The document traces the evolution of malware from early theoretical concepts in the 1940s-1960s to modern viruses, worms, trojans, and botnets. It outlines key events like the first computer virus in 1971, first IBM PC virus in 1986, first internet worm in 1988, rise of polymorphic and metamorphic viruses in the late 1980s-1990s, emergence of macro and email-borne viruses in the 1990s, and increasingly sophisticated botnets in the 2000s responsible for large-scale attacks. The document thus provides a high-level history of malware development and some of its most impactful examples from the past 70 years.

1. L’industrie du Malware
(Part I)
Présentée par : Sofiane Talmat
Malware research team :
Sofiane Talmat (Algeria)
Ehab Hussein (Egypt)
http://www.synapse-labs.com info@synapse-labs.com

2. Security Corporate
Services Services
Solution
Trainings
Development
http://www.synapse-labs.com info@synapse-labs.com

3. Viruses don't harm, ignorance does!
« The Evolution of malware within the last ten years is described
by the evolution of people who develop that » (Eugene kaspersky)
http://www.synapse-labs.com info@synapse-labs.com

4. • 1948 – 1966 (First theroical Approach)
• John von Neumann
« Theory of self-reproducing
automata »
http://www.synapse-labs.com info@synapse-labs.com

5. • 1971 (First Worm)
• Robert (Bob) H. Thomas (BBN technologies)
"I'm the creeper, catch me if you can!"
• Machine : PDP-10
• System : TENEX
• Transport : ARPANET
http://www.synapse-labs.com info@synapse-labs.com

6. WORM
http://www.synapse-labs.com info@synapse-labs.com

7. • 1974/1975 (First Trojan Virus)
• John Walker
« ANIMAL »
UNIVAC 1108
http://www.synapse-labs.com info@synapse-labs.com

8. TROJAN HORSE
http://www.synapse-labs.com info@synapse-labs.com

9. • 1982/1982 (First microcomputer Virus)
• Rich Skrenta
« Elk Cloner »
Apple II
Boot Sector
http://www.synapse-labs.com info@synapse-labs.com

10. BOOT SECTOR
http://www.synapse-labs.com info@synapse-labs.com

11. • 1986 (First IBM-PC Virus)
• Basit & Amjad Farooq Alvi
« Brain Boot Sector »
« Pakistan Flu »
« Lahore »
http://www.synapse-labs.com info@synapse-labs.com

12. • 1986 (First File Infector Virus)
• Ralf Burger
VirDem Ver.: 1.06 (Generation #) aktive.
« Virdem model» Copyright by R.Burger 1986,1987
Phone.: D - 05932/5451
.com
This is a demoprogram for
computerviruses. Please put in a
number now.
If you're right, you'll be
able to continue.
The number is between
0 and x
http://www.synapse-labs.com info@synapse-labs.com

13. COM INFECTION
http://www.synapse-labs.com info@synapse-labs.com

14. • 1987 (Destructive Virus)
– Vienna / Lehigh / Yale / Stoned / Ping Pong
• Cascade (self-encrypting file virus)
IBM Antivirus
http://www.synapse-labs.com info@synapse-labs.com

15. SELF-ENCRYPTED
http://www.synapse-labs.com info@synapse-labs.com

16. • 1987
• Jerusalem 1808(EXE)
1813(COM)
« Infecting .EXE » ArabStar
BlackBox
• Interrupt BlackWindow
Friday13th
• Friday 13th HebrewUniversity
Israeli
PLO
Russian
http://www.synapse-labs.com info@synapse-labs.com

17. EXE Infection
http://www.synapse-labs.com info@synapse-labs.com

18. • 1988 (First Internet Worm)
• Robert Tappan Morris
« The Morris worm »
Buffer Overflow
6000 infections
http://www.synapse-labs.com info@synapse-labs.com

19. BUFFER OVERFLOW
http://www.synapse-labs.com info@synapse-labs.com

20. • 1988 (First Multipartite Virus)
Ghostball
• EXE/COM/Boot Sector
http://www.synapse-labs.com info@synapse-labs.com

21. Multipartite virus
http://www.synapse-labs.com info@synapse-labs.com

22. • 1988 (First Polymorphic Virus)
• Mark Washburn & Ralf Burger
« the Chameleon family »
« Vienna and Cascade »
1260
http://www.synapse-labs.com info@synapse-labs.com

