Welcome to this DEFCON opening session. I'm Mikko Hyppönen. What we're going to talk about next is the history and evolution of computer viruses. I'm from Finland. I've been hunting viruses for 20 years. We've learned from history, and that is where you learn to understand. Brain. This is from the 5.25-inch floppy era. Brain is where the infections began. And those of you who saw my TED talk, which was three years ago, will have seen the first five minutes of this already. But then we go further than that. Brain.A. Brain.A has turned out to be, and it is, the first PC virus in history. This is the first PC virus. We had seen some viruses before 1986, for example Apple II viruses, but this one is the most important, because we still deal with PC viruses today. This takes us from 1986 to 2011. That's 25 years. 25 years since the first PC virus. Our media team thought there should be something on social media about it, something that would capture people. So we thought: what if I went and found the people behind Brain, 25 years later? What became of them? And really, following up 25 years later should be possible, if Brain is still around. So I went there.
Here's what has become of Brain. If you look here, you'll see 1986, Basit and Amjad. Basit and Amjad were the first; they were the first in Pakistan. And then there's the address. This February I was in Pakistan. This is Lahore, which is about 200 miles away. This is the address, 730 Nizam Block, Allama Iqbal Town. It was Brain's home address, so I went there. Basit and Amjad. They are still there. Here: Basit, Amjad, and the surroundings. Today it's an internet operator, a telecom operator in Lahore. The company is now Brain Telecommunication. So I went to Lahore. Virus purposes. At the time it wasn't anything very complicated. These people wanted to show something. They wanted to do something that would have an effect on the world. And of course the viruses of 1986, 1987 and 1988, like Brain, Stoned and Cascade, were all simple. They were simple, and they were meant to be noticed. These people wanted to show off, too. And of course we have to remember that in 1986 there was no networking. Normal computers, PCs, weren't connected to anything. And data, of course, wasn't a terrible worry. There were backups, so if you wanted your data back, it was a challenge, but if you got infected it was manageable. I think viruses like that were also simple, or simplistic.
I think the point is whether it's simple, whether you know you're infected. A good example of that is the Omega virus. The Omega virus isn't significant in any historical or technical sense. It isn't significant, except that it's the first virus I ever analyzed. That was in September 1991. The nice thing about it was that it activated on the 13th, when it was a Friday, and it would print character number 232, I believe, in the ASCII chart. And I looked up the character and that is the omega sign. So I named the virus Omega. That's the first virus I ever named. And the name stuck. If you google around, you'll still find this virus as the Omega virus. And that actually started a tradition. Nowadays in our company, once you've been ten years with the company, you'll get an Omega watch like this. So I should have named the virus Ferrari. Now, many of you will remember viruses like Michelangelo at the time, which were destructive. So one way that you would know that you are infected by a virus is that it would destroy your files. Like Michelangelo would overwrite the first hundred sectors on your hard drive, destroying your file allocation table on those systems, and your PC wouldn't boot. Other examples were viruses which were visual. Let me demonstrate that. So what we'll do is we'll boot up DOSBox. Those of you who play old games will know this tool.
It's basically a way of running old code on current systems, like this is a Windows 7 system. So let's mount some folders. Let's see. What I have here is a collection of binaries, .com files, because if you look at the dates, 1993, 1994 and so on. These are all examples of virus code, which at the time I modified slightly to remove all the destructive parts and replication parts. Now what we're left with is basically the activation code. So for example the V-Sign virus, which would infect your boot sectors. If I'm actually running the code right here, it activates by drawing a V sign on your screen. That's why we call it the V-Sign virus, because you get a victory sign. So what I'm running right here is actually code from 1992, which is the original virus code, but everything else has just been knocked out except the visual parts of the virus. And many of the viruses at the time would do this. They would show themselves to the user. V-Sign would do this once a month. Once a month when you boot up your PC, it would draw this V sign on your screen. And we have plenty of these examples in here. For example the Walker virus. Guess why it's called the Walker? I don't actually remember what the Tequila virus does. Well, it draws a fractal. That's of course not graphics, but it does paint ASCII graphics with colors. Alex, I think it's some sort of a demo effect. Yeah, that's pretty nice actually. Let's do that again if it's so nice. There we go. Oh, pretty nice. You want to see more? We have for example the Ambulance Car, which is neat because it makes sound. Except, well, it says D-D-D-D. It doesn't work right now for some reason. Let's do one more. Actually I'll show you something which actually does... all the crash viruses look like this. You know you're infected because it looks pretty bad. But yeah, this is a good one. Coffee Shop, made in the Netherlands. But the one I actually tried to show is this one. Actual graphics, like EGA. Oh, maybe actually VGA graphics. Quotes.
