Malware reports

Malware Evolution: April – June 2005

Kaspersky Lab presents its quarterly report on malware evolution by Alexander Gostev, Senior Virus Analyst. This latest report addresses issues such as changing network attack trends, the evolution of adware, the use of old technologies to create new viruses, the appearance of cyber blackmailers, and political malware.

  1. Changing network attack trends
  2. Site hacking
  3. Adware
  4. The return of virus technology
  5. Cyber hostages
  6. Politics and viruses

There have been several serious IT security incidents in the last few months, all of which clearly show that hack attack vectors are changing. Major financial institutions such as Bank of America, Sumitomo Bank, Master Card and Visa have all suffered from the attention of cyber criminals. Another noteably event this quarter was the Hotworld incident, where a Trojan-Spy program was detected in the networks of more than 80 organisations in Israel and Great Britain.

An analysis of these attacks, and some other incidents which received less publicity, leads us to the following conclusions:

1. Cyber criminals are starting to forsake mass attacks conducted using network worms or spamming Trojans.

There are several reasons for this. Firstly, the antivirus industry has almost a decade’s worth experience with worms which cause global epidemics, and have developed effective methods to combat such attacks. These range from the simplest type of protection – detecting multiple copies of the same file in mail traffic, the first sign that a malicious program has been spammed – to more complex approaches, including IDS and firewalls. Today, it can take less than an hour between the first copy of a worm being detected to an antivirus database which will detect and neutralize the malicious program being released. Consequently, the effectiveness of such attacks is minimized significantly, and sometimes completely.

The antivirus industry has almost a decade’s worth experience with worms which cause global epidemics, and have developed effective methods to combat such attacks.

Secondly, even those worms which manage to break through the many layers of protection or infect a few thousand users who don’t have antivirus installed on their machines face a daunting task: they have to replicate, and, most importantly, from the point of view of the cyber criminals who use them, harvest and transmit information from infected machines. Analysis of malicious programs by virus analysts makes it possible to find the server from which harvested information is transmitted, and also the channels and methods by which infected machines are controlled. This makes it possible to shut down servers – although this may not lead to the arrest of cyber criminals, it will ensure they are no longer able to get the information they desire.

Thirdly, even if criminals do manage to get their hands on the stolen data, they are then faced with the difficult task of using it in order to earn money. This is far from simple, and at this stage of the process the risk of arrest increases significantly.

2. Criminals are now attacking specific major targets.

The issues described above are leading cyber criminals to find other targets and other methods to access data which can then be used or sold to a client who orders an attack.

So what are the motives behind such targeted attacks?

Firstly, attacks are carried out with the aim of stealing banking and personal confidential information – credit card and social security numbers, and any other personal data which modern computer users possess. This data can then be used for fraud and blackmail: emptying bank accounts, forging documents and bank cards, and so on. Industrial espionage, which is becoming more and more widespread, also plays a role here. Information about a competitor’s business (such as financial and employee data), previously captured using bugs, recorders, and cameras is now accessible via an organization’s network.

3. Selecting targets and penetration methods

How do such targeted attacks differ from stealing Internet or ICQ passwords, and then selling them on for five dollars?

It’s one thing to infect a million computers around the world, and steal 50 thousand credit card numbers from them. It’s quite another thing to steal a million credit card numbers by infecting only one computer.

An analysis of the CardSystem Solutions incident as reported by the mass media gives details which do not add up to a coherent story.

The malicious program allegedly detected within the CardSystem Solutions network has still not reached antivirus companies. In comparison, antivirus companies added a sample of the Hotworld Trojan to antivirus databases two days after the malicious program was detected.

This Trojan cannot have been a key logger, as it’s highly unlikely that 40 million credit card numbers were manually entered into the system via the keyboard of one infected computer.

In order to gain access to the database where credit card numbers were saved, the Trojan would have to have been programmed specifcally for the CardSystem Solutions database.

It’s still not been established how the information was transmitted beyond the CardSystem Solutions network boundaries.

Obviously, the incident is still being investigated. It’s unlikely that the details of the case will be made public in the near future, and consequently there’s some doubt as to why the mass media are asserting that Russian hackers are behind the attack. It’s claimed that that some Russian carding sites have some of the stolen numbers available for sale. However, it’s not clear how the mass media know exactly which credit card numbers were stolen, nor whether these numbers were stolen during the CSS incident. The numbers for sale could have come from another source.

Well publicized IT security incidents this year illustrate the new face of cyber crime. The latest generation of cyber criminals is ready to spend tens of thousands of dollars to get insider information about the target object. They have contacts within organizations who know how to evade multiple intrusion detection systems. They are not script kiddies selling Trojans for ten dollars apiece, and they certainly do not sell stolen information through publicly accessible (even underground) forums and sites.

Well publicized IT security incidents this year illustrate the new face of cyber crime.

The reason why we are hearing about such attacks more and more often is because they have become more frequent, and the number has risen significantly. It’s clear that often, the bigger the financial institution, the more potentially vulnerable the network. A multitude of computers, hybrid networks with various levels of access, large numbers of employees, all of these are additional factors making it easier for a remote malicious user to construct an attack. In some large networks it’s impossible to find a specific document. So how much harder is it to find a Trojan program deliberately hidden in the system?

Such Trojans are also unique, programmed as a one-off with a specific target in mind. This means it is almost impossible to writer heuristic detections, and the fact that only one copy may exist (in contrast to worms which spread in their millions) mean that antivirus companies may never see a sample.

To conclude: attack vectors and targets are changing, moving away from end users to direct attacks on sites and site owners with valuable information for cyber criminals.

Hacking sites

Infiltrating Trojans into banking networks and government organisations is still a matter for professionals. There are still, of course, many rank and file virus writers who create and maintain botnets and information theft at a rather lower level. In spite of all the publicity which spammed Trojans receive, such mailings in fact cause relatively small, local epidemics and target the least protected user group on the Internet – those who either don’t use antivirus solutions, or those who fail to patch their operating systems.

Using email to cause an epidemic is now somewhat problematic, and unprofitable from a financial point of view. The absence of critical vulnerabilities, or at any rate, the absence of vulnerabilities which could profitably lead to the creation of an email worm) also hinders such virus writers, as it means they have to find new methods for penetrating potential victim machines.

Kaspersky Lab’s previous quarterly report contained information about the danger of vulnerable browser versions, and the situation has not changed since then. The MHTML URL Processing Vulnerability remains the most widely-used vulnerability by virus writers. But this is only one aspect of the problem – in order to exploit this vulnerability, it’s necessary to tempt users into visiting a vulnerable site.

The MHTML URL Processing Vulnerability remains the most widely-used vulnerability by virus writers.

There are two main ways of doing this.

The first is to create a dedicated site, hosted anywhere, with a page containing malicious code. An email will then be spammed with a message encouraging users to visit the site – a classic form of social engineering. This spam mailing can be done using other programs such as IM applications.

This is the oldest and best known method. In practice, most of these sites are only in existence for a short space of time until they are closed by the hosts at the request of antivirus companies or law enforcement agencies.

The second method is relatively new: hacking well known sites. The popularity of the site in question plays an important role in attracting the attention of cyber criminals. After all, they don’t have to organize a spam mailing encouraging users to visit the site, as users will go there anyway on a regular basis. The most frequently attacked sites are those running popular PHP engines (PhpBB, PhpNuke, WorldPress and so on). Why? Because vulnerabilities are constantly being detected in these programs, and such vulnerabilities allow malicious users to add the necessary scripts to a number of pages on the site. Santy demonstrated how quick and easy it was to hack dozens, or even hundreds, of such sites in December 2004. Cyber criminals who hack such sites are effectively acting in the same way as Santy.

The most frequently attacked sites are those running popular PHP engines.

There is one more method which Trojan authors use to gain access to sites: by infecting the site owner’s or hosting company’s computer, thus gaining access to the site administration account.

One example of this approach is the series of attacks on sites running Php engines in the Russian segment of the Internet during this year. In most cases, the goal was to install the Trojan spy program LdPinch on end user machines. Also notable this year was the MSN Korea server hacking. Antivirus professionals believe that there was a lapse of approximately 5 days from the moment the site was hacked to the moment when the Trojan was detected. During this time, everyone who visited the site was in danger of being infected, and several thousand machines were indeed infected. Its known which Trojan was used in the attack – yet another spy program, which steals user accounts to the popular on-line game LineAge. Last quarter’s report highlighted the fact that on-line games and their subscribers are becoming a target for cyber criminals, and the MSN Korea case confirms this.

Adware

Kaspersky Lab virus analysts have been following the evolution of Adware with great interest. This group of malicious programs is evolving at a rate unique in the contemporary computing world; the number of variants is also unprecedented. The programs which started out a few years ago as simple scripts which opened additional browser windows have now developed from undesirably, but still legal software, into full fledged malicious programs. Much Adware now uses virus technology to penetrate systems and mask its presence on infected machines, such as exploiting browser vulnerabilities, utilizing rootkit technology, writing its own code to system files and replacing system applications, changing files on the user’s computer etc.

Given the enormous market for Internet advertising, these developments are hardly surprising. The market is estimated at several billion dollars, and, most significantly, there are many competitors trying to gain market share. To do this, they need to reach the largest number of users possible, and they are willing to use any means necessary to do this.

In June we detected a piece of Adware which hides its presence in the system by using a rootkit driver. This is a cause for serious concern as until then, this behaviour had only been present in backdoor programs. The vast majority of antivirus solutions are unable to detect and delete rootkits from Windows systems, and naturally, the latest dedicated anti-adware/spyware solutions are unable to do this either. Only a multi-functional antivirus program, which works with the operating system at the very lowest levels and monitors all system functions, is able to detect rootkits in an infected system.

Overall, the Adware situation is reminiscent of the traditional tension between viruses and anti-virus solutions. The more effort is put into combating such programs, the more devious and illegal the technologies used to install Adware on systems will become. It seems likely that the Adware problem can’t be solved by antivirus and anti-adware solutions alone – there needs to be dialogue with those ordering and creating advertising. And it shouldn’t be forgotten that much of the Internet depends on advertising revenue for its survival, leading to a clear conflict of interest.

The return of virus technology

Over the last three to four years, traditional file viruses have almost disappeared. This long interval might indicate that such malicious programs were virtually extinct, as during this period there wasn’t a single program which, without worm functionality, would have been able to cause a significant epidemic. Virus writers have switched their attention to creating Trojans and worms – not the quickest way of causing an epidemic or stealing data, but far simpler than using a file virus.

Creating file viruses which will work correctly and infect files in more than one version of Windows takes a great deal of programming experience. Polymorphism is an important attribute for such viruses, which means that the programmer has to have experience of encryption algorithms.

However, in spite of the fact that no notable file viruses were detected during this period, a handful of such viruses created early remained in existence. They also retained their capability to spread around the world from machines which they had previously infected.

Given that methods for creating such viruses exist, why is no one using them? The consistent opposition from antivirus companies has forced virus writers to find new ways to penetrate machines, and to hide the presence of their creations within the infected system. One of the most popular methods is to use rootkits, with another being injecting malicious code into system files.

Last quarter’s review included details of Virus.Win32.Bube, a malicious program which appended its code to Explorer.exe. When Internet Explorer was launched, the virus would act as a Trojan-Downloader. Of course, detecting and blocking such behavior in Internet Explorer was beyond the functionality of the majority of contemporary fire walls.

This malicious program appended its code to Explorer.exe.

It wasn’t only antivirus professionals who found this idea interesting, but virus writers too. An outbreak of a very specific type of backdoor was detected at the beginning of the year: each backdoor was a legal type of file or utility (such as winrar.exe) which contained Trojan code. The Trojan code was added to the standard file using EPO (Entry Point Obscuring) methods, and, depending on which sub-program was called in the main file, the Trojan code would then be activated. Nearly all these EPO backdoors were a version of one of the widespread bot programs – Agobot, Rbot or SdBot. It’s more likely than not that these files (the legal program/ utility with an added backdoor) were created using a virus constructor, a program used to develop malware.

May and June brought yet another twist in the Trojan-code-in-system-files story. However, this time a package of malicious programs was used. Trojan-Downloader.Win32.Agent.ns acted as the main infector – once it penetrated the system, in addition to downloading other Trojans it would also infect wininet.dll, the system library. A small piece of code added to this file gives added functionality, which intercepts all calls to the library (this happens constantly when Explorer is being used to surf the Internet) and which also attempts to download other malicious programs. So in this case, wininet.dll is effectively turned into a virus (i.e. a program infected by other code).

It could be said that here, a standard Trojan is being called a virus – after all, even an infected explorer.exe or wininet.dll is not going to infect other files in the system. Perhaps, the classic term ‘virus’ is not appropriate in such a case. However, this is a completely new class of malicious program, which use methods traditionally used by viruses to inject code into the body of other programs. Nevertheless, such programs differ from viruses in that the malicious code is not self-replicating. This makes Kaspersky Lab inclined to classify such programs as a sub-group of viruses, together with overwriting and companion viruses. If such viruses become more wide-spread in the near future (and there are precedents for this), then it is possible that such viruses will then be placed in a class of their own.

These new types of malware make it all the more important for users to not only scan all new files on the computer, but also older files which have already been checked for infection; such files may well have had malicious code injected into them since the last scan. In addition to checking file size, it is also necessary to monitor the contents of such files, as the virus may not change the size of the infected file. Consequently, the necessity for effective file monitoring within programs also increases.

Cyber hostages

In December 2004 we received the first samples of a number of files which were encrypted by an unknown encryption program. There was no hint that in six months time, such files would become so common that we would be receiving several dozen a day. Nor was there any clue that in the space of a single week in June, the different encryption methods used would exceed two dozen.

Virus.Win32.Gpcode marked the beginning of a new era in cyber crime. This new approach is reminiscent of a hostage/ ransom situation. An avalanche of emails from users in Russia, and a significantly smaller number from users in the rest of the world, shows that blackmail and racketeering are becoming widespread on the Internet.

Unfortunately, it is still not clear how this malicious program penetrates victim machines. The vast majority of infected systems are those belonging to banks, financial organizations and advertising companies, major manufacturers, real estate offices and other organizations which have a very high document throughput. Hardly any home users have fallen victim to this malicious program. This inevitably gives rise to the theory that this might be a targeted attack. If so, how was is carried out? It’s possible that spam was mass mailed to a list of organizations’ addresses, but no Trojans were detected in victims’ email programs – some of the infected machines don’t even have email. It’s possible that the malicious program penetrated via an Internet Explorer vulnerability, but that would mean that all these affected organizations visited one and the same infected site; no confirmation of this has yet been found. The geographical distribution of the victims makes it impossible to characterize this as a local epidemic, taking place within a single town or region. And finally, the large number of different encryption programs used makes it highly unlikely that there was a single source of infection – all the victims were infected at different times and not from one single external source.

Unfortunately, it is still not clear how this malicious program penetrates victim machines.

Given all of the above, what other possible explanations are there? A logic bomb? This is a program which is activated when the chosen application – in this case an accounting or financial sector application – reaches a designated condition. All the infected organizations would need to have been using the same software for this explanation to be true.

In spite of the fact that the malicious program which encrypts the data deletes itself from the system once it has finished the encryption process, Kaspersky Lab has obtained and analyzed several different samples. The program recursively searches all directories on the victim machine using a designated algorithm, encrypts all document files in all formats, and email client databases. A file called readme.txt will also appear in each directory which contains encrypted files – the file contains an email address where the presumed author of the program can be contacted. An offer is made: pay up, and we will de-encrypt your files. This is effectively blackmail. It seems extremely likely that the cyber criminal, or grouping, behind Gpcode is Russian; this conclusion is due to certain text strings in the messages, the email addresses used, and some encrypted file formats which are specific to Russia.

Files infected by GPCode were also detected in the West, and in these cases, the messages from the program’s author were in English. This is another clear sign that attacks on the Russian and foreign segments of the Internet are clearly differentiated, both in terms of timing, and in terms of the program variants used.

The most depressing thing about this whole affair has been the number of users who have contacted the author of the malicious program, and who may have paid him the ransom demanded. By doing so, the users have not only lost money, but have also encouraged the author to create new versions of this encryption program and to conduct further attacks on other users. Such actions are not only unacceptable (and possibly criminal) but also unjustifiable. The encryption algorithms used to encrypt files are extremely primitive and encrypted files can easily be restored to their original condition by using a good antivirus which includes the right detections and treatment procedures. All the user needs to do is send one encrypted file to an antivirus company for analysis. Unfortunately, some users find it easier to pay for decryption of their files, which negates all the time and financial resources expended on creating an IT security policy.

An assessment of the current situation by security professionals concludes that the situation could potentially develop in a number of ways. If legislative and law enforcement bodies both within Russia and throughout the world do not take decisive action now, it’s highly likely more complex encryption methods will be developed in the future, and these will be used on a massive scale by cyber criminals for financial gain.

