Malware Evolution: January – March 2005

Kaspersky Lab presents its quarterly report on malware evolution by Alexander Gostev, Senior Virus Analyst. The report addresses questions such as why email worms no longer seem to be causing epidemics, the increase in worms targeting instant messenger applications, what effect the release of SP2 for Windows XP has had on security, and why adware and spyware are the latest buzzwords in the field of IT security.

IM-Worm

One of the most interesting developments in 2005 was the appearance of worms for instant messenger applications. Instant messenger applications have become very popular, but users rarely perceive them as potential infection vectors. Although IM-worms were detected prior to 2005, the start of the year brought a noticeable increase in this type of malware.

An analysis of the IM-worms detected so far this year provides some data on possible future trends.

As Table 1 shows, most new IM-worms target MSN Messenger, which is extremely popular in the United States, but almost never used in Russia. All the worms except for Atlex are written in Visual Basic.

These two facts taken together seem to indicate that IM-worms are at the initial stage of evolution. And the fact that the vast majority of the worms are written in Visual Basic demonstrates that most of the authors are fairly new to the virus writing scene and are relatively inexperienced programmers. VB is one of the easiest programming languages to master, but it’s unsuitable for serious projects due to the large files and the relatively slow speed that results from this.

The obvious preference for MSN suggests that new worms were based on earlier samples. A detailed analysis of the worms’ code by Kaspersky Lab virus analysts confirms this hypothesis. The source code for some early IM-worms was also published on a number of virus writers’ sites, and most of the new worms are clearly based on this code. The evidence currently points to IM-worms being the domain of script-kiddies.

This situation is effectively a repeat of the evolution of P2P-worms between 2002 and 2004. When P2P worms first appeared, they were also mostly written in Visual Basic and also targeted one P2P client, Kazaa, the most popular client at the time. As P2P-worms were simple to create, and spread rapidly, several hundred families appeared, with numerous versions in each. The increase in this type of malware reached its peak in 2003, with more than 10 new versions being detected every week.

Today IM-worms are evolving in a very similiar way to the P2P-worms developed between 2002 and 2004.

Kaspersky Lab monitored P2P networks closely during the upsurge in P2P-worms and analysis showed that almost every second file in the Kazaa file-sharing network was a P2P-worm. During that period most email-worms used file-sharing networks as a secondary channel for propagation. However, the rapid evolution of P2P-worms slowed dramatically in 2004 and they currently comprise an insignificant percentage of contemporary malware. It seems likely that IM-worms will have the same life cycle.

One of the most interesting aspects of IM-worms is the way in which the worm files are delivered to the victim machine. Despite the fact that Internet messaging services allow file transfer, for some reason virus writers are not utilizing it as a method of infection, possibly because they find overly complex. Instead, they all (with the exception of Aimes) use a technique pioneered by email-worms in 2004: a link to an infected website containing the body of the worm is sent to the recipient, instead of a message with an attached file containing the worm’s body. The user believes that the link is from a trusted source, as the worms send their links to contacts harvested from the local contact list. This makes the user more likely to visit the site in question. The worm penetrates victim systems either by exploiting Internet Explorer vulnerabilities or simply by downloading and installing the malicious code.

Given the fact that IM-worms have demonstrated their ability to propagate and spread, it seems self-evident that system administrators and security managers should be focusing their attention on the potential threat which IM applications represent. One option would be to forbid the use of IM applications in enterprise settings until security improves. Monitoring incoming http traffic for malicious code (which should be part of any responsible security policy) will block those worms which penetrate via browser vulnerabilities.

The majority of IM-worms also install other malware on the victim machine. IM-worm.Bropia, the family with the most versions at the time of writing, installs Backdoor.Win32.Rbot on the infected machine, turning it into a zombie machine in a bot network.

Botnets

Botnets have been an issue for the past few years; the first botnets of any size were first sold on the computing black market in 2002. The number of botnets has increased proportionally with the number of Internet users has grown and the number of vulnerabilities detected in Windows.

