Proactive IT Security

The first part of 2009 as seen through secure glasses

Introduction

The time has arrived to look back on the first half of this year and attempt to sum up the situation from Norman's point of view as a security company.

Particularly noteworthy pieces of malware

Some incidents from this first half of 2009 deserve particular attention.

Conficker

Although this worm first appeared at the end of 2008, it was in 2009 that it caused the most problems for end users, and in particular for organizations.

W32/Conficker exists in several variants and is a network-propagating worm that has the ability to update itself by downloading from the Internet. These downloads come from a subset of servers that the worm selects from a very large set of generated potential download servers.

The worm's most noteworthy feature is that one of its spreading mechanisms exploits a vulnerability in the Windows Server Service. This vulnerability allows the worm to trigger a download of itself to the remote computer without the user's knowledge.

The worm also spreads to network shares and to/from removable drives, for example USB sticks. The former makes it difficult to get rid of in a network, while the latter has resulted in several infections in high-profile organizations that would normally have had quite adequate security systems in place.

The Conficker worms have quite advanced systems to protect themselves from being disabled by antivirus and other security applications.

More details about Conficker in Norman's virus description.
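The update mechanism described above, where the worm tries a subset of a very large set of generated server names, leaves a footprint in DNS logs: an infected host resolves many distinct names that do not exist. The following detection heuristic is an added example, not code from Norman or from this article; the log format, the constructed log lines, the five-minute window and the threshold of four names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines (not real data): timestamp, client, query name, response code.
SAMPLE_LOG = """\
2009-06-01T10:00:01 10.0.0.5 www.example.com NOERROR
2009-06-01T10:00:03 10.0.0.9 qkzvpw.org NXDOMAIN
2009-06-01T10:00:04 10.0.0.9 bmtrfuyw.net NXDOMAIN
2009-06-01T10:00:05 10.0.0.9 xcvplqna.com NXDOMAIN
2009-06-01T10:00:06 10.0.0.9 zrtyhuio.info NXDOMAIN
2009-06-01T10:00:07 10.0.0.9 plmokn.biz NXDOMAIN
2009-06-01T10:00:09 10.0.0.5 mail.example.com NOERROR
2009-06-01T10:00:10 10.0.0.5 typo-exmaple.com NXDOMAIN
2009-06-01T10:30:00 10.0.0.9 update.example.org NOERROR
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), rcode))
    return records


def nxdomain_burst_hosts(records, window=timedelta(minutes=5), threshold=4):
    """Return {client: max distinct NXDOMAIN names seen within one window}
    for clients reaching `threshold`. A single typo (10.0.0.5) stays below it;
    a host walking through a generated name list (10.0.0.9) does not."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({q for _, q in events[start:end + 1]}))
        if best >= threshold:
            flagged[client] = best
    return flagged
```

Flagged hosts are candidates for investigation, not proof of infection; a real deployment would also whitelist known-bad-but-legitimate NXDOMAIN sources such as misconfigured search domains.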

Virut

W32/Virut is a family of highly polymorphic viruses. Several spreading mechanisms are used, including the autorun functionality for USB sticks, which will run the virus when such a device is attached to a computer (unless this functionality is disabled).

In addition to its highly polymorphic nature, Virut's most interesting feature is that some variants have the ability to disable Windows' file protection system in order to infect essential protected Windows system files.

The Virut viruses use techniques to protect themselves from being disabled by antivirus and other security applications by blocking access from infected computers to a series of security web sites.

More details about Virut in Norman's virus description.

Koobface

W32/Koobface is of interest primarily because it spreads through social networks like Facebook. It first appeared in 2008, but was very active in the first half of 2009.

A computer infected by Koobface automatically sends messages with malicious links to the computer owner's contacts on various social networking sites. The worm searches through cookies on the computer looking for login credentials for these sites. Using the information gathered from the cookies, the worm connects to the sites and starts sending messages to friends and contacts.

More details about Koobface in Norman's virus description.

General tendencies and trends

The growth in malicious software

One indicator of the growth in malicious software over a period of time is the number of signatures for malicious programs in Norman's virus detection files. In 2007 more signatures were added than in all previous years combined. In 2008 more signatures were added than the total number that existed at the beginning of that year.

By the end of June 2009, the number of signatures was 40% larger than at the start of the year. This seems to indicate that the growth has stabilized into a more linear pattern, as opposed to the exponential growth of previous years. The total number of new signatures at this point in time is nevertheless mind-blowing compared to the number at the beginning of the decade.

The image below shows the growth in signatures in Norman's malware signature files during 2008 and the first part of 2009.

Legitimate software reported as malicious

The sheer volume of malicious software represents an additional risk: legitimate software may be detected as malicious because part of it matches an entry in the antimalware vendors' signature files or triggers other malware detection technology. This also happened this year, with security software from different vendors, including Norman.

Unfortunately this will inevitably happen again. The most important challenge for the security vendors is to avoid such incidents for critical system files and for critical, much-used applications. To accomplish this, the vendors of security software invest heavily in equipment that enables thorough testing of malware detection files against all kinds of legitimate software before the signature files are published to the general customer base.
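The pre-release testing described above can be reduced to a release gate: every candidate signature is scanned against a corpus of known-clean files, and a signature that matches a critical system file blocks the release while other matches are reported for review. This is an added illustration, not Norman's tooling; the byte-pattern signature format with `??` wildcards, the constructed corpus and the signature names are all assumptions.

```python
import re

# Constructed clean-file corpus (not real binaries): file name -> bytes.
CLEAN_CORPUS = {
    "kernel32.dll": b"MZ\x90\x00\x03\x00PE\x00\x00" + b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 16,
    "notepad.exe": b"MZ\x90\x00\x03\x00PE\x00\x00" + b"\x55\x8b\xec\x6a\x00" + b"\x00" * 16,
    "readme.txt": b"This file is harmless text.",
}
# Files where a false positive would damage the system rather than annoy the user.
CRITICAL_FILES = {"kernel32.dll"}

# Candidate signatures: name -> hex byte pattern, '??' matching any single byte.
CANDIDATES = {
    "Trojan.Constructed.A": "55 8b ec 83 ec 10",       # too generic: an ordinary function prologue
    "Trojan.Constructed.B": "de ad be ef ?? 13 37",    # specific to the (constructed) sample
    "Trojan.Constructed.C": "68 61 72 6d 6c 65 73 73",  # the ASCII text 'harmless'
}


def signature_to_regex(hexpat):
    """Compile a hex pattern with '??' wildcards into a bytes regex."""
    pieces = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
              for tok in hexpat.split()]
    return re.compile(b"".join(pieces), re.DOTALL)


def false_positive_report(candidates, corpus):
    """Return {signature: [clean files it matches]} for every signature that hits."""
    report = {}
    for name, pattern in candidates.items():
        regex = signature_to_regex(pattern)
        hits = sorted(fname for fname, data in corpus.items() if regex.search(data))
        if hits:
            report[name] = hits
    return report


def release_decision(report, critical):
    """Split offending signatures into those that block the release and those
    that only need review. A hit on a critical file is never shipped."""
    blocked = {sig for sig, files in report.items() if critical & set(files)}
    warned = set(report) - blocked
    return blocked, warned
```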

In a security article earlier this year, we discussed this issue in general using a similar issue in Google's system for identifying malicious web sites as the basis for the discussion.

More rogue computer programs

Computer programs that pretend to be what they are not have been around almost forever (in the age of computing). The trend observed in 2008, with an increased flow of rogue computer programs masquerading as antivirus and antispyware applications, continued.

This now seems to have grown into a substantial industry with significant potential for economic profit.

Social media as havens for propagation of malware

Social media like Facebook and Twitter have grown increasingly popular during the year. Not surprisingly, this has been matched by the use of social media as spreading mechanisms for malware.

We refer to Koobface, discussed above, as one example of malware utilizing social media. There are several. It is important to be aware of the fact that clever social engineering techniques are often involved in successful exploitation.

Vulnerabilities in operating systems and applications are still exploited

The tendency for authors of malicious software to use vulnerabilities in operating systems and applications to propagate continues. Popular applications such as all widespread web browsers, Adobe's applications and much-used operating systems were all affected. Not only were the most used applications from Microsoft targeted; several other vendors' popular software was affected as well.

Malware writers are very quick to utilize new vulnerabilities by creating exploit applications. One consequence is that software vendors have to try to react faster with security patches and other workarounds. The most recent example is Microsoft, which issued a security advisory a few days ago with a workaround for a zero-day vulnerability that was being actively exploited in some versions of Internet Explorer, with compromised web sites as a major spreading vector.

Malware writers are getting increasingly sophisticated in creating malware that exploits not only one but several vulnerabilities, patched and unpatched, in the same piece of malware. This has been made even easier by the fact that a malicious person can purchase her own set of exploits on the Internet and then use these in her malicious program.

Creating a malicious program is now possible without any programming skills. One implication of this is that social engineering skills on the malware "designer's" part are becoming more crucial for a particular piece of malware to succeed among the multitude of others.

Big media events are used as triggers for malware distribution

This is not a new or revolutionary observation. However, during the first half of this year we have observed that this tendency has increased. Authors of malware are more eager to launch malware using social engineering techniques that piggyback on major media events.

Several examples of this have been seen in recent months; the latest and perhaps most prominent is Michael Jackson's death and funeral.

There are numerous tools available for a person who wishes to use her social engineering skills combined with Internet instruments. In special security articles this year, we have discussed:

Malicious software exploiting new devices

An interesting phenomenon! This year two examples of this have been observed, both of which have qualified for discussion in separate security articles:

Presumably this is only the tip of the iceberg. In the future, malware attacking devices that ordinary users have never viewed as vulnerable or dangerous may turn out to be exactly that. This is particularly worrying, and it needs to be stressed again and again: people have learned to be aware of malware that is distributed through traditional means, but as soon as new spreading mechanisms are used, the defences fail.

Awareness of threats to the Internet by top politicians

Finally, it is appropriate to mention that late in the first half of 2009, the role of the Internet as a critical part of modern societies' infrastructure was emphasized. US President Barack Obama focused on this in particular in a much-commented speech on 29 May.

The security community particularly welcomes the fact that challenges long felt within this group have now reached a higher level. Modern societies now acknowledge that security issues involving the Internet and related infrastructure should be in focus and seen as a potential threat to a modern nation's ability to function properly.

More details in our security article here:

Predictions

For predictions for 2009, we refer to the summary of 2008 linked below. It seems unfair to the faithful readers to adjust the predictions for the year in the middle of the foretold period.

The risk for the fortune teller who makes no such adjustment is of course that the probability of being wrong increases. So be it...

Previous years' discussions are available from the links below:

Summing up 2008 and predictions for 2009
Looking back on the security trends for 2006
Looking back on the security trends for 2005
Looking back on the security trends for 2004
2003 - the worst year ever regarding malicious programs?
2002 - a quiet year with respect to malicious programs, or not?