Kaspersky Lab strongly recommends all those working in organizations potentially at risk to perform a security audit of their current systems and applications. It is also extremely important to back up data on a regular basis to prevent any data loss.

Kaspersky Lab strongly recommends all those working in organizations potentially at risk to perform a security audit of their current systems and applications.

Politics and viruses

Malicious programs which contain political slogans, or which draw attention to a politician or political group are nothing new in the world of viruses.. In the 1990s, the vast majority of such viruses were created in Russia and former republics of the USSR, a fact easily explained by the political climate prevalent at the time. The political atmosphere captured the imagination not only of the public, but also of the virus writers. Political figures were caricatured in graphics and rhyme, but soon, such viruses started to disappear. The last memorable virus of this type was Email-Worm.Win32.Sexer (October 2003), which agitated for one particular candidate in the mayoral elections, and ceased to function as soon as voting was over.

In Europe, however, until recently the situation was the other way round – during the period when political viruses were spreading actively in former Eastern Europe, viruses in the West were simply malicious programs without any political overtones. With the detection of malicious code such as Email-Worm.Win32.Blare, which contained a text criticizing the British leader Tony Blair, the situation has clearly changed. Other viruses have contained attacks on the president of the USA, George Bush, and comment on the war in Iraq.

In terms of political viruses, Email-Worm.Win32.Sober stands apart head and shoulders above the rest – this family has been in existence for a year and a half, and several of its variants have had clear political leanings.

In May 2005 millions of email users in Western Europe received messages which contained far-right propaganda. These messages were sent from machines which had already been infected by Sober.p, and consequently, with the worm’s following variant, Sober.q.

The worm’s author clearly planned the attack. At the beginning of May, Sober.p caused an epidemic. Sober.p then downloaded another component, Sober.q, to infected machines. It seems that the author was on his own initiative when he used malicious code and spam to express his political views. However, such methods could very quickly become popular with political groups themselves, resulting in such viruses being written to order.

The cyber wars currently taking place in Asia also bear witness to the fact that politics could becoming a driving force behind new cyber threats. The longstanding conflict between Indian and Pakistani hackers (in the course of which, incidentally, the notorious Lentin (Yaha) worm was created) continues to this day. And this year gave rise to the latest political conflict between China and Japan, with unrest taking place not only on the streets, but also in cyberspace, with Chinese hackers attacking a number of governmental servers in Japan. Some of the servers were hacked, and some were crashed. Similar incidents have taken place between the Chinese and the Taiwanese, and also in South Korea. Over the last few months, several Russian sites belonging to political organisations have been attacked, and in many cases, the groups’ political opponents have taken responsibility for these actions.

If such trends evolve further, there may be serious consequences. Some government departments have been paralysed by virus epidemics (e.g., the US state department during the Welchia epidemic in 2003). However, this was not a targeted attack – if an attack was constructed in such a way that it targeted the national infrastructure of a country, lives could be at risk. The beginning of this quarter’s overview mentioned the current threat to financial organizations, which is frightening enough; however, in the future, military and political bodies could be attacked, with the ultimate aim being to cause chaos, score political points, and perhaps ultimately even to seize power.

Conclusion

During the first half of 2005, one of the main trends was the shift from major, wide-ranging epidemics, to targeted attacks. This trend is noticeably in almost all fields of malware and cyber threat evolution: in site hacking, mass mailings, and the spreading of new malicious programs.

In addition to this, new threats which are designed to attack home users’ machines are utilizing root kits more and more frequently to mask their presence in the system. This is even used by Adware developers in an attempt to prevent their creations from being to evade being detected by antivirus solutions. Trojans are also utilizing methods traditionally employed by file viruses, making them able to evade the majority of firewalls. Overall, this shows that the technical skills of virus writers are continuing to develop; the fact that there have been no recent major epidemics does not mean that computers are not being penetrated. Rather, the antivirus industry’s successful efforts to prevent the spread of malicious code is forcing virus writers to become more inventive and discriminating in choosing their methods and targets.

What will the rest of 2005 bring? The next quarterly analysis from Kaspersky Lab, covering summer and the beginning of autumn, will be available in three months time on this site.

Malware Evolution: April – June 2005

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox