BSides algiers - Malware History - Sofiane Talmat


  1. The Malware Industry (Part I)
     Presented by: Sofiane Talmat
     Malware research team: Sofiane Talmat (Algeria), Ehab Hussein (Egypt)
     http://www.synapse-labs.com info@synapse-labs.com
  2. Security, Corporate Services, Services, Solution, Trainings, Development
  3. Viruses don't harm, ignorance does!
     « The evolution of malware within the last ten years is described by the evolution of people who develop that » (Eugene Kaspersky)
  4. • 1948 – 1966 (First theoretical approach)
     • John von Neumann, « Theory of self-reproducing automata »
  5. • 1971 (First worm)
     • Robert (Bob) H. Thomas (BBN Technologies): "I'm the creeper, catch me if you can!"
     • Machine: PDP-10
     • System: TENEX
     • Transport: ARPANET
  6. WORM
  7. • 1974/1975 (First Trojan virus)
     • John Walker, « ANIMAL », UNIVAC 1108
  8. TROJAN HORSE
  9. • 1982/1982 (First microcomputer virus)
     • Rich Skrenta, « Elk Cloner », Apple II boot sector
  10. BOOT SECTOR
  11. • 1986 (First IBM-PC virus)
      • Basit & Amjad Farooq Alvi, « Brain » boot sector virus, also known as « Pakistan Flu » and « Lahore »
  12. • 1986 (First file-infector virus)
      • Ralf Burger, VirDem. Message displayed by the program:
        VirDem Ver.: 1.06 (Generation #) aktive.
        « Virdem model » Copyright by R.Burger 1986,1987
        Phone.: D - 05932/5451 .com
        This is a demoprogram for computerviruses.
        Please put in a number now. If you're right, you'll be able to continue.
        The number is between 0 and x
  13. COM INFECTION
  14. • 1987 (Destructive viruses) – Vienna / Lehigh / Yale / Stoned / Ping Pong
      • Cascade (self-encrypting file virus); IBM Antivirus
  15. SELF-ENCRYPTED
  16. • 1987
      • Jerusalem: 1808 (EXE), 1813 (COM), « Infecting .EXE »
      • Aliases: ArabStar, BlackBox, Interrupt, BlackWindow, Friday13th, Friday 13th, HebrewUniversity, Israeli, PLO, Russian
  17. EXE Infection
  18. • 1988 (First Internet worm)
      • Robert Tappan Morris, « The Morris worm »: buffer overflow, 6000 infections
  19. BUFFER OVERFLOW
  20. • 1988 (First multipartite virus): Ghostball
      • EXE / COM / boot sector
  21. Multipartite virus
  22. • 1988 (First polymorphic virus)
      • Mark Washburn & Ralf Burger, « the Chameleon family » (based on Vienna and Cascade): 1260
  23. Polymorphism
  24. • 1995 (First macro virus), « Concept »
        Sub MAIN
        REM That's enough to prove my point
        End Sub
  25. Macro Virus
  26. • 1998
      • Chen Ing Hau
      • CIH v1, « Chernobyl / Spacefiller »
      • Sep. 1998: Yamaha driver
      • Oct. 1998: Activision game SiN
      • Mar. 1999: IBM Aptivas
  27. • 1999 (Year of the worms)
      – January 20: Happy99 worm (emails) (Spanska)
      – March 26: Melissa worm (Microsoft Word / Outlook)
      – June 06: ExploreZip worm (Microsoft Office documents)
      – December 30: Kak worm (JavaScript worm / Outlook Express bug)
  28. • 2000 (The most damaging worm ever)
      • « ILOVEYOU worm (VBS/Loveletter) », VBScript
  29. • 2000 (The year of exploits)
      – May: Sadmind worm (Sun Solaris / Microsoft IIS)
      – July: Code Red worm (Microsoft IIS indexing)
      – September: Nimda worm (Windows / Code Red / Sadmind)
      – October: Klez worm (MS IE / MS Outlook / Outlook Express)
  30. • 2002 (Metamorphic virus)
      • Mental Driller, « Win32/Simile » (Etap / MetaPHOR): 90% metamorphic; May 14 / system locale
  31. METAMORPHIC VIRUS
  32. • 2002/2003 (Rise of the RATs & Trojans)
      – Beast (Delphi)
      – Optix Pro
      – Graybird
      – ProRat
  33. • 2003 (More worms in the wild)
      – SQL Slammer worm
        • 75,000 in 10 minutes
      – Blaster worm (RPC) (similar to Sasser, 2004)
        • DDoS with SYN flood (windowsupdate.com)
  34. • 2004 (First web worm), « Santy »
      – Target: phpBB forums
      – 40,000 sites infected
  35. • 2006 (First ever Mac OS X virus), « OSX/Leap-A or OSX/Oompa-A »
      – LAN worm
      – Bonjour protocol (iChat buddy list)
      – Destroys the infected files
  36. • 2007 (Did you say ZEUS?), « ZEUS » (drive-by downloads / phishing)
      – 196 countries
      – June 2009: 74,000 FTP accounts
      – 3.6 million infections in the USA
      – 28 Oct. 2009: 1.5 million phishing messages on Facebook
      – 14/15 Nov. 2009: 9 million infected emails (Verizon Wireless)
      – Credit cards from 15 banks compromised
      – 1 Oct. 2010: FBI / $70 million and 90 arrests
      – May 2011: the source code is leaked
  37. • 2007 (Bounty: $250,000), « Conficker »
      • NetBIOS exploits, MS08-067
  38. BOTNET
  39. • 2009 (Cyber attack), « W32.Dozer », « July 2009 Cyber Attacks »
      – 04/07/2009: USA / South Korea
      – 07/07/2009: South Korea
      – 09/07/2009: South Korea
  40. Cyber Weapons !!!!!
      2010: STUXNET
      2011: Duqu
  41. Questions
      Facebook.com/Synapse.Labs
      Twitter: @Synapse_Labs