Inside the Mind of Dark Avenger
By Sarah Gordon
This article is an abridged version of the original, which first appeared in the January 1993 issue of Virus News International.
copyright © 1993, VFR Systems International, Sarah Gordon. Excerpted from a compendium appearing originally in Virus News International. This document may not be reproduced in whole or in part, stored on any electronic information system, or otherwise be made available without prior express written consent of the author.
The Bulgarian Dark Avenger writes viruses. Much like Hannibal Lecter, he is clever - and cunningly dangerous. In a unique interview, Sarah Gordon - much like Clarice Starling - explores the cold logic of a criminal brain.
About three years ago I was introduced to the man known as Dark Avenger. Having just purchased a PC, and finding myself the proud owner of not only the PC but of the Ping-Pong virus as well, I found my way to the Fidonet virus echo. Watching the information fly back and forth, suddenly there appeared a new name - Dark Avenger. I was intrigued by his style and the hype surrounding him. At some early point of participation in the forum, I commented that I would like to have a virus named after me, hoping to draw his attention. Had I understood at that time quite what viruses actually entailed, I would not have made that statement. As I talked with anti-virus researchers and product-developers, I began to understand the issues. I also talked to virus writers. Having a background in juvenile correction, I found their attitude typical of youths in crisis. Their response to public mail demonstrated the attitude so prevalent in interaction between rebellious teenagers and authority figures. Their private mail (which I have not and will not disclose) resembled the private conversations I'd had when counseling in a one-on-one situation: frustration, anger and general dissatisfaction followed by small glimpses of conscience - often resulting in a decision to at least consider the consequences of their actions. Some, like their more traditional counterparts, never made it to that final stage, but at least we had some stimulating discussions. I've had, and continue to have, detailed conversations with virus writers, focusing on the reasons behind their misdirected creativity.
Time passed, and still Dark Avenger continued to haunt me. Why had he not responded to me like the majority of virus writers? Despite several failed attempts to contact him, he remained elusive.
Enter the MtE
With the release of the now-infamous Mutation Engine, I found Dark Avenger had indeed noticed me. The demo virus which accompanied the engine contained the text: "We dedicate this little virus to Sara Gordon, who wanted to have a virus named after her." Many people asked me about this, and I became quite accustomed to people assuming I knew Dark Avenger personally. The fact of the matter is, at that time, he was still a mystery. How could I explain to people that I "knew" him, yet had never spoken with him? I'm not a programmer, yet I knew him from looking at his viruses. I have no formal background in computer science, but I could understand what he was doing and how he was feeling, despite some people arguing that there is no such thing as "instinctive hacking". Few people believed me at that point; yet the fact is, at that time, I had never spoken with him directly.
When I learned Christopher Seeley was talking on a semi-regular basis to someone identified by both Alan Solomon and Vesselin Bontchev as Dark Avenger, I sent him a message to pass on to (dav). The message was written slowly and laboriously in Bulgarian, and I briefly stated that I would like to ask him some questions.
His response came quickly. I immediately recognised the author as the creator (not necessarily distributor) of the viruses attributed to him. We exchanged several electronic messages, routed through various gateways. Eventually - with the assistance of various intermediaries - I was able to speak "live" (or at least electronically) with Dark Avenger.
Since that time we have exchanged many messages, this interview being an edited compendium of our messages and conversations taking place over a five-month period. He agreed to allow me to ask him these questions, and I agreed to allow him to remove any questions or responses he was not comfortable answering or making public.
Who is the Dark Avenger? Many people have asked me: "Is Vesselin Bontchev the Dark Avenger?"; in fact, one of the reasons I became so intent on finding the Dark Avenger was to learn the answer to this question. I can state unequivocally that the Dark Avenger is not Vesselin Bontchev. Neither is he a crazed technopath, nor a maniac intent on destroying the world. He has very little in common with the usual crop of virus writers I have talked to. He is, all in all, a unique individual.
