Worming into security infrastructure
According to Trend Micro, nearly half of the virus alerts issued in May were
Internet worms. This is not surprising, since present-day virus writers prefer
worms for their obvious advantages over traditional virus attack methods.
Trend Micro issued a total of 248 virus alerts in May. Nearly half (121, or
48.8 percent) were Internet worms. Trojan viruses and backdoor programs took
the second and third positions and accounted for another 26.2 percent and 10.9
percent of the total, with 65 and 27 alerts respectively. Trend Micro points
out that worms are spreading not just via email. Worms can also be combined
with backdoors, trojan programs and other blackhat hacker tools to steal information.
Trend Micro has also noted some interesting patterns in the evolution and behavior
of worms as security attack mechanisms. They are the following.
Increased outbreak pace
The typical pace of worm outbreaks has undergone a jump from once a month to
once a week. Trend Micro Senior Consultant Jamz Yaneza said, "Since the
very first worm, Morris, appeared in 1988, worms have been wreaking havoc across
the Internet. Over the last 18 months, worms have caused a major virus outbreak
on average nearly once a month."
This trend took a sharp upturn at the beginning of this year. Yaneza said, "In
the first quarter of 2004 alone, TrendLabs issued 12 virus alerts for major
worm outbreaks. Largely the result of three new worms MYDOOM, NETSKY, and BAGLE,
a new major outbreak has occurred nearly once a week on average so far this
According to TrendLabs, worm outbreaks in May are using new advanced techniques.
"The virus writers are learning from the behavior of previous malicious
code, using alternative intrusion methods that are more difficult to detect
and attacking the latest vulnerabilities."
Sasser is one of the best examples. However, Sasser, which caused delays at British
Airways, cancellation of 40 Delta Airlines flights and infected 19 British Coast
Guard control centers, did not make it into Symantec's top 10 list in May. On
the contrary, it was the reemergence of the two-year-old PE_ELKERN.D that secured
the number 1 virus position during May.
Virus cross-infection issues
The next trend is that virus cross-infection provides a route
for old viruses to reappear. TrendLabs noted that cross-infection could pose
an even more troublesome security problem as modern worms learn to cross-infect
with older viruses. On that point, Yaneza suggests that abnormal inter-virus
alliances are emerging: users infected with PE_FUNLOVE.4099 may also be simultaneously
infected with PE_ELKERN.D, and PE_FUNLOVE.4099 in turn could be a side-effect
of being infected with WORM_BRAID.A or WORM_WINEVAR.A.
This kind of tenacious virus outbreak clearly illustrates
the importance of preemptive alerts and antivirus protection at every level,
as opposed to relying on desktop antivirus or gateway prevention alone.
According to a report in April from the market analysis institution the Gartner
Group, 25% of Internet attacks were from known vulnerabilities in 2003. This
points to the increasing danger of virus cross-infection. "Users who do
not update their antivirus software can easily become high-risk groups for virus
and worm cross-infection," said Yaneza. In the latest example, just as the
Sasser virus writer was being apprehended, WORM_DABBER.A spread through
computers infected with Sasser. If a PC is infected with WORM_SASSER.A and nothing
is done about it, the user may have come out unscathed from Sasser, but a back
door left behind by Sasser can also be used by Dabber to infiltrate the system.
Network administrators who find the Dabber virus inside the company network
can be assured that someone else has also been infected with Sasser.
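The cross-infection relationships described in this section can be turned into a triage aid. The following is an added example, not code from Trend Micro or the original article: it reads antivirus alerts and lists, per host, the related malware the article associates with what was already detected. The alert format, host names and sample alerts are constructed, and treating each association as symmetric is an assumption made for triage.

```python
from collections import defaultdict, deque

# Associations named in the article; treated as undirected here (an assumption).
RELATED = [
    ("PE_FUNLOVE.4099", "PE_ELKERN.D"),
    ("PE_FUNLOVE.4099", "WORM_BRAID.A"),
    ("PE_FUNLOVE.4099", "WORM_WINEVAR.A"),
    ("WORM_DABBER.A", "WORM_SASSER.A"),
]

# Constructed sample alerts in a hypothetical "date host detection" format.
SAMPLE_ALERTS = """\
2004-05-14 ws-017 WORM_DABBER.A
2004-05-14 ws-022 WORM_BRAID.A
2004-05-15 ws-022 PE_FUNLOVE.4099
2004-05-15 fs-003 WORM_SASSER.A
"""

def build_graph(pairs):
    graph = defaultdict(set)
    for a, b in pairs:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def follow_up_scans(alert_text, pairs=RELATED):
    """Return {host: sorted related detections not yet seen on that host}."""
    graph = build_graph(pairs)
    seen = defaultdict(set)
    for line in alert_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _, host, name = parts
        seen[host].add(name)
    result = {}
    for host, detected in seen.items():
        # Breadth-first walk so chained associations (BRAID -> FUNLOVE -> ELKERN) are found.
        reached, queue = set(detected), deque(detected)
        while queue:
            for nxt in graph.get(queue.popleft(), ()):
                if nxt not in reached:
                    reached.add(nxt)
                    queue.append(nxt)
        missing = sorted(reached - detected)
        if missing:
            result[host] = missing
    return result

if __name__ == "__main__":
    print(follow_up_scans(SAMPLE_ALERTS))
```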
Worms do more than rapid spread
Trend Micro emphasizes that today's worms do more damage than the earlier worm
forms. In addition to spreading across the Internet, worms have also begun destroying
The total number of worms announced by TrendLabs in May was slightly lower than
in April (121 compared to 161). However, this does not mean the threat
has decreased. Earlier, worms searched address books for targets to spread themselves
across the Internet and did very little actual damage (other than clogging up
bandwidth). However, the Wallon virus, which generated a medium-threat virus alert
in May, not only achieves large-scale email proliferation through address lists,
it also automatically executes remote download of virus files and overwrites
original Media Player files so that Media Player becomes unusable until it is
Trend Micro points out, "We cannot predict what kinds of attacks worms
will use, but what we can be sure of is that email, shared folders and other
network resources remain the breeding grounds for worms, and we can anticipate
that more severe attacks including file damage will occur in the future."
Security vendors are still divided (at the time of writing) as to how dangerous
the Zafi-B (W32.Erkez.B@mm - Symantec, W32/Zafi.b@MM - McAfee, W32/Zafi-B - Sophos,
PE_ZAFI.B - Trend) worm is. However, they are united in increasing the threat
levels for Zafi.B.
The Zafi-B worm, which first appeared on Friday, 11 June 2004, spreads itself
by peer-to-peer file sharing systems and email using a wide variety of different
The Zafi-B worm can display a message box on screen containing the following
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES
MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen! 2004, jun, Pécs,(SNAF
The English translation is:
We demand that the government accommodates the homeless, tightens up the penal
code and VOTES FOR THE DEATH PENALTY to cut down the increasing crime. Jun.
2004, Pécs (SNAF Team)
The Zafi-B worm is believed to have been written in Hungary, but can send itself
via email using a variety of languages. Its predecessor, Zafi-A, displayed a
message calling for Hungarian patriotism. Antivirus updates are available for
Zafi-B from most major antivirus vendors.
The first ever 64-bit virus
Symantec Security Response experts have analyzed the first known 64-bit malicious
threat -- W64.Rugrat.3344. This proof-of-concept virus is not spreading in the
wild, according to Symantec. However, it is the first known threat to attack
64-bit Windows executables successfully.
Rugrat does not infect 32-bit executables and will not run on 32-bit Windows
platforms. It only targets 64-bit Windows systems.
W64.Rugrat.3344 exhibits the following characteristics:
- It is a direct-action infector -- a threat that exits memory after execution.
- Written in IA64 (Intel Architecture) assembly code, it infects IA64 executable
files excluding .dll files.
- Infects files that are in the same folder as the virus as well as all files
within the subfolders.
Symantec does not expect widespread infection or copying of virus code of this
worm since there is no broad penetration of 64-bit systems. Most home and business
systems deployed today are running on 32-bit platforms and are not affected
by this threat.
W64.Rugrat.3344 is a Level 1 threat (Level 5 being the most severe). Symantec
Security Response recommends that users update their virus definitions to protect
against this threat.
Source: F-Secure