Listen

The Dark Avenger

In 1989, a message was found in a virus: "Eddie Lives…Somewhere in Time!". 'Eddie' was a particularly nasty virus, and its discovery led a young Bulgarian security researcher down a rabbit hole, on a hunt for the prolific creator of the Eddie virus: The Dark Avenger.

Guests: Vesselin Bontchev, Graham Cluley

Hosted By:

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 9 million downloads as of June 2017.
The author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guests:

Vesselin Bontchev

Dr. Vesselin Bontchev was born in Varna, Bulgaria. He graduated from the Technical University of Sofia in 1985 with an M.Sc. in computer science (systems programming). He worked for the university's Laboratory for Microprocessors and Microcomputers and for the Institute of Industrial Cybernetics and Robotics at the Bulgarian Academy of Sciences, building expert systems. In 1988, he became interested in computer viruses and began producing freeware anti-virus programs. Two years later he became the Director of the Laboratory of Computer Virology at the Bulgarian Academy of Sciences. Dr. Bontchev presently works at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences in Sofia, Bulgaria.

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Episode transcript:

In the previous episode, we met the first computer virus programmers: engineers such as Bob Thomas who tried to stretch the limits of what was possible in the brave new world of computers.

During the 1980s, with the rise of the personal computer, these experts were cast aside to make room for a growing number of amateur programmers, who had discovered how easy it was to create a program capable of self-replication. Viruses turned from an esoteric rumor, traveling by word of mouth throughout the halls of academia and industry, into an absolute fact, with dozens of new viruses being discovered every day.

Unusually Cruel Payload

One such virus was discovered in late 1989 in a large number of computers in the U.S. and Europe. Security experts who analyzed the new virus identified a message hidden inside it as plain text. The message read –

“Eddie Lives…Somewhere in Time!”

Heavy Metal fans would have an easy time identifying the reference: ‘Eddie’ was the mascot of the famous heavy metal band Iron Maiden, and ‘Somewhere in Time’ was their sixth album. The hidden message gave the new virus its name: Eddie.

Finding hidden messages in viruses was rather common back then: these were usually addressed to other virus authors or to the security analysts themselves. However, Eddie was an exceptional virus due to its sophisticated and unusually cruel payload.
Harmful viruses that erased the data on the infected machine were rare, but not unheard of. Analysts were already familiar with destructive viruses such as Lehigh, which erased the data in every fourth floppy disk it infected, or the Jerusalem virus that was programmed to erase data every Friday the 13th. These were nasty viruses – but a smart user who kept proper backups could potentially recover from such an unfortunate incident.

Eddie, however, did not erase all the information stored on the computer at once, but gradually, over time – and randomly: a sector here, a sector there, pause and then another random piece of information somewhere else on the disk. This kind of destruction is similar to the difference between blowing up a house with dynamite or gradually pulling out the support beams, like a game of Jenga. A slow, continuous deletion of information means that by the time the user understands that the computer is infected with a virus, chances are that the backup was also corrupted, riddled with holes like Swiss cheese. This virus had a sort of evil that wasn’t found in other viruses yet. Who wrote Eddie? Well, a clue was found in a second message hidden in the virus.

“This program was written in the city of Sofia (C) 1988-89 Dark Avenger”

State-Sponsored Piracy

Sofia, the capital of Bulgaria, may seem like an unexpected source of such a sophisticated virus, but in the 1980s, this small eastern European country was considered like a Silicon Valley of the communist bloc. Bulgaria invested great resources in reverse-engineering western computers such as the Apple II, and producing local clones. This state-sponsored piracy enterprise did benefit Bulgaria’s economy greatly, and it produced a young generation of skilled engineers and smart programmers – but it also had an unexpected side effect. Bulgaria, we should remember, was a communist state, and so private companies were rare – and in particular private companies who made software. Furthermore, software piracy was very common in Bulgaria: hacking and copying software was the norm since basically the entire industry was based on it. This meant that you literally could not buy software in Bulgaria because no one was selling any. And if no one was making money from selling software, all these smart young programmers had nothing to do with their hard-earned computer skills.  Vesselin Bontchev was a young computer scientist living in Sofia at the time. He started his career in Information Security back when Bulgaria was under the iron curtain.

