Approaching Zero, Part 6
With his stealth bug Teodor had more or less reached the pinnacle: there was little he could do to improve the programming of his latest virus except, perhaps, to add a destructive payload. But, for Teodor, destruction of data or programs was never the point. He wrote viruses as an intellectual challenge. None of his viruses had ever been intentionally damaging, though he had become aware that they could cause collateral losses. He had also realized that a completely harmless virus was an impossibility. All viruses, by their mere presence on a computer, can accidentally overwrite data or cause a system to crash. And the most dangerous of all, he thought, was an undetectable virus that could spread unstoppably, causing collateral damage without the operators even being aware they were under attack.
In 1989 Teodor decided to retire from virus writing. His own career up until then had, curiously, mirrored his friend Vesko's. While Teodor wrote viruses, Vesko wrote about them; as Teodor became more proficient at writing bugs, Vesko became more accomplished at analyzing them. By 1989 Vesko had become Bulgaria's most important virus researcher and a major contributor to Western literature on the subject. He had been invited to submit papers and to lecture at Western European computer security conferences: he was recognized as an authority on viruses, particularly those from Eastern Europe.
Vesko's reputation was due, in a large part, to having been in the right place at the right time. First, there were his friend Teodor's bugs. Teodor would often pass on the programming code to Vesko for analysis, who would then report on their capabilities in the local press and in Western journals. It was a convenient arrangement, and the resulting publicity would encourage other writers. Eventually, what became known as the Bulgarian virus factory started to pump out bug after bug, each more dangerous than the last, and Vesko was there to record it. He was in the eye of the storm, collecting viruses from all over Bulgaria as they spread from computer to computer. By 1991 he was reporting two new locally grown viruses each week.
In a country with so many bugs flying around, it was inevitable that Bulgarian computers would become overrun. Most computers in the country had been hit at least once; many had been hit with multiple viruses at the same time. Because Vesko was the country's leading authority on the malicious programs, he was eventually given responsibility for coordinating Bulgaria's effort to fight them off. He was constantly on call. Days he worked in his office in the Bulgarian Academy of Sciences, where he was given the dour title of Assistant Research Worker Engineer. Weekends and nights he continued the fight from his own cramped room on a borrowed Bulgarian clone of an IBM PC. He dealt with ten to twenty phone calls each day from institutions or firms that had been attacked by viruses.
By then the Bulgarian virus factory was in full production. It was no longer a matter of Vesko and his friend Teodor, one a researcher, the other a virus writer. Bulgaria had spawned some of the most skilled and prolific virus writers in the world.
In Plovdiv, Bulgaria's second largest town, a student named Peter Dimov produced a series of viruses "as revenge against his tutor" and another two "in tribute" to his girlfriend, Nina (it is not known if she was pleased). One of Peter's ambitions was to write the world's smallest virus: his first came to under 200 bytes. Later he wrote one only 45 bytes long. For a few weeks it was the shortest virus known--until another Bulgarian programmer produced one that was just 30 bytes. Peter was also the author of the first Bulgarian boot-sector virus as well as two ominous-sounding bugs that he called Terror and Manowar. But despite their names, neither was particularly damaging. In total, Peter wrote around twenty-five viruses.
In Varna, on the Black Sea, two students at the Mathematics Gymnasium (Upper School), Vasil Popov and Stanislav Kirilov, produced a series of viruses and trojans. Their most dangerous, called Creeping Death (or DIR-2), was reported to be able to infect all the files on a hard disk within minutes.
Lubomir Mateev, then a twenty-three-year-old university student, and his friend Iani Brankov wrote a virus together to embarrass their professor when they were studying at Sofia University. Their first bug was programmed to make a shuffling noise while he was lecturing that sounded like the rustling of paper.
This virus and a subsequent variant (which borrowed the bouncing-ball payload from Ping Pong) became known as Murphy 1 and Murphy 2. Highly infectious, they spread throughout Bulgaria and reached the West in 1991.
Many other programmers and students took a stab at writing viruses, with varying degrees of success. It became something of a fad among computer freaks in Sofia and other Bulgarian cities in the late 1980s. There was, of course, no "factory" in the usual sense of the word--just a group of young men (they were all male), probably unknown to each other, who had learned the tricks of writing viruses through the techniques perfected while stealing Western software.
The value to Bulgaria of all the virus-writing activity was negligible. Though the programmers who compiled the bugs were, no doubt, honing their skills, and some of the viruses demonstrated a cleverness and technical dexterity that may have been admirable, viruses simply do not have any productive purpose. Indeed, Fred Cohen--the man who coined the term "computer virus" in the first place--once tried to find a role for them and organized a competition to write a beneficial virus. None was found.
In any event, in late 1990 and early 1991, Bulgaria itself, no longer Communist and not quite democratic, was going through an identity crisis. Public confidence in the government, in state institutions, and in the currency had evaporated, to be replaced by a deeply cynical, almost anarchic national ethos. Bulgaria had become a country of shabby, small-time dealers, of petty blackmarketers and crooked currency changers. The symbols of the immediate past, of the near half-century of Communism, had been pulled down; little had been erected in their place. But the computers that President Zhivkov had decreed would turn Bulgaria into a modern technological power remained, and indeed offered themselves to the new generation of computer programmers as weapons to be turned against the state, to drive an electronic stake through the heart of the system. Viruses would cripple Zhivkov's dream. In this gray time of shortages and rationing, of cynicism and despair, writing viruses was a sort of protest--perhaps against the Communists, possibly against the transitional state, almost certainly against the lack of opportunity and hope. Writing viruses was a form of individualism, of striking out; it was also an opportunity for notoriety.
Since 1988 the Bulgarian virus factory has produced around two hundred new viruses. Most have yet to travel; only a few have reached the industrialized West. The scale of the problem may not become apparent for several years.
Some of those who created the viruses are known, some aren't, but the greatest threat is Bulgaria's most proficient and fearsome virus writer: the Dark Avenger.
The man who was to become known as the Dark Avenger began work on his first virus in September 1988. "In those days there were no viruses being written in Bulgaria, so I decided to write the first," he once said. "In early March 1989 it came into existence and started to live its own life, and to terrorize all engineers and other suckers."
The Dark Avenger had started work on the virus known as Eddie just weeks before Teodor had sat down to write the first of what became his Vacsina-Yankee Doodle series. Teodor's virus was ready first, but the Dark Avenger's bug was much more malicious and infective. "It may be of interest to you to know that Eddie is the most widespread virus in Bulgaria. I also have information that Eddie is well known in the U.S.A., West Germany, and Russia too," the Dark Avenger once boasted.
The Dark Avenger likes to leave teasing references to his identity in his viruses. As in the Eddie virus, he sometimes "copyrights" his bugs, and often gives Sofia as the source. The text string DIANA P. was assumed to be a reference to his girlfriend, except that Diana isn't a particularly Bulgarian name. It's now believed to be a reference to Diana, Princess of Wales.
The Dark Avenger also likes heavy-metal music: the other text string in his first virus, the mysterious EDDIE LIVES ..., apparently refers to the skeletal mascot, Eddie, used by the British heavy-metal group Iron Maiden in their stage act. Heavy-metal symbols and motifs run through many of the other viruses written by the Dark Avenger. A family of perhaps twenty or more viruses can be attributed to him, all technically advanced, most deliberately malicious, some containing text strings that use the titles of Iron Maiden tracks: "Somewhere in Time," "The Evil That Men Do," and "The Good Die Young." His viruses also mimic the posturing Satanism of heavy-metal music. His Number of the Beast virus (the name is yet another reference to an Iron Maiden song) contains the 3-byte signature "666," the mystical number believed to refer to "the beast," the Antichrist in the Book of Revelations.
Perhaps appropriately, of all the viruses attributed to the Dark Avenger, Number of the Beast is considered the most technically accomplished. A stealth virus, it exploits an obscure feature of the standard PC operating system to evade detection and hide in unused space on program files so that it doesn't change the length of the host file. Oddly, the virus doesn't have a payload, though its mere presence on a PC is likely to cause it to crash.
The Dark Avenger has produced four versions of Eddie and six versions of Number of the Beast, as well as four variants of a virus called Phoenix and four of another one known as Anthrax (the name of an American heavy-metal group). He is also generally believed to have written Nomenklatura, the virus that attacked Britain's House of Commons library, principally because the bug is technically sophisticated and vicious and employs techniques that have been seen in his other viruses. In a way, the Dark Avenger has become so well known that any particularly destructive and clever Bulgarian virus will almost automatically be attributed to him. The alternative is too dire for the computer security industry to contemplate.
