The Security Information for week 20 discussed in general terms why some malicious programs succeed in becoming widespread while others do not, based on a set of characteristics for success. This Security Information will focus on the malicious programs in the Klez family, in particular Klez.E and Klez.H.
The abovementioned Security Information is recommended for background reading prior to reading the rest of this one.
The Klez family of malicious programs consists of several members. Common to all of them is that they consist of two parts - a mass mailer (the Klez part) carrying a virus (the Elkern family of viruses).
The Klez mass mailer typically has several variants of subjects, body texts and attachment names. Further, it uses a well-known vulnerability in Microsoft's email clients. For this vulnerability Microsoft provided a patch as early as March 2001.
There are two Klez family members that have succeeded in becoming very widespread:
What is amazing is that even as this is written these two worms are still spreading. In fact there seems to be no reduction in the amount of email sent over the Internet that is infected by these worms, even now, several months after they were first seen and antivirus vendors published virus definition files with detection. Klez.H is probably the most widespread worm ever, and Klez.E likely among the top five.
What is it about these two worms that has resulted in such spreading?
And - perhaps even more interesting: why has the ratio of infected emails caused by these worms not dropped so long after antivirus vendors published the antidote? Typically, other worms peak within a few days and then drop quite quickly, becoming a rare occurrence within a few weeks.
In the Security Information about why malicious programs spread, these criteria were listed as important:
The two worms in question take advantage of all these techniques.
However, it seems significant to focus in particular on items 2 and 6.
The way the Klez worms collect email addresses and use a semi-random harvested address as the sender effectively blocks one way of shortening a worm's "life" - namely informing infected users that they are infected. Since the apparent sender is normally not the real, infected sender, the warnings - whether from users who get the infected email, or from automatic responses by installed antivirus software - will fail to reach the user of the infected computer.
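To make the point above concrete, here is a small simulation, added to this article and not part of the original text or of any Klez analysis, of a constructed mail network in which infected hosts send worm messages and a naive antivirus gateway warns the apparent sender of every detected message. The host names, the address-book model and the gateway behaviour are assumptions made for the illustration; the simulation compares a worm that reveals its true host with one that, like Klez, forges the sender from harvested addresses, and counts how many warnings actually reach the infected machine and how many land on clean users instead.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Host:
    """A mail user on the constructed network (assumption: every host
    has every other host in its address book)."""
    address: str
    address_book: List[str]
    infected: bool = False
    warnings_received: int = 0


def worm_send(origin: Host, rng: random.Random, spoof: bool) -> dict:
    """Build one infected message sent from `origin`.

    With spoof=True the From: field is an address harvested from the
    origin's address book, as the Klez worms do; with spoof=False the
    message reveals the true host, as simpler mass mailers did.
    """
    recipient = rng.choice(origin.address_book)
    sender = rng.choice(origin.address_book) if spoof else origin.address
    return {"from": sender, "to": recipient, "origin": origin.address}


def warn_apparent_sender(msg: dict, hosts: Dict[str, Host]) -> bool:
    """Naive gateway behaviour: send a 'you are infected' notice to the
    From: address. Returns True only if the notice reaches the host
    that actually sent the worm."""
    target = hosts.get(msg["from"])
    if target is not None:
        target.warnings_received += 1
    return msg["from"] == msg["origin"]


def simulate(n_hosts: int, n_infected: int, n_msgs: int,
             spoof: bool, seed: int = 1) -> dict:
    """Run n_msgs worm transmissions from the first n_infected hosts and
    report where the gateway's warnings ended up."""
    rng = random.Random(seed)
    # Constructed addresses; the .test TLD is reserved and never routable.
    addrs = [f"user{i}@example.test" for i in range(n_hosts)]
    hosts = {a: Host(a, [b for b in addrs if b != a]) for a in addrs}
    infected = addrs[:n_infected]
    for a in infected:
        hosts[a].infected = True

    reached = 0
    for _ in range(n_msgs):
        msg = worm_send(hosts[rng.choice(infected)], rng, spoof)
        if warn_apparent_sender(msg, hosts):
            reached += 1

    to_clean = sum(h.warnings_received for h in hosts.values() if not h.infected)
    return {
        "sent": n_msgs,
        "reached_origin": reached,          # warnings that hit the real infected host
        "misdirected": n_msgs - reached,    # warnings sent to someone else
        "warnings_to_clean_hosts": to_clean,  # clean users falsely told they are infected
    }


if __name__ == "__main__":
    for spoof in (False, True):
        label = "forged sender (Klez-style)" if spoof else "true sender"
        print(label, simulate(50, 5, 1000, spoof))
```

With a true sender every warning reaches the infected machine; with forged senders none does, and most of the notices go to clean users, which is why gateway auto-replies to the From: address add mail volume without shortening the life of a sender-forging worm.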
One of Klez.H's many activities is to disable antivirus software. This, of course, makes it harder to get rid of the worm. Both Klez.E and Klez.H, as well as their viral companions (the Elkerns), use encryption, making them difficult for antivirus vendors to analyze and protect against. Thus, the development and release of "fixes" - cleaning programs - by antivirus vendors has been a gruelling process, going through many new versions as more information has been gathered about the worms and their viral companions' behaviour.
The techniques used by the Klez family and other malicious programs seem, based on the discussion above, to ensure that a malicious program's "life expectancy" is increased. One may safely assume that other authors of malicious programs and/or the author(s) of Klez will attempt to spread more worms. The fact that the life expectancy of such programs is longer, combined with no decrease in the number of malicious programs produced (and there is no reason to believe there will be one), will result in a higher ratio of infected emails on the Internet, hence a higher probability of infection for a random user. This is a challenge for the antivirus industry.
One may wonder - in these days of increased focus on the acts, and the potential for acting, of terrorist groups - if and when malicious programs are or will be used by organizations or states (of any kind!) to achieve an end or simply to spread terror. It would be naïve to assume that this is not already being planned.
Per Olav Førland