
Welcome, everybody. This is the next talk, a very interesting topic: the history of malware, from floppies to droppers. Please welcome Elliot Kimi.

Thank you. Thank you all. All right, thank you so much for coming. So this is going to be the history of malware. My name is Elliot Kimi; I'll have a "who am I" slide at the end, but there's a lot to cover, so we'll move quickly. Today we're going to take a journey through time and space. I think it's really important, especially for people who work in security research, in any area of security really, to understand where these things come from, the motivations, how we got to the point we're at today, and how it all evolved: how did we get to the point where we are today with malware? We're going to talk a little bit about when some of the first phenomena that we understand today in malware first happened. We're going to talk about what happened, who the people behind it were, what their motivations were and sometimes where they came from, and that's going to be really interesting.

Before we start I'll start with a question, and this is common ground; somebody told me we should do some sort of discussion, so I'll ask some questions. The first question is: when was the first ransomware incident? Yeah, 1989. 1989, very good, a round of applause. Do you know the details? Cyborg, yes, very well done. So the AIDS Trojan, or PC Cyborg, which was the name of the company, in 1989: the first ransomware incident. That's really funny and kind of weird for a couple of reasons. One is that 1989... there are people in this room that weren't born in 1989, I imagine; I was born shortly before, so this really predates a lot of things. And also, really, ransomware in 1989? Was the technology there to enable this? And this is a real story. I think, for starters, it took a lot of creativity and a lot of determination to actually make ransomware in 1989.

There was a guy called Joseph L. Popp. He had this brilliant idea: what if he could write software that basically blackmails people into paying him? He thought this is great, this is a fantastic idea. He took 20,000 floppy disks, which is a huge financial investment; each one would go in an envelope and he would send it by mail to people all over the world, actually most of them were in the UK. If you ran it, it asked you to turn on your printer, because back then ransomware wasn't paperless yet, you know, so it would print out the invoice, which is also the ransom note. And, yeah, it would lock up your computer; after a while it would ask you to pay. You were supposed to send money to a PO box in Panama, because, the genius that he was, he thought he could just go on vacation immediately after.

It was a really interesting incident. First of all the malware itself, the Trojan itself, wasn't super sophisticated, but it was really clever. One thing it did is it would fake an MS-DOS environment: it would create this MS-DOS environment which you couldn't escape out of. Ctrl-Alt-Delete would just return you to that environment, restarting would just return you to that environment; you're supposed to think that you're locked out of your computer. Behind the scenes it would encrypt files. It was an XOR encryption; it would change the names of the files, and that would make it really hard for you to access your information. This had impact in a lot of different ways, similar to where we see impact today with ransomware. A lot of people back in 1989 didn't really know how to recover from something like this; there were AIDS researchers that had reportedly lost ten years of their research.

It was also partly the impact that it caused that was the reason Joseph L. Popp kind of went crazy towards the later part of his life. I read a lot of different accounts, but some of them say that he was just so ridden with guilt when he'd heard what he had caused that, in an airport in Amsterdam, he passed a note to law enforcement, something along the lines of "Dr. Joseph L. Popp is not well," or something to that effect. They caught him, they tried him; he would show up in court with curlers in his beard and hats made out of cardboard, I think, and he was completely insane, and they let him go because he was crazy. Maybe he was crazy before, I don't know, but he was certainly crazy after. And that was the first ransomware, and this was a Trojan, and we'll come back; Trojans will make a great comeback towards the latter part of this talk.

But really, to start talking about malware and malware writers, we have to put ourselves... let's journey through time and try to understand what computers meant to people in the '70s and '80s. There was this sense of wonder, fascination; computers were this magical thing that could enable everything that we could imagine. When you look at pop culture, and sci-fi in particular, computers were this thing that would make science happen, that would make magic happen. They would be the thing that would take you to space or teleport you, or at least enable these things to happen. There were some films where it was the main character, like WarGames or Tron, things like that. So there was this sense of wonder, and in that sort of environment you have a lot of people theorizing; they're fascinated with these ideas of what could happen on a computer.

In 1984 there was a man called Alexander Dewdney. He wrote a column for Scientific American, and he wrote about a game that he created. The game was called Core War, and the whole premise was: what if there were two programs on a computer and they just fight each other? They can copy themselves, they can think, they can attack each other; you write the code and then you let it loose. So it's kind of like BattleBots but without chainsaws; they would fight it out, and whoever wins, wins. And he says, "I was inspired by this story that I heard," this fantastical story, this myth about the Reaper and the Creeper. He says somewhere in the '70s there was a lab, and some scientists created this virus called the Creeper, and it spread throughout the lab and it infested everything, and they couldn't get rid of it until they wrote another virus that went and spread again, and all it did was look for copies of the first virus and delete them, and delete itself. And he thought, you know, there are some obvious holes in this story, it's a weird kind of story, but what if it could be true? What if it was true? And that's why he created his game.

But back in '84 there was no real awareness of what viruses were, so he asked his readers to send him some of their creations, and what he got instead was a whole lot of evidence of virus creators, all sorts of viruses that people had encountered. So a year later he writes "Of Worms, Viruses and Other Creatures"; he writes this column again, and there he tells people all over the world about viruses actually existing. What he had considered a myth was actually a reality, and this was a surprise to a lot of people. What I'd heard is this really wasn't commonly discussed because nobody really wanted to hinder the sales of computers; that's one thing that I had read. But in the mid '80s, despite viruses having existed for a long time, they were still considered something of a myth, and maybe some people in the audience can confirm or deny this. But in 1988 he writes another column, and he starts that with a quote from Eugene Spafford, something along the lines of "the only safe computer is one that is turned off, cast in a cement block, put in a safe room and guarded with live guards, and even then I have my doubts." So four years later everybody understands the danger of what can happen with computers, and it's interesting to see this transition; we're going to talk a little bit about why this happens. By the way, the story that he's thinking about, that myth,
is real, and I encourage everybody to research this. In 1971 there was a lab called BBN Labs in Massachusetts, and a man by the name of Bob Thomas wrote the Creeper. They were trying to create software that would replicate itself to create backups of itself; systems weren't always fail-proof, sometimes they would crash, so how do you back something up? Well, you move it, you copy it to another machine. So he ran this experiment, and he was a little whimsical, so he created this thing that would replicate onto another computer, and to know that it successfully replicated it would put on the screen "I'm the Creeper, catch me if you can." It's a really cool story. Later on they created the Reaper, which was the same concept but was meant to delete the Creeper. I don't think it went out of control; I think it was a controlled environment from what I've read, so it wasn't this fantastical story, but it did happen.

We're not going to do background for much longer, but I do want to talk a little bit about what happened with technology around that time, in the '80s and the '90s. Personal computers came on the scene; 1977 saw the first three personal computers, the Apple II, the TRS-80 and the Commodore PET, a really important fact for malware writers. IBM came onto the scene in 1981 with their PC, and this was the first time a lot of people actually had access to computers, and with great access comes no responsibility and lots of power. People started writing viruses, and they started seeing them in the office and in their homes. The other thing that was happening is the creation of the sneakernet: there were portable media, portable storage devices you could actually take and put into another computer. This was a boon and a curse for virus writers and a huge influence on what we're about to look at, because now you could actually transfer your virus from one computer to another, powered by the power of shoes, people walking around. That was great because you could spread it, and the curse was that those shoes were connected to a thinking, living human being that had to actually want to pass this along. So you had to be stealthy, they couldn't know that they were infected, or maybe you make something really funny and whimsical that they would want to show their friends.

These are some of the early viruses from the early '80s; some of them are from the later part of the '80s, but a lot of the early viruses were experimental, they were whimsical. They did things like write "peace on Earth" on your computer, or "I am the Hyper Avenger," "Dukakis for President," "peace on Earth and love for everyone," or they would do things like the Cascade virus here, which would create this visual effect. A lot of them were harmless, but if you weren't really paying attention then things would start happening and maybe you didn't really know how to handle this. All of them had these different messages or different effects. I read somewhere that it had this silly sort of "look what I can do" bravado rather than sheer hostility, and it was cool; I think we could think of it more as graffiti. You're not really trying to knock down the wall, you're trying to cover it; it's a little bit vandalistic, but it's interesting. Has anybody here ever experienced a virus like that? Do you want to share, or tell a story? I just remember the Cascade pretty well. And these things would spread, and that's really interesting, because you might not imagine something that can only travel by floppy actually getting to a lot of different places, but we'll start seeing these viruses spread later on.

I want to talk about one specific one, and that's Elk Cloner, and really talk about what the inspiration was. Elk Cloner was written by a man called Richard Skrenta. He got his first Apple computer in seventh grade and he was in love; by ninth grade he was pirating games for his friends and playing little pranks. He would pirate a game and put a kill switch in there, and after four or five times it ran, the game would delete itself. So his friends would play the game, they would get hooked, and then the game would delete itself, and he loved it; he was just laughing his ass off and enjoying the whole thing, and his friends did not like it at all, and they stopped taking floppy disks from him. So he started thinking: what can I do to infect people, to continue to play pranks? So he decided he's going to make some sort of sticky software. I don't know what you were doing when you were in ninth grade; I wasn't writing brilliant viruses for a brand new technology, but he was. So he decided he was going to create a boot sector virus. A lot of the viruses back then were boot sector viruses: if you put a floppy disk that had this virus on it into the computer, it would copy itself to the boot sector and it would run every time you turned on the computer; it would also infect other floppy disks. That's just the simplified version. So Richard wrote this virus and continued to prank his friends.

Generally speaking, a lot of these viruses worked similarly to this: they would append themselves to the end of the program, they would hijack the command to start the program that was running, they would run the virus code and then they would jump back to the program. So you basically think you're running a program, but you're running the virus as well. They would use these interrupts; this is from MS-DOS, these are kind of like system calls. You could use them to do all sorts of things, and you would hook onto that. Nowadays, obviously, we don't use MS-DOS, but there are other things that we hook onto, other system calls that we use, so this is something that is in some way similar to what we do today. However, boot sector viruses and things like that we don't see a lot anymore; we do see malware that infects the master boot record, like Petya, but there aren't a lot of them that do that.

So those are some of the earlier viruses, but something happens. We know that malware becomes malicious, we know that because it's malicious, but the question is why and when, and it's really hard to pinpoint. But somewhere in the mid '80s we start to see news stories all over the place about the computer virus, and this builds both attention and hype about what could happen on your computer, and it also builds the general anxiety of people. This kind of starts with this virus called the Brain virus, and what's interesting about the Brain
virus is, first of all, it infected a news organization, the Providence Journal, and so it got a lot of coverage. The other thing is it came from Pakistan, and nobody knew how a virus came from Pakistan and made it all the way to the US on a floppy disk; nobody knew how it got there, nobody knew how it infected tens of thousands of floppy disks. It wasn't particularly malicious, but it was enigmatic, and with this enigma you get a lot of buzz. There were also people writing books about viruses, like the Glon computer van B in Germany, telling you how to build a virus, and then you start to see viruses that are a lot more malicious, a lot more destructive, like the Casino virus, or the Maltese Casino, from 1991. This one was pretty nasty. It would copy your file allocation table to memory and hold on to that while it deleted it, so your computer doesn't know where your files are, it doesn't know how to access them, basically deleting your hard drive. And it would make you play a game, a little slot machine: if you got three pound signs you would get your data back, if you didn't, you didn't get your data back, and if you got three question marks it says it will give you his phone number, and he says something along the lines of "screw you, why are you trying to track me down? As punishment I'm going to delete your files anyway," and deletes your files.

So you have this Maltese Casino coming from Malta; you have the Vienna virus, oddly enough researched in Bulgaria; you have the Italian virus; you have the Israeli virus, the Jerusalem virus, 1987. This was a virus that was designed to activate its payload and delete everything on Friday the 13th, 1988, or sorry, every year after 1987, because it was created in 1987 and they wanted to have a year to try and infect as much as it could. These things would create panics; Michelangelo was another panic, because they would be found before the day they were supposed to activate their payload, so people didn't know if they were a victim of something like that: on the 20th of January 1988, are all of the computers around the world going to be deleted or not? It was kind of like a Y2K sort of panic every few years.

One of my favorite viruses, though, that I want to talk about is the One Half virus, and I'll just talk shortly about that. This was a destructive one. This is towards the later period of what we're talking about here, 1994, but already there's a lot of sophistication. One Half doesn't just jump into the entire virus code and then jump back to the software; it actually splits itself up into different functions and then distributes itself inside the program that it tries to infect. It looks for empty sectors in that program and just attaches itself, and it would jump from one instruction to another, and this is a form of polymorphism or metamorphism, and this is MS-DOS, this is 1994. So that was one thing that was interesting, pretty clever. The other thing is it would encrypt itself and decrypt itself on the fly, because it didn't want to be discovered by antivirus software. It would also look for the names of antivirus software in the software that it's trying to infect, and then it wouldn't infect; so it would watch out for antivirus. This is pretty clever for the time. And what it would do is start encrypting your hard drive slowly; every reboot would encrypt a little bit more, and you wouldn't know it because it would also decrypt it on the fly. So as you were trying to reach into that, it would start decrypting your data and then encrypting it again, and you have no idea until one day it pops up a message that says "this is One Half," and by that point a bunch of your hard drive is encrypted. When your drive is encrypted and the only thing that decrypts it is this virus, then you have a problem, because you can't delete it, but you also maybe don't want to live with this on your computer. It's really strange, and I thought it was fascinating, this type of parasitic relationship between you and the malware. It didn't do anything else, so technically you could just live with it if you wanted to.

So this was the world of early viruses. We have Trojans and worms that are also making their first appearance; we talked about the AIDS Trojan. The Morris worm: I'm not going to tell the whole story of the Morris worm, because we're going to talk about worms a little bit later, but 1988, this is another big story in the news. Robert Morris writes this worm. He has this idea: if I could make software that copies itself onto other computers, in the very early days of ARPANET, the Internet kind of, if I can send this to all of the contacts, if I can make it send itself, using a couple of vulnerabilities
and also something that would guess passwords, he figured, if I could do that I could spread my software everywhere I want. And he did it, and it infected 6,000 computers, which at the time was 10% of the entire Internet. It was a big story, and everybody forgot about that until the next worm comes around. So this is another trend that you'll notice: things happen, and then we forget, and then they happen more seriously.

But now we arrive at the mid '90s, and why is this an important time? Well, first of all, in pop culture we already understand what hackers are; we kind of start to get an idea, although it's still a lot of clicky-clack and "I'm in the mainframe." But also we have two wonderful things happen. We have Windows 95, which, before it came out, Microsoft said that viruses are not going to work on Windows 95, and so that is the end of my talk, actually, they never worked again. Probably it was a marketing person that said that, but, yeah, Windows 95 had a lot of other convenient ways for malware to work, and more importantly Office 95. Office 95 had this great new feature, macros. You've heard of macros. This was this kind of cool feature that somebody at Microsoft thought about, and well, I shouldn't talk about it this way, but macros basically gave you the option to automate some functions whenever you were working with an Office file. So you could automate; maybe you could open things, close things, you could run debug commands, you could run commands on Windows, you could do a whole lot, and because you could do a whole lot, people started thinking about how this could be abused.

So the first ever macro virus was the Concept virus, which came out maybe a month after Office 95 came out, and the macro was super simple: you open a Word file, the macro runs, it tells the computer to display this, you press OK, and then nothing happens. It was literally a proof of concept, so nobody cared. And then Concept, when it came out, was maybe the fourth most infectious virus, and then it became the second, and then a month later it was the first, and then it was the first, and then three years later all of the viruses were macro viruses, and that became a really popular technique. But we're talking about macro viruses; macro viruses haven't gone anywhere. We're still seeing macros being used for phishing; this is still an effective way, or in the past let's say ten years has been a very effective way, of being able to run commands on a computer, PowerShell or anything like that. So you're looking basically at some sort of prehistoric thing, like a shark, an ultra predator from 25 years ago that still haunts us to this day.

So macro viruses throughout the late '90s continued to evolve, and we actually start to see the same trend: they were experimental, then they were whimsical, then they were destructive. This is one of these experimental viruses; this was written by a guy called Nightmare Joker, and he was a famous virus writer at the time. They were like rock-star virus writers back in those days; he was super famous, he wrote some kits, but he also wrote this. This is interesting for a couple of reasons. When you run the document it would run the macro, the macro would copy itself to the global macros, which means it starts to infect all your other documents whenever you open them or when you create a new one. It would also obfuscate the names of the macros, because, like I said, when Concept came out nobody really did anything about macro viruses; by the time antivirus caught up to this trend they were just looking for names of macros. So the virus writer would just obfuscate the name, generate a name on the spot. So it would create these macros, and they had a very specific purpose: on a specific date they would activate, and when they activated on that specific day, it was January 20th I believe, it would basically hijack your screen. It would say "you are infected with Outlaw virus from Nightmare Joker," and behind the scenes it would run debug commands, it would create a file, generate a binary file, and change it to a WAV file, a sound file; that sound file was the sound of someone laughing. So if you pressed the wrong key, which was the E key, on January 20th, your computer would get hijacked and it would start laughing at you, kind of a prehistoric dropper of sorts, and really creepy if you ask me. And macro viruses just continued to evolve during those days.

Now remember the worm, the Morris worm, from earlier. Back then the Internet was maybe 60,000 machines; by 1999 the Internet was 250 million machines, so we start to see the first emergence of these big worm infections. So Melissa is a macro virus that had taken on a worming capability: instead of doing something like deleting your entire computer, or instead of doing something like laughing at you, it opens Outlook and then it sends itself to 50 contacts, the first 50 contacts that it can find, and then when it lands on the next computer, hopefully somebody opens the file, and it would send itself to 50 more people. Melissa spread so quickly and so thoroughly that in 1999 this virus shut down 300 companies, where they had to shut down their email, shut down their communication, including IBM, Microsoft and a lot of other companies, and it made huge news all over the world. The FBI got involved; they actually caught the guy.
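Antivirus of the period keyed on macro names, which is exactly what the Outlaw author defeated by generating names on the spot, and Melissa's mailing routine hid inside an ordinary-looking Word document. The example below is added here and is not from the talk or from any of the malware it describes: a Python heuristic that scores VBA source on what it does (an auto-execution hook, writes to the global template, shell execution, file writes, Outlook automation, Chr()-style string building) and on whether its procedure names look machine-generated, rather than on any particular name. Both macro sources are constructed, inert skeletons that only reference API names with placeholder arguments; the indicator table, the name heuristic and the threshold of 3 are my assumptions, not a published signature set.

```python
import re

# Behavioural indicators, keyed by category. Each pattern is matched against
# the macro source case-insensitively (VBA is not case-sensitive). The table
# is an assumption for this example, not a published signature set.
INDICATORS = {
    # runs without user action when the document opens or closes
    "auto_exec": r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
    # writes itself into the global template so every later document is infected
    "global_template": r"\bNormalTemplate\b|\bVBProject\b|\bVBComponents\b",
    # hands control to the operating system (the 'debug commands' of the talk)
    "process_exec": r"\bShell\b|WScript\.Shell|\bcmd(\.exe)?\b|\bpowershell\b|\bdebug(\.exe)?\b",
    # drops a file to disk (Outlaw built a binary and renamed it to a .wav)
    "file_write": r"\bOpen\s+.+\s+For\s+(Output|Binary|Append)\b|\bCreateTextFile\b|\bSaveAs\b",
    # mails itself onward (Melissa's fifty contacts)
    "mail_automation": r"Outlook\.Application|\bMAPI\b|\.Recipients\.Add|\.Send\b",
    # assembles strings at runtime to hide them from static scanners
    "string_obfuscation": r"\bChr\s*\(\s*\d+\s*\)|\bStrReverse\b|\bXor\b",
}

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)


def extract_procedure_names(src: str) -> list:
    """Return the names of all Sub/Function declarations, in source order."""
    return PROC_RE.findall(src)


def looks_generated(name: str) -> bool:
    """Heuristic for names produced on the spot: letters mixed with digits, or
    six-plus characters with no vowel. Deliberately loose; a scorer, not proof."""
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    if has_digit and has_alpha:
        return True
    return len(name) >= 6 and not any(c in "aeiouAEIOU" for c in name)


def analyze_macro(src: str, threshold: int = 3) -> dict:
    """Score macro source by behaviour: one point per indicator category hit,
    one point if any procedure name looks generated; verdict by threshold."""
    hits = sorted(cat for cat, pat in INDICATORS.items()
                  if re.search(pat, src, re.IGNORECASE))
    generated = [n for n in extract_procedure_names(src) if looks_generated(n)]
    score = len(hits) + (1 if generated else 0)
    return {
        "indicators": hits,
        "generated_names": generated,
        "score": score,
        "verdict": "suspicious" if score >= threshold else "benign",
    }


# Constructed sample 1: an ordinary formatting macro.
BENIGN_MACRO = """
Sub FormatReport()
    ' Constructed benign example: bolds the Heading 1 paragraphs.
    Dim p As Paragraph
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Bold = True
    Next p
End Sub
"""

# Constructed sample 2: an inert skeleton that only names the APIs the macro
# viruses in the talk touched; every argument is a placeholder, nothing works.
SUSPICIOUS_MACRO = """
Sub AutoOpen()
    ' Constructed, inert: calls a procedure whose name was 'generated'.
    Call Qzx7k9vp
End Sub

Sub Qzx7k9vp()
    NormalTemplate.VBProject.VBComponents.Import "PLACEHOLDER.bas"
    Shell "cmd.exe /c PLACEHOLDER.cmd"
    Open "PLACEHOLDER.wav" For Binary As #1
    Set olApp = CreateObject("Outlook.Application")
    Msg = Chr(89) & Chr(111) & Chr(117)
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        print(label, analyze_macro(src))
```

Renaming `Qzx7k9vp` to anything else leaves the score unchanged, which is the point: the verdict rests on the auto-open hook, the template write, the shell call, the file drop and the Outlook handle, not on what the author chose to call the routine.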
But this was a new era. This ushers in something really important: for the first time, maybe not the first time but the first time with a major impact, we have a macro virus that can worm itself to other computers, and this was an important step in the evolution of malware. After the Melissa virus we finally see the ILOVEYOU virus one year later, and this one was a lot more destructive; it had some destructive capabilities. It could change files, it could hide files, and there were variants that would delete files, and it would cause a lot more damage. But from that point on we start to see these types of worming viruses, and we kind of move into the 2000s.

The 2000s bring with them a lot more ways for us to communicate with each other, and that's the technological influence of that time that it brings onto malware. We've got Kazaa, we've got IRC, and malware would spread through all of these channels; macro viruses would spread through all of these channels, and we'll maybe talk about why. But IRC was also super important at the time because it ended up being some sort of consolidated point for control, and we'll talk about control of what exactly.

Well, we talked about Trojans and we kind of forgot about Trojans, and now we're coming back to the Trojan. There were these evolutions, Kazaa and all these things, which meant that it actually makes more sense for you to send somebody a file and tell them that this is the new Britney Spears album, and for them to run that file, than to try and send them a Word document with a macro in it. So suddenly we start to see this decline of macro viruses and we see a lot more Trojans pop in. We start to see macro viruses being compiled: the macro script is getting compiled into a file, and then they tell you it's some kind of pirated thing, or maybe it's a crack for your favorite game, but it actually contains both the crack and the virus, and you get infected without knowing.

Another thing is happening at the same time: we start to see these types of remote access Trojans, or remote administration tools, however you want to call it; the abbreviation is the same. The idea is that now you have computers networking en masse for the first time, and so you have administrators, and administrators do need to administrate, and they need something to help them control computers. But at the same time, on the other side of this coin, you have these remote access Trojans. It starts out with NetBus in 1998, and NetBus was created by a Swedish man; "bus" in Swedish is mischief, so this was supposed to be a prank or a joke. It would basically create a connection between two computers: you have one computer that's infected and the other computer is controlling it, one is the server, the other is the client, and the client can send commands over to the controlled computer. It could open the CD-ROM, or it could do all sorts of fun things like play fart sounds. Awesome. That same year we have Cult of the Dead Cow, a group of very famous hackers, release Back Orifice; that was at Black Hat 1998. Back Orifice did a similar concept, only it allowed you to do a lot more than just make funny sounds: you could delete somebody's computer, you could keylog, you could look through their camera, you could listen in on what they're doing, and that opened the door for a lot more that you could do with these remote access Trojans. In 1999 we get Sub7, the script kiddie Mecca, which enabled a lot more things and also eventually included the ability to connect to an IRC server or IRC channel where you can control Sub7. And, you know, I said script kiddie, and I know we deride script kiddies, and in some ways justifiably, but I want you to try and imagine being 15 years old and having that type of power. I think, like I said, with great access comes absolutely no responsibility and great power, and I think a lot of people just went that route because it seemed like some kind of grand adventure that they could do. I don't think that justifies anything, but I just think it's interesting. So these
would act as inspiration um for for malware writers in in the 2000s and suddenly malware is starting to get a purpose because up until now we get these things that make fun of you or they do some silly thing or they delete your files but here we can do so much more and that opens up the door for a lot of different things so what happened when you combine this with the warming viruses well you get macro viruses that can warm to a lot of other computers and then they could install some back door or they can put some back door dooring capability and when you put a back door on a computer they can do
whatever they want with that computer you could uh a lot of the early ones would uh use it to send spam so you would have this these macro viruses some of them would act like downloaders so some of some viruses going all the way back to 1999 the way they would operate is they would connect to a a website online or a server online and they would download the rest of the payload this is this goes all the way to macr viruses um they would update themselves they would download modules from the internet and they basically would spread through email IRC messenger anything they could find and sometimes drive by downloads and they would install a backd door so
we start to see this happening in the early part of the 2000s and this is for the formation of the first botn Nets so botn Nets would start to become more popular um the idea was that you could um create a bunch of slave computers you either install a proxy on them or you install a back door and they all connected the Sam IRC server and then you could do stuff with that um and what you start to see around that time is highly infectious viruses spreading to the to the tune of millions and millions please don't tell me okay good I need to remain in compliance sorry pause let's comply um and so uh you would see these explosions of
M in in the early 2000s because you would get Mau that spreads really quickly and uh because it's connected to some kind of command and control server or it downloads part of its uh um its payload these would be hardcoded into the malare and when you block an ioc back then you blocked the malare so they would just go all the way up to like 11 million uh infections and then they would disappear a month later which is really interesting but these develop from these worming viruses that could connect to a server you start to see the modern botn net emerge throughout the late 2000s or between 2005 2000 to 2010 and again this grows the sense of
purpose that malware now has it's not just something that could delete your files or or make a a fart noise on your machine machine now you could create a huge network of computers and you can tell them to Dos somebody all at the same time and you could start to maybe you sell that capability to other people you could start to make money a lot of these would create spam so they would use proxies or computers to sand spam everywhere and you could pay for that suddenly you could make money on on your on your botnet and that was a huge Evolution and you start to see from that the first emergence of cyber crime but
there's, you know, a lot of botnets emerging at this time, and one of the ways that botnets would remain active is they would have to iterate, because if you block an IoC it would be difficult, if you find their signature it would be difficult for them to spread. So they start to iterate, and they iterate quickly. The name of the game in this later part, between 2005 and 2010, was iteration. New versions would come out so quickly that you would start to see conversations happening between malware writers and writers of antivirus, or researchers, security researchers. This is Nirbot, and throughout, I think it was 2005, throughout 2005, whoever wrote this, with every new iteration, would write a new comment for researchers to find, and it would just basically be a conversation. The gist of it is he wanted it to be called Rinbot and everybody else was calling it Nirbot, and they just continued to call it Nirbot, probably to kind of annoy him, and throughout this he's saying a lot of not nice things about security researchers. But they would iterate very quickly.

And 2010 to 2020, we start to see the sort of evolution of what we know as modern malware. One of the big things that happens in 2012 is the creation of Bitcoin, and another thing that happens is EternalBlue in 2017, and with it WannaCry. Why these two things are important is because Bitcoin gives people a way to monetize their malware that is a lot harder to detect. No more gift cards or vouchers, which they would then have to resell, and it's a huge problem, and they could be tracked back. Now you could work with Bitcoin; it was a lot more effective. Vulnerabilities gave you access to a lot more. Computers are more networked now than ever before, and so you could use these vulnerabilities to gain a crazy amount of access. And so when you think about the next part in the evolution of malware, and I know that this is now getting a little simplified, because when you do the research into the history of malware you start out really sort of narrow, you start with like MS-DOS viruses and it's all pretty simple, and then it kind of grows a little bit, and then it grows again, and then it becomes exponential. So I'm having to simplify a little bit, but we start to see the phenomenon of these botnets developing more and more complex backdoors, which leads to more and more monetization of these botnets, and we, like I said, start out with spam and DoS, but it doesn't take too long for these botnets to start using backdooring capabilities like keylogging and password, credential harvesting, and so on, and we see the first banking Trojans sort of come onto the scene, where the goal is to steal banking information, and then finally dropping a ransomware when you're done with this endpoint. When you have no more use for it, you drop a ransomware on it. This was first done with CryptoLocker in 2013, 2012, 2013, and the Zeus botnet. So Zeus was a very famous botnet at the time, and then basically, when they didn't need the malware anymore, or the endpoint anymore, they would just drop ransomware on it.

Eventually, just like every time in the history of cyber security, first you see attacks against people and then that moves into organizations. Eventually these attacks that were mostly targeting people move to organizations, and I showed the slide, for example, you know, WannaCry and others like it really show the world that ransom can be an infection that is really, really hard to stop, both for individuals and for companies. So I know I'm kind of rushing through the later part, but I feel like we've all lived through more modern malware, and I kind of want
to focus on the history. So I'm sorry, I'm simplifying here a lot, right, but I wanted to kind of show you my train of thought. You know, in the early days, imagine kind of the 80s right here, and then the kind of late 90s, and then finally the 2000s. We start with viruses, just regular MS-DOS viruses. There were a lot of those. There were a few worms and there were a few Trojans, but there were a lot of viruses, and then we start to see the macro virus in '95, so that's an evolution there, and then when you start to put the sort of internet into the picture you start to see macro viruses that worm around the world, that spread themselves. At the same time Trojans develop, and we start to see backdooring capabilities develop in a lot of different malware, and so when you combine those two you actually form botnets, and then from botnets you start to see the sort of development of Trojans, of banking Trojans, and ransomware. That's kind of it, I guess. Obviously there's a lot more to this story, but of course now we're dealing with a lot of other things in the corporate world, but when I think about malware specifically, that's kind of where I want to trace this journey.

So the last thing that I have to ask myself is, okay, when I was doing research for this, it's a lot of reading. It's really fun, but it's also really a lot of reading, and you try to make connections and you try to figure out, all right, what was the technology that showed up around that time that seems to have enabled what's going on throughout this period? And I thought to myself, if I write this 20 years from now and look back, what would be the thing that I see as the driving factor for malware that is going to be created, let's say, in the 2020s? And it seems to me that AI might be something that would play a big role, and I don't know if this is correct or if it's not correct, but the way to sort of know this is maybe to follow the same pattern that we see throughout the development of malware throughout the years. What we're going to start to see is some concepts. We're going to start to see something experimental come out, and to be fair, I think those things already exist. I think we're kind of past the experimental stage in a lot of ways. There's already AI, or language models, that could write malware, not just phishing but write malware. So the question is, is this going to develop into something serious? And I think the first thing we'll see is concepts, proof of concept, and I'm wondering if one day we'll see this vision of Alexander Dewdney of two software, two AI software creations fighting it out inside a computer, when we have, you know, the malware writers and the security people just kind of building their own AIs to kind of battle it out. And that's kind of an exciting future and also very creepy, I would say, but it might happen. And I think the one thing that it's important to take away from this history is to never say never. A lot of these things start out as concepts. This happened with the Concept macro worm. This happened with a lot of the early worms that were being created. People didn't pay attention. They thought this is not going to be a thing, this is not going to cause any harm, but never say never. And so I think this might be the next stage.

There's so much more to the history of malware, there's so many more stories that I wish I could tell you, that I wish I could share with you. I've put a lot of different links, and as you can see, every slide has different links for you to go and read for yourself. I don't know if we'll be sharing slides later on. There's so much information out there and I encourage you to go and read about it yourself. I hope this was good, I hope this was interesting, I hope this invigorated your desire to learn about the history of malware, and thank you so much for bearing with me. We're at time, but if anybody wants to ask any questions, go ahead. Your thoughts?
[Audience question, partly inaudible] ...what viruses have you heard about?

I mean, okay, yeah, I think, yeah, I'll repeat it. So what is my opinion about metaverse viruses and AR viruses? So there's a, shoot, what's the name of the book, with Hiro, is it Snow Crash? Snow Crash, right. There was a virus that would infect your VR glasses and would alter your brain, right? I mean, I think I don't have an opinion. I'm not qualified to make an opinion about the future of VR, but this is a good example of some technology that's being developed and might seem innocuous, it might seem safe and harmless, and then you start to see people abusing it for different purposes. That's something that we might see, and again, to find out if that's an actual reality that might happen, we need to look for these first, the canaries in the coal mine, kind of these first proofs of concept of a virus in a VR headset. I don't know, it's interesting what you might be able to do with something like that. I think we can do one more question.
[Audience question] Yeah, [inaudible], repeat it. So I kind of got a joke out of the macro viruses, because so many companies still use macros. Yes. Right, so that's not really an old tech, it's an old technology, but it's still really valid. Yes. But we rely so much, and developers rely so much, on like shared code, so direct system calls, you know, ClickOnce applications, direct handlers. Mm-hm. Why as a group have we not just gone to Microsoft and said, just stop it, right? I mean, because at some point we have, I mean, there's so many things that are built in that use ClickOnce, right? True. Things, and there's so many vulnerabilities we can take advantage of, which is great, but it's not good for the world, you know.

Oh, so there's two things I can say about this. One is, security researchers are always at the forefront of telling people, oh, I should put this on my where-am-I slide, by the way, if anybody's interested. Security researchers are always at the forefront of telling corporate people, stop, like, put some defenses into what you're doing. So if you read through, you know, there's a lot of great archives for magazines like Virus Bulletin, for example, when it actually used to be a bulletin in the 80s, 90s, and security researchers do warn about the dangers, and specifically with macros, this has been something that Microsoft has promised to block off starting from 1995 or 1996, when you start to see the Concept virus and other viruses come up. So you can read about it, and during those days it's something that's repeated, that Microsoft was supposed to solve the problem, I believe in '96, and then they didn't because they didn't want to break anything, and then they were supposed to shut it off later on, and then they didn't. Actually, macro viruses actually kind of fell off the face of the Earth on their own, because people didn't want to open attachments, and everybody started compiling their macros, and then they just made a comeback towards the end. So they just didn't listen, and now I think Microsoft is somehow blocking macros, I don't know. Yeah, I mean, there's the warning, but, yeah, go ahead. Thank you everybody for your questions, I really appreciate that.

[Audience question] Yeah, just wondering about the diagram you had of the classification of different threats. I was just wondering where do you think threats like Petya fit into that, things that essentially are ransomware but also have a destructive purpose, get rid of the master boot record?

Good question, very good question. Look, a lot of malware today, if
you look at an attack cycle, it will have a lot of these components coming in through. So the thing that really dawned on me that was really interesting, because I've always known, and I worked with a lot of researchers, you see often, you see phishing start with a document, and then it runs a macro, and that macro maybe will run a PowerShell command, and that would start the whole infection chain. And yeah, I always thought, okay, macros, right, phishing goes to macro, and one thing that kind of dawned on me as I was working on this is, hey, that's a virus actually, because the macro is sort of appended to or infected onto the file itself, and so a lot of this history still exists through a modern attack cycle. I don't know exactly how Petya works, but if I had to generalize, I maybe think maybe through phishing. Do you have the answer? No? Got a question? Yeah. Yeah, so maybe, you know, you do the phishing, you run the macro, you download something, that something probably acts as some remote access tool or remote access Trojan, gives you some backdooring activity, you start to, you know, you continue to operate in the network, download the payload and install it. I think one of the bigger differences between Petya and other ransomware is that, from my understanding, Petya does work in the master boot record. So I think when it runs it will run, I can't recall if it starts to encrypt files already, but it would at some point ask you to reboot. Like wipers? Yeah, yeah. So if I had more time, like if this was a two-parter or something like that, then I would probably go more into it, talk about wipers, maybe talk about web applications, as applications, and how threats sort of get into those areas, and how maybe the genealogy exists there, talk about the web and the evolution of the web, talk about exploit kits and, you know, how different programs like Java and Flash enable people to just infect, you know, drive-by downloads, just infect people. I think there's a lot more to talk about, but this is kind of the base of it all. Right, last one, yeah, we have to break for lunch.

[Audience question] I don't know, this is just a build on what he was already asking, but one of the things I was thinking about was, what about viruses that jump from, like, you know, cyber to physical, that, you know, actually can reprogram, or, you know, like with industrial control systems, reprogram machines to destroy themselves. I'm thinking like with Stuxnet and such. So you're thinking about something like Stuxnet. So you were saying, what about viruses that come out of the V, but their purposes is entirely, like, you know, it'll sit and wait and make sure it's on the right machine in the right place, and then, because it's, you know, it's targeting a particular system in a particular place, and the object is to destroy something physical and possibly cause physical harm.

Yeah, yeah, yeah. There's, of course, so, not sure what the question is, but that is something that I saw popping up throughout the history. There's this story, and the first instance of something like that happening was in, I think, '82 or something like that, which is not a very credible account, and it was the US infecting some kind of a Russian control system for a gas pipeline. Yes, Stuxnet, it was the coolest one of those. But what would be your question, what would you want to, I mean, this is all part of sort of the cyber war, the activity that nation states are doing. I mean, I think this is going to continue to play out. I don't think that, yeah, most of this kind of evolves into what I'm talking about, evolves into cyber crime, but this is definitely a set of cyber security that maybe you guys can talk offline. Thank you. [inaudible] Really great, thank you. Thank you everybody. [Applause] Great.