August a busy month for viruses

Around 3,300 new malicious codes have been detected by security software provider Trend Micro between August 1-20 this year.

The malicious codes consisted mainly of Trojans, back-doors and worms. According to the Trend Micro World Wide Tracking Centre, Sasser was the most prevalent virus in August with 325,409 victims and made up nearly 31 percent of infections in the August top 10 virus list.

However, the six variants of NetSky accounted for almost 46 percent.

In Australia, the March variant NetSky.P accounted for over 45 percent of August infections.

Mark Sinclair, Trend Australia's technical services manager, said both viruses were written by the same programmer: an 18-year-old German who was responsible for 77 percent of infections by the top ten viruses in August. The number of infections by these two viruses since May has also long exceeded that of other viruses.

"According to Trend Micro statistics, the NetSky series has been listed among the top ten viruses since February, accounting for over half of the top ten viruses between April and July. Thus, the majority of virus infections so far this year can all be attributed to a single German high school student."

"It is no wonder the English publication Independent called Sven Jaschan and his substandard computer the most dangerous things on the Internet," he said.

Sinclair said that reports showed that calls to the help line at Microsoft headquarters in Germany jumped from 400 a week to 35,000 a week when Sasser first began quickly spreading, while downloads of their patches jumped from 30,000 a week to 1,600,000 a week.

Trend Micro statistics showed there were 242 new viruses in August -- a small decrease from the 271 new viruses recorded in July.

The production of new viruses was concentrated in the first ten days of the month, with 20 viruses produced on August 9th. Most of the new viruses were variations of previous viruses, with eight new variants of the Worm_rbot series, and nine variants of the Worm_sdbot series.

Trend Micro said the effects of the "virus war" between Worm_Bagle, Worm_Mydoom and Worm_Netsky authors is still prevalent, with six of the top ten threats still relating to these codes.

This month, TrendLabs declared two global Yellow Alerts, both worm-related, for and Worm_Ratos.a.

Trend Micro believes that the aim of the malware writers is no longer to cause damage to systems, but to obtain access to them to retrieve data. One possible goal may be to earn money by selling data such as passwords and credit card numbers. Another possible motive is to build a dormant "dark" network that could be used in the future to perform a large-scale attack against one or more targets.

"Organisations can limit the impact of mass-mailer viruses such as Netsky and Bagle by employing e-mail attachment blocking policies at their gateways. Mass mailers usually feature executable file attachments and stripping these attachments at the gateway is a simple method of reducing infection," Sinclair said.
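The gateway policy Sinclair describes, written out as an added Python example (not Trend Micro product code). The blocked-extension list and the sample message are assumptions constructed for the demonstration; the filter drops an attachment when its filename ends in a blocked extension or when its decoded content starts with the DOS "MZ" signature, so an executable renamed to look like an image is stripped as well.

```python
"""Gateway attachment-blocking policy, as a Python sketch (added example).

Mass mailers such as Netsky and Bagle carry their payload as an executable
attachment. This filter parses an RFC 5322 message, drops every attachment
whose filename carries a blocked extension or whose decoded content starts
with the DOS 'MZ' signature (so a renamed executable is still caught), and
returns the cleaned message plus the names of what was stripped.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions commonly used by mass-mailer payloads (an assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def is_executable_attachment(part) -> bool:
    """True if a MIME part looks like a Windows executable attachment."""
    filename = part.get_filename() or ""
    # A double extension such as 'invoice.txt.exe' still ends in a blocked
    # suffix, so the final suffix (lowercased) is what matters.
    if PurePosixPath(filename).suffix.lower() in BLOCKED_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    # 'MZ' DOS header: catches an executable renamed to look like an image.
    return payload[:2] == b"MZ"


def strip_executable_attachments(raw: bytes):
    """Return (cleaned message as bytes, list of stripped attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    if not msg.is_multipart():
        # A single-part message carries no attachment; nothing to strip.
        return raw, stripped
    kept = []
    for part in msg.iter_parts():
        if is_executable_attachment(part):
            stripped.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    msg.set_payload(kept)  # keep headers and boundary, drop the bad parts
    return msg.as_bytes(), stripped


def attachment_names(raw: bytes) -> list:
    """Filenames of all attachment parts in a message (for verification)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed sample: a body, a .pif payload, a renamed 'MZ' file, a note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please see the attached document.")
    fake_exe = b"MZ\x90\x00 constructed placeholder, not a real program"
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="document.pif")
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg",
                       filename="photo.jpg")  # executable renamed as an image
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executable_attachments(build_sample_message())
    print("stripped:", removed)
    print("remaining attachments:", attachment_names(cleaned))
```

Checking the "MZ" signature as well as the extension matters because a filename policy alone is defeated by renaming; a production gateway would go further and open archive attachments, since mass mailers of the period also shipped their executable inside a .zip.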

Top targets
The top five targets of Internet bank fraud in August were US Bank, Citibank, Suntrust Bank, eBay and Paypal. US Bank accounted for around 47 percent of attacks while Citibank had almost 40 percent.

Although phishing generally targets banks with English systems, two major banks in Germany were also attacked in August, including Postbank, which has 1.7 million online customers.

This month also saw the continued release of malicious codes for mobile devices. However, Trend Micro said the most significant codes analysed this month are those designed to attack 64-bit operating systems.

W64_Rugrat.a was the first such code that emerged. It can infect 64-bit files running on IA64 (Intel Itanium) processors, and Portable Executable (PE) files running on AMD 64-bit systems.

W64_Shruggle.a is the second malware discovered that also infects 64-bit Windows PE files. These viruses are believed to be created by the same author who calls himself roy g biv.

Both of these 64-bit viruses are considered "proof-of-concept" viruses: viruses created to prove that new systems are penetrable to virus attacks.

When executed, this type of virus searches for target files in the current folder and its subfolders. It then infects every 64-bit file (AMD64 only) that it finds: it passes the file through some filtering criteria, appends its code to the last section of the host file, and then marks that section as executable.
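What that infection pattern leaves behind in a file's headers, as an added Python example written for triage (not code from Trend Micro or from the viruses discussed). It parses the DOS, COFF, optional and section headers of a PE32+ image and reports whether the last section is flagged executable, which is the modification the article describes. The entry-point check is a general appending-infector heuristic added here, not something the article states, and the PE images it is run on are constructed in the block, not samples of W64_Rugrat.a or W64_Shruggle.a.

```python
"""Header triage for the append-to-last-section infection pattern (added example).

An appending infector that adds its code to a host's final section and flags
that section executable leaves a last section with IMAGE_SCN_MEM_EXECUTE set
where none is expected. A general heuristic (assumed here, not from the
article) is that the entry point then also lies inside that section. Only
headers are read, so the file is never executed.
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def analyze_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional/section headers and report infection indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]       # 0x20B means PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, opt + opt_size + i * 40)
        name, vsize, va, rawsize, _, _, _, _, _, chars = fields
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, va, rawsize, chars))
    if not sections:
        raise ValueError("no section headers")
    name, vsize, va, rawsize, chars = sections[-1]
    last_exec = bool(chars & IMAGE_SCN_MEM_EXECUTE)
    entry_in_last = va <= entry < va + max(vsize, rawsize)
    # An earlier executable section means the last one is not the program's
    # own code section, which is the layout an appending infector produces.
    earlier_exec = any(c & IMAGE_SCN_MEM_EXECUTE for *_, c in sections[:-1])
    return {
        "is_amd64": machine == IMAGE_FILE_MACHINE_AMD64,
        "pe32plus": magic == 0x20B,
        "last_section": name,
        "last_section_executable": last_exec,
        "entry_in_last_section": entry_in_last,
        "suspicious": last_exec and entry_in_last and earlier_exec,
    }


def build_pe64(infected: bool) -> bytes:
    """Constructed minimal PE32+ image with .text and .data (not a real binary).

    With infected=True the .data section is marked executable and the entry
    point is moved into it, mimicking the header changes described above.
    """
    entry = 0x2100 if infected else 0x1000
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if infected:
        data_chars |= IMAGE_SCN_MEM_EXECUTE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 240, 0x22)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, entry, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, entry, 0x1000)
    opt = opt.ljust(240, b"\0")
    text_hdr = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data_hdr = struct.pack(SECTION_FMT, b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                           data_chars)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr).ljust(0x400, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0") + b"\0" * 0x200


if __name__ == "__main__":
    for label in (False, True):
        print("infected" if label else "clean", analyze_pe(build_pe64(label)))
```

Treat the verdict as a triage signal rather than a detection: packers and some linkers also place entry points in unusual sections, so a hit should be confirmed by a full scanner or manual inspection.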

Sinclair told ZDNet Australia they are expecting to see a similar intensity of virus activity over the coming months and into the next year.

"The authors of Bagle continue to wage war on Netsky; proof of concept viruses are appearing for wireless devices and 64 bit operating systems and phishing/keyboard logging Trojans are becoming more prevalent," he said.

"The potential to see new damaging network worms such as Sasser, SQL Slammer and Blaster is always there. These worms take advantage of vulnerabilities in operating systems and applications and require no human interaction.

"This is what makes them so devastating. Trend Micro has taken the initiative with our Enterprise Protection Strategy and Network Viruswall appliance to minimize the impact of these types of threats," Sinclair added.