Portrait of the artist as a young vx-er: This painting is an MBR bootkit

Presented at REcon 2023, June 11, 2023, 3:30 p.m. (30 minutes)

What can the early bootkits of the 1980s and 1990s teach us about bootkits of the present day? Why did vx-ers of that era use graphical payloads, and how can their creative stealth and persistence techniques be applied to exploit writing and bootkit development of the present day? Part history lesson, part malware analysis and part RE extravaganza, this talk will be a greatest-hits deep dive into several of the most iconic and memorable moments in early bootkit history — Brain, Stoned, Ping-Pong, and others — and will explore the connection between legacy bootkit techniques and modern UEFI-targeting malware. The talk will then focus on the details of how I reverse engineered the infamous Michelangelo bootkit and remixed its MBR infection techniques to create a polymorphic art engine. In the words of the ‘90s vx-er Spanska: “Coding a virus can be creative.” This talk presents malware art that aims to pay homage to the techniques of notable vx-ers of the ‘80s and ‘90s while adapting their techniques for the modern era. There will be pretty pictures. There will be core wars. There will be a plethora of assembly language programming tricks. I’m throwing a party for the ages and serving up a veritable smorgasbord of vintage exploits. can’t wait to c u there xoxo ic3qu33n

This talk focuses on the application of techniques from the era of MS-DOS malware to the generation/creation of novel work — using the assembly programming techniques from reversed malware samples to create art. The talk provides a primer on the fundamentals of MS-DOS architecture, and delves into the various infection/stealth/persistence techniques of some notable MS-DOS era bootkits, highlighting both the technical complexity of early malware and its flair for dazzling graphical displays.

The project uses virus writing as a creative medium to explore questions such as:

  • how the investigation of an EOL OS can inform understanding of the foundations of an existing one
  • reflections on inheriting vulnerabilities in a legacy code base, as well as what can be gleaned from studying the techniques of the malware masters of the ‘80s/‘90s
  • tracing the evolution of techniques developed in MS-DOS malware to malware of today, and potential related vectors for leveraging these techniques on a variety of targets (e.g. UEFI firmware implants, embedded/IoT systems, etc.)

Presenters:

  • Nika Korchok Wakulich
    Nika Korchok Wakulich (ic3qu33n) is a Security Consultant at Leviathan Security Group where she works on a range of penetration testing engagements, with a focus on hardware and embedded security. Outside of work, she combines her artistic practice (woodcut prints, painting, drawing, etc.) with her independent security research on passion projects in different areas of security. A few of her current favorites are hardware&firmware RE, DOS malware, bootkits, and writing vx/art demos in x86 asm. When she isn’t making art, reverse engineering or making art as a part of her reverse engineering process, she enjoys learning languages and skateboarding. You can find her on Instagram as @nikaroxanne, and on Mastodon/Discord/etc. as @ic3qu33n
