2004 Threat Summary
When looking back at the year 2004, it clearly splits into two halves: the beginning of the year was busy to a record-breaking degree, with a huge number of major new virus outbreaks. Since June, however, things have calmed down and we have only had a few serious outbreaks. This development cannot easily be attributed to any single cause.
The new trends in 2004 were primarily the massive increase in phishing email scams, the introduction of open-source botnets (networks of infected machines harnessed for malicious operations) and for-profit virus writing. This year was also the best year ever for actually catching virus writers and other cyber criminals.
The network worm problems encountered during the year have shown how important it is to protect every single computer with a personal firewall. During 2004 the number of known viruses passed the 100,000 mark.
F-Secure Corporation classifies viruses according to their severity on a scale called Radar. The number of level one alerts, the most severe type, was four in 2004 (7 in 2003). Most of the Radar alerts issued in 2004 happened during the first five months of the year.
When we look at the year as a whole, six virus families were in a league of their own: Bagle, Mydoom, Netsky, Sasser, Korgo and Sober. It is interesting to note that of these six largest cases, three of them would be categorized as for-profit virus writing (Bagle, Mydoom and Korgo). These viruses are linked either with spammers or with stealing of banking information.
Around 70 percent of all email is nowadays spam - and most of that is sent through infected home computers. As spammers also make good money out of it, they can invest in their operations, making the problem even worse.
Because of this, and the organized crime behind some of today's viruses, the amount of infected email has grown massively since 2003. Despite this, we have seen only a few big outbreaks in the second half of 2004.
The Virus War
The year kicked off with an intense battle between the creators of three different viruses: Bagle, Mydoom and Netsky.
All three are email worms, spreading by sending infected attachments. Bagle and Mydoom create spam proxies; Netsky uninstalls them.
What we saw during January-May was an unusual race between three different viruses. New variants were popping up all the time, peaking on March 3rd, when we found a new variant of each within one hour!
The biggest single outbreak was Mydoom.A - in fact, this outbreak, first seen on January 26th, was the largest email incident in history, surpassing even the Sobig.F epidemic of 2003. At its worst, close to 10 percent of all email traffic globally was caused by Mydoom.A.
Many of the Mydoom variants launched distributed denial-of-service attacks:
- Mydoom.A attacked and took down SCO.COM (as a result, SCO took the domain offline for five weeks)
- Mydoom.B attacked MICROSOFT.COM with little visible result
- Doomjuice.A also attacked Microsoft and was successful to some extent
- Mydoom.F attacked and took down RIAA.COM
- Mydoom.M used Google to search for email addresses (as a result, Google was overloaded with requests and remained offline for hours).
Doomjuice.A managed to disrupt the operation of www.microsoft.com in February. Graph (c) Rommon.
It is interesting to note the variety of techniques we saw in the different variants of these worms.
For example, they would use highly misleading icons to try to trick users into clicking email attachments. Bagle sometimes used icons which resembled folders - but they were in fact the virus-carrying executables.
Mydoom relied on substituting icons of familiar applications for its attachment, making the virus appear to be a document or a movie file.
Late variants of Bagle came up with new tricks:
- At first, Bagle sent infected executables as attachments
- We started detecting that
- Then it started sending zipped executables
- We started unpacking the ZIPs and detecting the virus
- Then Bagle started encrypting the ZIPs with a password and telling the user the password in the email
- We started searching the email for the password and decrypting the attached ZIP files
- Bagle started telling the user the password in an image, so it couldn't be found in the email text.
- and so on and on, in a big game of cat and mouse.
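The cat-and-mouse ladder above can be followed from the scanner's side. The following is an added worked example, not F-Secure's code or any product's engine: a small attachment scanner that applies one rung per branch (bare executable, zipped executable, password-protected ZIP with the password recovered from the message text, and the final rung where the password lives only in an image and text search finds nothing). All names (scan_message, password_candidates, run_ladder and so on), the sample messages and the placeholder "executable" bytes are constructed here; the password-protected sample is built with a hand-rolled ZipCrypto writer because Python's zipfile can read that scheme but cannot write it.

```python
import io, re, struct, zipfile, zlib
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
EXE = b"MZ-constructed-placeholder-not-a-real-program"   # stand-in, not a real executable

def _zipcrypto_encrypt(plain, password):
    """Traditional PKWARE ZipCrypto, used only to build the constructed samples."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def step(crc, b):            # one raw CRC-32 table step (no pre/post inversion)
        return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def update(b):
        nonlocal k0, k1, k2
        k0 = step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = step(k2, k1 >> 24)
    for b in password:
        update(b)
    out = bytearray()
    for p in plain:
        t = (k2 | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)                # keys advance on the plaintext byte
    return bytes(out)

def zipcrypto_archive(name, data, password):
    """Single-entry, stored, password-protected ZIP (general purpose flag bit 0 set)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = bytes(range(11)) + bytes([crc >> 24])   # 12-byte prefix; last byte is the check byte
    body = _zipcrypto_encrypt(header + data, password)
    fname, date = name.encode(), ((2004 - 1980) << 9) | (1 << 5) | 26   # DOS date 2004-01-26
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, 0, date,
                        crc, len(body), len(data), len(fname), 0) + fname + body
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0, 0, date,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def plain_archive(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def make_mail(body, attachment_name, attachment_bytes):
    msg = EmailMessage()
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg

# "password is X" style hints are tried first, then every short token as a fallback.
_HINT = re.compile(r"pass(?:word)?\W{0,6}(?:is\W{0,6})?([A-Za-z0-9]{3,20})", re.I)

def password_candidates(text):
    seen = []
    for tok in _HINT.findall(text) + re.findall(r"[A-Za-z0-9]{4,12}", text):
        if tok not in seen:
            seen.append(tok)
    return [t.encode() for t in seen]

def scan_message(msg):
    """Verdict for the first suspicious attachment; each branch is one rung of the ladder."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):                     # rung 1: bare executable
            return ("executable-attachment", name)
        if not data.startswith(b"PK\x03\x04"):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(EXEC_EXT):
                    continue
                if not info.flag_bits & 0x1:            # rung 2: plain ZIP, look inside
                    return ("zipped-executable", info.filename)
                for pwd in password_candidates(text):   # rung 3: password is in the text
                    try:
                        zf.read(info, pwd=pwd)          # check byte and CRC must both pass
                    except (RuntimeError, zipfile.BadZipFile):
                        continue
                    return ("password-zipped-executable", pwd.decode())
                # rung 4: password only in an image, so text search finds nothing
                return ("encrypted-archive-no-password", info.filename)
    return ("clean", "")

def run_ladder():
    """The four stages as constructed messages; returns one verdict per stage."""
    stages = [
        ("Hi! See the attached photos.", "photos.exe", EXE),
        ("Hi! See the attached photos.", "photos.zip", plain_archive("photos.exe", EXE)),
        ("The password is 12345.", "photos.zip", zipcrypto_archive("photos.exe", EXE, b"12345")),
        ("Password is in the picture.", "photos.zip", zipcrypto_archive("photos.exe", EXE, b"x7kq")),
    ]
    return [scan_message(make_mail(*stage)) for stage in stages]
```

Running `run_ladder()` yields one verdict per rung; the last stage is the one the text ends on, where the gateway can see that the archive is encrypted and contains an executable but cannot recover the password from the message body. A wrong candidate password is rejected either by the ZipCrypto check byte or, in the roughly one-in-256 case where the check byte happens to match, by the CRC mismatch on the decrypted data, which is why both exceptions are caught.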
Netsky played its own tricks, for example by adding fake "scanned for viruses" banners to the mails it sent.
Another trick was seen in Netsky.X: it sends messages in many different languages depending on the recipient's top-level domain. The message could be in English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French or German.
The main goal for Bagle and Mydoom was to turn the infected machine into a spam proxy that the spammers could use to send out bulk email. The Mitglieder proxy trojan is an interesting link between these two viruses. The first known version of this trojan was used by Bagle.A in January 2004. Bagle.A downloaded it from a web site and installed it on infected computers.
Mydoom.A left a small backdoor on each infected computer. Several days after the initial outbreak, someone who knew how to operate the backdoor portscanned large parts of the internet address space, installed another version of the Mitglieder trojan on these machines - and started sending spam through them.
The fact that both Bagle and Mydoom families are utilizing the Mitglieder trojan might indicate that there is, in fact, a single group of virus writers behind both of them.
Some variants were more successful than others. Netsky.P became the most widespread. It was the most common virus in our statistics from April 2004 to August 2004 and is still in the top 10 in December.
The result of all of this was that the first months of the year were very busy virus-wise - probably the busiest we have ever seen. Around June, however, the situation started to calm down a bit.
On May 1st we saw the biggest network worm case of the year: the Sasser worm started spreading, exploiting a new security hole in the LSASS service of Windows 2000 and XP. Microsoft had issued a patch for this hole only 18 days earlier, meaning that many organizations had not yet installed the patch. This phenomenon, where a real-world virus appeared just days after a vulnerability was announced publicly, was repeated several times throughout the year.
Sasser could be compared to the Blaster outbreak in August 2003 in many ways. Both were automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to the newly infected host.
Also, both worms caused unpatched machines to start to reboot. This created some major headaches in computer systems and in networks in general:
There were Sasser-related problems in at least three large banks. RailCorp rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded. Two county hospitals in Sweden got infected, with 5000 computers and X-ray equipment offline. The European Commission in Brussels and the UK Coastguard were affected too, as were many other organizations around the world.
Sasser was released early Saturday morning. The following Friday, the German police arrested a young programming hobbyist named Sven Jaschan. He confessed to writing both the Sasser and Netsky virus families. His motive: fighting the spammers behind the Bagle and Mydoom virus families.
For several months after Sven Jaschan was arrested his viruses continued to top the virus charts. Even in December 2004, five out of the TOP 10 viruses were Netsky variants, with Netsky.P being by far the most common one in the wild.
Year 2004 was the best year ever in actually catching virus writers and other cyber criminals.
Microsoft started offering bounties for the writers of certain viruses as early as late 2003. So far, they have not actually paid any out. However, such bounties put pressure on virus writers, as they became afraid of others ratting them out. For example, the information that was used to arrest Sven Jaschan was given to the authorities in the hope of collecting such bounty money.
Authorities in several countries completed big operations to arrest online criminals. For example, the US Secret Service shut down the carderplanet.cc and shadowcrew.com sites, which were used to trade stolen credit card numbers online.
There have also been several arrests of people of Russian, Lithuanian and Ukrainian origin who have been found to be behind phishing attacks in the USA, the UK and Australia.
One such arrest was that of Mr. Andrew Schwarmkoff, who was charged with credit card and identity fraud in Brighton, Boston.
Apparently Mr. Schwarmkoff sent out phishing emails to collect people's credit card and banking details. He was arrested with $200,000 worth of stolen merchandise, credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash. He is alleged to be a member of the Russian mafia, with underground connections to it.
Distributed denial-of-service attacks are being used in a more organized way as well.
Mr. Jay Echouafni, the CEO of satellite receiver reseller Orbit Communication, was charged with hiring hackers to launch DDoS attacks against his competitors. The idea was to take down the online ordering systems of other large competitors, such as rapidsatellite.com and weaknees.com.
After being charged, Mr. Echouafni skipped bail and is today listed among the FBI's most wanted.
The first real mobile phone viruses were found in 2004.
In June 2004 we found Cabir, the first virus to hit Symbian-based Bluetooth phones. It was also the first virus to spread based on proximity: if you are close to an infected Bluetooth device, you can get infected. Later, in July, we found a proof-of-concept PocketPC virus called Duts. Shortly thereafter we found the first backdoor for PocketPC devices (Brador).
In spring 2004 we found a game for Symbian phones (Mosquitos) which secretly sent messages to expensive toll numbers, creating invisible costs for the user.
In November we discovered yet another new threat, as we received reports of users whose phones had been hit by the new Skulls trojan.
This trojan has been distributed on some Symbian shareware download sites as an "Extended Theme Manager" or "Camera Timer" freeware tool. It disables the smartphone features of the phone, leaving only the ability to make calls: no messages, no web, no applications. Recovery can be tricky and might cause the user to lose all of his own data on the phone - including the phonebook, calendar and message history. The most obvious symptom of the trojan is that the usual programs on the phone no longer work, and their icons are replaced with a picture of a skull.
Mobile devices are becoming more and more common, and as they become more widespread they also become a more attractive target for virus writers. The bigger the target, the better it looks to these people. Also, with the increase in for-profit virus writing, the likelihood of severe mobile viruses is high. Every phone call or SMS message is also a financial transaction, which opens up a flood of earning opportunities for for-profit hackers and virus authors.
The spam situation is getting worse and worse. Around 70 percent of all email is nowadays spam - and most of that is sent through infected home computers. The CAN-SPAM act passed in the USA in early 2004 did little to solve the spam problem. Many argue it actually made the situation more difficult by legalizing spamming in the USA, as long as one follows certain guidelines. It would be similar to passing a law that made it OK to steal money as long as you're being nice about it.
Spammers make good money out of spam, which means they can invest in their operations - making the problem worse.
One of the few spammers ever sentenced, Mr. Jeremy Jaynes (aka Gaven Stubberfield), is a good example of how well this works. This spammer from North Carolina was getting rich by sending out up to 20 million spam emails a day. Only a few hundred of those would actually lead to a sale (a reply rate of 0.00005 percent or so). However, even that was enough to give him an income of up to $750,000 a month.
Eventually, Mr. Jaynes built a fortune worth as much as $24 million - including several cars and several houses, with one mansion having 16 separate T-1 data lines connected to it to provide spamming bandwidth.
The good news is that Mr. Jaynes was arrested, charged and convicted. He's now serving nine years in jail, which is in fact a surprisingly long sentence. His defense attorney argued that the prosecutors never proved the e-mail Jaynes sent was unsolicited.
The bad news is that there are hundreds of other spammers more than happy to jump in on this lucrative business.
We at F-Secure also have evidence suggesting that some spammers have successfully recruited individual employees from anti-spam software developers. This is like a plot from a bad sci-fi movie - 'come to the dark side - we'll double your salary'.
People who design antispam software would be the best experts to figure out how to make spam messages get through antispam filters. Spammers are also known to hire linguists to assist them in developing spam emails that better evade antispam traps.
Such trends are disturbing, of course. What's next? Virus writers hiring anti-virus researchers?
In 2004 we saw at least two major cases where popular websites were hacked and had an exploit installed on them. The first case, in June, used the Download.Ject exploit and the second, in November, an IFRAME exploit. In both cases the end result was that when end users surfed to well-known and trusted web pages, their PC got exploited...if they were surfing with Internet Explorer. Many high-profile organizations repeatedly recommended during 2004 that people switch to alternative browsers because of security concerns. And in fact, IE's market share seems to have dropped at least some percentage points during the year.
Botnets keep getting bigger and bigger. The sheer number of bots based on open source code has skyrocketed; several thousand variants of bot families such as Agobot are now known.
There were no major incidents on the Linux operating system. Some bugs were found, and SuSE has patched three local security holes that would have let a local user compromise the computer. Security holes have been found and quietly patched in other widely-used systems, e.g. Samba, Squid and PHP. Such incidents would have created a lot of publicity in the Windows world.
Windows XP Service Pack 2
Microsoft shipped Windows XP Service Pack 2 in August.
SP2 is by far the largest service pack we've seen (it's over 250 MB in size and quite a download). More importantly, this SP centres on security features only.
From the antivirus point of view, the three most important features in SP2 are:
- Stack & heap protection: this will make it much harder to generate exploits for buffer overflows, such as those used by automatic network worms like Slammer, Blaster and Sasser. We had a look at how Microsoft actually implemented this, and it looks good.
- Built-in firewall, which is enabled by default and running right from boot-up. It will not only prevent access from the outside but will also warn users when local applications start to listen on specific ports. It won't warn when local applications send data to the Internet, though.
- Patched versions of IE and Outlook. As these are the most common tools to access the net, it is important to have them up-to-date.
The end result will be that once patched XPs become commonplace, it will be much harder to create large network worm outbreaks. User-assisted viruses (like email worms) will not go away...and the bad boys will eventually find ways around the safeguards. But nevertheless, this is a big improvement.
As XP is already the most common operating system on the Internet, this Service Pack is very important. We hope the majority of XP users will apply it soon. This would benefit everybody on the Internet.
Monthly Wrap-Up of the Year
- First variants of Mydoom, Bagle and Netsky are found. The virus war continues for several months.
- The Mosquito trojan is found. This Symbian trojan is a game that secretly sends out SMS text messages to toll numbers, creating hidden costs to the user.
- The Witty worm spreads rapidly, but only affects users running BlackIce software. However, on infected machines the worm seems to do really bad damage, overwriting random parts of the hard drive for as long as the machine is infected. Witty spreads through direct network connections, targeting machines that are running BlackIce security software. Witty was released only one day after the vulnerability was announced.
- Sober.F, one of the common Sober variants of the year, spreads largely by sending English and German email messages.
- The Sasser network worm is found and causes widespread chaos.
- Network worm Korgo is found. This Russian worm drops an aggressive keylogger. Several variants have been found throughout the rest of the year - many have been used to steal user account and banking details.
- Cabir, the first real virus for mobile phones is found.
- Duts, the first real virus for PocketPC phones and PDAs is found.
- Microsoft releases Windows XP SP2, arguably the largest security effort ever done by the company.
- Brador, the first backdoor for PocketPC devices is found.
- There is a lot of media buzz about a JPEG vulnerability, but it never becomes a big problem.
- Somebody registers a domain called fedora-redhat.com and does a fairly large spam run targeting Linux users. The spam message claims a security vulnerability has been found in Fedora Linux and the fix is available at fedora-redhat.com. The fake update file turns out to be a rootkit.
- The first real malware for Apple Macintosh OS X is found. Known as "Opener", this is a bash script which installs itself as a startup item and copies itself to all mounted drives. It contains destructive functionality, a keylogger, a backdoor etc.
- A virus known as Bofra is found. This is one of the fastest viruses ever to take advantage of a new security vulnerability, released only five days after the vulnerability was announced.
- Skulls trojan for Symbian phones is found.
- Sober.I becomes the largest outbreak of the second half of the year.
- Lycos Europe starts a controversial program to fight spammers via their makelovenotspam.com site. Spammers quickly counterattack them. The service is discontinued after the first week of operation.
The End of Email?
"We don't see many directly destructive viruses nowadays; most viruses just try to silently take over your machine instead", says Mikko Hypponen, Director of Anti-Virus Research at F-Secure.
"Current email systems are in serious trouble. I'm afraid we need to do a major overhaul of the underlying email standards in the near future. This would mean changing the basic protocols to more robust ones and adding strong user authentication. This would be a massive and very expensive project...which means it won't be done until the current email systems simply stop working", concludes Hypponen.
During 2004 F-Secure Corporation has been the fastest growing company globally in the antivirus and intrusion prevention industry, with more than 50 percent growth of revenues during the first 9 months of 2004.
Growing at twice the market rate can only be based on happy customers. Our customer satisfaction has stayed at 4.3 on a scale from 1 to 5 (5 being the best) for the last three years. A major part of the value we provide to our customers is our commitment to protect them against new threats better than any other vendor. We have done that systematically and demonstrably over the last ten years.
Based on independent research by AV-Test.org and Messagelabs, F-Secure detects new threats faster than other major antivirus vendors. F-Secure also updates customers more regularly than other major antivirus vendors. Between January and August 2004, F-Secure sent out an average of 48 updates per month, which is 50 percent more than Symantec, almost three times as many as Trend and almost five times as many as McAfee. For the 45 major malware epidemics during 2004, F-Secure customers received their updates on average six hours after the first sample was detected, while, on average, Trend customers were updated ten hours, McAfee customers 14 hours and Symantec customers 16 hours after the first sample. (Source: AV-Test.org)
To communicate breaking news fast F-Secure initiated a weblog to provide customers and the media with the latest factual information about viruses, worms, security hacks, and the people behind them. Comments and analyses are updated continually by Mikko Hypponen and the rest of F-Secure's security research team, and postings often include screen shots and images of actual viruses and malware code.
F-Secure's concept of offering security solutions through outsourced services to Internet users is gaining in popularity. More and more service providers are gradually acknowledging the benefits of partnering with F-Secure. F-Secure is constantly entering new territories successfully, while reinforcing its position in the existing markets at the same time. During the last six months, service providers in 6 new countries, including Canada, Turkey, the USA, Greece and Switzerland, have chosen F-Secure as their security partner. Overall, 40 service provider partnerships have been announced, 16 of those during the last six months. This makes F-Secure the fastest growing company in the world in offering security services through service providers.
In Q4 2004, Nokia announced the first two phones in history that ship with antivirus software enabled. These phones are Nokia 6670 and Nokia 7710. The antivirus software on them is made by F-Secure.
F-Secure Mobile Anti-Virus is the most comprehensive solution for protecting smartphones against harmful content, from undesired messages to malfunctioning applications. It provides real-time, on-device protection and automatic over-the-air antivirus updates through a patented SMS update mechanism.
In addition to the hardware vendor cooperation, Elisa, as the first mobile operator in the world, has started offering wireless antivirus services to its smartphone customers. The service is based on the F-Secure Mobile Anti-Virus service solution.