
Do I need to go over here, or just talk right here? Is that good? All right.
>> It's this one.
>> Hello.
>> Should I get closer? Should I just talk like this the whole time? [laughter] It's bad for my back, but okay. All right. Thank you everybody for coming. It's really nice to see everybody. It's a good mix of ages. Today we're going to talk about the history of cyber security, the history of malware. My name is Elliot. We'll have a whole "who am I" slide at the end, but there's so much to cover. Also, kind of ironic: I wrote this talk about two years ago. So the good news is not much has changed about malware in the 80s. The bad news is, I hope I can deliver it the same way I did two years ago.

But today what I want to do is take us all on a journey through time and space, and we're going to talk about how malware evolved. I really like the topic. It's a really interesting topic, but it's also important. If you're a student of cyber security, it's great for you to know these things. What were the inspirations? What were the motivations? How did these things come up, how early did they come up, and let's see if we can learn something along the way. If you're a veteran, you're probably going to have fun reminiscing, and maybe all of us can just look at this history and get into the spirit of the time, because malware meant different things throughout history. In the 80s, malware was different than what it was in the 90s, the 2000s, and today.

Let's start with a question. This looks like a classroom. Who knows when the first ransomware incident was? Does anybody know? It's kind of a well-known story. No? Okay.
>> '89.
>> '89. '89. That's right, 1989. Does anybody know the name?
>> No, that's '99, I think.
>> Or maybe a little bit later than that.
>> No, sorry. '90, '95, '94.
>> It's earlier than '99. The AIDS Trojan.
>> The AIDS Trojan. Very well done. All right. So, the first ransomware was in 1989. It was called the AIDS Trojan. It's a very poor name, but we'll talk about why that was the name. For starters, this is a really funny, interesting fact: a lot of the people in this room weren't born in 1989. How is it possible that ransomware, something that we know from the past, let's say, decades, that became a really big phenomenon in the last decade, existed or was first created in 1989? How was this even possible? It took a lot of creativity and a lot of ingenuity to actually create a ransomware in 1989.

There was a guy called Joseph Popp, and Joseph Popp had this brilliant idea. He thought, okay, if I can create software that hijacks people's computers and blackmails them for money in exchange for control of their computers, I can make millions. He was so convinced of his idea that he wrote the software and he bought a bunch of floppy disks. This is 1989; there is no internet. There's ARPANET, but that is not something that everyone's connected to. He bought floppy disks, thousands of them: 20,000 floppy disks in 1989 was a huge investment of money. That's how convinced he was. He knew that you need to spend money to make money. He took these floppies and sent them by mail to a bunch of people. We can talk about where he got those lists. And the deal was, if you put that floppy disk in your computer, sometime afterwards your computer would ask you to turn on the printer, and then it would print out a ransom note. Because, you know, kids today get their ransom notes directly on their desktop background, but back then you needed to check if you had toner in your printer to get ransoms. And then you had to send money to a PO box in Panama, because Joseph Popp was such a genius that he thought he would just take a vacation immediately after.

This had impact. This was a very creative malware, and it actually had impact similar to what we see with malware today. It was creative and it was interesting, because what it did was fake a DOS environment. DOS was sort of the operating system of the time. It would fake this environment; it was like you were locked into an environment that he had created for you. You couldn't escape it, or it was very difficult to escape it. And in the background, your files would get encrypted and their names would change. So for anyone who didn't really understand computers back then, and there weren't that many people who did, this was a very confusing experience.

Now, I talked about the name, the AIDS Trojan, or the AIDS Information software. Joseph Popp was a scientist and he was somehow connected to AIDS research; he was in those circles. So he was able to get address lists, because back then you had to phish people by snail mail, right? So he got those address lists and he sent this to people, some of whom were working in AIDS research. Some of the impact this caused: reportedly, there was a lab in Italy that had lost 10 years of AIDS research, very important research. And this was because a lot of people just didn't understand what was going on. This is very typical for early viruses. People just did not understand what was going on with their computer.

This impact actually was what got Joseph Popp taken into custody, and not because the authorities were looking for him under every rock and in every crevice. Well, I don't know if they made a lot of effort to catch him, but actually he was guilt-ridden by knowing what he had caused. You might say this was foreseeable, but he was guilt-ridden, and he turned himself in at an airport in Amsterdam, and they took him in, in Amsterdam. They tried him, and he came to the courthouse with curlers in his beard and wearing cardboard hats, and it really seemed like the man had gone crazy. So they let him go, because in 1989, if you write ransomware, you might be crazy. You probably are.
And that was the story of dear old Joseph Popp. It's a really interesting story. It's also a story about a Trojan. This was a Trojan: it was malware pretending to be something else. The AIDS Information software was this sort of calculator that helped you calculate. It was completely useless, pointless; it just helped you calculate the chances of having AIDS. I don't remember exactly, but it wasn't useful. It pretended to be something else. Trojans are going to make a great comeback later on. We're going to put a pin in them and move on.

