Malware Trends in 2004

24 Dec 2004
Virus News


This year's record holders for damage caused are certainly Mydoom.a (February 2004) and Sasser.a (May 2004). The most important change in the malware world was the criminalization of the Internet, with malicious code writers and hackers migrating to the creation of bot networks to support spammers. On the other hand, antivirus companies have become more responsive, while law enforcement agencies worldwide have finally focused their efforts on cyber crime. 2004 was a record year for arrests of cyber criminals.

  • AdWare (advertising systems) becomes one of the biggest security headaches;
  • Email traffic is clogged with spam, and in most cases it is impossible to work with email without anti-spam filters;
  • Successful attacks on Internet banks;
  • Numerous cases of Internet racket (DDoS attacks with consequent extortion);
  • Antivirus companies include protection from AdWare in their products;
  • The fastest response to new malware threats becomes the main criterion for evaluating antivirus vendors;
  • A lot of different anti-spam solutions appear; using such solutions is the de facto standard for mail service providers;
  • Successful investigations and arrests (about 100 hackers arrested, three of whom were on the FBI top 20 most wanted list).

Malware developments in 2004

Each generation of malware (malicious software) writers stands on the shoulders of the previous one. It's no surprise, therefore, that the seeds of development in malware that have come to fruition in 2004 were actually sown in the previous year. Lovesan 'popularized' the use of system exploits to infect vulnerable machines directly over the Internet and included in its 'back pocket' a Distributed-Denial-of-Service (DDoS) attack (on the Windows update server). Sobig.f broke all previous records (at its height, one in ten emails were infected with Sobig) by using spam techniques to spread. It also pioneered the 'slow burn': each new variant of the worm created a network of infected machines that were used as a platform for a later epidemic. When Swen appeared in September 2003, it seemed to be just another mass-mailer. However, it succeeded through 'social engineering'. Social engineering is just a fancy way of describing a non-technical breach of security that relies on human interaction: in the case of viruses and worms, it means tricking unsuspecting users into running an infected attachment. Swen masqueraded as a cumulative Microsoft patch designed to patch all vulnerabilities, manipulating users' growing awareness of the need to secure their operating system from attack.

These techniques have been continued, and further developed, by successive threats in 2004.

The use of system exploits to get a foothold in the corporate network and spread rapidly has now become commonplace, as writers of malicious code have woken up to the potential 'helping hand' provided by vulnerabilities in common applications and operating systems. Some threats in 2004, like Sasser, Padobot and Bobax, have used the system exploit as their sole attack mechanism, spreading directly over the Internet from machine to machine, avoiding the use of 'traditional' virus techniques altogether. Others, among them Plexus and the numerous Bagle, Netsky and Mydoom variants, have combined the use of system exploits with other infection methods (for example, mass-mailing and the use of network resources, including P2P networking).

Many of today's most successful threats (successful from the author's perspective that is) are a composite 'bundle' that includes different kinds of threat. And increasingly this 'bundle' includes a Trojan of one kind or another. Typically Trojans are dropped onto the system by a virus or worm. Since Trojans don't have their own on-board replication capability, they're often perceived as being less dangerous than viruses or worms. Yet their effects can be dangerous and far-reaching. They're not only becoming more sophisticated. They're being put to an increasing number of malicious uses.

The 2004 New Year celebrations had hardly ended before the appearance of the Trojan proxy Mitgleider set the scene for the coming year. Thousands of ICQ users received a message with a link directing them to a web site containing this Trojan. Mitgleider used one of two Microsoft Internet Explorer vulnerabilities to install and launch a proxy server on the victim machine without the user's knowledge. It then opened a port on the machine, allowing it to send and receive email. The result was that victim machines were turned into an army of spam-spewing 'zombies'. Mitgleider established Trojan proxies as a separate class of malware closely linked to the distribution of spam. It also set a trend with the mass-mailing of links to infected web sites.

Most of the significant threats that followed Mitgleider have made use of Trojans. Bagle, a worm that seems to have been written by the same coders that produced Mitgleider, either installed a Trojan proxy or downloaded it from the Internet. In effect, the worm was simply an improved version of Mitgleider that included propagation by email. Bagle was distributed from machines infected by Mitgleider. This highlights another important feature of 2004 threats: the use of Trojan programs to 'seed' computers in the field as a platform for a later epidemic. This technique was used to great success not only by Bagle, but also by Netsky, Mydoom and other significant threats. As each successive variant of these worms was released, it increased the number of infected machines: once 'critical mass' was reached, there was a new epidemic. This was the principal factor behind the success of Mydoom, which outdid Sobig to become the biggest epidemic that we've seen to date. Mydoom is also a good illustration of the point made earlier about malware 'bundles'. It used a clever piece of social engineering, set up a DDoS attack that crashed the SCO web site for months, and dropped a backdoor Trojan onto victim machines that was used by many copycat threats that followed in its wake.

2004 witnessed a battle between rival malicious code writers. Netsky didn't simply infect victim machines; it deleted any existing infection by Mydoom, Bagle and Mimail worms. On top of this, the authors of Netsky instigated a war of words with rival authors of Bagle. At its height, several new variants of both worms appeared daily, complete with insults embedded within the code.

Bagle and Netsky authors also pioneered the use of password-protected ZIP archives as infected attachments, in a clear attempt to make them difficult for gateway scanners to detect. The body of the email contained the password, either in plain text or as graphics, so users had all they needed to open the archive and launch the infected attachment.
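The gateway check a practitioner would want against this trick, as an added example that is not code from the original article or from any of the products it mentions: an encrypted ZIP hides the member contents from a scanner, but the ZipCrypto format used by these worms leaves every member name in the clear in the central directory, so a mail gateway that only blocks bare EXE and SCR attachments can still see "document.exe" inside the archive and hold the mail. The script hand-builds a minimal ZIP as constructed test data (the encryption flag is set and the payload masked; it is a stand-in, not a real ZipCrypto implementation), builds a constructed lure message with the password in the body, and applies the rule. The sender and recipient addresses, the password regex and the blocked-extension list are assumptions for the example.

```python
import email
import io
import os
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# Attachment extensions a typical gateway of the period blocked outright.
# Inside an encrypted ZIP the member *contents* are opaque, but ZipCrypto
# leaves every member name in the clear in the central directory, so a
# gateway can still see "document.exe" without knowing the password.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Matches a plain-text password hint in the body ("Password: 12345");
# a password delivered as an image, as Bagle also did, will not match.
PASSWORD_HINT = re.compile(r"password\s*(?:is|:)\s*(\S+)", re.IGNORECASE)


def build_zip(members, encrypted):
    """Hand-build a minimal stored (method 0) ZIP as constructed test data.

    members is a list of (name, data). With encrypted=True the general-purpose
    flag bit 0 is set and the payload is replaced by opaque bytes (a 12-byte
    header plus XOR-masked data), which is all a header-only scanner sees.
    This is a stand-in for real ZipCrypto, not an implementation of it.
    """
    flags = 0x0001 if encrypted else 0x0000
    local, central = bytearray(), bytearray()
    for name, data in members:
        raw = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        payload = (b"\x00" * 12 + bytes(b ^ 0x5A for b in data)) if encrypted else data
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(payload), len(data), len(raw), 0) + raw + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                               0x21, crc, len(payload), len(data), len(raw),
                               0, 0, 0, 0, 0, offset) + raw
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def inspect_attachment(filename, blob):
    """Report whether an attachment is a ZIP, whether any member is encrypted,
    and which member names would have been blocked as bare attachments."""
    finding = {"attachment": filename, "is_zip": False,
               "encrypted": False, "blocked_members": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return finding
    finding["is_zip"] = True
    for info in archive.infolist():
        if info.flag_bits & 0x1:          # bit 0 of the flags: entry is encrypted
            finding["encrypted"] = True
        if os.path.splitext(info.filename)[1].lower() in BLOCKED_EXTENSIONS:
            finding["blocked_members"].append(info.filename)
    return finding


def inspect_message(raw):
    """Parse a raw RFC 5322 message; return (password hint or None, findings)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    match = PASSWORD_HINT.search(text)
    findings = [inspect_attachment(part.get_filename() or "", part.get_payload(decode=True))
                for part in msg.iter_attachments()]
    return (match.group(1) if match else None), findings


def should_quarantine(hint, findings):
    """Gateway rule: hold any encrypted archive that carries a blocked member
    name, or whose password is handed to the recipient in the same mail."""
    return any(f["encrypted"] and (f["blocked_members"] or hint is not None)
               for f in findings)


def build_sample_message():
    """Constructed lure in the Bagle/Netsky style: password in the body,
    executable inside an encrypted ZIP. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content("Your document is attached. Password: 12345")
    archive = build_zip([("document.exe", b"MZ" + b"\x90" * 64)], encrypted=True)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    hint, findings = inspect_message(build_sample_message())
    print("password hint in body:", hint)
    for f in findings:
        print(f)
    print("quarantine:", should_quarantine(hint, findings))
```

The rule deliberately does not try to open the archive with the password it found: a scanner that depends on recovering the password loses the moment the password arrives as a picture. The member name and the encryption flag are enough to make the decision.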

The technique of mass-mailing an infected attachment, so successful since it was first used by Melissa in March 1999, has been used by many of the major threats since then. However, there are alternative methods. One we've already discussed: Internet worms like Lovesan, Welchia and Sasser infect directly, using system exploits. One important alternative that has become common in 2004 is the use of links to direct users to a web site containing malicious code. The Mitgleider Trojan proxy, discussed earlier, is not the only threat that has used this technique: it has also been used by a number of worms.

Netsky, for example, spread by sending an email containing links to previously infected machines. It was followed by Bizex, the first ICQ worm. Bizex spread via ICQ, sending every ICQ contact found on the newly infected machine a link to a site where the body of the worm was hosted. Once users clicked on the link, the body of the worm was downloaded from the infected web site and the cycle started all over again. Snapper and Wallon later used the same technique, but used it to download Trojans that the author had placed on the web sites.

So far, emails containing links have not been treated with suspicion by recipients, many of whom are much more likely to follow a link than they are to double-click an attachment. In addition, this method effectively 'skips over' the perimeter defenses deployed at the Internet gateway by many enterprises: they are configured to block suspect extensions (EXE, SCR, etc.), but emails containing links slip through unnoticed. Undoubtedly, this method will continue to be used until users learn to treat links sent via email with the same caution that many now show email attachments.

We've seen a significant increase in the numbers of Trojan spies, designed to steal confidential financial data. Dozens of new variants appear every week, often different in both form and function. Some of them are simple keystroke loggers that use email to send all keystrokes to the author or controller of the Trojan. The more elaborate Trojan spies provide total control over victim machines, sending data streams to remote servers and receiving further commands from these servers.

This total control over victim machines is often the goal for Trojan writers. Infected machines are frequently combined into 'bot' networks, often using IRC channels or web sites where the author puts new commands. The more complex Trojans, like many Agobot variants, combine all infected machines into a single P2P network. Once these bot networks have been constructed, they are leased out for spam distribution, or used in DDoS attacks (like those carried out by Wallon, Plexus, Zafi and Mydoom).
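A detection a SOC would want for the IRC-controlled bot networks described above, as an added example that is not code from the original article: when a new worm variant seeds a batch of machines, the bots all join the same channel on the same server within a short time, whereas legitimate IRC use from a corporate network is a handful of hosts spread across the day. The script parses a constructed IDS log (sample lines written for this example, not real traffic; the servers are documentation addresses and the channel names are invented), records the first JOIN per internal host so that reconnects count once, and flags any (server, port, channel) joined by at least a threshold of distinct hosts inside a time window. The log format, the thresholds and the burst heuristic itself are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IDS log (not real traffic): one line per outbound TCP flow,
# with the first IRC command seen in the payload. Internal hosts are in
# 10.0.0.0/8; the servers use documentation address ranges.
SAMPLE_LOG = """\
2004-11-02T03:14:05 10.0.3.17:1044 -> 198.51.100.9:6667 JOIN #ctrl-x
2004-11-02T03:14:06 10.0.3.22:1101 -> 198.51.100.9:6667 JOIN #ctrl-x
2004-11-02T03:14:08 10.0.5.8:1033 -> 198.51.100.9:6667 JOIN #ctrl-x
2004-11-02T03:14:09 10.0.7.41:1202 -> 198.51.100.9:6667 JOIN #ctrl-x
2004-11-02T03:14:12 10.0.3.17:1045 -> 198.51.100.9:6667 JOIN #ctrl-x
2004-11-02T09:01:44 10.0.9.2:2210 -> 192.0.2.77:6667 JOIN #linux-help
2004-11-02T09:02:10 10.0.9.3:2211 -> 192.0.2.77:6667 JOIN #linux-help
"""

# Assumed log line layout: "<iso timestamp> <src>:<port> -> <dst>:<port> JOIN <#channel>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) JOIN (?P<chan>#\S+)$"
)


def parse_joins(log):
    """Yield (timestamp, src_host, dst_host, dst_port, channel) per JOIN line;
    lines that do not match the expected layout are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["port"]), m["chan"])


def find_bot_channels(log, min_hosts=3, window_seconds=300):
    """Return {(server, port, channel): {"hosts": [...], "span_seconds": n}}
    for channels joined by at least min_hosts distinct internal hosts whose
    first joins all fall within window_seconds of one another."""
    first_join = defaultdict(dict)            # key -> {host: first join time}
    for ts, src, dst, port, chan in parse_joins(log):
        first_join[(dst, port, chan)].setdefault(src, ts)   # reconnects count once
    flagged = {}
    for key, hosts in first_join.items():
        times = sorted(hosts.values())
        span = (times[-1] - times[0]).total_seconds()
        if len(hosts) >= min_hosts and span <= window_seconds:
            flagged[key] = {"hosts": sorted(hosts), "span_seconds": span}
    return flagged


if __name__ == "__main__":
    for (server, port, chan), info in find_bot_channels(SAMPLE_LOG).items():
        print(f"{server}:{port} {chan}: {len(info['hosts'])} hosts joined "
              f"within {info['span_seconds']:.0f}s -> {info['hosts']}")
```

The two parameters are the trade-off: a low host threshold catches a small first wave but also catches a team joining a support channel after a meeting, so the window is what separates the two in practice. On the sample log the control channel is flagged with four hosts joining inside four seconds and the support channel is not; lowering the threshold to two flags both.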

We're also seeing large numbers of Trojan droppers and Trojan downloaders. Both have one goal: to install an additional piece of malware on the victim machine, whether it's a virus, a worm or another Trojan. They simply use different methods to achieve their goal.

Droppers contain additional malicious code. They either install another malicious program or a new version of some previously installed malware. They may carry several completely unrelated pieces of malware; different in behavior and even written by different coders. In effect, they're a kind of malware archiving program that can compress many kinds of different malicious code. Droppers are often used to carry known Trojans, since it is significantly easier to write a dropper than a brand new Trojan that antivirus programs will not be able to detect. Most droppers are written in Visual Basic Script (VBS) or JavaScript (JS), the reason being that they're easy to write and can perform multiple tasks.

Virus writers often use downloaders in the same way as droppers, although they can be more useful to them than droppers. First, downloaders are much smaller than droppers. Second, they can be used to download endless new versions of the targeted malware. Like droppers, downloaders are usually written in script languages such as VBS and JS, but they also often exploit Microsoft Internet Explorer (IE) vulnerabilities.

Droppers and downloaders are used not only to install other malicious code. They're also used to install non-viral adware or pornware programs without the knowledge or consent of the user. Adware refers to programs that show advertisements, often banners, independently of user activity. Pornware refers to dialers installed without the knowledge or consent of the user that automatically dial pornographic pay-to-view sites.

The use of Trojan programs to steal passwords, to access confidential data, to launch DDoS attacks and to distribute spam email highlights a key change in the nature of the threat landscape: its increasing commercialization. It's clear that the computer underground has realized the potential for making money from their creations in a wired world. This includes the use of 'zombie' machines leased to the highest bidder as a platform for spam distribution. Or the use of extortion, where the same 'zombie' machines are used to launch a 'demonstration' DDoS attack on a victim as a way of extorting money [pay up or we'll take down your site with a full-scale DDoS attack]. In addition, there's theft of login information. And the use of 'phishing' scams to trick users into providing their bank details (username, password, PIN number, etc.).

2004 has also seen the launch of a series of threats specifically targeting wireless devices. Cabir, the first virus for mobile phones, appeared in June. This was a proof-of-concept virus produced by the virus-writing group 29A, although the virus was later reported in the field in the Far East. This was followed by the Duts virus in July (another creation of 29A) and the Trojan Brador in August, both aimed at Pocket PC. The number of wireless devices used within the corporate world is increasing. In particular, the use of handheld devices - PDAs and smart phones - is growing significantly and with it the use of wireless technology of one sort or another (802.11b, Bluetooth, etc.). These devices are quite sophisticated. They run IP services, offer web access and are hooked up to corporate networks. They also provide users with the ability to connect remotely to other devices and networks. Unfortunately, they're intrinsically less secure, operating outside the reach of traditional network security safeguards. And as they start to carry more and more valuable corporate data, wireless devices and wireless networks are likely to become a more attractive target for the writers of malicious code.

Furthermore, 2004 has also been significant for the number of arrests of malicious code writers. In February, the Belgian virus writer Gigabyte was arrested. In May, two virus writers were arrested in Germany. The first was Sven Jaschan, who admitted to writing Sasser and some Netsky variants. A second coder was arrested for creating the numerous Agobot/Phatbot worm families. These arrests followed the announcement by Microsoft of bounties for information leading to the arrest of virus writers.

In July, a Hungarian teenager, 'Laszlo K', was found guilty of distributing the Magold.a worm that became widespread in Hungary during May 2003. He was sentenced to two years' probation and ordered to pay court costs of $2,400. In the same month, a computer engineer from Spain was arrested and tried for distributing the Cabrotor Trojan: Oscar Lopez Hinarejos was sentenced to two years in prison. There were other arrests in the same month in Taiwan, Canada and Romania.

In August, Jeffrey Lee Parson, a teenager from Minnesota, pleaded guilty to damaging computers by creating the Lovesan.b worm.

The fast spread of viruses and worms during the last few years has clearly demonstrated the global nature of the threat. Increasingly, however, law enforcement is becoming a global phenomenon too, with government authorities from various countries collaborating to bring malicious coders to justice. One example of how successful such joint operations can be is the arrest of 28 people in October in connection with identity theft in six countries. The operation involved the US Secret Service, the UK National Hi-Tech Crime Unit, the Vancouver Police Department's Financial Crimes Section (Canada), the Royal Canadian Mounted Police, Europol and police agencies in Belarus, Poland, Sweden, The Netherlands and Ukraine.

More recently, a Russian phisher was arrested in Boston and charged with multiple counts of fraud, identity theft and the use of credit card scanning devices.

So, what does the future hold? Well, we're likely to see 'more of the same'. As long as the techniques outlined above prove successful in attacking PC users, the writers of malicious code will continue to use them. This includes tried-and-tested methods like mass-mailing and the use of system exploits to attack vulnerable computers, and the widespread use of Trojans to steal data or as a platform for DDoS attacks or spam distribution. It also includes techniques pioneered this year, like the use of links in emails to download malicious code from a web site. The key factor is that these methods have proved successful, both for the writers of malicious code and for those who pay them to create code that can be used to make money illegally. Of course, they will continue to tweak their creations, adding new features to make them even more effective, or new 'self-defence' mechanisms to make them less easy to detect and remove. As in the past, some malware authors will continue to break new ground. In particular, they're likely to target the growing numbers of wireless devices that are increasingly used by enterprises and users alike.

For the latest in malware developments, check out


Eugene Kaspersky
David Emm
Aleks Gostev
Marc Blanchard