Viruses
Like their biological counterpart, viruses replicate and mutate. Consequently, they can avoid being snared by your security software’s byte-pattern signature detection by changing key bytes within the code payload, or rewriting part of the code itself, every time they’re copied.
They’ve come a long way since the first known “in the wild” example, Elk Cloner, was discovered in 1982 on the Apple DOS 3.3 OS, or the first PC virus, (c)Brain, four years later. But today’s viruses can still be divided into two camps: resident and non-resident. The resident variety loads itself into memory upon execution and transfers control to the host program, then infects new hosts as their files are accessed. A non-resident virus will check executable files on the system for infection and, if they are uninfected, replicate into them before transferring control to the host program. Cavity viruses such as CIH infect a file without increasing its size, overwriting unused parts of the executable so that antivirus detection is harder.
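The two points above, signature evasion by mutation and cavity infection that leaves the file size untouched, are easiest to see side by side. The following is an added example, not code from the original article or from any antivirus product: it builds a constructed stand-in for a small executable (a header, some program bytes and unused zero padding), a hypothetical one-entry signature database, and two same-size “infected” variants. A byte-pattern scan catches only the variant whose bytes it knows, while a SHA-256 baseline flags both, even though neither changed the file size.

```python
"""Byte-pattern signatures versus content integrity, on constructed sample data."""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a small executable: a header, some program bytes and a
# run of unused zero padding, the kind of slack a cavity virus overwrites.
HEADER = b"MZ\x90\x00"
CODE = b"print('hello from the host program')"
PADDING = b"\x00" * 64
CLEAN_HOST = HEADER + CODE + PADDING

# Hypothetical signature database: one byte pattern for one known variant.
SIGNATURES: Dict[str, bytes] = {"example-virus-001": b"MUTANT-001"}


def same_size_variant(marker: bytes) -> bytes:
    """Constructed test data only: place marker inside the padding so the
    'infected' file has exactly the same size as CLEAN_HOST."""
    if len(marker) > len(PADDING):
        raise ValueError("marker does not fit in the padding")
    return HEADER + CODE + marker + b"\x00" * (len(PADDING) - len(marker))


def signature_scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Classic byte-pattern detection: report every signature found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record size and SHA-256 of every file while the system is known clean."""
    return {path: (len(data), hashlib.sha256(data).hexdigest()) for path, data in files.items()}


def integrity_check(files: Dict[str, bytes],
                    baseline: Dict[str, Tuple[int, str]]) -> List[Tuple[str, bool, bool]]:
    """Compare files against the baseline. Returns (path, size_changed, hash_changed)
    for every baselined file whose content hash no longer matches."""
    changed = []
    for path, data in files.items():
        if path not in baseline:
            continue
        old_size, old_hash = baseline[path]
        new_hash = hashlib.sha256(data).hexdigest()
        if new_hash != old_hash:
            changed.append((path, len(data) != old_size, True))
    return changed


if __name__ == "__main__":
    known = same_size_variant(b"MUTANT-001")
    mutated = same_size_variant(b"MUTANT-002")
    print("known variant:", signature_scan(known))      # matched by signature
    print("mutated variant:", signature_scan(mutated))  # signature misses it
    baseline = build_baseline({"app.exe": CLEAN_HOST})
    print("integrity:", integrity_check({"app.exe": mutated}, baseline))  # still caught
```

The size check alone would pass both variants, which is exactly the blind spot a cavity virus exploits; a content hash taken while the system is clean has no such blind spot, which is why file-integrity monitoring complements rather than replaces signature scanning.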
The type of virus that downs millions of computers worldwide is almost unheard of these days, but that doesn’t mean the threat has evaporated – it’s merely evolved.
Drive-by downloads
The goal of a typical web-based attack is to install malware on the victim’s PC. One of the most common methods used today is the injection of malicious code into otherwise innocuous web pages – the so-called drive-by download. This involves inserting code from an external source directly into a program or script, where it waits to be executed. So it’s possible to create a text file containing PHP code relating to server A, and have it executed on the exploited server B. One of the reasons code injection is so popular is the availability of kits that can be bought online, making it easy to create malicious code to install spyware or viruses, or to launch phishing attacks.
Once an appropriate web host is found, the code is injected and the victim is lured by being redirected from another site or via a link embedded in spam. “In a typical attack,” Fraser Howard, principal virus researcher at Sophos, explains, “the hacker will have embedded additional iframes onto the web page, often indiscernible to your average web user. These iframes silently load content, which usually attempts to exploit browser vulnerabilities in order to infect the victim’s PC.”
While many of these drive-by downloads are hosted on custom domains registered and set up specifically for the job, a growing number of cybercriminals are injecting malicious code onto legitimate web pages. “During the week before the Miami Dolphins were due to host the Super Bowl earlier this year, malicious code was hosted on the team’s website as hackers tried to take advantage of the influx of visitors to the site,” said Howard. Another tactic is to compromise a web server, as this enables the hackers to inject their code into many sites in a single strike, again increasing the number of potential victims.
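The hidden iframes Howard describes leave a footprint in the page source that a site owner can check for. The following is an added example, not code from the original article or from Sophos: it parses a constructed sample page (the hosts are documentation and TEST-NET addresses, not real infrastructure) and reports iframes that are both hidden from the user, by CSS or by zero dimensions, and load content from a host other than the page’s own. The page host passed in, `www.example-team.test`, is an assumption for the example.

```python
"""Flag hidden iframes that pull content from another host, on a constructed page."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample page: one visible, legitimate embed and three hidden frames.
# Hosts are documentation/TEST-NET addresses, not real attack infrastructure.
SAMPLE_PAGE = """<html><body>
<h1>Match report</h1>
<iframe src="https://video.example-team.test/player?id=42" width="640" height="360"></iframe>
<p>Highlights above.</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="//198.51.100.9/x.php" style="display: none"></iframe>
<iframe src="/widgets/scores" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag (names arrive lowercased)."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Parse the leading integer of a width/height attribute, or None if absent."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Hidden via CSS, or sized so small that the user cannot see it."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_suspicious_iframes(html: str, page_host: str) -> List[Dict[str, str]]:
    """Return hidden iframes whose src points at a host other than page_host.
    Relative URLs resolve to the page's own host and are not reported."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).netloc.lower()
        if is_hidden(attrs) and host and host != page_host.lower():
            findings.append({"src": src, "host": host})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.example-team.test"):
        print("hidden off-site iframe:", f["src"])
```

The visible video embed and the hidden but same-site widget are left alone, so the check stays quiet on ordinary pages; it is meant as a cheap periodic check on a site’s own published HTML, which is where the injection Howard describes would show up.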
Worms
Worms come in several species, but can be divided into four main categories. Email worms are the most prevalent and typically spread as a file attachment, hijacking the email system and sending themselves to the entire contacts list. “They often rely on social-engineering tricks to tempt the user into running the attached file,” says David Emm, senior technology consultant at Kaspersky Lab. “Or the worm’s code may be embedded as script in an HTML email message, or arrive as a link to malicious code.”
Internet worms spread directly over the internet or LAN. “They get a foothold on the system by exploiting an OS or application vulnerability, and then look for other vulnerable systems to infect,” explains Emm. IM worms use links within the messaging software to infect local contact lists, while P2P worms target file-sharing system users with the worm copying itself to a shared folder and letting the P2P network do the rest.
Regular security updates – such as the Microsoft Patch Tuesday run – are worm killers, since they reduce the vulnerabilities left to exploit. As a result, the good news is that “worms account for just a small percentage of today’s threats, around 5%,” according to Emm.
Trojans
The weapon of choice for the criminal malware underground is the trojan. According to Symantec, “increasingly, trojans are the first stage of an attack, and their primary purpose is to stay hidden while downloading and installing a stronger threat such as a bot. Trojans are crimeware, and the creation and distribution of these programs is on the rise. Along with spyware, they’re now 37% of all the malware Symantec processes on a weekly basis.”
Take the recent Trojan.Bayrob, for example, targeted at second-hand car purchasers on Ebay. This is a highly efficient attack, where victims are sent an email about a car for sale, complete with a slideshow of images. While the victim views the slideshow, the trojan is silently installed in the background. “The email most likely contains two different components that are crucial for the attack to succeed. It contains a link to a real Ebay auction and an executable. This executable is a dropper that plants two files into the ‘c:\documents and settings\[current user]\local settings\Temp\’ folder, both named kvet*.exe. One file is the clean slideshow app, and the other is the trojan,” Symantec claims.
If the victim clicks on a link to visit the Ebay auction, the trojan already running in the background will start intercepting that traffic. If they check the seller’s feedback, the trojan presents them with a fake feedback page instead, showing an excellent sales record, of course. If the victim decides to buy from the trustworthy seller, that’s the last they’ll see of their money.
That’s just one clever example of a trojan payload: others include installing a backdoor (so-called remote access trojans, or RATs) enabling your PC to be used as part of a spamming or DoS botnet, the encryption of data files as part of a cryptoviral blackmail scam, dropping other malware onto your system, or logging keystrokes and screen capture for ID theft purposes.
You can reduce the risk of trojan attacks by never opening unsolicited email attachments, downloading porn or indulging a trigger-happy link-clicking finger. Sometimes, the odds are stacked against you. Earlier this year, some TomTom Go 910 units came preinstalled with the win32.Perlovga.A trojan and TR/Drop.Small.qp on the device’s hard drive, ready to copy over to a Windows-based PC when the device was connected for updates.
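The Bayrob dropper described above leaves its two `kvet*.exe` files in the user’s Temp folder, and the TomTom case shows executables arriving under names and extensions nobody chose. A simple triage pass over such a folder is worth having. The following is an added example, not code from the original article or from Symantec: it builds a constructed scratch directory (the “executables” are just a bare `MZ` header, not malware) and reports files that either match a dropper name pattern or carry the Windows PE magic regardless of their extension. On a real machine you would point `find_dropped_executables` at the Temp path the article quotes instead of the constructed folder.

```python
"""Triage a Temp folder for dropped executables, on a constructed directory."""
import fnmatch
import os
import tempfile
from typing import Dict, List, Sequence

PE_MAGIC = b"MZ"  # every Windows executable starts with these two bytes


def build_sample_temp_dir() -> str:
    """Constructed test data: a scratch folder with two kvet*.exe droppings, an executable
    hiding behind a document extension and a harmless text file. Not real malware."""
    folder = tempfile.mkdtemp(prefix="temp-triage-")
    samples = {
        "kvet1.exe": PE_MAGIC + b"\x90" * 62,
        "kvet2.exe": PE_MAGIC + b"\x90" * 62,
        "report.pdf": PE_MAGIC + b"\x90" * 62,  # extension says document, bytes say executable
        "notes.txt": b"shopping list\n",
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


def find_dropped_executables(folder: str,
                             name_patterns: Sequence[str] = ("kvet*.exe",)) -> Dict[str, List[str]]:
    """Return {filename: reasons} for files that match a known dropper name pattern
    or carry the PE magic, whatever their extension says."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if any(fnmatch.fnmatch(name.lower(), p) for p in name_patterns):
            reasons.append("name-pattern")
        with open(path, "rb") as fh:
            if fh.read(2) == PE_MAGIC:
                reasons.append("pe-magic")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # On a real Windows box, pass the user's Temp folder named in the article instead.
    folder = build_sample_temp_dir()
    for name, reasons in find_dropped_executables(folder).items():
        print(f"{name}: {', '.join(reasons)}")
```

The name pattern catches only what you already know about; the magic-byte check is the more general test, since a dropper can call its payload anything it likes but cannot change the header Windows needs in order to run it.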
Next: Rootkits, Spyware and Phishing.