Virus writers building underground network for rapid dispersal of new viruses
Quote:
London, UK – January 12th, 2004: Clearswift, the MIMEsweeper company, predicts a rise in malicious threats and the birth of the ‘superworm’ in 2004, following an analysis of 2003 and the detection of a private peer-to-peer malware network. Clearswift is advising organisations to review their email and Web security to ensure their PCs are not used to distribute viruses or execute criminal activities on behalf of malicious groups.
The Sobig project last year, consisting of six successive viruses, marked the emergence of long-term malware projects, involving multi-stage attacks using spam, worms, trojans, spyware and proxies. Furthermore, 2003 saw a clear switch in motivation of the virus writer – intellectual challenge or simple-minded cyber-vandalism is no longer the primary motive.
Instead, financial gain is now the principle reason behind virus development. It has become apparent that the Sobig project was instigated by organised crime gangs which are now deploying the tools of spammer, virus writer and hacker in a co-ordinated manner to expand their operations into cyberspace. These groups have now established a network of broadband home PCs which can be covertly used as an anonymous platform for criminal activity.
The Sinit Evolution
More recently, a private peer-to-peer malware network has been created, marking a major milestone in the evolution of the virus landscape. The network, dubbed Sinit, removes the single-point-of-failure that is often targeted by law enforcers in order to terminate viruses (as was the case with the last Sobig virus). With Sinit, there is no central server that can be shut down. Each infected host becomes part of a peer-to-peer network through which additional trojans are spread to all hosts. It has been estimated that hundreds of thousands of PCs have already been infected.
Sinit enables rapid dispersal of viruses and uses sophisticated encryption technology to prevent anti-virus companies from tracking development activity or modifying the virus codes. Sinit could also constitute the launch pad for a highly efficient ‘superworm’. Theorists have postulated that a superworm could be capable of infecting all vulnerable hosts on the Internet in minutes.
“It looks as though 2004 will be the year of the superworm,” comments Pete Simpson, manager of ThreatLab at Clearswift. “It’s always been an arms race in the battle between virus writers and anti-virus companies, however both sides now have financial incentives. Sinit represents a new and daunting challenge to anti-virus companies and further emphasises the need to have a multi-layered defence against these security threats.”
Whilst organised crime has come to dominate the malware scene, in 2003, the traditional virus-writing groups have not been entirely moribund. Serotonin, a virus developed last year that has yet to be released in the wild, represents an entirely new generation of worm. Using ‘Genetic Programming’ techniques, based on processes analogous to those operating in biological evolution, the worm mimics natural selection processes. Although this has not been released in the wild yet, it demonstrates the potential problems to come.
No longer can organisations expect to be protected from malicious codes by deploying just firewall and anti-virus technology - the ever-evolving nature of viruses require a more proactive defence. Content security provides an additional layer of defence by enabling the generic blocking of executables, scripts and specified file types to protect against viruses and non-viral malware such as spyware. It will also intercept other malicious code in email and web pages.
Source : http://www.clearswift.com/news/pressreleases/306.aspx