Today, the term botnet is used to refer to any network of infected computers that is controlled by a single (malicious) remote user. Initially, infected computers were linked via an IRC channel and received commands from the remote user via IRC, and this is still the most popular way of controlling botnets from a single central point and is used by the Agobot, Rbot and SdBot families, which are the most common malicious bots. They all penetrate victim machines by exploiting common vulnerabilities in Windows. Malicious bots usually exploit the RPC DCOM and LSASS vulnerabilities, but there are bots that exploit as many as 8 vulnerabilities simultaneously. Modern bots also use password generation algorithms/techniques to penetrate shared network resources.

The term botnet refers to a network of infected computers that is controlled remotely by a single malicious user.

July 16 2003, the day the RPC DCOM vulnerability was detected in Windows 2000 and XP, was a decisive day in the history of contemporary botnets. In January 2004, Email-worm Mydoom placed a second cornerstone in today’s botnets . Mydoom would open a single port in the range between 3127 and 3198 which gave anyone access to the infected system. Mydoom was also able to download files from the Internet and launch them.. A special 5-byte combination provided access to the backdoor, and other virus writers quickly discovered and began using this hole. The Internet was flooded with worms attempting to penetrate computers already infected by Mydoom. Virus writers also wrote scanners that allowed potential controllers to search computers for the Mydoom backdoor component: if the backdoor was detected, the new controller would drop and execute new malware on the infected machine. At the height of this outbreak, infected machines were passing from controller to controller several times a day.

The critical LSASS vulnerability, first detected in April 2004, was the third key factor in the increase in botnets. Sasser infected a large number of machines via this vulnerability, leaving potential zombies in its wake. Virus writers immediately seized this opportunity and began using Sasser-infected machines, as well as the LSASS vulnerability, to extend their reach.

Researchers estimate that the number of zombie machines in botnets increases by 300,000 to 350,000 every month. The total number of zombies is estimated at several million. All of these infected machines are being actively used by cyber criminals as spamming platforms in order to make money. Botnets can also be used in DoS attacks and to spread new malware – such threats often lead site owners to pay cyber criminals not to attack their sites. Botnets are also used to mail out more and more new Trojans that harvest and send banking information to the controller. Today, virus writers from Brazil dominate this area of cyber crime.

Botnets are the greatest threat to the Internet as we know it. They stimulate the creation of new malicious programs as they require constant refreshment, both in terms of new malware and new zombie machines to extend the network. Detection and prevention of botnets should be a priority for both the IT industry and end users, since the future of the Internet depends on coordinated action now.

The twilight of email worms

Towards the end of 2004, many IT security analysts forecast that email worms would gradually become less and less prevalent. The events of 2005 have so far borne this out. Email worms have been effectively displaced by network worms incorporating Trojan components.

2004 was distinguished by a number of major epidemics caused by email worms such as Mydoom, NetSky, Bagle and Zafi. However, late 2004 and early 2005 was free of such outbreaks, with nothing on the scale of even the mid-sized outbreaks of 2004.

The decline in successful email worms (i.e. ones which caused significant outbreaks) may be due to to the fact that the antivirus industry has developed new methods to block such worms. These include breakthrough technologies such as detecting worms in password protected zip files and preliminary analysis of emails with executable attachments. All these techniques make it possible to stop outbreaks in the early stages before an epidemic can develop.

We are witnessing a marked lull in email-worm outbreaks: a noticeable change after the global epidemics of 2004 (Mydoom, Bagle, NetSky and Sasser)

However, network worms which exploit Windows vulnerabilities are starting to represent more and more of a threat. Scanning network traffic as well as email traffic is therefore essential from a security point of view.

It is extremely unlikely that email worms which arrive as attachments will cause significant outbreaks in the foreseeable future. Firstly, during the first three months of 2005, Microsoft ensured that patches were available for all known critical vulnerabilities in both Outlook and Outlook Express. Secondly, information provided by antivirus vendors, and increased media focus on malicious code and security issues has resulted in end users being noticeably more cautious about opening email attachments, especially those from unknown sources.

