[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:17.86,Default,,0000,0000,0000,,{\i1}35C3 Intro music{\i0} Dialogue: 0,0:00:17.86,0:00:23.06,Default,,0000,0000,0000,,Herald Angel: OK. So this talk is called\N"A deep dive into the world of DOS Dialogue: 0,0:00:23.06,0:00:33.50,Default,,0000,0000,0000,,viruses" and if you happened to be at the\N8C3, that is 27 years ago, you would have Dialogue: 0,0:00:33.50,0:00:38.60,Default,,0000,0000,0000,,seen a very young and awkward, even more\Nawkward than I am of the moment, version Dialogue: 0,0:00:38.60,0:00:46.12,Default,,0000,0000,0000,,of myself, speaking on basically the same\Nsubject. The stage of course was a lot Dialogue: 0,0:00:46.12,0:00:50.49,Default,,0000,0000,0000,,smaller than this, this would have really\Nintimidated me back then, but I was Dialogue: 0,0:00:50.49,0:00:55.16,Default,,0000,0000,0000,,talking about a university project that we\Nhad run for about 3 years at that point, Dialogue: 0,0:00:55.16,0:01:05.50,Default,,0000,0000,0000,,and our possibilities were very limited.\NMeanwhile, 27 years later, our speaker, in Dialogue: 0,0:01:05.50,0:01:13.04,Default,,0000,0000,0000,,between fighting battleships over the\Npublic BGP network and trying to encode Dialogue: 0,0:01:13.04,0:01:18.69,Default,,0000,0000,0000,,data in dubstep music, was able to\Nactually do all of the stuff that we were Dialogue: 0,0:01:18.69,0:01:25.65,Default,,0000,0000,0000,,trying to do, with a lot of effort,\Nbasically, and I guess 4 hours of CPU time Dialogue: 0,0:01:25.65,0:01:32.61,Default,,0000,0000,0000,,or something like that. Please help me in\Nwelcoming Ben to our stage, to talk about Dialogue: 0,0:01:32.61,0:01:35.82,Default,,0000,0000,0000,,a bygone era.\N{\i1}Applause{\i0} Dialogue: 0,0:01:35.82,0:01:40.92,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:01:40.92,0:01:48.34,Default,,0000,0000,0000,,Ben: Thank you. 
Hi, I'm Ben Cartwright-\NCox, as the slide suggests. So I have an Dialogue: 0,0:01:48.34,0:01:53.10,Default,,0000,0000,0000,,admission to make: So this is a thing to\Nbe aware of. Dialogue: 0,0:01:53.10,0:01:56.97,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NBen: And you know, things also to be aware Dialogue: 0,0:01:56.97,0:02:07.11,Default,,0000,0000,0000,,of. Anyway. So what is DOS? To get\Nstraight into it. You can do it in a Dialogue: 0,0:02:07.11,0:02:10.95,Default,,0000,0000,0000,,bullet points way. You know, DOS is an\Nupgrade from CP/M, another very old legacy Dialogue: 0,0:02:10.95,0:02:14.82,Default,,0000,0000,0000,,system, but another thing to be aware of\Nis that DOS covers a wide range of Dialogue: 0,0:02:14.82,0:02:19.95,Default,,0000,0000,0000,,vendors. Might not just be like those old\NIBM PCs. Some of the DOSes had Dialogue: 0,0:02:19.95,0:02:23.95,Default,,0000,0000,0000,,compatibility with each other, meaning\Nthat some of the DOSes had shared malware Dialogue: 0,0:02:23.95,0:02:31.39,Default,,0000,0000,0000,,with each other. But to be honest, most\Npeople know DOS as these lovely old beige Dialogue: 0,0:02:31.39,0:02:37.71,Default,,0000,0000,0000,,boxes; the same era gave us our loved\NModel M keyboard. Hated by some, loved by Dialogue: 0,0:02:37.71,0:02:42.84,Default,,0000,0000,0000,,others, for the sound. But, you know, most\Npeople's knowledge of DOS came from Dialogue: 0,0:02:42.84,0:02:59.60,Default,,0000,0000,0000,,computers, a user interface that looked\Nlike this. Pretty basic. Okay so this is Dialogue: 0,0:02:59.60,0:03:04.34,Default,,0000,0000,0000,,Wordstar, some of you may not know that\NGame of Thrones was written on Wordstar. Dialogue: 0,0:03:04.34,0:03:09.28,Default,,0000,0000,0000,,George R. R. Martin is apparently not a\Nbig fan of modern word processing. he Dialogue: 0,0:03:09.28,0:03:16.34,Default,,0000,0000,0000,,admitted he had some issue with disliking\Nhow spell checking worked. 
So just uses, Dialogue: 0,0:03:16.34,0:03:18.70,Default,,0000,0000,0000,,and I also guess it's a good security\Nquality, you know, you can't get hacked, Dialogue: 0,0:03:18.70,0:03:24.68,Default,,0000,0000,0000,,if it literally has no Internet access.\NSo, also though, for a lot of people this Dialogue: 0,0:03:24.68,0:03:28.31,Default,,0000,0000,0000,,is also their first experience into\Nprogramming. For the some of the older Dialogue: 0,0:03:28.31,0:03:36.50,Default,,0000,0000,0000,,crowd. This is also the invention of\NQBasic, which, you know, gave a very basic Dialogue: 0,0:03:36.50,0:03:40.94,Default,,0000,0000,0000,,language to program creatively in DOS. For\Nsome people this was the gateway drug into Dialogue: 0,0:03:40.94,0:03:47.16,Default,,0000,0000,0000,,programming and perhaps the gateway drug\Ninto what they started as a career. For Dialogue: 0,0:03:47.16,0:03:52.80,Default,,0000,0000,0000,,other people the experience of DOS was not\Nso great. For example, you know, let's Dialogue: 0,0:03:52.80,0:03:57.64,Default,,0000,0000,0000,,just say you were doing some work in an\Ninfinite loop and at some point stuff like Dialogue: 0,0:03:57.64,0:04:04.00,Default,,0000,0000,0000,,this happens. Unfortunately I don't have\Nsound for this one, but you can just, in Dialogue: 0,0:04:04.00,0:04:09.20,Default,,0000,0000,0000,,your head, imagine like our PC speakers\Nplaying some small techno music, on like, Dialogue: 0,0:04:09.20,0:04:14.31,Default,,0000,0000,0000,,you know, but only one frequency at a\Ntime. This might get especially incredibly Dialogue: 0,0:04:14.31,0:04:18.59,Default,,0000,0000,0000,,embarrassing, if you are in an office\Nenvironment, just slowly beeping away. You Dialogue: 0,0:04:18.59,0:04:22.77,Default,,0000,0000,0000,,can't exit this. It has to finish fully and\Nif you touch the keyboard it reminds you Dialogue: 0,0:04:22.77,0:04:30.07,Default,,0000,0000,0000,,not to touch the keyboard, and continues\Nplaying this music. 
So, you know, this would be Dialogue: 0,0:04:30.07,0:04:34.32,Default,,0000,0000,0000,,fun, but this wouldn't be fun, especially\Nin an office environment. But, you know, Dialogue: 0,0:04:34.32,0:04:40.34,Default,,0000,0000,0000,,ultimately it's not malicious. And that\Ntrend continues. This is another good Dialogue: 0,0:04:40.34,0:04:45.24,Default,,0000,0000,0000,,example of a DOS virus. This is ambulance,\Nfor when you run it, an ambulance just Dialogue: 0,0:04:45.24,0:04:50.59,Default,,0000,0000,0000,,drives past and then your normal program\Njust continues running. I think this is Dialogue: 0,0:04:50.59,0:04:56.73,Default,,0000,0000,0000,,amazing, it's an interesting era of\Nviruses. It was all, the history of it was Dialogue: 0,0:04:56.73,0:05:01.27,Default,,0000,0000,0000,,collected very well by a website called VX\Nheavens, which sort of still lives, but Dialogue: 0,0:05:01.27,0:05:06.63,Default,,0000,0000,0000,,unfortunately, at one point was raided by\Nthe Ukrainian police, for what is the Dialogue: 0,0:05:06.63,0:05:11.47,Default,,0000,0000,0000,,fantastic wording they used. Basically,\Nsomeone told them they were distributing Dialogue: 0,0:05:11.47,0:05:16.77,Default,,0000,0000,0000,,Malware. Unfortunately not malware that\Noperates in this century. But I guess Dialogue: 0,0:05:16.77,0:05:21.71,Default,,0000,0000,0000,,that's good enough for a raid. But luckily\Nfor the archivists there are archivists of Dialogue: 0,0:05:21.71,0:05:28.81,Default,,0000,0000,0000,,archivists, and so we have a saved capture\Nof VX heavens. This is actually an old Dialogue: 0,0:05:28.81,0:05:32.77,Default,,0000,0000,0000,,snapshot, there are way more modern\Nsnapshots, but thankfully the MS DOS virus Dialogue: 0,0:05:32.77,0:05:38.19,Default,,0000,0000,0000,,era doesn't move very quickly. So, but the\Ninteresting thing here is, like, there's Dialogue: 0,0:05:38.19,0:05:44.35,Default,,0000,0000,0000,,66000 items in this tarball and it's 6.6\Ngigabytes of code. 
