
Malware Evolution: July – September 2006

The first six months of 2006 was notable for the complexity of the technologies which antivirus companies had to deal with, a large number of new proof of concept programs, and the ever increasing interest shown by hackers in Microsoft Office. The impression was that of a stormy confrontation of ideas from those on both sides of the virus war. Proactive protection, cryptography, rootkit technologies, and vulnerabilities were all hot topics in the first half of the year. However, after a burst of activity there’s inevitably a period of calm, when both sides attempt to evaluate the results of their labours, and come to some sort of conclusion about just how successful (or otherwise) a particular approach or idea has been. The third quarter of 2006 turned out to be just such a period of reflection and summer relaxation.

There wasn’t a single significant epidemic during this period, although of course the antivirus industry waited for August with bated breath. This was more a matter of tradition than because of any real threat; for the past three years, August has always brought a major virus epidemic. 2003: Lovesan and the MS03-026 vulnerability. 2004: Zafi and Bagle. 2005: Bozori (a.k.a. Zotob) which exploited the MS05-039 vulnerability to paralyze the networks of CNN, ABC, the New York Times and many other organizations in the USA.

There weren’t any new proof of concept viruses either. This is also connected to the fact that the virus writers needed time to digest the events of the first six months of the year – an embarrassment of riches which they exploited to the full with new proof of concept code.

All was quiet on the virus front, with most of the activity being the everyday jockeying for position on the Internet.

Vulnerabilities

It’s starting to seem that we use the word ‘vulnerability’ more often in our quarterly reports than we do the word ‘virus’. This is an accurate reflection of current trends in information security. The days when viruses were able to exist and spread at the whim of their creators are long gone. The years of struggle between virus writers on the one side and antivirus companies and software developers on the other have led to the current situation, where nearly all malicious programs capable of causing an epidemic spread via security loopholes. Network worms, which owe their existence to vulnerabilities in Windows services are a shining example of how exploiting a security hole can result in an epidemic of global proportions. Internet Explorer vulnerabilities have provided fertile soil for thousands of Trojan programs. All of this makes us wait for information about new critical vulnerabilities with bated breath, and all the more so when there is no patch available for the relevant vulnerability.

Vulnerabilities in Office

In our report covering the second quarter of 2006, we highlighted a problem which very quickly became a key information security issue. From March onwards, we were barely able to keep up with the flood of vulnerabilities being detected in Microsoft Office products. Word, Excel and PowerPoint all came under fire from the blackhats. In a mere three months, the number of security holes rose to close on a dozen, and they were all publicized before Microsoft was able to put out an appropriate patch.

Furthermore, it was clear that virus writers had adapted to Microsoft’s habit of releasing patches according to a schedule, on the second Tuesday of every month. Malware authors started releasing their creations just a few days (and no longer than a week) after the latest scheduled patches had been issued. This resulted in almost a month going by during which the latest vulnerabilities could be exploited by hackers, with users being left unprotected.

However, that’s not the most worrying thing. In analyzing the malicious programs which use vulnerabilities in Office to propagate, both Kaspersky Lab and other antivirus companies analyzed the vulnerabilities themselves. And it became clear that one and the same problem in OLE documents (files created using Microsoft Office) lay at the heart of all these vulnerabilities. It wouldn’t be enough to issue a patch for each vulnerability – Microsoft would have to totally review the technology used to process OLE objects. Issuing patches each month was similar to putting a Band-Aid on a major wound – the total number of potential loopholes in OLE objects came to over 100.

Between July and September nothing really changed. Malicious users – with Chinese hackers being the most active – continued to challenge Microsoft with new Trojans, and Microsoft continued to stick to its scheduled patch routine.

July (3 vulnerabilities):

  • Microsoft Security Bulletin MS06-037: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
  • Microsoft Security Bulletin MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
  • Microsoft Security Bulletin MS06-039: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

August (2 vulnerabilities):

  • Microsoft Security Bulletin MS06-047: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
  • Microsoft Security Bulletin MS06-048: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)

September (1 vulnerability):

  • Microsoft Security Bulletin MS06-054: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

The situation was becoming ridiculous. At Kaspersky Lab, we even started betting on how long it would take for a new vulnerability to be detected in Office after the previous patch had been released. And the question wasn’t whether a new vulnerability would be detected, but when: in each case, it was clearly only a matter of time, and not much time at that. It should be stressed that for nearly all of these vulnerabilities there were dozens of Trojans which were detected either in mail traffic, or on users’ machines. Thanks have to go to our colleagues in the antivirus industry, and particularly to Trend Micro – they detected both the vulnerabilities and the Trojans exploiting them, and informed Microsoft of the problem.

As I’ve already mentioned, Chinese virus writers were particularly active in exploiting these vulnerabilities and using them to circulate Trojan programs. Users in Europe, Asia and the USA were targeted by Hupigon, PcClient and HackArmy, all backdoor programs. It could be that the DoS attacks on antivirus vendors, which originated from zombie networks created by these Trojans, were a spin off from the ongoing struggle between hackers and antivirus companies.

Chance – or a planned attack?

Here’s a controversial thought. Maybe we’re dealing not with hackers who are demonstrating their latest burst of interest in a piece of software. Maybe it’s a carefully planned and carefully conducted attack on Microsoft. If that’s the case, who is doing it and why?

We haven’t managed to establish that a single hacker group is responsible for all these attacks. And it’s very hard to believe that the timing is coincidental – that over a period of six months, new security loopholes were uncovered by a number of unconnected hackers immediately after old vulnerabilities had been patched. No, that’s not the way things happen, with individual virus writers around the world all being struck by the idea of disclosing vulnerabilities in step with Microsoft’s patch schedule. If hackers get their hands on a new exploit, they’re not going to wait several weeks before using it. After all, the dictum ‘time is money’ is just as applicable to cybercrime as it is to business. As for how exploits and money are related: the WMF vulnerability is a case in point, and an exploit for this vulnerability was sold on certain hacker forums for $4,000 (see Malware Evolution: September – December 2005 for details).

As we know, MS Office is Microsoft’s second most important product, and brings the company approximately half of its profits. Office is the de-facto standard, and effectively has a monopoly on the market. Naturally enough, this doesn’t please competitors, who have been attempting to create similar products for years.

In the majority of countries, searching for vulnerabilities is not forbidden by law. Whether or not you should comb your competitor’s products for vulnerabilities therefore seems to be more of an ethical question than one governed by legislation. The tendency for new vulnerabilities to surface a mere few days after a patch for previous vulnerabilities had been released seems like an attempt to discredit Microsoft as an information security specialist in general, and to specifically target the company’s habit of releasing patches according to a defined schedule.

Microsoft has a lot of enemies, and a concerted campaign to discredit the company using vulnerabilities and the company’s own patch schedule could, indeed, damage the software giant’s reputation.

The situation remains extremely complex. Although the number of vulnerabilities fell to zero by the end of the quarter (going by the Security Bulletins released by Microsoft), this does not mean that the problem has been solved. On the contrary, we expect to see even more complex attacks on Microsoft Office. Why? Because Microsoft has released Office 2007 into open beta testing, and this will give hackers and security researchers yet another target.

This report, written in October, also examines vulnerabilities fixed by patches released in October. I believe they should be included in this report as they were originally detected in September.

October:

  • Microsoft Security Bulletin MS06-058: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)
  • Microsoft Security Bulletin MS06-059: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)
  • Microsoft Security Bulletin MS06-060: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554)
  • Microsoft Security Bulletin MS06-062: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581)

No comment.

News from the mobile front

The problem of mobile malware is of great interest both to Kaspersky Lab and to me personally. Regular readers will know that we’ve put out a certain amount of material on this topic lately, including information in our half yearly report and in ‘Mobile Malware Evolution’. These materials provided an overview of all current types and classes of mobile malware, which leaves only the events of July – September 2006 unexamined.

In this period, there were only a few pieces of mobile malware which stood out from the mass of primitive Skuller-like Trojans.

Comwar 3.0

Let’s take a look at them in order of appearance. In August, antivirus companies got hold of a new variant of Comwar, the most widely spread MMS worm.

Detailed analysis showed that the worm contains the following text strings:

  • CommWarrior Outcast: The Dark Masters of Symbian.
  • The Dark Side has more power!
  • CommWarrior v3.0 Copyright (c) 2005-2006 by e10d0r
  • CommWarrior is freeware product. You may freely distribute it in it’s original unmodified form.

The new variant differed from previous ones not only because it contained a version number (3.0), but also because its Russian author had made some technical innovations. This variant was the first to use file infecting technologies – the worm searches for other sis files on the phone, and writes itself to these files. This makes it possible for it to spread in yet another way, in addition to its traditional MMS and Bluetooth propagation routines.

Essentially, Comwar now uses all possible vectors to penetrate devices and to propagate. All, except for one. And this was demonstrated at the end of August by another worm, Mobler.a.

Mobler.A

Mobler.a was the first cross platform virus capable of infecting both Symbian and Windows systems. The propagation routine works as follows: the worm copies itself from the computer to the telephone and vice versa. If the worm is launched on a PC, it drops its .sis file to disk E: (as a rule, mobile devices connected to a computer will be defined as the E: drive.) This file contains several empty files, and overwrites a number of system applications with these files. The file also contains the worm’s Win32 component, which copies itself to the device’s removable memory card and drops a file called autorun.inf. If an infected phone is connected to a computer and an attempt is made to contact the removable memory card, then the worm will launch automatically and infect the computer.

This is proof of concept code developed by an unknown author; however, this propagation method could theoretically become one of the most popular for infecting mobile devices. It’s also possible that it could have even more of an influence on the evolution of mobile malware than propagation via MMS, as not only the handset, but also the computer would be targeted. And the computer, naturally, contains data which is of interest to the cyber criminal. Given this, Mobler.a should probably be regarded as a new way of attacking personal computers, rather than purely a new way of penetrating mobile phones.

Acallno

In general, mobile malware is in a state of stagnation. Nearly all the possible technologies, types and classes of virus for Symbian smartphones have already been implemented. It’s only the low level of smartphone ownership (low in comparison to computer ownership) and the fact that there’s no clear commercial benefit to be had from infecting a telephone that is preventing the mass spread of mobile malware. The resources which can currently be stolen from a telephone are limited: the address book, and the call and SMS logs. And the Acallno Trojan targets just that: SMS data.

This program, which is designed to spy on the user of a designated telephone, was developed by a commercial firm. Acallno can be configured for use on a particular phone in accordance with the phone’s International Mobile Equipment Identity code, and will not work if it’s simply copied to another phone. It masks its presence in the system and this, in conjunction with its spy functionality, makes us view it as a malicious program. The Trojan (which is how we classify it, even though the program is sold legally) sends copies of all sent and received SMS messages to a specially configured number.

Wesber

In addition to the fact that the content of SMS messages can be stolen, SMSs can also be used to steal money from the subscriber’s account. Wesber, the latest Trojan for J2ME, implements this functionality. Wesber was originally detected at the very beginning of September, and it’s the second Trojan that we know of which is capable of functioning on both smartphones and the vast majority of modern handsets, as it’s written for the Java platform.

Just as its predecessor RedBrowser did, Wesber.a sends several SMSs to a premium number. The subscriber is charged $2.99 for every SMS sent. Until recently, it was extremely easy to obtain Russian mobile operator premium numbers. If such a Trojan had become widespread, it would have been fairly difficult to track the culprit. However, mobile operators have recently started to be concerned about the increase in SMS scams, and have started to take steps, including making the registration of such premium numbers more difficult. (See http://mobile-review.com/articles/2006/virus-mobile.shtm for further details.)

And this is where our review of mobile malware in the third quarter of 2006 ends. However, there is one more topic which is indirectly related to mobile device security: the question of Wi-Fi malware.

Wi-Fi worms: almost a reality

In August, Intel announced that a serious vulnerability had been detected in the Wi-Fi function of Intel Centrino processors. Although the details of the vulnerability weren’t made public, it was clear that the vulnerability could make it possible to “Execute arbitrary code on the target system with kernel-level privileges”. A fix for laptops affected by the issue was released straight away, but we were hooked by the very fact that what had previously been mere theory had almost become reality. I’m talking, of course, about Wi-Fi worms.

There are a number of ways in which such a worm could function, and I’d rather not go into detail, so as not to give virus writers any ideas. However, this case is fairly clear. Such a vulnerability in Intel Centrino chips makes the appearance of a worm which would spread from laptop to laptop within its Wi-Fi range more likely. A very simple principle – all we have to do is remember the classic network worms of the past, such as Lovesan, Sasser and Slammer. The worm detects a vulnerable laptop and sends a specially crafted packet to exploit the vulnerability. It’s possible for the worm to then send its body to the computer under attack, and then start the infection-propagation cycle again. The only obstacle would be how to find victims to attack. Selecting victims according to MAC address would be relatively difficult, and selecting them according to IP address clearly wouldn’t work in such a case. However, a worm could use IP addresses to attack neighbouring machines on a Wi-Fi access point. And here, of course, we shouldn’t forget that lots of laptops are configured to automatically search for Wi-Fi access points.

I want to stress that this is only one of the possible methods a Wi-Fi worm could use. Wi-Fi adaptor vulnerabilities are still rare, but who knows what will happen in the future? After all, it’s not so long ago that mobile malware seemed like the purest science fiction…

Viruses for Instant Messenger

Over the past year, one major security problem has been caused by malicious programs which spread using IM clients such as ICQ, MSN, and AOL. The beginning of 2005 was notable for multiple primitive IM worms. These demonstrated that sending links via IM which lead to malicious programs placed on websites is almost as effective in terms of infection as sending malicious code via email. Interestingly, in spite of the fact that all IM clients have a ‘send file’ function, the authors of IM-worms either decided not to use this function, or were unsure of how to use it to penetrate a system.

Since 2005, most IM attacks have been conducted by sending links which lead to a web site prepped with a malicious file. The user is extremely likely to open a link sent by an acquaintance or friend (a lot of Trojans send links to those on the user’s IM contact list). Click on the link, and the malicious program then penetrates the system, either by exploiting various vulnerabilities in Internet Explorer, or by simply being uploaded and launched on the victim machine.

Over time, we’ve seen two main trends develop in the evolution and implementation of this method. They are closely connected to the fact that different IM clients are popular in different countries.

In Europe and the USA, most IM attacks target MSN and AOL users. In Russia, however, ICQ, Miranda, and Trillian users will be under attack. This is because AOL and MSN are rarely used in Russia, and therefore not a popular target for attack. The situation in China is similar, where the most common IM client is QQ.

In addition to the tendency to attack different IM clients, the malicious programs also vary according to region. In the West, the main threat to IM is IM-Worms, a grouping which includes the well known Kelvir, Bropia and Licat, which attack AOL and MSN. In addition to being able to propagate, the majority of IM-Worms are also able to install other malicious programs to the system. One example is Bropia (which currently holds the record for the most number of variants among programs targeting IM) a worm which installs Backdoor.Win32.Rbot on the victim machine, turning it into another zombie machine in a botnet. There are also a number of worms which attack the popular Chinese QQ IM client.

The situation with ICQ is entirely different. There are very few worms which spread via ICQ. Instead, Russian users are targeted by a multitude of Trojan programs, most notably the notorious Trojan spy program LdPinch.

Some variants of this malicious program have very interesting functionality. Once the program has penetrated the victim machine and harvested the information which the remote malicious user wants, the Trojan then sends a link to the site where it’s located to the user’s ICQ contacts. In the third quarter of 2006, the Russian segment of the Internet was hit by several such epidemics, when hundreds of thousands of users received links from their contacts – links which promised ‘funny pictures’ or ‘summer pictures’. Of course, the sources of the links were machines infected by the Trojan, and not the users they purportedly came from.

Unfortunately, ICQ is not currently taking any measures to filter content and delete such links from messages, preventing them from being delivered to users, as MSN has done. Microsoft had to take such a step, blocking links to executable files, after significant IM-Worm activity last year. However, such a filter is not a universal panacea, as in addition to sending links to infected files, a malicious user can send links to websites which contain browser exploits. As a result, a user with an unpatched browser can be infected. The current MSN filter algorithm is also far from perfect, as the incident described below shows.

At the end of September, a burst of IM-Worm activity was detected in the Western segment of the Internet. The largest burst of activity was caused by IM-Worm.Win32.Licat.c. The worm used MSN to send links which looked like this:

[Image: sample links sent by Licat.c]

All of these links lead to a variety of Trojan downloaders, which would, in turn, install adware (Adware.Win32.Softomate) and other Trojan programs connected to adware. Of course, Licat.c would also install itself on the victim machine, leading to another propagation cycle.

Although it looked as though the MSN filter should be able to block messages like this, the worm continued to spread actively. Analysis showed that the MSN filter did not block links to a PIF file if the extension was written in anything other than lower-case .pif. In other words, the filter was case sensitive, and would not be triggered by capital letters. The worm’s authors used this loophole, and the filter let links with a .PIF extension through. We informed Microsoft of the issue, and it was quickly dealt with.
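As an added illustration (this is not code from the report, nor Microsoft’s actual filter), the following contrasts a case-sensitive link check that reproduces the weakness described above with a hardened version that normalises the URL path before looking at the extension. The blocked-extension list and the sample links are constructed for the example; `example.test` is a placeholder host.

```python
from urllib.parse import urlsplit, unquote

# Constructed list of extensions an IM link filter would refuse to deliver.
# The report mentions executable files and .pif; the rest are assumptions.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def naive_filter_blocks(link: str) -> bool:
    """Case-sensitive check modelled on the flaw in the report: a link ending in
    '.pif' is blocked, but '.PIF' or '.Pif' (or a query string) slips through."""
    return any(link.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def hardened_filter_blocks(link: str) -> bool:
    """Normalise before deciding: use only the URL path (not query/fragment),
    percent-decode it, ignore trailing dots/spaces, and compare case-insensitively."""
    parts = urlsplit(link.strip())
    path = unquote(parts.path)                 # '%2Epif' -> '.pif'
    filename = path.rsplit("/", 1)[-1]         # last path segment only
    filename = filename.rstrip(". ")           # Windows drops trailing dots/spaces
    if "." not in filename:
        return False
    ext = "." + filename.rsplit(".", 1)[-1].casefold()
    return ext in BLOCKED_EXTENSIONS


# Constructed sample links (no real sites); the second one is the trick the
# report describes: same file, extension in capitals.
SAMPLE_LINKS = [
    "http://example.test/pics/summer_pictures.pif",
    "http://example.test/pics/summer_pictures.PIF",
    "http://example.test/pics/Funny_Pictures.Pif?id=7",
    "http://example.test/pics/photo%2Epif",
    "http://example.test/pics/summer.jpg",
    "http://example.test/gallery/",
]


def compare_filters(links):
    """Return (link, blocked_by_naive, blocked_by_hardened) for each link."""
    return [(l, naive_filter_blocks(l), hardened_filter_blocks(l)) for l in links]


def bypasses(links):
    """Links the naive filter delivers but the hardened one would block."""
    return [l for l, naive, hard in compare_filters(links) if hard and not naive]


if __name__ == "__main__":
    for link, naive, hard in compare_filters(SAMPLE_LINKS):
        print(f"{'BLOCK' if naive else 'pass ':5} | {'BLOCK' if hard else 'pass ':5} | {link}")
```

Running it shows the lower-case link blocked by both filters, while the capitalised, query-string and percent-encoded variants pass the naive check and are stopped only by the hardened one.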

All of these examples show that there is no method which will protect against such propagation methods. The main problem is the human factor: users are very trusting of links which appear to have been sent by a friend or a contact, and the situation is reminiscent of the era of email worms, when unsuspecting users launched files sent to them via email. Now they’re clicking on IM links instead.

The advice that we gave a year and a half ago remains relevant. We recommend that system administrators and IT security professionals should be highly aware of the potential threat currently posed by IM, and should consider forbidding its use as part of the company’s security policy. In addition to this, taking into account the way in which such worms penetrate victim machines (via a link which is opened in the browser), all incoming HTTP traffic should be monitored.

And more vulnerabilities…

Between July and September 2006, it wasn’t only the multiple vulnerabilities in Microsoft Office which posed a serious threat to users, but also two other security loopholes in Microsoft products. The first of these was described in Microsoft Security Bulletin MS06-040, and was reminiscent of MS03-026, a vulnerability from August 2003. The two vulnerabilities had a great deal in common. They were both of the most dangerous type of vulnerability – a loophole which made it possible for an attacker to execute arbitrary code via a network attack. Back in August 2003, MS03-026 resulted in the massive Lovesan epidemic and spawned hundreds of similar worms. August 2006 could have ended in just such a disaster, as an exploit for the vulnerability was publicly available and any virus writer could have used it to create their own destructive worm.

Of course, virus writers weren’t indifferent to this news. Only a few days after Microsoft issued a patch, they released a number of malicious programs exploiting MS06-040 into the wild. The first of these was Backdoor.Win32.Vanbot (aka Mocbot). Thankfully, this program was only capable of attacking machines running under Windows 2000 and Windows XP SP1. Users who had installed SP2 for XP were safe. The second reason why a global epidemic didn’t, in the end, take place was because the malicious program wasn’t a worm capable of self-replication, but a backdoor program controlled via IRC. The backdoor was only able to spread when commanded to by the author, and this limited how far it could penetrate. It’s clear that the author intended to use the program to create a botnet for further use.

Over the next few days a number of other programs exploiting MS06-040 appeared. These were all variants on the backdoor botnet theme. Many of the old malicious programs, such as Rbot and SdBot, simply had new exploits added to them; we started seeing real mutant programs, equipped with dozens of the most dangerous Windows exploits ranging from MS03-026 to the very latest MS06-040. It’s clear that such programs would have a better chance of penetrating victim machines than their competitors. Happily, the very nature of the vulnerability and the composition of the exploits were not so different from those which were already known (very similar to MS04-011 and MS05-039), and this made it possible for a lot of antivirus and firewall vendors to block the virus attacks without having to patch their products. An epidemic was averted, and August 2006 did not become another black month in the virus vs. antivirus calendar.

All of this could have changed the following month, when, on 19th September, news about the latest vulnerability in Internet Explorer started circulating on the Internet. A vulnerability in the processing of VML (Vector Markup Language) documents would allow a remote malicious user to create a script which would execute arbitrary code on a victim machine when the user visited an infected site.

The same day, Sunbelt Software announced that they had detected an exploit for the vulnerability on some Russian pornographic sites created by hackers. This fact meant that many thought Russian hackers had been involved in creating and distributing the exploit, as had been the case with the vulnerability in WMF file processing in December 2005. However, our research didn’t uncover any clear connection between Russians and the VML incident.

The Danish company Secunia rated the vulnerability ‘extremely critical’. This is the highest possible threat level, and the vulnerability was given this rating as it could be exploited on any version of Windows when using Internet Explorer.

The vulnerability is caused by a boundary error in the Microsoft Vector Graphics Rendering (VML) library (vgx.dll) when processing certain content in Vector Markup Language (VML) documents. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long “fill” method inside a “rect” tag with the Internet Explorer browser. This enables the execution of arbitrary code on the victim machine.

The following days brought a mass of hacker sites containing script exploits for the VML vulnerability. Many virus writers tried to use the situation to get their Trojans onto users’ machines. The situation was further complicated by the fact that the VML vulnerability was a so called zero-day vulnerability – there was no patch available from Microsoft. And according to the patch schedule, the patch would be released only after another three weeks had gone by, on 10th October. This was the second time this situation had arisen, with a vulnerability being actively exploited by virus writers, and mass infections, but no fix available. The first case was in December 2005, with the WMF vulnerability. This time, just as happened then, some independent security professionals released their own, unofficial patches to plug the security hole. This was done in order to provide users with at least some level of protection prior to the official patch release from Microsoft.

Happily, Microsoft quickly acknowledged the gravity of the situation, and released an out of schedule patch in an extremely short time, on 26th September, a mere week after the vulnerability had been identified. The patch was issued as part of Microsoft Security Bulletin MS06-055 and did significantly reduce the number of infections. However, this vulnerability is still being exploited by hackers along with a range of other well known Internet Explorer vulnerabilities and we would urge all users to update their systems as a matter of priority.

Conclusion

All the events of the third quarter of 2006 lead me to conclude that both the Internet and the field of information security are on the verge of something totally new. I would say that the second stage of both virus and antivirus evolution is now complete.

The first stage was the 1990s, when simple signature detection was enough to combat simple viruses. At this stage, malicious code was not highly technical and did not use complex infection methods.

The start of the new millennium brought email and network worms to the fore. These malicious programs exploited vulnerabilities and the human factor in order to spread. The ability of worms to infect a large number of machines in a short space of time led to the rise of cyber criminality, and the technologies used by viruses became more complex, as did the range of malicious programs. Spam, phishing, mobile malware, vulnerabilities in browsers and networking equipment, and blended threats, which spread not only via email, but also via the Internet and instant messaging clients, all played their roles. Reaction time became critical, with antivirus companies starting to use code emulation, anti-rootkit technologies, and techniques to protect users’ confidential data.

The overwhelming trend throughout 2006 is that the well of truly new ideas has run dry, and this is reflected in our reports. Virus writers are feverishly trying to defend their creations against new protective technologies by creating PoC code for new platforms, plunging deeper and deeper in the search for vulnerabilities. However, this isn’t finding any significant reflection in reality: by this I mean that we are not seeing threats that would be able to cause millions and millions of dollars of damage, as Klez, Mydoom, Lovesan and Sasser did in the past.

What we are seeing at the moment is a mixture of the occasionally interesting and the intermittently highly technical (for instance, viruses using cryptographic techniques). Overall, however, the bar seems to have been lowered. Threats are no longer global, and are not effective for as long as they used to be. There’s nothing really new taking place. It’s the same unending stream of Trojans, viruses, and worms – the only difference is that the numbers have significantly increased.

Of course, some might disapprove of this opinion. Nevertheless, I believe that today’s virus writers and cyber criminals have adapted in line with the contemporary antivirus industry. We’re currently experiencing something of a standoff. Antivirus companies are working at the limits of their capabilities in terms of speed, and have, to a great extent, already reached certain technical boundaries in terms of the technologies employed. Virus writers find the current reaction times of antivirus companies – which could be a few hours, or even minutes – acceptable, and have come to terms with what they can achieve within the window of opportunity provided.

If the situation is as I have described it, then something will have to change in the near future. Either antivirus companies will go on the attack, making a new concerted effort to quash the virus uprising, or virus writers will come up with something truly new, raising the bar for the antivirus industry as a whole.
