Wrap up security 2008: Malware

CIOL Bureau

NEW DELHI, INDIA: Sanjay Katkar, Chief Technology Officer, Quick Heal Technologies Pvt Ltd, talks about the prominent events in the anti-virus and security arena in 2008.

The facts and figures are based on research done in the Quick Heal Technologies Virus Lab and on intelligence collected during those events.

Says Sanjay Katkar:

Our Virus Lab has been receiving 3,500 to 4,000 unique samples daily. Throughout the year we saw ups and downs in the spread of malware and in the use of fast-flux networks to distribute malware over the Internet.

Start of the year: STORM ruled the roost

The year started with the STORM (Troj/Pushdo-Gen / Tibs / Zlob) botnet still the most prevalent; it was released in January 2007. A botnet is a network of compromised computers that are controlled remotely and surreptitiously by one or more individuals, called bot-herders.

Computers in the botnet, called nodes or zombies, are usually ordinary computers with always-on broadband connections, sitting on desktops in homes and offices around the world.

Usually, computers belong to botnets because their owners or users have been tricked into installing malware that secretly connects the computer to the botnet and performs tasks like sending spam, hosting malware or other illegal files, and attacking other computers. Often the user never knows that the bad guys are controlling his/her computer.

The STORM botnet was the first large-scale malware to be based on a peer-to-peer (P2P) command-and-control protocol, which made its bot network nearly invulnerable to shutdown attempts.

The trojans installed on user systems were spammed as attachments and as links to trojan-hosting websites. The spammed e-mail subject line usually read along the lines of "You've received a greeting card from a friend" (or "neighbor" or "family member"), with a link in the message body that sends the recipient to a website that forces the trojan onto the computer.

To avoid being detected by most anti-virus and security applications it delivered a modified version of itself for each request. To create these modified versions the malware writers used server-side polymorphism, where a new package or executable was generated for each request.

At the beginning of the year it was estimated that the size of the botnet had touched a million unique IP addresses. But by the end of 2008 we saw a steady drop in botnet size.

The drop in zombie (infected) PCs in the STORM botnet was due to the efforts of the AV industry in adding generic detection for the trojan and, at last, to the takedown of EstDomains by ICANN (Internet Corporation for Assigned Names and Numbers).

More variants of W32.Virut, W32.Xorer, W32.Sality

In 2008 we also saw more variants of W32.Virut, W32.Xorer, W32.Sality and many other file-infecting viruses. Most of the file-infecting viruses used techniques like:

Entry point obscuring (EPO).

Polymorphism.

XORing the original code, and many more.
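Of the techniques in the list above, an XOR layer over the code is the one a scanner can often strip generically, because every Windows executable carries a known string in its DOS stub. The block below is an added example and not Quick Heal's code nor code from any of the named viruses: it encodes a constructed stub image with a short repeating XOR key and then recovers the key by known plaintext. The key, the sample image and the function names are assumptions made for illustration.

```python
"""Recover a short repeating XOR key from an XOR-encoded executable by known plaintext.

Added example, not Quick Heal's code and not taken from W32.Virut, W32.Xorer or
W32.Sality. The sample image and SAMPLE_KEY below are constructed for illustration.
"""

# Every MS-DOS/PE stub carries this string right after the 64-byte DOS header.
KNOWN_PLAINTEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, known: bytes = KNOWN_PLAINTEXT, max_key_len: int = 8):
    """Slide `known` across `blob`. At each offset, ciphertext XOR plaintext yields a
    key stream; if that stream repeats with period `klen`, we have the key.
    Returns (key, offset) or None. Shorter periods are tried first, so a key such
    as b'AA' is reported as b'A' (the two are equivalent)."""
    n = len(known)
    if n > len(blob):
        return None
    for klen in range(1, max_key_len + 1):
        if klen > n:
            break  # the known text cannot pin down a key longer than itself
        for off in range(len(blob) - n + 1):
            stream = [blob[off + i] ^ known[i] for i in range(n)]
            key = [None] * klen
            for i, k in enumerate(stream):
                j = (off + i) % klen          # key byte that covers absolute position off+i
                if key[j] is None:
                    key[j] = k
                elif key[j] != k:
                    break                     # stream is not periodic here; try next offset
            else:
                return bytes(key), off
    return None


def decode_if_xored(blob: bytes):
    """Return the decoded image if a key is found and the result looks like a PE ('MZ')."""
    found = recover_xor_key(blob)
    if found is None:
        return None
    key, _ = found
    plain = xor_bytes(blob, key)
    return plain if plain[:2] == b"MZ" else None


def build_sample_image() -> bytes:
    """Constructed stand-in for a tiny DOS stub plus padding; not a real executable."""
    dos_header = b"MZ" + bytes(62)
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # 14 bytes
    return dos_header + stub_code + KNOWN_PLAINTEXT + b".\r\r\n$" + bytes(32)


SAMPLE_KEY = b"\x5a\xa5\x3c"  # constructed 3-byte key


if __name__ == "__main__":
    image = build_sample_image()
    encoded = xor_bytes(image, SAMPLE_KEY)
    print("encoded header:", encoded[:2], "key recovered:", recover_xor_key(encoded))
    print("decoded matches original:", decode_if_xored(encoded) == image)
```

The same sliding known-plaintext check works against any file whose format carries a fixed string (ELF, ZIP, OLE), and a scanner usually caps the key length and the scan window so a large file does not cost a full quadratic pass.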

Some of the viruses were badly coded and contained bugs, due to which the files they infected were not recoverable. Some viruses, like W32.Virut, open a backdoor on port 65520 on the compromised machine.

This backdoor can later be used for downloading other malware, an updated copy of the virus itself, and many other malicious purposes.

USB drives: Culprits this year

This year we also saw increased use of USB drives as a medium for transferring worms, viruses and other types of malware. The malware would drop an AUTORUN.INF and a copy of itself on any device connected and mounted as a USB drive.

The AUTORUN.INF contains a reference to the dropped malware copy on the device. So when the device is connected to any other system, that system gets infected if AUTORUN is on. Our Virus Lab was flooded with new variants of Worm.Autorun, which used the above method to spread across systems and networks.
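The spread mechanism described above comes down to a few keys in the [autorun] section of an INI-style file. The block below is an added example, not Quick Heal's code and not a real Worm.Autorun sample: it parses an AUTORUN.INF leniently (worm-written files pad in junk lines, odd spacing and mixed case) and reports every entry that would launch a program from the drive. The two sample files and the function names are constructed for illustration.

```python
"""Parse an AUTORUN.INF from removable media and flag entries that would launch code.

Added example; not Quick Heal's code. WORM_SAMPLE and BENIGN_SAMPLE are constructed,
modelled on the Worm.Autorun pattern (a dropped copy referenced from AUTORUN.INF).
"""

# [autorun] keys that make Windows run a file on insertion or double-click, plus
# context-menu verbs of the form shell\<verb>\command.
LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")


def parse_autorun(text: str) -> dict:
    """INI-style parse -> {section: {key: value}}, with section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                   # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                                   # junk outside a section or without key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _program_path(value: str) -> str:
    """First token of a command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_entries(text: str) -> list:
    """(key, program) pairs for every entry that runs something when the drive is used."""
    auto = parse_autorun(text).get("autorun", {})
    out = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append((key, _program_path(value)))
    return out


def is_suspicious(text: str) -> bool:
    """True if any launch entry points at a runnable file; a dropped worm copy always does."""
    return any(program.lower().endswith(EXECUTABLE_EXT) for _, program in launch_entries(text))


# Constructed sample: a worm copy under system\ plus the folder icon and "Open folder"
# text that make the AutoPlay entry look like the ordinary Explorer choice.
WORM_SAMPLE = """[AutoRun]
;padding line a worm might leave
open = system\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command="system\\setup.exe"
shellexecute=system\\setup.exe
shell=open
"""

BENIGN_SAMPLE = """[autorun]
icon=driveicon.ico
label=Backup Drive
"""


if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "launch entries:", launch_entries(sample), "suspicious:", is_suspicious(sample))
```

On the host side the check that matters is whether AutoRun is honoured at all: setting the Explorer policy value NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables it for every drive type, and Microsoft later shipped a fix (KB967715) because earlier systems did not fully honour that value.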

Topping our list of adware was Adware.VirtuMonde. It causes popups and advertising for rogue anti-spyware programs, and sporadic other misbehavior including performance degradation and denial of service with some websites, including Google.

The program periodically makes an HTTP connection to download commands and popup advertisements. The user's desktop background is changed to the image of an installation window saying there is adware on the computer. The screensaver is also changed to a Blue Screen of Death (BSOD).

In mid-2008, thanks to Dan Kaminsky of IOActive, security professionals, ISPs and other Internet service providers were made aware of a potential attack exploiting weaknesses in the DNS protocol itself.

The weakness is inherent to the DNS protocol and not specific to any single implementation. The DNS protocol uses the Query ID field to match incoming responses to previously sent queries.

The Query ID field is only 16 bits, which makes it an easy target in the particular spoofing scenario described by Kaminsky. Before public disclosure, most of the affected vendors were advised to patch their applications.
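The block below is an added example (not Quick Heal's or Kaminsky's code) of the matching a resolver does on an incoming response, and of why a 16-bit ID alone is too little. It models a resolver that keeps a table of outstanding queries and accepts a datagram only if the server address, the local port it arrives on, the ID and the question section all match; the same model with a single fixed source port is the pre-patch case. The fixed port 32768, the packet builders and the helper names are assumptions for illustration. The probability function shows the number the patch was about: source-port randomization adds roughly 16 more bits the attacker has to guess.

```python
"""Resolver-side checks on a DNS response, and the odds of forging one.

Added example; not Quick Heal's or Kaminsky's code. FIXED_SOURCE_PORT and the
minimal packet builders are assumptions made for illustration.
"""
import random
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FIXED_SOURCE_PORT = 32768          # assumed: a resolver that reuses one UDP port for every query


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_packet(txid: int, name: str, qtype: int = 1, response: bool = False) -> bytes:
    """Header plus one IN-class question. Flags: 0x0100 = RD (query); 0x8180 = QR|RD|RA (response)."""
    flags = 0x8180 if response else 0x0100
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_packet(pkt: bytes) -> dict:
    """Header fields plus the first question (label compression never appears in a question)."""
    txid, flags, qd, _an, _ns, _ar = HEADER.unpack_from(pkt)
    if qd < 1:
        raise ValueError("no question section")
    pos, labels = HEADER.size, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln >= 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack_from("!HH", pkt, pos)
    return {"id": txid, "qr": flags >> 15, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


class Resolver:
    """Tracks outstanding queries; accepts a response only when every guessable field matches."""

    def __init__(self, random_ports: bool, rng=None):
        self.random_ports = random_ports
        self.rng = rng or random.SystemRandom()
        self.outstanding = {}  # (server_ip, local_port, txid) -> (qname, qtype)

    def send(self, server_ip: str, name: str, qtype: int = 1):
        txid = self.rng.getrandbits(16)
        port = self.rng.randint(1024, 65535) if self.random_ports else FIXED_SOURCE_PORT
        self.outstanding[(server_ip, port, txid)] = (name.lower(), qtype)
        return port, build_packet(txid, name, qtype)

    def accept(self, src_ip: str, src_port: int, local_port: int, pkt: bytes) -> bool:
        if src_port != 53:
            return False
        try:
            info = parse_packet(pkt)
        except (ValueError, IndexError, struct.error):
            return False                      # malformed or truncated datagram
        if info["qr"] != 1:
            return False                      # a query, not a response
        key = (src_ip, local_port, info["id"])
        expected = self.outstanding.get(key)
        if expected is None:
            return False                      # unknown server, wrong local port, or wrong ID
        if (info["qname"].lower(), info["qtype"]) != expected or info["qclass"] != 1:
            return False                      # question section does not match what we asked
        del self.outstanding[key]             # first matching answer wins; later ones are dropped
        return True


def spoof_success_probability(forged_responses: int, id_bits: int = 16, port_bits: int = 0) -> float:
    """P(at least one of `forged_responses` guesses lands) when the attacker must guess
    id_bits + port_bits bits before the genuine answer arrives. With only the 16-bit ID,
    65,536 forged packets give about a 63% chance per triggered query; with ~16 extra bits
    of source-port entropy the same flood succeeds about 0.0015% of the time."""
    space = 1 << (id_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** forged_responses


if __name__ == "__main__":
    for bits in (0, 16):
        print(f"port entropy {bits:2d} bits, 65536 forged responses: "
              f"{spoof_success_probability(65536, port_bits=bits):.6f}")
```

In Kaminsky's scenario the attacker triggers a fresh query for a random name under the target zone each time, so every attempt is a new 1/2^16 lottery and the fixed-port resolver falls within minutes; the 0x20 case-randomization check on the question name is why the question comparison above must be exact on the echoed name as well.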

The year also saw a rise in rogue security applications: rogue scanners masquerading as anti-virus, anti-spyware or other security software, claiming the user's system is infected in order to trick them into paying for a full version.

In some cases, users who pay for the full version of a rogue scanner product will end up with erroneous charges on their credit card after purchase. For example, a rogue scanner may claim the price is $49 but the charge that appears on the credit card may be as high as $190 or more.

XP Antivirus is an example of the new generation of malware that is smart enough to easily fool even advanced PC users and Internet surfers. XP Antivirus behaves differently on different computers depending on at what stage of installation it has been caught, but generally the appearance of XP Antivirus pop-ups can end up in:

Desktop icons and folders messed up or disappeared;
Start button and taskbar disappeared;
User's settings corrupted;
Desktop background wallpaper changed;
An annoying screensaver you've never seen before;
Task Manager disabled;
Windows clock appearance changed;
Windows unable to boot;
Internet Explorer not working.

During mid-2008 we were seeing two to three new websites appearing with rogue security and other applications. After the removal of EstDomains we witnessed some drop in the emergence of new rogue websites. Also, the rogue websites that were already hosted with EstDomains were consequently closed.

Downturn resulted in upsurge in phishing attacks

With the meltdown of the financial markets we saw a rise in phishing attacks. The phishing mail claimed to be from the user's financial institution and sought personal information. The top 5 financial institutions targeted by phishing scams over the whole year were:

JPMorgan Chase and Co., PayPal, Bank of America Corporation, eBay, Inc., and HSBC Group.

By the end of 2008, for a short while, we saw the rate of spam distribution go down by 65%. The reason for this decrease was the removal of a large number of command-and-control spam servers (C&Cs) located on McColo's networks, which was running behind EstDomains.

During this period we also observed the absence of political spam that included links to Canadian pharmacy websites. However, many of the spam subjects that had abruptly disappeared were coming back from other networks.

In December 2008, after the release of Microsoft's monthly patches (Patch Tuesday), a new zero-day exploit was discovered in Internet Explorer and its existence in the wild was confirmed. The exploit was a typical heap overflow that appeared to be exploiting something in the XML parser.

Later Microsoft had to release an update outside its regular cycle, given the severity and the availability of the exploit in the wild.

Summarizing the whole year, we have seen fast-flux domains being used to distribute malware. The malware writers have become more professional. By professionalism we mean that they are putting in more effort and committing the crime in a more organized way, as seen with the rogue software. After so many years of effort by the security community, ICANN has started scrutinizing registrars and their offerings.

Looking Ahead 2009

For the coming year, we predict that we will see more organized crime and targeted attacks. Public forums and networking websites will be targeted for attack and for the distribution of malware. The mobile environment will start feeling the pinch of malware as more and more devices are introduced.

The flood of malware samples will continue to flow into our Virus Lab as custom packers and server-side polymorphism continue to exist.

In all, the situation will keep on getting worse. On a positive note, we will also see new technologies on the IT security front.
