Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Virus Activity Increases in 2003 but Attacks Cause Less Damage

  • 12 August, 2003 10:43

<p>- Network-aware worms top Trend Micro’s threat list in the year to date -</p>
<p>According to antivirus vendor Trend Micro, virus activity appeared to increase moderately in the first seven months of 2003, but the cost and impact of virus outbreaks generally remained mild, at least for business users and corporate networks.</p>
<p>Worm-like viruses remained the predominant type of malware throughout the first seven months, particularly ‘mixed threats,’ which typically use multiple channels of transmission in addition to email. These viruses may incorporate successful features from past viruses, and make use of backdoors and other information-stealing exploits found in Trojans and hacker tools.</p>
<p>Trend Micro posted more than 130 low and medium-risk virus advisories in the year to August 1, 2003, including 20 in July. (The last threat, Worm_Mimail.A, struck at the very end of the month (or August 1 in Asia), and is currently the fourth most widespread virus after picking up following the weekend.)</p>
<p>The number of global medium-to-high risk alerts increased by about 40% in the first half of 2003, compared to the same period in 2002. However, recent outbreaks have tended to infect fewer computers, cause less damage and pass by more quickly than the major attacks of three or four years ago, such as Melissa or the Love Letter worm.</p>
<p>Jamz Yaneza, senior antivirus consultant for Trend Micro’s TrendLabs, sees an important explanation for this trend. “The widespread adoption of high-end antivirus and e-mail filtering software has greatly curbed the impact of viruses on enterprise networks,” said Yaneza. “The most successful viruses of yesteryear really took off by infecting large corporations, and using their e-mail systems as high-speed global distribution machines.</p>
<p>Today practically every large company, as well as most small and medium ones, have network-based virus protection. The typical virus is instantly blocked at the gateway level and never reaches a corporate user in an e-mail.”</p>
<p>The focus now turns to what strategies organisations have in place to deal with new types of mixed threats that use multiple propagation techniques to penetrate a network. In 2003 these included the Lovgate.F worm, which has topped Trend Micro’s most common virus list since March, and the Slammer worm (Worm_SQL1434.D), which wreaked havoc on the Internet with a lightning-fast strike on Microsoft SQL servers in January.</p>
<p>Also out in the vast sea of home users, millions of whom lack virus protection or fail to update it, nasty and long-running mixed threats such as Klez.H and Yaha.G seem to stay in endless circulation, occasionally slipping through the gates of corporate networks that let their guard down.</p>
<p>1. WORM_LOVGATE.F 5,388,004</p>
<p>2. PE_FUNLOVE.4099 2,376,671</p>
<p>3. WORM_KLEZ.H 1,205,683</p>
<p>4. PE_ELKERN.D 1,023,496</p>
<p>5. JS_NOCLOSE.E 738,752</p>
<p>6. WORM_YAHA.G 703,399</p>
<p>7. PE_NIMDA.A-O 517,710</p>
<p>8. WORM_YAHA.K 384,781</p>
<p>9. PE_NIMDA.E 314,071</p>
<p>10. WORM_BUGBEAR.A 193,305</p>
<p>Of Trend Micro’s ten most common viruses in the first half of 2003, nine are worms and/or worm-like mixed threats. The sole exception, JS_Noclose.A, is one of the malicious but non-destructive JavaScript exploits found in Web traffic, usually embedded in Web sites of a less than reputable nature. Its purpose is usually to take control of passing browsers and direct them towards another set of Internet destinations, where more sleazy commercial offers await.</p>
<p>While email easily remained the most common vector of attack overall, the two top threats were actually “network-aware” worms, one of which has no email component at all. The Lovgate.F (Worm_Lovgate.F) and FunLove (PE_Funlove.4099) worms can sidestep an email gateway-based defence by using network connections, such as shared or mapped drives, to spread through local area networks (LANs). Once inside, they are capable of infecting thousands of computers in minutes and are difficult to eradicate, re-emerging to re-infect networks if not cleaned thoroughly.</p>
<p>“These tenacious threats underscore the value of virus protection at all levels of the enterprise network, rather than putting all the guns at the gateway,” said Yaneza. Lovgate.F also spreads through email and packs a nasty bag of tricks combined from many earlier threats, which may explain its rapid rise to the top.</p>
<p>As they struggle to break through the corporate email wall, virus writers have become increasingly inventive at adding new channels in 2003, including P2P file sharing networks like Kazaa, instant messaging systems like ICQ, and Internet Relay Chat (IRC) applications. But these are still at best small cracks in corporate defences, and have probably not resulted in more than a trickle of new infections.</p>
<p>The surprisingly effective Slammer outbreak in January points to a much more powerful approach: exploiting built-in flaws and vulnerabilities in widely-used platforms that many enterprises depend on. The tiny Slammer worm targeted an old vulnerability in Microsoft’s SQL Server to cause the most mayhem on the Internet since Code Red. Vendors are getting faster at releasing patches to close these security holes, and administrators can try to deploy them more quickly, but the sheer number of vulnerabilities being discovered each year makes it impossible to cover completely.</p>
<p>Security experts are now worried about a critical security flaw in the Windows operating system, confirmed in July, which affects users of both PC and server versions. Gartner, for example, has rated the vulnerability as a "very high" risk because it is easy to exploit, has a widespread impact, and lends itself to scripted attacks. Microsoft described the problem as a buffer overrun vulnerability in the Remote Procedure Call (RPC) protocol used to request a service from another computer in a network. By exploiting the flaw, hackers could take control of a Windows-based PC or system remotely, changing Web pages, reformatting the hard drive, or adding new users to the local administrators group. Free security patches and other safety recommendations are now available through the Microsoft Download Centre.</p>
<p>About Trend Micro</p>
<p>Trend Micro is the world leader in providing centrally controlled server-based virus protection and content-filtering products and services. By protecting information that flows through Internet gateways, email servers and file servers, Trend Micro allows companies and service providers worldwide to stop viruses and other malicious code from a central point before they enter the network. Trend Micro was recently acknowledged as the worldwide leader in server-based antivirus in the IDC report "Antivirus Software 2002: A segmentation of the market". For more information visit</p>
<p>Blackie McDonald contact:
Georgia Sweetapple
Ph: 61 2 9929 0200</p>
<p>*Based on the number of infected computers detected by HouseCall™, Trend Micro’s free on-line virus scanner for PCs, and by the Trend Micro Control Manager (TMCM), a central management solution for network administrators, from January 1 through June 30, 2003 (Source: Trend Micro World Virus Tracking Centre)</p>
