viral downcode, given the risks that this malicious code might leak. There is no corresponding practice of “ethical virus writing.” Any researcher who has written a virus would have been vetoed for membership in CARO. Though many in the antivirus industry have tinkered with viruses, it was not something they talked about.
Malware Is Disgusting
If you want to start a fight among antivirus researchers, ask them to define virus. If you want that fight to turn into a brawl, ask them to distinguish viruses from worms. Definitional issues in the field are so touchy that the virus writer Quantum trolled security researchers when the payload of his Happy99 virus printed out:
Is it a virus, or a worm, or a Trojan, or some other thing?
Whether a malicious program should be called a virus is not merely a semantic debate among computer scientists. As discussed before, the terminology of cybersecurity is couched in the language of pollution and disease, language that tends to elicit feelings of disgust and revulsion. While disgust might help us practice proper cyberhygiene and avoid malware, it may also prevent us from thinking rationally about the proper way to combat these problems. The natural reaction to disgust is visceral: we urgently want to avoid contact with the disgusting object and to cleanse ourselves lest it contaminate us.
Disgust and disease naturally encourage us to seek out downcode remedies. We want the best that science and industry can produce to protect us from disgusting viruses, worms, and bugs. We want digital antibiotics to disinfect our computers if these pathogens get past the antiviral quarantine and sicken our computers. We want the viruses, worms, and bugs gone. Now.
To tackle the problem of malware, we will need to think past downcode solutions and consider upcode changes. Disgust, though, is a barrier to upcode thinking; disgust not only triggers panicky demands for quick fixes, but it also prevents us from thinking sympathetically about those who create viruses. If we regard virus writers as revolting as well, we are unlikely to take the steps needed to redirect their talents to societal advantage.
I am not suggesting that we change how we speak about malware. The terminology is already set. But if we examine the underlying phenomena, we might be able to avoid the distortions produced by our powerful reactions of revulsion and disgust. We should treat digital threats clinically, to understand what they are and how we might best deal with the challenges they present.
There is another reason to discuss terminology. The distinction between viruses and worms reflects genuine differences between kinds of malware. Viruses spread differently from worms because they exploit different kinds of downcode and upcode vulnerabilities. To understand how to stop worms and viruses alike, we have to understand what they are and how they work.
What Are Viruses?
The first person to popularize the term computer virus was David Gerrold, in his 1972 science fiction novel, When HARLIE Was One. HARLIE (Human Analogue Robot, Life Input Equivalents) is a supercomputer with unbridled access to all human knowledge but with the emotional maturity of an eight-year-old boy. HARLIE hacks into his company’s computer system to blackmail a shortsighted executive who wants to shut him down and sell HARLIE off for parts. The hack is accomplished via an infectious program called a “virus.” Gerrold claims he got the virus concept from a computer programmer in the summer of 1968, who shared it with him as a joke.
The term computer virus has, of course, become commonplace. When something goes wrong with our computer, we naturally wonder if it “has a virus.” A computer virus has become a catchall term for malicious code, or what is now called malware—code unwelcome by users because it doesn’t serve their interests.
Cybersecurity researchers disagree a lot, but they are united in rejecting the equation of viruses with malware. Not all malicious code is viral. Viruses must be capable of self-reproduction. Fred Cohen, the first computer scientist to formally characterize computer viruses, informally defined one as “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.” Vienna fits this definition because it infects command files by appending copies of itself to these files.
Viruses are not simply self-reproducing code. To be a true virus, the self-replication must be recursive. In other words, it is not enough for a parent program to self-replicate. Its progeny must also be capable of self-replication. And their progeny must be capable of self-replication. Ad infinitum. Something is a virus, therefore, if it is self-replicating code and its progeny are viruses as well.
The recursive nature of self-replication gives viruses and worms their “virality.” If V1 is a virus and self-replicates once, then at the end of the first cycle there will be two viruses: V1 and V2. At the end of the second cycle, there will be four: V1 produces V3, V2 produces V4. The third cycle will produce eight: V1 produces V5, V2 produces V6, V3 produces V7, and V4 produces V8. The fourth cycle will produce sixteen, and the fifth cycle gives us thirty-two viruses. By the tenth cycle, there will be over a thousand viruses.
Recursive self-replicating propagators exhibit “exponential growth.” Even though four cycles yield sixteen viruses, thirty cycles yield 2^30, or over 1 billion, copies. If V1 makes two copies of itself, it will hit 1 billion copies in nineteen cycles (3^19 = 1,162,261,467). If V1 makes ten copies of itself, it will hit a billion in a mere nine cycles (10^9 is exactly a billion). Viruses are frightening because they threaten to rapidly infect billions of files and hosts.
Not all malware programs are viruses. Only those that recursively self-reproduce are. But is the converse true: Are all viruses malware?
