The Dark Side

As I said, there was a huge coming and going of floppies in the university computer labs: each student brought their own disks, saved programs, and the place turned into a petri dish for computer viruses. Every day there was some virus going around in the lab. Most of the time, a regular antivirus handled it: you just ran the scanner at home before using the floppy. But one day it was different: I got home, ran our favorite antivirus at the time, F-Prot, and it flagged an unknown variant of the Jerusalem virus. Of course that piqued our curiosity, and off we went to investigate.

At that point, it was my brother who was doing his internship at IBM, so we still had access to the researchers in New York. We sent them a sample, and they confirmed it was indeed something new, with some resemblance to Jerusalem, but possibly not from the same family. I went to the university to find a professor to let them know we had found a new virus in the lab. I ended up being told to talk to Professor Bauer, who worked on virus-related topics, and from that point on the lab staff started running F-Prot daily to clean the machines. At the same time, we sent samples to the major antivirus vendors we knew. The virus ended up being named Freddy Krueger, because of a line in the code that referenced the movie character.

Freddy Krueger was just the first of the viruses we found there, and he wasn’t even that aggressive. A few months later, though, a much meaner one appeared. Some called it Freddy Krueger 2; we ended up calling it the Frisk virus. I thought it was the work of the same author, someone with access to the department’s computers, because this second piece of malware carried a direct reference: a string “hello Frisk” — Frisk being the name of the developer of F-Prot. In other words, the author seemed to be pointing out that the fight was specifically against that antivirus.

The Frisk virus was more sophisticated: it was polymorphic, which meant it changed its form with each infection, making detection by traditional antivirus signatures harder. On top of that, it stayed resident in memory and, every time a file was opened, it changed a byte of that file. In a lab as busy as ours, by the end of the day nothing would run properly anymore: the system files had been corrupted and the students’ assignments were full of garbled characters. It was chaos: the computers had to be formatted and reinstalled at the end of each day.

Then, a student from one of the classes ahead of me, famous for being very good at computing, managed to write a program that could detect and clean the Frisk virus. That utility saved hours of reinstallation and was a great relief for the people running the lab. The rumor mill, of course, said that whoever had developed the antivirus was the author of the virus, which is why he knew exactly how to remove it.

Later came Leandro & Kelly, a boot sector virus also found in the lab. It carried the string “Leandro e Kelly, GV, MG”. Coincidentally, there was a younger student named Leandro, from the city of Governador Valadares (GV), MG. He has always denied any involvement, but gossip didn’t spare him and the story ran through the hallways.

While we were finding these viruses, the course went on. We studied data structures, and I remember professor Ziviani introduced one of them as useful for pattern detection: the PATRICIA tree. The idea came quickly: could we implement that structure and extract virus signatures, maybe even for some polymorphic ones? We tried, but the implementation in the book had a bug, and the project died right there because we didn’t understand it enough to fix it.

In another course we studied the RSA algorithm for public-key cryptography. I already knew cryptography existed, but understanding RSA opened a new perspective: information security stopped being just about antivirus and became a much bigger field, with lots of nuances. The course assignment was to implement RSA, at the same time that we were learning the C programming language. In my readings online, I had seen mentions of PGP (Pretty Good Privacy), which used RSA, and I knew that, at the time, cryptographic software was treated as a weapon by the United States Government — there were export restrictions. A creative bunch got around this by printing the code in a book and selling it in bookstores, because the U.S. Constitution protects printed expression and prevents the government from banning the book or stopping it from being exported. Now, someone could buy the book outside the U.S., scan it, and recover the source code. It was an unusual solution and it made the news.

When the professor had us implement RSA, my first idea was to reuse the PGP code I knew about, but I discovered PGP was a lot more complex than the course exercise. I ended up borrowing some ideas from it, but I didn’t turn in a whole PGP as a second-year project. Even so, doing well on that assignment opened doors within the university — but that’s a story for a future chapter.