Approaching Zero by Paul Mungo (bts book recommendations .txt) 📖

his antivirus program saw the string, it would leave the bug alone.

 

It was shortly thereafter that Version 5 escaped. Like most Bulgarians, Teodor

had to share his computer with colleagues at the Technical Institute; with four

people using one machine, with software copying rampant, and with the casual

transfer of diskettes, it was only a matter of time before one of the bugs

began to propagate out of his control. Within weeks Version 5 had spread

throughout Bulgaria. In less than a year it had reached the West—the first

Eastern virus to jump the Iron Curtain. When the virus was examined,

researchers discovered the text string “Vacsina,” which immediately gave a name

to Version 5.

 

Meanwhile, Teodor continued experimenting. By December 15, 1988 he had advanced

to Version 8. On this variant the payload—the innocuous beep—now sounded only

when an infected computer was restarted from the keyboard (a “warm reboot”),

allowing it to remain hidden for longer. In the best programming tradition, all

his improvements were duly documented and given version numbers as they

appeared.

 

Later in December a new Bulgarian virus was discovered. It carried a text

string which said it had been authored by a Vladimir Botchev. The bug was

almost certainly written in response to one of Vesko’s magazine articles: in

November Vesko had stated that it would be “difficult” to write a virus that

could infect all EXE files, including the longer ones, and Vladimir had

presumably seen that as a challenge. His virus appeared less than a month after

the article was published. It employed a novel and technically elegant device

that enabled it to attach itself to any EXE file, no matter what length. After

it infected a file it played the tune “Yankee Doodle”—in celebration, perhaps.

 

This virus was generally not damaging—its payload was the tune—and because it

was easy to detect, it never spread. But the new bug’s payload was immediately

copied by Teodor in his new variant, Version 18, which appeared on January 6,

1989. This one didn’t beep; instead it played “Yankee Doodle,” which Teodor had

lifted, note for note, straight from Vladimir’s program.

 

Five days later, Teodor produced Version 21, which could remove the virus from

infected files if a more recent version of this bug attacked the same system.

Then, on February 6, 1989, Version 30 appeared. It incorporated a “detection

and repair” capability, that would warn the virus if it had been modified or

corrupted while replicating. Eerily, it could then fix the damage itself by

changing the corrupted instructions back to their original form. It was a kind

of artificial life, though the repair capability was limited (it could handle

only changes of up to 16 bytes in length).

 

By the end of February Teodor was on to Version 39 and his virus was now full

of tricks: it could infect EXE files of any size,

it could even evade antiviral software. As soon as it noted the presence of

a detection program, it would detach itself from the infected file and hide

elsewhere in the computer’s memory.

 

With Version 42, which appeared in March, his virus took on a new role: virus

fighter. The Ping Pong boot-sector virus, which is believed to have been

created at Turin University in Italy, had now reached Bulgaria. Ping Pong (also

called Bouncing Ball) was a joke virus: from time to time it simply sent a dot

careering around the screen, like a ball in a squash court. Teodor’s new virus

could detect Ping Pong and was able to modify it in such a way that, after a

time, it destroyed itself, leaving behind its corpse. He persisted with the

tune “Yankee Doodle” as his payload, but he varied the time and frequency it

would play. One of his next variants was Version 44, which plays the tune every

eight days at 5 P.M. This was the version destined to become the most widely

traveled of all Teodor’s viruses: once again, it escaped from his office

machine, probably on a diskette, and spread through Bulgaria; on September 30,

1989 it was sighted in offices of the United Nations in Vienna; and from there,

now known as Yankee Doodle, it traveled the world. It was this version which

caused mayhem at the California publishing house in July 1991.

 

Teodor continued to develop his virus. The last variant was Version 50, by

which time it had been given the additional power to detect and destroy the

Cascade bug, which had just arrived in

Bulgaria from Austria. Cascade was another joke virus: it caused the letters on

a computer terminal to fall down and pile up in heaps at the bottom of the

screen to an accompanying clicking noise. After it had finished its

performance, a user could resume his work—though he would need to replace the

letters and words that had fallen from his screen. It wasn’t particularly

damaging, though the operator’s nerves could well have been frayed.

 

After Version 50 Teodor began to explore some of his other ideas. One was a

joke virus that hopped around a hard disk while challenging the operator to

FIND ME! It was unusual in that it was nearly undetectable: unlike other

viruses, Find Me! wouldn’t infect the boot sector or a program file. It created

its own home within infected systems by stealing the name of an EXE file and

attributing it to a new COM file; this new COM file became its hiding place.

 

It was a clever trick. Teodor knew that on computers with two files of the same

name the COM file is always loaded prior to the EXE file. So his little bug

would get to the screen first, to taunt the operator with “Find Me!” messages.

