Mikko Hypponen at the Museum of Malware Art

Welcome to a very special episode of Modern Cyber with powerful visual elements. So the audio on this one may be a little bit tough, but I am delighted to be at the Museum of Malware  Art today, and we're going to get an insider kind of guided tour from Mikko Hypponen. Mikko, thank you for taking the time Sure. First of all. And talk to us about the museum.

Well, thanks for coming over and, you get the curator's tour. The curator tour. Awesome. Yes. This is the Museum of Malware Art.

We're in Helsinki. We are in the brand new headquarters for WithSecure, and I am the chief research officer for WithSecure in my day job. Okay. But what this is all about is that this is a way of looking at the history Okay. Present, and future of cyberattacks and malware through the lens of art.

So was that the original idea, was to use art to kind of make cyber attacks real in people's mind or what was the inspiration? It all really starts from the cooperation I started with the Internet archive 6 years ago. Okay. Internet archive, many of us know archive.org. We have like archivable websites and everything else.

I know one of the guys there, Jason Scott. Okay. He built with his developers an emulator around 6 years ago, so you could actually run old MS DOS games in browsers on the website. So we archive all all medium. And the emulator was amazing.

Okay. So so we started chatting with Jason whether it would be good enough, compatible enough to actually run old viruses in the browser. In the emulator? Yes. Okay.

So people could actually look at old viruses through the web by running them inside their browsers in a virtual machine, and it actually worked. Okay. That led to the beginning of Malware Museum on the Internet Archive where we collected a large collection of old viruses. Yep. Then when we started planning this building, the new headquarter for WithSecure, we had plenty of empty space in the lobby, and we were thinking about what to put in here.

Someone floated the idea that we should take the old viruses and, you know, have an exhibition here, But we didn't just want to dwell in the past. Yeah. So we started commissioning completely new pieces of artwork from artists around the world, art inspired by malware, art inspired by cyberattacks. So was there any connection to the malware running in the emulators? Yes.

Okay. We actually show those as well. So we want to look at the past by looking at the old viruses, but then we want to have completely new art. So this is not a new sale. This is an art. Okay.

Okay. And this is a great example. This is maybe the most visible piece of of of the museum. This is called Click for Love Okay. Made by 2 artists, Hugo Lankinen & Kasper Hildén.

This is inspired by the Love Letter worm outbreak, and you might remember Love Letter. Melissa virus? This was before Melissa. Same year, 2000. Okay.

So back when email worms became the biggest problem we had, love letter would arrive to you in an email what the subject field was. I love you. Yep. And then the email said, please see the attached love letter coming from me. If you would click on the attachment, then you would send the same email Yeah.

Everybody in your Outlook had Yeah. Yeah. Yeah. This was this wave of visual basic viruses, word macros. You open them up.

They scrape your contact list and just send themselves out. That's exactly what it was. The name of the attachment was love letter for you dot txt.vbs, visual basic script. So that's exactly what it was. So, clearly, you needed to click on the attachment with the mouse.

Right. The artists were inspired by that. So we crowdsourced 827 mice from our customers and clients around the world. They painted them all pink, and they used this this software which calculated the volume of 1 mouse and used it as a 3 d pixel, which gave instructions on how to build a heart. Where do you put the holes, how long cables do you need for each each mouse, and we end up with this this heart.

It's a nice symbol. And it may be a little bit hard to see on the video here. I'm not sure, but it's it's three-dimensional. So this piece goes back a good 60 centimeters or so. Yeah.

Yeah. So please don't touch it because when it gets mangled, it's it's it's a bitch to get out. Okay. But it is also another other thing here that we wanted to accomplish because this is we are at the ground level at the headquarters. We have 7 floors here, but there's a lot of traffic outside.

There's a big hotel. There's the Mercocompas shop out there for electronics. A lot of geeks and nerds won't buy. So we light up these art pieces in the evening and hope to attract people coming in because this is a permanent museum and it's a public museum. We want people to visit them and look at the art pieces with permission.

And free entry? Yes. It's free entry indeed. At least nobody charged me on my way in, so I'm thankful for that. For the opening hours, museumofmalware.art is where you can find it.

Alright. Good deal. Good deal. And if this is inspired by the love letter worm, let's pick up the camera and take a look at the love letter for real. Let's do that.

So you're gonna get a little bit of motion as we transition from place to place here today. Take a look at this. This is a collection of old viruses. And if you look at this one right here, that's I love you from 2,000. And it's actually a video of the machine getting infected by the world for real.

