The Malware Museum (archive.org)
472 points by mikkohypponen on Feb 5, 2016 | 75 comments

Back in the day a lot of thought and ingenuity was put into making these viruses. For instance, the Friday 13th [1][2][3] virus:

* was only 419 bytes long

* infected both .COM and .EXE, increasing the size of the former by only 1813 bytes

* on infection, became memory resident (using only 2kb of memory)

* hooked itself into interrupt processing and other low level DOS services to, for instance, suppress the printing of console messages in failure cases (like trying to infect a file on a read-only floppy disk)

* activated itself every Friday the 13th and deleted programs used that day

It still managed to spread itself worldwide (mostly via floppy disk sharing as the world wide web didn't exist yet) and went mainstream enough for the broadcast news to advise people not to turn on their computers on that date or to push the date one day ahead.

All that in 419 bytes, about a third of the size of this post.

[1] https://en.wikipedia.org/wiki/Jerusalem_%28computer_virus%29

[2] https://www.f-secure.com/v-descs/jerusale.shtml

[3] http://www.pandasecurity.com/mediacenter/malware/famous-viru...

> about a third of the size of this post.

This was a delightful comparison. It didn't really sink in until you said that.

Or three tweets, if you did not try squeezing it inside multi-byte characters.

Somebody tweet it!

It's raw binary. The best way would be to base64 encode it and break it into four tweets.

The best way is to find some other base?????? encoding that maps to Unicode glyphs!

Hello Luso Brailian: I'm a senior writer with Wired (www.wired.com). Am putting together a small story on this. Would love to chat, if you have a second: cade_metz@wired.com

No problems, I'll e-mail you. My hash is 66aaeaf1850395a78696b3b6c178d49fd71bf5c3

curious, what does that mean?

Most likely authentication. He'll e-mail the reporter and include the input that hashes to the value. This way, the reporter can be sure it's him.
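The commit-then-reveal trick described above, as an added example (not code from anyone in this thread). A 40-hex-digit value is the output length of SHA-1, so the example defaults to that algorithm and infers it from the digest length; all function names are made up here. The usual caveats: the secret must be unguessable (a random token, not a name or a phrase), and the reporter must have seen the hash under the HN account before the e-mail arrives, since that prior public posting is what binds the reveal to the account.

```python
import hashlib
import hmac
import secrets

# Hex digest length -> hash family. A 40-char hex string is SHA-1 sized.
DIGEST_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def infer_algorithm(hex_digest):
    """Guess the hash family from the published digest's length alone."""
    return DIGEST_BY_HEX_LENGTH.get(len(hex_digest))


def make_commitment(secret, algorithm="sha1"):
    """Return the value to post publicly; `secret` stays private until the reveal."""
    return hashlib.new(algorithm, secret).hexdigest()


def verify_reveal(published_hex, revealed_secret):
    """Recompute the digest from the revealed secret and compare in constant time."""
    algorithm = infer_algorithm(published_hex)
    if algorithm is None:
        return False
    expected = hashlib.new(algorithm, revealed_secret).hexdigest()
    return hmac.compare_digest(expected, published_hex.lower())


def fresh_secret(nbytes=32):
    """High-entropy preimage; a guessable phrase could be brute-forced from the hash."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    # Constructed walk-through: commenter side, then reporter side.
    secret = fresh_secret()
    public = make_commitment(secret, "sha256")
    print("post publicly:", public)
    print("later, in e-mail, reveal:", secret.hex())
    print("reporter checks:", verify_reveal(public, bytes.fromhex(secret.hex())))
```

Preimage resistance is what protects the secret before the reveal; the reveal itself proves nothing unless the digest was posted first, from the account whose authorship is in question.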

> I'm a senior writer with Wired (www.wired.com). Am putting together a small story on this. Would love to chat

You must not have a full grasp of how HN operates.

If all it takes to get into a Wired article is to regurgitate information already plentifully available online, I'm pretty worried about Wired's future.

While the comment was substantive and linked to sources, this is normal for HN and nothing special.

How about you contact the guy who posted the article? He's the CRO from F-Secure, one of the research companies that was linked to as a source.

I really hope Wired doesn't start using random comments as "experts" in articles.

I have a printout of the disassembly of that virus (in wide format fanfold) from around then. When I come across it I'll donate it to the Hellenic IT Museum...

Here's a disassembly of a strain of that virus: http://textfiles.com/virus/jeru-b.asm

Aren't these two statements contradictory?

> * was only 419 bytes long
> * infected both .COM and .EXE, increasing the size of the former by only 1813 bytes

Compressing the payload was pretty common.

I know nothing about these, but is it possible it put its code in multiple places on the .com or .exe?

> mostly via floppy disk sharing as the world wide web didn't exist yet

Great post, but wouldn't the internet, email, BBS and other networks have been the main cause of its worldwide spread?

As the initial source of infection in a certain geographical area maybe, but as far as I remember most viruses (especially boot sector ones) spread through floppy disk sharing, first from people to people inside companies, from company computer to personal computer at home, from friend to friend personal computer and then from personal computer to company computer.

Much like the spread of HIV back in the late 80's and early 90's, most people didn't really understand how exactly computer programs worked and didn't follow IT guidelines on how to avoid getting infected. The number of infections was naturally limited by the small number of people at risk: computer users.

But as the availability of computers and the number of useful applications increased so did the volume of infections being spread through the same bad habits: floppy sharing without protection, and by that I mean the read only lock.

And, instead of the ideal (but very hard) way to eradicate the problem (informatic prophylaxis and education for users) the industry "solved" the problem by creating the antivirus and accepting an occasional infection as something unavoidable.

Then the World Wide Web exploded, creating a frictionless media for the spread of these infections and here we are.

Thanks. Yeah, I think I was overestimating usage of online file transfer systems at that time, and underestimating offline/business usage of PCs.

In 1987 sneakernet was way more popular than any online service. The majority of regular folks weren't online yet.

And some of us who were were still rocking a Commodore. 30+ years, still 0 infections here!

Reminds me that Woz claimed that one reason the early Macs were so resistant to viruses was that most of the OS lived in ROM.

I wrote an AV Scanner (for the lulz) in the early 1990's and ended up working at Symantec for my sins. Some of the programs were seriously well coded with self-hamming code, polymorphism, multi-partite capabilities, etc. Some of my favourites were the 'Eddie' series - written by a Bulgarian guy with a liking for Iron Maiden. :)

I remember this ezine 40Hex used to have virus assembly in it, which to my 12-year-old self was pretty much the coolest thing I could imagine, until I compiled and accidentally ran it and destroyed my parents' Windows 98 installation.

I believe I have a full collection of the 40Hex zines. Maybe I should add them to this archive.

Jason Scott has some too, I'm not sure how complete his collection is http://www.textfiles.com/magazines/40HEX/

It looks to be complete. Dark Angel's virus writing guides ("ps_vir..." files here http://textfiles.com/virus/) are good for some nostalgia, too.

Please do, I think that they would make a great addition.

The good old days... when viruses merely displayed a funny message or erased your hard disk, but didn't turn your computer into part of a botnet controlled by organized crime.

There was an insidious period when viruses would attempt to flash the bios with garbage, rendering the computer useless. I heard that some crafty individuals would recover by purchasing a motherboard of the same model, swapping the bios chip to boot up, hot swapping the old chip back and then reflashing the old chip with a good bios. After that, you could also reinstall the new bios chip in the motherboard and return it, slightly used.

I'll take a botnet computer over a bricked one any day.

I'll take a trashed BIOS over a backdoored BIOS any day. Firmware viruses are a very real threat today.

If anyone feels like researching this, don't look at the BadBios conspiracy, that's an internet meme.

Instead look at things like Intel's trusted computing. Igor Skochinsky (of Hex-Rays / IDA fame, and moderator of /r/reverseengineering) has an excellent PowerPoint highlighting some research on their Management Engine, which is probably in your computer right now.

pdf: https://github.com/skochinsky/papers/raw/master/2014-10%20%5...

A bricked computer isn't as likely to empty your bank account though.

I think many of the UEFI variable bugs that brick systems can be easily exploited from Windows even today.

I'm imagining the iFixit instructions for this on an iMac.

LMAO! Good old days, need that paper to frame it!

Or weren't written by a government as part of a multi-million-dollar malware R&D program that reduces to practice way-out-there speculations about what malicious software could theoretically do.

I'd rather suck in a botnet virus DDoS-ing some random site over losing my data.

This is a fantastic, numerous talk on the subject: https://www.youtube.com/watch?v=s2g9lgYrYJM

Viruses were so much better before https://archive.org/details/malware_ZOHRA.COM

That's just what early MS DOS looked like.

I remember back in the 90s, demonstration of the viruses (with all animations, music, etc.) was one of the coolest features of popular Polish antivirus mks_vir.

Mks_vir, especially its DOS incarnations from its heyday back when it was developed by Marek Sell himself, definitely deserves much more international publicity than it got.

Malware back then was usually pranks. Today it's mostly run by organized crime. Money changes everything.

I wrote DOS viruses when I was fifteen or sixteen. Most of them didn't do anything or did silly little pranks, but it's how I learned X86 ASM.

Sadly due to copyright law, malware is one of the safest things to publish. Who's going to bring a copyright claim?

I remember actually getting infected with one of these when I was a teenager. From what I recall, it was mostly harmless.

Me and some friends pooled together and bought a couple of CD-ROM's full of warez from some guy we found online and one of the games or applications was infected. Looking back, I'm actually pretty more all of them weren't infected!

A long shot, but just in case...

Even shady 1990s warez CDs need to be preserved :)

In the early 90s, I created a stealth benign virus in just 127 bytes. Good old times!

Back then, one of the most amazing virus was Whale [0]!

[0]: http://www.mycal.net/Group42/virus/40hex/40hex22.htm

Imagine being a virus writer crafting a virus so complicated that it would only work in a future not written different kind of OS or virtual machine, and work in differing operating systems, and identify and poke for weaknesses by itself.

Perhaps it would just be a Science Fiction plot device!

When you download a usenet message from the High Beyond[1], be sure to send it through a proxy in the Slow Zone before you read it.

[1] https://en.wikipedia.org/wiki/A_Fire_Upon_the_Deep#Setting

Well, something more nefarious is already possible with a bit of money. Someone could hide a few armed drones set to wake up 100 years from now, set up to shoot everyone they find. The perfect crime in the sense that police can't capture him if he is already dead.

Luckily this seems not easy. Mechanical parts do not like being unmaintained for decades, while being stored in a damp/sandy/cold/hot environment. Batteries, solar cells and other means of stored energy are not too fond of that either.

A virus on the other hand that inserts itself for example into source code could very well live a long time.

cough Sky Captain and the World of Tomorrow cough

That's the kind of thinking suicide bombers have.

cough Arthur C Clarke's _3001_ cough

Or _Independence Day_.

Age of Ultron

This fills me with all sorts of romantic nostalgia.

Reminds me of danooct1's work on YouTube. He does videos of DOS (and Win9x) viruses.

What a great compilation! I would love to know what harmful effects they had though. It is quite a difference if the virus is erasing your HDD while it is slowly printing the nice message or not...

I used to collect these too! Thanks for posting!

I'll have to look to see if there are any familiar boot sector viruses - the kind that propagated via floppies. Those made the rounds at work.

I enjoyed disassembling them and seeing how they work. It was an education that kids miss out on today.

Come to think of it, back when I was teaching a Perl class one of my first assignments was to create a "virus" that found Perl scripts and copied itself into them. Good times.

This is awesome. But, I was really hoping for Stoned. It was the first virus I got.

If you're interested in this stuff, there's also an awesome archive at VX Heaven [1], which not only includes malware sources but also a lot of documentation, simulators etc.

[1] http://vxheaven.org/

An F-PROT v2 with its virus descriptions running in em-dosbox would be an appropriate addition to those viruses: http://patraulea.com/fprot/

Sweet days, when your OS was larger than your virus.

Relevant XKCD: https://xkcd.com/350/

Someone really should build this. I'd pay handsomely for an easy to setup linux version that i could just boot on a beefy machine and keep running as an installation like that.

Most antivirus/security firms have a similar kind of network where they analyze samples. It's detached from the internet to avoid spreading the infections, but they usually have mechanisms to emulate being online, etc.

This XKCD is a likening of the very established notion of a honeynet with an aquarium. If you want to set one up there are good open source tools available, but you will want to be quite careful to comprehend what you are doing. See https://en.wikipedia.org/wiki/Honeypot_%28computing%29
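One of the "mechanisms to emulate being online" mentioned two comments up, as an added example rather than anything from the thread or from a particular AV lab: a DNS sinkhole for an air-gapped analysis network. Every A query gets the same answer, so a sample's call-home resolves to a fake server inside the lab instead of failing, and the names it asks for are logged as indicators. The sinkhole address, the function names and the query in the test are all made up here; the wire format follows RFC 1035, with a 0xC00C compression pointer back to the question name in the answer.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumption: address of the lab's fake HTTP/SMTP/IRC box


def parse_qname(pkt, offset=12):
    """Walk the label sequence starting at `offset`; return (name, offset after it)."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in a query name is not expected")
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234, qtype=1):
    """Construct a standard recursive query (used here to exercise the sinkhole offline)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def sinkhole_response(query, answer_ip=SINKHOLE_IP, ttl=60):
    """Return (queried name, response packet). A queries get `answer_ip`; others NOERROR/empty."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    name, end = parse_qname(query)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    ancount = 1 if qtype == 1 else 0
    # Flags 0x8180: QR=1 (response), RD=1 copied, RA=1, RCODE=0 (NOERROR).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    if not ancount:
        return name, header + question
    # Answer RR: NAME=pointer to offset 12, TYPE=A, CLASS=IN, TTL, RDLENGTH=4, RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return name, header + question + answer


def serve(bind=("0.0.0.0", 53)):
    """UDP loop for the isolated network; every lookup is itself a useful indicator."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, addr = sock.recvfrom(512)
        try:
            name, resp = sinkhole_response(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed or unsupported; drop silently like a dead resolver would
        print(f"{addr[0]} asked for {name}")
        sock.sendto(resp, addr)


if __name__ == "__main__":
    serve()
```

Point the sandbox VMs' resolver at the host running this, and give the sinkhole address to a listener that accepts whatever the sample tries next; the DNS log alone is often enough to attribute a sample to a known family.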

It kind of depends on the systems (you can run a number of 640K DOS boxes in a simulator though :-) and virii of this period tended to make the boxes break so it wasn't really something that a flock would keep going.

Someone did try (I believe it was called wecanhasthetechnology or something), but it didn't last long.