Sara Gordon - Some time ago, in the Fidonet virus echo, when you were told one of your viruses was responsible for the deaths of thousands, possibly, you responded with an obscenity. Let's assume for the moment this story is true. Tell me, if one of your viruses was used by someone else to cause a tragic incident, how would you really feel?
Dark Avenger - I am sorry for it. I never meant to cause tragic incidents. I never imagined that these viruses would affect anything outside computers. I used the nasty words because the people who wrote to me said some very nasty things to me first.
SG - Do you mean you were not aware that there could be any serious consequences of the viruses? Don't computers in your country affect the lives and livelihoods of people?
DA - They don't, or at least at that time they didn't. PCs were just some very expensive toys nobody could afford and nobody knew how to use. They were only used by some hotshots (or their children) who had nothing else to play with.
I was not aware that there could be any consequences. This virus was so badly written, I never imagined it would leave the town. It all depends on human stupidity, you know. It's not the computer's fault that viruses spread.
SG - It is said many people working for the government and companies in Bulgaria had computers at that time. Isn't this correct?
DA - I don't know who said that, but it's not true. Actually, at that time, most of the people in Bulgaria did not even know what a computer was.
SG - Did you have access to modems at that time? Did you ever make use of virus exchange systems to send your viruses? I've seen your name on some of the mail coming from those systems.
DA - At that time, I did not have access to a modem. At that time there were no virus exchange systems, I think. I've been on some of them, but that was much later. I never made any "use" of them, I was just fooling with them. I've been on almost no VX systems using that name. If you saw it somewhere, probably it was just some imposter, not me. When I have called any of them they (the sysops) insist I have written many more viruses. It's very difficult, when you're (dav) [Dark Avenger] and you upload a virus, to make out that you didn't write it.
SG - Did you ever call the virus systems using your real name?
DA - Not a real name but a name that sounded like a real person.
SG - Why didn't you ever contact me?
DA - I did. I left you a message once. Well, it was not to you, but I put something in it for you.
SG - Yes, I remember that one. Something about: "You should see a doctor. Normal women don't spend their time talking about computer viruses." I answered it, if you recall?
DA - Yes. You said: "I do not want to be a normal woman, at least not in Bulgaria."
SG - Yes, but why didn't you talk to me directly?
DA- I didn't know you wanted to talk to me. Why didn't you send me mail?
SG - I was afraid of you. Anyway, why did you dedicate that virus to me?
DA- You said you wanted it.
SG - People have wondered why you wrote your first virus. Why did you write it and do you have any regrets about it?
DA- I wrote it because I had heard about viruses and wanted to know about them, but nobody around me could tell me anything. So I decided to write my own. I put some code inside it that intentionally destroys data, and I am sorry for it. I started working on it in September 1988.
SG- Couldn't you have asked someone who had a virus to show it to you?
DA- I knew nobody who had a virus. In fact, I think that at that time, nobody in Bulgaria had one.
SG- Where did you hear about viruses? What in particular caught your interest?
DA- There was a magazine called Computer For You, the only magazine in Bulgaria at that time. In its May 1988 issue there was a stupid article about viruses, and a funny picture on its cover. This particular article was what made me write that virus. Of course, this was not the first time I heard about viruses. I was interested in them, and thinking of writing one a long time before that. I think the idea of making a program that would travel on its own, and go to places its creator could never go, was the most interesting for me. The American government can stop me from going to the US, but they can't stop my virus.
SG- It has been stated by Valery Todorov that he wrote his first virus, WWT, because he was curious as to whether he could write one or not, but that he wrote his second virus because Vesselin Bontchev (often called the Number One Enemy of Dark Avenger) gave him the idea. Did you get any ideas from other people's viruses? Have you ever written a virus with someone else?
DA- No, but for someone else, yes.
SG- For who?
DA- For you.
SG- How do you feel about the destruction of data?
DA- I think it's not right to destroy someone else's data.
