Malware reports

Malware Evolution: May Roundup

Email worms sent the virusology trend in early spring: Bagle, Mydoom and Netsky all spread as attachments to infected emails, and all used social engineering techniques in order to propagate. However, May brought a sharp change of direction, with the appearance of a large number of malicious programs which propagated by exploiting technical, rather than human, vulnerabilities. In the course of the month, one completely new vulnerability was detected, which was rapidly exploited by virus writers, and two new types of malware appeared.

In mid April, Microsoft published details of an LSASS vulnerability, which the company rated critical. The vulnerability makes it possible for code to be remotely executed on victim machines. Virus writers reacted quickly – Worm.Win32.Sasser was the first program to exploit the newly publicized vulnerability, and made its debut on 30th April. By the following day, the outbreak had reached significant proportions; the war of the worms cooled as virus writers started to focus on the new opportunities provided by the vulnerability. A whole range of malicious programs exploiting the LSASS vulnerability rapidly appeared on the Internet. Two of these became relatively widespread by the end of May: TrojanProxy.Win32.Bobax, which replicates on external command) and Worm.Win32.Padobot, which includes a backdoor function.

Windows Local Security Authority Service Remote Buffer Overflow

The vulnerability resides in LSASRV.dll in Windows 2000 and XP, a library which is used by the Local Security Authority Service (lsass.exe)

One of the Active Directory service functions of this DLL is connected with logging: writing entries to a specific debug journal. This can be exploited as a result of the absence of bounds checking for the data it transmits; this results in the execution of approximately 2KB of arbitrary code with system privileges on the victim machine.

A few months earlier, an unusual vulnerability was detected in Internet Explorer 5.x. This vulnerability is connected to the processing of bmp files. Theoretically, when the user views an infected bmp file using Internet Explorer/ Outlook Express 5.x, any code, including malicious code, could then be executed on the victim machine.

Interestingly, although this vulnerability was detected in February, TrojanDownloader.BMPAgent.a, the malware coded to exploit this vulnerability, only appeared in the middle of May. This was the first specially constructed BMP file Trojan in virusology; when the BMP file is processed by the IE 5.x engine, Backdoor.Throd.a is downloaded from the Internet and launched on the victim machine. A user could fall victim to this approach by opening an emailed html file containing supposed graphics using Outlook Express; when opened using Outlook Express, the exploit is triggered, installing the backdoor to the victim machine.

Microsoft Internet Explorer Bitmap Processing Integer Overflow Vulnerability

This vulnerability was discovered due to the leaking of some parts of the Windows 2000 source code. In one of the BMP graphic format processing routines, a signed variable is incorrectly used to store what are supposed to be unsigned data. Due to this, the function for processing BMP files can be ‘tricked’ with a negative offset thus causing a stack overflow and code from the stack to be executed as a consequence. A BMP file with a special code placed at the appropriate offset of a deliberately edited header can be used to exploit this vulnerability.

A high point in May was Win64.Rugrat, the first virus for 64 bit Windows, the operating system for the IntelIA64 platform. The specifics of IA64 make writing a virus for this platform far more challenging than creating malware which targets the 32 bit systems currently in use. Rugrat was written by a member of group 29a, which specialises in proof-of-concept viruses; it did not pose any significant threat due to the current limited use of 64 bit architecture. Rather than being a fundamentally new virus, it is effectively a rewrite of Win32.Chiton, exhibiting the same behaviour.


IA64 is not just an add-on or extension of x86: it is brand new technology.
It is designed to improve processor performance by the means of extended parallel processing of individual sequential instructions and advanced prediction of memory access operations as well for the instruction execution flow. The other major ways in which IA64 differs from x86 is the fixed length of machine instructions; the grouping of three 41-bits instructions in blocks of 128 bits; the technology for marking blocks for parallel processing, and the fact that speed optimization is not done on the processor but mainly at compiler level. However, the new 64 bit platform will not replace x86 in the forseeable future as it is designed for high technology processors and server stations, not for desktop PCs.

Another vulnerability detected in May which could potentially be used to propagate viruses and malicious code is the option to create HTML files with specially constructed image maps. Such files look like standard HTML pages with links; clicking on such a link will lead to a false URL being displayed in the status bar. The user’s browser will then be redirected to a fake site; malicious code may be placed on the site with the aim of stealing users’ personal data, or to be downloaded to victim machines.

Overall, virus activity in May highlighted two main trends. Firstly, Sasser confirmed that virus writers are reacting more and more quickly to newly publicized vulnerabilities.
Secondly, the malicious code which appeared in May illustrates the increasing flexibility and blended nature of viruses. A single piece of malware will now often include a backdoor or proxy-server function, and one or more propagation methods. One example is Worm.Win32.Kibuv.b, which has ten different propagation methods, designed to work under different versions of Windows, and backdoors in the form of an FTP server, an IRC bot, and an atypical server which works on port 420.

Evolving technology is offering new habitats for malware, and the events of May have shown that virus writers are quick to respond to new challenges. Traditional malware is not dying out; however, users should be ready to patch newly publicized vulnerabilities as quickly as possible in order to avoid encounters with new destructive programs.

Malware Evolution: May Roundup

Your email address will not be published. Required fields are marked *



Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox