Malware Evolution: 2005

Backdoor, Trojan-Downloader, Trojan-Dropper, and Trojan-Proxy programs are the TrojWare programs which show the most significant increase in numbers. All of these programs are used by malicious users in order to create bot networks. It’s worth saying a little bit about bot-networks: they are composed of a large number of infected computers which are united into a single network. The network is administered by the remote malicious user, who is effectively the owner of the network. Recently, such networks have become extremely popular among cyber criminals, which explains the increase in the programs mentioned above. It is these programs which are used to create bot networks, and ensure that they are kept up to date. It’s becoming increasingly common for these Trojans to be distributed via mass mailing.

There has also been an increase in the number of Trojan-PSW and Trojan-Spy programs detected; this reflects the growth of the malicious software market. These programs are used to steal data from victim machines, and more often than not this data is finance related. It’s clear that malicious users are no longer simply writing viruses for their own amusement, but are creating and using Trojan programs for financial gain. Kaspersky Lab analysts have detected Trojan-Spy programs which are capable of harvesting information about several hundred online banking and e-payment systems. This data can then be sold on further.

Trojan-Clickers are generally used to increase the ratings of sites selected by malicious users. The increase in the number of programs which exhibit this behaviour is lower than the growth of the class overall. This indicates that malicious users are turning their attention to more ‘profitable’ malicious programs.

Classic Trojan programs are undoubtedly one of the oldest representatives of the TrojWare class. This term covers all Trojan programs which for one reason or another have not classified as having one of the behaviours mentioned above. The increase in the number of programs exhibiting this behaviour is lower than the growth of the class as a whole, but nevertheless remains high overall.

Rootkits are one of the most recent additions to this class, having started to become widespread 2 -3 years ago. During this period, rootkits have attracted a significant amount of attention. Recently, Kaspersky Lab has noted an immense increase in the number of programs exhibiting rootkit behaviour – an increase of 413% in 2005. It should be noted that this figure, while seeming impressive, is partly due to the fact that last year rootkits appeared at a steady average rate of 6 per month. However, in 2005, there have been, on average, 28 new rootkits a month. This highlights that the computer underground is showing great interest in this type of program. It should be noted that rootkits on their own have no malicious payload, but they are increasingly being used to mask the activity of other malicious programs. Given that rootkits are becoming so widespread, we’ll take a more detailed look at them later in this article.

It is striking that most programs within the TrojWare class have increased in number in comparison to 2004. TrojWare is the only class which exhibited such extreme growth during the period under examination.

VirWare — worms and viruses

The graph below presents data on the number of programs in the VirWare class detected by Kaspersky Lab:

4. Increase in VirWare.

The chart below gives a breakdown of these programs by behaviour:

5. Distiribution of VirWare by behaviour (end 2005)

The graph shows that the stagnation of this class, which began in 2004, has not only continued, but has become even more marked. The growth of this class as a whole is insignificant in comparison to the increase in malicious programs overall. Additionally, this class appears to be experiencing a plateau due to the fact that certain worms which exhibit specific behaviours have increased in number. Other programs in this class are continuing to decrease in number. The data in table.3 clearly illustrates this. It should be stressed again that the decreasing numbers of many programs in the VirWare class is due to the increasing interest shown by the computer underground in malicious programs in the TrojWare class.

The insignificant increase in the number of email worms was entirely due to activity on the part of Bagle’s authors. Programs produced by these virus writers are still detected as Email-Worms, in spite of the fact that they are often Trojan programs, used to maintain the bot net. If it hadn’t been for the activity of one or two criminal groupings, the 2005 figures for Email-Worms would undoubtedly have dropped. Moreover, 2% growth is a far smaller increase than the increase in malicious programs overall, and this underlines the slow demise of email worms in favour of Trojan programs, which are far cheaper to develop and distribute.

In spite of the fact that they first appeared in 2001, IM-Worms only started to become common in the middle of 2004. By the end of 2005, an average of 35 new IM-Worms were being detected each month.

IRC-Worms continue to decrease in number, effectively being reincarnated as Backdoor programs. Although IRC-worms continue to be detected, new ones are relatively rare.

Over the past year the growth rate of Net-Worms has more than doubled, increasing by 43% in 2005 over 21% in 2004. This is in part due to new vulnerabilities, for instance the vulnerability detailed in Microsoft Security Bulletin MS05-39; a worm which was written to exploit this vulnerability caused a global epidemic. It is also partly due to the behaviour exhibited by these worms, which excludes human beings from the replication cycle (i.e. there is no need to wait until the user launches the worm by opening an attachment). This increases the speed at which Net-Worms are able to propagate.

The number of P2P-Worms continues to decrease, a tendency that first started in 2004. The decrease is easily explained by the campaigns initiated against file-sharing networks by (among others) law enforcement bodies and those concerned about copyright issues.

Worms as a group are also maintaining last year’s pattern; programs exhibiting this behaviour are the only group in the VirWare classification where the growth rate has not changed. Worms still exhibit a growth rate of -2%; this figure does not exceed the boundaries of statistical error and clearly indicates that this group of program remains in a state of stagnation.

Now let’s take a look at the very oldest type of malicious program for computers: classic viruses. Over the last year, the number of viruses detected per month continued to decrease, but at a lower rate than during 2004 (-45% in 2005 as against -54% in 2004). This is no surprise, as viruses take the most effort in terms of development. In addition to this, the speed at which classic viruses can infect is far slower than the speed at which machines can be infected by malware which is, for instance, distributed using spamming technologies.

VirWare programs clearly indicate that although malicious programs exhibiting some behaviours have become less widespread, this has been compensated for by the increase in malicious programs exhibiting other behaviours. The class overall has shown an insignificant drop of -2%.

MalWare — other malicious programs

Malicious programs in this class are the least wide common, but exhibit the widest range of behaviours. Statistics collected during the course of the year show that the number of programs in this class has grown slightly; however, the overall growth rate is the lowest among all the malicious programs detected by Kaspersky Lab.

6. Increase in MalWare.

The chart below gives a breakdown of these programs by behaviour:

7. Distiribution of MalWare by behaviour (end 2005)

Out of the many behaviours exhibited by programs in this class, only five of them deserve closer attention. Malicious programs which exhibit behaviours not covered by these 5 classes appear relatively rarely; due to this, it is impossible to say that they are evolving in any significant way.

Exploits, naturally enough, exhibit the highest growth rate in the MalWare classification. The constant identification of new vulnerabilities in systems and software have enabled exploits to become undoubted leaders in this class. There is no reason to suppose that the situation will alter in the near future; this behaviour gets the victors palm in terms of numbers of new programs and modifications detected.

HackTools are used to conduct a range of attacks. Although the 33% increase in 2005 is less than the increase shown by the MalWare class overall, it still indicates malicious users’ growing interest in such programs.

Constructors are used to create new modifications of already existing malicious programs, and the decrease in the number of these programs has been relatively small.

Flooders (IM-Flooders, Email-Flooders, SMS-Flooder etc) are utilized by malicious users to send massive amounts of random information. Programs exhibiting this behaviour increased by 20%, i.e. at the same rate as the class overall.

SpamTool programs are designed to harvest email addresses from victim machines. They are then transmitted onwards to the remote user, so that they can be used for mass mailings. Although the increase in such programs is relatively small, the steady growth shown by this group does indicate that these programs are of interest to malicious users.

Overall, it can’t be said that 2005 was a successful year for MalWare – the overall increase in the number of programs from this class is noticeably lower than the increase in malicious programs in general. Over the course of the year, the number of MalWare programs fell steadily, while the number of programs in the TrojWare classification rose steadily.

Other trends

Internet banking

It should be stressed that the number of Trojan programs designed to steal financial information has increased significantly. This information is used by malicious users to access third party bank accounts and withdraw funds.

This group of malicious programs exhibited the highest growth rate of any type of malicious software, and reached a record 402% by the end of the year. Moreover, Kaspersky Lab has detected attempts by malicious users to create something similar to a botnet: first a program designed to install Trojan-Spy.Win32.Banker was distributed and then a malicious user is able to configure the bot network in such a way as to steal information relating to any banking system.

Malicious code for new platforms and multi-platform malicious code

The growing interest shown by cybercriminals and virus writers in other platforms, and continued attempts to create multi-platform malicious programs is a matter of some interest. During 2005, Kaspersky Lab analysts detected malicious programs for a number of new platforms, including Trojan.PSP.Brick.a (developed for PSP, the platform used by Sony Playstation) and Trojan.NDS.Taihen.a (for Nintendo gaming systems). The very fact that proof of concept code has appeared for these platforms once again confirms the fact that the computer underground is constantly on the search for new targets, including new platforms, in order to tap new sources of potential profit.

There are also a number of other malicious programs which deserve a mention. The first of these is Worm.SymbOS.Comwar.a, the first worm for mobile devices running Symbian which was capable of propagating via MMS. This differed from previous worms which propagated via Bluetooth, a propagation method which limited the worm’s capabilities, as it was only able to spread to devices within a 10 metre radius.

Another interesting event in 2005 was the appearance of Trojan.SymbOS.Cardtrap.a,. This program is a standard SIS file. However, when launched, the program extracts another malicious program (this time for Win32 platforms) from itself and saves it to removable media. Although the Win32 program is unable to launch itself automatically on a PC due to certain peculiarities of the Windows operating system, this attempt is a serious cause for concern.

UNIX should also be mentioned, as the increased popularity of this operating system has led to an increased number of malicious programs. On average, in 2004, Kaspersky Lab detected 22 malicious programs for this platform per month. However, in 2005, an average of 31 programs were detected each month. By the end of 2005, this resulted in a growth rate of 45%.

Let’s now turn our attention to AdWare; this class grew by 63% in 2005 in comparison to 2004. This is less than the growth rate exhibited by AdWare in 2004, and it seems likely that this class is entering a plateau stage of its evolution. We’ve previously stated that most programs from this class belong in a sort of no-man’s land, where the difference between malicious and non-malicious programs is unclear. This is underscored by the fact that more often than not, AdWare programs use virus technology to perform whatever their designated function is.

Antivirus companies are starting to detect AdWare programs as malicious programs more and more frequently. In addition to this, there are an increasing number of court actions being brought against those companies who develop AdWare programs.

Conclusion

2005 brought some significant changes in the world of computer virology. The data above shows clearly how the malware landscape is changing.

There was a sharp increase in the number of nearly all types of Trojan programs. As we have mentioned before, the computer underground is becoming increasingly criminalized, focussing on accessing and using confidential information to gain access to profitable data, whether that be system resources, bank accounts, proprietary information or on-line games. Trojan programs can be used to gain access to such data.

The increase in the number of Trojan programs, when taken in conjunction with the fact that the number of worms has remained relatively stable, underlines the fact that malware writers are shifting their focus from the time-consuming development of new worms in favour of Trojans which are distributed by mass mailing.

Finally, 2005 was notable in that it brought either malware for new platforms (Trojans for gaming consoles) or new approaches for old platforms (more advanced worms and Trojans for Symbian OS).

The changes observed in 2005 will undoubtedly continue to develop in 2006, with new technologies and devices influencing, to some extent, the evolution of malicious code.