Security Information Week 3, 2006
Introduction
This Security Information attempts to focus on the security trends that could be observed during 2005, and will also briefly comment upon what can be expected in 2006.
Viruses, worms and other malware - overview
In 2005 Norman issued only one alert about malicious programs:
In addition two other programs were set as HIGH RISK, but no alerts were sent.
The previous year there were 12 alerts, and in 2003 there were 14.
This clearly shows a new trend in malicious programs that manifested itself during 2005. More about this later.
The Sober, Bagle and Mytob worms
Although not many high profile malicious programs have been seen in 2005, compared to previous years, three groups of worms were active in 2005 with lots of new variants:
The Sober worms
This family of worms was first seen in October 2003, but is still active with new variants coming up. Its main spreading mechanism is email. One characteristic of this malicious software is that it has techniques to update itself from a series of different servers with new functionality.
The Bagle worms
This family was first seen in January 2004, and since then new variants have been coming at a steady pace. These worms use several spreading mechanisms, for example email and network propagation. The emails composed by the Bagle worms use lots of different "from" addresses, subject fields and email bodies.
The Mytob worms
This is a big family of worms that can spread via email and via security vulnerabilities in the operating systems. The main spreading mechanism seems to be "seeding" from computers that are already compromised in some way. The Mytobs' ability to propagate on their own seems more limited. At the end of 2005 there were approximately 500 different Mytob variants detected by Norman.
A general description of the Mytob family is available here (opens in a separate browser window).
Bots and more bots
"Bots" is an abbreviation for robots, indicating that these are programs controlled by someone.
2004 is the year when this type of malware exploded, with hundreds upon hundreds of new variants. These bots spread over network connections - often by utilizing security flaws - and may perform different tasks such as
- Perform Denial of Service (DoS) attacks against computers
- Update themselves
- Download or upload files
- Launch program files
- Infect other computers
A generic description of one such family of bots, SDbots, is available here (opens in a separate browser window).
2005 was a year when different types of bots were even more widespread than in 2004. There are no indications that the number of bots will be any less in 2006.
Malware "cocktails"
This phenomenon can be described as lots of different types of malware that have "knowledge" of each other. One piece of malware may e.g. download others, and if one is removed, other parts of the cocktail may ensure that the removed one is reinstalled on the infected computer.
Due to such behaviour, the malware cocktails are often very difficult to remove, as the antivirus products must detect and remove all parts of the cocktail in order to clean the infected computer.
This is not a new way for malware to behave, but during 2005 we experienced more of these than previously.
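The reinstall behaviour described above, modelled as a small added simulation (this is not Norman's code; the component names and their peer relationships are constructed) to show why a cleaner that removes one part at a time never converges, while removing the whole set in one pass does:

```python
# Added illustration (not Norman's code): a toy model of a malware "cocktail"
# whose components reinstall each other. Component names and the
# "who reinstalls whom" map are constructed for the example.

# Constructed cocktail: each component re-drops the peers listed for it.
COCKTAIL = {
    "dropper.exe": {"adware.dll", "bot.exe"},
    "adware.dll":  {"dropper.exe"},
    "bot.exe":     {"dropper.exe", "adware.dll"},
}

def tick(present):
    """One watchdog cycle: every surviving component re-drops its peers."""
    restored = set()
    for comp in present:
        restored |= COCKTAIL[comp]
    return present | restored

def clean(present, remove_set, max_ticks=10):
    """Remove `remove_set`, then let the survivors run up to `max_ticks`
    cycles until the set of files stops changing.
    Returns (final_present, host_is_clean)."""
    present = set(present) - set(remove_set)
    for _ in range(max_ticks):
        nxt = tick(present)
        if nxt == present:
            break
        present = nxt
    return present, not present

def sequential_cleanup(present, max_rounds=5):
    """Naive scanner: removes one detected component per round, then rescans.
    Returns (rounds_used, host_is_clean)."""
    present = set(present)
    for rnd in range(1, max_rounds + 1):
        target = sorted(present)[0]          # remove the first detection only
        present, ok = clean(present, {target})
        if ok:
            return rnd, True
    return max_rounds, False                 # survivors kept restoring it

def full_cleanup(present):
    """Scanner that knows all parts and removes them in one pass."""
    _, ok = clean(present, set(COCKTAIL))
    return ok

if __name__ == "__main__":
    print("one-at-a-time:", sequential_cleanup(set(COCKTAIL)))  # (5, False)
    print("all-at-once:  ", full_cleanup(set(COCKTAIL)))        # True
```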
Norman Sandbox technology
In 2005 Norman Sandbox technology took another major leap forward when Norman Sandbox 2005 was released.
This version had several new features which protect users of Norman's antivirus technology better against new and unknown malware - here is a brief overview of the highlights (opens in separate browser window).
No major outbreaks
As mentioned in the introduction, 2005 had no outbreaks that can be compared to the famous ones of recent years. Instead there was a continuous, large trickle of new malware. During the year the number of malware file submissions to Norman increased from hundreds each day to more than two thousand on average.
Much of the new malware is short-lived and aimed at accomplishing one particular task, e.g. unsolicited marketing of a program tool.
The word "greyware" was commonly used for programs where it is not clear whether they are useful or suspect; some are both, as they actually perform what they claim in addition to e.g. more dubious tasks.
A day zero exploit
The tendency for writers of malware to focus on security flaws in operating systems and other software continued.
The most prominent case happened at the very end of December 2005, when a day-zero exploit in Microsoft's Graphics Rendering Engine was published (link opens a separate browser window). This got a lot of media attention, and prominent security organizations like SANS' Internet Storm Center for the first time ever urged users to apply an unofficial patch not developed by Microsoft.
Microsoft's patch was not released in 2005. Thus the end of this story will be a topic for the Security Information summing up 2006 (or you may read the updated Security Advisory from Norman here (opens in a new browser window)).
Other trends and predictions
Among the other tendencies seen in 2005, we will briefly mention:
- Rootkits are not a new technique for installing malware. However, in 2005 quite a lot of media attention was aimed at such, not least due to the fact that Sony installed a rootkit as part of its CD copy protection scheme.
- There seems to be a tendency that computers infected by malware are used as spam relays to send unsolicited emails to end users.
- The "phishing" problem continued. Phishing is attempts to trick a user into entering personal information, like credit card information. This information may later be abused, ultimately for identity theft. This tendency is expected to continue with more advanced techniques in 2006.
- More and more malware is used for criminal economic gain rather than pure malicious intent. It is expected that this will continue in 2006 as even more organized groups will use software as a tool for criminal activity.
