
Bot Networks Hurl More Trojan Code

Bot networks are behind the rise in malicious code aimed at capturing sensitive information. Also, IM attacks decrease during February.

Sensitive information—including credit card and bank account numbers—sells, and increasingly, malicious code is being used to obtain it.

A rise in the number of malicious programs found in the wild in 2005 underscores that trend. For example, Kaspersky Lab, an antivirus vendor based in Moscow, says the number of malicious programs it intercepted in December 2005 averaged 6,368 programs per month, an increase of 117 percent since January 2005.

For purposes of analysis, beyond viruses and worms, Kaspersky sorts bad code into several categories: Trojan code; malicious programs able to replicate independently; and other malware, meaning programs that create malicious programs or organize attacks. During 2005, the latter two categories declined: malicious programs able to replicate independently decreased by 7 percent, while other types of malware decreased by 2 percent.

By contrast, last year the amount of Trojan software (code that cannot replicate independently and is instead distributed via e-mail or by other malware) actually increased by 9 percent. Such programs include software backdoors, as well as rootkits, which achieved notoriety last year after Sony attempted to hide such software on its music CDs. The use of rootkits and software backdoors is increasing faster than other forms of malware. For example, the incidence of rootkits in malicious code increased by a factor of four during 2005. On average, 28 new rootkits now appear every month.

Yet rootkits are often mere camouflage. “Rootkits on their own have no malicious payload, but they are increasingly being used to mask the activity of other malicious programs,” notes Yury Mashevsky, a virus analyst at Kaspersky.

Perhaps more troubling, then, is the increase in the maliciousness of the Trojan code found in the wild, since rootkits can disguise its activity. For example, comparing 2004 to 2005, Kaspersky found that the incidence of malicious software containing backdoors doubled, Trojan droppers (programs that deposit Trojan software or backdoors onto PCs) more than doubled, and Trojan downloaders (which download and run files on a compromised computer from an external FTP or Web site) tripled. Such tools are also integral to automatically harvesting PCs into bot networks and then managing them.

The increased maliciousness of bad code—and attackers’ continuing use of bot networks—bespeaks organized, criminal activities, says Mashevsky. “The computer underground is becoming increasingly criminalized, focusing on accessing and using confidential information to gain access to profitable data, whether that be system resources, bank accounts, proprietary information, or online games.” More and more, Trojan software is the weapon of choice for helping to steal sensitive information.

IM Attacks Decrease

If Trojan attacks are up, at least IM attacks are currently on the decline. In particular, an analysis of attacks utilizing instant messaging (IM) networks by Akonix Systems found IM attacks decreased during February 2006, and only 12 new types of attacks were observed.

Other new IM worms identified in February include Lamo, Lepo, and Imav, though variants of the Opanki virus—first identified in June 2005—were the most prevalent attacks seen in the wild.

While the number of IM attacks has decreased, unfortunately attacker ingenuity may be improving. Witness the appearance of the first-ever worm able to spread between Macintosh computers running OS X via its built-in IM client, iChat. “This speaks to the increased sophistication and ways that virus writers are trying to develop worms for different networks and operating systems,” notes Don Montgomery, vice president of marketing at Akonix.

So overall, “although IM threats were down this month, companies need to be aware that we view this as a temporary lull in activity and that the threats are going to get more malicious and sophisticated with time,” he says.


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.