Carl Sagan, I believe. So you would know that you're infected by a virus because you would get visual displays on your screen. Or the virus would play games with you. Like this one: one day of the year, when you boot up the PC, it won't boot. It ends in this screen and then you have to type "Happy Birthday Joshi". And then it continues. Apparently that's the nickname of the virus writer of the time. Actually I want to go back to DOSBox and show one more example, which is a good example of a virus playing games with the user. Let's try with the Casino virus. Here we go. Casino virus is neat. It actually takes a copy of your file allocation table to memory. Then it overwrites it on your hard drive. So you just lost all your files because the file allocation table is gone. But it has a copy in RAM. And now it lets you play a game. You have five credits, and if you win it's going to write the allocation table back to the drive. And if you just reset the machine you lose, because it has already deleted the stuff. And it explains this in detail to the user, and it actually lets you play, and if you win it actually does what it claims. And we can actually play this right now. We have five credits. If you get five pound signs we win. So let's try. And that's the original code. So we might win or lose. It's not going to destroy my drive, but everything else is real. So we might win. No. Two credits. Sometimes you win. I've won this game. Lost. So that's what I mean by viruses which play games with the user, or at the very least make themselves known to the user. And this is an important difference to today's malware. Today when you get infected by malware you will not know that you're infected. You will not see funny images, your PC will not play music, your CD-ROM tray will not open and close all the time. Nothing like that. I mean you will not know. It's running silently in the background. They won't even crash your systems nowadays. They're pretty well done.
They're pretty compatible. Won't slow down your system. Won't take too many resources. They do testing on the virus code nowadays. So you won't actually see that you're infected like you used to. But viruses started getting more and more advanced. Things like the mutation engine MtE, made by a Bulgarian virus writer who we knew at the time as Dark Avenger, which was basically not a virus but a kit that you could use to turn any other virus into a polymorphic virus. So it encrypts itself with a different encryption every single time. Or VCL, Virus Creation Laboratory, which actually was the first one which had a user interface you could use to create viruses. VCL, you just click on the menus, you click generate and it makes a virus for you. And this is in 1992. So pretty advanced, well, 19 years ago. And then comes Windows. The first Windows viruses were written for Windows 3.0 in 1992. The very first one was called WinVir. Did nothing special. It was the first one capable of infecting the PE file structure that Windows was using at the time. Other viruses of the time: Monkey, One Half. These are mostly encrypting boot sector viruses. And then we get Concept in 1995, which is a virus that infects not your floppies, not your binaries, but it infects your documents. Concept actually infects Word documents using VBA, Visual Basic for Applications, the scripting language inside Office at the time. And that's actually a big deal. Because if you think about what you do with your computer every single day. Computer users spent their days handling documents, creating and reading files. Excel sheets were documents, PowerPoint slides, what have you. And if sharing those shares a virus, that's a big deal. And Concept became the most common virus in the world within the first 30 days since we found it. Laroux was a close follower. Laroux did not infect Word files, it infected Excel spreadsheet files.
In fact, we later found a variant of Laroux which would not just infect your Excel spreadsheets, but it would also randomly round the random numbers inside your spreadsheets by 0.1% up or down once a day. So it would slowly corrupt the numbers you're working with. And that's a pretty nasty attack, because you will not notice the problem until it's been happening for quite a while. Which means the data you're working with is bad, your backups are bad. I mean there's no easy way to recover, there's no easy way to figure out what it has changed and when. That's a big deal. Windows viruses, the early Windows viruses, were also often visual. I mean they would show themselves. This is the Boza virus, written by a virus writing group from Australia calling themselves VLAD. And that's the name of the group, and those are the nicknames of the guys in the group. So viruses were still very much being done by hobbyists. It's for fame, for challenge, just because they could. Another example is the Marburg virus from 1998, which would change your Windows desktop to look like this. So you would know you're infected. This was still the norm in the late 1990s. More Windows viruses: Remote Explorer, Happy99. And this one is actually important, because Happy99 is the very first email worm. We're talking about late 1998. This was an email worm which claimed to be a greeting card wishing Happy New Year 1999, and it would actually show you fireworks on your screen. And while it's doing that, it would take your address book and email itself, as an email which looks like you sent it, to everybody listed in your address book. And the email contents were "Happy New Year 1999" and there's an attachment called Happy99.exe in it. And of course your friends would believe you sent it, because it looks like you sent it, and they would open up the attachment and they thought that that's what it's supposed to do. And it would replicate and replicate and replicate.
And these kinds of email worms quickly became the biggest problem we had. And one thing which feels funny now is that you could actually do that. I mean you could just take a binary, like an executable, and email it to someone else, anywhere else in the world, and they would get it. No problem. And they could run it. No problem. Obviously you can't do that anymore. Filters would kill any... I mean if I tried emailing an EXE Windows binary to every single one of you, I don't think any of you would actually get it. I mean my operator, your operator or your firewall or whatever would kill off an executable attachment nowadays, but that wasn't the case back then. So more Windows viruses at the time. Melissa became one of the largest outbreaks in history because it combined these two big trends at the time. It combined an email worm with a macro virus infecting Word documents. So it would send itself as an email which looks like it's coming from you once you get infected, sending it to all of your contacts in your address book, and the attachment is not an executable. It's a .doc file. It's a Word document file. In fact, it's one of your own Word document files which has been infected with a macro virus. And this has two problems. First of all, you are going to infect your friends. Second of all, it leaks confidential information. It takes a .doc file from your hard drive, infects it and sends it out to thousands of people. And that file could be anything. It could be plans, patent applications, a love letter. So, I mean, anything. Love Letter, this is still in the history books as one of the largest single email outbreaks, and it probably will stay as the largest email outbreak, or one of them, because we don't see email outbreaks anymore. This was one of the problems which has gone away. In fact, here's a screenshot from cnn.com at the time. I'm actually here making an estimate that no, it's not going to be a big problem. Of course, I was completely wrong.
It became one of the largest outbreaks in history. There you go. Whoopsie. Anna Kournikova, I'll just pick this one as an example of the email worms at the time. Many of these would simply just try to fool the user into opening up an attachment. Anna Kournikova was an email worm which claimed that it has an image of Anna Kournikova. Here's an example of an email, and for those of you who don't remember, Anna Kournikova used to be a tennis player, a pretty tennis player. So, this is the email they would send. "Here you have", that's the subject field, and then the content: "Hi, check this." Anna Kournikova.jpeg.vbs. VBS is Visual Basic Script, or Windows Script, which is executable. Scripting is executable. We actually had quite a large outbreak of this virus and we had people calling our labs. I actually spoke with one guy myself, and he told me that yes, he received the email and he heard in the radio news that it's a worm, so he knows it's a worm. And our product actually, I mean our antivirus actually blocked it, so he's safe. But he still wanted to see the picture. Basically, how could I disable your antivirus so I could just click on it? And of course it didn't actually show you any images. I mean I just picked this because she's a pretty girl. But when you actually clicked on the VBS file, it would just replicate further; you wouldn't actually see any images. I believe I told the guy to just, you know, we already had the web at the time. I told him to go online and find some pictures. Maybe that's the easier way. More viruses of the time. Maybe this one is more important than others. This was one of the first Windows network share replicating viruses, Nimda, which got its name from "admin", well, that's why it's named that. With Nimda there were lots of conspiracy theories at the time, because Nimda was found in 2001, in September 2001, exactly one week after the terrorist attacks.
