Malware Evolution: October Roundup

In comparison with previous months, October was fairly quiet, with relatively few new malicious programs appearing. Epidemics and outbreaks were at a minimum. However, spy and theft programs continued to be widespread, and new vulnerabilities were detected. Below are the highlights of the previous month.

Firstly, another vulnerability was discovered in Microsoft Internet Explorer. Patches can be downloaded from the Microsoft site, and a detailed description of the vulnerability is available in Microsoft Security Bulletin MS04-032. A previously identified vulnerability was connected with the processing of BMP and JPEG graphics files; now Microsoft metafiles, WMF/EMF, have been added to the list. This is another buffer overrun vulnerability: an attacker can use it to execute malicious code embedded in a crafted graphics file. This vulnerability is potentially more dangerous than the BMP/JPEG processing vulnerability, because Microsoft Windows reads the contents of WMF/EMF files in order to create icons for them. This makes it possible to exploit the vulnerability simply by causing the operating system to create an icon for the appropriate graphics file.
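The root of this class of bug is a decoder that trusts length fields inside the image before checking them against the data it actually has. The following is an added example, not code from the original roundup or from Microsoft: a minimal WMF record walker that validates the header and every record's declared size against the real file length before moving on, the kind of bounds check a robust metafile parser applies. The record layout (optional 22-byte placeable header, 18-byte standard header, then records of `size_in_words`/`function_code`) follows the public WMF format; the sample files are constructed here for illustration.

```python
"""Bounds-check the record chain of a Windows Metafile (WMF).

Added example: a defensive parser that refuses to trust any length field
before checking it against the bytes actually present.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional "placeable" WMF header
META_EOF = 0x0000            # function code of the terminating record
META_SETBKCOLOR = 0x0201     # a harmless record type used in the sample below


class MetafileError(ValueError):
    """Raised when a length field is inconsistent with the file."""


def parse_wmf(data: bytes) -> list:
    """Walk the WMF and return [(function_code, record_size_bytes), ...].

    Every length comes from the file, so each one is checked against
    len(data) before it is used to advance the cursor.
    """
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22                                   # skip the placeable header
    if len(data) - pos < 18:
        raise MetafileError("truncated WMF header")
    (file_type, header_words, _version, file_size_words,
     _num_objects, max_record_words, _members) = struct.unpack_from("<HHHIHIH", data, pos)
    if file_type not in (1, 2):                    # 1 = memory metafile, 2 = disk metafile
        raise MetafileError(f"unknown file type {file_type}")
    if header_words != 9:                          # header is always 9 words (18 bytes)
        raise MetafileError(f"bad header size {header_words} words")
    if file_size_words * 2 > len(data) - pos:
        raise MetafileError("declared file size exceeds actual size")
    pos += 18
    records = []
    while True:
        if len(data) - pos < 6:
            raise MetafileError(f"truncated record header at offset {pos}")
        size_words, func = struct.unpack_from("<IH", data, pos)
        size_bytes = size_words * 2
        if size_words < 3:                         # a record is at least its own 6-byte header
            raise MetafileError(f"record at offset {pos} shorter than its header")
        if pos + size_bytes > len(data):           # the check a vulnerable decoder omits
            raise MetafileError(f"record at offset {pos} claims {size_bytes} bytes past end of file")
        if size_words > max_record_words:          # header promised no record this large
            raise MetafileError(f"record at offset {pos} larger than MaxRecord")
        records.append((func, size_bytes))
        pos += size_bytes
        if func == META_EOF:
            return records


def is_well_formed(data: bytes) -> bool:
    """Convenience verdict: True if the file passes every consistency check."""
    try:
        parse_wmf(data)
        return True
    except MetafileError:
        return False


# --- constructed sample files (not real malware) -------------------------
def encode_record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


GOOD_WMF = build_wmf([encode_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                      encode_record(META_EOF)])
# Same file, but the first record's size field now points far past the end.
BAD_WMF = GOOD_WMF[:18] + struct.pack("<I", 0x10000) + GOOD_WMF[22:]
# Same good file with a placeable header in front (checksum field left at 0).
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + GOOD_WMF

if __name__ == "__main__":
    for name, blob in (("good", GOOD_WMF), ("bad", BAD_WMF), ("placeable", PLACEABLE_WMF)):
        print(name, "well-formed" if is_well_formed(blob) else "REJECTED")
```

The point of the walk is that `pos + size_bytes > len(data)` is evaluated before the record is read or the cursor advanced; a decoder that copies `size_bytes` into a fixed buffer without that comparison is exactly the shape of bug the bulletin describes.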

Secondly, even though October was a relatively quiet month in terms of malicious code, we nevertheless detected some new email worms. All of them followed the recent trend where such worms have a short life-cycle. The new representatives of the Bagle and Mydoom families were all short lived, propagating for no more than 2-3 days before ceasing to work. I-Worm.Mydoom.aa, I-Worm.Mydoom.ab, I-Worm.Bagle.at and I-Worm.Bagle.au were more or less clones, using the source code of previous worms from their respective families. Due to this, there was hardly any difference between the new versions.

October resurrected I-Worm.Zafi, with the new version, Zafi.c, appearing after a fairly lengthy break. It was detected right at the end of the month, and it is relatively interesting from an evolutionary point of view. The worm’s authors are continuing to develop their social engineering skills: the texts contained in infected messages are becoming more and more varied. The text constructor used has undergone considerable modification since the last version of Zafi. In spite of the relatively small volume of text in the constructor, the worm’s authors have achieved a wide range of possible variants; the texts are also now both more coherent and more enticing.

The list of servers which the worm is intended to conduct DoS attacks against is another point of interest. In addition to google.com and Microsoft.com, the list also includes the Hungarian prime minister’s site – perhaps a return to the politics of Zafi.a?

All of the above worms were kept company by a new worm, I-Worm.Bagz.a. This worm is able to infect computers not only via email, but also if the user visits certain sites which contain malicious scripts – these scripts then install the worm on the victim machine. This version of Bagz did not propagate very widely or very rapidly, but the family seems set to evolve; it’s therefore likely that more successful versions of the worm will be detected in the not-too-distant future.

Worm.Win32.Opasoft.s could also be judged one of October’s novelties. Although the family is not new, there have been no new versions of this malicious program for a long time. This latest version caused a significant outbreak in the Russian Federation. However, it’s difficult to predict what will happen in the future – it may be that we will see renewed activity, or it may be that the worm will once again disappear from the landscape for an undefined time.

As a conclusion to this round-up, spy and theft programs deserve a mention for the high level of activity which they demonstrated this month. Several families of remote administration programs (Backdoor.Win32.Agobot, Backdoor.Win32.Rbot, Backdoor.Win32.Wootbot and Backdoor.Win32.SdBot) also come under this umbrella.

Trojan.PSW.LdPinch, Trojan.PSW.PdPinch, and the strictly regional Trojan.PSW.Lmir, Trojan.PSW.Lineage, TrojanSpy.Win32.Bancos and TrojanSpy.Win32.Banker were all active this month, as were TrojanSpy.HTML.Citifraud, TrojanSpy.HTML.Bankfraud and TrojanSpy.HTML.Sunfraud – these last three carrying out fraudulent mailings as part of phishing attacks.

This high level of activity seems to indicate that such programs remain in demand by fraudsters, and there is no reason to suppose that this trend will be reversed.

The month gone by has shown us that the Trojan programs listed above are following a recent trend: familiar malicious programs are compressed and/or encrypted in new ways in order to evade antivirus scanners.
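Repacking changes the bytes a signature scanner sees, but it leaves a statistical fingerprint: compressed or encrypted code is close to random, so its byte entropy approaches 8 bits per byte, while ordinary code and text sit well below that. The following is an added example, not code from the original roundup or from any antivirus product: a sliding-window Shannon entropy heuristic that flags a file whose body is mostly high-entropy, with a small stub of ordinary data in front as a packed executable typically has. The window size, threshold and sample data are assumptions chosen for this illustration.

```python
"""Flag probably-packed or encrypted files by sliding-window byte entropy.

Added example of a triage heuristic; it complements, rather than replaces,
signature scanning, and legitimate compressed resources score high too.
"""
import math
import random
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def window_entropies(data: bytes, window: int = 512) -> list:
    """Entropy of each non-overlapping window, as [(offset, entropy), ...]."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_fraction(data: bytes, window: int = 512, threshold: float = 7.0) -> float:
    """Fraction of windows whose entropy exceeds the threshold."""
    ents = window_entropies(data, window)
    if not ents:
        return 0.0
    return sum(1 for _, e in ents if e > threshold) / len(ents)


def looks_packed(data: bytes, window: int = 512, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """True if most of the file looks compressed or encrypted."""
    return high_entropy_fraction(data, window, threshold) >= min_fraction


# --- constructed samples (no real executables involved) -------------------
# Plain data: repetitive text, as in an unpacked program's strings and tables.
PLAIN_SAMPLE = (b"October was a fairly quiet month; spy and theft programs "
                b"remained widespread. ") * 40

# "Packed" data: a 512-byte low-entropy unpacking stub followed by 4 KiB of
# pseudorandom bytes standing in for a compressed/encrypted payload.
_rng = random.Random(7)
STUB = b"unpacking stub (constructed placeholder) ".ljust(512, b"\x00")
PACKED_SAMPLE = STUB + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        frac = high_entropy_fraction(blob)
        print(f"{name}: {frac:.0%} high-entropy windows -> "
              f"{'suspicious' if looks_packed(blob) else 'normal'}")
```

In practice the measurement is taken per PE section rather than over the whole file, and a high-entropy `.text` section together with a tiny import table is the usual combination that sends a sample for closer inspection.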

To summarize:

  • New vulnerabilities, and viruses which exploit them, continue to be detected.
  • All serious outbreaks in October were caused by the continued evolution of Mydoom, Bagle and Opasoft.
  • Virus writers are continuing to perfect malicious code which is intended to steal personal or confidential user data.
