Kaspersky Lab: Review of 2004 Shows Malware Continuing at Unrelenting Pace

Kaspersky Lab has announced today its annual Malware Development Review. The full review, which will be published on Kaspersky Lab’s VirusList website (www.viruslist.com) in December, notes that while 2004 has seen the development of malware and its methodology continuing at an unrelenting pace, it was not all bad news – there were also a significant number of arrests of malicious code writers.

The review also concludes that most of the malware that has been endured this year was a development and refinement of code that has been seen before but with some interesting new trends, for example the use of links in e-mails as an alternative to attached files. David Emm, Senior Technology Consultant, Kaspersky Lab notes in the review, “So far, e-mails containing links have not been treated with suspicion by recipients, many of whom are much more likely to follow a link than they are to double-click an attachment. In addition, this method effectively ‘skips over’ the perimeter defences deployed at the Internet gateway by many enterprises.

Much of today’s malware is a composite ‘bundle’ containing several pieces of code. Increasingly this includes a Trojan of one kind or another. Typically Trojans are dropped onto the system by a virus or worm. Since Trojans do not have their own on-board replication capability, they are often perceived as being less dangerous than viruses or worms. Yet their effects can be dangerous and far-reaching. Not only are they becoming more sophisticated, they are also being put to an increasing number of malicious uses.”

A related, and worrying, trend is the commercialisation of the use of malware and the ever increasing involvement of dangerous international criminal gangs. The use of Trojans to steal confidential data, to launch DDoS attacks and to distribute spam e-mail has added this further sinister dimension to the problem. David Emm explains “It’s clear that the computer underground has realised the potential for making money from their creations in a wired world.”

“This includes the use of ‘zombie’ machines leased to the highest bidder as a platform for spam distribution. Or the use of extortion, where the same ‘zombie’ machines are used to launch a ‘demonstration’ DDoS attacks on a victim as a way of extorting money [pay up or we’ll take down your site with a full-scale DDoS attack]. In addition, there is theft of login information to gain access to corporate network resources. And the use of ‘phishing’ scams to trick unsuspecting users into providing their bank details.”

2004 has also seem the use of system exploits to infect vulnerable machines become a major trend since it was popularised by Lovesan last year. Some of this year’s malware, Sasser, Padobot and Bobax for example, use only the exploitation of system vulnerabilities as their sole method of attack. Others, like variants of Bagle, Nestsky and Mydoom have combined this with other methods of infection to increase their chance of propagation.

Amongst many issues highlighted by the review is the battle between rival coders, the emergent threat to wireless devices and the use of e-mails with password protected attachments.