And there were lots of conspiracy theories that this was somehow related, but it never actually proved anything either way. Nowadays, looking back, I don't think it was related in any way, but everybody was pretty paranoid at the time. More viruses, and now these are all email, Windows email replicating viruses. Swen is a good example of the kind of social engineering tricks they were using. Here's an email sent by Swen, and it looks like it's an email coming from Microsoft, so the sender is "MS Technical Assistance". It explains that, you know, there are new patches, and this is in 2003, so we didn't have Microsoft Update yet. You didn't have automatic updates. If you wanted to patch your system, you had to download a patch file and execute it, run it. So this used that trick to its benefit; it looks fairly convincing, looks like a real Microsoft email, and there's a file, you can see it's there in the top, Q-something.exe, attached to it, and that is the naming convention Microsoft used at the time for patches. And it's especially handy, because the message explains to you that this is a security update for September 2003, and it would actually get the current date. So when this virus kept on replicating for a number of years, it would always speak about the current month and the current year. If you would run Swen today, it would speak about the August 2011 cumulative patch. So it felt pretty real, and that's one of the reasons why it became such a big problem. And this is also one of the viruses where the virus author was caught, a Swedish guy, was caught and sentenced for some sort of online disruption based on Swedish laws at the time. But then things started changing. We entered the years of internet worms or web worms, like Code Red. Code Red did not infect Windows workstations. Code Red infected Windows servers. It specifically infected Windows web servers running IIS.
Using a remote exploit, it would infect those servers and immediately continue replicating from that infected server. It would just scan IP ranges, trying to find more servers, and then using the remote exploit infect them. You can actually see how quickly such a replication mechanism goes worldwide. This is basically the first 24 hours in the replication of Code Red. And it started getting copycats of various kinds, including Slapper and Slammer and Blaster and Sasser. Most of these targeted Windows workstations using remote exploits in LSASS or in RPC or some other network-visible resources of Windows. And we have to remember, in 2004 most Windows users were not running a firewall. I mean, if they were online, even if they were inside a company, most likely they had open ports all the way to the internet, which now feels pretty weird, but that's the situation at the time. So you had port 139 or port 445 TCP open. Anybody could connect to it from anywhere in the world. And if there were remote exploits, they could exploit them. And they did. And that's how, for example, Sasser spread. So if you think about that, you have one infected PC. And it just starts scanning either random IP addresses or just one by one, trying to go through all IPv4 addresses. And in the IPv4 addresses we don't have, I mean, we have 4.3 billion IP addresses, which is perfectly scannable. You can scan them all. Many of these, I mean, most of these worms scan every single IP address in the world. And, of course, they'll find empty addresses, like addresses which route nowhere, so there's nothing to infect, or they'll find an address which has a computer but it's the wrong kind of a computer, like it's a Mac. A Windows worm won't be able to infect it. Or it finds the right kind of a computer, like a Windows computer, but it's blocked. I mean, behind a firewall or some sort of routing protection, so you can't connect. Or it's already patched.
So the patch, the vulnerability has already been closed by the user. But as you can guess, if it just keeps on scanning and keeps on scanning, eventually it will find a computer which is the right kind of a computer, which is not behind a firewall, which has not yet been patched. And in that case, of course, it will infect that computer. And it will immediately start replicating further from that computer. In fact, they are now both scanning the whole public IP ranges, and it gets faster and faster. And this explains why we got these massive spreading speeds, including Slammer, which was later proven to have scanned the whole IPv4 address range in less than 20 minutes from the moment when it was started. And that's pretty remarkable. In 20 minutes, all of us who were online in 2003, it scanned our computers, it scanned our mobile phones if we had mobile phones with internet connectivity at the time. And to the end user, you would typically know that something like this was happening because you got some sort of a crash on your system. Slammer, Blaster and Sasser, for example, would cause a system shutdown because they would remotely crash RPC or LSASS in Windows at the time. So the end user would see that there's a problem. His PC would shut down. He would have 60 seconds of time to save his data and then it would shut down. He would reboot, and he would most likely see it again in a minute or two, or maybe in 10 minutes, maybe in half an hour. It depends on when the next time someone else is scanning his IP address. So let's think about this. You are an end user. You start seeing this regularly on your PC. You can't work because your PC keeps rebooting. What are you going to do? Well, you ask around. What should I do? My PC reboots. Somebody will know that, yeah, it's a virus. What should I do? Well, you should patch the hole, patch the RPC vulnerability or the LSASS vulnerability. All right, how do I patch it?
Well, you go to Microsoft.com and you find the patch, you download it, you run it. Okay, let's do that. We have here the Microsoft download pages from 2003. That's the actual patch for the RPC vulnerability, MS039. Click download. Excellent. We get an executable file. Let's download it onto our desktop. Here we go, and now we're downloading it. Excellent. And of course this takes a while, which means it's more than likely that, while you're downloading it, you get the same error message. And now you have two counters on your screen at the same time. You have the countdown from 60 seconds to zero for the reboot, and you have the download counter, like how many percent of the actual patch you've downloaded. So you're basically running a game or a race, like who's going to be first. And this game was being run on thousands and thousands of computers around the world. And of course most of the users lost the game. They didn't get the patch before it rebooted again. Very, very frustrating. And these are the kinds of problems that led Microsoft to change the way they look at security. In 2003, they did the big overhaul, the code review of the Windows base code, and started taking security seriously. This resulted first in Service Pack 2 for Windows XP, later into what we have today, for example in 64-bit Windows 7, which actually has a decent security model. So this was the basic reason why security in the Windows world regarding problems like these was finally taken seriously. And the problems we saw at the time were serious. Here's the packet loss chart of the whole internet during the hours when the Slammer worm started spreading. Typical packet loss globally 1-2%, then suddenly jumps to 20-30%. Massive problems. So we started getting denial of service problems on systems which weren't infected themselves.
But they were in the same networks with infected systems, and the packet generation that they saw was so massive that we started seeing problems with critical infrastructure. So in 2003, I wrote down some of the things we saw thanks to Slammer and Blaster and Sasser. We had air traffic control problems. We had ATM networks down. We had 911 services down. We had infected nuclear plants in the USA in 2003 because of Sasser. Flight problems, government systems infected, Heathrow airport check-in systems infected. A couple of screenshots I took at the time. Air Canada couldn't operate because they were infected by Sasser, I believe. In fact, here's a picture from their check-in. Anybody spot the blue screen right there? And it wasn't just computers, I mean normal computers at the time. For example, automation gear started getting affected. Here's a screenshot from CSX that I took in August 2003. For those of you who don't know, CSX is one of the largest railroad operators here in the USA. If you look at what they announced, it is that they had an in-house infection which resulted in a slowdown of major applications, including dispatching and signal systems. As a result, passenger and freight train traffic was halted immediately, including the morning commuter train service in the Metropolitan Washington DC area. So trains around the capital of the United States of America stopped in the middle of the day, in the middle of their tracks, because of a computer virus. This actually happened in 2003. And things like these were a wake-up call. And then of course we had infections in things like these. We had a large case of infected forest tractors, because they were Windows and they got infected because they had GPRS connections. They were actually sending embedded geeks to tractors in the middle of the forest to fix them, because they couldn't boot up. They couldn't operate these once they got infected, and they were typically far away in forests, so you have to somehow rescue them from there.
And then we had cases like these. This is a screenshot from the Swedish Aftonbladet magazine explaining that this hospital in Västra Götaland had an in-house infection with 5,000 computers infected, which is bad. But what's even worse is that these also got infected: their X-ray systems, which were running Windows, and they actually had patients put into ambulance cars and driven to other hospitals to be taken care of, because they had infections in their hospital systems at the time. But something even more important was about to happen. 2003. A virus called Fizzer, which I claim nobody here remembers. And I also claim it's one of the most important viruses in history, because Fizzer was the first virus where we could conclusively prove that from the very beginning this virus was written for one motive only, and that motive was money. So before 2003 everything we saw was written for fun, for challenge, for laughs, for kicks, right? Nobody tried to make money with viruses until Fizzer. And the way Fizzer tried to make money is by sending spam. So it would infect computers, build a proxy network out of them so you could reroute proxy or email traffic through them, and that service was then sold to spammers. And this is something we still see today. Spam, email spam, still exists and it's still being sent through infected home computers. And obviously there's money to be made out of this. And very quickly many of the hobbyist virus writers of the time realised that they could actually use their skills to make money by cooperating with spammers, by starting to steal passwords with keyloggers, starting to steal credit card details when people on infected computers were doing online purchases and typing in their usernames and passwords. And very quickly we also started seeing the shift, a geographical shift in where viruses were coming from.
In the good old days, before viruses turned into money-making machines, they were mostly done in developed western nations like Europe, USA, Canada, Japan, Australia. Today the biggest hotspots are Russia, Ukraine, Kazakhstan, Romania, Moldova, China obviously, and South America, especially Brazil, which is the biggest source of banking trojans which steal money during online banking. And the virus writers themselves changed. We had completely new kinds of online criminals getting onto the net and doing these. These are examples of caught virus writers of the 1990s, including in the top right corner Mr. Chen Ing-hau, who wrote the CIH aka Chernobyl virus. And then here are some caught virus writers after 2003. You see any difference? So they became much more organised, much more professional. The guy at the bottom left, Mr. Tariq al-Daour, was actually using keyloggers to steal credit card numbers, and they were then laundering money from those credit card numbers by putting them into online poker games and losing money on purpose from the credit card numbers to accounts that they controlled, and then they moved them back to the real world. What they did is that they laundered close to 2 million euros, and that money was then used to purchase gear, gear like hiking boots, tents, sleeping bags, knives, GPS navigators, plane tickets. And all this was shipped to Iraq, to the insurgents fighting over there. So what we have here, for example, is a link between online crime, viruses, backdoors, and funding the insurgents in Iraq. So some of the viruses that then started to make headlines, money-making viruses: Sobig, Witty, MyDoom, Bagle. These were spam-generating viruses mostly. And then open source bots like SDBot, which actually, the source code of SDBot is licensed under the GNU General Public License, and we've seen tens of thousands of variants of this throughout the years. We probably still see versions of SDBot being made today, like 8 years later.
And other typical bots, or botnet-creating bots, at the time. So you would have a number of infected machines and they could all be controlled centrally, creating a botnet which could be used not just to send spam but also for banking trojan attacks and credit card theft and stuff like that. And then we got Sony. Now Sony gets a lot of hate, and they get it for a good reason. They've been doing bad stuff for a number of years. I think it pretty much really started with the rootkit that they were shipping on Van Zant and Switchfoot and Celine Dion music CDs. So if you would buy a Celine Dion music CD and listen to it on your CD player, no problem, but if you put it inside your computer it would autorun an installer which would install DRM code on your system. No questions asked, no prompting, it just installs a DRM system and then it installs a rootkit, a Windows rootkit, which hides the DRM, and in fact it doesn't just hide the DRM, it hides any file or any folder which starts with specific characters, basically dollar underscore dollar, I believe, something like that. Which means yes, you could hide the DRM, but you could also hide anything else, and viruses very quickly started naming their binaries with dollar underscore dollar. Because if a computer which had been used to listen to Celine Dion got infected, Sony would now hide the virus, and it would hide it so well that pretty much none of the antivirus programs at the time could scan the files anymore. They would be just gone. And of course some would claim that if you listen to Celine Dion you deserve to get infected. But I'm not saying that. But there are interesting comments coming out of Sony at the time, especially from a person called Thomas Hesse, president for Sony BMG international. He made a quote which was so cool we actually printed t-shirts out of it: "Most people don't even know what a rootkit is, so why should they care about it?" That's a great quote.
