Malware Evolution: April - June 2007 - Executive Summary

This report will say very little about malicious programs themselves. Instead, we're changing gears to examine a wider range of information security issues: Internet problems, new technologies and vulnerabilities. These are the areas in which today’s key tasks lie, the problems which today’s antivirus companies must resolve.

The events in Estonia in late April and early May will likely remain the most discussed events in 2007. Dozens of servers on the Estonian Internet were targeted by DDoS attacks after the Estonian police broke up a demonstration in Tallinn, where protestors spoke out against the Estonian government's decision to remove a monument from one of the city's central squares. (The monument commemorated Soviet soldiers who fell while liberating Estonia during WWII.) The websites of the president, the prime minister, the parliament, the police and a number of ministries were overloaded with an enormous number of requests from thousands of computers located around the world. In addition to the DoS attacks, which were primarily targeted at government websites, dozens of other Estonian websites were defaced.

Estonian politicians blamed the Russian special services for the attacks. This was the first time that the word "cyberwar" was used by such highly placed officials. Estonia asked NATO to view the cyber attacks as military action and ultimately requested military protection from threats stemming from the Internet.

What happened on the Russian Internet during this period? As soon as skirmishes between protesters and the police began in Estonia, many Russian Internet users took the only opportunity they had to voice their protest against the actions of the Estonian government - an online protest. This took the form of DoS attacks. A number of different programs began to appear on forums and websites, and they were used to send innumerable requests to Estonian websites. Any person could download this kind of program and launch it on their own computer. In technical terms, this creates a botnet. However, this botnet was constructed with the consent of computer owners who knew what they were doing. Of course, some of these attacks were sent from “real” botnets from previously infected machines, but one should not underestimate the power of this 'manual' attack. If such events can be called a cyberwar, then in this case the war involved guerilla combat.

There was no substantial evidence for the participation of Russian government bodies in these attacks. However, now the problems of cyberwar and cyber terrorism are being discussed round the world, and not just by security professionals, but also by politicians and military experts. Cyber terrorism is clearly not being discussed in ways appropriate to the current situation: too much dangerous information is being published, and readers are offered ready-made cyber terrorist scenarios. Kaspersky Lab has always held the opinion that the publication and discussion of different ways to bring down a target cannot be described as anything but reprehensible. There is no doubt that any such information could provoke certain extremist groups to attempt to spark off a similar scenario. And now Pandora’s box has been opened.

The biggest global event in the cell phone industry in the second quarter of 2007 - or probably the entire year - was the release of Apple's new iPhone. Sales over the first 18 months are predicted to reach 13.5 million units. Will the iPhone’s popularity act as a tipping point, upsetting the stagnant status quo in the world of mobile viruses? Based on our estimates, 2008 is the year in which we expect virus problems for the iPhone to become a reality. Malicious programs for the iPhone probably won't be worms. Instead, they will probably be typical file viruses and a variety of Trojans. But the biggest threat for iPhone users will be the different vulnerabilities that could be used by malicious users to access information stored on the phone.

Mpack. The authors of malicious programs have begun giving preference to using various vulnerabilities in order to penetrate systems. In mid-June this year, over six thousand Italian servers were detected hosting websites that included a few lines of malicious HTML, similar to:

<iframe src='[address]' width=5 height=5> </iframe>

This is a typical construction used to exploit a range of browser vulnerabilities, and Kaspersky Lab analysts have been very familiar with it for a number of years now. What happens, and how? There is a certain bundle of exploits that take advantage of the vulnerabilities in popular web browsers and operating systems. Malicious users post these exploits on their own website. In order to attract users to visit the site, they gain access to other websites, usually by using account access information that was previously stolen by a Trojan. Then, the iframe tag is added to all of these sites. The tag leads back to the infected site with the exploits. In the end, a Trojan Downloader is usually installed on the system under attack, which makes it possible to download more viruses, worms, backdoors, spyware, etc. to the victim machine.
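The injected tag above has two tell-tale properties a site owner can check for: it is rendered at a size too small to see, and it points at a host other than the site itself. The following script is an added example, not Kaspersky's or Mpack's code, that scans a page's HTML for exactly that pattern (tiny or CSS-hidden iframes with an off-site src). The sample page, the threshold of 10 pixels and the hostname exploit.invalid are constructed for the illustration.

```python
"""Find hidden-iframe injections of the kind left on compromised sites.

Added example (not from the report). Flags <iframe> elements that are
rendered very small, hidden via CSS, or that load content from a host
other than the page's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 10  # assumption: a 10px-or-smaller frame is not a legitimate embed


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag/attr names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute ('5', '5px', '100%') to an int, or None."""
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons]), ...] for iframes matching the injection pattern."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        # Strip straight and typographic quotes: injected tags are often
        # sloppily quoted, as in the sample in the report.
        src = attrs.get("src", "").strip().strip("'\"‘’")
        reasons = []

        width, height = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        if width is not None and height is not None \
                and width <= TINY_PX and height <= TINY_PX:
            reasons.append(f"tiny frame {width}x{height}px")

        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append(f"off-site src {host}")

        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed and two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src='http://exploit.invalid/in.php' width=5 height=5> </iframe>
<iframe src="http://exploit.invalid/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f"SUSPICIOUS iframe {src}: {', '.join(reasons)}")
```

Run it against pages pulled from your own web root; the legitimate 640x360 embed from the site's own host produces no finding, while the two injected frames are reported with the reason that triggered them. Matching on size and origin rather than on a specific URL is deliberate, since the exploit host changes from campaign to campaign.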

We were surprised that Mpack made it beyond the borders of Russia and was used in Italy. Here’s why: Mpack was created in Russia and was sold by Russian hackers to other Russian hackers. Its authors were very active when it came to creating and supporting the spread of the Trojan LdPinch. There are several other similar exploit bundles on the black market: Q406 Roll-up package, MDAC, WebAttacker, etc. All of these analogues have better 'success' rates when it comes to infecting systems than Mpack does.

We believe that the biggest problem is that it is extremely difficult to hold the authors of Mpack criminally responsible. They simply take exploits which were identified by other people and then published on IT security websites in the interests of improving security, but they take no responsibility for how these exploit bundles will be used. This is where we come to the age-old question: does disclosing information about vulnerabilities do more harm than good? We promise to return to this issue and voice our views on what’s going on today in terms of blackhat vs. whitehat.

In mid May we detected three variants of a new Trojan for cell phones: Trojan-SMS.SymbOS.Viver. This Trojan sends text messages to premium numbers. As a result, the subscriber who falls victim is charged a certain amount of money which is then transferred to the malicious user's account. In May we registered three such incidents, which just goes to show once again that today’s mobile technologies are continuing to attract the interest of cyber criminals. Unfortunately, we do not have statistics for most other countries, but it’s difficult to believe that this is an exclusively Russian problem.

The key events of the second quarter discussed in this report are certainly food for thought, but they still do not answer the question: what is the next step for viruses and information threats? Despite the emergence of new operating systems (such as Windows Vista), new services (mobile content) and devices (the iPhone), cyber criminals continue to lack initiative and are using tried and tested ways of attacking Internet users. Furthermore, we are seeing a significant return to “the sources”: computers are increasingly the targets of DDoS attacks and attacks that use browser vulnerabilities to penetrate the system. Probably the only thing that distinguishes the present from three years ago is the fact that email is not being used as the primary vehicle for spreading viruses. Instead, instant messaging services are one of today’s key means of distribution. Another difference is that there has been an explosive increase in Trojans targeting the users of online games. The threats are not becoming “smarter.” Innovation has stagnated as development is now focused on cosmetic changes, and we still don't know what may ultimately serve as a catalyst for global changes to the virus landscape in the near future.

Antivirus companies have considerably improved their existing technologies and introduced several new ones. Presently, antivirus company clients are protected much more effectively than two years ago. The average time that most new malicious programs survive in the wild has been cut down to a number of hours, and is rarely counted in days anymore.

But let’s predict what will happen next. Malicious users will attempt to reach beyond the protection offered by antivirus solutions - a task that is a shift from “getting around” antivirus programs and implies more action in fields that have not yet been mastered by quality antivirus protection, or areas in which protection is not an option for any number of reasons. This is more than likely where the new front will be in the information war: online games, blogs, instant messaging and file swapping networks.