The State of Malware Today - The Year 2005
Innovations in 2005
Without any doubt, 2005 witnessed the emergence of some interesting innovations, such as the first IM worms: Bropia, spotted in February, then Kelvir in March, both making their way through MSN contact lists. Perhaps more "proof-of-concept" oriented, Commwarrior, the first Symbian OS worm propagating via MMS, appeared in March. Although this was expected, it is considered a major breakthrough over previous Cabir-like worms, which would only hop from system to system via short-range Bluetooth. Overall, mobile viruses and Trojans increased by more than 500%, to over 100 unique threats in 2005 compared to fewer than 20 in 2004.
Another innovation worth our attention: April saw the first pharming attacks, aimed at massively installing spyware on machines running unpatched browsers. Pharming did get some well-deserved media coverage: in such DNS-poisoning attacks, the address bar of the targeted end-user's browser displayed the correct address while the user ended up on a rogue site.
Although not quite an innovation, it is worth mentioning that plain old phishing attacks grew as well, with monthly phishing counts doubling compared to 2004. Phishing also expanded geographically, with arrests of phishers in the UK, Brazil, Estonia and Japan, and phishing emails spotted in more than 15 different languages.
Finally, the very exclusive family of auto worms gained two new members: Zotob hit in August and Dasher in December, exploiting MS05-039 and MS05-051 respectively. Of course, these exploit modules were afterwards included in bot-worms such as SdBot and the like.
In 2005, we also saw the re-emergence of some older trends. For instance, in June we started hearing about rootkits (tools that hide themselves or other processes and files from the system) again. As the arms race between rootkits and rootkit revealers truly started, rootkits began implementing process name checking to fool the differential analysis performed by revealers (essentially, they pretend not to hide anything when they deal with a process they identify as a revealer). Revealer processes then started to use random names. A few months later, some fellow researchers at the Virus Bulletin (VB) conference exhibited samples of a (non-free!) rootkit implementing binary pattern recognition to spot revealers.
Botnets go mainstream
Today, writing viruses has obviously become an almost exclusively lucrative activity, and in 2005 it became more and more obvious that botnets had turned into the epicenter of virus-related profit generation and cyber crime:
- Phase 1: Rise
In March, MyTob appeared. It was the first mass-mailing worm to embed a bot, allowing for massive and lightning-fast botnet building. The concept has since been adopted by most mass-mailers. The days when botnets were populated manually, by running custom exploits targeting UNIX systems, seem far behind.
- Phase 2: "Fire ze missiles"
In June, MyTob variants infiltrated half of our virus top 20, accounting for 40% of the total virus activity. At the same time, Trojan activity doubled, and W32/Small.AUX-tr became the first non-replicative malware to enter the top 20 list this year. This indicates that botnets have reached a mature state, in both number and size. Now, the strategy for botnet herders is to use them to generate money, by renting them out for Trojan and spyware installation or relaying.
- Phase 3: Keep a low profile
During the second half of the year, outbreaks were more and more fragmented among variants and seemed to be under tight control by their instigators, who no longer need huge, noisy outbreaks (which would attract police attention), but rather small and controlled ones to maintain the size of their botnets. Consequently, for the first time in the year, half of the top ten viruses in September were not worm oriented. Perfect examples of this were the frequent and highly fragmented Mitglieder (aka Bagle downloader) outbreaks.
Botnets are now being used for a variety of purposes, including relaying spam, phishing, installing spyware, extortion (by threatening online services with DDoS attacks) and much more. Cyber criminals can build and use their own botnet to conduct such activities, or simply rent one.
Sober: the clever misfit
With the above in mind, Sober appears to be a total misfit, a lone cowboy on the lucrative virus scene. Indeed, it is today the only mass-mailing worm that does NOT embed a bot. It is therefore not financially motivated. Instead, Sober is one of the rare political worms. Let's look back on the facts:
- May: Sober.P outbreaks rapidly get thousands of users to "click on the attachment", thanks to a cunning and soundly timed social engineering strategy: the outbreak is synchronized with the opening of FIFA World Cup ticket sales, with Sober's infected emails posing as invitations to the event. The text is either in English or in German, depending on the target email address.
After days of propagating around the planet, the bilingual worm goes dormant, well, almost. From time to time, it connects to an Internet time server (chosen from a list embedded inside the worm body) to check the date. Eventually, on Saturday, May 14, it downloads an update, known as Sober.Q, which starts mass-spamming Nazi propaganda. A well-rounded job overall.
- September: A Trojan called W32/Yusufa.A-tr is spotted in the wild. As one of the rare political/ideological pieces of malware, along with Sober, it is worth mentioning. This cyber-moralist monitors the browser's title bar and hides the window whenever it contains certain words (e.g. sex, teen...). Verses from the Koran are displayed instead.
- November: Here comes Sober.AD (aka Sober.X or Sober.Z), a slight variant whose seeding was extremely aggressive. Soon, it skyrockets in the charts and eventually kicks Netsky.P off the top, after the latter had ruled the top tens from March 2004 to November 2005!
Following Sober.P's scheme, it soon went dormant but was programmed to "wake up" at midnight on January 5, when it will start downloading an update that in turn will likely conduct a new cyber-propaganda operation.
Bilingual, timed, featuring a synchronization scheme and a complex update-URL encoding based on the current date, Sober is by far the most technical piece of malware we have seen in 2005, in addition to being the most prevalent since it appeared.
Future trends
2005 featured a notorious so-called "focused attack", where a custom Trojan was distributed to several companies in Israel in the form of "demo CDs", for industrial espionage purposes. These kinds of attacks, which are easy to conduct and have a high "pay-off" potential, are likely to multiply in the near future, if not already underway. Indeed, their "focused" nature makes them particularly stealthy. Some hackers, on publicly accessible websites, offer their services for a moderate fee (around $100) to companies or individuals who want an "undetectable" Trojan. In practice, those people just pack, repack and tweak the binary until it goes undetected when cross-scanned by mainstream AV products.
It is therefore probable that hundreds of such Trojans are out there, but since they target one specific victim, and provided they stay quiet enough, they remain in the dark.
Though it has been said and repeated, no future trend highlight can omit the strong future of mobile viruses. Potentially very similar to PC viruses, their prevalence is growing, and will continue to grow as the number of smart phones grows rapidly. At the pace mobile phones are evolving, there's no denying that sooner or later the number of smart phone users will surpass that of personal computer users, thereby making mobile viruses a far bigger threat than what we've historically seen among PC viruses.
Finally, seeing how powerful weapons botnets are and how easy they are to control or rent, one may question whether terrorists will use them to cause massive cyber-havoc. Potentially, in an era where nearly every resource, from administrations to banks, airports and plants, is connected to the Internet, it could be possible to use DDoS attacks to seriously harm the global economy and communications.
Some recent studies showed that a relatively small number of zombies would be enough to take a regular website offline for a while. Some botnets feature millions of zombies. So, why hasn't it been done yet? Despite several discussions with specialists, no one has a truly convincing hypothesis on this. One thing is sure: it might happen. Can we protect against it? Barely.
Protecting yourself
Statistics and malware analysis are nice, but what is most important to you, me and everyone lies in one single question: how do I protect against all these threats? In fact, protection still comes down to the good old trinity: antivirus software / system updates / user education.
Antivirus software must be multi-layered and consistent. Gateway filters can be bypassed (see Zotob's case, introduced into corporate networks by infected laptops) and desktop AV solutions are too user-dependent and mostly useless against network worms. Both are good together, if they are synchronized, kept up to date and embed heuristic engines. Adding intrusion prevention systems (IPS) and real-time URL filtering provides further protection. For instance, most URL-filtering services would block Sober's update URLs.
System update policies are definitely a must-have to avoid being victim of a common scheme: a vendor releases a patch, hackers reverse engineer the patch to find out which vulnerability it addresses, create an exploit for it, and embed it into malware.
However, the end of this year showed that all of this is still not sufficient when "zero-day" threats (i.e. no patch exists) such as the infamous WMF vulnerability are discovered. Workarounds are often available, though, to administrators who stay aware of the bleeding-edge trends.
User education is important, but isn't going deep enough to be effective. Simply telling users "do not click on the attachment" is only one of numerous necessary precautions that must be taken. With numerous worms attempting to brute-force passwords to propagate inside networks, weak or shared passwords are a practice that must be thoroughly avoided.
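As an added example (not part of the original article), the following Python script shows the kind of check a defender can run over authentication logs to catch the password brute-forcing described above: one source failing against many accounts within a short window, with a flag raised when a success follows the failures. The log format, addresses and account names are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: format, addresses and accounts invented for this example.
SAMPLE_LOG = """\
2005-12-05 10:00:01 src=192.0.2.10 user=administrator result=FAIL
2005-12-05 10:00:02 src=192.0.2.10 user=admin result=FAIL
2005-12-05 10:00:02 src=192.0.2.10 user=guest result=FAIL
2005-12-05 10:00:03 src=192.0.2.10 user=test result=FAIL
2005-12-05 10:00:04 src=192.0.2.10 user=administrator result=FAIL
2005-12-05 10:00:05 src=192.0.2.10 user=administrator result=OK
2005-12-05 10:03:10 src=192.0.2.44 user=jsmith result=FAIL
2005-12-05 10:03:40 src=192.0.2.44 user=jsmith result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Turn log lines into (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["src"], m["user"], m["result"]))
    return events

def find_bruteforce_sources(events, window=timedelta(minutes=1), min_fail=5, min_users=3):
    """Flag sources with >= min_fail failures against >= min_users distinct accounts inside
    one sliding window; also note whether a success followed the last failure (guessed password)."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):      # chronological order per source
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = [u for ts, u in fails[i:] if ts - start <= window]
            if len(users) >= min_fail and len(set(users)) >= min_users:
                last_fail = fails[-1][0]
                alerts[src] = {"failures": len(fails), "accounts": sorted(set(u for _, u in fails)),
                               "success_after": any(r == "OK" and ts >= last_fail for ts, _, r in evs)}
                break
    return alerts
```

A single user mistyping a password a few times (192.0.2.44 here) stays below both thresholds, while a worm walking through a list of common account names from one host is flagged.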
Finally, a word or two need to be said about an often overlooked feature: disinfection.
Given an undetected, brand new sample, the question "is it malware?" cannot be answered with certainty in the general case, as Fred Cohen demonstrated two decades ago. Heuristics may help spot a decent percentage of suspicious files; however, a window of vulnerability exists during which your network goes unprotected against certain viruses.
Hence, fast reaction and good disinfection tools will in most cases tremendously reduce the damage caused by viruses.