1
00:00:02,930 --> 00:00:08,470
If anyone still wasn't convinced whether or not to install the program, he or she could visit the program's

2
00:00:08,470 --> 00:00:11,010
website, which looked very professional.

3
00:00:13,600 --> 00:00:19,480
As you can see in the slide, the website provided information about previous versions of the program and

4
00:00:19,480 --> 00:00:24,750
new viruses it managed to discover. When the program was installed,

5
00:00:24,750 --> 00:00:26,640
it was only the beginning of the troubles.

6
00:00:32,130 --> 00:00:33,030
Up to this moment,

7
00:00:33,030 --> 00:00:37,990
the attackers managed to convince the victim to install the program on his or her computer.

8
00:00:39,040 --> 00:00:46,890
The program uninstalled the victim's anti-virus software. This alone was already a success for the attackers.

9
00:00:47,130 --> 00:00:51,560
But in this situation, they were after money.

10
00:00:51,630 --> 00:00:58,160
The goal of the second phase of the attack was to convince the user to register the program.

11
00:00:58,200 --> 00:01:05,910
It's harder to convince the user to do that than to convince him or her to merely install the software.

12
00:01:05,960 --> 00:01:13,170
We are all still easily tricked into opening every program downloaded from the internet.

13
00:01:13,190 --> 00:01:17,050
If you don't have to register it or pay for it, it won't be a problem.

14
00:01:18,760 --> 00:01:23,440
This is, of course, wrong, but such an attitude persists.

15
00:01:23,490 --> 00:01:30,510
So it took some effort to make the user pay for the program. An alien program installed on a user's

16
00:01:30,510 --> 00:01:35,270
computer can basically allow the attacker to remotely control its operating system.

17
00:01:37,290 --> 00:01:42,330
XP Antivirus was programmed to start on system startup and to always find lots of viruses.

18
00:01:47,480 --> 00:01:55,550
Through an Internet Explorer plug-in, the program monitored the user's Internet activities. On random

19
00:01:55,550 --> 00:02:02,140
websites, XP Antivirus regularly warned users that someone may be checking their data.

20
00:02:02,190 --> 00:02:07,410
Clicking on a green button that promised solving the problem redirected the user to the program's registration

21
00:02:07,530 --> 00:02:10,580
website.

22
00:02:10,580 --> 00:02:13,960
There is a screensaver that imitates the Windows blue screen error.

23
00:02:14,930 --> 00:02:18,750
It's also called Stop Error.

24
00:02:18,850 --> 00:02:22,780
It was created by Mark Russinovich, who's a security expert at Microsoft.

25
00:02:26,500 --> 00:02:32,290
Security companies that examined XP Antivirus have found Russinovich's surname because the program used

26
00:02:32,290 --> 00:02:35,390
his screensaver.

27
00:02:35,460 --> 00:02:39,660
If you left your computer on for a while, you would return to find an error screen.

28
00:02:41,210 --> 00:02:46,400
In reality, it was the screensaver, but it gave the impression that the computer was infected by viruses.

29
00:02:48,810 --> 00:02:51,440
To hide the fact that it was only a screensaver,

30
00:02:51,510 --> 00:03:02,870
the program hid the screen saver card from the control panel and from the display settings.

31
00:03:02,950 --> 00:03:08,190
Moreover, the program constantly displayed warnings telling the user that the computer was still at risk.

32
00:03:09,350 --> 00:03:12,110
These warnings were also displayed on the system taskbar.

33
00:03:17,580 --> 00:03:18,370
In the slide above,

34
00:03:18,480 --> 00:03:25,400
you can see two versions of Windows XP Security Center. The one on the left is real.

35
00:03:25,440 --> 00:03:32,550
The one on the right is fabricated by XP Antivirus. The program created shortcuts to the fake Security

36
00:03:32,550 --> 00:03:40,200
Center in the Control Panel and the Start menu. The most visible difference between the windows is that

37
00:03:40,200 --> 00:03:47,060
there is only one button on the bar instead of three. Looking closer, we can see that the main difference

38
00:03:47,060 --> 00:03:48,230
concerns the section

39
00:03:48,230 --> 00:03:50,730
Virus Protection.

40
00:03:50,850 --> 00:03:55,120
The picture on the left shows that the system can't find any virus protection software.

41
00:03:56,380 --> 00:04:01,780
The one on the right displays a message that Windows has detected an unregistered version of XP Antivirus

42
00:04:02,350 --> 00:04:08,830
and it recommends to register it. A system message seems trustworthy.

43
00:04:09,740 --> 00:04:21,990
Clicking the Recommendations button took the user to the XP Antivirus registration website.

44
00:04:22,180 --> 00:04:25,810
Many people went to that site because they couldn't use their computers anymore.

45
00:04:27,400 --> 00:04:34,070
Messages generated by the program were very intrusive. My friends often called me to help them with those

46
00:04:34,070 --> 00:04:39,390
windows that would constantly pop up, take up half the screen, and couldn't be closed.

47
00:04:41,510 --> 00:04:45,380
Many people paid just to get rid of the problem.

48
00:04:45,380 --> 00:04:50,170
This is one of the manipulation techniques we've discussed.

49
00:04:50,270 --> 00:04:55,440
The registration fee was set at only about $40.

50
00:04:55,450 --> 00:05:01,230
Please note that the registration website didn't use a secure connection.

51
00:05:01,250 --> 00:05:08,200
You can see only the HTTP protocol in the header field. Even back in those days,

52
00:05:08,200 --> 00:05:15,910
very few websites used unsecured connections when requesting a credit card number. To obtain a certificate

53
00:05:15,910 --> 00:05:17,750
needed for secure connections,

54
00:05:18,100 --> 00:05:23,410
the creators of XP Antivirus would have had to disclose their true identities.

55
00:05:23,420 --> 00:05:25,300
This was something they wanted to avoid.

56
00:05:28,310 --> 00:05:29,980
After the registration process,

57
00:05:29,990 --> 00:05:33,800
it turned out that $39 wasn't the only fee that needed to be paid.

58
00:05:34,870 --> 00:05:42,940
Additional payments ranged from 80 to $400. At least a few people paid $39, and the money went to bank

59
00:05:42,940 --> 00:05:50,400
accounts in Eastern Europe.

60
00:05:50,470 --> 00:05:56,520
There were more programs such as XP Antivirus at that time. Because of the wide-scale success

61
00:05:56,520 --> 00:05:57,970
of the program,

62
00:05:57,990 --> 00:06:04,710
few other firms decided to seize the opportunity and created their own versions.

63
00:06:04,750 --> 00:06:07,250
You can see another such program on the slide.

64
00:06:07,480 --> 00:06:16,050
It's called Anti-Spyware Master. XP Antivirus was being regularly developed for the next six months.

65
00:06:16,110 --> 00:06:20,550
No one knows how much profit it brought to its creators.

66
00:06:20,630 --> 00:06:28,260
It certainly was much more profitable than creating databases or such software.

67
00:06:28,300 --> 00:06:29,490
Thank you for your attention.