The History and Evolution of Computer Viruses

Video thumbnail (Frame 0) Video thumbnail (Frame 1924) Video thumbnail (Frame 4877) Video thumbnail (Frame 5835) Video thumbnail (Frame 6850) Video thumbnail (Frame 9077) Video thumbnail (Frame 10410) Video thumbnail (Frame 12529) Video thumbnail (Frame 13994) Video thumbnail (Frame 15464) Video thumbnail (Frame 16447) Video thumbnail (Frame 17540) Video thumbnail (Frame 18984) Video thumbnail (Frame 20762) Video thumbnail (Frame 22272) Video thumbnail (Frame 25509) Video thumbnail (Frame 26655) Video thumbnail (Frame 28254) Video thumbnail (Frame 29919) Video thumbnail (Frame 32795) Video thumbnail (Frame 34179) Video thumbnail (Frame 35627) Video thumbnail (Frame 37139) Video thumbnail (Frame 38284) Video thumbnail (Frame 40694) Video thumbnail (Frame 42230) Video thumbnail (Frame 43414) Video thumbnail (Frame 44429) Video thumbnail (Frame 45765) Video thumbnail (Frame 47394) Video thumbnail (Frame 48612) Video thumbnail (Frame 49622) Video thumbnail (Frame 50627) Video thumbnail (Frame 51734) Video thumbnail (Frame 53820) Video thumbnail (Frame 55480) Video thumbnail (Frame 57839) Video thumbnail (Frame 58904) Video thumbnail (Frame 59990) Video thumbnail (Frame 61114) Video thumbnail (Frame 63280) Video thumbnail (Frame 65205) Video thumbnail (Frame 66184) Video thumbnail (Frame 68164) Video thumbnail (Frame 69870) Video thumbnail (Frame 71844) Video thumbnail (Frame 74472)
Video in TIB AV-Portal: The History and Evolution of Computer Viruses

Formal Metadata

The History and Evolution of Computer Viruses
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
It's 2011, so this year it's going to be 25 years since Brain.A, the first PC virus, Join Mikko Hypponen as he talks about the history and evolution of computer viruses. From Brain to Stuxnet, he's spent his career tracking malware and will give a pretty good rundown on what has happened, when and why it mattered. Mikko Hypponen is based in Helsinki, Finland. He has been analysing computer viruses for more than 20 years. He has written on his research for magazines such as Scientific American. According to information leaked by Wikileaks, the US Government has classified Mr. Hypponen as an infosec ROCK STAR (true story). He doesn't often speak publicly, but when he does, it's in venues like TED or Rubicon Detroit - or DEF CON. He's also the oldest child genius on the planet. And every time he swims, dolfins appear. Apart from computer security issues, Mr. Hypponen enjoys collecting and restoring classic arcade video games and pinball machines from past decades.
Computer virus Point (geometry) Building Code Range (statistics) Moment (mathematics) Sampling (statistics) Bit Evolute Power (physics) Antivirus software Malware Operator (mathematics) Backdoor (computing) Physical system Reverse engineering Computer worm
Computer virus Context awareness Mathematics Hypermedia Floppy disk Cuboid Right angle Lattice (order) Quicksort Information security Booting Neuroinformatik
Code Decimal Zoom lens Dreizehn Icosahedron Number Uniformer Raum Touch typing Uniform resource name Convex hull Maize Game theory Library (computing)
Mainframe computer Computer virus Boss Corporation Building Block (periodic table) Code Density of states System call Neuroinformatik Proof theory Different (Kate Ryan album) Internetworking Operator (mathematics) Telecommunication Family Address space Physical system
Computer virus Personal identification number Dataflow Divisor Computer file Multiplication sign Floppy disk Neuroinformatik Arithmetic mean Software Vector space Hard disk drive Normal (geometry) Booting
Computer virus Sign (mathematics) Dreizehn Assembly language Code Personal digital assistant Multiplication sign Sampling (statistics) Figurate number Physical system Neuroinformatik Number
Computer virus Computer file Multiplication sign Table (information) Resource allocation Booting Physical system
Ocean current Computer virus Touchscreen Online help Code Multiplication sign Binary code 3 (number) Replication (computing) Mereology Sign (mathematics) Right angle Game theory Booting Curve fitting Window Physical system
Computer virus Touchscreen Code Multiplication sign Interior (topology) Mereology Host Identity Protocol Sign (mathematics) Pauli exclusion principle Hardware-in-the-loop simulation Website Booting Installable File System
Computer virus Demo (music) Weight Interior (topology) Quicksort Graph coloring
Computer virus Execution unit Touchscreen Multiplication sign Water vapor Annulus (mathematics) Type theory Software development kit Crash (computing) Electronic visual display Game theory Whiteboard Data type
Computer virus Software engineering Computer file Code Interior (topology) Virtual machine Sign (mathematics) Semiconductor memory Hard disk drive Right angle Game theory Table (information) Resource allocation Curve fitting
Computer virus Polymorphism (materials science) User interface Code Multiplication sign Variance Medical imaging Malware Different (Kate Ryan album) Single-precision floating-point format Encryption Software testing Game theory CD-ROM Musical ensemble Physical system Software development kit Data type
Computer virus Backup Random number generation Computer file Online help Variety (linguistics) Multiplication sign Closed set Binary code Floppy disk Shared memory Cartesian coordinate system Formal language Number Neuroinformatik Word Spreadsheet Visualization (computer graphics) Lie group Data structure Office suite Window
Computer virus Group action Word Email Normal (geometry) Plastikkarte Remote procedure call Window Computer worm
Filter <Stochastik> Computer virus Computer file Firewall (computing) View (database) Multiplication sign Replication (computing) 2 (number) Twitter Operator (mathematics) Single-precision floating-point format Macro (computer science) Address space Email Touchscreen Information Binary code Content (media) Cartesian coordinate system Leak Word Personal digital assistant Hard disk drive Window Computer worm
Scripting language Computer virus Email Computer virus Computer file Multiplication sign Content (media) Computer Menu (computing) Expert system Field (computer science) Web 2.0 Medical imaging Estimator Word Visualization (computer graphics) Befehlsprozessor Window Physical system Computer worm
Computer virus Trigonometry Email Software Personal digital assistant Multiplication sign System administrator Shared memory Computer-integrated manufacturing Theory Window Social engineering (security)
Execution unit Email Personal identification number Computer file Patch (Unix) Real number Multiplication sign Menu (computing) Core dump Term (mathematics) Number Duality (mathematics) Message passing Touch typing Queue (abstract data type) Arrow of time Convex hull Lipschitz-Stetigkeit Gamma function output Drum memory Information security Physical system
Computer virus Server (computing) Code Multiplication sign Physical law Workstation <Musikinstrument> Replication (computing) Web 2.0 Mechanism design Order (biology) Quicksort Window Computer worm
Randomization Multiplication sign Firewall (computing) Patch (Unix) Workstation <Musikinstrument> Moment (mathematics) Range (statistics) Exploit (computer security) IP address Neuroinformatik Connected space Software Internetworking Personal digital assistant Single-precision floating-point format Remote procedure call Quicksort Routing Window Address space
Computer virus Web page Key (cryptography) Computer file Patch (Unix) Multiplication sign IP address 2 (number) Crash (computing) Boom (sailing) Quicksort Table (information) Booting Physical system Window Vulnerability (computing) Physical system
Execution unit Service Pack Touchscreen Code Patch (Unix) Multiplication sign Interprozesskommunikation 2 (number) Neuroinformatik Game theory Endliche Modelltheorie Error message Booting Information security Window
Asynchronous Transfer Mode Game controller Electric generator Service (economics) Multiplication sign Simultaneous localization and mapping Nuclear space Operator (mathematics) Cloud computing Computer network Insertion loss Denial-of-service attack Food energy Mass Control flow Software Internetworking Remote procedure call Physical system Computer worm Asynchronous Transfer Mode
Computer virus Area Execution unit Computer virus Touchscreen Service (economics) Multiplication sign Patch (Unix) Commutator 8 (number) Cartesian coordinate system Neuroinformatik Wave packet Single-precision floating-point format Normal (geometry) Convex hull Normal (geometry) Resultant Physical system
Group action Personal digital assistant Forest Multiplication sign Dreizehn Data structure Trigonometric functions Window Connected space Neuroinformatik Physical system
Computer virus
Computer virus Purchasing Email Shift operator Service (economics) Key (cryptography) Multiplication sign Software developer Source code Virtual machine Plastikkarte Telebanking Neuroinformatik Software Password Proxy server
Computer virus Purchasing Game controller Greatest element Link (knot theory) 1 (number) Plastikkarte Planning Number Different (Kate Ryan album) Right angle Game theory Booting Navigation Backdoor (computing)
Computer virus Installation art Open source Computer file Code Multiplication sign Robot Source code Binary code Virtual machine Plastikkarte Trojanisches Pferd <Informatik> Number 10 (number) Neuroinformatik Revision control Antivirus software Estimator Digital rights management Rootkit Series (mathematics) Musical ensemble Window Physical system
Computer virus Windows Registry Malware Rootkit Multiplication sign Videoconferencing Computer worm Open set Computer worm Software development kit
Computer virus Multiplication sign Mass Physical system Neuroinformatik Connected space
Malware Matrix (mathematics) Mereology Number
Computer virus Web page Java applet Multiplication sign Flash memory MIDI Web browser Parallel port Number Twitter Neuroinformatik Revision control Web 2.0 Goodness of fit Internetworking Core dump Normal (geometry) Booting Plug-in (computing) Chi-squared distribution Execution unit Email Touchscreen FLOPS Line (geometry) Personal digital assistant Hard disk drive Formal grammar Website Configuration space Convex hull Hill differential equation Computational fluid dynamics Remote procedure call Hydraulic jump Window Row (database) Computer worm
Computer virus Rootkit State of matter Different (Kate Ryan album) Moment (mathematics) Virtual machine Mass Information security Window
Reading (process) Computer file Algorithm Code Multiplication sign Computer file Trojanisches Pferd <Informatik> Neuroinformatik Message passing Wallpaper group Hard disk drive Encryption Encryption Message passing Window RSA (algorithm) Physical system
Laptop Wechselseitige Information Email Backup Computer file Key (cryptography) Computer file Interior (topology) Shared memory Plastikkarte CAN bus Malware Software Personal digital assistant Encryption Encryption Message passing Advanced Encryption Standard Task (computing) Address space RSA (algorithm) Physical system
Computer virus Mathematics Operator (mathematics) Multiplication sign Planning Core dump Bit Information security Leak Mach's principle
Building Workstation <Musikinstrument> Ultraviolet photoelectron spectroscopy Line (geometry) Replication (computing) Fault-tolerant system Neuroinformatik Process (computing) Integrated development environment Factory (trading post) Endliche Modelltheorie Routing Window Exception handling
Computer virus Code Multiplication sign Projective plane Floppy disk Computer programming Theory Power (physics) Number Neuroinformatik Frequency Mathematics Internetworking Rootkit Right angle Data conversion Booting Window Physical system
Information management
nonane about women tomorrow at effort toward a high def con helado system my name is Michael Pollan and we'll be doing the first session here talking about the history and evolution of computer viruses I'm from Finland I've I've been playing around with viruses for the past 20 years little bit more than that and we are at an interesting point in history and I'll get back to that in just a moment and that's the main reason why I wanted to speak about the the whole evolution of where we've been where we are right now and where we will be going with malware Trojans backdoors worms viruses now all those years I've been working with the same company f-secure so we run antivirus labs around the world and of course in the early days our operations were very small couple of guys in the lab analyzed everything by hand reverse-engineer the code build detection try to figure out how they spread today all professional antivirus companies run massive labs around the world with automation because we are on a typical day right now receiving somewhere in the range of hundred to two hundred thousand samples coming into our systems so obviously we can't keep up with normal human power anymore but we'll start from brain so
this is brain this is an original final quarter inch floppy disk infected by brain and those of you who've seen my TED talk which came out all right three weeks ago well you'll see the first five minutes maybe some stuff you've seen before but then we'll get into more more interesting stuff because in my TED talk I was also speaking about this last year around November we were cleaning our labs and from one of the cup boards we found this box which were full of five and quarter-inch floppy disks now that box had basically the first hundred PC viruses in it including this brain dot a and brain today is considered to be and it's known to be the first PC virus in history that's the first PC virus we've seen before 1986 for example some Apple two viruses and stuff like that but this actually important because we are still fighting PC viruses today right so I did the math 1986 2011 that's 25 it's gonna be 25 years and we had a meeting in the lab ok what should we do about this it's gonna be 25 years since the first PC virus and our media team thought that we should have some sort of social media campaign to raise awareness of computer security and I thought that that's boring what about if I try to go and find the guys who wrote brain 25 years ago and if I find them I'll speak with them and ask them like why did you do it and what were you thinking and what do you think about what you started 25 years ago and actually doing that like trying to find virus all those 25 years later typically would be impossible in case of brain it actually agent and I'll show you in the world which actually has a floppy drive oh here to go and here's the actual boot
code of a floppy infected by brain so if
you just take a closer look you'll see that inside here shouldn't zoom so I can
draw right about here you'll see text
right welcome to the dungeon 1986 Basit and Amjad and positon Amjad are first names they are pakistani first names then there is a phone number and a straight end so in February I went to
Pakistan this is from the west side of
the city of Lahore which is like 200 miles south from above the bed which is where bin Laden was caught didn't see him I did see one funny guy with a long beard but I didn't think it was him this
is from the road leading to this building which is seven-30 Nizam block
allama iqbal town and that's the address listed inside the brain code so I knocked on the door you want to guess once the door buzz it and object they are still there so here boss it's standing up I'm jut
his brother sitting down nominees these guys run a Internet operator is RIT telco operator for the city of Lahore a companies called brain telecommunications so we had a very interesting chat about ok like why did you do it and what were you thinking and and their explanation was that it was a proof of concept these guys had a background in UNIX worlds they had been running different mainframe systems in the early 1980s when they were like in the late teens early 20s and then PC DOS came around 1985 and they hated it they thought that it's like it isn't as secure and obviously it wasn't and they decided to prove it by writing a varnish and that's what they did and of course they had no idea the virus will go around the world in fact computers in more than 100 countries around the world but that's what it did they also started getting phone calls from around the world from people that infected by the virus and all that they really weren't expecting that to happen but of course it went khloga became a global problem now viruses like this were I mean brain was a very typical example of the early early viruses we used to see back then the motive wasn't anything very concrete these guys wanted to try something out they they wanted to do something that would replicate and go around the world and of course around those days 1986
1987 1988 viruses like brain and stone
and cascade and yankee-doodle we're all basically the same thing they were spreading on floppy disks infecting both sectors so you would have infected flow pins on your computer you boot from the floppy you get infected and every other floppy you put in after that gets infected as well or filing factors like Yankee Doodle which would infect those cog files and then when you share files well it spreads from one computer to another and these floppy infectors I mean what we have to remember in 1986 we didn't have networks I mean normal computers PC computers we're not connected to each other in any way in fact most computers didn't have a hard drive they would typically have two floppy drives only right so if you wanted to move data around you had to put in my flopping there was no other means of doing it that's why floppy basting vectors spread so quickly well many of these viruses at the time are also in one way or another
visual what I mean by that is that you would typically know that you're infected what do you example of that is
is the Omega virus and Omega virus actually it's not important in any history books or anywhere actually to anyone else except to me but it's important to me because it's the first virus I analyzed in September 1991 we had a customer case of a large company actually a telco where they have damage on their computers and they were suspecting a virus and they sent us a sample and I got a sign to look at the sample because around that time you never Sakura was the only guy who do reverse engineering an assembly language Amy even that I actually had never done on PC I had a background with Commodore 64 and doing assembly there but you know go figure I decided to do it and I printed out the code spent a couple of days trying to go through and understand how it works and learning they interrupt off those system and all that and I did it I decoded it I actually didn't have a spare PC I could infect at the time so actually couldn't run the code I was just reading and trying to figure what it does and one of the things that I thought it did just looking at the code was that he would display on 13th of the month if it was a Friday would activate and display one character character number 232 I believe in ASCII chart and I looked up the character and that is the Omega sign so I named the virus
Omega that's the first virus I ever named and the name stuck if you google around you'll still find his Mars as the Omega virus and that actually started a tradition in nowadays in in our company once you'll be in ten years with the company you'll get a Omega watch like
this so I should have named damaris Ferrari now many of you will remember viruses
like Michelle Angela at the time which were destructive so one way that you would know that you're infected by a virus that you could destroy your files let me show enjoy what override the first hundred sectors on your harddrive base destroying your file allocation table on toast systems on your PC world boot other examples for viruses which were visual and they mean let me demonstrate that what we'll do is some will boot up dosbox those of you
who play old games will know this tool
it's basically a way of running old code on current like this is a Windows 7 system so let's mount some folders see what I have here is a collection of
binaries comm files because if you look
at the dates 1993 1994 and so these are all examples of virus code which at the time I modified slightly to remove all
the destructive parts and replication parts and what we're left with is basically the activation code so for example the V sign virus which will infect your boot sectors if I'm actually running the code right here it activates by drawing a V sign on your screen
that's one that's what we call it the design bars because you get a victory sign so what I'm running right here is actually code from 1992 which is the original virus code but everything else has just been knocked out except the visual part of the virus and many of the viruses at the time would do this they would show themselves to the user via sign would do this once a month once a month when you boot up your PC it would draw this V sign on your screen and we
have plenty of these examples in here for example the Walker virus guess why
it's called the Walker
don't actually remember what the tequila virus does well it draws a fractal
planet of course the traffic spotter does based on ASCII graphics with colors
Alex I think it's some sort of a demo whether yeah that's pretty nice actually
believed what let's do that again it was so nice actually
