RetroMal: analysing malware on the earliest computing platforms

Wednesday 2 October 11:30 - 12:30, Small talks

Andrew Brandt (Sophos)

The world of information security spends much of its time focused on looking forward, trying to tackle the bleeding edge of malicious code and obfuscation, which is as it should be. Lost in the rapid pace of technological adaptation in the malware arms race is a sense of history: the origins of malware and its earliest days.

How did malware get its start, and what lessons can today's defenders learn about the origins of malicious code, back from the days when analysts first coined the term "virus" as a binary analogue to biological illness? To learn more about malware's origins, we obtained samples of some of the oldest extant malicious code and devised ways of putting that malware onto the retro storage media required by the computers that were the earliest malware victims.

With the assistance of the Media Archaeology Lab, an educational museum of retro computing based at the University of Colorado at Boulder, the author executed those samples on real, physical retrocomputing devices like the Apple II, the Commodore 64, an IBM PC 5150, and early Apple Lisa and 68k Macintosh computers running Mac OS System 7.

Running malware on ancient computer systems is no different from using modern virtual or physical testbeds for detonation: you need to do it safely, in a "detonation chamber" of sorts, so the author and other volunteers also had to devise methods of safely moving the infected code from device to device or storage medium to storage medium, without spreading the infection to hard drives or other floppy disks or cassette tapes, or potentially damaging irreplaceable software or hardware.

Finally, we analysed these malware samples using both modern reverse engineering tools, and the rudimentary analysis utilities that would have been available in the era (roughly 40 years ago, on average) in which the computers used in the study were still contemporary devices, to see what we could learn about this ancient malicious code, and whether it bears any resemblance to modern malware.

The author believes the malicious code of the present day bears a more-than-passing resemblance to the malware of prior eras. If studying dinosaur bones contributes to science's understanding of evolutionary processes and biology, the study of retromalware surely can contribute to our modern understanding of sophisticated threats, and may help plan countermeasures against future ones.



Andrew Brandt

Andrew Brandt works as a principal researcher for Sophos, where he runs a malware and network forensics research lab, and serves as the Editor of the SophosLabs Uncut blog. In his spare time, he works as a volunteer archaeologist at the Media Archaeology Lab, a living history museum of retro, archaic and esoteric technology based at, and sponsored by, the University of Colorado at Boulder.


   Download slides

Back to VB2019 Programme page

Other VB2019 papers

Keynote: Nexus between OT and IT threat intelligence

Selena Larson (Dragos)

APT cases exploiting vulnerabilities in region-specific software

Shusei Tomonaga (JPCERT/CC)
Tomoaki Tani (JPCERT/CC)
Hiroshi Soeda (JPCERT/CC)
Wataru Takahashi (JPCERT/CC)

Panel: Where is threat intelligence headed?

Derek Manky (Fortinet)
Samir Mody (K7 Computing)
Heather King (CTA)
Warren Mercer (Cisco Talos)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.