The Dark Avenger's fame was evident from the response to his calls to the world's first "virus exchange" bulletin board, which was established in Sofia by twenty-year-old Todor Todorov on November 1, 1990. The idea was eventually copied by others in Britain, Italy, Sweden, Germany, the United States, and Russia, but Todorov was the first. The board describes itself as "a place for free exchange of viruses and a place where everything is permitted!"
Todorov built up a large collection of viruses after callers learned of his exchange procedures.
IF YOU WANT TO DOWNLOAD VIRUSES FROM THIS BULLETIN BOARD, JUST UPLOAD TO US AT LEAST 1 VIRUS WHICH WE DON'T ALREADY HAVE. THEN YOU WILL BE GIVEN ACCESS TO THE VIRUS AREA, WHERE YOU CAN FIND MANY LIVE VIRUSES, DOCUMENTED DISASSEMBLIES, VIRUS DESCRIPTIONS, AND ORIGINAL VIRUS SOURCE COPIES! IF YOU CANNOT UPLOAD A VIRUS, JUST ASK THE SYSOP [SYSTEM OPERATOR] AND HE WILL DECIDE IF HE WILL GIVE YOU SOME VIRUSES.
The Dark Avenger made his first call on November 28, 1990, four weeks after the bulletin board was set up. I'M GLAD TO SEE THAT THIS BOARD IS RUNNING, he wrote Todorov. I'VE UPLOADED A COUPLE OF VIRUSES TO YOU. I HOPE YOU WILL GIVE ME ACCESS TO THE VIRUS AREA. To which Todorov replied, THANK YOU FOR THE UPLOAD. YOUR SECURITY LEVEL HAS BEEN UPGRADED ... AND YOU HAVE ACCESS TO THE VIRUS AREA NOW. IF YOU FIND ANY OTHER VIRUSES, PLEASE UPLOAD THEM HERE.
When it was learned that the Dark Avenger frequented Todorov's bulletin board, other users began leaving messages for him.
HI, DARK AVENGER! WHERE HAVE YOU LEARNED PROGRAMMING? AND WHAT DOES EDDIE LIVES MEAN? AND WHO IS DIANA P.? IS SHE YOUR GIRLFRIEND OR WHAT? The queries were from Yves P., a French virus writer. Free Raider posted his salute on December 9th: HI, BRILLIANT VIRUS WRITER. Another message said, HI, I'M ONE SYSOP OF THE INNERSOFT BULLETIN BOARD. SHOULD I CONSIDER MY BOARD NOT POPULAR BECAUSE YOU DON'T LIKE TO CALL IT? PLEASE GIVE IT A CALL.
The messages from his fans reflected the Dark Avenger's new status: he had become a star. In the two years since he created Eddie, he had become the computer underworld's most notorious virus writer. He had established a brand identity: the Dark Avenger's viruses were known to be the most destructive and among the best engineered ever seen. His fame, as he knew, had spread throughout Europe and to North America as well.
So it's not surprising that he wanted to be treated like the star he was, and reacted badly to criticism. In March 1991 he sent the following message to Fidonet, the international bulletin board network: HELLO, ALL ANTIVIRUS RESEARCHERS WHO ARE READING THIS MESSAGE. I AM GLAD TO INFORM YOU THAT MY FRIENDS AND I ARE DEVELOPING A NEW VIRUS, THAT WILL MUTATE IN 1 OF 4,000,000,000 DIFFERENT WAYS! IT WILL NOT CONTAIN ANY CONSTANT INFORMATION. NO VIRUS SCANNER CAN DETECT IT. THE VIRUS WILL HAVE MANY OTHER NEW FEATURES THAT WILL MAKE IT COMPLETELY UNDETECTABLE AND VERY DESTRUCTIVE! Fidonet may not have been the best outlet for his boasting: its users are mostly ethical computer enthusiasts. The Dark Avenger received a flood of replies, from all over Europe. Most were critical; some were abusive. The Dark Avenger replied testily, I RECEIVED NO FRIENDLY REPLIES TO MY MESSAGE. THAT'S WHY I WILL NOT REPLY TO ALL THESE MESSAGES SAYING "FUCK YOU." THAT'S WHY I WILL NOT SAY ANY MORE ABOUT MY PLANS.
At thirty-one, Vesko Bontchev is surprisingly young looking, thin and somewhat frail. He is a serious man who speaks deliberately and intensely about the virus problem in Bulgaria. He lives with his mother in a shabby five-story 1950s block on a characteristically grim East European housing estate on the outskirts of Sofia. The apartment is large by Bulgarian standards: Vesko has his own room.
Although he is unassuming, it is apparent that he is proud of his reputation as the country's foremost virus fighter and of his contacts with other researchers in the West. His position is ensured by his oddly symbiotic relationship with the Dark Avenger, one that almost parallels his earlier relationship with Teodor. Because the Dark Avenger lives in Bulgaria, Vesko's position as a lecturer and researcher is secure. At the same time, Vesko contributes to the Dark Avenger's fame by publicizing his activities abroad. In a curious way the two need each other.
Cynics who have noticed this have argued that if the Dark Avenger hadn't existed, it would have been in Vesko's interest to have invented him. Some have even theorized that the two are one and the same: that the quiet, intense virus researcher has an alter ego--the demonic, heavy-metal fan, the admirer of Princess Diana, the virus writer called the Dark Avenger. The Avenger has himself contributed to the notion: one of his viruses contains Vesko's own copyright notice, and every so often he teases Vesko. Once, the Dark Avenger wrote: "To learn how to find out a program author by its code, or why virus-writers are not dead yet, contact Mr. Vesselin Bontchev. So, never say die! Eddie lives on and on and on ..."
In an interview in a Bulgarian newspaper, Vesko was asked about the rumors. "Can you give me the name of Dark Avenger?" the reporter queried.
"No."
"Is it possibly you?"
"I have been asked similar questions both in the West and in the Soviet Union. But it is not true."
Despite the rumors, Vesko isn't the Dark Avenger--but he does provide the oxygen of publicity for the Bulgarian virus writer. It suits them both: for Vesko, the Dark Avenger provides the raw material for his reports; for the Dark Avenger, Vesko's watchfulness ensures his own reputation as the demonic scourge of computers.
The two young men--the hunter and the outlaw--are locked in an unfriendly embrace. The relationship between the two is one of mutual distrust, which neither attempts to disguise. It is the classic relationship between a cop and his adversary: hatred, tinged with a measure of respect.
On several occasions, Vesko says, he has tried to smoke out the virus writer. Once Vesko announced that he had carefully analyzed two viruses attributed to the Dark Avenger: the Number of the Beast and Eddie. He said that, in his view, they could not possibly be the work of the same writer. One was clever, the work of a professional, the other sloppy, the work of an amateur. Furthermore, he said that he intended to present his evidence at a lecture that would be held in Sofia. He guessed that the Dark Avenger would appear, if only to hear what Vesko had to say about his programs.
The meeting was well attended, particularly for a cold Friday night in early December. Vesko presented his evidence. Number of the Beast, he said, was obviously written by an extremely skilled specialist whose style contrasted in every way with the poor quality of Eddie. He watched the audience during his presentation, Vesko says, looking for someone who might be the Dark Avenger; during the questions and discussion afterwards he listened for anyone defending the programming of Eddie. He saw and heard nothing that gave him any clues.
But two days after the lecture he received a letter from the Dark Avenger. According to the letter, the virus writer had attended the meeting. Vesko published his comments in the magazine Komputar za was. "The author of the Eddie virus is writing to you," the Dark Avenger began. "I have been reading your pieces of stupidity for quite a long time but what I heard in your lecture was, to put it boldly, the tops." The virus writer went on to complain about Vesko's critique of his programming skills. Then he added: "I will tell you that my viruses really destroy information but, on the other hand, I don't turn other people's misfortunes into money. Since you [get paid to] write articles that mention my programs, do you not think I should get something?"
Virus writing is not a lucrative field. The Dark Avenger had once before alluded to getting paid for his skills, in a message to a local bulletin board operator, when he had suggested, none too hopefully, that "maybe someone can buy viruses." So far as is known, he has never sold any of his bugs.
In 1990 Vesko put together a psychological profile of the Dark Avenger, a compilation of all the known facts about him: his taste in music, his favorite groups, his supposed interest in the Princess of Wales, his need for money and so on. From his letter Vesko gleaned he had been a student at Sofia University and, from sarcastic remarks he had made about Vesko's engineering degree, that he was either a mathematics or science student (there is a traditional rivalry between engineering and the other two faculties). He sent the profile to seven former students at the university, asking if they knew anyone who fitted the criteria. All seven replied, Vesko says, and all seven mentioned the same name--that of a young man, then twenty-three, a programmer in a small, private software house in Sofia.
