Malware Trends

Where are we headed? An in-depth look at recent events helps forecast future trends and security issues.

Where We've Been and Where We're Going

Worms - trendsetting

The trends in virusology that we observe today have their primary roots in the second half of 2003. Internet worms Lovesan, Sobig, Swen and Sober all not only caused global epidemics, but alos profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers.

Once a piece of malware which uses fundamentally new techniques to propagate or infect victim machines appears, virus writers are quick to adopt the new approach. Today's new threats all incorporate characteristics of Lovesan, Sobig, Swen or Sober. Therefore, in order to understand what virus writers are doing currently, and to predict what the future may bring, we need to examine this quartet of worms carefully.

Lovesan

Lovesan appeared in August 2003 and infected millions of computers worldwide in just a few days. This Internet worm propagated by exploiting a critical vulnerability in MS Windows. Lovesan spread directly via the Internet, moving from computer to computer, ignoring methods such as IRC, P2P and email, which were popular at the time. The Morris worm first used this propagation method in 1988, but it took 15 years for another virus writer to take advantage of this particular technique.

To some extent, Lovesan was a copycat worm; by exploiting an MS Windows vulnerability, it followed in Slammer's footsteps. However, although Slammer, which struck in January 2003, infected approximately half a million computers, it did not achieve the same infection rates as Lovesan.

Slammer was also the first classic file-less worm - certainly an achievement, in a perverse way for the coder, since writing a viable file-less worm requires strong programming skills. As a matter of fact, there has only been one other moderately 'successful' file-less worm since Slammer - Witty, which made its appearance in March 2004.

Lovesan also started another trend - the inclusion of DoS attacks on corporate sites part of the worm's payload. Lovesan attacked Microsoft and had the attack been successful, millions of users worldwide would have been unable to download the patches they needed to protect their machines from the worm. Fortunately, the DoS attack failed, but Microsoft did re-engineer their web server architecture in response.

summarize, Lovesan set the following trends:

• Exploiting critical vulnerabilities in MS Windows
• Propagation via the Internet through direct connections to victim machines
• Organising DoS and DDos attacks on key websites

Sobig.f

Sobig.f followed hard on the heels of Lovesan in August 2003 and created the first serious email worm outbreak of the twenty-first century. At the height of the epidemic one out of 10 email messages was infected by Sobig. Email traffic increased ten fold and included millions of messages from antivirus programs faithfully informing spoofed senders about the detected and deleted malware.

Sobig.f did not exploit any vulnerabilities and the messages attributes (message subject etc.) were also nothing out of the ordinary. However, Sobig's payload included a backdoor function that left antivirus professionals waiting with bated breath for August 22 - the date when all Sobig controlled zombies were scheduled to receive a mystery command. Fortunately, the server where the command was to be launched was shut down on time, but Sobig.f continues to plague the Internet community, remaining among one of the most common viruses worldwide.

Large-scale epidemics are not caused by classic worms released into the wild from a few computers. These classic worms often take weeks or even months to reach a peak of activity.Sobig.f was no exception to this rule: it exploited machines infected previously by prior versions. Sobig.a appeared in January 2003 and was followed by several modifications, all of which conscientiously built a network of infected machines, machine by machine. Once critical mass was reached Sobig.f struck.

Sobig.f initiated the wave of large-scale email worm outbreaks seen in 2004, and this wave will continue to break until some new technique is invented! Sobig brought two innovative techniques to the world of malware:

• The creation of networks of infected machines to serve as epidemic platforms
• Mass mailing of malware using spammer techniques

Swen

Let's move on in time to September 18, 2003. Early in the morning, Kaspersky Lab received a sample from New Zealand. The worm looked interesting, but nobody anticipated an epidemic. However, 6 hours later cries for help from infected users worldwide proved that a new and dangerous virus has joined the fray.

At first glance, Swen seemed to be yet another worm using standard propagation methods - email, IRC and P2P networks. However, Swen stood out from the crowd for its stunningly successful social engineering. The worm arrived disguised as a patch from Microsoft which would supposedly secure all vulnerabilities. The message included Microsoft logos, links to real Microsoft resources and a very convincing text. Recipients, scared by the recent publicity about the Lovesan and Sobig outbreaks, and having absorbed the lesson that patching is essential, obediently clicked on the link. The email was so convincing that many experienced users were caught out, joining droves of less informed users in launching the worm.

The resulting outbreak was certainly less serious than the ones caused by Lovesan and Sobig (only 350 infected servers were used to spread Swen), however, Swen did prove that social engineering works, and works very well indeed when properly implemented.

Sober

Sober is the final entrant in the list of interesting worms from 2003. Sober is a Sobig copycat, but had some innovative features. Infected emails came in many languages, with the language chosen being determined by the recipient's IP address of the recipient. Sober also exploited social engineering techniques by pretending to be a removal tool for Sobig.