Virus writers will now have to find new methods of tricking users into opening suspicious attachments or clicking on links in emails.

Social engineering and phishing

Social engineering, i.e. techniques used by cybercriminals to trick end users into sharing confidential data, continues to evolve. No truly new methods have been evolved, but the older tried and trusted methods are being used in epidemic proportions. Phishing is currently among the most common and successful forms of cybercrime which utilizies social engineering techniques.

According to data from the Anti-Phishing Working Group, in January 2005 phishers sent 12,845 unique phishing letters leading to 2,560 spoofed websites.

In January 2005, on-line fraud rose by 47% in comparison with December 2004, when 1,740 spoofed websites were detected. January figures were up almost twice on October 2004, when 1,186 spoofed websites were identified. The number of phishing emails has risen by 42% in comparison with December 2004 statistics.

Well known banks and on-line payment systems such as Citibank, Paypal, E-Gold, US Bank, WAMU are the main targets of phishing attacks. Other major sites which may request financial data, such as Ebay, are also frequently targeted.

As mentioned earlier, phishing attacks are carried out using spamming techniques, and are launched from botnets. Brazilian hackers and virus writers are particularly fond of using botnets to spread additional spyware that steals confidential and banking information. Trojans that steal banking information from Brazilian users currently make up the majority of this particualr call of malware.

Public awareness of spyware is being exploited by makers of adware, as well as virus writers: unwary users are captured after agreeing to install purported anti-spyware solutions.

Social engineering techniques are used not only in phishing attacks, but in other areas too. Increased media coverage of spyware, and the consequent heightened public awareness of the issues, have created new opportunities for cybercriminals. As soon as Microsoft released a free anti-spyware application, even though it was only a beta version, virus writers seized the chance to disguise their creations as a new, improved version of the program. The public fear of spyware has also been exploited by Adware writers and other cyber -fraudsters to penetrate victim machines.

The Kaspersky Virus Lab has seen a significant increase in spam sent via Windows Messenger Service. This type of spam exploits inbuilt features in the Messenger service, meaning that the message appears as a standard pop up window.

In most cases, these pop-ups inform the user that a large amount of spyware has been detected on the computer, and urges the user to visit a specific site to download a free anti-spyware utility. Of course, the computer hasn’t been scanned for spyware and the downloadable utilities are either Trojans or at best useless applications which neither detect nor delete spyware.

Cyber criminals also exploit tragedies for their own ends. The devastating tsunami in the Indian Ocean brought a flood of scams and infected emails in its wake. Cyber criminals disguised Trojans as tsunami photographs or confidential reports about the real number of victims. Other fraudsters sent phishing emails purportedly from charities. These emails aimed to seduce users into donating money on-line via spoofed websites.

No new critical Windows vulnerabilities

Another reason for the relative calm on the virus front in 2005 is the fact that no new vulnerabilities as serious as the LSASS or RPC DCOM vulnerabilities have been detected in Windows so far this year. The most recent Windows vulnerability to pose a potentially serious threat was the WINS server NetBIOS naming issue, detected on November 26, 2004. Microsoft issued a patch immediately, and there have been no significant cases of malware exploiting this vulnerability.

Of course, serious serious vulnerabilities have been detected in Windows this year:

• Vulnerability in Cursor and Icon Format Handling
• Windows Kernel Vulnerability
• Vulnerability in PNG Processing
• Vulnerability in Hyperlink Object Library

To date, none of these have been exploited by virus writers to cause a worldwide outbreak, although all the vulnerabilities listed above have been utilized at least once, with a variety of spy programs being installed on the victim machines.

Isolated attacks notwithstanding, the fact that older versions of Windows do not have critical vulnerabilities, and the encouraging trend of more and more Windows XP users installing Service Pack 2 gives hope for the future. It seems that a more secure Windows environment is one of the main reasons for the relative quiet during the first quarter of this year.

The current lack of worldwide outbreaks can be partially acounted for by two important factors: no new serious vulnerabilites in Windows and the migration of users to Windows XP with Service Pack 2.

On the other hand, security holes in Internet Explorer are responsible for a significant number of infections. Kaspersky Lab data shows that the MHTML URL Processing Vulnerability (CAN-2004-0380) is the loophole currently most frequently exploited by virus writers.

This vulnerability makes it possible to hide executable files written in VBS or JS in CHM files (Microsoft Compiled Help) and post links to the infected files on the Internet. When an infected CHM file is opened, the hidden files are executed in the Local Internet Zone with current user rights.These scripts are usually Trojan Downloaders or Droppers that install other Trojans on the victim machines.

However, this vulnerability is not new and Microsoft issued the MS04-013 patch for it over a year ago on April 13, 2004, meaning that users do have the ability to protect themselves against such attacks.

On-line games: a new arena

Contemporary cyber criminals don’t only steal banking and financial details. On-line games are also a target. Such games have achieved enormous popularity since their first appearance, and individual items and/or characters in various on-line games are sold for tens of thousands of dollars in on-line auctions. For instance, a virtual island from “Project Entropia” was sold, for $26,500, the largest amount spent at any one time in online-gaming history. In short, several billion dollars are currently invested in virtual worlds and role-playing games, a sum equivalent to the budget of a small country.

Naturally, the presence of real money in on-line games hasn’t escaped the attention of cyber criminals. The first cybercrime targeting on-line games was committed in early 2003, when Trojans designed to steal user account data to the Asian game Legend of Mir were detected. (Today over 3 million players – mostly from South Korea – participate in this game) And two years on, there are more than 700 known malicious programs which target Legend of Mir. Detailed analysis of these programs shows that most of them originate in South Korea and China.

As on-line games gain in popularity, the large sums of money involved naturally attract cyber criminals.

Lineage, another Korean on-line game with a large following, is the second target of choice for cybercriminals. The first Trojans attacking Lineage were detected by Kaspersky Lab virus analysts in October 2004; in less than six months the number of such malicious programs has grown to several hundred.

Among the most recent programs targeting online games is a family of Trojans designed to steal personal information from Gamania players. The first one was detected in February 2005 and since then there has been at least one new variant every week.

Russian virus writers are also participating in this new form of cyber crime. They have focused their efforts on a popular Russian game called “Boitsovsky Klub” (Fight Club). In this game, a single object can be sold on for up to a thousand dollars. In this case, the game administrators realised that the threat posed by such malicious programs was serious, and and turned to Kaspersky Lab. Admnistrators immediately forward any viruses, scripts and Trojans attacking the game portals, and Kaspersky Lab ensures that updates protecting against such threats are released almost immediately. This joint project is unique in the world of online gaming.

Adware, spyware and viruses: is there a difference?

Adware and spyware are the IT buzzwords of the moment. This paper will not go into any details on the legal aspects of such programs, or debate whether or not such programs are appropriately used. However, our latest research indicates the following:

The boundary between harmless adware and malicious programs has effectively disappeared. Every day the Kaspersky Virus Lab detects more and more programs which seem to be adware, but which bear all of the hallmarks of Trojans. Such programs may exhibit Trojan behaviour in how they install themselves, (for instance by exploiting browser vulnerabilities), or in how they behave once they are installed.

Contemporary adware programs will attempt to disguise their presence in the system and prevent the user from deinstalling them. Additionally, many recent adware programs will search for and delete competitor programs before installing themselves. Adware is often developed in order to send information to a remote malicious user, and this may include information about sites visited, as well as personal data which the user has on certain sites. Adware writers first began to use these techniques in 2004, and in 2005, another approach was pioneered: adware started to appear in the form of file viruses, dinosaurs which most analysts believed had long died out.

One example of such a virus is Virus.Win32.Bube, which downloads itself to victim machines when the user visits sites containing exploits for Internet Explorer (MHTML URL Processing Vulnerability) or for the Flaw in Microsoft VM. Once Bube penetrates the system, it writes its body to the end of explorer.exe, where it acts as a Trojan-downloader, downloading other adware onto the victim machine. This method of exploiting Internet Explorer enables Bube to circumvent some firewalls.

