Approaching Zero Part 5
The Jerusalem virus was a malicious joke, which would delete any program files used on Friday the 13th. There are two Friday the 13ths in any given year; in between those dates the virus signaled its presence by displaying a little box in the lower half of the computer screen and then slowing down infected systems to an unacceptable crawl. It also contained a gremlin that, contrary to the programmer's intentions, caused it to reinfect--or add itself to--many of the same program files. Eventually the files would grow so big that the virus would take up all of the computer's memory.
The virus quickly acquired a fearsome reputation. Maariv, one of Israel's leading daily newspapers, heralded its discovery with an article on January 8, 1988, that warned, "Don't use your computer on Friday the 13th of May this year! On this day, the Israeli virus which is running wild will wake up from its hibernation and destroy any information found in the computer memory or on the disks."
The report was somewhat exaggerated. It wasn't true that Jerusalem could destroy "any information found in the computer memory or on the disks," as it had been written to delete only programs that were used on Friday the 13th. In practice, few users suffered any real damage. Most operators would delete the virus as soon as they saw the little box appear on the screen and noticed the system slow down--which generally happened about half an hour after the virus had infected a computer.
While Jerusalem may not have been as destructive as its publicity suggested, it was exceptionally virulent and spread quickly and widely. Unlike most previous viruses, Jerusalem could infect nearly any common program file, which gave it more opportunity to travel. (By contrast, the Pakistani virus, Brain, could only infect the boot sector on specific diskettes, and Lehigh could only infect one particular type of program file.) Jerusalem's propagation rate was phenomenal. From Israel it spread quickly to Europe and North America, and a year after its discovery in Israel it had become the most common virus in the world. In 1989 it was said to have been responsible for almost 90 percent of all reported incidents of viral infection in the United States.
Because Tippett's predictions were based on the propagation rate of this particularly infectious bug, they probably overstated the potential growth rate of viruses. One of the peculiarities of viruses that Tippett overlooked is that most remain localized, causing infection on a limited number of machines, sometimes on just a single site. So far only about fifty viruses have propagated rapidly and spread from their spawning ground to computers throughout the world. The rate of propagation seems to be a matter of luck. Through an unpredictable combination of circumstance and chance, some viruses are destined to wither away in parochial isolation, while others achieve a sort of international notoriety. There seems little logic to which remain localized and which propagate.
In March 1989 a new virus was discovered in the United States, which was reported to have come to North America via Venezuela. Its payload was simple: it displayed the words Den and Zuk, converging from separate sides of the computer screen. The word Zuk was followed by a globe resembling the AT&T corporate logo. Inevitably, the virus became known as Den Zuk.
The bug was found to be relatively harmless. Like Brain, it nestled in the boot sector of infected diskettes, but changed their volume labels to "Y.C.I.E.R.P."
Its payload was set to trigger after what is known as a warm reboot--restarting the computer from the keyboard without using the power switch. Warm reboots are generally employed when the computer has frozen, or stopped--a fairly uncommon occurrence, so the payload wasn't triggered very often.
An Icelandic virus researcher, Fridrik Skulason, surmised that the character string "Y.C.I.E.R.P" could be an amateur radio call sign. He looked up the sign in the International Callbook and found that it was attributed to an operator in Bandung, a city on the island of Java, in Indonesia. Skulason wrote to the operator, Denny Ramdhani, who replied with a long and detailed letter. He was, he admitted, the author of Den Zuk: "Den" was an allusion to his first name; "Zuk" came from his nickname, Zuko, after Danny Zuko, the character played by John Travolta in the film Grease. He had written the virus in March 1988, when he was twenty-four, "as an experiment." He wanted, he said, "to 'say hello' to other computer users in my city. I never thought or expected it to spread nationwide and then worldwide. I was really surprised when my virus attacked the U.S.A."
If Denny was surprised, the computer industry was flabbergasted. Den Zuk was neither a particularly infectious bug, nor was it grown in a locale that could be said to be within the communication mainstream. Bandung, for all of its exotic charm, is not a city normally associated with high-technology industries. Denny's virus traveled simply because it got lucky.
Viruses are unguided missiles, so it seems almost as likely that a bug launched from an obscure Indonesian city will hit targets in North America as one set off from, say, Germany. Nor is the sophistication of the bug any arbiter of its reach: Den Zuk was a simple virus, without any real pretension to what is known as an infection strategy.
The universality of the PC culture is reflected by the provenance of viruses. In Britain, New Scotland Yard's Computer Crime Unit recently compiled a list of the country's most troublesome bugs, which originated in places as diverse as New Zealand, Taiwan, Italy, Israel (the Jerusalem virus), Austria, Pakistan (Brain), Switzerland, India, and Spain--as well as a couple from the United States and even one that is believed to be from China.
The increasing links between virus writers in different parts of the world are demonstrated by the growing number of adaptations of existing viruses. The Vienna virus, which Ralph Burger had included in his Das grosse Computervirenbuch, spawned a whole series of knockoffs, with slightly differing payloads and messages. As did the Jerusalem virus: there are now perhaps a hundred variants, all based on the one prototype. The knockoffs come from all over the world: Australia, the Netherlands, the republics of the former Soviet Union, Britain, South Africa, Czechoslovakia, Malaysia, Argentina, Spain, Switzerland, the United States--the list is only slightly shorter than the membership of the U.N. Some of the new variants are just jokes, and play tunes, but others are even more destructive than the original.
Jerusalem's most fearsome variant came from Asia. Called Invader, this bug first appeared in Taiwan in July 1990, where it is presumed to have been written. Within a month it had swept through the Far East and was reported to have reached North America. Just four months later it was found at the Canadian Computer Show, where it was running amok on the PC displays. Invader is an exceptionally sophisticated variant. It would infect a target computer's hard disk, diskettes, and program files, and its payload was devastating: it would zap data stored on a hard disk or diskette to the sound of an exploding bomb whenever a particular, quite common, piece of drafting software, called Autocad, was loaded.
Invader is part of the new generation of viruses: destructive, malicious, and clever. Since 1988, as the number of bugs has grown exponentially, virus techniques have improved dramatically, and their infection strategies have become more effective, which means they have a better chance of traveling. They exploit obscure functions of computers in order to evade detection; they can trash data; and in some cases, they can zero out large-scale computer networks.
While the early viruses could cause damage, it was generally by accident; the new strains are programmed to be destructive. Some seem demonic and frenzied, as if the virus writer was driven by a personal animus.
On January 15, 1991, the principal bank on the Mediterranean island of Malta was attacked by a particularly vicious bug. The first warning of the virus was an announcement that popped up suddenly on the computer screen: DISK DESTROYER--A SOUVENIR OF MALTA I HAVE JUST DESTROYED THE FAT ON YOUR DISK!!
HOWEVER, I HAVE KEPT A COPY IN RAM, AND IM GIVING YOU A LAST CHANCE TO RESTORE YOUR PRECIOUS DATA.
WARNING: IF YOU RESET NOW ALL YOUR DATA WILL BE LOST FOREVER!! YOUR DATA DEPENDS ON A GAME OF JACKPOT CASINO DE MALTE JACKPOT +L+~+?+ ~+c+ CREDITS: 5 ANY KEY TO PLAY

The virus was, in essence, inviting operators to gamble with the data on their hard disks. It had captured the FAT, the File Allocation Table which, despite its unprepossessing name, is one of the most important components of a computer's hard disk: it is a master index that keeps track of where all the pages for each file are kept. On a hard disk, unlike in a filing cabinet, pages of a single file are not necessarily stored together; they are stored wherever there happens to be disk space, which often results in "fragmentation"--particularly of larger files. Whenever a user selects a particular file, the FAT is responsible for finding all of the file's parts and assembling them in the correct order. Once corrupted, the FAT takes on all the attributes of an unqualified temporary secretary: it can't find anything, it loses files, and the ones it doesn't lose are incomplete or presented in the wrong order.
The gamble the operators faced was more or less the same as on a slot machine--except that the computer user was playing with data instead of a coin. If he played and lost, the virus would zap the FAT, with disastrous consequences. If he played and won, the virus would replace the FAT it had captured with the copy it had sequestered in the RAM, or random access memory, the computer's principal memory, and the area where programs are run.
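To make the FAT explanation concrete, here is a toy model of a File Allocation Table, written for this page as an added illustration (it is not code from the book or from any real virus). It assumes a small constructed disk of four-byte clusters, a directory that records only a file's first cluster, and an end-of-chain marker named EOC; the functions follow_chain, zap_fat, salvage_without_fat and restore_fat are hypothetical names chosen here. It shows that after the table is overwritten the file's bytes are all still on disk but can no longer be put in order, and that putting back a saved copy of the table (what Casino's "jackpot" did) makes the file readable again.

```python
# Added example (not from the book): a toy File Allocation Table, to show why a
# corrupted FAT loses files whose data clusters are all still on the disk, and
# why a saved copy of the table is enough to restore them.

EOC = 0xFFF   # constructed end-of-chain marker (real FAT12 uses 0xFF8..0xFFF)
FREE = 0x000  # a zero entry means the cluster is unused

# Constructed disk: each cluster holds four bytes. One letter is fragmented
# across clusters 2 -> 5 -> 3 -> 9, in that order.
CLUSTERS = {2: b"Dear", 5: b" Sir", 3: b", pa", 9: b"y up"}
FAT = {2: 5, 5: 3, 3: 9, 9: EOC}
DIRECTORY = {"LETTER.TXT": 2}   # a directory entry records only the first cluster

def follow_chain(fat, start):
    """Walk the FAT entries from `start`; return the clusters in file order.
    Raise ValueError if the table no longer describes a valid chain."""
    chain = []
    cur = start
    while cur != EOC:
        if cur == FREE or cur not in fat or cur in chain:
            raise ValueError(f"FAT chain broken at cluster {cur:#x}")
        chain.append(cur)
        cur = fat[cur]
    return chain

def read_file(fat, clusters, directory, name):
    """Reassemble a file: the FAT supplies the order, the clusters supply the bytes."""
    return b"".join(clusters[c] for c in follow_chain(fat, directory[name]))

def zap_fat(fat):
    """Model a payload that overwrites the table: every entry becomes FREE.
    The data clusters are untouched; only the index is gone."""
    return {c: FREE for c in fat}

def salvage_without_fat(clusters):
    """Best effort with no FAT: concatenate clusters in disk order. For a
    fragmented file this yields the right bytes in the wrong order."""
    return b"".join(clusters[c] for c in sorted(clusters))

def restore_fat(saved_copy):
    """What the 'jackpot' did: put back the copy of the table kept in memory."""
    return dict(saved_copy)

if __name__ == "__main__":
    saved = dict(FAT)                       # the copy kept in RAM
    print("intact:  ", read_file(FAT, CLUSTERS, DIRECTORY, "LETTER.TXT"))
    damaged = zap_fat(FAT)
    try:
        read_file(damaged, CLUSTERS, DIRECTORY, "LETTER.TXT")
    except ValueError as err:
        print("after zap:", err)
    print("salvage: ", salvage_without_fat(CLUSTERS))
    print("restored:", read_file(restore_fat(saved), CLUSTERS, DIRECTORY, "LETTER.TXT"))
```

The salvage function is the point of the model: without the table, a recovery tool sees every cluster but has no way to know that cluster 5 follows cluster 2, which is exactly the "incomplete or in the wrong order" symptom the text describes.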
When the user followed the on-screen instructions and pressed a key, the characters in the three "windows" ran through a sequence, like a real slot machine. The operator had five "credits," or tries, and the game ended when three Ls, Cs, or .~s came up. The operator could try again if a combination of characters came up. The jackpot was three Ls. Then the operator would see the following message on his screen: BASTARD! YOURE LUCKY THIS TIME, BUT FOR YOUR OWN SAKE, SWITCH OFF YOUR COMPUTER NOW AND DONT TURN IT ON UNTIL TOMORROW! Three .~s was a loser: the virus would then announce NO FUCKING CHANCE and destroy the FAT. Three Cs, unsportingly, was also a loser: the message was: HA HA! YOU ASSHOLE, YOUVE LOST: SAY BYE TO YOUR BALLS. Once again, the FAT would be zapped.
The Maltese bank had no choice but to gamble. Once the virus had seized control of the FAT, there was no possible way of retrieving it other than by coming up with a jackpot, and the odds against that were three to one. The computer operators pressed their keys, losing two games to every one they won and having to rebuild the system and restore the damaged files on two thirds of their infected computers. They also had to track down and destroy the virus, which became known as Casino, on all of their machines, a process that required the help of a computer security expert from Britain.
From the spelling and the use of American expressions such as asshole, it was thought that the author of Casino was American, or perhaps a Maltese who had previously lived in the States. But, as in so many cases, his identity was never discovered.
Casino epitomized many of the characteristics of the new breed of viruses: it was vicious, destructive, and its payload was curiously spiteful. To date, the virus hasn't spread from its island home, though that doesn't mean that it won't travel in the future.
It is estimated that a virus that is going to travel will reach its peak propagation within eighteen months. (Casino is thought to have been written just a few weeks before it hit the bank.) About half of the viruses ever written are less than six months old: they are, in a manner of speaking, now waiting for their travel documents, for that odd confluence of luck and circumstance that will unleash them throughout the world.
As the world population of computer viruses grows exponentially, so does the potential for real disaster. Viruses will affect computer users first, but then, indirectly, many people who have never even touched a computer will be affected. A virus let loose in a hospital computer could harm vital records and might result in patients receiving the wrong dosages of medicine; workers could suffer job losses in virus-ravaged businesses; dangerous emissions could be released from nuclear power plants if the controlling computers were compromised; and so on. Even military operations could be affected. Already, during the 1991 Gulf conflict, Allied forces had to contend with at least two separate virus assaults affecting over seven thousand computers. One of the incidents was caused by the ubiquitous Jerusalem bug, the other by a "fun" virus from New Zealand called Stoned, which displayed the message YOUR PC IS NOW STONED on the screen. The two outbreaks were enough to cause computer shutdowns and the loss of data. The consequences for the military, now utterly dependent on computers, of an attack by one of the newer, more destructive viruses--perhaps one unleashed by the enemy--could be catastrophic.
In truth, there has been no major disaster, no loss of life or jobs due to a virus. The only losses to date have been financial. But hospitals have already found viruses lurking in their systems; the military has been affected; and a Russian nuclear power plant's central computer was once shut down because of a virus. None of the bugs were destructive, but it is probably only a matter of time before there is a real catastrophe.
It is now believed by many that the real threat from computer viruses will escalate in the mid-nineties when a new generation of bugs begins to spread throughout the industrialized countries of the West. The new viruses will attack from every corner of the world, but the biggest threat will come from one country--Bulgaria.
The first call came in to the Help Desk of a California magazine publisher just after five P.M. on Thursday, June 27, 1991. The company has 1,500 interlinked computers spread around three buildings. The Help Desk, part of the technical-support department, works as a sort of troubleshooter for the entire networked system, dealing with routine problems and helping the less computer-literate staff with their hassles.
"My computer has started making a noise," said the caller.
In the normal run of events, noises, apart from the standard beep when starting up or the low-pitched whir of the machine's cooling system, are not part of a computer's standard repertoire. A noise usually suggests a problem--a high-pitched whine can be a warning that the computer's monitor is faulty; a loud hum can signal a difficulty with the hard disk.
"What sort of noise?" asked the girl at the Help Desk.
"I don't know, it's just a noise. I've switched it off. Can someone come over?"
Seconds later the Help Desk received a call from another user with the same problem. Then the switchboard lit up. There were callers from all over the company, all with the same complaint: their computers were making odd noises. It may be a tune, one of the callers added helpfully, coming from the computer's small internal speaker. The sixth caller recognized the melody. The computers were all playing tinny renditions of "Yankee Doodle."
To the specialists in the technical-support department, the discovery that the tune was "Yankee Doodle" was confirmation that they had been hit by a virus, and a well-known one at that. The Yankee Doodle virus had first been seen in 1989 and was said to be relatively harmless. There are a number of variants of the bug but most simply cause computers to play "Yankee Doodle." This particular variant, known as Version 44, played the tune at five P.M. every eight days.
The company arranged for antiviral software to be shipped overnight by Federal Express. The publishers of the software assured the Help Desk that they would simply need to run the program on the computers to locate the infected files and kill the virus; the files wouldn't be damaged and no data would be lost. Yankee Doodle was a nuisance, they said, but not a major problem.
On Friday morning the technical-support staff began the time-consuming task of checking every computer in the company. They discovered that eighteen of their machines had been hit by the virus and that the killer function of the software they had just bought wouldn't work on their particular variant of Yankee Doodle. Instead, to clean the bug out, they would need to delete all infected files and replace them.
The virus they were fighting is generally transferred by diskette. It attaches itself to an executable file--a word-processing program or a game, for instance--then, once loaded on to a computer, it searches out other programs to infect. It is generally harmless in that it never attacks data files, the ones users actually work on, so it can't cause serious damage. Its nuisance value comes in eradicating it: deleting programs and then replacing them can be time-consuming.
In the meantime, to stop the virus from spreading any farther, the company decided to shut down the entire network of 1,500 computers, leaving machines and staff idle. The technical-support specialists estimated that killing the bug and replacing the programs would take them two or three hours at the most. But by mid-afternoon they realized that they had underestimated the size of the job, and arranged to come in over the weekend. In the end, the technical staff worked for four days, Friday through Monday, before they were satisfied that all the machines were free of the virus. During that time computers and staff were inactive, neither processing work in progress nor going ahead with anything else.
The computers worked well for the next three days, but then, at ten A.M. on Thursday, July 4th, the virus was rediscovered. In a routine scan of one of the computers with the new antiviral software, one member of a small crew working over the Independence Day holiday received a big shock: Yankee Doodle was back.
The technical specialists, called into the offices from their homes, discovered to their horror that this time 320 machines had been infected, and when they asked the maker of the antiviral software for an explanation, they were simply told, "You missed a spot."
The company was forced to shut down its computers again, and again staff and machinery sat idle while the support staff searched laboriously through every program on all 1,500 machines. There was no damage: the bug was eradicated and the programs reinstalled without even a byte of data lost. But the lack of damage disguised the virus's real cost in downtime. By the time Yankee Doodle had been completely eradicated, the company had suffered one week of lost production, one week in which 1,500 staff were idle, one week of irrecoverable business. The company never quantified its loss, but it is estimated to run into the hundreds of thousands of dollars--all from what was purported to be a harmless virus.
Since 1990 virus researchers have pieced together a history of Yankee Doodle. It was first spotted in 1989 in the United Nations offices in Vienna on a computer game called Outrun. The game is proprietary, though unauthorized pirate copies are often passed around on diskette. Someone, somewhere, is thought to have infected a copy of the game, accidentally or deliberately, and the virus began its travels, first to Vienna, then around the world courtesy of the United Nations. Though there are known to be fifty-one versions of the virus, they are all based on one original prototype. And that program, despite the virus's all-American name, was written in Bulgaria.
In the same month that the California publishing company was trying to eradicate Yankee Doodle, a major financial-services house on the other side of the country was hit by another bug. This one wasn't a joke; it was deliberately malicious.
The first symptoms appeared when one of the secretaries was unable to print out a letter she had just entered into her computer. In such cases people usually follow the same routine: the secretary checked the paper, switched both the computer and the printer off and on, and then fiddled with the connecting cables. Still nothing printed out. Finally she rang her company's technical-support office.
When the specialist arrived, he began running tests on the affected machine. First he created a new document and tried printing it out, but that didn't work. He then guessed that the word-processing program itself was defective, that one of its files had become corrupted and was preventing the machine from printing. He went to another computer and copied out the list of program files used by the company, which showed the names of the programs and their size, in bytes (or characters). He then compared the files on the problem machine with the list. Everything matched, except that eight of the files on the affected computer were slightly larger than on the other. He checked the differences, and in each case the files on the problem machine were exactly 1,800 bytes larger.
With that information, the specialist knew immediately that the company had been hit by a virus; he also knew it was 1,800 bytes long and attached itself to program files. He called his supervisor, who hurried over with a virus-detection diskette. They inserted it in the infected computer and instructed it to check the machine for viruses. Program file names appeared briefly, one by one on the screen, as the virus detector bustled through its checks, examining each file for known bugs. After five minutes, a message appeared on the screen: it stated that eighty-three files had been checked and no virus had been found. In exasperation, the supervisor called the vendor of the virus-detection program.
"It does sound like you've got a virus," the vendor agreed. "But if it's not getting picked up by our software, then it must be a new virus. Or a new strain of an old one."
Most virus-detection programs operate by looking for known characteristics of familiar viruses--in other words, for a string of text or a jumble of characters that is known to be contained within the program of a previously discovered bug. Such virus detection kits are, of course, unable to detect new or modified viruses.
At the suggestion of the vendor, the technical-support staff began a search of one of the infected files, looking for text or messages. Specialized software is needed to inspect the inside of the program file; during the inspection the screen displays a jumble of computer code. But within the code the staff saw two strings of text: EDDIE LIVES ... SOMEWHERE IN TIME! said the first. The second announced: THIS PROGRAM WAS WRITTEN IN THE CITY OF SOFIA 1988--1989 (C) DARK AVENGER.
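The two detection methods described in the last few paragraphs, comparing program-file sizes against a known-good list and scanning a file for the text strings of a known virus, can be put into a small script. The following is an added example written for this page, not code from the book or from any antivirus vendor; it works on a constructed in-memory set of program files rather than a real disk, the signature table and the function names (make_baseline, changed_files, common_growth, scan_signatures, triage) are hypothetical, and the appended "virus body" is plain filler padded to 1,800 bytes around the strings the text quotes. It goes one step beyond the text by recording a SHA-256 digest in the baseline as well as the size, so that a change which keeps the size constant is still caught. The constructed "new strain" at the end illustrates the vendor's caveat: altering the strings defeats the signature scan, but the size comparison still flags the file.

```python
# Added example (not from the book): integrity baseline plus string-signature
# scan, run over constructed in-memory "program files".
import hashlib
from collections import Counter

# Constructed signature database: the strings the text reports inside Eddie.
KNOWN_SIGNATURES = {
    "Eddie / Dark Avenger": [b"EDDIE LIVES", b"(C) DARK AVENGER"],
}

def make_baseline(files):
    """Record size and digest of each program file while the system is believed clean."""
    return {name: (len(body), hashlib.sha256(body).hexdigest())
            for name, body in files.items()}

def changed_files(baseline, current):
    """Return {name: growth_in_bytes} for every file whose digest no longer matches.
    Growth is 0 when the size is unchanged but the content differs."""
    out = {}
    for name, (size, digest) in baseline.items():
        body = current.get(name)
        if body is None:
            continue                      # missing file: a separate finding
        if hashlib.sha256(body).hexdigest() != digest:
            out[name] = len(body) - size
    return out

def common_growth(deltas):
    """An appending virus adds a copy of itself to each host, so every infected
    file grows by the same amount. Return that amount if all changed files agree
    on one positive delta, else None."""
    counts = Counter(deltas.values())
    if len(counts) == 1:
        (delta,) = counts
        return delta if delta > 0 else None
    return None

def scan_signatures(body, signatures=KNOWN_SIGNATURES):
    """Name every known virus whose strings all appear in the file."""
    return [name for name, strings in signatures.items()
            if all(s in body for s in strings)]

def triage(baseline, current):
    """Combine both checks: which files changed, by how much, and what the scanner says."""
    return {name: {"growth": delta, "signature": scan_signatures(current[name])}
            for name, delta in changed_files(baseline, current).items()}

# ---- constructed sample data -------------------------------------------------
CLEAN = {
    "WP.EXE":    b"MZ" + b"\x90" * 300,
    "PRINT.EXE": b"MZ" + b"\x90" * 120,
    "GAME.EXE":  b"MZ" + b"\x90" * 80,
}
BASELINE = make_baseline(CLEAN)

# Stand-in for an appended virus body: the text strings quoted in the book,
# padded to exactly 1,800 bytes. This is inert filler, not executable code.
SIG_TEXT = (b"EDDIE LIVES ... SOMEWHERE IN TIME! THIS PROGRAM WAS WRITTEN IN THE CITY"
            b" OF SOFIA 1988--1989 (C) DARK AVENGER")
APPENDED = b"\x00" * (1800 - len(SIG_TEXT)) + SIG_TEXT

INFECTED = dict(CLEAN)
for host in ("WP.EXE", "PRINT.EXE"):
    INFECTED[host] = CLEAN[host] + APPENDED

# A "new strain" with one string altered: the signature scan misses it, as the
# vendor warns, but the size and digest comparison still flags the file.
VARIANT = dict(CLEAN)
VARIANT["GAME.EXE"] = CLEAN["GAME.EXE"] + APPENDED.replace(b"EDDIE", b"EDD1E")

if __name__ == "__main__":
    for label, files in (("infected", INFECTED), ("variant", VARIANT)):
        deltas = changed_files(BASELINE, files)
        print(label, "common growth:", common_growth(deltas), triage(BASELINE, files))
```

In practice the baseline would be taken from installation media or a machine known to be clean, and the digest, not the size, is the value to trust: the size comparison is what the specialist in the text had available, and the constant 1,800-byte delta is what told him the growth was one program attached to many hosts.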
The supervisor phoned the vendor again: "Who the hell is the Dark Avenger?"
The short answer, the vendor explained patiently, is that no one knows. The Dark Avenger is an enigma. Most virus writers remain anonymous, their viruses appearing, seemingly, out of the ether, without provenance or claimed authorship, but the Dark Avenger is different: not only does he put his name to his viruses, he also signals where they were written--Sofia, the capital of Bulgaria. The Dark Avenger's viruses began seeping into the West in 1989. They are all highly contagious and maliciously destructive.
"The virus you've been hit with is called Eddie, or sometimes the Dark Avenger," the vendor told the increasingly worried technical-support supervisor. "It must be a new strain or something. That's why it wasn't picked up. Is there any other text message, a girl's name?"
The supervisor took a closer look at the virus. "I missed it before. There's another word here, Diana P. What does this thing do?"
"Well, as it's a new version, the answer is I don't know. Until we've seen a copy, it's anybody's guess."
To discover what a virus actually does, it has to be disassembled, its operating instructions--the program--taken apart line by line. This is a difficult and time-consuming process and can be carried out only by specialists. In the meantime the technical support staff could only wait and watch as the virus spread slowly through the company, bouncing from machine to machine via the network cables that interlinked the company's 2,200 computers.
Viruses like Eddie work by attaching a copy of themselves to an executable file; whenever an infected program is used, the virus springs into action. It usually has two tasks: first, to find more files to infect; then, after it has had enough time to spread its infection, to release its payload. It was obvious that Eddie was spreading, so it was already performing its infection task. What was worrying was what its payload would prove to be.
To arrest the spread of the bug, it was decided to turn off all the computers in the company and wait until the virus could be cleaned out. It was a difficult decision--it would mean downtime and lost business--but it was a sensible precaution. It was later discovered that the payload in the Eddie variant was particularly malicious. When unleashed, it takes occasional potshots at the hard disk, zapping any data or programs it hits. The effect is equivalent to tearing a page out of a book at random. The loss of the pages may not become evident until one can't be found. But on a computer, if the loss goes undetected over a period of time, then the backup files, taken as a security measure in case of problems with the originals, could also have pages missing. The slow corruption of data is particularly insidious. Any computer breakdown can cause a loss of data, necessitating some reentry of the affected transactions since the last backup. But if the backups are also affected, then the task could become impossible. At worst, the data could be lost forever.
In this instance some data was irrecoverably destroyed, even though only sixty machines were found to be infected. But, in a sense, the company had been lucky: because Eddie had taken a potshot at a secretary's word-processing program and knocked out its print capability, it was discovered fairly early on. Had it lurked undetected for longer, it could have destroyed even more data.
The process of checking all 2,200 computers in the company took four and a half days, with a team of twelve people working twelve hours a day. Every executable file on every hard disk on every machine had to be checked. The team had special programs to help with the task, but viruses could easily get wrapped up inside "archived" files--files that are compressed to save computer space--where they can escape detection. All archived files had to be expanded back to their full size, checked, and then packed away again. That took time. Also, all diskettes had to be checked, a nearly impossible task given the difficulty in finding them: diskettes have a habit of disappearing into black holes in desk drawers, in briefcases, in storage cupboards.
The computer diskette has now assumed the generality of paper as a medium for storing information. Staff with home computers often carry diskettes to and from their office, and it makes sense that diskettes containing valuable data should be stored off-site, as a precaution against problems with the office computer. But the home PC also encourages the transfer of viruses among families. A student might transfer a virus from college to home; a parent might transfer a virus from home to office. For the most part, viruses are spread innocently, but there is now such a large traffic in diskettes that it is usually impossible to trace the source of an infection.
After seven hundred hours of intensive effort, the technical-support staff felt confident they had eliminated all traces of Eddie. Their confidence was short-lived. Within a week Eddie was back. This time they lost a further one and a half days' work. (Because it is very difficult to remove all traces of a virus, 90 percent of victims suffer a recurrence within thirty days.) After the final bout of Eddie was cleared away, executives of the company tried to quantify how much the bug's visit had cost them--not that any of it would be recoverable from insurance. "We lost $500,000 of business--really lost business, not orders deferred until we could catch up, but business that had to be done there and then or it went to a competitor," said the company's chief financial officer. "We also lost data. That cost us $20,000. But what really hurt was the lost business. If we force a customer into the hands of a competitor, he might go there again. I guess that could cost us another $500,000."
The company tried to find out how the virus had got into its machines in the first place. Sometimes disenchanted employees (or ex-employees) have been known deliberately to cause havoc on computer systems, but it seemed unlikely in this case. The company concluded that the infection was almost certainly accidental, probably introduced on a diskette brought in from outside. All they knew for certain was that some Bulgarian who called himself the Dark Avenger had cost them $1 million.
Meanwhile, across the Atlantic in England, computer operators in government offices in Whitehall and regional centers were confounded by a new virus that spread, seemingly unstoppably, from office to office and department to department.
The virus was first observed in the House of Commons library in the Palace of Westminster. In early October 1990, researchers at the library became concerned about one of their computer systems. The library operates a PC-based research service for members of Parliament, providing information, background, and documentation on subjects of concern. Part of the service uses a network of Compaq computers, and it was this system that was causing problems. Computer files that should have been available suddenly appeared to be missing, while others were corrupted or incomplete, and some of the file names were distorted.
As the days went by, the problems multiplied, and the head of computer systems at the library called in an outside specialist. A virus-detection program run on one of the affected machines came up clean, but from the way the computers were malfunctioning, the specialist was convinced that the House of Commons library had been hit by a virus. He compared the lengths of the program files on an infected machine with those on a clean computer. As expected, the programs on the infected computer were longer, which suggested the unknown virus was attaching itself to the ends of program files. A visual inspection of the virus followed, revealing one full word in the jumble of characters on the screen: NOMENKLATURA.
The word is of Russian origin, though in common use throughout Eastern Europe. It was the name given to the upper echelons of the Communist party and the high-ranking bureaucrats--the class that did well from the old system, those who had access to the special shops and the special rations, the cars and the country homes. It is a pejorative now and was almost certainly picked by the virus writer for its ironic overtones.
A copy of the virus, immediately nicknamed Nomenklatura, was sent to a British researcher, Alan Solomon, who runs a specialist computer data-recovery service from Berkhamsted, northwest of London. When he disassembled the bug, he found he was looking at one of the most destructive viruses he had ever seen.
The virus's target proved to be the FAT, the all-important File Allocation Table. With the FAT corrupted, the computer would be unable to reassemble data files in the correct order--hence the gaps in the information accessed in the House of Commons library. Solomon also noticed a string of text characters within the Nomenklatura program. It could be a message, he thought, except that the text was represented on his computer screen by a code that appeared to refer to non-English-language characters, which looked like Greek or Russian. Solomon guessed it was Bulgarian.
To confirm his hunch, Solomon dialed an electronic bulletin board in Sofia, linking to the East European country via Fidonet, an international public-access computer network run by hobbyists. The board he accessed was owned by MicroComm, a subsidiary of the Bulgarian public telephone company. Once linked to the board, he managed to make contact with one of the company's engineers, Veni Markovski, who spoke a little English. Solomon uploaded the code to Sofia, and Veni looked at it with his Cyrillic converter. If the code represented Cyrillic characters, the converter--a program that translates keyboard strokes into Cyrillic--would recognize them and display the message in the virus. The text, though, would be in Bulgarian, which was why Solomon needed Veni's help.
The converter rapidly deciphered the code, changing it to Cyrillic. Solomon had guessed correctly. The phrase, Veni reported, was an idiomatic Bulgarian expression. It took some time to translate--Veni's English is poor--and its meaning is obscure. But, Veni said, it translates to something like: "This fat idiot instead of kissing the girl's lips, kisses quite some other thing."
Solomon wasn't surprised that the message was in Bulgarian. By 1990 everyone involved in computer security had become aware that something odd was going on in that obscure East European country. Increasingly sophisticated and damaging viruses that affected IBM-type PCs were moving into the West, carried on diskette or transferred by electronic bulletin boards, and all had one thing in common: they had been written in Bulgaria.
Though only a few of the viruses had actually been seen "in the wild"--that is, infecting computers--reports from Bulgaria suggested that two new viruses were being discovered in that country every week. By mid-1990 there were so many reported Bulgarian viruses that one researcher was moved to refer to the existence of a "Bulgarian virus factory." The phrase stuck.
The origins of that factory go back to the last decade. In the early 1980s the then president of Bulgaria, Todor Zhivkov, decided that his country was to become a high-tech power, with computers managing the economy while industry concentrated on manufacturing hardware to match that of the West. Bulgaria, he decided, would function as the hardware-manufacturing center for Comecon (Eastern Europe's Council for Mutual Economic Assistance, now defunct), trading its computers for cheap raw materials from the Soviet Union and basic imports from the other Socialist countries. Bulgaria had the potential, in that it had many well-educated young electronics engineers; what it didn't have, with its archaic infrastructure and ill-managed economy, was any particularly useful application for its own hardware.
With the resources of the state behind Bulgaria's computerization, the country began manufacturing copies of IBM and Apple models. The machines were slow-- very slow by today's standards--and were already obsolete even when they first started crawling off the production line. They had been "designed" at the Bulgarian Academy of Sciences, but without the help or blessing of either IBM or Apple. The Bulgarian machines were simply poorly manufactured clones that used the same operating systems and computer language as the real IBMs and Apples.
In the latter half of the 1980s shiny new computers started to appear in state organizations, schools, colleges, and computer clubs. Many were destined to sit on the boss's desk, largely unused, symbols of a high-tech society that never really existed. Few businesses had any real need for computers; some used them simply to store personnel records. It was a gloss of technology laid over a system that, at its core, wasn't functioning.
In addition, Bulgaria didn't have any software. While the factories continued to manufacture PCs, the most basic requirement--programs to make the machines function--had to be pirated. So the Bulgarians began copying Western programs, cracking any copy-protection schemes that stood in their way, and became more and more skilled at hacking--in the classic sense of the word. They could program their way around any problem; they learned the ins and outs of the IBM and Apple operating systems; they became skilled computer technicians as they struggled to keep their unreliable and poorly manufactured computers functioning. In short, they were assimilating all the skills they would need to become first-class virus writers.
The first Bulgarian viruses to arrive in the West were seen in 1989. They became increasingly sophisticated and malignant, progressing within a year from the relatively harmless Yankee Doodle to the more destructive Eddie and then to Nomenklatura, which was deadly.
Nomenklatura's attack on the House of Commons library had zapped data in the statistical section, rendering valuable information irrecoverable. From the House of Commons, the virus began to journey through other sectors of the British government, presumably carried on diskettes from the library. The virus traveled slowly, popping up first in one department, then spreading to another.
As soon as it was wiped out in one office, it would reappear elsewhere; it has not been completely eradicated to this day. Alan Solomon, a computer security specialist who worked on the case, is convinced that Nomenklatura's creator is the Dark Avenger.
In November 1988 stories about Robert Morris, Jr., and the Internet Worm were published in Bulgaria. The news, already exaggerated in the American press, became even more fanciful by the time it was retold in Bulgarian newspapers.
The worm excited the curiosity of two young men, Teodor Prevalsky and Vesselin (Vesko) Bontchev. They had been close friends for many years, had gone to university together, and had served side by side as officers in the Bulgarian army. Aged twenty-seven, they were both engineering graduates from professional families, which made them part of the privileged class in Bulgaria at the time.
The Bulgarian computer industry was in full swing by then, but the country had few uses for the new machines. In response, a magazine was started called Komputar za vas ("Computer for You"), to show readers how to do something constructive on their relatively worthless PCs. The magazine needed technical writers who could explain how the machines worked, and Vesko, provided with desk space at the magazine's offices, found that he could double his income of $45 a month by writing the articles. By Bulgarian standards his salary was already high; with the additional income from the magazine he was positively wealthy.
When news of the Internet Worm broke, Vesko and his friend Teodor discussed it at length. For Vesko, it would be the inspiration for an article; for Teodor, it was the catalyst for a new intellectual pursuit.
On November 10, 1988, Teodor sat down at a computer at the technical institute where he worked and started to write his first virus. He had managed to get a copy of Vienna, which had been copied from Ralf Burger's book, and he used it as a model for his own bug. On November 12th Teodor proudly made an entry in his diary: "Version 0 lives."
Version 0 was, in all probability, the first homegrown Bulgarian virus. It did very little except replicate, leaving copies of itself on what are called COM files--simple program files of limited length, used for basic computer utilities. When the virus infected a file, it beeped.
Just two days after writing Version 0, Teodor had prepared Version 2. It was more clever than the original in that it could infect both common types of executable files: COM and EXE. The latter are the more sophisticated programs--like word-processing, for instance--and because they are structurally complex they are more difficult to infect. But Teodor's Version 2 employed a little trick that would convert the shorter EXE files into COM files. When the operator called up, or loaded, an EXE file, the lurking virus saw the load command, jumped in ahead and modified the structure of the EXE file so it resembled a COM file. The next time a restructured EXE file was loaded up, it could be successfully infected by the virus, just like an ordinary COM file.
Teodor was also experimenting with anti-virus software at the time, and developed a program that would hunt down and kill Versions 0 and 2. It was called "Vacsina," the Bulgarian word for vaccine. However, by Version 5 Teodor had adapted his virus so that it was immune to his own killer program. He accomplished this by simply adding the character string "Vacsina" to the virus. When his anti-virus program saw the string, it would leave the bug alone.
It was shortly thereafter that Version 5 escaped. Like most Bulgarians, Teodor had to share his computer with colleagues at the Technical Institute; with four people using one machine, with software copying rampant, and with the casual transfer of diskettes, it was only a matter of time before one of the bugs began to propagate out of his control. Within weeks Version 5 had spread throughout Bulgaria. In less than a year it had reached the West--the first Eastern virus to jump the Iron Curtain. When the virus was examined, researchers discovered the text string "Vacsina," which immediately gave a name to Version 5.
Meanwhile, Teodor continued experimenting. By December 15, 1988 he had advanced to Version 8. On this variant the payload--the innocuous beep--now sounded only when an infected computer was restarted from the keyboard (a "warm reboot"), allowing it to remain hidden for longer. In the best programming tradition, all his improvements were duly documented and given version numbers as they appeared.
Later in December a new Bulgarian virus was discovered. It carried a text string which said it had been authored by a Vladimir Botchev. The bug was almost certainly written in response to one of Vesko's magazine articles: in November Vesko had stated that it would be "difficult" to write a virus that could infect all EXE files, including the longer ones, and Vladimir had presumably seen that as a challenge. His virus appeared less than a month after the article was published. It employed a novel and technically elegant device that enabled it to attach itself to any EXE file, no matter what length. After it infected a file it played the tune "Yankee Doodle"--in celebration, perhaps.
This virus was generally not damaging--its payload was the tune--and because it was easy to detect, it never spread. But the new bug's payload was immediately copied by Teodor in his new variant, Version 18, which appeared on January 6, 1989. This one didn't beep; instead it played "Yankee Doodle," which Teodor had lifted, note for note, straight from Vladimir's program.
Five days later, Teodor produced Version 21, which could remove the virus from infected files if a more recent version of this bug attacked the same system. Then, on February 6, 1989, Version 30 appeared. It incorporated a "detection and repair" capability that would warn the virus if it had been modified or corrupted while replicating. Eerily, it could then fix the damage itself by changing the corrupted instructions back to their original form. It was a kind of artificial life, though the repair capability was limited (it could handle only changes of up to 16 bytes in length).
By the end of February Teodor was on to Version 39 and his virus was now full of tricks: it could infect EXE files of any size, it could even evade antiviral software. As soon as it noted the presence of a detection program, it would detach itself from the infected file and hide elsewhere in the computer's memory.
With Version 42, which appeared in March, his virus took on a new role: virus fighter. The Ping Pong boot-sector virus, which is believed to have been created at Turin University in Italy, had now reached Bulgaria. Ping Pong (also called Bouncing Ball) was a joke virus: from time to time it simply sent a dot careering around the screen, like a ball in a squash court. Teodor's new virus could detect Ping Pong and was able to modify it in such a way that, after a time, it destroyed itself, leaving behind its corpse. He persisted with the tune "Yankee Doodle" as his payload, but he varied the time and frequency it would play. One of his next variants was Version 44, which plays the tune every eight days at 5 P.M. This was the version destined to become the most widely traveled of all Teodor's viruses: once again, it escaped from his office machine, probably on a diskette, and spread through Bulgaria; on September 30, 1989 it was sighted in offices of the United Nations in Vienna; and from there, now known as Yankee Doodle, it traveled the world. It was this version which caused mayhem at the California publishing house in July 1991.
Teodor continued to develop his virus. The last variant was Version 50, by which time it had been given the additional power to detect and destroy the Cascade bug, which had just arrived in Bulgaria from Austria. Cascade was another joke virus: it caused the letters on a computer terminal to fall down and pile up in heaps at the bottom of the screen to an accompanying clicking noise. After it had finished its performance, a user could resume his work--though he would need to replace the letters and words that had fallen from his screen. It wasn't particularly damaging, though the operator's nerves could well have been frayed.
After Version 50 Teodor began to explore some of his other ideas. One was a joke virus that hopped around a hard disk while challenging the operator to FIND ME! It was unusual in that it was nearly undetectable: unlike other viruses, Find Me! wouldn't infect the boot sector or a program file. It created its own home within infected systems by stealing the name of an EXE file and attributing it to a new COM file; this new COM file became its hiding place.
It was a clever trick. Teodor knew that on computers with two files of the same name the COM file is always loaded prior to the EXE file. So his little bug would get to the screen first, to taunt the operator with "Find Me!" messages. If the operator looked at his list of files he might notice that he had an extra COM file with the same name as one of his EXE files, but he generally wouldn't realize the significance. Even if he did, the bug would probably be one step ahead of him. From time to time, Find Me! would create a new COM file (always with the same name as an EXE file) and transfer itself to a new home, deleting the old one as it did so. In that way it continued to hop around the hard disk, usually well ahead of the increasingly irritated operator. It was possible to remove the bug completely, but it invariably took a few manhours of frustrating chasing.
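Two defender-side checks drawn from this chapter, written here as an added example and not taken from the book or from any of the programs it describes: Solomon's comparison of program-file lengths against a known-clean machine (the hint of an appending infector), and a scan for COM files that borrow the name of an EXE in the same directory, the DOS load-order quirk Find Me! exploited. The directory tree, file names and byte counts are constructed for illustration; the placeholder files contain no executable code.

```python
import os
import tempfile
from pathlib import Path


def build_sample_tree():
    """Constructed DOS-style program directory (placeholder bytes, no malware).

    Returns (root, baseline): baseline maps file name -> length recorded on a
    known-clean machine, the comparison Solomon made for the Commons PCs.
    """
    root = Path(tempfile.mkdtemp(prefix="dos_"))
    baseline = {"EDIT.EXE": 4096, "FORMAT.COM": 1024, "WP.EXE": 8192, "TREE.COM": 900}
    for name, size in baseline.items():
        (root / name).write_bytes(b"\x90" * size)
    # Simulate an appending infector: WP.EXE is now 512 bytes longer than baseline
    (root / "WP.EXE").write_bytes(b"\x90" * (8192 + 512))
    # Simulate the Find Me! trick: a stray COM file borrowing WP.EXE's base name
    (root / "WP.COM").write_bytes(b"\x90" * 650)
    return root, baseline


def grown_programs(root, baseline):
    """Program files longer than the clean baseline: {name: extra bytes}."""
    findings = {}
    for name, clean_len in baseline.items():
        path = Path(root) / name
        if path.exists():
            extra = path.stat().st_size - clean_len
            if extra > 0:
                findings[name] = extra
    return findings


def shadowed_exes(root):
    """COM files that share a base name with an EXE in the same directory.

    DOS resolves NAME.COM before NAME.EXE, so such a COM file runs first.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        by_upper = {n.upper(): n for n in names}
        for upper, _original in by_upper.items():
            if upper.endswith(".EXE"):
                com = by_upper.get(upper[:-4] + ".COM")
                if com is not None:
                    hits.append(str(Path(dirpath) / com))
    return sorted(hits)


if __name__ == "__main__":
    root, baseline = build_sample_tree()
    print("grown:", grown_programs(root, baseline))  # {'WP.EXE': 512}
    print("shadowed:", shadowed_exes(root))          # ['<tmpdir>/WP.COM']
```

On a real machine the baseline would come from a clean install or a signed manifest rather than from the same disk being examined, since a stealth virus of the kind described below can misreport lengths to anything that reads them through the infected system.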
Teodor also experimented with "stealth" viruses--silent, deadly, and almost undetectable bugs that evade antiviral software in much the same way that the Stealth plane evades radar detection. Stealth technology has been exploited by virus writers since 1986 (the Pakistani Brain virus has some stealth capability in that it is able to camouflage its presence on the boot sector), but Teodor's was the first that could add itself to a program file without, apparently, increasing the length of the file. Of course it was only an illusion: the virus would simply deduct its own length from the infected file whenever it was being examined.