2006 Annual Threat Round-up and 2007 Forecast: a special report by Trend Micro, December 2006. David Sancho, threat specialist; Jamz Yaneza, senior threat researcher.


All data provided in this report was gathered from TrendLabs, Trend Micro's global threat research and support organization that provides customers with 24x7 response to the latest threats, as well as from Trend Micro's Network Security Services. With more than 800 security experts around the globe, TrendLabs operates in 15 locations including Germany, Japan, the Philippines, and the United States, and collects approximately 1.5 billion spam emails daily from over 3000 business customers. It also collects IP addresses and stores 50 million spam emails per day for forensic analysis.

Upon review of the malware threats that occurred in 2006, two trends are very clear:

* The nature of threats is changing from widespread to targeted and regional, and in addition to email and messaging threats, the web is emerging as a powerful threat vector. Trend Micro also sees the blending of email and web threats to create attacks that are both harmful and viral, as well as the use of blended threats: multiple pieces of malware working together.

* Malware creators have an ever-increasing and technologically sophisticated tool set at their disposal, comprised of bots and botnets, rootkits, social engineering, spyware and adware. They are motivated more than ever by financial gain and are creating underground economies specifically for producing malware, crimeware and spyware/adware. Many come from Eastern Europe and Asia. Rather than create malware that deletes files and cripples PCs, they are creating malware that surreptitiously resides on PCs waiting to be called into action by a botmaster, or for the right moment to steal personal information. They continue to create threats that are more likely to evade detection, such as image spam (spam emails containing images rather than text). This threat roundup and forecast analyzes the threat activity that occurred in 2006, and offers recommendations to businesses and consumers alike for being prepared in 2007.

Malware Trends in 2006

Digital threats to information never cease. Since Trend Micro's 2005 Annual Roundup and 2006 Forecast was issued in December 2005, an average of 1.4 million threats have been recorded each month (Figure 1).

The Return of Malware-Related Threats

2006 has shown a dramatic return to malware-related threats. Additionally, crimeware-related Trojans have gained notable prominence. Of the top 20 threats in 2006 (Figure 2), 80% (16 of the 20 entries) are malware proper, that is viruses, worms, Trojans and backdoors, rather than spyware or adware. The specifics of each are discussed below.

WORM_NYXEM

The major virus concern of 2006 occurred in January, with the rampant propagation of WORM_NYXEM variants (initially detected as WORM_GREW). This worm had a programmatic timer that activated on the third of every month and deleted common Microsoft Office documents and archives. It was also very effective at dropping copies of itself on shared directories and drives, as well as deleting the auto-start entries of antivirus and security products from the Microsoft Windows registry. The successful and continued propagation of NYXEM variants is attributed to its sex-oriented social engineering, using provocative e-mail subject and message lines promising video clips and images. While this technique is somewhat dated (W97M_MELISSA used it in 1999), it has been reused successfully for many of the large outbreaks of the past six years.
Figure 2. Top 20 Threats of 2006. Numbers culled from 3.2 million unique reports.

  Threat             Reports
  ----------------   -------
  WORM_NYXEM.E       571,291
  TROJ_Generic       569,845
  HTML_NETSKY.P      386,943
  WORM_NETSKY.DAM    242,609
  PE_PARITE.A        235,476
  SPYW_DASHBAR.300   234,565
  SPYW_GATOR.F       216,291
  WORM_MOFEI.B       191,205
  WORM_NETSKY.P      175,084
  JAVA_BYTEVER.A     167,738
  EXPL_WMF.GEN       143,848
  ADW_WEBSEARCH.K    142,994
  WORM_ANIG.A        137,490
  PE_FUNLOVE.4099    122,096
  WORM_NETSKY.D      118,168
  WORM_RONTKBR.GEN   115,849
  WORM_RONTOKBRO.B   111,016
  TROJ_ROOTKIT.E     107,915
  BKDR_Generic        95,668
  ADW_SLAGENT.A       95,067


Trend Micro uses heuristic techniques to immediately identify many of the newer threats, particularly crimeware-related spyware and keyloggers such as those targeting bank and online gaming accounts. Users with gateway implementations of content filtering now have better protection as a result.

WORM_NETSKY

While the WORM_NYXEM variants outnumber the WORM_NETSKY variants, the collective infections of the NETSKY family exceed those of NYXEM by more than 50%. Damaged versions of NETSKY attachments are also reported as representing one-third of all family-related infections, and are usually either the result of improper cleaning at the gateway or of corruption as the attachment is relayed between email servers.

WORM_MOFEI.B

WORM_MOFEI.B is a traditional network worm without email propagation capability. Variants of this worm use brute-force password guessing to log into systems and install themselves as backdoors. MOFEI's functional features give an attacker full control over affected systems, including the ability to run applications and modify data. It is also interesting to note that MOFEI creates bogus administrator-level accounts whose names suggest Windows Terminal Services, but communicates over the common ports 135 and 139 (Windows RPC and NetBIOS session service), which are usually associated with Remote Commander.

PE_FUNLOVE.4099

First detected in November 1999, PE_FUNLOVE.4099 is the oldest file infector to appear in the top 20 threats of 2006. This threat also acted as a network worm and thus could propagate more easily, since network shares have historically proven to be the most effective threat vector. The PE_FUNLOVE.4099 infector also dropped viral code and patched the files NTLDR and NTOSKRNL.EXE, enabling it to bypass both the Microsoft Windows file-integrity checking for the NT boot loader and kernel, and the integrity checking of infected Windows files. Thus, via a pseudo-kernel-mode rootkit function, this malware was able to defeat the security mechanisms available to protect Windows users from viruses, and has remained active for more than five years. Because of its complex infection routine, FUNLOVE has been used as a payload by both WORM_BRAID and WORM_WINEVAR; and, in a recent discovery of double infections, by piggy-backing on the WORM_BAGLE.H variant, which resulted in a new family called WORM_FUNBAG, initially detected in March 2004.

PE_PARITE.A

PE_PARITE.A, the second oldest threat on the list, was first discovered in January 2001 but has proven surprisingly tenacious despite many contemporary security solutions. It injects its code into the Windows Explorer.exe process, thereby making itself part of every normal operation. This is a prime example of a pseudo-user-mode rootkit. By affecting how Explorer.exe works, PARITE gains control ahead of other processes and quickly infects other executables (*.EXE) as well as screen-savers (*.SCR).

WORM_BRONTOK and WORM_RONTOKBR

WORM_BRONTOK and WORM_RONTOKBR variants specifically target Indonesian-speaking users, as is evident from their spammed e-mail subject lines and content. This parasitic threat actively monitors the Windows registry and prevents removal attempts or the installation of antivirus and security products by automatically forcing a reboot.

Exploits account for 10% of threats propagating in the wild. It is their unhindered execution, combined with various malware and grayware, that makes exploits popular tools in the information thief's arsenal. Holes in the Microsoft Java Virtual Machine and its use of ActiveX relate to MS00-075 and MS03-011; improper MIME-type header handling is related to MS01-020. Although more commonly associated with web pages, the ability of many email applications to send and receive HTML-formatted messages provides an opportunity to embed exploit code and thus auto-run attachments without user intervention. Many of the items in the threat list also use the auto-attachment execution exploit to propagate themselves, including PE_CHIR, VBS_REDLOF, WORM_NETSKY, and WORM_TRAXG.
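The MIME-header trick behind MS01-020 (a Win32 executable declared as a harmless type such as audio/x-wav so that an HTML-capable client would run it on its own) is straightforward to catch at the gateway: compare each attachment's declared Content-Type with what its leading bytes actually are. The following scanner is an added example written for this page, not Trend Micro's product code; the magic-byte table and executable-extension list are illustrative, and the two sample messages are constructed inline.

```python
"""Audit MIME attachments for declared-type / actual-content mismatches.

Added example: flags attachments whose content signature contradicts the
declared MIME type (for instance a PE image declared as audio/x-wav) and
attachments carrying a directly executable extension. Standard library only.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Content signatures: leading bytes -> MIME type we would expect to see declared.
MAGIC = {
    b"MZ": "application/x-msdownload",   # PE / DOS executable
    b"GIF8": "image/gif",
    b"\x89PNG": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"RIFF": "audio/x-wav",              # RIFF container (WAV or AVI)
}
# Extensions Windows treats as directly executable (assumption: a gateway policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for signature, mime in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def audit_message(raw: bytes) -> list:
    """Return one finding per suspicious non-body part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        declared = part.get_content_type()
        if part.get_content_maintype() == "text" and not name:
            continue  # ordinary message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        actual = sniff(payload)
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        reasons = []
        if actual and actual != declared:
            reasons.append(f"content is {actual} but declared {declared}")
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
        if reasons:
            findings.append({"filename": name, "declared": declared,
                             "actual": actual, "reasons": reasons})
    return findings


def build_sample(maintype: str, subtype: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message with one attachment (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "check out this clip"
    msg.set_content("Attached as promised.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# A PE header dressed up as a WAV file, and a genuine-looking GIF (both constructed).
SPOOFED = build_sample("audio", "x-wav", "clip.wav", b"MZ\x90\x00\x03\x00" + b"\x00" * 58)
BENIGN = build_sample("image", "gif", "photo.gif", b"GIF89a" + b"\x00" * 32)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, audit_message(sample))
```

The check deliberately ignores the filename when deciding what the bytes are: the declared type, the extension and the content are three independent claims, and a mismatch between any two of them is the signal.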

Money Still The Main Driver For Malware Authors

In 2006, the overwhelming majority of malware attacks were driven by financial theft, and employed such tactics as password stealing, keylogging, and other related activities.

Trend Micro and other industry analysts refer to this type of threat as crimeware, the fastest-growing threat in the malware category. All crimeware, from TSPY_BANCOS, which steals passwords, to TROJ_YABE, which attacks eBay users, follows three typical paths to its payload: identity theft, extortion, and/or espionage.

Once these efforts are successful, crimeware employs a variety of methods for actually stealing money, such as hijacking banking passwords, holding files captive under threat, or raiding proprietary corporate information.

Additionally, two other malware behaviors not directly related to crimeware, but popular among malicious attackers as a means of financial theft, are community-forming and the download of further malicious components. Community-forming malware is usually called a bot worm or, simply, a bot. A bot's primary objective is to achieve as broad a distribution as possible, while enabling its creator to maintain centralized control. Combining individual bots into a network, or botnet, increases the bots' power and enables creators to exploit this power over hundreds of thousands of PCs for financial gain. During 2006, botnets experienced significant growth, the most notable being the WORM_SDBOT family.

The financial motivation inherent in today's malware demonstrates that malicious attackers are no longer mere individuals, as in the past. Now, attacks are commonly executed as joint ventures among professional malware programmers with access to greater pooled resources, and such consortiums are dedicated to the creation and distribution of malicious software intended to steal money from individual and corporate victims. Crimeware includes spyware and other keylogging Trojans, hacking tools, and phishing-related email spam. New hybrid combinations have also emerged, including spy-phishing (a targeted spyware attack in which a downloaded Trojan, programmed to steal specific information from a specific legitimate URL, activates and sends the information to a malicious third party) and vishing (a targeted phishing attack using voice over IP, VoIP). Since the stakes for information theft are rising, applying the term crimeware to the above activities gives computer users an appropriate understanding of the threats they face.

Hacking tools account for most crimeware-related threats. However, users should not feel reassured by the continued success of such old-fashioned infiltration techniques; the majority of systems remain ineffectively patched and firewalled against current threats, mostly because of new machines coming online and users being unfamiliar with security concerns. Phishing, spyware, and spy-phishing are very real threats. Spy-phishing, especially, is a particular concern, as its two-pronged approach (see above) means that users are vulnerable the moment they visit an implicated URL. Even if users suspect a site and navigate away from it, the malware remaining on their machines completes the theft.

Web Threats Emerge From the Shadows of Email Threats

Most malware threats propagate via email. In 2006, attackers combined phishing emails with malicious attachments to create a strong attack vector, identified by Trend Micro as spy-phishing. Spy-phishing initially uses email spamming techniques to distribute messages which, in turn, rely on social engineering ploys to trick users into running malicious file attachments. Identity theft remains the primary objective of spy-phishing.

In addition to email, the second most prevalent means of malware distribution is the Web. Most often, attackers prey upon users' belief that a malicious program is needed or expected, and therefore legitimate. For example, in developed countries, increased Internet bandwidth has spawned explosive growth in video sharing and downloading. In order to view the variety of file formats available, users need codecs, small programs that encode and decode digital data streams, which are often available as downloads from video-sharing sites. Malware authors exploit this by regularly setting up bogus codecs on public networks; sometimes, they go so far as to create entire malware websites around the fake codec. The TROJ_ZLOB family consistently uses this strategy, masking files as "mandatory downloads" necessary to watch online videos. Malware authors also make effective use of another Web-based distribution method: publishing malicious links in search engines, discussion forums, and other public places. These links point to download pages with heavily obfuscated script code intended to prevent detection. For example, the FEEBS worm attacked when a user visited a page containing one of these scripts, which enabled the worm to download itself and infect the user's computer.

New vulnerabilities surface every month, and malware creators respond by adding fresh network-spreading capabilities to their arsenal. This helps them acquire new, unprotected victims each time an exploitable vulnerability is made public. Ever since the Blaster worm first occurred in 2003, malware authors have very successfully exploited network vulnerabilities--immediately updating their libraries when a new vulnerability is released. Bot worms have traditionally been the fastest to incorporate support for newly published exploits.

New in 2006, Trend Micro has observed malware that exploits client-side vulnerabilities.

Such threats operate via exploit files which, when opened, drop a piece of malware onto the user's system. The WMF exploit marked this new trend in early January. Consisting of specially crafted WMF image files, this attack exploited a vulnerability in the Windows image rendering engine, which allowed rogue code to execute as soon as a user viewed the bogus image. The code that ran in this way typically installed crimeware. Similar waves of exploits followed, many of which took advantage of client-side vulnerabilities within the popular Microsoft Office suite, as well as applications such as the music player Winamp.

Because users typically don't recognize these exploit files as threats--and therefore open them without consideration--the social engineering component in these cases is significant.

Regional and Targeted Attacks Replace Global Outbreaks

In 2006, Trend Micro has observed that--with the exception of bot worms--most modern malware lacks the means to easily propagate. This fact implies that unlike older generations of malware, creators of modern threats intend their malware to remain localized. This greatly impacts the types of infections experienced by businesses and consumers alike.

For example, in 2004, a malware outbreak would have wreaked havoc on all seven continents, causing security companies to pursue an immediate solution for cleaning and preventing infections. In 2006, malware outbreaks have instead targeted email address lists, or visitors to a malicious Web page, and may only infect those specific computers. Once an attack is successful, today's malware only remains active until it can steal a user's personal information and, eventually, money. "Targeted attacks" follow the same principle. Deployed in order to steal confidential information from specific companies, such threats mimic internal emails and target certain individuals within a given organization. As soon as even one user is tricked into running the attached malware file, the company becomes vulnerable to widespread theft of often vital data.

Similar to a regional attack, a targeted attack is even narrower in scope with a more specialized objective.

Both regional and targeted attacks affect fewer users than in the past, and often involve blended threats. This presents a new challenge for security companies, for cleaning narrowly focused, self-updating malware is much more difficult than cleaning a widespread, static worm. Therefore, the threat landscape has become more dangerous than ever.

Blended Threats Are Better Than One

Although the term blended threats was coined a while ago, it has become increasingly relevant to today's Internet landscape. In fact, most malware attacks today involve multiple pieces of malware.

Typically, a malware infection launches when a user, either wittingly or unwittingly, downloads an executable file that, in turn, downloads other malicious components and/or spyware. The unfortunate result is infection of the targeted computer by as many as four different types of malware, spyware, and adware, and sometimes more. For example, in the Gromozon case of Q4 2006, Italian users were tricked into visiting a malicious Web page. This page redirected users, via a script, through a chain of other pages that eventually caused them to download a file. This file then unleashed a malware download process that dropped adware and other components onto affected systems, installing them and protecting them with a rootkit.

Similarly, also in Q406, the NUWAR worm attacked several different regions. NUWAR mass-emailed messages with "nuclear war" subject lines and an attached executable file.

This file, when run, dropped a downloader component onto the affected machine and planted copies of the mass-emailer module; then, it downloaded four other components, including a new downloader (which enabled the import of new modules without detection) and a rootkit that hid the entire malware army. The unfortunate result was a collection of computers transformed into spam- and infectious-worm email generators.

The main component of the NUWAR threat was a module that sent spam emails advertising stock sales.

Sadly, these are not isolated cases. Blended threats are a growing concern for all Internet users, and a challenge for antivirus companies. Trend Micro anticipates this type of attack to continue at least into the near future.

Spam and Phishing

Spam is nothing new. Unsolicited advertising, bandwidth hogging, and productivity drops have been irritating users for at least several years, and in 2006 spam has continued to rise. One factor behind this spike involves the ways in which bot owners leverage their botnets to propagate spam. In this scenario, the email origination point constantly shifts among members of the botnet, which makes blacklisting as a defensive tactic nearly impossible. Similar instances of using malware as a spamming platform have also been observed. The best example is the STRAT worm distribution, which occurred in the third and fourth quarters of 2006. This worm behaved very much like a typical, fast-spreading mass-mailing worm, with a special twist: it spammed advertisements for an online pharmacy from each infected host. The NUWAR worm, mentioned previously, also used infected machines as spam-sending platforms. Trend Micro predicts this is not the last time such a plot will appear, which bodes poorly for all email users and their inboxes.

Incidentally, these spammer worms leverage the latest mass-mailing technique: image spam. In 2006, in order to bypass spam filters, spammers revived an old trick that has now become quite common: placing the advertising text within an image, and scattering random elements such as dots or lines throughout the text. The resulting complexity of such emails makes it difficult for heuristic engines and other antispam tools to detect image spam.
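Image spam defeats word-based filters precisely because the pitch is in a picture, but that leaves a structural signal: a message whose only substantial content is an inline image, surrounded by little or no visible text. The scorer below is an added example written for this page, not Trend Micro's engine. It does no OCR, so the dot-and-line noise described above does not affect it; the thresholds and both sample messages are constructed here and would need tuning against real mail.

```python
"""Structural scoring for image spam.

Added example: compares the amount of visible text in a message with the
number and size of embedded images and whether those images are referenced
inline (cid:) rather than offered as attachments. Standard library only.
"""
import base64
import email
import re
from email import policy


def score_image_spam(raw: bytes) -> dict:
    """Score a raw RFC 822 message; 'image-spam' when the picture is the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars = html_chars = image_bytes = image_parts = cid_refs = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        if ctype == "text/plain":
            text_chars += len(payload.decode(charset, "replace").strip())
        elif ctype == "text/html":
            html = payload.decode(charset, "replace")
            cid_refs += len(re.findall(r'src\s*=\s*["\']?cid:', html, re.I))
            html_chars += len(re.sub(r"<[^>]+>", "", html).strip())  # crude tag strip
        elif part.get_content_maintype() == "image":
            image_parts += 1
            image_bytes += len(payload)
    visible = max(text_chars, html_chars)
    score = 0
    if image_parts and visible < 40:
        score += 2          # a picture with (almost) no words around it
    if cid_refs:
        score += 1          # the image is meant to render inline, not to be opened
    if image_parts and image_bytes > 20 * max(visible, 1):
        score += 1          # bytes of picture dwarf bytes of text
    return {"image_parts": image_parts, "visible_text": visible,
            "inline_refs": cid_refs, "score": score,
            "verdict": "image-spam" if score >= 3 else "ok"}


# Constructed samples: a GIF-only pitch and an ordinary mail with a chart attached.
_GIF_B64 = base64.b64encode(b"GIF89a" + bytes(range(256)) * 4).decode()
_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 120).decode()

SPAM_SAMPLE = (
    "From: promo@example.test\n"
    "To: you@example.test\n"
    "Subject: Re: invoice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><img src="cid:pic1"></body></html>\n'
    "--b1\n"
    "Content-Type: image/gif\n"
    "Content-ID: <pic1>\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + _GIF_B64 + "\n"
    "--b1--\n"
).encode()

HAM_SAMPLE = (
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Subject: Q4 numbers\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b2"\n'
    "\n"
    "--b2\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Bob, the attached chart has the quarterly figures we discussed on Monday.\n"
    "Let me know if the legend needs changing before I send it to finance.\n"
    "--b2\n"
    "Content-Type: image/png\n"
    'Content-Disposition: attachment; filename="chart.png"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + _PNG_B64 + "\n"
    "--b2--\n"
).encode()

if __name__ == "__main__":
    print("spam:", score_image_spam(SPAM_SAMPLE))
    print("ham: ", score_image_spam(HAM_SAMPLE))
```

A score like this is a feature for a spam classifier rather than a verdict on its own; legitimate newsletters also lean on inline images, which is why the text-length and byte-ratio checks are combined instead of used individually.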

Although samples are processed continuously, almost 60% of phishing sites have either been discovered and taken down, or have changed to avoid detection, by the time an actual sample is received for processing. This underlines the need for products that either have a permanent online connection or are equipped with heuristic technologies to effectively detect and block phishing sites.

Many of the affected companies, such as eBay and PayPal, have established dedicated departments and security groups for mitigating the effects of phishing-related crimeware, often by joining broadly based, cross-industry initiatives. They also actively educate users about these types of activities. Traditionally, phishers have used at least ten different techniques to lure users into their schemes. However, due to various browser improvements, as well as government- and private-sector-sponsored awareness campaigns, only one of these techniques remains effective: address-bar spoofing. Address-bar spoofing abuses Java or ActiveX scripting to overlay the legitimate address bar with a fake image. Otherwise, more than 96% of all phishing attempts rely on the explicit display of a spoofed URL, using a combination of character-encoding tricks to impart a false sense of security to users.
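The spoofed-URL tricks referred to above all rely on the part of the link a user reads not being the host a client connects to. The analyzer below is an added example written for this page, not Trend Micro's code; it goes slightly beyond the text by also treating punycode hosts and brand-as-subdomain names as suspicious. It uses only the standard library, the sample URLs are constructed, and the brand watch-list is a placeholder for an organization's own list.

```python
"""Heuristics for deceptive URL presentation in phishing links.

Added example: flags a trusted name placed in the userinfo part so the real
host follows an '@', percent-encoding that hides that '@' from a casual
reader, raw IP hosts, punycode hosts, and a brand used as a subdomain of an
unrelated domain.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

TRUSTED_BRANDS = {"paypal.com", "ebay.com"}   # assumption: your own watch-list


def registrable_domain(host: str) -> str:
    """Crude 'real domain': the last two labels. A public-suffix list would be better."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url: str) -> dict:
    """Return the host a client would actually contact plus the reasons it looks deceptive."""
    reasons = []
    decoded = unquote(url)            # what a lenient client would act on
    if decoded != url:
        reasons.append("percent-encoding present")
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        reasons.append(f"userinfo '{parts.username}' shown before real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("numeric IP host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = host
        reasons.append(f"punycode host displays as '{shown}'")
    real = registrable_domain(host)
    for brand in sorted(TRUSTED_BRANDS):
        if brand in decoded.lower() and real != brand:
            reasons.append(f"mentions {brand} but real domain is {real}")
            break
    return {"real_host": host, "real_domain": real,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://www.paypal.com@203.0.113.5/login",
              "http://www.paypal.com%40203.0.113.5/login",
              "http://paypal.com.account-verify.example/",
              "http://www.xn--pypal-4ve.com/"):
        print(u, "->", analyze_url(u))
```

Decoding the whole URL before parsing is intentional: it reproduces the lenient behaviour that made the "%40" variant work against older browsers, so the analyzer sees the same host the victim's client would have connected to.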

On average, Trend Micro has identified more than two million different pieces of spam flooding the Internet each month. English is the predominant language used, likely due to its global application in the business world; English-language spam constitutes 61% of all samples processed, representing an enormous 20% increase over last year.

Regionally targeted spam for the Japanese market is also on the rise. Chinese spam is the third largest, at more than a half-million pieces recorded.

Commercial spam, that is spam involving trading or Web offers, represents 13% of all spam. This is an almost 5% drop from last year's value, likely due to spammers testing the effectiveness of new topics. Financial spam, such as offers for debt consolidation or mortgage programs, is a close second at 8% of the pie. Health-related spam comes in third at 6%. The most successful spam leverages topics that are likely to be of concern to a majority of people, thus ensuring propagation via social engineering. Users who fall victim to such scams, however, are left with nothing, while scam artists make off with their money.

Spyware

The past several years have witnessed the rise of spyware and other non-malicious threats. These threats have been a concern for home and corporate users for two main reasons: the annoyance their unsolicited advertising displays cause, and the data leakage their presence introduces. In 2006, spyware and adware have continued to increase, thanks to their creators discovering innovative new ways of distributing them. As previously mentioned, many malware attacks are, in reality, blended threats that install spyware and/or adware on the infected computer, which vastly increases their dissemination. The fight against spyware is at its peak, and the market for anti-spyware software is growing.

On their own, aggressive marketing tactics may not appear to be much of a threat--but, especially recently, the results of such activities have included technological abuse. For example, spyware--which profiles users' activities and browsing preferences--feeds into a database that loads these preferences into adware campaigns designed to either promote more visits to a particular site, or to leverage the data to compete with a different brand.

TrendLabs has observed, across almost four million spyware and adware reports, that several pieces of malware are being used to generate click-through revenue. The prevalence of spyware and adware is therefore a concern: as companies adopt more stringent content filtering, unregulated advertisers may turn to malware to force marketing content onto users. Commercial spam already employs this approach, with WORM_STRAT distributing pharmaceutical spam as part of its payload.

The New Technologies and Threats on the Block

2006 witnessed the resurfacing of file infectors. File infectors insert malicious code into other executables, making them stickier and more difficult to remove than the more common worms and Trojans. Older file infectors, which fell out of fashion several years ago, have been replaced by a newer generation that behaves differently from its ancestors.

Current incarnations have a more modern, somewhat predictable

MACRO VIRUSES

Since 2004, Trend Micro has reported that macro virus threats are virtually gone. This is because the technologies involved have not changed much over the years, which makes them easier to protect against. However, the effects of document and data modification remain relevant within the current threat landscape: despite the lack of new macro variants, the Microsoft Office suite remains affected by malicious activity. Macro threat reports in 2006 rose, peaking first in April and then again in September.

MICROSOFT WINDOWS INTERNET EXPLORER 7 THREATS

Microsoft Windows Internet Explorer (IE) 7 will soon be the most popular Web browser worldwide, due largely to Microsoft's decision to deliver it to existing Windows users via Windows Update. IE 7 brings three important new features which Trend Micro believes will provide opportunities for spyware, and specifically adware, to exploit:

* Tab-jacking. IE 7 introduces tabbed browsing, a feature that has been present in Firefox for a long time. With it, users can associate multiple tabs with particular Web pages, giving quick access to favourite sites. However, because a new tab can be added to the browser so easily, Trend Micro expects that adware, rather than producing its typical pop-up ads, will soon introduce adware tabs into IE 7. This tab-jacking will allow adware companies to create persistent, ad-based tabs that reappear when IE 7 is restarted, even if the user has closed them.

* RSS injection. By bundling Microsoft's RSS reader, IE 7 has quickly become the world's most widely used RSS reader. Microsoft is quick to point out that adding desired RSS feeds is as easy as adding bookmarks to the browser. Trend Micro anticipates that adware companies will soon inject their own feeds into the browser, providing a stream of ad content via RSS.

* Search box stealing. IE 7 includes its own embedded search box, meaning users no longer need to visit a separate search engine page such as google.com. Because the search box's default provider is configurable, Trend Micro believes it will be hot property: adware companies will hijack it to route searches through their own preferred engines, generating pay-per-click revenue for themselves.

LINUX MALWARE

Typically, alternative operating systems have not been targeted by malware, with the exception of discrete threats such as OSX_LEAP.A, a worm detected in February 2006 that affects users of the Mac OS X platform.

This has led to a false sense of security among Linux and Unix users, who are often unprepared for attacks such as ELF_LION in 2001, the first publicized Internet-propagated worm to affect their systems. In 2006, the most commonly reported Linux threats include ELF_BLITZ, a denial-of-service Trojan, and variants of ELF_BO121B and ELF_DIESEL, both file-infecting viruses. Interestingly, remedies for these threats appeared almost instantly, yet users continue to be plagued by their effects.

UNIX_RAMEN.G, first discovered in 2002, is the most prevalent Linux worm and appears to be spreading chiefly in North America and parts of Europe.

Many Linux users install the full distribution, including Unix compatibility packages, to increase the number of free applications they can run on their system, which also enlarges the set of software an attacker can target.

BOTS AND BOTNETS

Since December 2005, there has been an average bot increase of 15% per month, with more than 140,000 being flagged every month.

ROOTKITS

Rootkits are another growing concern. Although not malicious in isolation, they are employed by malware and spyware to hide on infected systems. This matters because, where malware is attempting to steal financial information, time is essential: the longer malware remains active, the higher its chances of obtaining personal and confidential data. Rootkits buy malware that time by hiding processes, registry entries, and related files from antivirus scanners and other security checks, so PC users need protection against these concealing agents and must keep their security software up to date. The release of Microsoft's new operating system, Windows Vista, will likely decrease the number of kernel-level rootkits: Vista requires kernel-mode drivers to be signed (enforced on the 64-bit editions), which limits the impact that rootkit drivers can have on users. Although kernel-level rootkits are the most effective at hiding malware, they are also the least common. User-level rootkits will continue to be a threat and, while easier to remove, are still a formidable enemy; variants of the TROJ_ROOTKIT family, for example, climbed to top positions in the malware prevalence charts during 2006. Detecting one or more rootkits on a system is not easy, and analysis of the hidden malware can be difficult, so the time a parasite stays resident can increase dramatically. Add to this the fact that most rootkits are open-source developments readily available to anybody, and Trend Micro continues to discover more of these threats as their use gathers a following among malware authors.

Rootkits follow the general growth pattern of all malware; their presence depends heavily on the propagation successes of the multi-threat droppers that carry them, and on their adoption by spyware and adware to avoid detection and prolong financial gain. They are complementary packages to botnets as well.
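
The cross-view check that the paragraphs above imply, as an added example that is not part of the Trend Micro report: a rootkit that filters its own entries out of a process listing cannot also stop the kernel from answering a direct probe, so gathering the two views and diffing them exposes what is hidden. The code is Linux-specific (it compares a listing of /proc against a kill(pid, 0) sweep) because that runs stand-alone; the same idea applies on Windows by comparing a Toolhelp snapshot against a lower-level enumeration. The pid_cap and the two-pass race damping are demo choices, not part of any tool.

```python
"""Cross-view detection of processes hidden from a /proc listing (Linux).

Added example, not code from the Trend Micro report. A user-level rootkit
that hooks readdir() (for example via LD_PRELOAD) can drop its own PIDs
from a listing of /proc, but the kernel still answers kill(pid, 0) for the
hidden process and still serves /proc/<pid>/status by explicit path.
hidden_pids() is pure and can be run on constructed views; scan() does the
live comparison and returns None where /proc is unavailable.
"""
import os


def api_view_pids():
    """High-level view: PIDs as a directory listing of /proc shows them."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def raw_view_pids(pid_max):
    """Low-level view: probe every PID with kill(pid, 0).

    ESRCH (ProcessLookupError) means no such process; EPERM
    (PermissionError) means it exists but belongs to another user, which
    still counts as alive.
    """
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_unlisted_thread(pid):
    """Edge case: non-leader threads answer kill() but are never listed.

    /proc/<tid>/status is readable by path for them and carries the
    leader's PID in Tgid. If the path cannot be opened at all, the PID is
    not explained by this and stays suspicious.
    """
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden_pids(api_pids, raw_pids, explain=is_unlisted_thread):
    """Alive in the raw view, absent from the listed view, not a thread."""
    return {pid for pid in raw_pids - api_pids if not explain(pid)}


def scan(pid_cap=65536, passes=2):
    """Live check. Two passes damp the race with processes spawned between
    the two views; only PIDs hidden in every pass are reported. pid_cap
    keeps the demo quick; a real sweep should go all the way to pid_max.
    """
    if not os.path.isdir("/proc"):
        return None
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = min(int(fh.read()), pid_cap)
    except OSError:
        pid_max = pid_cap
    result = None
    for _ in range(passes):
        found = hidden_pids(api_view_pids(), raw_view_pids(pid_max))
        result = found if result is None else result & found
    return result


if __name__ == "__main__":
    print("hidden PIDs:", scan())
```

Run it as a script, or call hidden_pids() on two views gathered some other way. A PID whose /proc/<pid>/status cannot be opened at all is the strongest signal, since a legitimate thread or process is always reachable by path.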

MOBILE MALWARE

Mobile threats have been on researchers' radar for the last two years, and Trend Micro observed an increase in mobile phone malware during 2006. The main factor behind this trend is the increasing number of smart phones on the market: since these phones are specifically targeted, and can also act as propagation platforms, increased sales mean users should beware.

Most mobile malware has been distributed as Trojans, meaning it generally lacks spreading capabilities and has no special motivation beyond demonstrating and testing the mobile malware concept. Typically it is launched when a user downloads a fake program from the Internet and installs it on the phone. Instead of the expected program, the user gets a malicious effect, such as SMS messages sent to premium-rate numbers and other noxious actions. Unlike most other malware, mobile malware appears to be the work of smaller groups, not criminal organisations. As the market expands and more potential victims join the mobile network, however, this situation may change for the worse.

In 2006, mobile malware prevalence reached an all-time high, and it was even predicted to be one of the year's top concerns; current technological barriers, however, prevent these threats from becoming aggressive. Growth patterns indicate waning interest in new threats for the old Symbian EPOC platform, a lack of interest in the Windows Mobile platform, and the pronounced, continued proliferation of threats on Nokia-branded Symbian OS.

This makes sense, given the greater adoption of Symbian OS, and in particular the Series 60 version, by various mobile operators and manufacturers. An industry report by Canalys during Q1 2005 supported this trend, showing various Symbian OS versions as accounting for 61.4% of worldwide market share. Canalys further projected that increased adoption of the new Windows Mobile 2005 platform, as well as increased sales of Linux-based mobile phones such as the Motorola RAZR and the occasional Nokia 7710, might soon change that landscape. However, during Q4 2005 Nokia released its innovative N-series phones, which cater to multimedia enthusiasts, and a new set of E-series phones, which cater to business users. Both developments cemented Nokia as the market leader. In September 2005, SYMBOS_CARDTRP.A attempted to become the first cross-platform mobile worm by dropping Windows worms such as WORM_WUKILL.B onto the infected device's memory card. When the card was subsequently attached to a Windows computer, the worm could open a backdoor on the system and distribute two more worms. Though this attack was not particularly successful, the most recent variant, SYMBOS_CARDTRP.R, discovered in March 2006, was the 17th found, with early reports from North America and China. Since removable flash memory cards in MMC or SD formats are easy-to-carry commodities, available with up to two gigabytes of storage, it makes sense for many consumers to plug them into regular desktop machines (to back up data, for example, or to store multimedia files).
This consumer behaviour has likewise changed the standard input devices of pre-assembled desktops for sale, which these days support any of the nine common card formats, including CompactFlash, xD, and Memory Stick Duo, as well as those previously mentioned.

Further, during November 2005, Trend Micro received samples of a mobile phone malware that attempted to gather a user's contact details and send them to any other mobile device in range. Trend Micro named this malware SYMBOS_PBSTEAL.A; it was, in effect, the first information-stealing threat for mobile phones. North America is again listed as the site where the most recent variant, SYMBOS_PBSTEAL.D, was found in late January.

It appears that almost all of the newly reported mobile threats, as well as several variants of SYMBOS_FONTAL and SYMBOS_SKULLS, are actually Trojans that require deliberate user intervention to be installed. One exception is SYMBOS_BOOTTON, which can spread via Bluetooth. Malware authors float their creations online and on P2P networks as bootleg copies of commercial software, or even as common file-viewing tools. Thus the mantra of avoiding malware-riddled "warez" (pirated software) is as true for mobile applications as it is for desktop software.

There is some indication that the desktop spyware phenomenon is going mobile.

SYMBOS_FLEXSPY.A was reported in March 2005, with functionality to log calls, SMS and MMS messages, GPRS and data usage, as well as email content. Once the data is collected, it is sent to a remote server. This does not bode well for the future of mobility.

Users are soon likely to be carrying viruses and spam in their pockets the way they currently carry them on their networks and desktops.

While malware that targets mobile devices is expected to increase in 2007, the major threat continues to be lost or stolen devices. Leaving a device in a taxi is a much more common occurrence today than having it hacked while surfing at the local Starbucks. Trend Micro continues to be measured in its observations about the mobile security threat: today it is at the proof-of-concept stage, but it has the indicators to become virulent in the near future.

The Emergence of Web Threats in 2007

In 2007, users can expect Web threats to emerge as the prevailing security threat. Web threats include a broad array of threats originating on the Internet; they are typically blended threats that use a combination of files and techniques, spawn large numbers of variants, and generally target a relatively small audience, such as regional Internet users or users of a specific site or related group of sites. Like their 2006 predecessors, these threats are profit-driven: their goal is to surreptitiously infect and hide on PCs or the Web, and to steal information for as long as possible. Web threats will impact consumers and corporations alike through confidential information leakage, identity theft, bot infection, adware/spyware installation, and the like.

2007 will continue the "high focus/low spread" tendency of 2006. Due to the nature of their distribution methods, infections will usually be very limited in scope. This is completely changing the concept of an outbreak in the industry: whereas in the past we experienced widespread mass infections, now we see smaller-scope regional outbreaks.

These targeted attacks have more specific objectives and are more difficult to eradicate. In some cases they are so specific as to target single companies in order to steal certain internal information. Most of the time they are simply blended threats whose initial "detonator" component is spammed to an email address database.

In 2007, we can also expect to see the bot threat grow, as creators find newer methods for installing them in users' machines. More ingenious social engineering and software vulnerabilities will be the likeliest candidates for this.

Since crimeware creators have a way to fund their activities, crimeware attacks will not go away. PC users must be prepared for, and familiar with, these novel ways of being attacked in order to avoid being robbed or scammed.

Spyware and other aggressive marketing campaigns will continue to be a threat. Developers of these adware campaigns usually pay per each copy of the software installed. Their distributors, therefore, resort to questionable methods of installing as many copies as possible, even against the user's will or knowledge. If this situation continues, distributors will seek even sneakier ways to drop their adware--even joining forces with malware writers, as they have during 2006.

Best Practices and Recommendations

For enterprises, mid-size corporations and small businesses, Trend Micro recommends a multi-layered approach to protection, including the following:

* Deploy HTTP-scanning methods.

Due to the prevalence of Web threats, it is highly recommended to implement Web-scanning systems in mid- to large-size networks, and to make sure users cannot bypass them. The most secure way is to force all Web requests through the scanning proxy and to deny direct outbound Web connections otherwise. Closing this gap is key in the fight against malware and spyware, since the Web has become the number one point of entry into the corporate network.

* Do not allow unnecessary protocols to enter the corporate network.

The most dangerous of these are P2P file-sharing protocols and IRC (chat). Both are part of the bot arsenal, used to propagate and to communicate with the botmaster, and should be disallowed at the corporate firewall. Because bots can run IRC over any port, block by protocol inspection as well as by port number where the firewall supports it.
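
As an added example (not code from the report), the check below runs over constructed egress log lines and flags connections that look like IRC bot traffic or P2P file sharing. The line format, the addresses and the bot-style nick pattern are assumptions made for the demo; the port numbers are the well-known defaults for IRC, FastTrack, eDonkey, Gnutella and BitTorrent. Inspecting the payload for IRC commands is what catches the third sample line, a bot talking IRC on port 8080, which a port-only firewall rule would pass.

```python
"""Flag outbound IRC and P2P activity in egress connection logs.

Added example; it is not code from the report. The line format
("timestamp src:port -> dst:port proto payload=...") and SAMPLE_LOG are
constructed for the demo; a real deployment reads a proxy, IDS or
NetFlow export. The bot-style nick pattern is a heuristic assumption.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)'
    r'(?:\s+payload="(?P<payload>.*)")?$'
)

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}               # IRC, IRC over TLS
P2P_PORTS = {1214, 4662, 6346, 6347} | set(range(6881, 6890))   # FastTrack, eDonkey, Gnutella, BitTorrent

# IRC registration and channel commands at the start of a payload line.
IRC_CMD_RE = re.compile(r"(?m)^(NICK|USER|PASS|JOIN|PRIVMSG)\b")
# Nicks like "[USA|00|XP]-2837" (country, uptime, OS) are an assumed
# family-style naming convention: a heuristic, not a hard rule.
BOT_NICK_RE = re.compile(r"NICK\s+\[[A-Z]{2,3}\|\d+\|[A-Z0-9]+\]")


@dataclass
class Verdict:
    line_no: int
    src: str
    dst: str
    dport: int
    reasons: list = field(default_factory=list)


def classify(line_no, line):
    """Return a Verdict for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                        # unparseable: count it elsewhere
    dport = int(m.group("dport"))
    # The sensor writes CR/LF and binary as \r, \n and \xNN escapes; undo that.
    payload = (m.group("payload") or "").encode("ascii", "backslashreplace").decode("unicode_escape")
    reasons = []
    if dport in IRC_PORTS:
        reasons.append("irc-port")
    if IRC_CMD_RE.search(payload):
        reasons.append("irc-protocol")     # also fires on non-standard ports
    if BOT_NICK_RE.search(payload):
        reasons.append("bot-style-nick")
    if dport in P2P_PORTS:
        reasons.append("p2p-port")
    if not reasons:
        return None
    return Verdict(line_no, m.group("src"), m.group("dst"), dport, reasons)


def scan(lines):
    """All verdicts for a batch of log lines, in log order."""
    return [v for v in (classify(i, l) for i, l in enumerate(lines, 1)) if v]


# Constructed sample: a bot joining its channel on 6667, normal HTTP, a bot
# on a non-standard port, an eDonkey connection, and a TLS handshake.
SAMPLE_LOG = [
    r'2006-11-14T10:02:11 10.1.4.22:3355 -> 203.0.113.9:6667 TCP payload="NICK [USA|00|XP]-2837\r\nUSER xp 0 0 :xp\r\nJOIN #b0tz k3y\r\n"',
    r'2006-11-14T10:02:15 10.1.4.22:3356 -> 203.0.113.9:80 TCP payload="GET / HTTP/1.1\r\nHost: example.test\r\n"',
    r'2006-11-14T10:03:40 10.1.7.8:1034 -> 198.51.100.7:8080 TCP payload="NICK w0rk-01\r\nJOIN #upd\r\n"',
    r'2006-11-14T10:04:02 10.1.9.3:2233 -> 198.51.100.22:4662 TCP',
    r'2006-11-14T10:05:00 10.1.9.3:2240 -> 192.0.2.5:443 TCP payload="\x16\x03\x01"',
]

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"line {v.line_no}: {v.src} -> {v.dst}:{v.dport} {', '.join(v.reasons)}")
```

The verdicts are the input to the firewall rule, not the rule itself: a host that trips "irc-protocol" on a non-IRC port is exactly the case a port-based deny misses.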

* Deploy vulnerability scanning software in the network.

Maintaining a consistently up-to-date operating system minimizes the impact of newly disclosed network vulnerabilities and the risk of infection by the worms that exploit them. It is highly recommended to keep all other applications patched as well, especially office productivity applications.

* Restrict user privileges of all network users.

Kernel-level rootkits are implemented as device drivers; denying ordinary users the "Load and unload device drivers" right (SeLoadDriverPrivilege, held by Administrators by default) will therefore largely block them. Windows Vista adds protection of its own here: User Account Control runs even administrators with a filtered token, and the 64-bit editions refuse unsigned kernel-mode drivers, though the 32-bit editions do not enforce that requirement. Other types of malware leverage administrator-level capabilities to perform malicious acts, so it is wise to limit what a rogue program can do by limiting the privileges of the account it runs under. This is accomplished by depriving normal users of administrator rights; the driver-loading restriction only holds if day-to-day accounts are not local administrators, since an administrator can grant the right back.
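
A way to verify the first recommendation above on a Windows host, as an added example that is not from the report: export the local security policy with `secedit /export /cfg policy.inf` (the file is UTF-16LE) and check which SIDs hold SeLoadDriverPrivilege. The INF text below is constructed; the SID-to-name table covers the built-in groups that usually appear, and the tolerated-on-domain-controller exception for Print Operators reflects the Windows default there.

```python
"""Audit who holds the "Load and unload device drivers" user right.

Added example, not code from the Trend Micro report. Input is the text
of a local policy export produced on the host by
    secedit /export /cfg policy.inf
(read it with encoding="utf-16"). SAMPLE_INF below is constructed.
"""

WELL_KNOWN = {                        # built-in SIDs that typically appear here
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}
RIGHT = "SeLoadDriverPrivilege"
EXPECTED = {"S-1-5-32-544"}           # Administrators only, on a workstation
DC_DEFAULT_EXTRA = {"S-1-5-32-550"}   # Print Operators also hold it on domain controllers


def parse_inf(text):
    """Minimal INF parser: {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def holders(sections, right):
    """Principals granted a right. secedit writes SIDs as *S-1-..., and
    names it could not resolve appear bare, so keep both forms."""
    value = sections.get("Privilege Rights", {}).get(right, "")
    return [tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()]


def audit_driver_loaders(text, domain_controller=False):
    """Report every holder of SeLoadDriverPrivilege outside the allowed set."""
    allowed = EXPECTED | (DC_DEFAULT_EXTRA if domain_controller else set())
    found = holders(parse_inf(text), RIGHT)
    unexpected = [sid for sid in found if sid not in allowed]
    return {
        "holders": [WELL_KNOWN.get(s, s) for s in found],
        "unexpected": unexpected,
        "ok": not unexpected,
    }


SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    report = audit_driver_loaders(SAMPLE_INF)
    for sid in report["unexpected"]:
        print(f"unexpected holder of {RIGHT}: {WELL_KNOWN.get(sid, sid)} ({sid})")
```

On the constructed export the Users group holds the right, which is the misconfiguration this recommendation is about; Print Operators is flagged too unless the host is declared a domain controller.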

* Deploy corporate anti-spyware scanning.

As spyware threats are becoming more prevalent for businesses, administrators need to deploy specific software to detect and stop them.

* Support user awareness campaigns.

Since many employees with corporate laptops take them outside the corporate environment, on airplanes, in cafes and at home, and also use them for personal purposes, user awareness is especially important. Most of today's malware-related attacks attempt to fool the user, which is called social engineering. Most of the malware detected in 2006 would not have caused any harm had users not clicked on it. We can minimize the effect of malware on our networks by demonstrating how attackers try to fool users. We must teach users basic security measures and how to react to typical attack scenarios; this goes a long way towards preventing internal outbreaks. It is also important to keep users up to date on new attack strategies, as well as on company security policies and recommendations.

In 2006, the Trend Micro Internet Security and Confidence Survey yielded a very interesting finding. While most respondents perceived the Internet to be somewhat safe today, and believed it would be less safe in six months, they still admitted to risky online behaviour, such as using freeware/shareware programs and unsecured public Wi-Fi hotspots. Today's security tools go a long way toward securing the online experience of computer users; however, end-user awareness and online behaviour need to complement those tools if true security is to be achieved.

For home users, Trend Micro recommends the following:

* Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.

* Scan, with an updated antivirus and anti-spyware tool, any program downloaded via the Internet. This includes downloads from P2P networks, through the Web, and from FTP servers, regardless of the source.

* Beware of unexpected or strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.

* Enable the "Automatic Update" feature in your Windows operating system and apply new updates as soon as they are available.

* Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.
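
The "detonator" component described under Web threats arrives as a spammed attachment, and the home-user advice above is to leave such attachments unopened. As an added example (not code from the report), the triage below parses a message and flags the attachment tricks that campaigns of this kind rely on: an executable extension, a document-looking double extension such as invoice.pdf.exe, a PE header behind a declared PDF type, and an executable wrapped in a ZIP. The sample message is constructed with the standard library's email package; the extension and magic-number lists are short, assumed sets.

```python
"""Triage e-mail attachments for the spammed "detonator" pattern.

Added example, not code from the report. The message is constructed here
with the standard library; a gateway would feed real raw messages to
triage(). Findings are reasons per attachment, not a verdict.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "cpl"}
DOC_EXT = {"pdf", "doc", "xls", "ppt", "jpg", "gif", "txt"}
# Leading bytes a declared Content-Type should carry (assumed short list).
MAGIC = {"application/pdf": b"%PDF", "application/zip": b"PK", "image/jpeg": b"\xff\xd8\xff"}


def ext_parts(name):
    return name.lower().split(".")[1:]


def inspect_attachment(name, data, declared_type=None):
    """Reasons an attachment looks like a disguised executable (may be empty)."""
    reasons = []
    parts = ext_parts(name)
    if parts and parts[-1] in EXEC_EXT:
        reasons.append("executable-extension")
    if len(parts) >= 2 and parts[-2] in DOC_EXT and parts[-1] in EXEC_EXT:
        reasons.append("double-extension")      # e.g. invoice.pdf.exe
    if data[:2] == b"MZ":
        reasons.append("pe-header")             # a Windows executable whatever the name says
    expected = MAGIC.get(declared_type)
    if expected and not data.startswith(expected):
        reasons.append("content-type-mismatch")
    if data[:2] == b"PK":                       # look inside archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    inner = ext_parts(info.filename)
                    if inner and inner[-1] in EXEC_EXT:
                        reasons.append(f"zip-contains-{info.filename}")
        except zipfile.BadZipFile:
            reasons.append("corrupt-zip")
    return reasons


def triage(raw_message):
    """Map attachment filename -> reasons, for attachments with any reason."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, data, part.get_content_type())
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed message: one disguised PE, one ZIP hiding a .scr, one real PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("photo.jpg.scr", b"MZ\x90\x00")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(build_sample()).items():
        print(name, "->", ", ".join(reasons))
```

The content checks matter more than the name checks: a gateway that only blocks ".exe" passes the ZIP, and a user who has "hide extensions for known file types" enabled sees invoice.pdf.exe as invoice.pdf.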

Trend Micro Inc. provides centrally controlled server-based virus protection and content filtering products and services. By protecting information that flows through Internet gateways, email servers, and file servers, Trend Micro allows companies worldwide to stop viruses and other malicious codes at a central access point before they reach the desktop.

www.trendmicro.com
COPYRIGHT 2007 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: SECURITY SUPPLEMENT
Publication: Software World
Article Type: Company overview
Date: Jan 1, 2007
Words: 6448