Reflecting on the Year 2000

14 Dec 2000
Business News

Kaspersky Lab Int. presents its year-end review of the events of 2000 in the field of anti-virus security.

Looking back over this year's events, we must admit that the situation in the anti-virus field has become more complicated than it was in 1999. In May 2000 alone, the LoveLetter virus attacked more than 40 million computers around the world. According to the Computer Economics research center, during the first 5 days of the epidemic LoveLetter caused worldwide losses of US$ 6.7 billion. For comparison, the same center estimated worldwide losses for the whole of 1999 at US$ 12 billion.

The main results of malware development in 2000 are the following:

  • e-mail has become the undisputed leader among all virus propagation channels;
  • viruses have diversified technologically;
  • script and macro viruses dominate all other virus types;
  • the first attempts at a virus for cellular phones have been made;
  • "invisible" viruses, which exploit security holes in Internet Explorer, have spread throughout the world;
  • a new generation of self-updating viruses has appeared;
  • new viruses using the alternate data streams of NTFS have been detected;
  • many new viruses have been written for Linux.

Anti-virus protection has therefore once again proved in 2000 to be the most critical element of personal and corporate computer protection systems.

E-mail: The best means for virus transport

The vigorous growth in the frequency of virus attacks in 2000 has been accompanied by substantial changes in the technology of malware development and distribution.

First of all, we would like to emphasize the tendency for more and more viruses to acquire the ability to distribute themselves via e-mail. According to Kaspersky Lab's technical support department, about 85% of all registered infections were caused by viruses that spread via e-mail, and the number of such cases grew by 70% in 2000 compared with 1999.

In connection with this, Kaspersky Lab would like to emphasize once again the importance of installing reliable anti-virus software for e-mail systems. In a corporate network, such a system should filter e-mail messages on two levels: at the mail server, where a mass-mailing worm can be stopped before it reaches a single mailbox, and at the workstation, which catches whatever the gateway misses.

The increasing attention that virus-writers pay to e-mail is easily explained: the more popular an application, the more eager virus-writers are to develop viruses for it. Today e-mail is the de facto standard for business and private communication. Millions of people worldwide could not imagine their business without it, and this popularity has predetermined the large-scale development of viruses that spread via e-mail.

Virus Diversification

Looking at the technical complexity of the viruses detected "in the wild" in 2000, we have to note their diversification. On the one hand, more complex viruses written in low-level languages have appeared. On the other hand, the so-called primitive viruses, written in VBScript (VBS) and Visual Basic for Applications (VBA), have occupied the top places in the virus prevalence tables.

The tendency toward technically simpler viruses is borne out by the following statistics: about 70% of all viruses "in the wild" are script-viruses, and macro-viruses make up another 20%. Both of these virus types have a primitive structure and are easy to write, but they are just as dangerous as any other type of virus. VBS and VBA, the languages used in script and macro-viruses, give a virus practically the same means of damaging an infected computer as more complex languages do: through COM objects such as Scripting.FileSystemObject and WScript.Shell a script can create, copy and delete files, edit the registry and drive other applications, including the mail client. No wonder virus writers prefer the simpler VBS and VBA to more complicated languages such as Assembler and C.

Year of the LoveLetter

Kaspersky Lab experts agree that 2000 has been the year of LoveLetter. The LoveLetter virus (detected on May 5th) spread around the world within hours, infecting millions of computers. The reasons are the following:

i) A very high speed of distribution. Right after infection, the virus e-mails itself to every entry in the address book maintained by Microsoft's Outlook e-mail software. Just like the Melissa virus (detected in March 1999), LoveLetter does this in the name of the unaware and unsuspecting computer owner, so the recipient sees a message from someone he knows.

ii) The deceptive extension of the file attached to the message: 'TXT.vbs'. Many users still believe that text files cannot contain virus code. This is true, but the name may hide a file of another type: the real extension is the last one, .vbs, which marks a Visual Basic Script program, and since Windows hides known extensions by default, the attachment was displayed as an innocent-looking 'TXT' file.

iii) The author of this virus used a very simple and brilliant psychological trick: few people can resist the temptation to read a love letter from an acquaintance.
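The two mechanical points above, that the real type of an attachment is its last extension and that a mail filter at the server and at the workstation should refuse script attachments outright, can be turned into a simple attachment-name policy. The following Python example is added here and is not Kaspersky Lab's code; the extension lists and the sample file names are constructed for the illustration.

```python
"""Attachment-name policy for an e-mail filter (mail server or workstation).

Added example, not Kaspersky Lab's code.  Two rules are enforced:
  * the type of a file is decided by its LAST extension, so
    LOVE-LETTER-FOR-YOU.TXT.vbs is a script no matter what it looks like;
  * attachments whose real extension is executed by Windows Script Host,
    the shell or a Windows application are refused outright.
The extension sets and the sample names below are constructed for the example.
"""

# Extensions Windows will execute directly (illustrative, not exhaustive).
EXECUTABLE_EXTS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",   # script hosts
    "exe", "com", "scr", "pif", "bat", "cmd", "lnk",  # shell-executed
}
# Extensions that make a name look harmless when they precede a real one.
BENIGN_LOOKING = {"txt", "doc", "xls", "jpg", "gif", "htm", "html", "pdf", "zip", "mp3"}


def normalise(name):
    """Remove quoting and the trailing dots/spaces the Windows shell ignores."""
    return name.strip().strip('"').rstrip(". ")


def extensions(name):
    """All extensions of a name, lower-cased, inner padding removed.
    'photo.JPG   .exe' -> ['jpg', 'exe']; 'README' -> []."""
    parts = [p.strip() for p in normalise(name).lower().split(".")]
    return parts[1:]


def classify(name):
    """Return ('allow'|'block', reason) for one attachment file name."""
    exts = extensions(name)
    if not exts:
        return "allow", "no extension"
    real = exts[-1]
    if real in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in BENIGN_LOOKING:
            return "block", f"double extension: shown as .{exts[-2]}, runs as .{real}"
        return "block", f"executable attachment .{real}"
    return "allow", f".{real} is not executable"


def filter_message(attachment_names):
    """Gateway/workstation hook: return the list of (name, reason) to strip.
    An empty list means the message may be delivered unchanged."""
    blocked = []
    for name in attachment_names:
        verdict, reason = classify(name)
        if verdict == "block":
            blocked.append((name, reason))
    return blocked


if __name__ == "__main__":
    # Constructed sample message: one LoveLetter-style name, one benign one,
    # one name padded with spaces to push the real extension out of view.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "agenda.doc", "photo.JPG   .exe"]
    for name, reason in filter_message(sample):
        print(f"stripped {name!r}: {reason}")
```

The same classify() serves both levels of filtering: at the gateway it decides what to strip from a message, at the workstation it is the check a mail-client plugin applies before an attachment is opened. A name check is only the first line, since it says nothing about archives or about what the declared MIME type claims; content scanning still has to follow.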

Here we should recall Rabbit, the first script-virus, detected in November 1998. Immediately afterwards Kaspersky Lab forecast a global epidemic caused by script-viruses of the LoveLetter kind. At the time, many companies accused Kaspersky Lab of spreading "virus hysteria"; in 2000, however, the prediction of Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, was fully vindicated.

Kaspersky Lab experts currently know of 80 modifications of the LoveLetter virus. In order to protect our customers from every possible modification of this virus, on May 7th Kaspersky Lab released a unique technology under the name Script Checker, a tool for detecting unknown script-viruses. Its built-in heuristic analyzer examines what a script program does rather than matching it against known samples, so Script Checker reliably protects Kaspersky® Anti-Virus (AVP) users from all modifications of LoveLetter without any extra anti-virus database updates.
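To make the idea of a heuristic script analyzer concrete, here is an added Python example (not Script Checker's code or any Kaspersky Lab code) that scores a VBScript source by the combination of capabilities it uses rather than by a signature. The indicator list, the weights and both sample scripts are constructed for the illustration.

```python
"""Heuristic analysis of a VBScript program: score what the script can do.

Added example, not Script Checker's or any Kaspersky Lab code.  Instead of a
signature, the analyzer looks for the capabilities a mass-mailing
script-virus needs (file system access, a reference to its own file, copying
itself, reading the address book, attaching a file to a message, sending it)
and judges the combination.  Indicators, weights and both samples are
constructed for the example.
"""
import re

# name -> (regex, weight); matched case-insensitively, VBScript is case-insensitive
INDICATORS = {
    "filesystem":  (r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', 1),
    "self_ref":    (r'\bWScript\.ScriptFullName\b', 2),
    "self_copy":   (r'\.Copy(File)?\b', 2),
    "mapi":        (r'"Outlook\.Application"|GetNameSpace\s*\(\s*"MAPI"', 2),
    "addressbook": (r'\bAddress(Lists|Entries)\b', 2),
    "attach":      (r'\.Attachments\.Add\b', 2),
    "send":        (r'\.Send\b', 1),
    "registry":    (r'\.RegWrite\b', 1),
    "delete":      (r'\.Delete(File|Folder)?\b', 1),
}


def strip_comments(source):
    """Drop comment lines so documentation cannot trigger the indicators."""
    kept = []
    for line in source.splitlines():
        s = line.lstrip()
        if s.startswith("'") or s[:4].lower() == "rem ":
            continue
        kept.append(line)
    return "\n".join(kept)


def analyse(source):
    """Return {'hits': [...], 'score': n, 'verdict': str} for a VBS source."""
    code = strip_comments(source)
    hits = {name for name, (rx, _) in INDICATORS.items()
            if re.search(rx, code, re.IGNORECASE)}
    score = sum(INDICATORS[name][1] for name in hits)
    if {"self_ref", "attach", "send"} <= hits and hits & {"mapi", "addressbook"}:
        verdict = "mass-mailer"          # mails its own file to the address book
    elif {"self_ref", "self_copy"} <= hits:
        verdict = "self-replicating"     # copies its own file somewhere
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "score": score, "verdict": verdict}


# Constructed fragment with the LoveLetter pattern; deliberately incomplete.
SAMPLE_SUSPICIOUS = r'''
' constructed test fragment, not a working program
Set fso = CreateObject("Scripting.FileSystemObject")
Set app = CreateObject("Outlook.Application")
Set ns = app.GetNameSpace("MAPI")
For Each entry In ns.AddressLists(1).AddressEntries
    msg.Attachments.Add WScript.ScriptFullName
    msg.Send
Next
fso.CopyFile WScript.ScriptFullName, sysdir & "\update.vbs"
'''

# Constructed benign logon script: uses COM too, but nothing virus-like.
SAMPLE_BENIGN = r'''
' map the user's home drive at logon
Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "H:", "\\fileserver\home"
WScript.Echo "Home drive mapped"
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(src))
```

The verdict rests on the combination, not on any single call: a logon script that creates COM objects stays clean, while a script that refers to its own file, attaches it to a message and walks the address book is flagged whatever its variable names or message text, which is what lets one rule cover the modifications of a virus. A pattern matcher of this kind can be evaded by assembling the object names at run time (string concatenation, Chr(), Execute), so a production analyzer also has to follow the script's behaviour rather than only its text.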

Expecting Cell Phone Viruses

It all began on June 6th, when the Internet-worm Timofonica was detected in Spain. This worm has one peculiar quality: it sends meaningless SMS messages to cellular phones on the MoviStar network. The case gave rise to rumors about the first virus to infect mobile phones. Fortunately, the reality was less cruel: apart from sending SMS messages from infected PCs, the worm had nothing to do with cellular phones and never ran on one.

Two months later, a utility called HSE was detected. It can send SMS messages of any content to phones on several cellular networks in Germany. Unlike Timofonica, this utility cannot be classified as a virus or Internet-worm; it is simply a malicious tool that may be used against cell phone owners.

And finally, on August 30th, the world learned of a new "cellular" virus said to have been detected by Web2Wap AS, a Norwegian company. As it turned out, the Norwegian experts had merely discovered a hole in the protection system of several Nokia cell phone models that allowed the phone's keyboard to be locked by a specially crafted SMS message. This had nothing to do with a virus either.

It is worth emphasizing that, at present, cellular viruses cannot be considered an urgent problem. The main and only reason is that current cell phones do not provide an environment in which a virus can live. A virus needs three conditions: i) the platform must let executable objects be created, modified and exchanged; ii) the platform must be popular among users; and iii) its protection system must be weak.

However, we can expect the first cellular viruses to appear in the very near future. The MID (Mobile Information Device) standard, based on Java (Java 2 Platform Micro Edition, J2ME) and released on August 19th by Sun and its partners, effectively gives the green light to the corresponding malware: once a phone can download and run arbitrary Java programs, the first of the conditions above is met.

Invisible Worms

In 2000, computers were frequently attacked by viruses exploiting a hole in the protection system of Internet Explorer 5.0 known as Scriptlet.Typelib (an ActiveX control that IE allowed a web page or HTML message to script, and that can write arbitrary files to the local disk). Such a virus infects the computer as soon as the infected message is opened, or merely shown in the preview pane: the HTML body is rendered by the Internet Explorer engine, so there is no attached file to start.

The first virus of this kind (BubbleBoy) was detected in November 1999. Microsoft had released the patch for this hole (Security Bulletin MS99-032) over two months earlier. Despite this, during the year the KakWorm virus infected many computers. This means that users tend to ignore the advice of anti-virus companies and do not install patches for their software in due course. For this reason, we would once again advise you to install the free patch for Internet Explorer 5.0, which is available from Microsoft.

Self-updating Viruses

In 2000, the so-called self-updating viruses, viruses that download updates via the Internet, came into vogue. The author of such a virus can use this technology to replace old components of the installed malware and to install new ones without the user knowing.

This technology appeared at the end of 1999, and the first virus to use it was Babylonia. In 2000, several more viruses were built on it, among them Sonic and Music. The Internet-worm Hybris is a more advanced user of the technology: it can download updates not only from Web sites but also from newsgroups (alt.comp.virus). This is very convenient for the virus author, because site owners take a Web site down as soon as they learn that malware is using it to fetch updates, whereas a newsgroup posting cannot be withdrawn in the same way. In addition, the Hybris author implemented another advanced technique to stop anyone else from taking control of the worm: the updates carry a digital signature made with a strong public-key algorithm, so the worm accepts only plugins signed by its author, and a third party cannot feed it replacement modules even if he gains control of the distribution channel.

Viruses in The Alternate NTFS Data Streams

At the beginning of September, the first virus (Stream) able to use the alternate data streams (ADS) of the NTFS file system was detected. NTFS lets a file carry additional named streams alongside its main content; they are not shown by Explorer or the dir command and are not counted in the file size. Stream moves the original program body into such a stream and puts itself in the file's main stream. According to the Kaspersky Lab report, the virus itself does not constitute a real threat, but the technique of hiding in additional streams is very dangerous, since only a few anti-virus scanners are currently able to detect malware in ADS.

Unfortunately, the story provoked an inadequate response from some competing anti-virus companies, which accused Kaspersky Lab of raising an unnecessary alarm among users. Apart from these unsubstantiated accusations, however, our competitors have provided no evidence for their theory that additional data streams are safe. The problem of anti-virus protection for NTFS remains topical: in the months since the Stream virus was detected, only a few anti-virus scanners have "learned" to check for viruses in ADS. Kaspersky Anti-Virus was the first anti-virus scanner in the world to acquire this ability, implemented in version 3.5.
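For a scanner, the practical consequence of the Stream story is that every $DATA stream of a file must be enumerated and opened, not only the default one. The following Python example is added here and is not Kaspersky Lab's code: it enumerates a file's streams through the Win32 FindFirstStreamW/FindNextStreamW calls, which only work on Windows with NTFS, and it parses the stream names into the 'file:stream' form that open() accepts. The stream name 'hidden' used in the demonstration is constructed.

```python
"""Enumerate NTFS alternate data streams so a scanner checks all of them.

Added example, not Kaspersky Lab's code.  FindFirstStreamW/FindNextStreamW
are real Win32 calls and need Windows with NTFS; the name parsing and the
construction of 'file:stream' open names are platform-neutral and are what a
scanner's file loop needs.  The 'hidden' stream in the demo is constructed.
"""
import ctypes
import os
import sys
import tempfile

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),            # LARGE_INTEGER
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw):
    """Stream names come back as ':<name>:$DATA'; the default (unnamed)
    stream is '::$DATA'.  Returns the bare name ('' for the default stream)
    or None for anything that is not a $DATA stream."""
    if not raw.startswith(":"):
        return None
    name, sep, kind = raw[1:].rpartition(":")
    if not sep or kind != "$DATA":
        return None
    return name


def open_names(path, streams):
    """Turn (name, size) pairs into the paths a scanner must open:
    the file itself for the default stream, 'file:name' for the others."""
    return [path if name == "" else f"{path}:{name}" for name, _ in streams]


def list_streams(path):
    """[(stream_name, size)] for every $DATA stream of `path` (Windows/NTFS)."""
    if sys.platform != "win32":
        raise OSError("alternate data streams need Windows and NTFS")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    invalid = ctypes.c_void_p(-1).value                             # INVALID_HANDLE_VALUE
    if handle is None or handle == invalid:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name = parse_stream_name(data.cStreamName)
            if name is not None:
                streams.append((name, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


if __name__ == "__main__" and sys.platform == "win32":
    # Demo: a file with a constructed 'hidden' stream that dir/Explorer omit.
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    with open(path, "w") as f:
        f.write("visible content")
    with open(path + ":hidden", "w") as f:
        f.write("content invisible to a scanner that opens only the main stream")
    try:
        for target in open_names(path, list_streams(path)):
            print(target)            # one line per stream to scan
    finally:
        os.remove(path)              # removing the file removes its streams
```

The presence of a named stream is not by itself a sign of infection (Windows and some applications attach legitimate streams to files), so the right behaviour for a scanner is to open and scan each name returned by open_names() exactly as it scans the main stream, rather than to alarm on the stream's existence.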

Linux Withstanding the Siege

Increased virus-writer activity in the area of Linux has been registered this year: 37 new viruses and Trojans for this operating system have been detected, bringing the total number of known Linux viruses to 43. Most remarkably, this means the number has grown roughly sevenfold in 2000.

Although some of them are able to replicate and work independently, no Linux virus has ever been detected "in the wild." Kaspersky Lab experts assume that this is because Linux is still far less popular on the desktop than its competitors.

The most interesting member of the Linux virus family is Siilov. It is the first Linux virus that stays in the background as a resident process and infects files in real time.

Virus Hoaxes Continue

Virus hoaxes continued to shake the world in 2000. The term describes a false alarm warning users about "a new computer virus": the message claims that a new virus spreading via e-mail or the Internet is able to wipe all the data on an infected hard drive.

Such messages are deliberately published on the Internet, and an army of duped users, thinking that they are helping to warn the computer community of the danger, foolishly aids the distribution of the hoax.

The most active hoaxes this year were 'Wobbler', 'Budwiser Frogs', 'Join the Crew', 'It Takes Guts to Say Jesus' and 'Buddlylst'. On some days the Kaspersky Lab technical support service receives hundreds of messages from users asking us to explain these "new viruses."

A separate Kaspersky Lab page explains how to tell a genuine virus warning from a hoax.

What's Next?

Many users have asked us whether they should expect a slew of new viruses on Christmas Eve and in the first days of the New Year. We remember last year's warning, distributed by some competing anti-virus companies, about the computer underground's plans to launch an attack marking the start of the year 2000. According to these messages, hackers from all over the world had prepared thousands of new viruses to be released in the first days of the New Year.

Last year we explained our opinion, and today we can simply repeat it: Kaspersky Lab considers such information to be a marketing ploy designed to boost sales of anti-virus programs on Christmas Eve.