Hacker News Comments on "A deep dive into the world of DOS viruses"
media.ccc.de · 122 HN points · 0 HN comments
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this video.

⬐ pnash: 40hex is a great zine from the early 90s that was focused on viruses, from a virus writer's perspective. Mutation engines, polymorphism, virus decompilation & spotlights, etc.

⬐ gesman: Back in 1990-1996 I was involved in anti-virus work for an Israeli company and later on for IBM Watson Research, building anti-virus technologies and software. We had a separate, disconnected laboratory with strict rules (disk in / no disk out!). Nasty unknown stuff was being tested there.
At some point my work was to develop a virtual machine (in C) capable of emulating the x86 instruction set, to quickly run EXE files through it and detect if anything weird was going on.
Fun times!
⬐ riq_: Nice video, I liked it. But I wouldn't call it a "deep dive". In any case, it is just a quick overview. By "deep dive" I would expect detailed infection techniques (.com is mentioned, but MBR is missing), stealth techniques (how viruses bypassed debuggers and anti-virus), and techniques used by antivirus (besides basic pattern matching).
⬐ EvanAnderson: There was definitely some interesting stuff in the DOS virus era. One of the "Priest" / "Little Loc" viruses (can't remember which one right now) exploited a vulnerability in the tracing code in the ThunderByte "TBCLEAN" utility to detect when the virus was being run under single-step. It would "break out" of TBCLEAN and destroy data. (ThunderByte didn't correctly emulate / "virtualize" every instruction that could expose the trap flag. There was also a vulnerability that allowed you to override their single-step interrupt handler.) Priest also ended up using what he learned when he found that vulnerability in the ISR trace code in "Natas" to bypass TSR anti-virus by locating the original BIOS and DOS entry points (by executing a call under single-step and emulating / virtualizing instructions that expose the trap flag to avoid detection). I've wondered if his techniques might actually be prior art for some of the various patents on virtualizing x86.

⬐ vectorEQ: :') I feel these old DOS things are nice to discuss; if you look at current documentation and implementation of x86_64 systems, a lot of these techniques still seem valid. The most awesome work I could find on such things was z0mbie's work on his Mistfall engine. Trying to re-write a sort of benign version of that for x64 to educate myself about executable file formats, linking / loading and other subjects. Really nice to teach yourself about how computers work if you try to apply some of these techniques to an OS yourself.

⬐ LeoPanthera: See also the textfiles.com virus archive: http://textfiles.com/virus/ If your browser uses the Google Safe Browsing blacklist, you may not be able to access that site, ironically because of the very viruses intentionally hosted there, despite the fact that they are decades old.
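The emulator weakness EvanAnderson describes (an instruction that exposes the trap flag to the code being traced) is easy to see in a toy interpreter. The following is an added example written for this page, not code from the thread or from ThunderByte: a hypothetical 8086-subset emulator that runs a constructed guest which copies FLAGS into AX via PUSHF / POP AX. With naive emulation the guest sees TF set; with the virtualized path the emulator keeps tracing internally but masks TF out of the value it stores.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_TF 0x0100  /* 8086 trap flag: set while single-stepping */

typedef struct {
    uint16_t ax;
    uint16_t sp;
    uint16_t flags;
    uint8_t  stack[64];
} cpu_t;

/* Hypothetical emulator for three opcodes: PUSHF (9C), POP AX (58), HLT (F4).
 * The emulator always single-steps (TF set in its own FLAGS copy). When
 * virtualize_tf is nonzero, PUSHF stores FLAGS with TF cleared so the guest
 * cannot learn that it is being traced. Returns the guest's AX at HLT. */
static uint16_t emulate(const uint8_t *code, size_t len, int virtualize_tf)
{
    cpu_t cpu = { .ax = 0, .sp = sizeof cpu.stack, .flags = FLAG_TF | 0x0002 };
    size_t ip = 0;
    while (ip < len) {
        uint8_t op = code[ip++];
        switch (op) {
        case 0x9C: {                       /* PUSHF */
            uint16_t v = cpu.flags;
            if (virtualize_tf)
                v &= (uint16_t)~FLAG_TF;   /* hide the tracing state */
            cpu.sp -= 2;
            cpu.stack[cpu.sp]     = (uint8_t)(v & 0xFF);
            cpu.stack[cpu.sp + 1] = (uint8_t)(v >> 8);
            break;
        }
        case 0x58:                         /* POP AX */
            cpu.ax = (uint16_t)(cpu.stack[cpu.sp] | (cpu.stack[cpu.sp + 1] << 8));
            cpu.sp += 2;
            break;
        case 0xF4:                         /* HLT */
            return cpu.ax;
        default:
            return 0xFFFF;                 /* unsupported opcode */
        }
    }
    return cpu.ax;
}

/* Constructed guest program: PUSHF; POP AX; HLT */
static const uint8_t guest[] = { 0x9C, 0x58, 0xF4 };

int main(void)
{
    printf("naive emulation:       TF visible to guest = %d\n",
           (emulate(guest, sizeof guest, 0) & FLAG_TF) != 0);
    printf("virtualized PUSHF:     TF visible to guest = %d\n",
           (emulate(guest, sizeof guest, 1) & FLAG_TF) != 0);
    return 0;
}
```

A real emulator has to apply the same treatment to every path that reads FLAGS (interrupt frames, the single-step handler's own stack image), which is exactly where the TBCLEAN tracing code fell short according to the comment above.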
⬐ ghostDancer: There were some really great groups in the vx scene and some made things really interesting: http://virus.wikidot.com/esperanto

⬐ db48x: You can run some fun ones in your browser: https://archive.org/details/malwaremuseum

⬐ wolfspider: Very cool blast from the past! I remember stealth_c as being extremely aggravating. It would infect the MBR and spread to all disks and pretty much grenade your PC.

⬐ rzzzt: If you are interested in more examples of what virus payloads did on activation, danooct1 on YouTube has recorded lots of them (link goes to the MS-DOS playlist): https://www.youtube.com/playlist?list=PLi_KYBWS_E71ObQ8QpGj5...

⬐ robertAngst: This was awesome. Wish I knew the most interesting/popular of these.
My first virus/worm (one that wasn't adware from freeware games) was the Conficker-
https://en.wikipedia.org/wiki/Conficker
Think I got it from sticking my USB in college and HS computers. Back then having a USB full of cool things was a big deal. I probably infected hundreds of computers.
⬐ rzzzt: The best-known viruses of "my time" (even portrayed on local national television) were Cascade, where all the letters fall to the bottom of the screen, and Jerusalem, activating on Friday the 13th of any month. You were even advised to keep the computer off that day!

⬐ userbinator: That Conficker spread widely and remained active for a long time could be attributed to the fact that it was relatively benign --- in contrast to ransomware, both that article and my memories of it agree that it did not destroy user data, which would've led to a far more intense "immune response".