Increases in the number of cyber blackmailers and adware going 'deep' are just some of the highlights in the April-June 2005 Malware report from Alexander Gostev, senior virus analyst, Kaspersky Lab.
Kaspersky says that serious IT security incidents in that last few months within major corporations and the detection of a bespoke Trojan-spy in more than 80 organisations in Israel and the UK has revealed a startling change in tactics by malware authors: a shift from global infections to 'cherry picking' prime targets.
In the report Alexander Gostev comments, "It's one thing to infect a million computers around the world and to steal 50 thousand credit card numbers from them. It's quite another thing to steal a million credit card numbers by infecting only one computer."
Referring to the recent breach of credit card details, "In order to gain access to the database where credit card numbers were saved, the Trojan would have to have been programmed specifically for the CardSystem Solutions database."
The report also notes that the malicious program allegedly responsible has not yet reached anti-virus companies.
In December 2004 Kaspersky Lab received the first samples of a number of files which were encrypted by an unknown encryption program. Now classified as Virus.Win32.Gpcode, this marks the beginning of a new era in cyber crime where individuals are blackmailed to have their encrypted data restored.
In just one week in June, Kaspersky Lab counted over 24 different encryption methods used by the virus.
"The most depressing thing about this whole affair has been the number of users who have contacted the author of the malicious program, and who may have directly paid him the ransom demanded. By doing so, the users have not only lost money, but have also encouraged the author to create new versions of this encryption program and to conduct further attacks on other users," says the report.
"The encryption algorithms used to encrypt files are extremely primitive and encrypted files can easily be restored to their original condition by using a good anti-virus which includes the right detections and treatment procedures. All the user needs to do is to send one encrypted file to an anti-virus company for analysis."
The evolution rate of adware is now rapidly changing, with the use of virus technology to penetrate systems and mask the presence of adware on infected machines, such as exploiting browser vulnerabilities, utilising rootkit technology, writing its own code to system files and replacing system applications, changing files on the user's computer, etc.
In June, Kaspersky Lab detected a piece of adware that hides its presence in the system by using a rootkit driver. This is a cause for serious concern, because until now, this behaviour had only been present in backdoor programs. The vast majority of anti-virus solutions are unable to detect and delete rootkits from Windows systems, and naturally, the latest dedicated anti-adware/spyware solutions are unable to do this either.
Only a multi-functional anti-virus program, which works with the operating system at the very lowest levels and monitors all system functions, is able to detect rootkits in an infected system.