Watershed in malicious code evolution

Over the last few years, Kaspersky Lab virus analysts have been tracking the increasing criminalization of the Internet. Individual criminals are uniting into international criminal groups. The influence this has had on the market for malicious programs has been so great that it has led to a significant change, if not a watershed, in many of the standard evolutionary trends shown by the main classes of malicious programs (TrojWare, VirWare, AdWare).

Accordingly, there has been a watershed in how Kaspersky Lab classifies malware. A professional malware market started to emerge at the very end of 2003, gained ground during 2004, and was well established by the beginning of 2005. Therefore, 2004 could be called the year in which the Internet became comprehensively criminal. Data based on Kaspersky Virus Lab statistics clearly demonstrates this trend. Some of this data is used in the discussion of the malware classifications used by Kaspersky virus analysts which follows.

  1. VirWare
  2. TrojWare
  3. MalWare
  4. Attention: AdWare
  5. Other platforms: .NET, UNIX, Symbian
  6. Virus-writing: a growing business
  7. Conclusions and forecasts

VirWare

According to Kaspersky Lab classification, VirWare includes all viruses and worms (i.e. all those malicious programs which are capable of self-replication). The graph below shows the number of new samples added to this group between January 2003 and June 2005.


Graph 1. VirWare evolution – new viruses and worms detected January 2003 to May 2005.

As the graph shows, after a noticeable drop at the very end of 2003, the number of new viruses and worms identified by Kaspersky Lab has remained essentially stable. However, a more detailed analysis of the specific behaviours within this category (see Table 1) shows that this overall plateau is the net result of shifting interest between the types of malware grouped under VirWare: there is increased interest in newer behaviours, with a corresponding loss of interest in (and therefore a decrease in) viruses, P2P worms and other ‘classic’ malicious code.

Behaviour  | Growth rate 2004 against 2003 | Growth rate 2005 against 2004
-----------|-------------------------------|------------------------------
Email-Worm | -20%                          | 8%
IM-Worm    | ^ (average = 1 per month)     | ^ (average = 28 per month)
IRC-Worm   | -28%                          | -1%
Net-Worm   | 21%                           | 29%
P2P-Worm   | -50%                          | -36%
Worm       | -1%                           | 24%
Virus      | -54%                          | -28%
VirWare    | -37%                          | 7%

Table 1. VirWare growth rates 2004 – 2005.

Let’s take a closer look at the figures. Email-Worms experienced a 20% decrease in growth rate in 2004, which was only partially compensated by a mere 8% growth in 2005. However, it is too early to tell whether this 8% signifies real growth. Compared to the overall growth rate of VirWare as a whole (7%), the growth of Email-Worms simply reflects the overall tendency of VirWare to hold its own during the first half of 2005.

The primary reasons for the overall decrease in Email-Worms are the serious efforts by antivirus vendors to provide rapid protection and improved heuristics, as well as heightened user awareness. However, another important reason is that spamming Trojan programs has become increasingly popular among cyber criminals, rather than using email worms to create global outbreaks. This method has become popular for purely economic reasons: the authors do not need to develop a malicious program which will deliver itself to the victim machine. Trojans are cheaper and quicker to develop, and the malicious program itself is smaller, making it easier to spam.

IM-Worms are showing the highest growth rates within this class. This type of worm was first detected in 2001, and did not exhibit any significant growth over the past few years. However, 2005 has been a turning point, with a marked increase in growth to date. In comparison, last year Kaspersky Lab analysts detected, on average, one IM-Worm a month; the average this year is 28 per month. This is explained partly by the fact that IM-Worms are still something of a novelty, and that many users are unaware of the potential threat posed by this type of malware.


IRC-Worms have effectively disappeared from the arena, with the vast majority of them being reincarnated as backdoors. The decline by 1% in this class during 2005 shows not so much a period of stagnation, but rather the end of an era. This class has reached its evolutionary boundaries; these programs are effectively identical to each other, and an additional significant drop in numbers is simply impossible. 2004 could be viewed as the year IRC worms exited the stage.

Net-worms have not only maintained their growth rate, but have actually increased it. The popularity of this type of malware can be explained by the fact that there is no need for user interaction in the propagation process. With Net-Worms, there is no uncertainty as to whether or not the user will get the infected message, or launch the infected attachment, and there is also no need to write tempting social engineering texts to increase the likelihood of the user launching the worm.

P2P-Worms are continuing to decrease in popularity and are already on a level with IRC worms. The disappearance of this class of worms can be attributed to a great degree to the efforts by media companies to control and/or close P2P networks as part of their anti-piracy campaign.

Worms experienced noticeable growth in 2005, following an insignificant drop in growth in 2004. However, this is not due to worm authors becoming more active; they are simply migrating to new environments, such as Symbian for mobile devices (see below).

Classic viruses, the original malicious programs, have almost disappeared. This is easily explained, as on the one hand, they require more work to develop in comparison with other malicious programs and on the other hand, their low propagation rates bring low return on investment for professional virus writers. 2005 is the second year in a row where the interest in classic viruses has shown a significant drop.

An insignificant overall growth (7%) in the VirWare class after a perceptible drop in the growth rate (-37%) shows that VirWare has reached a watershed. Graph 1 clearly illustrates that, starting from early 2004, this category of malware has virtually reached a plateau, with fluctuations in the growth rate of specific types of malware within this category being balanced by the fluctuations of other types. Thus, the overall growth rate (or lack of it) of VirWare is likely to remain stable.

TrojWare

This category is among the leaders and includes Trojan programs of all types. Trojans have become the favourite weapon of virus writers over the past year, as can be seen in Graph 2, which shows the number of new Trojans added to the Kaspersky Lab virus collection since January 2003.


Graph 2. Increase in TrojWare – number of Trojans added to Kaspersky Lab collection January 2003 to May 2005.

This graph shows that the watershed in the evolution of TrojWare took place in the second half of 2004. To date, the growth rate continues at a high level, and exceeds the growth rate exhibited by all other malware classes. Table 2 illustrates how different types of Trojans have evolved over the past two years. A dash is used where a reliable figure could not be obtained because the underlying numbers do not exceed the statistical error margin.

Behaviour         | Growth rate for 2004 against 2003 | Growth rate for 2005 against 2004
------------------|-----------------------------------|----------------------------------
Banker            | 170%                              | 115%
Backdoor          | 41%                               | 49%
Trojan            | 537%                              | 74%
Trojan-ArcBomb    | –                                 | –
Trojan-Clicker    | 263%                              | 83%
Trojan-DDoS       | –                                 | –
Trojan-Downloader | –                                 | 184%
Trojan-Dropper    | –                                 | 188%
Trojan-IM         | –                                 | –
Trojan-Notifier   | –                                 | –
Trojan-Proxy      | –                                 | 61%
Trojan-PSW        | 52%                               | 47%
Trojan-Spy        | 251%                              | 71%
Rootkit           | ^ (average = 6.25 per month)      | ^ (average = 17.8 per month)
TrojWare          | 157%                              | 82%

Table 2. TrojWare growth rates 2004 – 2005
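Tables 1 and 2 are built from two operations: assigning each new sample's behaviour to a class (VirWare, TrojWare, MalWare, AdWare) and computing a year-on-year growth rate, falling back to an average-per-month figure when the previous year's baseline is too small for a percentage to mean anything (the dashes and the "^" rows). The script below is an added illustration, not Kaspersky Lab's own code; it assumes the verdict-name layout Behaviour.Platform.Family[.variant] seen in names such as Trojan-PSW.Win32.LdPinch on this page, uses the page's behaviour-to-class grouping, and runs over a small constructed list of (year, verdict) records in which the family names other than Bagle and LdPinch are placeholders. The 12-sample baseline threshold is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Verdict name layout assumed from the names on the page: Behaviour.Platform.Family[.variant].
VERDICT_RE = re.compile(
    r"^(?P<behaviour>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)?)\.(?P<platform>[A-Za-z0-9_]+)"
    r"\.(?P<family>[A-Za-z0-9_]+)(?:\.(?P<variant>[a-z]+))?$"
)

# Behaviour -> class, following the page's own grouping.
VIRWARE = {"Email-Worm", "IM-Worm", "IRC-Worm", "Net-Worm", "P2P-Worm", "Worm", "Virus"}
TROJWARE = {"Backdoor", "Trojan", "Rootkit"}   # plus every Trojan-* sub-behaviour
MALWARE = {"Exploit", "HackTool", "SpamTool"}


def parse_verdict(name):
    """Split a verdict name into behaviour, platform, family and optional variant."""
    m = VERDICT_RE.match(name)
    if m is None:
        raise ValueError(f"not a verdict name: {name!r}")
    return m.groupdict()


def classify(behaviour):
    """Map a behaviour to one of the page's four classes."""
    if behaviour in VIRWARE:
        return "VirWare"
    if behaviour in TROJWARE or behaviour.startswith("Trojan-"):
        return "TrojWare"
    if behaviour in MALWARE:
        return "MalWare"
    if behaviour == "AdWare":
        return "AdWare"
    return "Unknown"


def growth_rate(prev, cur, min_baseline=12):
    """Year-on-year growth in whole percent, or None (the table's dash) when the
    previous-year count is below min_baseline and a ratio would be noise."""
    if prev < min_baseline:
        return None
    return round((cur - prev) * 100 / prev)


def tally(records):
    """Count samples per behaviour and per class, keyed by year."""
    counts = defaultdict(lambda: defaultdict(int))
    for year, name in records:
        behaviour = parse_verdict(name)["behaviour"]
        counts[behaviour][year] += 1
        counts[classify(behaviour)][year] += 1
    return counts


def report(counts, prev_year, cur_year, months_in_cur=12):
    """Growth rate per behaviour/class; when no rate is reliable, report the
    average number of new samples per month instead (the table's '^' rows)."""
    out = {}
    for key, per_year in counts.items():
        prev, cur = per_year.get(prev_year, 0), per_year.get(cur_year, 0)
        rate = growth_rate(prev, cur)
        out[key] = {
            "growth_pct": rate,
            "avg_per_month": None if rate is not None else round(cur / months_in_cur, 2),
        }
    return out


# Constructed sample records (not real statistics); family names other than
# Bagle and LdPinch are placeholders.
SAMPLE = (
    [(2004, "Email-Worm.Win32.Bagle.a")] * 25 + [(2005, "Email-Worm.Win32.Bagle.z")] * 27
    + [(2004, "Net-Worm.Win32.ExampleNet.a")] * 5 + [(2005, "Net-Worm.Win32.ExampleNet.b")] * 6
    + [(2004, "Trojan-PSW.Win32.LdPinch.a")] * 20 + [(2005, "Trojan-PSW.Win32.LdPinch.b")] * 20
    + [(2004, "Backdoor.Win32.ExampleBot.a")] * 12 + [(2005, "Backdoor.Win32.ExampleBot.b")] * 18
    + [(2005, "Trojan-Downloader.Win32.ExampleDl.a")] * 40
    + [(2004, "IM-Worm.Win32.ExampleIM.a")] * 3 + [(2005, "IM-Worm.Win32.ExampleIM.b")] * 18
    + [(2005, "Worm.SymbOS.ExampleMobile.a")] * 7
)

if __name__ == "__main__":
    for key, row in sorted(report(tally(SAMPLE), 2004, 2005).items()):
        if row["growth_pct"] is None:
            print(f"{key:18} –   (average = {row['avg_per_month']} per month)")
        else:
            print(f"{key:18} {row['growth_pct']}%")
```

With the constructed data, Email-Worm comes out at 8% (the same figure as Table 1), IM-Worm and Trojan-Downloader have no usable 2004 baseline and are reported as a per-month average, and the class totals (VirWare, TrojWare) are computed from the same records as the behaviour rows.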

It should be noted that Banker programs are not really a separate type of Trojan – they are simply Trojans which steal bank account information from infected computers. The fact that they are identified as a separate group highlights the particular interest shown in them by the computer underground, as well as their recent intensive growth rate. The average growth rate of Bankers exceeds the average growth rate of TrojWare overall. Moreover, the gap has widened recently, which underscores the economic interest of the criminal underground.

Backdoors are growing at a steady rate that has not changed in the last few years, while Trojans experienced a significantly lower growth rate in 2005 than in 2004 – 74% in comparison to 537%. Their numbers continue to grow, though a plateau seems imminent.

The number of Trojan-Clickers has also been rising less rapidly than other types of Trojans, although the figures are relatively high, leading us to conclude that the number of Clickers will continue to grow.

Trojan-Downloaders exhibit some of the highest growth rates within this class, and it’s clear why: they are currently being widely used to create botnets. Recently, they have been spread using spam mailings, which has been a factor in the decrease of email worms. Once a spam mailing has been carried out, Downloaders are used to install and update malicious programs on the victim machine at the whim of the author. Increased interest in spam mailings versus Email-Worms is also easily explained if we take into account the fact that the cyber criminals have already tested the antivirus industry response to Email-Worm outbreaks and have lost the battle against the speed of the industry’s reaction.


Trojan-Droppers have reached the same numbers as Trojan-Downloaders, exhibiting the same growth rates. The increased interest in this behaviour is also explicable when one considers the part that Trojan-Droppers play in the creation of botnets. They contain either Trojan-Downloaders, or Backdoors, or Trojan-Proxies, which, incidentally, are also increasing in number, although not as much as Trojan-Downloaders and Trojan-Droppers. The relatively restrained increase in Trojan-Proxies can be explained by the fact that malware with this behaviour has no universal application: Droppers, Downloaders and Backdoors are all used to create botnets, whereas Trojan-Proxies are mainly used only to carry out spam mailings from infected machines.

Noticeable growth rates in Trojan-Spy and Trojan-PSW programs simply underline the financial motives driving most contemporary virus writers: nearly all harvested data is used to gain unsanctioned access to the user’s Internet and financial resources. Such data is also often sold on to third parties.

Rootkits have been identified within our classification as a separate behaviour relatively recently, which indicates the increased interest in these programs. This can be explained by the fact that rootkits can be used to increase the life expectancy of other types of malware used to infect victim machines. In turn, antivirus vendors have developed new forms of user protection. The successful implementation of rootkits on Windows systems is mainly due to lack of user education, as most users run their computers with admin privileges, an essential condition for a rootkit to be successfully installed on the system.

Virus writers have also shifted their focus from user mode rootkits to kernel mode rootkits: the latter are increasing in number because kernel mode rootkits can hide more information.

Overall, TrojWare is increasing steadily, and the average growth rate is higher than that of any other category. We can say for certain that the watershed has already been passed, and nearly all types of Trojan are approaching a stable rate of growth.

MalWare

This class is the most wide-ranging in our classification system; however, due to a lack of interest from virus writers in these types of malware we may see the growth of this group plateauing out in the near future, followed by an insignificant drop. The growth rates for MalWare are shown below.

There are only two newly identified behaviours that demonstrated significant growth within this class: Exploit and HackTool, which show growth of 49% and 36% respectively.


Graph 3. Increase in MalWare January 2003 to May 2005

A new behaviour was included in this class in 2004 – SpamTool. Although SpamTools are not showing rapid growth, several examples are detected a month. SpamTools are used to search for new email addresses on infected machines, for use in future spam mailings. SpamTools are spread either by being spammed, or by a botnet.

The lack of interest in other malware types within this class can be attributed to a great extent to the difficulty of using such programs for financial gain.

Attention: Adware

Adware is software which is installed on the victim machine in order to advertise goods or services. The number of these programs rose dramatically in the second half of 2004. Overall, in 2004 adware grew by 789%, which is ample evidence of the interest which malware writers have in this class.


Graph 4. Increase in adware January 2003 to May 2005.

This can be explained by the fact that adware is theoretically legal, although this is something of a contradiction in terms. This legal ambiguity allows many companies to openly develop such software. For instance, Claria Corporation, the biggest adware developer in the world, already has a turnover of $90.5 million; they created Gator, a well known piece of Adware. And Jupiter Communications Inc. forecasts that Internet advertising will increase to 28 billion dollars this year.

Currently adware is performing a delicate balancing act on the border between legal and illegal software. Different types of potentially and/or downright malicious adware that have been detected recently include:

  • adware which infects executable files
  • adware which utilizes root-kit technologies to mask its presence in the system
  • adware which uses exploits to install itself in the system
  • adware which illegally harvests information

All of this proves that adware developers are fully aware of the nuisance factor inherent in their products. Therefore, they are constantly trying to increase the window of opportunity between installation and detection and/or removal by using virus, rootkit and other malicious technologies.

The number of court cases against adware developers and vendors indicates that the antivirus industry is on the verge of classifying adware as truly malicious software. One example is Symantec, which initiated a case against Hotbar.com, asserting that Hotbar advertising programs pose a threat to IT security. In light of this court case, it’s somewhat surprising that companies such as Deutsche Bank and Eurofund are among Hotbar’s investors.

In short, the gap between so-called adware and real malware has in effect disappeared.

Other platforms – .NET, Unix and Symbian

Cyber crime is constantly evolving, and virus writers carefully monitor user migration to new platforms. There has been increased interest amongst virus writers in .NET; although the number of malicious programs for this platform is still insignificant, it is increasing steadily. It seems that virus writers are currently monitoring this platform, though they do not yet view it as a serious target.

The number of malicious programs for UNIX (see Table 3 below), is growing in proportion to the increased popularity of UNIX. This dispels the myth that UNIX is invulnerable and confirms the hypothesis that the number of infections targeting any given platform will be in proportion to its popularity.

Year | Average number of malicious programs per month
-----|-----------------------------------------------
2003 | 12.67
2004 | 21.58
2005 | 35.20

Table 3. Increase in malicious programs targeting UNIX.

Over the past year, cyber criminals have also turned their attention to mobile devices running under Symbian. Last year, on average 1.42 malicious programs for this platform were detected every month, and this year the figure is already up to an average 7.4 per month. This indicates that interest in this platform has increased significantly, and is likely to increase further.

The real boom in mobile malware will come once mobile phone users are able to access on-line payment systems and on-line bank accounts. This is a cause for serious concern, given the current level of security in mobile phone operating systems, compounded by the lack of awareness among mobile phone users (who do not think before authorizing an incoming message). The first global mobile malware epidemic could easily cause mobile networks to collapse.

Virus-writing: a growing business

Towards the end of the 1990’s and throughout the early 2000’s many analysts asserted that virus writers had no future because they were usually teenagers or university students who had no real means of financial support. However, by 2005, the situation has changed radically; it is now professional criminals who are writing malware, with specific financial goals in mind, as can be seen from the following:

  • spam mailing of malicious programs is increasing in comparison to the classic self-replicating worms. This has already had an effect on the TrojWare and VirWare categories. For instance, the authors of Bagle are gradually moving away from writing new versions of Bagle email worms to Trojan-PSW.Win32.LdPinch. This Trojan is being widely used to create bot nets.
  • growth in the number of malicious programs used to gain unsanctioned access to user data, such as network and ICQ passwords, financial information etc, with the aim of using this information illegally.
  • an avalanche of new adware

Everything above confirms that a lack of finance is not an issue, since writing malware is now a lucrative business. Currently, the antivirus industry is able to resist the advances of the virus writers by utilising the infrastructure which it has taken years to create: a rapid response to new threats. However, monitoring the virus writing underground makes it clear that virus writers are also monitoring the antivirus industry. They are developing a counter structure with the aim of scanning for new victim machines and infecting them.

With the constantly increasing number and frequency of network attacks (for instance, we often see several versions of a single piece of malware from the VirWare class in a single day) the speed at which antivirus companies react to new threats plays a decisive role in halting epidemics. Table 4 shows the number of antivirus database updates issued by Kaspersky Lab over the last few years.

Year            | Number of updates | Update frequency | Number of urgent updates
----------------|-------------------|------------------|-------------------------
2003            | 818               | every 3 hours    | 120
2004            | 4008              | hourly           | 215
2005 (forecast) | 6500              | hourly           | 270

Table 4. Annual increase in the number of antivirus database updates.

The number of regular updates also shows that Kaspersky Lab is attempting to prevent users from being infected by increasing the number of scheduled updates. However, data collected in questionnaires shows that only 25% of users update their antivirus solutions more than once a week.

The fact that the number of urgent updates has increased proves that the number of situations where users need urgent protection in order to prevent a significant outbreak has also increased significantly.

Cyber criminals are using packing programs more and more frequently in an attempt to make their malicious programs undetectable.

Year            | Packed malware as a share of all malware
----------------|-----------------------------------------
2003            | 28.94%
2004            | 33.06%
2005 (forecast) | approx. 35%

Table 5. Increase in packed malware relative to other malware.

In the virtual world, it’s not only antivirus companies and cyber criminals which are involved in a stand-off; the criminals are engaged in fighting each other. New criminal groups are forming, and the current trend is for smaller groups to unite into larger ones. This trend will undoubtedly reach a peak, after which we will see conflicts of interest leading to new cyber wars which in turn will lead to the elimination of weaker groups.

The position of the antivirus industry will be strengthened not only by the introduction of new technologies, but also by increasingly close ties with law enforcement agencies, which have recently been increasingly targeting cyber crime. We have already seen an increase in the number of court cases brought against virus writers and cyber criminals in 2004 and 2005. This is a natural result of the negative effect cyber crime is having on the world economy.

However, despite the increase in arrests and court cases, the number of new malicious programs is also increasing steadily. In other words, the battle against cyber crime at the legislative level is in its infancy. Better legislation and additional resources are required to make law enforcement effective in this area.

Conclusion and predictions

As can be seen above, the Internet community has passed the watershed. What can Internet users expect to see in the future? Issues to consider in the immediate future include:

  • regional mailings of malicious programs, which will be designed to make it more difficult to detect the malicious program in the region where it was originally spammed.
  • targeted mailings of malicious programs which aim to victimize a particular organization – this will make it harder for the antivirus industry to respond effectively.
  • a continuing decrease in the number of global outbreaks caused by network worms, which will depend to a great extent on a decrease in the number of new critical vulnerabilities in MS Windows, and/or the prompt reaction of MS to newly discovered vulnerabilities.
  • searching for new social engineering techniques in order to infect victim machines in a more efficient and effective way (e.g. following a mass mailing of the latest version of Trojan-PSW.Win32.LdPinch by ICQ, a bot net was used by the remote malicious user to answer the ICQ messages from users)
  • the criminal market for malicious programs is far from saturated and this market will continue to expand, leading to cyber wars between a decreasing number of larger and better-organized criminal groupings
  • continued increase in the quantity of spam, phishing attacks, adware, malicious programs, bot nets, Internet fraud and blackmail, and other cyber crimes
  • slow but steady increase in new legislation followed by punitive action by law enforcement agencies
  • virus writers will migrate to new platforms along with users.
