Increases in the number of cyber blackmailers and adware
going 'deep' are just some of the highlights in the April-June 2005
Malware report from Alexander Gostev, senior virus analyst,
Kaspersky Lab.
Kaspersky says that serious IT security incidents within major
corporations over the last few months, together with the detection of
a bespoke Trojan-spy in more than 80 organisations in Israel and the
UK, have revealed a startling change in tactics by malware authors: a
shift from global infections to 'cherry picking' prime targets.
In the report Alexander Gostev comments: "It's one thing to
infect a million computers around the world, and to steal 50
thousand credit card numbers from them. It's quite another thing to
steal a million credit card numbers by infecting only one
computer."
Referring to the recent breach of credit card details, he says:
"In order to gain access to the database where credit card numbers
were saved, the Trojan would have to have been programmed
specifically for the CardSystem Solutions database." The report
also notes that the malicious program allegedly responsible has not
yet reached anti-virus companies.
In December 2004 Kaspersky Lab received the first samples of files
that had been encrypted by an unknown program. The malware, now
classified as Virus.Win32.Gpcode, marks the beginning of a new era in
cyber crime in which individuals are blackmailed into paying to have
their encrypted data restored. In just one week in June, Kaspersky Lab
counted over 24 different encryption methods used by the virus.
"The most depressing thing about this whole affair has been the
number of users who have contacted the author of the malicious
program, and who may have directly paid him the ransom demanded. By
doing so, the users have not only lost money, but have also
encouraged the author to create new versions of this encryption
program and to conduct further attacks on other users," says the
report.
"The encryption algorithms used to encrypt files are extremely
primitive and encrypted files can easily be restored to their
original condition by using a good anti-virus which includes the
right detections and treatment procedures. All the user needs to do
is to send one encrypted file to an anti-virus company for
analysis."
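Why a single encrypted file is enough against a 'primitive' scheme is worth seeing in code. The following is an added example, not code from the report or from Kaspersky Lab, and the page names no algorithm for Gpcode: the cipher below is a constructed stand-in (a repeating-key XOR, the kind of home-grown 'encryption' such programs often amount to), and the file contents and key are made up for the demonstration. The point it shows is that if the victim still has the original of even one encrypted file (a backup, an e-mailed copy), XORing the two yields the key stream, and every other file encrypted with the same key can then be restored without paying.

```python
"""
Added example: known-plaintext recovery against a constructed repeating-key
XOR 'ransom' cipher. Not Gpcode's real algorithm, which the page does not
describe; it stands in for an 'extremely primitive' scheme.
"""
import itertools
from typing import Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                max_key_len: int = 64) -> Optional[bytes]:
    """
    Known-plaintext attack. ciphertext XOR plaintext gives the raw key
    stream; the shortest period that reproduces the whole stream is the key.

    Returns None when the sample is too short to confirm a period: a key of
    length k is only accepted if at least 2*k bytes of known plaintext
    support it, so a bare file header may not be enough for a long key.
    """
    n = min(len(ciphertext), len(known_plaintext))
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))
    for klen in range(1, min(max_key_len, n // 2) + 1):
        if all(stream[i] == stream[i % klen] for i in range(n)):
            return stream[:klen]
    return None


def decrypt_with_sample(enc_known: bytes, known_plain: bytes,
                        enc_target: bytes) -> Optional[bytes]:
    """
    The 'send one encrypted file' workflow: recover the key from one file
    whose original is available, then restore a different file encrypted
    with the same key. Returns None if the key could not be recovered.
    """
    key = recover_key(enc_known, known_plain)
    if key is None:
        return None
    return xor_with_key(enc_target, key)


# Constructed sample data (not real victim files or a real Gpcode key).
KEY = b"ransom!2005"  # the extortionist's key; unknown to the victim
ORIGINAL_REPORT = (b"Quarterly figures, Q2 2005\n"
                   b"Revenue: 1,204,500\n"
                   b"Costs: 988,300\n")
ORIGINAL_LETTER = b"Dear customer, your card ending 4421 was charged.\n"

# What the victim finds on disk after the attack.
ENC_REPORT = xor_with_key(ORIGINAL_REPORT, KEY)
ENC_LETTER = xor_with_key(ORIGINAL_LETTER, KEY)


if __name__ == "__main__":
    # The victim still has a backup of the report, but not of the letter.
    recovered = recover_key(ENC_REPORT, ORIGINAL_REPORT)
    print("recovered key:", recovered)
    print("restored letter:", decrypt_with_sample(ENC_REPORT, ORIGINAL_REPORT,
                                                  ENC_LETTER))
    # Only 8 known bytes (a short header) cannot confirm an 11-byte key.
    print("header-only attempt:", recover_key(ENC_REPORT[:8], ORIGINAL_REPORT[:8]))
```

The 2*k requirement in recover_key is the practical caveat: a known file header of a few bytes pins down only that many key bytes, so the analyst needs either a longer known original or a file format with a long predictable prefix. A real 'treatment procedure' would also have to handle per-file keys or a proper block cipher, neither of which this toy scheme models.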
Adware is now evolving rapidly, borrowing virus techniques to
penetrate systems and mask its presence on infected machines:
exploiting browser vulnerabilities, using rootkit technology, writing
its own code into system files, replacing system applications and
altering files on the user's computer.
In June, Kaspersky Lab detected a piece of adware that hides its
presence in the system using a rootkit driver. This is a cause for
serious concern because, until now, such behaviour had only been seen
in backdoor programs. According to the report, the vast majority of
anti-virus solutions are unable to detect and remove rootkits from
Windows systems, and the latest dedicated anti-adware/spyware
solutions cannot do so either. Only a multi-functional anti-virus
program that works with the operating system at the lowest levels and
monitors all system functions is able to detect rootkits on an
infected system.