Presentation on theme: "Greetings from Finland F-Secure Corp We used to be fighting these... Chen-Ing Hau Author of the CIH virus Joseph McElroy Hacked the Fermi lab network."— Presentation transcript:
Case Sobig / 2003 Series of email worms released roughly a month apart
Variant    Found          Expires
____________________________________________
Sobig.A    January 9th    Never
Sobig.B    May 18th       May 31st
Sobig.C    May 31st       June 8th
Sobig.D    June 18th      July 2nd
Sobig.E    June 25th      July 14th
Sobig.F    August 19th    Sept 10th
____________________________________________
Case Sobig All variants were connected to spamming All downloaded and installed an email proxy Some of the variants were very successful One variant was the biggest email outbreak ever
Direct spam [Diagram: Cheap Viagra, loans and Rolexes Inc. (Spammer) and the recipients Ed, Bob, Lisa, Jack and Mary, each labelled "?#%$!?"]
Spam through Proxy [Diagram: Cheap Viagra, loans and Rolexes Inc. (Spammer), Peter (Proxy) and the recipients Ed, Bob, Lisa, Jack and Mary, with five "?#%$!?" labels]
Risk & Reward Few weeks after Sobig.F outbreak, Microsoft started the bounty program $250,000 offered for information leading to the arrest of the author Sobig Manhunt started With no results And nothing happened...
Then, in October 2004... Somebody sent us a report Which was made by an anonymous party Called "WhoWroteSobig.pdf"
About WhoWroteSobig.pdf - Written by anonymous source - Verifiable by a PGP signature - Uses technical analysis to prove the author of the worm - 48 pages
Main arguments Claims that Sobig was written by a Mr. Ruslan Ibragimov / Send-Safe team from Russia Send-Safe uses proxies – created by Sobig Release times of Sobig match release times of Send-Safe The code of Send-Safe and Sobig are similar
Comparing Sobig and Send-Safe visually [Figure panels: Coreflood, Sobig.E, Sobig.F, Send-Safe v2.19]
Case Cabir First real mobile phone virus Found in June 2004 Proof-of-concept By 29A Spreads via Bluetooth Kinda like the flu
Cabir is spreading in the wild. Cabir was found in June It was thought not to be in the wild In August, we got unconfirmed reports from Philippines Last month, we got first confirmed reports from Singapore New Reports also from: UAE China India Finland!
Case Skulls New trojan for Symbian Found last week Kills your apps Very hard to get rid of
Nokia 6670 and 7710 First phones in history to contain antivirus by default