So to really understand early malware, early viruses in the 80s, you really need to understand what computers meant to people. And we can do this by looking at pop culture and literature. In pop culture, computers were these things that enabled magic, wondrous things to happen. In Star Wars, Star Trek, these were things that enabled space flight, teleportation. WarGames is a great movie; if anybody wants to watch a classic hacker film, in WarGames the computer is one of the main characters. So that was the environment in the 70s and 80s. We were still trying to understand the potential of computers as they interact with humanity. And in this environment of wonder, people were asking themselves questions like: what is possible?

And this is an interesting series of columns that I picked up on, which I think really tell this story in a very interesting way. In 1984, there was a man called Alexander Dewdney, and he wrote a column for Scientific American, and Alexander Dewdney wrote this game called Core War. It's a really cool game. In his words, it's two computer programs in their native habitat that stalk each other and fight. It's like BattleBots, but with coding. No chainsaws, just clickity clack. This was a really interesting game. They would work like this: they'd have instructions, kind of like assembly instructions, and you would tell it what to do. It would go over the instructions, and you would put two programs in the same space, and hopefully one of them would emerge victorious. But he said, "I got this idea because I'd heard of this fantastical story, this myth, about a virus that got out of control in some lab. It took over the lab, and then they had to write another virus to hunt down the first virus, and that second virus would then delete itself, and that was the only way," like this sort of sci-fi story. And he said, "Yeah, it's kind of a silly story. It's full of holes. But what if it was true? What if it could be true?" And he says, "This inspired me to create this game. What if there really were these viruses going between computers and infecting people and doing all sorts of things?"

Now, here's something to understand. In 1984, not a lot of people knew about computer viruses. There are a lot of possibilities as to why. What I've read is that one reason was that people didn't want to harm the sales of computers, so they just didn't really talk about it. Maybe it wasn't spreading fast enough. But when Alexander Dewdney wrote this column, he asked people to send him letters with their creations, these battle bots that he wanted them to create for his game. What he got instead was letters from all over the world, or I guess all over America, from people who actually had encountered viruses, worms, all sorts of things. And this was not something that Alexander Dewdney expected. A year later, he writes another column in Scientific American. It's called "A Core War Bestiary" of worms and viruses and all sorts of creatures, something along those lines. In that column he talks about the shock of receiving all of this information about actual viruses, and then he starts to detail those stories, sharing them with people. It was a big discovery for him, and he was thinking it would be a big discovery for other people. In 1989, Dewdney writes another column for Scientific American. He opens that column with a quote from Eugene Spafford that goes something along the lines of: the only safe computer system is one that's switched off, cast in a cement box, put in a room with guards, and even then I have my doubts. So that was 1989. So somewhere between '84 and '89, malware, viruses, went from being vaguely understood, vaguely known, to being an absolute certainty. And we need to ask ourselves what happened around that time, and we're going to talk about that now.

And by the way, this fantastical story that's full of holes, it's actually true, and I recommend people research this. This is attributed to be the first worm ever written, or it might be; it was called the Creeper. I don't know if I should get into a lot of details about it, because I'm already too slow, but I would encourage people to check this out on their own. The Creeper and the Reaper. It's a very interesting story. It did happen in a lab at BBN Labs in Cambridge. It didn't go out of control, but it was a self-replicating virus, and it was the first one of its kind. It was a very interesting story about ingenuity, and, you know, how do you solve problems: they were trying to create programs that back themselves up. So that was a real story, that myth, and it takes us all the way back to '71.

I'm not going to do much more background, but I do want to just set the scene. Computers, personal computers, are coming onto the scene around that time. In 1977 you have your first trifecta of personal computers, the Apple II, TRS-80, Commodore PET, and in 1981 you have the IBM PC. So people are starting to get computers in their homes, in their offices; people are starting to use these computers. This is a huge evolution for people, because now you have access, and with great access, at least in the computer world, comes zero responsibility and lots and lots of power. So people started using these things and trying to test what they can do. You know, the sense of wonder.

Another thing is the sneakernet. Back then there was no internet. There was maybe the ARPANET; again, this was a sort of a system that not a lot of computers were on, but there wasn't the commercial internet that we know today. So how do you get things from computer A to computer B? Well, you carry them on your feet, which are wearing sneakers, I guess. And the sneakernet is the way that you transfer these things. This is good and bad for people who write malware. It's good because now you have this physical medium you can put your program on and have it go to another computer. It's bad because the sneakernet, those sneakers, are connected to a thinking human being who probably doesn't want to spread viruses. So you have to be clever. You have to be more clever than the people you're infecting. You have to be stealthy. You have to find ways to maybe delay the execution of the malicious part of your software. And this really builds the atmosphere of very early viruses.

Let's look at some of these early viruses. So, here are some examples. You can see Cascade. These were sort of experiments. They were whimsical. They were fun. I'm talking about the first half of the 80s, let's say '80 or '81 to '85. They weren't really meant to cause a lot of harm. They would write things like "peace on earth," "Dukakis for president." I don't know. Does anybody remember Dukakis as a... Yeah.
Okay, good. [laughter] You know, they would do really funny things, and they would cause all these really weird interruptions. And in 1985, if you had all the letters dropping on your computer, you had no idea what to do, and you weren't sure what was going on. But these were, I don't know, maybe you can categorize them as something similar to graffiti, right? Graffiti is not meant to break the wall that it's painted on. It's meant to make a statement, or maybe make something look pretty. So these were the types of viruses that you would see in the early part of the 80s.

And the people who wrote them, I mean, I'm sure there were various motivations for this, but I want to focus on one specific one. Elk Cloner, 1982. This is an Apple II virus, if not the first then one of the first. Elk Cloner was written by a person called Richard Skrenta, and he was a young man. He got his first personal computer when he was in the seventh grade, and he was in love with computers, like many of us here in this room. By the ninth grade he was creating bootleg copies of games for his friends. But, you know, he was just like any other kid. He wanted to play some pranks, and he would create a kill switch in the game. So, let's say the sixth time you would run the game, the game would delete itself. So his friends would play the games that he would bring them, the bootleg games, and they would play them six or seven times, and then the games would delete themselves exactly when they were getting into it. Richard was loving it and his friends were hating it, and then nobody wanted to take any more games from Richard. Makes sense.

So Richard had to find a way around that, and Richard wrote a virus. He wrote a boot sector virus. He started thinking, how can I make this, I think in his words, a sticky program? How can I make it sticky? He wrote a boot sector virus. A lot of viruses back then were boot sector viruses. The boot sector would run first; it was the thing that boots first when you boot your computer. So if you have a floppy disk that's infected, it would run the virus first, and then it would presumably copy itself to the operating system, or copy itself to the machine, and then it would infect other floppy disks as they were used with the same computer. So Richard was able to create this virus, this Elk Cloner. And again, motivations, inspirations: Richard wasn't trying to harm anybody. He was just trying to have some fun.

A lot of these viruses, the way that they worked is they would append themselves to programs. This is not exactly a boot sector virus, but a lot of them did this. You would have your boot sector viruses, and you would have viruses that would append themselves to programs, and when you run the program you actually run the virus, because these viruses would maybe append themselves to the end of the program, but they would write a jump at the beginning of the program to the virus code, and then it would jump back to the beginning of the program. Sorry, I'm just trying to make sure I'm on track, and I am not. And also they used what was called interrupts. So in these old operating systems, interrupts were the way that you would... it's kind of like system calls in Windows. All of these things are kind of reminiscent of what we see in malware today. In some ways, appending your malware code to a program is not that different from, you know, emptying a program and putting your shellcode in and having it run. Calling on interrupts is not that different from using system calls, and so on. But those were the days and those were the ways that people used it.

But we know that from the mid-80s or so, or I told you, and you have to believe me because I'm on the podium here, that from the mid-80s or so we start to see things change, and we start to see malware becoming more and more destructive, and it's really hard to pinpoint why and how and when it happened. But from that point on, you start to see these big stories in the news about malware, like, oh my god, this infection. You start to see stories about computer viruses. One thing I love about malware in the 80s is just how imaginative these names are. "Viruses" is sort of a metaphor. It evokes a lot of things. It's not an "information stealer." Today we deal with a lot of information stealers. An information stealer does what it does. But a worm, that's cool. That's also, by the way, taken from a book; the name "computer worm" is taken from a book, can't remember the name, if anybody can recall. But they were very interesting. They were very exciting for people. They still evoked that sense of wonder.

