Security Information Week 6, 2001
Since computer viruses first appeared in the middle of the 1980s, there has been a rapid development of these and other malicious programs. We have seen the authors of such programs begin to use new tools and techniques to cause problems for computer users. These problems may be minor, or they may cause damage in the multi-billion range.
A little background
In the early years of computer viruses, these programs were binary viruses - compiled computer programs. Not so many years ago, however, writers of malicious programs started to use scripting languages - languages in which the program code is interpreted rather than compiled. Such code is easier to copy and slightly alter, thus creating new kinds of malicious programs based on the original program source. A few years ago most of the widespread new malicious programs were macro viruses.
The two malicious programs which have caused the most problems in recent years are the Melissa virus at the end of March 1999 and the Loveletter virus in May 2000 - a macro virus and a Visual Basic Script virus, respectively. Interestingly, it was not the payload of these viruses which caused the worst problems, but rather the damage to the Internet infrastructure (e.g. overloaded email servers).
The turn of the millennium
At the turn of this millennium there seems to be a change in what malicious programs do as well as how they are created and propagate. There also seems to be a tendency towards constant spreading of malicious programs, rather than the peaks seen before.
- Binary 32-bit malicious programs have been the most widespread lately.
- The programs are often encrypted, making analysis and detection more difficult.
- Several malicious actions are often combined in one program or one set of programs, like virus and worm functionality.
- Mass emailing is increasingly used as a propagation technique.
- The Internet itself is used, not only as a means to spread the malicious program, but also as a source for updating the program with new functionality.
Among the malicious programs most often reported to Norman in January 2001, the top five were all 32-bit. Four of the top five are mass-mailing based. Three use encryption techniques to some degree. Two of the top five have more than one malicious part. One uses plug-ins posted on newsgroups on the Internet to get new functionality. None has had a propagation which was very fast and then "died"; on the contrary, most have been constantly growing in distribution.
What to expect in the near future?
One may guess that these trends are going to continue. Techniques proven to be successful will be adopted by other writers of malicious software, and will continue to be used by those who first started using them.
We may expect that new types of malicious software utilize plug-ins available from the Internet, in a similar way as W32/Hybris. We may expect malicious software to have different functionality - viruses, trojans and worms - combined in one program; W32/MTX is an example of such.
There is also reason to believe that one part of these future malicious programs may be a so-called Zombie, which makes a PC participate unwillingly in a Distributed Denial of Service (DDoS) attack against others. Such attacks were discussed in Norman's Security Information week 41/2000 and week 6/2000.
In late 1999 and last year there were examples of malicious programs, like JS/Kak, which could infect a PC if a user merely read an email or viewed a specially created web page. This particular program used a security flaw in Microsoft software which supports Active Scripting. Microsoft long ago released a patch which removes exposure to this vulnerability. Nevertheless, JS/Kak is currently one of the more widespread malicious programs. There is reason to expect that emails and web pages which utilize this technique will continue to appear.
The challenge
The vendors of protection against malicious software and end users are both challenged by these trends. As malicious software grows more complex and difficult to analyze, heuristic detection of the actions performed by software will become increasingly important in stopping infection and propagation. The new version 5 of Norman Virus Control is an important step in that direction.
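As an added example (not code from Norman or from this newsletter), a small Python script that applies one such behaviour-based heuristic on the mail-server side: it flags senders that push the same attachment to many distinct recipients within a short window, which is the traffic pattern of the mass-mailing programs discussed above. The log format and the log lines are constructed for this example and do not correspond to any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical mail-gateway format (not a real product's format):
# "<date> <time> from=<sender> to=<recipient> attachment=<file name>"
SAMPLE_LOG = """\
2001-02-05 09:00:01 from=alice@example.test to=bob@example.test attachment=report.doc
2001-02-05 09:00:03 from=carol@example.test to=dave@example.test attachment=NAVIDAD.EXE
2001-02-05 09:00:04 from=carol@example.test to=erin@example.test attachment=NAVIDAD.EXE
2001-02-05 09:00:06 from=carol@example.test to=frank@example.test attachment=navidad.exe
2001-02-05 09:00:08 from=carol@example.test to=grace@example.test attachment=NAVIDAD.EXE
2001-02-05 09:00:10 from=carol@example.test to=heidi@example.test attachment=NAVIDAD.EXE
2001-02-05 09:00:12 from=carol@example.test to=ivan@example.test attachment=NAVIDAD.EXE
2001-02-05 09:00:15 from=frank@example.test to=judy@example.test attachment=minutes.doc
2001-02-05 09:00:16 from=frank@example.test to=mallory@example.test attachment=minutes.doc
2001-02-05 09:00:17 from=frank@example.test to=oscar@example.test attachment=minutes.doc
2001-02-05 09:00:20 bounced message (malformed line, skipped by the parser)
"""

LINE_RE = re.compile(r"^(\S+ \S+) from=(\S+) to=(\S+) attachment=(\S+)$")

def find_mass_mailers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(sender, attachment): recipients} for every sender that delivered the
    same attachment to at least `threshold` distinct recipients within `window`."""
    events = defaultdict(list)  # (sender, attachment name) -> [(time, recipient)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not carry an attachment record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # Attachment names are compared case-insensitively; file name case is cheap to vary.
        events[(m.group(2), m.group(4).lower())].append((ts, m.group(3)))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start time
            recipients = {r for t, r in hits[i:] if t - start <= window}
            if len(recipients) >= threshold:
                flagged[key] = len(recipients)
                break
    return flagged

if __name__ == "__main__":
    print(find_mass_mailers(SAMPLE_LOG))
```

A normal sender mailing one document to a few colleagues stays under the threshold; only the burst of identical attachments is reported, and the report names the sender and the attachment so the host can be isolated and the file examined.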
End users must be constantly aware that email attachments may contain malicious software. This is true even when the email is sent by a colleague or friend. Malicious software like W32/Navidad.B is able to send emails with attachments without the sender knowing.
End users, and system administrators in particular, should be aware of security issues in the software they use, and install the relevant patches. Many software vendors have special mailing lists for security issues, and there are also several independent security forums and mailing lists. Norman's web page about Internet Security refers to some of these.
There is one sure thing about the situation at the early days of the new millennium: The security issue regarding malicious software is not yet solved.
Per Olav Førland