If they don't know what it is... I mean, most people don't even know what brain damage is, so why should they care about it? Then we started seeing more and more rootkits, not just from Sony but from traditional virus-writing gangs, who wanted to hide their malicious code better. Hackstore basically was a kit which you could use to hide any other binary, or processes, or registry keys, or open ports. Then more viruses at the time. Storm Worm, many will still remember, from 2007. In fact I believe we have... here's a video clip shot in our lab showing the spread of Storm Worm. We run this system which just illustrates where we block viruses. If you look at the top corner, the time is ticking away. It's getting close to midnight, and pretty much around midnight the outbreak of Storm starts. So watch carefully. The system is now normal. That's what it looks like normally, right? It's 11 p.m., and here we go. Well, that's what an outbreak looks like. That's a decent outbreak, globally. Pretty much everywhere where you have connectivity, anywhere where you have computers: massive infections. Greenland looks great. No viruses in Greenland. And now it's over. I mean, it took like maybe 7 hours. That's a typical outbreak, the kind of outbreak we used to see back then. And then we had Mebroot. Mebroot, which probably for a number of years stayed the most advanced malware we've ever seen. Now we have two contenders for the same title. But Mebroot, when we first found it, it was all related to this. Which movie is this? Matrix? No. Matrix 2. That's correct. There actually is a Matrix 2. I even heard there's a Matrix 3, but I haven't seen it. What is she called? What's her name? Monica Bellucci. Very good. She plays the part of Persephone in the movie. Why am I showing her? Because she's gorgeous. That's right. But this is the website of Monica Bellucci, monicabellucci.it, in Italy. She's Italian.
And this was one of the first, if not the very first, website that we saw being used to spread Mebroot. So we entered the days of drive-by downloads. You would get infected by just browsing the web. And now, today, this is the number one way of getting infected. Email and email worms haven't been the main problem for a number of years. It's the web. You browse the web, there's an injected JavaScript line there which goes through all the plugins in your browser, including Java and QuickTime and Flash and what have you, and tries to find an old version. If you have an old version, it will pop it and you're infected. That's exactly what this page did. It was one of the first cases where we saw it happening. What Mebroot actually did is that it installed itself to the master boot record of the infected computer, which is pretty much exactly what Brain did. Except in Brain's time we didn't have hard drives, so it only went to the boot sector of the floppy. This actually goes to the boot sector of your hard drive, the master boot record. That's pretty hard to do under Windows, but it did it. Even more remarkably, and I think it's a good example of how advanced these viruses started to become: obviously when you're running below Windows, when you boot before Windows boots, you run the risk of crashing Windows, but it almost never did. It was very well tested, and if it did, I mean if something went wrong and you actually ended up with a Windows blue screen, now obviously Windows has crashed, Windows is no longer running, but Mebroot was still running, and in this case Mebroot would make a diagnostic dump of the crashed computer and send it back to the virus writers over the internet so they could debug and figure out why it crashed. Remote quality assurance for malware. Conficker, the biggest outbreak of 2009, still remains one of the biggest mysteries we have in the history of viruses: a massive, massive infection which wasn't used to do anything at all.
And then we started finding even more advanced ones. If Mebroot was advanced, this is pretty much the state of the art nowadays, a.k.a. Alureon: rootkits which are today capable of infecting a 64-bit Windows 7 in the MBR, booting all the way from the MBR, surviving the Windows boot regardless of all the security features that were introduced in Windows 7. Pretty remarkable stuff. The number of infected machines around the world right now with this is in the millions, and it's being used for different kinds of money-making scams. It's one of the biggest problems we have at the moment. But that was still quite different from these ransom trojans that we started seeing as well. By this time, like I explained earlier, most of the infections were invisible. You wouldn't know that you're infected. But then we started seeing trojans like GPcode, which were very visible. What GPcode does is that it infects your system, then it waits for the PC to be idle, so that you're not at the computer, and then it starts encrypting your hard drive. It goes through your hard drive, encrypts everything, and then it changes the Windows wallpaper to this message, where it explains that all your files have now been encrypted. If you want to get your files back, please read the how-to-decrypt TXT file. When you read the how-to-decrypt TXT file, it explains to you in detail that we just encrypted your files using RSA-1024 with an AES key. If you want to get your files back, please email us here, filemaker at safemail.net, and send us 125 bucks through the Ukash prepaid system and provide this unique key, which is unique to your system, and they will provide you with the decryptor. And they actually will. We've worked with multiple cases where affected users have sent the money and have gotten the decryptor back. And as much as I hate the idea of anybody sending any money to these clowns, I know people have done it, and they have gotten their files back.
