Hacker 2

home *** CD-ROM | disk | FTP | other *** search

/ Hacker 2 / HACKER2.mdf / virus / bulgfact.doc < prev next >

Wrap

Text File | 1995-01-03 | 57KB | 1,107 lines

The Bulgarian and Soviet Virus Factories ======================================== Vesselin Bontchev, Director Laboratory of Computer Virology Bulgarian Academy of Sciences, Sofia, Bulgaria 0) Abstract =========== It is now well known that Bulgaria is leader in computer virus production and the USSR is following closely. This paper tries to answer the main questions: Who makes viruses there, What viruses are made, and Why this is done. It also underlines the impact of this process on the West, as well as on the national software industry. 1) How the story began ====================== Just three years ago there were no computer viruses in Bulgaria. After all, these were things that can happen only in the capitalist countries. They were first mentioned in the April issue of the Bulgarian computer magazine "Komputar za vas" ("Computer for you") [KV88] in a paper, translated from the German magazine "Chip" [Chip]. Soon after that, the same Bulgarian magazine published an article [KV89]], explaining why computer viruses cannot be dangerous. The arguments presented were, in general, correct, but the author had completely missed the fact that the majority of PC users are not experienced programmers. A few months later, in the fall of the same year, two men came in the editor's office of the magazine and claimed that they have found a computer virus. Careful examination showed that it was the VIENNA virus. At that time the computer virus was a completely new idea for us. To make a computer program, whose performance resembles a live being, is able to replicate and to move from computer to computer even against the will of the user, seemed extremely exciting. The fact that "it can be done" and that even "it had been done" spread in our country like wildfire. Soon hackers obtained a copy of the virus and began to hack it. It was noticed that the program contains no "black magic" and that it was even quite sloppily written. Soon new, home--made and improved versions appeared. Some of them were produced just by assembling the disassembly of the virus using a better optimizing assembler. Some were optimized by hand. As a result, now there are several versions of this virus, that were created in Bulgaria --- versions with infective lengths of 627, 623, 622, 435, 367, 353 and even 348 bytes. The virus has been made almost two times shorter (its original infective length is 648 bytes) without any loss of functionality. This virus was the first case. Soon after that, we were "visited" by the CASCADE and the PING PONG viruses. The later was the first boot--sector virus and proved that this special area, present on every diskette can be used as a virus carrier, too. All these three viruses were probably imported with illegal copies of pirated programs. 2) Who, What & Why. =================== 2.1) The first Bulgarian virus. ------------------------------- At that time both known viruses that infected files ( VIENNA and CASCADE) infected only COM files. This made me believe that the infection of EXE files was much more difficult. Unfortunately, I made the mistake by telling my opinion to a friend of mine. Let's call him "V.B." for privacy reasons.(1) ................................................................... [(1) These are the initials of his true name. It will be the same with the other virus writers that I shall mention. Please note, that while I have the same initials (and even his full name resembles mine), we are two different persons.] ................................................................... The challenge was taken immediately and soon after that I received a simple virus that was able to infect only EXE files. It is now known to the world under the name of OLD YANKEE. The reason for this is that when the virus infects a new file, it plays the "Yankee Doodle" melody. The virus itself was quite trivial. Its only feature was its ability to infect EXE files. The author of this virus even distributed its source code (or, more exactly, the source code of the program that releases it). Nevertheless, the virus did not spread very widely and even had not been modified a lot. Only a few sites reported to be infected by it. Probably the reason for this was the fact, that the virus was non--resident and that it infected files only on the current drive. So the only possibility to get infected by it was to copy an infected file from one computer to another. When the puzzle of creating a virus which is able to infect EXE files was solved, V.B. lost his interest in this field and didn't write any other viruses. As far as I know, he currently works in real--time signal processing. 2.2) The T.P. case. ------------------- The second Bulgarian virus--writer, T.P., caused much more trouble. When he first heard the idea about aself--replicating program, he was very interested, decided to writehis own virus, and he succeeded. Then he tried to implement a virus protection scheme and succeeded again. The next move was to improve his virus to bypass his own virus protection, then to improve the virus protection and so on. That is why there are currently about 50 different versions of his viruses. Unfortunately, several of them (about a dozen) were quite "successful." They spread world--wide. There are reports about them from all countries of the former Eastern block, as well as from the USA and West Europe. Earlier versions of these TP viruses are known under the name VACSINA, because they contain such a string. In fact, this is the name of the virus author's virus protection program. It is implemented as a device driver with this name. The virus merely tries to open a file with this name, which means "Hey, it's me, let me pass." The latest versions of the virus are best known under the name YANKEE DOODLE, because they play this tune. The conditions on which the tune is played are different with the different versions of the virus --- for instance when the user tries to reboot the system, or when the system timer reaches 5 p.m. All TP viruses are strictly non--destructive. Their author payed particular attention not to destroy any data. For instance, the virus does not infect EXE files for which the true file length and the length of the loadable part as it is present in the EXE header, are not equal. As far as I know, no other virus that is able to infect EXE files works this way. Also, the virus does not try to bypass the resident programs that have intercepted INT 13h, therefore it takes the risk to be detected by most virus activities monitoring software. The author of the virus obviously could circumvent it --- for instance it uses a clever technique, now known as "interrupt tracing" to bypass all programs that have hooked INT 21h. The only reason for not bypassing INT 13h as well, is that this would also bypass all disk casheing programs, thus it could cause damage. Of course, the fact that the virus is not intentionally destructive does not mean that it does not cause any damage. There are several reports of incompatibilities with other software; or of panicking users, that have formatted their disks; or, at least, damage caused by time loss, denial of computer services, or expenses removing the virus. It is well known, that "there ain't no such thing as a good virus." The TP viruses were not spread intentionally; the cause could be called "criminal negligence." The computer used by T.P. to develope his viruses was also shared by several other people. This is common practice in Bulgaria, where not everyone can have a really "personal" computer to work with. T.P. warned the other users that he is writing viruses, but at this time computer viruses were a completely new idea, so nobody took the warning seriously. Since T.P. didn't bother to clean up after himself, these users got, of course, infected. Unintentionally, they spread the infection further. When asked about the reason of writing viruses, T.P. replied that he did this in order to try several new ideas; to better learn the operating system and several programming tricks. He is not interested in this field any more --- he has stopped writing viruses about two years ago. 2.3) The Dark Avenger. ---------------------- In the spring of 1989 a new virus appeared in Bulgaria. It was obviously "home--made" and just to remove any doubts about it, there was a string in it, saying "This program was written in the city of Sofia (C) 1988-89 Dark Avenger." The virus was incredibly infectious --- when it was in memory, it was sufficient to copy or just to open a file to get it infected. When the user felt that there is a virus in his/her system and, without booting from a non--infected write--protected system diskette, ran an anti--virus program which wasn't aware of this new virus, he usually got all his/her executable files infected. The idea of infecting a file when it is opened was new and really "successful." Now such viruses are called "fast infectors." This strategy helped the virus to spread world-- wide. There are reports from all European countries, from the USA, the USSR, even from Thailand and Mongolia. On the top of this, the virus was very dangerously destructive. On each 16th run of an infected program, it overwrote a sector on a random place of the disk, thus possibly destroying the file or directory that contained this sector. The contents of the overwritten sector was the first 512 bytes of the virus body, so even after the system has been cleaned up, there were files, containing a string "Eddie lives...somewhere in time!" This was causing much more damage than if the virus was just formatting the hard disk, since the destruction was very unnoticable and when the user eventually discovered it, his backups probably already contained corrupted data. Soon after that, other clever viruses began to appear. Almost all of them were very destructive. Several contained completely new ideas. Now this person (we still cannot identify him exactly) is believed to be the author of the following viruses: DARK AVENGER, V2000 (two variants), V2100 (two variants), 651, DIAMOND (two variants), NOMENKLATURA, 512 (six variants), 800, 1226, PROUD, EVIL, PHOENIX, ANTHRAX, LEECH... Dark Avenger has several times attacked some anti--virus researchers personally. The V2000/V2100 viruses claim to be written by "Vesselin Bontchev" and in fact hang the computer when any program, containing this string is run. A slightly modified variant of V2100 (V2100-B) has been used to trojanize version 66 of John McAfee's package VIRUSCAN. There are reports that Dark Avenger has called several bulletin board systems in Europe and has uploaded there viruses. The reports come from the UK, Sweden, the Netherlands, Greece... Sometimes the viruses uploaded there are unknown in Bulgaria (NOMENKLATURA,ANTHRAX). But they are obviously made in our country --- they contain messages in Cyrillic. Sometimes Dark Avenger uploads a Trojan program that spreads the virus --- not just an infected program. This makes the detection of the source of infection more difficult. One particular case is when he has uploaded a file called UScan, which, when run, claims to be the "universal virus scanner," written by Vesselin Bontchev. Even the person who has uploaded it, has logged under the name "Vesselin Bontchev." In fact, the program just infected all scanned files with the ANTHRAX virus. While the other Bulgarian virus writers seem to be just irresponsible or with childish mentality, the Dark Avenger can be classified as a "technopath." He is a regular user of several Bulgarian bulletin board systems, so one can easily exchange e-mail messages with him. When asked why his viruses are destructive, he replied that "destroying data is a pleasure" and that he "just loves to destroy other people's work." Unfortunately, no measures can be taken against him in Bulgaria. Since there is no law for information protection, his activities are not illegal there. He can be easily caught by tapping the phones of the BBSes that he uses, but the law enforcement authorities cannot take such measures, since there is no evidence of illegal activities. Alas, he knows this perfectly. 2.4) Lubo & Ian. ---------------- Some of the Dark Avenger's viruses proved to be very "successful" and caused real epidemics. That is why they were often imitated by other virus writers, that had no imagination to design their own virus, but were jealous of Dark Avenger's fame. So they just disassembled his viruses (usually the first one) and used parts of it --- sometimes without even understanding their purpose. Such is the case with the MURPHY viruses. According to a string in them, they are written by "Lubo & Ian, USM Laboratory, Sofia." These people do exist and they have used their real names. "Lubo" has even been several times interviewed by newspaper's reporters. They claim that the virus was written for vengeance. They have done some important work for their boss and the latter refused to pay them. That is why they developed te virus in one night and released it. The fact that the virus will spread outside the laboratory just didn't come to their minds. However, this does not explain the developing of the other versions of the same virus (there are at least four variants). Nevertheless, it proves one more time that it is better (and safer, too) to pay the good programmers well... Besides MURPHY, these two virus writers have created another virus, called SENTINEL (5 variants). The only unusual thing with this virus is that it is written in a high--level programming language (Turbo PASCAL), but is not an overwriting or a companion virus as most HLL viruses are. It is able to infect COM and EXE files by appending itself to them and by preserving their full functionality. It is also memory resident, hides the file length increase when the user issues the DIR command, and even mutates. 