
Malware Evolution: December Roundup

In December 2004, three vulnerabilities in the Windows NT family (affecting Windows NT, 2000, 2003 and XP) were detected:

  • A vulnerability in winhlp32.exe, which is used to open files with an .hlp extension
  • A vulnerability making it possible for arbitrary code to be executed when specially crafted .bmp, .ico, .cur and .ani files are opened
  • A vulnerability making it possible to crash a system when a specially crafted .ani file is opened

It therefore seems likely that a large number of exploits for these vulnerabilities will start to appear at the beginning of 2005. However, Russian virus writers and hackers are likely to start exploiting these vulnerabilities sometime in the middle of January, the delay being due to a large number of national holidays.

Email-Worm.Win32.Atak was active throughout December, with a new version appearing approximately every three days. The first two versions of this worm made their initial appearance in July this year, and December brought a total of 11 new versions.

Net-Worm.Perl.Santy, a worm which infected websites, caused a significant outbreak on 21st December. This worm exploited a vulnerability in phpBB, a popular application for creating sites. The vulnerability is present in versions lower than 2.0.11. The worm used a specially formulated Google search request, which would find sites running vulnerable versions of phpBB. The worm then sent a string which contained an exploit for the vulnerability to the sites in question. The server under attack, when processing the exploit, allowed the worm to penetrate the site and commence its propagation routine. Although it caused a serious outbreak, Santy didn’t represent a direct threat to rank-and-file Internet users, as it didn’t infect the machines used to view compromised sites.

Email-Worm.MyDoom came in a special holiday edition; infected messages contained the text ‘Mery Chrismas & Happy New Year! 2005 will be the beginning!’ or ‘Happy New year and wish you good luck on next year!’. There were other Christmas presents in the form of the latest Zafi variant, Zafi.d, and a large number of email worms written in Visual Basic.

A large number of new versions of Trojan-PSW.Win32.LdPinch, Backdoor.Win32.SdBot and Backdoor.Win32.Rbot were also detected. The versions generally differed from each other only in the way the executable files were encrypted.

The majority of December’s malicious programs were written in order to gain information, or control over a remote machine. December’s most widespread malicious programs were as follows:

  • Trojan-Downloader – programs which will download another program to the victim machine
  • Trojan-Spy, Trojan-PSW – programs designed to steal a variety of information
  • Worm
  • Backdoor – programs designed to provide remote access to the victim machine

It seems likely that January won’t differ much from December in terms of malware evolution; December’s trends are not expected to change significantly. Additionally, as predicted last month, the number of phishing attacks continues to rise, another trend which looks set to continue.
