March 1, 2013

Back from the dead: the original virus writers.

Hi all!

A great many computer security events occur around the world all the time, but the RSA Conference is one of the most important of all of them. What exactly it’s all about here I’ll not go into; instead I’ll just share with you some pics from the gig. The photos were taken the day before it started while the stands were still being set up, so though all the installations aren’t ready, at least you can see the near-completed scene without throngs of visitors getting in the way…

RSA Conference 2013Stylish stands

RSA Conference 2013Gaudy stands

RSA Conference 2013Stand mash-up

RSA Conference 2013…and center stage…:)

RSA Conference 2013Red means “stop!”

RSA Conference 2013Green means “go!” That’s why we’re green. Unlike the amber gamblers :)

RSA Conference 2013All that trash – and the conf hasn’t begun yet. Agh – modern day packaging…

RSA Conference 2013Jeez! Who be it? Korea’s AL! Now that was a surprise. Blue. Eh?

RSA Conference 2013Enter the public (defense) sector big guns

RSA Conference 2013More red

RSA Conference 2013Just don’t mention “unique passwords”

RSA Conference 2013Green scene

RSA Conference 2013“Who are we”?

When all was set up, it was up to the plate for my speech:

RSA Conference 2013

Not long after that my path crossed that of several big-cheese gurus of both the antivirus industry and security journalism. Here are Mikko Hypponen, Jimmy Kyo, and moi:

RSA Conference 2013

And here’s one taken later on in the bar with the man himself, Brian Krebs:

RSA Conference 2013

All in all – great conf/exhib. But it was reports that originated thousands of miles from sunny San Fran that got me all excited most of all (not to mention concerned). My mind was totally blown by news of the appearance of a new Trojan – MiniDuke. I was in shock! Why? Read on…

These days I don’t normally look at code of new Trojan-extortioner-spy-whatever else’s. Alas, that hasn’t been my job for many years now (also, where would I even begin today – given that our virus analysis lab filters a wholly humungous stream of all sorts of Internet rubbish?). This time, however, an exception was made – and you’ll see why (clue: “old school”). Thus, I was thrown a bone – a piece of a disassembler, “just to have a look” (yeah, right). So I looked. And I was bowled over!

The last time I saw code like this was ~10 years ago. But this Trojan spy is not just written in the style of the old school. Something tells me it’s actually been created by the old schoolers themselves. Some of you may remember that back in the day there was a group of virus writers called 29A. Well, MiniDuke looks pretty much like their coding style! Interestingly, this was a virus writer group – not a cybercrime group (these chaps hail from an era before the dawn of cybercrime!).

So what does it mean? Well, actually… I’ll be damned if I know! All I know is that suddenly something resembling bad-old virus innovators – 29A-style – appear to have decided to return to the scene. Were they offered tasty contracts? Made offers they couldn’t refuse? I’m with Manuel on this one, but what I do know is that this is very bad news. If these kids – nope, add a decade – if these experienced old hands have decided to return to the arena of malware coding for Tinker-Tailor-Soldier-Spy objectives – this is reeaal bad news. Why? Simply put – they know their stuff.

Coders from back then (including the 29A gang) were the initiators of practically all present-day virus technologies. They came up with email worms (1999), flash-worms (2003), viruses for smartphones (2004), and a lot more besides. Then, for almost a decade, their presence all but disappeared, nowhere to be seen or heard – not a squeak. Until a few days ago…

So yep, what we’ve got here is (thought-to-be) long-dead virus-writing techniques rising from the grave to cause trouble – a unit of live undead, a jam of resurrection Joes, a return of the living dead… you get the macabre picture.

Must dash…

Later!

Enter your email address to subscribe to this blog and receive notifications of new posts by email
(Required)

READ COMMENTS 4
Comments 1 Leave a note

    Geoff Nicoletti

    You need to focus on Stuxnet-like payloads…the old timers building payloads….you are talking about air craft carriers and I am talking nuclear weapons: the physical destruction, not digital, of systems from a distance…resonating till destruction…fans switched off…registers hammered…tracks of HDDS acting as if there is only one track. I’m talking the chaos of replacing devices; you’re talking being down for an hour. You just don’t get it.

    2
    Reply to conversation
Trackbacks 3

Jak przerażający może być “oldskulowy” programista? | Kaspersky B2C Poland

Read track

Researchers dismiss Mask research, say it relies on historical technology

Read track

10 years since the first smartphone malware – to the day. | TechWorldBD

Read track
Leave a note
Facebook

November 2, 2024

Another country (Indonesia) – another volcano (Ijen).

Just like in Kamchatka, in Indonesia (where last week we had our super-successful Security Analyst Summit), there are a great many really cool hot volcanoes! I should know, since I’ve checked some of them out a few times – in 2018 around New Year, and last year after a press event (when we scaled Mount […]

October 30, 2024

Kamchatka-2024 – Part 4: Could this be the world’s remotest hotel?

At the foot of Kizimen volcano in Kamchatka – literally in the middle of nowhere, with no roads or settlements for 70 kilometers – today there happens to be… a five-star tourism base (here)! -> What? The lap of luxury – out here?! Pretty much. For there’s hot springs, a marvelous view of Kizimen, digital […]

October 28, 2024

SAS-2024 – truly cosmic (and world-record breaking!)

Hai folks! The official part of our SAS-2024 conference: done. Now – the fun part: our esteemed delegates, respected speakers, honorable guests (and I!) continue to enjoy this picture-perfect corner of the island of Bali while they come to their senses – still digesting the mega-doses of first-class cybersecurity content they’ve just received… As to my […]

October 24, 2024

Kamchatka-2024 – Part 3: Getting volcanic kicks – viewing both the Tolbachiks!

Hi folks, After the brief Chinese interlude (the three intro-posts to our China-2024 trip), it’s time to move (figuratively) directly northeast back to… Kamchatka! Without a doubt, one of the jewels in the crown of the Klyuchevsky group of volcanoes is Tolbachik. We’d already marveled at the northern volcanic trio (Klyuchevskaya Sopka, Kamen and Bezymianny) […]

October 23, 2024

ASTONISHING CHINA – HORS D’OEUVRES, PT. 3.

Though these tales and pics from the Chinese side are only just warming up to get going – in the meantime we’ve gone and completed our China-2024 trip! Cheeky spoiler: this year’s China-in-the-fall trip was especially full-to-the-brim with active tourisms: Over two weeks a full 23 (!) natural and historical objects were visited, strolled, prodded, […]

October 22, 2024

SAS-2024 – what you waiting for?!

Hi folks – from Indonesia, where we’re holding our yearly international cybersecurity conference SAS – the Security Analyst Summit. Dozens of cybersecurity events take place around the world every year, but ours has its own special format – its own special work-hard-play-hard ethic, and it’s always by the sea in a tropical clime. It attracts […]

More

Travel Vlog

You might also like…