Proactive IT security

2002 - a quiet year with respect to malicious programs, or not?

Security Information, Week 34, 2002

In August this year some news items appeared, which claimed that the year so far had been a quiet one for the computer security industry. The alleged reason was that there had been very few dangerous new viruses and worms on the loose.

The origin of this seems to be a Reuters news item of 12 August, New Computer Security Dilemma: Lack of Viruses. This news item was referred to in several other media, e.g. ZDNet News - Are Virus writers getting scared away?, and Digi.no's Hvor blir det av virusene? (Norwegian text).

To support the claim, the original article states that while 2001 had the malicious programs Code Red, Nimda and Sircam, 2002 so far had only had the Klez worm (which the article says has been around since earlier in the summer).

Before looking into potential implications of this, one should ask:

  • Are the articles' claims true? Has there been a decrease in the problem that malicious programs represent?

A problem of measuring

Whether the articles are right is difficult to research, because the problem itself is difficult to measure. Several criteria may be used, but none of them is particularly good, and none can be estimated exactly. Let us look at some:

  • Ratio of infected emails to the total number of emails: This seems to be a very good criterion. One important drawback is that it only measures malicious programs spreading through email. More problematic, however, is that it is difficult to measure.
  • Number of warnings issued by the antivirus industry: This one has major flaws. The antivirus industry has to issue its warnings very soon after a malicious program has been discovered In the Wild and analyzed. Sometimes, in retrospect, these warnings turn out to be justified; other times the industry was wrong in its estimate of the malicious program's ability to spread and/or cause havoc.
  • Number of malicious programs added to the antivirus signature files in one year compared to other years: Here another type of problem arises. Such a number says nothing about the severity of the malicious programs.
  • Number of malicious programs In the Wild in one year compared to other years: This suffers from the same problems as the one above.
  • Number of infected computers: One may really wish to know this figure. Unfortunately it is more or less impossible to get exact figures here. There are also problems with counting, as one organization with 10,000 infected computers may count as one infection, just like one with only three computers.

What we know

Regardless of the problems with measuring mentioned above, there is something we know about 2002 compared to earlier years. There is probably consensus about this in the antivirus industry as well as in the security business as a whole.

  • The Klez.H worm which appeared In the Wild in April 2002 is by far the most widespread worm ever. It is still very active four months after the antivirus industry added detection of this worm to its signature files.
  • The BadTrans.B worm was found In the Wild late November 2001. It was spreading severely for several months in 2002.
  • The Klez.E worm was discovered in January 2002. It was very active until late June, and it is still seen in quite a few infected emails.
  • The Yaha.E worm was discovered in June this year. It is one of the most widespread worms we have seen in history.

Common to most of these is that they have the following characteristics:

  1. They use a huge variety of different subjects and body texts.
  2. They harvest email addresses from the infected computer and use these addresses as the sender of the email, making it difficult to notify the owner of the infected computer.
  3. They disable antivirus software.
  4. They exploit security weaknesses in installed programs. In certain circumstances this enables infection without the user having to launch the infected attachment.

Characteristics 1, 2 and 3 above make them difficult to stop, thus securing a longer life-span than is usual for other types of malicious programs. Characteristic 4 means that a user may be infected very easily if the insecure program is not patched.

See Security Information 20/2002 and 25/2002 for a more thorough discussion of such infection methods.

As mentioned above, the virus warnings issued by the antivirus industry during a given period of time are not a good tool for measuring the activity of malicious programs. For those interested, Norman has issued eight alerts so far in 2002. The total for 2001 was 15.

An attempt to measure spreading frequency of malicious programs

MessageLabs is a company specializing in scanning emails at the server level. They have many computers around the world that scan huge amounts of email for infected attachments. Since such a large number of emails is scanned by their servers, MessageLabs' statistics are of interest. Fortunately, MessageLabs does make some of these statistics available to the public.

One should be aware that what MessageLabs is able to monitor is only infections that use email as a technique for spreading. Malware that spreads e.g. through maliciously formed web pages or over networks within an organization is not included in these statistics. However, since we know that email is so far the most effective technique for spreading, the information we can gather from MessageLabs is interesting nevertheless.

Since MessageLabs' base of installed computers scanning emails has been increasing over the last few years, the numbers given are not directly comparable. However, they may give us an indication of tendencies.

Let us look into some of the numbers published by MessageLabs. The statistics referred to are as of 16 August. We refer you to MessageLabs' VirusEye for more and updated statistics.

The top five malicious programs using email to spread are (the date in parentheses is when they were added to Norman's virus detection files, in yyyy.mm.dd format):

  1. W32/Klez.H (2002.04.17)
  2. W32/SirCam (2001.07.20)
  3. W32/Klez.E (2002.01.17)
  4. W32/Badtrans.B (2001.11.24)
  5. W32/Yaha.E (2002.06.21)

To spell it out: Of the top five malicious programs on MessageLabs' list, three were discovered in 2002, and one late in 2001 with severe effects in 2002. It should be noted that emails infected by Klez.H are almost three times as many as those infected by SirCam. Interestingly, Klez.H is, at the time of writing, still by far the most active malicious program in MessageLabs' statistics.

To conclude

What we can see from the statistics available, and from what is known in general, is that 2002 has not at all been a quiet year with respect to activity from malicious programs.

On the contrary - Norman estimates that 2002 is most likely the most active year ever regarding the ratio of infected emails compared to the total number of emails sent.

Per Olav Førland