Dark Avenger
Encyclopedia
Dark Avenger was a pseudonym of a computer virus
writer from Sofia
, Bulgaria
. He gained considerable popularity during the early 1990s, as some of his viruses spread not only nationwide, but across Europe as well, even reaching the United States
.
In April, 1988, Bulgaria's specialised magazine for computers, 'Компютър за Вас' (Computer for You), issued an article which explained in detail the nature of computer viruses and even methods for writing them. A few months after that, Bulgaria was "visited" by several foreign viruses, namely "Vienna", "Ping Pong" and "Cascade". The interest spawned by both the article and the viruses was huge, and soon, young Bulgarian programmers began to search for ways to devise their own viruses.
Soon, a wave of Bulgarian viruses erupted, started by the "Old Yankee" and "Vacsina" viruses. Dark Avenger made his first appearance in the spring of 1989.
It was very infectious: if the virus was active in memory opening or just copying an executable file was sufficient to infect it. Additionally, the virus also destroyed data, by overwriting a random sector of the disk at every 16th run of an infected program, progressively corrupting files and directories on the disk.
Corrupted files contained the string "Eddie lives... somewhere in time!"—possibly a reference to Iron Maiden's album, "Somewhere in Time". Due to its highly-infectious nature, the virus spread world-wide, reaching Western Europe
, the USSR, the United States
, and even East Asia
. It even received moderate mention in the New York Times and Washington Post.
This virus was soon followed by others, each employing a new clever trick. Dark Avenger is believed to have authored the following viruses: Dark Avenger, V2000 (two variants), V2100 (two variants), 651, Diamond (two variants), Nomenklatura, 512 (six variants), 800, 1226, Proud, Evil, Phoenix, Anthrax, Leech. As a major means for spreading the source code
of his viruses, Dark Avenger used the then popular bulletin board systems.
In its variants, the virus also contained the following strings:
In technical terms, the most prominent feature of some of Dark Avenger's viruses was their polymorphic
engine, the Mutation Engine (MtE); MtE could be linked to the plain virus in order to generate polymorphic decryptors. Dark Avenger did not, however, invent polymorphism itself, since this had already been predicted by Fred Cohen
, and later put into practice by Mark Washburn in his 1260
virus, in 1990. It wasn't until a year or more later that Dark Avenger's viruses began to employ polymorphic code.
Dark Avenger made frequent attacks on Bulgarian anti-virus researcher Vesselin Bontchev. Such is the case with the viruses V2000 and V2100, which claim to be written by Vesselin Bontchev, in an attempt to cause defamation. This "conflict" between the two has led many to believe that Bontchev and Dark Avenger were intentionally "promoting" each other, or that they might even be the same person.
Dark Avenger's actions were not treated as a crime at that time in Bulgaria, since there was no law for information protection.
which contains revealing information. Some of Dark Avenger's contemporaries, mainly Vesselin Bontchev, have also shed light on his potential identity.
If Dark Avenger is to be tied with a certain name, there are two major candidates. One is Vesselin Bontchev himself, who may have deceptively posed as "Dark Avenger" for the sake of self-promotion. The other is Todor Todorov. Todor Todorov was a student of the Bulgarian National School of Mathematics
who took particular interest in programming viruses during his school days, and even hosted his own BBS
for the purpose of sharing them. Anton Ivanov, a schoolmate and friend of Todorov's, has ambiguously hinted at the possibility of Todorov being Dark Avenger.
Dark Avenger may have been a fan of heavy metal music
. The string Eddie lives...somewhere in time, which the virus outputs, draws attention. Eddie the Head
is the name of the mascot of the heavy metal band Iron Maiden
. Additionally, Somewhere in Time is the name of the band's sixth album. Furthermore, in his interview with Sarah Gordon, Dark Avenger states that he named himself after "an old song"; Manowar (also a heavy metal band) have a song called Dark Avenger, on their debut album
.
, a computer security researcher. Gordon became intrigued with the virus, and joined a virus-exchange BBS
in search of more information. Thus, she randomly came upon Dark Avenger, who was an avid visitor of BBSes himself. The two came into contact and maintained it through emails for a good several years. Eventually, Sarah Gordon compiled most of these e-mails into a makeshift interview.
The interview is the best insight into Dark Avenger's personality and motives and it contains some valuable information. Dark Avenger had previously stated on several occasions that "destroying data is a pleasure". However, in this interview, he confesses that he regrets his actions, and that they were not right. The degree to which Dark Avenger exposes himself to Sarah Gordon has led many to believe that he held a deep affection for her. He even went as far as devoting one of his viruses to her.
It has been suggested by some virus writers that the Dark Avenger personality was a social experiment and Gordon was the object of a study herself, while helping build the myth. Others have hypothesized that she herself was Dark Avenger. In reality, her work has been externally validated, and is recognized as the seminal scientific/academic work on the topic.
