Malware Evolution: May Roundup

A number of families of malicious programs became noticeably more active last month. Net-Worm.Win32.Mytob was one of these, and in May it started to present a serious challenge to Email-Worm.Win32.Mydoom. It may be that in the near future Mytob, which is a direct descendant of Mydoom (with added functionality) will be come more prevalent than Mydoom. This is because Mytob’s extended functionality makes it capable of propagating via networks. It also contains an IRC backdoor, and some versions of Mytob are capable of propagating via IM networks: these versions include a separate module which is effectively a clone of IM-Worm.Win32.Kelvir. This is installed separately to the victim machine by the main executable file of the malicious program. It should be noticed that in addition to extended functionalities, the life-cycle of Mytob is also changing. In contrast to the most recent, short lived email worms, Mytob is designed to be active for longer, similar to the first versions of Mydoom, NetSKy, Zafi and Bagle. All the modifications listed above, together with the new versions which are regularly released, and recompiled, make the worm highly prevalent.

The next worm on the list worth examining is Eyeveg, for a variety of reasons. In May, after nearly six months in hibernation, Eyeveg became extremely active again. The first three versions of this worm were detected in 2003 (the last one on the 14th October), with another two being detected in 2004. And then, this month, Eyeveg.f, Eyeveg.g and Eyeveg.h appeared, with approximately a week’s lapse between versions. It’s currently one of the most active malicious programs, with the majority of activity being in the Russian Federation. It’s difficult to predict what will happen in the future. Maybe the worm will retreat again after this burst of frenzied activity, or continue to spread, and maintain its current level of activity, as some other programs – Trojan-Downloader.Win32.INService, for example – have done.

Finally, Email-Worm.Win32.Sober made another appearance, as Sober.q, which spread actively throughout Europe, sending far right propaganda and updating itself (to Sober.p) via the Internet.

IM worms remain active, with new versions appearing frequently – IM-Worm.Win32.Bropia and IM-Worm.Win32.Kelvir have been detected in a number of versions. New versions are characterized by their short life cycle.

In contrast to worms, spyware has been less active this month. However, the decreased activity is not particularly significant, and mainly applies to Trojan-PSW.Win32.LdPinch, PdPinch and Trojan-Spy.Win32.Goldun. In fact, the decreased activity is simply a drop from an extremely high peak to a more standard level.

On the other hand, within this same group of programs, Brazilian spyware has become far more prevalent, both the spyware itself and the downloader programs which install it. Every day we see either a new version of one of these programs, or a modified old version – older versions are modified in order to make it more difficult for antivirus solutions to detect them. One example of this approach is Trojan-Spy.Win32.Baner.ju, which constantly arrives in slightly different guises.

Spyware spreads in a number of ways, with the most popular method being mass mailing (spamming). This can be done in a variety of ways, either in a single stage (where the file containing the spyware is mailed to the user) or in two stages, using a Trojan downloader (in the case of this spyware family, Dadobra is used. Some recent versions of Dadobra have been modified to download files containing other malicious programs via FTP, rather than using HTTP as in the past.) One other method, which is used relatively infrequently, is using Email-Worm.Win32.Combra as the carrier; this worm will download either the spyware program itself or the Trojan downloader to the infected machine.

May was also notable for the Chinese attempting to compete with the Brazilians in terms of virus activity. However, Chinese programs such as Trojan-PSW.Win32.Lmir, Lineage, Gamania and other QQ (Chinese instant messaging application) malware have not shown any significantly increased activity. Backdoor.Win32.Hupigon is something of an exception here, as several new versions have been released in the recent past, but they have not caused any serious disruption.

Finally, an interesting newcomer this month was Trojan-Downloader.Win32.Peerat.a, which is distinguished by its functionality. It differs from standard Trojan downloaders in that it doesn’t just download other malicious programs to the victim machine, but also to any file sharing network present.

To summarize: Mytob became more active than Mydoom, its predecessor, and this trend looks set to continue. Mytob may come to effectively replace Mydoom.

Some groups of malicious programs which have been inactive for a long time may demonstrate renewed activity.

Spyware and theft programs will continue to be used, either at the current level, or with increased intensity.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *