Kaspersky Lab Reports on Malware Developments...
25 Sep 04:24

The first six months of 2006 were characterised by ransomware, an increase in Trojans, and viruses that can attack multiple operating systems and regular mobile phones, according to new half-year reports written by senior virus analysts at Kaspersky Lab.

Ransomware
In January 2006, ransomware (whereby a criminal sends a program that encrypts the files on a victim PC and then blackmails the owner into paying to have the files decrypted) was represented by just one Trojan, Trojan.Win32.Krotten. According to the Kaspersky Security Bulletin, January - June 2006: Malware Evolution report, however, instances of ransomware have since increased in both intensity and number. Gpcode followed Krotten in late January and evolved rapidly, extending the length of the encryption key from 56 bits to 660, and in the space of the first six months, the number of Trojans used for ransomware increased from two to six. At the peak of their development, the attacks were limited mainly to Russia and the CIS. But by the end of July, the authors of these programs had clearly branched out, as ransomware cases were seen in Germany, the UK and several other countries.

Trojans
It's not just Trojans used specifically for ransomware that are increasing, however. The report shows that, collectively, Trojans are developing faster than any other class of malicious code, with the number of new Trojan variants increasing during the first six months of this year by nine per cent compared to the last six months of 2005.

The four most common types of Trojan (Backdoor, Trojan-Downloader, Trojan-Spy and Trojan-PSW) share a key commonality: they can all be used to steal personal data or create a botnet of victim computers, which in turn can be used to generate significant amounts of money for the criminally minded.

Viruses and worms, conversely, are no longer in vogue. The number of new variants of existing viruses and worms fell by 1.1 per cent during the first half of 2006. This decline can be attributed to simple economics: it is less expensive to develop a primitive Trojan program than it is to create self-replicating malicious code, such as a worm.

Mobile malware
The Kaspersky Security Bulletin, January - June 2006: Malicious Programs for Mobile Devices report claims that malicious programs for mobile devices are set to rise, including cross-platform mobile malware.

According to the report, malware for Symbian OS, the most popular platform for smartphones, has now reached the stage where it is being developed for profit. In April, the first Trojan-spy for Symbian, Flexispy, was discovered. Flexispy relays information about the victim's calls and SMS messages to the criminal.

Windows Mobile, currently the second most popular platform for smartphones, also attracted the attention of malware writers in the first half of the year.

Two new mobile malware samples were discovered during this period, and while they may only be proof-of-concept viruses, they could certainly provide inspiration for other malware writers with ambitions in this area.

Cross-platform malware for mobile devices was also evidenced in the first half of 2006, the first example being the Cxover virus. Cxover begins by checking which operating system is present on the infected device. If launched on a PC, the virus searches for mobile devices accessible via ActiveSync. Cxover then copies itself via ActiveSync onto all accessible mobile devices. Once the virus is on a mobile device it attempts to copy itself onto accessible PCs. In addition, it deletes user files on infected devices.

It's not just smartphones that are coming under attack: regular mobile phones have also been targeted. February saw the emergence of Trojan-SMS.J2ME.RedBrowser, the first piece of malware that could infect any mobile phone capable of running Java (J2ME) applications.

Non-Windows malware
The Kaspersky Security Bulletin, January - June 2006: Malware for Non-Win32 Platforms report highlights an increase in malware for non-Windows operating systems, with a number of proof-of-concept malicious programs appearing in early February. The first, Leap, spreads via the OS X instant messaging service, iChat, and sends itself to all contacts listed in the address book. The second, Inqtana, spreads via Bluetooth.

Geographical origins of today's malware
The Kaspersky Security Bulletin, January - June 2006: Internet Attacks report isolates the origins of internet attacks. Back in 2004, the US was the main source of internet attacks intercepted by Kaspersky Lab. In 2005, however, the US was overtaken by China. This year, the situation has reversed again, with an enormous 40 per cent of all attacks worldwide again originating from the US and only 17 per cent coming from China. This percentage reversal is not because of a decrease in the number of attacks coming from China, but because of the huge increase in the number of attacks coming from the US.

South Korea, which was in third place last year, has dropped to ninth, with its place being taken by the Philippines. Germany also demonstrates a noticeable ascending trend in comparison to last year: three times more attacks originated in Germany. Another notable change is France, which moved up to sixth place in comparison with fourteenth place last year. Russia has moved in the opposite direction, dropping from sixth to tenth place.

Related links:
www.viruslist.com/en/analysis?pubid=198968167
www.viruslist.com/en/analysis?pubid=198981193
www.viruslist.com/en/analysis?pubid=198977709
www.viruslist.com/en/analysis?pubid=198981117
