Hex code from the Blaster worm reveals the potential motivations of the worm’s creator. Ward Moerman
By Dr. Howard Besser (left) and Jonathan Farbowitz (right) / 08.08.2016
Besser – Professor of Cinema Studies, New York University
Farbowitz – Graduate Student in Moving Image Archiving and Preservation, New York University
On average, 82,000 new malware threats are created each day. These include all sorts of malicious software – like computer viruses, computer worms and ransomware. Some are pranks or minor annoyances; others seek to pilfer data or extort money. Malware has been used to steal sensitive emails from political parties, or even as weapons directed at civilian, government or military targets.
Malware has been called a “pervasive feature of the internet” by the head of the British Library’s digital preservation team. A multi-billion-dollar industry exists to control its spread. Though it is part of the texture of digital life, libraries, museums and archives tasked with preserving the past are not saving malware for future generations. They are likely (and rightly) afraid: It can destroy data, which librarians and archivists are bound to protect.
Without long-term preservation, though, viruses and worms themselves will be difficult to analyze, research or write about. Cultural heritage institutions should seek to archive malware in ways that render it safely accessible to researchers and historians.
Our research has addressed two separate but connected concerns: First, how would an institution create a malware archive? And second, how should archivists, who have already encountered malware-infected hard drives and disks in their collections, handle these items? If an archivist chooses to remove the infection, what might we lose? And if the malware is not removed, how can the infected data be stored and accessed safely?
A recent history of malware appears in the new film “Zero Days,” a documentary about the Stuxnet worm that destroyed Iranian nuclear equipment. “Zero Days” reveals that researchers not only examined Stuxnet’s code to discover how it worked, but also looked at current geopolitics to determine why it was created.
Without efforts to save code and other items that add context, researchers may lose the ability to conduct similar analysis in the future – and to check the work of the past. Information related to historical malware can disappear from the internet. For example, anti-virus firms have removed publicly accessible information about malware from their websites.
In 1988, Robert Morris, a Cornell graduate student, released the first worm to draw widespread attention. Morris’ motivations remain unclear, but some suspect curiosity, hubris or the desire to demonstrate network vulnerabilities.
Since then, malware has been used for many purposes:
- As a political statement, such as the WANK worm, released to express political dissent. Today the hacktivist movement includes groups like Anonymous (which has carried out online actions in support of Black Lives Matter and the Occupy movement) and Cult of the Dead Cow (which attempted to interfere with China’s internet censorship technologies).
- To disrupt the rhythms of everyday life, such as ILOVEYOU, which in 2000 infected more than 50 million computers over 10 days. It cost an estimated US$5.5 billion to $8.7 billion in lost time and data recovery expenses. It prompted the Pentagon, the CIA and many corporations to temporarily shut down their email systems.
- As artistic expression, such as the Rebel! virus, part of an Italian art installation. Since then, artists like Eva and Franco Mattes (with hacker group Epidemic) and James Hoff have created malware or used malware code in their work.
- To affect world conflicts, such as the 2015 Ukrainian conflict, when malware took down part of Ukraine’s electric grid. The Egyptian government monitored political dissidents’ communications with spyware during the 2011 Arab Spring.
As internet connectivity becomes a feature of home heating and security devices, medical devices and even baby monitors, security experts worry about increasing numbers of malware attacks on this equipment.
An important resource for research
As digital culture scholar Jussi Parikka wrote recently, malware reflects the society in which it arose. In the 1990s, for example, not only were several computer viruses named for AIDS, but computer security professionals used “safe sex” analogies to explain how to keep electronics virus-free.
The interactions between malware, culture and history should not be lost. Just as historians have examined FBI wiretaps on Martin Luther King Jr.’s phone, researchers will want to know if a prominent activist had spyware on their computer and who likely installed it. Dissecting the spyware itself may prove crucial in understanding how the surveillance worked and its ultimate goal.
Literary scholars will want to know if a virus damaged an early draft of an important novel. Malware on a corporate executive’s computer could be evidence of espionage or a protest against the company.
Who is saving malware?
Computer security companies and security organizations hold the most comprehensive and well-organized collections of malware. However, these collections are not easy for researchers or the general public to browse – and were never designed for that use. And these organizations are not required to preserve their collections long-term. Their primary mission is to fight current malware threats. No organization has discarded unique samples yet. But what if the company with the best malware collection suddenly shuttered its doors?
Cultural heritage institutions, on the other hand, exist to keep objects for centuries, sometimes millennia, and make them broadly accessible. They can preserve a historical sample of malware for the future and ensure patrons can easily find and view the items they want to learn about.
Some efforts have already been taken to exhibit malware, including the Malware Museum, Daniel White’s YouTube channel and exhibits at swissnex San Francisco and Frankfurt’s Museum of Applied Arts. While these endeavors are commendable, they were mostly undertaken as side projects by individuals with other primary responsibilities. And they have displayed only a small number of viruses or worms and focused on their visual effects. None have committed to systematically collecting items that would give the malware further context.
Challenges of preserving malware
Saving and analyzing software often designed to wreak havoc – deleting files or launching internet-based attacks – presents unique challenges and requires complex solutions.
Even with special precautions (like simulated networks that fool malware into thinking it’s online), studying malware will become increasingly difficult. Like all software, malware eventually becomes obsolete: One day, no contemporary computers will be able to demonstrate how these programs functioned without emulation or virtualization.
Institutions have not yet begun to face the question of which malware to preserve. Should viruses and worms that infected massive numbers of computers be the primary goal for preservationists? What about malware displaying novel programming techniques, or released in conjunction with offline protest? How can they even begin to evaluate candidates for preservation, given the massive amounts of malware constantly being created?
The work ahead
Working collaboratively, archivists can learn how to appraise the historical value of malware, assess and mitigate the risks of storing it, and document its existence or potential removal.
Any malware collection should aim beyond saving code. It should capture the process of development (which will be difficult as most malware creators prefer to remain anonymous), as well as the sometimes short-lived effects of the infection. For example, archivists can collect oral histories of computer security professionals and, if possible, malware coders. They can also save websites, emails and log files pertaining to an infection.
Already, scholars like Jussi Parikka, Finn Brunton, Eugene Thacker and Alexander Galloway have explored the importance of malware in contemporary communications. Archives, museums and libraries can support future research with well-curated collections.
Highlighting a seldom recognized aspect of computing history, a malware archive could spark the creation of new cultural histories. By preserving malware, we can understand how we got from the Morris worm in 1988 to Stuxnet to July’s Democratic National Committee email hack – and beyond.