Security Information Week 3, 2004
In our Security Information for week 34 in August 2002, we concluded that 2002 most likely was the most active year ever with respect to malicious software.
The time has come to look back on 2003 and evaluate the activity and trends in malicious software.
In 2003 Norman issued 14 alerts:
In 2002 the number of alerts was 8 (in 2001 it was 15).
In retrospect one is, as usual, wiser, and might conclude that some of the alerts mentioned above should probably not have been issued, while others that were not issued perhaps should have been (e.g. W32/Nachi). However, this is a situation where it is impossible to achieve 100% success, when one has to estimate the spreading potential and destructiveness of a malicious program just minutes after it has been analysed. Errors are unavoidable, but the ambition should be to send out alerts for those programs that really are a threat, and to avoid sending out alerts for malicious programs that end up not being major threats.
Several of the programs that caused big problems in 2003 may be assigned to three different groups:
The worms in the Sobig family all have - except the A variant - the significant characteristic that they stop spreading some weeks after being released. In spite of this, these worms became a major problem in the previous year. In particular Sobig.F became huge, and turned out to be by far the most widespread worm ever. The main reason is that it had an unprecedented ability to send out vast amounts of email - an infected computer could send thousands of emails each minute, and this did not stop until the infected computer was cleaned.
For a more in-depth analysis of Sobig.F, please see our Security Information 37/2003.
The Mimails are another gang of malicious programs that were a major problem in 2003. The first one appeared in August, and as of this writing five different members of the Mimail family are still on Norman's list of virus warnings.
The Mimail worms exploit a security flaw in Microsoft's Outlook Express - a flaw which Microsoft patched months ago.
Note that Nachi is named Blaster.D by some antivirus vendors.
All these worms spread by utilizing security weaknesses in Microsoft Windows. Organizations with unpatched computers were particularly harmed if only one PC was infected, as these malicious programs propagate very quickly in networks. The cleaning of infected networks turned out to be a difficult and time-consuming task.
These two malware programs should also be mentioned, as they caused significant problems for many organizations and home users in 2003. Both are still on Norman's virus warning list, and Swen.A is one of the most widespread worms ever.
Based on the outbreaks of several pandemics in the previous year, it seems fair to conclude that 2003 was the worst year ever with respect to malicious programs.
What to expect for the future, then?
Norman has several times pointed out that authors of malicious programs tend to use known vulnerabilities in operating systems and applications to spread (see e.g. Security Information for week 32/2003). This is a particular threat for home users and small organizations without the resources to follow and participate in communication within the security community and stay updated at all times. When such a major part of the online population is vulnerable, even well-secured organizations and computers are affected. This became crystal clear during the Sobig.F attack, where the main problem was that computers and email servers were flooded by emails from infected computers.
Nothing indicates that 2004 is going to be a year with less activity from authors of malicious programs, nor does anything suggest that vendors of applications and operating systems will make their products significantly more secure in a short time frame.
In such a situation, Norman's Sandbox technology, which is able to detect unknown malware, may be a crucial element in anyone's protection scheme.