Threat Summaries Volume 1: 2006 - 2002 - F

THREAT SUMMARIES
VOLUME 1
2006 - 2002

CONTENTS
2006 .......... 2
2005 .......... 14
2004 .......... 23
2003 .......... 31
2002 .......... 39
This document contains a compilation of all the
Threat Summaries released by F-Secure Labs during
the years 2002 to 2006, in reverse chronological order.
This document is followed by Threat Summaries
Volume 2: 2011 to 2007.
For threat landscape coverage and malware research
details from the years after 2011, see the Threat Reports
and Mobile Threat Reports available from F-Secure
Labs: Whitepapers.
THREAT SUMMARIES V. 1 2006 - 2002
2
2006
H2 2006 THREAT SUMMARY
As 2006 winds to a close, the basic trends in the data security world and
its counterpart in the malware community seem, for the time being,
relatively predictable.
Although the number of known viruses kept growing at a steady pace,
year 2006 witnessed a remarkable step down in the volume of visible
attacks by worms, viruses and other malware. At the same time, however,
targeted attacks using backdoors, booby trapped document files and
rootkits became increasingly commonplace. Also spam reached new
record-breaking heights.
In place of widespread malware assaults, 2006 has been characterized
by targeted attacks which do not make the headlines and which have
typically one motivation - money. In such scenarios, a hacker may
target a single company, use a cloaking device like a rootkit to conceal a
backdoor and extract valuable information for their own financial gain or
that of the person(s) interested in having such data. Many of these cases
use forged emails with a booby-trapped Microsoft Office document as
the way to gain entry.
The other more visible malware assault motivated by money is phishing.
2006 has seen a significant increase in the kinds of scams that use clever
social engineering techniques and well-engineered bogus websites to
separate the unwary from their money. And obviously phishing works
since the attacks continue to build in force and complexity. Lately,
phishers have been using websites with an average life of just one hour to
try to entice web users before disappearing off the radar.
PayPal and eBay continue to be the most targeted organizations for
phishing attacks, but some German banks are climbing up the ranks.
This finding was confirmed in November by Phishtank, a service run by
OpenDNS which published their first set of phishing statistics.
Bogus domain names support phishing
In October, the F-Secure Research team’s interest was piqued in the
active aftermarket in domain names. These are domain names that have
already been registered and are now being resold. For example, such sites
as hell.com and auction.com which came up for sale in October were
expected to be sold for several million dollars each - quite a price mark up
for sites that were originally registered for something like 5 to 15 USD.
Typically, however, most domain names are resold for a few hundred
or a few thousand dollars and the largest domain resellers for such
transactions are Sedo and Moniker. The Research team was particularly
interested in the resale of domains that obviously belong to banks or
other financial institutions - domains like chasebank-online.com, citibank.com and bankofameriuca.com.
The list included something like 30 more sites for resale, all very similar in name to their legitimate counterparts. The question is, why would anybody want to buy these domains unless they are the bank themselves - or a phishing scammer?

The Research team also found out that the companies in question are reselling accented domain names that have been created using the letters “á” and “í” with an apostrophe instead of the normal “a” or “i” to create highly deceptive domain names like vísa.com, pàypal.com and paypàl.com - almost indistinguishable from the legitimate sites. Sedo responded to the questionable nature of selling site names which appear to be legitimate sites but are not. Sedo’s general counsel, Jeremiah Johnston, said his company wants to “balance the rights of all users” and added that at times, trademark owners “harass a lot of legitimate domain owners.”

Continuing the phishing line, in late August the Research team were given a heads-up to a PayPal phishing site apparently designed to perform a man-in-the-middle attack on a user’s password. The site displayed a genuine-looking login box, and the user had to type in a valid PayPal user name and password. The assumption by the team was that the scammer had created a shadow login to the real PayPal site behind the scenes. Anybody falling victim to the phisher would relinquish both their password and most likely their credit card number too if they fell for this highly convincing ruse. Luckily, the alert came before it was actually spotted in the wild and abuse notices about the phishing site were sent to the appropriate authorities. We expect man-in-the-middle phishing to become a real issue in the future.

On the same theme of legitimate companies supporting the activities of illegitimate enterprises, at the end of August, Tripod, the free web hosting service from Lycos, was found to have a number of phishing sites hosted on their servers. Some examples of sites that were active included:
• pay-pal-redirect.tripod.com
• pay-pal-jack-pot.tripod.com
• pay-pal-upgrade.tripod.com/asfafsa.html
• gontham5.tripod.com/paypal.html
• wakabu2.tripod.com/paypal.html
• pp-account.tripod.com/paypal.html

The Research team wondered why Tripod had not done more to prevent people from creating new hosts with names like “pay-pal-redirect”, or at least every now and then scanning user-created content to find obvious copies of eBay or PayPal login pages. In all instances, abuse messages were sent about the above sites to both Tripod and PayPal; ten hours later, five had been taken offline by Tripod.
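The three lookalike patterns described above (accented letters such as vísa.com, a brand name buried among extra tokens such as chasebank-online.com or pay-pal-redirect.tripod.com, and one-letter typos such as bankofameriuca.com) can be screened for mechanically. The following is an added example, not F-Secure's code; BRANDS and LEGIT are assumed stand-ins for an organisation's own watch list.

```python
"""Flag domain names that impersonate a watched brand (added example)."""
import re
import unicodedata

# Assumed watch list: brand tokens to look for and the domains allowed to carry them.
BRANDS = ("paypal", "ebay", "visa", "citibank", "chase", "bankofamerica")
LEGIT = {"paypal.com", "ebay.com", "visa.com", "citibank.com",
         "chase.com", "bankofamerica.com"}


def fold_confusables(text: str) -> str:
    """Decompose accented letters and drop the combining marks: 'vísa' -> 'visa'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typos such as 'bankofameriuca'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Reduce 'http://host/path' or 'host/path' to the lower-cased host name."""
    return url.split("//")[-1].split("/")[0].rstrip(".").lower()


def lookalike_reasons(url: str) -> list:
    """Return why the host looks like a brand impersonation; [] means no match."""
    host = host_of(url)
    if host in LEGIT:
        return []
    reasons = []
    # 1. Accent folding: does the host become a legitimate domain once marks are gone?
    folded = fold_confusables(host)
    if folded != host and folded in LEGIT:
        reasons.append("homoglyph:" + folded)
    # 2. Every label except the TLD, reduced to ASCII letters, so that
    #    'pay-pal-redirect' and 'chasebank-online' become 'paypalredirect'
    #    and 'chasebankonline' before the brand tokens are searched for.
    for label in host.split(".")[:-1]:
        squashed = re.sub(r"[^a-z]", "", fold_confusables(label))
        for brand in BRANDS:
            if squashed == brand:
                reasons.append("brand-label:" + brand)
            elif brand in squashed:
                reasons.append("embedded-brand:" + brand)
            elif len(brand) >= 5 and edit_distance(squashed, brand) == 1:
                # Short brands are skipped here to avoid noise from common words.
                reasons.append("typosquat:" + brand)
    return reasons


def triage(urls) -> dict:
    """Map each URL that raises at least one reason to its list of reasons."""
    flagged = {}
    for url in urls:
        reasons = lookalike_reasons(url)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed input mixing the cases quoted in the text with legitimate hosts.
    sample = ["paypal.com", "vísa.com", "paypàl.com", "chasebank-online.com",
              "bankofameriuca.com", "pay-pal-upgrade.tripod.com/asfafsa.html",
              "gontham5.tripod.com/paypal.html", "tripod.com"]
    for url, why in triage(sample).items():
        print(url, "->", ", ".join(why))
```

Hosts such as gontham5.tripod.com, where the brand name appears only in the page path, are deliberately not flagged by this host-name check; that is the case the text says needs scanning of user-created content rather than host names.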
Warezov makes headlines and headaches
During 2006, we’ve only seen two large “traditional” email
worm outbreaks: Nyxem and Warezov.
The Warezov mass-mailing worm attacks started in
August. Warezov and its many variants sent themselves
as e-mail attachments to addresses found on computers
it had infected. In some cases, the infected attachment
could start automatically. In other cases, the system was
infected when the user opened the attachment. Warezov
also attempts to download updated variants of itself from
specified website(s) on the Internet.
After the worm’s file is run, it shows a message box as
a decoy. It installs itself so that it runs when Windows is
started. When activated, it installs itself to the system and
creates a startup key for itself in the Windows registry. It
then stays active in the system’s memory. While active,
the mass-mailer searches for specific files (HTML files for
example) on all available hard disks for e-mail addresses.
Finally, it connects to an available mail server and sends
itself to all the addresses it has found.
What was interesting about this worm was the fact that it
was able to spread on its own, just like e-mail worms from
earlier years, and it was by far the most actively spammed
attack during 2006. All the variants initially used the same
website to download additional components and updates:
gadesunheranwui.com - a domain registered by the
authors of this malware just for this reason.
By November, Warezov’s purpose had been revealed
as a highly coordinated exercise in spam propagation.
Warezov-infected machines were shown to download
additional components which, after a variable delay,
started sending out spam messages advertising Viagra,
Vialis, Valium, and Xanax clones. Spam messages like the
following:
And when comparing the domain names used in the virus
to domains shown in the spam messages, we can see that
they overlap, proving that these are all part of a single
operation:
The Research team made the connection between the
virus and the spam just by looking at the domain names
used by the Warezov gang for both the virus component
download and for the hosting of the fake Viagra sites.
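The connection described above rests on two pivots: hosts seen in downloader URLs also appear in the spam, and the domains share registration details. The following added example (not F-Secure's code) carries out both pivots over a constructed data set: only gadesunheranwui.com and yuhadefunjinsa.com are taken from the text; every `.invalid` domain and every registrant assignment is made up for the example.

```python
"""Link a malware downloader to a spam campaign via shared infrastructure (added example)."""
from collections import defaultdict

# Constructed: download URLs extracted from three downloader samples.
DOWNLOADER_URLS = {
    "sample-a": ["http://gadesunheranwui.com/chr/grw/lt.exe"],
    "sample-b": ["http://yuhadefunjinsa.com/chr/grw/lt.exe"],
    "sample-c": ["http://pillhost-one.invalid/chr/grw/lt.exe"],
}
# Constructed: links harvested from the pharmacy spam messages.
SPAM_LINKS = [
    "http://pillhost-one.invalid/?ref=1",
    "http://pillhost-two.invalid/buy",
    "http://unrelated-shop.invalid/",
]
# Constructed WHOIS registrant field per domain (assignments are made up).
REGISTRANT = {
    "gadesunheranwui.com": "Wang Pang",
    "yuhadefunjinsa.com": "Bai Ming",
    "pillhost-one.invalid": "Wang Pang",
    "pillhost-two.invalid": "Bai Ming",
    "unrelated-shop.invalid": "Someone Else",
}


def host_of(url: str) -> str:
    """Reduce a URL to its lower-cased host name."""
    return url.split("//")[-1].split("/")[0].rstrip(".").lower()


def downloader_hosts(samples: dict) -> set:
    """All hosts contacted by any downloader sample."""
    return {host_of(u) for urls in samples.values() for u in urls}


def spam_hosts(links) -> set:
    """All hosts linked from the spam."""
    return {host_of(u) for u in links}


def shared_infrastructure(samples: dict, links) -> set:
    """Pivot 1: hosts that serve malware updates AND are advertised in spam."""
    return downloader_hosts(samples) & spam_hosts(links)


def registrant_groups(hosts, whois: dict) -> dict:
    """Pivot 2: cluster hosts by the registrant name in their WHOIS record."""
    groups = defaultdict(set)
    for host in hosts:
        groups[whois.get(host, "unknown")].add(host)
    return dict(groups)


def campaign_hosts(samples: dict, links, whois: dict) -> set:
    """Spam hosts attributable to the downloader operation: the direct overlap
    plus any spam host registered to the same name as a downloader host."""
    dl, sp = downloader_hosts(samples), spam_hosts(links)
    dl_registrants = {whois[h] for h in dl if h in whois}
    linked_by_registrant = {h for h in sp if whois.get(h) in dl_registrants}
    return (dl & sp) | linked_by_registrant


if __name__ == "__main__":
    print("shared:", sorted(shared_infrastructure(DOWNLOADER_URLS, SPAM_LINKS)))
    all_hosts = downloader_hosts(DOWNLOADER_URLS) | spam_hosts(SPAM_LINKS)
    for name, hosts in registrant_groups(all_hosts, REGISTRANT).items():
        print(name, "->", sorted(hosts))
    print("attributed:", sorted(campaign_hosts(DOWNLOADER_URLS, SPAM_LINKS, REGISTRANT)))
```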
Warezov is spread by spamming slightly modified versions
of the downloader component. This is modified by the
spammers as soon as major antiviruses add detection
for that particular component. Once the downloader is
executed on a computer, it connects to a download URL.
A typical URL would be, for example:
• yuhadefunjinsa .com/ chr/grw/ lt.exe
The spam messages link to fake Viagra sites like these:
Interestingly, the domains used by the fake Viagra shops not only have similar sounding names to the downloader URLs but also have the same registration information. All the domains we’ve seen can be categorized according to just three different groups: domains registered to “Wang Pang”, “Dima Li” or “Bai Ming”.

Still in November, Warezov continued its run, and F-Secure continued to add detections at the same rate. With many of the parts of the jigsaw falling into place, new variants of the worm are now automatically blocked using F-Secure Internet Security 2007’s System Control feature. Nevertheless, the Warezov worm seems to be a malware that will continue to cause headaches for researchers and users for some time to come.

Social networking sites under worm threat
At the end of July, the Research team came across further
examples of Web Application Worms exploiting persistent
Cross Site Scripting (XSS) vulnerabilities in websites. This
is a new category of malware and a growing concern for
popular websites. Social Networking sites seem to be the
most popular target right now thanks to their immense
popularity and user bases. MySpace has already been hit
by two such worms - the Samy worm in October 2005
and by a “Flash” worm in July 2006. Samy was written by
somebody who wanted to become popular on MySpace.
The malware author in question designed the worm to
crawl through the site while furiously adding people to his
friends list. The result: over a million “friends” in a couple
of hours. The MySpace Flash worm exploited vulnerability
in Macromedia Flash to redirect MySpace users to an
objectionable webpage.
In July, MySpace was also the target of a malicious banner
advertisement that ran on the site. It used the WMF
vulnerability in Windows to serve adware to more than a
million users with unpatched machines.
Following these attacks we decided to see how secure
other popular social networking sites are against
“wormable” XSS vulnerabilities. We picked out two of the
top social networking sites with a reported combined
user base of 80 million. Within half an hour we had
discovered over half a dozen potentially “wormable”
XSS vulnerabilities in each site! We stopped looking
after finding half a dozen, but we are sure there are a lot
more holes in there. With about a day’s work a malicious
attacker with a half-decent knowledge of javascript could
create a worm using just one of these vulnerabilities.
And here’s something to consider: The WMF banner
ad successfully reached about one million users. An
automated worm utilizing a similarly malicious WMF
exploit or a similar browser exploit - maybe even a zero-day exploit - could potentially reach a much, much larger
audience of unpatched machines. Theoretically, this could
be the entire user base...
We recommend end users to patch their computers and
that web application developers start taking security
seriously. XSS issues have stopped being funny for a
long time now. They are a real danger with the advent
of phishing and Web application worms that can exploit
a mass user base of millions of users within a very short
time. Of course, the Research team reported the issues to
the affected websites and are working with them to get
the issues fixed. The writing is on the wall - let’s hope the
malware community can’t read that quickly.
VML Exploit put IE users at risk

In late September, F-Secure reported a VML Exploit on Internet Explorer in the wild that allowed for the remote execution of code with the only action necessary to become infected being to view a malicious webpage using Internet Explorer or an HTML formatted e-mail. Fortunately for IE users, Microsoft published a prompt Microsoft Security Advisory (925568) regarding the issue and an update was scheduled for October. Users were advised to unregister the susceptible dll from the system as a workaround for the vulnerability.

For most users, the vulnerability represented a limited threat since the vgx.dll component solely handles Vector Markup Language (VML) - something not too many websites use these days. Microsoft’s Outlook e-mail client was also potentially vulnerable to this exploit but fortunately again, e-mail is treated as if from Restricted Sites by default, where Binary and Scripting Behaviors are disabled.

Research team boosted by Kuala Lumpur security laboratory

F-Secure opened a new Asian Technology Centre in Malaysia in September 2006. This is the home to the F-Secure Security Labs in Kuala Lumpur. Malaysia was selected as a key hub for Asian operations for its well qualified human resources, the country’s initiative to encourage high tech companies to set up business there and its strategically optimal time zone. Given the time difference between the F-Secure labs monitoring the global malware situation, work shifts are conveniently split without much overlap. In this way, F-Secure is able to maintain its promise to respond faster to virus outbreaks than its competitors.
Mobile malware - the usual suspects and a few notable oddities

On the mobile front, there was the usual steady advance of mobile malware and their variants in the last half of 2006. By July the number had exceeded the three hundred mark and continued its rise. As in earlier times, Symbian continues to be the platform of choice for the majority of mobile malware authors, reflecting the preponderance of the platform in the smartphone market.

Cross-platform worms - the malware of the future?

In late autumn, the Research team encountered a cross-platform worm that is theoretically capable of spreading from a PC to a mobile device and back again. The “Mobler” worm, as it has been labeled, moves between Symbian and Windows platforms. Although its payload on the Windows side is significant, it doesn’t cause much harm on the Symbian device, rather copying itself to the memory card and trying to trick the user into infecting his or her PC.

Technically speaking, there is no automatic spreading mechanism for Mobler to copy itself from one platform to another. It just creates a Symbian installation package that inserts a Windows executable on the mobile device’s memory card. This executable is visible as a system folder in Windows Explorer so potentially it is possible for the user to accidentally open it and infect their PC while browsing the memory card’s files.

Mobler poses no immediate risk to mobile device users in its present form. However, it’s possible that virus writers might use it as a basis for more malicious malware. But then again, that could be said of previous cross-platform viruses and thus far a heavy hitter has failed to materialize.

Commwarrior - again...

Also in late autumn, the Research team received a new Commwarrior sample - SymbOS/Commwarrior.Q. Nothing remarkable about that except the fact that Commwarrior.Q is not just a hexedit of Commwarrior.B but rather a new variant with additional functionalities.

Commwarrior.Q is based on Commwarrior.C and has the same functionality as Commwarrior.C and more. Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages, and infects any memory card inserted into the device. Additionally, Commwarrior.Q searches the infected device for any SIS file installation packages and injects itself into any that it finds. That means that in addition to trying to spread by itself, Commwarrior.Q also tries to get users to distribute it - for example, through a game installation SIS that the user might copy to a friend.

Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates. The file size of the Commwarrior.Q SIS file varies between 32100 bytes and 32200 bytes, making it difficult to exclude. When Commwarrior.Q is installed it will display an HTML page in the phone’s default browser after a random delay. Although Commwarrior.Q was detected in the wild, the fact that Commwarrior.Q displays the HTML page that states that the phone is infected means that it is unlikely that it will lead to a large scale outbreak - that and the fact that Commwarrior.Q is detected by F-Secure Mobile Anti-Virus with database update 103.
Mobile spyware - legitimate or not?
Also on the mobile front, F-Secure continued to
investigate commercially available spying trojans for
mobile phones that run on the Symbian OS as well as on
other mobile phone platforms.
The Research team originally thought that such software
would still be a rather limited phenomenon and that there
would be only a couple vendors making spy tools for
smartphones. But it turns out that there’s quite a cottage
industry that has been lying low and by and large has
been able to escape attention. In fact, there are several
vendors either making software for Symbian smartphones
or are making hardware-modified versions of just about
any phone available. All the phones and software under
investigation yielded rather similar features.
A typical feature set includes SMS forwarding, SMS and
voice call log information, remote listening and covert
conference calling. Some even include localization
services. This basically means that if the victim has a
full-featured spy application in their phone, they have no
privacy whatsoever for their calls while the one controlling
the software has access to all the information available.
Spyware software vendors state that their software
should only be used in accordance with local laws and
that a typical application for such tools is to keep track of
a cheating spouse or to monitor children’s phone usage.
Naturally, of course these tools have darker applications
such as industrial espionage, identity theft and stalking.
One of the spyware applications under investigation,
Acallno.A, is an SMS spying tool that forwards all sent or
received messages to an additional number configured
by the individual who installed it. Just to be sure, the
Research team added detection of Acallno.A into F-Secure
Mobile Anti-Virus as spyware. Acallno.A is by the way, a
pseudonym for the real software name since F-Secure is
in the business of informing our customers of potential
malware, not promoting commercial spy utilities.
Fortunately, Acallno.A is limited by the target device’s IMEI
code, so in the absence of familiar access to the phone,
it is impossible to download to just anyone. Nor can it
be just included into a trojan or other method of mass
installation. As monitoring tools are not always illegal, and
there might be some legitimate uses for Acallno.A or any
other such software, it is possible for users to release the
detected spyware so that Anti-Virus allows for its use. In
such cases, please consult the product documentation.
Centrino vulnerabilities open potential window
on WLAN viruses
In early August, Intel published a set of patches for Intel
Centrino. Nothing particularly significant about that
but the fact is that Centrino is not just a processor but
also integrates WLAN and other features for laptops.
The vulnerabilities are not related to the processor itself
but to the wireless features - one of the more common
applications in use for modern computer users on the
move.
The vulnerabilities being patched are significant. The
worst of them “could potentially be exploited by attackers
within range of the Wi-Fi station to execute arbitrary
code on the target system with kernel-level privileges”.
So at least in theory, somebody could write a WLAN
virus that would jump from one laptop to another if the
laptops within range of the access point are too close to
each other. This vulnerability is not solely the problem of
Intel Centrino with other operating systems such as Mac
showing potential windows for hackers to exploit in their
drivers. In all instances, our advice is to make sure your
Wi-Fi drivers are up to date.
And finally
The Swedish toy manufacturer, Brio, has decided to create
a lovable collection of figures that ‘live’ inside a typical
computer for children to play with.
The wooden toys also include a number of virus figures.
Not only that they have even built a dedicated website to
support the activities including an active desktop feature
and related mini movie. Our only hope at F-Secure is that
children fall in love with the little computer helpers and
not the viruses...
H1 2006 THREAT SUMMARY
The first six months of 2006 seemed quiet on the surface.
But a lot of new criminal malware development and
exploits were happening under the surface, despite
the decreased publicity. The new threats are often
more expertly targeted and extremely well hidden, and
criminals are continuously finding new ways to deliver
their payloads behind the lines of defense.
The beginning of 2006 was also the 20th anniversary of
the first PC virus, Brain, which infected computers via
floppy disks. Things have changed a great deal since then,
as the following report demonstrates.
At present there are over 185,000 viruses and the number
continues to grow rapidly. The biggest change over
these 20 years has not been in the types of viruses or
amount of malware; rather it has been in the motives of
the virus writers. The most significant change has been
the evolution of virus writing hobbyists into criminally
operated gangs writing viruses for financial gain. And
this trend is continuing with most new malware having a
financial motive, turning infected PCs into bots being used
for distributed spam or phishing e-mails or being used to
steal personal and financial information.
In March 2005 F-Secure launched its Blacklight engine
for detecting rootkits. Rootkits are effectively cloaking
devices, which allow malware authors to enter a computer
under the radar and go about their business completely
undetected. Since that time, we’ve seen a steady growth
in the number of various kinds of malware using rootkit
technology to hide. Interestingly, most other data security
vendors still fail to offer rootkit detection technology
in their offerings, even after the Sony DRM Rootkit case
made the headlines late last year. And the stakes are
getting higher - already in May 2006 a backdoor scam
was found on an online gaming site using rootkit
technology to covertly glean information from players
downloading an apparently useful poker utility program.
Luckily this showed up on our Blacklight radar and was
successfully neutralized.
In other news, 2006 was the year that saw the mobile
malware count reach and exceed the 200 mark. If you
compare the figures against the PC world, this does not
warrant a state of alarm but it certainly indicates a growing
trend. As mobile phones become more like computers
offering the possibility to make financial transactions, it’s
certain that the malware community will follow suit with
new exploits.
Hectic Start to the Year
2006 started in a very hectic way with the zero-day exploit
in the Windows Graphics Rendering engine and the way
it handles Windows Metafiles (WMF) images - an exploit
which was found at the end of 2005. In just a few days a
large number of malicious files using the exploit were
found and with no vendor patch available, Ilfak Guilfanov
at DataRescue, was first to create a temporary patch for
the vulnerability. Microsoft broke their pattern of only
providing updates once a month by shipping an update
on the 5th of January. One of the incidents we saw was a
highly targeted attack on the UK parliament. E-mails like
the one below were sent from a South Korean computer
to a few dozen high-profile e-mail addresses.
The e-mail encouraged users to open the attached MAP.WMF
file - which exploited the computer and installed
a backdoor that allowed full access to all the data on
the machine. What made the case really interesting was
the social engineering texts used in the e-mail. It was
obviously crafted to look like a message from a spy movie
with a secretive tone - of course raising the curiosity of
the recipients and getting them to open it.
January continued being a very busy month with yet
another e-mail worm appearing on the 17th of the month
and spreading very aggressively. The new worm, called
Nyxem.E, (with aliases such as MyWife, Blackworm
and Blackmal) was interesting on two counts; it used a
web counter to keep track of the number of infected
computers and it was set to overwrite files on a certain
date every month. In the days of cyber crime, it’s not
very often we see malware with destructive payloads like
this one. The web counter was another interesting thing
about this malware. It’s not the first malware to use a web
counter but this time we were able to get the statistics
from the counter provider in order to create a breakdown
on all the IP addresses having visited the counter. We
mapped the IP addresses with our F-Secure Worldmap
technology to create a world map showing all the affected
machines.
The most infected countries were India, Peru, Turkey and Italy. Fortunately, by the time the malware activated on February 3, most users had already cleaned their computers, much thanks to the warnings distributed via the news media. However, thousands of users still had their Excel spreadsheets or Word documents overwritten. All in all, the worm overwrote 11 different file formats. Nyxem.E continues to be active on the 3rd of every month, trying to overwrite files on infected machines. Most reports of affected users continue to originate in India.

Macintosh Virus

The virus-free Macintosh honeymoon is over. In February the first virus ever for Mac OSX was found when Leap.A appeared. The malware was originally posted to the MacRumors discussion forum. The virus, spreading via iChat and by infecting local files, was soon followed by other viruses for the same platform, amongst others a proof-of-concept virus named OSX/Inqtana.A, which uses a vulnerability in the Bluetooth OBEX Push functionality to spread from computer to computer.

Rootkits Still a Problem

One of the big issues in 2005 was the Sony BMG rootkit case where CDs were sold with a DRM (Digital Rights Management) copy protection scheme using rootkit technology to hide its presence from users. Rootkits continued to be a problem in the first quarter of 2006 where lots of new malware used rootkit techniques to hide the installed files. Examples of these were variants of the Feebs worm, hiding its presence with a rootkit. It spreads as an e-mail attachment but instead of generating e-mails by itself, it waits until the user sends an e-mail and automatically attaches the malicious attachment to the e-mail in transit without the user’s knowledge. The benefit is of course that the e-mail will always look like a proper e-mail message, because it is! However, the spreading rate will be much slower compared to other e-mail worms.

In February we received reports of a case very similar to the Sony BMG one. The German DVD release of the movie “Mr. & Mrs. Smith” contained a copy protection mechanism which used rootkit-like cloaking technology. The Settec Alpha-DISC copy protection system used on the DVD hides its own process but fortunately, and unlike the Sony BMG rootkit, it doesn’t hide any files or registry keys, making it impossible to use this rootkit to hide malicious files.

Our message to software companies producing any software (not just copy protection products) is clear. You should always avoid hiding anything from the user, especially the administrator. It rarely serves the needs of the user, and in many cases it makes it very easy for hackers to breach the security system.
Two of the most widespread worms used to install bot clients have had rootkit technology added to them. In
March, variants of both the Bagle and Mydoom families
were found, using rootkit technology to hide the worms’
files, processes and registry keys. The Bagle variants
are the most interesting in their demonstration of viral
evolution and collaboration among virus authors. Two
years ago Bagle was a simple virus consisting of one EXE
file, e-mailing itself around. It’s not like that anymore.
Bagle’s authors for example maintain a complex network
and have constructed a suite of programs that work
together as the following diagram illustrates:
In mid-May we saw a new twist using a rootkit exploit.
An online poker backdoor, covertly storing gamblers’
information for potential theft was uncovered by
F-Secure’s proprietary rootkit detection technology,
Blacklight. In this case the online tool RBCalc.exe, also
known as a Rakeback calculator, had been unwittingly
distributed from a legitimate gaming site, Checkraised.com.
The backdoor, a method for bypassing normal
authentication or securing remote access to a computer
was created by silently dropping files into the user’s
computer using a rootkit driver to conceal the operation.
With this in place, the tool’s author could access login
information from the user’s computer for various online
poker websites. Having gained access, the hacker could
then play poker against himself, losing on purpose and
reaping the rewards.
Shortly after the discovery, Checkraised.com removed the
offending exe file from its website and issued an official
statement on its website advising users to change their
poker site passwords as well as offering instructions for
manually removing the malware.
The rootkit technique used in both of the cases mentioned is the so-called kernel-mode rootkit, which means that the rootkit has direct access to all system functions, thus making detection even more difficult. If the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on. Fortunately, the F-Secure Blacklight rootkit elimination scanner is able to detect these threats.

Mobile Malware for Everyone
Mobile malware has now been around since June 2004
but so far damage has been limited. The first Java or
J2ME malware was found at the end of February with the
emergence of the Redbrowser trojan. This trojan tries
to steal money by portraying itself as a way to use WAP
services for free. When run, it sends premium-rate SMS
messages to a number in Russia, costing the user around
5 USD for every message sent. Fortunately, the exploit
was limited by the use of language - Russian. However,
we anticipate seeing attacks of a similar nature in other
languages in future.
In March of 2006 the first mobile spyware application
was found in the form of FlexiSpy. Being a commercial
application, the customer logs into a portal where the
software, when installed on the mobile device, monitors
all calls, SMS and MMS messages and posts them to
the portal. The software is advertised as a clever means
for suspicious husbands or wives to keep track of their
spouses’ online activities. For those couples with the
right data security installed, however, this will not work.
F-Secure Mobile Anti-Virus will detect and remove
this spyware application as it installs itself without any
indication of what the functionality of the software is.
In March, the mobile malware count reached and
exceeded the 200 limit.
Launch of F-Secure Worldmap
The F-Secure Worldmap is a system used by the Security Research Labs to monitor the spreading of viruses, in real time, around the world. The system can also be used to play back earlier events, for example when comparing a new outbreak with a previous one to determine the correct alert level to give to the press and other bodies. In March, a public version of the tool was launched on our website, making it possible for anyone to see the spreading of viruses around the world. Visitors to the website can easily see the virus situation at any given time and also in a particular location.
Phishing is Popular
F-Secure conducted a simple search across the com/net/org/us/biz/info top-level domains for common bank names and other financial institutions, and the results show that they are very well represented on the web - clearly some of these are legitimate, but typically most are there to separate the foolish and their money.
KEYWORD NUMBER OF DOMAINS
citibank* 497
bankofamerica* 407
lloyds* 994
bnpparibas* 41
egold* 691
hsbc* 1258
chase* 6470
paypal* 1634
ebay* 8057
Unfortunately, phishing works. In a recent study examining phishing website techniques, it turns out that the most visually deceptive website spoof was able to fool 90 percent of the study’s participants. That 90 percent figure includes the most technically advanced users among the participants. It was the look, not the spoofing of security features, that did the job - something that our resident phishing expert found quite interesting.
Crossing disciplines and summing up an article published last summer in the journal Neuron - if you don’t see something often, you won’t often see it. Perhaps you could also say - if you don’t see fakes often, you won’t often see fakes. Therefore, many phishers, while designing visually deceptive phishing sites, count less on technical subterfuge than on the failings of the human brain’s power of perception. If it looks like what the brain is expecting, then the brain often won’t see that it isn’t.
Our experts wonder why banks don’t allow users to customize their online banking interface with a picture of preference - for example a passport picture, an image of a pet or other family member - something at least that would indicate authenticity, something that the users would miss if it weren’t there. There are companies that are working on visual personalization technology, and the data security researchers at F-Secure think it’s a good idea that could significantly reduce the size of the phishing net. We are starting to see it happen.
No April Fool
On one day of the year, it’s commonly understood not to believe everything you hear, that day being April 1. For some reason, a surprising number of people thought that our new Moomin-themed security product, Internet Security 2006, was an April Fool’s Day joke, which is presumably what you get when you announce something like that on such a day!
But the Moomin-themed product is very real and will be available in Europe this year. It’s already for sale in Japan - and there’s good reason for that. The worldwide popularity and merchandising of the Moomin family dramatically increased in the 1990s when a Japanese production studio animated the stories, making them massively popular there.
Modern Car Jacking
In a parallel step away from viruses, modern car thieves don’t bother with crowbars or improvised coat hangers to break into modern cars - they use laptops. If your expensive car is using a keyless ignition authentication system with 40-bit encryption, you might find your ride gone in 60 seconds.
Robert Vamosi has written an article on keyless ignition systems based on a study from Johns Hopkins University and RSA. Vamosi noted in conclusion that the manufacturers of the RFID systems don’t seem to think there’s a problem. Perhaps they should ask David Beckham, who had his BMW X5 stolen in Spain using exactly this technique. So our advice is, until there is any change in the situation, should you have such an ignition key, get yourself a tin foil cover for it! It’s an interesting read; check it out at the following address: http://reviews.cnet.com/4520-3513_7-6516433.html?tag=txt
What’s the Word?
In late May there was quite a lot of discussion about the new zero-day vulnerability in Word. According to sources, a US-based company was targeted with e-mails that were sent to the company from the outside but were spoofed to look like internal e-mails.
The e-mails contained a Word DOC file as an attachment. When opened, the exploited file ran a backdoor hidden with a rootkit, allowing unrestricted access for the attackers, who were operating from a host registered under the Chinese 3322.org domain.
DOCs are a nasty attack vector for a couple of reasons. A few years ago, when macro viruses were the number one problem, many companies denied native DOC files at their e-mail gateways. Nowadays DOCs are typically admitted. The more important reason to be concerned is that Word has vulnerabilities, and users typically don’t install Word patches nearly as well as Windows patches.
3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org and the service will point that hostname to any IP address specified. There’s actually a series of such services, including 8866.org, 2288.org, 6600.org, 8800.org and 9966.org. If you have any doubt about the origin of a Word doc entering your e-mail, we’d recommend you at least check your company’s gateway logs to see what kind of traffic you have to such services.
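As an added example (not from the original summary), here is a small Python check that does what the paragraph recommends: it walks gateway log lines and flags destinations registered under the host-bouncing services named above. The log format and the client addresses are constructed for illustration; the service list is the one from the text.

```python
"""Flag gateway-log destinations under free host-bouncing (dynamic DNS) services.

Added example, not part of the F-Secure summary. The log format below is a
constructed, simplified proxy format: <timestamp> <client> <method> <target> <status>.
"""
import re
from collections import defaultdict

# Host-bouncing services named in the summary; extend from your own intelligence.
BOUNCE_SERVICES = ("3322.org", "8866.org", "2288.org", "6600.org", "8800.org", "9966.org")

# Constructed sample log lines (clients, timestamps and hostnames are made up).
SAMPLE_LOG = """\
1149003401.123 10.0.0.12 GET http://www.example.com/index.html 200
1149003405.220 10.0.0.12 CONNECT update.example-av.test:443 200
1149003410.555 10.0.0.37 GET http://news.3322.org/up.php 200
1149003411.001 10.0.0.37 CONNECT files.8866.org:443 200
1149003412.900 10.0.0.52 GET http://my3322.org/ 200
1149003420.333 10.0.0.37 GET http://cdn.2288.org.example.com/x 200
1149003425.000 10.0.0.52 GET HTTP://Mail.9966.ORG/login 302
"""

# Optional scheme, then everything up to the first '/', ':' or whitespace is the host.
_HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)")


def host_of(target: str) -> str:
    """Extract the hostname from a URL or a host:port CONNECT target (lower-cased)."""
    m = _HOST_RE.match(target.lower())
    return m.group(1) if m else ""


def bounce_service(host: str, services=BOUNCE_SERVICES):
    """Return the service a host is registered under, or None.

    Uses a label-boundary suffix match so that 'my3322.org' and
    'cdn.2288.org.example.com' are not mistaken for matches.
    """
    for svc in services:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def scan_log(text: str, services=BOUNCE_SERVICES):
    """Return (client, host, service) for every line whose destination is under a service."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        client, target = parts[1], parts[3]
        host = host_of(target)
        svc = bounce_service(host, services)
        if svc:
            hits.append((client, host, svc))
    return hits


def hosts_by_client(hits):
    """Group flagged hosts per internal client so each machine can be triaged."""
    grouped = defaultdict(set)
    for client, host, _svc in hits:
        grouped[client].add(host)
    return {client: sorted(hosts) for client, hosts in grouped.items()}


if __name__ == "__main__":
    for client, hosts in hosts_by_client(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(hosts)}")
```

Traffic to such a service is not proof of compromise, but a client that resolves several of these hosts shortly after receiving a DOC attachment is worth a closer look.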
Da Vinci Mobile Virus - Truth or Fiction?
Also in late May, a rumor originating in an online Indian publication caused a stir about a new mobile virus using the name “Da Vinci virus” - malware obviously surfing off the marketing buzz around the general Hollywood release, the “Da Vinci Code”.
By the end of May, the F-Secure Data Security Laboratory didn’t have a single infection report and no sample of such malware. Is it truth; is it fiction? Time will tell, but for a look at the original story go to: http://ww1.mid-day.com/news/city/2006/may/137895.htm
World Cup or Own Goal?
And last of all, eager football fans in Germany might get a bit more than they bargained for if they answer a new mass mailing worm called Banwarum (also known as Zasran and Ranchneg) that is using World Cup themed e-mail messages.
The worm sends itself as a password protected archive and includes the password for it in the e-mail. The e-mails sent by the worm are in German and some of them offer tickets for the football games in Germany in June. There are already three functionally similar variants of this worm. FSAV detects the .A and .B variants of the worm with update version number 2006-05-24_04 and variant .C with update version number 2006-05-25_01.
One of the e-mails sent by the worm looks as follows in English translation:
“Hi man,
I saw that you want to go to the World Cup. Don’t ask who I am and why I am doing this. Here you have 5 pieces, which are a special on-line version, print it and sign. Password to the archive is (psw).
With friendly greetings Nobody ;)”
For all soccer fans, we at F-Secure recommend you search for more information on the World Cup and the tickets from the official site for the 2006 FIFA World Cup Germany.
Virus Statistics for the First Half of 2006
The top 10 viruses reported to the F-Secure Worldmap for the first quarter of 2006 were:
1. E-mail-Worm.Win32.Nyxem.e 17.3 percent
2. Net-Worm.Win32.Mytob.x 11.2 percent
3. E-mail-Worm.Win32.NetSky.q 11.2 percent
4. Net-Worm.Win32.Mytob.az 11 percent
5. E-mail-Worm.Win32.Sober.y 5.7 percent
6. E-mail-Worm.Win32.Bagle.fj 4.3 percent
7. E-mail-Worm.Win32.Mydoom.m 3.3 percent
8. E-mail-Worm.Win32.Doombot.g 2.4 percent
9. Net-Worm.Win32.Mytob.c 2.2 percent
10. Net-Worm.Win32.Mytob.bi 2.2 percent
By June 2006, just 20 years after the first detected virus, Brain, there were over 185,000 recorded viruses.
Authors: Patrik Runald, Senior Security Specialist and Mark Woods, Corporate Communicator
2005
H2 2005 THREAT SUMMARY
In the second half of the year, we can report that the trend towards mass assaults using network worms has dropped significantly, with two major outbreaks: one in September causing larger disruptions internationally and the second, a worm flooding email systems, in late November. Nevertheless, the virus count continued to rise with alarming force, increasing from 110,000 to approximately 150,000 by the end of the year.
July 2005 started out for data security professionals with a visit to the DEFCON conference in Las Vegas - the largest computer underground event in the world. As usual, the participants came from both sides of the fence and everything in between, with thousands of black, grey and white hat hackers as well as security professionals, law enforcement members and undercover agents.
In slightly less exotic Helsinki, the Assembly’05 demo party was the scene of 5000 geeks gathering together for four days. The event was of particular interest to the data security lab specialists since many of the techniques used in demo coding are written in low-level assembler and, to fit within tight limits, use really advanced compression techniques.
Overall, it was a tough year for high profile malware authors around the world, at least according to the number of convictions. In July three men in their early 20s heading an international extortion ring were arrested in raids in Russia, apparently after launching big DDoS attacks from botnets against gambling sites, then emailing them and asking $50,000 for not doing it again.
Despite the money trail routing itself to Russia via the Caribbean and Latvia, the UK police were nevertheless able to trace it, leading eventually to the arrests. Various other virus authors were reached by the long arm of the law, including the VBS/Lasku virus author in Finland, the Peep backdoor author arrested in Taiwan and, most notoriously, the Sasser and Netsky author, Sven Jaschan, who equally notoriously received a thirty hour community service order and suspended sentence for creating a worm that caused damage in the millions of dollars before it was brought under control.
Spam is bad for your health
Sometimes, things are handled differently in attempting to stop the spread of malware and spam. In July, Russian media reported that the owner of the American Language Center, Vardan Kushnir, had been killed. According to the reports, Kushnir had suffered massive head trauma when he was found in his apartment in Moscow. The American Language Center provides English language courses for Russian speaking people and reportedly organized the largest spam campaign in Russian history.
Spam was sent to over 20 million e-mail addresses belonging to Russian speaking people. The campaign was so pervasive that you can hardly find a Russian who has never received a message advertising the American Language Center. The killing of Kushnir might not, however, be related to his company’s spamming, although many people might have wished him dead after receiving yet another spam email from his company. Russian authorities are currently investigating the crime, with suspects in the thousands.
Phishing is obviously worth it
In July, the Financial Times Deutschland reported that German banks lost 70 million Euros due to phishing attacks over the last year, and this figure is growing fast. If this is the case in one country we can extrapolate that phishing is not only big business but is also clearly worth it to the criminal fraternity.
As phishing becomes more widespread, however, so too does the authorities’ ability to detect it. As a result, typical larger phishing targets, such as those made on Citibank, eBay, PayPal and US Bank, have been replaced by more focused attacks against smaller targets in order to find users who can still be fooled into responding to a phishing email.
This has resulted, for example, in a series of attacks against German banks, with increased activity against organizations like Deutsche Bank and Postbank. As a result, both Deutsche Bank and Postbank will be introducing one-time passwords, which are needed to authorize online transactions.
There is some evidence that the criminal organizations behind phishing attacks have been jumping from one geographical area to another looking for more targets. First we saw them in the US, then in Australia and then the UK. In Germany, the attacks were localized in the German language, as was the case earlier in 2005 when phishing cases localized in Danish were detected in Denmark.
It didn’t take long afterwards, in August, for a large-scale attack against Nordea in Sweden. Nordea is the largest bank in the Nordic countries. It also operates one of the largest Internet banks in the world, with over 4 million Internet customers in eight countries.
In this particular case somebody spammed a large amount of spoofed emails with links pointing to a fake bank. Once again, the attack was localised in the target language, but this time the scam was aimed at breaking through Nordea’s one-time password system.
The system in use by Nordea Sweden consists of a scratch sheet, where you scratch the paper to uncover the next available PIN code for login. Attacking a site like this is quite a bit more challenging than attacking banks authenticating users with a bank account number and a constant 4-digit PIN code, as was the case in Germany.
The fake mails explained that Nordea was introducing new security measures, which could be accessed at www.nordea-se.com or www.nordea-bank.net (both fake sites hosted in South Korea). The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what was entered, the site would complain about the scratch code and ask for the next one. In reality, the phishers were trying to hook several scratch codes for their own use.
Nordea Sweden took the threat seriously and immediately shut down their whole Internet bank while they looked into the assault and immobilised it. Apparently this was done in order to prevent the scammers from using the codes to move money around.
By September the number of phishing attempts had levelled out, but this was also marked by an increase in the volume of spam. This marked rise appears to be caused by a large number of matchmaking spams. So it would seem that the activities of a single determined spammer can still make a difference.
Typosquatting for careless typists
Earlier this year we saw evidence of typosquatting, with Google surfers misspelling it as ‘googkle’ and being led to all manner of malware ridden sites instead. In the autumn, an even larger exploit concerning typosquatting was launched - no surprises there, but the sheer scale of the domains created to trick the unwary was impressive: 150 of them, many of which were targeted at data security companies.
Among other typosquats we found “www-f-secure.com” and “wwwf-secure.com”, which at the moment point to a web site called “nortpnantivirus.com”. The good news is that at least this site isn’t used for phishing or for downloading trojans. Other typosquats related to security firms include the following: f-secue.com, mesagelabs.com, mcafeeantiviru.com, bitdefneder.com, pestpatorl.com, wwwbullguard.com, pandafirewall.com, sendamil.org and centralcomand.com.
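As an added example (not from the original summary), here is a Python classifier for the typo patterns the listed domains exhibit: a dropped letter (f-secue), swapped letters (pestpatorl), an inserted letter (googkle) and the www/www- prefix trick (wwwf-secure). The watchlist and the observed domains are constructed from names mentioned in the text.

```python
"""Classify observed domain names as typo variants of watched brand domains.

Added example, not part of the F-Secure summary. The watchlist and the observed
domains are constructed from names mentioned in the text and are illustrative only.
"""

# Legitimate domains to watch (constructed; verify against your own inventory).
WATCHLIST = (
    "google.com", "f-secure.com", "messagelabs.com", "mcafeeantivirus.com",
    "bitdefender.com", "pestpatrol.com", "bullguard.com", "sendmail.org",
    "centralcommand.com",
)

# Observed registrations to classify (constructed from the typosquats listed above).
OBSERVED = (
    "googkle.com", "www-f-secure.com", "wwwf-secure.com", "f-secue.com",
    "mesagelabs.com", "mcafeeantiviru.com", "bitdefneder.com", "pestpatorl.com",
    "wwwbullguard.com", "pandafirewall.com", "sendamil.org", "centralcomand.com",
)


def _split(domain):
    """Split 'name.tld' into registrable label and suffix (single-label TLDs only)."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    if name.startswith("www."):
        name = name[4:]  # a real 'www.' host label is not a typo
    return name, tld


def omissions(name):
    """All strings obtained by dropping exactly one character (f-secure -> f-secue)."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):
    """All strings obtained by swapping two adjacent, different characters (pestpatrol -> pestpatorl)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def classify(domain, watchlist=WATCHLIST):
    """Return (brand, kind) if domain is a typo variant of a watched brand, else None.

    kind is one of: exact, www-prefix, omission, insertion, transposition.
    Insertions (googkle) are found by the reverse check: dropping one character
    from the observed name yields the brand name.
    """
    name, tld = _split(domain)
    for brand in watchlist:
        bname, btld = _split(brand)
        if tld != btld:
            continue  # only compare within the same top-level domain
        if name == bname:
            return brand, "exact"
        if name in ("www" + bname, "www-" + bname):
            return brand, "www-prefix"
        if name in omissions(bname):
            return brand, "omission"
        if bname in omissions(name):
            return brand, "insertion"
        if name in transpositions(bname):
            return brand, "transposition"
    return None


def scan(observed=OBSERVED, watchlist=WATCHLIST):
    """Map each observed domain to its classification (None when it is not a typo variant)."""
    return {d: classify(d, watchlist) for d in observed}


if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{domain:22s} {verdict}")
```

pandafirewall.com is deliberately left unflagged: it borrows a brand name without being a typo of that brand's domain, so distance-based checks alone will not catch it.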
Terror attacks, natural disasters and exploitation
In a year characterised by a large number of natural disasters and terror attacks, another important and regrettable trend repeated itself - members of the malware community using other people’s misery for profit.
After the 9/11 attack against the World Trade Center in New York, malware was launched using the event to trick users into running malicious attachments. Just two weeks after the September attack the e-mail worm W32/Vote.A@mm was found, and exactly a year after the event another e-mail worm, W32/Chet@mm, was found. While Vote.A didn’t spread very well, the Chet worm was widespread and prompted an F-Secure Radar 2 warning.
In July of this year, the same pattern repeated itself with the underground terrorist attack in London. Shortly after the bombing the first trojan was detected as an attachment in e-mail messages. The ZIP file contained the file ‘London Terror Moovie.avi <124 spaces> Checked By Norton Antivirus.exe’. F-Secure detected the trojan as ‘SpamTool.Win32.Delf.h’ and promptly sent out an update.
In September there were reports of a spam message with subject fields like “Katrina killed as many as 80 people”. The message seems to contain a news article on the devastation caused by hurricane Katrina but actually directed the reader to a website called “nextermest.com”. Further investigation reveals that the site is just a placeholder that refreshes to a page that tries to download the Trojan-Downloader.JS.Small.bq malware.
Major virus outbreak in August
In August the Data Security Laboratory in Helsinki’s headquarters mapped the course of a botwar that took on the proportions of an international incident before it was stopped. It started with a new virus round about lunch exploiting a Microsoft patch vulnerability: the MS05-039 PnP hole. As the virus progressed, CNN was struck, as were the Financial Times, The New York Times and ABC.
The attack, which centres around the Zotob virus, is also aided by assaults by bot variants which interestingly compete with each other over infected machines, actively removing the resident infection and replacing it with their own.
Specifically, there are two groups that are fighting: IRCBot and Bozori vs Zotob and the other bots. Widespread disruption, particularly in the media, was eventually brought under control and F-Secure’s report makes the headlines in over 500 different journals in the days that follow.
Not long after the outbreak, two young men were arrested regarding the Zotob PnP worm case. Moroccan authorities arrested “Diabl0”, aka Farid Essebar, and Turkish authorities arrested “Coder”, aka Atilla Ekici. The suspects are aged 18 and 21, respectively.
Mobile malware proliferation
Interest in mobile malware continues to grow in step with the increasing media coverage. To date, F-Secure has received an increasing number of queries about just how many known mobile malwares are out there. At the time of writing the total count has already exceeded 100 - a landmark in the progress of viruses and their assault on the mobile environment.
Symbian-related malware makes up the vast majority of all mobile malware. The large number just shows how popular Symbian devices are, thus making them the most interesting target for malware authors.
F-Secure Mobile Anti-Virus has been able to handle 61 (74 percent) cases of Symbian malware with generic detection, which means that the Anti-Virus has been able to detect and stop the malware without the need for database updates.
Commwarrior continues to spread
Nevertheless certain viruses continue to spread unchecked, most obviously the infamous Commwarrior, which has now been reported in infection cases in twenty countries so far, spanning from as far afield as India and South Africa.
In August F-Secure received a sample of a new Symbian trojan, Doomboot.A, that drops Commwarrior.B and damages the phone such that it does not boot anymore. While other trojans have dropped several different Cabir variants, Doomboot.A is the first known trojan that drops Commwarrior and uses a new technique to break the phone.
As all currently known Symbian trojans and worms display several warnings, it would be easy to blame any user who got their phone infected for being stupid or ignorant. However, the explanation of why people get infected by Cabir and other Bluetooth worms shows that it is not so straightforward.
Firstly, a great deal of Symbian software requires Bluetooth to be visible in order to work properly. And some of these programs either switch on Bluetooth without asking the user, or display the activation question in such a manner that the user is likely to answer yes.
Then there are several social networking applications that use Bluetooth, such as YOU-WHO and CrowdSurfer, which enable people to use Bluetooth for social networking and gaming, and these naturally lower the bar for accepting any connections and files from unknown persons.
And finally, most Cabir variants are quite aggressive in spreading, and keep sending the Bluetooth connection request even when the user clicks ‘no’ to them. Eventually, the user gets frustrated and starts clicking yes to all questions, with inevitable results.
Like most of the Symbian trojans, Doomboot.A also pretends to be a pirate copied Symbian game. So people who don’t download and install pirate copied games or applications are safe from nasty surprises.
What makes Doomboot troubling is the unpleasant combination of Doomboot’s and Commwarrior’s effects on the phone. Doomboot.A causes the phone not to boot anymore, and Commwarrior causes so much Bluetooth traffic that the phone will run out of battery in less than one hour. Thus the user who gets his phone infected with Doomboot.A has less than one hour to figure out what is happening and disinfect his phone, or he will lose all data.
In September an otherwise unremarkable Symbian trojan, SymbOS/Cardtrap.A, put a new spin on mobile malware by being able to cross-infect a PC if the user inserts the phone’s memory card into his PC.
When infecting a Symbian phone, Cardtrap.A copies two Windows worms (Win32/Padobot.Z and Win32/Rays) to the memory card of the phone. Padobot.Z is copied with an autorun.inf file in an attempt to start automatically if the card is inserted into a PC running Windows. Rays is copied with the filename SYSTEM.EXE and the same icon as the System folder. This is done as a social engineering technique so that the user would click on Rays instead of the System folder. Luckily, both Padobot.Z and Rays are detected by F-Secure Anti-Virus, and we have added detection and disinfection for them also to F-Secure Mobile Anti-Virus.
Viruses spread to MP3 players and game consoles
At the end of August, reports came through of a commercial MP3 player being shipped out with a virus. The manufacturer, Creative, reported it had accidentally shipped almost 4000 MP3 players with a Windows virus. This happened in Japan with the 5GB Zen Neeon players. The filesystem on the players contains one file that is infected with the Wullik.B (also known as Rays.A) email worm. The worm does not, however, infect PCs unless the user browses the player’s files and clicks on the infected file.
In October this was followed up by a malware alert for the Sony PlayStation: a firmware downgrade tool that turned out to be a trojan rendering the PSP unusable. The infamous patcher from PSP Team removes a few important system files from the flash, which makes the system unbootable. This tool has been reported to be the first “PSP virus” by many sources. Since it does not replicate in any way, however, by the F-Secure definition it can be called a trojan at most. It definitely falls under the malware umbrella term, however. It is worth mentioning here that, according to Sony, running any unauthorized code on the PSP will immediately void the warranty. Hot on the heels of the first PSP trojan in October, the data security lab received reports about the first trojan for the Nintendo DS handheld gaming console. This simple trojan, known as “DSBrick”, overwrites critical memory areas, preventing the console from booting.
Back with Sony again, the big news in November was the discovery of a rootkit detected in some Sony BMG music CDs, placed there by the company itself to enforce the copy control policies of its audio CDs. The rootkit, which acts as a covert method for monitoring customer behaviour through Digital Rights Management software, is installed when the user inserts the CD into a Windows-based PC and accepts a license agreement. Unknown to the user, the rootkit is installed, after which there’s no direct way to uninstall it. The system also opens a possible backdoor for viruses (or any other malicious program) to use the rootkit to hide themselves. The good news is that F-Secure’s BlackLight scanner, introduced this year in March, is able to detect both the Sony DRM rootkit system and any other malware that hides using it.
Speaking about the Sony case, Risto Siilasmaa, CEO of F-Secure, said: “The real story, and the very valuable lesson, here is that many companies are linking their products to ICT technology. This means that they need to educate themselves on data security issues, build processes to handle claims of vulnerabilities, train their PR people to deal with these kinds of situation and so on. Hundreds of consumer electronics companies will find themselves in the same boat with Sony.”
Also in late November F-Secure issued a Radar Level 1 alert about a new Sober variant that caused the year’s largest email worm outbreak, with several millions of infected emails reported by Internet operators. The mails contained faked messages from such claimed sources as the FBI and CIA, asking recipients to open an attachment containing the Sober variant worm.
The first Sober was found in October 2003, over two years ago, and F-Secure believes all 25 variants of this virus have been written by the same individual, operating from somewhere in Germany. Interestingly, the author seems to be from the old school of virus writers seeking fame not fortune, since there appears to be no clear financial motive behind the exploit.
Successful product releases and the move from software to hardware
Back in June, F-Secure released F-Secure Client Security 6.0 and, after a summer break, the reviews have started to flow in. Most significantly for F-Secure, Infoworld’s review of F-Secure Anti-Virus Client Security 6.0 in September put F-Secure ahead of all the major competitors in a large review.
To quote the magazine: “Support for real-time protection also varies among vendors. McAfee’s, Trend Micro’s, and Tenebril’s versions allow the malware to install, but prevent it from executing, thus leaving it installed but neutered until a removal scan is started. Others, such as Sunbelt CounterSpy, block most malware installs while missing others, and, like Trend Micro, remove existing traces on next scan. F-Secure did the best job of preventing initial installations, blocking all spyware and malware attacks.”
Also in September, F-Secure launched its flagship consumer product, F-Secure Internet Security 2006, and shipped out 42,000 boxes of the product destined for retailers across Europe. The latest version contains a wealth of new features that will undoubtedly result in favourable reviews still this year.
And also in September, F-Secure made a significant decision to change the dynamic of company production: after 17 years as a software company F-Secure started selling its first hardware product, ever.
The box is called F-Secure Messaging Security Gateway. It’s a 1U-sized rack-mountable appliance that sits next to your email server and filters spam and viruses from the message traffic, automatically. The appliance is a result of collaboration with US manufacturer Proofpoint and initial response has been favourable.
H1 2005 SECURITY THREAT SUMMARY
Spam wars, PC viruses, mobile viruses, phishing and typosquatting, F-Secure Anti-Virus Client Security 6.0 launch and multiple awards
Despite the efforts of companies like F-Secure to eradicate spam from email servers and private mailboxes, the volumes continued to rise in the first half of 2005. Indeed, spam accounts for 85 percent of mail traffic globally, so concerted efforts on behalf of antivirus vendors and legislators to stop this modern plague are needed.
Nevertheless, Microsoft’s Bill Gates made optimistic statements about eradicating spam, predicting in January 2004 that technology will help us finally win the battle against spam by 2006. One of the first steps in that direction was announced by Microsoft in April 2005 with the corporation’s first foray into offering data security management software - a consumer subscription service called Windows OneCare. The service is scheduled to include antivirus, antispyware, firewall, PC maintenance, and data backup and restore functionality. For its part, F-Secure welcomed the fact that the IT giant is starting to develop similar service-centric security concepts to the ones that it has successfully pioneered over the past five years.
Virus infections under control in first half of 2005
The virus situation is actually looking pretty good. The amount of virus outbreaks is down almost 50 percent compared to the same time in the previous year. Nevertheless, the number of viruses has consecutively grown an average of 40 percent per year for the past two years - all this in step with the growth of spam. Industry pundits put this marked growth in relation to two phenomena: the ongoing increase in processing power allowing PC users to advertently or inadvertently propagate spam and spam scams, and the fact that more and more people have broadband connections keeping them on line potentially 24/7.
According to world famous security expert Bruce Schneier, who paid a visit to the F-Secure headquarters in May, anti-virus protection is a ‘done deal’, equivalent to inoculating against the common cold. Despite what he described as the ‘insane amount’ of new viruses emerging every day, he was happy to note that the technology already exists to fight it. For F-Secure, this stands true - in its efforts to offer the best security possible the company opened two completely refurbished state of the art data security labs, the first in mid March in its San Jose office and the second at the end of May at its headquarters in Helsinki.
Nevertheless, black hats benefiting from cheap bandwidth, a good technology infrastructure, and poor policing in certain countries are able to launch increasingly bold exploits that aim to circumvent traditional prevention techniques.
Phishing, pharming and Trojans
One particular trend in malware-writing from the black hats is the rapid increase in new trojans and bots. Unlike the more indiscriminate assaults by viruses and worms, trojans can be delivered with precision to target organisations via email attachments or links to websites. Once a system is infiltrated, remote hackers can go about stealing information and planning further attacks from the inside. The stealth aspect of trojans, meaning that they don’t replicate under their own power, conceals the fact that they are significantly on the rise as a highly effective tool for criminal exploits.
Phishing is another good example of the modern criminal mind because it combines the global reach of spam messaging with the subtle psychology of the confidence trickster. In addition to the typical phishing targets, such as eBay, PayPal and large American and British banks, we’re seeing a move towards smaller markets. This is probably happening because most customers of a bank like Citibank have already received a hundred different phishing messages and will not be fooled by another one.
Given the possibility that a phishing message gets past all relevant filters and into your email inbox, the only true protection is your own common sense. Recognizing the mail for what it is, the best policy is simply to delete it.
Another, more sinister evolution of phishing is pharming: the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the domain name for a site and to redirect traffic from that web site to another web site. DNS servers are the machines responsible for resolving Internet names into their real addresses - effectively the “signposts” of the Internet.
If the web site receiving the traffic is a fake web site, such as a copy of a bank’s website, it can be used to “phish” or steal a computer user’s passwords, PIN number or account number. So, for all on-line transactions, set the alarm bells ringing if you receive invalid server certificates, especially when attempting to enter any site where you deposit confidential information or perform money transactions.
Worms, hostage-takers and bogus WLANS
At the beginning of May this year a new email worm Sober
variant was reported in the wild in Europe sending variable
messages in English and German. In this case, the authors
were banking on the German public’s interest in football,
and specifically the forthcoming World Cup with some
predictable results. The worm was released on the same
day ticket sales for the next World Cup began. Sober.P
sent out a message in German confirming a successful
ticket application for the football World Cup and
encouraging recipients to open an enclosed, infected
file. FIFA was quick to respond with a public warning but
not before its system experienced some heavy traffic as
a result. The worm itself compromised thousands of PCs
with reports coming in from 40 countries.
As with everything else these days, the malware
community has become very adept at blending,
automating and adding new layers of sophistication to
their threats. In May there were reports of a data stealing
Trojan called Agent.aa Trojan (aka Trojan-PSW.Win32.
Agent.aa or Bancos.NL) which monitors active Internet
Explorer instances. When a web page containing certain
domain names is visited from an infected computer,
the Trojan logs data from the web page, including key
strokes and also takes screenshots of browser windows.
Unsurprisingly, domain names in this particular exploit are
mostly online banks but what sets this Trojan apart is the
sheer volume of banks listed: 2764 different sites in total
from over 100 different countries.
At the end of May there were also reports of a piece of
malware that can take hostages and demand a ransom.
The Trojan called Gpcode (also known as PGPCoder)
encrypts users' files with certain extensions and then asks
for a ransom to "free" (decrypt) them - a good example
of adapting new technology to fit a more commonly
recognized model of criminal activity in the 'real world'.
Luckily, Gpcode had a very simple encryption algorithm,
so it was possible to create a decryptor for the encrypted
files, and F-Secure Anti-Virus was able to detect and
decrypt files encrypted by Gpcode.
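The following is an added illustration, not Gpcode's actual algorithm and not F-Secure's decryptor, of why a homemade cipher with a short fixed key falls to known plaintext. Files of a given type start with a predictable header (the magic bytes used here are the real PDF, ZIP/Office 2007 and JPEG signatures); XORing the encrypted header with the known header yields the key bytes directly, and the shortest key length consistent across several victim files is the key period. The victim files and the four-byte key are constructed for the example.

```python
"""Recover a repeating-XOR key from encrypted files using known file headers.

Added example. Assumptions: the ransomware used a fixed repeating key with
no per-file randomness, and we know the file type (extension) of each
encrypted file.
"""

# Well-known file signatures: PDF, ZIP container (also .docx), JPEG.
KNOWN_HEADERS = {
    ".pdf": b"%PDF-1.",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}


def xor_repeating(data, key):
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertexts, key_len):
    """Derive the key of length key_len from the known headers of several files.

    ciphertexts: list of (extension, encrypted_bytes). Every header byte at
    offset i must give the same value for key[i % key_len]; a contradiction
    means key_len is wrong (or the cipher is not a fixed-key XOR).
    """
    key = [None] * key_len
    for ext, ct in ciphertexts:
        header = KNOWN_HEADERS.get(ext)
        if header is None:
            continue  # unknown type: contributes nothing
        for i, (c, p) in enumerate(zip(ct, header)):
            slot = i % key_len
            guess = c ^ p
            if key[slot] is None:
                key[slot] = guess
            elif key[slot] != guess:
                raise ValueError(f"inconsistent key byte at offset {i}")
    if any(k is None for k in key):
        raise ValueError("known headers do not cover every key position")
    return bytes(key)


def guess_key(ciphertexts, max_len=32):
    """Smallest key length whose header-derived key is consistent across all files.

    A key that is itself periodic (e.g. b'\\x5a\\x5a') is reported at its
    shortest period, which decrypts identically.
    """
    for key_len in range(1, max_len + 1):
        try:
            return recover_key(ciphertexts, key_len)
        except ValueError:
            continue
    raise ValueError(f"no consistent repeating-XOR key of length <= {max_len}")


def decrypt_all(ciphertexts, key):
    """Decrypt every (extension, bytes) pair with the recovered key."""
    return [(ext, xor_repeating(ct, key)) for ext, ct in ciphertexts]


def demo():
    """Constructed victim files encrypted with a made-up 4-byte key.

    Returns (recovered_key, decrypted_files) so the result can be checked.
    """
    key = b"\x5a\xc3\x0f\x91"  # constructed, unknown to the recovery code
    victim_files = [
        (".pdf", b"%PDF-1.4\n%constructed report body\n"),
        (".jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 constructed image"),
        (".docx", b"PK\x03\x04\x14\x00 constructed office file"),
    ]
    encrypted = [(ext, xor_repeating(pt, key)) for ext, pt in victim_files]
    recovered = guess_key(encrypted)
    return recovered, decrypt_all(encrypted, recovered)


if __name__ == "__main__":
    recovered_key, plaintexts = demo()
    print("recovered key:", recovered_key.hex())
    for ext, pt in plaintexts:
        print(ext, pt[:12])
```

The same approach works for any stream cipher whose keystream does not change between files: the header of one file reveals the keystream prefix, and that prefix decrypts the start of every other file. A cipher with a random per-file key or nonce defeats it, which is why later ransomware families stopped being recoverable this way.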
A further demonstration of the criminal mind in action,
taking advantage of gaps in modern technology, came out in
March when it was discovered at a conference in London
that hackers had created malicious WLAN hotspots with
a forged log-in web page. People using the hotspot to
access websites automatically found themselves to be the
target of malware. Although the exploit came to light, it
has worrying implications for the use of free wireless
hotspots by business travellers hopping from one
connection to another, often with important data on their
laptops. This exploit seems to be the model for more to
come. With this in mind, the best way to protect yourself
against such attacks is to have an up-to-date operating
system and browser, with the latest anti-virus and firewall
software installed. Also, it is important to have any critical
connections secured over VPN, and not to use any
unsecured service connection requiring your user name
and password.
Also in March, F-Secure was actively engaged in
promoting its new BlackLight Rootkit software at the
monumental CeBIT fair in Hannover, Germany. Blacklight
addresses the problem of rootkits, which allow hackers
to create backdoors in systems completely under the
radar of traditional anti virus software. While this exploit is
not common, it has been implicated in a number of high
profile corporate espionage cases in the States. Now,
thanks to BlackLight technology, system administrators
have a new tool in their armoury against their increasingly
cunning opponents.
If only to demonstrate the impact of the new release in
the malware community, a spyware manufacturer released
a version of their Trojan marketing it as “Hidden from by
F-Secure BlackLight Rootkit Elimination Technology!”. The
spyware used a simple trick: identifying the BlackLight
process and not hiding from it. Newer versions of
BlackLight have been modified so that it can’t be hidden
from in this manner.
Further evidence of the ingenuity of the online criminal
fraternity in their attempts to trick unwary websurfers
is the rise in malicious typosquatting websites. In the
case in point, if you happen to mistype www.google.com
(one variation being www.googkle.com) you will
be led to a site that starts a long chain of web pages
exploiting various browser vulnerabilities. As a result, the
poor mistypist will end up with a seriously malware- and
spyware-infected computer. So, our advice to you is to
keep your browser up to date and practice your touch typing.
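Defenders approach typosquatting from the other side: enumerate the one-keystroke typos of their own domain and check which of them are registered, pre-register the likeliest, or feed the list to a proxy blocklist. The following is an added example, not F-Secure's tooling; the QWERTY adjacency table is an approximation chosen for the example, and the domain handling assumes a plain label plus TLD such as google.com.

```python
"""Enumerate single-keystroke typosquat candidates for a domain.

Added example. Produces the classic typo classes: omission ("gogle"),
transposition ("googel"), adjacent-key substitution ("goofle") and
adjacent-key insertion ("googkle", the case from the text above).
"""

# Keys physically next to each other on a QWERTY keyboard (approximation
# assumed for this example; a real tool would also cover other layouts).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm",
    "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def _strip_www(domain):
    """Normalise case and drop a leading 'www.' so only the registrable name is mutated."""
    domain = domain.lower().strip()
    return domain[4:] if domain.startswith("www.") else domain


def _split(domain):
    """'www.google.com' -> ('google', '.com'); 'bank.co.uk' -> ('bank', '.co.uk')."""
    label, dot, tld = _strip_www(domain).partition(".")
    return label, dot + tld


def typo_variants(domain):
    """Return the set of domains one keystroke away from `domain` (excluding itself)."""
    label, tld = _split(domain)
    out = set()
    n = len(label)
    for i in range(n):
        # omission: the key was missed entirely
        out.add(label[:i] + label[i + 1:])
        # transposition: two neighbouring keys pressed in the wrong order
        if i + 1 < n:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for k in QWERTY_NEIGHBOURS.get(label[i], ""):
            # substitution: the neighbouring key was hit instead
            out.add(label[:i] + k + label[i + 1:])
            # insertion: the neighbouring key was hit as well, before or after
            out.add(label[:i] + k + label[i:])
            out.add(label[:i + 1] + k + label[i + 1:])
    out.discard(label)
    return {v + tld for v in out if v}


def is_typosquat(candidate, genuine):
    """True if `candidate` is a one-keystroke typo of `genuine` (and not the genuine name)."""
    cand = _strip_www(candidate)
    return cand != _strip_www(genuine) and cand in typo_variants(genuine)


if __name__ == "__main__":
    variants = typo_variants("www.google.com")
    print(len(variants), "candidates; googkle.com included:", "googkle.com" in variants)
```

The candidate list is the input to the actual check, a WHOIS or DNS lookup per name, which is deliberately left out so the block runs offline. Note that the generator only covers typing errors; homoglyphs and added or dropped hyphens are separate classes.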
The advance of mobile malware
Mobile viruses continue to make news, although it appears
that the majority of them are still 'proof of concept', i.e.
malware authors are putting a toe in the water to
demonstrate that mobile viruses are possible. So far, the
worst damage has been done by a Trojan called Skulls, a
malicious SIS file Trojan that replaces the system
applications with non-functional versions, so that all but
the phone's basic functionality is disabled. Once again, as
evidence of malware author ingenuity, F-Secure received
reports this spring of a Symbian Trojan, Skulls.L, that
pretends to be a pirated copy of F-Secure Mobile
Anti-Virus, showing the dialogue text "F-Secure Antivirus
protect you against the virus. And don`t forget to update
this!"
Users are advised not to download F-Secure Anti-Virus
files from any other server than the official F-Secure
site. For your information, all official F-Secure Anti-Virus
installation packages are Symbian signed, so that when
installing it, the user does not get the warning about a
missing installation package signature. If you are trying to
install F-Secure Mobile Anti-Virus and you get a warning
about a missing signature, simply abort the install.
Equally, this spring there were numerous reports of Cabir
sightings in the wild in more than 23 countries,
as far afield as New Zealand and Switzerland. Cabir is a
worm that runs on Symbian mobile phones running the
Series 60 platform. Cabir replicates over Bluetooth
connections and appears in the infected phone's
messaging inbox as a SIS file containing the worm. The
minute the unwitting user clicks on it and chooses to
install, the worm activates and starts looking for new
devices to infect over Bluetooth.
More worrying for smartphone owners is the arrival
of Commwarrior - a mobile virus that spreads both via
Bluetooth and MMS messages, which was first reported in
the wild in Ireland as early as January 2005. Commwarrior
could potentially be much bigger trouble than Cabir
because of its capability to spread via MMS, allowing
it to jump from one country to another easily. Up to the
first half of the year, reports of phones infected with
Commwarrior came from 15 different countries, including
the USA, Ireland, India, Italy, Germany, the Philippines and, of
course, Finland.
When Commwarrior arrives via MMS, the user sees a
message that contains a social engineering text and an
attachment. The problem with viruses spread by MMS is
the trust factor; people are more likely to open a file from
someone they know thus giving the virus access to their
own contacts file and ever onwards.
Commwarrior-infected phones can be easily disinfected
by surfing to mobile.f-secure.com and downloading
F-Secure Mobile Anti-Virus - or manually with a third
party file manager. Telecom operators can also scan
MMS traffic for viruses using a suitable tool, for example
F-Secure Mobile Filter.
Award winning and malware conquering across
the board
In the first six months of the year, F-Secure's products
were awarded more than eight times in important trade
magazines from around Europe as well as receiving a
number of other positive reviews - all validating the
excellence of F-Secure as the connoisseur’s choice of antivirus software. As a company we actively solicit the critical
review of our products to enable our customers to make
informed choices. Achieving awards validates the quality
of our products and proves in an unbiased manner to
our customers that with F-Secure they can be sure of the
highest levels of protection on the market.
View our review successes at Awards page.
And with the highest protection in mind, F-Secure
launched its flagship product Anti-Virus Client Security
6 in June at the same time introducing a new approach
to tackling modern day threats known as ‘Behavior
Adaptive Security’ allowing protection to be kept at the
highest level no matter how people use their computers
and networks. A practical example of how this adaptive
technology works is the automatic security level change
when a roaming user connects his laptop to a network
outside corporate premises.
Another example is the monitoring of suspicious activities
beyond ‘normal parameters’ so that no software is
allowed to take control over the computer without the
users’ approval. In this manner, F-Secure has created the
means to anticipate security threats beyond the control of
traditional anti virus prevention and raise the threshold to
a new unprecedented level.
Examples of malware exploits in the first half of 2005
indicate that the malware community are ingenious
in their ability to create workarounds to traditional AV
solutions and invent unprecedented attacks in order
to achieve their criminal goals. Based on our award-winning track record and an innovative approach to
evolving security threats we are confident, however,
that subsequent releases like F-Secure Anti-Virus
Client Security 6.0 prove to industry specialists and
customers alike that we will continue to fulfill the highest
requirements in the market.
2004
2004 THREAT SUMMARY
When looking back at the year 2004, it is clearly split in two:
the beginning of the year was record-breakingly busy with a huge number of
major new virus outbreaks. Since June, however, things calmed down and
we have only had a few serious outbreaks since. This development cannot easily
be attributed to any single reason.
New trends in 2004 were primarily the massive increase in phishing email
scams, introduction of open-source botnets - networks of infected machines
harnessed for malicious operations, and for-profit virus-writing, but this year
was also the best year ever in actually catching virus writers and other cyber
criminals.
The network worm problems encountered during the year have shown how
important it is to protect every single computer with a personal firewall.
During 2004 the number of known viruses passed the 100,000 mark.
F-Secure Corporation classifies viruses according to their severity on a scale
called Radar. The number of level one alerts, the most severe type, was four
in 2004 (7 in 2003). Most of the Radar alerts issued in 2004 happened during
the first five months of the year.
When we look at the year as a whole, six virus families were in a league of their
own: Bagle, Mydoom, Netsky, Sasser, Korgo and Sober. It is interesting to note
that of these six largest cases, three would be categorized as for-profit virus writing (Bagle, Mydoom and Korgo). These viruses are linked
either with spammers or with the stealing of banking information.
Around 70 percent of all email is nowadays spam - and
most of that is sent through infected home computers.
As spammers also make good money out of it, they can
invest into their operations - making the problem even
worse.
Due to this and the organized crime behind some of
today's viruses, the amount of infected email has grown
massively from 2003. Despite of this we have only seen a
few big outbreaks in the second half of the year 2004.
The Virus War
The year kicked off with an intense battle between the
creators of three different viruses; Bagle, Mydoom and
Netsky.
All three are email worms, spreading by sending infected
attachments. Bagle and Mydoom create spam proxies;
Netsky uninstalls them.
What we saw during January-May was an unusual race
between three different viruses. New variants were popping
up all the time, peaking on March 3rd, when we found a
new variant of each within one hour!
[Graph: Doomjuice.A managed to disrupt the operation of
www.microsoft.com in February. Graph (c) Rommon.]
It is interesting to note the variety of techniques we saw in
the different variants of these worms.
For example, they would use highly misleading icons
to try trick users into clicking email attachments. Bagle
sometimes used icons which resembled folders - but they
were in fact the virus carrying executables.
The biggest single outbreak was Mydoom.A - in fact, this
outbreak, first seen on January 26th, was the largest email
incident in history, surpassing even the Sobig.F epidemic
of 2003. At its worst, close to 10 percent of all email traffic
globally was caused by Mydoom.A.
Many of the Mydoom variants launched distributed
denial-of-service attacks:
• Mydoom.A attacked and took down SCO.COM
(as a result, SCO took the domain offline for five
weeks)
• Mydoom.B attacked MICROSOFT.COM with little
visible results
• Doomjuice.A also attacked Microsoft and was
successful to some level
• Mydoom.F attacked and took down RIAA.COM
Mydoom.M used Google to search for email addresses
(as a result, Google was overloaded with requests and
remained offline for hours).
Mydoom relied on substituting icons of familiar
applications for its attachment, making the virus appear to
be a document or a movie file.
Late variants of Bagle came up with new tricks:
• At first, Bagle sent infected executables as
attachments
• We started detecting that
• Then it started sending zipped executables
• We started unpacking the ZIPs and detecting the
virus
• Then Bagle started encrypting the ZIPs with a
password and telling the user the password in the
email
• We started searching the email for the password
and decrypting the attached ZIP files
• Bagle started telling the password to the user in an
image, so it couldn't be found from the email text.
• - and so on and on, in a big game of cat and mouse.
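The Bagle arms race above forced mail scanners to look at archives the way the following added example does. It is not F-Secure's detection code; it uses only the Python standard library and a constructed sample message. Two facts make it work: entries protected with the traditional ZIP encryption keep their file names and their "encrypted" flag in the clear in the central directory, so a filter can still see an executable inside a password-protected archive; and a password the worm has to tell the victim in the mail body can be harvested from that body and tried against the archive. The password phrasing pattern is an assumption, not a catalogue of real Bagle templates.

```python
"""Triage a ZIP mail attachment: executable inside, double extension, password in the body.

Added example. The sample archive and message are constructed here; the
archive is not encrypted because the standard library cannot write
encrypted ZIPs, but the same code reads the encryption flag and tries
harvested passwords when it is set.
"""
import io
import re
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
DOCUMENT_SUFFIXES = (".doc", ".xls", ".pdf", ".txt", ".jpg", ".gif", ".avi", ".mpg")

# "password is 54321", "Password: abc123" and similar (assumed phrasing).
PASSWORD_PATTERN = re.compile(
    r"\bpass(?:word|code)?\b\s*(?:is|:)?\s*[\"']?([A-Za-z0-9]{3,16})", re.I)
STOPWORDS = {"for", "the", "and", "you", "your", "this"}


def candidate_passwords(body):
    """Harvest likely archive passwords from the message text, in order of appearance."""
    found = []
    for m in PASSWORD_PATTERN.finditer(body):
        tok = m.group(1)
        if tok.lower() not in STOPWORDS and tok not in found:
            found.append(tok)
    return found


def looks_executable(name):
    """True for names ending in a Windows-executable suffix."""
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def has_double_extension(name):
    """'photo.jpg.exe': a document-looking suffix directly before the executable suffix."""
    stem, _, ext = name.lower().rpartition(".")
    return ("." + ext) in EXECUTABLE_SUFFIXES and stem.endswith(DOCUMENT_SUFFIXES)


def triage_zip_attachment(zip_bytes, body):
    """Return a verdict dict for one archive; reads only the central directory unless encrypted."""
    verdict = {"encrypted": False, "executables": [], "double_extension": [],
               "password_found": None, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
        for info in entries:
            if info.flag_bits & 0x1:      # general purpose bit 0: entry is encrypted
                verdict["encrypted"] = True
            if looks_executable(info.filename):
                verdict["executables"].append(info.filename)
            if has_double_extension(info.filename):
                verdict["double_extension"].append(info.filename)
        if verdict["encrypted"] and entries:
            # Try each harvested password; a wrong one raises RuntimeError.
            for pwd in candidate_passwords(body):
                try:
                    with zf.open(entries[0], pwd=pwd.encode()) as fh:
                        fh.read(1)
                except (RuntimeError, zipfile.BadZipFile):
                    continue
                verdict["password_found"] = pwd
                break
    # An archive whose password is in the same mail is itself a strong signal.
    verdict["suspicious"] = bool(verdict["executables"] or verdict["double_extension"]
                                 or (verdict["encrypted"] and verdict["password_found"]))
    return verdict


def build_sample(filename="photo.jpg.exe"):
    """Constructed sample: a worm-style mail body plus a ZIP holding `filename`."""
    body = ("Hi! The photos from the party are in the attached archive.\n"
            "The password is 54321 because the mail server scans everything.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(filename, b"MZ" + b"\x00" * 62)   # fake PE stub, not a real program
    return buf.getvalue(), body


if __name__ == "__main__":
    archive, text = build_sample()
    print(triage_zip_attachment(archive, text))
```

The step Bagle took next, putting the password in an image, defeats the text harvester but not the name and flag checks, which is why a policy of quarantining encrypted archives that contain executables (or any encrypted archive from outside) held up better than chasing passwords.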
Netsky played its own tricks, for example by adding fake
"scanned for viruses" banners to the mails it sent.
Another trick was seen in Netsky.X: it sends messages in
many different languages depending on the recipient's
top-level domain. The message could be in English,
Swedish, Finnish, Polish, Norwegian, Portuguese, Italian,
French or German.
The main goal for Bagle and Mydoom was to turn the
infected machine into a spam proxy that the spammers
could use to send out bulk email. The Mitglieder proxy
trojan is an interesting link between these two viruses.
The first known version of this trojan was used by Bagle.A
in January 2004. Bagle.A downloaded it from a web site
and installed it on infected computers.
Mydoom.A left a small backdoor on each infected
computer. Several days after the initial outbreak someone
who knew how to operate the backdoor portscanned
large parts of the internet address space and installed
another version of the Mitglieder trojan on these
machines - and started sending spam through them.
The fact that both the Bagle and Mydoom families utilize
the Mitglieder trojan might indicate that there is, in fact, a
single group of virus writers behind both of them.
Some variants were more successful than others. Netsky.P
became the most widespread. It was the most common
virus in our statistics from April 2004 to August 2004 and is
still in the top 10 in December.
The result of all of this was that the first months of the
year were very busy virus-wise - probably the busiest
we have ever seen. Around June, however, the situation
started to calm down a bit.
Case Sasser
On May 1st we saw the biggest network worm case of the
year: the Sasser worm started spreading, exploiting a
new security hole in the LSASS service of Windows 2000
and XP. Microsoft had issued a patch for this hole only 18
days earlier, meaning that many organizations had not
yet installed the patch. This phenomenon, where a real-world
worm would be found just days after a vulnerability
was announced publicly, was repeated several times
throughout the year.
Sasser could be compared to the Blaster outbreak in
August 2003 in many ways. Both were automatic network
worms affecting Windows 2000 and XP users, scanning
random IP addresses and using FTP (or TFTP) to transfer
the actual worm file to the infected host.
Also, both worms caused unpatched machines to start to
reboot. This created some major headaches in computer
systems and in networks in general:
There were Sasser-related problems in at least three
large banks. RailCorp rail traffic was halted in Australia on
Saturday, leaving 300,000 travellers stranded. Two county
hospitals in Sweden got infected, with 5000 computers and
X-ray equipment offline. The European Commission in Brussels
and the UK Coastguard were affected too, as were many other
organizations around the world.
Sasser was released early on a Saturday morning. The next Friday,
the German police arrested a young programming
hobbyist named Sven Jaschan. He confessed to writing
both the Sasser and Netsky virus families. His motive:
fighting the spammers behind the Bagle and Mydoom
virus families.
For several months after Sven Jaschan was arrested
his viruses continued to top the virus charts. Even in
December 2004, five out of the TOP 10 viruses were
Netsky variants, with Netsky.P being by far the most
common one in the wild.
Arrests
Wanted by FBI
Year 2004 was the best year ever in actually catching virus
writers and other cyber criminals.
Microsoft started offering bounties for the writers of
certain viruses already in late 2003. So far, they have not
actually paid any out. However, such bounties put
pressure on virus writers as they become afraid of others
ratting them out. For example, the information that was
used to arrest Sven Jaschan was given to the authorities
in the hope of collecting such bounty money.
There have also been several arrests of people of
Russian, Lithuanian and Ukrainian origin, who have
been found behind the phishing attacks in the USA, UK and
Australia.
One such arrest was that of Mr. Andrew Schwarmkoff, who was
charged with credit card and identity fraud in Brighton,
Boston.
Apparently Mr. Schwarmkoff sent out phishing emails
to collect people's credit card and banking details.
He was arrested with $200,000 worth of stolen
merchandise, credit card scanning equipment, more than
100 ID cards with fraudulently obtained information and
nearly $15,000 in cash. He is alleged to have underground
connections with the Russian mafia.
Authorities in several countries completed big operations
to arrest online criminals. For example, the US Secret
Service shut down the carderplanet.cc and shadowcrew.com
sites, which were used to trade stolen credit card
numbers online.
Distributed denial-of-service attacks are being used in a
more organized way as well.
Mr. Jay Echouafni, the CEO of satellite receiver reseller
Orbit Communication, was charged with hiring hackers
to launch DDoS attacks against their competitors. The
idea was to take down the online ordering systems of
other large competitors, such as rapidsatellite.com and
weaknees.com.
After being charged Mr. Echouafni skipped bail, and is
today listed among the FBI's most wanted.
Mobile Threats
The first real mobile phone viruses were found in 2004.
In June 2004 we found Cabir, the first virus to hit Symbian-based
Bluetooth phones. At the same time it was the first
virus that spreads based on proximity - if you are close to
an infected Bluetooth device you can get infected. Later
in July we found a proof-of-concept PocketPC virus called
Duts. Shortly thereafter we found the first backdoor for
PocketPC devices (Brador).
In spring 2004 we found a game for Symbian phones
(Mosquitos), which was secretly sending messages to
expensive toll numbers, creating invisible costs for the
user.
In November we discovered yet another new threat, as we
received reports of users who had been hit by the new
Skulls trojan on their phones.
This trojan has been distributed on some Symbian
shareware download sites as an "Extended Theme
Manager" or "Camera Timer" freeware tool. It makes the
smartphone features of your phone useless, leaving you
with the ability to still make calls with the phone but that's
it; no messages, no web, no applications. Recovery can
get tricky, and might cause the user to lose all of his own
data on the phone - including phonebook, calendar and
message history. The most obvious symptom of the trojan
is that the typical programs on the phone will not work
any more, and that their icons get replaced with a picture
of a skull.
Mobile devices are more and more common and as they
become more widespread they also become a more
attractive target for virus writers. The bigger the target,
the better it looks to these people. Also, with the increase
of for-profit virus writing the likelihood of severe mobile
viruses is high. Every phone call or SMS message is also
a financial transaction. That opens up a flood of earning
opportunities for the for-profit hackers and virus authors.
Spamming
The spam situation is getting worse and worse. Around
70 percent of all email is nowadays spam - and most of that
is sent through infected home computers. The CAN-SPAM
act passed in the USA in early 2004 did little to solve the spam
problem. Many argue it actually made the situation more
difficult, by legalizing spamming in the USA as long as one
follows certain guidelines. It would be similar to passing a
law that would make it ok to steal money as long as you're
being nice about it.
Spammers make good money out of spam. This means
spammers can invest in their operations - making the
problem worse.
One of the few spammers ever sentenced, Mr. Jeremy
Jaynes (aka Gaven Stubberfield), is a good example of how
well this works. This spammer from North Carolina was
getting rich by sending out up to 20 million spam emails a
day. Only a few hundred of those would actually lead to a
sale (a response rate on the order of 0.001 percent). However, even
that would be enough to create him an income of up to
$750,000 a month.
Eventually, Mr. Jaynes built a fortune worth as much as $24
million - including several cars and several houses, with
one mansion having 16 separate T-1 data lines connected
to it to provide spamming bandwith.
The good news is Mr. Jaynes was arrested, charged and
convicted. He's now serving nine years in a jail, which is
in fact a surprisingly long sentence. His defense attorney
argued that the prosecutors never proved the e-mail
Jaynes sent was unsolicited.
The bad news is that there are hundreds of other
spammers more than happy to jump in on this lucrative
business.
We here at F-Secure also have evidence which would
suggest that some spammers have successfully recruited
individual employees from anti-spam software
developers. Which is like a plot from a bad sci-fi movie: 'come to the dark side - we'll double your salary'.
People who design antispam software would be the best
experts to figure out how to make spam messages get
through antispam filters. Spammers are also known to hire
linguists to assist them in developing spam emails that
better evade antispam traps.
Such trends are disturbing, of course. What's next? Virus
writers hiring anti-virus researchers?
Other Cases
In 2004 we saw at least two major cases where popular
websites were hacked and had an exploit installed to
them. The first case in June was done with the Download.
Ject exploit and the second in November with an
IFRAME exploit. In both cases the end result was that
when end users surfed to well-known and trusted web
pages, their PC got exploited...if they were surfing with
Internet Explorer. Many high-profile organizations have
recommended over and over again during 2004 for
people to upgrade to alternative browsers because of
security concerns. And in fact, IE's market share seems to
have dropped at least some percentage points during the
year.
Botnets keep getting bigger and bigger. The sheer number of
bots based on open source code has skyrocketed, and
several thousand variants of bot families like Agobot are
now known.
Linux
There were no major incidents in the Linux operating system.
Some bugs were found and SuSE has patched three
local security holes that allowed a local user to take over
the computer. Security holes have been found and
patched quietly in other widely-used systems, e.g.
Samba, Squid and PHP. Such incidents would have created a
lot of publicity in the Windows world.
Windows XP Service Pack 2
Microsoft shipped Windows XP Service Pack 2 in August.
SP2 is by far the largest service pack we've seen (it's
over 250MB in size and quite a download). What's more
important, this SP centres around security features only.
From the antivirus point of view, the three most important
features in SP2 are:
• Stack & heap protection: this will make it much
harder to generate exploits for buffer overflows,
such as those used by automatic network worms
like Slammer, Blaster and Sasser. We had a look at
how Microsoft actually implemented this, and it
looks good. (In SP2 this means Data Execution
Prevention, which needs processor no-execute
support to block code running from the stack or
heap, plus stack cookies and heap metadata checks
in the system binaries; it raises the bar for the
exploit writer rather than removing the bug class.)
• Built-in firewall, which is enabled by default,
and running right from the boot-up. It will not
only prevent access from the outside but it will
also warn users when local applications start to
listen on specific ports. It won't warn when local
applications send data to the Internet, though.
• Patched versions of IE and Outlook. As these are
the most common tools to access the net, it is
important to have them up-to-date.
The end result will be that once patched XPs become
commonplace, it will be much harder to create large
network worm outbreaks. User-assisted viruses (like email
worms) will not go away...and the bad boys will eventually
find ways around the safeguards. But nevertheless, this is a
big improvement.
As XP is already the most common operating system on
the Internet, this Service Pack is very important. We hope
the majority of XP users will apply it soon. This would
benefit everybody on the Internet.
Monthly Wrap-Up of the Year
January
• First variants of Mydoom, Bagle and Netsky are
found. The virus war continues for several months.
February
• The Mosquito trojan is found. This Symbian trojan is
a game that secretly sends out SMS text messages to
toll numbers, creating hidden costs to the user.
March
• The Witty worm spreads rapidly, but only affects
users running BlackIce software. However, on
infected machines the worm does really bad
damage, overwriting random parts of the hard drive
for as long as the machine is infected. Witty spreads
through direct network connections, targeting
machines that are running BlackIce security
software. Witty was released only one day after the
vulnerability was announced.
April
• Sober.F, one of the common Sober variants of the
year spreads largely by sending English and German
email messages.
May
• Sasser network worm is found and causes widespread
chaos.
June
• Network worm Korgo is found. This Russian worm
drops an aggressive keylogger. Several variants have
been found throughout the rest of the year - many
have been used to steal user account and banking
details.
• Cabir, the first real virus for mobile phones is found.
July
• Duts, the first real virus for PocketPC phones and
PDAs is found.
August
• Microsoft releases Windows XP SP2, arguably the
largest security effort ever done by the company.
• Brador, the first backdoor for PocketPC devices is
found.
September
• There is a lot of media buzz about a JPEG
vulnerability, but it never becomes a big problem.
October
• Somebody registers a domain called fedora-redhat.com
and does a fairly large spam run, targeting
Linux users. The spam message claims a security
vulnerability has been found in Fedora Linux and the
fix is available at fedora-redhat.com. The fake update
file turns out to be a rootkit.
• First real malware for Apple Macintosh OS X is
found. Known as "Opener", this is a bash script which
installs itself as a startup item and copies
itself to all mounted drives. It contains destructive
functionality, a keylogger, a backdoor etc.
November
• A virus known as Bofra is found. This is one of the
fastest viruses ever to take advantage of a new
security vulnerability, released only five days after
the vulnerability was announced.
• Skulls trojan for Symbian phones is found.
• Sober.I becomes the largest outbreak of the last half
of the year.
December
• Lycos Europe starts a controversial program to fight
spammers via their makelovenotspam.com site.
Spammers quickly counterattack them. The service
is discontinued after the first week of operation.
To communicate breaking news fast F-Secure initiated
a weblog to provide customers and the media with the
latest factual information about viruses, worms, security
hacks, and the people behind them. Comments and
analyses are updated continually by Mikko Hypponen and
the rest of F-Secure's security research team, and postings
often include screen shots and images of actual viruses
and malware code.
The End of Email?
"We don't see many directly destructive viruses nowadays;
most viruses just try to silently take over your machine
instead", says Mikko Hypponen, Director of Anti-Virus
Research at F-Secure.
"Current email systems are in serious trouble. I'm afraid
we need to do a major overhaul of the underlying email
standards in the near future. This would mean changing
the basic protocols to more robust ones and adding
strong user authentication. This would be a massive and
very expensive project...which means it won't be done
until the current email systems simply stop working",
concludes Hypponen.
Company Summary
During 2004 F-Secure Corporation has been the fastest
growing company globally in the antivirus and intrusion
prevention industry with more than 50 percent growth of
revenues during the first 9 months of 2004.
Growing at twice the market rate can only be based on
happy customers. Our customer satisfaction has stayed
at 4.3 on a scale from 1 to 5 (5 being the best) for the last
three years. A major part of the value we provide to our
customers is our commitment to protect them against
new threats better than any other vendor. That we have
been able to do systematically and provably over the last
ten years.
Based on independent research by AV-Test.org and
Messagelabs, F-Secure detects new threats faster
than other major antivirus vendors. F-Secure
also updates customers more regularly than other major
antivirus vendors. Between January and August 2004,
F-Secure sent out an average of 48 updates per month,
which is 50 percent more than Symantec, almost three
times as many as Trend and almost five times as many
as McAfee. For the 45 major malware epidemics during
2004, F-Secure customers received their updates on
average six hours after the first sample was detected,
while, on average, Trend customers were updated
ten hours, McAfee customers 14 hours and Symantec
customers 16 hours after the first sample. (Source: AV-Test.org)
ISP Offerings
F-Secure's concept of offering security solutions
through outsourced services to Internet users is gaining
in popularity. More and more service providers are
gradually acknowledging the benefits of partnering with
F-Secure. F-Secure is constantly entering new territories
successfully, while reinforcing the position in the existing
markets at the same time. During the last six months
service providers in 6 new countries, including Canada,
Turkey, USA, Greece and Switzerland have chosen
F-Secure as their security partner. Overall, 40 service
provider partnerships have been announced and 16 of
those during the last six months. This makes F-Secure the
fastest growing company in the world in offering security
services through service providers.
Mobile Offerings
In Q4 2004, Nokia announced the first two phones in
history that ship with antivirus software enabled. These
phones are Nokia 6670 and Nokia 7710. The antivirus
software on them is made by F-Secure.
F-Secure Mobile Anti-Virus is the most comprehensive
solution for protecting smartphones against harmful
content, from undesired messages to malfunctioning
applications. It provides real-time, on-device protection
and automatic over-the-air antivirus updates through a
patented SMS update mechanism.
In addition to the hardware vendor cooperation, Elisa, as
the first mobile operator in the world, has started offering
wireless antivirus services to its smartphone customers.
The service is based on the F-Secure Mobile Anti-Virus
service solution.
2003
2003 THREAT SUMMARY
Overview
The year 2003 has clearly been the worst in virus history. At the same time, the
entire computer virus phenomenon saw its 20th birthday this year. New trends
in 2003 were primarily the way spammers began to use viruses as a tool and
how several critical infrastructure systems suffered from the consequences
of virus outbreaks. The network worm problems encountered during the
year have shown how important it is to equip every single computer with
a personal firewall. The number of known viruses is at the moment some
90,000.
Virus problems seem to arrive in waves. Year 2001 was a very busy virus year,
while 2002 was clearly quieter. Unfortunately, 2003 exceeded previous years in
terms of both the number of virus outbreaks as well as their extensiveness and
severity.
F-Secure Corporation classifies viruses on a scale called Radar according to
their severity. The number of alerts of level one, or the most severe types,
was seven in 2003. In 2002 the number was only two. The number of level two
alerts was 25 in 2002 and 28 in 2003. Some of the virus cases seen during the
year were caused by old viruses, some of which have been out in the wild for a
couple of years now.
When we look at the year as a whole, five cases were in a league of their own:
Slammer, Bugbear.B, Blaster, Sobig.F and Swen.
Case Slammer
The explosive outburst of the network worm Slammer (or Sapphire) in January
2003 was the biggest attack against the Internet ever. Slammer was a fully
automatic network worm and it was able to infect computers directly over
a network connection. In other words, it did not spread through e-mail like
many other major outbreaks.
Slammer infected Windows systems with Microsoft SQL database software
installed on them. Many widely used office applications automatically install
this software on the systems. However, most of the computers around the
world did not have it installed and Slammer could not infect them. In fact, the
main problem was not that Slammer would have infected that many systems,
but the way it aggressively looked for new victims in the network and caused
an enormous amount of network traffic.
In theory, there are some 4 billion public IP addresses on
the Internet. The Slammer worm was released on January
25, 2003 around 04:31 UTC. By 04:45 it had scanned
through all Internet addresses - in less than 15 minutes!
This operation can be compared to an automatic system
dialing all available phone numbers in the world in 15
minutes. As on the net, only a small number of phones
would answer the call but the lines would certainly be
congested.
The network jam caused by Slammer had dramatic
consequences, which are discussed in more detail further
on in this summary.
Case Bugbear.B
The e-mail worm Bugbear.B was detected on June 5. It was
a successor of the widely spread Bugbear.A.
This virus was interesting because it tried to steal
information from banks and other financial institutions.
When Bugbear.B infected a computer, it checked if the
affected computer was located in an internal network of
a known financial institution. If this was the case, the virus
gathered information and passwords from the system and
sent them to ten pre-defined e-mail addresses.
To this end, the worm carried a list of network addresses
of more than 1300 banks. Among them were network
addresses of American, African, Australian, Asian
and European banks. As soon as this functionality
was discovered, F-Secure warned the listed financial
institutions about the potential threat. The response time
of the F-Secure Anti-Virus Research Unit was 3 hours 59
minutes from the detection of the worm to the release of
an anti-virus update. F-Secure also published a free tool to
clean systems affected by Bugbear.B.
The Bugbear.B worm propagated widely during the
summer, but the amount of actual damage remains
unknown.
Case Blaster
Blaster (or Lovsan or MSBlast), which was detected
on August 11, was also an automatic network worm
and basically similar to Slammer, but it was able to
infect a significantly larger amount of computers. The
vulnerability used by Blaster affected millions of Windows
2000 and Windows XP users, whose Windows operating
system had not been appropriately updated. Blaster,
however, propagated at a considerably slower speed
than Slammer, yet it was significantly faster than viruses
spreading through e-mail.
The RPC hole used by Blaster had been detected on July
16, less than a month earlier. As July - August is the main
summer holiday season, many organizations had failed to
install security patches before the worm appeared.
The first symptom of the Blaster virus was that Windows
XP users started seeing a message about the shutdown
of the RPC process and about Windows restarting in
60 seconds. After the system had restarted, the same
message often appeared again in a few minutes. This was
repeated until the user disconnected the computer from
the Internet or updated Windows. It took some 10 minutes
to download the security updates from Microsoft’s
windowsupdate.com service. Many users running into the
problem were unable to update the operating system as
the system restarted over and over again because of the
worm and the downloading process was interrupted.
The writer of the Blaster worm was probably a young
hacker who wanted to express his or her hostility towards
Microsoft. An indication of this is the text found inside
the virus: “billy gates why do you make this possible? Stop
making money and fix your software!!”, and the fact that
the worm was programmed to start its denial of service
attack against the windowsupdate.com site five days
after it was found. Since windowsupdate.com was not
Microsoft’s official update site, the company responded
by removing the site from the Internet a few hours before
the attack started, while addresses like windowsupdate.
microsoft.com remained in operation. However, the virus
got what it wanted: windowsupdate.com does not exist
any more.
One of the consequences of the Blaster worm was that
some competing virus writer created a virus fighting
against Blaster. This virus, known as Welchi or Nachi,
infected computers already infected by Blaster. As soon
as Welchi had entered a system it destroyed Blaster and
tried to download and install Windows security updates.
In other words, it was an anti-virus virus. Too bad that
the cure was worse than the disease: Welchi generated
considerably more network traffic than Blaster and was
the reason for most of the severe system outages in
companies in mid-August.
One of F-Secure’s honeypot machines caught the first
known sample of the Blaster worm on Monday evening,
August 11, 2003. F-Secure warned CERT (Computer
Emergency Response Team) of the new threat within an
hour. The response time of F-Secure’s Anti-Virus Research
Team was 2 hours 3 minutes from the detection of the
worm to the release of an anti-virus update. F-Secure also
made available a free tool to clean systems affected by
Blaster or Welchi.
Both Blaster and Welchi hampered the operation of
important systems, such as automatic teller machines
and public transportation. These are discussed in more
detail in a separate section. However, it is important to
note that especially Welchi still continues to spread. After
several months since the actual epidemic, an unprotected
Windows machine can get infected in just minutes when
connected to a network.
Case Sobig.F
Only a week after Blaster was detected things started
happening again. Early on Tuesday morning on August 19,
2003 F-Secure received a sample of a new e-mail worm.
This turned out to be the latest addition to the Sobig virus
family. It was the worst e-mail worm ever, sending over
300 million infected e-mail messages around the world.
The first virus belonging to the Sobig family was found
in January 2003. New versions appeared at regular
intervals. It was odd, however, that the different versions
were programmed to stop spreading after a few weeks.
Later, it was understood that this was a simple version
management technique: the writers of Sobig wanted to
remove old worm versions from the market to be able to
release a new, enhanced version.
In addition to spreading through e-mail, different versions
of Sobig had another common factor, too: they waited for
a couple of days after infecting a machine and then turned
affected machines into e-mail proxy servers. The reason
soon became apparent: spammers, or organizations
sending bulk e-mail ads, used these proxies, which Sobig
had created, to redistribute spam on a massive scale.
Computers of innocent home users were taken over with
the help of the worm and soon they were used to send
hundreds of thousands of questionable advertisements
without the owner being aware of this.
It is likely that there’s a virus writer group behind Sobig.
They planned the operation, then used the worm to
infect a huge number of computers and then sold various
spammer groups lists of proxy servers which would
be open for spreading spam. It was clearly a business
operation.
After Sobig.F was detected on Tuesday morning,
F-Secure’s Anti-Virus Research Team released its anti-virus
update in 2 hours and 33 minutes. Soon after this
the global flood of e-mail messages created by Sobig.F
started. Some individuals reported that they had
received thousands of infected messages in a day. Large
organizations saw hundreds of thousands of messages,
and some e-mail systems collapsed under the heavy load.
AOL reported stopping more than 20 million infected
messages by Wednesday, the 20th of August.
F-Secure’s researchers continued studying the code of
the worm and eventually found a functionality hidden in
the virus code: computers infected by the worm were
synchronized with an atomic clock to activate on Friday,
August 22nd at 19:00 UTC. At this clock strike they would
contact one of 20 pre-defined computers around the
world and receive more specific instructions from them.
When this functionality was found, F-Secure had less than
30 hours to disconnect those 20 computers from the
net in order to stop the activation. By working in close
co-operation with Internet operators, CERT units and the
FBI, this was accomplished just in time. The last computer
that needed to be disconnected was shut down only 15
minutes before the deadline.
F-Secure made available a free tool to remove the Sobig.F
worm from infected machines. The tool proved to be very
popular and it was downloaded hundreds of thousands of
times during the Sobig.F week.
Case Swen
The Swen e-mail worm was detected on September
18, 2003, but the problems arising from it continued
for weeks in e-mail systems around the world. E-mail
messages sent by Swen were forged to look like genuine
Microsoft safety updates. It is good to remember that
Microsoft never sends updates as e-mail attachments.
For end users, Swen was not as visible a harm as Sobig.F.
Instead, it caused severe problems to Internet operators.
The reason was that the majority of the e-mails sent by
Swen used incorrect e-mail addresses. Thus, the end users
never saw them, but they generated error messages and
the messages bounced back to the operators’ networks.
End result: several large Internet operators reported
severe delays in email delivery. In some cases emails were
delayed by weeks.
The problems caused by Swen were a concrete
indication of how important the e-mail has become as a
communications channel in only a few years.
The response time of F-Secure’s Anti-Virus Research
Team was 3 hours 57 minutes from the detection of the
worm to the release of an anti-virus update. F-Secure also
published a free tool to clean systems affected by
Swen.
Virus writers and spammers working together
One of the interesting trends during the year was that
virus writers and spammers have found each other.
The most conspicuous example of this was the Sobig virus
family, but there are actually at least four ways in which
the spammers take advantage of viruses:
• Collection of e-mail addresses
Spammers need e-mail addresses to send their
advertisements to. Worms collect addresses from
the user’s address book and files. Additionally,
viruses like Swen display false error messages to the
users and ask them to enter their e-mail address
and password for an error report - which they then
forward to the virus writer.
• Setting up e-mail servers
Malware, such as Sobig, Slanper and Trojanproxy
install a proxy or relay program on the user’s
computer. These are then used to relay spam
through the infected home computer. This prevents
anyone from tracking the actual sender of the spam.
It is estimated that currently more than half of all
spam mail is circulated through home computers
infected like this.
• Setting up web servers for offending material
A large part of spam messages is connected to the
advertising of products that are on the verge of
being illegal. It is not easy for spammers to find www
servers where they could maintain these kinds of
sites. For example, the Fizzer worm installs a web
server on infected machines. The outcome may be
that a home computer of an unsuspecting user may
serve as a web service offering hard porn.
• Attacks against anti-spam services
The worst enemies of a spammer are anti-spam
activists. Variations of the Mimail worm, for example,
activated massive denial-of-service attacks from
infected computers against different anti-spam sites
trying to shut them down or close them. They have
been successful to some extent, too: four known
anti-spam sites had to stop their operations because
of the attacks. Nevertheless, the most important
anti-spam operator, Spamhaus, is still up and running
in spite of the attacks from the spammers.
Spamming is profitable. Spammers have considerable
interests to defend, and they can also invest large
amounts of money in the continuation of their operations.
“Suddenly the nature of our counterpart has changed
completely,” says Mikko Hypponen, Director of Anti-Virus
Research at F-Secure. “Our enemy used to be
amateurs who wrote viruses for the fun of it. Now viruses
are generated by spammer gangs, who develop viruses
professionally”.
Viruses and critical infrastructure
Year 2003 saw virus induced problems in real-life systems
which were unprecedented in their severity. The main
culprits were Slammer, Blaster and Welchi. Additionally,
the e-mail outages caused by Sobig.F and Swen hampered
the operation of corporate systems.
[Image: Bank of America]
The network congestion caused by Slammer dramatically
slowed down the network traffic of the entire Internet.
One of the world’s largest automatic teller machine
networks crashed and remained inoperative over the
whole weekend. Many international airports reported that
their air control systems slowed down. Emergency phone
systems were reported to have problems in different parts
of the USA. The virus even managed to enter the internal
network of the Davis-Besse nuclear power plant in Ohio,
taking down the computer monitoring the state of the
nuclear reactor.
The RPC traffic created by Blaster caused big problems
worldwide. Problems were reported in banking systems
and in the networks of large system integrators. Also,
several airlines reported problems in their systems caused
by Blaster and Welchi, and flights had to be canceled.
Welchi also infected Windows XP-based automatic teller
machines made by Diebold, which hampered monetary
transactions. The operation of the US State Department’s
visa system suffered. The rail company CSX reported that
the virus had interfered with the train signaling systems
stopping all passenger and freight traffic. As a result of
this, all commuter trains around the US capital stopped on
their tracks.
The media has given a lot of attention to the indirect
effects of Blaster on the power blackout in the
northeastern USA which occurred during the outbreak
week. According to the intermediate report of the
blackout investigative committee there were four main
reasons behind the power failure, one of them being
specifically computer problems. F-Secure believes that
these problems were to a great extent caused by
Blaster. A separate official committee is still investigating
this issue in detail.
It is important to note that even though the system
problems caused by Slammer and Blaster were truly
considerable, they were only byproducts of the worms.
The worms only tried to propagate: they were not
intended to affect critical systems. The viruses affected
environments that had nothing to do with Windows:
the massive network traffic caused by the worms alone
disrupted their operation.
Network worms, such as Slammer, manage to spread into
virtually isolated systems thanks to their effective and
systematic operation: Slammer exhaustively scans every
single Internet address it can reach. Therefore, if a critical
computer is connected to any device which is linked to
some public network, even indirectly, Slammer will find it
sooner or later.
In principle, SQL or RPC-based worms should never be
able to enter company intranets through the public
Internet, because firewalls should prevent this type of
traffic. Sometimes viruses were able to pass through the
firewall because of errors in configuration, but a typical
route to the internal networks was an employee’s laptop
that had been infected at home or for example in a hotel
network. When the infected machine was taken back to
the office, the worm was able to spread like wildfire in the
company intranet. There have also been cases where a
WLAN network card inserted in a company PC contacted
a public network at the same time as the machine was
connected to the intranet through a network cable.
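Whatever path a worm takes into the intranet (a misconfigured firewall, a laptop infected at home, a PC bridging WLAN and cable), the behaviour on the inside is the same: one host suddenly contacts dozens of distinct addresses on the port the worm scans. The following Python script is an added example, not F-Secure's code, of the detection side of that observation. It parses constructed firewall log lines in an assumed format ("timestamp src dst proto/port") and flags hosts that reach a threshold of distinct destinations on a worm-associated port within a sliding window. The port numbers (UDP 1434 for Slammer's SQL resolution service, TCP 135 for the RPC endpoint mapper used by Blaster and Welchi) are well-known facts not stated on this page.

```python
"""Flag hosts whose connection pattern looks like a random-scanning worm.

Added example (not F-Secure's code): parses constructed firewall log lines
in an assumed format and reports internal hosts that contact many distinct
destinations on a worm-associated port within a short time window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports the 2003 worms scanned: Slammer used UDP 1434 (SQL Server resolution
# service), Blaster and Welchi used TCP 135 (RPC endpoint mapper).
WORM_PORTS = {
    ("udp", 1434): "Slammer-style SQL scan",
    ("tcp", 135): "Blaster-style RPC scan",
}


def build_sample_log():
    """Constructed log lines; assumed format is 'ISO-timestamp src dst proto/port'."""
    base = datetime(2003, 8, 11, 18, 0, 0)
    lines = []
    # An infected laptop sweeping 30 hosts on TCP 135 within 12 seconds.
    for i in range(30):
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} 10.1.5.23 10.1.{7 + i // 10}.{i % 10 + 1} tcp/135")
    # A workstation talking repeatedly to a single SQL server: not a scan.
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.1.5.40 10.1.9.5 udp/1434")
    # Ordinary web traffic to a handful of sites on a port we do not track.
    for i in range(8):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.1.5.41 203.0.113.{i + 1} tcp/80")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src, dst, (proto, port))."""
    ts, src, dst, service = line.split()
    proto, port = service.split("/")
    return datetime.fromisoformat(ts), src, dst, (proto, int(port))


def find_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: (label, distinct_destinations)} for hosts over the threshold.

    The count is of distinct destinations inside a sliding window, so a host
    hammering one server many times is not mistaken for a scanner.
    """
    events = defaultdict(list)  # (src, (proto, port)) -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, key = parse_line(line)
        if key in WORM_PORTS:
            events[(src, key)].append((ts, dst))
    hits = {}
    for (src, key), evs in events.items():
        evs.sort()
        in_window = Counter()
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that have fallen out of the window.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                hits[src] = (WORM_PORTS[key], len(in_window))
                break
    return hits


if __name__ == "__main__":
    for src, (label, n) in find_scanners(build_sample_log()).items():
        print(f"{src}: {label}, {n} distinct destinations within the window")
```

The window and threshold are tunable: Slammer-class worms hit the threshold within a second, while an e-mail worm never would, which is why this check pairs well with the personal firewall the summary recommends for every desktop rather than replacing it.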
Not all problems in critical systems were caused by
viruses. In October 2003, a 19 year old British hacker
was tried in court, because he had crashed information
systems of the Port of Houston in USA. It was assumed
that the reason behind the attack was jealousy.
Iraq
The war in Iraq, which started in March, had an
indirect effect also on public information networks.
The phenomena were not caused by official network
warfare between USA or Iraq forces, but by the activities
of individual hackers, wanting to publish their own
messages.
People behind the attacks were either patriotic hackers,
extremists, or pacifists. The methods used in the attacks
were mainly web defacements and to some extent also
viruses.
Attacks seen in March included:
• Denial-of-service attack against the web site of Al-Jazeera TV network
• Denial-of-service attack against the web site of the
British prime minister
• Several “Kill Saddam” defacement attacks
• Attacks quoting the Koran against US and British
web sites
• Repeated attacks against the www sites of the US
Army, Navy and Air Forces
• Several computer viruses, which were spreading
an anti-war message or tried in other ways to take
advantage of the situation, such as Ganda, Lioten,
Prune and Vote.D.
The number of defacements was more than 20 times
higher during the week the war started if compared to the
previous week.
Other observations
The virus problems in 2003 concentrated on the Windows
platform. No new major viruses were detected in the Linux
or Mac environment. No viruses aimed at PDAs or mobile
phones were encountered either.
During the spring and fall, there were several court
cases in the UK, where the accused defended themselves by
explaining that even though their computers had been
involved in crimes, the body behind the crime was not the
owner of the computer but a virus, which had infected the
system.
Ways to protect computers
F-Secure recommends four basic methods to protect
computers:
• Apply operating system patches regularly
• Switch the computer off or disconnect the network
cable whenever the computer is not in use
• Install an automatically updated anti-virus
program
• Install a personal firewall - this concerns also
desktop computers inside the company’s internal
network.
In September, F-Secure announced the new F-Secure
Anti-Virus Client Security software. It consists of an
anti-virus program and integrated firewall software as well
as intrusion control and application control. With this
application, a firewall is added to each computer along with
the anti-virus system.
Outsourcing security to a service provider or Internet
operator has proved an efficient way for home users
or small companies to solve everyday data security
problems. F-Secure continues to work together with
operators in this field to provide applicable solutions.
We would also like to point out that the only way to
protect critical computer systems is to keep them disconnected
from all networks.
Future
Attacks against data systems will increase and become
more and more professional. The virus technology used
by spammers is threatening to change the entire Internet
into a battle field. The people behind the network attacks
are hackers, activists, industrial spies, terrorist groups and
organized crime, but the modern society must be able to
function in spite of attacks against data security.
“I’m afraid there will be a lot of work for us also in 2004”,
says Mikko Hypponen, Director of Anti-Virus Research at
F-Secure.
Appendix: Major virus cases of 2003
January
• The Slammer worm attacked: the biggest
attack against the Internet ever
• The first member of the Sobig virus family, Sobig.A
was found
• Dedicated to Canadian singer Avril Lavigne, Lirva.A
and Lirva.B worms spread widely through e-mail, file
sharing and peer-to-peer networks
February
• Lovgate.A out in the wild. Lovgate guesses user
passwords and infects the computer through
network sharing or e-mail
March
• Deloader.A and new variants of Lovgate spreading.
They both allot user passwords
• The Ganda e-mail worm, which took advantage of
the Iraq war was going around
May
• The Fizzer worm spread all over the world. The virus
is strongly linked to spammers
• Second and third variants of Sobig (B and C) are
detected. They both spread very extensively
June
• Bugbear.B attacking banks spreads around the world
• Fourth and fifth variant of Sobig (D and E) are
detected. The D version fails to spread. On the other
hand, version E becomes the most widely spreading
variant this far
August
• The worst virus month in history
• The first member of the Mimail virus family is
detected
• Blaster spreads globally
• Welchi spreads globally
• Sobig.F spreads globally
September
• The Swen worm is detected. The e-mail problems
caused by it go on for months
• Several new viruses are detected on the anniversary
of the terror attacks of September 11, for example
Mimail.B and Vote.K, which contain text “WORLD
TRADE CENTER, REVENGE”
October
• The Mimail.C worm is detected and launches denial
of service attacks
• The Sober worm sends infected e-mail messages,
which look as if they originated from anti-virus
companies
November
• Ten new variants of the Mimail virus were detected
during the month. The variants attacked anti-spam
sites, among others, or stole users’ credit card
details
• At least four significant servers of Linux developers
were broken into and distribution packages or
source codes were modified. In some cases it took
several weeks before the problem was detected
2002
2002 THREAT SUMMARY
In 2002, the data security world was characterized by new types of threats.
Virus outbreaks in Linux systems, attacks utilizing open source code, breaks
into home computers and increasing activity of Asian virus writers kept data
security companies busy. Known viruses today amount to some 80,000.
Computer viruses still pose the greatest single problem, even though the
number of worldwide outbreaks was clearly smaller in 2002 than in 2001.
F-Secure Corporation classifies viruses on a scale called F-Secure Radar
according to their severity. The number of alerts of level one, or the most
severe types, was nine in 2001. In 2002, the number was a mere two: the
Slapper network worm attacking Linux systems and the Bugbear e-mail worm
attacking Windows systems. Respectively, level two alerts were given 31 and
26 times. The majority of virus cases seen during the year were caused by old
viruses, some of which have been out in the wild for a couple of years now.
Even though the number of outbreaks has been smaller than during the
previous year, new viruses are detected more or less at the same rate as
before. Every month, hundreds of new viruses are found. The total number of
known viruses was some 80,000 at the end of year 2002.
One distinct change in 2002 has been the increase in the activity of Asian virus
writers, and the number of viruses originating from Asia keeps growing. The
most significant originator countries include China, Taiwan and South Korea.
Since September 2001, there have been hardly any viruses written in North
America: a more strict attitude towards crimes directed at the society has
considerably decreased the number of viruses from the US.
Lively e-mail worms
There were two viruses competing for the title of the year’s most bothersome
virus: Klez and Bugbear. Of these, the Klez virus family has been out in the wild
since October 2001 and is still spreading. Bugbear was found in September
2002 and spread all over the world in just a few days. Both Klez and Bugbear
are e-mail worms. Also, they both put fake sender name and e-mail address in
the “From” field of messages they send.
Consequently, innocent persons may be accused of spreading viruses. The
owner of the infected computer may be fully unaware of what has happened
and is not prompted to clean his or her system. Bugbear was an example of
another problem, which became widespread in 2002: the inclusion of remote
access properties into a virus. Each computer infected by Bugbear can be
accessed remotely over the Internet. The attacker can therefore read, delete
or edit any files on the infected machine.
Like many other e-mail worms detected during the year, Klez and Bugbear
took advantage of the IFRAME vulnerability, thanks to which viruses were able
to launch their own attachments while the infected message was read. The
IFRAME hole appears to be a big problem even today, though Microsoft
offered a patch for it more than a couple of years ago.
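The IFRAME trick works because a hidden iframe in the HTML body points at an attachment by its Content-ID, and an unpatched mail client opens that part as soon as the message is displayed, trusting a misleading declared content type. The Python checker below is an added example, not F-Secure's code, of the test a mail gateway would apply on the defending side: parse the message, find iframes with cid: sources, and flag any whose target is an executable attachment. The message is constructed to mimic that layout (the sender, recipient and attachment bytes are placeholders), and the declared audio/x-wav type on an .exe reflects the mismatch Klez used.

```python
"""Flag HTML mail that launches an attachment through a hidden IFRAME.

Added example (not F-Secure's code). The sample message is constructed to
mimic the Klez/Bugbear layout: an <iframe src="cid:..."> in the HTML body
refers to an executable attachment whose declared MIME type is misleading.
"""
import re
from email import message_from_string
from email.policy import default

# File name extensions that Windows would execute when the part is opened.
EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".bat", ".com")
# Declared types that are a red flag for a part launched from an iframe.
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def find_iframe_launch(raw_message):
    """Return [(content_id, filename, declared_type)] for risky iframe targets."""
    msg = message_from_string(raw_message, policy=default)
    parts_by_cid = {}
    html_bodies = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[str(cid).strip("<>")] = part
    findings = []
    for html in html_bodies:
        for cid in IFRAME_CID.findall(html):
            part = parts_by_cid.get(cid)
            if part is None:
                continue  # iframe points outside the message; not this check's job
            name = (part.get_filename() or "").lower()
            ctype = part.get_content_type()
            # Judge by the file name as well as the declared type: Klez declared
            # its .exe attachment as audio to get it opened automatically.
            if name.endswith(EXEC_EXTENSIONS) or ctype in EXEC_TYPES:
                findings.append((cid, name, ctype))
    return findings


# Constructed sample message; the attachment body is a placeholder string.
SAMPLE_MESSAGE = """\
From: "A Friend" <friend@example.org>
To: victim@example.com
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Hi!<iframe src="cid:part1.abc" width=0 height=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="setup.exe"
Content-ID: <part1.abc>
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

if __name__ == "__main__":
    for cid, name, ctype in find_iframe_launch(SAMPLE_MESSAGE):
        print(f"iframe launches attachment {name!r} (cid {cid}, declared {ctype})")
```

Checking the file name and not only the declared type matters because the declared type is exactly what the attacker controls; an iframe that references a genuine image or sound part is left alone.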
Use of file exchange networks and directories
Even though e-mail continued to be the most common
route for viruses, other techniques were also seen. For
example, the Benjamin, Roron and Lolol worms spread
through the Kazaa file exchange network. These viruses
try to distribute infected files to the peer-to-peer network
by using attractive file names and by relying on the fact
that some of the network users cannot tell the difference
between music or video files and program files.
The Opaserv and Lioten worms, on the other hand, spread
from one computer to another through shared directories
or folders. When Windows users share their folders with
other users, they may not realize that files in those shared
folders may be visible to people on the other side of
the world. Opaserv looked for unprotected Windows 95
and 98 computers and broke the password protection
of shared files, thereby quickly becoming a worldwide
problem.
Attacking Linux systems
So far the most widespread Linux virus outbreak was
seen in 2002. A network worm named Slapper was
first detected on September 14th. It quickly infected
thousands of Apache web servers around the world. The
virus only infected servers and was mostly not seen by end
users at all.
The most interesting characteristic of Slapper was its
ability to create a distributed peer-to-peer attack network
by means of which the writer of the worm was able to take
control of any infected server. This feature was probably
created to launch distributed denial-of-service attacks
with the help of the worm. F-Secure’s specialists managed
to disassemble the peer-to-peer protocol used by the
worm and the threat posed by the worm was eliminated in
a few days. However, there is more to come on this front
for certain.
Systems using open source code have been facing other
security problems during 2002 as well. Backdoors were
hidden in the distribution versions of OpenSSH, tcpdump
and libpcap programs. Even though these malicious
additions could be seen by anyone in the source code,
it took days before these changes were noticed in these
cases.
Home computers subjected to attacks
Home computers are one of the biggest problems in the
data security sector. Because home computers do not
normally contain any major secrets their users do not
take security as seriously as business users. However,
computers are attacked for many other reasons besides
theft of information.
Hacking for the sake of fun is increasing all the time.
In these cases the attraction is the computer itself, not
the data contained by it. A modern home computer has
massive capacity: a several gigahertz processor, hundreds
of megabytes of memory and dozens of gigabytes of disk
space. All this with a continuously open connection to
the network through a fast DSL or cable modem. When
combined with an operating system supporting true
multiprocessing it may be that the owner of the system
can be working on his or her computer without noticing
that the system is simultaneously accessed by fifty
teenagers from different parts of the world downloading
the most recently announced movie as an illegal Divx
copy. A typical outcome of this kind of free-riding is that
a home computer is used to distribute illegal or dubious
material without the owner knowing about it. If the
computer owner opens protected VPN connections to
his or her employer’s intranet, the consequences may be
really serious.
The huge capacity of home computers may also lead to
a situation where they are used as a medium in attacks
against networks. When a suitable vulnerability is located
in a popular network service, such as Kazaa, ICQ or MSN
Messenger, a malicious user may get access to millions
of Windows systems through it. An attack network
consisting of them would be able to paralyze most of the
Internet traffic for long periods. Modern society cannot
and should not leave a threat like this without attention.
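The backdoored OpenSSH, tcpdump and libpcap distributions described under "Attacking Linux systems" above went unnoticed for days because nobody compared what they had downloaded with what the maintainers had published. The Python script below is an added example, not F-Secure's or any project's code, of the routine check that closes that gap: verify each downloaded archive against a sha256sum-style manifest obtained over a channel the intruder cannot also modify (a signed file, or a separate site). The archive contents and the "x.y" version names are constructed placeholders.

```python
"""Verify downloaded source archives against a separately obtained manifest.

Added example (not F-Secure's or any project's code). The archives and the
manifest are constructed; the 'x.y' versions are placeholders.
"""
import hashlib


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def verify(files, manifest_text):
    """Compare {name: bytes} against the manifest.

    Returns {name: status} where status is 'ok', 'MISMATCH' (contents differ
    from what the maintainers published), 'unlisted' (file not in manifest)
    or 'missing' (manifest names a file that was not downloaded).
    """
    expected = parse_manifest(manifest_text)
    result = {}
    for name, data in files.items():
        actual = hashlib.sha256(data).hexdigest()
        if name not in expected:
            result[name] = "unlisted"
        elif actual == expected[name]:
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    for name in expected:
        if name not in files:
            result[name] = "missing"
    return result


# Constructed stand-ins for the archive contents.
GOOD_OPENSSH = b"openssh-x.y source archive (constructed bytes)"
GOOD_TCPDUMP = b"tcpdump-x.y source archive (constructed bytes)"
# What a mirror hands out after an intruder appended code to the archive.
TAMPERED_TCPDUMP = GOOD_TCPDUMP + b"\n/* extra code added by an intruder (constructed) */"

# Manifest as the maintainers would publish it. In practice it must come over
# a channel the intruder cannot also modify, otherwise both can be replaced.
MANIFEST = "\n".join([
    "# sha256 digests of the official release archives (constructed)",
    hashlib.sha256(GOOD_OPENSSH).hexdigest() + "  openssh-x.y.tar.gz",
    hashlib.sha256(GOOD_TCPDUMP).hexdigest() + "  tcpdump-x.y.tar.gz",
])


def check_downloads():
    """Verify a download set in which the tcpdump archive was tampered with."""
    downloaded = {
        "openssh-x.y.tar.gz": GOOD_OPENSSH,
        "tcpdump-x.y.tar.gz": TAMPERED_TCPDUMP,
    }
    return verify(downloaded, MANIFEST)


if __name__ == "__main__":
    for name, status in check_downloads().items():
        print(f"{name}: {status}")
```

A mismatch is the signal to stop the build and compare the archive with the maintainers' copy; the 'missing' and 'unlisted' statuses catch the quieter failure where the set of files itself was changed.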
Mobile world
No mobile or PDA viruses were seen during 2002. In
spite of this the security industry continues to research
and build security systems in this area. The need for a
strong protection of data on hand-held systems keeps on
growing.
Because hand-held computers and mobile phones are
becoming more and more like traditional computers,
the security risks also become more concrete. As the
GPRS and other fast mobile data networks get more
common in the world, they will be one of the objects of
network criminals. It is easy to operate anonymously in
mobile networks using so-called prepaid subscriptions.
Operators play a key role in the security of home
computers and mobile devices.
Future
“Attacks against data systems will increase and they will
become more and more professional. New, fast network
worm technologies may lead into a situation where a
worm spreads around the world in just a few minutes
after it has been launched. These attacks can be done by
hackers, hacktivists, industrial spies, terrorist groups or
organized crime. Society must be able to function in spite
of such network warfare” says Mikko Hypponen, Manager
of Anti-Virus Research at F-Secure.
SWITCH ON FREEDOM
F-Secure is an online security and privacy company from Finland.
We offer millions of people around the globe the power to surf
invisibly and store and share stuff, safe from online threats.
We are here to fight for digital freedom.
Join the movement and switch on freedom.
Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.