Month: April 2005

IM-Worms
Worms that propagate via Internet messaging services by sending URLs to all contacts in the local contact list. The URLs take incautious users to websites containing the body of the worm. This approach is also often used by email worms.

One of the most interesting developments in 2005 was the appearance of worms for instant messenger applications. Instant messenger applications have become very popular, but users rarely perceive them as potential infection vectors. The source code for some early IM-worms was also published on a number of virus writers’ sites, and most of the new worms are clearly based on this code. As P2P-worms were simple to create, and spread rapidly, several hundred families appeared, with numerous versions in each. Kaspersky Lab monitored P2P networks closely during the upsurge in P2P-worms and analysis showed that almost every second file in the Kazaa file-sharing network was a P2P-worm. Despite the fact that Internet messaging services allow file transfer, for some reason virus writers are not utilizing it as a method of infection, possibly because they find overly complex. The worm penetrates victim systems either by exploiting Internet Explorer vulnerabilities or simply by downloading and installing the malicious code. Monitoring incoming http traffic for malicious code (which should be part of any responsible security policy) will block those worms which penetrate via browser vulnerabilities.

Botnets
Initially, infected computers were linked via an IRC channel and received commands from the remote user via IRC, and this is still the most popular way of controlling botnets from a single central point and is used by the Agobot, Rbot and SdBot families, which are the most common malicious bots. Mydoom would open a single port in the range between 3127 and 3198 which gave anyone access to the infected system. The Internet was flooded with worms attempting to penetrate computers already infected by Mydoom. Virus writers also wrote scanners that allowed potential controllers to search computers for the Mydoom backdoor component: if the backdoor was detected, the new controller would drop and execute new malware on the infected machine. At the height of this outbreak, infected machines were passing from controller to controller several times a day. All of these infected machines are being actively used by cyber criminals as spamming platforms in order to make money. Botnets can also be used in DoS attacks and to spread new malware – such threats often lead site owners to pay cyber criminals not to attack their sites. Detection and prevention of botnets should be a priority for both the IT industry and end users, since the future of the Internet depends on coordinated action now.

Email Worms
2004 was distinguished by a number of major epidemics caused by email worms such as Mydoom, NetSky, Bagle and Zafi. However, late 2004 and early 2005 was free of such outbreaks, with nothing on the scale of even the mid-sized outbreaks of 2004.

Social engineering
I.e. techniques used by cybercriminals to trick end users into sharing confidential data, continues to evolve. According to data from the Anti-Phishing Working Group, in January 2005 phishers sent 12,845 unique phishing letters leading to 2,560 spoofed websites. The public fear of spyware has also been exploited by Adware writers and other cyber -fraudsters to penetrate victim machines.

No new critical Windows vulnerabilities
Isolated attacks notwithstanding, the fact that older versions of Windows do not have critical vulnerabilities, and the encouraging trend of more and more Windows XP users installing Service Pack 2 gives hope for the future. The current lack of worldwide outbreaks can be partially acounted for by two important factors: no new serious vulnerabilites in Windows and the migration of users to Windows XP with Service Pack 2.

On the other hand, security holes in Internet Explorer are responsible for a significant number of infections. Kaspersky Lab data shows that the MHTML URL Processing Vulnerability (CAN-2004-0380) is the loophole currently most frequently exploited by virus writers. This vulnerability makes it possible to hide executable files written in VBS or JS in CHM files (Microsoft Compiled Help) and post links to the infected files on the Internet. When an infected CHM file is opened, the hidden files are executed in the Local Internet Zone with current user rights.These scripts are usually Trojan Downloaders or Droppers that install other Trojans on the victim machines. However, this vulnerability is not new and Microsoft issued the MS04-013 patch for it over a year ago on April 13, 2004, meaning that users do have the ability to protect themselves against such attacks.

On-line games: a new arena
Contemporary cyber criminals don’t only steal banking and financial details. Games have achieved enormous popularity since their first appearance, and individual items and/or characters in various on-line games are sold for tens of thousands of dollars in on-line auctions. For instance, a virtual island from “Project Entropia” was sold, for $26,500, the largest amount spent at any one time in online-gaming history. In short, several billion dollars are currently invested in virtual worlds and role-playing games, a sum equivalent to the budget of a small country. Naturally, the presence of real money in on-line games hasn’t escaped the attention of cyber criminals.

The first cybercrime targeting on-line games was committed in early 2003, when Trojans designed to steal user account data to the Asian game Legend of Mir were detected. And two years on, there are more than 700 known malicious programs which target Legend of Mir. Detailed analysis of these programs shows that most of them originate in South Korea and China. The first Trojans attacking Lineage were detected by Kaspersky Lab virus analysts in October 2004; in less than six months the number of such malicious programs has grown to several hundred.

Among the most recent programs targeting online games is a family of Trojans designed to steal personal information from Gamania players. The first one was detected in February 2005 and since then there has been at least one new variant every week. Admnistrators immediately forward any viruses, scripts and Trojans attacking the game portals, and Kaspersky Lab ensures that updates protecting against such threats are released almost immediately.

Adware, spyware and viruses: is there a difference?
Adware and spyware are the IT buzzwords of the moment. Such programs may exhibit Trojan behaviour in how they install themselves, (for instance by exploiting browser vulnerabilities), or in how they behave once they are installed. With adware becoming increasingly inseparable from classic malware, dedicated anti-adware solutions will simply cease to provide adequate protection.

Mobile malware
The first malicious code targeting mobile phones (Cabir) was detected in the middle of June. We are now staring into the abyss: a Warhol Worm, which attacks all possible systems in the shortest possible time, is now a very real possiblity. The first attempt to create such a worm surfaced in March this year. Fortunately, ComWar, an MMS-worm, contained a number of errors and there was a significant time lag during propagation.

At the time of writing, no further Bluetooth-worms have been detected.

http://www.viruslist.com/en/analysis?pubid=162454316