How Eastern Europe's villains changed sides in the malware war - and made you protect your PC

The region, first known as a computer virus factory, has since became one of the most advanced security hubs in the world, housing companies like Kaspersky, Bitdefender, and ESET. This is how it happened.
Written by Andrada Fiscutean, Contributor
The Tequila virus.
Image: Sophos
He called himself Dark Avenger. Nobody knew who he was. Back in the late 1980s, when Bulgaria was still a communist country, he engineered clever viruses that passed from one floppy disk to another. His code reached Western Europe and the US and brought about fear into company after company. At that time, 10 percent of viruses found in North America could be traced back to Bulgaria, and almost all of those were the work of Dark Avenger.

Who is the Dark Avenger?

The media was all over the story. Articles about US companies losing millions of dollars because of Eastern European viruses were everywhere. In a 1990 piece entitled 'Bulgarians Linked to Computer Virus,' the New York Times quoted a security researcher saying: "Not only do the Bulgarians produce the most computer viruses, they produce the best."

Dark Avenger infected American military computers, banks, insurance companies, and accountancy firms. John McAfee, at the time the head of the Computer Virus Industry Association, told the paper: "I would say that 10 percent of the 60 calls we receive each week are for Bulgarian viruses, and 99 percent of these are for Dark Avenger."

The Bulgarian whizzkid was merciless. The viruses he created were effective, highly contagious, and difficult to detect. One of his most famous creations, Dark Avenger.1800, targeted .com and .exe files, bloating them with 1800 bytes of code. It infected files the user opened, closed, and created, and randomly deleted parts of the hard drive. Messages proclaiming "Eddie lives...somewhere in time!" and "This program was written in the city of Sofia (C) 1988-89 Dark Avenger" were carried by the virus.

Clearly talented, Dark Avenger developed a tool that made viruses change their form to become harder to detect by traditional means. He called it the MtE, or Mutation Engine. It was responsible for creating a billion different forms of viruses by late 1992, according to Norton Antivirus figures.

"I developed big respect for his programming skills. Every one of his viruses was original, brought new ideas. The code was very clean and optimised to the last clock cycle. I compare it to Swiss watches," Miroslav Trnka, who co-wrote the first version of the Czechoslovakian antivirus software ESET NOD32, told ZDNet.

Dark Avenger's Bulgaria was a flagship virus factory that scared the western world, as well as Russia and Ukraine. Other countries within the region, including the Czech Republic, Hungary, Romania, and Slovakia, were caught in the middle.

The knowledge needed to build inventive viruses was found throughout the region and, for many, it was just too cool not to use. Some of those early malware writers ultimately left behind their malware-writing past and moved onto legitimate pursuits, while others grew interested in fighting the phenomenon. The story of antivirus had begun.

Sound and vision

Most virus creators wanted to prove themselves by creating sophisticated code that people would recognize. "They were in general young men, with a lot of time and no girlfriend. I've seen many of them stop writing viruses as soon as they got a job or a girlfriend," Costin Raiu, director of global research at security software firm Kaspersky Lab, told ZDNet.

Kids in school were imbued with math and sciences all around the Eastern Bloc. The communist government needed students who could reverse-engineer western products, and computers were top of the list in Bulgaria. It was Bulgarians who cloned the Apple II with the machine that became Pravetz 82, while Romanians came up with HC 85, a device that closely resembled the ZX Spectrum.

Students throughout the communist countries were enthusiastic about the potential of technology. "There was a big computer movement and young people that were very interested in technologies met together through competitions and clubs," Miroslav Trnka from security software maker ESET told ZDNet. They played with those cloned computers but didn't stop there. They were eager to write code and to learn as much as they could.

"Most virus writers were quite skilled in Assembler, which was the required programming language back then," said Kaspersky Lab's Raiu says. Later, they used Pascal and Visual Basic. Among the viruses he encountered were BadSectors, which marked sectors on disk as bad, and Michelangelo (also known as March 6), which wiped the computer master boot record on March 6. Another one was Jabber, which would automatically type the name of Romania's president at the time, Iliescu, if somebody wrote the word 'jos', which means 'resign' in Romanian.

Many viruses were focused on doing something their writers considered cool, like showing an image or playing a song. Some of them contained secret messages and puzzles. The Tequila virus, for example, displayed a Mandelbrot fractal on screen. "[They] played games with victims, sometimes winning the prize meant you could have your data back," ESET's Trnka said.

Fame not money

Dark Avenger and his ilk were dedicated. They sat for hours in front of their computers analysing code, learning from each other, trying to be the best they could be - and trying to come up with the next big thing.

