It looks like a normal PC, but it is the computer with the most malware installed in the world. The VirusTotal team calls it MICE (‘The Most Infected Computer Ever’) and during the inauguration of the new GSEC in Malaga we were able to verify that it is still working.

The question was “how many malware from different families can we run at the same time?” This is the challenge set by Bernardo Quintero, founder of VirusTotal and director of security engineering at Google. At Xataka we spoke with him about how this computer was created, what he set out to achieve and how the whole world around malware has changed over the years.

MICE is still an experiment: a test of how much malware can run on a single computer without crashing the system. The result is this computer, which they have put on display in the new Google cybersecurity center and which contains up to 30 different types of malware, all executing at the same time without causing a system collapse.





“In the end it is something educational. We wanted to make a website where we would explain all the different types of malware that attack us, but it was not very attractive. And I came up with this idea, as a challenge,” explains Quintero.

The founder of VirusTotal does not remember the exact moment the idea emerged. He points to 2019, somewhat before the pandemic. “The challenge was to find malware that didn’t stick together too much,” he says. “At first it failed a lot, since by the third or fourth there was some type of incompatibility. It was trial and error.”





It took a week of work to reach 30 different types of malware. “The great advantage we had was the large VirusTotal database. We simply searched for certain families and among them, we looked for which files were not incompatible. And also the order of execution,” Quintero describes. Finding the correct order of execution was precisely the most complex part, because in a different order the system collapses.

MICE can currently operate for more than 24 hours without problems. The Google team normally keeps it turned off and turns it on when they want to give the demonstration. For that they have a ready-made command that runs all the malware again, in the order they know does not crash the system.

They recall that during its creation the computer’s GPU crashed, although a priori that should not be related. At the hardware level, MICE is a typical computer. It does have a large front fan, mainly to counteract the heat from the Miner, the type of malware that mines cryptocurrencies without the user’s permission.

This is just one of the 30 types of malware that are running. “We have chosen some representative samples of the oldest viruses. For example, the ambulance virus, which was the first real virus of its category,” explains Daniel Vaca, software engineer at VirusTotal.

The full list, which can be found on the VirusTotal team’s GitHub page, is as follows: APT, virus, worm, backdoor, exploit, banker, clicker, FakeAV, spyware, keylogger, VirTool, dialer, toolbar, adware, miner, bot, ransomware, game thief, rootkit, IM worm, Net worm, P2P worm, DDoS, dropper, hack tool, MailFinder, Joke, Autorun, hijacker and trojan.





MICE runs on Windows XP since, as they point out, on more modern operating systems it probably would not be possible to execute all of this malware. “I went straight to Windows XP because I more or less know the operating systems and it was clear to me.”

“I did it at the time and I forgot a little about the project, because in the end it was something anecdotal. What happened is that I did realize its usefulness, especially educational and training. With the excuse that it is the most infected computer in the world. My first goal was 10, then I went to 20 and then I reached 30 families. I mainly looked for the different types of malware to have a graphical effect. Because if not a little, this computer has 30 malware at the same time but if they are in the background you have to believe it,” Quintero describes.





The result is very striking, since Quintero opted for different malware with a visual effect. The windows range from red error alerts to notices in Russian, by way of the Happy New Year 1999 animation.

“We have the ambulance, the ping pong… now a visual effect no longer makes sense, because what interests them is to remain in the system for as long as possible without being detected,” he points out.

“Once the 30 are running, it is quite stable,” explains its creator. Would it be possible to replicate it? At this, Quintero stops for a second and answers that “perhaps a person with knowledge can do something similar. Yes he could, as long as he has access to the different malware samples. Because that is the advantage we have at VirusTotal. It doesn’t require super advanced knowledge, it’s a matter of a lot of trial and error.”

“At first I was not clear exactly which ones, within all the families, were specifically the most suitable. I was looking for them based on size; those that consume fewer resources. I believe that we are not missing any type of malware. We have more than six million in our VirusTotal base and these 30 represent all the variations,” says Quintero, highlighting the educational value of the experiment.

The VirusTotal team has taken MICE to schools, as part of cybersecurity education. “What they ask us most is if Fortnite runs; what graphics it has and how the Miner works. We believe that it does serve to teach them many things, although we have to suddenly remind them of details such as that routers used to connect by phone,” points out Vaca, in reference to the Dialer malware.





Quintero explains to us how much the sector has changed since then: from the golden age of computer viruses, when there was no monetization behind them and it was “a bit of personal ego within the world”, to today, when cybersecurity is a global issue and companies dedicate billions of euros to it. “The Internet arrived and changed everything, because it was already seen that there was a vein where the issue of malware could be monetized. That’s where we started with the issue of AdWare.”

“I had to be constantly searching through underground forums and then I came up with the idea of VirusTotal. People will send me suspicious samples, I collect them and in real time I see how the antivirus detects them and I get my statistics. That was my original idea. Then I saw that from those comparisons I knew that each antivirus covered a part of the malware and they began to use it to complement each other and in the end offer more effective protection,” he recalls.

“That culture of anonymity has been lost a bit. Now everything has become very professional,” explains Quintero, while recalling that Spain has had great malware experts, such as the 29A group, which was composed mainly of Spaniards and created the first virus for mobile phones on Symbian and the first virus for Windows 95. What happened to them? We asked him: “I think the majority have ended up dedicating themselves to computer security issues. They were very low-level specialists, assemblers and such. The truth is that they were very good technically.”

“They made very advanced viruses, but they were never malicious in terms of deleting files or doing damage. They sought to be the spearhead in terms of research. There was a case where one of the 29A members designed a worm-type malware, the first in binary format. But he was worried that it would escape. What he did was provide me, who was at Hispasec, with the virus sample so that I could analyze it and get the report before it spread. A bit like having the vaccine before the virus hits. There was a certain ethic.”

