A year of threats across several technologies


Eddy Willems

EICAR, Belgium
Editor: Helen Martin


'The main trend I have observed this year has been the spread of malware activity across several forms of technology and applications.' Eddy Willems.

While waiting in the departure hall of a Russian airport on my return from an IT conference, I reflected on the year that has nearly passed and noted that it has been interesting in every security aspect.

The main trend I have observed this year has been the spread of malware activity across several forms of technology and applications. It appears that the parties that are orchestrating security attacks are gaining an increasing foothold to build a stronger, more sustainable commercial economy based on carefully crafted security attacks.

Social engineering reached a high level of sophistication this year via the ‘Zhelatin-Stormworm’ gang, named after the trojan it circulated. This gang was responsible for what started out as the ‘Storm worm’. First spotted in the early part of the year, the spread of the Storm worm started via emails purporting to provide information on some severe storms that had struck parts of Europe at the end of January. Users who fell for the trick were directed to a website containing malicious code aimed at turning Windows PCs into spam bots. Over time, emails containing links to the Storm worm took on many different forms, with subjects ranging from supposed missile strikes to reports of genocide and other socially engineered trapdoors. The worm even got into users’ blog accounts and created new blog entries with links to the trojan itself. Several million computers were infected worldwide as part of this massive botnet until it was broken down into smaller parts. And still the story continues.

Spammers took a step ahead in their ongoing battle against anti-spam measures by using images to defeat hash filtering and string matching. They also used malware-infected computers (e.g. the Storm worm botnet) to launch spam emails to defeat network/sender reputation filtering. Excel, RTF, PDF, RAR and even MP3 spam are just some of the other next-generation techniques spammers have used this year to avoid detection.

The banking industry continued to be a key target for phishing scams and highly sophisticated targeted attacks. As trojans became more technically complex, the malware writers implemented new techniques in their attacks, including filters that keep a closer track of users’ online banking activity. Such tracking methods make it easier and more effective for fraudsters to collect account details using a variety of methods. I have seen very advanced dedicated phishing and spyware attacks against several large banks, but also some against smaller regional banks, which demonstrates the keen interest of organized criminals in this approach.

Cybercrime and real-life political unrest came together as a form of ‘cyber war’ causing general unrest in Estonia earlier in the year. Disputes over the relocation of a Russian Red Army monument not only led to arrests in the real world, but several Estonian government and other public sector and media websites were heavily targeted via Distributed Denial of Service (DDoS) attacks by an extremely active network of hackers. Several key sites were rendered unreachable.

The mobile malware industry has also been very active this year. ‘Personalized’ SMS spam, financial lottery scams, and several new items of spyware were reported for mobile devices. It is concerning to see complex mobile trojans and spyware being developed by growing commercial entities, with the aim of making solid profits to support further development of the malicious economy. However, the increase in the volume of malware for mobile devices seems to be slowing (though it could be the calm before a storm). The rise of adware also seems to have stagnated – of course this does not necessarily indicate that these threats will stop.

The Mac seems to be becoming increasingly appealing for malware writers, with several trojans appearing this year, such as DNSChanger which hijacks DNS settings and then redirects the user to malicious websites.

So what is the next step for viruses and information threats? Despite the emergence of new operating systems such as Windows Vista, new mobile content and devices like the iPhone, cyber criminals are still using tried and tested ways of attacking Internet users.

Furthermore, we have seen a significant return of DDoS attacks and attacks that use browser vulnerabilities to penetrate the system. The most significant difference between the present situation and that of several years ago is that email is no longer the primary vehicle for spreading malware. Instead, instant messaging services and web exploits are two of today’s key means of distribution.

Anti-virus and security vendors have improved their technologies considerably and introduced several new ones. Presently, end points or PCs are protected much more effectively than they were several years ago. The average length of time that most new malicious programs survive in the wild has been cut to a number of hours.

Company data is worth a lot of money on the dark side of the web and criminals will go to significant lengths to harvest it. But let’s predict what will happen next. Malicious users will attempt to reach beyond the current security solutions: rather than simply ‘getting around’ anti-virus programs or security devices, they will move into fields that mainstream security and anti-virus protection has not yet mastered, or areas in which protection is not an option for any number of reasons. This is more than likely where the new front will be in the information war. We will face more botnet problems, threats to Web 2.0 sites, Windows Vista malware, malware targeting online games, along with attacks on IM software and more problematic rootkits. I think that hackers will also turn their attention to virtualization software because companies are increasingly looking into virtualization for their defence.

I was so deep in thought at the airport that I nearly missed my chance to have one last chat with Irishka, a student from Rostov University whom I had met on my trip and who had helped me a lot in communicating with the locals. It occurred to me that we should all make the effort to invest more time in real life than in our virtual one before it’s too late. Maybe it’s time that malware writers considered this as well.


