
A deep dive into the world of DOS viruses [video] - pjmlp
https://media.ccc.de/v/35c3-9617-a_deep_dive_into_the_world_of_dos_viruses
======
rzzzt
If you are interested in more examples on what virus payloads did on
activation, danooct1 on YouTube has recorded lots of them (link goes to the
MS-DOS playlist):
[https://www.youtube.com/playlist?list=PLi_KYBWS_E71ObQ8QpGj5...](https://www.youtube.com/playlist?list=PLi_KYBWS_E71ObQ8QpGj5zIDXHREbdWaM)

~~~
robertAngst
This was awesome.

Wish I knew the most interesting/popular of these.

My first virus/worm (one that wasn't adware from freeware games) was the
Conficker-

[https://en.wikipedia.org/wiki/Conficker](https://en.wikipedia.org/wiki/Conficker)

Think I got it for sticking my USB in college and HS computers. Back then
having a USB full of cool things was a big deal. I probably infected hundreds
of computers.

~~~
userbinator
That Conficker spread widely and remained active for a long time could be
attributed to the fact that it was relatively benign --- in contrast to
ransomware, both that article and my memories of it agree that it did not
destroy user data, which would've led to a far more intense "immune
response".

------
pnash
40hex is a great zine from the early 90s that was focused on viruses, from a
virus writer's perspective. Mutation engines, polymorphism, virus decompilation
& spotlights, etc.

[http://textfiles.rolz.org/magazines/40HEX/](http://textfiles.rolz.org/magazines/40HEX/)

------
gesman
Back in 1990-1996 I was involved in anti-virus work for an Israeli company and
later on for IBM Watson Research, building anti-virus technologies and
software.

We had a separate, disconnected laboratory with strict rules (disk-in / no
disk out!). Nasty unknown stuff being tested there.

At some time my work was to develop a virtual machine (in C) capable of
emulating the x86 instruction set, to quickly run EXE files through it to detect
if anything weird was going on.

Fun times!

------
riq_
Nice video, I liked it. But I wouldn't call it a "deep dive". In any case,
it is just a quick overview.

By "deep dive" I would expect in-detail infection techniques (.com is
mentioned, but MBR is missing), stealth techniques (how viruses bypassed
debuggers and anti-virus), techniques used by antivirus (besides basic pattern
matching).

~~~
EvanAnderson
There was definitely some interesting stuff in the DOS virus era. One of the
"Priest" / "Little Loc" viruses (can't remember which one right now) exploited
a vulnerability in the tracing code in the ThunderByte "TBCLEAN" utility to
detect when the virus was being run under single-step. It would "break out" of
TBCLEAN and destroy data. (ThunderByte didn't correctly emulate / "virtualize"
every instruction that could expose the trap flag. There was also a
vulnerability to allow you to override their single-step interrupt handler.)
Priest also ended up using what he learned when he found that vulnerability in
the ISR trace code in "Natas" to bypass TSR anti-virus by locating the
original BIOS and DOS entry points (by executing a call under single-step and
emulating / virtualizing instructions that expose the trap flag to avoid
detection.) I've wondered if his techniques might actually be prior art for
some of the various patents on virtualizing x86.

------
vectorEQ
:') I feel these old DOS things are nice to discuss; if you look at current
documentation and implementation of x86_64 systems, a lot of these techniques
still seem valid. The most awesome work I could find on such things was z0mbie's
work on his Mistfall engine. I'm trying to re-write a sort of benign version of
that for x64 to educate myself about executable file formats, linking /
loading and other subjects. It's really nice to teach yourself about how computers
work if you try to apply some of these techniques to an OS yourself.

------
LeoPanthera
See also the textfiles.com virus archive:
[http://textfiles.com/virus/](http://textfiles.com/virus/)

If your browser uses the Google Safe Browsing blacklist, you may not be able
to access that site, ironically because of the very viruses intentionally
hosted there, despite the fact that they are decades old.

------
ghostDancer
There were some really great groups in the vx scene and some made things
really interesting:
[http://virus.wikidot.com/esperanto](http://virus.wikidot.com/esperanto)

------
db48x
You can run some fun ones in your browser:
[https://archive.org/details/malwaremuseum](https://archive.org/details/malwaremuseum)

------
wolfspider
Very cool blast from the past! I remember stealth_c as being extremely
aggravating. It would infect the MBR and spread to all disks and pretty much
grenade your PC.

