Virus Bulletin 2006 Keynote


Virus Bulletin 2006 Montreal KEYNOTE
Mikko Hypponen
Chief Research Officer
F-Secure Corporation
www.f-secure.com
www.hypponen.com
Simplified example
(a) Computer virus consists of an excitatory (x) and an
inhibitory (y) binary neuron. Each neuron represents the
average activity of a cluster of biological cells.
(b) Synchronizing connections (solid) hold between
oscillators within one layer and desynchronizing
connections (dotted) between different layers. “R” and “G”
denote the red and green channel.
(c) Oscillators are arranged in a 3D-topology. The shaded
circles visualize the range of synchronizing (light gray)
and desynchronizing (dark gray) connections of a neuron
in the top layer (black pixel).
Hello
name:
Mikko Hypponen
CRO
Helsinki
1990
300 PC viruses
200,000
Good
Evil
Canada!
eh
Keynote
Criminal
investigation
For-profit botnet
gang
Attacked us
Investigation
Several months
Busted
3 arrests
Excellent
case study
Keynote
www.f-secure.com/weblog
1986
Brain
1987
Stoned
1987
Cascade
1989
Yankee Doodle
1989
Dark Avenger
1990
Form
1991
Omega
13th of September
1991
1992
Michelangelo
1992
V-Sign
C:\horror\vdemo\ELVIRA-G.COM
C:\horror\vdemo\Q-V-SIGN.COM
C:\horror\vdemo\WALKER.COM
C:\horror\vdemo\ELVIRA-G.COM
C:\horror\vdemo\MARS-G.COM
C:\horror\vdemo\Q-CASINO.COM
1992
MtE
1992
VCL
1992
1992
WinVir
1993
Monkey
1994
One_half
1995
Concept
Bail:
If Err <> 102 Then
FileSaveAs dlg
End If
Done:
End Sub
Payload:
Sub MAIN
REM That's enough to prove my point
End Sub
1996
Laroux
Good
Evil
1996
Boza
1998
Marburg
1998
RemoteExplorer
1998
Happy99
1999
Funlove
1999
ZippedFiles
1999
Melissa
1999
Bubbleboy
2000
Loveletter
C:\h
Date: Thu, 4 May 2000 10:23:38 +0100
From: "Alex at MessageLabs" <[email protected]>
To: "F-Secure Samples" <[email protected]>
Subject: URGENT HEADS UP - LoveBug virus sample
This is a big one guys.
600 copies in the last hour.
Call me for details
Alex
2001
Annakournikova
[ aka VBSWG.ASDF ]
2001
Badtrans
2001
Sircam
2001
Nimda
2002
Klez
2002
Bugbear
2003
Mimail
2003
Swen
2001
Code Red
2002
Slapper
2003
Slammer
2003
Blaster
2004
Sasser
OOPS
Name: Slammer
Transportation: Air traffic control problems in USA
Power: Infected a nuclear power plant in Ohio
Infrastructure: 911 phone services down in Seattle
Banks: Bank of America's ATM network down
Name: Blaster
Transportation: Air Canada flights grounded, CSX trains stopped
Power: NY ISO power operator's network infected
Infrastructure: Numerous RPC-based SCADA networks down
Banks: Several Windows-based ATM networks infected
Name: Sasser
Transportation: Railcorp trains stopped in Australia, Delta flight problems, delays with British Airways flights
Power: Hong Kong government's department of energy networks infected
Infrastructure: Infected: Two hospitals in Sweden, EU commission, Heathrow airport, Coastguard UK
Banks: Several banks shutting down offices because of internal infections
2003
Fizzer
Spam through Proxy
Enlarge-Your-Penis
Enterprises Inc.
Peter
(infected computer)
(Spammer)
Old enemy
Chen-Ing Hau
Joseph McElroy
Jeffrey Lee Parson
New enemy
Jeremy Jaynes
Jay Echouafni
Andrew Schwarmkoff
Good
Evil
2003
Sobig
2004
Mydoom
2004
Bagle
2004
Netsky
Fri 23.1.2004: Bagle.A
Tue 27.1.2004: Mydoom.A
Mon 16.2.2004: Netsky.A
Mon 16.2.2004: Mydoom.E
Tue 17.2.2004: Bagle.B
Wed 18.2.2004: Netsky.B
Tue 24.2.2004: Mydoom.F
Wed 25.2.2004: Netsky.C
Fri 27.2.2004: Bagle.C
Sat 28.2.2004: Bagle.D
Sat 28.2.2004: Bagle.E
Sun 29.2.2004: Netsky.D
Mon 1.3.2004: Bagle.F
Mon 1.3.2004: Bagle.G
Mon 1.3.2004: Netsky.E
Tue 2.3.2004: Bagle.H
Tue 2.3.2004: Bagle.I
Tue 2.3.2004: Netsky.F
Tue 2.3.2004: Bagle.J
Wed 3.3.2004: Mydoom.G
Wed 3.3.2004: Bagle.K
Wed 3.3.2004: Mydoom.H
Thu 4.3.2004: Netsky.G
Fri 5.3.2004: Netsky.H
Sun 7.3.2004: Netsky.I
Mon 8.3.2004: Netsky.J
Mon 8.3.2004: Netsky.K
Tue 9.3.2004: Bagle.L
Wed 10.3.2004: Netsky.L
Thu 11.3.2004: Netsky.M
Tue 11.3.2004: Bagle.M
Thu 13.3.2004: Bagle.N
Thu 13.3.2004: Bagle.O
Sat 15.3.2004: Bagle.P
Mon 17.3.2004: Netsky.O
Tue 18.3.2004: Bagle.Q
Thu 18.3.2004: Bagle.R
Thu 18.3.2004: Bagle.S
Thu 18.3.2004: Bagle.T
Sun 21.3.2004: Netsky.P
Fri 26.3.2004: Bagle.U
Mon 29.3.2004: Bagle.V
Mon 29.3.2004: Netsky.Q
Wed 31.3.2004: Netsky.R
Mon 5.4.2004: Netsky.S
Mon 5.4.2004: Bagle.W
Tue 6.4.2004: Netsky.T
Thu 8.4.2004: Netsky.U
Tue 13.4.2004: Mydoom.I
Wed 14.4.2004: Netsky.V
Thu 15.4.2004: Netsky.W
Fri 16.4.2004: Mydoom.J
Mon 19.4.2004: Netsky.X
2003
SDBot
2005
Mytob
2005
Zotob
2005
Sony BMG
quote
2005
Nyxem
2005
Haxdoor
2006
Warezov
sadujadesion.com
yuhadefunjinsa.com
jaxedunnjsatunheri.com
gadesunheranwui.com
vertionkdaseliplim.com
ertinmdesachlion.com
2005
Spysheriff
Bancos
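Brazilian Busts
Operation: 2001 "Cash net"; Arrests: 17; Money stolen: $46,000,000
Operation: 2003 "Cavalo de troija I"; Arrests: 27; Money stolen: $14,000,000
Operation: 2004 "Cavalo de troija II"; Arrests: 64; Money stolen: $110,000,000
Operation: 2005 "Pegasus"; Arrests: 85; Money stolen: $33,000,000
Operation: 2006 "Scan"; Arrests: 63; Money stolen: $4,700,000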
#darkmarket
<claatrass> what accounts you have and the value
<hacker_xero> i have chase accts with wire enabled
<claatrass> whats the value
<hacker_xero> balances 21k, 44k, 30k
<claatrass> how much for all three
<hacker_xero> $500
<claatrass> ok
Good
Evil
How on earth can
we handle all
these?
Future?
VB2011
VB2016
Wi-Fi viruses
Hitting Windows
laptops
Sniffing
WLAN traffic
Inserting itself into
TCP/IP frames
Uses
web exploits
Good
Evil
Good
will
prevail
Thanks to Lawrence Lessig