And these viruses are Dialogue: 0,0:05:44.35,0:05:48.58,Default,,0000,0000,0000,,like super dense. There's not much to\Nthem, like they are just blobs of machine Dialogue: 0,0:05:48.58,0:05:51.52,Default,,0000,0000,0000,,code. They are not like your electron app\Nthese days that ships an entire Chrome Dialogue: 0,0:05:51.52,0:05:57.22,Default,,0000,0000,0000,,browser, and normally an out of date\NChrome browser, you know, this is just Dialogue: 0,0:05:57.22,0:06:00.43,Default,,0000,0000,0000,,basic, like, you know, how to draw an\Nambulance and, you know, some infection Dialogue: 0,0:06:00.43,0:06:06.63,Default,,0000,0000,0000,,routines. The normal distribution also\Nchanges with it as well. For example, the Dialogue: 0,0:06:06.63,0:06:11.06,Default,,0000,0000,0000,,normal lifecycle of an MS DOS virus is,\Nyou know, you download, or for some other Dialogue: 0,0:06:11.06,0:06:17.56,Default,,0000,0000,0000,,reason run an infected program that\Npresumably does nothing; to you it looks Dialogue: 0,0:06:17.56,0:06:22.13,Default,,0000,0000,0000,,like it does nothing, so, you know,\Nremains roughly undetected. Then you go Dialogue: 0,0:06:22.13,0:06:27.83,Default,,0000,0000,0000,,and run more files, the DOS virus infects\Nmore files and at some point you're Dialogue: 0,0:06:27.83,0:06:31.07,Default,,0000,0000,0000,,probably going to give one of those\Nexcutables to some other computer, or some Dialogue: 0,0:06:31.07,0:06:35.41,Default,,0000,0000,0000,,other person, whether it was by giving\Nsomeone or copying a floppy disk of some Dialogue: 0,0:06:35.41,0:06:38.88,Default,,0000,0000,0000,,software, maybe some expensive software,\Nso they didn't have to pay for it, or Dialogue: 0,0:06:38.88,0:06:44.90,Default,,0000,0000,0000,,uploading it to a BBS, where it could be\Ndownloaded by many people. 
So the Dialogue: 0,0:06:44.90,0:06:49.69,Default,,0000,0000,0000,,distribution mechanism is a far cry from\Nthe eternal blues of this era, where, you Dialogue: 0,0:06:49.69,0:06:54.45,Default,,0000,0000,0000,,know, we can have a strain of malware\Nspread across the world very brutally, Dialogue: 0,0:06:54.45,0:07:01.71,Default,,0000,0000,0000,,very quickly. So most DOS viruses are\Npretty simple: They start, they say "have Dialogue: 0,0:07:01.71,0:07:06.84,Default,,0000,0000,0000,,my payload conditions been met?" If not,\Nthen they'll go on display, if they are Dialogue: 0,0:07:06.84,0:07:11.80,Default,,0000,0000,0000,,met they'll go and display the payload.\NAnd the payloads are definitely more, Dialogue: 0,0:07:11.80,0:07:16.95,Default,,0000,0000,0000,,I don't know, nice. You know, you have stuff\Nlike this, which is pretty and it uses VGA Dialogue: 0,0:07:16.95,0:07:20.58,Default,,0000,0000,0000,,colors and all sorts of pretty nice stuff.\NYou get also some very demoscene vibes Dialogue: 0,0:07:20.58,0:07:26.27,Default,,0000,0000,0000,,from this. Another good example is this\Nlike VGA, like super trippy thing, which Dialogue: 0,0:07:26.27,0:07:29.91,Default,,0000,0000,0000,,is really impressive, 'cause this is\Nreally small. This is less than 1 kilobyte Dialogue: 0,0:07:29.91,0:07:34.87,Default,,0000,0000,0000,,of code. It's in fact way less than 1\Nkilobyte, it's like 64k. 
Or you just get Dialogue: 0,0:07:34.87,0:07:38.59,Default,,0000,0000,0000,,like interesting screen effects as well.\NFor example, it's quick, but like, you can Dialogue: 0,0:07:38.59,0:07:43.58,Default,,0000,0000,0000,,just watch the entire computer just\Ndissolve away, which also might be quite Dialogue: 0,0:07:43.58,0:07:47.93,Default,,0000,0000,0000,,worrying, if you weren't expecting that.\NAlternatively, if the payload conditions Dialogue: 0,0:07:47.93,0:07:52.86,Default,,0000,0000,0000,,are not met, then, you know, you hook\Nsyscalls and you, or alternatively, if you Dialogue: 0,0:07:52.86,0:07:56.87,Default,,0000,0000,0000,,want to be way more aggressive, as a\Nmalware offer, you scan for files on the Dialogue: 0,0:07:56.87,0:08:02.65,Default,,0000,0000,0000,,system to infect proactively. And the way\Nyou infect DOS programs is pretty simple: Dialogue: 0,0:08:02.65,0:08:07.22,Default,,0000,0000,0000,,Imagining you have like one giant tape of\Nall the code you have for the target Dialogue: 0,0:08:07.22,0:08:11.50,Default,,0000,0000,0000,,program. Most of them work like this: They\Nreplace the first 3 bytes of the program Dialogue: 0,0:08:11.50,0:08:16.91,Default,,0000,0000,0000,,with a x86 jump. They append their malware\Nonto the end of the executable, and so the Dialogue: 0,0:08:16.91,0:08:19.78,Default,,0000,0000,0000,,first thing that you do, when you run the\Nexecutable, is it jumps to the end of the Dialogue: 0,0:08:19.78,0:08:25.49,Default,,0000,0000,0000,,file, effectively, runs the malware chunk,\Nand then it optionally will return control Dialogue: 0,0:08:25.49,0:08:33.80,Default,,0000,0000,0000,,back to the original program. But there's\Nalso the thing about hooking syscalls, right? 
Dialogue: 0,0:08:33.80,0:08:39.22,Default,,0000,0000,0000,,So, you know, MS-DOS is an\Noperating system, it does have syscalls, Dialogue: 0,0:08:39.22,0:08:43.78,Default,,0000,0000,0000,,programs can reach out to MS-DOS, to do\Nthings like file access and stuff, so as Dialogue: 0,0:08:43.78,0:08:48.99,Default,,0000,0000,0000,,you expect, you run a software interrupt\Nto get there. Thankfully though, MS-DOS Dialogue: 0,0:08:48.99,0:08:55.83,Default,,0000,0000,0000,,does also allow you to extend MS-DOS by\Nadding handlers itself, or even Dialogue: 0,0:08:55.83,0:08:59.03,Default,,0000,0000,0000,,overwriting existing handlers, which is\Nvery convenient, if you are trying to Dialogue: 0,0:08:59.03,0:09:02.16,Default,,0000,0000,0000,,write drivers, but it's also incredibly\Nconvenient, if you're trying to write Dialogue: 0,0:09:02.16,0:09:09.41,Default,,0000,0000,0000,,malware. For some of the examples of the\Nsyscalls, most of them relevant towards Dialogue: 0,0:09:09.41,0:09:15.53,Default,,0000,0000,0000,,DOS virus making. Here's a decent example\Nof the things that DOS will provide you. A lot Dialogue: 0,0:09:15.53,0:09:21.18,Default,,0000,0000,0000,,of them are just very useful in general\Nfor producing functional executables the Dialogue: 0,0:09:21.18,0:09:25.66,Default,,0000,0000,0000,,end users want to use. This is what an\Naverage program looks like. This is almost Dialogue: 0,0:09:25.66,0:09:29.27,Default,,0000,0000,0000,,the shortest hello world you can make,\Nminus the actual hello world string. In Dialogue: 0,0:09:29.27,0:09:34.87,Default,,0000,0000,0000,,fact, the hello world string might be the\Nlargest part of this binary. It's a pretty Dialogue: 0,0:09:34.87,0:09:40.48,Default,,0000,0000,0000,,simple binary. Here we we're moving a\Npointer to the message we just set. 
