Malware reports

Malware Evolution: April – June 2007

This quarterly report may be the most unusual of all our quarterly reports to date. The events of the first six months of 2007 have shown us that threats are evolving away from social engineering and towards the increased use of a variety of vulnerabilities to penetrate systems.

The virus writing “crisis of ideas” that we wrote about at the close of last year (and which we feared would end in a crisis in the near future) is still in full swing. The current period is characterized by the lack of any real new threats and an upswing in the commercialization of the virus writing environment. As I previously confirmed, the ball is now in our court – for the first time in many years, the antivirus companies have the upper hand. Virus writers are concerned solely with earning dirty money and are incapable of coming up with new ideas, so instead they are trying to milk what they can out of old technologies – and the antivirus industry is coping quite well. The worst thing about the current situation is that quality has given way to quantity. The barrage of primitive malicious programs stealing things right and left continues to grow, but it’s more reminiscent of a battle between rock’em sock’em robots than a battle of wits.

This report will say very little about malicious programs. We will be changing gears to examine a wider range of information security: Internet problems, new technologies and vulnerabilities. These are the areas in which today’s key tasks lie, the problems which today’s antivirus companies must resolve.

Estonia

These events, which took place in late April and early May, will likely remain the most discussed events in all of 2007. For the first time in history, politicians, representatives of the armed forces, and computer experts around the world discussed this still virtual topic: cyberwar.

This topic concerned Estonia, namely the attacks suffered by dozens of servers in the Estonian sector of the Internet. It began in mid-April, when the Estonian government decided to remove, from one of Tallinn’s central squares, a monument dedicated to the Soviet soldiers who died liberating Estonia in WWII. This decision was met with great protest from Russia and led to a worsening of political ties between the two countries.

Similar political situations in the relations between Russia and the former republics of the Soviet Union who have done everything in their power to get as far away as possible from the Soviet past are certainly nothing new. It’s possible that this incident would have remained an issue for the diplomats to tackle, but several other factors compounded the issue and then something else happened.

On April 27, the Estonian websites of the president, the prime minister, the Estonian parliament, police and a number of ministries were overloaded with an enormous number of requests from thousands of computers located around the world. This happened immediately after the Estonian police broke up a demonstration in Tallinn that had gathered in protest at the removal of the monument. Over 600 people were arrested, and about a hundred were injured in this skirmish with the police.

Immediately afterwards, a counterattack was made via the Internet. According to studies conducted by the experts at Finland-based F-Secure, the following websites were completely inaccessible on April 28:

  • www.peaminister.ee (Website of the prime minister): unreachable
  • www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
  • www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
  • www.vm.ee (Ministry of Foreign Affairs): unreachable
  • www.valitsus.ee (Estonian Government): unreachable
  • www.riigikogu.ee (Estonian Parliament): unreachable

The first attack lasted roughly until May 4. During this DDoS attack, over ten Estonian sites took a lashing. However, everyone knew full well that the worst was yet to come. May 9th, Russia’s Victory Day, was still ahead.

The company Arbor, which specializes in protection against DoS attacks, later published its own statistics from observing the events in Estonia. Interestingly enough, their reports show that attacks began on May 3, 2007. It’s possible that this was the day on which Estonian officials approached Arbor for assistance, as there are no data on the first wave of the attack (April 27th through May 3rd). The stats are shown here:

Date         Attacks
2007.05.03   21
2007.05.04   17
2007.05.08   31
2007.05.09   58
2007.05.11   1

As we can clearly see, the second wave of attacks began on May 8th and peaked on the ninth of the month. Let us clarify the definition of “attack” in this context. Arbor reported that over the course of two weeks they recorded 128 individual DDoS attacks, of which 115 were typical ICMP floods, 4 were SYN floods, and the remaining 9 were other variants of attacks designed to saturate the target with traffic.

Of course this is only part of all of the attacks that took place, but one can still get the general idea of the enormous scale of the attack. Furthermore, the overwhelming majority of the attacks were rather short-lived at one hour or less. Only 7 attacks lasting over 10 hours were recorded.
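To make the Arbor categories quoted above concrete (ICMP flood, SYN flood, other volumetric traffic, and attack duration), here is an added example of how a defender would classify such episodes from flow records. It is not code from the report or from Arbor; the flow records, destination addresses and per-second thresholds are constructed for the demonstration.

```python
"""Classify DDoS episodes from flow records (added example, constructed data).

Mirrors the categories the report quotes from Arbor: ICMP flood, SYN flood,
and other volumetric attacks, plus the duration of each episode.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int        # epoch second of the flow record (constructed)
    src: str
    dst: str
    proto: str     # "icmp", "tcp" or "udp"
    flags: str     # TCP flags such as "S" or "SA"; "" for non-TCP
    packets: int


# Packets-per-second thresholds per destination: assumptions for this demo,
# not Arbor's actual detection criteria.
ICMP_PPS = 5_000
SYN_PPS = 2_000
OTHER_PPS = 10_000
LIMITS = {"icmp_flood": ICMP_PPS, "syn_flood": SYN_PPS, "other_volumetric": OTHER_PPS}


def categorize(flow):
    """Map one flow onto the report's attack categories."""
    if flow.proto == "icmp":
        return "icmp_flood"
    if flow.proto == "tcp" and flow.flags == "S":   # bare SYN, no ACK
        return "syn_flood"
    return "other_volumetric"


def bucket_flows(flows):
    """Sum packets per (destination, second, category)."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f.dst, f.ts, categorize(f))] += f.packets
    return buckets


def classify_attacks(flows):
    """Return sorted (dst, category, start_ts, duration_seconds) episodes.

    A second counts as 'hot' when its packet total exceeds the category
    threshold; consecutive hot seconds are merged into one episode.
    """
    hot = defaultdict(set)
    for (dst, ts, cat), pkts in bucket_flows(flows).items():
        if pkts >= LIMITS[cat]:
            hot[(dst, cat)].add(ts)
    attacks = []
    for (dst, cat), seconds in hot.items():
        ordered = sorted(seconds)
        start = prev = ordered[0]
        for ts in ordered[1:]:
            if ts != prev + 1:
                attacks.append((dst, cat, start, prev - start + 1))
                start = ts
            prev = ts
        attacks.append((dst, cat, start, prev - start + 1))
    return sorted(attacks)


def summarize(attacks, short_limit=3600):
    """Count episodes per category and how many lasted at most `short_limit` s."""
    counts = defaultdict(int)
    for _, cat, _, _ in attacks:
        counts[cat] += 1
    short = sum(1 for a in attacks if a[3] <= short_limit)
    return dict(counts), short


def sample_flows():
    """Constructed flow log: a 3-second ICMP flood, a 2-second SYN flood, noise."""
    flows = []
    for sec in (1000, 1001, 1002):
        for i in range(200):
            flows.append(Flow(sec, f"198.51.100.{i % 250}", "192.0.2.10", "icmp", "", 30))
    for sec in (1100, 1101):
        for i in range(100):
            flows.append(Flow(sec, f"203.0.113.{i % 250}", "192.0.2.20", "tcp", "S", 25))
    flows.append(Flow(1000, "198.51.100.1", "192.0.2.10", "tcp", "SA", 50))  # normal reply
    flows.append(Flow(1010, "198.51.100.2", "192.0.2.10", "icmp", "", 10))   # a few pings
    return flows


if __name__ == "__main__":
    episodes = classify_attacks(sample_flows())
    for dst, cat, start, dur in episodes:
        print(f"{dst}: {cat} starting at {start}, {dur} s")
    print(summarize(episodes))
```

Real deployments would read NetFlow/sFlow exports and use per-site baselines rather than fixed thresholds, but the shape of the logic, per-destination rate buckets merged into episodes, is the same.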

The attack against Estonia happened on several levels at once. Besides the DoS attacks targeting key government sites, there were also mass defacements of dozens of other Estonian websites. Most of these targeted websites running various scripting engines with known vulnerabilities, ranging from CSS/XSS to SQL injection.

These attacks were not particularly complex technically and they could have taken place at any other time, although the events as a whole attracted hackers around the world, and many of them managed to use the situation as an arena for honing and applying their skills.

One of the first websites to be broken into was that of the Reform Party, which is chaired by Estonia’s Prime Minister, Andrus Ansip. The text on the website’s homepage was replaced with an alleged apology addressed to the Russian-speaking population of Estonia. “The Prime Minister Asks For Forgiveness! The Prime Minister of Estonia and the Estonian government begs the forgiveness of the entire Russian population of Estonia and takes responsibility for returning the Bronze Soldier statue to its rightful place,” the hackers wrote.

Meanwhile, Russian websites were also subjected to attacks. “On May 3 this year the website of the President of Russia was hit by an unprecedented scale of hacker attacks from servers that seem to be located in the Baltics,” the RIA Novosti news agency was told by a source in the Kremlin.

However, thanks to a multifaceted backup system and a modern security system, the president’s website managed to retain control. The source at the Kremlin did admit that “there were certain problems.” “The hacker attacks on government institutions in various countries are, unfortunately, a widespread practice” added the source.

The attacks also targeted Russian media outlets, such as the Ekho Moskvy radio station, and the Kommersant newspaper. In some cases the victims of these attacks did not even make the connection between the events in Estonia and the attacks on their sites.

Estonian hackers were likely party to the attacks against the sites of their direct opponents on Russian soil. On May 9, the website for the protectors of the monument was hacked. The homepage no longer featured the “Night Watch” (dozor.ru) organization information – it was replaced with a banner that read: “Proud to be Estonian” with an Estonian flag and “Estonia Forever!” Furthermore, the hackers also attacked at least one other site: 1-net.ru.

This was a direct exchange of virtual blows, as the screenshots of the defaced pages showed.

[Screenshots of the defaced pages on both sides. (c) F-Secure]

How did the Estonian authorities respond? First, the country’s Central Criminal Police arrested a 19-year-old resident of Tallinn named Dmitri, who had a higher technical education, as a suspect in the cyber attacks against government websites. The next developments, however, were completely unexpected. Estonian politicians broke an unspoken rule when they accused the Russian special services of orchestrating the attacks – and for the first time, the word “cyberwar” was used at this level.

It is no secret that the most prominent government special services have departments dedicated to the security of a country’s electronic resources and to taking appropriate measures to protect them. We call this “e-reconnaissance”. There are similar divisions in the US army, and their members have even taken part in some hacker competitions to penetrate electronic resources, although without much success.

Yet this was the first time in history that one government accused another of launching a cyber attack. This never happened during the conflict between India and Pakistan, when the hackers of these two countries engaged in a virtual battle with one another on the Internet in the late nineties. That was, by the way, when the Lentin (Yaha) worm was created – one of the most destructive email worms in the last decade.

Nor did it happen at the time of NATO’s intervention in the Yugoslav conflict and the bombing of Serbia, when Serbian hackers formed an alliance with hackers from other countries and attacked US and NATO web resources.

Such accusations were not voiced during the many complications in relations between China and Japan, when DoS attacks targeted Japanese government websites.

Nothing of the sort happened when American government departments and agencies were (and still are) the target of Chinese hacker groups, which often gain access to secret information.

However, this time, although the nature of the attacks was clearly vandalism aimed against Estonian sites, it must have been beneficial for someone to bring the conflict to a new level. At first Urmas Paet, the Estonian Minister of Foreign Affairs, stated that the hackers were acting on behalf of Russia, including from computers located in government institutions. Later, Jaak Aaviksoo, the Estonian Minister of Defense, proposed declaring that the cyber attacks were a form of military action. “At present, NATO does not view cyber attacks as military action. That means that the NATO countries which have fallen victim to these attacks are automatically not included under the fifth article of the NATO agreement on military protection. None of the NATO Ministers of Defense today would recognize a cyber attack as military action. This issue must be resolved soon.”

Ultimately, Estonia wanted military protection against threats from the Internet – this was getting serious. These kinds of statements would generally require – at the very least – irrefutable evidence of the Russian government’s participation in the attacks. For months after the attacks began, Estonia was unable to present any such evidence. Nothing could be established by the NATO experts that had rushed to Tallinn in early May to “save their ally.” Basically, the accusations that the Russian government was involved were based on the single, isolated fact that the Estonian president’s website had been visited from an IP address that “belongs to an employee of the Russian presidential administration.” The completeness of the knowledge of Estonian services regarding the owners of all Russian IP addresses is amazing, as is their knowledge about just how “difficult” it is to spoof such an address.

But the cyberwar had been declared. Suddenly experts from around the world poured into Estonia – from the US, Europe and Israel. Some came to help counter the threat, while others arrived to gain invaluable experience by observing the conflict and learning from it so that they might contribute to the security of their own countries.

What was happening on the Russian Internet during those days? In the attempts to accuse the Russian authorities, everyone somehow forgot to ask Russian Internet users what they thought about the bronze statue incident. Their opinions were overwhelmingly anti-Estonian, and as soon as the conflicts began with the police, many Russian Internet users who were not able to voice their protest in person used the only outlet they could: an online protest – in the form of DoS attacks.

These days it’s hard to determine when and where the idea to launch traffic attacks took shape. It likely came from the same groups of hackers who carried out similar attacks against the websites of Chechen militants in the past. This experience, however, turned out to be valuable and was applied again. A great number of different programs that appeared on relevant message boards and websites sent innumerable requests to Estonian websites. Anyone could download the program and launch it on their own computer. From a technological point of view, this constitutes a botnet. But it’s a botnet that is voluntary and created with the consent of the owners of the computers being used, who know perfectly well what they are doing. Take another look at the attack statistics gathered by Arbor experts, and you can see that the overwhelming majority of attacks lasted less than one hour. How can one be sure that Russian special services “rented” botnets from hackers for these short periods of time?

Of course, some of the attacks originated from “real” botnets of previously infected computers, but that doesn’t mean we should underestimate the power of a “manual” attack. If this is a cyberwar, then it’s likely a guerrilla war.

By the way, not one antivirus company in the world was able to find any specific malicious programs that were designed specifically to launch attacks against the Estonian websites.

The attacks against Estonia have stopped. Experts have returned to their home countries, manufacturers of network equipment have entered into numerous new contracts, journalists have written dozens of articles about what happened, and in the end the statue was put in a new place, and the remains of Soviet soldiers were reburied. Dmitri, the 19 year-old from Tallinn and the only suspect in the attacks, has been released due to lack of evidence.

“I don’t think it was Russia, but how do you prove that?” asked Gadi Evron, an IT security expert from Israel. Evron traveled to Tallinn for 4 days and conducted, so to speak, a post-mortem examination of the Estonian system. “The Internet is ideally suited for plausibly refuting anything, really.”

“If political tension arises, it will definitely have consequences on virtual networks” Evron said, referring to attacks against Danish websites after a Danish newspaper published cartoons featuring the prophet Mohammed.

The peaceful computer community is now playing with the words “cyberwar” and “cyber terrorism” and labeling Russia as the first country to use the “digital bomb”. Experts are doing all they can to create scenarios for real computer wars:

“They’re talking about a cascade-type attack,” said Mihkel Tammet, the head of the Communications and IT Dept under the Estonian Defense Ministry, about one possible scenario. “At first, because of mass mailings from botnets that the FBI wrote about previously, it will be difficult to gain access to popular information websites. Then there will be interruptions in email services, and hackers will use that as a cover to get into government services, communications, transport and financial companies, which could destabilize the functioning of the social system as a whole.”

While search engines and governments around the world introduce various restrictions on the access to information on the Internet about “how to make the bomb”, the question of cyber terrorism is not being discussed enough in terms of the actual state of affairs. Kaspersky Lab has always held the opinion that the publication and discussion of different ways to eliminate the vital functions of a target cannot be described as anything but reprehensible. There is no doubt that any such information could provoke certain extremist groups to attempt to spark off a similar scenario.

Pandora’s box has been opened, ladies and gentlemen. But to whose advantage?

The iPhone

The biggest global event in the cell phone industry in the second quarter of 2007 – or probably the entire year – was the release of Apple’s new iPhone.


Millions of US users stood impatiently in line waiting for sales to begin, and many waited in line by the store for several days before the official release date. Meanwhile, IT security experts tried to analyze just how the iPhone will change the cellular landscape and the average level of cell phone security. Won’t its huge popularity become the very reason that upsets the stagnant status quo in the world of mobile viruses?

Mobile threats are very closely watched at Kaspersky Lab. It was exactly three years ago that we were the first to run into mobile viruses.

In order to evaluate the probability that malicious programs will be designed for different devices and operating systems, we apply a system based on three criteria:

  1. The popularity of a system and the extent to which it is widely used;
  2. Documentation – the availability of a variety of complete documentation on the system;
  3. Security – the lack of security for a system or any known vulnerabilities in the system or its applications.

Each of these criteria is necessary. If all three are met, there is reason enough to expect the emergence of malicious programs.

Let’s apply these criteria to the iPhone.

Popularity

During the first three days the iPhone was on sale, Apple sold nearly half a million of the new devices. The blog egadgetmobile.com, with a link to waitingforiphone.com, reported that during the first ten days of July, over one million iPhones were sold. Analysts expect sales over the first six months to reach 13.5 million units.

Are these numbers indicative of high popularity?

Over 2003, 6.7 million handsets running on the Symbian operating system were sold around the world, and over one million phones were sold in December 2003.

In 2004, when Cabir – the first mobile worm – appeared, there were already about 15 million smartphones running on Symbian, of which nearly 70% were Nokia. Overall, in 2004 Symbian represented 38% of the smartphone market.

In the second quarter of 2005, 7.8 million Symbian phones were sold, compared to 2.4 million in the second quarter of 2004. In the first six months of 2005, a total of 14.5 million mobile devices running on Symbian were sold.

Clearly, the 13.5 million iPhones expected to be sold by the end of 2008 is comparable with the 15 million Symbian devices that were sold in 2004. Based on these numbers, we can conclude that 2008 is the year in which virus problems for the iPhone can be expected to become a reality. This will likely happen before the end of the year, thanks to high user demand for these communicators and the massive advertising campaign.

De facto, the iPhone is already popular, even though the sales figures in absolute terms are not quite that high yet. According to data from a large-scale analysis conducted by the staff at Lightspeed Research one week after the official announcement by Apple developers of this long-awaited smartphone, one American in three wants an iPhone. Approximately 8% of respondents plan to buy this phone in the next 3 months, and 22% plan to buy an iPhone “sometime in the future.”

There are, however, two more criteria to consider.

Documentation

Apple has announced that the iPhone runs on a special version of Mac OS X. How exactly the mobile OS differs from the desktop version has yet to be officially explained, but the differences are probably minor. This usually involves optimizing the version for use without the support of various computer devices and extra applications. The internal operating system is identified as “OS X 1.0 (1A543a).”

The iPhone’s processor is built on ARM architecture, which means that it can run applications written with ARM assembler, which is very well documented.

These two facts show that there are no major factors keeping us from putting a checkmark next to the “documentation” criterion.

Security

There is still one more criterion which is possibly the most important of all three: the level of security (or lack thereof) and the existence of vulnerabilities.

Overall, Apple – or to be more precise, Apple’s operating systems and applications – doesn’t stand up so well when it comes to vulnerabilities. Vulnerabilities do exist, and many of them can be categorized as critical. Most of them were found precisely because Mac OS has recently enjoyed an influx of new users-cum-devotees, and its popularity is growing steadily. Consequently, hackers have begun digging deeper. We have already seen network worms for Mac OS X that use vulnerabilities to spread. There is no reason to assume that the same problems won’t exist for the iPhone operating system.

In early June the experts at SPI Dynamics reported the first iPhone vulnerability, related to the automatic phone-number dialing feature built into the Safari web browser. Under certain conditions, a malicious user could redirect the calls of an iPhone owner to a different telephone number, make calls without the user’s knowledge, make it impossible to connect calls, or initiate an endless dialing cycle that could only be stopped by rebooting the device.

Organizing an attack, as SPI Dynamics reports on its website, could theoretically be done in a number of ways. In particular, malicious users could attempt to lure a potential victim onto a malicious website. Alternatively, an attack could be launched via a legitimate online resource vulnerable to CSS (cross-site scripting) attacks.

“Because this vulnerability can be launched from Web sites, everybody who has an iPhone has the potential to get exploited,” said Bill Hoffman, an SPI analyst. That means this is a serious vulnerability.

The iPhone has a number of distinguishing features that may well complicate things for virus writers. First, it can only use Bluetooth to connect to Bluetooth headset devices. Bluetooth cannot be used to transfer files or synchronize the phone with a personal computer. This peculiarity makes the possibility of worms like Cabir (which targeted Symbian) questionable. The lack of Bluetooth file transfer capabilities will likely deprive any future worms of their key mode of transportation.

The second limitation is… no MMS! This feature (or lack thereof) has caused a great deal of criticism among users, but it means the same thing for viruses that the lack of Bluetooth file transfer means for worms. If there’s no MMS, then the second most common route for spreading malicious programs is also blocked off. The ComWar Symbian worm will not likely migrate to the iPhone.

These are some major limitations, no doubt about it. But the most remarkable thing is that they are not the result of Apple’s consideration of potential problems with mobile worms or a decision to increase the device’s security.

Considering all of the above, our conclusion is that malicious programs for the iPhone will likely begin to emerge during the next year, but they probably won’t be worms. Instead, they will probably be typical file viruses and a variety of Trojans. But the biggest threat for iPhone users will be the different vulnerabilities that may be used by malicious users to access information stored on the phone.

Mpack

In mid June, the IT security media were bombarded with reports from Italy. Several thousand Italian websites turned out to be the sources of malicious programs spreading. Over several days, over six thousand servers were found with pages containing several lines of HTML code that were added by someone other than the owners of these sites. The code looked something like this (there are a number of variants when the size of the iframe windows (width/height) are shown as zero, one, etc.):

Kaspersky Lab experts have known about these strings for several years now. They are a typical construction used to exploit vulnerabilities in browsers. The website shown in the “address” field acts either as a redirector to the next site containing the exploit, or is the infector itself.

The iframe tag long ago became one of the favorite techniques in these cases. It embeds a second page inside the one being viewed, and when the frame size is set to zero it goes unnoticed by the user. As a result, the exploit runs unnoticed, and the user won’t even suspect that he is visiting any website other than the one in the main window.

Here are some recent examples:

In September 2006, Kaspersky Lab analysts received a report about strange web browser behavior when users opened top.rbc.ru pages: Internet Explorer, even with all the patches installed, would crash, and Firefox worked, but would eat up about 400 MB of RAM.

In analyzing these pages, Kaspersky Lab analysts found code linking to a site registered in the pp.se domain. Following that link, they found a script exploiting the vulnerability described in Microsoft Security Advisory (926043).

The exploit downloaded the latest version of Trojan-PSW.Win32.LdPinch.ayj.

In December 2006, Kaspersky Lab experts found at least 470 servers infected by Trojan-Downloader.JS.Psyme, and all of them were using the services of the hosting provider Valuehost. One of the infected resources was the popular www.5757.ru.

When Internet users visited the infected sites, a script built into the page by malicious users would begin to download Trojan-Downloader.JS.Psyme.ct, which would then download other malicious programs to the victim machine.

As you can see, we have already had quite a bit of experience in fighting these kinds of exploits. Several days before the problems in Italy, we recorded a similar incident in Russia, once again on the popular website RBC.ru.

On June 7, 2007 many users who visited rbc.ru saw an antivirus warning declaring that a Trojan was attempting to infect the system.

A detailed analysis showed that the homepage contained the following code:

We were surprised that Mpack had made it beyond Russian borders and was used in Italy. Here’s why:

  • Mpack was created in Russia and was sold by Russian hackers to Russian hackers.
  • Its authors are people who were active participants in creating and supporting another widespread Trojan, LdPinch.
  • The black market features several similar exploit packages: Q406 Roll-up package, MDAC, WebAttacker, etc. These are all much more “effective” than Mpack.

Let’s take a closer look at what’s happening and how.

The core of such a kit is a collection of exploits written in PHP (or any other scripting language, such as VBS or JS).

This collection includes several exploits that take advantage of vulnerabilities in popular browsers and operating systems. The simplest collection might be something like this:

  • MS06-014 for Internet Explorer 6
  • MS06-006 for Firefox 1.5
  • MS06-006 for Opera 7
  • WMF Overflow
  • QuickTime Overflow
  • WinZip Overflow
  • VML Overflow

As a rule, the exploits are also encrypted in order to evade web antivirus programs and to make it harder to detect and analyze them.

Malicious users place a ready-made set of exploits on their own site, and from there the main idea is to get users to visit. Other sites are used for these purposes. The malicious user will receive access to other sites, usually by using access accounts previously stolen by a Trojan such as LdPinch.

Then the malicious iframe tag will be added to all of the pages of these sites, which leads to the site with the exploits. In order to add the iframe tag to mass numbers of websites, a malicious user might use other programs, such as FTPToolz, which was also created by another Russian schoolboy.

Then everything is ready, and thousands and tens of thousands of people visit the sites they usually visit without suspecting that they have been hacked and that their browsers are being attacked by a number of different exploits.

But getting the exploits to work isn’t the end goal for malicious users. The objective is to install malicious programs on the victim computers. Generally, this involves installing a Trojan Downloader. This gives malicious users the opportunity to subsequently install viruses, worms, backdoors, spyware, etc. on victim computers.
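The chain described above (a zero-size iframe injected into pages of a compromised site, pointing at a redirector or exploit host on another domain) is something a site owner or web proxy can look for directly. The following is an added example of such a check, not code from Kaspersky Lab or from Mpack: it parses HTML, keeps only iframes that are hidden (zero or one-pixel dimensions, display:none, visibility:hidden, or pushed off-screen) and that point off-site, and reports the foreign host. The sample page and its hostnames are constructed for the demonstration.

```python
"""Flag hidden, off-site iframes in an HTML page (added example, constructed data).

This is the injection pattern the report describes: a tiny or invisible
<iframe> whose src leads to a redirector or exploit host on another domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute ('0', '1px', '0%'); None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe would be invisible or negligible to the user."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):0", style):          # zero size set via CSS
        return True
    if re.search(r"(left|top):-\d+", style):            # pushed off-screen
        return True
    return False


def find_suspicious_iframes(html, page_host):
    """Return (src, host) for iframes that are hidden AND point off-site.

    A relative src has no host and is treated as on-site; a visible
    off-site frame (e.g. an embedded video) is not reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        if host != page_host and is_hidden(attrs):
            hits.append((src, host))
    return hits


# Constructed sample page: one legitimate frame, one on-site tracking pixel,
# and two injected frames in the style the report describes. The .invalid
# hosts are placeholders, not real indicators.
SAMPLE_PAGE = """<html><body>
<h1>Latest news</h1>
<iframe src="http://www.example.com/video" width="400" height="300"></iframe>
<iframe src="http://redirector.invalid/in.cgi?3" width="0" height="0"></iframe>
<iframe src="/local/counter" width="1" height="1"></iframe>
<iframe src="http://exploit-host.invalid/index.php" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, host in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f"hidden off-site iframe -> {host}: {src}")
```

Run over a site's own pages from a crawler or over a proxy's HTML responses, the output gives the foreign hosts to block and the pages that need their injected lines removed; comparing each page against a known-good copy catches the same thing with fewer false positives.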

All similar sets of exploits have statistics modules and malicious users can access information about how many users have been infected, where in the world they are located, what browsers they use and which sites snared the victims.

Mpack’s authors were selling the program for $1,000 with further support (adding new exploits to the collection) offered separately. This is exactly the same way in which the other popular exploit collections named above are sold.

One way to gauge the effectiveness of an exploit collection is the infection rate for users who visit the infected site. The authors promise a 30% – 50% hit rate, although practice shows that the figures generally do not exceed 10% – 12%. This rate is still reason for worry if you consider that thousands of users are visiting the site.

We believe that the biggest problem is that it is extremely difficult to hold the authors of Mpack criminally responsible. Technically, they are merely running an illegitimate business and not paying taxes on their sales. They aren’t hacking websites to put iframe links on them – that’s what their customers do. They don’t spread Trojans – their customers do. They just take exploits from open sources that are published on hundreds of websites for IT security purposes and which were found by other people. They are merely collecting these exploits into a group and are not liable for how they are subsequently used.

Let’s take a look at the popular and respected IT security project Metasploit Framework. There is no difference between what the authors of Mpack do, and what HD Moore (the author of Metasploit) does. The only difference is that one of them speaks honestly about what these exploit collections can be used for, and the other claims their product is an administration tool needed to test the security of computer systems.

This is where we come to the age-old question: does published information do more harm than good? We don’t want to get into the middle of an argument about this with either side. For now, we will simply state the facts, but we promise to return to this issue and voice our views on what’s going on today in terms of blackhat vs. whitehat.

Viver

In mid May we found three variants of a new Trojan for cell phones: Trojan-SMS.SymbOS.Viver. This Trojan sends fee-based text messages to premium numbers. As a result, the subscriber who falls victim is charged a certain amount of money that is then transferred to the malicious user’s account.

Similar Trojans aren’t anything new: last year we detected the first such creations capable of running on practically any cell phone with Java support (e.g. RedBrowser, Wesber). What makes Viver different from the others is that it was written specifically for phones running on the Symbian platform and is the first text message Trojan for smartphones.

An analysis helps us establish how this Trojan spreads and how malicious users get the money.

The Trojans were placed on a popular Russian website for smartphone users, dimonvideo.ru, in the file exchange section. Files can be added by any of the site’s registered users.

As usual, the Trojans were disguised as useful utility programs, such as photo editors, video codecs, etc. After installation on a smartphone, the Trojan sends a text message to the number 1055. The cost of the text message amounts to 177 rubles (about US $7).

The number 1055 is very interesting. It turned out that this was not the first time this number had been used by Russian cell phone fraudsters. And they continue to get away with it…

How does it work?

We know that cell phone operators rent out short numbers – but the costs are too high for a private individual to bear. There are certain content providers that lease these short numbers and sub-lease them out with a certain prefix.

The short number 1055 is leased by one such Russian content provider. When the number is sub-leased, the prefix at the start of the message body (for example, S1) identifies the sub-lessee: the provider’s system takes a portion of the cost of the message and credits the rest to the account of the party sub-leasing that prefix, i.e. S1. The cell phone operator takes 45% – 49% of the cost of the message, and the provider takes another 10%. The remainder goes to the party sub-leasing the number, who in this case is the cell phone fraudster.

It is known and proven that one variant of Viver alone spread to nearly 200 people in a mere 24 hours, after which the site’s administrator deleted the information needed to access the Trojan. A simple calculation shows that with 200 victims at 177 rubles per message, subscribers were billed roughly 35,400 rubles; after the operator’s and provider’s shares, the malicious user could have “earned” around 14,000 rubles (over US $500) in one day.
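As an added illustration (this is not code from the report or from Kaspersky), the following Python model walks through the billing chain described above using the report’s own figures: short number 1055, 177 rubles per message, an operator share of 45–49% and a provider share of 10%, with the remainder credited to the sub-lessee identified by the prefix in the message body. The message log, the sub-lease table, the exact body format and the phone numbers are constructed assumptions; the point is to show how a prefix routes money to a particular account and how much of the 35,400 rubles billed ends up with the fraudster.

```python
"""Model of the premium-SMS revenue chain behind Trojan-SMS.SymbOS.Viver.

Added example, not code from the original report. Figures from the
report: short number 1055, 177 rubles per message, operator share
45-49%, content provider share 10%, remainder to the sub-lessee whose
prefix (e.g. "S1") opens the message body. Everything else (the
sub-lease table, body format, phone numbers) is a constructed assumption.
"""
import re
from dataclasses import dataclass
from decimal import Decimal

SHORT_NUMBER = "1055"            # premium short number used by Viver
PRICE_RUB = Decimal("177")       # cost of one message, per the report
PROVIDER_SHARE = Decimal("0.10")  # content provider's cut, per the report

# Hypothetical sub-lease table: prefix -> account credited with the remainder.
SUBLEASES = {
    "S1": "fraudster-account",        # prefix the Trojan is assumed to use
    "S2": "legitimate-content-shop",  # an unrelated, honest sub-lessee
}

_PREFIX_RE = re.compile(r"^([A-Z]\d+)\b")  # assumed prefix format: letter + digits


@dataclass
class Message:
    sender: str   # subscriber's number (constructed)
    dest: str     # destination number
    body: str     # text the phone sent


def route(msg: Message):
    """Return the sub-lessee account a message is credited to, or None.

    Only messages to the leased short number whose body opens with a
    known prefix are billed to a sub-lessee; everything else is ignored.
    """
    if msg.dest != SHORT_NUMBER:
        return None
    m = _PREFIX_RE.match(msg.body.strip().upper())
    if not m:
        return None
    return SUBLEASES.get(m.group(1))


def split(price: Decimal = PRICE_RUB, operator_share: Decimal = Decimal("0.49")):
    """Divide one message's price between operator, provider and sub-lessee."""
    operator = price * operator_share
    provider = price * PROVIDER_SHARE
    return {
        "operator": operator,
        "provider": provider,
        "sublessee": price - operator - provider,
    }


def settle(messages, operator_share: Decimal = Decimal("0.49")):
    """Aggregate what subscribers were billed and what each sub-lessee nets.

    Returns (gross_billed, {account: net_credit}, distinct_victims).
    """
    gross = Decimal(0)
    totals = {}
    victims = set()
    for msg in messages:
        acct = route(msg)
        if acct is None:
            continue
        gross += PRICE_RUB
        victims.add(msg.sender)
        share = split(PRICE_RUB, operator_share)["sublessee"]
        totals[acct] = totals.get(acct, Decimal(0)) + share
    return gross, totals, len(victims)


def constructed_log(n_victims: int = 200):
    """Constructed log: one message per infected phone, all carrying prefix S1."""
    return [Message(f"+79000000{i:03d}", SHORT_NUMBER, "S1") for i in range(n_victims)]


if __name__ == "__main__":
    for share in (Decimal("0.45"), Decimal("0.49")):
        gross, totals, n = settle(constructed_log(), share)
        print(f"operator {share:.0%}: {n} victims billed {gross} RUB, "
              f"fraudster nets {totals['fraudster-account']} RUB")
```

Run stand-alone, the script shows that 200 victims are billed 35,400 rubles and that the fraudster’s net share lies between roughly 14,500 and 15,900 rubles depending on the operator’s cut, which is where the report’s “over US $500 in one day” comes from. The `route` function is also the place a provider or operator could add a check: the sub-lessee is known from the prefix before any money moves, yet nothing in the chain asks the subscriber to confirm the charge.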

This incident shows, once again, that modern cell phone technologies continue to attract the attention of cyber criminals. In this case the scheme was based on the “short number services” offered by many mobile operators and content providers. Unfortunately, the ability to take money from a mobile subscriber’s account without his knowledge and without any additional confirmation is a weak spot in today’s cellular services, one which damages the reputations of mobile operators, content providers and the services themselves.

In May we registered three such incidents. We can only guess how many more went undetected. Unfortunately, we do not have statistics for most other countries, and foreign antivirus companies have not issued reports on similar incidents. It’s difficult to believe that this is an exclusively Russian problem.

Conclusion

The key events of the second quarter discussed in this report are certainly food for thought, but they still do not answer our question: what is the next step for viruses and information threats? Despite the emergence of new operating systems (such as Windows Vista), new services (mobile content) and new devices (the iPhone), the cyber criminal underworld continues to lack initiative and relies on tried-and-true ways of harming Internet users. Innovations are limited to a small number of proof-of-concept threats that are not developed further.

Furthermore, we are observing a significant return to basics: computers are increasingly targeted by DDoS attacks and by attacks that use browser vulnerabilities to penetrate the system. Probably the only thing that distinguishes the present from three years ago is that email is no longer the primary vehicle for spreading viruses; instead, instant messaging services are one of today’s key means of distribution. One more difference is the explosive increase in Trojans targeting the users of online games.

The threats are not becoming “smarter.” Innovation has stagnated, as development is now focused on cosmetic changes, and we still don’t know what may ultimately serve as a catalyst for changing the nature of viruses in the global arena, an event comparable to the launch of Windows 95, the emergence of the LoveLetter and Melissa worms, the first macro virus, or the Lovesan and Mydoom epidemics.

Antivirus companies, meanwhile, have considerably improved their existing technologies, introduced several new ones, and continue to develop new methods.

Each new version of just about any antivirus product is more than a different interface: it includes several new features that greatly improve the user’s protection. Today, antivirus company clients are protected much more effectively than two years ago. The average time that most new malicious programs spend “in the wild” has been cut to a number of hours and is rarely counted in days anymore.

But let’s try to predict what will happen next.

Malicious users will attempt to reach beyond the “field of protection” put in place by antivirus solutions. This is a shift from “getting around” antivirus programs: it implies more activity in areas that quality antivirus protection has not yet mastered, or where protection is not an option for any number of reasons. This is more than likely where the new front in the information war will form: online games, blogs, instant messengers and file exchange networks.
