
Malware Evolution 2006: Executive Summary

Kaspersky Lab, a leading developer of secure content management systems, presents its annual report on virus evolution in 2006. The report contains information about major virus-related incidents in 2006, an analysis of specific trends and Kaspersky Lab analysts’ forecasts for the future.

Year End Results

The trends seen in malware evolution in previous years continued throughout 2006; as usual, Trojans were far more numerous than worms, and the number of new malicious programs designed to inflict financial damage increased.

In 2006 Trojans made up more than 90% of all new malware programs (both new families and new variants).

Class      Share of new malware, end of 2006   Change vs 2005 (percentage points)
TrojWare   91.79%                              +2.79
VirWare     4.70%                              -1.30
MalWare     3.51%                              -1.49

Breakdown of malicious programs by class at the end of 2006.

The number of Trojan programs has been rising steadily for several years, because they are relatively easy to write and to put to use for stealing information, building botnets and sending spam.

Among the most notable trends of 2006 was a steady increase in the number of Trojan spy programs written to steal the account credentials of online-game players. Another was the continued evolution of Trojans that encrypt user data: such programs began to use professional cryptographic algorithms rather than home-made ones.

Programs classified as Trojan-PSW, most of which are meant to steal user account information from the players of online games, achieved the highest growth among all programs classified as TrojWare (+125%).

The share of worms and viruses (classified as VirWare) fell by 1.3 percentage points, a much smaller decrease than the 6.53 points lost in 2005, simply because the class's share was already very low. VirWare is not expected to keep declining; rather, it is likely to settle at an equilibrium.

In terms of the MalWare category, the most important factor in 2006 was an increased focus on MS Office by virus writers, and the consequent appearance of a large number of exploits for MS Office.

Another very significant event was the appearance of the first “real” viruses and worms for MacOS as well as Trojans for the J2ME mobile platform. These last were designed to steal money from mobile user accounts.

Overall, the number of new malicious programs rose 41% from 2005.

Virus writers focused more actively on nonstandard infection vectors: instant messaging (IM) programs such as ICQ, AOL Instant Messenger and MSN Messenger became some of the most dangerous Internet-based applications. This is directly connected with the large number of vulnerabilities in popular browsers, primarily Internet Explorer: an IM worm commonly sends a link rather than a file, and the web page behind the link exploits the browser.

Overall, it was an interesting year from a technical point of view, and happily it passed without a single global epidemic on the scale of those seen in 2005, such as Mytob. Instead, global epidemics were to some extent replaced by local epidemics aimed at specific regions (China, Russia, etc.) or by extremely short-lived bursts of activity.

In 2006 seven major virus epidemics were recorded, half the number recorded in 2005. They fall into four groups: those caused by Nyxem.e, by Bagle variants, by Warezov variants, and by several variants of the ransomware Trojan Gpcode.

The Top Ten malicious programs in email traffic, 2006.

Position   Name                            Change in position*
1          Net-Worm.Win32.Mytob.c          0
2          Email-Worm.Win32.LovGate.w      +4
3          Email-Worm.Win32.NetSky.b       +2
4          Email-Worm.Win32.NetSky.t       New
5          Email-Worm.Win32.Nyxem.e        New
6          Email-Worm.Win32.NetSky.q       -4
7          Net-Worm.Win32.Mytob.u          +2
8          Net-Worm.Win32.Mytob.t          +7
9          Net-Worm.Win32.Mytob.q          -1
10         Email-Worm.Win32.Scano.gen      New
* Compared to 2005 rankings.

Most important changes from 2005

In 2006 the antivirus industry faced a number of new problems and threats. More and more malicious programs were clearly being written for criminal profit. There was a clear increase in malware aimed at platforms previously considered relatively safe, such as online games and social networking sites (blogs and forums). Millions of users of popular game networks such as World of Warcraft and Lineage were targeted by Asian virus writers looking to steal the credentials used to access player accounts, and the largest blogging communities were regularly subjected to attempts to spread viruses and Trojans via blog posts.

In the absence of new critical vulnerabilities in Microsoft Windows system services, hackers and other malicious users turned their attention to other popular software: Microsoft Office and Internet Explorer. Word, Excel and PowerPoint all fell victim. Over the course of the year more than two dozen Office vulnerabilities came to light, and every one of them was made public before Microsoft had released a patch, i.e. each was exploited as a zero-day.

Malicious users took a major step in 2006 when they started encrypting user files in order to extort money from victims. In 2005 such programs had limited effectiveness because they relied on primitive, home-made encryption algorithms that analysts could reverse and undo. In 2006, however, these programs employed professional cryptographic algorithms, RSA among them. Used correctly, public-key encryption means the files cannot be recovered from the malware itself, since only the extortionist holds the private key; the remaining shortcuts are implementation mistakes or a key short enough to be factored.
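Why the 2005-era schemes gave analysts a way out, as an added example that is not from the report and not taken from any real Gpcode sample: a repeating-key XOR cipher stands in for the "primitive DIY algorithms" the report mentions, and the key, the file-header table and the sample files below are all constructed. Because every encrypted file starts with a predictable magic number, the first few plaintext bytes are known, and XORing them against the ciphertext hands over the key for every file at once. When each file key is instead wrapped under an RSA public key, the same known plaintext yields at most that one file's key and nothing about the others.

```python
"""Known-plaintext key recovery against a repeating-key XOR "DIY" file cipher.

Added example: the cipher, key and sample files are constructed stand-ins,
not code or data from any actual ransomware family.
"""

# Magic bytes an analyst can assume at the start of common file types.
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",   # 8 bytes
    ".zip": b"PK\x03\x04",           # 4 bytes (also .docx, .jar, ...)
    ".pdf": b"%PDF-",                # 5 bytes
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The toy 'DIY' cipher: XOR every byte with a short repeating key.
    Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(samples, key_len: int):
    """Merge known-plaintext key bytes from several encrypted files.

    samples: list of (ciphertext, known_plaintext_prefix) pairs.
    Returns the full key, or None if some key position was never observed
    (known prefixes too short for this key length).
    Raises ValueError when two observations disagree about a key byte,
    which means key_len or one of the header guesses is wrong.
    """
    key = [None] * key_len
    for ct, kp in samples:
        for i in range(min(len(kp), len(ct))):
            pos, val = i % key_len, ct[i] ^ kp[i]
            if key[pos] is not None and key[pos] != val:
                raise ValueError(f"inconsistent key byte at position {pos}")
            key[pos] = val
    if any(b is None for b in key):
        return None
    return bytes(key)


def guess_key(samples, max_len: int = 32):
    """Try increasing key lengths; the shortest length on which every known
    header agrees and every key byte was observed is the recovered key.
    Returns (key_len, key) or None."""
    for key_len in range(1, max_len + 1):
        try:
            key = recover_key(samples, key_len)
        except ValueError:
            continue
        if key is not None:
            return key_len, key
    return None


if __name__ == "__main__":
    secret = b"GP06"  # constructed key; the victim never sees it
    files = {
        ".png": KNOWN_HEADERS[".png"] + b"...constructed image payload...",
        ".zip": KNOWN_HEADERS[".zip"] + b"...constructed archive payload...",
    }
    encrypted = {ext: xor_repeating(data, secret) for ext, data in files.items()}

    # The analyst only has the encrypted files and the header table.
    samples = [(encrypted[ext], KNOWN_HEADERS[ext]) for ext in encrypted]
    key_len, key = guess_key(samples)
    print(f"recovered {key_len}-byte key {key!r}")
    for ext, ct in encrypted.items():
        assert xor_repeating(ct, key) == files[ext]
    print("all files decrypted without the extortionist's cooperation")
```

The consistency check in recover_key is what makes the header guesses safe to use: a wrong key length or a misidentified file type shows up as a contradiction rather than a silently wrong key, and a header shorter than the key returns None so the analyst knows to add another sample.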

As antivirus technologies improve, virus writers are having to be more inventive about evading security solutions. The overwhelming majority of new malicious programs use one or more methods of packing their code, which makes the files harder for virus analysts to examine. Encryption and garbage code are increasingly used to hinder analysis as well.

The changes described above, when taken together with the new tendency for large-scale, short-term, localized epidemics, mean that antivirus companies are under pressure to respond faster to these types of threats.


What to Expect in 2007

Based on the information presented above, in 2007 we expect virus writers to continue to rely on Trojans that steal user information. Users of online banking and payment systems, as well as players of online games, will remain the main targets.

The symbiosis between virus writers and spammers will result in infected computers being used to conduct new epidemics, targeted attacks and spam mailings.

Email and browser vulnerabilities will remain the chief infection vectors used to penetrate computer systems. Direct port attacks will be less common and will depend on whether critical vulnerabilities are found in Windows services. Using P2P networks and IRC channels to spread malicious programs is likely to be viable only for local attacks (for example, the Winny P2P client, which is very popular in Japan, may become a serious problem for Asian users in 2007). IM applications will remain among the top three infection vectors, but we do not expect their share to grow significantly.

Overall, epidemics and virus attacks will become more clearly geographically defined. For example, Asia will see mainly Trojans and worms with virus functionality, while the majority of malicious programs in Europe and the US will be Trojan spy programs and backdoors. Latin America will continue to suffer from a wide range of Trojans targeting banking information.

Vista, Microsoft's new operating system, will undoubtedly play a deciding role in 2007. Vista itself and the vulnerabilities found in it will shape the evolution of malicious code over the next few years. Although major changes are unlikely in the near term, this new product will definitely set future trends.

Malicious programs will continue to use technical innovations and ways to mask their presence in infected systems. New polymorphic methods, “garbage code” and rootkit technologies will become more widespread and will ultimately become standard for most new malicious programs.

There will also be a significant increase in the number of malicious programs for other operating systems, first and foremost MacOS, and then *nix systems. Malicious users are also likely to examine the possibilities of malicious code for gaming consoles such as PlayStation and Nintendo more closely. The ever-increasing number of such devices, and their new ability to communicate with each other and with the Internet, may attract the attention of virus writers. For now, however, such attacks will be limited to proof of concept and vandalism. Viruses for "non-computers" may see a breakthrough in 2007, although this is not very likely, and any such breakthrough would probably amount to a large number of proof-of-concept programs.

The number of targeted attacks on mid-sized and large businesses will increase. In addition to traditional information theft, these attacks will be designed to extort money from the victim organizations, including by demanding a ransom in exchange for decrypting data. MS Office files, and the vulnerabilities in that product, will serve as one of the main infection vectors.

Further details are available in Kaspersky Lab's annual analytical report (www.viruslist.com).

Copyright © 1997 - 2009 Kaspersky Lab. All rights reserved.