The virus evolution
In other circumstances, the recent rampant spread of Conficker might have been the cue for an outbreak of nostalgia. With a ‘trigger date’ for executing its payload, it was reminiscent of predecessors like Anna Kournikova or Lovebug.
The way it spreads, by USB key rather than e-mail, is closer in spirit to the earliest viruses that installed themselves on PCs through infected floppy disks. Conficker, also known as Downup, Downadup, Conflicker or Kido, is thought to have infected at least 10 million PCs worldwide, but its true purpose has security experts puzzled.
“We don’t know exactly what it does – it’s on its seventh or eighth iteration but all the analysts haven’t been able to see exactly what it does or why it’s out there,” said Brian Honan, director with BH Consulting.
Some have speculated that it is being set up to launch targeted attacks against companies or websites in the future. One thing is certain: once installed, Conficker generates massive amounts of traffic on a company’s network. Security industry sources said some multinationals based here were taken down, and some government systems may also have been infected.
At least one large Irish company – a household name – was so badly affected by Conficker that it was forced offline for two days. No figures are available for the extent of the damage caused in Ireland, but Ealing Council in Britain estimated the cost to repair a Conficker infection at stg£500,000.
Conficker is the latest in a long line of PC infections to have afflicted Irish organisations. According to a cybercrime survey by UCD and the security professionals’ group ISSA Ireland, 59 per cent of companies were infected by viruses, worms or other forms of malware in 2007, the latest year for which figures are available. Between 2002 and 2006, more than three quarters of companies had been attacked.
More specific details are not readily available, as Irish companies are neither obliged nor inclined to disclose publicly when they have been infected. However, we do know something about some of the major attacks over that time.
A notable entry in the rogues’ gallery is the I Love You worm, so called because the e-mail containing the infected attachment had ‘I love you’ as the subject line – a social engineering trick to get people to open the message.
It succeeded. The love began to spread in April 2000 and when it hit Ireland, it hit hard. “We organised a seminar to tell people about this and took the top floor in Jurys,” said John Ryan, general manager of Calyx Security. “We had a queue outside the door – there was twice the number of people that the room could hold. That brought it home to us that this had a major impact.”
The Nachi worm, otherwise known as Welchia, first appeared towards the end of 2004. This was also very widespread in Ireland.
“An awful lot of organisations got hit,” said Ryan. “It was a denial of service worm and essentially it put so much traffic on the network that real work couldn’t happen.”
Netsky.P first appeared almost five years ago, a variant on a worm that spawned several strains.
Of all its siblings, Netsky.P was particularly prevalent and had certain characteristics that made it interesting, said Eugenio Mouriño Balsa, security manager with the IT distributor Data Solutions.
“It was distributed through Microsoft Outlook on the preview pane,” he said. “It was also different to others in the way that it defended itself – it would detect that the computer owner was trying to run security software or Windows Update and would abort the process. It would also encrypt itself to prevent people from reading the source code. You won’t be able to get rid of it easily.”
The vulnerability that Netsky.P exploited has been patched, but nevertheless many people were infected.
Another piece of malware targeting instant messaging users was Oscarbot.ay, a small Trojan horse program that installs itself in a PC’s memory.
“When the computer is connected to the internet, it sends a message by internet relay chat and awaits instructions from a third party, which could be anything from opening certain files on the PC, or installing other malicious programs such as key loggers,” said Balsa.
This year, data compiled by the anti-virus vendor Eset showed the top infection in Ireland was a redirecting toolbar called MyWebSearch. While that is said to be relatively harmless, the second most frequently occurring threat was INF/Autorun.gen, which is designed to execute when it finds its way onto a machine through an infected CD, DVD or USB key.
Separate findings from Topsec Technology also identified Autorun as one of the most common infections this year. Like Eset, Topsec also spotted the Trojan downloader GetCodec as another file infecting Irish users.
GetCodec compromises a PC by connecting to the internet to download fake video codecs via Windows Media Player, and entices the user to install them on the system. In reality, the new codec contains spyware.
These attacks, like Sasser, Blaster and now Conficker, attracted attention but the opposite is true of many newer viruses, worms and Trojans which are designed to remain hidden.
That’s one of the reasons why the situation is worse than ever, said Kevin Hogan, director of Symantec’s security response centre in Dublin.
“It’s more dangerous because the payload does more damage than five years ago, when a mass mailer just chewed up your bandwidth and annoyed your friends,” he said. “Now the end goal is to make money from you, and you don’t know if you’ve been hit or not. Viruses are more subtle now.”
Money, not fame, is the motivation for the modern malware developer, said Hogan. “We don’t even see proofs of concept any more, where virus writers are showing people what they can do. People aren’t in it for the bravado.”
Viruses and worms that were spreading five years ago have little in common with those now in the wild.
“We’re not necessarily talking about the same thing,” said Hogan. “The likes of Netsky and Bagle were in themselves a single attack. In 2009, we’re talking about multiple files in a single attack. You get these chains of files that are used to achieve one end result.”
In practice, that means e-mails carry fewer malicious attachments – instead they include a link to a website that appears normal but where a program is installed in the background, unknown to the user. This program may itself only be part of an attack, and may connect to other sites to download further components or to send information such as credit card numbers or bank login codes to an anonymous third party.
