Ero Carrera is watching the computer screen in a lab as he tracks a new computer virus, one targeting cellphones, that is slowly circling...

Share story

SAN JOSE, Calif. — Ero Carrera is watching the computer screen in a lab as he tracks a new computer virus, one targeting cellphones, that is slowly circling the globe.

He’s one of a couple of hundred virus hunters worldwide who guard computers and cellphones from attack. Working from the San Jose office of a Finnish computer-security company, F-Secure, Carrera knows this virus could be the start of something big and nasty.

That’s just the job for these unlikely action heroes of the Internet age, where quick and curious minds are more important than bulging muscles.

Most Read Stories

Unlimited Digital Access. $1 for 4 weeks.

Carrera, a Spaniard, works with Tzvetan “Ceco” Chaliavski, a Bulgarian, to form the two-man team for F-Secure in San Jose. The two trade shifts with the company’s main lab in Helsinki, Finland, to make a SWATlike team that stretches across the globe 24/7 to keep the world’s network of computers and cellphones safe from attack.

“These guys spend weeks writing viruses, and we decode several a day,” Carrera said, bragging a bit about how he matches intellects with virus writers. “You have to like looking at the code and being challenged.”

Carrera and Chaliavski love the thrill of the chase, yet seldom leave their desks. They stare all day at computer screens filled with a sea of jumbled numbers and symbols — the electronic guts of computer worms and viruses.

Their arcane work is at the forefront of protecting the world’s computers from the damaging barrage of viruses, worms, Trojan horses and other so-called “malware.” Last year’s top four attacks — Mydoom, Sasser, NetSky and Bagel — cost an estimated $13 billion in damage and lost productivity worldwide, according to Computer Economics, a research company.

The cellphone virus, nicknamed Cabir, already has more than 20 variations and has spread to at least 14 countries.

Ero Carrera welcomes the daily battle of intellects.

Although the Cabir virus so far has done little damage beyond draining phone batteries, it could be a stalking horse for other, more-devastating viruses in the works.

This year, so far, attacks have been light. But Carrera knows that could change any day.

The fight for Internet security is a global one. Carrera, 23, and Chaliavski, 35, are a couple of streetwise geeks in that fight.

With blond highlights streaking his dark hair, Carrera looks more hipster than nerd. But he’s just as excited describing decryption as he is about his first surfing trip to the Pacific.

Their job is called “reverse engineering” because it’s the opposite of writing a software program. They break down software to detect a new virus and crack its encrypted code. Then they create and ship out a software update, or antidote, to customers to thwart a cyber-meltdown.

Tzvetan Chaliavski is proud to be a “freak.”

Carrera and Chaliavski proudly call themselves “freaks” because they were childhood math and computer wizards who are still obsessed with figuring out how things work.

“It’s just persistence and curiosity,” Carrera said.

Inside-out expertise

Despite the huge stakes for guarding Internet security, there are only about 200 top virus hunters worldwide like Carrera and Chaliavski. Most work for anti-virus companies such as F-Secure, Symantec of Cupertino, Calif., McAfee of Santa Clara, Calif., and Trend Micro of Japan. They possess inside-out expertise in obscure computer-assembly languages and a steely determination to grapple with encrypted software code day after day.

Any morning could bring a 12-hour caffeine and adrenaline-fueled rush to thwart a major outbreak of a mass-mailing worm like last year’s Mydoom, which at its peak accounted for one of every 12 e-mails worldwide, according to MessageLabs, an e-mail security company.

Or — more likely — they could spend tedious hours naming and classifying hundreds of routine bugs that have no more impact than infecting a few computers.

Virus-naming rights

A new virus is named by the hunter who discovers it, such as “Bagel,” which caused major outbreaks last year. Then every new version of that virus is added to its family tree, such as Bagel.B for the second variant.

Virus hunters have discovered more than 100,000 viruses, many of them variations of a few large virus families like Mydoom or Sobig. These attacks can be simple mischief but often have criminal intent, such as launching an online attack against a hated Web site, sending spam to sell drugs or “phishing” e-mail to lure people into divulging personal information.

Such attacks can range from annoying to devastating.

If a company’s computer network is infected, productivity “grinds to a halt,” said Dave Bixler, information-security officer for Siemens Business Services, which provides technical services to businesses.

Mydoom generated more than 100 million e-mails on its first day in January 2004. The worm also left behind a backdoor program, which was used to launch an attack, called DDOS for “distributed denial of service,” which flooded the Web site of a software maker, SCO, with so many junk requests that it shut down the site for weeks.

Spammers also can use such backdoor programs to hijack an army of “zombie” computers — owned by others who are oblivious to the hijacking — for such uses as sending waves of e-mail messages that are hard to trace.

Hunters target niches

In San Jose, Carrera and Chaliavski take over duties each morning from F-Secure’s team of nine virus hunters at company headquarters in Helsinki, where it’s 10 hours ahead and already evening. F-Secure has 75 percent of its sales in Europe, but added the two virus hunters to its San Jose sales office to compete with much larger rivals like Symantec.

The smaller company is also targeting certain security niches, such as protecting cellphones and other mobile devices from attacks like Cabir.

Roughly 300 new samples await the pair on an average day. The potential “malware” is forwarded by customers, or collected from “honey pots,” which are decoy computers that F-Secure maintains without security updates or simple passwords.

Carrera has created an algorithm, or mathematical formula, to visually depict the software structure of viruses to better compare the many variants and families of malware. His portrait of the Sobig worm he helped unravel hangs as a sort of trophy back in Helsinki.

To his partner, Chaliavski, who grew up in communist Bulgaria, it doesn’t even matter why someone would create a virus.

All that matters is the hunt.

“I focus on the technical point of view,” he said. “I don’t really focus on the psychology of why they wrote the virus. To me it’s irrelevant.”