Vesko didn't turn him in. Even had he wanted to, there was little point: writing viruses is not illegal in Bulgaria.
Chapter 6.
HACKING FOR PROFIT.
Inevitably there are people in the computer underworld who use their skills to make money--legally or illegally. Hacking into suppliers to steal goods, or looting credit card companies, has become established practice. But there seems to be little commercial potential in viruses--unless it becomes part of a scam.
In December 1989 the first such scam appeared. The virus was used as a blackmail weapon to frighten computer users into paying for protection. Jim Bates, a free-lance computer security consultant, was one of the first to examine the blackmail demand delivered on an apparently ordinary computer diskette. He had received a call earlier that day from Mark Hamilton, the technical editor of a British computer magazine called PC Business World. Mark had sounded worried: "There's apparently been a trojan diskette sent out to PC Business World customers. We don't know anything about it. If we send you a copy, can you look into it?"
Jim runs his little business from his home in a commuter suburb with the misleadingly bucolic name of Wigston Magna, near Leicester, in the English Midlands. Though he had other work to do at the time, he agreed to "look into it"--which meant, effectively, disassembling the bug. It would be a time-consuming task. "What does it do?" he asked.
"We don't know. It may be some sort of blackmail attempt."
To Jim, the concept of viral blackmail sounded unlikely. As far as he knew, no one had ever made a penny out of writing viruses. It was said that if there was any money in writing bugs, Bulgaria would be one of the richest countries in Europe; but instead it remained one of the poorest.
At 5:30 that afternoon, December 12, 1989, the package from PC Business World arrived. As promised, it contained a diskette, of the sort sent out to the magazine's readers; it also contained a copy of a blue instruction leaflet that had accompanied the diskette.
Jim examined the leaflet closely. "Read this license agreement carefully [and] if you do not agree with the terms and conditions ... do not use the software," it began. It then stated that the program on the diskette was leased to operators for either 365 uses at a price of $189, or the lifetime of their hard disk at a price of $389. "PC Cyborg Corporation," it continued, "also reserves the right [sic] to use program mechanisms to ensure termination of the use of the program [which] will adversely affect other program applications."
So far, Jim thought, it read much like a normal software licensing agreement, except for the warning that the program might "adversely affect other program applications."
But farther down in the small print on the leaflet was a paragraph that made him sit up. "You are advised of the most serious consequences of your failure to abide by the terms of this agreement: your conscience may haunt you for the rest of your life ... and your computer will stop functioning normally [authors' italics]."
This, Jim thought, was carrying the concept of a licensing agreement too far. Licensing software was a perfectly acceptable business practice, as was making threats that unauthorized users of their products would be prosecuted for "copyright infringement." They never threatened to punish unauthorized users by damaging their computers.
Even more unusual, the diskette had been sent out like junk mail, unrequested, to computer users around Great Britain, inviting them to run it on their machines. Whoever had distributed the diskettes had obviously purchased PC Business World's mailing list, which the magazine routinely rented out in the form of addressed labels. The magazine had seeded its list with names and addresses of its own staff, an ordinary practice that allows the renter to check that its clients aren't using the list more often than agreed. These seeded addresses had alerted the magazine to the existence of the diskette. If the publication had received copies from its seeded addresses, so had some seven thousand others on the mailing list. And Jim knew that many of these would have loaded the program without reading the blue leaflet--which was, in any case, printed in type so small that it was almost unreadable. Anyone who had already run the diskette, Jim thought, could well be sitting on a time bomb.
Later that evening an increasingly anxious Mark Hamilton phoned again: "We're now getting reports that this disk has been found in Belgium, Paris, Germany, Switzerland, Scandinavia, and Italy. Can you do anything with it?"
In fact, Jim was already working on an antidote. He had loaded the diskette on an isolated test computer in his upstairs office and had discovered that it contained two very large executable files: an "Install" program and an "AIDS" program. Jim had previously attempted to run the AIDS file on its own, but after a few seconds it aborted, displaying the message: "You must run the Install program before you can use the AIDS program."
He followed the instructions, warily loading up Install. It beeped into life, the light on the hard disk flickering off and on. When the installation was finished, Jim looked at the hard disk, using software designed to see all of the files listed in the computer's various directories. The software also allowed him to see any "hidden" files, those generally concealed from casual inspection to prevent them being deleted accidentally. There are always two hidden operating system files on a hard disk; but now, after running the Install program, there was suddenly a whole series of them, none of them named.
