Approaching Zero by Paul Mungo (bts book recommendations .txt) 📖

the

company’s chief financial officer. “We also lost data. That cost us $20,000.

But what really hurt was the lost business. If we force a customer into the

hands of a competitor, he might go there again. I guess that could cost us

another $500,000.”

 

The company tried to find out how the virus had got into its machines in the

first place. Sometimes disenchanted employees (or ex-employees) have been known

deliberately to cause havoc on computer systems, but it seemed unlikely in this

case. The company concluded that the infection was almost certainly accidental,

probably introduced on a diskette brought in from outside. All they knew for

certain was that some Bulgarian who called himself the Dark Avenger had cost

them $1 million.

 

Meanwhile, across the Atlantic in England, computer operators in government

offices in Whitehall and regional centers were confounded by a new virus that

spread, seemingly unstoppably, from office to office and department to

department.

 

The virus was first observed in the House of Commons library in the Palace of

Westminster. In early October 1990, researchers at the library became concerned

about one of their computer systems. The library operates a PC-based research

service for members of Parliament, providing information, background, and

documentation on subjects of concern. Part of the service uses a network of

Compaq computers, and it was this system that was causing problems. Computer

files that should have been available suddenly appeared to be missing, while

others were corrupted or incomplete, and some of the file names were distorted.

 

As the days went by, the problems multiplied, and the head of computer systems

at the library called in an outside specialist. A virus-detection program run

on one of the affected machines came up clean, but from the way the computers

were malfunctioning, the specialist was convinced that the House of Commons

library had been hit by a virus. He compared the lengths of the program files

on an infected machine with those on a clean computer. As expected, the

programs on the infected computer were longer, which suggested the unknown

virus was attaching itself to the ends of program files. A visual inspection of

the virus followed, revealing one full word in the jumble of characters on the

screen: NOMENKLATURA.

 

The word is of Russian origin, though in common use throughout Eastern Europe.

It was the name given to the upper echelons of the Communist party and the

high-ranking bureaucrats—the class that did well from the old system, those

who had access to the special shops and the special rations, the cars and the

country homes. It is a pejorative now and was almost certainly picked by the

virus writer for its ironic overtones.

 

A copy of the virus, immediately nicknamed Nomenklatura, was sent to a British

researcher, Alan Solomon, who runs a specialist computer data-recovery service

from Berkhamsted, northwest of London. When he disassembled the bug, he found

he was looking at one of the most destructive viruses he had ever seen.

 

The virus’s target proved to be the FAT, the all-important File Allocation

Table. With the FAT corrupted, the computer would be unable to reassemble data

files in the correct order—hence the gaps in the information accessed in the

House of Commons library. Solomon also noticed a string of text characters

within the Nomenklatura program. It could be a message, he thought, except that

the text was represented on his computer screen by a code that appeared to

refer to non-English-language characters, which looked like Greek or Russian.

Solomon guessed it was Bulgarian.

 

To confirm his hunch, Solomon dialed an electronic bulletin board in Sofia,

linking to the East European country via Fidonet, an international

public-access computer network run by hobbyists. The board he accessed was owned by MicroComm, a subsidiary of the

Bulgarian public telephone company. Once linked to the board, he managed to

make contact with one of the company’s engineers, Veni Markovski, who spoke a

little English Solomon uploaded the code to Sofia, and Veni looked at it with

his Cyrillic converter. If the code represented Cyrillic characters the

converter—a program that translates keyboard strokes into Cyrillic—would

recognize them and display the message in the virus. The text, though, would be

in Bulgarian, which was why Solomon needed Veni’s help.

 

The converter rapidly deciphered the code, changing it to Cyrillic. Solomon had

guessed correctly. The phrase, Veni reported, was an idiomatic Bulgarian

expression. It took some time to translate—Veni’s English is poor—and its

meaning is obscure. But, Veni said, it translates to something like: “This fat

idiot instead of kissing the girl’s lips, kisses quite some other thing.”

 

Solomon wasn’t surprised that the message was in Bulgarian. By 1990 everyone

involved in computer security had become aware that something odd was going on

in that obscure East European country. Increasingly sophisticated and damaging

viruses that affected IBM-type PCs were moving into the West, carried on

diskette or transferred by electronic bulletin boards, and all had one thing in

common: they had been written in Bulgaria.

 

Though only a few of the viruses had actually been seen “in the wild”—that is,

infecting computers—reports from Bulgaria suggested that two new viruses were

being discovered in that country every week. By mid-1990 there were so many

reported Bulgarian viruses that one researcher was moved to refer to the

existence of a “Bulgarian virus factory.” The phrase stuck.

 

The origins of that factory go back to the last decade. In the early 1980s the

then president of Bulgaria, Todor Zhivkov, decided that his country was to

become a high-tech power, with computers managing the economy while industry

concentrated on manufacturing hardware to match that of the West. Bulgaria he

decided, would function as the hardware-manufacturing center

for Comecon (Eastern Europe’s Council for Mutual Economic Assistance, now

defunct), trading its computers for cheap raw materials from the Soviet Union

and basic imports from the other Socialist countries. Bulgaria had the

potential, in that it had many well-educated young electronics engineers; what

it didn’t have, with its archaic infrastructure and ill-managed economy, was

any particularly useful application for its own hardware.

