In some of my February's streams :) "
The War against botnets and DDoS attacks" and "
CME - 24 aka Nyxem, and who's infected?" I covered some of the recent events related to
malware trends
in the first months of 2006. This is perhaps the perfect time to say a
big thanks to everyone who's been expressing ideas, remarks and thoughts
on my malware research. While conducting the reseach itself I realized
that I simply cannot include everything I want it, as I didn't wanted to
release a book to have its content outdated in less than an year, but a
"stick to the big picture" representation of the things to come. The
best part is that while keeping daily track of the trends and trying to
compile a summary to be released at the end of the year, many more
concepts that I didn't include come to my mind, so I feel I'll have
enough material for a quality summary and justification of my
statements. So what are some of the recent developments to keep in mind?
A lot of buzz on the
CME-24 front,
and I
feel
quite a lot of time was spent on speculating on the infected population
out of a web counter whose results weren't that very accurate as
originally though. And as vendors closely cooperated to build awareness
on the destructive payload, I think that's the first victory for 2006,
no windows of opportunity The best is that CAIDA patiently waited until
the buzz is over to actually come up with
reliable statistics on Nyxem.
It's
rather quiet on the AV radars' from the way I see it, and quickly going
through F-Secure's, Kaspersky's (seem to be busy analyzing code, great
real-time stats!), Symantec's I came across the similarities you can
feel for yourself in "the wild" :)
Symantec's ThreatCon is normal, what's interesting to note is
VirusTotal's flood of detected WMF's, which is perhaps a consequence of the *known*
second vulnerability.
James Ancheta's case was perhaps the first known and so nicely documented on
botnet power on 
demand. Recently, a botnet, or the participation in such
shut down a hospital's network, more over I think StormPay didn't comply with a
DDoS extortion attempt during the weekend?
Joanna Rutkowska provided more insights on stealth malware in her research (
slides,
demo) about
"about
new generation of stealth malware, so called Stealth by Design (SbD)
malware, which doesn't use any of the classic rootkit technology tricks,
but still offers full stealth. The presentation also focuses on
limitations of the current anti-rootkit technology and why it’s not
useful in fighting SbD malware. Consequently, alternative method for
compromise 
detection
is advocated in this presentation, Explicit Compromise Detection (ECD),
as well as the challenges which Independent Software Vendors encounter
when trying to implement ECD for Windows systems – I call it Memory
Reading Problem (MRP). "
How sound is the possibility of
malware heading towards the BIOS anyway? An "
Intelligent P2P worm's activity"
that I just across to also deserves to be mentioned, the concept is
great, still the authors have to figure out how to come up with
legitimate file sizes for multimedia files if they really want to fake
its existence, what do you think on this?
Some recent research and articles worth mentioning are,
Kaspersky's Malware - Evolution : October - December 2005 outlines the possibilities for
cryptoviral extortion attacks, 0days vulnerabilities, and
how the WMF bug got purchased/sold for $4000. There's also been quite a lot of
new trojans analyzed by third-party researchers, and among the many recent articles that made me an impression are "
Malicious Malware: attacking the attackers, part 1" and
part 2, from the article :
"This
article explores measures to attack those malicious attackers who seek
to harm our legitimate systems. The proactive use of exploits and bot
networks that fight other bot networks, along with social engineering
and attacker techniques are all discussed in an ethical manner."
Internet worms and IPv6 has nice points, still I wish there were only network based worms to bother about. Besides all I've
missed important concepts in
various commentaries, did you? Malware is still vulnerabilities/social
engineering attacks split at least for the last several months, still
the
increased corporate and home IM usage will inevitable lead to many more security threats to worry about. Web platform worms such as
MySpace and
Google's AdSense Trojan, are
slowly gaining grounds as a Web 2.0 concept, so virus or IDS
signatures are to look for, try both!
During January, David Aitel
reopened the subject of beneficial worms out of
Vesselin Bontchev's research on "
good worms". While I have my
reservations
on such a concept that would have to do with patching mostly the way I
see it, could exploiting a vulnerability in a piece of malware by
considered useful some day, or could a network mapping worm launched in
the wild act as an early response system on mapped targets that could
end up in a malware's "hitlist"? And I also think the alternative to
such an approach going beyond the network level is Johnny Long's (
recent chat with him)
Google Dorks Hacking Database,
you won't need to try to map the unlimited IPv6 address space looking
for preys. Someone will either do the job for you, or with the time,
transparancy in
IPv6, one necessary for
segmented and targeted attacks will be
achieved as well.
Several days ago, Kaspersky released their
summary for 2005, nothing ground breaking in here compared to previous research on
how the WMF vulnerability was purchased/sold for $4000
:) but still, it's a very comprehensive and in-depth summary of 2005 in
respect to the variables of a malware they keep track of. I recommend
you to go through it. What made me an impression?
