
The Pecha Kucha is a special turbo talk. It is only seven minutes long and each slide is going to auto-advance, which means... one moment, sorry, but it's okay. Anyway, this is a challenge both for us as organizers and for you, the audience, but most of all it's a challenging talk for our speaker, because all of the slides are going to auto-advance. That means he doesn't get... that means... Thank you, Stefan. It doesn't mean that our next speaker, Ari Eitan, who is awesome... and we love our returning speakers, so thank you, Ari, for returning to BSides Tel Aviv. Check out, check out his shirt: the vintage 2016 original BSides Tel Aviv edition, now nowhere to be found, not even
on eBay. You cannot get one shirt like this. And now, Ari, I'm going to leave you to do this amazing thing, which is the Pecha Kucha challenge. Before that I'll wait to have a whiskey. Okay.
I'll just tell you why, then. Here we go. So, hi everyone, my name is Ari and I'm the VP of Research at Intezer. It's great to be once again, like Aaron said, in this Pecha Kucha. I will talk about IsraBye, which is the first anti-Israeli wiper. Today I would like to present the story and significance of this specific malware. So let's start.

Last August I got my hands on a very interesting malware sample. The malware itself wasn't very sophisticated, but since it involved Israel, by which I mean the Hebrew encryption message, as you can see, and I'm Israeli, it really attracted my attention. After a quick investigation I quickly came to the conclusion that it's the first
anti-Israeli and pro-Palestinian data wiper, which is called IsraBye. Besides causing damage to Israeli victims, IsraBye also tries to deliver some kind of political message. For those of you who are not familiar with wipers, it's a type of malware with the intention of wiping the hard drive of the computer. It's in fact different from ransomware, where you can allegedly recover your files if you pay; in this case the files are gone forever.

IsraBye was spotted shortly after a political incident between the Jewish and Arab people in Jerusalem, at the Temple Mount. Usually after incidents like this we see more activity in social media such as Facebook and Twitter, but this time they tried to convey the message across
the cyberspace landscape. The agenda of the author of IsraBye wasn't meant to be hidden at all. He hates Israel and the Israeli people. Based on the messages inside the wiper, he believes that the Palestinians should have full control over Jerusalem. You can see it now. Back to cyber, no more politics.

About the malware itself: as you can see, it's written entirely in C#, so for us it's very easy to analyze and understand the code. The IsraBye wiper is modular, which means that instead of having all the malicious code in one executable, it spreads its functionality between five different executables. So what does it do? First, it changes the background of your computer to this scary photo.
Besides the burning Israeli flags, it has messages in Arabic with the translation of "get out of the Palestinian land", "from the sea to the river", "Palestine is not for sale", and so on; you can imagine the rest. After that it changes the mouse cursor to this picture, the "end of Israel" photo, which follows any way you move it on the actual screen, and it also starts playing some Arabic music in the background, which I'm going to skip. Next, it opens a window with Hebrew and English messages about the files. This is it. The messages say you will get them after Palestine will be free, and "sure, you can recover your files". Well, the last sentence is a lie, because, like I said, in
this case we're dealing with a wiper and not a ransomware.

And now for the best part, in my opinion: the wiping part. Rather than encrypting the files, the wiper changes the content of the actual files to "[ __ ] Israel <username>, you will never recover your files until Israel disappear". The "disappear" typo is original; remember that, because we'll go back to it later on. Now, surprisingly, the malware has some evasion techniques. It looks for processes like Process Hacker, Task Manager and Process Explorer and just terminates them if they're detected, but this doesn't mean that we're dealing with some kind of an advanced threat.

So I tweeted about the malware. This is it. It went
viral, got a lot of retweets, BleepingComputer wrote a full article about it, actually including my tweet, and they even created a demo video of an infected machine where you can see the malware in action wiping the files.

And now for the bugs in the malware. It's important to say that the programming level of the malware was not high at all. Technically speaking, like I said, it was written in C#, and all the other executables were included in the resource section of the main PE, and by the name of each resource you can understand what it does: "cursor" for changing the cursor, for example. Now, another thing: the malware doesn't even wipe all the files like it should. The
files that are stored in the Desktop and Downloads folders are being wiped, but files stored in other folders, such as Program Files, just stay without any change at all. So, pretty fail. Okay, the name IsraBye is not our idea, actually, but the name the author gave it. We know it because we've detected a PDB path in the malware, as you can see, and we can see the original name of the project. We can even see the username who created it; in this case it's Ahmed. And if that's not enough, then I don't know. [inaudible] Great. I found a way to make it crash: the malware tries to copy itself to a specific folder, and it turns out that
if a file already exists in this exact path, the malware crashes without conducting any damage.

Now, remember the typo? There are new samples of IsraBye. At first I created a YARA signature based on the "disappear" typo, and I was able to find a new sample. The author recompiled the source code, and now the PDB path has been removed, but besides that all the major bugs that I just showed are still in it. So what do we learn from it? Mostly that it's probably easy to write malware, as you can see, especially using C# or Java, and to use it to push and promote your agenda, but as you can
see, it's probably not that easy to make it work perfectly and without any bugs at all. And this is it. Thank you very much. [Applause]
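An added example, not code from the talk or from Intezer, of the detection idea the speaker describes: pivoting on the "disappear" typo in the overwrite message to find recompiled samples and to spot files that the wiper has already overwritten. The talk does not give the exact byte layout, encoding or casing of the string inside the binary, so the example assumes the phrase quoted in the talk, matches it case-insensitively, and checks both raw ASCII and UTF-16LE (the encoding .NET uses for string literals); the size threshold for a "wiped" file and every file in the scanned tree are constructed for the demo.

```python
"""Typo-keyed signature scan, in the spirit of the YARA rule mentioned in the talk.

Added example with assumptions: the message text is the phrase quoted in the
talk; encodings checked are ASCII/latin-1 and UTF-16LE at both alignments;
the 1 KiB bound for an overwritten file is a guess, not a fact from the talk.
"""
import os
import re
import tempfile

# Phrase quoted in the talk, including the original "disappear" typo.
# The negative lookahead is the point of the rule: a plain substring match
# would also fire on a corrected "disappears", so it would no longer be
# keyed on the typo at all.
TYPO_RE = re.compile(
    r"you will never recover your files until israel disappear(?![a-z])",
    re.IGNORECASE,
)

WIPED_MAX_SIZE = 1024  # assumption: an overwritten victim file is just the short message


def decoded_views(data: bytes):
    """Yield (label, text) views of a buffer: raw bytes as latin-1, plus
    UTF-16LE decoded at both byte alignments (assumption: C# string
    literals are stored as UTF-16LE; their alignment is unknown)."""
    yield "ascii", data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield f"utf16le+{offset}", chunk.decode("utf-16-le", errors="ignore")


def match_typo_signature(data: bytes) -> list:
    """Return the labels of every view in which the typo phrase occurs."""
    return [label for label, text in decoded_views(data) if TYPO_RE.search(text)]


def classify(data: bytes) -> str:
    """'wiped' = small file whose content is the plain-text message;
    'sample-candidate' = phrase embedded in something larger (e.g. a binary);
    'clean' = no hit."""
    hits = match_typo_signature(data)
    if not hits:
        return "clean"
    if "ascii" in hits and len(data) <= WIPED_MAX_SIZE:
        return "wiped"
    return "sample-candidate"


def scan_tree(root: str) -> dict:
    """Classify every file under root; keys are paths relative to root."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdicts[os.path.relpath(path, root)] = classify(fh.read())
    return verdicts


def demo() -> dict:
    """Build a constructed directory tree (not real victim data) and scan it."""
    msg = "**** Israel alice you will never recover your files until Israel disappear"
    files = {
        # a victim document overwritten with the plain message
        "Desktop/notes.txt": msg.encode(),
        # constructed fake binary: junk bytes around a UTF-16LE copy of the message
        "Downloads/dropper.bin": b"MZ" + bytes(range(256)) * 4
        + msg.encode("utf-16-le") + b"\x00" * 512,
        # untouched file
        "Desktop/report.docx": b"PK\x03\x04" + b"\x00" * 300,
        # corrected spelling: a rule keyed on the typo must NOT fire here
        "Desktop/fixed.txt": msg.replace("disappear", "disappears").encode(),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:17} {rel}")
```

The lookahead matters in practice: when the author fixes the spelling, a substring rule on "until israel disappear" would still match the patched string and would silently stop telling you which build you are looking at, which is exactly the information the speaker used the typo for.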