We Dialogue: 0,0:09:40.48,0:09:50.41,Default,,0000,0000,0000,,then set the AH register to 9, or hex 9.\NThat's the syscall for printing a string, Dialogue: 0,0:09:50.41,0:09:58.30,Default,,0000,0000,0000,,and then we run a software interrupt, 21h,\Nwhich is short for 21 hex, and we continue on. Dialogue: 0,0:09:58.30,0:10:06.59,Default,,0000,0000,0000,,We then set AH again, to 4C, which is\Nexit with a return code, and the program Dialogue: 0,0:10:06.59,0:10:12.44,Default,,0000,0000,0000,,will return. So, in the meantime, this is\Nroughly the loop that just happened. Dialogue: 0,0:10:12.44,0:10:18.47,Default,,0000,0000,0000,,You have your program code, that calls an\Ninterrupt and that gets passed over to the Dialogue: 0,0:10:18.47,0:10:22.19,Default,,0000,0000,0000,,interrupt handler. In the process of doing\Nthis, the CPU has quickly looked at the Dialogue: 0,0:10:22.19,0:10:28.43,Default,,0000,0000,0000,,first 100 bytes of memory in the interrupt\Nvector table, IVT, as it's abbreviated, Dialogue: 0,0:10:28.43,0:10:32.30,Default,,0000,0000,0000,,and then it's effectively a router. If\Nanyone has written like a small piece of Dialogue: 0,0:10:32.30,0:10:36.15,Default,,0000,0000,0000,,code to route HTTP requests, or anything,\Nit's basically like that, but in the 80s, Dialogue: 0,0:10:36.15,0:10:41.03,Default,,0000,0000,0000,,with syscalls. So it's just basically\Nsaying "Compare this, compare that, jump Dialogue: 0,0:10:41.03,0:10:46.24,Default,,0000,0000,0000,,there, jump there." Then the thing gets\Npassed to the call handler, it goes and Dialogue: 0,0:10:46.24,0:10:49.74,Default,,0000,0000,0000,,does the syscall, the thing that was\Nrequired. Normally it will leave some Dialogue: 0,0:10:49.74,0:10:55.13,Default,,0000,0000,0000,,registers behind, a state, or results of\Nactions it has performed, and it returns Dialogue: 0,0:10:55.13,0:10:59.52,Default,,0000,0000,0000,,control back to the program. 
So,\Ntheoretically speaking, if we wanted to go Dialogue: 0,0:10:59.52,0:11:04.20,Default,,0000,0000,0000,,and look at what a program actually does\Nwe need to set a break point here, because Dialogue: 0,0:11:04.20,0:11:11.03,Default,,0000,0000,0000,,this is the only place that we can be sure\Nthe location exists, because this is way Dialogue: 0,0:11:11.03,0:11:15.76,Default,,0000,0000,0000,,before the era of ASLR, address space\Nrandomisation, and this is way, way before Dialogue: 0,0:11:15.76,0:11:19.82,Default,,0000,0000,0000,,the era of kernel space randomisation, in\Nfact, MS DOS has almost no memory Dialogue: 0,0:11:19.82,0:11:24.61,Default,,0000,0000,0000,,protection whatsoever. Once you run a\Nprogram you are basically putting the full Dialogue: 0,0:11:24.61,0:11:29.43,Default,,0000,0000,0000,,control of the system to that program,\Nwhich means you can happily also boot Dialogue: 0,0:11:29.43,0:11:33.87,Default,,0000,0000,0000,,things like Linux directly from a COM\Nfile, which is handy if you want to Dialogue: 0,0:11:33.87,0:11:43.86,Default,,0000,0000,0000,,upgrade. So, if we look at certain files\Nwe can go and see what they do. So in this Dialogue: 0,0:11:43.86,0:11:50.11,Default,,0000,0000,0000,,case, here is one example. This is a goat\Nfile. A goat file is like a sacrificial Dialogue: 0,0:11:50.11,0:11:54.70,Default,,0000,0000,0000,,goat. It is a file that is purely designed\Nto be infected. So what you do is you Dialogue: 0,0:11:54.70,0:11:59.79,Default,,0000,0000,0000,,bring a virus into into memory in the\Nsystem and then you run a goat file, in Dialogue: 0,0:11:59.79,0:12:03.88,Default,,0000,0000,0000,,the vague hope that the virus will infect\Nit, and then you have a nice clean sample Dialogue: 0,0:12:03.88,0:12:08.45,Default,,0000,0000,0000,,of just that virus and not another program\Ninside the virus, which makes it way Dialogue: 0,0:12:08.45,0:12:12.08,Default,,0000,0000,0000,,easier to test and reverse engineer. 
So,\Nwe can see things are happening here. For Dialogue: 0,0:12:12.08,0:12:16.60,Default,,0000,0000,0000,,example, we can see it opening a file,\Nmoving like where it's looking into the Dialogue: 0,0:12:16.60,0:12:19.77,Default,,0000,0000,0000,,file, reading some data from the file,\Njust 2 bytes, though, and it closes a Dialogue: 0,0:12:19.77,0:12:23.84,Default,,0000,0000,0000,,file. We see the same sort of thing repeat\Nitself, except at one point it reads a Dialogue: 0,0:12:23.84,0:12:27.53,Default,,0000,0000,0000,,large amount of data, moves the file\Npointer, writes another large amount of Dialogue: 0,0:12:27.53,0:12:32.77,Default,,0000,0000,0000,,data, does some more stuff, and yeah, we\Npass some filenames, we display a string, Dialogue: 0,0:12:32.77,0:12:39.23,Default,,0000,0000,0000,,which is almost definitely the goat file\Nmessage and yeah, we pretty much exit Dialogue: 0,0:12:39.23,0:12:42.86,Default,,0000,0000,0000,,after that. So, there were a few syscalls\Nhere that we would really like to know Dialogue: 0,0:12:42.86,0:12:48.79,Default,,0000,0000,0000,,more about. So, for that, it's the open\Nfiles, we'd really like to know what files Dialogue: 0,0:12:48.79,0:12:52.87,Default,,0000,0000,0000,,were being opened. We would also want to\Nknow what, we'd like to know, what data Dialogue: 0,0:12:52.87,0:12:55.95,Default,,0000,0000,0000,,was being written to the file, rather than\Nhaving to fish it out of the virtual Dialogue: 0,0:12:55.95,0:13:00.55,Default,,0000,0000,0000,,machine later, and we'd also, just out of\Ncuriosity, really want to know what Dialogue: 0,0:13:00.55,0:13:05.42,Default,,0000,0000,0000,,filenames it was asking MS-DOS to parse.\NDisplay string is also a nice test to Dialogue: 0,0:13:05.42,0:13:08.52,Default,,0000,0000,0000,,know, whether your code is working. 
So to\Ndo this you're gonna have to look a little Dialogue: 0,0:13:08.52,0:13:14.53,Default,,0000,0000,0000,,bit deeper into how the MS-DOS runtime\Nand, by proxy, how x86 in 16-bit mode Dialogue: 0,0:13:14.53,0:13:20.25,Default,,0000,0000,0000,,works, or legacy mode, I guess. This is\Nbasically all the registers you have in Dialogue: 0,0:13:20.25,0:13:26.12,Default,,0000,0000,0000,,16-bit mode, and some nice computations at\Nthe bottom, to make it easier to read. Dialogue: 0,0:13:26.12,0:13:33.55,Default,,0000,0000,0000,,So, as we mentioned, AH is the one that you\Nuse to specify, which syscall you want, Dialogue: 0,0:13:33.55,0:13:40.34,Default,,0000,0000,0000,,and you'll notice it's not there. AH is\Nactually the upper half of AX. AH is a Dialogue: 0,0:13:40.34,0:13:46.32,Default,,0000,0000,0000,,8-bit register, because sometimes people\Nreally just wanted only 8 bits. It's very Dialogue: 0,0:13:46.32,0:13:53.58,Default,,0000,0000,0000,,obscure that we were saving that much\Nspace. And so, this is what a, this is the Dialogue: 0,0:13:53.58,0:13:57.66,Default,,0000,0000,0000,,definition of the syscall of a print\Nstring. So you have AH needs to be set to Dialogue: 0,0:13:57.66,0:14:02.84,Default,,0000,0000,0000,,9, this is once you, in order to call the\Nsyscall for printing string, you set AH to Dialogue: 0,0:14:02.84,0:14:09.07,Default,,0000,0000,0000,,9, and then you need to set DS and DX to a\Npointer to a string that ends in a dollar. Dialogue: 0,0:14:09.07,0:14:11.89,Default,,0000,0000,0000,,And that doesn't make a lot of sense, or\Nit didn't make a lot of sense to me, when Dialogue: 0,0:14:11.89,0:14:15.58,Default,,0000,0000,0000,,I first read that and so, to do this,\Nwe need to learn a little bit more about Dialogue: 0,0:14:15.58,0:14:19.73,Default,,0000,0000,0000,,how memory works, on these old CPUs, or\Nthe CPUs that are probably in your Dialogue: 0,0:14:19.73,0:14:25.72,Default,,0000,0000,0000,,laptops, but running in an older mode. 
