Windows may be ubiquitous, but there’s a thriving variety of alternative operating systems for enterprise and home use. However, the alternatives aren’t as risk free as some people might think.

If you read online IT publications and message boards, you’ll know the story: as soon as a new Trojan is reported, there’ll be a flood of comments along the lines of “That would never have happened with Linux!” And let’s be honest: at least 99 % of the time this is true. The fact is that the majority of malicious programs identified to date (well over 2 million) target Windows. Linux, on the other hand, with a mere 1898 malicious programs targeting the operating system, appears to be relatively secure. And to date, only 48 malicious programs for Apple’s OS X have been identified.

Turbulent beginnings

In the early 1970s - long before the appearance of Microsoft - the Creeper virus was infecting computers running DEC’s TENEX operating system. This malware could be seen as being ahead of its time, as it used the ARPANET – the forerunner of today’s Internet – to spread. Creeper was followed by Pervade in 1975. Pervade was coded for UNIVAC systems and had been created in order to distribute a game called “Animal”. Finally, in 1982, it was Apple’s turn; users had the dubious pleasure of dealing with Rich Skrenta’s Elk Cloner, a virus that spread via floppy disks and regularly caused systems to crash.

Fig.1 Back in the day…message displayed by the BHP virus

Four years later, C64 users joined the virus victims - the BHP virus (believed to have been created by the German “Bayerische Hacker Post” group) caused the screen to flicker at irregular intervals, greeting the unfortunate victim with a message which read “HALLO DICKERCHEN, DIES IST EIN ECHTER VIRUS!” (which translates as “HALLO FATTY, THIS IS A REAL VIRUS!”). The text was followed by a serial number, which increased by an increment of one with each new infection. The virus also ensured it would be able to survive a system reset by hooking a number of interrupts.

It was only in 1986 that the first MS-DOS-compatible malware finally appeared. Brain was a boot sector virus; conveniently, the malware code included the names, addresses and telephone numbers of its authors. Amjad and Basit Farooq Alvi were brothers who asserted they had created Brain in an effort to determine the level of computer piracy in India. However, they subsequently had to admit that they had lost control over their experiment.

Fig. 2: Shellcode in Backdoor.UNIX.Galore.11

continue reading "Malware beyond Vista and XP"

Introduction

We all learn at a very young age to analyse – either consciously or unconsciously – other people’s body language and intonation. Research shows that about 60% of the time, we pay more attention to a person’s body language than what they are actually saying, and we use this information to draw conclusions about how truthful a speaker is being. These conclusions are vital in helping us avoid falling victim to scammers, fraudsters or anyone else trying to manipulate us. But fraud and deception aren’t just a threat in real life – a range of virtual scams have been increasing significantly on the Internet for some time now. This means we have to take a new approach to evaluating possible threats; there’s no body language or intonation involved in email or social networks, and generally we only have text and graphics to guide us. So does this mean that we can no longer rely on gut instinct?

This would appear to be the case, at least on the face of things. However, the Internet does offer other aspects which can be interpreted and compensate for the gut instinct we feel is lacking; however, for this to work, we need to learn what to watch out for. Cybercriminals and scammers are unlikely to reinvent the wheel, so once you’ve encountered a scam or threat once, and have learnt that it’s a scam, you can use this information in the future. This article therefore focuses on some typical examples, and explains how you can protect yourself. This article is primarily aimed at those who are new to the Internet, but who knows, maybe the examples given could also help Internet veterans learn a thing or two.

Classic email threats

If you’re new to the Internet, probably one of the first things you’re going to do is set up an email account. Not only do you want friends and family to be able to contact you, you’ll need a valid email address if you want to buy things online or sign up for forums or social networks.

Unfortunately, just as your mailbox at home can get crammed with advertising fliers which you never requested, your email address can also get filled with unwanted messages. Up to 89% of all emails sent are what is known as spam: messages you never asked for which offer you cheap credit, discount Viagra and a wide range of other products and services. These offers are in no way legitimate, and often the messages will contain links to websites which are infected with viruses, Trojans, or other nasty programs. You should delete the messages without reading, and then they won’t be able to damage your computer – the only thing you will lose is the time you spend deleting them.

It’s easy to say you should delete these emails, but sometimes they just look too tempting to throw out. Cybercriminals are smart: they’re particularly active around major holidays such as Christmas, Easter, and of course Valentine’s Day. The latter in particular is a golden opportunity for the bad guys – it’s traditionally the day where you can admit your feelings for someone without embarrassment, even if that person is just a distant acquaintance. So if you got an email on Valentine’s Day with the subject ‘I love you’, would you open it?