- on average,
6368 malicious programs detected by month
-
+272% Trojan-Downloaders 2005 vs 2004
-
+212% Trojan-Dropper 2005 vs 2004
-
+413% Rootkit 2005 vs 2004
- During 2005, on average
28 new rootkits a month
-
IM worms 32 modifications per month
-
IRC worms are on
-31%
- P2P worms are on
-43%,
the best thing is that Kaspersky labs also shares my opinion on the
reason for the decline, P2P busts and general prosecutions for
file-sharing. What's also interesting is to mention is the recent ruling
in a district court in Paris on the "
legality of P2P" in France and the charge of 5 EUR per month for access to P2P, but for how long? :) P2P
filesharing isn't illegal
and if you cannot come up with a way to release your multimedia content
online, don't bother doing at all. In previous chats I had with
Eric Goldman, he also makes some
very good points on the topic.
-
+68% Exploit, that is
software vulnerabilities
and the use of exploits both known or 0day's with the idea to easily
exploit targeted PC, though I'm expecting the actual percentage to be
much higher
- Internet banking malware reached a record
402% growth
rate by the end of 2005 The Trojan.Passwd is a very good example, it
clearly indicates that it is written for financial gains. E-banking can
indeed prove dangerous sometimes, and while I'm not being a paranoid in
here, I'd would recommend you go through Candid's well written "
Threats to Consider when doing E-banking" paper
- A modest growth from 22 programs per month in 2004 to 31 in 2005 on the
Linux malware front
I
feel today's malware scene is so vibrant that it's getting more and
more complex to keep track of possible propagation vectors, ecosystem
here and there, and mostly
communicating what's going on to the general public(actually this one isn't).
What's to come and what drives the current growth of malware?
- money!
- the
commercialization of the market for software vulnerabilities, where we have
the first underground purchase of the WMF exploit,
so have software vulnerabilities always been the currency of trade in
the security world or they've started getting the necessary attention
recently?
- is stealth malware more than an issue compared to
utilizing 0day vulnerabilities, and is retaining current zombie PCs a
bigger priority than to infecting new ones?
- business competitors,
enemies, unethical individuals are actively seeking for undetected
pieces of malware coded especially for their needs, these definitely go
beneath the sensors
-
Ancheta's case
is a clear indication of a working Ecosystem from my point of view,
that goes as high as to provide after-sale services such as DDoS
strength consultations and 0day malware on demand
To sum up,
malware tends to look so sneaky when spreading and zoomed out :) I originally came across the
VisualComplexity project in one of my previous posts on
visualization. Feel I've missed something that's worth mentioning during the last two months? Than consider expanding the discussion!
You can also consider going through the following resources related to malware :
Continue reading →
Cheers to Symantec's PR folks for coming up with such an entertaining promotion of Norton 360, so that "if everything gets too much hit the spacebar to activate the Norton 360 force field to destroy everything in sight."
It's
rather quiet on the AV radars' from the way I see it, and quickly going
through F-Secure's, Kaspersky's (seem to be busy analyzing code, great
real-time stats!), Symantec's I came across the similarities you can
feel for yourself in "the wild" :) Symantec's ThreatCon is normal, what's interesting to note is VirusTotal's flood of detected WMF's, which is perhaps a consequence of the *known* second vulnerability.
demand. Recently, a botnet, or the participation in such shut down a hospital's network, more over I think StormPay didn't comply with a DDoS extortion attempt during the weekend? 
detection
is advocated in this presentation, Explicit Compromise Detection (ECD),
as well as the challenges which Independent Software Vendors encounter
when trying to implement ECD for Windows systems – I call it Memory
Reading Problem (MRP). " 
To sum up, malware tends to look so sneaky when spreading and zoomed out :) I originally came across the VisualComplexity project in one of my previous posts on visualization. Feel I've missed something that's worth mentioning during the last two months? Than consider expanding the discussion! 
- 1,439 million IM accounts in existence by 2007
Exposing Bulgaria's Largest Data Leak - An OSINT Analysis
Exposing the Black Basta Ransomware Group - Part Three
Exposing the Conti Ransomware Gang - An OSINT Analysis
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Joining Team Astalavista.box.sk - Official Project Re-Launch - Join us Today!
Profiling a Currently Active High-Profile Cybercriminals Portfolio of Ransomware-Themed Extortion Email Addresses
New Project - Malware C&C Domains Offensive Network Reconnaissance Monitoring Project
Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP Accounts
Dissecting 'Operation Ababil' - an OSINT Analysis
RSS Feed