Security Information Week 10, 2005
Introduction
Earlier this year we summed up the security year 2004 and tried to make some forecasts for 2005. While we are still in the first quarter of the year, we can already see clear indications that the threat situation is changing compared to previous years.
This article highlights some of the tendencies we now observe.
An explosion in new "bots"
A few months ago, around 50 new malware programs of different kinds were sent to Norman's virus analysts each day.
Now we receive up to 500 different kinds of malware daily. This is an increase unprecedented in the history of malware.
Interestingly, the increase has not resulted in any new outbreak of pandemic character like the Sobig.F and MyDoom attacks last year.
The increase consists of lots and lots of "bots" (robots). These are programs that may perform various actions, such as:
- Connecting to several web sites and downloading other malware, like backdoor programs;
- Installing malware on your computer, like backdoor programs;
- Browsing the network for nearby computers that are unpatched and therefore open for being exploited;
- Harvesting personal information like bank account numbers, credit card numbers and passwords.
Since none of these bots is particularly widespread, the attention paid to each of them is low, and you may therefore be infected without even being aware that there is any particular threat at the moment.
If you are infected by a program that leaves a backdoor on your computer, your PC is in principle open to anyone in the world who attempts to connect to it and knows the credentials (if any) needed to connect successfully. Regardless of whether you have personal or corporate information on your computer, it may be used for malicious actions like:
A harbour for sending spam
Since such action is illegal in several countries, spammers of course want to avoid sending from their own computers. That is where your compromised computer comes in handy.
A zombie to be used for attacks against third parties
Several high-profile web sites have been taken down by Distributed Denial of Service (DDoS) attacks over the years. These attacks are carried out by a set of computers (potentially including yours) simultaneously sending huge numbers of requests to one particular computer (e.g. a web server) or one network. The amount of incoming data is then so large that the attacked computers cannot handle it, and they become unavailable for legitimate use.
Computers that are infected are then, without their owners' knowledge, used as the attackers - the zombie computers. The real attacker is sitting somewhere else and she's just pressing the button to start the attack by controlling your and thousands of other zombie computers.
New applications used to infect users
In recent years email has by far been the most popular and efficient way to spread malware. We have also seen several instances of malware spreading over networks (only), like e.g. Pinfi. These network spreaders are often difficult to get rid of, as a single computer that has not been cleaned can generate infection attempt messages across the entire network, or even infect the entire network within seconds, if it is unprotected against this specific threat.
Early in 2005 we have seen several instances of MSN Messenger being used as a spreading tool for malicious software.
The first (and technically most interesting) case used a newly disclosed vulnerability to infect another user by sending a specially crafted image. Microsoft took quick action regarding this vulnerability, and disabled any use of MSN Messenger until a user had updated to a newer MSN version without this vulnerability.
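The bots that browse the network for unpatched neighbours and the network spreaders described above both leave the same footprint: one internal host contacting many distinct hosts on the same port within seconds. The following is an added example, not code from the original article or from Norman, that flags this fan-out pattern in constructed firewall-style log lines; the log format, sample addresses and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the original article): flag an internal host that
# contacts many distinct neighbours on one port in a short window, the traffic
# pattern a network-scanning bot or network spreader produces.
# The log format and every sample line below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2005-03-07T10:00:01 10.0.0.5 -> 10.0.0.1:445
2005-03-07T10:00:01 10.0.0.5 -> 10.0.0.2:445
2005-03-07T10:00:02 10.0.0.5 -> 10.0.0.3:445
2005-03-07T10:00:02 10.0.0.5 -> 10.0.0.4:445
2005-03-07T10:00:03 10.0.0.5 -> 10.0.0.6:445
2005-03-07T10:00:03 10.0.0.5 -> 10.0.0.7:445
2005-03-07T10:00:03 10.0.0.5 -> 10.0.0.8:445
2005-03-07T10:00:04 10.0.0.5 -> 10.0.0.9:445
2005-03-07T10:00:05 10.0.0.9 -> 10.0.0.50:80
2005-03-07T10:00:06 10.0.0.9 -> 10.0.0.51:80
2005-03-07T10:05:00 10.0.0.5 -> 10.0.0.10:445
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def find_scanners(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {(src, port): peak distinct destinations} for every source that
    reaches at least `threshold` distinct hosts on one port inside any `window`."""
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            events[(src, port)].append((ts, dst_ip))
    hits = {}
    for key, seen in events.items():
        seen.sort()  # sliding time window needs chronological order
        start = 0
        for end in range(len(seen)):
            # advance the window start until it spans at most `window`
            while seen[end][0] - seen[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in seen[start:end + 1]})
            if distinct >= threshold and distinct > hits.get(key, 0):
                hits[key] = distinct
    return hits
```

On the constructed sample, 10.0.0.5 reaches eight distinct hosts on port 445 within four seconds and is flagged, while 10.0.0.9's two web connections stay below the threshold.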
Then the authors of malicious software really got back to basics - the good old "social engineering" technique:
Sending a message (presumably) from a user in your MSN contact list that encourages you to click on a web link to see something funny, or interesting, or daring etc., etc., and then to open the program that the link eventually prompts you to open.
And users who would not even in their wildest dreams open an email attachment or click on and execute an email link without being sure of its authenticity, clicked away and were infected...
Same old technique, slightly different medium.
Presumably we will experience a lot of similar infection attempts in the weeks and months to come. And at some point in time most users will learn that opening such a link or program is just as unwise as it would be if it were sent by email.
A merger of different types of malware
One observation that can be made, regardless of which tools are used to spread the malware, is that different types of malware are becoming more and more intimately linked.
- Viruses are used to install backdoors that enable the sending of spam.
- Worms connect to web sites and run programs that install spyware and adware.
- Bots are becoming increasingly more sophisticated in their attempts to exploit vulnerabilities in operating systems and applications, and may leave computers wide open for persons with malicious intent.
This tendency is likely to continue during the year.
The challenges for the security community seem no less demanding this year than in previous years.
Per Olav Førland
