Looking back on the security trends for 2006

Introduction

This Security Information attempts to focus on the security trends that could be observed during 2006, and will also briefly comment upon what can be expected in 2007.

Viruses, worms and other malware - overview

In 2006 Norman issued only one alert about malicious programs:

• W32/Small.KI

This is the same number of alerts as the previous year while there were more than ten alerts both in 2004 and 2003.

This clearly shows that the trend in malicious programs that manifestated itself during 2005 still continues. More about this later.

Several malware families with lots of new variants

Although not many unique high profile malicious programs have been seen in 2006, compared to previous years, several families of malware have grown with a continous stream of new "siblings".

The families with most brothers and sisters in Norman's virus detection files are:

• DLoader
• Spybot
• Agent
• Banker
• Dialer
• SDBot
• Hupigon
• Delf
• Zlob
• Smalldoor
• Smalltroj
• Tibs

All these families have more than 10 000 different siblings.

Major increase in new malware signatures

As mentioned, there were not many particular malware incidents in 2006. However, the number of different types of malware grew at an unprecedented rate. To exemplify by the number of different malware signatures in Norman's virus detection files:

• 1 January 2006: 150 000 different signatures
• 31 December 2006: 550 000 different signatures

These figures show that the malware threat is by no means decreased. By examining the tendencies during the year, one may say though, that the threat has changed from major pandemics to more targeted, short-lived incidents.

Bots and more bots

"Bots" is an abbreviation for robots, indicating that these are programs controlled by someone.

2004 was the year when this type of malware exploded, with hundreds upon hundreds of new variants. These bots spread over network connections - often by utilizing security flaws - and may perform different tasks like

• Performing Denial of Service (DoS) attacks against computers 
• Update themselves
• Download or upload files
• Launch program files
• Infect other computers

A generic description of one such family of bots, SDbots, is available here (opens in a separate browser window).

The trend from 2004/2005 continued in 2006. The botnets created are numerous and very short-lived. It is reason to believe that this trend will continue in 2007.

No major outbreaks

As mentioned in the introduction, 2006 had no outbreaks that can be compared to the famous ones in the years before 2005. Instead there where a continous, large trickle of new malware.

Several of the new malware are short-lived and aimed to accomplish one particular task, e.g. unsolicited marketing of a program tool.

Day zero exploits

The tendency for writers of malware to focus on security flaws in operating systems and other software continued.

The year started with the then unpatched day-zero exploit in Microsoft's Graphic Rendering Engine was published (link opens a separate browser window) from December 2005. Microsoft's patch was released early January 2006 outside its normal patch cycle, which is quite rare.

Interestingly the year ended in a similar way: Unpatched day zero exploits in a Microsoft product (Word). The first vulnerbility was first publicly reported in the beginning of December 2006. Neither Microsoft's patches for December 2006 nor January 2007 addressed the vulnerability. When a patch / patches are issued remain to be seen as of this writing. The end of this particular story will therefore be a topic for the summing up of 2007, or you can read the latest new in Norman's continously uppdated Security Advisory on this (link opens separate browser window).

Throughout the year several other day zero exploits in products from different vendors were published and exploited by various malware.

Norman predicts that the tendency by authors of malicious programs to utilize program vulnerabilities will continue in 2007.

Predictions for 2007

Most of the tendencies we have seen in 2006 are presumed to continue in 2007.  We will particularly focus on the following:

• Computers that are infected by malware, are used as spam relays to send unsolicited emails to end users.
  
• Computers that are infected by malware, are used as parts of botnets to participate in distributing malware. Each and every botnet will be short-lived, and removing them from the Internet will have minimal effect as new ones are continously set up.
  
• The "phishing" problem will continue. Phishing is attempts to trick a user into entering personal information, like credit card information. This information may later be abused, ultimately for identity theft. 2007 will probably show even more targeted attacks - so-called "spear phishing"; attacks particularly aimed at a particular organization.
  
• More and more malware are used for criminal economic gain rather than pure malicious intent. This trend started in full a few years ago and is expected to continue in 2007 as even more organized groups will use software as a tool for criminal activity.
  
• The SPAM problem will continue. Use of image spam as a tool to circumvent antispam products will grow and increase in sophistication.

Previous years' trends are discussed here: