Would you pay more than a million dollars for a Samsung laptop that is 11 years old? How about I sweeten the deal by adding that it’s running the long-since out of date and unsupported Windows XP operating system? Still not doing it for you? OK, here’s the deal-maker: this laptop is also infected with some of the most notorious malware the world has encountered over the past 20 years. If you still think that $1.2 million is a little much for a laptop, however infected, at least the shipping is free and there are no fees for bidding in the auction.
Created as an art project called The Persistence of Chaos, as first reported here on Forbes, this is a collaboration between Beijing-based artist Guo O Dong and New York-headquartered “deep learning” cybersecurity vendor Deep Instinct. Guo’s previous projects have included being led around Brooklyn on a Segway by a hipster on a leash, and a Twitter bot which substituted Chinese names into retweeted postings. Neither of which comes close to being as controversial as selling a laptop pre-loaded with examples of “live” malware. Talking to Vice, Guo described the project as “a kind of bestiary, a catalog of historical threats. It’s more exciting to see the beasts in a live environment.”
So what do you get for your $1.2 million? In terms of the hardware, it’s just an old Samsung NC10 laptop from 2008 running Windows XP SP3. But it also comes complete with no fewer than six pieces of malware. There’s the ILoveYou virus from the year 2000, which gained notoriety by infecting more than 50 million devices in just ten days. To which you can add the 2003 SoBig worm that is one of the fastest spreading worms ever, but not as fast as MyDoom from the following year, which also appears on the laptop. Fast forward to 2015 and we have the BlackEnergy malware that helped turn the lights off in Ukraine when it was used in a cyber attack on the power grid. WannaCry also makes an appearance, fresh from causing havoc to NHS hospitals in 2017. The last, and most recently deployed, piece of malware to feature is the DarkTequila credential stealer from 2018.
At this point, you are probably thinking that this all sounds a little, well, illegal. You’d be right insofar as it is a crime in the U.S. to distribute or sell malware for nefarious purposes, but this is a work of art. Apparently. The disclaimer here is that while the sale is being conducted from New York, the infected laptop isn’t being sold for operational purposes. Indeed, the terms of sale clearly state that the buyer has to agree the purchase is “as a piece of art or for academic reasons” and that they “have no intention of disseminating any malware.” What’s more, upon the conclusion of the auction and before the laptop is shipped, the internet capability along with all ports will be “functionally disabled.”
There is a further disclaimer though, which confirms that the malware files will “come encrypted and locked with specific instructions to unencrypt” but goes on to remind the buyer they are both live and dangerous samples which should be run “in a VM (virtual machine) which has no internet connection. Running them unconstrained means that you will infect yourself or others with vicious and dangerous malware.”
Deep Instinct, which was responsible for providing the malware and the “technical expertise to execute the work in a safe environment” also states that it “shall have no liability, and you agree to reimburse, indemnify and hold it harmless against any and all claims from any third party that the use of the Work of Art, including but limited the unauthorized use of the Work of Art (e.g. by connecting it to any computer network).” I have to say that none of this makes me any more comfortable at the thought of such a collection of malware being made available on the open market. I fear it seems like an accident, or at least an information security incident, waiting to happen.
Etienne Greeff, the CTO and founder at security service provider SecureData, sums it up when he says that “paying $1,000,000 to acquire some malware while my users still use ‘Password1’ does illustrate that art does not make sense.” But if you still really want a computer with malware pre-installed then I’d suggest looking for a second user laptop running Windows XP. The chances are pretty good that not only will it come with more malware than you can throw a stick at thanks to the operating system being long past its end of life date, but it won’t cost anything like a million bucks. As a bonus, the internet connectivity will probably be OK as well. Failing that, disable any antivirus software you have on your current laptop and leave it connected to the internet for a day or two. Of course, I’m not actually recommending you do either of these things—or spend a million dollars on an old malware-infected laptop for that matter.