So\Nthis is effectively what it looks like. Dialogue: 0,0:14:25.72,0:14:31.84,Default,,0000,0000,0000,,They have a 16-bit CPU, 2 to the 16 is 64\Nkilobytes, and we have a 20-bit memory Dialogue: 0,0:14:31.84,0:14:36.35,Default,,0000,0000,0000,,addressing space. 2 to 20 is 1 megabyte,\Nso if you ever see an MS-DOS machine like Dialogue: 0,0:14:36.35,0:14:39.52,Default,,0000,0000,0000,,limiting at 1 megabyte, or some old\Noperating system, saying like the maximum Dialogue: 0,0:14:39.52,0:14:43.98,Default,,0000,0000,0000,,memory you can have is 1 megabyte, it's\Nbecause it's running in 16 bit mode. And Dialogue: 0,0:14:43.98,0:14:50.25,Default,,0000,0000,0000,,the maximum it can physically see is 20\Nbits. So the question is: How do we Dialogue: 0,0:14:50.25,0:14:58.58,Default,,0000,0000,0000,,address anything above 64K? If the CPU can\Nonly fundamentally see 16 bits. So, this Dialogue: 0,0:14:58.58,0:15:02.40,Default,,0000,0000,0000,,is where segment registers come in. We\Nhave 4 segment registers, actually we Dialogue: 0,0:15:02.40,0:15:05.90,Default,,0000,0000,0000,,might have more, but they're the ones who\Nneed to care about. There's the code Dialogue: 0,0:15:05.90,0:15:10.82,Default,,0000,0000,0000,,segment, the data segment, the stack\Nsegment and the extra segment, in case you Dialogue: 0,0:15:10.82,0:15:15.42,Default,,0000,0000,0000,,need just another one. So anyway, with\Nthat in mind, let's have a quick crash Dialogue: 0,0:15:15.42,0:15:21.42,Default,,0000,0000,0000,,course on segment registers. So, imagine\Nif you have a very long piece of memory, Dialogue: 0,0:15:21.42,0:15:30.43,Default,,0000,0000,0000,,and we can only see 16 bits at a time. So,\Nhowever, we can move the sliding window Dialogue: 0,0:15:30.43,0:15:36.18,Default,,0000,0000,0000,,around in the memory, to go and see, like,\Nto move our view of where it is. 
So, we Dialogue: 0,0:15:36.18,0:15:42.41,Default,,0000,0000,0000,,can do this and put data around the\Nsystem, and we can use the final pointer Dialogue: 0,0:15:42.41,0:15:48.59,Default,,0000,0000,0000,,to specify, how far in to the memory\Nsegment we should go. So the DS and DX Dialogue: 0,0:15:48.59,0:15:55.36,Default,,0000,0000,0000,,really just means a multiplier. So, where\Nthe data segment is 100, you need to just Dialogue: 0,0:15:55.36,0:16:01.35,Default,,0000,0000,0000,,move 100 times 16 to get to the correct\Nplace in memory, and then DX is the Dialogue: 0,0:16:01.35,0:16:09.17,Default,,0000,0000,0000,,offset. This continues on, so, where we\Nhave a 16 bit cpu, we have a bunch of Dialogue: 0,0:16:09.17,0:16:13.22,Default,,0000,0000,0000,,general use registers or general purpose\Nregisters. They're quite useful for Dialogue: 0,0:16:13.22,0:16:17.38,Default,,0000,0000,0000,,ensuring, you don't need to touch RAM too\Noften. x86 actually has a fairly small Dialogue: 0,0:16:17.38,0:16:25.24,Default,,0000,0000,0000,,amount of general purpose registers. Some\Narchitectures have way more. I think more Dialogue: 0,0:16:25.24,0:16:32.14,Default,,0000,0000,0000,,modern chips like GPUs have hundreds, well\Nhundreds, maybe thousands. However, this Dialogue: 0,0:16:32.14,0:16:34.70,Default,,0000,0000,0000,,doesn't really change over time in x86\Nbecause we have to force backwards Dialogue: 0,0:16:34.70,0:16:38.14,Default,,0000,0000,0000,,compatibility. So, really what actually\Nends up happening, when we move up the Dialogue: 0,0:16:38.14,0:16:42.71,Default,,0000,0000,0000,,bittage, is that the same registers just\Nget wider, and we add some more ones for Dialogue: 0,0:16:42.71,0:16:45.50,Default,,0000,0000,0000,,the programmers, that want them, and the\Nexact same thing happened to 64 bit: The Dialogue: 0,0:16:45.50,0:16:52.97,Default,,0000,0000,0000,,registers just got wider. 
So thinking\Nabout it, we have a lot of malware now, Dialogue: 0,0:16:52.97,0:16:58.32,Default,,0000,0000,0000,,what if we want to know everything that's\Nhappened in this entire archive. So we Dialogue: 0,0:16:58.32,0:17:01.42,Default,,0000,0000,0000,,kind of want to trace all of these\Nautomatically, but we might not know what Dialogue: 0,0:17:01.42,0:17:04.48,Default,,0000,0000,0000,,we're looking for, so let's go through the\Nchecklist of what we need to do, to trace Dialogue: 0,0:17:04.48,0:17:09.34,Default,,0000,0000,0000,,all of this malware. We need to break\Npoint on the syscall handler. When we get Dialogue: 0,0:17:09.34,0:17:13.26,Default,,0000,0000,0000,,that breakpoint, we need to save all the\Nregisters, so we know which syscall was Dialogue: 0,0:17:13.26,0:17:19.88,Default,,0000,0000,0000,,run and potentially what data is being\Ngiven to the syscall. Ideally, we're going Dialogue: 0,0:17:19.88,0:17:25.13,Default,,0000,0000,0000,,to save one hundred bytes from that data\Npointer, not especially because we need Dialogue: 0,0:17:25.13,0:17:28.15,Default,,0000,0000,0000,,it, but it's quite handy in a lot of\Nregisters in a lot of syscalls. It's for Dialogue: 0,0:17:28.15,0:17:34.43,Default,,0000,0000,0000,,example what you use to get the open file\Npath, when you're opening files. We should Dialogue: 0,0:17:34.43,0:17:37.65,Default,,0000,0000,0000,,also, probably, record the screen for\Nquick analysis, rather than just staring Dialogue: 0,0:17:37.65,0:17:43.87,Default,,0000,0000,0000,,at HTML tables, and so we can do that, we\Nburn a lot of CPU time and probably cause Dialogue: 0,0:17:43.87,0:17:51.12,Default,,0000,0000,0000,,some minor amounts of environmental\Ndamage. And we get nothing. We just run a Dialogue: 0,0:17:51.12,0:17:55.08,Default,,0000,0000,0000,,bunch of stuff and most of them don't\Nreturn anything. At best they return a Dialogue: 0,0:17:55.08,0:18:02.77,Default,,0000,0000,0000,,goat file string. 
They just do nothing.\NSo, if we look deeper into the reason why, Dialogue: 0,0:18:02.77,0:18:05.49,Default,,0000,0000,0000,,it's sort of a smoking gun here, so we can\Nsee the syscalls that run on this file Dialogue: 0,0:18:05.49,0:18:09.84,Default,,0000,0000,0000,,that does nothing, and the smoking gun\Nhere is the date. So it's asking for the Dialogue: 0,0:18:09.84,0:18:15.19,Default,,0000,0000,0000,,date from the system, and this sort of\Nflags out the first issue, is that a lot Dialogue: 0,0:18:15.19,0:18:18.75,Default,,0000,0000,0000,,of MS-DOS viruses don't really have a lot\Nto go on, because they have no internet Dialogue: 0,0:18:18.75,0:18:24.18,Default,,0000,0000,0000,,connection, and there's not really any\Nother state they can decide to activate on. Dialogue: 0,0:18:24.18,0:18:28.60,Default,,0000,0000,0000,,So the date syscall is pretty simple.\NThe get date and get time just return all Dialogue: 0,0:18:28.60,0:18:34.36,Default,,0000,0000,0000,,of their values as registers. And, you\Nknow, some using the 8-bit halves, to save Dialogue: 0,0:18:34.36,0:18:44.97,Default,,0000,0000,0000,,space. So, a naive way of doing this, is\Nwhat we do, is we would run the sample, Dialogue: 0,0:18:44.97,0:18:50.03,Default,,0000,0000,0000,,we'd wait for the syscall for date or\Ntime, we would just fiddle the values, Dialogue: 0,0:18:50.03,0:18:53.24,Default,,0000,0000,0000,,'cause in this case we're using a debugger,\Nso we can automatically change, what the Dialogue: 0,0:18:53.24,0:18:56.76,Default,,0000,0000,0000,,state registers are, and we can then\Nobserve to see, if any of the syscalls Dialogue: 0,0:18:56.76,0:18:59.58,Default,,0000,0000,0000,,that the program ran changed, which is a\Npretty good indication that you've hit Dialogue: 0,0:18:59.58,0:19:04.33,Default,,0000,0000,0000,,some behavior that is different. And then,\Nyou know, we can say "Hooray, we found a Dialogue: 0,0:19:04.33,0:19:08.33,Default,,0000,0000,0000,,new test case!" 
The downside is: running\Nevery one of these samples takes 15 Dialogue: 0,0:19:08.33,0:19:13.94,Default,,0000,0000,0000,,seconds of CPU-time because MS-DOS, well,\N15 seconds of wall-time, which, Dialogue: 0,0:19:13.94,0:19:18.08,Default,,0000,0000,0000,,when you are emulating MS-DOS is 15\Nseconds of CPU-time because of the fact Dialogue: 0,0:19:18.08,0:19:20.61,Default,,0000,0000,0000,,that MS-DOS doesn't have power saving\Nmode, so when it's not doing anything, it Dialogue: 0,0:19:20.61,0:19:27.12,Default,,0000,0000,0000,,just goes into a busy loop which makes it\Nvery hard to optimize. Or we could take a Dialogue: 0,0:19:27.12,0:19:33.35,Default,,0000,0000,0000,,cleverer look. So when we think about it,\Nwe are in the interrupt handler where all Dialogue: 0,0:19:33.35,0:19:36.83,Default,,0000,0000,0000,,we ever see is the insides of the\Ninterrupt handler because we don't know Dialogue: 0,0:19:36.83,0:19:40.99,Default,,0000,0000,0000,,where the program code is. The interrupt\Nhandler is the only place that we know is Dialogue: 0,0:19:40.99,0:19:45.45,Default,,0000,0000,0000,,consistent because MS-DOS could\Npotentially load the code for the malware Dialogue: 0,0:19:45.45,0:19:50.61,Default,,0000,0000,0000,,or the program anywhere. But we want to\Nknow where the code is. It would be really Dialogue: 0,0:19:50.61,0:19:54.25,Default,,0000,0000,0000,,handy to know what the code is that we'd\Nbe about to run. So for this we need to Dialogue: 0,0:19:54.25,0:19:59.19,Default,,0000,0000,0000,,look towards the stack. Just like the DSN\NDX registers the stacks are located on a Dialogue: 0,0:19:59.19,0:20:02.97,Default,,0000,0000,0000,,stack segment, on a stack pointer.\NLuckily, the first two values is the Dialogue: 0,0:20:02.97,0:20:07.13,Default,,0000,0000,0000,,interrupt, the interrupt pointer in the\Nstack segment so we can use that to grab Dialogue: 0,0:20:07.13,0:20:10.78,Default,,0000,0000,0000,,exactly where, what the code will be run\Nafterwards. 
So we just need to add a few Dialogue: 0,0:20:10.78,0:20:14.44,Default,,0000,0000,0000,,things to our checklist. We need to grab 4\Nbytes from the stack pointer and then Dialogue: 0,0:20:14.44,0:20:18.37,Default,,0000,0000,0000,,using that, we can calculate the\Ndestination that the syscall will return Dialogue: 0,0:20:18.37,0:20:22.55,Default,,0000,0000,0000,,to. And if we look at some of them - we\Ncan look at an example here - well, this Dialogue: 0,0:20:22.55,0:20:27.24,Default,,0000,0000,0000,,is what a piece of what one of the calls\Nreturns to us. So we see we running a compare Dialogue: 0,0:20:27.24,0:20:36.64,Default,,0000,0000,0000,,on DL against the HEX of 0x1E. And then\Nif that comparison is equal it will Dialogue: 0,0:20:36.64,0:20:43.17,Default,,0000,0000,0000,,jump to 1 memory address. And if not it\Nwill jump to another. So if we look back Dialogue: 0,0:20:43.17,0:20:52.56,Default,,0000,0000,0000,,at the definition of those syscalls we can\Nsee that DL is the day. So with this we Dialogue: 0,0:20:52.56,0:21:01.15,Default,,0000,0000,0000,,can conclude that D if 0x1e is 30 and DL\Nis the day this malware effectively is Dialogue: 0,0:21:01.15,0:21:07.12,Default,,0000,0000,0000,,saying if the day of month is 30 we need\Nto go down a different path. If we run Dialogue: 0,0:21:07.12,0:21:11.95,Default,,0000,0000,0000,,these all over time across the whole\Ndataset what we see is roughly this as a Dialogue: 0,0:21:11.95,0:21:21.74,Default,,0000,0000,0000,,polydome bar chart. We see out of the 17.500\Nsamples we have around 4.700 of them Dialogue: 0,0:21:21.74,0:21:24.33,Default,,0000,0000,0000,,checked for the date and time and these\Nare the ones that are really tricky Dialogue: 0,0:21:24.33,0:21:27.59,Default,,0000,0000,0000,,because they're really hard to activate.\NThey're also the most interesting though, because Dialogue: 0,0:21:27.59,0:21:33.90,Default,,0000,0000,0000,,those are the ones trying to hide. 
So, with\Nthat in mind, we need to, we have the code Dialogue: 0,0:21:33.90,0:21:38.10,Default,,0000,0000,0000,,segment that we're about to run, when we\Nreturn and we can't really brute force Dialogue: 0,0:21:38.10,0:21:43.73,Default,,0000,0000,0000,,because it takes a little CPU-time and we\Ncan't brute force it inside a 'real' or Dialogue: 0,0:21:43.73,0:21:47.42,Default,,0000,0000,0000,,emulated machine but we can brute force it\Nin a significantly more interesting way. Dialogue: 0,0:21:47.42,0:21:53.96,Default,,0000,0000,0000,,We need to build something: we need to\Nbuild the world's worst x86 emulator so Dialogue: 0,0:21:53.96,0:22:02.02,Default,,0000,0000,0000,,dubbed BenX86, it's 16-bit only. Any\Nattempt to access memory effectively ends Dialogue: 0,0:22:02.02,0:22:06.03,Default,,0000,0000,0000,,the simulation. It's got a fake stack if\Nyou try and push something onto the stack Dialogue: 0,0:22:06.03,0:22:09.64,Default,,0000,0000,0000,,it says sure, fine if you try and pop it\Nit's like oh actually I never held any of Dialogue: 0,0:22:09.64,0:22:13.69,Default,,0000,0000,0000,,that data anyway so we are ending the\Nsimulation. 80 opcodes, most of them are Dialogue: 0,0:22:13.69,0:22:18.90,Default,,0000,0000,0000,,jumps. Because that's the primary\Npurpose, comparing and jumps. The Dialogue: 0,0:22:18.90,0:22:23.63,Default,,0000,0000,0000,,difference is it logs every opcode every\Naddress that it went through and it can be Dialogue: 0,0:22:23.63,0:22:29.21,Default,,0000,0000,0000,,run with just a small x86 code segment and\Na register snapshot. 
This means that we Dialogue: 0,0:22:29.21,0:22:34.91,Default,,0000,0000,0000,,can test old age from 1980 to 2005 and are\Nroughly about 100 milliseconds and most Dialogue: 0,0:22:34.91,0:22:40.86,Default,,0000,0000,0000,,programs ended up having just 3 different\Ncode paths on average so that yields us Dialogue: 0,0:22:40.86,0:22:48.02,Default,,0000,0000,0000,,with 17.000 virus samples and about 10.000\Nof samples that had date variations as in: Dialogue: 0,0:22:48.02,0:22:53.54,Default,,0000,0000,0000,,Once you exploit the complexity. So I'm\Ngoing to now use my final remaining time Dialogue: 0,0:22:53.54,0:22:59.77,Default,,0000,0000,0000,,to go through some of my favorites. So\Nthis is an example of a virus that just Dialogue: 0,0:22:59.77,0:23:04.44,Default,,0000,0000,0000,,doesn't do anything on the 1st of 1980.\NHowever if you'd happen to be running this Dialogue: 0,0:23:04.44,0:23:08.48,Default,,0000,0000,0000,,on New Year's Day you would get this. \N{\i1}Laughter{\i0} Dialogue: 0,0:23:08.48,0:23:10.61,Default,,0000,0000,0000,,No matter what you do, every program you can't Dialogue: 0,0:23:10.61,0:23:14.94,Default,,0000,0000,0000,,exit out of this, your machine is hung. This\Nmight be great, right? You might be like: Dialogue: 0,0:23:14.94,0:23:19.04,Default,,0000,0000,0000,,'Oh cool, I don't need to do work anymore\Nbecause my computer will literally not let me' Dialogue: 0,0:23:19.04,0:23:21.05,Default,,0000,0000,0000,,This also might be terrible, because\Nyou might need to do some work on New Dialogue: 0,0:23:21.05,0:23:28.10,Default,,0000,0000,0000,,Year's day. Here's another example. This\Ndoes nothing as well just another innocent Dialogue: 0,0:23:28.10,0:23:33.60,Default,,0000,0000,0000,,.com file. Of course reminding these\Npieces of malware will be wrapped around Dialogue: 0,0:23:33.60,0:23:37.62,Default,,0000,0000,0000,,something else. Almost anything could be\Ninfected in here. 
In this case though Dialogue: 0,0:23:37.62,0:23:46.88,Default,,0000,0000,0000,,these binary is a nice and shaped down.\NHowever instead we get this, which I think Dialogue: 0,0:23:46.88,0:23:53.56,Default,,0000,0000,0000,,is super interesting and is basically the\Nauthor is aware - they're telling you they Dialogue: 0,0:23:53.56,0:23:57.11,Default,,0000,0000,0000,,are actually like self disclosing in\Nsaying the previous year I've infected Dialogue: 0,0:23:57.11,0:24:04.80,Default,,0000,0000,0000,,your computer. And for some reason it's\Nbeing nice. They're just saying. Actually Dialogue: 0,0:24:04.80,0:24:11.58,Default,,0000,0000,0000,,you have been infected. And as a - I guess a\Npity - I'm just going to remove myself now. Dialogue: 0,0:24:11.58,0:24:17.12,Default,,0000,0000,0000,,I don't really. For some reason it's also\Nencouraging you to buy McAfee. This is Dialogue: 0,0:24:17.12,0:24:26.18,Default,,0000,0000,0000,,back in the day when John McAfee himself\Nactually wrote McAfee. Interesting times. Dialogue: 0,0:24:26.18,0:24:33.06,Default,,0000,0000,0000,,Definitely interesting times. Here is\Nanother example. This one I found Dialogue: 0,0:24:33.06,0:24:41.45,Default,,0000,0000,0000,,particularly obscure. On the 8th of\NNovember 1980 or any year I think actually Dialogue: 0,0:24:41.45,0:24:51.11,Default,,0000,0000,0000,,it turns all zeroes on the system into\Ntiny little glyphs that say "hate" if Dialogue: 0,0:24:51.11,0:24:54.76,Default,,0000,0000,0000,,anyone understands this I'd really like to\Nknow like I've been thinking about this a Dialogue: 0,0:24:54.76,0:25:01.95,Default,,0000,0000,0000,,lot. What does it mean? Is it an artistic\Nstatement? Is it. I wish I knew. Dialogue: 0,0:25:01.95,0:25:05.67,Default,,0000,0000,0000,,Someone in the audience: it says MATE\NBen: There could be a CCC variant says Dialogue: 0,0:25:05.67,0:25:12.63,Default,,0000,0000,0000,,MATE. 
Another good one in that it's the\Nlast thing I ever want to see any program Dialogue: 0,0:25:12.63,0:25:19.67,Default,,0000,0000,0000,,tell me is this one here where you run it\Nand it says "error eating drive C:". I Dialogue: 0,0:25:19.67,0:25:25.07,Default,,0000,0000,0000,,never ever want an error in any program\Nunexpectedly just says 'Sorry almost I Dialogue: 0,0:25:25.07,0:25:30.16,Default,,0000,0000,0000,,failed to remove your root file system,\Ndon't know why, could you like change your Dialogue: 0,0:25:30.16,0:25:35.94,Default,,0000,0000,0000,,settings so I can remove it?' Cheers. And\Nfinally this is one of my absolute Dialogue: 0,0:25:35.94,0:25:41.42,Default,,0000,0000,0000,,favorites in that it's just brilliant in\Nthat it also stops you from running the Dialogue: 0,0:25:41.42,0:25:46.49,Default,,0000,0000,0000,,program you want to run it exits\Nprematurely. This is the virus version of Dialogue: 0,0:25:46.49,0:25:50.61,Default,,0000,0000,0000,,the Navy SEAL copypasta. Says "I am an\Nassassin. I want to and I shall kill you." Dialogue: 0,0:25:50.61,0:25:59.81,Default,,0000,0000,0000,,"I also hate Aladdin and I also will kill\Nit. I will eliminate you with ...". You know where Dialogue: 0,0:25:59.81,0:26:04.88,Default,,0000,0000,0000,,this is going. It says fear\Nthe virus that is more powerful than God. Dialogue: 0,0:26:04.88,0:26:10.83,Default,,0000,0000,0000,,It only activates on one day though, so\Nit's fine. Thank you for your time. I know Dialogue: 0,0:26:10.83,0:26:15.48,Default,,0000,0000,0000,,it's late and I will happily take any\Nquestions or corrections if you know this Dialogue: 0,0:26:15.48,0:26:27.03,Default,,0000,0000,0000,,topic better than me.\N{\i1}applause{\i0} Dialogue: 0,0:26:27.03,0:26:33.41,Default,,0000,0000,0000,,Herald: This totally brings tears to my\Neyes with nostalgia. 
So if there is any Dialogue: 0,0:26:33.41,0:26:37.97,Default,,0000,0000,0000,,questions, we have microphones distributed around\Nthe room, there is like 1,2, 3, 4 and Dialogue: 0,0:26:37.97,0:26:42.63,Default,,0000,0000,0000,,one in the back. We also have questions\Nperhaps from the internet if you want to Dialogue: 0,0:26:42.63,0:26:47.98,Default,,0000,0000,0000,,ask a question come up to the microphone\Nask the question just as a reminder a Dialogue: 0,0:26:47.98,0:26:53.79,Default,,0000,0000,0000,,question is one or two sentences with a\Nquestion mark behind it and not a life Dialogue: 0,0:26:53.79,0:27:00.84,Default,,0000,0000,0000,,story attached. So let's see what we have.\NI'm going to start with microphone number Dialogue: 0,0:27:00.84,0:27:04.47,Default,,0000,0000,0000,,1 just because I can see it easiest, let's\Ngo for it. Dialogue: 0,0:27:04.47,0:27:09.56,Default,,0000,0000,0000,,Microphone 1: Hi Ben, thanks for the talk.\NReally interesting. My question would be Dialogue: 0,0:27:09.56,0:27:16.30,Default,,0000,0000,0000,,did you do any analysis on what ratio of\Nthe viruses was more artistic Dialogue: 0,0:27:16.30,0:27:20.69,Default,,0000,0000,0000,,and which one actually did damage.\NBen: So most of them surprisingly don't do Dialogue: 0,0:27:20.69,0:27:26.45,Default,,0000,0000,0000,,damage. I actually really struggled to\Nfind a date varying sample that Dialogue: 0,0:27:26.45,0:27:30.14,Default,,0000,0000,0000,,specifically activated on a certain day\Nand decided to delete every file. 
There Dialogue: 0,0:27:30.14,0:27:35.26,Default,,0000,0000,0000,,are some very good ones in some of them\Nare like virus scanning utilities that just Dialogue: 0,0:27:35.26,0:27:37.99,Default,,0000,0000,0000,,don't do anything on certain dates and in\None day like while they're telling you all Dialogue: 0,0:27:37.99,0:27:41.12,Default,,0000,0000,0000,,the files they are scanning is actually\Ntelling you all the files they're Dialogue: 0,0:27:41.12,0:27:46.12,Default,,0000,0000,0000,,deleting. So that's particularly cruel but\Nit's actually surprisingly hard to find a Dialogue: 0,0:27:46.12,0:27:50.48,Default,,0000,0000,0000,,virus sample that actually was brutally\Nmalicious. There were some, that would just, Dialogue: 0,0:27:50.48,0:27:53.91,Default,,0000,0000,0000,,you know, infect binaries, but it's very hard\Nto find one that I think was brutally Dialogue: 0,0:27:53.91,0:27:58.10,Default,,0000,0000,0000,,malicious, which is a far cry from the days\Nwell from the days that we live in right Dialogue: 0,0:27:58.10,0:28:03.55,Default,,0000,0000,0000,,now, where we're taking down hospitals with\NWindows bugs. Dialogue: 0,0:28:03.55,0:28:09.21,Default,,0000,0000,0000,,Herald: As everybody is leaving the room,\Nplease do it quietly. I see a question at Dialogue: 0,0:28:09.21,0:28:12.20,Default,,0000,0000,0000,,(microphone) 3, on that side.\NMicrophone 3: Yes. Since a lot of Dialogue: 0,0:28:12.20,0:28:19.97,Default,,0000,0000,0000,,industrial control systems still run DOS.\NWhat's the threat from DOS malware that Dialogue: 0,0:28:19.97,0:28:27.15,Default,,0000,0000,0000,,might be written today?\NBen: It's probably unlikely that an Dialogue: 0,0:28:27.15,0:28:31.01,Default,,0000,0000,0000,,Industrial Control System that's running\NDOS, would come into contact with DOS-malware. 