23. Polymorphism
http://www.synapse-labs.com info@synapse-labs.com

24. • 1995 (First Macro Virus)
« Concept »
Sub MAIN
REM That's enough to prove my point
End Sub
http://www.synapse-labs.com info@synapse-labs.com

25. Macro Virus
http://www.synapse-labs.com info@synapse-labs.com

26. • 1998
• Chen Ing Hau
• CIH v1
« Chernobyl / Spacefiller »
Sep.1998 : Yamaha Driver
Oct.1998 : Jeux Activision SiN
Mar.1999: IBM Aptivas
http://www.synapse-labs.com info@synapse-labs.com

27. • 1999 (Year of the worms)
– Janvier 20: Happy99 worm (emails) (Spanska)
– Mars 26: Melissa worm (Microsoft Word/ Outlook)
– Juin 06: ExploreZip worm(Microsoft Office documents)
– Decembre 30: Kak worm (Javascript worm / Outlook
Express bug)
http://www.synapse-labs.com info@synapse-labs.com

28. • 2000 (The most damaging worm ever)
« ILOVEYOU worm (VBS/Loveletter) »
VBScript
http://www.synapse-labs.com info@synapse-labs.com

29. • 2000 (The year of Exploits)
– Mai : Sadmind worm (Sun Solaris / Microsoft IIS)
– Juillet : Code Red worm (Microsoft IIS indexing)
– Septembre : Nimda worm (Windows/Code Red / Sadmind)
– Octobre : Klez worm (MS IE / MS Outlook / Outlook
Express)
http://www.synapse-labs.com info@synapse-labs.com

30. • 2002 (Metamorphic virus)
• Mental Driller
« Win32/Simile » (Etap / MetaPHOR)
90% metamorphose
May 14 / System locale
http://www.synapse-labs.com info@synapse-labs.com

31. METAMORPHIC VIRUS
http://www.synapse-labs.com info@synapse-labs.com

32. • 2002/2003 (Rise of the RAT & Trojans)
– Beast (Delphi)
– Optix Pro
– Graybird
– ProRat
http://www.synapse-labs.com info@synapse-labs.com

33. • 2003 (More worms in the wild)
– SQL Slammer worm
• 75,000 en 10 minutes
– Blaster worm (RPC) (similar to sasser 2004)
• DDoS with SYN flood (windowsupdate.com)
http://www.synapse-labs.com info@synapse-labs.com

34. • 2004 (First Webworm)
« Santy »
- Target : phpbb forums
- 40 000 sites infectés
http://www.synapse-labs.com info@synapse-labs.com

35. • 2006 (First ever Mac OS X virus)
« OSX/Leap-A or OSX/Oompa-A »
– Lan worm
– Bonjour Protocol (iChat buddy list)
– Destruit les fichiers infectes
http://www.synapse-labs.com info@synapse-labs.com

36. • 2007 (Vous avez dit ZEUS ?)
« ZEUS » (drive-by downloads /phishing)
– 196 pays
– Juin.2009 : 74,000 comptes FTP
– 3.6 million d’infections aux USA
– 28 Oct.2009 : 1.5 million de messages fishing sur facebook
– 14/15 Nov. 2009 : 9 millions emails infectes(Verizon
Wireless)
– Cartes de credits de 15 banques compromises
– 1 Oct.2010 : FBI / 70 millions $ et 90 arrestations
– Mai.2011 : le code source est dévoilé
http://www.synapse-labs.com info@synapse-labs.com

37. • 2007 (Mise a pirx : 250 000 $)
« Conflicker »
NetBIOS Exploits MS08-067
http://www.synapse-labs.com info@synapse-labs.com

38. BOTNET
http://www.synapse-labs.com info@synapse-labs.com

39. • 2009 (Cyber attack)
« W32.Dozer »
« July 2009 Cyber Attacks »
– 04/07/2009 :
• USA / Corée du Sud
– 07/07/2009 :
• Corée du Sud
– 09/07/2009 :
• Corée du Sud
http://www.synapse-labs.com info@synapse-labs.com

40. Cyber Weapons !!!!!
2010 : STUXNET
2011 : Duqu
http://www.synapse-labs.com info@synapse-labs.com

41. Questions
Facebook.com/Synapse.Labs
Twitter : @Synapse_Labs
http://www.synapse-labs.com info@synapse-labs.com