
Three Criteria for Malware Existence

No operating system or application is vulnerable to malicious programs unless external
programs, no matter how simple, can be launched within it. Conversely, if even the
simplest external program can be launched within an operating system or application,
that system or application can host malicious programs. Most contemporary operating
systems and applications need to work with other programs, so they do end up being
vulnerable. Potentially vulnerable operating systems and applications include:

• All popular desktop operating systems
• Most office applications
• Most graphical editors
• Project management applications
• Any application with a built-in script language

Computer viruses, worms and Trojans have been written for countless operating systems and
applications. On the other hand, there are still numerous operating systems and
applications that are free from malware so far. Why is this so? What makes one OS more
attractive to virus writers than another?

Malware appears in any given environment when the following criteria are met:

• The operating system is widely used
• Reasonably high-quality documentation is available
• The targeted system is insecure or has a number of documented vulnerabilities

All three criteria are key factors and all three need to be met before the given system will
be targeted by virus writers.

In the first place, in order for hackers and cyber vandals to even consider any system, the
target needs to be popular enough for them to access it. Once an OS or application is
widely available and marketed successfully, it turns into a viable target for virus writers.

A quick look at the number of malicious programs written for Windows and Linux shows
that the volume of malware is roughly proportional to the respective market share of
these two operating systems.

Detailed documentation is necessary for both legal developers and hackers, since
documentation includes descriptions of available services and rules for writing
compatible programs.

For instance, most mobile phone vendors do not share this information, leaving both
legitimate developers and hackers without the details they need. On the other hand, some
vendors of smart phones do publish their documentation. The first viruses for Symbian
(Worm.SymbOS.Cabir.a) and Windows CE (WinCE.Duts.a) appeared shortly after the
documentation was published in mid-2004.

The architecture of a well-designed operating system or application needs to take
security into account. A secure design does not allow new or unsanctioned programs
extensive access to files or to potentially dangerous services. This leads to difficulties,
as a fully secure system will block not only malware but 'friendly' programs as well. As a
result, none of the widely available systems can be called truly secure.

Java virtual machines that run Java applications in 'sandbox' mode come close to
achieving secure conditions. As a matter of fact, for a long time no viruses or Trojans
posing a serious threat were written in Java, though non-viable proof-of-concept malware
does occasionally appear. Malware written in Java appeared only when vulnerabilities in
Java Virtual Machine security were discovered and publicized.

Malicious Programs Descriptions

Malicious programs can be divided into the following groups: worms, viruses, Trojans,
hacker utilities and other malware. All of these are designed to damage the infected
machine or other networked machines.

Network Worms

This category includes programs that propagate via LANs or the Internet with the
following objectives:

• Penetrating remote machines
• Launching copies on victim machines
• Spreading further to new machines

Worms use different networking systems to propagate: email, instant messaging, file-
sharing (P2P), IRC channels, LANs, WANs and so forth.

Most existing worms spread as files in one form or another - email attachments, in ICQ
or IRC messages, links to files stored on infected websites or FTP servers, files accessible
via P2P networks and so on.
There are a small number of so-called fileless or packet worms; these spread as network
packets and directly penetrate the RAM of the victim machine, where the code is then
executed.

Worms use a variety of methods for penetrating victim machines and subsequently
executing code, including:

• Social engineering: emails that encourage recipients to open the attachment
• Poorly configured networks: networks that leave local machines open to access
from outside the network
• Vulnerabilities in operating systems and applications

Today's malware is often a composite creation: worms now often include Trojan
functions or are able to infect exe files on the victim machine. They are no longer pure
worms, but blended threats.

Classic Viruses

This class of malicious programs covers programs that spread copies of themselves
throughout a single machine in order to:

• Launch and/or execute this code once a user fulfills a designated action
• Penetrate other resources within the victim machine

Unlike worms, viruses do not use network resources to penetrate other machines. Copies
of viruses can penetrate other machines only if an infected object is accessed and the
code is launched by a user on an uninfected machine. This can happen in the following
ways:

• The virus infects files on a network resource that other users can access
• The virus infects removable storage media which are then attached to a clean
machine
• The user attaches an infected file to an email and sends it to a 'healthy' recipient

Viruses are sometimes carried by worms as additional payloads, or they can themselves
include backdoor or Trojan functionality that destroys data on an infected machine.

Trojan Programs

This class of malware includes a wide variety of programs that perform actions without
the user's knowledge or consent: collecting data and sending it to a cyber criminal,
destroying or altering data with malicious intent, causing the computer to malfunction, or
using a machine's capabilities for malicious or criminal purposes, such as sending spam.
A subset of Trojans damage remote machines or networks without compromising
infected machines; these are Trojans that utilize victim machines to participate in a DoS
attack on a designated web site.

Hacker Utilities and other malicious programs

This diverse class includes:

• Utilities such as constructors that can be used to create viruses, worms and
Trojans
• Program libraries specially developed to be used in creating malware
• Hacker utilities that encrypt infected files to hide them from antivirus software
• Jokes that interfere with normal computer function
• Programs that deliberately misinform users about their actions in the system
• Other programs that are designed to directly or indirectly damage local or
networked machines

Network Worms
Today everyone has heard of computer worms.

Worms can be classified according to the propagation method they use, i.e. how they
deliver copies of themselves to new victim machines. Worms can also be classified by
installation method, launch method and finally according to characteristics common to all
malware: polymorphism, stealth etc.

Many of the worms which managed to cause significant outbreaks use more than one
propagation method as well as more than one infection technique. The methods are listed
separately below.

• Email Worms
• Instant Messaging Worms
• Internet Worms
• IRC Worms
• File-sharing Networks Worms

Email worms

Email worms spread via infected email messages. The worm may be in the form of an
attachment, or the email may contain a link to an infected website. In both cases,
however, email is the vehicle. In the first case the worm is activated when the user opens
the attachment; in the second case it is activated when the user clicks on the link
leading to the infected site.

Email worms normally use one of the following methods to spread:

• Direct connection to SMTP servers using a SMTP API library coded into the
worm
• MS Outlook services
• Windows MAPI functions

Email worms harvest email addresses from victim machines in order to spread further.
Worms use one or more of the following techniques:

• Scanning the local MS Outlook address book
• Scanning the WAB address database
• Scanning files with appropriate extensions for email address-like text strings
• Sending copies of itself to all mail in the user's mailbox (worms may even
'answer' unopened items in the inbox)

While these techniques are the most common, some worms even construct new target
addresses from lists of possible names combined with common domain names.

Instant Messaging (ICQ and MSN) Worms

These worms have a single propagation method. They spread using instant messaging
applications by sending links to infected websites to everyone on the local contact list.
The only difference between these worms and email worms which send links is the medium
chosen to send the links.

Internet Worms

Virus writers use other techniques to distribute computer worms, including:

• Copying the worm to networked resources
• Exploiting operating system vulnerabilities to penetrate computers and/or
networks
• Penetrating public networks
• Piggy-backing: using other malware to act as a carrier for the worm

In the first case, the worms locate remote machines and copy themselves into folders
which are open for reading and writing. These network worms scan all available
network resources using local operating system services and/or scan the Internet for
vulnerable machines. They will then attempt to connect to these machines and gain full
access to them.
In the second case, the worms scan the Internet for machines that have not been patched,
i.e. have operating systems with critical vulnerabilities still open to exploitation. The
worm sends data packets or requests which install either the entire body of the worm or a
small part of the worm containing downloader functionality. If this code is successfully
installed the main worm body is then downloaded. In either case, once the worm is
installed it will execute its code and the cycle continues.

Worms that use Web and FTP servers fall into a separate category. Infection is a two-
stage process. These worms first penetrate service files on the file server, such as static
web pages. Then the worms wait for clients to access the infected files and attack
individual machines. These victim machines are then used as launch pads for further
attacks.

Some virus writers use worms or Trojans to spread new worms. These writers first
identify Trojans or worms that have successfully installed backdoors on victim machines.
In most cases this functionality allows the master to send commands to the victim
machine: such zombies which have backdoors installed can be commanded to download
and execute files - in this case copies of the new worm.

Many worms use two or more propagation methods in combination, in order to more
efficiently penetrate potential victim machines.

IRC Worms

These worms target chat channels, although to date few IRC worms have been detected. IRC
worms use the propagation methods listed above: sending links to infected websites or
infected files to contacts harvested from the infected user. Sending infected files is less
effective, as the recipient needs to confirm receipt, save the file and open it before the
worm is able to penetrate the victim machine.

File-sharing Networks or P2P Worms

P2P worms copy themselves into a shared folder, usually located on the local machine.
Once the worm has successfully placed a copy of itself under a harmless name in a shared
folder, the P2P network takes over: the network informs other users about the new
resource and provides the infrastructure to download and execute the infected file.

More complex P2P worms imitate the network protocol of specific file-sharing networks:
they respond affirmatively to all requests and offer infected files containing the worm
body to all comers.

1. IM-Worm.Win32.Bropia.ad
This worm is written in Visual Basic and normally has two components:
the IM-Worm itself, and a variant of Backdoor.Win32.Rbot which is
embedded in the file. The backdoor is usually packed with UPX and
Morphine. It will be detected as Backdoor.Win32.Rbot.gen. The worm is
188,416 bytes in size. The...
2. IM-Worm.Win32.Bropia.aj
This worm spreads via the Internet using MSN Messenger. It is written in
Visual Basic and is approximately 200 KB in size. The worm contains a
backdoor program, Backdoor.Win32.Rbot.hg which it will extract from
itself and launch on the victim machine. Installation Once launched, the
worm copies...
3. IM-Worm.Win32.Funner
This worm spreads via the Internet using MSN Messenger to propagate. It
is written in Visual Basic. It is approximately 56KB in size, and packed
using ASPack. The unpacked file is approximately 306KB in size. Installation
Once launched, the worm copies itself to the Windows system directory
under the...
4. IM-Worm.Win32.Jitux
Jitux is an Internet worm that spreads via the MSN Messenger system. It is
written in Visual Basic and its size is about 24KB. The worm sends
messages with the URL of the downloadable version of the worm. Once
the worm is launched, it scans the victim MSN Messenger contact list and
sends all...
5. IM-Worm.Win32.Kelvir.e
This worm spreads via Windows Messenger. It is written in Visual Basic.
The worm file is 24064 bytes in size. The worm contains the following
text strings: OMGOOSES KELVIR 1000 KelVir-FiNAL Once launched,
the worm sends a message to all contacts in the MSN Messenger contact
list: "omg u have to...
6. IM-Worm.Win32.Kelvir.k
This worm spreads via Windows Messenger. It is written in Visual Basic,
and packed using UPX. The packed file is 8704 bytes in size, and the
unpacked file is 24064 bytes in size. Once launched, the worm sends a
message to all MSN Messenger contacts: "its you" The message is
accompanied by the...
7. IM-Worm.Win32.Opanki.d
This worm is written in C, and is packed using MEW and PE_Patch. It
spreads as a link across the AIM network and has Trojan-Downloader
capabilities. The packed body is 3 973 bytes in size. MD5:
4d0a71e9e37a73bd27932e13d03b7ec0 Installation This worm arrives as a
link via the AOL Instant Messaging...
8. IM-Worm.Win32.Sumom.a
This worm spreads via MSN by means of file transfer. The worm file is
packed using several packing programs, and is approximately 17KB when
packed. The unpacked file is approximately 155KB in size. Installation
The worm copies itself to the Windows directory under one of the
following names:...
9. IM-Worm.Win32.VB.a
This worm spreads via the Internet using MSN Messenger. It is written in
Visual Basic and is approximately 160KB in size. The worm contains a
backdoor program, Backdoor.Win32.Rbot.fy which it will extract from
itself and launch on the victim machine. Installation Once launched, the
worm copies...

Classic Viruses
Computer viruses can be classified according to their environment and infection methods.
The environment is the application or operating system required by any given virus to
infect files within these systems. Infection methods are the techniques used to inject the
virus code into an object.

Environment

Most viruses can be found in one of the following environments:

• File systems
• Boot sectors
• Macro environments
• Script hosts

File viruses use the file system of a given operating system (or more than one) to
propagate. File viruses can be divided into the following categories:

• Those that infect executable files (the largest group of file viruses)
• Those that create duplicates of files (companion viruses)
• Those that create copies of themselves in various directories
• Those that utilize file systems features (link viruses)

Boot sector viruses write themselves either to the boot sector or to the master boot record,
or displace the active boot sector. These viruses were widespread in the 1990s, but have
almost disappeared since 32-bit protected-mode operating systems became standard and
floppy disks fell out of use. It would be technically possible to write boot sector viruses
for CDs and USB flash drives, but no such viruses had been detected at the time of writing.

Many word processing, accounting, editing and project applications have built-in macro
scripts which automate frequently used sequences. These macro languages are often
complex and include a wide range of commands. Macro viruses are written in macro
languages and infect applications with built-in macros. Macro viruses propagate by
exploiting macro language properties in order to transfer from an infected file to another
file.

Infection Methods

The groups of viruses listed above can be sub-divided according to the technique a virus
uses to infect objects.
File Viruses

File viruses use the following infection methods:

• Overwriting
• Parasitic
• Companion
• Links
• Object modules (OBJ)
• Compiler libraries (LIB)
• Application source code

Overwriting

This is the simplest infection method: the virus replaces the code of the infected file with
its own, erasing the original code. The file is rendered useless and cannot be restored.
These viruses are easily detected because the operating system and affected applications
will cease to function shortly after infection.

Parasitic

Parasitic viruses modify the code of the infected file. The infected file remains partially
or fully functional.

Parasitic viruses are grouped according to the section of the file they write their code to:

• Prepending: the malicious code is written to the beginning of the file


• Appending: the malicious code is written to the end of the file
• Inserting: the malicious code is inserted in the middle of the file

Inserting file viruses use a variety of methods to write code to the middle of a file: they
either move parts of the original file to the end or copy their own code to empty sections
of the target file. These are sometimes called cavity viruses.

Prepending viruses

Prepending viruses write their code to target files in two ways. In the first scenario, the
virus moves the code from the beginning of the target file to the end and writes its own
code to this space. In the second scenario the virus adds the code of the target file to its
own code.

In both cases, every time the infected file is launched, the virus code is executed first. In
order to maintain application integrity, the virus may clean the infected file, re-launch it,
wait for the file to execute, and once this process is over, the virus will copy itself again
to the beginning of the file. Some viruses use temp files to store clean versions of
infected files. Some viruses will restore the application code in memory, and reset
necessary addresses in the body, thus duplicating the work of the operating system.

Appending viruses

Most viruses fall into this category. Appending viruses write themselves to the end of the
infected files. However, these viruses usually modify the files (change the entry point in
the file header) to ensure that the commands contained in the virus code are executed
before infected object commands.
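As an added example (not code from the original page or from any antivirus product), the following Python script shows the check a scanner can make for the entry-point change just described: it parses the PE headers, finds the section that contains AddressOfEntryPoint and flags an entry point that lands in the last section, in a section not marked as code, or in a section that is both writable and executable. The images it inspects are constructed in memory by `build_pe` (the section names, addresses and flag values are chosen for the demo), so it runs without any real executable. Entry point obscuring viruses, which leave the header's entry point untouched, pass this check by design, which is why it is a heuristic rather than a detection.

```python
"""Heuristic check for appending-virus style entry-point redirection (added example)."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, sections) for a PE32/PE32+ image held in memory.

    Each section is a dict with name, RVA, virtual size, raw size and flags.
    Raises ValueError for anything that does not look like a PE file.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at +16 in both PE32 and PE32+ optional headers.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size
    for _ in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, off)   # 40-byte section header
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": fields[1], "vaddr": fields[2], "rawsize": fields[3], "chars": fields[9],
        })
        off += 40
    return entry, sections


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def entry_point_findings(data):
    """Return a list of warnings about where the entry point points."""
    entry, sections = parse_pe(data)
    sec = section_for_rva(sections, entry)
    if sec is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if len(sections) > 1 and sec is sections[-1]:
        findings.append("entry point is in the last section %r" % sec["name"])
    if not sec["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %r is not marked as code" % sec["name"])
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is writable and executable" % sec["name"])
    return findings


def build_pe(sections, entry_rva):
    """Construct a minimal, non-runnable PE32 header set for the demo.

    `sections` is a list of (name, rva, size, characteristics) tuples.
    """
    opt_size = 224                                            # PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0, 0, 0, 0, 0, chars)
                    for name, rva, size, chars in sections)
    return dos + coff + opt + hdrs


# Constructed images: a clean layout, the same file after an appending virus added a
# final section and retargeted the entry point, and an EPO-style infection that keeps it.
_TEXT = (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
_DATA = (b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
_VIRUS = (b".virus", 0x4000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN = build_pe([_TEXT, _DATA], entry_rva=0x1200)
APPENDED = build_pe([_TEXT, _DATA, _VIRUS], entry_rva=0x4010)
EPO = build_pe([_TEXT, _DATA, _VIRUS], entry_rva=0x1200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED), ("epo", EPO)):
        print(label, entry_point_findings(image) or "no findings")
```

Packers and some linkers also put the entry point in a late or writable section, so in practice this result is one signal to combine with others (section entropy, import table state, overlay size), not a verdict on its own.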

Inserting viruses

Virus writers use a variety of methods to inject viruses into the middle of a file. The
simplest methods are moving part of the file code to the end of the file or pushing the
original code aside to create a space for the virus.

Inserting viruses include so-called cavity viruses; these write their code to sections of
files that are known to be empty. For instance, cavity viruses can copy themselves to the
unused part of exe file headers, to the gaps between exe file sections, or to text areas of
popular compilers. Some cavity viruses will only infect files where a certain block
contains a certain byte; the chosen block will be overwritten with the virus code.

Finally, some inserting viruses are badly written and simply overwrite sections of code
which are essential for the infected file to function. This causes the file to be irrevocably
corrupted.

Entry point obscuring viruses - EPOs

There is a small group of parasitic viruses, including both appending and inserting
viruses, which do not modify the entry point address in the headers of exe files. EPO
viruses write a routine that passes control to the virus body into the middle of the
infected file. The virus code is then executed only if the routine containing that jump is
called. If this routine is rarely used (i.e. a rare error notification), an EPO virus can
remain dormant for a long time.

Virus writers need to choose the entry point carefully: a badly chosen entry point can
either corrupt the host file or cause the virus to remain dormant long enough for the
infected file to be deleted.

Virus writers use different methods to find useful entry points:

• Searching for frames and overwriting them with infected starting points
• Disassembling the host file code
• Changing the addresses of imported functions

Companion viruses

Companion viruses do not modify the host file. Instead they create a duplicate file
containing the virus. When the infected file is launched the copy containing the virus will
be executed first.

This category includes viruses that re-name the host file, record the new name for future
reference and then overwrite the original file. For instance, a virus might rename
notepad.exe as notepad.exd and write its own code to the file under the original name.
Each time the user of the victim machine launches notepad.exe, the virus code will be
executed, with the original Notepad file, notepad.exd, being run afterwards.

There are other types of companion viruses which use original infection techniques or
exploit peculiarities of specific operating systems. For instance, path companion viruses
place their copies in a directory that is searched earlier: when a program is launched by
name alone, the system walks the directories in the PATH list in order and runs the first
match, so a copy placed in the Windows system directory, which comes first in the PATH
list, is found before the legitimate program. Many contemporary worms and Trojans use
such autorun techniques.
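An added example (not code from the original page) of how to audit for both companion techniques described above. The script simulates the Windows resolution rule for a bare command name, walking the search directories in order and trying the PATHEXT extensions in order within each one, and then reports every base name that resolves to more than one file: the first hit is what actually runs, the rest are shadowed. The directory names, file names and the `DEFAULT_PATHEXT` order are chosen for the demo and created in a temporary folder; pass the entries of a real PATH to audit a live system.

```python
"""Audit a search path for companion-style shadowing of command names (added example)."""
import os
import tempfile

# Assumed extension order; Windows reads the real list from the PATHEXT variable.
DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")


def resolve_command(name, path_dirs, pathext=DEFAULT_PATHEXT):
    """Return every file that could satisfy `name`, in the order the loader tries them.

    Directory order dominates extension order: system32\\x.exe beats app\\x.com,
    and within one directory app\\x.com beats app\\x.exe.
    """
    hits = []
    for d in path_dirs:
        for ext in pathext:
            candidate = os.path.join(d, name + ext)
            if os.path.isfile(candidate):
                hits.append(candidate)
    return hits


def find_shadowed(path_dirs, pathext=DEFAULT_PATHEXT):
    """Map each base name found more than once along the search order to its hits.

    hits[0] is the file that runs; everything after it is shadowed.
    """
    names = set()
    for d in path_dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            base, ext = os.path.splitext(fn)
            if ext.lower() in pathext:
                names.add(base.lower())   # Windows file names are case-insensitive
    shadowed = {}
    for name in sorted(names):
        hits = resolve_command(name, path_dirs, pathext)
        if len(hits) > 1:
            shadowed[name] = hits
    return shadowed


def build_demo_tree():
    """Create a constructed two-directory search path and return it as a list.

    Lower-case names are used so the demo also behaves on case-sensitive file systems.
    """
    root = tempfile.mkdtemp(prefix="companion-demo-")
    sysdir = os.path.join(root, "system32")
    appdir = os.path.join(root, "app")
    os.makedirs(sysdir)
    os.makedirs(appdir)
    files = {
        # the legitimate program lives in its own directory
        os.path.join(appdir, "notepad.exe"): b"MZ legitimate notepad",
        # path companion: same name, dropped in the directory searched first
        os.path.join(sysdir, "notepad.exe"): b"MZ companion",
        # classic companion: a .com beside the real .exe wins on extension order
        os.path.join(appdir, "calc.exe"): b"MZ legitimate calc",
        os.path.join(appdir, "calc.com"): b"companion",
        # unshadowed control
        os.path.join(appdir, "mspaint.exe"): b"MZ legitimate mspaint",
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return [sysdir, appdir]


if __name__ == "__main__":
    search_path = build_demo_tree()
    for name, hits in find_shadowed(search_path).items():
        print(name, "runs:", hits[0], "shadows:", hits[1:])
```

On a real Windows host CreateProcess also looks in the application's own directory (and, depending on configuration, the current directory) before the PATH entries, so include those locations in `path_dirs` when auditing; a writable directory anywhere early in that order is what a path companion needs.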

Other infection techniques

Some viruses do not use executable files to infect a computer, but simply copy
themselves to a range of folders in the hope that sooner or later they will be launched by
the user. Some virus writers give their viruses names such as install.exe or winstart.bat
in order to persuade the user to launch the file containing the virus.

Other viruses copy themselves to compressed files in formats such as ARJ, ZIP and RAR,
while still others write the command to launch an infected file to a BAT-file.

Link viruses also do not modify host files. However, they force the operating system to
execute the virus code by modifying the appropriate fields in the file system.

Boot Sector Viruses

The boot viruses currently known infect the boot sectors of floppy disks and the boot
sector or Master Boot Record (MBR) of the hard disk. Boot viruses rely on the procedure
used to launch the operating system when the computer is switched on or rebooted. Once
the necessary checks of memory, disks etc. have been carried out, the system boot program
reads the first physical sector of the boot disk (A:, C: or the CD-ROM, depending on the
parameters configured in BIOS Setup) and passes control to this sector.

When infecting disks, a boot virus substitutes its code for that of the program which
gains control when the system launches. In order to infect the system, the virus forces
the system to load it into memory and hand over control not to the original boot program
but to the virus code.
Floppy disks can only be infected in one way: the virus writes its code in place of the
original code of the boot sector of the disk. Hard disks can be infected in three ways: the
virus either writes its code in place of the MBR code, or in place of the boot sector code
of the boot disk, or modifies the address of the active boot sector in the Disk Partition
Table in the hard disk MBR.

In the vast majority of cases, when infecting a disk the virus will move the original boot
sector (or MBR) to another sector of the disk, often the first empty one. If the virus is
longer than the sector, then the infected sector will contain the first part of the virus code,
and the remainder of the code will be placed in other sectors, usually the first free ones.
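The three hard-disk infection routes above (replace the MBR code, replace the boot sector code, or repoint the active partition entry) all change bytes in a single 512-byte sector, which is why an integrity baseline of that sector is the usual check. The Python below is an added example, not code from the original page: it parses an MBR into its 446 bytes of boot code and four 16-byte partition entries, snapshots a known-good sector (boot code hash plus parsed table) and reports what a later read differs in. The three sectors it examines are constructed for the demo, and the "boot code" bytes are placeholders rather than a real loader.

```python
"""Baseline-and-compare check for MBR tampering (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446
ENTRY_FMT = "<B3BB3BII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return (boot_code, partitions); raise ValueError on a malformed sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_SIZE + 16 * i)
        status, ptype, lba_start, count = fields[0], fields[4], fields[8], fields[9]
        if status not in (0x00, 0x80):
            raise ValueError("partition %d has invalid status byte 0x%02x" % (i, status))
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return sector[:BOOT_CODE_SIZE], partitions


def snapshot(sector):
    """Hash the boot code and keep the parsed table; store the result offline."""
    boot_code, partitions = parse_mbr(sector)
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions}


def compare(baseline, sector):
    """Return a list of differences between `baseline` and a fresh read of the MBR."""
    current = snapshot(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code replaced")
    for i, (old, new) in enumerate(zip(baseline["partitions"], current["partitions"])):
        if old != new:
            findings.append("partition entry %d changed: %r -> %r" % (i, old, new))
    active = [p for p in current["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    return findings


def build_mbr(boot_code, partitions):
    """Construct a sector; `partitions` is a list of (active, type, lba_start, sectors)."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if active else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
        for active, ptype, lba, count in partitions)
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\0")[:BOOT_CODE_SIZE]
    return code + table.ljust(64, b"\0") + b"\x55\xAA"


# Constructed scenarios (placeholder boot code, not a real loader).
_LOADER = b"\xFA\x33\xC0\x8E\xD0 original loader"
CLEAN = build_mbr(_LOADER, [(True, 0x07, 2048, 1_000_000)])
# the virus writes its own code in place of the MBR code, partition table untouched
CODE_REPLACED = build_mbr(b"\xEB\x1C virus stub", [(True, 0x07, 2048, 1_000_000)])
# the virus leaves the code alone but points the active entry at the sector holding its body
TABLE_REDIRECTED = build_mbr(_LOADER, [(True, 0x07, 63, 1_000_000)])

if __name__ == "__main__":
    base = snapshot(CLEAN)
    for label, sector in (("clean", CLEAN), ("code replaced", CODE_REPLACED),
                          ("table redirected", TABLE_REDIRECTED)):
        print(label, compare(base, sector) or "no change")
```

The sector has to come from somewhere the virus cannot intercept: a stealth boot virus that hooks INT 13h (as Kot.b below does) will hand back the relocated original sector when the infected system reads its own MBR, so take both the baseline and the later read from a clean boot medium or an offline disk image.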

Macro Viruses

The most widespread macro viruses are for Microsoft Office applications (Word, Excel
and PowerPoint), which store their data in the OLE2 (Object Linking and Embedding)
format. Viruses for other applications are relatively rare.

The actual location of a virus within an MS Office file depends on the file format, which in
the case of Microsoft products is extremely complex. Every Word document, Office 97
file or Excel table is composed of a sequence of data blocks (each of which has its own
format) which are linked by service data. Because of the complex format of Word, Excel
and Office 97 files, it is easiest to use a diagram to show the location of a macro virus in
such a file:

Uninfected document or table file:
  File header
  Service data (directories, FAT)
  Text
  Fonts
  Macros (if any)
  Other data

Infected document or table file:
  File header
  Service data (directories, FAT)
  Text
  Fonts
  Macros (if any)
  Virus macros
  Other data

When working with documents and tables, MS Office carries out a number of different
actions: the application opens the document, saves it, prints it, closes it etc. For each
of these, MS Word searches for and executes the appropriate built-in macro. For example,
the File/Save command calls the FileSave macro, the File/SaveAs command calls the
FileSaveAs macro, and so on, always assuming that such macros are defined.
There are also auto macros, which are called automatically in a range of situations. For
instance, when a document is opened, MS Word checks the document for the presence of
the AutoOpen macro. If the macro is found, Word executes it. When a document is closed,
Word executes the AutoClose macro; when Word is launched, the application executes the
AutoExec macro, etc. These macros run automatically, without any action from the user,
as do macros which are associated either with a particular key or with a specific time or
date.

As a rule, macro viruses which infect MS Office files use one of the techniques described
above: the virus either contains an auto macro, or redefines one of the standard system
macros (associated with a menu item), or its macro is called automatically by a certain
key stroke or key combination. Once the macro virus has gained control, it transfers its
code to other files, usually ones which are currently being edited. More rarely, the virus
searches disks for other files.
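The three trigger styles just listed are what a macro scanner looks for once the VBA source has been pulled out of the OLE2 streams. As an added example (not code from the original page), the Python below runs over VBA source text and reports auto macros and document event handlers, procedures that redefine built-in Word command macros, key and timer bindings, and the object calls a macro virus needs in order to copy itself into another file or template. The procedure and method names it matches are real Word/Excel VBA names; the lists are a starting set chosen for the demo, not an exhaustive one, and the sample module is constructed and inert.

```python
"""Spot auto-executing and self-replicating constructs in VBA source (added example)."""
import re

# Word auto macros and Excel Auto_* macros, matched by procedure name.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit",
               "auto_open", "auto_close"}
# Document/workbook event handlers that VBA runs without any user action.
EVENT_HANDLERS = {"document_open", "document_close", "document_new",
                  "workbook_open", "workbook_close", "workbook_activate",
                  "workbook_sheetactivate", "workbook_beforesave"}
# Built-in Word command names; a Sub with this name replaces the menu item.
COMMAND_MACROS = {"filesave", "filesaveas", "fileopen", "fileclose",
                  "fileprint", "fileexit", "toolsmacro"}
BINDINGS = [
    (re.compile(r"\bKeyBindings\.Add\b", re.I), "key binding (Word KeyBindings.Add)"),
    (re.compile(r"\bApplication\.OnKey\b", re.I), "key binding (Excel OnKey)"),
    (re.compile(r"\bApplication\.OnTime\b", re.I), "timer (Excel OnTime)"),
]
# Calls needed to read or write macro code in another project, or to turn off the warning.
REPLICATION = [
    (re.compile(r"\.VBComponents\b", re.I), "VBComponents"),
    (re.compile(r"\.CodeModule\b", re.I), "CodeModule"),
    (re.compile(r"\bNormalTemplate\b", re.I), "NormalTemplate"),
    (re.compile(r"\bOptions\.VirusProtection\b", re.I), "Options.VirusProtection"),
]
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)


def find_triggers(vba_source):
    """Return (line_no, kind, detail) tuples, one per suspicious construct found."""
    findings = []
    for n, line in enumerate(vba_source.splitlines(), 1):
        m = PROC_RE.match(line)
        if m:
            name = m.group(1)
            key = name.lower()
            if key in AUTO_MACROS:
                findings.append((n, "auto macro", name))
            elif key in EVENT_HANDLERS:
                findings.append((n, "event handler", name))
            elif key in COMMAND_MACROS:
                findings.append((n, "redefined built-in command", name))
        for rx, kind in BINDINGS:
            if rx.search(line):
                findings.append((n, "binding", kind))
        hits = [label for rx, label in REPLICATION if rx.search(line)]
        if hits:
            findings.append((n, "self-replication indicator", ", ".join(hits)))
    return findings


# Constructed sample module: shows each trigger style once; the body does nothing useful.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Call Spread
End Sub
Sub AutoClose()
    Spread
End Sub
Sub FileSaveAs()
    Spread
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub Spread()
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString "' body"
    KeyBindings.Add KeyCategory:=wdKeyCategoryCommand, Command:="Spread", KeyCode:=wdKeyF5
End Sub
Sub Helper()
End Sub
"""

if __name__ == "__main__":
    for line_no, kind, detail in find_triggers(SAMPLE_VBA):
        print("line %2d  %-28s %s" % (line_no, kind, detail))
```

A legitimate template can contain an AutoOpen or a Document_Open handler, so the useful signal is the combination: an automatic trigger together with a replication indicator in the same module is what distinguishes a macro virus from an ordinary automation macro.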

Script Viruses

Script viruses are a subset of file viruses, written in a variety of script languages (VBS,
JavaScript, BAT, PHP etc.). They either infect other scripts e.g. Windows or Linux
command and service files, or form a part of multi-component viruses. Script viruses are
able to infect other file formats, such as HTML, if the file format allows the execution of
scripts.

Executable File and Boot Viruses


1. BWME.GSD.1145
It is a harmless memory resident virus. It hooks INT 21h and infects EXE files that
are executed or opened. It was created with Biological Warfare Mutation Engine - it
is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to
the end of the files. It contains the text...

2. BWME.Gangi.1130
It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself
to the end of EXE files that are executed. The virus has a bug and can halt the
system. It was created with Biological Warfare Mutation Engine - it is a
polymorphic engine, like the MtE and TPE engines. This virus...

3. BWME.Test.1287
It is a harmless memory resident virus. It hooks INT 21h and infects COM and EXE
files that are executed or opened. It was created with Biological Warfare Mutation
Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes
itself to the end of the files. It contains the...

4. BWME.Twelve.1378
It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE
files and infects them. It was created with Biological Warfare Mutation Engine - it is
a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the
end of the files. It contains the text strings:...

5. Devices.2000
It is a harmless memory resident parasitic polymorphic virus. It writes itself to
beginning of SYS and to the end of EXE files. While executing an infected EXE file
the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers,
infects them and returns to the host program. While...

6. EICAR-Test-File
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a
virus, but is actually NOT "VIRAL" at all. When executed it just displays a message
and returns control to the host program. Why is this harmless file detected as a
virus? The file was created in order to demonstrate to...

7. Happy_II.506
It is a harmless nonmemory resident parasitic virus. It searches for COM files
(except COMMAND.COM), then writes itself to the end of the file. The virus does
not manifest itself in any way, it contains the text strings: *.com COMMAND.
HAPPY v1.03 (C) PROFESSOR,KPI

8. Joke.1068
This is not a dangerous nonmemory resident parasitic virus. It searches for .COM
files (except COMMAND.COM) of current directory and writes itself to the end of
the file. Sometimes it displays: At last ...... ALIVE !!!!! I guess your computer is
infected by the Big Joke Virus. Release 4/4-91 Lucky...

9. Kot.b
This is a dangerous memory resident boot virus. It hooks INT 13h, and writes itself
to the BOOT sectors of floppy disks and to the MBR sector of the hard drive. On the
15th day of each month, the virus stops booting in a computer. The virus contains
the text string: Kot

10. Lemena.3544
It is not a dangerous memory resident parasitic polymorphic virus. It copies itself to
the video memory at address BC00:0000, hooks INT 22h (Terminate call), returns
control to host program, waits for termination and hooks INT 21h. To hook INT 21h
the virus patches the DOS kernel. The virus then...


Macro Viruses
1. Macro.AmiPro.Green
This virus contains four macros (functions): Green_Stripe_Virus, Infect_File,
SaveFile, SaveAsFile. They receive the control when an infected document is
opened, then the virus searches for *.SAM files of the current directory and infects
them. While infecting a SAM file the virus creates an SMM...

2. Macro.Excel.Robocop
This is an Excel macro virus. It contains two modules COP and ROBO. Module
ROBO contains the auto-routine Auto_Open that is executed on opening an infected
file. That macro infects the PERSONAL.XLS file and assigns virus code as being
executed on activating a sheet (SheetActivate handler). As...

3. Macro.Excel97.Laroux
These are viruses converted to MS Excel 97 from their MS Excel prototypes; as a result
they have the same set of macros, functions, features and effects. See the description of
the Excel prototype.

4. Macro.PPoint.Attach
This is the first known macro virus infecting MS PowerPoint presentation files. As
well as other viruses infecting MS Office applications this is written in Visual Basic
for Applications (VBA) language, and for spreading it uses Basic instructions and
MS PowerPoint features. The virus contains...
5. Macro.PPoint.Kelly
This macro virus infects the MS PowerPoint presentations. The virus contains one
macro "Jd" in the "Kelly" module. The virus code is activated on the MouseOver
events on the infected form, it then runs its main routine and infects all forms in
opened presentations. While...

6. Macro.PPoint.ShapeMaster
This macro virus infects the MS PowerPoint presentations. The virus contains one
macro "actionhook" in the "ShapeMaster" module. The virus is activated on the
MouseClick on the infected form, it then runs its installation routine and infects the
PowerPoint installed on the...

7. Macro.PPoint.ShapeShift
This is the second known macro virus infecting MS PowerPoint presentations. It
contains five macros in one module "ShapeShift": actionhook, SlideIn, WackShape,
RandomWackSlide, WackPresentation. To activate its code on an event the virus
hooks MouseClick, which passes control to the virus...

8. Macro.Visio.Radiant
This is the first known macro-virus infecting Visio documents, stencils and
templates (Visio is the system to create, edit and store business drawing and
diagrams - see http://www.visio.com). To automate data processing, Visio uses
macro-programs written in VBA language (Visual Basic for...

9. Macro.Visio.Unstable
This is the second macro-virus that also has pretensions to be The Number One in
the "Macro.Visio" family. This virus is more complex than Macro.Visio.Radiant - it
uses encryption and special tricks to hide its body in infected files. The virus infects
Visio documents, and stencils and templates...

10. Macro.Word.Alex.a
This is an encrypted Chinese Word macro virus. It contains from three to five
macros depending on the virus version: autonew, autoopen, autoclose, toolsmacro. It
also contains an empty macro, ALEX. The virus replicates itself when documents are
created (autonew), opened (autoopen) or closed...



Script Viruses
Script viruses are a subset of file viruses, written in a variety of script languages (VBS,
JavaScript, BAT, PHP etc.). They either infect other scripts e.g. Windows or Linux
command and service files, or form a part of multi-component viruses. Script viruses are
able to infect other file formats, such as HTML, if the file format allows the execution of
scripts.

• Batch Files Viruses
• Windows Help Files Viruses
• JavaScript Viruses
• Inf Files Viruses
• PHP Hypertext Preprocessor Viruses
• Windows Script Viruses

Trojan Programs
Trojans can be classified according to the actions which they carry out on victim
machines.

• Backdoors
• General Trojans
• PSW Trojans
• Trojan Clickers
• Trojan Downloaders
• Trojan Droppers
• Trojan Proxies
• Trojan Spies
• Trojan Notifiers
• ArcBombs

Backdoors

Today backdoors are the most dangerous type of Trojans and the most widespread. These
Trojans are remote administration utilities that open infected machines to external control
via a LAN or the Internet. They function in the same way as legal remote administration
programs used by system administrators. This makes them difficult to detect.

The only difference between a legal administration tool and a backdoor is that backdoors
are installed and launched without the knowledge or consent of the user of the victim
machine. Once the backdoor is launched, it monitors the local system without the user's
knowledge; often the backdoor will not be visible in the log of active programs.

Once a remote administration utility has been successfully installed and launched, the
victim machine is wide open. Backdoor functions can include:

• Sending/receiving files
• Launching/deleting files
• Executing files
• Displaying notifications
• Deleting data
• Rebooting the machine

In other words, backdoors are used by virus writers to detect and download confidential
information, execute malicious code, destroy data, include the machine in bot networks
and so forth. In short, backdoors combine the functionality of most other types of Trojans
in one package.

Backdoors have one especially dangerous sub-class: variants that can propagate like
worms. The only difference is that worms are programmed to propagate constantly,
whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

General Trojans

This loose category includes a variety of Trojans that damage victim machines or
threaten data integrity, or impair the functioning of the victim machine.

Multi-purpose Trojans are also included in this group, as some virus writers create
multi-functional Trojans rather than Trojan packs.

PSW Trojans

This family of Trojans steals passwords, normally system passwords, from victim
machines. They search for system files which contain confidential information such as
passwords and Internet access telephone numbers and then send this information to an
email address coded into the body of the Trojan. It will then be retrieved by the 'master'
or user of the illegal program.

Some PSW Trojans steal other types of information such as:

• System details (memory, disk space, operating system details)
• Local email client
• IP address
• Registration details
• Passwords for on-line games

Trojan-AOL are PSW Trojans that steal passwords for AOL (America Online). They are
placed in a sub-group of their own because they are so numerous.

Trojan Clickers

This family of Trojans redirects victim machines to specified websites or other Internet
resources. Clickers either send the necessary commands to the browser or replace system
files where standard Internet URLs are stored (e.g. the 'hosts' file in MS Windows).

Clickers are used:

• To raise the hit-count of a specific site for advertising purposes
• To organize a DoS attack on a specified server or site
• To lead the victim to an infected resource where the machine will be attacked by
other malware (viruses or Trojans)
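As an added example (not from the original text), a short Python check in the defender's direction: it parses a hosts file and reports names that have been pointed at a routable address, which is what a clicker's hosts-file edit looks like. The trusted ranges and the sample hosts file are constructed for the demonstration.

```python
import ipaddress

# Networks that are expected in a hosts file besides loopback and unspecified:
# the private ranges an intranet commonly uses. Constructed policy for this
# example; adjust to the environment.
TRUSTED_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"))

# Constructed sample: the first entries are ordinary, the last two show the
# kind of lines a clicker leaves behind (addresses from RFC 5737 test ranges).
SAMPLE_HOSTS = """\
# static host table
127.0.0.1       localhost
::1             localhost
192.168.10.5    fileserver.corp.test
0.0.0.0         ads.example-tracker.test    # blackholing a name is benign
203.0.113.7     www.example-bank.test       # routable: name hijacked
198.51.100.23   update.example-av.test      # routable: name hijacked
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, one per name, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                     # malformed line, nothing to map
        for name in parts[1:]:
            yield parts[0], name


def suspicious_entries(text: str):
    """Return (address, name, reason) for entries that point a name somewhere routable.

    Loopback, unspecified (0.0.0.0 / ::) and the trusted private ranges are the
    only destinations a hosts file normally needs; anything else is reported.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparsable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(addr in net for net in TRUSTED_NETS):
            continue
        flagged.append((ip, name, "name mapped to a routable address"))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:32} -> {ip:16} {reason}")
```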

Trojan Downloaders

This family of Trojans downloads and installs new malware or adware on the victim
machine. The downloader then either launches the new malware or registers it to enable
autorun according to the local operating system requirements. All of this is done without
the knowledge or consent of the user.

The names and locations of malware to be downloaded are either coded into the Trojan or
downloaded from a specified website or other Internet location.

Trojan Droppers

These Trojans are used to install other malware on victim machines without the
knowledge of the user. Droppers install their payload either without displaying any
notification, or displaying a false message about an error in an archived file or in the
operating system. The new malware is dropped to a specified location on a local disk and
then launched.

Droppers are normally structured in the following way:

Main file - contains the dropper payload
File 1 - first payload
File 2 - second payload
... - as many files as the coder chooses to include

The dropper functionality contains code to install and execute all of the payload files.

In most cases, the payload contains other Trojans and at least one hoax: jokes, games,
graphics and so forth. The hoax is meant to distract the user or to prove that the activity
caused by the dropper is harmless, whereas it actually serves to mask the installation of
the dangerous payload.

Hackers using such programs achieve two objectives:

1. Hidden or masked installation of other Trojans or viruses
2. Tricking antivirus solutions which are unable to analyse all components

Trojan Proxies

These Trojans function as a proxy server and provide anonymous access to the Internet
from victim machines. Today these Trojans are very popular with spammers who always
need additional machines for mass mailings. Virus coders will often include Trojan
proxies in Trojan packs and sell networks of infected machines to spammers.

Trojan Spies

This family includes a variety of spy programs and key loggers, all of which track and
save user activity on the victim machine and then forward this information to the master.
Trojan-spies collect a range of information including:

• Keystrokes
• Screenshots
• Logs of active applications
• Other user actions

These Trojans are most often used to steal banking and other financial information to
support online fraud.

Trojan Notifiers

These Trojans inform the 'master' about an infected machine. Notifiers confirm that a
machine has been successfully infected, and send information about the IP address, open port
numbers, the email address etc. of the victim machine. This information may be sent by
email, to the master's website, or by ICQ.

Notifiers are usually included in a Trojan 'pack' and used only to inform the master that a
Trojan has been successfully installed on the victim machine.

ArcBombs

These Trojans are archived files coded to sabotage the de-compressor when it attempts to
open the infected archived file. The victim machine will slow or crash when the Trojan
bomb explodes, or the disk will be filled with nonsense data. ArcBombs are especially
dangerous for servers, particularly when incoming data is initially processed
automatically: in such cases, an ArcBomb can crash the server.

There are three types of ArcBombs: incorrect header in the archive, repeating data and a
series of identical files in the archive.

An incorrect archive header or corrupted data can both cause the de-compressor to crash
when opening and unpacking the infected archive.

A large file containing repeating data can be packed into a very small archive: 5
gigabytes will be 200 KB when packed using RAR and 480 KB in ZIP format.

Moreover, special technologies exist to pack an enormous number of identical files in one
archive without significantly affecting the size of the archive itself: for instance, it is
possible to pack 10100 identical files into a 30 KB RAR file or a 230 KB ZIP file.
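As an added example (not part of the original text), the following Python screens a ZIP for the three ArcBomb types described above before anything is extracted, and bounds the output of any extraction that does go ahead. The policy limits and the sample archives are constructed for the demonstration.

```python
import io
import zipfile

# Policy limits, constructed for this example; tune them to the service that
# receives the archives.
MAX_RATIO = 100.0                    # total uncompressed / total compressed
MAX_TOTAL_UNCOMPRESSED = 256 << 20   # 256 MiB of declared output, all members
MAX_ENTRIES = 1_000                  # guards the "thousands of identical files" case
CHUNK = 64 << 10                     # read size when inflating under a bound


def inspect_zip(data: bytes) -> dict:
    """Screen a ZIP from its central directory alone; nothing is extracted.

    Returns the verdict ('accept' or 'reject'), aggregate sizes, the
    compression ratio and the reasons for a rejection.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        # Type 1: a damaged or bogus header. Refuse it here instead of letting
        # a decompressor deep in the pipeline find out.
        return {"verdict": "reject", "entries": 0, "compressed": len(data),
                "uncompressed": 0, "ratio": 0.0,
                "reasons": [f"corrupt archive: {exc}"]}

    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    ratio = uncompressed / max(compressed, 1)
    reasons = []
    if len(infos) > MAX_ENTRIES:                      # type 3: identical files
        reasons.append(f"{len(infos)} entries exceed the limit of {MAX_ENTRIES}")
    if uncompressed > MAX_TOTAL_UNCOMPRESSED:
        reasons.append(f"declared output of {uncompressed} bytes exceeds the limit")
    if ratio > MAX_RATIO:                             # type 2: repeating data
        reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    return {"verdict": "reject" if reasons else "accept", "entries": len(infos),
            "compressed": compressed, "uncompressed": uncompressed,
            "ratio": ratio, "reasons": reasons}


def bounded_read(data: bytes, name: str, limit: int) -> bytes:
    """Inflate one member in chunks and abort as soon as the output passes `limit`.

    The central directory can lie about sizes, so the bound is enforced on the
    bytes actually produced rather than on the declared file_size.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(CHUNK)
            if not chunk:
                break
            out += chunk
            if len(out) > limit:
                raise ValueError(f"{name}: output exceeded {limit} bytes, aborted")
    return bytes(out)


def member_fits(data: bytes, name: str, limit: int) -> bool:
    """True if `name` inflates to at most `limit` bytes, False if the bound trips."""
    try:
        bounded_read(data, name, limit)
        return True
    except ValueError:
        return False


def build_sample_archive(payload: bytes, copies: int = 1) -> bytes:
    """Construct an in-memory ZIP holding `copies` identical members (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in range(copies):
            zf.writestr(f"file{n}.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Type 2: a single member of 16 MiB of zeros packs into a few tens of KB.
    bomb = build_sample_archive(b"\0" * (16 << 20))
    print(len(bomb), "bytes on disk ->", inspect_zip(bomb))
    # Type 3: more identical members than the policy allows.
    many = build_sample_archive(b"\0" * 1024, copies=MAX_ENTRIES + 1)
    print(inspect_zip(many)["reasons"])
    # Type 1: a bogus header.
    print(inspect_zip(b"PK\x03\x04 not really an archive")["reasons"])
    # Even if screening were bypassed, inflating the bomb stops at 1 MiB.
    print("fits in 1 MiB:", member_fits(bomb, "file0.bin", 1 << 20))
```

Python's zipfile stops at the declared member size, but other decompressors do not necessarily, which is why the bound in bounded_read counts bytes actually produced.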

Backdoors
1. Backdoor.Agobot.gen
This is a classical backdoor and allows a 'master' to control the victim machine
remotely by sending commands via IRC channels. Installation: Agobot copies itself
into the Windows directory under random names and then registers itself in the
system registry auto-run keys:...

2. Backdoor.Netbus
This is a hidden (hacker's) remote administration utility similar to the known
Backdoor.BO (a.k.a. Back Orifice) Trojan. It allows an attacker to administer infected
computers from a remote console, to steal files, to damage installed software etc.
See Backdoor.BO Trojan.

3. Backdoor.Rbot.gen
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user
remote access to victim machines. The Trojans are controlled via IRC, and have the
following functions: monitor networks for interesting data packets (i.e. those
containing passwords to FTP servers, and e-payment...

4. Backdoor.SdBot.gen
This is a family of backdoor malicious programs, which provide the user with
remote control over victim machines. This is achieved by sending commands via
IRC channels. Installation: Depending upon the program version, the backdoor
copies itself either to the Windows System directory or to...

5. Backdoor.Throd.a
Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server.
Throd is written in Delphi for Windows, is about 23 KB in size (about 80 KB
unpacked) and comes packed by UPX. Installation: The Trojan copies itself to the
Windows system folder under a randomly combined...

6. Backdoor.Win32.BO.a
This Trojan (also known as Back Orifice Trojan) is a network-administration utility
that allows computers on the network to be controlled. "'Back Orifice' is a
remote administration system, which allows a user to control a computer across a
tcpip connection using a simple console or gui...

7. Backdoor.Win32.Afcore.q
Afcore is a backdoor Trojan program that appears as a Windows application file (.dll
file) with a size of about 110KB. The Trojan has numerous functions that give
'evildoers' almost full control of victim computers. Infected message body text
contains the following: If you read this, then this...

8. Backdoor.Win32.Agent.jm
This program has remote administration functionality. It is a Windows PE EXE file,
approximately 47KB in size, packed using MEW. The unpacked file is
approximately 303KB in size. Installation: Once launched, the Trojan registers itself
in the system registry:...

9. Backdoor.Win32.Agent.b
Agent.b is a classic Trojan backdoor that opens the infected machine to remote
access. This backdoor is a Windows PE exe file written in Visual C. Agent.b is
packed with two packers: Morphine and UPX. The packed file size is 38 KB and
unpacked - 104 KB. Agent.b is controlled over IRC channels....

10. Backdoor.Win32.Agobot.a
Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the
author/user with remote access to the victim machine. It is managed via IRC. It has
a wide range of functionality: it will not work with a debugger running or under
VMware; it can run both as a standard application and...


General Trojans
1. Trojan-AOL.Win32.Buddy.a
This text was written by Alexey Podrezov, Data Fellows Ltd. The
"Trojan.Aol.Buddy" (also known as "PennyTools Trojan") is an AOL password
stealing Trojan. Two versions are currently known (by May 1999). This Trojan uses
a tricky way of installing itself to the system. It uses 5 different ways at the same...

2. Trojan-Spy.Win32.WMPatch
Trojan.WebMoney.Wmpatch is a Trojan program consisting of two executable
Win32 PE files: DBOLE.EXE and SICKBOY.EXE. These files are downloaded by
the Trojan program TrojanDownloader.Win32.Small.n. A mass mailing of this Trojan
program was detected on March 5th, 2003. Message text appears as follows:...

3. Trojan.BAT.Hally
This primitive Trojan is written in BAT and is about 983 bytes in size. When
launched, it copies itself to the C:\ root directory as hally.bat. Due to errors, the rest
of the code is not executed.

4. Trojan.BAT.KeyboardDisable.f
KeyboardDisable.f is a primitive BAT-Trojan written in the DOS command
language. When it is launched it blocks the functioning of the keyboard and mouse.
The program copies itself under the names: C:/MyDocu`1\Autoexec.bat
C:/Windows\StartM`\Programs\Startup\Autoexec.bat It also creates...

5. Trojan.BAT.KillAll.p
This is a primitive and extremely dangerous Trojan program written as a BAT file. It
contains the compressed files BAT2EXE and COM2EXE. Compressed, the file is
2363 bytes, and uncompressed 507. It deletes all files on disks C: - Z:

6. Trojan.BAT.Looper.af
This primitive Trojan is written in BAT and is 1964 bytes in size. When launched,
the Trojan checks for a file named cargo68.dll. If no such file is found, then the
Trojan copies itself under this name. It creates a file called altec.bat, which will add
the Trojan to ZIP archives and delete .doc...

7. Trojan.BAT.MkDirs.z
This primitive Trojan is written in BAT and is 317 bytes in size. When launched, the
virus deletes all the files from the C:\windows\ directory. It creates directories named
"1", "2", "3", "4" etc. up to "18" in the current directory. While deleting files it
displays the following text: You are...

8. Trojan.BAT.NoFPU
This is a primitive Trojan, written in DOS command language (i.e. the Trojan is a
BAT file). It disables the mathematical coprocessor. As a result the computer
starts to run extremely slowly. Windows 95 may lose functionality due to the action
of the Trojan. The Trojan adds a sector called...

9. Trojan.BAT.Simpsons
This is a silly BAT Trojan that affects all files on C:, A:, B: and D: drives (exactly in
that sequence). To delete the files, the Trojan uses a "DELTREE /Y" DOS
command. The Trojan then also deletes SIMPSONS.* on the same drives (but there
are no files on drives after DELTREE command). The...

10. Trojan.BAT.VSX
This primitive Trojan is written in BAT and is 1471 bytes in size. It creates a
directory named VSX\Infected in the C:\ root directory. It then moves files with the
extensions .BAT, .VBS, .DLL, .SYS, .OCX, and .MOD from the C:\ root directory
to this directory. After moving the files, the virus...


Password-stealing Trojans
1. Trojan-IM.Win32.Faker.a
Programs in this family steal MSN Messenger passwords with the help of a fake
dialogue box, where the MSN password should be entered. This box is identical to
the MSN Messenger dialogue box. The Trojan may give a false notification that the
connection with MSN has been broken and that it will be...

2. Trojan-PSW.Win32.M2.14.a
This family of Trojan horses is capable of stealing various passwords. Trojans have
a program "configurer" (configuration component) that allows malefactors
controlling these viruses to adjust server components as they desire. All trojans work
the same way - after OS re-start they copy...

3. Trojan-PSW.Win32.Antigen.a
This Trojan utility scans the system data files for Internet access passwords, decrypts
them and sends them to a specified e-mail address. It also scans the system for more
private information: telephone numbers, computer name etc. This utility was named
ANTIGEN.EXE, and sent as a fake anti-virus scanner...

4. Trojan-PSW.Win32.CrazyBilets
This program belongs to the family of password stealing Trojans. It was spread from
a public access Web page on the narod.ru server at the beginning of June 2002. The
web page contained the following: Intermediate Examinations Test papers for
mathematics and topics for compositions. Still...

5. Trojan-PSW.Win32.GOPtrojan
This program belongs to the family of password stealing Trojans. This Trojan seems
to be written in Chinese and is designed to steal OICQ (a Chinese clone of ICQ?)
passwords. When run, the Trojan installs itself to the system. While installing, the
Trojan copies itself to Windows, the Windows...

6. Trojan-PSW.Win32.Gip.107
This program belongs to the family of password-stealing Trojans. When run, the
Trojan installs itself to the system, and while installing, copies itself to Windows,
Windows system, Windows temporary, or Windows\RECYCLED directory and
registers itself in the system registry auto-run section. For...

7. Trojan-PSW.Win32.Hooker
This program belongs to the family of password-stealing Trojans. When activated,
the Trojan installs itself to the system. While installing, the Trojan copies itself to
the Windows or Windows system directory and registers itself in the system registry
auto-run section. For example: Trojan full...

8. Trojan-PSW.Win32.LdPinch.a
This family of Trojans steals user passwords. When launched, the Trojan writes the
following value to the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
putil = %windir%\%file name%
This ensures that the Trojan will be run every time the system is...

9. Trojan-PSW.Win32.Lmir.gen
This family of Trojans steals passwords to the online game Legend of Mir. As a
rule, programs belonging to this family are written in high-level programming
languages such as Delphi, Visual C/C++ and Visual Basic. File sizes vary, and the
programs utilize a range of methods to install themselves to...

10. Trojan-PSW.Win32.Logmod.a
The Logmod program belongs to the family of password stealing trojans. Logmod
steals the following information: Windows version, Explorer version, phone book
entries, service provider information, RAS data, modem log, etc. When run the
trojan installs itself into the system. While installing...


Trojan Clickers
1. Trojan-Clicker.Win32.Agent.bm
This is a primitive Win32 Trojan. It is written in C, and packed using UPX. The
packed file is approximately 14KB in size, and the unpacked file is approximately
54KB in size. Once launched, the Trojan remains dormant for approximately 7
minutes. This is done on purpose, to attempt to hide its...

2. Trojan-Clicker.Win32.Lopin
This TrojanClicker is written in Cbuilder. Installation: When installed, the Trojan
copies itself to the Windows system directory as rundll32.exe and registers this file in
the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ControlPanel]
Payload: The Trojan changes the file...

3. Trojan-Clicker.Win32.NetBuie.a
NetBuie is a trojan horse that carries out periodic "clicks" or "hits" on banners held by
the person or persons who created this virus; the purpose rating (value). The virus is a
self-extracting ZIP-archive containing two EXE-files. Both files are written in Visual
Basic 6.0 and is being distributed...

4. Trojan-Clicker.Win32.NetBuie.b
NetBuie is a trojan horse that carries out periodic "clicks" or "hits" on banners held by
the person or persons who created this virus; the purpose rating (value). The virus is a
self-extracting ZIP-archive containing two EXE-files. Both files are written in Visual
Basic 6.0 and is being distributed...

5. Trojan-Clicker.Win32.Qhost.a
TrojanClicker.Win32.Qhost is a family of Trojan horses that primarily replace or alter
the HOSTS file in which corresponding IP addresses and names of remote computers
are held. Usually this leads to an increase in incoming traffic to the sites. To
accomplish this a rule is used for expanding file...

Trojan Downloaders
1. Trojan-Downloader.JS.Miner
This Trojan downloads other malicious programs to the victim machine. It is written
in JavaScript, and is between 1 - 3KB in size. The program code may be encoded
using Jscript.Encode. Payload: The Trojan downloads and launches other Trojans on
the victim machine without the user's knowledge or...

2. Trojan-Downloader.VBS.Psyme.ap
This Trojan downloader exploits a vulnerability in Internet Explorer to launch other
Trojan programs on the victim machine. The program is designed as an HTML
page; when it is viewed, Visual Basic Script malicious code, approximately 3KB in
size, will be executed. The Trojan then copies itself to...

3. Trojan-Downloader.Win32.Agent.bq
This Trojan program is a Windows PE EXE file, 10 KB or greater in size. The
Trojan is capable of downloading and launching files from the Internet on the victim
machine. It also downloads a program from the AdWare class to the victim machine;
this program then directs the Internet browser on the...

4. Trojan-Downloader.Win32.Apher.a
Apher is a malicious program in the wild that spreads as an attachment to spoofed e-mails
using a legitimate Microsoft address. The email text is disguised as a Kaspersky
Labs anti-virus software update. Below is a screen shot of a spoofed e-mail message
infected with Apher:

5. Trojan-Downloader.Win32.BMPAgent.a
Also known as TrojanDownloader.BMP.Agent.a. This TrojanDownloader exploits a
vulnerability in MS Windows that is triggered when viewing BMP files. To date Agent
only affects Russian versions of MS Windows 2000. Agent may cause email clients
to close on other versions of Windows or in other...

6. Trojan-Downloader.Win32.CWS.gen
This is a generic detection, which detects a family of Trojan programs which will
download other malicious software from the Internet to the victim machine.
Programs in this family are usually written in Delphi, and packed using PECompact.
The file is often called web.exe, and a packed file will...

7. Trojan-Downloader.Win32.Dler.11.a
When run, the Trojan installs itself to the system. While installing, the program
downloads Trojans from a remote hacker's site and runs them. Optionally, it can
install downloaded Trojans in the Windows registry to start automatically. The
installed Trojan file name, the target directory and...

8. Trojan-Downloader.Win32.Dyfuca.a
This family of Trojans is designed to download a variety of adware and spyware to
victim machines. It spreads via the Internet as the Internet Optimizer utility; there are
several modified versions: InternetOptimizer/Iopti: unknown-server errors, page-
missing errors, server errors and even...

9. Trojan-Downloader.Win32.Dyfuca.du
This Trojan program is written in Visual C++ and packed using UPX. The packed
file is 52104 bytes in size. Installation: The program copies itself to Program
Files\Internet Optimizer. Before installing itself, it will display a license agreement
window. Payload: The Trojan will send details of...

10. Trojan-Downloader.Win32.Greetyah.a
Greetyah downloads a file from the internet and sets an auto-run key in the system
registry in order to establish automatic starts. A mass mailing of this trojan program
was detected on March 17th, 2003. Message text appears as follows: Date: Mon, 17
Mar 2003 14:57:57 From:...


Trojan Droppers
1. Trojan-Dropper.Win32.Agent.ed
This is a primitive Win32 Trojan. It is written in C, and packed using PecBundle and
PECompact. The packed file is approximately 48KB in size, and the unpacked file is
approximately 114KB in size. It creates a synchronization object named
"BaloonMutex". This checks the system for active copies of...

2. Trojan-Dropper.Win32.Checkin
Checkin is a "downloader" Trojan that downloads a given file from a certain site and
runs it. The Trojan itself is a Windows PE EXE file, written in MS Visual C++. The
Trojan files have the following approximate sizes: "Checkin.a": 50Kb,
"Checkin.b": 45Kb. The Trojan EXE file does not...

3. Trojan-Dropper.Win32.ExeBundle
This program is an "improved" version of TrojanDropper.Win32.ExeStealth. In
addition to the "ExeStealth" functionality it is able to carry and drop files with the following filename
extensions: COM, BAT, CMD, VBS.

4. Trojan-Dropper.Win32.ExeStealth.20
This program is not a "Trojan program" itself, but it is designed to hide other EXE
files inside itself and to install these EXE files on other machines in silent mode, i.e. this
program was designed to hide, deploy and install unrequested EXE files on victim
machines. So, it is a usual...

5. Trojan-Dropper.Win32.Small.kv
This primitive Trojan is written in Assembler and is packed using FSG. The packed
file is approximately 6KB in size, and the unpacked file is approximately 60KB in
size. When launching, it saves a file named eplrr9.dll (which contains
Trojan.Win32.StartPage.nu) to the %System% directory. It then...

6. Trojan-Dropper.Win32.Small.ff
This Trojan installs and executes a Trojan downloader program. It is written in Visual
C++ and packed using UPX. The size of the packed file is 55296 bytes, and the size
of the unpacked file is 108544 bytes. When launched, this Trojan creates and then
executes a file named hrlypn35.dll in the...

7. TrojanDropper.VBS.Zerolin
Programs which belong to this Trojan family are written in Visual Basic Script. They
are coded to install a range of viruses on victim machines. Malicious programs
installed by versions of TrojanDropper.VBS.Zerolin range from primitive key
logging programs to multi-functional backdoors and worms.

Trojan Proxy Servers
1. Trojan-Proxy.Win32.Bobax.a
This Trojan program makes it possible for the infected machine to be used as a proxy server.
Bobax uses a vulnerability in Microsoft LSASS to propagate on command. The Trojan is
written in Microsoft Visual C++, and the body is encrypted. It runs under Windows, and is
20480 bytes in...

2. Trojan-Proxy.Win32.Mitglieder.a
This Trojan program enables the attacker to use the infected computer as a mail proxy server. It
runs under Windows, and is approximately 9KB, compressed using UPX. The decompressed
file is approximately 35KB. Installation: When launched, the Trojan copies itself to the
Windows system directory...

3. Trojan-Proxy.Win32.Mitglieder.s
This Trojan program makes it possible to use the victim machine as a mail proxy server. It runs
under Windows, and is approximately 19KB in size. It uses I.Worm.Bagle.l to install itself on
the system. The Trojan is not able to launch itself, but uses the Bagle.l library to do this. It
attempts to...

4. Trojan-Proxy.Win32.Webber.a
Webber (aka Heloc) is a Win32 trojan program that installs a hidden proxy server on victim
machines (with up to 100 connections), reports IP addresses and cached passwords of victim
machines to its 'master'. The trojan also downloads (from a URL) and executes other EXE files
such as its...

5. TrojanProxy.Win32.Webber.h
This Trojan runs under Windows. It creates a hidden proxy server (allowing up to 100
connections) and then sends the IP address of the victim machine and cached passwords to its
creator. It also downloads additional .exe files from a web site, and updates itself by executing
these files on the...

Trojan Spies
1. Trojan-PSW.Win32.Lineage.by
This program is written in Delphi, and not packed at all. It is a DLL file approximately 120KB
in size. It is unable to auto-install, and therefore requires a special installation program. It
functions as a key logger. It will search the victim machine either for a window titled 'Lineage
Windows...

2. Trojan-Spy.HTML.Bankfraud.w
This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is made
for stealing information about clients of Washington Mutual Bank. It is sent as an important
message by Washington Mutual Bank: Dear Washington Mutual customer, Due to concerns for
the safety and integrity...

3. Trojan-Spy.HTML.Bankfraud.dq
This Trojan is an email designed as a phishing attack, which steals confidential information
from Regions Bank customers. The email appears to be an important communication from the
bank. It contains a graphic which shows the message text, and what appears to be a clickable
link. When the user...

4. Trojan-Spy.HTML.Citifraud.a
This is a Trojan program made as a fake HTML page. It is made for stealing information about
clients of Citybank. It was sent as an important message by Citybank. The clients were told that
they had to submit their client information: Dear Citibank Account Holder, On January 10th
2004 Citibank had to...

5. Trojan-Spy.HTML.Fraud.gen
This family of Trojans utilises spoofing technology. The Trojans themselves are contained in
fake HTML pages. Messages, purportedly from banks, financial institutions, internet stores,
software companies etc. are sent to users. These messages contain a link to the fake page; this
link exploits the...

6. Trojan-Spy.HTML.Smitfraud.c
This Trojan program utilizes spoofing technology. The Trojan is represented by a fake HTML
page. It is used for stealing confidential information about clients of Smith Barney financial
company (www.smithbarney.com). It is sent by email as an important message from Smith
Barney company with the...

7. Trojan-Spy.HTML.Smitfraud.a
This Trojan program utilizes spoofing technology. The Trojan is represented by a fake HTML
page. It is used for stealing confidential information about clients of Smith Barney financial
company (www.smithbarney.com). It is sent by email as an important message from Smith
Barney company with the...

8. Trojan-Spy.Linux.Logftp
This Trojan is a standard Berkeley ftp client compiled on Mandrake Linux 9.1, with a twist: it
logs all hosts, usernames and passwords used to connect to ftp sites to a file named /tmp/.tmp,
in the following format: Host: %ftp name% Login: %login% Pass: %password% Different
connection logins are...

9. Trojan-Spy.Win32.Banker.u
This Trojan spy program is designed to steal confidential financial information. It also has a
backdoor function. The Trojan itself is a Windows PE EXE file approximately 10KB in size,
packed using UPX. The unpacked file is approximately 75KB in size. When installing itself to
the system, the...

10. Trojan-Spy.Win32.GreenScreen.099
This is a spy Trojan that installs itself to the system, hides itself and then captures screen images
and saves them to disk files in encrypted form. Thus it allows a hacker to watch screen
images. The Trojan itself is a Windows PE EXE file, compressed by AsPack, written in Delphi.
The Trojan size...


Other Malware
Other malware includes a range of programs that do not threaten computers directly, but
are used to create viruses or Trojans, or used to carry out illegal activities such as DoS
attacks and breaking into other computers.

• DoS and DDoS Tools
• Hacker Tools and Exploits
• Flooders
• Constructors and VirTools
• FileCryptors and PolyCryptors
• PolyEngines
• Nukers

DoS and DDoS Tools

These programs attack web servers by sending numerous requests to the specified server,
often causing it to crash under an excessive volume of requests. If the server is not
backed by additional resources, it will signal the failure to process requests by denying
service. This is why such attacks are called Denial of Service attacks.

DoS programs conduct such attacks from a single computer with the consent of the user.
Distributed Denial of Service (DDoS) attacks use a large number of infected machines
without the knowledge or consent of their owners. DDoS programs can be downloaded
onto victim machines by various methods. They then launch an attack either based on a
date included in the code or when the 'owner' issues a command to launch the attack.

Worms can carry a DoS procedure as part of their payload. For instance, on August 20,
2001, the CodeRed worm launched a successful attack on the official web site of the
President of the USA (www.whitehouse.gov). Mydoom.a contained DDoS code directed
against SCO's corporate site. The company, a Unix developer, closed the site on February
1, 2004, shortly after the beginning of the DDoS attack and moved it to a different URL.

Hacker Tools and Exploits

These utilities are designed to penetrate remote computers in order to use them as
zombies (by using backdoors) or to download other malicious programs to victim
machines.
Exploits use vulnerabilities in operating systems and applications to achieve the same
result.

Flooders

These utilities are used to flood data channels with useless packets and emails.

Constructors and VirTools

Virus writers use constructor utilities to create new malicious programs and Trojans. It is
known that constructors to create macro-viruses and viruses for Windows are in
existence. Constructors can be used to generate virus source code, object modules and
infected files.

Some constructors come with a user interface where the virus type, objects to attack,
encryption options, protection against debuggers and disassemblers, text strings,
multimedia effects etc. can be chosen from a menu. Less complex constructors have no
interface, and read information about the type of virus to be built from the configuration
file.

VirTools are all utilities created to simplify virus writing. They can also be used to
analyze viruses to see how they can be used in hacking attacks.

FileCryptors and PolyCryptors

These are hacker utilities used by virus writers to encrypt malicious programs to
prevent them being detected by antivirus software.

PolyEngines

Polymorphic generators are not viruses in the true sense of the word. They do not
propagate by opening, closing or writing code into files or reading and writing sectors.
These programs encrypt the body of the virus and generate a decryption routine.

Virus writers usually spread polymorphic generators as archived files. The main file in a
generator archive is the object module which contains the actual generator. This module
always contains an external function that calls the generator.

Nukers

Hackers use these utilities to crash attacked machines by sending specially coded/phrased
requests. These requests exploit vulnerabilities in applications and operating systems to
cause fatal errors.

Denial-of-Service Attack Tools
1. DoS.Win32.DieWar
This program is a realized DoS attack on one of the more popular ftp-servers for
Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server
resulting in a denial of service. This program can also disturb the operation of other
ftp servers on a Unix system - wu-ftpd, proftpd,...

Hacker Tools and Exploits

1. Exploit.CodeBaseExec
The suspicious message "Exploit.CodeBaseExec" means that the HTML page being
scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program
Execution Vulnerability, aka the Local Executable Invocation via Object tag
vulnerability. Microsoft Internet Explorer 5.01, 5.5 and 6.0 treat...

2. Exploit.HTML.DialogArg
This file has been detected because it contains an instruction which attempts to
download and install a malicious program on your computer by using a security
breach in Internet Explorer.

3. Exploit.HTML.Mht
This file has been detected because it contains an instruction which attempts to
download and install a malicious program on your computer by using a security
breach in Internet Explorer.

4. Exploit.HTML.Objdata
ObjData is an exploit often seen in spam mailings. ObjData attempts to use the
Object Type Vulnerability and two vulnerabilities that could allow an attacker to
cause arbitrary code to run on the user's system in MS Windows described in the
following Security Bulletins: Microsoft Security...

5. Exploit.IFrame.FileDownload
Exploit takes advantage of a security breach in MS Internet Explorer 5.01, 5.5 and
Outlook. Some Internet worms use this breach to activate themselves from HTML e-
mail messages. Examples of such worms are: Aliz, BadtransII, Nimda, and Toil.
This vulnerability allows for the opening or previewing...

6. Exploit.IIS.Beavuh
Beavuh is a malware exploit of the so-called MS IIS ".printer" vulnerability, which
is described by Microsoft in the "Security Bulletin MS01-23", released May 1, 2001.
The MS01-23 Security Bulletin can be viewed at the following location:...

7. Exploit.JS.ActiveXComponent
This is an MS Internet Explorer and Outlook security breach
(com.ms.activeX.ActiveXComponent security vulnerability). The security flaw
allows remote scripts and HTML pages to access any ActiveX control installed on
a victim's computer. The remote script can gain full control over a victim's...

8. Exploit.Linux.Lacksand
This exploit is written in C, and is approximately 16KB in size. It uses a loophole
present in NIPrint LPD-LPR Print Server versions 4.10 and lower.

9. Exploit.Linux.SSHD22.a
Under the SSHD22 name KAV detects a couple of tools widely used on the Internet
by hackers to compromise systems vulnerable to the security flaw known as the
"SSH CRC-32 compensation attack". Initially reported in October 2001, (for details
you may check the CERT advisory 2001-35, at: http:...

10. Exploit.Win32.MS04-028.gen
Kaspersky Lab provides a generic detection for JPEG files that contain an exploit
for the MS04-028 vulnerability (also known as the buffer overrun in JPEG
processing (GDI+) could allow code execution). JPEG files affected by this
vulnerability could contain executable code which is executed...


Flooders
1. Email-Flooder.Win32.FriendGreetings
Advert.FriendGreetings is an electronic post card program that once installed, unlike
other similar programs, sends out emails to all addresses found in a victim computer's
Microsoft address book. This obnoxious feature has led some anti-virus companies
to classify this program as a "worm". If a...

2. Flooder.Win32.Fuxx
This program floods cellular phones with SMS messages. In order to send
SMS, the program uses the following gateways: www.free-sms.com, sms-link.btn.de,
www.nm-info.de, www.pcteam.de, www.mobidig.net, www.lycos.de

Virus Construction Tools

1. Constructor.DOS.G2
G2 ('the second Generation in Virus Creation') is a virus creator. It produces viral
assembler source of different virus types. The characteristics of the G2-based virus
are selected by editing a configuration file. There are several options: infect COM,
EXE or both; resident or nonmemory resident;...

2. Constructor.DOS.BWG
Constructor creates batch payload programs. It is written in Basic for DOS. It
creates payload programs of the following types: internet worms, mIRC worms, pIRC
worms, installing to the win.ini, installing to the system registry startup key, installing
to the startup directory, deletes antivirus...

3. Constructor.DOS.Dreg
DREG (Digital Hackers' Alliance Randomized Encryption Generator) is a virus
constructor. It creates virus source codes (ASM files), then runs TASM and TLINK
to compile these source to executable files. DREG creates nonmemory resident
encrypted COM viruses. They search for COM files in the...

4. Constructor.DOS.IVP_10
IVP ('INSTANT VIRUS PRODUCTION KIT') is a virus creation kit. It produces
viral assembler source of different virus types. The characteristics of the IVP-based
viruses are selected by editing a configuration file. There are several options: infect
COM, EXE or both; encrypted or not; INT 24h hooking...

5. Constructor.DOS.NRLG
NRLG (NuKE Randomic Life Generator) constructor creates encrypted memory
resident COM/EXE DOS viruses. While creating a virus, the user may select the
en/decryption code - the virus generates random selected codes and displays them on
the screen.

6. Constructor.DOS.PS-MPC
PS-MPC (The Phalcon/Skism Mass-Produced Code Generator) is the second most
known virus constructor, after VCL. The features of that constructor are described in
the documentation that is distributed in the main PS-MPC package: The
Phalcon/Skism Mass-Produced Code Generator is a tool, which...

7. Constructor.DOS.VCL
The virus constructor utility VCL.EXE (Virus Creation Laboratory) seems to be the
most well-known virus creation tool. This constructor can generate source assembler
files of the viruses, OBJ modules and infected master files. VCL contains the
standard pop-up menu interface. By using VCL menus, it...

8. Constructor.MSWord.Cvck
This is a CVCK-based virus. It contains 11 macros: AutoExec, AutoOpen, Action,
Action2, stdClose, HelpAbout, Organizer, ActionDate, ToolsMacro ( Ñ+ ),
FileTemplates, and ToolsCustomize. It infects the global macros area upon the
opening of an infected document, and is written to documents upon...

9. Constructor.MSWord.DW97Mvck
This is a macro Word97 virus construction tool. The constructor itself is a Word97
document that contains seventeen modules: DW97MVCK, frmStartForm,
frmVirusSourceName, frmVirusBody, frmStealth, frmRetro, frmPolymorphic,
frmPayload, frmPayloadMessageBox, frmPayloadSetPassword, frmPayloadBeep,...

10. Constructor.MSWord.NTVCK
This is a Word2000 macro-virus construction tool. The constructor itself is a
Word2000 document that contains 14 modules: NTVCK, frmPlugin, Main,
frmSecret, frmcontact, frminfection, KillAV, frmPayload, frmStart, frmGreetz,
frmAuthor, Ende, frmname, and boom. When run, the constructor displays a...

Malware-Related Programs
This is a tricky category, since it includes any legal software that hackers use to penetrate
computers. There is no predicting what software might fall into this group, as it depends
on the inventiveness of the computer underground. Once software has been identified as
usable by hackers, they can download it without the knowledge or consent of a user to a
victim machine and control it without triggering antivirus solutions or other security
software. If legal software is used skillfully for illegal means, it can be extremely difficult
to detect.

• Dialers
• Downloaders
• FTP Servers
• Proxy Servers
• Telnet Servers
• Web Servers
• IRC Clients
• Monitor
• PSWTool
• RemoteAdmin
• Tools
• Crackers
• Bad Jokes and Hoaxes

Dialers

These programs do not harm the machine they are installed on. However, there can be
serious financial consequences if such programs are not detected and deleted. Website
owners use such programs to cause infected machines to call pay-to-view sites. More
often than not these are pornographic sites. Although the computer itself is undamaged, a
large phone bill makes these programs extremely unwelcome to computer and network
owners.

Dialers come in two varieties: Trojan dialers and dangerous dialers. Trojan dialers are
installed without the knowledge or consent of the user and dial pay-to-view sites
automatically. Dangerous dialers, on the other hand, inform the user of what calls are
being made, and how much the calls will cost. Such dialers can be deinstalled using
standard procedures. This second group could be classified as malicious, since the initial
installation occurs without the consent of the user, but they offer the user a chance to
decide what action to take.

Downloaders

Even legal downloading utilities can be dangerous, since they are usually programmed to
run in the background, without direct intervention from the user. It is easy for a
hacker to substitute links to infected resources for safe download sites, leading to
malware being downloaded to the victim machine without the user's knowledge.

FTP Servers

These are utilities which can be used to gain remote access to files. Once installed on a
system by a hacker, it is possible for remote users to download any files from the victim
machine, and also track activity on the infected computer.

Proxy Servers

These utilities were originally developed to secure internal networks by separating
internal addresses from external users. However, hackers use them to connect
anonymously to the Internet: the address of the proxy-server will be substituted for the
hacker's real address.

Telnet Servers

These utilities were developed to provide remote access to resources on other machines.
Hackers use them to gain full access to victim machines.

Web Servers

Web servers are utilities providing access to Web pages which are located in a defined
area of the file system. They are used by hackers to gain full access to the victim machine
file system.

IRC Clients

These utilities provide access to IRC channels. Many IRC clients, especially mIRC,
incorporate powerful script languages which automate the IRC client. This functionality
can be exploited to write Trojans and IRC worms. When installing a Trojan IRC program
on a victim machine, hackers will often surreptitiously install an IRC client as well.

Monitor

These are legal utilities which monitor computer and user activity. Commercial versions
of such utilities exist. Normally information on activity is saved to disk or sent to a
specified email address. Monitoring programs differ from Trojan spy programs only in
that they do not mask their presence in the system, and it is possible to deinstall them.

PSWTool

Such utilities restore lost passwords. They normally display information about the
password on screen or save it to disk. When used in a hacker attack, this information will
be sent to the remote attacker.

RemoteAdmin

These remote administration tools provide hackers full control over the victim machine.

Tools

This category includes other free and commercial programs which are frequently used for
malicious purposes.

Crackers

These programs are not viruses or Trojans, but hackers' programs for cracking different kinds
of software. Usually they are harmless to the installed software and just remove copy and/or
key protection from the protected programs.

Bad Jokes and Hoaxes

This group includes programs that do not cause any direct damage to the infected
machine. However, they launch fake warnings about purported damage that has or will be
done. These can be messages warning users that drives have been reformatted, that a
virus has been found, or symptoms of infection have been detected. The possibilities are
limited only by the so-called sense of humor of the virus writer responsible for a
program.

Not-A-Viruses
1. not-a-virus:AdWare.Cydoor
The program normally contains the following files: cd_clint.dll, cd_load.exe,
cd_htm.dll, cd_swf.dll, iMesh.ex. The cd_clint.dll file provides the main functionality.
The program is capable of working with P2P networks such as Kazaa and Imesh. The
program creates the following registry keys:...

2. not-a-virus:AdWare.WildTangent.a
This program is effectively harmless. However, it can be installed on the victim
machine without the user's knowledge or consent. The program is a DLL file
approximately 280KB in size, written in Visual C++. No packer is used. The file is
often called wtkernel0100.dll The program is a web driver...

3. not-a-virus:JavaClass.Port25
This JavaClass.Port25 applet contains the "paint" function. This function is named
after the HTML file with the same name. When started, it creates a new socket for
the host www.netscape.com:25. If the connection is successful the function will
display the following message: Success connecting to...

4. not-a-virus:Tool.Win32.AIDA.3862
This program will harvest information about the infected computer, including all
system components. It incorporates tests which can be used to check system
performance and functionality. It may send this data to another computer, and it's
possible that this information may be used to semi-automate a...

5. not-a-virus:Tool.Win32.Reboot
This program is detected by Kaspersky Anti-Virus extended databases. When
launched the program will restart Windows, and either shut down the computer or end
the current user's session. It does not have any other payload, but it may be used by
other malicious programs as a utility. The file name...

6. not-a-virus:Tool.Win32.RegPatch.a
This program is approximately 5KB in size (when packed) and packed using UPX. It
is designed to change system registry values. The file overlay contains an encrypted
(xor 90h) .REG file. When launched, the file is saved in C:\ParaTemp.reg using the
following command: regedit.exe -s C:\ParaTemp.reg....

7. not-a-virus:Tool.Win32.TPE.a
This program is a patch constructor i.e. it can be used to create programs which will
modify other software. It has a wide range of functionality and configuration options.
The program is used to produce small (less than 20KB) EXE files, which will modify
other program files and the system registry....

Hoaxes and Jokes


1. not-a-virus:Joke.Win32.Buttons.a
This is a joke program, not a virus or Trojan, but it operates in a way that may annoy a user.
When run it displays the message box: The Button Generator Would you like some
buttons? [Yes] [No] In case of "No" the program just exits. In case of "Yes" it
displays several dozens of "Press me" message...

2. not-virus:BadJoke.Win16.Aloap
This is a joke program, not a virus or Trojan, but its manifestation is Trojan-like and can
frighten a user. When run it randomly moves all applications' windows on the screen
("shakes" all windows, active window and background one). The joke program itself
has hidden (not visible) window and to...

3. not-virus:Joke.JS.Spawn.b
Spawn is a "joke". Once the JavaScript contained within the infected document's HTML
is launched, the user's Internet Explorer browser window begins to move around.
Besides this, several more IE windows open in the background.

4. not-virus:Joke.Win32.Errore
This "bad joke" simulates the Windows format functionality. When it is executed, it
displays several fake "error messages" such as: Errore interno di Windows 345
all'indirizzo 4E6F:942A Errore interno di Windows 591 all'indirizzo 93C0:6210
Errore interno di Windows 712 all'indirizzo 7ED5:...

5. not-virus:Joke.Win32.FakeFormat.a
Fake Format simulates the Windows format functionality. Once the program is run,
no matter which buttons are chosen, Fake Format starts to format the drive. The user
is unable to stop, interrupt, or cancel this format. Once the fake formatting has been
completed, the standard Windows format summary...

6. not-virus:Joke.Win32.JepRuss
JepRuss is a joke program - it is not a virus or a Trojan program. It displays
scary messages that can really frighten users. When this program launches it
displays a standard message window with the text: Please Wait. Initialising... In a
moment it displays a dialog box with the...

Who Writes Malicious Programs and Why?

Virus writers: four general types

Virus writers belong to one of four broad groups: cyber-vandals, who can be divided into
two categories, and more serious programmers, who can again be split into two groups.

Cyber vandalism - stage 1

In the past, most malware was written by young programmers: kids who had just learned
to program and wanted to test their skills. Fortunately most of these programs did not
spread widely - the majority of such malware died when disks were reformatted or
upgraded. Viruses like these were not written with a concrete aim or a definite target, but
simply for the writers to assert themselves.

Cyber vandalism - stage 2

The second largest group of contributors to malware coding were young people, usually
students. They were still learning programming, but had already made a conscious
decision to devote their skills to virus writing. These were people who had chosen to
disrupt the computing community by committing acts of cyber hooliganism and cyber
vandalism. Viruses authored by members of this group were usually extremely primitive
and the code contained a large number of errors.

However, the development of the Internet provided space and new opportunities for these
would-be virus writers. Numerous sites, chat rooms and other resources sprang up where
anyone could learn about virus writing: by talking to experienced authors and
downloading everything from tools for constructing and concealing malware to malicious
program source code.

Professional virus writers

And then these 'script kiddies' grew up. Unfortunately, some of them did not grow out of
virus writing. Instead, they looked for commercial applications for their dubious talents.
This group remains the most secretive and dangerous section of the computer
underground: they have created a network of professional and talented programmers who
are very serious about writing and spreading viruses.

Professional virus writers often write innovative code designed to penetrate computers
and networks; they research software and hardware vulnerabilities and use social
engineering in original ways to ensure that their malicious creations will not only survive,
but also spread widely.

Virus researchers: the 'proof-of-concept' malware authors

The fourth and smallest group of virus writers is rather unusual. These virus writers call
themselves researchers, and they are often talented programmers who devote their skills
to developing new methods for penetrating and infecting systems, fooling antivirus
programs and so forth. They are usually among the first to penetrate new operating
systems and hardware. Nevertheless, these virus writers are not writing viruses for
money, but for research purposes. They usually do not spread the source code of their
'proof of concept viruses', but do actively discuss their innovations on Internet resources
devoted to virus writing.

All of this may sound innocent or even beneficial. However, a virus remains a virus and
research into new threats should be conducted by people devoted to curing the disease,
not by amateurs who take no responsibility for the results of their research. Many proof
of concept viruses can turn into serious threats once the professional virus writers gain
access to them, since virus writing is a source of income for this group.

Why write viruses?

Fraud

The computer underground has realised that paid-for Internet services, such as Internet
access, email and web hosting, provide new opportunities for illegal activity with the
additional satisfaction of getting something for nothing. Virus writers have authored a
range of Trojans which steal login information and passwords to gain free access to other
users' Internet resources.

The first password stealing Trojans appeared in 1997: the aim was to gain access to AOL.
By 1998 similar Trojans appeared for all other major Internet service providers. Trojans
stealing login data for dial-up ISPs, AOL and other Internet services are usually written
by people with limited means to support their Internet habit, or by people who do not
accept that Internet resources are a commercial service just like any other, and must
therefore be paid for.

For a long time, this group of Trojans constituted a significant portion of the daily 'catch'
for antivirus companies worldwide. Today, the numbers are decreasing in proportion to
the decreasing cost of Internet access.

Computer games and software license keys are another target for cyber fraud. Once
again, Trojans providing free access to these resources are written by and for people with
limited financial resources. Some hacking and cracking utilities are also written by so-
called 'freedom fighters', who proclaim that all information should be shared freely
throughout the computing community. However, fraud remains a crime, no matter how
noble the aim is made out to be.

Organised cyber crime

The most dangerous virus writers are individuals and groups who have turned
professional. These people either extract money directly from end users (either by theft or
by fraud) or use zombie machines to earn money in other ways, such as creating and
selling a spamming platform, or organizing DoS attacks, with the aim here being
blackmail.

Most of today's serious outbreaks are caused by professional virus writers who organize
the blanket installations of Trojans to victim machines. This may be done by using
worms, links to infected sites or other Trojans.

Bot networks

Currently, virus writers either work for particular spammers or sell their wares to the
highest bidder. Today, one standard procedure is for virus writers to create bot networks,
i.e. networks of zombie computers infected with identical malicious code. In the case of
networks used as spamming platforms, a Trojan proxy server will penetrate the victim
machines. These networks number from a thousand to tens of thousands of infected
machines. The virus writers then sell these networks to the highest bidder in the computer
underground.

Such networks are generally used as spamming platforms. Hacker utilities can be used to
ensure that these networks run efficiently; malicious software is installed without the
knowledge or consent of the user, adware programs can be camouflaged to prevent
detection and deletion, and antivirus software may be attacked.

Financial gain

Apart from servicing spam and adware, professional virus writers also create Trojan spies
which they use to steal money from e-wallets, PayPal accounts and/or directly from
Internet bank accounts. These Trojans harvest banking and payment information from
local machines or even corporate servers and then forward it to the master.

Cyber extortion

The third major form of contemporary cyber crime is extortion or Internet rackets.
Usually, virus writers create a network of zombie machines capable of conducting an
organized DoS attack. Then they blackmail companies by threatening to conduct a DoS
attack against the corporate website. Popular targets include e-stores, banking and
gambling sites, i.e. companies whose revenues are generated directly by their on-line
presence.

Other malware

Virus writers and hackers also ensure that adware, dialers, utilities that redirect browsers
to pay-to-view sites and other types of unwanted software function efficiently. Such
programs can generate profits for the computer underground, so it's in the interests of
virus writers and hackers to make sure that these programs are not detected and are
regularly updated.

In spite of the media attention given to young virus writers who manage to cause a global
epidemic, approximately 90% of malicious code is written by the professionals. Although
all four groups of virus writers challenge computer security, the group which poses a
serious, and growing threat is the community of professional virus writers who sell their
services.

How to Detect a Hacker Attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may
use a single specific exploit, several exploits at the same time, a misconfiguration in one
of the system components or even a backdoor from an earlier attack.

Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced
user. This article gives a few basic guidelines to help you figure out whether your machine
is under attack or the security of your system has been compromised. Keep in mind that,
just as with viruses, there is no 100% guarantee you will detect a hacker attack this way.
However, there's a good chance that if your system has been hacked, it will display one
or more of the following behaviours.

Windows machines:

• Suspiciously high outgoing network traffic. If you are on a dial-up account or
using ADSL and notice an unusually high volume of outgoing network traffic
(especially when your computer is idle or not necessarily uploading data), then it is
possible that your computer has been compromised. Your computer may be being
used either to send spam or by a network worm which is replicating and sending
copies of itself. For cable connections, this is less relevant - it is quite common to
have the same amount of outgoing traffic as incoming traffic even if you are
doing nothing more than browsing sites or downloading data from the Internet.
• Increased disk activity or suspicious looking files in the root directories of any
drives. After hacking into a system, many hackers run a massive scan for any
interesting documents or files containing passwords or logins for bank or
epayment accounts such as PayPal. Similarly, some worms search the disk for
files containing email addresses to use for propagation. If you notice major disk
activity even when the system is idle in conjunction with suspiciously named files
in common folders, this may be an indication of a system hack or malware
infection.
• Large number of packets which come from a single address being stopped by a
personal firewall. After locating a target (e.g. a company's IP range or a pool of
home cable users) hackers usually run automated probing tools which try to use
various exploits to break into the system. If you run a personal firewall (a
fundamental element in protecting against hacker attacks) and notice an unusually
high number of stopped packets coming from the same address then this is a good
indication that your machine is under attack. The good news is that if your
personal firewall is reporting these attacks, you are probably safe. However,
depending on how many services you expose to the Internet, the personal firewall
may fail to protect you against an attack directed at a specific FTP service running
on your system which has been made accessible to all. In this case, the solution is
to block the offending IP temporarily until the connection attempts stop. Many
personal firewalls and IDSs have such a feature built in.
• Your resident antivirus suddenly starts reporting that backdoors or trojans have
been detected, even if you have not done anything out of the ordinary. Although
hacker attacks can be complex and innovative, many rely on known trojans or
backdoors to gain full access to a compromised system. If the resident component
of your antivirus is detecting and reporting such malware, this may be an
indication that your system can be accessed from outside.
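
A small detection script for the 'many stopped packets from one address' indicator above, added here as an example and not part of the original article. It runs over constructed firewall log lines in a simplified layout of my own (timestamp, action, protocol, source, destination, destination port); real personal-firewall logs use their own formats, so parse_line() would need adapting.

```python
"""Flag source addresses behind many blocked inbound packets.

Added example, not from the original article. The log layout is a constructed,
generic one; adapt parse_line() to your firewall product's actual format.
"""
import re
from collections import defaultdict

# Constructed sample log: one address hammering several ports (automated probe),
# one stray blocked packet from another peer, and one normal allowed connection.
SAMPLE_LOG = """\
2005-03-01 10:00:01 BLOCK TCP 203.0.113.7 192.168.1.5 135
2005-03-01 10:00:01 BLOCK TCP 203.0.113.7 192.168.1.5 139
2005-03-01 10:00:02 BLOCK TCP 203.0.113.7 192.168.1.5 445
2005-03-01 10:00:02 BLOCK TCP 203.0.113.7 192.168.1.5 1433
2005-03-01 10:00:03 BLOCK TCP 203.0.113.7 192.168.1.5 3389
2005-03-01 10:00:03 BLOCK UDP 198.51.100.20 192.168.1.5 137
2005-03-01 10:00:04 ALLOW TCP 192.168.1.5 198.51.100.9 80
2005-03-01 10:00:05 BLOCK TCP 203.0.113.7 192.168.1.5 21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def blocked_by_source(log_text):
    """Return {src_ip: (blocked_count, set_of_destination_ports)} for BLOCK entries."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        entry = stats[rec["src"]]
        entry[0] += 1
        entry[1].add(int(rec["dport"]))
    return {ip: (n, ports) for ip, (n, ports) in stats.items()}


def probing_sources(log_text, min_blocked=5, min_ports=3):
    """Addresses whose blocked packets exceed both thresholds, most active first.

    Requiring several distinct ports separates an automated probing tool from a
    single noisy peer that keeps retrying one port.
    """
    hits = []
    for ip, (n, ports) in blocked_by_source(log_text).items():
        if n >= min_blocked and len(ports) >= min_ports:
            hits.append((ip, n, sorted(ports)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


if __name__ == "__main__":
    for ip, n, ports in probing_sources(SAMPLE_LOG):
        print(f"{ip}: {n} blocked packets to ports {ports} - candidate for a temporary block")
```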

Unix machines:

• Suspiciously named files in the /tmp folder. Many exploits in the Unix world rely
on creating temporary files in the /tmp standard folder which are not always
deleted after the system hack. The same is true for some worms known to infect
Unix systems; they recompile themselves in the /tmp folder and use it as 'home'.
• Modified system binaries such as 'login', 'telnet', 'ftp', 'finger' or more complex
daemons, 'sshd', 'ftpd' and the like. After breaking into a system, a hacker usually
attempts to secure access by planting a backdoor in one of the daemons with
direct access from the Internet, or by modifying standard system utilities which
are used to connect to other systems. The modified binaries are usually part of a
rootkit and generally, are 'stealthed' against direct simple inspection. In all cases,
it is a good idea to maintain a database of checksums for every system utility and
periodically verify them with the system offline, in single user mode.
• Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder.
Sometimes hacker attacks may add a new user in /etc/passwd which can be used to
log in remotely at a later date. Look for any suspicious usernames in the
password file and monitor all additions, especially on a multi-user system.
• Suspicious services added to /etc/services. Opening a backdoor in a Unix system
is sometimes a matter of adding two text lines. This is accomplished by modifying
/etc/services as well as /etc/inetd.conf. Closely monitor these two files for any
additions which may indicate a backdoor bound to an unused or suspicious port.
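
The checks above can be automated. The following Python script is an added example written for this edit, not code from the original article: it builds and verifies a SHA-256 baseline of system binaries, reports accounts added to /etc/passwd (and any non-root account carrying UID 0), and reports lines appended to /etc/services or /etc/inetd.conf. The file contents in run_demo() are constructed sample data; on a real host you would pass the real paths, keep the baseline on read-only or offline media, and run the verification after booting from known-good media, since a kernel rootkit can lie to any scanner that runs on the compromised system.

```python
"""Host integrity checks for a Unix machine (added example, not from the article).

Implements the three checks described above: a checksum database for system
binaries, detection of accounts added to /etc/passwd, and detection of lines
added to /etc/services or /etc/inetd.conf. Everything in run_demo() is
constructed sample data.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map every existing regular file in paths to its SHA-256 digest."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}


def verify_baseline(baseline):
    """Compare files on disk with a baseline from build_baseline().
    Returns {'modified': [...], 'missing': [...]}; both empty means all clean."""
    modified, missing = [], []
    for path, digest in sorted(baseline.items()):
        if not os.path.isfile(path):
            missing.append(path)
        elif sha256_of(path) != digest:
            modified.append(path)
    return {"modified": modified, "missing": missing}


def parse_passwd(text):
    """Parse /etc/passwd text into {username: uid}; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def passwd_anomalies(old_text, new_text):
    """Accounts added since the baseline copy of /etc/passwd, plus any account
    other than root that carries UID 0 (a planted second superuser)."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "uid0": sorted(u for u, uid in new.items() if uid == 0 and u != "root"),
    }


def added_lines(old_text, new_text):
    """Non-comment lines present in new_text but not in old_text; suitable for
    /etc/services and /etc/inetd.conf, where a backdoor is often one
    appended line in each file."""
    def significant(text):
        return {ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(significant(new_text) - significant(old_text))


def run_demo():
    """Exercise every check on constructed data in a temporary directory."""
    work = tempfile.mkdtemp()
    login = os.path.join(work, "login")
    with open(login, "wb") as fh:
        fh.write(b"original login binary (constructed)")
    baseline = build_baseline([login, os.path.join(work, "absent")])
    clean = verify_baseline(baseline)
    with open(login, "wb") as fh:          # simulate a rootkit replacing login
        fh.write(b"trojaned login binary (constructed)")
    tampered = verify_baseline(baseline)
    os.remove(login)                        # simulate the binary being deleted
    missing = verify_baseline(baseline)
    passwd_old = ("root:x:0:0:root:/root:/bin/sh\n"
                  "daemon:x:1:1:daemon:/:/usr/sbin/nologin\n")
    passwd_new = passwd_old + ("toor:x:0:0::/:/bin/sh\n"
                               "backup2:x:1005:1005::/home/backup2:/bin/sh\n")
    services_old = "ftp 21/tcp\n# telnet below\ntelnet 23/tcp\n"
    services_new = services_old + "remadm 5555/tcp\n"   # constructed addition
    return {
        "clean": clean,
        "tampered": tampered["modified"],
        "missing": missing["missing"],
        "passwd": passwd_anomalies(passwd_old, passwd_new),
        "services": added_lines(services_old, services_new),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

For real use, call build_baseline() once on a freshly installed system, store the result off the host, and run verify_baseline() from single user mode as the text recommends; the passwd and services checks take the stored copy of each file and the current one as text.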

Three Criteria for Malware Existence

No operating system or application is vulnerable to malicious programs unless external
programs, no matter how simple, can be launched. If an external program, even the
simplest, can be launched within an operating system or application, then it will be
vulnerable to malicious programs. Most contemporary operating systems and applications
need to work with other programs, so they do end up being vulnerable. Potentially
vulnerable OS and applications include:

• All popular desktop operating systems
• Most office applications
• Most graphical editors
• Project applications
• Any application with a built-in scripting language

Computer viruses, worms and Trojans have been written for countless operating systems and
applications. On the other hand, there are still numerous OSs and applications that are
free from malware so far. Why is this so? What makes one OS more attractive to virus
writers than others?

Malware appears in any given environment when the following criteria are met:

• The operating system is widely used
• Reasonably high-quality documentation is available
• The targeted system is insecure or has a number of documented vulnerabilities

All three criteria are key factors and all three need to be met before the given system will
be targeted by virus writers.

In the first place, in order for hackers and cyber vandals to even consider any system, the
target needs to be popular enough for them to access it. Once an OS or application is
widely available and marketed successfully, it turns into a viable target for virus writers.

A quick look at the number of malicious programs written for Windows and Linux shows
that the volume of malware is roughly proportional to the respective market share of
these two operating systems.

Detailed documentation is necessary for both legal developers and hackers, since
documentation includes descriptions of available services and rules for writing
compatible programs.

For instance, most mobile phone vendors do not share this information, leaving both
legitimate developers and hackers without it. On the other hand, some vendors of smart
phones do publish their documentation. The first viruses for Symbian
(Worm.SymbOS.Cabir.a) and Windows CE (WinCE.Duts.a) appeared shortly after the
documentation was published in mid-2004.

The architecture of a well-designed OS or application needs to take security into
account. A secure solution does not give new or unsanctioned programs extensive access to
files or to potentially dangerous services. This leads to difficulties, as a fully secure
system will block not only malware but 'friendly' programs as well. As a result, none of
the widely available systems can be called truly secure.

Java virtual machines that run Java applications in 'sandbox' mode come close to
achieving secure conditions. In fact, for a long time no Java virus or Trojan posing a
serious threat has been written, though non-viable proof-of-concept malware does
occasionally appear. Malware written in Java appeared only when vulnerabilities in the
Java Virtual Machine's security were discovered and publicized.

Malicious Programs Descriptions

Malicious programs can be divided into the following groups: worms, viruses, Trojans,
hacker utilities and other malware. All of these are designed to damage the infected
machine or other networked machines.

Network Worms

This category includes programs that propagate via LANs or the Internet with the
following objectives:

• Penetrating remote machines
• Launching copies on victim machines
• Spreading further to new machines

Worms use different networking systems to propagate: email, instant messaging, file-
sharing (P2P), IRC channels, LANs, WANs and so forth.

Most existing worms spread as files in one form or another - email attachments, in ICQ
or IRC messages, links to files stored on infected websites or FTP servers, files accessible
via P2P networks and so on.

There are a small number of so-called fileless or packet worms; these spread as network
packets and directly penetrate the RAM of the victim machine, where the code is then
executed.

Worms use a variety of methods for penetrating victim machines and subsequently
executing code, including:

• Social engineering; emails that encourage recipients to open the attachment
• Poorly configured networks; networks that leave local machines open to access
from outside the network
• Vulnerabilities in operating systems and applications

Today's malware is often a composite creation: worms now often include Trojan
functions or are able to infect exe files on the victim machine. They are no longer pure
worms, but blended threats.

Classic Viruses

This class of malicious programs covers programs that spread copies of themselves
throughout a single machine in order to:

• Launch and/or execute its code once a user performs a designated action
• Penetrate other resources within the victim machine

Unlike worms, viruses do not use network resources to penetrate other machines. Copies
of viruses can penetrate other machines only if an infected object is accessed and the
code is launched by a user on an uninfected machine. This can happen in the following
ways:

• The virus infects files on a network resource that other users can access
• The virus infects removable storage media which are then attached to a clean
machine
• The user attaches an infected file to an email and sends it to a 'healthy' recipient

Viruses are sometimes carried by worms as additional payloads, or they can themselves
include backdoor or Trojan functionality which destroys data on an infected machine.

Trojan Programs

This class of malware includes a wide variety of programs that perform actions without
the user's knowledge or consent: collecting data and sending it to a cyber criminal,
destroying or altering data with malicious intent, causing the computer to malfunction, or
using a machine's capabilities for malicious or criminal purposes, such as sending spam.

A subset of Trojans damage remote machines or networks without harming the infected
machine itself; these are Trojans that use victim machines to participate in a DoS
attack on a designated web site.

Hacker Utilities and other malicious programs

This diverse class includes:

• Utilities such as constructors that can be used to create viruses, worms and
Trojans
• Program libraries specially developed to be used in creating malware
• Hacker utilities that encrypt infected files to hide them from antivirus software
• Jokes that interfere with normal computer function
• Programs that deliberately misinform users about their actions in the system
• Other programs that are designed to directly or indirectly damage local or
networked machines

Who Writes Malicious Programs and Why?

Virus writers: four general types

Virus writers belong to one of four broad groups: cyber-vandals, who can be divided into
two categories, and more serious programmers, who can again be split into two groups.

Cyber vandalism - stage 1

In the past, most malware was written by young programmers: kids who had just learned
to program and wanted to test their skills. Fortunately most of these programs did not
spread widely - the majority of such malware died when disks were reformatted or
upgraded. Viruses like these were not written with a concrete aim or a definite target, but
simply for the writers to assert themselves.

Cyber vandalism - stage 2

The second group of contributors to malware coding were young people, usually
students. They were still learning programming, but had already made a conscious
decision to devote their skills to virus writing. These were people who had chosen to
disrupt the computing community by committing acts of cyber hooliganism and cyber
vandalism. Viruses authored by members of this group were usually extremely primitive
and the code contained a large number of errors.

However, the development of the Internet provided space and new opportunities for these
would-be virus writers. Numerous sites, chat rooms and other resources sprang up where
anyone could learn about virus writing: by talking to experienced authors and
downloading everything from tools for constructing and concealing malware to malicious
program source code.

Professional virus writers

And then these 'script kiddies' grew up. Unfortunately, some of them did not grow out of
virus writing. Instead, they looked for commercial applications for their dubious talents.
This group remains the most secretive and dangerous section of the computer
underground: they have created a network of professional and talented programmers who
are very serious about writing and spreading viruses.

Professional virus writers often write innovative code designed to penetrate computers
and networks; they research software and hardware vulnerabilities and use social
engineering in original ways to ensure that their malicious creations will not only survive,
but also spread widely.

Virus researchers: the 'proof-of-concept' malware authors

The fourth and smallest group of virus writers is rather unusual. These virus writers call
themselves researchers, and they are often talented programmers who devote their skills
to developing new methods for penetrating and infecting systems, fooling antivirus
programs and so forth. They are usually among the first to penetrate new operating
systems and hardware. Nevertheless, these virus writers are not writing viruses for
money, but for research purposes. They usually do not spread the source code of their
'proof of concept viruses', but do actively discuss their innovations on Internet resources
devoted to virus writing.

All of this may sound innocent or even beneficial. However, a virus remains a virus and
research into new threats should be conducted by people devoted to curing the disease,
not by amateurs who take no responsibility for the results of their research. Many proof
of concept viruses can turn into serious threats once the professional virus writers gain
access to them, since virus writing is a source of income for this group.

Why write viruses?

Fraud

The computer underground has realised that paid-for Internet services, such as Internet
access, email and web hosting, provide new opportunities for illegal activity with the
additional satisfaction of getting something for nothing. Virus writers have authored a
range of Trojans which steal login information and passwords to gain free access to other
users' Internet resources.

The first password stealing Trojans appeared in 1997: the aim was to gain access to AOL.
By 1998 similar Trojans appeared for all other major Internet service providers. Trojans
stealing login data for dial-up ISPs, AOL and other Internet services are usually written
by people with limited means to support their Internet habit, or by people who do not
accept that Internet resources are a commercial service just like any other, and must
therefore be paid for.

For a long time, this group of Trojans constituted a significant portion of the daily 'catch'
for antivirus companies worldwide. Today, the numbers are decreasing in proportion to
the decreasing cost of Internet access.

Computer games and software license keys are another target for cyber fraud. Once
again, Trojans providing free access to these resources are written by and for people with
limited financial resources. Some hacking and cracking utilities are also written by so-
called 'freedom fighters', who proclaim that all information should be shared freely
throughout the computing community. However, fraud remains a crime, no matter how
noble the aim is made out to be.

Organised cyber crime

The most dangerous virus writers are individuals and groups who have turned
professional. These people either extract money directly from end users (either by theft or
by fraud) or use zombie machines to earn money in other ways, such as creating and
selling a spamming platform, or organizing DoS attacks, with the aim here being
blackmail.

Most of today's serious outbreaks are caused by professional virus writers who organize
the blanket installations of Trojans to victim machines. This may be done by using
worms, links to infected sites or other Trojans.

Bot networks

Currently, virus writers either work for particular spammers or sell their wares to the
highest bidder. Today, one standard procedure is for virus writers to create bot networks,
i.e. networks of zombie computers infected with identical malicious code. In the case of
networks used as spamming platforms, a Trojan proxy server will penetrate the victim
machines. These networks number from a thousand to tens of thousands of infected
machines. The virus writers then sell these networks to the highest bidder in the computer
underground.

Such networks are generally used as spamming platforms. Hacker utilities can be used to
ensure that these networks run efficiently; malicious software is installed without the
knowledge or consent of the user, adware programs can be camouflaged to prevent
detection and deletion, and antivirus software may be attacked.

Financial gain

Apart from servicing spam and adware, professional virus writers also create Trojan spies
which they use to steal money from e-wallets, PayPal accounts and/or directly from
Internet bank accounts. These Trojans harvest banking and payment information from
local machines or even corporate servers and then forward it to the master.

Cyber extortion

The third major form of contemporary cyber crime is extortion or Internet rackets.
Usually, virus writers create a network of zombie machines capable of conducting an
organized DoS attack. Then they blackmail companies by threatening to conduct a DoS
attack against the corporate website. Popular targets include e-stores, banking and
gambling sites, i.e. companies whose revenues are generated directly by their on-line
presence.

Other malware

Virus writers and hackers also ensure that adware, dialers, utilities that redirect browsers
to pay-to-view sites and other types of unwanted software function efficiently. Such
programs can generate profits for the computer underground, so it's in the interests of
virus writers and hackers to make sure that these programs are not detected and are
regularly updated.

In spite of the media attention given to young virus writers who manage to cause a global
epidemic, approximately 90% of malicious code is written by professionals. Although
all four groups of virus writers challenge computer security, the group which poses a
serious, and growing threat is the community of professional virus writers who sell their
services.

History of Malicious Programs

Malicious software may seem like a relatively new concept. The epidemics of the past
few years have introduced the majority of computer users to viruses, worms and Trojans -
usually because their computers were attacked. The media has also played a role,
reporting more and more frequently on the latest cyber threats and virus writer arrests.

However, malicious software is not really new. Although the first computers were not
attacked by viruses, this does not mean they were not potentially vulnerable. It was
simply that when information technology was in its infancy, not enough people
understood computer systems to exploit them.

But once computers became slightly more common, the problems started. Viruses started
appearing on dedicated networks such as the ARPANET in the 1970s. The boom in
personal computers, initiated by Apple in the early 1980s, led to a corresponding boom in
viruses. As more and more people gained hands-on access to computers, they were able
to learn how the machines worked. And some individuals inevitably used their
knowledge with malicious intent.

As technology has evolved, so have viruses. In the space of a couple of decades, we have
seen computers change almost beyond recognition. The extremely limited machines
which booted from a floppy disk are now powerful systems that can send huge volumes
of data almost instantaneously, route email to hundreds or thousands of addresses, and
entertain individuals with movies, music and interactive Web sites. And virus writers
have kept pace with these changes.

While the viruses of the 1980s targeted a variety of operating systems and networks, most
viruses today are written to exploit vulnerabilities in the most commonly used software:
Microsoft Windows. The increasing number of vulnerable users is now being actively
exploited by virus writers. The first malicious programs may have shocked users, by
causing computers to behave in unexpected ways. However, the viruses which started
appearing in the 1990s present much more of a threat: they are often used to steal
confidential information such as bank account details and passwords.

So malicious software has turned into big business. An understanding of contemporary
threats is vital for safe computing. This section gives an overview of the evolution of
malware: it offers a glimpse of some historical curiosities, and provides a framework to
help understand the origins of today's cyber-threats.

The Beginning - A Little Archeology

Historians are still debating when the first computer virus really appeared. We do know a
few things for certain, however: the first computer, which is generally considered to have
been invented by Charles Babbage, did not have any viruses. By the mid-1970s, the Univac
1108 and IBM 360/370 did.

Nevertheless, the idea for computer viruses actually appeared much earlier. Many
consider the starting point to be the work of John von Neumann in his studies on self-
reproducing mathematical automata, famous in the 1940s. By 1951, Neumann had
already proposed methods for demonstrating how to create such automata.

In 1959, the British mathematician Lionel Penrose presented his view on automated self-
replication in his Scientific American article 'Self-Reproducing Machines'. Unlike
Neumann, Penrose described a simple two dimensional model of this structure which
could be activated, multiply, mutate and attack. Shortly after Penrose's article appeared,
Frederick G. Stahl reproduced this model in machine code on an IBM 650.

It should be noted that these studies were never intended to provide a basis for the
future development of computer viruses. On the contrary, these scientists were striving to
perfect this world and make it more suitable for human life. And it was these works that
laid the foundation for many later studies on robotics and artificial intelligence.

In 1961, a group of engineers from America's Bell Telephone Laboratories, Victor
Vyssotsky, Doug McIlroy and Robert Morris, created a game called 'Darwin'. The game
consisted of a so-called umpire in the memory of the computer that determined the rules
and order of battle between competing programs created by the players. The programs
could track and destroy opponents' programs and, more importantly, multiply. The point
of the game was to delete your opponent's programs and gain control over the battlefield.
The scientists' theoretical work and the engineers' harmless game were overshadowed
once the world realized that the theory of self-replicating units could be used, just as
successfully, for completely different purposes.

Early 1980s

As computers gained in popularity, more and more individuals started writing their own
programs. Advances in telecommunications provided convenient channels for sharing
programs through open-access servers such as BBS - the Bulletin Board System.
Eventually university BBS servers evolved into a global data bank and were available in
all developed countries. The first Trojans appeared in large quantities; programs that
couldn't self-replicate or spread, but did damage systems once downloaded and installed.

1981

The widespread use of Apple II computers predetermined this machine's fate in attracting
the attention of virus writers. It is not surprising that the first large-scale computer virus
outbreak in history occurred on the Apple II platform.

Elk Cloner spread by infecting the Apple II's operating system, stored on floppy disks.
When the computer was booted from an infected floppy, a copy of the virus would
automatically start. The virus would not normally affect the running of the computer,
except for monitoring disk access. When an uninfected floppy was accessed, the virus
would copy itself to the disk, thus infecting it, too, slowly spreading from floppy to
floppy.

Elk Cloner infected the boot sector of Apple II floppy disks. In those days, operating
systems were stored on floppy disks: as a result the floppies were infected and the virus
was launched every time the machine was booted. Users were startled by the side effects
and often infected friends by sharing floppies, since most people had no idea what viruses
were, much less how they spread.

The Elk Cloner payload included rotating images, blinking text and joke messages:

ELK CLONER:
THE PROGRAM WITH A PERSONALITY
IT WILL GET ON ALL YOUR DISKS
IT WILL INFILTRATE YOUR CHIPS
YES, IT'S CLONER
IT WILL STICK TO YOU LIKE GLUE
IT WILL MODIFY RAM, TOO
SEND IN THE CLONER!

1983

The term 'virus' was first applied to self-replicating computer programs in 1983. On
November 10th, 1983, at a seminar on computer security at Lehigh University, Fred Cohen,
the grandfather of modern computer virology, demonstrated a virus-like program on a
VAX 11/750 system; the name 'virus' was suggested by his advisor, Len Adleman. The
program was able to install itself into other system objects. A year later, at the 7th
annual computer security conference, Cohen defined the phrase 'computer virus' as a
program which is able to 'infect' other programs by modifying them to install copies of
itself.

1986

The first global IBM-compatible virus epidemic was detected. Brain, which infected the
boot sector, was able to spread practically worldwide within a few months. The almost
total lack of awareness in the computing community of how to protect machines against
viruses ensured Brain's success. In fact, the appearance of numerous science fiction
works on the topic only strengthened the panic, instead of teaching people about security.

The Brain virus was written by a 19 year old Pakistani programmer, Basit Farooq Alvi,
and his brother Amjad, and included a text string containing their names, address and
telephone number. According to the virus's authors, who worked in sales for a software
company, they wanted to gauge the level of piracy in their country. Aside from infecting
a disk's boot sector and changing the disk name to '© Brain', the virus did nothing; it had
no real payload, and did not corrupt data. Unfortunately, the brothers lost control of their
so-called experiment and Brain spread worldwide.

Interestingly enough, Brain was also the first 'stealth virus.' When an attempt to read the
infected sector was detected, the virus would display the original, uninfected data.

That same year, a German programmer, Ralf Burger, invented the first programs that
could copy themselves by adding their code to executable DOS files in COM format. The
working model of the program, named Virdem, was introduced by Burger in December
1986 in Hamburg at an underground computer forum, the Chaos Computer Club. Though
most of the hackers at the event specialised in attacking VAX/VMS systems, they were
still interested in the concept.

1988

Suriv-3, or the Jerusalem virus, as it is known today, caused a major epidemic in 1988. It
was detected in many enterprises, government offices and academic institutions on
Friday, May 13th. The virus struck all over the world, but the US, Europe and the Near
East were hit hardest. On that date, Jerusalem deleted every program that was run on an
infected machine.

May 13th 1988 came to be known as Black Friday. Ironically, antivirus experts and virus
writers all pay close attention when the 13th of any month falls on a Friday. Virus writers
are more active, while virus analysts treat it as a professional mini-holiday.

By this time, many antivirus companies had been established around the world.
Generally, these were small firms, usually with two or three people. The software
consisted of simple scanners that performed context searches to detect unique virus code
sequences.
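
As an added example (not code from the original article), here is a scanner of that kind in Python: it performs the 'context search' for a signature, a unique byte sequence, with '??' wildcards for bytes that legitimately differ between copies of the same virus. The signature name and the sample buffers in run_demo() are constructed for this example and contain no real virus code.

```python
"""Signature scanner in the style of the first scanners described above
(added example, not from the article). A signature is a hex string in which
'??' stands for one byte that differs between copies of the same virus, such
as a relocation constant. The signature and the byte strings in run_demo()
are constructed for this example and are not real virus code.
"""
import re


def compile_signature(hex_sig):
    """'E8 00 00 5E 81 EE ?? ?? 8B' -> compiled regex over bytes."""
    parts = []
    for token in hex_sig.split():
        if token == "??":
            parts.append(b".")                         # any single byte
        else:
            parts.append(b"\\x%02x" % int(token, 16))  # one literal byte
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip
    return re.compile(b"".join(parts), re.DOTALL)


def load_signatures(database):
    """{name: hex signature} -> {name: compiled pattern}."""
    return {name: compile_signature(sig) for name, sig in database.items()}


def scan_bytes(data, compiled):
    """Return sorted [(name, offset)] for every signature found in data."""
    hits = []
    for name, pattern in compiled.items():
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return sorted(hits)


def scan_file(path, compiled):
    """Scan one file; early scanners did exactly this, one file at a time."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), compiled)


def run_demo():
    # Constructed signature: 'call $+3; pop si; sub si, imm16; mov ...', the
    # prologue a DOS COM virus uses to find where it was loaded. The imm16
    # differs per infected host, so those two bytes are wildcarded.
    sigs = load_signatures({"SAMPLE.A": "E8 00 00 5E 81 EE ?? ?? 8B"})
    copy_1 = b"\x90\x90" + bytes.fromhex("E800005E81EE03018B") + b"\xcc"
    copy_2 = bytes.fromhex("E800005E81EE0A118B")   # other imm16; contains 0x0A
    clean = bytes(32)
    return {
        "copy_1": scan_bytes(copy_1, sigs),
        "copy_2": scan_bytes(copy_2, sigs),
        "clean": scan_bytes(clean, sigs),
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits or 'no signature found'}")
```

A scanner like this depends on at least some bytes staying constant in every copy of the virus; that dependency is exactly what the encrypted and self-modifying viruses described under 1990 below were designed to break.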

Users also appreciated the immunizers that came with the scanners. These immunizers
would modify programs in such a way that a virus would think the computer was already
infected and leave them untouched. Later, when the quantity of viruses increased into the
hundreds, immunizers were rendered ineffective, as the number of immunizers required
for the viruses in the wild was simply unrealistic to manufacture.

Both types of antivirus programs were either distributed for free or were sold for
ridiculously low prices. Despite this, they failed to gain enough popularity to effectively
counter virus epidemics. Furthermore, the antivirus programs were completely helpless in
the face of new viruses: imperfect channels for data transmission and the lack of a unified
worldwide computer network like the modern Internet made the delivery of updated
versions of antivirus programs extremely difficult.

The spread of viruses like Jerusalem, Cascade, Stoned and Vienna was also facilitated by
human factors. First, users of that era did not know enough about the need for antivirus
protection. Second, many users, and even professionals, didn't believe in the existence of
computer viruses.

For instance, even Peter Norton, whose name is synonymous today with many products
of US-based Symantec, was skeptical about computer viruses at one stage in his career.
He declared their existence to be a myth and compared them to stories of large crocodiles
inhabiting the sewers of New York. This incident didn't stop Symantec, however, from
shortly after developing its own antivirus project, Norton AntiVirus.

This was an important year for the antivirus community as well: the first electronic forum
devoted to antivirus security was opened on April 22. This was the Virus-L forum on the
Usenet network created by Ken van Wyk, a university colleague of Fred Cohen's.

The first widespread virus hoax was also registered in 1988. This very interesting
phenomenon refers to the spread of rumors about dangerous new viruses. Actually, in
some cases, these rumors worked like a virus. Scared users would spread these rumors
at the speed of light. It goes without saying that these hoaxes did not harm anyone,
however, they used up bandwidth and users' nerves and discredited those that initially
believed the rumours.

Mike RoChennel (a pseudonym derived from the word 'Microchannel') was the author of
one of the first hoaxes. In October 1988, Mike sent a large number of messages to BBSs
regarding a virus which could transfer from one 2400 baud modem to another. A
suggested antidote to this virus was to use modems with a speed of 1200 baud. However
ridiculous this may have sounded, many users did indeed heed this advice.

Another such hoax was released by Robert Morris about a virus spreading over networks
and changing port and drive configurations. According to the warning, the alleged virus
infected 300,000 computers in the Dakotas in under 12 minutes.

November 1988: a network epidemic caused by the Morris Worm. The worm infected an
estimated 6,000 computer systems in the US (including the NASA research center) and
almost brought some to a complete standstill. Like the Christmas Tree worm, it sent
unlimited copies of itself and completely overloaded the networks.

In order to multiply, the Morris Worm exploited vulnerabilities in the UNIX systems of
the day on VAX and Sun Microsystems platforms: a debug mode left enabled in sendmail
and a buffer overflow in the finger daemon. As well as exploiting these vulnerabilities,
the worm used several other methods to gain access, such as abusing trusted-host
relationships (rsh/rexec) and guessing weak passwords for the accounts listed in
/etc/passwd.

The overall losses caused by the 'Morris Worm' virus were estimated at US $96 million
dollars - a significant sum at the time.

Finally, a popular antivirus program, Dr. Solomon's Anti-Virus Toolkit, was released
onto the market in 1988. The program was created by UK programmer Alan Solomon
and was widely used until 1998, when the company was taken over by US-based Network
Associates (NAI).

1989

The Datacrime and FuManchu (a Jerusalem modification) viruses as well as the virus
families Vacsina and Yankee appeared.

The Datacrime virus was extremely dangerous: from October 13th through December
31st, it initiated low-level formatting of the hard disk's zero cylinder, wiping the
partition table and the file allocation table (FAT) and causing irrevocable loss of data.

The first warning about the virus came out of the Netherlands in March from Fred Vogel.
Despite the relatively low infection rate, Datacrime evoked a hysterical reaction
worldwide. The repeated warnings resulted in significantly distorted descriptions of how
the virus really worked and what damage it caused.. In the US, the virus was named
Columbus Day because many speculated that the virus had been written by Norwegian
terrorists attempting to punish Americans for crediting Columbus instead of Eric the Red
with the discovery of America.

An interesting incident occurred in Holland. The local police decided to begin a proactive
fight against cyber-crime. They developed an antivirus program capable of neutralizing
Datacrime and sold it directly to local precincts for a mere $1. There was tremendous
demand for the antivirus program, but it was soon discovered that the program was
unreliable and had a high false positive rate. A second version was produced to correct
the mistakes; however, it was also riddled with bugs.

October 16th, 1989 saw the appearance of the WANK worm on VAX/VMS computers
on the SPAN network. The worm spread via the DECnet protocol and changed system
messages to read, 'WORMS AGAINST NUCLEAR KILLERS' accompanied by the
message, 'Your System Has Been Officially WANKed.' WANK also changed system
passwords to random symbols and sent them to a user by the name of GEMPAK on the
SPAN network.

December 1989 witnessed the AIDS Information Diskette incident. 20,000 disks
containing a Trojan were sent to addresses in Europe, Africa, Australia and the WHO.
The addresses had been stolen from the database of PC Business World. Once an infected
disk had been loaded, the program would automatically install itself on the system,
creating its own concealed files and directories and modifying system files. After 90
boots, the Trojan encoded the names of all files, rendering them invisible and
leaving only one file accessible. This file demanded payment of a 'licence fee' to a post
office box in Panama. As a result, it was relatively easy to identify the Trojan's author as
one Joseph Popp, who was later declared unfit to stand trial. Despite this, he was convicted
in absentia by Italian authorities.

It is interesting to note that 1989 marked the beginning of virus epidemics in Russia as
well. Towards the end of 1989, approximately 10 viruses (listed in the order they arrived)
appeared in Russian cyber-space: 2 versions of Cascade, several modifications of Vacsina
and Yankee, Jerusalem, Vienna, Eddie, and PingPong.

The spread of high technology worldwide predetermined the appearance of new antivirus
projects throughout the world, just as it did in Russia-or at that time, the USSR. In 1989,
antivirus expert Eugene Kaspersky, who would later found Kaspersky Lab, first ran into a
virus: his work computer was infected by Cascade in October 1989. It was this incident
that led Eugene to devote his life to antivirus research.

Only a month later, Eugene detected the Vacsina virus using the first version of the -V
antivirus program he had just written. Years later, -V turned into AVP (AntiViral Toolkit
Pro).

In fact, 1989 saw a bumper crop of antivirus companies: F-Prot, ThunderBYTE, and
Norman Virus Control.

So many people became so nervous about viruses that various groups and individuals
asked IBM, then the undisputed leader in the IT market, to provide an antivirus solution.
After brief consideration and market research, IBM decided to 'declassify' the internal
antivirus project developed at its TJ Watson Research Center and turn it into a full
commercial product. IBM Virscan for MS-DOS was first made available for purchase in
October 1989 for only $35.

April of 1989 marked another landmark in the antivirus field: the first antivirus
publications were founded. UK-based Sophos sponsored Virus Bulletin, while Dr.
Solomon's founded Virus Fax International. Virus Bulletin exists to this day, while Virus
Fax International was first renamed Virus News International and eventually
metamorphosed into Secure Computing.

Today, Secure Computing is considered one of the most popular sources on information
technology security and covers not only antivirus programs but also computer and
network security in general. Secure Computing holds an annual contest, the 'Secure
Computing Awards', for the best developments in various fields, including antivirus
protection, cryptography, access control, firewalls, and others.

1990
1990 saw several important developments in virus writing. Virus writers developed new
features and established well-publicized communities to share information.

To start with, the first polymorphic viruses appeared in 1990: the Chameleon family
(1260, V2P1, V2P2, and V2P6), which evolved from two earlier well-known viruses,
Vienna and Cascade. Chameleon's author, Mark Washburn, used Burger's book on the
Vienna virus and then added features from the self-encrypting Cascade virus. Unlike
Cascade, Chameleon was not only encrypted: the decryptor code itself also changed with
every infection. This particular feature rendered contemporary antivirus programs useless.
Up to that point, antivirus programs had depended on an ordinary context search, that is,
a search of the file for a fixed sequence of bytes taken from known virus code. Chameleon
had no such permanent byte sequence, which made the development of new types of
antivirus programs priority number one. These developments were not long in coming.
Soon thereafter, antivirus experts invented special algorithms to identify polymorphic
viruses. Later, in 1992, Eugene Kaspersky developed an even more effective method for
neutralizing polymorphic viruses: a processor emulator that executes the virus's own
decryptor in a sandbox until the constant body is decrypted and can be scanned. Today,
this technology is an integral part of all antivirus programs.
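
The following is an added illustration of the two detection methods described above; it is not code from the original page or from any antivirus vendor. The 'virus body' is an inert, constructed byte string, and the decryptor is bytecode for a tiny assumed instruction set rather than real x86, so the whole thing runs offline. A fixed-byte signature (context search) is tried against the raw file and again after a small processor emulator has run the decryptor, and the hit counts over many polymorphic copies are compared.

```python
import random

# Constructed, inert stand-in for the constant virus body; a real sample would be x86 code.
VIRUS_BODY = b"CONSTANT-VIRUS-BODY-v1.0 replicate(); payload();"
# The fixed byte string a 1990-style scanner would store for this virus.
SIGNATURE = b"replicate(); payload();"

# Opcodes of a toy decryptor instruction set (assumed for this example; not a real CPU).
NOP, LDK, LDC, LDP, XORB, ADDK, LOOP, END = range(8)


def generate_sample(rng: random.Random) -> bytes:
    """Polymorphic generator: returns a fresh 'infected file' whose decryptor
    and encrypted body differ on every call while still decrypting to VIRUS_BODY."""
    key = rng.randrange(1, 256)                      # never 0, which would leave plaintext
    delta = rng.choice([0, rng.randrange(1, 256)])   # fixed key or sliding key
    k, enc = key, bytearray()
    for b in VIRUS_BODY:                             # running-key XOR encryption
        enc.append(b ^ k)
        k = (k + delta) & 0xFF
    setup = [[LDK, key], [LDC, len(VIRUS_BODY)]]
    rng.shuffle(setup)                               # vary instruction order
    code = []
    for ins in setup:
        code += [NOP] * rng.randrange(0, 3) + ins    # insert junk NOPs
    code += [XORB, ADDK, delta, LOOP, END]
    code = [LDP, len(code) + 2] + code               # body starts right after END
    return bytes(code) + bytes(enc)


def emulate(sample: bytes, max_steps: int = 10_000) -> bytes:
    """Processor emulator: execute the decryptor on a private copy of the file
    and return the memory past END, i.e. the body as it looks once decrypted."""
    mem = bytearray(sample)
    key = count = ptr = pc = 0
    loop_start = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == LDK:
            key, pc = mem[pc + 1], pc + 2
        elif op == LDC:
            count, pc = mem[pc + 1], pc + 2
        elif op == LDP:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == XORB:
            loop_start = pc
            mem[ptr] ^= key
            ptr, pc = ptr + 1, pc + 1
        elif op == ADDK:
            key, pc = (key + mem[pc + 1]) & 0xFF, pc + 2
        elif op == LOOP:
            count -= 1
            pc = loop_start if count > 0 else pc + 1
        elif op == END:
            return bytes(mem[pc + 1:])
        else:
            raise ValueError(f"bad opcode {op} at offset {pc}")
    raise RuntimeError("step budget exhausted")   # real emulators cap their work too


def scan_static(sample: bytes) -> bool:
    """Context search: look for the signature in the raw file bytes."""
    return SIGNATURE in sample


def scan_emulated(sample: bytes) -> bool:
    """Emulate the decryptor first, then search the decrypted image."""
    return SIGNATURE in emulate(sample)


def detection_counts(n: int, seed: int = 0) -> tuple[int, int]:
    """Generate n polymorphic copies; return (static hits, emulated hits)."""
    rng = random.Random(seed)
    samples = [generate_sample(rng) for _ in range(n)]
    return (sum(scan_static(s) for s in samples),
            sum(scan_emulated(s) for s in samples))


if __name__ == "__main__":
    static_hits, emulated_hits = detection_counts(100)
    print(f"static signature: {static_hits}/100, after emulation: {emulated_hits}/100")
```

The step budget in `emulate` matters in practice: a decryptor that loops for a very long time, or that behaves differently when it detects emulation, is exactly the anti-emulation trick later viruses used, so a real engine has to decide what to do when the budget runs out rather than just giving up.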

The second important milestone was the appearance of the Bulgarian Virus Producing
Factory. Throughout this year and for a number of years afterwards, a large number of
viruses of Bulgarian origin were detected in the wild. They included entire virus families
such as Murphy, Nomenclatura, Beast (or 512 or Number of Beast), new modifications of
Eddie, and many more.
A virus writer named Dark Avenger was particularly active: he released several viruses a
year, which incorporated new infection and concealment techniques. It was Dark
Avenger who first employed a technique where the virus infected every file that was
opened on the computer, even if the file was opened for reading only, so that scanning
an infected machine with an antivirus program itself spread the infection. Dark Avenger
demonstrated exceptional ability, not only in creating viruses, but in spreading them as
well. He actively uploaded infected programs to BBSs, distributed the source code of his
viruses, and advocated the creation of new viruses in every way possible.

The first BBS (VX BBS) aiming to provide an open forum for the exchange of viruses
and information for virus writers was established in Bulgaria, probably by Dark Avenger.
The philosophy behind the board was simple: if a user uploaded a virus, then in exchange
he was allowed to download one from the board's catalog. If the user submitted a new
and interesting virus, then he was granted full access to the board's resources and could
download an unlimited quantity of viruses from the collection. It almost goes without
saying what a powerful effect VX BBS had on the development of viruses, especially
since the board was open to the whole world, not just Bulgaria.

In July of 1990, a serious incident occurred with the English computer magazine PC
Today. Each issue of the magazine contained a free floppy disc which turned out to be
infected with a copy of DiskKiller. More than 50,000 copies of the magazine were sold.
The resulting epidemic made virology history!

Two innovative stealth viruses appeared in the second half of 1990: Frodo and Whale.
Both used an incredibly complex algorithm to conceal themselves in the system. The nine
kilobyte Whale, in addition, employed several levels of encryption and a whole array of
tricky anti-debugging techniques.

The first Russian viruses appeared: Peterburg, Voronezh, and LoveChild.

In December of 1990, EICAR (European Institute for Computer Antivirus Research) was
established in Hamburg, Germany. The institute is still considered one of the most
respected international organizations, uniting professionals from practically all major
antivirus companies.

1991-1992
1991

The computer virus population continued to grow, reaching the 300 mark. As the number
and severity of virus incidents escalated, the need for reliable security rose
proportionally. Early 1991 saw the appearance of more AV products: Norton AntiVirus
from Peter Norton, who now believed in viruses; Central Point Antivirus; and Untouchable
from Fifth Generation Systems. The latter two were bought out by Symantec in 1993 and
1994.

Other virus-writer bulletin boards modelled on VX BBS appeared, and new personalities
emerged from the computer underground: Cracker Jack (Italy, the Italian Virus Research
Laboratory BBS), Gonorrhea (Germany), Demoralized Youth (Switzerland), Hellpit
(USA) and Dead on Arrival and Semaj (UK). The computer underground was forming.

Tequila, a polymorphic boot infector, caused a significant epidemic in April of this year.
It was created by a Swiss programmer exclusively for research purposes and without
malicious intent. However, one copy of the virus was stolen by an acquaintance who
deliberately infected other users.

The summer of 1991 saw a virus epidemic with Dir_II, which used a fundamentally new
means of infecting files: link technology, in which the virus modifies the directory entries
of executable files so that they point to the virus body instead of the original program.
This virus, to this day, remains the only example of this type detected in the wild.

Altogether, 1991 was relatively calm; a calm before the storm that broke in 1992.

1992

Viruses for non IBM-compatible and non MS-DOS systems faded from the foreground at
this time. Loopholes in global networks were closed, errors corrected, and network
worms lost the conditions they required to spread - at least for the time being!

Instead, boot sector viruses were gaining popularity on the most commonly used
operating system (MS-DOS) on the most widely used platform (IBM PC). The number
of viruses grew astronomically and security incidents occurred almost every day. New
antivirus programs continued to appear, as did several books and a number of regular
publications dedicated to viruses. This was the background for some important
developments in virus writing.

At the beginning of 1992 the first polymorphic generator, MTE (Mutation Engine),
appeared. Its primary purpose was to be linked into other viruses in order to make them
polymorphic. The author of this program, the infamous Dark Avenger, did everything
possible to ease the work of his colleagues in this area: the MTE generator was delivered
as a ready-to-use object module and was accompanied by documentation.

Due to MTE, several polymorphic viruses immediately appeared. MTE was also the
forerunner of several other polymorphic generators, creating a headache for many
antivirus companies. Even after months of work, many antivirus companies were unable
to reach 100% results in detecting well-known versions of polymorphic viruses created
with the help of MTE.

The first anti-antivirus programs appeared during this year. Peach was one of the first: it
deleted the database of Central Point AntiVirus's change inspector. If the antivirus
program was unable to locate its database, it behaved as if it had been installed for the
first time and silently recreated the database from the already infected files. In this way the
virus avoided detection and slowly infected the entire system.
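
The weakness Peach exploited is a design decision, not a bug in any one product: a change inspector that treats a missing baseline as "first run" gives an attacker a way to reset it. The following is an added example, not code from Central Point or from the original page, that models both behaviours on a constructed two-file "disk" held in memory: a naive inspector that re-baselines silently, and a hardened one that requires an explicit operator-driven baseline, authenticates the stored database with an HMAC (the key name and the secret are assumptions of the example), and reports a missing or tampered database as a finding in its own right.

```python
import hashlib
import hmac
import json

# Constructed "disk": path -> contents. A real inspector would walk the filesystem.
CLEAN_DISK = {
    "C:\\DOS\\COMMAND.COM": b"MZ original command interpreter",
    "C:\\DOS\\FORMAT.COM": b"MZ original format utility",
}


def snapshot(disk: dict) -> dict:
    """Per-file SHA-256 digests: the change inspector's view of the disk."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in disk.items()}


def naive_check(disk: dict, store: dict) -> list:
    """Behaviour Peach exploited: a missing database means 'first run', so the
    inspector rebuilds it from the current (possibly infected) disk and reports nothing."""
    if store.get("db") is None:
        store["db"] = snapshot(disk)
        return []
    current, baseline = snapshot(disk), store["db"]
    return sorted(p for p in set(current) | set(baseline)
                  if current.get(p) != baseline.get(p))


def hardened_init(disk: dict, store: dict, key: bytes) -> None:
    """Explicit baseline step, run by the operator on a disk known to be clean.
    The database is stored together with an HMAC so replacement is detectable."""
    db = json.dumps(snapshot(disk), sort_keys=True).encode()
    store["db"] = db
    store["mac"] = hmac.new(key, db, "sha256").hexdigest()


def hardened_check(disk: dict, store: dict, key: bytes) -> list:
    """A missing or unauthenticated baseline is itself a finding; never re-baseline here."""
    db, mac = store.get("db"), store.get("mac")
    if db is None or mac is None:
        return ["ALERT: baseline missing; refusing to re-create it automatically"]
    if not hmac.compare_digest(mac, hmac.new(key, db, "sha256").hexdigest()):
        return ["ALERT: baseline database has been tampered with"]
    current, baseline = snapshot(disk), json.loads(db)
    return sorted(f"CHANGED: {p}" for p in set(current) | set(baseline)
                  if current.get(p) != baseline.get(p))


def run_scenario(attack: str, key: bytes = b"inspector-secret") -> tuple:
    """Baseline a clean disk, infect one file, optionally attack the database the way
    Peach did ("delete") or by rewriting it to match the infected disk ("forge"),
    then return what each inspector reports on its next run."""
    naive_store, hard_store = {}, {}
    naive_check(CLEAN_DISK, naive_store)           # naive: first run just records the baseline
    hardened_init(CLEAN_DISK, hard_store, key)     # hardened: baseline is a deliberate step
    infected = dict(CLEAN_DISK)
    infected["C:\\DOS\\COMMAND.COM"] += b" + appended virus body"   # constructed infection
    if attack == "delete":
        naive_store.clear()
        hard_store.clear()
    elif attack == "forge":                        # no key needed to forge the naive database
        naive_store["db"] = snapshot(infected)
        hard_store["db"] = json.dumps(snapshot(infected), sort_keys=True).encode()  # MAC now stale
    return naive_check(infected, naive_store), hardened_check(infected, hard_store, key)


if __name__ == "__main__":
    for attack in ("none", "delete", "forge"):
        naive, hardened = run_scenario(attack)
        print(f"{attack:>6}: naive={naive} hardened={hardened}")
```

The HMAC only helps if the key is not readable by the same code that can delete the database; on a single-user DOS machine with no privilege separation a resident virus could read it too, which is why the practical advice of the period was to keep the inspector and its baseline on a write-protected floppy. Today the same fail-closed rule applies to file-integrity monitoring and EDR agents: a lost baseline or a silently re-enrolled agent should page someone, not reset to "clean".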

Law enforcement agencies worldwide began developing departments specializing
exclusively in computer crimes. For example, the Computer Crime Unit of New
Scotland Yard successfully broke up the English virus group ARCV (Association for
Really Cruel Viruses). Great Britain's proactive law enforcement position practically
neutralized computer underground activity there, and even now we are unaware of any
serious organized groups of virus writers in the country.

In March of 1992, we witnessed the Michelangelo (or March6) outbreak and the media
hype in advance of it (the virus itself was first detected in 1991, but caused an outbreak in
1992). Though some experts predicted that over 5 million machines would be infected,
only a few thousand machines actually suffered.

The VCL and PS-MPC virus constructors first appeared in July 1992. They allowed
people to create their own viruses by selecting from a range of malicious payloads offered
by the constructor. This increased the number and the potential destructiveness of viruses,
as MTE had done.

1992 also brought Win.Vir_1_4, the first virus for Windows. Win.Vir_1_4 infected
Windows executable files. Despite the fact that the virus was poorly coded, had
limited propagation ability, and had no special Windows functionality, it nevertheless
opened a new chapter in the history of computer viruses.

On the antivirus vendor front, Symantec bought Certus International along with their
proprietary antivirus product, Novi.

1993-1995
1993

Virus writers began to take their work seriously. The computer underground had already
mastered an array of new polymorphic generators and constructors, and founded new
electronic publications. This year saw new viruses which employed new techniques to
infect files, penetrate systems, destroy data and conceal themselves from antivirus
applications.
One such example is the PMBS virus, which ran in the protected mode of Intel 80386
processors. Another was the Strange (or Hmm) virus, the only stealth virus which
implemented its concealment at the level of the disk hardware interrupts INT 0Dh and
INT 76h rather than the DOS and BIOS service interrupts.

Carbuncle signaled a new generation of companion viruses. A number of other viruses
like Emmie, Bomber, Uruguay, and Cruncher employed fundamentally new techniques to
conceal themselves in the code of infected files.

The spring of 1993 turned out to be a nerve-wracking time for many antivirus vendors:
Microsoft released its own antivirus program. Microsoft AntiVirus (MSAV) was based
on the former Central Point AntiVirus (CPAV). The program was included in the
standard delivery of MS-DOS and Windows operating systems. The first tests conducted
by independent testing laboratories showed a high level of effectiveness. However, later
on, its quality began to slowly decline and the project was discontinued.

1994

More and more significance was attached to the problem of viruses on CDs. Having
quickly become popular, this removable storage medium became one of the primary ways
of spreading viruses. Several incidents were registered in which a virus was discovered on
the master disc of a compact disc producer. As a result, the computer market was flooded
with relatively large shipments (tens of thousands) of infected discs. Naturally, such
carriers could not be disinfected; they could only be destroyed.

At the beginning of the year, two extremely complex polymorphic viruses appeared in the
UK: SMEG.Pathogen and SMEG.Queeg. Even now, not all antivirus programs are able to
detect these programs with 100% certainty. The virus writer placed the infected files on
BBS boards and caused both an outbreak and a panic in the mass media.

The GoodTimes hoax caused yet another panic. GoodTimes allegedly spread via the
Internet and infected computers via email. However, some time later, an ordinary DOS
virus containing the text Good Times appeared and was named GT-Spoof.

Many other unusual viruses appeared this year:

• January - Shifter, the first virus to infect OBJ files.
• Phantom1 - the first polymorphic virus written in Moscow.
• April - ScrVir, a family of viruses which infects program source code in C and
Pascal.
• June - OneHalf, a complex and dangerous polymorphic virus, causes a significant
outbreak: in fact, this virus is still active and can cause real damage to this day.
• September - Zaraza, an MS-DOS file and boot sector virus, causes a significant
outbreak by using a unique installation method: the new technique temporarily stumped
the antivirus experts.

This year also marked several significant developments in the antivirus field.
In June, one of the leading antivirus vendors was purchased by Symantec, which had
already earned a reputation for acquiring other antivirus projects.

AntiViral Toolkit Pro was launched in September. Eugene Kaspersky's first product
immediately won top marks in a series of independent tests conducted by Hamburg
University.

1995

Nothing significant occurred in the field of DOS viruses this year, although several
complex viruses such as Nightfall, Nostradamus, and Nutcracker appeared. There were also
some interesting new viruses such as the 'bisexual' RMNS virus and the BAT virus
Winstart. There were also two widespread, but not severe, outbreaks caused by ByWay
and DieHard2.

In February, Microsoft sent infected versions of Windows 95 to beta testers, but only one
person thought to run an antivirus check. He discovered that the discs were infected by
Form, and testing was put off until clean discs were issued.

In the Spring of 1995, two antivirus companies announced an alliance: ESaSS (the
developer of ThunderBYTE Anti-Virus) and Norman Data Defense Systems (Norman
Virus Control). These companies, both with their own very strong independent antivirus
products, decided to combine efforts to develop a single antivirus system. Later on, in
1998, this alliance would crumble with a buy-out of the Dutch ESaSS by a Norwegian
company.

In August, the Concept virus, the first macro virus for MS Word, struck: the virus circled
the globe in only a month and was number one on antivirus vendors' lists of most
common viruses.

In the first half of September, one of the world's largest computer manufacturers, Digital
Equipment Corporation (DEC), accidentally distributed copies of the Concept virus to
delegates at a DECUS conference taking place in Dublin. Fortunately, the virus was
quickly detected and the outbreak contained. Over a hundred known versions of the
Concept virus are still in circulation today.

Green Stripe, a virus for AmiPro, a then popular word-processing program, also spread
rapidly. The source code for Green Stripe was published as a free supplement to Mark
Ludwig's magazine Underground Technology Review.

The advent of macro viruses posed a new set of challenges for antivirus vendors. New
technologies were needed to detect macro viruses; first in MS Word and eventually in
other MS Office applications.

The English affiliate of the Ziff-Davis publishing house distinguished itself twice in
1995. The first time was in September, when the publishing house's PC Magazine
(English version) distributed a diskette containing the Sampo virus to its subscribers. This
was soon discovered and the company offered its apologies and offered readers a free
antivirus utility. The irony of the event lay in the fact that the diskette was a supplement
to an issue which contained articles on the results of antivirus tests for Novell NetWare
products.

Later, in the middle of December, another Ziff-Davis publication, Computer Life, sent its
readers a diskette containing a Christmas greeting. Unfortunately, it turned out that the
diskette also contained the Parity Boot virus.

Law enforcement agencies also pressed onward in the struggle against cyber crime. On
January 16, The New Scotland Yard's Computer Crime Unit took Christopher Pile to
court for writing and distributing viruses. The unemployed Pile, or the Black Baron, as he
was known in the underground was accused of authoring the Queeg and Pathogen viruses
as well as the SMEG polymorphic generator. After ten months Pile pleaded guilty and
was sentenced to 18 months in prison.

1996
1996 started off with two interesting viruses: Boza, the first virus for Windows 95, and an
epidemic caused by Zhengxi, a polymorphic virus written by Denis Petrov, a Russian
programmer from Saint Petersburg.

In March of 1996, the first virus epidemic for Windows 3.x occurred, caused by
Win.Tentacle. This virus infected a hospital computer network and several other
organizations in France. This virus was distinguished by being the first Windows virus
detected in the wild. Until then, all Windows viruses had been kept in collections or as
part of the electronic journals of virus writers. Prior to Win.Tentacle, only boot sector,
DOS, and macro viruses had existed in the wild.

In June of 1996, the OS2.AEP virus appeared; this was the first virus which infected
OS/2 EXE files properly. Prior to this, OS/2 viruses had written themselves over the file,
destroying it, or had employed the companion virus technique.

In July 1996, Laroux, the first Microsoft Excel virus, was detected in the wild, in two oil
drilling companies in Alaska and South Africa respectively. The virus was detected in the
two locations almost simultaneously. As with MS Word viruses, Laroux's payload was
based on macros, mini-programs written in the Visual Basic programming language.
Such programs could be embedded in Excel spreadsheets just as they could be in MS
Word documents. As it turned out, Excel's built-in Visual Basic also allowed for the
creation of viruses. It was this virus which caused an epidemic in many companies in
Moscow in April 1997.

At the end of the summer, two virus writers called Nightmare Joker and Wild Worker
released, almost simultaneously, two constructors for macro viruses: Word Macro Virus
Construction Kit and Macro Virus Development Kit. Both could be used for the English
and German versions of MS Word.

In the middle of October, Microsoft was hit by another security incident provoked by a
virus. The Wazzu virus was discovered in one of the Word documents on Microsoft's
website detailing technical support for Microsoft products in Switzerland. Later this same
virus was found on a compact disc distributed by the company during the Orbit computer
technology exhibition in Basel, Switzerland. Even here, Microsoft's problems with the
Wazzu virus didn't end: in September, the virus made its way onto Microsoft Solution
Provider compact discs.

In December 1996, the first memory-resident Windows 95 virus appeared. It loaded into
the system like a VxD driver, intercepted file calls, and infected the files being accessed.

1996 as a whole can also be considered the beginning of a widespread attack by the
computer underground on the Windows 95 and Windows NT operating systems, as well
as on applications such as Microsoft Office. Throughout 1996 and 1997, dozens of viruses
for Windows 95/NT and several hundred macro viruses appeared. Many of these viruses
used completely new techniques and innovative methods such as stealth capability and
polymorphism. Consequently, computer viruses reached a new evolutionary level, now
aimed at 32-bit operating systems; however, they followed the same evolutionary path
that DOS viruses had taken ten years earlier.

The antivirus landscape also changed significantly. Towards the end of the year, Cheyenne
Software, developer of the antivirus program InocuLAN, was bought out by Computer
Associates.

1997
In February of 1997, Linux Bliss, the first virus for the Linux operating system, appeared.
Viruses had moved to yet another environment. Although Linux viruses are a rarity, they
have evolved since their first appearance. Viruses which run in the background have been
developed for Linux, as well as a number of viable Trojans for this platform. If Linux
were even half as popular as Windows, the number of viruses for Linux would be far
greater than the actual number of viruses which exist for this platform.

The release of Microsoft's Office 97 was notable for the fact that macro viruses almost
immediately migrated to this application. Macro viruses created for Word 6/7 and Excel
5.0 worked only partially under Office 97, or not at all, because it introduced a completely
new version of Visual Basic for Applications, VBA 5.0, which differed significantly from
WordBasic and VBA 3.0. The first viruses for MS Office 97 turned out to be almost
identical to their predecessors, simply converted into the new format. Nevertheless, new
macro viruses developed exclusively for MS Office 97 soon appeared.

March 1997 was notable for the appearance of the 'ShareFun' macro virus for MS Word
6/7, which started a new chapter in computer history: it became the first virus of its kind
to spread using email, in particular MS Mail.

In April of 1997 the Homer virus was detected; this was the first network worm to use
FTP to propagate.

June 1997 brought the first self-encrypting virus for Windows 95, Win95.Mad. The virus,
of Russian origin, was sent out to several BBS stations in Moscow, causing a major
epidemic.

The 'Esperanto' virus was born in November 1997. It was an attempt, fortunately
unsuccessful, to create a multi-platform virus which would be able to infect DOS,
Windows and MacOS.

The development of the Internet, and in particular the appearance of mIRC (a popular
Internet Relay Chat client), sparked a great deal of interest, including that of virus writers.
It didn't take long for malicious programs to start appearing. In December of 1997, the
antivirus world publicized the appearance of a fundamentally new type of computer worm
which spread via IRC channels. An analysis of mIRC showed a dangerous security
loophole: the directory into which files received via IRC were saved was the same
directory that held the SCRIPT.INI command file. A SCRIPT.INI file containing the body
of the worm could therefore be sent to a remote computer, where it would automatically
replace the original command file. When restarted, mIRC would execute the malicious
script, and the worm would then send itself to other users. This error was quickly
corrected and the rather primitive IRC worms had disappeared by summer. However,
multi-component IRC worms later appeared which actively searched for SCRIPT.INI files
(in mIRC clients), EVENTS.INI files (in pIRCh clients), and others. They worked in a
similar way to email worms: the user would receive an EXE, COM or BAT file which,
when launched, would replace the original command file.

One of the more important events of 1997 was the split-off of one of the KAMI firm's
divisions, led by Eugene Kaspersky. This division became an independent company
known as Kaspersky Lab, which is today recognized as a technical leader in the antivirus
industry. Since 1994, the company's main product, AntiViral Toolkit Pro, has consistently
shown high results in numerous tests conducted by testing laboratories across the world.
The formation of an independent legal entity allowed a small group of developers to
become, within two years, one of the leaders in its own country in addition to being
well known internationally. Little time was required to develop and release versions with
new antivirus security technologies for virtually all popular platforms, and to create a
network of international distribution and technical support.

In October 1997, Kaspersky Lab and the Finnish company Data Fellows (later renamed
F-Secure Corporation) signed an agreement to license the Kaspersky Lab antivirus engine
for Data Fellows' newest product, FSAV (F-Secure Anti-Virus). Prior to this, Data Fellows
had been well known as the vendor of the F-PROT Professional antivirus.

1997 will also long be remembered as a year of petty squabbles. Several scandals evolved
at the same time between some of the larger antivirus manufacturers. At the beginning of
the year, McAfee announced that they had discovered a hidden switch in the programs of
one of their main competitors, the antivirus firm Dr. Solomon's. McAfee claimed that if
Dr. Solomon's antivirus program discovered several viruses during a scan, it completed
its work in an elevated mode. In other words, the program worked in a normal mode under
normal conditions, but on finding several viruses it switched to an intensive mode (or, in
McAfee's words, a 'cheat mode') which allowed the detection of viruses previously
invisible to Dr. Solomon's in normal scanning mode. As a result, tests on uninfected
discs showed good speed results, while scans of virus collections showed good
detection results.

Dr. Solomon's response was not long in coming, and the company soon filed suit
against McAfee's recent marketing campaign, which claimed that McAfee was 'The
Number One Choice Worldwide. No Wonder The Doctor's Left Town'. This was an
obvious reference to Alan Solomon, the founder of Dr. Solomon's, who had in fact earlier
transferred control of his company to its senior management.

Perhaps even more scandalous was the affair of the Taiwanese developer Trend Micro,
which accused two of the leading antivirus companies, McAfee and Symantec, of violating
its patent on virus-scanning technology for the Internet and electronic mail. Shortly
afterward Symantec leapt into the fray with its own accusations, alleging that McAfee
was guilty of using code from Symantec's Norton AntiVirus.

The year came to a close with McAfee Associates and Network General announcing
their intent to merge into a single company, Network Associates Inc (NAI), in order to
diversify into other computer security systems as well (such as encryption, firewalls,
network scanners, etc.). However, at the end of 1999 NAI's management decided to breathe
new life into the McAfee brand and line of antivirus products, and the company reverted
to its old name.

1998
Virus attacks on MS Windows, MS Office and network applications continued apace,
with viruses exploiting new infection vectors and using ever more complex technologies.
A wide range of Trojan programs designed to steal passwords (the PSW family) and remote
administration utilities (Backdoor) appeared. Several computer magazines distributed
discs which were infected with the Windows viruses CIH and Marburg. Specifically,
compact discs attached to the English, Slovenian, Swiss and later Italian versions of PC
Gamer contained the Marburg virus. This virus was contained in the electronic registration
program of an MGM Interactive disc with the game Wargames PC. At the end of
September, the AutoStart virus was discovered on discs which were to be distributed with
Corel DRAW 8.1 for Mac OS.

The beginning of the year brought an epidemic caused by a whole family of viruses,
Win32.HLLP.DeTroi, which not only infected Win32 EXE files but were also capable of
transmitting information about victim machines to the author of the virus. Because the
virus exploited system libraries used only in the French version of Windows, the
epidemic affected only French-speaking countries.

In February, the Excel4Paix (or Formula.Paix) virus was detected. This new macro virus
installed itself in Excel tables by using an unusual macro area of formulas which were
capable of containing self-replicating code. Later the same month, polymorphic
Win32 viruses emerged: Win95.HPS and Win95.Marburg. Furthermore, they were
detected in the wild. Antivirus developers were forced to rapidly develop new methods of
detection for polymorphic viruses which, until then, had existed only for DOS.

AccesiV, the first virus for Microsoft Access, was detected in March. Unlike the earlier
Word.Concept and Excel.Laroux viruses, it did not cause much alarm, as most users had
come to accept that Microsoft applications are highly vulnerable. At approximately the
same time, another virus called Cross surfaced. This was the first multi-platform macro
virus capable of infecting documents in two Microsoft Office applications, Word and
Access. On the heels of Cross several other macro viruses materialized, transferring
their code from one Office application to another. The most notable of these was
Triplicate (also known as Tristate), which was capable of infecting Word, Excel and
PowerPoint.

In May of 1998, the Red Team virus became the first virus to infect Windows EXE files
and distribute itself using the Eudora email client. June brought the Win95.CIH virus,
which caused an epidemic of mass and then later global proportions, infecting computer
networks and home computers by the thousand. The beginning of the epidemic was
pinpointed to Taiwan, where an unknown hacker sent infected files to a local mailing
list. From there the virus spread to the States, where infected files made it onto several
popular web servers and spread the virus to gaming programs. It was most likely the
game servers that acted as the primary reason for the large-scale epidemic, which
continued throughout the year. The virus leap-frogged in 'popularity' over earlier virus
superstars such as Word.CAP and Excel.Laroux. Most notable was the virus payload:
depending on the day of infection, the virus would erase the Flash BIOS, which in some
cases could make it necessary to replace the motherboard. CIH's complex procedures
caused antivirus products to significantly increase their speed of development.

In August of 1998 the emergence of BackOrifice (or Backdoor.BO) caused controversy: it
was designed as a covert utility for remote host administration across networks.
Other similar programs such as NetBus and Phase appeared shortly thereafter.

August also saw the emergence of the first malicious executable Java module,
Java.StrangeBrew. This virus did not present a specific danger to Internet users, but it did
illustrate the fact that viruses can also be found in applications actively used for viewing
web content.

In November 1998, malicious programs continued to evolve, with three viruses infecting
Visual Basic scripts (VBS files), which were actively used in creating webpages. At
the time, Kaspersky Labs released an in-depth study on the potential threat of VBS
viruses. However, many specialists were too quick to label the company a panic inciter
and criticized the study for provoking virus hysteria. Half a year later, when the
LoveLetter epidemic broke, it became clear that Kaspersky's prognosis was completely
accurate. To this day, this type of virus holds onto first place in the list of the most
widespread and dangerous virus types.

The logical culmination of VBScript viruses was full-fledged HTML viruses like
HTML.Internal. It became patently clear that virus writers' efforts were beginning to focus
more and more on network applications. Virus writers were moving towards network
worms which exploited flaws in MS Windows and Office and infected remote computers
through web servers or via email.

The next MS Office application to fall victim to a virus was PowerPoint. In December
1998, a virus of unknown origin, Attach, was the first to attack. It was immediately
followed by two more, ShapeShift and ShapeMaster, whose author was likely one
and the same. The appearance of PowerPoint viruses caused yet another headache for
antivirus vendors. Files of this MS application use the OLE2 format, which determines the
way in which viruses are scanned for in DOC and XLS files. However, the VBA
modules in the PPT format are stored in compressed form, which meant that it was
necessary to design new algorithms to decompress them and make antivirus searches
possible. Despite the complexity of what would seem like a simple task, almost all
antivirus companies integrated into their products the functionality necessary to defend
against PowerPoint viruses.

In January, Virus Bulletin magazine began a new project: VB 100%. This regular testing
of antivirus products is designed to determine whether the solutions can detect 100% of
in-the-wild viruses. VB 100% is now regarded as one of the more respected
independent testers.

Significant changes occurred in the antivirus vendor market as well.
In May, Symantec and IBM announced their unified efforts to develop an antivirus
product. The combined product was to be distributed by Symantec under the same name,
while IBM's product, IBM Anti-Virus, would cease to exist. Towards the end of
September, Symantec announced its purchase of the antivirus business of Intel
Corporation, LANDesk Virus Protect. Just two weeks later, Symantec surprised the
industry yet again with another purchase, this time of QuarterDeck for $65 million. The
company's product range included such antivirus products as ViruSweep.

Such aggressive tactics did not go unnoticed by the American antivirus giant NAI, which
on August 13th announced its purchase of one of its primary competitors, the English
company Dr. Solomon's. The latter was bought for the record amount of $640 million by
means of a stock swap. These events evoked true shock in the antivirus industry. A
previous conflict between two large players in the industry had ended in a buy-sell deal,
the result of which was the disappearance of one of the more noticeable and
technologically strong developers of antivirus software.

Also interesting was the purchase of EliaShim, the developer of the antivirus product
E-Safe. The purchase was made in December by Aladdin Knowledge Systems, a well-
known developer of equipment and software for computer security.

A curious incident occurred with the publication of a computer virus warning in the
December 21st edition of The New York Times. The author warned users about the
appearance of a virus which spread via email and was already being detected in some
networks. It later became evident that this scary virus was none other than the already
well-known macro virus Class.

1999
Strange as it may seem, the most significant news to come out of this year was not the
emergence of a new computer virus, but an announcement about the long-planned
purchase of the Australian antivirus vendor Cybec by the software giant Computer
Associates (CA). With this purchase, CA added another antivirus product to its
collection, having already purchased Cheyenne Software at the end of 1996. Both products
still exist to this day: CA Vet Anti-Virus and CA InoculateIT.

Viruses, however, did not sit idly by, and in January we witnessed the emergence of a
global epidemic with the Happy99 virus (also known as Ska). This was actually the first
modern-day worm, which once again opened a new chapter in the history of malware
evolution. It used MS Outlook, which had become a corporate standard in Europe and the
US, to spread. Despite the fact that Happy99 first appeared at the beginning of 1999, it
still regularly shows up as one of the top ten most widespread harmful programs to this
day.

At almost the same time, a very interesting macro virus for MS Word was detected:
Caligula. It searched the system registry for keys corresponding to PGP (Pretty Good
Privacy) programs and then searched for the appropriate databases. If such databases were
found, the virus initiated an FTP session and secretly sent the files to a remote server.

At the end of February, SK appeared, the first virus to infect Windows HLP files.

On the 26th of March, a global epidemic was caused by Melissa, the first macro virus for
MS Word to combine Internet worm functionality as well. Immediately after infection,
Melissa scanned the address book in MS Outlook and sent copies of itself to the first 50
addresses it found. Like Happy99, Melissa did this without the knowledge or consent of
the user, but the messages still appeared to be sent in the user's name. Fortunately, this
macro virus was not complex and antivirus developers quickly released the necessary
additions to their databases. The epidemic was contained quickly. Despite this, Melissa
still managed to inflict significant damage on a range of computer systems: industry
giants like Microsoft, Intel and Lockheed Martin were forced to temporarily shut down
their corporate email systems. Estimates place the damage caused by the virus at several
tens of millions of US dollars.

Law enforcement agencies in the US (or, to be more precise, cybercrime units) reacted
exceptionally quickly to the Melissa virus. A short while thereafter, the author of the
virus was discovered and arrested. He was 31-year-old David L. Smith, a programmer
from New Jersey. On December 9th, he was found guilty and sentenced to 10 years in
prison and fined $400,000.

Law enforcement agencies were equally active on the other side of the Pacific Ocean as
well. In Taiwan, the author of the CIH virus, earlier known only as Chernobyl, was
exposed as Chen Ing Hao (notice the initials), a student at the Taiwan Technical Institute.
However, due to a lack of charges from any of the local companies, the police had no
basis for an arrest.

On May 7th, a virus intruded on the Canadian company, Corel. Under threat was its cash
cow, Corel DRAW. The Gala virus (also known as GaLaDRieL) was written in Corel
SCRIPT language and became the first virus capable of infecting Corel DRAW files as
well as Corel PHOTO-PAINT and Corel VENTURA.

Another epidemic broke at the very beginning of the summer with the dangerous Internet
worm ZippedFiles (also known as ExploreZip). The virus came in the form of an EXE
file which, once installed, would destroy the files of some of the more popular applications.
While the worm was not as widespread as Melissa, the damage incurred was estimated to
be several times higher. Despite a quick reaction from antivirus companies in neutralizing
the virus, a relapse was recorded in December. In the modified version, the body of the
virus was compressed using the Neolite compression utility. If the antivirus program
didn't recognize this compression format, the worm escaped unnoticed. At the time, none
of the antivirus programs recognized this format. It was only in June of 2000 that
AntiViral Toolkit Pro (AVP) gained support for Neolite-compressed files.

In August, an Internet worm named Toadie (or Termite) was detected. In addition to
infecting files in DOS or Windows, the virus attached copies of itself to emails sent via
Pegasus and attempted to spread through IRC channels.

October brought the computer industry three new surprises. First was the discovery of the
Infis virus, the first virus for this operating system, which installed itself at the
highest privilege level of the platform and affected system drivers. This made the virus
difficult to contain. The second surprise consisted of antivirus companies warning users
about the first computer virus for MS Project. In actuality, this was a multiplatform virus
that infected MS Word files just as well as MS Project files. The third surprise was the
emergence in July of yet another script virus, Freelinks, which was one of the
predecessors of the well-known LoveLetter virus.

In November, the world was shaken by the emergence of a new generation of worms
which spread via email without attached files and penetrated computers when infected
messages were read. The first of these was Bubbleboy, which was immediately followed
by KakWorm. Viruses of this type exploited an Internet Explorer loophole, and although
Microsoft issued a patch the same month, KakWorm remained widespread for a long
time. That same month, the USA and Europe recorded several incidents of infection by
FunLove, a Windows virus.

December 7th was notable for the detection of the latest in a long line of Trojans
authored by a Brazilian virus writer known as Vecna. The very dangerous and complex
Babylonia virus turned a new page in the history of virus creation. It was the first worm
capable of updating itself remotely. Every minute it would connect to a server in Japan
and download a list of virus modules. If it found modules there fresher than those on the
infected computer, it immediately downloaded them. Later, this same technique would be
employed by Sonic, Hybris and other viruses.

In the middle of the year, the antivirus industry officially divided into two camps in
regard to their approach to potential Y2K threats. One camp strongly promoted the belief
that the computer underground had prepared a surprise in the form of several hundred
thousand viruses capable of shaking human civilization to its core. The subtext of this
warning was clear: install antivirus software and you would be saved from attack. The
second camp of antivirus companies logically opposed the first and attempted to maintain
calm among scared users. Later, the warnings were proved baseless, and the year 2000
came in the same way as any other year.

A few curious stories were abroad as well. A compact disc distributed with the November
edition of the Hungarian magazine Uj Alaplap contained, in addition to useful
information, a distinctly unpleasant surprise: two macro viruses for MS Word, Class.B
and Opey.A.

2000
The year began unexpectedly for users of Windows 2000 and Visio, a popular application
for creating diagrams and flow-charts. Microsoft had not even finished announcing the
release of a fully functional commercial version of its operating system when members
of the underground group 29A set Inta loose. The virus was the first to infect Windows
2000 files. Shortly after, two viruses emerged almost simultaneously, Unstable and
Radiant, which marked Visio's demise. The second incident had a dark irony to it: not
long after Unstable and Radiant appeared, Microsoft purchased Visio Corporation.

In April, the first macro virus of Russian origin for MS Word was recorded. Proverb was
detected in 10 Downing Street, the office of the British prime minister. It can only be
hoped that English authorities heeded the advice of the Russian proverb, 'Don't put off
'till tomorrow what you can drink today'.

On May 5th, the script virus LoveLetter set a record that made it into the Guinness Book
of Records. Everything occurred exactly as Eugene Kaspersky had predicted in November
of 1998. Naïve users couldn't even imagine that harmless-looking VBS and TXT files
could contain a harmful virus. Once loaded, it destroyed a range of files and sent itself to
all addresses in the MS Outlook address book. The transparency of the source code more
or less guaranteed that new modifications of the virus would appear throughout the year,
and currently there are more than 90 of them in circulation.

On the 6th of June, the Timofonica virus was detected; this was the first computer virus
that employed, in a limited manner, mobile phones. In addition to spreading via email,
the virus sent messages to random mobile phone numbers in the MoviStar cellular
network, which belonged to the global telecommunications giant Telefonica. The virus
had no other effect on mobile phones, despite the fact that many mass media outlets were
quick to name Timofonica the first 'cellular' virus.

The summer of 2000 was hot, particularly as far as mobile phone viruses were concerned.
While this period is usually a vacation time for virus writers and antivirus experts alike,
the former, by all accounts, decided to surprise the latter. In July, a group known as the
Cult of the Dead Cow produced a new version of the Back Orifice virus (BO2K). This
occurred at the annual DefCon conference (in a jab at Microsoft's DevCon) and evoked a
flood of messages from frightened users to antivirus vendors. In reality, the new version
posed little more harm than its predecessor and was promptly added to leading antivirus
vendors' databases. The distinguishing feature of BO2K was its drift towards legitimate
commercial remote administration utilities; the program was visible upon installation.
Despite this, it could still be used for illicit purposes and was classified by antivirus
companies as a Backdoor Trojan.

July saw the appearance of three exceptionally interesting viruses. Star was the first virus
designed for AutoCAD packages. Dilber was distinguished by the fact that it
contained code from five other viruses, including CIH, SK and Bolzano. Depending on
the date, Dilber activated the routines of one of its components, earning it the nickname
Shuttle Virus. The third interesting virus was an Internet worm called Jer, which
employed a relatively clumsy means of penetrating computers. Script programs (the
worm's body) were uploaded to a website and were automatically activated when the
corresponding HTML page was opened. After this, users received a warning that an
unidentified file had been found on the disc. It was a calculated risk assuming human
error: it was hoped that users would inadvertently answer 'yes' to be rid of the script
program. The appearance of this worm confirmed a new fashion in the spread of viruses
through the Internet. First, the worm is placed on a website, and then a mass marketing
campaign is conducted to attract users. The calculated risk paid off: for every thousand
users, a few dozen would let the virus in.

In August, the Liberty virus was discovered - the first harmful Trojan program to affect
the PalmOS operating system of the Palm Pilot. Upon installation, it deleted files but was
incapable of replicating. In September, this new class of harmful programs was extended
with the first true virus for PalmOS, Phage. It was a classic parasitic virus which, after
installing itself and infecting files, proceeded to delete them and write its own code in
their place.

At the beginning of September, a computer virus by the name of Stream was discovered
which was capable of manipulating the ADS (alternate data streams) of NTFS file systems.
This virus posed no particular threat. More dangerous was the technique of accessing ADS
itself, insofar as no antivirus program was capable of scanning this location.
Unfortunately, the virus provoked an inadequate reaction among some large antivirus
firms, which accused Kaspersky Lab of scaremongering. Despite the accusations, none of
the opponents were able to offer any concrete arguments confirming the position they put
forth regarding the safety of ADS in NTFS. The problem of antivirus protection for NTFS
remains to this day a vital issue, insofar as only a few antivirus scanners have learned to
search for viruses in ADS.
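An administrator does not have to wait for a scanner that understands ADS; the streams can be enumerated directly. The following PowerShell script is an added example, not code from the original text or from any antivirus vendor. It lists every NTFS stream other than the default unnamed data stream under a directory and flags those whose first two bytes are the "MZ" signature of a Windows executable. The directory path is a placeholder, and the script assumes Windows PowerShell 5.1 (`-Encoding Byte` was replaced by `-AsByteStream` in PowerShell 7).

```powershell
# Added example (not from the original text): enumerate non-default NTFS
# alternate data streams under a directory so hidden content can be reviewed.
# Assumes Windows PowerShell 5.1 on an NTFS volume; the path below is a placeholder.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is written by browsers on downloaded files and is
        # normally benign, so it is skipped unless this switch is set.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream: FileName, Stream, Length
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Returns $true when the named stream starts with the PE/DOS header "MZ".
function Test-StreamIsExecutable {
    param([string]$FileName, [string]$Stream)
    $head = Get-Content -LiteralPath $FileName -Stream $Stream -Encoding Byte `
                        -TotalCount 2 -ErrorAction SilentlyContinue
    return ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
}

# Usage: list the streams, then single out any that carry an executable image.
$streams = Find-AlternateDataStreams -Path 'C:\Users\Public'   # placeholder path
$streams | Format-Table -AutoSize
foreach ($s in $streams) {
    if (Test-StreamIsExecutable -FileName $s.FileName -Stream $s.Stream) {
        Write-Warning "Executable image hidden in $($s.FileName):$($s.Stream)"
    }
}
```

A flagged stream can be inspected with `Get-Content -Stream` and, once confirmed unwanted, removed with `Remove-Item -LiteralPath <file> -Stream <name>` without touching the host file's primary content. Note that copying a file to a non-NTFS volume (FAT, network shares on other file systems) silently drops all alternate streams, which is why backups and file-transfer tools are a common blind spot for this kind of content.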

October saw the appearance of the first virus for PIF files (Fable), and the first virus
written in PHP script-language (Pirus). Both viruses to this day have yet to be discovered
'in the wild'. At the same time, a scandal arose when Microsoft's internal systems were
hacked and left open for several months by a group of unknown hackers from St.
Petersburg. The entry was gained through a simple loophole using a network worm called
QAZ. What was curious about this incident was the fact that at the time the system hack
was discovered, the worm in question was already included in practically all antivirus
databases. This caused some misgivings about the competency of Microsoft personnel,
or, perhaps, their malicious intent. In any case, as of the writing of this book, the guilty
parties have yet to be located.

A notable event occurred in November. Kaspersky Labs, having become one of the
antivirus industry's major players in three short years, changed the name of its flagship
product. AntiViral Toolkit Pro (AVP) became Kaspersky Anti-Virus and took on a new
logo.

This same month brought the detection of a technologically complex and dangerous virus
called Hybris. This virus was written by the Brazilian virus writer Vecna. It was a further
development of his first self-updating virus, Babylonia, with the earlier errors taken into
account. The main innovation was the use of websites and newsgroups (alt.comp.virus in
particular) to deliver new modules of the virus to infected computers. While it was easy
to simply take a website down, newsgroups were an ideal alternative for distribution, as
they were far less easy to take down. Further, Hybris employed a 128-bit RSA key to
verify that modules had actually been written by the author.

As a whole, 2000 was the year that email again proved itself to be the best way to
transmit viruses. According to Kaspersky Labs' support statistics, approximately 85% of
all registered infections occurred via email. The year was also notable for a wave of
activity among virus creators targeting Linux. Altogether, there were 37 newly registered
viruses and Trojan programs created for the Linux operating system. As a result, the
overall number of Linux viruses reached 43, which represented a seven-fold growth in
2000 alone. Finally, a change in the most widespread viruses occurred. Up until this year,
macro viruses had been the most common, but once 2000 was over, this place was taken
by script viruses.

2001
2001 was a mixed bag: antivirus vendors took significant strides forward, but the number
of virus attacks rose nevertheless. The changeover from classic viruses to worms
continued as Internet use exploded. Virus writers demonstrated a definite preference for
malicious code that propagated by sending their files across local networks and the
Internet.

Significant outbreaks

Malicious programs that exploited vulnerabilities in applications and operating systems
caused serious epidemics in 2001: CodeRed, Nimda, Aliz and BadtransII. The large-scale
epidemics caused by these worms changed the face of computer security and set trends
for malware evolution for several years to come.

Endless variants of LoveLetter (aka ILoveYou), Magistr and SirCam also enlivened the
malware landscape, keeping users and antivirus vendors on their toes.

Vulnerabilities

A vulnerability is a hole in a legitimate application or operating system that can be
exploited by a virus writer: malicious code penetrates the system via such loopholes.

Viruses and worms that exploit vulnerabilities are particularly dangerous in that they are
installed and activated automatically regardless of user action. For instance, Nimda
penetrated computers even when the infected email was simply viewed through the
preview window in MS Outlook. CodeRed went a step further: it scanned the Internet for
vulnerable machines and infected them. According to Kaspersky Virus Lab statistics,
malware exploiting vulnerabilities made up almost 55% of all malware detected in 2001.
The interest displayed by virus writers in vulnerabilities was justified. Traditional
infection techniques used by classic file viruses, where the user initiated the infection
cycle, were no longer as effective as previously. Therefore, virus writers eagerly adopted
the new technique.

Email and the Internet - primary sources of new threats

Kaspersky Virus Lab statistics showed that virus attacks via email rose by 5% in 2001 in
comparison with 2000 and made up almost 90% of the total number of virus incidents in
2001.

2001 proved to be a watershed in the evolution of virus attacks via the Internet.
Previously, most Internet-related infections occurred when users downloaded and
executed files from untrustworthy web sites. In 2001 a new infection technique appeared:
users no longer needed to download files - a visit to an infected web site was enough.
Virus writers substituted infected pages for clean ones. Most users were infected by
malware that exploited vulnerabilities in MS IE. In some cases compromised sites offered
free programs that turned out to be malicious.

Attacks via non-Internet technologies

2001 was also the year that instant messaging services, such as ICQ and MS Instant
Messenger, were first used as channels for spreading malicious code. A spate of worm
infections turned these services into further traps for unwary users. The Internet worm
Mandragore attacked the Gnutella file-sharing network. And last but not least, 2001 saw
a proliferation of worms designed to propagate via IRC channels.

More attacks on Linux

A significant number of malicious programs targeting Linux appeared in 2001. Ramen
opened the season on January 19 and penetrated a large number of corporate networks
within days. Victims included NASA (USA), A&M University (USA) and hardware
vendor Supermicro (Taiwan).

The attacks swelled into an avalanche with Ramen clones and new Linux worms
appearing one after another. Most of these malicious programs exploited vulnerabilities
in the operating system. The rapid spread of these threats underlined the lack of
preparation by Linux developers, who had been sleeping peacefully, sure that Linux was
a completely secure environment. Many Linux users hadn't even bothered to install the
patches that were available for some of the exploited vulnerabilities and fell easy prey for
these worms.

Fileless worms - a new challenge

So-called fileless worms turned out to be one of the nastiest surprises of 2001. These
worms were able to self-replicate and function on infected machines without using files.
These worms exist only in RAM and spread as specially configured data packets.

This new technique gave antivirus experts some difficult moments. Traditional antivirus
scanners and monitors proved helpless against this new threat, since up to that time
antivirus engines had detected malicious programs during file operations. Kaspersky Lab
was the first to develop a new antivirus filter that scanned incoming data packets in
background mode and deleted fileless worms.

Worms for Windows increase

While classic viruses (predominantly macro and script viruses) visibly dominated
throughout 1999-2000, 2001 was the year of worms for Windows. By the fall, these
worms had caused about 90% of all registered virus infections.

The reasons for this trend were two-fold: on the one hand new technologies allowed virus
writers to create better worms, and on the other, antivirus vendors had developed
effective protection against macro and script viruses.

Virus hoaxes

Virus hoaxes were all the rage in 2001, with 10 new warnings about a dangerous new
virus registered by March. And nervous users, frightened by the large-scale outbreaks in
2000 scrambled to forward these warnings to friends and relatives. California IBM and
Girl Thing proved especially effective. A letter warning users about a new ILoveYou
outbreak scheduled for Valentine's day was also extremely effective.

Some of these hoaxes were so effective that copies of the messages were still circulating
around the Internet several years later.

2001 in review:

• Email and the Internet move to the fore as environments for new threats;
• Alternate channels such as ICQ, IRC, MSN Messenger and file-sharing networks
also gain prominence;
• Fileless worms appear on the scene;
• Worms for Windows make up the majority of new threats by mid-year, with
macro- and script-viruses losing ground significantly.

2002
There were 12 significant and 34 less serious virus outbreaks in 2002, along with
continuing activity caused by viruses from previous years. Virus writers actively
penetrated new platforms, applications and technologies.

2002 Highlights

Two new flash worms, LFM and Donut, appeared in January: both of these worms were
designed to spread in the .NET environment. Fortunately, both worms turned out to be
only proof of concept viruses and no infections were registered.

In May, we saw Spida, a worm that attacked SQL servers and Benjamin, a virus that
triggered a whole series of copycat malware targeted at the Kazaa file-sharing network.

Malware for Linux

The worm Slapper finally convinced all remaining skeptics that Linux users need to be
just as aware of security issues as users of all other operating systems. Slapper penetrated
thousands of machines running Linux within a few days. Users of FreeBSD also got a
timely reminder about security: a new worm called Scalper struck FreeBSD machines in
September, though the damage did not escalate to the proportions caused by Slapper.

Professional virus writers

This was the year professional writers got down to business: there was a significant
increase in malicious programs designed to commit financial fraud. These programs stole
passwords, confidential data, Internet access information and other data that allowed
virus writers to make money by using the harvested data.

Worms

Email worms, such as Klez and Lentin, had already been popular prior to 2002. However,
a new breed of email worms superseded the older versions: these new email worms
carried their own built-in SMTP engine and sent mail directly from the infected machine
instead of going through the installed email client.

This development grew out of increased security measures which prevented worms from
spreading via MS Outlook and other email clients. Email system developers integrated
either antivirus protection or special functionality preventing unauthorized mailings. As a
result, virus writers focused on worms that were able to avoid these measures.
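Because a worm with its own SMTP engine never touches the mail client, the safeguards built into the client cannot see it; what remains observable on the host is which process is talking to an SMTP port at all. The following PowerShell function is an added example, not code from the original text or from any vendor. It assumes Windows 8 / Server 2012 or later (the Get-NetTCPConnection cmdlet from the NetTCPIP module) and an allow-list of legitimate mail-client process names that is adjusted for the site; the names given are placeholders.

```powershell
# Added example (not from the original text): report processes that hold
# outbound connections to SMTP ports and are not on the mail-client allow-list.
# Assumes Windows 8 / Server 2012 or later; process names are placeholders.
function Get-UnexpectedSmtpConnections {
    param(
        # Process names expected to speak SMTP directly (case-insensitive match).
        [string[]]$AllowedProcesses = @('outlook', 'thunderbird'),
        # 25 = plain SMTP, 465 = SMTPS, 587 = submission
        [int[]]$SmtpPorts = @(25, 465, 587)
    )
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $SmtpPorts -contains $_.RemotePort } |
        ForEach-Object {
            # Map the owning PID back to a process so the binary can be identified.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessName   = $proc.Name
                Pid           = $_.OwningProcess
                Path          = $proc.Path
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
            }
        } |
        # A process that has already exited (no name) is reported too, since a
        # short-lived mailer is exactly what a worm's send loop looks like.
        Where-Object { $AllowedProcesses -notcontains $_.ProcessName }
}

# Usage: run periodically (e.g. from a scheduled task) and alert on any rows.
Get-UnexpectedSmtpConnections | Format-Table -AutoSize
```

The check is a snapshot, so it catches a worm only while a connection is open; scheduling it every few minutes, or feeding the same logic from Windows Filtering Platform connection audit events, gives continuous coverage. The matching preventive control is applied at the network edge rather than per host: allowing outbound TCP/25 only from the organisation's mail relay makes a worm's built-in SMTP engine useless regardless of which machine it lands on.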

Worms multiplying in other environments, such as LANs, P2P, IRC and so forth,
disappeared almost entirely in this year.

Klez
An Internet worm named Klez caused the most serious outbreak of the year. Klez was
first detected on 26 October 2001 and remained on the list of the most widespread malicious
programs for the next two years, a record in virusology that is yet to be broken. The
variants Klez.e and Klez.h were the most active. Altogether, by the end of 2002, 6 out of
10 registered infections were caused by Klez.

Though Klez caused the most serious outbreak during 2002, several other worms
provided some stiff competition: Lentin and Tanatos (aka Bugbear). In fact, Lentin
surpassed Klez in the number of incidents by the end of the year.

Vulnerabilities

The trend to exploit vulnerabilities, which first became significant in 2001, continued: virus
writers homed in on the IFRAME vulnerability in MS Internet Explorer to create worms
including Klez, Lentin and Tanatos. Together these worms accounted for 85% of all virus
incidents.

Classic viruses

Interestingly enough, macro viruses rose to the fore among classic viruses this year.
Macro viruses for MS Word, such as Thus, TheSecond, Marker and Flop, were the most
widespread. These viruses had first appeared in the late 1990s, but they resurfaced in
2002. The most likely reason is the increased number of Windows users who were sure
that macro viruses were a thing of the past: inconvenient security measures were
abandoned and the result was a second round of old viruses. Among Windows file viruses,
the majority of infections were caused by Elkern, CIH, FunLove and Spaces.

On the plus side, script viruses and other classic viruses almost disappeared in 2002.

Virus hoaxes

The upsurge in virus hoaxes that began in 2001 continued into 2002. Users worldwide
flooded each other with new and old hoaxes: JDBGMGR, Ace-?, SULFNBK, Virtual Card
for You, California IBM and Girl Thing.

2002 summary

By the end of the year, an interesting pattern emerged in the spread of malicious
programs. In previous years, the overwhelming majority of virus incidents were
connected to a small number of viruses, typically two or three. By September 2002, however,
this pattern was broken: more and more infections were caused by viruses which did not
make it into the top twenty.

Increased end-user awareness of security issues and willingness to adopt
precautionary measures undoubtedly played a role in this development. Correct protective
techniques implemented by end users led to a decrease in the number of incidents caused by
individual viruses.

And yet the overall number of infections did not decrease, meaning that the overall
number of malicious programs in the wild had grown. Even though no single virus
caused a significant outbreak, together they constituted an impressive volume.

2003
In 2003 two global Internet attacks took place that could be called the biggest in the
history of the Internet. The first was caused by the Internet worm Slammer, which used a
vulnerability in MS SQL Server to spread. Slammer was the first classic fileless worm, and
it fully demonstrated the capabilities of a flash worm, capabilities which had been
foreseen several years before.

On January 25th, 2003, within the space of a few minutes, the worm infected hundreds of
thousands of computers throughout the world, and increased network traffic to the point
where several national segments of the Internet crashed. Experts estimate that traffic
increased by 40% to 80% in a variety of networks. The worm attacked the SQL Server
Resolution Service on UDP port 1434 and, on penetrating a machine, did not copy itself to
disk but simply remained in memory. If we analyse the dynamics of the epidemic, we can
assert that the worm originated in the Far East.

The second, more important epidemic was caused by the Lovesan worm, which appeared
in August 2003. The worm demonstrated just how vulnerable Windows is. Just as
Slammer did, Lovesan exploited a vulnerability in a network service in order to replicate
itself. The difference was that Lovesan used a flaw in the RPC DCOM service of
Windows 2000/XP, so that almost every Internet user was attacked by the worm.

As for viruses penetrating new platforms and applications, the year was surprisingly
quiet. The only news was the discovery, in the wild, of MBP.Kynel, by Kaspersky Labs.
This virus infects MapInfo documents and is written in MapBasic. The MBP.Kynel virus
was undoubtedly written by a Russian.

2003 was the year of ceaseless epidemics caused by email worms. Ganda and Avron
were first detected in January. The former was written in Sweden and is still one of the
most widespread email worms in Scandinavia, despite the fact that the Swedish police
arrested the author of the worm at the end of March.

Avron was the first worm to be created in the former USSR capable of causing a
significant worldwide epidemic. The source code for the worm was published on the
Internet and this has led to the appearance of a number of less effective versions.

Another important event in 2003 was the appearance of the first Sobig worm in January.
Worms from this family all caused significant virus outbreaks but it was version 'f' which
broke all records, becoming the most widely distributed worm in network traffic in
Internet history. At the peak of the epidemic, Sobig.f, which was first detected in August,
could be found in every 20th email message. The virus writers who created the Sobig
family, were aiming to create a network of infected machines with the aim of conducting
DoS attacks on arbitrarily selected sites and also to use the network for spam attacks.

The Tanatos.b email worm was also a notable event in virusology. The first version of
Tanatos was written in the middle of 2002, but version 'b' appeared only a year later. The
worm exploited the well-known IFRAME loophole in MS Outlook to automatically
launch itself from infected messages. Tanatos caused one of the most significant email
epidemics of 2003, coming second to that caused by Sobig.f, which probably has the
record for the most machines infected by an email worm.

Worms from the Lentin family continued to appear. All these worms were written in
India by a local hacker group as part of the 'virtual war' between Indian and Pakistani
hackers. The most widespread versions were 'm' and 'o', where the virus replicated in the
form of a ZIP archive file attached to infected messages.

Russian writers remained active; the second worm from the former USSR to cause a
global epidemic was Mimail. The worm used the latest vulnerability in Internet
Explorer to activate itself: the flaw allowed binary code embedded in HTML files to be
extracted and executed. It was first used in Russia in May 2003
(Trojan.Win32.StartPage.l); following this, the vulnerability was used by the Mimail
family and several other Trojan programs. The authors of the Mimail worm published the
source code on the Internet, which led to the appearance of several new varieties of the
worm in November 2003, written by other virus writers.

September was the month of Swen. I-Worm.Swen, masquerading as a patch from
Microsoft, managed to infect several hundred thousand computers throughout the world
and to date remains one of the most widespread email worms. The author of the virus
exploited frightened users who were still nervous after the recent Lovesan and Sobig.f
epidemics.

A recent significant epidemic was caused by Sober, a relatively simple mail worm written
by a German author; it is an imitation of the year's leader, Sobig.f.

In 2002, the trend was towards an increase in the number of backdoor and spy Trojan
programs, and this continued in 2003. In this category, Backdoor.Agobot and Afcore were
most notable. There are now more than 40 varieties of Agobot in existence, since the
author of the original version created a network of websites and IRC channels where
anyone who wanted could, for a fee starting from $150, become the owner of an
'exclusive' version of the backdoor, built in accordance with the client's wishes.

Afcore is slightly less widespread. However, in order to mask its presence in the system,
it uses an unusual method: it stores itself in an NTFS alternate data stream attached to a
directory rather than to a file, a location that standard directory listings do not show.

A new and potentially dangerous trend was identified at the end of 2003: a new type of
Trojan, TrojanProxy. This was the first and clearest sign of virus writers and spammers
uniting. Spammers began using machines infected by such Trojan programs for mass
mailings. It is also clear that spammers participated in a number of epidemics, as
malicious programs were spread using spamming technology.

Internet worms constituted the second most active class of viruses in 2003, specifically
I-Worms which replicated by obtaining passwords to remote network resources. As a rule,
such worms are built on IRC clients and scan the addresses of IRC users. They then
attempt to penetrate computers by trying weak account passwords over NetBIOS and SMB
on port 445. One of the most notable viruses in this class was the Randon family of
Internet worms.
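Detection for the propagation pattern just described, as an added example that is not part of the original text: a worm of this class opens TCP 139/445 on many distinct hosts within seconds, whereas a legitimate client talks to a few file servers repeatedly. The script below counts distinct SMB destinations per source inside a sliding time window and flags sources that exceed a threshold. The log format, the addresses and every sample line are constructed for this example, and the window and threshold are assumptions to be tuned per network.

```python
"""Detect worm-style SMB scanning in connection logs.

Added example, not code from the original text. A worm hunting for weak
passwords over NetBIOS/SMB touches many different hosts on 139/445 in a
short time; a normal client reconnects to a handful of file servers.
The detector therefore counts *distinct* SMB destinations per source
within a sliding time window. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample log: "<ISO timestamp> <src> -> <dst>:<port> <flag>"
# 10.0.0.7 sweeps twelve hosts in eleven seconds (worm behaviour);
# 10.0.0.9 reopens one file server repeatedly (normal client behaviour).
SAMPLE_LOG = """\
2003-11-04T10:00:00 10.0.0.7 -> 10.0.1.1:445 SYN
2003-11-04T10:00:01 10.0.0.7 -> 10.0.1.2:445 SYN
2003-11-04T10:00:02 10.0.0.7 -> 10.0.1.3:445 SYN
2003-11-04T10:00:03 10.0.0.7 -> 10.0.1.4:445 SYN
2003-11-04T10:00:04 10.0.0.7 -> 10.0.1.5:445 SYN
2003-11-04T10:00:05 10.0.0.7 -> 10.0.1.6:445 SYN
2003-11-04T10:00:06 10.0.0.7 -> 10.0.1.7:139 SYN
2003-11-04T10:00:07 10.0.0.7 -> 10.0.1.8:445 SYN
2003-11-04T10:00:08 10.0.0.7 -> 10.0.1.9:445 SYN
2003-11-04T10:00:09 10.0.0.7 -> 10.0.1.10:445 SYN
2003-11-04T10:00:10 10.0.0.7 -> 10.0.1.11:445 SYN
2003-11-04T10:00:11 10.0.0.7 -> 10.0.1.12:445 SYN
2003-11-04T10:00:00 10.0.0.9 -> 10.0.1.50:445 SYN
2003-11-04T10:00:03 10.0.0.9 -> 10.0.1.50:445 SYN
2003-11-04T10:00:06 10.0.0.9 -> 10.0.1.50:445 SYN
2003-11-04T10:00:09 10.0.0.9 -> 10.0.1.50:445 SYN
2003-11-04T10:00:12 10.0.0.9 -> 10.0.1.50:445 SYN
2003-11-04T10:00:15 10.0.0.9 -> 10.0.1.51:80 SYN
2003-11-04T10:30:00 10.0.0.7 -> 10.0.1.60:445 SYN
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port, _flag = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: n} for sources that reached at least `threshold`
    distinct SMB destinations inside any window of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port in SMB_PORTS:  # non-SMB traffic is ignored
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs time order
        left = 0
        live = defaultdict(int)  # dst -> hits currently inside the window
        best = 0
        for ts, dst in evs:
            live[dst] += 1
            # evict events that fell out of the window
            while ts - evs[left][0] > window:
                old = evs[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB targets within 60s")
```

Only the count of distinct destinations matters, so a busy but legitimate client that keeps reconnecting to the same server is not flagged; the 10:30 connection from 10.0.0.7 falls outside the window and does not inflate the count.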

Throughout the year Internet worms remained the dominant type of malicious software.

Viruses, namely macro viruses such as Macro.Word97.Saver, came in second. However,
Trojan programs overtook viruses in the autumn, and this trend continues through today.

Where We've Been and Where We're Going
Worms - trendsetting in 2003

The trends in virusology that we observe today have their primary roots in the second
half of 2003. The Internet worms Lovesan, Sobig, Swen and Sober not only caused global
epidemics, but also profoundly changed the malware landscape. Each of these malicious
programs set new standards for virus writers.

Once a piece of malware which uses fundamentally new techniques to propagate or infect
victim machines appears, virus writers are quick to adopt the new approach. Today's new
threats all incorporate characteristics of Lovesan, Sobig, Swen or Sober. Therefore, in
order to understand what virus writers are doing currently, and to predict what the future
may bring, we need to examine this quartet of worms carefully.

Lovesan

Lovesan appeared in August 2003 and infected millions of computers worldwide in just a
few days. This Internet worm propagated by exploiting a critical vulnerability in MS
Windows. Lovesan spread directly via the Internet, moving from computer to computer and
ignoring methods such as IRC, P2P and email, which were popular at the time. The
Morris worm used this propagation method as early as 1988, and it took 15 years before a
virus writer turned it against Windows desktops on this scale.

To some extent, Lovesan was a copycat worm; by exploiting an MS Windows
vulnerability, it followed in Slammer's footsteps. However, although Slammer, which
struck in January 2003, infected approximately half a million computers, it did not
achieve the same infection rates as Lovesan.

Slammer was also the first classic file-less worm - certainly an achievement, in a perverse
way for the coder, since writing a viable file-less worm requires strong programming
skills. As a matter of fact, there has only been one other moderately 'successful' file-less
worm since Slammer - Witty, which made its appearance in March 2004.

Lovesan also started another trend: the inclusion of DoS attacks on corporate sites as part
of the worm's payload. Lovesan attacked Microsoft, and had the attack been successful,
millions of users worldwide would have been unable to download the patches they
needed to protect their machines from the worm. Fortunately, the DoS attack failed, but
Microsoft did re-engineer their web server architecture in response.

To summarize, Lovesan set the following trends:

• Exploiting critical vulnerabilities in MS Windows
• Propagation via the Internet through direct connections to victim machines
• Organising DoS and DDoS attacks on key websites

Sobig.f

Sobig.f followed hard on the heels of Lovesan in August 2003 and created the first
serious email worm outbreak of the twenty-first century. At the height of the epidemic
one out of 10 email messages was infected by Sobig. Email traffic increased ten fold and
included millions of messages from antivirus programs faithfully informing spoofed
senders about the detected and deleted malware.

Sobig.f did not exploit any vulnerabilities, and the message attributes (message subject
etc.) were also nothing out of the ordinary. However, Sobig's payload included a
backdoor function that left antivirus professionals waiting with bated breath for August
22, the date when all Sobig-controlled zombies were scheduled to receive a mystery
command. Fortunately, the server from which the command was to be issued was shut down
in time, but Sobig.f continues to plague the Internet community, remaining one of
the most common viruses worldwide.

Large-scale epidemics are not caused by classic worms released into the wild from a few
computers; such worms often take weeks or even months to reach a peak of activity.
Sobig.f was no exception to this rule: it exploited machines infected previously
by earlier versions. Sobig.a appeared in January 2003 and was followed by several
modifications, all of which conscientiously built a network of infected machines,
machine by machine. Once critical mass was reached, Sobig.f struck.

Sobig.f initiated the wave of large-scale email worm outbreaks seen in 2004, and this
wave will continue to break until some new technique is invented! Sobig brought two
innovative techniques to the world of malware:
• The creation of networks of infected machines to serve as epidemic platforms
• Mass mailing of malware using spammer techniques

Swen

Let's move on in time to September 18, 2003. Early in the morning, Kaspersky Lab
received a sample from New Zealand. The worm looked interesting, but nobody
anticipated an epidemic. However, 6 hours later cries for help from infected users
worldwide proved that a new and dangerous virus had joined the fray.

At first glance, Swen seemed to be yet another worm using standard propagation methods
- email, IRC and P2P networks. However, Swen stood out from the crowd for its
stunningly successful social engineering. The worm arrived disguised as a patch from
Microsoft which would supposedly secure all vulnerabilities. The message included
Microsoft logos, links to real Microsoft resources and a very convincing text. Recipients,
scared by the recent publicity about the Lovesan and Sobig outbreaks, and having
absorbed the lesson that patching is essential, obediently clicked on the link. The email
was so convincing that many experienced users were caught out, joining droves of less
informed users in launching the worm.

The resulting outbreak was certainly less serious than the ones caused by Lovesan and
Sobig (only 350 infected servers were used to spread Swen), however, Swen did prove
that social engineering works, and works very well indeed when properly implemented.

Sober

Sober is the final entrant in the list of interesting worms from 2003. Sober is a Sobig
copycat, but had some innovative features. Infected emails came in many languages, with
the language chosen according to the recipient's address. Sober also exploited social
engineering techniques by pretending to be a removal tool for Sobig.

2004

2004 has so far given us many new and original malicious programs. Some of these
incorporate last year's developments, but many new features and proof of concept viruses
demonstrate that the computer underground is still thriving and continuing to evolve.

January 2004

A new Trojan proxy, Mitglieder, appeared in the first week of the new year. Thousands
of ICQ users received a message inviting them to visit a specified site. Users who clicked
on the link then turned to antivirus vendors for help. The site contained a Trojan that used
a vulnerability in MS IE to install and launch a proxy server on the victim machine
without the user's knowledge. The proxy opened a port making it possible for a remote
user to send and receive email using the infected machine. Victim machines were
transformed into zombies spewing out spam. Virus writers quickly adopted the two new
techniques introduced in Mitglieder:

• Mass mailings of links to infected sites via email or ICQ
• Trojan proxies become a separate class of malware closely linked to spammers

Last but not least, Mitglieder also created a network of zombie machines - but the world
only found out about this when Bagle struck.

Bagle seems to have been written by the same group which authored Mitglieder. Bagle
also either installed a Trojan proxy server or downloaded it from the Internet. In any case,
the worm was simply an improved version of Mitglieder, with the ability to propagate by
email. Moreover, Bagle was sent from machines infected by Mitglieder.

And finally, the most serious virus epidemic in computer history to date: the worm
Mydoom.a. It propagated using a network of zombie machines infected in advance (like
Sobig), a clever bit of social engineering (like Swen), incorporated an effective backdoor
function and was programmed to conduct a DoS attack on a corporate site (like Lovesan).

This combination of features copied from three highly viable worms broke all records.
Mydoom.a created more email traffic than the recent leader Sobig.f, infected millions of
machines worldwide, opened ports to external access and effectively crashed the SCO
website.

Mydoom.a did more than build on the success of its predecessors in creating the most
severe epidemic in computer virology to date. The worm introduced a new technique as
well. The backdoor installed by Mydoom was exploited by other malware authors, with
new viruses that searched for the Mydoom backdoor component appearing immediately.
Most of these newcomers penetrated machines via the backdoor, deleted Mydoom and
installed themselves in place of Mydoom. Some of these copycats caused local outbreaks
and they all forced local segments of the Mydoom zombie network to work for the
copycat virus writers instead.

Thus, we saw yet another technique gain popularity:

• Using vulnerabilities or holes created by other viruses

February 2004

NetSky.b

This email worm used the network of infected machines left in the wake of
Backdoor.Agobot to spread. NetSky.b demonstrated most of the techniques listed above
but also deleted a number of worms: Mydoom, Bagle and Mimail. The idea of a so-called
'antivirus' virus is not new. The first significant example of this supposedly helpful
species, Welchia, appeared in 2003. Welchia not only penetrated computers to clean
machines infected by Lovesan, it also attempted to download the Windows patch that
closed the vulnerability exploited by Lovesan in the first place.

NetSky not only deleted competitor viruses, but engaged their authors in a war of words,
coding insults into the body of the virus. The writer of Mydoom did not take up the
challenge, but the authors of Bagle picked up the gauntlet and the virus war began. At the
peak of activity, three versions of each worm appeared in the space of one day.

Setting aside the issue of verbal warfare, the authors of Bagle and NetSky introduced
several innovations:

• Active deletion of competitor viruses
• Propagation in archived files (Bagle & NetSky variants)
• Propagation in password-protected compressed files: passwords were either
included as text strings or as graphics (Bagle)
• Abandoning propagation by email: instead, the malicious programs spread by
directing infected machines to sites where the worm's body was downloaded or
downloading the worm's body from previously infected machines (NetSky)
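A gateway-side check for the archived and password-protected attachments just listed, as an added example that is not code from the original text or from any antivirus product: it reads only the ZIP central directory, reports entries whose encryption flag is set or whose name ends in an executable extension, and returns a quarantine/deliver verdict. Because Python's zipfile module cannot write encrypted archives, the encrypted sample is produced by patching the flag bit of a plain archive; all archives, file names and the extension list are constructed assumptions for this example.

```python
"""Gateway check for worm-style ZIP attachments.

Added example, not code from the original text. Bagle and NetSky shipped
as ZIP archives, some password-protected so the body could not be scanned
at the gateway. This checker inspects the ZIP central directory without
decompressing anything, flags encrypted entries (general-purpose flag
bit 0) and executable file names, and returns a delivery verdict.
All sample archives below are constructed in code.
"""
import io
import struct
import zipfile

# Assumed policy list; a real gateway would carry a longer one.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag in ZIP headers


def inspect_zip(data):
    """Return [(name, encrypted, executable), ...] for every entry.

    Only the central directory is parsed; no entry is extracted, so an
    attacker-controlled archive cannot turn this into a decompression bomb.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            (info.filename,
             bool(info.flag_bits & ENCRYPTED_FLAG),
             info.filename.lower().endswith(EXECUTABLE_EXT))
            for info in zf.infolist()
        ]


def verdict(data):
    """'deliver' only if every entry is unencrypted and non-executable."""
    try:
        report = inspect_zip(data)
    except zipfile.BadZipFile:
        return "quarantine"  # malformed archive: do not pass it on unscanned
    if any(enc or exe for _name, enc, exe in report):
        return "quarantine"
    return "deliver"


# ---- constructed samples --------------------------------------------------
def build_zip(entries):
    """Build a plain (stored, unencrypted) in-memory ZIP from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the encryption bit in every local and central file header.

    Local header 'PK\\x03\\x04' keeps its flags at offset 6, central
    directory header 'PK\\x01\\x02' at offset 8 (little-endian u16).
    The payload is not really encrypted; only the header shape a
    gateway would see is reproduced.
    """
    buf = bytearray(data)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
            struct.pack_into("<H", buf, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


SAMPLES = {  # constructed attachments, names are illustrative only
    "benign": build_zip({"report.txt": "quarterly figures"}),
    "exe_inside": build_zip({"photo.jpg.exe": "MZ not really a program"}),
    "encrypted": mark_encrypted(build_zip({"readme.txt": "password is in the image"})),
    "garbage": b"this is not a zip file",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:11s} -> {verdict(blob)}")
```

The point of deciding on the central directory alone is that an encrypted entry cannot be scanned anyway, so the gateway's only sound options are to quarantine it or to ask the sender for the password out of band; the double extension check catches the "photo.jpg.exe" naming that these worms relied on.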

The incidents listed above have not only had a serious influence on virus writers, but also
on the evolution of the architecture and functionality of contemporary antivirus solutions.

The move to abandon emailing the body of the worm is particularly significant.
NetSky.q, a NetSky variant that spread by sending emails with links to previously
infected machines, was immediately followed by Bizex. Bizex was the first ICQ worm; it
penetrated machines via ICQ and sent all ICQ contacts found on newly infected machines
links to a site where the body of the worm was located. Once users clicked on the link,
the body of the worm would be downloaded from the infected web site and the cycle
started again. Bizex successfully combined characteristics of Mitglieder (propagation via
ICQ) and NetSky (sending links to infected web sites).

March - May 2004

Snapper and Wallon

These Internet worms consolidated the techniques introduced by NetSky and Bizex. Both
worms scanned email address books on infected machines and sent links to infected sites
to all contacts in the local address books. Virus writers placed script Trojans on infected
sites: these Trojans then exploited vulnerabilities in Internet Explorer to install the main
components on victim machines.

Even today, emails containing links are not treated by recipients with the appropriate
caution. The user who is suspicious of emails with attachments will nevertheless
cheerfully click on links supposedly sent by friends. Undoubtedly, this technique will
continue to be used until users learn to treat links sent via email with the same wariness
that they display towards email attachments. It seems likely that the continual discovery
of new vulnerabilities in Internet Explorer and Outlook will only add fuel to the fire.

Sasser

The final ground-breaking virus of 2004 to date was Sasser, which appeared in late April.
This Internet worm exploited a critical vulnerability in MS Windows, and spread in a
similar way to Lovesan, connecting directly to the victim machine via the Internet. Sasser
caused a serious outbreak in Europe and left behind an FTP-server vulnerability that was
immediately picked up by Dabber and Cycle. When Sven Jaschan, the teenage author of
Sasser, was arrested, he admitted to also being the author of the NetSky family.

The arrest of a virus writer so soon after the release of a new malicious program made
history.

Sasser was evidence that virus writers recycle and plagiarize successful techniques:
Jaschan used techniques exploited by Lovesan, and other virus writers in turn
immediately picked up on his ideas.

Plexus

Plexus made history by becoming the first worm since Nimda (2001) to use all available
propagation techniques: the Internet, email, P2P networks and LANs. Three years had
passed since any virus writer utilized so many resources simultaneously.

Plexus was potentially an extremely dangerous worm based on the Mydoom source code.
Here the virus writer followed in the footsteps of Sober's author. Parts of Sober were pure
plagiarism, resulting in a worm which was more successful than some of the malicious
program 'donors'.

Fortunately, no version of Plexus caused a serious outbreak, most likely because none of
them used spammer mass-mailing techniques for initial propagation. Nor did the author
of these worms use any effective social engineering techniques. However, should they or
somebody else choose to create new versions which correct these failings, the world may
be at risk of a serious outbreak.

Beyond worms

The worms described above caused the most publicized outbreaks in recent IT history.
However, other types of malware can pose a serious threat to computer and data security;
it is therefore important to evaluate the total picture, including non-Windows
environments, in order to gain a complete view of current trends.

Other Malware
Trojans

Trojans are often perceived as being less dangerous than worms, as they cannot replicate
or travel independently. However, this is a misconception: most of today's malware
combines several components, and many worms carry Trojans as part of their payload.
These Trojans also lay the foundations for bot networks.

Trojans themselves are becoming more sophisticated. Trojan spy programs are
proliferating, with dozens of new versions appearing every week. These versions are all
slightly different, but developed with one aim in mind: to steal confidential financial
information.

Some of these programs are simple key loggers, which send a record of keyboard activity
to the author or user of the program. The more elaborate versions offer complete control
over victim machines, sending data to remote servers and receiving and executing
commands.

Total control over victim machines is often the goal for Trojan writers. Infected machines
are usually joined into a bot network, often using IRC channels or web sites where the coder
posts new commands. The more complex Trojans, such as many Agobot variants, unite
all infected machines into a single P2P network.

Once bot networks have been created, they are rented out to spammers or used to conduct
DDoS attacks. The escalating commercialization of virus writing is leading to increased
sophistication in bot network creation.

Trojan droppers and downloaders

Both droppers and downloaders have one goal: to install an additional piece of malware,
be it a worm or another Trojan, on the victim machine. They differ from each other only in
the method they use to deliver it.

Droppers either install another malicious program or a new version of previously
installed malware. Droppers can carry several completely unrelated pieces of malware,
which may display different behaviours and may even be written by different authors. In
effect, a dropper acts as an archive that bundles many different kinds of malware.

Droppers are often used to carry known Trojans. This is because it is significantly easier
to write a dropper than a new Trojan, and to ensure that the dropper cannot be detected by
antivirus solutions. Most droppers are written in VBS and JS, which accounts for their
popularity; the languages themselves are relatively simple, with cross-platform
application.

Virus writers often use downloaders in the same way as droppers. However, downloaders
can be more useful than droppers. Firstly, downloaders are much smaller than droppers.
Secondly, they can be used to download endless new versions of the targeted malware.
Like droppers, downloaders are usually written in script languages such as VBS and JS,
but they also often exploit Internet Explorer vulnerabilities.

Moreover, both droppers and downloaders are used not only to install other Trojans, but
also other malicious programs such as adware and pornware.

Classic File Viruses

Classic file viruses reigned supreme in the 90s; however they have almost totally
disappeared today. There are currently about 10 file viruses that are still active. They
experience peaks of activity when they infect the executable files of worms: the file virus
will then travel as far as the infected worm file. For instance, we often see samples of
MyDoom, Netsky and Bagle that are infected by file viruses such as Funlove, Xorala,
Parite or Spaces.

On the whole, there is very little danger that classic file viruses will cause any major
epidemics. Even Rugrat, the first proof of concept virus for Win64, is unlikely to change
the situation in the foreseeable future.

Other Environments

Linux

To date Linux-based platforms have mainly been the victims of rootkit attacks and simple
file viruses. However, the growing number of publicized vulnerabilities means that the
increased number of users switching to Linux will not remain untouched by new
malware.

Handhelds

PDAs are now almost household appliances. Virus writers have not been slow to take
advantage of their growing popularity. The first Trojan for Palm OS appeared in
September 2000. The first proof of concept virus for Pocket PC, Duts, was slower to
arrive, finally appearing in July 2004. So far there have not been any serious virus
outbreaks in the world of handhelds, but it is only a question of time. Once virus writers
decide that information saved on handhelds is worth accessing, malware for these
devices will undoubtedly evolve rapidly.

Mobile Phones

Mobile phones have come a long way, and are now both complex and widely used. These
two factors are bound to attract the attention of virus writers, particularly with the advent
of smart phones, which effectively have computer functionality. The first proof of
concept virus for smartphones running Symbian OS appeared in June 2004. The only
missing factor is commercial use - once virus writers identify a way to make money by
exploiting cell phones, viruses will inevitably appear.

What to Do If Your Computer Is Infected

Sometimes even an experienced user will not realise that a computer is infected with a
virus. This is because viruses can hide among regular files, or camouflage themselves as
standard files. This section contains a detailed discussion of the symptoms of virus
infection, how to recover data after a virus attack and how to prevent data from being
corrupted by malware.

Symptoms of infection

There are a number of symptoms which indicate that your computer has been infected. If
you notice "strange things" happening to your computer, namely:

• unexpected messages or images are suddenly displayed
• unusual sounds or music played at random
• your CD-ROM drive mysteriously opens and closes
• programs suddenly start on your computer
• you receive notification from your firewall that some applications have attempted
to connect to the Internet, although you did not initiate this

then it is very likely that your computer has been infected by a virus.

Additionally, there are some typical symptoms which indicate that your computer has
been infected via email:

• your friends mention that they have received messages from your address which
you know you did not send
• your mailbox contains a lot of messages without a sender's e-mail address or
message header

These problems, however, may not be caused by viruses. For example, infected messages
that are supposedly coming from your address can actually be sent from a different
computer.

There is a range of secondary symptoms which indicate that your computer may be
infected:

• your computer freezes frequently or encounters errors
• your computer slows down when programs are started
• the operating system is unable to load
• files and folders have been deleted or their content has changed
• your hard drive is accessed too often (the light on your main unit flashes rapidly)
• Microsoft Internet Explorer freezes or functions erratically, e.g. you cannot close
the application window

90% of the time the symptoms listed above indicate a hardware or software problem.
Although such symptoms are unlikely to be caused by a virus, you should still use your
antivirus software to scan your computer fully.

What you should do if you notice symptoms of infection

If you notice that your computer is functioning erratically

1. Don't panic! This golden rule may prevent the loss of important data stored in
your computer and help you avoid unnecessary stress.
2. Disconnect your computer from the Internet.
3. If your computer is connected to a Local Area Network, disconnect it.
4. If the computer cannot boot from the hard drive (error at startup), try to start the
system in Safe Mode or from the Windows boot disk
5. Before taking any action, back up all critical data to an external drive (a floppy
disk, CD, flash memory, etc.).
6. Install antivirus software if you do not have it installed.
7. Download the latest updates for your antivirus database. If possible, do not use
the infected computer to download updates, but use a friend's computer, or a
computer at your office, an Internet cafe, etc. This is important because if you are
connected to the Internet, a virus can send important information to third parties
or may try to send itself to all email addresses in your address book. You may
also be able to obtain updates for your antivirus software on CD-ROM from the
software vendors or authorized dealers.
8. Perform a full system scan.

If no viruses are found during a scan

If no viruses are found during the scan and the symptoms that alarmed you have been
accounted for, you probably have no reason to worry. Check all hardware and software
installed in your computer. Download Windows patches using Windows Update. Uninstall
all unlicensed software from your computer and clean your hard drives of any junk files.

If viruses are found during a scan

A good antivirus solution will notify you if viruses are found during a scan, and offer
several options for dealing with infected objects.

In the vast majority of cases, personal computers are infected by worms, Trojan
programs, or viruses. In most cases, lost data can be successfully recovered.

1. A good antivirus solution will provide the option to disinfect for infected objects,
quarantine possibly infected objects and delete worms and Trojans. A report will
provide the names of the malicious software discovered on your computer.
2. In some cases, you may need a special utility to recover data that have been
corrupted. Visit your antivirus software vendor's site, and search for information
about the virus, Trojan or worm which has infected your computer. Download any
special utilities if these are available.
3. If your computer has been infected by viruses that exploit Microsoft Outlook
Express vulnerabilities, you can fully clean your computer by disinfecting all
infected objects, and then scanning and disinfecting the mail client's databases.
This ensures that the malicious programs cannot be reactivated when messages
which were infected prior to scanning are re-opened. You should also download
and install security patches for Microsoft Outlook Express.
4. Unfortunately, some viruses cannot be removed from infected objects. Some of
these viruses may corrupt information on your computer when infecting, and it
may not be possible to restore this information. If a virus cannot be removed from
a file, the file should be deleted.

If your computer has suffered a severe virus attack

Some viruses and Trojans can cause severe damage to your computer:

1. If you cannot boot from your hard drive (error at startup), try to boot from the
Windows rescue disk. If the system cannot recognize your hard drive, the virus
has damaged the disk partition table. In this case, try to recover the partition table
using scandisk, a standard Windows program. If this does not help, contact a
computer data recovery service. Your computer vendor should be able to provide
contact details for such services.

If you have a disk management utility installed, some of your logical drives may be
unavailable when you boot from the rescue disk. In this case, you should disinfect all
accessible drives, reboot from the system hard drive and disinfect the remaining logical
drives.

2. Recover corrupted files and applications using backup copies after you have
scanned the drive containing this data.

Diagnosing the problem using standard Windows tools

Although this is not recommended unless you are an experienced user, you may wish to:

• check the integrity of the file system on your hard drive (using the CHKDSK
program) and repair file system errors. If there are a large number of errors, you
must back up the most important files to removable storage media before fixing
the errors
• scan your computer after booting from the Windows rescue disk
• use other standard Windows tools, for example, the scandisk utility

For more details on using these utilities, refer to the Windows Help topics.

If nothing helps

If the symptoms described above persist even after you have scanned your computer, and
checked all installed hardware and software and your hard drive using Windows utilities,
you should send a message with a full description of the problem to your antivirus
vendor's technical support department.

Some antivirus software developers will analyse infected files submitted by users.

After you have eradicated the infection

Once you have eradicated the infection, scan all disks and removable storage media that
may be infected by the virus.

Make sure that you have appropriately configured antivirus software installed on your
computer.

Practice safe computing.

All of these measures will help prevent your computer getting infected in the future.

Virus Glossary

A
AdvWare, Adware, Antivirus updating, Archivers, Attack signature

B
Bit, Blended threat

C
Classic virus, Companion virus, Computer virus, Computer worm

D
DDoS attack, Disassemblers, DoS attack

E
Email worm, Encryption, EXE files, Executable files, Exploit

F
False positives, Firewall

I
Internet worm

K
Key

M
Maintenance pack, Malicious program

N
Network worm

P
Patching, PE EXE files, Personal Firewall, Phishing, Polymorphic viruses, POP3, Port, Post Office Protocol

R
Registry key

S
Service pack, SMTP, Social engineering, Spyware, Stealth virus, System registry, System registry key

T
TCP/IP port, Trojan horses, Trojans

U
Updating antivirus databases

V
Virus, Vulnerability

W
Windows registry, Worm

Spam - What exactly is it?

In order to combat spam effectively it is necessary to define exactly what spam is.

Most people believe that spam is unsolicited email. However, this definition is not
entirely correct and confuses some types of legitimate business correspondence with true
spam.

Spam is anonymous, unsolicited bulk email.

This is the description that is being used today in the USA and Europe as a basis for the
creation of anti-spam legislation. Let's take a closer look at each component of the
definition:

• Anonymous: real spam is sent with spoofed or harvested sender addresses to
conceal the actual sender.
• Mass mailing: real spam is sent in mass quantities. Spammers make money from
the small percentage of recipients that actually respond, so for spam to be cost-
effective, the initial mails have to be high-volume.
• Unsolicited: mailing lists, newsletters and other advertising materials that end
users have opted to receive may resemble spam but are actually legitimate mail.
In other words, the same piece of mail can be classed as both spam and legitimate
mail depending on whether or not the user elected to receive it.

It should be highlighted that the words 'advertising' and 'commercial' are not used to
define spam.

Many spam messages are neither advertising nor any type of commercial proposition. In
addition to offering goods and services, spam mailings can fall into the following
categories:

• Political messages
• Quasi-charity appeals
• Financial scams
• Chain letters
• Fake spam being used to spread malware

Unsolicited but legitimate messages

A legitimate commercial proposition, a charity appeal, an invitation addressed personally
to an existing recipient or a newsletter can certainly be defined as unsolicited mail, but
not as spam. Legitimate messages may also include delivery failure messages,
misdirected messages, messages from system administrators or even messages from old
friends who have previously not corresponded with the recipient by email. Unsolicited -
yes. Unwanted - not necessarily.

How to deal with spam

Because unsolicited correspondence may be of interest to the recipient, a quality
antispam solution should be able to distinguish between true spam (unsolicited, bulk
mailing) and unsolicited correspondence. This kind of mail should be flagged as 'possible
spam' so it can be reviewed or deleted at the recipient's convenience.

Companies should have a spam policy, with system administrators assessing the needs of
different departments. Access to different unsolicited mail folders should be given to
different user groups based on this assessment. For instance, the travel manager may well
want to read travel ads, whereas the HR department may wish to see all invitations to
seminars and training sessions.

Contemporary Spammer Technologies

Spammers use dedicated programs and technologies to generate and transmit the billions
of spam emails which are sent every day. This requires significant investment of both
time and money.

Spammer activity can be broken down into the following steps:

1. Collecting and verifying recipient addresses; sorting the addresses into target
groups
2. Creating platforms for mass mailing (servers and/or individual computers)
3. Writing mass mailing programs
4. Marketing spammer services
5. Developing texts for specific campaigns
6. Sending spam

Each step in the process is carried out independently of the others.

Creating address databases

Collecting and verifying addresses; creating address lists

The first step in running a spammer business is creating an email database. Entries do not
only consist of email addresses; each entry may contain additional information such as
geographical location, sphere of activity (for corporate entries) or interests (for personal
entries). A database may contain addresses from specific mail providers, such as Yandex,
Hotmail, AOL etc. or from on-line services such as PayPal or eBay.

There are a number of methods spammers typically use to collect addresses:

• Spoofing addresses using common combinations of words and numbers - john@,
destroyer@, alex-2@
• Spoofing addresses by analogy - if there is a verified joe.user@yahoo.com, then
it's reasonable to search for a joe.user@hotmail.com, @aol.com etc.
• Scanning public resources including web sites, forums, chat rooms, Whois
databases, Usenet News and so forth for word combinations (i.e.
word1@word2.word3, with word3 being a top-level domain such as .com or
.info)
• Stealing databases from web services, ISPs etc.
• Stealing users' personal data using Trojans

Topical databases are usually created using the third method, since public resources often
contain information about user preferences along with personal information such as
gender, age etc. Stolen databases from web services and ISPs may also include such
information, enabling spammers to further personalize and target their mailings.

Stealing personal data such as mail client address books is a recent innovation, but is
proving to be highly effective, as the majority of addresses will be active. Unfortunately,
recent virus epidemics have demonstrated that there are still a great many systems
without adequate antivirus protection; this method will continue to be successfully used
until the vast majority of systems have been adequately secured.

Address verification

Once email databases have been created, the addresses need to be verified before they
can be sold or used for mass mailing. Spammers send a variety of trial messages to check
that addresses are active and that email messages are being read.

1. Initial test mailing. A test message with a random text which is designed to evade
spam filters is sent to the entire address list. The mail server logs are analysed for
active and defunct addresses and the database is cleaned accordingly.
2. Once addresses have been verified, a second message is often sent to check
whether recipients are reading messages. For instance, the message may contain a
link to a picture on a designated web server. Once the message is opened, the
picture is downloaded automatically and the web site will log the address as
active. Most email clients no longer download pictures automatically, so this
method is on the wane.
3. A more successful method of verifying if an address is active is a social
engineering technique. Most end users know that they have the right to
unsubscribe from unsolicited and/or unwanted mailings. Spammers take
advantage of this by sending messages with an 'unsubscribe' button. Users click
on the unsubscribe link and a message purportedly unsubscribing the user is sent.
Instead, the spammer receives confirmation that the address in question is not
only valid but that the user is active.

However, none of these methods are foolproof and any spammer database will always
contain a large number of inactive addresses.

Creating platforms for mass mailing

Today's spammers use one of these three mass mailing methods:

1. Direct mailing from rented servers
2. Using open relays and open proxies - servers which have been poorly configured,
and are therefore freely accessible
3. Bot networks - networks of zombie machines infected with malware, usually a
Trojan, which allow spammers to use the infected machines as platforms for mass
mailings without the knowledge or consent of the owner.

Renting servers is problematic, since antispam organizations monitor mass mailings and
are quick to add servers to black lists. Most ISPs and antispam solutions use black lists as
one method to identify spam: this means that once a server has been blacklisted, it can no
longer be used by spammers.

Using open relay and open proxy servers is also time consuming and costly. First
spammers need to write and maintain robots that search the Internet for vulnerable
servers. Then the servers need to be penetrated. However, very often, after a few
successful mailings, these servers will also be detected and blacklisted.

As a result, today most spammers prefer to create or purchase bot networks. Professional
virus writers use a variety of methods to create and maintain these networks:

1. Exploiting vulnerabilities in Internet browsers, primarily MS Internet Explorer.
There are a number of vulnerabilities in browsers which make it possible to
penetrate a computer from a site being viewed by the machine's user. Virus
writers exploit such holes and write Trojans and other malware to penetrate victim
machines, giving malware owners full access to, and control over, these infected
machines.
For instance, porn sites and other frequently visited semi-legal sites are often
infested with such malicious programs. In 2004 a large number of sites running
under MS IIS were penetrated and infected with Trojans. These Trojans then
attacked the machines of users who believed that these sites were safe.
2. Using email worms and exploiting vulnerabilities in MS Windows services to
distribute and install Trojans:
a. Most recent virus outbreaks have been caused by blended threats, which
included installation of a backdoor on infected machines. In fact, nearly all
email worms have a Trojan payload.
b. MS Windows systems are inherently vulnerable, and hackers and virus
writers are always ready to exploit this. Independent tests have
demonstrated that a Windows XP system without either a firewall or
antivirus software is attacked within approximately 20 minutes of being
connected to the Internet.
3. Pirate software is also a favorite vehicle for spreading malicious code. Since these
programs are often spread via file-sharing networks, such as Kazaa, eDonkey and
others, the networks themselves are penetrated and even users who do not use
pirate software will be at risk.

Spammer Software

An average mass mailing contains about a million messages. The objective is to send the
maximum number of messages in the minimum possible time: there is a limited window
of opportunity before antispam vendors update signature databases to deflect the latest
types of spam.

Sending a large number of messages within a limited timeframe requires appropriate
technology. There are a number of resources developed and used by professional
spammers available. These programs need to be able to:

1. Send mail via a variety of channels including open relays and individual infected
machines.
2. Create dynamic texts.
3. Spoof legitimate message headers
4. Track the validity of an email address database.
5. Detect whether individual messages are delivered or not and to resend them from
alternate platforms if the original platform has been blacklisted.

These spammer applications are available as subscription services or as a stand-alone
application for a one-off fee.

Creating the message body

Today, antispam filters are sophisticated enough to instantly detect and block a large
number of identical messages. Spammers therefore now make sure that mass mailings
contain emails with almost identical content, with the texts being very slightly altered.
They have developed a range of methods to mask the similarity between messages in
each mailing:

• Inclusion of random text strings, words or invisible text. This may be as
simple as including a random string of words and/or characters or a real text from
a real source at either the beginning or the end of the message body. An HTML
message may contain invisible text - tiny fonts or text which is colored to match
the background.
All of these tricks interfere with the fuzzy matching and Bayesian filtering
methods used by antispam solutions. However, antispam developers have
responded by developing quotation scanners, detailed analysis of HTML encoding
and other techniques. In many cases spam filters simply detect that such tricks
have been used in a message and automatically flag it as spam.
• Graphical spam. Sending text in graphics format hindered automatic text
analysis for a period of time, though today a good antispam solution is able to
detect and analyze incoming graphics.
• Dynamic graphics. Spammers are now utilizing complicated graphics with extra
information to evade antispam filters.
• Dynamic texts. The same text is rewritten in numerous ways so that it is
necessary to compare a large number of samples before it will be possible to
identify a group of messages as spam. This means that antispam filters can only
be updated once most of the mailing has already reached its target.

A good spammer application will utilize all of the above methods, since different
potential victims use different antispam filters. Using a variety of techniques ensures that
a commercially viable number of messages will escape filtration and reach the intended
recipients.
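The padding and invisible-text tricks listed above, and the tracking-picture check from the address-verification section, are all things a filter can look for in the HTML itself. The following added example is written for this page and is not code from the original text or from any antispam product: it walks an HTML message with the standard-library html.parser and flags text rendered in a tiny font, in a colour that matches the background, or hidden by CSS, together with remotely hosted images, marking 1x1 ones as likely tracking pixels. The two sample messages, the 3px threshold, the named-colour table and the example.invalid host are constructed assumptions.

```python
"""Flag HTML e-mail tricks: hidden text and remote tracking images (added example)."""
import re
from html.parser import HTMLParser

TINY_FONT_PX = 3                                           # assumption: <= 3px is unreadable
NAMED_COLORS = {"white": "#ffffff", "black": "#000000"}    # minimal table, assumption
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}   # elements that have no end tag

def normalize_color(value):
    """Reduce 'White' or '#FFF' to the canonical six-digit '#ffffff' form."""
    v = value.strip().lower()
    v = NAMED_COLORS.get(v, v)
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    return "#" + "".join(ch * 2 for ch in m.group(1)) if m else v

def font_size_px(style):
    """Font size declared in a style attribute, in px (1pt = 4/3 px), or None."""
    m = re.search(r"font-size\s*:\s*([\d.]+)\s*(px|pt)?", style)
    if not m:
        return None
    size = float(m.group(1))
    return size * 4 / 3 if m.group(2) == "pt" else size

class SpamTrickScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.background = "#ffffff"  # assumption: white page unless <body> overrides it
        self._stack = []             # one set of hiding reasons per open element
        self.hidden_text = []        # (sorted reasons, text)
        self.visible_text = []
        self.remote_images = []      # (src, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower()
        if tag == "body":
            m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", style)
            if m or a.get("bgcolor"):
                self.background = normalize_color(m.group(1) if m else a["bgcolor"])
        if tag == "img":
            src = a.get("src", "")
            if src.lower().startswith(("http://", "https://")):
                pixel = (a.get("width", "").strip() in ("0", "1")
                         or a.get("height", "").strip() in ("0", "1"))
                self.remote_images.append((src, pixel))
        if tag in VOID_TAGS:
            return                   # no end tag will pop it, so do not push
        reasons = set(self._stack[-1]) if self._stack else set()   # inherit parent's
        size = font_size_px(style)
        if size is not None and size <= TINY_FONT_PX:
            reasons.add("tiny-font")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            reasons.add("css-hidden")
        color = a.get("color") if tag == "font" else None
        m = re.search(r"(?<![\w-])color\s*:\s*([^;]+)", style)  # skips background-color
        if m:
            color = m.group(1)
        if color and normalize_color(color) == self.background:
            reasons.add("color-matches-background")
        self._stack.append(reasons)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        reasons = self._stack[-1] if self._stack else set()
        if reasons:
            self.hidden_text.append((sorted(reasons), text))
        else:
            self.visible_text.append(text)

def scan_html_mail(html):
    """Run the scanner over one message and summarise what it found."""
    s = SpamTrickScanner()
    s.feed(html)
    s.close()
    return {
        "hidden_text": s.hidden_text,
        "visible_text": s.visible_text,
        "remote_images": [src for src, _ in s.remote_images],
        "tracking_pixels": [src for src, pixel in s.remote_images if pixel],
        "suspicious": bool(s.hidden_text) or any(p for _, p in s.remote_images),
    }

# Constructed sample (not real spam); example.invalid is a reserved test domain.
SPAM_SAMPLE = """<html><body bgcolor="#FFFFFF">
<p>Lose weight fast! Visit our site today.</p>
<p style="font-size:1px">quarterly ledger mentioned the harbour committee report</p>
<span style="color:#fff">random words to upset statistical filters</span>
<img src="http://example.invalid/t.gif?id=abc123" width="1" height="1">
<img src="http://example.invalid/logo.png" width="200" height="50">
</body></html>"""
```

Calling scan_html_mail(SPAM_SAMPLE) reports two hidden runs of text (one tiny-font, one colour-matched) and one tracking pixel, while a plain message with no styling and no remote images comes back with suspicious set to False. The scanner deliberately keeps the hidden runs rather than discarding them, so a downstream filter can also treat their presence, as the text above notes many do, as a reason on its own to flag the message.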

Marketing spammer services

Strangely enough, spammers advertise their services using spam. In fact, the advertising
which spammers use to promote their services is a separate category of spam. Spammer-
related spam also includes advertisements for spammer applications, bot networks and
email address databases.

The structure of a spammer business

The steps listed above require a team of different specialists or outsourcing certain tasks.
The spammers themselves, i.e. the people who run the business and collect money from
clients, usually purchase or rent the applications and services they need to conduct mass
mailings.

Spammers are divided into professional programmers and virus writers who develop and
implement the software needed to send spam, and amateurs who may not be
programmers or IT people, but simply want to make some easy money.

Future Trends

The spam market today is valued at approximately several hundred million dollars
annually. How is this figure reached? Divide the number of messages detected every day
by the number of messages in a standard mailing. Multiply the result by the average cost
of a standard mailing: 30 billion (messages) divided by 1 million (messages) multiplied
US $100 multiplied by 365 (days) gives us an estimated annual turnover of $1095
million.

Such a lucrative market encourages full-scale companies which run the entire business
cycle in-house in a professional and cost-effective manner. There are also legal issues:
collecting personal data and sending unsolicited correspondence is currently illegal in
most countries of the world. However, the money is good enough to attract the interest of
people who are willing to take risks and potentially make a fat profit.

The spam industry is therefore likely to follow in the footsteps of other illegal activities:
go underground and engage in a prolonged cyclic battle with law enforcement agencies.

The Evolution of Spam

In the beginning

Spam (unsolicited bulk advertising via email) made its first appearance in the mid 1990s,
i.e. as soon as enough people were using email to make this a cost-effective form of
advertising. By 1997, spam was regarded as being a problem, and the first Real-Time
Black List (RBL) appeared in the same year.

Spammer techniques have evolved in response to the appearance of more and better
filters. As soon as security firms develop effective filters, spammers change their tactics
to avoid the new spam blockers. And this leads to a vicious circle, with spammers re-
investing profits into developing new techniques to evade new spam filters. The situation
is spiralling out of control.

The development of spammer techniques

Direct mailing

Initially, spam was sent directly to users. In fact, spammers didn't even need to disguise
the sender information. This early spam was easy enough to block: if you black listed
specific sender or IP addresses, you were safe. In response, spammers began spoofing
sender addresses and forging other technical information.

Open Relay

In the mid-1990s all email servers were open relay - any sender could send an email to
any recipient. Spam and other security issues led administrators to start reconfiguring
mail servers worldwide. However, the process was relatively slow, and not all mail server
owners and administrators were willing to cooperate. Once the process was well
underway, security analysts began scanning for the remaining open relay mail servers.
These DNS RBLs were made available, making it possible for security-conscious
administrators to block incoming mail from listed servers. However, open relay servers
are still used for mass mailing.

Modem Pool

As soon as sending spam via open relay became less efficient, spammers began to use
dial up connections. They exploited the way in which ISP providers structured dial up
services and utilized weaknesses in the system:

• As a rule, ISP mail servers forward incoming mail from clients.
• Dial-up connections are supported by dynamic IP addresses. Spammers can
therefore use a new IP address for every mailing session.

In answer to spammer exploitation, ISP providers began to limit the number of emails a
user could send in any one session. Lists of suspect dial-up addresses and filters which
blocked mail from these addresses appeared on the Internet.

Proxy servers

The new century saw spammers switching to high-speed Internet connections and
exploiting hardware vulnerabilities. Cable and ADSL connections allowed spammers to
send mass mailing cheaply and quickly. In addition, spammers rapidly discovered that
many ADSL modems had built-in SOCKS servers or HTTP proxy servers. Both are simply
utilities that divide an Internet channel between multiple computers. The important feature
was that anybody from anywhere in the world could access these servers since they had
no protection at all. In other words, malicious users could use other people's ADSL
connections to do whatever they pleased, including, naturally, sending spam. Moreover,
the spam would look as if it had been sent from the victim's IP address. Since millions of
people worldwide had these connections, spammers had a field day until hardware
manufacturers began securing their equipment.

Zombie or bot networks

In 2003 and 2004 spammers sent the majority of mailing from machines belonging to
unsuspecting users. Spammers use malware to install Trojans on users' machines, leaving
them open to remote use. Methods used to penetrate victim machines include:

• Trojan droppers and downloaders injected into pirate software which is
distributed via file sharing P2P networks (Kazaa, eDonkey etc.).
• Exploiting vulnerabilities in MS Windows and popular applications such as IE &
Outlook.
• Email worms

Anyone who has the client part of a program which controls the Trojan that has infected a
victim machine controls the machine or network of victim machines. The resulting
networks are called bot networks, and are sold and traded among spammers.

Analysts estimate that Trojans are installed on millions of machines worldwide. Modern
Trojans are sophisticated enough to download new versions of themselves, download and
execute commands from specified websites or IRC channels, send out spam, conduct
DDoS attacks and much more.

The development of spam content

Content Analysis

Many spam filters work by analysing the content of a message: the message subject,
body, and attachments. Spammers today expend significant resources on developing
content which will evade content filters.

Simple text and HTML

Originally, spam was simple: identical messages were sent to everyone on a mailing list.
These emails were laughably easy to filter out due to the quantity of identical texts.

Personalised mail

Spammers then began to include a greeting based on the recipient's address. Since every
message now contained a personalised greeting, filters which blocked identical messages
did not detect this type of spam. Security experts developed filters that identified
unchanging lines, which would then be added to filtration rules. They also developed
fuzzy signature matching, which would detect text which only had minor changes, and
statistic based self-modifying filtration technologies such as Bayesian filters.
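The paragraph above describes the shift a filter had to make: an exact-match rule is defeated once every copy carries its own greeting, while fuzzy signature matching and rules built from the unchanging lines still catch the mailing. The following added example is written for this page and is not code from the original text or from any antispam product; it implements both ideas in Python: a word-shingle Jaccard similarity between two messages, and extraction of the lines that every sample of a mailing shares. The sample messages, the 3-word shingle size and the 0.6 near-duplicate threshold are constructed assumptions, and Bayesian filtering is not covered here.

```python
"""Near-duplicate detection for personalised spam (added example, not from the text)."""
import re

SHINGLE_SIZE = 3        # assumption: compare 3-word windows
NEAR_DUPLICATE = 0.6    # assumption: Jaccard score at or above this means "same mailing"

def tokens(text):
    """Lower-cased word tokens; keeps digits and the $/% signs common in spam."""
    return re.findall(r"[a-z0-9$%]+", text.lower())

def shingles(text, k=SHINGLE_SIZE):
    """Set of k-word windows; a text shorter than k words yields its whole token tuple."""
    t = tokens(text)
    if len(t) < k:
        return {tuple(t)} if t else set()
    return {tuple(t[i:i + k]) for i in range(len(t) - k + 1)}

def similarity(a, b, k=SHINGLE_SIZE):
    """Jaccard similarity of the two messages' shingle sets, from 0.0 to 1.0."""
    sa, sb = shingles(a, k), shingles(b, k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def invariant_lines(messages):
    """Whitespace-normalised lines that occur in every sample: rule material for a filter."""
    line_sets = [{" ".join(l.split()) for l in m.splitlines() if l.strip()} for m in messages]
    return sorted(set.intersection(*line_sets)) if line_sets else []

def classify(message, known, threshold=NEAR_DUPLICATE):
    """'exact' if seen verbatim, 'near' if fuzzy-similar to a known sample, else 'unique'."""
    if message in known:
        return "exact"
    if any(similarity(message, k) >= threshold for k in known):
        return "near"
    return "unique"

# Constructed samples: one template body with a different greeting per recipient.
BODY = ("The most powerful weightloss is now available without prescription.\n"
        "Order today and lose up to 19% total body weight.\n"
        "Visit {LINK}")
SAMPLES = [f"Dear {name},\n{BODY}" for name in ("john", "alex-2", "destroyer")]
NEW_SPAM = f"Dear joe.user,\n{BODY}"        # same mailing, a recipient not yet seen
LEGIT = "Hi Bob,\nCan we move the meeting to Thursday afternoon?\nThanks"
```

With these inputs, classify(NEW_SPAM, SAMPLES) returns "near" even though no sample matches it verbatim, the legitimate note comes back "unique", and invariant_lines(SAMPLES) returns exactly the three body lines with the per-recipient greeting dropped. Shingling is a simplification of the fuzzy signatures in production filters, but it shows why a one-word change per copy no longer hides a mailing.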

Random text strings and invisible text

Spammers now often place either text strings from legitimate business emails, or random
text strings at the beginning or end of emails in order to evade content filters. Another
method used to evade filters is to include invisible text in HTML-format emails: the text
is either too tiny to see or the font color matches the background.

Both methods are fairly successful against content and statistical filters. Analysts
responded by developing search engines that scanned emails for such typical texts, which
also conducted detailed HTML analysis and sophisticated content analysis. Many
antispam solutions were able to detect such tricks without even analysing the content of
individual emails in detail.

Graphics

Sending spam in graphics format makes it very hard to detect. Analysts are developing
methods for extracting and analyzing text contained in graphics files.

Paraphrasing texts

A single advertisement can be endlessly rephrased, making each individual message
appear to be a legitimate email. As a result, antispam filters have to be configured using a
large number of samples before such messages can be detected as spam.

Summary

Currently, spammers usually use the last three methods in a variety of combinations.
Many antispam solutions are incapable of detecting all three. As long as spamming
remains profitable, users with poor-quality antispam software will continue to find their
mailboxes clogged with advertising.

Types of Spam

Today spam is a household word, since 70-80% of all email traffic is spam. Although
spam written in English is the most common, it comes in all languages including Chinese,
Korean and other Asian languages. In most cases spam is advertising, and experience
shows that spammers have targeted specific goods and services to promote. Some goods
are chosen because a computer user is likely to be interested, but most are grey or black
market goods. In other words, spam is usually illegal not only because of the means used
to advertise the goods, but also because the goods and services being offered are illegal in
themselves.

Other mass mailings are outright fraud, such as the notorious 419 messages which offer
the recipients a share of funds which allegedly cannot be accessed by the sender for
political reasons, in return for the recipient's help in legalizing these funds. The recipient
is asked to provide bank account details; of course, if the recipient provides these details,
the bank account will be emptied without their consent. This type of spam is usually
called a 'scam'.

The commonest types of spam

Spam worldwide tends to advertise a certain range of goods and services irrespective of
language and geography. Additionally, spam reflects seasonal changes, with
advertisements for Christmas items and car heaters being replaced by air conditioner
advertising in summer.

However, when averaged out over the course of the year, 50% of spam falls into the
following categories:

• Adult content
• Health
• IT
• Personal finance
• Education/training

Adult content

This category of spam includes offers for products designed to increase or enhance sexual
potency, links to porn sites or advertisements for pornography etc. Examples (we include
basic texts but no graphics for ethical reasons):

Subject: very cheap erection tool :-)

Good day!
We would like to offer cheapest Viagra in the world!

You can get it at:
{LINK}

Sincerely,
Liza Stokes

Subject: i think you're gonna like watching me get off :-)

Hi...im Brooke..and I just got a webcam...lets have a little chat.. while
you watch me get dirty .. haha;-)
{LINK}

Health and Medicine

This category includes advertisements for weight loss, skin care, posture improvement,
cures for baldness, dietary supplements, non-traditional medication etc. which can all be
bought on-line.

Examples:

Subject: Lose up to 19% weight. A new weightloss is here.

Hello, I have a special offer for you...

WANT TO LOSE WEIGHT?

The most powerful weightloss is now available
without prescription. All natural Adipren720
100% Money Back Guarantée!

- Lose up to 19% Total Body Weight.
- Up to 300% more Weight Loss while dieting.
- Loss of 20-35% abdominal Fat.
- Reduction of 40-70% overall Fat under skin.
- Increase metabolic rate by 76.9% without Exercise.
- Burns calorized fat.
- Suppresses appetite for sugar.
- Boost your Confidence level and Self Esteem.

Get the facts about all-natural Adipren720: {LINK}

Subject: Legal Low prices for Valium (Diazepam) (Caffeine FREE)

Rx Shopping Service Brings You our Newest Product:

Your personal shopping service that legally provides
Over the Counter (OTC) approved drugs from Canada and
around the world.

Order Valium (Diazepam) and it will be
guaranteed Delivery within 7 DAYS!

Do not miss out *Limited Quantity!

Visit Here: {LINK}

IT

This category includes offers for low-priced hardware and software as well as services
for web site owners such as hosting, domain registration, web site optimization and so
forth.

Examples:

Subject: Huge savings on OEM Software. All brand names available now stewardess

Looking for not expensive high-quality software?
We might have just what you need.

Windows XP Professional 2002 ............. $50
Adobe Photoshop 7.0 ...................... $60
Microsoft Office XP Professional 2002 .... $60
Corel Draw Graphics Suite 11 ............. $60

and lots more...

Personal finance

Spam which falls into this category offers insurance, debt reduction services, loans with
low interest rates etc.

Examples:

Subject: Lenders Compete--You Win

Reduce your mortgage payments

Interest Rates are Going Up!

Give Your Family The Financial Freedom They Deserve

Refinance Today & SAVE

*Quick & EASY
*CONFIDENTIAL
*100's Of Lenders
*100% FREE
*Get The Lowest Rate

Apply Today! {LINK}

All credit will be accepted

To clear your name from our database please {LINK} or use one of the options below.
Thank You

Call 1-800-279-7310
Or please mail us at:
1700 E. Elliot Rd. STE3-C4
Tempe, AZ. 85283

Education

This category includes offers for seminars, training, and on-line degrees.

Examples:

Subject: get a degree from home, Mas#ters, Bachelors or PHD

Call {Phone Num.} to inquire about our degree programs.

Whether you are seeking a Bachelors, Masters, Ph.D. or MBA

We can provide you with the fully verifiable credentials to get your
career BACK ON TRACK!

No testing or coursework required Call: {Phone Num.}

we are sorry if you did not want to receive this mail.

To be removed from our list please call {Phone Num.}

Some new trends in spam content

Spammers are constantly seeking to enter new markets and develop new techniques.
Some areas are evolving rapidly and should be monitored closely.

Political spam

This category includes mudslinging or political threats from extremists and possible
terrorists. Though these are merely nuisance messages to end users, security and law
enforcement officials need to be aware of such mailings, since they can provide clues to
genuine potential threats, or be actual communication between terrorists.

Antispam solutions

Spammers advertise supposed antispam solutions in an effort to cash in on the negative
publicity generated by spam itself. However, such offers often lead the user to sites where
a Trojan will be downloaded to the victim machine, which will then be used for future
mass mailings.

Example:

Subject: Join the thousands who are now sp@m-free

FORGET SPAM BLOCKERS!

Get SMART Spam Control That Always Delivers The Email You
Want!

Finally, we discovered the ultimate solution that is guaranteed to stop all spam
without losing any of your important email! This revolutionary advanced technology
also protects you 100% against ALL email-borne viruses - both known and unknown.

We didn't believe it either until we actually tried it. So you be the judge
and see for yourself.

{LINK}

Spam, viruses and junk email

Today, most people class all unsolicited email as spam, including automatic replies,
emails containing viruses and unsolicited, but legitimate business propositions.
Classifying all such emails as spam is broadly correct, but it must be highlighted that
some categories of spam are more dangerous than others.

In particular, the alliance developing between virus writers and spammers is worrisome.
The first half of 2004 brought several virus epidemics where viruses were circulated
using spammer techniques. These outbreaks were classic examples of how botnets can be
created by virus writers, and then sold to spammers for use in future mass mailings.

Ten Ways to Avoid Spam


1. Maintain at least two email addresses. You should use your private address only for
personal correspondence. The public address should be the one you use to register on
public forums, in chat rooms, to subscribe to mailing lists etc.

2. Never publish your private address on publicly accessible resources.

3. Your private address should be difficult to guess. Spammers use combinations of
obvious names, words and numbers to build possible addresses. Your private address
should not simply be your first and last name. Be creative and personalize your email
address.

4. If you have to publish your private address electronically, mask it to avoid having it
harvested by spammers. Joe.Smith@yahoo.com is easy to harvest, as is Joe.Smith at
yahoo.com. Try writing Joe-dot-Smith-at-yahoo-dot-com instead. If you need to publish
your private address on a web-site, do this as a graphics file rather than as a link.

5. Treat your public address as a temporary one. Chances are high that spammers will
harvest your public address fairly quickly. Don't be afraid to change it often.

6. Always use your public address to register in forums, chat rooms and to subscribe to
mailing lists and promotions. You might even consider using a number of public
addresses in order to trace which services are selling addresses to spammers.

7. Never respond to spam. Most spammers verify receipt and log responses. The more
you respond, the more spam you will receive.

8. Do not click on unsubscribe links from questionable sources. Spammers send fake
unsubscribe letters in an attempt to collect active addresses. You certainly don't want to
have your address tagged as active, do you? It will just increase the amount of spam you
receive.

9. If your private address is discovered by spammers - change it. This can be
inconvenient, but changing your email address does help you avoid spam - at least for a
while!

10. Make sure that your mail is filtered by an antispam solution. Consider installing a
personal antispam solution. Only open email accounts with providers who offer spam
filtration prior to mail delivery.

Virus Top Twenty for June 2005


Jul 04 2005 17:22

Alexander Gostev
Senior Virus Analyst, Kaspersky Lab
Position   Change in position   Name                          Percentage
1.         0                    Net-Worm.Win32.Mytob.c        19.55
2.         0                    Email-Worm.Win32.NetSky.q     11.50
3.         +6                   Email-Worm.Win32.Zafi.d       5.33
4.         New                  Net-Worm.Win32.Mytob.be       4.68
5.         -2                   Email-Worm.Win32.NetSky.aa    4.60
6.         New                  Net-Worm.Win32.Mytob.bk       4.02
7.         -1                   Email-Worm.Win32.LovGate.w    3.66
8.         -4                   Email-Worm.Win32.NetSky.b     3.31
9.         -4                   Email-Worm.Win32.Zafi.b       3.25
10.        +8                   Net-Worm.Win32.Mytob.ar       2.97
11.        -1                   Net-Worm.Win32.Mytob.q        2.67
12.        -3                   Net-Worm.Win32.Mytob.u        2.49
13.        New                  Net-Worm.Win32.Mytob.bf       2.04
14.        +2                   Net-Worm.Win32.Mytob.au       2.04
15.        -3                   Net-Worm.Win32.Mytob.h        1.87
16.        -3                   Net-Worm.Win32.Mytob.t        1.85
17.        -6                   Email-Worm.Win32.Mydoom.l     1.55
18.        New                  Net-Worm.Win32.Mytob.bi       1.48
19.        New                  Net-Worm.Win32.Mytob.ba       1.47
20.        New                  Net-Worm.Win32.Mytob.bd       1.39
           Other malicious programs                           18.28

Mytob. Mytob was flavor of the month in June. We had Mytob with worm and bot
capabilities, Mytob without bot capabilities, Mytob packed with one, two or three packers
and so forth. In short, Mytob variants dominated email traffic this month.

Mytob.c maintained the leading position it occupied in both April and May making
NetSky.q, the worm which occupied first place the longest in 2004, unlikely to regain
first place. Interestingly, both worms have lost points in terms of overall percentage of
traffic: the losses are directly in proportion to the increase in the percentage of other
malicious programs.

The endless Mytobs left so little space for other worms that all 6 newcomers to the
ratings are members of this prolific family. Some of these new worms are simple worms,
without botnet capability. This is a change from the recent trend where virus writers
include botnet capability in most new worms.

Surprisingly, Zafi.d jumped from ninth to third place - the second largest increase in
June. This unexpected surge does not fit into the general pattern of Mytob domination.
On the other hand, Mytob.be, a new variant which took fourth place is entirely explicable
given the plethora of Mytobs this month.

Lovgate - the worm that refuses to die - has been in the top ten for over a year. This is
mostly due to a high rate of Lovgate infections in China, where many users lack adequate
anti-virus protection. Mytob also has connections to Asia: it's reasonable, therefore, to
assume that we will be seeing Mytobs in the ratings for many months to come.

Other facts worth noting in the June Top Twenty include Mytob.ar soaring from 18th
place to 10th, and the complete disappearance of Bagle and Sober. The last Mydoom
remaining in the ratings fell to 17th place, leading us to predict that Mydoom will follow
Bagle and Sober into oblivion. This leaves only NetSky to represent the most dangerous
worms from 2004 in the July ratings.

The share of malware detected in email traffic that did not make it into the Top Twenty
has been increasing steadily all year: from 6.68% in January to 18.28% in June. This is
partially due to the fact that malware writers are using individualized worms and Trojans
to target specific user groups instead of relying mostly on mass mailings to infect random
users.

Summary:

New         Mytob.be, Mytob.bk, Mytob.bf, Mytob.bi, Mytob.ba, Mytob.bd
Moved up    Zafi.d, Mytob.ar, Mytob.au
Moved down  Netsky.aa, LovGate.w, Netsky.b, Zafi.b, Mytob.q, Mytob.u, Mytob.h, Mytob.t,
            Mydoom.l
No change   Mytob.c, NetSky.q

Malware Evolution: May Roundup


Jun 07 2005 16:38

Pavel Zelensky
Virus Analyst, Kaspersky Lab

A number of families of malicious programs became noticeably more active last month.
Net-Worm.Win32.Mytob was one of these, and in May it started to present a serious
challenge to Email-Worm.Win32.Mydoom. It may be that in the near future Mytob,
which is a direct descendant of Mydoom (with added functionality), will become more
prevalent than Mydoom. This is because Mytob's extended functionality makes it capable
of propagating via networks. It also contains an IRC backdoor, and some versions of
Mytob are capable of propagating via IM networks: these versions include a separate
module which is effectively a clone of IM-Worm.Win32.Kelvir. This is installed
separately on the victim machine by the main executable file of the malicious program. It
should be noted that in addition to its extended functionality, the life-cycle of Mytob is
also changing. In contrast to the most recent, short-lived email worms, Mytob is designed
to be active for longer, similar to the first versions of Mydoom, NetSky, Zafi and Bagle.
All the modifications listed above, together with the new versions which are regularly
released and recompiled, make the worm highly prevalent.

The next worm on the list worth examining is Eyeveg, for a variety of reasons. In May,
after nearly six months in hibernation, Eyeveg became extremely active again. The first
three versions of this worm were detected in 2003 (the last one on the 14th October), with
another two being detected in 2004. And then, this month, Eyeveg.f, Eyeveg.g and
Eyeveg.h appeared, with approximately a week's lapse between versions. It's currently
one of the most active malicious programs, with the majority of activity being in the
Russian Federation. It's difficult to predict what will happen in the future. Maybe the
worm will retreat again after this burst of frenzied activity, or continue to spread, and
maintain its current level of activity, as some other programs - Trojan-
Downloader.Win32.INService, for example - have done.

Finally, Email-Worm.Win32.Sober made another appearance, as Sober.q, which spread
actively throughout Europe, sending far right propaganda and updating itself (to Sober.p)
via the Internet.

IM worms remain active, with new versions appearing frequently - IM-Worm.Win32.Bropia
and IM-Worm.Win32.Kelvir have been detected in a number of versions. New versions are
characterized by their short life cycle.

In contrast to worms, spyware has been less active this month. However, the decreased
activity is not particularly significant, and mainly applies to Trojan-
PSW.Win32.LdPinch, PdPinch and Trojan-Spy.Win32.Goldun. In fact, the decreased
activity is simply a drop from an extremely high peak to a more standard level.

On the other hand, within this same group of programs, Brazilian spyware has become far
more prevalent, both the spyware itself and the downloader programs which install it.
Every day we see either a new version of one of these programs, or a modified old
version - older versions are modified in order to make it more difficult for antivirus
solutions to detect them. One example of this approach is Trojan-Spy.Win32.Baner.ju,
which constantly arrives in slightly different guises.

Spyware spreads in a number of ways, with the most popular method being mass mailing
(spamming). This can be done either in a single stage, where the file containing the
spyware is mailed directly to the user, or in two stages, using a Trojan downloader. In the
case of this spyware family the downloader is Dadobra; some recent versions of Dadobra
have been modified to download files containing other malicious programs via FTP rather
than via HTTP as in the past. One other method, which is used relatively infrequently, is to
use Email-Worm.Win32.Combra as the carrier; this worm downloads either the spyware
program itself or the Trojan downloader to the infected machine.

May was also notable for Chinese malware writers attempting to compete with the
Brazilians in terms of virus activity. However, Chinese programs such as
Trojan-PSW.Win32.Lmir, Lineage, Gamania and other malware targeting QQ (the Chinese
instant messaging application) have not shown any significantly increased activity.
Backdoor.Win32.Hupigon is something of an exception here, as several new versions have
been released in the recent past, but they have not caused any serious disruption.

Finally, an interesting newcomer this month was Trojan-Downloader.Win32.Peerat.a,
which is distinguished by its functionality. It differs from standard Trojan downloaders in
that it doesn't just download other malicious programs to the victim machine, but also to
any file sharing network present.

To summarize: Mytob became more active than Mydoom, its predecessor, and this trend
looks set to continue. Mytob may come to effectively replace Mydoom.

Some groups of malicious programs which have been inactive for a long time may
demonstrate renewed activity.

Spyware and theft programs will continue to be used, either at the current level, or with
increased intensity.

Virus Top Twenty for April 2005

May 03 2005 16:53

Alexander Gostev
Senior Virus Analyst, Kaspersky Lab
Position   Change in position   Name                          Percentage
1.         +3                   Net-Worm.Win32.Mytob.c        27.80
2.         -1                   Email-Worm.Win32.NetSky.q     16.53
3.         -1                   Email-Worm.Win32.NetSky.aa    6.05
4.         -1                   Email-Worm.Win32.NetSky.b     5.77
5.         0                    Email-Worm.Win32.Lovgate.w    3.65
6.         +1                   Email-Worm.Win32.Zafi.b       3.45
7.         New                  Net-Worm.Win32.Mytob.q        3.29
8.         -2                   Email-Worm.Win32.Zafi.d       2.89
9.         New                  Net-Worm.Win32.Mytob.u        2.42
10.        -1                   Email-Worm.Win32.NetSky.d     2.17
11.        -1                   Email-Worm.Win32.Mydoom.l     1.99
12.        -4                   Email-Worm.Win32.Mydoom.m     1.82
13.        -1                   Email-Worm.Win32.NetSky.x     1.47
14.        New                  Net-Worm.Win32.Mytob.r        1.42
15.        -1                   Email-Worm.Win32.NetSky.t     1.25
16.        -5                   Email-Worm.Win32.NetSky.y     1.15
17.        New                  Net-Worm.Win32.Mytob.t        1.06
18.        New                  Net-Worm.Win32.Mytob.h        1.01
19.        -6                   Email-Worm.Win32.NetSky.r     0.98
20.        -5                   Email-Worm.Win32.Bagle.ai     0.81
           Other malicious programs                           13.02

Our Top Twenty shows the event we've long been expecting has finally come to pass -
the leading position is now occupied by Mytob. Mytob.c is one of many representatives
of a family of network worms which first appeared in 2005. Mytob.c was initially
detected on 4th March, and in less than two months has managed to push NetSky.q, the
2004 leader, out of first place. In fact, Mytob.c had managed to do this by the end of
March.

Since being detected, Mytob.c has demonstrated that it's here to stay. It is based on the
Mydoom.a source code and spreads via email, but also incorporates the ability to
replicate via the LSASS vulnerability. The name antivirus companies have given Mytob
also reflects the fact that the worm has bot functionality: My(doom) + tob ('bot' reversed).

The fact that Mytob is able to replicate in two ways makes it difficult to stop it spreading
quickly. Doing so requires detecting the worm and deleting it from mail traffic passing
through major network nodes. Users should also install the critical Windows updates
which close the LSASS vulnerability and thus prevent Mytob from spreading further over
the network.
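The two propagation paths described here, and in the May roundup above (network
replication via the LSASS vulnerability plus an IRC backdoor), leave a behavioural trace
that can be spotted on the network side while the mail gateways are still being updated.
The script below is an added example, not Kaspersky's code: it runs over constructed
connection-log lines and flags any internal host that opens TCP/445 connections to many
distinct neighbours within a short window (a host probing for the LSASS hole) and also
talks to an IRC server (the bot channel). The log format, the thresholds, the window and
the IRC port list are all assumptions of the example; the LSASS flaw is reached over SMB on
TCP 445, but a real bot may use any IRC port.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed flow records (not from the original article), one per line:
# "<ISO timestamp> <src> <dst> <dport> <proto>".
# 10.0.0.5 probes twelve neighbours on 445 within seconds and then joins an IRC server;
# 10.0.0.7 talks to a single file server on 445 (normal); 10.0.0.9 uses IRC but never scans.
SAMPLE_FLOWS = "\n".join(
    [f"2005-06-01T10:00:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445 tcp" for i in range(12)]
    + [
        "2005-06-01T10:00:13 10.0.0.5 198.51.100.9 6667 tcp",
        "2005-06-01T10:00:05 10.0.0.7 10.0.0.1 445 tcp",
        "2005-06-01T10:00:06 10.0.0.7 10.0.0.1 445 tcp",
        "2005-06-01T10:00:07 10.0.0.9 198.51.100.9 6667 tcp",
        "2005-06-01T10:00:08 10.0.0.8 10.0.0.30 25 tcp",
    ]
)

SMB_PORT = 445        # LSASS is exposed over SMB/TCP 445
IRC_PORTS = {6667}    # assumed; real bots often pick arbitrary ports


def parse_flows(text: str) -> List[dict]:
    """Parse the simple space-separated flow format assumed above."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto.lower()})
    return flows


def smb_fanout(flows: List[dict], window: timedelta = timedelta(seconds=60),
               threshold: int = 10) -> Dict[str, int]:
    """Return {src: peak distinct TCP/445 targets within any `window`} for sources that
    reach `threshold`. A worm scanning for the LSASS hole touches many distinct hosts
    quickly; a workstation using one or two file servers never gets near the threshold."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == SMB_PORT:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # distinct dsts currently inside the window
        left = peak = 0
        for ts, dst in events:           # sliding window over the sorted events
            in_window[dst] += 1
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def irc_talkers(flows: List[dict]) -> Set[str]:
    """Sources that opened a connection to an assumed IRC port."""
    return {f["src"] for f in flows if f["proto"] == "tcp" and f["dport"] in IRC_PORTS}


def suspects(text: str) -> List[str]:
    """Hosts showing both halves of the behaviour: 445 fan-out and an IRC session."""
    flows = parse_flows(text)
    bots = irc_talkers(flows)
    return sorted(src for src in smb_fanout(flows) if src in bots)


if __name__ == "__main__":
    for host in suspects(SAMPLE_FLOWS):
        print("possible Mytob-style bot:", host)
```

Requiring both signals keeps the alert count honest: the lone IRC user (10.0.0.9) and the
busy file-server client (10.0.0.7) are not reported. A host that trips only the 445 fan-out
is still worth a look, since the worm's network spread does not depend on the IRC channel
being up, so in practice the two detections would be logged separately and correlated.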

It's worrying that Mytob.c is not alone - the April Top Twenty includes another 5
representatives of this family. This month, therefore, Mytob is second only to NetSky,
with its eight modifications in the Top Twenty. NetSky, however, took several months
before figuring so strongly in the rankings, whereas Mytob achieved this in the course of
just one month.

There's no question that this family of worms will continue to appear over and over again
in our statistics. Mytob's authors remain active, and at the end of April were releasing a
new modification of Mytob every two days. The new versions don't differ significantly
from each other; however, usually a different packing program is used in an attempt to
prevent detection by the majority of anti-virus scanners.

Of course, Mytob wasn't the only worm to appear in April 2005 - there were several
small outbreaks caused by Sober and Bagle, but none of these made it into the Top
Twenty. This was due to a variety of reasons, including errors in the program code, and
the rapid reaction of antivirus companies to these latest threats.

All the other threats listed in the Top Twenty have been forced out of position by Mytob,
all falling by several places except for Zafi.b; this was the only malicious program which
strengthened its position, albeit by a single place. Mytob also meant that new versions of
the many programs used in phishing attacks (Trojan-Spy.HTML) and Trojan
Downloaders also failed to make it into the Top Twenty. This is a little surprising - these
programs are still sent out on a regular basis. But it seems that the authors of such
programs are now concentrating not on volume, but on specific targets: either attacking
clients of a particular bank, or sending their creations to addresses in one domain only,
such as .ua.

Malicious programs not listed individually made up a significant portion of the malicious
programs intercepted this month - 13.02%. This clearly shows that a relatively large
number of other worms and Trojan programs are still circulating, and can still pose a
threat to unprotected machines.

Summary:

New         Mytob.q, Mytob.u, Mytob.r, Mytob.t, Mytob.h
Moved up    Mytob.c, Zafi.b
Moved down  NetSky.q, NetSky.aa, NetSky.b, Zafi.d, NetSky.d, Mydoom.l, Mydoom.m,
            NetSky.x, NetSky.t, NetSky.y, NetSky.r, Bagle.ai
No change   LovGate.w