If the operator looked at his list of files he might notice that he had an

extra COM file with the same name as one of his EXE files, but he generally

wouldn’t realize the significance. Even if he did, the bug would probably be

one step ahead of him. From time to time, Find Me! would create a new COM file

(always with the same name as an EXE file) and transfer itself to a new home,

deleting the old one as it did so. In that way it continued to hop around the

hard disk, usually well ahead of the increasingly irritated operator. It was

possible to remove the bug completely, but it invariably took a few manhours of

frustrating chasing.

 

Teodor also experimented with “stealth” viruses—silent, deadly, and almost

undetectable bugs that evade antiviral software in much the same way that the

Stealth plane evades radar detection. Stealth technology has been exploited by

virus writers since 1986 (the Pakistani Brain virus has some stealth capability

in that it is able to camouflage its presence on the boot sector), but Teodor’s

was the first that could add itself to a program file without, apparently,

increasing the length of the file. Of course it was only an illusion: the virus

would simply deduct its own length from the infected file whenever it was being

examined.

 

With his stealth bug Teodor had more or less reached the pinnacle: there was

little he could do to improve the programming of his latest virus except,

perhaps, to add a destructive payload. But, for Teodor, destruction of data or

programs was never the point. He wrote viruses as an intellectual challenge.

None of his viruses had ever been intentionally damaging, though he had become

aware that they could cause collateral losses. He had also realized that a

completely harmless virus was an impossibility. All viruses, by their mere

presence on a computer, can accidentally overwrite data or cause a system to

crash. And the most dangerous of all, he thought, was an undetectable virus

that could spread unstoppably, causing collateral damage without the operators

even being aware they were under attack.

 

In 1989 Teodor decided to retire from virus writing. His own career up until

then had, curiously, mirrored his friend Vesko’s. While Teodor wrote viruses,

Vesko wrote about them; as Teodor became more proficient at writing bugs, Vesko

became more accomplished at analyzing them. By 1989 Vesko had become Bulgaria’s

most important virus researcher and a major contributor to Western literature

on the subject. He had been invited to submit papers and to lecture at Western

European computer security conferences: he was recognized as an authority on

viruses, particularly those from Eastern Europe.

 

Vesko’s reputation was due, in a large part, to having been in the right place

at the right time. First, there were his friend Teodor’s bugs. Teodor would

often pass on the programming code to Vesko for analysis, who would then report

on their capabilities in the local press and in Western journals. It was a

convenient arrangement, and the resulting publicity would encourage other

writers. Eventually, what became known as the Bulgarian virus factory started

to pump out bug after bug, each more dangerous

than the last, and Vesko was there to record it. He was in the eye of the

storm, collecting viruses from all over Bulgaria as they spread from computer

to computer. By 1991 he was reporting two new locally grown viruses each week.

 

In a country with so many bugs flying around, it was inevitable that Bulgarian

computers would become overrun. Most computers in the country had been hit at

least once; many had been hit with multiple viruses at the same time. Because

Vesko was the country’s leading authority on the malicious programs, he was

eventually given responsibility for coordinating Bulgaria’s effort to fight

them off. He was constantly on call. Days he worked in his office in the

Bulgarian Academy of Sciences, where he was given the dour title of Assistant

Research Worker Engineer. Weekends and nights he continued the fight from his

own cramped room on a borrowed Bulgarian clone of an IBM PC. He dealt with ten

to twenty phone calls each day from institutions or firms that had been

attacked by viruses.

 

By then the Bulgarian virus factory was in full production. It was no longer a

matter of Vesko and his friend Teodor, one a researcher, the other a virus

writer. Bulgaria had spawned some of the most skilled and prolific virus

writers in the world.

 

In Plovdiv, Bulgaria’s second largest town, a student named Peter Dimov

produced a series of viruses “as revenge against his tutor” and another two “in

tribute” to his girlfriend, Nina (it is not known if she was pleased). One of

Peter’s ambitions was to write the world’s smallest virus: his first came to

under 200 bytes. Later he wrote one only 45 bytes long. For a few weeks it was

the shortest virus known—until another Bulgarian programmer produced one that

was just 30 bytes. Peter was also the author of the first Bulgarian boot-sector

virus as well as two ominous-sounding bugs that he called Terror and Manowar.

But despite their names, neither was particularly damaging. In total, Peter

wrote around twenty-five viruses.

 

In Varna, on the Black Sea, two students at the Mathematics Gymnasium (Upper

School), Vasil Popov and Stanislav Kirilov, produced a series of viruses and

trojans. Their most dangerous, called Creeping Death (or DIR-2), was reported

to be able to infect all the files on a hard disk within minutes.

 

Lubomir Mateev, then a twenty-three-yearold university student, and his friend

Iani Brankov wrote a virus together to embarrass their professor when they were

studying at Sofia University. Their first bug was programmed to make a

shuffling noise while he was lecturing that sounded like the rustling of paper.

 

This virus and a subsequent variant (which borrowed the bouncing-ball payload

from Ping Pong) became known as Murphy 1 and Murphy 2. Highly infectious, they

spread throughout Bulgaria and reached the West in 1991.

 

Many other programmers and students took a stab