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
writer from Sofia
Sofia
Sofia is the capital and largest city of Bulgaria and the 12th largest city in the European Union with a population of 1.27 million people. It is located in western Bulgaria, at the foot of Mount Vitosha and approximately at the centre of the Balkan Peninsula.Prehistoric settlements were excavated...
, Bulgaria
Bulgaria
Bulgaria , officially the Republic of Bulgaria , is a parliamentary democracy within a unitary constitutional republic in Southeast Europe. The country borders Romania to the north, Serbia and Macedonia to the west, Greece and Turkey to the south, as well as the Black Sea to the east...
. He gained considerable popularity during the early 1990s, as some of his viruses spread not only nationwide, but across Europe as well, even reaching the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
.
Background and origins
In the late 80's and early 90's, personal computers in Bulgaria were relatively rare, with only the wealthiest citizens able to afford one. Nevertheless, Bulgaria had a blooming computer hardware industry, which specialised in providing large numbers of PCs for educational purposes. Thus, many schools and universities were provided with computers, and informatics was a commonly studied subject. This helped foster a certain attitude towards computers among the newest generation.In April, 1988, Bulgaria's specialised magazine for computers, 'Компютър за Вас' (Computer for You), issued an article which explained in detail the nature of computer viruses and even methods for writing them. A few months after that, Bulgaria was "visited" by several foreign viruses, namely "Vienna", "Ping Pong" and "Cascade". The interest spawned by both the article and the viruses was huge, and soon, young Bulgarian programmers began to search for ways to devise their own viruses.
Soon, a wave of Bulgarian viruses erupted, started by the "Old Yankee" and "Vacsina" viruses. Dark Avenger made his first appearance in the spring of 1989.
Viruses
Dark Avenger's first virus appeared in early 1989 and contained the string "This program was written in the city of Sofia (C) 1988-89 Dark Avenger". Thus, this first virus is usually referred to as "Dark Avenger", eponymous to its author.It was very infectious: if the virus was active in memory opening or just copying an executable file was sufficient to infect it. Additionally, the virus also destroyed data, by overwriting a random sector of the disk at every 16th run of an infected program, progressively corrupting files and directories on the disk.
Corrupted files contained the string "Eddie lives... somewhere in time!"—possibly a reference to Iron Maiden's album, "Somewhere in Time". Due to its highly-infectious nature, the virus spread world-wide, reaching Western Europe
Western Europe
Western Europe is a loose term for the collection of countries in the western most region of the European continents, though this definition is context-dependent and carries cultural and political connotations. One definition describes Western Europe as a geographic entity—the region lying in the...
, the USSR, the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
, and even East Asia
East Asia
East Asia or Eastern Asia is a subregion of Asia that can be defined in either geographical or cultural terms...
. It even received moderate mention in the New York Times and Washington Post.
This virus was soon followed by others, each employing a new clever trick. Dark Avenger is believed to have authored the following viruses: Dark Avenger, V2000 (two variants), V2100 (two variants), 651, Diamond (two variants), Nomenklatura, 512 (six variants), 800, 1226, Proud, Evil, Phoenix, Anthrax, Leech. As a major means for spreading the source code
Source code
In computer science, source code is text written using the format and syntax of the programming language that it is being written in. Such a language is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source...
of his viruses, Dark Avenger used the then popular bulletin board systems.
In its variants, the virus also contained the following strings:
- "Zopy (sic) me - I want to travel"
- "Only the Good die young..."
- "Copyright (C) 1989 by Vesselin Bontchev"
In technical terms, the most prominent feature of some of Dark Avenger's viruses was their polymorphic
Polymorphic code
In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code will not change at all...
engine, the Mutation Engine (MtE); MtE could be linked to the plain virus in order to generate polymorphic decryptors. Dark Avenger did not, however, invent polymorphism itself, since this had already been predicted by Fred Cohen
Fred Cohen
Frederick B. Cohen is an American computer scientist and best known as the inventor of computer virus defense techniques.In 1983, while a student at the University of Southern California's School of Engineering , he wrote a program for a parasitic application that seized control of computer...
, and later put into practice by Mark Washburn in his 1260
1260 (computer virus)
1260, or V2PX, was a computer virus written in 1989 by Mark Washburn that used a form of polymorphic encryption. Derived from Ralph Burger's publication of the disassembled Vienna virus source code, the 1260 altered its signature by randomizing and obfuscating its decryption algorithm in an effort...
virus, in 1990. It wasn't until a year or more later that Dark Avenger's viruses began to employ polymorphic code.
Dark Avenger made frequent attacks on Bulgarian anti-virus researcher Vesselin Bontchev. Such is the case with the viruses V2000 and V2100, which claim to be written by Vesselin Bontchev, in an attempt to cause defamation. This "conflict" between the two has led many to believe that Bontchev and Dark Avenger were intentionally "promoting" each other, or that they might even be the same person.
Dark Avenger's actions were not treated as a crime at that time in Bulgaria, since there was no law for information protection.