He decided to have a look at the hidden files, using another special program. This software went right into the heart of the files, penetrating the binary code, the building blocks of programs. It presented the contents on a vertically split screen: the left side displaying the files in computer code, the right in ordinary text. Jim went through them page by page. He discovered that the hidden files contained a counter, which kept track of the number of times the computer was turned on. After ninety start-ups the hidden files would spring to life and attack the computer's hard disk, encrypting working files and hiding programs. Without access to programs and data, the system would be unusable.
The diskette, Jim realized, was a huge trojan horse, a malicious piece of software that entered a system in the guise of something useful, then unleashed its payload. In this case the "useful" component was the "AIDS information" file; the payload was the scrambling of the hard disk.
Curiously, Jim found that the program had been written to behave almost like the real AIDS virus. It was opportunistic, just like its biological counterpart; it spread its infection slowly; and was ultimately fatal to its hosts. Whoever wrote the program must have been casually interested in AIDS, though perhaps he didn't know a great deal about the subject. Switching to the AIDS information file, Jim read through the material it offered, which described itself as "An interactive program for health education on the disease called AIDS.... The health information provided could save your life.... Please share this program diskette with other people so that they can benefit from it too."
The program offered "up-to-date information about how you can reduce the risk of future infection, based on the details of your own lifestyle and history." It required a user to answer thirty-eight questions--sex, age, number of sexual partners since 1980, medical history, sexual behavior, and so on--and according to the user's answers it provided "confidential advice," most of which was eccentric and misleading: "Scientific studies show that you cannot catch AIDS from insects," and "AIDS can be prevented by avoiding the virus" were two of the less helpful comments. Others included, "Danger: Reduce the number of your sex partners now!" "You are advised that your risk of contracting AIDS is so large that it goes off the chart of probabilities." "Buy condoms today when you leave your office." "Insist that your sex partner be mutually faithful to the relationship." "Casual kissing appears to be safe. Open-mouth kissing appears to be more dangerous. It is that which follows open-mouth kissing that is most risky." "The AIDS virus may appear in small quantities in the tears of an infected person."
The AIDS trojan, as it had quickly become named, also produced a variety of messages demanding payment for the license. In certain cases, if the computer was linked to a printer, it could cause an invoice to be printed out. The money for the license was to be sent to PC Cyborg Corporation at a post office box in Panama City, Panama. It was not specified what users would receive for the fee, apart from a license. But it was assumed that an antidote for the trojan would be included in the deal.
The AIDS information diskette was the largest and most complex trojan Jim had ever seen. He worked on it eighteen hours a day for seventeen days and later said that taking the program apart was "like peeling an onion with a paper clip." His final disassembly ran to 383 pages, each containing 120 lines of code. He had managed to produce a quick antidote to the AIDS trojan on the day he received it, but after he had disassembled the bug, he put together a program called ClearAid which would restore files and cleanse infected systems.
The antidote and ClearAid were offered free to infected computer users by Jim and PC Business World.
Later, when the furor died down, Jim decided that the trojan had been written "by a young, inexperienced programmer with only scant knowledge of both the language and the machine capabilities at his disposal." Its tortuous complexity had been caused by incompetence rather than design.
This was little comfort for those who had suffered damage from the bug. Over twenty thousand of the AIDS diskettes had been sent out, using not only the PC Business World mailing list, but the delegate register to a World Health Organization (WHO) conference on AIDS in Stockholm. In the first few days, a number of recipients had panicked when they realized that they had just loaded a potentially destructive trojan onto their systems. The trojan had caused the loss of data at the U.N. Development Program offices in Geneva, and in Italy an AIDS research center at the University of Bologna reported the loss of ten years of research. Like many users, they had not kept backup copies of their valuable data. The trojan reached hospitals and clinics throughout Europe, and the Chase Manhattan Bank and International Computers Limited (ICL) in England both reported unspecified "problems" caused by the program. In every instance, scientists, researchers, and computer operators wasted days chasing down and eliminating the bug, even after Jim's antidote and ClearAid program became generally available.
At New Scotland Yard the Computer Crime Unit under Detective Inspector John Austen established that all twenty thousand diskettes had been posted from west and southwest London, between December 7 and 11, 1989, and that they had been sent to addresses in almost every country of the world, with one glaring exception: none had been sent to the United States.
The Computer Crime Unit does not have an easy job.
