Fortinet Reviews Malicious Code Activity During 2005
This year's highlights:
- Innovations in 2005
- Botnets go mainstream
- Sober: the clever misfit
- Future trends
- Protecting yourself
Without any doubt, 2005 has witnessed the emergence of some interesting innovations; such as the first IM worms, with Bropia spotted in February then Kelvir in March, making their way throughout MSN contact lists.
Perhaps more "proof-of-concept" oriented, Commwarrior, the first Symbian OS worm propagating via MMS appeared in March. Although this was expected, this is considered a major breakthrough over previous Cabir-like worms that would only hop from systems to systems via short-range Bluetooth. Overall, mobile viruses and Trojans increased more than 500% to over 100 unique threats in 2005 compared to less than 20 in 2004.
Another innovation worth our attention: April saw the first
Pharming attacks, aimed at massively installing spyware on
machines running unpatched browsers. Pharming did get some
well-deserved media coverage: In such DNS-poisoning attacks,
targeted end-user browsers address bars displayed a correct
address while ending up on a rogue site...
Although not quite an innovation, it is worth mentioning that plain old phishing attacks grew as well, with monthly phishing counts doubling compared to 2004. Phishing also expanded geographically, with arrests of phishers in UK, Brazil, Estonia and Japan and phishing emails spotted in more than 15 different languages.
Eventually, the very exclusive family of auto worms grew up by two new members: Zotob hit in August, and Dasher in December, respectively exploiting MS05-039 and MS05-051. Of course, these exploit modules were included afterwards in bot-worms such as SdBot and the like.
In 2005, we also saw the re-emergence of some older trends. For instance, in June we started hearing about rootkits (a tool that can hide itself or other processes/files to the system) again. As the rootkits vs. rootkit revealers race to arms truly started, rootkits started implementing process name checking to fool the differential analysis of revealers (essentially, they pretend not to hide themselves when they deal with a process they identified as a revealer). Revealer processes then started to use random names. A few months later, some fellow researchers at the Virus Bulletin (VB) conference exhibited samples of a (non-free!) rootkit implementing binary pattern recognition to spot revealers...
Today, writing viruses has obviously become an -almost exclusively- lucrative activity, and in 2005, it became more and more obvious that Botnets turned out to be the epicenter of virus-related profit generation and cyber crime:
- Phase 1: Raise
In March, MyTob appeared. It was the first mass-mailing worm to embed a bot, allowing for massive and light speed-fast botnet building. The concept has been adopted by most mass-mailers. The days when botnets would be populated manually, by running custom exploits targeting UNIX systems seem far behind...
- Phase 2: "Fire ze missiles"
In June, MyTob variants infiltrated half of our virus top 20, accounting for 40% of the total virus activity. At the same time, Trojan activity doubled, and W32/Small.AUX-tr became the first non-replicative malware to enter the top 20 list this year. This indicates that botnets have reached a mature state, in their number and size. Now, the strategy for botnet herders is to use them to generate money, by renting them for Trojan and Spyware installation or relay.
- Phase 3: Keep a low profile
During the second half of the year, outbreaks were more and more fragmented among variants and seemed to be subject of a sound control by their instigators, who don't need lousy huge outbreaks anymore (which would attract Police attention), but rather small and controlled ones to maintain the size of their botnets. Consequently, for the first time in the year, half of the top ten viruses in September were not worm oriented.
Perfect examples of this were the frequent and highly fragmented Mitglieder (aka Bagle downloader) outbreaks.
Botnets are now being used for a variety of purposes, including relaying spam, phishing, installing spyware, extortion (by threatening online services with DDoS attacks) and much more. Cyber criminals could build and use their own botnet to conduct such activities, or simply rent one.
With the above in mind, Sober appears to be a total misfit, a lone cowboy on the lucrative virus scene. Indeed, it is today, the only mass-mailing worm that does NOT embed a bot. It is therefore not financially motivated. Instead, Sober is one of the rare political worms... Let's look back on the facts:
- May: Sober.P
outbreaks, rapidly getting thousands of users to "click
on the attachment" Thanks to a cunning and soundly timed
social engineering strategy, the outbreak is synchronized
with the FIFA World Cup ticket sales opening, with Sober's
infected emails posing as invitations for the event. The text
is either in English or in German, depending on the target
After days propagating around the planet, the bilingual worm goes dormant - well, almost. From time to time, it connects to an Internet Time server (chosen among a list embedded inside the worm body) to check the date.... Eventually, on Saturday, May 14, it downloads an update, known as Sober.Q, which starts mass-spamming Nazi propaganda. A well rounded job overall.
