• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Malware
 

Malware

on

  • 587 views

Nikola Milošević from OWASP local chapter Serbia held presentation on December 10th in University of Belgrade, School of Electrical Engineering about history and evolution of Malware, from Brain to ...

Nikola Milošević from OWASP local chapter Serbia held presentation on December 10th in University of Belgrade, School of Electrical Engineering about history and evolution of Malware, from Brain to Flame.

Statistics

Views

Total Views
587
Views on SlideShare
586
Embed Views
1

Actions

Likes
0
Downloads
24
Comments
0

1 Embed 1

https://cybozulive.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Malware Malware Presentation Transcript

    • History and Evolution of Malware How to fight malicious code Nikola Milošević nikola.milosevic@owasp.org
    • About Me• My name is Nikola Milošević• OWASP Serbia local chapter leader• OWASP anty-malware project contributor• Interested in topic, wrote and analyzed some keyloggers, spam bombers for self amusement and educational purposes• Working at ManageWP, Company LogoPrelovac Media
    • What is malware?• Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
    • How it started?• Brain.A – January 1986.• Welcome to the Dungeon © 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...
    • Then it continued• Stoned -1987• Cascade – 1987• Form - 1990• Omega – showing omega sign on Friday 13• Michelangelo – 1992• V-Sign – 1992• Walker...
    • Mutation• 1992. MtE or Mutation Engine• Creating polimorph viruses, hard to detect• Author – Dark Avenger
    • GUI• Virus Creation Labor
    • Windows came out• WinVir – 1992 – first capable of infecting PE files• Monkey – again Master Boot Record• One_half – polimorphism, crypting• Concept – 1995 – infecting Office files
    • Windows...• Laroux (X97M/Laroux) 1996.• Boza (jan 1996.)• Marburg (1998) – Wargames CD – PC Power Play CD – Slow polimorphism – After 3 months he shows:
    • Mail worms...• Happy99 (1998) - first mail virus• Melissa – macro virus+mail worm• LoveLetter (2001) – one of thebigest outbreak in history• Anakournikova – social engineering• Mimail (2003)
    • Real worms• Morris Worm (1988) – first internet worm• CodeRed (2000) – no user interaction – Spread around the globe in few hours(attacked IIS) – After 19. days lunched DoS attacks (White House)
    • Real worms 2• Nimda – mail virus with attachemnt affecting Win 95,98,Me,NT4,2000 – Worm affecting IIS using unicode exploit – Modifies website to offer downloading of infecting files – Used end user machines to scan network – Can reach PC behing firewalls – Has bug that causes crashes or inability to spread
    • Money, money, money• In 2003 was found first virus made for financial gain• Fizzer – sending spam – Attachment that takes over PC and send spam
    • Malware authors
    • Malware authors
    • Getting destructive• Slapper (September 13th 2002) – used OpenSSL vulnerability to spread. – Had backdoor that listened on port UDP2002. – Infected Linux hosts (Apache servers)• Slammer (2003) – Attacks SQL Server, – never writes anything to HDD. – Generates trafic. – Root nameservers down (5 of 13)
    • Getting destructive 2• Blaster (august 2003) – Buffer overflow in DCOM RPC – SYN flood on windowsupdate.com (Aug 15 2003) – 2 messages : • I just want to say LOVE YOU SAN!!soo much • billy gates why do you make this possible ? Stop making money and fix your software!!• Sasser (April 2004.) – Used buffer overflow in Local Security Authority Subsystem Service – Spread over network – Crushed infected PC in minute
    • Getting destructive 3
    • Rootkits• Sony BMG (2005) – First rootkit was created by SONY – Kelly Minogue, Ricky Martin and 50 more titles – Intension was copy protection – Hides files that stats with $sys$ – Virus writers used it to hide – Great scandal – Bad PR handling by SONY
    • Rootkits• Mebroot (2008) – Uses browser explot (used Monica Beluci web site), infects MBR – Hides as rootkit – Sends keystrokes to attacker, if it crashes sends trace to attacker/creator• Conficker(2008) – Created botnet – Spread using USB, NS, LAN – 9-15 million infected
    • Ransomware• Blackmailing
    • Let the war begin• Spyware, keyloggers• Cyber espionage, industrial espionage• German police released Troyan spyware in 2010
    • When the war get serious• Stuxnet (2010) – Big game changer, first intended phisical sabotage of industrial system – Spread over USB, used 5 exploits (4 was 0days) – When it was discovered it already did what it was made for – Kills itself on June 24th 2012. – To do something PC has to be connected to particular PLC that is connected to particular industry
    • When the war get serious 2• DoQu (September 2011) – Similar codebase as Stuxnet – Used for information retrieval and espionage of victim, but has injection and rootkit capabilities – Written in higher languages, it is believed OO C, compiled with MS Visual Studio 2008• Flame(2012) – Can spread using USB or LAN – Can record audio, video, skype calls, network trafic, steal files (Office, PDF, txt)... – About 20MB!!! But modular, so attacker can add more modules – Written in Lua and C++ – Remotly controled and killed – As DoQu and Stuxnet has valid stolen cerificate
    • Quick classification• Virus• Worm• Troyan horse• Malicious mobile code• Backdoor• User and Kernel level rootkits• Combination malware
    • Malware analysis• Its all about reverse engineering – Reverse engineer how malware works – Specifiy algorithm for protection – Develop protection• Some malware analysis labs automated some processes• Not everything can be automated
    • Reverse engineering• Dinamic reverse engineering – Have system diagnostic tools and loggers – Run the code – Observe what is happening to system, network, files...• Static reverse engineering – Decompile the code – Analyze it and find out what is code doing
    • Questions