you want to see more we have for example
the ambulance car which is neat because makes sound exhibit weights at dee da dee da dee don't doesn't work right now for some reason let's do one more let's show you
something which actually does all the crash waters look like this
no you know you're infected because that's pretty bad but oh yeah this is a
good one coffee shop made in the Netherlands but
the one I actually tried to show is this
one actual traffic s-- EGA or maybe actually vga graphics the quotes someone
I don't know Carl Sagan I believe so you
would know that you're infected by a
virus because it would get visual displays on your screen or the virus would play games with you like the cha-ching which one day of the year when you board up the PC it won't do it it ends in this screen and then you have to type happy birthday George and then it continues apparently that's the nickname of the virus writer of the time actually I want to go back to those books and show one more example which is a good
example of the virus playing games with
the user let's try with the casino virus
here we go casino virus is neat it
actually takes a copy of your file
allocation table to memory then it overrides it on your hard drive right so you just lost all your files because the file allocation table is gone but it has a copy in RAM right and now it lets you play a game you have five critics and if you win it's gonna write the allocation table back to the drive and if you just reset the machine you lose but it has already deleted so and it explains this in detail read user and it actually lets you play and if you win it actually does what it claims and we can actually play this right now we have five credits if you get five pound signs we win so let's try and that's the original code so we might win or lose it's not gonna destroy my drive but everything else is real so we might win No two credits sometimes you win
so that's what I mean by viruses which play games with the user or at the very least make themselves known to the user and this is an important difference to today's motor today when you get infected by malware you will not know that you're infected you will not see funny images your PC will not play music your cd-rom tray will not open and close all the time nothing like that I mean you will not know it's running silently in the background they won't even crash your systems nowadays they're pretty well done it they're pretty compatible won't slow down your system won't take too much resources they do testing on the virus code nowadays so you won't actually see that you're infected like you used to see tomorrow see started getting more
and more advanced things like mutation engine and T Eve made by a Bulgarian virus writer who we knew at the time as dark Avenger which was basically not a virus but a kit that you could use to turn any other virus into polymorphic virus which would in encrypt itself a different encryption every single time or VCL vars creation laboratory which actually was the first one which had the user interface you could use to create viruses but that's VCL you just click on
the menus you click generate and it makes a virus for you and this is in 1992 so pretty advanced 24:19 years ago then comes windows first
windows viruses were written for windows 3.0 in 1992 very first one was called vineyard did nothing special it was the first one capable of infecting the PE file structure the windows was using at the time other parties at the time Monkey 1/2 these are mostly encrypting boot sector viruses and then we get concept in 1995 which is a virus that infects not your floppies not your binaries but it infects your documents concept actually infects Word documents using the VBA Visual Basic for applications scripting language inside office at the time and that's actually a big deal because if you think about what you do with your computers every single day I mean most computer users spent their days handling documents creating and reading files Excel sheets where documents PowerPoint slides what-have-you and if sharing those shares a virus that's a big deal and concept became the most common virus in the world within the first 30 days since we found it LaRue was a close follower LaRue did not infect word files it infected Excel spreadsheet files in fact we later found a variety of Leroux which would not just infect your Excel spreadsheet but it also randomly round your random numbers inside your spreadsheets by zero zero one percent up or down once a day so but slowly corrupt the numbers you're working with and that's that's a 2d nasty attack because you will not notice the problem until it's been happening for quite a while which means the deme are working with is bad your backups are bad and if there's no easy way to recover there's no easy way to figure what it has changed and when that's a big deal windows viruses were also the early windows viruses were often visual I mean they would show themselves this is the
both of our was written by a virus writing group from Australia calling themselves Vlad and that's the name of the group that's the nicknames of the guys in the group so parties were still very much being done by hobbyists for fame for challenge just because they could another example is the Marburg
virus from 1998 which would change your
Windows desktop to look like this so you would know you're infected this was still the norm in the late 1990s more
Windows viruses remote explore happy 99 and this one is actually important because happy 99 is the very first email word we're talking about late 1998 this was an email worm which claimed to be a creating card wishing Happy New Year 1999 I would actually show you fireworks
on your screen and while it's doing that it would take your address book and email itself as an email which looks like you send it to everybody listed in your address book and the email contents were happy new year 1999 and there's an attachment called happy 99 of Exe in it and of course your friends would believe you send it because it looks like you said it and they would open up the attachment that they thought that that's what it's supposed to do would replicate I'd replicate and replicate and this kind of email worms quickly became the biggest problem we have one thing which feels funny knowledge that you could actually do that I mean you could just take a binary like an executable and email it to someone else anywhere else in the world and they would get it no problem I'll take would run it no problem obviously you can't do that any more filters would kill any I mean if I tried emailing an exe windows binary to every single mode of view I don't think any of you would actually get it I mean my operator your operator or your firewall whatever would kill off an executable attachment nowadays but that wasn't the case back then so more windows borrows
it at the time Melissa became one of the largest outbreaks in history because it combined these two big trends at the time it combined an email worm with a macro virus infecting Word documents so it would send itself as an email which looks like it's coming from you once you get infected sending it to all of your contacts in your address book and then the attachment is not an executable it's a dropped file it's a Word document file in fact it's one of your own where document files which has been infected with a macro virus and this has two problems first of all you are going to infect your friends second of all it leaks confidential information it takes a doc file from your hard drive infected and sends it out to thousands of people and that file could be anything could be plants potted applications a love letter who code I mean anything love letter this is still in the history books as one of the largest single email outbreak and we probably will stay as the largest the email outbreak on one of them because we don't see email outbreaks anymore this was one of the problems which has has gone away in fact here's a
screenshot from at the time I'm
actually here making an estimate that now it's not going to be a big problem of course I was completely wrong it became one of the largest outbreaks in history there you go whoopsie Anna
Kournikova I'll just pick this one as an example of the of the email words at the time many of these which simply just tried to fool the user into opening up an attachment and Anna Kournikova was an email word which claimed that it has an image of
Anna Kournikova and here's an example of an email I know those of you don't remember Anna Kournikova used to be a tennis player a pretty tennis player player so it is the email they would send here you have that's the subject field and then the content hi check this under Kournikova dot jpg dot VBS VBS is visual basic script for Windows system which it's executable by almost cryptic executable and we actually had quite a large outbreak on this virus and we had people calling our labs I actually spoke with one guy myself and he told me that yes he received a email and he heard in the radio news that it's a worm so he knows it's a worm and I would further actually I mean I'll run the ball that he blocked it so he's safe but he still wanted to see the picture like huh buddy basically how could I disable you run the bar so I could just click on it and of course it definitely let me show you any images I mean I just picked this because she's a pretty girl but when you actually clicked on the VBS file if it just replicate further you wouldn't actually see any images I believe I told the guy to just you know we already had web at the time I told him to go online and find some pictures maybe that's the easier way more viruses of the time
maybe this one is more important than others this was one of the first windows network share replicating virus nimnim which got its name from admin which which one that's why it's named um a ninja there was lots of conspiracy theories at the time because nimda was found in 2001 in September 2001 exactly one week after the terrorist attacks and they were lots of conspiracy theories that this was somehow related but we never actually proved anything either way nowadays looking back I don't think it was related in any way but everybody was pretty paranoid at the time more viruses and you know these are all email Windows email replicating viruses Swain is a good example of the kind of social engineering tricks they were using here's an email sent by swen and it looks like it's an email coming from
Microsoft so senders in s technical assistance it explains that you know
there's new patches and this is in 2003 so we didn't have Microsoft updates yet you didn't have automatic updates if you wanted to patch your system you get to download the patch file an executable file I'd run it so this used that trick too it's it's it's benefit looks fairly convincing looks like a real Microsoft email and there's a file you can see it
there in the top queue something that exe attached into it that is the naming convention Microsoft used at the time for patches and it's especially handy because it the message explains to you
that is a security update for September 2003 and it would actually get the current date so when this bar was kept on replicating for a number of years would always speak about the current month of the current year if you would run Swain today which speak about August 2011 cumulative touch so it felt pretty real and that's one of the reasons why it became such a big problem
and this is also one of the viruses where the virus order was caught Swedish going I was caught and sentenced for some sort of online disruption based on Swedish laws at the time but then things
started changing we entered the years of internet worms or web worms like Code Red Code Red did not infect Windows workstations Code Red infected Windows servers it specifically infected Windows web servers running AI is using a remote exploited when in fact those servers immediately continue replicating from that infected server it just scan IP ranges trying to find more servers and then using the remote exploit infect them we actually see how quickly such a replication mechanism goes worldwide this is basically 20 the first 24 hours in the replication of Code Red and it started getting copycats of various kinds including slapper and slammer and
blaster and Sasser most of these targeting Windows workstations using remote exploits in LS a SS or in our PC or some other network visible resources of Windows and we have to remember 2004 most Windows users were not running a fireable I mean if they were online even if they were inside a company most likely they had open ports all the way to the Internet which now feels pretty weird that that's the situation at the time so you had port 139 or port 445 TCP or penetrate anybody would connect to it from anywhere in the world and if they were remote exploits they could exploit them and they did and that's how for example Sasser spread so if you think
about that you got you have one infected PC and it's just start scanning either random IP addresses or just one by one and try to go all through all four addresses and the IP 4 addresses we don't have I mean we have 4.3 billion IP addresses which is perfectly scannable you can't scan them all many of these were I mean most of these weren't scanned every single IP address in the world and of course they'll find empty addresses like addresses which route nowhere so there's nothing to infect all then find an address which has a computer but it's a wrong kind of a computer like it's a mac and windows were won't be able to infect it or it finds a right kind of a computer like you know a Windows computer but it's blocked it's only behind a firewall or some sort of routing protection so you can't connect or it's already patched so the patch that the other ability has already been closed by the user but as you can guess if it just keeps on scanning and keeps on scanning eventually it will find a computer which is the right kind of a computer which is not behind a firewall which has not yet been patched and in that case of course it will infect that computer and it will immediately start replicating further from that computer in fact they are now both scanning the whole public IP ranges and it gets faster and faster and this explains why we got these massive spreading speeds including slammer news laner proven that it's can't you know what IP IP 4 IP address range in less than 20 minutes from the moment when it was started and that's pretty remarkable in 20 minutes all of us who were online in 2003 its scammed our computers it scanned our mobile phones if we had mobile phones with Internet connectivity at the time and to the end-user you would typically
