Kaspersky Lab, Inc.

Kaspersky Lab publishes the analytical report for Q3 2006 on malware evolution


Woburn, MA -- (ReleaseWire) -- 11/21/2006 --Kaspersky Lab, a leading developer of secure content management solutions, has released its latest quarterly report, Malware Evolution: June - September 2006. Alexander Gostev, Kaspersky Lab's Senior Virus Analyst, described this period as 'the calm before the storm'.

You can find full version of the report at: http://www.viruslist.com/en/analysis?pubid=204791907. Here is its main essence:

After the stormy confrontation of ideas from those on both sides of the virus war, there was the inevitable period of calm, when both sides attempted to evaluate the results of their labours during the first six months of 2006. There were no significant epidemics, and no new proof of concept viruses either. All was relatively quiet on the virus front, with most of the activity being the everyday jockeying for position on the Internet. In spite of this, virus writers and cyber criminals still manage to come up with a few unpleasant surprises.

One major issue in the information security world today is vulnerabilities in Microsoft Office. Between April and June 2006 Word, Excel and PowerPoint all came under fire from the blackhats. In a mere three months, the number of security holes rose to close on a dozen. In the third quarter of 2006, Microsoft issued 6 patches, but every vulnerability had multiple Trojans, sometimes dozens, exploiting it. These malicious programs were detected either in mail traffic, or on users' machines.

The issue of vulnerabilities in Office was further complicated by the fact that virus writers seemed to be working around Microsoft’s patch schedule, with their malicious creations being released a mere few days after a scheduled patch was released. This resulted in almost a month going by during which the latest vulnerabilities could be exploited by hackers, with users being left unprotected. According to Alexander Gostev, the highly unusual coordination among hacker groups looked like an attempt “seems like an attempt to discredit Microsoft as an information security specialist in general, and to specifically target the company’s habit of releasing patches according to a defined schedule.”

The situation remains extremely complex. Even more inventive attacks on Microsoft Office are expected as Microsoft has released Office 2007 into open beta testing, and this will give hackers and security researchers yet another target.

Between July and September 2006, it wasn’t only the multiple vulnerabilities in Microsoft Office which posed a serious threat to users, but also two other security loopholes in Microsoft products: MS06-040 and MS06-055.

MS06-040 is the most dangerous ttype of currently known vulnerability, making itpossible for an attacker to execute arbitrary code via a network attack. Happily, the very nature of the vulnerability and the composition of the exploits were not so different from those which were already known (very similar to MS04-011 and MS05-039) and this made it possible for a lot of antivirus and firewall vendors to block the virus attacks without having to patch their products. An epidemic was averted, and August 2006 did not become another latest black month in the virus vs. antivirus calendar. MS06-055, a vulnerability in Internet Explorer, which was detected in September, related to VML processing, and would allow a remote malicious user to create a script which would execute arbitrary code on a victim machine when the user visited an infected site. In this case, Microsoft published an out-of-schedule patch in record time, and this significantly reduced the number of infections.

In the period under review, there were there were only a few pieces of mobile malware which stood out from the mass of primitive Skuller- like Trojans: Comwar 3.0, Mobler.a, and Acallno. Comwar 3.0 was the first Comwar variant to use file infecting technologies - the worm searches for other sis files on the phone, and writes itself to these files. This makes it possible for it to spread in yet another way, in addition to its traditional MMS and Bluetooth propagation routines. Mobler.a was the first cross platform virus capable of infecting both Symbian and Windows systems, proof of concept code from an unknown author. The worm propagates by copying itself from an infected computer to a handset. “Mobler.a should probably be seen as a new way of attacking personal computers, rather than purely a new way of penetrating mobile phones.” believes Alexander Gostev. The Acallno Trojan, developed by a commercial firm, is designed to spy on the user of a designated telephone, and sends copies of all sent and received SMS messages to a specially configured number. The other novelty detected in the third quarter of 2006 was Wesber, a Trojan for J2Me; it’s the second known Trojan that is capable of functioning both on smartphones and on the vast majority of modern handsets.

Russian Instant Messaging users were attacked by multiple Trojans, and most of all by the Trojan spy program LdPinch. Once the program has penetrated the victim machine, and harvested information which the remote malicious user wants, the Trojan then sends a link to the site where it's located to the user’s ICQ contact list. In the third quarter of 2006, the Russian segment of the Internet was hit by several such epidemics, when hundreds and thousands of users received links from their contacts - links which promised 'funny pictures' or 'summer pictures'. The main problem is the human factor: users are very trusting of links which appear to have been sent by a friend or a contact. Alexander Gostev says "The advice that we gave a year and a half ago remains relevant. We recommend that system administrators and IT security professionals should be highly aware of the potential threat currently posed by IM, and should consider forbidding its use as part of the company's security policy.”

In conclusion, Alexander Gostev takes stock of the current situation and looks to the future. The second stage of both virus and antivirus evolution is now complete. Today’s virus writers and cyber criminals have adapted to the evolution of today’s antivirus industry, and are not currently on the attack. Virus writers find the current reaction times of antivirus companies - which could be a few hours, or even minutes - acceptable, and have come to terms with what they can achieve within the window of opportunity provided. However, this is a state of uneasy equilibrium: as Alexander Gostev states, “if the situation is as I have described it, then something will have to change in the near future. Either antivirus companies will go on the attack, making a new concerted effort to quash the virus uprising, or virus writers will come up with something truly new, raising the bar for the antivirus industry as a whole.”