Kaspersky Lab Int. presents a year-end review of events in the area of anti-virus security.
- E-mail: The best means for virus transport
- Virus Diversification
- Year of the LoveLetter
- Expecting Cell Phone Viruses
- Invisible Worms
- Self-updating Viruses
- Viruses in The Alternate NTFS Data Streams
- Linux Withstanding the Siege
- Virus Hoaxes Continue
- What's Next?
Looking at the events of this year, we must admit that the situation in the anti-virus field is more complicated than it was in 1999. In May 2000 alone, the LoveLetter virus attacked more than 40 million computers around the world. According to the Computer Economics research center, during the first five days of the epidemic LoveLetter caused worldwide losses of US$ 6.7 billion. Compare this with the same center's report for 1999, which put worldwide losses for the entire year at US$ 12 billion.
The results of malware development in 2000 are the following:
- e-mail is the undisputed leader among all available virus propagation channels;
- technological diversification of viruses;
- script and macro viruses dominate all other virus types;
- the first attempt to develop a virus for cellular phones;
- "invisible" viruses have spread throughout the world by exploiting security holes in Internet Explorer;
- a new generation of self-updating viruses has appeared;
- new viruses using the alternate data streams of NTFS have been detected;
- a lot of new viruses have been developed for Linux.
Anti-virus protection has therefore once again proved in 2000 to be the most critical element of personal and corporate computer protection systems.
E-mail: The best means for virus transport
i) A very high speed of distribution. Immediately after infection, the virus e-mails itself to every entry in the address book of Microsoft's Outlook e-mail software. Like the Melissa virus (detected in March 1999), LoveLetter does its work on behalf of the unaware and unsuspecting computer owner.
ii) The deceptive extension of the file attached to the message: 'TXT.vbs'. Many users still believe that a text file cannot contain virus code. That is true, but a '.TXT' in the name may hide a file of another type; here it was a program in Visual Basic Script (VBS), and only the final '.vbs' extension determines how Windows runs it.
iii) The author of this virus used a very simple but brilliant psychological approach: few people can resist the temptation to read a love letter from an acquaintance.
Here we should recall Rabbit, the first script virus, detected in November 1998. Immediately afterwards, Kaspersky Lab forecast the global epidemics that script viruses (viruses similar to LoveLetter) could cause. At the time, many companies accused Kaspersky Lab of stirring up "virus hysteria"; in May 2000, however, Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, was vindicated as his prediction came true.
Kaspersky Lab experts currently know of 80 modifications of the LoveLetter virus. To protect our customers and users from all possible modifications of this virus, on May 7th Kaspersky Lab released a unique technology named Script Checker. This tool checks for unknown script viruses: thanks to its integrated heuristic mechanism for analysing script programs, Script Checker reliably protects Kaspersky® Anti-Virus (AVP) users from all modifications of LoveLetter without any extra updates to the anti-virus database.
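The double-extension trick described in ii) is easy to screen for at a mail gateway, because only the last extension decides what Windows will execute. The following Python script is an added example and not part of the original Kaspersky Lab review: it builds a constructed sample message carrying an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs (the name the LoveLetter worm used), then classifies each attachment by its real, final extension. It goes slightly beyond the page by also catching the related trick of padding a name with spaces so the real extension scrolls out of view. The extension lists, the verdict strings and the function names are this example's own choices.

```python
import email
import email.policy
from email.message import EmailMessage

# Extensions Windows executes directly or hands to the Windows Script Host (example's own list).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta"}
# Harmless-looking extensions used as decoys in front of the real one.
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "htm", "html", "xls", "pdf"}


def classify_attachment(filename: str) -> str:
    """Return 'allow' or a 'block: ...' verdict based on the real (last) extension."""
    name = filename.lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "allow"  # only the final extension decides what Windows runs
    stem = ".".join(parts[:-1])
    # 'readme.txt      .vbs': whitespace pushes the real extension out of view.
    if stem != stem.rstrip():
        return "block: padded extension"
    # 'LOVE-LETTER-FOR-YOU.TXT.vbs': a decoy extension right before the real one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "block: deceptive double extension"
    return "block: executable content"


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return (filename, verdict) for each attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            results.append((filename, classify_attachment(filename)))
    return results


def build_sample_message() -> bytes:
    """Constructed LoveLetter-style message; the attachment body is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"' placeholder text, not the worm\r\nMsgBox \"example\"\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name!r}: {verdict}")
```

The check deliberately ignores the Content-Type header: the worm's attachment could declare itself text/plain and still be run by the script host, so the filename is the only attribute worth trusting less than the content itself.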
Expecting Cell Phone Viruses
It all began on June 6th, when the Internet worm Timofonica was detected in Spain. This worm has one peculiar quality: it sends meaningless SMS messages to cellular phones on the MoviStar network. This caused rumours about the first virus infecting mobile phones. Fortunately, reality was not so cruel: apart from its SMS messages, the virus had nothing in common with cellular phones.
Two months later, a utility called HSE was detected. It can send SMS messages of any content to phones on several German cellular networks. Unlike Timofonica, it cannot be classified as a virus or Internet worm; it is simply a piece of malware that may be used against cell phone owners.
And finally, on August 30th, the world learned of a new "cellular" virus detected by Web2Wap AS, a Norwegian company. As it later turned out, the Norwegian experts had merely discovered a "hole" in the protection system of several Nokia cell phone models: a certain SMS message could lock the phone's keyboard. But this had nothing to do with a virus.
It is worth emphasising that the problem of cellular viruses cannot currently be considered urgent. The main and only reason is that current cell phones do not offer the environment a virus needs. The conditions for a virus to exist are: i) the hardware must provide the means to create, modify and exchange executable software objects; ii) the hardware must be popular among users; and iii) its protection system must be weak.
However, the first cellular viruses can be expected in the very near future. The MIDP standard (Mobile Information Device Profile), based on Java 2 Platform Micro Edition (J2ME) and released on August 19th by Sun and its partners, in effect gives the green light to the development of such malware.
Invisible Worms
The first virus of this kind (BubbleBoy) was detected in November 1999. One week earlier, Microsoft had released a patch for the breach it exploits. Despite this, during 2000 the virus KakWorm, which uses the same hole, infected many computers. This means that users tend to ignore the advice of anti-virus companies and do not install patches for their software in due course. We therefore advise you once again to install Microsoft's free patch for Internet Explorer 5.0.
Self-updating Viruses
This technology appeared at the end of 1999, and the first virus to use it was Babylonia. In 2000 several more viruses were built on it, among them Sonic and Music. The Internet worm Hybris is a more advanced user of the technology: it can download updates not only from Web sites but also from the newsgroup alt.comp.virus. This is very convenient for the author, because Web site owners shut a site down as soon as they learn it is being used by malware to distribute updates, whereas a newsgroup cannot be shut down in the same way. Besides, the Hybris author implemented another advanced technique that prevents an unauthorised person from taking control of the virus: the updates carry a digital signature produced with a strong algorithm, so the worm accepts only plugins signed with its author's key.
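The signature check that keeps the Hybris plugin channel closed to anyone but its author is the same mechanism a legitimate auto-updater should use, and the instructive part is what the loader rejects. The following Python is an added example, not code from Hybris or from Kaspersky Lab: it uses a deliberately tiny textbook RSA key built from two fixed Mersenne primes (far too small for real use, chosen so the block runs offline) to sign a constructed plugin blob, and a loader that accepts the genuine package, rejects a package whose payload was modified, and rejects one signed with the wrong key. The page does not describe Hybris's key size or packaging format; the format here (a fixed-length signature prepended to the payload) is the example's own.

```python
import hashlib

# Toy RSA key from two fixed Mersenne primes: instant to compute, far too small
# for real security (an assumption of this example, not Hybris's actual key).
_P = 2 ** 61 - 1
_Q = 2 ** 89 - 1
N = _P * _Q                            # public modulus
E = 65537                              # public exponent, gcd(E, (P-1)(Q-1)) == 1
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent, known only to the author
SIG_LEN = (N.bit_length() + 7) // 8    # signature bytes prepended to each update


def _digest(payload: bytes) -> int:
    """SHA-256 of the payload reduced into the RSA group (textbook RSA, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % N


def package_update(payload: bytes, private_exponent: int = _D) -> bytes:
    """Author side: sign the payload and prepend the fixed-length signature."""
    signature = pow(_digest(payload), private_exponent, N)
    return signature.to_bytes(SIG_LEN, "big") + payload


def load_update(blob: bytes):
    """Loader side: return the payload only if its signature verifies under the author's public key."""
    if len(blob) <= SIG_LEN:
        return None
    signature = int.from_bytes(blob[:SIG_LEN], "big")
    payload = blob[SIG_LEN:]
    if signature >= N:
        return None
    if pow(signature, E, N) != _digest(payload):
        return None                    # tampered payload, or signed with another key
    return payload


def demo() -> dict:
    """Constructed plugin plus three delivery attempts; reports which ones the loader accepted."""
    plugin = b"plugin v2 (constructed sample, not real worm code)"
    genuine = package_update(plugin)
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])        # one payload byte flipped
    wrong_key = package_update(plugin, private_exponent=_D + 2)   # signed with a wrong exponent
    return {
        "genuine": load_update(genuine) == plugin,
        "tampered": load_update(tampered) is not None,
        "wrong_key": load_update(wrong_key) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Because the loader holds only the public exponent, anyone who captures the worm (or, for a legitimate updater, the client) still cannot produce an acceptable update; a production implementation would additionally use a proper padding scheme such as PKCS#1 rather than raw textbook RSA.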
Viruses in The Alternate NTFS Data Streams
At the beginning of September, the first virus (Stream) able to manipulate the alternate data streams (ADS) of the NTFS file system was detected. According to Kaspersky Lab's report, this virus itself does not constitute a real threat. But the technique it uses to hide in additional streams is very dangerous, since only a few anti-virus scanners are currently able to detect malware in ADS.
Regrettably, the story provoked an inadequate response from some competing anti-virus companies, which accused Kaspersky Lab of causing unnecessary alarm among users. Yet apart from unsubstantiated accusations, our competitors provided no evidence for their claim that additional data streams are safe. Anti-virus protection of NTFS remains topical: in the months since the Stream virus was detected, only a few anti-virus scanners have "learned" to check for viruses in ADS. Kaspersky Anti-Virus was the first scanner in the world to acquire this ability; the function was implemented in version 3.5.
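To check a file for alternate streams, a scanner has to ask NTFS for them explicitly; an ordinary directory listing and a normal open() see only the unnamed default stream. The following Python is an added example, not Kaspersky Lab's scanner and not connected to the Stream virus: on Windows it enumerates a file's streams through the documented kernel32 FindFirstStreamW/FindNextStreamW calls via ctypes, and a small filter picks out every named $DATA stream, which is where hidden code would live. The enumeration only works on an NTFS volume under Windows; the filter is pure Python and is exercised on constructed stream names.

```python
import ctypes
import sys

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout of the structure filled in by FindFirstStreamW/FindNextStreamW."""
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path: str) -> list:
    """Return every stream name NTFS reports for path, e.g. ['::$DATA', ':hidden:$DATA'] (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration requires the Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint, ctypes.c_void_p, ctypes.c_uint]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no further streams
    finally:
        k32.FindClose(handle)
    return names


def alternate_data_streams(stream_names) -> list:
    """Pick the named $DATA streams out of raw ':name:$TYPE' entries; '::$DATA' is the ordinary file content."""
    hidden = []
    for entry in stream_names:
        if not entry.startswith(":"):
            continue
        _, name, stream_type = entry.split(":", 2)
        if stream_type == "$DATA" and name:
            hidden.append(name)
    return hidden


def scan_file(path: str) -> list:
    """Names of the alternate data streams attached to path (Windows/NTFS only)."""
    return alternate_data_streams(list_streams(path))


if __name__ == "__main__" and sys.platform == "win32":
    # Constructed demo: an innocent-looking text file with a second, hidden stream.
    demo_path = "ads_demo.txt"
    with open(demo_path, "w") as f:
        f.write("nothing to see here\n")
    with open(demo_path + ":hidden.vbs", "w") as f:   # NTFS 'file:stream' syntax
        f.write("' placeholder script text\n")
    print(scan_file(demo_path))
```

A scanner that has the list of stream names can then open each one as path + ":" + name and run its normal file checks on that content; file size shown in Explorer counts only the default stream, so a large hidden stream is invisible there.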
Virus Hoaxes Continue
Here you will find an explanation of how to differentiate a genuine virus warning from a hoax.
What's Next?
Last year we explained our opinion, and today we can simply repeat it: Kaspersky Lab considers this type of information to be a marketing ploy designed to boost sales of anti-virus programs on Christmas Eve.