2.5) The virus writer from Plovdiv. ----------------------------------- This man, P.D., claimed that he has written viruses "for fun" and only "for himself" and that he "never releases them." Unfortunately, at least two of them have "escaped" by accident. These are the ANTI- PASCAL605 and the TERROR viruses. Especially the latter is extremely virulent and caused a large epidemic in Bulgaria. P.D. was very sorry for that and submitted examples of all his viruses to the anti--virus researchers so that the respective anti--virus programs be developed --- just in case some of these viruses escapes too. These viruses turned out to be quite a few, ranging from extremely stupid to very sophisticated. Here are some of them: XBOOT, ANTIPASCAL (5 variants), TINY (11 variants), MINIMAL-45, TERROR, DARK LORD, NINA, GERGANA, HAPPY NEW YEAR (2 variants), INT 13. P.D. claims that the DARK LORD virus (a minor TERROR variant) is not written by him. The TINY family has nothing to do with the Danish TINY virus (the 163--byte variant of the KENNEDY virus), and, as well as the MINIMAL-45 virus, are written with the only purpose to make the shortest virus in the world. Now P.D. is not writing viruses any more --- because "it is so easy, that it is not interesting," according to his own words. He is currently writing anti--virus programs --- and rather good ones. 2.6) The two guys from Varna. ----------------------------- They are two pupils (V.P. and S.K.) from the Mathematical High School in Varna (a town on the Black Sea). They have developed several viruses and continue to do so, producing more and more sophisticated ones. Furthermore, they intentionally spread their viruses, usually releasing them on the school's computers or in the Technical University in Varna. When asked why they write and release viruses, they reply "because it's so interesting!" The viruses written by them are: MG (5 variants), SHAKE (5 variants), DIR and DIR II. All of them are memory resident and infect files when the DIR command is performed. The last one is an extremely virulent and sophisticated virus --- as sophisticated, as THE NUMBER OF THE BEAST. It is also a completely new type of virus --- it infects nether boot sectors, nor files. Instead, it infects the file system as a whole, changing the information in the directory entries, so that each file seems to begin with the virus. There is a counter of the number of infected systems in the virus body. There is evidence that V.P. and S.K. collect infected files, copy the contents of the counter and then draw curves of the spread of infection, checking the normal distribution law. They are doing this "for fun." 2.7) W.T.'s case. ----------------- W.T. is a virus writer from Sofia, who has written two viruses --- WWT (2 variants) and DARTH VADER (4 variants). According to his own words, he has done so to test a new idea and to gain access to the Virus eXchange BBS (see below). The new idea consisted of a virus (DARTH VADER) that does not increase file lengths, because it searches for unused holes, filled with zeros, and writes itself there. Also, the virus does not perform any write operations. Instead, it just waits for a COM file to be written to by DOS and modifies the file's image in memory just before the write operation is performed. W.T. does not write viruses any more, but he is still extremely interested in this field. He is collecting sophisticated viruses and disassembles them, looking for clever ideas. 2.8) The Naughty Hacker. ------------------------ This virus writer, M.H., is a pupil and also lives in Sofia. He has written several viruses, most of which contain the string "Naughty Hacker" in their body. All of them are non-- destructive, but contain different video effects --- from display desynchronization to a bouncing ball. Currently, at least 8 different variants are isolated, but it is believed that even more exist and are spread in the wild. Also, it is believed that M.H. continues to produce viruses. As usual, he is doing so "because it is interesting" and "for fun." He is also the author of three simple boot sector viruses (BOOTHORSE and two others that are still unnamed). 2.9) Other known virus writers. ------------------------------- The persons listed above are the major Bulgarian virus producers. However, they are not alone. Several other people in Bulgaria have written at least one virus (sometimes more). In fact, making a virus is currently considered there a kind of sport, or a practical joke, or means of self--establishment. Some of these virus writers have supplied their creations directly to the anti--virus researchers, as if they are waiting for a reward. This happens quite often --- probably they expect that the anti--virus researcher, as the best qualified person, will evaluate their creation better. Sometimes the fact that their virus becomes known, is described, and is included in the best anti--virus programs is sufficient for these people and they don't bother to really spread their virus in the wild. So, probably the main reason for these people to produce viruses is the seek of glory, fame, and self--establishment. Such known Bulgarian virus writers (with the respective names of their viruses given in parentheses) are V.D. from Pleven (MICRO-128), A.S. and R.D. from Mihajlovgrad (V123), I.D. from Trojan (MUTANT, V127, V270x), K.D. from Tutrakan (BOYS, WARRIER, WARRIOR, DREAM), and others. 2.10) Unknown Bulgarian virus writers. -------------------------------------- Of course, there are also other virus writers, that are not known to the author of this paper. Sometimes it is possible to determine the town where the viruses were developed --- usually due to an appropriate string in the virus body, or because the virus wasn't found elsewhere. Some of the viruses are very simple, others are quite sophisticated. Here are examples of such viruses. - The KAMIKAZE virus has been detected only in the Institute of Mathematics at the Bulgarian Academy of Sciences, Sofia and is probably made there; - The RAT virus, made in Sofia, as it is written in its body; - The VFSI (HAPPY DAY) virus has been developed in the Higher Institute of Finances and Economics in Svishtov (a small town on the Danube) by an unknown programmer; - The DESTRUCTOR virus, probably made in Plovdiv, where it has been first detected; - The PARITY virus, probably written in the Technical University, Sofia, since it has not been detected elsewhere; - The TONY file and boot sector viruses, probably created in Plovdiv where they have been first detected; - The ETC virus, detected only in Sofia; - The 1963 virus, a quite sophisticated one, probably made in the Sofia University; - The JUSTICE virus. 