MALWARE HISTORY

2006

The new year was relatively calm, with few major security incidents. The smooth Internet experience users could enjoy was partly due to the fact that Microsoft

JS.Blackworm.A was the first Internet worm to hit in February 2006. It spreads by e-mail, using messages with infected attachments, as well as through unprotected network shares. JS.Blackworm.A is nonetheless a classic worm: it can only infect a system when the human user executes the attachment. The worm carries a malicious payload that corrupts data on the compromised computers. The payload triggers only on February 3rd, an event referred to as The Day the Music Died.

In addition, the worm deletes several antivirus utilities if they are installed at the paths specified in the worm's code. After deleting their files, the worm also removes the corresponding Windows Registry keys that allow them to start with Windows.

Other variants of the virus set off on October 26th. They are known to disable security-related and file-sharing software, as well as to destroy certain files in the system.

February also premiered the first piece of malware for Mac OS X: a low-threat Trojan horse known as OSX/Leap-A or OSX/Oompa-A. Leap has worm capabilities, as it spreads from one system to another using the iChat instant messaging program. The executable file is camouflaged with the standard icon of an image file that allegedly contains a screenshot of Apple's upcoming operating system. The worm exploits users' curiosity, a common technique also encountered in the Win32.Loveletter e-mail worm.

Once it infects the system, the worm makes successive attempts to send itself to the contacts in the user's iChat Bonjour buddy list. While the worm does not contain a deliberately implemented malicious payload, a programming bug prevents the infected program from starting.

Win32.Warezov.AB hit Microsoft Windows users in late September. Also known as Stratio, this new family of worms is able to shut down the operating system's security features in order to replicate itself through e-mail clients. Win32.Warezov.AB uses social-engineering techniques to infect other systems: the e-mail it sends claims to be a report from a mail server notifying the user of an unpatched security flaw in Windows. Moreover, it tells the user that the corresponding security patch is attached to the message – in fact, the attachment is a copy of the virus ready to be executed.

In order to avoid detection, Win32.Warezov.AB updates its code about once every 30 minutes. It automatically downloads new instances of the worm and then stealthily installs them on the host computer. This perpetual update process makes disinfection extremely difficult, as antivirus providers have to issue new file signatures for each variant.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