One of the first viruses that had caused this sensation was the Brain virus. That was in 1986. And the Brain virus had two interesting things going for it. The first one is that it had infected a news organization, the Providence Journal. I don't remember how many computers, but a large number of computers in the Providence Journal, which was a newspaper, were infected with this Brain virus. The second thing that was interesting about the Brain virus is it was written in Pakistan, and nobody knew how a virus from Pakistan made its way to Providence. Nobody knew how this could happen, and not just Providence but a lot of other computers all over the United States. We know it's from Pakistan because the people who wrote the virus put their address in the code. This is another interesting story to check out. So look for the Brain virus; it's another very interesting one. So you have this huge story, the Brain virus comes up in the news. People don't really know what to make of it. But over time you start to see more and more stories in the news about these viruses. You also see books like this German book over there, "Computer V...". It's a book about writing viruses, teaching people how to write viruses. This was written, I think, in 1987 or so. So you start to have this information coming out. You start to see this sense of wonder, and we go from whimsical experimentation to really malicious, nasty stuff.

For example, the Maltese Casino, or Casino '91. This was a virus that basically had you gamble with your computer. I think it would steal your file allocation table. Without that, it's very difficult for you to know where your files were. And then it made you play a game; you basically played a slot machine, and if you won, it would restore your file allocation table and everything is good. If you didn't win, you'd lose everything. Terrible. That was the Maltese Casino. And you have all these names for these viruses: the Italian virus, which was researched in Bulgaria, and the Jerusalem virus. All of these things created, again, this sense of wonder. For example, the Jerusalem virus, 1987. I think the virus was supposed to delete all your files, and it did that at a specific point in time. So it was supposed to operate every Friday the 13th from 1988 onwards, right? And why? Because maybe if you wrote it in 1987, you want to give it a year's head start to spread, and then bam, one day everything goes out. And the problem is people would discover these viruses before the activation point, and then there would be just this huge panic. Oh my god, what are we going to do? Everybody's computers are going to be deleted on Friday the 13th, 1988. And every single time it would be kind of like a Y2K scare, every few years. And those were
the more destructive viruses. One of them that I really like talking about is the One Half virus. By the way, you mentioned Michelangelo. I think Michelangelo was the same thing. It had this point in time when it was supposed to execute. It's a huge...
>> Yeah. Okay. There you go. March 6th. And then just panic, you know. Imagine the news stories. Actually, you could go and find these news stories, and you see these newscasters who were completely out of their depth, with big shoulder pads, just talking about computer doctors and computer viruses and computer vaccines, and they just had no idea how to... And then on the other side you have these computer people who were doing their best to explain it. You can still find those on YouTube, and they're very fun to watch.

This virus I wanted to talk to you about, the One Half virus, is a really interesting one. One Half, first of all, technically was very interesting, and the concept of it was super cool, but it was pretty destructive. It would slowly encrypt your hard drive. It would do one sector every time you reboot, or every time you would start a program, one sector would get encrypted. But if you start having encrypted sectors of your drive, very shortly after you try to start something that's partly encrypted, you would get an error. So what it would do is catch that. It would decrypt the sector, whatever you're trying to access, and then you would get the file. You wouldn't know that there was a virus that's slowly encrypting your computer until finally you would get a message that says, "This is One Half." And when that happens, presumably one half of your hard drive is encrypted. Why is that a problem? Because the only thing that's decrypting these files is the virus that's sitting on your machine. And so you now have a choice. If you remove the virus, you're left with a half-encrypted drive. If you don't remove the virus, you have some sort of symbiotic relationship with a virus.

It was also pretty clever. There were a lot of interesting things. For example, I told you viruses would append themselves to programs. This one did it a little bit differently. This was 1994. It would look for empty sectors in a program, and then it would split itself up and put instructions in them and then just jump from one instruction to the next, thereby creating some sort of polymorphism, metamorphism. It sort of changes. It would also look for antivirus programs. Back in the early 90s, I think, is when you start to see antivirus programs. It would look for antivirus programs and it would avoid them, just like modern malware today looks for antivirus programs. Also, the whole way that it would encrypt and decrypt itself was very clever. Those were the viruses.

