Malware Evolution: October – December 2005

This latest report continues Kaspersky Lab’s series of quarterly reports on malware and cyber threat evolution.

2005 was rich in security incidents, many of which are covered in our quarterly reports. This final report for 2005 covers the main trends of the fourth quarter, including viruses for new platforms, and zero day vulnerabilities.

Sober – a unique worm

On 15th November, the Bavarian police published a press release announcing that a new version of the Sober email worm might be imminent. The warning didn’t include any details about how the police had arrived at this conclusion. However, given Sober’s German origins, antivirus companies throughout the world took the warning extremely seriously. And just one day later, on 16th November, Kaspersky Lab received a sample of the latest variant of Sober. As it turned out, this sample, Sober.y, was to be at the root of the upcoming virus epidemic.

On 18th November, millions of users throughout Western Europe received strange emails. The messages themselves varied, but as a rule, they informed the user that they had infringed copyright by downloading music and video files from the Internet. The message had allegedly been sent from FBI headquarters. The messages asked the recipients to open the attached file, which contained evidence of the alleged infringement.

This was social engineering at its best, and this approach had already been used by Sober once, in spring 2005. However, tens (possibly hundreds) of thousands of users believed the message, opened the attachment, and released Sober.y, launching a new epidemic. The worm used all the victim machines for mass mailing purposes, and tens of millions of copies of the worm started circulating in mail traffic.

The messages allegedly stemming from the FBI had a side effect. The message text included the FBI switchboard telephone number. The result was that not only did users launch the attachment, but many of them called the FBI directly, resulting in a kind of DDoS attack on the switchboard.

It was only by the beginning of December that the epidemic passed its peak. Sober.y was one of the most successful (from the author’s point of view) viruses of 2005 in terms of the number of infected machines and infected messages in mail traffic.

In some ways it’s hard to see why the Sober family is so successful. There aren’t any clear reasons why these worms should be able to cause an epidemic of such proportions. From a technical point of view, Sober is extremely primitive – it’s written in Visual Basic, which tends to result in large programs. It’s an extremely simple language, and a common view is that anyone can learn in. Most viruses today are written in C/C++ or assembler. There are also a significant number of viruses written in Delphi. Visual Basic is normally used to create simple, even primitive viruses – I can’t think of a single virus, apart from Sober, which was written in Visual Basic and managed to cause a global epidemic.

To continue, virus epidemics of the recent past have usually been caused by viruses which exploited a critical Windows vulnerability in order to propagate. Lovesan, Slammer, Sasser, Mytob, and a wide range of various bots. Sober doesn’t exploit any vulnerability, except the vulnerability of humans themselves; this is the same method which was used by Mydoom, the worm which caused the biggest virus epidemic in history.

We’ve repeatedly mentioned that virus threats are changing. The virus threat is evolving from malicious programs designed with random vandalism and destruction in mind (such as NetSky, Sasser and Lovesan) into programs which have a different purpose – accessing user information and profiting from this information (Mytob, Bagle). Consequently, virus writers are gradually moving away from global epidemics in favour of local epidemics which target specific groups of users. The fact that there were no truly major epidemics in 2005 was in part thanks to the antivirus industry, which has developed measures to limit virus epidemics before they become global. It did seem that the situation had changed, and would remain stable until the next evolutionary period began. But then Sober appeared: a worm written in a simple language, which didn’t exploit vulnerabilities, and which only propagated via email. It didn’t seem to have been written with any commercial aims, as it didn’t steal data, create botnets or conduct DoS attacks. By rights, Sober should not have been able to survive, but instead the worm ranks top of the viruses in the fourth quarter of 2005. This is strange, and taking the evidence given above into account, almost inexplicable.

The Sober family is now two years old. Almost every Sober variant has attracted attention, both within the security industry and the world at large. In addition to its malicious technology, the worm’s author uses Sober to circulate far right propaganda. Sober can be seen as one of the political viruses which I wrote about in my last overview. It wouldn’t be surprising if the worm’s author is arrested in the near future; perhaps the Bavarian police’s press release warning of a possible epidemic is a sign that law enforcement bodies are getting closer to the author.

