Fighting Back Against Malware Bedford IN

By Tom Schmidt

One of the most important aspects of today's threat landscape has to do with the way malicious code is written. Rather than set out to develop entirely new threats, as they did in the past, virus writers now are rapidly creating variations of existing malicious code.

The continued rise of Win32 viruses and worms, together with the decrease in the number of new families, indicates that far more variants of existing malicious code families are being produced than before. This can be attributed in part to the availability of source code for some families: the source code for bots such as Spybot, Gaobot and, more recently, Mytob is readily available online. Since modifying an existing piece of malicious code is easier than creating a new family, a large number of variants of existing families, rather than entirely new families, is not surprising.

Take the Spybot family as an example. Describing a Spybot variant now requires four letters (e.g., "W32.Spybot.ABCD"), and as of Dec. 31, 2005, 19,545 Spybot variants had been catalogued.

This article looks at the extent to which Windows systems are being infected with these new attacks, and then at some of the most effective ways of fighting back.

Old tricks, new threats
Malicious code that relies on social engineering continues to propagate rapidly among a large number of users, and that holds true for threat variants as well. For example, in the last six months of 2005, Sober.X was the most widely reported malicious code sample. Sober.X is a mass-mailing worm that relies on social engineering to persuade a user to run its email attachment. Like previous variants of the Sober worm, it propagates by sending email messages in either English or German, depending on the Windows regional settings of the compromised computer. Some of the messages it uses to propagate purport to be from the FBI, while others appear to be SMTP delivery failure messages.

Earlier this year brought yet another case of spam email carrying malicious code as an attachment. The attachment in this case was a ZIP file containing a Trojan horse program that, when executed, opens a backdoor on the user's system. In this threat, detected as Backdoor.Haxdoor.O, the spam purported to come from an online retailer asking the user to review an attached invoice. Based on similarities to previous versions of Backdoor.Haxdoor, the threat likely originated in Russia.

Popularity of Win32 malicious code
One of the reasons for the sustained popularity of Win32 threat variants has been the continued success of mass-mailing worms, such as the Sober and Beagle families, which were among the most significant outbreaks of 2005. Because Windows platforms predominate, any mass-mailing worm that hopes to propagate widely will target them, which in turn leads to the development of still more Win32 viruses and worms.

In addition, Win32 worms that implement bot features are increasingly used by attackers bent on financial gain, a development Microsoft itself acknowledges. Programs that let an attacker control a compromised computer, such as backdoor Trojan horse programs and bot software, account for the lion's share of malicious code removed by Microsoft's automated cleaning tool (the Malicious Software Removal Tool), the company announced earlier this year at its TechEd conference. Microsoft said the tool had detected and removed backdoor Trojans from about 62 percent of infected PCs, and that the subcategory of bot software alone accounted for three of the top five slots in the company's list of most prevalent malicious software.

Moreover, new variants of existing bots continue to appear at a high rate. For example, in the second half of 2005, 6,542 new variants of Spybot were documented, a 53% increase over the same period in 2004. The steady increase in variants of this bot may be due to attackers creating multiple variants, each designed to exploit a different vulnerability, so that the attacker can compromise a wider range of computers.

Researchers speculate that the continuing increase in the production of bot variants is driven by the bot authors' desire for maximum return on the time invested in bot creation. Those who produce bots for financial gain may prefer to turn out a larger number of variants rather than create entirely new bots, which is time consuming. Also, the ease with which an existing bot can be modified into a new variant lets less skilled attackers build a bot network of their own.
 
Keeping ahead of the bad guys
By now it should be clear that the increasing availability of source code for numerous malicious code families has helped fuel the rise of threat variants. In 2005 alone, more than 21,830 Win32 variants were documented. Unfortunately, available evidence indicates these threats will dominate the landscape for some time to come.

Besides keeping up-to-date on the latest threats and threat variants, enterprise users are encouraged to adopt the following "best practices" to prevent infection:

  • Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures. This should include the deployment of antivirus, firewalls, intrusion detection, and intrusion prevention systems on client systems.
  • Turn off and remove services that are not needed.
  • If malicious code or some other threat exploits one or more network services, disable or block access to those services until a patch is applied.
  • Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall (such as HTTP, FTP, mail, and DNS services).
  • Enforce an effective password policy.
  • Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses (such as .VBS, .BAT, .EXE, .PIF, and .SCR files). Inspect inside archives as well: the Haxdoor.O spam described above delivered its Trojan inside a ZIP file, which a filter that looks only at the outer attachment's extension would pass.
  • Isolate infected computers quickly to prevent the risk of further infection within the organization.
  • Train employees to not open attachments unless they are expected and come from a known and trusted source, and to not execute software that is downloaded from the Internet unless it has been scanned for viruses.
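The attachment rule in the list above, applied to the kind of message the Haxdoor.O case describes (an "invoice" ZIP wrapping an executable), as an added example that is not code from the article: a Python filter that walks a MIME message, rejects attachments whose final extension is on the block list, and opens ZIP attachments in memory to apply the same rule to their members, including nested archives. The extensions beyond the five the article names, the size cap, the nesting limit and the sample message are assumptions made for this example; the sample bytes are placeholders, not real malware.

```python
"""Inbound-mail attachment check that also looks inside ZIP archives.
Added example, not code from the article; block list extensions beyond
the article's five, the limits, and the sample message are assumptions."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {
    "vbs", "bat", "exe", "pif", "scr",        # named in the article
    "com", "cmd", "js", "jse", "wsf", "hta",  # assumption: same category
}
ARCHIVE_EXTENSIONS = {"zip"}         # archives we can open in memory
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumption: refuse to inflate larger members
MAX_NESTING = 2                      # assumption: zip-in-zip levels to descend


def _extensions(filename):
    """'invoice.pdf.exe' -> ['pdf', 'exe']; case, path and padding are ignored."""
    base = filename.strip().lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def is_blocked_name(filename):
    """Only the final extension matters: that is the one Windows acts on,
    so 'invoice.pdf.exe' is blocked while 'report.exe.txt' is not."""
    exts = _extensions(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def zip_members_blocked(data, depth=0):
    """Return member names inside an in-memory ZIP that violate the policy.
    Anything the filter cannot inspect (corrupt, encrypted, oversized or too
    deeply nested) is reported as a finding rather than silently passed."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<corrupt or non-zip archive>"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            exts = _extensions(name)
            if is_blocked_name(name):
                findings.append(name)
            elif exts and exts[-1] in ARCHIVE_EXTENSIONS:
                if depth >= MAX_NESTING:
                    findings.append(name + " (nested archive not inspected)")
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append(name + " (too large to inspect)")
                else:
                    try:
                        inner = archive.read(info)
                    except RuntimeError:  # zipfile raises this for encrypted members
                        findings.append(name + " (encrypted, not inspectable)")
                        continue
                    findings.extend(name + "/" + m for m in zip_members_blocked(inner, depth + 1))
    return findings


def check_message(raw):
    """Return (attachment name, reason) pairs for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if is_blocked_name(name):
            findings.append((name, "blocked extension"))
            continue
        exts = _extensions(name)
        if exts and exts[-1] in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            findings.extend((name, "archive member " + m) for m in zip_members_blocked(payload))
    return findings


def build_sample_message():
    """Constructed sample in the shape of the Haxdoor.O lure: an 'invoice' ZIP
    wrapping a double-extension executable and a nested ZIP. Placeholder bytes."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("update.scr", b"MZ" + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 32)
        zf.writestr("readme.txt", b"Please review the attached invoice.")
        zf.writestr("extras.zip", nested.getvalue())
    msg = EmailMessage()
    msg["From"] = "billing@retailer.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your order invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in check_message(build_sample_message()):
        print("REJECT", name, "-", reason)
```

The design choice worth noting is that the filter treats "cannot inspect" the same as "violates policy": an encrypted, corrupt or oversized archive is reported rather than passed, because a lure that hides its payload from the filter is exactly the case the filter exists for. Only the final extension is matched, since that is what Windows uses to pick a handler; a double-extension name such as invoice.pdf.exe is caught, while report.exe.txt is left alone.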

Conclusion
Today's enterprises need to be aggressive if they are to comprehensively protect their networks from attackers, who show no signs of slowing down their development of threat variants. Sophisticated criminal elements are now behind many of these threats, and unlike the hackers of the past, they are much more interested in anonymity than in notoriety. Today's threats are silent and highly targeted. As a result, enterprises must do all they can to keep ahead of, and educate their users about, these invasive threats.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.
