
Greetings from Finland


Presentation Transcript


  1. Greetings from Finland

  2. F-Secure Corp

  3. We used to be fighting these... • Chen-Ing Hau: author of the CIH virus • Joseph McElroy: hacked the Fermi lab network • Benny: ex-29A

  4. Today we are fighting these! • Jeremy Jaynes: millionaire, and a spammer • Jay Echouafni: CEO, and a DDoS attacker • Andrew Schwarmkoff: member of the Russian mob, and a phisher

  5. Virus year 2004

  6. The Virus Weeks 2004
     • Fri 23.1.2004: Bagle.A
     • Tue 27.1.2004: Mydoom.A
     • Mon 16.2.2004: Netsky.A
     • Mon 16.2.2004: Mydoom.E
     • Tue 17.2.2004: Bagle.B
     • Wed 18.2.2004: Netsky.B
     • Tue 24.2.2004: Mydoom.F
     • Wed 25.2.2004: Netsky.C
     • Fri 27.2.2004: Bagle.C
     • Sat 28.2.2004: Bagle.D
     • Sat 28.2.2004: Bagle.E
     • Sun 29.2.2004: Netsky.D
     • Mon 1.3.2004: Bagle.F
     • Mon 1.3.2004: Bagle.G
     • Mon 1.3.2004: Netsky.E
     • Tue 2.3.2004: Bagle.H
     • Tue 2.3.2004: Bagle.I
     • Tue 2.3.2004: Netsky.F
     • Tue 2.3.2004: Bagle.J
     • Wed 3.3.2004: Mydoom.G
     • Wed 3.3.2004: Bagle.K
     • Wed 3.3.2004: Mydoom.H
     • Thu 4.3.2004: Netsky.G
     • Fri 5.3.2004: Netsky.H
     • Sun 7.3.2004: Netsky.I
     • Mon 8.3.2004: Netsky.J
     • Mon 8.3.2004: Netsky.K
     • Tue 9.3.2004: Bagle.L
     • Wed 10.3.2004: Netsky.L
     • Thu 11.3.2004: Netsky.M
     • Tue 11.3.2004: Bagle.M
     • Thu 13.3.2004: Bagle.N
     • Thu 13.3.2004: Bagle.O
     • Sat 15.3.2004: Bagle.P
     • Mon 17.3.2004: Netsky.O
     • Tue 18.3.2004: Bagle.Q
     • Thu 18.3.2004: Bagle.R
     • Thu 18.3.2004: Bagle.S
     • Thu 18.3.2004: Bagle.T
     • Sun 21.3.2004: Netsky.P
     • Fri 26.3.2004: Bagle.U
     • Mon 29.3.2004: Bagle.V
     • Mon 29.3.2004: Netsky.Q
     • Wed 31.3.2004: Netsky.R
     • Mon 5.4.2004: Netsky.S
     • Mon 5.4.2004: Bagle.W
     • Tue 6.4.2004: Netsky.T
     • Thu 8.4.2004: Netsky.U
     • Tue 13.4.2004: Mydoom.I
     • Wed 14.4.2004: Netsky.V
     • Thu 15.4.2004: Netsky.W
     • Fri 16.4.2004: Mydoom.J
     • Mon 19.4.2004: Netsky.X
     • Tue 20.4.2004: Netsky.Y
     • Wed 21.4.2004: Netsky.Z

  7. Virus year 2004 • Bagle • Mydoom • Netsky • Sasser • Korgo • Sober

  8. Case Sobig / 2003
     Series of email worms released roughly a month apart

     Variant   Found          Expires
     ----------------------------------------
     Sobig.A   January 9th    Never
     Sobig.B   May 18th       May 31st
     Sobig.C   May 31st       June 8th
     Sobig.D   June 18th      July 2nd
     Sobig.E   June 25th      July 14th
     Sobig.F   August 19th    Sept 10th
     ----------------------------------------

  9. Case Sobig • All variants were connected to spamming • All downloaded and installed an email proxy • Some of the variants were very successful; one variant was the biggest email outbreak ever

  10. Direct spam (diagram): the spammer, "Cheap Viagra, loans and Rolexes Inc.", sends spam straight to the recipients Ed, Bob, Lisa, Jack and Mary, so every message comes from the spammer's own address.

  11. Spam through proxy (diagram): the same spammer sends its spam to Peter's infected machine, which acts as a proxy and relays it on to Ed, Bob, Lisa, Jack and Mary, so the messages appear to come from Peter.
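The proxy picture above is what a Sobig-installed email proxy looks like from the network: one workstation suddenly talks SMTP to many external mail servers. The following is an added detection example, not material from the talk; the log format, the 10.0.0.0/8 internal range, the relay address 10.0.0.25 and the threshold are all constructed assumptions.

```python
"""Flag internal hosts that fan out SMTP connections like a spam proxy.
Added example; record format and all addresses are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # assumed internal address range
MAIL_RELAY = ip_address("10.0.0.25")      # assumed legitimate outbound MTA

# Constructed connection log, one "src dst dport" record per line.
# 10.0.0.77 plays "Peter": a compromised host relaying a spammer's mail.
SAMPLE_LOG = """\
10.0.0.25 198.51.100.10 25
10.0.0.25 198.51.100.11 25
10.0.0.77 203.0.113.5 25
10.0.0.77 203.0.113.6 25
10.0.0.77 203.0.113.7 25
10.0.0.77 203.0.113.8 25
10.0.0.77 203.0.113.9 25
10.0.0.77 203.0.113.10 25
10.0.0.42 203.0.113.5 25
10.0.0.42 198.51.100.80 443
"""


def smtp_fanout(log):
    """Map each internal source to the number of distinct external SMTP peers."""
    peers = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # Only outbound SMTP from inside to outside is of interest here.
        if int(dport) != 25 or src_ip not in INTERNAL or dst_ip in INTERNAL:
            continue
        peers[src_ip].add(dst_ip)
    return {str(s): len(d) for s, d in peers.items()}


def suspected_proxies(log, threshold=5):
    """Internal hosts, other than the mail relay, that reached >= threshold
    distinct external MTAs; a workstation should not be doing this."""
    return sorted(src for src, n in smtp_fanout(log).items()
                  if n >= threshold and ip_address(src) != MAIL_RELAY)


if __name__ == "__main__":
    print(suspected_proxies(SAMPLE_LOG))  # ['10.0.0.77']
```

The single-destination host 10.0.0.42 stays below the threshold, while the relay is exempt by address, so only the fan-out host is reported.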

  12. Risk & Reward • A few weeks after the Sobig.F outbreak, Microsoft started its bounty program • $250,000 offered for information leading to the arrest of the Sobig author • Manhunt started • With no results • And nothing happened...

  13. Then, in October 2004... • Somebody sent us a report • Which was made by an anonymous party • Called "WhoWroteSobig.pdf"

  14. About WhoWroteSobig.pdf • Written by anonymous source • Verifiable by a PGP signature • Uses technical analysis to prove the author of the worm • 48 pages

  15. Main arguments • Claims that Sobig was written by a Mr. Ruslan Ibragimov / Send-Safe team from Russia • Send-Safe uses proxies – created by Sobig • Release times of Sobig match release times of Send-Safe • The code of Send-Safe and Sobig are Similar

  16. Send-safe

  17. Comparing Sobig and Send-Safe visually (embedded PDFs): Sobig.E, Sobig.F, Send-Safe v2.19, Coreflood

  18. Case Cabir • First real mobile phone virus • Found in June 2004 • Proof-of-concept • By 29A • Spreads via Bluetooth • Kinda like the flu

  19. Cabir is spreading in the wild. Right now! • Cabir was found in June • It was thought not to be in the wild • In August, we got unconfirmed reports from the Philippines • Last month, we got the first confirmed reports from Singapore • New reports also from: UAE, China, India, Finland!

  20. Case Skulls • New trojan for Symbian • Found last week • Kills your apps • Very hard to get rid of

  21. Nokia 6670 and 7710 First phones in history to contain antivirus by default

  22. Thank you!

  23. F-Secure Awards • Norway 05/04 • Germany 05/04 • United Kingdom 05/04 • United Kingdom 03/04 and 02/04 • Finland 02/04 • PC Pro, United Kingdom 01/04 • Sweden 11/03 • United Kingdom 10/03 • Germany 04/03 • Sweden 03/03