So people who weren't around in 2000 to see what it looked like can actually see what it looked like for real when you infect your Windows 90 this is Windows 90 8 or maybe NT Windows NT getting infected inside the lab later work. And there's a collection. If you pan around, you will see that we have, like, different visual examples of what old viruses look like, some of them with really fancy animations or or or displays that they show to users. And this is the history of malware. This is what they used to look like.

They used to be visual. They used to be, like, playing music or playing games with the user or doing different kinds of tricks, like with the cascade worm, which would activate at the end of the year or in the last 2 months of the year and would start dropping down the letters on your infected MS DOS computer to the bottom of the screen. And, of course, users couldn't understand what's wrong with their computer. Why are my letters dropping to the bottom of the screen? And we named it cascade because it sort of looks like cascade as it happens.

So this is the history part. The oldest viruses we showcase here are from 1987, and that's ancient. I've been around forever. I started working in this field in 1991. I've analyzed all these viruses back then, and then I started my reverse engineering career inside, inside Datafellow at the time.

There were so few viruses in existence that I copied them all, and then reverse engineered them all just to understand the field. One of one of the things that I learned from there is that, you know, how to do reverse engineering and that's basically what led to my career and the rest of it. Right. Right. So you're the original virus Pokemon master.

Gotta catch them all. Gotta catch them all. That's what I was doing. Here, I have to send greetings to Daniel White, known online as danooct1. For example, this video right here, if you look closely, you actually see that you can see the pixels of the CRT screen.

This is a real video shot from a real physical infected computer that Daniel recorded for us earlier this year. He has a very popular YouTube channel, where he posts videos of old viruses with hundreds of thousands of followers, so clearly, people like old viruses. This particular video showcases the Virus Creation Laboratory from 1992, which was the first virus generator. It's a tool for people who want to write viruses but don't know how to program, so it can automate the work for you. Right?

And then if we pan a little bit to the left, we have, the casino virus, which played a game with the user. The way it worked is that when you got infected, three dates of the year, 15th January or April or or August, when you start up the computer, it's destructive. It overwrites a copy of your file allocation table, which means you've now lost all the information about where your files are. Right. But before it overwrites it, it takes a copy in memory, and now it gives you a chance to win your files back.

You have 5 crates. You see crates 5, you can play a game of jackpot. If you get 3 '£'s in a row, you win. And it will then write your file allocation table back to your hard drive. You recover your files.

So it actually worked? It actually works. We tested this. And in fact, when I was recording, I made this video earlier this year, and I had a hard time actually losing the game because, you know, I wanted to get a video of of user losing their files. For first four runs, I did I won.

So it's it's it's likely. It's it's I think that the chance of winning your files back is fairly high, but sometimes you lose. And when you lose, it simply hangs your computer, and then you've lost automatically because the files have already been overwritten. That's interesting. It's a little bit different than what we're hearing about some of the modern ransomware attacks where even companies who pay the ransom don't get their data back.

And, speaking about ransom, let's switch to the other side. Follow me with more of these old malware samples on this side, and not all of them are approved. For example, here's, more recent Windows malware, and here, we showcase current design and art and branding. When you think about, like, 2024 attacks, it's mostly ransomware. And many of the ransomware gangs, practically all of them, do branding.

They have names. They have logos. That's that's the vice society. Right there. And and this is art as well.

Not maybe the same kind of art we think when we think about art in general, but clearly, someone has designed this. They've hired artists maybe, or getting these on Fiverr, or we don't actually know. But, you know, we try to record that part of the design process in in modern malware as well here in the Museum of Modern Art. Yeah. I mean, it's interesting.

If you think about all the things that go into an organization or go into a company, definitely branding is one of those things that is pretty important. Yeah. It's important for criminals as well. Yeah. There will always be branding as as they say.

Some of these viruses were actually loud. They make noises as well so for example, here, we have the ambulance car virus that you have a car running across your screen randomly whenever you run an infected program. So you try to launch a game of the other the other computer before the game launches an ambulance car once you get the screen. And it would also make it sound, like, bee-baw bee-baw we've decided to turn off the original we can give it to them very quickly. I think the audience and I are both thankful for that.

I mean, it's it's also interesting to think about how the most widespread viruses in this of the 19 era didn't actually do anything visual. Yeah. But, many of them still had things that are interesting. So for example, here, we wanted to record the form of virus because one of the most widespread boot sector floppy infectors in history. It never showed you anything at all, but there is a hidden message inside the boot sector of an infected floppy.

You never see this message. It's never shown to anyone, but if you take a hex dump of the boot chapter and read it through, you'll find this message where the phone wire sends greetings, and, then there's a message to Corinne. We don't know who Corinne is. I'm guessing it's an ex girlfriend of the author or maybe something like that.