Krotten – the evolution of cyber blackmail

Our previous reports and our weblog have included information about a new class of malicious programs designed with one aim: to get money from users. These programs work in an extremely simple way: once they have penetrated the victim machine, they encrypt data, and then inform the victim that the data will be unencrypted once payment is received. The most obvious examples are GpCode (see https://securelist.com/malware-evolution-april-june-2005/36052/) and JuNy (see https://securelist.com/new-file-encryptor-on-the-loose-in-russia/30070/).

Some users do contact the authors of the programs and pay the sum demanded. Other users, however, are much smarter, and send the files to antivirus companies. Thankfully, the authors of such programs don’t have particularly strong cryptography skills, and the encryption algorithm used was easily cracked by Kaspersky Lab virus analysts. We were able not only to decrypt encrypted files, but also add this function to our antivirus databases.

In September 2005 we detected Krotten, a new Trojan, which was sent to us by a number of Russian users. Initially, it was named Trojan.Win32.Agent.il. On analysis, it became clear that this was another Trojan cyber racket. However, Krotten’s methods differed significantly from those used by GpCode and JuNy. The Trojan didn’t encrypt users’ files; it was far less subtle than that, and modified the Windows system registry, thus limiting the actions which a user could perform.

Specifically, Krotten prevents RegEdit and Task Manager from being launched, prevents the user from closing explorer and Internet Explorer windows, and from accessing file and folder configuration; modifies the Start menu; prevents the command line from being launched etc.

Naturally enough, it’s barely possible to use a computer which has been modified to such an extent. The authors of Krotten demanded 25 hryvna (the Ukrainian national currency), the equivalent of $5, to restore normal functionality.

Over the following months we detected more than 30 modifications of this Trojan, and we are still receiving new samples.

The case of Krotten shows that Internet rackets are becoming more and more popular with virus writers. This is a very dangerous trend, which is intensifying with each passing month. However crude it may seem, this is a separate type of cyber crime. Over the past few years, we’ve become accustomed to user data – credit card numbers, passwords, and other information being stolen. This data is then used by cyber criminals in a variety of ways – it may be sold on, or it may be used for identity theft. However, measures taken by Internet banks, e-payment systems and antivirus companies have had some effect, making this type of cyber crime more difficult to commit, and less profitable than before. Additionally, there is a new generation of virus writers on the scene – virus writers who neither want nor are able to create complex Trojan programs. The script-kiddies are growing up and entering the cyber racket business. Why should they steal data which will be hard to turn a profit on? It’s far simpler just to shake down users for a small sum – and if enough users are affected, the money will start to add up.

Zero day vulnerabilities

Critical vulnerabilities in Windows inevitably lead to outbreaks of virus activity, and sometimes to global epidemics. This is what happened in August 2003, when Lovesan exploited the RPC DCOM vulnerability, and in April 2004, when Sasser infected several million computers around the world, propagating via the LSASS vulnerability. The situation was the same with the Plug’n’Play vulnerability detailed in Microsoft Security Bulletin MS05-039. However, all these vulnerabilities were at system level, giving a remote malicious user the opportunity to penetrate the victim machine from outside via a port. There is another Windows component which is responsible for a huge number of infections, and that’s Internet Explorer. The number of vulnerabilities detected in this program is already in the dozens, and the most critical of them provide a remote malicious user with the ability to install any file on a victim machine which has been used to view a compromised site.

Thankfully, up until now we have been able to avoid the situation where there has been exploit code publicly available for a vulnerability for which no patch yet exists. Security professionals call such exploits ‘zero day’. If we’re talking about viruses which penetrate systems via a known vulnerability, the problem can be solved by applying a Microsoft patch. However, in the case of viruses written for zero day vulnerabilities, there are no patches. Microsoft has managed to keep this situation under control by working closely with companies which specialize in identifying vulnerabilities. In spite of the fact that in some cases, it has taken several months from the moment the vulnerability was identified to a patch being released, information about the vulnerability was not publicized, and was therefore not widely available.

However, at the end of 2005 a watershed was reached. There were two critical vulnerabilities in Windows, a month apart, which were publicized before a patch was made available. In both cases the vulnerabilities were used by malicious programs to spread.

On 21st November a British group of researchers, going under the strange name of “Computer Terrorism” published a Proof of Concept exploit which would run on a fully patched version of Internet Explorer. The vulnerability was present in the java script processing function ‘window()’. The vulnerability was first made public in May 2005, but at that stage, Microsoft was unable to find any way in which the vulnerability could be exploited to execute random code on a victim machine, and did not rate it critical. As a result, fixing this vulnerability was not viewed as a priority.

However, it seems that the researchers from Computer Terrorism understood the vulnerability better than Microsoft. The proof of concept code, after a little tweaking, made it possible to install and execute a file on a victim system without the knowledge or consent of the user.

It took virus writers a little over a week before they began to place malicious code to exploit the vulnerability on compromised sites. We detected a number of Trojans which propagated in this way. The only method to combat the exploit was to disable Java Script in Internet Explorer, but only a small number of users did this. Tens, or possibly hundred of millions of users around the globe were left unprotected against these Trojans; this was the first case in which a Trojan exploited a vulnerability in Windows for which no patch existed.

It might have been expected that Microsoft would do everything possible to correct this error. After all, the company has been positioning itself recently being in the forefront of the battle against malicious code; it has released its own antivirus solution and is taking legal action against virus writers. However, in this case Microsoft’s reaction was rather strange. The company announced that in spite of the fact that the vulnerability was rated critical, no unscheduled patch would be released. Since 2004 Microsoft has been releasing patches every second Tuesday of the month. December’s patches were scheduled to be released on the 13th of the month, and Microsoft was planning to adhere to the schedule.

Facts are facts – three weeks had passed since the proof of concept code had appeared, and six months had passed since the vulnerability was first detected. Overall, this was a significant period of time, during which any IE user could have been infected. This was a cause for considerable concern, but could have been seen as a one-off. However, within two weeks the scenario was repeated, and the potential consequences were far more serious.

On 26th December some antivirus companies received mysterious WMF-files. Analysis showed that these files contained executable code which would download files from sites which were known to be spreading adware and spyware. The malicious code would be executed when a user opened the WMF file. Other actions, such as using explorer to open the directory in which the file was located, viewing the file properties etc. would also lead to the malicious code being executed. The code could be executed on any existing version of Windows, including Windows 95/ 98, even on a fully patched system.

It was clear that this was the latest zero day vulnerability, and Microsoft knew nothing about it. The most worrying thing is that the virus writing community not only detected this vulnerability before Microsoft did, but also before any other major company specializing in the identification of vulnerabilities.

Many security professionals spent the next two days analyzing the vulnerability. Information on the vulnerability was published, and the majority of antivirus companies developed heuristic detection for the malicious WMF files. However, Pandora’s box had been opened, and new Trojan programs exploiting the vulnerability started circulating on the Internet. More than a thousand malicious ‘pictures’ were detected in a single week. As the vulnerability was present in all versions of Windows, the situation threatened to spiral out of control. Worms and mass mailings which used the malicious code to exploit the vulnerability were also detected.

Thankfully, all of this took place over Christmas. Fewer people were using the Internet, and many major companies were also on holiday. The number of Internet users was far less than normal, and this prevented a major disaster.

So what was Microsoft doing about the problem? Again, the company’s behaviour seems inexplicable. Security Bulletin KB 912840 was published, which stated that the vulnerability had been identified and listed the vulnerable versions of Windows. More concrete information was issued on 3rd January, when Microsoft stated that a patch would be issued in the monthly patch bulletin on 10th January. The justification for this action was that the patch needed thorough testing and localization for all versions of Windows. Microsoft also asserted that although the problem was critical, no significant virus epidemic had been detected.

The IT world was horrified. This was the second time in a month when Microsoft not only hadn’t been able to address a security issue appropriately, but didn’t even seem to understand the severity of the situation. The number of articles criticizing Windows heavily was equal to the number of malicious wmf files detected. At the same time, the beta patch developed by Microsoft for Windows XP was leaked. The patch was published on a number of sites, and this patch, together with a unofficial third party patch developed by Ilfak Gulfanov, was the only immediately available solution.

Microsoft finally bowed to criticism on 6th January, and issued Security Bulletin MS06-001 containing a patch for the WMF vulnerability.

The situation is clear. It’s already been discussed countless times. Putting emotion and opinions about Microsoft’s behaviour aside, everyone can draw their own conclusions.

One very important aspect of this case is that the vulnerability was first identified by members of the computer underground. Kaspersky Lab has researched the case, and the picture seems to be the following:

It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don’t seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public.