And this is a pretty nasty way of making money with malware. And it's also... I mean, typically when we would find an email address like this, which we know is being used by online criminals, we would shut it down. We haven't shut this one down. This email address still works today, because we know there are users out there who need to be able to send money to criminals, because they need their files back, because they don't have backups. And of course what you should have is backups. Many of these cases have actually been corporate users, where not just a corporate laptop has been encrypted but also network shares have been encrypted. And then they learned that they actually don't have good backups, and they have a big problem, and they would be more than happy to pay 125 dollars to get their files back. But all this work with malware like this did not prepare us for what we would find next. And that was Stuxnet. Stuxnet, which was found in the summer of 2010. Stuxnet, which had been around, spreading in the wild, already for a year. And that's actually remarkable. And that's actually embarrassing to us. I mean us, antivirus vendors, and us, security companies. We missed Stuxnet for a freaking year. Nobody saw it going around. Eventually, when it was found, it had already done what it wanted to do. And of course, as we know by now, Stuxnet was written by you guys, and by you guys I mean the Americans, the US government. It was a successful operation. It wanted to disrupt the Natanz nuclear enrichment plant in Iran, and it did. In fact we believe it already did what it wanted to do in 2009. So by the time it was found in 2010 it didn't actually matter anymore. It had already done what it did. So let's look at that a little bit closer. We have obviously computers everywhere: in factories, in plants. You go to any chemical plant, any power plant, any food processing plant, you look around, and it's all being run by these. That's a Siemens S7-400, a typical PLC, programmable logic controller.
And for example the elevators in this building most likely run on PLCs, or maybe STUs, something along these lines. Automation which isn't running Windows. It's actually running... Siemens gear is running 32 with Linux inside. Very fault-tolerant systems. And the way they are being programmed is typically from Windows workstations, and that's the route in. Stuxnet will in fact infect pretty much any Windows computer in the world. But it won't do anything except replicate unless the computer has the Siemens Step 7 programming environment installed. And that's the environment you use to program these. And even if it finds Step 7 running on the computer, it won't do anything unless it's connected to the right kind of PLC. It has to be a Siemens S7-417 or another model. If it finds the right PLC, then it will reprogram the PLC. And now it waits for somebody to disconnect the PLC from the computer and take it to a factory floor. And it still won't do anything, unless it's connected to exactly the right kind of gear, and it's looking specifically for these. These are high-frequency power converters manufactured by a company called Vacon. It's looking for a specific number of the right kind of high-frequency power converters. And of course these, we believe, were the converters that were used to spin the centrifuges in the Natanz nuclear enrichment plant. So the real target becomes not just the high-frequency power converters but the whole nuclear program, or the nuclear enrichment program. So it has been a pretty wild ride, if we look at the last 25 years: from Brain, spreading on 5.4-inch floppy disks, to Stuxnet, which is more than a megabyte of code, a multi-million-dollar project, more than 10 man-years in the making, targeting completely undocumented, tailor-made systems, infecting PLCs, which had never been done before. It's been an amazing change, what we've seen. Many things have changed; at the same time many things haven't changed.
For example, Brain never spread over the internet, because we didn't really have the internet in 1986 as we have it today. Stuxnet doesn't spread over the internet; it spreads on USB sticks. Why? Because the systems it wants to reach are not on the internet. Obviously nuclear systems are not online; they are separated. That's why it spreads on USB sticks. Brain was actually a rootkit. If you tried to read the infected boot sector, you wouldn't see it. It would redirect the read attempt and give you the original boot sector instead. Stuxnet has a rootkit to hide itself, not just on the infected Windows computer but also on the infected PLC. So everything has changed and nothing has changed. And it will be interesting to see what kind of viruses we will be analyzing 25 years from now. Thank you very much.