While peer-to-peer services (P2P), instant messaging (IM), Internet relay chat (IRC), and network file sharing (CIFS) continue to be used as propagation vectors for the top threats, their effectiveness appears to be on the decline. In the first half of 2005, only 19% of the top 50 malicious code reported to Symantec used one of these replication vectors, compared with 50% in the previous six months and 36% one year ago (figure 23).
In the final six months of 2004, Mydoom,79Netsky, and Beagle variants dominated the top ten malicious code reports and all possessed the ability to spread via P2P. However, in the first half of 2005, of those three, only Netsky appeared in the top ten. As a result, the primary infection vector has shifted from P2P applications to a combination of P2P applications and Windows CIFS. Nevertheless, a downward trend in the use of these replication vectors continues.
Figure 23. P2P, IM, IRC, and CIFS threats Source: Symantec Corporation
None of the top 50 reported malicious code samples this period used IM as a propagation mechanism.
However, the number of threats in the overall count of malicious code samples that used IM as a propagation vector did increase. This was mainly due to multiple variants of the Bropia80and Kelvir81 families. Both are worms that send URL links via MSN Messenger to people on a compromised computer’s contact list. The URL link is either a link to the worm itself or to a variant of Spybot.
The first variant of Bropia was detected in January 2005, and 39 variants have been discovered since.
Kelvir was first spotted in March 2005; by the end of June, 130 variants had been discovered. However, neither worm has appeared in the top 50, demonstrating the general ineffectiveness of the propagation
59
82http://www.securityfocus.com/bid/12506
vector compared to other common vectors, such as email. One likely reason for this is that the actual executable file was not transferred through the instant messages but was hosted in a separate location instead. This means that once authorities removed access to the executable file from the hosting server, the worm could no longer propagate.
In addition, a buffer overflow in the image–processing component of Microsoft Messenger82was made public in February and led to speculation that it may be the next step in threats such as Bropia. However, days after the vulnerability was patched, Microsoft required all their MSN messenger clients to be updated before users could join the network. This eliminated the possibility of the vulnerability being used as a replication vector. This mitigation strategy will likely prevent malicious threats from exploiting such vulnerabilities in instant messaging systems.
Because these vectors continue to appear in the top ten threats, organizations should still audit networks for rogue usage of peer-to-peer applications and protocols. In addition, any approved applications should be regularly updated with all necessary security-related patches.
Bots
Bots (short for “robots”) are programs that are covertly installed on a user’s computer in order to allow an unauthorized user to control the computer remotely. Bots are designed to let an attacker create a network of compromised computers known as a bot network, which can be remotely controlled to collectively conduct malicious activities such as DoS attacks.
Bots can have numerous effects on an enterprise. A single infected host within a network (such as a laptop that was compromised outside the local network and then connected to the network, either directly or by VPN) can allow a bot to propagate to other computers that are normally protected against external attacks by corporate firewalls. Additionally, bots can be used to perform DoS attacks against the enterprise’s Web site, which can disrupt revenue for ecommerce companies, or against other organizations’ Web sites, which can have serious legal consequences.
In the first half of 2005, the percentage of bot-related malicious code reported to Symantec increased, accounting for 14% of the top 50 (figure 24). This represents a 17% increase since the last half of 2004, when bots accounted for 12% of the top 50 malicious code reports. It is also a 40% increase over the 10%
from the six-month period prior to that.
60
0%
4%
8%
12%
16%
Jan–June 2004 July–Dec 2004 Jan–June 2005
Percentage of top 50 reports
Period 10%
12%
14%
Figure 24. Bots in top 50 malicious code reports Source: Symantec Corporation
Bots often employ multiple propagation mechanisms to compromise other computers. They may copy themselves to shared network drives with weak password protection. They may also spread through P2P networks by copying themselves to the shared folders of the P2P client application. Most bots, such as Randex,83Spybot, and Gaobot, employ multiple propagation mechanisms that also include exploiting vulnerabilities in remotely accessible services, such as the Microsoft Windows LSASS Buffer Overrun Vulnerability.84
The most significant new development in bot technology over the first six months of 2005 was the addition of a new propagation mechanism. In addition to propagating by traditional methods such as those
mentioned above, Spybot.IVQ,85propagated through Microsoft SQL and MySQL servers with weak password protection. Symantec believes this is significant since it indicates that bot authors may be looking to increase the number of potential systems they can control.
83http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html
84http://www.securityfocus.com/bid/10108
85http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ivq.html
61
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000
Jan–June 2004 July–Dec 2004 Jan–June 2005
Number of new variants
Period
1,104 1,167
892 765 919
4,288
1,121 1,412
6,361
Gaobot Randex Spybot