Andrey Nikishin, 10 Geroev Panfilovtsev Str, Moscow 125363, Russia. andrey.nikishin@kaspersky.com
Andrey Nikishin wrote his first antivirus program as a result of coming across his first computer virus in 1989. Following the release of Windows 3.0, he switched to programming for this operating system. In 1992 he began developing The Nicks Speed Checker, an antivirus program for Windows 3.0. In 1994 he started developing an integrity checker, the Nicks Ghost Buster, for Windows 3.x, and continued working on this for Windows 95. In 1997, Andrey joined the AVP (which later became Kaspersky Labs) developers team, where he worked as a senior software engineer and architect. In 2003, he moved to the Strategic Marketing department and worked as a Product Strategy Manager, where he was involved in developing a range of antivirus software for Windows projects. Currently he is responsible for Kaspersky Labs’ product and marketing strategy. Andrey took his undergraduate degree in St. Petersburg and gained his MBA from the Institute of Business Studies in Moscow in 2003.
Malicious software – past, present and future
Ten to fifteen years ago, computer viruses, network worms, Trojan code and hacker attacks were associated only with Hollywood action films. Nowadays computer viruses, Internet worms, hackers and cyber-crime are everyday occurrences for computer users. Warnings about new Internet worm epidemics and publicized hacker attacks have become frequent on TV and radio news. What exactly is happening in today’s computer world, and why? What threats may we face in the future, and what ought we to do about them? Answers to these and other questions are outlined in this article.
1. The past In order to understand the future, it is necessary to know and understand the past. Let us start with a review of various viruses for the past two years – 2002 and 2003.
1363-4127/04/© 2004, Elsevier Ltd

1.1. Virus review – 2002
1.1.1. General overview
The year 2002 saw twelve large-scale and 34 lesser, yet significant, virus epidemics, in addition to the continuing epidemics started in previous years (“Sircam”, “Hybris”, “CIH”, “BadtransII”, “Thus” among others). Over the course of 2002, malicious programs consistently penetrated new computer platforms and applications. In January, the first viruses to employ .NET technology for propagation were discovered; however, after the initial attention both viruses proved to be no more than proofs of concept and did not account for a single registered infection. Mid-March brought the appearance of the SQL Server-infecting network worm “Spida” and of “Benjamin”. The latter became the inspiration for a whole family of malicious programs that,
over the course of 2002, unabatedly attacked users of the KaZaA file-sharing network. Also under constant fire were Linux users. The best refutation of the widely held opinion that the Linux operating system is immune to malicious programs was the “Slapper” worm, which over several days managed to infect over 1,000 Linux systems worldwide. FreeBSD users suffered a similar fate, with fairly widespread attacks from the worm “Scalper” in September. We must also mention the drastic growth of so-called commercial viruses, which have a clear commercial purpose, namely the theft of confidential data, financial information, Internet access passwords or other similar actions that lead to some kind of material loss for their victims.

1.1.2. The most widespread malicious programs
Without doubt the leader in the number of registered incidents for the year 2002 is the Internet worm “Klez”. This worm was first detected on 26 October 2001 and is still one of the most widespread virus threats. Never before in the history of “virology” has a malicious program been able to hold the top position among the top ten for such an extended period. However, in 2002 only two of the ten variants of the Klez worm reached mass levels: “Klez.H” (detected 17 April 2002) and “Klez.E” (detected 11 January 2002). In total, 6 out of every 10 registered infections were attributed to “Klez”. It is interesting to note that the four highest places in the top ten are taken by malicious programs that exploit the Internet Explorer IFRAME security breach. In total, the viruses using this propagation technique account for over 85% of all computer virus incidents. This figure underlines the importance of timely installation of software patches for this and other vulnerabilities. Once the patch is installed, a user not only protects his or her computer from the majority of current virus threats but also gains a defence against all similar viruses that may appear in the future.

The 10 most widespread malicious programs for 2002 (Source – Kaspersky Labs)

Place  Name                 %*       Circulation Index
1      I-Worm.Klez          61.22%   10.0
2      I-Worm.Lentin        20.52%    3.4
3      I-Worm.Tanatos        2.09%    0.3
4      I-Worm.BadtransII     1.31%    0.2
5      Macro.Word97.Thus     1.19%    0.2
6      I-Worm.Hybris         0.60%    0.1
7      I-Worm.Bridex         0.32%    0.1
8      I-Worm.Magistr        0.30%    0.1
9      Win95.CIH             0.27%    0.1
10     I-Worm.Sircam         0.24%    0.1

1.1.3. Different types of computer malware making waves in 2002
No less interesting is the picture of the spread of different malicious program types. The established dominance of network worms held true up until September 2002. The fourth quarter of 2002, however, clearly shows a trend in which network worms lose ground while file viruses and Trojans gain. In December 2002 viruses held the number two position at 31.3%, with Trojans following at 16.6%. In contrast, the totals for the whole of 2002 show worms at 89.1%, viruses at 7% and Trojans at 3.9%.
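The IFRAME propagation technique behind the top four entries of the 2002 table works the same way in every worm that used it: an HTML mail body contains a hidden iframe whose src is a cid: reference to another MIME part, and that part declares a harmless type (a WAV sound, an image) while actually carrying a Windows executable, which the unpatched Internet Explorer rendering engine would run on preview. The scanner below is an added example for this article, not code from it or from Kaspersky Labs; it parses a MIME message, resolves each iframe cid: reference and reports the type/content mismatch. The message is constructed for the example, and the list of "player" content types is an assumption of the example rather than a figure from the article.

```python
"""Heuristic check for the Internet Explorer IFRAME trick used by Klez, BadtransII
and related mail worms: an HTML body auto-loads a MIME part by Content-ID whose
declared type (e.g. audio/x-wav) does not match the executable it carries.
Added example for this article; the message below is constructed, not a sample."""
import email
import re
from email import policy
from email.message import EmailMessage

# Declared types the worms used because the unpatched IE handled them without
# prompting; the list itself is an assumption of this example.
PLAYER_TYPES = {"audio/x-wav", "audio/x-midi", "audio/midi", "image/gif", "image/jpeg"}
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".bat", ".com")
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?cid:([^'\"\s>]+)", re.I)


def find_iframe_cids(html: str) -> list[str]:
    """Content-IDs referenced by iframe src=cid:... in an HTML body."""
    return IFRAME_CID.findall(html)


def scan_message(raw: bytes) -> list[str]:
    """Return one finding per suspicious iframe; an empty list means nothing found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts_by_cid = {}
    html_bodies = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[str(cid).strip().strip("<>")] = part
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())
    findings = []
    for html in html_bodies:
        for cid in find_iframe_cids(html):
            part = parts_by_cid.get(cid)
            if part is None:
                findings.append(f"iframe references a missing part cid:{cid}")
                continue
            ctype = part.get_content_type()
            name = (part.get_filename() or "").lower()
            data = part.get_payload(decode=True) or b""
            # The signal is the mismatch: a "sound" or "image" that is a PE file.
            if ctype in PLAYER_TYPES and (name.endswith(EXEC_SUFFIXES) or data.startswith(b"MZ")):
                findings.append(
                    f"iframe auto-loads cid:{cid} declared {ctype} but carrying executable {name or '(unnamed)'}")
    return findings


def build_sample() -> bytes:
    """Constructed message in the Klez style: hidden iframe plus an .exe declared as WAV."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "a special tool"
    msg.set_content("plain-text fallback")
    msg.add_alternative('<html><body><iframe src="cid:worm-part" height=0 width=0></iframe>'
                        '</body></html>', subtype="html")
    msg.add_attachment(b"MZ" + bytes(64), maintype="audio", subtype="x-wav",
                       filename="setup.exe", cid="<worm-part>")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed ordinary message with a real image attachment and no HTML body."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "photo"
    msg.set_content("see attached")
    msg.add_attachment(b"GIF89a" + bytes(16), maintype="image", subtype="gif", filename="cat.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print(line)
```

The check deliberately keys on the mismatch rather than on the iframe alone, since a hidden iframe referencing a genuine image is legitimate HTML mail; it is a gateway heuristic to complement, not replace, the patch the article recommends.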
1.1.3.1. Network worms
Network worms are traditionally dominated by email worms (most notably “Klez” and “Lentin”), which use email as their main means of transport. It should be noted that more and more email worms connect directly to SMTP servers. This tendency shows that the traditional method of sending out worms (for example via Outlook or another mail client) no longer has a good chance of success: manufacturers of email software have integrated anti-virus modules or special functionality that warns about unauthorized mailing of data, and virus writers have therefore moved to methods that get past this type of defence. Other worm types appearing periodically on the graph that are worth mentioning are:
• LAN-worms (2.5%), spread via local area networks;
• P2P-worms (1.7%), spread via peer-to-peer networks (such as KaZaA);
• IRC-worms (0.2%), spread via IRC channels (Internet Relay Chat).
Information Security Technical Report. Vol. 9, No. 2
Spread of the major malicious program types in 2002. (Source – Kaspersky Labs)

1.1.3.2. Viruses
Among the computer viruses of 2002, macro viruses were the most numerous (56.1%), including “Thus”, “TheSecond”, “Marker” and “Flop”. These macro viruses all target the word-processing program Microsoft Word and have been in existence for less than a year. Macro viruses caused epidemics many years ago before falling silent, only to resurface in impressive fashion. Their resurgence can largely be attributed to users, who were sure macro viruses had ceased to be a threat and let their guard down. Slightly behind were Windows viruses (40.9%), the most infectious of which were “Elkern”, “CIH”, “FunLove” and “Spaces”. For 2002, script viruses were practically insignificant as a group (2.7%), as were the other malware types of this class (0.3%).

1.1.3.3. Trojan programs
Most consistently appearing in the list of the most widespread malicious program types were Trojans, though they never occupied the upper echelons of the list. In the final quarter of the year they seemingly tried to make up for lost time, reaching 16.6% in December. The Trojan category is clearly led by unauthorized remote administration utilities, or backdoors (54% of the year’s Trojans), which allow attackers to control infected computers remotely without being noticed. Less frequent were PSW-Trojans (17.9%), malicious programs designed to harvest system information and access passwords (such as to the Internet or Internet resources). The remaining Trojan programs (28.1%) are of other types, sent out to perform various specific tasks on victim computers.
1.2. Virus review – 2003
Nine major virus outbreaks were registered in 2003, together with twenty-six less significant ones, mainly of a local nature. This figure is lower than that of 2002; however, even though the number of outbreaks decreased, their scale and their impact on the Internet increased significantly.

1.2.1. Major virus outbreaks
There were two global outbreaks in 2003, the biggest in the history of the Internet. It should be noted that these outbreaks were not caused by classic email worms but by worms adapted to the Internet itself, which spread as network data packets. The foundations of the first outbreak were laid on 25 January 2003 by the Internet worm “Slammer” (Helkern), which used a vulnerability in Microsoft SQL Server in order to replicate. Slammer became the first file-less Internet worm, and it fully demonstrated the capabilities of flash worms, first described in 2001. On 25 January 2003, in a matter of minutes, the worm infected tens of thousands of computers throughout the world and increased network traffic by between 40% and 80% (estimates vary), causing failures at national Internet backbones. The worm attacked through UDP port 1434; on penetration it did not write itself to disk but remained solely in the memory of the infected machine. Analysis of the outbreak suggests that the worm probably originated in East Asia.

The second outbreak, no less damaging than the first, was started on 12 August by “Lovesan” (Blaster). Lovesan clearly demonstrated to the entire world just how vulnerable the popular Windows operating system is. Like Slammer, Lovesan used a security breach to propagate itself; in contrast to Slammer, however, the breach was in the RPC DCOM service, which is present on every computer running Windows 2000/XP. This meant that the majority of Internet users that day were exposed to the worm. Only a few days after the worm first appeared, three other versions of Lovesan were detected. Then the “Welchia” worm, which used the same Windows breach, exploded onto the Internet. Welchia, however, differed from the original worm: it deleted copies of Lovesan on infected computers and attempted to install the patch for the RPC DCOM service.

2003 was also a year of email worm outbreaks. “Ganda” and “Avron” were detected in January. The former was written in Sweden and is still one of the most widespread email worms in Scandinavia; its author was arrested by Swedish police at the end of March. Avron was the first worm written in Kazakhstan to cause a global outbreak. The source code of the worm was published on virus web sites, which led to the creation of several less successful versions. January also saw the appearance of the first worm in the “Sobig” family, which went on to cause regular outbreaks. Version Sobig.f broke all records, becoming the most widespread email worm in the history of the Internet: at the peak of the outbreak in August, one copy of Sobig.f could be found in every twenty email messages. This particular malicious program was especially dangerous: one of the aims of the authors of the Sobig family was to build a network of infected computers for distributed denial of service (DDoS) attacks on arbitrary web sites. The infected network was also intended to act as a proxy network for distributing spam. The email worm “Tanatos.b” was another notable malicious program of 2003. The first version of Tanatos (Bugbear) was written in mid-2002, with the second version appearing nearly a year later. The worm used a long-known breach in Microsoft Outlook security (the IFRAME breach) to launch itself automatically from infected messages. New worms in the “Lentin” (Yaha) family continued to appear. According to current data they were all created in India by a local hacker group in the course of a virtual war between Indian and Pakistani hackers. The most widespread were versions M and O, in which the worm replicated as a ZIP archive attached to infected messages. Virus writers from Eastern Europe were also active in 2003. The second worm from the former USSR to cause a global outbreak was “Mimail”. The worm used a
vulnerability in Internet Explorer to replicate itself, and the vulnerability subsequently became known as the Mimail vulnerability. It allowed binary code to be extracted from an HTML file and executed, and it was first exploited in Russia in May 2003 by Trojan.Win32.StartPage.L. Following this, the vulnerability was used by the Mimail family of worms and a number of Trojan programs. The author of Mimail published the source code on the Internet, giving rise to several new versions by virus writers from other countries, including the USA and France. September 2003 was the month of the Internet worm “Swen”. Swen disguised itself as a Microsoft patch, infected hundreds of thousands of computers throughout the world and, to this day, remains one of the most widespread email worms. The virus author was able to exploit the fact that users were already unsettled by the recent Lovesan and Sobig.f incidents and were therefore likely to install the so-called patch immediately.

The top ten viruses in 2003* (Source – Kaspersky Labs)

Ranking  Name                 Percentage
1        I-Worm.Sobig         18.25%
2        I-Worm.Klez          16.84%
3        I-Worm.Swen          11.01%
4        I-Worm.Lentin         8.46%
5        I-Worm.Tanatos        2.72%
6        I-Worm.Avron          2.14%
7        Macro.Word97.Thus     2.02%
8        I-Worm.Mimail         1.45%
9        I-Worm.Hybris         1.12%
10       I-Worm.Roron          1.01%

There were two other major security events that should be mentioned. The first was caused by “Sober”, a relatively simple email worm written by a German in imitation
of the leader of the year, Sobig.f. The second was the Trojan “Afcore”: although it did not spread widely, it deserves attention for the interesting way it conceals itself in a system, by writing its code to alternate data streams of the NTFS file system. Even more interesting, Afcore uses the alternate data streams not of files but of directories.

1.2.2. Types of malicious programs
Throughout the year worms remained the dominant type of malicious program. Viruses ranked second, thanks to the activity of the macro viruses Macro.Word97.Thus and Macro.Word.Saver. However, in the autumn of 2003 Trojan programs overtook viruses, and this trend still continues.

Spread of the major malicious program types in 2003, by month (01.03 to 11.03): Internet worms, viruses and Trojan programs. (Source – Kaspersky Labs)

1.2.3. Trends
The most noticeable trend in 2003 was the dominance of worms. Moreover, within this category there was a worrying increase in the number of Internet worms relative to classic email worms. The discovery of breaches in operating systems and applications is a cause for great concern. In previous years, the vulnerabilities used to penetrate systems had been known about for a long time, and patches already existed for them; in 2003 this time frame collapsed to a matter of weeks. The interval between the discovery of a vulnerability and an attack exploiting it is becoming shorter and shorter. In the case of Slammer, the breach in Microsoft SQL Server had been known about for more than six months prior to the attack, and within a couple of months instructions on how to exploit it had been published in several places on the Internet. However, Lovesan, the next worm used to attack the Internet, on 12 August 2003, appeared only 26 days after a patch was issued for the RPC DCOM vulnerability in MS Windows. The computer underground has come to understand that attacking through a security breach is the most effective method of penetrating computers and is actively making use of this idea. As a result, virus writers obtain information about the newest vulnerability and quickly write malicious programs. The Trojan program “StartPage” was registered as spreading on 20 May 2003. It penetrated through the ‘Exploit.SelfExecHtml’ breach, and at the time there was no patch for this vulnerability. Given this, it may be that in the near future breaches will come to light through reports of new viruses rather than through vendors’ reports on the issuing of patches.

A new trend in 2003 was the increasing appearance, towards the end of the summer, of a new class of Trojan programs, “TrojanProxy”, intended for the illegal installation of proxy servers. This was the first and most noticeable sign of the appearance of mixed threats, a cross between viruses and spam. Computers infected by these Trojans were then used by spammers for the distribution of unsolicited email, while the owner of the computer might be unaware of such abuse.
It is clear that spammers also participated in several major outbreaks, where the initial distribution of the malicious software used spamming technology (Sobig). Worms that replicate by stealing passwords to remote network resources also developed actively. Such worms are, as a rule, based on IRC clients; they scan the addresses of IRC channel users and then attempt to penetrate the users’ computers using the NetBIOS protocol and port 445. One of the most notable representatives of this group was the worm “Randon”.
2. Present – the year 2004
2.1. January
“I-Worm.Mydoom” unarguably led the virus “hit parade” in January 2004. The worm appeared on 27 January and accounted for more than three quarters of all infections. In fact, within a week Mydoom beat all the statistics produced by Sobig.f, last year’s leader. According to MessageLabs, Mydoom is the most widespread email worm ever. At the peak of the epidemic this worm was present in one of every nine emails sent on the Internet.
2.2. February
History was made in February 2004, which turned out to be the most active month in computer virology for several years. There had never been such a large number of email worms active at the same time. First we had January’s leader, Mydoom.a, which stayed in first place in the prevalence table. Even though the worm stopped propagating on 12 February, Mydoom.a retained its leading position due to the huge number of copies mailed before 12 February, as well as the large number of infected machines with incorrect system dates. There were also some new entrants that will undoubtedly play (and already play) a key role in the coming months. The most important newcomer is “I-Worm.NetSky.b” (Moodown.b), which its creator coded to disinfect machines infected by Mydoom.a, but also to interfere with antivirus programs. The second significant newcomer is “Mydoom.e”. Unlike Mydoom.a, this version deletes random MS Office documents. It is highly likely that this version was based on the original Mydoom. Our old ‘friend’ Mimail is now polymorphic and spreads as a polymorphic dropper. Mimail.q was the first version with this feature, and it immediately climbed to tenth position in the top twenty. The creator of NetSky seems to have been encouraged by the havoc wreaked by the second version; he or she made some minor changes and released a third version. The last newcomer in the top twenty is yet another version of Mydoom, Mydoom.b. It appeared at the end of January and needed all of February to make its presence felt.

2.3. March
March 2004 was an even more virus-filled month than February. February’s virus prevalence table contained six new email worms; this figure nearly doubled in March, with eleven new worms appearing. March was the month of the Bagles. Five new versions of “Bagle” appeared. These differ from earlier worms in the Bagle family in that they spread in password-protected ZIP and RAR archives, with the password either included in the message text or contained in a graphics file. Such an approach is not new, but Bagle exploited it with great success. Incidentally, tricks like this have spurred the development of new antivirus technology designed to detect and intercept such archives. Statistics for March show that Netsky.b and Mydoom.a have changed places, with Netsky.b now leading the charts. Worms from the Netsky family made a significant impact in March, with four versions appearing. Netsky also started a virtual war, deleting Mydoom, Bagle and Mimail from machines infected by these worms: an antivirus virus. This action, together with the rapid propagation of Netsky, led to three groups of virus writers writing insults directed at the other groups into the code of their worms.
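The Bagle delivery trick above defeats signature scanning of the attachment itself, but it leaves two things in the clear: the ZIP central directory (entry names, including an .exe extension, are never encrypted under traditional PKWARE encryption) and the password in the message text. The scanner below is an added example for this article, not code from it or from any antivirus vendor: it harvests password candidates from the text, checks whether the ZIP attachment is encrypted, lists executables by name without any password, and tries the candidates. Because Python's zipfile can read but not write traditionally encrypted archives, the sample archive is fabricated by a small encoder of the same scheme; the message, password, entry name and the password-hint pattern are all assumptions constructed for the example.

```python
"""Detects the Bagle delivery trick described above: a password-protected ZIP
attachment whose password is given in the message text.  Added example for this
article, not code from it; the archive, password and message are constructed."""
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat")
# How the message hands over the password; the pattern is an assumption here.
PASSWORD_HINT = re.compile(r"\bpass(?:word)?\b\s*(?:is|:)?\s*([A-Za-z0-9]{3,12})", re.I)


def zipcrypto_archive(name: str, data: bytes, password: bytes) -> bytes:
    """Build a one-entry STORED ZIP protected with traditional PKWARE ("ZipCrypto")
    encryption, which zipfile can read but not write.  Used only to fabricate the sample."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(crc: int, byte: int) -> int:
        return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(byte: int) -> None:
        keys[0] = crc_step(keys[0], byte)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)

    def encrypt(buf: bytes) -> bytes:
        out = bytearray()
        for c in buf:
            t = keys[2] | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            update(c)
        return bytes(out)

    for p in password:
        update(p)
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte must decrypt to the CRC's high byte.
    body = encrypt(bytes(11) + bytes([crc >> 24])) + encrypt(data)
    nm = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(nm), 0) + nm
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(nm), 0, 0, 0, 0, 0, 0) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def password_candidates(text: str) -> list[str]:
    return PASSWORD_HINT.findall(text)


def inspect_zip(data: bytes, candidates: list[str]) -> dict:
    """Report whether the archive is encrypted, which executables it lists and which
    candidate password (if any) opens it.  Entry names are stored in clear even when
    the contents are encrypted, so the extensions are visible without a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        report = {
            "encrypted": any(i.flag_bits & 0x1 for i in infos),  # bit 0: entry encrypted
            "executables": [i.filename for i in infos if i.filename.lower().endswith(EXEC_SUFFIXES)],
            "password": None,
        }
        if report["encrypted"] and infos:
            for pw in candidates:
                try:
                    zf.read(infos[0].filename, pwd=pw.encode())
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # wrong key: header check byte or CRC fails
                report["password"] = pw
                break
    return report


def scan_message(raw: bytes) -> list[dict]:
    """One report per ZIP attachment; 'suspicious' marks encrypted archives listing executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = "".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    candidates = password_candidates(text)
    reports = []
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.is_multipart() or not fname.endswith(".zip"):
            continue
        report = inspect_zip(part.get_payload(decode=True), candidates)
        report["attachment"] = fname
        report["suspicious"] = report["encrypted"] and bool(report["executables"])
        reports.append(report)
    return reports


def build_sample() -> bytes:
    """Constructed Bagle-style message: executable inside an encrypted ZIP, password in the text."""
    archive = zipcrypto_archive("photo.jpg.exe", b"MZ" + bytes(40), b"zx17")
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: photos"
    msg.set_content("Here are the photos.\nArchive password is zx17\n")
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()
```

Even when no candidate opens the archive, the combination "encrypted ZIP listing an .exe" is enough to quarantine at the gateway; the password recovery only adds the ability to scan the payload itself.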
2.4. Summary
By the end of April, thirty versions of the email worm NetSky, eight versions of MyDoom, twenty-one versions of Mimail, twenty-six versions of Bagle and twenty-three versions of Lentin had been revealed. More than half of these caused epidemics of differing scales. What waits in the future? Chaos? Or the complete elimination of computer threats? We will find out…
3. Virology – fundamental characteristics of current virus threats
To achieve a general understanding of the current situation as far as virus threats are concerned, the most important characteristics of the modern computer “animal kingdom” must be defined:
• behavior;
• habitat;
• penetration;
• quantitative characteristics;
• propagation speed.

3.1 Diversity of behavior (species)
At present, malicious programs can be divided into the following species according to their behavior:
1. Classic malicious programs, the very existence of which presents a real threat to the functioning of computer systems:
• real viruses, which infect the executable files of various operating systems;
• worms, which replicate through a network, spreading from computer to computer;
• destructive Trojan programs, which are programmed to destroy or alter the contents of various files;
• Trojan backdoors (hacker remote administration systems), which give attackers practically complete control over victim machines;
• Trojan spies, which track the actions of a user on a computer (which applications are launched, what text is entered into various queries in these applications, etc.);
• Trojan thieves, which send a range of information from the infected computer;
• hacker network packets, designed for breaking into the system under attack.
2. Programs which present no direct threat to the computer but may use computer resources in others’ interests, offer irritating, unneeded “services” or carry out fairly harmless but undesirable actions:
• porno dialers, programs which continually invite the user to visit some pornographic site requiring payment;
• “clickers”, which spin the counters on various Web resources;
• adware, which directly or indirectly advertises various goods and services;
• practical jokes, which inform the user of various unwanted events (e.g. the successful formatting of a hard disk).
3. More and more often, hackers use utilities from the category of “riskware” to carry out attacks, i.e. legal software developed with good intentions but used by hackers as a Trojan. (For example, a completely legal remote administration utility becomes a full-fledged Trojan backdoor if it is invisible to the user.) The following all fit into the category of “risky” software:
• remote network administration utilities;
• various servers (FTP, proxy, etc.), i.e. utilities for providing a network service;
• IRC clients, i.e. utilities for using a network service;
• utilities for working with network resources (e.g. uploading files to the network).
In total, we have already listed around two dozen different species of malicious programs. In comparison, ten years ago in 1994 only two species were known: viruses and a few destructive Trojan programs.
3.2. Diversity of habitat (operating environment)
The multitude of present-day malicious programs described above exists in very diverse operating environments, i.e. in operating systems, applications and utilities complex enough to provide a habitat (or cover) for malicious programs. Habitats with the potential to be infected can be divided into the following categories:
1. Operating systems in the contemporary sense (i.e. designed for loading various file applications) or systems which functionally permit the launch of service applications (scripts, macros) aimed at automating information processing or organizing various processes: for example MS Windows, Linux, Palm OS, etc.; office suites such as MS Office and other systems for storing and handling information, e.g. SQL servers, which use built-in script languages (macros); and independent script languages such as VBS, JS, Perl, etc.
2. Various network applications complex enough to have the functionality necessary for the multiplication of viruses or the existence of Trojan programs:
a. mail systems and Internet browsers which use built-in script languages;
b. network games, network pagers (instant messengers), etc. (malicious programs designed for such software have not yet been discovered, but they are theoretically possible);
c. non-network applications which may be used for the spread of viruses or Trojan programs or for carrying out hacker attacks;
d. auxiliary utilities of operating systems (for example, the scripts in Windows Help files);
e. independent utilities of sufficient complexity (such as archivers, media players, etc.).
Again, comparing the present day with the situation ten years ago: instead of just two habitats (inhabited by boot viruses and DOS file viruses), a multitude of ecological niches has appeared, wholly suitable for the rapid development of computer vermin.
3.3. Diversity of penetration methods
The penetration methods of malicious programs can be divided into three types:
1. Errors (vulnerabilities) in the security systems of a program (from operating systems to media players). As a result of such errors it is possible either to force a program to execute an action for which it was not designed, or to embed harmful code in the program and then activate it. Examples: buffer overruns; improper handling of files and file associations; improper handling of the login/password query that opens full access to network resources.
2. Documented features of program systems and utilities of sufficient complexity. Situations are known where harmful code was loaded automatically, without any reaction from built-in protection systems, using methods documented in the user manual of the given software. For example:
• the CALL function in MS Excel (up to MS Office 97), which permitted any Windows API function to be executed without any warning; what is more, the command came directly from a cell (not from a macro procedure);
• decompressing files from archives not into the current folder but into the folder or directory indicated in the archive itself (for example, into the Windows startup directory).
3. The human factor. It is well known that man is the weakest link in any security chain. For this reason the human factor is taken advantage of by numerous worms, viruses and Trojan programs more often than the software errors and vulnerabilities listed above.
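The archive case in point 2 above is still a live problem: an extractor that trusts entry names as stored will happily write into whatever directory the archive author chose. The extractor below is an added example for this article, not code from it: it resolves every entry's real target path and refuses any entry that would land outside the extraction directory, reporting the rejected names instead of silently rewriting them so the caller learns the archive is hostile. The archive, its entry names and the temporary directory are constructed for the example; note that the entry names are written with zipfile.writestr, which stores them unchanged, while zipfile's own extract() would sanitise them.

```python
"""Safe archive extraction, guarding against the second penetration method above: an
archive whose entry names point outside the extraction directory (e.g. into a startup
folder).  Added example for this article, not code from it; the archive is constructed."""
import io
import os
import tempfile
import zipfile


def build_hostile_archive() -> bytes:
    """Constructed sample: one ordinary file plus two entries that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless\n")
        zf.writestr("../../Programs/Startup/update.exe", "MZ")
        zf.writestr("/etc/profile.d/evil.sh", "echo pwned\n")
    return buf.getvalue()


def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract into dest, refusing any entry that would land outside it.
    Returns (written, rejected) entry names."""
    root = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the full target path and require it to stay under root.
            # An absolute name or '..' components resolve elsewhere; refuse them
            # rather than silently rewriting, so the caller learns the archive is hostile.
            target = os.path.realpath(os.path.join(root, name))
            if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected


def demo() -> dict:
    """Run the extractor on the constructed archive in a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="unzip-")
    written, rejected = safe_extract(build_hostile_archive(), dest)
    return {"written": written, "rejected": rejected,
            "readme_present": os.path.isfile(os.path.join(dest, "readme.txt"))}


if __name__ == "__main__":
    print(demo())
```

The same realpath-then-commonpath check applies to any format that carries its own paths (tar, RAR, installer manifests); symlink entries deserve the same treatment, since a link pointing outside the root followed by a file written through it is the same escape by another route.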
3.4. Increasing quantity
Undoubtedly, everyone is aware of the ever-increasing number of malicious programs. There are already tens of thousands of viruses and Trojan programs: the Kaspersky virus database already has over 87,000 definitions. Antivirus databases swell month after month, despite built-in methods of “generic” detection (i.e. detection not of concrete variants of individual viruses/Trojans but of a whole “family” or even an entire class of malicious programs). As we have seen, the reason for the population growth of computer threats lies in the fact that more and more cyber-vandals are gaining access to computers. A certain number of them begin by asserting themselves in the manner described above, and as a result the number of inquiries from suffering users grows. Unfortunately, it is practically impossible to combat this under the conditions of modern computer networks.
3.5. Propagation rate
The propagation rate is also an important characteristic of this class of network threat. Naturally, this trait pertains more to viruses and worms than to Trojans and other malicious programs, as the latter are unable to self-propagate, although mass mailings of Trojan programs do periodically occur. Malicious programs can be split into three categories based on their propagation rate:
1. Traditional viruses, which infect files found on the computer and spread along with them on data storage media (floppy disks, CDs), or when the user accidentally sends an email with an infected attachment or places an infected file on a network share. The propagation rate of these viruses across global networks is minimal, since they make no use of the network to multiply. These viruses more often than not create local epidemics within the limits of an organization’s local network.
2. Email and network worms, i.e. those that send themselves out as attachments to infected emails or copy themselves to accessible network resources. They are activated on the victim’s computer with human participation: when the user opens the attachment to the infected email, or simply opens the email if the worm uses auto-launching methods (for mail worms), or when the user restarts the computer (for network worms). The propagation rate of such worms is significantly greater, since the first half of the spreading procedure (dispatch from the infected computer) is performed by the worm itself, without human intervention. A person need only do the second half of the work: accepting and activating the copy of the worm. As a result, such worms need only a few days to create a global epidemic. Epidemics often spread in accordance with time zones, starting from the beginning of the working day in the given time zone.
3. Network worms which start automatically on the infected computer, i.e. the victim computer is infected from the moment a copy of the worm is received. Since the human factor is completely excluded from the reproduction cycle, the propagation rate of such network worms is extremely rapid, depending only on the propagation characteristics of the given worm and on the popularity of the attacked software installed on the victim computers. As a result, the appearance of new “flash worms” is possible, with which a global epidemic can be achieved in a matter of minutes.
4. Future
Trends in the world of malicious software (viruses, Trojan horses, worms) show that in the near future malicious programs will be distributed more often and more quickly, and their number will grow. Already today the main threat comes from malicious programs distributed by e-mail and over the Internet, and this kind of malware spreads at great speed. Hacker attacks, aimed both at destabilizing networks and at stealing or gaining access to confidential information, are an additional but no less dangerous threat. The facts are as follows:
• the number of Internet users keeps growing;
• the majority of businesses already use the Internet, and part of today's monetary flows are already transferred over it;
• the number of cyber crimes connected with the theft of confidential data and money is growing.
Moreover, new types of malware have appeared recently:
• Adware – programs that display advertising on users' computers;
• Spyware – programs that spy on the user;
• Proxy programs – programs that use the victim's computer to relay file transfers or mail messages (spam);
• Porno-dialers – programs that dial paid pornographic services over a dial-up connection, at a very high connection price;
• "Risk-ware" – software that under some conditions can become risky for the user (FTP, IRC, proxy).
Besides malware and hackers, spam is starting to play a larger role. Refusing to comply with anti-spam legislation, spammers have begun to join forces with hackers and virus writers: like hackers, they penetrate users' personal computers and use them as open mail relays for spamming others. The majority of home computer users have no firewall and are not familiar with intrusion prevention systems. Every year the number of network attacks grows, and as economic dependence on the Internet increases, the number of network attacks aimed at stealing, modifying or falsifying information, with catastrophic consequences, will continue to grow.
The following table shows how the impact zone of each type of malware has grown over time. It is obvious that modern malware typically damages whole regions and countries and can even lead to global disasters (examples of such epidemics are the Internet worms SQL.Slammer and Worm.Lovesan (Blaster)).

Table – Threats and impact zones (vertical axis: impact, from individual PCs through organizations, sector and region to global; horizontal axis: time, 1980s to 2003)
1980s: DOS and boot viruses; mainframe worms (impact: individual PCs)
1990s: polymorphic, stealth and macro viruses (impact: organizations)
2000: e-mail worms; Linux and script viruses; DoS attacks; e-mail worm epidemics; IRC worms, back doors, spyware; worm-driven DDoS; flash worms (CodeRed) (impact: organizations up to regional)
2003: flash threats; massive worm-driven DDoS; mixed techniques (spam and worms); critical infrastructure attacks (impact: global)

Existing methods of detecting malicious software, based on recognizing known malware and on distributing a database of signatures of known viruses, are poorly adapted to counter these threats and cannot keep up with the speed at which malware spreads. The reason is that malicious programs frequently spread faster than anti-virus database updates do: users simply have no time to update before their computers are attacked by a new virus. It is therefore necessary to develop new methods of malware detection that, to some degree, do not depend on anti-virus database updates.
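One detection method of the kind the paragraph calls for is to watch what a host does rather than what its code looks like: a host that opens connections to many distinct new destinations on one port within a few seconds is behaving like a scanning worm, whatever its payload. The following added example (not code from the article or from Kaspersky) runs both a signature check and such a connection fan-out heuristic over a constructed connection log, and shows the heuristic catching a variant whose payload the signature database does not know. The log format, the sample records, the "worm-v1" signature pattern, the window and the threshold are all assumptions made for the example.

```python
"""Behaviour-based worm detection that needs no signature update.

Added example, not code from the article or from Kaspersky. It contrasts a
signature scanner (which only knows the patterns it has been given) with a
fan-out heuristic: a host that contacts many distinct destinations on one
port within a short window looks like a scanning worm regardless of its
payload. The log format, thresholds and records below are all constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed log format: "<seconds> <src-ip> <dst-ip> <dst-port> <payload-hex>".
# 10.0.0.5 is an ordinary workstation, 10.0.0.7 carries the known worm,
# 10.0.0.9 carries an unknown variant and scans port 1434 on random hosts.
SAMPLE_LOG = """\
0 10.0.0.5 10.0.0.1 53 aa11
3 10.0.0.5 93.184.216.34 80 474554
10 10.0.0.9 198.51.100.10 1434 04beef
10 10.0.0.9 198.51.100.11 1434 04beef
11 10.0.0.9 203.0.113.5 1434 04beef
11 10.0.0.9 203.0.113.77 1434 04beef
12 10.0.0.9 192.0.2.4 1434 04beef
12 10.0.0.9 192.0.2.8 1434 04beef
13 10.0.0.9 192.0.2.200 1434 04beef
14 10.0.0.9 198.51.100.250 1434 04beef
15 10.0.0.9 203.0.113.9 1434 04beef
15 10.0.0.9 203.0.113.10 1434 04beef
16 10.0.0.9 192.0.2.99 1434 04beef
20 10.0.0.7 192.0.2.1 1434 04dead
40 10.0.0.5 10.0.0.1 53 aa12
"""

# Signature database: one known worm payload (constructed pattern). The
# variant sent by 10.0.0.9 differs in two bytes, so this never matches it.
KNOWN_SIGNATURES = {"worm-v1": bytes.fromhex("04dead")}


@dataclass(frozen=True)
class Record:
    t: float
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_log(text: str) -> list:
    """Parse the constructed log format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, payload = line.split()
        records.append(Record(float(t), src, dst, int(dport), bytes.fromhex(payload)))
    return records


def signature_hits(records, signatures=KNOWN_SIGNATURES) -> dict:
    """Return {signature name: {source hosts}} for payloads containing a known pattern."""
    hits = defaultdict(set)
    for r in records:
        for name, pattern in signatures.items():
            if pattern in r.payload:
                hits[name].add(r.src)
    return dict(hits)


def fanout_alerts(records, window: float = 10.0, threshold: int = 8) -> dict:
    """Flag (src, dport) pairs that reach `threshold` distinct destinations
    within any `window` seconds; value is the peak distinct count observed.
    """
    recent = defaultdict(deque)  # (src, dport) -> deque of (time, dst) in window
    peaks = {}
    for r in sorted(records, key=lambda rec: rec.t):
        key = (r.src, r.dport)
        q = recent[key]
        q.append((r.t, r.dst))
        while q and q[0][0] < r.t - window:  # drop entries older than the window
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= threshold:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks


def analyse(text: str) -> dict:
    """Run both detectors over a log and report what each one found."""
    records = parse_log(text)
    return {"signature": signature_hits(records), "behaviour": fanout_alerts(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("signature hits :", result["signature"])  # finds only 10.0.0.7
    print("fan-out alerts :", result["behaviour"])  # finds 10.0.0.9, unknown payload
```

The two detectors are complementary: the signature names the known worm on 10.0.0.7 but is blind to the variant, while the fan-out rule flags 10.0.0.9 from its scanning behaviour alone and needs no update to do so. The trade-off is false positives on legitimately chatty hosts (mail relays, monitoring systems), which is why the window and threshold are tuned per network and why such a rule is usually paired with rate limiting rather than blocking outright.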
5. Disappointing conclusion
Trends in the contemporary development of malicious programs are discomforting. The range of virus behaviours will grow in proportion to the growth in the number of services provided by today's global networks and applications, and the appearance of new, insufficiently secure operating systems and sufficiently complex applications (including those of handhelds, mobile telephones and computerized home appliances) will inevitably increase the number of habitats available. Hackers and virus writers will doubtless develop and implement new penetration methods. In particular, behaviours, habitats and penetration methods may be combined, and such malicious programs have already appeared: worms that use several penetration methods at once (sending themselves by e-mail, copying themselves to network resources and attacking server software, like "Nimda"), or a virus that infects files of different operating systems (for example "Pelf", which infects executable files for both Windows and Linux). Moreover, separate mutations of a given type may have different propagation rates.
Thus, antivirus companies and antivirus professionals face the following problems:
1. Unpredictable combinations of well-known behaviours, habitats and penetration methods, as well as the appearance of completely new ones. Since the number of theoretically possible variations greatly exceeds the resources of antivirus companies, we are in no position to cover every loophole that viruses and Trojan programs can use in contemporary computer systems. Antivirus companies:
• must have specialists who thoroughly understand all the nuances of all existing software, or are ready to work through the needed software quickly (which places high demands on the level of antivirus experts);
• are not in a position to predict the exact time, place and characteristics of the next "virus hit".
2. The possibility of new flash viruses appearing that infect the worldwide network in mere minutes. Antivirus companies would simply be unable to ensure timely protection against such viruses, because antivirus professionals (people) analyse new viruses and develop antivirus procedures, whereas the virus propagates at the speed of modern computer networks (machines).