In many cases it has been frustrated by the unusual nature of computer crime, and with viruses it has been noticeably unsuccessful in bringing prosecutions. Most viruses are written abroad, by unknown and certainly untraceable authors, often in countries such as Bulgaria where the act itself is not a criminal offense. To prosecute a case against a virus writer, the unit must have a complaint against the author from a victim in Britain, evidence of criminal intent, proof of the author's ident.i.ty, and finally, his presence in Britain, or at least in a country from which he can be extradited.
The legal problem with viruses, quite simply, is their internationality. They seep across borders, carried anonymously on diskettes or uploaded via phone lines to bulletin boards; their provenance is often unknown, their authorship usually a mystery. But inspector John Austen was determined that the AIDS diskette incident would be different. He viewed it as the "most serious" case the unit had faced: not only was it a large-scale attack on computers by a trojan-horse program, it was blackmail--or something very similar. In this case, he also had a complaint; indeed, he had a few thousand complaints. It was clearly time for the unit to throw its resources into tracking down the author of the trojan.
The publishers of PC Business World told the police that they had sold this particular mailing list for about $2,000 to a Mr. E. Ketema of Ketema & Associates, who purported to be an African businessman representing a Nigerian software company. The transaction had been carried out by post; no one had ever met Ketema.
Ketema & Associates operated out of a maildrop address in Bond Street, London. Company documents revealed that the firm had three other directors, supposedly Nigerian: Kitian Mekonen, Asrat Wakjiri, and Fantu Mekesse. The staff of the company that operated the maildrop had never seen the three Nigerians, but they had met Mr. Ketema. Far from being an African businessman, he was described as white, bearded, and probably American.
Computer Unit detectives then turned their attention to PC Cyborg Corporation of Panama City. Through inquiries to the Panamanian police, it was discovered that the company had been registered a year earlier. The Panamanians were also able to find the company's local telephone number.
Waiting until early evening in London, when it would be ten A.M. in Panama, a detective put a call through, and was rewarded by the sound of an American voice when the phone was answered. "Mr. Ketema?" asked the detective tentatively. "Who?" answered the voice. It turned out to be an American marine.
Panama had been invaded on that very day.
Simultaneous inquiries in Nigeria did not turn up evidence of the three Nigerian businessmen who were registered as directors of the company.
Indeed, the Unit discovered that the three names didn't sound Nigerian at all. They might have been made up.
By then the Computer Unit's detectives were convinced that they were chasing one man, probably an American.
The arrest happened almost by accident. New Scotland Yard had routinely circulated details of the case to Interpol, the international police intelligence agency. Four days before Christmas in 1989, just two weeks after the diskettes had been posted from London, the Dutch police detained an American citizen at Schiphol airport in Amsterdam, who had been behaving strangely.
The American was Joseph Lewis Popp. He was en route from Nairobi, where he had been attending a WHO seminar, to Ohio, where he lived with his parents in the small town of Willowick, near Cleveland. Popp seemed to think that someone was trying to kill him: at Schiphol he had written "Dr. Popp has been poisoned" on the suitcase of another traveler, apparently in an attempt to notify the police. When he had calmed down, the authorities took a discreet look through his bags: in one, they found the company seal for PC Cyborg Corporation.
The police let Popp continue his journey to Ohio, then notified Austen in England about the seal. On January 18, 1990, Austen began extradition proceedings. The charge: "That on December 11, 1989, within the jurisdiction of the Central Criminal Court, you with a view to gain for another, viz. PC Cyborg Corporation of Panama, with menaces made unwarranted demands, viz. a payment of one hundred and eighty nine U.S. dollars or three hundred and seventy eight U.S. dollars from the victim." In Ohio the FBI began a surveillance of Popp's parents' home, and finally arrested him on February 3rd.
Neighbors in Willowick were said to have been surprised at his arrest. He was described as "quiet, intelligent, and a real gentleman." At the time of his arrest he was thirty-nine, a zoologist and anthropologist who had worked as a consultant on animal behavior with UNICEF and WHO. He was a soft-spoken man, dark-haired, with flecks of gray in his beard. He had graduated from Ohio State University in 1972 and obtained a doctorate in anthropology from Harvard in 1979. In the previous few years he had become passionately interested in AIDS.
Austen's extradition request ground through the American courts for nearly a year. In September 1990 Jim Bates was flown over to Cleveland for five days to give evidence at Popp's extradition hearing. It is unusual to have live witnesses at such hearings, but Jim brought the AIDS diskette. He was the principal witness, and it was his task to demonstrate to the court what the diskette was and what it did.