Back then, it didn't matter how much data the virus destroyed or havoc it wreaked. The point was how brilliant it was. Bulgarian Todor Todorov, also known as Commander Tosh, founded the first Virus Exchange bulletin board in the world. The bulletin board system (BBS) helped geeks exchange virus code and other sensitive information. "No malware was written for financial gain, unlike nowadays, when most of the malware is written for some kind of financial profit," Kaspersky's Raiu said.

He was one of the good kids eager to learn more about viruses. The computer network in his Romanian high school got infected with BadSectors.3428. No existing antivirus product was able to catch and remove it, and so he spent a whole night trying to figure out how to beat it.

"I was really afraid one of the other computer-savvy guys would do it before me. My tool became popular and in time, people started bringing more and more new viruses that were not disinfected by popular solutions from the outside," he said.

Raiu wrote RAV, a Romanian antivirus product, in 1994. It was eventually bought by Microsoft in 2003 and integrated into Redmond's own software.

One of the first viruses ESET's Trinka encountered was Vienna.648, which infected .com files. Its simplicity made it elegant. Later came Cascade. "At a certain time, the characters on the screen fell down and ended in a heap on the bottom. On top of that, the virus's code was mostly encrypted to disable reverse-engineering," Raiu said.

This virus was also the first to enter the Kaspersky Lab Antivirus Database. The man behind it was Eugene Kaspersky, who graduated from the Institute of Cryptography, Telecommunications and Computer Science in Russia. His security product, named AVP in the beginning, was the world's first antivirus program to have a graphical user interface.

Over 400 million people worldwide now use Kaspersky Lab products. "I consider myself one of the happiest people around, since what I do I once did as a hobby, and that's long since become my job," Kaspersky told CIO magazine.

Good guys show up

Meanwhile in Czechoslovakia, Miroslav Trnka and his friend Peter Paško were among those who discovered the first computer viruses in 1987. They wanted to build a universal software product to counteract emerging threats and ended up writing the first version of NOD32. Czechoslovakia was a single communist country back then, and not quite the perfect place for entrepreneurship.

"We always wanted to run a business with the aim of protecting people and data, similar to a hospital setting. That is why we called the software NOD, an acronym for Nemocnica na Okraji Disku [which translates as 'Hospital on the Edge of the Disk']. At that time, Czechoslovak television was showing a very popular medical TV series called 'Hospital on the Edge of the City'," Trnka told ZDNet.

In 1992, three years after the fall of communism, Trnka, Paško, and a third friend Rudolf Hrubý established ESET as a privately owned limited liability company. Today, over 100 million people around the globe have used their security software.

A few years later, another name arose in the region: Bitdefender. After the fall of communism in Romania, Florin Talpeş, his wife Măriuca, and their friends created a software company called Softwin. They helped some developers in France struggling with a computer game of tennis. It was the first time they left the country, as the borders were virtually closed when dictator Nicolae Ceaușescu was in power.

Soon, they started developing computer games. "Mr Talpeș's company was repeatedly hit by viruses created by fledgling cybercriminals in neighboring countries. The damage forced him to design programs in-house to fight the viruses that were increasingly infecting his business," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.

"Mr Talpeș started giving away his antivirus solutions in the hopes of ridding the region of malware. He soon found greater demand for the antivirus software than for his company's services as an outsourcer."

It wasn't easy to do business in that particular corner of Europe. First, the law didn't allow a company to have a bank account, so Bitdefender had to handle all payments in cash. Secondly, the company needed to fill in export forms that demanded the weight of their software in kilograms. The solution was to consider 100 grams for every 100 kilobytes.

Before it became the eponymous Bitdefender, the name of the security software was AVX (Anti-Virus eXpert). "It was the first product of its kind to feature an update system that required no input from the user. AVX would automatically download lists of new threats that were circulating through the online community, which kept the software up to date without bothering the user," Botezatu said.

Now, Bitdefender has 500 million users worldwide. Its most important markets are the US, Germany, the UK, and France, according to the company.

'The spirit carries on'

Kaspersky, Bitdefender, ESET, avast!, AVG, and other antivirus providers from this region blazed a trail two decades ago - and haven't lost their touch. Today, privacy and Internet of Things are two important battlegrounds on which they continue to fight against malware.

"We are just about to launch a smart innovative solution for the Internet of Things. The Bitdefender BOX is a hardware appliance that runs inside your network and scans traffic regardless of the device it is generated from," said Botezatu.

In one way, the whole computer security industry came about because of Dark Avenger and other early malware creators. They inspired some, frightened others, but in the end made everyone compete and excel. Through the losses US and Western European companies suffered, Dark Avenger's work taught the world that computer security is a big deal and must be taken seriously.

By 1993, Dark Avenger had disappeared. Nobody has heard from him since, or discovered his identity. He might have lost interest in writing viruses, or he could have become a well-established professional in the antivirus field. As a malware writer, he had finished his job. Computer security had become a dog-eat-dog arena.

Read more from Central Europe

Editorial standards