Continuing his talk at Defcon 19, F-Secure’s CRO Mikko Hypponen analyzes the shift that took place in the computer virus world around 2003. In this part, he focuses on the moneymaking techniques implemented through keyloggers, spam-generating viruses, bots and rootkits.
But something even more important was about to happen: in 2003, a virus called ‘Fizzer’ appeared, which I claim nobody here remembers, and which I also claim is one of the most important viruses in history.
Because ‘Fizzer’ was the first virus for which we could conclusively prove that, from the very beginning, this virus was written for one motive only, and that motive was money.
So, before 2003 everything we saw was written for fun, for challenge, for laughs, for kicks, right? Nobody tried to make money with viruses until ‘Fizzer’. And the way ‘Fizzer’ tried to make money is by sending spam. So, it would infect computers, build a proxy network out of them, so you could reroute proxy or email traffic through them, and that service was then sold to spammers.
And this is something we still see today: spam, email spam still exists, and it’s still being sent through infected home computers, and obviously there’s money to be made out of this.
Very quickly, many of the hobbyist virus writers of that time realized that they could actually use their skills to make money by cooperating with spammers, by starting to steal passwords with keyloggers¹, starting to steal credit card details when people were doing online purchases from infected computers and typing in their usernames and passwords.
And very quickly we also started seeing a shift, a geographical shift, in where viruses were coming from. In the good old days, before viruses turned into money-making machines, they were mostly done in developed western nations, like Europe, USA, Canada, Japan, Australia. (Upper image to the right).
Today the biggest hotspots are Russia, Ukraine, Kazakhstan, Romania, Moldova, China obviously, and South America, especially Brazil, which is the biggest source of banking trojans which steal money during online banking (See bottom world map image).
And the virus writers themselves changed. We had completely new kinds of online criminals getting onto the Internet and doing this. Here are examples of caught virus writers of the 1990s, including in the top middle Mr. Chen Ing Hau, who wrote the ‘CIH’, aka the ‘Chernobyl’ virus.
In the lower section of the image, there are some caught virus writers after 2003. Do you see any difference? So, they became much more organized, much more professional. The guy at the bottom middle, Mr. Tariq Al-Daour, was actually using keyloggers to steal credit card numbers, and they were then laundering money from those credit card numbers by putting them into online poker games, and losing money on purpose from the credit card numbers to accounts that they controlled, and then they would move it back to the real world. What they did is they laundered close to 2 million Euros. And that money was then used to purchase gear – gear like hiking boots, tents, sleeping bags, knives, GPS navigators, plane tickets. And all this was shipped to Iraq, to the insurgents fighting over there. So what we have here, for example, is a link between online crime – viruses, trojans, backdoors – and funding the insurgents in Iraq.
2003 – Sobig
2003 – Witty
2003 – SDBot
2004 – Mydoom
2004 – Netsky
2005 – Mytob
And then, open source bots, like ‘SDBot’, whose source code is actually licensed under the GNU² public license, and we’ve seen tens of thousands of variants of this throughout the years; we probably still see versions of ‘SDBot’ being made today, like 8 years later.
Another typical problem at that time was botnets creating bots. So you have a number of infected machines, and they could all be controlled centrally, creating a botnet which could be used not just to send spam but also do banking trojan attacks and credit card theft, and stuff like that.
And then we got ‘Sony’. Now, ‘Sony’ gets a lot of fame. And they get it for a good reason. They’ve been doing bad stuff for a number of years. I think it pretty much really started with the rootkit that they were shipping on ‘Van Zant’, ‘Switchfoot’ and ‘Celine Dion’ music CDs.
So if you would buy a ‘Celine Dion’ music CD and listen to it on your CD player – no problem. But if you put it inside your computer, it would autorun an installer which would install DRM³ code on your system. No questions asked, no prompting, nothing – it just installs a DRM system. And then it installs a rootkit, a Windows rootkit which hides the DRM. And in fact, it doesn’t just hide the DRM. It hides any file or any folder which starts with specific characters. Basically, a ‘$_$’, I believe, or something like that.
Which means, yes, it could hide the DRM, but it could also hide anything else, and viruses very quickly started naming their binaries with ‘$_$’, because if a computer which had been used to listen to ‘Celine Dion’ got infected, ‘Sony’ would now hide the virus. And it would hide it so well that pretty much none of the antivirus programs at that time could scan the files anymore – they’re just gone. And of course some would claim that if you listen to ‘Celine Dion’ you deserve to get infected, but I’m not saying that.
But there were interesting comments coming out of ‘Sony’ at that time. Especially, the person named Thomas Hesse, President for ‘Sony BMG’ International. He made a quote which was so cool that we actually printed T-shirts out of it: ‘Most people don’t even know what a rootkit is, so why should they care about it?’
And that’s a great quote, I mean, it says ‘you don’t know what it is’. I mean, most people don’t even know what brain damage is, so why should they care about it?
Then we started seeing more and more rootkits. Not just from ‘Sony’ but from traditional virus writing gangs who wanted to hide their malicious code better. ‘Haxdoor’ basically was a kit which you could use to hide any other binary or processes, or registry keys, or open ports.
2006 – Warezov
2007 – Storm Worm
2008 – Mebroot
And then we had ‘Mebroot’. ‘Mebroot’, which for a number of years probably remained the most advanced malware we’ve ever seen. Now we have two contenders for the same title. But ‘Mebroot’, when we first found it, was all related to this. Do you know Monica Bellucci? She plays the part of Persephone in the ‘Matrix’ movie. This is the website of Monica Bellucci, MonicaBellucci.it (see the website screenshot), in Italy; she is Italian. And this was one of the first, if not the very first, website that we saw being used to spread ‘Mebroot’. So, we entered the days of drive-by downloads. You would get infected by just browsing the web.
It was one of the first cases where we saw it happening. And what ‘Mebroot’ actually did is that it installed itself to the master boot record of the infected computer, which is pretty much exactly what ‘Brain’ did. Except when ‘Brain’ was in the wild we didn’t have hard drives, so it went to the boot sector of the floppy. This actually goes to the boot sector of your hard drive, the first master boot record.
And that’s pretty hard to do under Windows, but they did it. And even more remarkably – I think it’s a good example of how advanced these viruses started to become – obviously when you’re running below Windows (it boots before Windows boots), you run the risk of crashing Windows, but it almost never did. It was very well tested. And if it did, I mean, if something went wrong, then you actually ended up with a Windows blue screen. Now, obviously Windows has crashed, Windows is no longer running, but ‘Mebroot’ was still running. And in this case, ‘Mebroot’ would make a diagnostic dump of the crashed computer and send it back to the virus writers over the Internet, so they could debug and figure out why it crashed: remote quality assurance for malware, right?
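The ‘Mebroot’ passage above describes malware that overwrites the master boot record so it runs before Windows. The defensive counterpart is to baseline the MBR at install time and periodically compare it. The following is an added example written for this page, not code from the talk or from F-Secure: it parses a classic 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap region and reports whether it still matches a recorded baseline. The sample sector bytes and the baseline hash are constructed here for the demonstration; on a real machine the sector would come from the raw disk device (e.g. `\\.\PhysicalDrive0` on Windows, read with administrator rights) and the baseline hash from the day the system was built.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code area of a classic MBR
PARTITION_TABLE_OFF = 446  # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510        # two-byte boot signature, 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into signature flag, bootstrap hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        entry = sector[off:off + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "valid_signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes, one NTFS partition, valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("bootstrap code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # One entry: bootable flag, CHS fields left zero, type 0x07, LBA start 2048, 1,000,000 sectors
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + table + b"\x55\xaa"


# Constructed baseline: a few placeholder bootstrap bytes, not a real boot loader.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(BASELINE_MBR)["boot_code_sha256"]

# Constructed tampered copy: first bootstrap byte replaced, partition table untouched,
# which is the shape of a bootkit-style modification (code changes, disk layout does not).
_tampered = bytearray(BASELINE_MBR)
_tampered[0] = 0xEB
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("baseline:", check_mbr(BASELINE_MBR, BASELINE_HASH) or "clean")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH) or "clean")
```

The check deliberately hashes only the bootstrap region: the partition table legitimately changes when disks are repartitioned, while the boot code on a given installation should not change outside of a controlled OS or boot-loader update, so a mismatch there is worth an alert on its own.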
1 – A keylogger is malicious software that tracks (or logs) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
2 – GNU (recursive acronym for ‘GNU’s Not Unix’) is a Unix-like computer operating system developed by the GNU project, ultimately aiming to be a ‘complete Unix-compatible software system’ composed wholly of free software.
3 – DRM (digital rights management) is a class of access control technologies that are used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices after sale.