2.11) The Virus eXchange BBS. ----------------------------- About a year ago, the virus writing in Bulgaria entered a new phase. The virus writers began to organize themselves. The first step was the creation of a specialized bulletin board system (BBS), dedicated to virus exchange. The Virus eXchange BBS. It's system operator (SysOp), T.T. is a student of computer science in the Sofia University. He has established the BBS in his own home. On this BBS, there are two major kinds of files --- anti--virus programs and viruses. The anti--virus programs can be downloaded freely. In order to get access to the virus area, one has to upload there a new virus. However, anyone who uploads a new virus, gets access to the whole virus collection. S/He could then download every virus that is already available, or even all of them. No questions are asked --- for instance for what reason s/he might need these viruses. Furthermore, the SysOp takes no steps to verify the identity of his users. They are allowed to use fake names and are even encouraged to do so. Dark Avenger and W.T., between them are, the most active users, but there are also names like George Bush from New York, Saddam Hussein from Baghdad, Ozzy Ozburn and others. Since this BBS has already a large collection of computer viruses (about 300), it is quite difficult to find a new virus for it. If one wants badly to get access to the virus area, it is much simpler to write a new virus, instead of trying to find a new one. That is exactly what W.T. did. Therefore, this BBS encourages virus writing. Furthermore, on this BBS there are all kinds of viruses --- some of them as 1260, V2P6Z, FLIP, WHALE are considered as extremely dangerous, since they are using several new ideas and clever tricks, which makes them very difficult to be recognized and removed from the infected files. And the Virus eXchange BBS policy makes all these viruses freely available to any hacker that bothers to download them. This will, undoubtedly, lead to the creation of more and more such "difficult" viruses in the near future. The free availability of live viruses has already given its bitter fruits. It helped to viruses created far away from Bulgaria and not widely spread, to cause epidemics in our country. Such was the case of the DATALOCK virus. It has been created in California, USA and uploaded to the Virus eXchange BBS. A few weeks later it was detected in the Technical University, Sofia. Probably one of the users of the BBS had downloaded it from there and spread it "for fun." In the similar way the INTERNAL, TYPO and 1575 viruses entered our country. But the free availability of known live viruses is not the most dangerous thing. After all, since they are already known, there already exist programs to detect and probably to remove them. Much more dangerous is the free availability on this BBS of virus source code! Indeed, original source code or well commented virus disassemblies of several viruses are freely available on the Virus eXchange BBS --- just as any other live virus. To name a few, there are: DARK AVENGER, OLD YANKEE, DIAMOND, AMSTRAD, HYMN, MLTI830, MURPHY, MAGNITOGORSK, ICELANDIC, MIX1, STONED, JERUSALEM, DATACRIME, BURGER, ARMAGEDON, OROPAX, DARTH VADER, NAUGHTY HACKER, 512, VIENNA, 4096, FISH#6, PING PONG, BLACK JEC, WWT, MG, TSD, BOOTHORSE, BAD BOY, LEECH... Most of them are perfectly assemblable sources. The publishing of virus source code has proven to be the most dangerous thing in this field. The VIENNA, JERUSALEM, CASCADE and AMSTRAD viruses are the best examples. Their source code has been made publicly available, which led to the creation of scores of new variants of these viruses. The known variants of only these four viruses are about 20 % of all known viruses, which means more than a hundred variants. One can imagine the consequences of making publicly available the source code of all the viruses listed above. In less than a year we probably will be submerged by thousands new variants... In fact, this process has already begun. The HIV, MIGRAM, KAMASYA, CEMETERY and ANTICHRIST viruses have been obviously created by someone who had access to the source of the MURPHY virus. The ENIGMA virus is clearly based on the OLD YANKEE code. There have been reports about infections with these viruses in one Italian school and an Italian virus writer, known as Cracker Jack is a user of Virus eXchange... The damage caused by this BBS alone to the rest of the world is big enough. But this is not all. Since possession of "viral knowledge" (i.e., live viruses, virus source code) has always tempted hackers and since the legitimate anti--virus researchers usually exchange such things only between themselves and in a very restricted manner, it is not surprising that similar "virus boards" began to pop up around the world. There are currently such BBSes in the USA, Germany, Italy, Sweden, Czechoslovakia, the UK and the Soviet Union. Stopping their activities is very difficult in legal terms, because the possession, storage or willful downloading of computer viruses usually is not considered as a criminal offence. And it shouldn't be --- otherwise the anti--virus researchers themselves will not have a way to exchange virus samples to work with. The creation of a virus--oriented BBS, the system operator of which supported the writing, spreading and exchanging of virus code didn't go unnoticed in Bulgaria. Almost all virus writers have obtained a modem (a not very easy thing in Bulgaria) and contacted it. Afterwards, they began to contact each other by means of electronic messages on this BBS. They have even created a specialized local conference (local for Bulgaria), in order to keep in touch and to exchange ideas how to write clever viruses. Therefore, they began to organize themselves --- a thing that cannot be said about the anti--virus research community in all countries... 3) New ideas. ============= As it can be seen from the examples above, the whole of Bulgaria has turned into some kind of computer virus developing laboratory, where any capable (or not so capable) pupil/student/ programmer is tempted to write his own virus and to test it in the wild. It is not therefore unusual that several completely new ideas were first developed in our country. I shall try to enumerate here some (only the most important) of them. - The interrupt tracing technique, capable of finding the original handler (in DOS or BIOS) of any interrupt vector, has been first implemented in the YANKEE DOODLE (TP) viruses. Later other viruses in the world began to use it (4096, NAUGHTY HACKER). - The "fast infectors" --- viruses that infect on file opening or even on any file operation were first developed in Bulgaria. The first such virus was the DARK AVENGER. Now there are a lot of fast infectors. One of them --- 1963 --- even infects on file deletion. - The "semi--stealth" viruses --- viruses that hide the increasing of the size of the infected files (the 651 virus) or that remove them from the