Malware Evolution: December Roundup

In December 2004, 3 vulnerabilities in Windows NT (affecting Windows NT, 2000, 2003 and XP) were detected.

• A vulnerability in winhlp32.exe, which is used to open files with an .hlp extension
• A vulnerability making it possible for random code to be executed when specially crafted .bmp, .ico, .cur and .ani files are opened
• A vulnerability making it possible to crash a system when a specially crafted .ani file is opened

It therefore seems likely that a large number of exploits for these vulnerabilities will start to appear at the beginning of 2005. However, Russian virus writers and hackers are likely to start exploiting these vulnerabilities sometime in the middle of January, the delay being due to a large number of national holidays.

Email-Worm.Win32.Atak was active throughout December, with a new version appearing approximately every three days. The first two versions of this worm made their initial appearance in July this year, and December brought a total of 11 new versions.

Net-Worm.Perl.Santy, a worm which infected websites, caused a significant outbreak on 21st December. This worm exploited a vulnerability in phpBB, a popular application for creating sites. The vulnerability is present in versions lower than 2.0.11. The worm used a specially formulated Google search request, which would find sites running vulnerable versions of phpBB. The worm then sent a string which contained an exploit for the vulnerability to the sites in question. The server under attack, when processing the exploit, allowed the worm to penetrate the site and commences its propagation routine. Although it caused a serious outbreak, Santy didn’t represent a direct threat to rank-and-file Internet users, as it didn’t infect machines used to view compromised sites.

Email-Worm.MyDoom came in a special holiday edition; infected messages contained the text ‘Mery Chrismas & Happy New Year! 2005 will be the beginning!’ or ‘Happy New year and wish you good luck on next year!’. There was other Christmas presents in the form of the latest Zafi variant, Zafi.d, and a large number of email worms written in Visual Basic.

A large number of new versions of Trojan-PSW.Win32.LdPinch, Backdoor.Win32.SdBot, and Backdoor.Win32Rbot were also detected. The versions generally differed from each other only in the way the executable files were encrypted.

The majority of December’s malicious programs were written in order to gain information, or control over a remote machine. December’s most widespread malicious programs were as follows:

• Trojan-Downloader – programs which will download another program to the victim machine
• Trojan-Spy, Trojan-PSW – programs designed to steal a variety of information
• Worm
• Backdoor – programs designed to provide remote access to the victim machine

It seems likely that January won’t differ much from December in terms of malware evolution. December’s trends won’t change significantly in January. Additionally, as predicted last month, the number of phishing attacks continues to rise, another trend which looks sent to continue.