Malware evolution: January – July 2007

This half-year report examines changes in malware compared with to the second half of 2006. This report was prepared using a new statistical method that differs from the method we used previously. The figures for 2006 shown in this report were also calculated using the new method, and so they may not coincide with the figures published in the previous annual report.

Different types of malware in the first half of 2007

Kaspersky Lab’s classification system contains three malware classes:

• TrojWare: various Trojan programs that are not capable of self-replicating (backdoors, rootkits and all kinds of Trojans);
• VirWare: self-replicating malicious programs (viruses and worms);
• Other MalWare: software that is actively used by malicious users to create malicious programs and organize attacks.

The first half of 2006 brought some notable changes. The number of malicious programs detected each month increased by an average of 89% from the second half of 2006 and amounted to 15,292.2 (up from 8,108.5 in the second half of 2006). A total of 91,753 new malicious programs were detected over the reporting period.

The same trend noted in previous years continued into the first half of 2007: the share of Trojans grew and the numbers for VirWare and Other MalWare declined.

During the first six months of this year, the percentage of Trojans increased by 2.61% to 91.36%. The two key reasons behind the strong growth of Trojans on the Internet are (1) it is relatively easy to create malicious programs in this class of malware (in contrast to creating worms and viruses), and (2) Trojans are able to steal data, and can be used to create botnets which are then used in organizing spam mailings.

The falling percentages of worms and viruses (VirWare) is not as noticeable as in past years (down by 2.26%), although it is easy to explain the extremely low levels they have already reached. The share of VirWare will not likely continue to fall anytime soon. Instead, it is expected to reach a state of equilibrium. Worms and viruses will not disappear from the scene altogether, and may even see a little growth in 2007, depending on whether or not new critical vulnerabilities are found in Windows operating systems in general and Vista in particular.

As far as the Other MalWare class is concerned (specifically different types of exploit), despite an increase from the last six months of 2006, Other MalWare has seen a decline of 0.36%, leaving it at a meager 1.95%.

Let’s now take a more detailed look at the changes that have taken place in each class.

Trojans

The chart below illustrates the number of new Trojans detected by Kaspersky Lab each month:

Even from a quick glance at the chart, it’s obvious that Trojans are steadily on the rise. They are becoming more of a threat, especially since the overwhelming majority of Trojans are programs designed to cause financial damage to Internet users.

The next figure shows a breakdown of different subcategories of Trojans:

In order to better understand the changes that are taking place within the Trojan class, one may examine the growth dynamics among different malware behaviors within the class. Nearly every kind of Trojan has markedly increased in number:

 

In the first half of 2007, backdoors showed the largest increase among all Trojans at 202%. Only email worms experienced a similar upsurge in number back in 2002-2004. These days, most backdoors are created in China – over 30% of all detected backdoors, according to our statistics.

Such high growth rates among backdoors have changed the distribution of malware behaviours in the TrojWare class. In 2006, the largest percentage was accounted for by Trojan Downloaders, but these days, Downloaders represent only a third of this group.

In addition to backdoors, which now account for nearly one-third of all Trojans (and almost one-third of all malware), there has been a significant increase in the number of PSW Trojans, which steal user accounts for a variety of services, applications and games (+135%). This particular TrojWare behavior is ranked in second place – just as it was in the second half of 2006 – retaining a high position in spite of the still large number of Downloaders.

At present, there are three main types of behaviour in the TrojWare class:

1. Backdoors, PSW Trojans, and Trojan Downloaders. These are the most widespread kinds of Trojan and represent over 70% of the entire TrojWare class (the share of each of these subcategories exceeds 20%).
2. Trojans and Trojan Spies. The percentage of these subgroups average between 8% and 10%. While it is highly improbable that they could increase enough to enter the first group, it is also unlikely that they will fall enough to enter the third category.
3. Trojan Proxies, Trojan Droppers, Trojan Clickers, and other Trojans. The shares of these behaviours amount to less than 3% each. With the exception of Trojan Clickers, the growth rate among the behaviors in this group does not exceed 30%. The programs in this category could possibly increase in number and enter the second group, although it is more likely that the percentages of the malware behaviours in this group will continue to inch down as the figures for representatives of the first group continue to climb.

Gaming Trojans

In the first half of 2007, the number of PSW Trojans increased by 135%, and the current positive trend means that this category of Trojans will continue to grow. PSW Trojans managed to top their 2006 results (+125%). Such high numbers are due to the fact that 68% of PSW Trojans are Trojans for online games, which are designed to steal user data for a variety of online games.

Online games are currently experiencing a peak in popularity. Online games such as World of Warcraft, Lineage and Legend of Mir are played by millions of people around the world, especially in Asia. Often the value of online characters or various in-game items reach tens of thousands of dollars. This obviously attracts the interest of cyber criminals, who steal account data and then sell stolen virtual items on Internet auction sites.

Trojans for online games include the following families of Trojan spy programs:

 

A total of 64% of the number of Trojans for online games was represented by the OnlineGames family in the first six months of 2007. This family differs from the others in this Trojan category in that it is made up of Trojans designed to steal account information for two or more games and Trojans that attack less popular games. Kaspersky Lab began to single out this family during the second half of 2006. While we are observing incredible growth of 127%, this of course does not portray the actual state of affairs since the statistical period is still much too short. Data which more accurately reflects the situation will be available in another six months.

Lmir, the oldest family – at one time also the most numerous – of Trojans for online games, targets the game Legend of Mir. This family has been falling in position for some time now. In 2007 the share of these Trojan spies fell 21%. A slight decline also took place among Trojans targeting World of Warcraft (down 14%).

Otherwise, virus writers have clearly become more interested in other virtual worlds, such as Gamania (the Magania family of Trojans) and Tibia. Although Tibia saw an upsurge of 200%, the number of new Trojans (45) was relatively small. Gamania, on the other hand, is currently the second most often attacked virtual world.

Considering the non-representative numbers of the OnlineGames family, the most common Trojan family for online games is Nilage, which targets accounts for the game Lineage and accounts for over 18% of all Trojans for online games.

Banking Trojans

A significant share of Trojans – which triggered a 69% rise among Trojan Spies – are the so-called Bankers. These are Trojans that are designed to steal access data for various online payment systems, online banking services and credit card details. This is probably the most common line of business among cyber criminals. In addition to Trojan Spies, the Banker group also includes some Trojan Downloaders (the Banload family), which works by downloading a variety of Bankers to infected computers. This feature makes Banload an inseparable member of the group of Banker Trojans.

In 2006, Banker Trojans continued to evolve and the number of new Bankers nearly doubled, up 97% from 2005. In 2007 the growth rate slowed down slightly, with the half-year increase recorded at 62% up from the second half of 2006. That means over 4,500 new Trojans.

Rootkits

Rootkits also deserve a mention. Rootkits were not included in the charts showing the breakdown of Trojan behaviors, since there are fewer of them than even Trojan Clickers which are right at the bottom of the chart. However, rootkits are often a cover for many different kinds of Trojans, and one and the same rootkit can be used by more than one malicious user. A variety of malicious programs may be classified as rootkits; both those with the word ‘rootkit’ in their classification name, and some other Trojan families which use rootkit technologies, such as Backdoor.Win32.HacDef.

In 2005 (when we first classified rootkits as a separate behaviour) rootkits demonstrated an unprecedented growth of 413%. At that time, rootkits were one of the hottest topics in the antivirus industry, and virus writers actively worked on new developments in the field. After this skyrocketing growth, it would have been reasonable to expect a bit of a slowdown in the rootkit growth rate, but in 2006 they remained at a high level with a 74% increase.

During the first six months of 2007, rootkits experienced another growth spurt of 178%.

The most active use of rootkits this year was observed in the Zhelatin family of worms, and in a large number of backdoors created in China.

It remains unclear how the release of Windows Vista will influence the development of rootkit technologies. Windows developers have made assurances that rootkits cannot survive in the Vista environment.