Dialogue: 0,0:28:31.01,0:28:36.01,Default,,0000,0000,0000,,The only way I can think is if one vendor\Nwas like or a factory or supply or Dialogue: 0,0:28:36.01,0:28:41.05,Default,,0000,0000,0000,,whatever it was basically downloading all\Nbasically wares onto industrial control Dialogue: 0,0:28:41.05,0:28:47.42,Default,,0000,0000,0000,,boxes. I wouldn't be surprised but it\Nwould be pretty irresponsible. But it Dialogue: 0,0:28:47.42,0:28:52.51,Default,,0000,0000,0000,,would be quite surprising to find MS-DOS\Nmalware today on industrial controllers Dialogue: 0,0:28:52.51,0:28:57.11,Default,,0000,0000,0000,,that was installed recently and not just a\Nlingering infection from the last 20 Dialogue: 0,0:28:57.11,0:29:00.03,Default,,0000,0000,0000,,years.\NHerald: Microphone 2 Dialogue: 0,0:29:00.03,0:29:05.00,Default,,0000,0000,0000,,Microphone 2: Did you find any conditions\Nthat weren't date based?\NBen: Some of them do Dialogue: 0,0:29:05.00,0:29:09.61,Default,,0000,0000,0000,,attempt to some of them try and circumvent\Nthe date recognition. Unfortunately it's Dialogue: 0,0:29:09.61,0:29:12.81,Default,,0000,0000,0000,,very hard to brute force those. Some of\Nthem install themselves as what's called Dialogue: 0,0:29:12.81,0:29:19.71,Default,,0000,0000,0000,,TSR or Terminate and Stay Resident which\Nbasically means that they will exit out, Dialogue: 0,0:29:19.71,0:29:23.75,Default,,0000,0000,0000,,run in the background and continuously ask\Nthe actual system time what time it is. 
Dialogue: 0,0:29:23.75,0:29:27.64,Default,,0000,0000,0000,,It's a bit of a more risky strategy\Nbecause the system timer might not exist Dialogue: 0,0:29:27.64,0:29:31.65,Default,,0000,0000,0000,,which would be unfortunate for the virus.\NSo definitely there are viruses that have Dialogue: 0,0:29:31.65,0:29:38.34,Default,,0000,0000,0000,,way more complicated execution conditions.\NI observed one sample that only activated Dialogue: 0,0:29:38.34,0:29:43.85,Default,,0000,0000,0000,,after I believe it was something silly\Nlike 100 keypresses which is very hard to Dialogue: 0,0:29:43.85,0:29:49.77,Default,,0000,0000,0000,,automatically test. Those sorts of viruses\Nrequire static analysis and statically Dialogue: 0,0:29:49.77,0:29:54.48,Default,,0000,0000,0000,,analyzing 17.000 samples is a time\Nconsuming task. Dialogue: 0,0:29:54.48,0:30:02.01,Default,,0000,0000,0000,,Herald: So we have a question from the Internet.\NSignal Angel: Do you have the source? What Dialogue: 0,0:30:02.01,0:30:07.99,Default,,0000,0000,0000,,is the source of the malware that you\Nanalyzed here, is it published somewhere? Dialogue: 0,0:30:07.99,0:30:13.40,Default,,0000,0000,0000,,Ben: You can still find dumps of VX\NHeavens, and more modern dumps of VX Dialogue: 0,0:30:13.40,0:30:17.99,Default,,0000,0000,0000,,Heavens on popular torrent websites.\NBut I'm sure there are also copies Dialogue: 0,0:30:17.99,0:30:21.40,Default,,0000,0000,0000,,floating about on non-popular torrent\Nwebsites. Dialogue: 0,0:30:21.40,0:30:24.81,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NHerald: Over to microphone 1. Dialogue: 0,0:30:24.81,0:30:32.24,Default,,0000,0000,0000,,Microphone 1: Hi Ben. I'm Jope. Thank you\Nfor your talk. 
I was wondering: did you Dialogue: 0,0:30:32.24,0:30:36.64,Default,,0000,0000,0000,,learn anything from your studies of these\Nviruses that should be taught in modern Dialogue: 0,0:30:36.64,0:30:42.82,Default,,0000,0000,0000,,day computer science classes like more\Nefficient sorting algorithm or some hidden Dialogue: 0,0:30:42.82,0:30:47.08,Default,,0000,0000,0000,,gem that actually should be part of\Ncomputing these days. Dialogue: 0,0:30:47.08,0:30:53.57,Default,,0000,0000,0000,,Ben: My primary takeaway was x86 was a\Nmistake. Dialogue: 0,0:30:53.57,0:31:01.32,Default,,0000,0000,0000,,{\i1}Laughter & applause{\i0}\NHerald: So I'm not seeing any more Dialogue: 0,0:31:01.32,0:31:04.48,Default,,0000,0000,0000,,questions. Oh no there is. OK one more\Nquestion from the internet. Dialogue: 0,0:31:04.48,0:31:11.39,Default,,0000,0000,0000,,Signal angel: Have you found malware\Nsamples that did like try to detect dummy Dialogue: 0,0:31:11.39,0:31:14.62,Default,,0000,0000,0000,,binaries or whatever, to avoid easy\Nanalysis? Dialogue: 0,0:31:14.62,0:31:20.01,Default,,0000,0000,0000,,Ben: Oh actually, that's a really good question. \NSo it is it's complicated: Dialogue: 0,0:31:20.01,0:31:24.58,Default,,0000,0000,0000,,So some viruses would so, maybe let's be Dialogue: 0,0:31:25.03,0:31:29.77,Default,,0000,0000,0000,,dangerous let's try and go backwards on my\Nhome written presentation software. So Dialogue: 0,0:31:29.77,0:31:41.16,Default,,0000,0000,0000,,{\i1}humming{\i0} Too many slides. I have\Nregrets. Yes. OK. Here we are. This slide. Dialogue: 0,0:31:41.16,0:31:45.45,Default,,0000,0000,0000,,OK. So you know here I'm saying that the\Nmalware infection goes to the end. Well Dialogue: 0,0:31:45.45,0:31:49.85,Default,,0000,0000,0000,,some samples are really cool. They don't\Nchange the size of the file. 
They just Dialogue: 0,0:31:49.85,0:31:54.59,Default,,0000,0000,0000,,find areas in the files that are full of\Nnull bytes and just say this is probably Dialogue: 0,0:31:54.59,0:32:00.23,Default,,0000,0000,0000,,fine. I'm just going to put myself here\Nwhich may have unintended consequences. It Dialogue: 0,0:32:00.23,0:32:04.96,Default,,0000,0000,0000,,may mean if a program is like a statically\Ntyped, statically defined byte array of Dialogue: 0,0:32:04.96,0:32:10.04,Default,,0000,0000,0000,,like a certain size and the program is\Nrelying on it being zeros when it accesses Dialogue: 0,0:32:10.04,0:32:14.44,Default,,0000,0000,0000,,it for the first time it may get very\Nsurprised to find some malware code in Dialogue: 0,0:32:14.44,0:32:20.16,Default,,0000,0000,0000,,there. But generally speaking as far as\NI'm aware, this deployment Dialogue: 0,0:32:20.16,0:32:26.22,Default,,0000,0000,0000,,procedure works pretty well and actually\Nis very good at avoiding antivirus of the Dialogue: 0,0:32:26.22,0:32:30.39,Default,,0000,0000,0000,,era which would just be checking like\Ncommon system files and their size. And you Dialogue: 0,0:32:30.39,0:32:35.06,Default,,0000,0000,0000,,know the size increases of COMMAND.COM\Nthen that's clearly bad news. Dialogue: 0,0:32:35.06,0:32:38.45,Default,,0000,0000,0000,,Herald: We have a question on microphone\N1. Dialogue: 0,0:32:38.45,0:32:45.62,Default,,0000,0000,0000,,Microphone 1: Are there any viruses that\Ntry to eliminate or manipulate virus Dialogue: 0,0:32:45.62,0:32:48.97,Default,,0000,0000,0000,,scanners of the day?\NBen: Oh yeah. So a lot of the samples will Dialogue: 0,0:32:48.97,0:32:52.96,Default,,0000,0000,0000,,actively go and look for files of other\Nanti-viruses. Dialogue: 0,0:32:52.96,0:32:57.16,Default,,0000,0000,0000,,But I am generally under the impression\Nthat it's kind of hard to find them. There Dialogue: 0,0:32:57.16,0:33:01.75,Default,,0000,0000,0000,,weren't actually that many antivirus\Nproducts back in the day. 
