Saturday, June 7, 2008

The Venture Capital Win 32 ViroHistory

History of 4th Decade In Virus History

2001
2001 was a mixed bag: antivirus vendors took significant strides forward, but the number of virus attacks rose nevertheless. The changeover from classic viruses to worms continued as Internet use exploded. Virus writers demonstrated a definite preference for malicious code that propagated by sending its files across local networks and the Internet.

Significant outbreaks
Malicious programs that exploited vulnerabilities in applications and operating systems caused serious epidemics in 2001: CodeRed, Nimda, Aliz and BadtransII. The large-scale epidemics caused by these worms changed the face of computer security and set trends for malware evolution for several years to come.

Endless variants of LoveLetter (aka ILoveYou), Magistr and SirCam also enlivened the malware landscape, keeping users and antivirus vendors on their toes.

Vulnerabilities
A vulnerability is a hole in a legitimate application or operating system that can be exploited by a virus writer: malicious code penetrates the system via such loopholes.

Viruses and worms that exploit vulnerabilities are particularly dangerous in that they are installed and activated automatically regardless of user action. For instance, Nimda penetrated computers even when the infected email was simply viewed through the preview window in MS Outlook. CodeRed went a step further: it scanned the Internet for vulnerable machines and infected them. According to Kaspersky Virus Lab statistics, malware exploiting vulnerabilities made up almost 55% of all malware detected in 2001.

The interest displayed by virus writers in vulnerabilities was justified. Traditional infection techniques used by classic file viruses, where the user initiated the infection cycle, were no longer as effective as before. Therefore, virus writers eagerly adopted the new technique.

Email and the Internet - primary sources of new threats
Kaspersky Virus Lab statistics showed that virus attacks via email rose by 5% in 2001 in comparison with 2000 and made up almost 90% of the total number of virus incidents in 2001.

2001 proved to be a watershed in the evolution of virus attacks via the Internet. Previously, most Internet-related infections occurred when users downloaded and executed files from untrustworthy web sites. In 2001 a new infection technique appeared: users no longer needed to download files - a visit to an infected web site was enough. Virus writers substituted infected pages for clean ones. Most users were infected by malware that exploited vulnerabilities in MS IE. In some cases compromised sites offered free programs that turned out to be malicious.

Attacks via non-Internet technologies
2001 was also the year that instant messaging services, such as ICQ and MS Instant Messenger, were first used as channels for spreading malicious code. A spate of worm infections turned these services into further traps for unwary users. The Internet worm Mandragore attacked the Gnutella file-sharing network. And last but not least, 2001 saw a proliferation of worms designed to propagate via IRC channels.

More attacks on Linux
A significant number of malicious programs targeting Linux appeared in 2001. Ramen opened the season on January 19 and penetrated a large number of corporate networks within days. Victims included NASA (USA), A&M University (USA) and hardware vendor Supermicro (Taiwan).

The attacks swelled into an avalanche, with Ramen clones and new Linux worms appearing one after another. Most of these malicious programs exploited vulnerabilities in the operating system. The rapid spread of these threats underlined the lack of preparation by Linux developers, who had been sleeping peacefully, sure that Linux was a completely secure environment. Many Linux users hadn't even bothered to install the patches that were available for some of the exploited vulnerabilities and fell easy prey to these worms.

Fileless worms - a new challenge
So-called fileless worms turned out to be one of the nastiest surprises of 2001. These worms were able to self-replicate and function on infected machines without using files. These worms exist only in RAM and spread as specially configured data packets.

This new technique gave antivirus experts some difficult moments. Traditional antivirus scanners and monitors proved helpless against this new threat, since up to that time antivirus engines had detected malicious programs during file operations. Kaspersky Lab was the first to develop a new antivirus filter that scanned incoming data packets in background mode and deleted fileless worms.

Worms for Windows increase
While classic viruses (predominantly macro and script viruses) visibly dominated throughout 1999-2000, 2001 was the year of worms for Windows. By the fall, these worms had caused about 90% of all registered virus infections.

The reasons for this trend were two-fold: on the one hand new technologies allowed virus writers to create better worms, and on the other, antivirus vendors had developed effective protection against macro and script viruses.

Virus hoaxes
Virus hoaxes were all the rage in 2001, with 10 new warnings about a dangerous new virus registered by March. Nervous users, frightened by the large-scale outbreaks in 2000, scrambled to forward these warnings to friends and relatives. California IBM and Girl Thing proved especially effective. A letter warning users about a new ILoveYou outbreak scheduled for Valentine's Day was also extremely effective.

Some of these hoaxes were so effective that copies of the messages were still circulating around the Internet several years later.

2001 in review:
Email and the Internet move to the fore as environments for new threats;
Alternate channels such as ICQ, IRC, MSN Messenger and file-sharing networks also gain prominence;
Fileless worms appear on the scene;
Worms for Windows make up the majority of new threats by mid-year, with macro- and script-viruses losing ground significantly.

2002
There were 12 significant and 34 less serious virus outbreaks in 2002, along with continuing activity caused by viruses from previous years. Virus writers actively penetrated new platforms, applications and technologies.

2002 Highlights
Two new flash worms, LFM and Donut, appeared in January: both of these worms were designed to spread in the .NET environment. Fortunately, both worms turned out to be only proof-of-concept viruses and no infections were registered.

In May, we saw Spida, a worm that attacked SQL servers, and Benjamin, a virus that triggered a whole series of copycat malware targeted at the Kazaa file-sharing network.

Malware for Linux
The worm Slapper finally convinced all remaining skeptics that Linux users need to be just as aware of security issues as users of all other operating systems. Slapper penetrated thousands of machines running Linux within a few days. Users of FreeBSD also got a timely reminder about security: a new worm called Scalper struck FreeBSD machines in September, though the damage did not escalate to the proportions caused by Slapper.

Professional virus writers
This was the year professional writers got down to business: there was a significant increase in malicious programs designed to commit financial fraud. These programs stole passwords, confidential data, Internet access information and other data that allowed virus writers to make money by using the harvested data.

Worms
Email worms, such as Klez and Lentin, had already been popular prior to 2002. However, a new breed of email worms superseded the older versions: these new email worms spread by connecting directly to built-in SMTP servers on infected machines.

This development grew out of increased security measures which prevented worms from spreading via MS Outlook and other email clients. Email system developers integrated either antivirus protection or special functionality preventing unauthorized mailings. As a result, virus writers focused on worms that were able to avoid these measures.

Worms multiplying in other environments, such as LANs, P2P, IRC and so forth, disappeared almost entirely in this year.

Klez
An Internet worm named Klez caused the most serious outbreak of the year. Klez was first detected on 26 October and remained on the list of the most widespread malicious programs for the next two years. This is a record in virusology that is yet to be broken. New Klez variants, Klez.e and Klez.h, were the most active Klez clones. Altogether, by the end of 2002, 6 out of 10 registered infections were caused by Klez.

Though Klez caused the most serious outbreak during 2002, several other worms provided some stiff competition: Lentin and Tanatos (aka Bugbear). In fact, Lentin surpassed Klez in the number of incidents by the end of the year.

Vulnerabilities
The trend to exploit vulnerabilities that first became significant in 2001 continued: virus writers homed in on the IFRAME vulnerability in MS Internet Explorer to create worms including Klez, Lentin and Tanatos. Altogether, these accounted for 85% of all virus incidents.

Classic viruses
Interestingly enough, macro viruses rose to the fore among classic viruses this year. The macro viruses for MS Word Thus, TheSecond, Marker and Flop were the most widespread. These viruses had first appeared in the late 1990s, but they resurfaced in 2002. The most likely reason is the increased number of Windows users who were all sure that macro viruses were a thing of the past. Inconvenient security measures were abandoned and the result was a second round of old viruses. The majority of infections were caused by Elkern, CIH, FunLove and Spaces.

On the plus side, script viruses and other classic viruses almost disappeared in 2002.