inflected files when one loads them with a debugger (YANKEE DOODLE) both are viruses, made in our country. - Hiding the true file length usually causes problems, because CHKDSK is able to detect the difference between the disk space marked as used in the FAT and the reported file length. Only two Bulgarian viruses in the world are able to handle this problem --- DIAMOND and V2100. - The first really "stealth" file infector --- the 512 virus was Bulgarian. It is true however, that the idea has been discovered independently almost at the same time in other parts of the world (the 4096 virus from Israel). - The only known stealth parasitic virus, which "stealthy" features go down to the BIOS level (i.e., it cannot be detected if active in memory even if the infected file is read at sector and not at file level) is the Bulgarian INT13 virus. - One of the first multi--partite viruses (viruses that are able to infect both files and boot sectors) --- the ANTHRAX virus, has been developed in Bulgaria. It is true, however, that similar ideas can be noticed in the 4096 and GHOST BALLS viruses, which are developed much earlier. Also, other multi--partite viruses (VIRUS-101, V-1, FLIP, INVADER) were created independently almost at the same time (and even earlier) in other parts of the world. - The idea first used in the LEHIGH virus --- to place the virus body in an unused part of the file COMMAND.COM has been further developed by several Bulgarian viruses. They all can infect any COM or EXE file (unlike the LEHIGH virus) in the usual way, but when they are infecting the command interpreter, they place themselves in an area filled with zeros at the end of the file and thus in this case they do not increase its length. Such viruses are TERROR, NAUGHTY HACKER and others. - The method, mentioned above has been developed even further by other Bulgarian viruses. They have noticed that any sufficiently large area of zeros in any file (not just COMMAND.COM) can be used to hide the virus body. The viruses that use this method are again of Bulgarian origin --- PROUD, EVIL, PHOENIX, RAT, DARTH VADER... The latter even does not write to the infected files --- it leaves this task to DOS. And the RAT virus hides itself into the unused part of the EXE file headers. - One of the extremely mutating viruses is the Dark Avenger's virus LEECH. It can exist in more than 4.5 billion variants. It is true, however, that this is neither the first entirely mutating virus (1260 being the first), nor it has the most flexible mutating mechanism (it is much simpler than V2P6Z). - A completely new type of computer virus (DIR II) has been developed by two Bulgarian pupils. This virus does not infect neither files, nor boot sectors. Instead, it infects file systems as a whole, or more exactly --- directory entries. - Different tricks to get control without directly hooking the INT 21h vector were developed by several Bulgarian virus writers. The TERROR virus places a JMP instruction to its body in the original INT 21h handler in DOS. The viruses from the PHOENIX family ( 800, 1226, PROUD, EVIL, PHOENIX) hook an interrupt that is called by DOS on every file--related function (INT 2Ah, AH=82h). The DIR II virus patches itself in the chain of DOS disk device drivers. - The first virus, that is able to infect device drivers (SYS files only), is, of course, Bulgarian. This is the HAPPY NEW YEAR ( 1600) virus. - The first fully functional parasitic virus, written entirely in a high level language (Turbo PASCAL) is the Bulgarian virus SENTINEL. - The Bulgarian virus ANTHRAX is the first virus that is resident in memory only temporary. It removes itself from there after it has infected the first file and then acts as a non--resident virus. - The shortest memory resident virus in the IBM PC world --- only 128 bytes --- is again developed in Bulgaria. There are reports about a 108--byte resident virus, also from there, but they are unconfirmed yet. - The shortest virus in the IBM PC world --- only 45 bytes long, is the Bulgarian virus MINIMAL-45. It seems possible, however, to shorten it even further --- up to 31 bytes, with a big loss of reliability. 4) Why so many viruses are created in Bulgaria. =============================================== Computer viruses are created in all parts of the world, not only in Bulgaria. However, the portion of them that are created in our country is extremely high. Therefore, in the whole world there exist preconditions that make virus writing tempting, but in Bulgaria there exist specific conditions as well. 4.1) Specific reasons for virus writing in Bulgaria. ---------------------------------------------------- 4.1.1) The first, and most important of all is the existence of a huge army of young and extremely qualified people, computer wizards, that are not actively involved in the economic life. The computerization in Bulgaria began without economical reasons. Since our country was a socialist one, its economics was of administrative type. The economics didn't need to be computerized. In fact, computers and planned economics are quite incompatible --- computers help you to produce more in less time and with less effort and money, while the goal of a manager in a planned economics is to fulfil the plan exactly as it is given --- for no more and no less time, and with no more and no less money. However, the communist party leaders in Bulgaria decided that we should computerize --- mainly to be able to supply computers to the Soviet Union and circumvent the embargo. While computerization in itself is not a bad thing, we made a very severe mistake. Bulgarian economics was very weak (now it is even weaker), but we had quite a lot skilled people. Therefore, we should not have tried to produce hardware while we had good chances in the software industry, where mainly "brainware" is required. However, Bulgaria did just the opposite. Instead of buying the hardware, we began to produce it (mainly illegal Apple and IBM clones). Instead of producing our own software and to try to sell it in the West, we began to steal Western computer programs, to change some copyright notices in them, and to re--sell them (mainly in Bulgaria, in the Soviet Union, and in the other countries of the former Eastern block). At that time most Western software was copy protected. Instead of training our skilled people in writing their own programs, we began to train them to break copy protection schemes. And they achieved great success in this field. The Bulgarian hackers are maybe the best in cracking copy protected programs. Besides, they had no real hope in making and selling their own programs, since, due to the total lack of copyright law on computer software, it was impossible to sell more than two or three examples of a computer program in Bulgaria. The rest were copied. Since the introduction of computers in the Bulgarian offices was not a natural process, but due to an