2OO4

2004 has so far given us many new and original malicious programs. Some of these incorporate last year's developments, but many new features and proof of concept viruses demonstrate that the computer underground is still thriving and continuing to evolve.

January 2004

A new Trojan proxy, Mitglieder, appeared in the first week of the new year. Thousands of ICQ users received a message inviting them to visit a specified site. Users who clicked on the link then turned to antivirus vendors for help. The site contained a Trojan that used a vulnerability in MS IE to install and launch a proxy server on the victim machine without the user's knowledge. The proxy opened a port making it possible for a remote user to send and receive email using the infected machine. Victim machines were transformed into zombies spewing out spam. Virus writers quickly adopted the two new techniques introduced in Mitglieder:

• Mass mailings of links to infected sites via email or ICQ
• Trojan proxies become a separate class of malware closely linked to spammers

Last but not least, Mitglieder also created a network of zombie machines - but the world only found out about this when Bagle struck.

Bagle seems to have been written by the same group which authored Mitglieder. Bagle also either installed a Trojan proxy server or downloaded it from the Internet. In any case, the worm was simply an improved version of Mitglieder, with the ability to propagate by email. Moreover, Bagle was sent from machines infected by Mitglieder.

And finally, the most serious virus epidemic in computer history to date: the worm Mydoom.a. It propagated using a network of zombie machines infected in advance (like Sobig), a clever bit of social engineering (like Swen), incorporated an effective backdoor function and was programmed to conduct a DoS attack on a corporate site (like Lovesan).

This concatenation of features copied from three highly viable worms broke all records.

Mydoom.a created more email traffic than the recent leader Sobig.f; infected millions of machines worldwide, opening ports to external access and effectively crashing the SCO website.
Mydoom.a did more than build on the success of its predecessors in creating the most severe epidemic in computer virology to date. The worm introduced a new technique as well. The backdoor installed by Mydoom was exploited by other malware authors, with new viruses that searched for the Mydoom backdoor component appearing immediately. Most of these newcomers penetrated machines via the backdoor, deleted Mydoom and installed themselves in place of Mydoom. Some of these copycats caused local outbreaks and they all forced local segments of the Mydoom zombie network to work for the copycat virus writers instead.

Thus, we saw yet another technique gain popularity:

• Using vulnerabilities or holes created by other viruses

February 2004

NetSky.b

This email worm used the network of infected machines left in the wake of Backdoor.Agobot to spread. NetSky.b demonstrated most of the techniques listed above but also deleted a number of worms: Mydoom, Bagle and Mimail. The idea of a so-called 'antivirus' virus is not new. The first significant example of this supposedly helpful species, Welchia, appeared in 2003. Welchia not only penetrated computers to clean machines infected by Lovesan, it also attempted to download the Windows patch that closed the vulnerability exploited by Lovesan in the first place.

NetSky not only deleted competitor viruses, but engaged their authors in a war of word, coding insults into the body of the virus. The writer of Mydoom did not take up the challenge, but the authors of Bagle picked up the gauntlet and the virus war began. At the peak of activity, three versions of each worm appeared in the space of one day.

Setting aside the issue of verbal warfare, the authors of Bagle and NetSky introduced several innovations:

• Active deletion of competitor viruses
• Propagation in archived files (Bagle & NetSky variants)
• Propagation in password-protected compressed files: passwords were either included as text strings or as graphics (Bagle)
• Abandoning propagation by email: instead, the malicious programs spread by directing infected machines to sites where the worm's body was downloaded or downloading the worm's body from previously infected machines (NetSky)

The incidents listed above have not only had a serious influence on virus writers, but also on the evolution of the architecture and functionality of contemporary antivirus solutions.

The move to abandon emailing the body of the worm is particularly significant. NetSky.q, a NetSky variant that spread by sending emails with links to previously infected machines, was immediately followed by Bizex. Bizex was the first ICQ worm; it penetrated machines via ICQ and sent all ICQ contacts found on newly infected machines links to a site where the body of the worm was located. Once users clicked on the link, the body of the worm would be downloaded from the infected web site and the cycle started again. Bizex successfully combined characteristics of Mitglieder (propagation via ICQ) and NetSky (sending links to infected web sites).

March - May 2004

Snapper and Wallon

These Internet worms consolidated the techniques introduced by NetSky and Bizex. Both worms scanned email address books on infected machines and sent links to infected sites to all contacts in the local address books. Virus writers placed script Trojans on infected sites: these Trojans then exploited vulnerabilities in Internet Explorer to install the main components on victim machines.

Even today, emails containing links are not treated by recipients with the appropriate caution. The user who is suspicious of emails with attachments will nevertheless cheerfully click on links supposedly sent by friends. Undoubtedly, this technique will continue to be used until users learn to treat links sent via email with the same wariness that they display towards email attachments. It seems likely that the continual discovery of new vulnerabilities in Internet Explorer and Outlook will only add fuel to the fire.

Sasser

The final ground-breaking virus of 2004 to date was Sasser, which appeared in late April. This Internet worm exploited a critical vulnerability in MS Windows, and spread in a similar way to Lovesan, connecting directly to the victim machine via the Internet. Sasser caused a serious outbreak in Europe and left behind an FTP-server vulnerability that was immediately picked up by Dabber and Cycle. When Sven Jaschan, the teenage author of Sasser, was arrested, he admitted to also being the author of the NetSky family.

The arrest of a virus writer so soon after the release of a new malicious program made history.
Sasser was evidence that virus writers recycle and plagiarize successful techniques: Jaschan used techniques exploited by Lovesan, and other virus writers in turn immediately picked up on his ideas.

Plexus

Plexus made history by becoming the first worm since Nimbda (2001) to use all available propagation techniques: - the Internet, email, P2P networks and LANs. Three years had passed since any virus writer utilized so many resources simultaneously.

Plexus was potentially an extremely dangerous worm based on the Mydoom source code. Here the virus writer followed in the footsteps of Sober's author. Parts of Sober were pure plagiarism, resulting in a worm which was more successful than some of the malicious program 'donors'.
Fortunately, no version of Plexus caused a serious outbreaks, most likely because none of them used spammer mass mailing techniques for initial propagation. Nor did the author of these worms use any effective social engineering techniques. However, should they or somebody else choose to create new versions which correct these failings, the world may be at risk of a serious outbreak.

Beyond worms

The worms described above caused the most publicized outbreaks in recent IT history. However, other types of malware can pose a serious threat to computer and data security; it is therefore important to evaluate the total picture, including non-Windows environments, in in order to gain a complete picture of current trends.

Other Malware

Trojans

Trojans are often perceived as being less dangerous than worms, as they cannot replicate or travel independently. However, this is a misconception: most of today's malware combines several components, and many worms carry Trojans as part of their payload. These Trojans also lay the foundations for bot networks.

Trojans themselves are becoming more sophisticated. Trojan spy programs are proliferating, with dozens of new versions appearing every week. These versions are all slightly different, but developed with one aim in mind: to steal confidential financial information.

Some of these programs are simple key loggers, which send a record of keyboard activity to the author or user of the program. The more elaborate versions offer complete control over victim machines, sending data to remote servers and receiving and executing commands.

Total control over victim machines is often the goal for Trojan writers. Infected machines are usually joined in a bot network often using IRC channels or web sites where the coder puts new commands. The more complex Trojans, such as many Agobot variants, unites all infected machines into a single P2P network.

Once bot networks have been created, they are rented out to spammers or used to conduct DDoS attacks. The escalating commercialization of virus writing is leading to increased sophistication in bot network creation.

Trojan droppers and downloaders

Both droppers and downloaders have one goal: to install an additional piece of malware, be it a worm or another Trojan, on the victim machine. They differ from Trojans simply in the methods which they use.

Droppers either install another malicious program or a new version of previously installed malware. Droppers can carry several completely unrelated pieces of malware, which may display different behaviours and may even be written by different authors. In effect, droppers act as an archiver which can compress many different kinds of malware.

Droppers are often used to carry known Trojans. This is because it is significantly easier to write a dropper than a new Trojan, and to ensure that the dropper cannot be detected by antivirus solutions. Most droppers are written in VBS and JS, which accounts for their popularity; the languages themselves are relatively simple, with cross-platform application.

Virus writers often use downloaders in the same way as droppers. However, downloaders can be more useful than droppers. Firstly, downloaders are much smaller than droppers. Secondly, they can be used to download endless new versions of the targeted malware. Like droppers, downloaders are usually written in script languages such as VBS and JS, but they also often exploit Internet Explorer vulnerabilities.

Moreover, both droppers and downloaders are use not only to install other Trojans, but also other malicious programs such as adware and pornware.

Classic File Viruses

Classic file viruses reigned supreme in the 90s; however they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces.

On the whole, there is very little danger that classic file viruses will cause any major epidemics. Even Rugrat, the first proof of concept virus for Win64, is unlikely to change the situation in the foreseeable future.

Other Environments

Linux

To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware.

Handhelds

PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity. the first Trojan for Palm OS appeared in September 2000. The first proof of concept virus for Pocket PC, Duts, was slower to arrive, finally appearing in July 2004. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. Once virus writers decided that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly.

Mobile Phones

Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear.