Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Fortinet reviews 2004 malware - mass-mailer the most prolific pest

  • 10 January, 2005 12:46

<p>What has happened? Past Year (2004) Highlights</p>
<p>• The mass-mailer virus takes the top spot for the most prolific virus type of 2004. The three most successful viruses of this type can each be classified into one of three families: Bagle, Mydoom and Netsky.</p>
<p>• Those who in 2003 made predictions for what might happen in 2004 did not have to wait long to witness what could possibly turn out to be truly the worst computer virus ever. As far as being widespread, W32/Mydoom.A-mm was hands-down the clearest of the clear winners.</p>
<p>• Averaging the infection rates reported by several major ISPs and MSPs, some estimates put the peak infection rate of W32/Mydoom.A at somewhere between 50,000 and 90,000 detected copies per hour during the first 24 hours of the outbreak. Measured another way, one in every 20 emails worldwide contained a copy of W32/Mydoom.A-mm.</p>
<p>• An important update to the Microsoft OS (see XP SP2) and its most commonly used components helped to reduce the impact of a certain number of mass-mailer viruses, specifically those attempting to hijack SMTP functionality of Microsoft Outlook and Outlook Express.</p>
<p>• But it was not a mass-mailer virus that received the title of most high impact virus of the year, if there really was such a title. A single virus, W32/Sasser.A-net, had a very big impact in 2004 and, just as with W32/MSBlaster, once again brought to the fore the importance of keeping the OS up-to-date by applying all of the latest security-related patches.</p>
<p>• W32/Sasser.A-net took advantage of a known vulnerability that had been recently patched in a monthly Microsoft update cycle. As discussed under Microsoft technical bulletin MS04-011, “Security Update for Microsoft Windows”, and the eEye Digital advisory, a buffer overrun vulnerability exists in LSASS that could allow remote code execution.</p>
<p>• Just as with another network-aware predecessor, W32/MSBlaster, W32/Sasser was able to propagate to tens of millions of PCs, costing businesses untold millions of dollars. Correcting the LSASS vulnerability these viruses exploit is easily accomplished, but to this day viruses still take advantage of unpatched PCs (Agobot, Korgo, RBot, Bobax, etc.).</p>
<p>• One of the aforementioned viruses, W32/Agobot (or Gaobot), became “most numerous of 2004” in that the number of variants of it known to exist now exceeds 1,500. The primary reason for so many variations is that Agobot’s source code was posted to a public site. From that point on, anybody could download Agobot and code and recode it to suit their own needs.</p>
<p>• Two other large families of “Bots” emerged during 2004: W32/RBot and W32/SDBot. However many variants the two families contain, their purpose remains identical: to compromise the security of the system, and to prepare it for remote control by making it one zombie in a sea of zombies.</p>
<p>• As for being the most successful in setting up a network of spam zombies, we saw several successive variants of the Bagle, aka Beagle family. The W32/Bagle.A-mm onslaught began in the early hours of January 18th, 2004, and found its way to W32/Bagle.BD-mm (marking the 56th variant), by October 29th.</p>
<p>• The situation was made all the worse when W32/Bagle.AD-mm was found spreading in the wild, dropping and emailing its own source code during the infection process. Once again people who might want to do harm had raw virus code in their hands. Using an already proven infection vector, it would take only a modicum of programming knowledge to modify the code [so as to be undetectable by most virus scanners] and initiate the next Bagle outbreak. Here we began to see a shift in the motivation of virus writers: having once sought their ‘15 minutes of fame’, virus writers began to look for financial gain from their malicious creations. There has even been some speculation that professional spammers pay for each new Bagle variant.</p>
<p>• PCs weren’t the only pieces of computer hardware affected by viruses in 2004. Bluetooth-equipped cell phones running the Symbian operating system found themselves a target this past year.</p>
<p>• Known commonly as SymbOS/Mquito, or the Mosquitos Trojan Horse, this cracked and modified version of the reputable game has an expensive payload: infected phones may send text messages to premium-rate numbers without the user’s knowledge or approval. The spread of this virus was limited significantly by the fact that only people who knowingly downloaded and installed a cracked copy of the Mosquitos game became infected.</p>
<p>• The second noteworthy Symbian virus is SymbOS/Cabir. This virus does have the ability to transmit itself to the nearest Bluetooth-enabled device it finds, but it acts more like a Trojan horse in that successful infection requires the device’s owner to authorize two software install dialogues.</p>
<p>• Rounding out the year were two somewhat notable events. W32/Zafi.D-mm, the fourth in a family of viruses originally discovered in April 2004, momentarily showed signs of a spike in prevalence. Most antivirus vendors put a quick halt to its spread, however, by providing updates to detect the virus, thus limiting its potential.</p>
<p>• The second and more notable event was PERL/Santy-net, a virus that exploits a known vulnerability in the phpBB bulletin board software application. PERL/Santy-net doesn’t infect home PCs, rather, it causes a defacement of affected web site pages. PERL/Santy.A-net uses the Google search engine to locate potential hosts. Impressively, makers of the popular search engine were quick to step up to the plate and, without using traditional antivirus techniques, shut down the virus by filtering out known Santy-formatted requests.</p>
<p>• Computer crime did not always pay in 2004. Viruses were written and released, yes, but several virus authors were identified, brought to trial, and convicted of their crimes.</p>
<p>• Whether their punishments fit the crime is a subject too complex to be discussed in this paper. To sum up the current consensus, however, many believe the virus writers are being let off too easily.</p>
<p>• Light or even non-existent jail sentences for virus authors, and reversed sentences, are sometimes unavoidable, though. Most of the people caught writing viruses thus far have been minors, who are not subject to the same level of law as their adult counterparts.</p>
<p>What Next? Future Possibilities (2005)</p>
<p>• There are most definitely wolves in the virtual den. They become wilier with each new crafty email that attempts to coax personal banking information out of the unsuspecting computer user. This security threat is known as phishing, and we can expect to see more complex phishing tricks and tactics in 2005. Most phishing currently involves the sending of a fairly straightforward email. There is nothing viral about it, and thus it may escape consideration by antivirus scanners. The ‘From:’ address of the email is usually forged, a telltale sign of a spammed message. Otherwise, the message simply contains a few statements that are engineered to lead the reader to believe the message originates from a bank or other financial institution at which they maintain an account.</p>
<p>One that is about to expire!</p>
<p>So something needs to be done about it fast!!</p>
<p>Of course fixing it is as fast and easy as clicking on the link at the end of the email. And since we all know that banking institutions are always that efficient in everything else they do for us, we click on the link. Oh, what’s this? All I should do is confirm my user account number and password? My, that is simple!</p>
<p>Something does need to be done: Those who receive such emails should forward them to their banks and to their ISP’s abuse@ email addresses.</p>
<p>Phishing became commonplace in 2004, and in 2005 its volume is expected to increase dramatically. A major reason is that organized crime may be behind it. Realizing the huge financial gains that can be made from unsuspecting account holders, criminal hackers have successfully used phishing schemes to steal large sums of money from many a bank account holder.</p>
<p>A recent phishing attack directed users to a banking site. Once at the site, the phishing scheme initiated its own user login and password pop-up window. The new window mimicked a pop-up that might appear at any banking center and fooled the unwary into thinking they were actually entering their bank account number and password at the actual bank’s web site.</p>
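<p>The telltale signs listed above (a forged ‘From:’ address, an urgent “account expiring” pretext, a request for account number and password, and a link that does not go where it claims) can be checked mechanically before a message reaches the reader. The script below is an added example, not Fortinet’s code or part of the original release; it runs over two constructed messages (neither is a real phishing email) and reports which indicators each one trips, so a mail gateway or abuse desk could triage forwarded messages rather than rely on antivirus signatures alone.</p>

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the From: domain differs from
# the envelope sender, the text is urgent, it asks for a password, and the link's
# visible text names the bank while its href points at a bare IP address.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Security" <alerts@examplebank.example>
To: customer@example.org
Subject: Your account is about to expire - act now
Content-Type: text/html

<html><body>
<p>Your account is about to expire! Confirm your account number and
password within 24 hours.</p>
<p><a href="http://203.0.113.10/login.php">https://www.examplebank.example/login</a></p>
</body></html>
"""

# Constructed benign message from the same (fictional) bank for contrast.
BENIGN_EMAIL = """\
Return-Path: <newsletter@examplebank.example>
From: "Example Bank" <newsletter@examplebank.example>
To: customer@example.org
Subject: Monthly statement available
Content-Type: text/html

<html><body><p>Your monthly statement is ready.</p>
<p><a href="https://www.examplebank.example/statements">www.examplebank.example/statements</a></p>
</body></html>
"""

URGENCY_TERMS = ("expire", "act now", "immediately", "within 24 hours", "suspended")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if there is none)."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _hostname(url_or_text):
    """Hostname of a URL; bare 'host/path' link text gets a scheme so it parses too."""
    target = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(target).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the list of indicator names found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []

    def note(name):
        if name not in found:
            found.append(name)

    # 1. Header From: domain vs. envelope sender (Return-Path) domain.
    header_dom, envelope_dom = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    if header_dom and envelope_dom and header_dom != envelope_dom:
        note("from_vs_return_path_mismatch")

    # 2. Body text: urgency pretext and request for credentials.
    parts = [p for p in msg.walk() if not p.is_multipart()] if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts)
    text = TAG_RE.sub(" ", body).lower()
    subject = msg.get("Subject", "").lower()
    if any(term in text or term in subject for term in URGENCY_TERMS):
        note("urgency_language")
    if "password" in text:
        note("asks_for_credentials")

    # 3. Links: visible text naming one host while the href goes to another,
    #    or an href that targets a raw IP address instead of a hostname.
    for href, label in ANCHOR_RE.findall(body):
        label_host, href_host = _hostname(TAG_RE.sub("", label).strip()), _hostname(href)
        if label_host and href_host and label_host != href_host:
            note("link_text_vs_href_mismatch")
        if IPV4_RE.match(href_host):
            note("link_to_raw_ip")
    return found


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(raw))
```

<p>Each indicator on its own is weak (legitimate bulk mailers also use a separate bounce domain), so a gateway would normally score them rather than block on any single hit; the mismatch between link text and link target is the strongest of the four because there is no honest reason for it.</p>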
<p>• Exploits of vulnerabilities, known &amp; Zero-day: A popular trend in 2004 continued to be “find the vulnerability and exploit it.” This very often occurred where Internet Explorer was involved, but it wasn’t only the Microsoft developers who were busy patching. Software manufacturers large and small spent an increased amount of time researching and repairing known security vulnerabilities.</p>
<p>• Obviously: Expect many updates during 2005!</p>
<p>• Until the ability to do so is shut down or throttled: Expect more viruses to include their own SMTP engine.</p>
<p>Arming yourself now</p>
<p>• Ensure company networks are protected with an adequate security solution.</p>
<p>The nature of today’s viruses is such that a single point solution, whether hardware or software, is no longer enough. The convergence of hacking, spamming and worm techniques, the increase in network worms and the advent of ‘Zero-day’ attacks necessitate a multifaceted security solution that can react immediately, where the various security functionalities are interoperable, allowing the attack to be rapidly analyzed and blocked by the most effective means. Stand-alone security solutions lack the integration of best-in-class capabilities needed to enforce bullet-proof protection and lack the breadth of functionality required to handle the threats of today. As threats continue to increase, shipments of single-function security solutions are bound to decrease and ultimately become all but obsolete.</p>
<p>Unified Threat Management (UTM) appliances are possibly the only way forward to deal with the threats of today, and those of tomorrow. UTM security appliances combine (at least) the functionalities of gateway antivirus, firewall and Intrusion Prevention in a single appliance. Hosted in a single appliance, these various functionalities can communicate, allowing malicious code to be analyzed and stopped at a far greater speed, speed being of the essence when one considers the propagation potential of today’s malware. For further information on Fortinet’s FortiGate™ systems, which are the UTM appliance market leader, please see</p>
<p>About Fortinet</p>
<p>Fortinet is the confirmed leader of the Unified Threat Management market. Its award-winning FortiGate™ Series of ASIC-accelerated antivirus firewalls, winner of the 2003 Networking Industry Awards Firewall Product of the Year and the 2004 Security Product of the Year Award from Network Computing Magazine, are the new generation of real-time network protection systems. They detect and eliminate the most damaging, content-based threats from e-mail, Web and file transfer traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time – without degrading network performance. FortiGate systems are the only security products that are quadruple-certified by the ICSA (antivirus, firewall, IPSec, NIDS), and deliver a full range of network-level and application-level services in integrated, easily managed platforms. Named to the Red Herring Top 100 Private Companies, Fortinet is privately held and based in Sunnyvale, California.</p>
<p>For more information</p>
<p>Yvonne Cheong, Fortinet +65-6838 5226</p>
<p>David Frost, PR Deadlines +61-2-4341 5021</p>