Malware reports

Malware Evolution: July Roundup

July brought evidence that hand held PCs are no longer invulnerable to malware. The first virus capable of infecting Pocket PCs running Windows CE appeared on 17th July. WinCE.Duts.a is also able to infect systems running Windows Mobile, as more recent versions of the operating system are called.

Although Duts is capable of replicating, it was not detected in the wild, and does not present a threat to Pocket PCs. However, it was coded by a virus writer who was previously an active coder of spyware programs. Many of these programs are now widespread. So it seems reasonable to assume that viruses which will cause serious damage to hand held computers are not that far in the future. And this naturally highlights the issue of information security: such a virus could be used to steal or leak confidential data. As most handheld computers are used in a business environment, such viruses could pose a serious security risk.

Duts extended the range of platforms vulnerable to malware; other programs demonstrated that the techniques used by virus writers to ensure their creations replicate are also evolving. Mydoom.m used the search engines Google, AltaVista, Lycos and Yahoo! to harvest email addresses, and then sent itself to all addresses found. Previous versions of Mydoom only sent themselves to email addresses found in the Microsoft Outlook address book and some files on the infected computer. At first glance, it seemed that Mydoom.m had tapped into an almost unlimited resource.

As long as even one machine infected by Mydoom.m remains connected to the Internet, any user may find the worm in his or her inbox. However, Mydoom.m’s propagation mechanism restricted the spread of the worm, due to the way in which the algorithm for search requests was coded. The text searched for used the domain name of the victim machine, which limited the number of search results. However, it seems likely that worms of the future will structure searches which are not in any way dependent on the victim machine, e.g. a worm will be programmed to harvest email addresses from forums, guest books and other rich sources. So Internet users who have openly posted their email addresses may, in the future, find themselves threatened not only by spam, but by new malicious programs.

More versions of Bagle appeared in July; Bagle.aa, like Mydoom, differed from its predecessors. Bagle.aa spread in the form of an executable file which contained the worm’s own source code. Although this did not increase the threat posed by the worm, the ready availability of the source code makes it likely that further modified versions of Bagle will be released into the wild. This is undoubtedly yet another method to increase the number of machines penetrated, without resorting to complex coding techniques or social engineering.

The past few months have shown that installing backdoors on victim machines is becoming more and more popular. This results not only in mass mailed infected messages, but also to the propagation of opportunistic viruses and worms. July’s example was Worm.Win32.Zindos.a, which infected systems left open by Mydoom.m

Standard file viruses are also continuing to evolve. There was a marked increase in piggybacking: in July, a number of email worms were detected where the body of the worm was infected with a file virus.

In conclusion, the evolution of email worms is a cause for concern. In the past, the development and spread of viruses and worms was simply a matter of virus writers trying their strength, investigating which methods worked and which didn’t. Nowadays, however, virus writers are joining forces with spammers and other criminals; this means that malicious software now represents a huge threat both to confidential information and to the performance of almost any network.

Malware Evolution: July Roundup

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox