An Overview Of Virus Activity in 2003

Kaspersky Labs, a leading information security software developer, presents the annual review of malicious programs. The material below contains information about major virus outbreaks which occurred in 2003, expert opinion about malicious program trends and Kaspersky Labs forecasts for the future.

>>> Introduction

9 major virus outbreaks were registered in 2003, and 26 less significant ones, which were mainly of a local nature. This figure is lower than that of 2002, when there were 12 major outbreaks and 34 minor incidents. However, even though the number of outbreaks has decreased, the scale and the impact they have on the Internet has increased significantly.

>>> Major virus outbreaks

There were two global outbreaks in 2003, which were the biggest in the history of the Internet. It should be noted that these outbreaks were not caused by classic email worms, but by worms modified for the Internet which spread as network data packets.

The foundations of the first outbreak were laid on the 25th January by the Internet worm Slammer (Helkern), which used a vulnerability in the Microsoft SQL Server in order to replicate. Slammer became the first fileless Internet worm which fully demonstrated the capabilities of flashworms, first described in 2001. On 25th January 2003, in a matter of mere minutes, the worm infected millions of computers throughout the world, and increased network traffic by between 40% and 80% (estimates vary), causing national backbone servers to crash. The worm attacked though ports 1433 and 1434; on penetration it did not replicate itself on the disk, but simply remained in the memory of the infected machine. An analysis of the outbreak shows that the worm probably originated form East Asia.

The second outbreak, which was no less damaging than the first, was started on the 12th August by Lovesan (Blaster). Lovesan clearly demonstrated to the entire world just how vulnerable the popular operating system Windows is. Lovesan used a Windows security breach to propagate. However, in contrast to Slammer, Lovesan used a breach in the RPC DCOM service, which is present on every computer working under Windows 2000/XP. This meant that the majority of Internet users that day were exposed to the worm.

Only a few days after the worm first appeared, three other versions of Lovesan were detected. Then the Welchia worm, which used the same Windows breach, exploded onto the Internet. However, Welchia differed from the original worm. It deleted copies of Lovesan on infected computers, and attempted to install a patch for the RPC DCOM service.

2003 was the year of ceaseless email worm outbreaks. Ganda and Avron were detected in January. The former was written in Sweden, and is still one of the most widespread email worms in Scandinavia. The author was arrested by the Swedish police at the end of March. Avron was the first worm written in Kazakhstan to cause a global outbreak. The source code of the worm was published on virus web sites, which led to the creation of several less successful versions of the worm.

January also saw the appearance of the first worm in the Sobig family, which caused regular outbreaks. Version Sobig.f broke all records, becoming the most widespread email worm in the history of the Internet. At the peak of the outbreak in August, Sobig.f could be found in every 20th email message.

This particular piece of malicious program was especially dangerous: one of the aims of the authors of the Sobig family was to create an infected network of computers in order to carry out distributed DoS attacks on random web sites. The infected network of computers was also intended to act as a proxy servers for distributing spam.

The email worm Tanatos.b was another notable piece of malicious program which appeared in 2003. The first version of Tanatos (Bugbear) was written in mid 2002, with the second version appearing nearly a year later. The worm used a breach long known about in the Miscosoft Outlook security system (the IFRAME breach) to automatically launch itself from infected messages.

The latest worms in the Lentin (Yaha) family continued to appear. According to current data they were all created in India by one of the local hacker groups in the course of a virtual war being conducted between Indian and Pakistani hackers. The most widespread were versions M and O, where the virus replicated in the form of a ZIP archive attached to infected messages.

Virus writers from Eastern Europe were also active in 2003. The second worm from the former USSR to cause a global outbreak was Mimail. The worm used a vulnerability in Internet Explorer to replicate itself, and the vulnerability became known as Mimail-based. The vulnerability allowed the extraction and execution of binary code from an HTML file and was first exploited in Russia in May 2003 by Trojan.Win32.StartPage.L. Following this, the vulnerability was used by the Mimail family of worms and a number of Trojan programs. The author of Mimail published the source code on the Internet, giving rise to several new versions by virus writers from other countries, including the USA and France.

September 2003 was the month of the Internet worm Swen. Swen disguised itself as a Microsoft patch, infected hundreds of thousands of computers throughout the world, and to this day remains one of the most widespread email worms. The virus author was able to successfully exploit the fact that users were already unsettled by the recent Lovesan and Sobig.f incidents and were therefore likely to instantly install the so-called patch.