Now we're back, touching a little bit on these Trojans and worms. As I said, the first Trojan was 1989. We had the first worm, the Morris worm, in 1988, another very famous story, another story that caused a lot of this, you know, shoulder pads, news anchors talking to people, completely out of their depth. I won't get too deep into the Morris worm because I'm already like 10 minutes late. But the Morris worm was another infection; it was the first worm. It was on the ARPANET, which was a precursor to the internet. It managed to infect 6,000 machines, which was 10% of all the machines connected to the ARPANET back then. It was a combination of exploiting vulnerabilities and also guessing weak passwords, you know, and of course after that everybody learned their lessons, and we never had any weak passwords ever again. Option A: did we panic and then learn our lessons, or B: did we panic and then did
nothing? Option B. But we'll talk about worms and Trojans later on, because now we are entering the golden age, the 90s. The 90s are a period that's interesting for several reasons. First, on the pop culture landscape, things have changed. People understand sort of what a hacker is. John Hammond, I think, made this point in his keynote, right? He was like, "Oh, I wanted to be a hacker." People start to understand it. It's still in movies, and, you know, it's a lot of clickity clack, "I'm in the mainframe" kind of nonsense, Swordfish, all these sorts of movies. But people start to get an idea of what it is.

The second thing, on the technology front, is we have a few innovations. One is the commercial internet. This is 1995, I think, around that time: the commercial internet, and people are able to network from their homes. They're able to get onto the internet. The second thing is Windows 95. When Windows 95 came out, Microsoft said viruses will not be effective anymore, and that is what happened, and that's the end of my talk. No. I think they thought maybe DOS viruses wouldn't work, which was partially true, but Microsoft being Microsoft, they opened the Pandora's box for a lot of other things that were able to become viruses. And as we all know, Windows is like a block of Swiss cheese that's laid on top of a house of cards.

And we have Office 95, and Office 95 also brought with it this wonderful thing called macros. And macros, I think somebody thought, wow, this would be super useful. People can automate things, and you can write commands that operate at the same time you operate your file, and you can automate and write whatever. And there's still a lot of stuff like that, like... yeah, I won't give any examples. I'm already late. But Office 95 and macros hit the scene, and macros, does that ring a bell? Because macros to this day are used in cyber security attacks and in phishing emails. Next time you research or you look at some user in your network that was infected by a Word document with a macro on it, just know that you're looking at something prehistoric, a shark, some kind of alligator that has evolved but hasn't changed much from the early days.

And the first macro virus, the first proof of concept for a macro virus, came out about a month after Office 95 came out. It was called Concept. It was literally a proof of concept. All that it did was pop up this alert with a "1" and an OK, and it spread rather quickly. Interestingly enough, it spread rather quickly. In the first month when it came out, it was the fourth most common malware. This is in 1995. Again, this is Virus Bulletin, by the way. Virus Bulletin today is this big conference; back then it was an actual bulletin with viruses, and I think it's self-reporting. So you could see how many incidents are happening. So Concept was first number four. The month after that it was the second most common virus. The month after that it was the first most common virus, and then again the first most common virus, and then three years later every virus is a macro virus. So macros became sort of the dominant form of virus. It just gave you a lot more power. And as we said earlier, DOS viruses kind of went out of style. Windows kind of helped, in some ways; people weren't using DOS anymore. So you have this rise of macros, and of course this was a concept, a proof of concept, and as we know from earlier examples, we immediately learned our lesson and macro viruses never ever bothered us again. No. Of course, now
here's here's here's the interesting thing. We see this sort of similar trend when we talked about uh MS DOSS viruses. We saw I kind of made this this distinction between sort of the first were experimental then they got a little bit whimsical fun you know they were doing these fun things then at some point they got really malicious. Here we see this very similar pattern. We start experimental. This is another uh um macro virus that I think was really really interesting and fun. It's called the outlaw virus by nightmare joker. What a what a lovely name. Um this virus was interesting for a few reasons. Uh the first one is it would obfuscate itself. So it would obfuscate
it. It was a macro virus. You would open a document. It would install it would basically run the macro. It would also cop copy the macros to the global macros which means that every time you start a new uh uh document, it would you know the global macros will then apply to the the document that you open. if if if I'm understanding this correctly. This is ancient history for me as well. Um and it would it would uh obuscate the the names. It would randomize the names of the uh uh macros because back then the best way that people figured how they could stop macro viruses but was by catching the name of the macro by doing
uh obfuscation by doing random macro names it would evade that. Uh the other thing that it did that I thought was really interesting is it would actually drop a file. it would generate a file. Uh it would create a sound file and let me let me just explain to you what what happens to you if you if you have this virus on your computer. This virus on January 20th, uh if you are unlucky enough to use your computer on January 20th and you are unlucky enough to press the key, the E key, which is a very common common letter, it would run. It would take over the screen. It would say you are infected with the outlaw virus. And then
the file that it drops, the sound file is a sound of of laugh, a laugh track, and your computer would start laughing at you, which is so creepy. It's so so bizarre. Um, but that's how it would work. Um, so we have the these whimsical things, but we're not going to be whimsical for much longer, friends. We're going destructive. Um, and remember the worms that we talked about? Uh, remember the Morris worm? What a what a wonderful time. 60,000 machines on the Arponet. 6,000 of them were infected. In 1999 when Melissa viruses sort of comes on the scene. You have 250 million devices on the internet all sort of tangentially connected, potentially connected. And in this environment, you
start to see macro viruses that also worm. And you see the worm coming back to this conversation. The most famous one, or one of the more famous ones, is the Melissa virus. The Melissa virus was a macro virus. Same story. You ran a document and then one of the commands that it would run, it would look through your list of contacts and it would send itself to 50 other contacts, just 50 contacts, and the user still had to open the document. This was so effective in spreading that, I don't know how long after it started spreading, but
eventually we got to a point where 300 companies in the United States had to shut down. IBM, Microsoft all had to shut down their email servers, everything, just so they could fix this. This was another one of these huge infections that were talked about in the news, and a minimal amount of lessons learned. Well, that was the Melissa virus. Imagine being Microsoft back then. You sort of have to shut down your company because of the macros that you created, the beast that you unleashed on the world. Well, I shouldn't be so negative, right? I mean, there's good intentions, and there's always people with bad intentions looking to abuse. A year
later, we have the ILOVEYOU virus. It was a very similar virus, only this one would do a lot of different things. It would delete your files. It would cause damage, and that was also causing huge problems. They eventually did catch the guy who wrote the Melissa virus. Again, this was a huge story. But this was a huge development: the ability of viruses to worm, to spread themselves, was a huge capability, and we're going to see how this is leveraged as we move ourselves to the 2000s. And in the 2000s, the thing that I feel like is the big development is we are now more connected
than ever. I think in the 2000s we really started to use the potential of the internet to connect, and you start to see file sharing and you start to see IRC, which is a chatting program, which is also very important for viruses and malware. You start to see messengers like AIM. IRC is particularly important because it eventually becomes a sort of control hub for controlling malware, and we'll talk about that in a second. So we talked a little bit about Trojans. Now Trojans are making their great comeback. Around this time, around the 2000s, the thing that becomes apparent, well, first we start to see macro viruses
decline. We start to see Trojans rise. The ability to share files with people all over the world is, as we know, a risky business. You're downloading your favorite Britney Spears album, as people did in the 2000s. And does anybody know who Britney Spears is? [laughter] Okay, we'll talk about that later. Come after the show, we'll talk about Britney Spears. It's like Sabrina Carpenter of the time. I don't know who Sabrina Carpenter is, so we're on the same terms. So you would download something that you thought was one thing. It ended up being another thing. Maybe you were cracking a computer game
that you own and, you know, maybe it would also crack the computer game, but at the same time it would install something else. These things, you would either compile a macro virus, so it didn't run as a macro anymore but it would run as an executable, or you would do something like this. These are the first RATs, remote access Trojans or remote administration tools. That abbreviation refers to both. We now use RAT as remote access Trojan primarily in the security business, and you start to see these things come up. This is partly because we're just so connected, also because administrators in
companies now had a lot of computers connected. You needed a central way to manage them. You needed something that could be deployed so that you could manage computers that you don't directly have access to. But people always find a way to take this concept and make it into something else. Here we also have, interestingly, experimentation, whimsical. This first one over here is NetBus. It was written by a Swedish person. Bus in Swedish is mischief, I believe. So net mischief. And it really was this mischievous program. There was a victim and there was an attacker. The victim was a server and the attacker was a client. And the
attacker had some control over the victim machine. So if you got someone to install this on their machine, you could open their CD-ROM when they least expect it, or play a fart sound. High five. This was a lot of fun. But in the same year, you have Back Orifice, developed by the Cult of the Dead Cow, which is a famous group of hackers. And Back Orifice was a lot less fun, a lot less funny, let's say. You could delete files, you could move files, you could do a lot of things. Eventually we have Sub7. Does anybody here know Sub7, script
kiddie mecca? Sub7 had a lot of other developments, and primarily one important thing that Sub7 did is it could communicate back to an IRC server for control. That was a big development, because now you don't need to have this direct client and server. You could control more than one machine from an IRC server. IRC again is sort of a chatting program, or at least I knew it as a chatting program when I was a teenager, but it gave you the ability to control a lot of machines. And again, this was a Trojan that could
do a lot of things: deleting files, moving files, doing all sorts of things, opening your camera. So this was a lot of fun for people. I said script kiddies earlier and, you know, I don't want to deride. Imagine being 15 and having this much power, right? This was for some people a grand adventure, and I know a lot of people who ended up in security because of this. It doesn't justify anything, it's just, I think it's just interesting. But remember these Trojans, because what happens when you combine these two elements, these macro viruses that can spread themselves and then the Trojans which help give you some control over
a machine, which would then communicate back to an IRC server? You start to see the first glances of what botnets would become, and we'll talk a little bit about botnets. But this is what would normally happen in the 2000s, if you look at some of these infections. You have viruses that are either spreading themselves, email, IRC, messengers, whatever they can find and however they can spread themselves, sending themselves to other people, or they're on file sharing or whatever. And these macro viruses, or macro viruses that were compiled, they would run and then they would
actually be able to download modules from the internet. So downloaders go all the way back to the 2000s. They would then put some sort of backdoor on the machine, some sort of remote access Trojan, and that would communicate back to a server. Back then, these things were hard-coded. These addresses that you would communicate back to were hard-coded. So, back then, if you blocked the IP address, the IOC, whatever it is, you killed the malware. But they were spreading so fast, so quickly, that what you'd see here, you would see these things kind of pop up, these macro viruses pop up. They would spread in the millions.
They would go up to 11 million, and then a month later they're gone because it's blocked and it's done. But these were the precursors for what we know as botnets. They would eventually create botnets, and what ended up dominating, or being a large part of the malware scene in the mid 2000s, 2005 and onwards, were botnets. Botnets were sort of putting it all together. You have your spreading, and then you can control a bunch of machines, and when you have a gaggle of computers under your control you can do a lot of things with them, and this actually
gives malware a purpose, because now you can sell things. You could use these computers to do denial of service attacks and you can sell this as a service. You could do spam. A lot of these did spam back in the day. Spam was a business and you'd get paid for it. So it gave it a purpose. This is the beginning of sort of this cyber criminal element. And so you have these botnets popping up. And it was interesting because, again, like I said, when you block the IOC you kill the malware. So how do you get around that as a malware writer? You iterate. You
keep creating new versions of your malware with new addresses, so that when one goes down you can immediately bring in another one and another one and another one. And they were iterating so quickly that the virus writers were actually having conversations with the people who were taking them down, in real time. So this is one of them. This is a malware called Nearbot. And the writer of this malware is having, the gist of this conversation is basically he wants them to call it Ironbot, but they're calling it Nearbot, but he wants them to call it Ironbot. And then he just curses them
and he just tells them how bad they are. But this is really fun, really interesting. By the way, all these things I have links here below. All these things, you can read about them from magazines from that time. You can actually read about people researching these things back then. All right. We're moving now from ancient history to very recent history. So we're kind of speeding things up. 2010s, we see new technologies. I would say primarily we start to see ransomware that uses cryptocurrency. Bitcoin was created in 2008, I think, 2008 or 9, but the first