Bube serves as a vivid example of how the boundary between adware and other malware no longer really exists. Adware, viruses and Trojans now exhibit many of the same characteristics, meaning that products designed only to protect against adware should be treated with a healthy degree of skepticism. With adware becoming increasingly inseparable from classic malware, dedicated anti-adware solutions will simply cease to provide adequate protection.

Mobile malware

In 2004, a new chapter was opened in the history of information security. The first malicious code targeting mobile phones (Cabir) was detected in the middle of June. Since then, mobile viruses have continued to appear, and malicious programs for mobile devices now come in a range of forms.

Cabir code was made freely available on the internet. These technologies have been used by other virus writers, and several versions of Cabir based on the original source code have come out of Brazil and China. However, hackers and virus writers have not yet gone so far as to create their own, original mobile malware.

Rather than producing their own code, virus writers have provided the antivirus industry with new types of malicious program for mobiles: Trojans and worm-virus hybrids:

Table 2 shows that once the first Bluetooth-worm was detected, three types of mobile malware appeared in under a year: worms, viruses, and Trojans. The characteristics of all of these programs correspond to their standard PC counterparts. Frighteningly, it took over a decade for computer malware to evolve into these three families, but it has taken less than a year for virus writers to adapt all three forms to the mobile environment. We are now staring into the abyss: a Warhol Worm, which attacks all possible systems in the shortest possible time, is now a very real possiblity.

The first attempt to create such a worm occurred in March this year. Fortunately, ComWar, an MMS-worm, contained a number of errors and there was a significant time lag during propagation. In theory, however, a similar worm using MMS messaging could not only propagate via mobile networks, but would overload them, possibly even causing outages. Such malicious programs are therefore a serious concern both for security personnel and mobile providers worldwide.

Virus writers who write mobile malware are on the verge of creating a Warhol Worm: a worm that spreads over all possible systems in a minimal time period.

At the time of writing, no further Bluetooth-worms have been detected. However, despite the fact that Bluetooth connections operate within a limited zone, restricting the speed at which worms can spread, Cabir and subsequent versions of the program have been detected in 17 countries around the globe. Given that the the use of mobile devices is increasing worldwide, a new worm could potentially spread much further and faster than Cabir has done so far.

So far, 5 different Trojan families for mobile devices have been detected. Most of these are Trojan-bombs. Once installed, they replace various applications on the device with their body, eventually causing the device to cease functioning. Nearly all of them contain versions of Cabir which they use as a vehicle to propagate further.

One worm, Lasco, deserves individual attention. Lasco is a worm-virus hybrid. Once installed it scans the device for SIS archives and infects them by writing its own code to the files. Currently, two version of Lasco exist – one infecting SIS archives on Win32 devices and one for devices running Symbian. The Bluetooth propagation routine is copied straight from the Cabir source code.

And a final word on mobile malware: Kaspersky Lab virus analysts have conducted a number of tests to check whether or not automobile on-board computers running Symbian are infectable. At the time of writing, the tests show that the answer to this question is negative. However, this may well the next target for virus writers, and research will continue. Overall, the worms and Trojans created for smartphones are the harbingers of the malware storm to come – smartphones, smart houses, and the devices and technologies of the future will provide endless opportunities for generations of cyber criminals to come.

Summary

The events of the first quarter of 2005 bear witness to the fact that many of our analysts’ predictions have come true. It’s clear that classic email worms are on the decline, with network and instant messaging worms exploiting relatively lax security to take their place.

IM-worms are still in their infancy, and the combination of this, together with improved Windows security, have led to a relatively quiet three months. However, phishing attacks are now moving to the fore; the convergence of adware and malicious code, the increase in botnets, and malicious programs for mobile devices seem to indicate that the first quarter of this year may simply be the calm before the storm.

Improved antivirus technologies, and increased user awareness of security issues are clearly forcing virus writers and hackers to use new approaches to access users’ information and systems.

And finally, the increasing interest in on-line games, with the potential profits to be made in this area, make it more than likely that malicious code designed to steal such information will continue to evolve rapidly.