Approaching Zero, Paul Mungo
- Author: Paul Mungo
company’s chief financial officer. “We also lost data. That cost us $20,000.
But what really hurt was the lost business. If we force a customer into the
hands of a competitor, he might go there again. I guess that could cost us
another $500,000.”
The company tried to find out how the virus had got into its machines in the
first place. Sometimes disenchanted employees (or ex-employees) have been known
deliberately to cause havoc on computer systems, but it seemed unlikely in this
case. The company concluded that the infection was almost certainly accidental,
probably introduced on a diskette brought in from outside. All they knew for
certain was that some Bulgarian who called himself the Dark Avenger had cost
them $1 million.
Meanwhile, across the Atlantic in England, computer operators in government
offices in Whitehall and regional centers were confounded by a new virus that
spread, seemingly unstoppably, from office to office and department to
department.
The virus was first observed in the House of Commons library in the Palace of
Westminster. In early October 1990, researchers at the library became concerned
about one of their computer systems. The library operates a PC-based research
service for members of Parliament, providing information, background, and
documentation on subjects of concern. Part of the service uses a network of
Compaq computers, and it was this system that was causing problems. Computer
files that should have been available suddenly appeared to be missing, while
others were corrupted or incomplete, and some of the file names were distorted.
As the days went by, the problems multiplied, and the head of computer systems
at the library called in an outside specialist. A virus-detection program run
on one of the affected machines came up clean, but from the way the computers
were malfunctioning, the specialist was convinced that the House of Commons
library had been hit by a virus. He compared the lengths of the program files
on an infected machine with those on a clean computer. As expected, the
programs on the infected computer were longer, which suggested the unknown
virus was attaching itself to the ends of program files. A visual inspection of
the virus followed, revealing one full word in the jumble of characters on the
screen: NOMENKLATURA.
The word is of Russian origin, though in common use throughout Eastern Europe.
It was the name given to the upper echelons of the Communist party and the
high-ranking bureaucrats—the class that did well from the old system, those
who had access to the special shops and the special rations, the cars and the
country homes. It is a pejorative now and was almost certainly picked by the
virus writer for its ironic overtones.
A copy of the virus, immediately nicknamed Nomenklatura, was sent to a British
researcher, Alan Solomon, who runs a specialist computer data-recovery service
from Berkhamsted, northwest of London. When he disassembled the bug, he found
he was looking at one of the most destructive viruses he had ever seen.
The virus’s target proved to be the FAT, the all-important File Allocation
Table. With the FAT corrupted, the computer would be unable to reassemble data
files in the correct order—hence the gaps in the information accessed in the
House of Commons library. Solomon also noticed a string of text characters
within the Nomenklatura program. It could be a message, he thought, except that
the text was represented on his computer screen by a code that appeared to
refer to non-English-language characters, which looked like Greek or Russian.
Solomon guessed it was Bulgarian.
To confirm his hunch, Solomon dialed an electronic bulletin board in Sofia,
linking to the East European country via Fidonet, an international
public-access computer network run by hobbyists. The board he accessed was owned by MicroComm, a subsidiary of the
Bulgarian public telephone company. Once linked to the board, he managed to
make contact with one of the company’s engineers, Veni Markovski, who spoke a
little English. Solomon uploaded the code to Sofia, and Veni looked at it with
his Cyrillic converter. If the code represented Cyrillic characters, the
converter—a program that translates keyboard strokes into Cyrillic—would
recognize them and display the message in the virus. The text, though, would be
in Bulgarian, which was why Solomon needed Veni’s help.
The converter rapidly deciphered the code, changing it to Cyrillic. Solomon had
guessed correctly. The phrase, Veni reported, was an idiomatic Bulgarian
expression. It took some time to translate—Veni’s English is poor—and its
meaning is obscure. But, Veni said, it translates to something like: “This fat
idiot instead of kissing the girl’s lips, kisses quite some other thing.”
Solomon wasn’t surprised that the message was in Bulgarian. By 1990 everyone
involved in computer security had become aware that something odd was going on
in that obscure East European country. Increasingly sophisticated and damaging
viruses that affected IBM-type PCs were moving into the West, carried on
diskette or transferred by electronic bulletin boards, and all had one thing in
common: they had been written in Bulgaria.
Though only a few of the viruses had actually been seen “in the wild”—that is,
infecting computers—reports from Bulgaria suggested that two new viruses were
being discovered in that country every week. By mid-1990 there were so many
reported Bulgarian viruses that one researcher was moved to refer to the
existence of a “Bulgarian virus factory.” The phrase stuck.
The origins of that factory go back to the last decade. In the early 1980s the
then president of Bulgaria, Todor Zhivkov, decided that his country was to
become a high-tech power, with computers managing the economy while industry
concentrated on manufacturing hardware to match that of the West. Bulgaria, he
decided, would function as the hardware-manufacturing center
for Comecon (Eastern Europe’s Council for Mutual Economic Assistance, now
defunct), trading its computers for cheap raw materials from the Soviet Union
and basic imports from the other Socialist countries. Bulgaria had the
potential, in that it had many well-educated young electronics engineers; what
it didn’t have, with its archaic infrastructure and ill-managed economy, was
any particularly useful application for its own hardware.