Antivirus researchers generally answer yes. They reject the possibility of good viruses. Viruses mess around with the internal and delicate workings of code in a way that may lead to unpredictable results, some of which are very bad. Indeed, the term virus comes from the Latin word for poison. In early English, virus referred to snake venom. It’s hard to think of poison, or venom, as good.
Among the few dissenters from this consensus is Fred Cohen, the researcher who popularized the term virus, though he later came to regret it. He believed that beneficial viruses were possible. They could replicate, spread, and do good things. He preferred the more neutral term living program. The choice of the term virus, and the reason for its virality, might have been influenced by the AIDS crisis that was then ravaging the gay community in the United States. In 1983, a year before Cohen’s first article, scientists discovered that AIDS was caused by HIV, which infected human T cells, hijacked the cell’s reproductive machinery, made many copies of itself, and thus spread to other cells and other people.
What Is a Worm?
The term worm also comes from a science fiction novel. John Brunner’s 1975 Shockwave Rider is set in a dystopian twenty-first-century America turned techno-police state where authorities ruthlessly crush all forms of political dissent. Nick, the hero of the story, fights back against the repressive regime using his hacking skills. He creates a computer program to infiltrate the state’s network and release copies of itself. Brunner called Nick’s code a “worm” after tapeworms, hermaphroditic organisms that carry eggs in their tail and drop them as they move from host to host. The ultimate function of Nick’s program—called a “worm” in the novel—is to uncover all official secrets, leak them to the public, and liberate the people from tyranny.
When computer scientists adopted the term worm in the early 1980s, there was little agreement about what made code a worm. The earliest definition was developed along the biological model: a computer worm is an independent self-replicating program, just like a tapeworm, or a bacterium, is an independent self-replicating organism. By contrast, a virus is a code fragment. It must infect a host file to copy itself, much as a biological virus must infect a cell to reproduce.
This definition has fallen out of favor. Computer scientists have retooled their classifications so that they track functional differences. Malware is now classified by how it works, which is why it’s important to be clear about the differences between viruses and worms.
One popular definition characterizes worms based on their distinctive way of spreading: worms use networks to replicate. The Morris Worm spread by forging network connections to other hosts on the internet. Vienna, by contrast, merely searched through the directories of a local host to infect files. Indeed, Vienna is a DOS virus, and DOS is not a networked operating system. It runs only on stand-alone personal computers.
While this definition of worms emphasizes propagation, a second definition highlights execution. When Robert Morris released his worm at MIT, he did not need to do anything else. He turned it on and went to dinner. The worm runs autonomously—it creates new children, turns them on, and looks for new hosts on the network to infect.
Since worms don’t need users, they don’t need to trick users into running them. Rather, they need to trick operating systems into letting them in. Worms, therefore, try to locate network vulnerabilities and exploit them. Once they’ve broken through to a new host, the parents send their children out and turn them on. Worms tend to be much larger than viruses because finding and exploiting network vulnerabilities is computationally demanding. That is one reason why the Morris Worm is ten times larger than the Vienna virus.
Viruses, on the other hand, cannot turn themselves on. They need users. When Vienna copies itself and spreads to another floppy disk, it remains dormant until the user intervenes. Once the user runs the infected program, the embedded virus begins the next cycle.
Rather than exploit network vulnerabilities, ordinary viruses exploit human vulnerabilities. Since they are user executed, they have to trick humans into executing them, which is often easier than tricking a sophisticated operating system such as UNIX BSD 4.2. The main way that early viruses, such as Vienna, tricked users was by hiding in legitimate files. If a virus infects Microsoft Word, then every time someone executes the word processor, it spreads the virus.
We have two ways to distinguish worms: (1) how they spread (through network or only locally?) and (2) how they are executed (by parent or user?). Some malware programs, such as the Morris Worm, are worms in both senses. They spread by networks, and parents activate their children. Other pieces of malware are spread over networks but require a user to run it to spread further.
Let’s imagine a new group of self-replicating malware. Call them “vorms.” Vorms are hybrid creatures, halfway between ordinary viruses and full-blown worms. A vorm spreads over networks, but requires users to spread further.
Having a new name for hybrid self-replicating malware is important because, as we will see in the future chapters, vorms eventually become dominant. The World Wide Web changed virus writing and pushed malware to be ever more contagious. Viruses that had not previously exploited networks became internet-ready. DOS viruses evolved into internet vorms.
Dark Avenger
Even before Computer for You published its first article on viruses, someone was secretly trying to refine the medium. His online handle was Dark Avenger. “In those days there were no viruses being written in Bulgaria, so I decided to write the first,” Dark Avenger claimed. “In early March 1989 it came into existence and started to live its own life, and to terrorize all engineers and other suckers.”
