Kaspersky Lab, a leading developer of secure content management solutions, announces the publication of Malware Evolution: January - March. Alexander Gostev, the author of the report and senior virus analyst at Kaspersky Lab, outlines the key malware trends and threats facing today’s information security industry.
The first quarter of 2008 continued to see an increase in the rate at which new malicious programs appeared, with thousands of new variants being detected every day. This growth is gradually coming to be accompanied by increased technical sophistication. As before, we are seeing the reincarnation of old ideas and techniques, and implementing them in the current landscape brings a whole different level of threat: for instance, infecting boot sectors on victim machines, spreading malicious programs via storage media, and infecting files.
The first three months of the year also witnessed the symbolic death of the old school of virus writing. An announcement about the official closure of the legendary 29A group appeared on their site at the end of February. The people who created Cap (the first macro virus to cause a global epidemic), Stream (the first virus to use NTFS alternate data streams), Donut (the first virus for the .NET platform), Rugrat (the first virus for the Win64 platform), the mobile viruses Cabir and Duts and many others have now retreated in the face of an increasingly criminalized virus-writing community. Gone are the days when malware was created as a form of self-expression or for research purposes – it is far more profitable to generate hundreds of primitive Trojan programs and then sell them.
The Bootkit
The main problem for the antivirus industry at the start of 2008 was that of bootkits – rootkits with the ability to boot from the boot sector of any device. At the dawn of the virus-writing age, boot viruses were one of the most widespread types of malicious programs, replacing the original boot sector code on the disk with their own code. With the advent of Windows 95/98 and the subsequent demise of floppies, boot sector viruses faded from the landscape.
At the beginning of 2007, however, two Indian programmers called Nitin and Vipin Kumar presented Vbootkit – a rootkit with a function to launch from boot sectors that is capable of running on Windows Vista. The old technology for infecting boot sectors had met the fashion for rootkits.
In November 2007 several websites appeared on the Internet that downloaded a specific type of malicious program. A detailed analysis of this program revealed code that was able to infect the master boot record (MBR) and hard disk sectors. In addition to hiding its presence in the system, the malicious code installs a backdoor in Windows that can steal user data, including credentials for online banking systems. This bootkit appears to be a self-sufficient platform that can be bolted onto any existing malicious program in order to protect it and mask its presence in the system. It therefore cannot be ruled out that bootkits will go on sale in the near future and that the technology will become available to thousands of script kiddies. Given the rate at which the number of malicious programs is increasing, this could become one of the most widespread threats.
The danger of bootkits is that they gain control before the operating system starts, and thus before the antivirus program starts. Ten years ago this problem was solved by booting from a clean boot disk equipped with an antivirus. It may be that the time is coming not only for a return to the virus technologies of old but also to the old antivirus technologies.
The storm continues
Mid-January 2008 marked the first anniversary of the appearance of the first samples of what would become known variously as Zhelatin, Nuwar or the Storm Worm. Zhelatin combines a modular structure with frequent releases of new variants, using hundreds of infected sites and Skype and IM to spread the malicious code, as well as rootkit technologies, methods for launching counter attacks on antivirus companies, and a decentralized botnet. In less than a year, the Storm Worm became the main problem for information security, and this was due to its almost mythical botnet. Due to the decentralized nature of the botnet, it's impossible to establish the exact number of zombie machines. In January, Fortinet announced it believed the botnet was part of phishing attacks which had been launched on the Barclays and Halifax banks. If this is the case, then it is the first time the Storm botnet has been directly used for classic cybercrime aims.
Experts differ in their opinions as to who is behind Storm Worm and where they are based. One of the most likely scenarios is that an international group, whose elements have clearly defined roles, is responsible. Someone creates the worm, someone else is responsible for the mass mailings, someone else places the worm on the infected sites, someone else hacks the sites, someone else is responsible for spreading the malicious program via instant messaging, and yet another person is responsible for creating the exploits. Storm Worm may well be a textbook example of modern cybercrime and its international distribution of labour.
TrojanGet
Information security incidents in which legitimate programs and software companies spread infections are relatively rare, but they exist, nonetheless.
Every incident of this nature has a significant effect on the reputation of the software or the company concerned, and causes problems for antivirus companies, which treat legitimate software and the sources it comes from as trustworthy.
At the beginning of March, Kaspersky Lab analysts encountered messages from users saying that a Trojan was present in the directory of the popular download client FlashGet. A quick check showed that, apart from the Trojan files themselves, the FGUpdate3.ini file (containing a link to the Trojan inapp4.exe file) had recently been created and modified. The Trojan was being downloaded from the genuine FlashGet site. A popular legitimate program had been acting as a Trojan downloader, installing and launching Trojan programs on victims’ machines from the developers’ own site.
Because the site had been hacked, a malicious user was able to replace the standard configuration file with one that pointed to the Trojan placed on the site. The 'vulnerability' is present in all versions of FlashGet 1.9.xx: any Trojan program can modify the local FlashGet .ini file, making the client act as a Trojan downloader. There has, as yet, been no official response from the Chinese developers of FlashGet.
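A defender's triage of the pattern described above, as an added example that is not from Kaspersky's report or from FlashGet: it lists the .ini files in a download client's install directory that were modified after the install baseline and that name a URL ending in an executable, which is the combination the analysts noticed with FGUpdate3.ini. The .ini layout, the hostname and the helper names are constructed assumptions; FlashGet's real configuration format is not on the page.

```python
import configparser
import os
import re
import tempfile
import time
from pathlib import Path

# File types that an update entry should not be silently fetching and launching.
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def find_suspicious_update_entries(install_dir, baseline_mtime):
    """Return [(ini_name, 'Section.Key', url)] for every URL pointing at an
    executable inside .ini files touched after baseline_mtime (the install time)."""
    hits = []
    for ini in sorted(Path(install_dir).glob("*.ini")):
        if ini.stat().st_mtime <= baseline_mtime:
            continue  # unchanged since install: not what we are hunting for
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str  # keep key case so the report matches the file
        try:
            parser.read_string(ini.read_text(errors="replace"))
        except configparser.Error:
            continue  # assumption: files that are not INI-shaped are out of scope here
        for section in parser.sections():
            for key, value in parser.items(section):
                for url in URL_RE.findall(value):
                    if url.lower().rstrip(";,\"'").endswith(EXEC_EXT):
                        hits.append((ini.name, f"{section}.{key}", url))
    return hits


def build_demo_dir():
    """Constructed sample directory (not real FlashGet files). Returns (path, baseline)."""
    d = Path(tempfile.mkdtemp())
    baseline = time.time() - 30 * 86400  # pretend the client was installed a month ago
    for name, text in (("FlashGet.exe", "MZ placeholder"),
                       ("settings.ini", "[Options]\nUpdateURL=http://updates.example.invalid/check.exe\n")):
        (d / name).write_text(text)
        os.utime(d / name, (baseline, baseline))  # old files: ignored even if they name an .exe
    # Freshly written config pointing at an executable: the pattern seen in the incident.
    (d / "FGUpdate3.ini").write_text(
        "[Update]\nVersion=3\nDownload=http://updates.example.invalid/inapp4.exe\n")
    return d, baseline


if __name__ == "__main__":
    demo_dir, installed_at = build_demo_dir()
    for hit in find_suspicious_update_entries(demo_dir, installed_at):
        print("suspicious update entry:", hit)
```

Because the Trojan in this incident came from the genuine vendor site, a hostname allowlist alone would not have caught it; the modification time of the configuration file relative to the install is the signal that this check relies on.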
Social worms
According to our forecasts, in 2008 users of social networking sites will become the main targets for phishing attacks. Account data for services such as Facebook, MySpace, LiveJournal, and Blogger will be the subject of increased demand by malicious users. In 2008, many Trojan programs will spread via user accounts on social networking sites, on their blogs and on their profiles.
The main reasons why Web 2.0 services are popular with both users and hackers are listed below:
- Migration of user data from a PC to the Internet
- The ability to use one account to access a number of different services
- Detailed information about the user
- Information about the user's connections, contacts and friends
- Space to publish whatever you like
- Trust between contacts
The problem has already become serious enough to pose a major information security threat.
Mobile news
There was a lot of activity in the world of mobile virology in the first quarter of 2008. It was clear that technologies were continuing to evolve and that there were ever more participants, both virus writers and antivirus companies. Innovations in terms of malicious code were split more or less evenly between the four targets of Symbian, Windows Mobile, J2ME and the iPhone.
During the first quarter of 2008, Trojans for J2ME (a mobile version of the Java platform), which will run on almost any modern mobile, started appearing with frightening regularity. In January we detected Smarm.b, followed by Smarm.c and Swapi.a in February, while March brought SMSFree.d. They all use the same method for extracting money from users: sending SMS messages to premium numbers.
A completely new family of Symbian worms named Beselo was also detected, as well as the InfoJack Windows Mobile Trojan that spread from China. The latter was found in the wild and has caused a significant number of infections.
Conclusion
The period of technical stagnation on the threat landscape appears to be drawing to a close.
Last year, we described "conveyor belt" code: a process generating multiple primitive copy-cat programs that made no effort to implement new virus technologies.
However, now there is a noticeable change in direction, which is demonstrated above all by the appearance of the first malicious implementation of a bootkit. File infection methods are also being used more and more frequently, often in conjunction with complex polymorphic techniques. It should also be noted that virus writers are even borrowing certain technologies from the antivirus world.
The events of the first quarter of 2008 may have a strong influence on the whole information security business in the near future.
The full version of Malware Evolution: January – March is available at Viruslist.com.