Worms and viruses

The chart below shows the number of new VirWare programs detected by Kaspersky Lab each month:

The stagnation in this class that has been observed over the past two years (2004-2005) began to change towards the end of 2006. In the first six months of 2007, this growth continued, although absolute figures are still lagging behind the record high noted in October last year, when hundreds of new variants of the Warezov worm hit the scene.

The chart below illustrates the growth among the different behaviours of this class.

In the first half of 2007, so-called classic viruses demonstrated the most growth among all malware (+237%). This is primarily due to the highly widespread method of using flash drives to spread viruses. In 2007 the Win32.Autorun family of viruses produced another 200 new variants. The incidents linked to the infection of flash drives, including those used with cameras, phones and mp3 players, number in the hundreds. The ability to use the file autorun function with removable media storage devices and the “autorun.inf” file – which is included by default in Windows – is yet another hole in the security of this operating system. Readers should bear in mind that the Autorun family includes several dozens of the Viking worm, which is discussed below.

Representatives of the Worm behavior continued the trend that started in 2006, when they demonstrated growth of over 200%. In 2007 the Worm family slowed down a bit, but the growth rate still exceeds 100%. The leader once again was the Asian worm Viking. We examined Viking, its history and the reasons for the contained Chinese epidemic in our quarterly report (https://securelist.com/malware-evolution-january-march-2007/36145/). However, despite the fact that the author of the worm was arrested, Viking’s source code is still accessible on the Internet, and more and more new modifications created by other people are finding their way to antivirus companies.

A breakdown of different VirWare behaviours is shown in the pie chart below:

The most common behavior in the class is still the email worm, which accounts for over one-half of all VirWare. In 2006, the increase in the number of email worms amounted to 43% (mostly thanks to the Warezov worm’s “October madness”). In 2007, however, the growth rate is down to just 5%. The bulk of email worms are still represented by just three main families: Warezov, Zhelatin and Bagle. Eliminating one of these three from the scene would inevitably lead to a decrease in the representation of the behaviour as a whole, probably by dozens of percentage points.

The VirWare class can be divided into two main groups:

1. Email worm, worm and virus: The percentages of each of these behaviours account for over 15% of the entire VirWare class. Currently, there is a lack of any movement in the leader (Email-Worm) while worms and viruses are experiencing steady increases in number. It’s possible that the virus category might share second place with the worm category in the second half of 2007.
2. IM-Worm, Net-Worm, P2P-Worm, and IRC-Worm. The percentages of each of these behaviors represent less than 5% of all VirWare. The average growth rate ranges from 50% – 80%. Only IM Worms are likely increase in number due to the rapid evolution and adoption of instant messaging services, including Skype. The situation continues to worsen for Net -Worms, as there are no critical vulnerabilities in Windows OS network services, which rules out the possibility of virus writers implementing new approaches or exploiting this attack vector.

Over all, the growth rate in the VirWare class lags behind that of TrojWare (41% against 94%) and even behind Other MalWare numbers, which we will examine below.

Other MalWare

This class is the least widespread in terms of the number of detected malicious programs, yet it has the widest variety of behaviours.

Slow-moving growth in the number of new malicious programs in this class in 2004 – 2005 (13% and 43%, respectively) took a turn for the worse in 2006 (down 7%). However, the first six months of 2007 have demonstrated that 2006 was likely a period of stabilization for this class, which strengthened its position before reaching a new level. The most notable example of this took place in the second quarter of 2007, when the number of new programs detected on a monthly basis practically doubled.

Overall, at the end of the first six months of 2007, this class had experienced an increase of nearly 60%, although this turned out to be insufficient to retain its share of all malicious programs, and its percentage decreased in 2006 from 2.51% to 1.95% in 2007.

The pie chart below shows a breakdown of Other MalWare behaviours:

The chart below illustrates growth rate data among the behaviours in this class, showing a clearer picture of the changes that have taken place in Other MalWare:

 

Spam and DoS attacks have been two of the main topics in information security news in 2007. Starting in October last year, when Warezov began to build enormous botnets, the Internet saw a new turn in spam evolution: there was more spam, and more different types of spam. There are a few reasons these events could be linked. Warezov harvested email address databases and sent them to malicious users. Furthermore, it installed a variety of modules on victim machines so they could then be used to conduct spam mailings. Two other email worms – Zhelatin and Bagle – exhibited similar behaviour.