We don’t know who was the first to discover the vulnerability; we only know who was involved in creating and distributing the exploit and subsequent modifications. The data we have, plus the Russian involvement, make it clear that information about the vulnerability was not passed to companies such as eEye or iDefence, which specialize in identifying vulnerabilities. Firstly, the hacker groups didn’t understand exactly how the vulnerability functions, and secondly, the exploit was created in order to be sold on to cyber criminals. Thirdly, research bodies did not have information about the fact that the exploit was being sold, due to the fact that it was created for the Russian market.

Mobile malware

Mobile malware appeared to reach a stable phase in its evolution in the fourth quarter of 2005. The number of new Trojan programs grew steadily, in line with our predictions. Many of the forecasts contained in our last quarterly report, published in September 2005 were confirmed.

A Trojan called PBstealer is evidence of this – it’s the first Trojan for mobile devices designed to steal user data. The Trojan accesses the address book of the infected device and sends it via Bluetooth to the nearest accessible device. There’s also been a significant increase in the number of dual purpose Trojans. Such Trojans are designed not only to infect handsets, but also any PC which a telephone is connected to.

‘Vandal’ Trojans should also be mentioned – these programs compose the majority of malicious code for smartphones. They don’t only corrupt system files by replacing them with non-functional copies, or by deleting information, but also block access to data. The Cardblock family of Trojans installs a password to access the device card. If the malicious code is deleted, the user will no longer be able to access data on the card. It’s likely that the next stage in these Trojan’s evolution will be the encryption of data, with payment being demanded before the data is unencrypted. Both Gpcode and Krotten (written for PCs) did this, and Trojans for mobiles are unlikely to be far behind.

Towards the end of 2005, the hypothetical epidemic of mobile malware became a reality. Kaspersky Lab started selling an antivirus solution for mobile phones throughout Russian and the CIS. The company then started to receive reports of infected devices. Previous data was based on conjecture and the company analysts’ attempts to detect mobile malware in the wild. The vast majority of reported infections were caused by Cabir, which spreads via Bluetooth, and has now been detected in more than 30 countries worldwide. Extrapolating from these facts, if a new worm appears, it is likely to cause a global epidemic.

The majority of new malicious programs for mobile phones are coming from Asia (primarily China and South Korea) which is a cause for concern. The high population density, together with the high percentage of people who have access to computers and mobile phones, create ideal conditions for a potential epidemic. We also shouldn’t forget that Thailand, Malaysia and Indonesia, prime tourist destinations, are also located in this part of the world. By infecting tourists’ phones, a new malicious program could easily spread from this geographical area to the rest of the world.

Gaming consoles: a new platform for viruses?

The beginning of October 2005 brought a new stage in malware evolution. Virus writers moved their attention to a new platform, which raises questions about the future security of digital devices.

Malicious code for gaming consoles was detected. A few years ago, nobody would have thought that such a development could take place, and predictions that malicious code for other consoles such as microwaves would appear, were simply treated as a joke. However, this case meant the IT world’s worst fears were being realized.

Sony’s PlayStation Portable was the first victim. A Trojan, which appeared to be a game, was distributed to a number of sites. This Trojan operated in a way very similar to Trojans for mobile phones: deleted the console’s system files and caused it to crash. A few days later two more Trojans were detected, this time for Nintendo DS. However, in both cases, standard consoles were not infected, but only those consoles which had been cracked, in order to make use of pirated games. As licensed games cost a considerable amount of money, such cracked consoles are very popular. There is also a large number of hacker groups which specialize in copying and cracking games.

We currently have a situation which fulfils the three main criteria for viruses for a particular platform to appear:

1. The popularity of gaming consoles. Gaming consoles are experiencing a boom, and are effectively a de facto standard in the gaming world. These consoles are used by tens of millions of people throughout the world.
2. Documentation for the platform. In spite of the fact that there are three main manufacturers of gaming consoles (Sony, Nintendo and Microsoft), the internal structure of these consoles has been carefully studied by hacking groups in order to profit from selling pirated games. Information on how to crack consoles, related sites, and forums is widely available.
3. The presence of vulnerabilities. One major vulnerability is that that is it possible for the user to access system files. And if a user can do this, so can a virus.

In terms of gaming consoles, all of these three criteria were met, and this resulted in the appearance of Trojan programs. No new malicious code for these consoles has appeared since the first Trojans were detected. However, the fact that malicious programs for this platform exist means that the door has been opened, and will undoubtedly be opened further by malicious users.

Another important factor is the world wide trend towards creating new consoles which can be networked, which can access the Internet, and which can be administered from a single central point. Previously, this category was confined to computers (including PDAs) and telephones. However, devices and technologies are continuing to evolve. Some think that it should be possible to connect any console to a network, and to control it remotely. Gaming consoles, household appliances, smart houses can all be connected to each other. As a rule, wireless technologies such as WiFi, Bluetooth or IrDA are used. This greatly increases the risk of using such technologies. Any device will have vulnerabilities, which means that any and all devices will be targeted by hackers. Add the eternal issue of wireless network security to the equation, and even the near future begins to look less than bright. A future in which traditional anti-virus solutions are of little use is a sobering thought.

Sony’s rootkit

A security researcher, Mark Russinovich, received a lot of publicity when he announced that he had detected a rootkit in the DRM module of discs manufactured by Sony. A lot of articles have been published about this case, and Sony has been the subject of several court cases. There’s no doubt that this case, together with the Windows vulnerabilities described earlier, isn’t just one of the most important events in the security world in the fourth quarter of 2005, but one of the most important events of the security year.

The details are widely available, so rather than re-tell the story, let’s take the opportunity to look at the overall situation, and draw some conclusions.

It was due to Sony that hundreds of thousands of computers throughout the world had software installed on them which would hide files and processes from the user. This meant that theoretically any file with a name beginning with “$sys$” would become invisible unless special tools were used. Such functionality can, of course, potentially be exploited by malicious programs in order to mask their presence in the system. Unsurprising, this is exactly what took place once information about the rootkit was published. A few days after Russinovich blogged about the presence of the rootkit, we detected a backdoor which installed itself to the system using a name beginning with $sys$. It was named Backdoor.Win32.Breplibot.b

Other viruses started to take advantage of the opportunity. Given the number of potentially vulnerable computers, and the inability of some antivirus solutions to detect rootkits, this was hardly surprising.

The Sony rootkit case is something of an exception to the rule; a major security incident was caused by a company other than Microsoft. Up until then, virus writers had targeted Windows vulnerabilities – Sony provided them with new opportunities. Personally, I think that this is a key moment, with a change in attack vectors. More attention was paid to identifying potential vulnerabilities in products other than Windows products. Such research is likely, sooner or later, to be used by hackers. We did expect such a change, but believed that attacks would focus on vulnerabilities in antivirus products or in Cisco network components (specifically, IOS). The fact that the vulnerability in the Sony case was simple to exploit, and was also highly publicized, may have played a role.

1. The use of rootkit technologies should be seen as unacceptable (both morally and technically) by software developers. Rootkits have been used by some types of AdWare, and are regarded as a way to protect programs. The authors of these programs conveniently forget that such technologies are morally dubious and open to abuse.
2. Poor programming skills in major software companies. This does not refer to the fact that the number of vulnerabilities in today’s software has already exceeded all acceptable boundaries. It refers to the fact that many programmers do not have the skills to create the programs which the company requires. For instance, a year ago programmers from First4Internet, which created the rootkit for Sony, were searching for information on how to hide files within the system. This makes it very difficult to take the rootkit created by this company seriously from a technical point of view.
3. Microsoft and Windows are no longer the only cause of virus epidemics. Any company developing widely used programs which contain vulnerabilities or undocumented functions can potentially cause an outbreak. Any such vulnerability or function could be exploited to launch an attack.
4. Virus writers are shifting their focus from tracking Windows vulnerabilities and using them after information about them has been issued. They are now identifying vulnerabilities themselves, both in Windows and the programs of other companies. This is clearly shown by both the Sony rootkit case and the history of the WMF vulnerability.
5. Antivirus companies are more and more often going to find themselves in the position where the interests of users may conflict with the interest of major software developers who are using potentially exploitable technologies. Naturally, users may want rootkits to be detected and deleted from the system; however, manufacturers and vendors may believe they are simply using these technologies to protect their programs. Clearly, it’s necessary for antivirus companies and software developers and vendors to reach consensus on this matter.

Conclusion

The final quarter of 2005 included a number of events which had far-reaching implications both for the security community and users in general. Undoubtedly 2006 will bring new developments in malicious code, and new vulnerabilities in programs and systems other than Windows. These developments will, in turn, provide new opportunities for virus writers, hackers, and cyber criminals. And naturally, the antivirus industry will continue to track the evolution of malicious code, and develop methods to address emerging threats and vulnerabilities.