Right. Right. So we tried to record some of the historical artifacts here. And it's also, this is the version 1.0 of the museum. This will be expanding and and changing.

Yeah. Right now. It's interesting on that form virus, by the way. In that message, it says form doesn't destroy data. And that's really changed over time.

Like It has. Yeah. Of course, today, events over here is maybe the biggest single malware problem. Not only you know, Maybe another thing which has changed with Marvel over the years is that these things used to spread. We call them viruses because they would infect your computer.

And then spread out. Every floppy you use, they infect it. Or every program you run can infect it. Today, we almost never see viruses. They're more like trojans.

Right. So that's Right. That hits your computer, but it doesn't spread. Well, don't a lot of them spread across local networks or across the corporate network? That's the pros.

That's the owners. That's the people inside the network Okay. Scanning network and infecting the machines. The malware itself doesn't have spreading functionality with some exception. But one acquired ransomware did have spreading functionality.

That's why it remains such a huge case. But most of the cases we see will be closer to progress Okay. For instance, viruses. Got it. Got it.

And, of course, they are destructing, but they don't destroy files. They encrypt files. Yeah. Are recoverable. Right.

Right. And then we have to remember that cyber problems today are they go beyond that. So we're still finding a lot of other cases, but it is the most visible. Yeah. Yeah.

Well, let's move on. What else have we got here in the museum? Yeah. We have a piece of painting. So, actually, AI rendered images of art called Greg Linares.

Greg is from California. He's an old-school security expert. He's been around since the nineties. This this art is called CyberWar because every single one of these paintings is auto generated from a malware sample. And the samples here are all used in war.

So every single one of these are actually written by the Russian government to use against Ukraine in in the Ukraine war. So for example, these are things that here is generating from the indestroyer malware, which it because the malware which they've used multiple times to cut power Yeah. In in Ukraine. The way these are generated is fascinating because Greg has built his own, malware or generator. It takes the actual binary of the malware, so EMC of the malware Okay.

Flows it into his emulator, his emulator, and extracts functions from the malware code, then uses a custom large language model to create English language descriptions of the function, and then that description is used in an image generator based on top of stable diffusion, which then takes the images out of it, and then we end up doing things like this. We printed these on aluminium. That's why they shine so nicely. The light hits the dark. These are beautiful in the in the night time.

But it was a bit of a challenge getting them printed, with printing these locals here in Finland, and and when we were sending the original images for the printing house, I thought we had really nice original images that is very huge. It was 4,000 pixels by 4,000. The printing house got back to us and said that this is not nearly enough. We need much higher resolution if you want to give the high linear. So we asked Greg to rerender the images.

These are 12,000 pixels by 12,000 pixels. So 12 k instead of, like, 4 k, 8 k? Something like that. The images of the JPEGs are 300 gigs each. Okay.

Biggest jpegs I've seen in my life. But look at the images. If you come in Yeah. Close-up, for example, from here, then the light strikes these raindrops or or, lightning things, it is quite amazing. Yeah.

The video may not do it justice here, but I do see the detail and this is really interesting. And are these kind of two sided printed? So they're visible on the other side as well for people passing by? On the other side, it has the logos for the Museum of Modern Art. Ah, okay.

Museum of Modern Art. Got it. A little bit of branding on the other side. Always be branding, as they say. There we go.

And then we have here a work of art, a a sculpture called Araneomorph by Joey Holder from the United Kingdom. Yeah. This is inspired by ransomware in a group of bronze. And there's multiple ways Joey was inspired by ransomware attacks, creatives. So, clearly, we have the spider here symbolizing the attack itself.

But Joey chose bronze as the metal to be used in this sculpture. And bronze changes over time. Right now, it's nice and shiny, but bronze oxidizes over months years to come. It's gonna turn green. Right.

Just like, you know, the Statue of Liberty or any number of statues. And the symbolic importance here is that, you know, data corrupts all the time, changes all the time, just like the bronze, will will change over time. And then another thing I find fascinating is that there's a hidden message. If you look at the message here, there's sort of like hieroglyphs or a signal as Joey called it herself, a message she purposely hid on this sculpture. And, interestingly, at the last stage before she encoded the message into this hieroglyphs, she used a one way hash mark.

Okay. What that means, it means that the message is unrecoverable. Right. So there is a message. There's a message hidden in this art piece, but no one can never recover the message.

Sort of like if you don't pay the ransom for ransomware, you will never get your files. But is that strictly speaking true, or that's theoretically true? Well, it's true as long as we didn't have quantum computers. Right. You know, one way hash.

