Computer Crime Research Center


Computer crime: Malware Quarterly Report, PandaLabs

Date: August 08, 2005
Source: Computer Crime Research Center
By: compiled by CCRC

As in the first quarter of the year, Adware and Spyware detections were comfortably ahead of each of the rest of the categories, accounting for 51% of the total. Consequently, Adware and Spyware detections alone were greater than the rest of the categories as a whole, albeit to a lesser extent than in the previous quarter (when the percentage of Adware and Spyware detections was 60%).

The total number of Adware and Spyware detections, as well as the total number of detections in the other categories, has increased substantially compared to the previous quarter. In fact, Panda ActiveScan recorded 12% more detections than in the first quarter. This shows no sign of the current epidemic of malware and other threats weakening.

Trojans are the second most widespread threat, representing a solid 21% of all Panda ActiveScan detections this past quarter (3% more than in the first quarter). 27% of detections relating to Trojans are specimens from the Trj/Downloader family, closely related to Adware and Spyware, as explained in the previous quarterly report. Consequently, detections attributed to the Trj/Downloader family represent a fairly substantial 6% of the Panda ActiveScan total.

Worms, however, continue their downward trend, recording only a modest 7% in the total number of Panda ActiveScan detections.

For their part, bots have once again assumed a prominent role, making up 5% of the total detections recorded during this second quarter. The number of incidents generated by this type of malware is similar to that of traditional worms.

There has been a reaffirmation during the second quarter of 2005 of the already evident decline in mail worms compared to other forms of malware and threats. This trend has been particularly noticeable in two of the most notorious families in malware history: Mydoom and Bagle.

Diverse variants of the unpopular Mydoom and Bagle families have tried to put email users and different companies from the anti-malware industry in a quandary during the second quarter of the year. In spite of these attempts, none of the attacks launched by these new variants managed to reach anything like worrying levels. In fact, the levels of virulence recorded were even lower than in the previous quarter, which in turn were a mere shadow of the levels reached during 2004.

During the second quarter of the year, PandaLabs did not record any situation that could be considered as an alert due to incidents attributable to these two malware families (remember there were two orange alert situations during the first quarter of the year caused by W32/Mydoom.AO.worm and W32/Bagle.BL.worm respectively).

If, fortunately, the “activity” of the different variants of Mydoom and Bagle did not manage to rise to the occasion, the activity related to the numerous variants belonging to the Mytob family distributed throughout the second quarter of the year fared slightly better. This second quarter saw an authentic wave of very similar variants, which appeared to claim the dubious distinction of king of the mass-mailing worms.

PandaLabs recorded an incredible 1169% increase in the number of new variants identified for the W32/Mytob.worm family compared to the previous quarter.

The unique distribution pattern that has characterized the Mytob clone army is closely related to a fortunate circumstance that arose at the end of 2004: malware creators are finding it increasingly difficult to produce global epidemics with a single malware specimen.

This situation has become especially relevant among email worms, whose propagation capability depends on the success of a social engineering technique: after a disastrous 2004, plagued with incidents resulting from this type of malware, there are an increasing number of email users that take precautions before opening attachments.

Naturally, greater user awareness has not been the only catalyst in this situation. The role of companies in the IT security sector and their clients, who ultimately deploy the defensive measures offered, has been equally important.

It's a case of the proverbial bad penny, as they say. During the second quarter of this year, PandaLabs recorded a reasonable number of new variants for the W32/Sober.worm family. Although the volume in itself was not significant, it was enough for the puppeteers that operate in the shadows to achieve substantial “success”. As a result, PandaLabs ordered a state of Orange Alert on May 3rd due to the increasing number of detections of the W32/Sober.V.worm specimen. This state of alert continued for various days.

It should be pointed out that the W32/Sober.V.worm was initially blocked proactively using the TruPrevent™ behavioral analysis module. Consequently, clients with this technology were protected even before PandaLabs had the opportunity to prepare the relevant “vaccine”.

If, during the first quarter of the year, there was clear evidence of an increase in the use of instant messaging as a way of distributing malware and other threats, the second quarter has provided visible signs that this evidence is a tangible reality.

Instant messaging worms have consolidated their presence with a continuous trickle of new variants, which have caused a constant and sustained number of incidents during the period.

Of note is the role performed by W32/Kelvir.worm, whose number of incidents has comfortably surpassed those caused by other instant messaging worm families. The arrival on the scene of two new families should also be mentioned: W32/Prex.worm and W32/Oscarbot, the latter designed for the AOL messaging network.

The disproportionate increase recorded by PandaLabs in the number of variants belonging to the W32/Kelvir.worm family stands out: a massive 1280% increase compared to the previous quarter. The explosion of the W32/Kelvir.worm family is in stark contrast to the sharp decline of 71% in the W32/Bropia.worm family.

As indicated in the previous quarterly report, instant messaging worms, in contrast to their email counterparts, have been driven from the beginning by motives that transcend mere demonstrations of ego or power: the different variants of these malware families exploit each “conquest” to install a bot in the infected system.

The omnipresent bots are a very useful tool for hackers and cyber-criminals: authentic Swiss Army knives with which to perpetrate all types of actions. When a “tool” of this type is installed in a system, that system is left at the mercy of the hacker or cyber-crook, opening up a whole range of possibilities: installation of all types of Adware/Spyware, carrying out DDoS attacks, sending spam, etc. In fact, various cases of the fraudulent installation of Adware and Spyware using bots spread by these instant messaging worms have been recorded.

Phishing is one of the fastest growing threats since its emergence became clear at the end of 2003. Of all the types of phishing in existence, the one that creates most fear is the one that targets online banking clients. In fact, it is so worrying that financial institutions offering online services have now decided to step in.

Furthermore, phishers appear to have found a perfect ally in specialist Trojans to carry out far more silent and difficult to identify attacks:

- Installing this type of malware in the system of a potential victim means social engineering is no longer necessary in order to obtain the desired information (bank details, access credentials to online services etc), which results in greater precision and possibilities of success.

- Another major factor which tips the balance in favor of phisher-type malware is the possibility of capturing data of diverse nature and origin with each specimen. It should not be forgotten that in the case of traditional phishing, each message is personalized to obtain very specific data. The same message cannot be used at the same time to steal data from clients of two different financial institutions.

During the second quarter of 2005, PandaLabs recorded a large increase in the number of new variants detected for these types of Trojans, most notably those designed to steal bank information (with a major increase of 113%). Of particular relevance is a significant increase in certain families of Trojans specialized in theft targeting online multiplayer games (with an increase of 58%).

Families such as Trj/Banbra, Trj/Bancos, Trj/Banker, Trj/Bancodor or Trj/Banpaes are the leading types of malware specialized in bank data theft.

The overall growth of these malware families is around 113% according to PandaLabs data, which means that the number of new variants identified is comfortably double that of the previous quarter.

There is no doubt that the growth of Trojans specializing in the theft of financial information is alarming. This concern has spread not only to end users but also to financial institutions.

This situation is especially difficult in countries like Brazil, where these types of threats are increasingly prevalent. PandaLabs would like to acknowledge the magnificent effort being made by members of the Brazilian CERT in their particular struggle against these types of threats, and takes this opportunity to send them our most sincere congratulations.

During the second quarter of the year, PandaLabs detected a Trojan-type phisher which exploited to the full one of the main advantages that this type of malware possesses compared to traditional phishing: Trj/Bancos.NL includes a list...

Copyright © 2001-2013 Computer Crime Research Center