 

With the resources of the state behind Bulgaria’s computerization, the country

began manufacturing copies of IBM and Apple models. The machines were slow—

very slow by today’s standards—and were already obsolete even when they first

started crawling off the production line. They had been “designed” at the

Bulgarian Academy of Sciences, but without the help or blessing of either IBM

or Apple. The Bulgarian machines were simply poorly manufactured clones that

used the same operating systems and computer language as the real IBMs and

Apples.

 

In the latter half of the 1980s shiny new computers started to appear in state

organizations, schools, colleges, and computer clubs. Many were destined to sit

on the boss’s desk, largely unused, symbols of a high-tech society that never

really existed. Few businesses had any real need for computers; some used them

simply to store personnel records. It was a gloss of technology laid over a

system that, at its core, wasn’t functioning.

 

In addition, Bulgaria didn’t have any software. While the factories continued

to manufacture PCs, the most basic requirement—programs to make the machines

function had to be pirated. So the Bulgarians began copying Western programs,

cracking any copy-protection schemes that stood in their way, and became more

and more skilled at hacking—in the classic sense of the word. They could

program their way around any problem; they learned the ins and outs of the IBM

and Apple operating systems; they became skilled computer technicians as they

struggled to keep their unreliable and poorly manufactured computers functioning. In short, they were assimilating all the skills they would need to

become first-class virus writers.

 

The first Bulgarian viruses to arrive in the West were seen in

1989. They became increasingly sophisticated and malignant progressing within a

year from the relatively harmless Yankee Doodle to the more destructive Eddie

and then to Nomenklatura, which was deadly.

 

Nomenklatura’s attack on the House of Commons library had zapped data in the

statistical section, rendering valuable information irrecoverable. From the

House of Commons, the virus began to journey through other sectors of the

British government, presumably carried on diskettes from the library. The virus

traveled slowly, popping up first in one department, then spreading to another.

 

As soon as it was wiped out in one office, it would reappear elsewhere; it has

not been completely eradicated to this day. Alan Solomon, a computer security

specialist who worked on the case, is convinced that Nomenklatura’s creator is

the Dark Avenger.

 

In November 1988 stories about Robert Morris, Jr., and the Internet Worm were

published in Bulgaria. The news, already exaggerated in the American press,

became even more fanciful by the time it was retold in Bulgarian newspapers.

 

The worm excited the curiosity of two young men, Teodor Prevalsky and Vesselin

(Vesko) Bontchev. They had been close friends for many years, had gone to

university together, and had served side by side as officers in the Bulgarian

army. Aged twentyseven, they were both engineering graduates from professional

families, which made them part of the privileged class in Bulgaria at the time.

 

The Bulgarian computer industry was in full swing by then, but the country had

few uses for the new machines. In response, a magazine was started called

Komputar za vas (“Computer for You”), to show readers how to do something

constructive on their relatively worthless PCs. The magazine needed technical

writers who could explain how the machines worked, and Vesko, provided with

desk space at the magazine’s offices, found that he could double his income of

$45 a month by writing the articles. By Bulgarian standards his salary was

already high; with the additional income from the magazine he was positively

wealthy.

 

When news of the Internet Worm broke, Vesko and his friend Teodor discussed it

at length. For Vesko, it would be the inspiration for an article; for Teodor,

it was the catalyst for a new intelectual pursuit.

 

On November 10, 1988, Teodor sat down at a computer at the technical institute

where he worked and started to write his first virus. He had managed to get a

copy of Vienna, which had been copied from Ralf Burger’s book, and he used it

as a model for his own bug. On November 12th Teodor proudly made an entry in

his diary: “Version 0 lives.”

 

Version 0 was, in all probability, the first homegrown Bulgarian virus. It did

very little except replicate, leaving copies of itself on what are called COM

files—simple program files of limited length, used for basic computer

utilities. When the virus infected a file, it beeped.

 

Just two days after writing Version 0, Teodor had prepared Version 2.4 It was

more clever than the original in that it could infect both common types of

executable files: COM and EXE. The latter are the more sophisticated programs—

like word-processing, for instance—and because they are structurally complex

they are more difficult to infect. But Teodor’s Version 2 employed a little

trick that would convert the shorter EXE files into COM files. When the

operator called up, or loaded, an EXE file, the lurking virus saw the load

command, jumped in ahead and modified the structure of the EXE file so it

resembled a COM file. The next time a restructured EXE file was loaded up, it

could be successfully infected by the virus, just like an ordinary COM file.

 

Teodor was also experimenting with antivirus software at the time, and

developed a program that would hunt down and kill Versions 0 and 2. It was

called “Vacsina,” the Bulgarian word for vaccine. However, by Version 5 Teodor

had adapted his virus so that it was immune to his own killer program. He

accomplished this by simply adding the character string “Vacsina” to the virus.

 

When