RetroMal: Analyzing malware on the earliest computing platforms presented at SAINTCON 2019

by Andrew Brandt,

Summary : The world of information security spends much of its time focused on looking forward, trying to tackle the bleeding edge of malicious code and obfuscation, which is as it should be. Lost in the rapid pace of technological adaptation in the malware arms race is a sense of history: the origins of malware and its earliest days. How did malware get its start, and what lessons can today's defenders learn about the origins of malicious code, back from the days when analysts first coined the term "virus" as a binary analogue to biological illness? To learn more about malware's origins, we obtained samples of some of the oldest extant malicious code and devised ways of putting that malware onto the retro storage media required by the computers that were the earliest malware victims. With the assistance of the Media Archaeology Lab, an educational museum of retro computing based at the University of Colorado at Boulder, the author executed those samples on real, physical retrocomputing devices like the Apple II, the Commodore 64, an IBM PC 5150, and early Apple Lisa and 68k Macintosh computers running Mac OS System 7. Running malware on ancient computer systems is no different from using modern virtual or physical testbeds for detonation: you need to do it safely, in a "detonation chamber" of sorts, so the author and other volunteers also had to devise methods of safely moving the infected code from device to device or storage medium to storage medium, without spreading the infection to hard drives or other floppy disks or cassette tapes, or potentially damaging irreplaceable software or hardware. Finally, we analysed these malware samples using both modern reverse engineering tools, and the rudimentary analysis utilities that would have been available in the era (roughly 40 years ago, on average) in which the computers used in the study were still contemporary devices, to see what we could learn about this ancient malicious code, and whether it bears any resemblance to modern malware. The author believes the malicious code of the present day bears a more-than-passing resemblance to the malware of prior eras. If studying dinosaur bones contributes to science's understanding of evolutionary processes and biology, the study of retromalware surely can contribute to our modern understanding of sophisticated threats, and may help plan countermeasures against future ones.