
Trend Micro releases exclusive report on virus activity of past month for GITEX 2004

  • United Arab Emirates: Sunday, October 03 - 2004 at 13:53
  • PRESS RELEASE

To support customers, media and industry analysts at GITEX 2004, Trend Micro has published new research taken from its international virus and malware laboratories, TrendLabs.

The research reveals a troubling rise in virus activity throughout Europe, the Middle East, and Africa.

TrendLabs catalogued some 1,485 new malware samples this past month; during the same period last year, only 250 new malicious codes were registered. Trojan programmes account for some 61% of the malware detected (including backdoors, which are essentially remotely controlled Trojans), and worms account for 29%. Most strikingly, 79% (or over 400 samples) of the worms detected by TrendLabs this September are 'bot' programmes, reflecting the expansion of remotely controlled 'zombie' networks.

• Why the increase?
There are various factors that could explain this. There is evidence of a clear motivational shift in the creation of viruses. Whereas previously virus writers were looking for their '15 minutes of fame', their inspiration now appears to be profit and monetary reward. This is illustrated by the growing number of malicious codes designed to create 'zombie' networks, which can be leased at any time to the highest bidder (see below), as well as the successive releases of information-stealing Trojans, such as variants of TROJ_BANKER and TROJ_BANCOS, which attempt to steal sensitive information (such as bank account details) from infected users. The increased availability of malware source code on the Internet is another significant factor: it allows hackers to create new variants simply by modifying existing code and releasing the result into the wild. This is particularly the case with worms like Mydoom, Bagle and Lovgate.

• Growing prevalence of programmes designed to create 'zombie' networks
As mentioned above, TrendLabs recorded some 400 such bot programmes this month, compared to 17 during the same period last year. These malicious codes commonly exploit network vulnerabilities to spread and use Internet Relay Chat (IRC) channels to give a remote attacker access to the compromised system. This enables the attacker to take control of the system in question and use it to build a 'zombie' network: a group of IT systems that can be used furtively for malicious purposes such as launching denial-of-service attacks. These networks can also be leased as makeshift spam relays. The growing number of bot programmes illustrates the expansion of bot networks; it could also be argued that it represents the growing number of hackers drawn to the idea of controlling remote systems.
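The report states that bots of this kind rendezvous on IRC channels to receive the attacker's commands. The check a network defender would run against that behaviour, as an added example that is not part of the Trend Micro report: a scan of outbound connection logs for an external host on an IRC port contacted by many internal machines, which is the signature of a bot rendezvous server rather than of individual chat use. The log format, the addresses, the port list and the `min_clients` threshold are all the editor's assumptions.

```python
"""Spot IRC command-and-control rendezvous in outbound connection logs.

Added example, not from the Trend Micro report: the log format, the
addresses and the `min_clients` threshold are the editor's assumptions.
"""
import re
from collections import defaultdict

# Assumed port list: plain IRC on 6660-6669 and 7000.  Bots are free to
# use any port, so a local policy should extend this from its own traffic.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample lines in a simple "timestamp src dst dport proto" form.
SAMPLE_LOG = """\
2004-09-12T10:01:03 10.0.1.15 203.0.113.7 6667 tcp
2004-09-12T10:01:09 10.0.1.22 203.0.113.7 6667 tcp
2004-09-12T10:01:11 10.0.1.30 203.0.113.7 6667 tcp
2004-09-12T10:02:40 10.0.1.15 198.51.100.9 80 tcp
2004-09-12T10:03:02 10.0.2.5 192.0.2.44 6668 tcp
2004-09-12T10:03:59 10.0.1.40 203.0.113.7 6667 tcp
2004-09-12T10:04:07 10.0.2.5 192.0.2.44 445 tcp
2004-09-12T10:04:20 10.0.1.22 198.51.100.9 80 tcp
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def parse_connections(log: str):
    """Yield (timestamp, src, dst, dport, proto) for each well-formed line;
    malformed lines are skipped rather than aborting the whole scan."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, dst, dport, proto = m.groups()
            yield ts, src, dst, int(dport), proto


def irc_destinations(log: str) -> dict:
    """Map each external host contacted on an IRC port to the sorted list of
    internal sources that connected to it."""
    clients = defaultdict(set)
    for _ts, src, dst, dport, proto in parse_connections(log):
        if proto == "tcp" and dport in IRC_PORTS:
            clients[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in clients.items()}


def find_rendezvous_servers(log: str, min_clients: int = 3) -> dict:
    """An IRC server reached by several internal hosts in one window looks
    like a bot rendezvous channel rather than individual chat use.  Returns
    {server: [clients]} for servers at or above the threshold."""
    return {dst: srcs for dst, srcs in irc_destinations(log).items()
            if len(srcs) >= min_clients}


def suspect_hosts(log: str, min_clients: int = 3) -> list:
    """Internal hosts that talked to a flagged rendezvous server; these are
    the machines to isolate and image first."""
    hosts = set()
    for srcs in find_rendezvous_servers(log, min_clients).values():
        hosts.update(srcs)
    return sorted(hosts)


if __name__ == "__main__":
    for server, clients in find_rendezvous_servers(SAMPLE_LOG).items():
        print(f"{server}: {len(clients)} clients -> {', '.join(clients)}")
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG))
```

Against the constructed log, 203.0.113.7 is flagged because four internal hosts reached it on 6667, while 192.0.2.44 is reported by `irc_destinations` but stays below the threshold; lowering `min_clients` trades fewer misses for more chat-server false positives.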

• Sasser worm still prevalent
Four months after its release into the wild, SASSER.B still tops the 'Top 10' list of viruses ranked by prevalence at TrendLabs. In September 2004, Sasser accounted for 31% of the total number of infections in this list, with most sightings of the worm coming from India. This indicates that a large number of systems still remain unpatched against the vulnerability the worm exploits, despite repeated campaigns from all sectors of the security industry.

• Resurgence of BAGLE and MYDOOM worms
During the period between August 25th and September 25th 2004, Trend Micro declared only one medium-risk outbreak, related to WORM_BAGLE.AI. Following the 'virus war' seen earlier this year, significant new variants of the Bagle worm appeared in July and early August. The more recent variants of this worm demonstrate a more complex propagation routine than their predecessors, which relied simply on mass-mailing. Later variants send a Trojan downloader component and an HTML script component in a zip file, and also spread via network shares. Staying true to their 'bloodline', the more recent Bagle variants continue to remove any traces of rival Netsky variants.

MyDoom, which first appeared in January 2004, has spawned five new variants this month, showing that its presence is still being felt.

• Emergence of the first 'JPEG virus'
On September 14th Microsoft published security bulletin MS04-028, announcing a critical vulnerability in the way certain Windows components process JPEG files that may enable an attacker to execute arbitrary code on a target system. An attacker can embed exploit code in a JPEG file so that it runs automatically when the file is opened or previewed on an unpatched machine. The code runs with the same privileges as the logged-on user, so an administrator merely viewing the image hands the attacker full access to the machine.

Remote exploitation of this vulnerability may involve specially crafted web pages that serve the malicious image, while an email-based attack may involve sending a modified JPEG file as an attachment to target users. Another possible vector is network shares, where copies of the crafted JPEG files can be placed. The exploit can then be triggered by users simply previewing the contents of the share, or by moving the mouse cursor over the JPEG file, since Windows Explorer renders the image to produce its thumbnail or tooltip.

The emergence of this threat, dubbed the first 'JPEG virus' (strictly an exploit of a file-parsing flaw rather than a self-replicating virus, although a worm could use it as a propagation vector), is somewhat daunting, given that JPEG is one of the most commonly used image file formats. Proof-of-concept code exploiting this vulnerability appeared a mere three days after the bulletin's publication. On September 24th we saw the release of a toolkit designed to fully exploit the vulnerability, indicating that there are indeed concerted efforts to maximise the flaw.
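The report says only that the flaw lies in how Windows components handle JPEG files. The check a practitioner would want at the mail gateway or file-share scanner, as an added example that is not part of the Trend Micro report: a walk over the JPEG marker segments that rejects any length field smaller than the two bytes the field itself occupies. That specific condition, a segment length of 0 or 1 that wraps to a huge count when the decoder subtracts 2, is the editor's reading of the flaw class MS04-028 addressed; the page gives no such detail, and the sample JPEG bytes below are constructed rather than taken from any real exploit.

```python
"""Check JPEG marker-segment length fields before handing a file to a decoder.

Added example, not from the Trend Micro report: the sample JPEG bytes are
constructed here and the checks encode the editor's reading of the flaw
class MS04-028 addressed (a segment length below the two bytes the field
itself occupies).
"""
import struct

SOS = 0xDA   # start of scan: entropy-coded data follows, no further lengths
EOI = 0xD9   # end of image
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
NO_LENGTH = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def build_jpeg(comment_length_field: int, comment: bytes) -> bytes:
    """Constructed sample: SOI, a JFIF APP0 segment, one COM segment whose
    length field the caller chooses, then EOI.  No scan data is needed to
    exercise header parsing, which is the layer the JPEG flaw lived in."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    seg_app0 = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    seg_com = b"\xff\xfe" + struct.pack(">H", comment_length_field) + comment
    return b"\xff\xd8" + seg_app0 + seg_com + b"\xff\xd9"


def scan_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments up to SOS and report length fields a
    careless decoder could mishandle.  Returns [(finding, offset, marker)];
    an empty list means the header layout is self-consistent."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return [("no-soi", 0, None)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(("unexpected-byte", pos, data[pos]))
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # 0xFF fill byte ahead of a marker
            pos += 1
            continue
        if marker in NO_LENGTH:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(("truncated-length", pos, marker))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            # The length counts its own two bytes, so 0 or 1 is invalid.  A
            # decoder that computes (length - 2) in an unsigned type wraps to
            # a huge byte count and copies far past its buffer.
            findings.append(("undersized-length", pos, marker))
            break
        if pos + 2 + length > len(data):
            findings.append(("length-past-eof", pos, marker))
            break
        if marker == SOS:
            break
        pos += 2 + length
    return findings


if __name__ == "__main__":
    benign = build_jpeg(16, b"Sample comment")
    crafted = build_jpeg(1, b"A" * 14)
    print("benign :", scan_jpeg_segments(benign))
    print("crafted:", scan_jpeg_segments(crafted))
```

The scanner stops at the first inconsistency and reports the offset and marker so the file can be quarantined and examined; it deliberately does not decode image data, so it is safe to run on untrusted input even where the real decoder is not.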

Notes and media contacts

About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers.

Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. TrendLabs is a service mark of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners.

Disclaimer:

Articles in this section are primarily provided directly by the companies appearing or PR agencies which are solely responsible for the content. The companies concerned may use the above content on their respective web sites provided they link back to http://www.ameinfo.com
