Understanding the Enemy: The Top 10 Nastiest Malware Trends
Five years ago, the term "malware", if used at all, simply referred to
viruses. Over the last few years, however, hackers and spammers have developed
all sorts of new ways to invade your computer. Today, malware, or
malicious software, means any unwanted code or program
that embeds itself on a computer without the user's knowledge.
Malware is growing quickly. McAfee Avert Labs expected to have recorded its
225,000th unique computer and network threat by the end of 2006, having found
50,000 new threats between January and November of 2006 alone [2].
The motive for creating malware has been profit or spying in most cases, and as
profits from creating malware have grown, paid professionals have begun to make
new and ever more dangerous forms. The return on creating malware has been high
in large part because so many victims do not know what to look out for;
individuals often still think of malware in the same simplistic forms of five
years ago. This guide covers some of the newest trends in malware, and it will
give you a better understanding of what sorts of threats you and your computer
face.
1. Adware
The most common form of malware is adware. It is a type of spyware
that secretly embeds itself on your computer, analyzes your web browsing
habits, and then displays related banner advertising, often in popup windows.
While most of the advertisements you see are for legitimate companies, the
producers of the spyware itself are not.
Because a user's personal details are often passed on to third parties,
adware has been criticized by privacy advocates. Adware usually works by
reading web browser cookies, which were originally placed on your computer by
legitimate sites for purposes such as remembering the contents of your
shopping cart. When adware gets hold of these cookies, however, they often
contain more personal detail than they should, and the adware companies can
sell that information to others.
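To make the cookie-harvesting point concrete, here is an added example (not code from the original article) that audits a Netscape-format cookies.txt, the plain-text jar that older browsers keep on disk, for the cookies an adware component would find most valuable: cookies set by tracking domains, cookies that live for years, and cookies whose value carries an e-mail address. The tracker-domain list and the sample jar are constructed for illustration.

```python
"""Audit a Netscape-format cookies.txt for cookies adware could harvest and
resell: third-party tracking cookies, long-lived cookies, and cookies whose
value carries personal data.  Added example, not from the original article.
The tracker-domain list and the jar are constructed for illustration."""
import re
import time

# Assumed: domains belonging to ad and tracking networks (constructed).
TRACKER_DOMAINS = {".example-adnet.com", "ads.example-tracker.net"}
FIVE_YEARS = 5 * 365 * 24 * 3600
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed cookies.txt: domain, include-subdomains flag, path, secure,
# expiry (Unix time, 0 = session cookie), name, value; tab-separated.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".shop.example", "TRUE", "/", "FALSE", "1170000000", "cart", "item42,item17"]),
    "\t".join([".shop.example", "TRUE", "/", "FALSE", "1200000000", "user", "alice@example.org"]),
    "\t".join([".example-adnet.com", "TRUE", "/", "FALSE", "2145916800", "uid", "7f3a9c"]),
    "\t".join(["ads.example-tracker.net", "FALSE", "/", "FALSE", "2145916800", "visitor", "alice@example.org"]),
    "\t".join(["bank.example", "FALSE", "/", "TRUE", "0", "session", "8f1e2d"]),
])


def parse_cookies_txt(text):
    """Yield one dict per cookie line; comments, blanks and malformed lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _flag, path, secure, expiry, name, value = parts
        yield {"domain": domain, "path": path, "secure": secure == "TRUE",
               "expiry": int(expiry), "name": name, "value": value}


def is_tracker(domain):
    """True if the cookie domain is, or is under, an assumed tracker domain."""
    host = domain.lstrip(".")
    for t in TRACKER_DOMAINS:
        t = t.lstrip(".")
        if host == t or host.endswith("." + t):
            return True
    return False


def audit(text, now=None):
    """Return (cookie, reasons) pairs for every cookie that deserves a look."""
    now = time.time() if now is None else now
    findings = []
    for c in parse_cookies_txt(text):
        reasons = []
        if is_tracker(c["domain"]):
            reasons.append("tracker domain")
        if EMAIL_RE.search(c["value"]):
            reasons.append("value contains an e-mail address")
        if c["expiry"] and c["expiry"] - now > FIVE_YEARS:
            reasons.append("expires more than five years out")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for cookie, why in audit(SAMPLE_JAR):
        print(cookie["domain"], cookie["name"], "->", ", ".join(why))
```

The reason to run this audit yourself is that the same file is readable by anything running under your user account: an adware component needs no exploit to copy it, only the same file read the browser performs.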
The United States government now has strict rules about cookie use, but
ironically it does not even follow these rules itself (see, for instance, the
indictments of the DEA, CIA, and NSA). Given that the government has not
followed its own cookie regulations, do not expect many adware distributors to
comply either. In theory, legitimate adware programs must disclose to the user
what they are doing. Despite this requirement, a McAfee report from August
2006 shows that there are currently over 4,000 adware variants, many of them
written by paid professional programmers.
2. Browser Hijacker
Browser hijackers, or hijackware, alter web browser settings
to redirect you to a different homepage, typically a questionable website
(adult, gaming, celebrity). Programs that redirect surfers to adult sites
sometimes leave telltale bookmarks behind, which have been known to cost people
their jobs.
Some hijackware redirects you to a page carrying an ad that claims your
computer is infected and tells you to purchase and run the advertiser's virus
checker. Other browser hijackers are written purely to increase page views on a
particular website in order to earn more advertising revenue.
Browser hijackers are often downloaded accidentally with freeware or opened as
email attachments. To reduce the risk, read freeware user agreements carefully,
as hijackware sometimes reveals itself in the fine print. One of the first
browser hijackers was CWS (CoolWebSearch), which was relatively harmless but
famously annoying.
3. Internet Dialer
There are legitimate Internet dialers, but the malware variety does sinister
things, including secretly placing calls to premium-rate 1-900 numbers through
your modem. The result has been monster phone bills and plenty of family
feuds.
Internet dialers only work on dialup (modem-based) connections. Since not
everyone has a broadband connection yet, dialers remain a serious threat and
can cost victims a fortune in premium-rate and long distance charges.
Although dialer use is regulated in many countries, malware dialers obviously
do not heed the law. Given this, a simple way to avoid malware dialers
altogether is to switch to a non-dialup Internet service such as cable, DSL, or
satellite.
4. Keylogger
Keyloggers have long had legitimate uses, including by law enforcement. The
FBI used [1] a Trojan to install a keylogger called Magic Lantern, which helped
indict Nicodemo Scarfo, Jr., for running an illegal gambling operation.
Keyloggers are also used by companies to monitor employees and by parents to
monitor their children online.
Unfortunately, keyloggers can also be a highly malicious form of spyware,
recording every keystroke a computer user makes along with system events. Using
a keylogger, thieves can quickly steal passwords, email addresses, IM (instant
messenger) usernames, bank account numbers, and other sensitive details.
In the corporate world, keyloggers are often used to glean company secrets as
well as data that regulations such as HIPAA and SOX require to be protected. In
their most malicious form, keylogger attacks are usually combined with other
malware that disables firewalls and installs small FTP servers for uploading
the captured keystroke logs.
A new technique for installing keyloggers surfaced in the fall of 2006:
e-greeting cards. Fake emails were sent out containing a dangerous link that
redirected the browser to an "exploit server". This server checked which
browser patches were missing in order to find an exploitable vulnerability,
then downloaded a rootkit and keylogger when it could. To look legitimate, the
final redirect went to a real Yahoo greeting card, but one with no sender
details listed.
5. Rootkit
Rootkits are among the most sinister of all types of malware. They modify
the operating system so that their own files, processes, and network
connections are hidden from the tools that would normally reveal them, and they
frequently disable security features such as firewalls and anti-virus programs.
They also install other malicious code, change DNS settings and system
configuration, access private files, and generally degrade security and system
performance.
Rootkits have been used by law enforcement and were not always considered
malware. That changed with the infamous Sony BMG rootkit, which was first
declared malware by the state of California. Sony, in its zeal to protect the
copyrights on some of its CDs and DVDs, introduced DRM (Digital Rights
Management) onto each CD. When played on a computer, the discs installed a
rootkit that disabled certain system features. Unfortunately, this also opened
those computers up to attacks by Trojans and other malware.
There are several types of rootkits: persistent, memory-based, user-mode, and
kernel-mode. In 2007 it is widely expected that there will be an increase in
rootkits aimed at 32-bit platforms, and a reduction in kernel-mode rootkits on
64-bit systems because of Microsoft's Vista PatchGuard, which protects the
kernel on 64-bit editions only. Rootkits are not easy to detect, some can
survive direct deletion and reinstall themselves, and a new breed of invisible
rootkit promises to make them an even more malicious threat in the future.
6. Trojan Horse
Trojan horses are masters of disguise. This form of malware pretends to be an
innocuous plugin, add-on, or even a codec (coder/decoder module) for a
multimedia audio or video player such as WinAmp, or some other harmless piece
of software. The creators of Trojan horses often use an e-mail or a web page
written to trick you into installing the Trojan. Trojan horses may live on
websites offering music or video downloads, or even on some of the new batch of
web 2.0 alpha- or beta-stage application sites.
Once installed, Trojans download further malicious code and programs such as
keyloggers, screen scrapers, or worms from remote servers, often through
non-standard ports on your computer [1].
A recent example of a dangerous Trojan horse is the J2ME/Redbrowser Trojan,
which runs on Java-enabled smartphones and PDAs, pretending to access WAP pages
while sending SMS messages to a number you never authorized, at your expense
[2]. Another example of a growing threat is the Skype Trojan, discovered in
December 2006, which operates through the Skype VoIP soft client.
7. Worm
Worms are a self-propagating form of malware: they multiply on their own.
Worms hunt for security flaws in other computers on the same network as an
infected computer and copy themselves onto the new computer through that
loophole. This way of multiplying makes worms particularly dangerous, because
they can cause huge network traffic floods or outages, as well as mass
infection in a short time.
While worms are not a new malware threat, recent developments in the ways
that worms spread have made them considerably more dangerous. A worm discovered
in November of 2006 named W32/Realor, for instance, can launch websites on its
own. Another new worm is VBS/Eliles, a mass-mailer that can send SMS messages
to mobile phones. One Windows worm, called 'The Mobler', supposedly transports
itself via Symbian cell phones. For 2007, it is expected that worms which
spread through mobile technologies will continue to grow.
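The two network behaviours described above, a Trojan fetching its payload over non-standard ports (section 6) and a worm hunting for neighbours (section 7), both show up in a plain connection log. The following is an added example, not code from the original article, that runs both checks over a constructed log; the log format, the 10.0.0.0/8 internal range and the egress port allow-list are assumptions, not something the article specifies.

```python
"""Two checks over a connection log: a Trojan fetching payloads through
non-standard ports, and a worm fanning out across the local network.
Added example, not from the original article.  The log format, the
internal range and the egress allow-list are assumptions; the log is
constructed."""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")            # assumed site range
STANDARD_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}   # assumed allow-list

# Constructed log, one event per line: "<timestamp> <src> <dst> <proto> <dport>".
# 10.0.0.5 browses normally, then talks to 198.51.100.9 on two odd ports;
# 10.0.0.9 contacts two file servers; 10.0.0.8 probes 25 neighbours on
# TCP/445 within 25 seconds, the way a worm looking for targets does.
_LINES = [
    "2006-11-14T09:15:02 10.0.0.5 203.0.113.7 TCP 80",
    "2006-11-14T09:15:03 10.0.0.5 203.0.113.7 TCP 443",
    "2006-11-14T09:15:09 10.0.0.5 198.51.100.9 TCP 6667",
    "2006-11-14T09:15:10 10.0.0.5 198.51.100.9 TCP 31337",
    "2006-11-14T09:16:00 10.0.0.9 10.0.0.1 TCP 445",
    "2006-11-14T09:16:05 10.0.0.9 10.0.0.2 TCP 445",
] + ["2006-11-14T09:20:%02d 10.0.0.8 10.0.0.%d TCP 445" % (i, 21 + i) for i in range(25)]
SAMPLE_LOG = "\n".join(_LINES)


def parse_log(text):
    """Parse log lines into dicts with typed timestamp, addresses and port."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst),
                       "proto": proto, "dport": int(dport)})
    return events


def nonstandard_egress(events, internal=INTERNAL, allowed=STANDARD_PORTS):
    """Internal hosts connecting outbound to ports not on the allow-list;
    a Trojan's payload fetch over a non-standard port lands here."""
    hits = defaultdict(list)
    for e in events:
        if e["src"] in internal and e["dst"] not in internal and e["dport"] not in allowed:
            hits[str(e["src"])].append((str(e["dst"]), e["dport"]))
    return dict(hits)


def fanout_scanners(events, internal=INTERNAL, window_sec=60, threshold=10):
    """(src, port) pairs that reach at least `threshold` distinct internal
    hosts within any `window_sec` window, mapped to the peak count."""
    by_key = defaultdict(list)
    for e in events:
        if e["src"] in internal and e["dst"] in internal:
            by_key[(e["src"], e["dport"])].append((e["ts"], e["dst"]))
    flagged = {}
    for (src, port), evs in by_key.items():
        evs.sort()
        in_window, lo, peak = Counter(), 0, 0
        for ts, dst in evs:                       # sliding window over time
            in_window[dst] += 1
            while (ts - evs[lo][0]).total_seconds() > window_sec:
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[(str(src), port)] = peak
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("non-standard egress:", nonstandard_egress(ev))
    print("fan-out scanners:", fanout_scanners(ev))
```

Both detectors are deliberately coarse: an egress allow-list will flag legitimate IRC or VPN traffic, and a fan-out threshold will catch a vulnerability scanner as readily as a worm. Their value is as a first filter that points an analyst at the right host.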
8. Virus
The term "virus" has been used fairly loosely in the history of computing,
but technically speaking it refers to software that inserts malicious code into
existing documents or other programs [1] and is then spread by various means.
Some early viruses were pranks; others were propagated via MS Word documents
attached to emails.
Today, e-mail is still responsible for about 90% of all virus spread according
to ICSA Labs, but viruses are now often hidden in password-protected ZIP
attachments, making them harder for virus scanners to detect because the
scanner cannot open the archive. Viruses have also shown up in many different
forms (macro, file, boot sector, network, email, etc.) and are used for many
purposes, including infecting computers to act as zombies in botnets. These
botnets are then used to send spam e-mail or sometimes for fraudulent ad
clicking, in order to generate revenue. Other viruses are designed not to
generate revenue but to take a swipe at Microsoft; a recent example is a
Windows virus that shipped on Apple video iPod devices.
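Password-protected attachments defeat content scanning, but not metadata inspection: a ZIP's central directory stores each member's name, uncompressed size and an "encrypted" flag in the clear. The following added example (not code from the original article) triages an attachment on that basis. The sample archive is constructed, and its encryption flag is patched on by hand rather than set by a real password, which is enough to exercise the check.

```python
"""Triage a ZIP e-mail attachment without its password: the central directory
keeps every member's name, size and encryption flag in the clear, so a
password-protected archive still tells you whether it holds an executable.
Added example, not from the original article.  The sample archive is
constructed and its encryption flag is patched on by hand (the member data
is not actually encrypted), which is enough to exercise the check."""
import io
import struct
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 of the ZIP header flags


def build_sample_attachment(members, mark_encrypted):
    """Return ZIP bytes for {name: payload}; optionally set the encryption
    flag in every local and central header to mimic a password-protected
    archive (constructed sample, member data left in plaintext)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local file header: flags at offset 6; central directory header: offset 8.
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                struct.pack_into("<H", data, pos + flag_off, FLAG_ENCRYPTED)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def inspect_attachment(data):
    """One finding per member: name, declared size, and why it is suspicious.
    Nothing here needs the password; only the central directory is read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            base = zi.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if zi.flag_bits & FLAG_ENCRYPTED:
                reasons.append("password-protected")
            if ext in EXECUTABLE_EXT:
                reasons.append("executable extension " + ext)
            if len(parts) > 2:
                reasons.append("double extension")
            findings.append({"name": zi.filename, "size": zi.file_size, "reasons": reasons})
    return findings


def member_readable(data, name):
    """True if the member's content can be read without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except RuntimeError:  # zipfile's "password required" error
        return False


if __name__ == "__main__":
    sample = build_sample_attachment({"invoice.pdf.exe": b"MZ" + b"\0" * 64,
                                      "readme.txt": b"hello"}, mark_encrypted=True)
    for f in inspect_attachment(sample):
        print(f["name"], f["size"], "bytes:", ", ".join(f["reasons"]) or "nothing notable")
```

The check is cheap enough to run on a mail gateway, and the combination of password protection, an executable extension and a double extension has no honest explanation.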
9. Drive-By Download (DBD)
In general, the term "drive-by download" (DBD) refers to any malware
installed without the user's consent or knowledge. The download can deliver
spyware, a virus, or anything else, and it can happen while viewing a website
or popup window, or while reading an email message.
The reason drive-by downloads are so dangerous is that they require no action
by the surfer to cause an infection. A hyperlink does not even have to be
clicked for the install to occur, because some DBDs exploit browser flaws
directly; the usual target has been Internet Explorer.
One of the better-known incidents [1] involved the legitimate website
Kingsofchaos.com and its visitors. A browser flaw allowed a drive-by download
to replace the site's legitimate popup ads and install malware on visitors'
computers. Today, however, drive-by downloads occur almost entirely at
questionable sites (see page 5 of the ITSecurity.com whitepaper [1] for a
breakdown of infected sites).
10. Piggyback
Piggyback malware refers to malicious code embedded within an otherwise
harmless executable file. According to a recent study, 4% of websites and 5% of
available downloads were infected with one of 89 types of malware [1]. This
means that even trusted sites might cause your computer to be infected, which
makes IP and site blacklists less effective. Typical piggyback sites are those
offering downloads of games, music, and wallpapers, as well as celebrity and
adult sites.
A more recent trend is malware that piggybacks on open source code. Another
new trend is piggybacking malware onto files shared through VoIP or VoIM
clients. Again, one of the aspects of piggybacking that makes it so dangerous
is that the person sending the malware often does not know it himself.
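One way piggybacked code gets attached to a legitimate executable is as an overlay: bytes appended after the last section of the PE image, which the loader never maps but which a small stub inside the file can read and run. The following added example (not code from the original article) measures the overlay by parsing the section table, and builds a constructed, non-runnable minimal PE so the parser has input. A non-empty overlay is a prompt to investigate, not a verdict: Authenticode signatures and installer payloads legitimately live there.

```python
"""Find an executable's overlay: bytes appended after the last PE section,
one of the places piggybacked code is stashed.  Added example, not from the
original article.  The sample files are constructed from a minimal,
non-runnable PE header so the parser has something realistic to read."""
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
FILE_ALIGN = 0x200


def pe_overlay(data):
    """Return (offset, size) of trailing data past every section, or None
    when the input is not a PE file or carries no overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    if coff + COFF_HEADER_SIZE > len(data):
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    end = table + SECTION_HEADER_SIZE * num_sections
    if end > len(data):
        return None  # truncated header
    for i in range(num_sections):
        hdr = table + SECTION_HEADER_SIZE * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    if len(data) > end:
        return end, len(data) - end
    return None


def build_sample_pe(sections, overlay=b""):
    """Minimal PE32 image: DOS stub, COFF header, zeroed optional header,
    one header per (name, raw_bytes) section, then the section data.
    Constructed for the parser only; Windows would not load it."""
    opt_size = 224
    hdr_len = 0x40 + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE * len(sections)
    raw_ptr = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN   # first section, file-aligned
    first_raw = raw_ptr
    table, body = b"", b""
    for idx, (name, raw) in enumerate(sections):
        size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000 * (idx + 1), size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += raw.ljust(size, b"\0")
        raw_ptr += size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table
    image = image.ljust(first_raw, b"\0") + body
    return image + overlay


if __name__ == "__main__":
    secs = [(".text", b"\x90" * 100), (".data", b"A" * 10)]
    print("clean:", pe_overlay(build_sample_pe(secs)))
    print("piggybacked:", pe_overlay(build_sample_pe(secs, overlay=b"PIGGYBACK" * 8)))
```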
Quick Summary of Growing Malware Trends
This quick summary is a brief reminder of current malware trends and new
threats which are expected to grow in 2007:
- Mobile attacks using SMS (SMiShing), whereby malware such
as MSIL/Xrove infects smartphones via ActiveSync.
- Media malware using MPEG video files or codecs for MP3
audio players. Thanks to the popularity of video sharing sites like YouTube,
this mode of attack is expected to grow.
- Increase in zombie computers and botnets.
- Return of parasitic malware, which operates by modifying
files already present on your hard drive.
- Increased silent and targeted attacks on transactions
instead of computers.
- Suicidal malware that uses polymorphic techniques to
evade detection.
- Ransomware, a new threat in which malware authors hold a computer hostage
until the infected machine's owner pays a certain amount.
Conclusion
Malware writers are no longer curious high school or college students pulling
a prank. More often, they are professionals using sophisticated techniques [2],
motivated by profit. With the growing black-market industry around malware,
protections against infection will have to continue to evolve in the coming
years.
The US government and other nations are trying to do something about malware,
including becoming party to the Council of Europe Convention on Cybercrime,
which takes effect Jan 1, 2007. But, it is an uphill battle for lawmakers, and
one that is unlikely to have a significant effect in the next few years. As a
consequence, individuals and corporations must continue to educate themselves
about the development of new malware threats in order to stay one step ahead of
attackers.
References
Most of the items below are cited above by their number in brackets; for
example, a reference to IT Security's Malware Trends paper appears above as
[1].
1. IT Security - Web Security Report - Malware Trends (PDF, 5 pgs).
2. McAfee - Top Ten Security Threats in 2007.
3. Network World - Security Threat Changing.
4. CACI - Computer Security Threats.
5. About.com - Internet/Network Security Guide - What is a bot?
6. McAfee Avert Labs Blog.
7. Softpedia - Suicidal Malware Rises New Threats.
8. ACSAC - Combating Malicious Software (PDF, 12 pgs).
9. Microsoft - Managing Risk of Malicious Software.
10. Webopedia - Adware definition.
11. Security Watch - Mobile Phones Get The Full IT Treatment.
12. West Coast Labs - Glossary of Malware.
13. Microsoft - Defining Malware.
14. F-Secure Security Labs Weblog.