The web has changed over the years and so has the nature of viruses that attack it. From “just-for-fun” kind of viruses, the attackers moved to crimeware or Trojans. Now, even as the number of virus attacks has increased, the duration of the assaults has decreased, making it all the more difficult to detect them, let alone kill them.
The lower duration of the attack doesn’t dilute the impact. It is sometimes just the opposite. For instance, a zero-day attack, also known as a zero-hour attack, takes advantage of computer vulnerabilities that do not currently have a solution. A zero-day attack will take advantage of that problem before a patch has been created. It is named zero day because it occurs before the first day the vulnerability is known.
“Toolkits are now available allowing people who are not so computer savvy to build viruses and trojans. These tools are advanced enough to allow the viruses and trojans to change their signatures every few minutes, becoming virtually impossible to catch with anti-virus solutions,” explains Amuleek Bijral, Country Manager, India & SAARC, RSA, The Security Division of EMC.
Cumulatively, across all the years from 2002 through 2007, internet security firm Symantec created a total of 800,000 unique malware signatures. However, in 2008 alone, this went up to 1,800,000.
Malware is no longer exclusive to malicious websites; even legitimate mainstream sites act as parasitic hosts that serve up malware to their unsuspecting visitors. The most malicious activities begin once new malware has established a presence on a user’s machine. Obfuscation is an increasingly common technique used to conceal an attack by making its operation more complex and thus harder to detect. “In 2006, we estimate that a small percentage of attacks were obfuscated. In 2008, the majority of attacks we saw were obfuscated in some form,” says Shantanu Ghosh, VP, India Product Operations, Symantec.
Symantec, too, observed a significant increase in the use of server-side polymorphic threats, in which the attacker operates a Web server that hosts malware files. The attacker has “polymorphing” software running on the web server that dynamically generates a new variant of the malware (each with its own unique signature) every few minutes or hours.
“In 2008, we saw the peak of Trojan.Asprox infections. The trojan creators used dynamically created URLs to hide the sources and make the malware source more difficult to detect. Thus, every time a new unsuspecting user visits the malicious website, they'll potentially get a different malware file, resulting in potentially hundreds of new malware variants every day. This makes detection of the malware very challenging using traditional signature-based antivirus methods and has led to the dramatic increase in different malware samples,” says Ghosh.
“To protect your system, users should regularly check and update software patches. Antivirus software is not good at stopping low-volume attacks aimed at single companies. Traditional antivirus programs detect widespread attacks based on matching to a known pattern and do not fare well against low-volume Trojans. And even when they do detect such attacks, the larger volume threats are inevitably moved to the top of the firms’ to-do lists, because they affect a larger number of customers,” suggests Bijral.