Dark Avenger was wrong. Teodor had been pumping out viruses since November of the previous year. But unlike Teodor’s viruses, which were largely harmless, Dark Avenger built his to be lethal. His first creation would be known as Eddie. When a user ran a program infected with Eddie, the virus would not start by attacking other files. It would lurk in computer memory and hand back control to the original program. However, when a user loaded another program, skulking Eddie would spring into action and infect that program. These infected programs would be Eddie’s new carriers.
Eddie also packed a payload. But the payload wasn’t amusing: it didn’t play a silly tune, bounce a ball across the screen, or even reboot the computer. Eddie slowly, and silently, destroyed every file it touched, like voracious termites silently gnawing down a whole house. When the infected program was run the sixteenth time, the virus overwrote a random section of the disk in the computer with its calling card: “Eddie lives … Somewhere in time.” After enough of these indiscriminate changes, programs on the disk stopped loading.
Destructive viruses were not new. Vienna, for example, destroyed every eighth file. But Eddie was far more malicious. Because Eddie infections took a while to produce symptoms, users spread the virus and backed up contaminated files. When users discovered that their disk had turned into digital sawdust, they also learned that their backups were badly damaged. Dark Avenger had invented what are now called data diddling viruses—viruses that alter data in files.
Dark Avenger was proud of his cruel creation and claimed credit in the code. First, he inserted an ironic copyright notice: “This program was written in the city of Sofia (C) 1988–89 Dark Avenger.” This string illustrated his love of heavy-metal music. “Eddie” refers to the skeletal mascot of the band Iron Maiden; Somewhere in Time is the name of Iron Maiden’s sixth album, in which Eddie appears on the cover as a muscular cyborg in a Blade Runner setting, next to graffiti that reads, “Eddie lives.”
Dark Avenger went on to write more viruses. And each virus was more sophisticated than the last. The viruses were so contagious that they infiltrated the computers of the military, banks, insurance companies, and medical offices around the world. According to John McAfee, who at the time was the head of the Computer Virus Industry Association but went on to a career of alleged tax evasion and murder that ended with his death in a Spanish prison cell, “I would say that ten percent of the sixty calls we receive each week are for Bulgarian viruses, and ninety-nine percent of these are for Dark Avenger.” Dark Avenger’s techniques were also copied by other virus writers. Murphy 1 and 2, viruses written by Lubomir Mateev and Iani Brankov to retaliate against their boss, spread to the United States because they copied the replication strategy that Dark Avenger had pioneered in Eddie.
One of Dark Avenger’s nastiest creations was first observed in the House of Commons library in Westminster in October 1990. Research staff were perplexed that some of their regular files were missing and others were corrupted. Since the problem kept getting worse, the library called in an outside specialist. A virus scan came out negative, but the specialist was sure that there had been an infection because the corrupted files grew in size. When he examined the contents of the files, he noticed one word in the jumble of characters: NOMENKLATURA.
Nomenklatura is Russian and literally means “list of names.” It referred to the elite of Soviet society—the bureaucrats and party leaders—given special privileges in return for their service to the party and state. Bulgaria followed this system as well. The term had a pejorative connotation, at least to those not on the list.
When the noted British virus researcher Alan Solomon was consulted, he discovered the most destructive virus he had ever observed. Unlike other viruses, which attacked files, Nomenklatura went after the entire file system. Its target is the all-important FAT—the File Allocation Table—the map of where files are stored on disk. With the FAT corrupted, a computer’s operating system could no longer find the files to run. Solomon also noticed some Cyrillic characters and guessed that they were Bulgarian. Using FidoNet, he contacted a Bulgarian engineer. He got back the following broken translation: “This fat idiot instead of kissing the girl’s lips, kisses quite some other thing.”
Dark Avenger quickly achieved notoriety in the Bulgarian computer-virus community. No one knew his identity, or anything about him, adding to his mystique. According to David Stang, research director for the International Virus Research Center, “His work is elegant … He helps younger programmers. He’s a superhero to many of them.”
Excitement, therefore, erupted when he joined the Virus Exchange in November 1990. Pierre, a French virus writer, wrote, “Hi, Dark Avenger! Where have you learned programming? And what does Eddie lives mean?” Another hacker named Free Rider welcomed Dark Avenger with praise: “Hi, brilliant virus writer.” Someone who ran another bulletin board complained that Dark Avenger did not visit his site: “Hi, I’m one SYSOP [systems operator] of the Innersoft bulletin board. Should I consider my board not popular because you don’t like to call it? Please give it a call.”
Not everyone was a fan, however—least of all Bulgaria’s leading antivirus crusader. Indeed, Dark Avenger and Vesselin Bontchev would become bitter enemies. And their animosity would propel Dark Avenger to write ever-more-malicious programs, malware that posed a mortal threat to the antivirus industry and every user of personal computers on the planet.