- September: A Trojan called W32/Yusufa.A-tr is spotted in the wild. As one of the rare political/ideological worms, along with Sober, it is worth mentioning. This cyber-moralist monitors the browser's title bar and hides the window whenever it contains certain words (e.g: sex, teen...). Scripts from the Koran are displayed instead.
- November: Here comes Sober.AD (aka Sober.X or Sober.Z), a slight variant, which seeding has been extremely aggressive. Soon, it skyrockets in the charts and eventually kicks Netsky.P off the top, after this one had ruled over top tens from March 2004 to November 2005!
Following Sober.P's scheme, it soon went dormant but was programmed to "wake up" at midnight on January 5, when it will start to download an update that in turn will likely conduct a new cyber-propaganda operation.
Bilingual, timed, featuring a synchronization scheme and a complex update URL encoding based on the current date, Sober is by far the most technical piece of malware we have seen in 2005, in addition to being the most prevalent since it appeared.
2005 featured a notorious so called "focused attack",
where a custom Trojan was distributed to several companies
in Israel on the form of "demo CDs", for industrial
spying purpose. These kinds of attacks, which are easy to conduct and
have a high "pay-off" potential, are likely to multiply
in a near future - if not already underway. Indeed, their "focused"
nature makes them particularly stealth. Some hackers, on publicly
accessible websites offer their service, for a moderate fee
(around $100), to companies or individuals who would want
an "undetectable" Trojan. In practice, those people
just pack, repack, and tweak the binary until it gets undetected
when cross-scanned by mainstream AV products.
It is therefore probable that hundreds of such Trojans are out there, but since they are targeting one specific victim -and provided they stay quiet enough- they remain in the dark.
Though it has been said, and repeated, no future trend highlight can omit the strong future of mobile viruses. Potentially very similar to PC viruses, their prevalence is growing, and will continue to grow as the number of smart phones is growing rapidly. At the pace mobile phones are evolving, there's no denying that sooner or later the number of smart phone users will surpass that of personal computer users - thereby making mobile viruses a far bigger threat what we've historically seen among PC viruses.
Eventually, seeing how powerful weapons botnets are and how easy they are to control or rent, one may question whether terrorists will use them to cause massive cyber-havoc. Potentially, in an era where nearly every resource, ranging from administrations to banks, airports and plants, is connected to the Internet, it could be possible to use DDoS attacks to seriously harm global economy and communications. Some recent studies showed that mere domains of Zombies would be enough to take a regular website offline for a while. Some botnets feature millions of Zombies. So, why hasn't it been done yet? Despite several discussions with specialists, no one has a truly convincing hypothesis on this. One thing is sure: it might happen. Can we protect against it? Merely.
Statistics and malware analysis are nice, but what is most important to you, me, and everyone, lays in one single question: How do I protect against all these threats? In fact, protection still comes down to the good old trinity: antivirus ware / system updates / user education.
Antivirus ware must be multi-layered and consistent. Gateway filters can be bypassed (see Zotob's case, introduced in corporate networks by infected laptops) and desktop AV solutions are too user-dependant and mostly useless against network worms. Both are good together, if they are synchronized, kept up to date and embed heuristic engines. Adding intrusion protection systems (IPS) and real time URL filtering provides further protection. For instance, most URL-filtering services would block Sober's update URLs.
System update policies are definitely a must have to avoid being victim of a common scheme: vendor releases a patch, hackers reverse engineer the patch to find out the vulnerability it addresses, create an exploit for it, and embed it into malware. Hence, fast reaction and good disinfection tools will in most case tremendously reduce the damage caused by viruses.
However, the end of this year showed all of this is still not sufficient, when "zero-day" threats (i.e.: no patch exists) such as the infamous WMF vulnerability are being discovered. Workarounds are often available, though, to administrators who stay aware of the bleeding trends.
User education is important, but isn't going deep enough to be effective. Simply telling users "do not click on attachment" is only one of numerous necessary pre-cautions that must be taken. With numerous worms attempting to brute force passwords to propagate inside networks, weak or shared passwords is a practice that must be thoroughly avoided. Additionally, something must also be said about the often overlooked but important practice of disinfection.
Eventually, a word or two need to be said about a feature sometimes being overlooked upon: disinfection.
Given an undetected, yet brand new sample, the question "is it a malware?" brings indecision - Fred Cohen demonstrated it two decades ago. Heuristics may help to spot a decent percentage of suspicious files, however, a window of vulnerability exists where your network goes unprotected against certain viruses.
Hence, fast reaction and good disinfection tools will in most case tremendously reduce the damage caused by viruses.