It’s not only holidays and hot topics that the cybercriminals make use of. The Internet is often described as the ultimate in entertainment media, and there are lots of sites dedicated exclusively to amusing articles, images and videos. We all love a bit of distraction, and cybercriminals play on this, sending messages with intriguing subjects like ‘Check out this funny video!’ or ‘Funny photo!’ But you should resist the temptation to open the file that’s attached to the message: it’s 99.99% likely to contain programs which can damage the data stored on your computer, spy on your online activity, and/or defraud you in some way. In her article, “Spam evolution: June 2009″, my colleague Tatyana Kulikova stated that 0.31% of all emails sent on the Russian Internet have malicious attachments. This might not appear to be a particularly high percentage, but given that 500,000 types of spam are sent every day, the total number of messages is going to be fairly large, especially when you consider that any one spam message will be sent to millions of email addresses.

Phishing

Probably one of the best-known scams is phishing. You receive an email which asks you to go to a site (the link is given in the email) and enter some personal information – this might be a password, a bank account number etc. The email might look as though it’s come from your bank, from eBay, from a payment system like PayPal etc. However, no matter how convincing the message might look, it’s a fake; if you click on the link and enter the information requested, cybercriminals can get hold of your data and use it for their own ends.

A lot of banks have now put additional security measures in place to combat phishing attempts, and this means that phishing emails which target the most widely-used banks are on the decline. However, this doesn’t mean that this type of scam isn’t being used anymore – it’s simply been modified to keep up with the changing times.

Phishing emails are an international phenomenon: a basic text gets translated into a range of languages, and an email is then designed to imitate the look and feel of a well-known bank or financial institution. Most of the effort goes into the design of the email, and the logos and colours used are often difficult to distinguish from a genuine communication. The text, on the other hand, is likely to be riddled with spelling and/ or grammar errors: an instant red flag. Additionally, emails that start “Dear customer” rather than using your actual name are a strong indication of a phishing attempt; these days, where even newsletters can be personalized, a legitimate communication is unlikely not to use your name. And finally, legitimate banks never request PIN numbers, TAN numbers or other sensitive information, and certainly not via email.

As mentioned above, it’s not just banks which can suffer from phishing attacks. Recently, a large number of phishing emails are designed to harvesting account data for online payment systems such as PayPal or auction sites such as eBay. Phishing mails make up 0.94% of all spam, and an incredible 60% of these messages target at PayPal. Phishing emails of this type often threaten with closure of your account, because allegedly it’s not been used for some time. To retain your account, the message says, you should log in; and of course, there’s a handy link provided in the email. If you click on it, you’ll see a page which looks like the site in question, and it asks you to enter your user name and password. Although it might look like the real thing, this website is a fake. You should never use links in emails which lead to a page where you’re requested to enter sensitive information. Use the bookmarks in your browser or enter the address yourself in the address line of your browser. Even if the link appears to be legitimate, JavaScript in the background can open a completely different address to the one displayed.

Figure 1: Even better than the real thing? An eBay phishing site

continue reading "Traps on the Internet"

Introduction

The evolution of mobile malware all but stopped after the publication of our first two articles on the subject. This is why there has been an interval of nearly three years between articles.

Mobile malware evolved rapidly during the first two years (2004 – 2006) of its existence. During this period, a wide range of malicious programs targeting mobile phones appeared, and these programs were very similar to malware which targeted computers: viruses, worms, and Trojans, the latter including spyware, backdoors, and adware.

This threat landscape created conditions which could be used for an all-out attack on smartphone users. However, such an attack did not occur. The reason for this was the rapidly changing situation of the mobile devices market. Two years ago, Symbian was the undisputed market leader. If the situation had remained unchanged, there would now be an enormous amount of malware for Symbian smartphones. However, things have changed: Symbian (and Nokia) have lost their leading market share to other mobile operating systems and devices. At present, Nokia’s share of the smartphone market is around 45%.

Microsoft was the first to strike a competitive blow with its Windows Mobile platform. Windows Mobile 5 laid the foundation for Microsoft’s success and was supported by many major phone manufacturers. Version 6 was then released, with the source code of the operating system being published. Today, Windows Mobile holds about a 15% share of the global smartphone market, and is the market leader in some countries. Four of the biggest mobile phone manufacturers (excluding Nokia) have licensed Windows Mobile from Microsoft. Sales of mobile phones running Windows Mobile may currently exceed 20 million devices a year.

RIM has also strengthened its market position considerably as its Blackberry device (which runs a proprietary operating system) has become very popular in the USA. No malware for this platform has been identified to date, apart from BBproxy, a proof-of-concept backdoor created by vulnerability researchers (http://www.praetoriang.net).

