Malware Evolution: August Roundup

In contrast to last summer, August was a relatively quiet month in terms of virus activity. However, the month did bring certain developments in the evolution of malicious code. Some of the programs which were first detected this month are likely to appear more frequently in the future.

The most important event this month was the appearance of Backdoor.WinCE.Brador.a. This is the first true malicious program for Pocket PCs; although last month a proof of concept virus was detected devices running Windows CE, it was effectively harmless and not detected in the wild. Brador, in contrast, is a remote administration utility, which can receive and execute a range of commands. The author of the program is offering to sell the client part to any interested party; if this offer is taken up, Brador may become widespread in the future.

Another innovation this month was Trojan.SymbOS.Mosquit.a. This Trojan for mobile phones confirms the theory that once the first piece of malicious code for an operating system has appeared, variations or new programs will not be long in following. In this case, Mosquit.a followed on the heels of Cabir, the proof of concept virus coded for phones running the Symbian operating system, which was first released in June this year. Mosquit is actually a popular game for mobile phones. However, the program is coded to send SMS messages to numbers contained in the body of the program, without the knowledge of the user; it is therefore classified as a Trojan.

The flood of Trojan spy programs showed no signs of decreasing in August, with 7 new versions of Trojan.PSW.LdPinch being detected, and two new versions of TrojanSpy.Win32.Small.q. This Trojan is designed to steal account details to 55 on-line payment systems; the information is then sent to the author of the program. Also circulating this month were a number of modifications of Trojan.PSW.Lmir, a program which steals passwords to Legend of Mir, a Chinese on-line game.

In the middle of the month, the British company Pentest announced the detection of a vulnerability in WIDCOMM Bluetooth Connectivity software. The vulnerability allows the execution of arbitrary code with current user rights. No patch for this vulnerability has been released. Although so far there have been no reports of this vulnerability being exploited, it may only be a matter of time before the first program coded to take advantage of this loophole appears.

The end of the month brought a number of emails with the subject ‘1’, and an attachment named 1.gif or 2.gif. The attachments contained the text 45451212. The messages themselves contained html code, which uses Exploit.HTML.ObjData to download a file containing TrojanDropper.Win32.Small.kv from the Internet. This Trojan spread with a number of versions of Bagle; this spam mailing may be a preparation for the release of a new version of Bagle.

August also brought a new Mydoom epidemic: I-Worm.Mydoom.q. This worm was programmed to cease replicating on 20th August when the system clock shows 21.11.11. However, Backdoor.Win32.Surila.g, which Mydoom installed on victim machines, has no expiry date; the machines will remain open to remote administration until the backdoor program is removed.

Forecast for the coming month:

Next month worms will, as usual, be the most widespread type of malicious program, while spy programs will appear in the highest numbers. It is quite possible that new malicious programs for hand held computers and mobile phones will be detected, including programs which use the vulnerability in WIDCOMM Bluetooth Connectivity Software to spread. The spamming of Exploit.HTML.ObjData, which downloads TrojanDropper.Win32.Small.kv may be the precursor to another Bagle outbreak.