SG- If you think that, then why did you put destructive code in your viruses?
DA- As for the first virus, the truth is that I didn't know what else to put in it. Also, to make people try to get rid of the virus, not just let it live. At that time, I didn't think that data in PCs could have any great value.
SG- Do you mean the data in PCs in Bulgaria is of no value?
DA- As I said (or did I?), at that time there were few PCs in Bulgaria, and they were only used by a bunch of hotshots (or their kids). I just hated it when some asshole had a new powerful 16Mhz 286 and didn't use it for anything, while I had to program on a 4.77Mhz XT with no harddisk (and I was lucky if I could ever get access to it at all).
Actually, I don't know why I'm saying all this. The real answer is: I don't know. And I didn't care. I also don't care very much now, I'm afraid. I just want the other people to leave me alone. The weasel (Vesselin Bontchev) can go to hell.
By the way, if you really think you should not break any laws, you can start by purchasing MS-DOS, or turning off all your computers permanently. First law of computer security: don't buy a computer. Second law: if you ever buy a computer, don't turn it on.
SG- Don't you feel responsible if someone else uses one of your viruses to cause actual harm to a person's machine?
DA- No. If they wanted to cause harm, they wouldn't need my viruses. They could simply type "format c:" or something else that is much more effective.
SG- How can you say this? By writing and distributing the viruses, making them available, you do provide people with the idea and the means, in the same way you were initially provided. By doing this, your actions affect innocent users.
DA- The innocent users would be much less affected if they bought all the software they used (and from an authorised dealer) and if they used it in the way they are allowed to by the license agreement. If somebody instead of working plays pirated computer games all day long, then it's quite likely that at some point they will get a virus.
Besides, there's no such thing as an innocent user, but that's another subject.
SG- What about the fact that you're giving people the idea, by creating such clever viruses?
DA- Ideas are not responsible for people who believe in them. Or use them. Or abuse them. Also, I didn't write them to "provide" anybody with anything. The weasel is the one who "provides". I just wrote them for fun. I couldn't care less for all the suckers who see/use them. They were not supposed to make such a big mess.
SG- Still, you have provided them with an insidious weapon. Don't you feel that by providing them with such clever computer tricks, you are contributing to hurting the innocent users?
DA- I don't provide nobody with nothing. The weasel provides.
SG- How does he provide?
DA- He just "provides". That's one of his favorite words. I don't want to talk or think about it.
SG- What do you think about the new crop of virus writers, like Falcon/Skism and nUkE?
DA- They are kids, most of whom seek fame (and achieve it easily with the help of a-v people). Most of them are not good at programming viruses at all.
SG- Well, at least that is some point you and the a-v community agree upon. You have achieved a certain amount of "fame" yourself. How does it make you feel when you see your name in magazines and mail? How do you feel when you see your viruses "defeated" by anti virus programs?
DA- I wrote the virus so it would be killed, like I said. It was not supposed to do all this. I like seeing my name in magazines and in messages. I used to read all the messages about me, but I like it most when I see it printed somewhere. And I liked it a LOT seeing my things in western a-v programs. First time I saw McAfee Scan was about version 5.0 or so. I liked it a lot. I was just excited, happy.
SG- Where did you get that name, Dark Avenger?
DA- I didn't really "get" the name. I mean, I didn't call myself that. I put those words in the virus and someone else (we both know who) said it was written by the Dark Avenger. He's the one that made me be the Dark Avenger, that name. I didn't use the name until after he called me that. That phrase itself came from some old song from a long time ago, and not from an Iron Maiden song, like some people have said. In many ways, I suppose you could say he made the Dark Avenger.
SG- How long do you think you continue writing viruses?
DA- I don't. I never planned it.
SG- You misunderstood the question. Are you going to continue writing viruses?
DA- I don't know. It depends on what will happen to me.
SG- What do you mean?
