A year of threats across several technologies


Eddy Willems

EICAR, Belgium
Editor: Helen Martin


'The main trend I have observed this year has been the spread of malware activity across several forms of technology and applications.' Eddy Willems.

While waiting in the departure hall of a Russian airport on my return from an IT conference I reflected on the year that has nearly passed and noted that it has been interesting in every security aspect.

The main trend I have observed this year has been the spread of malware activity across several forms of technology and applications. It appears that the parties that are orchestrating security attacks are gaining an increasing foothold to build a stronger, more sustainable commercial economy based on carefully crafted security attacks.

Social engineering reached a high level of sophistication this year via the ‘Zhelatin-Stormworm’ gang, named after the trojan it circulated. This gang was responsible for what started out as the ‘Storm worm’. First spotted in the early part of the year, the spread of the Storm worm started via emails purporting to provide information on some severe storms that had struck parts of Europe at the end of January. Users who fell for the trick were directed to a website containing malicious code aimed at turning Windows PCs into spam bots. Over time, emails containing links to the Storm worm took on many different forms, with subjects ranging from supposed missile strikes to reports of genocide and other socially engineered trapdoors. The worm even got into users’ blog accounts and created new blog entries with links to the trojan itself. Several million computers were infected worldwide as part of this massive botnet until it was broken down into smaller parts. And still the story continues.

Spammers took a step ahead in their ongoing battle against anti-spam measures by using images to defeat hash filtering and string matching. They also used malware-infected computers (e.g. the Storm worm botnet) to launch spam emails to defeat network/sender reputation filtering. Excel, RTF, PDF, RAR and even MP3 spam are just some of the other next-generation techniques spammers have used this year to avoid detection.

The banking industry continued to be a key target for phishing scams and highly sophisticated targeted attacks. As trojans became more technically complex, the malware writers implemented new techniques in their attacks, including filters that keep a closer track of users’ online banking activity. Such tracking methods make it easier and more effective for fraudsters to collect account details using a variety of methods. I have seen very advanced dedicated phishing and spyware attacks against several large banks, but also some against smaller regional banks, which demonstrates the keen interest of organized criminals in this approach.

Cybercrime and real-life political unrest came together as a form of ‘cyber war’ causing general unrest in Estonia earlier in the year. Disputes over the relocation of a Russian Red Army monument not only led to arrests in the real world, but several Estonian government and other public sector and media websites were heavily targeted via Distributed Denial of Service (DDoS) attacks by an extremely active network of hackers. Several key sites were rendered unreachable.

The mobile malware industry has also been very active this year. ‘Personalized’ SMS spam, financial lottery scams, and several new items of spyware were reported for mobile devices. It is concerning to see complex mobile trojans and spyware being developed by growing commercial entities, with the aim of making solid profits to support further development of the malicious economy. However, the increase in the volume of malware for mobile devices seems to be slowing (though it could be the calm before a storm). The rise of adware also seems to have stagnated – of course this does not necessarily indicate that these threats will stop.

The Mac seems to be becoming increasingly appealing for malware writers, with several trojans appearing this year, such as DNSChanger which hijacks DNS settings and then redirects the user to malicious websites.

So what is the next step for viruses and information threats? Despite the emergence of new operating systems such as Windows Vista, new mobile content and devices like the iPhone, cyber criminals are still using tried and tested ways of attacking Internet users.

Furthermore, we have seen a significant return of DDoS attacks and attacks that use browser vulnerabilities to penetrate the system. The most significant thing that distinguishes the present situation from that of several years ago is the fact that email is not being used as the primary vehicle for spreading malware. Instead, instant messaging services and web exploits are two of today’s key means of distribution.

Anti-virus and security vendors have improved their technologies considerably and introduced several new ones. Presently, end points or PCs are protected much more effectively than they were several years ago. The average length of time that most new malicious programs survive in the wild has been cut to a number of hours.

Company data is worth a lot of money on the dark side of the web and criminals will go to significant lengths to harvest it. But let’s predict what will happen next. Malicious users will attempt to reach beyond the current security solutions: rather than simply ‘getting around’ anti-virus programs or security devices, they will move into fields that have not yet been mastered by conventional security and anti-virus protection, or areas in which protection is not an option for any number of reasons. This is more than likely where the new front will be in the information war. We will face more botnet problems, threats to Web 2.0 sites, Windows Vista malware, malware targeting online games, along with attacks on IM software and more problematic rootkits. I think that hackers will also turn their attention to virtualization software because companies are increasingly looking into virtualization for their defence.

I was so deep in thought at the airport that I nearly missed my chance to have one last chat with Irishka, a student from Rostov University whom I had met on my trip and who had helped me a lot in communicating with the locals. It occurred to me that we should all make the effort to invest more time in real life than in our virtual one before it’s too late. Maybe it’s time that malware writers considered this as well.
