The Caribbean country of Cuba is a vintage car museum, with Chevys and Plymouths from the 1940s and 1950s, some in mint condition, others rusting away and featuring spare parts from Volgas, Ladas and other Soviet vehicles imported since the 1960s.

While classic cars appear in photographs and are often cited as a top tourist attraction, another side of retro Cuba is hidden from view. The country has some of the oldest computers still in use, and it was likely the place where the last MS-DOS viruses were seen in the wild not very long ago.

An open time capsule

Software developer Victor Manuel Alvarez, the creator of the malware research tool YARA, is a Cuba native. He got his B.Sc. in Computer Science from the University of Havana in 2001, and during the last year of his studies, he worked for Segurmática, the only Cuban antivirus lab.

Alvarez became interested in security just in time to catch the end of the DOS malware era in Cuba and, probably, in the world. “It wasn't uncommon to see MS-DOS running in some places even in the early 2000s,” he says by email. Several current and former Segurmática employees confirm this for CSO, and one says that the lab’s products are still working on Pentium III CPU-based computers running Windows XP. The company did not reply to our requests for comment.

“We are a little country, but our people put their hearts in what they do,” a Cuban researcher tells me in English. “We try to do our best.”

Before 2008, only foreigners and companies were allowed to buy PCs. The first decree Raúl Castro signed after he became Cuba’s leader authorized the unrestricted sale of computers, DVDs and video players. Even so, in a country where a few U.S. dollars could go a long way, only a limited number of locals could afford them.

The state of technology in Cuba has significantly improved in the last decade. 
When Alvarez was a teenager, it was common to see PCs that were 10, 15 or even 20 years old, he says. “I started to learn programming with an IBM XT clone from 1983, and it was 1993! Those computers were still in use in 1995-96.”

Cuba imported hardware from whoever didn't mind violating the U.S. embargo, Alvarez says. “It was something similar to what happened with cars. We had a variety of computers from different brands and countries, including Russian, East German, Japanese and American ones. I remember using some real Texas Instruments and IBM PCs.”

Alvarez experienced DOS malware more as a user than a researcher, as he liked to share floppy disks with his friends. “Most of them were relatively boring viruses, with no visual effect, but at some point, I remember getting the Cascade virus, which caused the letters in your screen to fall down,” he says. “I was more amused than frustrated.” Security intrigued him, so he spent a lot of time learning Assembly, doing reverse-engineering and using system debuggers. When he was about to graduate from the University of Havana in 2001, he had to do his thesis project with a company, a common practice in his country. So, he approached Segurmática. “They welcomed me warmly, and I worked in the detection of memory-resident viruses in Windows 9x,” he says.

Alvarez is now living in Spain, and for the last seven years he has been working as a staff software developer for VirusTotal, a platform that lets users scan files for malware. I ask him when the last DOS virus was uploaded. “Today,” he tells me. “We constantly receive all kinds of malware, even MS-DOS malware. This doesn't mean that all the malware we receive is found in the wild. In many cases, it's just people scanning their malware collections.”

Nobody knows for sure, but several security researchers believe that MS-DOS malware has lived the last chapter of its life secluded in Cuba. 
It was the end of a fascinating journey that began across the globe, in a small computer shop, in Lahore.

Tracking down the first MS-DOS virus

One day in February 2011, researcher Mikko Hyppönen of F-Secure left his freezing Finland to go to Lahore, one of Pakistan's most progressive and cosmopolitan cities and the place where Brain, the first MS-DOS virus in history, was written in 1986.

As a young security researcher, Hyppönen analyzed Brain and was mesmerized by how it worked and where it came from. So that winter, to mark the 25th anniversary of the virus, he decided to board a plane and finally go to Lahore to meet Brain’s creators.

“It felt really surreal,” Hyppönen tells me by phone. “I've got some kind of closure on myself for the whole thing. We captured an important piece of IT history, and I think we also got some kind of an answer to the mystery of the first PC virus.”

Tracking down Brain proved to be remarkably easy. Inside the code, its authors, brothers Amjad and Basit Farooq Alvi, listed a physical address and three phone numbers. “You would think that over the years they would have moved many, many times, but that’s the address where their company still operates today,” Hyppönen tells me.

When he arrived in Lahore, he didn’t know what to expect. The streets were filled with three-wheeled cars, donkey-drawn carts and motorcycles. But the brothers welcomed him, and he had the chance to do an interview. Amjad and Basit Farooq Alvi are now successful businessmen in Pakistan, and their company’s name is Brain Telecommunication.

Hyppönen asked them why they wrote the virus. They said they wanted to explore the holes in MS-DOS, but also to see how far software written by them, in Pakistan, could travel the world by floppy disks. 
They built medical software at that time, which was often pirated, and with Brain they believed they could track down illegal copies.

Tech-savvy users from different parts of the world noticed the virus in the late 1980s, and some even called the authors using the phone numbers hidden inside the code. “The first call we received was from Miami University,” Amjad Farooq Alvi told Hyppönen, “[from] someone taking care of a local magazine...I was shocked rather, because I had no expectations that…it will go so far.” Brain infects the boot sector of a floppy disk. The original boot sector is moved to another place on the disk and marked as bad. The Pakistani brothers said the virus was not meant to be destructive. It was just an experiment, they said.

“They didn't really think that they were doing something nasty or illegal,” Hyppönen says. “And it wasn't illegal at that time; they broke no laws. They were basically curious.”

Gambling for your files

The Finnish researcher is a bit nostalgic for those early moments that marked the beginning of the security industry, when computer viruses were written for fun rather than profit, and researchers often had to solve clever puzzles or find hidden messages. It was a time when viruses were written by hobbyists, not by government-sponsored groups. A time when geography and social class mattered less, but intelligence triumphed.

I ask Hyppönen to name his favorite DOS virus. He picks Casino, a piece of malware that lets the user try to win deleted files back on a digital slot machine. “This actually works; it gives you five chances to play the game,” the researcher says.

Casino activates itself on certain days of the year. It copies the file allocation table (FAT) to memory, and then it wipes it from the disk, so practically every file disappears. “The virus gives you the chance to play a game, and by winning the jackpot, you get your files back. 
If you don't win, you will lose all your files. And if you don't play the game, if you reset the computer, you automatically lose,” Hyppönen says. He wishes he had done more to help early virus authors who, unlike the Pakistani brothers, turned into cybercriminals. “These were often people who were victims of the circumstances where they were growing up,” Hyppönen says.

He remembers a teenager he talked to in the 1990s, who started writing viruses to break away from his world. “He was in the middle of Finland, in the middle of nowhere, with the cows and horses,” the researcher says.

The teenager uploaded his work to a BBS (bulletin board system), an early type of forum for sharing software, chatting and reading the news. “The boy explained to me that he felt trapped in[side him]self. So, he wrote something which escaped, and when his virus made it out all the way into California, he felt good,” Hyppönen says.

These stories from the beginnings of the security industry should be told, not forgotten, Hyppönen says. Luckily, he thought about preserving those moments early on. He started to collect malware samples in 1991, thinking that they might be valuable one day. Like Brain, many of his viruses are stored on 5¼-inch floppy disks with the write-protect notch sealed with tape.

A few years ago, he donated his samples to the Internet Archive’s Malware Museum, so that young people and technology historians could see what it was like to have a computer infected with viruses in the late 1980s or the 1990s. Such initiatives to save the history of malware gather enthusiasts all across the world.

Malware in the mountains

At the base of the Rocky Mountains, in Boulder, Colorado, old technology gets one more chance to shine. 
The Media Archaeology Lab (MAL), a museum that hosts some of the most exciting computers ever made, is a space that welcomes anyone who wants to better understand the history of technology and its impact on society. “The past must be lived so that the present can be seen,” is the lab's motto.

Computers such as an Apple I replica, a few Commodore 64s, and even an Osborne 1, the first commercially successful portable machine, are set up on long benches next to typewriters, video game consoles, audio cassette players and cameras. All are in working condition and can be used by retro-tech enthusiasts and artists.

Andrew Brandt, principal security researcher for Sophos, who lives in Boulder, visited the Media Archaeology Lab last year for the first time. “I absolutely went over the moon for it! Because these are the kinds of computers that I used as a kid.”

Brandt started volunteering at the museum one afternoon a week, hoping to get his hands on some archaic software, but also to help the museum build a large collection of malicious samples. “I’m a malware analyst,” he tells me. “The MAL has a huge library of software, but one thing that they didn’t have, and that most people don’t have, is old malware. I wanted to see if I could get old viruses to run on these old devices.”

Brandt began to reconstruct four decades of security history by collecting samples and drawing a timeline that shows how viruses have evolved. He tries to understand what can be learned by analyzing pre-Windows malware and “whether or not we can actually see a genetic line between these old viruses and more modern ones.”

His research is still ongoing, but he plans to reveal his first conclusions during the next Virus Bulletin conference that will take place in London at the beginning of October.

The Sophos researcher wants to go back in time as much as he can. 
He started with Elk Cloner, one of the first known microcomputer viruses that spread in the wild. It was written around 1982 by an American 15-year-old, Rich Skrenta, whose sole purpose was to play pranks on people. This was a boot sector virus that spread by infecting the Apple DOS 3.3 operating system. Another early virus is BHP, written in 1986 in Germany, the first piece of malware to attack the Commodore 64, Brandt’s childhood computer.

Let the games begin

The Media Archaeology Lab’s sample collection keeps growing, and quite a few MS-DOS viruses have arrived on the shelves. By looking at them, one can see how virus authors improved their skills to avoid being detected by security researchers. “It was the beginning of this cat-and-mouse game,” Brandt says.

Dutch researcher Righard Zwienenberg of ESET witnessed this game firsthand. He started working in security in 1988, and he still remembers the first MS-DOS virus that intrigued him. It was a variant of Jerusalem, he tells me: Jerusalem.1808.A204.A

“It was the first virus I encountered at the Technical University in Delft,” Zwienenberg says. Jerusalem was first detected in October 1987, and it had some quirky ideas for its time. It infected executables, adding about 1,800 bytes to their size. Most .EXE files would enlarge each time the user ran them. This could slow the computer, but momentarily — that was it.

The virus was set to go off on Friday the 13th, every year, except for 1987, and once the doomed day came, it deleted the programs the user attempted to execute. It displayed a slightly altered message when someone wanted to run an executable file. It read “Bad Command or file name,” with a capital C, instead of the well-known “Bad command or file name.” A retro-tech collector himself, Zwienenberg likes to educate people on old viruses, and often likes to point out that some of today’s most common threats have been with us for a long time. 
He has a talk titled “Oops! It happened again,” which he delivers together with Eddy Willems, security evangelist at G Data.

Ransom for a cause

“Do you know when the first ransomware appeared?” he asks. “It was 1989.” That virus, known as the AIDS Trojan, infected computers through a floppy disk tagged "AIDS Information Introductory Diskette," which was sent by snail mail.

AIDS would replace the AUTOEXEC.BAT file and would count how many times the computer booted. When it reached 90, it hid the directories on drive C: and it encrypted the names of files, rendering the computer unusable. It asked for a $189 ransom to be paid to a post office box in Panama for those who wanted to access their data, Zwienenberg tells me. “I don’t know how the author came up with that number, 189.”

It was soon discovered that the AIDS Trojan was written by an evolutionary biologist, Dr. Joseph Popp, who was later detained. He defended himself during the trial saying that all the money would have gone to AIDS research, a topic the author was interested in.

Even so, most virus writers from the late 1980s and early 1990s didn’t necessarily want money, Zwienenberg says. They were more interested in learning, and they hoped to get “15 seconds of fame on CNN.”

Unlike today, when malware tries to stay hidden, old virus authors preferred to put on a show and display not only technical, but also artistic skills. “Think about Yankee Doodle, which played the theme at 5 pm every day; Walker, where an old man with a stick walked across the screen; Casino or Cascade,” Zwienenberg says. Sometimes, we lose sight of the lessons that had been learned a few decades ago, the Dutch researcher says. Sophos’s Brandt agrees. “Companies are so focused on the next thing, that they become less aware of the past,” he says. “This is not helping us in the future. 
We’re getting lost in the forest for the trees, and we’re not looking at the big picture.”

This is why, like a rusty Plymouth car from Cuba, the MS-DOS malware history is in need of restoration.