But actually, I don't think even quantum can solve that. One way hash loses information on purpose. Okay. So it's basically hash of the original thing. It's unique for the message.

We know there's a message. If we know the message, we know the hash matches. We know that we recover the message from the hash. But if we have the same one way hash algorithm and we're using the same public key going into the one way hash mechanism and we have infinite resources to throw at this. Right.

In theory, we could arrive on it over the course of time. Absolutely. You're right. Just like we can recover passwords even though they went through one way hash function by trying all possible possible. All possible possible.

Possible messages and if you get the same hash function, yeah, doable. Very tricky, very unlikely to happen. Well, you should have gotten the sigil on video there. If you're really interested in a challenge and you've got some resources to throw at it, go for it. Yes.

There's a reward for it. Right? Oh, is there? Well, I'll I'll I'll get a reward. Coffee on Mikko is what I'm hearing.

I got a bottle of gin. Alright. There we go. Alright. Very good.

Let's move on to the next part of the museum. Alright. Sounds good. This interactive market is called Threatscape designed by Iikko Kuusela. We've actually used this outside of the museum already in, like, conferences and fairs as interactive.

We we wanted to, you know, get people to somehow join into the action. So we have, like, a simulation of the network environment that we'd like to take the attack here on top of this cube. The thing is gonna detect that there's someone there, and then you can grab this piece of malware from the thin air. And we use the generative AI system to generate every time a different unique piece of malware, description, name, and the image. And the person who caught, "caught" the malware, they have a brief moment to actually scan the QR code and download the malware on their phone or safely download the malware.

It's it's a real malware to simulate the malware. And now we run out of time, and it will disappear, and we will never see the same malware yet. There's only the amount of things that we're able to generate. And we actually had someone comment about this during the, dirty shots, doing the opening of the model that we sell. But, yeah, it's it's kinda nice.

The amount would be the amount of malware. But wouldn't it be more challenging or interesting if there would be a little bit amount, a 100 different, and you could collect them all. Maybe then they can fight each other. Right. It sounds like an interesting idea.

We've got we're calling about an idea about doing this before and making different versions where you actually collect Alright. Yeah. Malware go. Malware go. So those those those things.

Alright. If we turn around this side, here we have music inspired by Malware. The, old iPod here is playing an LP or an album from a heavy metal band or chiptune heavy metal band called Master Boot Record. Master Boot Record is an Italian band, and they make a very unique flavor of heavy metal. And, of course, Finland is the heavy metal capital Capital of the world.

Yeah. Everybody loves metal over here. We also are showcasing the album itself. It's a limited edition of of the album, which is called Virus dot DOS, recorded in 2018. So this clip wasn't commissioned for the art, but we wanted to showcase it because every song on this album is inspired by one particular MS-DOS virus.

And every single one of the track is also named after the virus. And, if you go to the website of the museum, museumofmalware.art there's actually a link. A Spotify link to the album for those of you who are interested to understand what Chiptune heavy metal sounds like. I mean, it's a pretty niche market, but I feel like it's exactly if if you drew the Venn diagram of Museum of Malware Art Visitors and Modern Cyber Listeners, it's gonna be a pretty good overlap. So this is probably the Spotify playlist for our audience.

Yes. We recommend it. I've I've seen the band live. Twice It's amazing. The band will actually be visiting the museum live in February if that could happen.

Awesome. And here on the listening station, there's actually chairs for people to sit down. The chairs have been upholstered in custom fabric, which was designed for us by a fabric designer, called Johanna Vierimaa. This is called Ducktail. Ducktail is a piece of malware from Vietnam, which we found here at WithSecure in 2023.

It's a family of financially dedicated malware. And, So kind of in the info stealer category looking for banking credentials and things like that. It's actually stealing, Facebook business accounts and other things, which can be used to make money, have been used to make money by this group. And Johanna was inspired about the story. You can actually see a small duck in feet in the in the fabric.

And we've used this fabric in different ways. We've made pocket squares out of it that we sell in the museum shop or gift shop for the museum. Yep. And, we made laptop bags, and this is the infamous Tankki tuoli Traditional Finnish design. Upholstery with the same design. So we tried to make different ways, different kinds of art for the museum of photo art. So we have sculptures, painting, fabric, music, soundscapes. We're actually not gonna able to take a look at the soundscape, but even the toilet in the museum have soundscape, which has been inspired by phishing attacks and scam messages, which basically is gonna be Yeah. Going to one of our, booths in the toilets.

Someone is gonna start to recommend to do this great investment of the few that you can do this new crypto comments. Okay. Or you might be getting a missed about a ETH or hack, so to speak. Museum of malware art coin? Oh, I love that.