The launch of Apple’s iPhone was the most memorable and significant event in the recent history of mobile devices. The iPhone uses the mobile version of Mac OS X, and very quickly became one of the best selling mobile devices across the world. Apple announced its intention to sell 10 million iPhones by the end of 2008, and achieved this. By now, more than 21 million iPhones of all types have been sold; if sales of the iPod Touch (an iPhone without the phone) are included, then the total number reaches 37 million.

Add the recently launch of the first phone using Google’s Android platform, which offers a lot of possibilities for creating applications and using Google services and suddenly, it’s very unclear which platform could be seen as being the leader.

This situation differs dramatically from the world of PCs, which is clearly Windows-dominated. After all, it’s the popularity of an operating system that makes it a target for cybercriminal attack.

When virus writers realized that there was no clear leading operating system for mobile devices, they also realized it wouldn’t be possible to target the majority of mobile device users with a single attack. Because of this, they started focusing less on writing malware which targeted specific platforms, and more on creating programs capable of infecting several platforms.

This article discusses the results of this approach.

Malware families and modifications: Statistics and changes.

The list of mobile malware given in Mobile Malware Evolution, Part 1 was dated 30 August, 2006, and included 5 platforms which had been targeted by virus writers. Only one more platform has been added to the list in the three years that have passed: S/EGOLD (classified as SGold by Kaspersky Lab), used on Siemens phones. S/EGOLD is an open platform which allows users to install their own applications.

The data in the table above can also be represented as a diagram:

Distribution of mobile malware across platforms

continue reading "Mobile Malware Evolution: An Overview, Part 3"

Anyone who has ever analyzed malware designed to steal data from online banking customers will agree that Brazil is one of the biggest sources of so-called banking Trojans. But why exactly is Brazil a world leader in producing this type of malicious program? Who is responsible and what drives them? Having analyzed the malicious code originating from Brazil, we are ready to share our conclusions.

Why Brazil?

Brazil is the biggest country in Latin America with a population of approximately 200 million people. Nearly one third of the population – about 70 million – are Internet users and their number is constantly growing.

Brazil’s highly stratified social structure often means that those on a low income are drawn into illegal activity, including writing malicious programs designed to steal data belonging to bank customers. The fact that online banking systems are widely used in Brazil makes this type of criminal activity all the more attractive. Additionally, the country does not have legislation which effectively combats cybercrime.

Between them, Brazil’s biggest banks have millions of online banking customers. For instance, Banco do Brasil has 7.9 million online customers, Bradesco has 6.9 million, Itaú has 4.2 million and Caixa has 3.69 million. These numbers are high enough to motivate the criminals: even if the percentage of successful attacks is small, the profits can still be impressive.

Targets

Unfortunately, lots of customers at different banks fall victim to this type of cybercrime.

Percentage of malicious programs designed to steal customer data from different banks

continue reading "“Brazil: a country rich in banking Trojans”"

Kaspersky Lab presents its monthly malware statistics for October. From this month onwards, the data used is gathered from all products which use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines. As a result, the Top Twenties have changed somewhat, and the figures in both ratings this month are significantly higher, due to an increased numbers of users participating in KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	3	Net-Worm.Win32.Kido.ir	344745
2	-1	Net-Worm.Win32.Kido.ih	126645
3	0	not-a-virus:AdWare.Win32.Boran.z	114776
4	-2	Virus.Win32.Sality.aa	87839
5	6	Worm.Win32.FlyStudio.cu	70163
6	-1	Trojan-Downloader.Win32.VB.eql	52012
7	0	Virus.Win32.Induc.a	49251
8	New	Packed.Win32.Black.d	39666
9	New	Worm.Win32.AutoRun.awkp	35039
10	-3	Virus.Win32.Virut.ce	33354
11	Return	Packed.Win32.Black.a	31530
12	-1	Worm.Win32.AutoRun.dui	25370
13	4	Trojan-Dropper.Win32.Flystud.yo	24038
14	New	Trojan-Dropper.Win32.Agent.bcyx	22471
15	Return	Packed.Win32.Klone.bj	21919
16	Return	Trojan.Win32.Swizzor.b	19496
17	New	Trojan-Downloader.WMA.GetCodec.s	18571
18	-4	Worm.Win32.Mabezat.b	19708
19	New	Trojan-GameThief.Win32.Magania.cbrt	17610
20	New	Trojan-Dropper.Win32.Agent.ayqa	16909

continue reading "Monthly Malware Statistics: October 2009"