Kaspersky Lab, a leading developer of secure content management solutions, announces the publication of “Kaspersky Security Bulletin: Malware Evolution 2008”, authored by the company’s senior analysts.
The report is aimed both at IT security professionals and users who have an interest in malicious programs.
For the first time, data generated by the Kaspersky Security Network has been used as the basis for this yearly report. This new technology not only enables Kaspersky Lab to get information about malware threats and to track their evolution in real-time mode, but also significantly speeds up the detection of new threats for which signature or heuristic detection does not yet exist.
In 2007, experts highlighted that “non-commercial” malware was dying out. In 2008, this was true of “exclusive” malicious programs (those created and used by one or at the most two people). The vast majority of Trojans and viruses detected this year were developed in order to be sold on to other people. There was also a considerable uptake for “support” services associated with such sales, which included helping ensure the circumvention of antivirus products. Cybercrime started to demonstrate a clear division of labour, with different groups of people being involved in the different stages of creating, spreading, and using malicious programs.
Globally, China took a definitive lead as the main creator of malicious programs. Chinese hackers did not limit themselves to creating their own variants of Trojan programs, but also started localizing malicious programs created in other countries. Chinese hackers were behind two major attacks between April and October 2008 designed to hack websites. During the first attack, conducted between April and June 2008, more than 2 million sites were hacked around the world.
With their continued activity in the area of Malware 2.0, Russian virus writers were at the vanguard of the malware scene. This activity was most clearly demonstrated by Rustock.c and Sinowal, two rootkits which pose a major threat, and which implement technologies that are more sophisticated than those used in the Zhelatin and Warezov worms.
As anticipated, 2008 saw the renaissance of the file virus. Data stealing functions and the ability to spread via removable storage media were added to the traditional file infection payload; the latter made it possible for such malicious programs to infect a large number of computers in countries around the world in a short space of time.
It turned out that worms on flash drives were capable of circumventing the traditional methods used to protect corporate networks (e.g. mail and file server antivirus, and firewalls). Once a workstation has been penetrated, such worms are able to spread quickly across the entire network by copying themselves to all accessible network resources.
In 2008, many variants of Zhelatin (aka the Storm Worm) stopped spreading. The history of this worm, nearly two years long (the first variants of the worm appeared in January 2007), gave rise to a lot of questions. The almost mythical “Storm botnet”, which some estimated contained more than 2 million computers, never demonstrated its full potential, and the anticipated gigantic spam mailings and DDoS attacks never took place.
One of the reasons for this could be that RBN (the Russian Business Network), a cyber criminal hosting business, was effectively shut down. Extensive discussion as to how this network might be involved in almost all criminal activity taking place on the Internet led to the unknown owners of RBN transferring their business to dozens of hosting sites around the world, and to conducting their activities in a less obvious way. Several blows were struck against cybercrime in the autumn of last year. Atrivo/Intercage, EstDomains and McColo were all closed down thanks to co-ordinated action by Internet companies, governments and antivirus companies. The closure of McColo led to the amount of spam on the Internet falling sharply, by more than 50%. As a result, many botnets which had been managed via the closed resources effectively ceased to function. In spite of the fact that within a few weeks the volume of spam started reverting to previous levels, this incident should be seen as one of the most significant victories of the past few years.
The most significant issues of 2008 affected the entire antivirus industry and had major implications for the IT security industry. These issues were the spread of rootkits, malicious programs which target online games, and botnets.
The spread of rootkits became a more serious problem than in the previous year. Kaspersky Lab published three major pieces of research relating to this issue: “Rustock and all that”, “Rootkit evolution” and “Bootkit: the challenge of 2008”. These publications all demonstrated how rootkits can be used to conduct sophisticated attacks, and that the entire antivirus industry must put serious efforts into determining how active rootkits can be detected and disinfected. The increasing popularity of social networking sites, and the active use of these sites in countries with a large number of new Internet users (Southeast Asia, India, China, South America, Turkey, North Africa, and the former USSR) resulted in attacks on and via social networking sites becoming not isolated incidents, but a fact of everyday life. Experts estimate that spreading malicious code via a social networking site has an approximate 10% success rate, significantly greater than the less than 1% success rate of malicious code spread via email.
Social networking sites weren’t only used to spread new malicious programs, but also for data harvesting and a wide variety of scams, including phishing. The most significant incident was the Koobface epidemic; the first variants of this worm were detected by Kaspersky Lab in July 2008, and by December, this worm, which targets users of Facebook and MySpace, was also able to attack users of Bebo, yet another popular social networking site.
In 2008, the number of malicious programs designed to steal passwords to online games rose steadily: 100,397 new gaming Trojans were identified during the year, three times more than during 2007 (32,374). In spite of the fact that in the majority of online worlds it’s forbidden to sell virtual assets for real money, the number of buyers continues to increase. As a rule, the buyers are indifferent to whether virtual assets have been won by other players or simply stolen by using malicious code. This undoubtedly strengthens the hand of virus writers as it leads to an increase in the price of virtual assets and encourages the criminalization of the virtual asset market.
