Virus Review - 2002

16 Jan 2003
Virus News


Virus Review - 2002

Kaspersky Lab, an international data-security software developer, presents its yearly review of virus activity. The report contains information shedding light on 2002's more significant virus incidents, along with expert evaluations regarding the creation and spreading of malicious programs and Kaspersky Lab' forecasts for what is to come.

Contents:

Virus Review - 2002
General Overview
Different Types of Computer Viruses Making Waves in 2002
Network Worms
Viruses
Trojan Programs
Virus Threat Sources
Hoaxes
Useful Links

 

General Overview

The year 2002 saw 12 large scale and 34 lesser, yet significant virus epidemics that together formed a never-ending epidemic started in previous years ("Sircam", "Hybris", , "CIH", "BadtransII", "Thus" among others).

Over the course of the year malicious programs consistently penetrated new computer platforms and applications. As soon as the year began, within the span of two days, January saw the appearance of the "Flash-"LFM" and "Donut" - viruses. These were the first viruses to employ the .NET technology for spreading, however after the initial outbreak of both viruses proved to be no more than conceptual and subsequently accounted for not a single registered infection. The middle of March brought with it the appearance of the SQL-server infecting network worm "Spida" and "Benjamin". The later became the inspiration for a whole family of malicious programs that over the course of 2002 unabatedly attacked users of the KaZaA file-sharing network. Also under constant fire for the year were Linux users. The best refutation of the widely held opinion that the Linux operating system is immune to malicious programs was the "Slapper" worm that over several days managed to infect over 1,000 Linux systems worldwide. Not to escape a similar fate were FreeBSD users who in September suffered through fairly widespread attacks from the worm "Scalper".

We mustn't forget to mention the drastic growth of the so called commercial viruses that demonstrate a clear commercial purpose, namely the theft of confidential data, financial information, Internet access passwords or other likewise actions that lead to some kind of material loss for their victims.

The Most Widespread Malicious Programs

Without doubt the leader in the number of registered incidences for the year 2002 is the Internet worm "Klez". This virus was first detected on October 26, 2001 and to the current time has still not lost its place on the list of most widespread virus threats. Never before, in the history of "virology", has a malicious program been able to hold onto the highest position among the top 10 for such an extended period. Though, for the year 2002, only 2 of the 10 various forms of the Klez worm, were able to rise up to mass levels - "Klez.H" (detected April 17, 2002) and "Klez.E" (detected January 11, 2002). In general, 6 out of every 10 registered infections were attributed to "Klez".

The 10 Most Widespread Malicious Programs for 2002

Place

Name

%*

Circulation Index

1 I-Worm.Klez

61.22%

10.0

2I-Worm.Lentin

20.52%

3.4

3 I-Worm.Tanatos

2.09%

0.3

4 I-Worm.BadtransII

1.31%

0.2

5 Macro.Word97.Thus

1.19%

0.2

6 I-Worm.Hybris

0.60%

0.1

7 I-Worm.Bridex

0.32%

0.1

8 I-Worm.Magistr

0.30%

0.1

9 Win95.CIH

0.27%

0.1

10 I-Worm.Sircam 

0.24%

0.1

           

* general percentage representing the portion of registered incidences

The sheer scale and persistence of the "Klez" epidemic has no equal. Its closest pursuer is the Internet worm "Lentin". Despite lagging behind Klez over three times for the entire year in terms of number of registered infections for 2002, Lentin stands a real chance in 2003 to battle its way to the highest position on the podium. Data for the final three months of 2002 show Lentin already moving past Klez in number of registered incidents.

After this pair indicators for the remaining contestants look humble. Recently disturbing the peace was the "Tanatos" worm (also known as "Bugbear") whose virulent abilities raged only in October. After this it promptly joined the rest the leaders in the virus "hit parade" way down near the "X" axis, picturing the sudden and dramatic loss of Lentin's thunder.

It is interesting to note that the 4 highest places in the top 10 are taken by malicious programs that exploit the Internet Explorer IFRAME security breach. In total the viruses using this technique to propagate account for over 85% of all computer virus incidences. This circumstance underlines the importance of timely installations of software patches for this and other vulnerabilities. Once a patch is installed a user not only automatically protects his or her computer from the majority of current virus threats but also guarantees a defense against all similar viruses that may appear in the future.

Top 10-virus dissemination for 2002.

At the year's conclusion we witnessed an interesting tendency in the quality of the ingredients of the most widespread virus programs. If earlier, virtually 100% of all incidences were due to 1, 2 or maximum 3 viruses, then starting in September the situation radically changed. From this time we observe a so called diversification where all subsequent infections are caused by viruses not found in the "hit parade" - in December this indicator reached 62%. Thus shedding evidence on the fact that finally users turned their attention to the main threats and undertook the necessary measures for protection. This in itself reduced the number of incidents at the hands of the big guns such as "Klez", "Lentin" and "Tanatos". However the lowering of the total amount of infections from all viruses has not occurred. This allows us to conclude that the total number of other viruses has increased (for example "Bridex"). Separately, the share of damaged doled out by each virus is not particularly considerable, but in totality they are a significantly impressive force that presents a real threat for computer users.