Virus hoaxes
The upsurge in virus hoaxes that began in 2001 continued into 2002. Users worldwide flooded each other with new and old hoaxes: JDBGNR, Ace-?, SULFNBK, Virtual Card for You, California IBM and Girl Thing.

2002 summary
By the end of the year, an interesting pattern emerged in the spread of malicious programs. In previous years, the overwhelming majority of virus incidents were connected to a small number of viruses, typically 2-3. By September 2002, however, this pattern was broken: more and more infections were caused by viruses which did not make it to the top twenty.

Increased end user awareness regarding security issues and willingness to adopt precautionary methods undoubtedly played a role in this development. Correct protective techniques implemented by end users led to a decrease in number of incidents caused by individual viruses.

And yet, the overall number of infections did not decrease, meaning that the overall number of malicious programs in the wild had grown. Even though no single virus caused a significant outbreak, together they constituted an impressive volume.

2003
In 2003 two global Internet attacks took place that could be called the biggest in the history of the Internet. The Internet worm Slammer laid the foundation for the attacks, and used a vulnerability in the MS SQL Server to spread. Slammer was the first classic fileless worm, which fully illustrated the capabilities of a flash-worm - capabilities which had been foreseen several years before.

On January 25th, 2003, within the space of a few minutes, the worm infected hundreds of thousands of computers throughout the world, and increased network traffic to the point where several national segments of the Internet crashed. Experts estimate that traffic increased by 40% to 80% in a variety of networks. The worm attacked computers through ports 1433 and 1434 and, on penetrating machines, did not copy itself to any disk, but simply remained in computer memory. If we analyse the dynamics of the epidemic, we can assert that the worm originated in the Far East.

The second, more important epidemic was caused by the Lovesan worm, which appeared in August 2003. The worm demonstrated just how vulnerable Windows is. Just as Slammer did, Lovesan exploited a vulnerability in Windows in order to replicate itself. The difference was that Lovesan used a loophole in the RPC DCOM service working under Windows 2000/XP. This led to almost every Internet user being attacked by the worm.

As for viruses penetrating new platforms and applications, the year was surprisingly quiet. The only news was the discovery, in the wild, of MBP.Kynel, by Kaspersky Labs. This virus infects MapInfo documents and is written in MapBasic. The MBP.Kynel virus was undoubtedly written by a Russian.

2003 was the year of ceaseless epidemics caused by email worms. Ganda and Avron were first detected in January. The former was written in Sweden and is still one of the most widespread email worms in Scandinavia despite the fact that the Swedish police arrested the author of the worm at the end of March.

Avron was the first worm to be created in the former USSR capable of causing a significant worldwide epidemic. The source code for the worm was published on the Internet and this has led to the appearance of a number of less effective versions.

Another important event in 2003 was the appearance of the first Sobig worm in January. Worms from this family all caused significant virus outbreaks, but it was version 'f' which broke all records, becoming the most widely distributed worm in network traffic in Internet history. At the peak of the epidemic, Sobig.f, which was first detected in August, could be found in every 20th email message. The virus writers who created the Sobig family were aiming to create a network of infected machines with the aim of conducting DoS attacks on arbitrarily selected sites and also to use the network for spam attacks.

The Tanatos.b email worm was also a notable event in virusology. The first version of Tanatos was written in the middle of 2002, but version 'b' appeared only a year later. The worm exploited the well-known IFRAME loophole in MS Outlook to automatically launch itself from infected messages. Tanatos caused one of the most significant email epidemics of 2003, coming second to that caused by Sobig.f, which probably has the record for the most machines infected by an email worm.

Worms from the Lentin family continued to appear. All these worms were written in India by a local hacker group as part of the 'virtual war' between Indian and Pakistani hackers. The most widespread versions were 'm' and 'o', where the virus replicated in the form of a ZIP archive file attached to infected messages.

Russian writers remained active; the second worm from the former USSR which also caused a global epidemic was Mimail. The worm used the latest vulnerability in Internet Explorer to activate itself. The vulnerability allowed binary code to be extracted from HTML files and executed. This was first used in Russia in May 2003 (Trojan.Win32.StartPage.l). Following this, the vulnerability was used by the Mimail family and several other Trojan programs. The authors of the Mimail worm published the source code on the Internet, which led to the appearance of several new varieties of the worm in November 2003, written by other virus writers.

September was the month of Swen. I-Worm.Swen, masquerading as a patch from Microsoft, managed to infect several hundred thousand computers throughout the world and to date remains one of the most widespread email worms. The author of the virus exploited frightened users who were still nervous after the recent Lovesan and Sobig.f epidemics.

A recent significant epidemic was caused by Sober, a relatively simple mail worm written by a German; it is an imitation of the year's leader, Sobig.f.

In 2002, the trend was towards an increase in the number of backdoor and spy Trojan programs and this continued in 2003. In this category, Backdoor.Agobot and Afcore were most notable. There are now more than 40 varieties of Agobot in existence, since the author of the original version created a network of websites and IRC channels where anyone who wanted could, for a fee starting from $150, become the owner of an 'exclusive' version of Backdoor-a, which would be created in accordance with the client's wishes.

Afcore is slightly less widespread. However, in order to mask its presence in the system, it uses an unusual method: it places itself in the additional streams offered by the NTFS file system, i.e. in a directory (catalogue) stream rather than in file streams.

A new and potentially dangerous trend was identified at the end of 2003: a new type of Trojan, TrojanProxy. This was the first and clearest sign of virus writers and spammers uniting. Spammers began using machines infected by such Trojan programs for mass spam mailings. It is also clear that spammers participated in a number of epidemics, as malicious programs were spread using spamming technology.

Internet worms constituted the second most active class of viruses in 2003; specifically I-Worms which replicated by seizing passwords to remote network resources. As a rule, such worms are based on IRC clients, and scan the addresses of IRC users. They then attempt to penetrate computers using the NetBIOS protocol and port 445. One of the most notable viruses in this class was the Randon family of Internet worms.

Throughout the year Internet worms remained the dominant type of malicious software.

Viruses, namely macro viruses such as Macro.Word97.Saver, came in second. However, Trojan programs overtook viruses in the autumn, and this trend continues through today.

Where We've Been and Where We're Going
Worms - trendsetting in 2003
The trends in virusology that we observe today have their primary roots in the second half of 2003. The Internet worms Lovesan, Sobig, Swen and Sober not only caused global epidemics, but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers.

Once a piece of malware which uses fundamentally new techniques to propagate or infect victim machines appears, virus writers are quick to adopt the new approach. Today's new threats all incorporate characteristics of Lovesan, Sobig, Swen or Sober. Therefore, in order to understand what virus writers are doing currently, and to predict what the future may bring, we need to examine this quartet of worms carefully.

Lovesan
Lovesan appeared in August 2003 and infected millions of computers worldwide in just a few days. This Internet worm propagated by exploiting a critical vulnerability in MS Windows. Lovesan spread directly via the Internet, moving from computer to computer, ignoring methods such as IRC, P2P and email, which were popular at the time. The Morris worm first used this propagation method in 1988, but it took 15 years for another virus writer to take advantage of this particular technique.

To some extent, Lovesan was a copycat worm; by exploiting an MS Windows vulnerability, it followed in Slammer's footsteps. However, although Slammer, which struck in January 2003, infected approximately half a million computers, it did not achieve the same infection rates as Lovesan.

Slammer was also the first classic file-less worm - certainly an achievement, in a perverse way, for the coder, since writing a viable file-less worm requires strong programming skills. As a matter of fact, there has only been one other moderately 'successful' file-less worm since Slammer: Witty, which made its appearance in March 2004.

Lovesan also started another trend: the inclusion of DoS attacks on corporate sites as part of the worm's payload. Lovesan attacked Microsoft, and had the attack been successful, millions of users worldwide would have been unable to download the patches they needed to protect their machines from the worm. Fortunately, the DoS attack failed, but Microsoft did re-engineer their web server architecture in response.