administrative order, very often these computers were not used --- they were only considered as an object of prestige. Very often on the desk of a company director, near the phone, stood a personal computer. The director himself almost never used the computer --- however sometimes his/her children came to the office to use it --- to play games or to investigate its internals. While the price of personal computers in Bulgaria was too high to permit a private person to have his/her own computer, it was a common practice to use the computer at the office for personal reasons. At the same time, the computer education was very widely introduced in Bulgaria. Everyone was educated in this field --- from children in the kindergartens to old teachers that had just a few years until pension. Since this kind of science is better comprehended by younger brains, it is no wonder that the people, who became most skilled in this field, were very young. Very young and not morally grown--up. We spent a lot of effort teaching these people how to program, but forgot to educate them in computer ethics. Besides, the lack of respect to the others' work is a common problem in the socialist societies. 4.1.2) The second main reason is the wide--spread practice of software pirating (which was, in fact, a kind of state policy) and the very low payment of the average programmers. As was mentioned above, Bulgaria took the wrong decision in producing computers and stealing programs. There is still no copyright law, concerning computer software there. Because of this, the software piracy was an extremely widespread practice. In fact, almost all software products used were illegal copies. Most people using them have never seen the original diskettes or original documentation. Very often there was no documentation at all. Since all kinds of programs (from games to desktop publishing systems) were copied very often, this greatly helped for the spread of computer viruses. At the same time, the work of the average programmer was evaluated very low --- there were almost no chances to sell his/her software products. Even now, a programmer in Bulgaria is paid 100 to 120 times less than the programmer with the same qualification in the USA. This caused several young people to become embittered against the society that was unable to evaluate them as it should. There is only one step in the transformation of these young people into creators of destructive viruses. Some of them (e.g., the Dark Avenger) took this step. 4.1.3) The third major reason is the total lack of legislative against creation and willful distribution of computer viruses and against illegal access and modification of computer information in general. Because of the lack of copyright laws on computer software, there is no such thing as ownership of computer information in Bulgaria. Therefore, the modification or even the destruction of computer information is not considered a crime --- since no one's property is damaged. The Bulgarian legislature is hopelessly old in this area. Furthermore, even if the appropriate law is accepted in the future, as a punishing law it will not be able to be applied to crimes, committed before it was passed. Therefore, the virus writers still have nothing to fear of. That is why, the creation of new computer viruses has become some kind of sport or entertainment in Bulgaria. 4.1.4) The next reason is the very weak organization of the fight against computer viruses in Bulgaria. Just now our country is in a very deep economical crisis. We lack funds for everything, including such basic goods as food and gasoline. At the same time, the organization of the virus fight would require money --- for the establishment of a network of virus test centers that collect and investigate computer viruses, centers equipped with the best hardware, centers that are able to communicate between themselves and with the other similar centers in the world in an effective way. Such an effective way is the electronic mail system --- and Bulgaria still does its first steps in global computer communications. All this requires a lot of money --- money that our government just does not have now. 4.1.5) Another reason is the incorrect opinion, that the society has on the computer virus problem. Still, the victims of a computer virus attack consider themselves as victims of a bad joke, not as victims of a crime. 4.1.6) The least important reason, in my opinion, is the availability and the easy access to information of a particular kind. All kind of tricks how to fool the operating system circulate among the Bulgarian hackers. Some of them are often published in the computer related magazines. As it was mentioned above, there is even a specialized BBS, dedicated to virus spreading and a special (local to Bulgaria) FidoNet echo, dedicated to virus writing. Not to mention the well--known file INTERxyy, published by Ralf Brown from the USA as shareware. It is very popular in Bulgaria, since it contains, carefully described, a huge number of undocumented tricks. However, this is not a very important reason. Usually those, who have decided to make a virus already know how to do it, or, at least, can figure it out by themselves. They do not need to take an existing virus and to modify it. The proof is the prevalence of original Bulgarian viruses over the variants of known ones, as well as the fact, that many new ideas for virus writing were first invented and implemented in Bulgaria. 4.2) General reasons. --------------------- Since viruses are also created in all the other parts of the world, there should be also some general reasons for this. These reasons are, of course, valid for Bulgaria too. Let's see these general reasons. 4.2.1) Wish for glory. Every programmer dreams that his/her program gets widely spread and used. A lot of very good programmers write and distribute wonderful software packages for free --- with the only intention to have more users using their package. However, for a program to be used, it has to be good enough. And not every programmer is able to make a program so good that the users will widely use it --- even for free. At the same time, computer viruses do spread very widely, regardless and even against the users' will. So, when a virus writer reads in a newspaper that his virus has been discovered at the other end of the world, he feels some kind of perverted pleasure. Some people write viruses just to see their names (or the names of their viruses) published in the newspapers. This reason has yet another aspect. In the beginning of the virus era, when the idea of the computer virus was very new, only the very good programmers were able to make a virus. It became a common myth that if you can write a virus, you're a great programmer. This myth might have been justified at the beginning, but now it is completely without sense. Nevertheless, young hackers began to write viruses --- just to prove to their friends and to the rest of the world how good programmers they are. Some of them were really unable to invent something original --- that's why they just picked a known virus, modified it a bit and released this new mutation. This explains why there are so many variants of the simplest viruses that were first created --- BRAIN, JERUSALEM, STONED, VIENNA, CASCADE... A typical example is the Italian virus writer, who calls himself Cracker Jack. 4.2.2) Simple human curiosity. One has to admit that the idea of a computer program that is able to spread by its own means, to replicate, to hide from the user (who is believed to maintain the computer under full control), and in general to behave as a real live being is really fascinating. Just simple human curiosity is sufficient to make some people, if they are young and irresponsible enough, to try to make a computer virus. Some of them do succeed. A greater and greater part, if we consider the amount of last reports for new viruses. Some of them claim that they are writing viruses "only for themselves," "only for fun," and that "they do not spread them." However, it is often impossible to fully control the spread of a "successful" computer virus. The more clever these viruses are, the greater the probability that they will "escape." There is an idea to teach students how viruses are made --- of course in a very strongly restricted environment. Maybe at least for some this will fulfil their curiosity and they will not be tempted to write their own virus. Maybe if we force every computer science student to learn Dr. Fred Cohen's theorems on the computational aspects of computer viruses, if we administer an exam and ask students to design a virus protection scheme or to help a cluster of users, attacked by a computer virus for a course work --- well, maybe in this case these students will have more than enough of the computer virus problem and will not want to hear about it any more --- least to make their own viruses. 4.2.3) Easy access to information. Sufficient information, needed to write a virus can be found easily. This information is often even more accessible than in Bulgaria. The person that wants to write an average virus needs only to dig in the respective manuals --- manuals, which are often not available in Bulgaria. However, the usefulness of the easy access to this information is much greater than the damage, caused by the fact that it is used by the virus writers. 4.2.4) Military interests. It is often rumoured that the superpowers are working on the problem how to use computer viruses to destroy the enemy computers' software. It is even very probable, that in several countries such research is performed. There are reports on this from the USA, France and the USSR. This is no wonder --- it is the right of every military force to investigate any new idea and to consider the possible usefulness and/or threats it might bring to the national defense. However, it is quite improbable that the computer viruses can be used for this purpose. Just like the live viruses, the computer ones are able to spread only among individuals with very similar immunotype, i.e. --- among compatible computers. The most widely used kinds of personal computers are the IBM PC, Macintosh, Amiga and Atari ST. It is therefore no wonder that the vast majority of existing computer viruses are able to infect only these computers. In the same time, viruses that infect one kind of computer (say, IBM PC), are unable to spread (or even to run) on another (e.g., a Macintosh). They are usually not able to run even on two different operating systems in one and the same computer. Even a different version of the same operating system might cause big problems to a particular computer virus --- up to preventing it to work. The common personal computers are never assigned important tasks in the army. Therefore, even if a virus infects them, and even if it destroys all the data on all such computers, the caused damage will not be of great importance. Computers that are used for the really important things, such as rocket leading or cannon aiming, are always specialized ones. Their programs are usually hard--coded and only data can be entered in them. It is not possible to insert an infected IBM PC diskette in the computers that control the NORAD system. At the same time, the computers that control different important devices are usually incompatible even between themselves. Therefore, even if someone writes a virus for a specialized rocket computer, this virus will not be able to infect the computers of a strategic bomber or even these of a rocket of a different system. So, such virus will not spread very much. And last, but not least, such virus has to be placed somehow in the enemy's computers. Since, as we saw above, it won't be able to spread from one computer to another of a different kind, obviously someone has to insert it in the victim computer. But if you have access to the enemy's computers, you don't need a virus. You can do the same task easier (and often much better) "manually", or with a Trojan horse or a logic bomb. 4..2.5) Corporate interests. It is also often speculated that the large software companies and the producers of anti--virus software make or willfully spread computer viruses. There is some reason behind this. Indeed the fear of viruses can make the user buy only original software (sometimes --- quite expensive), and not to use pirated copies, shareware or freeware. At the same time, companies that produce anti--virus software are interested that their products are sold. And they will be, if the user needs anti--virus protection. However, it is rather improbable, that a software company (whether producing or not anti--virus software) will take the risk to become known that it willfully spreads viruses. It will be probably boycotted by its users and the losses of income will be much greater than any gains. As to the producers of anti--virus software, they don't need to write viruses themselves, in order to sell their programs. It is sufficient to use the hype that the media accords to the problem, to mention how many viruses there are and how many of them their wonderful product is able to defeat. 