In the hallway outside the small courtroom, Jim sat beside Popp's parents, a friendly and courteous pair. "Do you like Cleveland?" Popp's mother asked. Jim wasn't sure; all he had seen by then was the airport, a hotel room, and the hallway. Inside the courtroom Jim had his first glance at Joseph Popp. His hair was long and unkempt, his beard had grown out, making the gray more emphatic. He shuffled around the courtroom, wearing a shabby jacket, a sweater, and faded jeans. He looked, Jim later said, "like a lost soul."
Popp's mental state was the crux of the defense's argument in the extradition hearings: his lawyers argued that he had suffered a nervous breakdown and was unfit to stand trial. Popp never denied writing the AIDS trojan nor sending out the diskettes. But at the time, his lawyers said, he was in the grip of mental illness and was behaving abnormally.
The lawyers also argued that the demand for a license fee for the use of the diskette was not tantamount to blackmail. It was, they agreed, somewhat extreme to wreck a computer's hard disk if the user didn't pay, but operators were warned not to load the diskette if they didn't accept the terms and conditions laid down in the instruction leaflet. And it was quite clearly stated on the same sheet that if they used the diskette and didn't pay, the computer "would stop functioning normally."
There was a basis in law to the argument. Software publishers have long struggled to stop the unauthorized use and copying of their copyright programs. Software piracy is said to cost American publishers as much as $5 billion a year, and many markets--Taiwan, Thailand, Hong Kong, Singapore, Brazil, India, and even Japan, among others--have become what are euphemistically referred to as "single-disk" countries: in other words, countries where one legitimate copy of a software program is bought and the rest illegally copied. To combat piracy, publishing houses have used a number of devices: some programs, for example, contain deliberate "errors," which are triggered at set intervals--say, once every year--and which require a call from the user to the publisher to rectify. The publisher can then verify that the user is legitimate and has paid his license fee before telling him how to fix it.
Other publishers have resorted to more extreme methods. One celebrated case involved an American cosmetics conglomerate that had leased a program from a small software house to handle the distribution of its products. On October 16, 1990, after a disagreement between the two about the lease payments, the software company dialed into the cosmetic giant's computer and entered a code that disabled its own program. The cosmetics company's entire distribution operation was halted for three days. The software house argued that it was simply protecting its property and that its action was akin to a disconnection by the telephone company. The cosmetics company said that it was "commercial terrorism."
The Cleveland District Court, however, rejected arguments that the AIDS diskettes simply contained some sort of elaborate copyright-protection device. It also ruled that Popp was fit to stand trial and ordered his extradition to Britain to face charges.
Popp was the first person ever extradited for a computer crime and the first ever to be tried in Britain for writing a malicious program. From the welter of complaints, the police had prepared five counts against him; he faced ten years in prison on each charge. According to the police, Popp had perpetrated a scam that could have grossed him over $7.5 million, assuming that each of the twenty thousand recipients of the diskette had sent the "lifetime" license fee. More realistically, it was estimated that one thousand recipients had actually loaded the diskette after receiving it; but even if only those one thousand had sent him the minimum license fee, he still would have earned $189,000.
The police also discovered a diskette that they believed Popp intended to send out to "registered users" who had opted for the cheaper, $189 license. Far from being an antidote, it was another trojan and merely extended the counter from 90 boot-ups to 365 before scrambling the hard disk. In addition, there was evidence that the London mailing was only an initial test run: when Popp's home in Ohio was raided, the FBI found one million blank diskettes. It was believed that Popp was intending to use the proceeds from the AIDS scheme to fund a mass, worldwide mailing, using another trojan. The potential return from one million diskettes is a rather improbable $378 million.
The police also had suspicions that Popp, far from being mentally unstable, had launched the scheme with cunning and foresight. For example, he had purposely avoided sending any of the diskettes to addresses in the United States, where he lived, possibly believing that it would make him immune to prosecution under American law.
But the case was never to come to trial. Popp's defense presented evidence that his mental state had deteriorated. Their client, his British lawyers said, had begun putting curlers in his beard and wearing a cardboard box on his head to protect himself from radiation. In November 1991 the prosecution accepted that Popp was mentally unfit to stand trial. To this day, the Computer Crime Unit has never successfully prosecuted a virus writer.