Identity
The identity of the person behind the pseudonym has never been ascertained. However, a lot can be inferred via various details of the viruses. Additionally, Dark Avenger was the subject of an interview conducted by Sarah GordonSarah Gordon
Sarah Gordon is a computer security researcher, responsible for early scientific and academic work on virus writers, hackers, and social issues in computing She was among the first computer scientists to propose a multidisciplinary approach to computer security...
which contains revealing information. Some of Dark Avenger's contemporaries, mainly Vesselin Bontchev, have also shed light on his potential identity.
If Dark Avenger is to be tied with a certain name, there are two major candidates. One is Vesselin Bontchev himself, who may have deceptively posed as "Dark Avenger" for the sake of self-promotion. The other is Todor Todorov. Todor Todorov was a student of the Bulgarian National School of Mathematics
National Gymnasium of Natural Sciences and Mathematics "Academician Lyubomir Chakalov"
National High School of Mathematics and Natural Sciences "Academician Lyubomir Chakalov" is a high school in Sofia, Bulgaria. It is located in Lozenets municipality. The school is named after the Bulgarian mathematician Lyubomir Chakalov...
who took particular interest in programming viruses during his school days, and even hosted his own BBS
Bulletin board system
A Bulletin Board System, or BBS, is a computer system running software that allows users to connect and log in to the system using a terminal program. Once logged in, a user can perform functions such as uploading and downloading software and data, reading news and bulletins, and exchanging...
for the purpose of sharing them. Anton Ivanov, a schoolmate and friend of Todorov's, has ambiguously hinted at the possibility of Todorov being Dark Avenger.
Dark Avenger may have been a fan of heavy metal music
Heavy metal music
Heavy metal is a genre of rock music that developed in the late 1960s and early 1970s, largely in the Midlands of the United Kingdom and the United States...
. The string Eddie lives...somewhere in time, which the virus outputs, draws attention. Eddie the Head
Eddie the Head
Eddie, also known as Eddie The Head, is the mascot for the British heavy metal band, Iron Maiden. He is a perennial fixture of the group's artwork, appearing in all of their record covers and in their merchandise, which includes t-shirts, posters and action figures...
is the name of the mascot of the heavy metal band Iron Maiden
Iron Maiden
Iron Maiden are an English heavy metal band from Leyton in east London, formed in 1975 by bassist and primary songwriter Steve Harris. Since their inception, the band's discography has grown to include a total of thirty-six albums: fifteen studio albums; eleven live albums; four EPs; and six...
. Additionally, Somewhere in Time is the name of the band's sixth album. Furthermore, in his interview with Sarah Gordon, Dark Avenger states that he named himself after "an old song"; Manowar (also a heavy metal band) have a song called Dark Avenger, on their debut album
Battle Hymns (Manowar album)
Battle Hymns is the 1982 heavy metal debut album by Manowar.- Track listing :# "Death Tone" – 4:48# "Metal Daze" – 4:18# "Fast Taker" – 3:56# "Shell Shock" – 4:04...
.
Interview with Sarah Gordon
One of the victims of Dark Avenger's viruses was Sarah GordonSarah Gordon
Sarah Gordon is a computer security researcher, responsible for early scientific and academic work on virus writers, hackers, and social issues in computing She was among the first computer scientists to propose a multidisciplinary approach to computer security...
, a computer security researcher. Gordon became intrigued with the virus, and joined a virus-exchange BBS
Bulletin board system
A Bulletin Board System, or BBS, is a computer system running software that allows users to connect and log in to the system using a terminal program. Once logged in, a user can perform functions such as uploading and downloading software and data, reading news and bulletins, and exchanging...
in search of more information. Thus, she randomly came upon Dark Avenger, who was an avid visitor of BBSes himself. The two came into contact and maintained it through emails for a good several years. Eventually, Sarah Gordon compiled most of these e-mails into a makeshift interview.
The interview is the best insight into Dark Avenger's personality and motives and it contains some valuable information. Dark Avenger had previously stated on several occasions that "destroying data is a pleasure". However, in this interview, he confesses that he regrets his actions, and that they were not right. The degree to which Dark Avenger exposes himself to Sarah Gordon has led many to believe that he held a deep affection for her. He even went as far as devoting one of his viruses to her.
It has been suggested by some virus writers that the Dark Avenger personality was a social experiment and Gordon was the object of a study herself, while helping build the myth. Others have hypothesized that she herself was Dark Avenger. In reality, her work has been externally validated, and is recognized as the seminal scientific/academic work on the topic.
External links
- MtE downloads for three of its versions
- An interview of the Dark Avenger made by Sarah Gordon
- An interview of the Dark Avenger made by Sarah Gordon (another link)
- General psychological profile over virus writers I, by Sarah Gordon
- General psychological profile over virus writers II, by Sarah Gordon
- Many papers on virus writers by Sarah Gordon
- Dark Avenger Virus Information
- Heart of Darkness, by David S. Bennahum