Trends and threats: Malware development A closer look at the changes in development of malicious software, and possible damage impact and damage limitation. Snorre Fagerland Senior Virus Analyst, Norman ASA

Page 1

Trends and threats: Malware development

A closer look at the changes in development of malicious software, and possible damage impact and damage limitation.

Snorre Fagerland

Senior Virus Analyst, Norman ASA

Page 2

Malware on the way out

• DOS viruses. Forget them. Around 50,000 of them exist, but they are no longer a threat.

• Boot viruses. Still seen every once in a while, but few new ones – mostly the odd infected diskette from way back when.

• Macro viruses. After dominating the picture from 1995 to ca. 2000, macro viruses are now on the decline.

Page 3

Malware still going strong

Page 4

Email worms

These will be with us for the foreseeable future.

They are often combined with local area network infection methods (open shares, weak passwords), which means they can be a real problem to get out of a corporate network: cleaning one machine does not help if a neighbour reinfects it.

They may come in large series of variants.

They are rapid to very rapid spreaders. Even with good emergency response mechanisms, a significant number of people may be infected in the early stages of an epidemic.

Page 5

File infecting viruses

File infectors are still around in large numbers. In addition, many classic email and P2P worms also double as file-infecting viruses.

File infectors may be hard to clean perfectly.

Page 6

Trojans that give unauthorized access

Example: SubSeven (screenshot of the SubSeven client in the original slide).

Page 7

Malware on the way up

Page 8

Peer 2 peer worms

File sharing networks like Kazaa, Morpheus, Limewire, Grokster etc. are now thoroughly infested.

Figure (from the original slide): detections found in a shared folder – Supova.H, Spybot.1_2 & Pinfi.A, Loxar.C, Supova.E, Supova.A, Supova.I.

Page 9

Multi-component malware

In UNIX/Linux environments we have seen that malware often comes as a package of many files (a dropper, a backdoor, a scanner, a config file). This trend has now moved to Windows.

Problem: it is harder to analyse the interaction between many files; easier for the author to change one component to avoid detection; easier to get false alarms; harder to clean properly, since missing one component lets the rest be reinstalled.

Page 10

Exploits (bugs that undermine security)

Malware will seek to use exploits; they ease spreading and give better access to resources.

The best known are, for example, those that make a mail client auto-execute an attachment in some instances. A MIME header declares an executable to be a harmless sound file, and a client that trusts the declared type over the file name runs it without asking:

Content-Type: audio/x-wav;

name="readme.exe"

..or the DCOM RPC exploit used for W32/Blaster, which needs no user interaction at all.

Note: as always, it is important to keep software updated; both of these were fixed by the vendor before the worms that used them appeared.

Page 11

Damage impact of modern malware

- Damage to software and data (often security software)

- Reduction of system and network performance; instability

- Misuse of system (storage of pornography, pirated software, music and films), or participation in spam or DDoS schemes

- Loss of system control (deletion of admin shares and accounts)

- Unauthorized access to sensitive data

Page 12

Damage impact of modern malware, cont’d

Secondary impact:

- Financial losses connected with investments in security systems and possible cleanup operations.

- Loss of goodwill and business because of downtime, or public security breaches.

Page 13

Damage limitation : before infection

There is always a tradeoff between functionality and security. Be as secure as you can without severely limiting your ability to work.

Do not allow frivolous use of administrator accounts. No one needs to be constantly logged on as admin; malware run from an ordinary user account cannot delete admin shares or disable the AV software.

Have a plan in case of infection, and people in charge of executing it.

Page 14

Damage limitation, cont’d

Use firewalls.

Make sure all clients are updated. Do not allow people to turn off the AV software.

Disallow rogue protocols (e.g. P2P software).

Keep control of shares: no open, writable shares that a worm can copy itself into.

Back up often.

Use attachment limitations on the mail servers, if possible.
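The two mail-related points above, the spoofed Content-Type trick on the exploits slide and the attachment limitations recommended here, can be enforced at the mail server with one check. The example below is added here and is not code from the slides or from Norman; the message samples, the extension list and the "benign" type list are constructed assumptions that should be tuned to the environment.

```python
"""Mail-gateway attachment check: reject executable attachments and flag the
Content-Type / file-name mismatch that email worms used to get auto-executed."""
import email
import os
from email import policy

# Assumption: extensions a mail server should not pass through unchallenged.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Top-level media types a mail client may render inline; an executable declared
# as one of these is the spoofing pattern from the exploits slide.
INLINE_TOP_LEVEL = {"audio", "image", "text", "video"}


def check_message(raw: bytes) -> list:
    """Return one finding per suspicious attachment in the raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() also looks at the Content-Type name= parameter, which is
        # where the worm trick puts the name when Content-Disposition is absent.
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXEC_EXTENSIONS:
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "content_type": ctype,
            "spoofed_type": ctype.split("/")[0] in INLINE_TOP_LEVEL,
            "pe_magic": payload[:2] == b"MZ",  # DOS/PE executable header
        })
    return findings


def verdict(raw: bytes) -> str:
    """Policy for the gateway: any executable attachment means REJECT."""
    return "REJECT" if check_message(raw) else "ACCEPT"


# Constructed sample: an executable declared as a WAV file and referenced from
# an HTML body, the shape used by the auto-executing worms of the time.
SAMPLE_WORM_MAIL = b"""From: attacker@example.invalid
To: victim@example.invalid
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1"></iframe></body></html>
--b1
Content-Type: audio/x-wav;
 name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample of a legitimate message with a PDF attachment.
SAMPLE_CLEAN_MAIL = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, verdict(raw), check_message(raw))
```

The decision is taken on the file name extension, not on the declared Content-Type, because the declared type is exactly what the attacker controls; the `spoofed_type` and `pe_magic` fields are there so the log entry tells the responder whether this was a plain policy violation or an attempt at the auto-execute trick.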

Page 15

Damage limitation : after infection

DON'T PANIC! Have centrally placed people lead the cleanup operation; you may want to have AV consultants there as well.

Get all available information on the malware: how it spreads, which ports and shares it uses, which files and registry keys it drops.

Small networks: pull infected machines off the net, clean manually, aided by AV software.

Page 16

Damage limitation, cont’d

Larger networks: it is important to find the machines that are spreading the infection. Use network traffic analyzers and auditing tools to find these machines and take them off the network; if possible, isolate the infected section of the net.

If there is suspicion of an information security breach, back up data and reinstall compromised systems with new passwords etc. This may also be necessary in the case of file infectors, where the infected files may not be possible to clean perfectly.
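The "find the machines that are spreading" step above, as an added example that is not part of the original slides: a small traffic-log analysis that ranks sources by how many distinct hosts they contact on the ports a LAN worm uses. The log format, the port list, the threshold and the sample traffic are constructed assumptions; in practice the lines would come from a sniffer or router flow export, and the port list from the information gathered about the malware.

```python
"""Rank hosts by distinct destinations on worm ports to find the spreaders."""
import re
from collections import defaultdict

# Assumed log line format: "<date> <time> <src> -> <dst>:<dport> <proto> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+) (?P<flags>\S+)$"
)

# Assumption: 135 is the DCOM RPC port W32/Blaster targets; 139/445 are the
# share-hopping ports used by LAN-aware email worms. Tune to the outbreak.
WORM_PORTS = {135, 139, 445}


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"], "flags": m["flags"]}


def find_spreaders(lines, ports=WORM_PORTS, threshold=20):
    """Return [(src, dport, distinct_destinations)] for every source that
    contacted at least `threshold` distinct hosts on one of `ports`, busiest
    first. A normal client talks to a handful of servers; a worm sweeps a range."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    hits = [(src, port, len(dsts))
            for (src, port), dsts in targets.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda h: -h[2])


def sample_log():
    """Constructed traffic: 10.0.0.15 sweeps 10.0.1.1-10.0.1.60 on tcp/135
    (Blaster-like), while 10.0.0.20 and 10.0.0.21 only talk to the file server
    and the domain controller. One unparseable line is included on purpose."""
    lines = []
    for i in range(1, 61):
        lines.append(f"2003-08-12 09:{i // 60:02d}:{i % 60:02d} "
                     f"10.0.0.15 -> 10.0.1.{i}:135 TCP S")
    for i in range(10):
        lines.append(f"2003-08-12 09:01:{i:02d} 10.0.0.20 -> 10.0.0.5:445 TCP S")
        lines.append(f"2003-08-12 09:01:{i:02d} 10.0.0.21 -> 10.0.0.2:135 TCP S")
    lines.append("sniffer restarted, counters reset")
    return lines


if __name__ == "__main__":
    for src, port, n in find_spreaders(sample_log()):
        print(f"{src} contacted {n} distinct hosts on tcp/{port}: pull it off the net")
```

Counting distinct destinations rather than raw packets is what separates a scanning worm from a busy but healthy server, and keying on the port from the malware write-up keeps a backup job or a port scan by the admins from showing up as a false positive.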