http://www.synapse-labs.com [email protected]
The Malware Industry (Part I)
Presented by: Sofiane Talmat
Malware research team: Sofiane Talmat (Algeria), Ehab Hussein (Egypt)
Solution Development
Security Services
Corporate Services
Trainings
Viruses don't harm, ignorance does!
« The evolution of malware within the last ten years is described by the evolution of people who develop that » (Eugene Kaspersky)
• 1948 – 1966 (First theoretical approach)
• John von Neumann, « Theory of self-reproducing automata »
• 1971 (First worm)
• Robert (Bob) H. Thomas (BBN Technologies), « Creeper »
"I'm the creeper, catch me if you can!"
• Machine: PDP-10
• System: TENEX
• Transport: ARPANET
WORM
• 1974/1975 (First Trojan horse)
• John Walker, « ANIMAL », UNIVAC 1108
TROJAN HORSE
• 1981/1982 (First microcomputer virus)
• Rich Skrenta
« Elk Cloner », Apple II
Boot sector infector
BOOT SECTOR
• 1986 (First IBM PC virus)
• Basit & Amjad Farooq Alvi
« Brain », a boot sector virus, also known as « Pakistani flu » and « Lahore »
• 1986 (First file-infector virus)
• Ralf Burger
« Virdem », a demonstration .COM infector. The program greets its victim with:
VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - 05932/5451
This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x
COM INFECTION
• 1987 (Destructive viruses)
– Vienna / Lehigh / Yale / Stoned / Ping Pong
• Cascade (self-encrypting file virus): the body is stored encrypted and only a short decryptor stays in clear; the outbreak led IBM to ship its own antivirus
SELF-ENCRYPTED
• 1987
• Jerusalem
« Infects .EXE files » (and .COM files)
• Memory-resident: hooks the DOS interrupt (INT 21h) to infect programs as they are run
• Payload triggers on Friday the 13th
Aliases: 1808 (EXE), 1813 (COM), ArabStar, BlackBox, BlackWindow, Friday13th, HebrewUniversity, Israeli, PLO, Russian
EXE Infection
• 1988 (First Internet worm)
• Robert Tappan Morris
« The Morris worm »: spread through a buffer overflow in fingerd (among other vectors), about 6,000 infected machines
BUFFER OVERFLOW
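The overflow the Morris worm used against fingerd is a gets()-style copy into a fixed stack buffer with no length check. The following is an added example written for this page, not code from the talk or from the worm: it models a frame as a 16-byte line buffer followed by the saved return address (both sizes and the return-address value 0x401234 are constructed for the demo), then shows what the unbounded copy does to that address and what the bounded, fgets()-style replacement does instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the fingerd stack frame the 1988 worm overran: a fixed-size
 * line buffer sitting just below the saved return address. Real frames also
 * hold saved registers and padding; only the ordering matters here. */
#define LINE_BUF 16
#define FRAME_BYTES (LINE_BUF + sizeof(uint64_t))

struct frame { unsigned char bytes[FRAME_BYTES]; };

/* Constructed placeholder for the caller's return address. */
static const uint64_t SAVED_RET = 0x0000000000401234ULL;

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, LINE_BUF);
    memcpy(f->bytes + LINE_BUF, &SAVED_RET, sizeof SAVED_RET);
}

uint64_t frame_ret(const struct frame *f) {
    uint64_t r;
    memcpy(&r, f->bytes + LINE_BUF, sizeof r);
    return r;
}

/* The 1988 pattern: a gets()-style copy with no length check, so a request
 * longer than the buffer overwrites whatever follows it, including the saved
 * return address. The copy is capped at the model frame only so that this
 * demo itself stays memory-safe; the real gets() kept writing past the frame. */
void read_line_unbounded(struct frame *f, const unsigned char *req, size_t len) {
    frame_init(f);
    size_t n = len < FRAME_BYTES ? len : FRAME_BYTES;
    memcpy(f->bytes, req, n);
}

/* Hardened form: never copy more than the buffer holds and always terminate,
 * which is what replacing gets(buf) with fgets(buf, sizeof buf, stdin) buys. */
void read_line_bounded(struct frame *f, const unsigned char *req, size_t len) {
    frame_init(f);
    size_t n = len < (size_t)(LINE_BUF - 1) ? len : (size_t)(LINE_BUF - 1);
    memcpy(f->bytes, req, n);
    f->bytes[n] = '\0';
}

/* Constructed over-long request: LINE_BUF bytes of filler followed by eight
 * attacker-chosen bytes ('B') that land exactly on the saved return address. */
static void build_request(unsigned char *req, size_t len) {
    memset(req, 'A', len);
    if (len > LINE_BUF) memset(req + LINE_BUF, 'B', len - LINE_BUF);
}

/* Return address seen by the caller after each variant handled the request. */
uint64_t ret_after_unbounded(void) {
    struct frame f; unsigned char req[FRAME_BYTES];
    build_request(req, sizeof req);
    read_line_unbounded(&f, req, sizeof req);
    return frame_ret(&f);
}

uint64_t ret_after_bounded(void) {
    struct frame f; unsigned char req[FRAME_BYTES];
    build_request(req, sizeof req);
    read_line_bounded(&f, req, sizeof req);
    return frame_ret(&f);
}

int main(void) {
    printf("saved return address   : 0x%016llx\n", (unsigned long long)SAVED_RET);
    printf("after gets()-style copy: 0x%016llx\n", (unsigned long long)ret_after_unbounded());
    printf("after bounded copy     : 0x%016llx\n", (unsigned long long)ret_after_bounded());
    return 0;
}
```

After the unbounded copy the return address reads 0x4242424242424242, i.e. the attacker's eight bytes; the bounded copy leaves it at 0x401234 and truncates the line instead. The 1988 fix was exactly that substitution in fingerd, plus a length check on the request.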
• 1989 (First multipartite virus)
• Ghostball
• Infects EXE and COM files as well as the boot sector
Multipartite virus
• 1990 (First polymorphic virus)
• Mark Washburn & Ralf Burger
« The Chameleon family », built on their analysis of « Vienna » and « Cascade »
« 1260 », the first member of the family: the decryptor itself changes from one infection to the next, so no fixed byte signature matches
Polymorphism
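The difference between Cascade's self-encryption and 1260's polymorphism is where the signature scanner can still get a grip. The following is an added example for this page, not code from the talk or from either virus: a constructed "virus body" is stored under a per-infection decryptor built from byte operations (XOR, ADD, rotate). The Cascade-style variant keeps one fixed XOR loop and only changes the key, so the body hides from a signature but the decryptor's shape does not; the 1260-style variant draws a different operation list per generation. The payload text, the signature "VIRUS BODY", the xorshift PRNG and the rule that the step count comes from the seed are all assumptions of the demo, not behaviour of the real viruses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the virus body a scanner wants to sign. */
static const uint8_t PAYLOAD[] = "HELLO, THIS IS THE VIRUS BODY";
#define PAYLOAD_LEN (sizeof PAYLOAD - 1)
/* Constructed scanner signature taken from the plaintext body. */
static const uint8_t SIG[] = "VIRUS BODY";
#define SIG_LEN (sizeof SIG - 1)
#define MAX_STEPS 4

enum op { OP_XOR, OP_ADD, OP_ROL };
struct step { enum op op; uint8_t k; };
/* A decryptor is a short list of byte operations applied to every body byte.
 * Its "shape" (the op sequence without operands) stands in for the decryptor
 * code that a byte-signature scanner would try to match. */
struct decryptor { struct step s[MAX_STEPS]; int n; };

static uint8_t rol8(uint8_t v, unsigned r) { r &= 7; return (uint8_t)((v << r) | (v >> ((8 - r) & 7))); }
static uint8_t ror8(uint8_t v, unsigned r) { r &= 7; return (uint8_t)((v >> r) | (v << ((8 - r) & 7))); }

/* One step, forward (decrypt direction) or inverted (encrypt direction). */
static uint8_t apply(struct step st, uint8_t b, int inverse) {
    switch (st.op) {
    case OP_XOR: return (uint8_t)(b ^ st.k);
    case OP_ADD: return (uint8_t)(inverse ? b - st.k : b + st.k);
    default:     return inverse ? ror8(b, st.k) : rol8(b, st.k);
    }
}

/* The decryptor loop that runs at load time: steps in order, in place. */
void run_decryptor(const struct decryptor *d, uint8_t *buf, size_t len) {
    for (int i = 0; i < d->n; i++)
        for (size_t j = 0; j < len; j++) buf[j] = apply(d->s[i], buf[j], 0);
}

/* Encryption at infection time: the same steps inverted, in reverse order. */
void encrypt_for(const struct decryptor *d, uint8_t *buf, size_t len) {
    for (int i = d->n - 1; i >= 0; i--)
        for (size_t j = 0; j < len; j++) buf[j] = apply(d->s[i], buf[j], 1);
}

/* Cascade-style self-encryption: one fixed XOR loop, only the key varies. */
struct decryptor fixed_decryptor(uint8_t key) {
    struct decryptor d = {{{OP_XOR, key}}, 1};
    return d;
}

/* 1260-style engine: a different step list per infection. Operands come from a
 * small xorshift PRNG; the step count is derived from the seed (an assumption
 * of this demo) so two generations can be compared deterministically. */
static uint32_t xs(uint32_t *st) { *st ^= *st << 13; *st ^= *st >> 17; *st ^= *st << 5; return *st; }
struct decryptor random_decryptor(uint32_t seed) {
    struct decryptor d;
    uint32_t st = seed * 2654435761u + 1u;
    d.n = 2 + (int)(seed % 3);
    for (int i = 0; i < d.n; i++) {
        d.s[i].op = (enum op)(xs(&st) % 3);
        /* never emit an identity step (XOR/ADD 0, ROL 0) */
        d.s[i].k = d.s[i].op == OP_ROL ? (uint8_t)(1 + xs(&st) % 7) : (uint8_t)(1 + xs(&st) % 255);
    }
    return d;
}

/* 1987-era detection: a fixed byte pattern anywhere in the sample. */
int has_signature(const uint8_t *hay, size_t hlen, const uint8_t *sig, size_t slen) {
    for (size_t i = 0; i + slen <= hlen; i++)
        if (memcmp(hay + i, sig, slen) == 0) return 1;
    return 0;
}

static int same_shape(const struct decryptor *a, const struct decryptor *b) {
    if (a->n != b->n) return 0;
    for (int i = 0; i < a->n; i++) if (a->s[i].op != b->s[i].op) return 0;
    return 1;
}

/* Does the body, as written to disk under decryptor d, still carry SIG? */
static int body_signature_visible(const struct decryptor *d) {
    uint8_t body[PAYLOAD_LEN];
    memcpy(body, PAYLOAD, PAYLOAD_LEN);
    encrypt_for(d, body, PAYLOAD_LEN);
    return has_signature(body, PAYLOAD_LEN, SIG, SIG_LEN);
}

/* Does running the decryptor over the on-disk body give the original back? */
static int roundtrip_ok(const struct decryptor *d) {
    uint8_t body[PAYLOAD_LEN];
    memcpy(body, PAYLOAD, PAYLOAD_LEN);
    encrypt_for(d, body, PAYLOAD_LEN);
    run_decryptor(d, body, PAYLOAD_LEN);
    return memcmp(body, PAYLOAD, PAYLOAD_LEN) == 0;
}

int plain_signature_visible(void) { return has_signature(PAYLOAD, PAYLOAD_LEN, SIG, SIG_LEN); }
int fixed_signature_visible(uint8_t key) { struct decryptor d = fixed_decryptor(key); return body_signature_visible(&d); }
int fixed_roundtrip_ok(uint8_t key) { struct decryptor d = fixed_decryptor(key); return roundtrip_ok(&d); }
int fixed_same_shape(uint8_t k1, uint8_t k2) { struct decryptor a = fixed_decryptor(k1), b = fixed_decryptor(k2); return same_shape(&a, &b); }
int poly_roundtrip_ok(uint32_t seed) { struct decryptor d = random_decryptor(seed); return roundtrip_ok(&d); }
int poly_same_shape(uint32_t s1, uint32_t s2) { struct decryptor a = random_decryptor(s1), b = random_decryptor(s2); return same_shape(&a, &b); }

int main(void) {
    printf("plaintext body carries signature: %d\n", plain_signature_visible());
    printf("self-encrypting (Cascade): body signature %d, decryptor shape shared by two keys %d\n",
           fixed_signature_visible(0x5A), fixed_same_shape(0x5A, 0x33));
    printf("polymorphic (1260): decrypts ok %d, decryptor shape shared by two generations %d\n",
           poly_roundtrip_ok(1), poly_same_shape(1, 2));
    return 0;
}
```

With the fixed XOR loop the body no longer matches the signature, but every infection shares the same decryptor shape, which is what scanners signed for Cascade. The random engine gives two generations different shapes while both still decrypt to the same body, so detection has to move from byte patterns to emulating or reasoning about the decryptor, the step that 1260 forced on the antivirus industry.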
• 1995 (First macro virus)
« Concept » (Microsoft Word). Its payload macro does nothing but state the point:
Sub MAIN
REM That's enough to prove my point
End Sub
Macro Virus
• 1998
• Chen Ing Hau
• CIH v1
« Chernobyl / Spacefiller »
Shipped by accident in commercial distributions: Sep. 1998 Yamaha driver, Oct. 1998 Activision's game SiN, Mar. 1999 IBM Aptiva PCs
• 1999 (Year of the worms)
– January 20: Happy99 worm (email) (Spanska)
– March 26: Melissa worm (Microsoft Word / Outlook)
– June 6: ExploreZip worm (Microsoft Office documents)
– December 30: Kak worm (JavaScript worm / Outlook Express bug)
• 2000 (The most damaging worm ever)
« ILOVEYOU worm (VBS/Loveletter) », written in VBScript
• 2001 (The year of exploits)
– May: Sadmind worm (Sun Solaris / Microsoft IIS)
– July: Code Red worm (Microsoft IIS indexing service)
– September: Nimda worm (Windows / reuses Code Red and Sadmind backdoors)
– October: Klez worm (MS IE / MS Outlook / Outlook Express)
• 2002 (Metamorphic virus)
• The Mental Driller
« Win32/Simile » (also known as Etap / MetaPHOR)
About 90% of the code is the metamorphic engine, which rewrites the whole virus body at each infection
Payload triggers on 14 May, depending on the system locale
METAMORPHIC VIRUS
• 2002/2003 (Rise of the RATs & Trojans)
– Beast (Delphi)
– Optix Pro
– Graybird
– ProRat
• 2003 (More worms in the wild)
– SQL Slammer worm (MS02-039, single UDP packet to port 1434)
• About 75,000 hosts in 10 minutes
– Blaster worm (RPC DCOM, MS03-026); comparable to Sasser in 2004
• DDoS with SYN flood against windowsupdate.com
• 2004 (First web worm)
« Santy »
– Target: phpBB forums
– About 40,000 sites infected
• 2006 (First ever Mac OS X virus)
« OSX/Leap-A or OSX/Oompa-A »
– LAN worm
– Spreads over the Bonjour protocol (iChat buddy list)
– Corrupts the files it infects
• 2007 (Did you say ZEUS?)
« ZEUS » (drive-by downloads / phishing)
– 196 countries
– June 2009: 74,000 FTP accounts
– 3.6 million infections in the USA
– 28 Oct. 2009: 1.5 million phishing messages on Facebook
– 14/15 Nov. 2009: 9 million infected emails (Verizon Wireless)
– Credit cards from 15 banks compromised
– 1 Oct. 2010: FBI / $70 million and 90 arrests
– May 2011: the source code is leaked
• 2008 (Bounty: $250,000)
« Conficker »
Exploits MS08-067 (Windows Server service RPC vulnerability, reached over SMB/NetBIOS)
BOTNET
• 2009 (Cyber attack)
« W32.Dozer », « July 2009 cyber attacks » (DDoS)
– 04/07/2009: USA / South Korea
– 07/07/2009: South Korea
– 09/07/2009: South Korea
Questions
Facebook.com/Synapse.Labs
Twitter: @Synapse_Labs