Vesselin Bontchev was a young computer scientist living in Sofia at the time. He started his career in Information Security back when Bulgaria was under the iron curtain.

Ran: I mean back then in Bulgaria, if you were an amazingly smart software developer, clever, did you have any economic future in that profession? Was there a job for a professional programmer?

Vesselin: It wasn’t like if you studied computers and then you had nothing to do. There was plenty to do. You could certainly get a job. You just couldn’t sell software. It was not economically feasible because everybody was pirating it.”

So, Bulgaria was packed full with young talented people who had enormous amounts of knowledge and easy access to personal computers, but no practical venue to channel their skills. There was no software industry in Bulgaria that could attract these young talents and use their skill in a positive way, so many of them found a creative outlet in writing viruses.

Virus Capital of The World

A thriving virus-writing underground scene developed in Bulgaria, with several Electronic Bulletin Board Systems (or BBSs, for short) serving as the main meeting places for hackers and virus authors. Here the young programmers shared viruses, exchanged source code snippets and discussed new ideas. Hundreds of new viruses came out of Bulgaria every year, making it the undisputed Virus Capital of the world.

Graham Cluley, a security analyst and a programmer who wrote anti-virus software in the early 1990s, describes the motivation and mindset of many virus authors who took part in the virus writing scene, both inside and outside of Bulgaria:

“Well, in the early days, there wasn’t much point to writing a virus. Usually, they were being written to show off to their friends, to their peer group. And so—in fact, I miss those days because the viruses back then was so much more visual and graphical, and so they would put funny messages up on the screen or that have some ASCII art or letters would drop down the screen or you’d have a green caterpillar crawling across the screen eating up your letters and pooing them out the other end brown. You know, you knew when you had a virus.

Viruses way back then would do something visual because they needed to announce their presence or they’d play a tune through your speaker and, you know, even the typical guy in the accounts department would know that something bad had happened.” “Mostly, they wanted to show to the world how clever they are. Almost all viruses had something interesting in them either some unusual trick or displaying some interesting video effects and even the few ones that were intentionally destructive, they also try to do something clever.”

The Dark Avenger

The Dark Avenger was a prominent figure in the Bulgarian virus scene. Eddie’s international success made him a celebrity in these online forums, and many copy-cats created new versions of his virus. After Eddie, the virus that made him famous, the Dark Avenger released a number of other viruses. Some, such as virus named ‘Nomenklatura’, had destructive payloads just as nasty as Eddie. Others were less destructive but employed clever ideas and tricks.  For example, he made two viruses that cooperated with each other. The first was a virus named Anthrax, which as part of the infection process, would plant a “dormant” copy of itself in some remote area of the hard drive. If Anthrax was discovered and removed by an anti-virus software, it was very likely that the dormant copy survived. The second virus was called V2100, and it was programmed to scan every computer it had infected for the dormant copy of Anthrax. If it had found such a copy, it would “bring it to life”- or more accurately, it would copy it back into the computer’s memory.

One of the Dark Avenger’s most memorable creations was the one called MtE- short for “Mutation Engine”. This wasn’t a virus, but a software library that was meant to help virus authors – a kind of plugin that turns a plain virus into a more sophisticated one. This plugin gave the viruses an ability called Polymorphism, or simply put- Shapeshifting. With every infection, the virus re-encoded itself and changed its appearance just a little, so that the anti-virus software would have a harder time identifying it. It’s kind of like a burglar who can change his fingerprints so that the police won’t be able to prove a link between two separate break-ins.

Polymorphism existed before the Dark Avenger, but it was considered an advanced technique that was beyond the reach of amateur programmers. Polymorphism demanded a relatively in-depth understanding of cryptography techniques, and there were very few viruses that actually implemented polymorphism. But the Dark Avenger’s Mutation Engine changed the rules of the game: it allowed inexperienced virus writers to incorporate advanced polymorphism in their virus through a few lines of code, which referred to an existing code in the Mutation Engine. Nowadays, using code libraries to implement advanced functions in your software is considered common practice, but the idea was unheard of in the virus world at that point and created great excitement among many virus writes.

