The Malware Industry (Part I)
Presented by: Sofiane Talmat

Malware research team:
Sofiane Talmat (Algeria)
Ehab Hussein (Egypt)
http://www.synapse-labs.com                                   info@synapse-labs.com
• Security Services
• Corporate Services
• Solution Development
• Trainings

Viruses don't harm, ignorance does!

« The Evolution of malware within the last ten years is described
by the evolution of people who develop that » (Eugene Kaspersky)

• 1948 – 1966 (First theoretical approach)
• John von Neumann
  « Theory of self-reproducing automata »

• 1971 (First worm)
• Robert (Bob) H. Thomas (BBN Technologies)
  "I'm the creeper, catch me if you can!"
• Machine: PDP-10
• System: TENEX
• Transport: ARPANET

WORM

• 1974/1975 (First Trojan virus)
• John Walker
  « ANIMAL »
  UNIVAC 1108

TROJAN HORSE

• 1982/1982 (First microcomputer virus)
• Rich Skrenta
  « Elk Cloner »
  Apple II
  Boot sector

BOOT SECTOR

• 1986 (First IBM-PC virus)
• Basit & Amjad Farooq Alvi
  « Brain Boot Sector »
  « Pakistan Flu »
  « Lahore »

• 1986 (First file infector virus)
• Ralf Burger
  « Virdem model »
  .com

  Screen text of the VirDem demo program (as shown on the slide):
      VirDem Ver.: 1.06 (Generation #) aktive.
      Copyright by R.Burger 1986,1987
      Phone.: D - 05932/5451
      This is a demoprogram for
      computerviruses. Please put in a
      number now.
      If you're right, you'll be
      able to continue.
      The number is between
      0 and x

COM INFECTION

• 1987 (Destructive viruses)
    – Vienna / Lehigh / Yale / Stoned / Ping Pong

• Cascade (self-encrypting file virus)
    – IBM Antivirus

SELF-ENCRYPTED

• 1987
• Jerusalem
  « Infecting .EXE »
• Interrupt
• Friday 13th

  Aliases: 1808(EXE), 1813(COM), ArabStar, BlackBox, BlackWindow,
  Friday13th, HebrewUniversity, Israeli, PLO, Russian

EXE Infection

• 1988 (First Internet worm)
• Robert Tappan Morris
  « The Morris worm »
  Buffer overflow
  6000 infections

BUFFER OVERFLOW

• 1988 (First multipartite virus)
  Ghostball
• EXE/COM/Boot sector

Multipartite virus

• 1988 (First polymorphic virus)
• Mark Washburn & Ralf Burger
  « the Chameleon family »
  « Vienna and Cascade »
  1260

Polymorphism

• 1995 (First macro virus)
  « Concept »
      Sub MAIN
      REM That's enough to prove my point
      End Sub

Macro Virus

• 1998
• Chen Ing Hau
• CIH v1
  « Chernobyl / Spacefiller »

  Sep. 1998: Yamaha driver
  Oct. 1998: Activision game SiN
  Mar. 1999: IBM Aptivas

• 1999 (Year of the worms)

    –   January 20: Happy99 worm (emails) (Spanska)
    –   March 26: Melissa worm (Microsoft Word / Outlook)
    –   June 06: ExploreZip worm (Microsoft Office documents)
    –   December 30: Kak worm (JavaScript worm / Outlook Express bug)

• 2000 (The most damaging worm ever)
  « ILOVEYOU worm (VBS/Loveletter) »
  VBScript

• 2000 (The year of exploits)

    –   May: Sadmind worm (Sun Solaris / Microsoft IIS)
    –   July: Code Red worm (Microsoft IIS indexing)
    –   September: Nimda worm (Windows / Code Red / Sadmind)
    –   October: Klez worm (MS IE / MS Outlook / Outlook Express)

• 2002 (Metamorphic virus)
• Mental Driller
  « Win32/Simile » (Etap / MetaPHOR)
  90% metamorphic
  May 14 / system locale

METAMORPHIC VIRUS

• 2002/2003 (Rise of RATs & Trojans)

    – Beast (Delphi)
    – Optix Pro
    – Graybird
    – ProRat

• 2003 (More worms in the wild)

    – SQL Slammer worm
         • 75,000 in 10 minutes

    – Blaster worm (RPC) (similar to Sasser, 2004)
         • DDoS with SYN flood (windowsupdate.com)

• 2004 (First web worm)
  « Santy »

   - Target: phpBB forums
   - 40,000 sites infected

• 2006 (First ever Mac OS X virus)
  « OSX/Leap-A or OSX/Oompa-A »

    – LAN worm
    – Bonjour protocol (iChat buddy list)
    – Destroys the files it infects

• 2007 (Did you say ZEUS?)
  « ZEUS » (drive-by downloads / phishing)

    – 196 countries
    – June 2009: 74,000 FTP accounts
    – 3.6 million infections in the USA
    – 28 Oct. 2009: 1.5 million phishing messages on Facebook
    – 14/15 Nov. 2009: 9 million infected emails (Verizon Wireless)
    – Credit cards from 15 banks compromised
    – 1 Oct. 2010: FBI / $70 million and 90 arrests
    – May 2011: the source code is leaked

• 2007 (Bounty: $250,000)
  « Conficker »

         NetBIOS exploit: MS08-067

BOTNET

• 2009 (Cyber attack)
   « W32.Dozer »
   « July 2009 Cyber Attacks »

    – 04/07/2009:
         • USA / South Korea
    – 07/07/2009:
         • South Korea
    – 09/07/2009:
         • South Korea

Cyber Weapons !!!!!

  2010: STUXNET

  2011: Duqu

Questions
  Facebook.com/Synapse.Labs
  Twitter: @Synapse_Labs

BSides Algiers - Malware History - Sofiane Talmat