In 2005, Kaspersky Lab observed cyber criminals showing a certain interest in programs classified as SpamTool. In 2006, the number of malicious programs with this behaviour skyrocketed 107%, and there were five different kinds of SpamTool represented in the Other MalWare class. In the first six months of 2007, SpamTool was the absolute leader in terms of growth rates in this class. An increase of 222% helped SpamTool reach second place within its class.

DoS attacks were most common in 2002-2003, after which they spent a long time out of the spotlight. It’s possible that this was due to a certain change in the generations of cyber criminals. Those who had employed DoS attacks 4-5 years ago began using more “subtle” ways of making money, such as sending spam, stealing data and installing AdWare. Today, there is a new generation of script-kiddies who don’t yet know how to do much of anything and prefer to use other people’s creations combined with brute force. This is why we have seen an upsurge in the use of several different DoS programs (up 209%) that help organize DoS attacks and use the same botnets around the world. Although the number of these behaviours is still small, a clear growth rate has been observed and it’s possible that they could number in the hundreds this year.

The most common new kinds of malicious programs in Other MalWare are still exploits designed to target a variety of vulnerabilities. This may remind readers of several major stories when collections of exploits were offered for sale by different hacker groups and later found on thousands of hacked sites (see Mpack in the second quarterly report).

Overall, the growth in the number of exploits is seen as average, but still not sufficient to put them at their previous 30% of the Other MalWare class. SpamTool programs will probably not be able to outnumber exploits.

Virus writers are still very interested in using all different types of constructor program. This also demonstrates the attitude of the new generation. Using constructors means there is no need to create something from scratch – you don’t even need programming skills to use one to create a malicious program in a matter of minutes.

Platforms and operating systems

Kaspersky Lab has not previously published detailed statistics on the numbers of malicious programs targeting various operating systems and platforms, and instead restricted publications to separate analyses of the non-Windows systems that generate the most interest (*nix, Mac OS and Symbian). However, this report will examine the situation as a whole.

Operating systems and applications may be susceptible to an attack from malicious programs if and when they are capable of launching a program that is not a part of the system itself. This condition is met by all operating systems, many office applications, graphics editors, project planning systems and other software suites that have built-in scripting languages.

In the first six months of 2007 alone, Kaspersky Lab recorded malicious programs for 30 different platforms and operating systems.

Naturally, the overwhelming majority of existing malicious programs are designed to function in the Win32 environment and are executable binary files. Other malicious programs that target different operating systems and platforms represent less than 4% of all malware.

However, the share of non Win32 malicious programs increased in the first half of 2007 from 3.18% to 3.42%. The numbers are still relatively small, but the rate at which these figures are increasing reached nearly 111%, which exceeds the same figure for malicious programs targeting Win32 (96%). Clearly, in the future the percentage of programs aimed at Win32 will decrease as more malicious programs will be designed to target Win64 and also as other operating systems gain in popularity.

 

The chart below illustrates the growth rates among malicious programs for all platforms:

Negative trends have been recorded for nearly half of the platforms and operating systems. These include malware for commonly used operating systems such as Unix (e.g. malicious programs which can run on any *nix operating system) and Symbian. Over one full year (starting in July 2006), Mac OS has not seen the appearance of even one malicious program. This just goes to show that virus writers are not interested in operating systems that are not as widespread; they have limited themselves to creating a handful of proof of concept programs before switching back to targeting popular applications and operating systems.

Practically all script programming languages are in the top ten most common environments for viruses: JS, VBS, HTML, BAT, Perl, PHP and ASP. Although in the past the numbers for three script platforms (JS, VBS and HTML) were roughly the same (with nearly 205 malicious programs for each platform in the second half of 2006), JavaScript has seen a positive trend in 2007.

JavaScript has become the latest spawning ground for malware (+380%), leaving the similar VisualBasic Script lagging behind. No doubt, the main reason for this upsurge was an increase in the number of different exploits in widespread browsers such as Internet Explorer and Mozilla Firefox. Furthermore, JavaScript malicious programs often function as Trojan Downloaders.

Linux has taken second place in terms of most interest generated among virus writers, with 123 new malicious programs and an increase of 55% from the last six months of 2006.

Of the applications that can function in more than one operating system, MS Word has the largest number of malicious programs targeting it, with 150 new malicious programs and an increase of 95%. This number includes traditional macro viruses as well as the more destructive Trojan Droppers, which target vulnerabilities in MS Word that were identified last year. These represent the overwhelming majority of contemporary MS Word threats.

There was also an 80% increase in the number of malicious programs designed for rare operating systems such as SunOS. The number of known threats for this system now number in the dozens, which naturally means that antivirus companies will be closely following developments in this area and perhaps even conduct a separate study of this area in the near future.

Antivirus database updates

In response to the rise in the number of virus threats and the increasingly frequent appearance of new threats, Kaspersky Lab released antivirus database updates faster than ever, responding faster to new threats.

New antivirus database records

The number of new records in Kaspersky Lab’s antivirus database varied from 8,000 per month in the beginning of the year and reached 25,000 per month at the end of the reporting period. The monthly average over the first six months of the year amounted to 15,518; in the second half of 2006 the monthly average was 8,221. This 80% increase fully corresponds to the increased number of newly-detected malicious programs.

As the chart above illustrates, the number of entries added to the antivirus database each month has been increasing more or less steadily throughout the year. May was the only month that broke the general trend, as Kaspersky Lab detected a record high for the number of new malicious programs that month with 25,205 records.

Regular and urgent updates

Kaspersky Lab has reacted to the emergence of new malicious programs by releasing two types of antivirus database updates: regular (approximately every hour) and urgent (in the event of an epidemic). The total number of regular updates in the first six months of the year exceeded 4,000, and the monthly average was 700.

The figures for urgent updates are interesting for two reasons. First of all, they illustrate the total number of epidemic situations in the first half of 2007 and they allow us to compare that information with the epidemic statistics for 2006. Furthermore, they also provide an opportunity to track epidemics against each month of the year.

These numbers show that the events related to urgent updates were 33% less in the first six months of 2007 than during the same period in 2006 and 4% less than in the second half of 2006. There was an average of 16 urgent updates each month.

Conclusion

The predictions we made back in 2006 for 2007 have almost all been right on target. As expected, virus writers have almost exclusively been using Trojans designed to steal user information. The key targets of attack are still the clients of various banking and payment systems as well as players of online games.

There are still strong ties between spammers and the authors of malicious programs. All of the major epidemics in 2007 (Warezov, Zhelatin, Bagle) were designed to create botnets for subsequent spam mailings and to harvest email addresses in order to create spam mailing databases.

The main infection vectors are still email and browser vulnerabilities. The lack of any new critical vulnerabilities in Windows is still the main reason why there have been no major epidemics caused by network worms launching direct attacks via computer ports.

The growth rate of malicious programs using P2P networks and instant messaging systems will remain at an average level. We don’t expect there to be any significant changes in the second half of 2007.

In the first six months of the year, a clear trend emerged: localized epidemics on one segment of the Internet or another that did not then spread to other users in other parts of the world.

Despite experts’ predictions, Windows Vista has not yet become the major information security topic of 2007. This is primarily because it is much less widespread than was expected; the number of users that transitioned to this OS is not enough to create a critical mass that would get hackers and virus writers interested.

Virus writers’ interest in MacOS has also remained low despite the increased popularity of this platform and the existence of a number of major vulnerabilities. Symbian and Windows Mobile are also undergoing similar experiences – the number of users is growing, while the number of malicious programs targeting these platforms has slowed down considerably. On the other hand, we have seen the emergence of more Trojans written for J2ME, which also runs on mobile phones.

Most likely, we will not see any major changes in these processes before the end of the year and situation will continue to develop in line with projected scenarios.