
CG - The History of Malware- From Floppies to Droppers

BSides Las Vegas · 54:59 · 80 views · Published 2023-10
About this talk
Common Ground, 11:30 Tuesday. Modern malware, such as ransomware, has become synonymous with some of the most devastating cyber attacks of our time. But it hasn't always been so. Not too long ago, malware was considered a myth. The first ransomware, for example, was created over 30 years ago as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. Since then, malware has evolved in many different ways, as technology changes and evolves. Looking back and analyzing this history gives us an unusual perspective: what elements of malware have changed throughout the years, and what has remained consistent? How has this evolved into the most impactful form of cybercrime today, and what can this surprising, untold history teach us about our present and future?

Speaker: Eliad Kimhy
Transcript

Welcome everybody, this is the next talk, a very interesting topic: The History of Malware, from Floppies to Droppers. Please welcome Eliad Kimhy.

Thank you. Thank you all. All right, thank you so much for coming. So this is going to be the history of malware. My name is Eliad Kimhy, I'll have a who-am-I slide at the end, but there's a lot to cover so we'll move quickly. So today we're going to take a journey through time and space. I think it's really important to understand, especially for people who work in security research, in any area of security, really important to understand where these things come from, the motivations, how we got to the point we're at today, how it all evolved, how we got to the point where we are today with malware. And we're going to talk a little bit about when some of the first phenomena that we understand today in malware first happened. We're going to talk about what happened, who the people behind it were, what their motivations were, and sometimes where they came from, and that's going to be really interesting.

Before we start I'll start with a question, and this is Common Ground and somebody told me that we should do some sort of, there should be some discussion, so I'll ask some questions. The first question is: when was the first ransomware incident? Yeah, 1989. 1989, very good, a round of applause. Do you know the details? [audience answer] Yes, very well done. So the AIDS Trojan, or PC Cyborg was the name of the company, but in 1989, the first ransomware incident. That's really funny and kind of weird for a couple of reasons. One is 1989: there are people in this room that weren't born in 1989, I imagine. I was born shortly before, so this really predates a lot of things. And also, like, really, ransomware in 1989? Was the technology there to enable this? And this is a real story, and I think, for starters, it took a lot of creativity and a lot of determination to actually make ransomware in 1989.

There was a guy called Joseph L. Popp. He had this brilliant idea: what if he could write software that basically blackmails people into paying him? And he thought this is great, this is a fantastic idea. He took 20,000 floppy disks, which is a huge financial investment, each one would go in an envelope, he would send it by mail to people all over the world, actually most of them were in the UK. If you ran it, it asked you to turn on your printer, because back then ransomware wasn't paperless yet, you know, so it would print out the invoice, which is also the ransom note. And, yeah, it would lock up your computer. After a while it would ask you to pay. You were supposed to send money to a PO box in Panama, because, of the genius that he was, he thought he could just go on vacation immediately after. And it was a really, really interesting incident. First of all, the malware itself, the Trojan itself, wasn't super sophisticated but it was really clever. One thing that it did is it would fake an MS-DOS environment. So it basically would create this MS-DOS environment which you couldn't escape out of: Control-Alt-Delete would just return you to that environment, restarting would just return you to that environment. You're basically supposed to think that you're locked out of your computer. In the back, or behind the scenes, it would encrypt files. It was an XOR encryption. It would change the names of the files, and that would make it really hard for you to access your information. This had impact in a lot of different ways, similar to where we see impact today with ransomware. A lot of people back in 1989 didn't really know how to recover from something like this. There were AIDS researchers that had reportedly lost 10 years of their research. And it was also partly the impact that it caused that was the reason that Joseph L. Popp kind of went crazy towards the later part of his life. I read a lot of different accounts, but some of them say that he was just so ridden with guilt when he'd heard of what he had caused that he was in an airport in Amsterdam and he passed a note to law enforcement, something along the lines of "Dr. Joseph L. Popp is not well," or something to that effect. They caught him, they tried him, he would show up in court with, like, curlers in his beard, hats made out of cardboard I think, and he was completely insane, and they let him go because he was crazy. Maybe he was crazy before, I don't know, but he was certainly crazy after. And that was the first ransomware, and this was a Trojan, and we'll come back, Trojans will make a great comeback towards the latter part of this talk.

But really, to start talking about malware and malware writers, we have to sort of put ourselves, let's journey through time and try to understand what computers meant to people in the '70s and '80s. And there was this sense of wonder, fascination. Computers were this magical thing that could enable everything that we could imagine. When you look at pop culture, and sci-fi in particular, computers were this thing that would make science happen, that would make magic happen. They would be the thing that would take you to space or teleport you, or at least enable these things to happen. There were some films where it was the main character, like WarGames or Tron, things like that. And so there was this sense of wonder, and in that sort of environment you have a lot of people sort of theorizing, and they're fascinated with these ideas of what could happen on a computer. And in 1984 there was a man called A. K. Dewdney. He wrote a column for Scientific American. He wrote about a game that he created; the game was called Core War, and the whole premise was, you know, what if there were two programs on a computer and they just fight each other? They can copy themselves, they can think, they can attack each other. You write the code and then you let it loose, you know, so it's kind of like BattleBots but without chainsaws. And they would fight it out, and whoever wins, wins. And he says, "I was inspired by this story that I heard," he says, this fantastical story, this myth about the Reaper and the Creeper. He says somewhere in the '70s there was a lab and some scientists created this virus called the Creeper and it spread throughout the lab and it infested everything and they couldn't get rid of it until they wrote another virus that went and spread again, and all it did was look for copies of the first virus and delete them, and delete itself. And he thought, you know, there's some obvious holes in this story, and it's a bit of a weird kind of story, but what if it could be true? What if it was true? And that's why he created his game.

