2001: The Year in Review

Kaspersky Lab presents a year-end review of events taking place in anti-virus safety

In 2001 anti-virus companies achieved a number of definite successes, both in developing new anti-virus technologies and in refining the existing defenses against malicious programs. Despite these achievements, the year also saw a further increase in the number of users who suffered from virus attacks.

The rapid development of information technology (IT) has its pluses and minuses. On one hand, IT increases the effectiveness and efficiency of communication, developing documents, completing financial transactions, and in general has a very positive effect on conducting business. On the other hand, the continuing development of IT attracts even more new users, with the majority having only a superficial understanding of proper computer safety guidelines and rules. Because of this, even the most primitive malicious program can be enough to cause a global epidemic, such as with the "Kournikova" virus. These factors are the main reason for the worsening conditions in the anti-virus defense area.

Not a month of 2001 passed without a new virus epidemic infecting computer systems in various countries. It is important to note that this is driven by virus writers actively devising new methods for penetrating computers, which further increases the number of virus incidents.

The following is a brief checklist of 2001 developments in the area of anti-virus safety:

  • The widespread distribution of malicious programs exploiting breaches and holes in software safety systems;
  • E-mail and the Internet solidified their positions as the most dangerous sources of malicious programs;
  • The emergence of other popular channels - ICQ, Gnutella, MSN Messenger, IRC - for spreading malicious programs;
  • The increase in malicious programs for Linux;
  • The appearance of "fileless" network worms;
  • The predominance of Windows network worms, and the sharp decrease in script- and macro-viruses on the list of the most widespread malicious programs.

Safety System Errors

A breach is an error in an ordinary software program through which a malefactor is able to imperceptibly get malicious code onto a computer.

The danger inherent in this type of virus is that it is activated automatically and virtually independently of the user. For example, to be infected by Nimda, a user simply needs to open a message containing the worm, or merely read it in the preview pane. CodeRed doesn't even require this - it independently locates vulnerable computers via the Internet and infects them.

The main event of 2001 was the widespread distribution of malicious programs that exploit breaches and holes in the safety measures of operating systems and applications in order to penetrate computers (examples of such viruses are CodeRed, Nimda, BadtransII, etc.).

According to Kaspersky Lab statistics, this type of malicious code has been responsible for 55% of the overall virus incidents occurring in 2001. This percentage speaks volumes for the necessity of adhering to the important anti-virus safety rules.

The particular attention paid by the computer underground to these breaches is perfectly understandable. While the traditional method of a virus penetrating a computer (the user personally starting up an infected file) is just as effective as it previously was, it is no longer so efficient in achieving a malefactor's designs. This is because the majority of users long ago realized the danger present in attached files. Therefore, many people simply prefer not to open such messages, asking the sender to instead send the information in the e-mail body. Taking this into consideration, virus writers began their search for new, more effective means of infecting computers, and they found this new means in safety system vulnerabilities, i.e., breaches.

In order to guarantee yourself protection against such malicious programs, it is imperative to combine the use of Kaspersky Anti-Virus with the installation of the special software patches closing the well-known breaches. These patches are available free of charge directly from the developers of the vulnerable software, and can be found at the corresponding company's Web site.

Kaspersky Lab recommends paying particular attention to the patches for MS Windows, MS Outlook, and MS Internet Explorer, as they are the software most susceptible to virus attacks via the above-mentioned breaches. In order to receive an announcement about an available patch in a timely manner, a user can simply subscribe to the mailing list of the appropriate software developer.

E-mail and the Internet - The Main Virus-Threat Sources

In 2001, according to Kaspersky Lab data, the number of virus attacks via e-mail, compared to 2000, increased by 5%, reaching 90% of overall virus-related incidents.

In conjunction with this, there has been a noticeable increase in the number of computers infected via the Internet. Whereas before the majority of infections were a direct result of a user downloading an unscanned file from a Web site and starting it up on his/her computer, today more and more infections occur during an intended or accidental visit to an infected site. This happens when a malicious program modifies one of the victim site's pages, so that a user browsing this page can be infected in two ways. The first occurs when a malefactor exploits a breach in the Web browser's safety system, most often in Internet Explorer; these breaches allow a computer to be imperceptibly infected the moment a compromised page is viewed. The second occurs when a user downloads a file that the page offers, and that file contains malicious code.

In 2001, it also became clear that many instant-messaging systems popular amongst users (ICQ, Instant Messenger) have inherent vulnerabilities that were used for spreading a whole string of malicious programs. For example, Gnutella, the file-sharing network, fell victim to the network worm Mandragore, and a very large number of worms have been written to spread via IRC.

Today's trend allows for the assessment that e-mail and the Internet will remain the most popular means for virus spreading. We must once again emphasize the importance of installing a reliable anti-virus defense for thwarting virus attacks via these sources.

Attacks on Linux Continue

2001 also saw the appearance of even more malicious programs targeted at the Linux operating system. The first sign of this was the Ramen network worm that was detected on January 19, and since that time, has struck a large number of corporate systems. Among the list of those falling victim to the Ramen worm were NASA, Texas A&M University, and Supermicro, a Taiwanese computer equipment producer.

Following this, the infection rate took on a flash-flood effect: Ramen clones appeared along with other original Linux worms, causing a similar amount of virus incidents.

Virtually all malicious programs for Linux exploit breaches in this operating system, and the widespread nature of these viruses demonstrates Linux's inability to withstand current and new threats. Considering Linux to be impenetrable, users have neglected the need to install Linux patches and anti-virus software at all. As a result, many users have also fallen victim to Linux worms.

The Linux situation would be even graver were the operating system not simply used on specialized servers, but were it also used as a workstation platform. Were Linux used as a workstation platform, the number of Linux users would increase many times over; thus, attracting the interest of an ever increasing number of virus writers creating malicious code for Linux.

You can read more about the Kaspersky Lab research into the problem of protecting Linux from viruses at this site.

"Fileless" Worms - The Next Call to Arms for the Anti-Virus Industry

One of 2001's most unpleasant surprises came in the form of detecting a new type of malicious code (CodeRed and BlueCode) able to actively spread and function on an infected computer without the use of a file. While in operation, such programs are present in the system memory only, and upon transfer to other computers, the programs are in the form of special data packets.

This peculiarity created serious problems for anti-virus developers, because traditional technology (anti-virus scanners and monitors) is incapable of effectively withstanding such a new threat. The standard defense algorithms thwarting malicious code are based on intercepting file operations. Kaspersky Lab was the first to remedy this problem by creating a special anti-virus filter that, in the background, checks all incoming data packets and deletes "fileless" worms.

The global epidemic caused by CodeRed (which according to some estimates has infected over 300,000 computers) confirmed the effectiveness of the "fileless" technology. It is important to note that even now, most computers have inadequate defense measures against this type of malicious code. Taking this into consideration, Kaspersky Lab believes next year will witness a repeat epidemic caused by new versions of "fileless" worms.
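The filtering idea described above, as an added example that is not Kaspersky Lab's code and makes no claim about how its filter actually worked: a small in-memory inspector that reassembles each connection's incoming segments and blocks an HTTP request whose request line is overlong, carries raw binary, or is malformed, which is the shape a server-side overflow payload typically takes. The MAX_REQUEST_LINE threshold, the (connection id, payload) segment model and the sample traffic are all constructed assumptions.

```python
"""In-memory filter for worm traffic that never touches a file (added example).

Assumed model, not from the page: each incoming TCP segment arrives as
(conn_id, payload), and the worm is carried in an HTTP request whose
request line is abnormally long or contains raw binary, which is what a
buffer-overflow payload aimed at a web server usually looks like.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Assumed threshold: legitimate request lines for the protected server
# stay well under this; tune it per deployment.
MAX_REQUEST_LINE = 1024

# METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def inspect_request(data: bytes) -> Verdict:
    """Judge one reassembled request by its request line alone.

    Checks are ordered so the cheapest and most decisive runs first: an
    overlong line is rejected before its individual bytes are examined.
    """
    line_end = data.find(b"\r\n")
    if line_end < 0:
        return Verdict(False, "no complete request line")
    request_line = data[:line_end]
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, f"request line too long ({len(request_line)} bytes)")
    if any(b < 0x20 or b > 0x7E for b in request_line):
        return Verdict(False, "non-printable bytes in request line")
    if not REQUEST_LINE_RE.match(data):
        return Verdict(False, "malformed request line")
    return Verdict(True, "ok")


def filter_stream(segments: Iterable[Tuple[str, bytes]]) -> Dict[str, Verdict]:
    """Reassemble segments per connection and decide each connection once.

    A decision is made as soon as the request line is complete, or as soon as
    the buffered bytes exceed MAX_REQUEST_LINE without a line terminator, so a
    payload split across many small segments cannot slip past the length check.
    A real filter would drop the connection on a blocked verdict.
    """
    buffers: Dict[str, bytes] = {}
    verdicts: Dict[str, Verdict] = {}
    for conn_id, payload in segments:
        if conn_id in verdicts:
            continue  # connection already decided
        buf = buffers.get(conn_id, b"") + payload
        buffers[conn_id] = buf
        if b"\r\n" in buf:
            verdicts[conn_id] = inspect_request(buf)
            del buffers[conn_id]  # nothing is retained, let alone written to disk
        elif len(buf) > MAX_REQUEST_LINE:
            verdicts[conn_id] = Verdict(False, "request line exceeds limit without terminator")
            del buffers[conn_id]
    return verdicts


# Constructed sample traffic: one benign request, one overlong request split
# across two segments, and one request with raw binary in the target.
SAMPLE_SEGMENTS = [
    ("A", b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    ("B", b"GET /" + b"X" * 800),
    ("C", b"GET /page\x90\x90\xeb\x03 HTTP/1.0\r\n"),
    ("B", b"X" * 700 + b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for conn_id, verdict in filter_stream(SAMPLE_SEGMENTS).items():
        state = "PASS" if verdict.allowed else "BLOCK"
        print(f"{conn_id}: {state} ({verdict.reason})")
```

The point of the design is that every decision is taken on bytes held in memory at the network boundary; a file-oriented scanner or monitor never gets a file operation to intercept, which is exactly the gap the "fileless" worms exposed.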

Windows Worms Make Their Entrance

In 2001, there has been a sharp change in the make-up of the most widespread malicious programs. From 1999-2000, the unquestionable leaders of all viruses were macro- and, a bit later, script-virus worms. However, at the beginning of this year, the situation began to change drastically, and already nearly 90% of registered cases of computer infection have been caused by Windows worms.

The reason for this about-face is the development of effective means for battling macro- and script-viruses: an anti-virus that can neutralize both existing and potential threats of this type. For example, Script Checker, the first background checker in the world to intercept script-viruses, was integrated into Kaspersky Anti-Virus in May 2000. Script Checker repelled all attacks by the various forms of the LoveLetter (ILOVEYOU) virus without any additional updates to the anti-virus database. This impressive result was achieved thanks to the unique heuristic technology created specifically for defending against unknown script-viruses.

For the fight against macro-viruses, Kaspersky Lab developed Office Guard, which provides 100% protection against these types of viruses. Unlike traditional anti-viruses, Office Guard does not search for virus signatures (fixed byte patterns), but rather emulates and analyzes macro-virus behavior, blocking any harm they could cause to a computer.

Government Control Over the Anti-Virus Industry?

In November, it became known that the FBI had developed a Trojan program for the tracking of suspects. This "classic" Trojan, christened Magic Lantern, intercepts all keystrokes a suspect makes, copying them to a secret file. Later, the received data can be used to decode and decrypt sent e-mail and provide evidence against said suspect or suspects.

On December 3, Paul Bresson, spokesman for the FBI, during an interview with the magazine Information Security, confirmed the development of the Magic Lantern Trojan. However, at the behest of the US government (or at least the strong "suggestion"), will anti-virus developers not include means for detecting such a Trojan in their software? McAfee and Symantec have already confirmed that they won't include detection measures for Magic Lantern - is this the beginning of a user exodus to other anti-virus products?

This type of move by the US government could be precedent setting. Theoretically, should this happen, other countries' governments could make similar demands of other anti-virus companies to not include means for detecting similar governmental spying Trojans. In this case, anti-virus security could completely get out of control. And sooner or later, as always happens, the original Magic Lantern could fall into the hands of malefactors, whose goal would be to use this program for their own ends. As a result, the world economy, heavily dependent on IT, could be paralyzed by a worldwide virus epidemic.

The Future Safety of the Worldwide Net

The worsening condition of the virus situation gives rise to pessimistic predictions in relation to Internet development. According to the England-based company MessageLabs, should the present tendency continue, by 2013, every second e-mail could contain malicious code.

There is the opinion that in order to get out of this difficult bind, a safe, parallel Internet must be created. This way of solving the problem could be complicated by the majority of users being unwilling to switch over to the new Net, and also by the possibility of malicious code "migrating" from the current Internet. According to Kaspersky Lab, the best solution is to introduce, step by step, new equipment and software into the current Internet technology, using only checked and certified information and data. Together with this, the most important aspect would be the issuing of a personal identification number to each user on the Net. This would help keep track of and stave off virus epidemics, and also help localize the creators of malicious programs and stop their actions.

Conclusion

Current trends allow for predicting the situation in virus development as it may occur in 2002. Unfortunately, there isn't any basis for absolute optimism. Kaspersky Lab believes that there will be an increase in the number and variety of virus epidemics in the coming year. First and foremost, this is dependent on the number of users, some of whom will be virus writers, and the others, their victims. The amount of malicious programs, varying in type, will also grow; and undoubtedly, their methods of penetrating computers will be improved.

In connection with this, Kaspersky Lab will continue developing the very latest defense technology that will reliably protect and defend computers and the Net from the rising virus-threat tide. For 2002, Kaspersky Lab plans to release new virus technologies that will make our users even more secure. A more than 150% increase in the number of Kaspersky Anti-Virus users in 2001 confirms our anti-virus' high quality and our commitment to overall customer service.

In conclusion, we present the Top Ten most widespread viruses, by percentage of occurrence, for the last quarter (Sept.-Dec.) of 2001.

Position  Virus               Percentage by occurrence
1         I-Worm.BadtransII   37.0%
2         I-Worm.Sircam       15.4%
3         I-Worm.Hybris        6.2%
4         I-Worm.Aliz          3.0%
5         I-Worm.Nimda         2.5%
6         I-Worm.Magistr       2.2%
7         Trojan.PSW.GIP       1.8%
8         I-Worm.Happytime     0.5%
9         I-Worm.Klez          0.3%
10        JS.Trojan.Seeker     0.3%

25 Dec 2001