ic3qu33n

# My Super Sweet 16-Bit Malware *MS-DOS Edition* [project]

This project focuses on the application of techniques from MS-DOS malware to the generation/creation of novel work (the original focus of this research was using the techniques from reversed malware samples to create art). It covers fundamentals of MS-DOS architecture and COM programs, and explains the various infection/stealth/persistence techniques of some notable MS-DOS viruses, highlighting both the technical complexity of early malware and its flair for dazzling graphical displays. The project is ongoing and has expanded from its original art focus to a multifaceted malware analysis/RE project that includes extensions such as:

- how the investigation of an EOL OS can inform understanding about the foundations of a modern OS

- thoughts on inheriting vulnerabilities in a legacy code base, as well as what can be gleaned from studying the techniques of the malware masters of the ‘80s/‘90s

- tracing the evolution of techniques developed in MS-DOS malware to malware of today and potential related vectors for leveraging these techniques on a variety of systems (i.e. modern Windows — including UEFI firmware implants, embedded/IoT systems, etc.)

Once upon a time…

Every piece of malware tells a story. Sometimes those stories are interesting. Sometimes they’re boring and trite, overindulgent in their application of hackneyed programmatic idioms and syntactical monotony. Sometimes, even worse, they’re solipsistic.

In any case, malware tells a story because it chronicles the design choices made in executing manoeuvres around the structural obstacles of an operating system. There is a protagonist and an antagonist, a central conflict, a plot. Throw in some code obfuscation, and you’ve got a non-linear narrative (Christopher Nolan who?); add in polymorphism and it’s like trying to interpret Lost Highway (or any David Lynch film) in an art school film class — “the work is evocative of surrealism,” “No, but they were the same person the whole time,” or, as Roger Ebert put it in his 1997 review of the film, “Is the joke on us? Is it our error to try to make sense of the film, to try to figure out why protagonists change in midstream?”

In both cases, it’s a brilliant, sometimes beautiful, sometimes boring, convoluted hot mess and I can’t look away.

Of course, if every piece of malware tells a story, how can we understand those stories, not just discretely but as an interconnected history of malware and the authors?

More so, after we understand the content of those stories, how can we apply what we’ve learned — the techniques used, the tricks employed — to further progress?

Unfortunately, we’re all gluttons for the latest gossip, and focusing on the hot new thing is, well, a *symptom of the human condition*, or something. We want new news and we want it now.

And I get it, Veruca Salt, I really do. But over the last year, I’ve been learning the stories of vx of yesteryear and they’ve got wild tales to tell.

[Hi I don’t like the use of an extended simile as a rhetorical device, wtf are you talking about?]

TL;DR : This is a malware RE project focused on MS-DOS malware of the 1980s/1990s and that was the introduction. Consider yourself introduced. Welcome to the party, do you want a drink?

I began this project as an investigation into some questions that I had been trying to respond to in my artistic practice. It was initially an RE art project. A more detailed post about those questions and the project in the context of my art practice will be posted soon.

So why would anyone want to study malware of this era? What is the point of analyzing 16-bit malware for an EOL OS? Often when I’ve described this project to people, a frequent response has been “oh, the 80s… you mean, when malware was about drawing pretty pictures?”

And it is here — in this very remark, where we can begin our analysis.

Even now, the most sophisticated MS-DOS malware is as effective as it was in its heyday, because many of the more sophisticated samples employed, leveraged, I daresay exploited this very arrogance: the user who underestimates the brutality of a payload because it comes with a pretty picture.

Put another way — many pieces of MS-DOS malware made extensive use of visual trickery to show off the coding chops of the malware authors (because yeah, you try writing a fire animation without WIN32GDI in 16-bit x86 assembly with the right syntax on your MASM directives while remembering to save the right registers when you’re writing directly to the VGA buffer with BIOS interrupts or IOCTL function calls, and then we can talk). On its own, this technical mastery is worth celebrating.

However, the story does not end there. Because viruses of this era sometimes used visual trickery for a more sinister purpose. They used it to devastating ends and they did it in style. And it is these programs in particular that I am going to focus on, because we can see the echoes of this malware style and these techniques in modern malware.

After all, underestimating and undervaluing a threat are the precursors to marking it as a false negative. In the context of AV, a virus with a pretty payload may be dismissed as merely pretty. Who needs to be stealthy when you can just walk through the front door?

We’ll explore these techniques more in depth later on. For now, let’s dig in a bit more in answering the question of “why would I want to reverse MS-DOS malware?”

Beyond celebrating and appreciating this technical mastery, reversing these viruses and writing my own 16-bit vx demos has advanced my skills in several tangential areas of VR/VX. I will highlight a couple of those here:

- binary golf (multum in parvo — much in a little; these samples are compact and dense — COM programs by definition are smaller than 64 KB, and most are less than 1 KB. The vast majority of MS-DOS viruses were truly exemplary programs that demonstrate how to make use of a paucity of resources and create a masterpiece)

- assembly programming (the optimization choices taken by malware authors are complex and multivalent — they reveal deep intricacy woven into the choice of each instruction: operations optimized for clock cycles, and the tradeoffs made when the likelihood of a given BIOS interrupt hanging is higher than that of an equivalent IOCTL call); even reading the source for a lot of these viruses is like reading the work of a Pulitzer-winning writer: their innovative and precise craftsmanship can be challenging and inspiring.

- graphics programming — VGA modes
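As an added example (my own triage helper, not code from the author’s project or from any sample discussed here), this Python function applies the COM-size fact above from an analyst’s side: it distinguishes a headerless COM image from an MZ executable, enforces the size bound implied by loading at CS:0100h, and flags the classic appended-infector layout where the first instruction is a near JMP into the tail of the file. The sample images are constructed inline; the 0xFF00 bound and the “last quarter of the file” threshold are my assumptions.

```python
import struct

PSP_SIZE = 0x100                      # program segment prefix precedes the image
COM_MAX_SIZE = 0x10000 - PSP_SIZE     # 0xFF00: image loaded at CS:0100h in a 64 KB segment (assumption)
TAIL_FRACTION = 0.75                  # heuristic threshold, chosen for this example


def classify_dos_binary(data: bytes) -> dict:
    """Return a small triage record for a raw DOS executable image."""
    info = {"format": "unknown", "size": len(data), "notes": []}

    # MZ executables carry a header; COM files are raw code loaded at offset 0x100.
    if data[:2] == b"MZ":
        info["format"] = "MZ"
        return info

    if len(data) > COM_MAX_SIZE:
        info["notes"].append("too large for a COM image")
        return info

    info["format"] = "COM"

    # Appended-infector heuristic: original entry replaced by JMP rel16 (opcode E9)
    # whose target lies near the end of the file, where the added code was placed.
    if len(data) >= 3 and data[0] == 0xE9:
        rel = struct.unpack_from("<h", data, 1)[0]
        # JMP sits at IP 0x100 and is 3 bytes long, so the target IP is 0x103 + rel;
        # subtracting the 0x100 load offset gives a file offset of 3 + rel.
        target = 3 + rel
        info["entry_jump"] = target
        if 0 <= target < len(data) and target > len(data) * TAIL_FRACTION:
            info["notes"].append("entry JMP lands in the last quarter of the file (appended-code heuristic)")
        elif not 0 <= target < len(data):
            info["notes"].append("entry JMP target lies outside the file")
    return info


# Constructed sample images for demonstration (not real samples).
CLEAN_COM = b"\xb4\x4c\xcd\x21"                                   # mov ah,4Ch ; int 21h
JMP_TAIL_COM = b"\xe9" + struct.pack("<h", 20) + b"\x90" * 20 + CLEAN_COM
MZ_SAMPLE = b"MZ" + b"\x00" * 30
OVERSIZED = bytes(COM_MAX_SIZE + 1)

if __name__ == "__main__":
    for name, image in [("clean", CLEAN_COM), ("jmp_tail", JMP_TAIL_COM),
                        ("mz", MZ_SAMPLE), ("oversized", OVERSIZED)]:
        print(name, classify_dos_binary(image))
```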

The misconception that malware of this era was purely for visual effects is a common one. It is not unfounded: many viruses of this era were created to show off the technical and aesthetic panache of their writers (aka a 1337 flex). However, to discount these viruses as belonging to a category of “pretty but benign logic bombs” does a disservice, both to the virus writers themselves and to our own ability to learn from them in applying these techniques to both creative vx work and malware analysis of the present day.

However, I think that this misconception reinforces the efficacy of these viruses many years later.

Because there were some viruses that were not only aesthetically dazzling but brutally destructive. And their techniques for bringing about this destruction were not focused on being as quiet and undetectable as possible. Supreme tacticians, these viruses created a distracting spectacle in the foreground while, in the background, they carried out devastating manoeuvres. In this respect, I think magicians is a more accurate term for these malware authors. Not because these viruses are particularly evocative of the spectacle of a Houdini show, but rather because of their careful application of the techniques of misdirection.

It’s an interesting philosophical question, particularly from an historical perspective, in relation to both artists of the time (video artists and performance artists in particular): what do these technologies and their components present in terms of new methods of communication? How can these tools be used to say something unique and what about the tools facilitates this dialogue?

To quote one prominent vx-er of this era (and easily one of my favorites), Spanska: “Formatting a HD? Twenty lines of assembler, coded in one minute. Deleting a file? Five instructions. Written in one second. Easy things are not interesting for the coder. I prefer to spend weeks to code a beautiful VGA effect.”

There’s an interesting analogy I see in art and art history where art motifs repeat and resurface throughout history. The commercialization of an industry doesn’t heed these cycles either — just look at the fashion industry. There is a strong parallel in the commercialization of malware and the drastic shifts in the vx scene from the DOS era to the present. For anyone who has felt dismayed or disheartened by modern malware, or anyone in InfoSec who has gone through a period of searching for creative inspiration for their work in exploit dev/vx/etc. — anyone who has felt the particular cataclysmic thrill of looking at a piece of malware and thinking that it accomplished such a complex trick in a manner so slick, if not elegant, that it made you say “well goddamn.” — I say to you, let’s take a trip to the malware museum, let’s look at some fossils, let’s examine some bones.

Looking into the past can give you ideas for where to search for inspiration for exploits next, and which vectors are ignored now but were favorites in past eras.

These viruses were fascinating and beautiful to me when I first saw them, and they continue to evoke wonder, awe and inspiration. They continue to draw me in. I do think there is a rarity in that which deserves higher praise and certainly more analysis than they are commonly given (one symptom of this is that many modern tools for reverse engineering and malware analysis have little or no support for 16-bit executables. We’ll come back to this later).

I use the term rarity here because of the layers of mystery that encompass many of these viruses.

Often, when I’ve worked on an RE project in the past, the goal has typically been to understand something; once I’ve been able to successfully reverse a piece of hardware/firmware/software, the mystery fades and the allure of the project dims. Put simply, a successful reversing project has concluded with me saying, “okay, I’ve reversed this. I understand it. Siq. Next topic.” With these DOS-era viruses, that has not been the case. After I reversed the first few viruses I was working on, I had more questions than answers.

Some of these questions were: why include a beautiful payload in a piece of malware, which is (by definition, at least) meant to be destructive or malicious? Are these viruses destructive and, if so, how do they accomplish that? What is the intention of the virus writer? Or rather, the artist? What is the artist trying to say? What are we, as viewers, as audience members, as participants, meant to understand about this work? How are we meant to interact with it? Are we meant to interact with it as a piece of art? As malicious software? Neither? Both?

These questions, of course, will not be resolved here. I leave them as an exercise for the reader.

Like a chocolate fondant, these viruses are rich; like a well-aged sherry, they are infused with a complex palette, improved with age and meant to be savored.

With that, I extend this invitation to you, dear reader. I’m throwing a party for the ages and serving up a veritable smorgasbord of vintage exploits.

Send in your RSVP asap + can’t wait to c u there

xoxo

ic3qu33n