But back in '84 there was no real awareness of what viruses were, so he asked his readers to send him some of their creations, and what he got instead was a whole lot of evidence of virus creators, all sorts of viruses that people had encountered. So a year later he writes "Of Worms, Viruses and Other Creatures"; he writes this column again and there he tells people all over the world about viruses actually existing. What he had considered a myth was actually a reality, and this was a surprise to a lot of people. What I'd heard is, really, this wasn't commonly discussed because nobody really wanted to hinder the sales of computers, that's one thing that I had read. But in the mid '80s, despite viruses having existed for a long time, they were still considered something of a myth, and maybe some people in the audience can confirm or deny this. But in 198- he writes another column, and he starts that with a quote from Eugene Spafford, something along the lines of "the only safe computer is one that is turned off, cast in a cement block, put in a safe room and guarded with live guards, and even then I have my doubts." So by four years later everybody understands the danger of what can happen with computers, and it's interesting to see this transition, and we're going to talk a little bit about why this happens.

And by the way, the story that he's thinking about, that myth, is real, and I encourage everybody to kind of research this. In 1971 there was a lab called BBN Labs in Massachusetts. A man by the name of Bob Thomas wrote the Creeper. They were trying to create software that would replicate itself to create backups for itself. Systems weren't always, you know, fail-proof, sometimes they would crash, so how do you back something up? Well, you move it, you copy it to another machine. So he ran this experiment, and he was a little whimsical, so he created this thing that would replicate onto another computer, and to know that it successfully replicated it would put on the screen "I'm the Creeper, catch me if you can." It's a really cool story. Later on they created the Reaper, which was the same concept but it was meant to delete the Creeper. And I don't think it went out of control, I think it was a controlled environment from what I've read, so it wasn't this fantastical story, but it did happen.

So we're not going to do background for much longer, but I do want to talk a little bit about what happened with technology around that time, in the '80s and the '90s. Personal computers came on the scene. 1977 saw the first three personal computers, the Apple II, the TRS-80 and the Commodore PET. Really, really important fact for malware writers. IBM came onto the scene in 1981 with their PC, and this was the first time where a lot of people actually had access to computers. And with great access comes no responsibility and lots and lots of power, and people started writing viruses, and they started seeing them in the office, in their homes. And the other thing that was happening was the sort of the creation of the sneakernet. There were portable media, portable storage devices, you could actually take and put into another computer. So this was a boon and a curse for virus writers and a huge influence on what we're about to look at, because now you could actually transfer your virus from one computer to another, powered by the power of shoes, people walking around. And that was great because you could spread it, and the curse was that those shoes were connected to a thinking, living human being that had to actually want to pass this along. So you had to be stealthy, they couldn't know that they were infected, or maybe you make something really funny and whimsical that they would want to show their friends.

And these are some of the early viruses from sort of the early '80s, some of them are from the later part of the '80s, but a lot of the early viruses were experimental, they were whimsical. They did things like write "peace on Earth" on your computer, or "I am the Hyper Avenger," "Dukakis for President," "peace on Earth and love for everyone," or they would do these things like the Cascade virus here, which would create this visual effect. And a lot of them were harmless, but if you weren't really paying attention then things would start happening and maybe you didn't know really how to handle this. And all of them had these different messages or different effects. I read somewhere it had this silly sort of "look what I can do" bravado rather than sheer hostility, and it was cool. I mean, I think we could think of it more as graffiti, you know, you're not really trying to knock down the wall, you're trying to cover it. It's vandalistic a little bit, but it's interesting. Has anybody here ever experienced a virus like that? You want to share or tell a story? I just remember the Cascade pretty well. And these things would spread, and that's really, really interesting because you might not imagine something that can only travel by floppy to actually get to a lot of different places, but we'll start seeing these viruses spread later on.

I want to talk about one specific one and that's Elk Cloner, and maybe really talk about what the inspiration was. Elk Cloner was written by a man called Richard Skrenta, and he got his first Apple computer in seventh grade and he was in love. By ninth grade he was pirating games for his friends and playing little pranks. So he would pirate a game and he would put a kill switch in there, and after four or five times it ran, the game would delete itself. And so his friends would play the game, they would get hooked, and then the game would delete itself, and he loved it, he was just laughing his ass off and just enjoying the whole thing, and his friends did not like it at all, and they stopped taking floppy disks from him. So he started thinking, what can I do to infect people, to continue to play pranks? So he decided he's going to make some sort of sticky software. And I don't know what you were doing when you were in ninth grade, I wasn't writing brilliant viruses for a brand new sort of technology, but he was. And so he decided he was going to create, it was a boot sector virus, a lot of the viruses back then were boot sector viruses, and the virus, if you put a floppy disk that had this virus on it into the computer, it would copy itself to the boot sector and it would run every time you were on the computer. It would also infect other floppy disks. That's just sort of the simplified version of that. So Richard wrote this virus and continued to prank his friends.

