Pit Schultz on Thu, 15 May 1997 03:30:56 +0200 (MET DST)



<nettime> The Bulgarian and Soviet Virus Factories


The Bulgarian and Soviet Virus Factories

Vesselin Bontchev, Director
Laboratory of Computer Virology
Bulgarian Academy of Sciences, Sofia, Bulgaria
 
0) Abstract

It is now well known that Bulgaria is the leader in computer virus 
production and the USSR is following closely. This paper tries to answer the 
main questions: Who makes viruses there, What viruses are made, and Why this 
is done. It also underlines the impact of this process on the West, as well 
as on the national software industry.
 
1) How the story began
 
Just three years ago there were no computer viruses in Bulgaria. After all, 
these were things that could happen only in the capitalist countries. They 
were first mentioned in the April issue of the Bulgarian computer magazine 
"Komputar za vas" ("Computer for you") [KV88] in a paper translated from 
the German magazine "Chip" [Chip]. Soon after that, the same Bulgarian 
magazine published an article [KV89], explaining why computer viruses 
cannot be dangerous. The arguments presented were correct in general, but 
the author had completely missed the fact that the majority of PC users are 
not experienced programmers.
 
A few months later, in the fall of the same year, two men came into the 
editor's office of the magazine and claimed that they had found a computer 
virus. Careful examination showed that it was the VIENNA virus.
 
At that time the computer virus was a completely new idea for us. To make a 
computer program whose performance resembles a living being, which is able 
to replicate and move from computer to computer even against the will of the 
user, seemed extremely exciting.
 
The news that "it can be done" and that even "it had been done" spread in 
our country like wildfire. Soon hackers obtained a copy of the virus and 
began to hack it. It was noticed that the program contains no "black magic" 
and that it was even quite sloppily written. Soon new, home-made, improved 
versions appeared. Some of them were produced just by assembling the 
disassembly of the virus using a better optimizing assembler. Some were 
optimized by hand. As a result, now there are several versions of this virus 
created in Bulgaria -- versions with infective lengths of 627, 623, 622, 
435, 367, 353 and even 348 bytes. The virus has been made almost two times 
shorter (its original infective length is 648 bytes) without any loss of 
functionality.
 
This virus was the first case. Soon after that, we were "visited" by the 
CASCADE and the PING PONG viruses. The latter was the first boot-sector 
virus and proved that this special area, present on every diskette, can be 
used as a virus carrier, too. All three of these viruses were probably 
imported with illegal copies of pirated programs.
 
2) Who, What & Why.
 
2.1) The first Bulgarian virus.

At that time both known viruses that infected files (VIENNA and CASCADE) 
infected only COM files. This made me believe that the infection of EXE 
files was much more difficult. Unfortunately, I made the mistake of telling 
my opinion to a friend of mine. Let's call him "V.B." for privacy 
reasons.(1) [(1) These are the initials of his real name. It will be the 
same with the other virus writers that I shall mention. Please note that 
while I have the same initials (and even his full name resembles mine), we 
are two different persons.] The challenge was taken up immediately and soon 
after that I received a simple virus that was able to infect only EXE files. 
It is now known to the world under the name of OLD YANKEE. The reason for 
this is that when the virus infects a new file, it plays the "Yankee Doodle" 
melody.
 
The virus itself was quite trivial. Its only feature was its ability to 
infect EXE files. The author of this virus even distributed its source code 
(or, more exactly, the source code of the program that releases it). 
Nevertheless, the virus did not spread very widely and had not even been 
modified a lot. Only a few sites reported to be infected by it. Probably the 
reason for this was the fact that the virus was non-resident, and that it 
infected files only on the current drive, so the only possibility to get 
infected by it was to copy an infected file from one computer to another.
 
When the puzzle of creating a virus which is able to infect EXE files was 
solved, V.B. lost his interest in this field and didn't write any other 
viruses. As far as I know, he currently works in real-time signal processing.
 
2.2) The T.P. case.
 
The second Bulgarian virus writer, T.P., caused much more trouble. When he 
first heard the idea of a self-replicating program, he was very 
interested, decided to write his own virus, and he succeeded. Then he tried 
to implement a virus protection scheme and succeeded again. The next move 
was to improve his virus to bypass his own virus protection, then to improve 
the virus protection, and so on. That is why there are currently about 50 
different versions of his viruses.
 
Unfortunately, several of them (about a dozen) were quite "successful." They 
spread world-wide. There are reports about them from all countries of the 
former Eastern Bloc, as well as from the USA and West Europe.  Earlier 
versions of these TP viruses are known as VACSINA, because they contain such 
a string. In fact, this is the name of the virus author's virus protection 
program. It is implemented as a device driver with this name. The virus 
merely tries to open a file with this name, which means "Hey, it's me, let 
me pass."
 
The latest versions of the virus are best known under the name YANKEE 
DOODLE, because they play this tune. The conditions on which the tune is 
played are different with the different versions of the virus --- for 
instance when the user tries to reboot the system, or when the system timer 
reaches 5 p.m.

All TP viruses are strictly non-destructive. Their author paid particular 
attention not to destroy any data. For instance, the virus does not infect 
EXE files for which the true file length and the length of the loadable 
part, as it is in the EXE header, are not equal. As far as I know, no other 
virus that is able to infect EXE files works this way.
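The header comparison the paragraph describes (declared loadable length versus true file length) is also a useful integrity check in the other direction: an appending infector leaves bytes after the image the MZ header declares. This is an added Python example, not code from the paper or from the TP viruses; the sample files it checks are constructed in the block, and the field names e_cblp/e_cp are the conventional MZ header names.

```python
import struct

PAGE_SIZE = 512  # MZ headers count the loadable image in 512-byte pages


def mz_declared_length(header: bytes) -> int:
    """Return the length of the loadable part as declared by an MZ (DOS EXE)
    header: e_cp pages in total, the last page holding e_cblp bytes
    (e_cblp == 0 conventionally means the last page is full)."""
    if len(header) < 6 or header[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", header, 2)
    if e_cp == 0 or e_cblp > PAGE_SIZE:
        raise ValueError("malformed MZ header")
    if e_cblp == 0:
        return e_cp * PAGE_SIZE
    return (e_cp - 1) * PAGE_SIZE + e_cblp


def check_exe_image(data: bytes) -> dict:
    """Compare the declared loadable length with the true file length.
    A positive overlay means bytes follow the declared image, which is what
    an appending file infector leaves behind. Legitimate programs that carry
    an overlay produce the same mismatch, so treat it as a hint, not proof."""
    declared = mz_declared_length(data)
    actual = len(data)
    return {
        "declared": declared,
        "actual": actual,
        "overlay": actual - declared,
        "consistent": declared == actual,
    }


def build_mz_sample(image_len: int, appended: bytes = b"") -> bytes:
    """Constructed sample: a minimal MZ header whose e_cblp/e_cp fields
    describe an image of image_len bytes, zero-padded to that length and
    optionally followed by bytes the header does not account for."""
    pages, last = divmod(image_len, PAGE_SIZE)
    e_cp = pages + (1 if last else 0)
    header = b"MZ" + struct.pack("<HH", last, e_cp)
    return header + b"\x00" * (image_len - len(header)) + appended


if __name__ == "__main__":
    clean = build_mz_sample(1000)
    print(check_exe_image(clean))       # overlay 0, consistent True
    tampered = build_mz_sample(1000, b"\x90" * 300)
    print(check_exe_image(tampered))    # overlay 300, consistent False
```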
 
Also, the virus does not try to bypass the resident programs that have 
intercepted INT 13h, and therefore it risks being detected by most 
virus-activity monitoring software. The author of the virus obviously 
could have circumvented them --- for instance, it uses a clever technique, 
now known as "interrupt tracing", to bypass all programs that have hooked 
INT 21h. The only reason for not bypassing INT 13h as well is that this 
would also bypass all disk caching programs, and thus could cause damage.
 
Of course, the fact that the virus is not intentionally destructive does not 
mean that it does not cause any damage. There are several reports of 
incompatibilities with other software; of panicking users who have 
formatted their disks; or, at the least, damage caused by time loss, denial 
of computer services, or the expense of removing the virus. It is well known 
that "there ain't no such thing as a good virus."
 
The TP viruses were not spread intentionally; the cause could be called 
"criminal negligence." The computer used by T.P. to develop his viruses was 
also shared by several other people. This is common practice in Bulgaria, 
where not everyone can have a really "personal" computer to work with. T.P. 
warned the other users that he was writing viruses, but at that time computer 
viruses were a completely new idea, so nobody took the warning seriously. 
Since T.P. didn't bother to clean up after himself, these users got, of 
course, infected. Unintentionally, they spread the infection further.
 
When asked about his reason for writing viruses, T.P. replied that he did 
this in order to try several new ideas and to learn the operating system 
and several programming tricks better. He is not interested in this field 
any more - he stopped writing viruses about two years ago.
 
2.3) The Dark Avenger.

In the spring of 1989 a new virus appeared in Bulgaria. It was obviously 
"home-made" and just to remove any doubts about it, there was a string in 
it, saying "This program was written in the city of Sofia (C) 1988-89 Dark 
Avenger."
 
The virus was incredibly infectious: when it was in memory it was sufficient 
to copy or just to open a file to get it infected.  If a user thought there 
was a virus in his/her system, and, without booting from a non-infected 
write-protected system diskette, ran an anti-virus program which wasn't 
aware of this new virus, he usually got all his/her executable files infected.
 
The idea of infecting a file when it was opened was new and really 
"successful." Now such viruses are called "fast infectors." This strategy 
helped the virus to spread world-wide. There are reports from all European 
countries, from the USA, the USSR, even from Thailand and Mongolia.
 
On top of this, the virus was very dangerous and destructive. On every 
16th run of an infected program, it overwrote a sector at a random place on 
the disk, thus possibly destroying the file or directory that contained this 
sector. The contents of the overwritten sector were the first 512 bytes of 
the virus body, so even after the system had been cleaned up, there were 
files containing the string "Eddie lives...somewhere in time!" This caused 
much more damage than if the virus had just formatted the hard disk, since 
the destruction was almost unnoticeable, and when the user eventually 
discovered it, his backups probably already contained corrupted data.
 
Soon after that, other clever viruses began to appear. Almost all of them 
were very destructive. Several contained completely new ideas. Now this 
person (we still cannot identify him exactly) is believed to be the author 
of the following viruses:
 
DARK AVENGER, V2000 (two variants), V2100 (two variants), 651, DIAMOND (two 
variants), NOMENKLATURA, 512 (six variants), 800, 1226, PROUD, EVIL, 
PHOENIX, ANTHRAX, LEECH...
 
Dark Avenger has attacked some anti-virus researchers personally several 
times. The V2000/V2100 viruses claim to be written by "Vesselin Bontchev" 
and in fact hang the computer when any program containing this string is 
run. A slightly modified variant of V2100 (V2100-B) has been used to 
trojanize version 66 of John McAfee's package VIRUSCAN.
 
There are reports that Dark Avenger has called several bulletin board 
systems in Europe and has uploaded viruses there. The reports come from the 
UK, Sweden, the Netherlands, Greece... Sometimes the viruses uploaded there 
are unknown in Bulgaria (NOMENKLATURA, ANTHRAX). But they are obviously made 
in our country - they contain messages in Cyrillic. Sometimes Dark Avenger 
uploads a Trojan program that spreads the virus - not just an infected 
program. This makes the detection of the source of infection more difficult.
 
One particular case is when he uploaded a file called UScan, which, when 
run, claims to be the "universal virus scanner," written by Vesselin 
Bontchev. Even the person who uploaded it had logged in under the name 
"Vesselin Bontchev." In fact, the program just infected all scanned files 
with the ANTHRAX virus.
 
While the other Bulgarian virus writers seem to be merely irresponsible or 
childish, the Dark Avenger can be classified as a "technopath." He is a 
regular user of several Bulgarian bulletin board systems, so one can easily 
exchange e-mail messages with him. When asked why his viruses are 
destructive, he replied that "destroying data is a pleasure" and that he 
"just loves to destroy other people's work."
 
Unfortunately, no measures can be taken against him in Bulgaria. Since there 
is no law for information protection, his activities are not illegal there. 
He can be easily caught by tapping the phones of the BBSes that he uses, but 
the law enforcement authorities cannot take such measures, since there is no 
evidence of illegal activities. Alas, he knows this perfectly.
 
2.4) Lubo & Ian.
 
Some of the Dark Avenger's viruses proved to be very "successful" and caused 
real epidemics. That is why they were often imitated by other virus writers 
who had no imagination to design their own virus, but were jealous of Dark 
Avenger's fame. So they just disassembled his viruses (usually the first 
one) and used parts of them - sometimes without even understanding their 
purpose. Such is the case with the MURPHY viruses.
 
According to a string in them, they are written by "Lubo & Ian, USM 
Laboratory, Sofia." These people do exist and they have used their real 
names. "Lubo" has even been interviewed several times by newspaper 
reporters.
 
They claim that the virus was written for vengeance. They had done some 
important work for their boss who later refused to pay them. That's why, one 
night, they developed the virus and released it. The fact that the virus 
would spread outside the laboratory just didn't come to their minds. 
However, this does not explain the development of the other versions of the 
same virus (there are at least four variants). Nevertheless, it proves one 
more time that it is better (and safer, too) to pay good programmers well...
 
Besides MURPHY, these two virus writers have created another virus, called 
SENTINEL (5 variants). The only unusual thing with this virus is that it is 
written in a high-level programming language (Turbo PASCAL), but is not an 
overwriting or a companion virus as most HLL viruses are. It is able to 
infect COM and EXE files by appending itself to them and by preserving their 
full functionality. It is also memory resident - it hides the file length 
increase when the user issues the DIR command, and even mutates.  

2.5) The virus writer from Plovdiv.
 
This man, P.D., claimed that he has written viruses "for fun" and only "for 
himself" and that he "never releases them." Unfortunately, at least two of 
them have "escaped" by accident. These are the ANTI-PASCAL605 and the 
TERROR viruses. The latter especially is extremely virulent and caused a 
large epidemic in Bulgaria.
 
P.D. was very sorry for that and submitted examples of all his viruses to 
the anti-virus researchers so that the respective anti-virus programs could 
be developed - just in case some of these viruses escape too. These viruses 
turned out to be quite a few, ranging from extremely stupid to very 
sophisticated. Here are some of them:
 
XBOOT, ANTIPASCAL (5 variants), TINY (11 variants), MINIMAL-45, TERROR, DARK 
LORD, NINA, GERGANA, HAPPY NEW YEAR (2 variants), INT13.
 
P.D. claims that the DARK LORD virus (a minor TERROR variant) is not written 
by him. The TINY family has nothing to do with the Danish TINY virus (the 
163-byte variant of the KENNEDY virus), and, like the MINIMAL-45 virus, was 
written with the sole purpose of making the shortest virus in the world.
 
Now P.D. is not writing viruses any more --- because, in his own words, "it 
is so easy that it is not interesting." He is currently writing anti-virus 
programs - and rather good ones.
 
2.6) The two guys from Varna.

They are two pupils (V.P. and S.K.) from the Mathematical High School in 
Varna (a town on the Black Sea). They have developed several viruses and 
continue to do so, producing more and more sophisticated ones. Furthermore, 
they intentionally spread their viruses, usually releasing them on the 
school's computers or in the Technical University in Varna. When asked why 
they write and release viruses, they reply "because it's so interesting!"
 
The viruses written by them are: MG (5 variants), SHAKE (5 variants), DIR 
and DIR II. All of them are memory resident and infect files when the DIR 
command is performed.

The last one is an extremely virulent and sophisticated virus - as 
sophisticated as THE NUMBER OF THE BEAST. It is a completely new type of 
virus as well - it infects neither boot sectors nor files. Instead, it 
infects the file system as a whole, changing the information in the 
directory entries, so that each file seems to begin with the virus.
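A file system in which every file "seems to begin with the virus" shows up on disk as many directory entries pointing at the same starting cluster, something no healthy volume has for non-empty files. The check below is an added Python example, not code from the paper and not a description of DIR II's exact on-disk trick; it assumes the FAT12/FAT16 directory entry layout (16-bit first cluster at offset 26, 32-bit size at offset 28) and runs over a directory constructed in the block.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ATTR_VOLUME_LABEL = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F  # VFAT long-name entries carry no cluster of their own


def parse_directory(raw: bytes) -> list:
    """Parse a raw FAT12/FAT16 directory into (name, first_cluster, size)
    tuples for regular files, skipping free, deleted, volume-label,
    subdirectory and long-name entries."""
    files = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # free entry: no entries follow it
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        attr = entry[11]
        if attr == ATTR_LONG_NAME or attr & (ATTR_VOLUME_LABEL | ATTR_DIRECTORY):
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        name = f"{base}.{ext}" if ext else base
        first_cluster, size = struct.unpack_from("<HI", entry, 26)
        files.append((name, first_cluster, size))
    return files


def shared_first_clusters(raw: bytes) -> dict:
    """Map each first cluster claimed by more than one non-empty file to the
    names of those files. On a healthy volume every non-empty file owns its
    own cluster chain, so any entry in the result deserves a closer look."""
    by_cluster = defaultdict(list)
    for name, first_cluster, size in parse_directory(raw):
        if size > 0 and first_cluster != 0:
            by_cluster[first_cluster].append(name)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def make_entry(name: str, ext: str, first_cluster: int, size: int,
               attr: int = 0x20) -> bytes:
    """Constructed 32-byte directory entry (time and date fields left zero)."""
    return (name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
            + bytes([attr]) + b"\x00" * 14
            + struct.pack("<HI", first_cluster, size))


# Constructed sample directory: four files, two of which have been
# redirected to the same first cluster.
SAMPLE_DIR = (make_entry("FOO", "COM", 5, 2048)
              + make_entry("BAR", "EXE", 9, 40960)
              + make_entry("BAZ", "COM", 5, 1200)
              + make_entry("README", "TXT", 14, 300)
              + b"\x00" * ENTRY_SIZE)

if __name__ == "__main__":
    print(shared_first_clusters(SAMPLE_DIR))   # {5: ['FOO.COM', 'BAZ.COM']}
```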
 
There is a counter of the number of infected systems in the virus body. 
There is evidence that V.P. and S.K. collect infected files, copy the 
contents of the counter and then draw curves of the spread of infection, 
checking the normal distribution law. They are doing this "for fun."
 
2.7) W.T.'s case.
 
W.T. is a virus writer from Sofia who has written two viruses --- WWT (2 
variants) and DARTH VADER (4 variants). According to his own words, he has 
done so to test a new idea and to gain access to the Virus eXchange BBS (see 
below).
 
The new idea consisted of a virus (DARTH VADER) that does not increase file 
lengths, because it searches for unused holes, filled with zeros, and writes 
itself there. Also, the virus does not perform any write operations. 
Instead, it just waits for a COM file to be written to by DOS and modifies 
the file's image in memory just before the write operation is performed.
 
W.T. does not write viruses any more, but he is still extremely interested 
in this field. He is collecting sophisticated viruses and disassembles them, 
looking for clever ideas.
 
2.8) The Naughty Hacker.
 
This virus writer, M.H., is a pupil and also lives in Sofia. He has written 
several viruses, most of which contain the string "Naughty Hacker" in their 
body. All of them are non-destructive, but contain different video effects - 
from display desynchronization to a bouncing ball.
 
Currently, at least 8 different variants are isolated, but it is believed 
that even more exist and are spread in the wild. Also, it is believed that 
M.H. continues to produce viruses. As usual, he is doing so "because it is 
interesting" and "for fun."
 
He is also the author of three simple boot sector viruses (BOOTHORSE and two 
others that are still unnamed).
 
2.9) Other known virus writers.
 
The persons listed above are the major Bulgarian virus producers. However, 
they are not alone. Several other people in Bulgaria have written at least 
one virus (sometimes more). In fact, making a virus is currently considered 
a kind of sport there, or a practical joke, or means of self-establishment.

 Some of these virus writers have supplied their creations directly to the 
anti-virus researchers, as if they are waiting for a reward. This happens 
quite often - probably they expect that the anti-virus researcher, as the 
best qualified person, will evaluate their creation better. Sometimes the 
fact that their virus becomes known, is described, and is included in the 
best anti-virus programs is sufficient for these people and they don't 
bother to really spread their virus in the wild. So, probably the main 
reason for these people to produce viruses is the pursuit of glory, fame, 
and self-establishment.
 
Such known Bulgarian virus writers (with the respective names of their 
viruses given in parentheses) are V.D. from Pleven (MICRO-128), A.S. and 
R.D. from Mihajlovgrad (V123), I.D. from Trojan (MUTANT, V127, V270x), K.D. 
from Tutrakan (BOYS, WARRIER, WARRIOR, DREAM), and others.
 

2.10) Unknown Bulgarian virus writers.

Of course, there are also other virus writers who are not known to the 
author of this paper. Sometimes it is possible to determine the town where 
the viruses were developed - usually due to an appropriate string in the 
virus body, or because the virus wasn't found elsewhere. Some of the viruses 
are very simple, others are quite sophisticated. Here are examples of such 
viruses.
 
- The KAMIKAZE virus has been detected only in the Institute of Mathematics 
at the Bulgarian Academy of Sciences, Sofia and was probably made there;
 
- The RAT virus was made in Sofia, as is said in its body;
 
- The VFSI (HAPPY DAY) virus was developed in the Higher Institute of 
Finances and Economics in Svishtov (a small town on the Danube) by an 
unknown programmer;
 
- The DESTRUCTOR virus was probably made in Plovdiv, where it was first 
detected;
 
- The PARITY virus was probably written in the Technical University, Sofia, 
since it has not been detected elsewhere;
 
- The TONY file and boot sector viruses were probably created in Plovdiv, 
where they were first detected;
 
- The ETC virus was detected only in Sofia;
 
- The 1963 virus, a quite sophisticated one, was probably made in Sofia 
University;
 
- The JUSTICE virus.
 

2.11) The Virus eXchange BBS.

About a year ago virus writing in Bulgaria entered a new phase. Virus 
writers began to organize. The first step was the creation of a specialized 
bulletin board system (BBS), dedicated to virus exchange: the Virus eXchange 
BBS.
 
Its system operator (SysOp), T.T., is a student of computer science at 
Sofia University. He established the BBS in his own home. On this BBS, there 
are two major kinds of files - anti-virus programs and viruses. The 
anti-virus programs can be downloaded freely.
 
In order to get access to the virus area one has to upload a new virus. 
However, anyone who uploads a new virus, gets access to the whole virus 
collection. S/he could then download every virus that is already available, 
or even all of them. No questions are asked - for instance the reason s/he 
might need these viruses.
 
Furthermore, the SysOp takes no steps to verify the identity of his users. 
They are allowed to use fake names and are even encouraged to do so. Dark 
Avenger and W.T. are the most active users, but there are also names like 
George Bush from New York, Saddam Hussein from Baghdad, Ozzy Ozbourn and 
others.

Since this BBS has already a large collection of computer viruses (about 
300), it is quite difficult to find a new virus for it. If one wants to get 
access to the virus area, it is much simpler to write a new virus than to 
find a new one. That is exactly what W.T. did. The BBS, then, encourages 
virus writing.
 
Furthermore, on this BBS there are all kinds of viruses - some of them as 
1260, V2P6Z, FLIP, and WHALE are considered extremely dangerous because they 
use several new ideas and clever tricks, which makes them very difficult to 
recognize and remove from the infected files. And the Virus eXchange BBS 
policy makes all these viruses freely available to any hacker that bothers 
to download them. This will, undoubtedly, lead to the creation of more and 
more such "difficult" viruses in the near future.
 
The free availability of live viruses has already borne its bitter fruits. 
It has helped viruses created far away from Bulgaria, and not widely 
spread, to cause epidemics in our country. Such was the case of the DATALOCK 
virus. It was created in California and uploaded to the Virus eXchange BBS. 
A few weeks later it was detected in the Technical University, Sofia. 
Probably one of the users of the BBS had downloaded it from there and spread 
it "for fun." In a similar way the INTERNAL, TYPO and 1575 viruses entered 
our country.
 
But the free availability of known live viruses is not the most dangerous 
thing. After all, since they are already known, there already exist programs 
to detect and probably to remove them. Much more dangerous is the free 
availability on this BBS of virus source code! Indeed, original source code 
or well commented disassemblies of several viruses are freely available on 
the Virus eXchange BBS - just as any other live virus. To name a few, there 
are:
 
DARK AVENGER, OLD YANKEE, DIAMOND, AMSTRAD, HYMN, MLTI830, MURPHY, 
MAGNITOGORSK, ICELANDIC, MIX1, STONED, JERUSALEM, DATACRIME, BURGER, 
ARMAGEDON, OROPAX, DARTH VADER, NAUGHTY HACKER, 512, VIENNA, 4096, FISH#6, 
PING PONG, BLACK JEC, WWT, MG, TSD, BOOTHORSE, BAD BOY, LEECH...
 
Most of them are easily assembled sources.
 
The publishing of virus source code proved to be the most dangerous thing in 
this field. The VIENNA, JERUSALEM, CASCADE and AMSTRAD viruses are the best 
examples. Their source code was made publicly available, leading to the 
creation of scores of new variants of these viruses. The known variants of 
only these four viruses are about 20 % of all known viruses, which means 
more than a hundred variants. One can imagine the consequences of making 
publicly available the source code of all the viruses listed above. In less 
than a year we probably will be submerged in thousands of new variants...
 
In fact, this process has already begun. The HIV, MIGRAM, KAMASYA, CEMETERY 
and ANTICHRIST viruses were obviously created by someone who had access to 
the source of the MURPHY virus. The ENIGMA virus is clearly based on the OLD 
YANKEE code. There have been reports about infections by these viruses in 
one Italian school, and an Italian virus writer, known as Cracker Jack, is a 
user of Virus eXchange...
 
The damage to the rest of the world caused by the BBS alone is big enough. 
But this is not all. Since possession of "viral knowledge" (i.e., live 
viruses, virus source code) has always tempted hackers, and since the 
legitimate anti-virus researchers usually exchange such things only between 
themselves and in a very restricted manner, it is not surprising that 
similar "virus boards" began to pop up around the world. There are currently 
such BBSs in the USA, Germany, Italy, Sweden, Czechoslovakia, the UK, and 
the Soviet Union. Stopping their activities is very difficult in legal 
terms, because the possession, storage or wilful downloading of computer 
viruses usually is not considered a criminal offence. And it shouldn't be - 
otherwise the anti-virus researchers themselves would not have a way to 
exchange virus samples to work with.
 
The creation of a virus-oriented BBS, the system operator of which supports 
the writing, spreading and exchanging of virus code, hasn't gone unnoticed in 
Bulgaria. Almost all virus writers have obtained a modem (not very easy in 
Bulgaria) and contacted it. Afterwards, they began to contact each other by 
means of electronic messages on this BBS. They have even created a 
specialized local conference (local for Bulgaria), in order to keep in touch 
and to exchange ideas about how to write clever viruses. They've begun to 
organize themselves - a thing that cannot be said about the international 
anti-virus research community...

Source: info.cert.org, subdirectory pub/virus-l/docs

(this text appeared not to fit into ZKP4 anymore, even after we upgraded 
from 32 to 64 // thanks to some quick non-bureaucratic financial help, more 
soon! /p)


---
#  distributed via nettime-l : no commercial use without permission
#  <nettime> is a closed moderated mailinglist for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@icf.de and "info nettime" in the msg body
#  URL: http://www.desk.nl/~nettime/  contact: nettime-owner@icf.de