
Malware Evolution: December Roundup

In December 2004, 3 vulnerabilities in Windows NT (affecting Windows NT, 2000, 2003 and XP) were detected.

  • A vulnerability in winhlp32.exe, which is used to open files with an .hlp extension
  • A vulnerability making it possible for arbitrary code to be executed when specially crafted .bmp, .ico, .cur and .ani files are opened
  • A vulnerability making it possible to crash a system when a specially crafted .ani file is opened

It therefore seems likely that a large number of exploits for these vulnerabilities will start to appear at the beginning of 2005. However, Russian virus writers and hackers are likely to start exploiting these vulnerabilities sometime in the middle of January, the delay being due to a large number of national holidays.

Email-Worm.Win32.Atak was active throughout December, with a new version appearing approximately every three days. The first two versions of this worm made their initial appearance in July this year, and December brought a total of 11 new versions.

Net-Worm.Perl.Santy, a worm which infected websites, caused a significant outbreak on 21st December. This worm exploited a vulnerability in phpBB, a popular application for creating sites; the vulnerability is present in versions lower than 2.0.11. The worm used a specially formulated Google search request to find sites running vulnerable versions of phpBB, then sent a string containing an exploit for the vulnerability to the sites in question. When the server under attack processed the exploit, the worm penetrated the site and commenced its propagation routine. Although it caused a serious outbreak, Santy didn’t represent a direct threat to rank-and-file Internet users, as it didn’t infect the machines used to view compromised sites.
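A defender's first question after Santy was whether any phpBB install still sat below 2.0.11. The check below is an added example, not code from the roundup; the inventory is constructed sample data, and it shows why the comparison must be numeric rather than a string compare (which would rank '2.0.9' above '2.0.11').

```python
# Added example (not from the original roundup): flag phpBB installs that are
# still below 2.0.11, the first version not affected by the flaw Santy exploited.
from typing import Dict, List, Tuple

FIXED_IN = "2.0.11"  # per the roundup: versions lower than 2.0.11 are vulnerable


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.10' into (2, 0, 10) so comparison is numeric, not lexical.
    A plain string compare would wrongly rank '2.0.9' above '2.0.11'."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the installed version is lower than the fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames (sorted) whose phpBB version still needs the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostname -> phpBB version string.
SAMPLE_INVENTORY = {
    "forum.example.test": "2.0.10",
    "board.example.test": "2.0.11",
    "old.example.test": "2.0.9",
    "new.example.test": "2.0.12",
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: phpBB {SAMPLE_INVENTORY[host]} < {FIXED_IN}, upgrade required")
```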

Email-Worm.MyDoom came in a special holiday edition; infected messages contained the text ‘Mery Chrismas & Happy New Year! 2005 will be the beginning!’ or ‘Happy New year and wish you good luck on next year!’. There were other Christmas presents in the form of the latest Zafi variant, Zafi.d, and a large number of email worms written in Visual Basic.

A large number of new versions of Trojan-PSW.Win32.LdPinch, Backdoor.Win32.SdBot, and Backdoor.Win32.Rbot were also detected. The versions generally differed from each other only in the way the executable files were encrypted.

The majority of December’s malicious programs were written in order to gain information, or control over a remote machine. December’s most widespread malicious programs were as follows:

  • Trojan-Downloader – programs which will download another program to the victim machine
  • Trojan-Spy, Trojan-PSW – programs designed to steal a variety of information
  • Worm
  • Backdoor – programs designed to provide remote access to the victim machine

It seems likely that January won’t differ much from December in terms of malware evolution: December’s trends won’t change significantly in January. Additionally, as predicted last month, the number of phishing attacks continues to rise, another trend which looks set to continue.
