Malware

Presentation about the history and evolution of malware, from the BSides Manchester cyber security conference held on June 28th.

  1. History and Evolution of Malware
     Nikola Milošević, nikola.milosevic@owasp.org, @dreadknight011
  2. About Me
     • My name is Nikola Milošević
     • OWASP Serbia local chapter leader
     • OWASP Seraphimdroid project leader
     • OWASP anti-malware project contributor
     • Interested in the topic; wrote and analyzed some key-loggers and spam bombers for self-amusement and educational purposes
     • PhD student at the University of Manchester
  3. What is malware?
     • Malware, short for malicious software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
  4. How it started
     • Brain.A, January 1986: a boot-sector virus whose infected sectors carried this text:
       "Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............ $#@%$@!!"
  5. Then it continued
     • Stoned (1987)
     • Cascade (1987)
     • Form (1990)
     • Omega: shows the omega sign on Friday the 13th
     • Michelangelo (1992)
     • V-Sign (1992)
     • Walker...
  6. Mutation
     • 1992: MtE, the Mutation Engine
     • A toolkit for creating polymorphic viruses: each copy is encrypted with a fresh key behind a decryptor that also changes shape, so no fixed byte sequence survives between copies and signature scanners of the day had nothing to match
     • Author: Dark Avenger
  7. GUI
     • Virus Creation Laboratory (VCL): a menu-driven generator that let anyone assemble a virus without writing code
  8. Windows came out
     • WinVir (1992): the first virus to infect Windows executables
     • Monkey: again a Master Boot Record infector
     • One_half: polymorphic; progressively encrypts the hard disk
     • Concept (1995): the first macro virus, infecting Office (Word) documents
  9. Windows...
     • Laroux (X97M/Laroux), 1996: first Excel macro virus
     • Boza (January 1996): first virus for Windows 95
     • Marburg (1998)
       – Distributed on the Wargames game CD and a PC Power Play magazine cover CD
       – Slow polymorphism
       – Three months after infection it shows its payload: random error icons scattered over the screen
 10. Mail worms...
     • Happy99 (1999): first e-mail worm
     • Melissa (1999): macro virus plus mail worm
     • LoveLetter (2000): one of the biggest outbreaks in history
     • Anna Kournikova (2001): spread purely by social engineering
     • Mimail (2003)
 11. Real worms
     • Morris Worm (1988): first Internet worm
     • Code Red (2001): no user interaction needed
       – Attacked IIS and spread around the globe in a few hours
       – After the 19th day of the month it launched DoS attacks against the White House web site
 12. Real worms 2
     • Nimda (2001)
       – E-mail virus with an attachment, affecting Windows 95, 98, Me, NT4 and 2000
       – Worm attacking IIS through the Unicode directory-traversal exploit
       – Modifies web pages so that visitors are offered the infectious files for download
       – Uses end-user machines to scan the network
       – Can reach PCs behind firewalls
       – Has a bug that causes crashes or an inability to spread
 13. Money, money, money
     • In 2003 the first viruses written for financial gain appeared
     • Fizzer: sends spam
       – An attachment that takes over the PC and uses it to send spam
 14. Malware authors (image-only slide)
 15. Malware authors (image-only slide)
 16. Getting destructive
     • Slapper (September 13th 2002)
       – Used an OpenSSL vulnerability to spread
       – Had a backdoor listening on UDP port 2002
       – Infected Linux hosts running Apache
     • Slammer (January 2003)
       – Attacks SQL Server (MS02-039) with a single UDP packet to port 1434
       – Never writes anything to disk: it lives only in memory
       – Generates floods of scan traffic
       – Took down 5 of the 13 DNS root name servers
 17. Getting destructive 2
     • Blaster (August 2003)
       – Buffer overflow in the DCOM RPC service (MS03-026)
       – SYN flood against windowsupdate.com from 15 August 2003
       – Two embedded messages:
         "I just want to say LOVE YOU SAN!! soo much"
         "billy gates why do you make this possible? Stop making money and fix your software!!"
     • Sasser (April 2004)
       – Buffer overflow in the Local Security Authority Subsystem Service (MS04-011)
       – Spread over the network with no user interaction
       – Crashed infected PCs: the LSASS crash forced a reboot within a minute
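Slammer, Blaster and Sasser (and Nimda's network scanning before them) share the one traffic pattern a defender can spot without any signature: a single host contacting a large number of distinct hosts on one vulnerable port in a short time. The following added example, not code from the talk, flags that destination fan-out over constructed flow records; the watch-list of ports (1434/udp for Slammer, 135/tcp for Blaster, 445/tcp for Sasser), the window and the threshold are assumptions chosen for illustration, and the addresses are reserved documentation ranges.

```python
"""Scanning-worm detection by destination fan-out.
Added example; not code from the presentation. The port watch-list,
window and threshold are illustrative assumptions; flow records are
constructed inline."""
from collections import defaultdict

# (protocol, port) pairs the worms on the slides hammered: an assumed watch-list.
WORM_PORTS = {("udp", 1434), ("tcp", 135), ("tcp", 445)}


def parse_flow(line: str):
    """'<ts> <src> <dst> <proto> <dport>' -> (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto, int(dport)


def find_scanners(flows, window: float = 10.0, fanout: int = 20) -> dict:
    """Return {src: (window_start_ts, distinct_dst_count)} for every source
    that reaches at least `fanout` distinct hosts on a watched port inside
    any `window`-second sliding window. Only the first trip is recorded."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) in WORM_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                            # sliding window needs time order
        start = 0
        seen = defaultdict(int)                  # dst -> occurrences inside window
        for ts, dst in events:
            seen[dst] += 1
            while events[start][0] < ts - window:  # evict events that fell out
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= fanout and src not in hits:
                hits[src] = (events[start][0], len(seen))
    return hits


def sample_flows() -> list:
    """Constructed records: one infected host, one normal SMB user, one proxy."""
    lines = []
    # Infected host: a UDP/1434 probe every 50 ms to 40 distinct targets (Slammer-like).
    for i in range(40):
        lines.append(f"{1000 + i * 0.05:.2f} 10.0.0.7 192.0.2.{i + 1} udp 1434")
    # Ordinary workstation: three file servers on 445/tcp over a minute.
    for i, srv in enumerate(["10.0.1.1", "10.0.1.2", "10.0.1.3"]):
        lines.append(f"{1000 + i * 20:.2f} 10.0.0.5 {srv} tcp 445")
    # Busy web proxy: many destinations, but on a port that is not watched.
    for i in range(30):
        lines.append(f"{1000 + i:.2f} 10.0.0.9 198.51.100.{i + 1} tcp 80")
    return lines


def run(window: float = 10.0, fanout: int = 20) -> dict:
    """Parse the constructed records and return the flagged sources."""
    return find_scanners(map(parse_flow, sample_flows()), window, fanout)


if __name__ == "__main__":
    print(run())
```

Only the host spraying UDP/1434 trips the check; the workstation touching three file servers and the proxy with thirty web destinations do not. The threshold is the whole tuning problem in practice: too low and vulnerability scanners and backup servers alarm every night, too high and a slow worm like Sasser's early spread stays under it, which is why such detections are usually combined with a per-port baseline rather than one global number.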
 18. Getting destructive 3 (image-only slide)
 19. Rootkits
     • Sony BMG (2005)
       – Sony's XCP copy-protection software on music CDs installed a rootkit, the first widely publicized commercial one
       – Shipped on Kylie Minogue, Ricky Martin and about 50 other titles
       – Intention was copy protection
       – Hid every file whose name starts with $sys$
       – Virus writers used the same prefix to hide their own files
       – Great scandal, made worse by Sony's bad PR handling
 20. Rootkits 2
     • Mebroot (2008)
       – Infects through browser exploits (a Monica Bellucci web site was one distribution point) and writes itself into the MBR
       – Hides itself as a rootkit
       – Sends keystrokes to the attacker; if it crashes, sends a crash trace back to its creator
     • Conficker (2008)
       – Built a botnet
       – Spread via USB autorun, network shares and the LAN (MS08-067 RPC vulnerability)
       – 9 to 15 million infected
 21. Ransomware
     • Blackmail: GPCode.ax (2010) encrypts the victim's files and demands payment for the key
 22. Let the war begin
     • Spyware, key-loggers
     • Cyber espionage, industrial espionage
     • German police Trojan spyware, released in 2010
 23. When the war gets serious
     • Stuxnet (2010)
       – Big game changer: the first malware intended for physical sabotage of an industrial system
       – Spread over USB; used 5 exploits, 4 of them 0-days
       – By the time it was discovered it had already done what it was made for
       – Kills itself on June 24th 2012
       – Only acts when the infected PC is connected to a particular PLC controlling particular industrial equipment
 24. When the war gets serious 2
     • DuQu (September 2011)
       – Code base similar to Stuxnet's
       – Used for information gathering and espionage against the victim; has rootkit capabilities
       – Written in a higher-level language, believed to be object-oriented C, compiled with MS Visual Studio 2008
     • Flame (2012)
       – Can spread over USB or LAN
       – Can record audio, screenshots, Skype calls and network traffic, and steal files (Office, PDF, txt)...
       – About 20 MB, but modular, so the attacker can add more modules
       – Written in Lua and C++
       – Remotely controlled and remotely killed
       – DuQu and Stuxnet were signed with valid stolen code-signing certificates
 25. Quick classification
     • Virus
     • Worm
     • Trojan horse
     • Malicious mobile code
     • Backdoor
     • User-level rootkits
     • Kernel-level rootkits
     • Combination malware
 26. Thank you
     http://inspiratron.org
     nikola.milosevic@owasp.org
     @dreadknight011
