Malware evolution: June Roundup

June was characterised by cyber espionage and cyber theft in a variety of guises. Malicious code designed to steal passwords and grab keys to popular computer games has been evolving for some time, and this trend strengthened in June. Trojan.PSW.LdPinch, one such program, showed increased activity in June; a large number of new versions appeared, with several of them using spam mailings to propagate.

Overall, the number of malicious programs designed to steal confidential data is growing. More and more programs which steal credit card and e-payment system details are appearing. On 22nd June, the first version of TrojanSpy.Win32.Qukart was detected. This Trojan intercepts VISA and Mastercard credit card details and the corresponding PIN codes, and then sends them to the author of the program. Several modifications of the Trojan appeared within a few days of the first version making its appearance.

The evolution of malware designed to steal passwords and financial information has led to new approaches being taken to download and execute malicious code on victim machines. Virus writers are still actively using classic methods, but also exploiting the new opportunities offered, generally by vulnerabilities in operating systems. The vulnerability discovered in Windows LSASS is a prime example. Once the vulnerability was identified in mid-April, virus writers rapidly took advantage of it. The result – programs like Worm.Win32.Padobot and Backdoor.Rbot – new versions of old malware, rewritten with the capability to propagate via this vulnerability.

Among such programs, the most outstanding was I-Worm.Plexus, the first new virus to appear last month. Plexus was created using the source code of I-Worm.Mydoom as a starting point. However, the two worms are almost completely different; whereas Mydoom propagated via email and the Kazaa file-sharing network, Plexus exploits the majority of propagation methods currently available: email, local and file-sharing networks, and the LSASS and DCOM RPC vulnerabilties.

Plexus spreads as a Trojan downloader program with two main components. The first component controls propagation, while the second may be any piece of malware (or even a harmless program). Plexus.a contained a backdoor program from the Backdoor.Dumador family, whereas Plexus.b harbored Win32.Webber, a Trojan Proxy program. The worms appeared in quick succession at the beginning of June.

Plexus is currently the only network worm which utilizes such a wide range of propagation methods. However, it seems highly likely that this will not be the case for long. This month has shown that virus writers are quick to learn from each other, and we can expect to see programs with similar characterisitics appearing in the not-too-distant future.

As the saying goes, there’s nothing new under the sun – although new vulnerabilities offer new opportunities, virus writers continue to exploit the tried and trusted methods. And this continues to bring results: regardless of intrinsic software or system security, the user will always be the weakest link in a chain. And this brings us to the second hit of the month: I-Worm.Zafi.b used social engineering techniques with great success, enabling it to spread widely and rapidly.

I-Worm.Zafi.b took up where its predecessor, Zafi.a, left off. Although it propagated in a standard manner, as an attachment to infected emails, it managed to cause a significant outbreak. The authors of Zafi.b achieved this by taking a tip from the authors of I-Worm.Netsky.y. Before sending an infected message, Zafi.b attempts to determine the language used by the recipient. In order to do this, it extracts the mail server domain name from the email address; in the majority of cases, the domain name gives a hint to the mail box owner’s nationality. The worm then chooses a message written in the appropriate language from a list coded into its body. Such an approach increases the likelihood of the recipient being able to read the message, and, consequently, opening the infected file attached to the message. However, this trick was not foolproof – for example, the Russian message was full of mistakes, which made users in the .ru domain far less likely to open the attachment.

The most original new virus this month was Worm.SymbOS.Cabir.a – a malicious program coded for mobile phones which propagates via Bluetooth. This proof-of-concept virus seems to indicate that virus writers are testing their strength, sniffing out new areas of potential interest. So can we say that a new battlefield has been opened up? So far, no: Cabir was more like a border skirmish. It seems unlikely that such malicious code will evolve rapidly or cause epidemics in the near future, as the technology it uses to propagate is still in relatively limited use.

To sum up, the events of June lead to the following conclusions:

• Malicious code designed to steal confidential information is likely to continue evolving rapidly
• New vulnerabilities will probably be detected, rapidly followed by viruses coded to exploit these vulnerabilities
• Virus writers will continue use current methods for creating, downloading and executing malicious code, both in the creation of new viruses and the modification of ones which are already in circulation
• Given that new viruses are often followed by a number of modifications, new versions of I-Worm.Plexus, or worms with similar characteristics may well appear