To summarize, Lovesan set the following trends:

Exploiting critical vulnerabilities in MS Windows
Propagation via the Internet through direct connections to victim machines
Organising DoS and DDoS attacks on key websites
Sobig.f
Sobig.f followed hard on the heels of Lovesan in August 2003 and created the first serious email worm outbreak of the twenty-first century. At the height of the epidemic one out of 10 email messages was infected by Sobig. Email traffic increased tenfold and included millions of messages from antivirus programs faithfully informing spoofed senders about the detected and deleted malware.

Sobig.f did not exploit any vulnerabilities, and the message attributes (message subject etc.) were also nothing out of the ordinary. However, Sobig's payload included a backdoor function that left antivirus professionals waiting with bated breath for August 22, the date when all Sobig-controlled zombies were scheduled to receive a mystery command. Fortunately, the server from which the command was to be launched was shut down in time, but Sobig.f continues to plague the Internet community, remaining one of the most common viruses worldwide.

Large-scale epidemics are not caused by classic worms released into the wild from a few computers. These classic worms often take weeks or even months to reach a peak of activity. Sobig.f was no exception to this rule: it exploited machines infected previously by prior versions. Sobig.a appeared in January 2003 and was followed by several modifications, all of which conscientiously built a network of infected machines, machine by machine. Once critical mass was reached Sobig.f struck.

Sobig.f initiated the wave of large-scale email worm outbreaks seen in 2004, and this wave will continue to break until some new technique is invented! Sobig brought two innovative techniques to the world of malware:

The creation of networks of infected machines to serve as epidemic platforms
Mass mailing of malware using spammer techniques
Swen
Let's move on in time to September 18, 2003. Early in the morning, Kaspersky Lab received a sample from New Zealand. The worm looked interesting, but nobody anticipated an epidemic. However, 6 hours later cries for help from infected users worldwide proved that a new and dangerous virus had joined the fray.

At first glance, Swen seemed to be yet another worm using standard propagation methods - email, IRC and P2P networks. However, Swen stood out from the crowd for its stunningly successful social engineering. The worm arrived disguised as a patch from Microsoft which would supposedly secure all vulnerabilities. The message included Microsoft logos, links to real Microsoft resources and a very convincing text. Recipients, scared by the recent publicity about the Lovesan and Sobig outbreaks, and having absorbed the lesson that patching is essential, obediently clicked on the link. The email was so convincing that many experienced users were caught out, joining droves of less informed users in launching the worm.

The resulting outbreak was certainly less serious than the ones caused by Lovesan and Sobig (only 350 infected servers were used to spread Swen), however, Swen did prove that social engineering works, and works very well indeed when properly implemented.

Sober
Sober is the final entrant in the list of interesting worms from 2003. Sober was a Sobig copycat, but had some innovative features. Infected emails came in many languages, with the language chosen being determined by the recipient's IP address. Sober also exploited social engineering techniques by pretending to be a removal tool for Sobig.

2004
2004 has so far given us many new and original malicious programs. Some of these incorporate last year's developments, but many new features and proof of concept viruses demonstrate that the computer underground is still thriving and continuing to evolve.

January 2004
A new Trojan proxy, Mitglieder, appeared in the first week of the new year. Thousands of ICQ users received a message inviting them to visit a specified site. Users who clicked on the link then turned to antivirus vendors for help. The site contained a Trojan that used a vulnerability in MS IE to install and launch a proxy server on the victim machine without the user's knowledge. The proxy opened a port making it possible for a remote user to send and receive email using the infected machine. Victim machines were transformed into zombies spewing out spam. Virus writers quickly adopted the two new techniques introduced in Mitglieder:

Mass mailings of links to infected sites via email or ICQ
Trojan proxies become a separate class of malware closely linked to spammers
Last but not least, Mitglieder also created a network of zombie machines - but the world only found out about this when Bagle struck.

Bagle seems to have been written by the same group which authored Mitglieder. Bagle also either installed a Trojan proxy server or downloaded it from the Internet. In any case, the worm was simply an improved version of Mitglieder, with the ability to propagate by email. Moreover, Bagle was sent from machines infected by Mitglieder.