know that something like this was happening because you get some sort of a crash on your system slammer blaster and disaster for example would cause a system shutdown because table Dremel to crash our PC or LSAs as when in Windows at the time so the end user would see that there's a problem his PC would shut down they would have 60 seconds of time to save his data and then it would shut down they would reboot and he would most likely see again in a minute or two or maybe in ten minutes maybe in half an hour depends on when the next time someone else is scanning his IP address so let's think about this you are an end-user you start seeing this regularly on your PC you can't work because your PC key is rebooting what are you gonna do well you ask around what what should i do my PC reboot somebody will know that the edge of virus all right what should I do well you should patch the whole patch the RPC vulnerability or the LSA SS will regulate all right how do i patch it well you go to Microsoft comm and you find the patch you download if you're running okay let's do that we have here
Microsoft download pages from 2003 that's the actual patch for the RPC vulnerability MSO 3 0 3 9 click download excellent beginning executable file
let's download it on our desktop here we go and now we're downloading it excellent and of course this takes a while which means it's more than likely that you actually get while you're downloading it you get the same same error message and now you have two counters on your screen at the same time you have to count down from 60 seconds to 0 of reboot and you have the download counter like how many percentages of the actual patch of download so you're basically running a game or a race like who's gonna be first and this game was being run on on thousands and thousands of computers around the world and of course most of the users lost again they
didn't get the patch before it rebooted again very very frustrating and these are the kinds of problems that led Microsoft to change their the way they look into security 2003 they did the big overhaul code review of Windows based code and started taking security seriously this resulted first team service pack 2 for Windows XP later into what we have today and for example in 64-bit Windows 7 which actually has a decent security model so it this was the basic reason why security in Windows world regarding problems like these were finally taken seriously and the problems we saw at the time were serious here's
the packet loss chart of the whole internet during the hours when the slammer worms started spreading typical packet loss globally 1 to 2 percent then suddenly jumps to 20 30 % massive problems so we started getting denial of service problems on systems which weren't in fact picked themselves but they were in the same networks with infected systems and the packet generation that they saw was so massive that we started seeing problems with
critical infrastructure so in 2003 I wrote down some of the things we saw
thanks to slammer blaster and sesor we had air traffic control problems we had ATM networks down we had 9-1-1 services down we had infected nuclear plants in USA in 2003 because of Sasser flight problems government systems infected Heathrow Airport checking systems infected a couple of screenshots I took at the time
Air Canada couldn't operate because they were infected by SAS sir I believe in fact here's a picture from their chicken
and it buddy spot the blue screen right there and it wasn't just computers I mean normal computers at time for example the automation gear started
getting affected here's a screen from a CSX that I took in August 2003 doesn't be who don't know CSX it's one of the largest railroad operators here in USA if you'll look what they announced is
that they had an in-house infection which resulted in a slowdown of major applications including these patching and single systems as a result passenger and freight train traffic was halted immediately including the morning commuter train service in the Metropolitan Washington DC area so trains around the capital of the United States of America stopped in the middle of the day in the middle of their tracks because of a computer virus this actually happened in 2003 and things like this were to wake up go and then of course we
are infections in things like these we
had a large case of infected four structures because they weren't Windows and they got infected because they had GPRS connections they were actually sending embedded gigs in tractors in the middle of the forest to find because they wouldn't do that but they couldn't operate these once they got infected and they were typically far away in forests and you have to somehow rescue them from there and never have cases like these
this is a screenshot from a Swedish Aftonbladet magazine explaining that this hospital in mr. talent had in-house infection with 5000 computers infected which is bad but what's even worse is that also these got infected their x-ray
systems which were running Windows and they actually had patients put into ambulance cars and drove in to other hospitals to be taken care of because they're in actions in their hospital systems at the time but something even more important
was about to happen 2003 a virus called
phizzer which I claim nobody here remembers and I also claim it's one of the most important viruses in history because fizzer was the first virus we would conclusively prove that from the very beginning this virus was written for one motive only and that motive was money so before 2003 everything we saw was written for fun for challenge for loves for kicks right nobody tried to make money with viruses until feasor and the way Fischer tried to make money is by sending spam so if you infect
computers build a proxy Network out of them so you could reroute proxy or email traffic through them and that that service has been sold to spammers and this is something we still still see today spam email spam still exists and it's still being sent through intact in home computers and obviously there's money to be made out of this very quickly many of the hobbyist virus writers of the time realized that they could actually use their skills to make money by cooperating with spammers by starting to steal passwords with key loggers starting to steal credit card details when people from infected computers were doing online purchases and typing in their usernames or passwords and very