Different Types of Computer Malware Making Waves in 2002

No less interesting is the picture depicting the spread of different malicious program types. Following the established tradition of dominant network worms, this situation held true up until September. The fourth quarter however clearly shows a trend in which network worms lose ground and computer viruses and Trojans gain. In December viruses steadfastly held the number 2 position at 31.3% with Trojans following with 16.6%. In contrast the totals for the year 2002 show worms at 89.1%, viruses at 7% and Trojans at 3.9%.

The above data shows users have begun to pay more attention to protecting email, the main source of network worms. Though the absolute and relative growth of other types of malicious programs affirms that users less and less regard them to be a source of real threat and therefore don't actively protect themselves. In actuality, the destructive activity of viruses and Trojan programs have as much negative impact on data security for home computers and they do in corporate networks. Therefore it is mandatory to further strengthen system defenses against viruses (particularly against macro-viruses) and Trojan programs. To solve this need we recommend employing additional information security technologies such as: behavior blockers, integrity checkers, and firewalls. The combination of these technologies in concert with traditional anti-virus scanners best minimizes the risk of infection from malicious programs. Additionally, this approach provides a sufficiently staunch immunity against unknown viruses and Trojan programs.

Spread of the major malicious program types in 2002.

2002 Malicious program types.

Network Worms

Network worms traditionally are predominated by email worms (most notably "Klez" and "Lentin") that utilize email as a main means of transport. It should be noted that more and more email worms use a direct method of connection with SMTP servers. This tendency sheds light on the fact that the traditional method of sending out worms (for example via Outlook or other mail clients) no longer enjoys a good chance of success. Manufacturers of email software have integrated into their programs anti-virus modules or special functionality that warns against unauthorized mailings of any data. Taking this into account virus writers more often use new methods to spread worms that get past this type of defense.

Other worm types appearing periodically on the graph that are worth mentioning are:

  • LAN-worms (2.5%), spread via local area networks
  • P2P-worms (1.7%), spread via Peer-to-Peer networks (such as KaZaA)
  • IRC-worms (0.2%), spread via IRC channels (Internet Relay Chat)

The most widespread network worm types.

Viruses

Among the most notable in 2002 regarding computer viruses, macro-viruses appeared the most (56.1%). It is worth noting the macro viruses "Thus", "TheSecond", "Marker" and "Flop". These macro viruses all target the word processing program Microsoft Word and have been in existence less than one year. Macro viruses were the cause of epidemics many years ago before falling silent only to resurface in impressive fashion this past year. The resurgence of macro viruses can be largely attributed to users as a whole, who were sure macro viruses had ceased to be a threat, letting their guard down.

Falling back a bit were Windows viruses (40.9%); the most infectious of which were "Elkern", "CIH", "FunLove" and "Spaces". For 2002, script viruses were practically insignificant as a group (2.7%) as well as other malware types of this class (0.3%).

The most widespread computer virus types.

Trojan Programs

Most consistently appearing in the list of the most widespread malicious program types were "Trojans", though they never occupied the upper echelons of the list. Though in the final quarter of the year they seemingly tried to make up for lost time and in December reached as high as 16.6%.

The Trojan program category is clearly led by unauthorized administration utilities, backdoor access programs (representing 54% of the year's Trojans) that allow mal-intended individuals to imperceptibly remotely control infected computers. More than twice less frequent to appear were PSW-trojans (17.9%) - malicious programs designed to steal for illegal exploit system information and access passwords (such as to the Internet or Internet resources). The remaining Trojan programs (28.1%) are other types that are sent out to perform various specific tasks on victim computers.

The most widespread Trojan program types.

Virus Threat Sources

Despite changes in the overall picture of most widespread types of malicious programs, the undisputed leader among main virus threat sources remains email, which claimed 96.4% of all registered incidences. Other main virus sources trailing email are the Internet at 2.3% (Web-sites, FTP-sites, P2P-networks, IRC-channels, etc.), and portable media at 1.3% (disks, CD-ROM, magnetic disks etc.). It is a proven fact that email is exploited as a tool for spreading by not only network worms but also by viruses and "Trojans" as well. The difference is network worms have self-spreading functionality and can actively spread themselves, while viruses and Trojan programs spread passively and need to be sent out manually by virus writers or infected users.

Main virus threat sources for 2002.

Hoaxes

Any threat can be can give rise to either intentional or unintentional speculation. "Fear takes molehills for mountains" - this saying very well describes an interesting phenomenon - computer virus hoaxes. Such hoaxes involve the spreading of false rumors concerning the appearance of new, highly dangerous computer viruses. The main idea behind these rumors, which are themselves a virus form, is to scare computer users into urgently spreading messages (often entailing a warning and advice), to all there friends and family members. Obviously computer virus hoaxes do not bring any direct harm to individual computers, however they clog computer networks with useless traffic, unnecessarily alarm users and discredit people who mistakenly believe the hoaxes.

2002 proved to be no exception with computer users regularly passing around both old and new virus hoaxes. The most notable virus hoaxes for 2002 were "JDBGMGR", "Ace-?", "SULFNBK", "Virtual Card for You", "California IBM" and "Girl Thing".

Users can check out a manual designed to explain virus hoaxes here.

More detailed information about computer virus hoaxes can be found in the Kaspersky Virus Encyclopedia.

Useful Links

Year-end Virus Review - 2001