Dr. Vesselin Bontchev: Non-Replicating Malware Has Taken over the Computer Virus


Did you know that Sofia, the capital of Bulgaria, was the birthplace of one of the most destructive and infectious computer viruses of the late 90’s? The Dark Avenger first appeared in the spring of 1989, just in time for the fall of the communists. Four years before that, Vesselin Bontchev, now a Ph.D., graduated from the Technical University of Sofia with an M.Sc. in computer science.

Coincidentally or not, Dark Avenger frequently attacked Dr. Bontchev (for more information, have a look at his paper The Bulgarian and Soviet Virus Factories).

Dr. Bontchev is indeed one of the leading minds in computer security in Europe, who has dedicated his life to anti-virus research:

  • He has worked for the Technical University of Sofia’s Laboratory for Microprocessors and Microcomputers;
  • He has worked for the Institute of Industrial Cybernetics and Robotics at the Bulgarian Academy of Sciences;
  • He is a founding member of CARO (the Computer Anti-virus Researchers’ Organization) and a founding member of VSI (the Virus Security Institute).

Today Dr. Bontchev can be found at the National Laboratory for Computer Virology at the Bulgarian Academy of Sciences in Sofia. Besides being a true master in computer security matters and a contemporary of Dark Avenger, Dr. Bontchev is a great interlocutor. He also doesn’t own a smartphone.


STF: Your professional background is quite impressive. How did you become interested in computer viruses specifically?

Dr. Bontchev: Self-replicating programming constructs have always fascinated me. When I first learned how to program in 1978, my very first moderately complex program (I mean, something more sophisticated than trivial stuff like solving quadratic equations) was a FORTRAN implementation of J. H. Conway’s game of “Life”. It is a relatively simple simulation of two-dimensional finite automata on a grid of square cells, with each cell being either empty or full. The full cells form configurations, which develop in time according to a rather simple set of rules. Some of the basic configurations, like the “glider”, replicate themselves to different positions on the grid, simulating “movement” across the grid.

As an aside, the very first version of my program didn’t fare very well. At the time, I knew nothing about how computers worked and what their limitations were. For me, the computer was just a black box into which you input a program and out of which came the result. Since I wanted to detect configurations with cyclical development, I made my program simulate a 100×100 grid, remembering each configuration over 100 steps. The machine I was trying to run this program on was a Russian clone of an IBM System/360 with pitiful (by contemporary standards) 128 Kb memory, so my program was aborted due to a memory overflow.

Later I read C. Wetherel’s book “Etudes for Programmers”. It described several “hard” programming problems without offering any solutions for them; the solving was left as an exercise to the reader. One of these problems was to write a program that doesn’t input anything but outputs its own source. (Nowadays such programs are called “quines”.) I tried hard but couldn’t solve that problem at the time.

A few years later (in the early 1980’s) I read an article in “Scientific American” by Martin Gardner (one of my favorite authors). It described the computer game “Core War”, in which two programs, created by the two players and written in a specialized language, would fight each other on a simulated computer. One of the very successful early programs, the “Imp”, was a self-replicator, quickly overwriting the available memory with copies of itself.

In the late 80s (I was a computer science student at the Technical University of Sofia), I was doing some volunteering work as a technical consultant to the only Bulgarian computer-related magazine, “Computer for you”. One day (it was in 1987, I think), they asked me to help translate an article from the German magazine “CHIP”. The subject of this article was computer viruses.

I didn’t know any German at the time, but that wasn’t the problem. The article was already “translated” by a professional translator – one who knew German very well but who didn’t have any knowledge of computers and computer-related terms, so many of the expressions looked rather funny. For instance, the part of the article describing the Brain virus (which changes the volume label of the disk it infects) was translated as the virus “changing the capacity of the disk”. Terms like “hard disk” (“festplatte” in German) were translated literally as “hard plate” and so on.

I helped clean up the translation but the subject really fascinated me, so I kept thinking about what self-replicating programs (i.e., viruses) could do. After some reflection, I reached the conclusion that they could never pose any significant threat, because any user with a brain would immediately notice that something is amiss. (Boy, was I wrong.) I even wrote an article, explaining this conclusion of mine, and published it in the magazine.

When my article came out of print a few months later, two guys came to the editor’s office and told us that they had discovered a computer virus in their company. They had even written a program that could repair the infected files by removing the virus from them – which they promptly demonstrated to us using a laptop they had brought with them. (All this was indeed very novel to us at the time. Bulgaria was still a socialist country. Yet these guys had a private company! A laptop! A virus! We felt like living in the future.)

Unfortunately, it turned out that when they demonstrated their cleanup program, they had also removed the only copy of the virus they had left – since they had already cleaned up the computers at their company. But I wanted so much to examine it! I went with them to their company, looking for another copy. We didn’t find any. We did, however, find a piece of paper in the trash bin, containing a printed hex dump of a small infected program. I took that piece of paper home and carefully entered the information byte-by-byte into my computer. I did it twice, so that I could compare the two copies and find any mistakes I might have made when entering the bytes. Finally I had a working virus to examine!

I learned later that it was a variant of a virus we now know under the name Vienna.648.A, the source code of which had been published in a German book by Ralf Burger. I disassembled it and analyzed it, and it turned out to be a pretty stupid program. It was looking for COM files (a kind of executable file) in the current directory and in the directories listed in the PATH variable of the environment. Once it found such a file, it would append itself at the end of it, and would modify the first 3 bytes, replacing them with a JMP instruction to the virus body. The overwritten bytes would be saved inside the virus body, so that they could be restored at runtime – so that the infected program would still work. With a probability of 1/5, the virus would damage the file instead of infecting it, overwriting the first 5 bytes with a JMP instruction to the address that caused the computer to reboot.

All in all, a rather stupid thing, and 648 bytes seemed like overkill for such a trivial task; I could have probably fit an equivalent program in half that space. But it was the very first virus I had seen.

Later many other viruses were discovered in Bulgaria. Cascade (made the letters of the text screen drop down and pile at the bottom), PingPong (showed a bouncing dot on the screen), and so on. Eventually, Bulgarians started writing viruses, too. One of them, using the handle The Dark Avenger, became rather notorious with his sophisticated and malicious creations. But that’s a story for another time.
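The infection mechanics described in the answer above (648-byte body appended to a COM file, first 3 bytes replaced by a JMP into the body, original bytes saved inside the body for restoration, and the 1-in-5 case where 5 bytes become a JMP to the reboot address) can be turned into a small detector and repair routine, which is what the two visitors' cleanup program must have done. This is an added example, not code from the interview or from Dr. Bontchev; it assumes the saved bytes sit at the start of the appended body and that the reboot address is the BIOS reset vector FFFF:0000h, neither of which the page states.

```python
"""Detection and repair of a Vienna-style appending COM infection (added example).

Models only what the interview describes: a 648-byte body appended to a COM
file, the first 3 bytes overwritten with a near JMP into that body, and the
original 3 bytes kept inside the body so they can be restored.
Assumptions not stated on the page: the saved bytes are the first 3 bytes of
the appended body (a real scanner would use the variant's actual offset), and
the "reboot address" is the BIOS reset entry FFFF:0000h.
"""

COM_LOAD_ADDR = 0x100       # COM images are loaded at CS:0100h
BODY_LEN = 648              # size of Vienna.648.A as given in the text
SAVED_BYTES_OFF = 0         # assumed position of the saved original bytes
REBOOT_FAR_JMP = bytes.fromhex("ea0000ffff")   # jmp far FFFF:0000h (reset vector)

def jmp_target_offset(data: bytes):
    """File offset that a leading near JMP (E9 rel16) points to, or None."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = int.from_bytes(data[1:3], "little")
    target_addr = (COM_LOAD_ADDR + 3 + rel) & 0xFFFF   # 16-bit wraparound
    return target_addr - COM_LOAD_ADDR

def is_infected(data: bytes) -> bool:
    """Heuristic: the entry JMP lands exactly at the start of a 648-byte appendage."""
    off = jmp_target_offset(data)
    return off is not None and off > 0 and len(data) - off == BODY_LEN

def is_destroyed(data: bytes) -> bool:
    """The 1-in-5 damage case: first 5 bytes became a far JMP to the reset vector.
    Nothing is saved in that case, so such a file cannot be repaired."""
    return data[:5] == REBOOT_FAR_JMP

def disinfect(data: bytes) -> bytes:
    """Restore the saved entry bytes and cut the appended body off the end."""
    if not is_infected(data):
        return data
    off = jmp_target_offset(data)
    body = data[off:]
    saved = body[SAVED_BYTES_OFF:SAVED_BYTES_OFF + 3]
    return saved + data[3:off]

# Constructed fixture: a 4-byte "program" (mov ah,4Ch; int 21h) as it would look
# after infection. Original length L=4, so the JMP displacement is L-3 = 1 and the
# jump lands at file offset 4. The "body" is the saved bytes plus NOP filler,
# not real virus code.
CLEAN_SAMPLE = bytes.fromhex("b44ccd21")
INFECTED_SAMPLE = bytes.fromhex("e90100") + b"\x21" + CLEAN_SAMPLE[:3] + b"\x90" * (BODY_LEN - 3)

if __name__ == "__main__":
    print("clean sample flagged?   ", is_infected(CLEAN_SAMPLE))                   # False
    print("infected sample flagged?", is_infected(INFECTED_SAMPLE))                # True
    print("repair restores original?", disinfect(INFECTED_SAMPLE) == CLEAN_SAMPLE)  # True
```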


STF: How has malicious software evolved? What has changed since the 90’s and where do you think malware is headed?

Dr. Bontchev: Originally, malware was written by immature kids who wanted to show to the world how smart they were. As a result, malware was mostly viruses (i.e., self-replicating programs), because it was believed that making a self-replicating program was “hard”. In addition, these viruses often contained various clever programming tricks – stealth, tunneling, polymorphism – as well as cute video effects (falling letters, bouncing dots, animations, etc.). Sadly, this has changed.

Nowadays malware is mostly produced by very different people. The largest group is professional criminals. They aren’t interested in showing off to the world how smart they are – they are only interested in making money. This has had several effects on the kind of malware being produced.

To begin with, nowadays we rarely see viruses. Most of the time it is non-replicating malware. There are two reasons for this. First, non-replicating malware is easier to write. The criminals who make it are running a business – a criminal business, yes, but a business nevertheless. So, they are concerned with efficiency. They produce what is easiest to produce with the minimum of effort and expense. Second, anti-virus programs pretty much managed to get viruses under control. No matter how fast the virus spreads, the update of the anti-virus programs that will detect it will spread even faster. So, global computer virus pandemics are pretty much a no-show these days. Yes, there will still be isolated cases with obsolete machines that don’t use anti-virus software (or don’t update it) – but these are relatively few and far between.

Non-replicating malware, on the other hand – we don’t know how to deal with that efficiently. It is a one-shot weapon. By the time we, the anti-virus people, get a sample, the malware would have already run, performed its damage, and we’re unlikely to see exactly the same malware again. So, yes, we can update our programs and implement detection of it – but it won’t be very helpful; the next time some other, slightly different malware will be used.

So, from the point of view of the bad guys, non-replicating malware is much more efficient than viruses – it is both easier to produce and harder to stop, as a whole (although any particular known variant of it is trivial to stop).

The other change concerns the payload. These guys are not motivated to show off how clever they are – they are motivated to make money. So, instead of cute and flashy payloads, malware nowadays has mostly financially-oriented payloads. Sending spam, showing ads, stealing passwords and credit card numbers, encrypting the user’s data and holding it for ransom – that sort of thing.

The other kind of malware producers we see nowadays (much more rarely, however) are the various government spy agencies. They, too, aren’t concerned with showing off how smart they are. They are mostly concerned with “getting the job done”. The “job” almost always is intelligence-gathering, with some rare exceptions like the sabotage caused by Stuxnet. Speaking of Stuxnet, it is a typical example of government-produced malware. It is huge, messy, modular, gets the job done. It wasn’t written by some clever kid in his mom’s basement – it was assembled from modules that were part of a huge framework, designed not even just by several people but by several teams, writing by specification and not talking to each other.

As I said, this change makes me sad. Fighting the clever kids was fun, like a game. I definitely don’t like fighting the Russian mafia or somebody’s cyberwar.


STF: What about the future of ransomware, particularly? We recently analyzed the so-called doxware. Is it going to get any worse than that?

Dr. Bontchev: Ransomware is indeed the future. It is the easiest way to monetize the value of the compromised computer. Instead of stealing passwords and credit card numbers and trying to figure out how to make money from them, you directly sell to the user what they undoubtedly find valuable – their own data. Currently we are seeing a lot of “junk” ransomware – obviously written by ignorant idiots who can never get the cryptography right. But this is temporary. Sooner or later, the majority of bad guys will learn how to make undecryptable ransomware. As long as efficient protocols for value transfer like Bitcoin exist, and as long as the majority of people don’t regularly back up their data, ransomware will be a successful moneymaker for the criminals.

Of course, that doesn’t mean that every random Tom, Dick or Harry can produce successful ransomware like Locky, for instance. Getting the cryptography right is necessary but not sufficient. You also need the proper infrastructure (botnets, exploit kits, etc.) for distributing the malware to the victims.

Personally, I don’t think that “doxing” ransomware is such a big deal. While many people have private data they would pay to keep from being publicly exposed, that’s by far not always the case. Most people don’t have very sensitive data on their computers. But all people have data on their computers that they consider valuable. So, threatening to destroy the data (or the keys with which it is encrypted) is much more “stimulating” than threatening to publish it. At least this is my opinion – but, hey, I’ve been wrong before. Time will tell, as it always does.

A much more dangerous trend would be ransomware running on some mission-critical devices – like medical devices, industrial controllers, etc.


STF: Considering the evolution of “professionally written” malware, do you believe that more young people should be encouraged to pursue a career in information security?

Dr. Bontchev: I believe that young people should pursue whatever they find interesting and satisfying. I will be glad if more of them turn to the field of information security – it’s a fascinating field and there is an acute lack of specialists in it – but it would be wrong to direct artificially the interests of young people in any particular direction. Certainly, make it possible for them to learn and get involved, if this is what they find interesting. But don’t tell them what they should be interested in; let them find themselves.


STF: Data privacy has turned into a major issue. Is there something we could do to protect ourselves from both legal and illegal data collection practices?

Dr. Bontchev: I am not an expert on legal matters, so I am going to skip that part of the question.

Regarding privacy in general, yes, things are really getting out of control. And it is the big companies that are causing most of the problems. I wish there was an option to pay for the various Google, Facebook, etc. services with money, instead of our personal data.

There is very little a person can do. Definitely, use an ad blocker. Avoid sites that don’t allow you to use one. Configure Flash to play-on-click, instead of automatically (this is done differently in the different browsers). Disable Java. Use Disconnect, Privacy Badger, etc. Use throw-away e-mail addresses when registering to web sites (Mailinator and Spamgourmet are very good for this purpose).

I use NoScript, but most people probably won’t be able to live with it – way too many sites are completely broken and unusable if JavaScript is disabled. I wish I could recommend using Tor (it is very good for protecting your privacy), but, sadly, CloudFlare makes half of the Internet unusable via Tor. Avoid installing “software bundles”, or at least use something like Unchecky that automatically rejects the bundle crapware.

Understand that if you are using a web e-mail service like GMail or Yahoo or Hotmail/Outlook, you are essentially giving up your privacy to the e-mail provider. (I use my Yahoo! Mail address as a “public” throw-away address – something I can afford to give to people I don’t know and for which I don’t care if it ends up on a spam list.) If you have to rely on a web e-mail service, at least use something privacy-friendly like ProtonMail or Unseen.is.

Also, if you are using a smartphone (I don’t), you give up a lot of your privacy. Not just your name and location; many apps leak all kinds of data that can be used to track you in one way or another.


STF: Now a more practical question… What is the most effective automated system a user can utilize to back up their files if they want to access them on a daily basis?

Dr. Bontchev: This very much depends on the particular needs of the user. I do monthly backups to an external disk (which I connect only during the backup/restore process), and also copy the relatively finished versions of my work (e.g., a program or a paper) to external USB thumb drives. That would clearly be insufficient for a company that wouldn’t survive if it lost a week’s worth of customer data. So, there is no one “most effective” solution that would work for everyone. There are many different products with different prices and different capabilities that are suitable for different needs.

Particularly in relation with ransomware, I would recommend something that can do the so-called “streaming” backup. That is, only the backup software can access the backup; the backup isn’t visible as files on the file system of the computer that is being backed up.


SensorsTechForum’s “Ask the Experts” Interview Series


Milena Dimitrova
