Malware Part II
By Stephanie Jordan
EDITOR'S NOTE: This is the second in a two-part series on messaging malware. Find the first installment in the January/February 2007 issue of Messaging News.
Veteran malware Bagle is three years old and shows no signs of slowing down. According to Commtouch Software, the email worm uses key offensive strategies to maximize propagation and slip under the radar of traditional anti-virus defenses. Among the secrets of Bagle's continued "success" is its ability to attack repeatedly in intense, high-volume waves, releasing thousands of infected email messages per day and ensuring a wide distribution of the malware across the Internet. Bagle also boasts over 30,000 distinct malware variants. Since each variant or group of variants requires a different signature, it is difficult for anti-virus engines to keep up with its rapid-fire pace. Detection is further hampered because each variant is distributed in very small quantities. Since an anti-virus vendor must obtain a sample of the malware before it can analyze it in its laboratory, distribution in low numbers often enables the malware to "fly below the radar" of traditional anti-virus engines. In 2005 the top three virus outbreaks were Mytob, Bagle, and Sober. In 2006 they were Stration, Bagle and Mytob. But Bagle is not the only one celebrating. In its Security Threat Management Report Update, Sophos notes that viruses that have been around for a substantial amount of time dominate the top ten malware threats chart.
"The Internet experienced fewer large-scale virus outbreaks in 2006," comments Tom Gillis, senior vice president of worldwide marketing and sales for IronPort Systems, Inc. "However, the outbreaks we did have were much more sophisticated, malicious and targeted." The hardest-hitting threat early last year was the Sober-Z worm, which masqueraded as an email from the F.B.I. or C.I.A. claiming that the recipient had accessed illegal websites.
According to Postini, total spam has gone up 222 percent since November 2005, with 125 percent of this increase coming in the last 6 months. Major email-borne virus attacks in January and February were aimed at creating more botnets: millions of hijacked personal computers that have been infected to steal personal information and to distribute spam and viruses. Heightened virus activity began in late December 2006 with the Happy New Year spam virus attack and continued in January with the Storm email attack. February has seen a steady stream of these types of attacks as hackers continue to harvest computers with the aim of building more botnets for future attacks. The increased volume of attacks in February drove several all-time records. "For the first time, Postini's global data centers processed more than two billion connections per day. Data volumes grew to more than 17 terabytes in a single 24-hour period and average volumes of spams blocked per day rose to more than one billion," discloses Daniel Druker, executive vice president of marketing for Postini. "Following two of the largest outbreaks of email viruses in history in December and January, as predicted, spam and other attacks reached all time highs in February. The rise of botnets has driven spam to be a $100 billion business issue in 2007, making it integral for all companies to seek solutions that keep their communications safe and productive."
Druker says these attacks represent a shift in tactics for the hackers, away from self-propagating Internet worm viruses that copied and sent themselves to the email addresses they found on the PCs they infected. Instead, hackers are now able to use the botnets that they have harvested in order to launch these attacks as spam emails with viruses attached to them. By sending massive quantities of these emails timed with specific mainstream or newsworthy events, hackers only need a tiny fraction of these emails to get through and trick users into clicking on the attachment and infecting their PC. In this fashion the hackers are adding hundreds of thousands more computers to their botnets.
Mark Sunner, chief security analyst for MessageLabs, notes that the increase has been linked to the predictable focus on Valentine's Day related messages. February also saw a hike in seasonal hijacking threats, including the For My Valentine malware with attachments such as Greetings Card.exe. Additionally, MessageLabs saw a rise in newly created malware, with 43.9 percent of all malware intercepted in February being of a new variety, indicating new efforts from malware authors and perhaps new malware distributors entering the market.
"Following heightened Storm worm activity in January, there has been increased speculation that a new botnet of compromised computers has been created," says Sunner. "It also appears that this botnet and others have been used to take a break from spamming and instead launch distributed denial of service (DDoS) attacks to bombard a number of anti-spam sites, such as Spamhaus." The reality is that malware, largely distributed through email messaging, continues to plague enterprises. MessageLabs reports that, for the fifth consecutive month, spam levels continued to rise, with February levels reaching 77.8 percent of all emails. IDC research indicates that over 450 new viruses are launched and attack enterprises every month. IDC also estimates that these attacks cost enterprises billions of dollars annually in productivity loss and remediation costs.
MessageLabs CTO Mark Sunner says, "The people behind today's viruses have a much more sophisticated mindset and are now more likely to be organized criminals rather than teenage hackers." Because of this shift, many in the industry have broadened the definition of malware.
"When we talk about malware, from the Microsoft perspective, we are looking at all the malicious components within email," says Craig Spiezle, director of online safety technologies and strategies for Microsoft Corporation and Authentication and Online Trust Alliance founder and executive director. "Another term we use is crimeware. Phishing exploits, zero day exploits, viruses, etc. Any email that tries to lead the end-user to a website that forces malware or keystroke logging."