Only a few years ago, the word ‘botnet’ was used solely by personnel from antivirus companies, but in the last year it has become a commonplace term. Botnets have become the main source of spam and DDoS attacks, and the main channel for spreading new malicious programs.
It should be noted that botnets have a direct bearing on all the topics highlighted in this report: rootkits, attacks on users of social networking sites, attacks on online gamers, and so on. This is no surprise, as it is these very fields and technologies which are currently the focus of attention. Most importantly, the events of 2008 demonstrate that these issues are huge potential problems, and there is no doubt that they will continue to evolve in the near future.
The full version of the report contains more details on each of the topics mentioned above.
Forecast
It’s clear that the threats currently in existence will not disappear in 2009: attacks on online gamers and social networking sites will continue, malware technologies will become more sophisticated, botnets will increase in number, and cybercrime as a business, together with the services it offers, will evolve.
The forecasts from Kaspersky Lab experts relate to trends which are not yet sharply defined but which could have a significant effect on the development of cyber threats in 2009.
Global epidemics
Experts acknowledged the end of the long era of global epidemics in 2008. This period, which began in 2000, and reached its peak in 2003–2005, was characterized by a large number of worms which caused global epidemics. Such worms initially used email to spread, and then, towards the end of the period, spread via network attacks. 2007–2008 were years in which the number of Trojan programs designed to steal confidential data, mainly from online bank accounts and online games, rose sharply. However, this year may see a reversal of this trend. There may be serious incidents, which, in terms of scale, could potentially surpass the epidemics of previous years. The spread of the Kido network worm is the first example of such an epidemic.
The modern cybercrime world has entered a period of market saturation: the number of people and groupings active in this market has become too large, leading to serious competition. Nonetheless, an increase in the number of cybercriminals is expected in 2009. The main reason for this is the global economic downturn: an increase in the number of unemployed, together with fewer IT jobs being available due to projects being closed will lead to many highly skilled programmers either being out of work, or in need of money due to a drop in income. Some of these people will be actively recruited by the cybercriminals, while others may see it as an attractive way of earning money. Given that the technical skills of such new recruits are significantly higher than those of most cybercriminals, this will create serious competition.
There’s only one approach which will ensure survival in the competitive cybercrime market: to infect as many machines as possible as quickly as possible. And to do this, cyber criminals will have to conduct regular attacks on millions of users’ computers.
Gaming Trojans: decreased activity
The prediction that there will be a drop in gaming Trojan activity is in contrast to the opinion held by most other antivirus companies. At the moment, the number of gaming Trojans is in the hundreds of thousands. The ease with which these programs can be created and the enormous number of potential victims have, along with other factors, led to saturation of the gaming cybercrime market.
The income of those who live by stealing virtual assets has shrunk while competition amongst cybercriminals is becoming fiercer. Antivirus companies are managing to cope with the flood of malicious programs targeting online games, users are becoming more aware of security issues and gaming companies have taken steps to stop illegal operations with stolen accounts and assets. The result of this could be a drop in the number of new malicious programs for online games and the number of criminal groups which specialize in creating them.
Malware 2.5
Malware 2.0 has been replaced by a new conceptual model: that of huge distributed botnet systems. This model, created by Russian hackers and implemented in Rustock.c, the Sinowal bootkit and a few other malicious programs, has proved to be both highly effective and reliable.
The model is characterized by:
- the absence of a fixed command and control center for the botnet – a so-called ‘migrating botnet’
- the use of strong cryptographic algorithms for communication between the command and control center and the machines in the botnet
- the use of universal command and control centers to manage a number of different botnets
These technologies are closely linked to distributed computing and the creation of systems which work under significant loads with huge volumes of data (High Load architecture). Increased competition between cybercriminal groupings is expected in the area of creating highly resistant distributed systems. Those malicious users who are able to create their own systems will be those responsible for the overall threat level in the future. Serious professionals who have the ability to work within the Malware 2.5 model will come to replace script kiddies.
Phishing / scams
Scams and phishing on the Internet will gain pace. Attacks by cybercriminals will become more sophisticated and intense.
Two factors will influence the increase in scams and phishing attacks. Firstly, in a crisis period, when banks are going under, owners are changing or they are experiencing problems with payouts, scammers have a wealth of new opportunities when it comes to persuading users to believe fake messages. Secondly, the technical sophistication needed to develop and spread new malicious programs will force many cybercriminals to search for simpler and cheaper ways of making a profit. Phishing may be one of the more attractive solutions.
Migration to new platforms
The increased competition between cybercriminals and the drive to infect as many computers as possible will lead to a migration of threats to platforms previously not commonly targeted. This will affect all non-Windows platforms, but the impact will first and foremost be felt by Mac OS and mobile platforms. Previously, malicious programs targeting these platforms were, by and large, proof of concept code; now, however, the market share of these platforms is large enough for them to be of interest to cybercriminals. There are also numerous unresolved security issues relating to these platforms and users are generally not prepared for attacks by malicious programs.
The full version of “Kaspersky Security Bulletin 2008: Malware Evolution in 2008” can be found on viruslist.com.