In-Depth

In Brief

Criminal intentions behind half of all attacks; mass-mailing worms on the outs

• By Mathew Schwartz
• 03/23/2005

Tracking Attackers’ Intentions

Criminal intent was behind more than half of all computer attacks in 2004. That's just one finding of security intelligence provider iDefense Inc.. The company studied the 27,260 reported attacks that occurred last year.

Discerning criminal intent, however, isn’t easy. “The real challenge in dealing with these threats is that you have to know what to look for before it hits, and after, [and] many companies don’t even know that their defenses have been compromised,” notes John Watters, the president and CEO of iDefense.

According to iDefense, the range of attacks included those “designed to covertly steal information or take over computers for criminal purposes, including identity theft and fraud.”

Confidential information is especially at risk, as demand for purloined credit card and bank account numbers keeps increasing. Thus iDefense expects the overall number of attacks to rise in 2005. Especially popular attacks will be phishing, financial blackmail, and skimming of small sums from bank accounts, and it notes “organized crime rings capturing personal information for fraud and extortion activities are a driving force in the growth” of the overall number of threats as well.

Also increasing are attacks over instant messaging (IM) and Internet Relay Chat. iDefense counted 6,200 attacks with an IM-related component in 2004, up from a reported 438 in 2002.

Finally, back-door and remote-access attacks, which give attackers access to a person’s PC, are also on the rise, increasing from 2,205 attacks in 2003 to 9,262 last year. Such attacks often leave so-called bot software installed to scan a PC’s hard drive for sensitive information and perhaps turn the computer into a zombie—able to be “reawakened” later for use in a large-scale denial of service attack, without the user knowing.

Mass-Mailing Worms on the Outs

Remember Bugbear.B? Once again, the worm, now almost two years old, is still on Symantec’s top 10 list of most-pervasive malware for the month of February 2005.

As a Symanteec spokesperson notes, “This means that there are still PCs and users that are compromised and sending out mass mailings without their knowledge.” Also still hanging on is Netsky.P, discovered a year ago.

Despite the continuing pervasiveness of these Bugbear and Netsky variants, the malware landscape is changing. “The top 10 list is moving away from being dominated by mass-mailing worms.” In their place, two new types of attacks are emerging. First are attacks using Web pages and e-mails to deliver “client-side exploits.” Second are so-called “botnet worms such as W32.Spybot and W32.Gaobots.” These can carry code able to control a PC and monitor keystrokes or information stored on the hard drive.

Already Trojan software—Trojan.ByteVerify, Downloader.Reitrec, and Trojan.Vundo—accounted for three of the 10 worst threats in February, including the number-one slot. The top mass-mailing worms for the month included Beagle, plus MyDoom and Netsky variants.

Beyond threats to PCs, Symantec says mobile devices using Bluetooth are also at increasing risk. “In February, we had the first verifiable case of the SymbOS.Cabir worm infection being detected on a mobile phone in California,” it notes.

Likewise, instant messaging attacks are evolving. “Threats propagating using instant messaging are also continuing to appear, such as W32.Bropia.” This worm can download the Spybot worm—not the anti-spyware software of a similar name—and spread via MSN Messenger.

Two other worms now targeting Messenger are Fatso.A and Kevlir.C. The former sends a link to Messenger users which, if clicked, downloads malicious code to the PC. Similarly, Kelvir sends links to people in a user’s Messenger buddy list. If clicked, the link will download malware, such as the Gaobot or Sdbot backdoor software.