Greetings from Finland. F-Secure Corp.
We used to be fighting these...
• Chen-Ing Hau: author of the CIH virus
• Joseph McElroy: hacked the Fermilab network
• Benny: ex-29A

Today we are fighting these!
• Jeremy Jaynes: millionaire, and a spammer
• Jay Echouafni: CEO, and a DDoS attacker
• Andrew Schwarmkoff: member of the Russian mob, and a phisher
Virus year 2004
• Fri 23.1.2004: Bagle.A
• Tue 27.1.2004: Mydoom.A
• Mon 16.2.2004: Netsky.A
• Mon 16.2.2004: Mydoom.E
• Tue 17.2.2004: Bagle.B
• Wed 18.2.2004: Netsky.B
• Tue 24.2.2004: Mydoom.F
• Wed 25.2.2004: Netsky.C
• Fri 27.2.2004: Bagle.C
• Sat 28.2.2004: Bagle.D
• Sat 28.2.2004: Bagle.E
• Sun 29.2.2004: Netsky.D
• Mon 1.3.2004: Bagle.F
• Mon 1.3.2004: Bagle.G
• Mon 1.3.2004: Netsky.E
• Tue 2.3.2004: Bagle.H
• Tue 2.3.2004: Bagle.I
• Tue 2.3.2004: Netsky.F
• Tue 2.3.2004: Bagle.J
• Wed 3.3.2004: Mydoom.G
• Wed 3.3.2004: Bagle.K
• Wed 3.3.2004: Mydoom.H
• Thu 4.3.2004: Netsky.G
• Fri 5.3.2004: Netsky.H
• Sun 7.3.2004: Netsky.I

The Virus Weeks 2004
• Mon 8.3.2004: Netsky.J
• Mon 8.3.2004: Netsky.K
• Tue 9.3.2004: Bagle.L
• Wed 10.3.2004: Netsky.L
• Thu 11.3.2004: Netsky.M
• Thu 11.3.2004: Bagle.M
• Sat 13.3.2004: Bagle.N
• Sat 13.3.2004: Bagle.O
• Mon 15.3.2004: Bagle.P
• Wed 17.3.2004: Netsky.O
• Thu 18.3.2004: Bagle.Q
• Thu 18.3.2004: Bagle.R
• Thu 18.3.2004: Bagle.S
• Thu 18.3.2004: Bagle.T
• Sun 21.3.2004: Netsky.P
• Fri 26.3.2004: Bagle.U
• Mon 29.3.2004: Bagle.V
• Mon 29.3.2004: Netsky.Q
• Wed 31.3.2004: Netsky.R
• Mon 5.4.2004: Netsky.S
• Mon 5.4.2004: Bagle.W
• Tue 6.4.2004: Netsky.T
• Thu 8.4.2004: Netsky.U
• Tue 13.4.2004: Mydoom.I
• Wed 14.4.2004: Netsky.V
• Thu 15.4.2004: Netsky.W
• Fri 16.4.2004: Mydoom.J
• Mon 19.4.2004: Netsky.X
• Tue 20.4.2004: Netsky.Y
• Wed 21.4.2004: Netsky.Z
Virus year 2004
• Bagle
• Mydoom
• Netsky
• Sasser
• Korgo
• Sober
Case Sobig / 2003
Series of email worms released roughly a month apart

Variant    Found          Expires
____________________________________________
Sobig.A    January 9th    Never
Sobig.B    May 18th       May 31st
Sobig.C    May 31st       June 8th
Sobig.D    June 18th      July 2nd
Sobig.E    June 25th      July 14th
Sobig.F    August 19th    Sept 10th
____________________________________________
Case Sobig
• All variants were connected to spamming
• All downloaded and installed an email proxy
• Some of the variants were very successful: one variant was the biggest email outbreak ever
Direct spam (diagram): Cheap Viagra, loans and Rolexes Inc. (Spammer) sends its mail straight to Ed, Bob, Lisa, Jack and Mary, so every recipient sees the spammer's own address as the source.
Spam through proxy (diagram): the same spammer hands all of its mail to Peter's infected machine (Proxy), which relays it to Ed, Bob, Lisa, Jack and Mary; the recipients only ever see Peter's address.
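The proxy path in the diagram above has a network-level signature that a defender can look for: a workstation that is not a mail server suddenly opens SMTP connections to many different receiving servers, shortly after an outside host has connected to it. The Python below is an added example, not from the original presentation or from F-Secure; the flow records, the addresses (10.0.0.42 as Peter's infected desktop, 203.0.113.9 as the spammer, 10.0.0.7 as the legitimate outbound mail server), the proxy port 8080 and the thresholds are all constructed for illustration.

```python
"""
Spot an internal host acting as a spam proxy from connection-level flow records.
Added example (not from the original presentation); all addresses, ports,
thresholds and log lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def build_sample_log() -> str:
    """Constructed flow records (not real traffic), one TCP connection attempt
    per line: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    t0 = datetime(2004, 9, 1, 10, 0, 0)
    rows = []
    # The spammer (outside) reaches the proxy port the worm opened on Peter's
    # desktop (10.0.0.42), two seconds before the fan-out starts.
    rows.append((t0 - timedelta(seconds=2), "203.0.113.9", "10.0.0.42", 8080))
    # The infected desktop then relays to twenty different receiving MTAs.
    for n in range(1, 21):
        rows.append((t0 + timedelta(seconds=n), "10.0.0.42", f"192.0.2.{n}", 25))
    # The company's real outbound MTA (10.0.0.7) also fans out; that is its job.
    for n in range(1, 16):
        rows.append((t0 + timedelta(seconds=n), "10.0.0.7", f"198.51.100.{n}", 25))
    # An ordinary desktop: one submission to the internal MTA, plus two stray
    # direct connections to outside MXs (below the threshold, so not flagged).
    rows.append((t0 + timedelta(seconds=5), "10.0.0.5", "10.0.0.7", 25))
    rows.append((t0 + timedelta(seconds=40), "10.0.0.5", "192.0.2.99", 25))
    rows.append((t0 + timedelta(seconds=41), "10.0.0.5", "192.0.2.98", 25))
    return "\n".join(f"{ts.isoformat()} {s} {d} {p}" for ts, s, d, p in rows)


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow format above; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_spam_proxies(flows, internal="10.0.0.0/8", mail_servers=frozenset({"10.0.0.7"}),
                      window=timedelta(seconds=60), min_distinct=8):
    """Return {src_ip: details} for internal hosts that are not sanctioned mail
    servers yet opened SMTP (tcp/25) connections to at least `min_distinct`
    different outside hosts within any `window`.  `inbound_from` lists outside
    hosts that connected *to* the suspect just before its first fan-out: in the
    proxy model that is the only place the spammer's own address shows up,
    because the recipients' mail servers only ever see the proxy."""
    net = ip_network(internal)
    by_src = defaultdict(list)
    for f in flows:
        if (f.dport == 25 and ip_address(f.src) in net
                and ip_address(f.dst) not in net and f.src not in mail_servers):
            by_src[f.src].append(f)

    suspects = {}
    for src, outbound in by_src.items():
        outbound.sort(key=lambda f: f.ts)
        # Sliding time window, tracking how many distinct destinations it holds.
        in_window = defaultdict(int)
        left, best = 0, 0
        for f in outbound:
            in_window[f.dst] += 1
            while f.ts - outbound[left].ts > window:
                old = outbound[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best < min_distinct:
            continue
        first = outbound[0].ts
        inbound = sorted({g.src for g in flows
                          if g.dst == src and ip_address(g.src) not in net
                          and first - window <= g.ts <= first})
        suspects[src] = {"distinct_mx": best, "first_seen": first, "inbound_from": inbound}
    return suspects


if __name__ == "__main__":
    for host, info in find_spam_proxies(parse_flows(build_sample_log())).items():
        print(f"{host}: {info['distinct_mx']} distinct MXs within a minute, "
              f"first seen {info['first_seen'].isoformat()}, "
              f"inbound from {info['inbound_from'] or 'nobody'}")
```

Run as-is it flags only 10.0.0.42 (20 distinct destinations in under a minute, preceded by the connection from 203.0.113.9); the real mail server is on the allow-list and the ordinary desktop stays under the threshold. The allow-list and the threshold are the knobs that need tuning per network; the inbound correlation is what turns "this desktop is spewing mail" into "and here is who is driving it".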
Risk & Reward
• A few weeks after the Sobig.F outbreak, Microsoft started its bounty program
• $250,000 offered for information leading to the arrest of the author of Sobig
• Manhunt started
• With no results
• And nothing happened...
Then, in October 2004... • Somebody sent us a report • Which was made by an anonymous party • Called "WhoWroteSobig.pdf"
About WhoWroteSobig.pdf • Written by anonymous source • Verifiable by a PGP signature • Uses technical analysis to prove the author of the worm • 48 pages
Main arguments • Claims that Sobig was written by a Mr. Ruslan Ibragimov / Send-Safe team from Russia • Send-Safe uses proxies – created by Sobig • Release times of Sobig match release times of Send-Safe • The code of Send-Safe and Sobig is similar
Coreflood
Comparing Sobig and Send-Safe visually (embedded PDFs): Sobig.E, Sobig.F, Send-Safe v2.19
Case Cabir • First real mobile phone virus • Found in June 2004 • Proof-of-concept • By 29A • Spreads via Bluetooth • Kinda like the flu
Cabir is spreading in the wild. Right now!
• Cabir was found in June
• It was thought not to be in the wild
• In August, we got unconfirmed reports from the Philippines
• Last month, we got the first confirmed reports from Singapore
New reports also from: UAE, China, India, Finland!
Case Skulls • New trojan for Symbian • Found last week • Kills your apps • Very hard to get rid of
Nokia 6670 and 7710 First phones in history to contain antivirus by default
F-Secure Awards
• Norway 05/04
• Germany 05/04
• United Kingdom 05/04
• United Kingdom 03/04 and 02/04
• Finland 02/04
• PC Pro, United Kingdom 01/04
• Sweden 11/03
• United Kingdom 10/03
• Germany 04/03
• Sweden 03/03