I think we can make a blockchain. There we go. Sounds good. It leads us to the last piece we'll take a look at in the museum of malware art. So graffiti and malware has, I think, something to do with each other.

And when I first got into malware myself in in 19 nineties, I didn't see any or or anything of value in art. I've learned to appreciate that there really really is artistic features there as well. And I think many people have had the same discovery with graffiti. Like, when you see dirty tags on the sides of building, they don't look like art at all. But sometimes you see a really beautiful graffiti, colorful, clearly artistic.

Yeah. So here we work together with, graffiti artist EGS. He's famous for making really large pieces, typically with spray cap. And like many graffiti artists, he always repeats his name. If you look closely, you'll see EGS.

EGS. EGS will be over and over again in this piece, which is called InterContinental and which was inspired by the Blaster Worm outbreak of 2,003. So when we started the collaboration with EGS, we provided him with material about Blaster Worm, which was one of the largest Internet world outbreaks history. What kind of material did you provide? Well, we we analyzed the malware in 2003, we we merged into their export.

It was using Windows RPC export. It was basically scanning machines on the Internet whenever it found the machine because on the right. Yep. And and it's for our PC, hopefully, to be infected, and then that machine would start scanning the whole Internet as well. And when the outbreak started, it started from Asia.

So this is actually the world map. We have created back then the world map visualisation where the malware outbreak started in Asia, infecting machines in Japan and in Australia, but it was daytime. And then when the day dawned in Europe, the the outbreak moved slowly but surely to different European countries. People wake up, turn on their computer, and it gets infected. And then 4 hours later we start seeing infections in New Jersey, New York, of course, South America, everything we call that, and then it goes around the world.

And that's what inspired EGS to create this piece, which is actually a stainless steel instead of graffiti. But it's a permanent exhibition of what the outbreak looked like. And once again, we wanted to have it here in our windows so people can see from the inside and also from the outside as we light these up during the evening Yeah. Maybe a little bit of geographic curiosity with it, but I really like the, designs here. I I wasn't aware there was kind of a, water break between Asia and Europe here in the middle, but This is artistic freedom.

There we go. Artistic interpretation. This is really interesting. When what did this malware do? Blaster didn't do anything else except spread.

It showed no messages. It wasn't destructive, but it did create a botnet which could be used to launch denial of service attacks from the machines which were infected. But by and large, it caused problems because of the this scale of the spreading. Okay. Far too efficient for its own good.

So the network, the logistics were congested Yep. Because it was just generating so much stuff. So this is effectively a denial of service attack but on a local network level as opposed to what we see now with kind of distributed denial of service attacks coming from, you know, botnet spread on the Internet that largely target, you know, it's impossible to take the Internet offline or I'd say very hard to take the Internet offline, but you can take down individual websites. But this was the case where it took down individual corporate networks as a result of the congestion that they experienced. Yeah.

These early outbreaks had a side effect of denial of service. So, for example, love letter that we looked at earlier, that created so much email that the email system's crashed. Yeah. Yeah. I actually remember, it was either love letter or Melissa or one of the similar it is so big, One of these early emails web outbreaks that we were analyzing it in our labs.

I wanted to send a block list of IP addresses that needed to be shut down by operators to shut down the worm. I tried sending that list to search operators in different countries. I couldn't get the email go through because the email systems of the operators were down. Were down. Because of the word.

Yep. I I actually ended up faxing the list. Oh my gosh. Fax still worked. Fax still worked?

Yeah. Yeah. I certainly remember going through Melissa, two waves of it at the company that I was at the time and I think many people had the same experience. You got the infection, you figured out what was going on, you figured out your mitigation method, clear your message transfer agent queues on your exchange server, wipe out, you know, sometimes you will wipe out legitimate email as part of that as well, but then you could at least get email back up and running, but then inevitably somebody was on vacation, would come back a week later, open their email inbox, click the thing and you were going through the same process once again. The crazy thing about the the Love Letter outbreak that you spoke about earlier was that in 2,000, we got it ourselves.

Yeah. One of our employees we were looking at the art piece. Kim, who used to work with already back in 2000, remembered, yeah. Yeah. Yeah.

I got this. I was working in this company, and I got it in my work email from my girlfriend. And I immediately knew that this is fake. She wouldn't write like this. She wouldn't send a message saying I love you.

Nice. But this is the museum of Malware Art in Helsinki, Finland, permanent exhibition, public exhibition. This is an invitation to you. Come and visit the Museum of Malware Art. Awesome, Mikko.

Thank you so much for the curated tour. It's been a real pleasure.