quickly we also started seeing the shift geographical shift on where viruses were coming from in the good old days before our Z's turned into money-making machines they were mostly done in developed Western nations like Europe USA Canada Japan Australia today the biggest hotspots are Russia Ukraine Kazakhstan Romania Moldova China obviously and South America especially Brazil which is the biggest source of banking Trojans would steal money doing online banking and the virus riders themselves changed we had completely do kind of online criminals getting on the Vanetta and doing these his examples of
caught ones riders of the 1990s in on the top right corner mr. Channing how who wrote the love of cih aka the chernobyl virus and then here's some caught virus riders after 2003 you see
any difference so they became much more organized much more professional the guy at the bottom left mr. Tariq Alda who was actually using key loggers to steal credit card numbers and they were then laundering money from those credit card numbers by putting them into online poker games and losing money on purpose from the credit card numbers to account the day controls and then they would move them back to the real world and what they did is that they laundered close to 2 million euros and that money was then used to purchase gear gear like hiking boots tents sleeping bags knives GPS navigators plane tickets and all this was shipped to Iraq to the insurance fighting fighting over there so what we have here for example is a link between online crime viruses Trojans backdoors and funding the insurgents in Iraq so
some of the viruses that then started to make headlines money making viruses so big wait if my do bagel these were spam generating viruses mostly and then open-source are books like estimate which actually code source code of SP but it's licensed under GNU Public License and we've seen tens of thousands of variants of this throughout the years we probably still see versions of s T both being made today like eight years later and other typical BOTS or botnet creating books at the time so you have a number of infected machines and they could all be controlled centrally creating a botnet which could be used not just to send spam but also do banking Trojan attacks and credit card theft and stuff like that and then we got soul now Sony gets a lot of hate and they get it for a good reason they've been doing that stuff for a number of years I think it has really started with the rootkit that they were shipping on one sent and
switched food and Celine Dion music series so if you would buy a Celine Dion music CD and listen to it on your CD player no problem but if you put it inside your computer it would alter run an installer which would install a DRM code on your system no questions asked no prompting nothing it just installs a DRM system and then it installs a rootkit a Windows rootkit which hides the DRM and in fact it doesn't just hide the DRM it hides any file or any folder which starts with specific characters basically dollar underscore dollar I believe something like that which means yes you could hide a DRM but you could hide also anything else and viruses very quickly started naming their binaries with dollar underscore dollar because if a computer which had been used to in to listen to Celine Dion got infected Sony would know hide divulge and it would hide it so well that pretty much none of the antivirus programs at the time could scan the file telling them they just gone and of course some would claim that if you listen to sell in their own you deserve to get infected but I'm not saying that but they were in interesting comments coming out of Sony at the time especially a person called Thomas his'n president for Sony BMG international he made an the quote which was so good we actually printed t-shirts out of it most people don't even know
what a rootkit is so why should take care about it that's a great quote honey I don't know what it is I mean most people don't even know what the brain damage is so I should take care about it then we started seeing more and more
opiates not just from Sony but I mean from traditional virus riding gang so we wanted to make hide their their malicious code better hacks to our base it was a kit which you could use to hide any other binary or processes or registry keys or open ports then more viruses at the time storm worm many will still remember from 2007 in fact I believe we have yeah here's a video clip
shot in our lab showing the spread of storm work these we run this system which has illustrate where we block viruses if you look at the top corner the time is ticking away it's getting close to midnight and pretty much around midnight the outbreak of storm starts so watch carefully the system is now normal that's what it looks normally right now it's 11 p.m. and here we go well that's what an outbreak looks like that's a decent outbreak globally but it was everywhere where you have connectivity anywhere where you have computers massive infections Greenland looks great no viruses in Greenland and now it's over I mean took like maybe seven hours that's a typical outbreak but the kind of outbreak we used to see back then and then we had Midrand
Babolat which probably for a number of years stayed as the most advanced malware we've ever seen now we have two contenders for the same title but mebroot when we first found it it was
all related to this which movie is this matrix no matrix - that's correct matrix - there actually is a matrix Daisy I even heard this a matrix three but I haven't seen it what is she called what's her name Monica Bellucci very good she plays the part of Persephone in the movie why am i showing her because
she's gorgeous that's right but this is the website of monica bellucci many Capel she dug it in Italy she's Italian then this was one of the first if not the very first website that we saw that was used to spread may bro so we entered the days of drive-by downloads we would get infected by just browsing the web and now today this is the number one way of getting infected email and email worms haven't been the main problem for a number of years it's the web you browse the web you're there saying injecting JavaScript line there which goes through your all your plugins in your browser learning Java and QuickTime and flash and what have you tries to find an old version if you're an old version it will pop it and you're infected that's exactly what this page did that was one of the first cases where we saw it happening and what method actually did I study the install itself - the Master Boot Record of the infected computer which is pretty much exactly what brain did except a trend time we didn't have hard drives so it only went to the boot sector of the flopping this actually goes to the boot sector of your hard drive the first Master Boot Record now that's pretty hard to do on the windows but it did it and even more remarkably I think it's good example of how advanced these viruses started to become is that obviously when you're running below window boots before windows boots you've run the risk of crashing windows but it almost never did it was very well tested and and if it did I mean if something went wrong and then you
