The amount of new malware has never been higher. Our labs are receiving an average of 25,000 malware samples every day, seven days a week. If this trend continues, the total number of viruses and Trojans will pass the one million mark by the end of 2008.
While more viruses are being created than ever before,
people often report seeing fewer of them. One reason behind
this illusion is that malware authors are once again changing their
tactics for infecting our computers.
A year or two ago, most malware was spread via e-mail
attachments, which resulted in mass outbreaks like Bagle, Mydoom
and Warezov. Nowadays sending .EXE attachments in e-mail doesn't
work so well for the criminals because almost every company and
organization is filtering out such risky attachments from their
e-mail traffic.
The criminals’ new preferred way of spreading malware is by
drive-by downloads on the Web. These attacks often still start with
an e-mail spam run but the attachment in the e-mail has been
replaced by a web link, which takes you to the malicious web site.
So instead of getting infected over SMTP, you get infected over
HTTP.
Drive-by downloads
Infection by a drive-by download can happen automatically just
by visiting a web site, unless you have a fully patched operating
system, browser and browser plug-ins. Unfortunately, most people
have some vulnerabilities in their systems. Infection can also take
place when you are fooled into manually clicking on a download and
running a program from the web page that contains the malware.
There are several methods criminals use to drive traffic to
these websites. A common approach is to launch an e-mail spam
campaign containing messages that tempt people to click on a link.
Messages like “There is a video of you on YouTube”, or “You have
received a greeting card”, or “Thank you for your order” have been
popular baits.
Another method used by criminals is to create many web pages
with thousands of different keywords which are indexed by Google,
and then simply wait for people to visit these sites. So when you
do a search for something innocuous like “knitting mittens” (as a
random example), and click on a search result that looks just like
all the others, you are actually getting your computer infected.
Typically, an infection by an automatic exploit happens without you
realizing it or seeing anything strange on the computer screen.
The third method of distributing malware involves the criminals
hacking into existing high profile, high traffic web sites. Unlike
the joke defacements that some hackers played on the front pages of
prominent web sites in the past, today’s criminal hackers don’t
change the front page at all. They simply insert a line of
JavaScript on the front page which uses an exploit to infect your
machine when you go there. Everything works and looks
normal.
This has happened to the web sites of some popular magazines
which can have a million users every single day. People trust sites
that are part of their daily routine, and would not suspect
that anything bad could happen when they go there.
Another vector for drive-by downloads is infiltrated ad
networks. We are seeing more and more advertising displayed on
high-profile websites. By infiltrating the ad networks, the
criminals don’t have to hack a site but their exploit code will
still be shown to millions of users, often without the knowledge of
the webmaster of those sites. Examples of where this has happened
include TV4.se, Expedia, NHL, and MLB.
It is important to be aware of this shift from SMTP to HTTP
infections, which can be exploited by the criminals in many ways.
Companies often measure their risk of getting infected by looking
at the amount of stopped attachments at their e-mail gateway. Those
numbers are definitely going down, but the actual risk of getting
infected probably isn't.
Individuals and companies should therefore be scanning their web
traffic for malware – as well as filtering their FTP traffic. In
parallel to the switch from SMTP to HTTP as a way of spreading
malware, we are now also seeing more and more malicious e-mails
that link to malware via FTP links.
Advanced rootkit emerges
An MBR rootkit – known as Mebroot – is probably the stealthiest
recent malware we have observed, and has so far been distributed by
drive-by downloads.
Mebroot replaces the infected system's Master Boot Record (MBR),
which is the first physical sector of the hard drive and contains
the first code loaded and executed from the drive during the boot
process. It keeps the amount of system modifications to a minimum
and is very challenging to detect from within the infected
system.
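Because the MBR is a fixed 512-byte structure, its integrity can be baselined and re-checked. The following is an added example, not code from the original text or from F-Secure: it parses a raw MBR into its boot-code region, four partition entries and the 0x55AA signature, hashes the boot code, and compares a sector against a baseline captured from a clean boot. The sample sectors are constructed inline; the "tampered" one changes only the boot code, so a check that looks only at the partition table would miss it.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code the BIOS executes
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = 0xAA55  # stored little-endian, i.e. bytes 55 AA at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    boot_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": boot_hash, "partitions": entries}

def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Report which MBR regions differ from a baseline taken from a clean boot."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    part1 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = part1 + b"\x00" * 48          # three unused entries
    return code + table + struct.pack("<H", BOOT_SIGNATURE)

# Constructed clean sector and its baseline (a few ordinary x86 boot-code bytes).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)
# Constructed tampered sector: the boot code is swapped out but the partition
# table is untouched, so comparing partition entries alone would see nothing.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")
```

On a live machine the 512 bytes come from the raw disk device (for example \\.\PhysicalDrive0 on Windows, which needs administrator rights), but since a rootkit of this kind can answer disk reads with the clean sector, the sector to check should be read from trusted boot media rather than from inside the running system.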
MBR viruses used to be the most common form of viruses at the
time of the DOS operating system about 15 years ago. Recently,
academic papers presented at conferences discussed whether
this kind of MBR stealth could ever happen in the age of Windows.
We have been very surprised to see it happening for real now in
2008.
This means that the criminals have both the funds and the high
level expertise to develop such complex attacks. They have
succeeded in developing code that loads from the boot sector of the
hard drive, stays alive while Windows boots up, then loads parts of
itself and injects them into the operating system once Windows is up and
running, and manages to hide all this very effectively.
We are likely to see this technique being used by quite a
variety of malware. These first MBR rootkits are banking Trojans
targeting several online banks, where the criminals are clearly
seeing an opportunity to make a return on their investment.
First mobile ransom Trojan
Making money is what today’s malware is all about, and the first
ransom Trojans for smartphones have been found in China. We have
already seen similar Trojans on the PC side which infect
your computer, take your data ‘hostage’ or somehow disrupt your
computer’s capabilities, and then offer to restore everything back
to normal if you pay out the ransom money. Typically, the ransom
Trojan first encrypts your hard drive and then sends you a password
after you have sent money to the criminals via an online money
transfer system.
In the case of Kiazha, the first smartphone ransom Trojan, you
get infected by downloading a shareware lookalike program on your
phone, which then drops several known older viruses on your phone.
Next it sends a message explaining that you can only get the phone
fixed by transferring the equivalent of seven dollars to the
attackers through an online payment system. Today’s smartphones are
so important to many people that they are prepared to pay a ransom
to get back their phonebook, calendar and mobile emails, so we
might well be seeing much more of this type of malware in the
future.
More mobile trouble
The Beselo worms spread via MMS and Bluetooth by using a novel
form of social engineering to trick users into installing an
incoming SIS application installation file. What makes Beselo
interesting is that instead of a standard SIS extension, the Beselo
family uses common media file extensions. This leads the recipient
to believe that he or she is receiving a picture or sound file
instead of a Symbian application. The recipient is then far more
likely to answer "yes" to any questions the phone prompts after
clicking on such an incoming file.
The filenames used by Beselo are beauty.jpg, sex.mp3, and
love.rm. So if you have a Symbian S60 phone and receive a media
file, answer "no" to any installation prompt that appears when
trying to open the file. There is no reason for any image file to
ask installation questions on the Symbian platform, so any image or
sound file that does anything other than play immediately is
definitely not what it claims to be.
Beselo worms are compiled for S60 2nd Edition phones.
Attempting to open the file on a 3rd Edition phone will probably
cause an error message rather than an installation prompt.
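The disguise Beselo relies on, a Symbian installer carrying a media-file name, can be caught by checking content against extension rather than trusting the name. The following is an added example, not code from the original text or from F-Secure: it compares the first bytes of a file with the magic bytes a genuine .jpg, .mp3 or .rm file starts with, and then looks for a Symbian installer UID header. The SIS/SISX UID values are assumed constants, and the inbox samples are constructed inline.

```python
import struct

# Magic bytes a genuine file of each extension begins with (offset 0).
MEDIA_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".rm": [b".RMF"],
}
# Symbian installer UIDs; assumed constants, not taken from the original text.
SIS_UID3 = 0x10000419    # legacy SIS (S60 2nd Edition): third UID at offset 8
SISX_UID1 = 0x10201A7A   # Symbian 9 / S60 3rd Edition SISX: first UID at offset 0

def looks_like_sis(data: bytes) -> bool:
    """True if the first 12 bytes carry a Symbian installer UID triple."""
    if len(data) < 12:
        return False
    uid1, _uid2, uid3 = struct.unpack_from("<III", data, 0)
    return uid3 == SIS_UID3 or uid1 == SISX_UID1

def classify(filename: str, data: bytes) -> str:
    """Return 'ok', 'disguised-installer' or 'extension-mismatch'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    expected = MEDIA_MAGIC.get(ext)
    if expected is None:
        return "ok"   # not one of the media extensions checked here
    if any(data.startswith(magic) for magic in expected):
        return "ok"   # content matches what the extension claims
    if looks_like_sis(data):
        return "disguised-installer"
    return "extension-mismatch"

def quarantine_list(messages) -> list:
    """Filter (filename, bytes) pairs down to the ones that must not be opened."""
    verdicts = [(name, classify(name, data)) for name, data in messages]
    return [v for v in verdicts if v[1] != "ok"]

# Constructed samples: a real JPEG header, and a legacy SIS header renamed to a
# media extension the way Beselo does (first UID is a made-up application UID).
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
FAKE_MEDIA = struct.pack("<III", 0x01234567, 0x00000000, SIS_UID3) + b"\x00" * 8
INBOX = [("beauty.jpg", REAL_JPG), ("sex.mp3", FAKE_MEDIA), ("love.rm", b"\x00" * 20)]
```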
HatiHati.A is another troublemaker, a worm-like application that
spreads via MMC cards. Once the worm has copied itself to a new
device, it starts sending SMS messages to a predefined number which
can prove very expensive.
For a video about mobile threats, please go to our video channel
at http://www.f-secure.com/video-channel/
Both PC and smartphone users can protect themselves by using
up-to-date security services from well-known vendors. For more
information about F-Secure’s solutions, please go to
www.f-secure.com
More information about current threats in general is available
on our weblog at http://www.f-secure.com/weblog/
About F-Secure Corporation
F-Secure Corporation protects consumers and businesses against
computer viruses and other threats from the Internet and mobile
networks. F-Secure’s award-winning solutions are available as a
service subscription through more than 160 Internet service
providers and mobile operator partners around the world, making
F-Secure the global leader in this market. The solutions are also
available as licensed products through thousands of resellers
globally. The company aspires to be the most reliable security
provider, helping to make computer and smartphone users’ connected
lives safe and easy. This is substantiated by the company’s
independently proven ability to respond faster to new threats than
its main competitors. Founded in 1988 and headquartered in Finland,
F-Secure has been listed on the OMX Nordic Exchange Helsinki since
1999. The company has consistently been one of the fastest growing
publicly listed companies in the industry. The latest news on
real-time virus threat scenarios is available at the F-Secure Data
Security Lab weblog at
http://www.f-secure.com/weblog/.
For more information, please contact:
F-Secure Corporation
Mikko Hypponen, Chief Research Officer
Tel. +358 400 648 180
Email: firstname.lastname@f-secure.com
Henrietta Malmari, Corporate Communicator
Tel. +358 40 575 5646
Email: firstname.lastname@f-secure.com