A Face to Face Confrontation

The following years saw the appearance of many new viruses that used the Mutation Engine and forced many security companies to redesign their anti-virus software.  Vesselin Bontchev, because he was living in Sofia, was almost always the first security expert to get his hands on the Dark Avenger’s latest virus and to analyze it thoroughly, and the Dark Avenger didn’t always like what Bontchev had to say. Although the Dark Avenger’s viruses were very sophisticated, they were not perfect. Vesselin claimed that despite his sophistication, the Dark Avenger was a sloppy programmer, who made many mistakes and unnecessary errors. In other words, he was talented – but still an amateur.

It would seem, that this critique made the Dark Avenger angry, and he developed a personal grudge against Vesselin. Some of his viruses contained slurs against Vesselin, and one virus was designed to search the infected machine for a specific antivirus software created by Vesselin – and if it was installed, erase it. Eventually, this personal animosity even led to a  face to face confrontation.

It began when Vesselin came across a new virus, supposedly authored by the Dark Avenger. Its name was Number Of The Beast – again, after an Iron Maiden album. Number Of The Beast was an extremely sophisticated virus and packed many clever tricks and hacks into a tight package of only 512 bytes. Vesselin analyzed the new virus and was thoroughly impressed.

“It has incredible number of tricks for such a small program. So, for me, it’s a really amazing piece of work.”

The only problem was that Vesselin didn’t believe the Number Of The Beast was written by the Dark Avenger. For starters, its programming style was very different from that he knew from analyzing prior Dark Avenger viruses. It was clean, efficient and hinted at a very high level of expertise. Secondly, it was non-destructive, which was unusual for the Dark Avenger.

A few days later, Vesselin gave a speech at the University of Sofia, and there he discussed the new virus and his suspicion that it was not written by the Dark Avenger because it was, frankly, just too good. Little did he know that the Dark Avenger was sitting in one of the chairs in front of him.

“When I met him actually in person for the first time, I think it was in December of the same year, when I had a speech about computer viruses at the Sofia University, the University of Sofia, and he was one of the people who approached me. I didn’t know at the time that he was the Dark Avenger, but he already—he immediately created an unpleasant feeling. I mean he was a relatively short person, obviously in a confrontational mood. His whole body language was saying, “Who are you to tell about computer viruses? You don’t know anything. I’m much smarter than you,” and things like that. He was just an unpleasant person to talk to.”

Two days later, Vesselin found an anonymous letter in his mailbox. It was from the Dark Avenger.

“The author of the Eddie virus is writing to you. I have been reading your pieces of stupidity for quite a long time but what I heard in your lecture was, to put it boldly, the tops. I will tell you that my viruses really destroy information but, on the other hand, I don’t turn other people’s misfortunes into money. Since you [get paid to] write articles that mention my programs, do you not think I should get something?”

Fueling The Rage

Interestingly enough, this same criticism was pointed at Vesselin Bontchev from others in the security community as well. Some had accused him that his pointed analysis of the Dark Avenger’s viruses was just fueling the virus authors rage and determinism to create more destructive viruses. Another critic wrote to Vesselin:

“What I have never understood, is your glorification of the Dark Avenger’s little innovations. It seems almost to be encouraging him to invent them so that you provide [him] the publicity he seems to crave. This crap just provokes virus writers to try to surprise us.”

Vesselin rejected these accusations, of course. In his reply to the said critic he wrote –

“This is not a glorification. I listed the innovative things he has invented in virus writing. They are harmful. There is no glory in inventing them ­- only a shame. Yet, they are important attacks against some of the virus defenses, attacks that have forced us to re­design these defenses.”

It is interesting to note that such bitter rivalry was not characteristic of the relations between information security experts and virus writers at the time. In fact, the opposite is closer to the truth. Virus writers would often send their work to antivirus companies, asking to hear the experts’ opinions: will the virus work? What do you think of this clever trick I added? Such cooperation sounds strange today- it’s hard to imagine the creator of Stuxnet or Zeus, the banking Trojan, sending a copy of their malicious software to one of the security experts for a review. But in those days, like we said earlier, the motivation for creating viruses was different- an intellectual challenge and the desire to show everyone how smart you are and not financial motivation, for example. This is something that I as a writer can relate to: the only thing worse than a brutal review of your book is no review at all… No one wanted to write a virus that no one would ever see.

Most virus writers maintained their anonymity while communicating with information security experts, but Graham Cluley also remembers some more personal encounters.

“I’d sometimes met them at computer shows, so you’ll be, you know, manning the booth at some ghastly computer show and members of the public come up to you and ask you questions and occasionally someone would come up and say, “Hi, I’m Garbage Heap.” It’s like, “Oh, really? Do I call you Garbage or Mr. Heap?” you know, and he might talk about whatever you said about his virus and you tell him something about his virus and you have that—those kind of conversations. It doesn’t tend to happen as much these days obviously because I think the typical malware author realizes just how much serious trouble they can get into. But back then, certainly it did happen. Normally though—I mean you wouldn’t meet these guys in person.”

Fancy Names

So, who was the Dark Avenger? From the names he gave to his viruses we can safely assume that he was a heavy-metal fan. What about the nickname itself? Can it tell something about his personality? Unfortunately, probably not. As Cluley explains, such fancy names were quite the rage back then.

“I think many of them in the early days were really doing it for fun because they were into computers and they wanted to hang out at least electronically with other guys who shared the same interest. And they would create alter-egos for themselves so they would have these fanciful names like Nowhere Man, Patchy Warrior, Ice-9, Colostomy Bag Boy, you know. They would have these—and it was a bit like, you know, thinking of members of the World Wrestling Federation, you know. They have all this bravado and they have this great big name but, you know, in reality, that wasn’t what they were at all. But they had this alter-ego online where they would, you know, describe themselves as dark, phantom or something like that and it’s like, “Come on.””

Sarah Gordon

Surprisingly, the person who was perhaps closest to the Dark Avenger, outside of his close-knit group of Bulgarian virus authors, was an American social worker named Sarah Gordon, who developed a special relationship with him. Sarah described how this odd relationship came to be in an article she later wrote titled – ‘Inside the Mind of the Dark Avenger’.

“About three years ago I was introduced to the man known as Dark Avenger. Having just purchased a PC, and finding myself the proud owner of not only the PC but of the Ping­Pong virus as well, I found my way to [an online Information Security forum]. Watching the information fly back and forth, suddenly there appeared a new name: Dark Avenger. I was intrigued by his style and the hype surrounding him. At some early point of participation in the forum, I commented that I would like to have a virus named after me, hoping to draw his attention.”

This act drew a lot of criticism towards Gordon, with many people accusing her of encouraging the virus author. Gordon later apologized, but her controversial act proved itself worthwhile.

“With the release of the now­ infamous Mutation Engine, I found Dark Avenger had indeed noticed me. The demo virus which accompanied the engine contained the text: “We dedicate this little virus to Sara Gordon, who wanted to have a virus named after her.” […] I sent him a message […] written slowly and laboriously in Bulgarian, and I briefly stated that I would like to ask him some questions.”

The Dark Avenger agreed, and the two communicated at length via emails and chat.  Among other things, Gordon asked the Dark Avenger why his viruses were so destructive. He replied with the following:

“At that time there were few PCs in Bulgaria, and they were only used by a bunch of hotshots (or their kids). I just hated it when some asshole had a new powerful [computer] and didn’t use it for anything, while I had to program on a [weak computer] with no harddisk (and I was lucky if I could ever get access to it at all). Actually, I don’t know why I’m saying all this. The real answer is: I don’t know. And I didn’t care. I also don’t care very much now, I’m afraid. I just want the other people to leave me alone. The weasel (Vesselin Bontchev) can go to hell. By the way, if you really think you should not break any laws, you can start by purchasing MS-DOS, or turning off all your computers permanently. First law of computer security: don’t buy a computer. Second law: if you ever buy a computer, don’t turn it on.”