ransomware that used cryptocurrency was CryptoLocker, in 2012, 2013. So this is a huge change. Before that, if you wanted to get paid, you either had to run it on the black, whatever internet it was, the dark internet, sorry, dark web. Or you had to use gift cards, for example, or you had to use e-currency. There were all these things that would enable you to accept money for, let's say, blackmail or something like that. But these weren't great ways to get paid, because they were traceable and a lot of people would get caught, and it wasn't very healthy for
you to go to prison. So when cryptocurrency came onto the scene, this is a major change; it enabled a lot of things. Also, computers are more connected than ever, and you would get vulnerabilities that would affect millions of people. For example, EternalBlue was a leaked vulnerability that later caused the WannaCry incident in 2017. We see a lot of these types of vulnerabilities. We see a vulnerability pop up every year or so. And so I would say in the decade of 2010 to 2020, what we see mostly rising is ransomware. We see this evolution starting out with these botnets.
These botnets, you have all these computers that you control. Spam is not worth that much anymore. So what do you do? First, banking Trojans. Banking Trojans would steal banking information. Then later on, ransomware was the thing. The first one to do that, I believe, was the Zeus botnet and CryptoLocker, and it would sort of lock your computer up and demand money. Eventually this made its way to enterprises and so on. And most of us, I would say, know the story of ransomware and what it did. I wanted to break this down. I have five minutes. So this is
really simplified. So write your angry emails to BSides NYC, [snorts] huxleybsidesnenyc.com. But I wanted to show sort of this. Now, I really couldn't get to every single thing in the history. I focused primarily on some of the older history. When you look at the 80s, 90s, it's a lot simpler. Once you get past the mid 90s, there's really a lot more to talk about. There's a lot more forms of malware. And when we start to get into all the different kinds of malware, we would be here for another hour, which I would be happy to do, but nobody wants to invite me to do a two-hour talk. So let's
look at this simplified version. We start in the early 80s with these boot sector viruses. These are very simple sort of viruses, or very creative, very interesting viruses, but simple compared to what we see today. At the same time, in the 80s, you see worms, you see Trojans, these sort of come up but not that often; viruses dominate the malware scene. And you see macro viruses as an evolution, and eventually these macro viruses gain worming capabilities and they start to spread themselves. So that's where we see worms kind of come into the picture. Then we see Trojans start to come into the picture through
remote access Trojans. They're back in the picture, and eventually this leads to the creation of botnets, which eventually spread ransomware. And that was the shortest, most concise way I could summarize this. Now, again, your angry emails, send them to Huxley for inviting me to talk. But let's think: what can we learn from this history? There's some patterns that I talked about already. What can we learn? What is the dominant technology of this? If I had to write this in 2040, or one of you writes this talk in 2040, what would you look at? The 2020s, what were they like? And AI seems to be
a big deal. I don't know if you saw, every vendor is an AI vendor. And actually, every vendor was an AI vendor also before AI was. [laughter] So, go figure. But now I think it's for real. So you have all sorts of things now that could autonomously do these sorts of things. Like I just saw Burp. Burp is like a, I don't know how to define Burp, but it also has an AI function. So you could pentest web applications and websites with AI. I don't know how well it works, but this is kind of
going somewhere. So this could be the future. And it's kind of a nice way to round it all up, because when we started, we talked about this wonder: could there be these programs fighting each other in the web, in this space, the cyber space. And maybe one day we will see these autonomous intelligent programs sort of battling it out. Who knows? I would be interested to see. Let's meet again in 2040 and see what happened. My name is Eliad Kimhy. I'm a security researcher at Acronis, producer of a
podcast, ex-producer of a podcast, Malicious Life, about the history of cyber security. And if you like security research, check out the Acronis TRU threat research. Just acronis.com/tru. We write about everything, all sorts of threats, nation state threats. Yeah, that's my pitch. That's it. Thank you so much. [applause] Thank you very much. >> Sure. If it's not too difficult. Yeah. What do you got? >> Yeah.
A lot of
>> you know. Yeah. I think first of all that's true. So you're, should I, do I need to repeat it? I'll repeat it. You're saying, is there a question by the way? >> Yeah.
>> Okay. >> Yeah. So the point was made that a lot of the most insecure systems came out of the '90s, like Flash, Windows, Office, etc. And why? Because it all started in the 80s. Why weren't people more security conscious in the 90s? You're asking me for an opinion? I'll give you an opinion. I don't know the answer to that. This wasn't something I was able to cover. But look, the reality is, I'll tell you a secret. Even today, people are writing software that's insecure. So that's one thing. The other thing is there wasn't such an awareness of security in the 90s. And
that's exactly the point. Lessons weren't learned and I think >> systems were closed. Yeah.
Yeah, >> thank you. So the point made, the systems were closed. You had to be connected. Yeah. >> Yeah. >> I don't, yeah, I think, and to that point, I don't think we anticipated, this is my opinion, I don't think we anticipated just exactly how this technology would evolve, and there's a lot of things, there's just good intentions, right? Like I was researching FileFix. ClickFix is a phishing technique; FileFix is a more advanced technique, and it turns out that the way it operates, if you put a command in the address bar of Explorer, just the address where it
says C: whatever user, you can run commands from there. And that's, what a great, somebody thought what a cool feature to put in Windows: I can type cmd and I can open a command prompt exactly at the directory that I'm in. Great. And then you devise an attack that abuses that to write PowerShell commands. And so I think there was a lot of good intentions and there was just a lack of foresight, and even today we run into problems. Even 10 years ago, when WannaCry came out in 2017, we were having a hard time explaining to people that they need to patch. And so
it is what it is. Sorry, I probably can't answer the question better than that. And people are starting to, thank you so much. [applause]
>> Yeah.