5) The Soviet virus factory and virus writing in the other countries ===================================================================== of the former Eastern block. ============================ While Bulgaria was one of the best computerized countries in East Europe, the political, economical, and social conditions in the other countries were (and maybe still are) quite similar. That is why the virus writing and spreading has been developed in these countries too. Viruses are created in Poland ( W13, 217, 583, FATHER CHRISTMAS, DOT EATER, JOKER, VCOMM, AKUKU, 311, HYBRYD), in Hungary ( STONE `90, FILLER, MONXLA, POLIMER, TURBO KUKAC), in Czechoslovakia (the AANTIVIRUS virus), and even in Yugoslavia ( 17Y4, SVIR). According to some reports from Romania, there are no viruses written there, but the W13, YANKEE DOODLE, DARK AVENGER and StONED viruses are quite widespread. However, the country most similar to Bulgaria is, undoubtedly, the Soviet Union. According to the Soviet anti--virus researcher Bezrukov [Bezrukov], the first virus appeared there almost at the same time as in Bulgaria and, by the way, it was the same virus ( VIENNA). So, the preconditions are almost the same as with our country. There are, however, two main differences: the level of computerization and the number of virus writers. The level of computerization is still much lower than in Bulgaria. There are much fewer computers per person than in our country. The users are much more isolated, due to the much larger distances. The telephone network is in the same miserable condition, as in Bulgaria. The networks are very few and not widely used. For instance, in Sofia alone there are more FidoNet nodes than in the whole Soviet Union. It is not safe to send floppy disks by regular mail, since they will be probably stolen. All this delays very much the spreading of viruses. Unfortunately, it also delays the distribution of anti--virus products and the information exchange between the anti--virus researchers. For instance, examples of new viruses created there reach the Western anti--virus researchers with huge delays. Unfortunately, the other factor is much more dangerous. In the USSR there are much more programmers than in Bulgaria and they seem at least as much motivated in creating new viruses. The virus writing in the Soviet Union is currently in the same state as it was in Bulgaria about three years ago. However, at that time only nine variants of known viruses and one stupid original virus has been created there (6 VIENNA variants, 3 AMSTRAD variants, and the OLD YANKEE virus). At the first Soviet anti--virus conference in Kiev (mid--November, 1990) more than 35 different viruses of Russian origin were reported. Some of them were variants of known viruses, while others were completely new. It has been noticed that the Soviet virus writers are less qualified than the Bulgarian ones, but they use a destructive payload in their creations much more often. Since the reasons of virus writing in the USSR are very similar to those in Bulgaria; since this virus writing occurs in a much larger scale; and since no steps are taken by the authorities in order to stop it, it is possible to predict that in the next few years the Soviet Union will be far ahead of Bulgaria in computer virus creation and that a new, much larger wave of computer viruses will come from there. Probably after a year, several (up to ten) virus writers with the qualification of the Dark Avenger will emerge from there. 6) The impact of the Bulgarian viruses on the West and on the national ====================================================================== software industry. ================== While a huge part of the existing viruses are produced in Bulgaria, a relatively very small part of them spread successfully to the West. Of more than 160 Bulgarian viruses, only very few ( DARK AVENGER, V2000, V2100, PHOENIX, DIAMOND, NOMENKLATURA, VACSINA, YANKEE DOODLE) are relatively widespread. At the same time some of them ( DARK AVENGER, V2000, YANKEE DOODLE, VACSINA) are extremely widespread. According to John McAfee, about 10 % of all infections in the USA are caused by Bulgarian viruses --- usually by the DARK AVENGER virus. In West Europe this virus shares the popularity with YANKEE DOODLE and VACSINA. Of the viruses listed above, the major part are written by the Dark Avenger --- all except YANKEE DOODLE and VACSINA. Almost all his viruses (in this case --- with the exception of DIAMOND, which is the least spread) are extremely destructive. The PHOENIX and NOMENKLATURA viruses corrupt the FAT in such a subtle way, that when the user notices the damage, there is no way to disinfect the infected files and even to determine which files are damaged. The only way is to reformat the hard disk. It is difficult to estimate the costs of all damage caused by Bulgarian viruses. There are reports from Germany about a 10,000,000 DM damage, caused only by the VACSINA virus. It is probable, however, that these numbers are largely overestimated. The huge number of known Bulgarian viruses causes also indirect damage to the West community, even if the viruses themselves do not escape from Bulgaria, but only examples of them are supplied to the anti--virus researchers. These researchers have to develop anti--virus programs against these viruses (just in case the latter succeed to spread outside Bulgaria). Therefore, they have to waste their time and efforts. Furthermore, the user is forced to buy new anti--virus programs (or pay for updates of the old ones), in order to feel safe against these viruses. In the same time, the creation and spreading of Bulgarian viruses causes a lot of damage to the Bulgarian economics. In Bulgaria, the Bulgarian viruses are much more widespread. More than 80 % of about 160 known Bulgarian viruses have been detected in the wild in our country. It is difficult, however, to evaluate, or even to estimate the exact costs of the caused damage, since in Bulgaria the term "property of computer information" simply does not exist in legal sense. It is the same with the cost of this information. In fact, the creation of computer viruses causes also indirect damage to our economics. First of all, a lot of extremely capable people are wasting their minds to create destructive viruses, instead of something useful. Second, the fact that the Bulgarian programmers use their time to create computer viruses destroys their reputation as a whole. No serious software company accepts to deal with Bulgarian programmers or software companies, because it is afraid that the supplied software might be pirated or might contain a virus. 7) Conclusion. Virus writing in Bulgaria is an extremely widespread hobby. Most of the major virus writers are known, but no measures can be taken against them. Their work causes a lot of damage to the Western community, as well as to the national economics. Therefore, it is urgent to take legal measures in this direction; measures that will make virus writing and willful spread of computer viruses a criminal act. This is the only way to stop, or at least to reduce the threat. References ========== [KV88] Viruses in Memory, Komputar za vas, 4--5, 1988, pp.12--13 (in Bulgarian) [KV89] The Truth about Computer Viruses, Vesselin Bontchev, Komputar za vas, 1--2, 1989, pp. 5--6 (in Bulgarian) [Chip] Die neue Gefahr --- Computerviren, Steffen Wernery, Chip, 9, 1987, pp. 34--37 (in German) [Bezrukov] Computer Virology, Nikolay Nikolaevitch Bezrukov, Kiev, 1991, ISBN 5-88500-931-X (in Russian) Downloaded From P-80 International Information Systems 304-744-2253