With the resources of the state behind Bulgaria’s computerization, the country
began manufacturing copies of IBM and Apple models. The machines were slow—
very slow by today’s standards—and were already obsolete even when they first
started crawling off the production line. They had been “designed” at the
Bulgarian Academy of Sciences, but without the help or blessing of either IBM
or Apple. The Bulgarian machines were simply poorly manufactured clones that
used the same operating systems and computer language as the real IBMs and
Apples.
In the latter half of the 1980s shiny new computers started to appear in state
organizations, schools, colleges, and computer clubs. Many were destined to sit
on the boss’s desk, largely unused, symbols of a high-tech society that never
really existed. Few businesses had any real need for computers; some used them
simply to store personnel records. It was a gloss of technology laid over a
system that, at its core, wasn’t functioning.
In addition, Bulgaria didn’t have any software. While the factories continued
to manufacture PCs, the most basic requirement—programs to make the machines
function—had to be pirated. So the Bulgarians began copying Western programs,
cracking any copy-protection schemes that stood in their way, and became more
and more skilled at hacking—in the classic sense of the word. They could
program their way around any problem; they learned the ins and outs of the IBM
and Apple operating systems; they became skilled computer technicians as they
struggled to keep their unreliable and poorly manufactured computers functioning. In short, they were assimilating all the skills they would need to
become first-class virus writers.
The first Bulgarian viruses to arrive in the West were seen in
1989. They became increasingly sophisticated and malignant, progressing within a
year from the relatively harmless Yankee Doodle to the more destructive Eddie
and then to Nomenklatura, which was deadly.
Nomenklatura’s attack on the House of Commons library had zapped data in the
statistical section, rendering valuable information irrecoverable. From the
House of Commons, the virus began to journey through other sectors of the
British government, presumably carried on diskettes from the library. The virus
traveled slowly, popping up first in one department, then spreading to another.
As soon as it was wiped out in one office, it would reappear elsewhere; it has
not been completely eradicated to this day. Alan Solomon, a computer security
specialist who worked on the case, is convinced that Nomenklatura’s creator is
the Dark Avenger.
In November 1988 stories about Robert Morris, Jr., and the Internet Worm were
published in Bulgaria. The news, already exaggerated in the American press,
became even more fanciful by the time it was retold in Bulgarian newspapers.
The worm excited the curiosity of two young men, Teodor Prevalsky and Vesselin
(Vesko) Bontchev. They had been close friends for many years, had gone to
university together, and had served side by side as officers in the Bulgarian
army. Aged twenty-seven, they were both engineering graduates from professional
families, which made them part of the privileged class in Bulgaria at the time.
The Bulgarian computer industry was in full swing by then, but the country had
few uses for the new machines. In response, a magazine was started called
Komputar za vas (“Computer for You”), to show readers how to do something
constructive on their relatively worthless PCs. The magazine needed technical
writers who could explain how the machines worked, and Vesko, provided with
desk space at the magazine’s offices, found that he could double his income of
$45 a month by writing the articles. By Bulgarian standards his salary was
already high; with the additional income from the magazine he was positively
wealthy.
When news of the Internet Worm broke, Vesko and his friend Teodor discussed it
at length. For Vesko, it would be the inspiration for an article; for Teodor,
it was the catalyst for a new intellectual pursuit.
On November 10, 1988, Teodor sat down at a computer at the technical institute
where he worked and started to write his first virus. He had managed to get a
copy of Vienna, which had been copied from Ralf Burger’s book, and he used it
as a model for his own bug. On November 12th Teodor proudly made an entry in
his diary: “Version 0 lives.”
Version 0 was, in all probability, the first homegrown Bulgarian virus. It did
very little except replicate, leaving copies of itself on what are called COM
files—simple program files of limited length, used for basic computer
utilities. When the virus infected a file, it beeped.
Just two days after writing Version 0, Teodor had prepared Version 2. It was
more clever than the original in that it could infect both common types of
executable files: COM and EXE. The latter are the more sophisticated programs—
like word-processing, for instance—and because they are structurally complex
they are more difficult to infect. But Teodor’s Version 2 employed a little
trick that would convert the shorter EXE files into COM files. When the
operator called up, or loaded, an EXE file, the lurking virus saw the load
command, jumped in ahead and modified the structure of the EXE file so it
resembled a COM file. The next time a restructured EXE file was loaded up, it
could be successfully infected by the virus, just like an ordinary COM file.
Teodor was also experimenting with antivirus software at the time, and
developed a program that would hunt down and kill Versions 0 and 2. It was
called “Vacsina,” the Bulgarian word for vaccine. However, by Version 5 Teodor
had adapted his virus so that it was immune to his own killer program. He
accomplished this by simply adding the character string “Vacsina” to the virus.
When