DA- I mean, I will not normally write/spread any destructive or virus code, unless something extraordinary happens. Well, not if they put me in jail. If they do, and I ever get out, I will not be in a mood for programming. It is not/was not a crime to write the viruses, so I don't think this should happen. I just am not interested in writing them now.
SG- Do you know the difference between right and wrong?
DA- Why do you ask me this? In American movies, at the end, always the good guy gets the money, the girl and the applause, and the bad guy gets in jail or something. But in real life, it's not clear who is good and who is bad, and who gets what. It's not black and white. The only thing that is for sure is that good people always lose.
SG- Have you ever considered making an anti-virus product, other than the fake doctor.exe which is actually a virus?
DA- I have considered it many times, but anti-virus products are as useless as viruses. As for doctor.exe, it's not fake, it really does the job as it says it does.
SG- Why do you say they are useless? Don't you think they help protect users from common viruses?
DA- The users spend much more money on buying such products and their updates rather than on the losses of data damaged because of viruses. The a-v products only help the users to empty their wallets. Besides, viruses would spread much less if the "innocent users" did not steal software, and if they worked a bit more at their workplace, instead of playing games. For example, it is known that the Dark Avenger virus was transported from Europe to the USA via some (stolen) games.
SG- But viruses have now spread far beyond games. Most viruses are known to come by other routes.
DA- Sure they spread beyond the games. Still, I've never found a virus on any original disk from a package I bought from Borland International.
SG- But I got my first virus from commercial software! Don't you remember my telling that story?
DA- Not from Borland International. Some places you get a virus, some places you don't.
SG- It is said that your fellow Bulgarian, Vesselin Bontchev, did many things to provoke the virus writers. Did he provoke you?
DA- This is quite true, and I don't think he ever denied it. If he did, it would be a lie. There are a lot of people in Bulgaria who know it and can confirm it, but I don't think this was a big contribution to virus writing - his viruses were pretty worthless. He is not a good programmer.
SG- Do you feel that conditions in your country really help create virus writers as was stated by Bontchev in his "factory" paper? What can you tell me about the conditions in your country that contributed to your writing your first virus?
DA- I don't think the conditions in my country help create virus writers any more than conditions in any other country in Eastern Europe. Not after a certain person we both know left the country. As for my first virus, it had nothing to do with that.
SG- What contribution could "a certain person" have made to assist you (or anyone) in writing a virus? Don't you think that the conditions affecting the economy and computer technology of your country have indeed contributed to the overabundance of virus writers coming from former Eastern Bloc countries?
DA- His articles were a plain challenge to virus writers, encouraging them to write more. Also they were an excellent guide how to write them, for those who wanted to, but did not know how. It never said that he himself wrote some.
SG- According to some people, the story of viruses being such a big problem from Bulgaria begins with: "Soon hackers obtained a copy of the virus and began to hack it... some were optimised by hand. As a result, now there are several versions of this virus that were created in Bulgaria - versions with infective length 627, 623, 622, 435, 367, 353 and even 348 bytes." It is said many young people brought Bontchev viruses in those early days.
DA- Sure they did. Do you know the viruses vhp and vhp2?
SG- I think I may have heard of them.
DA- I think you don't want to know about this. I will send you a copy of a book that will tell you all about it. You don't want to hear it, and most of all you don't want to hear it from me.
SG- Did you ever personally give a virus to Vesselin Bontchev? Have you ever met him? There is such an animosity between the two of you, which seems unlikely to exist for two "strangers". Why is this?
DA- Please, let's not talk about him ever again. I don't want you to talk to him.
About the Author
Sarah Gordon's work in various areas of IT Security can be found profiled in various publications including the New York Times, Computer Security Journal and Virus Bulletin. She is a frequent speaker at such diverse conferences as those sponsored by NSA/NIST/NCSC and DEFCON. Recently appointed to the Wildlist Board of Directors, she is actively involved in the development of anti-virus software test criteria and methods. She may be reached as [email protected]