And finally, the most serious virus epidemic in computer history to date: the worm Mydoom.a. It propagated using a network of zombie machines infected in advance (like Sobig), a clever bit of social engineering (like Swen), incorporated an effective backdoor function and was programmed to conduct a DoS attack on a corporate site (like Lovesan).

This concatenation of features copied from three highly viable worms broke all records. Mydoom.a created more email traffic than the recent leader Sobig.f; infected millions of machines worldwide, opening ports to external access and effectively crashing the SCO website.

Mydoom.a did more than build on the success of its predecessors in creating the most severe epidemic in computer virology to date. The worm introduced a new technique as well. The backdoor installed by Mydoom was exploited by other malware authors, with new viruses that searched for the Mydoom backdoor component appearing immediately. Most of these newcomers penetrated machines via the backdoor, deleted Mydoom and installed themselves in place of Mydoom. Some of these copycats caused local outbreaks and they all forced local segments of the Mydoom zombie network to work for the copycat virus writers instead.

Thus, we saw yet another technique gain popularity:

Using vulnerabilities or holes created by other viruses
February 2004
NetSky.b
This email worm used the network of infected machines left in the wake of Backdoor.Agobot to spread. NetSky.b demonstrated most of the techniques listed above but also deleted a number of worms: Mydoom, Bagle and Mimail. The idea of a so-called 'antivirus' virus is not new. The first significant example of this supposedly helpful species, Welchia, appeared in 2003. Welchia not only penetrated computers to clean machines infected by Lovesan, it also attempted to download the Windows patch that closed the vulnerability exploited by Lovesan in the first place.

NetSky not only deleted competitor viruses, but engaged their authors in a war of words, coding insults into the body of the virus. The writer of Mydoom did not take up the challenge, but the authors of Bagle picked up the gauntlet and the virus war began. At the peak of activity, three versions of each worm appeared in the space of one day.

Setting aside the issue of verbal warfare, the authors of Bagle and NetSky introduced several innovations:

Active deletion of competitor viruses
Propagation in archived files (Bagle & NetSky variants)
Propagation in password-protected compressed files: passwords were either included as text strings or as graphics (Bagle)
Abandoning propagation by email: instead, the malicious programs spread by directing infected machines to sites where the worm's body was downloaded or downloading the worm's body from previously infected machines (NetSky)
The incidents listed above have not only had a serious influence on virus writers, but also on the evolution of the architecture and functionality of contemporary antivirus solutions.

The move to abandon emailing the body of the worm is particularly significant. NetSky.q, a NetSky variant that spread by sending emails with links to previously infected machines, was immediately followed by Bizex. Bizex was the first ICQ worm; it penetrated machines via ICQ and sent all ICQ contacts found on newly infected machines links to a site where the body of the worm was located. Once users clicked on the link, the body of the worm would be downloaded from the infected web site and the cycle started again. Bizex successfully combined characteristics of Mitglieder (propagation via ICQ) and NetSky (sending links to infected web sites).

March - May 2004
Snapper and Wallon
These Internet worms consolidated the techniques introduced by NetSky and Bizex. Both worms scanned email address books on infected machines and sent links to infected sites to all contacts in the local address books. Virus writers placed script Trojans on infected sites: these Trojans then exploited vulnerabilities in Internet Explorer to install the main components on victim machines.

Even today, emails containing links are not treated by recipients with the appropriate caution. The user who is suspicious of emails with attachments will nevertheless cheerfully click on links supposedly sent by friends. Undoubtedly, this technique will continue to be used until users learn to treat links sent via email with the same wariness that they display towards email attachments. It seems likely that the continual discovery of new vulnerabilities in Internet Explorer and Outlook will only add fuel to the fire.

Sasser
The final ground-breaking virus of 2004 to date was Sasser, which appeared in late April. This Internet worm exploited a critical vulnerability in MS Windows, and spread in a similar way to Lovesan, connecting directly to the victim machine via the Internet. Sasser caused a serious outbreak in Europe and left behind an FTP-server vulnerability that was immediately picked up by Dabber and Cycle. When Sven Jaschan, the teenage author of Sasser, was arrested, he admitted to also being the author of the NetSky family.

