virus list

Tuesday, May 12, 2009

If Your Computer is Infected

An infected computer is like a person - if you analyse the symptoms, you can diagnose the illness.

What to Do If Your Computer Is Infected

Sometimes even an experienced user will not realise that a computer is infected with a virus. This is because viruses can hide among regular files, or camouflage themselves as standard files. This section contains a detailed discussion of the symptoms of virus infection, how to recover data after a virus attack and how to prevent data from being corrupted by malware.

Symptoms of infection

There are a number of symptoms which indicate that your computer has been infected. If you notice "strange things" happening to your computer, such as:

  • unexpected messages or images are suddenly displayed
  • unusual sounds or music played at random
  • your CD-ROM drive mysteriously opens and closes
  • programs suddenly start on your computer
  • you receive notification from your firewall that some applications have attempted to connect to the Internet, although you did not initiate this

then it is very likely that your computer has been infected by a virus.

Additionally, there are some typical symptoms which indicate that your computer has been infected via email:

  • your friends mention that they have received messages from your address which you know you did not send
  • your mailbox contains a lot of messages without a sender's e-mail address or message header

These problems, however, may not be caused by viruses. For example, infected messages that are supposedly coming from your address can actually be sent from a different computer.

There is a range of secondary symptoms which indicate that your computer may be infected:

  • your computer freezes frequently or encounters errors
  • your computer slows down when programs are started
  • the operating system is unable to load
  • files and folders have been deleted or their content has changed
  • your hard drive is accessed too often (the light on your main unit flashes rapidly)
  • Microsoft Internet Explorer freezes or functions erratically e.g. you cannot close the application window

Most of the time the symptoms listed above indicate a hardware or software problem. Although such symptoms are unlikely to be caused by a virus, you should use your antivirus software to scan your computer fully.

What you should do if you notice symptoms of infection

If you notice that your computer is functioning erratically

  • Don't panic! This golden rule may prevent the loss of important data stored in your computer and help you avoid unnecessary stress.
  • Disconnect your computer from the Internet.
  • If your computer is connected to a Local Area Network, disconnect it.
  • If the computer cannot boot from the hard drive (error at startup), try to start the system in Safe Mode or from the Windows boot disk.
  • Before taking any action, back up all critical data to an external drive (a floppy disk, CD, flash memory, etc.).
  • Install antivirus software if you do not have it installed.
  • Download the latest updates for your antivirus database. If possible, do not use the infected computer to download updates, but use a friend's computer, or a computer at your office, an Internet cafe, etc. This is important because if you are connected to the Internet, a virus can send important information to third parties or may try to send itself to all email addresses in your address book. You may also be able to obtain updates for your antivirus software on CD-ROM from the software vendors or authorized dealers.
  • Perform a full system scan.

If no viruses are found during a scan

If no viruses are found during the scan and the symptoms that alarmed you are classified, you probably have no reason to worry. Check all hardware and software installed in your computer. Download Windows patches using Windows Update. Uninstall all unlicensed software from your computer and clean your hard drives of any junk files.

If viruses are found during a scan

A good antivirus solution will notify you if viruses are found during a scan, and offer several options for dealing with infected objects.


In the vast majority of cases, personal computers are infected by worms, Trojan programs, or viruses. In most cases, lost data can be successfully recovered.

  • A good antivirus solution will provide the option to disinfect infected objects, quarantine possibly infected objects and delete worms and Trojans. A report will provide the names of the malicious software discovered on your computer.
  • In some cases, you may need a special utility to recover data that have been corrupted. Visit your antivirus software vendor's site, and search for information about the virus, Trojan or worm which has infected your computer. Download any special utilities if these are available.
  • If your computer has been infected by viruses that exploit Microsoft Outlook Express vulnerabilities, you can fully clean your computer by disinfecting all infected objects, and then scanning and disinfecting the mail client's databases. This ensures that the malicious programs cannot be reactivated when messages which were infected prior to scanning are re-opened. You should also download and install security patches for Microsoft Outlook Express.
  • Unfortunately, some viruses cannot be removed from infected objects. Some of these viruses may corrupt information on your computer when infecting, and it may not be possible to restore this information. If a virus cannot be removed from a file, the file should be deleted.

If your computer has suffered a severe virus attack

Some viruses and Trojans can cause severe damage to your computer:

  • If you cannot boot from your hard drive (error at startup), try to boot from the Windows rescue disk. If the system cannot recognize your hard drive, the virus has damaged the disk partition table. In this case, try to recover the partition table using scandisk, a standard Windows program. If this does not help, contact a computer data recovery service. Your computer vendor should be able to provide contact details for such services.

If you have a disk management utility installed, some of your logical drives may be unavailable when you boot from the rescue disk. In this case, you should disinfect all accessible drives, reboot from the system hard drive and disinfect the remaining logical drives.

  • Recover corrupted files and applications using backup copies after you have scanned the drive containing this data.

Diagnosing the problem using standard Windows tools

Although this is not recommended unless you are an experienced user, you may wish to:

  • check the integrity of the file system on your hard drive (using the CHKDSK program) and repair file system errors. If there are a large number of errors, you must back up the most important files to removable storage media before fixing the errors
  • scan your computer after booting from the Windows rescue disk
  • use other standard Windows tools, for example, the scandisk utility

For more details on using these utilities, refer to the Windows Help topics.

If nothing helps

If the symptoms described above persist even after you have scanned your computer, and checked all installed hardware and software and your hard drive using Windows utilities, you should send a message with a full description of the problem to your antivirus vendor's technical support department.

Some antivirus software developers will analyse infected files submitted by users.

After you have eradicated the infection


Once you have eradicated the infection, scan all disks and removable storage media that may be infected by the virus.


Make sure that you have appropriately configured antivirus software installed on your computer.


Practice safe computing.


All of these measures will help prevent your computer getting infected in the future.

Malware Trends



Where are we headed? An in-depth look at recent events helps forecast future trends and security issues.

Where We've Been and Where We're Going

Worms - trendsetting

The trends in virology that we observe today have their primary roots in the second half of 2003. The Internet worms Lovesan, Sobig, Swen and Sober not only caused global epidemics, but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers.

Once a piece of malware which uses fundamentally new techniques to propagate or infect victim machines appears, virus writers are quick to adopt the new approach. Today's new threats all incorporate characteristics of Lovesan, Sobig, Swen or Sober. Therefore, in order to understand what virus writers are doing currently, and to predict what the future may bring, we need to examine this quartet of worms carefully.

Lovesan

Lovesan appeared in August 2003 and infected millions of computers worldwide in just a few days. This Internet worm propagated by exploiting a critical vulnerability in MS Windows. Lovesan spread directly via the Internet, moving from computer to computer, ignoring methods such as IRC, P2P and email, which were popular at the time. The Morris worm first used this propagation method in 1988, but it took 15 years for another virus writer to take advantage of this particular technique.

To some extent, Lovesan was a copycat worm; by exploiting an MS Windows vulnerability, it followed in Slammer's footsteps. However, although Slammer, which struck in January 2003, infected approximately half a million computers, it did not achieve the same infection rates as Lovesan.

Slammer was also the first classic file-less worm - certainly an achievement, in a perverse way for the coder, since writing a viable file-less worm requires strong programming skills. As a matter of fact, there has only been one other moderately 'successful' file-less worm since Slammer - Witty, which made its appearance in March 2004.

Lovesan also started another trend: the inclusion of DoS attacks on corporate sites as part of the worm's payload. Lovesan attacked Microsoft, and had the attack been successful, millions of users worldwide would have been unable to download the patches they needed to protect their machines from the worm. Fortunately, the DoS attack failed, but Microsoft did re-engineer their web server architecture in response.

To summarize, Lovesan set the following trends:

  • Exploiting critical vulnerabilities in MS Windows
  • Propagation via the Internet through direct connections to victim machines
  • Organising DoS and DDoS attacks on key websites

Sobig.f

Sobig.f followed hard on the heels of Lovesan in August 2003 and created the first serious email worm outbreak of the twenty-first century. At the height of the epidemic one out of 10 email messages was infected by Sobig. Email traffic increased tenfold and included millions of messages from antivirus programs faithfully informing spoofed senders about the detected and deleted malware.


Sobig.f did not exploit any vulnerabilities, and the message attributes (message subject etc.) were also nothing out of the ordinary. However, Sobig's payload included a backdoor function that left antivirus professionals waiting with bated breath for August 22, the date when all Sobig-controlled zombies were scheduled to receive a mystery command. Fortunately, the server from which the command was to be launched was shut down in time, but Sobig.f continues to plague the Internet community, remaining one of the most common viruses worldwide.


Large-scale epidemics are not caused by classic worms released into the wild from a few computers. These classic worms often take weeks or even months to reach a peak of activity. Sobig.f was no exception to this rule: it exploited machines infected previously by prior versions. Sobig.a appeared in January 2003 and was followed by several modifications, all of which conscientiously built a network of infected machines, machine by machine. Once critical mass was reached, Sobig.f struck.


Sobig.f initiated the wave of large-scale email worm outbreaks seen in 2004, and this wave will continue to break until some new technique is invented! Sobig brought two innovative techniques to the world of malware:

  • The creation of networks of infected machines to serve as epidemic platforms
  • Mass mailing of malware using spammer techniques

Swen

Let's move on in time to September 18, 2003. Early in the morning, Kaspersky Lab received a sample from New Zealand. The worm looked interesting, but nobody anticipated an epidemic. However, 6 hours later cries for help from infected users worldwide proved that a new and dangerous virus had joined the fray.


At first glance, Swen seemed to be yet another worm using standard propagation methods - email, IRC and P2P networks. However, Swen stood out from the crowd for its stunningly successful social engineering. The worm arrived disguised as a patch from Microsoft which would supposedly secure all vulnerabilities. The message included Microsoft logos, links to real Microsoft resources and a very convincing text. Recipients, scared by the recent publicity about the Lovesan and Sobig outbreaks, and having absorbed the lesson that patching is essential, obediently clicked on the link. The email was so convincing that many experienced users were caught out, joining droves of less informed users in launching the worm.


The resulting outbreak was certainly less serious than the ones caused by Lovesan and Sobig (only 350 infected servers were used to spread Swen), however, Swen did prove that social engineering works, and works very well indeed when properly implemented.

Sober

Sober is the final entrant in the list of interesting worms from 2003. Sober was a Sobig copycat, but had some innovative features. Infected emails came in many languages, with the language chosen being determined by the recipient's IP address. Sober also exploited social engineering techniques by pretending to be a removal tool for Sobig.

2004

2004 has so far given us many new and original malicious programs. Some of these incorporate last year's developments, but many new features and proof of concept viruses demonstrate that the computer underground is still thriving and continuing to evolve.


January 2004


A new Trojan proxy, Mitglieder, appeared in the first week of the new year. Thousands of ICQ users received a message inviting them to visit a specified site. Users who clicked on the link then turned to antivirus vendors for help. The site contained a Trojan that used a vulnerability in MS IE to install and launch a proxy server on the victim machine without the user's knowledge. The proxy opened a port making it possible for a remote user to send and receive email using the infected machine. Victim machines were transformed into zombies spewing out spam. Virus writers quickly adopted the two new techniques introduced in Mitglieder:

  • Mass mailings of links to infected sites via email or ICQ
  • Trojan proxies becoming a separate class of malware closely linked to spammers

Last but not least, Mitglieder also created a network of zombie machines - but the world only found out about this when Bagle struck.

Bagle seems to have been written by the same group which authored Mitglieder. Bagle also either installed a Trojan proxy server or downloaded it from the Internet. In any case, the worm was simply an improved version of Mitglieder, with the ability to propagate by email. Moreover, Bagle was sent from machines infected by Mitglieder.

And finally, the most serious virus epidemic in computer history to date: the worm Mydoom.a. It propagated using a network of zombie machines infected in advance (like Sobig), a clever bit of social engineering (like Swen), incorporated an effective backdoor function and was programmed to conduct a DoS attack on a corporate site (like Lovesan).

This concatenation of features copied from three highly viable worms broke all records.

Mydoom.a created more email traffic than the recent leader Sobig.f, infected millions of machines worldwide, opening ports to external access, and effectively crashed the SCO website.

Mydoom.a did more than build on the success of its predecessors in creating the most severe epidemic in computer virology to date. The worm introduced a new technique as well. The backdoor installed by Mydoom was exploited by other malware authors, with new viruses that searched for the Mydoom backdoor component appearing immediately. Most of these newcomers penetrated machines via the backdoor, deleted Mydoom and installed themselves in place of Mydoom. Some of these copycats caused local outbreaks and they all forced local segments of the Mydoom zombie network to work for the copycat virus writers instead.

Thus, we saw yet another technique gain popularity:

  • Using vulnerabilities or holes created by other viruses

February 2004

NetSky.b

This email worm used the network of infected machines left in the wake of Backdoor.Agobot to spread. NetSky.b demonstrated most of the techniques listed above but also deleted a number of worms: Mydoom, Bagle and Mimail. The idea of a so-called 'antivirus' virus is not new. The first significant example of this supposedly helpful species, Welchia, appeared in 2003. Welchia not only penetrated computers to clean machines infected by Lovesan, it also attempted to download the Windows patch that closed the vulnerability exploited by Lovesan in the first place.


NetSky not only deleted competitor viruses, but engaged their authors in a war of words, coding insults into the body of the virus. The writer of Mydoom did not take up the challenge, but the authors of Bagle picked up the gauntlet and the virus war began. At the peak of activity, three versions of each worm appeared in the space of one day.


Setting aside the issue of verbal warfare, the authors of Bagle and NetSky introduced several innovations:

  • Active deletion of competitor viruses
  • Propagation in archived files (Bagle & NetSky variants)
  • Propagation in password-protected compressed files: passwords were either included as text strings or as graphics (Bagle)
  • Abandoning propagation by email: instead, the malicious programs spread by directing infected machines to sites where the worm's body was downloaded or downloading the worm's body from previously infected machines (NetSky)

The incidents listed above have not only had a serious influence on virus writers, but also on the evolution of the architecture and functionality of contemporary antivirus solutions.

The move to abandon emailing the body of the worm is particularly significant. NetSky.q, a NetSky variant that spread by sending emails with links to previously infected machines, was immediately followed by Bizex. Bizex was the first ICQ worm; it penetrated machines via ICQ and sent all ICQ contacts found on newly infected machines links to a site where the body of the worm was located. Once users clicked on the link, the body of the worm would be downloaded from the infected web site and the cycle started again. Bizex successfully combined characteristics of Mitglieder (propagation via ICQ) and NetSky (sending links to infected web sites).
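A mail-gateway check for two of the Bagle and NetSky techniques listed above (an archive attachment that is password-protected, with the password handed over in the message body or as an image). This is an added example, not code from the original article or from any antivirus product; the messages, the one-entry ZIP builder and the password heuristic are all constructed here for illustration.

```python
import io
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage

ZIP_ENCRYPTED = 0x1                              # general-purpose flag bit 0: entry is encrypted
DOS_DATE = ((2004 - 1980) << 9) | (1 << 5) | 1   # 2004-01-01 in the ZIP (MS-DOS) date format
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")
# Heuristic for "password is s3cret" / "password: s3cret"; does not fire on "password-protected".
PASSWORD_RE = re.compile(r"password(?:\s+is)?\s*:?\s*[\"']?(\w{3,})", re.I)


def make_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Build a minimal one-entry ZIP (stored, no compression) for the samples below.
    With encrypted=True only the encryption flag is set; the data is not really
    encrypted (constructed test data), which is all the flag-based check looks at."""
    flags = ZIP_ENCRYPTED if encrypted else 0
    fname = name.encode()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, DOS_DATE,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, DOS_DATE,
                          crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_message(body: str, attachments: list) -> EmailMessage:
    """Assemble a MIME message; attachments are (filename, maintype, subtype, payload)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"       # constructed addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: your files"
    msg.set_content(body)
    for filename, maintype, subtype, payload in attachments:
        msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def inspect_message(msg: EmailMessage) -> dict:
    """Flag the pattern: an encrypted archive the scanner cannot open, plus the key
    supplied to the user in the body text or as an attached picture."""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    findings = {"encrypted_archives": [], "executables_inside": [],
                "password_in_body": None, "image_attachment": False}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            findings["image_attachment"] = True
            continue
        if not payload.startswith(b"PK\x03\x04"):      # judge by content, not declared type
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            continue
        if any(i.flag_bits & ZIP_ENCRYPTED for i in infos):
            findings["encrypted_archives"].append(name)
        findings["executables_inside"] += [
            i.filename for i in infos if i.filename.lower().endswith(RISKY_EXT)]
    match = PASSWORD_RE.search(body)
    if match:
        findings["password_in_body"] = match.group(1)
    encrypted = bool(findings["encrypted_archives"])
    key_supplied = findings["password_in_body"] is not None or findings["image_attachment"]
    if encrypted and key_supplied:
        findings["verdict"] = "quarantine"
    elif encrypted or findings["executables_inside"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "pass"
    return findings


def sample_messages() -> dict:
    """Constructed samples: a benign archive, a lure with the password in the text,
    and a lure with the password supplied as a picture."""
    jpeg_stub = b"\xff\xd8\xff" + b"\x00" * 16           # not a real image, just bytes
    return {
        "benign": build_message("Here are the photos from Saturday.",
                                [("photos.zip", "application", "zip",
                                  make_zip("photos/beach.jpg", jpeg_stub, encrypted=False))]),
        "lure_text": build_message("Your account details are in the attached archive. "
                                   "The archive password is s3cret.",
                                   [("info.zip", "application", "zip",
                                     make_zip("info.exe", b"MZ" + b"\x00" * 32, encrypted=True))]),
        "lure_image": build_message("See the attached picture for the archive key.",
                                    [("info.zip", "application", "zip",
                                      make_zip("info.exe", b"MZ" + b"\x00" * 32, encrypted=True)),
                                     ("key.gif", "image", "gif", b"GIF89a" + b"\x00" * 10)]),
    }


if __name__ == "__main__":
    for label, message in sample_messages().items():
        print(label, inspect_message(message))
```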

March - May 2004

Snapper and Wallon

These Internet worms consolidated the techniques introduced by NetSky and Bizex. Both worms scanned email address books on infected machines and sent links to infected sites to all contacts in the local address books. Virus writers placed script Trojans on infected sites: these Trojans then exploited vulnerabilities in Internet Explorer to install the main components on victim machines.


Even today, emails containing links are not treated by recipients with the appropriate caution. The user who is suspicious of emails with attachments will nevertheless cheerfully click on links supposedly sent by friends. Undoubtedly, this technique will continue to be used until users learn to treat links sent via email with the same wariness that they display towards email attachments. It seems likely that the continual discovery of new vulnerabilities in Internet Explorer and Outlook will only add fuel to the fire.

Sasser


The final ground-breaking virus of 2004 to date was Sasser, which appeared in late April. This Internet worm exploited a critical vulnerability in MS Windows, and spread in a similar way to Lovesan, connecting directly to the victim machine via the Internet. Sasser caused a serious outbreak in Europe and left behind an FTP-server vulnerability that was immediately picked up by Dabber and Cycle. When Sven Jaschan, the teenage author of Sasser, was arrested, he admitted to also being the author of the NetSky family.


The arrest of a virus writer so soon after the release of a new malicious program made history.

Sasser was evidence that virus writers recycle and plagiarize successful techniques: Jaschan used techniques exploited by Lovesan, and other virus writers in turn immediately picked up on his ideas.


Plexus


Plexus made history by becoming the first worm since Nimda (2001) to use all available propagation techniques: the Internet, email, P2P networks and LANs. Three years had passed since any virus writer utilized so many resources simultaneously.


Plexus was potentially an extremely dangerous worm based on the Mydoom source code. Here the virus writer followed in the footsteps of Sober's author. Parts of Sober were pure plagiarism, resulting in a worm which was more successful than some of the malicious program 'donors'.

Fortunately, no version of Plexus caused a serious outbreak, most likely because none of them used spammer mass mailing techniques for initial propagation. Nor did the author of these worms use any effective social engineering techniques. However, should they or somebody else choose to create new versions which correct these failings, the world may be at risk of a serious outbreak.


Beyond worms


The worms described above caused the most publicized outbreaks in recent IT history. However, other types of malware can pose a serious threat to computer and data security; it is therefore important to evaluate the total picture, including non-Windows environments, in order to understand current trends.


Other Malware


Trojans


Trojans are often perceived as being less dangerous than worms, as they cannot replicate or travel independently. However, this is a misconception: most of today's malware combines several components, and many worms carry Trojans as part of their payload. These Trojans also lay the foundations for bot networks.


Trojans themselves are becoming more sophisticated. Trojan spy programs are proliferating, with dozens of new versions appearing every week. These versions are all slightly different, but developed with one aim in mind: to steal confidential financial information.


Some of these programs are simple key loggers, which send a record of keyboard activity to the author or user of the program. The more elaborate versions offer complete control over victim machines, sending data to remote servers and receiving and executing commands.


Total control over victim machines is often the goal for Trojan writers. Infected machines are usually joined in a bot network, often using IRC channels or web sites where the coder posts new commands. The more complex Trojans, such as many Agobot variants, unite all infected machines into a single P2P network.


Once bot networks have been created, they are rented out to spammers or used to conduct DDoS attacks. The escalating commercialization of virus writing is leading to increased sophistication in bot network creation.


Trojan droppers and downloaders


Both droppers and downloaders have one goal: to install an additional piece of malware, be it a worm or another Trojan, on the victim machine. They differ from Trojans simply in the methods which they use.


Droppers either install another malicious program or a new version of previously installed malware. Droppers can carry several completely unrelated pieces of malware, which may display different behaviours and may even be written by different authors. In effect, droppers act as an archiver which can compress many different kinds of malware.


Droppers are often used to carry known Trojans. This is because it is significantly easier to write a dropper than a new Trojan, and to ensure that the dropper cannot be detected by antivirus solutions. Most droppers are written in VBS and JS, which accounts for their popularity; the languages themselves are relatively simple, with cross-platform application.


Virus writers often use downloaders in the same way as droppers. However, downloaders can be more useful than droppers. Firstly, downloaders are much smaller than droppers. Secondly, they can be used to download endless new versions of the targeted malware. Like droppers, downloaders are usually written in script languages such as VBS and JS, but they also often exploit Internet Explorer vulnerabilities.


Moreover, both droppers and downloaders are used not only to install other Trojans, but also other malicious programs such as adware and pornware.


Classic File Viruses


Classic file viruses reigned supreme in the 90s; however they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces.


On the whole, there is very little danger that classic file viruses will cause any major epidemics. Even Rugrat, the first proof of concept virus for Win64, is unlikely to change the situation in the foreseeable future.


Other Environments


Linux


To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware.


Handhelds


PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity. The first Trojan for Palm OS appeared in September 2000. The first proof of concept virus for Pocket PC, Duts, was slower to arrive, finally appearing in July 2004. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. Once virus writers decide that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly.


Mobile Phones


Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear.

History of Malware


Computer viruses have been around for a long time now. A detailed look at the roots of malware from the mid 20th century to the present.

History of Malicious Programs

Malicious software may seem like a relatively new concept. The epidemics of the past few years have introduced the majority of computer users to viruses, worms and Trojans - usually because their computers were attacked. The media has also played a role, reporting more and more frequently on the latest cyber threats and virus writer arrests.

However, malicious software is not really new. Although the first computers were not attacked by viruses, this does not mean they were not potentially vulnerable. It was simply that when information technology was in its infancy, not enough people understood computer systems to exploit them.

But once computers became slightly more common, the problems started. Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. As more and more people gained hands-on access to computers, they were able to learn how the machines worked. And some individuals inevitably used their knowledge with malicious intent.

As technology has evolved, so have viruses. In the space of a couple of decades, we have seen computers change almost beyond recognition. The extremely limited machines which booted from a floppy disk are now powerful systems that can send huge volumes of data almost instantaneously, route email to hundreds or thousands of addresses, and entertain individuals with movies, music and interactive Web sites. And virus writers have kept pace with these changes.

While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users, by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords.

So malicious software has turned into big business. An understanding of contemporary threats is vital for safe computing. This section gives an overview of the evolution of malware: it offers a glimpse of some historical curiosities, and provides a framework to help understand the origins of today's cyber-threats.

Who Creates Malware

Viruses and other malware do not come from nowhere: an explanation of who writes malicious programs and why.

Who Writes Malicious Programs and Why?

Virus writers: four general types

Virus writers belong to one of four broad groups: cyber-vandals, who can be divided into two categories, and more serious programmers, who can again be split into two groups.

Cyber vandalism - stage 1

In the past, most malware was written by young programmers: kids who had just learned to program and wanted to test their skills. Fortunately most of these programs did not spread widely - the majority of such malware died when disks were reformatted or upgraded. Viruses like these were not written with a concrete aim or a definite target, but simply for the writers to assert themselves.

Cyber vandalism - stage 2

The second largest group of contributors to malware coding were young people, usually students. They were still learning programming, but had already made a conscious decision to devote their skills to virus writing. These were people who had chosen to disrupt the computing community by committing acts of cyber hooliganism and cyber vandalism. Viruses authored by members of this group were usually extremely primitive and the code contained a large number of errors.

However, the development of the Internet provided space and new opportunities for these would-be virus writers. Numerous sites, chat rooms and other resources sprang up where anyone could learn about virus writing: by talking to experienced authors and downloading everything from tools for constructing and concealing malware to malicious program source code.

Professional virus writers

And then these 'script kiddies' grew up. Unfortunately, some of them did not grow out of virus writing. Instead, they looked for commercial applications for their dubious talents. This group remains the most secretive and dangerous section of the computer underground: they have created a network of professional and talented programmers who are very serious about writing and spreading viruses.

Professional virus writers often write innovative code designed to penetrate computers and networks; they research software and hardware vulnerabilities and use social engineering in original ways to ensure that their malicious creations will not only survive, but also spread widely.

Virus researchers: the 'proof-of-concept' malware authors

The fourth and smallest group of virus writers is rather unusual. These virus writers call themselves researchers, and they are often talented programmers who devote their skills to developing new methods for penetrating and infecting systems, fooling antivirus programs and so forth. They are usually among the first to penetrate new operating systems and hardware. Nevertheless, these virus writers are not writing viruses for money, but for research purposes. They usually do not spread the source code of their 'proof of concept viruses', but do actively discuss their innovations on Internet resources devoted to virus writing.

All of this may sound innocent or even beneficial. However, a virus remains a virus and research into new threats should be conducted by people devoted to curing the disease, not by amateurs who take no responsibility for the results of their research. Many proof of concept viruses can turn into serious threats once the professional virus writers gain access to them, since virus writing is a source of income for this group.

Why write viruses?

Fraud

The computer underground has realised that paid-for Internet services, such as Internet access, email and web hosting, provide new opportunities for illegal activity with the additional satisfaction of getting something for nothing. Virus writers have authored a range of Trojans which steal login information and passwords to gain free access to other users' Internet resources.

The first password-stealing Trojans appeared in 1997: the aim was to gain access to AOL. By 1998 similar Trojans had appeared for all other major Internet service providers. Trojans stealing login data for dial-up ISPs, AOL and other Internet services are usually written by people with limited means to support their Internet habit, or by people who do not accept that Internet resources are a commercial service just like any other, and must therefore be paid for.

For a long time, this group of Trojans constituted a significant portion of the daily 'catch' for antivirus companies worldwide. Today, the numbers are decreasing in proportion to the decreasing cost of Internet access.

Computer games and software license keys are another target for cyber fraud. Once again, Trojans providing free access to these resources are written by and for people with limited financial resources. Some hacking and cracking utilities are also written by so-called 'freedom fighters', who proclaim that all information should be shared freely throughout the computing community. However, fraud remains a crime, no matter how noble the aim is made out to be.

Organised cyber crime

The most dangerous virus writers are individuals and groups who have turned professional. These people either extract money directly from end users (either by theft or by fraud) or use zombie machines to earn money in other ways, such as creating and selling a spamming platform, or organizing DoS attacks where the aim is blackmail.

Most of today's serious outbreaks are caused by professional virus writers who organize the blanket installations of Trojans to victim machines. This may be done by using worms, links to infected sites or other Trojans.

Bot networks

Currently, virus writers either work for particular spammers or sell their wares to the highest bidder. Today, one standard procedure is for virus writers to create bot networks, i.e. networks of zombie computers infected with identical malicious code. In the case of networks used as spamming platforms, a Trojan proxy server will penetrate the victim machines. These networks number from a thousand to tens of thousands of infected machines. The virus writers then sell these networks to the highest bidder in the computer underground.

Such networks are generally used as spamming platforms. Hacker utilities can be used to ensure that these networks run efficiently: malicious software is installed without the knowledge or consent of the user, adware programs can be camouflaged to prevent detection and deletion, and antivirus software may be attacked.

Financial gain

Apart from servicing spam and adware, professional virus writers also create Trojan spies which they use to steal money from e-wallets, PayPal accounts and/or directly from Internet bank accounts. These Trojans harvest banking and payment information from local machines or even corporate servers and then forward it to the master.

Cyber extortion

The third major form of contemporary cyber crime is extortion or Internet rackets. Usually, virus writers create a network of zombie machines capable of conducting an organized DoS attack. Then they blackmail companies by threatening to conduct a DoS attack against the corporate website. Popular targets include e-stores, banking and gambling sites, i.e. companies whose revenues are generated directly by their on-line presence.

Other malware

Virus writers and hackers also ensure that adware, dialers, utilities that redirect browsers to pay-to-view sites and other types of unwanted software function efficiently. Such programs can generate profits for the computer underground, so it's in the interests of virus writers and hackers to make sure that these programs are not detected and are regularly updated.

In spite of the media attention given to young virus writers who manage to cause a global epidemic, approximately 90% of malicious code is written by professionals. Although all four groups of virus writers challenge computer security, the group which poses a serious and growing threat is the community of professional virus writers who sell their services.

Malware Descriptions

Definitions of malware categories and descriptions of individual viruses, Trojans, worms and other malicious programs.

Malicious Programs Descriptions

Malicious programs can be divided into the following groups: worms, viruses, Trojans, hacker utilities and other malware. All of these are designed to damage the infected machine or other networked machines.

Network Worms

This category includes programs that propagate via LANs or the Internet with the following objectives:

  • Penetrating remote machines
  • Launching copies on victim machines
  • Spreading further to new machines

Worms use different networking systems to propagate: email, instant messaging, file-sharing (P2P), IRC channels, LANs, WANs and so forth.

Most existing worms spread as files in one form or another - email attachments, in ICQ or IRC messages, links to files stored on infected websites or FTP servers, files accessible via P2P networks and so on.

There are a small number of so-called fileless or packet worms; these spread as network packets and directly penetrate the RAM of the victim machine, where the code is then executed.

Worms use a variety of methods for penetrating victim machines and subsequently executing code, including:

  • Social engineering; emails that encourage recipients to open the attachment
  • Poorly configured networks; networks that leave local machines open to access from outside the network
  • Vulnerabilities in operating systems and applications

Today's malware is often a composite creation: worms now often include Trojan functions or are able to infect exe files on the victim machine. They are no longer pure worms, but blended threats.

Classic Viruses

This class of malicious programs covers programs that spread copies of themselves throughout a single machine in order to:

  • Launch and/or execute this code once a user fulfills a designated action
  • Penetrate other resources within the victim machine

Unlike worms, viruses do not use network resources to penetrate other machines. Copies of viruses can penetrate other machines only if an infected object is accessed and the code is launched by a user on an uninfected machine.

This can happen in the following ways:

  • The virus infects files on a network resource that other users can access
  • The virus infects removable storage media which are then attached to a clean machine
  • The user attaches an infected file to an email and sends it to a 'healthy' recipient

Viruses are sometimes carried by worms as additional payloads, or they can themselves include backdoor or Trojan functionality which destroys data on an infected machine.

Trojan Programs

This class of malware includes a wide variety of programs that perform actions without the user's knowledge or consent: collecting data and sending it to a cyber criminal, destroying or altering data with malicious intent, causing the computer to malfunction, or using a machine's capabilities for malicious or criminal purposes, such as sending spam.

A subset of Trojans damage remote machines or networks without compromising infected machines; these are Trojans that utilize victim machines to participate in a DoS attack on a designated web site.

Hacker Utilities and other malicious programs

This diverse class includes:

  • Utilities such as constructors that can be used to create viruses, worms and Trojans
  • Program libraries specially developed to be used in creating malware
  • Hacker utilities that encrypt infected files to hide them from antivirus software
  • Jokes that interfere with normal computer function
  • Programs that deliberately misinform users about their actions in the system
  • Other programs that are designed to directly or indirectly damage local or networked machines

Virus Encyclopedia

Malware Environment:

Where do viruses live? What does a worm need to flourish? A concise description of software requirements for malware.

Three Criteria for Malware Existence

An operating system or application can only be vulnerable to malicious programs if it is able to launch external programs, however simple; conversely, any OS or application that can launch even the simplest external program is potentially vulnerable. Most contemporary operating systems and applications need to work with other programs, so they do end up being vulnerable. Potentially vulnerable OSs and applications include:

  • All popular desktop operating systems
  • Most office applications
  • Most graphical editors
  • Project applications
  • Any applications with a built-in scripting language

Computer viruses, worms and Trojans have been written for countless operating systems and applications. On the other hand, there are still numerous OSs and applications that are free from malware so far. Why is this so? What makes one OS more attractive to virus writers than others?

Malware appears in any given environment when the following criteria are met:

  • The operating system is widely used
  • Reasonably high-quality documentation is available
  • The targeted system is insecure or has a number of documented vulnerabilities

All three criteria are key factors and all three need to be met before the given system will be targeted by virus writers.

In the first place, in order for hackers and cyber vandals to even consider any system, the target needs to be popular enough for them to access it. Once an OS or application is widely available and marketed successfully, it turns into a viable target for virus writers.

A quick look at the number of malicious programs written for Windows and Linux shows that the volume of malware is roughly proportional to the respective market share of these two operating systems.

Detailed documentation is necessary for both legal developers and hackers, since documentation includes descriptions of available services and rules for writing compatible programs.

For instance, most mobile phone vendors do not share this information, leaving both legal vendors and hackers helpless. On the other hand, some vendors of smart phones do publish their documentation. The first viruses for Symbian (Worm.SymbOS.Cabir.a) and Windows CE (WinCE.Duts.a) appeared shortly after the documentation was published in mid-2004.

The architecture of a well-designed OS or application needs to take security into account. A secure solution does not allow new or unsanctioned programs extensive access to files or potentially dangerous services. This leads to difficulties, as a fully secure system will block not only malware, but 'friendly' programs as well. As a result, none of the widely available systems can be called truly secure.

Java virtual machines that launch Java applications in 'sandbox' mode come close to achieving secure conditions. In fact, no viruses or Trojans posing a serious threat have been written in Java for a long time, though non-viable proof-of-concept malware does occasionally appear. Malware written in Java appeared only when vulnerabilities in Java Virtual Machine security were discovered and publicized.
