Security Experts Push Ukraine to Drop VX Heavens Prosecution

For more than a decade, "Herm1t" -- the online nickname of Andrey Baranovich -- has chronicled the development of malicious code on a website called VX Heavens.

VX Heavens was a site dedicated to recording the history of malicious code, hailed by some computer security researchers as an invaluable resource but one of little practical use to real cybercriminals.

The website was shut down by Ukrainian authorities last month, and Baranovich faces charges for allegedly selling malicious code in violation of the country's computer crime laws. He denies wrongdoing and has launched a Facebook page, "Saving Private Herm1t," to solicit funds for his legal defense.

In an interview over e-mail, Baranovich said he was "quite surprised and even shocked by the actions of the police. VX Heavens was running for more than a decade and nobody complained about it."

"I never sold anything," Baranovich said. "I was not involved in black hat activity, and it was impossible to get infected by visiting the site. Any [malicious software] sample would require special knowledge and training and intentional, deliberate actions to activate it."

Baranovich is gaining support from computer security experts who say the accusations are unfounded. Those experts are writing to the authorities in Donetsk, Ukraine, asking that Baranovich be left alone.

Patroklos Argyroudis, co-founder of Census, a security company based in Thessaloniki, Greece, said he wrote a letter in support of Baranovich after using VX Heavens many times for research.

"I consider Andrey's work as an essential reference for everyone doing research on these or related areas," Argyroudis said via e-mail. "VX Heavens contributes to the body of knowledge and is frequently much more useful than academic texts."

Daniel Bilar, director of research and senior principal scientist for Siege Technologies, said in an interview that VX Heavens was of immense use when he was doing research into malicious code around 2005.

Although Bilar contacted major antivirus vendors to see their code samples, those vendors had many restrictions which made his research difficult. In his letter to the Ukrainian authorities, Bilar described VX Heavens as "the first comprehensive digital computer virus museum in the world."

During his research, Bilar began corresponding with Baranovich, who asked if Bilar had ever come across an extremely hard-to-find master's thesis written in 1980 by Juergen Kraus.

The paper is the equivalent of a "10th century" manuscript found in a Scottish convent, Bilar wrote in an introduction to an English translation of the paper. It explored mathematically the minimal requirements for creating self-reproducing programs, breaking new ground in the study of computer virology.

After inquiries by Bilar, a librarian at the University of Dortmund in Germany finally located the last copy of the thesis in a vault. It was rumored to have been hidden at the request of the BND, Germany's foreign intelligence service, but the real reason appears to be to prevent it from inadvertently being thrown away.

Bilar said because of Baranovich, "a substantial piece of computer virology has come to the forefront because of his curiosity and his collection."

"Had he [Baranovich] not asked me for this, I would have not looked for it," Bilar said. "It was a masterpiece that was hidden."

Eric Filiol, scientific director of the European Institute of Computer Antivirus Research (EICAR), wrote on his blog that the shutdown of VX Heavens meant "another library of Alexandria has just burnt."

Filiol wrote that all "technical precautions" were taken with VX Heavens to prevent the information it stored from being misused, and the site was run in "a very ethical way."

"The academic and technical world needs VX Heavens and Herm1t's wonderful work," Filiol wrote.

Send news tips and comments to jeremy_kirk@idg.com