There were two other major security events which should be mentioned. The first of these was caused by Sober, a relatively simple email worm written by a German in imitation of the leader of the year, Sobig.f. The second of these was the backdoor Trojan Afcore: in spite of the fact that it did not spread widely, it is worth a certain amount of attention due to the interesting way it conceals itself in a system, by writing its code to alternate data streams of the NTFS file system. Even more interesting, Afcore does not use the alternate data streams of files but of directories.

>>> The top ten viruses in 2003*

Ranking Name of malicious software Percentage
1 I-Worm.Sobig 18,25%
2 I-Worm.Klez 16,84%
3 I-Worm.Swen 11,01%
4 I-Worm.Lentin 8,46%
5 I-Worm.Tanatos 2,72%
6 I-Worm.Avron 2,14%
7 Macro.Word97.Thus 2,02%
8 I-Worm.Mimail 1,45%
9 I-Worm.Hybris 1,12%
10 I-Worm.Roron 1,01%

*data from email traffic monitoring

>>> Types of malicious programs

Throughout the year worms remained the dominant type of malicious programs. Viruses rank second, thanks to the activity of the macro viruses Macro.Word97.Thus and Macro.Word.Saver. However, in the autumn of 2003 Trojan programs overtook viruses, and this trend still continues.

>>> Trends

The most noticeable trend in 2003 was the way in which worms dominated. Moreover, within this category, there was a worrying increase in the number of Internet worms over classic email worms. Kaspersky Labs predicts that this trend will be maintained, and Internet worms should become the dominant form of malicious code in 2004. This highlights the utter necessity to install not only anti-virus protection, but also firewalls on every computer and corporate network.

The discovery of breaches in operating systems and applications is a cause for great concern. In previous years, the vulnerabilities which were used to penetrate systems had been known about for a long time, and patches already existed for the breaches, but in 2003 this time frame collapsed to a matter of weeks.

The interval between the discovery of a vulnerability and an attack exploiting the vulnerability is becoming shorter and shorter. In the case of Slammer, the breach in the Microsoft SQL Server was known about for more than six months prior to the attack. In a couple of months, the instructions on how to exploit the breach were published in several places on the Internet. However, Lovesan, the next worm used to attack the Internet on 12th August 2003, appeared only 26 days after a patch was issued to secure the RPC DCOM vulnerability in MS Windows. The computer underground has come to the understanding that attacking through a security breach is the most effective method of penetrating computers and is actively making use of this idea. As a result virus writers receive information about the newest vulnerability and quickly write malicious programs. The Trojan program “StartPage” was registered as spreading on 20th May 2003. It penetrated through the “Exploit.SelfExecHtml” breach, and at the time there was no patch for this vulnerability. Given this, it may be that in the near future breaches may come to light thanks to reports of new viruses, rather than vendors’ reports on the issuing of patches

In 2003, the tendency of the previous year towards malicious programs for new platforms and applications was broken. In 2002, virus writers attacked Flash technologies, SQL Servers, and file sharing networks (KaZaA). This year virus writers confined themselves to attacking the cartographic application MapInfo: MBA.Kynel, a virus written by a Russian in MapBasic managed to successfully infect documents of this format and was even discovered by Kaspersky Labs in the wild. The trend of 2002 towards backdoor programs (unauthorised remote administration utilities) and spy programs continued. The most notable representatives of these classes were Agobot and Afcore. There are currently more than 40 modifications of Agobot due to the fact that the program’s author was able to create a network of several web sites and IRC channels, where anyone who wanted was able to become the owner of an exclusive version of the backdoor for payment upwards of $150. The malicious software would be written to order in accordance with the order of the client.

A new trend in 2003 was the increasing appearance towards the end of the summer of a new class of Trojan programs, TrojanProxy, intended for illegal installation of proxy servers. This was the first and most noticeable sign of the appearance of mixed threats, a cross between viruses and spam. Computers infected by such Trojans were then used by spammers for the distribution of unsolicited email, while the owner of the computer might be unaware of such abuse.

It is clear that spammers also participated in several major outbreaks where the initial replication of the malicious software used spamming technology (Sobig).

Worms also developed actively, replicating by stealing passwords to remote network resources. Such worms, as a rule, are based on IRC clients, scan the addresses of IRC channel users, and then attempt to penetrate the users’ computers, using the NetBIOS protocol and port 445. In this family, one of the most notable representatives was the worm family Randon.

In conclusion, malicious software is now starting to appear which includes retroviruses: viruses that have inbuilt protection against anti-virus programs and firewalls. In fact, these viruses usually attempt to delete information security products from computers. Swen, Lentin and Tanatos are all examples of such programs.

Don't miss