The arrest of a virus writer so soon after the release of a new malicious program made history.

Sasser was evidence that virus writers recycle and plagiarize successful techniques: Jaschan used techniques exploited by Lovesan, and other virus writers in turn immediately picked up on his ideas.

Plexus
Plexus made history by becoming the first worm since Nimda (2001) to use all available propagation techniques: the Internet, email, P2P networks and LANs. Three years had passed since any virus writer utilized so many resources simultaneously.

Plexus was potentially an extremely dangerous worm based on the Mydoom source code. Here the virus writer followed in the footsteps of Sober's author. Parts of Sober were pure plagiarism, resulting in a worm which was more successful than some of the malicious program 'donors'.

Fortunately, no version of Plexus caused a serious outbreak, most likely because none of them used spammer mass mailing techniques for initial propagation. Nor did the author of these worms use any effective social engineering techniques. However, should they or somebody else choose to create new versions which correct these failings, the world may be at risk of a serious outbreak.

Beyond worms
The worms described above caused the most publicized outbreaks in recent IT history. However, other types of malware can pose a serious threat to computer and data security; it is therefore important to evaluate the total picture, including non-Windows environments, in order to understand current trends.

Other Malware
Trojans
Trojans are often perceived as being less dangerous than worms, as they cannot replicate or travel independently. However, this is a misconception: most of today's malware combines several components, and many worms carry Trojans as part of their payload. These Trojans also lay the foundations for bot networks.

Trojans themselves are becoming more sophisticated. Trojan spy programs are proliferating, with dozens of new versions appearing every week. These versions are all slightly different, but developed with one aim in mind: to steal confidential financial information.

Some of these programs are simple key loggers, which send a record of keyboard activity to the author or user of the program. The more elaborate versions offer complete control over victim machines, sending data to remote servers and receiving and executing commands.

Total control over victim machines is often the goal for Trojan writers. Infected machines are usually joined into a bot network, often using IRC channels or web sites where the coder posts new commands. The more complex Trojans, such as many Agobot variants, unite all infected machines into a single P2P network.

Once bot networks have been created, they are rented out to spammers or used to conduct DDoS attacks. The escalating commercialization of virus writing is leading to increased sophistication in bot network creation.

Trojan droppers and downloaders
Both droppers and downloaders have one goal: to install an additional piece of malware, be it a worm or another Trojan, on the victim machine. They differ from Trojans simply in the methods which they use.

Droppers either install another malicious program or a new version of previously installed malware. Droppers can carry several completely unrelated pieces of malware, which may display different behaviours and may even be written by different authors. In effect, droppers act as an archiver which can compress many different kinds of malware.

Droppers are often used to carry known Trojans. This is because it is significantly easier to write a dropper than a new Trojan, and to ensure that the dropper cannot be detected by antivirus solutions. Most droppers are written in VBS and JS, which accounts for their popularity; the languages themselves are relatively simple, with cross-platform application.

Virus writers often use downloaders in the same way as droppers. However, downloaders can be more useful than droppers. Firstly, downloaders are much smaller than droppers. Secondly, they can be used to download endless new versions of the targeted malware. Like droppers, downloaders are usually written in script languages such as VBS and JS, but they also often exploit Internet Explorer vulnerabilities.

Moreover, both droppers and downloaders are used not only to install other Trojans, but also other malicious programs such as adware and pornware.

Classic File Viruses
Classic file viruses reigned supreme in the 90s; however they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces.

On the whole, there is very little danger that classic file viruses will cause any major epidemics. Even Rugrat, the first proof of concept virus for Win64, is unlikely to change the situation in the foreseeable future.

Other Environments
Linux
To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware.

Handhelds
PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity. The first Trojan for Palm OS appeared in September 2000. The first proof of concept virus for Pocket PC, Duts, was slower to arrive, finally appearing in July 2004. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. Once virus writers decide that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly.

Mobile Phones
Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear.