actually ended up with a problem with the windows blue screen now obviously Windows is crashed Windows is no longer running but mebroot was still running and in this case metal it would make a diagnostic dump of the crashed computer and send it back to the virus writers over the internet so they could debug and figure out white crashed no remote quality assurance formal configure the
biggest outbreak of 2009 still remains one of the biggest mysteries we have in the history of viruses massive massive infection which wasn't used to do anything at all and then we started
finding even more advanced if may bird was advanced this is pretty much the state of the art nowadays TDS s or aka allure L root kits which are today capable of infecting a 64-bit Windows 7 in the MBR booting all the way from the MBR surviving the windows boat regardless of all D all the security features that were introduced in Windows 7 pretty remarkable stuff the amount of infected machines around the world right now with this is in the millions and it's being used for different kind of money-making scams it's one of the biggest problems we have at the moment but that was still quite different from
from these ransom Trojans what we started seeing as well by this time like I explained earlier most of the infections were invisible you wouldn't know but you're infected but then we started seeing Trojans like GP code which were very visible but GP code does is that the infect your system then it waits for the PC to be idle so that you're not at the computer and then it starts encrypting your hard drive goes through your hard drive encrypts everything and then it changes to Windows wallpaper to this message where
it explains that you know all your files have now been encrypted if you want to get your files back please read the how to decrypt txt file and when you read the how to decrypt txt file they
explains to you in detail that yep we just encrypted your files using RSA 1024
with an aes key and if you want to get your files please actually email us here filemaker
at safe mail yet and send us a hundred and twenty-five bucks through a you cash prepaid system and provide this unique key which is unique to your system and they will provide you with the Decrypter and they actually will we work with multiple cases were affected users have sent the money and have gotten the deep crafter back and as much as I hate the idea of anybody sending any money to his clowns I know the people have done it that they have gotten their files back and this is this is pretty nasty way of making money with malware and it's also got nupoc Lee when we would find an email address like this which we know is being used by online criminals we would shut it down we haven't tracked this one down this email address still works today because we know there are users out there who need to be able to send money to criminals because they need their files back because they don't have backups of course but you should have these backups many of these cases have actually been corporate users well not just a corporate laptop has been encrypted but also Network shares have been encrypted and then they learned they actually don't have good backups on they have a big problem and they would be more than happy to pay a hundred and twenty-five dollars to get their files back but all
this work with Mulder like this did not prepare us for what we would find next when that was Stuxnet
Stuxnet which was found in summer of 2010 Stuxnet which had been around spreading in the wild already for a year and that's actually remarkable and that's actually embarrassing to us I mean us under virus vendors and us security companies we missed Stuxnet for a freaking year nobody saw it going around eventually when it was found it already had done what it wanted to do and of course as we know by now stocks it was written by you guys and you guys I mean the Americans the US government and it was a successful operation wanted to disrupt the Natanz nuclear enrichment plan in Iran and it did in fact we believe it was it already did what it wanted to do in 2000 9 so by the time we found it in 2010 it didn't actually matter anymore that already done what it did so let's let's look at that a little bit closer we have
obviously computers everywhere in factories in plants you go to any
chemical plant any power plant a food processing plant you look around it's
all being run by these that's a siemens s7 400 a typical PLC programmable logic controller and for example the elevators in this building most likely one PLC's or maybe SDU something along these lines automation which isn't running Windows isn't running is actually running CMAs gears running at 32 with light ups inside very fault-tolerant systems and the way they are being programmed is typically from Windows workstations and that's the route in in Stuxnet will in fact pretty much any Windows computer in the world but it won't do anything except replicates unless the computer has the siemens step7 programming environment installed and that's the environment you use to program these and even if if it finds step 7 running on the computer it won't do anything unless it's connected to the right kind of a PLC it has to be seen as as seven four one seven or another model if it finds the right PLC then it will reprogram the play of C and now it waits for somebody to disconnect the PLC from the computer and take it to a factory floor and it still won't do anything unless it's connected exactly the right kind of gear and it's looking specifically these
these are high frequency power converters manufactured by a company called mark on it's looking for a specific number of the right kind of high frequency power converters and of course these we believe where the converters that were used to spin in the centrifuge in the natives nuclear enrichment plant so the real target becomes not just the high frequency
power converters but the whole nuclear program or the nuclear enrichment program so it has been a pretty wild ride if we look at the last 25 years from brain spreading on five and quarter-inch floppy disks to Stuxnet's which is more than a megabyte of code multi-million dollar project more than ten nine years in making targeting completely undocumented tailor-made systems infecting PLC's which has never been done before it's been amazing change what we've seen many things have changed the same time many things haven't changed for example just a brain never spread over the internet because we didn't really have internet in 1996 that's when you have it today Stuxnet doesn't spread over the internet spread from on USB sticks why because the systems it wants to reach are not on the internet obviously nuclear systems are not online they're separated that's why it spreads on USB sticks brain was actually a rootkit if you try to read the infect the boot sector you wouldn't see it it would redirect theory that Center give you the original boot sector instead Stuxnet has a rootkit to hide itself not just on the infected Windows computer but also on the infected PLC so everything has changed so nothing has changed and it will be interesting to see what kind of viruses we will be analyzing 25 years from now thank you very much