As a result of these developments, the volume of malware has grown massively in the past two years alone. Symantec currently identifies 25,000 new variants per day – a 265 per cent increase since 2007.
“In 2008 we produced more anti-virus signatures than we did since the beginning of Symantec,” said Hogan.
The growth in numbers of malicious files doesn’t prove they are more sophisticated; it just means criminals release more variants to delay detection by anti-virus scanners.
“If you take Slammer [launched in January 2005], technically that thing was beautiful,” Hogan said. “It was really well thought out and more technically complex than anything we deal with now.”
A brief history digression shows how things have changed. In November 2004, the Dublin-based e-mail hosting provider IE Internet began taking the temperature of Irish organisations to diagnose the extent of virus and spam infections. It scanned thousands of e-mails to gauge how serious the problem was.
“When we began compiling our monthly statistics of virus activity in Irish e-mails, the infection rate was maybe 28 per cent.
The likes of Sobig, Blaster and Netsky were at the top of the list, and they were all significant percentages of the total,” said Ken O’Driscoll, technical director with IE Internet. Now the amount of e-mail-based viruses is less than 2 per cent.
Data from Eset backs up this conclusion. No entry on the company’s top ten infections list in any month of 2009 accounted for more than 9 per cent of the total, and the ten most common malware families combined made up no more than one third of it. In other words, no single virus dominates the chart – many more infected files are competing for supremacy than there were years ago.
What this means for computer users is that e-mail is a less fruitful hunting ground, so attackers are targeting other weak spots. Many have gone to where curious users are a certainty: social networks.
According to O’Driscoll, these sites are a popular target for malware writers because they are deliberately designed to allow third-party programmers to write widgets or applications – opening the door to potential security holes.
“If one of those apps – which are not that difficult to write – were written in a malicious way, anyone who visits your page could be attacked through their web browser because the application executes on the PC of anyone who visits the page,” he said.
Although the Windows platform is still the biggest target for virus writers, Honan warned that all operating systems and applications were in the firing line.
“Adobe Reader and Flash have been particularly impacted in the past few months,” he said. Browsing the web is a poorer experience with those plugins disabled, however, and it’s debatable how many users would take the drastic option of turning them off to protect themselves better.
“A lot of computing these days is done through the browser and, some of the time, the level of access these applications require isn’t very well defined,” O’Driscoll said.
Conventional wisdom holds that you only get viruses by going to dubious websites, but that is wrong: attackers’ techniques include planting files on legitimate sites to infect visitors to a particular page.
The New York Times was a high-profile victim of this type of attack and some Irish websites are also known to have unwittingly hosted elements of malware.
Apple users are no longer immune, as malware is starting to appear for the Apple iPhone and iPod Touch. What’s impressive is how these viruses spread, according to Balsa.
“They can even activate Bluetooth settings and transmit themselves to different machines nearby,” he said. “That’s not a proof of concept. It was in the wild but it’s now been identified and stopped. But it shows people are now writing malware for the Mac platform.”
Peer-to-peer file-sharing networks are also fertile ground for propagating malware. “If you want to get a virus, go to BitTorrent or LimeWire,” said Michael Conway, managing director of Renaissance, a security software provider.
“You will get infected – it’s not a question of might you or could you.”
O’Driscoll agreed, saying that hack tools available on these sites could give people more than they bargained for.
“For example, someone could be downloading a copy of Adobe Photoshop and you need a licence key because the copy is pirated,” he said. “So you download a licence key generator. This might well crack the password but it might also infect your machine with a virus.”
Conway advised businesses to deny access to file-sharing services to avoid infection. “Social networks are blocked for productivity reasons but the malware risk is significant too,” he said. “LinkedIn or Twitter are probably okay from a productivity point of view, but Facebook, Bebo and Myspace should definitely be blocked.”
Other protection measures include making sure that an organisation patches its software with the latest updates. It may be a cliché, but this is still the best way to avoid infection and a potentially costly clean-up operation.
“That’s a big weakness I see in a lot of organisations,” said Honan. “For example, Conficker exploits a vulnerability that was discovered by Microsoft last year, yet we still see companies infected by it.”
However, reality often intrudes and many businesses worry that introducing new patches could disrupt their essential business applications.
“Most organisations should have some kind of test lab to run a new update before applying it across the company – that would be best practice,” said Niall Mackey, general manager of Topsec Technology.
He acknowledged that not all companies had the resources to deal with this, which is why a managed security service was worth considering. “As part of a managed service, all patches are checked. Most companies’ core business is not securing or scanning a network, so for a small amount of money they can sleep at night.”
Honan agreed. “I’m a professional in the industry and I realise the amount of time it would take me to do this. If you outsource a function like this, you don’t have to worry about spamming or viruses.”
Now is not the time to be complacent. If your e-mail inbox seems less prone to receiving dodgy e-mails these days, the wrong conclusion to draw is that viruses have gone away.
Their masters have just changed their plan of attack. The risk of having your PC hijacked, your network clogged or your money stolen is more real than ever.