Dialogue: 0,0:33:01.75,0:33:06.41,Default,,0000,0000,0000,,I feel like, it was a bit of a niche thing to\Nbe running. Microsoft did for a while ship Dialogue: 0,0:33:06.41,0:33:14.33,Default,,0000,0000,0000,,their own antivirus with MS-DOS. So I\Nguess you know what's new is old. So there Dialogue: 0,0:33:14.33,0:33:17.86,Default,,0000,0000,0000,,were antiviruses out there. I don't think\Nmany of them were very effective. Dialogue: 0,0:33:17.86,0:33:27.26,Default,,0000,0000,0000,,Herald: Any more questions? There, where?\NOh right. Another one from the Internet. Dialogue: 0,0:33:27.26,0:33:32.05,Default,,0000,0000,0000,,It's interesting that the internet is\Nquerying MS-DOS all the time. Go ahead. Dialogue: 0,0:33:32.05,0:33:38.00,Default,,0000,0000,0000,,Signal angel: Did you do the diagrams by\Nhand or do you have a tool? Dialogue: 0,0:33:38.00,0:33:42.56,Default,,0000,0000,0000,,Ben: So many hours. No. So there's a\Ncouple of good tools to do it. Dialogue: 0,0:33:42.56,0:33:46.43,Default,,0000,0000,0000,,asciiflow.org. I think is a fantastic\Ntool. I would highly recommend it. I think Dialogue: 0,0:33:46.43,0:33:52.78,Default,,0000,0000,0000,,it's not maintained very well, though.\NHerald: microphone 1. Dialogue: 0,0:33:52.78,0:33:55.52,Default,,0000,0000,0000,,Microphone 1: Are you publishing the tools\Nyou wrote? Dialogue: 0,0:33:55.52,0:34:02.43,Default,,0000,0000,0000,,Ben: I will be publishing the tools at\Nsome point when they are less... when they Dialogue: 0,0:34:02.43,0:34:08.32,Default,,0000,0000,0000,,are less ugly. 
I will be publishing all of\Nthe automatic malware runs and the gifs Dialogue: 0,0:34:08.32,0:34:12.93,Default,,0000,0000,0000,,generated by them so that people can\Neasily search google for the virus names Dialogue: 0,0:34:12.93,0:34:16.89,Default,,0000,0000,0000,,and get like actual real time versions.\NThe hardest thing that I've found is when Dialogue: 0,0:34:16.89,0:34:21.71,Default,,0000,0000,0000,,looking at virus names was literally just\Nfinding any information about them and one Dialogue: 0,0:34:21.71,0:34:25.22,Default,,0000,0000,0000,,of the things I really wish existed at the\Ntime of writing this talk, was being able Dialogue: 0,0:34:25.22,0:34:29.58,Default,,0000,0000,0000,,to just query a name and be like oh yeah\Nthis virus it looks like it does this. Dialogue: 0,0:34:29.58,0:34:33.42,Default,,0000,0000,0000,,Herald: since I saw microphone 1 first\Nlet's go with that. Dialogue: 0,0:34:33.42,0:34:40.26,Default,,0000,0000,0000,,Microphone 1: Did you find any viruses\Nthat had signage in them not signage of Dialogue: 0,0:34:40.26,0:34:43.52,Default,,0000,0000,0000,,today but the name of the author. Like he\Nwas very proud of what he wrote. Dialogue: 0,0:34:43.52,0:34:47.45,Default,,0000,0000,0000,,Ben: Yeah, there are some notable\Nexamples. Quite a few of them will try and Dialogue: 0,0:34:47.45,0:34:52.87,Default,,0000,0000,0000,,name - so DOS-viruses do like have\N[incomprehensible] sample names in the same way Dialogue: 0,0:34:52.87,0:34:57.47,Default,,0000,0000,0000,,that we'd still today give viruses names.\NA lot of the time you will just encode a Dialogue: 0,0:34:57.47,0:35:01.13,Default,,0000,0000,0000,,string that you want the virus to be\Nnamed, you know, somewhere in the file Dialogue: 0,0:35:01.13,0:35:04.47,Default,,0000,0000,0000,,just a random string doing nothing. It's\Nlike oh, ok, they clearly wanted the virus Dialogue: 0,0:35:04.47,0:35:11.43,Default,,0000,0000,0000,,to be called Tempest. 
So that does happen.\NOne of the favorite examples is the brain Dialogue: 0,0:35:11.43,0:35:16.75,Default,,0000,0000,0000,,malware which literally encodes an address\Nand phone number of the author. I believe Dialogue: 0,0:35:16.75,0:35:22.72,Default,,0000,0000,0000,,in Pakistan and there's a fantastic mini\Ndocumentary by F-Secure where they go and Dialogue: 0,0:35:22.72,0:35:25.85,Default,,0000,0000,0000,,visit the people who wrote it. It's a\Nsuper interesting watch and I would really Dialogue: 0,0:35:25.85,0:35:29.99,Default,,0000,0000,0000,,recommend it.\NHerald: Indeed it is. Microphone 2? Dialogue: 0,0:35:29.99,0:35:36.26,Default,,0000,0000,0000,,Microphone 2: Did you have any chance to\Nlook at any kind of viruses that did not Dialogue: 0,0:35:36.26,0:35:42.33,Default,,0000,0000,0000,,modify the files themselves. For example\None of the largest virus infections at the time was a Dialogue: 0,0:35:42.33,0:35:46.08,Default,,0000,0000,0000,,virus called [incomprehensible] which modified\Nthe master boot record Dialogue: 0,0:35:46.08,0:35:51.06,Default,,0000,0000,0000,,Ben: Yes, Master boot record, I did\Nconsider. It was more of a time problem Dialogue: 0,0:35:51.06,0:35:55.32,Default,,0000,0000,0000,,that I had in getting to the point where\Nyou could brute force time and date Dialogue: 0,0:35:55.32,0:36:01.02,Default,,0000,0000,0000,,combinations and looking for master boot\Nrecord changes. It was really hard. I am Dialogue: 0,0:36:01.02,0:36:06.61,Default,,0000,0000,0000,,super interested in reviewing a fact to be\Nthe root kits of the era. But yes that's Dialogue: 0,0:36:06.61,0:36:10.22,Default,,0000,0000,0000,,definitely something I will look into in\Nthe future. Dialogue: 0,0:36:10.22,0:36:14.41,Default,,0000,0000,0000,,Herald: And we have yet another question\Nfrom the Internet. Dialogue: 0,0:36:14.41,0:36:17.40,Default,,0000,0000,0000,,Signal angel: And it's even from the same\Nguy. 
Dialogue: 0,0:36:17.40,0:36:22.83,Default,,0000,0000,0000,,Ben: Oh damn.\NSignal angel: is the BenX86 software open- Dialogue: 0,0:36:22.83,0:36:25.53,Default,,0000,0000,0000,,source or can be found on the web\Nsomewhere. Dialogue: 0,0:36:25.53,0:36:29.87,Default,,0000,0000,0000,,Ben: It probably will be. I wouldn't\Nexpect it to work in, well, in any use-case Dialogue: 0,0:36:29.87,0:36:36.36,Default,,0000,0000,0000,,though. It's effectively designed to like\Nnot work correctly, right? Like what Dialogue: 0,0:36:36.36,0:36:40.88,Default,,0000,0000,0000,,was the spec? It basically like fails at\Nevery single thing awkward. I just went Dialogue: 0,0:36:40.88,0:36:46.66,Default,,0000,0000,0000,,like oh that's fine. We're probably far\Nenough down there anyway. Are we? Be aware Dialogue: 0,0:36:46.66,0:36:50.74,Default,,0000,0000,0000,,this is the feature list.\NHerald: So is that a follow up question Dialogue: 0,0:36:50.74,0:36:57.01,Default,,0000,0000,0000,,from the internet?\NSignal angel: No it's a new one. I don't Dialogue: 0,0:36:57.01,0:37:02.66,Default,,0000,0000,0000,,know how serious it is but would it be\Npossible or a good idea to use machine Dialogue: 0,0:37:02.66,0:37:09.50,Default,,0000,0000,0000,,learning to create new DOS malware from\Nthe existing samples. Dialogue: 0,0:37:09.50,0:37:17.02,Default,,0000,0000,0000,,{\i1}Laughter & applause{\i0}\NBen: It would not be a good idea. But I Dialogue: 0,0:37:17.02,0:37:24.23,Default,,0000,0000,0000,,like how you think.\NHerald: Actually I saw somebody trying to Dialogue: 0,0:37:24.23,0:37:27.64,Default,,0000,0000,0000,,use NLP to generate viruses but ok that's\Nenough for now. Dialogue: 0,0:37:27.64,0:37:32.40,Default,,0000,0000,0000,,Ben: you could probably do Markov Chains\Nwith x86 to be honest. Please don't do Dialogue: 0,0:37:32.40,0:37:34.53,Default,,0000,0000,0000,,that, please!\NHerald: Don't try this at home. 
Dialogue: 0,0:37:34.53,0:37:37.48,Default,,0000,0000,0000,,Ben: I have seen things I've seen. Just\Nplease don't do that. Dialogue: 0,0:37:37.48,0:37:43.46,Default,,0000,0000,0000,,Herald: So I think we've run out of\Nquestions. Going once, going twice. Let's Dialogue: 0,0:37:43.46,0:37:49.52,Default,,0000,0000,0000,,thank Ben for this marvelous retrospective\Ntalk.\N{\i1}Big applause{\i0} Dialogue: 0,0:37:49.52,0:37:58.78,Default,,0000,0000,0000,,{\i1}36C3 postroll music{\i0} Dialogue: 0,0:37:58.78,0:38:12.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!