Greetings from Finland
F-Secure Corp
We used to be fighting these...
Chen Ing-Hau: author of the CIH virus
Joseph McElroy: hacked the Fermilab network
Benny: ex-29A
Today we are fighting these!
Jeremy Jaynes: millionaire, and a spammer
Jay Echouafni: CEO, and a DDoS attacker
Andrew Schwarmkoff: member of the Russian mob, and a phisher
Bagle / Mydoom / Netsky variants, January to April 2004 (in order of discovery)
Fri 23.1.2004: Bagle.A
Tue 27.1.2004: Mydoom.A
Mon 16.2.2004: Netsky.A
Mon 16.2.2004: Mydoom.E
Tue 17.2.2004: Bagle.B
Wed 18.2.2004: Netsky.B
Tue 24.2.2004: Mydoom.F
Wed 25.2.2004: Netsky.C
Fri 27.2.2004: Bagle.C
Sat 28.2.2004: Bagle.D
Sat 28.2.2004: Bagle.E
Sun 29.2.2004: Netsky.D
Mon 1.3.2004: Bagle.F
Mon 1.3.2004: Bagle.G
Mon 1.3.2004: Netsky.E
Tue 2.3.2004: Bagle.H
Tue 2.3.2004: Bagle.I
Tue 2.3.2004: Netsky.F
Tue 2.3.2004: Bagle.J
Wed 3.3.2004: Mydoom.G
Wed 3.3.2004: Bagle.K
Wed 3.3.2004: Mydoom.H
Thu 4.3.2004: Netsky.G
Fri 5.3.2004: Netsky.H
Sun 7.3.2004: Netsky.I
Mon 8.3.2004: Netsky.J
Mon 8.3.2004: Netsky.K
Tue 9.3.2004: Bagle.L
Wed 10.3.2004: Netsky.L
Thu 11.3.2004: Netsky.M
Thu 11.3.2004: Bagle.M
Sat 13.3.2004: Bagle.N
Sat 13.3.2004: Bagle.O
Mon 15.3.2004: Bagle.P
Wed 17.3.2004: Netsky.O
Thu 18.3.2004: Bagle.Q
Thu 18.3.2004: Bagle.R
Thu 18.3.2004: Bagle.S
Thu 18.3.2004: Bagle.T
Sun 21.3.2004: Netsky.P
Fri 26.3.2004: Bagle.U
Mon 29.3.2004: Bagle.V
Mon 29.3.2004: Netsky.Q
Wed 31.3.2004: Netsky.R
Mon 5.4.2004: Netsky.S
Mon 5.4.2004: Bagle.W
Tue 6.4.2004: Netsky.T
Thu 8.4.2004: Netsky.U
Tue 13.4.2004: Mydoom.I
Wed 14.4.2004: Netsky.V
Thu 15.4.2004: Netsky.W
Fri 16.4.2004: Mydoom.J
Mon 19.4.2004: Netsky.X
Tue 20.4.2004: Netsky.Y
Wed 21.4.2004: Netsky.Z
Bagle
Mydoom
Netsky
Sasser
Korgo
Sober
Case Sobig / 2003
Series of email worms released roughly a month apart
Variant   Found          Expires
Sobig.A   January 9th    Never
Sobig.B   May 18th       May 31st
Sobig.C   May 31st       June 8th
Sobig.D   June 18th      July 2nd
Sobig.E   June 25th      July 14th
Sobig.F   August 19th    September 10th
Case Sobig
All variants were connected to spamming
All downloaded and installed an email proxy
Some of the variants were very successful
One variant was the biggest email outbreak ever
Direct spam
[Diagram: "Cheap Viagra, loans and Rolexes Inc." (the spammer) sends mail straight to Ed, Bob, Lisa, Jack and Mary. Every recipient sees the spammer's own machine as the source.]
Spam through Proxy
[Diagram: the same spammer sends through Peter, an infected PC acting as a proxy; Peter's machine then delivers the mail to Ed, Bob, Lisa, Jack and Mary. The recipients see Peter as the source, not the spammer.]
Risk & Reward
A few weeks after the Sobig.F outbreak, Microsoft started its bounty program
$250,000 offered for information leading to the arrest of the author of Sobig
A manhunt started
With no results
And nothing happened...
Then, in October 2004...
Somebody sent us a report
Which was made by an anonymous party
Called "WhoWroteSobig.pdf"
About WhoWroteSobig.pdf
- Written by an anonymous source
- Verifiable by a PGP signature
- Uses technical analysis to identify the author of the worm
- 48 pages
Main arguments
Claims that Sobig was written by a Mr. Ruslan Ibragimov / the Send-Safe team from Russia
Send-Safe uses proxies created by Sobig
Release times of Sobig match release times of Send-Safe
The code of Send-Safe and Sobig is similar
[Figure: screenshots of Send-Safe, Coreflood and Sobig.F; Send-Safe v2.19]
Comparing Sobig and Send-Safe visually
[Figure: side-by-side view of Send-Safe and Sobig.E]
Case Cabir
First real mobile phone virus
Found in June 2004
Proof-of-concept
By 29A
Spreads via Bluetooth
Kinda like the flu
Cabir is spreading in the wild.
Cabir was found in June
It was thought not to be in the wild
In August, we got unconfirmed reports from the Philippines
Last month, we got the first confirmed reports from Singapore
New reports also from: UAE, China, India, Finland!
Case Skulls
New trojan for Symbian
Found last week
Kills your apps
Very hard to get rid of
Nokia 6670 and 7710
First phones in history to contain antivirus by default
Thank you!
F-Secure Awards
[Figure: magazine award logos. United Kingdom 10/03; United Kingdom 05/04; Sweden 11/03; Sweden 03/03; United Kingdom 03/04 and 02/04; Finland 02/04; Germany 04/03; Germany 05/04; United Kingdom 01/04; PC Pro; Norway 05/04]