And generally speaking a lot of these viruses worked similarly to this: they would sort of append themselves to the end of the program, they would hijack the command to start the program that was running, they would run the virus code and then they would jump back to the program, so you basically think you're running a program but you're running the virus as well. They would use these interrupts, this is from MS-DOS, these are kind of like system calls, you could use them to do all sorts of things, and you would hook onto that. Basically nowadays, obviously we don't use MS-DOS, but there are other things that we hook onto, there are other system calls that we use, so this is something that is very similar, maybe in some way similar, to what we do today. However, boot sector viruses, things like that, we don't see a lot anymore. We do see malware that infects the Master Boot Record, like Petya, but there's not a lot of them that do that. So those are sort of some of the earlier viruses.

But something happens. We know that malware becomes malicious, we know because malware is malicious, but the question is why and when, and it's really hard to pinpoint. But somewhere in the mid '80s we start to see news stories all over the place about the computer virus, and this sort of builds both attention and hype about what could happen on your computer, and it also builds the anxiety, the general anxiety of people. This kind of starts with this virus called the Brain virus, and what's interesting about the Brain virus, first of all, it infected a news organization, the Providence Journal, and so it got a lot of coverage. The other thing is it came from Pakistan and nobody knew how a virus came from Pakistan and made it all the way to the US on a floppy disk. Nobody knew how it got there, nobody knew how it infected tens of thousands of floppy disks. It wasn't particularly malicious, but it was enigmatic, and with this enigma you get a lot of buzz. There were also people writing books about viruses, like the Große Computervirenbuch in Germany, telling you how to build a virus. And then you start to see viruses that are a lot more malicious, that are a lot more destructive, like the Casino virus, or the Maltese Casino, from 1991. This one was pretty nasty. It would copy your file allocation table to memory, it would hold on to that while it deleted it, so your computer doesn't know where your files are, it doesn't know how to access them, basically deleting your hard drive. And it would make you play a game, it's a little slot machine. If you get three pound signs you would get your data back; if you didn't, you didn't get your data back. And if you get three question marks, it says it will give you his phone number, and he says something along the lines of "screw you, why are you trying to track me down? As punishment I'm going to delete your files anyway," and deletes your files. So you have this Maltese Casino coming from Malta, you have, like, the Vienna virus, oddly enough researched in Bulgaria, you have the Italian virus, you have the Israeli virus, the Jerusalem virus, 1987. This was a virus that was designed to activate its payload and delete everything on Friday the 13th, 1988, or sorry, every year after 1987, because it was created in 1987 and they wanted to have a year to try and infect as much as it could. And these things would create these panics. Michelangelo was another panic, because they would be found before the day that they were supposed to activate their payload, so people didn't know if they were a victim of something like that: on that day, the 20th of January 1988, are all of the computers around the world going to be deleted or not? It was kind of like a Y2K sort of panic every few years.

One of my favorite viruses though that I want to talk about is the One Half virus, and I'll just talk shortly about that. This is a destructive one, this is towards the later period of what we're talking about here, 1994, but already there's a lot of sophistication. So One Half doesn't just jump into the entire virus code and then jump back to the software; it actually splits itself up into different functions and then distributes itself inside the program that it tries to infect. It looks for empty sectors in that program and just attaches itself, and it would jump from one instruction to another, and this is a form of polymorphism or metamorphism, and this is MS-DOS, this is 1994. So that was one thing that was interesting, pretty clever. The other thing is it would encrypt itself and decrypt itself on the fly, because it didn't want to be discovered by antivirus software. It would also look for the names of antivirus software in the software that it's trying to infect, and it wouldn't infect, so it would watch out for antivirus. So this is pretty clever for the time. And what it would do is it would start encrypting your hard drive slowly, encrypting every reboot, it would encrypt a little bit more, and you wouldn't know it because it would also decrypt it on the fly. So as you try to reach into that, it would start decrypting your memory and then encrypting it again, and you have no idea until one day it pops up a message that says "this is One Half," and by that point a bunch of your hard drive is encrypted. And when your drive is encrypted and the only thing that decrypts it is this virus, then you have a problem, because you can't delete it, but you also, maybe you don't want to live with this on your computer. It's really strange, and I thought it was fascinating, this type of parasitic relationship between you and malware. It didn't do anything else, so technically you could just live with it if you wanted to.

So this was the world of early viruses. We have Trojans and worms that are also making their first appearance. We talked about the AIDS Trojan. The Morris worm, I'm not going to tell the whole story of the Morris worm because we're going to talk about worms a little bit later, but 1988, this is another big story in the news. Robert Morris writes this worm, he has this idea, if