Gordon, perhaps due to her prior experience with working with delinquent youths in other fields, wasn’t impressed by the Dark Avenger’s harsh tone and bravado. In her analysis of his personality she wrote:

“[The Dark Avenger is neither] a grazed technopath, nor a maniac intent on destroying the world. [However,] He has very little in common with the usual crop of virus writers I have talked to. He is, all in all, a unique individual.”

Alterego

If Sarah Gordon learned of the Dark Avenger’s real identity during their many conversations, she never revealed it to anyone. She did, however, address one question that kept nagging at people’s curiosity. Could it be that Vesselin Bontchev himself was the Dark Avenger? After all, the rumors said, it was because of the Dark Avenger that Bontchev became so well known. Could it be that Bontchev is a sort of Peter Parker who publishes Spiderman’s exclusive photos? In her article, Gordon wrote –

“Many people have asked me: “Is Vesselin Bontchev the Dark Avenger?”; in fact, one of the reasons I became so intent on finding the Dark Avenger was to learn the answer to this question. I can state unequivocally that the Dark Avenger is not Vesselin Bontchev.”

”Ran: When I read the news reports from back then, there were those who speculated on who the Dark Avenger was and some of these speculations, people were saying maybe that’s Dr. Bontchev, maybe the Dark Avenger is a kind of an alter-ego like Superman and Clark Kent.

Vesselin:  No, that’s nonsense. The two of us are nothing alike. We have completely different personalities. We’re not the same person.”

True Identity

Vesselin says he spent a lot of time trying to uncover the true identity of the Dark Avenger, and was finally able to point a finger at a likely target: a brilliant 23 year old student at the Institute of Mathematics at the Bulgarian Academy of Sciences. His personality, as described to Vesselin by the man’s friends, fit that of the man he met after the talk he gave at the University of Sofia.

“Ran:  How did you discover later that that particular person is the Dark Avenger?

Vesselin:  I suspected sooner or later about the person who talked to me then was the Dark Avenger. And later, I think one of the people from the group who knew that it was him, he didn’t exactly tell me, but implied very strongly that, yeah, I’m right and this was the person. He’s calling himself Dark Avenger.”

Furthermore, that student was part of a group of people who collaborated on writing viruses. That explained to Vesselin why the programming style of The Number Of The Beast virus was so different from that of the Eddie virus: parts of The Number Of The Beast were given to the Dark Avenger by other programmers. But still, Vesselin had no proof, and so he said nothing. Not that it would have mattered much if he did: writing viruses wasn’t considered illegal in Bulgaria at the time.

A Career Change

The Dark Avenger continued releasing new viruses for about 4 more years, until in 1993 he suddenly stopped. What happened? Did the Dark Avenger reform, regretting his deeds? Sarah Gordon claimed that the Dark Avenger promised her he would stop writing viruses. Vesselin Bontchev, however, suspects a much more practical reason: the Dark Avenger turned his attention to other, more lucrative fields of online crime.

“I heard that he started getting into hacking, into breaking into other people’s computers.”

But it seemed that the Dark Avenger’s luck ran out: apparently, he was caught red-handed hacking into a Bulgarian company’s network. The story that reached Vesselin is that the network’s system administrator discovered the break-in, and managed to identify the intruder’s whereabouts.

“And he reported this problem to the company and reportedly the company sent three people who got this person and beat him up significantly and then broke his hands. At least it is what I heard. I don’t know.“

It would appear then, that the career change did not go well for the Dark Avenger, to say the least, and he was forced into early retirement. The Bulgarian virus empire also did not survive for long, and after the collapse of the Soviet Union, Russia began to take the lead in the world of cybercrime. n the next episode of Malicious Life, we will trace the early stages of organized cybercrime and the economic fuel that allowed criminals to build cybercrime empires: everyone’s favorite online pest – Spam. We will discover how spam was responsible for the transition from self-replicating viruses to trojans that created huge networks of ‘zombified’ computers, or Botnets. And we will tell the amazing story of one company that dared face the cyber-underworld, and paid dearly for doing so.

X

WANT TO GET OUR FREE T-SHIRT?